Vendor import of BIND 9.4.1

1000 files changed, 116285 insertions, 40961 deletions

diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES
index acf2817..358128e 100644
--- a/contrib/bind9/CHANGES
+++ b/contrib/bind9/CHANGES
@@ -1,12 +1,79 @@
 
-	--- 9.3.4 released ---
+	--- 9.4.1 released ---
+
+2172.	[bug]		query_addsoa() was being called with a non zone db.
+			[RT #16834]
+
+	--- 9.4.0 released ---
+
+2138.	[bug]		Lock order reversal in resolver.c. [RT #16653]
+
+2137.	[port]		Mips little endian and/or mips 64 bit are now
+			supported for atomic operations. [RT#16648]
+
+2136.	[bug]		nslookup/host looped if there was no search list
+			and the host didn't exist. [RT #16657]
+
+2135.	[bug]		Uninitialised rdataset in sdlz.c. [RT# 16656]
+
+2133.	[port]		powerpc:  Support both IBM and MacOS Power PC
+			assembler syntaxes. [RT #16647]
+
+2132.	[bug]		Missing unlock on out of memory in
+			dns_dispatchmgr_setudp().
+
+2131.	[contrib]	dlz/mysql: AXFR was broken. [RT #16630]
+
+2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]
+
+	--- 9.4.0rc2 released ---
+
+2127.	[port]		Improved OpenSSL 0.9.8 support. [RT #16563]
 
 2126.	[security]	Serialise validation of type ANY responses. [RT #16555]
 
+2125.	[bug]		dns_zone_getzeronosoattl() REQUIRE failure if DLZ
+			was defined. [RT #16574]
+
 2124.	[security]	It was possible to dereference a freed fetch
 			context. [RT #16584]
 
-	--- 9.3.3 released ---
+2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]
+
+	--- 9.4.0rc1 released ---
+
+2118.	[bug]		Handle response with long chains of domain name
+			compression pointers which point to other compression
+			pointers. [RT #16427]
+
+2117.	[bug]		DNSSEC fixes: named could fail to cache NSEC records
+			which could lead to validation failures.  named didn't
+			handle negative DS responses that were in the process
+			of being validated.  Check CNAME bit before accepting
+			NODATA proof. To be able to ignore a child NSEC there
+			must be SOA (and NS) set in the bitmap. [RT #16399]
+
+2116.	[bug]		'rndc reload' could cause the cache to continually
+			be cleaned. [RT #16401]
+
+2115.	[bug]		'rndc reconfig' could trigger a INSIST if the
+			number of masters for a zone was reduced. [RT #16444]
+
+2114.	[bug]		dig/host/nslookup: searches for names with multiple
+			labels were failing. [RT #16447]
+
+2113.	[bug]		nsupdate: if a zone is specified it should be used
+			for server discover. [RT# 16455]
+
+2112.	[security]	Warn if weak RSA exponent is used. [RT #16460]
+
+2111.	[bug]		Fix a number of errors reported by Coverity.
+			[RT #16507]
+
+2110.	[bug]		"minimal-response yes;" interacted badly with BIND 8
+			priming queries. [RT #16491]
+
+2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]
 
 2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]
 
@@ -17,14 +84,24 @@
 
 2102.	[port]		Silence solaris 10 warnings.
 
+	--- 9.4.0b4 released ---
+
 2101.	[bug]		OpenSSL version checks were not quite right.
 			[RT #16476]
 
 2100.	[port]		win32: copy libeay32.dll to Build\Debug.
+			Copy Debug\named-checkzone to Debug\named-compilezone.
 
 2099.	[port]		win32: more manifiest issues.
 
-	--- 9.3.3rc3 released ---
+2098.	[bug]		Race in rbtdb.c:no_references(), which occasionally
+			triggered an INSIST failure about the node lock
+			reference.  [RT #16411]
+
+	--- 9.4.0b3 released ---
+
+2097.	[bug]		named could reference a destroyed memory context
+			after being reloaded / reconfigured. [RT #16428]
 
 2096.	[bug]		libbind: handle applications that fail to detect
 			res_init() failures better.
@@ -34,6 +111,8 @@
  
 2094.	[contrib]	Update named-bootconf.  [RT# 16404]
 
+2093.	[bug]		named-checkzone -s was broken.
+
 2092.	[bug]		win32: dig, host, nslookup.  Use registry config
 			if resolv.conf does not exist or no nameservers
 			listed. [RT #15877] 
@@ -51,6 +130,9 @@
 2088.	[security]	Change the default RSA exponent from 3 to 65537.
 			[RT #16391]
 
+2087.	[port]		libisc failed to compile on OS's w/o a vsnprintf.
+			[RT #16382]
+
 2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
 			[RT #16403]
 
@@ -62,7 +144,7 @@
 
 2082.	[doc]		Document 'cache-file' as a test only option.
 
-	--- 9.3.3rc2 released ---
+	--- 9.4.0b2 released ---
 
 2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
 			[RT #16360]
@@ -70,16 +152,30 @@
 2080.	[port]		libbind: res_init.c did not compile on older versions
 			of Solaris. [RT #16363]
 
+2079.	[bug]		The lame cache was not handling multiple types
+			correctly. [RT #16361]
+
+2078.	[bug]		dnssec-checkzone output style "default" was badly
+			named.  It is now called "relative". [RT #16326]
+
+2077.	[bug]		'dnssec-signzone -O raw' wasn't outputing the
+			complete signed zone. [RT #16326]
+
 2076.	[bug]		Several files were missing #include <config.h>
 			causing build failures on OSF. [RT #16341]
 
+2075.	[bug]		The spillat timer event hander could leak memory.
+			[RT #16357]
+
 2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
 			dns_request_createraw2() and dns_request_createraw3()
 			failed to send multiple UDP requests. [RT #16349]
 
-2066.	[security]	Handle SIG queries gracefully. [RT #16300]
+2073.	[bug]		Incorrect semantics check for update policy "wildcard".
+			[RT #16353]
 
-	--- 9.3.3rc1 released ---
+2072.	[bug]		We were not generating valid HMAC SHA digests.
+			[RT #16320]
 
 2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
 			[RT #16324]
@@ -89,9 +185,14 @@
 
 2069.	[bug]		Cross compiling was not working. [RT #16330]
 
+2068.	[cleanup]	Lower incremental tuning message to debug 1.
+			[RT #16319]
+
 2067.	[bug]		'rndc' could close the socket too early triggering
 			a INSIST under Windows. [RT #16317]
 
+2066.	[security]	Handle SIG queries gracefully. [RT #16300]
+
 2065.	[bug]		libbind: probe for HPUX prototypes for
 			endprotoent_r() and endservent_r().  [RT 16313]
 
@@ -103,8 +204,24 @@
 2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
 			been returned by the socket code. [RT #16307]
 
-2057.	[bug]		Make setting "ra" dependent on both allow-query and
-			allow-recursion. [RT #16290]
+2061.	[bug]		Accept expired wildcard message reversed. [RT #16296]
+
+2060.	[bug]		Enabling DLZ support could leave views partially
+			configured. [RT #16295]
+
+	--- 9.4.0b1 released ---
+
+2059.	[bug]		Search into cache rbtdb could trigger an INSIST
+			failure while cleaning up a stale rdataset.
+			[RT #16292]
+
+2058.	[bug]		Adjust how we calculate rtt estimates in the presence
+			of authoritative servers that drop EDNS and/or CD
+			requests.  Also fallback to EDNS/512 and plain DNS
+			faster for zones with less than 3 servers.  [RT #16187]
+
+2057.	[bug]		Make setting "ra" dependent on both allow-query-cache
+			and allow-recursion. [RT #16290]
 
 2056.	[bug]		dig: ixfr= was not being treated case insensitively
 			at all times. [RT #15955]
@@ -138,9 +255,31 @@
 2047.	[bug]		Failed to initialise the interface flags to zero.
 			[RT #16245]
 
+2046.	[bug]		rbtdb.c:rdataset_setadditional() could cause duplicate
+			cleanup [RT #16247].
+
+2045.	[func]		Use lock buckets for acache entries to limit memory
+			consumption. [RT #16183]
+
+2044.	[port]		Add support for atomic operations for Itanium.
+			[RT #16179]
+
 2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
 			for interactive sessions. [RT#16148]
 
+2042.	[bug]		named-checkconf was incorrectly rejecting the
+			logging category "config". [RT #16117]
+
+2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
+			set of libraries to be linked. [RT #16129]
+
+2040.	[bug]		rbtdb no_references() could trigger an INSIST
+			failure with --enable-atomic.  [RT #16022]
+
+2039.	[func]		Check that all buffers passed to the socket code
+			have been retrieved when the socket event is freed.
+			[RT #16122]
+
 2038.	[bug]		dig/nslookup/host was unlinking from wrong list
 			when handling errors. [RT #16122]
 
@@ -153,7 +292,12 @@
 
 2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
 
-	--- 9.3.3b1 released ---
+2033.	[bug]		We wern't creating multiple client memory contexts
+			on demand as expected. [RT #16095]
+
+	--- 9.4.0a6 released ---
+
+2032.	[bug]		Remove a INSIST in query_addadditional2(). [RT #16074]
 
 2031.	[bug]		Emit a error message when "rndc refresh" is called on
 			a non slave/stub zone. [RT # 16073]
@@ -172,21 +316,80 @@
 2026.	[bug]		Rate limit the two recursive client exceeded messages.
 			[RT #16044]
 
+2025.	[func]		Update "zone serial unchanged" message. [RT #16026]
+
 2024.	[bug]		named emited spurious "zone serial unchanged"
 			messages on reload. [RT #16027]
 
 2023.	[bug]		"make install" should create ${localstatedir}/run and
 			${sysconfdir} if they do not exist. [RT #16033]
 
+2022.	[bug]		If dnssec validation is disabled only assert CD if
+			CD was requested. [RT #16037]
+
+2021.	[bug]		dnssec-enable no; triggered a REQUIRE. [RT #16037]
+
+2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]
+
+2019.	[tuning]	Reduce the amount of work performed per quantum
+			when cleaning the cache. [RT #15986]
+
+2018.	[bug]		Checking if the HMAC MD5 private file was broken.
+			[RT #15960]
+
+2017.	[bug]		allow-query default was not correct. [RT #15946]
+
 2016.	[bug]		Return a partial answer if recursion is not
 			allowed but requested and we had the answer
 			to the original qname. [RT #15945]
 
+	--- 9.4.0a5 released ---
+
+2015.	[cleanup]	use-additional-cache is now acache-enable for
+			consistancy.  Default acache-enable off in BIND 9.4
+			as it requires memory usage to be configured.
+			It may be enabled by default in BIND 9.5 once we
+			have more experience with it.
+
+2014.	[func]		Statistics about acache now recorded and sent
+			to log. [RT #15976]
+
 2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
 			responses more gracefully. [RT #15941]
 
+2012.	[func]		Don't insert new acache entries if acache is full.
+			[RT #15970]
+
+2011.	[func]		dnssec-signzone can now update the SOA record of
+			the signed zone, either as an increment or as the
+			system time(). [RT #15633]
+
+	--- 9.4.0a4 released ---
+
 2009.	[bug]		libbind: coverity fixes. [RT #15808]
 
+2008.	[func]		It is now posssible to enable/disable DNSSEC
+			validation from rndc.  This is useful for the
+			mobile hosts where the current connection point
+			breaks DNSSEC (firewall/proxy).  [RT #15592]
+
+				rndc validation newstate [view]
+
+2007.	[func]		It is now possible to explicitly enable DNSSEC
+			validation.  default dnssec-validation no; to
+			be changed to yes in 9.5.0.  [RT #15674]
+
+2006.	[security]	Allow-query-cache and allow-recursion now default
+			to the builtin acls "localnets" and "localhost".
+
+			This is being done to make caching servers less
+			attractive as reflective amplifying targets for
+			spoofed traffic.  This still leave authoritative
+			servers exposed.
+
+			The best fix is for full BCP 38 deployment to
+			remove spoofed traffic.
+
 2005.	[bug]		libbind: Retransmission timeouts should be
 			based on which attempt it is to the nameserver
 			and not the nameserver itself. [RT #13548]
@@ -202,8 +405,13 @@
 2002.	[bug]		libbind: tighten the constraints on when
 			struct addrinfo._ai_pad exists.  [RT #15783]
 
+2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
+			New zone option "update-check-ksk yes;".  [RT #15817]
+
 2000.	[bug]		memmove()/strtol() fix was incomplete. [RT #15812]
 
+1999.	[func]		Implement "rrset-order fixed". [RT #13662]
+
 1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
 			This allows named to connect to entropy gathering
 			daemons that use fifos instead of sockets. [RT #15840]
@@ -212,6 +420,9 @@
 			when a positive one for the type was learnt.
 			[RT #15818]
 
+1996.	[bug]		nsupdate: if a zone has been specified it should
+			appear in the output of 'show'. [RT #15797]
+
 1995.	[bug]		'host' was reporting multiple "is an alias" messages.
 			[RT #15702]
 
@@ -221,6 +432,9 @@
 			after the timestamp if "print-time yes" was specified.
 			[RT #15844]
 
+1992.	[bug]		Not all incoming zone transfer messages included the
+			view.  [RT #15825]
+
 1991.	[cleanup]	The configuration data, once read, should be treated
 			as readonly.  Expand the use of const to enforce this
 			at compile time. [RT #15813]
@@ -232,6 +446,13 @@
 1989.	[bug]		win32: don't check the service password when
 			re-installing. [RT #15882]
 
+1988.	[bug]		Remove a bus error from the SHA256/SHA512 support.
+			[RT #15878]
+
+1987.	[func]		DS/DLV SHA256 digest algorithm support. [RT #15608]
+
+1986.	[func]		Report when a zone is removed. [RT #15849]
+
 1985.	[protocol]	DLV has now been assigned a official type code of
 			32769. [RT #15807]
 
@@ -243,6 +464,12 @@
 			zone.  You do not however have to upgrade all
 			servers for a zone with DLV records simultaniously.
 
+1984.	[func]		dig, nslookup and host now advertise a 4096 byte
+			EDNS UDP buffer size by default. [RT #15855]
+
+1983.	[func]		Two new update policies.  "selfsub" and "selfwild".
+			[RT #12895]
+
 1982.	[bug]		DNSKEY was being accepted on the parent side of
 			a delegation.  KEY is still accepted there for
 			RFC 3007 validated updates. [RT #15620]
@@ -250,6 +477,9 @@
 1981.	[bug]		win32: condition.c:wait() could fail to reattain
 			the mutex lock.
 
+1980.	[func]		dnssec-signzone: output the SOA record as the
+			first record in the signed zone. [RT #15758]
+
 1979.	[port]		linux: allow named to drop core after changing
 			user ids. [RT #15753]
 
@@ -266,6 +496,9 @@
 1974.	[doc]		List each of the zone types and associated zone
 			options seperately in the ARM.
 
+1973.	[func]		TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
+			HMACSHA512 support. [RT #13606]
+
 1972.	[contrib]	DBUS dynamic forwarders integation from
 			Jason Vas Dias <jvdias@redhat.com>.
 
@@ -280,9 +513,16 @@
 
 1968.	[bug]		Missing lock in resolver.c:validated(). [RT #15739]
 
+1967.	[func]		dig/nslookup/host: warn about missing "QR". [RT #15779]
+
 1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
 			[RT #15727]
 
+1965.	[func]		Suppress spurious "recusion requested but not
+			available" warning with 'dig +qr'. [RT #15780].
+
+1964.	[func]		Seperate out MX and SRV to CNAME checks. [RT #15723]
+
 1963.	[port]		Tru64 4.0E doesn't support send() and recv(). 
 			[RT #15586]
 
@@ -295,6 +535,10 @@
 1960.	[bug]		Update code should set NSEC ttls from SOA MINIMUM.
 			[RT #15465]
 
+1959.	[func]		Control the zeroing of the negative response TTL to
+			a soa query.  Defaults "zero-no-soa-ttl yes;" and
+			"zero-no-soa-ttl-cache no;". [RT #15460]
+
 1958.	[bug]		Named failed to update the zone's secure state
 			until the zone was reloaded. [RT #15412]
 
@@ -307,6 +551,15 @@
 
 1955.	[bug]		Pre-allocate the cache cleaning interator. [RT #14998]
 
+1954.	[func]		Named now falls back to advertising EDNS with a
+			512 byte receive buffer if the initial EDNS queries
+			fail.  [RT #14852]
+
+1953.	[func]		The maximum EDNS UDP response named will send can
+			now be set in named.conf (max-udp-size).  This is
+			independent of the advertised receive buffer
+			(edns-udp-size). [RT #14852]
+
 1952.	[port]		hpux: tell the linker to build a runtime link
 			path "-Wl,+b:". [RT #14816].
 
@@ -318,19 +571,36 @@
 			a TCP socket. This prevents the source address being
 			set for TCP connections. [RT #15628]
 
+1949.	[func]		Addition memory leakage checks. [RT #15544]
+
 1948.	[bug]		If was possible to trigger a REQUIRE failure in
 			xfrin.c:maybe_free() if named ran out of memory.
 			[RT #15568]
 
+1947.	[func]		It is now possible to configure named to accept
+			expired RRSIGs.  Default "dnssec-accept-expired no;".
+			Setting "dnssec-accept-expired yes;" leaves named
+			vulnerable to replay attacks.  [RT #14685]
+
 1946.	[bug]		resume_dslookup() could trigger a REQUIRE failure
 			when using forwarders. [RT #15549]
 
+1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is nolonger recommended.
+			To generate a RSAMD5 key you must explicitly request
+			RSAMD5. [RT #13780]
+			
 1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
 			[RT #15522]
 
 1943.	[bug]		Set the loadtime after rolling forward the journal.
 			[RT #15647]
 
+1597.	[func]		Allow notify-source and query-source to be specified
+			on a per server basis similar to transfer-source.
+			[RT #6496]
+
+	--- 9.4.0a3 released ---
+
 1942.	[bug]		If the name of a DNSKEY match that of one in
 			trusted-keys do not attempt to validate the DNSKEY
 			using the parents DS RRset. [RT #15649]
@@ -341,31 +611,46 @@
 1940.	[bug]		Fixed a number of error conditions reported by
 			Coverity.
 
-1939.	[bug]           The resolver could dereference a null pointer after
+1939.	[bug]		The resolver could dereference a null pointer after
 			validation if all the queries have timed out.
 			[RT #15528]
 
 1938.	[bug]		The validator was not correctly handling unsecure
 			negative responses at or below a SEP. [RT #15528]
 
+1937.	[bug]		sdlz doesn't handle RRSIG records. [RT #15564]
+
+1936.	[bug]		The validator could leak memory. [RT #15544]
+
+1935.	[bug]		'acache' was DO sensitive. [RT #15430]
+
+1934.	[func]		Validate pending NS RRsets, in the authority section,
+			prior to returning them if it can be done without
+			requiring DNSKEYs to be fetched.  [RT #15430]
+
 1919.	[contrib]	queryperf: a set of new features: collecting/printing
 			response delays, printing intermediate results, and
 			adjusting query rate for the "target" qps.
 
-	--- 9.3.2 released ---
+	--- 9.4.0a2 released ---
 
-	--- 9.3.2rc1 released ---
-
-1936.	[bug]		The validator could leak memory. [RT #15544]
+1933.	[bug]		dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
 
 1932.	[bug]		hpux: LDFLAGS was getting corrupted. [RT #15530]
 
-	--- 9.3.2b2 released ---
+1931.	[bug]		Per-client mctx could require a huge amount of memory,
+			particularly for a busy caching server. [RT #15519]
 
 1930.	[port]		HPUX: ia64 support. [RT #15473]
 
 1929.	[port]		FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
 
+1928.	[bug]		Race in rbtdb.c:currentversion(). [RT #15517]
+
+1927.	[bug]		Access to soanode or nsnode in rbtdb violated the
+			lock order rule and could cause a dead lock.
+			[RT# 15518]
+
 1926.	[bug]		The Windows installer did not check for empty
 			passwords.  BINDinstall was being installed in
 			the wrong place. [RT #15483]
@@ -377,17 +662,35 @@
 
 1923.	[bug]		ns_client_detach() called too early. [RT #15499]
 
-	--- 9.3.2b1 released ---
+1922.	[bug]		check-tool.c:setup_logging() missing call to
+			dns_log_setcontext().
+
+1921.	[bug]		Client memory contexts were not using internal
+			malloc. [RT# 15434]
+
+1920.	[bug]		The cache rbtdb lock array was too small to
+			have the desired performance characteristics.
+			[RT #15454]
+
+	--- 9.4.0a1 released ---
+
+1918.	[bug]		Memory leak when checking acls. [RT #15391]
 
 1917.	[doc]		funcsynopsisinfo wasn't being treated as verbatim
 			when generating man pages. [RT #15385]
 
+1916.	[func]		Integrate contibuted IDN code from JPNIC. [RT #15383]
+
 1915.	[bug]		dig +ndots was broken. [RT #15215]
 
 1914.	[protocol]	DS is required to accept mnemonic algorithms
 			(RFC 4034).  Still emit numeric algorithms for
 			compatability with RFC 3658. [RT #15354]
 
+1913.	[func]		Integrate contibuted DLZ code into named. [RT #11382]
+
+1912.	[port]		aix: atomic locking for powerpc. [RT #15020]
+
 1911.	[bug]		Update windows socket code. [RT #14965]
 
 1910.	[bug]		dig's +sigchase code overhauled. [RT #14933]
@@ -395,44 +698,113 @@
 1909.	[bug]		The DLV code has been re-worked to make no longer
 			query order sensitive. [RT #14933]
 
+1908.	[func]		dig now warns if 'RA' is not set in the answer when
+			'RD' was set in the query.  host/nslookup skip servers
+			that fail to set 'RA' when 'RD' is set unless a server
+			is explicitly set.  [RT #15005]
+
+1907.	[func]		host/nslookup now continue (default)/fail on SERVFAIL.
+			[RT #15006]
+
+1906.	[func]		dig now has a '-q queryname' and '+showsearch' options.
+			[RT #15034]
+
 1905.	[bug]		Strings returned from cfg_obj_asstring() should be
-                        treated as read-only.  [RT #15256]
+			treated as read-only.  The prototype for 
+			cfg_obj_asstring() has been updated to reflect this.
+			[RT #15256]
+
+1904.	[func]		Automatic empty zone creation for D.F.IP6.ARPA and
+			friends.  Note: RFC 1918 zones are not yet covered by
+			this but are likely to be in a future release.
+
+			New options: empty-server, empty-contact,
+			empty-zones-enable and disable-empty-zone.
+
+1903.	[func]		ISC string copy API.
+
+1902.	[func]		Attempt to make the amount of work performed in a
+			iteration self tuning.  The covers nodes clean from
+			the cache per iteration, nodes written to disk when
+			rewriting a master file and nodes destroyed per
+			iteration when destroying a zone or a cache.
+			[RT #14996]
 
 1901.	[cleanup]	Don't add DNSKEY records to the additional section.
 
 1900.	[bug]		ixfr-from-differences failed to ensure that the
 			serial number increased. [RT #15036]
 
-1896.	[bug]		Extend ISC_SOCKADDR_FORMATSIZE and
+1899.	[func]		named-checkconf now validates update-policy entries.
+			[RT #14963]
+
+1898.	[bug]		Extend ISC_SOCKADDR_FORMATSIZE and
 			ISC_NETADDR_FORMATSIZE to allow for scope details.
 
-1894.	[bug]		Recursive clients soft quota support wasn't working
+1897.	[func]		x86 and x86_64 now have seperate atomic locking
+			implementations.
+
+1896.	[bug]		Recursive clients soft quota support wasn't working
 			as expected. [RT #15103]
 
-1893.	[bug]		A escaped character is, potentially, converted to
+1895.	[bug]		A escaped character is, potentially, converted to
 			the output character set too early. [RT #14666]
 
-1892.	[port]		Use uintptr_t if available. [RT #14606]
+1894.	[doc]		Review ARM for BIND 9.4.
+
+1893.	[port]		Use uintptr_t if available. [RT #14606]
+
+1892.	[func]		Support for SPF rdata type. [RT #15033]
+
+1891.	[port]		freebsd: pthread_mutex_init can fail if it runs out
+			of memory. [RT #14995]
+
+1890.	[func]		Raise the UDP recieve buffer size to 32k if it is
+			less than 32k. [RT #14953]
 
 1889.	[port]		sunos: non blocking i/o support. [RT #14951]
 
+1888.	[func]		Support for IPSECKEY rdata type. [RT #14967]
+
 1887.	[bug]		The cache could delete expired records too fast for
 			clients with a virtual time in the past. [RT #14991]
 
 1886.	[bug]		fctx_create() could return success even though it
 			failed. [RT #14993]
 
+1885.	[func]		dig: report the number of extra bytes still left in
+			the packet after processing all the records.
+
 1884.	[cleanup]	dighost.c: move external declarations into <dig/dig.h>.
 
 1883.	[bug]		dnssec-signzone, dnssec-keygen: handle negative debug
 			levels. [RT #14962]
 
+1882.	[func]		Limit the number of recursive clients that can be
+			waiting for a single query (<qname,qtype,qclass>) to
+			resolve.  New options clients-per-query and
+			max-clients-per-query.
+
 1881.	[func]		Add a system test for named-checkconf. [RT #14931]
 
+1880.	[func]		The lame cache is now done on a <qname,qclass,qtype>
+			basis as some servers only appear to be lame for
+			certain query types.  [RT #14916]
+
+1879.	[func]		"USE INTERNAL MALLOC" is now runtime selectable.
+			[RT #14892]
+
+1878.	[func]		Detect duplicates of UDP queries we are recursing on
+			and drop them.  New stats category "duplicates".
+			[RT #2471]
+
 1877.	[bug]		Fix unreasonably low quantum on call to
 			dns_rbt_destroy2().  Remove unnecessay unhash_node()
 			call. [RT #14919]
 
+1876.	[func]		Additional memory debugging support to track size
+			and mctx arguments. [RT #14814]
+
 1875.	[bug]		process_dhtkey() was using the wrong memory context
 			to free some memory. [RT #14890]
 
@@ -443,6 +815,15 @@
 
 1872.	[port]		win32: Handle ERROR_NETNAME_DELETED.  [RT #13753]
 
+1870.	[func]		Added framework for handling multiple EDNS versions.
+			[RT #14873]
+
+1869.	[func]		dig can now specify the EDNS version when making
+			a query. [RT #14873]
+
+1868.	[func]		edns-udp-size can now be overridden on a per
+			server basis. [RT #14851]
+
 1867.	[bug]		It was possible to trigger a INSIST in
 			dlv_validatezonekey(). [RT #14846]
 
@@ -458,12 +839,21 @@
 
 1863.	[bug]		rrset-order "fixed" error messages not complete.
 
+1862.	[func]		Add additional zone data constancy checks.
+			named-checkzone has extended checking of NS, MX and 
+			SRV record and the hosts they reference.
+			named has extended post zone load checks.
+			New zone options: check-mx and integrity-check. 
+			[RT #4940]
+
 1861.	[bug]		dig could trigger a INSIST on certain malformed
 			responses. [RT #14801]
 
 1860.	[port]		solaris 2.8: hack_shutup_pthreadmutexinit was
 			incorrectly set. [RT #14775]
 
+1859.	[func]		Add support for CH A record. [RT #14695]
+
 1858.	[bug]		The flush-zones-on-shutdown option wasn't being
 			parsed. [RT #14686]
 
@@ -486,6 +876,8 @@
 1852.	[cleanup]	Remove last vestiges of dnssec-signkey and
 			dnssec-makekeyset (removed from Makefile years ago).
 
+1851.	[doc]		Doxygen comment markup. [RT #11398]
+
 1850.	[bug]		Memory leak in lwres_getipnodebyaddr(). [RT #14591]
 
 1849.	[doc]		All forms of the man pages (docbook, man, html) should
@@ -520,6 +912,9 @@
 1841.	[bug]		"dig +nssearch" now makes a recursive query to
 			find the list of nameservers to query. [RT #13694]
 
+1840.	[func]		dnssec-signzone can now randomize signature end times
+			(dnssec-signzone -j jitter). [RT #13609]
+
 1839.	[bug]		<isc/hash.h> was not being installed.
 
 1838.	[cleanup]	Don't allow Linux capabilities to be inherited.
@@ -564,16 +959,23 @@
 
 1822.	[bug]		check-names test for RT was reversed. [RT #13382]
 
-1821.	[doc]		acls definitions are no longer required to be 
-			in named.conf prior to reference.  They can be
-			defined after being referenced.
-
 1820.	[bug]		Gracefully handle acl loops. [RT #13659]
 
 1819.	[bug]		The validator needed to check both the algorithm and
 			digest types of the DS to determine if it could be
 			used to introduce a secure zone. [RT #13593]
 
+1818.	[bug]		'named-checkconf -z' triggered an INSIST. [RT #13599]
+
+1817.	[func]		Add support for additional zone file formats for
+			improving loading performance.  The masterfile-format
+			option in named.conf can be used to specify a
+			non-default format.  A separate command
+			named-compilezone was provided to generate zone files
+			in the new format.  Additionally, the -I and -O options
+			for dnssec-signzone specify the input and output
+			formats.
+
 1816.	[port]		UnixWare: failed to compile lib/isc/unix/net.c.
 			[RT #13597]
 
@@ -581,6 +983,21 @@
 			without also setting the zone and it encountered
 			a CNAME and was using TSIG.  [RT #13086]
 
+1814.	[func]		UNIX domain controls are now supported.
+
+1813.	[func]		Restructured the data locking framework using
+			architecture dependent atomic operations (when
+			available), improving response performance on
+			multi-processor machines significantly.
+			x86, x86_64, alpha, powerpc, and mips are currently
+			supported.
+
+1812.	[port]		win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
+			[RT #13453]
+
+1811.	[func]		Preserve the case of domain names in rdata during
+			zone transfers. [RT #13547]
+
 1810.	[bug]		configure, lib/bind/configure make different default
 			decisions about whether to do a threaded build.
 			[RT #13212]
@@ -588,9 +1005,19 @@
 1809.	[bug]		"make distclean" failed for libbind if the platform
 			is not supported.
 
+1808.	[bug]		zone.c:notify_zone() contained a race condition,
+			zone->db could change underneath it.  [RT #13511]
+
 1807.	[bug]		When forwarding (forward only) set the active domain
 			from the forward zone name. [RT #13526]
-			
+
+1806.	[bug]		The resolver returned the wrong result when a CNAME /
+			DNAME was encountered when fetching glue from a
+			secure namespace. [RT #13501]
+
+1805.	[bug]		Pending status was not being cleared when DLV was
+			active. [RT #13501]
+
 1804.	[bug]		Ensure that if we are queried for glue that it fits
 			in the additional section or TC is set to tell the
 			client to retry using TCP. [RT #10114]
@@ -600,40 +1027,36 @@
 
 1802.	[bug]		Handle connection resets better. [RT #11280]
 
-1799.	[bug]		'rndc flushname' failed to flush negative cache
-			entries. [RT #13438]
-
-1795.	[bug]		"rndc dumpdb" was not fully documented.  Minor
-			formating issues with "rndc dumpdb -all".  [RT #13396]
+1801.	[func]		Report differences between hints and real NS rrset
+			and associated address records.
 
-1791.	[bug]		'host -t a' still printed out AAAA and MX records.
-			[RT #13230]
-
-	--- 9.3.1 released ---
+1800.	[bug]		Changes #1719 allowed a INSIST to be triggered.
+			[RT #13428]
 
-1818.	[bug]		'named-checkconf -z' triggered an INSIST. [RT #13599]
+1799.	[bug]		'rndc flushname' failed to flush negative cache
+			entries. [RT #13438]
 
-	--- 9.3.1rc1 released ---
+1798.	[func]		The server syntax has been extended to support a
+			range of servers.  [RT #11132]
 
-1812.	[port]		win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
-			[RT #13453]
+1797.	[func]		named-checkconf now check acls to verify that they
+			only refer to existing acls. [RT #13101]
 
-1808.	[bug]		zone.c:notify_zone() contained a race condition,
-			zone->db could change underneath it.  [RT #13511]
+1796.	[func]		"rndc freeze/thaw" now freezes/thaws all zones.
 
-1806.	[bug]		The resolver returned the wrong result when a CNAME /
-			DNAME was encountered when fetching glue from a
-			secure namespace. [RT #13501]
+1795.	[bug]		"rndc dumpdb" was not fully documented.  Minor
+			formating issues with "rndc dumpdb -all".  [RT #13396]
 
-1805.	[bug]		Pending status was not being cleared when DLV was
-			active. [RT #13501]
+1794.	[func]		Named and named-checkzone can now both check for
+			non-terminal wildcard records.
 
-	--- 9.3.1beta2 released ---
+1793.	[func]		Extend adjusting TTL warning messages. [RT #13378]
 
-1800.	[bug]		Changes #1719 allowed a INSIST to be triggered.
-			[RT #13428]
+1792.	[func]		New zone option "notify-delay".  Specify a minimum
+			delay between sets of NOTIFY messages.
 
-	--- 9.3.1beta1 released ---
+1791.	[bug]		'host -t a' still printed out AAAA and MX records.
+			[RT #13230]
 
 1790.	[cleanup]	Move lib/dns/sec/dst up into lib/dns.  This should
 			allow parallel make to succeed.
@@ -706,6 +1129,9 @@
 			if there was no SOA record in the replacment db.
 			[RT #13016]
 
+1763.	[func]		Perform sanity checks on NS records which refer to
+			'in zone' names. [RT #13002]
+
 1762.	[bug]		isc_interfaceiter_create() could return ISC_R_SUCCESS
 			even when it failed. [RT #12995]
 
@@ -718,6 +1144,16 @@
 1759.	[bug]		Named failed to startup if the OS supported IPv6
 			but had no IPv6 interfaces configured. [RT #12942]
 
+1758.	[func]		Don't send notify messages to self. [RT #12933]
+
+1757.	[func]		host now can turn on memory debugging flags with '-m'.
+
+1756.	[func]		named-checkconf now checks the logging configuration.
+			[RT #12352]
+
+1755.	[func]		allow-update is now settable at the options / view
+			level. [RT #6636]
+
 1754.	[bug]		We wern't always attempting to query the parent
 			server for the DS records at the zone cut.
 			[RT #12774]
@@ -737,9 +1173,14 @@
 1749.	[bug]		'check-names response ignore;' failed to ignore.
 			[RT #12866]
 
+1748.	[func]		dig now returns the byte count for axfr/ixfr.
+			
 1747.	[bug]		BIND 8 compatability: named/named-checkconf failed
 			to parse "host-statistics-max" in named.conf.
 
+1746.	[func]		Make public the function to read a key file,
+			dst_key_read_public(). [RT #12450]
+
 1745.	[bug]		Dig/host/nslookup accept replies from link locals
 			regardless of scope if no scope was specified when
 			query was sent. [RT #12745]
@@ -796,6 +1237,8 @@
 1730.	[port]		Determine the length type used by the socket API.
 			[RT #12581]
 
+1729.	[func]		Improve check-names error messages.
+
 1728.	[doc]		Update check-names documentation.
 
 1727.	[bug]		named-checkzone: check-names support didn't match
@@ -833,6 +1276,9 @@
 1716.	[doc]		named.conf(5) was being installed in the wrong
 			location.  [RT# 12441]
 
+1715.	[func]		'dig +trace' now randomly selects the next servers
+			to try.  Report if there is a bad delegation.
+
 1714.	[bug]		dig/host/nslookup were only trying the first
 			address when a nameserver was specified by name.
 			[RT #12286]
@@ -843,13 +1289,12 @@
 
 1712.	[bug]		Missing FULLCHECK for "trusted-key" in dig.
 
-	--- 9.3.0 released ---
-
 1711.	[func]		'rndc unfreeze' has been deprecated by 'rndc thaw'.
 
-	--- 9.3.0rc4 released ---
+1710.	[func]		'rndc notify zone [class [view]]' resend the NOTIFY
+			messages for the specified zone. [RT #9479]
 
-1709.	[port]		solaris: add SMF support.
+1709.	[port]		solaris: add SMF support from Sun.
 
 1708.	[cleanup]	Replaced dns_fullname_hash() with dns_name_fullhash()
 			for conformance to the name space convention.  Binary
@@ -861,6 +1306,8 @@
 1706.	[bug]		'rndc stop' failed to cause zones to be flushed
 			sometimes. [RT #12328]
 
+1705.	[func]		Allow the journal's name to be changed via named.conf.
+
 1704.	[port]		lwres needed a snprintf() implementation for
 			platforms without snprintf().  Add missing
 			"#include <isc/print.h>". [RT #12321]
@@ -885,8 +1332,6 @@
 			specified one of listening addresses and a
 			different port than the listening port. [RT #12257]
 
-	--- 9.3.0rc3 released ---
-
 1696.	[bug]		dnssec-signzone failed to clean out nodes that
 			consisted of only NSEC and RRSIG records.
 			[RT #12154]
@@ -918,10 +1363,11 @@
 1686.	[bug]		Named sent a extraneous NOTIFY when it received a
 			redundant UPDATE request. [RT #11943]
 
-	--- 9.3.0rc2 released ---
-
 1685.	[bug]		Change #1679 loop tests weren't quite right.
 
+1684.	[func]		ixfr-from-differences now takes master and slave in
+			addition to yes and no at the options and view levels.
+
 1683.	[bug]		dig +sigchase could leak memory. [RT #11445]
 
 1682.	[port]		Update configure test for (long long) printf format.
@@ -930,6 +1376,8 @@
 1681.	[bug]		Only set SO_REUSEADDR when a port is specified in
 			isc_socket_bind(). [RT #11742]
 
+1680.	[func]		rndc: the source address can now be specified.
+
 1679.	[bug]		When there was a single nameserver with multiple
 			addresses for a zone not all addresses were tried.
 			[RT #11706]
@@ -938,6 +1386,13 @@
 
 1677.	[bug]		dig: +aaonly didn't work, +aaflag undocumented.
 
+1676.	[func]		New option "allow-query-cache".  This lets
+			allow-query be used to specify the default zone
+			access level rather than having to have every
+			zone override the global value.  allow-query-cache
+			can be set at both the options and view levels.
+			If allow-query-cache is not set allow-query applies.
+
 1675.	[bug]		named would sometimes add extra NSEC records to
 			the authority section.
 			
@@ -963,21 +1418,22 @@
 1666.	[bug]		The optional port on hostnames in dual-stack-servers
 			was being ignored.
 
+1665.	[func]		rndc now allows addresses to be set in the
+			server clauses.
+
+1664.	[bug]		nsupdate needed KEY for SIG(0), not DNSKEY.
+
 1663.	[func]		Look for OpenSSL by default.
 
+1662.	[bug]		Change #1658 failed to change one use of 'type'
+			to 'keytype'.
+
 1661.	[bug]		Restore dns_name_concatenate() call in
 			adb.c:set_target().  [RT #11582]
 
 1660.	[bug]		win32: connection_reset_fix() was being called
 			unconditionally.  [RT #11595]
 
-	--- 9.3.0rc1 released ---
-
-1664.	[bug]		nsupdate needed KEY for SIG(0), not DNSKEY.
-
-1662.	[bug]		Change #1658 failed to change one use of 'type'
-			to 'keytype'.
-
 1659.	[cleanup]	Cleanup some messages that were referring to KEY vs
 			DNSKEY, NXT vs NSEC and SIG vs RRSIG.
 
@@ -1034,8 +1490,6 @@
 
 1641.	[bug]		Update the check-names description in ARM. [RT #11389]
 
-	--- 9.3.0beta4 released ---
-
 1640.	[bug]		win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
 			incorrectly closing the socket.  [RT #11291]
 
@@ -1080,12 +1534,6 @@
 1625.	[bug]		named failed to load/transfer RFC2535 signed zones
 			which contained CNAMES. [RT# 11237]
 
-1606.	[bug]	 	DLV insecurity proof was failing.
-
-1605.	[func]		New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
-
-	--- 9.3.0beta3 released ---
-
 1624.	[bug]		zonemgr_putio() call should be locked. [RT# 11163]
 
 1623.	[bug]		A serial number of zero was being displayed in the
@@ -1130,16 +1578,6 @@
 			address type to be looked up with "@server".
 			[RT #11069]
 
-1600.	[bug]		Duplicate zone pre-load checks were not case
-			insensitive.
-
-1599.	[bug]		Fix memory leak on error path when checking named.conf.
-
-1598.	[func]		Specify that certain parts of the namespace must
-			be secure (dnssec-must-be-secure).
-
-	--- 9.3.0beta2 released ---
-
 1609.	[func]		dig now has support to chase DNSSEC signature chains.
 			Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
 
@@ -1153,6 +1591,10 @@
 1607.	[bug]		dig, host and nslookup were still using random()
 			to generate query ids. [RT# 11013]
 
+1606.	[bug]	 	DLV insecurity proof was failing.
+
+1605.	[func]		New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
+
 1604.	[bug]		A xfrout_ctx_create() failure would result in
 			xfrout_ctx_destroy() being called with a
 			partially initialized structure.
@@ -1167,15 +1609,26 @@
 			"allow-recursion" active' warning from view "_bind".
 			[RT# 10920]
 
+1600.	[bug]		Duplicate zone pre-load checks were not case
+			insensitive.
+
+1599.	[bug]		Fix memory leak on error path when checking named.conf.
+
+1598.	[func]		Specify that certain parts of the namespace must
+			be secure (dnssec-must-be-secure).
+
+1596.	[func]		Accept 'notify-source' style syntax for query-source.
+
+1595.	[func]		New notify type 'master-only'.  Enable notify for
+			master zones only.
+
 1594.	[bug]		'rndc dumpdb' could prevent named from answering
 			queries while the dump was in progress.  [RT #10565]
 
 1593.	[bug]		rndc should return "unknown command" to unknown
 			commands. [RT# 10642]
 
-	--- 9.3.0beta1 released ---
-
-1592.	[bug]		configure_view() could leak a dispatch. [RT #10675]
+1592.	[bug]		configure_view() could leak a dispatch. [RT# 10675]
 
 1591.	[bug]		libbind: updated to BIND 8.4.5.
 
@@ -1190,6 +1643,8 @@
 
 1586.	[func]		"check-names" is now implemented.
 
+1585.	[placeholder]
+
 1584.	[bug]		"make test" failed with a read only source tree.
 			[RT #10461]
 
@@ -1320,6 +1775,8 @@
 
 1543.	[bug]		Logging using "versions unlimited" did not work.
 
+1542.	[placeholder]
+
 1541.	[func]		NSEC now uses new bitmap format.
 
 1540.	[bug]		"rndc reload <dynamiczone>" was silently accepted.
@@ -1328,12 +1785,16 @@
 1539.	[bug]		Open UDP sockets for notify-source and transfer-source
 			that use reserved ports at startup. [RT #9475]
 
+1538.	[placeholder]	rt9997
+
 1537.	[func]		New option "querylog".  If set specify whether query
 			logging is to be enabled or disabled at startup.
 
 1536.	[bug]		Windows socket code failed to log a error description
 			when returning ISC_R_UNEXPECTED. [RT #9998]
 
+1535.	[placeholder]
+
 1534.	[bug]		Race condition when priming cache. [RT# 9940]
 
 1533.	[func]		Warn if both "recursion no;" and "allow-recursion"
@@ -1357,6 +1818,12 @@
 1527.	[cleanup]	Reduce the number of gettimeofday() calls without
 			losing necessary timer granularity.
 
+1526.	[func]		Implemented "additional section caching (or acache)",
+			an internal cache framework for additional section
+			content to improve response performance.  Several
+			configuration options were provided to control the
+			behavior.
+
 1525.	[bug]		dns_cache_create() could trigger a REQUIRE
 			failure in isc_mem_put() during error cleanup.
 			[RT# 9360]
@@ -1435,581 +1902,12 @@
 1500.	[bug]		host failed to lookup MX records.  Also look up
 			AAAA records.
 
-1475.	[port]		Probe for old sprintf().
-
-1474.	[port]		Provide strtoul() and memmove() for platforms
-			without them.
-
-1469.	[func]		Log end of outgoing zone transfer at same level
-			as the start of transfer is logged. [RT #4441]
-
-1468.	[func]		Internal zones are no longer counted for
-			'rndc status'.  [RT #4706]
-
-1467.	[func]		$GENERATES now supports optional class and ttl.
-
-1458.	[cleanup]	sprintf() -> snprintf().
-
-1457.	[port]		Provide strlcat() and strlcpy() for platforms without
-			them.
-
-1455.	[bug]		<netaddr> missing from server grammar in
-			doc/misc/options. [RT #5616]
-
-1454.	[port]		Use getifaddrs() if available for interface scanning.
-			--disable-getifaddrs to override.  Glibc currently
-			has a getifaddrs() that does not support IPv6.
-			Use --enable-getifaddrs=glibc to force the use of
-			this version under linux machines.
-
-1446.	[func]		Implemented undocumented alternate transfer sources
-			from BIND 8.  See use-alt-transfer-source,
-			alt-transfer-source and alt-transfer-source-v6.
-
-			SECURITY: use-alt-transfer-source is ENABLED unless
-			you are using views.  This may cause a security risk
-			resulting in accidental disclosure of wrong zone
-			content if the master supplying different source
-			content based on IP address.  If you are not certain
-			ISC recommends setting use-alt-transfer-source no;
-
-1444.	[func]		dns_view_findzonecut2() allows you to specify if the
-			cache should be searched for zone cuts.
-
-1443.	[func]		Masters lists can now be specified and referenced
-			in zone masters clauses and other masters lists.
-
-1442.	[func]		New functions for manipulating port lists:
-			dns_portlist_create(), dns_portlist_add(),
-			dns_portlist_remove(), dns_portlist_match(),
-			dns_portlist_attach() and dns_portlist_detach().
-
-1441.	[func]		It is now possible to tell dig to bind to a specific
-			source port.
-
-1440.	[func]		It is now possible to tell named to avoid using
-			certain source ports (avoid-v4-udp-ports,
-			avoid-v6-udp-ports).
-
-1438.	[func]		Log TSIG (if any) when logging NOTIFY requests.
-
-1436.	[func]		dns_zonemgr_resumexfrs() can be used to restart
-			stalled transfers.
-
-1433.	[bug]		named could trigger a REQUIRE failure if it could
-			not get a file descriptor when attempting to write
-			a master file. [RT #4347]
-
-1432.	[func]		The advertised EDNS UDP buffer size can now be set
-			via named.conf (edns-udp-size).
-
-1430.	[port]		linux: IPv6 interface scanning support.
-
-1422.	[func]		Log name/type/class when denying a query.  [RT #4663]
-
-1421.	[func]		Differentiate updates that don't succeed due to
-			prerequisites (unsuccessful) vs other reasons
-			(failed).
-
-1417.	[func]		ID.SERVER/CHAOS is now a built in zone.
-			See "server-id" for how to configure.
-
-1415.	[func]		DS TTL now derived from NS ttl.  NXT TTL now derived
-			from SOA MINIMUM.
-
-1414.	[func]		Support for KSK flag.
-
-1413.	[func]		Explicitly request the (re-)generation of DS records
-			from keysets (dnssec-signzone -g).
-
-1412.	[func]		You can now specify servers to be tried if a nameserver
-			has IPv6 address and you only support IPv4 or the
-			reverse. See dual-stack-servers.
-
-1410.	[func]		Handle records that live in the parent zone, e.g. DS.
-
-1409.	[bug]		DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
-
-1404.	[bug]		libbind: ns_name_ntol() could overwrite a zero length
-			buffer.
-
-1403.	[func]		dnssec-signzone, dnssec-keygen, dnssec-makekeyset
-			dnssec-signkey now report their version in the
-			usage message.
-
-1402.	[cleanup]	A6 has been moved to experimental and is no longer
-			fully supported.
-
-1400.	[bug]		Block the addition of wildcard NS records by IXFR
-			or UPDATE. [RT #3502]
-
-1398.	[doc]		ARM: notify-also should have been also-notify.
-			[RT #4345]
-
-1396.	[func]		dnssec-signzone: adjust the default signing time by
-			1 hour to allow for clock skew.
-
-1394.	[func]		It is now possible to check if a particular element is
-			in a acl.  Remove duplicate entries from the localnets
-			acl.
-
-1393.	[port]		Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
-			is not available in the kernel to prevent accidently
-			listening on IPv4 interfaces.
-
-1392.	[bug]		named-checkzone: update usage.
-
-1391.	[func]		Add support for IPv6 scoped addresses in named.
-
-1390.	[func]		host now supports ixfr.
-
-1386.	[bug]		named-checkzone -z stopped on errors in a zone.
-			[RT #3653]
-
-1383.	[func]		Track the serial number in a IXFR response and log if
-			a mismatch occurs.  This is a more specific error than
-			"not exact". [RT #3445]
-
-1380.	[func]		'rndc recursing' dump recursing queries to
-			'recursing-file = "named.recursing";'.
-
-1379.	[func]		'rndc status' now reports tcp and recursion quota
-			states.
-
-1378.	[func]		Improved positive feedback for 'rndc {reload|refresh}.
-
-1377.	[func]		dns_zone_load{new}() now reports if the zone was
-			loaded, queued for loading to up to date.
-
-1376.	[func]		New function dns_zone_logc() to log to specified
-			category.
-
-1375.	[func]		'rndc dumpdb' now dumps the adb cache along with the
-			data cache.
-
-1374.	[func]		dns_adb_dump() now logs the lame zones associated
-			with each server.
-
-1371.	[bug]		notify-source-v6, transfer-source-v6 and
-			query-source-v6 with explicit addresses and using the
-			same ports as named was listening on could interfere
-			with named's ability to answer queries sent to those
-			addresses.
-
-1368.	[func]		remove support for bitstring labels.
-
-1367.	[func]		Use response times to select forwarders.
-
-1365.	[func]		"localhost" and "localnets" acls now include IPv6
-			addresses / prefixes.
-
-1364.	[func]		Log file name when unable to open memory statistics
-			and dump database files. [RT# 3437]
-
-1363.	[func]		Listen-on-v6 now supports specific addresses.
-
-1362.	[bug]		remove IFF_RUNNING test when scanning interfaces.
-
-1361.	[func]		log the reason for rejecting a server when resolving
-			queries.
-
-1355.	[bug]		Fix DNSSEC wildcard proof for CNAME/DNAME.
-
-1344.	[func]		Log if the serial number on the master has gone
-			backwards.
-			If you have multiple machines specified in the masters
-			clause you may want to set 'multi-master yes;' to
-			suppress this warning.
-
-1343.	[func]		Log successful notifies received (info).  Adjust log
-			level for failed notifies to notice.
-
-1342.	[func]		Log remote address with TCP dispatch failures.
-
-1341.	[func]		Allow a rate limiter to be stalled.
-
-1339.	[func]		dig, host and nslookup now use IP6.ARPA for nibble
-			lookups.  Bit string lookups are no longer attempted.
-
-1336.	[func]		Nibble lookups under IP6.ARPA are now supported by
-			dns_byaddr_create().  dns_byaddr_createptrname() is
-			deprecated, use dns_byaddr_createptrname2() instead.
-
-1332.	[func]		Report the current serial with periodic commits when
-			rolling forward the journal.
-
-1331.	[func]		Generate DNSSEC wildcard proofs.
-
-1329.	[func]		named-checkzone will now check if nameservers that
-			appear to be IP addresses.  Available modes "fail",
-			"warn" (default) and "ignore" the results of the
-			check.
-
-1328.	[bug]		The validator could incorrectly verify an invalid
-			negative proof.
-
-1322.	[bug]		dnssec-signzone usage message was misleading.
-
-1321.	[bug]		If the last RRset in a zone is glue, dnssec-signzone
-			would incorrectly duplicate its output and sign it.
-
-1313.	[func]		Query log now says if the query was signed (S) or
-			if EDNS was used (E).
-
-1312.	[func]		Log TSIG key used w/ outgoing zone transfers.
-
-1309.	[func]		Log that a zone transfer was covered by a TSIG.
-
-1308.	[func]		DS (delegation signer) support.
-
-1304.	[func]		New function: dns_zone_name().
-
-1303.	[func]		Option 'flush-zones-on-shutdown <boolean>;'.
-
-1302.	[func]		Extended rndc dumpdb to support dumping of zones and
-			view selection: 'dumpdb [-all|-zones|-cache] [view]'.
-
-1301.	[func]		New category 'update-security'.
-
-1300.	[port]		Compaq Trucluster support.
-
-1293.	[func]		Entropy can now be retrieved from EGDs. [RT #2438]
-
-1292.	[func]		Enable IPv6 support when using ioctl style interface
-			scanning and OS supports SIOCGLIFADDR using struct
-			if_laddrreq.
-
-1291.	[func]		Enable IPv6 support when using sysctl style interface
-			scanning.
-
-1290.	[func]		"dig axfr" now reports the number of messages
-			as well as the number of records.
-
-1285.	[func]		lwres: probe the system to see what address families
-			are currently in use.
-
-1283.	[func]		Use "dataready" accept filter if available.
-
-1281.	[func]		Log zone when unable to get private keys to update
-			zone.  Log zone when NXT records are missing from
-			secure zone.
-
-1278.	[func]		dig: now supports +[no]cl +[no]ttlid.
-
-1277.	[func]		You can now create your own customized printing
-			styles: dns_master_stylecreate() and
-			dns_master_styledestroy().
-
-1271.	[bug]		"recursion available: {denied,approved}" was too
-			confusing.
-
-1267.	[func]		isc_file_openunique() now creates file using mode
-			0666 rather than 0600.
-
-1254.	[func]		preferred-glue option from BIND 8.3.
-
-1250.	[func]		Nsupdate will report the address the update was
-			sent to.
-
-1247.	[bug]		Don't reset the interface index for link/site local
-			addresses. [RT #2576]
-
-1246.	[func]		New functions isc_sockaddr_issitelocal(),
-			isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
-			and isc_netaddr_islinklocal().
-
-1243.	[bug]		It was possible to trigger a REQUIRE() in
-			dns_message_findtype(). [RT #2659]
-
-1235.	[func]		Report 'out of memory' errors from openssl.
-
-1234.	[bug]		contrib/sdb: 'zonetodb' failed to call
-			dns_result_register().  DNS_R_SEENINCLUDE should not
-			be fatal.
-
-1233.	[bug]		The flags field of a KEY record can be expressed in
-			hex as well as decimal.
-
-1226.	[func]		Use EDNS for zone refresh queries. [RT #2551]
-
-1225.	[func]		dns_message_setopt() no longer requires that
-			dns_message_renderbegin() to have been called.
-
-1224.	[bug]		'rrset-order' and 'sortlist' should be additive
-			not exclusive.
-
-1223.	[func]		'rrset-order' partially works 'cyclic' and 'random'
-			are supported.
-
-1220.	[func]		Support for APL rdata type.
-
-1219.	[func]		Named now reports the TSIG extended error code when
-			signature verification fails. [RT #1651]
-
-1217.	[func]		Report locations of previous key definition when a
-			duplicate is detected.
-
-1213.	[func]		Report view associated with client if it is not a
-			standard view (_default or _bind).
-
-1203.	[func]		Report locations of previous acl and zone definitions
-			when a duplicate is detected.
-
-1202.	[func]		New functions: cfg_obj_line() and cfg_obj_file().
-
-1192.	[bug]		The seconds fields in LOC records were restricted
-			to three decimal places.  More decimal places should
-			be allowed but warned about.
-
-1190.	[func]		Add the "rndc freeze" and "rndc unfreeze" commands.
-			[RT #2394]
-
-1187.	[bug]		named was incorrectly returning DNSSEC records
-			in negative responses when the DO bit was not set.
-
-1181.	[func]		Add the "key-directory" configuration statement,
-			which allows the server to look for online signing
-			keys in alternate directories.
-
-1180.	[func]		dnssec-keygen should always generate keys with
-			protocol 3 (DNSSEC), since it's less confusing
-			that way.
-
-1179.	[func]		Add SIG(0) support to nsupdate.
-
-1177.	[func]		Report view when loading zones if it is not a
-			standard view (_default or _bind). [RT #2270]
-
-1171.	[func]		Added function isc_region_compare(), updated files in
-			lib/dns to use this function instead of local one.
-
-1169.	[func]		Identify recursive queries in the query log.
-
-1163.	[func]		isc_time_formattimestamp() now includes the year.
-
-1159.	[bug]		MD and MF are not permitted to be loaded by RFC1123.
-
-1158.	[func]		Report the client's address when logging notify
-			messages.
-
-1157.	[func]		match-clients and match-destinations now accept
-			keys. [RT #2045]
-
-1155.	[func]		Recover from master files being removed from under
-			us.
-
-1153.	[func]		'rndc {stop|halt} -p' now reports the process id
-			of the instance of named being shutdown.
-
-1151.	[bug]		nslookup failed to check that the arguments to
-			the port, timeout, and retry options were
-			valid integers and in range. [RT #2099]
-
-1150.	[bug]		named incorrectly accepted TTL values
-			containing plus or minus signs, such as
-			1d+1h-1s.
-
-1149.	[func]		New function isc_parse_uint32().
-
-1148.	[func]		'rndc-confgen -a' now provides positive feedback.
-
-1147.	[func]		Set IPV6_V6ONLY on IPv6 sockets if supported by
-			the OS.  listen-on-v6 { any; }; should no longer
-			result in IPv4 queries be accepted.  Similarly
-			control { inet :: ... }; should no longer result
-			in IPv4 connections being accepted.  This can be
-			overridden at compile time by defining
-			ISC_ALLOW_MAPPED=1.
-
-1146.	[func]		Allow IPV6_IPV6ONLY to be set/cleared on a socket if
-			supported by the OS by a new function
-			isc_socket_ipv6only().
-
-1145.	[func]		"host" no longer reports a NOERROR/NODATA response
-			by printing nothing. [RT #2065]
-
-1143.	[bug]		When a trusted-keys statement was present and named
-			was built without crypto support, it would leak memory.
-
-1139.	[func]		It is now possible to flush a given name from the
-			cache(s) via 'rndc flushname name [view]'. [RT #2051]
-
-1138.	[func]		It is now possible to flush a given name from the
-			cache by calling the new function
-			dns_cache_flushname().
-
-1137.	[func]		It is now possible to flush a given name from the
-			ADB by calling the new function dns_adb_flushname().
-
-1135.	[func]		You can now override the default syslog() facility for
-			named/lwresd at compile time. [RT #1982]
-
-1132.	[func]		Improve UPDATE prerequisite failure diagnostic messages.
-
-1128.	[func]		sdb drivers can now provide RR data in either text
-			or wire format, the latter using the new functions
-			dns_sdb_putrdata() and dns_sdb_putnamedrdata().
-
-1127.	[func]		rndc: If the server to contact has multiple addresses,
-			try all of them.
-
-1119.	[func]		Added support in Win32 for NTFS file/directory ACL's
-			for access control.
-
-1115.	[func]		Set maximum values for cleaning-interval,
-			heartbeat-interval, interface-interval,
-			max-transfer-idle-in, max-transfer-idle-out,
-			max-transfer-time-in, max-transfer-time-out,
-			statistics-interval of 28 days and
-			sig-validity-interval of 3660 days. [RT #2002]
-
-1110.	[bug]		dig should only accept valid abbreviations of +options.
-			[RT #2003]
-
-1105.	[port]		OpenUNIX 8 enable threads by default. [RT #1970]
-
-1080.	[bug]		BIND 8 compatibility: accept bare IP prefixes
-			as the second element of a two-element top level
-			sort list statement. [RT #1964]
-
-1079.	[bug]		BIND 8 compatibility: accept bare elements at top
-			level of sort list treating them as if they were
-			a single element list. [RT #1963]
-
-1077.	[func]		Do not accept further recursive clients when
-			the total number of recursive lookups being
-			processed exceeds max-recursive-clients, even
-			if some of the lookups are internally generated.
-			[RT #1915, #1938]
-
-1073.	[bug]		The ADB cache cleaning should also be space driven.
-			[RT #1915, #1938]
-
-1067.	[func]		Allow quotas to be soft, isc_quota_soft().
-
-1065.	[func]		Runtime support to select new / old style interface
-			scanning using ioctls.
-
-1060.	[func]		Move refresh, stub and notify UDP retry processing
-			into dns_request.
-
-1059.	[func]		dns_request now support will now retry UDP queries,
-			dns_request_createvia2() and dns_request_createraw2().
-
-1058.	[func]		Limited lifetime ticker timers are now available,
-			isc_timertype_limited.
-
-1055.	[func]		Version and hostname queries can now be disabled
-			using "version none;" and "hostname none;",
-			respectively.
-
-1049.	[func]		"pid-file none;" will disable writing a pid file.
-			[RT #1848]
-
-1037.	[bug]		Negative responses whose authority section contain
-			SOA or NS records whose owner names are not equal
-			equal to or parents of the query name should be
-			rejected. [RT #1862]
-
-1036.	[func]		Silently drop requests received via multicast as
-			long as there is no final multicast DNS standard.
-
-1035.	[bug]		If we respond to multicast queries (which we
-			currently do not), respond from a unicast address
-			as specified in RFC 1123. [RT #137]
-
-1034.	[bug]		Ignore the RD bit on multicast queries as specified
-			in RFC 1123. [RT #137]
-
-1032.	[func]		hostname.bind/txt/chaos now returns the name of
-			the machine hosting the nameserver.  This is useful
-			in diagnosing problems with anycast servers.
-
-1025.	[bug]		Don't use multicast addresses to resolve iterative
-			queries. [RT #101]
-
-1024.	[port]		Compilation failed on HP-UX 11.11 due to
-			incompatible use of the SIOCGLIFCONF macro
-			name. [RT #1831]
-
-1023.	[func]		Accept hints without TTLs.
-
-1011.	[cleanup]	Removed isc_dir_current().
-
-1009.	[port]		OpenUNIX 8 support. [RT #1728]
-
-1008.	[port]		libtool.m4, ltmain.sh from libtool-1.4.2.
-
-1007.	[port]		config.guess, config.sub from autoconf-2.52.
-
-1003.	[func]		Add the +retry option to dig.
-
- 999.	[func]		"rndc retransfer zone [class [view]]" added.
-			[RT #1752]
-
- 998.	[func]		named-checkzone now has arguments to specify the
-			chroot directory (-t) and working directory (-w).
-			[RT #1755]
-
- 997.	[func]		Add support for RSA-SHA1 keys (RFC3110).
-
- 996.	[func]		Issue warning if the configuration filename contains
-			the chroot path.
-
- 994.	[func]		Treat non-authoritative responses to queries for type
-			NS as referrals even if the NS records are in the
-			answer section, because BIND 8 servers incorrectly
-			send them that way.  This is necessary for DNSSEC
-			validation of the NS records of a secure zone to
-			succeed when the parent is a BIND 8 server. [RT #1706]
-
- 993.	[func]		dig: -v now reports the version.
-
- 991.	[func]		Lower UDP refresh timeout messages to level
-			debug 1.
-
- 985.	[func]		Consider network interfaces to be up iff they have
-			a nonzero IP address rather than based on the
-			IFF_UP flag. [RT #1160]
-
- 983.	[func]		The server now supports generating IXFR difference
-			sequences for non-dynamic zones by comparing zone
-			versions, when enabled using the new config
-			option "ixfr-from-differences". [RT #1727]
-
- 982.	[func]		If "memstatistics-file" is set in options the memory
-			statistics will be written to it.
-
- 981.	[func]		The dnssec tools can now take multiple '-r randomfile'
-			arguments.
-
- 979.	[func]		Incremental master file dumping.  dns_master_dumpinc(),
-			dns_master_dumptostreaminc(), dns_dumpctx_attach(),
-			dns_dumpctx_detach(), dns_dumpctx_cancel(),
-			dns_dumpctx_db() and dns_dumpctx_version().
-
- 976.	[func]		named-checkconf can now test load master zones
-			(named-checkconf -z). [RT #1468]
-
- 970.	[func]		'max-journal-size' can now be used to set a target
-			size for a journal.
-
- 969.	[func]		dig now supports the undocumented dig 8 feature
-			of allowing arbitrary labels, not just dotted
-			decimal quads, with the -x option.  This can be
-			used to conveniently look up RFC2317 names as in
-			"dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
-
-	--- 9.2.3rc1 released ---
-
 1499.	[bug]		isc_random need to be seeded better if arc4random()
 			is not used.
 
 1498.	[port]		bsdos: 5.x support.
 
-1497.	[protocol]	dig, nslookup and host now perform nibble lookups
-			under IP6.ARPA, use -i for IP6.INT (dig and host).
-			lwres now uses IP6.ARPA.
+1497.	[placeholder]
 
 1496.	[port]		test for pthread_attr_setstacksize().
 
@@ -2017,7 +1915,7 @@
 
 1494.	[security]	Turn on RSA BLINDING as a precaution.
 
-1493.	[doc]		A6 and "bitstring" labels are now experimental.
+1493.	[placeholder]
 
 1492.	[cleanup]	Preserve rwlock quota context when upgrading /
 			downgrading. [RT #5599]
@@ -2073,8 +1971,12 @@
 
 1477.	[bug]		memory leak using stub zones and TSIG.
 
-1476.	[port]		win32: port unreachables were blocking further i/o
-			on sockets (Windows 2000 SP2 and later).
+1476.	[placeholder]
+
+1475.	[port]		Probe for old sprintf().
+
+1474.	[port]		Provide strtoul() and memmove() for platforms
+			without them.
 
 1473.	[bug]		create_map() and create_string() failed to handle out
 			of memory cleanup.  [RT #6813]
@@ -2085,6 +1987,14 @@
 
 1470.	[bug]		Incorrect length passed to snprintf. [RT #5966]
 
+1469.	[func]		Log end of outgoing zone transfer at same level
+			as the start of transfer is logged. [RT #4441]
+
+1468.	[func]		Internal zones are no longer counted for
+			'rndc status'.  [RT #4706]
+
+1467.	[func]		$GENERATES now supports optional class and ttl.
+
 1466.	[bug]		lwresd configuration errors resulted in memory
 			and lock leaks.  [RT #5228]
 
@@ -2106,15 +2016,27 @@
 1460.	[bug]		inet_pton() failed to reject certain malformed
 			IPv6 literals.
 
-1459.	[bug]		win32: we were leaking a bits in the exception
-			fd_set resulting in "Socket operation on non-socket"
-			errors from select(). [RT #2966]
+1459.	[placeholder]
+
+1458.	[cleanup]	sprintf() -> snprintf().
+
+1457.	[port]		Provide strlcat() and strlcpy() for platforms without
+			them.
 
 1456.	[contrib]	gen-data-queryperf.py from Stephane Bortzmeyer.
 
+1455.	[bug]		<netaddr> missing from server grammar in
+			doc/misc/options. [RT #5616]
+
+1454.	[port]		Use getifaddrs() if available for interface scanning.
+			--disable-getifaddrs to override.  Glibc currently
+			has a getifaddrs() that does not support IPv6.
+			Use --enable-getifaddrs=glibc to force the use of
+			this version under linux machines.
+
 1453.	[doc]		ARM: $GENERATE example wasn't accurate. [RT #5298]
 
-1452.	[bug]		Bad #ifdef, ISC_RFC2335 -> ISC_RFC2535.
+1452.	[placeholder]
 
 1451.	[bug]		rndc-confgen didn't exit with a error code for all
 			failures. [RT #5209]
@@ -2131,44 +2053,121 @@
 			rdataset->private4 is now rdataset->privateuint4
 			to reflect a type change.
 
+1446.	[func]		Implemented undocumented alternate transfer sources
+			from BIND 8.  See use-alt-transfer-source,
+			alt-transfer-source and alt-transfer-source-v6.
+
+			SECURITY: use-alt-transfer-source is ENABLED unless
+			you are using views.  This may cause a security risk
+			resulting in accidental disclosure of wrong zone
+			content if the master supplying different source
+			content based on IP address.  If you are not certain
+			ISC recommends setting use-alt-transfer-source no;
+
 1445.	[bug]		DNS_ADBFIND_STARTATROOT broke stub zones.  This has
 			been replaced with DNS_ADBFIND_STARTATZONE which
 			causes the search to start using the closest zone.
 
+1444.	[func]		dns_view_findzonecut2() allows you to specify if the
+			cache should be searched for zone cuts.
+
+1443.	[func]		Masters lists can now be specified and referenced
+			in zone masters clauses and other masters lists.
+
+1442.	[func]		New functions for manipulating port lists:
+			dns_portlist_create(), dns_portlist_add(),
+			dns_portlist_remove(), dns_portlist_match(),
+			dns_portlist_attach() and dns_portlist_detach().
+
+1441.	[func]		It is now possible to tell dig to bind to a specific
+			source port.
+
+1440.	[func]		It is now possible to tell named to avoid using
+			certain source ports (avoid-v4-udp-ports,
+			avoid-v6-udp-ports).
+
 1439.	[bug]		Named could return NOERROR with certain NOTIFY
 			failures.  Return NOTAUTH if the NOTIFY zone is
 			not being served.
 
+1438.	[func]		Log TSIG (if any) when logging NOTIFY requests.
+
+1437.	[bug]		Leave space for stdio to work in. [RT #5033]
+
+1436.	[func]		dns_zonemgr_resumexfrs() can be used to restart
+			stalled transfers.
+
 1435.	[bug]		zmgr_resume_xfrs() was being called read locked
 			rather than write locked.  zmgr_resume_xfrs()
 			was not being called if the zone was being
 			shutdown.
 
-1437.	[bug]		Leave space for stdio to work in. [RT #5033]
-
 1434.	[bug]		"rndc reconfig" failed to initiate the initial
 			zone transfer of new slave zones.
 
+1433.	[bug]		named could trigger a REQUIRE failure if it could
+			not get a file descriptor when attempting to write
+			a master file. [RT #4347]
+
+1432.	[func]		The advertised EDNS UDP buffer size can now be set
+			via named.conf (edns-udp-size).
+
 1431.	[bug]		isc_print_snprintf() "%s" with precision could walk off
 			end of argument. [RT #5191]
 
+1430.	[port]		linux: IPv6 interface scanning support.
+
 1429.	[bug]		Prevent the cache getting locked to old servers.
 
+1428.	[placeholder]
+
+1427.	[bug]		Race condition in adb with threaded build.
+
+1426.	[placeholder]
+
+1425.	[port]		linux/libbind: define __USE_MISC when testing *_r()
+			function prototypes in netdb.h.  [RT #4921]
+
 1424.	[bug]		EDNS version not being correctly printed.
 
 1423.	[contrib]	queryperf: added A6 and SRV.
 
+1422.	[func]		Log name/type/class when denying a query.  [RT #4663]
+
+1421.	[func]		Differentiate updates that don't succeed due to
+			prerequisites (unsuccessful) vs other reasons
+			(failed).
+
 1420.	[port]		solaris: work around gcc optimizer bug.
 
 1419.	[port]		openbsd: use /dev/arandom. [RT #4950]
 
 1418.	[bug]		'rndc reconfig' did not cause new slaves to load.
 
+1417.	[func]		ID.SERVER/CHAOS is now a built in zone.
+			See "server-id" for how to configure.
+
 1416.	[bug]		Empty node should return NOERROR NODATA, not NXDOMAIN.
 			[RT #4715]
 
+1415.	[func]		DS TTL now derived from NS ttl.  NXT TTL now derived
+			from SOA MINIMUM.
+
+1414.	[func]		Support for KSK flag.
+
+1413.	[func]		Explicitly request the (re-)generation of DS records
+			from keysets (dnssec-signzone -g).
+
+1412.	[func]		You can now specify servers to be tried if a nameserver
+			has IPv6 address and you only support IPv4 or the
+			reverse. See dual-stack-servers.
+
 1411.	[bug]		empty nodes should stop wildcard matches. [RT #4802]
 
+1410.	[func]		Handle records that live in the parent zone, e.g. DS.
+
+1409.	[bug]		DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
+
 1408.	[bug]		"make distclean" was not complete. [RT #4700]
 
 1407.	[bug]		lfsr incorrectly implements the shift register.
@@ -2179,13 +2178,49 @@
 
 1405.	[func]		Use arc4random() if available.
 
+1404.	[bug]		libbind: ns_name_ntol() could overwrite a zero length
+			buffer.
+
+1403.	[func]		dnssec-signzone, dnssec-keygen, dnssec-makekeyset
+			dnssec-signkey now report their version in the
+			usage message.
+
+1402.	[cleanup]	A6 has been moved to experimental and is no longer
+			fully supported.
+
 1401.	[bug]		adb wasn't clearing state when the timer expired.
 
+1400.	[bug]		Block the addition of wildcard NS records by IXFR
+			or UPDATE. [RT #3502]
+
 1399.	[bug]		Use serial number arithmetic when testing SIG
 			timestamps. [RT #4268]
 
+1398.	[doc]		ARM: notify-also should have been also-notify.
+			[RT #4345]
+
 1397.	[bug]		J.ROOT-SERVERS.NET is now 192.58.128.30.
 
+1396.	[func]		dnssec-signzone: adjust the default signing time by
+			1 hour to allow for clock skew.
+
+1395.	[port]		OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
+			have a working implementation.  [RT #4079]
+
+1394.	[func]		It is now possible to check if a particular element is
+			in a acl.  Remove duplicate entries from the localnets
+			acl.
+
+1393.	[port]		Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
+			is not available in the kernel to prevent accidently
+			listening on IPv4 interfaces.
+
+1392.	[bug]		named-checkzone: update usage.
+
+1391.	[func]		Add support for IPv6 scoped addresses in named.
+
+1390.	[func]		host now supports ixfr.
+
 1389.	[bug]		named could fail to rotate long log files.  [RT #3666]
 
 1388.	[port]		irix: check for sys/sysctl.h and NET_RT_IFLIST before
@@ -2195,68 +2230,81 @@
 			space (which caused an assertion failure) in
 			incremental cleaning.  [RT #3588]
 
+1386.	[bug]		named-checkzone -z stopped on errors in a zone.
+			[RT #3653]
+
 1385.	[bug]		Setting serial-query-rate to 10 would trigger a
 			REQUIRE failure.
 
 1384.	[bug]		host was incompatible with BIND 8 in its exit code and
 			in the output with the -l option.  [RT #3536]
 
-1373.	[bug]		Recovery from expired glue failed under certain
-			circumstances.
+1383.	[func]		Track the serial number in a IXFR response and log if
+			a mismatch occurs.  This is a more specific error than
+			"not exact". [RT #3445]
 
-1372.	[bug]		named crashes with an assertion failure on exit when
-			sharing the same port for listening and querying, and
-			changing listening addresses several times. [RT# 3509]
+1382.	[bug]		make install failed with --enable-libbind. [RT #3656]
 
-1370.	[bug]		dig '+[no]recurse' was incorrectly documented.
+1381.	[bug]		named failed to correctly process answers that
+			contained DNAME records where the resulting CNAME
+			resulted in a negative answer.
 
-1369.	[bug]		Adding an NS record as the lexicographically last
-			record in a secure zone didn't work.
+1380.	[func]		'rndc recursing' dump recursing queries to
+			'recursing-file = "named.recursing";'.
 
-1366.	[contrib]	queryperf usage was incomplete.  Add '-h' for help.
+1379.	[func]		'rndc status' now reports tcp and recursion quota
+			states.
 
-1348.	[port]		win32: Rewrote code to use I/O Completion Ports
-			in socket.c and eliminating a host of socket
-			errors. Performance is enhanced.
+1378.	[func]		Improved positive feedback for 'rndc {reload|refresh}.
 
-1333.	[contrib]	queryperf now reports a summary of returned
-			rcodes (-c), rcodes are printed in mnemonic form (-v).
+1377.	[func]		dns_zone_load{new}() now reports if the zone was
+			loaded, queued for loading to up to date.
 
-1299.	[bug]		Set AI_ADDRCONFIG when looking up addresses
-			via getaddrinfo() (affects dig, host, nslookup, rndc
-			and nsupdate).
+1376.	[func]		New function dns_zone_logc() to log to specified
+			category.
 
-1199.	[doc]		ARM reference to RFC 2157 should have been RFC 1918.
-			[RT #2436]
+1375.	[func]		'rndc dumpdb' now dumps the adb cache along with the
+			data cache.
 
-1122.	[tuning]	Resolution timeout reduced from 90 to 30 seconds.
-			[RT #2046]
+1374.	[func]		dns_adb_dump() now logs the lame zones associated
+			with each server.
 
- 992.	[doc]		dig: ~/.digrc is now documented.
+1373.	[bug]		Recovery from expired glue failed under certain
+			circumstances.
 
-	--- 9.2.2 released ---
+1372.	[bug]		named crashes with an assertion failure on exit when
+			sharing the same port for listening and querying, and
+			changing listening addresses several times. [RT# 3509]
 
-1428.	[port]		hpux: temporary work around of hpux 11.11 interface
-			scanning.
+1371.	[bug]		notify-source-v6, transfer-source-v6 and
+			query-source-v6 with explicit addresses and using the
+			same ports as named was listening on could interfere
+			with named's ability to answer queries sent to those
+			addresses.
 
-1427.	[bug]		Race condition in adb with threaded build.
+1370.	[bug]		dig '+[no]recurse' was incorrectly documented.
 
-1426.	[cleanup]	Disable RFC2535 style DNSSEC.  This is incompatible
-			with the forthcoming DS style DNSSEC.
+1369.	[bug]		Adding an NS record as the lexicographically last
+			record in a secure zone didn't work.
 
-1425.	[port]		linux/libbind: define __USE_MISC when testing *_r()
-			function prototypes in netdb.h.  [RT #4921]
+1368.	[func]		remove support for bitstring labels.
 
-1395.	[port]		OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
-			have a working implementation.  [RT #4079]
+1367.	[func]		Use response times to select forwarders.
 
-1382.	[bug]		make install failed with --enable-libbind. [RT #3656]
+1366.	[contrib]	queryperf usage was incomplete.  Add '-h' for help.
 
-1381.	[bug]		named failed to correctly process answers that
-			contained DNAME records where the resulting CNAME
-			resulted in a negative answer.
+1365.	[func]		"localhost" and "localnets" acls now include IPv6
+			addresses / prefixes.
 
-	--- 9.2.2rc1 released ---
+1364.	[func]		Log file name when unable to open memory statistics
+			and dump database files. [RT# 3437]
+
+1363.	[func]		Listen-on-v6 now supports specific addresses.
+
+1362.	[bug]		remove IFF_RUNNING test when scanning interfaces.
+
+1361.	[func]		log the reason for rejecting a server when resolving
+			queries.
 
 1360.	[bug]		--enable-libbind would fail when not built in the
 			source tree for certain OS's.
@@ -2271,6 +2319,8 @@
 
 1356.	[tuning]	Reduce the number of events / quantum for zone tasks.
 
+1355.	[bug]		Fix DNSSEC wildcard proof for CNAME/DNAME.
+
 1354.	[doc]		lwres man pages had illegal nroff.
 
 1353.	[contrib]	sdb/ldap to version 0.9.
@@ -2288,26 +2338,68 @@
 1349.	[security]	Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
 			http://www.cert.org/advisories/CA-2002-23.html
 
-1346.	[bug]		Win32: select timeout in socket.c was too small
-			as value given was meant to be milliseconds and
-			timeval structure requires microseconds. This
-			caused high CPU loads with a compute bound loop.
-			[RT #3358]
+1348.	[port]		win32: Rewrote code to use I/O Completion Ports
+			in socket.c and eliminating a host of socket
+			errors. Performance is enhanced.
+
+1347.	[placeholder]
+
+1346.	[placeholder]
 
 1345.	[port]		Use a explicit -Wformat with gcc.  Not all versions
 			include it in -Wall.
 
+1344.	[func]		Log if the serial number on the master has gone
+			backwards.
+			If you have multiple machines specified in the masters
+			clause you may want to set 'multi-master yes;' to
+			suppress this warning.
+
+1343.	[func]		Log successful notifies received (info).  Adjust log
+			level for failed notifies to notice.
+
+1342.	[func]		Log remote address with TCP dispatch failures.
+
+1341.	[func]		Allow a rate limiter to be stalled.
+
 1340.	[bug]		Delay and spread out the startup refresh load.
 
+1339.	[func]		dig, host and nslookup now use IP6.ARPA for nibble
+			lookups.  Bit string lookups are no longer attempted.
+
+1338.	[placeholder]
+
+1337.	[placeholder]
+
+1336.	[func]		Nibble lookups under IP6.ARPA are now supported by
+			dns_byaddr_create().  dns_byaddr_createptrname() is
+			deprecated, use dns_byaddr_createptrname2() instead.
+
 1335.	[bug]		When performing a nonexistence proof, the validator
 			should discard parent NXTs from higher in the DNS.
 
 1334.	[bug]		When signing/verifying rdatasets, duplicate rdatas
 			need to be suppressed.
 
+1333.	[contrib]	queryperf now reports a summary of returned
+			rcodes (-c), rcodes are printed in mnemonic form (-v).
+
+1332.	[func]		Report the current serial with periodic commits when
+			rolling forward the journal.
+
+1331.	[func]		Generate DNSSEC wildcard proofs.
+
 1330.	[bug]		When processing events (non-threaded) only allow
 			the task one chance to use to use its quantum.
 
+1329.	[func]		named-checkzone will now check if nameservers that
+			appear to be IP addresses.  Available modes "fail",
+			"warn" (default) and "ignore" the results of the
+			check.
+
+1328.	[bug]		The validator could incorrectly verify an invalid
+			negative proof.
+
 1327.	[bug]		The validator would incorrectly mark data as insecure
 			when seeing a bogus signature before a correct
 			signature.
@@ -2322,6 +2414,11 @@
 
 1323.	[port]		linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
 
+1322.	[bug]		dnssec-signzone usage message was misleading.
+
+1321.	[bug]		If the last RRset in a zone is glue, dnssec-signzone
+			would incorrectly duplicate its output and sign it.
+
 1320.	[doc]		query-source-v6 was missing from options section.
 			[RT #3218]
 
@@ -2339,11 +2436,20 @@
 
 1314.	[port]		Handle ECONNRESET from sendmsg() [unix].
 
+1313.	[func]		Query log now says if the query was signed (S) or
+			if EDNS was used (E).
+
+1312.	[func]		Log TSIG key used w/ outgoing zone transfers.
+
 1311.	[bug]		lwres_getrrsetbyname leaked memory.  [RT #3159]
 
 1310.	[bug]		'rndc stop' failed to cause zones to be flushed
 			sometimes. [RT #3157]
 
+1309.	[func]		Log that a zone transfer was covered by a TSIG.
+
+1308.	[func]		DS (delegation signer) support.
+
 1307.	[bug]		nsupdate: allow white space base64 key data.
 
 1306.	[bug]		Badly encoded LOC record when the size, horizontal
@@ -2352,6 +2458,21 @@
 1305.	[bug]		Document that internal zones are included in the
 			rndc status results.
 
+1304.	[func]		New function: dns_zone_name().
+
+1303.	[func]		Option 'flush-zones-on-shutdown <boolean>;'.
+
+1302.	[func]		Extended rndc dumpdb to support dumping of zones and
+			view selection: 'dumpdb [-all|-zones|-cache] [view]'.
+
+1301.	[func]		New category 'update-security'.
+
+1300.	[port]		Compaq Trucluster support.
+
+1299.	[bug]		Set AI_ADDRCONFIG when looking up addresses
+			via getaddrinfo() (affects dig, host, nslookup, rndc
+			and nsupdate).
+
 1298.	[bug]		The CINCLUDES macro in lib/dns/sec/dst/Makefile
 			could be left with a trailing "\" after configure
 			has been run.
@@ -2369,6 +2490,18 @@
 			IPv6 reverse resolution.  Try IP6.ARPA then IP6.INT
 			for nibble style resolution.
 
+1293.	[func]		Entropy can now be retrieved from EGDs. [RT #2438]
+
+1292.	[func]		Enable IPv6 support when using ioctl style interface
+			scanning and OS supports SIOCGLIFADDR using struct
+			if_laddrreq.
+
+1291.	[func]		Enable IPv6 support when using sysctl style interface
+			scanning.
+
+1290.	[func]		"dig axfr" now reports the number of messages
+			as well as the number of records.
+
 1289.	[port]		See if -ldl is required for OpenSSL? [RT #2672]
 
 1288.	[bug]		Adjusted REQUIRE's in lib/dns/name.c to better
@@ -2381,16 +2514,31 @@
 1286.	[bug]		dns_name_downcase() enforce requirement that
 			target != NULL or name->buffer != NULL.
 
+1285.	[func]		lwres: probe the system to see what address families
+			are currently in use.
+
 1284.	[bug]		The RTT estimate on unused servers was not aged.
 			[RT #2569]
 
+1283.	[func]		Use "dataready" accept filter if available.
+
 1282.	[port]		libbind: hpux 11.11 interface scanning.
 
+1281.	[func]		Log zone when unable to get private keys to update
+			zone.  Log zone when NXT records are missing from
+			secure zone.
+
 1280.	[bug]		libbind: escape '(' and ')' when converting to
 			presentation form.
 
 1279.	[port]		Darwin uses (unsigned long) for size_t. [RT #2590]
 
+1278.	[func]		dig: now supports +[no]cl +[no]ttlid.
+
+1277.	[func]		You can now create your own customized printing
+			styles: dns_master_stylecreate() and
+			dns_master_styledestroy().
+
 1276.	[bug]		libbind: const pointer conflicts in res_debug.c.
 
 1275.	[port]		libbind: hpux: treat all hpux systems as BIG_ENDIAN.
@@ -2402,6 +2550,9 @@
 1272.	[contrib]	Berkeley DB 4.0 sdb implementation from
 			Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
 
+1271.	[bug]		"recursion available: {denied,approved}" was too
+			confusing.
+
 1270.	[bug]		Check that system inet_pton() and inet_ntop() support
 			AF_INET6.
 
@@ -2410,6 +2561,9 @@
 1268.	[port]		Openserver: the value FD_SETSIZE depends on whether
 			<sys/param.h> is included or not.  Be consistent.
 
+1267.	[func]		isc_file_openunique() now creates file using mode
+			0666 rather than 0600.
+
 1266.	[bug]		ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
 			__ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
 			are not C++ compatible, use *_TYPE versions instead.
@@ -2417,6 +2571,8 @@
 1265.	[bug]		libbind: LINK_INIT and UNLINK were not compatible with
 			C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
 
+1264.	[placeholder]
+
 1263.	[bug]		Reference after free error if dns_dispatchmgr_create()
 			failed.
 
@@ -2446,6 +2602,8 @@
 			next name, and for NOERROR NODATA responses, check
 			that the type is not present in the NXT bitmap.
 
+1254.	[func]		preferred-glue option from BIND 8.3.
+
 1253.	[bug]		The dnssec system test failed to remove the correct
 			files.
 
@@ -2453,48 +2611,38 @@
 			the answer was coming from against the address it was
 			sent to. [RT# 2692]
 
-1248.	[bug]		DESTDIR was not being propagated between makes.
-
-1245.	[bug]		Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
-			accept().
-
-1242.	[bug]		named-checkzone failed if a journal existed. [RT #2657]
-
-1241.	[bug]		Drop received UDP messages with a zero source port
-			as these are invariably forged. [RT #2621]
-
-1209.	[bug]		Dig, host, nslookup were not checking the message ids
-			on the responses. [RT #2454]
-
-1097.	[func]		libbind: RES_PRF_TRUNC for dig.
-
-1096.	[func]		libbind: "DNSSEC OK" (DO) support.
+1251.	[port]		win32: a make file contained absolute version specific
+			references.
 
-1095.	[func]		libbind: resolver option: no-tld-query.  disables
-			trying unqualified as a tld.  no_tld_query is also
-			supported for FreeBSD compatibility.
+1250.	[func]		Nsupdate will report the address the update was
+			sent to.
 
-1094.	[func]		libbind: add support gcc's format string checking.
+1249.	[bug]		Missing masters clause was not handled gracefully.
+			[RT #2703]
 
-1089.	[func]		libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
-			support.
+1248.	[bug]		DESTDIR was not being propagated between makes.
 
-	--- 9.2.1 released ---
+1247.	[bug]		Don't reset the interface index for link/site local
+			addresses. [RT #2576]
 
-1251.	[port]		win32: a make file contained absolute version specific
-			references.
+1246.	[func]		New functions isc_sockaddr_issitelocal(),
+			isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
+			and isc_netaddr_islinklocal().
 
-1249.	[bug]		Missing masters clause was not handled gracefully.
-			[RT #2703]
+1245.	[bug]		Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
+			accept().
 
 1244.	[bug]		Receiving a TCP message from a blackhole address would
 			prevent further messages being received over that
 			interface.
 
-1178.	[bug]		Follow and cache (if appropriate) A6 and other
-			data chains to completion in the additional section.
+1243.	[bug]		It was possible to trigger a REQUIRE() in
+			dns_message_findtype(). [RT #2659]
+
+1242.	[bug]		named-checkzone failed if a journal existed. [RT #2657]
 
-	--- 9.2.1rc2 released ---
+1241.	[bug]		Drop received UDP messages with a zero source port
+			as these are invariably forged. [RT #2621]
 
 1240.	[bug]		It was possible to leak zone references by
 			specifying an incorrect zone to rndc.
@@ -2511,6 +2659,15 @@
 1236.	[bug]		dns_rdata{class,type}_fromtext() didn't handle non
 			NULL terminated text regions. [RT #2588]
 
+1235.	[func]		Report 'out of memory' errors from openssl.
+
+1234.	[bug]		contrib/sdb: 'zonetodb' failed to call
+			dns_result_register().  DNS_R_SEENINCLUDE should not
+			be fatal.
+
+1233.	[bug]		The flags field of a KEY record can be expressed in
+			hex as well as decimal.
+
 1232.	[bug]		unix/errno2result() didn't handle EADDRNOTAVAIL.
 
 1231.	[port]		HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
@@ -2526,15 +2683,34 @@
 			if a number was expected and some other token was
 			found. [RT#2532]
 
+1226.	[func]		Use EDNS for zone refresh queries. [RT #2551]
+
+1225.	[func]		dns_message_setopt() no longer requires that
+			dns_message_renderbegin() to have been called.
+
+1224.	[bug]		'rrset-order' and 'sortlist' should be additive
+			not exclusive.
+
+1223.	[func]		'rrset-order' partially works 'cyclic' and 'random'
+			are supported.
+
 1222.	[bug]		Specifying 'port *' did not always result in a system
 			selected (non-reserved) port being used. [RT #2537]
 
 1221.	[bug]		Zone types 'master', 'slave' and 'stub' were not being
 			compared case insensitively. [RT #2542]
 
+1220.	[func]		Support for APL rdata type.
+
+1219.	[func]		Named now reports the TSIG extended error code when
+			signature verification fails. [RT #1651]
+
 1218.	[bug]		Named incorrectly returned SERVFAIL rather than
 			NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
 
+1217.	[func]		Report locations of previous key definition when a
+			duplicate is detected.
+
 1216.	[bug]		Multiple server clauses for the same server were not
 			reported.  [RT #2514]
 
@@ -2543,6 +2719,9 @@
 1214.	[bug]		Win32: isc_file_renameunique() could leave zero length
 			files behind.
 
+1213.	[func]		Report view associated with client if it is not a
+			standard view (_default or _bind).
+
 1212.	[port]		libbind: 64k answer buffers were causing stack space
 			to be exceeded for certain OS.  Use heap space instead.
 
@@ -2552,12 +2731,13 @@
 1210.	[bug]		libbind: getnameinfo() failed to lookup IPv4 mapped /
 			compatible addresses. [RT #2461]
 
+1209.	[bug]		Dig, host, nslookup were not checking the message ids
+			on the responses. [RT #2454]
+
 1208.	[bug]		dns_master_load*() failed to log a error message if
 			an error was detected when parsing the ownername of
 			a record.  [RT #2448]
 
-	--- 9.2.1rc1 released ---
-
 1207.	[bug]		libbind: getaddrinfo() could call freeaddrinfo() with
 			an invalid pointer.
 
@@ -2570,6 +2750,11 @@
 1204.	[bug]		libbind: res_nupdate() failed to update the name
 			server addresses before sending the update.
 
+1203.	[func]		Report locations of previous acl and zone definitions
+			when a duplicate is detected.
+
+1202.	[func]		New functions: cfg_obj_line() and cfg_obj_file().
+
 1201.	[bug]		Require that if 'callbacks' is passed to
 			dns_rdata_fromtext(), callbacks->error and
 			callbacks->warn are initialized.
@@ -2577,6 +2762,9 @@
 1200.	[bug]		Log 'errno' that we are unable to convert to
 			isc_result_t. [RT #2404]
 
+1199.	[doc]		ARM reference to RFC 2157 should have been RFC 1918.
+			[RT #2436]
+
 1198.	[bug]		OPT printing style was not consistent with the way the
 			header fields are printed.  The DO bit was not reported
 			if set.  Report if any of the MBZ bits are set.
@@ -2592,11 +2780,20 @@
 1194.	[bug]		Not all duplicate zone definitions were being detected
 			at the named.conf checking stage. [RT #2431]
 
-1193.	[bug]		Best effort parsing didn't handle packet truncation.
+1193.	[bug]		dig +besteffort parsing didn't handle packet
+			truncation.  dns_message_parse() has new flag
+			DNS_MESSAGE_IGNORETRUNCATION.
+
+1192.	[bug]		The seconds fields in LOC records were restricted
+			to three decimal places.  More decimal places should
+			be allowed but warned about.
 
 1191.	[bug]		A dynamic update removing the last non-apex name in
 			a secure zone would fail. [RT #2399]
 
+1190.	[func]		Add the "rndc freeze" and "rndc unfreeze" commands.
+			[RT #2394]
+
 1189.	[bug]		On some systems, malloc(0) returns NULL, which
 			could cause the caller to report an out of memory
 			error. [RT #2398]
@@ -2604,6 +2801,9 @@
 1188.	[bug]		Dynamic updates of a signed zone would fail if
 			some of the zone private keys were unavailable.
 
+1187.	[bug]		named was incorrectly returning DNSSEC records
+			in negative responses when the DO bit was not set.
+
 1186.	[bug]		isc_hex_tobuffer(,,length = 0) failed to unget the
 			EOL token when reading to end of line.
 
@@ -2619,14 +2819,30 @@
 1182.	[bug]		The server could throw an assertion failure when
 			constructing a negative response packet.
 
+1181.	[func]		Add the "key-directory" configuration statement,
+			which allows the server to look for online signing
+			keys in alternate directories.
+
+1180.	[func]		dnssec-keygen should always generate keys with
+			protocol 3 (DNSSEC), since it's less confusing
+			that way.
+
+1179.	[func]		Add SIG(0) support to nsupdate.
+
+1178.	[bug]		Follow and cache (if appropriate) A6 and other
+			data chains to completion in the additional section.
+
+1177.	[func]		Report view when loading zones if it is not a
+			standard view (_default or _bind). [RT #2270]
+
 1176.	[doc]		Document that allow-v6-synthesis is only performed
 			for clients that are supplied recursive service.
 			[RT #2260]
 
-1175.	[bug]		named-checkzone failed to call dns_result_register()
-			at startup which could result in runtime
-			exceptions when printing "out of memory" errors.
-			[RT #2335]
+1175.	[bug]		named-checkzone and named-checkconf failed to call
+			dns_result_register() at startup which could
+			result in runtime exceptions when printing
+			"out of memory" errors. [RT #2335]
 
 1174.	[bug]		Win32: add WSAECONNRESET to the expected errors
 			from connect(). [RT #2308]
@@ -2637,9 +2853,14 @@
 1172.	[doc]		Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
 			table of RR types in ARM.
 
+1171.	[func]		Added function isc_region_compare(), updated files in
+			lib/dns to use this function instead of local one.
+
 1170.	[bug]		Don't attempt to print the token when a I/O error
 			occurs when parsing named.conf. [RT #2275]
 
+1169.	[func]		Identify recursive queries in the query log.
+
 1168.	[bug]		Empty also-notify clauses were not handled. [RT #2309]
 
 1167.	[contrib]	nslint-2.1a3 (from author).
@@ -2652,6 +2873,8 @@
 1164.	[bug]		Empty masters clauses in slave / stub zones were not
 			handled gracefully. [RT #2262]
 
+1163.	[func]		isc_time_formattimestamp() now includes the year.
+
 1162.	[bug]		The allow-notify option was not accepted in slave
 			zone statements.
 
@@ -2661,18 +2884,62 @@
 1160.	[bug]		Generating Diffie-Hellman keys longer than 1024
 			bits could fail. [RT #2241]
 
+1159.	[bug]		MD and MF are not permitted to be loaded by RFC1123.
+
+1158.	[func]		Report the client's address when logging notify
+			messages.
+
+1157.	[func]		match-clients and match-destinations now accept
+			keys. [RT #2045]
+
 1156.	[port]		The configure test for strsep() incorrectly
 			succeeded on certain patched versions of
 			AIX 4.3.3. [RT #2190]
 
+1155.	[func]		Recover from master files being removed from under
+			us.
+
 1154.	[bug]		Don't attempt to obtain the netmask of a interface
 			if there is no address configured. [RT #2176]
 
+1153.	[func]		'rndc {stop|halt} -p' now reports the process id
+			of the instance of named being shutdown.
+
 1152.	[bug]		libbind: read buffer overflows.
 
+1151.	[bug]		nslookup failed to check that the arguments to
+			the port, timeout, and retry options were
+			valid integers and in range. [RT #2099]
+
+1150.	[bug]		named incorrectly accepted TTL values
+			containing plus or minus signs, such as
+			1d+1h-1s.
+
+1149.	[func]		New function isc_parse_uint32().
+
+1148.	[func]		'rndc-confgen -a' now provides positive feedback.
+
+1147.	[func]		Set IPV6_V6ONLY on IPv6 sockets if supported by
+			the OS.  listen-on-v6 { any; }; should no longer
+			result in IPv4 queries be accepted.  Similarly
+			control { inet :: ... }; should no longer result
+			in IPv4 connections being accepted.  This can be
+			overridden at compile time by defining
+			ISC_ALLOW_MAPPED=1.
+
+1146.	[func]		Allow IPV6_IPV6ONLY to be set/cleared on a socket if
+			supported by the OS by a new function
+			isc_socket_ipv6only().
+
+1145.	[func]		"host" no longer reports a NOERROR/NODATA response
+			by printing nothing. [RT #2065]
+
 1144.	[bug]		rndc-confgen would crash if both the -a and -t
 			options were specified. [RT #2159]
 
+1143.	[bug]		When a trusted-keys statement was present and named
+			was built without crypto support, it would leak memory.
+
 1142.	[bug]		dnssec-signzone would fail to delete temporary files
 			in some failure cases. [RT #2144]
 
@@ -2684,50 +2951,22 @@
 1140.	[bug]		rndc-confgen did not accept IPv6 addresses as arguments
 			to the -s option. [RT #2138]
 
-1136.	[bug]		CNAME records synthesized from DNAMEs did not
-			have a TTL of zero as required by RFC2672.
-			[RT #2129]
-
-1125.	[bug]		rndc: -k option was missing from usage message.
-			[RT #2057]
-
-1124.	[doc]		dig: +[no]dnssec, +[no]besteffort and +[no]fail
-			are now documented. [RT #2052]
-
-1123.	[bug]		dig +[no]fail did not match description. [RT #2052]
-
-1109.	[bug]		nsupdate accepted illegal ttl values.
-
-1108.	[bug]		On Win32, rndc was hanging when named was not running
-			due to failure to select for exceptional conditions
-			in select(). [RT #1870]
-
-1081.	[bug]		Multicast queries were incorrectly identified
-			based on the source address, not the destination
-			address.
-
-1072.	[bug]		The TCP client quota could be exceeded when
-			recursion occurred. [RT #1937]
-
-1071.	[bug]		Sockets listening for TCP DNS connections
-			specified an excessive listen backlog. [RT #1937]
-
-1070.	[bug]		Copy DNSSEC OK (DO) to response as specified by
-			draft-ietf-dnsext-dnssec-okbit-03.txt.
-
-1014.	[bug]		Some queries would cause statistics counters to
-			increment more than once or not at all. [RT #1321]
+1139.	[func]		It is now possible to flush a given name from the
+			cache(s) via 'rndc flushname name [view]'. [RT #2051]
 
-1012.	[bug]		The -p option to named did not behave as documented.
+1138.	[func]		It is now possible to flush a given name from the
+			cache by calling the new function
+			dns_cache_flushname().
 
- 988.	[bug]		'additional-from-auth no;' did not work reliably
-			in the case of queries answered from the cache.
-			[RT #1436]
+1137.	[func]		It is now possible to flush a given name from the
+			ADB by calling the new function dns_adb_flushname().
 
- 995.	[bug]		dig, host, nslookup: using a raw IPv6 address as a
-			target address should be fatal on a IPv4 only system.
+1136.	[bug]		CNAME records synthesized from DNAMEs did not
+			have a TTL of zero as required by RFC2672.
+			[RT #2129]
 
-	--- 9.2.0 released ---
+1135.	[func]		You can now override the default syslog() facility for
+			named/lwresd at compile time. [RT #1982]
 
 1134.	[bug]		Multi-threaded servers could deadlock in ferror()
 			when reloading zone files. [RT #1951, #1998]
@@ -2735,7 +2974,7 @@
 1133.	[bug]		IN6_IS_ADDR_LOOPBACK was not portably defined on
 			platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
 
-	--- 9.2.0rc10 released ---
+1132.	[func]		Improve UPDATE prerequisite failure diagnostic messages.
 
 1131.	[bug]		The match-destinations view option did not work with
 			IPv6 destinations. [RT #2073, #2074]
@@ -2747,16 +2986,37 @@
 1129.	[bug]		Multi-threaded servers could crash under heavy
 			resolution load due to a race condition. [RT #2018]
 
+1128.	[func]		sdb drivers can now provide RR data in either text
+			or wire format, the latter using the new functions
+			dns_sdb_putrdata() and dns_sdb_putnamedrdata().
+
+1127.	[func]		rndc: If the server to contact has multiple addresses,
+			try all of them.
+
 1126.	[bug]		The server could access a freed event if shut
 			down while a client start event was pending
 			delivery. [RT #2061]
 
+1125.	[bug]		rndc: -k option was missing from usage message.
+			[RT #2057]
+
+1124.	[doc]		dig: +[no]dnssec, +[no]besteffort and +[no]fail
+			are now documented. [RT #2052]
+
+1123.	[bug]		dig +[no]fail did not match description. [RT #2052]
+
+1122.	[tuning]	Resolution timeout reduced from 90 to 30 seconds.
+			[RT #2046]
+
 1121.	[bug]		The server could attempt to access a NULL zone
 			table if shut down while resolving.
 			[RT #1587, #2054]
 
 1120.	[bug]		Errors in options were not fatal. [RT #2002]
 
+1119.	[func]		Added support in Win32 for NTFS file/directory ACL's
+			for access control.
+
 1118.	[bug]		On multi-threaded servers, a race condition
 			could cause an assertion failure in resolver.c
 			during resolver shutdown. [RT #2029]
@@ -2770,16 +3030,32 @@
 			or transfers-per-ns to a value greater than
 			2147483647 disabled transfers. [RT #2002]
 
+1115.	[func]		Set maximum values for cleaning-interval,
+			heartbeat-interval, interface-interval,
+			max-transfer-idle-in, max-transfer-idle-out,
+			max-transfer-time-in, max-transfer-time-out,
+			statistics-interval of 28 days and
+			sig-validity-interval of 3660 days. [RT #2002]
+
 1114.	[port]		Ignore more accept() errors. [RT #2021]
 
 1113.	[bug]		The allow-update-forwarding option was ignored
 			when specified in a view. [RT #2014]
 
+1112.	[placeholder]
+
 1111.	[bug]		Multi-threaded servers could deadlock processing
 			recursive queries due to a locking hierarchy
 			violation in adb.c. [RT #2017]
 
-	--- 9.2.0rc9 released ---
+1110.	[bug]		dig should only accept valid abbreviations of +options.
+			[RT #2003]
+
+1109.	[bug]		nsupdate accepted illegal ttl values.
+
+1108.	[bug]		On Win32, rndc was hanging when named was not running
+			due to failure to select for exceptional conditions
+			in select(). [RT #1870]
 
 1107.	[bug]		nsupdate could catch an assertion failure if an
 			invalid domain name was given as the argument to
@@ -2788,6 +3064,8 @@
 1106.	[bug]		After seeing an out of range TTL, nsupdate would
 			treat all TTLs as out of range. [RT #2001]
 
+1105.	[port]		OpenUNIX 8 enable threads by default. [RT #1970]
+
 1104.	[bug]		Invalid arguments to the transfer-format option
 			could cause an assertion failure. [RT #1995]
 
@@ -2805,6 +3083,16 @@
 
 1098.	[bug]		libbind: HMAC-MD5 key files are now mode 0600.
 
+1097.	[func]		libbind: RES_PRF_TRUNC for dig.
+
+1096.	[func]		libbind: "DNSSEC OK" (DO) support.
+
+1095.	[func]		libbind: resolver option: no-tld-query.  disables
+			trying unqualified as a tld.  no_tld_query is also
+			supported for FreeBSD compatibility.
+
+1094.	[func]		libbind: add support gcc's format string checking.
+
 1093.	[doc]		libbind: miscellaneous nroff fixes.
 
 1092.	[bug]		libbind: get*by*() failed to check if res_init() had
@@ -2818,6 +3106,9 @@
 			wasting space.  We weren't suppressing duplicate
 			addresses.
 
+1089.	[func]		libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
+			support.
+
 1088.	[port]		libbind: MPE/iX C.70 (incomplete)
 
 1087.	[bug]		libbind: struct __res_state too large on 64 bit arch.
@@ -2837,9 +3128,27 @@
 			to be sent to syslog in addition to stderr.
 			[RT #1974]
 
+1081.	[bug]		Multicast queries were incorrectly identified
+			based on the source address, not the destination
+			address.
+
+1080.	[bug]		BIND 8 compatibility: accept bare IP prefixes
+			as the second element of a two-element top level
+			sort list statement. [RT #1964]
+
+1079.	[bug]		BIND 8 compatibility: accept bare elements at top
+			level of sort list treating them as if they were
+			a single element list. [RT #1963]
+
 1078.	[bug]		We failed to correct bad tv_usec values in one case.
 			[RT #1966]
 
+1077.	[func]		Do not accept further recursive clients when
+			the total number of recursive lookups being
+			processed exceeds max-recursive-clients, even
+			if some of the lookups are internally generated.
+			[RT #1915, #1938]
+
 1076.	[bug]		A badly defined global key could trigger an assertion
 			on load/reload if views were used. [RT #1947]
 
@@ -2849,13 +3158,30 @@
 1074.	[bug]		Running out of memory in dump_rdataset() could
 			cause an assertion failure. [RT #1946]
 
-	--- 9.2.0rc8 released ---
+1073.	[bug]		The ADB cache cleaning should also be space driven.
+			[RT #1915, #1938]
+
+1072.	[bug]		The TCP client quota could be exceeded when
+			recursion occurred. [RT #1937]
+
+1071.	[bug]		Sockets listening for TCP DNS connections
+			specified an excessive listen backlog. [RT #1937]
+
+1070.	[bug]		Copy DNSSEC OK (DO) to response as specified by
+			draft-ietf-dnsext-dnssec-okbit-03.txt.
+
+1069.	[placeholder]
 
 1068.	[bug]		errno could be overwritten by catgets(). [RT #1921]
 
+1067.	[func]		Allow quotas to be soft, isc_quota_soft().
+
 1066.	[bug]		Provide a thread safe wrapper for strerror().
 			[RT #1689]
 
+1065.	[func]		Runtime support to select new / old style interface
+			scanning using ioctls.
+
 1064.	[bug]		Do not shut down active network interfaces if we
 			are unable to scan the interface list. [RT #1921]
 
@@ -2871,6 +3197,15 @@
 			maximum cache size was in progress, the server
 			could catch an assertion failure. [RT #1912]
 
+1060.	[func]		Move refresh, stub and notify UDP retry processing
+			into dns_request.
+
+1059.	[func]		dns_request now support will now retry UDP queries,
+			dns_request_createvia2() and dns_request_createraw2().
+
+1058.	[func]		Limited lifetime ticker timers are now available,
+			isc_timertype_limited.
+
 1057.	[bug]		Reloading the server after adding a "file" clause
 			to a zone statement could cause the server to
 			crash due to a typo in change 1016.
@@ -2878,7 +3213,9 @@
 1056.	[bug]		Rndc could catch an assertion failure on SIGINT due
 			to an uninitialized variable. [RT #1908]
 
-	--- 9.2.0rc7 released ---
+1055.	[func]		Version and hostname queries can now be disabled
+			using "version none;" and "hostname none;",
+			respectively.
 
 1054.	[bug]		On Win32, cfg_categories and cfg_modules need to be
 			exported from the libisccfg DLL.
@@ -2900,6 +3237,9 @@
 			failed to include the correct error code, file
 			name, and line number. [RT #1890]
 
+1049.	[func]		"pid-file none;" will disable writing a pid file.
+			[RT #1848]
+
 1048.	[bug]		Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
 			didn't work.
 
@@ -2937,11 +3277,28 @@
 			TKEY queries with an owner name other than the root
 			could cause an assertion failure. [RT #1866, #1869]
 
+1037.	[bug]		Negative responses whose authority section contain
+			SOA or NS records whose owner names are not equal
+			equal to or parents of the query name should be
+			rejected. [RT #1862]
+
+1036.	[func]		Silently drop requests received via multicast as
+			long as there is no final multicast DNS standard.
+
+1035.	[bug]		If we respond to multicast queries (which we
+			currently do not), respond from a unicast address
+			as specified in RFC 1123. [RT #137]
+
+1034.	[bug]		Ignore the RD bit on multicast queries as specified
+			in RFC 1123. [RT #137]
+
 1033.	[bug]		Always respond to requests with an unsupported opcode
 			with NOTIMP, even if we don't have a matching view
 			or cannot determine the class.
 
-	--- 9.2.0rc6 released ---
+1032.	[func]		hostname.bind/txt/chaos now returns the name of
+			the machine hosting the nameserver.  This is useful
+			in diagnosing problems with anycast servers.
 
 1031.	[bug]		libbind.a: isc__gettimeofday() infinite recursion.
 			[RT #1858]
@@ -2960,13 +3317,20 @@
 1027.	[bug]		RRs having the reserved type 0 should be rejected.
 			[RT #1471]
 
-1026.	[port]		Recognize OpenUNIX 8 in config.guess. [RT #1830]
+1026.	[placeholder]
+
+1025.	[bug]		Don't use multicast addresses to resolve iterative
+			queries. [RT #101]
+
+1024.	[port]		Compilation failed on HP-UX 11.11 due to
+			incompatible use of the SIOCGLIFCONF macro
+			name. [RT #1831]
+
+1023.	[func]		Accept hints without TTLs.
 
 1022.	[bug]		Don't report empty root hints as "extra data".
 			[RT #1802]
 
-	--- 9.2.0rc5 released ---
-
 1021.	[bug]		On Win32, log message timestamps were one month
 			later than they should have been, and the server
 			would exhibit unspecified behavior in December.
@@ -2991,16 +3355,27 @@
 			"size" option failed to create numbered log
 			files. [RT #1783]
 
-	--- 9.2.0rc4 released ---
+1014.	[bug]		Some queries would cause statistics counters to
+			increment more than once or not at all. [RT #1321]
 
 1013.	[bug]		It was possible to cancel a query twice when marking
 			a server as bogus or by having a blackhole acl.
 			[RT #1776]
 
+1012.	[bug]		The -p option to named did not behave as documented.
+
+1011.	[cleanup]	Removed isc_dir_current().
+
 1010.	[bug]		The server could attempt to execute a command channel
 			command after initiating server shutdown, causing
 			an assertion failure. [RT #1766]
 
+1009.	[port]		OpenUNIX 8 support. [RT #1728]
+
+1008.	[port]		libtool.m4, ltmain.sh from libtool-1.4.2.
+
+1007.	[port]		config.guess, config.sub from autoconf-2.52.
+
 1006.	[bug]		If a KEY RR was found missing during DNSSEC validation,
 			an assertion failure could subsequently be triggered
 			in the resolver. [RT #1763]
@@ -3010,6 +3385,8 @@
 
 1004.	[port]		Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
 
+1003.	[func]		Add the +retry option to dig.
+
 1002.	[bug]		When reporting an unknown class name in named.conf,
 			including the file name and line number. [RT #1759]
 
@@ -3020,31 +3397,83 @@
 1000.	[bug]		BIND 8 compatibility: accept "HESIOD" as an alias
 			for class "HS". [RT #1759]
 
-	--- 9.2.0rc3 released ---
+ 999.	[func]		"rndc retransfer zone [class [view]]" added.
+			[RT #1752]
+
+ 998.	[func]		named-checkzone now has arguments to specify the
+			chroot directory (-t) and working directory (-w).
+			[RT #1755]
+
+ 997.	[func]		Add support for RSA-SHA1 keys (RFC3110).
+
+ 996.	[func]		Issue warning if the configuration filename contains
+			the chroot path.
+
+ 995.	[bug]		dig, host, nslookup: using a raw IPv6 address as a
+			target address should be fatal on a IPv4 only system.
+
+ 994.	[func]		Treat non-authoritative responses to queries for type
+			NS as referrals even if the NS records are in the
+			answer section, because BIND 8 servers incorrectly
+			send them that way.  This is necessary for DNSSEC
+			validation of the NS records of a secure zone to
+			succeed when the parent is a BIND 8 server. [RT #1706]
+
+ 993.	[func]		dig: -v now reports the version.
+
+ 992.	[doc]		dig: ~/.digrc is now documented.
+
+ 991.	[func]		Lower UDP refresh timeout messages to level
+			debug 1.
 
  990.	[bug]		The rndc-confgen man page was not installed.
 
  989.	[bug]		Report filename if $INCLUDE fails for file related
 			errors. [RT #1736]
 
+ 988.	[bug]		'additional-from-auth no;' did not work reliably
+			in the case of queries answered from the cache.
+			[RT #1436]
+
  987.	[bug]		"dig -help" didn't show "+[no]stats".
 
  986.	[bug]		"dig +noall" failed to clear stats and command
 			printing.
 
+ 985.	[func]		Consider network interfaces to be up iff they have
+			a nonzero IP address rather than based on the
+			IFF_UP flag. [RT #1160]
+
  984.	[bug]		Multi-threading should be enabled by default on
 			Solaris 2.7 and newer, but it wasn't.
 
-	--- 9.2.0rc2 released ---
+ 983.	[func]		The server now supports generating IXFR difference
+			sequences for non-dynamic zones by comparing zone
+			versions, when enabled using the new config
+			option "ixfr-from-differences". [RT #1727]
+
+ 982.	[func]		If "memstatistics-file" is set in options the memory
+			statistics will be written to it.
+
+ 981.	[func]		The dnssec tools can now take multiple '-r randomfile'
+			arguments.
 
  980.	[bug]		Incoming zone transfers restarting after an error
 			could trigger an assertion failure. [RT #1692]
 
+ 979.	[func]		Incremental master file dumping.  dns_master_dumpinc(),
+			dns_master_dumptostreaminc(), dns_dumpctx_attach(),
+			dns_dumpctx_detach(), dns_dumpctx_cancel(),
+			dns_dumpctx_db() and dns_dumpctx_version().
+
  978.	[bug]		dns_db_attachversion() had an invalid REQUIRE()
 			condition.
 
  977.	[bug]		Improve "not at top of zone" error message.
 
+ 976.	[func]		named-checkconf can now test load master zones
+			(named-checkconf -z). [RT #1468]
+
  975.	[bug]		"max-cache-size default;" as a view option
 			caused an assertion failure.
 
@@ -3058,6 +3487,17 @@
  972.	[bug]		The file modification time code in zone.c was using the
 			wrong epoch. [RT #1667]
 
+ 971.	[placeholder]
+
+ 970.	[func]		'max-journal-size' can now be used to set a target
+			size for a journal.
+
+ 969.	[func]		dig now supports the undocumented dig 8 feature
+			of allowing arbitrary labels, not just dotted
+			decimal quads, with the -x option.  This can be
+			used to conveniently look up RFC2317 names as in
+			"dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
+
  968.	[bug]		On win32, the isc_time_now() function was unnecessarily
 			calling strtime(). [RT #1671]
 
@@ -3267,6 +3707,8 @@
  910.	[port]		Some pre-RFC2133 IPv6 implementations do not define
 			IN6ADDR_ANY_INIT. [RT #1416]
 
+ 909.	[placeholder]
+
  908.	[func]		New program, rndc-confgen, to simplify setting up rndc.
 
  907.	[func]		The ability to get entropy from either the
@@ -3349,6 +3791,46 @@
  887.	[port]		Detect broken compilers that can't call static
 			functions from inline functions. [RT #1212]
 
+ 886.	[placeholder]
+
+ 885.	[placeholder]
+
+ 884.	[placeholder]
+
+ 883.	[placeholder]
+
+ 882.	[placeholder]
+
+ 881.	[placeholder]
+
+ 880.	[placeholder]
+
+ 879.	[placeholder]
+
+ 878.	[placeholder]
+
+ 877.	[placeholder]
+
+ 876.	[placeholder]
+
+ 875.	[placeholder]
+
+ 874.	[placeholder]
+
+ 873.	[placeholder]
+
+ 872.	[placeholder]
+
+ 871.	[placeholder]
+
+ 870.	[placeholder]
+
+ 869.	[placeholder]
+
+ 868.	[placeholder]
+
+ 867.	[placeholder]
+
  866.	[func]		Close debug only file channels when debug is set to
 			zero. [RT #1246]
 
@@ -4156,6 +4638,8 @@
 			to be non-null.  Also 'done' will not be called if
 			dns_master_load*inc() fails immediately. [RT #565]
 
+ 619.	[placeholder]
+
  618.	[bug]		Queries to a signed zone could sometimes cause
 			an assertion failure.
 
@@ -4388,6 +4872,8 @@
 
  548.	[func]		The lexer now ungets tokens more correctly.
 
+ 547.	[placeholder]
+
  546.	[func]		Option 'lame-ttl' is now implemented.
 
  545.	[func]		Name limit and counting options removed from dig;
@@ -4413,6 +4899,8 @@
 
  538.	[bug]		fix buffer overruns by 1 in lwres_getnameinfo().
 
+ 537.	[placeholder]
+
  536.	[func]		Use transfer-source{-v6} when sending refresh queries.
 			Transfer-source{-v6} now take a optional port
 			parameter for setting the UDP source port.  The port
@@ -4986,6 +5474,8 @@
 
  364.	[func]		Added additional-from-{cache,auth}
 
+ 363.	[placeholder]
+
  362.	[bug]		rndc no longer aborts if the configuration file is
 			missing an options statement. [RT #209]
 
@@ -5037,8 +5527,7 @@
 
  347.	[bug]		Don't crash if an argument is left off options in dig.
 
- 346.	[func]		Add support for .digrc config file, in the
-			user's current directory.
+ 346.	[placeholder]
 
  345.	[bug]		Large-scale changes/cleanups to dig:
 			* Significantly improve structure handling
@@ -5598,7 +6087,6 @@
  201.	[cleanup]	Removed the test/sdig program, it has been
 			replaced by bin/dig/dig.
 
-
 	--- 9.0.0b3 released ---
 
  200.	[bug]		Failures in sending query responses to clients
diff --git a/contrib/bind9/COPYRIGHT b/contrib/bind9/COPYRIGHT
index 8bbcf24..8f1c2af 100644
--- a/contrib/bind9/COPYRIGHT
+++ b/contrib/bind9/COPYRIGHT
@@ -1,4 +1,4 @@
-Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 1996-2003  Internet Software Consortium.
 
 Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 PERFORMANCE OF THIS SOFTWARE.
 
-$Id: COPYRIGHT,v 1.6.2.2.8.4 2006/01/04 00:37:22 marka Exp $
+$Id: COPYRIGHT,v 1.9.18.3 2007/01/08 02:41:59 marka Exp $
 
 Portions Copyright (C) 1996-2001  Nominum, Inc.
 
diff --git a/contrib/bind9/FAQ b/contrib/bind9/FAQ
index ba87de2..af6c89a 100644
--- a/contrib/bind9/FAQ
+++ b/contrib/bind9/FAQ
@@ -75,12 +75,12 @@ Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar
 A: This is often caused by TXT records with missing close quotes. Check that all
    TXT records containing quoted strings have both open and close quotes.
 
-Q: How do I produce a usable core file from a multithreaded named on Linux?
+Q: How do I produce a usable core file from a multi-threaded named on Linux?
 
-A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable
+A: If the Linux kernel is 2.4.7 or newer, multi-threaded core dumps are usable
    (that is, the correct thread is dumped). Otherwise, if using a 2.2 kernel,
    apply the kernel patch found in contrib/linux/coredump-patch and rebuild the
-   kernel. This patch will cause multithreaded programs to dump the correct
+   kernel. This patch will cause multi-threaded programs to dump the correct
    thread.
 
 Q: How do I restrict people from looking up the server version?
@@ -310,7 +310,7 @@ A: These indicate a malformed master zone. You can identify the exact records
    named-checkzone example.com tmp
 
    A CNAME record cannot exist with the same name as another record except for the
-   DNSSEC records which prove its existance (NSEC).
+   DNSSEC records which prove its existence (NSEC).
 
    RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data
    should be present; this ensures that the data for a canonical name and its
@@ -385,11 +385,11 @@ Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
 A: This error is produced when a line in the master file contains leading white
    space (tab/space) but the is no current record owner name to inherit the name
    from. Usually this is the result of putting white space before a comment.
-   Forgeting the "@" for the SOA record or indenting the master file.
+   Forgetting the "@" for the SOA record or indenting the master file.
 
 Q: Why are my logs in GMT (UTC).
 
-A: You are running chrooted (-t) and have not supplied local timzone information
+A: You are running chrooted (-t) and have not supplied local timezone information
    in the chroot area.
 
    FreeBSD: /etc/localtime
@@ -474,7 +474,7 @@ A: These indicate a filesystem permission error preventing named creating /
            masters { 192.168.4.12; };
    };
 
-Q: How do I intergrate BIND 9 and Solaris SMF
+Q: How do I integrate BIND 9 and Solaris SMF
 
 A: Sun has a blog entry describing how to do this.
 
@@ -487,7 +487,7 @@ A: No. The rules for glue (copies of the *address* records in the parent zones)
 
    You would have to add both the CNAME and address records (A/AAAA) as glue to
    the parent zone and have CNAMEs be followed when doing additional section
-   processing to make it work. No namesever implementation supports either of
+   processing to make it work. No nameserver implementation supports either of
    these requirements.
 
 Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?
@@ -495,7 +495,7 @@ Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?
 A: If the IN-ADDR.ARPA name covered refers to a internal address space you are
    using then you have failed to follow RFC 1918 usage rules and are leaking
    queries to the Internet. You should establish your own zones for these
-   addresses to prevent you quering the Internet's name servers for these
+   addresses to prevent you querying the Internet's name servers for these
    addresses. Please see http://as112.net/ for details of the problems you are
    causing and the counter measures that have had to be deployed.
 
@@ -549,7 +549,7 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
    Red Hat have adopted the National Security Agency's SELinux security policy (
    see http://www.nsa.gov/selinux ) and recommendations for BIND security , which
    are more secure than running named in a chroot and make use of the bind-chroot
-   environment unecessary .
+   environment unnecessary .
 
    By default, named is not allowed by the SELinux policy to write, create or
    delete any files EXCEPT in these directories:
@@ -614,19 +614,19 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
    in different locations, you can do so by changing the context of the custom
    file locations .
 
-   To create a custom configuration file location, eg. '/root/named.conf', to use
+   To create a custom configuration file location, e.g. '/root/named.conf', to use
    with the 'named -c' option, do:
 
    # chcon system_u:object_r:named_conf_t /root/named.conf
 
 
-   To create a custom modifiable named data location, eg. '/var/log/named' for a
+   To create a custom modifiable named data location, e.g. '/var/log/named' for a
    log file, do:
 
    # chcon system_u:object_r:named_cache_t /var/log/named
 
 
-   To create a custom zone file location, eg. /root/zones/, do:
+   To create a custom zone file location, e.g. /root/zones/, do:
 
    # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
 
@@ -667,9 +667,55 @@ A: No, so long as the machines internal clock (as reported by "date -u") remains
    (which sets the default timezone for the machine) and possibly a directory
    which has all the conversion rules for the world (e.g. /usr/share/zoneinfo).
    When updating the OS do not forget to update any chroot areas as well. See your
-   OS's documetation for more details.
+   OS's documentation for more details.
 
    The local timezone conversion rules can also be done on a individual basis by
-   setting the TZ envirionment variable appropriately. See your OS's documentation
+   setting the TZ environment variable appropriately. See your OS's documentation
    for more details.
 
+Q: Why do we get the following warning at run time:
+
+   kernel: process `named' is using obsolete setsockopt SO_BSDCOMPAT
+
+A: The early Linux kernels broke sendto() by having it return that a ICMP
+   unreachable had be received for non connected UDP sockets. This made non
+   connected UDP sockets work like connected UDP socket which is fine when you are
+   only talking to one destination. Named however talks to multiple destinations
+   and it caused problems.
+
+   Rather than fix sendto() to just have BSD behaviour they added SO_BSDCOMPAT to
+   turn BSD behaviour on/off on a per socket basis.
+
+   Later they decided to make BSD behaviour the default and to aggressively track
+   down applications that used SO_BSDCOMPAT by issuing a warning. This is the sort
+   of things vendors do in alpha/beta stages of a release so that their code is
+   clean. They then turn the warning *off* for release code.
+
+   We still have customers that have kernels that require SO_BSDCOMPAT to operate.
+   We therefore cannot remove the setsockopt(SO_BSDCOMPAT) call.
+
+   Now most/all portable applications that use SO_BSDCOMPAT use it conditionally
+   manner so just removing SO_BSDCOMPAT from the header file would be safe as long
+   as the binary was not to be moved between systems. BIND's use is conditional.
+
+   In short, the Linux developers should either, remove the #define for
+   SO_BSDCOMPAT, and/or remove the warning.
+
+Q: Isn't "make install" supposed to generate a default named.conf?
+
+A: Short Answer: No.
+
+   Long Answer: There really isn't a default configuration which fits any site
+   perfectly. There are lots of decisions that need to be made and there is no
+   consensus on what the defaults should be. For example FreeBSD uses /etc/namedb
+   as the location where the configuration files for named are stored. Others use
+   /var/named.
+
+   What addresses to listen on? For a laptop on the move a lot you may only want
+   to listen on the loop back interfaces.
+
+   Who do you offer recursive service to? Is there are firewall to consider? If so
+   is it stateless or stateful. Are you directly on the Internet? Are you on a
+   private network? Are you on a NAT'd network? The answers to all these questions
+   change how you configure even a caching name server.
+
diff --git a/contrib/bind9/FAQ.xml b/contrib/bind9/FAQ.xml
index f67f723..4e11b84 100644
--- a/contrib/bind9/FAQ.xml
+++ b/contrib/bind9/FAQ.xml
@@ -1,3 +1,4 @@
+<?xml-stylesheet href="common.css" type="text/css"?>
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
        "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
 <!--
@@ -17,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: FAQ.xml,v 1.4.6.5.6.1 2007/01/12 02:28:00 marka Exp $ -->
+<!-- $Id: FAQ.xml,v 1.4.4.8 2007/02/05 05:23:39 marka Exp $ -->
 
 <article class="faq">
   <title>Frequently Asked Questions about BIND 9</title>
@@ -186,17 +187,17 @@ example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlis
     <qandaentry>
       <question>
 	<para>
-	How do I produce a usable core file from a multithreaded
+	How do I produce a usable core file from a multi-threaded
 	named on Linux?
 	</para>
       </question>
       <answer>
 	<para>
-	If the Linux kernel is 2.4.7 or newer, multithreaded core
+	If the Linux kernel is 2.4.7 or newer, multi-threaded core
 	dumps are usable (that is, the correct thread is dumped).
 	Otherwise, if using a 2.2 kernel, apply the kernel patch
 	found in contrib/linux/coredump-patch and rebuild the kernel.
-	This patch will cause multithreaded programs to dump the
+	This patch will cause multi-threaded programs to dump the
 	correct thread.
 	</para>
       </answer>
@@ -644,7 +645,7 @@ named-checkzone example.com tmp</programlisting>
 	</informalexample>
 	<para>
 	  A CNAME record cannot exist with the same name as another record
-	  except for the DNSSEC records which prove its existance (NSEC).
+	  except for the DNSSEC records which prove its existence (NSEC).
 	</para>
 	<para>
 	  RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node,
@@ -768,7 +769,7 @@ Master 10.0.1.1:
 	  contains leading white space (tab/space) but the is no
 	  current record owner name to inherit the name from.  Usually
 	  this is the result of putting white space before a comment.
-	  Forgeting the "@" for the SOA record or indenting the master
+	  Forgetting the "@" for the SOA record or indenting the master
 	  file.
 	</para>
       </answer>
@@ -782,7 +783,7 @@ Master 10.0.1.1:
       </question>
       <answer>
 	<para>
-	  You are running chrooted (-t) and have not supplied local timzone
+	  You are running chrooted (-t) and have not supplied local timezone
 	  information in the chroot area.
 	</para>
 	<simplelist>
@@ -945,7 +946,7 @@ zone "example.net" {
     <qandaentry>
       <question>
 	<para>
-	  How do I intergrate BIND 9 and Solaris SMF
+	  How do I integrate BIND 9 and Solaris SMF
 	</para>
       </question>
       <answer>
@@ -977,7 +978,7 @@ zone "example.net" {
 	  You would have to add both the CNAME and address records
 	  (A/AAAA) as glue to the parent zone and have CNAMEs be
 	  followed when doing additional section processing to make
-	  it work.  No namesever implementation supports either of
+	  it work.  No nameserver implementation supports either of
 	  these requirements.
 	</para>
       </answer>
@@ -996,7 +997,7 @@ zone "example.net" {
 	  space you are using then you have failed to follow RFC 1918
 	  usage rules and are leaking queries to the Internet.  You
 	  should establish your own zones for these addresses to prevent
-	  you quering the Internet's name servers for these addresses.
+	  you querying the Internet's name servers for these addresses.
 	  Please see <ulink url="http://as112.net/">http://as112.net/</ulink>
 	  for details of the problems you are causing and the counter
 	  measures that have had to be deployed.
@@ -1073,7 +1074,7 @@ empty:
 	   SELinux security policy ( see http://www.nsa.gov/selinux
 	   ) and recommendations for BIND security , which are more
 	   secure than running named in a chroot and make use of
-	   the bind-chroot environment unecessary .
+	   the bind-chroot environment unnecessary .
 	</para>
 
 	<para>
@@ -1174,7 +1175,7 @@ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,d
 	</para>
 
 	<para>
-	  To create a custom configuration file location, eg.
+	  To create a custom configuration file location, e.g.
 	  '/root/named.conf', to use with the 'named -c' option,
 	  do:
 	  <informalexample>
@@ -1185,7 +1186,7 @@ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,d
 	</para>
   
 	<para>
-	  To create a custom modifiable named data location, eg.
+	  To create a custom modifiable named data location, e.g.
 	  '/var/log/named' for a log file, do:
 	  <informalexample>
 	    <programlisting>
@@ -1195,7 +1196,7 @@ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,d
 	</para>
    
 	<para>
-   To create a custom zone file location, eg. /root/zones/, do:
+   To create a custom zone file location, e.g. /root/zones/, do:
 	  <informalexample>
 	    <programlisting>
 # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
@@ -1209,6 +1210,7 @@ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,d
 	</para>
       </answer>
     </qandaentry>
+
     <qandaentry>
       <question>
 	<para>
@@ -1239,6 +1241,7 @@ zone "list.dsbl.org" {
         </programlisting>
       </answer>
     </qandaentry>
+
     <qandaentry>
       <question>
 	<para>
@@ -1262,15 +1265,93 @@ zone "list.dsbl.org" {
 	  a directory which has all the conversion rules for the
 	  world (e.g. /usr/share/zoneinfo).  When updating the OS
 	  do not forget to update any chroot areas as well.
-	  See your OS's documetation for more details.
+	  See your OS's documentation for more details.
 	</para>
 	<para>
 	  The local timezone conversion rules can also be done on
-	  a individual basis by setting the TZ envirionment variable
+	  a individual basis by setting the TZ environment variable
 	  appropriately.  See your OS's documentation for more
 	  details.
 	</para>
       </answer>
     </qandaentry>
+
+    <qandaentry>
+      <question>
+	<para>
+	  Why do we get the following warning at run time:
+<programlisting>kernel: process `named' is using obsolete setsockopt SO_BSDCOMPAT</programlisting>
+	</para>
+      </question>
+      <answer>
+	<para>
+          The early Linux kernels broke sendto() by having it return     
+          that a ICMP unreachable had be received for non connected
+          UDP sockets.  This made non connected UDP sockets work like
+          connected UDP socket which is fine when you are only talking
+          to one destination.  Named however talks to multiple
+          destinations and it caused problems.
+	</para>
+	<para>
+          Rather than fix sendto() to just have BSD behaviour they added
+          SO_BSDCOMPAT to turn BSD behaviour on/off on a per socket basis.
+	</para>
+	<para>
+          Later they decided to make BSD behaviour the default and
+          to aggressively track down applications that used SO_BSDCOMPAT
+          by issuing a warning.  This is the sort of things vendors
+          do in alpha/beta stages of a release so that their code is
+          clean.  They then turn the warning *off* for release code.
+	</para>
+	<para>
+          We still have customers that have kernels that require
+          SO_BSDCOMPAT to operate.  We therefore cannot remove the
+          setsockopt(SO_BSDCOMPAT) call.
+	</para>
+	<para>
+          Now most/all portable applications that use SO_BSDCOMPAT use it
+          conditionally manner so just removing SO_BSDCOMPAT from the
+          header file would be safe as long as the binary was not to
+          be moved between systems.  BIND's use is conditional.
+	</para>
+	<para>
+	  In short, the Linux developers should either, remove the #define for
+	  SO_BSDCOMPAT, and/or remove the warning.
+	</para>
+      </answer>
+    </qandaentry>
+
+    <qandaentry>
+      <question>
+	<para>
+	  Isn't "make install"  supposed to generate a default named.conf?
+	</para>
+      </question>
+      <answer>
+	<para>
+	  Short Answer: No. 
+	</para>
+	<para>
+	  Long Answer: There really isn't a default configuration which fits
+	  any site perfectly.  There are lots of decisions that need to
+	  be made and there is no consensus on what the defaults should be.
+	  For example FreeBSD uses /etc/namedb as the location where the
+	  configuration files for named are stored.  Others use /var/named.
+	</para>
+	<para>
+	  What addresses to listen on?  For a laptop on the move a lot
+	  you may only want to listen on the loop back interfaces.
+	</para>
+	<para>
+	  Who do you offer recursive service to?  Is there are firewall
+	  to consider?  If so is it stateless or stateful.  Are you
+	  directly on the Internet?  Are you on a private network? Are
+	  you on a NAT'd network? The answers
+	  to all these questions change how you configure even a
+	  caching name server.
+	</para>
+      </answer>
+    </qandaentry>
+
   </qandaset>
 </article>
diff --git a/contrib/bind9/Makefile.in b/contrib/bind9/Makefile.in
index 7f3a688..0820ce7 100644
--- a/contrib/bind9/Makefile.in
+++ b/contrib/bind9/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.41.2.2.2.4 2006/05/19 00:04:00 marka Exp $
+# $Id: Makefile.in,v 1.43.18.4 2006/05/19 00:04:01 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -58,3 +58,11 @@ check: test
 
 test:
 	(cd bin/tests && ${MAKE} ${MAKEDEFS} test)
+
+FAQ: FAQ.xml
+	${XSLTPROC} doc/xsl/isc-docbook-text.xsl FAQ.xml | \
+	${W3M} -T text/html -dump >$@.tmp
+	mv $@.tmp $@
+
+clean::
+	rm -f FAQ.tmp
diff --git a/contrib/bind9/README b/contrib/bind9/README
index 4763e53..ac05b83 100644
--- a/contrib/bind9/README
+++ b/contrib/bind9/README
@@ -42,41 +42,233 @@ BIND 9
 		Stichting NLnet - NLnet Foundation
 		Nominum, Inc.
 
-BIND 9.3.4
 
-	BIND 9.3.4 is a security release.
+BIND 9.4.1
 
-BIND 9.3.3
+	BIND 9.4.1 is a security release, containing a fix for a
+	security bug in 9.4.0.
+	
+BIND 9.4.0
 
-        BIND 9.3.3 is a maintenance release, containing fixes for
-        a number of bugs in 9.3.2.
+	BIND 9.4.0 has a number of new features over 9.3,
+	including:
 
-BIND 9.3.2
+	Implemented "additional section caching" (or "acache"), an
+	internal cache framework for additional section content to
+	improve response performance.  Several configuration options
+	were provided to control the behavior.
 
-        BIND 9.3.2 is a maintenance release, containing fixes for
-        a number of bugs in 9.3.1.
+	New notify type 'master-only'.  Enable notify for master
+	zones only.
 
-        libbind: corresponds to that from BIND 8.4.7-REL.
+	Accept 'notify-source' style syntax for query-source.
 
-	Known Issues:
+	rndc now allows addresses to be set in the server clauses.
 
-	The following INSIST can be triggered with DNSSEC enabled.
+	New option "allow-query-cache".  This lets allow-query be
+	used to specify the default zone access level rather than
+	having to have every zone override the global value.
+	allow-query-cache can be set at both the options and view
+	levels.  If allow-query-cache is not set allow-query applies.
 
-resolver.c:762: INSIST(result != 0 || dns_rdataset_isassociated(event->rdataset) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig)) failed
+	rndc: the source address can now be specified.
 
-	We are still trying to isolate the cause.  If you have core
-	dump please send a bug report to bind9-bugs@isc.org with
-	the location of the core, named executable and OS details.
-	
-	Note: contrib/nanny contains a perl script to restart named
-	in the event of a INSIST/REQUIRE/ENSURE failure.
+	ixfr-from-differences now takes master and slave in addition
+	to yes and no at the options and view levels.
+
+	Allow the journal's name to be changed via named.conf.
+
+	'rndc notify zone [class [view]]' resend the NOTIFY messages
+	for the specified zone.
+
+	'dig +trace' now randomly selects the next servers to try.
+	Report if there is a bad delegation.
+
+	Improve check-names error messages.
+
+	Make public the function to read a key file, dst_key_read_public().
+
+	dig now returns the byte count for axfr/ixfr.
+			
+	allow-update is now settable at the options / view level.
+
+	named-checkconf now checks the logging configuration.
+
+	host now can turn on memory debugging flags with '-m'.
+
+	Don't send notify messages to self.
+
+	Perform sanity checks on NS records which refer to 'in zone' names.
+
+	New zone option "notify-delay".  Specify a minimum delay
+	between sets of NOTIFY messages.
+
+	Extend adjusting TTL warning messages.
+
+	Named and named-checkzone can now both check for non-terminal
+	wildcard records.
+
+	"rndc freeze/thaw" now freezes/thaws all zones.
+
+	named-checkconf now check acls to verify that they only
+	refer to existing acls.
+
+	The server syntax has been extended to support a range of
+	servers.
+
+	Report differences between hints and real NS rrset and
+	associated address records.
+
+	Preserve the case of domain names in rdata during zone
+	transfers.
+
+	Restructured the data locking framework using architecture
+	dependent atomic operations (when available), improving
+	response performance on multi-processor machines significantly.
+	x86, x86_64, alpha, powerpc, and mips are currently supported.
+
+	UNIX domain controls are now supported.
+
+	Add support for additional zone file formats for improving
+	loading performance.  The masterfile-format option in
+	named.conf can be used to specify a non-default format.  A
+	separate command named-compilezone was provided to generate
+	zone files in the new format.  Additionally, the -I and -O
+	options for dnssec-signzone specify the input and output
+	formats.
+
+	dnssec-signzone can now randomize signature end times
+	(dnssec-signzone -j jitter).
+
+	Add support for CH A record.
+
+	Add additional zone data consistancy checks.  named-checkzone
+	has extended checking of NS, MX and SRV record and the hosts
+	they reference.  named has extended post zone load checks.
+	New zone options: check-mx and integrity-check.
+
+	edns-udp-size can now be overridden on a per server basis.
+
+	dig can now specify the EDNS version when making a query.
+
+	Added framework for handling multiple EDNS versions.
+
+	Additional memory debugging support to track size and mctx
+	arguments.
+
+	Detect duplicates of UDP queries we are recursing on and
+	drop them.  New stats category "duplicates".
+
+	Memory management. "USE INTERNAL MALLOC" is now runtime selectable.
+
+	The lame cache is now done on a <qname,qclass,qtype> basis
+	as some servers only appear to be lame for certain query
+	types.
+
+	Limit the number of recursive clients that can be waiting
+	for a single query (<qname,qtype,qclass>) to resolve.  New
+	options clients-per-query and max-clients-per-query.
+
+	dig: report the number of extra bytes still left in the
+	packet after processing all the records.
+
+	Support for IPSECKEY rdata type.
+
+	Raise the UDP receive buffer size to 32k if it is less than 32k.
+
+	x86 and x86_64 now have separate atomic locking implementations.
+
+	named-checkconf now validates update-policy entries.
+
+	Attempt to make the amount of work performed in a iteration
+	self tuning.  The covers nodes clean from the cache per
+	iteration, nodes written to disk when rewriting a master
+	file and nodes destroyed per iteration when destroying a
+	zone or a cache.
+
+	ISC string copy API.
+
+	Automatic empty zone creation for D.F.IP6.ARPA and friends.
+	Note: RFC 1918 zones are not yet covered by this but are
+	likely to be in a future release.
+
+	New options: empty-server, empty-contact, empty-zones-enable
+	and disable-empty-zone.
+
+	dig now has a '-q queryname' and '+showsearch' options.
+
+	host/nslookup now continue (default)/fail on SERVFAIL.
+
+	dig now warns if 'RA' is not set in the answer when 'RD'
+	was set in the query.  host/nslookup skip servers that fail
+	to set 'RA' when 'RD' is set unless a server is explicitly
+	set.
+
+	Integrate contributed DLZ code into named.
+
+	Integrate contributed IDN code from JPNIC.
+
+	Validate pending NS RRsets, in the authority section, prior
+	to returning them if it can be done without requiring DNSKEYs
+	to be fetched.
+
+	It is now possible to configure named to accept expired
+	RRSIGs.  Default "dnssec-accept-expired no;".  Setting
+	"dnssec-accept-expired yes;" leaves named vulnerable to
+	replay attacks.
+
+	Additional memory leakage checks.
+
+	The maximum EDNS UDP response named will send can now be
+	set in named.conf (max-udp-size).  This is independent of
+	the advertised receive buffer (edns-udp-size).
+
+	Named now falls back to advertising EDNS with a 512 byte
+	receive buffer if the initial EDNS queries fail.
+
+	Control the zeroing of the negative response TTL to a soa
+	query.  Defaults "zero-no-soa-ttl yes;" and
+	"zero-no-soa-ttl-cache no;".
+			
+	Separate out MX and SRV to CNAME checks.
+
+	dig/nslookup/host: warn about missing "QR".
+
+	TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
+	HMACSHA512 support.
+
+	dnssec-signzone: output the SOA record as the first record
+	in the signed zone.
+
+	Two new update policies.  "selfsub" and "selfwild".
+
+	dig, nslookup and host now advertise a 4096 byte EDNS UDP
+	buffer size by default.
+
+	Report when a zone is removed.
+
+	DS/DLV SHA256 digest algorithm support.
+
+	Implement "rrset-order fixed".
+
+	Check the KSK flag when updating a secure dynamic zone.
+	New zone option "update-check-ksk yes;".
+
+	It is now possible to explicitly enable DNSSEC validation.
+	default dnssec-validation no; to be changed to yes in 9.5.0.
+
+	It is now possible to enable/disable DNSSEC validation
+	from rndc.  This is useful for the mobile hosts where the
+	current connection point breaks DNSSEC (firewall/proxy).
+
+		rndc validation newstate [view]
 
-BIND 9.3.1
+	dnssec-signzone can now update the SOA record of the signed
+	zone, either as an increment or as the system time().
 
-        BIND 9.3.1 is a maintenance release, containing fixes for
-        a number of bugs in 9.3.0.
+	Statistics about acache now recorded and sent to log.
 
-        libbind: corresponds to that from BIND 8.4.6-REL.
+	libbind: corresponds to that from BIND 8.4.7.
 
 BIND 9.3.0
 
diff --git a/contrib/bind9/README.idnkit b/contrib/bind9/README.idnkit
new file mode 100644
index 0000000..316f879
--- /dev/null
+++ b/contrib/bind9/README.idnkit
@@ -0,0 +1,112 @@
+
+			BIND-9 IDN patch
+
+	       Japan Network Information Center (JPNIC)
+
+
+* What is this patch for?
+
+This patch adds internationalized domain name (IDN) support to BIND-9.
+You'll get internationalized version of dig/host/nslookup commands.
+
+    + internationalized dig/host/nslookup
+	dig/host/nslookup accepts non-ASCII domain names in the local
+	codeset (such as Shift JIS, Big5 or ISO8859-1) determined by
+	the locale information.  The domain names are normalized and
+	converted to the encoding on the DNS protocol, and sent to DNS
+	servers.  The replies are converted back to the local codeset
+	and displayed.
+
+
+* Compilation & installation
+
+0. Prerequisite
+
+You have to build and install idnkit before building this patched version
+of bind-9.
+
+1. Running configure script
+
+Run `configure' in the top directory.  See `README' for the
+configuration options.
+
+This patch adds the following 4 options to `configure'.  You should
+at least specify `--with-idn' option to enable IDN support.
+
+    --with-idn[=IDN_PREFIX]
+	To enable IDN support, you have to specify `--with-idn' option.
+	The argument IDN_PREFIX is the install prefix of idnkit.  If
+	IDN_PREFIX is omitted, PREFIX (derived from `--prefix=PREFIX')
+	is assumed.
+
+    --with-libiconv[=LIBICONV_PREFIX]
+	Specify this option if idnkit you have installed links GNU
+	libiconv.  The argument LIBICONV_PREFIX is install prefix of
+	GNU libiconv.  If the argument is omitted, PREFIX (derived
+	from `--prefix=PREFIX') is assumed.
+
+	`--with-libiconv' is shorthand option for GNU libiconv.
+
+	    --with-libiconv=/usr/local
+
+	This is equivalent to:
+
+	    --with-iconv='-L/usr/local/lib -R/usr/local/lib -liconv'
+
+	`--with-libiconv' assumes that your C compiler has `-R'
+	option, and that the option adds the specified run-time path
+	to an exacutable binary.  If `-R' option of your compiler has
+	different meaning, or your compiler lacks the option, you
+	should use `--with-iconv' option instead.  Binary command
+	without run-time path information might be unexecutable.
+	In that case, you would see an error message like:
+
+	    error in loading shared libraries: libiconv.so.2: cannot
+	    open shared object file
+
+	If both `--with-libiconv' and `--with-iconv' options are
+	specified, `--with-iconv' is prior to `--with-libiconv'.
+
+    --with-iconv=ICONV_LIBSPEC
+	If your libc doens't provide iconv(), you need to specify the
+	library containing iconv() with this option.  `ICONV_LIBSPEC'
+	is the argument(s) to `cc' or `ld' to link the library, for
+	example, `--with-iconv="-L/usr/local/lib -liconv"'.
+	You don't need to specify the header file directory for "iconv.h"
+	to the compiler, as it isn't included directly by bind-9 with
+	this patch.
+
+    --with-idnlib=IDN_LIBSPEC
+	With this option, you can explicitly specify the argument(s)
+	to `cc' or `ld' to link the idnkit's library, `libidnkit'.  If
+	this option is not specified, `-L${PREFIX}/lib -lidnkit' is
+	assumed, where ${PREFIX} is the installation prefix specified
+	with `--with-idn' option above.  You may need to use this
+	option to specify extra argments, for example,
+	`--with-idnlib="-L/usr/local/lib -R/usr/local/lib -lidnkit"'.
+
+Please consult `README' for other configuration options.
+
+Note that if you want to specify some extra header file directories,
+you should use the environment variable STD_CINCLUDES instead of
+CFLAGS, as described in README.
+
+2. Compilation and installation
+
+After running "configure", just do
+
+	make
+	make install
+
+for compiling and installing.
+
+
+* Contact information
+
+Please see http//www.nic.ad.jp/en/idn/ for the latest news
+about idnkit and this patch.
+
+Bug reports and comments on this kit should be sent to
+mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
+
+; $Id: README.idnkit,v 1.2.2.2 2005/09/12 02:12:08 marka Exp $
diff --git a/contrib/bind9/acconfig.h b/contrib/bind9/acconfig.h
index 574ea35..e8f7d52 100644
--- a/contrib/bind9/acconfig.h
+++ b/contrib/bind9/acconfig.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acconfig.h,v 1.35.2.4.2.10 2004/12/04 06:50:02 marka Exp $ */
+/* $Id: acconfig.h,v 1.44.18.5 2005/04/29 00:15:20 marka Exp $ */
+
+/*! \file */
 
 /***
  *** This file is not to be included by any public header files, because
@@ -23,95 +25,97 @@
  ***/
 @TOP@
 
-/* define to `int' if <sys/types.h> doesn't define.  */
+/** define to `int' if <sys/types.h> doesn't define.  */
 #undef ssize_t
 
-/* define on DEC OSF to enable 4.4BSD style sa_len support */
+/** define on DEC OSF to enable 4.4BSD style sa_len support */
 #undef _SOCKADDR_LEN
 
-/* define if your system needs pthread_init() before using pthreads */
+/** define if your system needs pthread_init() before using pthreads */
 #undef NEED_PTHREAD_INIT
 
-/* define if your system has sigwait() */
+/** define if your system has sigwait() */
 #undef HAVE_SIGWAIT
 
-/* define if sigwait() is the UnixWare flavor */
+/** define if sigwait() is the UnixWare flavor */
 #undef HAVE_UNIXWARE_SIGWAIT
 
-/* define on Solaris to get sigwait() to work using pthreads semantics */
+/** define on Solaris to get sigwait() to work using pthreads semantics */
 #undef _POSIX_PTHREAD_SEMANTICS
 
-/* define if LinuxThreads is in use */
+/** define if LinuxThreads is in use */
 #undef HAVE_LINUXTHREADS
 
-/* define if sysconf() is available */
+/** define if sysconf() is available */
 #undef HAVE_SYSCONF
 
-/* define if sysctlbyname() is available */
+/** define if sysctlbyname() is available */
 #undef HAVE_SYSCTLBYNAME
 
-/* define if catgets() is available */
+/** define if catgets() is available */
 #undef HAVE_CATGETS
 
-/* define if getifaddrs() exists */
+/** define if getifaddrs() exists */
 #undef HAVE_GETIFADDRS
 
-/* define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
+/** define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
 #undef HAVE_IFLIST_SYSCTL
 
-/* define if chroot() is available */
+/** define if chroot() is available */
 #undef HAVE_CHROOT
 
-/* define if tzset() is available */
+/** define if tzset() is available */
 #undef HAVE_TZSET
 
-/* define if struct addrinfo exists */
+/** define if struct addrinfo exists */
 #undef HAVE_ADDRINFO
 
-/* define if getaddrinfo() exists */
+/** define if getaddrinfo() exists */
 #undef HAVE_GETADDRINFO
 
-/* define if gai_strerror() exists */
+/** define if gai_strerror() exists */
 #undef HAVE_GAISTRERROR
 
-/* define if arc4random() exists */
+/** define if arc4random() exists */
 #undef HAVE_ARC4RANDOM
 
-/* define if pthread_setconcurrency() should be called to tell the
+/**
+ * define if pthread_setconcurrency() should be called to tell the
  * OS how many threads we might want to run.
  */
 #undef CALL_PTHREAD_SETCONCURRENCY
 
-/* define if IPv6 is not disabled */
+/** define if IPv6 is not disabled */
 #undef WANT_IPV6
 
-/* define if flockfile() is available */
+/** define if flockfile() is available */
 #undef HAVE_FLOCKFILE
 
-/* define if getc_unlocked() is available */
+/** define if getc_unlocked() is available */
 #undef HAVE_GETCUNLOCKED
 
-/* Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
+/** Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
 #undef SHUTUP_SPUTAUX
 #ifdef SHUTUP_SPUTAUX
 struct __sFILE;
 extern __inline int __sputaux(int _c, struct __sFILE *_p);
 #endif
 
-/* Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */
+/** Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */
 #undef SHUTUP_SIGWAIT
 #ifdef SHUTUP_SIGWAIT
 int sigwait(const unsigned int *set, int *sig);
 #endif
 
-/* Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */
+/** Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */
 #undef SHUTUP_STDARG_CAST
 #if defined(SHUTUP_STDARG_CAST) && defined(__GNUC__)
-#include <stdarg.h>		/* Grr.  Must be included *every time*. */
-/*
+#include <stdarg.h>		/** Grr.  Must be included *every time*. */
+/**
  * The silly continuation line is to keep configure from
  * commenting out the #undef.
  */
+ 
 #undef \
 	va_start
 #define	va_start(ap, last) \
@@ -120,21 +124,21 @@ int sigwait(const unsigned int *set, int *sig);
 		_u.konst = &(last); \
 		ap = (va_list)(_u.var + __va_words(__typeof(last))); \
 	} while (0)
-#endif /* SHUTUP_STDARG_CAST && __GNUC__ */
+#endif /** SHUTUP_STDARG_CAST && __GNUC__ */
 
-/* define if the system has a random number generating device */
+/** define if the system has a random number generating device */
 #undef PATH_RANDOMDEV
 
-/* define if pthread_attr_getstacksize() is available */
+/** define if pthread_attr_getstacksize() is available */
 #undef HAVE_PTHREAD_ATTR_GETSTACKSIZE
 
-/* define if pthread_attr_setstacksize() is available */
+/** define if pthread_attr_setstacksize() is available */
 #undef HAVE_PTHREAD_ATTR_SETSTACKSIZE
 
-/* define if you have strerror in the C library. */
+/** define if you have strerror in the C library. */
 #undef HAVE_STRERROR
 
-/* Define if you are running under Compaq TruCluster. */
+/** Define if you are running under Compaq TruCluster. */
 #undef HAVE_TRUCLUSTER
 
 /* Define if OpenSSL includes DSA support */
diff --git a/contrib/bind9/bin/Makefile.in b/contrib/bind9/bin/Makefile.in
index d8261d7..2e29f94 100644
--- a/contrib/bind9/bin/Makefile.in
+++ b/contrib/bind9/bin/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.22.208.1 2004/03/06 10:21:10 marka Exp $
+# $Id: Makefile.in,v 1.23 2004/03/05 04:57:10 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/bin/check/Makefile.in b/contrib/bind9/bin/check/Makefile.in
index 5fdf463..cd9ecf6 100644
--- a/contrib/bind9/bin/check/Makefile.in
+++ b/contrib/bind9/bin/check/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.15.2.3.8.6 2004/07/20 07:01:48 marka Exp $
+# $Id: Makefile.in,v 1.24.18.6 2006/06/09 00:54:08 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -75,7 +75,8 @@ named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
 
 named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	named-checkzone.@O@ check-tool.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+	named-checkzone.@O@ check-tool.@O@ ${ISCCFGLIBS} ${DNSLIBS} \
+	${ISCLIBS} ${LIBS}
 
 doc man:: ${MANOBJS}
 
@@ -89,7 +90,9 @@ installdirs:
 install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
+	(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
 	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
+	(cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
 
 clean distclean::
 	rm -f ${TARGETS} r1.htm
diff --git a/contrib/bind9/bin/check/check-tool.c b/contrib/bind9/bin/check/check-tool.c
index 1b67ca8..c8ef4df 100644
--- a/contrib/bind9/bin/check/check-tool.c
+++ b/contrib/bind9/bin/check/check-tool.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check-tool.c,v 1.4.12.7 2004/11/30 01:15:40 marka Exp $ */
+/* $Id: check-tool.c,v 1.10.18.14 2006/06/08 01:43:00 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -27,6 +29,8 @@
 
 #include <isc/buffer.h>
 #include <isc/log.h>
+#include <isc/net.h>
+#include <isc/netdb.h>
 #include <isc/region.h>
 #include <isc/stdio.h>
 #include <isc/types.h>
@@ -34,24 +38,360 @@
 #include <dns/fixedname.h>
 #include <dns/log.h>
 #include <dns/name.h>
+#include <dns/rdata.h>
 #include <dns/rdataclass.h>
+#include <dns/rdataset.h>
 #include <dns/types.h>
 #include <dns/zone.h>
 
+#include <isccfg/log.h>
+
+#ifdef HAVE_ADDRINFO
+#ifdef HAVE_GETADDRINFO
+#ifdef HAVE_GAISTRERROR
+#define USE_GETADDRINFO
+#endif
+#endif
+#endif
+
 #define CHECK(r) \
-        do { \
+	do { \
 		result = (r); \
-                if (result != ISC_R_SUCCESS) \
-                        goto cleanup; \
-        } while (0)   
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup; \
+	} while (0)   
 
 static const char *dbtype[] = { "rbt" };
 
 int debug = 0;
 isc_boolean_t nomerge = ISC_TRUE;
+isc_boolean_t docheckmx = ISC_TRUE;
+isc_boolean_t dochecksrv = ISC_TRUE;
+isc_boolean_t docheckns = ISC_TRUE;
 unsigned int zone_options = DNS_ZONEOPT_CHECKNS | 
+			    DNS_ZONEOPT_CHECKMX |
 			    DNS_ZONEOPT_MANYERRORS |
-			    DNS_ZONEOPT_CHECKNAMES;
+			    DNS_ZONEOPT_CHECKNAMES |
+			    DNS_ZONEOPT_CHECKINTEGRITY |
+			    DNS_ZONEOPT_CHECKWILDCARD |
+			    DNS_ZONEOPT_WARNMXCNAME |
+			    DNS_ZONEOPT_WARNSRVCNAME;
+
+/*
+ * This needs to match the list in bin/named/log.c.
+ */
+static isc_logcategory_t categories[] = {
+	{ "",		     0 },
+	{ "client",	     0 },
+	{ "network",	     0 },
+	{ "update",	     0 },
+	{ "queries",	     0 },
+	{ "unmatched", 	     0 },
+	{ "update-security", 0 },
+	{ NULL,		     0 }
+};
+
+static isc_boolean_t
+checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
+	dns_rdataset_t *a, dns_rdataset_t *aaaa)
+{
+#ifdef USE_GETADDRINFO
+	dns_rdataset_t *rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	struct addrinfo hints, *ai, *cur;
+	char namebuf[DNS_NAME_FORMATSIZE + 1];
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char addrbuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")];
+	isc_boolean_t answer = ISC_TRUE;
+	isc_boolean_t match;
+	const char *type;
+	void *ptr = NULL;
+	int result;
+
+	REQUIRE(a == NULL || !dns_rdataset_isassociated(a) ||
+		a->type == dns_rdatatype_a);
+	REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) ||
+		aaaa->type == dns_rdatatype_aaaa);
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_flags = AI_CANONNAME;
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_protocol = IPPROTO_TCP;
+
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	/*
+	 * Turn off search.
+	 */
+	if (dns_name_countlabels(name) > 1U)
+		strcat(namebuf, ".");
+	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
+	
+	result = getaddrinfo(namebuf, NULL, &hints, &ai);
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	switch (result) {
+	case 0:
+		if (strcasecmp(ai->ai_canonname, namebuf) != 0) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/NS '%s' (out of zone) "
+				     "is a CNAME (illegal)",
+				     ownerbuf, namebuf);
+			/* XXX950 make fatal for 9.5.0 */
+			/* answer = ISC_FALSE; */
+		}
+		break;
+	case EAI_NONAME:
+#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
+	case EAI_NODATA:
+#endif
+		dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' (out of zone) "
+			     "has no addresses records (A or AAAA)",
+			     ownerbuf, namebuf);
+		/* XXX950 make fatal for 9.5.0 */
+		return (ISC_TRUE);
+
+	default:
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "getaddrinfo(%s) failed: %s",
+			     namebuf, gai_strerror(result));
+		return (ISC_TRUE);
+	}
+	if (a == NULL || aaaa == NULL)
+		return (answer);
+	/*
+	 * Check that all glue records really exist.
+	 */
+	if (!dns_rdataset_isassociated(a))
+		goto checkaaaa;
+	result = dns_rdataset_first(a);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(a, &rdata);
+		match = ISC_FALSE;
+		for (cur = ai; cur != NULL; cur = cur->ai_next) {
+			if (cur->ai_family != AF_INET)
+				continue;
+			ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
+			if (memcmp(ptr, rdata.data, rdata.length) == 0) {
+				match = ISC_TRUE;
+				break;
+			}
+		}
+		if (!match) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
+				     "extra GLUE A record (%s)",
+				     ownerbuf, namebuf,
+				     inet_ntop(AF_INET, rdata.data,
+					       addrbuf, sizeof(addrbuf)));
+			/* XXX950 make fatal for 9.5.0 */
+			/* answer = ISC_FALSE; */
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(a);
+	}
+
+ checkaaaa:
+	if (!dns_rdataset_isassociated(aaaa))
+		goto checkmissing;
+	result = dns_rdataset_first(aaaa);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(aaaa, &rdata);
+		match = ISC_FALSE;
+		for (cur = ai; cur != NULL; cur = cur->ai_next) {
+			if (cur->ai_family != AF_INET6)
+				continue;
+			ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
+			if (memcmp(ptr, rdata.data, rdata.length) == 0) {
+				match = ISC_TRUE;
+				break;
+			}
+		}
+		if (!match) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
+				     "extra GLUE AAAA record (%s)",
+				     ownerbuf, namebuf,
+				     inet_ntop(AF_INET6, rdata.data,
+					       addrbuf, sizeof(addrbuf)));
+			/* XXX950 make fatal for 9.5.0. */
+			/* answer = ISC_FALSE; */
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(aaaa);
+	}
+
+ checkmissing:
+	/*
+	 * Check that all addresses appear in the glue.
+	 */
+	for (cur = ai; cur != NULL; cur = cur->ai_next) {
+		switch (cur->ai_family) {
+		case AF_INET:
+			rdataset = a;
+			ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
+			type = "A";
+			break;
+		case AF_INET6:
+			rdataset = aaaa;
+			ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
+			type = "AAAA";
+			break;
+		default:
+			 continue;
+		}
+		match = ISC_FALSE;
+		if (dns_rdataset_isassociated(rdataset))
+			result = dns_rdataset_first(rdataset);
+		else
+			result = ISC_R_FAILURE;
+		while (result == ISC_R_SUCCESS && !match) {
+			dns_rdataset_current(rdataset, &rdata);
+			if (memcmp(ptr, rdata.data, rdata.length) == 0)
+				match = ISC_TRUE;
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(rdataset);
+		}
+		if (!match) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
+				     "missing GLUE %s record (%s)",
+				     ownerbuf, namebuf, type,
+				     inet_ntop(cur->ai_family, ptr,
+					       addrbuf, sizeof(addrbuf)));
+			/* XXX950 make fatal for 9.5.0. */
+			/* answer = ISC_FALSE; */
+		}
+	}
+	freeaddrinfo(ai);
+	return (answer);
+#else
+	return (ISC_TRUE);
+#endif
+}
+
+static isc_boolean_t
+checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
+#ifdef USE_GETADDRINFO
+	struct addrinfo hints, *ai;
+	char namebuf[DNS_NAME_FORMATSIZE + 1];
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	int result;
+	int level = ISC_LOG_ERROR;
+	isc_boolean_t answer = ISC_TRUE;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_flags = AI_CANONNAME;
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_protocol = IPPROTO_TCP;
+
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	/*
+	 * Turn off search.
+	 */
+	if (dns_name_countlabels(name) > 1U)
+		strcat(namebuf, ".");
+	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
+	
+	result = getaddrinfo(namebuf, NULL, &hints, &ai);
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	switch (result) {
+	case 0:
+		if (strcasecmp(ai->ai_canonname, namebuf) != 0) {
+			if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0)
+				level = ISC_LOG_WARNING;
+			if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) {
+				dns_zone_log(zone, ISC_LOG_WARNING,
+					     "%s/MX '%s' (out of zone) "
+					     "is a CNAME (illegal)",
+					     ownerbuf, namebuf);
+				if (level == ISC_LOG_ERROR)
+					answer = ISC_FALSE;
+			}
+		}
+		freeaddrinfo(ai);
+		return (answer);
+
+	case EAI_NONAME:
+#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
+	case EAI_NODATA:
+#endif
+		dns_zone_log(zone, ISC_LOG_ERROR, "%s/MX '%s' (out of zone) "
+			     "has no addresses records (A or AAAA)",
+			     ownerbuf, namebuf);
+		/* XXX950 make fatal for 9.5.0. */
+		return (ISC_TRUE);
+
+	default:
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "getaddrinfo(%s) failed: %s",
+			     namebuf, gai_strerror(result));
+		return (ISC_TRUE);
+	}
+#else
+	return (ISC_TRUE);
+#endif
+}
+
+static isc_boolean_t
+checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
+#ifdef USE_GETADDRINFO
+	struct addrinfo hints, *ai;
+	char namebuf[DNS_NAME_FORMATSIZE + 1];
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	int result;
+	int level = ISC_LOG_ERROR;
+	isc_boolean_t answer = ISC_TRUE;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_flags = AI_CANONNAME;
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_protocol = IPPROTO_TCP;
+
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	/*
+	 * Turn off search.
+	 */
+	if (dns_name_countlabels(name) > 1U)
+		strcat(namebuf, ".");
+	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
+	
+	result = getaddrinfo(namebuf, NULL, &hints, &ai);
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	switch (result) {
+	case 0:
+		if (strcasecmp(ai->ai_canonname, namebuf) != 0) {
+			if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0)
+				level = ISC_LOG_WARNING;
+			if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) {
+				dns_zone_log(zone, level,
+					     "%s/SRV '%s' (out of zone) "
+					     "is a CNAME (illegal)",
+					     ownerbuf, namebuf);
+				if (level == ISC_LOG_ERROR)
+					answer = ISC_FALSE;
+			}
+		}
+		freeaddrinfo(ai);
+		return (answer);
+
+	case EAI_NONAME:
+#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
+	case EAI_NODATA:
+#endif
+		dns_zone_log(zone, ISC_LOG_ERROR, "%s/SRV '%s' (out of zone) "
+			     "has no addresses records (A or AAAA)",
+			     ownerbuf, namebuf);
+		/* XXX950 make fatal for 9.5.0. */
+		return (ISC_TRUE);
+
+	default:
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "getaddrinfo(%s) failed: %s",
+			     namebuf, gai_strerror(result));
+		return (ISC_TRUE);
+	}
+#else
+	return (ISC_TRUE);
+#endif
+}
 
 isc_result_t
 setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
@@ -60,7 +400,11 @@ setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
 	isc_log_t *log = NULL;
 
 	RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
+	isc_log_registercategories(log, categories);
 	isc_log_setcontext(log);
+	dns_log_init(log);
+	dns_log_setcontext(log);
+	cfg_log_init(log);
 
 	destination.file.stream = stdout;
 	destination.file.name = NULL;
@@ -77,9 +421,11 @@ setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
 	return (ISC_R_SUCCESS);
 }
 
+/*% load the zone */
 isc_result_t
 load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
-	  const char *classname, dns_zone_t **zonep)
+	  dns_masterformat_t fileformat, const char *classname,
+	  dns_zone_t **zonep)
 {
 	isc_result_t result;
 	dns_rdataclass_t rdclass;
@@ -104,10 +450,10 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 	dns_fixedname_init(&fixorigin);
 	origin = dns_fixedname_name(&fixorigin);
 	CHECK(dns_name_fromtext(origin, &buffer, dns_rootname,
-			        ISC_FALSE, NULL));
+				ISC_FALSE, NULL));
 	CHECK(dns_zone_setorigin(zone, origin));
 	CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype));
-	CHECK(dns_zone_setfile(zone, filename));
+	CHECK(dns_zone_setfile2(zone, filename, fileformat));
 
 	DE_CONST(classname, region.base);
 	region.length = strlen(classname);
@@ -116,9 +462,15 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 	dns_zone_setclass(zone, rdclass);
 	dns_zone_setoption(zone, zone_options, ISC_TRUE);
 	dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge);
+	if (docheckmx)
+		dns_zone_setcheckmx(zone, checkmx);
+	if (docheckns)
+		dns_zone_setcheckns(zone, checkns);
+	if (dochecksrv)
+		dns_zone_setchecksrv(zone, checksrv);
 
 	CHECK(dns_zone_load(zone));
-	if (zonep != NULL){
+	if (zonep != NULL) {
 		*zonep = zone;
 		zone = NULL;
 	}
@@ -129,8 +481,10 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 	return (result);
 }
 
+/*% dump the zone */
 isc_result_t
-dump_zone(const char *zonename, dns_zone_t *zone, const char *filename)
+dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
+	  dns_masterformat_t fileformat, const dns_master_style_t *style)
 {
 	isc_result_t result;
 	FILE *output = stdout;
@@ -153,7 +507,7 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename)
 		}
 	}
 
-	result = dns_zone_fulldumptostream(zone, output);
+	result = dns_zone_dumptostream2(zone, output, fileformat, style);
 
 	if (filename != NULL)
 		(void)isc_stdio_close(output);
diff --git a/contrib/bind9/bin/check/check-tool.h b/contrib/bind9/bin/check/check-tool.h
index 105cd25..ef9017f 100644
--- a/contrib/bind9/bin/check/check-tool.h
+++ b/contrib/bind9/bin/check/check-tool.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,14 +15,17 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check-tool.h,v 1.2.12.5 2004/03/08 04:04:13 marka Exp $ */
+/* $Id: check-tool.h,v 1.7.18.4 2005/06/20 01:19:25 marka Exp $ */
 
 #ifndef CHECK_TOOL_H
 #define CHECK_TOOL_H
 
-#include <isc/lang.h>
+/*! \file */
 
+#include <isc/lang.h>
 #include <isc/types.h>
+
+#include <dns/masterdump.h>
 #include <dns/types.h>
 
 ISC_LANG_BEGINDECLS
@@ -32,13 +35,18 @@ setup_logging(isc_mem_t *mctx, isc_log_t **logp);
 
 isc_result_t
 load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
-	  const char *classname, dns_zone_t **zonep);
+	  dns_masterformat_t fileformat, const char *classname,
+	  dns_zone_t **zonep);
 
 isc_result_t
-dump_zone(const char *zonename, dns_zone_t *zone, const char *filename);
+dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
+	  dns_masterformat_t fileformat, const dns_master_style_t *style);
 
 extern int debug;
 extern isc_boolean_t nomerge;
+extern isc_boolean_t docheckmx;
+extern isc_boolean_t docheckns;
+extern isc_boolean_t dochecksrv;
 extern unsigned int zone_options;
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/bin/check/named-checkconf.8 b/contrib/bind9/bin/check/named-checkconf.8
index 7d06335..9fb900e 100644
--- a/contrib/bind9/bin/check/named-checkconf.8
+++ b/contrib/bind9/bin/check/named-checkconf.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkconf.8,v 1.11.12.8 2006/06/29 13:02:30 marka Exp $
+.\" $Id: named-checkconf.8,v 1.16.18.11 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: named\-checkconf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: June 14, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -39,27 +39,37 @@ named\-checkconf \- named configuration file syntax checking tool
 \fBnamed\-checkconf\fR
 checks the syntax, but not the semantics, of a named configuration file.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \-t \fIdirectory\fR
+.RS 4
 chroot to
 \fIdirectory\fR
 so that include directives in the configuration file are processed as if run by a similarly chrooted named.
-.TP 3n
+.RE
+.PP
 \-v
+.RS 4
 Print the version of the
 \fBnamed\-checkconf\fR
 program and exit.
-.TP 3n
+.RE
+.PP
 \-z
+.RS 4
 Perform a check load the master zonefiles found in
 \fInamed.conf\fR.
-.TP 3n
+.RE
+.PP
 \-j
+.RS 4
 When loading a zonefile read the journal if it exists.
-.TP 3n
+.RE
+.PP
 filename
+.RS 4
 The name of the configuration file to be checked. If not specified, it defaults to
 \fI/etc/named.conf\fR.
+.RE
 .SH "RETURN VALUES"
 .PP
 \fBnamed\-checkconf\fR
@@ -72,4 +82,7 @@ BIND 9 Administrator Reference Manual.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2002 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/bin/check/named-checkconf.c b/contrib/bind9/bin/check/named-checkconf.c
index f50461d..cc63153 100644
--- a/contrib/bind9/bin/check/named-checkconf.c
+++ b/contrib/bind9/bin/check/named-checkconf.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkconf.c,v 1.12.12.11 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: named-checkconf.c,v 1.28.18.14 2006/02/28 03:10:47 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -39,7 +41,9 @@
 
 #include <dns/fixedname.h>
 #include <dns/log.h>
+#include <dns/name.h>
 #include <dns/result.h>
+#include <dns/zone.h>
 
 #include "check-tool.h"
 
@@ -52,6 +56,7 @@ isc_log_t *logc = NULL;
 			goto cleanup; \
 	} while (0)
 
+/*% usage */
 static void
 usage(void) {
         fprintf(stderr, "usage: named-checkconf [-j] [-v] [-z] [-t directory] "
@@ -59,6 +64,7 @@ usage(void) {
         exit(1);
 }
 
+/*% directory callback */
 static isc_result_t
 directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	isc_result_t result;
@@ -84,19 +90,84 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	return (ISC_R_SUCCESS);
 }
 
+static isc_boolean_t
+get_maps(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
+	int i;
+	for (i = 0;; i++) {
+		if (maps[i] == NULL)
+			return (ISC_FALSE);
+		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
+			return (ISC_TRUE);
+	}
+}
+
+static isc_boolean_t
+get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *checknames;
+	const cfg_obj_t *type;
+	const cfg_obj_t *value;
+	isc_result_t result;
+	int i;
+
+	for (i = 0;; i++) {
+		if (maps[i] == NULL)
+			return (ISC_FALSE);
+		checknames = NULL;
+		result = cfg_map_get(maps[i], "check-names", &checknames);
+		if (result != ISC_R_SUCCESS)
+			continue;
+		if (checknames != NULL && !cfg_obj_islist(checknames)) {
+			*obj = checknames;
+			return (ISC_TRUE);
+		}
+		for (element = cfg_list_first(checknames);
+		     element != NULL;
+		     element = cfg_list_next(element)) {
+			value = cfg_listelt_value(element);
+			type = cfg_tuple_get(value, "type");
+			if (strcasecmp(cfg_obj_asstring(type), "master") != 0)
+				continue;
+			*obj = cfg_tuple_get(value, "mode");
+			return (ISC_TRUE);
+		}
+	}
+}
+
+static isc_result_t
+config_get(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
+	int i;
+
+	for (i = 0;; i++) {
+		if (maps[i] == NULL)
+			return (ISC_R_NOTFOUND);
+		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
+			return (ISC_R_SUCCESS);
+	}
+}
+
+/*% configure the zone */
 static isc_result_t
 configure_zone(const char *vclass, const char *view,
-	       const cfg_obj_t *zconfig, isc_mem_t *mctx)
+	       const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
+	       const cfg_obj_t *config, isc_mem_t *mctx)
 {
+	int i = 0;
 	isc_result_t result;
 	const char *zclass;
 	const char *zname;
 	const char *zfile;
+	const cfg_obj_t *maps[4];
 	const cfg_obj_t *zoptions = NULL;
 	const cfg_obj_t *classobj = NULL;
 	const cfg_obj_t *typeobj = NULL;
 	const cfg_obj_t *fileobj = NULL;
 	const cfg_obj_t *dbobj = NULL;
+	const cfg_obj_t *obj = NULL;
+	const cfg_obj_t *fmtobj = NULL;
+	dns_masterformat_t masterformat;
+
+	zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS;
 
 	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
 	classobj = cfg_tuple_get(zconfig, "class");
@@ -104,7 +175,18 @@ configure_zone(const char *vclass, const char *view,
                 zclass = vclass;
         else
 		zclass = cfg_obj_asstring(classobj);
+
 	zoptions = cfg_tuple_get(zconfig, "options");
+	maps[i++] = zoptions;
+	if (vconfig != NULL)
+		maps[i++] = cfg_tuple_get(vconfig, "options");
+	if (config != NULL) {
+		cfg_map_get(config, "options", &obj);
+		if (obj != NULL)
+			maps[i++] = obj;
+	}
+	maps[i++] = NULL;
+
 	cfg_map_get(zoptions, "type", &typeobj);
 	if (typeobj == NULL)
 		return (ISC_R_FAILURE);
@@ -117,13 +199,116 @@ configure_zone(const char *vclass, const char *view,
 	if (fileobj == NULL)
 		return (ISC_R_FAILURE);
 	zfile = cfg_obj_asstring(fileobj);
-	result = load_zone(mctx, zname, zfile, zclass, NULL);
+
+	obj = NULL;
+	if (get_maps(maps, "check-mx", &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKMX;
+			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKMX;
+			zone_options |= DNS_ZONEOPT_CHECKMXFAIL;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options &= ~DNS_ZONEOPT_CHECKMX;
+			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
+		} else
+			INSIST(0);
+	} else {
+		zone_options |= DNS_ZONEOPT_CHECKMX;
+		zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-integrity", &obj)) {
+		if (cfg_obj_asboolean(obj))
+			zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
+		else
+			zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-mx-cname", &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+			zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
+			zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+			zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
+		} else
+			INSIST(0);
+	} else {
+		zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+		zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-srv-cname", &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+			zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
+			zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+			zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
+		} else
+			INSIST(0);
+	} else {
+		zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+		zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-sibling", &obj)) {
+		if (cfg_obj_asboolean(obj))
+			zone_options |= DNS_ZONEOPT_CHECKSIBLING;
+		else
+			zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
+	}
+
+	obj = NULL;
+	if (get_checknames(maps, &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKNAMES;
+			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKNAMES;
+			zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options &= ~DNS_ZONEOPT_CHECKNAMES;
+			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
+		} else
+			INSIST(0);
+	} else {
+               zone_options |= DNS_ZONEOPT_CHECKNAMES;
+               zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
+	}
+
+	masterformat = dns_masterformat_text;
+	fmtobj = NULL;
+	result = config_get(maps, "masterfile-format", &fmtobj);
+	if (result == ISC_R_SUCCESS) {
+		const char *masterformatstr = cfg_obj_asstring(fmtobj);
+		if (strcasecmp(masterformatstr, "text") == 0)
+			masterformat = dns_masterformat_text;
+		else if (strcasecmp(masterformatstr, "raw") == 0)
+			masterformat = dns_masterformat_raw;
+		else
+			INSIST(0);
+	}
+
+	result = load_zone(mctx, zname, zfile, masterformat, zclass, NULL);
 	if (result != ISC_R_SUCCESS)
 		fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass,
 			dns_result_totext(result));
 	return(result);
 }
 
+/*% configure a view */
 static isc_result_t
 configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
 	       const cfg_obj_t *vconfig, isc_mem_t *mctx)
@@ -149,7 +334,8 @@ configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
 	     element = cfg_list_next(element))
 	{
 		const cfg_obj_t *zconfig = cfg_listelt_value(element);
-		tresult = configure_zone(vclass, view, zconfig, mctx);
+		tresult = configure_zone(vclass, view, zconfig, vconfig,
+					 config, mctx);
 		if (tresult != ISC_R_SUCCESS)
 			result = tresult;
 	}
@@ -157,6 +343,7 @@ configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
 }
 
 
+/*% load zones from the configuration */
 static isc_result_t
 load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) {
 	const cfg_listelt_t *element;
@@ -197,6 +384,7 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) {
 	return (result);
 }
 
+/*% The main processing routine */
 int
 main(int argc, char **argv) {
 	int c;
@@ -240,6 +428,9 @@ main(int argc, char **argv) {
 
 		case 'z':
 			load_zones = ISC_TRUE;
+			docheckmx = ISC_FALSE;
+			docheckns = ISC_FALSE;
+			dochecksrv = ISC_FALSE;
 			break;
 
 		default:
@@ -275,8 +466,6 @@ main(int argc, char **argv) {
 		exit_status = 1;
 
 	if (result == ISC_R_SUCCESS && load_zones) {
-		dns_log_init(logc);
-                dns_log_setcontext(logc);
 		result = load_zones_fromconfig(config, mctx);
 		if (result != ISC_R_SUCCESS)
 			exit_status = 1;
@@ -286,6 +475,8 @@ main(int argc, char **argv) {
 
 	cfg_parser_destroy(&parser);
 
+	dns_name_destroy();
+
 	isc_log_destroy(&logc);
 
 	isc_hash_destroy();
diff --git a/contrib/bind9/bin/check/named-checkconf.docbook b/contrib/bind9/bin/check/named-checkconf.docbook
index c2529f6..afeb8d5 100644
--- a/contrib/bind9/bin/check/named-checkconf.docbook
+++ b/contrib/bind9/bin/check/named-checkconf.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,8 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named-checkconf.docbook,v 1.3.2.1.8.7 2005/05/12 21:35:56 sra Exp $ -->
-
-<refentry>
+<!-- $Id: named-checkconf.docbook,v 1.8.18.7 2007/01/29 23:57:20 marka Exp $ -->
+<refentry id="man.named-checkconf">
   <refentryinfo>
     <date>June 14, 2000</date>
   </refentryinfo>
@@ -35,6 +34,7 @@
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -63,9 +63,9 @@
 
   <refsect1>
     <title>DESCRIPTION</title>
-    <para>
-        <command>named-checkconf</command> checks the syntax, but not
-	the semantics, of a named configuration file.
+    <para><command>named-checkconf</command>
+      checks the syntax, but not the semantics, of a named
+      configuration file.
     </para>
   </refsect1>
 
@@ -75,52 +75,53 @@
     <variablelist>
       <varlistentry>
         <term>-t <replaceable class="parameter">directory</replaceable></term>
-	<listitem>
-	  <para>
-	      chroot to <filename>directory</filename> so that include
-	      directives in the configuration file are processed as if
-	      run by a similarly chrooted named.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            chroot to <filename>directory</filename> so that
+            include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted named.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-v</term>
-	<listitem>
-	  <para>
-	      Print the version of the <command>named-checkconf</command>
-	      program and exit.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Print the version of the <command>named-checkconf</command>
+            program and exit.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-z</term>
-	<listitem>
-	  <para>
-	      Perform a check load the master zonefiles found in
-	      <filename>named.conf</filename>.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Perform a check load the master zonefiles found in
+            <filename>named.conf</filename>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-j</term>
-	<listitem>
-	  <para>
-	      When loading a zonefile read the journal if it exists.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            When loading a zonefile read the journal if it exists.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>filename</term>
-	<listitem>
-	  <para>
-	       The name of the configuration file to be checked.  If not
-	       specified, it defaults to <filename>/etc/named.conf</filename>.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            The name of the configuration file to be checked.  If not
+            specified, it defaults to <filename>/etc/named.conf</filename>.
+          </para>
+        </listitem>
       </varlistentry>
 
     </variablelist>
@@ -129,18 +130,16 @@
 
   <refsect1>
     <title>RETURN VALUES</title>
-    <para>
-        <command>named-checkconf</command> returns an exit status of 1 if
-	errors were detected and 0 otherwise.
+    <para><command>named-checkconf</command>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
     </para>
   </refsect1>
 
   <refsect1>
     <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>named</refentrytitle>
-	<manvolnum>8</manvolnum>
+    <para><citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
     </para>
@@ -148,16 +147,12 @@
 
   <refsect1>
     <title>AUTHOR</title>
-    <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
     </para>
   </refsect1>
 
-</refentry>
-
-<!--
+</refentry><!--
  - Local variables:
  - mode: sgml
  - End:
 -->
-
diff --git a/contrib/bind9/bin/check/named-checkconf.html b/contrib/bind9/bin/check/named-checkconf.html
index 2283c51..f099645 100644
--- a/contrib/bind9/bin/check/named-checkconf.html
+++ b/contrib/bind9/bin/check/named-checkconf.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named-checkconf.html,v 1.5.2.1.4.15 2006/06/29 13:02:30 marka Exp $ -->
+<!-- $Id: named-checkconf.html,v 1.9.18.18 2007/01/30 00:23:44 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-checkconf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="man.named-checkconf"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
@@ -32,60 +32,59 @@
 <div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549430"></a><h2>DESCRIPTION</h2>
-<p>
-        <span><strong class="command">named-checkconf</strong></span> checks the syntax, but not
-	the semantics, of a named configuration file.
+<a name="id2543383"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">named-checkconf</strong></span>
+      checks the syntax, but not the semantics, of a named
+      configuration file.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549443"></a><h2>OPTIONS</h2>
+<a name="id2543395"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
-	      chroot to <code class="filename">directory</code> so that include
-	      directives in the configuration file are processed as if
-	      run by a similarly chrooted named.
-	  </p></dd>
+            chroot to <code class="filename">directory</code> so that
+            include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted named.
+          </p></dd>
 <dt><span class="term">-v</span></dt>
 <dd><p>
-	      Print the version of the <span><strong class="command">named-checkconf</strong></span>
-	      program and exit.
-	  </p></dd>
+            Print the version of the <span><strong class="command">named-checkconf</strong></span>
+            program and exit.
+          </p></dd>
 <dt><span class="term">-z</span></dt>
 <dd><p>
-	      Perform a check load the master zonefiles found in
-	      <code class="filename">named.conf</code>.
-	  </p></dd>
+            Perform a check load the master zonefiles found in
+            <code class="filename">named.conf</code>.
+          </p></dd>
 <dt><span class="term">-j</span></dt>
 <dd><p>
-	      When loading a zonefile read the journal if it exists.
-	  </p></dd>
+            When loading a zonefile read the journal if it exists.
+          </p></dd>
 <dt><span class="term">filename</span></dt>
 <dd><p>
-	       The name of the configuration file to be checked.  If not
-	       specified, it defaults to <code class="filename">/etc/named.conf</code>.
-	  </p></dd>
+            The name of the configuration file to be checked.  If not
+            specified, it defaults to <code class="filename">/etc/named.conf</code>.
+          </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549534"></a><h2>RETURN VALUES</h2>
-<p>
-        <span><strong class="command">named-checkconf</strong></span> returns an exit status of 1 if
-	errors were detected and 0 otherwise.
+<a name="id2543488"></a><h2>RETURN VALUES</h2>
+<p><span><strong class="command">named-checkconf</strong></span>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549547"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+<a name="id2543499"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549639"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
+<a name="id2543521"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div></body>
diff --git a/contrib/bind9/bin/check/named-checkzone.8 b/contrib/bind9/bin/check/named-checkzone.8
index f50085c..ecd389c 100644
--- a/contrib/bind9/bin/check/named-checkzone.8
+++ b/contrib/bind9/bin/check/named-checkzone.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkzone.8,v 1.11.2.1.8.11 2006/10/05 02:50:17 marka Exp $
+.\" $Id: named-checkzone.8,v 1.18.18.20 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: named\-checkzone
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: June 13, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -30,10 +30,12 @@
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-named\-checkzone \- zone file validity checking tool
+named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
 .SH "SYNOPSIS"
 .HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] {zonename} {filename}
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
+.HP 18
+\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkzone\fR
@@ -42,64 +44,211 @@ checks the syntax and integrity of a zone file. It performs the same checks as
 does when loading a zone. This makes
 \fBnamed\-checkzone\fR
 useful for checking zone files before configuring them into a name server.
+.PP
+\fBnamed\-compilezone\fR
+is similar to
+\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
+\fBnamed\fR. When manaully specified otherwise, the check levels must at least be as strict as those specified in the
+\fBnamed\fR
+configuration file.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \-d
+.RS 4
 Enable debugging.
-.TP 3n
+.RE
+.PP
 \-q
+.RS 4
 Quiet mode \- exit code only.
-.TP 3n
+.RE
+.PP
 \-v
+.RS 4
 Print the version of the
 \fBnamed\-checkzone\fR
 program and exit.
-.TP 3n
+.RE
+.PP
 \-j
+.RS 4
 When loading the zone file read the journal if it exists.
-.TP 3n
+.RE
+.PP
 \-c \fIclass\fR
+.RS 4
 Specify the class of the zone. If not specified "IN" is assumed.
-.TP 3n
+.RE
+.PP
+\-i \fImode\fR
+.RS 4
+Perform post load zone integrity checks. Possible modes are
+\fB"full"\fR
+(default),
+\fB"full\-sibling"\fR,
+\fB"local"\fR,
+\fB"local\-sibling"\fR
+and
+\fB"none"\fR.
+.sp
+Mode
+\fB"full"\fR
+checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode
+\fB"local"\fR
+only checks MX records which refer to in\-zone hostnames.
+.sp
+Mode
+\fB"full"\fR
+checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode
+\fB"local"\fR
+only checks SRV records which refer to in\-zone hostnames.
+.sp
+Mode
+\fB"full"\fR
+checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). It also checks that glue addresses records in the zone match those advertised by the child. Mode
+\fB"local"\fR
+only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone.
+.sp
+Mode
+\fB"full\-sibling"\fR
+and
+\fB"local\-sibling"\fR
+disable sibling glue checks but are otherwise the same as
+\fB"full"\fR
+and
+\fB"local"\fR
+respectively.
+.sp
+Mode
+\fB"none"\fR
+disables the checks.
+.RE
+.PP
+\-f \fIformat\fR
+.RS 4
+Specify the format of the zone file. Possible formats are
+\fB"text"\fR
+(default) and
+\fB"raw"\fR.
+.RE
+.PP
+\-F \fIformat\fR
+.RS 4
+Specify the format of the output file specified. Possible formats are
+\fB"text"\fR
+(default) and
+\fB"raw"\fR. For
+\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents.
+.RE
+.PP
 \-k \fImode\fR
+.RS 4
 Perform
 \fB"check\-names"\fR
 checks with the specified failure mode. Possible modes are
+\fB"fail"\fR
+(default for
+\fBnamed\-compilezone\fR),
+\fB"warn"\fR
+(default for
+\fBnamed\-checkzone\fR) and
+\fB"ignore"\fR.
+.RE
+.PP
+\-m \fImode\fR
+.RS 4
+Specify whether MX records should be checked to see if they are addresses. Possible modes are
 \fB"fail"\fR,
 \fB"warn"\fR
 (default) and
 \fB"ignore"\fR.
-.TP 3n
-\-n \fImode\fR
-Specify whether NS records should be checked to see if they are addresses. Possible modes are
+.RE
+.PP
+\-M \fImode\fR
+.RS 4
+Check if a MX record refers to a CNAME. Possible modes are
 \fB"fail"\fR,
 \fB"warn"\fR
 (default) and
 \fB"ignore"\fR.
-.TP 3n
+.RE
+.PP
+\-n \fImode\fR
+.RS 4
+Specify whether NS records should be checked to see if they are addresses. Possible modes are
+\fB"fail"\fR
+(default for
+\fBnamed\-compilezone\fR),
+\fB"warn"\fR
+(default for
+\fBnamed\-checkzone\fR) and
+\fB"ignore"\fR.
+.RE
+.PP
 \-o \fIfilename\fR
+.RS 4
 Write zone output to
-\fIfilename\fR.
-.TP 3n
+\fIfilename\fR. This is mandatory for
+\fBnamed\-compilezone\fR.
+.RE
+.PP
+\-s \fIstyle\fR
+.RS 4
+Specify the style of the dumped zone file. Possible styles are
+\fB"full"\fR
+(default) and
+\fB"relative"\fR. The full format is most suitable for processing automatically by a separate script. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand. For
+\fBnamed\-checkzone\fR
+this does not cause any effects unless it dumps the zone contents. It also does not have any meaning if the output format is not text.
+.RE
+.PP
+\-S \fImode\fR
+.RS 4
+Check if a SRV record refers to a CNAME. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR.
+.RE
+.PP
 \-t \fIdirectory\fR
+.RS 4
 chroot to
 \fIdirectory\fR
 so that include directives in the configuration file are processed as if run by a similarly chrooted named.
-.TP 3n
+.RE
+.PP
 \-w \fIdirectory\fR
+.RS 4
 chdir to
 \fIdirectory\fR
 so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in
 \fInamed.conf\fR.
-.TP 3n
+.RE
+.PP
 \-D
-Dump zone file in canonical format.
-.TP 3n
+.RS 4
+Dump zone file in canonical format. This is always enabled for
+\fBnamed\-compilezone\fR.
+.RE
+.PP
+\-W \fImode\fR
+.RS 4
+Specify whether to check for non\-terminal wildcards. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). Possible modes are
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR.
+.RE
+.PP
 zonename
+.RS 4
 The domain name of the zone being checked.
-.TP 3n
+.RE
+.PP
 filename
+.RS 4
 The name of the zone file.
+.RE
 .SH "RETURN VALUES"
 .PP
 \fBnamed\-checkzone\fR
@@ -113,4 +262,7 @@ BIND 9 Administrator Reference Manual.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2002 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/bin/check/named-checkzone.c b/contrib/bind9/bin/check/named-checkzone.c
index 0eea166..aa94b8c 100644
--- a/contrib/bind9/bin/check/named-checkzone.c
+++ b/contrib/bind9/bin/check/named-checkzone.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkzone.c,v 1.13.2.3.8.11 2004/10/25 01:36:06 marka Exp $ */
+/* $Id: named-checkzone.c,v 1.29.18.16 2006/10/05 05:24:35 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -37,9 +39,12 @@
 #include <dns/db.h>
 #include <dns/fixedname.h>
 #include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/name.h>
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
 #include <dns/result.h>
+#include <dns/types.h>
 #include <dns/zone.h>
 
 #include "check-tool.h"
@@ -51,6 +56,9 @@ dns_zone_t *zone = NULL;
 dns_zonetype_t zonetype = dns_zone_master;
 static int dumpzone = 0;
 static const char *output_filename;
+static char *prog_name = NULL;
+static const dns_master_style_t *outputstyle = NULL;
+static enum { progmode_check, progmode_compile } progmode;
 
 #define ERRRET(result, function) \
 	do { \
@@ -65,9 +73,13 @@ static const char *output_filename;
 static void
 usage(void) {
 	fprintf(stderr,
-		"usage: named-checkzone [-djqvD] [-c class] [-o output] "
+		"usage: %s [-djqvD] [-c class] [-o output] "
+		"[-f inputformat] [-F outputformat] "
 		"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
-		"[-n (ignore|warn|fail)] zonename filename\n");
+		"[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
+		"[-i (full|local|none)] [-M (ignore|warn|fail)] "
+		"[-S (ignore|warn|fail)] [-W (ignore|warn)] "
+		"zonename filename\n", prog_name);
 	exit(1);
 }
 
@@ -75,8 +87,10 @@ static void
 destroy(void) {
 	if (zone != NULL)
 		dns_zone_detach(&zone);
+	dns_name_destroy();
 }
 
+/*% main processing routine */
 int
 main(int argc, char **argv) {
 	int c;
@@ -87,8 +101,45 @@ main(int argc, char **argv) {
 	char classname_in[] = "IN";
 	char *classname = classname_in;
 	const char *workdir = NULL;
+	const char *inputformatstr = NULL;
+	const char *outputformatstr = NULL;
+	dns_masterformat_t inputformat = dns_masterformat_text;
+	dns_masterformat_t outputformat = dns_masterformat_text;
+
+	outputstyle = &dns_master_style_full;
+
+	prog_name = strrchr(argv[0], '/');
+	if (prog_name != NULL)
+		prog_name++;
+	else
+		prog_name = argv[0];
+	/*
+	 * Libtool doesn't preserve the program name prior to final
+	 * installation.  Remove the libtool prefix ("lt-").
+	 */
+	if (strncmp(prog_name, "lt-", 3) == 0)
+		prog_name += 3;
+	if (strcmp(prog_name, "named-checkzone") == 0)
+		progmode = progmode_check;
+	else if (strcmp(prog_name, "named-compilezone") == 0)
+		progmode = progmode_compile;
+	else
+		INSIST(0);
+
+	/* Compilation specific defaults */
+	if (progmode == progmode_compile) {
+		zone_options |= (DNS_ZONEOPT_CHECKNS |
+				 DNS_ZONEOPT_FATALNS |
+				 DNS_ZONEOPT_CHECKNAMES |
+				 DNS_ZONEOPT_CHECKNAMESFAIL |
+				 DNS_ZONEOPT_CHECKWILDCARD);
+	}
+
+#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
 
-	while ((c = isc_commandline_parse(argc, argv, "c:dijk:n:qst:o:vw:D")) != EOF) {
+	while ((c = isc_commandline_parse(argc, argv,
+					  "c:df:i:jk:m:n:qs:t:o:vw:DF:M:S:W:"))
+	       != EOF) {
 		switch (c) {
 		case 'c':
 			classname = isc_commandline_argument;
@@ -98,34 +149,104 @@ main(int argc, char **argv) {
 			debug++;
 			break;
 
+		case 'i':
+			if (ARGCMP("full")) {
+				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY |
+						DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = ISC_TRUE;
+				docheckns = ISC_TRUE;
+				dochecksrv = ISC_TRUE;
+			} else if (ARGCMP("full-sibling")) {
+				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
+				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = ISC_TRUE;
+				docheckns = ISC_TRUE;
+				dochecksrv = ISC_TRUE;
+			} else if (ARGCMP("local")) {
+				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
+				zone_options |= DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = ISC_FALSE;
+				docheckns = ISC_FALSE;
+				dochecksrv = ISC_FALSE;
+			} else if (ARGCMP("local-sibling")) {
+				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
+				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = ISC_FALSE;
+				docheckns = ISC_FALSE;
+				dochecksrv = ISC_FALSE;
+			} else if (ARGCMP("none")) {
+				zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
+				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = ISC_FALSE;
+				docheckns = ISC_FALSE;
+				dochecksrv = ISC_FALSE;
+			} else {
+				fprintf(stderr, "invalid argument to -i: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'f':
+			inputformatstr = isc_commandline_argument;
+			break;
+
+		case 'F':
+			outputformatstr = isc_commandline_argument;
+			break;
+
 		case 'j':
 			nomerge = ISC_FALSE;
 			break;
 
+		case 'k':
+			if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_CHECKNAMES;
+				zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
+			} else if (ARGCMP("fail")) {
+				zone_options |= DNS_ZONEOPT_CHECKNAMES |
+						DNS_ZONEOPT_CHECKNAMESFAIL;
+			} else if (ARGCMP("ignore")) {
+				zone_options &= ~(DNS_ZONEOPT_CHECKNAMES |
+						  DNS_ZONEOPT_CHECKNAMESFAIL);
+			} else {
+				fprintf(stderr, "invalid argument to -k: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
 		case 'n':
-			if (!strcmp(isc_commandline_argument, "ignore"))
+			if (ARGCMP("ignore")) {
 				zone_options &= ~(DNS_ZONEOPT_CHECKNS|
 						  DNS_ZONEOPT_FATALNS);
-			else if (!strcmp(isc_commandline_argument, "warn")) {
+			} else if (ARGCMP("warn")) {
 				zone_options |= DNS_ZONEOPT_CHECKNS;
 				zone_options &= ~DNS_ZONEOPT_FATALNS;
-			} else if (!strcmp(isc_commandline_argument, "fail"))
+			} else if (ARGCMP("fail")) {
 				zone_options |= DNS_ZONEOPT_CHECKNS|
 					        DNS_ZONEOPT_FATALNS;
+			} else {
+				fprintf(stderr, "invalid argument to -n: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
 			break;
 
-		case 'k':
-			if (!strcmp(isc_commandline_argument, "warn")) {
-				zone_options |= DNS_ZONEOPT_CHECKNAMES;
-				zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
-			} else if (!strcmp(isc_commandline_argument,
-					   "fail")) {
-				zone_options |= DNS_ZONEOPT_CHECKNAMES |
-						DNS_ZONEOPT_CHECKNAMESFAIL;
-			} else if (!strcmp(isc_commandline_argument,
-					   "ignore")) {
-				zone_options &= ~(DNS_ZONEOPT_CHECKNAMES |
-						  DNS_ZONEOPT_CHECKNAMESFAIL);
+		case 'm':
+			if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_CHECKMX;
+				zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
+			} else if (ARGCMP("fail")) {
+				zone_options |= DNS_ZONEOPT_CHECKMX |
+						DNS_ZONEOPT_CHECKMXFAIL;
+			} else if (ARGCMP("ignore")) {
+				zone_options &= ~(DNS_ZONEOPT_CHECKMX |
+						  DNS_ZONEOPT_CHECKMXFAIL);
+			} else {
+				fprintf(stderr, "invalid argument to -m: %s\n",
+					isc_commandline_argument);
+				exit(1);
 			}
 			break;
 
@@ -149,6 +270,19 @@ main(int argc, char **argv) {
 			}
 			break;
 
+		case 's':
+			if (ARGCMP("full"))
+				outputstyle = &dns_master_style_full;
+			else if (ARGCMP("relative")) {
+				outputstyle = &dns_master_style_default;
+			} else {
+				fprintf(stderr,
+					"unknown or unsupported style: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
 		case 'o':
 			output_filename = isc_commandline_argument;
 			break;
@@ -165,11 +299,61 @@ main(int argc, char **argv) {
 			dumpzone++;
 			break;
 
+		case 'M':
+			if (ARGCMP("fail")) {
+				zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
+				zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+			} else if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+				zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+			} else if (ARGCMP("ignore")) {
+				zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+				zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
+			} else {
+				fprintf(stderr, "invalid argument to -M: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'S':
+			if (ARGCMP("fail")) {
+				zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
+				zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+			} else if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+				zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+			} else if (ARGCMP("ignore")) {
+				zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+				zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
+			} else {
+				fprintf(stderr, "invalid argument to -S: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'W':
+			if (ARGCMP("warn"))
+				zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
+			else if (ARGCMP("ignore"))
+				zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
+			break;
+
 		default:
 			usage();
 		}
 	}
 
+	if (progmode == progmode_compile) {
+		dumpzone = 1;	/* always dump */
+		if (output_filename == NULL) {
+			fprintf(stderr,
+				"output file required, but not specified\n");
+			usage();
+		}
+	}
+
 	if (workdir != NULL) {
 		result = isc_dir_chdir(workdir);
 		if (result != ISC_R_SUCCESS) {
@@ -179,15 +363,36 @@ main(int argc, char **argv) {
 		}
 	}
 
+	if (inputformatstr != NULL) {
+		if (strcasecmp(inputformatstr, "text") == 0)
+			inputformat = dns_masterformat_text;
+		else if (strcasecmp(inputformatstr, "raw") == 0)
+			inputformat = dns_masterformat_raw;
+		else {
+			fprintf(stderr, "unknown file format: %s\n",
+			    inputformatstr);
+			exit(1);
+		}
+	}
+
+	if (outputformatstr != NULL) {
+		if (strcasecmp(outputformatstr, "text") == 0)
+			outputformat = dns_masterformat_text;
+		else if (strcasecmp(outputformatstr, "raw") == 0)
+			outputformat = dns_masterformat_raw;
+		else {
+			fprintf(stderr, "unknown file format: %s\n",
+				outputformatstr);
+			exit(1);
+		}
+	}
+
 	if (isc_commandline_index + 2 > argc)
 		usage();
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-	if (!quiet) {
+	if (!quiet)
 		RUNTIME_CHECK(setup_logging(mctx, &lctx) == ISC_R_SUCCESS);
-		dns_log_init(lctx);
-		dns_log_setcontext(lctx);
-	}
 	RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
 		      == ISC_R_SUCCESS);
@@ -196,10 +401,18 @@ main(int argc, char **argv) {
 
 	origin = argv[isc_commandline_index++];
 	filename = argv[isc_commandline_index++];
-	result = load_zone(mctx, origin, filename, classname, &zone);
+	result = load_zone(mctx, origin, filename, inputformat, classname,
+			   &zone);
 
 	if (result == ISC_R_SUCCESS && dumpzone) {
-		result = dump_zone(origin, zone, output_filename);
+		if (!quiet && progmode == progmode_compile) {
+			fprintf(stdout, "dump zone to %s...", output_filename);
+			fflush(stdout);
+		}
+		result = dump_zone(origin, zone, output_filename,
+				   outputformat, outputstyle);
+		if (!quiet && progmode == progmode_compile)
+			fprintf(stdout, "done\n");
 	}
 
 	if (!quiet && result == ISC_R_SUCCESS)
diff --git a/contrib/bind9/bin/check/named-checkzone.docbook b/contrib/bind9/bin/check/named-checkzone.docbook
index a24e92b..70e1878 100644
--- a/contrib/bind9/bin/check/named-checkzone.docbook
+++ b/contrib/bind9/bin/check/named-checkzone.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,8 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named-checkzone.docbook,v 1.3.2.2.8.13 2006/09/30 23:58:36 marka Exp $ -->
-
-<refentry>
+<!-- $Id: named-checkzone.docbook,v 1.11.18.17 2007/01/29 23:57:20 marka Exp $ -->
+<refentry id="man.named-checkzone">
   <refentryinfo>
     <date>June 13, 2000</date>
   </refentryinfo>
@@ -36,6 +35,7 @@
       <year>2004</year>
       <year>2005</year>
       <year>2006</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -48,7 +48,8 @@
 
   <refnamediv>
     <refname><application>named-checkzone</application></refname>
-    <refpurpose>zone file validity checking tool</refpurpose>
+    <refname><application>named-compilezone</application></refname>
+    <refpurpose>zone file validity checking or converting tool</refpurpose>
   </refnamediv>
 
   <refsynopsisdiv>
@@ -59,12 +60,43 @@
       <arg><option>-q</option></arg>
       <arg><option>-v</option></arg>
       <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg><option>-f <replaceable class="parameter">format</replaceable></option></arg>
+      <arg><option>-F <replaceable class="parameter">format</replaceable></option></arg>
+      <arg><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
+      <arg><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-D</option></arg>
+      <arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg choice="req">zonename</arg>
+      <arg choice="req">filename</arg>
+    </cmdsynopsis>
+    <cmdsynopsis>
+      <command>named-compilezone</command>
+      <arg><option>-d</option></arg>
+      <arg><option>-j</option></arg>
+      <arg><option>-q</option></arg>
+      <arg><option>-v</option></arg>
+      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg><option>-C <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-f <replaceable class="parameter">format</replaceable></option></arg>
+      <arg><option>-F <replaceable class="parameter">format</replaceable></option></arg>
+      <arg><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
       <arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
       <arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
       <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
       <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
       <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
       <arg><option>-D</option></arg>
+      <arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
       <arg choice="req">zonename</arg>
       <arg choice="req">filename</arg>
     </cmdsynopsis>
@@ -72,13 +104,23 @@
 
   <refsect1>
     <title>DESCRIPTION</title>
-    <para>
-        <command>named-checkzone</command> checks the syntax and integrity of
-	a zone file.  It performs the same checks as <command>named</command>
-	does when loading a zone.  This makes
-	<command>named-checkzone</command> useful for checking zone
-	files before configuring them into a name server.
+    <para><command>named-checkzone</command>
+      checks the syntax and integrity of a zone file.  It performs the
+      same checks as <command>named</command> does when loading a
+      zone.  This makes <command>named-checkzone</command> useful for
+      checking zone files before configuring them into a name server.
     </para>
+    <para>
+        <command>named-compilezone</command> is similar to
+	<command>named-checkzone</command>, but it always dumps the
+        zone contents to a specified file in a specified format.
+	Additionally, it applies stricter check levels by default,
+        since the dump output will be used as an actual zone file
+	loaded by <command>named</command>.
+	When manaully specified otherwise, the check levels must at
+        least be as strict as those specified in the
+	<command>named</command> configuration file.
+     </para>
   </refsect1>
 
   <refsect1>
@@ -87,131 +129,280 @@
     <variablelist>
       <varlistentry>
         <term>-d</term>
-	<listitem>
-	  <para>
-	      Enable debugging.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Enable debugging.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-q</term>
-	<listitem>
-	  <para>
-	      Quiet mode - exit code only.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Quiet mode - exit code only.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-v</term>
-	<listitem>
-	  <para>
-	      Print the version of the <command>named-checkzone</command>
-	      program and exit.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Print the version of the <command>named-checkzone</command>
+            program and exit.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-j</term>
         <listitem>
           <para>
-              When loading the zone file read the journal if it exists.
-          </para>   
+            When loading the zone file read the journal if it exists.
+          </para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-c <replaceable class="parameter">class</replaceable></term>
+        <listitem>
+          <para>
+            Specify the class of the zone.  If not specified "IN" is assumed.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-i <replaceable class="parameter">mode</replaceable></term>
 	<listitem>
 	  <para>
-	      Specify the class of the zone.  If not specified "IN" is assumed.
+	      Perform post load zone integrity checks.  Possible modes are
+	      <command>"full"</command> (default),
+	      <command>"full-sibling"</command>,
+	      <command>"local"</command>,
+	      <command>"local-sibling"</command> and
+	      <command>"none"</command>.
+	  </para>
+	  <para>
+	      Mode <command>"full"</command> checks that MX records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <command>"local"</command> only
+	      checks MX records which refer to in-zone hostnames.
+	  </para>
+	  <para>
+	      Mode <command>"full"</command> checks that SRV records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <command>"local"</command> only
+	      checks SRV records which refer to in-zone hostnames.
+	  </para>
+	  <para>
+	      Mode <command>"full"</command> checks that delegation NS
+	      records refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  It also checks that glue addresses records
+	      in the zone match those advertised by the child.
+	      Mode <command>"local"</command> only checks NS records which
+	      refer to in-zone hostnames or that some required glue exists,
+	      that is when the nameserver is in a child zone.
+	  </para>
+	  <para>
+	      Mode <command>"full-sibling"</command> and
+	      <command>"local-sibling"</command> disable sibling glue
+	      checks but are otherwise the same as <command>"full"</command>
+	      and <command>"local"</command> respectively.
+	  </para>
+	  <para>
+	      Mode <command>"none"</command> disables the checks.
 	  </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-k <replaceable class="parameter">mode</replaceable></term>
+	<term>-f <replaceable class="parameter">format</replaceable></term>
 	<listitem>
 	  <para>
-	      Perform <command>"check-names"</command> checks with the specified failure mode.
-	      Possible modes are <command>"fail"</command>,
-	      <command>"warn"</command> (default) and
-	      <command>"ignore"</command>.
+	    Specify the format of the zone file.
+	    Possible formats are <command>"text"</command> (default)
+	    and <command>"raw"</command>.
 	  </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-n <replaceable class="parameter">mode</replaceable></term>
+	<term>-F <replaceable class="parameter">format</replaceable></term>
 	<listitem>
 	  <para>
-	      Specify whether NS records should be checked to see if they
-	      are addresses.  Possible modes are <command>"fail"</command>,
-	      <command>"warn"</command> (default) and
-	      <command>"ignore"</command>.
+	    Specify the format of the output file specified.
+	    Possible formats are <command>"text"</command> (default)
+	    and <command>"raw"</command>.
+	    For <command>named-checkzone</command>,
+	    this does not cause any effects unless it dumps the zone
+	    contents.
 	  </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-o <replaceable class="parameter">filename</replaceable></term>
+        <term>-k <replaceable class="parameter">mode</replaceable></term>
         <listitem>
           <para>
-	      Write zone output to <filename>filename</filename>.
+            Perform <command>"check-names"</command> checks with the
+	    specified failure mode.
+            Possible modes are <command>"fail"</command>
+	    (default for <command>named-compilezone</command>),
+            <command>"warn"</command>
+	    (default for <command>named-checkzone</command>) and
+            <command>"ignore"</command>.
           </para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-t <replaceable class="parameter">directory</replaceable></term>
+        <term>-m <replaceable class="parameter">mode</replaceable></term>
         <listitem>
           <para>
-              chroot to <filename>directory</filename> so that include
-              directives in the configuration file are processed as if
-              run by a similarly chrooted named.
+            Specify whether MX records should be checked to see if they
+            are addresses.  Possible modes are <command>"fail"</command>,
+            <command>"warn"</command> (default) and
+            <command>"ignore"</command>.
           </para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-w <replaceable class="parameter">directory</replaceable></term>
+	<term>-M <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+	  <para>
+	    Check if a MX record refers to a CNAME.
+            Possible modes are <command>"fail"</command>,
+            <command>"warn"</command> (default) and
+            <command>"ignore"</command>.
+	  </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-n <replaceable class="parameter">mode</replaceable></term>
         <listitem>
           <para>
-              chdir to <filename>directory</filename> so that relative
-	      filenames in master file $INCLUDE directives work.  This
-	      is similar to the directory clause in
-	      <filename>named.conf</filename>.
+            Specify whether NS records should be checked to see if they
+            are addresses.
+	    Possible modes are <command>"fail"</command>
+	    (default for <command>named-compilezone</command>),
+            <command>"warn"</command>
+	    (default for <command>named-checkzone</command>) and
+            <command>"ignore"</command>.
           </para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-D</term>
+        <term>-o <replaceable class="parameter">filename</replaceable></term>
+        <listitem>
+          <para>
+            Write zone output to <filename>filename</filename>.
+	    This is mandatory for <command>named-compilezone</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-s <replaceable class="parameter">style</replaceable></term>
 	<listitem>
 	  <para>
-	      Dump zone file in canonical format.
+	    Specify the style of the dumped zone file.
+	    Possible styles are <command>"full"</command> (default)
+	    and <command>"relative"</command>.
+	    The full format is most suitable for processing
+	    automatically by a separate script.
+	    On the other hand, the relative format is more
+	    human-readable and is thus suitable for editing by hand.
+	    For <command>named-checkzone</command>
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	    It also does not have any meaning if the output format
+	    is not text.
 	  </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>zonename</term>
-	<listitem>
+	<term>-S <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
 	  <para>
-	       The domain name of the zone being checked.
+	    Check if a SRV record refers to a CNAME.
+            Possible modes are <command>"fail"</command>,
+            <command>"warn"</command> (default) and
+            <command>"ignore"</command>.
 	  </para>
-	</listitem>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-t <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para>
+            chroot to <filename>directory</filename> so that
+            include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted named.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-w <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para>
+            chdir to <filename>directory</filename> so that
+            relative
+            filenames in master file $INCLUDE directives work.  This
+            is similar to the directory clause in
+            <filename>named.conf</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-D</term>
+        <listitem>
+          <para>
+            Dump zone file in canonical format.
+	    This is always enabled for <command>named-compilezone</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-W <replaceable class="parameter">mode</replaceable></term>
+        <listitem>
+          <para>
+            Specify whether to check for non-terminal wildcards.
+            Non-terminal wildcards are almost always the result of a
+            failure to understand the wildcard matching algorithm (RFC 1034).
+            Possible modes are <command>"warn"</command> (default)
+            and
+            <command>"ignore"</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>zonename</term>
+        <listitem>
+          <para>
+            The domain name of the zone being checked.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>filename</term>
-	<listitem>
-	  <para>
-	       The name of the zone file.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            The name of the zone file.
+          </para>
+        </listitem>
       </varlistentry>
 
     </variablelist>
@@ -220,18 +411,16 @@
 
   <refsect1>
     <title>RETURN VALUES</title>
-    <para>
-        <command>named-checkzone</command> returns an exit status of 1 if
-	errors were detected and 0 otherwise.
+    <para><command>named-checkzone</command>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
     </para>
   </refsect1>
 
   <refsect1>
     <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>named</refentrytitle>
-	<manvolnum>8</manvolnum>
+    <para><citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>RFC 1035</citetitle>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
@@ -240,16 +429,12 @@
 
   <refsect1>
     <title>AUTHOR</title>
-    <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
     </para>
   </refsect1>
 
-</refentry>
-
-<!--
+</refentry><!--
  - Local variables:
  - mode: sgml
  - End:
 -->
-
diff --git a/contrib/bind9/bin/check/named-checkzone.html b/contrib/bind9/bin/check/named-checkzone.html
index 8f5195a..be2f589 100644
--- a/contrib/bind9/bin/check/named-checkzone.html
+++ b/contrib/bind9/bin/check/named-checkzone.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,121 +14,241 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named-checkzone.html,v 1.5.2.2.4.17 2006/10/05 02:50:17 marka Exp $ -->
+<!-- $Id: named-checkzone.html,v 1.11.18.27 2007/01/30 00:23:44 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-checkzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="man.named-checkzone"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">named-checkzone</span> &#8212; zone file validity checking tool</p>
+<p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> &#8212; zone file validity checking or converting tool</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549490"></a><h2>DESCRIPTION</h2>
-<p>
-        <span><strong class="command">named-checkzone</strong></span> checks the syntax and integrity of
-	a zone file.  It performs the same checks as <span><strong class="command">named</strong></span>
-	does when loading a zone.  This makes
-	<span><strong class="command">named-checkzone</strong></span> useful for checking zone
-	files before configuring them into a name server.
+<a name="id2543665"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">named-checkzone</strong></span>
+      checks the syntax and integrity of a zone file.  It performs the
+      same checks as <span><strong class="command">named</strong></span> does when loading a
+      zone.  This makes <span><strong class="command">named-checkzone</strong></span> useful for
+      checking zone files before configuring them into a name server.
     </p>
+<p>
+        <span><strong class="command">named-compilezone</strong></span> is similar to
+	<span><strong class="command">named-checkzone</strong></span>, but it always dumps the
+        zone contents to a specified file in a specified format.
+	Additionally, it applies stricter check levels by default,
+        since the dump output will be used as an actual zone file
+	loaded by <span><strong class="command">named</strong></span>.
+	When manaully specified otherwise, the check levels must at
+        least be as strict as those specified in the
+	<span><strong class="command">named</strong></span> configuration file.
+     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549510"></a><h2>OPTIONS</h2>
+<a name="id2543700"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-d</span></dt>
 <dd><p>
-	      Enable debugging.
-	  </p></dd>
+            Enable debugging.
+          </p></dd>
 <dt><span class="term">-q</span></dt>
 <dd><p>
-	      Quiet mode - exit code only.
-	  </p></dd>
+            Quiet mode - exit code only.
+          </p></dd>
 <dt><span class="term">-v</span></dt>
 <dd><p>
-	      Print the version of the <span><strong class="command">named-checkzone</strong></span>
-	      program and exit.
-	  </p></dd>
+            Print the version of the <span><strong class="command">named-checkzone</strong></span>
+            program and exit.
+          </p></dd>
 <dt><span class="term">-j</span></dt>
 <dd><p>
-              When loading the zone file read the journal if it exists.
+            When loading the zone file read the journal if it exists.
           </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd><p>
-	      Specify the class of the zone.  If not specified "IN" is assumed.
+            Specify the class of the zone.  If not specified "IN" is assumed.
+          </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+<p>
+	      Perform post load zone integrity checks.  Possible modes are
+	      <span><strong class="command">"full"</strong></span> (default),
+	      <span><strong class="command">"full-sibling"</strong></span>,
+	      <span><strong class="command">"local"</strong></span>,
+	      <span><strong class="command">"local-sibling"</strong></span> and
+	      <span><strong class="command">"none"</strong></span>.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"full"</strong></span> checks that MX records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <span><strong class="command">"local"</strong></span> only
+	      checks MX records which refer to in-zone hostnames.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"full"</strong></span> checks that SRV records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <span><strong class="command">"local"</strong></span> only
+	      checks SRV records which refer to in-zone hostnames.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"full"</strong></span> checks that delegation NS
+	      records refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  It also checks that glue addresses records
+	      in the zone match those advertised by the child.
+	      Mode <span><strong class="command">"local"</strong></span> only checks NS records which
+	      refer to in-zone hostnames or that some required glue exists,
+	      that is when the nameserver is in a child zone.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"full-sibling"</strong></span> and
+	      <span><strong class="command">"local-sibling"</strong></span> disable sibling glue
+	      checks but are otherwise the same as <span><strong class="command">"full"</strong></span>
+	      and <span><strong class="command">"local"</strong></span> respectively.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"none"</strong></span> disables the checks.
+	  </p>
+</dd>
+<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
+<dd><p>
+	    Specify the format of the zone file.
+	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
+	    and <span><strong class="command">"raw"</strong></span>.
+	  </p></dd>
+<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
+<dd><p>
+	    Specify the format of the output file specified.
+	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
+	    and <span><strong class="command">"raw"</strong></span>.
+	    For <span><strong class="command">named-checkzone</strong></span>,
+	    this does not cause any effects unless it dumps the zone
+	    contents.
 	  </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
 <dd><p>
-	      Perform <span><strong class="command">"check-names"</strong></span> checks with the specified failure mode.
-	      Possible modes are <span><strong class="command">"fail"</strong></span>,
-	      <span><strong class="command">"warn"</strong></span> (default) and
-	      <span><strong class="command">"ignore"</strong></span>.
+            Perform <span><strong class="command">"check-names"</strong></span> checks with the
+	    specified failure mode.
+            Possible modes are <span><strong class="command">"fail"</strong></span>
+	    (default for <span><strong class="command">named-compilezone</strong></span>),
+            <span><strong class="command">"warn"</strong></span>
+	    (default for <span><strong class="command">named-checkzone</strong></span>) and
+            <span><strong class="command">"ignore"</strong></span>.
+          </p></dd>
+<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+            Specify whether MX records should be checked to see if they
+            are addresses.  Possible modes are <span><strong class="command">"fail"</strong></span>,
+            <span><strong class="command">"warn"</strong></span> (default) and
+            <span><strong class="command">"ignore"</strong></span>.
+          </p></dd>
+<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+	    Check if a MX record refers to a CNAME.
+            Possible modes are <span><strong class="command">"fail"</strong></span>,
+            <span><strong class="command">"warn"</strong></span> (default) and
+            <span><strong class="command">"ignore"</strong></span>.
 	  </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
 <dd><p>
-	      Specify whether NS records should be checked to see if they
-	      are addresses.  Possible modes are <span><strong class="command">"fail"</strong></span>,
-	      <span><strong class="command">"warn"</strong></span> (default) and
-	      <span><strong class="command">"ignore"</strong></span>.
-	  </p></dd>
+            Specify whether NS records should be checked to see if they
+            are addresses.
+	    Possible modes are <span><strong class="command">"fail"</strong></span>
+	    (default for <span><strong class="command">named-compilezone</strong></span>),
+            <span><strong class="command">"warn"</strong></span>
+	    (default for <span><strong class="command">named-checkzone</strong></span>) and
+            <span><strong class="command">"ignore"</strong></span>.
+          </p></dd>
 <dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
 <dd><p>
-	      Write zone output to <code class="filename">filename</code>.
+            Write zone output to <code class="filename">filename</code>.
+	    This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
           </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
+<dd><p>
+	    Specify the style of the dumped zone file.
+	    Possible styles are <span><strong class="command">"full"</strong></span> (default)
+	    and <span><strong class="command">"relative"</strong></span>.
+	    The full format is most suitable for processing
+	    automatically by a separate script.
+	    On the other hand, the relative format is more
+	    human-readable and is thus suitable for editing by hand.
+	    For <span><strong class="command">named-checkzone</strong></span>
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	    It also does not have any meaning if the output format
+	    is not text.
+	  </p></dd>
+<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+	    Check if a SRV record refers to a CNAME.
+            Possible modes are <span><strong class="command">"fail"</strong></span>,
+            <span><strong class="command">"warn"</strong></span> (default) and
+            <span><strong class="command">"ignore"</strong></span>.
+	  </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
-              chroot to <code class="filename">directory</code> so that include
-              directives in the configuration file are processed as if
-              run by a similarly chrooted named.
+            chroot to <code class="filename">directory</code> so that
+            include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted named.
           </p></dd>
 <dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
-              chdir to <code class="filename">directory</code> so that relative
-	      filenames in master file $INCLUDE directives work.  This
-	      is similar to the directory clause in
-	      <code class="filename">named.conf</code>.
+            chdir to <code class="filename">directory</code> so that
+            relative
+            filenames in master file $INCLUDE directives work.  This
+            is similar to the directory clause in
+            <code class="filename">named.conf</code>.
           </p></dd>
 <dt><span class="term">-D</span></dt>
 <dd><p>
-	      Dump zone file in canonical format.
-	  </p></dd>
+            Dump zone file in canonical format.
+	    This is always enabled for <span><strong class="command">named-compilezone</strong></span>.
+          </p></dd>
+<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+            Specify whether to check for non-terminal wildcards.
+            Non-terminal wildcards are almost always the result of a
+            failure to understand the wildcard matching algorithm (RFC 1034).
+            Possible modes are <span><strong class="command">"warn"</strong></span> (default)
+            and
+            <span><strong class="command">"ignore"</strong></span>.
+          </p></dd>
 <dt><span class="term">zonename</span></dt>
 <dd><p>
-	       The domain name of the zone being checked.
-	  </p></dd>
+            The domain name of the zone being checked.
+          </p></dd>
 <dt><span class="term">filename</span></dt>
 <dd><p>
-	       The name of the zone file.
-	  </p></dd>
+            The name of the zone file.
+          </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549824"></a><h2>RETURN VALUES</h2>
-<p>
-        <span><strong class="command">named-checkzone</strong></span> returns an exit status of 1 if
-	errors were detected and 0 otherwise.
+<a name="id2544299"></a><h2>RETURN VALUES</h2>
+<p><span><strong class="command">named-checkzone</strong></span>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549836"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+<a name="id2544311"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <em class="citetitle">RFC 1035</em>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549863"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
+<a name="id2544336"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div></body>
diff --git a/contrib/bind9/bin/dig/Makefile.in b/contrib/bind9/bin/dig/Makefile.in
index 65c14ce..836b7f2 100644
--- a/contrib/bind9/bin/dig/Makefile.in
+++ b/contrib/bind9/bin/dig/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.25.12.12 2004/08/18 23:25:57 marka Exp $
+# $Id: Makefile.in,v 1.33.18.6 2005/09/09 14:11:04 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -45,7 +45,7 @@ DEPLIBS =	${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
 		${LWRESDEPLIBS}
 
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \
-		${ISCCFGLIBS} @LIBS@
+		${ISCCFGLIBS} @IDNLIBS@ @LIBS@
 
 SUBDIRS =
 
diff --git a/contrib/bind9/bin/dig/dig.1 b/contrib/bind9/bin/dig/dig.1
index 735f31c..240b732 100644
--- a/contrib/bind9/bin/dig/dig.1
+++ b/contrib/bind9/bin/dig/dig.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dig.1,v 1.14.2.4.2.11 2006/06/29 13:02:30 marka Exp $
+.\" $Id: dig.1,v 1.23.18.19 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: dig
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -33,7 +33,7 @@
 dig \- DNS lookup utility
 .SH "SYNOPSIS"
 .HP 4
-\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
+\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
 .HP 4
 \fBdig\fR [\fB\-h\fR]
 .HP 4
@@ -65,21 +65,30 @@ It is possible to set per\-user defaults for
 \fBdig\fR
 via
 \fI${HOME}/.digrc\fR. This file is read and any options in it are applied before the command line arguments.
+.PP
+The IN and CH class names overlap with the IN and CH top level domains names. Either use the
+\fB\-t\fR
+and
+\fB\-c\fR
+options to specify the type and class or use the
+\fB\-q\fR
+the specify the domain name or use "IN." and "CH." when looking up these top level domains.
 .SH "SIMPLE USAGE"
 .PP
 A typical invocation of
 \fBdig\fR
 looks like:
 .sp
-.RS 3n
+.RS 4
 .nf
  dig @server name type 
 .fi
 .RE
 .sp
 where:
-.TP 3n
+.PP
 \fBserver\fR
+.RS 4
 is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
 \fIserver\fR
 argument is a hostname,
@@ -91,11 +100,15 @@ argument is provided,
 consults
 \fI/etc/resolv.conf\fR
 and queries the name servers listed there. The reply from the name server that responds is displayed.
-.TP 3n
+.RE
+.PP
 \fBname\fR
+.RS 4
 is the name of the resource record that is to be looked up.
-.TP 3n
+.RE
+.PP
 \fBtype\fR
+.RS 4
 indicates what type of query is required \(em ANY, A, MX, SIG, etc.
 \fItype\fR
 can be any valid query type. If no
@@ -103,6 +116,7 @@ can be any valid query type. If no
 argument is supplied,
 \fBdig\fR
 will perform a lookup for an A record.
+.RE
 .SH "OPTIONS"
 .PP
 The
@@ -154,6 +168,13 @@ is set to
 ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was
 \fIN\fR.
 .PP
+The
+\fB\-q\fR
+option sets the query name to
+\fIname\fR. This useful do distingish the
+\fIname\fR
+from other arguments.
+.PP
 Reverse lookups \- mapping addresses to names \- are simplified by the
 \fB\-x\fR
 option.
@@ -178,6 +199,8 @@ and their responses using transaction signatures (TSIG), specify a TSIG key file
 option. You can also specify the TSIG key itself on the command line using the
 \fB\-y\fR
 option;
+\fIhmac\fR
+is the type of the TSIG, default HMAC\-MD5,
 \fIname\fR
 is the name of the TSIG key and
 \fIkey\fR
@@ -185,7 +208,7 @@ is the actual key. The key is a base\-64 encoded string, typically generated by
 \fBdnssec\-keygen\fR(8). Caution should be taken when using the
 \fB\-y\fR
 option on multi\-user systems as the key can be visible in the output from
-\fBps\fR(1 )
+\fBps\fR(1)
 or in the shell's history file. When using TSIG authentication with
 \fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate
 \fBkey\fR
@@ -202,19 +225,26 @@ Each query option is identified by a keyword preceded by a plus sign (+). Some k
 no
 to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
 \fB+keyword=value\fR. The query options are:
-.TP 3n
+.PP
 \fB+[no]tcp\fR
+.RS 4
 Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
-.TP 3n
+.RE
+.PP
 \fB+[no]vc\fR
+.RS 4
 Use [do not use] TCP when querying name servers. This alternate syntax to
 \fI+[no]tcp\fR
 is provided for backwards compatibility. The "vc" stands for "virtual circuit".
-.TP 3n
+.RE
+.PP
 \fB+[no]ignore\fR
+.RS 4
 Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
-.TP 3n
+.RE
+.PP
 \fB+domain=somename\fR
+.RS 4
 Set the search list to contain the single domain
 \fIsomename\fR, as if specified in a
 \fBdomain\fR
@@ -222,36 +252,59 @@ directive in
 \fI/etc/resolv.conf\fR, and enable search list processing as if the
 \fI+search\fR
 option were given.
-.TP 3n
+.RE
+.PP
 \fB+[no]search\fR
+.RS 4
 Use [do not use] the search list defined by the searchlist or domain directive in
 \fIresolv.conf\fR
 (if any). The search list is not used by default.
-.TP 3n
+.RE
+.PP
+\fB+[no]showsearch\fR
+.RS 4
+Perform [do not perform] a search showing intermediate results.
+.RE
+.PP
 \fB+[no]defname\fR
+.RS 4
 Deprecated, treated as a synonym for
 \fI+[no]search\fR
-.TP 3n
+.RE
+.PP
 \fB+[no]aaonly\fR
+.RS 4
 Sets the "aa" flag in the query.
-.TP 3n
+.RE
+.PP
 \fB+[no]aaflag\fR
+.RS 4
 A synonym for
 \fI+[no]aaonly\fR.
-.TP 3n
+.RE
+.PP
 \fB+[no]adflag\fR
+.RS 4
 Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.
-.TP 3n
+.RE
+.PP
 \fB+[no]cdflag\fR
+.RS 4
 Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
-.TP 3n
+.RE
+.PP
 \fB+[no]cl\fR
+.RS 4
 Display [do not display] the CLASS when printing the record.
-.TP 3n
+.RE
+.PP
 \fB+[no]ttlid\fR
+.RS 4
 Display [do not display] the TTL when printing the record.
-.TP 3n
+.RE
+.PP
 \fB+[no]recurse\fR
+.RS 4
 Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
 \fBdig\fR
 normally sends recursive queries. Recursion is automatically disabled when the
@@ -259,75 +312,109 @@ normally sends recursive queries. Recursion is automatically disabled when the
 or
 \fI+trace\fR
 query options are used.
-.TP 3n
+.RE
+.PP
 \fB+[no]nssearch\fR
+.RS 4
 When this option is set,
 \fBdig\fR
 attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.
-.TP 3n
+.RE
+.PP
 \fB+[no]trace\fR
+.RS 4
 Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled,
 \fBdig\fR
 makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
-.TP 3n
+.RE
+.PP
 \fB+[no]cmd\fR
+.RS 4
 toggles the printing of the initial comment in the output identifying the version of
 \fBdig\fR
 and the query options that have been applied. This comment is printed by default.
-.TP 3n
+.RE
+.PP
 \fB+[no]short\fR
+.RS 4
 Provide a terse answer. The default is to print the answer in a verbose form.
-.TP 3n
+.RE
+.PP
 \fB+[no]identify\fR
+.RS 4
 Show [or do not show] the IP address and port number that supplied the answer when the
 \fI+short\fR
 option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
-.TP 3n
+.RE
+.PP
 \fB+[no]comments\fR
+.RS 4
 Toggle the display of comment lines in the output. The default is to print comments.
-.TP 3n
+.RE
+.PP
 \fB+[no]stats\fR
+.RS 4
 This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics.
-.TP 3n
+.RE
+.PP
 \fB+[no]qr\fR
+.RS 4
 Print [do not print] the query as it is sent. By default, the query is not printed.
-.TP 3n
+.RE
+.PP
 \fB+[no]question\fR
+.RS 4
 Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
-.TP 3n
+.RE
+.PP
 \fB+[no]answer\fR
+.RS 4
 Display [do not display] the answer section of a reply. The default is to display it.
-.TP 3n
+.RE
+.PP
 \fB+[no]authority\fR
+.RS 4
 Display [do not display] the authority section of a reply. The default is to display it.
-.TP 3n
+.RE
+.PP
 \fB+[no]additional\fR
+.RS 4
 Display [do not display] the additional section of a reply. The default is to display it.
-.TP 3n
+.RE
+.PP
 \fB+[no]all\fR
+.RS 4
 Set or clear all display flags.
-.TP 3n
+.RE
+.PP
 \fB+time=T\fR
+.RS 4
 Sets the timeout for a query to
 \fIT\fR
 seconds. The default time out is 5 seconds. An attempt to set
 \fIT\fR
 to less than 1 will result in a query timeout of 1 second being applied.
-.TP 3n
+.RE
+.PP
 \fB+tries=T\fR
+.RS 4
 Sets the number of times to try UDP queries to server to
 \fIT\fR
 instead of the default, 3. If
 \fIT\fR
 is less than or equal to zero, the number of tries is silently rounded up to 1.
-.TP 3n
+.RE
+.PP
 \fB+retry=T\fR
+.RS 4
 Sets the number of times to retry UDP queries to server to
 \fIT\fR
 instead of the default, 2. Unlike
 \fI+tries\fR, this does not include the initial query.
-.TP 3n
+.RE
+.PP
 \fB+ndots=D\fR
+.RS 4
 Set the number of dots that have to appear in
 \fIname\fR
 to
@@ -339,30 +426,51 @@ or
 \fBdomain\fR
 directive in
 \fI/etc/resolv.conf\fR.
-.TP 3n
+.RE
+.PP
 \fB+bufsize=B\fR
+.RS 4
 Set the UDP message buffer size advertised using EDNS0 to
 \fIB\fR
-bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately.
-.TP 3n
+bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause a EDNS query to be sent.
+.RE
+.PP
+\fB+edns=#\fR
+.RS 4
+Specify the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent.
+\fB+noedns\fR
+clears the remembered EDNS version.
+.RE
+.PP
 \fB+[no]multiline\fR
+.RS 4
 Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
 \fBdig\fR
 output.
-.TP 3n
+.RE
+.PP
 \fB+[no]fail\fR
+.RS 4
 Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour.
-.TP 3n
+.RE
+.PP
 \fB+[no]besteffort\fR
+.RS 4
 Attempt to display the contents of messages which are malformed. The default is to not display malformed answers.
-.TP 3n
+.RE
+.PP
 \fB+[no]dnssec\fR
+.RS 4
 Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
-.TP 3n
+.RE
+.PP
 \fB+[no]sigchase\fR
+.RS 4
 Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE.
-.TP 3n
+.RE
+.PP
 \fB+trusted\-key=####\fR
+.RS 4
 Specifies a file containing trusted keys to be used with
 \fB+sigchase\fR. Each DNSKEY record must be on its own line.
 .sp
@@ -375,9 +483,12 @@ then
 in the current directory.
 .sp
 Requires dig be compiled with \-DDIG_SIGCHASE.
-.TP 3n
+.RE
+.PP
 \fB+[no]topdown\fR
+.RS 4
 When chasing DNSSEC signature chains perform a top down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
+.RE
 .SH "MULTIPLE QUERIES"
 .PP
 The BIND 9 implementation of
@@ -394,7 +505,7 @@ A global set of query options, which should be applied to all queries, can also
 \fB+[no]cmd\fR
 option) can be overridden by a query\-specific set of query options. For example:
 .sp
-.RS 3n
+.RS 4
 .nf
 dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
 .fi
@@ -414,6 +525,17 @@ which means that
 \fBdig\fR
 will not print the initial query when it looks up the NS records for
 isc.org.
+.SH "IDN SUPPORT"
+.PP
+If
+\fBdig\fR
+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
+\fBdig\fR
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
+\fBIDN_DISABLE\fR
+environment variable. The IDN support is disabled if the variable is set when
+\fBdig\fR
+runs.
 .SH "FILES"
 .PP
 \fI/etc/resolv.conf\fR
@@ -425,8 +547,11 @@ isc.org.
 \fBnamed\fR(8),
 \fBdnssec\-keygen\fR(8),
 RFC1035.
-.SH "BUGS "
+.SH "BUGS"
 .PP
 There are probably too many query options.
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2003 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/bin/dig/dig.c b/contrib/bind9/bin/dig/dig.c
index 619e029..dd80199 100644
--- a/contrib/bind9/bin/dig/dig.c
+++ b/contrib/bind9/bin/dig/dig.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.c,v 1.157.2.13.2.31 2006/07/22 23:52:57 marka Exp $ */
+/* $Id: dig.c,v 1.186.18.26 2006/07/21 23:52:21 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 #include <stdlib.h>
@@ -40,6 +42,7 @@
 #include <dns/rdatatype.h>
 #include <dns/rdataclass.h>
 #include <dns/result.h>
+#include <dns/tsig.h>
 
 #include <bind9/getaddresses.h>
 
@@ -67,6 +70,7 @@ static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
 	ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
 	multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE;
 
+/*% opcode text */
 static const char *opcodetext[] = {
 	"QUERY",
 	"IQUERY",
@@ -86,6 +90,7 @@ static const char *opcodetext[] = {
 	"RESERVED15"
 };
 
+/*% return code text */
 static const char *rcodetext[] = {
 	"NOERROR",
 	"FORMERR",
@@ -106,6 +111,7 @@ static const char *rcodetext[] = {
 	"BADVERS"
 };
 
+/*% print usage */
 static void
 print_usage(FILE *fp) {
 	fputs(
@@ -122,11 +128,13 @@ usage(void) {
 	exit(1);
 }
 
+/*% version */
 static void
 version(void) {
 	fputs("DiG " VERSION "\n", stderr);
 }
 
+/*% help */
 static void
 help(void) {
 	print_usage(stdout);
@@ -141,10 +149,11 @@ help(void) {
 "                 -f filename         (batch mode)\n"
 "                 -b address[#port]   (bind to source address/port)\n"
 "                 -p port             (specify port number)\n"
+"                 -q name             (specify query name)\n"
 "                 -t type             (specify query type)\n"
 "                 -c class            (specify query class)\n"
 "                 -k keyfile          (specify tsig key file)\n"
-"                 -y name:key         (specify named base64 tsig key)\n"
+"                 -y [hmac:]name:key  (specify named base64 tsig key)\n"
 "                 -4                  (use IPv4 query transport only)\n"
 "                 -6                  (use IPv6 query transport only)\n"
 "        d-opt    is of the form +keyword[=value], where keyword is:\n"
@@ -156,7 +165,9 @@ help(void) {
 "                 +domain=###         (Set default domainname)\n"
 "                 +bufsize=###        (Set EDNS0 Max UDP packet size)\n"
 "                 +ndots=###          (Set NDOTS value)\n"
+"                 +edns=###           (Set EDNS version)\n"
 "                 +[no]search         (Set whether to use searchlist)\n"
+"                 +[no]showsearch     (Search with intermediate results)\n"
 "                 +[no]defname        (Ditto)\n"
 "                 +[no]recurse        (Recursive mode)\n"
 "                 +[no]ignore         (Don't revert to TCP for TC responses.)"
@@ -198,7 +209,7 @@ help(void) {
 	stdout);
 }
 
-/*
+/*%
  * Callback from dighost.c to print the received message.
  */
 void
@@ -219,10 +230,12 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		time(&tnow);
 		printf(";; WHEN: %s", ctime(&tnow));
 		if (query->lookup->doing_xfr) {
-			printf(";; XFR size: %u records (messages %u)\n",
-			       query->rr_count, query->msg_count);
+			printf(";; XFR size: %u records (messages %u, "
+			       "bytes %" ISC_PRINT_QUADFORMAT "u)\n",
+			       query->rr_count, query->msg_count,
+			       query->byte_count);
 		} else {
-			printf(";; MSG SIZE  rcvd: %d\n", bytes);
+			printf(";; MSG SIZE  rcvd: %u\n", bytes);
 
 		}
 		if (key != NULL) {
@@ -236,8 +249,11 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		puts("");
 	} else if (query->lookup->identify && !short_form) {
 		diff = isc_time_microdiff(&now, &query->time_sent);
-		printf(";; Received %u bytes from %s(%s) in %d ms\n\n",
-		       bytes, fromtext, query->servname,
+		printf(";; Received %" ISC_PRINT_QUADFORMAT "u bytes "
+		       "from %s(%s) in %d ms\n\n",
+		       query->lookup->doing_xfr ?
+				query->byte_count : (isc_uint64_t)bytes,
+		       fromtext, query->servname,
 		       (int)diff/1000);
 	}
 }
@@ -253,7 +269,7 @@ trying(char *frm, dig_lookup_t *lookup) {
 	UNUSED(lookup);
 }
 
-/*
+/*%
  * Internal print routine used to print short form replies.
  */
 static isc_result_t
@@ -283,7 +299,7 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * short_form message print handler.  Calls above say_message()
  */
 static isc_result_t
@@ -475,7 +491,16 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 			       msg->counts[DNS_SECTION_ANSWER],
 			       msg->counts[DNS_SECTION_AUTHORITY],
 			       msg->counts[DNS_SECTION_ADDITIONAL]);
+
+			if (msg != query->lookup->sendmsg &&
+			    (msg->flags & DNS_MESSAGEFLAG_RD) != 0 &&
+			    (msg->flags & DNS_MESSAGEFLAG_RA) == 0)
+				printf(";; WARNING: recursion requested "
+				       "but not available\n");
 		}
+		if (msg != query->lookup->sendmsg && extrabytes != 0U)
+			printf(";; WARNING: Messages has %u extra byte%s at "
+			       "end\n", extrabytes, extrabytes != 0 ? "s" : "");
 	}
 
 repopulate_buffer:
@@ -578,7 +603,7 @@ cleanup:
 	return (result);
 }
 
-/*
+/*%
  * print the greeting message when the program first starts up.
  */
 static void
@@ -625,7 +650,7 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
 	}
 }
 
-/*
+/*%
  * Reorder an argument list so that server names all come at the end.
  * This is a bit of a hack, to allow batch-mode processing to properly
  * handle the server options.
@@ -674,7 +699,7 @@ parse_uint(char *arg, const char *desc, isc_uint32_t max) {
 	return (tmp);
 }
 
-/*
+/*%
  * We're not using isc_commandline_parse() here since the command line
  * syntax of dig is quite a bit different from that which can be described
  * by that routine.
@@ -814,6 +839,8 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			break;
 		case 'n': /* dnssec */	
 			FULLCHECK("dnssec");
+			if (state && lookup->edns == -1)
+				lookup->edns = 0;
 			lookup->dnssec = state;
 			break;
 		case 'o': /* domain */	
@@ -829,6 +856,16 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			goto invalid_option;
 		}
 		break;
+	case 'e':
+		FULLCHECK("edns");
+		if (!state) {
+			lookup->edns = -1;
+			break;
+		}
+		if (value == NULL)
+			goto need_value;
+		lookup->edns = (isc_int16_t) parse_uint(value, "edns", 255);
+		break;
 	case 'f': /* fail */
 		FULLCHECK("fail");
 		lookup->servfail_stops = state;
@@ -928,17 +965,30 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			FULLCHECK("search");
 			usesearch = state;
 			break;
-		case 'h': /* short */
-			FULLCHECK("short");
-			short_form = state;
-			if (state) {
-				printcmd = ISC_FALSE;
-				lookup->section_additional = ISC_FALSE;
-				lookup->section_answer = ISC_TRUE;
-				lookup->section_authority = ISC_FALSE;
-				lookup->section_question = ISC_FALSE;
-				lookup->comments = ISC_FALSE;
-				lookup->stats = ISC_FALSE;
+		case 'h':
+			if (cmd[2] != 'o')
+				goto invalid_option;
+			switch (cmd[3]) {
+			case 'r': /* short */
+				FULLCHECK("short");
+				short_form = state;
+				if (state) {
+					printcmd = ISC_FALSE;
+					lookup->section_additional = ISC_FALSE;
+					lookup->section_answer = ISC_TRUE;
+					lookup->section_authority = ISC_FALSE;
+					lookup->section_question = ISC_FALSE;
+					lookup->comments = ISC_FALSE;
+					lookup->stats = ISC_FALSE;
+				}
+				break;
+			case 'w': /* showsearch */
+				FULLCHECK("showsearch");
+				showsearch = state;
+				usesearch = state;
+				break;
+			default:
+				goto invalid_option;
 			}
 			break;
 #ifdef DIG_SIGCHASE
@@ -1047,16 +1097,16 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 	return;
 }
 
-/*
- * ISC_TRUE returned if value was used
+/*%
+ * #ISC_TRUE returned if value was used
  */
 static const char *single_dash_opts = "46dhimnv";
 static const char *dash_opts = "46bcdfhikmnptvyx";
 static isc_boolean_t
 dash_option(char *option, char *next, dig_lookup_t **lookup,
-	    isc_boolean_t *open_type_class)
+	    isc_boolean_t *open_type_class, isc_boolean_t config_only)
 {
-	char opt, *value, *ptr;
+	char opt, *value, *ptr, *ptr2, *ptr3;
 	isc_result_t result;
 	isc_boolean_t value_from_next;
 	isc_textregion_t tr;
@@ -1189,6 +1239,20 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 	case 'p':
 		port = (in_port_t) parse_uint(value, "port number", MAXPORT);
 		return (value_from_next);
+	case 'q':
+		if (!config_only) {
+			(*lookup) = clone_lookup(default_lookup,
+					         ISC_TRUE);
+			strncpy((*lookup)->textname, value, 
+				sizeof((*lookup)->textname));
+			(*lookup)->textname[sizeof((*lookup)->textname)-1]=0;
+			(*lookup)->trace_root = ISC_TF((*lookup)->trace  ||
+						     (*lookup)->ns_search_only);
+			(*lookup)->new_search = ISC_TRUE;
+			ISC_LIST_APPEND(lookup_list, (*lookup), link);
+			debug("looking up %s", (*lookup)->textname);
+		}
+		return (value_from_next);
 	case 't':
 		*open_type_class = ISC_FALSE;
 		if (strncasecmp(value, "ixfr=", 5) == 0) {
@@ -1232,16 +1296,83 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 				 value);
 		return (value_from_next);
 	case 'y':
-		ptr = next_token(&value,":");
+		ptr = next_token(&value,":");	/* hmac type or name */
 		if (ptr == NULL) {
 			usage();
 		}
+		ptr2 = next_token(&value, ":");	/* name or secret */
+		if (ptr2 == NULL)
+			usage();
+		ptr3 = next_token(&value,":"); /* secret or NULL */
+		if (ptr3 != NULL) {	
+			if (strcasecmp(ptr, "hmac-md5") == 0) {
+				hmacname = DNS_TSIG_HMACMD5_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-md5-", 9) == 0) {
+				hmacname = DNS_TSIG_HMACMD5_NAME;
+				digestbits = parse_uint(&ptr[9],
+							"digest-bits [0..128]",
+							128);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha1") == 0) {
+				hmacname = DNS_TSIG_HMACSHA1_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha1-", 10) == 0) {
+				hmacname = DNS_TSIG_HMACSHA1_NAME;
+				digestbits = parse_uint(&ptr[10],
+							"digest-bits [0..160]",
+							160);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha224") == 0) {
+				hmacname = DNS_TSIG_HMACSHA224_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha224-", 12) == 0) {
+				hmacname = DNS_TSIG_HMACSHA224_NAME;
+				digestbits = parse_uint(&ptr[12],
+							"digest-bits [0..224]",
+							224);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha256") == 0) {
+				hmacname = DNS_TSIG_HMACSHA256_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha256-", 12) == 0) {
+				hmacname = DNS_TSIG_HMACSHA256_NAME;
+				digestbits = parse_uint(&ptr[12],
+							"digest-bits [0..256]",
+							256);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha384") == 0) {
+				hmacname = DNS_TSIG_HMACSHA384_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha384-", 12) == 0) {
+				hmacname = DNS_TSIG_HMACSHA384_NAME;
+				digestbits = parse_uint(&ptr[12],
+							"digest-bits [0..384]",
+							384);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha512") == 0) {
+				hmacname = DNS_TSIG_HMACSHA512_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha512-", 12) == 0) {
+				hmacname = DNS_TSIG_HMACSHA512_NAME;
+				digestbits = parse_uint(&ptr[12],
+							"digest-bits [0..512]",
+							512);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else {
+				fprintf(stderr, ";; Warning, ignoring "
+					"invalid TSIG algorithm %s\n", ptr);
+				return (value_from_next);
+			}
+			ptr = ptr2;
+			ptr2 = ptr3;
+		} else  {
+			hmacname = DNS_TSIG_HMACMD5_NAME;
+			digestbits = 0;
+		}
 		strncpy(keynametext, ptr, sizeof(keynametext));
 		keynametext[sizeof(keynametext)-1]=0;
-		ptr = next_token(&value, "");
-		if (ptr == NULL)
-			usage();
-		strncpy(keysecret, ptr, sizeof(keysecret));
+		strncpy(keysecret, ptr2, sizeof(keysecret));
 		keysecret[sizeof(keysecret)-1]=0;
 		return (value_from_next);
 	case 'x':
@@ -1273,10 +1404,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 	return (ISC_FALSE);
 }
 
-/*
+/*%
  * Because we may be trying to do memory allocation recording, we're going
  * to need to parse the arguments for the -m *before* we start the main
  * argument parsing routine.
+ *
  * I'd prefer not to have to do this, but I am not quite sure how else to
  * fix the problem.  Argument parsing in dig involves memory allocation
  * by its nature, so it can't be done in the main argument parser.
@@ -1421,13 +1553,15 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 		} else if (rv[0][0] == '-') {
 			if (rc <= 1) {
 				if (dash_option(&rv[0][1], NULL,
-						&lookup, &open_type_class)) {
+						&lookup, &open_type_class,
+						config_only)) {
 					rc--;
 					rv++;
 				}
 			} else {
 				if (dash_option(&rv[0][1], rv[1],
-						&lookup, &open_type_class)) {
+						&lookup, &open_type_class,
+						config_only)) {
 					rc--;
 					rv++;
 				}
@@ -1621,6 +1755,7 @@ dighost_shutdown(void) {
 	}
 }
 
+/*% Main processing routine for dig */
 int
 main(int argc, char **argv) {
 	isc_result_t result;
diff --git a/contrib/bind9/bin/dig/dig.docbook b/contrib/bind9/bin/dig/dig.docbook
index 87c98ae..be01a86 100644
--- a/contrib/bind9/bin/dig/dig.docbook
+++ b/contrib/bind9/bin/dig/dig.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,30 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dig.docbook,v 1.4.2.7.4.12 2005/08/30 00:50:29 marka Exp $ -->
+<!-- $Id: dig.docbook,v 1.17.18.17 2007/01/29 23:57:20 marka Exp $ -->
+<refentry id="man.dig">
 
-<refentry>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refmeta>
+    <refentrytitle>dig</refentrytitle>
+    <manvolnum>1</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
-<refmeta>
-<refentrytitle>dig</refentrytitle>
-<manvolnum>1</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refnamediv>
+    <refname>dig</refname>
+    <refpurpose>DNS lookup utility</refpurpose>
+  </refnamediv>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2006</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -47,595 +53,884 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>dig</refname>
-<refpurpose>DNS lookup utility</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-<cmdsynopsis>
-<command>dig</command>
-<arg choice="opt">@server</arg>
-<arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
-<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-<arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
-<arg><option>-k <replaceable class="parameter">filename</replaceable></option></arg>
-<arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
-<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
-<arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
-<arg><option>-y <replaceable class="parameter">name:key</replaceable></option></arg>
-<arg><option>-4</option></arg>
-<arg><option>-6</option></arg>
-<arg choice="opt">name</arg>
-<arg choice="opt">type</arg>
-<arg choice="opt">class</arg>
-<arg choice="opt" rep="repeat">queryopt</arg>
-</cmdsynopsis>
-
-<cmdsynopsis>
-<command>dig</command>
-<arg><option>-h</option></arg>
-</cmdsynopsis>
-
-<cmdsynopsis>
-<command>dig</command>
-<arg choice="opt" rep="repeat">global-queryopt</arg>
-<arg choice="opt" rep="repeat">query</arg>
-</cmdsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<command>dig</command> (domain information groper) is a flexible tool
-for interrogating DNS name servers.  It performs DNS lookups and
-displays the answers that are returned from the name server(s) that
-were queried.  Most DNS administrators use <command>dig</command> to
-troubleshoot DNS problems because of its flexibility, ease of use and
-clarity of output.  Other lookup tools tend to have less functionality
-than <command>dig</command>.
-</para>
-
-<para>
-Although <command>dig</command> is normally used with command-line
-arguments, it also has a batch mode of operation for reading lookup
-requests from a file.  A brief summary of its command-line arguments
-and options is printed when the <option>-h</option> option is given.
-Unlike earlier versions, the BIND9 implementation of
-<command>dig</command> allows multiple lookups to be issued from the
-command line.
-</para>
-
-<para>
-Unless it is told to query a specific name server,
-<command>dig</command> will try each of the servers listed in
-<filename>/etc/resolv.conf</filename>.
-</para>
-
-<para>
-When no command line arguments or options are given, will perform an
-NS query for "." (the root).
-</para>
-
-<para>
-It is possible to set per-user defaults for <command>dig</command> via
-<filename>${HOME}/.digrc</filename>.  This file is read and any options in it
-are applied before the command line arguments.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>SIMPLE USAGE</title>
-
-<para>
-A typical invocation of <command>dig</command> looks like:
-<programlisting> dig @server name type </programlisting> where:
-
-<variablelist>
-
-<varlistentry><term><constant>server</constant></term>
-<listitem><para>
-is the name or IP address of the name server to query.  This can be an IPv4
-address in dotted-decimal notation or an IPv6
-address in colon-delimited notation.  When the supplied
-<parameter>server</parameter> argument is a hostname,
-<command>dig</command> resolves that name before querying that name
-server.  If no <parameter>server</parameter> argument is provided,
-<command>dig</command> consults <filename>/etc/resolv.conf</filename>
-and queries the name servers listed there.  The reply from the name
-server that responds is displayed.
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>name</constant></term>
-<listitem><para>
-is the name of the resource record that is to be looked up.
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>type</constant></term>
-<listitem><para>
-indicates what type of query is required &mdash;
-ANY, A, MX, SIG, etc.
-<parameter>type</parameter> can be any valid query type.  If no
-<parameter>type</parameter> argument is supplied,
-<command>dig</command> will perform a lookup for an A record.
-</para></listitem></varlistentry>
-
-</variablelist>
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>OPTIONS</title>
-
-<para>
-The <option>-b</option> option sets the source IP address of the query
-to <parameter>address</parameter>.  This must be a valid address on
-one of the host's network interfaces or "0.0.0.0" or "::".  An optional port
-may be specified by appending "#&lt;port&gt;"
-</para>
-
-<para>
-The default query class (IN for internet) is overridden by the
-<option>-c</option> option.  <parameter>class</parameter> is any valid
-class, such as HS for Hesiod records or CH for CHAOSNET records.
-</para>
-
-<para>
-The <option>-f</option> option makes <command>dig </command> operate
-in batch mode by reading a list of lookup requests to process from the
-file <parameter>filename</parameter>.  The file contains a number of
-queries, one per line.  Each entry in the file should be organised in
-the same way they would be presented as queries to
-<command>dig</command> using the command-line interface.
-</para>
-
-<para>
-If a non-standard port number is to be queried, the
-<option>-p</option> option is used.  <parameter>port#</parameter> is
-the port number that <command>dig</command> will send its queries
-instead of the standard DNS port number 53.  This option would be used
-to test a name server that has been configured to listen for queries
-on a non-standard port number.
-</para>
-
-<para>
-The <option>-4</option> option forces <command>dig</command> to only
-use IPv4 query transport.  The <option>-6</option> option forces
-<command>dig</command> to only use IPv6 query transport.
-</para>
-
-<para>
-The <option>-t</option> option sets the query type to
-<parameter>type</parameter>.  It can be any valid query type which is
-supported in BIND9.  The default query type "A", unless the
-<option>-x</option> option is supplied to indicate a reverse lookup.
-A zone transfer can be requested by specifying a type of AXFR.  When
-an incremental zone transfer (IXFR) is required,
-<parameter>type</parameter> is set to <literal>ixfr=N</literal>.
-The incremental zone transfer will contain the changes made to the zone
-since the serial number in the zone's SOA record was
-<parameter>N</parameter>.
-</para>
-
-<para>
-Reverse lookups - mapping addresses to names - are simplified by the
-<option>-x</option> option.  <parameter>addr</parameter> is an IPv4
-address in dotted-decimal notation, or a colon-delimited IPv6 address.
-When this option is used, there is no need to provide the
-<parameter>name</parameter>, <parameter>class</parameter> and
-<parameter>type</parameter> arguments.  <command>dig</command>
-automatically performs a lookup for a name like
-<literal>11.12.13.10.in-addr.arpa</literal> and sets the query type and
-class to PTR and IN respectively.  By default, IPv6 addresses are
-looked up using nibble format under the IP6.ARPA domain.
-To use the older RFC1886 method using the IP6.INT domain 
-specify the <option>-i</option> option.  Bit string labels (RFC2874)
-are now experimental and are not attempted.
-</para>
-
-<para>
-To sign the DNS queries sent by <command>dig</command> and their
-responses using transaction signatures (TSIG), specify a TSIG key file
-using the <option>-k</option> option.  You can also specify the TSIG
-key itself on the command line using the <option>-y</option> option;
-<parameter>name</parameter> is the name of the TSIG key and
-<parameter>key</parameter> is the actual key.  The key is a base-64
-encoded string, typically generated by <citerefentry>
-<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-
-Caution should be taken when using the <option>-y</option> option on
-multi-user systems as the key can be visible in the output from
-<citerefentry> <refentrytitle>ps</refentrytitle><manvolnum>1
-</manvolnum> </citerefentry> or in the shell's history file.  When
-using TSIG authentication with <command>dig</command>, the name
-server that is queried needs to know the key and algorithm that is
-being used.  In BIND, this is done by providing appropriate
-<command>key</command> and <command>server</command> statements in
-<filename>named.conf</filename>.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>QUERY OPTIONS</title>
-
-<para>
-<command>dig</command> provides a number of query options which affect
-the way in which lookups are made and the results displayed.  Some of
-these set or reset flag bits in the query header, some determine which
-sections of the answer get printed, and others determine the timeout
-and retry strategies.
-</para>
-
-<para>
-Each query option is identified by a keyword preceded by a plus sign
-(<literal>+</literal>).  Some keywords set or reset an option.  These may be preceded
-by the string <literal>no</literal> to negate the meaning of that keyword.  Other
-keywords assign values to options like the timeout interval.  They
-have the form <option>+keyword=value</option>.
-The query options are:
-
-<variablelist>
-
-<varlistentry><term><option>+[no]tcp</option></term>
-<listitem><para>
-Use [do not use] TCP when querying name servers.  The default
-behaviour is to use UDP unless an AXFR or IXFR query is requested, in
-which case a TCP connection is used.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]vc</option></term>
-<listitem><para>
-Use [do not use] TCP when querying name servers.  This alternate
-syntax to <parameter>+[no]tcp</parameter> is provided for backwards
-compatibility.  The "vc" stands for "virtual circuit".
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]ignore</option></term>
-<listitem><para>
-Ignore truncation in UDP responses instead of retrying with TCP.  By
-default, TCP retries are performed.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+domain=somename</option></term>
-<listitem><para>
-Set the search list to contain the single domain
-<parameter>somename</parameter>, as if specified in a
-<command>domain</command> directive in
-<filename>/etc/resolv.conf</filename>, and enable search list
-processing as if the <parameter>+search</parameter> option were given.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]search</option></term>
-<listitem><para>
-Use [do not use] the search list defined by the searchlist or domain
-directive in <filename>resolv.conf</filename> (if any).
-The search list is not used by default.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]defname</option></term>
-<listitem><para>
-Deprecated, treated as a synonym for <parameter>+[no]search</parameter>
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]aaonly</option></term>
-<listitem><para>
-Sets the "aa" flag in the query.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]aaflag</option></term>
-<listitem><para>
-A synonym for <parameter>+[no]aaonly</parameter>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]adflag</option></term>
-<listitem><para>
-Set [do not set] the AD (authentic data) bit in the query.  The AD bit
-currently has a standard meaning only in responses, not in queries,
-but the ability to set the bit in the query is provided for
-completeness.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]cdflag</option></term>
-<listitem><para>
-Set [do not set] the CD (checking disabled) bit in the query.  This
-requests the server to not perform DNSSEC validation of responses.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]cl</option></term>
-<listitem><para>
-Display [do not display] the CLASS when printing the record.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]ttlid</option></term>
-<listitem><para>
-Display [do not display] the TTL when printing the record.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]recurse</option></term>
-<listitem><para>
-Toggle the setting of the RD (recursion desired) bit in the query.
-This bit is set by default, which means <command>dig</command>
-normally sends recursive queries.  Recursion is automatically disabled
-when the <parameter>+nssearch</parameter> or
-<parameter>+trace</parameter> query options are used.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]nssearch</option></term>
-<listitem><para>
-When this option is set, <command>dig</command> attempts to find the
-authoritative name servers for the zone containing the name being
-looked up and display the SOA record that each name server has for the
-zone.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]trace</option></term>
-<listitem><para>
-Toggle tracing of the delegation path from the root name servers for
-the name being looked up.  Tracing is disabled by default.  When
-tracing is enabled, <command>dig</command> makes iterative queries to
-resolve the name being looked up.  It will follow referrals from the
-root servers, showing the answer from each server that was used to
-resolve the lookup.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]cmd</option></term>
-<listitem><para>
-toggles the printing of the initial comment in the output identifying
-the version of <command>dig</command> and the query options that have
-been applied.  This comment is printed by default.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]short</option></term>
-<listitem><para>
-Provide a terse answer.  The default is to print the answer in a
-verbose form.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]identify</option></term>
-<listitem><para>
-Show [or do not show] the IP address and port number that supplied the
-answer when the <parameter>+short</parameter> option is enabled.  If
-short form answers are requested, the default is not to show the
-source address and port number of the server that provided the answer.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]comments</option></term>
-<listitem><para>
-Toggle the display of comment lines in the output.  The default is to
-print comments.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]stats</option></term>
-<listitem><para>
-This query option toggles the printing of statistics: when the query
-was made, the size of the reply and so on.  The default behaviour is
-to print the query statistics.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]qr</option></term>
-<listitem><para>
-Print [do not print] the query as it is sent.
-By default, the query is not printed.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]question</option></term>
-<listitem><para>
-Print [do not print] the question section of a query when an answer is
-returned.  The default is to print the question section as a comment.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]answer</option></term>
-<listitem><para>
-Display [do not display] the answer section of a reply.  The default
-is to display it.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]authority</option></term>
-<listitem><para>
-Display [do not display] the authority section of a reply.  The
-default is to display it.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]additional</option></term>
-<listitem><para>
-Display [do not display] the additional section of a reply.
-The default is to display it.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]all</option></term>
-<listitem><para>
-Set or clear all display flags.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+time=T</option></term>
-<listitem><para>
-
-Sets the timeout for a query to
-<parameter>T</parameter> seconds.  The default time out is 5 seconds.
-An attempt to set <parameter>T</parameter> to less than 1 will result
-in a query timeout of 1 second being applied.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+tries=T</option></term>
-<listitem><para>
-Sets the number of times to try UDP queries to server to
-<parameter>T</parameter> instead of the default, 3.  If
-<parameter>T</parameter> is less than or equal to zero, the number of
-tries is silently rounded up to 1.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+retry=T</option></term>
-<listitem><para>
-Sets the number of times to retry UDP queries to server to
-<parameter>T</parameter> instead of the default, 2.  Unlike
-<parameter>+tries</parameter>, this does not include the initial
-query.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+ndots=D</option></term>
-<listitem><para>
-Set the number of dots that have to appear in
-<parameter>name</parameter> to <parameter>D</parameter> for it to be
-considered absolute.  The default value is that defined using the
-ndots statement in <filename>/etc/resolv.conf</filename>, or 1 if no
-ndots statement is present.  Names with fewer dots are interpreted as
-relative names and will be searched for in the domains listed in the
-<option>search</option> or <option>domain</option> directive in
-<filename>/etc/resolv.conf</filename>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+bufsize=B</option></term>
-<listitem><para>
-Set the UDP message buffer size advertised using EDNS0 to
-<parameter>B</parameter> bytes.  The maximum and minimum sizes of this
-buffer are 65535 and 0 respectively.  Values outside this range are
-rounded up or down appropriately.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><option>+[no]multiline</option></term>
-<listitem><para>
-Print records like the SOA records in a verbose multi-line
-format with human-readable comments.  The default is to print
-each record on a single line, to facilitate machine parsing 
-of the <command>dig</command> output.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]fail</option></term>
-<listitem><para>
-Do not try the next server if you receive a SERVFAIL.  The default is
-to not try the next server which is the reverse of normal stub resolver
-behaviour.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]besteffort</option></term>
-<listitem><para>
-Attempt to display the contents of messages which are malformed.
-The default is to not display malformed answers.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]dnssec</option></term>
-<listitem><para>
-Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
-in the OPT record in the additional section of the query.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]sigchase</option></term>
-<listitem><para>
-Chase DNSSEC signature chains.  Requires dig be compiled with
--DDIG_SIGCHASE.
-</para></listitem></varlistentry>
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>dig</command>
+      <arg choice="opt">@server</arg>
+      <arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
+      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg><option>-k <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
+      <arg><option>-q <replaceable class="parameter">name</replaceable></option></arg>
+      <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+      <arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
+      <arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>name:key</replaceable></option></arg>
+      <arg><option>-4</option></arg>
+      <arg><option>-6</option></arg>
+      <arg choice="opt">name</arg>
+      <arg choice="opt">type</arg>
+      <arg choice="opt">class</arg>
+      <arg choice="opt" rep="repeat">queryopt</arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>dig</command>
+      <arg><option>-h</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>dig</command>
+      <arg choice="opt" rep="repeat">global-queryopt</arg>
+      <arg choice="opt" rep="repeat">query</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para><command>dig</command>
+      (domain information groper) is a flexible tool
+      for interrogating DNS name servers.  It performs DNS lookups and
+      displays the answers that are returned from the name server(s) that
+      were queried.  Most DNS administrators use <command>dig</command> to
+      troubleshoot DNS problems because of its flexibility, ease of use and
+      clarity of output.  Other lookup tools tend to have less functionality
+      than <command>dig</command>.
+    </para>
+
+    <para>
+      Although <command>dig</command> is normally used with
+      command-line
+      arguments, it also has a batch mode of operation for reading lookup
+      requests from a file.  A brief summary of its command-line arguments
+      and options is printed when the <option>-h</option> option is given.
+      Unlike earlier versions, the BIND9 implementation of
+      <command>dig</command> allows multiple lookups to be issued
+      from the
+      command line.
+    </para>
+
+    <para>
+      Unless it is told to query a specific name server,
+      <command>dig</command> will try each of the servers listed
+      in
+      <filename>/etc/resolv.conf</filename>.
+    </para>
+
+    <para>
+      When no command line arguments or options are given, will perform an
+      NS query for "." (the root).
+    </para>
+
+    <para>
+      It is possible to set per-user defaults for <command>dig</command> via
+      <filename>${HOME}/.digrc</filename>.  This file is read and
+      any options in it
+      are applied before the command line arguments.
+    </para>
+
+    <para>
+      The IN and CH class names overlap with the IN and CH top level
+      domains names.  Either use the <option>-t</option> and
+      <option>-c</option> options to specify the type and class or
+      use the <option>-q</option> the specify the domain name or
+      use "IN." and "CH." when looking up these top level domains.
+    </para>
+
+  </refsect1>
+
+  <refsect1>
+    <title>SIMPLE USAGE</title>
+
+    <para>
+      A typical invocation of <command>dig</command> looks like:
+      <programlisting> dig @server name type </programlisting>
+      where:
+
+      <variablelist>
+
+        <varlistentry>
+          <term><constant>server</constant></term>
+          <listitem>
+            <para>
+              is the name or IP address of the name server to query.  This can
+              be an IPv4
+              address in dotted-decimal notation or an IPv6
+              address in colon-delimited notation.  When the supplied
+              <parameter>server</parameter> argument is a
+              hostname,
+              <command>dig</command> resolves that name before
+              querying that name
+              server.  If no <parameter>server</parameter>
+              argument is provided,
+              <command>dig</command> consults <filename>/etc/resolv.conf</filename>
+              and queries the name servers listed there.  The reply from the
+              name
+              server that responds is displayed.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>name</constant></term>
+          <listitem>
+            <para>
+              is the name of the resource record that is to be looked up.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>type</constant></term>
+          <listitem>
+            <para>
+              indicates what type of query is required &mdash;
+              ANY, A, MX, SIG, etc.
+              <parameter>type</parameter> can be any valid query
+              type.  If no
+              <parameter>type</parameter> argument is supplied,
+              <command>dig</command> will perform a lookup for an
+              A record.
+            </para>
+          </listitem>
+        </varlistentry>
+
+      </variablelist>
+    </para>
+
+  </refsect1>
+
+  <refsect1>
+    <title>OPTIONS</title>
+
+    <para>
+      The <option>-b</option> option sets the source IP address of the query
+      to <parameter>address</parameter>.  This must be a valid
+      address on
+      one of the host's network interfaces or "0.0.0.0" or "::".  An optional
+      port
+      may be specified by appending "#&lt;port&gt;"
+    </para>
+
+    <para>
+      The default query class (IN for internet) is overridden by the
+      <option>-c</option> option.  <parameter>class</parameter> is
+      any valid
+      class, such as HS for Hesiod records or CH for CHAOSNET records.
+    </para>
+
+    <para>
+      The <option>-f</option> option makes <command>dig </command>
+      operate
+      in batch mode by reading a list of lookup requests to process from the
+      file <parameter>filename</parameter>.  The file contains a
+      number of
+      queries, one per line.  Each entry in the file should be organised in
+      the same way they would be presented as queries to
+      <command>dig</command> using the command-line interface.
+    </para>
+
+    <para>
+      If a non-standard port number is to be queried, the
+      <option>-p</option> option is used.  <parameter>port#</parameter> is
+      the port number that <command>dig</command> will send its
+      queries
+      instead of the standard DNS port number 53.  This option would be used
+      to test a name server that has been configured to listen for queries
+      on a non-standard port number.
+    </para>
+
+    <para>
+      The <option>-4</option> option forces <command>dig</command>
+      to only
+      use IPv4 query transport.  The <option>-6</option> option forces
+      <command>dig</command> to only use IPv6 query transport.
+    </para>
+
+    <para>
+      The <option>-t</option> option sets the query type to
+      <parameter>type</parameter>.  It can be any valid query type
+      which is
+      supported in BIND9.  The default query type "A", unless the
+      <option>-x</option> option is supplied to indicate a reverse lookup.
+      A zone transfer can be requested by specifying a type of AXFR.  When
+      an incremental zone transfer (IXFR) is required,
+      <parameter>type</parameter> is set to <literal>ixfr=N</literal>.
+      The incremental zone transfer will contain the changes made to the zone
+      since the serial number in the zone's SOA record was
+      <parameter>N</parameter>.
+    </para>
+
+    <para>
+      The <option>-q</option> option sets the query name to 
+      <parameter>name</parameter>.  This useful do distingish the
+      <parameter>name</parameter> from other arguments.
+    </para>
+
+    <para>
+      Reverse lookups - mapping addresses to names - are simplified by the
+      <option>-x</option> option.  <parameter>addr</parameter> is
+      an IPv4
+      address in dotted-decimal notation, or a colon-delimited IPv6 address.
+      When this option is used, there is no need to provide the
+      <parameter>name</parameter>, <parameter>class</parameter> and
+      <parameter>type</parameter> arguments.  <command>dig</command>
+      automatically performs a lookup for a name like
+      <literal>11.12.13.10.in-addr.arpa</literal> and sets the
+      query type and
+      class to PTR and IN respectively.  By default, IPv6 addresses are
+      looked up using nibble format under the IP6.ARPA domain.
+      To use the older RFC1886 method using the IP6.INT domain
+      specify the <option>-i</option> option.  Bit string labels (RFC2874)
+      are now experimental and are not attempted.
+    </para>
+
+    <para>
+      To sign the DNS queries sent by <command>dig</command> and
+      their
+      responses using transaction signatures (TSIG), specify a TSIG key file
+      using the <option>-k</option> option.  You can also specify the TSIG
+      key itself on the command line using the <option>-y</option> option;
+      <parameter>hmac</parameter> is the type of the TSIG, default HMAC-MD5,
+      <parameter>name</parameter> is the name of the TSIG key and
+      <parameter>key</parameter> is the actual key.  The key is a
+      base-64
+      encoded string, typically generated by
+      <citerefentry>
+        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
+
+      Caution should be taken when using the <option>-y</option> option on
+      multi-user systems as the key can be visible in the output from
+      <citerefentry>
+        <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>
+      or in the shell's history file.  When
+      using TSIG authentication with <command>dig</command>, the name
+      server that is queried needs to know the key and algorithm that is
+      being used.  In BIND, this is done by providing appropriate
+      <command>key</command> and <command>server</command> statements in
+      <filename>named.conf</filename>.
+    </para>
+
+  </refsect1>
+
+  <refsect1>
+    <title>QUERY OPTIONS</title>
+
+    <para><command>dig</command>
+      provides a number of query options which affect
+      the way in which lookups are made and the results displayed.  Some of
+      these set or reset flag bits in the query header, some determine which
+      sections of the answer get printed, and others determine the timeout
+      and retry strategies.
+    </para>
+
+    <para>
+      Each query option is identified by a keyword preceded by a plus sign
+      (<literal>+</literal>).  Some keywords set or reset an
+      option.  These may be preceded
+      by the string <literal>no</literal> to negate the meaning of
+      that keyword.  Other
+      keywords assign values to options like the timeout interval.  They
+      have the form <option>+keyword=value</option>.
+      The query options are:
+
+      <variablelist>
+
+        <varlistentry>
+          <term><option>+[no]tcp</option></term>
+          <listitem>
+            <para>
+              Use [do not use] TCP when querying name servers.  The default
+              behaviour is to use UDP unless an AXFR or IXFR query is
+              requested, in
+              which case a TCP connection is used.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]vc</option></term>
+          <listitem>
+            <para>
+              Use [do not use] TCP when querying name servers.  This alternate
+              syntax to <parameter>+[no]tcp</parameter> is
+              provided for backwards
+              compatibility.  The "vc" stands for "virtual circuit".
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]ignore</option></term>
+          <listitem>
+            <para>
+              Ignore truncation in UDP responses instead of retrying with TCP.
+               By
+              default, TCP retries are performed.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+domain=somename</option></term>
+          <listitem>
+            <para>
+              Set the search list to contain the single domain
+              <parameter>somename</parameter>, as if specified in
+              a
+              <command>domain</command> directive in
+              <filename>/etc/resolv.conf</filename>, and enable
+              search list
+              processing as if the <parameter>+search</parameter>
+              option were given.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]search</option></term>
+          <listitem>
+            <para>
+              Use [do not use] the search list defined by the searchlist or
+              domain
+              directive in <filename>resolv.conf</filename> (if
+              any).
+              The search list is not used by default.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]showsearch</option></term>
+          <listitem>
+            <para>
+              Perform [do not perform] a search showing intermediate
+	      results.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]defname</option></term>
+          <listitem>
+            <para>
+              Deprecated, treated as a synonym for <parameter>+[no]search</parameter>
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]aaonly</option></term>
+          <listitem>
+            <para>
+              Sets the "aa" flag in the query.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]aaflag</option></term>
+          <listitem>
+            <para>
+              A synonym for <parameter>+[no]aaonly</parameter>.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]adflag</option></term>
+          <listitem>
+            <para>
+              Set [do not set] the AD (authentic data) bit in the query.  The
+              AD bit
+              currently has a standard meaning only in responses, not in
+              queries,
+              but the ability to set the bit in the query is provided for
+              completeness.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]cdflag</option></term>
+          <listitem>
+            <para>
+              Set [do not set] the CD (checking disabled) bit in the query.
+              This
+              requests the server to not perform DNSSEC validation of
+              responses.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]cl</option></term>
+          <listitem>
+            <para>
+              Display [do not display] the CLASS when printing the record.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]ttlid</option></term>
+          <listitem>
+            <para>
+              Display [do not display] the TTL when printing the record.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]recurse</option></term>
+          <listitem>
+            <para>
+              Toggle the setting of the RD (recursion desired) bit in the
+              query.
+              This bit is set by default, which means <command>dig</command>
+              normally sends recursive queries.  Recursion is automatically
+              disabled
+              when the <parameter>+nssearch</parameter> or
+              <parameter>+trace</parameter> query options are
+              used.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]nssearch</option></term>
+          <listitem>
+            <para>
+              When this option is set, <command>dig</command>
+              attempts to find the
+              authoritative name servers for the zone containing the name
+              being
+              looked up and display the SOA record that each name server has
+              for the
+              zone.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]trace</option></term>
+          <listitem>
+            <para>
+              Toggle tracing of the delegation path from the root name servers
+              for
+              the name being looked up.  Tracing is disabled by default.  When
+              tracing is enabled, <command>dig</command> makes
+              iterative queries to
+              resolve the name being looked up.  It will follow referrals from
+              the
+              root servers, showing the answer from each server that was used
+              to
+              resolve the lookup.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]cmd</option></term>
+          <listitem>
+            <para>
+              toggles the printing of the initial comment in the output
+              identifying
+              the version of <command>dig</command> and the query
+              options that have
+              been applied.  This comment is printed by default.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]short</option></term>
+          <listitem>
+            <para>
+              Provide a terse answer.  The default is to print the answer in a
+              verbose form.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]identify</option></term>
+          <listitem>
+            <para>
+              Show [or do not show] the IP address and port number that
+              supplied the
+              answer when the <parameter>+short</parameter> option
+              is enabled.  If
+              short form answers are requested, the default is not to show the
+              source address and port number of the server that provided the
+              answer.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]comments</option></term>
+          <listitem>
+            <para>
+              Toggle the display of comment lines in the output.  The default
+              is to
+              print comments.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]stats</option></term>
+          <listitem>
+            <para>
+              This query option toggles the printing of statistics: when the
+              query
+              was made, the size of the reply and so on.  The default
+              behaviour is
+              to print the query statistics.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]qr</option></term>
+          <listitem>
+            <para>
+              Print [do not print] the query as it is sent.
+              By default, the query is not printed.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]question</option></term>
+          <listitem>
+            <para>
+              Print [do not print] the question section of a query when an
+              answer is
+              returned.  The default is to print the question section as a
+              comment.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]answer</option></term>
+          <listitem>
+            <para>
+              Display [do not display] the answer section of a reply.  The
+              default
+              is to display it.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]authority</option></term>
+          <listitem>
+            <para>
+              Display [do not display] the authority section of a reply.  The
+              default is to display it.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]additional</option></term>
+          <listitem>
+            <para>
+              Display [do not display] the additional section of a reply.
+              The default is to display it.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]all</option></term>
+          <listitem>
+            <para>
+              Set or clear all display flags.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+time=T</option></term>
+          <listitem>
+            <para>
+
+              Sets the timeout for a query to
+              <parameter>T</parameter> seconds.  The default time
+              out is 5 seconds.
+              An attempt to set <parameter>T</parameter> to less
+              than 1 will result
+              in a query timeout of 1 second being applied.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+tries=T</option></term>
+          <listitem>
+            <para>
+              Sets the number of times to try UDP queries to server to
+              <parameter>T</parameter> instead of the default, 3.
+              If
+              <parameter>T</parameter> is less than or equal to
+              zero, the number of
+              tries is silently rounded up to 1.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+retry=T</option></term>
+          <listitem>
+            <para>
+              Sets the number of times to retry UDP queries to server to
+              <parameter>T</parameter> instead of the default, 2.
+              Unlike
+              <parameter>+tries</parameter>, this does not include
+              the initial
+              query.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+ndots=D</option></term>
+          <listitem>
+            <para>
+              Set the number of dots that have to appear in
+              <parameter>name</parameter> to <parameter>D</parameter> for it to be
+              considered absolute.  The default value is that defined using
+              the
+              ndots statement in <filename>/etc/resolv.conf</filename>, or 1 if no
+              ndots statement is present.  Names with fewer dots are
+              interpreted as
+              relative names and will be searched for in the domains listed in
+              the
+              <option>search</option> or <option>domain</option> directive in
+              <filename>/etc/resolv.conf</filename>.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+bufsize=B</option></term>
+          <listitem>
+            <para>
+              Set the UDP message buffer size advertised using EDNS0 to
+              <parameter>B</parameter> bytes.  The maximum and minimum sizes
+	      of this buffer are 65535 and 0 respectively.  Values outside
+	      this range are rounded up or down appropriately.  
+	      Values other than zero will cause a EDNS query to be sent.
+            </para>
+          </listitem>
+        </varlistentry>
 
 	<varlistentry>
-	  <term><option>+trusted-key=####</option></term>
+	  <term><option>+edns=#</option></term>
 	  <listitem>
 	    <para>
-	      Specifies a file containing trusted keys to be used with
+	       Specify the EDNS version to query with.  Valid values
+	       are 0 to 255.  Setting the EDNS version will cause a
+	       EDNS query to be sent.  <option>+noedns</option> clears the
+	       remembered EDNS version.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]multiline</option></term>
+          <listitem>
+            <para>
+              Print records like the SOA records in a verbose multi-line
+              format with human-readable comments.  The default is to print
+              each record on a single line, to facilitate machine parsing
+              of the <command>dig</command> output.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]fail</option></term>
+          <listitem>
+            <para>
+              Do not try the next server if you receive a SERVFAIL.  The
+              default is
+              to not try the next server which is the reverse of normal stub
+              resolver
+              behaviour.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]besteffort</option></term>
+          <listitem>
+            <para>
+              Attempt to display the contents of messages which are malformed.
+              The default is to not display malformed answers.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]dnssec</option></term>
+          <listitem>
+            <para>
+              Requests DNSSEC records be sent by setting the DNSSEC OK bit
+              (DO)
+              in the OPT record in the additional section of the query.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]sigchase</option></term>
+          <listitem>
+            <para>
+              Chase DNSSEC signature chains.  Requires dig be compiled with
+              -DDIG_SIGCHASE.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+trusted-key=####</option></term>
+          <listitem>
+            <para>
+              Specifies a file containing trusted keys to be used with
 	      <option>+sigchase</option>.  Each DNSKEY record must be
 	      on its own line.
-	    </para>
+            </para>
 	    <para>
 	      If not specified <command>dig</command> will look for
 	      <filename>/etc/trusted-key.key</filename> then
 	      <filename>trusted-key.key</filename> in the current directory.
 	    </para>
 	    <para>
-	      Requires dig be compiled with -DDIG_SIGCHASE.
+              Requires dig be compiled with -DDIG_SIGCHASE.
 	    </para>
-	  </listitem>
-	</varlistentry>
-
-<varlistentry><term><option>+[no]topdown</option></term>
-<listitem><para>
-When chasing DNSSEC signature chains perform a top down validation.
-Requires dig be compiled with -DDIG_SIGCHASE.
-</para></listitem></varlistentry>
-
-
-
-</variablelist>
-
-</para>
-</refsect1>
-
-<refsect1>
-<title>MULTIPLE QUERIES</title>
-
-<para>
-The BIND 9 implementation of <command>dig </command> supports
-specifying multiple queries on the command line (in addition to
-supporting the <option>-f</option> batch file option).  Each of those
-queries can be supplied with its own set of flags, options and query
-options.
-</para>
-
-<para>
-In this case, each <parameter>query</parameter> argument represent an
-individual query in the command-line syntax described above.  Each
-consists of any of the standard options and flags, the name to be
-looked up, an optional query type and class and any query options that
-should be applied to that query.
-</para>
-
-<para>
-A global set of query options, which should be applied to all queries,
-can also be supplied.  These global query options must precede the
-first tuple of name, class, type, options, flags, and query options
-supplied on the command line.  Any global query options (except
-the <option>+[no]cmd</option> option) can be
-overridden by a query-specific set of query options.  For example:
-<programlisting>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><option>+[no]topdown</option></term>
+          <listitem>
+            <para>
+              When chasing DNSSEC signature chains perform a top down
+              validation.
+              Requires dig be compiled with -DDIG_SIGCHASE.
+            </para>
+          </listitem>
+        </varlistentry>
+
+
+
+      </variablelist>
+
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>MULTIPLE QUERIES</title>
+
+    <para>
+      The BIND 9 implementation of <command>dig </command>
+      supports
+      specifying multiple queries on the command line (in addition to
+      supporting the <option>-f</option> batch file option).  Each of those
+      queries can be supplied with its own set of flags, options and query
+      options.
+    </para>
+
+    <para>
+      In this case, each <parameter>query</parameter> argument
+      represent an
+      individual query in the command-line syntax described above.  Each
+      consists of any of the standard options and flags, the name to be
+      looked up, an optional query type and class and any query options that
+      should be applied to that query.
+    </para>
+
+    <para>
+      A global set of query options, which should be applied to all queries,
+      can also be supplied.  These global query options must precede the
+      first tuple of name, class, type, options, flags, and query options
+      supplied on the command line.  Any global query options (except
+      the <option>+[no]cmd</option> option) can be
+      overridden by a query-specific set of query options.  For example:
+      <programlisting>
 dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 </programlisting>
-shows how <command>dig</command> could be used from the command line
-to make three lookups: an ANY query for <literal>www.isc.org</literal>, a
-reverse lookup of 127.0.0.1 and a query for the NS records of
-<literal>isc.org</literal>.
-
-A global query option of <parameter>+qr</parameter> is applied, so
-that <command>dig</command> shows the initial query it made for each
-lookup.  The final query has a local query option of
-<parameter>+noqr</parameter> which means that <command>dig</command>
-will not print the initial query when it looks up the NS records for
-<literal>isc.org</literal>.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/resolv.conf</filename>
-</para>
-<para>
-<filename>${HOME}/.digrc</filename>
-</para>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-<citetitle>RFC1035</citetitle>.
-</para>
-</refsect1>
-
-<refsect1>
-<title>BUGS </title>
-<para>
-There are probably too many query options. 
-</para>
-</refsect1>
-</refentry>
+      shows how <command>dig</command> could be used from the
+      command line
+      to make three lookups: an ANY query for <literal>www.isc.org</literal>, a
+      reverse lookup of 127.0.0.1 and a query for the NS records of
+      <literal>isc.org</literal>.
+
+      A global query option of <parameter>+qr</parameter> is
+      applied, so
+      that <command>dig</command> shows the initial query it made
+      for each
+      lookup.  The final query has a local query option of
+      <parameter>+noqr</parameter> which means that <command>dig</command>
+      will not print the initial query when it looks up the NS records for
+      <literal>isc.org</literal>.
+    </para>
+
+  </refsect1>
+
+  <refsect1>
+    <title>IDN SUPPORT</title>
+    <para>
+      If <command>dig</command> has been built with IDN (internationalized
+      domain name) support, it can accept and display non-ASCII domain names.
+      <command>dig</command> appropriately converts character encoding of
+      domain name before sending a request to DNS server or displaying a
+      reply from the server.
+      If you'd like to turn off the IDN support for some reason, defines
+      the <envar>IDN_DISABLE</envar> environment variable.
+      The IDN support is disabled if the variable is set when 
+      <command>dig</command> runs.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+    <para><filename>/etc/resolv.conf</filename>
+    </para>
+    <para><filename>${HOME}/.digrc</filename>
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>RFC1035</citetitle>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>BUGS</title>
+    <para>
+      There are probably too many query options.
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/dig/dig.html b/contrib/bind9/bin/dig/dig.html
index 06771b3..945a896 100644
--- a/contrib/bind9/bin/dig/dig.html
+++ b/contrib/bind9/bin/dig/dig.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,501 +14,616 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dig.html,v 1.6.2.4.2.15 2006/06/29 13:02:30 marka Exp $ -->
+<!-- $Id: dig.html,v 1.13.18.25 2007/01/30 00:23:44 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dig</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="man.dig"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>dig &#8212; DNS lookup utility</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dig</code>  [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dig</code>  [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div>
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [<code class="option">-h</code>]</p></div>
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549541"></a><h2>DESCRIPTION</h2>
+<a name="id2543508"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dig</strong></span>
+      (domain information groper) is a flexible tool
+      for interrogating DNS name servers.  It performs DNS lookups and
+      displays the answers that are returned from the name server(s) that
+      were queried.  Most DNS administrators use <span><strong class="command">dig</strong></span> to
+      troubleshoot DNS problems because of its flexibility, ease of use and
+      clarity of output.  Other lookup tools tend to have less functionality
+      than <span><strong class="command">dig</strong></span>.
+    </p>
 <p>
-<span><strong class="command">dig</strong></span> (domain information groper) is a flexible tool
-for interrogating DNS name servers.  It performs DNS lookups and
-displays the answers that are returned from the name server(s) that
-were queried.  Most DNS administrators use <span><strong class="command">dig</strong></span> to
-troubleshoot DNS problems because of its flexibility, ease of use and
-clarity of output.  Other lookup tools tend to have less functionality
-than <span><strong class="command">dig</strong></span>.
-</p>
+      Although <span><strong class="command">dig</strong></span> is normally used with
+      command-line
+      arguments, it also has a batch mode of operation for reading lookup
+      requests from a file.  A brief summary of its command-line arguments
+      and options is printed when the <code class="option">-h</code> option is given.
+      Unlike earlier versions, the BIND9 implementation of
+      <span><strong class="command">dig</strong></span> allows multiple lookups to be issued
+      from the
+      command line.
+    </p>
 <p>
-Although <span><strong class="command">dig</strong></span> is normally used with command-line
-arguments, it also has a batch mode of operation for reading lookup
-requests from a file.  A brief summary of its command-line arguments
-and options is printed when the <code class="option">-h</code> option is given.
-Unlike earlier versions, the BIND9 implementation of
-<span><strong class="command">dig</strong></span> allows multiple lookups to be issued from the
-command line.
-</p>
+      Unless it is told to query a specific name server,
+      <span><strong class="command">dig</strong></span> will try each of the servers listed
+      in
+      <code class="filename">/etc/resolv.conf</code>.
+    </p>
 <p>
-Unless it is told to query a specific name server,
-<span><strong class="command">dig</strong></span> will try each of the servers listed in
-<code class="filename">/etc/resolv.conf</code>.
-</p>
+      When no command line arguments or options are given, will perform an
+      NS query for "." (the root).
+    </p>
 <p>
-When no command line arguments or options are given, will perform an
-NS query for "." (the root).
-</p>
+      It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via
+      <code class="filename">${HOME}/.digrc</code>.  This file is read and
+      any options in it
+      are applied before the command line arguments.
+    </p>
 <p>
-It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via
-<code class="filename">${HOME}/.digrc</code>.  This file is read and any options in it
-are applied before the command line arguments.
-</p>
+      The IN and CH class names overlap with the IN and CH top level
+      domains names.  Either use the <code class="option">-t</code> and
+      <code class="option">-c</code> options to specify the type and class or
+      use the <code class="option">-q</code> the specify the domain name or
+      use "IN." and "CH." when looking up these top level domains.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549600"></a><h2>SIMPLE USAGE</h2>
+<a name="id2543577"></a><h2>SIMPLE USAGE</h2>
 <p>
-A typical invocation of <span><strong class="command">dig</strong></span> looks like:
-</p>
+      A typical invocation of <span><strong class="command">dig</strong></span> looks like:
+      </p>
 <pre class="programlisting"> dig @server name type </pre>
-<p> where:
+<p>
+      where:
 
-</p>
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">server</code></span></dt>
 <dd><p>
-is the name or IP address of the name server to query.  This can be an IPv4
-address in dotted-decimal notation or an IPv6
-address in colon-delimited notation.  When the supplied
-<em class="parameter"><code>server</code></em> argument is a hostname,
-<span><strong class="command">dig</strong></span> resolves that name before querying that name
-server.  If no <em class="parameter"><code>server</code></em> argument is provided,
-<span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code>
-and queries the name servers listed there.  The reply from the name
-server that responds is displayed.
-</p></dd>
+              is the name or IP address of the name server to query.  This can
+              be an IPv4
+              address in dotted-decimal notation or an IPv6
+              address in colon-delimited notation.  When the supplied
+              <em class="parameter"><code>server</code></em> argument is a
+              hostname,
+              <span><strong class="command">dig</strong></span> resolves that name before
+              querying that name
+              server.  If no <em class="parameter"><code>server</code></em>
+              argument is provided,
+              <span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code>
+              and queries the name servers listed there.  The reply from the
+              name
+              server that responds is displayed.
+            </p></dd>
 <dt><span class="term"><code class="constant">name</code></span></dt>
 <dd><p>
-is the name of the resource record that is to be looked up.
-</p></dd>
+              is the name of the resource record that is to be looked up.
+            </p></dd>
 <dt><span class="term"><code class="constant">type</code></span></dt>
 <dd><p>
-indicates what type of query is required &#8212;
-ANY, A, MX, SIG, etc.
-<em class="parameter"><code>type</code></em> can be any valid query type.  If no
-<em class="parameter"><code>type</code></em> argument is supplied,
-<span><strong class="command">dig</strong></span> will perform a lookup for an A record.
-</p></dd>
+              indicates what type of query is required &#8212;
+              ANY, A, MX, SIG, etc.
+              <em class="parameter"><code>type</code></em> can be any valid query
+              type.  If no
+              <em class="parameter"><code>type</code></em> argument is supplied,
+              <span><strong class="command">dig</strong></span> will perform a lookup for an
+              A record.
+            </p></dd>
 </dl></div>
 <p>
-</p>
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549747"></a><h2>OPTIONS</h2>
+<a name="id2543668"></a><h2>OPTIONS</h2>
+<p>
+      The <code class="option">-b</code> option sets the source IP address of the query
+      to <em class="parameter"><code>address</code></em>.  This must be a valid
+      address on
+      one of the host's network interfaces or "0.0.0.0" or "::".  An optional
+      port
+      may be specified by appending "#&lt;port&gt;"
+    </p>
 <p>
-The <code class="option">-b</code> option sets the source IP address of the query
-to <em class="parameter"><code>address</code></em>.  This must be a valid address on
-one of the host's network interfaces or "0.0.0.0" or "::".  An optional port
-may be specified by appending "#&lt;port&gt;"
-</p>
+      The default query class (IN for internet) is overridden by the
+      <code class="option">-c</code> option.  <em class="parameter"><code>class</code></em> is
+      any valid
+      class, such as HS for Hesiod records or CH for CHAOSNET records.
+    </p>
 <p>
-The default query class (IN for internet) is overridden by the
-<code class="option">-c</code> option.  <em class="parameter"><code>class</code></em> is any valid
-class, such as HS for Hesiod records or CH for CHAOSNET records.
-</p>
+      The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span>
+      operate
+      in batch mode by reading a list of lookup requests to process from the
+      file <em class="parameter"><code>filename</code></em>.  The file contains a
+      number of
+      queries, one per line.  Each entry in the file should be organised in
+      the same way they would be presented as queries to
+      <span><strong class="command">dig</strong></span> using the command-line interface.
+    </p>
 <p>
-The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span> operate
-in batch mode by reading a list of lookup requests to process from the
-file <em class="parameter"><code>filename</code></em>.  The file contains a number of
-queries, one per line.  Each entry in the file should be organised in
-the same way they would be presented as queries to
-<span><strong class="command">dig</strong></span> using the command-line interface.
-</p>
+      If a non-standard port number is to be queried, the
+      <code class="option">-p</code> option is used.  <em class="parameter"><code>port#</code></em> is
+      the port number that <span><strong class="command">dig</strong></span> will send its
+      queries
+      instead of the standard DNS port number 53.  This option would be used
+      to test a name server that has been configured to listen for queries
+      on a non-standard port number.
+    </p>
 <p>
-If a non-standard port number is to be queried, the
-<code class="option">-p</code> option is used.  <em class="parameter"><code>port#</code></em> is
-the port number that <span><strong class="command">dig</strong></span> will send its queries
-instead of the standard DNS port number 53.  This option would be used
-to test a name server that has been configured to listen for queries
-on a non-standard port number.
-</p>
+      The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span>
+      to only
+      use IPv4 query transport.  The <code class="option">-6</code> option forces
+      <span><strong class="command">dig</strong></span> to only use IPv6 query transport.
+    </p>
 <p>
-The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span> to only
-use IPv4 query transport.  The <code class="option">-6</code> option forces
-<span><strong class="command">dig</strong></span> to only use IPv6 query transport.
-</p>
+      The <code class="option">-t</code> option sets the query type to
+      <em class="parameter"><code>type</code></em>.  It can be any valid query type
+      which is
+      supported in BIND9.  The default query type "A", unless the
+      <code class="option">-x</code> option is supplied to indicate a reverse lookup.
+      A zone transfer can be requested by specifying a type of AXFR.  When
+      an incremental zone transfer (IXFR) is required,
+      <em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>.
+      The incremental zone transfer will contain the changes made to the zone
+      since the serial number in the zone's SOA record was
+      <em class="parameter"><code>N</code></em>.
+    </p>
 <p>
-The <code class="option">-t</code> option sets the query type to
-<em class="parameter"><code>type</code></em>.  It can be any valid query type which is
-supported in BIND9.  The default query type "A", unless the
-<code class="option">-x</code> option is supplied to indicate a reverse lookup.
-A zone transfer can be requested by specifying a type of AXFR.  When
-an incremental zone transfer (IXFR) is required,
-<em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>.
-The incremental zone transfer will contain the changes made to the zone
-since the serial number in the zone's SOA record was
-<em class="parameter"><code>N</code></em>.
-</p>
+      The <code class="option">-q</code> option sets the query name to 
+      <em class="parameter"><code>name</code></em>.  This useful do distingish the
+      <em class="parameter"><code>name</code></em> from other arguments.
+    </p>
 <p>
-Reverse lookups - mapping addresses to names - are simplified by the
-<code class="option">-x</code> option.  <em class="parameter"><code>addr</code></em> is an IPv4
-address in dotted-decimal notation, or a colon-delimited IPv6 address.
-When this option is used, there is no need to provide the
-<em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and
-<em class="parameter"><code>type</code></em> arguments.  <span><strong class="command">dig</strong></span>
-automatically performs a lookup for a name like
-<code class="literal">11.12.13.10.in-addr.arpa</code> and sets the query type and
-class to PTR and IN respectively.  By default, IPv6 addresses are
-looked up using nibble format under the IP6.ARPA domain.
-To use the older RFC1886 method using the IP6.INT domain 
-specify the <code class="option">-i</code> option.  Bit string labels (RFC2874)
-are now experimental and are not attempted.
-</p>
+      Reverse lookups - mapping addresses to names - are simplified by the
+      <code class="option">-x</code> option.  <em class="parameter"><code>addr</code></em> is
+      an IPv4
+      address in dotted-decimal notation, or a colon-delimited IPv6 address.
+      When this option is used, there is no need to provide the
+      <em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and
+      <em class="parameter"><code>type</code></em> arguments.  <span><strong class="command">dig</strong></span>
+      automatically performs a lookup for a name like
+      <code class="literal">11.12.13.10.in-addr.arpa</code> and sets the
+      query type and
+      class to PTR and IN respectively.  By default, IPv6 addresses are
+      looked up using nibble format under the IP6.ARPA domain.
+      To use the older RFC1886 method using the IP6.INT domain
+      specify the <code class="option">-i</code> option.  Bit string labels (RFC2874)
+      are now experimental and are not attempted.
+    </p>
 <p>
-To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and their
-responses using transaction signatures (TSIG), specify a TSIG key file
-using the <code class="option">-k</code> option.  You can also specify the TSIG
-key itself on the command line using the <code class="option">-y</code> option;
-<em class="parameter"><code>name</code></em> is the name of the TSIG key and
-<em class="parameter"><code>key</code></em> is the actual key.  The key is a base-64
-encoded string, typically generated by <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+      To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and
+      their
+      responses using transaction signatures (TSIG), specify a TSIG key file
+      using the <code class="option">-k</code> option.  You can also specify the TSIG
+      key itself on the command line using the <code class="option">-y</code> option;
+      <em class="parameter"><code>hmac</code></em> is the type of the TSIG, default HMAC-MD5,
+      <em class="parameter"><code>name</code></em> is the name of the TSIG key and
+      <em class="parameter"><code>key</code></em> is the actual key.  The key is a
+      base-64
+      encoded string, typically generated by
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
 
-Caution should be taken when using the <code class="option">-y</code> option on
-multi-user systems as the key can be visible in the output from
-<span class="citerefentry"><span class="refentrytitle">ps</span>(1
-)</span> or in the shell's history file.  When
-using TSIG authentication with <span><strong class="command">dig</strong></span>, the name
-server that is queried needs to know the key and algorithm that is
-being used.  In BIND, this is done by providing appropriate
-<span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in
-<code class="filename">named.conf</code>.
-</p>
+      Caution should be taken when using the <code class="option">-y</code> option on
+      multi-user systems as the key can be visible in the output from
+      <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
+      or in the shell's history file.  When
+      using TSIG authentication with <span><strong class="command">dig</strong></span>, the name
+      server that is queried needs to know the key and algorithm that is
+      being used.  In BIND, this is done by providing appropriate
+      <span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in
+      <code class="filename">named.conf</code>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549998"></a><h2>QUERY OPTIONS</h2>
+<a name="id2543939"></a><h2>QUERY OPTIONS</h2>
+<p><span><strong class="command">dig</strong></span>
+      provides a number of query options which affect
+      the way in which lookups are made and the results displayed.  Some of
+      these set or reset flag bits in the query header, some determine which
+      sections of the answer get printed, and others determine the timeout
+      and retry strategies.
+    </p>
 <p>
-<span><strong class="command">dig</strong></span> provides a number of query options which affect
-the way in which lookups are made and the results displayed.  Some of
-these set or reset flag bits in the query header, some determine which
-sections of the answer get printed, and others determine the timeout
-and retry strategies.
-</p>
-<p>
-Each query option is identified by a keyword preceded by a plus sign
-(<code class="literal">+</code>).  Some keywords set or reset an option.  These may be preceded
-by the string <code class="literal">no</code> to negate the meaning of that keyword.  Other
-keywords assign values to options like the timeout interval.  They
-have the form <code class="option">+keyword=value</code>.
-The query options are:
+      Each query option is identified by a keyword preceded by a plus sign
+      (<code class="literal">+</code>).  Some keywords set or reset an
+      option.  These may be preceded
+      by the string <code class="literal">no</code> to negate the meaning of
+      that keyword.  Other
+      keywords assign values to options like the timeout interval.  They
+      have the form <code class="option">+keyword=value</code>.
+      The query options are:
 
-</p>
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
 <dd><p>
-Use [do not use] TCP when querying name servers.  The default
-behaviour is to use UDP unless an AXFR or IXFR query is requested, in
-which case a TCP connection is used.
-</p></dd>
+              Use [do not use] TCP when querying name servers.  The default
+              behaviour is to use UDP unless an AXFR or IXFR query is
+              requested, in
+              which case a TCP connection is used.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]vc</code></span></dt>
 <dd><p>
-Use [do not use] TCP when querying name servers.  This alternate
-syntax to <em class="parameter"><code>+[no]tcp</code></em> is provided for backwards
-compatibility.  The "vc" stands for "virtual circuit".
-</p></dd>
+              Use [do not use] TCP when querying name servers.  This alternate
+              syntax to <em class="parameter"><code>+[no]tcp</code></em> is
+              provided for backwards
+              compatibility.  The "vc" stands for "virtual circuit".
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
 <dd><p>
-Ignore truncation in UDP responses instead of retrying with TCP.  By
-default, TCP retries are performed.
-</p></dd>
+              Ignore truncation in UDP responses instead of retrying with TCP.
+               By
+              default, TCP retries are performed.
+            </p></dd>
 <dt><span class="term"><code class="option">+domain=somename</code></span></dt>
 <dd><p>
-Set the search list to contain the single domain
-<em class="parameter"><code>somename</code></em>, as if specified in a
-<span><strong class="command">domain</strong></span> directive in
-<code class="filename">/etc/resolv.conf</code>, and enable search list
-processing as if the <em class="parameter"><code>+search</code></em> option were given.
-</p></dd>
+              Set the search list to contain the single domain
+              <em class="parameter"><code>somename</code></em>, as if specified in
+              a
+              <span><strong class="command">domain</strong></span> directive in
+              <code class="filename">/etc/resolv.conf</code>, and enable
+              search list
+              processing as if the <em class="parameter"><code>+search</code></em>
+              option were given.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]search</code></span></dt>
 <dd><p>
-Use [do not use] the search list defined by the searchlist or domain
-directive in <code class="filename">resolv.conf</code> (if any).
-The search list is not used by default.
-</p></dd>
+              Use [do not use] the search list defined by the searchlist or
+              domain
+              directive in <code class="filename">resolv.conf</code> (if
+              any).
+              The search list is not used by default.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
+<dd><p>
+              Perform [do not perform] a search showing intermediate
+	      results.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]defname</code></span></dt>
 <dd><p>
-Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em>
-</p></dd>
+              Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em>
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
 <dd><p>
-Sets the "aa" flag in the query.
-</p></dd>
+              Sets the "aa" flag in the query.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
 <dd><p>
-A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
-</p></dd>
+              A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
 <dd><p>
-Set [do not set] the AD (authentic data) bit in the query.  The AD bit
-currently has a standard meaning only in responses, not in queries,
-but the ability to set the bit in the query is provided for
-completeness.
-</p></dd>
+              Set [do not set] the AD (authentic data) bit in the query.  The
+              AD bit
+              currently has a standard meaning only in responses, not in
+              queries,
+              but the ability to set the bit in the query is provided for
+              completeness.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
 <dd><p>
-Set [do not set] the CD (checking disabled) bit in the query.  This
-requests the server to not perform DNSSEC validation of responses.
-</p></dd>
+              Set [do not set] the CD (checking disabled) bit in the query.
+              This
+              requests the server to not perform DNSSEC validation of
+              responses.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]cl</code></span></dt>
 <dd><p>
-Display [do not display] the CLASS when printing the record.
-</p></dd>
+              Display [do not display] the CLASS when printing the record.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
 <dd><p>
-Display [do not display] the TTL when printing the record.
-</p></dd>
+              Display [do not display] the TTL when printing the record.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
 <dd><p>
-Toggle the setting of the RD (recursion desired) bit in the query.
-This bit is set by default, which means <span><strong class="command">dig</strong></span>
-normally sends recursive queries.  Recursion is automatically disabled
-when the <em class="parameter"><code>+nssearch</code></em> or
-<em class="parameter"><code>+trace</code></em> query options are used.
-</p></dd>
+              Toggle the setting of the RD (recursion desired) bit in the
+              query.
+              This bit is set by default, which means <span><strong class="command">dig</strong></span>
+              normally sends recursive queries.  Recursion is automatically
+              disabled
+              when the <em class="parameter"><code>+nssearch</code></em> or
+              <em class="parameter"><code>+trace</code></em> query options are
+              used.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
 <dd><p>
-When this option is set, <span><strong class="command">dig</strong></span> attempts to find the
-authoritative name servers for the zone containing the name being
-looked up and display the SOA record that each name server has for the
-zone.
-</p></dd>
+              When this option is set, <span><strong class="command">dig</strong></span>
+              attempts to find the
+              authoritative name servers for the zone containing the name
+              being
+              looked up and display the SOA record that each name server has
+              for the
+              zone.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]trace</code></span></dt>
 <dd><p>
-Toggle tracing of the delegation path from the root name servers for
-the name being looked up.  Tracing is disabled by default.  When
-tracing is enabled, <span><strong class="command">dig</strong></span> makes iterative queries to
-resolve the name being looked up.  It will follow referrals from the
-root servers, showing the answer from each server that was used to
-resolve the lookup.
-</p></dd>
+              Toggle tracing of the delegation path from the root name servers
+              for
+              the name being looked up.  Tracing is disabled by default.  When
+              tracing is enabled, <span><strong class="command">dig</strong></span> makes
+              iterative queries to
+              resolve the name being looked up.  It will follow referrals from
+              the
+              root servers, showing the answer from each server that was used
+              to
+              resolve the lookup.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
 <dd><p>
-toggles the printing of the initial comment in the output identifying
-the version of <span><strong class="command">dig</strong></span> and the query options that have
-been applied.  This comment is printed by default.
-</p></dd>
+              toggles the printing of the initial comment in the output
+              identifying
+              the version of <span><strong class="command">dig</strong></span> and the query
+              options that have
+              been applied.  This comment is printed by default.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]short</code></span></dt>
 <dd><p>
-Provide a terse answer.  The default is to print the answer in a
-verbose form.
-</p></dd>
+              Provide a terse answer.  The default is to print the answer in a
+              verbose form.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]identify</code></span></dt>
 <dd><p>
-Show [or do not show] the IP address and port number that supplied the
-answer when the <em class="parameter"><code>+short</code></em> option is enabled.  If
-short form answers are requested, the default is not to show the
-source address and port number of the server that provided the answer.
-</p></dd>
+              Show [or do not show] the IP address and port number that
+              supplied the
+              answer when the <em class="parameter"><code>+short</code></em> option
+              is enabled.  If
+              short form answers are requested, the default is not to show the
+              source address and port number of the server that provided the
+              answer.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]comments</code></span></dt>
 <dd><p>
-Toggle the display of comment lines in the output.  The default is to
-print comments.
-</p></dd>
+              Toggle the display of comment lines in the output.  The default
+              is to
+              print comments.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]stats</code></span></dt>
 <dd><p>
-This query option toggles the printing of statistics: when the query
-was made, the size of the reply and so on.  The default behaviour is
-to print the query statistics.
-</p></dd>
+              This query option toggles the printing of statistics: when the
+              query
+              was made, the size of the reply and so on.  The default
+              behaviour is
+              to print the query statistics.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]qr</code></span></dt>
 <dd><p>
-Print [do not print] the query as it is sent.
-By default, the query is not printed.
-</p></dd>
+              Print [do not print] the query as it is sent.
+              By default, the query is not printed.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]question</code></span></dt>
 <dd><p>
-Print [do not print] the question section of a query when an answer is
-returned.  The default is to print the question section as a comment.
-</p></dd>
+              Print [do not print] the question section of a query when an
+              answer is
+              returned.  The default is to print the question section as a
+              comment.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]answer</code></span></dt>
 <dd><p>
-Display [do not display] the answer section of a reply.  The default
-is to display it.
-</p></dd>
+              Display [do not display] the answer section of a reply.  The
+              default
+              is to display it.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]authority</code></span></dt>
 <dd><p>
-Display [do not display] the authority section of a reply.  The
-default is to display it.
-</p></dd>
+              Display [do not display] the authority section of a reply.  The
+              default is to display it.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]additional</code></span></dt>
 <dd><p>
-Display [do not display] the additional section of a reply.
-The default is to display it.
-</p></dd>
+              Display [do not display] the additional section of a reply.
+              The default is to display it.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]all</code></span></dt>
 <dd><p>
-Set or clear all display flags.
-</p></dd>
+              Set or clear all display flags.
+            </p></dd>
 <dt><span class="term"><code class="option">+time=T</code></span></dt>
 <dd><p>
 
-Sets the timeout for a query to
-<em class="parameter"><code>T</code></em> seconds.  The default time out is 5 seconds.
-An attempt to set <em class="parameter"><code>T</code></em> to less than 1 will result
-in a query timeout of 1 second being applied.
-</p></dd>
+              Sets the timeout for a query to
+              <em class="parameter"><code>T</code></em> seconds.  The default time
+              out is 5 seconds.
+              An attempt to set <em class="parameter"><code>T</code></em> to less
+              than 1 will result
+              in a query timeout of 1 second being applied.
+            </p></dd>
 <dt><span class="term"><code class="option">+tries=T</code></span></dt>
 <dd><p>
-Sets the number of times to try UDP queries to server to
-<em class="parameter"><code>T</code></em> instead of the default, 3.  If
-<em class="parameter"><code>T</code></em> is less than or equal to zero, the number of
-tries is silently rounded up to 1.
-</p></dd>
+              Sets the number of times to try UDP queries to server to
+              <em class="parameter"><code>T</code></em> instead of the default, 3.
+              If
+              <em class="parameter"><code>T</code></em> is less than or equal to
+              zero, the number of
+              tries is silently rounded up to 1.
+            </p></dd>
 <dt><span class="term"><code class="option">+retry=T</code></span></dt>
 <dd><p>
-Sets the number of times to retry UDP queries to server to
-<em class="parameter"><code>T</code></em> instead of the default, 2.  Unlike
-<em class="parameter"><code>+tries</code></em>, this does not include the initial
-query.
-</p></dd>
+              Sets the number of times to retry UDP queries to server to
+              <em class="parameter"><code>T</code></em> instead of the default, 2.
+              Unlike
+              <em class="parameter"><code>+tries</code></em>, this does not include
+              the initial
+              query.
+            </p></dd>
 <dt><span class="term"><code class="option">+ndots=D</code></span></dt>
 <dd><p>
-Set the number of dots that have to appear in
-<em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be
-considered absolute.  The default value is that defined using the
-ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no
-ndots statement is present.  Names with fewer dots are interpreted as
-relative names and will be searched for in the domains listed in the
-<code class="option">search</code> or <code class="option">domain</code> directive in
-<code class="filename">/etc/resolv.conf</code>.
-</p></dd>
+              Set the number of dots that have to appear in
+              <em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be
+              considered absolute.  The default value is that defined using
+              the
+              ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no
+              ndots statement is present.  Names with fewer dots are
+              interpreted as
+              relative names and will be searched for in the domains listed in
+              the
+              <code class="option">search</code> or <code class="option">domain</code> directive in
+              <code class="filename">/etc/resolv.conf</code>.
+            </p></dd>
 <dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
 <dd><p>
-Set the UDP message buffer size advertised using EDNS0 to
-<em class="parameter"><code>B</code></em> bytes.  The maximum and minimum sizes of this
-buffer are 65535 and 0 respectively.  Values outside this range are
-rounded up or down appropriately.
-</p></dd>
+              Set the UDP message buffer size advertised using EDNS0 to
+              <em class="parameter"><code>B</code></em> bytes.  The maximum and minimum sizes
+	      of this buffer are 65535 and 0 respectively.  Values outside
+	      this range are rounded up or down appropriately.  
+	      Values other than zero will cause a EDNS query to be sent.
+            </p></dd>
+<dt><span class="term"><code class="option">+edns=#</code></span></dt>
+<dd><p>
+	       Specify the EDNS version to query with.  Valid values
+	       are 0 to 255.  Setting the EDNS version will cause a
+	       EDNS query to be sent.  <code class="option">+noedns</code> clears the
+	       remembered EDNS version.
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
 <dd><p>
-Print records like the SOA records in a verbose multi-line
-format with human-readable comments.  The default is to print
-each record on a single line, to facilitate machine parsing 
-of the <span><strong class="command">dig</strong></span> output.
-</p></dd>
+              Print records like the SOA records in a verbose multi-line
+              format with human-readable comments.  The default is to print
+              each record on a single line, to facilitate machine parsing
+              of the <span><strong class="command">dig</strong></span> output.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]fail</code></span></dt>
 <dd><p>
-Do not try the next server if you receive a SERVFAIL.  The default is
-to not try the next server which is the reverse of normal stub resolver
-behaviour.
-</p></dd>
+              Do not try the next server if you receive a SERVFAIL.  The
+              default is
+              to not try the next server which is the reverse of normal stub
+              resolver
+              behaviour.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
 <dd><p>
-Attempt to display the contents of messages which are malformed.
-The default is to not display malformed answers.
-</p></dd>
+              Attempt to display the contents of messages which are malformed.
+              The default is to not display malformed answers.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
 <dd><p>
-Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
-in the OPT record in the additional section of the query.
-</p></dd>
+              Requests DNSSEC records be sent by setting the DNSSEC OK bit
+              (DO)
+              in the OPT record in the additional section of the query.
+            </p></dd>
 <dt><span class="term"><code class="option">+[no]sigchase</code></span></dt>
 <dd><p>
-Chase DNSSEC signature chains.  Requires dig be compiled with
--DDIG_SIGCHASE.
-</p></dd>
+              Chase DNSSEC signature chains.  Requires dig be compiled with
+              -DDIG_SIGCHASE.
+            </p></dd>
 <dt><span class="term"><code class="option">+trusted-key=####</code></span></dt>
 <dd>
 <p>
-	      Specifies a file containing trusted keys to be used with
+              Specifies a file containing trusted keys to be used with
 	      <code class="option">+sigchase</code>.  Each DNSKEY record must be
 	      on its own line.
-	    </p>
+            </p>
 <p>
 	      If not specified <span><strong class="command">dig</strong></span> will look for
 	      <code class="filename">/etc/trusted-key.key</code> then
 	      <code class="filename">trusted-key.key</code> in the current directory.
 	    </p>
 <p>
-	      Requires dig be compiled with -DDIG_SIGCHASE.
+              Requires dig be compiled with -DDIG_SIGCHASE.
 	    </p>
 </dd>
 <dt><span class="term"><code class="option">+[no]topdown</code></span></dt>
 <dd><p>
-When chasing DNSSEC signature chains perform a top down validation.
-Requires dig be compiled with -DDIG_SIGCHASE.
-</p></dd>
+              When chasing DNSSEC signature chains perform a top down
+              validation.
+              Requires dig be compiled with -DDIG_SIGCHASE.
+            </p></dd>
 </dl></div>
 <p>
 
-</p>
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550666"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2545128"></a><h2>MULTIPLE QUERIES</h2>
 <p>
-The BIND 9 implementation of <span><strong class="command">dig </strong></span> supports
-specifying multiple queries on the command line (in addition to
-supporting the <code class="option">-f</code> batch file option).  Each of those
-queries can be supplied with its own set of flags, options and query
-options.
-</p>
+      The BIND 9 implementation of <span><strong class="command">dig </strong></span>
+      supports
+      specifying multiple queries on the command line (in addition to
+      supporting the <code class="option">-f</code> batch file option).  Each of those
+      queries can be supplied with its own set of flags, options and query
+      options.
+    </p>
 <p>
-In this case, each <em class="parameter"><code>query</code></em> argument represent an
-individual query in the command-line syntax described above.  Each
-consists of any of the standard options and flags, the name to be
-looked up, an optional query type and class and any query options that
-should be applied to that query.
-</p>
+      In this case, each <em class="parameter"><code>query</code></em> argument
+      represent an
+      individual query in the command-line syntax described above.  Each
+      consists of any of the standard options and flags, the name to be
+      looked up, an optional query type and class and any query options that
+      should be applied to that query.
+    </p>
 <p>
-A global set of query options, which should be applied to all queries,
-can also be supplied.  These global query options must precede the
-first tuple of name, class, type, options, flags, and query options
-supplied on the command line.  Any global query options (except
-the <code class="option">+[no]cmd</code> option) can be
-overridden by a query-specific set of query options.  For example:
-</p>
+      A global set of query options, which should be applied to all queries,
+      can also be supplied.  These global query options must precede the
+      first tuple of name, class, type, options, flags, and query options
+      supplied on the command line.  Any global query options (except
+      the <code class="option">+[no]cmd</code> option) can be
+      overridden by a query-specific set of query options.  For example:
+      </p>
 <pre class="programlisting">
 dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 </pre>
 <p>
-shows how <span><strong class="command">dig</strong></span> could be used from the command line
-to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a
-reverse lookup of 127.0.0.1 and a query for the NS records of
-<code class="literal">isc.org</code>.
+      shows how <span><strong class="command">dig</strong></span> could be used from the
+      command line
+      to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a
+      reverse lookup of 127.0.0.1 and a query for the NS records of
+      <code class="literal">isc.org</code>.
 
-A global query option of <em class="parameter"><code>+qr</code></em> is applied, so
-that <span><strong class="command">dig</strong></span> shows the initial query it made for each
-lookup.  The final query has a local query option of
-<em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span>
-will not print the initial query when it looks up the NS records for
-<code class="literal">isc.org</code>.
-</p>
+      A global query option of <em class="parameter"><code>+qr</code></em> is
+      applied, so
+      that <span><strong class="command">dig</strong></span> shows the initial query it made
+      for each
+      lookup.  The final query has a local query option of
+      <em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span>
+      will not print the initial query when it looks up the NS records for
+      <code class="literal">isc.org</code>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550725"></a><h2>FILES</h2>
+<a name="id2545258"></a><h2>IDN SUPPORT</h2>
 <p>
-<code class="filename">/etc/resolv.conf</code>
-</p>
-<p>
-<code class="filename">${HOME}/.digrc</code>
-</p>
+      If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
+      domain name) support, it can accept and display non-ASCII domain names.
+      <span><strong class="command">dig</strong></span> appropriately converts character encoding of
+      domain name before sending a request to DNS server or displaying a
+      reply from the server.
+      If you'd like to turn off the IDN support for some reason, defines
+      the <code class="envar">IDN_DISABLE</code> environment variable.
+      The IDN support is disabled if the variable is set when 
+      <span><strong class="command">dig</strong></span> runs.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550744"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-<em class="citetitle">RFC1035</em>.
-</p>
+<a name="id2545281"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
+    </p>
+<p><code class="filename">${HOME}/.digrc</code>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2545298"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <em class="citetitle">RFC1035</em>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550782"></a><h2>BUGS </h2>
+<a name="id2545335"></a><h2>BUGS</h2>
 <p>
-There are probably too many query options. 
-</p>
+      There are probably too many query options.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/bin/dig/dighost.c b/contrib/bind9/bin/dig/dighost.c
index 398711d..2e950a4 100644
--- a/contrib/bind9/bin/dig/dighost.c
+++ b/contrib/bind9/bin/dig/dighost.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dighost.c,v 1.221.2.19.2.36 2006/12/07 01:26:33 marka Exp $ */
+/* $Id: dighost.c,v 1.259.18.39 2007/02/14 23:45:43 marka Exp $ */
 
-/*
+/*! \file
+ *  \note
  * Notice to programmers:  Do not use this code as an example of how to
  * use the ISC library to perform DNS lookups.  Dig and Host both operate
  * on the request level, since they allow fine-tuning of output and are
@@ -32,6 +33,17 @@
 #include <string.h>
 #include <limits.h>
 
+#ifdef HAVE_LOCALE_H
+#include <locale.h>
+#endif
+
+#ifdef WITH_IDN
+#include <idn/result.h>
+#include <idn/log.h>
+#include <idn/resconf.h>
+#include <idn/api.h>
+#endif
+
 #include <dns/byaddr.h>
 #ifdef DIG_SIGCHASE
 #include <dns/dnssec.h>
@@ -95,16 +107,19 @@ dig_serverlist_t server_list;
 dig_searchlistlist_t search_list;
 
 isc_boolean_t
+	check_ra = ISC_FALSE,
 	have_ipv4 = ISC_FALSE,
 	have_ipv6 = ISC_FALSE,
 	specified_source = ISC_FALSE,
 	free_now = ISC_FALSE,
 	cancel_now = ISC_FALSE,
 	usesearch = ISC_FALSE,
+	showsearch = ISC_FALSE,
 	qr = ISC_FALSE,
 	is_dst_up = ISC_FALSE;
 in_port_t port = 53;
 unsigned int timeout = 0;
+unsigned int extrabytes;
 isc_mem_t *mctx = NULL;
 isc_taskmgr_t *taskmgr = NULL;
 isc_task_t *global_task = NULL;
@@ -119,20 +134,35 @@ int ndots = -1;
 int tries = 3;
 int lookup_counter = 0;
 
-/*
+#ifdef WITH_IDN
+static void		initialize_idn(void);
+static isc_result_t	output_filter(isc_buffer_t *buffer,
+				      unsigned int used_org,
+				      isc_boolean_t absolute);
+static idn_result_t	append_textname(char *name, const char *origin,
+					size_t namesize);
+static void		idn_check_result(idn_result_t r, const char *msg);
+
+#define MAXDLEN		256
+#endif
+
+/*%
  * Exit Codes:
- *   0   Everything went well, including things like NXDOMAIN
- *   1   Usage error
- *   7   Got too many RR's or Names
- *   8   Couldn't open batch file
- *   9   No reply from server
- *   10  Internal error
+ *
+ *\li	0   Everything went well, including things like NXDOMAIN
+ *\li	1   Usage error
+ *\li	7   Got too many RR's or Names
+ *\li	8   Couldn't open batch file
+ *\li	9   No reply from server
+ *\li	10  Internal error
  */
 int exitcode = 0;
 int fatalexit = 0;
 char keynametext[MXNAME];
 char keyfile[MXNAME] = "";
 char keysecret[MXNAME] = "";
+dns_name_t *hmacname = NULL;
+unsigned int digestbits = 0;
 isc_buffer_t *namebuf = NULL;
 dns_tsigkey_t *key = NULL;
 isc_boolean_t validated = ISC_TRUE;
@@ -246,7 +276,7 @@ dns_name_t chase_name; /* the query name */
 /*
  * the current name is the parent name when we follow delegation
  */
-dns_name_t chase_current_name;
+dns_name_t chase_current_name; 
 /*
  * the child name is used for delegation (NS DS responses in AUTHORITY section)
  */
@@ -293,7 +323,7 @@ struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0};
 
 #define DIG_MAX_ADDRESSES 20
 
-/*
+/*%
  * Apply and clear locks at the event level in global task.
  * Can I get rid of these using shutdown events?  XXX
  */
@@ -377,7 +407,7 @@ hex_dump(isc_buffer_t *b) {
 		printf("\n");
 }
 
-/*
+/*%
  * Append 'len' bytes of 'text' at '*p', failing with
  * ISC_R_NOSPACE if that would advance p past 'end'.
  */
@@ -493,7 +523,7 @@ check_result(isc_result_t result, const char *msg) {
 	}
 }
 
-/*
+/*%
  * Create a server structure, which is part of the lookup structure.
  * This is little more than a linked list of servers to query in hopes
  * of finding the answer the user is looking for
@@ -535,7 +565,7 @@ addr2af(int lwresaddrtype)
 	return (af);
 }
 
-/*
+/*%
  * Create a copy of the server list from the lwres configuration structure.
  * The dest list must have already had ISC_LIST_INIT applied.
  */
@@ -585,7 +615,7 @@ set_nameserver(char *opt) {
 		return;
 
 	result = bind9_getaddresses(opt, 0, sockaddrs,
-				    DIG_MAX_ADDRESSES, &count);
+				    DIG_MAX_ADDRESSES, &count); 
 	if (result != ISC_R_SUCCESS)
 		fatal("couldn't get address for '%s': %s",
 		      opt, isc_result_totext(result));
@@ -630,7 +660,7 @@ add_nameserver(lwres_conf_t *confdata, const char *addr, int af) {
 	return (ISC_R_FAILURE);
 }
 
-/*
+/*%
  * Produce a cloned server list.  The dest list must have already had
  * ISC_LIST_INIT applied.
  */
@@ -648,7 +678,7 @@ clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest) {
 	}
 }
 
-/*
+/*%
  * Create an empty lookup structure, which holds all the information needed
  * to get an answer to a user's question.  This structure contains two
  * linked lists: the server list (servers to query) and the query list
@@ -704,6 +734,7 @@ make_empty_lookup(void) {
 #endif
 #endif
 	looknew->udpsize = 0;
+	looknew->edns = -1;
 	looknew->recurse = ISC_TRUE;
 	looknew->aaonly = ISC_FALSE;
 	looknew->adflag = ISC_FALSE;
@@ -723,13 +754,15 @@ make_empty_lookup(void) {
 	looknew->section_authority = ISC_TRUE;
 	looknew->section_additional = ISC_TRUE;
 	looknew->new_search = ISC_FALSE;
+	looknew->done_as_is = ISC_FALSE;
+	looknew->need_search = ISC_FALSE;
 	ISC_LINK_INIT(looknew, link);
 	ISC_LIST_INIT(looknew->q);
 	ISC_LIST_INIT(looknew->my_server_list);
 	return (looknew);
 }
 
-/*
+/*%
  * Clone a lookup, perhaps copying the server list.  This does not clone
  * the query list, since it will be regenerated by the setup_lookup()
  * function, nor does it queue up the new lookup for processing.
@@ -780,6 +813,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 #endif
 #endif
 	looknew->udpsize = lookold->udpsize;
+	looknew->edns = lookold->edns;
 	looknew->recurse = lookold->recurse;
 	looknew->aaonly = lookold->aaonly;
 	looknew->adflag = lookold->adflag;
@@ -794,6 +828,8 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 	looknew->section_additional = lookold->section_additional;
 	looknew->retries = lookold->retries;
 	looknew->tsigctx = NULL;
+	looknew->need_search = lookold->need_search;
+	looknew->done_as_is = lookold->done_as_is;
 
 	if (servers)
 		clone_server_list(lookold->my_server_list,
@@ -801,7 +837,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 	return (looknew);
 }
 
-/*
+/*%
  * Requeue a lookup for further processing, perhaps copying the server
  * list.  The new lookup structure is returned to the caller, and is
  * queued for processing.  If servers are not cloned in the requeue, they
@@ -863,14 +899,15 @@ setup_text_key(void) {
 	if (result != ISC_R_SUCCESS)
 		goto failure;
 
-	result = dns_tsigkey_create(&keyname, dns_tsig_hmacmd5_name,
-				    secretstore, secretsize,
-				    ISC_FALSE, NULL, 0, 0, mctx,
+	result = dns_tsigkey_create(&keyname, hmacname, secretstore,
+				    secretsize, ISC_FALSE, NULL, 0, 0, mctx,
 				    NULL, &key);
  failure:
 	if (result != ISC_R_SUCCESS)
 		printf(";; Couldn't create key %s: %s\n",
 		       keynametext, isc_result_totext(result));
+	else
+		dst_key_setbits(key->key, digestbits);
 
 	isc_mem_free(mctx, secretstore);
 	dns_name_invalidate(&keyname);
@@ -891,8 +928,31 @@ setup_file_key(void) {
 		goto failure;
 	}
 
-	result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
-					   dns_tsig_hmacmd5_name,
+	switch (dst_key_alg(dstkey)) {
+	case DST_ALG_HMACMD5:
+		hmacname = DNS_TSIG_HMACMD5_NAME;
+		break;
+	case DST_ALG_HMACSHA1:
+		hmacname = DNS_TSIG_HMACSHA1_NAME;
+		break;
+	case DST_ALG_HMACSHA224:
+		hmacname = DNS_TSIG_HMACSHA224_NAME;
+		break;
+	case DST_ALG_HMACSHA256:
+		hmacname = DNS_TSIG_HMACSHA256_NAME;
+		break;
+	case DST_ALG_HMACSHA384:
+		hmacname = DNS_TSIG_HMACSHA384_NAME;
+		break;
+	case DST_ALG_HMACSHA512:
+		hmacname = DNS_TSIG_HMACSHA512_NAME;
+		break;
+	default:
+		printf(";; Couldn't create key %s: bad algorithm\n",
+		       keynametext);
+		goto failure;
+	}
+	result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname,
 					   dstkey, ISC_FALSE, NULL, 0, 0,
 					   mctx, NULL, &key);
 	if (result != ISC_R_SUCCESS) {
@@ -933,7 +993,7 @@ create_search_list(lwres_conf_t *confdata) {
 	}
 }
 
-/*
+/*%
  * Setup the system as a whole, reading key information and resolv.conf
  * settings.
  */
@@ -987,6 +1047,10 @@ setup_system(void) {
 	if (ISC_LIST_EMPTY(server_list))
 		copy_server_list(lwconf, &server_list);
 
+#ifdef WITH_IDN
+	initialize_idn();
+#endif
+
 	if (keyfile[0] != 0)
 		setup_file_key();
 	else if (keysecret[0] != 0)
@@ -1017,7 +1081,7 @@ clear_searchlist(void) {
 	}
 }
 
-/*
+/*%
  * Override the search list derived from resolv.conf by 'domain'.
  */
 void
@@ -1029,7 +1093,7 @@ set_search_domain(char *domain) {
 	ISC_LIST_APPEND(search_list, search, link);
 }
 
-/*
+/*%
  * Setup the ISC and DNS libraries for use by the system.
  */
 void
@@ -1086,12 +1150,14 @@ setup_libs(void) {
 	dns_result_register();
 }
 
-/*
+/*%
  * Add EDNS0 option record to a message.  Currently, the only supported
  * options are UDP buffer size and the DO bit.
  */
 static void
-add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_boolean_t dnssec) {
+add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
+	isc_boolean_t dnssec)
+{
 	dns_rdataset_t *rdataset = NULL;
 	dns_rdatalist_t *rdatalist = NULL;
 	dns_rdata_t *rdata = NULL;
@@ -1110,9 +1176,9 @@ add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_boolean_t dnssec) {
 	rdatalist->type = dns_rdatatype_opt;
 	rdatalist->covers = 0;
 	rdatalist->rdclass = udpsize;
-	rdatalist->ttl = 0;
+	rdatalist->ttl = edns << 16;
 	if (dnssec)
-		rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
+		rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
 	rdata->data = NULL;
 	rdata->length = 0;
 	ISC_LIST_INIT(rdatalist->rdata);
@@ -1122,7 +1188,7 @@ add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_boolean_t dnssec) {
 	check_result(result, "dns_message_setopt");
 }
 
-/*
+/*%
  * Add a question section to a message, asking for the specified name,
  * type, and class.
  */
@@ -1142,7 +1208,7 @@ add_question(dns_message_t *message, dns_name_t *name,
 	ISC_LIST_APPEND(name->list, rdataset, link);
 }
 
-/*
+/*%
  * Check if we're done with all the queued lookups, which is true iff
  * all sockets, sends, and recvs are accounted for (counters == 0),
  * and the lookup list is empty.
@@ -1163,7 +1229,7 @@ check_if_done(void) {
 	}
 }
 
-/*
+/*%
  * Clear out a query when we're done with it.  WARNING: This routine
  * WILL invalidate the query pointer.
  */
@@ -1202,7 +1268,7 @@ clear_query(dig_query_t *query) {
 		isc_mem_free(mctx, query);
 }
 
-/*
+/*%
  * Try and clear out a lookup if we're done with it.  Return ISC_TRUE if
  * the lookup was successfully cleared.  If ISC_TRUE is returned, the
  * lookup pointer has been invalidated.
@@ -1260,7 +1326,7 @@ try_clear_lookup(dig_lookup_t *lookup) {
 	return (ISC_TRUE);
 }
 
-/*
+/*%
  * If we can, start the next lookup in the queue running.
  * This assumes that the lookup on the head of the queue hasn't been
  * started yet.  It also removes the lookup from the head of the queue,
@@ -1336,7 +1402,7 @@ start_lookup(void) {
 			current_lookup->qrdtype_sigchase
 				= current_lookup->qrdtype;
 			current_lookup->qrdtype = dns_rdatatype_ns;
-		
+		   
 			current_lookup->rdclass_sigchase
 				= current_lookup->rdclass;
 			current_lookup->rdclass_sigchaseset
@@ -1373,7 +1439,7 @@ start_lookup(void) {
 	}
 }
 
-/*
+/*%
  * If we can, clear the current lookup and start the next one running.
  * This calls try_clear_lookup, so may invalidate the lookup pointer.
  */
@@ -1394,7 +1460,7 @@ check_next_lookup(dig_lookup_t *lookup) {
 	}
 }
 
-/*
+/*%
  * Create and queue a new lookup as a followup to the current lookup,
  * based on the supplied message and section.  This is used in trace and
  * name server search modes to start a new lookup using servers from
@@ -1411,6 +1477,8 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 	isc_result_t result;
 	isc_boolean_t success = ISC_FALSE;
 	int numLookups = 0;
+	dns_name_t *domain;
+	isc_boolean_t horizontal = ISC_FALSE, bad = ISC_FALSE;
 
 	INSIST(!free_now);
 
@@ -1437,6 +1505,26 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 
 		debug("found NS set");
 
+		if (query->lookup->trace && !query->lookup->trace_root) {
+			dns_namereln_t namereln;
+			unsigned int nlabels;
+			int order;
+
+			domain = dns_fixedname_name(&query->lookup->fdomain);
+			namereln = dns_name_fullcompare(name, domain,
+							&order, &nlabels);
+			if (namereln == dns_namereln_equal) {
+				if (!horizontal)
+					printf(";; BAD (HORIZONTAL) REFERRAL\n");
+				horizontal = ISC_TRUE;
+			} else if (namereln != dns_namereln_subdomain) {
+				if (!bad)
+					printf(";; BAD REFERRAL\n");
+				bad = ISC_TRUE;
+				continue;
+			}
+		}
+
 		for (result = dns_rdataset_first(rdataset);
 		     result == ISC_R_SUCCESS;
 		     result = dns_rdataset_next(rdataset)) {
@@ -1474,6 +1562,9 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 				lookup->trace_root = ISC_FALSE;
 				if (lookup->ns_search_only)
 					lookup->recurse = ISC_FALSE;
+				dns_fixedname_init(&lookup->fdomain);
+				domain = dns_fixedname_name(&lookup->fdomain);
+				dns_name_copy(name, domain, NULL);
 			}
 			srv = make_server(namestr, namestr);
 			debug("adding server %s", srv->servername);
@@ -1487,10 +1578,32 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 	    (query->lookup->trace || query->lookup->ns_search_only))
 		return (followup_lookup(msg, query, DNS_SECTION_AUTHORITY));
 
-	return numLookups;
+	/*
+	 * Randomize the order the nameserver will be tried.
+	 */
+	if (numLookups > 1) {
+		isc_uint32_t i, j;
+		dig_serverlist_t my_server_list;
+
+		ISC_LIST_INIT(my_server_list);
+
+		for (i = numLookups; i > 0; i--) {
+			isc_random_get(&j);
+			j %= i;
+			srv = ISC_LIST_HEAD(lookup->my_server_list);
+			while (j-- > 0)
+				srv = ISC_LIST_NEXT(srv, link);
+			ISC_LIST_DEQUEUE(lookup->my_server_list, srv, link);
+			ISC_LIST_APPEND(my_server_list, srv, link);
+		}
+		ISC_LIST_APPENDLIST(lookup->my_server_list,
+				    my_server_list, link);
+	}
+
+	return (numLookups);
 }
 
-/*
+/*%
  * Create and queue a new lookup using the next origin from the search
  * list, read in setup_system().
  *
@@ -1499,6 +1612,7 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 static isc_boolean_t
 next_origin(dns_message_t *msg, dig_query_t *query) {
 	dig_lookup_t *lookup;
+	dig_searchlist_t *search;
 
 	UNUSED(msg);
 
@@ -1513,18 +1627,27 @@ next_origin(dns_message_t *msg, dig_query_t *query) {
 		 * about finding the next entry.
 		 */
 		return (ISC_FALSE);
-	if (query->lookup->origin == NULL)
+	if (query->lookup->origin == NULL && !query->lookup->need_search)
 		/*
 		 * Then we just did rootorg; there's nothing left.
 		 */
 		return (ISC_FALSE);
-	lookup = requeue_lookup(query->lookup, ISC_TRUE);
-	lookup->origin = ISC_LIST_NEXT(query->lookup->origin, link);
+	if (query->lookup->origin == NULL && query->lookup->need_search) {
+		lookup = requeue_lookup(query->lookup, ISC_TRUE);
+		lookup->origin = ISC_LIST_HEAD(search_list);
+		lookup->need_search = ISC_FALSE;
+	} else {
+		search = ISC_LIST_NEXT(query->lookup->origin, link);
+		if (search == NULL && query->lookup->done_as_is)
+			return (ISC_FALSE);
+		lookup = requeue_lookup(query->lookup, ISC_TRUE);
+		lookup->origin = search;
+	}
 	cancel_lookup(query->lookup);
 	return (ISC_TRUE);
 }
 
-/*
+/*%
  * Insert an SOA record into the sendmessage in a lookup.  Used for
  * creating IXFR queries.
  */
@@ -1590,7 +1713,7 @@ insert_soa(dig_lookup_t *lookup) {
 	dns_message_addname(lookup->sendmsg, soaname, DNS_SECTION_AUTHORITY);
 }
 
-/*
+/*%
  * Setup the supplied lookup structure, making it ready to start sending
  * queries to servers.  Create and initialize the message to be sent as
  * well as the query structures and buffer space for the replies.  If the
@@ -1606,6 +1729,15 @@ setup_lookup(dig_lookup_t *lookup) {
 	isc_buffer_t b;
 	dns_compress_t cctx;
 	char store[MXNAME];
+#ifdef WITH_IDN
+	idn_result_t mr;
+	char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME];
+#endif
+
+#ifdef WITH_IDN
+	result = dns_name_settotextfilter(output_filter);
+	check_result(result, "dns_name_settotextfilter");
+#endif
 
 	REQUIRE(lookup != NULL);
 	INSIST(!free_now);
@@ -1634,6 +1766,17 @@ setup_lookup(dig_lookup_t *lookup) {
 	isc_buffer_init(&lookup->onamebuf, lookup->onamespace,
 			sizeof(lookup->onamespace));
 
+#ifdef WITH_IDN
+	/*
+	 * We cannot convert `textname' and `origin' separately.
+	 * `textname' doesn't contain TLD, but local mapping needs
+	 * TLD.
+	 */
+	mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname,
+			    utf8_textname, sizeof(utf8_textname));
+	idn_check_result(mr, "convert textname to UTF-8");
+#endif
+
 	/*
 	 * If the name has too many dots, force the origin to be NULL
 	 * (which produces an absolute lookup).  Otherwise, take the origin
@@ -1641,12 +1784,43 @@ setup_lookup(dig_lookup_t *lookup) {
 	 * take the first entry in the searchlist iff either usesearch
 	 * is TRUE or we got a domain line in the resolv.conf file.
 	 */
-	/* XXX New search here? */
-	if ((count_dots(lookup->textname) >= ndots) || !usesearch)
-		lookup->origin = NULL; /* Force abs lookup */
-	else if (lookup->origin == NULL && lookup->new_search && usesearch)
-		lookup->origin = ISC_LIST_HEAD(search_list);
+	if (lookup->new_search) {
+#ifdef WITH_IDN
+		if ((count_dots(utf8_textname) >= ndots) || !usesearch) {
+			lookup->origin = NULL; /* Force abs lookup */
+			lookup->done_as_is = ISC_TRUE;
+			lookup->need_search = usesearch;
+		} else if (lookup->origin == NULL && usesearch) {
+			lookup->origin = ISC_LIST_HEAD(search_list);
+			lookup->need_search = ISC_FALSE;
+		}
+#else
+		if ((count_dots(lookup->textname) >= ndots) || !usesearch) {
+			lookup->origin = NULL; /* Force abs lookup */
+			lookup->done_as_is = ISC_TRUE;
+			lookup->need_search = usesearch;
+		} else if (lookup->origin == NULL && usesearch) {
+			lookup->origin = ISC_LIST_HEAD(search_list);
+			lookup->need_search = ISC_FALSE;
+		}
+#endif
+	}
 
+#ifdef WITH_IDN
+	if (lookup->origin != NULL) {
+		mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP,
+				    lookup->origin->origin, utf8_origin,
+				    sizeof(utf8_origin));
+		idn_check_result(mr, "convert origin to UTF-8");
+		mr = append_textname(utf8_textname, utf8_origin,
+				     sizeof(utf8_textname));
+		idn_check_result(mr, "append origin to textname");
+	}
+	mr = idn_encodename(IDN_LOCALMAP | IDN_NAMEPREP | IDN_ASCCHECK |
+			    IDN_IDNCONV | IDN_LENCHECK, utf8_textname,
+			    idn_textname, sizeof(idn_textname));
+	idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
+#else
 	if (lookup->origin != NULL) {
 		debug("trying origin %s", lookup->origin->origin);
 		result = dns_message_gettempname(lookup->sendmsg,
@@ -1687,11 +1861,22 @@ setup_lookup(dig_lookup_t *lookup) {
 			      lookup->textname, isc_result_totext(result));
 		}
 		dns_message_puttempname(lookup->sendmsg, &lookup->oname);
-	} else {
+	} else
+#endif
+	{
 		debug("using root origin");
 		if (lookup->trace && lookup->trace_root)
 			dns_name_clone(dns_rootname, lookup->name);
 		else {
+#ifdef WITH_IDN
+			len = strlen(idn_textname);
+			isc_buffer_init(&b, idn_textname, len);
+			isc_buffer_add(&b, len);
+			result = dns_name_fromtext(lookup->name, &b,
+						   dns_rootname,
+						   ISC_FALSE,
+						   &lookup->namebuf);
+#else
 			len = strlen(lookup->textname);
 			isc_buffer_init(&b, lookup->textname, len);
 			isc_buffer_add(&b, len);
@@ -1699,6 +1884,7 @@ setup_lookup(dig_lookup_t *lookup) {
 						   dns_rootname,
 						   ISC_FALSE,
 						   &lookup->namebuf);
+#endif
 		}
 		if (result != ISC_R_SUCCESS) {
 			dns_message_puttempname(lookup->sendmsg,
@@ -1793,10 +1979,13 @@ setup_lookup(dig_lookup_t *lookup) {
 	result = dns_message_renderbegin(lookup->sendmsg, &cctx,
 					 &lookup->renderbuf);
 	check_result(result, "dns_message_renderbegin");
-	if (lookup->udpsize > 0 || lookup->dnssec) {
+	if (lookup->udpsize > 0 || lookup->dnssec || lookup->edns > -1) {
 		if (lookup->udpsize == 0)
-			lookup->udpsize = 2048;
-		add_opt(lookup->sendmsg, lookup->udpsize, lookup->dnssec);
+			lookup->udpsize = 4096;
+		if (lookup->edns < 0)
+			lookup->edns = 0;
+		add_opt(lookup->sendmsg, lookup->udpsize,
+			lookup->edns, lookup->dnssec);
 	}
 
 	result = dns_message_rendersection(lookup->sendmsg,
@@ -1844,6 +2033,7 @@ setup_lookup(dig_lookup_t *lookup) {
 		query->userarg = serv->userarg;
 		query->rr_count = 0;
 		query->msg_count = 0;
+		query->byte_count = 0;
 		ISC_LINK_INIT(query, link);
 		ISC_LIST_INIT(query->recvlist);
 		ISC_LIST_INIT(query->lengthlist);
@@ -1862,12 +2052,13 @@ setup_lookup(dig_lookup_t *lookup) {
 	}
 	/* XXX qrflag, print_query, etc... */
 	if (!ISC_LIST_EMPTY(lookup->q) && qr) {
+		extrabytes = 0;
 		printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
 			     ISC_TRUE);
 	}
 }
 
-/*
+/*%
  * Event handler for send completion.  Track send counter, and clear out
  * the query if the send was canceled.
  */
@@ -1914,7 +2105,7 @@ send_done(isc_task_t *_task, isc_event_t *event) {
 	UNLOCK_LOOKUP;
 }
 
-/*
+/*%
  * Cancel a lookup, sending isc_socket_cancel() requests to all outstanding
  * IO sockets.  The cancel handlers should take care of cleaning up the
  * query and lookup structures
@@ -1976,7 +2167,7 @@ bringup_timer(dig_query_t *query, unsigned int default_timeout) {
 static void
 connect_done(isc_task_t *task, isc_event_t *event);
 
-/*
+/*%
  * Unlike send_udp, this can't be called multiple times with the same
  * query.  When we retry TCP, we requeue the whole lookup, which should
  * start anew.
@@ -2045,7 +2236,7 @@ send_tcp_connect(dig_query_t *query) {
 	}
 }
 
-/*
+/*%
  * Send a UDP packet to the remote nameserver, possible starting the
  * recv action as well.  Also make sure that the timer is running and
  * is properly reset.
@@ -2106,7 +2297,7 @@ send_udp(dig_query_t *query) {
 	sendcount++;
 }
 
-/*
+/*%
  * IO timeout handler, used for both connect and recv timeouts.  If
  * retries are still allowed, either resend the UDP packet or queue a
  * new TCP lookup.  Otherwise, cancel the lookup.
@@ -2165,7 +2356,7 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
 	UNLOCK_LOOKUP;
 }
 
-/*
+/*%
  * Event handler for the TCP recv which gets the length header of TCP
  * packets.  Start the next recv of length bytes.
  */
@@ -2249,7 +2440,7 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 	UNLOCK_LOOKUP;
 }
 
-/*
+/*%
  * For transfers that involve multiple recvs (XFR's in particular),
  * launch the next recv.
  */
@@ -2308,7 +2499,7 @@ launch_next_query(dig_query_t *query, isc_boolean_t include_question) {
 	return;
 }
 
-/*
+/*%
  * Event handler for TCP connect complete.  Make sure the connection was
  * successful, then pass into launch_next_query to actually send the
  * question.
@@ -2388,7 +2579,7 @@ connect_done(isc_task_t *task, isc_event_t *event) {
 	UNLOCK_LOOKUP;
 }
 
-/*
+/*%
  * Check if the ongoing XFR needs more data before it's complete, using
  * the semantics of IXFR and AXFR protocols.  Much of the complexity of
  * this routine comes from determining when an IXFR is complete.
@@ -2416,6 +2607,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg,
 	 */
 
 	query->msg_count++;
+	query->byte_count += sevent->n;
 	result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
 	if (result != ISC_R_SUCCESS) {
 		puts("; Transfer failed.");
@@ -2531,7 +2723,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg,
 	return (ISC_TRUE);
 }
 
-/*
+/*%
  * Event handler for recv complete.  Perform whatever actions are necessary,
  * based on the specifics of the user's request.
  */
@@ -2616,36 +2808,25 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	}
 
 	if (!l->tcp_mode &&
-	    !isc_sockaddr_equal(&sevent->address, &query->sockaddr)) {
+	    !isc_sockaddr_compare(&sevent->address, &query->sockaddr,
+				  ISC_SOCKADDR_CMPADDR|
+				  ISC_SOCKADDR_CMPPORT|
+				  ISC_SOCKADDR_CMPSCOPE|
+				  ISC_SOCKADDR_CMPSCOPEZERO)) {
 		char buf1[ISC_SOCKADDR_FORMATSIZE];
 		char buf2[ISC_SOCKADDR_FORMATSIZE];
 		isc_sockaddr_t any;
 
-		if (isc_sockaddr_pf(&query->sockaddr) == AF_INET)
+		if (isc_sockaddr_pf(&query->sockaddr) == AF_INET) 
 			isc_sockaddr_any(&any);
 		else
 			isc_sockaddr_any6(&any);
 
-#ifdef ISC_PLATFORM_HAVESCOPEID
 		/*
-		 * Accept answers from any scope if we havn't specified the
-		 * scope as long as the address and port match.
-		 */
-		if (isc_sockaddr_pf(&query->sockaddr) == AF_INET6 &&
-		    query->sockaddr.type.sin6.sin6_scope_id == 0 &&
-		    memcmp(&sevent->address.type.sin6.sin6_addr,
-			   &query->sockaddr.type.sin6.sin6_addr,
-			   sizeof(query->sockaddr.type.sin6.sin6_addr)) == 0 &&
-		    isc_sockaddr_getport(&sevent->address) ==
-		    isc_sockaddr_getport(&query->sockaddr))
-			/* empty */;
-		else
-#endif
-		/*
-		 * We don't expect a match above when the packet is
-		 * sent to 0.0.0.0, :: or to a multicast addresses.
-		 * XXXMPA broadcast needs to be handled here as well.
-		 */
+		* We don't expect a match when the packet is 
+		* sent to 0.0.0.0, :: or to a multicast addresses.
+		* XXXMPA broadcast needs to be handled here as well.
+		*/
 		if ((!isc_sockaddr_eqaddr(&query->sockaddr, &any) &&
 		     !isc_sockaddr_ismulticast(&query->sockaddr)) ||
 		    isc_sockaddr_getport(&query->sockaddr) !=
@@ -2695,6 +2876,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			       "(< header size) message received\n");
 	}
 
+	if (result == ISC_R_SUCCESS && (msgflags & DNS_MESSAGEFLAG_QR) == 0)
+		printf(";; Warning: query response not set\n");
+
 	if (!match) {
 		isc_buffer_invalidate(&query->recvbuf);
 		isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
@@ -2761,8 +2945,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		UNLOCK_LOOKUP;
 		return;
 	}
-	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0
-	    && !l->ignore && !l->tcp_mode) {
+	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0 &&
+            !l->ignore && !l->tcp_mode) {
 		printf(";; Truncated, retrying in TCP mode.\n");
 		n = requeue_lookup(l, ISC_TRUE);
 		n->tcp_mode = ISC_TRUE;
@@ -2775,7 +2959,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		UNLOCK_LOOKUP;
 		return;
 	}			
-	if (msg->rcode == dns_rcode_servfail && !l->servfail_stops) {
+	if ((msg->rcode == dns_rcode_servfail && !l->servfail_stops) ||
+	    (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && l->recurse))
+	{
 		dig_query_t *next = ISC_LIST_NEXT(query, link);
 		if (l->current_query == query)
 			l->current_query = NULL;
@@ -2793,9 +2979,13 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		 */
 		if ((ISC_LIST_HEAD(l->q) != query) ||
 		    (ISC_LIST_NEXT(query, link) != NULL)) {
-			printf(";; Got SERVFAIL reply from %s, "
-			       "trying next server\n",
-			       query->servname);
+			if( l->comments == ISC_TRUE )
+				printf(";; Got %s from %s, "
+				       "trying next server\n",
+				       msg->rcode == dns_rcode_servfail ?
+				       "SERVFAIL reply" :
+				       "recursion not available",
+				       query->servname);
 			clear_query(query);
 			check_next_lookup(l);
 			dns_message_destroy(&msg);
@@ -2822,6 +3012,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		check_result(result,"dns_message_getquerytsig");
 	}
 
+	extrabytes = isc_buffer_remaininglength(b);
+
 	debug("after parse");
 	if (l->doing_xfr && l->xfr_q == NULL) {
 		l->xfr_q = query;
@@ -2856,8 +3048,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	}
 
 	if (!l->doing_xfr || l->xfr_q == query) {
-		if (msg->rcode != dns_rcode_noerror && l->origin != NULL) {
-			if (!next_origin(msg, query)) {
+		if (msg->rcode != dns_rcode_noerror &&
+		    (l->origin != NULL || l->need_search)) {
+			if (!next_origin(msg, query) || showsearch) {
 				printmessage(query, msg, ISC_TRUE);
 				received(b->used, &sevent->address, query);
 			}
@@ -2891,7 +3084,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 
 			if (l->trace_root) {
 				/*
-				 * This is the initial NS query.
+				 * This is the initial NS query. 
 				 */
 				int n;
 
@@ -2906,7 +3099,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 				if (!do_sigchase)
 #endif
 				printmessage(query, msg, ISC_TRUE);
-		}
+		} 
 #ifdef DIG_SIGCHASE
 		if (do_sigchase) {
 			chase_msg = isc_mem_allocate(mctx,
@@ -2925,13 +3118,13 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 
 			isc_buffer_usedregion(b, &r);
 			result = isc_buffer_allocate(mctx, &buf, r.length);
-	
+	   
 			check_result(result, "isc_buffer_allocate");
 			result =  isc_buffer_copyregion(buf, &r);
 			check_result(result, "isc_buffer_copyregion");
-	
+	   
 			result =  dns_message_parse(msg_temp, buf, 0);
-
+ 
 			isc_buffer_free(&buf);
 			chase_msg->msg = msg_temp;
 
@@ -2946,11 +3139,10 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			chase_msg2->msg = msg;
 		}
 #endif
-	
 	}
-
+       
 #ifdef DIG_SIGCHASE
-	if (l->sigchase && ISC_LIST_EMPTY(lookup_list)) {
+	if (l->sigchase && ISC_LIST_EMPTY(lookup_list)) {   
 		sigchase(msg_temp);
 	}
 #endif
@@ -3009,7 +3201,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	UNLOCK_LOOKUP;
 }
 
-/*
+/*%
  * Turn a name into an address, using system-supplied routines.  This is
  * used in looking up server names, etc... and needs to use system-supplied
  * routines, since they may be using a non-DNS system for these lookups.
@@ -3028,7 +3220,7 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
 	INSIST(count == 1);
 }
 
-/*
+/*%
  * Initiate either a TCP or UDP lookup
  */
 void
@@ -3044,7 +3236,7 @@ do_lookup(dig_lookup_t *lookup) {
 		send_udp(ISC_LIST_HEAD(lookup->q));
 }
 
-/*
+/*%
  * Start everything in action upon task startup.
  */
 void
@@ -3057,7 +3249,7 @@ onrun_callback(isc_task_t *task, isc_event_t *event) {
 	UNLOCK_LOOKUP;
 }
 
-/*
+/*%
  * Make everything on the lookup queue go away.  Mainly used by the
  * SIGINT handler.
  */
@@ -3101,16 +3293,19 @@ cancel_all(void) {
 	UNLOCK_LOOKUP;
 }
 
-/*
+/*%
  * Destroy all of the libs we are using, and get everything ready for a
  * clean shutdown.
  */
 void
 destroy_libs(void) {
-#ifdef DIG_SIGCHASE
+#ifdef DIG_SIGCHASE 
 	void * ptr;
 	dig_message_t *chase_msg;
 #endif
+#ifdef WITH_IDN
+	isc_result_t result;
+#endif
 
 	debug("destroy_libs()");
 	if (global_task != NULL) {
@@ -3142,6 +3337,13 @@ destroy_libs(void) {
 	flush_server_list();
 
 	clear_searchlist();
+
+#ifdef WITH_IDN
+        result = dns_name_settotextfilter(NULL);
+        check_result(result, "dns_name_settotextfilter");
+#endif
+	dns_name_destroy();
+
 	if (commctx != NULL) {
 		debug("freeing commctx");
 		isc_mempool_destroy(&commctx);
@@ -3218,8 +3420,104 @@ destroy_libs(void) {
 		isc_mem_destroy(&mctx);
 }
 
+#ifdef WITH_IDN
+static void
+initialize_idn(void) {
+	idn_result_t r;
+	isc_result_t result;
+
+#ifdef HAVE_SETLOCALE
+	/* Set locale */
+	(void)setlocale(LC_ALL, "");
+#endif
+	/* Create configuration context. */
+	r = idn_nameinit(1);
+	if (r != idn_success)
+		fatal("idn api initialization failed: %s",
+		      idn_result_tostring(r));
+
+	/* Set domain name -> text post-conversion filter. */
+	result = dns_name_settotextfilter(output_filter);
+	check_result(result, "dns_name_settotextfilter");
+}
+
+static isc_result_t
+output_filter(isc_buffer_t *buffer, unsigned int used_org,
+	      isc_boolean_t absolute)
+{
+	char tmp1[MAXDLEN], tmp2[MAXDLEN];
+	size_t fromlen, tolen;
+	isc_boolean_t end_with_dot;
+
+	/*
+	 * Copy contents of 'buffer' to 'tmp1', supply trailing dot
+	 * if 'absolute' is true, and terminate with NUL.
+	 */
+	fromlen = isc_buffer_usedlength(buffer) - used_org;
+	if (fromlen >= MAXDLEN)
+		return (ISC_R_SUCCESS);
+	memcpy(tmp1, (char *)isc_buffer_base(buffer) + used_org, fromlen);
+	end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE;
+	if (absolute && !end_with_dot) {
+		fromlen++;
+		if (fromlen >= MAXDLEN)
+			return (ISC_R_SUCCESS);
+		tmp1[fromlen - 1] = '.';
+	}
+	tmp1[fromlen] = '\0';
+
+	/*
+	 * Convert contents of 'tmp1' to local encoding.
+	 */
+	if (idn_decodename(IDN_DECODE_APP, tmp1, tmp2, MAXDLEN) != idn_success)
+		return (ISC_R_SUCCESS);
+	strcpy(tmp1, tmp2);
+
+	/*
+	 * Copy the converted contents in 'tmp1' back to 'buffer'.
+	 * If we have appended trailing dot, remove it.
+	 */
+	tolen = strlen(tmp1);
+	if (absolute && !end_with_dot && tmp1[tolen - 1] == '.')
+		tolen--;
+
+	if (isc_buffer_length(buffer) < used_org + tolen)
+		return (ISC_R_NOSPACE);
+
+	isc_buffer_subtract(buffer, isc_buffer_usedlength(buffer) - used_org);
+	memcpy(isc_buffer_used(buffer), tmp1, tolen);
+	isc_buffer_add(buffer, tolen);
+
+	return (ISC_R_SUCCESS);
+}
+
+static idn_result_t
+append_textname(char *name, const char *origin, size_t namesize) {
+	size_t namelen = strlen(name);
+	size_t originlen = strlen(origin);
+
+	/* Already absolute? */
+	if (namelen > 0 && name[namelen - 1] == '.')
+		return idn_success;
 
+	/* Append dot and origin */
 
+	if (namelen + 1 + originlen >= namesize)
+		return idn_buffer_overflow;
+
+	name[namelen++] = '.';
+	(void)strcpy(name + namelen, origin);
+	return idn_success;
+}
+ 
+static void
+idn_check_result(idn_result_t r, const char *msg) {
+	if (r != idn_success) {
+		exitcode = 1;
+		fatal("%s: %s", msg, idn_result_tostring(r));
+	}
+}
+#endif /* WITH_IDN */
 
 #ifdef DIG_SIGCHASE
 void
@@ -3247,12 +3545,12 @@ void
 dump_database_section(dns_message_t *msg, int section)
 {
 	dns_name_t *msg_name=NULL;
-
+ 
 	dns_rdataset_t *rdataset;
 
 	do {
 		dns_message_currentname(msg, section, &msg_name);
-
+    
 		for (rdataset = ISC_LIST_HEAD(msg_name->list); rdataset != NULL;
 		     rdataset = ISC_LIST_NEXT(rdataset, link)) {	
 			dns_name_print(msg_name, stdout);
@@ -3271,15 +3569,15 @@ dump_database(void) {
 	for (msg = ISC_LIST_HEAD(chase_message_list);  msg != NULL;
 	     msg = ISC_LIST_NEXT(msg, link)) {
 		if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
-		    == ISC_R_SUCCESS)
+		    == ISC_R_SUCCESS) 
 			dump_database_section(msg->msg, DNS_SECTION_ANSWER);
-
+       
 		if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY)
-		    == ISC_R_SUCCESS)
+		    == ISC_R_SUCCESS) 
 			dump_database_section(msg->msg, DNS_SECTION_AUTHORITY);
 	
 		if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL)
-		    == ISC_R_SUCCESS)
+		    == ISC_R_SUCCESS) 
 			dump_database_section(msg->msg, DNS_SECTION_ADDITIONAL);
 	}
 }
@@ -3347,7 +3645,7 @@ chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers)
 {
 	dns_rdataset_t *rdataset = NULL;
 	dig_message_t * msg;
-
+ 
 	for (msg = ISC_LIST_HEAD(chase_message_list2);  msg != NULL;
 	     msg = ISC_LIST_NEXT(msg, link)) {
 		if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
@@ -3440,7 +3738,7 @@ insert_trustedkey(dst_key_t * key)
 		return;
 
 	tk_list.key[tk_list.nb_tk++] = key;
-	return;
+	return;   
 }
 
 void
@@ -3463,7 +3761,7 @@ char alphnum[] =
 	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
 
 isc_result_t
-removetmpkey(isc_mem_t *mctx, const char *file)
+removetmpkey(isc_mem_t *mctx, const char *file) 
 {
 	char *tempnamekey = NULL;
 	int tempnamekeylen;
@@ -3476,7 +3774,7 @@ removetmpkey(isc_mem_t *mctx, const char *file)
 		return (ISC_R_NOMEMORY);
 
 	memset(tempnamekey, 0, tempnamekeylen);
-
+ 
 	strcat(tempnamekey, file);
 	strcat(tempnamekey,".key");
 	isc_file_remove(tempnamekey);
@@ -3516,14 +3814,14 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
 			isc_mem_free(mctx, tempname);
 			return (ISC_R_FAILURE);
 		}
-	
+	    
 		x = cp--;
 		while (cp >= tempname && *cp == 'X') {
 			isc_random_get(&which);
 			*cp = alphnum[which % (sizeof(alphnum) - 1)];
 			x = cp--;
 		}
-
+ 
 		tempnamekeylen = tempnamelen+5;
 		tempnamekey = isc_mem_allocate(mctx, tempnamekeylen);
 		if (tempnamekey == NULL)
@@ -3533,7 +3831,7 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
 		strncpy(tempnamekey, tempname, tempnamelen);
 		strcat(tempnamekey ,".key");
 
-	
+	   
 		if (isc_file_exists(tempnamekey)) {
 			isc_mem_free(mctx, tempnamekey);
 			isc_mem_free(mctx, tempname);
@@ -3568,7 +3866,7 @@ get_trusted_key(isc_mem_t *mctx)
 	char buf[1500];
 	FILE *fp, *fptemp;
 	dst_key_t *key = NULL;
-
+ 
 	result = isc_file_exists(trustedkey);
 	if (result !=  ISC_TRUE) {
 		result = isc_file_exists("/etc/trusted-key.key");
@@ -3646,11 +3944,11 @@ nameFromString(const char *str, dns_name_t *p_ret) {
 
 	result = dns_name_dup(dns_fixedname_name(&fixedname), mctx, p_ret);
 	check_result(result, "nameFromString");
-}
+} 
 
 
 #if DIG_SIGCHASE_TD
-isc_result_t
+isc_result_t 
 prepare_lookup(dns_name_t *name)
 {
 	isc_result_t result;
@@ -3668,7 +3966,7 @@ prepare_lookup(dns_name_t *name)
 	lookup->rdtype = lookup->rdtype_sigchase;
 	lookup->rdtypeset = ISC_TRUE;
 	lookup->qrdtype = lookup->qrdtype_sigchase;
-
+   
 	s = ISC_LIST_HEAD(lookup->my_server_list);
 	while (s != NULL) {
 		debug("freeing server %p belonging to %p",
@@ -3702,11 +4000,11 @@ prepare_lookup(dns_name_t *name)
 		dns_rdataset_current(chase_nsrdataset, &rdata);
 
 		(void)dns_rdata_tostruct(&rdata, &ns, NULL);
-
-
-
+      
+     
+      
 #ifdef __FOLLOW_GLUE__
-
+      
 		result = advanced_rrsearch(&rdataset, &ns.name,
 					   dns_rdatatype_aaaa,
 					   dns_rdatatype_any, &true);
@@ -3730,12 +4028,12 @@ prepare_lookup(dns_name_t *name)
 
 
 				srv = make_server(namestr, namestr);
-	
+	     
 				ISC_LIST_APPEND(lookup->my_server_list,
 						srv, link);
 			}
 		}
-
+      
 		rdataset = NULL;
 		result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a,
 					   dns_rdatatype_any, &true);
@@ -3757,28 +4055,28 @@ prepare_lookup(dns_name_t *name)
 				isc_buffer_free(&b);
 				dns_rdata_reset(&a);
 				printf("ns name: %s\n", namestr);
-
+      
 
 				srv = make_server(namestr, namestr);
-	
+	     
 				ISC_LIST_APPEND(lookup->my_server_list,
 						srv, link);
 			}
 		}
 #else
-
+       
 		dns_name_format(&ns.name, namestr, sizeof(namestr));
 		printf("ns name: ");
 		dns_name_print(&ns.name, stdout);
 		printf("\n");
 		srv = make_server(namestr, namestr);
-	
+	     
 		ISC_LIST_APPEND(lookup->my_server_list, srv, link);
 
-#endif
+#endif 
 		dns_rdata_freestruct(&ns);
 		dns_rdata_reset(&rdata);
-
+      
 	}
 
 	ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -3832,10 +4130,10 @@ grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t  *sigrdataset)
 
 	do {
 		dns_rdataset_current(sigrdataset, &sigrdata);
-
+    
 		result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
 		check_result(result, "sigrdata tostruct siginfo");
-
+ 
 		if (dns_name_compare(&siginfo.signer, zone_name) == 0) {
 			dns_rdata_freestruct(&siginfo);
 			dns_rdata_reset(&sigrdata);
@@ -3843,7 +4141,7 @@ grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t  *sigrdataset)
 		}
 
 		dns_rdata_freestruct(&siginfo);
-
+ 
 	} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
 
 	dns_rdata_reset(&sigrdata);
@@ -3873,7 +4171,7 @@ initialization(dns_name_t *name)
 
 	return (ISC_R_SUCCESS);
 }
-#endif
+#endif 
 
 void
 print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx)
@@ -3897,10 +4195,10 @@ print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx)
 }
 
 
-void
+void 
 dup_name(dns_name_t *source, dns_name_t *target, isc_mem_t *mctx) {
-	isc_result_t result;
-
+	isc_result_t result; 
+ 
 	if (dns_name_dynamic(target))
 		free_name(target, mctx);
 	result = dns_name_dup(source, mctx, target);
@@ -3944,12 +4242,12 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
 	do {
 		dns_rdataset_current(rdataset, &rdata);
 		INSIST(rdata.type == dns_rdatatype_dnskey);
-  	
+  	  
 		result = dns_dnssec_keyfromrdata(name, &rdata,
 						 mctx, &dnsseckey);
 		check_result(result, "dns_dnssec_keyfromrdata");
 
-
+    
 		for (i = 0; i < tk_list.nb_tk; i++) {
 			if (dst_key_compare(tk_list.key[i], dnsseckey)
 			    == ISC_TRUE) {
@@ -3969,7 +4267,7 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
 				}
 			}
 		}
-
+ 
 		dns_rdata_reset(&rdata);
 		if (dnsseckey != NULL)
 			dst_key_free(&dnsseckey);
@@ -3999,7 +4297,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
 	do {
 		dns_rdataset_current(keyrdataset, &keyrdata);
 		INSIST(keyrdata.type == dns_rdatatype_dnskey);
-  	
+  	  
 		result = dns_dnssec_keyfromrdata(name, &keyrdata,
 						 mctx, &dnsseckey);
 		check_result(result, "dns_dnssec_keyfromrdata");
@@ -4031,22 +4329,22 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
 	result = dns_rdataset_first(sigrdataset);
 	check_result(result, "empty RRSIG dataset");
 	dns_rdata_init(&sigrdata);
-
+    
 	do {
 		dns_rdataset_current(sigrdataset, &sigrdata);
 
 		result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
 		check_result(result, "sigrdata tostruct siginfo");
-
+ 
 		/*
 		 * Test if the id of the DNSKEY is
 		 * the id of the DNSKEY signer's
 		 */
 		if (siginfo.keyid == dst_key_id(dnsseckey)) {
-
+    
 			result = dns_rdataset_first(rdataset);
 			check_result(result, "empty DS dataset");
-
+    
 			result = dns_dnssec_verify(name, rdataset, dnsseckey,
 						   ISC_FALSE, mctx, &sigrdata);
 
@@ -4063,7 +4361,7 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
 			}
 		}
 		dns_rdata_freestruct(&siginfo);
-
+ 
 	} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
 
 	dns_rdata_reset(&sigrdata);
@@ -4089,18 +4387,18 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
 	dns_rdata_init(&dsrdata);
 	do {
 		dns_rdataset_current(dsrdataset, &dsrdata);
-
+    
 		result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
 		check_result(result, "dns_rdata_tostruct  for DS");
-
+    
 		result = dns_rdataset_first(keyrdataset);
 		check_result(result, "empty KEY dataset");
-		dns_rdata_init(&keyrdata);	
+		dns_rdata_init(&keyrdata);	  
 
 		do {
 			dns_rdataset_current(keyrdataset, &keyrdata);
 			INSIST(keyrdata.type == dns_rdatatype_dnskey);
-  	
+  	  
 			result = dns_dnssec_keyfromrdata(name, &keyrdata,
 							 mctx, &dnsseckey);
 			check_result(result, "dns_dnssec_keyfromrdata");
@@ -4115,14 +4413,14 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
 				result = dns_ds_buildrdata(name, &keyrdata,
 							   dsinfo.digest_type,
 							   dsbuf, &newdsrdata);
-				dns_rdata_freestruct(&dsinfo);
+				dns_rdata_freestruct(&dsinfo);  
 
 				if (result != ISC_R_SUCCESS) {
 					dns_rdata_reset(&keyrdata);
 					dns_rdata_reset(&newdsrdata);
 					dns_rdata_reset(&dsrdata);
 					dst_key_free(&dnsseckey);
-					dns_rdata_freestruct(&dsinfo);
+					dns_rdata_freestruct(&dsinfo);  
 					printf("Oops: impossible to build"
 					       " new DS rdata\n");
 					return (result);
@@ -4136,7 +4434,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
 					printf(";; Now verify that this"
 					       " DNSKEY validates the "
 					       "DNSKEY RRset\n");
-	
+	       
 					result = sigchase_verify_sig_key(name,
 							 keyrdataset,
 							 dnsseckey,
@@ -4147,7 +4445,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
 						dns_rdata_reset(&newdsrdata);
 						dns_rdata_reset(&dsrdata);
 						dst_key_free(&dnsseckey);
-		
+		 
 						return (result);
 					}
 				} else {
@@ -4161,12 +4459,12 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
 			dnsseckey = NULL;
 		} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
 		dns_rdata_reset(&keyrdata);
-
+ 
 	} while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS);
 #if 0
 	dns_rdata_reset(&dsrdata); WARNING
 #endif
-
+ 
 	return (ISC_R_NOTFOUND);
 }
 
@@ -4179,13 +4477,13 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
  * ISC_R_SUCCESS: if we found the rrset
  * ISC_R_NOTFOUND: we do not found the rrset in cache
  * and we do a query on the net
- * ISC_R_FAILURE: rrset not found
+ * ISC_R_FAILURE: rrset not found 
  */
 isc_result_t
 advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t *name,
 		  dns_rdatatype_t type, dns_rdatatype_t covers,
 		  isc_boolean_t *lookedup)
-{
+{ 
 	isc_boolean_t  tmplookedup;
 
 	INSIST(rdataset != NULL);
@@ -4260,7 +4558,7 @@ sigchase_td(dns_message_t *msg)
 		}
 	}
 
-
+   
 	if (have_answer) {
 		chase_rdataset
 			= chase_scanname_section(msg, &chase_name,
@@ -4320,7 +4618,7 @@ sigchase_td(dns_message_t *msg)
 						    chase_dsrdataset,
 						    mctx);
 		}
-
+      
 		if (result != ISC_R_SUCCESS) {
 			printf("\n;; chain of trust can't be validated:"
 			       " FAILED\n\n");
@@ -4372,7 +4670,7 @@ sigchase_td(dns_message_t *msg)
 			chase_sigrdataset = NULL;
 			have_response = ISC_FALSE;
 			have_delegation_ns = ISC_FALSE;
-	
+	  
 			dns_name_init(&tmp_name, NULL);
 			result = child_of_zone(&chase_name, &chase_current_name,
 					       &tmp_name);
@@ -4451,8 +4749,8 @@ sigchase_td(dns_message_t *msg)
 		}
 		chase_keyrdataset = NULL;
 		chase_sigkeyrdataset = NULL;
-
-
+    
+ 
 		prepare_lookup(&chase_authority_name);
 	
 		have_response = ISC_FALSE;
@@ -4548,7 +4846,7 @@ sigchase_td(dns_message_t *msg)
 	}
 }
 
-#endif
+#endif 
 
 
 #if DIG_SIGCHASE_BU
@@ -4565,7 +4863,7 @@ getneededrr(dns_message_t *msg)
 	if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
 	    != ISC_R_SUCCESS) {
 		printf(";; NO ANSWERS: %s\n", isc_result_totext(result));
-
+    
 		if (chase_name.ndata == NULL)
 			return (ISC_R_ADDRNOTAVAIL);
 	} else {
@@ -4608,7 +4906,7 @@ getneededrr(dns_message_t *msg)
 	}
 	INSIST(chase_sigrdataset != NULL);
 
-
+ 
 	/* first find the DNSKEY name */
 	result = dns_rdataset_first(chase_sigrdataset);
 	check_result(result, "empty RRSIG dataset");
@@ -4619,7 +4917,7 @@ getneededrr(dns_message_t *msg)
 	dup_name(&siginfo.signer, &chase_signame, mctx);
 	dns_rdata_freestruct(&siginfo);
 	dns_rdata_reset(&sigrdata);
-
+ 
 	/* Do we have a key?  */
 	if (chase_keyrdataset == NULL) {
 		result = advanced_rrsearch(&chase_keyrdataset,
@@ -4688,7 +4986,7 @@ getneededrr(dns_message_t *msg)
 			print_rdataset(&chase_signame, chase_dsrdataset, mctx);
 		}
 	}
-
+ 
 	if (chase_dsrdataset != NULL) {
 		/*
 		 * if there is no RRSIG of DS,
@@ -4747,7 +5045,7 @@ sigchase_bu(dns_message_t *msg)
 		dns_name_init(&query_name, NULL);
 		dns_name_init(&rdata_name, NULL);
 		nameFromString(current_lookup->textname, &query_name);
-
+   
 		result = prove_nx(msg, &query_name, current_lookup->rdclass,
 				  current_lookup->rdtype, &rdata_name,
 				  &rdataset, &sigrdataset);
@@ -4850,7 +5148,7 @@ sigchase_bu(dns_message_t *msg)
 	chase_sigdsrdataset = NULL;
 	chase_siglookedup = chase_keylookedup = ISC_FALSE;
 	chase_dslookedup = chase_sigdslookedup = ISC_FALSE;
-
+ 
 	printf(";; Now, we want to validate the DS :  recursive call\n");
 	sigchase(msg);
 	return;
@@ -4943,7 +5241,7 @@ prove_nx_domain(dns_message_t *msg,
 		       " validate the non-existence : FAILED\n");
 		return (ISC_R_FAILURE);
 	}
-
+ 
 	do {
 		nsecname = NULL;
 		dns_message_currentname(msg, DNS_SECTION_AUTHORITY, &nsecname);
@@ -5089,5 +5387,6 @@ prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class,
 				      rdataset, sigrdataset);
 		return (ret);
 	}
+	/* Never get here */ 
 }
 #endif
diff --git a/contrib/bind9/bin/dig/host.1 b/contrib/bind9/bin/dig/host.1
index 3a0432c..3149fc6 100644
--- a/contrib/bind9/bin/dig/host.1
+++ b/contrib/bind9/bin/dig/host.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: host.1,v 1.11.2.1.4.8 2006/06/29 13:02:30 marka Exp $
+.\" $Id: host.1,v 1.14.18.13 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: host
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -33,7 +33,7 @@
 host \- DNS lookup utility
 .SH "SYNOPSIS"
 .HP 5
-\fBhost\fR [\fB\-aCdlnrTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-4\fR] [\fB\-6\fR] {name} [server]
+\fBhost\fR [\fB\-aCdlnrsTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-4\fR] [\fB\-6\fR] {name} [server]
 .SH "DESCRIPTION"
 .PP
 \fBhost\fR
@@ -179,6 +179,32 @@ is less than one, the wait interval is set to one second. When the
 option is used,
 \fBhost\fR
 will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity.
+.PP
+The
+\fB\-s\fR
+option tells
+\fBhost\fR
+\fInot\fR
+to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behaviour.
+.PP
+The
+\fB\-m\fR
+can be used to set the memory usage debugging flags
+\fIrecord\fR,
+\fIusage\fR
+and
+\fItrace\fR.
+.SH "IDN SUPPORT"
+.PP
+If
+\fBhost\fR
+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
+\fBhost\fR
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
+\fBIDN_DISABLE\fR
+environment variable. The IDN support is disabled if the variable is set when
+\fBhost\fR
+runs.
 .SH "FILES"
 .PP
 \fI/etc/resolv.conf\fR
@@ -187,4 +213,7 @@ will effectively wait forever for a reply. The time to wait for a response will
 \fBdig\fR(1),
 \fBnamed\fR(8).
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2002 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/bin/dig/host.c b/contrib/bind9/bin/dig/host.c
index 7d8ce9b..f73145c 100644
--- a/contrib/bind9/bin/dig/host.c
+++ b/contrib/bind9/bin/dig/host.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: host.c,v 1.76.2.5.2.16 2006/05/23 04:43:47 marka Exp $ */
+/* $Id: host.c,v 1.94.18.14 2006/05/23 04:40:42 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 #include <limits.h>
@@ -114,8 +116,8 @@ static void
 show_usage(void) {
 	fputs(
 "Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]\n"
-"            [-R number] hostname [server]\n"
-"       -a is equivalent to -v -t *\n"
+"            [-R number] [-m flag] hostname [server]\n"
+"       -a is equivalent to -v -t ANY\n"
 "       -c specifies query class for non-IN data\n"
 "       -C compares SOA records on authoritative nameservers\n"
 "       -d is equivalent to -v\n"
@@ -124,13 +126,15 @@ show_usage(void) {
 "       -N changes the number of dots allowed before root lookup is done\n"
 "       -r disables recursive processing\n"
 "       -R specifies number of retries for UDP packets\n"
+"       -s a SERVFAIL response should stop query\n"
 "       -t specifies the query type\n"
 "       -T enables TCP/IP mode\n"
 "       -v enables verbose output\n"
 "       -w specifies to wait forever for a reply\n"
 "       -W specifies how long to wait for a reply\n"
 "       -4 use IPv4 query transport only\n"
-"       -6 use IPv6 query transport only\n", stderr);
+"       -6 use IPv6 query transport only\n"
+"       -m set memory debugging flag (trace|record|usage)\n", stderr);
 	exit(1);
 }
 
@@ -556,6 +560,52 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	return (result);
 }
 
+static const char * optstring = "46ac:dilnm:rst:vwCDN:R:TW:";
+
+static void
+pre_parse_args(int argc, char **argv) {
+	int c;
+
+	while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
+		switch (c) {
+		case 'm':
+			if (strcasecmp("trace", isc_commandline_argument) == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+			else if (!strcasecmp("record",
+					     isc_commandline_argument) == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+			else if (strcasecmp("usage",
+					    isc_commandline_argument) == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+			break;
+
+		case '4': break;
+		case '6': break;
+		case 'a': break;
+		case 'c': break;
+		case 'd': break;
+		case 'i': break;
+		case 'l': break;
+		case 'n': break;
+		case 'r': break;
+		case 's': break;
+		case 't': break;
+		case 'v': break;
+		case 'w': break;
+		case 'C': break;
+		case 'D': break;
+		case 'N': break;
+		case 'R': break;
+		case 'T': break;
+		case 'W': break;
+		default:
+			show_usage();
+		}
+	}
+	isc_commandline_reset = ISC_TRUE;
+	isc_commandline_index = 1;
+}
+
 static void
 parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 	char hostname[MXNAME];
@@ -572,8 +622,10 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 
 	lookup = make_empty_lookup();
 
-	while ((c = isc_commandline_parse(argc, argv, "lvwrdt:c:aTCN:R:W:Dni46"))
-	       != EOF) {
+	lookup->servfail_stops = ISC_FALSE;
+	lookup->comments = ISC_FALSE;
+
+	while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
 		switch (c) {
 		case 'l':
 			lookup->tcp_mode = ISC_TRUE;
@@ -657,6 +709,9 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 		case 'n':
 			/* deprecated */
 			break;
+		case 'm':
+			/* Handled by pre_parse_args(). */
+			break;
 		case 'w':
 			/*
 			 * The timer routines are coded such that
@@ -710,6 +765,9 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 			} else
 				fatal("can't find IPv6 networking");
 			break;
+		case 's':
+			lookup->servfail_stops = ISC_TRUE;
+			break;
 		}
 	}
 
@@ -724,7 +782,8 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 		set_nameserver(argv[isc_commandline_index+1]);
 		debug("server is %s", argv[isc_commandline_index+1]);
 		listed_server = ISC_TRUE;
-	}
+	} else
+		check_ra = ISC_TRUE;
 
 	lookup->pending = ISC_FALSE;
 	if (get_reverse(store, sizeof(store), hostname,
@@ -758,6 +817,7 @@ main(int argc, char **argv) {
 
 	debug("main()");
 	progname = argv[0];
+	pre_parse_args(argc, argv);
 	result = isc_app_start();
 	check_result(result, "isc_app_start");
 	setup_libs();
@@ -771,4 +831,3 @@ main(int argc, char **argv) {
 	isc_app_finish();
 	return ((seen_error == 0) ? 0 : 1);
 }
-
diff --git a/contrib/bind9/bin/dig/host.docbook b/contrib/bind9/bin/dig/host.docbook
index 2b6e92b..09a306c 100644
--- a/contrib/bind9/bin/dig/host.docbook
+++ b/contrib/bind9/bin/dig/host.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,29 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: host.docbook,v 1.2.2.2.4.7 2005/05/13 01:22:32 marka Exp $ -->
+<!-- $Id: host.docbook,v 1.5.18.9 2007/01/29 23:57:20 marka Exp $ -->
+<refentry id="man.host">
 
-<refentry>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refmeta>
+    <refentrytitle>host</refentrytitle>
+    <manvolnum>1</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
-<refmeta>
-<refentrytitle>host</refentrytitle>
-<manvolnum>1</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refnamediv>
+    <refname>host</refname>
+    <refpurpose>DNS lookup utility</refpurpose>
+  </refnamediv>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -46,183 +51,227 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>host</refname>
-<refpurpose>DNS lookup utility</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-<cmdsynopsis>
-  <command>host</command>
-  <arg><option>-aCdlnrTwv</option></arg>
-  <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-  <arg><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
-  <arg><option>-R <replaceable class="parameter">number</replaceable></option></arg>
-  <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
-  <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
-  <arg><option>-4</option></arg>
-  <arg><option>-6</option></arg>
-  <arg choice="req">name</arg>
-  <arg choice="opt">server</arg>
-</cmdsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<command>host</command>
-is a simple utility for performing DNS lookups.
-It is normally used to convert names to IP addresses and vice versa.
-When no arguments or options are given,
-<command>host</command>
-prints a short summary of its command line arguments and options.
-</para>
-
-<para>
-<parameter>name</parameter> is the domain name that is to be looked
-up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
-IPv6 address, in which case <command>host</command> will by default
-perform a reverse lookup for that address.
-<parameter>server</parameter> is an optional argument which is either
-the name or IP address of the name server that <command>host</command>
-should query instead of the server or servers listed in
-<filename>/etc/resolv.conf</filename>.
-</para>
-
-<para>
-The <option>-a</option> (all) option is equivalent to setting the
-<option>-v</option> option and asking <command>host</command> to make
-a query of type ANY.
-</para>
-
-<para>
-When the <option>-C</option> option is used, <command>host</command>
-will attempt to display the SOA records for zone
-<parameter>name</parameter> from all the listed authoritative name
-servers for that zone.  The list of name servers is defined by the NS
-records that are found for the zone.
-</para>
-
-<para>
-The <option>-c</option> option instructs to make a DNS query of class
-<parameter>class</parameter>.  This can be used to lookup Hesiod or
-Chaosnet class resource records.  The default class is IN (Internet).
-</para>
-
-<para>
-Verbose output is generated by <command>host</command> when the
-<option>-d</option> or <option>-v</option> option is used.  The two
-options are equivalent.  They have been provided for backwards
-compatibility.  In previous versions, the <option>-d</option> option
-switched on debugging traces and <option>-v</option> enabled verbose
-output.
-</para>
-
-<para>
-List mode is selected by the <option>-l</option> option.  This makes
-<command>host</command> perform a zone transfer for zone
-<parameter>name</parameter>.  Transfer the zone printing out the NS, PTR
-and address records (A/AAAA).  If combined with <option>-a</option>
-all records will be printed.  
-</para>
-
-<para>
-The <option>-i</option>
-option specifies that reverse lookups of IPv6 addresses should
-use the IP6.INT domain as defined in RFC1886.
-The default is to use IP6.ARPA.
-</para>
-
-<para>
-The <option>-N</option> option sets the number of dots that have to be
-in <parameter>name</parameter> for it to be considered absolute.  The
-default value is that defined using the ndots statement in
-<filename>/etc/resolv.conf</filename>, or 1 if no ndots statement is
-present.  Names with fewer dots are interpreted as relative names and
-will be searched for in the domains listed in the <type>search</type>
-or <type>domain</type> directive in
-<filename>/etc/resolv.conf</filename>.
-</para>
-
-<para>
-The number of UDP retries for a lookup can be changed with the
-<option>-R</option> option.  <parameter>number</parameter> indicates
-how many times <command>host</command> will repeat a query that does
-not get answered.  The default number of retries is 1.  If
-<parameter>number</parameter> is negative or zero, the number of
-retries will default to 1.
-</para>
-
-<para>
-Non-recursive queries can be made via the <option>-r</option> option.
-Setting this option clears the <type>RD</type> &mdash; recursion
-desired &mdash; bit in the query which <command>host</command> makes.
-This should mean that the name server receiving the query will not
-attempt to resolve <parameter>name</parameter>.  The
-<option>-r</option> option enables <command>host</command> to mimic
-the behaviour of a name server by making non-recursive queries and
-expecting to receive answers to those queries that are usually
-referrals to other name servers.
-</para>
-
-<para>
-By default <command>host</command> uses UDP when making queries.  The
-<option>-T</option> option makes it use a TCP connection when querying
-the name server.  TCP will be automatically selected for queries that
-require it, such as zone transfer (AXFR) requests.
-</para>
-
-<para>
-The <option>-4</option> option forces <command>host</command> to only
-use IPv4 query transport.  The <option>-6</option> option forces
-<command>host</command> to only use IPv6 query transport.
-</para>
-
-<para>
-The <option>-t</option> option is used to select the query type.
-<parameter>type</parameter> can be any recognised query type: CNAME,
-NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
-<command>host</command> automatically selects an appropriate query
-type.  By default it looks for A records, but if the
-<option>-C</option> option was given, queries will be made for SOA
-records, and if <parameter>name</parameter> is a dotted-decimal IPv4
-address or colon-delimited IPv6 address, <command>host</command> will
-query for PTR records.  If a query type of IXFR is chosen the starting
-serial number can be specified by appending an equal followed by the
-starting serial number (e.g. -t IXFR=12345678).
-</para>
-
-<para>
-The time to wait for a reply can be controlled through the
-<option>-W</option> and <option>-w</option> options.  The
-<option>-W</option> option makes <command>host</command> wait for
-<parameter>wait</parameter> seconds.  If <parameter>wait</parameter>
-is less than one, the wait interval is set to one second.  When the
-<option>-w</option> option is used, <command>host</command> will
-effectively wait forever for a reply.  The time to wait for a response
-will be set to the number of seconds given by the hardware's maximum
-value for an integer quantity.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/resolv.conf</filename>
-</para>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
-
-</refsect1>
-</refentry>
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>host</command>
+      <arg><option>-aCdlnrsTwv</option></arg>
+      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
+      <arg><option>-R <replaceable class="parameter">number</replaceable></option></arg>
+      <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+      <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
+      <arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
+      <arg><option>-4</option></arg>
+      <arg><option>-6</option></arg>
+      <arg choice="req">name</arg>
+      <arg choice="opt">server</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+
+    <para><command>host</command>
+      is a simple utility for performing DNS lookups.
+      It is normally used to convert names to IP addresses and vice versa.
+      When no arguments or options are given,
+      <command>host</command>
+      prints a short summary of its command line arguments and options.
+    </para>
+
+    <para><parameter>name</parameter> is the domain name that is to be
+      looked
+      up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
+      IPv6 address, in which case <command>host</command> will by
+      default
+      perform a reverse lookup for that address.
+      <parameter>server</parameter> is an optional argument which
+      is either
+      the name or IP address of the name server that <command>host</command>
+      should query instead of the server or servers listed in
+      <filename>/etc/resolv.conf</filename>.
+    </para>
+
+    <para>
+      The <option>-a</option> (all) option is equivalent to setting the
+      <option>-v</option> option and asking <command>host</command> to make
+      a query of type ANY.
+    </para>
+
+    <para>
+      When the <option>-C</option> option is used, <command>host</command>
+      will attempt to display the SOA records for zone
+      <parameter>name</parameter> from all the listed
+      authoritative name
+      servers for that zone.  The list of name servers is defined by the NS
+      records that are found for the zone.
+    </para>
+
+    <para>
+      The <option>-c</option> option instructs to make a DNS query of class
+      <parameter>class</parameter>.  This can be used to lookup
+      Hesiod or
+      Chaosnet class resource records.  The default class is IN (Internet).
+    </para>
+
+    <para>
+      Verbose output is generated by <command>host</command> when
+      the
+      <option>-d</option> or <option>-v</option> option is used.  The two
+      options are equivalent.  They have been provided for backwards
+      compatibility.  In previous versions, the <option>-d</option> option
+      switched on debugging traces and <option>-v</option> enabled verbose
+      output.
+    </para>
+
+    <para>
+      List mode is selected by the <option>-l</option> option.  This makes
+      <command>host</command> perform a zone transfer for zone
+      <parameter>name</parameter>.  Transfer the zone printing out
+      the NS, PTR
+      and address records (A/AAAA).  If combined with <option>-a</option>
+      all records will be printed.
+    </para>
+
+    <para>
+      The <option>-i</option>
+      option specifies that reverse lookups of IPv6 addresses should
+      use the IP6.INT domain as defined in RFC1886.
+      The default is to use IP6.ARPA.
+    </para>
+
+    <para>
+      The <option>-N</option> option sets the number of dots that have to be
+      in <parameter>name</parameter> for it to be considered
+      absolute.  The
+      default value is that defined using the ndots statement in
+      <filename>/etc/resolv.conf</filename>, or 1 if no ndots
+      statement is
+      present.  Names with fewer dots are interpreted as relative names and
+      will be searched for in the domains listed in the <type>search</type>
+      or <type>domain</type> directive in
+      <filename>/etc/resolv.conf</filename>.
+    </para>
+
+    <para>
+      The number of UDP retries for a lookup can be changed with the
+      <option>-R</option> option.  <parameter>number</parameter>
+      indicates
+      how many times <command>host</command> will repeat a query
+      that does
+      not get answered.  The default number of retries is 1.  If
+      <parameter>number</parameter> is negative or zero, the
+      number of
+      retries will default to 1.
+    </para>
+
+    <para>
+      Non-recursive queries can be made via the <option>-r</option> option.
+      Setting this option clears the <type>RD</type> &mdash; recursion
+      desired &mdash; bit in the query which <command>host</command> makes.
+      This should mean that the name server receiving the query will not
+      attempt to resolve <parameter>name</parameter>.  The
+      <option>-r</option> option enables <command>host</command>
+      to mimic
+      the behaviour of a name server by making non-recursive queries and
+      expecting to receive answers to those queries that are usually
+      referrals to other name servers.
+    </para>
+
+    <para>
+      By default <command>host</command> uses UDP when making
+      queries.  The
+      <option>-T</option> option makes it use a TCP connection when querying
+      the name server.  TCP will be automatically selected for queries that
+      require it, such as zone transfer (AXFR) requests.
+    </para>
+
+    <para>
+      The <option>-4</option> option forces <command>host</command> to only
+      use IPv4 query transport.  The <option>-6</option> option forces
+      <command>host</command> to only use IPv6 query transport.
+    </para>
+
+    <para>
+      The <option>-t</option> option is used to select the query type.
+      <parameter>type</parameter> can be any recognised query
+      type: CNAME,
+      NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
+      <command>host</command> automatically selects an appropriate
+      query
+      type.  By default it looks for A records, but if the
+      <option>-C</option> option was given, queries will be made for SOA
+      records, and if <parameter>name</parameter> is a
+      dotted-decimal IPv4
+      address or colon-delimited IPv6 address, <command>host</command> will
+      query for PTR records.  If a query type of IXFR is chosen the starting
+      serial number can be specified by appending an equal followed by the
+      starting serial number (e.g. -t IXFR=12345678).
+    </para>
+
+    <para>
+      The time to wait for a reply can be controlled through the
+      <option>-W</option> and <option>-w</option> options.  The
+      <option>-W</option> option makes <command>host</command>
+      wait for
+      <parameter>wait</parameter> seconds.  If <parameter>wait</parameter>
+      is less than one, the wait interval is set to one second.  When the
+      <option>-w</option> option is used, <command>host</command>
+      will
+      effectively wait forever for a reply.  The time to wait for a response
+      will be set to the number of seconds given by the hardware's maximum
+      value for an integer quantity.
+    </para>
+
+    <para>
+      The <option>-s</option> option tells <command>host</command> 
+      <emphasis>not</emphasis> to send the query to the next nameserver
+      if any server responds with a SERVFAIL response, which is the
+      reverse of normal stub resolver behaviour.
+    </para>
+
+    <para>
+      The <option>-m</option> can be used to set the memory usage debugging
+      flags
+      <parameter>record</parameter>, <parameter>usage</parameter> and
+      <parameter>trace</parameter>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>IDN SUPPORT</title>
+    <para>
+      If <command>host</command> has been built with IDN (internationalized
+      domain name) support, it can accept and display non-ASCII domain names. 
+      <command>host</command> appropriately converts character encoding of
+      domain name before sending a request to DNS server or displaying a
+      reply from the server.
+      If you'd like to turn off the IDN support for some reason, defines
+      the <envar>IDN_DISABLE</envar> environment variable.
+      The IDN support is disabled if the variable is set when
+      <command>host</command> runs.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+    <para><filename>/etc/resolv.conf</filename>
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
+    </para>
+
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/dig/host.html b/contrib/bind9/bin/dig/host.html
index 4c16215..b370769 100644
--- a/contrib/bind9/bin/dig/host.html
+++ b/contrib/bind9/bin/dig/host.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,158 +14,199 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: host.html,v 1.4.2.1.4.14 2006/06/29 13:02:30 marka Exp $ -->
+<!-- $Id: host.html,v 1.7.18.19 2007/01/30 00:23:44 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>host</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="man.host"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>host &#8212; DNS lookup utility</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
+<div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549466"></a><h2>DESCRIPTION</h2>
-<p>
-<span><strong class="command">host</strong></span>
-is a simple utility for performing DNS lookups.
-It is normally used to convert names to IP addresses and vice versa.
-When no arguments or options are given,
-<span><strong class="command">host</strong></span>
-prints a short summary of its command line arguments and options.
-</p>
-<p>
-<em class="parameter"><code>name</code></em> is the domain name that is to be looked
-up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
-IPv6 address, in which case <span><strong class="command">host</strong></span> will by default
-perform a reverse lookup for that address.
-<em class="parameter"><code>server</code></em> is an optional argument which is either
-the name or IP address of the name server that <span><strong class="command">host</strong></span>
-should query instead of the server or servers listed in
-<code class="filename">/etc/resolv.conf</code>.
-</p>
-<p>
-The <code class="option">-a</code> (all) option is equivalent to setting the
-<code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make
-a query of type ANY.
-</p>
-<p>
-When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span>
-will attempt to display the SOA records for zone
-<em class="parameter"><code>name</code></em> from all the listed authoritative name
-servers for that zone.  The list of name servers is defined by the NS
-records that are found for the zone.
-</p>
-<p>
-The <code class="option">-c</code> option instructs to make a DNS query of class
-<em class="parameter"><code>class</code></em>.  This can be used to lookup Hesiod or
-Chaosnet class resource records.  The default class is IN (Internet).
-</p>
-<p>
-Verbose output is generated by <span><strong class="command">host</strong></span> when the
-<code class="option">-d</code> or <code class="option">-v</code> option is used.  The two
-options are equivalent.  They have been provided for backwards
-compatibility.  In previous versions, the <code class="option">-d</code> option
-switched on debugging traces and <code class="option">-v</code> enabled verbose
-output.
-</p>
-<p>
-List mode is selected by the <code class="option">-l</code> option.  This makes
-<span><strong class="command">host</strong></span> perform a zone transfer for zone
-<em class="parameter"><code>name</code></em>.  Transfer the zone printing out the NS, PTR
-and address records (A/AAAA).  If combined with <code class="option">-a</code>
-all records will be printed.  
-</p>
-<p>
-The <code class="option">-i</code>
-option specifies that reverse lookups of IPv6 addresses should
-use the IP6.INT domain as defined in RFC1886.
-The default is to use IP6.ARPA.
-</p>
-<p>
-The <code class="option">-N</code> option sets the number of dots that have to be
-in <em class="parameter"><code>name</code></em> for it to be considered absolute.  The
-default value is that defined using the ndots statement in
-<code class="filename">/etc/resolv.conf</code>, or 1 if no ndots statement is
-present.  Names with fewer dots are interpreted as relative names and
-will be searched for in the domains listed in the <span class="type">search</span>
-or <span class="type">domain</span> directive in
-<code class="filename">/etc/resolv.conf</code>.
-</p>
-<p>
-The number of UDP retries for a lookup can be changed with the
-<code class="option">-R</code> option.  <em class="parameter"><code>number</code></em> indicates
-how many times <span><strong class="command">host</strong></span> will repeat a query that does
-not get answered.  The default number of retries is 1.  If
-<em class="parameter"><code>number</code></em> is negative or zero, the number of
-retries will default to 1.
-</p>
-<p>
-Non-recursive queries can be made via the <code class="option">-r</code> option.
-Setting this option clears the <span class="type">RD</span> &#8212; recursion
-desired &#8212; bit in the query which <span><strong class="command">host</strong></span> makes.
-This should mean that the name server receiving the query will not
-attempt to resolve <em class="parameter"><code>name</code></em>.  The
-<code class="option">-r</code> option enables <span><strong class="command">host</strong></span> to mimic
-the behaviour of a name server by making non-recursive queries and
-expecting to receive answers to those queries that are usually
-referrals to other name servers.
-</p>
-<p>
-By default <span><strong class="command">host</strong></span> uses UDP when making queries.  The
-<code class="option">-T</code> option makes it use a TCP connection when querying
-the name server.  TCP will be automatically selected for queries that
-require it, such as zone transfer (AXFR) requests.
-</p>
-<p>
-The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only
-use IPv4 query transport.  The <code class="option">-6</code> option forces
-<span><strong class="command">host</strong></span> to only use IPv6 query transport.
-</p>
-<p>
-The <code class="option">-t</code> option is used to select the query type.
-<em class="parameter"><code>type</code></em> can be any recognised query type: CNAME,
-NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
-<span><strong class="command">host</strong></span> automatically selects an appropriate query
-type.  By default it looks for A records, but if the
-<code class="option">-C</code> option was given, queries will be made for SOA
-records, and if <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4
-address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will
-query for PTR records.  If a query type of IXFR is chosen the starting
-serial number can be specified by appending an equal followed by the
-starting serial number (e.g. -t IXFR=12345678).
-</p>
-<p>
-The time to wait for a reply can be controlled through the
-<code class="option">-W</code> and <code class="option">-w</code> options.  The
-<code class="option">-W</code> option makes <span><strong class="command">host</strong></span> wait for
-<em class="parameter"><code>wait</code></em> seconds.  If <em class="parameter"><code>wait</code></em>
-is less than one, the wait interval is set to one second.  When the
-<code class="option">-w</code> option is used, <span><strong class="command">host</strong></span> will
-effectively wait forever for a reply.  The time to wait for a response
-will be set to the number of seconds given by the hardware's maximum
-value for an integer quantity.
-</p>
+<a name="id2543428"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">host</strong></span>
+      is a simple utility for performing DNS lookups.
+      It is normally used to convert names to IP addresses and vice versa.
+      When no arguments or options are given,
+      <span><strong class="command">host</strong></span>
+      prints a short summary of its command line arguments and options.
+    </p>
+<p><em class="parameter"><code>name</code></em> is the domain name that is to be
+      looked
+      up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
+      IPv6 address, in which case <span><strong class="command">host</strong></span> will by
+      default
+      perform a reverse lookup for that address.
+      <em class="parameter"><code>server</code></em> is an optional argument which
+      is either
+      the name or IP address of the name server that <span><strong class="command">host</strong></span>
+      should query instead of the server or servers listed in
+      <code class="filename">/etc/resolv.conf</code>.
+    </p>
+<p>
+      The <code class="option">-a</code> (all) option is equivalent to setting the
+      <code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make
+      a query of type ANY.
+    </p>
+<p>
+      When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span>
+      will attempt to display the SOA records for zone
+      <em class="parameter"><code>name</code></em> from all the listed
+      authoritative name
+      servers for that zone.  The list of name servers is defined by the NS
+      records that are found for the zone.
+    </p>
+<p>
+      The <code class="option">-c</code> option instructs to make a DNS query of class
+      <em class="parameter"><code>class</code></em>.  This can be used to lookup
+      Hesiod or
+      Chaosnet class resource records.  The default class is IN (Internet).
+    </p>
+<p>
+      Verbose output is generated by <span><strong class="command">host</strong></span> when
+      the
+      <code class="option">-d</code> or <code class="option">-v</code> option is used.  The two
+      options are equivalent.  They have been provided for backwards
+      compatibility.  In previous versions, the <code class="option">-d</code> option
+      switched on debugging traces and <code class="option">-v</code> enabled verbose
+      output.
+    </p>
+<p>
+      List mode is selected by the <code class="option">-l</code> option.  This makes
+      <span><strong class="command">host</strong></span> perform a zone transfer for zone
+      <em class="parameter"><code>name</code></em>.  Transfer the zone printing out
+      the NS, PTR
+      and address records (A/AAAA).  If combined with <code class="option">-a</code>
+      all records will be printed.
+    </p>
+<p>
+      The <code class="option">-i</code>
+      option specifies that reverse lookups of IPv6 addresses should
+      use the IP6.INT domain as defined in RFC1886.
+      The default is to use IP6.ARPA.
+    </p>
+<p>
+      The <code class="option">-N</code> option sets the number of dots that have to be
+      in <em class="parameter"><code>name</code></em> for it to be considered
+      absolute.  The
+      default value is that defined using the ndots statement in
+      <code class="filename">/etc/resolv.conf</code>, or 1 if no ndots
+      statement is
+      present.  Names with fewer dots are interpreted as relative names and
+      will be searched for in the domains listed in the <span class="type">search</span>
+      or <span class="type">domain</span> directive in
+      <code class="filename">/etc/resolv.conf</code>.
+    </p>
+<p>
+      The number of UDP retries for a lookup can be changed with the
+      <code class="option">-R</code> option.  <em class="parameter"><code>number</code></em>
+      indicates
+      how many times <span><strong class="command">host</strong></span> will repeat a query
+      that does
+      not get answered.  The default number of retries is 1.  If
+      <em class="parameter"><code>number</code></em> is negative or zero, the
+      number of
+      retries will default to 1.
+    </p>
+<p>
+      Non-recursive queries can be made via the <code class="option">-r</code> option.
+      Setting this option clears the <span class="type">RD</span> &#8212; recursion
+      desired &#8212; bit in the query which <span><strong class="command">host</strong></span> makes.
+      This should mean that the name server receiving the query will not
+      attempt to resolve <em class="parameter"><code>name</code></em>.  The
+      <code class="option">-r</code> option enables <span><strong class="command">host</strong></span>
+      to mimic
+      the behaviour of a name server by making non-recursive queries and
+      expecting to receive answers to those queries that are usually
+      referrals to other name servers.
+    </p>
+<p>
+      By default <span><strong class="command">host</strong></span> uses UDP when making
+      queries.  The
+      <code class="option">-T</code> option makes it use a TCP connection when querying
+      the name server.  TCP will be automatically selected for queries that
+      require it, such as zone transfer (AXFR) requests.
+    </p>
+<p>
+      The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only
+      use IPv4 query transport.  The <code class="option">-6</code> option forces
+      <span><strong class="command">host</strong></span> to only use IPv6 query transport.
+    </p>
+<p>
+      The <code class="option">-t</code> option is used to select the query type.
+      <em class="parameter"><code>type</code></em> can be any recognised query
+      type: CNAME,
+      NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
+      <span><strong class="command">host</strong></span> automatically selects an appropriate
+      query
+      type.  By default it looks for A records, but if the
+      <code class="option">-C</code> option was given, queries will be made for SOA
+      records, and if <em class="parameter"><code>name</code></em> is a
+      dotted-decimal IPv4
+      address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will
+      query for PTR records.  If a query type of IXFR is chosen the starting
+      serial number can be specified by appending an equal followed by the
+      starting serial number (e.g. -t IXFR=12345678).
+    </p>
+<p>
+      The time to wait for a reply can be controlled through the
+      <code class="option">-W</code> and <code class="option">-w</code> options.  The
+      <code class="option">-W</code> option makes <span><strong class="command">host</strong></span>
+      wait for
+      <em class="parameter"><code>wait</code></em> seconds.  If <em class="parameter"><code>wait</code></em>
+      is less than one, the wait interval is set to one second.  When the
+      <code class="option">-w</code> option is used, <span><strong class="command">host</strong></span>
+      will
+      effectively wait forever for a reply.  The time to wait for a response
+      will be set to the number of seconds given by the hardware's maximum
+      value for an integer quantity.
+    </p>
+<p>
+      The <code class="option">-s</code> option tells <span><strong class="command">host</strong></span> 
+      <span class="emphasis"><em>not</em></span> to send the query to the next nameserver
+      if any server responds with a SERVFAIL response, which is the
+      reverse of normal stub resolver behaviour.
+    </p>
+<p>
+      The <code class="option">-m</code> can be used to set the memory usage debugging
+      flags
+      <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em> and
+      <em class="parameter"><code>trace</code></em>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549874"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/resolv.conf</code>
-</p>
+<a name="id2543725"></a><h2>IDN SUPPORT</h2>
+<p>
+      If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
+      domain name) support, it can accept and display non-ASCII domain names. 
+      <span><strong class="command">host</strong></span> appropriately converts character encoding of
+      domain name before sending a request to DNS server or displaying a
+      reply from the server.
+      If you'd like to turn off the IDN support for some reason, defines
+      the <code class="envar">IDN_DISABLE</code> environment variable.
+      The IDN support is disabled if the variable is set when
+      <span><strong class="command">host</strong></span> runs.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549886"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
-</p>
+<a name="id2543748"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543828"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/bin/dig/include/dig/dig.h b/contrib/bind9/bin/dig/include/dig/dig.h
index 91dae5c..675bb15 100644
--- a/contrib/bind9/bin/dig/include/dig/dig.h
+++ b/contrib/bind9/bin/dig/include/dig/dig.h
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.h,v 1.71.2.6.2.14 2006/12/07 01:26:33 marka Exp $ */
+/* $Id: dig.h,v 1.82.18.19 2006/12/07 06:08:02 marka Exp $ */
 
 #ifndef DIG_H
 #define DIG_H
 
+/*! \file */
+
 #include <dns/rdatalist.h>
 
 #include <dst/dst.h>
@@ -38,29 +40,36 @@
 #define MXSERV 20
 #define MXNAME (DNS_NAME_MAXTEXT+1)
 #define MXRD 32
+/*% Buffer Size */
 #define BUFSIZE 512
 #define COMMSIZE 0xffff
 #ifndef RESOLV_CONF
+/*% location of resolve.conf */
 #define RESOLV_CONF "/etc/resolv.conf"
 #endif
+/*% output buffer */
 #define OUTPUTBUF 32767
+/*% Max RR Limit */
 #define MAXRRLIMIT 0xffffffff
 #define MAXTIMEOUT 0xffff
+/*% Max number of tries */
 #define MAXTRIES 0xffffffff
+/*% Max number of dots */
 #define MAXNDOTS 0xffff
+/*% Max number of ports */
 #define MAXPORT 0xffff
+/*% Max serial number */
 #define MAXSERIAL 0xffffffff
 
-/*
- * Default timeout values
- */
+/*% Default TCP Timeout */
 #define TCP_TIMEOUT 10
+/*% Default UDP Timeout */
 #define UDP_TIMEOUT 5
 
 #define SERVER_TIMEOUT 1
 
 #define LOOKUP_LIMIT 64
-/*
+/*%
  * Lookup_limit is just a limiter, keeping too many lookups from being
  * created.  It's job is mainly to prevent the program from running away
  * in a tight loop of constant lookups.  It's value is arbitrary.
@@ -90,22 +99,23 @@ typedef struct dig_message dig_message_t;
 typedef ISC_LIST(dig_server_t) dig_serverlist_t;
 typedef struct dig_searchlist dig_searchlist_t;
 
+/*% The dig_lookup structure */
 struct dig_lookup {
 	isc_boolean_t
-	        pending, /* Pending a successful answer */
+	        pending, /*%< Pending a successful answer */
 		waiting_connect,
 		doing_xfr,
-		ns_search_only, /* dig +nssearch, host -C */
-		identify, /* Append an "on server <foo>" message */
-		identify_previous_line, /* Prepend a "Nameserver <foo>:"
+		ns_search_only, /*%< dig +nssearch, host -C */
+		identify, /*%< Append an "on server <foo>" message */
+		identify_previous_line, /*% Prepend a "Nameserver <foo>:"
 					   message, with newline and tab */
 		ignore,
 		recurse,
 		aaonly,
 		adflag,
 		cdflag,
-		trace, /* dig +trace */
-		trace_root, /* initial query for either +trace or +nssearch */
+		trace, /*% dig +trace */
+		trace_root, /*% initial query for either +trace or +nssearch */
 		tcp_mode,
 		ip6_int,
 		comments,
@@ -116,6 +126,8 @@ struct dig_lookup {
 		section_additional,
 		servfail_stops,
 		new_search,
+		need_search,
+		done_as_is,
 		besteffort,
 		dnssec;
 #ifdef DIG_SIGCHASE
@@ -130,7 +142,7 @@ isc_boolean_t	sigchase;
 #endif
 #endif
 	
-	char textname[MXNAME]; /* Name we're going to be looking up */
+	char textname[MXNAME]; /*% Name we're going to be looking up */
 	char cmdline[MXNAME];
 	dns_rdatatype_t rdtype;
 	dns_rdatatype_t qrdtype;
@@ -162,14 +174,17 @@ isc_boolean_t	sigchase;
 	isc_uint32_t retries;
 	int nsfound;
 	isc_uint16_t udpsize;
+	isc_int16_t edns;
 	isc_uint32_t ixfr_serial;
 	isc_buffer_t rdatabuf;
 	char rdatastore[MXNAME];
 	dst_context_t *tsigctx;
 	isc_buffer_t *querysig;
 	isc_uint32_t msgcounter;
+	dns_fixedname_t fdomain;
 };
 
+/*% The dig_query structure */
 struct dig_query {
 	dig_lookup_t *lookup;
 	isc_boolean_t waiting_connect,
@@ -200,6 +215,7 @@ struct dig_query {
 	ISC_LINK(dig_query_t) link;
 	isc_sockaddr_t sockaddr;
 	isc_time_t time_sent;
+	isc_uint64_t byte_count;
 	isc_buffer_t sendbuf;
 };
 
@@ -230,9 +246,10 @@ typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t;
 extern dig_lookuplist_t lookup_list;
 extern dig_serverlist_t server_list;
 extern dig_searchlistlist_t search_list;
+extern unsigned int extrabytes;
 
-extern isc_boolean_t have_ipv4, have_ipv6, specified_source,
-        usesearch, qr;
+extern isc_boolean_t check_ra, have_ipv4, have_ipv6, specified_source,
+        usesearch, showsearch, qr;
 extern in_port_t port;
 extern unsigned int timeout;
 extern isc_mem_t *mctx;
@@ -245,6 +262,8 @@ extern isc_sockaddr_t bind_address;
 extern char keynametext[MXNAME];
 extern char keyfile[MXNAME];
 extern char keysecret[MXNAME];
+extern dns_name_t *hmacname;
+extern unsigned int digestbits;
 #ifdef DIG_SIGCHASE
 extern char trustedkey[MXNAME];
 #endif
@@ -346,13 +365,13 @@ printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
 
 isc_result_t
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
-/*
+/*%<
  * Print the final result of the lookup.
  */
 
 void
 received(int bytes, isc_sockaddr_t *from, dig_query_t *query);
-/*
+/*%<
  * Print a message about where and when the response
  * was received from, like the final comment in the
  * output of "dig".
diff --git a/contrib/bind9/bin/dig/nslookup.1 b/contrib/bind9/bin/dig/nslookup.1
index 7b1d4d2..f941e9b 100644
--- a/contrib/bind9/bin/dig/nslookup.1
+++ b/contrib/bind9/bin/dig/nslookup.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -12,13 +12,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nslookup.1,v 1.1.6.7 2006/06/29 13:02:30 marka Exp $
+.\" $Id: nslookup.1,v 1.1.10.12 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: nslookup
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -42,10 +42,10 @@ has two modes: interactive and non\-interactive. Interactive mode allows the use
 .SH "ARGUMENTS"
 .PP
 Interactive mode is entered in the following cases:
-.TP 3n
+.TP 4
 1.
 when no arguments are given (the default name server will be used)
-.TP 3n
+.TP 4
 2.
 when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server.
 .sp
@@ -54,17 +54,22 @@ when the first argument is a hyphen (\-) and the second argument is the host nam
 Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.
 .PP
 Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
-.sp .RS 3n .nf nslookup \-query=hinfo \-timeout=10 .fi .RE
+.sp .RS 4 .nf nslookup \-query=hinfo \-timeout=10 .fi .RE
 .SH "INTERACTIVE COMMANDS"
-.TP 3n
-host [server]
+.PP
+\fBhost\fR [server]
+.RS 4
 Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.
 .sp
 To look up a host not in the current domain, append a period to the name.
-.TP 3n
+.RE
+.PP
 \fBserver\fR \fIdomain\fR
-.TP 3n
+.RS 4
+.RE
+.PP
 \fBlserver\fR \fIdomain\fR
+.RS 4
 Change the default server to
 \fIdomain\fR;
 \fBlserver\fR
@@ -72,107 +77,165 @@ uses the initial server to look up information about
 \fIdomain\fR, while
 \fBserver\fR
 uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.
-.TP 3n
+.RE
+.PP
 \fBroot\fR
+.RS 4
 not implemented
-.TP 3n
+.RE
+.PP
 \fBfinger\fR
+.RS 4
 not implemented
-.TP 3n
+.RE
+.PP
 \fBls\fR
+.RS 4
 not implemented
-.TP 3n
+.RE
+.PP
 \fBview\fR
+.RS 4
 not implemented
-.TP 3n
+.RE
+.PP
 \fBhelp\fR
+.RS 4
 not implemented
-.TP 3n
+.RE
+.PP
 \fB?\fR
+.RS 4
 not implemented
-.TP 3n
+.RE
+.PP
 \fBexit\fR
+.RS 4
 Exits the program.
-.TP 3n
+.RE
+.PP
 \fBset\fR \fIkeyword\fR\fI[=value]\fR
+.RS 4
 This command is used to change state information that affects the lookups. Valid keywords are:
-.RS 3n
-.TP 3n
+.RS 4
+.PP
 \fBall\fR
+.RS 4
 Prints the current values of the frequently used options to
 \fBset\fR. Information about the current default server and host is also printed.
-.TP 3n
+.RE
+.PP
 \fBclass=\fR\fIvalue\fR
+.RS 4
 Change the query class to one of:
-.RS 3n
-.TP 3n
+.RS 4
+.PP
 \fBIN\fR
+.RS 4
 the Internet class
-.TP 3n
+.RE
+.PP
 \fBCH\fR
+.RS 4
 the Chaos class
-.TP 3n
+.RE
+.PP
 \fBHS\fR
+.RS 4
 the Hesiod class
-.TP 3n
+.RE
+.PP
 \fBANY\fR
+.RS 4
 wildcard
 .RE
-.IP "" 3n
+.RE
+.IP "" 4
 The class specifies the protocol group of the information.
 .sp
 (Default = IN; abbreviation = cl)
-.TP 3n
-\fB\fI[no]\fR\fR\fBdebug\fR
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBdebug\fR
+.RS 4
 Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
 .sp
 (Default = nodebug; abbreviation =
 [no]deb)
-.TP 3n
-\fB\fI[no]\fR\fR\fBd2\fR
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBd2\fR
+.RS 4
 Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
 .sp
 (Default = nod2)
-.TP 3n
+.RE
+.PP
 \fBdomain=\fR\fIname\fR
+.RS 4
 Sets the search list to
 \fIname\fR.
-.TP 3n
-\fB\fI[no]\fR\fR\fBsearch\fR
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBsearch\fR
+.RS 4
 If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.
 .sp
 (Default = search)
-.TP 3n
+.RE
+.PP
 \fBport=\fR\fIvalue\fR
+.RS 4
 Change the default TCP/UDP name server port to
 \fIvalue\fR.
 .sp
 (Default = 53; abbreviation = po)
-.TP 3n
+.RE
+.PP
 \fBquerytype=\fR\fIvalue\fR
-.TP 3n
+.RS 4
+.RE
+.PP
 \fBtype=\fR\fIvalue\fR
+.RS 4
 Change the type of the information query.
 .sp
 (Default = A; abbreviations = q, ty)
-.TP 3n
-\fB\fI[no]\fR\fR\fBrecurse\fR
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBrecurse\fR
+.RS 4
 Tell the name server to query other servers if it does not have the information.
 .sp
 (Default = recurse; abbreviation = [no]rec)
-.TP 3n
+.RE
+.PP
 \fBretry=\fR\fInumber\fR
+.RS 4
 Set the number of retries to number.
-.TP 3n
+.RE
+.PP
 \fBtimeout=\fR\fInumber\fR
+.RS 4
 Change the initial timeout interval for waiting for a reply to number seconds.
-.TP 3n
-\fB\fI[no]\fR\fR\fBvc\fR
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBvc\fR
+.RS 4
 Always use a virtual circuit when sending requests to the server.
 .sp
 (Default = novc)
 .RE
-.IP "" 3n
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBfail\fR
+.RS 4
+Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response.
+.sp
+(Default = nofail)
+.RE
+.RE
+.IP "" 4
+.RE
 .SH "FILES"
 .PP
 \fI/etc/resolv.conf\fR
@@ -185,4 +248,5 @@ Always use a virtual circuit when sending requests to the server.
 .PP
 Andrew Cherenson
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/contrib/bind9/bin/dig/nslookup.c b/contrib/bind9/bin/dig/nslookup.c
index 5ae64d0..e2310af 100644
--- a/contrib/bind9/bin/dig/nslookup.c
+++ b/contrib/bind9/bin/dig/nslookup.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nslookup.c,v 1.90.2.4.2.12 2006/06/09 23:50:53 marka Exp $ */
+/* $Id: nslookup.c,v 1.101.18.12 2006/12/07 06:08:02 marka Exp $ */
 
 #include <config.h>
 
@@ -50,7 +50,8 @@ static isc_boolean_t short_form = ISC_TRUE,
 	comments = ISC_TRUE, section_question = ISC_TRUE,
 	section_answer = ISC_TRUE, section_authority = ISC_TRUE,
 	section_additional = ISC_TRUE, recurse = ISC_TRUE,
-	aaonly = ISC_FALSE;
+	aaonly = ISC_FALSE, nofail = ISC_TRUE;
+
 static isc_boolean_t in_use = ISC_FALSE;
 static char defclass[MXRD] = "IN";
 static char deftype[MXRD] = "A";
@@ -619,8 +620,10 @@ setoption(char *opt) {
 		tcpmode = ISC_FALSE;
  	} else if (strncasecmp(opt, "deb", 3) == 0) {
 		short_form = ISC_FALSE;
+		showsearch = ISC_TRUE;
 	} else if (strncasecmp(opt, "nodeb", 5) == 0) {
 		short_form = ISC_TRUE;
+		showsearch = ISC_FALSE;
  	} else if (strncasecmp(opt, "d2", 2) == 0) {
 		debugging = ISC_TRUE;
 	} else if (strncasecmp(opt, "nod2", 4) == 0) {
@@ -631,6 +634,10 @@ setoption(char *opt) {
 		usesearch = ISC_FALSE;
 	} else if (strncasecmp(opt, "sil", 3) == 0) {
 		/* deprecation_msg = ISC_FALSE; */
+	} else if (strncasecmp(opt, "fail", 3) == 0) {
+		nofail=ISC_FALSE;
+	} else if (strncasecmp(opt, "nofail", 3) == 0) {
+		nofail=ISC_TRUE;
 	} else {
 		printf("*** Invalid option: %s\n", opt);	
 	}
@@ -689,6 +696,8 @@ addlookup(char *opt) {
 	lookup->section_authority = section_authority;
 	lookup->section_additional = section_additional;
 	lookup->new_search = ISC_TRUE;
+	if (nofail)
+		lookup->servfail_stops = ISC_FALSE;
 	ISC_LIST_INIT(lookup->q);
 	ISC_LINK_INIT(lookup, link);
 	ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -728,6 +737,7 @@ get_next_command(void) {
 		 (strcasecmp(ptr, "lserver") == 0)) {
 		isc_app_block();
 		set_nameserver(arg);
+		check_ra = ISC_FALSE;
 		isc_app_unblock();
 		show_settings(ISC_TRUE, ISC_TRUE);
 	} else if (strcasecmp(ptr, "exit") == 0) {
@@ -766,9 +776,10 @@ parse_args(int argc, char **argv) {
 				have_lookup = ISC_TRUE;
 				in_use = ISC_TRUE;
 				addlookup(argv[0]);
-			}
-			else
+			} else {
 				set_nameserver(argv[0]);
+				check_ra = ISC_FALSE;
+			}
 		}
 	}
 }
@@ -844,6 +855,8 @@ main(int argc, char **argv) {
 	ISC_LIST_INIT(server_list);
 	ISC_LIST_INIT(search_list);
 
+	check_ra = ISC_TRUE;
+
 	result = isc_app_start();
 	check_result(result, "isc_app_start");
 
diff --git a/contrib/bind9/bin/dig/nslookup.docbook b/contrib/bind9/bin/dig/nslookup.docbook
index 741ad34..c989b73 100644
--- a/contrib/bind9/bin/dig/nslookup.docbook
+++ b/contrib/bind9/bin/dig/nslookup.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -17,12 +17,11 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: nslookup.docbook,v 1.3.6.7 2006/01/06 00:01:42 marka Exp $ -->
-
+<!-- $Id: nslookup.docbook,v 1.4.2.10 2007/01/29 23:57:20 marka Exp $ -->
 <!--
  - Copyright (c) 1985, 1989
  -    The Regents of the University of California.  All rights reserved.
- - 
+ -
  - Redistribution and use in source and binary forms, with or without
  - modification, are permitted provided that the following conditions
  - are met:
@@ -38,7 +37,7 @@
  - 4. Neither the name of the University nor the names of its contributors
  -    may be used to endorse or promote products derived from this software
  -    without specific prior written permission.
- - 
+ -
  - THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -51,281 +50,449 @@
  - OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  - SUCH DAMAGE.
 -->
-
 <refentry>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>nslookup</refentrytitle>
+    <manvolnum>1</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
-<refmeta>
-<refentrytitle>nslookup</refentrytitle>
-<manvolnum>1</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refnamediv>
+    <refname>nslookup</refname>
+    <refpurpose>query Internet name servers interactively</refpurpose>
+  </refnamediv>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
       <year>2006</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>nslookup</refname>
-<refpurpose>query Internet name servers interactively</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-<cmdsynopsis>
-  <command>nslookup</command>
-  <arg><option>-option</option></arg>
-  <arg choice="opt">name | -</arg>
-  <arg choice="opt">server</arg>
-</cmdsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<command>Nslookup</command>
-is a program to query Internet domain name servers.  <command>Nslookup</command>
-has two modes: interactive and non-interactive.  Interactive mode allows
-the user to query name servers for information about various hosts and
-domains or to print a list of hosts in a domain.  Non-interactive mode is
-used to print just the name and requested information for a host or
-domain.
-</para>
-</refsect1>
-
-<refsect1>
-<title>ARGUMENTS</title>
-<para>
-Interactive mode is entered in the following cases:
-<orderedlist numeration="loweralpha">
-<listitem>
-<para>
-when no arguments are given (the default name server will be used)
-</para>
-</listitem>
-<listitem>
-<para>
-when the first argument is a hyphen (-) and the second argument is
-the host name or Internet address of a name server.
-</para>
-</listitem>
-</orderedlist>
-</para>
-
-<para>
-Non-interactive mode is used when the name or Internet address of the
-host to be looked up is given as the first argument. The optional second
-argument specifies the host name or address of a name server.
-</para>
-
-<para>
-Options can also be specified on the command line if they precede the
-arguments and are prefixed with a hyphen.  For example, to
-change the default query type to host information, and the initial timeout to 10 seconds, type:
-<informalexample>
-<programlisting>
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>nslookup</command>
+      <arg><option>-option</option></arg>
+      <arg choice="opt">name | -</arg>
+      <arg choice="opt">server</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para><command>Nslookup</command>
+      is a program to query Internet domain name servers.  <command>Nslookup</command>
+      has two modes: interactive and non-interactive.  Interactive mode allows
+      the user to query name servers for information about various hosts and
+      domains or to print a list of hosts in a domain.  Non-interactive mode
+      is
+      used to print just the name and requested information for a host or
+      domain.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>ARGUMENTS</title>
+    <para>
+      Interactive mode is entered in the following cases:
+      <orderedlist numeration="loweralpha">
+        <listitem>
+          <para>
+            when no arguments are given (the default name server will be used)
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            when the first argument is a hyphen (-) and the second argument is
+            the host name or Internet address of a name server.
+          </para>
+        </listitem>
+      </orderedlist>
+    </para>
+
+    <para>
+      Non-interactive mode is used when the name or Internet address of the
+      host to be looked up is given as the first argument. The optional second
+      argument specifies the host name or address of a name server.
+    </para>
+
+    <para>
+      Options can also be specified on the command line if they precede the
+      arguments and are prefixed with a hyphen.  For example, to
+      change the default query type to host information, and the initial
+      timeout to 10 seconds, type:
+      <informalexample>
+        <programlisting>
 nslookup -query=hinfo  -timeout=10
 </programlisting>
-</informalexample>
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>INTERACTIVE COMMANDS</title>
-<variablelist>
-<varlistentry><term>host <optional>server</optional></term>
-<listitem><para>
-Look up information for host using the current default server or
-using server, if specified.  If host is an Internet address and
-the query type is A or PTR, the name of the host is returned.
-If host is a name and does not have a trailing period, the
-search list is used to qualify the name.
-</para>
-
-<para>
-To look up a host not in the current domain, append a period to
-the name.
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term>
-<listitem><para></para></listitem></varlistentry>
-<varlistentry><term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term>
-<listitem><para>
-Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial
-server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses
-the current default server.  If an authoritative answer can't be
-found, the names of servers that might have the answer are
-returned.
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>root</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>finger</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ls</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>view</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>help</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>?</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>exit</constant></term>
-<listitem><para>Exits the program.</para></listitem></varlistentry>
-
-<varlistentry><term><constant>set</constant> <replaceable>keyword<optional>=value</optional></replaceable></term>
-<listitem><para>This command is used to change state information that affects
-the lookups.  Valid keywords are:
- <variablelist>
-  <varlistentry><term><constant>all</constant></term>
-  <listitem>
-  <para>Prints the current values of the frequently used
-  options to <command>set</command>.  Information about the  current default
-  server and host is also printed.
-  </para>
-  </listitem>
-  </varlistentry>
-
-  <varlistentry><term><constant>class=</constant><replaceable>value</replaceable></term>
-  <listitem><para>
-   Change the query class to one of:
-   <variablelist>
-    <varlistentry><term><constant>IN</constant></term>
-    <listitem><para>the Internet class</para></listitem></varlistentry>
-    <varlistentry><term><constant>CH</constant></term>
-    <listitem><para>the Chaos class</para></listitem></varlistentry>
-    <varlistentry><term><constant>HS</constant></term>
-    <listitem><para>the Hesiod class</para></listitem></varlistentry>
-    <varlistentry><term><constant>ANY</constant></term>
-    <listitem><para>wildcard</para></listitem></varlistentry>
-   </variablelist>
-   The class specifies the protocol group of the information.
-   </para><para>
-   (Default = IN; abbreviation = cl)
-   </para></listitem>
-  </varlistentry>
-
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term>
-  <listitem><para>
-  Turn debugging mode on.  A lot more information is
-  printed about the packet sent to the server and the
-  resulting answer.
-  </para><para>
-  (Default = nodebug; abbreviation = <optional>no</optional>deb)
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>d2</constant></term>
-  <listitem><para>
-  Turn debugging mode on.  A lot more information is
-  printed about the packet sent to the server and the
-  resulting answer.
-  </para><para>
-  (Default = nod2)
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant>domain=</constant><replaceable>name</replaceable></term>
-  <listitem><para>
-  Sets the search list to <replaceable>name</replaceable>.
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>search</constant></term>
-  <listitem><para>
-  If the lookup request contains at least one period but
-  doesn't end with a trailing period, append the domain
-  names in the domain search list to the request until an
-  answer is received.
-  </para><para>
-  (Default = search)
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant>port=</constant><replaceable>value</replaceable></term>
-  <listitem><para>
-  Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
-  </para><para>
-  (Default = 53; abbreviation = po)
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant>querytype=</constant><replaceable>value</replaceable></term>
-  <listitem><para></para></listitem></varlistentry>
-
-  <varlistentry><term><constant>type=</constant><replaceable>value</replaceable></term>
-  <listitem><para>
-  Change the type of the information query.
-  </para><para>
-  (Default = A; abbreviations = q, ty)
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>recurse</constant></term>
-  <listitem><para>
-  Tell the name server to query other servers if it does not have the
-  information.
-  </para><para>
-  (Default = recurse; abbreviation = [no]rec)
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant>retry=</constant><replaceable>number</replaceable></term>
-  <listitem><para>
-  Set the number of retries to number.
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant>timeout=</constant><replaceable>number</replaceable></term>
-  <listitem><para>
-  Change the initial timeout interval for waiting for a
-  reply to number seconds.
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>vc</constant></term>
-  <listitem><para>
-  Always use a virtual circuit when sending requests to the server.
-  </para><para>
-  (Default = novc)
-  </para></listitem></varlistentry>
-
-  </variablelist>
-</para></listitem></varlistentry>
-</variablelist>
-</refsect1>
-
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/resolv.conf</filename>
-</para>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-
-<refsect1>
-<title>Author</title>
-<para>
-Andrew Cherenson
-</para>
-</refsect1>
-</refentry>
+      </informalexample>
+    </para>
+
+  </refsect1>
+
+  <refsect1>
+    <title>INTERACTIVE COMMANDS</title>
+    <variablelist>
+      <varlistentry>
+        <term><constant>host</constant> <optional>server</optional></term>
+        <listitem>
+          <para>
+            Look up information for host using the current default server or
+            using server, if specified.  If host is an Internet address and
+            the query type is A or PTR, the name of the host is returned.
+            If host is a name and does not have a trailing period, the
+            search list is used to qualify the name.
+          </para>
+
+          <para>
+            To look up a host not in the current domain, append a period to
+            the name.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term>
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term>
+        <listitem>
+          <para>
+            Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial
+            server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses
+            the current default server.  If an authoritative answer can't be
+            found, the names of servers that might have the answer are
+            returned.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>root</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>finger</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>ls</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>view</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>help</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>?</constant></term>
+        <listitem>
+          <para>
+            not implemented
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>exit</constant></term>
+        <listitem>
+          <para>
+            Exits the program.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>set</constant>
+          <replaceable>keyword<optional>=value</optional></replaceable></term>
+        <listitem>
+          <para>
+            This command is used to change state information that affects
+            the lookups.  Valid keywords are:
+            <variablelist>
+              <varlistentry>
+                <term><constant>all</constant></term>
+                <listitem>
+                  <para>
+                    Prints the current values of the frequently used
+                    options to <command>set</command>.
+                    Information about the  current default
+                    server and host is also printed.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>class=</constant><replaceable>value</replaceable></term>
+                <listitem>
+                  <para>
+                    Change the query class to one of:
+                    <variablelist>
+                      <varlistentry>
+                        <term><constant>IN</constant></term>
+                        <listitem>
+                          <para>
+                            the Internet class
+                          </para>
+                        </listitem>
+                      </varlistentry>
+                      <varlistentry>
+                        <term><constant>CH</constant></term>
+                        <listitem>
+                          <para>
+                            the Chaos class
+                          </para>
+                        </listitem>
+                      </varlistentry>
+                      <varlistentry>
+                        <term><constant>HS</constant></term>
+                        <listitem>
+                          <para>
+                            the Hesiod class
+                          </para>
+                        </listitem>
+                      </varlistentry>
+                      <varlistentry>
+                        <term><constant>ANY</constant></term>
+                        <listitem>
+                          <para>
+                            wildcard
+                          </para>
+                        </listitem>
+                      </varlistentry>
+                    </variablelist>
+                    The class specifies the protocol group of the information.
+
+                  </para>
+		  <para>
+                    (Default = IN; abbreviation = cl)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>
+                    <replaceable><optional>no</optional></replaceable>debug</constant></term>
+                <listitem>
+                  <para>
+                    Turn debugging mode on.  A lot more information is
+                    printed about the packet sent to the server and the
+                    resulting answer.
+                  </para>
+		  <para>
+                    (Default = nodebug; abbreviation = <optional>no</optional>deb)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>
+                    <replaceable><optional>no</optional></replaceable>d2</constant></term>
+                <listitem>
+                  <para>
+                    Turn debugging mode on.  A lot more information is
+                    printed about the packet sent to the server and the
+                    resulting answer.
+                  </para>
+		  <para>
+                    (Default = nod2)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>domain=</constant><replaceable>name</replaceable></term>
+                <listitem>
+                  <para>
+                    Sets the search list to <replaceable>name</replaceable>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>
+                    <replaceable><optional>no</optional></replaceable>search</constant></term>
+                <listitem>
+                  <para>
+                    If the lookup request contains at least one period but
+                    doesn't end with a trailing period, append the domain
+                    names in the domain search list to the request until an
+                    answer is received.
+                  </para>
+		  <para>
+                    (Default = search)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>port=</constant><replaceable>value</replaceable></term>
+                <listitem>
+                  <para>
+                    Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
+                  </para>
+		  <para>
+                    (Default = 53; abbreviation = po)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>querytype=</constant><replaceable>value</replaceable></term>
+                <listitem>
+                  <para/>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>type=</constant><replaceable>value</replaceable></term>
+                <listitem>
+                  <para>
+                    Change the type of the information query.
+                  </para>
+		  <para>
+                    (Default = A; abbreviations = q, ty)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>
+                    <replaceable><optional>no</optional></replaceable>recurse</constant></term>
+                <listitem>
+                  <para>
+                    Tell the name server to query other servers if it does not
+                    have the
+                    information.
+                  </para>
+		  <para>
+                    (Default = recurse; abbreviation = [no]rec)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>retry=</constant><replaceable>number</replaceable></term>
+                <listitem>
+                  <para>
+                    Set the number of retries to number.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>timeout=</constant><replaceable>number</replaceable></term>
+                <listitem>
+                  <para>
+                    Change the initial timeout interval for waiting for a
+                    reply to number seconds.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>
+                    <replaceable><optional>no</optional></replaceable>vc</constant></term>
+                <listitem>
+                  <para>
+                    Always use a virtual circuit when sending requests to the
+                    server.
+                  </para>
+		  <para>
+                    (Default = novc)
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><constant>
+                    <replaceable><optional>no</optional></replaceable>fail</constant></term>
+                <listitem>
+                  <para>
+		    Try the next nameserver if a nameserver responds with
+		    SERVFAIL or a referral (nofail) or terminate query
+		    (fail) on such a response.
+		  </para>
+		  <para>
+                    (Default = nofail)
+                  </para>
+	        </listitem>
+	      </varlistentry>
+
+            </variablelist>
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+    <para><filename>/etc/resolv.conf</filename>
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>Author</title>
+    <para>
+      Andrew Cherenson
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/dig/nslookup.html b/contrib/bind9/bin/dig/nslookup.html
index e6801e9..07f8c3e 100644
--- a/contrib/bind9/bin/dig/nslookup.html
+++ b/contrib/bind9/bin/dig/nslookup.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -13,15 +13,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: nslookup.html,v 1.1.6.12 2006/06/29 13:02:30 marka Exp $ -->
+<!-- $Id: nslookup.html,v 1.1.10.19 2007/01/30 00:23:44 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>nslookup</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482694"></a><div class="titlepage"></div>
+<a name="id2476276"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>nslookup &#8212; query Internet name servers interactively</p>
@@ -31,234 +31,279 @@
 <div class="cmdsynopsis"><p><code class="command">nslookup</code>  [<code class="option">-option</code>] [name | -] [server]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549404"></a><h2>DESCRIPTION</h2>
-<p>
-<span><strong class="command">Nslookup</strong></span>
-is a program to query Internet domain name servers.  <span><strong class="command">Nslookup</strong></span>
-has two modes: interactive and non-interactive.  Interactive mode allows
-the user to query name servers for information about various hosts and
-domains or to print a list of hosts in a domain.  Non-interactive mode is
-used to print just the name and requested information for a host or
-domain.
-</p>
+<a name="id2543355"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">Nslookup</strong></span>
+      is a program to query Internet domain name servers.  <span><strong class="command">Nslookup</strong></span>
+      has two modes: interactive and non-interactive.  Interactive mode allows
+      the user to query name servers for information about various hosts and
+      domains or to print a list of hosts in a domain.  Non-interactive mode
+      is
+      used to print just the name and requested information for a host or
+      domain.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549421"></a><h2>ARGUMENTS</h2>
+<a name="id2543371"></a><h2>ARGUMENTS</h2>
 <p>
-Interactive mode is entered in the following cases:
-</p>
+      Interactive mode is entered in the following cases:
+      </p>
 <div class="orderedlist"><ol type="a">
 <li><p>
-when no arguments are given (the default name server will be used)
-</p></li>
+            when no arguments are given (the default name server will be used)
+          </p></li>
 <li><p>
-when the first argument is a hyphen (-) and the second argument is
-the host name or Internet address of a name server.
-</p></li>
+            when the first argument is a hyphen (-) and the second argument is
+            the host name or Internet address of a name server.
+          </p></li>
 </ol></div>
 <p>
-</p>
+    </p>
 <p>
-Non-interactive mode is used when the name or Internet address of the
-host to be looked up is given as the first argument. The optional second
-argument specifies the host name or address of a name server.
-</p>
+      Non-interactive mode is used when the name or Internet address of the
+      host to be looked up is given as the first argument. The optional second
+      argument specifies the host name or address of a name server.
+    </p>
 <p>
-Options can also be specified on the command line if they precede the
-arguments and are prefixed with a hyphen.  For example, to
-change the default query type to host information, and the initial timeout to 10 seconds, type:
-</p>
+      Options can also be specified on the command line if they precede the
+      arguments and are prefixed with a hyphen.  For example, to
+      change the default query type to host information, and the initial
+      timeout to 10 seconds, type:
+      </p>
 <div class="informalexample"><pre class="programlisting">
 nslookup -query=hinfo  -timeout=10
 </pre></div>
 <p>
-</p>
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549464"></a><h2>INTERACTIVE COMMANDS</h2>
+<a name="id2543413"></a><h2>INTERACTIVE COMMANDS</h2>
 <div class="variablelist"><dl>
-<dt><span class="term">host [<span class="optional">server</span>]</span></dt>
+<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
 <dd>
 <p>
-Look up information for host using the current default server or
-using server, if specified.  If host is an Internet address and
-the query type is A or PTR, the name of the host is returned.
-If host is a name and does not have a trailing period, the
-search list is used to qualify the name.
-</p>
+            Look up information for host using the current default server or
+            using server, if specified.  If host is an Internet address and
+            the query type is A or PTR, the name of the host is returned.
+            If host is a name and does not have a trailing period, the
+            search list is used to qualify the name.
+          </p>
 <p>
-To look up a host not in the current domain, append a period to
-the name.
-</p>
+            To look up a host not in the current domain, append a period to
+            the name.
+          </p>
 </dd>
 <dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
 <dd><p></p></dd>
 <dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
 <dd><p>
-Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
-server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
-the current default server.  If an authoritative answer can't be
-found, the names of servers that might have the answer are
-returned.
-</p></dd>
+            Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
+            server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
+            the current default server.  If an authoritative answer can't be
+            found, the names of servers that might have the answer are
+            returned.
+          </p></dd>
 <dt><span class="term"><code class="constant">root</code></span></dt>
-<dd><p>not implemented</p></dd>
+<dd><p>
+            not implemented
+          </p></dd>
 <dt><span class="term"><code class="constant">finger</code></span></dt>
-<dd><p>not implemented</p></dd>
+<dd><p>
+            not implemented
+          </p></dd>
 <dt><span class="term"><code class="constant">ls</code></span></dt>
-<dd><p>not implemented</p></dd>
+<dd><p>
+            not implemented
+          </p></dd>
 <dt><span class="term"><code class="constant">view</code></span></dt>
-<dd><p>not implemented</p></dd>
+<dd><p>
+            not implemented
+          </p></dd>
 <dt><span class="term"><code class="constant">help</code></span></dt>
-<dd><p>not implemented</p></dd>
+<dd><p>
+            not implemented
+          </p></dd>
 <dt><span class="term"><code class="constant">?</code></span></dt>
-<dd><p>not implemented</p></dd>
+<dd><p>
+            not implemented
+          </p></dd>
 <dt><span class="term"><code class="constant">exit</code></span></dt>
-<dd><p>Exits the program.</p></dd>
-<dt><span class="term"><code class="constant">set</code> <em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
+<dd><p>
+            Exits the program.
+          </p></dd>
+<dt><span class="term"><code class="constant">set</code>
+          <em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
 <dd>
-<p>This command is used to change state information that affects
-the lookups.  Valid keywords are:
- </p>
+<p>
+            This command is used to change state information that affects
+            the lookups.  Valid keywords are:
+            </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">all</code></span></dt>
-<dd><p>Prints the current values of the frequently used
-  options to <span><strong class="command">set</strong></span>.  Information about the  current default
-  server and host is also printed.
-  </p></dd>
+<dd><p>
+                    Prints the current values of the frequently used
+                    options to <span><strong class="command">set</strong></span>.
+                    Information about the  current default
+                    server and host is also printed.
+                  </p></dd>
 <dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
 <dd>
 <p>
-   Change the query class to one of:
-   </p>
+                    Change the query class to one of:
+                    </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">IN</code></span></dt>
-<dd><p>the Internet class</p></dd>
+<dd><p>
+                            the Internet class
+                          </p></dd>
 <dt><span class="term"><code class="constant">CH</code></span></dt>
-<dd><p>the Chaos class</p></dd>
+<dd><p>
+                            the Chaos class
+                          </p></dd>
 <dt><span class="term"><code class="constant">HS</code></span></dt>
-<dd><p>the Hesiod class</p></dd>
+<dd><p>
+                            the Hesiod class
+                          </p></dd>
 <dt><span class="term"><code class="constant">ANY</code></span></dt>
-<dd><p>wildcard</p></dd>
+<dd><p>
+                            wildcard
+                          </p></dd>
 </dl></div>
 <p>
-   The class specifies the protocol group of the information.
-   </p>
+                    The class specifies the protocol group of the information.
+
+                  </p>
 <p>
-   (Default = IN; abbreviation = cl)
-   </p>
+                    (Default = IN; abbreviation = cl)
+                  </p>
 </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
+<dt><span class="term"><code class="constant">
+                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
 <dd>
 <p>
-  Turn debugging mode on.  A lot more information is
-  printed about the packet sent to the server and the
-  resulting answer.
-  </p>
+                    Turn debugging mode on.  A lot more information is
+                    printed about the packet sent to the server and the
+                    resulting answer.
+                  </p>
 <p>
-  (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
-  </p>
+                    (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
+                  </p>
 </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
+<dt><span class="term"><code class="constant">
+                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
 <dd>
 <p>
-  Turn debugging mode on.  A lot more information is
-  printed about the packet sent to the server and the
-  resulting answer.
-  </p>
+                    Turn debugging mode on.  A lot more information is
+                    printed about the packet sent to the server and the
+                    resulting answer.
+                  </p>
 <p>
-  (Default = nod2)
-  </p>
+                    (Default = nod2)
+                  </p>
 </dd>
 <dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
 <dd><p>
-  Sets the search list to <em class="replaceable"><code>name</code></em>.
-  </p></dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
+                    Sets the search list to <em class="replaceable"><code>name</code></em>.
+                  </p></dd>
+<dt><span class="term"><code class="constant">
+                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
 <dd>
 <p>
-  If the lookup request contains at least one period but
-  doesn't end with a trailing period, append the domain
-  names in the domain search list to the request until an
-  answer is received.
-  </p>
+                    If the lookup request contains at least one period but
+                    doesn't end with a trailing period, append the domain
+                    names in the domain search list to the request until an
+                    answer is received.
+                  </p>
 <p>
-  (Default = search)
-  </p>
+                    (Default = search)
+                  </p>
 </dd>
 <dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
 <dd>
 <p>
-  Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
-  </p>
+                    Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
+                  </p>
 <p>
-  (Default = 53; abbreviation = po)
-  </p>
+                    (Default = 53; abbreviation = po)
+                  </p>
 </dd>
 <dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
 <dd><p></p></dd>
 <dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
 <dd>
 <p>
-  Change the type of the information query.
-  </p>
+                    Change the type of the information query.
+                  </p>
 <p>
-  (Default = A; abbreviations = q, ty)
-  </p>
+                    (Default = A; abbreviations = q, ty)
+                  </p>
 </dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
+<dt><span class="term"><code class="constant">
+                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
 <dd>
 <p>
-  Tell the name server to query other servers if it does not have the
-  information.
-  </p>
+                    Tell the name server to query other servers if it does not
+                    have the
+                    information.
+                  </p>
 <p>
-  (Default = recurse; abbreviation = [no]rec)
-  </p>
+                    (Default = recurse; abbreviation = [no]rec)
+                  </p>
 </dd>
 <dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
 <dd><p>
-  Set the number of retries to number.
-  </p></dd>
+                    Set the number of retries to number.
+                  </p></dd>
 <dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
 <dd><p>
-  Change the initial timeout interval for waiting for a
-  reply to number seconds.
-  </p></dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
+                    Change the initial timeout interval for waiting for a
+                    reply to number seconds.
+                  </p></dd>
+<dt><span class="term"><code class="constant">
+                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
+<dd>
+<p>
+                    Always use a virtual circuit when sending requests to the
+                    server.
+                  </p>
+<p>
+                    (Default = novc)
+                  </p>
+</dd>
+<dt><span class="term"><code class="constant">
+                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
 <dd>
 <p>
-  Always use a virtual circuit when sending requests to the server.
-  </p>
+		    Try the next nameserver if a nameserver responds with
+		    SERVFAIL or a referral (nofail) or terminate query
+		    (fail) on such a response.
+		  </p>
 <p>
-  (Default = novc)
-  </p>
+                    (Default = nofail)
+                  </p>
 </dd>
 </dl></div>
 <p>
-</p>
+          </p>
 </dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549990"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/resolv.conf</code>
-</p>
+<a name="id2546279"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550003"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
-<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
-</p>
+<a name="id2546291"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550038"></a><h2>Author</h2>
+<a name="id2546325"></a><h2>Author</h2>
 <p>
-Andrew Cherenson
-</p>
+      Andrew Cherenson
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/bin/dnssec/Makefile.in b/contrib/bind9/bin/dnssec/Makefile.in
index b9b7bea..b94dca7 100644
--- a/contrib/bind9/bin/dnssec/Makefile.in
+++ b/contrib/bind9/bin/dnssec/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.19.12.12 2005/05/02 00:25:54 marka Exp $
+# $Id: Makefile.in,v 1.26.18.4 2005/05/02 00:26:11 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.8 b/contrib/bind9/bin/dnssec/dnssec-keygen.8
index 35bb0ef..39762fd 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.8
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.19.12.10 2006/06/29 13:02:30 marka Exp $
+.\" $Id: dnssec-keygen.8,v 1.23.18.13 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: dnssec\-keygen
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: June 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -39,8 +39,9 @@ dnssec\-keygen \- DNSSEC key generation tool
 \fBdnssec\-keygen\fR
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC <TBA\\>. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \-a \fIalgorithm\fR
+.RS 4
 Selects the cryptographic algorithm. The value of
 \fBalgorithm\fR
 must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive.
@@ -48,38 +49,58 @@ must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5.
 Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
 .sp
 Note 2: HMAC\-MD5 and DH automatically set the \-k flag.
-.TP 3n
+.RE
+.PP
 \-b \fIkeysize\fR
+.RS 4
 Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits.
-.TP 3n
+.RE
+.PP
 \-n \fInametype\fR
+.RS 4
 Specifies the owner type of the key. The value of
 \fBnametype\fR
 must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
-.TP 3n
+.RE
+.PP
 \-c \fIclass\fR
+.RS 4
 Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
-.TP 3n
+.RE
+.PP
 \-e
+.RS 4
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
-.TP 3n
+.RE
+.PP
 \-f \fIflag\fR
+.RS 4
 Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
-.TP 3n
+.RE
+.PP
 \-g \fIgenerator\fR
+.RS 4
 If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2.
-.TP 3n
+.RE
+.PP
 \-h
+.RS 4
 Prints a short summary of the options and arguments to
 \fBdnssec\-keygen\fR.
-.TP 3n
+.RE
+.PP
 \-k
+.RS 4
 Generate KEY records rather than DNSKEY records.
-.TP 3n
+.RE
+.PP
 \-p \fIprotocol\fR
+.RS 4
 Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
-.TP 3n
+.RE
+.PP
 \-r \fIrandomdev\fR
+.RS 4
 Specifies the source of randomness. If the operating system does not provide a
 \fI/dev/random\fR
 or equivalent device, the default source of randomness is keyboard input.
@@ -87,17 +108,24 @@ or equivalent device, the default source of randomness is keyboard input.
 specifies the name of a character device or file containing random data to be used instead of the default. The special value
 \fIkeyboard\fR
 indicates that keyboard input should be used.
-.TP 3n
+.RE
+.PP
 \-s \fIstrength\fR
+.RS 4
 Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
-.TP 3n
+.RE
+.PP
 \-t \fItype\fR
+.RS 4
 Indicates the use of the key.
 \fBtype\fR
 must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
-.TP 3n
+.RE
+.PP
 \-v \fIlevel\fR
+.RS 4
 Sets the debugging level.
+.RE
 .SH "GENERATED KEYS"
 .PP
 When
@@ -105,20 +133,18 @@ When
 completes successfully, it prints a string of the form
 \fIKnnnn.+aaa+iiiii\fR
 to the standard output. This is an identification string for the key it has generated.
-.TP 3n
+.TP 4
 \(bu
 \fInnnn\fR
 is the key name.
-.TP 3n
+.TP 4
 \(bu
 \fIaaa\fR
 is the numeric representation of the algorithm.
-.TP 3n
+.TP 4
 \(bu
 \fIiiiii\fR
 is the key identifier (or footprint).
-.sp
-.RE
 .PP
 \fBdnssec\-keygen\fR
 creates two file, with names based on the printed string.
@@ -168,4 +194,7 @@ RFC 2539.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2003 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.c b/contrib/bind9/bin/dnssec/dnssec-keygen.c
index 7feaf7c..19087ea 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.c
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.c
@@ -1,6 +1,6 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000-2003  Internet Software Consortium.
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,9 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.48.2.1.10.11 2004/06/11 01:17:34 marka Exp $ */
+/* $Id: dnssec-keygen.c,v 1.66.18.9 2007/01/18 00:06:11 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -47,7 +49,9 @@
 const char *program = "dnssec-keygen";
 int verbose;
 
-static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5";
+static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5 |"
+			  " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | "
+			  " HMAC-SHA384 | HMAC-SHA512";
 
 static isc_boolean_t
 dsa_size_ok(int size) {
@@ -68,10 +72,16 @@ usage(void) {
 	fprintf(stderr, "        DH:\t\t[128..4096]\n");
 	fprintf(stderr, "        DSA:\t\t[512..1024] and divisible by 64\n");
 	fprintf(stderr, "        HMAC-MD5:\t[1..512]\n");
+	fprintf(stderr, "        HMAC-SHA1:\t[1..160]\n");
+	fprintf(stderr, "        HMAC-SHA224:\t[1..224]\n");
+	fprintf(stderr, "        HMAC-SHA256:\t[1..256]\n");
+	fprintf(stderr, "        HMAC-SHA384:\t[1..384]\n");
+	fprintf(stderr, "        HMAC-SHA512:\t[1..512]\n");
 	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
 	fprintf(stderr, "    -c <class> (default: IN)\n");
+	fprintf(stderr, "    -d <digest bits> (0 => max, default)\n");
 	fprintf(stderr, "    -e use large exponent (RSAMD5/RSASHA1 only)\n");
 	fprintf(stderr, "    -f keyflag: KSK\n");
 	fprintf(stderr, "    -g <generator> use specified generator "
@@ -115,6 +125,7 @@ main(int argc, char **argv) {
 	isc_entropy_t	*ectx = NULL;
 	dns_rdataclass_t rdclass;
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
+	int		dbits = 0;
 
 	if (argc == 1)
 		usage();
@@ -124,7 +135,7 @@ main(int argc, char **argv) {
 	dns_result_register();
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "a:b:c:ef:g:kn:t:p:s:r:v:h")) != -1)
+					   "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
 	{
 	    switch (ch) {
 		case 'a':
@@ -138,6 +149,11 @@ main(int argc, char **argv) {
 		case 'c':
 			classname = isc_commandline_argument;
 			break;
+		case 'd':
+			dbits = strtol(isc_commandline_argument, &endp, 10);
+			if (*endp != '\0' || dbits < 0)
+				fatal("-d requires a non-negative number");
+			break;
 		case 'e':
 			rsa_exp = 1;
 			break;
@@ -211,9 +227,29 @@ main(int argc, char **argv) {
 
 	if (algname == NULL)
 		fatal("no algorithm was specified");
-	if (strcasecmp(algname, "HMAC-MD5") == 0) {
+	if (strcasecmp(algname, "RSA") == 0) {
+		fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
+				"If you still wish to use RSA (RSAMD5) please "
+				"specify \"-a RSAMD5\"\n");
+		return (1);
+	} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
 		options |= DST_TYPE_KEY;
 		alg = DST_ALG_HMACMD5;
+	} else if (strcasecmp(algname, "HMAC-SHA1") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA1;
+	} else if (strcasecmp(algname, "HMAC-SHA224") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA224;
+	} else if (strcasecmp(algname, "HMAC-SHA256") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA256;
+	} else if (strcasecmp(algname, "HMAC-SHA384") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA384;
+	} else if (strcasecmp(algname, "HMAC-SHA512") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA512;
 	} else {
 		r.base = algname;
 		r.length = strlen(algname);
@@ -260,6 +296,56 @@ main(int argc, char **argv) {
 	case DST_ALG_HMACMD5:
 		if (size < 1 || size > 512)
 			fatal("HMAC-MD5 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 80 || dbits > 128))
+			fatal("HMAC-MD5 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-MD5 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA1:
+		if (size < 1 || size > 160)
+			fatal("HMAC-SHA1 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 80 || dbits > 160))
+			fatal("HMAC-SHA1 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA1 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA224:
+		if (size < 1 || size > 224)
+			fatal("HMAC-SHA224 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 112 || dbits > 224))
+			fatal("HMAC-SHA224 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA224 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA256:
+		if (size < 1 || size > 256)
+			fatal("HMAC-SHA256 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 128 || dbits > 256))
+			fatal("HMAC-SHA256 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA256 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA384:
+		if (size < 1 || size > 384)
+			fatal("HMAC-384 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 192 || dbits > 384))
+			fatal("HMAC-SHA384 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA384 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA512:
+		if (size < 1 || size > 512)
+			fatal("HMAC-SHA512 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 256 || dbits > 512))
+			fatal("HMAC-SHA512 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA512 digest bits %d not divisible by 8",
+			      dbits);
 		break;
 	}
 
@@ -306,7 +392,10 @@ main(int argc, char **argv) {
 	}
 
 	if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
-	    (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5))
+	    (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5 ||
+	     alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 ||
+	     alg == DST_ALG_HMACSHA256 || alg == DST_ALG_HMACSHA384 ||
+	     alg == DST_ALG_HMACSHA512))
 		fatal("a key with algorithm '%s' cannot be a zone key",
 		      algname);
 
@@ -330,6 +419,11 @@ main(int argc, char **argv) {
 		break;
 	case DNS_KEYALG_DSA:
 	case DST_ALG_HMACMD5:
+	case DST_ALG_HMACSHA1:
+	case DST_ALG_HMACSHA224:
+	case DST_ALG_HMACSHA256:
+	case DST_ALG_HMACSHA384:
+	case DST_ALG_HMACSHA512:
 		param = 0;
 		break;
 	}
@@ -358,6 +452,8 @@ main(int argc, char **argv) {
 			exit(-1);
 		}
 
+		dst_key_setbits(key, dbits);
+
 		/*
 		 * Try to read a key with the same name, alg and id from disk.
 		 * If there is one we must continue generating a new one
@@ -407,6 +503,7 @@ main(int argc, char **argv) {
 	cleanup_logging(&log);
 	cleanup_entropy(&ectx);
 	dst_lib_destroy();
+	dns_name_destroy();
 	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
 	isc_mem_destroy(&mctx);
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
index e1eee22..cc5f1e7 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,8 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-keygen.docbook,v 1.3.12.9 2005/08/30 01:41:41 marka Exp $ -->
-
-<refentry>
+<!-- $Id: dnssec-keygen.docbook,v 1.7.18.9 2007/01/29 23:57:20 marka Exp $ -->
+<refentry id="man.dnssec-keygen">
   <refentryinfo>
     <date>June 30, 2000</date>
   </refentryinfo>
@@ -31,10 +30,16 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
+  <refnamediv>
+    <refname><application>dnssec-keygen</application></refname>
+    <refpurpose>DNSSEC key generation tool</refpurpose>
+  </refnamediv>
+
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -46,11 +51,6 @@
     </copyright>
   </docinfo>
 
-  <refnamediv>
-    <refname><application>dnssec-keygen</application></refname>
-    <refpurpose>DNSSEC key generation tool</refpurpose>
-  </refnamediv>
-
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>dnssec-keygen</command>
@@ -74,11 +74,10 @@
 
   <refsect1>
     <title>DESCRIPTION</title>
-    <para>
-        <command>dnssec-keygen</command> generates keys for DNSSEC
-	(Secure DNS), as defined in RFC 2535 and RFC &lt;TBA\&gt;.  It can also generate
-	keys for use with TSIG (Transaction Signatures), as
-	defined in RFC 2845.
+    <para><command>dnssec-keygen</command>
+      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
+      and RFC &lt;TBA\&gt;.  It can also generate keys for use with
+      TSIG (Transaction Signatures), as defined in RFC 2845.
     </para>
   </refsect1>
 
@@ -88,168 +87,173 @@
     <variablelist>
       <varlistentry>
         <term>-a <replaceable class="parameter">algorithm</replaceable></term>
-	<listitem>
-	  <para>
-	      Selects the cryptographic algorithm.  The value of
-	      <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
-	      DSA, DH (Diffie Hellman), or HMAC-MD5.  These values
-	      are case insensitive.
-	  </para>
-	  <para>
-	      Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
-	      and DSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
-	  </para>
-	  <para>
-	      Note 2: HMAC-MD5 and DH automatically set the -k flag.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Selects the cryptographic algorithm.  The value of
+            <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
+            	      DSA, DH (Diffie Hellman), or HMAC-MD5.  These values
+            are case insensitive.
+          </para>
+          <para>
+            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+            algorithm,
+            and DSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
+          </para>
+          <para>
+            Note 2: HMAC-MD5 and DH automatically set the -k flag.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-b <replaceable class="parameter">keysize</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the number of bits in the key.  The choice of key
-	       size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be between
-	       512 and 2048 bits.  Diffie Hellman keys must be between
-	       128 and 4096 bits.  DSA keys must be between 512 and 1024
-	       bits and an exact multiple of 64.  HMAC-MD5 keys must be
-	       between 1 and 512 bits.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the number of bits in the key.  The choice of key
+            size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be
+            between
+            512 and 2048 bits.  Diffie Hellman keys must be between
+            128 and 4096 bits.  DSA keys must be between 512 and 1024
+            bits and an exact multiple of 64.  HMAC-MD5 keys must be
+            between 1 and 512 bits.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-n <replaceable class="parameter">nametype</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the owner type of the key.  The value of
-	       <option>nametype</option> must either be ZONE (for a DNSSEC
-	       zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
-	       USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).  These values are
-	       case insensitive.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the owner type of the key.  The value of
+            <option>nametype</option> must either be ZONE (for a DNSSEC
+            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+            a host (KEY)),
+            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+            These values are
+            case insensitive.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-c <replaceable class="parameter">class</replaceable></term>
-	<listitem>
-	  <para>
-	       Indicates that the DNS record containing the key should have
-	       the specified class.  If not specified, class IN is used.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Indicates that the DNS record containing the key should have
+            the specified class.  If not specified, class IN is used.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-e</term>
-	<listitem>
-	  <para>
-	       If generating an RSAMD5/RSASHA1 key, use a large exponent.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            If generating an RSAMD5/RSASHA1 key, use a large exponent.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-f <replaceable class="parameter">flag</replaceable></term>
-	<listitem>
-	  <para>
-		Set the specified flag in the flag field of the KEY/DNSKEY record.
-		The only recognized flag is KSK (Key Signing Key) DNSKEY.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Set the specified flag in the flag field of the KEY/DNSKEY record.
+            		The only recognized flag is KSK (Key Signing Key) DNSKEY.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-g <replaceable class="parameter">generator</replaceable></term>
-	<listitem>
-	  <para>
-	       If generating a Diffie Hellman key, use this generator.
-	       Allowed values are 2 and 5.  If no generator
-	       is specified, a known prime from RFC 2539 will be used
-	       if possible; otherwise the default is 2.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            If generating a Diffie Hellman key, use this generator.
+            Allowed values are 2 and 5.  If no generator
+            is specified, a known prime from RFC 2539 will be used
+            if possible; otherwise the default is 2.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-h</term>
-	<listitem>
-	  <para>
-	       Prints a short summary of the options and arguments to
-	       <command>dnssec-keygen</command>.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Prints a short summary of the options and arguments to
+            <command>dnssec-keygen</command>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-k</term>
-	<listitem>
-	  <para>
-	       Generate KEY records rather than DNSKEY records.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Generate KEY records rather than DNSKEY records.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-p <replaceable class="parameter">protocol</replaceable></term>
-	<listitem>
-	  <para>
-	       Sets the protocol value for the generated key.  The protocol
-	       is a number between 0 and 255.  The default is 3 (DNSSEC).
-	       Other possible values for this argument are listed in
-	       RFC 2535 and its successors.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Sets the protocol value for the generated key.  The protocol
+            is a number between 0 and 255.  The default is 3 (DNSSEC).
+            Other possible values for this argument are listed in
+            RFC 2535 and its successors.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-r <replaceable class="parameter">randomdev</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the source of randomness.  If the operating
-	       system does not provide a <filename>/dev/random</filename>
-	       or equivalent device, the default source of randomness
-	       is keyboard input.  <filename>randomdev</filename> specifies
-	       the name of a character device or file containing random
-	       data to be used instead of the default.  The special value
-	       <filename>keyboard</filename> indicates that keyboard
-	       input should be used.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the source of randomness.  If the operating
+            system does not provide a <filename>/dev/random</filename>
+            or equivalent device, the default source of randomness
+            is keyboard input.  <filename>randomdev</filename>
+            specifies
+            the name of a character device or file containing random
+            data to be used instead of the default.  The special value
+            <filename>keyboard</filename> indicates that keyboard
+            input should be used.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-s <replaceable class="parameter">strength</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the strength value of the key.  The strength is
-	       a number between 0 and 15, and currently has no defined
-	       purpose in DNSSEC.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the strength value of the key.  The strength is
+            a number between 0 and 15, and currently has no defined
+            purpose in DNSSEC.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-t <replaceable class="parameter">type</replaceable></term>
-	<listitem>
-	  <para>
-	       Indicates the use of the key.  <option>type</option> must be
-	       one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
-	       is AUTHCONF.  AUTH refers to the ability to authenticate
-	       data, and CONF the ability to encrypt data.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Indicates the use of the key.  <option>type</option> must be
+            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+            is AUTHCONF.  AUTH refers to the ability to authenticate
+            data, and CONF the ability to encrypt data.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-v <replaceable class="parameter">level</replaceable></term>
-	<listitem>
-	  <para>
-	       Sets the debugging level.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Sets the debugging level.
+          </para>
+        </listitem>
       </varlistentry>
 
     </variablelist>
@@ -258,82 +262,82 @@
   <refsect1>
     <title>GENERATED KEYS</title>
     <para>
-        When <command>dnssec-keygen</command> completes successfully,
-	it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
-	to the standard output.  This is an identification string for
-	the key it has generated.
+      When <command>dnssec-keygen</command> completes
+      successfully,
+      it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
+      to the standard output.  This is an identification string for
+      the key it has generated.
     </para>
     <itemizedlist>
       <listitem>
-        <para>
-          <filename>nnnn</filename> is the key name.
+        <para><filename>nnnn</filename> is the key name.
         </para>
       </listitem>
       <listitem>
-        <para>
-          <filename>aaa</filename> is the numeric representation of the
+        <para><filename>aaa</filename> is the numeric representation
+          of the
           algorithm.
         </para>
       </listitem>
       <listitem>
-        <para>
-          <filename>iiiii</filename> is the key identifier (or footprint).
+        <para><filename>iiiii</filename> is the key identifier (or
+          footprint).
         </para>
       </listitem>
     </itemizedlist>
-    <para>
-        <command>dnssec-keygen</command> creates two file, with names based
-	on the printed string.  <filename>Knnnn.+aaa+iiiii.key</filename>
-	contains the public key, and
-	<filename>Knnnn.+aaa+iiiii.private</filename> contains the private
-	key.
+    <para><command>dnssec-keygen</command> 
+      creates two file, with names based
+      on the printed string.  <filename>Knnnn.+aaa+iiiii.key</filename>
+      contains the public key, and
+      <filename>Knnnn.+aaa+iiiii.private</filename> contains the
+      private
+      key.
     </para>
     <para>
-        The <filename>.key</filename> file contains a DNS KEY record that
-	can be inserted into a zone file (directly or with a $INCLUDE
-	statement).
+      The <filename>.key</filename> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
     </para>
     <para>
-        The <filename>.private</filename> file contains algorithm specific
-	fields.  For obvious security reasons, this file does not have
-	general read permission.
+      The <filename>.private</filename> file contains algorithm
+      specific
+      fields.  For obvious security reasons, this file does not have
+      general read permission.
     </para>
     <para>
-        Both <filename>.key</filename> and <filename>.private</filename>
-	files are generated for symmetric encryption algorithm such as
-	HMAC-MD5, even though the public and private key are equivalent.
+      Both <filename>.key</filename> and <filename>.private</filename>
+      files are generated for symmetric encryption algorithm such as
+      HMAC-MD5, even though the public and private key are equivalent.
     </para>
   </refsect1>
 
   <refsect1>
     <title>EXAMPLE</title>
     <para>
-        To generate a 768-bit DSA key for the domain
-	<userinput>example.com</userinput>, the following command would be
-	issued:
+      To generate a 768-bit DSA key for the domain
+      <userinput>example.com</userinput>, the following command would be
+      issued:
     </para>
-    <para>
-        <userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
+    <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
     </para>
     <para>
-        The command would print a string of the form:
+      The command would print a string of the form:
     </para>
-    <para>
-        <userinput>Kexample.com.+003+26160</userinput>
+    <para><userinput>Kexample.com.+003+26160</userinput>
     </para>
     <para>
-        In this example, <command>dnssec-keygen</command> creates
-	the files <filename>Kexample.com.+003+26160.key</filename> and
-	<filename>Kexample.com.+003+26160.private</filename>
+      In this example, <command>dnssec-keygen</command> creates
+      the files <filename>Kexample.com.+003+26160.key</filename>
+      and
+      <filename>Kexample.com.+003+26160.private</filename>
     </para>
   </refsect1>
 
   <refsect1>
     <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>dnssec-signzone</refentrytitle>
-	<manvolnum>8</manvolnum>
+    <para><citerefentry>
+        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
       <citetitle>RFC 2535</citetitle>,
@@ -344,14 +348,11 @@
 
   <refsect1>
     <title>AUTHOR</title>
-    <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
     </para>
   </refsect1>
 
-</refentry>
-
-<!--
+</refentry><!--
  - Local variables:
  - mode: sgml
  - End:
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.html b/contrib/bind9/bin/dnssec/dnssec-keygen.html
index 7a15099..5229868 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.html
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dnssec-keygen.html,v 1.5.2.1.4.15 2006/06/29 13:02:30 marka Exp $ -->
+<!-- $Id: dnssec-keygen.html,v 1.9.18.19 2007/01/30 00:23:44 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-keygen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
@@ -32,186 +32,191 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549521"></a><h2>DESCRIPTION</h2>
-<p>
-        <span><strong class="command">dnssec-keygen</strong></span> generates keys for DNSSEC
-	(Secure DNS), as defined in RFC 2535 and RFC &lt;TBA\&gt;.  It can also generate
-	keys for use with TSIG (Transaction Signatures), as
-	defined in RFC 2845.
+<a name="id2543474"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-keygen</strong></span>
+      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
+      and RFC &lt;TBA\&gt;.  It can also generate keys for use with
+      TSIG (Transaction Signatures), as defined in RFC 2845.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549533"></a><h2>OPTIONS</h2>
+<a name="id2543485"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
 <p>
-	      Selects the cryptographic algorithm.  The value of
-	      <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
-	      DSA, DH (Diffie Hellman), or HMAC-MD5.  These values
-	      are case insensitive.
-	  </p>
+            Selects the cryptographic algorithm.  The value of
+            <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
+            	      DSA, DH (Diffie Hellman), or HMAC-MD5.  These values
+            are case insensitive.
+          </p>
 <p>
-	      Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
-	      and DSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
-	  </p>
+            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+            algorithm,
+            and DSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
+          </p>
 <p>
-	      Note 2: HMAC-MD5 and DH automatically set the -k flag.
-	  </p>
+            Note 2: HMAC-MD5 and DH automatically set the -k flag.
+          </p>
 </dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 <dd><p>
-	       Specifies the number of bits in the key.  The choice of key
-	       size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be between
-	       512 and 2048 bits.  Diffie Hellman keys must be between
-	       128 and 4096 bits.  DSA keys must be between 512 and 1024
-	       bits and an exact multiple of 64.  HMAC-MD5 keys must be
-	       between 1 and 512 bits.
-	  </p></dd>
+            Specifies the number of bits in the key.  The choice of key
+            size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be
+            between
+            512 and 2048 bits.  Diffie Hellman keys must be between
+            128 and 4096 bits.  DSA keys must be between 512 and 1024
+            bits and an exact multiple of 64.  HMAC-MD5 keys must be
+            between 1 and 512 bits.
+          </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 <dd><p>
-	       Specifies the owner type of the key.  The value of
-	       <code class="option">nametype</code> must either be ZONE (for a DNSSEC
-	       zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
-	       USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).  These values are
-	       case insensitive.
-	  </p></dd>
+            Specifies the owner type of the key.  The value of
+            <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+            a host (KEY)),
+            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+            These values are
+            case insensitive.
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd><p>
-	       Indicates that the DNS record containing the key should have
-	       the specified class.  If not specified, class IN is used.
-	  </p></dd>
+            Indicates that the DNS record containing the key should have
+            the specified class.  If not specified, class IN is used.
+          </p></dd>
 <dt><span class="term">-e</span></dt>
 <dd><p>
-	       If generating an RSAMD5/RSASHA1 key, use a large exponent.
-	  </p></dd>
+            If generating an RSAMD5/RSASHA1 key, use a large exponent.
+          </p></dd>
 <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 <dd><p>
-		Set the specified flag in the flag field of the KEY/DNSKEY record.
-		The only recognized flag is KSK (Key Signing Key) DNSKEY.
-	  </p></dd>
+            Set the specified flag in the flag field of the KEY/DNSKEY record.
+            		The only recognized flag is KSK (Key Signing Key) DNSKEY.
+          </p></dd>
 <dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
 <dd><p>
-	       If generating a Diffie Hellman key, use this generator.
-	       Allowed values are 2 and 5.  If no generator
-	       is specified, a known prime from RFC 2539 will be used
-	       if possible; otherwise the default is 2.
-	  </p></dd>
+            If generating a Diffie Hellman key, use this generator.
+            Allowed values are 2 and 5.  If no generator
+            is specified, a known prime from RFC 2539 will be used
+            if possible; otherwise the default is 2.
+          </p></dd>
 <dt><span class="term">-h</span></dt>
 <dd><p>
-	       Prints a short summary of the options and arguments to
-	       <span><strong class="command">dnssec-keygen</strong></span>.
-	  </p></dd>
+            Prints a short summary of the options and arguments to
+            <span><strong class="command">dnssec-keygen</strong></span>.
+          </p></dd>
 <dt><span class="term">-k</span></dt>
 <dd><p>
-	       Generate KEY records rather than DNSKEY records.
-	  </p></dd>
+            Generate KEY records rather than DNSKEY records.
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 <dd><p>
-	       Sets the protocol value for the generated key.  The protocol
-	       is a number between 0 and 255.  The default is 3 (DNSSEC).
-	       Other possible values for this argument are listed in
-	       RFC 2535 and its successors.
-	  </p></dd>
+            Sets the protocol value for the generated key.  The protocol
+            is a number between 0 and 255.  The default is 3 (DNSSEC).
+            Other possible values for this argument are listed in
+            RFC 2535 and its successors.
+          </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 <dd><p>
-	       Specifies the source of randomness.  If the operating
-	       system does not provide a <code class="filename">/dev/random</code>
-	       or equivalent device, the default source of randomness
-	       is keyboard input.  <code class="filename">randomdev</code> specifies
-	       the name of a character device or file containing random
-	       data to be used instead of the default.  The special value
-	       <code class="filename">keyboard</code> indicates that keyboard
-	       input should be used.
-	  </p></dd>
+            Specifies the source of randomness.  If the operating
+            system does not provide a <code class="filename">/dev/random</code>
+            or equivalent device, the default source of randomness
+            is keyboard input.  <code class="filename">randomdev</code>
+            specifies
+            the name of a character device or file containing random
+            data to be used instead of the default.  The special value
+            <code class="filename">keyboard</code> indicates that keyboard
+            input should be used.
+          </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
 <dd><p>
-	       Specifies the strength value of the key.  The strength is
-	       a number between 0 and 15, and currently has no defined
-	       purpose in DNSSEC.
-	  </p></dd>
+            Specifies the strength value of the key.  The strength is
+            a number between 0 and 15, and currently has no defined
+            purpose in DNSSEC.
+          </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd><p>
-	       Indicates the use of the key.  <code class="option">type</code> must be
-	       one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
-	       is AUTHCONF.  AUTH refers to the ability to authenticate
-	       data, and CONF the ability to encrypt data.
-	  </p></dd>
+            Indicates the use of the key.  <code class="option">type</code> must be
+            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+            is AUTHCONF.  AUTH refers to the ability to authenticate
+            data, and CONF the ability to encrypt data.
+          </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 <dd><p>
-	       Sets the debugging level.
-	  </p></dd>
+            Sets the debugging level.
+          </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549939"></a><h2>GENERATED KEYS</h2>
+<a name="id2543820"></a><h2>GENERATED KEYS</h2>
 <p>
-        When <span><strong class="command">dnssec-keygen</strong></span> completes successfully,
-	it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
-	to the standard output.  This is an identification string for
-	the key it has generated.
+      When <span><strong class="command">dnssec-keygen</strong></span> completes
+      successfully,
+      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
+      to the standard output.  This is an identification string for
+      the key it has generated.
     </p>
 <div class="itemizedlist"><ul type="disc">
-<li><p>
-          <code class="filename">nnnn</code> is the key name.
+<li><p><code class="filename">nnnn</code> is the key name.
         </p></li>
-<li><p>
-          <code class="filename">aaa</code> is the numeric representation of the
+<li><p><code class="filename">aaa</code> is the numeric representation
+          of the
           algorithm.
         </p></li>
-<li><p>
-          <code class="filename">iiiii</code> is the key identifier (or footprint).
+<li><p><code class="filename">iiiii</code> is the key identifier (or
+          footprint).
         </p></li>
 </ul></div>
-<p>
-        <span><strong class="command">dnssec-keygen</strong></span> creates two file, with names based
-	on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
-	contains the public key, and
-	<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the private
-	key.
+<p><span><strong class="command">dnssec-keygen</strong></span> 
+      creates two file, with names based
+      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
+      contains the public key, and
+      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
+      private
+      key.
     </p>
 <p>
-        The <code class="filename">.key</code> file contains a DNS KEY record that
-	can be inserted into a zone file (directly or with a $INCLUDE
-	statement).
+      The <code class="filename">.key</code> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
     </p>
 <p>
-        The <code class="filename">.private</code> file contains algorithm specific
-	fields.  For obvious security reasons, this file does not have
-	general read permission.
+      The <code class="filename">.private</code> file contains algorithm
+      specific
+      fields.  For obvious security reasons, this file does not have
+      general read permission.
     </p>
 <p>
-        Both <code class="filename">.key</code> and <code class="filename">.private</code>
-	files are generated for symmetric encryption algorithm such as
-	HMAC-MD5, even though the public and private key are equivalent.
+      Both <code class="filename">.key</code> and <code class="filename">.private</code>
+      files are generated for symmetric encryption algorithm such as
+      HMAC-MD5, even though the public and private key are equivalent.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550027"></a><h2>EXAMPLE</h2>
+<a name="id2543902"></a><h2>EXAMPLE</h2>
 <p>
-        To generate a 768-bit DSA key for the domain
-	<strong class="userinput"><code>example.com</code></strong>, the following command would be
-	issued:
+      To generate a 768-bit DSA key for the domain
+      <strong class="userinput"><code>example.com</code></strong>, the following command would be
+      issued:
     </p>
-<p>
-        <strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
+<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
     </p>
 <p>
-        The command would print a string of the form:
+      The command would print a string of the form:
     </p>
-<p>
-        <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
+<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
     </p>
 <p>
-        In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
-	the files <code class="filename">Kexample.com.+003+26160.key</code> and
-	<code class="filename">Kexample.com.+003+26160.private</code>
+      In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
+      the files <code class="filename">Kexample.com.+003+26160.key</code>
+      and
+      <code class="filename">Kexample.com.+003+26160.private</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550073"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+<a name="id2543946"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2535</em>,
       <em class="citetitle">RFC 2845</em>,
@@ -219,9 +224,8 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550106"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
+<a name="id2544045"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div></body>
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.8 b/contrib/bind9/bin/dnssec/dnssec-signzone.8
index 734eca6..86347b1 100644
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.8
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.23.2.1.4.11 2006/06/29 13:02:30 marka Exp $
+.\" $Id: dnssec-signzone.8,v 1.28.18.16 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: dnssec\-signzone
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: June 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -33,7 +33,7 @@
 dnssec\-signzone \- DNSSEC zone signing tool
 .SH "SYNOPSIS"
 .HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-n\ \fR\fB\fInthreads\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...]
+\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...]
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-signzone\fR
@@ -41,50 +41,71 @@ signs a zone. It generates NSEC and RRSIG records and produces a signed version
 \fIkeyset\fR
 file for each child zone.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \-a
+.RS 4
 Verify all generated signatures.
-.TP 3n
+.RE
+.PP
 \-c \fIclass\fR
+.RS 4
 Specifies the DNS class of the zone.
-.TP 3n
+.RE
+.PP
 \-k \fIkey\fR
+.RS 4
 Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
-.TP 3n
+.RE
+.PP
 \-l \fIdomain\fR
+.RS 4
 Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
-.TP 3n
+.RE
+.PP
 \-d \fIdirectory\fR
+.RS 4
 Look for
 \fIkeyset\fR
 files in
 \fBdirectory\fR
 as the directory
-.TP 3n
+.RE
+.PP
 \-g
+.RS 4
 Generate DS records for child zones from keyset files. Existing DS records will be removed.
-.TP 3n
+.RE
+.PP
 \-s \fIstart\-time\fR
+.RS 4
 Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
 \fBstart\-time\fR
 is specified, the current time minus 1 hour (to allow for clock skew) is used.
-.TP 3n
+.RE
+.PP
 \-e \fIend\-time\fR
+.RS 4
 Specify the date and time when the generated RRSIG records expire. As with
 \fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
 \fBend\-time\fR
 is specified, 30 days from the start time is used as a default.
-.TP 3n
+.RE
+.PP
 \-f \fIoutput\-file\fR
+.RS 4
 The name of the output file containing the signed zone. The default is to append
 \fI.signed\fR
 to the input file.
-.TP 3n
+.RE
+.PP
 \-h
+.RS 4
 Prints a short summary of the options and arguments to
 \fBdnssec\-signzone\fR.
-.TP 3n
+.RE
+.PP
 \-i \fIinterval\fR
+.RS 4
 When a previously signed zone is passed as input, records may be resigned. The
 \fBinterval\fR
 option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.
@@ -96,17 +117,77 @@ or
 are specified,
 \fBdnssec\-signzone\fR
 generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.
-.TP 3n
+.RE
+.PP
+\-I \fIinput\-format\fR
+.RS 4
+The format of the input zone file. Possible formats are
+\fB"text"\fR
+(default) and
+\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones.
+.RE
+.PP
+\-j \fIjitter\fR
+.RS 4
+When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously signed zone is passed as input to the signer, all expired signatures has to be regenerated at about the same time. The
+\fBjitter\fR
+option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time.
+.sp
+Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.
+.RE
+.PP
 \-n \fIncpus\fR
+.RS 4
 Specifies the number of threads to use. By default, one thread is started for each detected CPU.
-.TP 3n
+.RE
+.PP
+\-N \fIsoa\-serial\-format\fR
+.RS 4
+The SOA serial number format of the signed zone. Possible formats are
+\fB"keep"\fR
+(default),
+\fB"increment"\fR
+and
+\fB"unixtime"\fR.
+.RS 4
+.PP
+\fB"keep"\fR
+.RS 4
+Do not modify the SOA serial number.
+.RE
+.PP
+\fB"increment"\fR
+.RS 4
+Increment the SOA serial number using RFC 1982 arithmetics.
+.RE
+.PP
+\fB"unixtime"\fR
+.RS 4
+Set the SOA serial number to the number of seconds since epoch.
+.RE
+.RE
+.RE
+.PP
 \-o \fIorigin\fR
+.RS 4
 The zone origin. If not specified, the name of the zone file is assumed to be the origin.
-.TP 3n
+.RE
+.PP
+\-O \fIoutput\-format\fR
+.RS 4
+The format of the output file containing the signed zone. Possible formats are
+\fB"text"\fR
+(default) and
+\fB"raw"\fR.
+.RE
+.PP
 \-p
+.RS 4
 Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
-.TP 3n
+.RE
+.PP
 \-r \fIrandomdev\fR
+.RS 4
 Specifies the source of randomness. If the operating system does not provide a
 \fI/dev/random\fR
 or equivalent device, the default source of randomness is keyboard input.
@@ -114,21 +195,32 @@ or equivalent device, the default source of randomness is keyboard input.
 specifies the name of a character device or file containing random data to be used instead of the default. The special value
 \fIkeyboard\fR
 indicates that keyboard input should be used.
-.TP 3n
+.RE
+.PP
 \-t
+.RS 4
 Print statistics at completion.
-.TP 3n
+.RE
+.PP
 \-v \fIlevel\fR
+.RS 4
 Sets the debugging level.
-.TP 3n
+.RE
+.PP
 \-z
+.RS 4
 Ignore KSK flag on key when determining what to sign.
-.TP 3n
+.RE
+.PP
 zonefile
+.RS 4
 The file containing the zone to be signed.
-.TP 3n
+.RE
+.PP
 key
+.RS 4
 The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory.
+.RE
 .SH "EXAMPLE"
 .PP
 The following command signs the
@@ -159,4 +251,7 @@ RFC 2535.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2003 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.c b/contrib/bind9/bin/dnssec/dnssec-signzone.c
index 4ac840d..1f5b538 100644
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.c
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.c
@@ -16,7 +16,9 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.139.2.2.4.23 2006/01/04 23:50:19 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.177.18.21 2006/08/30 23:01:54 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -33,6 +35,7 @@
 #include <isc/mutex.h>
 #include <isc/os.h>
 #include <isc/print.h>
+#include <isc/random.h>
 #include <isc/serial.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
@@ -58,6 +61,7 @@
 #include <dns/rdatastruct.h>
 #include <dns/rdatatype.h>
 #include <dns/result.h>
+#include <dns/soa.h>
 #include <dns/time.h>
 
 #include <dst/dst.h>
@@ -85,6 +89,10 @@ struct signer_key_struct {
 #define SIGNER_EVENT_WRITE	(SIGNER_EVENTCLASS + 0)
 #define SIGNER_EVENT_WORK	(SIGNER_EVENTCLASS + 1)
 
+#define SOA_SERIAL_KEEP		0
+#define SOA_SERIAL_INCREMENT	1
+#define SOA_SERIAL_UNIXTIME	2
+
 typedef struct signer_event sevent_t;
 struct signer_event {
 	ISC_EVENT_COMMON(sevent_t);
@@ -96,6 +104,7 @@ static ISC_LIST(signer_key_t) keylist;
 static unsigned int keycount = 0;
 static isc_stdtime_t starttime = 0, endtime = 0, now;
 static int cycle = -1;
+static int jitter = 0;
 static isc_boolean_t tryverify = ISC_FALSE;
 static isc_boolean_t printstats = ISC_FALSE;
 static isc_mem_t *mctx = NULL;
@@ -104,6 +113,8 @@ static dns_ttl_t zonettl;
 static FILE *fp;
 static char *tempfile = NULL;
 static const dns_master_style_t *masterstyle;
+static dns_masterformat_t inputformat = dns_masterformat_text;
+static dns_masterformat_t outputformat = dns_masterformat_text;
 static unsigned int nsigned = 0, nretained = 0, ndropped = 0;
 static unsigned int nverified = 0, nverifyfailed = 0;
 static const char *directory;
@@ -125,6 +136,7 @@ static isc_boolean_t ignoreksk = ISC_FALSE;
 static dns_name_t *dlv = NULL;
 static dns_fixedname_t dlv_fixed;
 static dns_master_style_t *dsstyle = NULL;
+static unsigned int serialformat = SOA_SERIAL_KEEP;
 
 #define INCSTAT(counter)		\
 	if (printstats) {		\
@@ -154,42 +166,13 @@ static void
 dumpnode(dns_name_t *name, dns_dbnode_t *node) {
 	isc_result_t result;
 
+	if (outputformat != dns_masterformat_text)
+		return;
 	result = dns_master_dumpnodetostream(mctx, gdb, gversion, node, name,
 					     masterstyle, fp);
 	check_result(result, "dns_master_dumpnodetostream");
 }
 
-static void
-dumpdb(dns_db_t *db) {
-	dns_dbiterator_t *dbiter = NULL;
-	dns_dbnode_t *node;
-	dns_fixedname_t fname;
-	dns_name_t *name;
-	isc_result_t result;
-
-	dbiter = NULL;
-	result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
-	check_result(result, "dns_db_createiterator()");
-
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	node = NULL;
-
-	for (result = dns_dbiterator_first(dbiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_dbiterator_next(dbiter))
-	{
-		result = dns_dbiterator_current(dbiter, &node, name);
-		check_result(result, "dns_dbiterator_current()");
-		dumpnode(name, node);
-		dns_db_detachnode(db, &node);
-	}
-	if (result != ISC_R_NOMORE)
-		fatal("iterating database: %s", isc_result_totext(result));
-
-	dns_dbiterator_destroy(&dbiter);
-}
-
 static signer_key_t *
 newkeystruct(dst_key_t *dstkey, isc_boolean_t signwithkey) {
 	signer_key_t *key;
@@ -217,8 +200,10 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
 	    dst_key_t *key, isc_buffer_t *b)
 {
 	isc_result_t result;
+	isc_stdtime_t jendtime;
 
-	result = dns_dnssec_sign(name, rdataset, key, &starttime, &endtime,
+	jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime;
+	result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime,
 				 mctx, b, rdata);
 	isc_entropy_stopcallbacksources(ectx);
 	if (result != ISC_R_SUCCESS) {
@@ -253,7 +238,7 @@ iszonekey(signer_key_t *key) {
 		       dst_key_iszonekey(key->key)));
 }
 
-/*
+/*%
  * Finds the key that generated a RRSIG, if possible.  First look at the keys
  * that we've loaded already, and then see if there's a key on disk.
  */
@@ -291,7 +276,7 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) {
 	return (key);
 }
 
-/*
+/*%
  * Check to see if we expect to find a key at this name.  If we see a RRSIG
  * and can't find the signing key that we expect to find, we drop the rrsig.
  * I'm not sure if this is completely correct, but it seems to work.
@@ -337,7 +322,7 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
 	}
 }
 
-/*
+/*%
  * Signs a set.  Goes through contortions to decide if each RRSIG should
  * be dropped or retained, and then determines if any new SIGs need to
  * be generated.
@@ -598,7 +583,7 @@ opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
 		dns_db_detach(dbp);
 }
 
-/*
+/*%
  * Loads the key set for a child zone, if there is one, and builds DS records.
  */
 static isc_result_t
@@ -653,6 +638,16 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
 					      ttl, &ds, &tuple);
 		check_result(result, "dns_difftuple_create");
 		dns_diff_append(&diff, &tuple);
+
+		dns_rdata_reset(&ds);
+		result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA256,
+					   dsbuf, &ds);
+		check_result(result, "dns_ds_buildrdata");
+
+		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
+					      ttl, &ds, &tuple);
+		check_result(result, "dns_difftuple_create");
+		dns_diff_append(&diff, &tuple);
 	}
 	result = dns_diff_apply(&diff, db, ver);
 	check_result(result, "dns_diff_apply");
@@ -775,7 +770,7 @@ delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
 	return (ISC_TF(result == ISC_R_SUCCESS));
 }
 
-/*
+/*%
  * Signs all records at a name.  This mostly just signs each set individually,
  * but also adds the RRSIG bit to any NSECs generated earlier, deals with
  * parent/child KEY signatures, and handles other exceptional cases.
@@ -957,7 +952,7 @@ active_node(dns_dbnode_t *node) {
 		      isc_result_totext(result));
 
 	if (!active) {
-		/*
+		/*%
 		 * The node is empty of everything but NSEC / RRSIG records.
 		 */
 		for (result = dns_rdatasetiter_first(rdsiter);
@@ -1021,7 +1016,7 @@ active_node(dns_dbnode_t *node) {
 	return (active);
 }
 
-/*
+/*%
  * Extracts the TTL from the SOA.
  */
 static dns_ttl_t
@@ -1053,7 +1048,82 @@ soattl(void) {
 	return (ttl);
 }
 
-/*
+/*%
+ * Increment (or set if nonzero) the SOA serial
+ */
+static isc_result_t
+setsoaserial(isc_uint32_t serial) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_uint32_t old_serial, new_serial;
+
+	result = dns_db_getoriginnode(gdb, &node);
+	if (result != ISC_R_SUCCESS)
+		return result;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_findrdataset(gdb, node, gversion,
+				     dns_rdatatype_soa, 0,
+				     0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_rdataset_first(&rdataset);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	dns_rdataset_current(&rdataset, &rdata);
+
+	old_serial = dns_soa_getserial(&rdata);
+
+	if (serial) {
+		/* Set SOA serial to the value provided. */
+		new_serial = serial;
+	} else {
+		/* Increment SOA serial using RFC 1982 arithmetics */
+		new_serial = (old_serial + 1) & 0xFFFFFFFF;
+		if (new_serial == 0)
+			new_serial = 1;
+	}
+
+	/* If the new serial is not likely to cause a zone transfer
+	 * (a/ixfr) from servers having the old serial, warn the user.
+	 *
+	 * RFC1982 section 7 defines the maximum increment to be
+	 * (2^(32-1))-1.  Using u_int32_t arithmetic, we can do a single
+	 * comparison.  (5 - 6 == (2^32)-1, not negative-one)
+	 */
+	if (new_serial == old_serial ||
+	    (new_serial - old_serial) > 0x7fffffffU)
+		fprintf(stderr, "%s: warning: Serial number not advanced, "
+			"zone may not transfer\n", program);
+
+	dns_soa_setserial(new_serial, &rdata);
+
+	result = dns_db_deleterdataset(gdb, node, gversion,
+				       dns_rdatatype_soa, 0);
+	check_result(result, "dns_db_deleterdataset");
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_db_addrdataset(gdb, node, gversion,
+				    0, &rdataset, 0, NULL);
+	check_result(result, "dns_db_addrdataset");
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+cleanup:
+	dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(gdb, &node);
+	dns_rdata_reset(&rdata);
+
+	return (result);
+}
+
+/*%
  * Delete any RRSIG records at a node.
  */
 static void
@@ -1062,6 +1132,9 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
 	dns_rdataset_t set;
 	isc_result_t result, dresult;
 
+	if (outputformat != dns_masterformat_text)
+		return;
+
 	dns_rdataset_init(&set);
 	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
 	check_result(result, "dns_db_allrdatasets");
@@ -1089,7 +1162,7 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
 	dns_rdatasetiter_destroy(&rdsiter);
 }
 
-/*
+/*%
  * Set up the iterator and global state before starting the tasks.
  */
 static void
@@ -1104,7 +1177,7 @@ presign(void) {
 	check_result(result, "dns_dbiterator_first()");
 }
 
-/*
+/*%
  * Clean up the iterator and global state after the tasks complete.
  */
 static void
@@ -1112,7 +1185,33 @@ postsign(void) {
 	dns_dbiterator_destroy(&gdbiter);
 }
 
-/*
+/*%
+ * Sign the apex of the zone.
+ */
+static void
+signapex(void) {
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_result_t result;
+	
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+	result = dns_dbiterator_current(gdbiter, &node, name);
+	check_result(result, "dns_dbiterator_current()");
+	signname(node, name);
+	dumpnode(name, node);
+	cleannode(gdb, gversion, node);
+	dns_db_detachnode(gdb, &node);
+	result = dns_dbiterator_next(gdbiter);
+	if (result == ISC_R_NOMORE)
+		finished = ISC_TRUE;
+	else if (result != ISC_R_SUCCESS)
+		fatal("failure iterating database: %s",
+		      isc_result_totext(result));
+}
+
+/*%
  * Assigns a node to a worker thread.  This is protected by the master task's
  * lock.
  */
@@ -1192,7 +1291,7 @@ assignwork(isc_task_t *task, isc_task_t *worker) {
 	assigned++;
 }
 
-/*
+/*%
  * Start a worker task
  */
 static void
@@ -1204,7 +1303,7 @@ startworker(isc_task_t *task, isc_event_t *event) {
 	isc_event_free(&event);
 }
 
-/*
+/*%
  * Write a node to the output file, and restart the worker task.
  */
 static void
@@ -1222,7 +1321,7 @@ writenode(isc_task_t *task, isc_event_t *event) {
 	isc_event_free(&event);
 }
 
-/*
+/*%
  *  Sign a database node.
  */
 static void
@@ -1247,7 +1346,7 @@ sign(isc_task_t *task, isc_event_t *event) {
 	isc_task_send(master, ISC_EVENT_PTR(&wevent));
 }
 
-/*
+/*%
  * Generate NSEC records for the zone.
  */
 static void
@@ -1318,7 +1417,7 @@ nsecify(void) {
 	dns_dbiterator_destroy(&dbiter);
 }
 
-/*
+/*%
  * Load the zone file from disk
  */
 static void
@@ -1344,13 +1443,13 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
 			       rdclass, 0, NULL, db);
 	check_result(result, "dns_db_create()");
 
-	result = dns_db_load(*db, file);
+	result = dns_db_load2(*db, file, inputformat);
 	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
 		fatal("failed loading zone from '%s': %s",
 		      file, isc_result_totext(result));
 }
 
-/*
+/*%
  * Finds all public zone keys in the zone, and attempts to load the
  * private keys from disk.
  */
@@ -1389,7 +1488,7 @@ loadzonekeys(dns_db_t *db) {
 	dns_db_closeversion(db, &currentversion, ISC_FALSE);
 }
 
-/*
+/*%
  * Finds all public zone keys in the zone.
  */
 static void
@@ -1580,6 +1679,19 @@ writeset(const char *prefix, dns_rdatatype_t type) {
 				ds.type = dns_rdatatype_dlv;
 			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
 						      name, 0, &ds, &tuple);
+			check_result(result, "dns_difftuple_create");
+			dns_diff_append(&diff, &tuple);
+
+			dns_rdata_reset(&ds);
+			result = dns_ds_buildrdata(gorigin, &rdata,
+						   DNS_DSDIGEST_SHA256,
+						   dsbuf, &ds);
+			check_result(result, "dns_ds_buildrdata");
+			if (type == dns_rdatatype_dlv)
+				ds.type = dns_rdatatype_dlv;
+			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+						      name, 0, &ds, &tuple);
+
 		} else
 			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
 						      gorigin, zonettl,
@@ -1612,12 +1724,18 @@ static void
 print_time(FILE *fp) {
 	time_t currenttime;
 
+	if (outputformat != dns_masterformat_text)
+		return;
+
 	currenttime = time(NULL);
 	fprintf(fp, "; File written on %s", ctime(&currenttime));
 }
 
 static void
 print_version(FILE *fp) {
+	if (outputformat != dns_masterformat_text)
+		return;
+
 	fprintf(fp, "; dnssec_signzone version " VERSION "\n");
 }
 
@@ -1644,12 +1762,20 @@ usage(void) {
 	fprintf(stderr, "\t-i interval:\n");
 	fprintf(stderr, "\t\tcycle interval - resign "
 				"if < interval from end ( (end-start)/4 )\n");
+	fprintf(stderr, "\t-j jitter:\n");
+	fprintf(stderr, "\t\trandomize signature end time up to jitter seconds\n");
 	fprintf(stderr, "\t-v debuglevel (0)\n");
 	fprintf(stderr, "\t-o origin:\n");
 	fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
 	fprintf(stderr, "\t-f outfile:\n");
 	fprintf(stderr, "\t\tfile the signed zone is written in "
 				"(zonefile + .signed)\n");
+	fprintf(stderr, "\t-I format:\n");
+	fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
+	fprintf(stderr, "\t-O format:\n");
+	fprintf(stderr, "\t\tfile format of signed zone file (text)\n");
+	fprintf(stderr, "\t-N format:\n");
+	fprintf(stderr, "\t\tsoa serial format of signed zone file (keep)\n");
 	fprintf(stderr, "\t-r randomdev:\n");
 	fprintf(stderr,	"\t\ta file containing random data\n");
 	fprintf(stderr, "\t-a:\t");
@@ -1708,6 +1834,8 @@ main(int argc, char *argv[]) {
 	int i, ch;
 	char *startstr = NULL, *endstr = NULL, *classname = NULL;
 	char *origin = NULL, *file = NULL, *output = NULL;
+	char *inputformatstr = NULL, *outputformatstr = NULL;
+	char *serialformatstr = NULL;
 	char *dskeyfile[MAXDSKEYS];
 	int ndskeys = 0;
 	char *endp;
@@ -1720,7 +1848,6 @@ main(int argc, char *argv[]) {
 	isc_boolean_t free_output = ISC_FALSE;
 	int tempfilelen;
 	dns_rdataclass_t rdclass;
-	dns_db_t *udb = NULL;
 	isc_task_t **tasks = NULL;
 	isc_buffer_t b;
 	int len;
@@ -1736,7 +1863,7 @@ main(int argc, char *argv[]) {
 	dns_result_register();
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "ac:d:e:f:ghi:k:l:n:o:pr:s:Stv:z"))
+					   "ac:d:e:f:ghi:I:j:k:l:n:N:o:O:pr:s:Stv:z"))
 	       != -1) {
 		switch (ch) {
 		case 'a':
@@ -1776,6 +1903,17 @@ main(int argc, char *argv[]) {
 				      "positive");
 			break;
 
+		case 'I':
+			inputformatstr = isc_commandline_argument;
+			break;
+
+		case 'j':
+			endp = NULL;
+			jitter = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0' || jitter < 0)
+				fatal("jitter must be numeric and positive");
+			break;
+
 		case 'l': 
 			dns_fixedname_init(&dlv_fixed);
 			len = strlen(isc_commandline_argument);
@@ -1802,10 +1940,18 @@ main(int argc, char *argv[]) {
 				fatal("number of cpus must be numeric");
 			break;
 
+		case 'N':
+			serialformatstr = isc_commandline_argument;
+			break;
+
 		case 'o':
 			origin = isc_commandline_argument;
 			break;
 
+		case 'O':
+			outputformatstr = isc_commandline_argument;
+			break;
+
 		case 'p':
 			pseudorandom = ISC_TRUE;
 			break;
@@ -1901,6 +2047,36 @@ main(int argc, char *argv[]) {
 		sprintf(output, "%s.signed", file);
 	}
 
+	if (inputformatstr != NULL) {
+		if (strcasecmp(inputformatstr, "text") == 0)
+			inputformat = dns_masterformat_text;
+		else if (strcasecmp(inputformatstr, "raw") == 0)
+			inputformat = dns_masterformat_raw;
+		else
+			fatal("unknown file format: %s\n", inputformatstr);
+	}
+
+	if (outputformatstr != NULL) {
+		if (strcasecmp(outputformatstr, "text") == 0)
+			outputformat = dns_masterformat_text;
+		else if (strcasecmp(outputformatstr, "raw") == 0)
+			outputformat = dns_masterformat_raw;
+		else
+			fatal("unknown file format: %s\n", outputformatstr);
+	}
+
+	if (serialformatstr != NULL) {
+		if (strcasecmp(serialformatstr, "keep") == 0)
+			serialformat = SOA_SERIAL_KEEP;
+		else if (strcasecmp(serialformatstr, "increment") == 0 ||
+			 strcasecmp(serialformatstr, "incr") == 0)
+			serialformat = SOA_SERIAL_INCREMENT;
+		else if (strcasecmp(serialformatstr, "unixtime") == 0)
+			serialformat = SOA_SERIAL_UNIXTIME;
+		else
+			fatal("unknown soa serial format: %s\n", serialformatstr);
+	}
+
 	result = dns_master_stylecreate(&dsstyle,  DNS_STYLEFLAG_NO_TTL,
 					0, 24, 0, 0, 0, 8, mctx);
 	check_result(result, "dns_master_stylecreate");
@@ -2005,6 +2181,19 @@ main(int argc, char *argv[]) {
 	result = dns_db_newversion(gdb, &gversion);
 	check_result(result, "dns_db_newversion()");
 
+	switch (serialformat) {
+		case SOA_SERIAL_INCREMENT:
+			setsoaserial(0);
+			break;
+		case SOA_SERIAL_UNIXTIME:
+			setsoaserial(now);
+			break;
+		case SOA_SERIAL_KEEP:
+		default:
+			/* do nothing */
+			break;
+	}
+
 	nsecify();
 
 	if (!nokeys) {
@@ -2053,10 +2242,6 @@ main(int argc, char *argv[]) {
 		if (result != ISC_R_SUCCESS)
 			fatal("failed to create task: %s",
 			      isc_result_totext(result));
-		result = isc_app_onrun(mctx, master, startworker, tasks[i]);
-		if (result != ISC_R_SUCCESS)
-			fatal("failed to start task: %s",
-			      isc_result_totext(result));
 	}
 
 	RUNTIME_CHECK(isc_mutex_init(&namelock) == ISC_R_SUCCESS);
@@ -2064,9 +2249,24 @@ main(int argc, char *argv[]) {
 		RUNTIME_CHECK(isc_mutex_init(&statslock) == ISC_R_SUCCESS);
 
 	presign();
-	(void)isc_app_run();
-	if (!finished)
-		fatal("process aborted by user");
+	signapex();
+	if (!finished) {
+		/*
+		 * There is more work to do.  Spread it out over multiple
+		 * processors if possible.
+		 */
+		for (i = 0; i < (int)ntasks; i++) {
+			result = isc_app_onrun(mctx, master, startworker,
+					       tasks[i]);
+			if (result != ISC_R_SUCCESS)
+				fatal("failed to start task: %s",
+				      isc_result_totext(result));
+		}
+		(void)isc_app_run();
+		if (!finished)
+			fatal("process aborted by user");
+	} else
+		isc_task_detach(&master);
 	shuttingdown = ISC_TRUE;
 	for (i = 0; i < (int)ntasks; i++)
 		isc_task_detach(&tasks[i]);
@@ -2074,9 +2274,11 @@ main(int argc, char *argv[]) {
 	isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *));
 	postsign();
 
-	if (udb != NULL) {
-		dumpdb(udb);
-		dns_db_detach(&udb);
+	if (outputformat != dns_masterformat_text) {
+		result = dns_master_dumptostream2(mctx, gdb, gversion,
+						  masterstyle, outputformat,
+						  fp);
+		check_result(result, "dns_master_dumptostream2");
 	}
 
 	result = isc_stdio_close(fp);
@@ -2115,6 +2317,7 @@ main(int argc, char *argv[]) {
 	dst_lib_destroy();
 	isc_hash_destroy();
 	cleanup_entropy(&ectx);
+	dns_name_destroy();
 	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
 	isc_mem_destroy(&mctx);
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
index 35f35cc..371d72b 100644
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,23 +18,29 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signzone.docbook,v 1.2.2.2.4.11 2005/06/24 00:18:15 marka Exp $ -->
-
-<refentry>
+<!-- $Id: dnssec-signzone.docbook,v 1.10.18.15 2007/01/29 23:57:20 marka Exp $ -->
+<refentry id="man.dnssec-signzone">
   <refentryinfo>
     <date>June 30, 2000</date>
   </refentryinfo>
 
   <refmeta>
     <refentrytitle><application>dnssec-signzone</application></refentrytitle>
-    <manvolnum>8</manvolnum>
+   <manvolnum>8</manvolnum>
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
+  <refnamediv>
+    <refname><application>dnssec-signzone</application></refname>
+    <refpurpose>DNSSEC zone signing tool</refpurpose>
+  </refnamediv>
+
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2006</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -46,11 +52,6 @@
     </copyright>
   </docinfo>
 
-  <refnamediv>
-    <refname><application>dnssec-signzone</application></refname>
-    <refpurpose>DNSSEC zone signing tool</refpurpose>
-  </refnamediv>
-
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>dnssec-signzone</command>
@@ -64,8 +65,11 @@
       <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
       <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
       <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
-      <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
+      <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
+      <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
+      <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
       <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
+      <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
       <arg><option>-p</option></arg>
       <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
       <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
@@ -79,13 +83,13 @@
 
   <refsect1>
     <title>DESCRIPTION</title>
-    <para>
-        <command>dnssec-signzone</command> signs a zone.  It generates
-	NSEC and RRSIG records and produces a signed version of the
-	zone. The security status of delegations from the signed zone
-	(that is, whether the child zones are secure or not) is
-	determined by the presence or absence of a
-	<filename>keyset</filename> file for each child zone.
+    <para><command>dnssec-signzone</command>
+      signs a zone.  It generates
+      NSEC and RRSIG records and produces a signed version of the
+      zone. The security status of delegations from the signed zone
+      (that is, whether the child zones are secure or not) is
+      determined by the presence or absence of a
+      <filename>keyset</filename> file for each child zone.
     </para>
   </refsect1>
 
@@ -95,231 +99,323 @@
     <variablelist>
       <varlistentry>
         <term>-a</term>
-	<listitem>
-	  <para>
-	      Verify all generated signatures.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Verify all generated signatures.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-c <replaceable class="parameter">class</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the DNS class of the zone.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the DNS class of the zone.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-k <replaceable class="parameter">key</replaceable></term>
-	<listitem>
-	  <para>
-	       Treat specified key as a key signing key ignoring any
-	       key flags.  This option may be specified multiple times.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Treat specified key as a key signing key ignoring any
+            key flags.  This option may be specified multiple times.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-l <replaceable class="parameter">domain</replaceable></term>
-	<listitem>
-	  <para>
-		Generate a DLV set in addition to the key (DNSKEY) and DS sets.
-		The domain is appended to the name of the records.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+            The domain is appended to the name of the records.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-d <replaceable class="parameter">directory</replaceable></term>
-	<listitem>
-	  <para>
-	       Look for <filename>keyset</filename> files in
-	       <option>directory</option> as the directory 
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Look for <filename>keyset</filename> files in
+            <option>directory</option> as the directory
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-g</term>
-	<listitem>
-	  <para>
-		Generate DS records for child zones from keyset files.
-		Existing DS records will be removed.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Generate DS records for child zones from keyset files.
+            Existing DS records will be removed.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-s <replaceable class="parameter">start-time</replaceable></term>
-	<listitem>
-	  <para>
-	       Specify the date and time when the generated RRSIG records
-	       become valid.  This can be either an absolute or relative
-	       time.  An absolute start time is indicated by a number
-	       in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-	       14:45:00 UTC on May 30th, 2000.  A relative start time is
-	       indicated by +N, which is N seconds from the current time.
-	       If no <option>start-time</option> is specified, the current
-	       time minus 1 hour (to allow for clock skew) is used.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specify the date and time when the generated RRSIG records
+            become valid.  This can be either an absolute or relative
+            time.  An absolute start time is indicated by a number
+            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+            14:45:00 UTC on May 30th, 2000.  A relative start time is
+            indicated by +N, which is N seconds from the current time.
+            If no <option>start-time</option> is specified, the current
+            time minus 1 hour (to allow for clock skew) is used.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-e <replaceable class="parameter">end-time</replaceable></term>
-	<listitem>
-	  <para>
-	       Specify the date and time when the generated RRSIG records
-	       expire.  As with <option>start-time</option>, an absolute
-	       time is indicated in YYYYMMDDHHMMSS notation.  A time relative
-	       to the start time is indicated with +N, which is N seconds from
-	       the start time.  A time relative to the current time is
-	       indicated with now+N.  If no <option>end-time</option> is
-	       specified, 30 days from the start time is used as a default.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specify the date and time when the generated RRSIG records
+            expire.  As with <option>start-time</option>, an absolute
+            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
+            to the start time is indicated with +N, which is N seconds from
+            the start time.  A time relative to the current time is
+            indicated with now+N.  If no <option>end-time</option> is
+            specified, 30 days from the start time is used as a default.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-f <replaceable class="parameter">output-file</replaceable></term>
-	<listitem>
-	  <para>
-	       The name of the output file containing the signed zone.  The
-	       default is to append <filename>.signed</filename> to the
-	       input file.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            The name of the output file containing the signed zone.  The
+            default is to append <filename>.signed</filename> to
+            the
+            input file.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-h</term>
-	<listitem>
-	  <para>
-	       Prints a short summary of the options and arguments to
-	       <command>dnssec-signzone</command>.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Prints a short summary of the options and arguments to
+            <command>dnssec-signzone</command>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-i <replaceable class="parameter">interval</replaceable></term>
-	<listitem>
-	  <para>
-	       When a previously signed zone is passed as input, records
-	       may be resigned.  The <option>interval</option> option
-	       specifies the cycle interval as an offset from the current
-	       time (in seconds).  If a RRSIG record expires after the
-	       cycle interval, it is retained.  Otherwise, it is considered
-	       to be expiring soon, and it will be replaced.
-	  </para>
-	  <para>
-	       The default cycle interval is one quarter of the difference
-	       between the signature end and start times.  So if neither
-	       <option>end-time</option> or <option>start-time</option>
-	       are specified, <command>dnssec-signzone</command> generates
-	       signatures that are valid for 30 days, with a cycle
-	       interval of 7.5 days.  Therefore, if any existing RRSIG records
-	       are due to expire in less than 7.5 days, they would be
-	       replaced.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            When a previously signed zone is passed as input, records
+            may be resigned.  The <option>interval</option> option
+            specifies the cycle interval as an offset from the current
+            time (in seconds).  If a RRSIG record expires after the
+            cycle interval, it is retained.  Otherwise, it is considered
+            to be expiring soon, and it will be replaced.
+          </para>
+          <para>
+            The default cycle interval is one quarter of the difference
+            between the signature end and start times.  So if neither
+            <option>end-time</option> or <option>start-time</option>
+            are specified, <command>dnssec-signzone</command>
+            generates
+            signatures that are valid for 30 days, with a cycle
+            interval of 7.5 days.  Therefore, if any existing RRSIG records
+            are due to expire in less than 7.5 days, they would be
+            replaced.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-I <replaceable class="parameter">input-format</replaceable></term>
+        <listitem>
+          <para>
+            The format of the input zone file.
+	    Possible formats are <command>"text"</command> (default)
+	    and <command>"raw"</command>.
+	    This option is primarily intended to be used for dynamic
+            signed zones so that the dumped zone file in a non-text
+            format containing updates can be signed directly.
+	    The use of this option does not make much sense for
+	    non-dynamic zones.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-j <replaceable class="parameter">jitter</replaceable></term>
+        <listitem>
+          <para>
+            When signing a zone with a fixed signature lifetime, all
+            RRSIG records issued at the time of signing expires
+            simultaneously.  If the zone is incrementally signed, i.e.
+            a previously signed zone is passed as input to the signer,
+            all expired signatures has to be regenerated at about the
+            same time.  The <option>jitter</option> option specifies a
+            jitter window that will be used to randomize the signature
+            expire time, thus spreading incremental signature
+            regeneration over time.
+          </para>
+          <para>
+            Signature lifetime jitter also to some extent benefits
+            validators and servers by spreading out cache expiration,
+            i.e. if large numbers of RRSIGs don't expire at the same time
+            from all caches there will be less congestion than if all
+            validators need to refetch at mostly the same time.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-n <replaceable class="parameter">ncpus</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the number of threads to use.  By default, one
-	       thread is started for each detected CPU.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the number of threads to use.  By default, one
+            thread is started for each detected CPU.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
+        <listitem>
+          <para>
+            The SOA serial number format of the signed zone.
+	    Possible formats are <command>"keep"</command> (default),
+            <command>"increment"</command> and
+	    <command>"unixtime"</command>.
+          </para>
+
+          <variablelist>
+	    <varlistentry>
+	      <term><command>"keep"</command></term>
+              <listitem>
+                <para>Do not modify the SOA serial number.</para>
+	      </listitem>
+            </varlistentry>
+
+	    <varlistentry>
+	      <term><command>"increment"</command></term>
+              <listitem>
+                <para>Increment the SOA serial number using RFC 1982
+                      arithmetics.</para>
+	      </listitem>
+            </varlistentry>
+
+	    <varlistentry>
+	      <term><command>"unixtime"</command></term>
+              <listitem>
+                <para>Set the SOA serial number to the number of seconds
+	        since epoch.</para>
+	      </listitem>
+            </varlistentry>
+	 </variablelist>
+
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-o <replaceable class="parameter">origin</replaceable></term>
-	<listitem>
-	  <para>
-	       The zone origin.  If not specified, the name of the zone file
-	       is assumed to be the origin.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            The zone origin.  If not specified, the name of the zone file
+            is assumed to be the origin.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-O <replaceable class="parameter">output-format</replaceable></term>
+        <listitem>
+          <para>
+            The format of the output file containing the signed zone.
+	    Possible formats are <command>"text"</command> (default)
+	    and <command>"raw"</command>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-p</term>
-	<listitem>
-	  <para>
-	       Use pseudo-random data when signing the zone.  This is faster,
-	       but less secure, than using real random data.  This option
-	       may be useful when signing large zones or when the entropy
-	       source is limited.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Use pseudo-random data when signing the zone.  This is faster,
+            but less secure, than using real random data.  This option
+            may be useful when signing large zones or when the entropy
+            source is limited.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-r <replaceable class="parameter">randomdev</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the source of randomness.  If the operating
-	       system does not provide a <filename>/dev/random</filename>
-	       or equivalent device, the default source of randomness
-	       is keyboard input.  <filename>randomdev</filename> specifies
-	       the name of a character device or file containing random
-	       data to be used instead of the default.  The special value
-	       <filename>keyboard</filename> indicates that keyboard
-	       input should be used.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the source of randomness.  If the operating
+            system does not provide a <filename>/dev/random</filename>
+            or equivalent device, the default source of randomness
+            is keyboard input.  <filename>randomdev</filename>
+            specifies
+            the name of a character device or file containing random
+            data to be used instead of the default.  The special value
+            <filename>keyboard</filename> indicates that keyboard
+            input should be used.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-t</term>
-	<listitem>
-	  <para>
-	       Print statistics at completion.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Print statistics at completion.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-v <replaceable class="parameter">level</replaceable></term>
-	<listitem>
-	  <para>
-	       Sets the debugging level.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Sets the debugging level.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-z</term>
-	<listitem>
-	  <para>
-	       Ignore KSK flag on key when determining what to sign.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Ignore KSK flag on key when determining what to sign.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>zonefile</term>
-	<listitem>
-	  <para>
-	       The file containing the zone to be signed.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            The file containing the zone to be signed.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>key</term>
-	<listitem>
-	  <para>
-	       The keys used to sign the zone.  If no keys are specified, the
-	       default all zone keys that have private key files in the
-	       current directory.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            The keys used to sign the zone.  If no keys are specified, the
+            default all zone keys that have private key files in the
+            current directory.
+          </para>
+        </listitem>
       </varlistentry>
 
     </variablelist>
@@ -328,34 +424,34 @@
   <refsect1>
     <title>EXAMPLE</title>
     <para>
-        The following command signs the <userinput>example.com</userinput>
-	zone with the DSA key generated in the <command>dnssec-keygen</command>
-	man page.  The zone's keys must be in the zone.  If there are
-	<filename>keyset</filename> files associated with child zones,
-	they must be in the current directory.
-	<userinput>example.com</userinput>, the following command would be
-	issued:
+      The following command signs the <userinput>example.com</userinput>
+      zone with the DSA key generated in the <command>dnssec-keygen</command>
+      man page.  The zone's keys must be in the zone.  If there are
+      <filename>keyset</filename> files associated with child
+      zones,
+      they must be in the current directory.
+      <userinput>example.com</userinput>, the following command would be
+      issued:
     </para>
-    <para>
-        <userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput>
+    <para><userinput>dnssec-signzone -o example.com db.example.com
+        Kexample.com.+003+26160</userinput>
     </para>
     <para>
-        The command would print a string of the form:
+      The command would print a string of the form:
     </para>
     <para>
-        In this example, <command>dnssec-signzone</command> creates
-	the file <filename>db.example.com.signed</filename>.  This file
-	should be referenced in a zone statement in a
-	<filename>named.conf</filename> file.
+      In this example, <command>dnssec-signzone</command> creates
+      the file <filename>db.example.com.signed</filename>.  This
+      file
+      should be referenced in a zone statement in a
+      <filename>named.conf</filename> file.
     </para>
   </refsect1>
 
   <refsect1>
     <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>dnssec-keygen</refentrytitle>
-	<manvolnum>8</manvolnum>
+    <para><citerefentry>
+        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
       <citetitle>RFC 2535</citetitle>.
@@ -364,14 +460,11 @@
 
   <refsect1>
     <title>AUTHOR</title>
-    <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
     </para>
   </refsect1>
 
-</refentry>
-
-<!--
+</refentry><!--
  - Local variables:
  - mode: sgml
  - End:
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.html b/contrib/bind9/bin/dnssec/dnssec-signzone.html
index bd92631..da1e058 100644
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.html
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,206 +14,266 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dnssec-signzone.html,v 1.4.2.1.4.16 2006/06/29 13:02:30 marka Exp $ -->
+<!-- $Id: dnssec-signzone.html,v 1.8.18.22 2007/01/30 00:23:44 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-signzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nthreads</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549544"></a><h2>DESCRIPTION</h2>
-<p>
-        <span><strong class="command">dnssec-signzone</strong></span> signs a zone.  It generates
-	NSEC and RRSIG records and produces a signed version of the
-	zone. The security status of delegations from the signed zone
-	(that is, whether the child zones are secure or not) is
-	determined by the presence or absence of a
-	<code class="filename">keyset</code> file for each child zone.
+<a name="id2543526"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-signzone</strong></span>
+      signs a zone.  It generates
+      NSEC and RRSIG records and produces a signed version of the
+      zone. The security status of delegations from the signed zone
+      (that is, whether the child zones are secure or not) is
+      determined by the presence or absence of a
+      <code class="filename">keyset</code> file for each child zone.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549560"></a><h2>OPTIONS</h2>
+<a name="id2543541"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd><p>
-	      Verify all generated signatures.
-	  </p></dd>
+            Verify all generated signatures.
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd><p>
-	       Specifies the DNS class of the zone.
-	  </p></dd>
+            Specifies the DNS class of the zone.
+          </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
 <dd><p>
-	       Treat specified key as a key signing key ignoring any
-	       key flags.  This option may be specified multiple times.
-	  </p></dd>
+            Treat specified key as a key signing key ignoring any
+            key flags.  This option may be specified multiple times.
+          </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 <dd><p>
-		Generate a DLV set in addition to the key (DNSKEY) and DS sets.
-		The domain is appended to the name of the records.
-	  </p></dd>
+            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+            The domain is appended to the name of the records.
+          </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
-	       Look for <code class="filename">keyset</code> files in
-	       <code class="option">directory</code> as the directory 
-	  </p></dd>
+            Look for <code class="filename">keyset</code> files in
+            <code class="option">directory</code> as the directory
+          </p></dd>
 <dt><span class="term">-g</span></dt>
 <dd><p>
-		Generate DS records for child zones from keyset files.
-		Existing DS records will be removed.
-	  </p></dd>
+            Generate DS records for child zones from keyset files.
+            Existing DS records will be removed.
+          </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
 <dd><p>
-	       Specify the date and time when the generated RRSIG records
-	       become valid.  This can be either an absolute or relative
-	       time.  An absolute start time is indicated by a number
-	       in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-	       14:45:00 UTC on May 30th, 2000.  A relative start time is
-	       indicated by +N, which is N seconds from the current time.
-	       If no <code class="option">start-time</code> is specified, the current
-	       time minus 1 hour (to allow for clock skew) is used.
-	  </p></dd>
+            Specify the date and time when the generated RRSIG records
+            become valid.  This can be either an absolute or relative
+            time.  An absolute start time is indicated by a number
+            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+            14:45:00 UTC on May 30th, 2000.  A relative start time is
+            indicated by +N, which is N seconds from the current time.
+            If no <code class="option">start-time</code> is specified, the current
+            time minus 1 hour (to allow for clock skew) is used.
+          </p></dd>
 <dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
 <dd><p>
-	       Specify the date and time when the generated RRSIG records
-	       expire.  As with <code class="option">start-time</code>, an absolute
-	       time is indicated in YYYYMMDDHHMMSS notation.  A time relative
-	       to the start time is indicated with +N, which is N seconds from
-	       the start time.  A time relative to the current time is
-	       indicated with now+N.  If no <code class="option">end-time</code> is
-	       specified, 30 days from the start time is used as a default.
-	  </p></dd>
+            Specify the date and time when the generated RRSIG records
+            expire.  As with <code class="option">start-time</code>, an absolute
+            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
+            to the start time is indicated with +N, which is N seconds from
+            the start time.  A time relative to the current time is
+            indicated with now+N.  If no <code class="option">end-time</code> is
+            specified, 30 days from the start time is used as a default.
+          </p></dd>
 <dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
 <dd><p>
-	       The name of the output file containing the signed zone.  The
-	       default is to append <code class="filename">.signed</code> to the
-	       input file.
-	  </p></dd>
+            The name of the output file containing the signed zone.  The
+            default is to append <code class="filename">.signed</code> to
+            the
+            input file.
+          </p></dd>
 <dt><span class="term">-h</span></dt>
 <dd><p>
-	       Prints a short summary of the options and arguments to
-	       <span><strong class="command">dnssec-signzone</strong></span>.
-	  </p></dd>
+            Prints a short summary of the options and arguments to
+            <span><strong class="command">dnssec-signzone</strong></span>.
+          </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
 <p>
-	       When a previously signed zone is passed as input, records
-	       may be resigned.  The <code class="option">interval</code> option
-	       specifies the cycle interval as an offset from the current
-	       time (in seconds).  If a RRSIG record expires after the
-	       cycle interval, it is retained.  Otherwise, it is considered
-	       to be expiring soon, and it will be replaced.
-	  </p>
+            When a previously signed zone is passed as input, records
+            may be resigned.  The <code class="option">interval</code> option
+            specifies the cycle interval as an offset from the current
+            time (in seconds).  If a RRSIG record expires after the
+            cycle interval, it is retained.  Otherwise, it is considered
+            to be expiring soon, and it will be replaced.
+          </p>
+<p>
+            The default cycle interval is one quarter of the difference
+            between the signature end and start times.  So if neither
+            <code class="option">end-time</code> or <code class="option">start-time</code>
+            are specified, <span><strong class="command">dnssec-signzone</strong></span>
+            generates
+            signatures that are valid for 30 days, with a cycle
+            interval of 7.5 days.  Therefore, if any existing RRSIG records
+            are due to expire in less than 7.5 days, they would be
+            replaced.
+          </p>
+</dd>
+<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
+<dd><p>
+            The format of the input zone file.
+	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
+	    and <span><strong class="command">"raw"</strong></span>.
+	    This option is primarily intended to be used for dynamic
+            signed zones so that the dumped zone file in a non-text
+            format containing updates can be signed directly.
+	    The use of this option does not make much sense for
+	    non-dynamic zones.
+          </p></dd>
+<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
+<dd>
+<p>
+            When signing a zone with a fixed signature lifetime, all
+            RRSIG records issued at the time of signing expires
+            simultaneously.  If the zone is incrementally signed, i.e.
+            a previously signed zone is passed as input to the signer,
+            all expired signatures has to be regenerated at about the
+            same time.  The <code class="option">jitter</code> option specifies a
+            jitter window that will be used to randomize the signature
+            expire time, thus spreading incremental signature
+            regeneration over time.
+          </p>
 <p>
-	       The default cycle interval is one quarter of the difference
-	       between the signature end and start times.  So if neither
-	       <code class="option">end-time</code> or <code class="option">start-time</code>
-	       are specified, <span><strong class="command">dnssec-signzone</strong></span> generates
-	       signatures that are valid for 30 days, with a cycle
-	       interval of 7.5 days.  Therefore, if any existing RRSIG records
-	       are due to expire in less than 7.5 days, they would be
-	       replaced.
-	  </p>
+            Signature lifetime jitter also to some extent benefits
+            validators and servers by spreading out cache expiration,
+            i.e. if large numbers of RRSIGs don't expire at the same time
+            from all caches there will be less congestion than if all
+            validators need to refetch at mostly the same time.
+          </p>
 </dd>
 <dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
 <dd><p>
-	       Specifies the number of threads to use.  By default, one
-	       thread is started for each detected CPU.
-	  </p></dd>
+            Specifies the number of threads to use.  By default, one
+            thread is started for each detected CPU.
+          </p></dd>
+<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
+<dd>
+<p>
+            The SOA serial number format of the signed zone.
+	    Possible formats are <span><strong class="command">"keep"</strong></span> (default),
+            <span><strong class="command">"increment"</strong></span> and
+	    <span><strong class="command">"unixtime"</strong></span>.
+          </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
+<dd><p>Do not modify the SOA serial number.</p></dd>
+<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
+<dd><p>Increment the SOA serial number using RFC 1982
+                      arithmetics.</p></dd>
+<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
+<dd><p>Set the SOA serial number to the number of seconds
+	        since epoch.</p></dd>
+</dl></div>
+</dd>
 <dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
 <dd><p>
-	       The zone origin.  If not specified, the name of the zone file
-	       is assumed to be the origin.
-	  </p></dd>
+            The zone origin.  If not specified, the name of the zone file
+            is assumed to be the origin.
+          </p></dd>
+<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
+<dd><p>
+            The format of the output file containing the signed zone.
+	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
+	    and <span><strong class="command">"raw"</strong></span>.
+          </p></dd>
 <dt><span class="term">-p</span></dt>
 <dd><p>
-	       Use pseudo-random data when signing the zone.  This is faster,
-	       but less secure, than using real random data.  This option
-	       may be useful when signing large zones or when the entropy
-	       source is limited.
-	  </p></dd>
+            Use pseudo-random data when signing the zone.  This is faster,
+            but less secure, than using real random data.  This option
+            may be useful when signing large zones or when the entropy
+            source is limited.
+          </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 <dd><p>
-	       Specifies the source of randomness.  If the operating
-	       system does not provide a <code class="filename">/dev/random</code>
-	       or equivalent device, the default source of randomness
-	       is keyboard input.  <code class="filename">randomdev</code> specifies
-	       the name of a character device or file containing random
-	       data to be used instead of the default.  The special value
-	       <code class="filename">keyboard</code> indicates that keyboard
-	       input should be used.
-	  </p></dd>
+            Specifies the source of randomness.  If the operating
+            system does not provide a <code class="filename">/dev/random</code>
+            or equivalent device, the default source of randomness
+            is keyboard input.  <code class="filename">randomdev</code>
+            specifies
+            the name of a character device or file containing random
+            data to be used instead of the default.  The special value
+            <code class="filename">keyboard</code> indicates that keyboard
+            input should be used.
+          </p></dd>
 <dt><span class="term">-t</span></dt>
 <dd><p>
-	       Print statistics at completion.
-	  </p></dd>
+            Print statistics at completion.
+          </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 <dd><p>
-	       Sets the debugging level.
-	  </p></dd>
+            Sets the debugging level.
+          </p></dd>
 <dt><span class="term">-z</span></dt>
 <dd><p>
-	       Ignore KSK flag on key when determining what to sign.
-	  </p></dd>
+            Ignore KSK flag on key when determining what to sign.
+          </p></dd>
 <dt><span class="term">zonefile</span></dt>
 <dd><p>
-	       The file containing the zone to be signed.
-	  </p></dd>
+            The file containing the zone to be signed.
+          </p></dd>
 <dt><span class="term">key</span></dt>
 <dd><p>
-	       The keys used to sign the zone.  If no keys are specified, the
-	       default all zone keys that have private key files in the
-	       current directory.
-	  </p></dd>
+            The keys used to sign the zone.  If no keys are specified, the
+            default all zone keys that have private key files in the
+            current directory.
+          </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550068"></a><h2>EXAMPLE</h2>
+<a name="id2544327"></a><h2>EXAMPLE</h2>
 <p>
-        The following command signs the <strong class="userinput"><code>example.com</code></strong>
-	zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
-	man page.  The zone's keys must be in the zone.  If there are
-	<code class="filename">keyset</code> files associated with child zones,
-	they must be in the current directory.
-	<strong class="userinput"><code>example.com</code></strong>, the following command would be
-	issued:
+      The following command signs the <strong class="userinput"><code>example.com</code></strong>
+      zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
+      man page.  The zone's keys must be in the zone.  If there are
+      <code class="filename">keyset</code> files associated with child
+      zones,
+      they must be in the current directory.
+      <strong class="userinput"><code>example.com</code></strong>, the following command would be
+      issued:
     </p>
-<p>
-        <strong class="userinput"><code>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</code></strong>
+<p><strong class="userinput"><code>dnssec-signzone -o example.com db.example.com
+        Kexample.com.+003+26160</code></strong>
     </p>
 <p>
-        The command would print a string of the form:
+      The command would print a string of the form:
     </p>
 <p>
-        In this example, <span><strong class="command">dnssec-signzone</strong></span> creates
-	the file <code class="filename">db.example.com.signed</code>.  This file
-	should be referenced in a zone statement in a
-	<code class="filename">named.conf</code> file.
+      In this example, <span><strong class="command">dnssec-signzone</strong></span> creates
+      the file <code class="filename">db.example.com.signed</code>.  This
+      file
+      should be referenced in a zone statement in a
+      <code class="filename">named.conf</code> file.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550118"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+<a name="id2544375"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2535</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550145"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
+<a name="id2544400"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div></body>
diff --git a/contrib/bind9/bin/dnssec/dnssectool.c b/contrib/bind9/bin/dnssec/dnssectool.c
index 83ba76d..4f95540 100644
--- a/contrib/bind9/bin/dnssec/dnssectool.c
+++ b/contrib/bind9/bin/dnssec/dnssectool.c
@@ -15,7 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.c,v 1.31.2.3.2.6 2005/07/02 02:42:43 marka Exp $ */
+/* $Id: dnssectool.c,v 1.40.18.3 2005/07/01 03:55:28 marka Exp $ */
+
+/*! \file */
+
+/*%
+ * DNSSEC Support Routines.
+ */
 
 #include <config.h>
 
diff --git a/contrib/bind9/bin/dnssec/dnssectool.h b/contrib/bind9/bin/dnssec/dnssectool.h
index 0d17950..c5f3648 100644
--- a/contrib/bind9/bin/dnssec/dnssectool.h
+++ b/contrib/bind9/bin/dnssec/dnssectool.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.h,v 1.15.12.3 2004/03/08 04:04:18 marka Exp $ */
+/* $Id: dnssectool.h,v 1.18 2004/03/05 04:57:41 marka Exp $ */
 
 #ifndef DNSSECTOOL_H
 #define DNSSECTOOL_H 1
diff --git a/contrib/bind9/bin/named/Makefile.in b/contrib/bind9/bin/named/Makefile.in
index 50fb93b..a809e59c 100644
--- a/contrib/bind9/bin/named/Makefile.in
+++ b/contrib/bind9/bin/named/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.74.12.11 2004/09/06 21:47:25 marka Exp $
+# $Id: Makefile.in,v 1.80.18.7 2005/09/05 00:18:10 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -31,12 +31,20 @@ DBDRIVER_SRCS =
 DBDRIVER_INCLUDES =
 DBDRIVER_LIBS =
 
+DLZ_DRIVER_DIR =	${top_srcdir}/contrib/dlz/drivers
+
+DLZDRIVER_OBJS =	@DLZ_DRIVER_OBJS@
+DLZDRIVER_SRCS =	@DLZ_DRIVER_SRCS@
+DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
+DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
+
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include \
 		${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
-		${DBDRIVER_INCLUDES}
+		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES}
+
+CDEFINES =      @USE_DLZ@
 
-CDEFINES =
 CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
@@ -57,13 +65,14 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
 		${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
 
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
-		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
+		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
+		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
 
 SUBDIRS =	unix
 
 TARGETS =	named@EXEEXT@ lwresd@EXEEXT@
 
-OBJS =		aclconf.@O@ builtin.@O@ client.@O@ config.@O@ control.@O@ \
+OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
 		controlconf.@O@ interfacemgr.@O@ \
 		listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \
 		query.@O@ server.@O@ sortlist.@O@ \
@@ -71,11 +80,11 @@ OBJS =		aclconf.@O@ builtin.@O@ client.@O@ config.@O@ control.@O@ \
 		zoneconf.@O@ \
 		lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
 		lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
-		$(DBDRIVER_OBJS)
+		${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
 
 UOBJS =		unix/os.@O@
 
-SRCS =		aclconf.c builtin.c client.c config.c control.c \
+SRCS =		builtin.c client.c config.c control.c \
 		controlconf.c interfacemgr.c \
 		listenlist.c log.c logconf.c main.c notify.c \
 		query.c server.c sortlist.c \
@@ -83,7 +92,7 @@ SRCS =		aclconf.c builtin.c client.c config.c control.c \
 		zoneconf.c \
 		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
 		lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
-		$(DBDRIVER_SRCS)
+		${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
 
 MANPAGES =	named.8 lwresd.8 named.conf.5
 
@@ -133,3 +142,4 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
 	${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
 	${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
 
+@DLZ_DRIVER_RULES@
diff --git a/contrib/bind9/bin/named/builtin.c b/contrib/bind9/bin/named/builtin.c
index af4d7a3..06cbd4a 100644
--- a/contrib/bind9/bin/named/builtin.c
+++ b/contrib/bind9/bin/named/builtin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: builtin.c,v 1.4.106.4 2004/03/08 04:04:18 marka Exp $ */
+/* $Id: builtin.c,v 1.5.18.5 2005/08/23 04:12:38 marka Exp $ */
 
-/*
- * The built-in "version", "hostname", "id" and "authors" databases.
+/*! \file
+ * \brief
+ * The built-in "version", "hostname", "id", "authors" and "empty" databases.
  */
 
 #include <config.h>
@@ -26,12 +27,13 @@
 #include <string.h>
 #include <stdio.h>
 
+#include <isc/mem.h>
 #include <isc/print.h>
 #include <isc/result.h>
 #include <isc/util.h>
 
-#include <dns/sdb.h>
 #include <dns/result.h>
+#include <dns/sdb.h>
 
 #include <named/builtin.h>
 #include <named/globals.h>
@@ -44,6 +46,7 @@ static isc_result_t do_version_lookup(dns_sdblookup_t *lookup);
 static isc_result_t do_hostname_lookup(dns_sdblookup_t *lookup);
 static isc_result_t do_authors_lookup(dns_sdblookup_t *lookup);
 static isc_result_t do_id_lookup(dns_sdblookup_t *lookup);
+static isc_result_t do_empty_lookup(dns_sdblookup_t *lookup);
 
 /*
  * We can't use function pointers as the db_data directly
@@ -53,12 +56,15 @@ static isc_result_t do_id_lookup(dns_sdblookup_t *lookup);
 
 struct builtin {
 	isc_result_t (*do_lookup)(dns_sdblookup_t *lookup);
+	char *server;
+	char *contact;
 };
 
-static builtin_t version_builtin = { do_version_lookup };
-static builtin_t hostname_builtin = { do_hostname_lookup };
-static builtin_t authors_builtin = { do_authors_lookup };
-static builtin_t id_builtin = { do_id_lookup };
+static builtin_t version_builtin = { do_version_lookup,  NULL, NULL };
+static builtin_t hostname_builtin = { do_hostname_lookup, NULL, NULL };
+static builtin_t authors_builtin = { do_authors_lookup, NULL, NULL };
+static builtin_t id_builtin = { do_id_lookup, NULL, NULL };
+static builtin_t empty_builtin = { do_empty_lookup, NULL, NULL };
 
 static dns_sdbimplementation_t *builtin_impl;
 
@@ -167,16 +173,37 @@ do_id_lookup(dns_sdblookup_t *lookup) {
 }
 
 static isc_result_t
+do_empty_lookup(dns_sdblookup_t *lookup) {
+
+	UNUSED(lookup);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
 builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) {
 	isc_result_t result;
+	const char *contact = "hostmaster";
+	const char *server = "@";
+	builtin_t *b = (builtin_t *) dbdata;
 
 	UNUSED(zone);
 	UNUSED(dbdata);
 
-	result = dns_sdb_putsoa(lookup, "@", "hostmaster", 0);
+	if (b == &empty_builtin) {
+		server = ".";
+		contact = ".";
+	} else {
+		if (b->server != NULL)
+			server = b->server;
+		if (b->contact != NULL)
+			contact = b->contact;
+	}
+	
+	result = dns_sdb_putsoa(lookup, server, contact, 0);
 	if (result != ISC_R_SUCCESS)
 		return (ISC_R_FAILURE);
-	result = dns_sdb_putrr(lookup, "ns", 0, "@");
+
+	result = dns_sdb_putrr(lookup, "ns", 0, server);
 	if (result != ISC_R_SUCCESS)
 		return (ISC_R_FAILURE);
 
@@ -187,10 +214,17 @@ static isc_result_t
 builtin_create(const char *zone, int argc, char **argv,
 	       void *driverdata, void **dbdata)
 {
+	REQUIRE(argc >= 1);
+
 	UNUSED(zone);
 	UNUSED(driverdata);
-	if (argc != 1)
+
+	if (strcmp(argv[0], "empty") == 0) {
+		if (argc != 3)
+			return (DNS_R_SYNTAX);
+	} else if (argc != 1)
 		return (DNS_R_SYNTAX);
+
 	if (strcmp(argv[0], "version") == 0)
 		*dbdata = &version_builtin;
 	else if (strcmp(argv[0], "hostname") == 0)
@@ -199,17 +233,62 @@ builtin_create(const char *zone, int argc, char **argv,
 		*dbdata = &authors_builtin;
 	else if (strcmp(argv[0], "id") == 0)
 		*dbdata = &id_builtin;
-	else
+	else if (strcmp(argv[0], "empty") == 0) { 
+		builtin_t *empty;
+		char *server;
+		char *contact;
+		/*
+		 * We don't want built-in zones to fail.  Fallback to
+		 * the static configuration if memory allocation fails.
+		 */
+		empty = isc_mem_get(ns_g_mctx, sizeof(*empty));
+		server = isc_mem_strdup(ns_g_mctx, argv[1]);
+		contact = isc_mem_strdup(ns_g_mctx, argv[2]);
+		if (empty == NULL || server == NULL || contact == NULL) {
+			*dbdata = &empty_builtin;
+			if (server != NULL)
+				isc_mem_free(ns_g_mctx, server);
+			if (contact != NULL)
+				isc_mem_free(ns_g_mctx, contact);
+			if (empty != NULL)
+				isc_mem_put(ns_g_mctx, empty, sizeof (*empty));
+		} else {
+			memcpy(empty, &empty_builtin, sizeof (empty_builtin));
+			empty->server = server;
+			empty->contact = contact;
+			*dbdata = empty;
+		}
+	} else
 		return (ISC_R_NOTIMPLEMENTED);
 	return (ISC_R_SUCCESS);
 }
 
+static void
+builtin_destroy(const char *zone, void *driverdata, void **dbdata) {
+	builtin_t *b = (builtin_t *) *dbdata;
+
+	UNUSED(zone);
+	UNUSED(driverdata);
+
+	/*
+	 * Don't free the static versions.
+	 */
+	if (*dbdata == &version_builtin || *dbdata == &hostname_builtin ||
+	    *dbdata == &authors_builtin || *dbdata == &id_builtin ||
+	    *dbdata == &empty_builtin)
+		return;
+
+	isc_mem_free(ns_g_mctx, b->server);
+	isc_mem_free(ns_g_mctx, b->contact);
+	isc_mem_put(ns_g_mctx, b, sizeof (*b));
+}
+
 static dns_sdbmethods_t builtin_methods = {
 	builtin_lookup,
 	builtin_authority,
 	NULL,		/* allnodes */
 	builtin_create,
-	NULL		/* destroy */
+	builtin_destroy
 };
 
 isc_result_t
diff --git a/contrib/bind9/bin/named/client.c b/contrib/bind9/bin/named/client.c
index b0ce793..d69e44b 100644
--- a/contrib/bind9/bin/named/client.c
+++ b/contrib/bind9/bin/named/client.c
@@ -15,13 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.176.2.13.4.31 2006/07/22 01:09:38 marka Exp $ */
+/* $Id: client.c,v 1.219.18.20 2006/07/22 01:02:36 marka Exp $ */
 
 #include <config.h>
 
 #include <isc/formatcheck.h>
 #include <isc/mutex.h>
 #include <isc/once.h>
+#include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
@@ -33,12 +34,13 @@
 #include <dns/dispatch.h>
 #include <dns/events.h>
 #include <dns/message.h>
+#include <dns/peer.h>
 #include <dns/rcode.h>
-#include <dns/resolver.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
+#include <dns/resolver.h>
 #include <dns/tsig.h>
 #include <dns/view.h>
 #include <dns/zone.h>
@@ -53,7 +55,9 @@
  *** Client
  ***/
 
-/*
+/*! \file
+ * Client Routines
+ *
  * Important note!
  *
  * All client state changes, other than that from idle to listening, occur
@@ -87,6 +91,25 @@
 #define SEND_BUFFER_SIZE		4096
 #define RECV_BUFFER_SIZE		4096
 
+#ifdef ISC_PLATFORM_USETHREADS
+#define NMCTXS				100
+/*%<
+ * Number of 'mctx pools' for clients. (Should this be configurable?)
+ * When enabling threads, we use a pool of memory contexts shared by
+ * client objects, since concurrent access to a shared context would cause
+ * heavy contentions.  The above constant is expected to be enough for
+ * completely avoiding contentions among threads for an authoritative-only
+ * server.
+ */
+#else
+#define NMCTXS				0
+/*%<
+ * If named with built without thread, simply share manager's context.  Using
+ * a separate context in this case would simply waste memory.
+ */
+#endif
+
+/*% nameserver client manager structure */
 struct ns_clientmgr {
 	/* Unlocked. */
 	unsigned int			magic;
@@ -96,15 +119,20 @@ struct ns_clientmgr {
 	isc_mutex_t			lock;
 	/* Locked by lock. */
 	isc_boolean_t			exiting;
-	client_list_t			active; 	/* Active clients */
-	client_list_t			recursing; 	/* Recursing clients */
-	client_list_t 			inactive;	/* To be recycled */
+	client_list_t			active; 	/*%< Active clients */
+	client_list_t			recursing; 	/*%< Recursing clients */
+	client_list_t 			inactive;	/*%< To be recycled */
+#if NMCTXS > 0
+	/*%< mctx pool for clients. */
+	unsigned int			nextmctx;
+	isc_mem_t *			mctxpool[NMCTXS];
+#endif
 };
 
 #define MANAGER_MAGIC			ISC_MAGIC('N', 'S', 'C', 'm')
 #define VALID_MANAGER(m)		ISC_MAGIC_VALID(m, MANAGER_MAGIC)
 
-/*
+/*! 
  * Client object states.  Ordering is significant: higher-numbered
  * states are generally "more active", meaning that the client can
  * have more dynamically allocated data, outstanding events, etc.
@@ -117,12 +145,12 @@ struct ns_clientmgr {
  */
 
 #define NS_CLIENTSTATE_FREED    0
-/*
+/*%<
  * The client object no longer exists.
  */
 
 #define NS_CLIENTSTATE_INACTIVE 1
-/*
+/*%<
  * The client object exists and has a task and timer.
  * Its "query" struct and sendbuf are initialized.
  * It is on the client manager's list of inactive clients.
@@ -130,7 +158,7 @@ struct ns_clientmgr {
  */
 
 #define NS_CLIENTSTATE_READY    2
-/*
+/*%<
  * The client object is either a TCP or a UDP one, and
  * it is associated with a network interface.  It is on the
  * client manager's list of active clients.
@@ -143,7 +171,7 @@ struct ns_clientmgr {
  */
 
 #define NS_CLIENTSTATE_READING  3
-/*
+/*%<
  * The client object is a TCP client object that has received
  * a connection.  It has a tcpsocket, tcpmsg, TCP quota, and an
  * outstanding TCP read request.  This state is not used for
@@ -151,14 +179,14 @@ struct ns_clientmgr {
  */
 
 #define NS_CLIENTSTATE_WORKING  4
-/*
+/*%<
  * The client object has received a request and is working
  * on it.  It has a view, and it may have any of a non-reset OPT,
  * recursion quota, and an outstanding write request.
  */
 
 #define NS_CLIENTSTATE_MAX      9
-/*
+/*%<
  * Sentinel value used to indicate "no state".  When client->newstate
  * has this value, we are not attempting to exit the current state.
  * Must be greater than any valid state.
@@ -171,6 +199,8 @@ struct ns_clientmgr {
 #define NS_CLIENT_DROPPORT 1
 #endif
 
+unsigned int ns_client_requests;
+
 static void client_read(ns_client_t *client);
 static void client_accept(ns_client_t *client);
 static void client_udprecv(ns_client_t *client);
@@ -227,7 +257,7 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
 	}
 }
 
-/*
+/*%
  * Check for a deactivation or shutdown request and take appropriate
  * action.  Returns ISC_TRUE if either is in progress; in this case
  * the caller must no longer use the client object as it may have been
@@ -489,7 +519,7 @@ exit_check(ns_client_t *client) {
 
 		CTRACE("free");
 		client->magic = 0;
-		isc_mem_put(client->mctx, client, sizeof(*client));
+		isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
 
 		goto unlock;
 	}
@@ -510,7 +540,7 @@ exit_check(ns_client_t *client) {
 	return (ISC_TRUE);
 }
 
-/*
+/*%
  * The client's task has received the client's control event
  * as part of the startup process.
  */
@@ -536,7 +566,7 @@ client_start(isc_task_t *task, isc_event_t *event) {
 }
 
 
-/*
+/*%
  * The client's task has received a shutdown event.
  */
 static void
@@ -591,6 +621,7 @@ ns_client_endrequest(ns_client_t *client) {
 
 	client->udpsize = 512;
 	client->extflags = 0;
+	client->ednsversion = -1;
 	dns_message_reset(client->message, DNS_MESSAGE_INTENTPARSE);
 
 	if (client->recursionquota != NULL)
@@ -705,7 +736,7 @@ client_senddone(isc_task_t *task, isc_event_t *event) {
 	ns_client_next(client, ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * We only want to fail with ISC_R_NOSPACE when called from
  * ns_client_sendraw() and not when called from ns_client_send(),
  * tcpbuffer is NULL when called from ns_client_sendraw() and
@@ -1182,6 +1213,64 @@ allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) {
 }
 
 /*
+ * Callback to see if a non-recursive query coming from 'srcaddr' to
+ * 'destaddr', with optional key 'mykey' for class 'rdclass' would be
+ * delivered to 'myview'.
+ *
+ * We run this unlocked as both the view list and the interface list
+ * are updated when the approprite task has exclusivity.
+ */
+isc_boolean_t
+ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
+		 isc_sockaddr_t *srcaddr, isc_sockaddr_t *dstaddr,
+		 dns_rdataclass_t rdclass, void *arg)
+{
+	dns_view_t *view;
+	dns_tsigkey_t *key;
+	isc_netaddr_t netsrc;
+	isc_netaddr_t netdst;
+
+	UNUSED(arg);
+
+	if (!ns_interfacemgr_listeningon(ns_g_server->interfacemgr, dstaddr))
+		return (ISC_FALSE);
+
+	isc_netaddr_fromsockaddr(&netsrc, srcaddr);
+	isc_netaddr_fromsockaddr(&netdst, dstaddr);
+
+	for (view = ISC_LIST_HEAD(ns_g_server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link)) {
+		dns_name_t *tsig = NULL;
+
+		if (view->matchrecursiveonly)
+			continue;
+
+		if (rdclass != view->rdclass)
+			continue;
+
+		if (mykey != NULL) {
+			isc_boolean_t match;
+			isc_result_t result;
+
+			tsig = &mykey->name;
+			result = dns_view_gettsig(view, tsig, &key);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			match = dst_key_compare(mykey->key, key->key);
+			dns_tsigkey_detach(&key);
+			if (!match)
+				continue;
+		}
+
+		if (allowed(&netsrc, tsig, view->matchclients) &&
+		    allowed(&netdst, tsig, view->matchdestinations))
+			break;
+	}
+	return (ISC_TF(view == myview));
+}
+
+/*
  * Handle an incoming request event from the socket (UDP case)
  * or tcpmsg (TCP case).
  */
@@ -1215,6 +1304,8 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	       NS_CLIENTSTATE_READING :
 	       NS_CLIENTSTATE_READY);
 
+	ns_client_requests++;
+
 	if (event->ev_type == ISC_SOCKEVENT_RECVDONE) {
 		INSIST(!TCP_CLIENT(client));
 		sevent = (isc_socketevent_t *)event;
@@ -1384,8 +1475,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	 */
 	opt = dns_message_getopt(client->message);
 	if (opt != NULL) {
-		unsigned int version;
-
 		/*
 		 * Set the client's UDP buffer size.
 		 */
@@ -1404,22 +1493,24 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		client->extflags = (isc_uint16_t)(opt->ttl & 0xFFFF);
 
 		/*
-		 * Create an OPT for our reply.
+		 * Do we understand this version of EDNS?
+		 *
+		 * XXXRTH need library support for this!
 		 */
-		result = client_addopt(client);
-		if (result != ISC_R_SUCCESS) {
+		client->ednsversion = (opt->ttl & 0x00FF0000) >> 16;
+		if (client->ednsversion > 0) {
+			result = client_addopt(client);
+			if (result == ISC_R_SUCCESS)
+				result = DNS_R_BADVERS;
 			ns_client_error(client, result);
 			goto cleanup;
 		}
-
 		/*
-		 * Do we understand this version of ENDS?
-		 *
-		 * XXXRTH need library support for this!
+		 * Create an OPT for our reply.
 		 */
-		version = (opt->ttl & 0x00FF0000) >> 16;
-		if (version != 0) {
-			ns_client_error(client, DNS_R_BADVERS);
+		result = client_addopt(client);
+		if (result != ISC_R_SUCCESS) {
+			ns_client_error(client, result);
 			goto cleanup;
 		}
 	}
@@ -1629,6 +1720,19 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		      			     "recursion not available");
 
 	/*
+	 * Adjust maximum UDP response size for this client.
+	 */
+	if (client->udpsize > 512) {
+		dns_peer_t *peer = NULL;
+		isc_uint16_t udpsize = view->maxudp;
+		(void) dns_peerlist_peerbyaddr(view->peers, &netaddr, &peer);
+		if (peer != NULL)
+			dns_peer_getmaxudp(peer, &udpsize);
+		if (client->udpsize > udpsize)
+			client->udpsize = udpsize;
+	}
+
+	/*
 	 * Dispatch the request.
 	 */
 	switch (client->message->opcode) {
@@ -1689,9 +1793,42 @@ client_timeout(isc_task_t *task, isc_event_t *event) {
 }
 
 static isc_result_t
+get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
+	isc_mem_t *clientmctx;
+#if NMCTXS > 0
+	isc_result_t result;
+#endif
+
+	/*
+	 * Caller must be holding the manager lock.
+	 */
+#if NMCTXS > 0
+	INSIST(manager->nextmctx < NMCTXS);
+	clientmctx = manager->mctxpool[manager->nextmctx];
+	if (clientmctx == NULL) {
+		result = isc_mem_create(0, 0, &clientmctx);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		manager->mctxpool[manager->nextmctx] = clientmctx;
+		manager->nextmctx++;
+		if (manager->nextmctx == NMCTXS)
+			manager->nextmctx = 0;
+	}
+#else
+	clientmctx = manager->mctx;
+#endif
+
+	isc_mem_attach(clientmctx, mctxp);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
 client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	ns_client_t *client;
 	isc_result_t result;
+	isc_mem_t *mctx = NULL;
 
 	/*
 	 * Caller must be holding the manager lock.
@@ -1703,9 +1840,16 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 
 	REQUIRE(clientp != NULL && *clientp == NULL);
 
-	client = isc_mem_get(manager->mctx, sizeof(*client));
-	if (client == NULL)
+	result = get_clientmctx(manager, &mctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	client = isc_mem_get(mctx, sizeof(*client));
+	if (client == NULL) {
+		isc_mem_detach(&mctx);
 		return (ISC_R_NOMEMORY);
+	}
+	client->mctx = mctx;
 
 	client->task = NULL;
 	result = isc_task_create(manager->taskmgr, 0, &client->task);
@@ -1722,7 +1866,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	client->timerset = ISC_FALSE;
 
 	client->message = NULL;
-	result = dns_message_create(manager->mctx, DNS_MESSAGE_INTENTPARSE,
+	result = dns_message_create(client->mctx, DNS_MESSAGE_INTENTPARSE,
 				    &client->message);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_timer;
@@ -1730,7 +1874,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	/* XXXRTH  Hardwired constants */
 
 	client->sendevent = (isc_socketevent_t *)
-			    isc_event_allocate(manager->mctx, client,
+			    isc_event_allocate(client->mctx, client,
 					       ISC_SOCKEVENT_SENDDONE,
 					       client_senddone, client,
 					       sizeof(isc_socketevent_t));
@@ -1739,14 +1883,14 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 		goto cleanup_message;
 	}
 
-	client->recvbuf = isc_mem_get(manager->mctx, RECV_BUFFER_SIZE);
+	client->recvbuf = isc_mem_get(client->mctx, RECV_BUFFER_SIZE);
 	if  (client->recvbuf == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto cleanup_sendevent;
 	}
 
 	client->recvevent = (isc_socketevent_t *)
-			    isc_event_allocate(manager->mctx, client,
+			    isc_event_allocate(client->mctx, client,
 					       ISC_SOCKEVENT_RECVDONE,
 					       client_request, client,
 					       sizeof(isc_socketevent_t));
@@ -1756,7 +1900,6 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	}
 
 	client->magic = NS_CLIENT_MAGIC;
-	client->mctx = manager->mctx;
 	client->manager = NULL;
 	client->state = NS_CLIENTSTATE_INACTIVE;
 	client->newstate = NS_CLIENTSTATE_MAX;
@@ -1778,6 +1921,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	client->opt = NULL;
 	client->udpsize = 512;
 	client->extflags = 0;
+	client->ednsversion = -1;
 	client->next = NULL;
 	client->shutdown = NULL;
 	client->shutdown_arg = NULL;
@@ -1826,7 +1970,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	isc_event_free((isc_event_t **)&client->recvevent);
 
  cleanup_recvbuf:
-	isc_mem_put(manager->mctx, client->recvbuf, RECV_BUFFER_SIZE);
+	isc_mem_put(client->mctx, client->recvbuf, RECV_BUFFER_SIZE);
 
  cleanup_sendevent:
 	isc_event_free((isc_event_t **)&client->sendevent);
@@ -1843,7 +1987,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	isc_task_detach(&client->task);
 
  cleanup_client:
-	isc_mem_put(manager->mctx, client, sizeof(*client));
+	isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
 
 	return (result);
 }
@@ -2096,12 +2240,23 @@ ns_client_replace(ns_client_t *client) {
 
 static void
 clientmgr_destroy(ns_clientmgr_t *manager) {
+#if NMCTXS > 0
+	int i;
+#endif
+
 	REQUIRE(ISC_LIST_EMPTY(manager->active));
 	REQUIRE(ISC_LIST_EMPTY(manager->inactive));
 	REQUIRE(ISC_LIST_EMPTY(manager->recursing));
 
 	MTRACE("clientmgr_destroy");
 
+#if NMCTXS > 0
+	for (i = 0; i < NMCTXS; i++) {
+		if (manager->mctxpool[i] != NULL)
+			isc_mem_detach(&manager->mctxpool[i]);
+	}
+#endif
+
 	DESTROYLOCK(&manager->lock);
 	manager->magic = 0;
 	isc_mem_put(manager->mctx, manager, sizeof(*manager));
@@ -2113,6 +2268,9 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 {
 	ns_clientmgr_t *manager;
 	isc_result_t result;
+#if NMCTXS > 0
+	int i;
+#endif
 
 	manager = isc_mem_get(mctx, sizeof(*manager));
 	if (manager == NULL)
@@ -2129,6 +2287,11 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	ISC_LIST_INIT(manager->active);
 	ISC_LIST_INIT(manager->inactive);
 	ISC_LIST_INIT(manager->recursing);
+#if NMCTXS > 0
+	manager->nextmctx = 0;
+	for (i = 0; i < NMCTXS; i++)
+		manager->mctxpool[i] = NULL; /* will be created on-demand */
+#endif
 	manager->magic = MANAGER_MAGIC;
 
 	MTRACE("create");
diff --git a/contrib/bind9/bin/named/config.c b/contrib/bind9/bin/named/config.c
index 7b5b99e..6a6d5e3 100644
--- a/contrib/bind9/bin/named/config.c
+++ b/contrib/bind9/bin/named/config.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.11.2.4.8.32 2006/02/28 06:32:53 marka Exp $ */
+/* $Id: config.c,v 1.47.18.28 2006/05/03 01:46:40 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -25,6 +27,7 @@
 #include <isc/buffer.h>
 #include <isc/log.h>
 #include <isc/mem.h>
+#include <isc/parseint.h>
 #include <isc/region.h>
 #include <isc/result.h>
 #include <isc/sockaddr.h>
@@ -42,6 +45,7 @@
 #include <named/config.h>
 #include <named/globals.h>
 
+/*% default configuration */
 static char defaultconf[] = "\
 options {\n\
 #	blackhole {none;};\n"
@@ -76,7 +80,7 @@ options {\n\
 #endif
 "\
 	recursive-clients 1000;\n\
-	rrset-order {order cyclic;};\n\
+	rrset-order {type NS order random; order cyclic; };\n\
 	serial-queries 20;\n\
 	serial-query-rate 20;\n\
 	server-id none;\n\
@@ -94,11 +98,13 @@ options {\n\
 	use-id-pool true;\n\
 	use-ixfr true;\n\
 	edns-udp-size 4096;\n\
+	max-udp-size 4096;\n\
 \n\
 	/* view */\n\
 	allow-notify {none;};\n\
 	allow-update-forwarding {none;};\n\
-	allow-recursion {any;};\n\
+	allow-query-cache { localnets; localhost; };\n\
+	allow-recursion { localnets; localhost; };\n\
 #	allow-v6-synthesis <obsolete>;\n\
 #	sortlist <none>\n\
 #	topology <none>\n\
@@ -125,7 +131,16 @@ options {\n\
 	check-names master fail;\n\
 	check-names slave warn;\n\
 	check-names response ignore;\n\
-	dnssec-enable no; /* Make yes for 9.4. */ \n\
+	check-mx warn;\n\
+	acache-enable no;\n\
+	acache-cleaning-interval 60;\n\
+	max-acache-size 0;\n\
+	dnssec-enable yes;\n\
+	dnssec-validation no; /* Make yes for 9.5. */ \n\
+	dnssec-accept-expired no;\n\
+	clients-per-query 10;\n\
+	max-clients-per-query 100;\n\
+	zero-no-soa-ttl-cache no;\n\
 "
 
 "	/* zone */\n\
@@ -133,6 +148,7 @@ options {\n\
 	allow-transfer {any;};\n\
 	notify yes;\n\
 #	also-notify <none>\n\
+	notify-delay 5;\n\
 	dialup no;\n\
 #	forward <none>\n\
 #	forwarders <none>\n\
@@ -155,6 +171,13 @@ options {\n\
 	zone-statistics false;\n\
 	max-journal-size unlimited;\n\
 	ixfr-from-differences false;\n\
+	check-wildcard yes;\n\
+	check-sibling yes;\n\
+	check-integrity yes;\n\
+	check-mx-cname warn;\n\
+	check-srv-cname warn;\n\
+	zero-no-soa-ttl yes;\n\
+	update-check-ksk yes;\n\
 };\n\
 "
 
@@ -258,7 +281,6 @@ ns_config_listcount(const cfg_obj_t *list) {
 isc_result_t
 ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		   dns_rdataclass_t *classp) {
-	const char *str;
 	isc_textregion_t r;
 	isc_result_t result;
 
@@ -266,20 +288,18 @@ ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		*classp = defclass;
 		return (ISC_R_SUCCESS);
 	}
-	str = cfg_obj_asstring(classobj);
-	DE_CONST(str, r.base);
-	r.length = strlen(str);
+	DE_CONST(cfg_obj_asstring(classobj), r.base);
+	r.length = strlen(r.base);
 	result = dns_rdataclass_fromtext(classp, &r);
 	if (result != ISC_R_SUCCESS)
 		cfg_obj_log(classobj, ns_g_lctx, ISC_LOG_ERROR,
-			    "unknown class '%s'", str);
+			    "unknown class '%s'", r.base);
 	return (result);
 }
 
 isc_result_t
 ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
 		   dns_rdatatype_t *typep) {
-	const char *str;
 	isc_textregion_t r;
 	isc_result_t result;
 
@@ -287,13 +307,12 @@ ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
 		*typep = deftype;
 		return (ISC_R_SUCCESS);
 	}
-	str = cfg_obj_asstring(typeobj);
-	DE_CONST(str, r.base);
-	r.length = strlen(str);
+	DE_CONST(cfg_obj_asstring(typeobj), r.base);
+	r.length = strlen(r.base);
 	result = dns_rdatatype_fromtext(typep, &r);
 	if (result != ISC_R_SUCCESS)
 		cfg_obj_log(typeobj, ns_g_lctx, ISC_LOG_ERROR,
-			    "unknown type '%s'", str);
+			    "unknown type '%s'", r.base);
 	return (result);
 }
 
@@ -383,7 +402,7 @@ ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 
 static isc_result_t
 get_masters_def(const cfg_obj_t *cctx, const char *name,
-		const cfg_obj_t **ret)
+	        const cfg_obj_t **ret)
 {
 	isc_result_t result;
 	const cfg_obj_t *masters = NULL;
@@ -425,7 +444,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 	dns_fixedname_t fname;
 	isc_sockaddr_t *addrs = NULL;
 	dns_name_t **keys = NULL;
-	const char **lists = NULL;
+	struct { const char *name; } *lists = NULL;
 	struct {
 		const cfg_listelt_t *element;
 		in_port_t port;
@@ -494,7 +513,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 			}
 			/* Seen? */
 			for (j = 0; j < l; j++)
-				if (strcasecmp(lists[j], listname) == 0)
+				if (strcasecmp(lists[j].name, listname) == 0)
 					break;
 			if (j < l)
 				continue;
@@ -508,7 +527,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 			}
 			if (tresult != ISC_R_SUCCESS)
 				goto cleanup;
-			lists[l++] = listname;
+			lists[l++].name = listname;
 			/* Grow stack? */
 			if (stackcount == pushed) {
 				void * new;
@@ -713,16 +732,65 @@ ns_config_getport(const cfg_obj_t *config, in_port_t *portp) {
 	return (ISC_R_SUCCESS);
 }
 
+struct keyalgorithms {
+	const char *str;
+	enum { hmacnone, hmacmd5, hmacsha1, hmacsha224,
+	       hmacsha256, hmacsha384, hmacsha512 } hmac;
+	isc_uint16_t size;
+} algorithms[] = {
+	{ "hmac-md5", hmacmd5, 128 },
+	{ "hmac-md5.sig-alg.reg.int", hmacmd5, 0 },
+	{ "hmac-md5.sig-alg.reg.int.", hmacmd5, 0 },
+	{ "hmac-sha1", hmacsha1, 160 },
+	{ "hmac-sha224", hmacsha224, 224 },
+	{ "hmac-sha256", hmacsha256, 256 },
+	{ "hmac-sha384", hmacsha384, 384 },
+	{ "hmac-sha512", hmacsha512, 512 },
+	{  NULL, hmacnone, 0 }
+};
+
 isc_result_t
-ns_config_getkeyalgorithm(const char *str, dns_name_t **name)
+ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
+			  isc_uint16_t *digestbits)
 {
-	if (strcasecmp(str, "hmac-md5") == 0 ||
-	    strcasecmp(str, "hmac-md5.sig-alg.reg.int") == 0 ||
-	    strcasecmp(str, "hmac-md5.sig-alg.reg.int.") == 0)
-	{
-		if (name != NULL)
-			*name = dns_tsig_hmacmd5_name;
-		return (ISC_R_SUCCESS);
+	int i;
+	size_t len = 0;
+	isc_uint16_t bits;
+	isc_result_t result;
+
+	for (i = 0; algorithms[i].str != NULL; i++) {
+		len = strlen(algorithms[i].str);
+		if (strncasecmp(algorithms[i].str, str, len) == 0 &&
+		    (str[len] == '\0' ||
+		     (algorithms[i].size != 0 && str[len] == '-')))
+			break;
 	}
-	return (ISC_R_NOTFOUND);
+	if (algorithms[i].str == NULL)
+		return (ISC_R_NOTFOUND);
+	if (str[len] == '-') {
+		result = isc_parse_uint16(&bits, str + len + 1, 10);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		if (bits > algorithms[i].size)
+			return (ISC_R_RANGE);
+	} else if (algorithms[i].size == 0)
+		bits = 128;
+	else
+		bits = algorithms[i].size;
+
+	if (name != NULL) {
+		switch (algorithms[i].hmac) {
+		case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
+		case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
+		case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
+		case hmacsha256: *name = dns_tsig_hmacsha256_name; break;
+		case hmacsha384: *name = dns_tsig_hmacsha384_name; break;
+		case hmacsha512: *name = dns_tsig_hmacsha512_name; break;
+		default:
+			INSIST(0);
+		}
+	}
+	if (digestbits != NULL)
+		*digestbits = bits;
+	return (ISC_R_SUCCESS);
 }
diff --git a/contrib/bind9/bin/named/control.c b/contrib/bind9/bin/named/control.c
index c9d17ab..e3d54bd 100644
--- a/contrib/bind9/bin/named/control.c
+++ b/contrib/bind9/bin/named/control.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.c,v 1.7.2.2.2.14 2005/04/29 01:04:47 marka Exp $ */
+/* $Id: control.c,v 1.20.10.8 2006/03/10 00:23:20 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -52,7 +54,7 @@ command_compare(const char *text, const char *command) {
 	return (ISC_FALSE);
 }
 
-/*
+/*%
  * This function is called to process the incoming command
  * when a control channel message is received.  
  */
@@ -163,8 +165,15 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 		result = ns_server_freeze(ns_g_server, ISC_FALSE, command);
 	} else if (command_compare(command, NS_COMMAND_RECURSING)) {
 		result = ns_server_dumprecursing(ns_g_server);
+	} else if (command_compare(command, NS_COMMAND_TIMERPOKE)) {
+		result = ISC_R_SUCCESS;
+		isc_timermgr_poke(ns_g_timermgr);
 	} else if (command_compare(command, NS_COMMAND_NULL)) {
 		result = ISC_R_SUCCESS;
+	} else if (command_compare(command, NS_COMMAND_NOTIFY)) {
+		result = ns_server_notifycommand(ns_g_server, command, text);
+	} else if (command_compare(command, NS_COMMAND_VALIDATION)) {
+		result = ns_server_validation(ns_g_server, command);
 	} else {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
diff --git a/contrib/bind9/bin/named/controlconf.c b/contrib/bind9/bin/named/controlconf.c
index b6bcc16..3e36446 100644
--- a/contrib/bind9/bin/named/controlconf.c
+++ b/contrib/bind9/bin/named/controlconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: controlconf.c,v 1.28.2.9.2.10 2006/02/28 06:32:53 marka Exp $ */
+/* $Id: controlconf.c,v 1.40.18.10 2006/12/07 04:53:02 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -96,6 +98,10 @@ struct controllistener {
 	isc_boolean_t			exiting;
 	controlkeylist_t		keys;
 	controlconnectionlist_t		connections;
+	isc_sockettype_t		type;
+	isc_uint32_t			perm;
+	isc_uint32_t			owner;
+	isc_uint32_t			group;
 	ISC_LINK(controllistener_t)	link;
 };
 
@@ -191,6 +197,8 @@ shutdown_listener(controllistener_t *listener) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
 			      "stopping command channel on %s", socktext);
+		if (listener->type == isc_sockettype_unix)
+			isc_socket_cleanunix(&listener->address, ISC_TRUE);
 		listener->exiting = ISC_TRUE;
 	}
 
@@ -596,7 +604,8 @@ control_newconn(isc_task_t *task, isc_event_t *event) {
 
 	sock = nevent->newsocket;
 	(void)isc_socket_getpeername(sock, &peeraddr);
-	if (!address_ok(&peeraddr, listener->acl)) {
+	if (listener->type == isc_sockettype_tcp &&
+	    !address_ok(&peeraddr, listener->acl)) {
 		char socktext[ISC_SOCKADDR_FORMATSIZE];
 		isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
@@ -681,7 +690,7 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
 	char *newstr = NULL;
 	const char *str;
 	const cfg_obj_t *obj;
-	controlkey_t *key = NULL;
+	controlkey_t *key;
 
 	for (element = cfg_list_first(keylist);
 	     element != NULL;
@@ -700,7 +709,6 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
 		key->secret.length = 0;
 		ISC_LINK_INIT(key, link);
 		ISC_LIST_APPEND(*keyids, key, link);
-		key = NULL;
 		newstr = NULL;
 	}
 	return (ISC_R_SUCCESS);
@@ -708,8 +716,6 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
  cleanup:
 	if (newstr != NULL)
 		isc_mem_free(mctx, newstr);
-	if (key != NULL)
-		isc_mem_put(mctx, key, sizeof(*key));
 	free_controlkeylist(keyids, mctx);
 	return (ISC_R_NOMEMORY);
 }
@@ -751,7 +757,7 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 			algstr = cfg_obj_asstring(algobj);
 			secretstr = cfg_obj_asstring(secretobj);
 
-			if (ns_config_getkeyalgorithm(algstr, NULL) !=
+			if (ns_config_getkeyalgorithm(algstr, NULL, NULL) !=
 			    ISC_R_SUCCESS)
 			{
 				cfg_obj_log(control, ns_g_lctx,
@@ -841,7 +847,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 	algstr = cfg_obj_asstring(algobj);
 	secretstr = cfg_obj_asstring(secretobj);
 
-	if (ns_config_getkeyalgorithm(algstr, NULL) != ISC_R_SUCCESS) {
+	if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) {
 		cfg_obj_log(key, ns_g_lctx,
 			    ISC_LOG_WARNING,
 			    "unsupported algorithm '%s' in "
@@ -918,8 +924,8 @@ get_key_info(const cfg_obj_t *config, const cfg_obj_t *control,
 static void
 update_listener(ns_controls_t *cp, controllistener_t **listenerp,
 		const cfg_obj_t *control, const cfg_obj_t *config,
-		isc_sockaddr_t *addr, ns_aclconfctx_t *aclconfctx,
-		const char *socktext)
+		isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+	        const char *socktext, isc_sockettype_t type)
 {
 	controllistener_t *listener;
 	const cfg_obj_t *allow;
@@ -1004,10 +1010,11 @@ update_listener(ns_controls_t *cp, controllistener_t **listenerp,
 	/*
 	 * Now, keep the old access list unless a new one can be made.
 	 */
-	if (control != NULL) {
+	if (control != NULL && type == isc_sockettype_tcp) {
 		allow = cfg_tuple_get(control, "allow");
-		result = ns_acl_fromconfig(allow, config, aclconfctx,
-					   listener->mctx, &new_acl);
+		result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
+					    aclconfctx, listener->mctx,
+					    &new_acl);
 	} else {
 		result = dns_acl_any(listener->mctx, &new_acl);
 	}
@@ -1029,14 +1036,34 @@ update_listener(ns_controls_t *cp, controllistener_t **listenerp,
 			      "command channel %s: %s",
 			      socktext, isc_result_totext(result));
 
+	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
+		isc_uint32_t perm, owner, group;
+		perm  = cfg_obj_asuint32(cfg_tuple_get(control, "perm"));
+		owner = cfg_obj_asuint32(cfg_tuple_get(control, "owner"));
+		group = cfg_obj_asuint32(cfg_tuple_get(control, "group"));
+		result = ISC_R_SUCCESS;
+		if (listener->perm != perm || listener->owner != owner ||
+		    listener->group != group)
+			result = isc_socket_permunix(&listener->address, perm,
+						     owner, group);
+		if (result == ISC_R_SUCCESS) {
+			listener->perm = perm;
+			listener->owner = owner;
+			listener->group = group;
+		} else if (control != NULL)
+			cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
+				    "couldn't update ownership/permission for "
+				    "command channel %s", socktext);
+	}
+
 	*listenerp = listener;
 }
 
 static void
 add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 	     const cfg_obj_t *control, const cfg_obj_t *config,
-	     isc_sockaddr_t *addr, ns_aclconfctx_t *aclconfctx,
-	     const char *socktext)
+	     isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+	     const char *socktext, isc_sockettype_t type)
 {
 	isc_mem_t *mctx = cp->server->mctx;
 	controllistener_t *listener;
@@ -1059,6 +1086,10 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 		listener->listening = ISC_FALSE;
 		listener->exiting = ISC_FALSE;
 		listener->acl = NULL;
+		listener->type = type;
+		listener->perm = 0;
+		listener->owner = 0;
+		listener->group = 0;
 		ISC_LINK_INIT(listener, link);
 		ISC_LIST_INIT(listener->keys);
 		ISC_LIST_INIT(listener->connections);
@@ -1066,10 +1097,10 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 		/*
 		 * Make the acl.
 		 */
-		if (control != NULL) {
+		if (control != NULL && type == isc_sockettype_tcp) {
 			allow = cfg_tuple_get(control, "allow");
-			result = ns_acl_fromconfig(allow, config, aclconfctx,
-						   mctx, &new_acl);
+			result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
+						    aclconfctx, mctx, &new_acl);
 		} else {
 			result = dns_acl_any(mctx, &new_acl);
 		}
@@ -1104,20 +1135,35 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 	if (result == ISC_R_SUCCESS) {
 		int pf = isc_sockaddr_pf(&listener->address);
 		if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) ||
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		    (pf == AF_UNIX && isc_net_probeunix() != ISC_R_SUCCESS) ||
+#endif
 		    (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS))
 			result = ISC_R_FAMILYNOSUPPORT;
 	}
 
+	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix)
+		isc_socket_cleanunix(&listener->address, ISC_FALSE);
+
 	if (result == ISC_R_SUCCESS)
 		result = isc_socket_create(ns_g_socketmgr,
 					   isc_sockaddr_pf(&listener->address),
-					   isc_sockettype_tcp,
-					   &listener->sock);
+					   type, &listener->sock);
 
 	if (result == ISC_R_SUCCESS)
 		result = isc_socket_bind(listener->sock,
 					 &listener->address);
 
+	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
+		listener->perm = cfg_obj_asuint32(cfg_tuple_get(control,
+								"perm"));
+		listener->owner = cfg_obj_asuint32(cfg_tuple_get(control,
+								 "owner"));
+		listener->group = cfg_obj_asuint32(cfg_tuple_get(control,
+								 "group"));
+		result = isc_socket_permunix(&listener->address, listener->perm,
+					     listener->owner, listener->group);
+	}
 	if (result == ISC_R_SUCCESS)
 		result = control_listen(listener);
 
@@ -1154,7 +1200,7 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 
 isc_result_t
 ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
-		      ns_aclconfctx_t *aclconfctx)
+		      cfg_aclconfctx_t *aclconfctx)
 {
 	controllistener_t *listener;
 	controllistenerlist_t new_listeners;
@@ -1200,9 +1246,6 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 				 * The parser handles BIND 8 configuration file
 				 * syntax, so it allows unix phrases as well
 				 * inet phrases with no keys{} clause.
-				 *
-				 * "unix" phrases have been reported as
-				 * unsupported by the parser.
 				 */
 				control = cfg_listelt_value(element2);
 
@@ -1223,7 +1266,81 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 					      socktext);
 
 				update_listener(cp, &listener, control, config,
-						&addr, aclconfctx, socktext);
+						&addr, aclconfctx, socktext,
+						isc_sockettype_tcp);
+
+				if (listener != NULL)
+					/*
+					 * Remove the listener from the old
+					 * list, so it won't be shut down.
+					 */
+					ISC_LIST_UNLINK(cp->listeners,
+							listener, link);
+				else
+					/*
+					 * This is a new listener.
+					 */
+					add_listener(cp, &listener, control,
+						     config, &addr, aclconfctx,
+						     socktext,
+						     isc_sockettype_tcp);
+
+				if (listener != NULL)
+					ISC_LIST_APPEND(new_listeners,
+							listener, link);
+			}
+		}
+		for (element = cfg_list_first(controlslist);
+		     element != NULL;
+		     element = cfg_list_next(element)) {
+			const cfg_obj_t *controls;
+			const cfg_obj_t *unixcontrols = NULL;
+
+			controls = cfg_listelt_value(element);
+			(void)cfg_map_get(controls, "unix", &unixcontrols);
+			if (unixcontrols == NULL)
+				continue;
+
+			for (element2 = cfg_list_first(unixcontrols);
+			     element2 != NULL;
+			     element2 = cfg_list_next(element2)) {
+				const cfg_obj_t *control;
+				const cfg_obj_t *path;
+				isc_sockaddr_t addr;
+				isc_result_t result;
+
+				/*
+				 * The parser handles BIND 8 configuration file
+				 * syntax, so it allows unix phrases as well
+				 * inet phrases with no keys{} clause.
+				 */
+				control = cfg_listelt_value(element2);
+
+				path = cfg_tuple_get(control, "path");
+				result = isc_sockaddr_frompath(&addr,
+						      cfg_obj_asstring(path));
+				if (result != ISC_R_SUCCESS) {
+					isc_log_write(ns_g_lctx,
+					      NS_LOGCATEGORY_GENERAL,
+					      NS_LOGMODULE_CONTROL,
+					      ISC_LOG_DEBUG(9),
+					      "control channel '%s': %s",
+					      cfg_obj_asstring(path),
+					      isc_result_totext(result));
+					continue;
+				}
+
+				isc_log_write(ns_g_lctx,
+					      NS_LOGCATEGORY_GENERAL,
+					      NS_LOGMODULE_CONTROL,
+					      ISC_LOG_DEBUG(9),
+					      "processing control channel '%s'",
+					      cfg_obj_asstring(path));
+
+				update_listener(cp, &listener, control, config,
+						&addr, aclconfctx,
+					        cfg_obj_asstring(path),
+						isc_sockettype_unix);
 
 				if (listener != NULL)
 					/*
@@ -1238,7 +1355,8 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 					 */
 					add_listener(cp, &listener, control,
 						     config, &addr, aclconfctx,
-						     socktext);
+						     cfg_obj_asstring(path),
+						     isc_sockettype_unix);
 
 				if (listener != NULL)
 					ISC_LIST_APPEND(new_listeners,
@@ -1269,7 +1387,8 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 			isc_sockaddr_format(&addr, socktext, sizeof(socktext));
 			
 			update_listener(cp, &listener, NULL, NULL,
-					&addr, NULL, socktext);
+					&addr, NULL, socktext,
+				        isc_sockettype_tcp);
 
 			if (listener != NULL)
 				/*
@@ -1283,7 +1402,8 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 				 * This is a new listener.
 				 */
 				add_listener(cp, &listener, NULL, NULL,
-					     &addr, NULL, socktext);
+					     &addr, NULL, socktext,
+					     isc_sockettype_tcp);
 
 			if (listener != NULL)
 				ISC_LIST_APPEND(new_listeners,
diff --git a/contrib/bind9/bin/named/include/named/builtin.h b/contrib/bind9/bin/named/include/named/builtin.h
index 15564bf..37a3e76 100644
--- a/contrib/bind9/bin/named/include/named/builtin.h
+++ b/contrib/bind9/bin/named/include/named/builtin.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: builtin.h,v 1.1.204.3 2004/03/08 04:04:20 marka Exp $ */
+/* $Id: builtin.h,v 1.2.18.2 2005/04/29 00:15:34 marka Exp $ */
 
 #ifndef NAMED_BUILTIN_H
 #define NAMED_BUILTIN_H 1
 
+/*! \file */
+
 #include <isc/types.h>
 
 isc_result_t ns_builtin_init(void);
diff --git a/contrib/bind9/bin/named/include/named/client.h b/contrib/bind9/bin/named/include/named/client.h
index f602be8..0cf7985 100644
--- a/contrib/bind9/bin/named/include/named/client.h
+++ b/contrib/bind9/bin/named/include/named/client.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.h,v 1.60.2.2.10.12 2006/06/06 00:11:40 marka Exp $ */
+/* $Id: client.h,v 1.69.18.9 2006/06/06 00:11:41 marka Exp $ */
 
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -24,9 +24,8 @@
  ***** Module Info
  *****/
 
-/*
- * Client
- *
+/*! \file 
+ * \brief
  * This module defines two objects, ns_client_t and ns_clientmgr_t.
  *
  * An ns_client_t object handles incoming DNS requests from clients
@@ -44,12 +43,12 @@
  * fully handled (which can be much later), the ns_client_t must be
  * notified of this by calling one of the following functions
  * exactly once in the context of its task:
- *
+ * \code
  *   ns_client_send()	(sending a non-error response)
  *   ns_client_sendraw() (sending a raw response)
  *   ns_client_error()	(sending an error response)
  *   ns_client_next()	(sending no response)
- *
+ *\endcode
  * This will release any resources used by the request and
  * and allow the ns_client_t to listen for the next request.
  *
@@ -84,6 +83,7 @@
 
 typedef ISC_LIST(ns_client_t) client_list_t;
 
+/*% nameserver client structure */
 struct ns_client {
 	unsigned int		magic;
 	isc_mem_t *		mctx;
@@ -116,15 +116,16 @@ struct ns_client {
 	dns_rdataset_t *	opt;
 	isc_uint16_t		udpsize;
 	isc_uint16_t		extflags;
+	isc_int16_t		ednsversion;	/* -1 noedns */
 	void			(*next)(ns_client_t *);
 	void			(*shutdown)(void *arg, isc_result_t result);
 	void 			*shutdown_arg;
 	ns_query_t		query;
 	isc_stdtime_t		requesttime;
 	isc_stdtime_t		now;
-	dns_name_t		signername;   /* [T]SIG key name */
-	dns_name_t *		signer;	      /* NULL if not valid sig */
-	isc_boolean_t		mortal;	      /* Die after handling request */
+	dns_name_t		signername;   /*%< [T]SIG key name */
+	dns_name_t *		signer;	      /*%< NULL if not valid sig */
+	isc_boolean_t		mortal;	      /*%< Die after handling request */
 	isc_quota_t		*tcpquota;
 	isc_quota_t		*recursionquota;
 	ns_interface_t		*interface;
@@ -132,7 +133,7 @@ struct ns_client {
 	isc_boolean_t		peeraddr_valid;
 	struct in6_pktinfo	pktinfo;
 	isc_event_t		ctlevent;
-	/*
+	/*%
 	 * Information about recent FORMERR response(s), for
 	 * FORMERR loop avoidance.  This is separate for each
 	 * client object rather than global only to avoid
@@ -144,7 +145,7 @@ struct ns_client {
 		dns_messageid_t		id;
 	} formerrcache;
 	ISC_LINK(ns_client_t)	link;
-	/*
+	/*%
 	 * The list 'link' is part of, or NULL if not on any list.
 	 */
 	client_list_t		*list;
@@ -154,38 +155,42 @@ struct ns_client {
 #define NS_CLIENT_VALID(c)		ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
 
 #define NS_CLIENTATTR_TCP		0x01
-#define NS_CLIENTATTR_RA		0x02 /* Client gets recusive service */
-#define NS_CLIENTATTR_PKTINFO		0x04 /* pktinfo is valid */
-#define NS_CLIENTATTR_MULTICAST		0x08 /* recv'd from multicast */
-#define NS_CLIENTATTR_WANTDNSSEC	0x10 /* include dnssec records */
+#define NS_CLIENTATTR_RA		0x02 /*%< Client gets recusive service */
+#define NS_CLIENTATTR_PKTINFO		0x04 /*%< pktinfo is valid */
+#define NS_CLIENTATTR_MULTICAST		0x08 /*%< recv'd from multicast */
+#define NS_CLIENTATTR_WANTDNSSEC	0x10 /*%< include dnssec records */
 
+extern unsigned int ns_client_requests;
 
 /***
  *** Functions
  ***/
 
-/*
+/*%
  * Note!  These ns_client_ routines MUST be called ONLY from the client's
  * task in order to ensure synchronization.
  */
 
 void
 ns_client_send(ns_client_t *client);
-/*
+/*%
  * Finish processing the current client request and
  * send client->message as a response.
+ * \brief
+ * Note!  These ns_client_ routines MUST be called ONLY from the client's
+ * task in order to ensure synchronization.
  */
 
 void
 ns_client_sendraw(ns_client_t *client, dns_message_t *msg);
-/*
+/*%
  * Finish processing the current client request and
  * send msg as a response using client->message->id for the id.
  */
 
 void
 ns_client_error(ns_client_t *client, isc_result_t result);
-/*
+/*%
  * Finish processing the current client request and return
  * an error response to the client.  The error response
  * will have an RCODE determined by 'result'.
@@ -193,38 +198,32 @@ ns_client_error(ns_client_t *client, isc_result_t result);
 
 void
 ns_client_next(ns_client_t *client, isc_result_t result);
-/*
+/*%
  * Finish processing the current client request,
  * return no response to the client.
  */
 
-void
-ns_client_qnamereplace(ns_client_t *client, dns_name_t *name);
-/*%
- * Replace the qname.
- */
-
 isc_boolean_t
 ns_client_shuttingdown(ns_client_t *client);
-/*
+/*%
  * Return ISC_TRUE iff the client is currently shutting down.
  */
 
 void
 ns_client_attach(ns_client_t *source, ns_client_t **target);
-/*
+/*%
  * Attach '*targetp' to 'source'.
  */
 
 void
 ns_client_detach(ns_client_t **clientp);
-/*
+/*%
  * Detach '*clientp' from its client.
  */
 
 isc_result_t
 ns_client_replace(ns_client_t *client);
-/*
+/*%
  * Try to replace the current client with a new one, so that the
  * current one can go off and do some lengthy work without
  * leaving the dispatch/socket without service.
@@ -232,20 +231,20 @@ ns_client_replace(ns_client_t *client);
 
 void
 ns_client_settimeout(ns_client_t *client, unsigned int seconds);
-/*
+/*%
  * Set a timer in the client to go off in the specified amount of time.
  */
 
 isc_result_t
 ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 		    isc_timermgr_t *timermgr, ns_clientmgr_t **managerp);
-/*
+/*%
  * Create a client manager.
  */
 
 void
 ns_clientmgr_destroy(ns_clientmgr_t **managerp);
-/*
+/*%
  * Destroy a client manager and all ns_client_t objects
  * managed by it.
  */
@@ -253,7 +252,7 @@ ns_clientmgr_destroy(ns_clientmgr_t **managerp);
 isc_result_t
 ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
 			   ns_interface_t *ifp, isc_boolean_t tcp);
-/*
+/*%
  * Create up to 'n' clients listening on interface 'ifp'.
  * If 'tcp' is ISC_TRUE, the clients will listen for TCP connections,
  * otherwise for UDP requests.
@@ -261,7 +260,7 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
 
 isc_sockaddr_t *
 ns_client_getsockaddr(ns_client_t *client);
-/*
+/*%
  * Get the socket address of the client whose request is
  * currently being processed.
  */
@@ -270,27 +269,27 @@ isc_result_t
 ns_client_checkaclsilent(ns_client_t  *client,dns_acl_t *acl,
 			 isc_boolean_t default_allow);
 
-/*
+/*%
  * Convenience function for client request ACL checking.
  *
  * Check the current client request against 'acl'.  If 'acl'
  * is NULL, allow the request iff 'default_allow' is ISC_TRUE.
  *
  * Notes:
- *	This is appropriate for checking allow-update,
+ *\li	This is appropriate for checking allow-update,
  * 	allow-query, allow-transfer, etc.  It is not appropriate
  * 	for checking the blackhole list because we treat positive
  * 	matches as "allow" and negative matches as "deny"; in
  *	the case of the blackhole list this would be backwards.
  *
  * Requires:
- *	'client' points to a valid client.
- *	'acl' points to a valid ACL, or is NULL.
+ *\li	'client' points to a valid client.
+ *\li	'acl' points to a valid ACL, or is NULL.
  *
  * Returns:
- *	ISC_R_SUCCESS	if the request should be allowed
- * 	ISC_R_REFUSED	if the request should be denied
- *	No other return values are possible.
+ *\li	ISC_R_SUCCESS	if the request should be allowed
+ * \li	ISC_R_REFUSED	if the request should be denied
+ *\li	No other return values are possible.
  */
 
 isc_result_t
@@ -298,16 +297,16 @@ ns_client_checkacl(ns_client_t  *client,
 		   const char *opname, dns_acl_t *acl,
 		   isc_boolean_t default_allow,
 		   int log_level);
-/*
+/*%
  * Like ns_client_checkacl, but also logs the outcome of the
  * check at log level 'log_level' if denied, and at debug 3
  * if approved.  Log messages will refer to the request as
  * an 'opname' request.
  *
  * Requires:
- *	Those of ns_client_checkaclsilent(), and:
+ *\li	Those of ns_client_checkaclsilent(), and:
  *
- *	'opname' points to a null-terminated string.
+ *\li	'opname' points to a null-terminated string.
  */
 
 void
@@ -330,8 +329,7 @@ ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type,
 void
 ns_client_recursing(ns_client_t *client);
 /*%
- * Add client to end of recursing list.  If 'killoldest' is true
- * kill the oldest recursive client (list head). 
+ * Add client to end of th recursing list.
  */
 
 void
@@ -342,8 +340,22 @@ ns_client_killoldestquery(ns_client_t *client);
 
 void
 ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager);
-/*
+/*%
  * Dump the outstanding recursive queries to 'f'.
  */
 
+void
+ns_client_qnamereplace(ns_client_t *client, dns_name_t *name);
+/*%
+ * Replace the qname.
+ */
+
+isc_boolean_t
+ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
+                 isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+                 dns_rdataclass_t rdclass, void *arg);
+/*%
+ * Isself callback.
+ */
+
 #endif /* NAMED_CLIENT_H */
diff --git a/contrib/bind9/bin/named/include/named/config.h b/contrib/bind9/bin/named/include/named/config.h
index 8e5b94a..e8e6038 100644
--- a/contrib/bind9/bin/named/include/named/config.h
+++ b/contrib/bind9/bin/named/include/named/config.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h,v 1.4.12.6 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: config.h,v 1.6.18.6 2006/02/28 03:10:47 marka Exp $ */
 
 #ifndef NAMED_CONFIG_H
 #define NAMED_CONFIG_H 1
 
+/*! \file */
+
 #include <isccfg/cfg.h>
 
 #include <dns/types.h>
@@ -71,6 +73,7 @@ isc_result_t
 ns_config_getport(const cfg_obj_t *config, in_port_t *portp);
 
 isc_result_t
-ns_config_getkeyalgorithm(const char *str, dns_name_t **name);
+ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
+			  isc_uint16_t *digestbits);
 
 #endif /* NAMED_CONFIG_H */
diff --git a/contrib/bind9/bin/named/include/named/control.h b/contrib/bind9/bin/named/include/named/control.h
index bdb706e..5b7e5f4 100644
--- a/contrib/bind9/bin/named/include/named/control.h
+++ b/contrib/bind9/bin/named/include/named/control.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,18 +15,20 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.6.2.2.2.9 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: control.h,v 1.14.18.8 2006/03/09 23:46:20 marka Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
 
-/*
+/*! \file
+ * \brief
  * The name server command channel.
  */
 
 #include <isccc/types.h>
 
-#include <named/aclconf.h>
+#include <isccfg/aclconf.h>
+
 #include <named/types.h>
 
 #define NS_CONTROL_PORT			953
@@ -48,18 +50,21 @@
 #define NS_COMMAND_FREEZE	"freeze"
 #define NS_COMMAND_UNFREEZE	"unfreeze"
 #define NS_COMMAND_THAW		"thaw"
+#define NS_COMMAND_TIMERPOKE	"timerpoke"
 #define NS_COMMAND_RECURSING	"recursing"
 #define NS_COMMAND_NULL		"null"
+#define NS_COMMAND_NOTIFY	"notify"
+#define NS_COMMAND_VALIDATION	"validation"
 
 isc_result_t
 ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
-/*
+/*%<
  * Create an initial, empty set of command channels for 'server'.
  */
 
 void
 ns_controls_destroy(ns_controls_t **ctrlsp);
-/*
+/*%<
  * Destroy a set of command channels.
  *
  * Requires:
@@ -68,8 +73,8 @@ ns_controls_destroy(ns_controls_t **ctrlsp);
 
 isc_result_t
 ns_controls_configure(ns_controls_t *controls, const cfg_obj_t *config,
-		      ns_aclconfctx_t *aclconfctx);
-/*
+		      cfg_aclconfctx_t *aclconfctx);
+/*%<
  * Configure zero or more command channels into 'controls'
  * as defined in the configuration parse tree 'config'.
  * The channels will evaluate ACLs in the context of
@@ -78,7 +83,7 @@ ns_controls_configure(ns_controls_t *controls, const cfg_obj_t *config,
 
 void
 ns_controls_shutdown(ns_controls_t *controls);
-/*
+/*%<
  * Initiate shutdown of all the command channels in 'controls'.
  */
 
diff --git a/contrib/bind9/bin/named/include/named/globals.h b/contrib/bind9/bin/named/include/named/globals.h
index b8137e8..11f3989 100644
--- a/contrib/bind9/bin/named/include/named/globals.h
+++ b/contrib/bind9/bin/named/include/named/globals.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: globals.h,v 1.59.68.7 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: globals.h,v 1.64.18.4 2006/03/02 00:37:21 marka Exp $ */
 
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
 
+/*! \file */
+
 #include <isc/rwlock.h>
 #include <isc/log.h>
 #include <isc/net.h>
diff --git a/contrib/bind9/bin/named/include/named/interfacemgr.h b/contrib/bind9/bin/named/include/named/interfacemgr.h
index 54bd91c..42279ff 100644
--- a/contrib/bind9/bin/named/include/named/interfacemgr.h
+++ b/contrib/bind9/bin/named/include/named/interfacemgr.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfacemgr.h,v 1.23.24.7 2004/04/29 01:31:22 marka Exp $ */
+/* $Id: interfacemgr.h,v 1.26.18.4 2005/04/27 05:00:35 sra Exp $ */
 
 #ifndef NAMED_INTERFACEMGR_H
 #define NAMED_INTERFACEMGR_H 1
@@ -24,24 +24,23 @@
  ***** Module Info
  *****/
 
-/*
- * Interface manager
- *
+/*! \file
+ * \brief
  * The interface manager monitors the operating system's list
  * of network interfaces, creating and destroying listeners
  * as needed.
  *
  * Reliability:
- *	No impact expected.
+ *\li	No impact expected.
  *
  * Resources:
  *
  * Security:
- * 	The server will only be able to bind to the DNS port on
+ * \li	The server will only be able to bind to the DNS port on
  *	newly discovered interfaces if it is running as root.
  *
  * Standards:
- *	The API for scanning varies greatly among operating systems.
+ *\li	The API for scanning varies greatly among operating systems.
  *	This module attempts to hide the differences.
  */
 
@@ -65,23 +64,24 @@
 #define IFACE_MAGIC		ISC_MAGIC('I',':','-',')')
 #define NS_INTERFACE_VALID(t)	ISC_MAGIC_VALID(t, IFACE_MAGIC)
 
-#define NS_INTERFACEFLAG_ANYADDR	0x01U	/* bound to "any" address */
+#define NS_INTERFACEFLAG_ANYADDR	0x01U	/*%< bound to "any" address */
 
+/*% The nameserver interface structure */
 struct ns_interface {
-	unsigned int		magic;		/* Magic number. */
-	ns_interfacemgr_t *	mgr;		/* Interface manager. */
+	unsigned int		magic;		/*%< Magic number. */
+	ns_interfacemgr_t *	mgr;		/*%< Interface manager. */
 	isc_mutex_t		lock;
-	int			references;	/* Locked */
-	unsigned int		generation;     /* Generation number. */
-	isc_sockaddr_t		addr;           /* Address and port. */
-	unsigned int		flags;		/* Interface characteristics */
-	char 			name[32];	/* Null terminated. */
-	dns_dispatch_t *	udpdispatch;	/* UDP dispatcher. */
-	isc_socket_t *		tcpsocket;	/* TCP socket. */
-	int			ntcptarget;	/* Desired number of concurrent
-						   TCP accepts */
-	int			ntcpcurrent;	/* Current ditto, locked */
-	ns_clientmgr_t *	clientmgr;	/* Client manager. */
+	int			references;	/*%< Locked */
+	unsigned int		generation;     /*%< Generation number. */
+	isc_sockaddr_t		addr;           /*%< Address and port. */
+	unsigned int		flags;		/*%< Interface characteristics */
+	char 			name[32];	/*%< Null terminated. */
+	dns_dispatch_t *	udpdispatch;	/*%< UDP dispatcher. */
+	isc_socket_t *		tcpsocket;	/*%< TCP socket. */
+	int			ntcptarget;	/*%< Desired number of concurrent
+						     TCP accepts */
+	int			ntcpcurrent;	/*%< Current ditto, locked */
+	ns_clientmgr_t *	clientmgr;	/*%< Client manager. */
 	ISC_LINK(ns_interface_t) link;
 };
 
@@ -94,7 +94,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 		       isc_socketmgr_t *socketmgr,
 		       dns_dispatchmgr_t *dispatchmgr,
 		       ns_interfacemgr_t **mgrp);
-/*
+/*%
  * Create a new interface manager.
  *
  * Initially, the new manager will not listen on any interfaces.
@@ -113,7 +113,7 @@ ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr);
 
 void
 ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose);
-/*
+/*%
  * Scan the operatings system's list of network interfaces
  * and create listeners when new interfaces are discovered.
  * Shut down the sockets for interfaces that go away.
@@ -126,7 +126,7 @@ ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose);
 void
 ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
 		       isc_boolean_t verbose);
-/*
+/*%
  * Similar to ns_interfacemgr_scan(), but this function also tries to see the
  * need for an explicit listen-on when a list element in 'list' is going to
  * override an already-listening a wildcard interface.
@@ -139,14 +139,14 @@ ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
 
 void
 ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
-/*
+/*%
  * Set the IPv4 "listen-on" list of 'mgr' to 'value'.
  * The previous IPv4 listen-on list is freed.
  */
 
 void
 ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
-/*
+/*%
  * Set the IPv6 "listen-on" list of 'mgr' to 'value'.
  * The previous IPv6 listen-on list is freed.
  */
@@ -162,7 +162,7 @@ ns_interface_detach(ns_interface_t **targetp);
 
 void
 ns_interface_shutdown(ns_interface_t *ifp);
-/*
+/*%
  * Stop listening for queries on interface 'ifp'.
  * May safely be called multiple times.
  */
@@ -170,4 +170,7 @@ ns_interface_shutdown(ns_interface_t *ifp);
 void
 ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr);
 
+isc_boolean_t
+ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr);
+
 #endif /* NAMED_INTERFACEMGR_H */
diff --git a/contrib/bind9/bin/named/include/named/listenlist.h b/contrib/bind9/bin/named/include/named/listenlist.h
index 31e8893..cdca026 100644
--- a/contrib/bind9/bin/named/include/named/listenlist.h
+++ b/contrib/bind9/bin/named/include/named/listenlist.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: listenlist.h,v 1.10.208.1 2004/03/06 10:21:24 marka Exp $ */
+/* $Id: listenlist.h,v 1.11.18.2 2005/04/29 00:15:34 marka Exp $ */
 
 #ifndef NAMED_LISTENLIST_H
 #define NAMED_LISTENLIST_H 1
@@ -24,7 +24,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * "Listen lists", as in the "listen-on" configuration statement.
  */
 
@@ -62,38 +63,38 @@ struct ns_listenlist {
 isc_result_t
 ns_listenelt_create(isc_mem_t *mctx, in_port_t port,
 		    dns_acl_t *acl, ns_listenelt_t **target);
-/*
+/*%
  * Create a listen-on list element.
  */
 
 void
 ns_listenelt_destroy(ns_listenelt_t *elt);
-/*
+/*%
  * Destroy a listen-on list element.
  */
 
 isc_result_t
 ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target);
-/*
+/*%
  * Create a new, empty listen-on list.
  */
 
 void
 ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target);
-/*
+/*%
  * Attach '*target' to '*source'.
  */
 
 void
 ns_listenlist_detach(ns_listenlist_t **listp);
-/*
+/*%
  * Detach 'listp'.
  */
 
 isc_result_t
 ns_listenlist_default(isc_mem_t *mctx, in_port_t port,
 		      isc_boolean_t enabled, ns_listenlist_t **target);
-/*
+/*%
  * Create a listen-on list with default contents, matching
  * all addresses with port 'port' (if 'enabled' is ISC_TRUE),
  * or no addresses (if 'enabled' is ISC_FALSE).
diff --git a/contrib/bind9/bin/named/include/named/log.h b/contrib/bind9/bin/named/include/named/log.h
index e8ad1ca..6d6e648 100644
--- a/contrib/bind9/bin/named/include/named/log.h
+++ b/contrib/bind9/bin/named/include/named/log.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.19.12.3 2004/03/08 04:04:21 marka Exp $ */
+/* $Id: log.h,v 1.21.18.2 2005/04/29 00:15:35 marka Exp $ */
 
 #ifndef NAMED_LOG_H
 #define NAMED_LOG_H 1
 
+/*! \file */
+
 #include <isc/log.h>
 #include <isc/types.h>
 
@@ -54,7 +56,7 @@
 
 isc_result_t
 ns_log_init(isc_boolean_t safe);
-/*
+/*%
  * Initialize the logging system and set up an initial default
  * logging default configuration that will be used until the
  * config file has been read.
@@ -66,7 +68,7 @@ ns_log_init(isc_boolean_t safe);
 
 isc_result_t
 ns_log_setdefaultchannels(isc_logconfig_t *lcfg);
-/*
+/*%
  * Set up logging channels according to the named defaults, which
  * may differ from the logging library defaults.  Currently,
  * this just means setting up default_debug.
@@ -74,19 +76,19 @@ ns_log_setdefaultchannels(isc_logconfig_t *lcfg);
 
 isc_result_t
 ns_log_setsafechannels(isc_logconfig_t *lcfg);
-/*
+/*%
  * Like ns_log_setdefaultchannels(), but omits any logging to files.
  */
 
 isc_result_t
 ns_log_setdefaultcategory(isc_logconfig_t *lcfg);
-/*
+/*%
  * Set up "category default" to go to the right places.
  */
 
 isc_result_t
 ns_log_setunmatchedcategory(isc_logconfig_t *lcfg);
-/*
+/*%
  * Set up "category unmatched" to go to the right places.
  */
 
diff --git a/contrib/bind9/bin/named/include/named/logconf.h b/contrib/bind9/bin/named/include/named/logconf.h
index b92ad31..79df5c6 100644
--- a/contrib/bind9/bin/named/include/named/logconf.h
+++ b/contrib/bind9/bin/named/include/named/logconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,16 +15,18 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.h,v 1.10.208.3 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: logconf.h,v 1.11.18.4 2006/03/02 00:37:21 marka Exp $ */
 
 #ifndef NAMED_LOGCONF_H
 #define NAMED_LOGCONF_H 1
 
+/*! \file */
+
 #include <isc/log.h>
 
 isc_result_t
 ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt);
-/*
+/*%<
  * Set up the logging configuration in '*logconf' according to
  * the named.conf data in 'logstmt'.
  */
diff --git a/contrib/bind9/bin/named/include/named/lwaddr.h b/contrib/bind9/bin/named/include/named/lwaddr.h
index 0aa66b7..552d1d4 100644
--- a/contrib/bind9/bin/named/include/named/lwaddr.h
+++ b/contrib/bind9/bin/named/include/named/lwaddr.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwaddr.h,v 1.3.208.1 2004/03/06 10:21:24 marka Exp $ */
+/* $Id: lwaddr.h,v 1.4.18.2 2005/04/29 00:15:35 marka Exp $ */
+
+/*! \file */
 
 #include <lwres/lwres.h>
 #include <lwres/net.h>
diff --git a/contrib/bind9/bin/named/include/named/lwdclient.h b/contrib/bind9/bin/named/include/named/lwdclient.h
index 09d68ff..591b86c 100644
--- a/contrib/bind9/bin/named/include/named/lwdclient.h
+++ b/contrib/bind9/bin/named/include/named/lwdclient.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdclient.h,v 1.13.208.1 2004/03/06 10:21:24 marka Exp $ */
+/* $Id: lwdclient.h,v 1.14.18.2 2005/04/29 00:15:36 marka Exp $ */
 
 #ifndef NAMED_LWDCLIENT_H
 #define NAMED_LWDCLIENT_H 1
 
+/*! \file */
+
 #include <isc/event.h>
 #include <isc/eventclass.h>
 #include <isc/netaddr.h>
@@ -37,23 +39,24 @@
 
 #define LWRD_SHUTDOWN		(LWRD_EVENTCLASS + 0x0001)
 
+/*% Lighweight Resolver Daemon Client */
 struct ns_lwdclient {
-	isc_sockaddr_t		address;	/* where to reply */
+	isc_sockaddr_t		address;	/*%< where to reply */
 	struct in6_pktinfo	pktinfo;
 	isc_boolean_t		pktinfo_valid;
-	ns_lwdclientmgr_t	*clientmgr;	/* our parent */
+	ns_lwdclientmgr_t	*clientmgr;	/*%< our parent */
 	ISC_LINK(ns_lwdclient_t) link;
 	unsigned int		state;
-	void			*arg;		/* packet processing state */
+	void			*arg;		/*%< packet processing state */
 
 	/*
 	 * Received data info.
 	 */
-	unsigned char		buffer[LWRES_RECVLENGTH]; /* receive buffer */
-	isc_uint32_t		recvlength;	/* length recv'd */
+	unsigned char		buffer[LWRES_RECVLENGTH]; /*%< receive buffer */
+	isc_uint32_t		recvlength;	/*%< length recv'd */
 	lwres_lwpacket_t	pkt;
 
-	/*
+	/*%
 	 * Send data state.  If sendbuf != buffer (that is, the send buffer
 	 * isn't our receive buffer) it will be freed to the lwres_context_t.
 	 */
@@ -61,19 +64,19 @@ struct ns_lwdclient {
 	isc_uint32_t		sendlength;
 	isc_buffer_t		recv_buffer;
 
-	/*
+	/*%
 	 * gabn (get address by name) state info.
 	 */
 	dns_adbfind_t		*find;
 	dns_adbfind_t		*v4find;
 	dns_adbfind_t		*v6find;
-	unsigned int		find_wanted;	/* Addresses we want */
+	unsigned int		find_wanted;	/*%< Addresses we want */
 	dns_fixedname_t		query_name;
 	dns_fixedname_t		target_name;
 	ns_lwsearchctx_t	searchctx;
 	lwres_gabnresponse_t	gabn;
 
-	/*
+	/*%
 	 * gnba (get name by address) state info.
 	 */
 	lwres_gnbaresponse_t	gnba;
@@ -81,7 +84,7 @@ struct ns_lwdclient {
 	unsigned int		options;
 	isc_netaddr_t		na;
 
-	/*
+	/*%
 	 * grbn (get rrset by name) state info.
 	 *
 	 * Note: this also uses target_name and searchctx.
@@ -90,7 +93,7 @@ struct ns_lwdclient {
 	dns_lookup_t	       *lookup;
 	dns_rdatatype_t		rdtype;
 
-	/*
+	/*%
 	 * Alias and address info.  This is copied up to the gabn/gnba
 	 * structures eventually.
 	 *
@@ -103,7 +106,7 @@ struct ns_lwdclient {
 	lwres_addr_t		addrs[LWRES_MAX_ADDRS];
 };
 
-/*
+/*%
  * Client states.
  *
  * _IDLE	The client is not doing anything at all.
@@ -156,7 +159,7 @@ struct ns_lwdclient {
 #define NS_LWDCLIENT_ISSEND(c)		\
 			((c)->state == NS_LWDCLIENT_STATESEND)
 
-/*
+/*%
  * Overall magic test that means we're not idle.
  */
 #define NS_LWDCLIENT_ISRUNNING(c)	(!NS_LWDCLIENT_ISIDLE(c))
@@ -174,17 +177,18 @@ struct ns_lwdclient {
 #define NS_LWDCLIENT_SETSENDDONE(c)	\
 			((c)->state = NS_LWDCLIENT_STATESENDDONE)
 
+/*% lightweight daemon client manager */
 struct ns_lwdclientmgr {
 	ns_lwreslistener_t     *listener;
 	isc_mem_t	       *mctx;
-	isc_socket_t	       *sock;		/* socket to use */
+	isc_socket_t	       *sock;		/*%< socket to use */
 	dns_view_t	       *view;
-	lwres_context_t	       *lwctx;		/* lightweight proto context */
-	isc_task_t	       *task;		/* owning task */
+	lwres_context_t	       *lwctx;		/*%< lightweight proto context */
+	isc_task_t	       *task;		/*%< owning task */
 	unsigned int		flags;
 	ISC_LINK(ns_lwdclientmgr_t)	link;
-	ISC_LIST(ns_lwdclient_t)	idle;		/* idle client slots */
-	ISC_LIST(ns_lwdclient_t)	running;	/* running clients */
+	ISC_LIST(ns_lwdclient_t)	idle;		/*%< idle client slots */
+	ISC_LIST(ns_lwdclient_t)	running;	/*%< running clients */
 };
 
 #define NS_LWDCLIENTMGR_FLAGRECVPENDING		0x00000001
diff --git a/contrib/bind9/bin/named/include/named/lwresd.h b/contrib/bind9/bin/named/include/named/lwresd.h
index 2aa1d55..ef93fcd 100644
--- a/contrib/bind9/bin/named/include/named/lwresd.h
+++ b/contrib/bind9/bin/named/include/named/lwresd.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.h,v 1.12.208.3 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: lwresd.h,v 1.13.18.4 2006/03/02 00:37:21 marka Exp $ */
 
 #ifndef NAMED_LWRESD_H
 #define NAMED_LWRESD_H 1
 
+/*! \file */
+
 #include <isc/types.h>
 #include <isc/sockaddr.h>
 
@@ -52,7 +54,7 @@ struct ns_lwreslistener {
 	ISC_LINK(ns_lwreslistener_t) link;
 };
 
-/*
+/*%
  * Configure lwresd.
  */
 isc_result_t
@@ -62,7 +64,7 @@ isc_result_t
 ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
 			   cfg_obj_t **configp);
 
-/*
+/*%
  * Trigger shutdown.
  */
 void
@@ -71,29 +73,36 @@ ns_lwresd_shutdown(void);
 /*
  * Manager functions
  */
+/*% create manager */
 isc_result_t
 ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
 		      ns_lwresd_t **lwresdp);
 
+/*% attach to manager */
 void
 ns_lwdmanager_attach(ns_lwresd_t *source, ns_lwresd_t **targetp);
 
+/*% detach from manager */
 void
 ns_lwdmanager_detach(ns_lwresd_t **lwresdp);
 
 /*
  * Listener functions
  */
+/*% attach to listener */
 void
 ns_lwreslistener_attach(ns_lwreslistener_t *source,
 			ns_lwreslistener_t **targetp);
 
+/*% detach from lister */
 void
 ns_lwreslistener_detach(ns_lwreslistener_t **listenerp);
 
+/*% link client manager */
 void
 ns_lwreslistener_unlinkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm);
 
+/*% unlink client manager */
 void
 ns_lwreslistener_linkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm);
 
diff --git a/contrib/bind9/bin/named/include/named/lwsearch.h b/contrib/bind9/bin/named/include/named/lwsearch.h
index a864a89..b85e401 100644
--- a/contrib/bind9/bin/named/include/named/lwsearch.h
+++ b/contrib/bind9/bin/named/include/named/lwsearch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwsearch.h,v 1.4.208.1 2004/03/06 10:21:25 marka Exp $ */
+/* $Id: lwsearch.h,v 1.5.18.2 2005/04/29 00:15:36 marka Exp $ */
 
 #ifndef NAMED_LWSEARCH_H
 #define NAMED_LWSEARCH_H 1
@@ -28,7 +28,8 @@
 
 #include <named/types.h>
 
-/*
+/*! \file
+ * \brief
  * Lightweight resolver search list types and routines.
  *
  * An ns_lwsearchlist_t holds a list of search path elements.
@@ -37,6 +38,7 @@
  * operation.
  */
 
+/*% An ns_lwsearchlist_t holds a list of search path elements. */
 struct ns_lwsearchlist {
 	unsigned int magic;
 
@@ -45,7 +47,7 @@ struct ns_lwsearchlist {
 	unsigned int refs;
 	dns_namelist_t names;
 };
-
+/*% An ns_lwsearchctx stores the state of search list during a lookup operation. */
 struct ns_lwsearchctx {
 	dns_name_t *relname;
 	dns_name_t *searchname;
@@ -57,51 +59,51 @@ struct ns_lwsearchctx {
 
 isc_result_t
 ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp);
-/*
+/*%<
  * Create an empty search list object.
  */
 
 void
 ns_lwsearchlist_attach(ns_lwsearchlist_t *source, ns_lwsearchlist_t **target);
-/*
+/*%<
  * Attach to a search list object.
  */
 
 void
 ns_lwsearchlist_detach(ns_lwsearchlist_t **listp);
-/*
+/*%<
  * Detach from a search list object.
  */
 
 isc_result_t
 ns_lwsearchlist_append(ns_lwsearchlist_t *list, dns_name_t *name);
-/*
+/*%<
  * Append an element to a search list.  This creates a copy of the name.
  */
 
 void
 ns_lwsearchctx_init(ns_lwsearchctx_t *sctx, ns_lwsearchlist_t *list,
 		    dns_name_t *name, unsigned int ndots);
-/*
+/*%<
  * Creates a search list context structure.
  */
 
 void
 ns_lwsearchctx_first(ns_lwsearchctx_t *sctx);
-/*
+/*%<
  * Moves the search list context iterator to the first element, which
  * is usually the exact name.
  */
 
 isc_result_t
 ns_lwsearchctx_next(ns_lwsearchctx_t *sctx);
-/*
+/*%<
  * Moves the search list context iterator to the next element.
  */
 
 isc_result_t
 ns_lwsearchctx_current(ns_lwsearchctx_t *sctx, dns_name_t *absname);
-/*
+/*%<
  * Obtains the current name to be looked up.  This involves either
  * concatenating the name with a search path element, making an
  * exact name absolute, or doing nothing.
diff --git a/contrib/bind9/bin/named/include/named/main.h b/contrib/bind9/bin/named/include/named/main.h
index e37b519..dd4fe8c 100644
--- a/contrib/bind9/bin/named/include/named/main.h
+++ b/contrib/bind9/bin/named/include/named/main.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.h,v 1.8.2.2.8.4 2004/03/08 04:04:21 marka Exp $ */
+/* $Id: main.h,v 1.11.18.2 2005/04/29 00:15:37 marka Exp $ */
 
 #ifndef NAMED_MAIN_H
 #define NAMED_MAIN_H 1
 
+/*! \file */
+
 void
 ns_main_earlyfatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 
diff --git a/contrib/bind9/bin/named/include/named/notify.h b/contrib/bind9/bin/named/include/named/notify.h
index 3cb1d85..106d70c 100644
--- a/contrib/bind9/bin/named/include/named/notify.h
+++ b/contrib/bind9/bin/named/include/named/notify.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: notify.h,v 1.9.208.1 2004/03/06 10:21:25 marka Exp $ */
+/* $Id: notify.h,v 1.10.18.2 2005/04/29 00:15:37 marka Exp $ */
 
 #ifndef NAMED_NOTIFY_H
 #define NAMED_NOTIFY_H 1
@@ -27,8 +27,9 @@
  ***	Module Info
  ***/
 
-/*
- *	RFC 1996
+/*! \file
+ * \brief
+ *	RFC1996
  *	A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
  */
 
@@ -39,7 +40,7 @@
 void
 ns_notify_start(ns_client_t *client);
 
-/*
+/*%<
  *	Examines the incoming message to determine apporiate zone.
  *	Returns FORMERR if there is not exactly one question.
  *	Returns REFUSED if we do not serve the listed zone.
@@ -47,7 +48,7 @@ ns_notify_start(ns_client_t *client);
  *	and returns the return status.
  *
  * Requires
- *	client to be valid.
+ *\li	client to be valid.
  */
 
 #endif /* NAMED_NOTIFY_H */
diff --git a/contrib/bind9/bin/named/include/named/ns_smf_globals.h b/contrib/bind9/bin/named/include/named/ns_smf_globals.h
index 49aa31d..06df2ba 100644
--- a/contrib/bind9/bin/named/include/named/ns_smf_globals.h
+++ b/contrib/bind9/bin/named/include/named/ns_smf_globals.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ns_smf_globals.h,v 1.2.4.4 2005/05/13 01:22:33 marka Exp $ */
+/* $Id: ns_smf_globals.h,v 1.2.2.4 2005/05/13 01:32:46 marka Exp $ */
 
 #ifndef NS_SMF_GLOBALS_H
 #define NS_SMF_GLOBALS_H 1
diff --git a/contrib/bind9/bin/named/include/named/query.h b/contrib/bind9/bin/named/include/named/query.h
index 6f348d5..741212f 100644
--- a/contrib/bind9/bin/named/include/named/query.h
+++ b/contrib/bind9/bin/named/include/named/query.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.h,v 1.28.2.3.8.6 2004/03/08 04:04:21 marka Exp $ */
+/* $Id: query.h,v 1.36.18.2 2005/04/29 00:15:37 marka Exp $ */
 
 #ifndef NAMED_QUERY_H
 #define NAMED_QUERY_H 1
 
+/*! \file */
+
 #include <isc/types.h>
 #include <isc/buffer.h>
 #include <isc/netaddr.h>
@@ -28,6 +30,7 @@
 
 #include <named/types.h>
 
+/*% nameserver database version structure */
 typedef struct ns_dbversion {
 	dns_db_t			*db;
 	dns_dbversion_t			*version;
@@ -35,6 +38,7 @@ typedef struct ns_dbversion {
 	ISC_LINK(struct ns_dbversion)	link;
 } ns_dbversion_t;
 
+/*% nameserver query structure */
 struct ns_query {
 	unsigned int			attributes;
 	unsigned int			restarts;
diff --git a/contrib/bind9/bin/named/include/named/server.h b/contrib/bind9/bin/named/include/named/server.h
index 37526c0..54d1dae 100644
--- a/contrib/bind9/bin/named/include/named/server.h
+++ b/contrib/bind9/bin/named/include/named/server.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.58.2.1.10.13 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: server.h,v 1.73.18.8 2006/03/09 23:46:20 marka Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
 
+/*! \file */
+
 #include <isc/log.h>
 #include <isc/sockaddr.h>
 #include <isc/magic.h>
@@ -35,7 +37,7 @@
 #define NS_EVENT_RELOAD		(NS_EVENTCLASS + 0)
 #define NS_EVENT_CLIENTCONTROL	(NS_EVENTCLASS + 1)
 
-/*
+/*%
  * Name server state.  Better here than in lots of separate global variables.
  */
 struct ns_server {
@@ -49,18 +51,18 @@ struct ns_server {
 	isc_quota_t		tcpquota;
 	isc_quota_t		recursionquota;
 	dns_acl_t		*blackholeacl;
-	char *			statsfile;	/* Statistics file name */
-	char *			dumpfile;	/* Dump file name */
-	char *			recfile;	/* Recursive file name */
-	isc_boolean_t		version_set;	/* User has set version */
-	char *			version;	/* User-specified version */
-	isc_boolean_t		hostname_set;	/* User has set hostname */
-	char *			hostname;	/* User-specified hostname */
-	/* Use hostname for server id */
+	char *			statsfile;	/*%< Statistics file name */
+	char *			dumpfile;	/*%< Dump file name */
+	char *			recfile;	/*%< Recursive file name */
+	isc_boolean_t		version_set;	/*%< User has set version */
+	char *			version;	/*%< User-specified version */
+	isc_boolean_t		hostname_set;	/*%< User has set hostname */
+	char *			hostname;	/*%< User-specified hostname */
+	/*% Use hostname for server id */
 	isc_boolean_t		server_usehostname;
-	char *			server_id;	/* User-specified server id */
+	char *			server_id;	/*%< User-specified server id */
 
-        /*
+        /*%
 	 * Current ACL environment.  This defines the
 	 * current values of the localhost and localnets
 	 * ACLs.
@@ -77,6 +79,8 @@ struct ns_server {
 
 	isc_timer_t *		interface_timer;
 	isc_timer_t *		heartbeat_timer;
+	isc_timer_t *		pps_timer;
+
 	isc_uint32_t		interface_interval;
 	isc_uint32_t		heartbeat_interval;
 
@@ -84,14 +88,15 @@ struct ns_server {
 	isc_event_t *		reload_event;
 
 	isc_boolean_t		flushonshutdown;
-	isc_boolean_t		log_queries;	/* For BIND 8 compatibility */
+	isc_boolean_t		log_queries;	/*%< For BIND 8 compatibility */
 
-	isc_uint64_t *		querystats;	/* Query statistics counters */
+	isc_uint64_t *		querystats;	/*%< Query statistics counters */
 
-	ns_controls_t *		controls;	/* Control channels */
+	ns_controls_t *		controls;	/*%< Control channels */
 	unsigned int		dispatchgen;
 	ns_dispatchlist_t	dispatches;
-						
+
+	dns_acache_t		*acache;
 };
 
 #define NS_SERVER_MAGIC			ISC_MAGIC('S','V','E','R')
@@ -99,7 +104,7 @@ struct ns_server {
 
 void
 ns_server_create(isc_mem_t *mctx, ns_server_t **serverp);
-/*
+/*%<
  * Create a server object with default settings.
  * This function either succeeds or causes the program to exit
  * with a fatal error.
@@ -107,13 +112,13 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp);
 
 void
 ns_server_destroy(ns_server_t **serverp);
-/*
+/*%<
  * Destroy a server object, freeing its memory.
  */
 
 void
 ns_server_reloadwanted(ns_server_t *server);
-/*
+/*%<
  * Inform a server that a reload is wanted.  This function
  * may be called asynchronously, from outside the server's task.
  * If a reload is already scheduled or in progress, the call
@@ -122,92 +127,104 @@ ns_server_reloadwanted(ns_server_t *server);
 
 void
 ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush);
-/*
+/*%<
  * Inform the server that the zones should be flushed to disk on shutdown.
  */
 
 isc_result_t
 ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text);
-/*
+/*%<
  * Act on a "reload" command from the command channel.
  */
 
 isc_result_t
 ns_server_reconfigcommand(ns_server_t *server, char *args);
-/*
+/*%<
  * Act on a "reconfig" command from the command channel.
  */
 
 isc_result_t
+ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text);
+/*%<
+ * Act on a "notify" command from the command channel.
+ */
+
+isc_result_t
 ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text);
-/*
+/*%<
  * Act on a "refresh" command from the command channel.
  */
 
 isc_result_t
 ns_server_retransfercommand(ns_server_t *server, char *args);
-/*
+/*%<
  * Act on a "retransfer" command from the command channel.
  */
 
 isc_result_t
 ns_server_togglequerylog(ns_server_t *server);
-/*
+/*%<
  * Toggle logging of queries, as in BIND 8.
  */
 
-/*
+/*%
  * Dump the current statistics to the statistics file.
  */
 isc_result_t
 ns_server_dumpstats(ns_server_t *server);
 
-/*
+/*%
  * Dump the current cache to the dump file.
  */
 isc_result_t
 ns_server_dumpdb(ns_server_t *server, char *args);
 
-/*
+/*%
  * Change or increment the server debug level.
  */
 isc_result_t
 ns_server_setdebuglevel(ns_server_t *server, char *args);
 
-/*
+/*%
  * Flush the server's cache(s)
  */
 isc_result_t
 ns_server_flushcache(ns_server_t *server, char *args);
 
-/*
+/*%
  * Flush a particular name from the server's cache(s)
  */
 isc_result_t
 ns_server_flushname(ns_server_t *server, char *args);
 
-/*
+/*%
  * Report the server's status.
  */
 isc_result_t
 ns_server_status(ns_server_t *server, isc_buffer_t *text);
 
-/*
+/*%
  * Enable or disable updates for a zone.
  */
 isc_result_t
 ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args);
 
-/*
+/*%
  * Dump the current recursive queries.
  */
 isc_result_t
 ns_server_dumprecursing(ns_server_t *server);
 
-/*
+/*%
  * Maintain a list of dispatches that require reserved ports.
  */
 void
 ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
 
+/*%
+ * Enable or disable dnssec validation.
+ */
+isc_result_t
+ns_server_validation(ns_server_t *server, char *args);
+
 #endif /* NAMED_SERVER_H */
diff --git a/contrib/bind9/bin/named/include/named/sortlist.h b/contrib/bind9/bin/named/include/named/sortlist.h
index 9966686..f849be2 100644
--- a/contrib/bind9/bin/named/include/named/sortlist.h
+++ b/contrib/bind9/bin/named/include/named/sortlist.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,22 +15,24 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.h,v 1.4.208.3 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: sortlist.h,v 1.5.18.4 2006/03/02 00:37:21 marka Exp $ */
 
 #ifndef NAMED_SORTLIST_H
 #define NAMED_SORTLIST_H 1
 
+/*! \file */
+
 #include <isc/types.h>
 
 #include <dns/types.h>
 
-/*
+/*%
  * Type for callback functions that rank addresses.
  */
 typedef int 
 (*dns_addressorderfunc_t)(const isc_netaddr_t *address, const void *arg);
 
-/*
+/*%
  * Return value type for setup_sortlist.
  */
 typedef enum {
@@ -42,7 +44,7 @@ typedef enum {
 ns_sortlisttype_t
 ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
 		  const void **argp);
-/*
+/*%<
  * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
  *
  * If a 1-element sortlist item applies, return NS_SORTLISTTYPE_1ELEMENT and
@@ -57,14 +59,14 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
 
 int
 ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg);
-/*
+/*%<
  * Find the sort order of 'addr' in 'arg', the matching element
  * of a 1-element top-level sortlist statement.
  */
 
 int
 ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg);
-/*
+/*%<
  * Find the sort order of 'addr' in 'arg', a topology-like
  * ACL forming the second element in a 2-element top-level
  * sortlist statement.
@@ -74,7 +76,7 @@ void
 ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
 			dns_addressorderfunc_t *orderp,
 			const void **argp);
-/*
+/*%<
  * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
  * If a sortlist statement applies, return in '*orderp' a pointer to a function
  * for ranking network addresses based on that sortlist statement, and in
diff --git a/contrib/bind9/bin/named/include/named/tkeyconf.h b/contrib/bind9/bin/named/include/named/tkeyconf.h
index ac72f3e..946944d 100644
--- a/contrib/bind9/bin/named/include/named/tkeyconf.h
+++ b/contrib/bind9/bin/named/include/named/tkeyconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.h,v 1.9.208.3 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: tkeyconf.h,v 1.10.18.4 2006/03/02 00:37:21 marka Exp $ */
 
 #ifndef NS_TKEYCONF_H
 #define NS_TKEYCONF_H 1
 
+/*! \file */
+
 #include <isc/types.h>
 #include <isc/lang.h>
 
@@ -30,20 +32,20 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
 		      isc_entropy_t *ectx, dns_tkeyctx_t **tctxp);
-/*
+/*%<
  * 	Create a TKEY context and configure it, including the default DH key
  *	and default domain, according to 'options'.
  *
  *	Requires:
- *		'cfg' is a valid configuration options object.
- *		'mctx' is not NULL
- *		'ectx' is not NULL
- *		'tctx' is not NULL
- *		'*tctx' is NULL
+ *\li		'cfg' is a valid configuration options object.
+ *\li		'mctx' is not NULL
+ *\li		'ectx' is not NULL
+ *\li		'tctx' is not NULL
+ *\li		'*tctx' is NULL
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		ISC_R_NOMEMORY
+ *\li		ISC_R_SUCCESS
+ *\li		ISC_R_NOMEMORY
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/bin/named/include/named/tsigconf.h b/contrib/bind9/bin/named/include/named/tsigconf.h
index fcb415e..a18eede 100644
--- a/contrib/bind9/bin/named/include/named/tsigconf.h
+++ b/contrib/bind9/bin/named/include/named/tsigconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.h,v 1.9.208.3 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: tsigconf.h,v 1.10.18.4 2006/03/02 00:37:21 marka Exp $ */
 
 #ifndef NS_TSIGCONF_H
 #define NS_TSIGCONF_H 1
 
+/*! \file */
+
 #include <isc/types.h>
 #include <isc/lang.h>
 
@@ -28,18 +30,18 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			  isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
-/*
+/*%<
  * Create a TSIG key ring and configure it according to the 'key'
  * statements in the global and view configuration objects.
  *
  *	Requires:
- *		'config' is not NULL.
- *		'mctx' is not NULL
- *		'ring' is not NULL, and '*ring' is NULL
+ *	\li	'config' is not NULL.
+ *	\li	'mctx' is not NULL
+ *	\li	'ring' is not NULL, and '*ring' is NULL
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		ISC_R_NOMEMORY
+ *	\li	ISC_R_SUCCESS
+ *	\li	ISC_R_NOMEMORY
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/bin/named/include/named/types.h b/contrib/bind9/bin/named/include/named/types.h
index eb44c53..abc25d5 100644
--- a/contrib/bind9/bin/named/include/named/types.h
+++ b/contrib/bind9/bin/named/include/named/types.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.19.208.2 2004/03/06 10:21:26 marka Exp $ */
+/* $Id: types.h,v 1.21.18.2 2005/04/29 00:15:38 marka Exp $ */
 
 #ifndef NAMED_TYPES_H
 #define NAMED_TYPES_H 1
 
+/*! \file */
+
 #include <dns/types.h>
 
 typedef struct ns_client		ns_client_t;
diff --git a/contrib/bind9/bin/named/include/named/update.h b/contrib/bind9/bin/named/include/named/update.h
index 4c97235..37daa95 100644
--- a/contrib/bind9/bin/named/include/named/update.h
+++ b/contrib/bind9/bin/named/include/named/update.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.h,v 1.8.208.1 2004/03/06 10:21:26 marka Exp $ */
+/* $Id: update.h,v 1.9.18.2 2005/04/29 00:15:39 marka Exp $ */
 
 #ifndef NAMED_UPDATE_H
 #define NAMED_UPDATE_H 1
@@ -24,7 +24,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * RFC2136 Dynamic Update
  */
 
diff --git a/contrib/bind9/bin/named/include/named/xfrout.h b/contrib/bind9/bin/named/include/named/xfrout.h
index e96ff31..82e0e66 100644
--- a/contrib/bind9/bin/named/include/named/xfrout.h
+++ b/contrib/bind9/bin/named/include/named/xfrout.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrout.h,v 1.7.208.1 2004/03/06 10:21:27 marka Exp $ */
+/* $Id: xfrout.h,v 1.8.18.2 2005/04/29 00:15:39 marka Exp $ */
 
 #ifndef NAMED_XFROUT_H
 #define NAMED_XFROUT_H 1
@@ -24,7 +24,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file 
+ * \brief
  * Outgoing zone transfers (AXFR + IXFR).
  */
 
diff --git a/contrib/bind9/bin/named/include/named/zoneconf.h b/contrib/bind9/bin/named/include/named/zoneconf.h
index 3e63053..61737a2 100644
--- a/contrib/bind9/bin/named/include/named/zoneconf.h
+++ b/contrib/bind9/bin/named/include/named/zoneconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,25 +15,26 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.h,v 1.16.2.2.8.3 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: zoneconf.h,v 1.19.18.5 2006/03/02 00:37:21 marka Exp $ */
 
 #ifndef NS_ZONECONF_H
 #define NS_ZONECONF_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/types.h>
 
+#include <isccfg/aclconf.h>
 #include <isccfg/cfg.h>
 
-#include <named/aclconf.h>
-
 ISC_LANG_BEGINDECLS
 
 isc_result_t
 ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
-		  const cfg_obj_t *zconfig, ns_aclconfctx_t *ac,
+		  const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
 		  dns_zone_t *zone);
-/*
+/*%<
  * Configure or reconfigure a zone according to the named.conf
  * data in 'cctx' and 'czone'.
  *
@@ -41,16 +42,16 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
  * at zone creation time.
  *
  * Require:
- *	'lctx' to be initialized or NULL.
- *	'cctx' to be initialized or NULL.
- *	'ac' to point to an initialized ns_aclconfctx_t.
- *	'czone' to be initialized.
- *	'zone' to be initialized.
+ * \li	'lctx' to be initialized or NULL.
+ * \li	'cctx' to be initialized or NULL.
+ * \li	'ac' to point to an initialized ns_aclconfctx_t.
+ * \li	'czone' to be initialized.
+ * \li	'zone' to be initialized.
  */
 
 isc_boolean_t
 ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
-/*
+/*%<
  * If 'zone' can be safely reconfigured according to the configuration
  * data in 'zconfig', return ISC_TRUE.  If the configuration data is so
  * different from the current zone state that the zone needs to be destroyed
diff --git a/contrib/bind9/bin/named/interfacemgr.c b/contrib/bind9/bin/named/interfacemgr.c
index a341056..db41031 100644
--- a/contrib/bind9/bin/named/interfacemgr.c
+++ b/contrib/bind9/bin/named/interfacemgr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfacemgr.c,v 1.59.2.5.8.18 2006/07/19 00:16:28 marka Exp $ */
+/* $Id: interfacemgr.c,v 1.76.18.8 2006/07/20 01:10:30 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -37,24 +39,29 @@
 #define IFMGR_COMMON_LOGARGS \
 	ns_g_lctx, NS_LOGCATEGORY_NETWORK, NS_LOGMODULE_INTERFACEMGR
 
+/*% nameserver interface manager structure */
 struct ns_interfacemgr {
-	unsigned int		magic;		/* Magic number. */
+	unsigned int		magic;		/*%< Magic number. */
 	int			references;
 	isc_mutex_t		lock;
-	isc_mem_t *		mctx;		/* Memory context. */
-	isc_taskmgr_t *		taskmgr;	/* Task manager. */
-	isc_socketmgr_t *	socketmgr;	/* Socket manager. */
+	isc_mem_t *		mctx;		/*%< Memory context. */
+	isc_taskmgr_t *		taskmgr;	/*%< Task manager. */
+	isc_socketmgr_t *	socketmgr;	/*%< Socket manager. */
 	dns_dispatchmgr_t *	dispatchmgr;
-	unsigned int		generation;	/* Current generation no. */
+	unsigned int		generation;	/*%< Current generation no. */
 	ns_listenlist_t *	listenon4;
 	ns_listenlist_t *	listenon6;
-	dns_aclenv_t		aclenv;		/* Localhost/localnets ACLs */
-	ISC_LIST(ns_interface_t) interfaces;	/* List of interfaces. */
+	dns_aclenv_t		aclenv;		/*%< Localhost/localnets ACLs */
+	ISC_LIST(ns_interface_t) interfaces;	/*%< List of interfaces. */
+	ISC_LIST(isc_sockaddr_t) listenon;
 };
 
 static void
 purge_old_interfaces(ns_interfacemgr_t *mgr);
 
+static void
+clearlistenon(ns_interfacemgr_t *mgr);
+
 isc_result_t
 ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 		       isc_socketmgr_t *socketmgr,
@@ -85,6 +92,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	mgr->listenon6 = NULL;
 	
 	ISC_LIST_INIT(mgr->interfaces);
+	ISC_LIST_INIT(mgr->listenon);
 
 	/*
 	 * The listen-on lists are initially empty.
@@ -117,6 +125,7 @@ ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) {
 	dns_aclenv_destroy(&mgr->aclenv);
 	ns_listenlist_detach(&mgr->listenon4);
 	ns_listenlist_detach(&mgr->listenon6);
+	clearlistenon(mgr);
 	DESTROYLOCK(&mgr->lock);
 	mgr->magic = 0;
 	isc_mem_put(mgr->mctx, mgr, sizeof(*mgr));
@@ -158,7 +167,7 @@ void
 ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) {
 	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
 
-	/*
+	/*%
 	 * Shut down and detach all interfaces.
 	 * By incrementing the generation count, we make purge_old_interfaces()
 	 * consider all interfaces "old".
@@ -432,7 +441,7 @@ ns_interface_detach(ns_interface_t **targetp) {
 	*targetp = NULL;
 }
 
-/*
+/*%
  * Search the interface list for an interface whose address and port
  * both match those of 'addr'.  Return a pointer to it, or NULL if not found.
  */
@@ -447,7 +456,7 @@ find_matching_interface(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) {
 	return (ifp);
 }
 
-/*
+/*%
  * Remove any interfaces whose generation number is not the current one.
  */
 static void
@@ -537,6 +546,43 @@ setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) {
 	return (ISC_R_SUCCESS);
 }
 
+static void
+setup_listenon(ns_interfacemgr_t *mgr, isc_interface_t *interface,
+	       in_port_t port)
+{ 
+	isc_sockaddr_t *addr;
+	isc_sockaddr_t *old;
+
+	addr = isc_mem_get(mgr->mctx, sizeof(*addr));
+	if (addr == NULL)
+		return;
+
+	isc_sockaddr_fromnetaddr(addr, &interface->address, port);
+
+	for (old = ISC_LIST_HEAD(mgr->listenon);
+	     old != NULL;
+	     old = ISC_LIST_NEXT(old, link))
+		if (isc_sockaddr_equal(addr, old))
+			break;	
+
+	if (old != NULL)
+		isc_mem_put(mgr->mctx, addr, sizeof(*addr));
+	else
+		ISC_LIST_APPEND(mgr->listenon, addr, link);
+}
+
+static void
+clearlistenon(ns_interfacemgr_t *mgr) {
+	isc_sockaddr_t *old;
+
+	old = ISC_LIST_HEAD(mgr->listenon);
+	while (old != NULL) {
+		ISC_LIST_UNLINK(mgr->listenon, old, link);
+		isc_mem_put(mgr->mctx, old, sizeof(*old));
+		old = ISC_LIST_HEAD(mgr->listenon);
+	}
+}
+
 static isc_result_t
 do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
 	isc_boolean_t verbose)
@@ -553,6 +599,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
 	isc_sockaddr_t listen_addr;
 	ns_interface_t *ifp;
 	isc_boolean_t log_explicit = ISC_FALSE;
+	isc_boolean_t dolistenon;
 
 	if (ext_listen != NULL)
 		adjusting = ISC_TRUE;
@@ -643,6 +690,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
 		result = clearacl(mgr->mctx, &mgr->aclenv.localnets);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup_iter;
+		clearlistenon(mgr);
 	}
 
 	for (result = isc_interfaceiter_first(iter);
@@ -688,6 +736,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
 		}
 
 		ll = (family == AF_INET) ? mgr->listenon4 : mgr->listenon6;
+		dolistenon = ISC_TRUE;
 		for (le = ISC_LIST_HEAD(ll->elts);
 		     le != NULL;
 		     le = ISC_LIST_NEXT(le, link))
@@ -723,6 +772,11 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
 			if (match <= 0)
 				continue;
 
+			if (adjusting == ISC_FALSE && dolistenon == ISC_TRUE) {
+				setup_listenon(mgr, &interface, le->port);
+				dolistenon = ISC_FALSE;
+			}
+
 			/*
 			 * The case of "any" IPv6 address will require
 			 * special considerations later, so remember it.
@@ -909,3 +963,16 @@ ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr) {
 	}
 	UNLOCK(&mgr->lock);
 }
+
+isc_boolean_t
+ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) {
+	isc_sockaddr_t *old;
+
+	old = ISC_LIST_HEAD(mgr->listenon);
+	for (old = ISC_LIST_HEAD(mgr->listenon);
+	     old != NULL;
+	     old = ISC_LIST_NEXT(old, link))
+		if (isc_sockaddr_equal(old, addr))
+			return (ISC_TRUE);
+	return (ISC_FALSE);
+}
diff --git a/contrib/bind9/bin/named/listenlist.c b/contrib/bind9/bin/named/listenlist.c
index bba164f..7e70ac9 100644
--- a/contrib/bind9/bin/named/listenlist.c
+++ b/contrib/bind9/bin/named/listenlist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: listenlist.c,v 1.9.208.1 2004/03/06 10:21:18 marka Exp $ */
+/* $Id: listenlist.c,v 1.10.18.2 2005/04/29 00:15:22 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/bin/named/log.c b/contrib/bind9/bin/named/log.c
index 9032af7..af75bab 100644
--- a/contrib/bind9/bin/named/log.c
+++ b/contrib/bind9/bin/named/log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.33.2.1.10.6 2005/05/24 23:58:17 marka Exp $ */
+/* $Id: log.c,v 1.37.18.6 2006/06/09 00:54:08 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -29,9 +31,10 @@
 #define ISC_FACILITY LOG_DAEMON
 #endif
 
-/*
+/*%
  * When adding a new category, be sure to add the appropriate
- * #define to <named/log.h>.
+ * #define to <named/log.h> and to update the list in
+ * bin/check/check-tool.c.
  */
 static isc_logcategory_t categories[] = {
 	{ "",		 		0 },
@@ -44,7 +47,7 @@ static isc_logcategory_t categories[] = {
 	{ NULL, 			0 }
 };
 
-/*
+/*%
  * When adding a new module, be sure to add the appropriate
  * #define to <dns/log.h>.
  */
@@ -78,6 +81,9 @@ ns_log_init(isc_boolean_t safe) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
+	/*
+	 * named-checktool.c:setup_logging() needs to be kept in sync.
+	 */
 	isc_log_registercategories(ns_g_lctx, ns_g_categories);
 	isc_log_registermodules(ns_g_lctx, ns_g_modules);
 	isc_log_setcontext(ns_g_lctx);
diff --git a/contrib/bind9/bin/named/logconf.c b/contrib/bind9/bin/named/logconf.c
index 1bf3b55..ce815f4 100644
--- a/contrib/bind9/bin/named/logconf.c
+++ b/contrib/bind9/bin/named/logconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.c,v 1.30.2.3.10.4 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: logconf.c,v 1.35.18.5 2006/03/02 00:37:21 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -36,7 +38,7 @@
 	       if (result != ISC_R_SUCCESS) goto cleanup; 	 \
 	} while (0)
 
-/*
+/*%
  * Set up a logging category according to the named.conf data
  * in 'ccat' and add it to 'lctx'.
  */
@@ -84,7 +86,7 @@ category_fromconf(const cfg_obj_t *ccat, isc_logconfig_t *lctx) {
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * Set up a logging channel according to the named.conf data
  * in 'cchan' and add it to 'lctx'.
  */
diff --git a/contrib/bind9/bin/named/lwaddr.c b/contrib/bind9/bin/named/lwaddr.c
index 1bd8d82..78c2b0b 100644
--- a/contrib/bind9/bin/named/lwaddr.c
+++ b/contrib/bind9/bin/named/lwaddr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwaddr.c,v 1.3.208.1 2004/03/06 10:21:18 marka Exp $ */
+/* $Id: lwaddr.c,v 1.4.18.2 2005/04/29 00:15:23 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -29,7 +31,7 @@
 
 #include <named/lwaddr.h>
 
-/*
+/*%
  * Convert addresses from lwres to isc format.
  */
 isc_result_t
@@ -63,7 +65,7 @@ lwaddr_sockaddr_fromlwresaddr(isc_sockaddr_t *sa, lwres_addr_t *la,
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * Convert addresses from isc to lwres format.
  */
 
diff --git a/contrib/bind9/bin/named/lwdclient.c b/contrib/bind9/bin/named/lwdclient.c
index 7975a49..68069ed 100644
--- a/contrib/bind9/bin/named/lwdclient.c
+++ b/contrib/bind9/bin/named/lwdclient.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdclient.c,v 1.13.12.5 2004/03/08 09:04:15 marka Exp $ */
+/* $Id: lwdclient.c,v 1.17.18.2 2005/04/29 00:15:23 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/bin/named/lwderror.c b/contrib/bind9/bin/named/lwderror.c
index 51cecf0..db25824 100644
--- a/contrib/bind9/bin/named/lwderror.c
+++ b/contrib/bind9/bin/named/lwderror.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwderror.c,v 1.7.208.1 2004/03/06 10:21:18 marka Exp $ */
+/* $Id: lwderror.c,v 1.8.18.2 2005/04/29 00:15:24 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -25,7 +27,7 @@
 #include <named/types.h>
 #include <named/lwdclient.h>
 
-/*
+/*%
  * Generate an error packet for the client, schedule a send, and put us in
  * the SEND state.
  *
diff --git a/contrib/bind9/bin/named/lwdgabn.c b/contrib/bind9/bin/named/lwdgabn.c
index 539c25b..454d4df 100644
--- a/contrib/bind9/bin/named/lwdgabn.c
+++ b/contrib/bind9/bin/named/lwdgabn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgabn.c,v 1.13.12.5 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: lwdgabn.c,v 1.15.18.5 2006/03/02 00:37:21 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -47,7 +49,7 @@ static isc_result_t start_find(ns_lwdclient_t *);
 static void restart_find(ns_lwdclient_t *);
 static void init_gabn(ns_lwdclient_t *);
 
-/*
+/*%
  * Destroy any finds.  This can be used to "start over from scratch" and
  * should only be called when events are _not_ being generated by the finds.
  */
@@ -432,7 +434,7 @@ restart_find(ns_lwdclient_t *client) {
 				    client->clientmgr->task,
 				    process_gabn_finddone, client,
 				    dns_fixedname_name(&client->target_name),
-				    dns_rootname, options, 0,
+				    dns_rootname, 0, options, 0,
 				    dns_fixedname_name(&client->target_name),
 				    client->clientmgr->view->dstport,
 				    &client->find);
diff --git a/contrib/bind9/bin/named/lwdgnba.c b/contrib/bind9/bin/named/lwdgnba.c
index 21ef804..a500d27 100644
--- a/contrib/bind9/bin/named/lwdgnba.c
+++ b/contrib/bind9/bin/named/lwdgnba.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgnba.c,v 1.13.2.1.2.5 2004/03/08 04:04:19 marka Exp $ */
+/* $Id: lwdgnba.c,v 1.16.18.2 2005/04/29 00:15:24 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/bin/named/lwdgrbn.c b/contrib/bind9/bin/named/lwdgrbn.c
index 3ad9e9e..c1b2b1e 100644
--- a/contrib/bind9/bin/named/lwdgrbn.c
+++ b/contrib/bind9/bin/named/lwdgrbn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgrbn.c,v 1.11.208.5 2006/01/04 23:50:19 marka Exp $ */
+/* $Id: lwdgrbn.c,v 1.13.18.5 2006/12/07 23:57:58 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -183,8 +185,6 @@ iterate_node(lwres_grbnresponse_t *grbn, dns_db_t *db, dns_dbnode_t *node,
 		isc_mem_put(mctx, oldlens, oldsize * sizeof(*oldlens));
 	if (newrdatas != NULL)
 		isc_mem_put(mctx, newrdatas, used * sizeof(*oldrdatas));
-	if (newlens != NULL)
-		isc_mem_put(mctx, newlens, used * sizeof(*oldlens));
 	return (result);
 }
 
diff --git a/contrib/bind9/bin/named/lwdnoop.c b/contrib/bind9/bin/named/lwdnoop.c
index 30d95ee..fa591b4 100644
--- a/contrib/bind9/bin/named/lwdnoop.c
+++ b/contrib/bind9/bin/named/lwdnoop.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdnoop.c,v 1.6.208.1 2004/03/06 10:21:19 marka Exp $ */
+/* $Id: lwdnoop.c,v 1.7.18.2 2005/04/29 00:15:25 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/bin/named/lwresd.8 b/contrib/bind9/bin/named/lwresd.8
index 1333a5d..7275d29 100644
--- a/contrib/bind9/bin/named/lwresd.8
+++ b/contrib/bind9/bin/named/lwresd.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwresd.8,v 1.13.208.6 2006/06/29 13:02:30 marka Exp $
+.\" $Id: lwresd.8,v 1.15.18.10 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwresd
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: June 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -60,42 +60,57 @@ entries are present, or if forwarding fails,
 \fBlwresd\fR
 resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \-C \fIconfig\-file\fR
+.RS 4
 Use
 \fIconfig\-file\fR
 as the configuration file instead of the default,
 \fI/etc/resolv.conf\fR.
-.TP 3n
+.RE
+.PP
 \-d \fIdebug\-level\fR
+.RS 4
 Set the daemon's debug level to
 \fIdebug\-level\fR. Debugging traces from
 \fBlwresd\fR
 become more verbose as the debug level increases.
-.TP 3n
+.RE
+.PP
 \-f
+.RS 4
 Run the server in the foreground (i.e. do not daemonize).
-.TP 3n
+.RE
+.PP
 \-g
+.RS 4
 Run the server in the foreground and force all logging to
 \fIstderr\fR.
-.TP 3n
+.RE
+.PP
 \-n \fI#cpus\fR
+.RS 4
 Create
 \fI#cpus\fR
 worker threads to take advantage of multiple CPUs. If not specified,
 \fBlwresd\fR
 will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.TP 3n
+.RE
+.PP
 \-P \fIport\fR
+.RS 4
 Listen for lightweight resolver queries on port
 \fIport\fR. If not specified, the default is port 921.
-.TP 3n
+.RE
+.PP
 \-p \fIport\fR
+.RS 4
 Send DNS lookups to port
 \fIport\fR. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non\-standard port number.
-.TP 3n
+.RE
+.PP
 \-s
+.RS 4
 Write memory usage statistics to
 \fIstdout\fR
 on exit.
@@ -103,8 +118,10 @@ on exit.
 .B "Note:"
 This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
 .RE
-.TP 3n
+.RE
+.PP
 \-t \fIdirectory\fR
+.RS 4
 \fBchroot()\fR
 to
 \fIdirectory\fR
@@ -117,22 +134,31 @@ option, as chrooting a process running as root doesn't enhance security on most
 \fBchroot()\fR
 is defined allows a process with root privileges to escape a chroot jail.
 .RE
-.TP 3n
+.RE
+.PP
 \-u \fIuser\fR
+.RS 4
 \fBsetuid()\fR
 to
 \fIuser\fR
 after completing privileged operations, such as creating sockets that listen on privileged ports.
-.TP 3n
+.RE
+.PP
 \-v
+.RS 4
 Report the version number and exit.
+.RE
 .SH "FILES"
-.TP 3n
+.PP
 \fI/etc/resolv.conf\fR
+.RS 4
 The default configuration file.
-.TP 3n
+.RE
+.PP
 \fI/var/run/lwresd.pid\fR
+.RS 4
 The default process\-id file.
+.RE
 .SH "SEE ALSO"
 .PP
 \fBnamed\fR(8),
@@ -142,4 +168,7 @@ The default process\-id file.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/bin/named/lwresd.c b/contrib/bind9/bin/named/lwresd.c
index e48822f..a1073fa 100644
--- a/contrib/bind9/bin/named/lwresd.c
+++ b/contrib/bind9/bin/named/lwresd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.c,v 1.37.2.2.2.8 2006/02/28 06:32:53 marka Exp $ */
+/* $Id: lwresd.c,v 1.46.18.7 2006/03/02 00:37:21 marka Exp $ */
 
-/*
+/*! \file 
+ * \brief
  * Main program for the Lightweight Resolver Daemon.
  *
  * To paraphrase the old saying about X11, "It's not a lightweight deamon
@@ -59,11 +60,11 @@
 #define LWRESLISTENER_MAGIC	ISC_MAGIC('L', 'W', 'R', 'L')
 #define VALID_LWRESLISTENER(l)	ISC_MAGIC_VALID(l, LWRESLISTENER_MAGIC)
 
-/*
+/*!
  * The total number of clients we can handle will be NTASKS * NRECVS.
  */
-#define NTASKS		2	/* tasks to create to handle lwres queries */
-#define NRECVS		2	/* max clients per task */
+#define NTASKS		2	/*%< tasks to create to handle lwres queries */
+#define NRECVS		2	/*%< max clients per task */
 
 typedef ISC_LIST(ns_lwreslistener_t) ns_lwreslistenerlist_t;
 
@@ -78,7 +79,7 @@ initialize_mutex(void) {
 }
 
 
-/*
+/*%
  * Wrappers around our memory management stuff, for the lwres functions.
  */
 void *
@@ -511,13 +512,19 @@ listener_create(isc_mem_t *mctx, ns_lwresd_t *lwresd,
 		ns_lwreslistener_t **listenerp)
 {
 	ns_lwreslistener_t *listener;
+	isc_result_t result;
 
 	REQUIRE(listenerp != NULL && *listenerp == NULL);
 
 	listener = isc_mem_get(mctx, sizeof(ns_lwreslistener_t));
 	if (listener == NULL)
 		return (ISC_R_NOMEMORY);
-	RUNTIME_CHECK(isc_mutex_init(&listener->lock) == ISC_R_SUCCESS);
+
+	result = isc_mutex_init(&listener->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, listener, sizeof(ns_lwreslistener_t));
+		return (result);
+	}
 
 	listener->magic = LWRESLISTENER_MAGIC;
 	listener->refs = 1;
diff --git a/contrib/bind9/bin/named/lwresd.docbook b/contrib/bind9/bin/named/lwresd.docbook
index c1f500b..d1eabfa 100644
--- a/contrib/bind9/bin/named/lwresd.docbook
+++ b/contrib/bind9/bin/named/lwresd.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,8 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwresd.docbook,v 1.6.208.4 2005/05/13 01:22:33 marka Exp $ -->
-
+<!-- $Id: lwresd.docbook,v 1.7.18.5 2007/01/29 23:57:20 marka Exp $ -->
 <refentry>
   <refentryinfo>
     <date>June 30, 2000</date>
@@ -31,10 +30,16 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
+  <refnamediv>
+    <refname><application>lwresd</application></refname>
+    <refpurpose>lightweight resolver daemon</refpurpose>
+  </refnamediv>
+
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -44,11 +49,6 @@
     </copyright>
   </docinfo>
 
-  <refnamediv>
-    <refname><application>lwresd</application></refname>
-    <refpurpose>lightweight resolver daemon</refpurpose>
-  </refnamediv>
-
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>lwresd</command>
@@ -69,37 +69,39 @@
 
   <refsect1>
     <title>DESCRIPTION</title>
-    <para>
-	<command>lwresd</command> is the daemon providing name lookup
-	services to clients that use the BIND 9 lightweight resolver
-	library.  It is essentially a stripped-down, caching-only name
-	server that answers queries using the BIND 9 lightweight
-	resolver protocol rather than the DNS protocol.
+
+    <para><command>lwresd</command>
+      is the daemon providing name lookup
+      services to clients that use the BIND 9 lightweight resolver
+      library.  It is essentially a stripped-down, caching-only name
+      server that answers queries using the BIND 9 lightweight
+      resolver protocol rather than the DNS protocol.
     </para>
-    <para>
-	<command>lwresd</command> listens for resolver queries on a
-	UDP port on the IPv4 loopback interface, 127.0.0.1.  This
-	means that <command>lwresd</command> can only be used by
-	processes running on the local machine.  By default UDP port
-	number 921 is used for lightweight resolver requests and
-	responses.
+
+    <para><command>lwresd</command> 
+      listens for resolver queries on a
+      UDP port on the IPv4 loopback interface, 127.0.0.1.  This
+      means that <command>lwresd</command> can only be used by
+      processes running on the local machine.  By default UDP port
+      number 921 is used for lightweight resolver requests and
+      responses.
     </para>
     <para>
-	Incoming lightweight resolver requests are decoded by the
-	server which then resolves them using the DNS protocol.  When
-	the DNS lookup completes, <command>lwresd</command> encodes
-	the answers in the lightweight resolver format and returns
-	them to the client that made the request.
+      Incoming lightweight resolver requests are decoded by the
+      server which then resolves them using the DNS protocol.  When
+      the DNS lookup completes, <command>lwresd</command> encodes
+      the answers in the lightweight resolver format and returns
+      them to the client that made the request.
     </para>
     <para>
-	If <filename>/etc/resolv.conf</filename> contains any
-	<option>nameserver</option> entries, <command>lwresd</command>
-	sends recursive DNS queries to those servers.  This is similar
-	to the use of forwarders in a caching name server.  If no
-	<option>nameserver</option> entries are present, or if
-	forwarding fails, <command>lwresd</command> resolves the
-	queries autonomously starting at the root name servers, using
-	a built-in list of root server hints.
+      If <filename>/etc/resolv.conf</filename> contains any
+      <option>nameserver</option> entries, <command>lwresd</command>
+      sends recursive DNS queries to those servers.  This is similar
+      to the use of forwarders in a caching name server.  If no
+      <option>nameserver</option> entries are present, or if
+      forwarding fails, <command>lwresd</command> resolves the
+      queries autonomously starting at the root name servers, using
+      a built-in list of root server hints.
     </para>
   </refsect1>
 
@@ -108,145 +110,139 @@
 
     <variablelist>
       <varlistentry>
-	<term>-C <replaceable class="parameter">config-file</replaceable></term>
-	<listitem>
-	  <para>
-		Use <replaceable
-		class="parameter">config-file</replaceable> as the
-		configuration file instead of the default,
-		<filename>/etc/resolv.conf</filename>.
+        <term>-C <replaceable class="parameter">config-file</replaceable></term>
+        <listitem>
+          <para>
+            Use <replaceable class="parameter">config-file</replaceable> as the
+            configuration file instead of the default,
+            <filename>/etc/resolv.conf</filename>.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-d <replaceable class="parameter">debug-level</replaceable></term>
-	<listitem>
-	  <para>
-		Set the daemon's debug level to <replaceable
-		class="parameter">debug-level</replaceable>.
-		Debugging traces from <command>lwresd</command> become
-		more verbose as the debug level increases.
+        <term>-d <replaceable class="parameter">debug-level</replaceable></term>
+        <listitem>
+          <para>
+            Set the daemon's debug level to <replaceable class="parameter">debug-level</replaceable>.
+            Debugging traces from <command>lwresd</command> become
+            		more verbose as the debug level increases.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-f</term>
-	<listitem>
-	  <para>
-		Run the server in the foreground (i.e. do not daemonize).
+        <term>-f</term>
+        <listitem>
+          <para>
+            Run the server in the foreground (i.e. do not daemonize).
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-g</term>
-	<listitem>
-	  <para>
-		Run the server in the foreground and force all logging
-		to <filename>stderr</filename>.
+        <term>-g</term>
+        <listitem>
+          <para>
+            Run the server in the foreground and force all logging
+            to <filename>stderr</filename>.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-n <replaceable class="parameter">#cpus</replaceable></term>
-	<listitem>
-	  <para>
-		Create <replaceable
-		class="parameter">#cpus</replaceable> worker threads
-		to take advantage of multiple CPUs.  If not specified,
-		<command>lwresd</command> will try to determine the
-		number of CPUs present and create one thread per CPU.
-		If it is unable to determine the number of CPUs, a
-		single worker thread will be created.
+        <term>-n <replaceable class="parameter">#cpus</replaceable></term>
+        <listitem>
+          <para>
+            Create <replaceable class="parameter">#cpus</replaceable> worker threads
+            to take advantage of multiple CPUs.  If not specified,
+            <command>lwresd</command> will try to determine the
+            number of CPUs present and create one thread per CPU.
+            If it is unable to determine the number of CPUs, a
+            single worker thread will be created.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-P <replaceable class="parameter">port</replaceable></term>
-	<listitem>
-	  <para>
-		Listen for lightweight resolver queries on port
-		<replaceable class="parameter">port</replaceable>.  If
-		not specified, the default is port 921.
+        <term>-P <replaceable class="parameter">port</replaceable></term>
+        <listitem>
+          <para>
+            Listen for lightweight resolver queries on port
+            <replaceable class="parameter">port</replaceable>.  If
+            		not specified, the default is port 921.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-p <replaceable class="parameter">port</replaceable></term>
-	<listitem>
-	  <para>
-		Send DNS lookups to port <replaceable
-		class="parameter">port</replaceable>.  If not
-		specified, the default is port 53.  This provides a
-		way of testing the lightweight resolver daemon with a
-		name server that listens for queries on a non-standard
-		port number.
+        <term>-p <replaceable class="parameter">port</replaceable></term>
+        <listitem>
+          <para>
+            Send DNS lookups to port <replaceable class="parameter">port</replaceable>.  If not
+            specified, the default is port 53.  This provides a
+            way of testing the lightweight resolver daemon with a
+            name server that listens for queries on a non-standard
+            port number.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-s</term>
-	<listitem>
-	  <para>
-		Write memory usage statistics to <filename>stdout</filename>
-		on exit.
+        <term>-s</term>
+        <listitem>
+          <para>
+            Write memory usage statistics to <filename>stdout</filename>
+            on exit.
           </para>
-	  <note>
-	    <para>
-		This option is mainly of interest to BIND 9 developers
-		and may be removed or changed in a future release.
-	    </para>
-	  </note>
-	</listitem>
+          <note>
+            <para>
+              This option is mainly of interest to BIND 9 developers
+              and may be removed or changed in a future release.
+            </para>
+          </note>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-t <replaceable class="parameter">directory</replaceable></term>
-	<listitem>
-	  <para>
-		<function>chroot()</function> to <replaceable
-		class="parameter">directory</replaceable> after
-		processing the command line arguments, but before
-		reading the configuration file.
+        <term>-t <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para><function>chroot()</function>
+	    to <replaceable class="parameter">directory</replaceable> after
+            processing the command line arguments, but before
+            reading the configuration file.
           </para>
-	  <warning>
-	    <para>
-		This option should be used in conjunction with the
-		<option>-u</option> option, as chrooting a process
-		running as root doesn't enhance security on most
-		systems; the way <function>chroot()</function> is
-		defined allows a process with root privileges to
-		escape a chroot jail.
-	    </para>
-	  </warning>
-	</listitem>
+          <warning>
+            <para>
+              This option should be used in conjunction with the
+              <option>-u</option> option, as chrooting a process
+              running as root doesn't enhance security on most
+              systems; the way <function>chroot()</function> is
+              defined allows a process with root privileges to
+              escape a chroot jail.
+            </para>
+          </warning>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-u <replaceable class="parameter">user</replaceable></term>
-	<listitem>
-	  <para>
-		<function>setuid()</function> to <replaceable
-		class="parameter">user</replaceable> after completing
-		privileged operations, such as creating sockets that
-		listen on privileged ports.
+        <term>-u <replaceable class="parameter">user</replaceable></term>
+        <listitem>
+          <para><function>setuid()</function>
+	    to <replaceable class="parameter">user</replaceable> after completing
+            privileged operations, such as creating sockets that
+            listen on privileged ports.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-v</term>
-	<listitem>
-	  <para>
-		Report the version number and exit.
+        <term>-v</term>
+        <listitem>
+          <para>
+            Report the version number and exit.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
     </variablelist>
@@ -259,21 +255,21 @@
     <variablelist>
 
       <varlistentry>
-	<term><filename>/etc/resolv.conf</filename></term>
-	<listitem>
-	  <para>
-		The default configuration file.
+        <term><filename>/etc/resolv.conf</filename></term>
+        <listitem>
+          <para>
+            The default configuration file.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term><filename>/var/run/lwresd.pid</filename></term>
-	<listitem>
-	  <para>
-		The default process-id file.
+        <term><filename>/var/run/lwresd.pid</filename></term>
+        <listitem>
+          <para>
+            The default process-id file.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
     </variablelist>
@@ -282,33 +278,25 @@
 
   <refsect1>
     <title>SEE ALSO</title>
-    <para>
-	<citerefentry>
-	  <refentrytitle>named</refentrytitle>
-	  <manvolnum>8</manvolnum>
-        </citerefentry>,
-	<citerefentry>
-	  <refentrytitle>lwres</refentrytitle>
-	  <manvolnum>3</manvolnum>
-        </citerefentry>,
-	<citerefentry>
-	  <refentrytitle>resolver</refentrytitle>
-	  <manvolnum>5</manvolnum>
-        </citerefentry>.
+    <para><citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>.
     </para>
   </refsect1>
 
   <refsect1>
     <title>AUTHOR</title>
-    <para>
-	<corpauthor>Internet Systems Consortium</corpauthor>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
     </para>
   </refsect1>
 
-</refentry>
-
-
-<!--
+</refentry><!--
  - Local variables:
  - mode: sgml
  - End:
diff --git a/contrib/bind9/bin/named/lwresd.html b/contrib/bind9/bin/named/lwresd.html
index 6ab7824..e25dfcf 100644
--- a/contrib/bind9/bin/named/lwresd.html
+++ b/contrib/bind9/bin/named/lwresd.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwresd.html,v 1.4.2.1.4.10 2006/06/29 13:02:30 marka Exp $ -->
+<!-- $Id: lwresd.html,v 1.5.18.16 2007/01/30 00:23:44 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwresd</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">lwresd</span> &#8212; lightweight resolver daemon</p>
@@ -32,157 +32,155 @@
 <div class="cmdsynopsis"><p><code class="command">lwresd</code>  [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549484"></a><h2>DESCRIPTION</h2>
-<p>
-	<span><strong class="command">lwresd</strong></span> is the daemon providing name lookup
-	services to clients that use the BIND 9 lightweight resolver
-	library.  It is essentially a stripped-down, caching-only name
-	server that answers queries using the BIND 9 lightweight
-	resolver protocol rather than the DNS protocol.
+<a name="id2543435"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">lwresd</strong></span>
+      is the daemon providing name lookup
+      services to clients that use the BIND 9 lightweight resolver
+      library.  It is essentially a stripped-down, caching-only name
+      server that answers queries using the BIND 9 lightweight
+      resolver protocol rather than the DNS protocol.
     </p>
-<p>
-	<span><strong class="command">lwresd</strong></span> listens for resolver queries on a
-	UDP port on the IPv4 loopback interface, 127.0.0.1.  This
-	means that <span><strong class="command">lwresd</strong></span> can only be used by
-	processes running on the local machine.  By default UDP port
-	number 921 is used for lightweight resolver requests and
-	responses.
+<p><span><strong class="command">lwresd</strong></span> 
+      listens for resolver queries on a
+      UDP port on the IPv4 loopback interface, 127.0.0.1.  This
+      means that <span><strong class="command">lwresd</strong></span> can only be used by
+      processes running on the local machine.  By default UDP port
+      number 921 is used for lightweight resolver requests and
+      responses.
     </p>
 <p>
-	Incoming lightweight resolver requests are decoded by the
-	server which then resolves them using the DNS protocol.  When
-	the DNS lookup completes, <span><strong class="command">lwresd</strong></span> encodes
-	the answers in the lightweight resolver format and returns
-	them to the client that made the request.
+      Incoming lightweight resolver requests are decoded by the
+      server which then resolves them using the DNS protocol.  When
+      the DNS lookup completes, <span><strong class="command">lwresd</strong></span> encodes
+      the answers in the lightweight resolver format and returns
+      them to the client that made the request.
     </p>
 <p>
-	If <code class="filename">/etc/resolv.conf</code> contains any
-	<code class="option">nameserver</code> entries, <span><strong class="command">lwresd</strong></span>
-	sends recursive DNS queries to those servers.  This is similar
-	to the use of forwarders in a caching name server.  If no
-	<code class="option">nameserver</code> entries are present, or if
-	forwarding fails, <span><strong class="command">lwresd</strong></span> resolves the
-	queries autonomously starting at the root name servers, using
-	a built-in list of root server hints.
+      If <code class="filename">/etc/resolv.conf</code> contains any
+      <code class="option">nameserver</code> entries, <span><strong class="command">lwresd</strong></span>
+      sends recursive DNS queries to those servers.  This is similar
+      to the use of forwarders in a caching name server.  If no
+      <code class="option">nameserver</code> entries are present, or if
+      forwarding fails, <span><strong class="command">lwresd</strong></span> resolves the
+      queries autonomously starting at the root name servers, using
+      a built-in list of root server hints.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549533"></a><h2>OPTIONS</h2>
+<a name="id2543482"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt>
 <dd><p>
-		Use <em class="replaceable"><code>config-file</code></em> as the
-		configuration file instead of the default,
-		<code class="filename">/etc/resolv.conf</code>.
+            Use <em class="replaceable"><code>config-file</code></em> as the
+            configuration file instead of the default,
+            <code class="filename">/etc/resolv.conf</code>.
           </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
 <dd><p>
-		Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
-		Debugging traces from <span><strong class="command">lwresd</strong></span> become
-		more verbose as the debug level increases.
+            Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
+            Debugging traces from <span><strong class="command">lwresd</strong></span> become
+            		more verbose as the debug level increases.
           </p></dd>
 <dt><span class="term">-f</span></dt>
 <dd><p>
-		Run the server in the foreground (i.e. do not daemonize).
+            Run the server in the foreground (i.e. do not daemonize).
           </p></dd>
 <dt><span class="term">-g</span></dt>
 <dd><p>
-		Run the server in the foreground and force all logging
-		to <code class="filename">stderr</code>.
+            Run the server in the foreground and force all logging
+            to <code class="filename">stderr</code>.
           </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
 <dd><p>
-		Create <em class="replaceable"><code>#cpus</code></em> worker threads
-		to take advantage of multiple CPUs.  If not specified,
-		<span><strong class="command">lwresd</strong></span> will try to determine the
-		number of CPUs present and create one thread per CPU.
-		If it is unable to determine the number of CPUs, a
-		single worker thread will be created.
+            Create <em class="replaceable"><code>#cpus</code></em> worker threads
+            to take advantage of multiple CPUs.  If not specified,
+            <span><strong class="command">lwresd</strong></span> will try to determine the
+            number of CPUs present and create one thread per CPU.
+            If it is unable to determine the number of CPUs, a
+            single worker thread will be created.
           </p></dd>
 <dt><span class="term">-P <em class="replaceable"><code>port</code></em></span></dt>
 <dd><p>
-		Listen for lightweight resolver queries on port
-		<em class="replaceable"><code>port</code></em>.  If
-		not specified, the default is port 921.
+            Listen for lightweight resolver queries on port
+            <em class="replaceable"><code>port</code></em>.  If
+            		not specified, the default is port 921.
           </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
 <dd><p>
-		Send DNS lookups to port <em class="replaceable"><code>port</code></em>.  If not
-		specified, the default is port 53.  This provides a
-		way of testing the lightweight resolver daemon with a
-		name server that listens for queries on a non-standard
-		port number.
+            Send DNS lookups to port <em class="replaceable"><code>port</code></em>.  If not
+            specified, the default is port 53.  This provides a
+            way of testing the lightweight resolver daemon with a
+            name server that listens for queries on a non-standard
+            port number.
           </p></dd>
 <dt><span class="term">-s</span></dt>
 <dd>
 <p>
-		Write memory usage statistics to <code class="filename">stdout</code>
-		on exit.
+            Write memory usage statistics to <code class="filename">stdout</code>
+            on exit.
           </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
-		This option is mainly of interest to BIND 9 developers
-		and may be removed or changed in a future release.
-	    </p>
+              This option is mainly of interest to BIND 9 developers
+              and may be removed or changed in a future release.
+            </p>
 </div>
 </dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
 <dd>
-<p>
-		<code class="function">chroot()</code> to <em class="replaceable"><code>directory</code></em> after
-		processing the command line arguments, but before
-		reading the configuration file.
+<p><code class="function">chroot()</code>
+	    to <em class="replaceable"><code>directory</code></em> after
+            processing the command line arguments, but before
+            reading the configuration file.
           </p>
 <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
 <p>
-		This option should be used in conjunction with the
-		<code class="option">-u</code> option, as chrooting a process
-		running as root doesn't enhance security on most
-		systems; the way <code class="function">chroot()</code> is
-		defined allows a process with root privileges to
-		escape a chroot jail.
-	    </p>
+              This option should be used in conjunction with the
+              <code class="option">-u</code> option, as chrooting a process
+              running as root doesn't enhance security on most
+              systems; the way <code class="function">chroot()</code> is
+              defined allows a process with root privileges to
+              escape a chroot jail.
+            </p>
 </div>
 </dd>
 <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd><p>
-		<code class="function">setuid()</code> to <em class="replaceable"><code>user</code></em> after completing
-		privileged operations, such as creating sockets that
-		listen on privileged ports.
+<dd><p><code class="function">setuid()</code>
+	    to <em class="replaceable"><code>user</code></em> after completing
+            privileged operations, such as creating sockets that
+            listen on privileged ports.
           </p></dd>
 <dt><span class="term">-v</span></dt>
 <dd><p>
-		Report the version number and exit.
+            Report the version number and exit.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549939"></a><h2>FILES</h2>
+<a name="id2543746"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt>
 <dd><p>
-		The default configuration file.
+            The default configuration file.
           </p></dd>
 <dt><span class="term"><code class="filename">/var/run/lwresd.pid</code></span></dt>
 <dd><p>
-		The default process-id file.
+            The default process-id file.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549978"></a><h2>SEE ALSO</h2>
-<p>
-	<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-	<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
-	<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
+<a name="id2543785"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550017"></a><h2>AUTHOR</h2>
-<p>
-	<span class="corpauthor">Internet Systems Consortium</span>
+<a name="id2543819"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div></body>
diff --git a/contrib/bind9/bin/named/lwsearch.c b/contrib/bind9/bin/named/lwsearch.c
index 8b9ea52..4a61f96 100644
--- a/contrib/bind9/bin/named/lwsearch.c
+++ b/contrib/bind9/bin/named/lwsearch.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwsearch.c,v 1.7.208.1 2004/03/06 10:21:20 marka Exp $ */
+/* $Id: lwsearch.c,v 1.8.18.3 2005/07/12 01:22:17 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -38,6 +40,7 @@
 isc_result_t
 ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp) {
 	ns_lwsearchlist_t *list;
+	isc_result_t result;
 
 	REQUIRE(mctx != NULL);
 	REQUIRE(listp != NULL && *listp == NULL);
@@ -46,7 +49,11 @@ ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp) {
 	if (list == NULL)
 		return (ISC_R_NOMEMORY);
 	
-	RUNTIME_CHECK(isc_mutex_init(&list->lock) == ISC_R_SUCCESS);
+	result = isc_mutex_init(&list->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, list, sizeof(ns_lwsearchlist_t));
+		return (result);
+	}
 	list->mctx = NULL;
 	isc_mem_attach(mctx, &list->mctx);
 	list->refs = 1;
diff --git a/contrib/bind9/bin/named/main.c b/contrib/bind9/bin/named/main.c
index 960de2a..6b9b67e 100644
--- a/contrib/bind9/bin/named/main.c
+++ b/contrib/bind9/bin/named/main.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.c,v 1.119.2.3.2.25 2006/11/10 18:51:06 marka Exp $ */
+/* $Id: main.c,v 1.136.18.17 2006/11/10 18:51:14 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -71,6 +73,13 @@
  */
 /* #include "xxdb.h" */
 
+/*
+ * Include DLZ drivers if appropriate.
+ */
+#ifdef DLZ
+#include <dlz/dlz_drivers.h>
+#endif
+
 static isc_boolean_t	want_stats = ISC_FALSE;
 static char		program_name[ISC_DIR_NAMEMAX] = "named";
 static char		absolute_conffile[ISC_DIR_PATHMAX];
@@ -226,7 +235,7 @@ lwresd_usage(void) {
 		"              [-f|-g] [-n number_of_cpus] [-p port] "
 		"[-P listen-port] [-s]\n"
 		"              [-t chrootdir] [-u username] [-i pidfile]\n"
-		"              [-m {usage|trace|record}]\n");
+		"              [-m {usage|trace|record|size|mctx}]\n");
 }
 
 static void
@@ -239,7 +248,7 @@ usage(void) {
 		"usage: named [-4|-6] [-c conffile] [-d debuglevel] "
 		"[-f|-g] [-n number_of_cpus]\n"
 		"             [-p port] [-s] [-t chrootdir] [-u username]\n"
-		"             [-m {usage|trace|record}]\n");
+		"             [-m {usage|trace|record|size|mctx}]\n");
 }
 
 static void
@@ -307,6 +316,8 @@ static struct flag_def {
 	{ "trace",  ISC_MEM_DEBUGTRACE },
 	{ "record", ISC_MEM_DEBUGRECORD },
 	{ "usage", ISC_MEM_DEBUGUSAGE },
+	{ "size", ISC_MEM_DEBUGSIZE },
+	{ "mctx", ISC_MEM_DEBUGCTX },
 	{ NULL, 0 }
 };
 
@@ -671,6 +682,16 @@ setup(void) {
 	 */
 	/* xxdb_init(); */
 
+#ifdef DLZ
+	/*
+	 * Registyer any DLZ drivers.
+	 */
+	result = dlz_drivers_init();
+	if (result != ISC_R_SUCCESS)
+		ns_main_earlyfatal("dlz_drivers_init() failed: %s",
+				   isc_result_totext(result));
+#endif
+
 	ns_server_create(ns_g_mctx, &ns_g_server);
 }
 
@@ -687,6 +708,15 @@ cleanup(void) {
 	 */
 	/* xxdb_clear(); */
 
+#ifdef DLZ
+	/*
+	 * Unregister any DLZ drivers.
+	 */
+	dlz_drivers_clear();
+#endif
+
+	dns_name_destroy();
+
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
 		      ISC_LOG_NOTICE, "exiting");
 	ns_log_shutdown();
@@ -882,6 +912,7 @@ main(int argc, char *argv[]) {
 		}
 	}
 	isc_mem_destroy(&ns_g_mctx);
+	isc_mem_checkdestroyed(stderr);
 
 	ns_main_setmemstats(NULL);
 
diff --git a/contrib/bind9/bin/named/named.8 b/contrib/bind9/bin/named/named.8
index 7172393..5b39e2a 100644
--- a/contrib/bind9/bin/named/named.8
+++ b/contrib/bind9/bin/named/named.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.8,v 1.17.208.9 2006/06/29 13:02:30 marka Exp $
+.\" $Id: named.8,v 1.20.18.12 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: named
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: June 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -44,22 +44,27 @@ When invoked without arguments,
 will read the default configuration file
 \fI/etc/named.conf\fR, read any initial data, and listen for queries.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \-4
+.RS 4
 Use IPv4 only even if the host machine is capable of IPv6.
 \fB\-4\fR
 and
 \fB\-6\fR
 are mutually exclusive.
-.TP 3n
+.RE
+.PP
 \-6
+.RS 4
 Use IPv6 only even if the host machine is capable of IPv4.
 \fB\-4\fR
 and
 \fB\-6\fR
 are mutually exclusive.
-.TP 3n
+.RE
+.PP
 \-c \fIconfig\-file\fR
+.RS 4
 Use
 \fIconfig\-file\fR
 as the configuration file instead of the default,
@@ -68,32 +73,44 @@ as the configuration file instead of the default,
 option in the configuration file,
 \fIconfig\-file\fR
 should be an absolute pathname.
-.TP 3n
+.RE
+.PP
 \-d \fIdebug\-level\fR
+.RS 4
 Set the daemon's debug level to
 \fIdebug\-level\fR. Debugging traces from
 \fBnamed\fR
 become more verbose as the debug level increases.
-.TP 3n
+.RE
+.PP
 \-f
+.RS 4
 Run the server in the foreground (i.e. do not daemonize).
-.TP 3n
+.RE
+.PP
 \-g
+.RS 4
 Run the server in the foreground and force all logging to
 \fIstderr\fR.
-.TP 3n
+.RE
+.PP
 \-n \fI#cpus\fR
+.RS 4
 Create
 \fI#cpus\fR
 worker threads to take advantage of multiple CPUs. If not specified,
 \fBnamed\fR
 will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.TP 3n
+.RE
+.PP
 \-p \fIport\fR
+.RS 4
 Listen for queries on port
 \fIport\fR. If not specified, the default is port 53.
-.TP 3n
+.RE
+.PP
 \-s
+.RS 4
 Write memory usage statistics to
 \fIstdout\fR
 on exit.
@@ -101,8 +118,10 @@ on exit.
 .B "Note:"
 This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
 .RE
-.TP 3n
+.RE
+.PP
 \-t \fIdirectory\fR
+.RS 4
 \fBchroot()\fR
 to
 \fIdirectory\fR
@@ -115,8 +134,10 @@ option, as chrooting a process running as root doesn't enhance security on most
 \fBchroot()\fR
 is defined allows a process with root privileges to escape a chroot jail.
 .RE
-.TP 3n
+.RE
+.PP
 \-u \fIuser\fR
+.RS 4
 \fBsetuid()\fR
 to
 \fIuser\fR
@@ -134,11 +155,15 @@ option only works when
 is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previous kernels did not allow privileges to be retained after
 \fBsetuid()\fR.
 .RE
-.TP 3n
+.RE
+.PP
 \-v
+.RS 4
 Report the version number and exit.
-.TP 3n
+.RE
+.PP
 \-x \fIcache\-file\fR
+.RS 4
 Load data from
 \fIcache\-file\fR
 into the cache of the default view.
@@ -146,17 +171,22 @@ into the cache of the default view.
 .B "Warning:"
 This option must not be used. It is only of interest to BIND 9 developers and may be removed or changed in a future release.
 .RE
+.RE
 .SH "SIGNALS"
 .PP
 In routine operation, signals should not be used to control the nameserver;
 \fBrndc\fR
 should be used instead.
-.TP 3n
+.PP
 SIGHUP
+.RS 4
 Force a reload of the server.
-.TP 3n
+.RE
+.PP
 SIGINT, SIGTERM
+.RS 4
 Shut down the server.
+.RE
 .PP
 The result of sending any other signals to the server is undefined.
 .SH "CONFIGURATION"
@@ -166,12 +196,16 @@ The
 configuration file is too complex to describe in detail here. A complete description is provided in the
 BIND 9 Administrator Reference Manual.
 .SH "FILES"
-.TP 3n
+.PP
 \fI/etc/named.conf\fR
+.RS 4
 The default configuration file.
-.TP 3n
+.RE
+.PP
 \fI/var/run/named.pid\fR
+.RS 4
 The default process\-id file.
+.RE
 .SH "SEE ALSO"
 .PP
 RFC 1033,
@@ -185,4 +219,7 @@ BIND 9 Administrator Reference Manual.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/bin/named/named.conf.5 b/contrib/bind9/bin/named/named.conf.5
index 1ace4da..75b1bb5 100644
--- a/contrib/bind9/bin/named/named.conf.5
+++ b/contrib/bind9/bin/named/named.conf.5
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -12,13 +12,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.1.4.10 2006/09/13 02:56:20 marka Exp $
+.\" $Id: named.conf.5,v 1.1.2.23 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: \fInamed.conf\fR
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Aug 13, 2004
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -46,14 +46,14 @@ C++ style: // to end of line
 Unix style: # to end of line
 .SH "ACL"
 .sp
-.RS 3n
+.RS 4
 .nf
 acl \fIstring\fR { \fIaddress_match_element\fR; ... };
 .fi
 .RE
 .SH "KEY"
 .sp
-.RS 3n
+.RS 4
 .nf
 key \fIdomain_name\fR {
 	algorithm \fIstring\fR;
@@ -63,7 +63,7 @@ key \fIdomain_name\fR {
 .RE
 .SH "MASTERS"
 .sp
-.RS 3n
+.RS 4
 .nf
 masters \fIstring\fR [ port \fIinteger\fR ] {
 	( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] |
@@ -73,11 +73,13 @@ masters \fIstring\fR [ port \fIinteger\fR ] {
 .RE
 .SH "SERVER"
 .sp
-.RS 3n
+.RS 4
 .nf
-server ( \fIipv4_address\fR | \fIipv6_address\fR ) {
+server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) {
 	bogus \fIboolean\fR;
 	edns \fIboolean\fR;
+	edns\-udp\-size \fIinteger\fR;
+	max\-udp\-size \fIinteger\fR;
 	provide\-ixfr \fIboolean\fR;
 	request\-ixfr \fIboolean\fR;
 	keys \fIserver_key\fR;
@@ -93,7 +95,7 @@ server ( \fIipv4_address\fR | \fIipv6_address\fR ) {
 .RE
 .SH "TRUSTED\-KEYS"
 .sp
-.RS 3n
+.RS 4
 .nf
 trusted\-keys {
 	\fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... 
@@ -102,7 +104,7 @@ trusted\-keys {
 .RE
 .SH "CONTROLS"
 .sp
-.RS 3n
+.RS 4
 .nf
 controls {
 	inet ( \fIipv4_address\fR | \fIipv6_address\fR | * )
@@ -115,7 +117,7 @@ controls {
 .RE
 .SH "LOGGING"
 .sp
-.RS 3n
+.RS 4
 .nf
 logging {
 	channel \fIstring\fR {
@@ -134,7 +136,7 @@ logging {
 .RE
 .SH "LWRES"
 .sp
-.RS 3n
+.RS 4
 .nf
 lwres {
 	listen\-on [ port \fIinteger\fR ] {
@@ -148,7 +150,7 @@ lwres {
 .RE
 .SH "OPTIONS"
 .sp
-.RS 3n
+.RS 4
 .nf
 options {
 	avoid\-v4\-udp\-ports { \fIport\fR; ... };
@@ -157,7 +159,6 @@ options {
 	coresize \fIsize\fR;
 	datasize \fIsize\fR;
 	directory \fIquoted_string\fR;
-	cache\-file \fIquoted_string\fR; // test option
 	dump\-file \fIquoted_string\fR;
 	files \fIsize\fR;
 	heartbeat\-interval \fIinteger\fR;
@@ -205,8 +206,8 @@ options {
 	rfc2308\-type1 \fIboolean\fR; // not yet implemented
 	additional\-from\-auth \fIboolean\fR;
 	additional\-from\-cache \fIboolean\fR;
-	query\-source [ address ( \fIipv4_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
-	query\-source\-v6 [ address ( \fIipv6_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
+	query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
+	query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
 	cleaning\-interval \fIinteger\fR;
 	min\-roots \fIinteger\fR; // not implemented
 	lame\-ttl \fIinteger\fR;
@@ -214,30 +215,48 @@ options {
 	max\-cache\-ttl \fIinteger\fR;
 	transfer\-format ( many\-answers | one\-answer );
 	max\-cache\-size \fIsize_no_default\fR;
+	max\-acache\-size \fIsize_no_default\fR;
+	clients\-per\-query \fInumber\fR;
+	max\-clients\-per\-query \fInumber\fR;
 	check\-names ( master | slave | response )
 		( fail | warn | ignore );
-	cache\-file \fIquoted_string\fR;
+	check\-mx ( fail | warn | ignore );
+	check\-integrity \fIboolean\fR;
+	check\-mx\-cname ( fail | warn | ignore );
+	check\-srv\-cname ( fail | warn | ignore );
+	cache\-file \fIquoted_string\fR; // test option
 	suppress\-initial\-notify \fIboolean\fR; // not yet implemented
 	preferred\-glue \fIstring\fR;
 	dual\-stack\-servers [ port \fIinteger\fR ] {
 		( \fIquoted_string\fR [port \fIinteger\fR] |
 		\fIipv4_address\fR [port \fIinteger\fR] |
 		\fIipv6_address\fR [port \fIinteger\fR] ); ...
-	}
+	};
 	edns\-udp\-size \fIinteger\fR;
+	max\-udp\-size \fIinteger\fR;
 	root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ];
 	disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
 	dnssec\-enable \fIboolean\fR;
+	dnssec\-validation \fIboolean\fR;
 	dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR;
 	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
+	dnssec\-accept\-expired \fIboolean\fR;
+	empty\-server \fIstring\fR;
+	empty\-contact \fIstring\fR;
+	empty\-zones\-enable \fIboolean\fR;
+	disable\-empty\-zone \fIstring\fR;
 	dialup \fIdialuptype\fR;
 	ixfr\-from\-differences \fIixfrdiff\fR;
 	allow\-query { \fIaddress_match_element\fR; ... };
+	allow\-query\-cache { \fIaddress_match_element\fR; ... };
 	allow\-transfer { \fIaddress_match_element\fR; ... };
+	allow\-update { \fIaddress_match_element\fR; ... };
 	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
+	update\-check\-ksk \fIboolean\fR;
 	notify \fInotifytype\fR;
 	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
 	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
+	notify\-delay \fIseconds\fR;
 	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
 		[ port \fIinteger\fR ]; ... };
 	allow\-notify { \fIaddress_match_element\fR; ... };
@@ -267,6 +286,8 @@ options {
 	use\-alt\-transfer\-source \fIboolean\fR;
 	zone\-statistics \fIboolean\fR;
 	key\-directory \fIquoted_string\fR;
+	zero\-no\-soa\-ttl \fIboolean\fR;
+	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
 	allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
 	deallocate\-on\-exit \fIboolean\fR; // obsolete
 	fake\-iquery \fIboolean\fR; // obsolete
@@ -284,7 +305,7 @@ options {
 .RE
 .SH "VIEW"
 .sp
-.RS 3n
+.RS 4
 .nf
 view \fIstring\fR \fIoptional_class\fR {
 	match\-clients { \fIaddress_match_element\fR; ... };
@@ -297,7 +318,7 @@ view \fIstring\fR \fIoptional_class\fR {
 	zone \fIstring\fR \fIoptional_class\fR {
 		...
 	};
-	server ( \fIipv4_address\fR | \fIipv6_address\fR ) {
+	server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) {
 		...
 	};
 	trusted\-keys {
@@ -318,8 +339,8 @@ view \fIstring\fR \fIoptional_class\fR {
 	rfc2308\-type1 \fIboolean\fR; // not yet implemented
 	additional\-from\-auth \fIboolean\fR;
 	additional\-from\-cache \fIboolean\fR;
-	query\-source [ address ( \fIipv4_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
-	query\-source\-v6 [ address ( \fIipv6_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
+	query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
+	query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
 	cleaning\-interval \fIinteger\fR;
 	min\-roots \fIinteger\fR; // not implemented
 	lame\-ttl \fIinteger\fR;
@@ -327,9 +348,16 @@ view \fIstring\fR \fIoptional_class\fR {
 	max\-cache\-ttl \fIinteger\fR;
 	transfer\-format ( many\-answers | one\-answer );
 	max\-cache\-size \fIsize_no_default\fR;
+	max\-acache\-size \fIsize_no_default\fR;
+	clients\-per\-query \fInumber\fR;
+	max\-clients\-per\-query \fInumber\fR;
 	check\-names ( master | slave | response )
 		( fail | warn | ignore );
-	cache\-file \fIquoted_string\fR;
+	check\-mx ( fail | warn | ignore );
+	check\-integrity \fIboolean\fR;
+	check\-mx\-cname ( fail | warn | ignore );
+	check\-srv\-cname ( fail | warn | ignore );
+	cache\-file \fIquoted_string\fR; // test option
 	suppress\-initial\-notify \fIboolean\fR; // not yet implemented
 	preferred\-glue \fIstring\fR;
 	dual\-stack\-servers [ port \fIinteger\fR ] {
@@ -338,19 +366,30 @@ view \fIstring\fR \fIoptional_class\fR {
 		\fIipv6_address\fR [port \fIinteger\fR] ); ...
 	};
 	edns\-udp\-size \fIinteger\fR;
+	max\-udp\-size \fIinteger\fR;
 	root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ];
 	disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
 	dnssec\-enable \fIboolean\fR;
+	dnssec\-validation \fIboolean\fR;
 	dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR;
 	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
+	dnssec\-accept\-expired \fIboolean\fR;
+	empty\-server \fIstring\fR;
+	empty\-contact \fIstring\fR;
+	empty\-zones\-enable \fIboolean\fR;
+	disable\-empty\-zone \fIstring\fR;
 	dialup \fIdialuptype\fR;
 	ixfr\-from\-differences \fIixfrdiff\fR;
 	allow\-query { \fIaddress_match_element\fR; ... };
+	allow\-query\-cache { \fIaddress_match_element\fR; ... };
 	allow\-transfer { \fIaddress_match_element\fR; ... };
+	allow\-update { \fIaddress_match_element\fR; ... };
 	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
+	update\-check\-ksk \fIboolean\fR;
 	notify \fInotifytype\fR;
 	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
 	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
+	notify\-delay \fIseconds\fR;
 	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
 		[ port \fIinteger\fR ]; ... };
 	allow\-notify { \fIaddress_match_element\fR; ... };
@@ -380,6 +419,8 @@ view \fIstring\fR \fIoptional_class\fR {
 	use\-alt\-transfer\-source \fIboolean\fR;
 	zone\-statistics \fIboolean\fR;
 	key\-directory \fIquoted_string\fR;
+	zero\-no\-soa\-ttl \fIboolean\fR;
+	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
 	allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
 	fetch\-glue \fIboolean\fR; // obsolete
 	maintain\-ixfr\-base \fIboolean\fR; // obsolete
@@ -389,7 +430,7 @@ view \fIstring\fR \fIoptional_class\fR {
 .RE
 .SH "ZONE"
 .sp
-.RS 3n
+.RS 4
 .nf
 zone \fIstring\fR \fIoptional_class\fR {
 	type ( master | slave | stub | hint |
@@ -403,8 +444,14 @@ zone \fIstring\fR \fIoptional_class\fR {
 	database \fIstring\fR;
 	delegation\-only \fIboolean\fR;
 	check\-names ( fail | warn | ignore );
+	check\-mx ( fail | warn | ignore );
+	check\-integrity \fIboolean\fR;
+	check\-mx\-cname ( fail | warn | ignore );
+	check\-srv\-cname ( fail | warn | ignore );
 	dialup \fIdialuptype\fR;
 	ixfr\-from\-differences \fIboolean\fR;
+	journal \fIquoted_string\fR;
+	zero\-no\-soa\-ttl \fIboolean\fR;
 	allow\-query { \fIaddress_match_element\fR; ... };
 	allow\-transfer { \fIaddress_match_element\fR; ... };
 	allow\-update { \fIaddress_match_element\fR; ... };
@@ -414,9 +461,11 @@ zone \fIstring\fR \fIoptional_class\fR {
 		( name | subdomain | wildcard | self ) \fIstring\fR
 		\fIrrtypelist\fR; ...
 	};
+	update\-check\-ksk \fIboolean\fR;
 	notify \fInotifytype\fR;
 	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
 	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
+	notify\-delay \fIseconds\fR;
 	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
 		[ port \fIinteger\fR ]; ... };
 	allow\-notify { \fIaddress_match_element\fR; ... };
@@ -463,4 +512,5 @@ zone \fIstring\fR \fIoptional_class\fR {
 \fBrndc\fR(8),
 \fBBIND 9 Administrator Reference Manual\fR().
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/contrib/bind9/bin/named/named.conf.docbook b/contrib/bind9/bin/named/named.conf.docbook
index fb8a5ef..5d5f52f 100644
--- a/contrib/bind9/bin/named/named.conf.docbook
+++ b/contrib/bind9/bin/named/named.conf.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -17,8 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.conf.docbook,v 1.1.4.8 2006/09/13 00:26:41 marka Exp $ -->
-
+<!-- $Id: named.conf.docbook,v 1.1.2.25 2007/01/29 23:57:20 marka Exp $ -->
 <refentry>
   <refentryinfo>
     <date>Aug 13, 2004</date>
@@ -30,20 +29,21 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
+  <refnamediv>
+    <refname><filename>named.conf</filename></refname>
+    <refpurpose>configuration file for named</refpurpose>
+  </refnamediv>
+
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
       <year>2006</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
 
-  <refnamediv>
-    <refname><filename>named.conf</filename></refname>
-    <refpurpose>configuration file for named</refpurpose>
-  </refnamediv>
-
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>named.conf</command>
@@ -52,58 +52,60 @@
 
   <refsect1>
     <title>DESCRIPTION</title>
-    <para>
-	<filename>named.conf</filename> is the configuration file for
-	<command>named</command>.  Statements are enclosed
-	in braces and terminated with a semi-colon.  Clauses in
-	the statements are also semi-colon terminated.  The usual
-	comment styles are supported:
+    <para><filename>named.conf</filename> is the configuration file
+      for
+      <command>named</command>.  Statements are enclosed
+      in braces and terminated with a semi-colon.  Clauses in
+      the statements are also semi-colon terminated.  The usual
+      comment styles are supported:
     </para>
     <para>
-	C style: /* */
+      C style: /* */
     </para>
     <para>
-	C++ style: // to end of line
+      C++ style: // to end of line
     </para>
     <para>
-	Unix style: # to end of line
+      Unix style: # to end of line
     </para>
   </refsect1>
 
-<refsect1>
-<title>ACL</title>
-<literallayout>
+  <refsect1>
+    <title>ACL</title>
+    <literallayout>
 acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };
 
 </literallayout>
-</refsect1>
+  </refsect1>
 
-<refsect1>
-<title>KEY</title>
-<literallayout>
+  <refsect1>
+    <title>KEY</title>
+    <literallayout>
 key <replaceable>domain_name</replaceable> {
 	algorithm <replaceable>string</replaceable>;
 	secret <replaceable>string</replaceable>;
 };
 </literallayout>
-</refsect1>
+  </refsect1>
 
-<refsect1>
-<title>MASTERS</title>
-<literallayout>
+  <refsect1>
+    <title>MASTERS</title>
+    <literallayout>
 masters <replaceable>string</replaceable> <optional> port <replaceable>integer</replaceable> </optional> {
 	( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
 	<replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ) <optional> key <replaceable>string</replaceable> </optional>; ...
 };
 </literallayout>
-</refsect1>
+  </refsect1>
 
-<refsect1>
-<title>SERVER</title>
-<literallayout>
-server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) {
+  <refsect1>
+    <title>SERVER</title>
+    <literallayout>
+server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable> | <replaceable>ipv6_address<optional>/prefixlen</optional></replaceable> ) {
 	bogus <replaceable>boolean</replaceable>;
 	edns <replaceable>boolean</replaceable>;
+	edns-udp-size <replaceable>integer</replaceable>;
+	max-udp-size <replaceable>integer</replaceable>;
 	provide-ixfr <replaceable>boolean</replaceable>;
 	request-ixfr <replaceable>boolean</replaceable>;
 	keys <replaceable>server_key</replaceable>;
@@ -117,20 +119,20 @@ server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</re
 	support-ixfr <replaceable>boolean</replaceable>; // obsolete
 };
 </literallayout>
-</refsect1>
+  </refsect1>
 
-<refsect1>
-<title>TRUSTED-KEYS</title>
-<literallayout>
+  <refsect1>
+    <title>TRUSTED-KEYS</title>
+    <literallayout>
 trusted-keys {
 	<replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ... 
 };
 </literallayout>
-</refsect1>
+  </refsect1>
 
-<refsect1>
-<title>CONTROLS</title>
-<literallayout>
+  <refsect1>
+    <title>CONTROLS</title>
+    <literallayout>
 controls {
 	inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | * )
 		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>
@@ -139,11 +141,11 @@ controls {
 	unix <replaceable>unsupported</replaceable>; // not implemented
 };
 </literallayout>
-</refsect1>
+  </refsect1>
 
-<refsect1>
-<title>LOGGING</title>
-<literallayout>
+  <refsect1>
+    <title>LOGGING</title>
+    <literallayout>
 logging {
 	channel <replaceable>string</replaceable> {
 		file <replaceable>log_file</replaceable>;
@@ -158,11 +160,11 @@ logging {
 	category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
 };
 </literallayout>
-</refsect1>
+  </refsect1>
 
-<refsect1>
-<title>LWRES</title>
-<literallayout>
+  <refsect1>
+    <title>LWRES</title>
+    <literallayout>
 lwres {
 	listen-on <optional> port <replaceable>integer</replaceable> </optional> {
 		( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
@@ -172,11 +174,11 @@ lwres {
 	ndots <replaceable>integer</replaceable>;
 };
 </literallayout>
-</refsect1>
+  </refsect1>
 
-<refsect1>
-<title>OPTIONS</title>
-<literallayout>
+  <refsect1>
+    <title>OPTIONS</title>
+    <literallayout>
 options {
 	avoid-v4-udp-ports { <replaceable>port</replaceable>; ... };
 	avoid-v6-udp-ports { <replaceable>port</replaceable>; ... };
@@ -184,7 +186,6 @@ options {
 	coresize <replaceable>size</replaceable>;
 	datasize <replaceable>size</replaceable>;
 	directory <replaceable>quoted_string</replaceable>;
-	cache-file <replaceable>quoted_string</replaceable>; // test option
 	dump-file <replaceable>quoted_string</replaceable>;
 	files <replaceable>size</replaceable>;
 	heartbeat-interval <replaceable>integer</replaceable>;
@@ -232,8 +233,8 @@ options {
 	rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented
 	additional-from-auth <replaceable>boolean</replaceable>;
 	additional-from-cache <replaceable>boolean</replaceable>;
-	query-source <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	query-source-v6 <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+	query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+	query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	cleaning-interval <replaceable>integer</replaceable>;
 	min-roots <replaceable>integer</replaceable>; // not implemented
 	lame-ttl <replaceable>integer</replaceable>;
@@ -241,33 +242,52 @@ options {
 	max-cache-ttl <replaceable>integer</replaceable>;
 	transfer-format ( many-answers | one-answer );
 	max-cache-size <replaceable>size_no_default</replaceable>;
+	max-acache-size <replaceable>size_no_default</replaceable>;
+	clients-per-query <replaceable>number</replaceable>;
+	max-clients-per-query <replaceable>number</replaceable>;
 	check-names ( master | slave | response )
 		( fail | warn | ignore );
-	cache-file <replaceable>quoted_string</replaceable>;
+	check-mx ( fail | warn | ignore );
+	check-integrity <replaceable>boolean</replaceable>;
+	check-mx-cname ( fail | warn | ignore );
+	check-srv-cname ( fail | warn | ignore );
+	cache-file <replaceable>quoted_string</replaceable>; // test option
 	suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented
 	preferred-glue <replaceable>string</replaceable>;
 	dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> {
 		( <replaceable>quoted_string</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
 		<replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
 		<replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ...
-	}
+	};
 	edns-udp-size <replaceable>integer</replaceable>;
+	max-udp-size <replaceable>integer</replaceable>;
 	root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
 	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
 	dnssec-enable <replaceable>boolean</replaceable>;
+	dnssec-validation <replaceable>boolean</replaceable>;
 	dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
 	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
+	dnssec-accept-expired <replaceable>boolean</replaceable>;
+
+	empty-server <replaceable>string</replaceable>;
+	empty-contact <replaceable>string</replaceable>;
+	empty-zones-enable <replaceable>boolean</replaceable>;
+	disable-empty-zone <replaceable>string</replaceable>;
 
 	dialup <replaceable>dialuptype</replaceable>;
 	ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
 
 	allow-query { <replaceable>address_match_element</replaceable>; ... };
+	allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
 	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
+	allow-update { <replaceable>address_match_element</replaceable>; ... };
 	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
+	update-check-ksk <replaceable>boolean</replaceable>;
 
 	notify <replaceable>notifytype</replaceable>;
 	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+	notify-delay <replaceable>seconds</replaceable>;
 	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
 		<optional> port <replaceable>integer</replaceable> </optional>; ... };
 	allow-notify { <replaceable>address_match_element</replaceable>; ... };
@@ -302,6 +322,8 @@ options {
 
 	zone-statistics <replaceable>boolean</replaceable>;
 	key-directory <replaceable>quoted_string</replaceable>;
+	zero-no-soa-ttl <replaceable>boolean</replaceable>;
+	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
 
 	allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
 	deallocate-on-exit <replaceable>boolean</replaceable>; // obsolete
@@ -317,11 +339,11 @@ options {
 	use-id-pool <replaceable>boolean</replaceable>; // obsolete
 };
 </literallayout>
-</refsect1>
+  </refsect1>
 
-<refsect1>
-<title>VIEW</title>
-<literallayout>
+  <refsect1>
+    <title>VIEW</title>
+    <literallayout>
 view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
 	match-clients { <replaceable>address_match_element</replaceable>; ... };
 	match-destinations { <replaceable>address_match_element</replaceable>; ... };
@@ -336,7 +358,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 		...
 	};
 
-	server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) {
+	server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable> | <replaceable>ipv6_address<optional>/prefixlen</optional></replaceable> ) {
 		...
 	};
 
@@ -359,8 +381,8 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented
 	additional-from-auth <replaceable>boolean</replaceable>;
 	additional-from-cache <replaceable>boolean</replaceable>;
-	query-source <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	query-source-v6 <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+	query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+	query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	cleaning-interval <replaceable>integer</replaceable>;
 	min-roots <replaceable>integer</replaceable>; // not implemented
 	lame-ttl <replaceable>integer</replaceable>;
@@ -368,9 +390,16 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	max-cache-ttl <replaceable>integer</replaceable>;
 	transfer-format ( many-answers | one-answer );
 	max-cache-size <replaceable>size_no_default</replaceable>;
+	max-acache-size <replaceable>size_no_default</replaceable>;
+	clients-per-query <replaceable>number</replaceable>;
+	max-clients-per-query <replaceable>number</replaceable>;
 	check-names ( master | slave | response )
 		( fail | warn | ignore );
-	cache-file <replaceable>quoted_string</replaceable>;
+	check-mx ( fail | warn | ignore );
+	check-integrity <replaceable>boolean</replaceable>;
+	check-mx-cname ( fail | warn | ignore );
+	check-srv-cname ( fail | warn | ignore );
+	cache-file <replaceable>quoted_string</replaceable>; // test option
 	suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented
 	preferred-glue <replaceable>string</replaceable>;
 	dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> {
@@ -379,22 +408,34 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 		<replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ...
 	};
 	edns-udp-size <replaceable>integer</replaceable>;
+	max-udp-size <replaceable>integer</replaceable>;
 	root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
 	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
 	dnssec-enable <replaceable>boolean</replaceable>;
+	dnssec-validation <replaceable>boolean</replaceable>;
 	dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
-
 	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
+	dnssec-accept-expired <replaceable>boolean</replaceable>;
+
+	empty-server <replaceable>string</replaceable>;
+	empty-contact <replaceable>string</replaceable>;
+	empty-zones-enable <replaceable>boolean</replaceable>;
+	disable-empty-zone <replaceable>string</replaceable>;
+
 	dialup <replaceable>dialuptype</replaceable>;
 	ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
 
 	allow-query { <replaceable>address_match_element</replaceable>; ... };
+	allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
 	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
+	allow-update { <replaceable>address_match_element</replaceable>; ... };
 	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
+	update-check-ksk <replaceable>boolean</replaceable>;
 
 	notify <replaceable>notifytype</replaceable>;
 	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+	notify-delay <replaceable>seconds</replaceable>;
 	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
 		<optional> port <replaceable>integer</replaceable> </optional>; ... };
 	allow-notify { <replaceable>address_match_element</replaceable>; ... };
@@ -429,6 +470,8 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 
 	zone-statistics <replaceable>boolean</replaceable>;
 	key-directory <replaceable>quoted_string</replaceable>;
+	zero-no-soa-ttl <replaceable>boolean</replaceable>;
+	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
 
 	allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
 	fetch-glue <replaceable>boolean</replaceable>; // obsolete
@@ -436,11 +479,11 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
 };
 </literallayout>
-</refsect1>
+  </refsect1>
 
-<refsect1>
-<title>ZONE</title>
-<literallayout>
+  <refsect1>
+    <title>ZONE</title>
+    <literallayout>
 zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
 	type ( master | slave | stub | hint |
 		forward | delegation-only );
@@ -455,8 +498,14 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	database <replaceable>string</replaceable>;
 	delegation-only <replaceable>boolean</replaceable>;
 	check-names ( fail | warn | ignore );
+	check-mx ( fail | warn | ignore );
+	check-integrity <replaceable>boolean</replaceable>;
+	check-mx-cname ( fail | warn | ignore );
+	check-srv-cname ( fail | warn | ignore );
 	dialup <replaceable>dialuptype</replaceable>;
 	ixfr-from-differences <replaceable>boolean</replaceable>;
+	journal <replaceable>quoted_string</replaceable>;
+	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 
 	allow-query { <replaceable>address_match_element</replaceable>; ... };
 	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
@@ -467,10 +516,12 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 		( name | subdomain | wildcard | self ) <replaceable>string</replaceable>
 		<replaceable>rrtypelist</replaceable>; ...
 	};
+	update-check-ksk <replaceable>boolean</replaceable>;
 
 	notify <replaceable>notifytype</replaceable>;
 	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+	notify-delay <replaceable>seconds</replaceable>;
 	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
 		<optional> port <replaceable>integer</replaceable> </optional>; ... };
 	allow-notify { <replaceable>address_match_element</replaceable>; ... };
@@ -513,32 +564,29 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; // obsolete
 };
 </literallayout>
-</refsect1>
-
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/named.conf</filename>
-</para>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>BIND 9 Administrator Reference Manual</refentrytitle>
-</citerefentry>.
-</para>
-</refsect1>
-
-</refentry>
-<!--
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+    <para><filename>/etc/named.conf</filename>
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>BIND 9 Administrator Reference Manual</refentrytitle>
+      </citerefentry>.
+    </para>
+  </refsect1>
+
+</refentry><!--
  - Local variables:
  - mode: sgml
  - End:
diff --git a/contrib/bind9/bin/named/named.conf.html b/contrib/bind9/bin/named/named.conf.html
index b43ee7f..5cd449e 100644
--- a/contrib/bind9/bin/named/named.conf.html
+++ b/contrib/bind9/bin/named/named.conf.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -13,15 +13,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named.conf.html,v 1.1.4.15 2006/09/13 02:56:21 marka Exp $ -->
+<!-- $Id: named.conf.html,v 1.1.2.32 2007/01/30 00:23:44 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><code class="filename">named.conf</code> &#8212; configuration file for named</p>
@@ -31,33 +31,33 @@
 <div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549388"></a><h2>DESCRIPTION</h2>
-<p>
-	<code class="filename">named.conf</code> is the configuration file for
-	<span><strong class="command">named</strong></span>.  Statements are enclosed
-	in braces and terminated with a semi-colon.  Clauses in
-	the statements are also semi-colon terminated.  The usual
-	comment styles are supported:
+<a name="id2542042"></a><h2>DESCRIPTION</h2>
+<p><code class="filename">named.conf</code> is the configuration file
+      for
+      <span><strong class="command">named</strong></span>.  Statements are enclosed
+      in braces and terminated with a semi-colon.  Clauses in
+      the statements are also semi-colon terminated.  The usual
+      comment styles are supported:
     </p>
 <p>
-	C style: /* */
+      C style: /* */
     </p>
 <p>
-	C++ style: // to end of line
+      C++ style: // to end of line
     </p>
 <p>
-	Unix style: # to end of line
+      Unix style: # to end of line
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549417"></a><h2>ACL</h2>
+<a name="id2543367"></a><h2>ACL</h2>
 <div class="literallayout"><p><br>
 acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 <br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549433"></a><h2>KEY</h2>
+<a name="id2543383"></a><h2>KEY</h2>
 <div class="literallayout"><p><br>
 key <em class="replaceable"><code>domain_name</code></em> {<br>
 	algorithm <em class="replaceable"><code>string</code></em>;<br>
@@ -66,7 +66,7 @@ key <em class="replaceable"><code>domain_name</code></em> {<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549452"></a><h2>MASTERS</h2>
+<a name="id2543402"></a><h2>MASTERS</h2>
 <div class="literallayout"><p><br>
 masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
 	( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
@@ -75,11 +75,13 @@ masters <em class="replaceable"><code>string</code></em> [<span class="optional"
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549498"></a><h2>SERVER</h2>
+<a name="id2543448"></a><h2>SERVER</h2>
 <div class="literallayout"><p><br>
-server ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) {<br>
+server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
 	bogus <em class="replaceable"><code>boolean</code></em>;<br>
 	edns <em class="replaceable"><code>boolean</code></em>;<br>
+	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
 	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
 	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
 	keys <em class="replaceable"><code>server_key</code></em>;<br>
@@ -95,7 +97,7 @@ server ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="rep
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549556"></a><h2>TRUSTED-KEYS</h2>
+<a name="id2543516"></a><h2>TRUSTED-KEYS</h2>
 <div class="literallayout"><p><br>
 trusted-keys {<br>
 	<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@@ -103,7 +105,7 @@ trusted-keys {<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549581"></a><h2>CONTROLS</h2>
+<a name="id2543542"></a><h2>CONTROLS</h2>
 <div class="literallayout"><p><br>
 controls {<br>
 	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
@@ -115,7 +117,7 @@ controls {<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549617"></a><h2>LOGGING</h2>
+<a name="id2543577"></a><h2>LOGGING</h2>
 <div class="literallayout"><p><br>
 logging {<br>
 	channel <em class="replaceable"><code>string</code></em> {<br>
@@ -133,7 +135,7 @@ logging {<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549655"></a><h2>LWRES</h2>
+<a name="id2543616"></a><h2>LWRES</h2>
 <div class="literallayout"><p><br>
 lwres {<br>
 	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
@@ -146,7 +148,7 @@ lwres {<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549697"></a><h2>OPTIONS</h2>
+<a name="id2543657"></a><h2>OPTIONS</h2>
 <div class="literallayout"><p><br>
 options {<br>
 	avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
@@ -155,7 +157,6 @@ options {<br>
 	coresize <em class="replaceable"><code>size</code></em>;<br>
 	datasize <em class="replaceable"><code>size</code></em>;<br>
 	directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-	cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br>
 	dump-file <em class="replaceable"><code>quoted_string</code></em>;<br>
 	files <em class="replaceable"><code>size</code></em>;<br>
 	heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
@@ -203,8 +204,8 @@ options {<br>
 	rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
 	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
 	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+	query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+	query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
 	min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
 	lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
@@ -212,33 +213,52 @@ options {<br>
 	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	transfer-format ( many-answers | one-answer );<br>
 	max-cache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	max-acache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	clients-per-query <em class="replaceable"><code>number</code></em>;<br>
+	max-clients-per-query <em class="replaceable"><code>number</code></em>;<br>
 	check-names ( master | slave | response )<br>
 		( fail | warn | ignore );<br>
-	cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
+	check-mx ( fail | warn | ignore );<br>
+	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
+	check-mx-cname ( fail | warn | ignore );<br>
+	check-srv-cname ( fail | warn | ignore );<br>
+	cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br>
 	suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
 	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
 	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
 		( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
 		<em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
 		<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br>
-	}<br>
+	};<br>
 	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
 	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
 	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
 	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-lookaside <em class="replaceable"><code>string</code></em> trust-anchor <em class="replaceable"><code>string</code></em>;<br>
 	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
+<br>
+	empty-server <em class="replaceable"><code>string</code></em>;<br>
+	empty-contact <em class="replaceable"><code>string</code></em>;<br>
+	empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	disable-empty-zone <em class="replaceable"><code>string</code></em>;<br>
 <br>
 	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
 	ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
 <br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
 <br>
 	notify <em class="replaceable"><code>notifytype</code></em>;<br>
 	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
 	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
 		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -273,6 +293,8 @@ options {<br>
 <br>
 	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
 	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
+	zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
 <br>
 	allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br>
 	deallocate-on-exit <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
@@ -290,7 +312,7 @@ options {<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550312"></a><h2>VIEW</h2>
+<a name="id2544400"></a><h2>VIEW</h2>
 <div class="literallayout"><p><br>
 view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
 	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -306,7 +328,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 		...<br>
 	};<br>
 <br>
-	server ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) {<br>
+	server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
 		...<br>
 	};<br>
 <br>
@@ -329,8 +351,8 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 	rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
 	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
 	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+	query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+	query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
 	min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
 	lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
@@ -338,9 +360,16 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	transfer-format ( many-answers | one-answer );<br>
 	max-cache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	max-acache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	clients-per-query <em class="replaceable"><code>number</code></em>;<br>
+	max-clients-per-query <em class="replaceable"><code>number</code></em>;<br>
 	check-names ( master | slave | response )<br>
 		( fail | warn | ignore );<br>
-	cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
+	check-mx ( fail | warn | ignore );<br>
+	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
+	check-mx-cname ( fail | warn | ignore );<br>
+	check-srv-cname ( fail | warn | ignore );<br>
+	cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br>
 	suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
 	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
 	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
@@ -349,22 +378,34 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 		<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br>
 	};<br>
 	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
+	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
 	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
 	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
 	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-lookaside <em class="replaceable"><code>string</code></em> trust-anchor <em class="replaceable"><code>string</code></em>;<br>
-<br>
 	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
+	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
+<br>
+	empty-server <em class="replaceable"><code>string</code></em>;<br>
+	empty-contact <em class="replaceable"><code>string</code></em>;<br>
+	empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
+	disable-empty-zone <em class="replaceable"><code>string</code></em>;<br>
+<br>
 	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
 	ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
 <br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
 <br>
 	notify <em class="replaceable"><code>notifytype</code></em>;<br>
 	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
 	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
 		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -399,6 +440,8 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 <br>
 	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
 	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
+	zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
 <br>
 	allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br>
 	fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
@@ -408,7 +451,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550878"></a><h2>ZONE</h2>
+<a name="id2544964"></a><h2>ZONE</h2>
 <div class="literallayout"><p><br>
 zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
 	type ( master | slave | stub | hint |<br>
@@ -424,8 +467,14 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 	database <em class="replaceable"><code>string</code></em>;<br>
 	delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
 	check-names ( fail | warn | ignore );<br>
+	check-mx ( fail | warn | ignore );<br>
+	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
+	check-mx-cname ( fail | warn | ignore );<br>
+	check-srv-cname ( fail | warn | ignore );<br>
 	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
 	ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
+	journal <em class="replaceable"><code>quoted_string</code></em>;<br>
+	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
 <br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -436,10 +485,12 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 		( name | subdomain | wildcard | self ) <em class="replaceable"><code>string</code></em><br>
 		<em class="replaceable"><code>rrtypelist</code></em>; ...<br>
 	};<br>
+	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
 <br>
 	notify <em class="replaceable"><code>notifytype</code></em>;<br>
 	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
 	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
 		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -484,18 +535,16 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2551216"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/named.conf</code>
-</p>
+<a name="id2545316"></a><h2>FILES</h2>
+<p><code class="filename">/etc/named.conf</code>
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2551228"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-<span class="citerefentry"><span class="refentrytitle">BIND 9 Administrator Reference Manual</span></span>.
-</p>
+<a name="id2545328"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">BIND 9 Administrator Reference Manual</span></span>.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/bin/named/named.docbook b/contrib/bind9/bin/named/named.docbook
index f7cae12..f648b9d 100644
--- a/contrib/bind9/bin/named/named.docbook
+++ b/contrib/bind9/bin/named/named.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,8 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.docbook,v 1.5.98.7 2006/01/17 23:49:30 marka Exp $ -->
-
-<refentry>
+<!-- $Id: named.docbook,v 1.7.18.8 2007/01/29 23:57:20 marka Exp $ -->
+<refentry id="man.named">
   <refentryinfo>
     <date>June 30, 2000</date>
   </refentryinfo>
@@ -31,11 +30,17 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
+  <refnamediv>
+    <refname><application>named</application></refname>
+    <refpurpose>Internet domain name server</refpurpose>
+  </refnamediv>
+
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
       <year>2006</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -46,11 +51,6 @@
     </copyright>
   </docinfo>
 
-  <refnamediv>
-    <refname><application>named</application></refname>
-    <refpurpose>Internet domain name server</refpurpose>
-  </refnamediv>
-
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>named</command>
@@ -72,16 +72,17 @@
 
   <refsect1>
     <title>DESCRIPTION</title>
-    <para>
-	<command>named</command> is a Domain Name System (DNS) server,
-	part of the BIND 9 distribution from ISC.  For more
-	information on the DNS, see RFCs 1033, 1034, and 1035.
+    <para><command>named</command>
+      is a Domain Name System (DNS) server,
+      part of the BIND 9 distribution from ISC.  For more
+      information on the DNS, see RFCs 1033, 1034, and 1035.
     </para>
     <para>
-	When invoked without arguments, <command>named</command> will
-	read the default configuration file
-	<filename>/etc/named.conf</filename>, read any initial
-	data, and listen for queries.
+      When invoked without arguments, <command>named</command>
+      will
+      read the default configuration file
+      <filename>/etc/named.conf</filename>, read any initial
+      data, and listen for queries.
     </para>
   </refsect1>
 
@@ -90,189 +91,183 @@
 
     <variablelist>
       <varlistentry>
-	<term>-4</term>
-	<listitem>
-	  <para>
-		Use IPv4 only even if the host machine is capable of IPv6.
-		<option>-4</option> and <option>-6</option> are mutually
-		exclusive.
+        <term>-4</term>
+        <listitem>
+          <para>
+            Use IPv4 only even if the host machine is capable of IPv6.
+            <option>-4</option> and <option>-6</option> are mutually
+            exclusive.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-6</term>
-	<listitem>
-	  <para>
-		Use IPv6 only even if the host machine is capable of IPv4.
-		<option>-4</option> and <option>-6</option> are mutually
-		exclusive.
+        <term>-6</term>
+        <listitem>
+          <para>
+            Use IPv6 only even if the host machine is capable of IPv4.
+            <option>-4</option> and <option>-6</option> are mutually
+            exclusive.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
       <varlistentry>
-	<term>-c <replaceable class="parameter">config-file</replaceable></term>
-	<listitem>
-	  <para>
-		Use <replaceable
-		class="parameter">config-file</replaceable> as the
-		configuration file instead of the default,
-		<filename>/etc/named.conf</filename>.  To
-		ensure that reloading the configuration file continues
-		to work after the server has changed its working
-		directory due to to a possible
-		<option>directory</option> option in the configuration
-		file, <replaceable
-		class="parameter">config-file</replaceable> should be
-		an absolute pathname.
+        <term>-c <replaceable class="parameter">config-file</replaceable></term>
+        <listitem>
+          <para>
+            Use <replaceable class="parameter">config-file</replaceable> as the
+            configuration file instead of the default,
+            <filename>/etc/named.conf</filename>.  To
+            ensure that reloading the configuration file continues
+            to work after the server has changed its working
+            directory due to to a possible
+            <option>directory</option> option in the configuration
+            file, <replaceable class="parameter">config-file</replaceable> should be
+            an absolute pathname.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-d <replaceable class="parameter">debug-level</replaceable></term>
-	<listitem>
-	  <para>
-		Set the daemon's debug level to <replaceable
-		class="parameter">debug-level</replaceable>.
-		Debugging traces from <command>named</command> become
-		more verbose as the debug level increases.
+        <term>-d <replaceable class="parameter">debug-level</replaceable></term>
+        <listitem>
+          <para>
+            Set the daemon's debug level to <replaceable class="parameter">debug-level</replaceable>.
+            Debugging traces from <command>named</command> become
+            more verbose as the debug level increases.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-f</term>
-	<listitem>
-	  <para>
-		Run the server in the foreground (i.e. do not daemonize).
+        <term>-f</term>
+        <listitem>
+          <para>
+            Run the server in the foreground (i.e. do not daemonize).
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-g</term>
-	<listitem>
-	  <para>
-		Run the server in the foreground and force all logging
-		to <filename>stderr</filename>.
+        <term>-g</term>
+        <listitem>
+          <para>
+            Run the server in the foreground and force all logging
+            to <filename>stderr</filename>.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-n <replaceable class="parameter">#cpus</replaceable></term>
-	<listitem>
-	  <para>
-		Create <replaceable
-		class="parameter">#cpus</replaceable> worker threads
-		to take advantage of multiple CPUs.  If not specified,
-		<command>named</command> will try to determine the
-		number of CPUs present and create one thread per CPU.
-		If it is unable to determine the number of CPUs, a
-		single worker thread will be created.
+        <term>-n <replaceable class="parameter">#cpus</replaceable></term>
+        <listitem>
+          <para>
+            Create <replaceable class="parameter">#cpus</replaceable> worker threads
+            to take advantage of multiple CPUs.  If not specified,
+            <command>named</command> will try to determine the
+            number of CPUs present and create one thread per CPU.
+            If it is unable to determine the number of CPUs, a
+            single worker thread will be created.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-p <replaceable class="parameter">port</replaceable></term>
-	<listitem>
-	  <para>
-		Listen for queries on port <replaceable
-		class="parameter">port</replaceable>.  If not
-		specified, the default is port 53.
+        <term>-p <replaceable class="parameter">port</replaceable></term>
+        <listitem>
+          <para>
+            Listen for queries on port <replaceable class="parameter">port</replaceable>.  If not
+            specified, the default is port 53.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-s</term>
-	<listitem>
-	  <para>
-		Write memory usage statistics to <filename>stdout</filename> on exit.
+        <term>-s</term>
+        <listitem>
+          <para>
+            Write memory usage statistics to <filename>stdout</filename> on exit.
           </para>
-	  <note>
-	    <para>
-		This option is mainly of interest to BIND 9 developers
-		and may be removed or changed in a future release.
-	    </para>
-	  </note>
-	</listitem>
+          <note>
+            <para>
+              This option is mainly of interest to BIND 9 developers
+              and may be removed or changed in a future release.
+            </para>
+          </note>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-t <replaceable class="parameter">directory</replaceable></term>
-	<listitem>
-	  <para>
-		<function>chroot()</function> to <replaceable
-		class="parameter">directory</replaceable> after
-		processing the command line arguments, but before
-		reading the configuration file.
+        <term>-t <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para><function>chroot()</function>
+	    to <replaceable class="parameter">directory</replaceable> after
+            processing the command line arguments, but before
+            reading the configuration file.
           </para>
-	  <warning>
-	    <para>
-		This option should be used in conjunction with the
-		<option>-u</option> option, as chrooting a process
-		running as root doesn't enhance security on most
-		systems; the way <function>chroot()</function> is
-		defined allows a process with root privileges to
-		escape a chroot jail.
-	    </para>
-	  </warning>
-	</listitem>
+          <warning>
+            <para>
+              This option should be used in conjunction with the
+              <option>-u</option> option, as chrooting a process
+              running as root doesn't enhance security on most
+              systems; the way <function>chroot()</function> is
+              defined allows a process with root privileges to
+              escape a chroot jail.
+            </para>
+          </warning>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-u <replaceable class="parameter">user</replaceable></term>
-	<listitem>
-	  <para>
-		<function>setuid()</function> to <replaceable
-		class="parameter">user</replaceable> after completing
-		privileged operations, such as creating sockets that
-		listen on privileged ports.
+        <term>-u <replaceable class="parameter">user</replaceable></term>
+        <listitem>
+          <para><function>setuid()</function>
+	    to <replaceable class="parameter">user</replaceable> after completing
+            privileged operations, such as creating sockets that
+            listen on privileged ports.
           </para>
-	  <note>
-	    <para>
-		On Linux, <command>named</command> uses the kernel's
-		capability mechanism to drop all root privileges
-		except the ability to <function>bind()</function> to a
-		privileged port and set process resource limits.
-		Unfortunately, this means that the <option>-u</option>
-		option only works when <command>named</command> is run
-		on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
-		later, since previous kernels did not allow privileges
-		to be retained after <function>setuid()</function>.
-	    </para>
-	  </note>
-	</listitem>
+          <note>
+            <para>
+              On Linux, <command>named</command> uses the kernel's
+              		capability mechanism to drop all root privileges
+              except the ability to <function>bind()</function> to
+              a
+              privileged port and set process resource limits.
+              Unfortunately, this means that the <option>-u</option>
+              option only works when <command>named</command> is
+              run
+              on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
+              later, since previous kernels did not allow privileges
+              to be retained after <function>setuid()</function>.
+            </para>
+          </note>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-v</term>
-	<listitem>
-	  <para>
-		Report the version number and exit.
+        <term>-v</term>
+        <listitem>
+          <para>
+            Report the version number and exit.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>-x <replaceable class="parameter">cache-file</replaceable></term>
-	<listitem>
-	  <para>
-		Load data from <replaceable
-		class="parameter">cache-file</replaceable> into the
-		cache of the default view.
+        <term>-x <replaceable class="parameter">cache-file</replaceable></term>
+        <listitem>
+          <para>
+            Load data from <replaceable class="parameter">cache-file</replaceable> into the
+            cache of the default view.
           </para>
-	  <warning>
-	    <para>
-		This option must not be used.  It is only of interest
-		to BIND 9 developers and may be removed or changed in a
-		future release.
-	    </para>
-	  </warning>
-	</listitem>
+          <warning>
+            <para>
+              This option must not be used.  It is only of interest
+              to BIND 9 developers and may be removed or changed in a
+              future release.
+            </para>
+          </warning>
+        </listitem>
       </varlistentry>
 
     </variablelist>
@@ -282,35 +277,35 @@
   <refsect1>
     <title>SIGNALS</title>
     <para>
-	In routine operation, signals should not be used to control
-	the nameserver; <command>rndc</command> should be used
-	instead.
+      In routine operation, signals should not be used to control
+      the nameserver; <command>rndc</command> should be used
+      instead.
     </para>
 
     <variablelist>
 
       <varlistentry>
-	<term>SIGHUP</term>
-	<listitem>
-	  <para>
-		Force a reload of the server.
+        <term>SIGHUP</term>
+        <listitem>
+          <para>
+            Force a reload of the server.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>SIGINT, SIGTERM</term>
-	<listitem>
-	  <para>
-		Shut down the server.
+        <term>SIGINT, SIGTERM</term>
+        <listitem>
+          <para>
+            Shut down the server.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
     </variablelist>
 
     <para>
-	The result of sending any other signals to the server is undefined.
+      The result of sending any other signals to the server is undefined.
     </para>
 
   </refsect1>
@@ -318,10 +313,10 @@
   <refsect1>
     <title>CONFIGURATION</title>
     <para>
-	The <command>named</command> configuration file is too complex
-	to describe in detail here.  A complete description is
-	provided in the <citetitle>BIND 9 Administrator Reference
-	Manual</citetitle>.
+      The <command>named</command> configuration file is too complex
+      to describe in detail here.  A complete description is provided
+      in the
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
     </para>
   </refsect1>
 
@@ -331,21 +326,21 @@
     <variablelist>
 
       <varlistentry>
-	<term><filename>/etc/named.conf</filename></term>
-	<listitem>
-	  <para>
-		The default configuration file.
+        <term><filename>/etc/named.conf</filename></term>
+        <listitem>
+          <para>
+            The default configuration file.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
-	<term><filename>/var/run/named.pid</filename></term>
-	<listitem>
-	  <para>
-		The default process-id file.
+        <term><filename>/var/run/named.pid</filename></term>
+        <listitem>
+          <para>
+            The default process-id file.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
     </variablelist>
@@ -354,37 +349,32 @@
 
   <refsect1>
     <title>SEE ALSO</title>
-    <para>
-	<citetitle>RFC 1033</citetitle>,
-	<citetitle>RFC 1034</citetitle>,
-	<citetitle>RFC 1035</citetitle>,
-	<citerefentry>
-	  <refentrytitle>rndc</refentrytitle>
-	  <manvolnum>8</manvolnum>
-        </citerefentry>,
-	<citerefentry>
-	  <refentrytitle>lwresd</refentrytitle>
-	  <manvolnum>8</manvolnum>
-        </citerefentry>,
-	<citerefentry>
-	  <refentrytitle>named.conf</refentrytitle>
-	  <manvolnum>5</manvolnum>
-	</citerefentry>,
-	<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    <para><citetitle>RFC 1033</citetitle>,
+      <citetitle>RFC 1034</citetitle>,
+      <citetitle>RFC 1035</citetitle>,
+      <citerefentry>
+        <refentrytitle>rndc</refentrytitle>
+	<manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwresd</refentrytitle>
+	<manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>named.conf</refentrytitle>
+	<manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
     </para>
   </refsect1>
 
   <refsect1>
     <title>AUTHOR</title>
-    <para>
-	<corpauthor>Internet Systems Consortium</corpauthor>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
     </para>
   </refsect1>
 
-</refentry>
-
-
-<!--
+</refentry><!--
  - Local variables:
  - mode: sgml
  - End:
diff --git a/contrib/bind9/bin/named/named.html b/contrib/bind9/bin/named/named.html
index 6e77e5b..1839e4a 100644
--- a/contrib/bind9/bin/named/named.html
+++ b/contrib/bind9/bin/named/named.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named.html,v 1.4.2.1.4.13 2006/06/29 13:02:30 marka Exp $ -->
+<!-- $Id: named.html,v 1.6.18.18 2007/01/30 00:23:44 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="man.named"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">named</span> &#8212; Internet domain name server</p>
@@ -32,209 +32,210 @@
 <div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549491"></a><h2>DESCRIPTION</h2>
-<p>
-	<span><strong class="command">named</strong></span> is a Domain Name System (DNS) server,
-	part of the BIND 9 distribution from ISC.  For more
-	information on the DNS, see RFCs 1033, 1034, and 1035.
+<a name="id2543444"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">named</strong></span>
+      is a Domain Name System (DNS) server,
+      part of the BIND 9 distribution from ISC.  For more
+      information on the DNS, see RFCs 1033, 1034, and 1035.
     </p>
 <p>
-	When invoked without arguments, <span><strong class="command">named</strong></span> will
-	read the default configuration file
-	<code class="filename">/etc/named.conf</code>, read any initial
-	data, and listen for queries.
+      When invoked without arguments, <span><strong class="command">named</strong></span>
+      will
+      read the default configuration file
+      <code class="filename">/etc/named.conf</code>, read any initial
+      data, and listen for queries.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549516"></a><h2>OPTIONS</h2>
+<a name="id2543468"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-4</span></dt>
 <dd><p>
-		Use IPv4 only even if the host machine is capable of IPv6.
-		<code class="option">-4</code> and <code class="option">-6</code> are mutually
-		exclusive.
+            Use IPv4 only even if the host machine is capable of IPv6.
+            <code class="option">-4</code> and <code class="option">-6</code> are mutually
+            exclusive.
           </p></dd>
 <dt><span class="term">-6</span></dt>
 <dd><p>
-		Use IPv6 only even if the host machine is capable of IPv4.
-		<code class="option">-4</code> and <code class="option">-6</code> are mutually
-		exclusive.
+            Use IPv6 only even if the host machine is capable of IPv4.
+            <code class="option">-4</code> and <code class="option">-6</code> are mutually
+            exclusive.
           </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
 <dd><p>
-		Use <em class="replaceable"><code>config-file</code></em> as the
-		configuration file instead of the default,
-		<code class="filename">/etc/named.conf</code>.  To
-		ensure that reloading the configuration file continues
-		to work after the server has changed its working
-		directory due to to a possible
-		<code class="option">directory</code> option in the configuration
-		file, <em class="replaceable"><code>config-file</code></em> should be
-		an absolute pathname.
+            Use <em class="replaceable"><code>config-file</code></em> as the
+            configuration file instead of the default,
+            <code class="filename">/etc/named.conf</code>.  To
+            ensure that reloading the configuration file continues
+            to work after the server has changed its working
+            directory due to to a possible
+            <code class="option">directory</code> option in the configuration
+            file, <em class="replaceable"><code>config-file</code></em> should be
+            an absolute pathname.
           </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
 <dd><p>
-		Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
-		Debugging traces from <span><strong class="command">named</strong></span> become
-		more verbose as the debug level increases.
+            Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
+            Debugging traces from <span><strong class="command">named</strong></span> become
+            more verbose as the debug level increases.
           </p></dd>
 <dt><span class="term">-f</span></dt>
 <dd><p>
-		Run the server in the foreground (i.e. do not daemonize).
+            Run the server in the foreground (i.e. do not daemonize).
           </p></dd>
 <dt><span class="term">-g</span></dt>
 <dd><p>
-		Run the server in the foreground and force all logging
-		to <code class="filename">stderr</code>.
+            Run the server in the foreground and force all logging
+            to <code class="filename">stderr</code>.
           </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
 <dd><p>
-		Create <em class="replaceable"><code>#cpus</code></em> worker threads
-		to take advantage of multiple CPUs.  If not specified,
-		<span><strong class="command">named</strong></span> will try to determine the
-		number of CPUs present and create one thread per CPU.
-		If it is unable to determine the number of CPUs, a
-		single worker thread will be created.
+            Create <em class="replaceable"><code>#cpus</code></em> worker threads
+            to take advantage of multiple CPUs.  If not specified,
+            <span><strong class="command">named</strong></span> will try to determine the
+            number of CPUs present and create one thread per CPU.
+            If it is unable to determine the number of CPUs, a
+            single worker thread will be created.
           </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
 <dd><p>
-		Listen for queries on port <em class="replaceable"><code>port</code></em>.  If not
-		specified, the default is port 53.
+            Listen for queries on port <em class="replaceable"><code>port</code></em>.  If not
+            specified, the default is port 53.
           </p></dd>
 <dt><span class="term">-s</span></dt>
 <dd>
 <p>
-		Write memory usage statistics to <code class="filename">stdout</code> on exit.
+            Write memory usage statistics to <code class="filename">stdout</code> on exit.
           </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
-		This option is mainly of interest to BIND 9 developers
-		and may be removed or changed in a future release.
-	    </p>
+              This option is mainly of interest to BIND 9 developers
+              and may be removed or changed in a future release.
+            </p>
 </div>
 </dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
 <dd>
-<p>
-		<code class="function">chroot()</code> to <em class="replaceable"><code>directory</code></em> after
-		processing the command line arguments, but before
-		reading the configuration file.
+<p><code class="function">chroot()</code>
+	    to <em class="replaceable"><code>directory</code></em> after
+            processing the command line arguments, but before
+            reading the configuration file.
           </p>
 <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
 <p>
-		This option should be used in conjunction with the
-		<code class="option">-u</code> option, as chrooting a process
-		running as root doesn't enhance security on most
-		systems; the way <code class="function">chroot()</code> is
-		defined allows a process with root privileges to
-		escape a chroot jail.
-	    </p>
+              This option should be used in conjunction with the
+              <code class="option">-u</code> option, as chrooting a process
+              running as root doesn't enhance security on most
+              systems; the way <code class="function">chroot()</code> is
+              defined allows a process with root privileges to
+              escape a chroot jail.
+            </p>
 </div>
 </dd>
 <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
 <dd>
-<p>
-		<code class="function">setuid()</code> to <em class="replaceable"><code>user</code></em> after completing
-		privileged operations, such as creating sockets that
-		listen on privileged ports.
+<p><code class="function">setuid()</code>
+	    to <em class="replaceable"><code>user</code></em> after completing
+            privileged operations, such as creating sockets that
+            listen on privileged ports.
           </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
-		On Linux, <span><strong class="command">named</strong></span> uses the kernel's
-		capability mechanism to drop all root privileges
-		except the ability to <code class="function">bind()</code> to a
-		privileged port and set process resource limits.
-		Unfortunately, this means that the <code class="option">-u</code>
-		option only works when <span><strong class="command">named</strong></span> is run
-		on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
-		later, since previous kernels did not allow privileges
-		to be retained after <code class="function">setuid()</code>.
-	    </p>
+              On Linux, <span><strong class="command">named</strong></span> uses the kernel's
+              		capability mechanism to drop all root privileges
+              except the ability to <code class="function">bind()</code> to
+              a
+              privileged port and set process resource limits.
+              Unfortunately, this means that the <code class="option">-u</code>
+              option only works when <span><strong class="command">named</strong></span> is
+              run
+              on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
+              later, since previous kernels did not allow privileges
+              to be retained after <code class="function">setuid()</code>.
+            </p>
 </div>
 </dd>
 <dt><span class="term">-v</span></dt>
 <dd><p>
-		Report the version number and exit.
+            Report the version number and exit.
           </p></dd>
 <dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
 <dd>
 <p>
-		Load data from <em class="replaceable"><code>cache-file</code></em> into the
-		cache of the default view.
+            Load data from <em class="replaceable"><code>cache-file</code></em> into the
+            cache of the default view.
           </p>
 <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
 <p>
-		This option must not be used.  It is only of interest
-		to BIND 9 developers and may be removed or changed in a
-		future release.
-	    </p>
+              This option must not be used.  It is only of interest
+              to BIND 9 developers and may be removed or changed in a
+              future release.
+            </p>
 </div>
 </dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550002"></a><h2>SIGNALS</h2>
+<a name="id2543813"></a><h2>SIGNALS</h2>
 <p>
-	In routine operation, signals should not be used to control
-	the nameserver; <span><strong class="command">rndc</strong></span> should be used
-	instead.
+      In routine operation, signals should not be used to control
+      the nameserver; <span><strong class="command">rndc</strong></span> should be used
+      instead.
     </p>
 <div class="variablelist"><dl>
 <dt><span class="term">SIGHUP</span></dt>
 <dd><p>
-		Force a reload of the server.
+            Force a reload of the server.
           </p></dd>
 <dt><span class="term">SIGINT, SIGTERM</span></dt>
 <dd><p>
-		Shut down the server.
+            Shut down the server.
           </p></dd>
 </dl></div>
 <p>
-	The result of sending any other signals to the server is undefined.
+      The result of sending any other signals to the server is undefined.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550049"></a><h2>CONFIGURATION</h2>
+<a name="id2543861"></a><h2>CONFIGURATION</h2>
 <p>
-	The <span><strong class="command">named</strong></span> configuration file is too complex
-	to describe in detail here.  A complete description is
-	provided in the <em class="citetitle">BIND 9 Administrator Reference
-	Manual</em>.
+      The <span><strong class="command">named</strong></span> configuration file is too complex
+      to describe in detail here.  A complete description is provided
+      in the
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550066"></a><h2>FILES</h2>
+<a name="id2543878"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
 <dd><p>
-		The default configuration file.
+            The default configuration file.
           </p></dd>
 <dt><span class="term"><code class="filename">/var/run/named.pid</code></span></dt>
 <dd><p>
-		The default process-id file.
+            The default process-id file.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550105"></a><h2>SEE ALSO</h2>
-<p>
-	<em class="citetitle">RFC 1033</em>,
-	<em class="citetitle">RFC 1034</em>,
-	<em class="citetitle">RFC 1035</em>,
-	<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-	<span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
-	<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
-	<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+<a name="id2543917"></a><h2>SEE ALSO</h2>
+<p><em class="citetitle">RFC 1033</em>,
+      <em class="citetitle">RFC 1034</em>,
+      <em class="citetitle">RFC 1035</em>,
+      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550157"></a><h2>AUTHOR</h2>
-<p>
-	<span class="corpauthor">Internet Systems Consortium</span>
+<a name="id2543969"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div></body>
diff --git a/contrib/bind9/bin/named/notify.c b/contrib/bind9/bin/named/notify.c
index e3c5b2a..db2be71 100644
--- a/contrib/bind9/bin/named/notify.c
+++ b/contrib/bind9/bin/named/notify.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: notify.c,v 1.24.2.2.2.7 2004/08/28 06:25:30 marka Exp $ */
+/* $Id: notify.c,v 1.30.18.3 2005/04/29 00:15:26 marka Exp $ */
 
 #include <config.h>
 
@@ -32,8 +32,9 @@
 #include <named/log.h>
 #include <named/notify.h>
 
-/*
- * This module implements notify as in RFC 1996.
+/*! \file
+ * \brief
+ * This module implements notify as in RFC1996.
  */
 
 static void
diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c
index c0a76a8..f30c07c 100644
--- a/contrib/bind9/bin/named/query.c
+++ b/contrib/bind9/bin/named/query.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.198.2.13.4.43 2006/08/31 03:57:11 marka Exp $ */
+/* $Id: query.c,v 1.257.18.36.12.1 2007/04/30 01:10:19 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -27,8 +29,13 @@
 #include <dns/adb.h>
 #include <dns/byaddr.h>
 #include <dns/db.h>
+#ifdef DLZ
+#include <dns/dlz.h>
+#endif
+#include <dns/dnssec.h>
 #include <dns/events.h>
 #include <dns/message.h>
+#include <dns/ncache.h>
 #include <dns/order.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
@@ -51,24 +58,34 @@
 #include <named/sortlist.h>
 #include <named/xfrout.h>
 
+/*% Partial answer? */
 #define PARTIALANSWER(c)	(((c)->query.attributes & \
 				  NS_QUERYATTR_PARTIALANSWER) != 0)
+/*% Use Cache? */
 #define USECACHE(c)		(((c)->query.attributes & \
 				  NS_QUERYATTR_CACHEOK) != 0)
+/*% Recursion OK? */
 #define RECURSIONOK(c)		(((c)->query.attributes & \
 				  NS_QUERYATTR_RECURSIONOK) != 0)
+/*% Recursing? */
 #define RECURSING(c)		(((c)->query.attributes & \
 				  NS_QUERYATTR_RECURSING) != 0)
+/*% Cache glue ok? */
 #define CACHEGLUEOK(c)		(((c)->query.attributes & \
 				  NS_QUERYATTR_CACHEGLUEOK) != 0)
+/*% Want Recursion? */
 #define WANTRECURSION(c)	(((c)->query.attributes & \
 				  NS_QUERYATTR_WANTRECURSION) != 0)
+/*% Want DNSSEC? */
 #define WANTDNSSEC(c)		(((c)->attributes & \
 				  NS_CLIENTATTR_WANTDNSSEC) != 0)
+/*% No authority? */
 #define NOAUTHORITY(c)		(((c)->query.attributes & \
 				  NS_QUERYATTR_NOAUTHORITY) != 0)
+/*% No additional? */
 #define NOADDITIONAL(c)		(((c)->query.attributes & \
 				  NS_QUERYATTR_NOADDITIONAL) != 0)
+/*% Secure? */
 #define SECURE(c)		(((c)->query.attributes & \
 				  NS_QUERYATTR_SECURE) != 0)
 
@@ -92,10 +109,19 @@
 #define DNS_GETDB_NOLOG 0x02U
 #define DNS_GETDB_PARTIAL 0x04U
 
+typedef struct client_additionalctx {
+	ns_client_t *client;
+	dns_rdataset_t *rdataset;
+} client_additionalctx_t;
+
 static void
 query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
 
-/*
+static isc_boolean_t
+validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
+	 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+
+/*%
  * Increment query statistics counters.
  */
 static inline void
@@ -144,7 +170,12 @@ query_error(ns_client_t *client, isc_result_t result) {
 
 static void
 query_next(ns_client_t *client, isc_result_t result) {
-	inc_stats(client, dns_statscounter_failure);
+	if (result == DNS_R_DUPLICATE)
+		inc_stats(client, dns_statscounter_duplicate);
+	else if (result == DNS_R_DROP)
+		inc_stats(client, dns_statscounter_dropped);
+	else
+		inc_stats(client, dns_statscounter_failure);
 	ns_client_next(client, result);
 }
 
@@ -187,7 +218,7 @@ query_reset(ns_client_t *client, isc_boolean_t everything) {
 	isc_buffer_t *dbuf, *dbuf_next;
 	ns_dbversion_t *dbversion, *dbversion_next;
 
-	/*
+	/*%
 	 * Reset the query state of a client to its default state.
 	 */
 
@@ -266,7 +297,7 @@ query_newnamebuf(ns_client_t *client) {
 	isc_result_t result;
 
 	CTRACE("query_newnamebuf");
-	/*
+	/*%
 	 * Allocate a name buffer.
 	 */
 
@@ -289,7 +320,7 @@ query_getnamebuf(ns_client_t *client) {
 	isc_region_t r;
 
 	CTRACE("query_getnamebuf");
-	/*
+	/*%
 	 * Return a name buffer with space for a maximal name, allocating
 	 * a new one if necessary.
 	 */
@@ -325,7 +356,7 @@ query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
 	isc_region_t r;
 
 	CTRACE("query_keepname");
-	/*
+	/*%
 	 * 'name' is using space in 'dbuf', but 'dbuf' has not yet been
 	 * adjusted to take account of that.  We do the adjustment.
 	 */
@@ -342,7 +373,7 @@ static inline void
 query_releasename(ns_client_t *client, dns_name_t **namep) {
 	dns_name_t *name = *namep;
 
-	/*
+	/*%
 	 * 'name' is no longer needed.  Return it to our pool of temporary
 	 * names.  If it is using a name buffer, relinquish its exclusive
 	 * rights on the buffer.
@@ -479,7 +510,7 @@ ns_query_init(ns_client_t *client) {
 	client->query.authdb = NULL;
 	client->query.authzone = NULL;
 	client->query.authdbset = ISC_FALSE;
-	client->query.isreferral = ISC_FALSE;	
+	client->query.isreferral = ISC_FALSE;
 	query_reset(client, ISC_FALSE);
 	result = query_newdbversion(client, 3);
 	if (result != ISC_R_SUCCESS) {
@@ -499,7 +530,7 @@ query_findversion(ns_client_t *client, dns_db_t *db,
 {
 	ns_dbversion_t *dbversion;
 
-	/*
+	/*%
 	 * We may already have done a query related to this
 	 * database.  If so, we must be sure to make subsequent
 	 * queries from the same version.
@@ -532,42 +563,23 @@ query_findversion(ns_client_t *client, dns_db_t *db,
 }
 
 static inline isc_result_t
-query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
-		unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
-		dns_dbversion_t **versionp)
+query_validatezonedb(ns_client_t *client, dns_name_t *name,
+		     dns_rdatatype_t qtype, unsigned int options,
+		     dns_zone_t *zone, dns_db_t *db,
+		     dns_dbversion_t **versionp)
 {
 	isc_result_t result;
 	isc_boolean_t check_acl, new_zone;
 	dns_acl_t *queryacl;
 	ns_dbversion_t *dbversion;
-	unsigned int ztoptions;
-	dns_zone_t *zone = NULL;
-	dns_db_t *db = NULL;
-	isc_boolean_t partial = ISC_FALSE;
 
-	REQUIRE(zonep != NULL && *zonep == NULL);
-	REQUIRE(dbp != NULL && *dbp == NULL);
-
-	/*
-	 * Find a zone database to answer the query.
-	 */
-	ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ?
-		DNS_ZTFIND_NOEXACT : 0;
-
-	result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
-			     &zone);
-	if (result == DNS_R_PARTIALMATCH)
-		partial = ISC_TRUE;
-	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
-		result = dns_zone_getdb(zone, &db);
-
-	if (result != ISC_R_SUCCESS)		
-		goto fail;
+	REQUIRE(zone != NULL);
+	REQUIRE(db != NULL);
 
 	/*
 	 * This limits our searching to the zone where the first name
 	 * (the query target) was looked for.  This prevents following
-	 * CNAMES or DNAMES into other zones and prevents returning 
+	 * CNAMES or DNAMES into other zones and prevents returning
 	 * additional data from other zones.
 	 */
 	if (!client->view->additionalfromauth &&
@@ -644,7 +656,7 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 						      ISC_LOG_DEBUG(3),
 						      "%s approved", msg);
 				}
-		    	} else {
+			} else {
 				ns_client_aclmsg("query", name, qtype,
 						 client->view->rdclass,
 						 msg, sizeof(msg));
@@ -683,17 +695,63 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 	 */
 	dbversion->queryok = ISC_TRUE;
 
+	/* Transfer ownership, if necessary. */
+	if (versionp != NULL)
+		*versionp = dbversion->version;
+
+	return (ISC_R_SUCCESS);
+
+ refuse:
+	return (DNS_R_REFUSED);
+
+ fail:
+	return (result);
+}
+
+static inline isc_result_t
+query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
+		unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
+		dns_dbversion_t **versionp)
+{
+	isc_result_t result;
+	unsigned int ztoptions;
+	dns_zone_t *zone = NULL;
+	dns_db_t *db = NULL;
+	isc_boolean_t partial = ISC_FALSE;
+
+	REQUIRE(zonep != NULL && *zonep == NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	/*%
+	 * Find a zone database to answer the query.
+	 */
+	ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ?
+		DNS_ZTFIND_NOEXACT : 0;
+
+	result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
+			     &zone);
+	if (result == DNS_R_PARTIALMATCH)
+		partial = ISC_TRUE;
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+		result = dns_zone_getdb(zone, &db);
+
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = query_validatezonedb(client, name, qtype, options, zone, db,
+				      versionp);
+
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
 	/* Transfer ownership. */
 	*zonep = zone;
 	*dbp = db;
-	*versionp = dbversion->version;
 
 	if (partial && (options & DNS_GETDB_PARTIAL) != 0)
 		return (DNS_R_PARTIALMATCH);
 	return (ISC_R_SUCCESS);
 
- refuse:
-	result = DNS_R_REFUSED;
  fail:
 	if (zone != NULL)
 		dns_zone_detach(&zone);
@@ -713,7 +771,7 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 
 	REQUIRE(dbp != NULL && *dbp == NULL);
 
-	/*
+	/*%
 	 * Find a cache database to answer the query.
 	 * This may fail with DNS_R_REFUSED if the client
 	 * is not allowed to use the cache.
@@ -745,7 +803,7 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 	if (check_acl) {
 		isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
 		char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
-		
+
 		result = ns_client_checkaclsilent(client,
 						  client->view->queryacl,
 						  ISC_TRUE);
@@ -811,9 +869,85 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 {
 	isc_result_t result;
 
+#ifdef DLZ
+	isc_result_t tresult;
+	unsigned int namelabels;
+	unsigned int zonelabels;
+	dns_zone_t *zone = NULL;
+	dns_db_t *tdbp;
+
+	REQUIRE(zonep != NULL && *zonep == NULL);
+
+	tdbp = NULL;
+
+	/* Calculate how many labels are in name. */
+	namelabels = dns_name_countlabels(name);
+	zonelabels = 0;
+
+	/* Try to find name in bind's standard database. */
+	result = query_getzonedb(client, name, qtype, options, &zone,
+				 dbp, versionp);
+
+	/* See how many labels are in the zone's name.	  */
+	if (result == ISC_R_SUCCESS && zone != NULL)
+		zonelabels = dns_name_countlabels(dns_zone_getorigin(zone));
+	/*
+	 * If # zone labels < # name labels, try to find an even better match
+	 * Only try if a DLZ driver is loaded for this view
+	 */
+	if (zonelabels < namelabels && client->view->dlzdatabase != NULL) {
+		tresult = dns_dlzfindzone(client->view, name,
+					  zonelabels, &tdbp);
+		 /* If we successful, we found a better match. */
+		if (tresult == ISC_R_SUCCESS) {
+			/*
+			 * If the previous search returned a zone, detach it.
+			 */
+			if (zone != NULL)
+				dns_zone_detach(&zone);
+
+			/*
+			 * If the previous search returned a database,
+			 * detach it.
+			 */
+			if (*dbp != NULL)
+				dns_db_detach(dbp);
+
+			/*
+			 * If the previous search returned a version, clear it.
+			 */
+			*versionp = NULL;
+
+			/*
+			 * Get our database version.
+			 */
+			dns_db_currentversion(tdbp, versionp);
+
+			/*
+			 * Be sure to return our database.
+			 */
+			*dbp = tdbp;
+
+			/*
+			 * We return a null zone, No stats for DLZ zones.
+			 */
+			zone = NULL;
+			result = tresult;
+		}
+	}
+#else
 	result = query_getzonedb(client, name, qtype, options,
 				 zonep, dbp, versionp);
+#endif
+
+	/* If successfull, Transfer ownership of zone. */
 	if (result == ISC_R_SUCCESS) {
+#ifdef DLZ
+		*zonep = zone;
+#endif
+		/*
+		 * If neither attempt above succeeded, return the cache instead
+		 */
 		*is_zonep = ISC_TRUE;
 	} else if (result == ISC_R_NOTFOUND) {
 		result = query_getcachedb(client, name, qtype, dbp, options);
@@ -975,10 +1109,23 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 		 * Most likely the client isn't allowed to query the cache.
 		 */
 		goto try_glue;
-
-	result = dns_db_find(db, name, version, type,  client->query.dboptions,
+	/*
+	 * Attempt to validate glue.
+	 */
+	if (sigrdataset == NULL) {
+		sigrdataset = query_newrdataset(client);
+		if (sigrdataset == NULL)
+			goto cleanup;
+	}
+	result = dns_db_find(db, name, version, type,
+			     client->query.dboptions | DNS_DBFIND_GLUEOK,
 			     client->now, &node, fname, rdataset,
 			     sigrdataset);
+	if (result == DNS_R_GLUE &&
+	    validate(client, db, fname, rdataset, sigrdataset))
+		result = ISC_R_SUCCESS;
+	if (!WANTDNSSEC(client))
+		query_putrdataset(client, &sigrdataset);
 	if (result == ISC_R_SUCCESS)
 		goto found;
 
@@ -1192,7 +1339,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	 * recursing to add address records, which in turn can cause
 	 * recursion to add KEYs.
 	 */
- 	if (type == dns_rdatatype_srv && trdataset != NULL) {
+	if (type == dns_rdatatype_srv && trdataset != NULL) {
 		/*
 		 * If we're adding SRV records to the additional data
 		 * section, it's helpful if we add the SRV additional data
@@ -1222,9 +1369,523 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 }
 
 static inline void
+query_discardcache(ns_client_t *client, dns_rdataset_t *rdataset_base,
+		   dns_rdatasetadditional_t additionaltype,
+		   dns_rdatatype_t type, dns_zone_t **zonep, dns_db_t **dbp,
+		   dns_dbversion_t **versionp, dns_dbnode_t **nodep,
+		   dns_name_t *fname)
+{
+	dns_rdataset_t *rdataset;
+
+	while  ((rdataset = ISC_LIST_HEAD(fname->list)) != NULL) {
+		ISC_LIST_UNLINK(fname->list, rdataset, link);
+		query_putrdataset(client, &rdataset);
+	}
+	if (*versionp != NULL)
+		dns_db_closeversion(*dbp, versionp, ISC_FALSE);
+	if (*nodep != NULL)
+		dns_db_detachnode(*dbp, nodep);
+	if (*dbp != NULL)
+		dns_db_detach(dbp);
+	if (*zonep != NULL)
+		dns_zone_detach(zonep);
+	(void)dns_rdataset_putadditional(client->view->acache, rdataset_base,
+					 additionaltype, type);
+}
+
+static inline isc_result_t
+query_iscachevalid(dns_zone_t *zone, dns_db_t *db, dns_db_t *db0,
+		   dns_dbversion_t *version)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_dbversion_t *version_current = NULL;
+	dns_db_t *db_current = db0;
+
+	if (db_current == NULL) {
+		result = dns_zone_getdb(zone, &db_current);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	dns_db_currentversion(db_current, &version_current);
+	if (db_current != db || version_current != version) {
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+ cleanup:
+	dns_db_closeversion(db_current, &version_current, ISC_FALSE);
+	if (db0 == NULL && db_current != NULL)
+		dns_db_detach(&db_current);
+
+	return (result);
+}
+
+static isc_result_t
+query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
+	client_additionalctx_t *additionalctx = arg;
+	dns_rdataset_t *rdataset_base;
+	ns_client_t *client;
+	isc_result_t result, eresult;
+	dns_dbnode_t *node, *cnode;
+	dns_db_t *db, *cdb;
+	dns_name_t *fname, *mname0, cfname;
+	dns_rdataset_t *rdataset, *sigrdataset;
+	dns_rdataset_t *crdataset, *crdataset_next;
+	isc_buffer_t *dbuf;
+	isc_buffer_t b;
+	dns_dbversion_t *version, *cversion;
+	isc_boolean_t added_something, need_addname, needadditionalcache;
+	isc_boolean_t need_sigrrset;
+	dns_zone_t *zone;
+	dns_rdatatype_t type;
+	dns_rdatasetadditional_t additionaltype;
+
+	if (qtype != dns_rdatatype_a) {
+		/*
+		 * This function is optimized for "address" types.  For other
+		 * types, use a generic routine.
+		 * XXX: ideally, this function should be generic enough.
+		 */
+		return (query_addadditional(additionalctx->client,
+					    name, qtype));
+	}
+
+	/*
+	 * Initialization.
+	 */
+	rdataset_base = additionalctx->rdataset;
+	client = additionalctx->client;
+	REQUIRE(NS_CLIENT_VALID(client));
+	eresult = ISC_R_SUCCESS;
+	fname = NULL;
+	rdataset = NULL;
+	sigrdataset = NULL;
+	db = NULL;
+	cdb = NULL;
+	version = NULL;
+	cversion = NULL;
+	node = NULL;
+	cnode = NULL;
+	added_something = ISC_FALSE;
+	need_addname = ISC_FALSE;
+	zone = NULL;
+	needadditionalcache = ISC_FALSE;
+	additionaltype = dns_rdatasetadditional_fromauth;
+	dns_name_init(&cfname, NULL);
+
+	CTRACE("query_addadditional2");
+
+	/*
+	 * We treat type A additional section processing as if it
+	 * were "any address type" additional section processing.
+	 * To avoid multiple lookups, we do an 'any' database
+	 * lookup and iterate over the node.
+	 * XXXJT: this approach can cause a suboptimal result when the cache
+	 * DB only has partial address types and the glue DB has remaining
+	 * ones.
+	 */
+	type = dns_rdatatype_any;
+
+	/*
+	 * Get some resources.
+	 */
+	dbuf = query_getnamebuf(client);
+	if (dbuf == NULL)
+		goto cleanup;
+	fname = query_newname(client, dbuf, &b);
+	if (fname == NULL)
+		goto cleanup;
+	dns_name_setbuffer(&cfname, &b); /* share the buffer */
+
+	/* Check additional cache */
+	result = dns_rdataset_getadditional(rdataset_base, additionaltype,
+					    type, client->view->acache, &zone,
+					    &cdb, &cversion, &cnode, &cfname,
+					    client->message, client->now);
+	if (result != ISC_R_SUCCESS)
+		goto findauthdb;
+	if (zone == NULL) {
+		CTRACE("query_addadditional2: auth zone not found");
+		goto try_cache;
+	}
+
+	/* Is the cached DB up-to-date? */
+	result = query_iscachevalid(zone, cdb, NULL, cversion);
+	if (result != ISC_R_SUCCESS) {
+		CTRACE("query_addadditional2: old auth additional cache");
+		query_discardcache(client, rdataset_base, additionaltype,
+				   type, &zone, &cdb, &cversion, &cnode,
+				   &cfname);
+		goto findauthdb;
+	}
+
+	if (cnode == NULL) {
+		/*
+		 * We have a negative cache.  We don't have to check the zone
+		 * ACL, since the result (not using this zone) would be same
+		 * regardless of the result.
+		 */
+		CTRACE("query_addadditional2: negative auth additional cache");
+		dns_db_closeversion(cdb, &cversion, ISC_FALSE);
+		dns_db_detach(&cdb);
+		dns_zone_detach(&zone);
+		goto try_cache;
+	}
+
+	result = query_validatezonedb(client, name, qtype, DNS_GETDB_NOLOG,
+				      zone, cdb, NULL);
+	if (result != ISC_R_SUCCESS) {
+		query_discardcache(client, rdataset_base, additionaltype,
+				   type, &zone, &cdb, &cversion, &cnode,
+				   &cfname);
+		goto try_cache;
+	}
+
+	/* We've got an active cache. */
+	CTRACE("query_addadditional2: auth additional cache");
+	dns_db_closeversion(cdb, &cversion, ISC_FALSE);
+	db = cdb;
+	node = cnode;
+	dns_name_clone(&cfname, fname);
+	query_keepname(client, fname, dbuf);
+	goto foundcache;
+
+	/*
+	 * Look for a zone database that might contain authoritative
+	 * additional data.
+	 */
+ findauthdb:
+	result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
+				 &zone, &db, &version);
+	if (result != ISC_R_SUCCESS) {
+		/* Cache the negative result */
+		(void)dns_rdataset_setadditional(rdataset_base, additionaltype,
+						 type, client->view->acache,
+						 NULL, NULL, NULL, NULL,
+						 NULL);
+		goto try_cache;
+	}
+
+	CTRACE("query_addadditional2: db_find");
+
+	/*
+	 * Since we are looking for authoritative data, we do not set
+	 * the GLUEOK flag.  Glue will be looked for later, but not
+	 * necessarily in the same database.
+	 */
+	node = NULL;
+	result = dns_db_find(db, name, version, type, client->query.dboptions,
+			     client->now, &node, fname, NULL, NULL);
+	if (result == ISC_R_SUCCESS)
+		goto found;
+
+	/* Cache the negative result */
+	(void)dns_rdataset_setadditional(rdataset_base, additionaltype,
+					 type, client->view->acache, zone, db,
+					 version, NULL, fname);
+
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	version = NULL;
+	dns_db_detach(&db);
+
+	/*
+	 * No authoritative data was found.  The cache is our next best bet.
+	 */
+
+ try_cache:
+	additionaltype = dns_rdatasetadditional_fromcache;
+	result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
+	if (result != ISC_R_SUCCESS)
+		/*
+		 * Most likely the client isn't allowed to query the cache.
+		 */
+		goto try_glue;
+
+	result = dns_db_find(db, name, version, type,
+			     client->query.dboptions | DNS_DBFIND_GLUEOK,
+			     client->now, &node, fname, NULL, NULL);
+	if (result == ISC_R_SUCCESS)
+		goto found;
+
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	dns_db_detach(&db);
+
+ try_glue:
+	/*
+	 * No cached data was found.  Glue is our last chance.
+	 * RFC1035 sayeth:
+	 *
+	 *	NS records cause both the usual additional section
+	 *	processing to locate a type A record, and, when used
+	 *	in a referral, a special search of the zone in which
+	 *	they reside for glue information.
+	 *
+	 * This is the "special search".  Note that we must search
+	 * the zone where the NS record resides, not the zone it
+	 * points to, and that we only do the search in the delegation
+	 * case (identified by client->query.gluedb being set).
+	 */
+	if (client->query.gluedb == NULL)
+		goto cleanup;
+
+	/*
+	 * Don't poision caches using the bailiwick protection model.
+	 */
+	if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
+		goto cleanup;
+
+	/* Check additional cache */
+	additionaltype = dns_rdatasetadditional_fromglue;
+	result = dns_rdataset_getadditional(rdataset_base, additionaltype,
+					    type, client->view->acache, NULL,
+					    &cdb, &cversion, &cnode, &cfname,
+					    client->message, client->now);
+	if (result != ISC_R_SUCCESS)
+		goto findglue;
+
+	result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion);
+	if (result != ISC_R_SUCCESS) {
+		CTRACE("query_addadditional2: old glue additional cache");
+		query_discardcache(client, rdataset_base, additionaltype,
+				   type, &zone, &cdb, &cversion, &cnode,
+				   &cfname);
+		goto findglue;
+	}
+
+	if (cnode == NULL) {
+		/* We have a negative cache. */
+		CTRACE("query_addadditional2: negative glue additional cache");
+		dns_db_closeversion(cdb, &cversion, ISC_FALSE);
+		dns_db_detach(&cdb);
+		goto cleanup;
+	}
+
+	/* Cache hit. */
+	CTRACE("query_addadditional2: glue additional cache");
+	dns_db_closeversion(cdb, &cversion, ISC_FALSE);
+	db = cdb;
+	node = cnode;
+	dns_name_clone(&cfname, fname);
+	query_keepname(client, fname, dbuf);
+	goto foundcache;
+
+ findglue:
+	dns_db_attach(client->query.gluedb, &db);
+	result = dns_db_find(db, name, version, type,
+			     client->query.dboptions | DNS_DBFIND_GLUEOK,
+			     client->now, &node, fname, NULL, NULL);
+	if (!(result == ISC_R_SUCCESS ||
+	      result == DNS_R_ZONECUT ||
+	      result == DNS_R_GLUE)) {
+		/* cache the negative result */
+		(void)dns_rdataset_setadditional(rdataset_base, additionaltype,
+						 type, client->view->acache,
+						 NULL, db, version, NULL,
+						 fname);
+		goto cleanup;
+	}
+
+ found:
+	/*
+	 * We have found a DB node to iterate over from a DB.
+	 * We are going to look for address RRsets (i.e., A and AAAA) in the DB
+	 * node we've just found.  We'll then store the complete information
+	 * in the additional data cache.
+	 */
+	dns_name_clone(fname, &cfname);
+	query_keepname(client, fname, dbuf);
+	needadditionalcache = ISC_TRUE;
+
+	rdataset = query_newrdataset(client);
+	if (rdataset == NULL)
+		goto cleanup;
+
+	sigrdataset = query_newrdataset(client);
+	if (sigrdataset == NULL)
+		goto cleanup;
+
+	/*
+	 * Find A RRset with sig RRset.  Even if we don't find a sig RRset
+	 * for a client using DNSSEC, we'll continue the process to make a
+	 * complete list to be cached.  However, we need to cancel the
+	 * caching when something unexpected happens, in order to avoid
+	 * caching incomplete information.
+	 */
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 0,
+				     client->now, rdataset, sigrdataset);
+	/*
+	 * If we can't promote glue/pending from the cache to secure
+	 * then drop it.
+	 */
+	if (result == ISC_R_SUCCESS &&
+	    additionaltype == dns_rdatasetadditional_fromcache &&
+	    (rdataset->trust == dns_trust_pending ||
+	     rdataset->trust == dns_trust_glue) &&
+	    !validate(client, db, fname, rdataset, sigrdataset)) {
+		dns_rdataset_disassociate(rdataset);
+		if (dns_rdataset_isassociated(sigrdataset))
+			dns_rdataset_disassociate(sigrdataset);
+		result = ISC_R_NOTFOUND;
+	}
+	if (result == DNS_R_NCACHENXDOMAIN)
+		goto setcache;
+	if (result == DNS_R_NCACHENXRRSET) {
+		dns_rdataset_disassociate(rdataset);
+		/*
+		 * Negative cache entries don't have sigrdatasets.
+		 */
+		INSIST(! dns_rdataset_isassociated(sigrdataset));
+	}
+	if (result == ISC_R_SUCCESS) {
+		/* Remember the result as a cache */
+		ISC_LIST_APPEND(cfname.list, rdataset, link);
+		if (dns_rdataset_isassociated(sigrdataset)) {
+			ISC_LIST_APPEND(cfname.list, sigrdataset, link);
+			sigrdataset = query_newrdataset(client);
+		}
+		rdataset = query_newrdataset(client);
+		if (sigrdataset == NULL || rdataset == NULL) {
+			/* do not cache incomplete information */
+			goto foundcache;
+		}
+	}
+
+	/* Find AAAA RRset with sig RRset */
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa,
+				     0, client->now, rdataset, sigrdataset);
+	/*
+	 * If we can't promote glue/pending from the cache to secure
+	 * then drop it.
+	 */
+	if (result == ISC_R_SUCCESS &&
+	    additionaltype == dns_rdatasetadditional_fromcache &&
+	    (rdataset->trust == dns_trust_pending ||
+	     rdataset->trust == dns_trust_glue) &&
+	    !validate(client, db, fname, rdataset, sigrdataset)) {
+		dns_rdataset_disassociate(rdataset);
+		if (dns_rdataset_isassociated(sigrdataset))
+			dns_rdataset_disassociate(sigrdataset);
+		result = ISC_R_NOTFOUND;
+	}
+	if (result == ISC_R_SUCCESS) {
+		ISC_LIST_APPEND(cfname.list, rdataset, link);
+		rdataset = NULL;
+		if (dns_rdataset_isassociated(sigrdataset)) {
+			ISC_LIST_APPEND(cfname.list, sigrdataset, link);
+			sigrdataset = NULL;
+		}
+	}
+
+ setcache:
+	/*
+	 * Set the new result in the cache if required.  We do not support
+	 * caching additional data from a cache DB.
+	 */
+	if (needadditionalcache == ISC_TRUE &&
+	    (additionaltype == dns_rdatasetadditional_fromauth ||
+	     additionaltype == dns_rdatasetadditional_fromglue)) {
+		(void)dns_rdataset_setadditional(rdataset_base, additionaltype,
+						 type, client->view->acache,
+						 zone, db, version, node,
+						 &cfname);
+	}
+
+ foundcache:
+	need_sigrrset = ISC_FALSE;
+	mname0 = NULL;
+	for (crdataset = ISC_LIST_HEAD(cfname.list);
+	     crdataset != NULL;
+	     crdataset = crdataset_next) {
+		dns_name_t *mname;
+
+		crdataset_next = ISC_LIST_NEXT(crdataset, link);
+
+		mname = NULL;
+		if (crdataset->type == dns_rdatatype_a ||
+		    crdataset->type == dns_rdatatype_aaaa) {
+			if (!query_isduplicate(client, fname, crdataset->type,
+					       &mname)) {
+				if (mname != NULL) {
+					/*
+					 * A different type of this name is
+					 * already stored in the additional
+					 * section.  We'll reuse the name.
+					 * Note that this should happen at most
+					 * once.  Otherwise, fname->link could
+					 * leak below.
+					 */
+					INSIST(mname0 == NULL);
+
+					query_releasename(client, &fname);
+					fname = mname;
+					mname0 = mname;
+				} else
+					need_addname = ISC_TRUE;
+				ISC_LIST_UNLINK(cfname.list, crdataset, link);
+				ISC_LIST_APPEND(fname->list, crdataset, link);
+				added_something = ISC_TRUE;
+				need_sigrrset = ISC_TRUE;
+			} else
+				need_sigrrset = ISC_FALSE;
+		} else if (crdataset->type == dns_rdatatype_rrsig &&
+			   need_sigrrset && WANTDNSSEC(client)) {
+			ISC_LIST_UNLINK(cfname.list, crdataset, link);
+			ISC_LIST_APPEND(fname->list, crdataset, link);
+			added_something = ISC_TRUE; /* just in case */
+			need_sigrrset = ISC_FALSE;
+		}
+	}
+
+	CTRACE("query_addadditional2: addname");
+
+	/*
+	 * If we haven't added anything, then we're done.
+	 */
+	if (!added_something)
+		goto cleanup;
+
+	/*
+	 * We may have added our rdatasets to an existing name, if so, then
+	 * need_addname will be ISC_FALSE.  Whether we used an existing name
+	 * or a new one, we must set fname to NULL to prevent cleanup.
+	 */
+	if (need_addname)
+		dns_message_addname(client->message, fname,
+				    DNS_SECTION_ADDITIONAL);
+	fname = NULL;
+
+ cleanup:
+	CTRACE("query_addadditional2: cleanup");
+
+	if (rdataset != NULL)
+		query_putrdataset(client, &rdataset);
+	if (sigrdataset != NULL)
+		query_putrdataset(client, &sigrdataset);
+	while  ((crdataset = ISC_LIST_HEAD(cfname.list)) != NULL) {
+		ISC_LIST_UNLINK(cfname.list, crdataset, link);
+		query_putrdataset(client, &crdataset);
+	}
+	if (fname != NULL)
+		query_releasename(client, &fname);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (db != NULL)
+		dns_db_detach(&db);
+	if (zone != NULL)
+		dns_zone_detach(&zone);
+
+	CTRACE("query_addadditional2: done");
+	return (eresult);
+}
+
+static inline void
 query_addrdataset(ns_client_t *client, dns_name_t *fname,
 		  dns_rdataset_t *rdataset)
 {
+	client_additionalctx_t additionalctx;
+
 	/*
 	 * Add 'rdataset' and any pertinent additional data to
 	 * 'fname', a name in the response message for 'client'.
@@ -1238,6 +1899,8 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
 		rdataset->attributes |= dns_order_find(client->view->order,
 						       fname, rdataset->type,
 						       rdataset->rdclass);
+	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
+
 	if (NOADDITIONAL(client))
 		return;
 
@@ -1246,8 +1909,10 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
 	 *
 	 * We don't care if dns_rdataset_additionaldata() fails.
 	 */
-	(void)dns_rdataset_additionaldata(rdataset,
-					  query_addadditional, client);
+	additionalctx.client = client;
+	additionalctx.rdataset = rdataset;
+	(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
+					  &additionalctx);
 	CTRACE("query_addrdataset: done");
 }
 
@@ -1260,7 +1925,7 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
 	dns_rdataset_t *rdataset, *mrdataset, *sigrdataset;
 	isc_result_t result;
 
-	/*
+	/*%
 	 * To the current response for 'client', add the answer RRset
 	 * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
 	 * owner name '*namep', to section 'section', unless they are
@@ -1328,11 +1993,12 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
 }
 
 static inline isc_result_t
-query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) {
-	dns_name_t *name, *fname;
+query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
+	     isc_boolean_t zero_ttl)
+{
+	dns_name_t *name;
 	dns_dbnode_t *node;
 	isc_result_t result, eresult;
-	dns_fixedname_t foundname;
 	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
 	dns_rdataset_t **sigrdatasetp = NULL;
 
@@ -1344,8 +2010,6 @@ query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) {
 	name = NULL;
 	rdataset = NULL;
 	node = NULL;
-	dns_fixedname_init(&foundname);
-	fname = dns_fixedname_name(&foundname);
 
 	/*
 	 * Get resources and make 'name' be the database origin.
@@ -1371,9 +2035,23 @@ query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) {
 	/*
 	 * Find the SOA.
 	 */
-	result = dns_db_find(db, name, NULL, dns_rdatatype_soa,
-			     client->query.dboptions, 0, &node,
-			     fname, rdataset, sigrdataset);
+	result = dns_db_getoriginnode(db, &node);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_db_findrdataset(db, node, version,
+					     dns_rdatatype_soa,
+					     0, client->now, rdataset,
+					     sigrdataset);
+	} else {
+		dns_fixedname_t foundname;
+		dns_name_t *fname;
+
+		dns_fixedname_init(&foundname);
+		fname = dns_fixedname_name(&foundname);
+
+		result = dns_db_find(db, name, version, dns_rdatatype_soa,
+				     client->query.dboptions, 0, &node,
+				     fname, rdataset, sigrdataset);
+	}
 	if (result != ISC_R_SUCCESS) {
 		/*
 		 * This is bad.  We tried to get the SOA RR at the zone top
@@ -1429,7 +2107,7 @@ query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) {
 }
 
 static inline isc_result_t
-query_addns(ns_client_t *client, dns_db_t *db) {
+query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
 	dns_name_t *name, *fname;
 	dns_dbnode_t *node;
 	isc_result_t result, eresult;
@@ -1476,13 +2154,22 @@ query_addns(ns_client_t *client, dns_db_t *db) {
 	/*
 	 * Find the NS rdataset.
 	 */
-	CTRACE("query_addns: calling dns_db_find");
-	result = dns_db_find(db, name, NULL, dns_rdatatype_ns,
-			     client->query.dboptions, 0, &node,
-			     fname, rdataset, sigrdataset);
-	CTRACE("query_addns: dns_db_find complete");
+	result = dns_db_getoriginnode(db, &node);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_db_findrdataset(db, node, version,
+					     dns_rdatatype_ns,
+					     0, client->now, rdataset,
+					     sigrdataset);
+	} else {
+		CTRACE("query_addns: calling dns_db_find");
+		result = dns_db_find(db, name, NULL, dns_rdatatype_ns,
+				     client->query.dboptions, 0, &node,
+				     fname, rdataset, sigrdataset);
+		CTRACE("query_addns: dns_db_find complete");
+	}
 	if (result != ISC_R_SUCCESS) {
-		CTRACE("query_addns: dns_db_find failed");
+		CTRACE("query_addns: "
+		       "dns_db_findrdataset or dns_db_find failed");
 		/*
 		 * This is bad.  We tried to get the NS rdataset at the zone
 		 * top and it didn't work!
@@ -1575,6 +2262,161 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
 	return (ISC_R_SUCCESS);
 }
 
+/*
+ * Mark the RRsets as secure.  Update the cache (db) to reflect the
+ * change in trust level.
+ */
+static void
+mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
+	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+
+	rdataset->trust = dns_trust_secure;
+	sigrdataset->trust = dns_trust_secure;
+
+	/*
+	 * Save the updated secure state.  Ignore failures.
+	 */
+	result = dns_db_findnode(db, name, ISC_TRUE, &node);
+	if (result != ISC_R_SUCCESS)
+		return;
+	(void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
+				 0, NULL);
+	(void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset,
+				 0, NULL);
+	dns_db_detachnode(db, &node);
+}
+
+/*
+ * Find the secure key that corresponds to rrsig.
+ * Note: 'keyrdataset' maintains state between sucessive calls,
+ * there may be multiple keys with the same keyid.
+ * Return ISC_FALSE if we have exhausted all the possible keys.
+ */
+static isc_boolean_t
+get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig,
+	dns_rdataset_t *keyrdataset, dst_key_t **keyp)
+{ 
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	isc_boolean_t secure = ISC_FALSE;
+
+	if (!dns_rdataset_isassociated(keyrdataset)) {
+		result = dns_db_findnode(db, &rrsig->signer, ISC_FALSE, &node);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_FALSE);
+
+		result = dns_db_findrdataset(db, node, NULL,
+					     dns_rdatatype_dnskey, 0,
+					     client->now, keyrdataset, NULL);
+		dns_db_detachnode(db, &node);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_FALSE);
+
+		if (keyrdataset->trust != dns_trust_secure)
+			return (ISC_FALSE);
+
+		result = dns_rdataset_first(keyrdataset);
+	} else
+		result = dns_rdataset_next(keyrdataset);
+
+	for ( ; result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(keyrdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		isc_buffer_t b;
+
+		dns_rdataset_current(keyrdataset, &rdata);
+		isc_buffer_init(&b, rdata.data, rdata.length);
+		isc_buffer_add(&b, rdata.length);
+		result = dst_key_fromdns(&rrsig->signer, rdata.rdclass, &b,
+                                         client->mctx, keyp);
+		if (result != ISC_R_SUCCESS)
+			continue;
+		if (rrsig->algorithm == (dns_secalg_t)dst_key_alg(*keyp) &&
+                    rrsig->keyid == (dns_keytag_t)dst_key_id(*keyp) &&
+                    dst_key_iszonekey(*keyp)) {
+			secure = ISC_TRUE;
+			break;
+		}
+		dst_key_free(keyp);
+	}
+	return (secure);
+}
+
+static isc_boolean_t
+verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset,
+       dns_rdata_t *rdata, isc_mem_t *mctx, isc_boolean_t acceptexpired)
+{
+	isc_result_t result;
+	dns_fixedname_t fixed;
+	isc_boolean_t ignore = ISC_FALSE;
+
+	dns_fixedname_init(&fixed);
+	
+again:
+	result = dns_dnssec_verify2(name, rdataset, key, ignore, mctx,
+				    rdata, NULL);
+	if (result == DNS_R_SIGEXPIRED && acceptexpired) {
+		ignore = ISC_TRUE;
+		goto again;
+	}
+	if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
+/*
+ * Validate the rdataset if possible with available records.
+ */
+static isc_boolean_t
+validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
+	 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t rrsig;
+	dst_key_t *key = NULL;
+	dns_rdataset_t keyrdataset;
+
+	if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
+		return (ISC_FALSE);
+	
+	for (result = dns_rdataset_first(sigrdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(sigrdataset)) {
+
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(sigrdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_FALSE);
+		if (!dns_resolver_algorithm_supported(client->view->resolver,
+						      name, rrsig.algorithm))
+			continue;
+		if (!dns_name_issubdomain(name, &rrsig.signer))
+			continue;
+		dns_rdataset_init(&keyrdataset);
+		do {
+			if (!get_key(client, db, &rrsig, &keyrdataset, &key))
+				break;
+			if (verify(key, name, rdataset, &rdata, client->mctx,
+				   client->view->acceptexpired)) {
+				dst_key_free(&key);
+				dns_rdataset_disassociate(&keyrdataset);
+				mark_secure(client, db, name, rdataset,
+					    sigrdataset);
+				return (ISC_TRUE);
+			}
+			dst_key_free(&key);
+		} while (1);
+		if (dns_rdataset_isassociated(&keyrdataset))
+			dns_rdataset_disassociate(&keyrdataset);
+	}
+	return (ISC_FALSE);
+}
+
 static void
 query_addbestns(ns_client_t *client) {
 	dns_db_t *db, *zdb;
@@ -1622,7 +2464,11 @@ query_addbestns(ns_client_t *client) {
 	rdataset = query_newrdataset(client);
 	if (fname == NULL || rdataset == NULL)
 		goto cleanup;
-	if (WANTDNSSEC(client)) {
+	/*
+	 * Get the RRSIGs if the client requested them or if we may
+	 * need to validate answers from the cache.
+	 */
+	if (WANTDNSSEC(client) || !is_zone) {
 		sigrdataset = query_newrdataset(client);
 		if (sigrdataset == NULL)
 			goto cleanup;
@@ -1698,16 +2544,27 @@ query_addbestns(ns_client_t *client) {
 		zsigrdataset = NULL;
 	}
 
-	if ((client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0 &&
-	    (rdataset->trust == dns_trust_pending ||
-	     (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending)))
+	/*
+	 * Attempt to validate RRsets that are pending or that are glue.
+	 */
+	if ((rdataset->trust == dns_trust_pending ||
+	     (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending))
+	    && !validate(client, db, fname, rdataset, sigrdataset) &&
+	    (client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0)
 		goto cleanup;
 
-	if (WANTDNSSEC(client) && SECURE(client) &&
-	    (rdataset->trust == dns_trust_glue ||
-	     (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)))
+	if ((rdataset->trust == dns_trust_glue ||
+	     (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)) &&
+	    !validate(client, db, fname, rdataset, sigrdataset) &&
+	    SECURE(client) && WANTDNSSEC(client))
 		goto cleanup;
 
+	/*
+	 * If the client doesn't want DNSSEC we can discard the sigrdataset
+	 * now.
+	 */
+	if (!WANTDNSSEC(client))
+		query_putrdataset(client, &sigrdataset);
 	query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
 		       DNS_SECTION_AUTHORITY);
 
@@ -1837,20 +2694,20 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
 	 *   Given:
 	 *	example SOA
 	 *	example NSEC b.example
-	 * 	b.example A
-	 * 	b.example NSEC a.d.example
-	 * 	a.d.example A
-	 * 	a.d.example NSEC g.f.example
-	 * 	g.f.example A
-	 * 	g.f.example NSEC z.i.example
-	 * 	z.i.example A
-	 * 	z.i.example NSEC example
+	 *	b.example A
+	 *	b.example NSEC a.d.example
+	 *	a.d.example A
+	 *	a.d.example NSEC g.f.example
+	 *	g.f.example A
+	 *	g.f.example NSEC z.i.example
+	 *	z.i.example A
+	 *	z.i.example NSEC example
 	 *
 	 *   QNAME:
 	 *   a.example -> example NSEC b.example
-	 * 	owner common example
-	 * 	next common example
-	 * 	wild *.example
+	 *	owner common example
+	 *	next common example
+	 *	wild *.example
 	 *   d.b.example -> b.example NSEC a.d.example
 	 *	owner common b.example
 	 *	next common example
@@ -1861,7 +2718,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
 	 *	wild *.f.example
 	 *  j.example -> z.i.example NSEC example
 	 *	owner common example
-	 * 	next common example
+	 *	next common example
 	 *	wild *.f.example
 	 */
 	options = client->query.dboptions | DNS_DBFIND_NOWILD;
@@ -1922,7 +2779,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
 			name = wname;
 			goto again;
 		}
-	} 
+	}
  cleanup:
 	if (rdataset != NULL)
 		query_putrdataset(client, &rdataset);
@@ -2068,6 +2925,7 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
 {
 	isc_result_t result;
 	dns_rdataset_t *rdataset, *sigrdataset;
+	isc_sockaddr_t *peeraddr;
 
 	inc_stats(client, dns_statscounter_recursion);
 
@@ -2149,14 +3007,19 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
 
 	if (client->query.timerset == ISC_FALSE)
 		ns_client_settimeout(client, 60);
-	result = dns_resolver_createfetch(client->view->resolver,
-					  client->query.qname,
-					  qtype, qdomain, nameservers,
-					  NULL, client->query.fetchoptions,
-					  client->task,
-					  query_resume, client,
-					  rdataset, sigrdataset,
-					  &client->query.fetch);
+	if ((client->attributes & NS_CLIENTATTR_TCP) == 0)
+		peeraddr = &client->peeraddr;
+	else
+		peeraddr = NULL;
+	result = dns_resolver_createfetch2(client->view->resolver,
+					   client->query.qname,
+					   qtype, qdomain, nameservers,
+					   NULL, peeraddr, client->message->id,
+					   client->query.fetchoptions,
+					   client->task,
+					   query_resume, client,
+					   rdataset, sigrdataset,
+					   &client->query.fetch);
 
 	if (result == ISC_R_SUCCESS) {
 		/*
@@ -2193,7 +3056,7 @@ static isc_result_t
 rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
 	struct in_addr ina;
 	struct in6_addr in6a;
-	
+
 	switch (rdata->type) {
 	case dns_rdatatype_a:
 		INSIST(rdata->length == 4);
@@ -2246,7 +3109,7 @@ setup_query_sortlist(ns_client_t *client) {
 	isc_netaddr_t netaddr;
 	dns_rdatasetorderfunc_t order = NULL;
 	const void *order_arg = NULL;
-	
+
 	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
 	switch (ns_sortlist_setup(client->view->sortlist,
 			       &netaddr, &order_arg)) {
@@ -2331,6 +3194,111 @@ answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) {
 	}
 }
 
+#define NS_NAME_INIT(A,B) \
+	 { \
+		DNS_NAME_MAGIC, \
+		A, sizeof(A), sizeof(B), \
+		DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
+		B, NULL, { (void *)-1, (void *)-1}, \
+		{NULL, NULL} \
+	}
+
+static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 };
+static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 };
+static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 };
+
+static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA";
+
+static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA";
+
+static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA";
+
+static dns_name_t rfc1918names[] = {
+	NS_NAME_INIT(inaddr10, inaddr10_offsets),
+	NS_NAME_INIT(inaddr16172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr17172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr18172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr19172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr20172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr21172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr22172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr23172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr24172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr25172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr26172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr27172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr28172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr29172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr30172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr31172, inaddr172_offsets),
+	NS_NAME_INIT(inaddr168192, inaddr192_offsets)
+};
+
+
+static unsigned char prisoner_data[] = "\010prisoner\004iana\003org";
+static unsigned char hostmaster_data[] = "\012hostmaster\014root-servers\003org";
+
+static unsigned char prisoner_offsets[] = { 0, 9, 14, 18 };
+static unsigned char hostmaster_offsets[] = { 0, 11, 24, 28 };
+
+static dns_name_t prisoner = NS_NAME_INIT(prisoner_data, prisoner_offsets);
+static dns_name_t hostmaster = NS_NAME_INIT(hostmaster_data, hostmaster_offsets);
+
+static void
+warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) {
+	unsigned int i;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_soa_t soa;
+	dns_rdataset_t found;
+	isc_result_t result;
+	
+	for (i = 0; i < (sizeof(rfc1918names)/sizeof(*rfc1918names)); i++) {
+		if (dns_name_issubdomain(fname, &rfc1918names[i])) {
+			dns_rdataset_init(&found);
+			result = dns_ncache_getrdataset(rdataset,
+						        &rfc1918names[i],
+							dns_rdatatype_soa,
+							&found);
+			if (result != ISC_R_SUCCESS)
+				return;
+
+			result = dns_rdataset_first(&found);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			dns_rdataset_current(&found, &rdata);
+			result = dns_rdata_tostruct(&rdata, &soa, NULL);
+			if (result != ISC_R_SUCCESS)
+				return;
+			if (dns_name_equal(&soa.origin, &prisoner) &&
+			    dns_name_equal(&soa.contact, &hostmaster)) {
+				char buf[DNS_NAME_FORMATSIZE];
+				dns_name_format(fname, buf, sizeof(buf));
+				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+					      NS_LOGMODULE_QUERY,
+					      ISC_LOG_WARNING,
+					      "RFC 1918 response from "
+					      "Internet for %s", buf);
+			}
+			dns_rdataset_disassociate(&found);
+			return;
+		}
+	}
+}
+
 /*
  * Do the bulk of query processing for the current query of 'client'.
  * If 'event' is non-NULL, we are returning from recursion and 'qtype'
@@ -2434,7 +3402,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 
 		goto resume;
 	}
-	
+
 	/*
 	 * Not returning from recursion.
 	 */
@@ -2527,10 +3495,20 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 
 	if (is_zone)
 		authoritative = ISC_TRUE;
-       
+
 	if (event == NULL && client->query.restarts == 0) {
 		if (is_zone) {
-			dns_zone_attach(zone, &client->query.authzone);
+#ifdef DLZ
+			if (zone != NULL) {
+				/*
+				 * if is_zone = true, zone = NULL then this is
+				 * a DLZ zone.  Don't attempt to attach zone.
+				 */
+#endif
+				dns_zone_attach(zone, &client->query.authzone);
+#ifdef DLZ
+			}
+#endif
 			dns_db_attach(db, &client->query.authdb);
 		}
 		client->query.authdbset = ISC_TRUE;
@@ -2625,7 +3603,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				if (result == ISC_R_SUCCESS)
 					client->query.attributes |=
 						NS_QUERYATTR_RECURSING;
-				else {
+				else if (result == DNS_R_DUPLICATE ||
+					 result == DNS_R_DROP) {
+					/* Duplicate query. */
+					QUERY_ERROR(result);
+				} else {
 					/* Unable to recurse. */
 					QUERY_ERROR(DNS_R_SERVFAIL);
 				}
@@ -2795,6 +3777,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				if (result == ISC_R_SUCCESS)
 					client->query.attributes |=
 						NS_QUERYATTR_RECURSING;
+				else if (result == DNS_R_DUPLICATE ||
+					 result == DNS_R_DROP)
+					QUERY_ERROR(result);
 				else
 					QUERY_ERROR(DNS_R_SERVFAIL);
 			} else {
@@ -2851,7 +3836,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		/*
 		 * Add SOA.
 		 */
-		result = query_addsoa(client, db, ISC_FALSE);
+		result = query_addsoa(client, db, version, ISC_FALSE);
 		if (result != ISC_R_SUCCESS) {
 			QUERY_ERROR(result);
 			goto cleanup;
@@ -2891,10 +3876,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		 * the containing zone of an arbitrary name with a stub
 		 * resolver and not have it cached.
 		 */
-		if (qtype == dns_rdatatype_soa)
-			result = query_addsoa(client, db, ISC_TRUE);
+		if (qtype == dns_rdatatype_soa &&
+#ifdef DLZ
+		    zone != NULL &&
+#endif
+		    dns_zone_getzeronosoattl(zone))
+			result = query_addsoa(client, db, version, ISC_TRUE);
 		else
-			result = query_addsoa(client, db, ISC_FALSE);
+			result = query_addsoa(client, db, version, ISC_FALSE);
 		if (result != ISC_R_SUCCESS) {
 			QUERY_ERROR(result);
 			goto cleanup;
@@ -2930,6 +3919,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		if (result == DNS_R_NCACHENXDOMAIN)
 			client->message->rcode = dns_rcode_nxdomain;
 		/*
+		 * Look for RFC 1918 leakage from Internet.
+		 */
+		if (result == DNS_R_NCACHENXDOMAIN &&
+		    qtype == dns_rdatatype_ptr &&
+		    client->message->rdclass == dns_rdataclass_in &&
+		    dns_name_countlabels(fname) == 7)
+			warn_rfc1918(client, fname, rdataset);
+		/*
 		 * We don't call query_addrrset() because we don't need any
 		 * of its extra features (and things would probably break!).
 		 */
@@ -3090,7 +4087,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			dns_message_puttempname(client->message, &tname);
 			if (result == ISC_R_NOSPACE) {
 				/*
-				 * RFC 2672, section 4.1, subsection 3c says
+				 * RFC2672, section 4.1, subsection 3c says
 				 * we should return YXDOMAIN if the constructed
 				 * name would be too long.
 				 */
@@ -3212,6 +4209,21 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				 * an error unless we were searching for
 				 * glue.  Ugh.
 				 */
+				if (!is_zone) {
+					authoritative = ISC_FALSE;
+					dns_rdatasetiter_destroy(&rdsiter);
+					if (RECURSIONOK(client)) {
+						result = query_recurse(client,
+								       qtype,
+								       NULL,
+								       NULL);
+						if (result == ISC_R_SUCCESS)
+						    client->query.attributes |=
+							NS_QUERYATTR_RECURSING;
+						else
+						    QUERY_ERROR(DNS_R_SERVFAIL);					}
+					goto addauth;
+				}
 				/*
 				 * We were searching for SIG records in
 				 * a nonsecure zone.  Send a "no error,
@@ -3220,7 +4232,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				/*
 				 * Add SOA.
 				 */
-				result = query_addsoa(client, db, ISC_FALSE);
+				result = query_addsoa(client, db, version,
+						      ISC_FALSE);
 				if (result == ISC_R_SUCCESS)
 					result = ISC_R_NOMORE;
 			} else {
@@ -3249,6 +4262,13 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			noqname = rdataset;
 		else
 			noqname = NULL;
+		/*
+		 * BIND 8 priming queries need the additional section.
+		 */
+		if (is_zone && qtype == dns_rdatatype_ns &&
+		    dns_name_equal(client->query.qname, dns_rootname))
+			client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL;
+
 		query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
 			       DNS_SECTION_ANSWER);
 		if (noqname != NULL)
@@ -3272,7 +4292,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			       qtype == dns_rdatatype_any) &&
 			      dns_name_equal(client->query.qname,
 					     dns_db_origin(db))))
-				(void)query_addns(client, db);
+				(void)query_addns(client, db, version);
 		} else if (qtype != dns_rdatatype_ns) {
 			if (fname != NULL)
 				query_releasename(client, &fname);
@@ -3337,13 +4357,22 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 
 	if (eresult != ISC_R_SUCCESS &&
 	    (!PARTIALANSWER(client) || WANTRECURSION(client))) {
-		/*
-		 * If we don't have any answer to give the client,
-		 * or if the client requested recursion and thus wanted
-		 * the complete answer, send an error response.
-		 */
-		 query_error(client, eresult);
-		 ns_client_detach(&client);
+		if (eresult == DNS_R_DUPLICATE || eresult == DNS_R_DROP) {
+			/*
+			 * This was a duplicate query that we are
+			 * recursing on.  Don't send a response now.
+			 * The original query will still cause a response.
+			 */
+			query_next(client, eresult);
+		} else {
+			/*
+			 * If we don't have any answer to give the client,
+			 * or if the client requested recursion and thus wanted
+			 * the complete answer, send an error response.
+			 */
+			query_error(client, eresult);
+		}
+		ns_client_detach(&client);
 	} else if (!RECURSING(client)) {
 		/*
 		 * We are done.  Set up sortlist data for the message
@@ -3418,14 +4447,16 @@ ns_query_start(ns_client_t *client) {
 	if (!client->view->enablednssec) {
 		message->flags &= ~DNS_MESSAGEFLAG_CD;
 		client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
+		if (client->opt != NULL)
+			client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO;
 	}
 
 	if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
 		client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
-	
+
 	if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
 		client->attributes |= NS_CLIENTATTR_WANTDNSSEC;
-	
+
 	if (client->view->minimalresponses)
 		client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
 					     NS_QUERYATTR_NOADDITIONAL);
@@ -3521,13 +4552,17 @@ ns_query_start(ns_client_t *client) {
 	 * If the client has requested that DNSSEC checking be disabled,
 	 * allow lookups to return pending data and instruct the resolver
 	 * to return data before validation has completed.
+	 *
+	 * We don't need to set DNS_DBFIND_PENDINGOK when validation is
+	 * disabled as there will be no pending data.
 	 */
 	if (message->flags & DNS_MESSAGEFLAG_CD ||
 	    qtype == dns_rdatatype_rrsig)
 	{
 		client->query.dboptions |= DNS_DBFIND_PENDINGOK;
 		client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
-	}
+	} else if (!client->view->enablevalidation)
+		client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
 
 	/*
 	 * Allow glue NS records to be added to the authority section
diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c
index f29321e..6ae31cb 100644
--- a/contrib/bind9/bin/named/server.c
+++ b/contrib/bind9/bin/named/server.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.339.2.15.2.70 2006/05/24 04:30:24 marka Exp $ */
+/* $Id: server.c,v 1.419.18.49 2006/12/07 05:24:19 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -41,13 +43,18 @@
 
 #include <bind9/check.h>
 
+#include <dns/acache.h>
 #include <dns/adb.h>
 #include <dns/cache.h>
 #include <dns/db.h>
 #include <dns/dispatch.h>
+#ifdef DLZ
+#include <dns/dlz.h>
+#endif
 #include <dns/forward.h>
 #include <dns/journal.h>
 #include <dns/keytable.h>
+#include <dns/lib.h>
 #include <dns/master.h>
 #include <dns/masterdump.h>
 #include <dns/order.h>
@@ -86,7 +93,7 @@
 #include <stdlib.h>
 #endif
 
-/*
+/*%
  * Check an operation for failure.  Assumes that the function
  * using it has a 'result' variable and a 'cleanup' label.
  */
@@ -160,6 +167,54 @@ struct zonelistentry {
 	ISC_LINK(struct zonelistentry)	link;
 };
 
+/*
+ * These zones should not leak onto the Internet.
+ */
+static const struct {
+	const char	*zone;
+	isc_boolean_t	rfc1918;
+} empty_zones[] = {
+#ifdef notyet
+	/* RFC 1918 */
+	{ "10.IN-ADDR.ARPA", ISC_TRUE },
+	{ "16.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "17.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "18.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "19.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "20.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "21.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "22.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "23.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "24.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "25.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "26.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "27.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "28.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "29.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "30.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "31.172.IN-ADDR.ARPA", ISC_TRUE },
+	{ "168.192.IN-ADDR.ARPA", ISC_TRUE },
+#endif
+
+	/* RFC 3330 */
+	{ "127.IN-ADDR.ARPA", ISC_FALSE },	/* LOOPBACK */
+	{ "254.169.IN-ADDR.ARPA", ISC_FALSE },	/* LINK LOCAL */
+	{ "2.0.192.IN-ADDR.ARPA", ISC_FALSE },	/* TEST NET */
+	{ "255.255.255.255.IN-ADDR.ARPA", ISC_FALSE },	/* BROADCAST */
+
+	/* Local IPv6 Unicast Addresses */
+	{ "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
+	{ "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
+	/* LOCALLY ASSIGNED LOCAL ADDRES S SCOPE */
+	{ "D.F.IP6.ARPA", ISC_FALSE },
+	{ "8.E.F.IP6.ARPA", ISC_FALSE },	/* LINK LOCAL */
+	{ "9.E.F.IP6.ARPA", ISC_FALSE },	/* LINK LOCAL */
+	{ "A.E.F.IP6.ARPA", ISC_FALSE },	/* LINK LOCAL */
+	{ "B.E.F.IP6.ARPA", ISC_FALSE },	/* LINK LOCAL */
+
+	{ NULL, ISC_FALSE }
+};
+
 static void
 fatal(const char *msg, isc_result_t result);
 
@@ -168,11 +223,11 @@ ns_server_reload(isc_task_t *task, isc_event_t *event);
 
 static isc_result_t
 ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
-			ns_aclconfctx_t *actx,
+			cfg_aclconfctx_t *actx,
 			isc_mem_t *mctx, ns_listenelt_t **target);
 static isc_result_t
 ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
-			 ns_aclconfctx_t *actx,
+			 cfg_aclconfctx_t *actx,
 			 isc_mem_t *mctx, ns_listenlist_t **target);
 
 static isc_result_t
@@ -186,19 +241,19 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view,
 static isc_result_t
 configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
-	       ns_aclconfctx_t *aclconf);
+	       cfg_aclconfctx_t *aclconf);
 
 static void
 end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
 
-/*
+/*%
  * Configure a single view ACL at '*aclp'.  Get its configuration by
  * calling 'getvcacl' (for per-view configuration) and maybe 'getscacl'
  * (for a global default).
  */
 static isc_result_t
 configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
-		   const char *aclname, ns_aclconfctx_t *actx,
+		   const char *aclname, cfg_aclconfctx_t *actx,
 		   isc_mem_t *mctx, dns_acl_t **aclp)
 {
 	isc_result_t result;
@@ -225,7 +280,8 @@ configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 		 */
 		return (ISC_R_SUCCESS);
 
-	result = ns_acl_fromconfig(aclobj, config, actx, mctx, aclp);
+	result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
+				    actx, mctx, aclp);
 
 	return (result);
 }
@@ -290,6 +346,13 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 	keystruct.datalen = r.length;
 	keystruct.data = r.base;
 
+	if ((keystruct.algorithm == DST_ALG_RSASHA1 ||
+	     keystruct.algorithm == DST_ALG_RSAMD5) &&
+	    r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
+		cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
+			    "trusted key '%s' has a weak exponent",
+			    keynamestr);
+
 	CHECK(dns_rdata_fromstruct(NULL,
 				   keystruct.common.rdclass,
 				   keystruct.common.rdtype,
@@ -326,7 +389,7 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 	return (result);
 }
 
-/*
+/*%
  * Configure DNSSEC keys for a view.  Currently used only for
  * the security roots.
  *
@@ -414,7 +477,7 @@ mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver)
 	return (result);
 }
 
-/*
+/*%
  * Get a dispatch appropriate for the resolver of a given view.
  */
 static isc_result_t
@@ -581,15 +644,14 @@ configure_order(dns_order_t *order, const cfg_obj_t *ent) {
 
 static isc_result_t
 configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
-	const isc_sockaddr_t *sa;
 	isc_netaddr_t na;
 	dns_peer_t *peer;
 	const cfg_obj_t *obj;
 	const char *str;
 	isc_result_t result;
+	unsigned int prefixlen;
 
-	sa = cfg_obj_assockaddr(cfg_map_getname(cpeer));
-	isc_netaddr_fromsockaddr(&na, sa);
+	cfg_obj_asnetprefix(cfg_map_getname(cpeer), &na, &prefixlen);
 
 	peer = NULL;
 	result = dns_peer_new(mctx, &na, &peer);
@@ -617,6 +679,28 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
 		CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
 
 	obj = NULL;
+	(void)cfg_map_get(cpeer, "edns-udp-size", &obj);
+	if (obj != NULL) {
+		isc_uint32_t udpsize = cfg_obj_asuint32(obj);
+		if (udpsize < 512)
+			udpsize = 512;
+		if (udpsize > 4096)
+			udpsize = 4096;
+		CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "max-udp-size", &obj);
+	if (obj != NULL) {
+		isc_uint32_t udpsize = cfg_obj_asuint32(obj);
+		if (udpsize < 512)
+			udpsize = 512;
+		if (udpsize > 4096)
+			udpsize = 4096;
+		CHECK(dns_peer_setmaxudp(peer, (isc_uint16_t)udpsize));
+	}
+
+	obj = NULL;
 	(void)cfg_map_get(cpeer, "transfers", &obj);
 	if (obj != NULL)
 		CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj)));
@@ -644,7 +728,7 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
 	}
 
 	obj = NULL;
-	if (isc_sockaddr_pf(sa) == AF_INET)
+	if (na.family == AF_INET)
 		(void)cfg_map_get(cpeer, "transfer-source", &obj);
 	else
 		(void)cfg_map_get(cpeer, "transfer-source-v6", &obj);
@@ -653,7 +737,35 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
 						    cfg_obj_assockaddr(obj));
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
+		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
+	}
+
+	obj = NULL;
+	if (na.family == AF_INET)
+		(void)cfg_map_get(cpeer, "notify-source", &obj);
+	else
+		(void)cfg_map_get(cpeer, "notify-source-v6", &obj);
+	if (obj != NULL) {
+		result = dns_peer_setnotifysource(peer,
+						  cfg_obj_assockaddr(obj));
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
 	}
+
+	obj = NULL;
+	if (na.family == AF_INET)
+		(void)cfg_map_get(cpeer, "query-source", &obj);
+	else
+		(void)cfg_map_get(cpeer, "query-source-v6", &obj);
+	if (obj != NULL) {
+		result = dns_peer_setquerysource(peer,
+						 cfg_obj_assockaddr(obj));
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
+	}
+
 	*peerp = peer;
 	return (ISC_R_SUCCESS);
 
@@ -708,6 +820,68 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
 	return (result);
 }
 
+static isc_boolean_t
+on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
+	const cfg_listelt_t *element;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_result_t result;
+	const cfg_obj_t *value;
+	const char *str;
+	isc_buffer_t b;
+
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+	
+	for (element = cfg_list_first(disablelist);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		value = cfg_listelt_value(element);
+		str = cfg_obj_asstring(value);
+		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		result = dns_name_fromtext(name, &b, dns_rootname,
+					   ISC_TRUE, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (dns_name_equal(name, zonename))
+			return (ISC_TRUE);
+	}
+	return (ISC_FALSE);
+}
+
+static void
+check_dbtype(dns_zone_t **zonep, unsigned int dbtypec, const char **dbargv,
+	     isc_mem_t *mctx)
+{
+	char **argv = NULL;
+	unsigned int i;
+	isc_result_t result;
+
+	result = dns_zone_getdbtype(*zonep, &argv, mctx);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_detach(zonep);
+		return;
+	}
+
+	/*
+	 * Check that all the arguments match.
+	 */
+	for (i = 0; i < dbtypec; i++)
+		if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0) {
+			dns_zone_detach(zonep);
+			break;
+		}
+
+	/*
+	 * Check that there are not extra arguments.
+	 */
+	if (i == dbtypec && argv[i] != NULL)
+		dns_zone_detach(zonep);
+	isc_mem_free(mctx, argv);
+}
+
+
 /*
  * Configure 'view' according to 'vconfig', taking defaults from 'config'
  * where values are missing in 'vconfig'.
@@ -717,8 +891,8 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
  */
 static isc_result_t
 configure_view(dns_view_t *view, const cfg_obj_t *config,
-	       const cfg_obj_t *vconfig, isc_mem_t *mctx, ns_aclconfctx_t *actx,
-	       isc_boolean_t need_hints)
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx,
+	       cfg_aclconfctx_t *actx, isc_boolean_t need_hints)
 {
 	const cfg_obj_t *maps[4];
 	const cfg_obj_t *cfgmaps[3];
@@ -728,6 +902,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	const cfg_obj_t *forwarders;
 	const cfg_obj_t *alternates;
 	const cfg_obj_t *zonelist;
+#ifdef DLZ
+ 	const cfg_obj_t *dlz;
+ 	unsigned int dlzargc;
+ 	char **dlzargv;
+#endif
 	const cfg_obj_t *disabled;
 	const cfg_obj_t *obj;
 	const cfg_listelt_t *element;
@@ -736,6 +915,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	isc_result_t result;
 	isc_uint32_t max_adb_size;
 	isc_uint32_t max_cache_size;
+	isc_uint32_t max_acache_size;
 	isc_uint32_t lame_ttl;
 	dns_tsig_keyring_t *ring;
 	dns_view_t *pview = NULL;	/* Production view */
@@ -748,6 +928,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	dns_order_t *order = NULL;
 	isc_uint32_t udpsize;
 	unsigned int check = 0;
+	dns_zone_t *zone = NULL;
+	isc_uint32_t max_clients_per_query;
+	const char *sep = ": view ";
+	const char *viewname = view->name;
+	const char *forview = " for view ";
+	isc_boolean_t rfc1918;
+	isc_boolean_t empty_zones_enable;
+	const cfg_obj_t *disablelist = NULL;
 
 	REQUIRE(DNS_VIEW_VALID(view));
 
@@ -773,6 +961,12 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		cfgmaps[i++] = config;
 	cfgmaps[i] = NULL;
 
+	if (!strcmp(viewname, "_default")) {
+		sep = "";
+		viewname = "";
+		forview = "";
+	}
+
 	/*
 	 * Set the view's port number for outgoing queries.
 	 */
@@ -780,6 +974,52 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	dns_view_setdstport(view, port);
 
 	/*
+	 * Create additional cache for this view and zones under the view
+	 * if explicitly enabled.
+	 * XXX950 default to on.
+	 */
+	obj = NULL;
+	(void)ns_config_get(maps, "acache-enable", &obj);
+	if (obj != NULL && cfg_obj_asboolean(obj)) {
+		cmctx = NULL;
+		CHECK(isc_mem_create(0, 0, &cmctx));
+		CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr,
+					ns_g_timermgr));
+		isc_mem_detach(&cmctx);
+	}
+	if (view->acache != NULL) {
+		obj = NULL;
+		result = ns_config_get(maps, "acache-cleaning-interval", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_acache_setcleaninginterval(view->acache,
+					       cfg_obj_asuint32(obj) * 60);
+
+		obj = NULL;
+		result = ns_config_get(maps, "max-acache-size", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		if (cfg_obj_isstring(obj)) {
+			str = cfg_obj_asstring(obj);
+			INSIST(strcasecmp(str, "unlimited") == 0);
+			max_acache_size = ISC_UINT32_MAX;
+		} else {
+			isc_resourcevalue_t value;
+
+			value = cfg_obj_asuint64(obj);
+			if (value > ISC_UINT32_MAX) {
+				cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+					    "'max-acache-size "
+					    "%" ISC_PRINT_QUADFORMAT
+					    "d' is too large",
+					    value);
+				result = ISC_R_RANGE;
+				goto cleanup;
+			}
+			max_acache_size = (isc_uint32_t)value;
+		}
+		dns_acache_setcachesize(view->acache, max_acache_size);
+	}
+
+	/*
 	 * Configure the zones.
 	 */
 	zonelist = NULL;
@@ -796,6 +1036,45 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 				     actx));
 	}
 
+#ifdef DLZ
+	/*
+	 * Create Dynamically Loadable Zone driver.
+	 */
+	dlz = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "dlz", &dlz);
+	else
+		(void)cfg_map_get(config, "dlz", &dlz);
+
+	obj = NULL;
+	if (dlz != NULL) {
+		(void)cfg_map_get(cfg_tuple_get(dlz, "options"),
+				  "database", &obj);
+		if (obj != NULL) {
+			char *s = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
+			if (s == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			
+			result = dns_dlzstrtoargv(mctx, s, &dlzargc, &dlzargv);
+			if (result != ISC_R_SUCCESS) {
+				isc_mem_free(mctx, s);
+				goto cleanup;
+			}
+
+			obj = cfg_tuple_get(dlz, "name");
+			result = dns_dlzcreate(mctx, cfg_obj_asstring(obj),
+					       dlzargv[0], dlzargc, dlzargv,
+					       &view->dlzdatabase);
+			isc_mem_free(mctx, s);
+			isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv));
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+		}
+	}
+#endif
+
 	/*
 	 * Configure the view's cache.  Try to reuse an existing
 	 * cache if possible, otherwise create a new cache.
@@ -931,6 +1210,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	if (lame_ttl > 1800)
 		lame_ttl = 1800;
 	dns_resolver_setlamettl(view->resolver, lame_ttl);
+
+	obj = NULL;
+	result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_resolver_setzeronosoattl(view->resolver, cfg_obj_asboolean(obj));
 	
 	/*
 	 * Set the resolver's EDNS UDP size.
@@ -946,6 +1230,19 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize);
 	
 	/*
+	 * Set the maximum UDP response size.
+	 */
+	obj = NULL;
+	result = ns_config_get(maps, "max-udp-size", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	udpsize = cfg_obj_asuint32(obj);
+	if (udpsize < 512)
+		udpsize = 512;
+	if (udpsize > 4096)
+		udpsize = 4096;
+	view->maxudp = udpsize;
+
+	/*
 	 * Set supported DNSSEC algorithms.
 	 */
 	dns_resolver_reset_algorithms(view->resolver);
@@ -1138,8 +1435,12 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		view->additionalfromcache = ISC_TRUE;
 	}
 
-	CHECK(configure_view_acl(vconfig, config, "allow-query",
+	CHECK(configure_view_acl(vconfig, config, "allow-query-cache",
 				 actx, ns_g_mctx, &view->queryacl));
+	if (view->queryacl == NULL)
+		CHECK(configure_view_acl(NULL, ns_g_defaults,
+					 "allow-query-cache", actx,
+					 ns_g_mctx, &view->queryacl));
 
 	if (strcmp(view->name, "_bind") != 0)
 		CHECK(configure_view_acl(vconfig, config, "allow-recursion",
@@ -1152,20 +1453,18 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	if (!view->recursion && view->recursionacl != NULL &&
 	    (view->recursionacl->length != 1 ||
 	     view->recursionacl->elements[0].type != dns_aclelementtype_any ||
-	     view->recursionacl->elements[0].negative != ISC_TRUE)) {
-		const char *forview = " for view ";
-		const char *viewname = view->name;
-
-		if (!strcmp(view->name, "_bind") ||
-		    !strcmp(view->name, "_default")) {
-			forview = "";
-			viewname = "";
-		}
+	     view->recursionacl->elements[0].negative != ISC_TRUE))
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
 			      "both \"recursion no;\" and \"allow-recursion\" "
 			      "active%s%s", forview, viewname);
-	}
+
+	/*
+	 * Set default "allow-recursion" acl.
+	 */
+	if (view->recursionacl == NULL && view->recursion)
+		CHECK(configure_view_acl(NULL, ns_g_defaults, "allow-recursion",
+					 actx, ns_g_mctx, &view->recursionacl));
 
 	CHECK(configure_view_acl(vconfig, config, "sortlist",
 				 actx, ns_g_mctx, &view->sortlist));
@@ -1179,6 +1478,18 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	result = ns_config_get(maps, "provide-ixfr", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	view->provideixfr = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = ns_config_get(maps, "max-clients-per-query", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	max_clients_per_query = cfg_obj_asuint32(obj);
+
+	obj = NULL;
+	result = ns_config_get(maps, "clients-per-query", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_resolver_setclientsperquery(view->resolver,
+					cfg_obj_asuint32(obj),
+					max_clients_per_query);
 			
 	obj = NULL;
 	result = ns_config_get(maps, "dnssec-enable", &obj);
@@ -1186,6 +1497,16 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	view->enablednssec = cfg_obj_asboolean(obj);
 
 	obj = NULL;
+	result = ns_config_get(maps, "dnssec-accept-expired", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->acceptexpired = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = ns_config_get(maps, "dnssec-validation", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->enablevalidation = cfg_obj_asboolean(obj);
+
+	obj = NULL;
 	result = ns_config_get(maps, "dnssec-lookaside", &obj);
 	if (result == ISC_R_SUCCESS) {
 		for (element = cfg_list_first(obj);
@@ -1231,15 +1552,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	 * For now, there is only one kind of trusted keys, the
 	 * "security roots".
 	 */
-	if (view->enablednssec) {
-		CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
-						&view->secroots));
-		dns_resolver_resetmustbesecure(view->resolver);
-		obj = NULL;
-		result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
-		if (result == ISC_R_SUCCESS)
-			CHECK(mustbesecure(obj, view->resolver));
-	}
+	CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
+					&view->secroots));
+	dns_resolver_resetmustbesecure(view->resolver);
+	obj = NULL;
+	result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
+	if (result == ISC_R_SUCCESS)
+		CHECK(mustbesecure(obj, view->resolver));
 
 	obj = NULL;
 	result = ns_config_get(maps, "max-cache-ttl", &obj);
@@ -1295,9 +1614,180 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	} else
 		dns_view_setrootdelonly(view, ISC_FALSE);
 
+	/*
+	 * Setup automatic empty zones.  If recursion is off then
+	 * they are disabled by default.
+	 */
+	obj = NULL;
+	(void)ns_config_get(maps, "empty-zones-enable", &obj);
+	(void)ns_config_get(maps, "disable-empty-zone", &disablelist);
+	if (obj == NULL && disablelist == NULL &&
+	    view->rdclass == dns_rdataclass_in) {
+		rfc1918 = ISC_FALSE;
+		empty_zones_enable = view->recursion;
+	} else if (view->rdclass == dns_rdataclass_in) {
+		rfc1918 = ISC_TRUE;
+		if (obj != NULL)
+			empty_zones_enable = cfg_obj_asboolean(obj);
+		else
+			empty_zones_enable = view->recursion;
+	} else {
+		rfc1918 = ISC_FALSE;
+		empty_zones_enable = ISC_FALSE;
+	}
+	if (empty_zones_enable) {
+		const char *empty;
+		int empty_zone = 0;
+		dns_fixedname_t fixed;
+		dns_name_t *name;
+		isc_buffer_t buffer;
+		const char *str;
+		char server[DNS_NAME_FORMATSIZE + 1];
+		char contact[DNS_NAME_FORMATSIZE + 1];
+		isc_boolean_t logit;
+		const char *empty_dbtype[4] =
+				    { "_builtin", "empty", NULL, NULL };
+		int empty_dbtypec = 4;
+
+		dns_fixedname_init(&fixed);
+		name = dns_fixedname_name(&fixed);
+
+		obj = NULL;
+		result = ns_config_get(maps, "empty-server", &obj);
+		if (result == ISC_R_SUCCESS) {
+			str = cfg_obj_asstring(obj);
+			isc_buffer_init(&buffer, str, strlen(str));
+			isc_buffer_add(&buffer, strlen(str));
+			CHECK(dns_name_fromtext(name, &buffer, dns_rootname,
+						ISC_FALSE, NULL));
+			isc_buffer_init(&buffer, server, sizeof(server) - 1);
+			CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
+			server[isc_buffer_usedlength(&buffer)] = 0;
+			empty_dbtype[2] = server;
+		} else
+			empty_dbtype[2] = "@";
+
+		obj = NULL;
+		result = ns_config_get(maps, "empty-contact", &obj);
+		if (result == ISC_R_SUCCESS) {
+			str = cfg_obj_asstring(obj);
+			isc_buffer_init(&buffer, str, strlen(str));
+			isc_buffer_add(&buffer, strlen(str));
+			CHECK(dns_name_fromtext(name, &buffer, dns_rootname,
+						ISC_FALSE, NULL));
+			isc_buffer_init(&buffer, contact, sizeof(contact) - 1);
+			CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
+			contact[isc_buffer_usedlength(&buffer)] = 0;
+			empty_dbtype[3] = contact;
+		} else
+			empty_dbtype[3] = ".";
+
+		logit = ISC_TRUE;
+		for (empty = empty_zones[empty_zone].zone;
+		     empty != NULL;
+		     empty = empty_zones[++empty_zone].zone)
+		{
+			dns_forwarders_t *forwarders = NULL;
+			dns_view_t *pview = NULL;
+
+			isc_buffer_init(&buffer, empty, strlen(empty));
+			isc_buffer_add(&buffer, strlen(empty));
+			/*
+			 * Look for zone on drop list.
+			 */
+			CHECK(dns_name_fromtext(name, &buffer, dns_rootname,
+						ISC_FALSE, NULL));
+			if (disablelist != NULL &&
+			    on_disable_list(disablelist, name))
+				continue;
+
+			/*
+			 * This zone already exists.
+			 */
+			(void)dns_view_findzone(view, name, &zone);
+			if (zone != NULL) {
+				dns_zone_detach(&zone);
+				continue;
+			}
+
+			/*
+			 * If we would forward this name don't add a
+			 * empty zone for it.
+			 */
+			result = dns_fwdtable_find(view->fwdtable, name,
+						   &forwarders);
+			if (result == ISC_R_SUCCESS &&
+			    forwarders->fwdpolicy == dns_fwdpolicy_only)
+				continue;
+						
+			if (!rfc1918 && empty_zones[empty_zone].rfc1918) {
+				if (logit) {
+					isc_log_write(ns_g_lctx,
+						      NS_LOGCATEGORY_GENERAL,
+						      NS_LOGMODULE_SERVER,
+						      ISC_LOG_WARNING,
+					              "Warning%s%s: "
+						      "'empty-zones-enable/"
+						      "disable-empty-zone' "
+						      "not set: disabling "
+						      "RFC 1918 empty zones",
+						      sep, viewname);
+					logit = ISC_FALSE;
+				}
+				continue;
+			}
+
+			/*
+			 * See if we can re-use a existing zone.
+			 */
+			result = dns_viewlist_find(&ns_g_server->viewlist,
+						   view->name, view->rdclass,
+						   &pview);
+			if (result != ISC_R_NOTFOUND &&
+			    result != ISC_R_SUCCESS)
+				goto cleanup;
+
+			if (pview != NULL) {
+				(void)dns_view_findzone(pview, name, &zone);
+				dns_view_detach(&pview);
+				if (zone != NULL)
+					check_dbtype(&zone, empty_dbtypec,
+						     empty_dbtype, mctx);
+				if (zone != NULL) {
+					dns_zone_setview(zone, view);
+					dns_zone_detach(&zone);
+					continue;
+				}
+			}
+
+			CHECK(dns_zone_create(&zone, mctx));
+			CHECK(dns_zone_setorigin(zone, name));
+			dns_zone_setview(zone, view);
+			CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
+			dns_zone_setclass(zone, view->rdclass);
+			dns_zone_settype(zone, dns_zone_master);
+			CHECK(dns_zone_setdbtype(zone, empty_dbtypec,
+					 	 empty_dbtype));
+			if (view->queryacl != NULL)
+				dns_zone_setqueryacl(zone, view->queryacl);
+			dns_zone_setdialup(zone, dns_dialuptype_no);
+			dns_zone_setnotifytype(zone, dns_notifytype_no);
+			dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS,
+					   ISC_TRUE);
+			CHECK(dns_view_addzone(view, zone));
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "automatic empty zone%s%s: %s",
+				      sep, viewname,  empty);
+			dns_zone_detach(&zone);
+		}
+	}
+	
 	result = ISC_R_SUCCESS;
 
  cleanup:
+	if (zone != NULL)
+		dns_zone_detach(&zone);
 	if (dispatch4 != NULL)
 		dns_dispatch_detach(&dispatch4);
 	if (dispatch6 != NULL)
@@ -1563,7 +2053,7 @@ create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
 static isc_result_t
 configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
-	       ns_aclconfctx_t *aclconf)
+	       cfg_aclconfctx_t *aclconf)
 {
 	dns_view_t *pview = NULL;	/* Production view */
 	dns_zone_t *zone = NULL;	/* New or reused zone */
@@ -1728,10 +2218,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 		result = dns_view_findzone(pview, origin, &zone);
 	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
 		goto cleanup;
-	if (zone != NULL) {
-		if (! ns_zone_reusable(zone, zconfig))
-			dns_zone_detach(&zone);
-	}
+	if (zone != NULL && !ns_zone_reusable(zone, zconfig))
+		dns_zone_detach(&zone);
 
 	if (zone != NULL) {
 		/*
@@ -1739,6 +2227,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 		 * new view.
 		 */
 		dns_zone_setview(zone, view);
+		if (view->acache != NULL)
+			dns_zone_setacache(zone, view->acache);
 	} else {
 		/*
 		 * We cannot reuse an existing zone, we have
@@ -1747,6 +2237,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 		CHECK(dns_zone_create(&zone, mctx));
 		CHECK(dns_zone_setorigin(zone, origin));
 		dns_zone_setview(zone, view);
+		if (view->acache != NULL)
+			dns_zone_setacache(zone, view->acache);
 		CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
 	}
 
@@ -2020,6 +2512,21 @@ heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) {
 	}
 }
 
+static void
+pps_timer_tick(isc_task_t *task, isc_event_t *event) {
+	static unsigned int oldrequests = 0;
+	unsigned int requests = ns_client_requests;
+
+	UNUSED(task);
+	isc_event_free(&event);
+
+	/*
+	 * Don't worry about wrapping as the overflow result will be right.
+	 */
+	dns_pps = (requests - oldrequests) / 1200;
+	oldrequests = requests;
+}
+
 /*
  * Replace the current value of '*field', a dynamically allocated
  * string or NULL, with a dynamically allocated copy of the
@@ -2122,10 +2629,36 @@ portlist_fromconf(dns_portlist_t *portlist, unsigned int family,
 }
 
 static isc_result_t
+removed(dns_zone_t *zone, void *uap) {
+	const char *type;
+
+        if (dns_zone_getview(zone) != uap)
+		return (ISC_R_SUCCESS);
+
+	switch (dns_zone_gettype(zone)) {
+	case dns_zone_master:
+		type = "master";
+		break;
+	case dns_zone_slave:
+		type = "slave";
+		break;
+	case dns_zone_stub:
+		type = "stub";
+		break;
+	default:
+		type = "other";
+		break;
+	}
+	dns_zone_log(zone, ISC_LOG_INFO, "(%s) removed", type);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
 load_configuration(const char *filename, ns_server_t *server,
 		   isc_boolean_t first_time)
 {
 	isc_result_t result;
+	isc_interval_t interval;
 	cfg_parser_t *parser = NULL;
 	cfg_obj_t *config;
 	const cfg_obj_t *options;
@@ -2139,14 +2672,14 @@ load_configuration(const char *filename, ns_server_t *server,
 	dns_view_t *view_next;
 	dns_viewlist_t viewlist;
 	dns_viewlist_t tmpviewlist;
-	ns_aclconfctx_t aclconfctx;
+	cfg_aclconfctx_t aclconfctx;
 	isc_uint32_t interface_interval;
 	isc_uint32_t heartbeat_interval;
 	isc_uint32_t udpsize;
 	in_port_t listen_port;
 	int i;
 
-	ns_aclconfctx_init(&aclconfctx);
+	cfg_aclconfctx_init(&aclconfctx);
 	ISC_LIST_INIT(viewlist);
 
 	/* Ensure exclusive access to configuration data. */
@@ -2401,7 +2934,6 @@ load_configuration(const char *filename, ns_server_t *server,
 				      isc_timertype_inactive,
 				      NULL, NULL, ISC_TRUE));
 	} else if (server->interface_interval != interface_interval) {
-		isc_interval_t interval;
 		isc_interval_set(&interval, interface_interval, 0);
 		CHECK(isc_timer_reset(server->interface_timer,
 				      isc_timertype_ticker,
@@ -2421,13 +2953,16 @@ load_configuration(const char *filename, ns_server_t *server,
 				      isc_timertype_inactive,
 				      NULL, NULL, ISC_TRUE));
 	} else if (server->heartbeat_interval != heartbeat_interval) {
-		isc_interval_t interval;
 		isc_interval_set(&interval, heartbeat_interval, 0);
 		CHECK(isc_timer_reset(server->heartbeat_timer,
 				      isc_timertype_ticker,
 				      NULL, &interval, ISC_FALSE));
 	}
 	server->heartbeat_interval = heartbeat_interval;
+	
+	isc_interval_set(&interval, 1200, 0);
+	CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL,
+			      &interval, ISC_FALSE));
 
 	/*
 	 * Configure and freeze all explicit views.  Explicit
@@ -2716,7 +3251,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	} else if (result == ISC_R_SUCCESS) {
 		CHECKM(setoptstring(server, &server->server_id, obj), "strdup");
 	} else {
-		result = setoptstring(server, &server->server_id, NULL);
+		result = setstring(server, &server->server_id, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	}
 
@@ -2731,7 +3266,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	result = ISC_R_SUCCESS;
 
  cleanup:
-	ns_aclconfctx_destroy(&aclconfctx);
+	cfg_aclconfctx_destroy(&aclconfctx);
 
 	if (parser != NULL) {
 		if (config != NULL)
@@ -2752,8 +3287,11 @@ load_configuration(const char *filename, ns_server_t *server,
 	     view = view_next) {
 		view_next = ISC_LIST_NEXT(view, link);
 		ISC_LIST_UNLINK(viewlist, view, link);
+		if (result == ISC_R_SUCCESS &&
+		    strcmp(view->name, "_bind") != 0)
+			(void)dns_zt_apply(view->zonetable, ISC_FALSE,
+					   removed, view);
 		dns_view_detach(&view);
-
 	}
 
 	/*
@@ -2860,6 +3398,11 @@ run_server(isc_task_t *task, isc_event_t *event) {
 				    server, &server->heartbeat_timer),
 		   "creating heartbeat timer");
 
+	CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
+				    NULL, NULL, server->task, pps_timer_tick,
+				    server, &server->pps_timer),
+		   "creating pps timer");
+
 	CHECKFATAL(cfg_parser_create(ns_g_mctx, NULL, &ns_g_parser),
 		   "creating default configuration parser");
 
@@ -2924,6 +3467,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
 
 	isc_timer_detach(&server->interface_timer);
 	isc_timer_detach(&server->heartbeat_timer);
+	isc_timer_detach(&server->pps_timer);
 
 	ns_interfacemgr_shutdown(server->interfacemgr);
 	ns_interfacemgr_detach(&server->interfacemgr);
@@ -3012,6 +3556,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 
 	server->interface_timer = NULL;
 	server->heartbeat_timer = NULL;
+	server->pps_timer = NULL;
 	
 	server->interface_interval = 0;
 	server->heartbeat_interval = 0;
@@ -3454,6 +3999,29 @@ ns_server_reconfigcommand(ns_server_t *server, char *args) {
 }
 
 /*
+ * Act on a "notify" command from the command channel.
+ */
+isc_result_t
+ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) {
+	isc_result_t result;
+	dns_zone_t *zone = NULL;
+	const unsigned char msg[] = "zone notify queued";
+
+	result = zone_from_args(server, args, &zone);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (zone == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+	
+	dns_zone_notify(zone);
+	dns_zone_detach(&zone);
+	if (sizeof(msg) <= isc_buffer_availablelength(text))
+		isc_buffer_putmem(text, msg, sizeof(msg));
+
+	return (ISC_R_SUCCESS);
+}	
+
+/*
  * Act on a "refresh" command from the command channel.
  */
 isc_result_t
@@ -3498,7 +4066,7 @@ ns_server_togglequerylog(ns_server_t *server) {
 
 static isc_result_t
 ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
-			 ns_aclconfctx_t *actx,
+			 cfg_aclconfctx_t *actx,
 			 isc_mem_t *mctx, ns_listenlist_t **target)
 {
 	isc_result_t result;
@@ -3537,7 +4105,7 @@ ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
  */
 static isc_result_t
 ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
-			ns_aclconfctx_t *actx,
+			cfg_aclconfctx_t *actx,
 			isc_mem_t *mctx, ns_listenelt_t **target)
 {
 	isc_result_t result;
@@ -3569,8 +4137,8 @@ ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	result = ns_acl_fromconfig(cfg_tuple_get(listener, "acl"),
-				   config, actx, mctx, &delt->acl);
+	result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"),
+				   config, ns_g_lctx, actx, mctx, &delt->acl);
 	if (result != ISC_R_SUCCESS) {
 		ns_listenelt_destroy(delt);
 		return (result);
@@ -3951,6 +4519,59 @@ ns_server_setdebuglevel(ns_server_t *server, char *args) {
 }
 
 isc_result_t
+ns_server_validation(ns_server_t *server, char *args) {
+	char *ptr, *viewname;
+	dns_view_t *view;
+	isc_boolean_t changed = ISC_FALSE;
+	isc_result_t result;
+	isc_boolean_t enable;
+
+	/* Skip the command name. */
+	ptr = next_token(&args, " \t");
+	if (ptr == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+
+	/* Find out what we are to do. */
+	ptr = next_token(&args, " \t");
+	if (ptr == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+
+	if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
+	    !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
+		enable = ISC_TRUE;
+	else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
+		 !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
+		enable = ISC_FALSE;
+	else
+		return (DNS_R_SYNTAX);
+
+	/* Look for the view name. */
+	viewname = next_token(&args, " \t");
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
+			continue;
+		result = dns_view_flushcache(view);
+		if (result != ISC_R_SUCCESS)
+			goto out;
+		view->enablevalidation = enable;
+		changed = ISC_TRUE;
+	}
+	if (changed)
+		result = ISC_R_SUCCESS;
+	else
+		result = ISC_R_FAILURE;
+ out:
+	isc_task_endexclusive(server->task);	
+	return (result);
+}
+
+isc_result_t
 ns_server_flushcache(ns_server_t *server, char *args) {
 	char *ptr, *viewname;
 	dns_view_t *view;
@@ -4059,12 +4680,13 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
 		     "xfers deferred: %u\n"
 		     "soa queries in progress: %u\n"
 		     "query logging is %s\n"
-		     "recursive clients: %d/%d\n"
+		     "recursive clients: %d/%d/%d\n"
 		     "tcp clients: %d/%d\n"
 		     "server is up and running",
 		     zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
 		     soaqueries, server->log_queries ? "ON" : "OFF",
-		     server->recursionquota.used, server->recursionquota.max,
+		     server->recursionquota.used, server->recursionquota.soft,
+		     server->recursionquota.max,
 		     server->tcpquota.used, server->tcpquota.max);
 	if (n >= isc_buffer_availablelength(text))
 		return (ISC_R_NOSPACE);
@@ -4073,11 +4695,11 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
 }
 
 /*
- * Act on a "freeze" or "unfreeze" command from the command channel.
+ * Act on a "freeze" or "thaw" command from the command channel.
  */
 isc_result_t
 ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) {
-	isc_result_t result;
+	isc_result_t result, tresult;
 	dns_zone_t *zone = NULL;
 	dns_zonetype_t type;
 	char classstr[DNS_RDATACLASS_FORMATSIZE];
@@ -4090,8 +4712,26 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) {
 	result = zone_from_args(server, args, &zone);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	if (zone == NULL)
-		return (ISC_R_UNEXPECTEDEND);
+	if (zone == NULL) {
+		result = isc_task_beginexclusive(server->task);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		tresult = ISC_R_SUCCESS;
+	        for (view = ISC_LIST_HEAD(server->viewlist);
+		     view != NULL;
+		     view = ISC_LIST_NEXT(view, link)) {
+			result = dns_view_freezezones(view, freeze);
+			if (result != ISC_R_SUCCESS &&
+			    tresult == ISC_R_SUCCESS)
+				tresult = result;
+		}
+		isc_task_endexclusive(server->task);
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "%s all zones: %s",
+			      freeze ? "freezing" : "thawing",
+			      isc_result_totext(tresult));
+		return (tresult);
+	}
 	type = dns_zone_gettype(zone);
 	if (type != dns_zone_master) {
 		dns_zone_detach(&zone);
@@ -4137,7 +4777,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) {
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 		      "%s zone '%s/%s'%s%s: %s",
-		      freeze ? "freezing" : "unfreezing",
+		      freeze ? "freezing" : "thawing",
 		      zonename, classstr, sep, vname,
 		      isc_result_totext(result));
 	dns_zone_detach(&zone);
diff --git a/contrib/bind9/bin/named/sortlist.c b/contrib/bind9/bin/named/sortlist.c
index 0feba3b..28f0360 100644
--- a/contrib/bind9/bin/named/sortlist.c
+++ b/contrib/bind9/bin/named/sortlist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.c,v 1.5.12.6 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: sortlist.c,v 1.9.18.4 2006/03/02 00:37:21 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/bin/named/tkeyconf.c b/contrib/bind9/bin/named/tkeyconf.c
index f23c1db..3c843ac 100644
--- a/contrib/bind9/bin/named/tkeyconf.c
+++ b/contrib/bind9/bin/named/tkeyconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.c,v 1.19.208.4 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: tkeyconf.c,v 1.20.18.6 2006/03/02 00:37:21 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/bin/named/tsigconf.c b/contrib/bind9/bin/named/tsigconf.c
index a90438d..7fa7fe5 100644
--- a/contrib/bind9/bin/named/tsigconf.c
+++ b/contrib/bind9/bin/named/tsigconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.c,v 1.21.208.6 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: tsigconf.c,v 1.22.18.6 2006/02/28 03:10:47 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -38,6 +40,7 @@ static isc_result_t
 add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
 		 isc_mem_t *mctx)
 {
+	dns_tsigkey_t *tsigkey = NULL;
 	const cfg_listelt_t *element;
 	const cfg_obj_t *key = NULL;
 	const char *keyid = NULL;
@@ -46,6 +49,7 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
 	int secretlen = 0;
 	isc_result_t ret;
 	isc_stdtime_t now;
+	isc_uint16_t bits;
 
 	for (element = cfg_list_first(list);
 	     element != NULL;
@@ -86,10 +90,11 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
 		 * Create the algorithm.
 		 */
 		algstr = cfg_obj_asstring(algobj);
-		if (ns_config_getkeyalgorithm(algstr, &alg) != ISC_R_SUCCESS) {
+		if (ns_config_getkeyalgorithm(algstr, &alg, &bits)
+		    != ISC_R_SUCCESS) {
 			cfg_obj_log(algobj, ns_g_lctx, ISC_LOG_ERROR,
-				    "key '%s': the only supported algorithm "
-				    "is hmac-md5", keyid);
+				    "key '%s': has a unsupported algorithm '%s'",
+				    keyid, algstr);
 			ret = DNS_R_BADALG;
 			goto failure;
 		}
@@ -110,11 +115,16 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
 		isc_stdtime_get(&now);
 		ret = dns_tsigkey_create(&keyname, alg, secret, secretlen,
 					 ISC_FALSE, NULL, now, now,
-					 mctx, ring, NULL);
+					 mctx, ring, &tsigkey);
 		isc_mem_put(mctx, secret, secretalloc);
 		secret = NULL;
 		if (ret != ISC_R_SUCCESS)
 			goto failure;
+		/*
+		 * Set digest bits.
+		 */
+		dst_key_setbits(tsigkey->key, bits);
+		dns_tsigkey_detach(&tsigkey);
 	}
 
 	return (ISC_R_SUCCESS);
@@ -127,7 +137,6 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
 	if (secret != NULL)
 		isc_mem_put(mctx, secret, secretalloc);
 	return (ret);
-
 }
 
 isc_result_t
diff --git a/contrib/bind9/bin/named/unix/Makefile.in b/contrib/bind9/bin/named/unix/Makefile.in
index 60ce968..a18351a 100644
--- a/contrib/bind9/bin/named/unix/Makefile.in
+++ b/contrib/bind9/bin/named/unix/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6.12.3 2004/03/08 09:04:15 marka Exp $
+# $Id: Makefile.in,v 1.8 2004/03/05 04:58:01 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/bin/named/unix/include/named/os.h b/contrib/bind9/bin/named/unix/include/named/os.h
index 03baee5..24afdcb 100644
--- a/contrib/bind9/bin/named/unix/include/named/os.h
+++ b/contrib/bind9/bin/named/unix/include/named/os.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.h,v 1.14.2.2.8.9 2004/09/29 06:36:44 marka Exp $ */
+/* $Id: os.h,v 1.22.18.3 2005/04/29 00:15:39 marka Exp $ */
 
 #ifndef NS_OS_H
 #define NS_OS_H 1
 
+/*! \file */
+
 #include <isc/types.h>
 
 void
diff --git a/contrib/bind9/bin/named/unix/os.c b/contrib/bind9/bin/named/unix/os.c
index 361d1b6..3864612 100644
--- a/contrib/bind9/bin/named/unix/os.c
+++ b/contrib/bind9/bin/named/unix/os.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.46.2.4.8.24 2006/02/03 23:51:37 marka Exp $ */
+/* $Id: os.c,v 1.66.18.11 2006/02/03 23:51:38 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 #include <stdarg.h>
@@ -114,7 +116,7 @@ static int dfd[2] = { -1, -1 };
 static isc_boolean_t non_root = ISC_FALSE;
 static isc_boolean_t non_root_caps = ISC_FALSE;
 
-/*
+/*%
  * We define _LINUX_FS_H to prevent it from being included.  We don't need
  * anything from it, and the files it includes cause warnings with 2.2
  * kernels, and compilation failures (due to conflicts between <linux/string.h>
@@ -176,7 +178,7 @@ static void
 linux_initialprivs(void) {
 	unsigned int caps;
 
-	/*
+	/*%
 	 * We don't need most privileges, so we drop them right away.
 	 * Later on linux_minprivs() will be called, which will drop our
 	 * capabilities to the minimum needed to run the server.
@@ -231,7 +233,7 @@ static void
 linux_minprivs(void) {
 	unsigned int caps;
 
-	/*
+	/*%
 	 * Drop all privileges except the ability to bind() to privileged
 	 * ports.
 	 *
@@ -258,7 +260,7 @@ linux_minprivs(void) {
 static void
 linux_keepcaps(void) {
 	char strbuf[ISC_STRERRORSIZE];
-	/*
+	/*%
 	 * Ask the kernel to allow us to keep our capabilities after we
 	 * setuid().
 	 */
diff --git a/contrib/bind9/bin/named/update.c b/contrib/bind9/bin/named/update.c
index fa0ddb0..0547761 100644
--- a/contrib/bind9/bin/named/update.c
+++ b/contrib/bind9/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.88.2.5.2.29 2006/01/06 00:01:42 marka Exp $ */
+/* $Id: update.c,v 1.109.18.19 2006/03/06 01:38:00 marka Exp $ */
 
 #include <config.h>
 
@@ -31,6 +31,7 @@
 #include <dns/events.h>
 #include <dns/fixedname.h>
 #include <dns/journal.h>
+#include <dns/keyvalues.h>
 #include <dns/message.h>
 #include <dns/nsec.h>
 #include <dns/rdataclass.h>
@@ -48,7 +49,8 @@
 #include <named/log.h>
 #include <named/update.h>
 
-/*
+/*! \file
+ * \brief
  * This module implements dynamic update as in RFC2136.
  */
 
@@ -59,17 +61,17 @@
 
 /**************************************************************************/
 
-/*
+/*%
  * Log level for tracing dynamic update protocol requests.
  */
 #define LOGLEVEL_PROTOCOL	ISC_LOG_INFO
 
-/*
+/*%
  * Log level for low-level debug tracing.
  */
 #define LOGLEVEL_DEBUG 		ISC_LOG_DEBUG(8)
 
-/*
+/*%
  * Check an operation for failure.  These macros all assume that
  * the function using them has a 'result' variable and a 'failure'
  * label.
@@ -79,7 +81,7 @@
 	       if (result != ISC_R_SUCCESS) goto failure; 	 \
 	} while (0)
 
-/*
+/*%
  * Fail unconditionally with result 'code', which must not
  * be ISC_R_SUCCESS.  The reason for failure presumably has
  * been logged already.
@@ -94,7 +96,7 @@
 		if (result != ISC_R_SUCCESS) goto failure;	\
 	} while (0)
 
-/*
+/*%
  * Fail unconditionally and log as a client error.
  * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
  * from complaining about "end-of-loop code not reached".
@@ -160,7 +162,7 @@
 		}							\
 		if (result != ISC_R_SUCCESS) goto failure;		\
 	} while (0)
-/*
+/*%
  * Fail unconditionally and log as a server error.
  * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
  * from complaining about "end-of-loop code not reached".
@@ -270,12 +272,12 @@ checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
 	return (result);
 }
 
-/*
+/*%
  * Update a single RR in version 'ver' of 'db' and log the
  * update in 'diff'.
  *
  * Ensures:
- *   '*tuple' == NULL.  Either the tuple is freed, or its
+ * \li  '*tuple' == NULL.  Either the tuple is freed, or its
  *         ownership has been transferred to the diff.
  */
 static isc_result_t
@@ -313,12 +315,12 @@ do_one_tuple(dns_difftuple_t **tuple,
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * Perform the updates in 'updates' in version 'ver' of 'db' and log the
  * update in 'diff'.
  *
  * Ensures:
- *   'updates' is empty.
+ * \li  'updates' is empty.
  */
 static isc_result_t
 do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver,
@@ -371,17 +373,17 @@ update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
  * XXXRTH  We might want to make this public somewhere in libdns.
  */
 
-/*
+/*%
  * Function type for foreach_rrset() iterator actions.
  */
 typedef isc_result_t rrset_func(void *data, dns_rdataset_t *rrset);
 
-/*
+/*%
  * Function type for foreach_rr() iterator actions.
  */
 typedef isc_result_t rr_func(void *data, rr_t *rr);
 
-/*
+/*%
  * Internal context struct for foreach_node_rr().
  */
 typedef struct {
@@ -389,7 +391,7 @@ typedef struct {
 	void *		rr_action_data;
 } foreach_node_rr_ctx_t;
 
-/*
+/*%
  * Internal helper function for foreach_node_rr().
  */
 static isc_result_t
@@ -413,7 +415,7 @@ foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) {
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * For each rdataset of 'name' in 'ver' of 'db', call 'action'
  * with the rdataset and 'action_data' as arguments.  If the name
  * does not exist, do nothing.
@@ -471,7 +473,7 @@ foreach_rrset(dns_db_t *db,
 	return (result);
 }
 
-/*
+/*%
  * For each RR of 'name' in 'ver' of 'db', call 'action'
  * with the RR and 'action_data' as arguments.  If the name
  * does not exist, do nothing.
@@ -494,7 +496,7 @@ foreach_node_rr(dns_db_t *db,
 }
 
 
-/*
+/*%
  * For each of the RRs specified by 'db', 'ver', 'name', 'type',
  * (which can be dns_rdatatype_any to match any type), and 'covers', call
  * 'action' with the RR and 'action_data' as arguments. If the name
@@ -566,13 +568,13 @@ foreach_rr(dns_db_t *db,
  * Various tests on the database contents (for prerequisites, etc).
  */
 
-/*
+/*%
  * Function type for predicate functions that compare a database RR 'db_rr'
  * against an update RR 'update_rr'.
  */
 typedef isc_boolean_t rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr);
 
-/*
+/*%
  * Helper function for rrset_exists().
  */
 static isc_result_t
@@ -582,7 +584,7 @@ rrset_exists_action(void *data, rr_t *rr) {
 	return (ISC_R_EXISTS);
 }
 
-/*
+/*%
  * Utility macro for RR existence checking functions.
  *
  * If the variable 'result' has the value ISC_R_EXISTS or
@@ -602,7 +604,7 @@ rrset_exists_action(void *data, rr_t *rr) {
 		 (*exists = ISC_FALSE, ISC_R_SUCCESS) :	\
 		 result))
 
-/*
+/*%
  * Set '*exists' to true iff an rrset of the given type exists,
  * to false otherwise.
  */
@@ -617,7 +619,7 @@ rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
 	RETURN_EXISTENCE_FLAG;
 }
 
-/*
+/*%
  * Helper function for cname_incompatible_rrset_exists.
  */
 static isc_result_t
@@ -629,7 +631,7 @@ cname_compatibility_action(void *data, dns_rdataset_t *rrset) {
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * Check whether there is an rrset incompatible with adding a CNAME RR,
  * i.e., anything but another CNAME (which can be replaced) or a
  * DNSSEC RR (which can coexist).
@@ -646,7 +648,7 @@ cname_incompatible_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
 	RETURN_EXISTENCE_FLAG;
 }
 
-/*
+/*%
  * Helper function for rr_count().
  */
 static isc_result_t
@@ -657,7 +659,7 @@ count_rr_action(void *data, rr_t *rr) {
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'.
  */
 static isc_result_t
@@ -669,7 +671,7 @@ rr_count(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 			   count_rr_action, countp));
 }
 
-/*
+/*%
  * Context struct and helper function for name_exists().
  */
 
@@ -680,7 +682,7 @@ name_exists_action(void *data, dns_rdataset_t *rrset) {
 	return (ISC_R_EXISTS);
 }
 
-/*
+/*%
  * Set '*exists' to true iff the given name exists, to false otherwise.
  */
 static isc_result_t
@@ -741,7 +743,7 @@ ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
  */
 
 
-/*
+/*%
  * Append a tuple asserting the existence of the RR with
  * 'name' and 'rdata' to 'diff'.
  */
@@ -758,7 +760,7 @@ temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) {
 	return (result);
 }
 
-/*
+/*%
  * Compare two rdatasets represented as sorted lists of tuples.
  * All list elements must have the same owner name and type.
  * Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset)
@@ -783,7 +785,7 @@ temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) {
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * A comparison function defining the sorting order for the entries
  * in the "temp" data structure.  The major sort key is the owner name,
  * followed by the type and rdata.
@@ -805,7 +807,7 @@ temp_order(const void *av, const void *bv) {
 	return (r);
 }
 
-/*
+/*%
  * Check the "RRset exists (value dependent)" prerequisite information
  * in 'temp' against the contents of the database 'db'.
  *
@@ -948,7 +950,7 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
  * Conditional deletion of RRs.
  */
 
-/*
+/*%
  * Context structure for delete_if().
  */
 
@@ -961,11 +963,11 @@ typedef struct {
 	dns_rdata_t *update_rr;
 } conditional_delete_ctx_t;
 
-/*
+/*%
  * Predicate functions for delete_if().
  */
 
-/*
+/*%
  * Return true iff 'db_rr' is neither a SOA nor an NS RR nor
  * an RRSIG nor a NSEC.
  */
@@ -979,7 +981,7 @@ type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
 		ISC_TRUE : ISC_FALSE);
 }
 
-/*
+/*%
  * Return true iff 'db_rr' is neither a RRSIG nor a NSEC.
  */
 static isc_boolean_t
@@ -990,7 +992,7 @@ type_not_dnssec(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
 		ISC_TRUE : ISC_FALSE);
 }
 
-/*
+/*%
  * Return true always.
  */
 static isc_boolean_t
@@ -1000,7 +1002,7 @@ true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
 	return (ISC_TRUE);
 }
 
-/*
+/*%
  * Return true iff the two RRs have identical rdata.
  */
 static isc_boolean_t
@@ -1014,7 +1016,7 @@ rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
 		ISC_TRUE : ISC_FALSE);
 }
 
-/*
+/*%
  * Return true iff 'update_rr' should replace 'db_rr' according
  * to the special RFC2136 rules for CNAME, SOA, and WKS records.
  *
@@ -1048,7 +1050,7 @@ replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
 	return (ISC_FALSE);
 }
 
-/*
+/*%
  * Internal helper function for delete_if().
  */
 static isc_result_t
@@ -1065,7 +1067,7 @@ delete_if_action(void *data, rr_t *rr) {
 	}
 }
 
-/*
+/*%
  * Conditionally delete RRs.  Apply 'predicate' to the RRs
  * specified by 'db', 'ver', 'name', and 'type' (which can
  * be dns_rdatatype_any to match any type).  Delete those
@@ -1094,7 +1096,7 @@ delete_if(rr_predicate *predicate,
 }
 
 /**************************************************************************/
-/*
+/*%
  * Prepare an RR for the addition of the new RR 'ctx->update_rr',
  * with TTL 'ctx->update_rr_ttl', to its rdataset, by deleting
  * the RRs if it is replaced by the new RR or has a conflicting TTL.
@@ -1175,7 +1177,7 @@ add_rr_prepare_action(void *data, rr_t *rr) {
  * Miscellaneous subroutines.
  */
 
-/*
+/*%
  * Extract a single update RR from 'section' of dynamic update message
  * 'msg', with consistency checking.
  *
@@ -1205,7 +1207,7 @@ get_current_rr(dns_message_t *msg, dns_section_t section,
 	rdata->rdclass = zoneclass;
 }
 
-/*
+/*%
  * Increment the SOA serial number of database 'db', version 'ver'.
  * Replace the SOA record in the database, and log the
  * change in 'diff'.
@@ -1250,7 +1252,7 @@ increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver,
 	return (result);
 }
 
-/*
+/*%
  * Check that the new SOA record at 'update_rdata' does not
  * illegally cause the SOA serial number to decrease or stay
  * unchanged relative to the existing SOA in 'db'.
@@ -1300,9 +1302,9 @@ check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
  * Incremental updating of NSECs and RRSIGs.
  */
 
-#define MAXZONEKEYS 32	/* Maximum number of zone keys supported. */
+#define MAXZONEKEYS 32	/*%< Maximum number of zone keys supported. */
 
-/*
+/*%
  * We abuse the dns_diff_t type to represent a set of domain names
  * affected by the update.
  */
@@ -1310,8 +1312,8 @@ static isc_result_t
 namelist_append_name(dns_diff_t *list, dns_name_t *name) {
 	isc_result_t result;
 	dns_difftuple_t *tuple = NULL;
-	static dns_rdata_t dummy_rdata = { NULL, 0, 0, 0, 0,
-					   { (void*)(-1), (void*)(-1) } };
+	static dns_rdata_t dummy_rdata = DNS_RDATA_INIT;
+
 	CHECK(dns_difftuple_create(list->mctx, DNS_DIFFOP_EXISTS, name, 0,
 				   &dummy_rdata, &tuple));
 	dns_diff_append(list, &tuple);
@@ -1353,7 +1355,7 @@ namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected)
 
 
 
-/*
+/*%
  * Helper function for non_nsec_rrset_exists().
  */
 static isc_result_t
@@ -1366,7 +1368,7 @@ is_non_nsec_action(void *data, dns_rdataset_t *rrset) {
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * Check whether there is an rrset other than a NSEC or RRSIG NSEC,
  * i.e., anything that justifies the continued existence of a name
  * after a secure update.
@@ -1384,7 +1386,7 @@ non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
 	RETURN_EXISTENCE_FLAG;
 }
 
-/*
+/*%
  * A comparison function for sorting dns_diff_t:s by name.
  */
 static int
@@ -1449,7 +1451,7 @@ is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	}
 }
 
-/*
+/*%
  * Find the next/previous name that has a NSEC record.
  * In other words, skip empty database nodes and names that
  * have had their NSECs removed because they are obscured by
@@ -1512,7 +1514,7 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	return (result);
 }
 
-/*
+/*%
  * Add a NSEC record for "name", recording the change in "diff".
  * The existing NSEC is removed.
  */
@@ -1564,7 +1566,7 @@ add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	return (result);
 }
 
-/*
+/*%
  * Add a placeholder NSEC record for "name", recording the change in "diff".
  */
 static isc_result_t
@@ -1603,14 +1605,52 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 	return (result);
 }
 
-/*
+static isc_boolean_t
+ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) {
+	isc_boolean_t ret = ISC_FALSE;
+	isc_boolean_t have_ksk = ISC_FALSE, have_nonksk = ISC_FALSE;
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_dnskey_t dnskey;
+
+	dns_rdataset_init(&rdataset);
+	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
+	CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
+				   &rdataset, NULL));
+	CHECK(dns_rdataset_first(&rdataset));
+	while (result == ISC_R_SUCCESS && (!have_ksk || !have_nonksk)) {
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
+		if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
+				 == DNS_KEYOWNER_ZONE) {
+			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0)
+				have_ksk = ISC_TRUE;
+			else
+				have_nonksk = ISC_TRUE;
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(&rdataset);
+	}
+	if (have_ksk && have_nonksk)
+		ret = ISC_TRUE;
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (ret);
+}
+
+/*%
  * Add RRSIG records for an RRset, recording the change in "diff".
  */
 static isc_result_t
 add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	 dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
 	 unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
-	 isc_stdtime_t expire)
+	 isc_stdtime_t expire, isc_boolean_t check_ksk)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
@@ -1631,6 +1671,11 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	dns_db_detachnode(db, &node);
 
 	for (i = 0; i < nkeys; i++) {
+		
+		if (check_ksk && type != dns_rdatatype_dnskey &&
+		    (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
+			continue;
+		
 		/* Calculate the signature, creating a RRSIG RDATA. */
 		CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
 				      &inception, &expire,
@@ -1651,7 +1696,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	return (result);
 }
 
-/*
+/*%
  * Update RRSIG and NSEC records affected by an update.  The original
  * update, including the SOA serial update but exluding the RRSIG & NSEC
  * changes, is in "diff" and has already been applied to "newver" of "db".
@@ -1684,6 +1729,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdataset_t rdataset;
 	dns_dbnode_t *node = NULL;
+	isc_boolean_t check_ksk;
 
 	dns_diff_init(client->mctx, &diffnames);
 	dns_diff_init(client->mctx, &affected);
@@ -1705,6 +1751,17 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	expire = now + sigvalidityinterval;
 
 	/*
+	 * Do we look at the KSK flag on the DNSKEY to determining which
+	 * keys sign which RRsets?  First check the zone option then
+	 * check the keys flags to make sure atleast one has a ksk set
+	 * and one doesn't.
+	 */
+	check_ksk = ISC_TF((dns_zone_getoptions(zone) &
+			    DNS_ZONEOPT_UPDATECHECKKSK) != 0);
+	if (check_ksk)
+		check_ksk = ksk_sanity(db, newver);
+
+	/*
 	 * Get the NSEC's TTL from the SOA MINIMUM field.
 	 */
 	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
@@ -1763,7 +1820,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 				CHECK(add_sigs(db, newver, name, type,
 					       &sig_diff, zone_keys, nkeys,
 					       client->mctx, inception,
-					       expire));
+					       expire, check_ksk));
 			}
 		skip:
 			/* Skip any other updates to the same RRset. */
@@ -1948,7 +2005,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		} else if (t->op == DNS_DIFFOP_ADD) {
 			CHECK(add_sigs(db, newver, &t->name, dns_rdatatype_nsec,
 				       &sig_diff, zone_keys, nkeys,
-				       client->mctx, inception, expire));
+				       client->mctx, inception, expire,
+				       check_ksk));
 		} else {
 			INSIST(0);
 		}
@@ -1984,7 +2042,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 
 
 /**************************************************************************/
-/*
+/*%
  * The actual update code in all its glory.  We try to follow
  * the RFC2136 pseudocode as closely as possible.
  */
@@ -2113,7 +2171,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
 		dns_zone_detach(&zone);
 }
 
-/*
+/*%
  * DS records are not allowed to exist without corresponding NS records,
  * draft-ietf-dnsext-delegation-signer-11.txt, 2.2 Protocol Change,
  * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex".
@@ -2148,6 +2206,112 @@ remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) {
 	return (result);
 }
 
+/*
+ * This implements the post load integrity checks for mx records.
+ */
+static isc_result_t
+check_mx(ns_client_t *client, dns_zone_t *zone,
+	 dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff)
+{
+	char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")];
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_difftuple_t *t;
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	dns_rdata_mx_t mx;
+	dns_rdata_t rdata;
+	isc_boolean_t ok = ISC_TRUE;
+	isc_boolean_t isaddress;
+	isc_result_t result;
+	struct in6_addr addr6;
+	struct in_addr addr;
+	unsigned int options;
+
+	dns_fixedname_init(&fixed);
+	foundname = dns_fixedname_name(&fixed);
+	dns_rdata_init(&rdata);
+	options = dns_zone_getoptions(zone);
+
+	for (t = ISC_LIST_HEAD(diff->tuples);
+	     t != NULL;
+	     t = ISC_LIST_NEXT(t, link)) {
+		if (t->op != DNS_DIFFOP_DEL ||
+		    t->rdata.type != dns_rdatatype_mx)
+			continue;
+
+		result = dns_rdata_tostruct(&t->rdata, &mx, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		/*
+		 * Check if we will error out if we attempt to reload the
+		 * zone.
+		 */
+		dns_name_format(&mx.mx, namebuf, sizeof(namebuf));
+		dns_name_format(&t->name, ownerbuf, sizeof(ownerbuf));
+		isaddress = ISC_FALSE;
+		if ((options & DNS_RDATA_CHECKMX) != 0 &&
+		    strlcpy(tmp, namebuf, sizeof(tmp)) < sizeof(tmp)) {
+			if (tmp[strlen(tmp) - 1] == '.')
+				tmp[strlen(tmp) - 1] = '\0';
+			if (inet_aton(tmp, &addr) == 1 ||
+			    inet_pton(AF_INET6, tmp, &addr6) == 1)
+				isaddress = ISC_TRUE;
+		}
+
+		if (isaddress && (options & DNS_RDATA_CHECKMXFAIL) != 0) {
+			update_log(client, zone, ISC_LOG_ERROR,
+				   "%s/MX: '%s': %s",
+				   ownerbuf, namebuf,
+				   dns_result_totext(DNS_R_MXISADDRESS));
+			ok = ISC_FALSE;
+		} else if (isaddress) {
+			update_log(client, zone, ISC_LOG_WARNING,
+				   "%s/MX: warning: '%s': %s",
+				   ownerbuf, namebuf,
+				   dns_result_totext(DNS_R_MXISADDRESS));
+		}
+		
+		/*
+		 * Check zone integrity checks.
+		 */
+		if ((options & DNS_ZONEOPT_CHECKINTEGRITY) == 0)
+			continue;
+		result = dns_db_find(db, &mx.mx, newver, dns_rdatatype_a,
+				     0, 0, NULL, foundname, NULL, NULL);
+		if (result == ISC_R_SUCCESS)
+			continue;
+
+		if (result == DNS_R_NXRRSET) {
+			result = dns_db_find(db, &mx.mx, newver,
+					     dns_rdatatype_aaaa,
+					     0, 0, NULL, foundname,
+					     NULL, NULL);
+			if (result == ISC_R_SUCCESS)
+				continue;
+		}
+
+		if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN) {
+			update_log(client, zone, ISC_LOG_ERROR,
+				   "%s/MX '%s' has no address records "
+				   "(A or AAAA)", ownerbuf, namebuf);
+			ok = ISC_FALSE;
+		} else if (result == DNS_R_CNAME) {
+			update_log(client, zone, ISC_LOG_ERROR,
+				   "%s/MX '%s' is a CNAME (illegal)",
+				   ownerbuf, namebuf);
+			ok = ISC_FALSE;
+		} else if (result == DNS_R_DNAME) {
+			dns_name_format(foundname, altbuf, sizeof altbuf);
+			update_log(client, zone, ISC_LOG_ERROR,
+				   "%s/MX '%s' is below a DNAME '%s' (illegal)",
+				   ownerbuf, namebuf, altbuf);
+			ok = ISC_FALSE;
+		}
+	}
+	return (ok ? ISC_R_SUCCESS : DNS_R_REFUSED);
+}
+
 static void
 update_action(isc_task_t *task, isc_event_t *event) {
 	update_event_t *uev = (update_event_t *) event;
@@ -2169,6 +2333,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	dns_ssutable_t *ssutable = NULL;
 	dns_fixedname_t tmpnamefixed;
 	dns_name_t *tmpname = NULL;
+	unsigned int options;
 
 	INSIST(event->ev_type == DNS_EVENT_UPDATE);
 
@@ -2402,6 +2567,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	 * Process the Update Section.
 	 */
 
+	options = dns_zone_getoptions(zone);
 	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
 	     result == ISC_R_SUCCESS;
 	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
@@ -2418,7 +2584,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 		if (update_class == zoneclass) {
 
 			/*
-			 * RFC 1123 doesn't allow MF and MD in master zones.				 */
+			 * RFC1123 doesn't allow MF and MD in master zones.				 */
 			if (rdata.type == dns_rdatatype_md ||
 			    rdata.type == dns_rdatatype_mf) {
 				char typebuf[DNS_RDATATYPE_FORMATSIZE];
@@ -2488,6 +2654,15 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				}
 				soa_serial_changed = ISC_TRUE;
 			}
+			if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 &&
+			    dns_name_internalwildcard(name)) {
+				char namestr[DNS_NAME_FORMATSIZE];
+				dns_name_format(name, namestr,
+						sizeof(namestr));
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "warning: ownername '%s' contains "
+					   "a non-terminal wildcard", namestr);
+			}
 
 			if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) {
 				char namestr[DNS_NAME_FORMATSIZE];
@@ -2636,6 +2811,8 @@ update_action(isc_task_t *task, isc_event_t *event) {
 			CHECK(increment_soa_serial(db, ver, &diff, mctx));
 		}
 
+		CHECK(check_mx(client, zone, db, ver, &diff));
+
 		CHECK(remove_orphaned_ds(db, ver, &diff));
 
 		if (dns_db_issecure(db)) {
@@ -2747,7 +2924,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
 	ns_client_detach(&client);
 }
 
-/*
+/*%
  * Update forwarding support.
  */
 
diff --git a/contrib/bind9/bin/named/xfrout.c b/contrib/bind9/bin/named/xfrout.c
index 687c287..9fe90a2 100644
--- a/contrib/bind9/bin/named/xfrout.c
+++ b/contrib/bind9/bin/named/xfrout.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrout.c,v 1.101.2.5.2.12 2005/10/14 02:13:05 marka Exp $ */
+/* $Id: xfrout.c,v 1.115.18.8 2006/03/05 23:58:51 marka Exp $ */
 
 #include <config.h>
 
@@ -27,6 +27,9 @@
 
 #include <dns/db.h>
 #include <dns/dbiterator.h>
+#ifdef DLZ
+#include <dns/dlz.h>
+#endif
 #include <dns/fixedname.h>
 #include <dns/journal.h>
 #include <dns/message.h>
@@ -48,7 +51,8 @@
 #include <named/server.h>
 #include <named/xfrout.h>
 
-/*
+/*! \file 
+ * \brief
  * Outgoing AXFR and IXFR.
  */
 
@@ -71,7 +75,7 @@
 
 #define XFROUT_RR_LOGLEVEL	ISC_LOG_DEBUG(8)
 
-/*
+/*%
  * Fail unconditionally and log as a client error.
  * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
  * from complaining about "end-of-loop code not reached".
@@ -106,13 +110,14 @@
 	} while (0)
 
 /**************************************************************************/
-/*
+/*%
  * A db_rr_iterator_t is an iterator that iterates over an entire database,
  * returning one RR at a time, in some arbitrary order.
  */
 
 typedef struct db_rr_iterator db_rr_iterator_t;
 
+/*% db_rr_iterator structure */
 struct db_rr_iterator {
 	isc_result_t		result;
 	dns_db_t		*db;
@@ -195,7 +200,7 @@ db_rr_iterator_first(db_rr_iterator_t *it) {
 			continue;
 		}
 		dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
-
+		it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
 		it->result = dns_rdataset_first(&it->rdataset);
 		return (it->result);
 	}
@@ -245,6 +250,7 @@ db_rr_iterator_next(db_rr_iterator_t *it) {
 		if (it->result != ISC_R_SUCCESS)
 			return (it->result);
 		dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
+		it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
 		it->result = dns_rdataset_first(&it->rdataset);
 		if (it->result != ISC_R_SUCCESS)
 			return (it->result);
@@ -283,7 +289,7 @@ db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name,
 
 /**************************************************************************/
 
-/* Log an RR (for debugging) */
+/*% Log an RR (for debugging) */
 
 static void
 log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) {
@@ -903,6 +909,9 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 	char msg[NS_CLIENT_ACLMSGSIZE("zone transfer")];
 	char keyname[DNS_NAME_FORMATSIZE];
 	isc_boolean_t is_poll = ISC_FALSE;
+#ifdef DLZ
+	isc_boolean_t is_dlz = ISC_FALSE;
+#endif
 
 	switch (reqtype) {
 	case dns_rdatatype_axfr:
@@ -953,19 +962,71 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 
 	result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
 			     &zone);
+
 	if (result != ISC_R_SUCCESS)
-		FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
-		      question_name, question_class);
-	switch(dns_zone_gettype(zone)) {
-	case dns_zone_master:
-	case dns_zone_slave:
-		break;	/* Master and slave zones are OK for transfer. */
-	default:
-		FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
-		      question_name, question_class);
+#ifdef DLZ
+	{
+		/*
+		 * Normal zone table does not have a match.  Try the DLZ database
+		 */
+	    	if (client->view->dlzdatabase != NULL) {
+			result = dns_dlzallowzonexfr(client->view,
+						     question_name, &client->peeraddr,
+						     &db);
+
+			if (result == ISC_R_NOPERM) {
+				char _buf1[DNS_NAME_FORMATSIZE];
+				char _buf2[DNS_RDATACLASS_FORMATSIZE];
+
+				result = DNS_R_REFUSED;
+				dns_name_format(question_name, _buf1,
+						sizeof(_buf1));
+				dns_rdataclass_format(question_class,
+						      _buf2, sizeof(_buf2));
+				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+					      NS_LOGMODULE_XFER_OUT,
+					      ISC_LOG_ERROR,
+					      "zone transfer '%s/%s' denied",
+					      _buf1, _buf2);
+				goto failure;
+			}
+			if (result != ISC_R_SUCCESS)
+#endif
+			FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
+				  question_name, question_class);
+#ifdef DLZ
+			is_dlz = ISC_TRUE;
+			/*
+			 * DLZ only support full zone transfer, not incremental
+			 */
+			if (reqtype != dns_rdatatype_axfr) {
+				mnemonic = "AXFR-style IXFR";
+				reqtype = dns_rdatatype_axfr;
+			}
+
+		} else {
+			/*
+		 	 * not DLZ and not in normal zone table, we are
+			 * not authoritative
+			 */
+			FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
+			      question_name, question_class);
+		}
+	} else {
+		/* zone table has a match */
+#endif
+		switch(dns_zone_gettype(zone)) {
+			case dns_zone_master:
+			case dns_zone_slave:
+				break;	/* Master and slave zones are OK for transfer. */
+			default:
+				FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", question_name, question_class);
+			}
+		CHECK(dns_zone_getdb(zone, &db));
+		dns_db_currentversion(db, &ver);
+#ifdef DLZ
 	}
-	CHECK(dns_zone_getdb(zone, &db));
-	dns_db_currentversion(db, &ver);
+#endif
 
 	xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
 		    "%s question section OK", mnemonic);
@@ -1021,11 +1082,20 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 	/*
 	 * Decide whether to allow this transfer.
 	 */
-	ns_client_aclmsg("zone transfer", question_name, reqtype,
-			 client->view->rdclass, msg, sizeof(msg));
-	CHECK(ns_client_checkacl(client, msg,
-				 dns_zone_getxfracl(zone), ISC_TRUE,
-				 ISC_LOG_ERROR));
+#ifdef DLZ
+	/*
+	 * if not a DLZ zone decide whether to allow this transfer.
+	 */
+	if (!is_dlz) {
+#endif
+		ns_client_aclmsg("zone transfer", question_name, reqtype,
+				 client->view->rdclass, msg, sizeof(msg));
+		CHECK(ns_client_checkacl(client, msg,
+					 dns_zone_getxfracl(zone), ISC_TRUE,
+					 ISC_LOG_ERROR));
+#ifdef DLZ
+	}
+#endif
 
 	/*
 	 * AXFR over UDP is not possible.
@@ -1049,6 +1119,10 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 	/*
 	 * Get a dynamically allocated copy of the current SOA.
 	 */
+#ifdef DLZ
+	if (is_dlz)
+		dns_db_currentversion(db, &ver);
+#endif
 	CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS,
 				    &current_soa_tuple));
 
@@ -1131,15 +1205,32 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 	 * Create the xfrout context object.  This transfers the ownership
 	 * of "stream", "db", "ver", and "quota" to the xfrout context object.
 	 */
-	CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
-				reqtype, question_class, db, ver, quota,
-				stream, dns_message_gettsigkey(request),
-				tsigbuf,
-				dns_zone_getmaxxfrout(zone),
-				dns_zone_getidleout(zone),
-				(format == dns_many_answers) ?
-					ISC_TRUE : ISC_FALSE,
-				&xfr));
+
+
+
+#ifdef DLZ
+	if (is_dlz)
+ 		CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
+ 					reqtype, question_class, db, ver, quota,
+ 					stream, dns_message_gettsigkey(request),
+ 					tsigbuf,
+ 					3600,
+ 					3600,
+ 					(format == dns_many_answers) ?
+  					ISC_TRUE : ISC_FALSE,
+ 					&xfr));
+ 	else
+#endif
+ 		CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
+ 					reqtype, question_class, db, ver, quota,
+ 					stream, dns_message_gettsigkey(request),
+ 					tsigbuf,
+ 					dns_zone_getmaxxfrout(zone),
+ 					dns_zone_getidleout(zone),
+ 					(format == dns_many_answers) ?
+ 					ISC_TRUE : ISC_FALSE,
+ 					&xfr));
+
 	xfr->mnemonic = mnemonic;
 	stream = NULL;
 	quota = NULL;
@@ -1511,6 +1602,7 @@ sendstream(xfrout_ctx_t *xfr) {
 
 	if ((xfr->client->attributes & NS_CLIENTATTR_TCP) != 0) {
 		CHECK(dns_compress_init(&cctx, -1, xfr->mctx));
+		dns_compress_setsensitive(&cctx, ISC_TRUE);
 		cleanup_cctx = ISC_TRUE;
 		CHECK(dns_message_renderbegin(msg, &cctx, &xfr->txbuf));
 		CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0));
diff --git a/contrib/bind9/bin/named/zoneconf.c b/contrib/bind9/bin/named/zoneconf.c
index 66ef905..a0c1bab 100644
--- a/contrib/bind9/bin/named/zoneconf.c
+++ b/contrib/bind9/bin/named/zoneconf.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.87.2.4.10.19 2006/02/28 06:32:53 marka Exp $ */
+/* $Id: zoneconf.c,v 1.110.18.23 2006/05/16 03:39:57 marka Exp $ */
+
+/*% */
 
 #include <config.h>
 
@@ -35,13 +37,14 @@
 #include <dns/view.h>
 #include <dns/zone.h>
 
+#include <named/client.h>
 #include <named/config.h>
 #include <named/globals.h>
 #include <named/log.h>
 #include <named/server.h>
 #include <named/zoneconf.h>
 
-/*
+/*%
  * These are BIND9 server defaults, not necessarily identical to the
  * library defaults defined in zone.c.
  */
@@ -51,18 +54,18 @@
 		return (_r); \
 	} while (0)
 
-/*
+/*%
  * Convenience function for configuring a single zone ACL.
  */
 static isc_result_t
 configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 		   const cfg_obj_t *config, const char *aclname,
-		   ns_aclconfctx_t *actx, dns_zone_t *zone, 
+		   cfg_aclconfctx_t *actx, dns_zone_t *zone, 
 		   void (*setzacl)(dns_zone_t *, dns_acl_t *),
 		   void (*clearzacl)(dns_zone_t *))
 {
 	isc_result_t result;
-	const cfg_obj_t *maps[4];
+	const cfg_obj_t *maps[5];
 	const cfg_obj_t *aclobj = NULL;
 	int i = 0;
 	dns_acl_t *dacl = NULL;
@@ -77,6 +80,7 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 		if (options != NULL)
 			maps[i++] = options;
 	}
+	maps[i++] = ns_g_defaults;
 	maps[i] = NULL;
 
 	result = ns_config_get(maps, aclname, &aclobj);
@@ -85,8 +89,8 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 		return (ISC_R_SUCCESS);
 	}
 
-	result = ns_acl_fromconfig(aclobj, config, actx,
-				   dns_zone_getmctx(zone), &dacl);
+	result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx,
+				    dns_zone_getmctx(zone), &dacl);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	(*setzacl)(zone, dacl);
@@ -94,7 +98,7 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * Parse the zone update-policy statement.
  */
 static isc_result_t
@@ -150,6 +154,10 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
 			mtype = DNS_SSUMATCHTYPE_WILDCARD;
 		else if (strcasecmp(str, "self") == 0)
 			mtype = DNS_SSUMATCHTYPE_SELF;
+		else if (strcasecmp(str, "selfsub") == 0)
+			mtype = DNS_SSUMATCHTYPE_SELFSUB;
+		else if (strcasecmp(str, "selfwild") == 0)
+			mtype = DNS_SSUMATCHTYPE_SELFWILD;
 		else
 			INSIST(0);
 
@@ -235,7 +243,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
 	return (result);
 }
 
-/*
+/*%
  * Convert a config file zone type into a server zone type.
  */
 static inline dns_zonetype_t
@@ -248,7 +256,7 @@ zonetype_fromconfig(const cfg_obj_t *map) {
 	return (ns_config_getzonetype(obj));
 }
 
-/*
+/*%
  * Helper function for strtoargv().  Pardon the gratuitous recursion.
  */
 static isc_result_t
@@ -282,7 +290,7 @@ strtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp,
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * Tokenize the string "s" into whitespace-separated words,
  * return the number of words in '*argcp' and an array
  * of pointers to the words in '*argvp'.  The caller
@@ -313,7 +321,7 @@ checknames(dns_zonetype_t ztype, const cfg_obj_t **maps,
 
 isc_result_t
 ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
-		  const cfg_obj_t *zconfig, ns_aclconfctx_t *ac,
+		  const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
 		  dns_zone_t *zone)
 {
 	isc_result_t result;
@@ -342,6 +350,9 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	isc_boolean_t alt;
 	dns_view_t *view;
 	isc_boolean_t check = ISC_FALSE, fail = ISC_FALSE;
+	isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE;
+	isc_boolean_t ixfrdiff;
+	dns_masterformat_t masterformat;
 
 	i = 0;
 	if (zconfig != NULL) {
@@ -409,7 +420,26 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	result = cfg_map_get(zoptions, "file", &obj);
 	if (result == ISC_R_SUCCESS)
 		filename = cfg_obj_asstring(obj);
-	RETERR(dns_zone_setfile(zone, filename));
+
+	masterformat = dns_masterformat_text;
+	obj = NULL;
+	result= ns_config_get(maps, "masterfile-format", &obj);
+	if (result == ISC_R_SUCCESS) {
+		const char *masterformatstr = cfg_obj_asstring(obj);
+
+		if (strcasecmp(masterformatstr, "text") == 0)
+			masterformat = dns_masterformat_text;
+		else if (strcasecmp(masterformatstr, "raw") == 0)
+			masterformat = dns_masterformat_raw;
+		else
+			INSIST(0);
+	}
+	RETERR(dns_zone_setfile2(zone, filename, masterformat));
+
+	obj = NULL;
+	result = cfg_map_get(zoptions, "journal", &obj);
+	if (result == ISC_R_SUCCESS)
+		RETERR(dns_zone_setjournal(zone, cfg_obj_asstring(obj)));
 
 	if (ztype == dns_zone_slave)
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
@@ -470,6 +500,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			const char *notifystr = cfg_obj_asstring(obj);
 			if (strcasecmp(notifystr, "explicit") == 0)
 				notifytype = dns_notifytype_explicit;
+			else if (strcasecmp(notifystr, "master-only") == 0)
+				notifytype = dns_notifytype_masteronly;
 			else
 				INSIST(0);
 		}
@@ -504,6 +536,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj)));
 		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
 
+		dns_zone_setisself(zone, ns_client_isself, NULL);
+
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
 					  "allow-transfer", ac, zone,
 					  dns_zone_setxfracl,
@@ -546,8 +580,17 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		obj = NULL;
 		result = ns_config_get(maps, "ixfr-from-differences", &obj);
 		INSIST(result == ISC_R_SUCCESS);
-		dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
-				   cfg_obj_asboolean(obj));
+		if (cfg_obj_isboolean(obj))
+			ixfrdiff = cfg_obj_asboolean(obj);
+		else if (strcasecmp(cfg_obj_asstring(obj), "master") &&
+			 ztype == dns_zone_master)
+			ixfrdiff = ISC_TRUE;
+		else if (strcasecmp(cfg_obj_asstring(obj), "slave") &&
+			ztype == dns_zone_slave)
+			ixfrdiff = ISC_TRUE;
+		else
+			ixfrdiff = ISC_FALSE;
+		dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS, ixfrdiff);
 
 		checknames(ztype, maps, &obj);
 		INSIST(obj != NULL);
@@ -562,6 +605,128 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			INSIST(0);
 		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES, check);
 		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL, fail);
+
+		obj = NULL;
+		result = ns_config_get(maps, "notify-delay", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setnotifydelay(zone, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = ns_config_get(maps, "check-sibling", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING, 
+				   cfg_obj_asboolean(obj));
+
+		obj = NULL;
+		result = ns_config_get(maps, "zero-no-soa-ttl", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setzeronosoattl(zone, cfg_obj_asboolean(obj));
+	}
+
+	/*
+	 * Configure update-related options.  These apply to
+	 * primary masters only.
+	 */
+	if (ztype == dns_zone_master) {
+		dns_acl_t *updateacl;
+		RETERR(configure_zone_acl(zconfig, vconfig, config,
+					  "allow-update", ac, zone,
+					  dns_zone_setupdateacl,
+					  dns_zone_clearupdateacl));
+		
+		updateacl = dns_zone_getupdateacl(zone);
+		if (updateacl != NULL  && dns_acl_isinsecure(updateacl))
+			isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
+				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+				      "zone '%s' allows updates by IP "
+				      "address, which is insecure",
+				      zname);
+		
+		RETERR(configure_zone_ssutable(zoptions, zone));
+
+		obj = NULL;
+		result = ns_config_get(maps, "sig-validity-interval", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setsigvalidityinterval(zone,
+						cfg_obj_asuint32(obj) * 86400);
+
+		obj = NULL;
+		result = ns_config_get(maps, "key-directory", &obj);
+		if (result == ISC_R_SUCCESS) {
+			filename = cfg_obj_asstring(obj);
+			if (!isc_file_isabsolute(filename)) {
+				cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+					    "key-directory '%s' "
+					    "is not absolute", filename);
+				return (ISC_R_FAILURE);
+			}
+			RETERR(dns_zone_setkeydirectory(zone, filename));
+		}
+
+		obj = NULL;
+		result = ns_config_get(maps, "check-wildcard", &obj);
+		if (result == ISC_R_SUCCESS)
+			check = cfg_obj_asboolean(obj);
+		else
+			check = ISC_FALSE;
+		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKWILDCARD, check);
+
+		obj = NULL;
+		result = ns_config_get(maps, "check-mx", &obj);
+		INSIST(obj != NULL);
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			fail = ISC_FALSE;
+			check = ISC_TRUE;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			fail = check = ISC_TRUE;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			fail = check = ISC_FALSE;
+		} else
+			INSIST(0);
+		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMX, check);
+		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMXFAIL, fail);
+
+		obj = NULL;
+		result = ns_config_get(maps, "check-integrity", &obj);
+		INSIST(obj != NULL);
+		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKINTEGRITY, 
+				   cfg_obj_asboolean(obj));
+
+		obj = NULL;
+		result = ns_config_get(maps, "check-mx-cname", &obj);
+		INSIST(obj != NULL);
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			warn = ISC_TRUE;
+			ignore = ISC_FALSE;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			warn = ignore = ISC_FALSE;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			warn = ignore = ISC_TRUE;
+		} else
+			INSIST(0);
+		dns_zone_setoption(zone, DNS_ZONEOPT_WARNMXCNAME, warn);
+		dns_zone_setoption(zone, DNS_ZONEOPT_IGNOREMXCNAME, ignore);
+
+		obj = NULL;
+		result = ns_config_get(maps, "check-srv-cname", &obj);
+		INSIST(obj != NULL);
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			warn = ISC_TRUE;
+			ignore = ISC_FALSE;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			warn = ignore = ISC_FALSE;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			warn = ignore = ISC_TRUE;
+		} else
+			INSIST(0);
+		dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
+		dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
+
+		obj = NULL;
+		result = ns_config_get(maps, "update-check-ksk", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, 
+				   cfg_obj_asboolean(obj));
 	}
 
 	/*
diff --git a/contrib/bind9/bin/nsupdate/Makefile.in b/contrib/bind9/bin/nsupdate/Makefile.in
index 2652628..6bb22f8 100644
--- a/contrib/bind9/bin/nsupdate/Makefile.in
+++ b/contrib/bind9/bin/nsupdate/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.15.12.10 2004/07/20 07:01:49 marka Exp $
+# $Id: Makefile.in,v 1.22.18.1 2004/07/20 07:03:20 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.8 b/contrib/bind9/bin/nsupdate/nsupdate.8
index 7e254e0..5b9f247 100644
--- a/contrib/bind9/bin/nsupdate/nsupdate.8
+++ b/contrib/bind9/bin/nsupdate/nsupdate.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nsupdate.8,v 1.24.2.2.2.9 2006/06/29 13:02:30 marka Exp $
+.\" $Id: nsupdate.8,v 1.30.18.13 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: nsupdate
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -33,7 +33,7 @@
 nsupdate \- Dynamic DNS update utility
 .SH "SYNOPSIS"
 .HP 9
-\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename]
+\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename]
 .SH "DESCRIPTION"
 .PP
 \fBnsupdate\fR
@@ -71,7 +71,7 @@ uses the
 \fB\-y\fR
 or
 \fB\-k\fR
-option (with an HMAC\-MD5 key) to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the
+option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC\-MD5. These options are mutually exclusive. With the
 \fB\-k\fR
 option,
 \fBnsupdate\fR
@@ -82,14 +82,14 @@ reads the shared secret from the file
 must also be present. When the
 \fB\-y\fR
 option is used, a signature is generated from
-\fIkeyname:secret.\fR
+[\fIhmac:\fR]\fIkeyname:secret.\fR
 \fIkeyname\fR
 is the name of the key, and
 \fIsecret\fR
 is the base64 encoded shared secret. Use of the
 \fB\-y\fR
 option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from
-\fBps\fR(1 )
+\fBps\fR(1)
 or in a history file maintained by the user's shell.
 .PP
 The
@@ -127,8 +127,9 @@ Every update request consists of zero or more prerequisites and zero or more upd
 command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server.
 .PP
 The command formats and their meaning are as follows:
-.TP 3n
-.HP 7 \fBserver\fR {servername} [port]
+.PP
+\fBserver\fR {servername} [port]
+.RS 4
 Sends all dynamic update requests to the name server
 \fIservername\fR. When no server statement is provided,
 \fBnsupdate\fR
@@ -137,30 +138,38 @@ will send updates to the master server of the correct zone. The MNAME field of t
 is the port number on
 \fIservername\fR
 where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used.
-.TP 3n
-.HP 6 \fBlocal\fR {address} [port]
+.RE
+.PP
+\fBlocal\fR {address} [port]
+.RS 4
 Sends all dynamic update requests using the local
 \fIaddress\fR. When no local statement is provided,
 \fBnsupdate\fR
 will send updates using an address and port chosen by the system.
 \fIport\fR
 can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one.
-.TP 3n
-.HP 5 \fBzone\fR {zonename}
+.RE
+.PP
+\fBzone\fR {zonename}
+.RS 4
 Specifies that all updates are to be made to the zone
 \fIzonename\fR. If no
 \fIzone\fR
 statement is provided,
 \fBnsupdate\fR
 will attempt determine the correct zone to update based on the rest of the input.
-.TP 3n
-.HP 6 \fBclass\fR {classname}
+.RE
+.PP
+\fBclass\fR {classname}
+.RS 4
 Specify the default class. If no
 \fIclass\fR
 is specified the default class is
 \fIIN\fR.
-.TP 3n
-.HP 4 \fBkey\fR {name} {secret}
+.RE
+.PP
+\fBkey\fR {name} {secret}
+.RS 4
 Specifies that all updates are to be TSIG signed using the
 \fIkeyname\fR
 \fIkeysecret\fR
@@ -170,17 +179,23 @@ command overrides any key specified on the command line via
 \fB\-y\fR
 or
 \fB\-k\fR.
-.TP 3n
-.HP 16 \fBprereq nxdomain\fR {domain\-name}
+.RE
+.PP
+\fBprereq nxdomain\fR {domain\-name}
+.RS 4
 Requires that no resource record of any type exists with name
 \fIdomain\-name\fR.
-.TP 3n
-.HP 16 \fBprereq yxdomain\fR {domain\-name}
+.RE
+.PP
+\fBprereq yxdomain\fR {domain\-name}
+.RS 4
 Requires that
 \fIdomain\-name\fR
 exists (has as at least one resource record, of any type).
-.TP 3n
-.HP 15 \fBprereq nxrrset\fR {domain\-name} [class] {type}
+.RE
+.PP
+\fBprereq nxrrset\fR {domain\-name} [class] {type}
+.RS 4
 Requires that no resource record exists of the specified
 \fItype\fR,
 \fIclass\fR
@@ -188,8 +203,10 @@ and
 \fIdomain\-name\fR. If
 \fIclass\fR
 is omitted, IN (internet) is assumed.
-.TP 3n
-.HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type}
+.RE
+.PP
+\fBprereq yxrrset\fR {domain\-name} [class] {type}
+.RS 4
 This requires that a resource record of the specified
 \fItype\fR,
 \fIclass\fR
@@ -198,8 +215,10 @@ and
 must exist. If
 \fIclass\fR
 is omitted, IN (internet) is assumed.
-.TP 3n
-.HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} {data...}
+.RE
+.PP
+\fBprereq yxrrset\fR {domain\-name} [class] {type} {data...}
+.RS 4
 The
 \fIdata\fR
 from each set of prerequisites of this form sharing a common
@@ -212,8 +231,10 @@ are combined to form a set of RRs. This set of RRs must exactly match the set of
 \fIdomain\-name\fR. The
 \fIdata\fR
 are written in the standard text representation of the resource record's RDATA.
-.TP 3n
-.HP 14 \fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]]
+.RE
+.PP
+\fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]]
+.RS 4
 Deletes any resource records named
 \fIdomain\-name\fR. If
 \fItype\fR
@@ -224,22 +245,31 @@ is provided, only matching resource records will be removed. The internet class
 is not supplied. The
 \fIttl\fR
 is ignored, and is only allowed for compatibility.
-.TP 3n
-.HP 11 \fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...}
+.RE
+.PP
+\fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...}
+.RS 4
 Adds a new resource record with the specified
 \fIttl\fR,
 \fIclass\fR
 and
 \fIdata\fR.
-.TP 3n
-.HP 5 \fBshow\fR
+.RE
+.PP
+\fBshow\fR
+.RS 4
 Displays the current message, containing all of the prerequisites and updates specified since the last send.
-.TP 3n
-.HP 5 \fBsend\fR
+.RE
+.PP
+\fBsend\fR
+.RS 4
 Sends the current message. This is equivalent to entering a blank line.
-.TP 3n
-.HP 7 \fBanswer\fR
+.RE
+.PP
+\fBanswer\fR
+.RS 4
 Displays the answer.
+.RE
 .PP
 Lines beginning with a semicolon are comments and are ignored.
 .SH "EXAMPLES"
@@ -251,7 +281,7 @@ could be used to insert and delete resource records from the
 zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for
 \fBexample.com\fR.
 .sp
-.RS 3n
+.RS 4
 .nf
 # nsupdate
 > update delete oldhost.example.com A
@@ -267,7 +297,7 @@ are deleted. and an A record for
 \fBnewhost.example.com\fR
 it IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds)
 .sp
-.RS 3n
+.RS 4
 .nf
 # nsupdate
 > prereq nxdomain nickname.example.com
@@ -280,17 +310,23 @@ it IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (8640
 The prerequisite condition gets the name server to check that there are no resource records of any type for
 \fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.)
 .SH "FILES"
-.TP 3n
+.PP
 \fB/etc/resolv.conf\fR
+.RS 4
 used to identify default name server
-.TP 3n
+.RE
+.PP
 \fBK{name}.+157.+{random}.key\fR
+.RS 4
 base\-64 encoding of HMAC\-MD5 key created by
 \fBdnssec\-keygen\fR(8).
-.TP 3n
+.RE
+.PP
 \fBK{name}.+157.+{random}.private\fR
+.RS 4
 base\-64 encoding of HMAC\-MD5 key created by
 \fBdnssec\-keygen\fR(8).
+.RE
 .SH "SEE ALSO"
 .PP
 \fBRFC2136\fR(),
@@ -306,4 +342,7 @@ base\-64 encoding of HMAC\-MD5 key created by
 .PP
 The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2003 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.c b/contrib/bind9/bin/nsupdate/nsupdate.c
index 107d85f..412505e 100644
--- a/contrib/bind9/bin/nsupdate/nsupdate.c
+++ b/contrib/bind9/bin/nsupdate/nsupdate.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsupdate.c,v 1.103.2.15.2.23 2006/06/09 07:29:24 marka Exp $ */
+/* $Id: nsupdate.c,v 1.130.18.15 2006/12/07 05:39:45 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -159,6 +161,9 @@ debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 static void
 ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 
+static void
+error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
 #define STATUS_MORE	(isc_uint16_t)0
 #define STATUS_SEND	(isc_uint16_t)1
 #define STATUS_QUIT	(isc_uint16_t)2
@@ -193,6 +198,16 @@ fatal(const char *format, ...) {
 }
 
 static void
+error(const char *format, ...) {
+	va_list args;
+
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+}
+
+static void
 debug(const char *format, ...) {
 	va_list args;
 
@@ -282,6 +297,74 @@ reset_system(void) {
 	updatemsg->opcode = dns_opcode_update;
 }
 
+static isc_uint16_t
+parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) {
+	isc_uint16_t digestbits = 0;
+	isc_result_t result;
+	char buf[20];
+
+	REQUIRE(hmac != NULL && *hmac == NULL);
+	REQUIRE(hmacstr != NULL);
+
+	if (len >= sizeof(buf))
+		fatal("unknown key type '%.*s'", (int)(len), hmacstr);
+
+	strncpy(buf, hmacstr, len);
+	buf[len] = 0;
+	
+	if (strcasecmp(buf, "hmac-md5") == 0) {
+		*hmac = DNS_TSIG_HMACMD5_NAME;
+	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
+		*hmac = DNS_TSIG_HMACMD5_NAME;
+		result = isc_parse_uint16(&digestbits, &buf[9], 10);
+		if (result != ISC_R_SUCCESS || digestbits > 128)
+			fatal("digest-bits out of range [0..128]");
+		digestbits = (digestbits +7) & ~0x7U;
+	} else if (strcasecmp(buf, "hmac-sha1") == 0) {
+		*hmac = DNS_TSIG_HMACSHA1_NAME;
+	} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
+		*hmac = DNS_TSIG_HMACSHA1_NAME;
+		result = isc_parse_uint16(&digestbits, &buf[10], 10);
+		if (result != ISC_R_SUCCESS || digestbits > 160)
+			fatal("digest-bits out of range [0..160]");
+		digestbits = (digestbits +7) & ~0x7U;
+	} else if (strcasecmp(buf, "hmac-sha224") == 0) {
+		*hmac = DNS_TSIG_HMACSHA224_NAME;
+	} else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) {
+		*hmac = DNS_TSIG_HMACSHA224_NAME;
+		result = isc_parse_uint16(&digestbits, &buf[12], 10);
+		if (result != ISC_R_SUCCESS || digestbits > 224)
+			fatal("digest-bits out of range [0..224]");
+		digestbits = (digestbits +7) & ~0x7U;
+	} else if (strcasecmp(buf, "hmac-sha256") == 0) {
+		*hmac = DNS_TSIG_HMACSHA256_NAME;
+	} else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) {
+		*hmac = DNS_TSIG_HMACSHA256_NAME;
+		result = isc_parse_uint16(&digestbits, &buf[12], 10);
+		if (result != ISC_R_SUCCESS || digestbits > 256)
+			fatal("digest-bits out of range [0..256]");
+		digestbits = (digestbits +7) & ~0x7U;
+	} else if (strcasecmp(buf, "hmac-sha384") == 0) {
+		*hmac = DNS_TSIG_HMACSHA384_NAME;
+	} else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) {
+		*hmac = DNS_TSIG_HMACSHA384_NAME;
+		result = isc_parse_uint16(&digestbits, &buf[12], 10);
+		if (result != ISC_R_SUCCESS || digestbits > 384)
+			fatal("digest-bits out of range [0..384]");
+		digestbits = (digestbits +7) & ~0x7U;
+	} else if (strcasecmp(buf, "hmac-sha512") == 0) {
+		*hmac = DNS_TSIG_HMACSHA512_NAME;
+	} else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) {
+		*hmac = DNS_TSIG_HMACSHA512_NAME;
+		result = isc_parse_uint16(&digestbits, &buf[12], 10);
+		if (result != ISC_R_SUCCESS || digestbits > 512)
+			fatal("digest-bits out of range [0..512]");
+		digestbits = (digestbits +7) & ~0x7U;
+	} else
+		fatal("unknown key type '%s'", buf);
+	return (digestbits);
+}
+
 static void
 setup_keystr(void) {
 	unsigned char *secret = NULL;
@@ -290,9 +373,12 @@ setup_keystr(void) {
 	isc_result_t result;
 	isc_buffer_t keynamesrc;
 	char *secretstr;
-	char *s;
+	char *s, *n;
 	dns_fixedname_t fkeyname;
 	dns_name_t *keyname;
+	char *name;
+	dns_name_t *hmacname = NULL;
+	isc_uint16_t digestbits = 0;
 
 	dns_fixedname_init(&fkeyname);
 	keyname = dns_fixedname_name(&fkeyname);
@@ -300,12 +386,24 @@ setup_keystr(void) {
 	debug("Creating key...");
 
 	s = strchr(keystr, ':');
-	if (s == NULL || s == keystr || *s == 0)
-		fatal("key option must specify keyname:secret");
+	if (s == NULL || s == keystr || s[1] == 0)
+		fatal("key option must specify [hmac:]keyname:secret");
 	secretstr = s + 1;
+	n = strchr(secretstr, ':');
+	if (n != NULL) {
+		if (n == secretstr || n[1] == 0)
+			fatal("key option must specify [hmac:]keyname:secret");
+		name = secretstr;
+		secretstr = n + 1;
+		digestbits = parse_hmac(&hmacname, keystr, s - keystr);
+	} else {
+		hmacname = DNS_TSIG_HMACMD5_NAME;
+		name = keystr;
+		n = s;
+	}
 
-	isc_buffer_init(&keynamesrc, keystr, s - keystr);
-	isc_buffer_add(&keynamesrc, s - keystr);
+	isc_buffer_init(&keynamesrc, name, n - name);
+	isc_buffer_add(&keynamesrc, n - name);
 
 	debug("namefromtext");
 	result = dns_name_fromtext(keyname, &keynamesrc, dns_rootname,
@@ -328,12 +426,13 @@ setup_keystr(void) {
 	secretlen = isc_buffer_usedlength(&secretbuf);
 
 	debug("keycreate");
-	result = dns_tsigkey_create(keyname, dns_tsig_hmacmd5_name,
-				    secret, secretlen, ISC_TRUE, NULL,
-				    0, 0, mctx, NULL, &tsigkey);
+	result = dns_tsigkey_create(keyname, hmacname, secret, secretlen,
+				    ISC_TRUE, NULL, 0, 0, mctx, NULL, &tsigkey);
 	if (result != ISC_R_SUCCESS)
 		fprintf(stderr, "could not create key from %s: %s\n",
 			keystr, dns_result_totext(result));
+	else
+		dst_key_setbits(tsigkey->key, digestbits);
  failure:
 	if (secret != NULL)
 		isc_mem_free(mctx, secret);
@@ -343,6 +442,7 @@ static void
 setup_keyfile(void) {
 	dst_key_t *dstkey = NULL;
 	isc_result_t result;
+	dns_name_t *hmacname = NULL;
 
 	debug("Creating key...");
 
@@ -354,11 +454,31 @@ setup_keyfile(void) {
 			keyfile, isc_result_totext(result));
 		return;
 	}
-	if (dst_key_alg(dstkey) == DST_ALG_HMACMD5) {
+	switch (dst_key_alg(dstkey)) {
+	case DST_ALG_HMACMD5:
+		hmacname = DNS_TSIG_HMACMD5_NAME;
+		break;
+	case DST_ALG_HMACSHA1:
+		hmacname = DNS_TSIG_HMACSHA1_NAME;
+		break;
+	case DST_ALG_HMACSHA224:
+		hmacname = DNS_TSIG_HMACSHA224_NAME;
+		break;
+	case DST_ALG_HMACSHA256:
+		hmacname = DNS_TSIG_HMACSHA256_NAME;
+		break;
+	case DST_ALG_HMACSHA384:
+		hmacname = DNS_TSIG_HMACSHA384_NAME;
+		break;
+	case DST_ALG_HMACSHA512:
+		hmacname = DNS_TSIG_HMACSHA512_NAME;
+		break;
+	}
+	if (hmacname != NULL) {
 		result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
-						   dns_tsig_hmacmd5_name,
-						   dstkey, ISC_FALSE, NULL,
-						   0, 0, mctx, NULL, &tsigkey);
+						   hmacname, dstkey, ISC_FALSE,
+						   NULL, 0, 0, mctx, NULL,
+						   &tsigkey);
 		if (result != ISC_R_SUCCESS) {
 			fprintf(stderr, "could not create key from %s: %s\n",
 				keyfile, isc_result_totext(result));
@@ -998,6 +1118,9 @@ evaluate_key(char *cmdline) {
 	int secretlen;
 	unsigned char *secret = NULL;
 	isc_buffer_t secretbuf;
+	dns_name_t *hmacname = NULL;
+	isc_uint16_t digestbits = 0;
+	char *n;
 
 	namestr = nsu_strsep(&cmdline, " \t\r\n");
 	if (*namestr == 0) {
@@ -1008,6 +1131,13 @@ evaluate_key(char *cmdline) {
 	dns_fixedname_init(&fkeyname);
 	keyname = dns_fixedname_name(&fkeyname);
 
+	n = strchr(namestr, ':');
+	if (n != NULL) {
+		digestbits = parse_hmac(&hmacname, namestr, n - namestr);
+		namestr = n + 1;
+	} else
+		hmacname = DNS_TSIG_HMACMD5_NAME;
+
 	isc_buffer_init(&b, namestr, strlen(namestr));
 	isc_buffer_add(&b, strlen(namestr));
 	result = dns_name_fromtext(keyname, &b, dns_rootname, ISC_FALSE, NULL);
@@ -1038,15 +1168,16 @@ evaluate_key(char *cmdline) {
 
 	if (tsigkey != NULL)
 		dns_tsigkey_detach(&tsigkey);
-	result = dns_tsigkey_create(keyname, dns_tsig_hmacmd5_name,
-				    secret, secretlen, ISC_TRUE, NULL, 0, 0,
-				    mctx, NULL, &tsigkey);
+	result = dns_tsigkey_create(keyname, hmacname, secret, secretlen,
+				    ISC_TRUE, NULL, 0, 0, mctx, NULL,
+				    &tsigkey);
 	isc_mem_free(mctx, secret);
 	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "could not create key from %s %s: %s\n",
 			namestr, secretstr, dns_result_totext(result));
 		return (STATUS_SYNTAX);
 	}
+	dst_key_setbits(tsigkey->key, digestbits);
 	return (STATUS_MORE);
 }
 
@@ -1304,12 +1435,50 @@ evaluate_update(char *cmdline) {
 }
 
 static void
+setzone(dns_name_t *zonename) {
+	isc_result_t result;
+	dns_name_t *name = NULL;
+	dns_rdataset_t *rdataset = NULL;
+
+	result = dns_message_firstname(updatemsg, DNS_SECTION_ZONE);
+	if (result == ISC_R_SUCCESS) {
+		dns_message_currentname(updatemsg, DNS_SECTION_ZONE, &name);
+		dns_message_removename(updatemsg, name, DNS_SECTION_ZONE);
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_HEAD(name->list)) {
+			ISC_LIST_UNLINK(name->list, rdataset, link);
+			dns_rdataset_disassociate(rdataset);
+			dns_message_puttemprdataset(updatemsg, &rdataset);
+		}
+		dns_message_puttempname(updatemsg, &name);
+	}
+
+	if (zonename != NULL) {
+		result = dns_message_gettempname(updatemsg, &name);
+		check_result(result, "dns_message_gettempname");
+		dns_name_init(name, NULL);
+		dns_name_clone(zonename, name);
+		result = dns_message_gettemprdataset(updatemsg, &rdataset);
+		check_result(result, "dns_message_gettemprdataset");
+		dns_rdataset_makequestion(rdataset, getzoneclass(),
+					  dns_rdatatype_soa);
+		ISC_LIST_INIT(name->list);
+		ISC_LIST_APPEND(name->list, rdataset, link);
+		dns_message_addname(updatemsg, name, DNS_SECTION_ZONE);
+	}
+}
+
+static void
 show_message(dns_message_t *msg) {
 	isc_result_t result;
 	isc_buffer_t *buf = NULL;
 	int bufsz;
 
 	ddebug("show_message()");
+
+	setzone(userzone);
+
 	bufsz = INITTEXT;
 	do { 
 		if (bufsz > MAXTEXT) {
@@ -1537,22 +1706,11 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
 {
 	isc_result_t result;
 	dns_request_t *request = NULL;
-	dns_name_t *name = NULL;
-	dns_rdataset_t *rdataset = NULL;
 	unsigned int options = 0;
 
 	ddebug("send_update()");
 
-	result = dns_message_gettempname(updatemsg, &name);
-	check_result(result, "dns_message_gettempname");
-	dns_name_init(name, NULL);
-	dns_name_clone(zonename, name);
-	result = dns_message_gettemprdataset(updatemsg, &rdataset);
-	check_result(result, "dns_message_gettemprdataset");
-	dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa);
-	ISC_LIST_INIT(name->list);
-	ISC_LIST_APPEND(name->list, rdataset, link);
-	dns_message_addname(updatemsg, name, DNS_SECTION_ZONE);
+	setzone(zonename);
 
 	if (usevc)
 		options |= DNS_REQUESTOPT_TCP;
@@ -1643,8 +1801,9 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 		setzoneclass(dns_rdataclass_none);
 		return;
 	}
-	isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
 
+	isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
+	reqinfo = NULL;
 	isc_event_free(&event);
 	reqev = NULL;
 
@@ -1703,6 +1862,19 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 	    rcvmsg->rcode != dns_rcode_nxdomain)
 		fatal("response to SOA query was unsuccessful");
 
+	if (userzone != NULL && rcvmsg->rcode == dns_rcode_nxdomain) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(userzone, namebuf, sizeof(namebuf));
+		error("specified zone '%s' does not exist (NXDOMAIN)",
+		      namebuf);
+		dns_message_destroy(&rcvmsg);
+		dns_request_destroy(&request);
+		dns_message_destroy(&soaquery);
+		ddebug("Out of recvsoa");
+		done_update();
+		return;
+	}
+
  lookforsoa:
 	if (pass == 0)
 		section = DNS_SECTION_ANSWER;
@@ -1859,15 +2031,6 @@ start_update(void) {
 
 	if (answer != NULL)
 		dns_message_destroy(&answer);
-	result = dns_message_firstname(updatemsg, section);
-	if (result == ISC_R_NOMORE) {
-		section = DNS_SECTION_PREREQUISITE;
-		result = dns_message_firstname(updatemsg, section);
-	}
-	if (result != ISC_R_SUCCESS) {
-		done_update();
-		return;
-	}
 
 	if (userzone != NULL && userserver != NULL) {
 		send_update(userzone, userserver, localaddr);
@@ -1879,7 +2042,8 @@ start_update(void) {
 				    &soaquery);
 	check_result(result, "dns_message_create");
 
-	soaquery->flags |= DNS_MESSAGEFLAG_RD;
+	if (userserver == NULL)
+		soaquery->flags |= DNS_MESSAGEFLAG_RD;
 
 	result = dns_message_gettempname(soaquery, &name);
 	check_result(result, "dns_message_gettempname");
@@ -1889,10 +2053,24 @@ start_update(void) {
 
 	dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa);
 
-	firstname = NULL;
-	dns_message_currentname(updatemsg, section, &firstname);
-	dns_name_init(name, NULL);
-	dns_name_clone(firstname, name);
+	if (userzone != NULL) {
+		dns_name_init(name, NULL);
+		dns_name_clone(userzone, name);
+	} else {
+		result = dns_message_firstname(updatemsg, section);
+		if (result == ISC_R_NOMORE) {
+			section = DNS_SECTION_PREREQUISITE;
+			result = dns_message_firstname(updatemsg, section);
+		}
+		if (result != ISC_R_SUCCESS) {
+			done_update();
+			return;
+		}
+		firstname = NULL;
+		dns_message_currentname(updatemsg, section, &firstname);
+		dns_name_init(name, NULL);
+		dns_name_clone(firstname, name);
+	}
 
 	ISC_LIST_INIT(name->list);
 	ISC_LIST_APPEND(name->list, rdataset, link);
@@ -1927,6 +2105,9 @@ cleanup(void) {
 	ddebug("Destroying hash context");
 	isc_hash_destroy();
 
+	ddebug("Destroying name state");
+	dns_name_destroy();
+
 	ddebug("Destroying memory context");
 	if (memdebugging)
 		isc_mem_stats(mctx, stderr);
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.docbook b/contrib/bind9/bin/nsupdate/nsupdate.docbook
index 7a2b4cf..77eff65 100644
--- a/contrib/bind9/bin/nsupdate/nsupdate.docbook
+++ b/contrib/bind9/bin/nsupdate/nsupdate.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,22 +18,27 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: nsupdate.docbook,v 1.8.2.3.2.10 2005/05/12 21:36:03 sra Exp $ -->
-
+<!-- $Id: nsupdate.docbook,v 1.18.18.8 2007/01/29 23:57:20 marka Exp $ -->
 <refentry>
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>nsupdate</refentrytitle>
-<manvolnum>8</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
+  <refmeta>
+    <refentrytitle>nsupdate</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+  <refnamediv>
+    <refname>nsupdate</refname>
+    <refpurpose>Dynamic DNS update utility</refpurpose>
+  </refnamediv>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2006</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -45,614 +50,608 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>nsupdate</refname>
-<refpurpose>Dynamic DNS update utility</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<cmdsynopsis>
-<command>nsupdate</command>
-<arg><option>-d</option></arg>
-<group>
-  <arg><option>-y <replaceable class="parameter">keyname:secret</replaceable></option></arg>
-  <arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
-</group>
-<arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
-<arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
-<arg><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg>
-<arg><option>-v</option></arg>
-<arg>filename</arg>
-</cmdsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<command>nsupdate</command>
-is used to submit Dynamic DNS Update requests as defined in RFC2136
-to a name server.
-This allows resource records to be added or removed from a zone
-without manually editing the zone file.
-A single update request can contain requests to add or remove more than one
-resource record.
-</para>
-<para>
-Zones that are under dynamic control via
-<command>nsupdate</command>
-or a DHCP server should not be edited by hand.
-Manual edits could
-conflict with dynamic updates and cause data to be lost.
-</para>
-<para>
-The resource records that are dynamically added or removed with
-<command>nsupdate</command>
-have to be in the same zone.
-Requests are sent to the zone's master server.
-This is identified by the MNAME field of the zone's SOA record.
-</para>
-<para>
-The
-<option>-d</option>
-option makes
-<command>nsupdate</command>
-operate in debug mode.
-This provides tracing information about the update requests that are
-made and the replies received from the name server.
-</para>
-<para>
-Transaction signatures can be used to authenticate the Dynamic DNS
-updates.
-These use the TSIG resource record type described in RFC2845 or the
-SIG(0) record described in RFC3535 and RFC2931.
-TSIG relies on a shared secret that should only be known to
-<command>nsupdate</command> and the name server.
-Currently, the only supported encryption algorithm for TSIG is
-HMAC-MD5, which is defined in RFC 2104.
-Once other algorithms are defined for TSIG, applications will need to
-ensure they select the appropriate algorithm as well as the key when
-authenticating each other.
-For instance suitable
-<type>key</type>
-and
-<type>server</type>
-statements would be added to
-<filename>/etc/named.conf</filename>
-so that the name server can associate the appropriate secret key
-and algorithm with the IP address of the
-client application that will be using TSIG authentication.
-SIG(0) uses public key cryptography.  To use a SIG(0) key, the public
-key must be stored in a KEY record in a zone served by the name server.
-<command>nsupdate</command>
-does not read
-<filename>/etc/named.conf</filename>.
-</para>
-<para>
-<command>nsupdate</command>
-uses the
-<option>-y</option>
-or
-<option>-k</option>
-option (with an HMAC-MD5 key) to provide the shared secret needed to generate
-a TSIG record for authenticating Dynamic DNS update requests.
-These options are mutually exclusive.
-With the
-<option>-k</option>
-option,
-<command>nsupdate</command>
-reads the shared secret from the file
-<parameter>keyfile</parameter>,
-whose name is of the form 
-<filename>K{name}.+157.+{random}.private</filename>.
-For historical
-reasons, the file 
-<filename>K{name}.+157.+{random}.key</filename>
-must also be present.  When the
-<option>-y</option>
-option is used, a signature is generated from
-<parameter>keyname:secret.</parameter>
-<parameter>keyname</parameter>
-is the name of the key,
-and
-<parameter>secret</parameter>
-is the base64 encoded shared secret.
-Use of the
-<option>-y</option>
-option is discouraged because the shared secret is supplied as a command
-line argument in clear text.
-This may be visible in the output from
-<citerefentry>
-<refentrytitle>ps</refentrytitle><manvolnum>1
-</manvolnum>
-</citerefentry>
-or in a history file maintained by the user's shell.
-</para>
-<para>
-The <option>-k</option> may also be used to specify a SIG(0) key used
-to authenticate Dynamic DNS update requests.  In this case, the key
-specified is not an HMAC-MD5 key.
-</para>
-<para>
-By default
-<command>nsupdate</command>
-uses UDP to send update requests to the name server unless they are too
-large to fit in a UDP request in which case TCP will be used.
-The
-<option>-v</option>
-option makes
-<command>nsupdate</command>
-use a TCP connection.
-This may be preferable when a batch of update requests is made.
-</para>
-<para>The <option>-t</option> option sets the maximum time a update request can
-take before it is aborted.  The default is 300 seconds.  Zero can be used
-to disable the timeout.
-</para>
-<para>The <option>-u</option> option sets the UDP retry interval.  The default is
-3 seconds.  If zero the interval will be computed from the timeout interval
-and number of UDP retries.
-</para>
-<para>The <option>-r</option> option sets the number of UDP retries. The default is
-3.  If zero only one update request will be made.
-</para>
-</refsect1>
-
-<refsect1>
-<title>INPUT FORMAT</title>
-<para>
-<command>nsupdate</command>
-reads input from
-<parameter>filename</parameter>
-or standard input.
-Each command is supplied on exactly one line of input.
-Some commands are for administrative purposes.
-The others are either update instructions or prerequisite checks on the
-contents of the zone.
-These checks set conditions that some name or set of
-resource records (RRset) either exists or is absent from the zone.
-These conditions must be met if the entire update request is to succeed.
-Updates will be rejected if the tests for the prerequisite conditions fail.
-</para>
-<para>
-Every update request consists of zero or more prerequisites
-and zero or more updates.
-This allows a suitably authenticated update request to proceed if some
-specified resource records are present or missing from the zone.
-A blank input line (or the <command>send</command> command) causes the
-accumulated commands to be sent as one Dynamic DNS update request to the
-name server.
-</para>
-<para>
-The command formats and their meaning are as follows:
-<variablelist>
-<varlistentry><term>
-<cmdsynopsis>
-<command>server</command>
-<arg choice="req">servername</arg>
-<arg choice="opt">port</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Sends all dynamic update requests to the name server
-<parameter>servername</parameter>.
-When no server statement is provided,
-<command>nsupdate</command>
-will send updates to the master server of the correct zone.
-The MNAME field of that zone's SOA record will identify the master
-server for that zone.
-<parameter>port</parameter>
-is the port number on
-<parameter>servername</parameter>
-where the dynamic update requests get sent.
-If no port number is specified, the default DNS port number of 53 is
-used.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>local</command>
-<arg choice="req">address</arg>
-<arg choice="opt">port</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Sends all dynamic update requests using the local
-<parameter>address</parameter>.
-
-When no local statement is provided,
-<command>nsupdate</command>
-will send updates using an address and port chosen by the system.
-<parameter>port</parameter>
-can additionally be used to make requests come from a specific port.
-If no port number is specified, the system will assign one.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>zone</command>
-<arg choice="req">zonename</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Specifies that all updates are to be made to the zone
-<parameter>zonename</parameter>.
-If no
-<parameter>zone</parameter>
-statement is provided,
-<command>nsupdate</command>
-will attempt determine the correct zone to update based on the rest of the input.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>class</command>
-<arg choice="req">classname</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Specify the default class.
-If no <parameter>class</parameter> is specified the default class is
-<parameter>IN</parameter>.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>key</command>
-<arg choice="req">name</arg>
-<arg choice="req">secret</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Specifies that all updates are to be TSIG signed using the
-<parameter>keyname</parameter> <parameter>keysecret</parameter> pair.
-The <command>key</command> command
-overrides any key specified on the command line via
-<option>-y</option> or <option>-k</option>.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>prereq nxdomain</command>
-<arg choice="req">domain-name</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Requires that no resource record of any type exists with name
-<parameter>domain-name</parameter>.
-</para>
-</listitem>
-</varlistentry>
-
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>prereq yxdomain</command>
-<arg choice="req">domain-name</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Requires that
-<parameter>domain-name</parameter>
-exists (has as at least one resource record, of any type).
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>prereq nxrrset</command>
-<arg choice="req">domain-name</arg>
-<arg choice="opt">class</arg>
-<arg choice="req">type</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Requires that no resource record exists of the specified
-<parameter>type</parameter>,
-<parameter>class</parameter>
-and
-<parameter>domain-name</parameter>.
-If
-<parameter>class</parameter>
-is omitted, IN (internet) is assumed.
-</para>
-</listitem>
-</varlistentry>
-
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>prereq yxrrset</command>
-<arg choice="req">domain-name</arg>
-<arg choice="opt">class</arg>
-<arg choice="req">type</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-This requires that a resource record of the specified
-<parameter>type</parameter>,
-<parameter>class</parameter>
-and
-<parameter>domain-name</parameter>
-must exist.
-If
-<parameter>class</parameter>
-is omitted, IN (internet) is assumed.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>prereq yxrrset</command>
-<arg choice="req">domain-name</arg>
-<arg choice="opt">class</arg>
-<arg choice="req">type</arg>
-<arg choice="req" rep="repeat">data</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-The
-<parameter>data</parameter>
-from each set of prerequisites of this form
-sharing a common
-<parameter>type</parameter>,
-<parameter>class</parameter>,
-and 
-<parameter>domain-name</parameter>
-are combined to form a set of RRs.  This set of RRs must
-exactly match the set of RRs existing in the zone at the
-given 
-<parameter>type</parameter>,
-<parameter>class</parameter>,
-and 
-<parameter>domain-name</parameter>.
-The
-<parameter>data</parameter>
-are written in the standard text representation of the resource record's
-RDATA.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>update delete</command>
-<arg choice="req">domain-name</arg>
-<arg choice="opt">ttl</arg>
-<arg choice="opt">class</arg>
-<arg choice="opt">type <arg choice="opt" rep="repeat">data</arg></arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Deletes any resource records named
-<parameter>domain-name</parameter>.
-If
-<parameter>type</parameter>
-and
-<parameter>data</parameter>
-is provided, only matching resource records will be removed.
-The internet class is assumed if
-<parameter>class</parameter>
-is not supplied.  The
-<parameter>ttl</parameter>
-is ignored, and is only allowed for compatibility.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>update add</command>
-<arg choice="req">domain-name</arg>
-<arg choice="req">ttl</arg>
-<arg choice="opt">class</arg>
-<arg choice="req">type</arg>
-<arg choice="req" rep="repeat">data</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Adds a new resource record with the specified
-<parameter>ttl</parameter>,
-<parameter>class</parameter>
-and
-<parameter>data</parameter>.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>show</command>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Displays the current message, containing all of the prerequisites and
-updates specified since the last send.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>send</command>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Sends the current message.  This is equivalent to entering a blank line.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>answer</command>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Displays the answer.
-</para>
-</listitem>
-</varlistentry>
-
-</variablelist>
-</para>
-
-<para>
-Lines beginning with a semicolon are comments and are ignored.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>EXAMPLES</title>
-<para>
-The examples below show how
-<command>nsupdate</command>
-could be used to insert and delete resource records from the
-<type>example.com</type>
-zone.
-Notice that the input in each example contains a trailing blank line so that
-a group of commands are sent as one dynamic update request to the
-master name server for
-<type>example.com</type>.
-
-<programlisting>
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>nsupdate</command>
+      <arg><option>-d</option></arg>
+      <group>
+        <arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg>
+        <arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
+      </group>
+      <arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
+      <arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
+      <arg><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg>
+      <arg><option>-v</option></arg>
+      <arg>filename</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para><command>nsupdate</command>
+      is used to submit Dynamic DNS Update requests as defined in RFC2136
+      to a name server.
+      This allows resource records to be added or removed from a zone
+      without manually editing the zone file.
+      A single update request can contain requests to add or remove more than
+      one
+      resource record.
+    </para>
+    <para>
+      Zones that are under dynamic control via
+      <command>nsupdate</command>
+      or a DHCP server should not be edited by hand.
+      Manual edits could
+      conflict with dynamic updates and cause data to be lost.
+    </para>
+    <para>
+      The resource records that are dynamically added or removed with
+      <command>nsupdate</command>
+      have to be in the same zone.
+      Requests are sent to the zone's master server.
+      This is identified by the MNAME field of the zone's SOA record.
+    </para>
+    <para>
+      The
+      <option>-d</option>
+      option makes
+      <command>nsupdate</command>
+      operate in debug mode.
+      This provides tracing information about the update requests that are
+      made and the replies received from the name server.
+    </para>
+    <para>
+      Transaction signatures can be used to authenticate the Dynamic DNS
+      updates.
+      These use the TSIG resource record type described in RFC2845 or the
+      SIG(0) record described in RFC3535 and RFC2931.
+      TSIG relies on a shared secret that should only be known to
+      <command>nsupdate</command> and the name server.
+      Currently, the only supported encryption algorithm for TSIG is
+      HMAC-MD5, which is defined in RFC 2104.
+      Once other algorithms are defined for TSIG, applications will need to
+      ensure they select the appropriate algorithm as well as the key when
+      authenticating each other.
+      For instance suitable
+      <type>key</type>
+      and
+      <type>server</type>
+      statements would be added to
+      <filename>/etc/named.conf</filename>
+      so that the name server can associate the appropriate secret key
+      and algorithm with the IP address of the
+      client application that will be using TSIG authentication.
+      SIG(0) uses public key cryptography.  To use a SIG(0) key, the public
+      key must be stored in a KEY record in a zone served by the name server.
+      <command>nsupdate</command>
+      does not read
+      <filename>/etc/named.conf</filename>.
+    </para>
+    <para><command>nsupdate</command>
+      uses the <option>-y</option> or <option>-k</option> option
+      to provide the shared secret needed to generate a TSIG record
+      for authenticating Dynamic DNS update requests, default type
+      HMAC-MD5.  These options are mutually exclusive.  With the
+      <option>-k</option> option, <command>nsupdate</command> reads
+      the shared secret from the file <parameter>keyfile</parameter>,
+      whose name is of the form
+      <filename>K{name}.+157.+{random}.private</filename>.  For
+      historical reasons, the file
+      <filename>K{name}.+157.+{random}.key</filename> must also be
+      present.  When the <option>-y</option> option is used, a
+      signature is generated from
+      <optional><parameter>hmac:</parameter></optional><parameter>keyname:secret.</parameter>
+      <parameter>keyname</parameter> is the name of the key, and
+      <parameter>secret</parameter> is the base64 encoded shared
+      secret.  Use of the <option>-y</option> option is discouraged
+      because the shared secret is supplied as a command line
+      argument in clear text.  This may be visible in the output
+      from
+      <citerefentry>
+	<refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry> or in a history file maintained by the user's
+      shell.
+    </para>
+    <para>
+      The <option>-k</option> may also be used to specify a SIG(0) key used
+      to authenticate Dynamic DNS update requests.  In this case, the key
+      specified is not an HMAC-MD5 key.
+    </para>
+    <para>
+      By default
+      <command>nsupdate</command>
+      uses UDP to send update requests to the name server unless they are too
+      large to fit in a UDP request in which case TCP will be used.
+      The
+      <option>-v</option>
+      option makes
+      <command>nsupdate</command>
+      use a TCP connection.
+      This may be preferable when a batch of update requests is made.
+    </para>
+    <para>
+      The <option>-t</option> option sets the maximum time a update request
+      can
+      take before it is aborted.  The default is 300 seconds.  Zero can be
+      used
+      to disable the timeout.
+    </para>
+    <para>
+      The <option>-u</option> option sets the UDP retry interval.  The default
+      is
+      3 seconds.  If zero the interval will be computed from the timeout
+      interval
+      and number of UDP retries.
+    </para>
+    <para>
+      The <option>-r</option> option sets the number of UDP retries. The
+      default is
+      3.  If zero only one update request will be made.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>INPUT FORMAT</title>
+    <para><command>nsupdate</command>
+      reads input from
+      <parameter>filename</parameter>
+      or standard input.
+      Each command is supplied on exactly one line of input.
+      Some commands are for administrative purposes.
+      The others are either update instructions or prerequisite checks on the
+      contents of the zone.
+      These checks set conditions that some name or set of
+      resource records (RRset) either exists or is absent from the zone.
+      These conditions must be met if the entire update request is to succeed.
+      Updates will be rejected if the tests for the prerequisite conditions
+      fail.
+    </para>
+    <para>
+      Every update request consists of zero or more prerequisites
+      and zero or more updates.
+      This allows a suitably authenticated update request to proceed if some
+      specified resource records are present or missing from the zone.
+      A blank input line (or the <command>send</command> command)
+      causes the
+      accumulated commands to be sent as one Dynamic DNS update request to the
+      name server.
+    </para>
+    <para>
+      The command formats and their meaning are as follows:
+      <variablelist>
+
+        <varlistentry>
+          <term>
+              <command>server</command>
+              <arg choice="req">servername</arg>
+              <arg choice="opt">port</arg>
+            </term>
+          <listitem>
+            <para>
+              Sends all dynamic update requests to the name server
+              <parameter>servername</parameter>.
+              When no server statement is provided,
+              <command>nsupdate</command>
+              will send updates to the master server of the correct zone.
+              The MNAME field of that zone's SOA record will identify the
+              master
+              server for that zone.
+              <parameter>port</parameter>
+              is the port number on
+              <parameter>servername</parameter>
+              where the dynamic update requests get sent.
+              If no port number is specified, the default DNS port number of
+              53 is
+              used.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+              <command>local</command>
+              <arg choice="req">address</arg>
+              <arg choice="opt">port</arg>
+            </term>
+          <listitem>
+            <para>
+              Sends all dynamic update requests using the local
+              <parameter>address</parameter>.
+
+              When no local statement is provided,
+              <command>nsupdate</command>
+              will send updates using an address and port chosen by the
+              system.
+              <parameter>port</parameter>
+              can additionally be used to make requests come from a specific
+              port.
+              If no port number is specified, the system will assign one.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+              <command>zone</command>
+              <arg choice="req">zonename</arg>
+            </term>
+          <listitem>
+            <para>
+              Specifies that all updates are to be made to the zone
+              <parameter>zonename</parameter>.
+              If no
+              <parameter>zone</parameter>
+              statement is provided,
+              <command>nsupdate</command>
+              will attempt determine the correct zone to update based on the
+              rest of the input.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+              <command>class</command>
+              <arg choice="req">classname</arg>
+            </term>
+          <listitem>
+            <para>
+              Specify the default class.
+              If no <parameter>class</parameter> is specified the
+              default class is
+              <parameter>IN</parameter>.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+              <command>key</command>
+              <arg choice="req">name</arg>
+              <arg choice="req">secret</arg>
+            </term>
+          <listitem>
+            <para>
+              Specifies that all updates are to be TSIG signed using the
+              <parameter>keyname</parameter> <parameter>keysecret</parameter> pair.
+              The <command>key</command> command
+              overrides any key specified on the command line via
+              <option>-y</option> or <option>-k</option>.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+              <command>prereq nxdomain</command>
+              <arg choice="req">domain-name</arg>
+            </term>
+          <listitem>
+            <para>
+              Requires that no resource record of any type exists with name
+              <parameter>domain-name</parameter>.
+            </para>
+          </listitem>
+        </varlistentry>
+
+
+        <varlistentry>
+          <term>
+              <command>prereq yxdomain</command>
+              <arg choice="req">domain-name</arg>
+            </term>
+          <listitem>
+            <para>
+              Requires that
+              <parameter>domain-name</parameter>
+              exists (has as at least one resource record, of any type).
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+              <command>prereq nxrrset</command>
+              <arg choice="req">domain-name</arg>
+              <arg choice="opt">class</arg>
+              <arg choice="req">type</arg>
+            </term>
+          <listitem>
+            <para>
+              Requires that no resource record exists of the specified
+              <parameter>type</parameter>,
+              <parameter>class</parameter>
+              and
+              <parameter>domain-name</parameter>.
+              If
+              <parameter>class</parameter>
+              is omitted, IN (internet) is assumed.
+            </para>
+          </listitem>
+        </varlistentry>
+
+
+        <varlistentry>
+          <term>
+              <command>prereq yxrrset</command>
+              <arg choice="req">domain-name</arg>
+              <arg choice="opt">class</arg>
+              <arg choice="req">type</arg>
+            </term>
+          <listitem>
+            <para>
+              This requires that a resource record of the specified
+              <parameter>type</parameter>,
+              <parameter>class</parameter>
+              and
+              <parameter>domain-name</parameter>
+              must exist.
+              If
+              <parameter>class</parameter>
+              is omitted, IN (internet) is assumed.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+              <command>prereq yxrrset</command>
+              <arg choice="req">domain-name</arg>
+              <arg choice="opt">class</arg>
+              <arg choice="req">type</arg>
+              <arg choice="req" rep="repeat">data</arg>
+            </term>
+          <listitem>
+            <para>
+              The
+              <parameter>data</parameter>
+              from each set of prerequisites of this form
+              sharing a common
+              <parameter>type</parameter>,
+              <parameter>class</parameter>,
+              and
+              <parameter>domain-name</parameter>
+              are combined to form a set of RRs.  This set of RRs must
+              exactly match the set of RRs existing in the zone at the
+              given
+              <parameter>type</parameter>,
+              <parameter>class</parameter>,
+              and
+              <parameter>domain-name</parameter>.
+              The
+              <parameter>data</parameter>
+              are written in the standard text representation of the resource
+              record's
+              RDATA.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+              <command>update delete</command>
+              <arg choice="req">domain-name</arg>
+              <arg choice="opt">ttl</arg>
+              <arg choice="opt">class</arg>
+              <arg choice="opt">type <arg choice="opt" rep="repeat">data</arg></arg>
+            </term>
+          <listitem>
+            <para>
+              Deletes any resource records named
+              <parameter>domain-name</parameter>.
+              If
+              <parameter>type</parameter>
+              and
+              <parameter>data</parameter>
+              is provided, only matching resource records will be removed.
+              The internet class is assumed if
+              <parameter>class</parameter>
+              is not supplied.  The
+              <parameter>ttl</parameter>
+              is ignored, and is only allowed for compatibility.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+              <command>update add</command>
+              <arg choice="req">domain-name</arg>
+              <arg choice="req">ttl</arg>
+              <arg choice="opt">class</arg>
+              <arg choice="req">type</arg>
+              <arg choice="req" rep="repeat">data</arg>
+            </term>
+          <listitem>
+            <para>
+              Adds a new resource record with the specified
+              <parameter>ttl</parameter>,
+              <parameter>class</parameter>
+              and
+              <parameter>data</parameter>.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+              <command>show</command>
+            </term>
+          <listitem>
+            <para>
+              Displays the current message, containing all of the
+              prerequisites and
+              updates specified since the last send.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+              <command>send</command>
+            </term>
+          <listitem>
+            <para>
+              Sends the current message.  This is equivalent to entering a
+              blank line.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+              <command>answer</command>
+            </term>
+          <listitem>
+            <para>
+              Displays the answer.
+            </para>
+          </listitem>
+        </varlistentry>
+
+      </variablelist>
+    </para>
+
+    <para>
+      Lines beginning with a semicolon are comments and are ignored.
+    </para>
+
+  </refsect1>
+
+  <refsect1>
+    <title>EXAMPLES</title>
+    <para>
+      The examples below show how
+      <command>nsupdate</command>
+      could be used to insert and delete resource records from the
+      <type>example.com</type>
+      zone.
+      Notice that the input in each example contains a trailing blank line so
+      that
+      a group of commands are sent as one dynamic update request to the
+      master name server for
+      <type>example.com</type>.
+
+      <programlisting>
 # nsupdate
-> update delete oldhost.example.com A
-> update add newhost.example.com 86400 A 172.16.1.1
-> send
+&gt; update delete oldhost.example.com A
+&gt; update add newhost.example.com 86400 A 172.16.1.1
+&gt; send
 </programlisting>
-</para>
-<para>
-Any A records for
-<type>oldhost.example.com</type>
-are deleted.
-and an A record for
-<type>newhost.example.com</type>
-it IP address 172.16.1.1 is added.
-The newly-added record has a 1 day TTL (86400 seconds)
-<programlisting>
+    </para>
+    <para>
+      Any A records for
+      <type>oldhost.example.com</type>
+      are deleted.
+      and an A record for
+      <type>newhost.example.com</type>
+      it IP address 172.16.1.1 is added.
+      The newly-added record has a 1 day TTL (86400 seconds)
+      <programlisting>
 # nsupdate
-> prereq nxdomain nickname.example.com
-> update add nickname.example.com 86400 CNAME somehost.example.com
-> send
+&gt; prereq nxdomain nickname.example.com
+&gt; update add nickname.example.com 86400 CNAME somehost.example.com
+&gt; send
 </programlisting>
-</para>
-<para>
-The prerequisite condition gets the name server to check that there
-are no resource records of any type for
-<type>nickname.example.com</type>.
-
-If there are, the update request fails.
-If this name does not exist, a CNAME for it is added.
-This ensures that when the CNAME is added, it cannot conflict with the
-long-standing rule in RFC1034 that a name must not exist as any other
-record type if it exists as a CNAME.
-(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
-RRSIG, DNSKEY and NSEC records.)
-</para>
-</refsect1>
-
-<refsect1>
-<title>FILES</title>
-
-<variablelist>
-<varlistentry><term><constant>/etc/resolv.conf</constant></term>
-<listitem>
-<para>
-used to identify default name server
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term><constant>K{name}.+157.+{random}.key</constant></term>
-<listitem>
-<para>
-base-64 encoding of HMAC-MD5 key created by
-<citerefentry>
-<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term><constant>K{name}.+157.+{random}.private</constant></term>
-<listitem>
-<para>
-base-64 encoding of HMAC-MD5 key created by
-<citerefentry>
-<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
-</listitem>
-</varlistentry>
-</variablelist>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>RFC2136</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC3007</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC2104</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC2845</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC1034</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC2535</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC2931</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-<refsect1>
-<title>BUGS</title>
-<para>
-The TSIG key is redundantly stored in two separate files.
-This is a consequence of nsupdate using the DST library
-for its cryptographic operations, and may change in future
-releases.
-</para>
-</refsect1>
-</refentry>
+    </para>
+    <para>
+      The prerequisite condition gets the name server to check that there
+      are no resource records of any type for
+      <type>nickname.example.com</type>.
+
+      If there are, the update request fails.
+      If this name does not exist, a CNAME for it is added.
+      This ensures that when the CNAME is added, it cannot conflict with the
+      long-standing rule in RFC1034 that a name must not exist as any other
+      record type if it exists as a CNAME.
+      (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+      RRSIG, DNSKEY and NSEC records.)
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <variablelist>
+      <varlistentry>
+        <term><constant>/etc/resolv.conf</constant></term>
+        <listitem>
+          <para>
+            used to identify default name server
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>K{name}.+157.+{random}.key</constant></term>
+        <listitem>
+          <para>
+            base-64 encoding of HMAC-MD5 key created by
+            <citerefentry>
+              <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+            </citerefentry>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><constant>K{name}.+157.+{random}.private</constant></term>
+        <listitem>
+          <para>
+            base-64 encoding of HMAC-MD5 key created by
+            <citerefentry>
+              <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+            </citerefentry>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>RFC2136</refentrytitle>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>RFC3007</refentrytitle>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>RFC2104</refentrytitle>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>RFC2845</refentrytitle>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>RFC1034</refentrytitle>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>RFC2535</refentrytitle>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>RFC2931</refentrytitle>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
+    </para>
+
+  </refsect1>
+  <refsect1>
+    <title>BUGS</title>
+    <para>
+      The TSIG key is redundantly stored in two separate files.
+      This is a consequence of nsupdate using the DST library
+      for its cryptographic operations, and may change in future
+      releases.
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.html b/contrib/bind9/bin/nsupdate/nsupdate.html
index 4df8280..ecf52ab 100644
--- a/contrib/bind9/bin/nsupdate/nsupdate.html
+++ b/contrib/bind9/bin/nsupdate/nsupdate.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,375 +14,408 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: nsupdate.html,v 1.9.2.3.2.15 2006/06/29 13:02:30 marka Exp $ -->
+<!-- $Id: nsupdate.html,v 1.14.18.21 2007/01/30 00:23:44 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>nsupdate</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>nsupdate &#8212; Dynamic DNS update utility</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [[<code class="option">-y <em class="replaceable"><code>keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
+<div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [[<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549461"></a><h2>DESCRIPTION</h2>
+<a name="id2543417"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">nsupdate</strong></span>
+      is used to submit Dynamic DNS Update requests as defined in RFC2136
+      to a name server.
+      This allows resource records to be added or removed from a zone
+      without manually editing the zone file.
+      A single update request can contain requests to add or remove more than
+      one
+      resource record.
+    </p>
 <p>
-<span><strong class="command">nsupdate</strong></span>
-is used to submit Dynamic DNS Update requests as defined in RFC2136
-to a name server.
-This allows resource records to be added or removed from a zone
-without manually editing the zone file.
-A single update request can contain requests to add or remove more than one
-resource record.
-</p>
+      Zones that are under dynamic control via
+      <span><strong class="command">nsupdate</strong></span>
+      or a DHCP server should not be edited by hand.
+      Manual edits could
+      conflict with dynamic updates and cause data to be lost.
+    </p>
 <p>
-Zones that are under dynamic control via
-<span><strong class="command">nsupdate</strong></span>
-or a DHCP server should not be edited by hand.
-Manual edits could
-conflict with dynamic updates and cause data to be lost.
-</p>
+      The resource records that are dynamically added or removed with
+      <span><strong class="command">nsupdate</strong></span>
+      have to be in the same zone.
+      Requests are sent to the zone's master server.
+      This is identified by the MNAME field of the zone's SOA record.
+    </p>
 <p>
-The resource records that are dynamically added or removed with
-<span><strong class="command">nsupdate</strong></span>
-have to be in the same zone.
-Requests are sent to the zone's master server.
-This is identified by the MNAME field of the zone's SOA record.
-</p>
+      The
+      <code class="option">-d</code>
+      option makes
+      <span><strong class="command">nsupdate</strong></span>
+      operate in debug mode.
+      This provides tracing information about the update requests that are
+      made and the replies received from the name server.
+    </p>
 <p>
-The
-<code class="option">-d</code>
-option makes
-<span><strong class="command">nsupdate</strong></span>
-operate in debug mode.
-This provides tracing information about the update requests that are
-made and the replies received from the name server.
-</p>
+      Transaction signatures can be used to authenticate the Dynamic DNS
+      updates.
+      These use the TSIG resource record type described in RFC2845 or the
+      SIG(0) record described in RFC3535 and RFC2931.
+      TSIG relies on a shared secret that should only be known to
+      <span><strong class="command">nsupdate</strong></span> and the name server.
+      Currently, the only supported encryption algorithm for TSIG is
+      HMAC-MD5, which is defined in RFC 2104.
+      Once other algorithms are defined for TSIG, applications will need to
+      ensure they select the appropriate algorithm as well as the key when
+      authenticating each other.
+      For instance suitable
+      <span class="type">key</span>
+      and
+      <span class="type">server</span>
+      statements would be added to
+      <code class="filename">/etc/named.conf</code>
+      so that the name server can associate the appropriate secret key
+      and algorithm with the IP address of the
+      client application that will be using TSIG authentication.
+      SIG(0) uses public key cryptography.  To use a SIG(0) key, the public
+      key must be stored in a KEY record in a zone served by the name server.
+      <span><strong class="command">nsupdate</strong></span>
+      does not read
+      <code class="filename">/etc/named.conf</code>.
+    </p>
+<p><span><strong class="command">nsupdate</strong></span>
+      uses the <code class="option">-y</code> or <code class="option">-k</code> option
+      to provide the shared secret needed to generate a TSIG record
+      for authenticating Dynamic DNS update requests, default type
+      HMAC-MD5.  These options are mutually exclusive.  With the
+      <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
+      the shared secret from the file <em class="parameter"><code>keyfile</code></em>,
+      whose name is of the form
+      <code class="filename">K{name}.+157.+{random}.private</code>.  For
+      historical reasons, the file
+      <code class="filename">K{name}.+157.+{random}.key</code> must also be
+      present.  When the <code class="option">-y</code> option is used, a
+      signature is generated from
+      [<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
+      <em class="parameter"><code>keyname</code></em> is the name of the key, and
+      <em class="parameter"><code>secret</code></em> is the base64 encoded shared
+      secret.  Use of the <code class="option">-y</code> option is discouraged
+      because the shared secret is supplied as a command line
+      argument in clear text.  This may be visible in the output
+      from
+      <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span> or in a history file maintained by the user's
+      shell.
+    </p>
 <p>
-Transaction signatures can be used to authenticate the Dynamic DNS
-updates.
-These use the TSIG resource record type described in RFC2845 or the
-SIG(0) record described in RFC3535 and RFC2931.
-TSIG relies on a shared secret that should only be known to
-<span><strong class="command">nsupdate</strong></span> and the name server.
-Currently, the only supported encryption algorithm for TSIG is
-HMAC-MD5, which is defined in RFC 2104.
-Once other algorithms are defined for TSIG, applications will need to
-ensure they select the appropriate algorithm as well as the key when
-authenticating each other.
-For instance suitable
-<span class="type">key</span>
-and
-<span class="type">server</span>
-statements would be added to
-<code class="filename">/etc/named.conf</code>
-so that the name server can associate the appropriate secret key
-and algorithm with the IP address of the
-client application that will be using TSIG authentication.
-SIG(0) uses public key cryptography.  To use a SIG(0) key, the public
-key must be stored in a KEY record in a zone served by the name server.
-<span><strong class="command">nsupdate</strong></span>
-does not read
-<code class="filename">/etc/named.conf</code>.
-</p>
+      The <code class="option">-k</code> may also be used to specify a SIG(0) key used
+      to authenticate Dynamic DNS update requests.  In this case, the key
+      specified is not an HMAC-MD5 key.
+    </p>
 <p>
-<span><strong class="command">nsupdate</strong></span>
-uses the
-<code class="option">-y</code>
-or
-<code class="option">-k</code>
-option (with an HMAC-MD5 key) to provide the shared secret needed to generate
-a TSIG record for authenticating Dynamic DNS update requests.
-These options are mutually exclusive.
-With the
-<code class="option">-k</code>
-option,
-<span><strong class="command">nsupdate</strong></span>
-reads the shared secret from the file
-<em class="parameter"><code>keyfile</code></em>,
-whose name is of the form 
-<code class="filename">K{name}.+157.+{random}.private</code>.
-For historical
-reasons, the file 
-<code class="filename">K{name}.+157.+{random}.key</code>
-must also be present.  When the
-<code class="option">-y</code>
-option is used, a signature is generated from
-<em class="parameter"><code>keyname:secret.</code></em>
-<em class="parameter"><code>keyname</code></em>
-is the name of the key,
-and
-<em class="parameter"><code>secret</code></em>
-is the base64 encoded shared secret.
-Use of the
-<code class="option">-y</code>
-option is discouraged because the shared secret is supplied as a command
-line argument in clear text.
-This may be visible in the output from
-<span class="citerefentry"><span class="refentrytitle">ps</span>(1
-)</span>
-or in a history file maintained by the user's shell.
-</p>
+      By default
+      <span><strong class="command">nsupdate</strong></span>
+      uses UDP to send update requests to the name server unless they are too
+      large to fit in a UDP request in which case TCP will be used.
+      The
+      <code class="option">-v</code>
+      option makes
+      <span><strong class="command">nsupdate</strong></span>
+      use a TCP connection.
+      This may be preferable when a batch of update requests is made.
+    </p>
 <p>
-The <code class="option">-k</code> may also be used to specify a SIG(0) key used
-to authenticate Dynamic DNS update requests.  In this case, the key
-specified is not an HMAC-MD5 key.
-</p>
+      The <code class="option">-t</code> option sets the maximum time a update request
+      can
+      take before it is aborted.  The default is 300 seconds.  Zero can be
+      used
+      to disable the timeout.
+    </p>
 <p>
-By default
-<span><strong class="command">nsupdate</strong></span>
-uses UDP to send update requests to the name server unless they are too
-large to fit in a UDP request in which case TCP will be used.
-The
-<code class="option">-v</code>
-option makes
-<span><strong class="command">nsupdate</strong></span>
-use a TCP connection.
-This may be preferable when a batch of update requests is made.
-</p>
-<p>The <code class="option">-t</code> option sets the maximum time a update request can
-take before it is aborted.  The default is 300 seconds.  Zero can be used
-to disable the timeout.
-</p>
-<p>The <code class="option">-u</code> option sets the UDP retry interval.  The default is
-3 seconds.  If zero the interval will be computed from the timeout interval
-and number of UDP retries.
-</p>
-<p>The <code class="option">-r</code> option sets the number of UDP retries. The default is
-3.  If zero only one update request will be made.
-</p>
+      The <code class="option">-u</code> option sets the UDP retry interval.  The default
+      is
+      3 seconds.  If zero the interval will be computed from the timeout
+      interval
+      and number of UDP retries.
+    </p>
+<p>
+      The <code class="option">-r</code> option sets the number of UDP retries. The
+      default is
+      3.  If zero only one update request will be made.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549686"></a><h2>INPUT FORMAT</h2>
-<p>
-<span><strong class="command">nsupdate</strong></span>
-reads input from
-<em class="parameter"><code>filename</code></em>
-or standard input.
-Each command is supplied on exactly one line of input.
-Some commands are for administrative purposes.
-The others are either update instructions or prerequisite checks on the
-contents of the zone.
-These checks set conditions that some name or set of
-resource records (RRset) either exists or is absent from the zone.
-These conditions must be met if the entire update request is to succeed.
-Updates will be rejected if the tests for the prerequisite conditions fail.
-</p>
+<a name="id2543645"></a><h2>INPUT FORMAT</h2>
+<p><span><strong class="command">nsupdate</strong></span>
+      reads input from
+      <em class="parameter"><code>filename</code></em>
+      or standard input.
+      Each command is supplied on exactly one line of input.
+      Some commands are for administrative purposes.
+      The others are either update instructions or prerequisite checks on the
+      contents of the zone.
+      These checks set conditions that some name or set of
+      resource records (RRset) either exists or is absent from the zone.
+      These conditions must be met if the entire update request is to succeed.
+      Updates will be rejected if the tests for the prerequisite conditions
+      fail.
+    </p>
 <p>
-Every update request consists of zero or more prerequisites
-and zero or more updates.
-This allows a suitably authenticated update request to proceed if some
-specified resource records are present or missing from the zone.
-A blank input line (or the <span><strong class="command">send</strong></span> command) causes the
-accumulated commands to be sent as one Dynamic DNS update request to the
-name server.
-</p>
+      Every update request consists of zero or more prerequisites
+      and zero or more updates.
+      This allows a suitably authenticated update request to proceed if some
+      specified resource records are present or missing from the zone.
+      A blank input line (or the <span><strong class="command">send</strong></span> command)
+      causes the
+      accumulated commands to be sent as one Dynamic DNS update request to the
+      name server.
+    </p>
 <p>
-The command formats and their meaning are as follows:
-</p>
+      The command formats and their meaning are as follows:
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">server</code>  {servername} [port]</p></div>
-</span></dt>
+              <span><strong class="command">server</strong></span>
+               {servername}
+               [port]
+            </span></dt>
 <dd><p>
-Sends all dynamic update requests to the name server
-<em class="parameter"><code>servername</code></em>.
-When no server statement is provided,
-<span><strong class="command">nsupdate</strong></span>
-will send updates to the master server of the correct zone.
-The MNAME field of that zone's SOA record will identify the master
-server for that zone.
-<em class="parameter"><code>port</code></em>
-is the port number on
-<em class="parameter"><code>servername</code></em>
-where the dynamic update requests get sent.
-If no port number is specified, the default DNS port number of 53 is
-used.
-</p></dd>
+              Sends all dynamic update requests to the name server
+              <em class="parameter"><code>servername</code></em>.
+              When no server statement is provided,
+              <span><strong class="command">nsupdate</strong></span>
+              will send updates to the master server of the correct zone.
+              The MNAME field of that zone's SOA record will identify the
+              master
+              server for that zone.
+              <em class="parameter"><code>port</code></em>
+              is the port number on
+              <em class="parameter"><code>servername</code></em>
+              where the dynamic update requests get sent.
+              If no port number is specified, the default DNS port number of
+              53 is
+              used.
+            </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">local</code>  {address} [port]</p></div>
-</span></dt>
+              <span><strong class="command">local</strong></span>
+               {address}
+               [port]
+            </span></dt>
 <dd><p>
-Sends all dynamic update requests using the local
-<em class="parameter"><code>address</code></em>.
+              Sends all dynamic update requests using the local
+              <em class="parameter"><code>address</code></em>.
 
-When no local statement is provided,
-<span><strong class="command">nsupdate</strong></span>
-will send updates using an address and port chosen by the system.
-<em class="parameter"><code>port</code></em>
-can additionally be used to make requests come from a specific port.
-If no port number is specified, the system will assign one.
-</p></dd>
+              When no local statement is provided,
+              <span><strong class="command">nsupdate</strong></span>
+              will send updates using an address and port chosen by the
+              system.
+              <em class="parameter"><code>port</code></em>
+              can additionally be used to make requests come from a specific
+              port.
+              If no port number is specified, the system will assign one.
+            </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">zone</code>  {zonename}</p></div>
-</span></dt>
+              <span><strong class="command">zone</strong></span>
+               {zonename}
+            </span></dt>
 <dd><p>
-Specifies that all updates are to be made to the zone
-<em class="parameter"><code>zonename</code></em>.
-If no
-<em class="parameter"><code>zone</code></em>
-statement is provided,
-<span><strong class="command">nsupdate</strong></span>
-will attempt determine the correct zone to update based on the rest of the input.
-</p></dd>
+              Specifies that all updates are to be made to the zone
+              <em class="parameter"><code>zonename</code></em>.
+              If no
+              <em class="parameter"><code>zone</code></em>
+              statement is provided,
+              <span><strong class="command">nsupdate</strong></span>
+              will attempt determine the correct zone to update based on the
+              rest of the input.
+            </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">class</code>  {classname}</p></div>
-</span></dt>
+              <span><strong class="command">class</strong></span>
+               {classname}
+            </span></dt>
 <dd><p>
-Specify the default class.
-If no <em class="parameter"><code>class</code></em> is specified the default class is
-<em class="parameter"><code>IN</code></em>.
-</p></dd>
+              Specify the default class.
+              If no <em class="parameter"><code>class</code></em> is specified the
+              default class is
+              <em class="parameter"><code>IN</code></em>.
+            </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">key</code>  {name} {secret}</p></div>
-</span></dt>
+              <span><strong class="command">key</strong></span>
+               {name}
+               {secret}
+            </span></dt>
 <dd><p>
-Specifies that all updates are to be TSIG signed using the
-<em class="parameter"><code>keyname</code></em> <em class="parameter"><code>keysecret</code></em> pair.
-The <span><strong class="command">key</strong></span> command
-overrides any key specified on the command line via
-<code class="option">-y</code> or <code class="option">-k</code>.
-</p></dd>
+              Specifies that all updates are to be TSIG signed using the
+              <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>keysecret</code></em> pair.
+              The <span><strong class="command">key</strong></span> command
+              overrides any key specified on the command line via
+              <code class="option">-y</code> or <code class="option">-k</code>.
+            </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">prereq nxdomain</code>  {domain-name}</p></div>
-</span></dt>
+              <span><strong class="command">prereq nxdomain</strong></span>
+               {domain-name}
+            </span></dt>
 <dd><p>
-Requires that no resource record of any type exists with name
-<em class="parameter"><code>domain-name</code></em>.
-</p></dd>
+              Requires that no resource record of any type exists with name
+              <em class="parameter"><code>domain-name</code></em>.
+            </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">prereq yxdomain</code>  {domain-name}</p></div>
-</span></dt>
+              <span><strong class="command">prereq yxdomain</strong></span>
+               {domain-name}
+            </span></dt>
 <dd><p>
-Requires that
-<em class="parameter"><code>domain-name</code></em>
-exists (has as at least one resource record, of any type).
-</p></dd>
+              Requires that
+              <em class="parameter"><code>domain-name</code></em>
+              exists (has as at least one resource record, of any type).
+            </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">prereq nxrrset</code>  {domain-name} [class] {type}</p></div>
-</span></dt>
+              <span><strong class="command">prereq nxrrset</strong></span>
+               {domain-name}
+               [class]
+               {type}
+            </span></dt>
 <dd><p>
-Requires that no resource record exists of the specified
-<em class="parameter"><code>type</code></em>,
-<em class="parameter"><code>class</code></em>
-and
-<em class="parameter"><code>domain-name</code></em>.
-If
-<em class="parameter"><code>class</code></em>
-is omitted, IN (internet) is assumed.
-</p></dd>
+              Requires that no resource record exists of the specified
+              <em class="parameter"><code>type</code></em>,
+              <em class="parameter"><code>class</code></em>
+              and
+              <em class="parameter"><code>domain-name</code></em>.
+              If
+              <em class="parameter"><code>class</code></em>
+              is omitted, IN (internet) is assumed.
+            </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">prereq yxrrset</code>  {domain-name} [class] {type}</p></div>
-</span></dt>
+              <span><strong class="command">prereq yxrrset</strong></span>
+               {domain-name}
+               [class]
+               {type}
+            </span></dt>
 <dd><p>
-This requires that a resource record of the specified
-<em class="parameter"><code>type</code></em>,
-<em class="parameter"><code>class</code></em>
-and
-<em class="parameter"><code>domain-name</code></em>
-must exist.
-If
-<em class="parameter"><code>class</code></em>
-is omitted, IN (internet) is assumed.
-</p></dd>
+              This requires that a resource record of the specified
+              <em class="parameter"><code>type</code></em>,
+              <em class="parameter"><code>class</code></em>
+              and
+              <em class="parameter"><code>domain-name</code></em>
+              must exist.
+              If
+              <em class="parameter"><code>class</code></em>
+              is omitted, IN (internet) is assumed.
+            </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">prereq yxrrset</code>  {domain-name} [class] {type} {data...}</p></div>
-</span></dt>
+              <span><strong class="command">prereq yxrrset</strong></span>
+               {domain-name}
+               [class]
+               {type}
+               {data...}
+            </span></dt>
 <dd><p>
-The
-<em class="parameter"><code>data</code></em>
-from each set of prerequisites of this form
-sharing a common
-<em class="parameter"><code>type</code></em>,
-<em class="parameter"><code>class</code></em>,
-and 
-<em class="parameter"><code>domain-name</code></em>
-are combined to form a set of RRs.  This set of RRs must
-exactly match the set of RRs existing in the zone at the
-given 
-<em class="parameter"><code>type</code></em>,
-<em class="parameter"><code>class</code></em>,
-and 
-<em class="parameter"><code>domain-name</code></em>.
-The
-<em class="parameter"><code>data</code></em>
-are written in the standard text representation of the resource record's
-RDATA.
-</p></dd>
+              The
+              <em class="parameter"><code>data</code></em>
+              from each set of prerequisites of this form
+              sharing a common
+              <em class="parameter"><code>type</code></em>,
+              <em class="parameter"><code>class</code></em>,
+              and
+              <em class="parameter"><code>domain-name</code></em>
+              are combined to form a set of RRs.  This set of RRs must
+              exactly match the set of RRs existing in the zone at the
+              given
+              <em class="parameter"><code>type</code></em>,
+              <em class="parameter"><code>class</code></em>,
+              and
+              <em class="parameter"><code>domain-name</code></em>.
+              The
+              <em class="parameter"><code>data</code></em>
+              are written in the standard text representation of the resource
+              record's
+              RDATA.
+            </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">update delete</code>  {domain-name} [ttl] [class] [type [data...]]</p></div>
-</span></dt>
+              <span><strong class="command">update delete</strong></span>
+               {domain-name}
+               [ttl]
+               [class]
+               [type [data...]]
+            </span></dt>
 <dd><p>
-Deletes any resource records named
-<em class="parameter"><code>domain-name</code></em>.
-If
-<em class="parameter"><code>type</code></em>
-and
-<em class="parameter"><code>data</code></em>
-is provided, only matching resource records will be removed.
-The internet class is assumed if
-<em class="parameter"><code>class</code></em>
-is not supplied.  The
-<em class="parameter"><code>ttl</code></em>
-is ignored, and is only allowed for compatibility.
-</p></dd>
+              Deletes any resource records named
+              <em class="parameter"><code>domain-name</code></em>.
+              If
+              <em class="parameter"><code>type</code></em>
+              and
+              <em class="parameter"><code>data</code></em>
+              is provided, only matching resource records will be removed.
+              The internet class is assumed if
+              <em class="parameter"><code>class</code></em>
+              is not supplied.  The
+              <em class="parameter"><code>ttl</code></em>
+              is ignored, and is only allowed for compatibility.
+            </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">update add</code>  {domain-name} {ttl} [class] {type} {data...}</p></div>
-</span></dt>
+              <span><strong class="command">update add</strong></span>
+               {domain-name}
+               {ttl}
+               [class]
+               {type}
+               {data...}
+            </span></dt>
 <dd><p>
-Adds a new resource record with the specified
-<em class="parameter"><code>ttl</code></em>,
-<em class="parameter"><code>class</code></em>
-and
-<em class="parameter"><code>data</code></em>.
-</p></dd>
+              Adds a new resource record with the specified
+              <em class="parameter"><code>ttl</code></em>,
+              <em class="parameter"><code>class</code></em>
+              and
+              <em class="parameter"><code>data</code></em>.
+            </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">show</code> </p></div>
-</span></dt>
+              <span><strong class="command">show</strong></span>
+            </span></dt>
 <dd><p>
-Displays the current message, containing all of the prerequisites and
-updates specified since the last send.
-</p></dd>
+              Displays the current message, containing all of the
+              prerequisites and
+              updates specified since the last send.
+            </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">send</code> </p></div>
-</span></dt>
+              <span><strong class="command">send</strong></span>
+            </span></dt>
 <dd><p>
-Sends the current message.  This is equivalent to entering a blank line.
-</p></dd>
+              Sends the current message.  This is equivalent to entering a
+              blank line.
+            </p></dd>
 <dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">answer</code> </p></div>
-</span></dt>
+              <span><strong class="command">answer</strong></span>
+            </span></dt>
 <dd><p>
-Displays the answer.
-</p></dd>
+              Displays the answer.
+            </p></dd>
 </dl></div>
 <p>
-</p>
+    </p>
 <p>
-Lines beginning with a semicolon are comments and are ignored.
-</p>
+      Lines beginning with a semicolon are comments and are ignored.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550382"></a><h2>EXAMPLES</h2>
+<a name="id2544649"></a><h2>EXAMPLES</h2>
 <p>
-The examples below show how
-<span><strong class="command">nsupdate</strong></span>
-could be used to insert and delete resource records from the
-<span class="type">example.com</span>
-zone.
-Notice that the input in each example contains a trailing blank line so that
-a group of commands are sent as one dynamic update request to the
-master name server for
-<span class="type">example.com</span>.
+      The examples below show how
+      <span><strong class="command">nsupdate</strong></span>
+      could be used to insert and delete resource records from the
+      <span class="type">example.com</span>
+      zone.
+      Notice that the input in each example contains a trailing blank line so
+      that
+      a group of commands are sent as one dynamic update request to the
+      master name server for
+      <span class="type">example.com</span>.
 
-</p>
+      </p>
 <pre class="programlisting">
 # nsupdate
 &gt; update delete oldhost.example.com A
@@ -390,16 +423,16 @@ master name server for
 &gt; send
 </pre>
 <p>
-</p>
+    </p>
 <p>
-Any A records for
-<span class="type">oldhost.example.com</span>
-are deleted.
-and an A record for
-<span class="type">newhost.example.com</span>
-it IP address 172.16.1.1 is added.
-The newly-added record has a 1 day TTL (86400 seconds)
-</p>
+      Any A records for
+      <span class="type">oldhost.example.com</span>
+      are deleted.
+      and an A record for
+      <span class="type">newhost.example.com</span>
+      it IP address 172.16.1.1 is added.
+      The newly-added record has a 1 day TTL (86400 seconds)
+      </p>
 <pre class="programlisting">
 # nsupdate
 &gt; prereq nxdomain nickname.example.com
@@ -407,62 +440,61 @@ The newly-added record has a 1 day TTL (86400 seconds)
 &gt; send
 </pre>
 <p>
-</p>
+    </p>
 <p>
-The prerequisite condition gets the name server to check that there
-are no resource records of any type for
-<span class="type">nickname.example.com</span>.
+      The prerequisite condition gets the name server to check that there
+      are no resource records of any type for
+      <span class="type">nickname.example.com</span>.
 
-If there are, the update request fails.
-If this name does not exist, a CNAME for it is added.
-This ensures that when the CNAME is added, it cannot conflict with the
-long-standing rule in RFC1034 that a name must not exist as any other
-record type if it exists as a CNAME.
-(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
-RRSIG, DNSKEY and NSEC records.)
-</p>
+      If there are, the update request fails.
+      If this name does not exist, a CNAME for it is added.
+      This ensures that when the CNAME is added, it cannot conflict with the
+      long-standing rule in RFC1034 that a name must not exist as any other
+      record type if it exists as a CNAME.
+      (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+      RRSIG, DNSKEY and NSEC records.)
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550426"></a><h2>FILES</h2>
+<a name="id2544693"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
 <dd><p>
-used to identify default name server
-</p></dd>
+            used to identify default name server
+          </p></dd>
 <dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
 <dd><p>
-base-64 encoding of HMAC-MD5 key created by
-<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-</p></dd>
+            base-64 encoding of HMAC-MD5 key created by
+            <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+          </p></dd>
 <dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
 <dd><p>
-base-64 encoding of HMAC-MD5 key created by
-<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-</p></dd>
+            base-64 encoding of HMAC-MD5 key created by
+            <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+          </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549061"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC2845</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC1034</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>,
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-</p>
+<a name="id2544830"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">RFC2845</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">RFC1034</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549132"></a><h2>BUGS</h2>
+<a name="id2544901"></a><h2>BUGS</h2>
 <p>
-The TSIG key is redundantly stored in two separate files.
-This is a consequence of nsupdate using the DST library
-for its cryptographic operations, and may change in future
-releases.
-</p>
+      The TSIG key is redundantly stored in two separate files.
+      This is a consequence of nsupdate using the DST library
+      for its cryptographic operations, and may change in future
+      releases.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/bin/rndc/Makefile.in b/contrib/bind9/bin/rndc/Makefile.in
index e677315..eed3c0a 100644
--- a/contrib/bind9/bin/rndc/Makefile.in
+++ b/contrib/bind9/bin/rndc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.32.2.3.8.8 2004/07/20 07:01:50 marka Exp $
+# $Id: Makefile.in,v 1.40.18.3 2007/01/19 00:55:49 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -47,6 +47,8 @@ RNDCDEPLIBS =	${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${I
 CONFLIBS =	${DNSLIBS} ${ISCLIBS} @LIBS@
 CONFDEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
 
+SRCS=		rndc.c rndc-confgen.c
+
 SUBDIRS =	unix
 
 TARGETS =	rndc@EXEEXT@ rndc-confgen@EXEEXT@
diff --git a/contrib/bind9/bin/rndc/include/rndc/os.h b/contrib/bind9/bin/rndc/include/rndc/os.h
index b5ade47..b5c1d24 100644
--- a/contrib/bind9/bin/rndc/include/rndc/os.h
+++ b/contrib/bind9/bin/rndc/include/rndc/os.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.h,v 1.4.206.1 2004/03/06 10:21:33 marka Exp $ */
+/* $Id: os.h,v 1.5.18.2 2005/04/29 00:15:41 marka Exp $ */
+
+/*! \file */
 
 #ifndef RNDC_OS_H
 #define RNDC_OS_H 1
@@ -26,13 +28,13 @@
 ISC_LANG_BEGINDECLS
 
 FILE *safe_create(const char *filename);
-/*
+/*%<
  * Open 'filename' for writing, truncate if necessary.  If the file was
  * created ensure that only the owner can read/write it.
  */
 
 int set_user(FILE *fd, const char *user);
-/*
+/*%<
  * Set the owner of the file refernced by 'fd' to 'user'.
  * Returns:
  *   0 		success
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.8 b/contrib/bind9/bin/rndc/rndc-confgen.8
index c6a4218..fe25a7b 100644
--- a/contrib/bind9/bin/rndc/rndc-confgen.8
+++ b/contrib/bind9/bin/rndc/rndc-confgen.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc-confgen.8,v 1.3.2.5.2.8 2006/06/29 13:02:31 marka Exp $
+.\" $Id: rndc-confgen.8,v 1.9.18.11 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: rndc\-confgen
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Aug 27, 2001
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -56,8 +56,9 @@ file and a
 \fBcontrols\fR
 statement altogether.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \-a
+.RS 4
 Do automatic
 \fBrndc\fR
 configuration. This creates a file
@@ -100,31 +101,43 @@ option and set up a
 and
 \fInamed.conf\fR
 as directed.
-.TP 3n
+.RE
+.PP
 \-b \fIkeysize\fR
+.RS 4
 Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.
-.TP 3n
+.RE
+.PP
 \-c \fIkeyfile\fR
+.RS 4
 Used with the
 \fB\-a\fR
 option to specify an alternate location for
 \fIrndc.key\fR.
-.TP 3n
+.RE
+.PP
 \-h
+.RS 4
 Prints a short summary of the options and arguments to
 \fBrndc\-confgen\fR.
-.TP 3n
+.RE
+.PP
 \-k \fIkeyname\fR
+.RS 4
 Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is
 \fBrndc\-key\fR.
-.TP 3n
+.RE
+.PP
 \-p \fIport\fR
+.RS 4
 Specifies the command channel port where
 \fBnamed\fR
 listens for connections from
 \fBrndc\fR. The default is 953.
-.TP 3n
+.RE
+.PP
 \-r \fIrandomfile\fR
+.RS 4
 Specifies a source of random data for generating the authorization. If the operating system does not provide a
 \fI/dev/random\fR
 or equivalent device, the default source of randomness is keyboard input.
@@ -132,14 +145,18 @@ or equivalent device, the default source of randomness is keyboard input.
 specifies the name of a character device or file containing random data to be used instead of the default. The special value
 \fIkeyboard\fR
 indicates that keyboard input should be used.
-.TP 3n
+.RE
+.PP
 \-s \fIaddress\fR
+.RS 4
 Specifies the IP address where
 \fBnamed\fR
 listens for command channel connections from
 \fBrndc\fR. The default is the loopback address 127.0.0.1.
-.TP 3n
+.RE
+.PP
 \-t \fIchrootdir\fR
+.RS 4
 Used with the
 \fB\-a\fR
 option to specify a directory where
@@ -148,8 +165,10 @@ will run chrooted. An additional copy of the
 \fIrndc.key\fR
 will be written relative to this directory so that it will be found by the chrooted
 \fBnamed\fR.
-.TP 3n
+.RE
+.PP
 \-u \fIuser\fR
+.RS 4
 Used with the
 \fB\-a\fR
 option to set the owner of the
@@ -157,6 +176,7 @@ option to set the owner of the
 file generated. If
 \fB\-t\fR
 is also specified only the file in the chroot area has its owner changed.
+.RE
 .SH "EXAMPLES"
 .PP
 To allow
@@ -185,4 +205,7 @@ BIND 9 Administrator Reference Manual.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2001, 2003 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.c b/contrib/bind9/bin/rndc/rndc-confgen.c
index f6e578e..0764104 100644
--- a/contrib/bind9/bin/rndc/rndc-confgen.c
+++ b/contrib/bind9/bin/rndc/rndc-confgen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,18 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc-confgen.c,v 1.9.2.6.2.5 2004/09/28 07:14:57 marka Exp $ */
+/* $Id: rndc-confgen.c,v 1.18.18.3 2005/04/29 00:15:40 marka Exp $ */
+
+/*! \file */
+
+/**
+ * rndc-confgen generates configuration files for rndc. It can be used
+ * as a convenient alternative to writing the rndc.conf file and the
+ * corresponding controls and key statements in named.conf by hand.
+ * Alternatively, it can be run with the -a option to set up a
+ * rndc.key file and avoid the need for a rndc.conf file and a
+ * controls statement altogether.
+ */
 
 #include <config.h>
 
@@ -45,7 +56,7 @@
 
 #include "util.h"
 
-#define DEFAULT_KEYLENGTH	128		/* Bits. */
+#define DEFAULT_KEYLENGTH	128		/*% Bits. */
 #define DEFAULT_KEYNAME		"rndc-key"
 #define DEFAULT_SERVER		"127.0.0.1"
 #define DEFAULT_PORT		953
@@ -78,7 +89,7 @@ Usage:\n\
 	exit (status);
 }
 
-/*
+/*%
  * Write an rndc.key file to 'keyfile'.  If 'user' is non-NULL,
  * make that user the owner of the file.  The key will have
  * the name 'keyname' and the secret in the buffer 'secret'.
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.docbook b/contrib/bind9/bin/rndc/rndc-confgen.docbook
index e0c5a68..7267f5c 100644
--- a/contrib/bind9/bin/rndc/rndc-confgen.docbook
+++ b/contrib/bind9/bin/rndc/rndc-confgen.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,8 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc-confgen.docbook,v 1.3.2.1.4.5 2005/05/13 01:22:34 marka Exp $ -->
-
-<refentry>
+<!-- $Id: rndc-confgen.docbook,v 1.6.18.6 2007/01/29 23:57:20 marka Exp $ -->
+<refentry id="man.rndc-confgen">
   <refentryinfo>
     <date>Aug 27, 2001</date>
   </refentryinfo>
@@ -31,10 +30,16 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
+  <refnamediv>
+    <refname><application>rndc-confgen</application></refname>
+    <refpurpose>rndc key generation tool</refpurpose>
+  </refnamediv>
+
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -44,11 +49,6 @@
     </copyright>
   </docinfo>
 
-  <refnamediv>
-    <refname><application>rndc-confgen</application></refname>
-    <refpurpose>rndc key generation tool</refpurpose>
-  </refnamediv>
-
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>rndc-confgen</command>
@@ -67,18 +67,18 @@
 
   <refsect1>
     <title>DESCRIPTION</title>
-    <para>
-        <command>rndc-confgen</command> generates configuration files
-	for <command>rndc</command>.  It can be used as a
-        convenient alternative to writing the
-        <filename>rndc.conf</filename> file
-        and the corresponding <command>controls</command>
-        and <command>key</command>
-	statements in <filename>named.conf</filename> by hand.
-        Alternatively, it can be run with the <command>-a</command>
-        option to set up a <filename>rndc.key</filename> file and
-        avoid the need for a <filename>rndc.conf</filename> file
-        and a <command>controls</command> statement altogether.
+    <para><command>rndc-confgen</command>
+      generates configuration files
+      for <command>rndc</command>.  It can be used as a
+      convenient alternative to writing the
+      <filename>rndc.conf</filename> file
+      and the corresponding <command>controls</command>
+      and <command>key</command>
+      statements in <filename>named.conf</filename> by hand.
+      Alternatively, it can be run with the <command>-a</command>
+      option to set up a <filename>rndc.key</filename> file and
+      avoid the need for a <filename>rndc.conf</filename> file
+      and a <command>controls</command> statement altogether.
     </para>
 
   </refsect1>
@@ -89,145 +89,152 @@
     <variablelist>
       <varlistentry>
         <term>-a</term>
-	<listitem>
-	  <para>
-	      Do automatic <command>rndc</command> configuration.
-	      This creates a file <filename>rndc.key</filename>
-	      in <filename>/etc</filename> (or whatever
-              <varname>sysconfdir</varname>
-	      was specified as when <acronym>BIND</acronym> was built)
-              that is read by both <command>rndc</command>
-              and <command>named</command> on startup.  The
-	      <filename>rndc.key</filename> file defines a default
-              command channel and authentication key allowing
-	      <command>rndc</command> to communicate with
-	      <command>named</command> on the local host
-	      with no further configuration.  
-	  </para>
-	  <para>
-	      Running <command>rndc-confgen -a</command> allows
-	      BIND 9 and <command>rndc</command> to be used as drop-in
-	      replacements for BIND 8 and <command>ndc</command>,
-	      with no changes to the existing BIND 8
-	      <filename>named.conf</filename> file.
-	  </para>
+        <listitem>
+          <para>
+            Do automatic <command>rndc</command> configuration.
+            This creates a file <filename>rndc.key</filename>
+            in <filename>/etc</filename> (or whatever
+            <varname>sysconfdir</varname>
+            was specified as when <acronym>BIND</acronym> was
+            built)
+            that is read by both <command>rndc</command>
+            and <command>named</command> on startup.  The
+            <filename>rndc.key</filename> file defines a default
+            command channel and authentication key allowing
+            <command>rndc</command> to communicate with
+            <command>named</command> on the local host
+            with no further configuration.
+          </para>
+          <para>
+            Running <command>rndc-confgen -a</command> allows
+            BIND 9 and <command>rndc</command> to be used as
+            drop-in
+            replacements for BIND 8 and <command>ndc</command>,
+            with no changes to the existing BIND 8
+            <filename>named.conf</filename> file.
+          </para>
           <para>
-	      If a more elaborate configuration than that
-	      generated by <command>rndc-confgen -a</command>
-	      is required, for example if rndc is to be used remotely,
-	      you should run <command>rndc-confgen</command> without the
-	      <command>-a</command> option and set up a
-	      <filename>rndc.conf</filename> and
-	      <filename>named.conf</filename>
-	      as directed.
+            If a more elaborate configuration than that
+            generated by <command>rndc-confgen -a</command>
+            is required, for example if rndc is to be used remotely,
+            you should run <command>rndc-confgen</command> without
+            the
+            <command>-a</command> option and set up a
+            <filename>rndc.conf</filename> and
+            <filename>named.conf</filename>
+            as directed.
           </para>
-	</listitem>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-b <replaceable class="parameter">keysize</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the size of the authentication key in bits.
-	       Must be between 1 and 512 bits; the default is 128.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the size of the authentication key in bits.
+            Must be between 1 and 512 bits; the default is 128.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-c <replaceable class="parameter">keyfile</replaceable></term>
-	<listitem>
-	  <para>
-	       Used with the <command>-a</command> option to specify
-	       an alternate location for <filename>rndc.key</filename>.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Used with the <command>-a</command> option to specify
+            an alternate location for <filename>rndc.key</filename>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-h</term>
-	<listitem>
-	  <para>
-	       Prints a short summary of the options and arguments to
-	       <command>rndc-confgen</command>.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Prints a short summary of the options and arguments to
+            <command>rndc-confgen</command>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-k <replaceable class="parameter">keyname</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the key name of the rndc authentication key.
-	       This must be a valid domain name.
-	       The default is <constant>rndc-key</constant>.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the key name of the rndc authentication key.
+            This must be a valid domain name.
+            The default is <constant>rndc-key</constant>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-p <replaceable class="parameter">port</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the command channel port where <command>named</command>
-	       listens for connections from <command>rndc</command>.
-	       The default is 953.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the command channel port where <command>named</command>
+            listens for connections from <command>rndc</command>.
+            The default is 953.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-r <replaceable class="parameter">randomfile</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies a source of random data for generating the
-	       authorization.  If the operating
-	       system does not provide a <filename>/dev/random</filename>
-	       or equivalent device, the default source of randomness
-	       is keyboard input.  <filename>randomdev</filename> specifies
-	       the name of a character device or file containing random
-	       data to be used instead of the default.  The special value
-	       <filename>keyboard</filename> indicates that keyboard
-	       input should be used.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies a source of random data for generating the
+            authorization.  If the operating
+            system does not provide a <filename>/dev/random</filename>
+            or equivalent device, the default source of randomness
+            is keyboard input.  <filename>randomdev</filename>
+            specifies
+            the name of a character device or file containing random
+            data to be used instead of the default.  The special value
+            <filename>keyboard</filename> indicates that keyboard
+            input should be used.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-s <replaceable class="parameter">address</replaceable></term>
-	<listitem>
-	  <para>
-	       Specifies the IP address where <command>named</command>
-	       listens for command channel connections from
-	       <command>rndc</command>.  The default is the loopback
-	       address 127.0.0.1.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Specifies the IP address where <command>named</command>
+            listens for command channel connections from
+            <command>rndc</command>.  The default is the loopback
+            address 127.0.0.1.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-t <replaceable class="parameter">chrootdir</replaceable></term>
-	<listitem>
-	  <para>
-	       Used with the <command>-a</command> option to specify
-	       a directory where <command>named</command> will run
-	       chrooted.  An additional copy of the <filename>rndc.key</filename>
-	       will be written relative to this directory so that
-	       it will be found by the chrooted <command>named</command>.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Used with the <command>-a</command> option to specify
+            a directory where <command>named</command> will run
+            chrooted.  An additional copy of the <filename>rndc.key</filename>
+            will be written relative to this directory so that
+            it will be found by the chrooted <command>named</command>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-u <replaceable class="parameter">user</replaceable></term>
-	<listitem>
-	  <para>
-	       Used with the <command>-a</command> option to set the owner
-	       of the <filename>rndc.key</filename> file generated.  If
-	       <command>-t</command> is also specified only the file in
-	       the chroot area has its owner changed.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Used with the <command>-a</command> option to set the
+            owner
+            of the <filename>rndc.key</filename> file generated.
+            If
+            <command>-t</command> is also specified only the file
+            in
+            the chroot area has its owner changed.
+          </para>
+        </listitem>
       </varlistentry>
 
     </variablelist>
@@ -236,37 +243,31 @@
   <refsect1>
     <title>EXAMPLES</title>
     <para>
-        To allow <command>rndc</command> to be used with
-	no manual configuration, run
+      To allow <command>rndc</command> to be used with
+      no manual configuration, run
     </para>
-    <para>
-        <userinput>rndc-confgen -a</userinput>
+    <para><userinput>rndc-confgen -a</userinput>
     </para>
     <para>
-        To print a sample <filename>rndc.conf</filename> file and
-	corresponding <command>controls</command> and <command>key</command>
-	statements to be manually inserted into <filename>named.conf</filename>,
-	run
+      To print a sample <filename>rndc.conf</filename> file and
+      corresponding <command>controls</command> and <command>key</command>
+      statements to be manually inserted into <filename>named.conf</filename>,
+      run
     </para>
-    <para>
-        <userinput>rndc-confgen</userinput>
+    <para><userinput>rndc-confgen</userinput>
     </para>
   </refsect1>
 
   <refsect1>
     <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>rndc</refentrytitle>
-	<manvolnum>8</manvolnum>
+    <para><citerefentry>
+        <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citerefentry>
-        <refentrytitle>rndc.conf</refentrytitle>
-	<manvolnum>5</manvolnum>
+        <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
       </citerefentry>,
       <citerefentry>
-        <refentrytitle>named</refentrytitle>
-	<manvolnum>8</manvolnum>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
     </para>
@@ -274,14 +275,11 @@
 
   <refsect1>
     <title>AUTHOR</title>
-    <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
     </para>
   </refsect1>
 
-</refentry>
-
-<!--
+</refentry><!--
  - Local variables:
  - mode: sgml
  - End:
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.html b/contrib/bind9/bin/rndc/rndc-confgen.html
index 058cd56..fd40a81 100644
--- a/contrib/bind9/bin/rndc/rndc-confgen.html
+++ b/contrib/bind9/bin/rndc/rndc-confgen.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2001, 2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: rndc-confgen.html,v 1.3.2.5.2.13 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: rndc-confgen.html,v 1.8.18.17 2007/01/30 00:23:44 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="man.rndc-confgen"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
@@ -32,153 +32,156 @@
 <div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549476"></a><h2>DESCRIPTION</h2>
-<p>
-        <span><strong class="command">rndc-confgen</strong></span> generates configuration files
-	for <span><strong class="command">rndc</strong></span>.  It can be used as a
-        convenient alternative to writing the
-        <code class="filename">rndc.conf</code> file
-        and the corresponding <span><strong class="command">controls</strong></span>
-        and <span><strong class="command">key</strong></span>
-	statements in <code class="filename">named.conf</code> by hand.
-        Alternatively, it can be run with the <span><strong class="command">-a</strong></span>
-        option to set up a <code class="filename">rndc.key</code> file and
-        avoid the need for a <code class="filename">rndc.conf</code> file
-        and a <span><strong class="command">controls</strong></span> statement altogether.
+<a name="id2543429"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">rndc-confgen</strong></span>
+      generates configuration files
+      for <span><strong class="command">rndc</strong></span>.  It can be used as a
+      convenient alternative to writing the
+      <code class="filename">rndc.conf</code> file
+      and the corresponding <span><strong class="command">controls</strong></span>
+      and <span><strong class="command">key</strong></span>
+      statements in <code class="filename">named.conf</code> by hand.
+      Alternatively, it can be run with the <span><strong class="command">-a</strong></span>
+      option to set up a <code class="filename">rndc.key</code> file and
+      avoid the need for a <code class="filename">rndc.conf</code> file
+      and a <span><strong class="command">controls</strong></span> statement altogether.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549522"></a><h2>OPTIONS</h2>
+<a name="id2543474"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd>
 <p>
-	      Do automatic <span><strong class="command">rndc</strong></span> configuration.
-	      This creates a file <code class="filename">rndc.key</code>
-	      in <code class="filename">/etc</code> (or whatever
-              <code class="varname">sysconfdir</code>
-	      was specified as when <acronym class="acronym">BIND</acronym> was built)
-              that is read by both <span><strong class="command">rndc</strong></span>
-              and <span><strong class="command">named</strong></span> on startup.  The
-	      <code class="filename">rndc.key</code> file defines a default
-              command channel and authentication key allowing
-	      <span><strong class="command">rndc</strong></span> to communicate with
-	      <span><strong class="command">named</strong></span> on the local host
-	      with no further configuration.  
-	  </p>
+            Do automatic <span><strong class="command">rndc</strong></span> configuration.
+            This creates a file <code class="filename">rndc.key</code>
+            in <code class="filename">/etc</code> (or whatever
+            <code class="varname">sysconfdir</code>
+            was specified as when <acronym class="acronym">BIND</acronym> was
+            built)
+            that is read by both <span><strong class="command">rndc</strong></span>
+            and <span><strong class="command">named</strong></span> on startup.  The
+            <code class="filename">rndc.key</code> file defines a default
+            command channel and authentication key allowing
+            <span><strong class="command">rndc</strong></span> to communicate with
+            <span><strong class="command">named</strong></span> on the local host
+            with no further configuration.
+          </p>
 <p>
-	      Running <span><strong class="command">rndc-confgen -a</strong></span> allows
-	      BIND 9 and <span><strong class="command">rndc</strong></span> to be used as drop-in
-	      replacements for BIND 8 and <span><strong class="command">ndc</strong></span>,
-	      with no changes to the existing BIND 8
-	      <code class="filename">named.conf</code> file.
-	  </p>
+            Running <span><strong class="command">rndc-confgen -a</strong></span> allows
+            BIND 9 and <span><strong class="command">rndc</strong></span> to be used as
+            drop-in
+            replacements for BIND 8 and <span><strong class="command">ndc</strong></span>,
+            with no changes to the existing BIND 8
+            <code class="filename">named.conf</code> file.
+          </p>
 <p>
-	      If a more elaborate configuration than that
-	      generated by <span><strong class="command">rndc-confgen -a</strong></span>
-	      is required, for example if rndc is to be used remotely,
-	      you should run <span><strong class="command">rndc-confgen</strong></span> without the
-	      <span><strong class="command">-a</strong></span> option and set up a
-	      <code class="filename">rndc.conf</code> and
-	      <code class="filename">named.conf</code>
-	      as directed.
+            If a more elaborate configuration than that
+            generated by <span><strong class="command">rndc-confgen -a</strong></span>
+            is required, for example if rndc is to be used remotely,
+            you should run <span><strong class="command">rndc-confgen</strong></span> without
+            the
+            <span><strong class="command">-a</strong></span> option and set up a
+            <code class="filename">rndc.conf</code> and
+            <code class="filename">named.conf</code>
+            as directed.
           </p>
 </dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 <dd><p>
-	       Specifies the size of the authentication key in bits.
-	       Must be between 1 and 512 bits; the default is 128.
-	  </p></dd>
+            Specifies the size of the authentication key in bits.
+            Must be between 1 and 512 bits; the default is 128.
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
 <dd><p>
-	       Used with the <span><strong class="command">-a</strong></span> option to specify
-	       an alternate location for <code class="filename">rndc.key</code>.
-	  </p></dd>
+            Used with the <span><strong class="command">-a</strong></span> option to specify
+            an alternate location for <code class="filename">rndc.key</code>.
+          </p></dd>
 <dt><span class="term">-h</span></dt>
 <dd><p>
-	       Prints a short summary of the options and arguments to
-	       <span><strong class="command">rndc-confgen</strong></span>.
-	  </p></dd>
+            Prints a short summary of the options and arguments to
+            <span><strong class="command">rndc-confgen</strong></span>.
+          </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
 <dd><p>
-	       Specifies the key name of the rndc authentication key.
-	       This must be a valid domain name.
-	       The default is <code class="constant">rndc-key</code>.
-	  </p></dd>
+            Specifies the key name of the rndc authentication key.
+            This must be a valid domain name.
+            The default is <code class="constant">rndc-key</code>.
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
 <dd><p>
-	       Specifies the command channel port where <span><strong class="command">named</strong></span>
-	       listens for connections from <span><strong class="command">rndc</strong></span>.
-	       The default is 953.
-	  </p></dd>
+            Specifies the command channel port where <span><strong class="command">named</strong></span>
+            listens for connections from <span><strong class="command">rndc</strong></span>.
+            The default is 953.
+          </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
 <dd><p>
-	       Specifies a source of random data for generating the
-	       authorization.  If the operating
-	       system does not provide a <code class="filename">/dev/random</code>
-	       or equivalent device, the default source of randomness
-	       is keyboard input.  <code class="filename">randomdev</code> specifies
-	       the name of a character device or file containing random
-	       data to be used instead of the default.  The special value
-	       <code class="filename">keyboard</code> indicates that keyboard
-	       input should be used.
-	  </p></dd>
+            Specifies a source of random data for generating the
+            authorization.  If the operating
+            system does not provide a <code class="filename">/dev/random</code>
+            or equivalent device, the default source of randomness
+            is keyboard input.  <code class="filename">randomdev</code>
+            specifies
+            the name of a character device or file containing random
+            data to be used instead of the default.  The special value
+            <code class="filename">keyboard</code> indicates that keyboard
+            input should be used.
+          </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
 <dd><p>
-	       Specifies the IP address where <span><strong class="command">named</strong></span>
-	       listens for command channel connections from
-	       <span><strong class="command">rndc</strong></span>.  The default is the loopback
-	       address 127.0.0.1.
-	  </p></dd>
+            Specifies the IP address where <span><strong class="command">named</strong></span>
+            listens for command channel connections from
+            <span><strong class="command">rndc</strong></span>.  The default is the loopback
+            address 127.0.0.1.
+          </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
 <dd><p>
-	       Used with the <span><strong class="command">-a</strong></span> option to specify
-	       a directory where <span><strong class="command">named</strong></span> will run
-	       chrooted.  An additional copy of the <code class="filename">rndc.key</code>
-	       will be written relative to this directory so that
-	       it will be found by the chrooted <span><strong class="command">named</strong></span>.
-	  </p></dd>
+            Used with the <span><strong class="command">-a</strong></span> option to specify
+            a directory where <span><strong class="command">named</strong></span> will run
+            chrooted.  An additional copy of the <code class="filename">rndc.key</code>
+            will be written relative to this directory so that
+            it will be found by the chrooted <span><strong class="command">named</strong></span>.
+          </p></dd>
 <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
 <dd><p>
-	       Used with the <span><strong class="command">-a</strong></span> option to set the owner
-	       of the <code class="filename">rndc.key</code> file generated.  If
-	       <span><strong class="command">-t</strong></span> is also specified only the file in
-	       the chroot area has its owner changed.
-	  </p></dd>
+            Used with the <span><strong class="command">-a</strong></span> option to set the
+            owner
+            of the <code class="filename">rndc.key</code> file generated.
+            If
+            <span><strong class="command">-t</strong></span> is also specified only the file
+            in
+            the chroot area has its owner changed.
+          </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549972"></a><h2>EXAMPLES</h2>
+<a name="id2543787"></a><h2>EXAMPLES</h2>
 <p>
-        To allow <span><strong class="command">rndc</strong></span> to be used with
-	no manual configuration, run
+      To allow <span><strong class="command">rndc</strong></span> to be used with
+      no manual configuration, run
     </p>
-<p>
-        <strong class="userinput"><code>rndc-confgen -a</code></strong>
+<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
     </p>
 <p>
-        To print a sample <code class="filename">rndc.conf</code> file and
-	corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span>
-	statements to be manually inserted into <code class="filename">named.conf</code>,
-	run
+      To print a sample <code class="filename">rndc.conf</code> file and
+      corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span>
+      statements to be manually inserted into <code class="filename">named.conf</code>,
+      run
     </p>
-<p>
-        <strong class="userinput"><code>rndc-confgen</code></strong>
+<p><strong class="userinput"><code>rndc-confgen</code></strong>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550016"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+<a name="id2543829"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550058"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
+<a name="id2543867"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div></body>
diff --git a/contrib/bind9/bin/rndc/rndc.8 b/contrib/bind9/bin/rndc/rndc.8
index 04bd133..11e0c2d 100644
--- a/contrib/bind9/bin/rndc/rndc.8
+++ b/contrib/bind9/bin/rndc/rndc.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.8,v 1.24.206.6 2006/06/29 13:02:30 marka Exp $
+.\" $Id: rndc.8,v 1.26.18.12 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: rndc
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: June 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -33,7 +33,7 @@
 rndc \- name server control utility
 .SH "SYNOPSIS"
 .HP 5
-\fBrndc\fR [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-k\ \fR\fB\fIkey\-file\fR\fR] [\fB\-s\ \fR\fB\fIserver\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-V\fR] [\fB\-y\ \fR\fB\fIkey_id\fR\fR] {command}
+\fBrndc\fR [\fB\-b\ \fR\fB\fIsource\-address\fR\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-k\ \fR\fB\fIkey\-file\fR\fR] [\fB\-s\ \fR\fB\fIserver\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-V\fR] [\fB\-y\ \fR\fB\fIkey_id\fR\fR] {command}
 .SH "DESCRIPTION"
 .PP
 \fBrndc\fR
@@ -53,14 +53,24 @@ named the only supported authentication algorithm is HMAC\-MD5, which uses a sha
 \fBrndc\fR
 reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
 .SH "OPTIONS"
-.TP 3n
+.PP
+\-b \fIsource\-address\fR
+.RS 4
+Use
+\fIsource\-address\fR
+as the source address for the connection to the server. Multiple instances are permitted to allow setting of both the IPv4 and IPv6 source addresses.
+.RE
+.PP
 \-c \fIconfig\-file\fR
+.RS 4
 Use
 \fIconfig\-file\fR
 as the configuration file instead of the default,
 \fI/etc/rndc.conf\fR.
-.TP 3n
+.RE
+.PP
 \-k \fIkey\-file\fR
+.RS 4
 Use
 \fIkey\-file\fR
 as the key file instead of the default,
@@ -69,21 +79,29 @@ as the key file instead of the default,
 will be used to authenticate commands sent to the server if the
 \fIconfig\-file\fR
 does not exist.
-.TP 3n
+.RE
+.PP
 \-s \fIserver\fR
+.RS 4
 \fIserver\fR
 is the name or address of the server which matches a server statement in the configuration file for
 \fBrndc\fR. If no server is supplied on the command line, the host named by the default\-server clause in the option statement of the configuration file will be used.
-.TP 3n
+.RE
+.PP
 \-p \fIport\fR
+.RS 4
 Send commands to TCP port
 \fIport\fR
 instead of BIND 9's default control channel port, 953.
-.TP 3n
+.RE
+.PP
 \-V
+.RS 4
 Enable verbose logging.
-.TP 3n
+.RE
+.PP
 \-y \fIkeyid\fR
+.RS 4
 Use the key
 \fIkeyid\fR
 from the configuration file.
@@ -93,6 +111,7 @@ must be known by named with the same algorithm and secret string in order for co
 is specified,
 \fBrndc\fR
 will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default\-key clause of the options statement. Note that the configuration file contains shared secrets which are used to send authenticated control commands to name servers. It should therefore not have general read or write access.
+.RE
 .PP
 For the complete set of commands supported by
 \fBrndc\fR, see the BIND 9 Administrator Reference Manual or run
@@ -121,4 +140,7 @@ BIND 9 Administrator Reference Manual.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/bin/rndc/rndc.c b/contrib/bind9/bin/rndc/rndc.c
index a5e912d..8fd0d8e 100644
--- a/contrib/bind9/bin/rndc/rndc.c
+++ b/contrib/bind9/bin/rndc/rndc.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.c,v 1.77.2.5.2.19 2006/08/04 03:03:08 marka Exp $ */
+/* $Id: rndc.c,v 1.96.18.17 2006/08/04 03:03:41 marka Exp $ */
+
+/*! \file */
 
 /*
  * Principal Author: DCL
@@ -30,6 +32,7 @@
 #include <isc/commandline.h>
 #include <isc/file.h>
 #include <isc/log.h>
+#include <isc/net.h>
 #include <isc/mem.h>
 #include <isc/random.h>
 #include <isc/socket.h>
@@ -50,6 +53,8 @@
 #include <isccc/types.h>
 #include <isccc/util.h>
 
+#include <dns/name.h>
+
 #include <bind9/getaddresses.h>
 
 #include "util.h"
@@ -64,6 +69,8 @@ static const char *admin_keyfile;
 static const char *version = VERSION;
 static const char *servername = NULL;
 static isc_sockaddr_t serveraddrs[SERVERADDRS];
+static isc_sockaddr_t local4, local6;
+static isc_boolean_t local4set = ISC_FALSE, local6set = ISC_FALSE;
 static int nserveraddrs;
 static int currentaddr = 0;
 static unsigned int remoteport = 0;
@@ -97,10 +104,14 @@ command is one of the following:\n\
 		Schedule immediate maintenance for a zone.\n\
   retransfer zone [class [view]]\n\
 		Retransfer a single zone without checking serial number.\n\
+  freeze	Suspend updates to all dynamic zones.\n\
   freeze zone [class [view]]\n\
   		Suspend updates to a dynamic zone.\n\
+  thaw		Enable updates to all dynamic zones and reload them.\n\
   thaw zone [class [view]]\n\
   		Enable updates to a frozen dynamic zone and reload it.\n\
+  notify zone [class [view]]\n\
+		Resend NOTIFY messages for the zone.\n\
   reconfig	Reload configuration file and new zones only.\n\
   stats		Write server statistics to the statistics file.\n\
   querylog	Toggle query logging.\n\
@@ -121,6 +132,8 @@ command is one of the following:\n\
 		Flush the given name from the server's cache(s)\n\
   status	Display status of the server.\n\
   recursing	Dump the queries that are currently recursing (named.recursing)\n\
+  validation newstate [view]\n\
+		Enable / disable DNSSEC validation.\n\
   *restart	Restart the server.\n\
 \n\
 * == not yet implemented\n\
@@ -133,11 +146,20 @@ Version: %s\n",
 static void
 get_addresses(const char *host, in_port_t port) {
 	isc_result_t result;
-
-	isc_app_block();
-	result = bind9_getaddresses(servername, port,
-				    serveraddrs, SERVERADDRS, &nserveraddrs);
-	isc_app_unblock();
+	int found = 0, count;
+
+	if (*host == '/') {
+		result = isc_sockaddr_frompath(&serveraddrs[nserveraddrs],
+					       host);
+		if (result == ISC_R_SUCCESS)
+			nserveraddrs++; 
+	} else {
+		count = SERVERADDRS - nserveraddrs;
+		result = bind9_getaddresses(host, port,
+					    &serveraddrs[nserveraddrs],
+					    count, &found);
+		nserveraddrs += found;
+	}
 	if (result != ISC_R_SUCCESS)
 		fatal("couldn't get address for '%s': %s",
 		      host, isc_result_totext(result));
@@ -174,10 +196,12 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
 
 	if (ccmsg.result == ISC_R_EOF)
 		fatal("connection to remote host closed\n"
-		      "This may indicate that the remote server is using "
-		      "an older version of \n"
-		      "the command protocol, this host is not authorized "
-		      "to connect,\nor the key is invalid.");
+		      "This may indicate that\n"
+		      "* the remote server is using an older version of"
+		      " the command protocol,\n"
+		      "* this host is not authorized to connect,\n"
+		      "* the clocks are not syncronized, or\n"
+		      "* the key is invalid.");
 
 	if (ccmsg.result != ISC_R_SUCCESS)
 		fatal("recv failed: %s", isc_result_totext(ccmsg.result));
@@ -235,10 +259,12 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
 
 	if (ccmsg.result == ISC_R_EOF)
 		fatal("connection to remote host closed\n"
-		      "This may indicate that the remote server is using "
-		      "an older version of \n"
-		      "the command protocol, this host is not authorized "
-		      "to connect,\nor the key is invalid.");
+		      "This may indicate that\n"
+		      "* the remote server is using an older version of"
+		      " the command protocol,\n"
+		      "* this host is not authorized to connect,\n"
+		      "* the clocks are not syncronized, or\n"
+		      "* the key is invalid.");
 
 	if (ccmsg.result != ISC_R_SUCCESS)
 		fatal("recv failed: %s", isc_result_totext(ccmsg.result));
@@ -357,6 +383,8 @@ rndc_connected(isc_task_t *task, isc_event_t *event) {
 static void
 rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task) {
 	isc_result_t result;
+	int pf;
+	isc_sockettype_t type;
 
 	char socktext[ISC_SOCKADDR_FORMATSIZE];
 
@@ -364,9 +392,22 @@ rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task) {
 
 	notify("using server %s (%s)", servername, socktext);
 
-	DO("create socket", isc_socket_create(socketmgr,
-					      isc_sockaddr_pf(addr),
-					      isc_sockettype_tcp, &sock));
+	pf = isc_sockaddr_pf(addr);
+	if (pf == AF_INET || pf == AF_INET6)
+		type = isc_sockettype_tcp;
+	else
+		type = isc_sockettype_unix;
+	DO("create socket", isc_socket_create(socketmgr, pf, type, &sock));
+	switch (isc_sockaddr_pf(addr)) {
+	case AF_INET:
+		DO("bind socket", isc_socket_bind(sock, &local4));
+		break;
+	case AF_INET6:
+		DO("bind socket", isc_socket_bind(sock, &local6));
+		break;
+	default:
+		break;
+	}
 	DO("connect", isc_socket_connect(sock, addr, task, rndc_connected,
 					 NULL));
 	connects++;
@@ -376,8 +417,6 @@ static void
 rndc_start(isc_task_t *task, isc_event_t *event) {
 	isc_event_free(&event);
 
-	get_addresses(servername, (in_port_t) remoteport);
-
 	currentaddr = 0;
 	rndc_startconnect(&serveraddrs[currentaddr], task);
 }
@@ -388,6 +427,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 {
 	isc_result_t result;
 	const char *conffile = admin_conffile;
+	const cfg_obj_t *addresses = NULL;
 	const cfg_obj_t *defkey = NULL;
 	const cfg_obj_t *options = NULL;
 	const cfg_obj_t *servers = NULL;
@@ -398,12 +438,14 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 	const cfg_obj_t *secretobj = NULL;
 	const cfg_obj_t *algorithmobj = NULL;
 	cfg_obj_t *config = NULL;
+	const cfg_obj_t *address = NULL;
 	const cfg_listelt_t *elt;
 	const char *secretstr;
 	const char *algorithm;
 	static char secretarray[1024];
 	const cfg_type_t *conftype = &cfg_type_rndcconf;
 	isc_boolean_t key_only = ISC_FALSE;
+	const cfg_listelt_t *element;
 
 	if (! isc_file_exists(conffile)) {
 		conffile = admin_keyfile;
@@ -521,10 +563,96 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 	if (defport != NULL) {
 		remoteport = cfg_obj_asuint32(defport);
 		if (remoteport > 65535 || remoteport == 0)
-			fatal("port %d out of range", remoteport);
+			fatal("port %u out of range", remoteport);
 	} else if (remoteport == 0)
 		remoteport = NS_CONTROL_PORT;
 
+	if (server != NULL)
+		result = cfg_map_get(server, "addresses", &addresses);
+	else
+		result = ISC_R_NOTFOUND;
+	if (result == ISC_R_SUCCESS) {
+		for (element = cfg_list_first(addresses);
+		     element != NULL;
+		     element = cfg_list_next(element))
+		{
+			isc_sockaddr_t sa;
+
+			address = cfg_listelt_value(element);
+			if (!cfg_obj_issockaddr(address)) {
+				unsigned int myport;
+				const char *name;
+				const cfg_obj_t *obj;
+
+				obj = cfg_tuple_get(address, "name");
+				name = cfg_obj_asstring(obj);
+				obj = cfg_tuple_get(address, "port");
+				if (cfg_obj_isuint32(obj)) {
+					myport = cfg_obj_asuint32(obj);
+					if (myport > ISC_UINT16_MAX ||
+					    myport == 0)
+						fatal("port %u out of range",
+						      myport);
+				} else
+					myport = remoteport;
+				if (nserveraddrs < SERVERADDRS)
+					get_addresses(name, (in_port_t) myport);
+				else
+					fprintf(stderr, "too many address: "
+					        "%s: dropped\n", name);
+				continue;
+			}
+			sa = *cfg_obj_assockaddr(address);
+			if (isc_sockaddr_getport(&sa) == 0)
+				isc_sockaddr_setport(&sa, remoteport);
+			if (nserveraddrs < SERVERADDRS)
+				serveraddrs[nserveraddrs++] = sa;
+			else {
+				char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+				isc_sockaddr_format(&sa, socktext,
+						    sizeof(socktext));
+				fprintf(stderr,
+					"too many address: %s: dropped\n",
+					socktext);
+			}
+		}
+	}
+
+	if (!local4set && server != NULL) {
+		address = NULL;
+		cfg_map_get(server, "source-address", &address);
+		if (address != NULL) {
+			local4 = *cfg_obj_assockaddr(address);
+			local4set = ISC_TRUE;
+		}
+	}
+	if (!local4set && options != NULL) {
+		address = NULL;
+		cfg_map_get(options, "default-source-address", &address);
+		if (address != NULL) {
+			local4 = *cfg_obj_assockaddr(address);
+			local4set = ISC_TRUE;
+		}
+	}
+
+	if (!local6set && server != NULL) {
+		address = NULL;
+		cfg_map_get(server, "source-address-v6", &address);
+		if (address != NULL) {
+			local6 = *cfg_obj_assockaddr(address);
+			local6set = ISC_TRUE;
+		}
+	}
+	if (!local6set && options != NULL) {
+		address = NULL;
+		cfg_map_get(options, "default-source-address-v6", &address);
+		if (address != NULL) {
+			local6 = *cfg_obj_assockaddr(address);
+			local6set = ISC_TRUE;
+		}
+	}
+
 	*configp = config;
 }
 
@@ -540,6 +668,8 @@ main(int argc, char **argv) {
 	cfg_parser_t *pctx = NULL;
 	cfg_obj_t *config = NULL;
 	const char *keyname = NULL;
+	struct in_addr in;
+	struct in6_addr in6;
 	char *p;
 	size_t argslen;
 	int ch;
@@ -553,13 +683,28 @@ main(int argc, char **argv) {
 	admin_conffile = RNDC_CONFFILE;
 	admin_keyfile = RNDC_KEYFILE;
 
+	isc_sockaddr_any(&local4);
+	isc_sockaddr_any6(&local6);
+
 	result = isc_app_start();
 	if (result != ISC_R_SUCCESS)
 		fatal("isc_app_start() failed: %s", isc_result_totext(result));
 
-	while ((ch = isc_commandline_parse(argc, argv, "c:k:Mmp:s:Vy:"))
+	while ((ch = isc_commandline_parse(argc, argv, "b:c:k:Mmp:s:Vy:"))
 	       != -1) {
 		switch (ch) {
+		case 'b':
+			if (inet_pton(AF_INET, isc_commandline_argument,
+				      &in) == 1) {
+				isc_sockaddr_fromin(&local4, &in, 0);
+				local4set = ISC_TRUE;
+			} else if (inet_pton(AF_INET6, isc_commandline_argument,
+					     &in6) == 1) {
+				isc_sockaddr_fromin6(&local6, &in6, 0);
+				local6set = ISC_TRUE;
+			}
+			break;
+
 		case 'c':
 			admin_conffile = isc_commandline_argument;
 			break;
@@ -586,15 +731,19 @@ main(int argc, char **argv) {
 		case 's':
 			servername = isc_commandline_argument;
 			break;
+
 		case 'V':
 			verbose = ISC_TRUE;
 			break;
+
 		case 'y':
 			keyname = isc_commandline_argument;
 			break;
+ 
 		case '?':
 			usage(0);
 			break;
+
 		default:
 			fatal("unexpected error parsing command arguments: "
 			      "got %c\n", ch);
@@ -665,6 +814,9 @@ main(int argc, char **argv) {
 	if (strcmp(command, "restart") == 0)
 		fatal("'%s' is not implemented", command);
 
+	if (nserveraddrs == 0)
+		get_addresses(servername, (in_port_t) remoteport);
+
 	DO("post event", isc_app_onrun(mctx, task, rndc_start, NULL));
 
 	result = isc_app_run();
@@ -686,6 +838,8 @@ main(int argc, char **argv) {
 	isc_mem_put(mctx, args, argslen);
 	isccc_ccmsg_invalidate(&ccmsg);
 
+	dns_name_destroy();
+
 	if (show_final_mem)
 		isc_mem_stats(mctx, stderr);
 
diff --git a/contrib/bind9/bin/rndc/rndc.conf b/contrib/bind9/bin/rndc/rndc.conf
index 1dc5607..e303535 100644
--- a/contrib/bind9/bin/rndc/rndc.conf
+++ b/contrib/bind9/bin/rndc/rndc.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.conf,v 1.7.206.1 2004/03/06 10:21:32 marka Exp $ */
+/* $Id: rndc.conf,v 1.8.18.1 2004/06/18 04:39:39 marka Exp $ */
 
 /*
  * Sample rndc configuration file.
@@ -30,6 +30,17 @@ server localhost {
         key     "key";
 };
 
+key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
+	algorithm hmac-md5;
+	secret "34f88008d07deabbe65bd01f1d233d47";
+};
+
+server "test1" {
+        key "cc64b3d1db63fc88d7cb5d2f9f57d258";
+	port 5353;
+        addresses { 10.53.0.1; };
+};
+
 key "key" {
         algorithm       hmac-md5;
         secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
diff --git a/contrib/bind9/bin/rndc/rndc.conf.5 b/contrib/bind9/bin/rndc/rndc.conf.5
index 3a06a44..ce12151 100644
--- a/contrib/bind9/bin/rndc/rndc.conf.5
+++ b/contrib/bind9/bin/rndc/rndc.conf.5
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.conf.5,v 1.21.206.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: rndc.conf.5,v 1.23.18.13 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: \fIrndc.conf\fR
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: June 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -53,7 +53,7 @@ is much simpler than
 .PP
 The
 \fBoptions\fR
-statement contains three clauses. The
+statement contains five clauses. The
 \fBdefault\-server\fR
 clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to
 \fBrndc\fR. The
@@ -74,14 +74,25 @@ option is provided on the rndc command line, and no
 \fBport\fR
 clause is found in a matching
 \fBserver\fR
-statement, this default port will be used to connect.
+statement, this default port will be used to connect. The
+\fBdefault\-source\-address\fR
+and
+\fBdefault\-source\-address\-v6\fR
+clauses which can be used to set the IPv4 and IPv6 source addresses respectively.
 .PP
 After the
 \fBserver\fR
-keyword, the server statement includes a string which is the hostname or address for a name server. The statement has two possible clauses:
-\fBkey\fR
+keyword, the server statement includes a string which is the hostname or address for a name server. The statement has three possible clauses:
+\fBkey\fR,
+\fBport\fR
 and
-\fBport\fR. The key name must match the name of a key statement in the file. The port number specifies the port to connect to.
+\fBaddresses\fR. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. If an
+\fBaddresses\fR
+clause is supplied these addresses will be used instead of the server name. Each address can take a optional port. If an
+\fBsource\-address\fR
+or
+\fBsource\-address\-v6\fR
+of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively.
 .PP
 The
 \fBkey\fR
@@ -100,27 +111,66 @@ program, also known as
 \fBmmencode\fR
 does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.
 .SH "EXAMPLE"
-.sp
-.RS 3n
+.PP
+.RS 4
 .nf
-    options {
+      options {
         default\-server  localhost;
         default\-key     samplekey;
       };
+.fi
+.RE
+.sp
+.PP
+.RS 4
+.nf
       server localhost {
         key             samplekey;
       };
+.fi
+.RE
+.sp
+.PP
+.RS 4
+.nf
+      server testserver {
+        key		testkey;
+        addresses	{ localhost port 5353; };
+      };
+.fi
+.RE
+.sp
+.PP
+.RS 4
+.nf
       key samplekey {
         algorithm       hmac\-md5;
-        secret          "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
       };
 .fi
 .RE
+.sp
+.PP
+.RS 4
+.nf
+      key testkey {
+        algorithm	hmac\-md5;
+        secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
+      }
+.fi
+.RE
+.sp
 .PP
 In the above example,
 \fBrndc\fR
 will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC\-MD5 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-MD5 secret enclosed in double quotes.
 .PP
+If
+\fBrndc \-s testserver\fR
+is used then
+\fBrndc\fR
+will connect to server on localhost port 5353 using the key testkey.
+.PP
 To generate a random secret with
 \fBrndc\-confgen\fR:
 .PP
@@ -158,4 +208,7 @@ BIND 9 Administrator Reference Manual.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/bin/rndc/rndc.conf.docbook b/contrib/bind9/bin/rndc/rndc.conf.docbook
index 16b9caf..624a235 100644
--- a/contrib/bind9/bin/rndc/rndc.conf.docbook
+++ b/contrib/bind9/bin/rndc/rndc.conf.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,8 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc.conf.docbook,v 1.4.206.4 2005/05/12 21:36:04 sra Exp $ -->
-
-<refentry>
+<!-- $Id: rndc.conf.docbook,v 1.5.18.9 2007/01/29 23:57:20 marka Exp $ -->
+<refentry id="man.rndc.conf">
   <refentryinfo>
     <date>June 30, 2000</date>
   </refentryinfo>
@@ -31,10 +30,16 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
+  <refnamediv>
+    <refname><filename>rndc.conf</filename></refname>
+    <refpurpose>rndc configuration file</refpurpose>
+  </refnamediv>
+
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -44,11 +49,6 @@
     </copyright>
   </docinfo>
 
-  <refnamediv>
-    <refname><filename>rndc.conf</filename></refname>
-    <refpurpose>rndc configuration file</refpurpose>
-  </refnamediv>
-
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>rndc.conf</command>
@@ -57,152 +57,183 @@
 
   <refsect1>
     <title>DESCRIPTION</title>
-    <para>
-        <filename>rndc.conf</filename> is the configuration file
-	for <command>rndc</command>, the BIND 9 name server control
-	utility.  This file has a similar structure and syntax to
-	<filename>named.conf</filename>.  Statements are enclosed
-	in braces and terminated with a semi-colon.  Clauses in
-	the statements are also semi-colon terminated.  The usual
-	comment styles are supported:
-    </para>
-    <para>
-        C style: /* */
-    </para>
-    <para>
-        C++ style: // to end of line
-    </para>
-    <para>
-        Unix style: # to end of line
-    </para>
-    <para>
-        <filename>rndc.conf</filename> is much simpler than
-	<filename>named.conf</filename>.  The file uses three
-	statements: an options statement, a server statement
-	and a key statement.
-    </para>
-    <para>
-        The <option>options</option> statement contains three clauses.
-	The <option>default-server</option> clause is followed by the
-	name or address of a name server.  This host will be used when
-	no name server is given as an argument to
-	<command>rndc</command>.  The <option>default-key</option>
-	clause is followed by the name of a key which is identified by
-	a <option>key</option> statement.  If no
-	<option>keyid</option> is provided on the rndc command line,
-	and no <option>key</option> clause is found in a matching
-	<option>server</option> statement, this default key will be
-	used to authenticate the server's commands and responses.  The
-	<option>default-port</option> clause is followed by the port
-	to connect to on the remote name server.  If no
-	<option>port</option> option is provided on the rndc command
-	line, and no <option>port</option> clause is found in a
-	matching <option>server</option> statement, this default port
-	will be used to connect.
-    </para>
-    <para>
-        After the <option>server</option> keyword, the server statement
-	includes a string which is the hostname or address for a name
-	server.  The statement has two possible clauses:
-	<option>key</option> and <option>port</option>. The key name must
-	match the name of a key statement in the file.  The port number
-	specifies the port to connect to.
-    </para>
-    <para>
-        The <option>key</option> statement begins with an identifying
-	string, the name of the key.  The statement has two clauses.
-	<option>algorithm</option> identifies the encryption algorithm
-	for <command>rndc</command> to use; currently only HMAC-MD5 is
-	supported.  This is followed by a secret clause which contains
-	the base-64 encoding of the algorithm's encryption key.  The
-	base-64 string is enclosed in double quotes.
-    </para>
-    <para>
-        There are two common ways to generate the base-64 string for the
-	secret.  The BIND 9 program <command>rndc-confgen</command> can
-	be used to generate a random key, or the
-	<command>mmencode</command> program, also known as
-	<command>mimencode</command>, can be used to generate a base-64
-	string from known input.  <command>mmencode</command> does not
-	ship with BIND 9 but is available on many systems.  See the
-	EXAMPLE section for sample command lines for each.
+    <para><filename>rndc.conf</filename> is the configuration file
+      for <command>rndc</command>, the BIND 9 name server control
+      utility.  This file has a similar structure and syntax to
+      <filename>named.conf</filename>.  Statements are enclosed
+      in braces and terminated with a semi-colon.  Clauses in
+      the statements are also semi-colon terminated.  The usual
+      comment styles are supported:
+    </para>
+    <para>
+      C style: /* */
+    </para>
+    <para>
+      C++ style: // to end of line
+    </para>
+    <para>
+      Unix style: # to end of line
+    </para>
+    <para><filename>rndc.conf</filename> is much simpler than
+      <filename>named.conf</filename>.  The file uses three
+      statements: an options statement, a server statement
+      and a key statement.
+    </para>
+    <para>
+      The <option>options</option> statement contains five clauses.
+      The <option>default-server</option> clause is followed by the
+      name or address of a name server.  This host will be used when
+      no name server is given as an argument to
+      <command>rndc</command>.  The <option>default-key</option>
+      clause is followed by the name of a key which is identified by
+      a <option>key</option> statement.  If no
+      <option>keyid</option> is provided on the rndc command line,
+      and no <option>key</option> clause is found in a matching
+      <option>server</option> statement, this default key will be
+      used to authenticate the server's commands and responses.  The
+      <option>default-port</option> clause is followed by the port
+      to connect to on the remote name server.  If no
+      <option>port</option> option is provided on the rndc command
+      line, and no <option>port</option> clause is found in a
+      matching <option>server</option> statement, this default port
+      will be used to connect.
+      The <option>default-source-address</option> and
+      <option>default-source-address-v6</option> clauses which
+      can be used to set the IPv4 and IPv6 source addresses
+      respectively.
+    </para>
+    <para>
+      After the <option>server</option> keyword, the server
+      statement includes a string which is the hostname or address
+      for a name server.  The statement has three possible clauses:
+      <option>key</option>, <option>port</option> and
+      <option>addresses</option>. The key name must match the
+      name of a key statement in the file.  The port number
+      specifies the port to connect to.  If an <option>addresses</option>
+      clause is supplied these addresses will be used instead of
+      the server name.  Each address can take a optional port.
+      If an <option>source-address</option> or <option>source-address-v6</option>
+      of supplied then these will be used to specify the IPv4 and IPv6
+      source addresses respectively.
+    </para>
+    <para>
+      The <option>key</option> statement begins with an identifying
+      string, the name of the key.  The statement has two clauses.
+      <option>algorithm</option> identifies the encryption algorithm
+      for <command>rndc</command> to use; currently only HMAC-MD5
+      is
+      supported.  This is followed by a secret clause which contains
+      the base-64 encoding of the algorithm's encryption key.  The
+      base-64 string is enclosed in double quotes.
+    </para>
+    <para>
+      There are two common ways to generate the base-64 string for the
+      secret.  The BIND 9 program <command>rndc-confgen</command>
+      can
+      be used to generate a random key, or the
+      <command>mmencode</command> program, also known as
+      <command>mimencode</command>, can be used to generate a
+      base-64
+      string from known input.  <command>mmencode</command> does
+      not
+      ship with BIND 9 but is available on many systems.  See the
+      EXAMPLE section for sample command lines for each.
     </para>
   </refsect1>
 
   <refsect1>
     <title>EXAMPLE</title>
 
-    <programlisting>
-    options {
+    <para><programlisting>
+      options {
         default-server  localhost;
         default-key     samplekey;
       };
-
+</programlisting>
+    </para>
+    <para><programlisting>
       server localhost {
         key             samplekey;
       };
-
+</programlisting>
+    </para>
+    <para><programlisting>
+      server testserver {
+        key		testkey;
+        addresses	{ localhost port 5353; };
+      };
+</programlisting>
+    </para>
+    <para><programlisting>
       key samplekey {
         algorithm       hmac-md5;
-        secret          "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
       };
+</programlisting>
+    </para>
+    <para><programlisting>
+      key testkey {
+        algorithm	hmac-md5;
+        secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
+      }
     </programlisting>
+    </para>
 
     <para>
-        In the above example, <command>rndc</command> will by default use
-	the server at localhost (127.0.0.1) and the key called samplekey.
-	Commands to the localhost server will use the samplekey key, which
-	must also be defined in the server's configuration file with the
-	same name and secret.  The key statement indicates that samplekey
-	uses the HMAC-MD5 algorithm and its secret clause contains the
-	base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
+      In the above example, <command>rndc</command> will by
+      default use
+      the server at localhost (127.0.0.1) and the key called samplekey.
+      Commands to the localhost server will use the samplekey key, which
+      must also be defined in the server's configuration file with the
+      same name and secret.  The key statement indicates that samplekey
+      uses the HMAC-MD5 algorithm and its secret clause contains the
+      base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
     </para>
     <para>
-        To generate a random secret with <command>rndc-confgen</command>:
+      If <command>rndc -s testserver</command> is used then <command>rndc</command> will
+      connect to server on localhost port 5353 using the key testkey.
     </para>
     <para>
-        <userinput>rndc-confgen</userinput>
+      To generate a random secret with <command>rndc-confgen</command>:
     </para>
-    <para>
-        A complete <filename>rndc.conf</filename> file, including the
-        randomly generated key, will be written to the standard
-        output.  Commented out <option>key</option> and
-        <option>controls</option> statements for
-        <filename>named.conf</filename> are also printed.
+    <para><userinput>rndc-confgen</userinput>
     </para>
     <para>
-        To generate a base-64 secret with <command>mmencode</command>:
+      A complete <filename>rndc.conf</filename> file, including
+      the
+      randomly generated key, will be written to the standard
+      output.  Commented out <option>key</option> and
+      <option>controls</option> statements for
+      <filename>named.conf</filename> are also printed.
     </para>
     <para>
-        <userinput>echo "known plaintext for a secret" | mmencode</userinput>
+      To generate a base-64 secret with <command>mmencode</command>:
+    </para>
+    <para><userinput>echo "known plaintext for a secret" | mmencode</userinput>
     </para>
   </refsect1>
 
   <refsect1>
     <title>NAME SERVER CONFIGURATION</title>
     <para>
-        The name server must be configured to accept rndc connections and
-	to recognize the key specified in the <filename>rndc.conf</filename>
-	file, using the controls statement in <filename>named.conf</filename>.
-	See the sections on the <option>controls</option> statement in the
-	BIND 9 Administrator Reference Manual for details.
+      The name server must be configured to accept rndc connections and
+      to recognize the key specified in the <filename>rndc.conf</filename>
+      file, using the controls statement in <filename>named.conf</filename>.
+      See the sections on the <option>controls</option> statement in the
+      BIND 9 Administrator Reference Manual for details.
     </para>
   </refsect1>
 
   <refsect1>
     <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>rndc</refentrytitle>
-	<manvolnum>8</manvolnum>
+    <para><citerefentry>
+        <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citerefentry>
-        <refentrytitle>rndc-confgen</refentrytitle>
-	<manvolnum>8</manvolnum>
+        <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citerefentry>
-        <refentrytitle>mmencode</refentrytitle>
-	<manvolnum>1</manvolnum>
+        <refentrytitle>mmencode</refentrytitle><manvolnum>1</manvolnum>
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
     </para>
@@ -210,16 +241,12 @@
 
   <refsect1>
     <title>AUTHOR</title>
-    <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
     </para>
   </refsect1>
 
-</refentry>
-
-<!--
+</refentry><!--
  - Local variables:
  - mode: sgml
  - End:
 -->
-
diff --git a/contrib/bind9/bin/rndc/rndc.conf.html b/contrib/bind9/bin/rndc/rndc.conf.html
index fefe616..8e510bd 100644
--- a/contrib/bind9/bin/rndc/rndc.conf.html
+++ b/contrib/bind9/bin/rndc/rndc.conf.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: rndc.conf.html,v 1.5.2.1.4.13 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: rndc.conf.html,v 1.6.18.21 2007/01/30 00:23:44 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="man.rndc.conf"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><code class="filename">rndc.conf</code> &#8212; rndc configuration file</p>
@@ -32,147 +32,185 @@
 <div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549398"></a><h2>DESCRIPTION</h2>
-<p>
-        <code class="filename">rndc.conf</code> is the configuration file
-	for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
-	utility.  This file has a similar structure and syntax to
-	<code class="filename">named.conf</code>.  Statements are enclosed
-	in braces and terminated with a semi-colon.  Clauses in
-	the statements are also semi-colon terminated.  The usual
-	comment styles are supported:
-    </p>
-<p>
-        C style: /* */
-    </p>
-<p>
-        C++ style: // to end of line
-    </p>
-<p>
-        Unix style: # to end of line
-    </p>
-<p>
-        <code class="filename">rndc.conf</code> is much simpler than
-	<code class="filename">named.conf</code>.  The file uses three
-	statements: an options statement, a server statement
-	and a key statement.
-    </p>
-<p>
-        The <code class="option">options</code> statement contains three clauses.
-	The <code class="option">default-server</code> clause is followed by the
-	name or address of a name server.  This host will be used when
-	no name server is given as an argument to
-	<span><strong class="command">rndc</strong></span>.  The <code class="option">default-key</code>
-	clause is followed by the name of a key which is identified by
-	a <code class="option">key</code> statement.  If no
-	<code class="option">keyid</code> is provided on the rndc command line,
-	and no <code class="option">key</code> clause is found in a matching
-	<code class="option">server</code> statement, this default key will be
-	used to authenticate the server's commands and responses.  The
-	<code class="option">default-port</code> clause is followed by the port
-	to connect to on the remote name server.  If no
-	<code class="option">port</code> option is provided on the rndc command
-	line, and no <code class="option">port</code> clause is found in a
-	matching <code class="option">server</code> statement, this default port
-	will be used to connect.
-    </p>
-<p>
-        After the <code class="option">server</code> keyword, the server statement
-	includes a string which is the hostname or address for a name
-	server.  The statement has two possible clauses:
-	<code class="option">key</code> and <code class="option">port</code>. The key name must
-	match the name of a key statement in the file.  The port number
-	specifies the port to connect to.
-    </p>
-<p>
-        The <code class="option">key</code> statement begins with an identifying
-	string, the name of the key.  The statement has two clauses.
-	<code class="option">algorithm</code> identifies the encryption algorithm
-	for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5 is
-	supported.  This is followed by a secret clause which contains
-	the base-64 encoding of the algorithm's encryption key.  The
-	base-64 string is enclosed in double quotes.
-    </p>
-<p>
-        There are two common ways to generate the base-64 string for the
-	secret.  The BIND 9 program <span><strong class="command">rndc-confgen</strong></span> can
-	be used to generate a random key, or the
-	<span><strong class="command">mmencode</strong></span> program, also known as
-	<span><strong class="command">mimencode</strong></span>, can be used to generate a base-64
-	string from known input.  <span><strong class="command">mmencode</strong></span> does not
-	ship with BIND 9 but is available on many systems.  See the
-	EXAMPLE section for sample command lines for each.
+<a name="id2543352"></a><h2>DESCRIPTION</h2>
+<p><code class="filename">rndc.conf</code> is the configuration file
+      for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
+      utility.  This file has a similar structure and syntax to
+      <code class="filename">named.conf</code>.  Statements are enclosed
+      in braces and terminated with a semi-colon.  Clauses in
+      the statements are also semi-colon terminated.  The usual
+      comment styles are supported:
+    </p>
+<p>
+      C style: /* */
+    </p>
+<p>
+      C++ style: // to end of line
+    </p>
+<p>
+      Unix style: # to end of line
+    </p>
+<p><code class="filename">rndc.conf</code> is much simpler than
+      <code class="filename">named.conf</code>.  The file uses three
+      statements: an options statement, a server statement
+      and a key statement.
+    </p>
+<p>
+      The <code class="option">options</code> statement contains five clauses.
+      The <code class="option">default-server</code> clause is followed by the
+      name or address of a name server.  This host will be used when
+      no name server is given as an argument to
+      <span><strong class="command">rndc</strong></span>.  The <code class="option">default-key</code>
+      clause is followed by the name of a key which is identified by
+      a <code class="option">key</code> statement.  If no
+      <code class="option">keyid</code> is provided on the rndc command line,
+      and no <code class="option">key</code> clause is found in a matching
+      <code class="option">server</code> statement, this default key will be
+      used to authenticate the server's commands and responses.  The
+      <code class="option">default-port</code> clause is followed by the port
+      to connect to on the remote name server.  If no
+      <code class="option">port</code> option is provided on the rndc command
+      line, and no <code class="option">port</code> clause is found in a
+      matching <code class="option">server</code> statement, this default port
+      will be used to connect.
+      The <code class="option">default-source-address</code> and
+      <code class="option">default-source-address-v6</code> clauses which
+      can be used to set the IPv4 and IPv6 source addresses
+      respectively.
+    </p>
+<p>
+      After the <code class="option">server</code> keyword, the server
+      statement includes a string which is the hostname or address
+      for a name server.  The statement has three possible clauses:
+      <code class="option">key</code>, <code class="option">port</code> and
+      <code class="option">addresses</code>. The key name must match the
+      name of a key statement in the file.  The port number
+      specifies the port to connect to.  If an <code class="option">addresses</code>
+      clause is supplied these addresses will be used instead of
+      the server name.  Each address can take a optional port.
+      If an <code class="option">source-address</code> or <code class="option">source-address-v6</code>
+      of supplied then these will be used to specify the IPv4 and IPv6
+      source addresses respectively.
+    </p>
+<p>
+      The <code class="option">key</code> statement begins with an identifying
+      string, the name of the key.  The statement has two clauses.
+      <code class="option">algorithm</code> identifies the encryption algorithm
+      for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5
+      is
+      supported.  This is followed by a secret clause which contains
+      the base-64 encoding of the algorithm's encryption key.  The
+      base-64 string is enclosed in double quotes.
+    </p>
+<p>
+      There are two common ways to generate the base-64 string for the
+      secret.  The BIND 9 program <span><strong class="command">rndc-confgen</strong></span>
+      can
+      be used to generate a random key, or the
+      <span><strong class="command">mmencode</strong></span> program, also known as
+      <span><strong class="command">mimencode</strong></span>, can be used to generate a
+      base-64
+      string from known input.  <span><strong class="command">mmencode</strong></span> does
+      not
+      ship with BIND 9 but is available on many systems.  See the
+      EXAMPLE section for sample command lines for each.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549601"></a><h2>EXAMPLE</h2>
+<a name="id2543500"></a><h2>EXAMPLE</h2>
 <pre class="programlisting">
-    options {
+      options {
         default-server  localhost;
         default-key     samplekey;
       };
-
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
       server localhost {
         key             samplekey;
       };
-
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
+      server testserver {
+        key		testkey;
+        addresses	{ localhost port 5353; };
+      };
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
       key samplekey {
         algorithm       hmac-md5;
-        secret          "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
       };
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
+      key testkey {
+        algorithm	hmac-md5;
+        secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
+      }
     </pre>
 <p>
-        In the above example, <span><strong class="command">rndc</strong></span> will by default use
-	the server at localhost (127.0.0.1) and the key called samplekey.
-	Commands to the localhost server will use the samplekey key, which
-	must also be defined in the server's configuration file with the
-	same name and secret.  The key statement indicates that samplekey
-	uses the HMAC-MD5 algorithm and its secret clause contains the
-	base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
     </p>
 <p>
-        To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>:
+      In the above example, <span><strong class="command">rndc</strong></span> will by
+      default use
+      the server at localhost (127.0.0.1) and the key called samplekey.
+      Commands to the localhost server will use the samplekey key, which
+      must also be defined in the server's configuration file with the
+      same name and secret.  The key statement indicates that samplekey
+      uses the HMAC-MD5 algorithm and its secret clause contains the
+      base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
     </p>
 <p>
-        <strong class="userinput"><code>rndc-confgen</code></strong>
+      If <span><strong class="command">rndc -s testserver</strong></span> is used then <span><strong class="command">rndc</strong></span> will
+      connect to server on localhost port 5353 using the key testkey.
     </p>
 <p>
-        A complete <code class="filename">rndc.conf</code> file, including the
-        randomly generated key, will be written to the standard
-        output.  Commented out <code class="option">key</code> and
-        <code class="option">controls</code> statements for
-        <code class="filename">named.conf</code> are also printed.
+      To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>:
+    </p>
+<p><strong class="userinput"><code>rndc-confgen</code></strong>
     </p>
 <p>
-        To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>:
+      A complete <code class="filename">rndc.conf</code> file, including
+      the
+      randomly generated key, will be written to the standard
+      output.  Commented out <code class="option">key</code> and
+      <code class="option">controls</code> statements for
+      <code class="filename">named.conf</code> are also printed.
     </p>
 <p>
-        <strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
+      To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>:
+    </p>
+<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549730"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2543592"></a><h2>NAME SERVER CONFIGURATION</h2>
 <p>
-        The name server must be configured to accept rndc connections and
-	to recognize the key specified in the <code class="filename">rndc.conf</code>
-	file, using the controls statement in <code class="filename">named.conf</code>.
-	See the sections on the <code class="option">controls</code> statement in the
-	BIND 9 Administrator Reference Manual for details.
+      The name server must be configured to accept rndc connections and
+      to recognize the key specified in the <code class="filename">rndc.conf</code>
+      file, using the controls statement in <code class="filename">named.conf</code>.
+      See the sections on the <code class="option">controls</code> statement in the
+      BIND 9 Administrator Reference Manual for details.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549750"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+<a name="id2543613"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549793"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
+<a name="id2543652"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div></body>
diff --git a/contrib/bind9/bin/rndc/rndc.docbook b/contrib/bind9/bin/rndc/rndc.docbook
index afb88f5..5dd2606 100644
--- a/contrib/bind9/bin/rndc/rndc.docbook
+++ b/contrib/bind9/bin/rndc/rndc.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,8 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc.docbook,v 1.7.206.4 2005/05/12 21:36:05 sra Exp $ -->
-
-<refentry>
+<!-- $Id: rndc.docbook,v 1.8.18.8 2007/01/29 23:57:20 marka Exp $ -->
+<refentry id="man.rndc">
   <refentryinfo>
     <date>June 30, 2000</date>
   </refentryinfo>
@@ -31,10 +30,16 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
+  <refnamediv>
+    <refname><application>rndc</application></refname>
+    <refpurpose>name server control utility</refpurpose>
+  </refnamediv>
+
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -44,14 +49,10 @@
     </copyright>
   </docinfo>
 
-  <refnamediv>
-    <refname><application>rndc</application></refname>
-    <refpurpose>name server control utility</refpurpose>
-  </refnamediv>
-
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>rndc</command>
+      <arg><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
       <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
       <arg><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
       <arg><option>-s <replaceable class="parameter">server</replaceable></option></arg>
@@ -64,31 +65,31 @@
 
   <refsect1>
     <title>DESCRIPTION</title>
-    <para>
-        <command>rndc</command> controls the operation of a name
-	server.  It supersedes the <command>ndc</command> utility
-	that was provided in old BIND releases.  If
-	<command>rndc</command> is invoked with no command line
-	options or arguments, it prints a short summary of the
-	supported commands and the available options and their
-	arguments.
+    <para><command>rndc</command>
+      controls the operation of a name
+      server.  It supersedes the <command>ndc</command> utility
+      that was provided in old BIND releases.  If
+      <command>rndc</command> is invoked with no command line
+      options or arguments, it prints a short summary of the
+      supported commands and the available options and their
+      arguments.
     </para>
-    <para>
-        <command>rndc</command> communicates with the name server
-	over a TCP connection, sending commands authenticated with
-	digital signatures.  In the current versions of
-	<command>rndc</command> and <command>named</command> named
-        the only supported authentication algorithm is HMAC-MD5,
-	which uses a shared secret on each end of the connection.
-	This provides TSIG-style authentication for the command
-	request and the name server's response.  All commands sent
-	over the channel must be signed by a key_id known to the
-	server.
+    <para><command>rndc</command>
+      communicates with the name server
+      over a TCP connection, sending commands authenticated with
+      digital signatures.  In the current versions of
+      <command>rndc</command> and <command>named</command> named
+      the only supported authentication algorithm is HMAC-MD5,
+      which uses a shared secret on each end of the connection.
+      This provides TSIG-style authentication for the command
+      request and the name server's response.  All commands sent
+      over the channel must be signed by a key_id known to the
+      server.
     </para>
-    <para>
-        <command>rndc</command> reads a configuration file to
-	determine how to contact the name server and decide what
-	algorithm and key it should use.
+    <para><command>rndc</command>
+      reads a configuration file to
+      determine how to contact the name server and decide what
+      algorithm and key it should use.
     </para>
   </refsect1>
 
@@ -97,85 +98,100 @@
 
     <variablelist>
       <varlistentry>
+        <term>-b <replaceable class="parameter">source-address</replaceable></term>
+        <listitem>
+          <para>
+            Use <replaceable class="parameter">source-address</replaceable>
+            as the source address for the connection to the server.
+            Multiple instances are permitted to allow setting of both
+            the IPv4 and IPv6 source addresses.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-c <replaceable class="parameter">config-file</replaceable></term>
-	<listitem>
-	  <para>
-	      Use <replaceable class="parameter">config-file</replaceable>
-	      as the configuration file instead of the default,
-	      <filename>/etc/rndc.conf</filename>.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Use <replaceable class="parameter">config-file</replaceable>
+            as the configuration file instead of the default,
+            <filename>/etc/rndc.conf</filename>.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-k <replaceable class="parameter">key-file</replaceable></term>
-	<listitem>
-	  <para>
-	      Use <replaceable class="parameter">key-file</replaceable>
-	      as the key file instead of the default,
-	      <filename>/etc/rndc.key</filename>.  The key in
-	      <filename>/etc/rndc.key</filename> will be used to authenticate
-	      commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
-	      does not exist.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Use <replaceable class="parameter">key-file</replaceable>
+            as the key file instead of the default,
+            <filename>/etc/rndc.key</filename>.  The key in
+            <filename>/etc/rndc.key</filename> will be used to
+            authenticate
+            commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
+            does not exist.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-s <replaceable class="parameter">server</replaceable></term>
-	<listitem>
-	  <para>
-	       <replaceable class="parameter">server</replaceable> is
-	       the name or address of the server which matches a
-	       server statement in the configuration file for
-	       <command>rndc</command>.  If no server is supplied on the
-	       command line, the host named by the default-server clause
-	       in the option statement of the configuration file will be
-	       used.
-	  </para>
-	</listitem>
+        <listitem>
+          <para><replaceable class="parameter">server</replaceable> is
+            	       the name or address of the server which matches a
+            server statement in the configuration file for
+            <command>rndc</command>.  If no server is supplied on
+            the
+            command line, the host named by the default-server clause
+            in the option statement of the configuration file will be
+            used.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-p <replaceable class="parameter">port</replaceable></term>
-	<listitem>
-	  <para>
-	       Send commands to TCP port
-	       <replaceable class="parameter">port</replaceable> instead
-	       of BIND 9's default control channel port, 953.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Send commands to TCP port
+            <replaceable class="parameter">port</replaceable>
+            instead
+            of BIND 9's default control channel port, 953.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-V</term>
-	<listitem>
-	  <para>
-	       Enable verbose logging.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Enable verbose logging.
+          </para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-y <replaceable class="parameter">keyid</replaceable></term>
-	<listitem>
-	  <para>
-	       Use the key <replaceable class="parameter">keyid</replaceable>
-	       from the configuration file.
-	       <replaceable class="parameter">keyid</replaceable> must be
-	       known by named with the same algorithm and secret string
-	       in order for control message validation to succeed.
-	       If no <replaceable class="parameter">keyid</replaceable>
-	       is specified, <command>rndc</command> will first look
-	       for a key clause in the server statement of the server
-	       being used, or if no server statement is present for that
-	       host, then the default-key clause of the options statement.
-	       Note that the configuration file contains shared secrets
-	       which are used to send authenticated control commands
-	       to name servers.  It should therefore not have general read
-	       or write access.
-	  </para>
-	</listitem>
+        <listitem>
+          <para>
+            Use the key <replaceable class="parameter">keyid</replaceable>
+            from the configuration file.
+            <replaceable class="parameter">keyid</replaceable>
+            must be
+            known by named with the same algorithm and secret string
+            in order for control message validation to succeed.
+            If no <replaceable class="parameter">keyid</replaceable>
+            is specified, <command>rndc</command> will first look
+            for a key clause in the server statement of the server
+            being used, or if no server statement is present for that
+            host, then the default-key clause of the options statement.
+            Note that the configuration file contains shared secrets
+            which are used to send authenticated control commands
+            to name servers.  It should therefore not have general read
+            or write access.
+          </para>
+        </listitem>
       </varlistentry>
 
     </variablelist>
@@ -183,44 +199,40 @@
     <para>
       For the complete set of commands supported by <command>rndc</command>,
       see the BIND 9 Administrator Reference Manual or run
-      <command>rndc</command> without arguments to see its help message.
+      <command>rndc</command> without arguments to see its help
+      message.
     </para>
 
   </refsect1>
 
   <refsect1>
     <title>LIMITATIONS</title>
-    <para>
-        <command>rndc</command> does not yet support all the commands of
-	the BIND 8 <command>ndc</command> utility.
+    <para><command>rndc</command>
+      does not yet support all the commands of
+      the BIND 8 <command>ndc</command> utility.
     </para>
     <para>
-        There is currently no way to provide the shared secret for a
-        <option>key_id</option> without using the configuration file.
+      There is currently no way to provide the shared secret for a
+      <option>key_id</option> without using the configuration file.
     </para>
     <para>
-        Several error messages could be clearer.
+      Several error messages could be clearer.
     </para>
   </refsect1>
 
   <refsect1>
     <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>rndc.conf</refentrytitle>
-	<manvolnum>5</manvolnum>
+    <para><citerefentry>
+        <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
       </citerefentry>,
       <citerefentry>
-        <refentrytitle>named</refentrytitle>
-	<manvolnum>8</manvolnum>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citerefentry>
-        <refentrytitle>named.conf</refentrytitle>
-	<manvolnum>5</manvolnum>
+        <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
       </citerefentry>
       <citerefentry>
-        <refentrytitle>ndc</refentrytitle>
-	<manvolnum>8</manvolnum>
+        <refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
     </para>
@@ -228,16 +240,12 @@
 
   <refsect1>
     <title>AUTHOR</title>
-    <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
     </para>
   </refsect1>
 
-</refentry>
-
-<!--
+</refentry><!--
  - Local variables:
  - mode: sgml
  - End:
 -->
-
diff --git a/contrib/bind9/bin/rndc/rndc.html b/contrib/bind9/bin/rndc/rndc.html
index 4dfd318..35e949a 100644
--- a/contrib/bind9/bin/rndc/rndc.html
+++ b/contrib/bind9/bin/rndc/rndc.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,132 +14,142 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: rndc.html,v 1.7.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: rndc.html,v 1.8.18.19 2007/01/30 00:23:44 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="man.rndc"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">rndc</span> &#8212; name server control utility</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
+<div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549451"></a><h2>DESCRIPTION</h2>
-<p>
-        <span><strong class="command">rndc</strong></span> controls the operation of a name
-	server.  It supersedes the <span><strong class="command">ndc</strong></span> utility
-	that was provided in old BIND releases.  If
-	<span><strong class="command">rndc</strong></span> is invoked with no command line
-	options or arguments, it prints a short summary of the
-	supported commands and the available options and their
-	arguments.
+<a name="id2543413"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">rndc</strong></span>
+      controls the operation of a name
+      server.  It supersedes the <span><strong class="command">ndc</strong></span> utility
+      that was provided in old BIND releases.  If
+      <span><strong class="command">rndc</strong></span> is invoked with no command line
+      options or arguments, it prints a short summary of the
+      supported commands and the available options and their
+      arguments.
     </p>
-<p>
-        <span><strong class="command">rndc</strong></span> communicates with the name server
-	over a TCP connection, sending commands authenticated with
-	digital signatures.  In the current versions of
-	<span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span> named
-        the only supported authentication algorithm is HMAC-MD5,
-	which uses a shared secret on each end of the connection.
-	This provides TSIG-style authentication for the command
-	request and the name server's response.  All commands sent
-	over the channel must be signed by a key_id known to the
-	server.
+<p><span><strong class="command">rndc</strong></span>
+      communicates with the name server
+      over a TCP connection, sending commands authenticated with
+      digital signatures.  In the current versions of
+      <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span> named
+      the only supported authentication algorithm is HMAC-MD5,
+      which uses a shared secret on each end of the connection.
+      This provides TSIG-style authentication for the command
+      request and the name server's response.  All commands sent
+      over the channel must be signed by a key_id known to the
+      server.
     </p>
-<p>
-        <span><strong class="command">rndc</strong></span> reads a configuration file to
-	determine how to contact the name server and decide what
-	algorithm and key it should use.
+<p><span><strong class="command">rndc</strong></span>
+      reads a configuration file to
+      determine how to contact the name server and decide what
+      algorithm and key it should use.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549492"></a><h2>OPTIONS</h2>
+<a name="id2543448"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
+<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
+<dd><p>
+            Use <em class="replaceable"><code>source-address</code></em>
+            as the source address for the connection to the server.
+            Multiple instances are permitted to allow setting of both
+            the IPv4 and IPv6 source addresses.
+          </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
 <dd><p>
-	      Use <em class="replaceable"><code>config-file</code></em>
-	      as the configuration file instead of the default,
-	      <code class="filename">/etc/rndc.conf</code>.
-	  </p></dd>
+            Use <em class="replaceable"><code>config-file</code></em>
+            as the configuration file instead of the default,
+            <code class="filename">/etc/rndc.conf</code>.
+          </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
 <dd><p>
-	      Use <em class="replaceable"><code>key-file</code></em>
-	      as the key file instead of the default,
-	      <code class="filename">/etc/rndc.key</code>.  The key in
-	      <code class="filename">/etc/rndc.key</code> will be used to authenticate
-	      commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
-	      does not exist.
-	  </p></dd>
+            Use <em class="replaceable"><code>key-file</code></em>
+            as the key file instead of the default,
+            <code class="filename">/etc/rndc.key</code>.  The key in
+            <code class="filename">/etc/rndc.key</code> will be used to
+            authenticate
+            commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
+            does not exist.
+          </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
-<dd><p>
-	       <em class="replaceable"><code>server</code></em> is
-	       the name or address of the server which matches a
-	       server statement in the configuration file for
-	       <span><strong class="command">rndc</strong></span>.  If no server is supplied on the
-	       command line, the host named by the default-server clause
-	       in the option statement of the configuration file will be
-	       used.
-	  </p></dd>
+<dd><p><em class="replaceable"><code>server</code></em> is
+            	       the name or address of the server which matches a
+            server statement in the configuration file for
+            <span><strong class="command">rndc</strong></span>.  If no server is supplied on
+            the
+            command line, the host named by the default-server clause
+            in the option statement of the configuration file will be
+            used.
+          </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
 <dd><p>
-	       Send commands to TCP port
-	       <em class="replaceable"><code>port</code></em> instead
-	       of BIND 9's default control channel port, 953.
-	  </p></dd>
+            Send commands to TCP port
+            <em class="replaceable"><code>port</code></em>
+            instead
+            of BIND 9's default control channel port, 953.
+          </p></dd>
 <dt><span class="term">-V</span></dt>
 <dd><p>
-	       Enable verbose logging.
-	  </p></dd>
+            Enable verbose logging.
+          </p></dd>
 <dt><span class="term">-y <em class="replaceable"><code>keyid</code></em></span></dt>
 <dd><p>
-	       Use the key <em class="replaceable"><code>keyid</code></em>
-	       from the configuration file.
-	       <em class="replaceable"><code>keyid</code></em> must be
-	       known by named with the same algorithm and secret string
-	       in order for control message validation to succeed.
-	       If no <em class="replaceable"><code>keyid</code></em>
-	       is specified, <span><strong class="command">rndc</strong></span> will first look
-	       for a key clause in the server statement of the server
-	       being used, or if no server statement is present for that
-	       host, then the default-key clause of the options statement.
-	       Note that the configuration file contains shared secrets
-	       which are used to send authenticated control commands
-	       to name servers.  It should therefore not have general read
-	       or write access.
-	  </p></dd>
+            Use the key <em class="replaceable"><code>keyid</code></em>
+            from the configuration file.
+            <em class="replaceable"><code>keyid</code></em>
+            must be
+            known by named with the same algorithm and secret string
+            in order for control message validation to succeed.
+            If no <em class="replaceable"><code>keyid</code></em>
+            is specified, <span><strong class="command">rndc</strong></span> will first look
+            for a key clause in the server statement of the server
+            being used, or if no server statement is present for that
+            host, then the default-key clause of the options statement.
+            Note that the configuration file contains shared secrets
+            which are used to send authenticated control commands
+            to name servers.  It should therefore not have general read
+            or write access.
+          </p></dd>
 </dl></div>
 <p>
       For the complete set of commands supported by <span><strong class="command">rndc</strong></span>,
       see the BIND 9 Administrator Reference Manual or run
-      <span><strong class="command">rndc</strong></span> without arguments to see its help message.
+      <span><strong class="command">rndc</strong></span> without arguments to see its help
+      message.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549811"></a><h2>LIMITATIONS</h2>
-<p>
-        <span><strong class="command">rndc</strong></span> does not yet support all the commands of
-	the BIND 8 <span><strong class="command">ndc</strong></span> utility.
+<a name="id2543652"></a><h2>LIMITATIONS</h2>
+<p><span><strong class="command">rndc</strong></span>
+      does not yet support all the commands of
+      the BIND 8 <span><strong class="command">ndc</strong></span> utility.
     </p>
 <p>
-        There is currently no way to provide the shared secret for a
-        <code class="option">key_id</code> without using the configuration file.
+      There is currently no way to provide the shared secret for a
+      <code class="option">key_id</code> without using the configuration file.
     </p>
 <p>
-        Several error messages could be clearer.
+      Several error messages could be clearer.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549840"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
+<a name="id2543678"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>
       <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
@@ -147,9 +157,8 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549892"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
+<a name="id2543725"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div></body>
diff --git a/contrib/bind9/bin/rndc/unix/Makefile.in b/contrib/bind9/bin/rndc/unix/Makefile.in
index 0409a18..6696c23 100644
--- a/contrib/bind9/bin/rndc/unix/Makefile.in
+++ b/contrib/bind9/bin/rndc/unix/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.12.3 2004/03/08 04:04:24 marka Exp $
+# $Id: Makefile.in,v 1.3 2004/03/05 04:58:29 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/bin/rndc/unix/os.c b/contrib/bind9/bin/rndc/unix/os.c
index 1adfdee..f5f6a91 100644
--- a/contrib/bind9/bin/rndc/unix/os.c
+++ b/contrib/bind9/bin/rndc/unix/os.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.5.206.1 2004/03/06 10:21:33 marka Exp $ */
+/* $Id: os.c,v 1.6.18.2 2005/04/29 00:15:41 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/bin/rndc/util.c b/contrib/bind9/bin/rndc/util.c
index 249cbe2..c64add72 100644
--- a/contrib/bind9/bin/rndc/util.c
+++ b/contrib/bind9/bin/rndc/util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: util.c,v 1.2.206.1 2004/03/06 10:21:32 marka Exp $ */
+/* $Id: util.c,v 1.3.18.2 2005/04/29 00:15:40 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/bin/rndc/util.h b/contrib/bind9/bin/rndc/util.h
index 3c19cd4..6414861 100644
--- a/contrib/bind9/bin/rndc/util.h
+++ b/contrib/bind9/bin/rndc/util.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: util.h,v 1.5.206.1 2004/03/06 10:21:32 marka Exp $ */
+/* $Id: util.h,v 1.6.18.2 2005/04/29 00:15:41 marka Exp $ */
 
 #ifndef RNDC_UTIL_H
 #define RNDC_UTIL_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <isc/formatcheck.h>
diff --git a/contrib/bind9/configure.in b/contrib/bind9/configure.in
index 050a272..3e3d743 100644
--- a/contrib/bind9/configure.in
+++ b/contrib/bind9/configure.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -18,10 +18,10 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.294.2.23.2.73 $)
+AC_REVISION($Revision: 1.355.18.67 $)
 
 AC_INIT(lib/dns/name.c)
-AC_PREREQ(2.13)
+AC_PREREQ(2.59)
 
 AC_CONFIG_HEADER(config.h)
 AC_CONFIG_SUBDIRS(lib/bind)
@@ -31,12 +31,20 @@ AC_CANONICAL_HOST
 AC_PROG_MAKE_SET
 AC_PROG_RANLIB
 AC_PROG_INSTALL
+AC_PROG_LN_S
 
 AC_SUBST(STD_CINCLUDES)
 AC_SUBST(STD_CDEFINES)
 AC_SUBST(STD_CWARNINGS)
 AC_SUBST(CCOPT)
 
+#
+# Make very sure that these are the first files processed by
+# config.status, since we use the processed output as the input for
+# AC_SUBST_FILE() subsitutions in other files.
+#
+AC_CONFIG_FILES([make/rules make/includes])
+
 AC_PATH_PROG(AR, ar)
 ARFLAGS="cruv"
 AC_SUBST(AR)
@@ -354,6 +362,7 @@ AC_SUBST(LWRES_PLATFORM_NEEDSYSSELECTH)
 #
 AC_C_BIGENDIAN
 
+
 #
 # was --with-openssl specified?
 #
@@ -466,16 +475,6 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)],
 		[AC_MSG_RESULT(assuming it does work on target platform)]
 		)
 		 
-		AC_CHECK_FUNC(DH_generate_parameters,
-			      AC_DEFINE(HAVE_DH_GENERATE_PARAMETERS, 1,
-					[Define if libcrypto has DH_generate_parameters]))
-		AC_CHECK_FUNC(RSA_generate_key,
-			      AC_DEFINE(HAVE_RSA_GENERATE_KEY, 1,
-					[Define if libcrypto has RSA_generate_key]))
-		AC_CHECK_FUNC(DSA_generate_parameters,
-			      AC_DEFINE(HAVE_DSA_GENERATE_PARAMETERS, 1,
-					[Define if libcrypto has DSA_generate_parameters]))
-
 AC_ARG_ENABLE(openssl-version-check,
 [AC_HELP_STRING([--enable-openssl-version-check],
         [Check OpenSSL Version @<:@default=yes@:>@])])
@@ -995,6 +994,7 @@ case "$enable_libbind" in
 		;;
 esac
 
+
 #
 # Here begins a very long section to determine the system's networking
 # capabilities.  The order of the tests is signficant.
@@ -1687,6 +1687,24 @@ case "$enable_linux_caps" in
 esac
 AC_CHECK_HEADERS(sys/prctl.h)
 
+AC_CHECK_HEADERS(sys/un.h,
+ISC_PLATFORM_HAVESYSUNH="#define ISC_PLATFORM_HAVESYSUNH 1"
+,
+ISC_PLATFORM_HAVESYSUNH="#undef ISC_PLATFORM_HAVESYSUNH"
+)
+AC_SUBST(ISC_PLATFORM_HAVESYSUNH)
+
+case "$host" in
+*-solaris*)
+	AC_DEFINE(NEED_SECURE_DIRECTORY, 1,
+		  [Define if connect does not honour the permission on the UNIX domain socket.])
+	;;
+*-sunos*)
+	AC_DEFINE(NEED_SECURE_DIRECTORY, 1,
+		  [Define if connect does not honour the permission on the UNIX domain socket.])
+	;;
+esac
+
 #
 # Time Zone Stuff
 #
@@ -1873,6 +1891,158 @@ esac
 AC_SUBST(ISC_PLATFORM_HAVEIFNAMETOINDEX)
 
 #
+# Machine architecture dependent features
+#
+AC_ARG_ENABLE(atomic,
+	[  --enable-atomic	enable machine specific atomic operations
+                        [[default=autodetect]]],
+			enable_atomic="$enableval",
+			enable_atomic="autodetect")
+case "$enable_atomic" in
+	yes|''|autodetect)
+		use_atomic=yes
+		;;
+	no)
+		use_atomic=no
+		arch=noatomic
+		;;
+esac
+
+ISC_PLATFORM_USEOSFASM="#undef ISC_PLATFORM_USEOSFASM"
+if test "$use_atomic" = "yes"; then
+	AC_MSG_CHECKING([architecture type for atomic operations])
+	have_atomic=yes		# set default
+	case "$host" in
+	[i[3456]86-*])
+		# XXX: some old x86 architectures actually do not support
+		#      (some of) these operations.  Do we need stricter checks?
+AC_TRY_RUN([
+main() {
+	exit((sizeof(void *) == 8) ? 0 : 1);
+}
+],
+		[arch=x86_64],
+		[arch=x86_32],
+	        [arch=x86_32])
+	;;
+	x86_64-*)
+		arch=x86_64
+	;;
+	alpha*-*)
+		arch=alpha
+	;;
+	powerpc-*)
+		arch=powerpc
+	;;
+	mips-*|mipsel-*|mips64-*|mips64el-*)
+		arch=mips
+	;;
+	ia64-*)
+		arch=ia64
+	;;
+	*)
+		have_atomic=no
+		arch=noatomic
+	;;
+	esac
+	AC_MSG_RESULT($arch)
+fi
+
+if test "$have_atomic" = "yes"; then
+	AC_MSG_CHECKING([compiler support for inline assembly code])
+
+	compiler=generic
+	# Check whether the compiler supports the assembly syntax we provide.
+	if test "X$GCC" = "Xyes"; then
+		# GCC's ASM extension always works
+		compiler=gcc
+		if test $arch = "x86_64"; then
+			# We can share the same code for gcc with x86_32
+			arch=x86_32
+		fi
+		if test $arch = "powerpc"; then
+			#
+			# The MacOS (and maybe others) uses "r0" for register
+			# zero. Under linux/ibm it is "0" for register 0.
+			# Probe to see if we have a MacOS style assembler.
+			#
+			AC_MSG_CHECKING([Checking for MacOS style assembler syntax])
+			AC_TRY_COMPILE(, [
+			__asm__ volatile ("li r0, 0x0\n"::);
+			], [
+			AC_MSG_RESULT(yes)
+			compiler="mac"
+			ISC_PLATFORM_USEMACASM="#define ISC_PLATFORM_USEMACASM 1"
+			], [AC_MSG_RESULT(no)])
+		fi
+	else
+		case "$host" in
+		alpha*-dec-osf*)
+			# Tru64 compiler has its own syntax for inline 
+			# assembly.
+			AC_TRY_COMPILE(, [
+#ifndef __DECC
+#error "unexpected compiler"
+#endif
+				return (0);],
+				[compiler=osf],)
+		;;
+		powerpc-ibm-aix*)
+			compiler=aix
+		;;
+		esac
+	fi
+	case "$compiler" in
+	gcc)
+		ISC_PLATFORM_USEGCCASM="#define ISC_PLATFORM_USEGCCASM 1"
+		;;
+	osf)
+		ISC_PLATFORM_USEOSFASM="#define ISC_PLATFORM_USEOSFASM 1"
+		;;
+	aix)
+		;;
+	mac)
+		;;
+	*)
+		# See if the generic __asm function works.  If not,
+		# we need to disable the atomic operations.
+		AC_TRY_LINK(, [
+					__asm("nop")
+				],
+		[compiler="standard"
+		ISC_PLATFORM_USESTDASM="#define ISC_PLATFORM_USESTDASM 1"],
+		[compiler="not supported (atomic operations disabled)"
+		have_atomic=no
+		arch=noatomic ]);
+		;;
+	esac
+
+	AC_MSG_RESULT($compiler)
+fi
+
+if test "$have_atomic" = "yes"; then
+	ISC_PLATFORM_HAVEXADD="#define ISC_PLATFORM_HAVEXADD 1"
+	ISC_PLATFORM_HAVECMPXCHG="#define ISC_PLATFORM_HAVECMPXCHG 1"
+	ISC_PLATFORM_HAVEATOMICSTORE="#define ISC_PLATFORM_HAVEATOMICSTORE 1"
+else
+	ISC_PLATFORM_HAVEXADD="#undef ISC_PLATFORM_HAVEXADD"
+	ISC_PLATFORM_HAVECMPXCHG="#undef ISC_PLATFORM_HAVECMPXCHG"
+	ISC_PLATFORM_HAVEATOMICSTORE="#undef ISC_PLATFORM_HAVEATOMICSTORE"
+fi
+
+AC_SUBST(ISC_PLATFORM_HAVEXADD)
+AC_SUBST(ISC_PLATFORM_HAVECMPXCHG)
+AC_SUBST(ISC_PLATFORM_HAVEATOMICSTORE)
+
+AC_SUBST(ISC_PLATFORM_USEGCCASM)
+AC_SUBST(ISC_PLATFORM_USEOSFASM)
+AC_SUBST(ISC_PLATFORM_USESTDASM)
+AC_SUBST(ISC_PLATFORM_USEMACASM)
+
+ISC_ARCH_DIR=$arch
+AC_SUBST(ISC_ARCH_DIR)
+
+#
 #  The following sets up how non-blocking i/o is established.
 #  Sunos, cygwin and solaris 2.x (x<5) require special handling.
 #
@@ -1915,6 +2085,13 @@ AC_PATH_PROGS(PDFLATEX, pdflatex, pdflatex)
 AC_SUBST(PDFLATEX)
 
 #
+# Look for w3m
+#
+
+AC_PATH_PROGS(W3M, w3m, w3m)
+AC_SUBST(W3M)
+
+#
 # Look for xsltproc (libxslt)
 #
 
@@ -1980,6 +2157,10 @@ NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_XHTML, docbook/xhtml/docbook.xsl, $docbook_xsl_
 NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_MAN, docbook/manpages/docbook.xsl, $docbook_xsl_trees)
 NOM_PATH_FILE(XSLT_DOCBOOK_CHUNK_HTML, docbook/html/chunk.xsl, $docbook_xsl_trees)
 NOM_PATH_FILE(XSLT_DOCBOOK_CHUNK_XHTML, docbook/xhtml/chunk.xsl, $docbook_xsl_trees)
+NOM_PATH_FILE(XSLT_DOCBOOK_CHUNKTOC_HTML, docbook/html/chunktoc.xsl, $docbook_xsl_trees)
+NOM_PATH_FILE(XSLT_DOCBOOK_CHUNKTOC_XHTML, docbook/xhtml/chunktoc.xsl, $docbook_xsl_trees)
+NOM_PATH_FILE(XSLT_DOCBOOK_MAKETOC_HTML, docbook/html/maketoc.xsl, $docbook_xsl_trees)
+NOM_PATH_FILE(XSLT_DOCBOOK_MAKETOC_XHTML, docbook/xhtml/maketoc.xsl, $docbook_xsl_trees)
 
 #
 # Same dance for db2latex
@@ -2019,6 +2200,82 @@ fi
 AC_SUBST(XSLT_DB2LATEX_ADMONITIONS)
 
 #
+# IDN support
+#
+AC_ARG_WITH(idn,
+	[  --with-idn[=MPREFIX]   enable IDN support using idnkit [default PREFIX]],
+	use_idn="$withval", use_idn="no")
+case "$use_idn" in
+yes)
+	if test X$prefix = XNONE ; then
+		idn_path=/usr/local
+	else
+		idn_path=$prefix
+	fi
+	;;
+no)
+	;;
+*)
+	idn_path="$use_idn"
+	;;
+esac
+
+iconvinc=
+iconvlib=
+AC_ARG_WITH(libiconv,
+	[  --with-libiconv[=IPREFIX]   GNU libiconv are in IPREFIX [default PREFIX]],
+	use_libiconv="$withval", use_libiconv="no")
+case "$use_libiconv" in
+yes)
+	if test X$prefix = XNONE ; then
+		iconvlib="-L/usr/local/lib -R/usr/local/lib -liconv"
+	else
+		iconvlib="-L$prefix/lib -R$prefix/lib -liconv"
+	fi
+	;;
+no)
+	iconvlib=
+	;;
+*)
+	iconvlib="-L$use_libiconv/lib -R$use_libiconv/lib -liconv"
+	;;
+esac
+
+AC_ARG_WITH(iconv,
+	[  --with-iconv[=LIBSPEC]   specify iconv library [default -liconv]],
+	iconvlib="$withval")
+case "$iconvlib" in
+no)
+	iconvlib=
+	;;
+yes)
+	iconvlib=-liconv
+	;;
+esac
+
+AC_ARG_WITH(idnlib,
+	[  --with-idnlib=ARG    specify libidnkit],
+	idnlib="$withval", idnlib="no")
+if test "$idnlib" = yes; then
+	AC_MSG_ERROR([You must specify ARG for --with-idnlib.])
+fi
+
+IDNLIBS=
+if test "$use_idn" != no; then
+	AC_DEFINE(WITH_IDN, 1, [define if idnkit support is to be included.])
+	STD_CINCLUDES="$STD_CINCLUDES -I$idn_path/include"
+	if test "$idnlib" != no; then
+		IDNLIBS="$idnlib $iconvlib"
+	else
+		IDNLIBS="-L$idn_path/lib -lidnkit $iconvlib"
+	fi
+fi
+AC_SUBST(IDNLIBS)
+
+AC_CHECK_HEADERS(locale.h)
+AC_CHECK_FUNCS(setlocale)
+
+#
 # Substitutions
 #
 AC_SUBST(BIND9_TOP_BUILDDIR)
@@ -2074,6 +2331,45 @@ LIBBIND9_API=$srcdir/lib/bind9/api
 AC_SUBST_FILE(LIBLWRES_API)
 LIBLWRES_API=$srcdir/lib/lwres/api
 
+#
+# Configure any DLZ drivers.
+#
+# If config.dlz.in selects one or more DLZ drivers, it will set
+# USE_DLZ to a non-empty value, which will be our clue to
+# enable the DLZ core functions.
+#
+# This section has to come after the libtool stuff because it needs to
+# know how to name the driver object files.
+#
+
+USE_DLZ=""
+DLZ_DRIVER_INCLUDES=""
+DLZ_DRIVER_LIBS=""
+DLZ_DRIVER_SRCS=""
+DLZ_DRIVER_OBJS=""
+
+sinclude(contrib/dlz/config.dlz.in)
+
+AC_MSG_CHECKING(for DLZ)
+
+if test -n "$USE_DLZ"
+then
+	AC_MSG_RESULT(yes)
+	USE_DLZ="-DDLZ $USE_DLZ"
+	DLZ_DRIVER_RULES=contrib/dlz/drivers/rules
+	AC_CONFIG_FILES([$DLZ_DRIVER_RULES])
+else
+	AC_MSG_RESULT(no)
+	DLZ_DRIVER_RULES=/dev/null
+fi
+
+AC_SUBST(USE_DLZ)
+AC_SUBST(DLZ_DRIVER_INCLUDES)
+AC_SUBST(DLZ_DRIVER_LIBS)
+AC_SUBST(DLZ_DRIVER_SRCS)
+AC_SUBST(DLZ_DRIVER_OBJS)
+AC_SUBST_FILE(DLZ_DRIVER_RULES)
+
 if test "$cross_compiling" = "yes"; then
 	if test -z "$BUILD_CC"; then
 		AC_ERROR([BUILD_CC not set])
@@ -2096,9 +2392,23 @@ AC_SUBST(BUILD_CPPFLAGS)
 AC_SUBST(BUILD_LDFLAGS)
 AC_SUBST(BUILD_LIBS)
 
-AC_OUTPUT(
-	make/rules
-	make/includes
+#
+# Commands to run at the end of config.status.
+# Don't just put these into configure, it won't work right if somebody
+# runs config.status directly (which autoconf allows).
+#
+
+AC_CONFIG_COMMANDS(
+	[chmod],
+	[chmod a+x isc-config.sh])
+
+#
+# Files to configure.  These are listed here because we used to
+# specify them as arguments to AC_OUTPUT.  It's (now) ok to move these
+# elsewhere if there's a good reason for doing so.
+#
+
+AC_CONFIG_FILES([
 	Makefile
 	make/Makefile
 	make/mkdep
@@ -2167,14 +2477,19 @@ AC_OUTPUT(
 	doc/Makefile
 	doc/arm/Makefile
 	doc/misc/Makefile
-	doc/xsl/Makefile
 	isc-config.sh
+	doc/xsl/Makefile
 	doc/xsl/isc-docbook-chunk.xsl
 	doc/xsl/isc-docbook-html.xsl
 	doc/xsl/isc-docbook-latex.xsl
 	doc/xsl/isc-manpage.xsl
-)
-chmod a+x isc-config.sh
+])
+
+#
+# Do it
+#
+
+AC_OUTPUT
 
 if test "X$OPENSSL_WARNING" != "X"; then
 cat << \EOF
diff --git a/contrib/bind9/doc/Makefile.in b/contrib/bind9/doc/Makefile.in
index 1e69dab..f307f41 100644
--- a/contrib/bind9/doc/Makefile.in
+++ b/contrib/bind9/doc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.206.3 2005/09/13 00:34:54 marka Exp $
+# $Id: Makefile.in,v 1.5.18.2 2005/07/23 04:35:12 marka Exp $
 
 # This Makefile is a placeholder.  It exists merely to make
 # sure that its directory gets created in the object directory
diff --git a/contrib/bind9/doc/arm/Bv9ARM-book.xml b/contrib/bind9/doc/arm/Bv9ARM-book.xml
index bccb088..17e778d 100644
--- a/contrib/bind9/doc/arm/Bv9ARM-book.xml
+++ b/contrib/bind9/doc/arm/Bv9ARM-book.xml
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,16 +18,16 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.27.2.74 2006/11/14 22:38:53 sra Exp $ -->
-
-<book>
-<title>BIND 9 Administrator Reference Manual</title>
+<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.66 2007/01/29 23:57:20 marka Exp $ -->
+<book xmlns:xi="http://www.w3.org/2001/XInclude">
+  <title>BIND 9 Administrator Reference Manual</title>
 
   <bookinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
       <year>2006</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -40,421 +40,636 @@
   </bookinfo>
 
   <chapter id="Bv9ARM.ch01">
-  <title>Introduction </title>
-  <para>The Internet Domain Name System (<acronym>DNS</acronym>) consists of the syntax
-  to specify the names of entities in the Internet in a hierarchical
-  manner, the rules used for delegating authority over names, and the
-  system implementation that actually maps names to Internet
-  addresses.  <acronym>DNS</acronym> data is maintained in a group of distributed
-  hierarchical databases.</para>
-
-  <sect1>
-    <title>Scope of Document</title>
-
-    <para>The Berkeley Internet Name Domain (<acronym>BIND</acronym>) implements a
-    domain name server for a number of operating systems. This
-    document provides basic information about the installation and
-    care of the Internet Software Consortium (<acronym>ISC</acronym>)
-    <acronym>BIND</acronym> version 9 software package for system
-    administrators.</para>
-
-    <para>This version of the manual corresponds to BIND version 9.3.</para>
-    
-  </sect1>
-  <sect1><title>Organization of This Document</title>
-    <para>In this document, <emphasis>Section 1</emphasis> introduces
-    the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
-    describes resource requirements for running <acronym>BIND</acronym> in various
-    environments. Information in <emphasis>Section 3</emphasis> is
-    <emphasis>task-oriented</emphasis> in its presentation and is
-    organized functionally, to aid in the process of installing the
-    <acronym>BIND</acronym> 9 software. The task-oriented section is followed by
-    <emphasis>Section 4</emphasis>, which contains more advanced
-    concepts that the system administrator may need for implementing
-    certain options. <emphasis>Section 5</emphasis>
-    describes the <acronym>BIND</acronym> 9 lightweight
-    resolver.  The contents of <emphasis>Section 6</emphasis> are
-    organized as in a reference manual to aid in the ongoing
-    maintenance of the software. <emphasis>Section 7
-    </emphasis>addresses security considerations, and
-    <emphasis>Section 8</emphasis> contains troubleshooting help. The
-    main body of the document is followed by several
-    <emphasis>Appendices</emphasis> which contain useful reference
-    information, such as a <emphasis>Bibliography</emphasis> and
-    historic information related to <acronym>BIND</acronym> and the Domain Name
-    System.</para>
-  </sect1>
-  <sect1><title>Conventions Used in This Document</title>
-
-    <para>In this document, we use the following general typographic
-    conventions:</para>
-
-<informaltable>
-        <tgroup cols = "2">
-          <colspec colname = "1" colnum = "1" colwidth = "3.000in"/>
-          <colspec colname = "2" colnum = "2" colwidth = "2.625in"/>
+    <title>Introduction</title>
+    <para>
+      The Internet Domain Name System (<acronym>DNS</acronym>)
+      consists of the syntax
+      to specify the names of entities in the Internet in a hierarchical
+      manner, the rules used for delegating authority over names, and the
+      system implementation that actually maps names to Internet
+      addresses.  <acronym>DNS</acronym> data is maintained in a
+      group of distributed
+      hierarchical databases.
+    </para>
+
+    <sect1>
+      <title>Scope of Document</title>
+
+      <para>
+        The Berkeley Internet Name Domain
+        (<acronym>BIND</acronym>) implements a
+        domain name server for a number of operating systems. This
+        document provides basic information about the installation and
+        care of the Internet Systems Consortium (<acronym>ISC</acronym>)
+        <acronym>BIND</acronym> version 9 software package for
+        system administrators.
+      </para>
+
+      <para>
+        This version of the manual corresponds to BIND version 9.4.
+      </para>
+
+    </sect1>
+    <sect1>
+      <title>Organization of This Document</title>
+      <para>
+        In this document, <emphasis>Section 1</emphasis> introduces
+        the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
+        describes resource requirements for running <acronym>BIND</acronym> in various
+        environments. Information in <emphasis>Section 3</emphasis> is
+        <emphasis>task-oriented</emphasis> in its presentation and is
+        organized functionally, to aid in the process of installing the
+        <acronym>BIND</acronym> 9 software. The task-oriented
+        section is followed by
+        <emphasis>Section 4</emphasis>, which contains more advanced
+        concepts that the system administrator may need for implementing
+        certain options. <emphasis>Section 5</emphasis>
+        describes the <acronym>BIND</acronym> 9 lightweight
+        resolver.  The contents of <emphasis>Section 6</emphasis> are
+        organized as in a reference manual to aid in the ongoing
+        maintenance of the software. <emphasis>Section 7</emphasis> addresses
+        security considerations, and
+        <emphasis>Section 8</emphasis> contains troubleshooting help. The
+        main body of the document is followed by several
+        <emphasis>Appendices</emphasis> which contain useful reference
+        information, such as a <emphasis>Bibliography</emphasis> and
+        historic information related to <acronym>BIND</acronym>
+        and the Domain Name
+        System.
+      </para>
+    </sect1>
+    <sect1>
+      <title>Conventions Used in This Document</title>
+
+      <para>
+        In this document, we use the following general typographic
+        conventions:
+      </para>
+
+      <informaltable>
+        <tgroup cols="2">
+          <colspec colname="1" colnum="1" colwidth="3.000in"/>
+          <colspec colname="2" colnum="2" colwidth="2.625in"/>
           <tbody>
             <row>
-              <entry colname = "1">
-<para><emphasis>To
-describe:</emphasis></para></entry>
-              <entry colname = "2">
-<para><emphasis>We use the style:</emphasis></para></entry>
+              <entry colname="1">
+                <para>
+                  <emphasis>To describe:</emphasis>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  <emphasis>We use the style:</emphasis>
+                </para>
+              </entry>
             </row>
             <row>
-              <entry colname = "1">
-<para>a pathname, filename, URL, hostname,
-mailing list name, or new term or concept</para></entry>
-              <entry colname = "2"><para><filename>Fixed width</filename></para></entry>
+              <entry colname="1">
+                <para>
+                  a pathname, filename, URL, hostname,
+                  mailing list name, or new term or concept
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  <filename>Fixed width</filename>
+                </para>
+              </entry>
             </row>
             <row>
-              <entry colname = "1"><para>literal user
-input</para></entry>
-              <entry colname = "2"><para><userinput>Fixed Width Bold</userinput></para></entry>
+              <entry colname="1">
+                <para>
+                  literal user
+                  input
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  <userinput>Fixed Width Bold</userinput>
+                </para>
+              </entry>
             </row>
             <row>
-              <entry colname = "1"><para>program output</para></entry>
-              <entry colname = "2"><para><computeroutput>Fixed Width</computeroutput></para></entry>
+              <entry colname="1">
+                <para>
+                  program output
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  <computeroutput>Fixed Width</computeroutput>
+                </para>
+              </entry>
             </row>
           </tbody>
         </tgroup>
-</informaltable>
-
-    <para>The following conventions are used in descriptions of the
-<acronym>BIND</acronym> configuration file:<informaltable colsep = "0" frame = "all" rowsep = "0">
-        <tgroup cols = "2" colsep = "0" rowsep = "0"
-                tgroupstyle = "2Level-table">
-          <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "3.000in"/>
-          <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "2.625in"/>
-          <tbody>
-            <row rowsep = "0">
-              <entry colname = "1" colsep = "1" rowsep = "1"><para><emphasis>To
-describe:</emphasis></para></entry>
-              <entry colname = "2" rowsep = "1"><para><emphasis>We use the style:</emphasis></para></entry>
-            </row>
-            <row rowsep = "0">
-              <entry colname = "1" colsep = "1" rowsep = "1"><para>keywords</para></entry>
-              <entry colname = "2" rowsep = "1"><para><literal>Fixed Width</literal></para></entry>
-            </row>
-            <row rowsep = "0">
-              <entry colname = "1" colsep = "1" rowsep = "1"><para>variables</para></entry>
-              <entry colname = "2" rowsep = "1"><para><varname>Fixed Width</varname></para></entry>
-            </row>
-<row rowsep = "0">
-<entry colname = "1" colsep = "1"><para>Optional input</para></entry>
-                <entry colname = "2"><para><optional>Text is enclosed in square brackets</optional></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable></para></sect1>
-<sect1><title>The Domain Name System (<acronym>DNS</acronym>)</title>
-<para>The purpose of this document is to explain the installation
-and upkeep of the <acronym>BIND</acronym> software package, and we
-begin by reviewing the fundamentals of the Domain Name System
-(<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
-</para>
-
-<sect2>
-<title>DNS Fundamentals</title>
-
-<para>The Domain Name System (DNS) is the hierarchical, distributed
-database.  It stores information for mapping Internet host names to IP
-addresses and vice versa, mail routing information, and other data
-used by Internet applications.</para>
-
-<para>Clients look up information in the DNS by calling a
-<emphasis>resolver</emphasis> library, which sends queries to one or
-more <emphasis>name servers</emphasis> and interprets the responses.
-The <acronym>BIND</acronym> 9 software distribution contains a
-name server, <command>named</command>, and two resolver
-libraries, <command>liblwres</command> and <command>libbind</command>.
-</para>
-
-</sect2><sect2>
-<title>Domains and Domain Names</title>
-
-<para>The data stored in the DNS is identified by <emphasis>domain
-names</emphasis> that are organized as a tree according to
-organizational or administrative boundaries. Each node of the tree,
-called a <emphasis>domain</emphasis>, is given a label. The domain name of the
-node is the concatenation of all the labels on the path from the
-node to the <emphasis>root</emphasis> node.  This is represented
-in written form as a string of labels listed from right to left and
-separated by dots. A label need only be unique within its parent
-domain.</para>
-
-<para>For example, a domain name for a host at the
-company <emphasis>Example, Inc.</emphasis> could be
-<literal>mail.example.com</literal>,
-where <literal>com</literal> is the
-top level domain to which
-<literal>ourhost.example.com</literal> belongs,
-<literal>example</literal> is
-a subdomain of <literal>com</literal>, and
-<literal>ourhost</literal> is the
-name of the host.</para>
-
-<para>For administrative purposes, the name space is partitioned into
-areas called <emphasis>zones</emphasis>, each starting at a node and
-extending down to the leaf nodes or to nodes where other zones start.
-The data for each zone is stored in a <emphasis>name
-server</emphasis>, which answers queries about the zone using the
-<emphasis>DNS protocol</emphasis>.
-</para>
-
-<para>The data associated with each domain name is stored in the
-form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
-Some of the supported resource record types are described in
-<xref linkend="types_of_resource_records_and_when_to_use_them"/>.</para>
-
-<para>For more detailed information about the design of the DNS and
-the DNS protocol, please refer to the standards documents listed in
-<xref linkend="rfcs"/>.</para>
-</sect2>
-
-<sect2><title>Zones</title>
-<para>To properly operate a name server, it is important to understand
-the difference between a <emphasis>zone</emphasis>
-and a <emphasis>domain</emphasis>.</para>
-
-<para>As we stated previously, a zone is a point of delegation in
-the <acronym>DNS</acronym> tree. A zone consists of
-those contiguous parts of the domain
-tree for which a name server has complete information and over which
-it has authority. It contains all domain names from a certain point
-downward in the domain tree except those which are delegated to
-other zones. A delegation point is marked by one or more
-<emphasis>NS records</emphasis> in the
-parent zone, which should be matched by equivalent NS records at
-the root of the delegated zone.</para>
-
-<para>For instance, consider the <literal>example.com</literal>
-domain which includes names
-such as <literal>host.aaa.example.com</literal> and
-<literal>host.bbb.example.com</literal> even though
-the <literal>example.com</literal> zone includes
-only delegations for the <literal>aaa.example.com</literal> and
-<literal>bbb.example.com</literal> zones.  A zone can map
-exactly to a single domain, but could also include only part of a
-domain, the rest of which could be delegated to other
-name servers. Every name in the <acronym>DNS</acronym> tree is a
-<emphasis>domain</emphasis>, even if it is
-<emphasis>terminal</emphasis>, that is, has no
-<emphasis>subdomains</emphasis>.  Every subdomain is a domain and
-every domain except the root is also a subdomain. The terminology is
-not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
-gain a complete understanding of this difficult and subtle
-topic.</para>
-
-<para>Though <acronym>BIND</acronym> is called a "domain name server",
-it deals primarily in terms of zones. The master and slave
-declarations in the <filename>named.conf</filename> file specify
-zones, not domains. When you ask some other site if it is willing to
-be a slave server for your <emphasis>domain</emphasis>, you are
-actually asking for slave service for some collection of zones.</para>
-</sect2>
-
-<sect2><title>Authoritative Name Servers</title>
-
-<para>Each zone is served by at least
-one <emphasis>authoritative name server</emphasis>,
-which contains the complete data for the zone.
-To make the DNS tolerant of server and network failures,
-most zones have two or more authoritative servers.
-</para>
-
-<para>Responses from authoritative servers have the "authoritative
-answer" (AA) bit set in the response packets.  This makes them 
-easy to identify when debugging DNS configurations using tools like
-<command>dig</command> (<xref linkend="diagnostic_tools"/>).</para>
-
-<sect3><title>The Primary Master</title>
-
-<para>
-The authoritative server where the master copy of the zone data is maintained is
-called the <emphasis>primary master</emphasis> server, or simply the
-<emphasis>primary</emphasis>.  It loads the zone contents from some
-local file edited by humans or perhaps generated mechanically from
-some other local file which is edited by humans.  This file is called
-the <emphasis>zone file</emphasis> or <emphasis>master file</emphasis>.</para>
-</sect3>
-
-<sect3><title>Slave Servers</title>
-<para>The other authoritative servers, the <emphasis>slave</emphasis>
-servers (also known as <emphasis>secondary</emphasis> servers) load
-the zone contents from another server using a replication process
-known as a <emphasis>zone transfer</emphasis>.  Typically the data are
-transferred directly from the primary master, but it is also possible
-to transfer it from another slave.  In other words, a slave server
-may itself act as a master to a subordinate slave server.</para>
-</sect3>
-
-<sect3><title>Stealth Servers</title>
-
-<para>Usually all of the zone's authoritative servers are listed in 
-NS records in the parent zone.  These NS records constitute
-a <emphasis>delegation</emphasis> of the zone from the parent.
-The authoritative servers are also listed in the zone file itself,
-at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
-of the zone.  You can list servers in the zone's top-level NS
-records that are not in the parent's NS delegation, but you cannot
-list servers in the parent's delegation that are not present at
-the zone's top level.</para>
-
-<para>A <emphasis>stealth server</emphasis> is a server that is
-authoritative for a zone but is not listed in that zone's NS
-records.  Stealth servers can be used for keeping a local copy of a
-zone to speed up access to the zone's records or to make sure that the
-zone is available even if all the "official" servers for the zone are
-inaccessible.</para>
-
-<para>A configuration where the primary master server itself is a
-stealth server is often referred to as a "hidden primary"
-configuration.  One use for this configuration is when the primary master
-is behind a firewall and therefore unable to communicate directly
-with the outside world.</para>
-
-</sect3>
-
-</sect2>
-<sect2>
-
-<title>Caching Name Servers</title>
-
-<para>The resolver libraries provided by most operating systems are 
-<emphasis>stub resolvers</emphasis>, meaning that they are not capable of
-performing the full DNS resolution process by themselves by talking
-directly to the authoritative servers.  Instead, they rely on a local
-name server to perform the resolution on their behalf.  Such a server
-is called a <emphasis>recursive</emphasis> name server; it performs
-<emphasis>recursive lookups</emphasis> for local clients.</para>
-
-<para>To improve performance, recursive servers cache the results of
-the lookups they perform.  Since the processes of recursion and
-caching are intimately connected, the terms
-<emphasis>recursive server</emphasis> and
-<emphasis>caching server</emphasis> are often used synonymously.</para>
-
-<para>The length of time for which a record may be retained in
-the cache of a caching name server is controlled by the 
-Time To Live (TTL) field associated with each resource record.
-</para>
-
-<sect3><title>Forwarding</title>
-
-<para>Even a caching name server does not necessarily perform
-the complete recursive lookup itself.  Instead, it can
-<emphasis>forward</emphasis> some or all of the queries
-that it cannot satisfy from its cache to another caching name server,
-commonly referred to as a <emphasis>forwarder</emphasis>.
-</para>
-
-<para>There may be one or more forwarders,
-and they are queried in turn until the list is exhausted or an answer
-is found. Forwarders are typically used when you do not
-wish all the servers at a given site to interact directly with the rest of
-the Internet servers. A typical scenario would involve a number
-of internal <acronym>DNS</acronym> servers and an Internet firewall. Servers unable
-to pass packets through the firewall would forward to the server
-that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
-on the internal server's behalf. An added benefit of using the forwarding
-feature is that the central machine develops a much more complete
-cache of information that all the clients can take advantage
-of.</para>
-</sect3>
-
-</sect2>
-
-<sect2><title>Name Servers in Multiple Roles</title>
-
-<para>The <acronym>BIND</acronym> name server can simultaneously act as
-a master for some zones, a slave for other zones, and as a caching
-(recursive) server for a set of local clients.</para>
-
-<para>However, since the functions of authoritative name service
-and caching/recursive name service are logically separate, it is
-often advantageous to run them on separate server machines.
-
-A server that only provides authoritative name service
-(an <emphasis>authoritative-only</emphasis> server) can run with
-recursion disabled, improving reliability and security.
-
-A server that is not authoritative for any zones and only provides
-recursive service to local
-clients (a <emphasis>caching-only</emphasis> server)
-does not need to be reachable from the Internet at large and can
-be placed inside a firewall.</para>
-
-    </sect2>
-  </sect1>
-
-</chapter>
-
-<chapter id="Bv9ARM.ch02"><title><acronym>BIND</acronym> Resource Requirements</title>
-
-<sect1>
-<title>Hardware requirements</title>
-
-<para><acronym>DNS</acronym> hardware requirements have traditionally been quite modest.
-For many installations, servers that have been pensioned off from
-active duty have performed admirably as <acronym>DNS</acronym> servers.</para>
-<para>The DNSSEC and IPv6 features of <acronym>BIND</acronym> 9 may prove to be quite
-CPU intensive however, so organizations that make heavy use of these
-features may wish to consider larger systems for these applications.
-<acronym>BIND</acronym> 9 is fully multithreaded, allowing full utilization of
-multiprocessor systems for installations that need it.</para></sect1>
-<sect1><title>CPU Requirements</title>
-<para>CPU requirements for <acronym>BIND</acronym> 9 range from i486-class machines
-for serving of static zones without caching, to enterprise-class
-machines if you intend to process many dynamic updates and DNSSEC
-signed zones, serving many thousands of queries per second.</para></sect1>
-
-<sect1><title>Memory Requirements</title>
-<para>The memory of the server has to be large enough to fit the
-cache and zones loaded off disk.  The <command>max-cache-size</command>
-option can be used to limit the amount of memory used by the cache,
-at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
-traffic. It is still good practice to have enough memory to load
-all zone and cache data into memory &mdash; unfortunately, the best way
-to determine this for a given installation is to watch the name server
-in operation. After a few weeks the server process should reach
-a relatively stable size where entries are expiring from the cache as
-fast as they are being inserted.</para></sect1>
-
-<sect1><title>Name Server Intensive Environment Issues</title>
-<para>For name server intensive environments, there are two alternative
-configurations that may be used. The first is where clients and
-any second-level internal name servers query a main name server, which
-has enough memory to build a large cache. This approach minimizes
-the bandwidth used by external name lookups. The second alternative
-is to set up second-level internal name servers to make queries independently.
-In this configuration, none of the individual machines needs to
-have as much memory or CPU power as in the first alternative, but
-this has the disadvantage of making many more external queries,
-as none of the name servers share their cached data.</para></sect1>
-
-<sect1><title>Supported Operating Systems</title>
-<para>ISC <acronym>BIND</acronym> 9 compiles and runs on a large number
-of Unix-like operating system and on Windows NT / 2000.  For an up-to-date
-list of supported systems, see the README file in the top level directory
-of the BIND 9 source distribution.</para>
-</sect1>
-</chapter>
-
-<chapter id="Bv9ARM.ch03">
-<title>Name Server Configuration</title>
-<para>In this section we provide some suggested configurations along
-with guidelines for their use. We also address the topic of reasonable
-option setting.</para>
-
-<sect1 id="sample_configuration">
-<title>Sample Configurations</title>
-<sect2>
-<title>A Caching-only Name Server</title>
-<para>The following sample configuration is appropriate for a caching-only
-name server for use by clients internal to a corporation.  All queries
-from outside clients are refused using the <command>allow-query</command>
-option.  Alternatively, the same effect could be achieved using suitable
-firewall rules.</para>
+      </informaltable>
+
+      <para>
+        The following conventions are used in descriptions of the
+        <acronym>BIND</acronym> configuration file:<informaltable colsep="0" frame="all" rowsep="0">
+                  <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
+                      <colspec colname="1" colnum="1" colsep="0" colwidth="3.000in"/>
+            <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
+            <tbody>
+              <row rowsep="0">
+                <entry colname="1" colsep="1" rowsep="1">
+                  <para>
+                    <emphasis>To describe:</emphasis>
+                  </para>
+                </entry>
+                <entry colname="2" rowsep="1">
+                  <para>
+                    <emphasis>We use the style:</emphasis>
+                  </para>
+                </entry>
+              </row>
+              <row rowsep="0">
+                <entry colname="1" colsep="1" rowsep="1">
+                  <para>
+                    keywords
+                  </para>
+                </entry>
+                <entry colname="2" rowsep="1">
+                  <para>
+                    <literal>Fixed Width</literal>
+                  </para>
+                </entry>
+              </row>
+              <row rowsep="0">
+                <entry colname="1" colsep="1" rowsep="1">
+                  <para>
+                    variables
+                  </para>
+                </entry>
+                <entry colname="2" rowsep="1">
+                  <para>
+                    <varname>Fixed Width</varname>
+                  </para>
+                </entry>
+              </row>
+              <row rowsep="0">
+                <entry colname="1" colsep="1">
+                  <para>
+                    Optional input
+                  </para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    <optional>Text is enclosed in square brackets</optional>
+                  </para>
+                </entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+      </para>
+    </sect1>
+    <sect1>
+      <title>The Domain Name System (<acronym>DNS</acronym>)</title>
+      <para>
+        The purpose of this document is to explain the installation
+        and upkeep of the <acronym>BIND</acronym> software
+        package, and we
+        begin by reviewing the fundamentals of the Domain Name System
+        (<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
+      </para>
+
+      <sect2>
+        <title>DNS Fundamentals</title>
+
+        <para>
+          The Domain Name System (DNS) is a hierarchical, distributed
+          database.  It stores information for mapping Internet host names to
+          IP
+          addresses and vice versa, mail routing information, and other data
+          used by Internet applications.
+        </para>
+
+        <para>
+          Clients look up information in the DNS by calling a
+          <emphasis>resolver</emphasis> library, which sends queries to one or
+          more <emphasis>name servers</emphasis> and interprets the responses.
+          The <acronym>BIND</acronym> 9 software distribution
+          contains a
+          name server, <command>named</command>, and two resolver
+          libraries, <command>liblwres</command> and <command>libbind</command>.
+        </para>
+
+        </sect2><sect2>
+        <title>Domains and Domain Names</title>
+
+        <para>
+          The data stored in the DNS is identified by <emphasis>domain names</emphasis> that are organized as a tree according to
+          organizational or administrative boundaries. Each node of the tree,
+          called a <emphasis>domain</emphasis>, is given a label. The domain
+          name of the
+          node is the concatenation of all the labels on the path from the
+          node to the <emphasis>root</emphasis> node.  This is represented
+          in written form as a string of labels listed from right to left and
+          separated by dots. A label need only be unique within its parent
+          domain.
+        </para>
+
+        <para>
+          For example, a domain name for a host at the
+          company <emphasis>Example, Inc.</emphasis> could be
+          <literal>ourhost.example.com</literal>,
+          where <literal>com</literal> is the
+          top level domain to which
+          <literal>ourhost.example.com</literal> belongs,
+          <literal>example</literal> is
+          a subdomain of <literal>com</literal>, and
+          <literal>ourhost</literal> is the
+          name of the host.
+        </para>
+
+        <para>
+          For administrative purposes, the name space is partitioned into
+          areas called <emphasis>zones</emphasis>, each starting at a node and
+          extending down to the leaf nodes or to nodes where other zones
+          start.
+          The data for each zone is stored in a <emphasis>name server</emphasis>, which answers queries about the zone using the
+          <emphasis>DNS protocol</emphasis>.
+        </para>
+
+        <para>
+          The data associated with each domain name is stored in the
+          form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
+          Some of the supported resource record types are described in
+          <xref linkend="types_of_resource_records_and_when_to_use_them"/>.
+        </para>
+
+        <para>
+          For more detailed information about the design of the DNS and
+          the DNS protocol, please refer to the standards documents listed in
+          <xref linkend="rfcs"/>.
+        </para>
+      </sect2>
+
+      <sect2>
+        <title>Zones</title>
+        <para>
+          To properly operate a name server, it is important to understand
+          the difference between a <emphasis>zone</emphasis>
+          and a <emphasis>domain</emphasis>.
+        </para>
+
+        <para>
+          As stated previously, a zone is a point of delegation in
+          the <acronym>DNS</acronym> tree. A zone consists of
+          those contiguous parts of the domain
+          tree for which a name server has complete information and over which
+          it has authority. It contains all domain names from a certain point
+          downward in the domain tree except those which are delegated to
+          other zones. A delegation point is marked by one or more
+          <emphasis>NS records</emphasis> in the
+          parent zone, which should be matched by equivalent NS records at
+          the root of the delegated zone.
+        </para>
+
+        <para>
+          For instance, consider the <literal>example.com</literal>
+          domain which includes names
+          such as <literal>host.aaa.example.com</literal> and
+          <literal>host.bbb.example.com</literal> even though
+          the <literal>example.com</literal> zone includes
+          only delegations for the <literal>aaa.example.com</literal> and
+          <literal>bbb.example.com</literal> zones.  A zone can
+          map
+          exactly to a single domain, but could also include only part of a
+          domain, the rest of which could be delegated to other
+          name servers. Every name in the <acronym>DNS</acronym>
+          tree is a
+          <emphasis>domain</emphasis>, even if it is
+          <emphasis>terminal</emphasis>, that is, has no
+          <emphasis>subdomains</emphasis>.  Every subdomain is a domain and
+          every domain except the root is also a subdomain. The terminology is
+          not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
+          to
+          gain a complete understanding of this difficult and subtle
+          topic.
+        </para>
+
+        <para>
+          Though <acronym>BIND</acronym> is called a "domain name
+          server",
+          it deals primarily in terms of zones. The master and slave
+          declarations in the <filename>named.conf</filename> file
+          specify
+          zones, not domains. When you ask some other site if it is willing to
+          be a slave server for your <emphasis>domain</emphasis>, you are
+          actually asking for slave service for some collection of zones.
+        </para>
+      </sect2>
+
+      <sect2>
+        <title>Authoritative Name Servers</title>
+
+        <para>
+          Each zone is served by at least
+          one <emphasis>authoritative name server</emphasis>,
+          which contains the complete data for the zone.
+          To make the DNS tolerant of server and network failures,
+          most zones have two or more authoritative servers, on
+          different networks.
+        </para>
+
+        <para>
+          Responses from authoritative servers have the "authoritative
+          answer" (AA) bit set in the response packets.  This makes them
+          easy to identify when debugging DNS configurations using tools like
+          <command>dig</command> (<xref linkend="diagnostic_tools"/>).
+        </para>
+
+        <sect3>
+          <title>The Primary Master</title>
+
+          <para>
+            The authoritative server where the master copy of the zone
+            data is maintained is called the
+	    <emphasis>primary master</emphasis> server, or simply the
+            <emphasis>primary</emphasis>.  Typically it loads the zone
+            contents from some local file edited by humans or perhaps
+            generated mechanically from some other local file which is
+            edited by humans.  This file is called the
+	    <emphasis>zone file</emphasis> or
+	    <emphasis>master file</emphasis>.
+          </para>
+
+	  <para>
+	    In some cases, however, the master file may not be edited
+	    by humans at all, but may instead be the result of
+	    <emphasis>dynamic update</emphasis> operations.
+	  </para>
+        </sect3>
+
+        <sect3>
+          <title>Slave Servers</title>
+          <para>
+            The other authoritative servers, the <emphasis>slave</emphasis>
+            servers (also known as <emphasis>secondary</emphasis> servers)
+            load
+            the zone contents from another server using a replication process
+            known as a <emphasis>zone transfer</emphasis>.  Typically the data
+            are
+            transferred directly from the primary master, but it is also
+            possible
+            to transfer it from another slave.  In other words, a slave server
+            may itself act as a master to a subordinate slave server.
+          </para>
+        </sect3>
+
+        <sect3>
+          <title>Stealth Servers</title>
+
+          <para>
+            Usually all of the zone's authoritative servers are listed in
+            NS records in the parent zone.  These NS records constitute
+            a <emphasis>delegation</emphasis> of the zone from the parent.
+            The authoritative servers are also listed in the zone file itself,
+            at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
+            of the zone.  You can list servers in the zone's top-level NS
+            records that are not in the parent's NS delegation, but you cannot
+            list servers in the parent's delegation that are not present at
+            the zone's top level.
+          </para>
+
+          <para>
+            A <emphasis>stealth server</emphasis> is a server that is
+            authoritative for a zone but is not listed in that zone's NS
+            records.  Stealth servers can be used for keeping a local copy of
+            a
+            zone to speed up access to the zone's records or to make sure that
+            the
+            zone is available even if all the "official" servers for the zone
+            are
+            inaccessible.
+          </para>
+
+          <para>
+            A configuration where the primary master server itself is a
+            stealth server is often referred to as a "hidden primary"
+            configuration.  One use for this configuration is when the primary
+            master
+            is behind a firewall and therefore unable to communicate directly
+            with the outside world.
+          </para>
+
+        </sect3>
+
+      </sect2>
+      <sect2>
+
+        <title>Caching Name Servers</title>
+
+	<!--
+	  - Terminology here is inconsistant.  Probably ought to
+	  - convert to using "recursive name server" everywhere
+	  - with just a note about "caching" terminology.
+	  -->
+
+        <para>
+          The resolver libraries provided by most operating systems are
+          <emphasis>stub resolvers</emphasis>, meaning that they are not
+          capable of
+          performing the full DNS resolution process by themselves by talking
+          directly to the authoritative servers.  Instead, they rely on a
+          local
+          name server to perform the resolution on their behalf.  Such a
+          server
+          is called a <emphasis>recursive</emphasis> name server; it performs
+          <emphasis>recursive lookups</emphasis> for local clients.
+        </para>
+
+        <para>
+          To improve performance, recursive servers cache the results of
+          the lookups they perform.  Since the processes of recursion and
+          caching are intimately connected, the terms
+          <emphasis>recursive server</emphasis> and
+          <emphasis>caching server</emphasis> are often used synonymously.
+        </para>
+
+        <para>
+          The length of time for which a record may be retained in
+          the cache of a caching name server is controlled by the
+          Time To Live (TTL) field associated with each resource record.
+        </para>
+
+        <sect3>
+          <title>Forwarding</title>
+
+          <para>
+            Even a caching name server does not necessarily perform
+            the complete recursive lookup itself.  Instead, it can
+            <emphasis>forward</emphasis> some or all of the queries
+            that it cannot satisfy from its cache to another caching name
+            server,
+            commonly referred to as a <emphasis>forwarder</emphasis>.
+          </para>
+
+          <para>
+            There may be one or more forwarders,
+            and they are queried in turn until the list is exhausted or an
+            answer
+            is found. Forwarders are typically used when you do not
+            wish all the servers at a given site to interact directly with the
+            rest of
+            the Internet servers. A typical scenario would involve a number
+            of internal <acronym>DNS</acronym> servers and an
+            Internet firewall. Servers unable
+            to pass packets through the firewall would forward to the server
+            that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
+            on the internal server's behalf.
+          </para>
+        </sect3>
+
+      </sect2>
+
+      <sect2>
+        <title>Name Servers in Multiple Roles</title>
+
+        <para>
+          The <acronym>BIND</acronym> name server can
+          simultaneously act as
+          a master for some zones, a slave for other zones, and as a caching
+          (recursive) server for a set of local clients.
+        </para>
+
+        <para>
+          However, since the functions of authoritative name service
+          and caching/recursive name service are logically separate, it is
+          often advantageous to run them on separate server machines.
+
+          A server that only provides authoritative name service
+          (an <emphasis>authoritative-only</emphasis> server) can run with
+          recursion disabled, improving reliability and security.
+
+          A server that is not authoritative for any zones and only provides
+          recursive service to local
+          clients (a <emphasis>caching-only</emphasis> server)
+          does not need to be reachable from the Internet at large and can
+          be placed inside a firewall.
+        </para>
+
+      </sect2>
+    </sect1>
+
+  </chapter>
+
+  <chapter id="Bv9ARM.ch02">
+    <title><acronym>BIND</acronym> Resource Requirements</title>
+
+    <sect1>
+      <title>Hardware requirements</title>
+
+      <para>
+        <acronym>DNS</acronym> hardware requirements have
+        traditionally been quite modest.
+        For many installations, servers that have been pensioned off from
+        active duty have performed admirably as <acronym>DNS</acronym> servers.
+      </para>
+      <para>
+        The DNSSEC features of <acronym>BIND</acronym> 9
+        may prove to be quite
+        CPU intensive however, so organizations that make heavy use of these
+        features may wish to consider larger systems for these applications.
+        <acronym>BIND</acronym> 9 is fully multithreaded, allowing
+        full utilization of
+        multiprocessor systems for installations that need it.
+      </para>
+    </sect1>
+    <sect1>
+      <title>CPU Requirements</title>
+      <para>
+        CPU requirements for <acronym>BIND</acronym> 9 range from
+        i486-class machines
+        for serving of static zones without caching, to enterprise-class
+        machines if you intend to process many dynamic updates and DNSSEC
+        signed zones, serving many thousands of queries per second.
+      </para>
+    </sect1>
+
+    <sect1>
+      <title>Memory Requirements</title>
+      <para>
+        The memory of the server has to be large enough to fit the
+        cache and zones loaded off disk.  The <command>max-cache-size</command>
+        option can be used to limit the amount of memory used by the cache,
+        at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
+        traffic.
+        Additionally, if additional section caching
+        (<xref linkend="acache"/>) is enabled,
+        the <command>max-acache-size</command> can be used to
+        limit the amount
+        of memory used by the mechanism.
+        It is still good practice to have enough memory to load
+        all zone and cache data into memory &mdash; unfortunately, the best
+        way
+        to determine this for a given installation is to watch the name server
+        in operation. After a few weeks the server process should reach
+        a relatively stable size where entries are expiring from the cache as
+        fast as they are being inserted.
+      </para>
+      <!--
+        - Add something here about leaving overhead for attacks?
+	- How much overhead?  Percentage?
+        -->
+    </sect1>
+
+    <sect1>
+      <title>Name Server Intensive Environment Issues</title>
+      <para>
+        For name server intensive environments, there are two alternative
+        configurations that may be used. The first is where clients and
+        any second-level internal name servers query a main name server, which
+        has enough memory to build a large cache. This approach minimizes
+        the bandwidth used by external name lookups. The second alternative
+        is to set up second-level internal name servers to make queries
+        independently.
+        In this configuration, none of the individual machines needs to
+        have as much memory or CPU power as in the first alternative, but
+        this has the disadvantage of making many more external queries,
+        as none of the name servers share their cached data.
+      </para>
+    </sect1>
+
+    <sect1>
+      <title>Supported Operating Systems</title>
+      <para>
+        ISC <acronym>BIND</acronym> 9 compiles and runs on a large
+        number
+        of Unix-like operating system and on NT-derived versions of
+        Microsoft Windows such as Windows 2000 and Windows XP.  For an
+        up-to-date
+        list of supported systems, see the README file in the top level
+        directory
+        of the BIND 9 source distribution.
+      </para>
+    </sect1>
+  </chapter>
+
+  <chapter id="Bv9ARM.ch03">
+    <title>Name Server Configuration</title>
+    <para>
+      In this section we provide some suggested configurations along
+      with guidelines for their use.  We suggest reasonable values for
+      certain option settings.
+    </para>
+
+    <sect1 id="sample_configuration">
+      <title>Sample Configurations</title>
+      <sect2>
+        <title>A Caching-only Name Server</title>
+        <para>
+          The following sample configuration is appropriate for a caching-only
+          name server for use by clients internal to a corporation.  All
+          queries
+          from outside clients are refused using the <command>allow-query</command>
+          option.  Alternatively, the same effect could be achieved using
+          suitable
+          firewall rules.
+        </para>
 
 <programlisting>
 // Two corporate subnets we wish to allow queries from.
@@ -470,17 +685,21 @@ zone "0.0.127.in-addr.arpa" {
      notify no;
 };
 </programlisting>
-</sect2>
 
-<sect2>
-<title>An Authoritative-only Name Server</title>
-<para>This sample configuration is for an authoritative-only server
-that is the master server for "<filename>example.com</filename>"
-and a slave for the subdomain "<filename>eng.example.com</filename>".</para>
+      </sect2>
+
+      <sect2>
+        <title>An Authoritative-only Name Server</title>
+        <para>
+          This sample configuration is for an authoritative-only server
+          that is the master server for "<filename>example.com</filename>"
+          and a slave for the subdomain "<filename>eng.example.com</filename>".
+        </para>
 
 <programlisting>
 options {
      directory "/etc/namedb";           // Working directory
+     allow-query-cache { none; };       // Do not allow access to cache
      allow-query { any; };              // This is the default
      recursion no;                      // Do not provide recursive service
 };
@@ -509,415 +728,743 @@ zone "eng.example.com" {
      masters { 192.168.4.12; };
 };
 </programlisting>
-</sect2>
-</sect1>
-
-<sect1>
-<title>Load Balancing</title>
-
-<para>A primitive form of load balancing can be achieved in
-the <acronym>DNS</acronym> by using multiple A records for one name.</para>
-
-<para>For example, if you have three WWW servers with network addresses
-of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
-following means that clients will connect to each machine one third
-of the time:</para>
-
-<informaltable colsep = "0" rowsep = "0">
-<tgroup cols = "5" colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.500in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.750in"/>
-<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.750in"/>
-<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "2.028in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>Name</para></entry>
-<entry colname = "2"><para>TTL</para></entry>
-<entry colname = "3"><para>CLASS</para></entry>
-<entry colname = "4"><para>TYPE</para></entry>
-<entry colname = "5"><para>Resource Record (RR) Data</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>www</literal></para></entry>
-<entry colname = "2"><para><literal>600</literal></para></entry>
-<entry colname = "3"><para><literal>IN</literal></para></entry>
-<entry colname = "4"><para><literal>A</literal></para></entry>
-<entry colname = "5"><para><literal>10.0.0.1</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>600</literal></para></entry>
-<entry colname = "3"><para><literal>IN</literal></para></entry>
-<entry colname = "4"><para><literal>A</literal></para></entry>
-<entry colname = "5"><para><literal>10.0.0.2</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>600</literal></para></entry>
-<entry colname = "3"><para><literal>IN</literal></para></entry>
-<entry colname = "4"><para><literal>A</literal></para></entry>
-<entry colname = "5"><para><literal>10.0.0.3</literal></para></entry>
-          </row>
-        </tbody>
-      </tgroup>
-    </informaltable>
-    <para>When a resolver queries for these records, <acronym>BIND</acronym> will rotate
-    them and respond to the query with the records in a different
-    order.  In the example above, clients will randomly receive
-    records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
-    will use the first record returned and discard the rest.</para>
-    <para>For more detail on ordering responses, check the
-    <command>rrset-order</command> substatement in the
-    <command>options</command> statement, see
-    <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
-    This substatement is not supported in
-    <acronym>BIND</acronym> 9, and only the ordering scheme described above is
-    available.</para>
-
-</sect1>
-
-<sect1>
-<title>Name Server Operations</title>
-
-<sect2>
-<title>Tools for Use With the Name Server Daemon</title>
-<para>There are several indispensable diagnostic, administrative
-and monitoring tools available to the system administrator for controlling
-and debugging the name server daemon. We describe several in this
-section </para>
-<sect3 id="diagnostic_tools">
-<title>Diagnostic Tools</title>
-<para>The <command>dig</command>, <command>host</command>, and
-<command>nslookup</command> programs are all command line tools
-for manually querying name servers.  They differ in style and
-output format.
-</para>
-
-<variablelist>
-<varlistentry>
-<term id="dig"><command>dig</command></term>
-<listitem>
-<para>The domain information groper (<command>dig</command>)
-is the most versatile and complete of these lookup tools.
-It has two modes: simple interactive
-mode for a single query, and batch mode which executes a query for
-each in a list of several query lines. All query options are accessible
-from the command line.</para>
-<cmdsynopsis label="Usage">
-        <command>dig</command>
-        <arg>@<replaceable>server</replaceable></arg>
-        <arg choice="plain"><replaceable>domain</replaceable></arg>
-        <arg><replaceable>query-type</replaceable></arg>
-        <arg><replaceable>query-class</replaceable></arg>
-        <arg>+<replaceable>query-option</replaceable></arg>
-        <arg>-<replaceable>dig-option</replaceable></arg>
-        <arg>%<replaceable>comment</replaceable></arg>
-</cmdsynopsis>
-<para>The usual simple use of dig will take the form</para>
-<simpara><command>dig @server domain query-type query-class</command></simpara>
-<para>For more information and a list of available commands and
-options, see the <command>dig</command> man page.</para>
-</listitem>
-</varlistentry>
-
-<varlistentry>
-<term><command>host</command></term>
-<listitem>
-<para>The <command>host</command> utility emphasizes simplicity
-and ease of use.  By default, it converts
-between host names and Internet addresses, but its functionality
-can be extended with the use of options.</para>
-<cmdsynopsis label="Usage">
-        <command>host</command>
-        <arg>-aCdlrTwv</arg>
-        <arg>-c <replaceable>class</replaceable></arg>
-        <arg>-N <replaceable>ndots</replaceable></arg>
-        <arg>-t <replaceable>type</replaceable></arg>
-        <arg>-W <replaceable>timeout</replaceable></arg>
-        <arg>-R <replaceable>retries</replaceable></arg>
-        <arg choice="plain"><replaceable>hostname</replaceable></arg>
-        <arg><replaceable>server</replaceable></arg>
-</cmdsynopsis>
-<para>For more information and a list of available commands and
-options, see the <command>host</command> man page.</para>
-</listitem>
-</varlistentry>
-
-<varlistentry>
-<term><command>nslookup</command></term>
-<listitem>
-<para><command>nslookup</command> has two modes: interactive
-and non-interactive. Interactive mode allows the user to query name servers
-for information about various hosts and domains or to print a list
-of hosts in a domain. Non-interactive mode is used to print just
-the name and requested information for a host or domain.</para>
-<cmdsynopsis label="Usage">
-        <command>nslookup</command>
-        <arg rep="repeat">-option</arg>
-        <group>
-                <arg><replaceable>host-to-find</replaceable></arg>
-                <arg>- <arg>server</arg></arg>
-        </group>
-</cmdsynopsis>
-<para>Interactive mode is entered when no arguments are given (the
-default name server will be used) or when the first argument is a
-hyphen (`-') and the second argument is the host name or Internet address
-of a name server.</para>
-<para>Non-interactive mode is used when the name or Internet address
-of the host to be looked up is given as the first argument. The
-optional second argument specifies the host name or address of a name server.</para>
-<para>Due to its arcane user interface and frequently inconsistent
-behavior, we do not recommend the use of <command>nslookup</command>.
-Use <command>dig</command> instead.</para>
-</listitem>
-
-</varlistentry>
-</variablelist>
-</sect3>
-
-<sect3 id="admin_tools">
-        <title>Administrative Tools</title>
-        <para>Administrative tools play an integral part in the management
-of a server.</para>
-        <variablelist>
-          <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
-            <term><command>named-checkconf</command></term>
-            <listitem>
-              <para>The <command>named-checkconf</command> program
-              checks the syntax of a <filename>named.conf</filename> file.</para>
-              <cmdsynopsis label="Usage">
-                <command>named-checkconf</command>
-		<arg>-jvz</arg>
-                <arg>-t <replaceable>directory</replaceable></arg>
-                <arg><replaceable>filename</replaceable></arg>
-              </cmdsynopsis>
-            </listitem>
-          </varlistentry>
-          <varlistentry id="named-checkzone" xreflabel="Zone Checking application">
-            <term><command>named-checkzone</command></term>
-            <listitem>
-              <para>The <command>named-checkzone</command> program checks a master file for
-              syntax and consistency.</para>
-              <cmdsynopsis label="Usage">
-                <command>named-checkzone</command>
-                <arg>-djqvD</arg>
-                <arg>-c <replaceable>class</replaceable></arg>
-                <arg>-o <replaceable>output</replaceable></arg>
-                <arg>-t <replaceable>directory</replaceable></arg>
-                <arg>-w <replaceable>directory</replaceable></arg>
-                <arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
-                <arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
-                <arg choice="plain"><replaceable>zone</replaceable></arg>
-                <arg><replaceable>filename</replaceable></arg>
-              </cmdsynopsis>
-            </listitem>
-          </varlistentry>
-          <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
-            <term><command>rndc</command></term>
-            <listitem>
-              <para>The remote name daemon control
-              (<command>rndc</command>) program allows the system
-              administrator to control the operation of a name server.
-              If you run <command>rndc</command> without any options
-              it will display a usage message as follows:</para>
-              <cmdsynopsis label="Usage">
-                <command>rndc</command>
-                <arg>-c <replaceable>config</replaceable></arg>
-                <arg>-s <replaceable>server</replaceable></arg>
-                <arg>-p <replaceable>port</replaceable></arg>
-                <arg>-y <replaceable>key</replaceable></arg>
-                <arg choice="plain"><replaceable>command</replaceable></arg>
-                <arg rep="repeat"><replaceable>command</replaceable></arg>
-              </cmdsynopsis>
-              <para>The <command>command</command> is one of the following:</para>
-
-<variablelist>
-
-   <varlistentry><term><userinput>reload</userinput></term>
-   <listitem><para>Reload configuration file and zones.</para></listitem>
-   </varlistentry>
-
-   <varlistentry><term><userinput>reload <replaceable>zone</replaceable>
-       <optional><replaceable>class</replaceable>
-           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
-   <listitem><para>Reload the given zone.</para></listitem>
-   </varlistentry>
 
-   <varlistentry><term><userinput>refresh <replaceable>zone</replaceable>
-       <optional><replaceable>class</replaceable>
+      </sect2>
+    </sect1>
+
+    <sect1>
+      <title>Load Balancing</title>
+      <!--
+        - Add explanation of why load balancing is fragile at best
+	- and completely pointless in the general case.
+        -->
+
+      <para>
+        A primitive form of load balancing can be achieved in
+        the <acronym>DNS</acronym> by using multiple A records for
+        one name.
+      </para>
+
+      <para>
+        For example, if you have three WWW servers with network addresses
+        of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
+        following means that clients will connect to each machine one third
+        of the time:
+      </para>
+
+      <informaltable colsep="0" rowsep="0">
+        <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="2Level-table">
+          <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
+          <colspec colname="2" colnum="2" colsep="0" colwidth="0.500in"/>
+          <colspec colname="3" colnum="3" colsep="0" colwidth="0.750in"/>
+          <colspec colname="4" colnum="4" colsep="0" colwidth="0.750in"/>
+          <colspec colname="5" colnum="5" colsep="0" colwidth="2.028in"/>
+          <tbody>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  Name
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  TTL
+                </para>
+              </entry>
+              <entry colname="3">
+                <para>
+                  CLASS
+                </para>
+              </entry>
+              <entry colname="4">
+                <para>
+                  TYPE
+                </para>
+              </entry>
+              <entry colname="5">
+                <para>
+                  Resource Record (RR) Data
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <literal>www</literal>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  <literal>600</literal>
+                </para>
+              </entry>
+              <entry colname="3">
+                <para>
+                  <literal>IN</literal>
+                </para>
+              </entry>
+              <entry colname="4">
+                <para>
+                  <literal>A</literal>
+                </para>
+              </entry>
+              <entry colname="5">
+                <para>
+                  <literal>10.0.0.1</literal>
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para/>
+              </entry>
+              <entry colname="2">
+                <para>
+                  <literal>600</literal>
+                </para>
+              </entry>
+              <entry colname="3">
+                <para>
+                  <literal>IN</literal>
+                </para>
+              </entry>
+              <entry colname="4">
+                <para>
+                  <literal>A</literal>
+                </para>
+              </entry>
+              <entry colname="5">
+                <para>
+                  <literal>10.0.0.2</literal>
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para/>
+              </entry>
+              <entry colname="2">
+                <para>
+                  <literal>600</literal>
+                </para>
+              </entry>
+              <entry colname="3">
+                <para>
+                  <literal>IN</literal>
+                </para>
+              </entry>
+              <entry colname="4">
+                <para>
+                  <literal>A</literal>
+                </para>
+              </entry>
+              <entry colname="5">
+                <para>
+                  <literal>10.0.0.3</literal>
+                </para>
+              </entry>
+            </row>
+          </tbody>
+        </tgroup>
+      </informaltable>
+      <para>
+        When a resolver queries for these records, <acronym>BIND</acronym> will rotate
+        them and respond to the query with the records in a different
+        order.  In the example above, clients will randomly receive
+        records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
+        will use the first record returned and discard the rest.
+      </para>
+      <para>
+        For more detail on ordering responses, check the
+        <command>rrset-order</command> substatement in the
+        <command>options</command> statement, see
+        <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
+      </para>
+
+    </sect1>
+
+    <sect1>
+      <title>Name Server Operations</title>
+
+      <sect2>
+        <title>Tools for Use With the Name Server Daemon</title>
+        <para>
+          This section describes several indispensable diagnostic,
+          administrative and monitoring tools available to the system
+          administrator for controlling and debugging the name server
+          daemon.
+        </para>
+        <sect3 id="diagnostic_tools">
+          <title>Diagnostic Tools</title>
+          <para>
+            The <command>dig</command>, <command>host</command>, and
+            <command>nslookup</command> programs are all command
+            line tools
+            for manually querying name servers.  They differ in style and
+            output format.
+          </para>
+
+          <variablelist>
+            <varlistentry>
+              <term id="dig"><command>dig</command></term>
+              <listitem>
+                <para>
+                  The domain information groper (<command>dig</command>)
+                  is the most versatile and complete of these lookup tools.
+                  It has two modes: simple interactive
+                  mode for a single query, and batch mode which executes a
+                  query for
+                  each in a list of several query lines. All query options are
+                  accessible
+                  from the command line.
+                </para>
+                <cmdsynopsis label="Usage">
+                  <command>dig</command>
+                  <arg>@<replaceable>server</replaceable></arg>
+                  <arg choice="plain"><replaceable>domain</replaceable></arg>
+                  <arg><replaceable>query-type</replaceable></arg>
+                  <arg><replaceable>query-class</replaceable></arg>
+                  <arg>+<replaceable>query-option</replaceable></arg>
+                  <arg>-<replaceable>dig-option</replaceable></arg>
+                  <arg>%<replaceable>comment</replaceable></arg>
+                </cmdsynopsis>
+                <para>
+                  The usual simple use of dig will take the form
+                </para>
+                <simpara>
+                  <command>dig @server domain query-type query-class</command>
+                </simpara>
+                <para>
+                  For more information and a list of available commands and
+                  options, see the <command>dig</command> man
+                  page.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>host</command></term>
+              <listitem>
+                <para>
+                  The <command>host</command> utility emphasizes
+                  simplicity
+                  and ease of use.  By default, it converts
+                  between host names and Internet addresses, but its
+                  functionality
+                  can be extended with the use of options.
+                </para>
+                <cmdsynopsis label="Usage">
+                  <command>host</command>
+                  <arg>-aCdlrTwv</arg>
+                  <arg>-c <replaceable>class</replaceable></arg>
+                  <arg>-N <replaceable>ndots</replaceable></arg>
+                  <arg>-t <replaceable>type</replaceable></arg>
+                  <arg>-W <replaceable>timeout</replaceable></arg>
+                  <arg>-R <replaceable>retries</replaceable></arg>
+                  <arg choice="plain"><replaceable>hostname</replaceable></arg>
+                  <arg><replaceable>server</replaceable></arg>
+                </cmdsynopsis>
+                <para>
+                  For more information and a list of available commands and
+                  options, see the <command>host</command> man
+                  page.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>nslookup</command></term>
+              <listitem>
+                <para><command>nslookup</command>
+		  has two modes: interactive and
+                  non-interactive. Interactive mode allows the user to
+                  query name servers for information about various
+                  hosts and domains or to print a list of hosts in a
+                  domain. Non-interactive mode is used to print just
+                  the name and requested information for a host or
+                  domain.
+                </para>
+                <cmdsynopsis label="Usage">
+                  <command>nslookup</command>
+                  <arg rep="repeat">-option</arg>
+                  <group>
+                    <arg><replaceable>host-to-find</replaceable></arg>
+                    <arg>- <arg>server</arg></arg>
+                  </group>
+                </cmdsynopsis>
+                <para>
+                  Interactive mode is entered when no arguments are given (the
+                  default name server will be used) or when the first argument
+                  is a
+                  hyphen (`-') and the second argument is the host name or
+                  Internet address
+                  of a name server.
+                </para>
+                <para>
+                  Non-interactive mode is used when the name or Internet
+                  address
+                  of the host to be looked up is given as the first argument.
+                  The
+                  optional second argument specifies the host name or address
+                  of a name server.
+                </para>
+                <para>
+                  Due to its arcane user interface and frequently inconsistent
+                  behavior, we do not recommend the use of <command>nslookup</command>.
+                  Use <command>dig</command> instead.
+                </para>
+              </listitem>
+
+            </varlistentry>
+          </variablelist>
+        </sect3>
+
+        <sect3 id="admin_tools">
+          <title>Administrative Tools</title>
+          <para>
+            Administrative tools play an integral part in the management
+            of a server.
+          </para>
+          <variablelist>
+            <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
+
+              <term><command>named-checkconf</command></term>
+              <listitem>
+                <para>
+                  The <command>named-checkconf</command> program
+                  checks the syntax of a <filename>named.conf</filename> file.
+                </para>
+                <cmdsynopsis label="Usage">
+                  <command>named-checkconf</command>
+                  <arg>-jvz</arg>
+                  <arg>-t <replaceable>directory</replaceable></arg>
+                  <arg><replaceable>filename</replaceable></arg>
+                </cmdsynopsis>
+              </listitem>
+            </varlistentry>
+            <varlistentry id="named-checkzone" xreflabel="Zone Checking application">
+
+              <term><command>named-checkzone</command></term>
+              <listitem>
+                <para>
+                  The <command>named-checkzone</command> program
+                  checks a master file for
+                  syntax and consistency.
+                </para>
+                <cmdsynopsis label="Usage">
+                  <command>named-checkzone</command>
+                  <arg>-djqvD</arg>
+                  <arg>-c <replaceable>class</replaceable></arg>
+                  <arg>-o <replaceable>output</replaceable></arg>
+                  <arg>-t <replaceable>directory</replaceable></arg>
+                  <arg>-w <replaceable>directory</replaceable></arg>
+                  <arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
+                  <arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
+                  <arg>-W <replaceable>(ignore|warn)</replaceable></arg>
+                  <arg choice="plain"><replaceable>zone</replaceable></arg>
+                  <arg><replaceable>filename</replaceable></arg>
+                </cmdsynopsis>
+              </listitem>
+            </varlistentry>
+	    <varlistentry id="named-compilezone" xreflabel="Zone Compilation aplication">
+	      <term><command>named-compilezone</command></term>
+	      <listitem>
+		<para>
+		  Similar to <command>named-checkzone,</command> but
+		  it always dumps the zone content to a specified file
+		  (typically in a different format).
+		</para>
+	      </listitem>
+	    </varlistentry>
+            <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
+
+              <term><command>rndc</command></term>
+              <listitem>
+                <para>
+                  The remote name daemon control
+                  (<command>rndc</command>) program allows the
+                  system
+                  administrator to control the operation of a name server.
+                  If you run <command>rndc</command> without any
+                  options
+                  it will display a usage message as follows:
+                </para>
+                <cmdsynopsis label="Usage">
+                  <command>rndc</command>
+                  <arg>-c <replaceable>config</replaceable></arg>
+                  <arg>-s <replaceable>server</replaceable></arg>
+                  <arg>-p <replaceable>port</replaceable></arg>
+                  <arg>-y <replaceable>key</replaceable></arg>
+                  <arg choice="plain"><replaceable>command</replaceable></arg>
+                  <arg rep="repeat"><replaceable>command</replaceable></arg>
+                </cmdsynopsis>
+                <para>The <command>command</command>
+		  is one of the following:
+                </para>
+
+                <variablelist>
+
+                  <varlistentry>
+                    <term><userinput>reload</userinput></term>
+                    <listitem>
+                      <para>
+                        Reload configuration file and zones.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>reload <replaceable>zone</replaceable>
+                        <optional><replaceable>class</replaceable>
+           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+                    <listitem>
+                      <para>
+                        Reload the given zone.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>refresh <replaceable>zone</replaceable>
+                        <optional><replaceable>class</replaceable>
            <optional><replaceable>view</replaceable></optional></optional></userinput></term>
-   <listitem><para>Schedule zone maintenance for the given zone.</para></listitem>
-   </varlistentry>
+                    <listitem>
+                      <para>
+                        Schedule zone maintenance for the given zone.
+                      </para>
+                    </listitem>
+                  </varlistentry>
 
-   <varlistentry><term><userinput>retransfer <replaceable>zone</replaceable>
-       <optional><replaceable>class</replaceable>
+                  <varlistentry>
+                    <term><userinput>retransfer <replaceable>zone</replaceable>
+
+                        <optional><replaceable>class</replaceable>
            <optional><replaceable>view</replaceable></optional></optional></userinput></term>
-   <listitem><para>Retransfer the given zone from the master.</para></listitem>
-   </varlistentry>
+                    <listitem>
+                      <para>
+                        Retransfer the given zone from the master.
+                      </para>
+                    </listitem>
+                  </varlistentry>
 
-   <varlistentry> <term><userinput>freeze <optional><replaceable>zone</replaceable>
+                  <varlistentry>
+
+                    <term><userinput>freeze
+                        <optional><replaceable>zone</replaceable>
        <optional><replaceable>class</replaceable>
            <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
-   <listitem><para>Suspend updates to a dynamic zone.  If no zone is specified,
-	then all zones are suspended.  This allows manual
-    edits to be made to a zone normally updated by dynamic update.  It
-    also causes changes in the journal file to be synced into the master
-    and the journal file to be removed.  All dynamic update attempts will
-    be refused while the zone is frozen.</para></listitem>
-   </varlistentry>
-
-   <varlistentry><term><userinput>thaw <optional><replaceable>zone</replaceable>
+                    <listitem>
+                      <para>
+                        Suspend updates to a dynamic zone.  If no zone is
+                        specified,
+                        then all zones are suspended.  This allows manual
+                        edits to be made to a zone normally updated by dynamic
+                        update.  It
+                        also causes changes in the journal file to be synced
+                        into the master
+                        and the journal file to be removed.  All dynamic
+                        update attempts will
+                        be refused while the zone is frozen.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>thaw
+                        <optional><replaceable>zone</replaceable>
        <optional><replaceable>class</replaceable>
            <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
-   <listitem><para>Enable updates to a frozen dynamic zone.  If no zone is
-    specified, then all frozen zones are enabled.  This causes
-    the server to reload the zone from disk, and re-enables dynamic updates
-    after the load has completed.  After a zone is thawed, dynamic updates
-    will no longer be refused.</para></listitem>
-   </varlistentry>
-
-   <varlistentry><term><userinput>reconfig</userinput></term>
-   <listitem><para>Reload the configuration file and load new zones,
-   but do not reload existing zone files even if they have changed.
-   This is faster than a full <command>reload</command> when there
-   is a large number of zones because it avoids the need to examine the
-   modification times of the zones files.
-   </para></listitem>
-   </varlistentry>
-
-   <varlistentry><term><userinput>stats</userinput></term>
-   <listitem><para>Write server statistics to the statistics file.</para></listitem>
-   </varlistentry>
-
-   <varlistentry><term><userinput>querylog</userinput></term>
-   <listitem><para>Toggle query logging. Query logging can also be enabled
-   by explicitly directing the <command>queries</command>
-   <command>category</command> to a <command>channel</command> in the
-   <command>logging</command> section of
-   <filename>named.conf</filename>.</para></listitem></varlistentry>
-
-   <varlistentry><term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
-   <listitem><para>Dump the server's caches (default) and / or zones to the
-	 dump file for the specified views.  If no view is specified, all
-	 views are dumped.</para></listitem></varlistentry>
-
-   <varlistentry><term><userinput>stop <optional>-p</optional></userinput></term>
-   <listitem><para>Stop the server, making sure any recent changes
-   made through dynamic update or IXFR are first saved to the master files
-   of the updated zones.  If -p is specified named's process id is returned.
-   This allows an external process to determine when named had completed stopping.</para></listitem></varlistentry>
-
-   <varlistentry><term><userinput>halt <optional>-p</optional></userinput></term>
-   <listitem><para>Stop the server immediately.  Recent changes
-   made through dynamic update or IXFR are not saved to the master files,
-   but will be rolled forward from the journal files when the server
-   is restarted.  If -p is specified named's process id is returned.
-   This allows an external process to determine when named had completed
-   stopping.</para></listitem></varlistentry>
-
-   <varlistentry><term><userinput>trace</userinput></term>
-   <listitem><para>Increment the servers debugging level by one. </para></listitem></varlistentry>
-
-   <varlistentry><term><userinput>trace <replaceable>level</replaceable></userinput></term>
-   <listitem><para>Sets the server's debugging level to an explicit
-   value.</para></listitem></varlistentry>
-
-   <varlistentry><term><userinput>notrace</userinput></term>
-   <listitem><para>Sets the server's debugging level to 0.</para></listitem></varlistentry>
-
-   <varlistentry><term><userinput>flush</userinput></term>
-   <listitem><para>Flushes the server's cache.</para></listitem></varlistentry>
-
-   <varlistentry><term><userinput>flushname</userinput> <replaceable>name</replaceable></term>
-   <listitem><para>Flushes the given name from the server's cache.</para></listitem></varlistentry>
-
-   <varlistentry><term><userinput>status</userinput></term>
-   <listitem><para>Display status of the server.
-Note that the number of zones includes the internal <command>bind/CH</command> zone
-and the default <command>./IN</command> hint zone if there is not an
-explicit root zone configured.</para></listitem></varlistentry>
-
-   <varlistentry><term><userinput>recursing</userinput></term>
-   <listitem><para>Dump the list of queries named is currently recursing
-   on.
-   </para></listitem></varlistentry>
-
-</variablelist>
-
-<para>In <acronym>BIND</acronym> 9.2, <command>rndc</command>
-supports all the commands of the BIND 8 <command>ndc</command>
-utility except <command>ndc start</command> and
-<command>ndc restart</command>, which were also
-not supported in <command>ndc</command>'s channel mode.</para>
-
-<para>A configuration file is required, since all
-communication with the server is authenticated with
-digital signatures that rely on a shared secret, and
-there is no way to provide that secret other than with a
-configuration file.  The default location for the
-<command>rndc</command> configuration file is
-<filename>/etc/rndc.conf</filename>, but an alternate
-location can be specified with the <option>-c</option>
-option.  If the configuration file is not found,
-<command>rndc</command> will also look in
-<filename>/etc/rndc.key</filename> (or whatever
-<varname>sysconfdir</varname> was defined when
-the <acronym>BIND</acronym> build was configured).
-The <filename>rndc.key</filename> file is generated by
-running <command>rndc-confgen -a</command> as described in
-<xref linkend="controls_statement_definition_and_usage"/>.</para>
-
-<para>The format of the configuration file is similar to
-that of <filename>named.conf</filename>, but limited to
-only four statements, the <command>options</command>,
-<command>key</command>, <command>server</command> and
-<command>include</command>
-statements.  These statements are what associate the
-secret keys to the servers with which they are meant to
-be shared.  The order of statements is not
-significant.</para>
-
-<para>The <command>options</command> statement has three clauses:
-<command>default-server</command>, <command>default-key</command>, 
-and <command>default-port</command>.
-<command>default-server</command> takes a
-host name or address argument  and represents the server that will
-be contacted if no <option>-s</option>
-option is provided on the command line.  
-<command>default-key</command> takes
-the name of a key as its argument, as defined by a <command>key</command> statement.
-<command>default-port</command> specifies the port to which
-<command>rndc</command> should connect if no
-port is given on the command line or in a
-<command>server</command> statement.</para>
-
-<para>The <command>key</command> statement defines a key to be used
-by <command>rndc</command> when authenticating with
-<command>named</command>.  Its syntax is identical to the
-<command>key</command> statement in named.conf.
-The keyword <userinput>key</userinput> is
-followed by a key name, which must be a valid
-domain name, though it need not actually be hierarchical; thus,
-a string like "<userinput>rndc_key</userinput>" is a valid name.
-The <command>key</command> statement has two clauses:
-<command>algorithm</command> and <command>secret</command>.
-While the configuration parser will accept any string as the argument
-to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
-has any meaning.  The secret is a base-64 encoded string.</para>
-
-<para>The <command>server</command> statement associates a key
-defined using the <command>key</command> statement with a server.
-The keyword <userinput>server</userinput> is followed by a
-host name or address.  The <command>server</command> statement
-has two clauses: <command>key</command> and <command>port</command>.
-The <command>key</command> clause specifies the name of the key
-to be used when communicating with this server, and the
-<command>port</command> clause can be used to
-specify the port <command>rndc</command> should connect
-to on the server.</para>
-
-<para>A sample minimal configuration file is as follows:</para>
+                    <listitem>
+                      <para>
+                        Enable updates to a frozen dynamic zone.  If no zone
+                        is
+                        specified, then all frozen zones are enabled.  This
+                        causes
+                        the server to reload the zone from disk, and
+                        re-enables dynamic updates
+                        after the load has completed.  After a zone is thawed,
+                        dynamic updates
+                        will no longer be refused.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>notify <replaceable>zone</replaceable>
+                        <optional><replaceable>class</replaceable>
+           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+                    <listitem>
+                      <para>
+                        Resend NOTIFY messages for the zone.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>reconfig</userinput></term>
+                    <listitem>
+                      <para>
+                        Reload the configuration file and load new zones,
+                        but do not reload existing zone files even if they
+                        have changed.
+                        This is faster than a full <command>reload</command> when there
+                        is a large number of zones because it avoids the need
+                        to examine the
+                        modification times of the zones files.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>stats</userinput></term>
+                    <listitem>
+                      <para>
+                        Write server statistics to the statistics file.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>querylog</userinput></term>
+                    <listitem>
+                      <para>
+                        Toggle query logging. Query logging can also be enabled
+                        by explicitly directing the <command>queries</command>
+                        <command>category</command> to a
+		        <command>channel</command> in the
+                        <command>logging</command> section of
+                        <filename>named.conf</filename> or by specifying
+			<command>querylog yes;</command> in the
+			<command>options</command> section of
+			<filename>named.conf</filename>.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>dumpdb
+                        <optional>-all|-cache|-zone</optional>
+                        <optional><replaceable>view ...</replaceable></optional></userinput></term>
+                    <listitem>
+                      <para>
+                        Dump the server's caches (default) and/or zones to
+                        the
+                        dump file for the specified views.  If no view is
+                        specified, all
+                        views are dumped.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>stop <optional>-p</optional></userinput></term>
+                    <listitem>
+                      <para>
+                        Stop the server, making sure any recent changes
+                        made through dynamic update or IXFR are first saved to
+                        the master files of the updated zones.
+			If -p is specified named's process id is returned.
+			This allows an external process to determine when named
+			had completed stopping.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>halt <optional>-p</optional></userinput></term>
+                    <listitem>
+                      <para>
+                        Stop the server immediately.  Recent changes
+                        made through dynamic update or IXFR are not saved to
+                        the master files, but will be rolled forward from the
+			journal files when the server is restarted.
+			If -p is specified named's process id is returned.
+			This allows an external process to determine when named
+			had completed halting.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>trace</userinput></term>
+                    <listitem>
+                      <para>
+                        Increment the servers debugging level by one.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>trace <replaceable>level</replaceable></userinput></term>
+                    <listitem>
+                      <para>
+                        Sets the server's debugging level to an explicit
+                        value.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>notrace</userinput></term>
+                    <listitem>
+                      <para>
+                        Sets the server's debugging level to 0.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>flush</userinput></term>
+                    <listitem>
+                      <para>
+                        Flushes the server's cache.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>flushname</userinput> <replaceable>name</replaceable></term>
+                    <listitem>
+                      <para>
+                        Flushes the given name from the server's cache.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>status</userinput></term>
+                    <listitem>
+                      <para>
+                        Display status of the server.
+                        Note that the number of zones includes the internal <command>bind/CH</command> zone
+                        and the default <command>./IN</command>
+                        hint zone if there is not an
+                        explicit root zone configured.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><userinput>recursing</userinput></term>
+                    <listitem>
+                      <para>
+                        Dump the list of queries named is currently recursing
+                        on.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                </variablelist>
+
+                <para>
+                  In <acronym>BIND</acronym> 9.2, <command>rndc</command>
+                  supports all the commands of the BIND 8 <command>ndc</command>
+                  utility except <command>ndc start</command> and
+                  <command>ndc restart</command>, which were also
+                  not supported in <command>ndc</command>'s
+                  channel mode.
+                </para>
+
+                <para>
+                  A configuration file is required, since all
+                  communication with the server is authenticated with
+                  digital signatures that rely on a shared secret, and
+                  there is no way to provide that secret other than with a
+                  configuration file.  The default location for the
+                  <command>rndc</command> configuration file is
+                  <filename>/etc/rndc.conf</filename>, but an
+                  alternate
+                  location can be specified with the <option>-c</option>
+                  option.  If the configuration file is not found,
+                  <command>rndc</command> will also look in
+                  <filename>/etc/rndc.key</filename> (or whatever
+                  <varname>sysconfdir</varname> was defined when
+                  the <acronym>BIND</acronym> build was
+                  configured).
+                  The <filename>rndc.key</filename> file is
+                  generated by
+                  running <command>rndc-confgen -a</command> as
+                  described in
+                  <xref linkend="controls_statement_definition_and_usage"/>.
+                </para>
+
+                <para>
+                  The format of the configuration file is similar to
+                  that of <filename>named.conf</filename>, but
+                  limited to
+                  only four statements, the <command>options</command>,
+                  <command>key</command>, <command>server</command> and
+                  <command>include</command>
+                  statements.  These statements are what associate the
+                  secret keys to the servers with which they are meant to
+                  be shared.  The order of statements is not
+                  significant.
+                </para>
+
+                <para>
+                  The <command>options</command> statement has
+                  three clauses:
+                  <command>default-server</command>, <command>default-key</command>,
+                  and <command>default-port</command>.
+                  <command>default-server</command> takes a
+                  host name or address argument  and represents the server
+                  that will
+                  be contacted if no <option>-s</option>
+                  option is provided on the command line.
+                  <command>default-key</command> takes
+                  the name of a key as its argument, as defined by a <command>key</command> statement.
+                  <command>default-port</command> specifies the
+                  port to which
+                  <command>rndc</command> should connect if no
+                  port is given on the command line or in a
+                  <command>server</command> statement.
+                </para>
+
+                <para>
+                  The <command>key</command> statement defines a
+                  key to be used
+                  by <command>rndc</command> when authenticating
+                  with
+                  <command>named</command>.  Its syntax is
+                  identical to the
+                  <command>key</command> statement in named.conf.
+                  The keyword <userinput>key</userinput> is
+                  followed by a key name, which must be a valid
+                  domain name, though it need not actually be hierarchical;
+                  thus,
+                  a string like "<userinput>rndc_key</userinput>" is a valid
+                  name.
+                  The <command>key</command> statement has two
+                  clauses:
+                  <command>algorithm</command> and <command>secret</command>.
+                  While the configuration parser will accept any string as the
+                  argument
+                  to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
+                  has any meaning.  The secret is a base-64 encoded string
+		  as specified in RFC 3548.
+                </para>
+
+                <para>
+                  The <command>server</command> statement
+                  associates a key
+                  defined using the <command>key</command>
+                  statement with a server.
+                  The keyword <userinput>server</userinput> is followed by a
+                  host name or address.  The <command>server</command> statement
+                  has two clauses: <command>key</command> and <command>port</command>.
+                  The <command>key</command> clause specifies the
+                  name of the key
+                  to be used when communicating with this server, and the
+                  <command>port</command> clause can be used to
+                  specify the port <command>rndc</command> should
+                  connect
+                  to on the server.
+                </para>
+
+                <para>
+                  A sample minimal configuration file is as follows:
+                </para>
+
 <programlisting>
 key rndc_key {
      algorithm "hmac-md5";
@@ -929,275 +1476,418 @@ options {
 };
 </programlisting>
 
-<para>This file, if installed as <filename>/etc/rndc.conf</filename>,
-would allow the command:</para>
+                <para>
+                  This file, if installed as <filename>/etc/rndc.conf</filename>,
+                  would allow the command:
+                </para>
+
+                <para>
+                  <prompt>$ </prompt><userinput>rndc reload</userinput>
+                </para>
 
-<para><prompt>$ </prompt><userinput>rndc reload</userinput></para>
+                <para>
+                  to connect to 127.0.0.1 port 953 and cause the name server
+                  to reload, if a name server on the local machine were
+                  running with
+                  following controls statements:
+                </para>
 
-<para>to connect to 127.0.0.1 port 953 and cause the name server
-to reload, if a name server on the local machine were running with
-following controls statements:</para>
 <programlisting>
 controls {
         inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
 };
 </programlisting>
-<para>and it had an identical key statement for
-<literal>rndc_key</literal>.</para>
-
-<para>Running the <command>rndc-confgen</command> program will
-conveniently create a <filename>rndc.conf</filename>
-file for you, and also display the
-corresponding <command>controls</command> statement that you need to
-add to <filename>named.conf</filename>.  Alternatively,
-you can run <command>rndc-confgen -a</command> to set up
-a <filename>rndc.key</filename> file and not modify 
-<filename>named.conf</filename> at all.
-</para>
 
-            </listitem>
-          </varlistentry>
-        </variablelist>
+                <para>
+                  and it had an identical key statement for
+                  <literal>rndc_key</literal>.
+                </para>
+
+                <para>
+                  Running the <command>rndc-confgen</command>
+                  program will
+                  conveniently create a <filename>rndc.conf</filename>
+                  file for you, and also display the
+                  corresponding <command>controls</command>
+                  statement that you need to
+                  add to <filename>named.conf</filename>.
+                  Alternatively,
+                  you can run <command>rndc-confgen -a</command>
+                  to set up
+                  a <filename>rndc.key</filename> file and not
+                  modify
+                  <filename>named.conf</filename> at all.
+                </para>
 
-      </sect3>
-    </sect2>
-<sect2>
-
-<title>Signals</title>
-<para>Certain UNIX signals cause the name server to take specific
-actions, as described in the following table.  These signals can
-be sent using the <command>kill</command> command.</para>
-<informaltable frame = "all" ><tgroup cols = "2">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>SIGHUP</command></para></entry>
-<entry colname = "2"><para>Causes the server to read <filename>named.conf</filename> and
-reload the database. </para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>SIGTERM</command></para></entry>
-<entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
-            </row>
-            <row rowsep = "0">
-              <entry colname = "1">
-<para><command>SIGINT</command></para>
-</entry>
-              <entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
-            </row>
-          </tbody>
-        </tgroup>
-      </informaltable>
-    </sect2>
-  </sect1>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+        </sect3>
+      </sect2>
+      <sect2>
+
+        <title>Signals</title>
+        <para>
+          Certain UNIX signals cause the name server to take specific
+          actions, as described in the following table.  These signals can
+          be sent using the <command>kill</command> command.
+        </para>
+        <informaltable frame="all">
+          <tgroup cols="2">
+            <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
+            <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
+            <tbody>
+              <row rowsep="0">
+                <entry colname="1">
+                  <para><command>SIGHUP</command></para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    Causes the server to read <filename>named.conf</filename> and
+                    reload the database.
+                  </para>
+                </entry>
+              </row>
+              <row rowsep="0">
+                <entry colname="1">
+                  <para><command>SIGTERM</command></para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    Causes the server to clean up and exit.
+                  </para>
+                </entry>
+              </row>
+              <row rowsep="0">
+                <entry colname="1">
+                  <para><command>SIGINT</command></para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    Causes the server to clean up and exit.
+                  </para>
+                </entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+      </sect2>
+    </sect1>
   </chapter>
 
-<chapter id="Bv9ARM.ch04">
-<title>Advanced DNS Features</title>
-
-<sect1 id="notify">
-
-<title>Notify</title>
-<para><acronym>DNS</acronym> NOTIFY is a mechanism that allows master
-servers to notify their slave servers of changes to a zone's data. In
-response to a <command>NOTIFY</command> from a master server, the
-slave will check to see that its version of the zone is the
-current version and, if not, initiate a zone transfer.</para>
-
-<para><acronym>DNS</acronym>
-For more information about
-<command>NOTIFY</command>, see the description of the
-<command>notify</command> option in <xref linkend="boolean_options"/> and
-the description of the zone option <command>also-notify</command> in
-<xref linkend="zone_transfers"/>.  The <command>NOTIFY</command>
-protocol is specified in RFC 1996.
-</para>
-
-</sect1>
-
-<sect1 id="dynamic_update">
-<title>Dynamic Update</title>
-
-    <para>Dynamic Update is a method for adding, replacing or deleting
-    records in a master server by sending it a special form of DNS
-    messages.  The format and meaning of these messages is specified
-    in RFC 2136.</para>
-
-    <para>Dynamic update is enabled on a zone-by-zone basis, by
-    including an <command>allow-update</command> or
-    <command>update-policy</command> clause in the
-    <command>zone</command> statement.</para>
-
-    <para>Updating of secure zones (zones using DNSSEC) follows
-    RFC 3007: RRSIG and NSEC records affected by updates are automatically
-    regenerated by the server using an online zone key.
-    Update authorization is based
-    on transaction signatures and an explicit server policy.</para>
-
-    <sect2 id="journal">
-    <title>The journal file</title>
-
-    <para>All changes made to a zone using dynamic update are stored in the
-    zone's journal file.  This file is automatically created by the
-    server when the first dynamic update takes place.  The name of
-    the journal file is formed by appending the
-    extension <filename>.jnl</filename> to the
-    name of the corresponding zone file.  The journal file is in a
-    binary format and should not be edited manually.</para>
-
-    <para>The server will also occasionally write ("dump")
-    the complete contents of the updated zone to its zone file.
-    This is not done immediately after
-    each dynamic update, because that would be too slow when a large
-    zone is updated frequently.  Instead, the dump is delayed by
-    up to 15 minutes, allowing additional updates to take place.</para>
-
-    <para>When a server is restarted after a shutdown or crash, it will replay
-    the journal file to incorporate into the zone any updates that took
-    place after the last zone dump.</para>
-
-    <para>Changes that result from incoming incremental zone transfers are also
-    journalled in a similar way.</para>
-
-    <para>The zone files of dynamic zones cannot normally be edited by
-    hand because they are not guaranteed to contain the most recent
-    dynamic changes &mdash; those are only in the journal file.
-    The only way to ensure that the zone file of a dynamic zone
-    is up to date is to run <command>rndc stop</command>.</para>
-
-    <para>If you have to make changes to a dynamic zone
-    manually, the following procedure will work: Disable dynamic updates
-    to the zone using
-    <command>rndc freeze <replaceable>zone</replaceable></command>.
-    This will also remove the zone's <filename>.jnl</filename> file
-    and update the master file.  Edit the zone file.  Run
-    <command>rndc thaw <replaceable>zone</replaceable></command>
-    to reload the changed zone and re-enable dynamic updates.</para>
-
-  </sect2>
-    
-</sect1>
-    
-<sect1 id="incremental_zone_transfers">
-<title>Incremental Zone Transfers (IXFR)</title>
-
-<para>The incremental zone transfer (IXFR) protocol is a way for
-slave servers to transfer only changed data, instead of having to
-transfer the entire zone. The IXFR protocol is specified in RFC
-1995. See <xref linkend="proposed_standards"/>.</para>
-
-<para>When acting as a master, <acronym>BIND</acronym> 9
-supports IXFR for those zones
-where the necessary change history information is available. These
-include master zones maintained by dynamic update and slave zones
-whose data was obtained by IXFR.  For manually maintained master
-zones, and for slave zones obtained by performing a full zone 
-transfer (AXFR), IXFR is supported only if the option
-<command>ixfr-from-differences</command> is set
-to <userinput>yes</userinput>.
-</para>
-
-<para>When acting as a slave, <acronym>BIND</acronym> 9 will 
-attempt to use IXFR unless
-it is explicitly disabled. For more information about disabling
-IXFR, see the description of the <command>request-ixfr</command> clause
-of the <command>server</command> statement.</para>
-</sect1>
-
-<sect1><title>Split DNS</title>
-<para>Setting up different views, or visibility, of the DNS space to
-internal and external resolvers is usually referred to as a <emphasis>Split
-DNS</emphasis> setup. There are several reasons an organization
-would want to set up its DNS this way.</para>
-<para>One common reason for setting up a DNS system this way is
-to hide "internal" DNS information from "external" clients on the
-Internet. There is some debate as to whether or not this is actually useful.
-Internal DNS information leaks out in many ways (via email headers,
-for example) and most savvy "attackers" can find the information
-they need using other means.</para>
-<para>Another common reason for setting up a Split DNS system is
-to allow internal networks that are behind filters or in RFC 1918
-space (reserved IP space, as documented in RFC 1918) to resolve DNS
-on the Internet. Split DNS can also be used to allow mail from outside
-back in to the internal network.</para>
-<para>Here is an example of a split DNS setup:</para>
-<para>Let's say a company named <emphasis>Example, Inc.</emphasis>
-(<literal>example.com</literal>)
-has several corporate sites that have an internal network with reserved
-Internet Protocol (IP) space and an external demilitarized zone (DMZ),
-or "outside" section of a network, that is available to the public.</para>
-<para><emphasis>Example, Inc.</emphasis> wants its internal clients
-to be able to resolve external hostnames and to exchange mail with
-people on the outside. The company also wants its internal resolvers
-to have access to certain internal-only zones that are not available
-at all outside of the internal network.</para>
-<para>In order to accomplish this, the company will set up two sets
-of name servers. One set will be on the inside network (in the reserved
-IP space) and the other set will be on bastion hosts, which are "proxy"
-hosts that can talk to both sides of its network, in the DMZ.</para>
-<para>The internal servers will be configured to forward all queries,
-except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
-and <filename>site2.example.com</filename>, to the servers in the
-DMZ. These internal servers will have complete sets of information
-for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis> </emphasis><filename>site1.internal</filename>,
-and <filename>site2.internal</filename>.</para>
-<para>To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
-the internal name servers must be configured to disallow all queries
-to these domains from any external hosts, including the bastion
-hosts.</para>
-<para>The external servers, which are on the bastion hosts, will
-be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
-This could include things such as the host records for public servers
-(<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
-and mail exchange (MX)  records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).</para>
-<para>In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
-should have special MX records that contain wildcard (`*') records
-pointing to the bastion hosts. This is needed because external mail
-servers do not have any other way of looking up how to deliver mail
-to those internal hosts. With the wildcard records, the mail will
-be delivered to the bastion host, which can then forward it on to
-internal hosts.</para>
-<para>Here's an example of a wildcard MX record:</para>
-<programlisting>*   IN MX 10 external1.example.com.</programlisting>
-<para>Now that they accept mail on behalf of anything in the internal
-network, the bastion hosts will need to know how to deliver mail
-to internal hosts. In order for this to work properly, the resolvers on
-the bastion hosts will need to be configured to point to the internal
-name servers for DNS resolution.</para>
-<para>Queries for internal hostnames will be answered by the internal
-servers, and queries for external hostnames will be forwarded back
-out to the DNS servers on the bastion hosts.</para>
-<para>In order for all this to work properly, internal clients will
-need to be configured to query <emphasis>only</emphasis> the internal
-name servers for DNS queries. This could also be enforced via selective
-filtering on the network.</para>
-<para>If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
-internal clients will now be able to:</para>
-<itemizedlist><listitem>
-        <simpara>Look up any hostnames in the <literal>site1</literal> and 
-<literal>site2.example.com</literal> zones.</simpara></listitem>
-<listitem>
-        <simpara>Look up any hostnames in the <literal>site1.internal</literal> and 
-<literal>site2.internal</literal> domains.</simpara></listitem>
-<listitem>
-        <simpara>Look up any hostnames on the Internet.</simpara></listitem>
-<listitem>
-        <simpara>Exchange mail with both internal AND external people.</simpara></listitem></itemizedlist>
-<para>Hosts on the Internet will be able to:</para>
-<itemizedlist><listitem>
-        <simpara>Look up any hostnames in the <literal>site1</literal> and 
-<literal>site2.example.com</literal> zones.</simpara></listitem>
-<listitem>
-        <simpara>Exchange mail with anyone in the <literal>site1</literal> and 
-<literal>site2.example.com</literal> zones.</simpara></listitem></itemizedlist>
-
-    <para>Here is an example configuration for the setup we just
-    described above. Note that this is only configuration information;
-    for information on how to configure your zone files, see <xref
-    linkend="sample_configuration"/>.</para>
-
-<para>Internal DNS server config:</para>
+  <chapter id="Bv9ARM.ch04">
+    <title>Advanced DNS Features</title>
+
+    <sect1 id="notify">
+
+      <title>Notify</title>
+      <para>
+        <acronym>DNS</acronym> NOTIFY is a mechanism that allows master
+        servers to notify their slave servers of changes to a zone's data. In
+        response to a <command>NOTIFY</command> from a master server, the
+        slave will check to see that its version of the zone is the
+        current version and, if not, initiate a zone transfer.
+      </para>
+
+      <para>
+        For more information about <acronym>DNS</acronym>
+        <command>NOTIFY</command>, see the description of the
+        <command>notify</command> option in <xref linkend="boolean_options"/> and
+        the description of the zone option <command>also-notify</command> in
+        <xref linkend="zone_transfers"/>.  The <command>NOTIFY</command>
+        protocol is specified in RFC 1996.
+      </para>
+
+      <note>
+	As a slave zone can also be a master to other slaves, named,
+        by default, sends <command>NOTIFY</command> messages for every zone
+	it loads.  Specifying <command>notify master-only;</command> will
+	cause named to only send <command>NOTIFY</command> for master
+	zones that it loads.
+      </note>
+
+    </sect1>
+
+    <sect1 id="dynamic_update">
+      <title>Dynamic Update</title>
+
+      <para>
+        Dynamic Update is a method for adding, replacing or deleting
+        records in a master server by sending it a special form of DNS
+        messages.  The format and meaning of these messages is specified
+        in RFC 2136.
+      </para>
+
+      <para>
+        Dynamic update is enabled by
+        including an <command>allow-update</command> or
+        <command>update-policy</command> clause in the
+        <command>zone</command> statement.
+      </para>
+
+      <para>
+        Updating of secure zones (zones using DNSSEC) follows
+        RFC 3007: RRSIG and NSEC records affected by updates are automatically
+            regenerated by the server using an online zone key.
+        Update authorization is based
+        on transaction signatures and an explicit server policy.
+      </para>
+
+      <sect2 id="journal">
+        <title>The journal file</title>
+
+        <para>
+          All changes made to a zone using dynamic update are stored
+          in the zone's journal file.  This file is automatically created
+          by the server when the first dynamic update takes place.
+          The name of the journal file is formed by appending the extension
+          <filename>.jnl</filename> to the name of the
+          corresponding zone
+          file unless specifically overridden.  The journal file is in a
+          binary format and should not be edited manually.
+        </para>
+
+        <para>
+          The server will also occasionally write ("dump")
+          the complete contents of the updated zone to its zone file.
+          This is not done immediately after
+          each dynamic update, because that would be too slow when a large
+          zone is updated frequently.  Instead, the dump is delayed by
+          up to 15 minutes, allowing additional updates to take place.
+        </para>
+
+        <para>
+          When a server is restarted after a shutdown or crash, it will replay
+              the journal file to incorporate into the zone any updates that
+          took
+          place after the last zone dump.
+        </para>
+
+        <para>
+          Changes that result from incoming incremental zone transfers are
+          also
+          journalled in a similar way.
+        </para>
+
+        <para>
+          The zone files of dynamic zones cannot normally be edited by
+          hand because they are not guaranteed to contain the most recent
+          dynamic changes &mdash; those are only in the journal file.
+          The only way to ensure that the zone file of a dynamic zone
+          is up to date is to run <command>rndc stop</command>.
+        </para>
+
+        <para>
+          If you have to make changes to a dynamic zone
+          manually, the following procedure will work: Disable dynamic updates
+              to the zone using
+          <command>rndc freeze <replaceable>zone</replaceable></command>.
+          This will also remove the zone's <filename>.jnl</filename> file
+          and update the master file.  Edit the zone file.  Run
+          <command>rndc thaw <replaceable>zone</replaceable></command>
+          to reload the changed zone and re-enable dynamic updates.
+        </para>
+
+      </sect2>
+
+    </sect1>
+
+    <sect1 id="incremental_zone_transfers">
+      <title>Incremental Zone Transfers (IXFR)</title>
+
+      <para>
+        The incremental zone transfer (IXFR) protocol is a way for
+        slave servers to transfer only changed data, instead of having to
+        transfer the entire zone. The IXFR protocol is specified in RFC
+        1995. See <xref linkend="proposed_standards"/>.
+      </para>
+
+      <para>
+        When acting as a master, <acronym>BIND</acronym> 9
+        supports IXFR for those zones
+        where the necessary change history information is available. These
+        include master zones maintained by dynamic update and slave zones
+        whose data was obtained by IXFR.  For manually maintained master
+        zones, and for slave zones obtained by performing a full zone
+        transfer (AXFR), IXFR is supported only if the option
+        <command>ixfr-from-differences</command> is set
+        to <userinput>yes</userinput>.
+      </para>
+
+      <para>
+        When acting as a slave, <acronym>BIND</acronym> 9 will
+        attempt to use IXFR unless
+        it is explicitly disabled. For more information about disabling
+        IXFR, see the description of the <command>request-ixfr</command> clause
+        of the <command>server</command> statement.
+      </para>
+    </sect1>
+
+    <sect1>
+      <title>Split DNS</title>
+      <para>
+        Setting up different views, or visibility, of the DNS space to
+        internal and external resolvers is usually referred to as a
+	<emphasis>Split DNS</emphasis> setup. There are several
+        reasons an organization would want to set up its DNS this way.
+      </para>
+      <para>
+        One common reason for setting up a DNS system this way is
+        to hide "internal" DNS information from "external" clients on the
+        Internet. There is some debate as to whether or not this is actually
+        useful.
+        Internal DNS information leaks out in many ways (via email headers,
+        for example) and most savvy "attackers" can find the information
+        they need using other means.
+	However, since listing addresses of internal servers that
+        external clients cannot possibly reach can result in
+        connection delays and other annoyances, an organization may
+        choose to use a Split DNS to present a consistant view of itself
+        to the outside world.
+      </para>
+      <para>
+        Another common reason for setting up a Split DNS system is
+        to allow internal networks that are behind filters or in RFC 1918
+        space (reserved IP space, as documented in RFC 1918) to resolve DNS
+        on the Internet. Split DNS can also be used to allow mail from outside
+        back in to the internal network.
+      </para>
+      <para>
+        Here is an example of a split DNS setup:
+      </para>
+      <para>
+        Let's say a company named <emphasis>Example, Inc.</emphasis>
+        (<literal>example.com</literal>)
+        has several corporate sites that have an internal network with
+        reserved
+        Internet Protocol (IP) space and an external demilitarized zone (DMZ),
+        or "outside" section of a network, that is available to the public.
+      </para>
+      <para>
+        <emphasis>Example, Inc.</emphasis> wants its internal clients
+        to be able to resolve external hostnames and to exchange mail with
+        people on the outside. The company also wants its internal resolvers
+        to have access to certain internal-only zones that are not available
+        at all outside of the internal network.
+      </para>
+      <para>
+        In order to accomplish this, the company will set up two sets
+        of name servers. One set will be on the inside network (in the
+        reserved
+        IP space) and the other set will be on bastion hosts, which are
+        "proxy"
+        hosts that can talk to both sides of its network, in the DMZ.
+      </para>
+      <para>
+        The internal servers will be configured to forward all queries,
+        except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
+        and <filename>site2.example.com</filename>, to the servers
+        in the
+        DMZ. These internal servers will have complete sets of information
+        for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis/> <filename>site1.internal</filename>,
+        and <filename>site2.internal</filename>.
+      </para>
+      <para>
+        To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
+        the internal name servers must be configured to disallow all queries
+        to these domains from any external hosts, including the bastion
+        hosts.
+      </para>
+      <para>
+        The external servers, which are on the bastion hosts, will
+        be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
+        This could include things such as the host records for public servers
+        (<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
+        and mail exchange (MX)  records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).
+      </para>
+      <para>
+        In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
+        should have special MX records that contain wildcard (`*') records
+        pointing to the bastion hosts. This is needed because external mail
+        servers do not have any other way of looking up how to deliver mail
+        to those internal hosts. With the wildcard records, the mail will
+        be delivered to the bastion host, which can then forward it on to
+        internal hosts.
+      </para>
+      <para>
+        Here's an example of a wildcard MX record:
+      </para>
+      <programlisting>*   IN MX 10 external1.example.com.</programlisting>
+      <para>
+        Now that they accept mail on behalf of anything in the internal
+        network, the bastion hosts will need to know how to deliver mail
+        to internal hosts. In order for this to work properly, the resolvers
+        on
+        the bastion hosts will need to be configured to point to the internal
+        name servers for DNS resolution.
+      </para>
+      <para>
+        Queries for internal hostnames will be answered by the internal
+        servers, and queries for external hostnames will be forwarded back
+        out to the DNS servers on the bastion hosts.
+      </para>
+      <para>
+        In order for all this to work properly, internal clients will
+        need to be configured to query <emphasis>only</emphasis> the internal
+        name servers for DNS queries. This could also be enforced via
+        selective
+        filtering on the network.
+      </para>
+      <para>
+        If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
+        internal clients will now be able to:
+      </para>
+      <itemizedlist>
+        <listitem>
+          <simpara>
+            Look up any hostnames in the <literal>site1</literal>
+            and
+            <literal>site2.example.com</literal> zones.
+          </simpara>
+        </listitem>
+        <listitem>
+          <simpara>
+            Look up any hostnames in the <literal>site1.internal</literal> and
+            <literal>site2.internal</literal> domains.
+          </simpara>
+        </listitem>
+        <listitem>
+          <simpara>Look up any hostnames on the Internet.</simpara>
+        </listitem>
+        <listitem>
+          <simpara>Exchange mail with both internal and external people.</simpara>
+        </listitem>
+      </itemizedlist>
+      <para>
+        Hosts on the Internet will be able to:
+      </para>
+      <itemizedlist>
+        <listitem>
+          <simpara>
+            Look up any hostnames in the <literal>site1</literal>
+            and
+            <literal>site2.example.com</literal> zones.
+          </simpara>
+        </listitem>
+        <listitem>
+          <simpara>
+            Exchange mail with anyone in the <literal>site1</literal> and
+            <literal>site2.example.com</literal> zones.
+          </simpara>
+        </listitem>
+      </itemizedlist>
+
+      <para>
+        Here is an example configuration for the setup we just
+        described above. Note that this is only configuration information;
+        for information on how to configure your zone files, see <xref linkend="sample_configuration"/>.
+      </para>
+
+      <para>
+        Internal DNS server config:
+      </para>
+
 <programlisting>
 
 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
@@ -1209,7 +1899,7 @@ options {
     ...
     forward only;
     forwarders {                                // forward to external servers
-        <varname>bastion-ips-go-here</varname>; 
+        <varname>bastion-ips-go-here</varname>;
     };
     allow-transfer { none; };                   // sample allow-transfer (no one)
     allow-query { internals; externals; };      // restrict query access
@@ -1253,7 +1943,11 @@ zone "site2.internal" {
   allow-transfer { internals; }
 };
 </programlisting>
-    <para>External (bastion host) DNS server config:</para>
+
+      <para>
+        External (bastion host) DNS server config:
+      </para>
+
 <programlisting>
 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
 
@@ -1263,7 +1957,8 @@ options {
   ...
   ...
   allow-transfer { none; };                     // sample allow-transfer (no one)
-  allow-query { internals; externals; };        // restrict query access
+  allow-query { any; };                         // default query access
+  allow-query-cache { internals; externals; };  // restrict cache access
   allow-recursion { internals; externals; };    // restrict recursion
   ...
   ...
@@ -1272,7 +1967,6 @@ options {
 zone "site1.example.com" {                      // sample slave zone
   type master;
   file "m/site1.foo.com";
-  allow-query { any; };
   allow-transfer { internals; externals; };
 };
 
@@ -1280,317 +1974,458 @@ zone "site2.example.com" {
   type slave;
   file "s/site2.foo.com";
   masters { another_bastion_host_maybe; };
-  allow-query { any; };
   allow-transfer { internals; externals; }
 };
 </programlisting>
-<para>In the <filename>resolv.conf</filename> (or equivalent) on
-the bastion host(s):</para>
+
+      <para>
+        In the <filename>resolv.conf</filename> (or equivalent) on
+        the bastion host(s):
+      </para>
+
 <programlisting>
 search ...
 nameserver 172.16.72.2
 nameserver 172.16.72.3
 nameserver 172.16.72.4
 </programlisting>
-</sect1>
-<sect1 id="tsig"><title>TSIG</title>
-<para>This is a short guide to setting up Transaction SIGnatures
-(TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
-to the configuration file as well as what changes are required for
-different features, including the process of creating transaction
-keys and using transaction signatures with <acronym>BIND</acronym>.</para>
-<para><acronym>BIND</acronym> primarily supports TSIG for server to server communication.
-This includes zone transfer, notify, and recursive query messages.
-Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
-for TSIG.</para>
-
-    <para>TSIG might be most useful for dynamic update. A primary
-    server for a dynamic zone should use access control to control
-    updates, but IP-based access control is insufficient.
-    The cryptographic access control provided by TSIG
-    is far superior. The <command>nsupdate</command>
-    program supports TSIG via the <option>-k</option> and
-    <option>-y</option> command line options.</para>
-
-<sect2><title>Generate Shared Keys for Each Pair of Hosts</title>
-<para>A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
-An arbitrary key name is chosen: "host1-host2.". The key name must
-be the same on both hosts.</para>
-<sect3><title>Automatic Generation</title>
-<para>The following command will generate a 128-bit (16 byte) HMAC-MD5
-key as described above. Longer keys are better, but shorter keys
-are easier to read. Note that the maximum key length is 512 bits;
-keys longer than that will be digested with MD5 to produce a
-128-bit key.</para>
-        <para><userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput></para>
-<para>The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
-Nothing directly uses this file, but the base-64 encoded string
-following "<literal>Key:</literal>"
-can be extracted from the file and used as a shared secret:</para>
-<programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
-<para>The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
-be used as the shared secret.</para></sect3>
-<sect3><title>Manual Generation</title>
-<para>The shared secret is simply a random sequence of bits, encoded
-in base-64. Most ASCII strings are valid base-64 strings (assuming
-the length is a multiple of 4 and only valid characters are used),
-so the shared secret can be manually generated.</para>
-<para>Also, a known string can be run through <command>mmencode</command> or
-a similar program to generate base-64 encoded data.</para></sect3></sect2>
-<sect2><title>Copying the Shared Secret to Both Machines</title>
-<para>This is beyond the scope of DNS. A secure transport mechanism
-should be used. This could be secure FTP, ssh, telephone, etc.</para></sect2>
-<sect2><title>Informing the Servers of the Key's Existence</title>
-<para>Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis> are
-both servers. The following is added to each server's <filename>named.conf</filename> file:</para>
+
+    </sect1>
+    <sect1 id="tsig">
+      <title>TSIG</title>
+      <para>
+        This is a short guide to setting up Transaction SIGnatures
+        (TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
+        to the configuration file as well as what changes are required for
+        different features, including the process of creating transaction
+        keys and using transaction signatures with <acronym>BIND</acronym>.
+      </para>
+      <para>
+        <acronym>BIND</acronym> primarily supports TSIG for server
+        to server communication.
+        This includes zone transfer, notify, and recursive query messages.
+        Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
+        for TSIG.
+      </para>
+
+      <para>
+        TSIG can also be useful for dynamic update. A primary
+        server for a dynamic zone should control access to the dynamic
+        update service, but IP-based access control is insufficient.
+        The cryptographic access control provided by TSIG
+        is far superior. The <command>nsupdate</command>
+        program supports TSIG via the <option>-k</option> and
+        <option>-y</option> command line options or inline by use
+	of the <command>key</command>.
+      </para>
+
+      <sect2>
+        <title>Generate Shared Keys for Each Pair of Hosts</title>
+        <para>
+          A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
+          An arbitrary key name is chosen: "host1-host2.". The key name must
+          be the same on both hosts.
+        </para>
+        <sect3>
+          <title>Automatic Generation</title>
+          <para>
+            The following command will generate a 128-bit (16 byte) HMAC-MD5
+            key as described above. Longer keys are better, but shorter keys
+            are easier to read. Note that the maximum key length is 512 bits;
+            keys longer than that will be digested with MD5 to produce a
+            128-bit key.
+          </para>
+          <para>
+            <userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput>
+          </para>
+          <para>
+            The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
+            Nothing directly uses this file, but the base-64 encoded string
+            following "<literal>Key:</literal>"
+            can be extracted from the file and used as a shared secret:
+          </para>
+          <programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
+          <para>
+            The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
+            be used as the shared secret.
+          </para>
+        </sect3>
+        <sect3>
+          <title>Manual Generation</title>
+          <para>
+            The shared secret is simply a random sequence of bits, encoded
+            in base-64. Most ASCII strings are valid base-64 strings (assuming
+            the length is a multiple of 4 and only valid characters are used),
+            so the shared secret can be manually generated.
+          </para>
+          <para>
+            Also, a known string can be run through <command>mmencode</command> or
+            a similar program to generate base-64 encoded data.
+          </para>
+        </sect3>
+      </sect2>
+      <sect2>
+        <title>Copying the Shared Secret to Both Machines</title>
+        <para>
+          This is beyond the scope of DNS. A secure transport mechanism
+          should be used. This could be secure FTP, ssh, telephone, etc.
+        </para>
+      </sect2>
+      <sect2>
+        <title>Informing the Servers of the Key's Existence</title>
+        <para>
+          Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis>
+          are
+          both servers. The following is added to each server's <filename>named.conf</filename> file:
+        </para>
+
 <programlisting>
 key host1-host2. {
   algorithm hmac-md5;
   secret "La/E5CjG9O+os1jq0a2jdA==";
 };
 </programlisting>
-<para>The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
-The secret is the one generated above. Since this is a secret, it
-is recommended that either <filename>named.conf</filename> be non-world
-readable, or the key directive be added to a non-world readable
-file that is included by <filename>named.conf</filename>.</para>
-<para>At this point, the key is recognized. This means that if the
-server receives a message signed by this key, it can verify the
-signature. If the signature is successfully verified, the
-response is signed by the same key.</para></sect2>
-
-<sect2><title>Instructing the Server to Use the Key</title>
-<para>Since keys are shared between two hosts only, the server must
-be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
-for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
-10.1.2.3:</para>
+
+        <para>
+          The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
+          The secret is the one generated above. Since this is a secret, it
+          is recommended that either <filename>named.conf</filename> be non-world
+          readable, or the key directive be added to a non-world readable
+          file that is included by
+          <filename>named.conf</filename>.
+        </para>
+        <para>
+          At this point, the key is recognized. This means that if the
+          server receives a message signed by this key, it can verify the
+          signature. If the signature is successfully verified, the
+          response is signed by the same key.
+        </para>
+      </sect2>
+
+      <sect2>
+        <title>Instructing the Server to Use the Key</title>
+        <para>
+          Since keys are shared between two hosts only, the server must
+          be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
+          for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
+          10.1.2.3:
+        </para>
+
 <programlisting>
 server 10.1.2.3 {
   keys { host1-host2. ;};
 };
 </programlisting>
-<para>Multiple keys may be present, but only the first is used.
-This directive does not contain any secrets, so it may be in a world-readable
-file.</para>
-<para>If <emphasis>host1</emphasis> sends a message that is a request
-to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
-expect any responses to signed messages to be signed with the same
-key.</para>
-<para>A similar statement must be present in <emphasis>host2</emphasis>'s
-configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
-sign request messages to <emphasis>host1</emphasis>.</para></sect2>
-<sect2><title>TSIG Key Based Access Control</title>
-<para><acronym>BIND</acronym> allows IP addresses and ranges to be specified in ACL
-definitions and
-<command>allow-{ query | transfer | update }</command> directives.
-This has been extended to allow TSIG keys also. The above key would
-be denoted <command>key host1-host2.</command></para>
-<para>An example of an allow-update directive would be:</para>
+
+        <para>
+          Multiple keys may be present, but only the first is used.
+          This directive does not contain any secrets, so it may be in a
+          world-readable
+          file.
+        </para>
+        <para>
+          If <emphasis>host1</emphasis> sends a message that is a request
+          to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
+          expect any responses to signed messages to be signed with the same
+          key.
+        </para>
+        <para>
+          A similar statement must be present in <emphasis>host2</emphasis>'s
+          configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
+          sign request messages to <emphasis>host1</emphasis>.
+        </para>
+      </sect2>
+      <sect2>
+        <title>TSIG Key Based Access Control</title>
+        <para>
+          <acronym>BIND</acronym> allows IP addresses and ranges
+          to be specified in ACL
+          definitions and
+          <command>allow-{ query | transfer | update }</command>
+          directives.
+          This has been extended to allow TSIG keys also. The above key would
+          be denoted <command>key host1-host2.</command>
+        </para>
+        <para>
+          An example of an allow-update directive would be:
+        </para>
+
 <programlisting>
 allow-update { key host1-host2. ;};
 </programlisting>
 
-      <para>This allows dynamic updates to succeed only if the request
-      was signed by a key named
-      "<command>host1-host2.</command>".</para> <para>You may want to read about the more
-      powerful <command>update-policy</command> statement in <xref
-      linkend="dynamic_update_policies"/>.</para>
-
-    </sect2>
-    <sect2>
-      <title>Errors</title>
-
-      <para>The processing of TSIG signed messages can result in
-      several errors. If a signed message is sent to a non-TSIG
-      aware server, a FORMERR (format error) will be returned, since
-      the server will not understand the record. This is a result
-      of misconfiguration, since the server must be explicitly
-      configured to send a TSIG signed message to a specific
-      server.</para>
-
-      <para>If a TSIG aware server receives a message signed by an
-      unknown key, the response will be unsigned with the TSIG
-      extended error code set to BADKEY. If a TSIG aware server
-      receives a message with a signature that does not validate, the
-      response will be unsigned with the TSIG extended error code set
-      to BADSIG. If a TSIG aware server receives a message with a time
-      outside of the allowed range, the response will be signed with
-      the TSIG extended error code set to BADTIME, and the time values
-      will be adjusted so that the response can be successfully
-      verified. In any of these cases, the message's rcode is set to
-      NOTAUTH (not authenticated).</para>
-
-    </sect2>
-  </sect1>
-  <sect1>
-    <title>TKEY</title>
-
-    <para><command>TKEY</command> is a mechanism for automatically
-    generating a shared secret between two hosts.  There are several
-    "modes" of <command>TKEY</command> that specify how the key is
-    generated or assigned.  <acronym>BIND</acronym> 9
-    implements only one of these modes,
-    the Diffie-Hellman key exchange.  Both hosts are required to have
-    a Diffie-Hellman KEY record (although this record is not required
-    to be present in a zone).  The <command>TKEY</command> process
-    must use signed messages, signed either by TSIG or SIG(0).  The
-    result of <command>TKEY</command> is a shared secret that can be
-    used to sign messages with TSIG.  <command>TKEY</command> can also
-    be used to delete shared secrets that it had previously
-    generated.</para>
-
-    <para>The <command>TKEY</command> process is initiated by a client
-    or server by sending a signed <command>TKEY</command> query
-    (including any appropriate KEYs) to a TKEY-aware server.  The
-    server response, if it indicates success, will contain a
-    <command>TKEY</command> record and any appropriate keys.  After
-    this exchange, both participants have enough information to
-    determine the shared secret; the exact process depends on the
-    <command>TKEY</command> mode.  When using the Diffie-Hellman
-    <command>TKEY</command> mode, Diffie-Hellman keys are exchanged,
-    and the shared secret is derived by both participants.</para>
-  
-  </sect1>
-  <sect1>
-    <title>SIG(0)</title>
-
-    <para><acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
-    transaction signatures as specified in RFC 2535 and RFC2931.  SIG(0)
-    uses public/private keys to authenticate messages.  Access control
-    is performed in the same manner as TSIG keys; privileges can be
-    granted or denied based on the key name.</para>
-
-    <para>When a SIG(0) signed message is received, it will only be
-    verified if the key is known and trusted by the server; the server
-    will not attempt to locate and / or validate the key.</para>
-
-    <para>SIG(0) signing of multiple-message TCP streams is not
-    supported.</para>
-
-    <para>The only tool shipped with <acronym>BIND</acronym> 9 that
-    generates SIG(0) signed messages is <command>nsupdate</command>.</para>
-
-  </sect1>
-  <sect1 id="DNSSEC">
-    <title>DNSSEC</title>
-
-    <para>Cryptographic authentication of DNS information is possible
-    through the DNS Security (<emphasis>DNSSEC-bis</emphasis>)
-    extensions, defined in RFC 4033, RFC4034 and RFC4035.  This
-    section describes the creation and use of DNSSEC signed
-    zones.</para>
-
-    <para>In order to set up a DNSSEC secure zone, there are a series
-    of steps which must be followed.  <acronym>BIND</acronym> 9 ships
-    with several tools
-    that are used in this process, which are explained in more detail
-    below.  In all cases, the <option>-h</option> option prints a
-    full list of parameters.  Note that the DNSSEC tools require the
-    keyset files to be in the working directory or the
-    directory specified by the <option>-h</option> option, and
-    that the tools shipped with BIND 9.2.x and earlier are not compatible
-    with the current ones.</para>
-
-    <para>There must also be communication with the administrators of
-    the parent and/or child zone to transmit keys.  A zone's security
-    status must be indicated by the parent zone for a DNSSEC capable 
-    resolver to trust its data.  This is done through the presence
-    or absence of a <literal>DS</literal> record at the delegation
-    point.</para>
-
-    <para>For other servers to trust data in this zone, they must
-    either be statically configured with this zone's zone key or the
-    zone key of another zone above this one in the DNS tree.</para>
-
-    <sect2>
-      <title>Generating Keys</title>
-
-      <para>The <command>dnssec-keygen</command> program is used to
-      generate keys.</para>
-
-      <para>A secure zone must contain one or more zone keys.  The
-      zone keys will sign all other records in the zone, as well as
-      the zone keys of any secure delegated zones.  Zone keys must
-      have the same name as the zone, a name type of
-      <command>ZONE</command>, and must be usable for authentication.
-      It is recommended that zone keys use a cryptographic algorithm
-      designated as "mandatory to implement" by the IETF; currently
-      the only one is RSASHA1.</para>
-
-      <para>The following command will generate a 768-bit RSASHA1 key for
-      the <filename>child.example</filename> zone:</para>
-
-      <para><userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput></para>
-
-      <para>Two output files will be produced:
-      <filename>Kchild.example.+005+12345.key</filename> and
-      <filename>Kchild.example.+005+12345.private</filename> (where
-      12345 is an example of a key tag).  The key file names contain
-      the key name (<filename>child.example.</filename>), algorithm (3
-      is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
-      The private key (in the <filename>.private</filename> file) is
-      used to generate signatures, and the public key (in the
-      <filename>.key</filename> file) is used for signature
-      verification.</para>
-
-      <para>To generate another key with the same properties (but with
-      a different key tag), repeat the above command.</para>
-
-      <para>The public keys should be inserted into the zone file by
-      including the <filename>.key</filename> files using
-      <command>$INCLUDE</command> statements.
+        <para>
+          This allows dynamic updates to succeed only if the request
+          was signed by a key named
+          "<command>host1-host2.</command>".
+        </para>
+	<para>
+          You may want to read about the more
+          powerful <command>update-policy</command> statement in <xref linkend="dynamic_update_policies"/>.
+        </para>
+
+      </sect2>
+      <sect2>
+        <title>Errors</title>
+
+        <para>
+          The processing of TSIG signed messages can result in
+          several errors. If a signed message is sent to a non-TSIG aware
+          server, a FORMERR (format error) will be returned, since the server will not
+          understand the record. This is a result of misconfiguration,
+          since the server must be explicitly configured to send a TSIG
+          signed message to a specific server.
+        </para>
+
+        <para>
+          If a TSIG aware server receives a message signed by an
+          unknown key, the response will be unsigned with the TSIG
+          extended error code set to BADKEY. If a TSIG aware server
+          receives a message with a signature that does not validate, the
+          response will be unsigned with the TSIG extended error code set
+          to BADSIG. If a TSIG aware server receives a message with a time
+          outside of the allowed range, the response will be signed with
+          the TSIG extended error code set to BADTIME, and the time values
+          will be adjusted so that the response can be successfully
+          verified. In any of these cases, the message's rcode is set to
+          NOTAUTH (not authenticated).
+        </para>
+
+      </sect2>
+    </sect1>
+    <sect1>
+      <title>TKEY</title>
+
+      <para><command>TKEY</command>
+        is a mechanism for automatically generating a shared secret
+        between two hosts.  There are several "modes" of
+        <command>TKEY</command> that specify how the key is generated
+        or assigned.  <acronym>BIND</acronym> 9 implements only one of
+        these modes, the Diffie-Hellman key exchange.  Both hosts are
+        required to have a Diffie-Hellman KEY record (although this
+        record is not required to be present in a zone).  The
+        <command>TKEY</command> process must use signed messages,
+        signed either by TSIG or SIG(0).  The result of
+        <command>TKEY</command> is a shared secret that can be used to
+        sign messages with TSIG.  <command>TKEY</command> can also be
+        used to delete shared secrets that it had previously
+        generated.
       </para>
 
-    </sect2>
-    <sect2>
-      <title>Signing the Zone</title>
+      <para>
+        The <command>TKEY</command> process is initiated by a
+        client
+        or server by sending a signed <command>TKEY</command>
+        query
+        (including any appropriate KEYs) to a TKEY-aware server.  The
+        server response, if it indicates success, will contain a
+        <command>TKEY</command> record and any appropriate keys.
+        After
+        this exchange, both participants have enough information to
+        determine the shared secret; the exact process depends on the
+        <command>TKEY</command> mode.  When using the
+        Diffie-Hellman
+        <command>TKEY</command> mode, Diffie-Hellman keys are
+        exchanged,
+        and the shared secret is derived by both participants.
+      </para>
 
-      <para>The <command>dnssec-signzone</command> program is used to
-      sign a zone.</para>
+    </sect1>
+    <sect1>
+      <title>SIG(0)</title>
 
-      <para>Any <filename>keyset</filename> files corresponding
-      to secure subzones should be present.  The zone signer will
-      generate <literal>NSEC</literal> and <literal>RRSIG</literal>
-      records for the zone, as well as <literal>DS</literal> for
-      the child zones if <literal>'-d'</literal> is specified.
-      If <literal>'-d'</literal> is not specified, then DS RRsets for
-      the secure child zones need to be added manually.</para>
+      <para>
+        <acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
+            transaction signatures as specified in RFC 2535 and RFC2931.
+        SIG(0)
+        uses public/private keys to authenticate messages.  Access control
+        is performed in the same manner as TSIG keys; privileges can be
+        granted or denied based on the key name.
+      </para>
 
-      <para>The following command signs the zone, assuming it is in a
-      file called <filename>zone.child.example</filename>.  By
-      default, all zone keys which have an available private key are
-      used to generate signatures.</para>
+      <para>
+        When a SIG(0) signed message is received, it will only be
+        verified if the key is known and trusted by the server; the server
+        will not attempt to locate and/or validate the key.
+      </para>
 
-<para><userinput>dnssec-signzone -o child.example zone.child.example</userinput></para>
+      <para>
+        SIG(0) signing of multiple-message TCP streams is not
+        supported.
+      </para>
 
-      <para>One output file is produced:
-      <filename>zone.child.example.signed</filename>.  This file
-      should be referenced by <filename>named.conf</filename> as the
-      input file for the zone.</para>
+      <para>
+        The only tool shipped with <acronym>BIND</acronym> 9 that
+        generates SIG(0) signed messages is <command>nsupdate</command>.
+      </para>
 
-      <para><command>dnssec-signzone</command> will also produce a
-      keyset and dsset files and optionally a dlvset file.  These
-      are used to provide the parent zone administators with the
-      <literal>DNSKEYs</literal> (or their corresponding <literal>DS</literal>
-      records) that are the secure entry point to the zone.</para>
+    </sect1>
+    <sect1 id="DNSSEC">
+      <title>DNSSEC</title>
 
-    </sect2>
+      <para>
+        Cryptographic authentication of DNS information is possible
+        through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
+        defined in RFC 4033, RFC 4034 and RFC 4035.
+	This section describes the creation and use of DNSSEC signed zones.
+      </para>
+
+      <para>
+        In order to set up a DNSSEC secure zone, there are a series
+        of steps which must be followed.  <acronym>BIND</acronym>
+        9 ships
+        with several tools
+        that are used in this process, which are explained in more detail
+        below.  In all cases, the <option>-h</option> option prints a
+        full list of parameters.  Note that the DNSSEC tools require the
+        keyset files to be in the working directory or the
+        directory specified by the <option>-d</option> option, and
+        that the tools shipped with BIND 9.2.x and earlier are not compatible
+        with the current ones.
+      </para>
 
-<sect2><title>Configuring Servers</title>
+      <para>
+        There must also be communication with the administrators of
+        the parent and/or child zone to transmit keys.  A zone's security
+        status must be indicated by the parent zone for a DNSSEC capable
+        resolver to trust its data.  This is done through the presence
+        or absence of a <literal>DS</literal> record at the
+        delegation
+        point.
+      </para>
+
+      <para>
+        For other servers to trust data in this zone, they must
+        either be statically configured with this zone's zone key or the
+        zone key of another zone above this one in the DNS tree.
+      </para>
+
+      <sect2>
+        <title>Generating Keys</title>
+
+        <para>
+          The <command>dnssec-keygen</command> program is used to
+          generate keys.
+        </para>
+
+        <para>
+          A secure zone must contain one or more zone keys.  The
+          zone keys will sign all other records in the zone, as well as
+          the zone keys of any secure delegated zones.  Zone keys must
+          have the same name as the zone, a name type of
+          <command>ZONE</command>, and must be usable for
+          authentication.
+          It is recommended that zone keys use a cryptographic algorithm
+          designated as "mandatory to implement" by the IETF; currently
+          the only one is RSASHA1.
+        </para>
+
+        <para>
+          The following command will generate a 768-bit RSASHA1 key for
+          the <filename>child.example</filename> zone:
+        </para>
+
+        <para>
+          <userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput>
+        </para>
+
+        <para>
+          Two output files will be produced:
+          <filename>Kchild.example.+005+12345.key</filename> and
+          <filename>Kchild.example.+005+12345.private</filename>
+          (where
+          12345 is an example of a key tag).  The key file names contain
+          the key name (<filename>child.example.</filename>),
+          algorithm (3
+          is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
+          this case).
+          The private key (in the <filename>.private</filename>
+          file) is
+          used to generate signatures, and the public key (in the
+          <filename>.key</filename> file) is used for signature
+          verification.
+        </para>
+
+        <para>
+          To generate another key with the same properties (but with
+          a different key tag), repeat the above command.
+        </para>
+
+        <para>
+          The public keys should be inserted into the zone file by
+          including the <filename>.key</filename> files using
+          <command>$INCLUDE</command> statements.
+        </para>
+
+      </sect2>
+      <sect2>
+        <title>Signing the Zone</title>
+
+        <para>
+          The <command>dnssec-signzone</command> program is used
+          to
+          sign a zone.
+        </para>
+
+        <para>
+          Any <filename>keyset</filename> files corresponding
+          to secure subzones should be present.  The zone signer will
+          generate <literal>NSEC</literal> and <literal>RRSIG</literal>
+          records for the zone, as well as <literal>DS</literal>
+          for
+          the child zones if <literal>'-d'</literal> is specified.
+                If <literal>'-d'</literal> is not specified, then
+          DS RRsets for
+          the secure child zones need to be added manually.
+        </para>
+
+        <para>
+          The following command signs the zone, assuming it is in a
+          file called <filename>zone.child.example</filename>.  By
+                default, all zone keys which have an available private key are
+                used to generate signatures.
+        </para>
+
+        <para>
+          <userinput>dnssec-signzone -o child.example zone.child.example</userinput>
+        </para>
+
+        <para>
+          One output file is produced:
+          <filename>zone.child.example.signed</filename>.  This
+          file
+          should be referenced by <filename>named.conf</filename>
+          as the
+          input file for the zone.
+        </para>
+
+        <para><command>dnssec-signzone</command>
+	  will also produce a keyset and dsset files and optionally a
+          dlvset file.  These are used to provide the parent zone
+          administators with the <literal>DNSKEYs</literal> (or their
+          corresponding <literal>DS</literal> records) that are the
+          secure entry point to the zone.
+        </para>
+
+      </sect2>
+
+      <sect2>
+        <title>Configuring Servers</title>
 
 	<para>
 	  To enable <command>named</command> to respond appropriately
 	  to DNS requests from DNSSEC aware clients,
 	  <command>dnssec-enable</command> must be set to yes.
-          </para>
-  
+        </para>
+
 	<para>
 	  To enable <command>named</command> to validate answers from
-	  other servers <command>dnssec-enable</command> and
-	  some <command>trusted-keys</command> must be configured
+	  other servers both <command>dnssec-enable</command> and
+	  <command>dnssec-validate</command> must be set and some
+	  <command>trusted-keys</command> must be configured
 	  into <filename>named.conf</filename>.
-          </para>
-
+        </para>
+	  
 	<para>
 	  <command>trusted-keys</command> are copies of DNSKEY RRs
 	  for zones that are used to form the first link in the
@@ -1658,6 +2493,7 @@ example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
 options {
 	...
 	dnssec-enable yes;
+	dnssec-validation yes;
 };
 </programlisting>
 
@@ -1666,710 +2502,1168 @@ options {
 	  the root key is not valid.
 	</note>
 
-</sect2>
-
-</sect1>
-  <sect1>
-    <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
-
-    <para><acronym>BIND</acronym> 9 fully supports all currently defined forms of IPv6
-    name to address and address to name lookups.  It will also use
-    IPv6 addresses to make queries when running on an IPv6 capable
-    system.</para>
-
-    <para>For forward lookups, <acronym>BIND</acronym> 9 supports only AAAA
-    records.  The use of A6 records is deprecated by RFC 3363, and the
-    support for forward lookups in <acronym>BIND</acronym> 9 is
-    removed accordingly.
-    However, authoritative <acronym>BIND</acronym> 9 name servers still
-    load zone files containing A6 records correctly, answer queries
-    for A6 records, and accept zone transfer for a zone containing A6
-    records.</para>
-
-    <para>For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
-    the traditional "nibble" format used in the
-    <emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
-    <emphasis>ip6.int</emphasis> domain.
-    <acronym>BIND</acronym> 9 formerly
-    supported the "binary label" (also known as "bitstring") format.
-    The support of binary labels, however, is now completely removed
-    according to the changes in RFC 3363.
-    Any applications in <acronym>BIND</acronym> 9 do not understand
-    the format any more, and will return an error if given.
-    In particular, an authoritative <acronym>BIND</acronym> 9 name
-    server rejects to load a zone file containing binary labels.</para>
-
-    <para>For an overview of the format and structure of IPv6 addresses,
-    see <xref linkend="ipv6addresses"/>.</para>
-
-    <sect2>
-      <title>Address Lookups Using AAAA Records</title>
-
-      <para>The AAAA record is a parallel to the IPv4 A record.  It
-      specifies the entire address in a single record.  For
-      example,</para>
+      </sect2>
+
+    </sect1>
+    <sect1>
+      <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
+
+      <para>
+        <acronym>BIND</acronym> 9 fully supports all currently
+        defined forms of IPv6
+        name to address and address to name lookups.  It will also use
+        IPv6 addresses to make queries when running on an IPv6 capable
+        system.
+      </para>
+
+      <para>
+        For forward lookups, <acronym>BIND</acronym> 9 supports
+        only AAAA records.  RFC 3363 deprecated the use of A6 records,
+        and client-side support for A6 records was accordingly removed
+        from <acronym>BIND</acronym> 9.
+        However, authoritative <acronym>BIND</acronym> 9 name servers still
+        load zone files containing A6 records correctly, answer queries
+        for A6 records, and accept zone transfer for a zone containing A6
+        records.
+      </para>
+
+      <para>
+        For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
+        the traditional "nibble" format used in the
+        <emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
+        <emphasis>ip6.int</emphasis> domain.
+        Older versions of <acronym>BIND</acronym> 9 
+        supported the "binary label" (also known as "bitstring") format,
+        but support of binary labels has been completely removed per
+        RFC 3363.
+        Many applications in <acronym>BIND</acronym> 9 do not understand
+        the binary label format at all any more, and will return an
+        error if given.
+	In particular, an authoritative <acronym>BIND</acronym> 9
+        name server will not load a zone file containing binary labels.
+      </para>
+
+      <para>
+        For an overview of the format and structure of IPv6 addresses,
+        see <xref linkend="ipv6addresses"/>.
+      </para>
+
+      <sect2>
+        <title>Address Lookups Using AAAA Records</title>
+
+        <para>
+          The IPv6 AAAA record is a parallel to the IPv4 A record,
+          and, unlike the deprecated A6 record, specifies the entire
+          IPv6 address in a single record.  For example,
+        </para>
 
 <programlisting>
 $ORIGIN example.com.
 host            3600    IN      AAAA    2001:db8::1
 </programlisting>
 
-        <para>It is recommended that IPv4-in-IPv6 mapped addresses not
-        be used.  If a host has an IPv4 address, use an A record, not
-        a AAAA, with <literal>::ffff:192.168.42.1</literal> as the
-        address.</para>
-    </sect2>
-    <sect2>
-      <title>Address to Name Lookups Using Nibble Format</title>
-
-      <para>When looking up an address in nibble format, the address
-      components are simply reversed, just as in IPv4, and
-      <literal>ip6.arpa.</literal> is appended to the resulting name.
-      For example, the following would provide reverse name lookup for
-      a host with address
-      <literal>2001:db8::1</literal>.</para>
+        <para>
+          Use of IPv4-in-IPv6 mapped addresses is not recommended.
+	  If a host has an IPv4 address, use an A record, not
+          a AAAA, with <literal>::ffff:192.168.42.1</literal> as
+          the address.
+        </para>
+      </sect2>
+      <sect2>
+        <title>Address to Name Lookups Using Nibble Format</title>
+
+        <para>
+          When looking up an address in nibble format, the address
+          components are simply reversed, just as in IPv4, and
+          <literal>ip6.arpa.</literal> is appended to the
+          resulting name.
+          For example, the following would provide reverse name lookup for
+          a host with address
+          <literal>2001:db8::1</literal>.
+        </para>
 
 <programlisting>
 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   14400 IN      PTR     host.example.com.
 </programlisting>
-    </sect2>
-  </sect1>
+
+      </sect2>
+    </sect1>
+  </chapter>
+
+  <chapter id="Bv9ARM.ch05">
+    <title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
+    <sect1>
+      <title>The Lightweight Resolver Library</title>
+      <para>
+        Traditionally applications have been linked with a stub resolver
+        library that sends recursive DNS queries to a local caching name
+        server.
+      </para>
+      <para>
+        IPv6 once introduced new complexity into the resolution process,
+        such as following A6 chains and DNAME records, and simultaneous
+        lookup of IPv4 and IPv6 addresses.  Though most of the complexity was
+        then removed, these are hard or impossible
+        to implement in a traditional stub resolver.
+      </para>
+      <para>
+        <acronym>BIND</acronym> 9 therefore can also provide resolution
+        services to local clients
+        using a combination of a lightweight resolver library and a resolver
+        daemon process running on the local host.  These communicate using
+        a simple UDP-based protocol, the "lightweight resolver protocol"
+        that is distinct from and simpler than the full DNS protocol.
+      </para>
+    </sect1>
+    <sect1 id="lwresd">
+      <title>Running a Resolver Daemon</title>
+
+      <para>
+        To use the lightweight resolver interface, the system must
+        run the resolver daemon <command>lwresd</command> or a
+        local
+        name server configured with a <command>lwres</command>
+        statement.
+      </para>
+
+      <para>
+        By default, applications using the lightweight resolver library will
+        make
+        UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
+        The
+        address can be overridden by <command>lwserver</command>
+        lines in
+        <filename>/etc/resolv.conf</filename>.
+      </para>
+
+      <para>
+        The daemon currently only looks in the DNS, but in the future
+        it may use other sources such as <filename>/etc/hosts</filename>,
+        NIS, etc.
+      </para>
+
+      <para>
+        The <command>lwresd</command> daemon is essentially a
+        caching-only name server that responds to requests using the
+        lightweight
+        resolver protocol rather than the DNS protocol.  Because it needs
+        to run on each host, it is designed to require no or minimal
+        configuration.
+        Unless configured otherwise, it uses the name servers listed on
+        <command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
+        as forwarders, but is also capable of doing the resolution
+        autonomously if
+        none are specified.
+      </para>
+      <para>
+        The <command>lwresd</command> daemon may also be
+        configured with a
+        <filename>named.conf</filename> style configuration file,
+        in
+        <filename>/etc/lwresd.conf</filename> by default.  A name
+        server may also
+        be configured to act as a lightweight resolver daemon using the
+        <command>lwres</command> statement in <filename>named.conf</filename>.
+      </para>
+
+    </sect1>
   </chapter>
 
-  <chapter id="Bv9ARM.ch05"><title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
-<sect1><title>The Lightweight Resolver Library</title>
-<para>Traditionally applications have been linked with a stub resolver
-library that sends recursive DNS queries to a local caching name
-server.</para>
-<para>IPv6 once introduced new complexity into the resolution process,
-such as following A6 chains and DNAME records, and simultaneous
-lookup of IPv4 and IPv6 addresses.  Though most of the complexity was
-then removed, these are hard or impossible
-to implement in a traditional stub resolver.</para>
-<para>Instead, <acronym>BIND</acronym> 9 provides resolution services to local clients
-using a combination of a lightweight resolver library and a resolver
-daemon process running on the local host.  These communicate using
-a simple UDP-based protocol, the "lightweight resolver protocol"
-that is distinct from and simpler than the full DNS protocol.</para></sect1>
-<sect1 id="lwresd"><title>Running a Resolver Daemon</title>
-
-<para>To use the lightweight resolver interface, the system must
-run the resolver daemon <command>lwresd</command> or a local
-name server configured with a <command>lwres</command> statement.</para>
-
-<para>By default, applications using the lightweight resolver library will make
-UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.  The
-address can be overridden by <command>lwserver</command> lines in
-<filename>/etc/resolv.conf</filename>.</para>
-
-<para>The daemon currently only looks in the DNS, but in the future
-it may use other sources such as <filename>/etc/hosts</filename>,
-NIS, etc.</para>
-
-<para>The <command>lwresd</command> daemon is essentially a
-caching-only name server that responds to requests using the lightweight
-resolver protocol rather than the DNS protocol.  Because it needs
-to run on each host, it is designed to require no or minimal configuration.
-Unless configured otherwise, it uses the name servers listed on
-<command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
-as forwarders, but is also capable of doing the resolution autonomously if
-none are specified.</para>
-<para>The <command>lwresd</command> daemon may also be configured with a
-<filename>named.conf</filename> style configuration file, in
-<filename>/etc/lwresd.conf</filename> by default.  A name server may also
-be configured to act as a lightweight resolver daemon using the
-<command>lwres</command> statement in <filename>named.conf</filename>.</para>
-
-</sect1></chapter>
-
-<chapter id="Bv9ARM.ch06"><title><acronym>BIND</acronym> 9 Configuration Reference</title>
-
-<para><acronym>BIND</acronym> 9 configuration is broadly similar
-to <acronym>BIND</acronym> 8; however, there are a few new areas
-of configuration, such as views. <acronym>BIND</acronym>
-8 configuration files should work with few alterations in <acronym>BIND</acronym>
-9, although more complex configurations should be reviewed to check
-if they can be more efficiently implemented using the new features
-found in <acronym>BIND</acronym> 9.</para>
-
-<para><acronym>BIND</acronym> 4 configuration files can be converted to the new format
-using the shell script
-<filename>contrib/named-bootconf/named-bootconf.sh</filename>.</para>
-<sect1 id="configuration_file_elements"><title>Configuration File Elements</title>
-<para>Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
-file documentation:</para>
-<informaltable colsep = "0"  rowsep = "0"><tgroup cols = "2"
-    colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.855in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.770in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>acl_name</varname></para></entry>
-<entry colname = "2"><para>The name of an <varname>address_match_list</varname> as
-defined by the <command>acl</command> statement.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>address_match_list</varname></para></entry>
-<entry colname = "2"><para>A list of one or more <varname>ip_addr</varname>, 
-<varname>ip_prefix</varname>, <varname>key_id</varname>, 
-or <varname>acl_name</varname> elements, see
-<xref linkend="address_match_lists"/>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>domain_name</varname></para></entry>
-<entry colname = "2"><para>A quoted string which will be used as
-a DNS name, for example "<literal>my.test.domain</literal>".</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>dotted_decimal</varname></para></entry>
-<entry colname = "2"><para>One to four integers valued 0 through
-255 separated by dots (`.'), such as <command>123</command>, 
-<command>45.67</command> or <command>89.123.45.67</command>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip4_addr</varname></para></entry>
-<entry colname = "2"><para>An IPv4 address with exactly four elements
-in <varname>dotted_decimal</varname> notation.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip6_addr</varname></para></entry>
-<entry colname = "2"><para>An IPv6 address, such as <command>2001:db8::1234</command>.
-IPv6 scoped addresses that have ambiguity on their scope zones must be
-disambiguated by an appropriate zone ID with the percent character
-(`%') as delimiter.
-It is strongly recommended to use string zone names rather than
-numeric identifiers, in order to be robust against system
-configuration changes.
-However, since there is no standard mapping for such names and
-identifier values, currently only interface names as link identifiers
-are supported, assuming one-to-one mapping between interfaces and links.
-For example, a link-local address <command>fe80::1</command> on the
-link attached to the interface <command>ne0</command>
-can be specified as <command>fe80::1%ne0</command>.
-Note that on most systems link-local addresses always have the
-ambiguity, and need to be disambiguated.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip_addr</varname></para></entry>
-<entry colname = "2"><para>An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip_port</varname></para></entry>
-<entry colname = "2"><para>An IP port <varname>number</varname>.
-<varname>number</varname> is limited to 0 through 65535, with values
-below 1024 typically restricted to use by processes running as root.
-In some cases, an asterisk (`*') character can be used as a placeholder to
-select a random high-numbered port.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip_prefix</varname></para></entry>
-<entry colname = "2"><para>An IP network specified as an <varname>ip_addr</varname>,
-followed by a slash (`/') and then the number of bits in the netmask.
-Trailing zeros in a <varname>ip_addr</varname> may omitted.
-For example, <command>127/8</command> is the network <command>127.0.0.0</command> with
-netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
-network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>key_id</varname></para></entry>
-<entry colname = "2"><para>A <varname>domain_name</varname> representing
-the name of a shared key, to be used for transaction security.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>key_list</varname></para></entry>
-<entry colname = "2"><para>A list of one or more <varname>key_id</varname>s,
-separated by semicolons and ending with a semicolon.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>number</varname></para></entry>
-<entry colname = "2"><para>A non-negative 32-bit integer
-(i.e., a number between 0 and 4294967295, inclusive).
-Its acceptable value might further
-be limited by the context in which it is used.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>path_name</varname></para></entry>
-<entry colname = "2"><para>A quoted string which will be used as
-a pathname, such as <filename>zones/master/my.test.domain</filename>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>size_spec</varname></para></entry>
-<entry colname = "2"><para>A number, the word <userinput>unlimited</userinput>,
-or the word <userinput>default</userinput>.</para><para>
-An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
-use, or the maximum available amount. A <varname>default size_spec</varname> uses
-the limit that was in force when the server was started.</para><para>A <varname>number</varname> can
-optionally be followed by a scaling factor: <userinput>K</userinput> or <userinput>k</userinput> for
-kilobytes, <userinput>M</userinput> or <userinput>m</userinput> for
-megabytes, and <userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
-which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</para>
-<para>The value must be representable as a 64-bit unsigned integer
-(0 to 18446744073709551615, inclusive).
-Using <varname>unlimited</varname> is the best way
-to safely set a really large number.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>yes_or_no</varname></para></entry>
-<entry colname = "2"><para>Either <userinput>yes</userinput> or <userinput>no</userinput>.
-The words <userinput>true</userinput> and <userinput>false</userinput> are
-also accepted, as are the numbers <userinput>1</userinput> and <userinput>0</userinput>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>dialup_option</varname></para></entry>
-<entry colname = "2"><para>One of <userinput>yes</userinput>,
-<userinput>no</userinput>, <userinput>notify</userinput>,
-<userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
-<userinput>passive</userinput>.
-When used in a zone, <userinput>notify-passive</userinput>,
-<userinput>refresh</userinput>, and <userinput>passive</userinput>
-are restricted to slave and stub zones.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<sect2 id="address_match_lists"><title>Address Match Lists</title>
-<sect3><title>Syntax</title>
-        <programlisting><varname>address_match_list</varname> = address_match_list_element ;
+  <chapter id="Bv9ARM.ch06">
+    <title><acronym>BIND</acronym> 9 Configuration Reference</title>
+
+    <para>
+      <acronym>BIND</acronym> 9 configuration is broadly similar
+      to <acronym>BIND</acronym> 8; however, there are a few new
+      areas
+      of configuration, such as views. <acronym>BIND</acronym>
+      8 configuration files should work with few alterations in <acronym>BIND</acronym>
+      9, although more complex configurations should be reviewed to check
+      if they can be more efficiently implemented using the new features
+      found in <acronym>BIND</acronym> 9.
+    </para>
+
+    <para>
+      <acronym>BIND</acronym> 4 configuration files can be
+      converted to the new format
+      using the shell script
+      <filename>contrib/named-bootconf/named-bootconf.sh</filename>.
+    </para>
+    <sect1 id="configuration_file_elements">
+      <title>Configuration File Elements</title>
+      <para>
+        Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
+        file documentation:
+      </para>
+      <informaltable colsep="0" rowsep="0">
+        <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
+          <colspec colname="1" colnum="1" colsep="0" colwidth="1.855in"/>
+          <colspec colname="2" colnum="2" colsep="0" colwidth="3.770in"/>
+          <tbody>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>acl_name</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  The name of an <varname>address_match_list</varname> as
+                  defined by the <command>acl</command> statement.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>address_match_list</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  A list of one or more
+                  <varname>ip_addr</varname>,
+                  <varname>ip_prefix</varname>, <varname>key_id</varname>,
+                  or <varname>acl_name</varname> elements, see
+                  <xref linkend="address_match_lists"/>.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>masters_list</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  A named list of one or more <varname>ip_addr</varname>
+		  with optional <varname>key_id</varname> and/or
+		  <varname>ip_port</varname>.
+		  A <varname>masters_list</varname> may include other
+		  <varname>masters_lists</varname>.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>domain_name</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  A quoted string which will be used as
+                  a DNS name, for example "<literal>my.test.domain</literal>".
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>dotted_decimal</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  One to four integers valued 0 through
+                  255 separated by dots (`.'), such as <command>123</command>,
+                  <command>45.67</command> or <command>89.123.45.67</command>.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>ip4_addr</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  An IPv4 address with exactly four elements
+                  in <varname>dotted_decimal</varname> notation.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>ip6_addr</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  An IPv6 address, such as <command>2001:db8::1234</command>.
+                  IPv6 scoped addresses that have ambiguity on their scope
+                  zones must be
+                  disambiguated by an appropriate zone ID with the percent
+                  character
+                  (`%') as delimiter.
+                  It is strongly recommended to use string zone names rather
+                  than
+                  numeric identifiers, in order to be robust against system
+                  configuration changes.
+                  However, since there is no standard mapping for such names
+                  and
+                  identifier values, currently only interface names as link
+                  identifiers
+                  are supported, assuming one-to-one mapping between
+                  interfaces and links.
+                  For example, a link-local address <command>fe80::1</command> on the
+                  link attached to the interface <command>ne0</command>
+                  can be specified as <command>fe80::1%ne0</command>.
+                  Note that on most systems link-local addresses always have
+                  the
+                  ambiguity, and need to be disambiguated.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>ip_addr</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>ip_port</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  An IP port <varname>number</varname>.
+                  <varname>number</varname> is limited to 0
+                  through 65535, with values
+                  below 1024 typically restricted to use by processes running
+                  as root.
+                  In some cases, an asterisk (`*') character can be used as a
+                  placeholder to
+                  select a random high-numbered port.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>ip_prefix</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  An IP network specified as an <varname>ip_addr</varname>,
+                  followed by a slash (`/') and then the number of bits in the
+                  netmask.
+                  Trailing zeros in a <varname>ip_addr</varname>
+                  may omitted.
+                  For example, <command>127/8</command> is the
+                  network <command>127.0.0.0</command> with
+                  netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
+                  network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>key_id</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  A <varname>domain_name</varname> representing
+                  the name of a shared key, to be used for transaction
+                  security.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>key_list</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  A list of one or more
+                  <varname>key_id</varname>s,
+                  separated by semicolons and ending with a semicolon.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>number</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  A non-negative 32-bit integer
+                  (i.e., a number between 0 and 4294967295, inclusive).
+                  Its acceptable value might further
+                  be limited by the context in which it is used.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>path_name</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  A quoted string which will be used as
+                  a pathname, such as <filename>zones/master/my.test.domain</filename>.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>size_spec</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  A number, the word <userinput>unlimited</userinput>,
+                  or the word <userinput>default</userinput>.
+                </para>
+		<para>
+                  An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
+                  use, or the maximum available amount. A <varname>default size_spec</varname> uses
+                  the limit that was in force when the server was started.
+                </para>
+                <para>
+                  A <varname>number</varname> can optionally be
+		  followed by a scaling factor:
+		  <userinput>K</userinput> or <userinput>k</userinput>
+		  for kilobytes,
+		  <userinput>M</userinput> or <userinput>m</userinput>
+		  for megabytes, and
+		  <userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
+                  which scale by 1024, 1024*1024, and 1024*1024*1024
+                  respectively.
+                </para>
+                <para>
+                  The value must be representable as a 64-bit unsigned integer
+                  (0 to 18446744073709551615, inclusive).
+                  Using <varname>unlimited</varname> is the best
+                  way
+                  to safely set a really large number.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>yes_or_no</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  Either <userinput>yes</userinput> or <userinput>no</userinput>.
+                  The words <userinput>true</userinput> and <userinput>false</userinput> are
+                  also accepted, as are the numbers <userinput>1</userinput>
+                  and <userinput>0</userinput>.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
+                  <varname>dialup_option</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  One of <userinput>yes</userinput>,
+                  <userinput>no</userinput>, <userinput>notify</userinput>,
+                  <userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
+                  <userinput>passive</userinput>.
+                  When used in a zone, <userinput>notify-passive</userinput>,
+                  <userinput>refresh</userinput>, and <userinput>passive</userinput>
+                  are restricted to slave and stub zones.
+                </para>
+              </entry>
+            </row>
+          </tbody>
+        </tgroup>
+      </informaltable>
+      <sect2 id="address_match_lists">
+        <title>Address Match Lists</title>
+        <sect3>
+          <title>Syntax</title>
+
+<programlisting><varname>address_match_list</varname> = address_match_list_element ;
   <optional> address_match_list_element; ... </optional>
 <varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
    key key_id | acl_name | { address_match_list } )
 </programlisting>
-</sect3>
-<sect3><title>Definition and Usage</title>
-<para>Address match lists are primarily used to determine access
-control for various server operations. They are also used in
-the <command>listen-on</command> and <command>sortlist</command>
-statements. The elements
-which constitute an address match list can be any of the following:</para>
-<itemizedlist><listitem>
-            <simpara>an IP address (IPv4 or IPv6)</simpara></listitem>
-<listitem>
-            <simpara>an IP prefix (in `/' notation)</simpara></listitem>
-<listitem>
-            <simpara>a key ID, as defined by the <command>key</command> statement</simpara></listitem>
-<listitem>
-            <simpara>the name of an address match list defined with
-the <command>acl</command> statement</simpara></listitem>
-<listitem>
-            <simpara>a nested address match list enclosed in braces</simpara></listitem></itemizedlist>
-
-<para>Elements can be negated with a leading exclamation mark (`!'),
-and the match list names "any", "none", "localhost", and "localnets"
-are predefined. More information on those names can be found in
-the description of the acl statement.</para>
-
-<para>The addition of the key clause made the name of this syntactic
-element something of a misnomer, since security keys can be used
-to validate access without regard to a host or network address. Nonetheless,
-the term "address match list" is still used throughout the documentation.</para>
-
-<para>When a given IP address or prefix is compared to an address
-match list, the list is traversed in order until an element matches.
-The interpretation of a match depends on whether the list is being used
-for access control, defining listen-on ports, or in a sortlist,
-and whether the element was negated.</para>
-
-<para>When used as an access control list, a non-negated match allows
-access and a negated match denies access. If there is no match,
-access is denied. The clauses <command>allow-notify</command>,
-<command>allow-query</command>, <command>allow-transfer</command>,
-<command>allow-update</command>, <command>allow-update-forwarding</command>,
-and <command>blackhole</command> all
-use address match lists  this. Similarly, the listen-on option will cause
-the server to not accept queries on any of the machine's addresses
-which do not match the list.</para>
-
-<para>Because of the first-match aspect of the algorithm, an element
-that defines a subset of another element in the list should come
-before the broader element, regardless of whether either is negated. For
-example, in
-<command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13 element is
-completely useless because the algorithm will match any lookup for
-1.2.3.13 to the 1.2.3/24 element.
-Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
-that problem by having 1.2.3.13 blocked by the negation but all
-other 1.2.3.* hosts fall through.</para>
-</sect3>
-</sect2>
-
-<sect2>
-<title>Comment Syntax</title>
-
-<para>The <acronym>BIND</acronym> 9 comment syntax allows for comments to appear
-anywhere that white space may appear in a <acronym>BIND</acronym> configuration
-file. To appeal to programmers of all kinds, they can be written
-in the C, C++, or shell/perl style.</para>
-
-<sect3>
-<title>Syntax</title>
-
-<para><programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
-<programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
-<programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
-      </para>
-      </sect3>
-      <sect3>
-        <title>Definition and Usage</title>
-<para>Comments may appear anywhere that white space may appear in
-a <acronym>BIND</acronym> configuration file.</para>
-<para>C-style comments start with the two characters /* (slash,
-star) and end with */ (star, slash). Because they are completely
-delimited with these characters, they can be used to comment only
-a portion of a line or to span multiple lines.</para>
-<para>C-style comments cannot be nested. For example, the following
-is not valid because the entire comment ends with the first */:</para>
-        <para><programlisting>/* This is the start of a comment.
+
+        </sect3>
+        <sect3>
+          <title>Definition and Usage</title>
+          <para>
+            Address match lists are primarily used to determine access
+            control for various server operations. They are also used in
+            the <command>listen-on</command> and <command>sortlist</command>
+            statements. The elements
+            which constitute an address match list can be any of the
+            following:
+          </para>
+          <itemizedlist>
+            <listitem>
+              <simpara>an IP address (IPv4 or IPv6)</simpara>
+            </listitem>
+            <listitem>
+              <simpara>an IP prefix (in `/' notation)</simpara>
+            </listitem>
+            <listitem>
+              <simpara>
+                a key ID, as defined by the <command>key</command>
+                statement
+              </simpara>
+            </listitem>
+            <listitem>
+              <simpara>the name of an address match list defined with
+                the <command>acl</command> statement
+              </simpara>
+            </listitem>
+            <listitem>
+              <simpara>a nested address match list enclosed in braces</simpara>
+            </listitem>
+          </itemizedlist>
+
+          <para>
+            Elements can be negated with a leading exclamation mark (`!'),
+            and the match list names "any", "none", "localhost", and
+            "localnets"
+            are predefined. More information on those names can be found in
+            the description of the acl statement.
+          </para>
+
+          <para>
+            The addition of the key clause made the name of this syntactic
+            element something of a misnomer, since security keys can be used
+            to validate access without regard to a host or network address.
+            Nonetheless,
+            the term "address match list" is still used throughout the
+            documentation.
+          </para>
+
+          <para>
+            When a given IP address or prefix is compared to an address
+            match list, the list is traversed in order until an element
+            matches.
+            The interpretation of a match depends on whether the list is being
+            used
+            for access control, defining listen-on ports, or in a sortlist,
+            and whether the element was negated.
+          </para>
+
+	  <para>
+	    When used as an access control list, a non-negated match
+	    allows access and a negated match denies access. If
+	    there is no match, access is denied. The clauses
+	    <command>allow-notify</command>,
+	    <command>allow-query</command>,
+	    <command>allow-query-cache</command>,
+	    <command>allow-transfer</command>,
+	    <command>allow-update</command>,
+	    <command>allow-update-forwarding</command>, and
+	    <command>blackhole</command> all use address match
+	    lists.  Similarly, the listen-on option will cause the
+	    server to not accept queries on any of the machine's
+	    addresses which do not match the list.
+	  </para>
+
+          <para>
+            Because of the first-match aspect of the algorithm, an element
+            that defines a subset of another element in the list should come
+            before the broader element, regardless of whether either is
+            negated. For
+            example, in
+            <command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13
+            element is
+            completely useless because the algorithm will match any lookup for
+            1.2.3.13 to the 1.2.3/24 element.
+            Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
+            that problem by having 1.2.3.13 blocked by the negation but all
+            other 1.2.3.* hosts fall through.
+          </para>
+        </sect3>
+      </sect2>
+
+      <sect2>
+        <title>Comment Syntax</title>
+
+        <para>
+          The <acronym>BIND</acronym> 9 comment syntax allows for
+          comments to appear
+          anywhere that white space may appear in a <acronym>BIND</acronym> configuration
+          file. To appeal to programmers of all kinds, they can be written
+          in the C, C++, or shell/perl style.
+        </para>
+
+        <sect3>
+          <title>Syntax</title>
+
+          <para>
+            <programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
+            <programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
+            <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
+          </para>
+        </sect3>
+        <sect3>
+          <title>Definition and Usage</title>
+          <para>
+            Comments may appear anywhere that white space may appear in
+            a <acronym>BIND</acronym> configuration file.
+          </para>
+          <para>
+            C-style comments start with the two characters /* (slash,
+            star) and end with */ (star, slash). Because they are completely
+            delimited with these characters, they can be used to comment only
+            a portion of a line or to span multiple lines.
+          </para>
+          <para>
+            C-style comments cannot be nested. For example, the following
+            is not valid because the entire comment ends with the first */:
+          </para>
+          <para>
+
+<programlisting>/* This is the start of a comment.
    This is still part of the comment.
 /* This is an incorrect attempt at nesting a comment. */
    This is no longer in any comment. */
-</programlisting></para>
-
-<para>C++-style comments start with the two characters // (slash,
-slash) and continue to the end of the physical line. They cannot
-be continued across multiple physical lines; to have one logical
-comment span multiple lines, each line must use the // pair.</para>
-<para>For example:</para>
-        <para><programlisting>// This is the start of a comment.  The next line
+</programlisting>
+
+          </para>
+
+          <para>
+            C++-style comments start with the two characters // (slash,
+            slash) and continue to the end of the physical line. They cannot
+            be continued across multiple physical lines; to have one logical
+            comment span multiple lines, each line must use the // pair.
+          </para>
+          <para>
+            For example:
+          </para>
+          <para>
+
+<programlisting>// This is the start of a comment.  The next line
 // is a new comment, even though it is logically
 // part of the previous comment.
-</programlisting></para>
-<para>Shell-style (or perl-style, if you prefer) comments start
-with the character <literal>#</literal> (number sign) and continue to the end of the
-physical line, as in C++ comments.</para>
-<para>For example:</para>
+</programlisting>
 
-<para><programlisting># This is the start of a comment.  The next line
+          </para>
+          <para>
+            Shell-style (or perl-style, if you prefer) comments start
+            with the character <literal>#</literal> (number sign)
+            and continue to the end of the
+            physical line, as in C++ comments.
+          </para>
+          <para>
+            For example:
+          </para>
+
+          <para>
+
+<programlisting># This is the start of a comment.  The next line
 # is a new comment, even though it is logically
 # part of the previous comment.
 </programlisting>
-</para>
-
-<warning>
-   <para>You cannot use the semicolon (`;') character
-   to start a comment such as you would in a zone file. The
-   semicolon indicates the end of a configuration
-   statement.</para>
-</warning>
-</sect3>
-</sect2>
-</sect1>
-
-<sect1 id="Configuration_File_Grammar">
-<title>Configuration File Grammar</title>
-
-    <para>A <acronym>BIND</acronym> 9 configuration consists of statements and comments.
-    Statements end with a semicolon. Statements and comments are the
-    only elements that can appear without enclosing braces. Many
-    statements contain a block of sub-statements, which are also
-    terminated with a semicolon.</para>
-
-    <para>The following statements are supported:</para>
-
-    <informaltable colsep = "0"  rowsep = "0">
-      <tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle =
-              "2Level-table">
-        <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.336in"/>
-        <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.778in"/>
-        <tbody>
-          <row rowsep = "0">
-            <entry colname = "1"><para><command>acl</command></para></entry>
-            <entry colname = "2"><para>defines a named IP address
-matching list, for access control and other uses.</para></entry>
-          </row>
-          <row rowsep = "0">
-            <entry colname = "1"><para><command>controls</command></para></entry>
-            <entry colname = "2"><para>declares control channels to be used
-by the <command>rndc</command> utility.</para></entry>
-          </row>
-          <row rowsep = "0">
-            <entry colname = "1"><para><command>include</command></para></entry>
-            <entry colname = "2"><para>includes a file.</para></entry>
-          </row>
-          <row rowsep = "0">
-            <entry colname = "1"><para><command>key</command></para></entry>
-            <entry colname = "2"><para>specifies key information for use in
-authentication and authorization using TSIG.</para></entry>
-          </row>
-          <row rowsep = "0">
-            <entry colname = "1"><para><command>logging</command></para></entry>
-            <entry colname = "2"><para>specifies what the server logs, and where
-the log messages are sent.</para></entry>
-          </row>
-          <row rowsep = "0">
-            <entry colname = "1"><para><command>lwres</command></para></entry>
-            <entry colname = "2"><para>configures <command>named</command> to
-also act as a light-weight resolver daemon (<command>lwresd</command>).</para></entry>
-          </row>
-          <row rowsep = "0">
-            <entry colname = "1"><para><command>masters</command></para></entry>
-            <entry colname = "2"><para>defines a named masters list for
-inclusion in stub and slave zone masters clauses.</para></entry>
-          </row>
-          <row rowsep = "0">
-            <entry colname = "1"><para><command>options</command></para></entry>
-            <entry colname = "2"><para>controls global server configuration
-options and sets defaults for other statements.</para></entry>
-          </row>
-          <row rowsep = "0">
-            <entry colname = "1"><para><command>server</command></para></entry>
-            <entry colname = "2"><para>sets certain configuration options on
-a per-server basis.</para></entry>
-          </row>
-          <row rowsep = "0">
-            <entry colname = "1"><para><command>trusted-keys</command></para></entry>
-            <entry colname = "2"><para>defines trusted DNSSEC keys.</para></entry>
-          </row>
-          <row rowsep = "0">
-            <entry colname = "1"><para><command>view</command></para></entry>
-            <entry colname = "2"><para>defines a view.</para></entry>
-          </row>
-          <row rowsep = "0">
-            <entry colname = "1"><para><command>zone</command></para></entry>
-            <entry colname = "2"><para>defines a zone.</para></entry>
-          </row>
-        </tbody>
-      </tgroup></informaltable>
-    
-    <para>The <command>logging</command> and
-    <command>options</command> statements may only occur once per
-    configuration.</para>
-
-    <sect2>
-      <title><command>acl</command> Statement Grammar</title>
-
-      <programlisting><command>acl</command> acl-name { 
-    address_match_list 
+
+          </para>
+
+          <warning>
+            <para>
+              You cannot use the semicolon (`;') character
+              to start a comment such as you would in a zone file. The
+              semicolon indicates the end of a configuration
+              statement.
+            </para>
+          </warning>
+        </sect3>
+      </sect2>
+    </sect1>
+
+    <sect1 id="Configuration_File_Grammar">
+      <title>Configuration File Grammar</title>
+
+      <para>
+        A <acronym>BIND</acronym> 9 configuration consists of
+        statements and comments.
+        Statements end with a semicolon. Statements and comments are the
+        only elements that can appear without enclosing braces. Many
+        statements contain a block of sub-statements, which are also
+        terminated with a semicolon.
+      </para>
+
+      <para>
+        The following statements are supported:
+      </para>
+
+      <informaltable colsep="0" rowsep="0">
+        <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
+          <colspec colname="1" colnum="1" colsep="0" colwidth="1.336in"/>
+          <colspec colname="2" colnum="2" colsep="0" colwidth="3.778in"/>
+          <tbody>
+            <row rowsep="0">
+              <entry colname="1">
+                <para><command>acl</command></para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  defines a named IP address
+                  matching list, for access control and other uses.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para><command>controls</command></para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  declares control channels to be used
+                  by the <command>rndc</command> utility.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para><command>include</command></para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  includes a file.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para><command>key</command></para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  specifies key information for use in
+                  authentication and authorization using TSIG.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para><command>logging</command></para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  specifies what the server logs, and where
+                  the log messages are sent.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para><command>lwres</command></para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  configures <command>named</command> to
+                  also act as a light-weight resolver daemon (<command>lwresd</command>).
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para><command>masters</command></para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  defines a named masters list for
+                  inclusion in stub and slave zone masters clauses.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para><command>options</command></para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  controls global server configuration
+                  options and sets defaults for other statements.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para><command>server</command></para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  sets certain configuration options on
+                  a per-server basis.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para><command>trusted-keys</command></para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  defines trusted DNSSEC keys.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para><command>view</command></para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  defines a view.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para><command>zone</command></para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  defines a zone.
+                </para>
+              </entry>
+            </row>
+          </tbody>
+        </tgroup>
+      </informaltable>
+
+      <para>
+        The <command>logging</command> and
+        <command>options</command> statements may only occur once
+        per
+        configuration.
+      </para>
+
+      <sect2>
+        <title><command>acl</command> Statement Grammar</title>
+
+<programlisting><command>acl</command> acl-name {
+    address_match_list
 };
 </programlisting>
-    </sect2>
-    <sect2 id="acl">
-      <title><command>acl</command> Statement Definition and
-Usage</title>
-
-      <para>The <command>acl</command> statement assigns a symbolic
-      name to an address match list. It gets its name from a primary
-      use of address match lists: Access Control Lists (ACLs).</para>
-
-      <para>Note that an address match list's name must be defined
-      with <command>acl</command> before it can be used elsewhere; no
-      forward references are allowed.</para>
-
-      <para>The following ACLs are built-in:</para>
-
-<informaltable colsep = "0"  rowsep = "0"><tgroup cols = "2"
-    colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.130in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>any</command></para></entry>
-<entry colname = "2"><para>Matches all hosts.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>none</command></para></entry>
-<entry colname = "2"><para>Matches no hosts.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>localhost</command></para></entry>
-<entry colname = "2"><para>Matches the IPv4 and IPv6 addresses of all network
-interfaces on the system.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>localnets</command></para></entry>
-<entry colname = "2"><para>Matches any host on an IPv4 or IPv6 network
-for which the system has an interface.
-Some systems do not provide a way to determine the prefix lengths of
-local IPv6 addresses.
-In such a case, <command>localnets</command> only matches the local
-IPv6 addresses, just like <command>localhost</command>.
-</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-
-</sect2>
-<sect2>
-      <title><command>controls</command> Statement Grammar</title>
+
+      </sect2>
+      <sect2 id="acl">
+        <title><command>acl</command> Statement Definition and
+          Usage</title>
+
+        <para>
+          The <command>acl</command> statement assigns a symbolic
+          name to an address match list. It gets its name from a primary
+          use of address match lists: Access Control Lists (ACLs).
+        </para>
+
+        <para>
+          Note that an address match list's name must be defined
+          with <command>acl</command> before it can be used
+          elsewhere; no
+          forward references are allowed.
+        </para>
+
+        <para>
+          The following ACLs are built-in:
+        </para>
+
+        <informaltable colsep="0" rowsep="0">
+          <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
+            <colspec colname="1" colnum="1" colsep="0" colwidth="1.130in"/>
+            <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
+            <tbody>
+              <row rowsep="0">
+                <entry colname="1">
+                  <para><command>any</command></para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    Matches all hosts.
+                  </para>
+                </entry>
+              </row>
+              <row rowsep="0">
+                <entry colname="1">
+                  <para><command>none</command></para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    Matches no hosts.
+                  </para>
+                </entry>
+              </row>
+              <row rowsep="0">
+                <entry colname="1">
+                  <para><command>localhost</command></para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    Matches the IPv4 and IPv6 addresses of all network
+                    interfaces on the system.
+                  </para>
+                </entry>
+              </row>
+              <row rowsep="0">
+                <entry colname="1">
+                  <para><command>localnets</command></para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    Matches any host on an IPv4 or IPv6 network
+                    for which the system has an interface.
+                    Some systems do not provide a way to determine the prefix
+                    lengths of
+                    local IPv6 addresses.
+                    In such a case, <command>localnets</command>
+                    only matches the local
+                    IPv6 addresses, just like <command>localhost</command>.
+                  </para>
+                </entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+      </sect2>
+      <sect2>
+        <title><command>controls</command> Statement Grammar</title>
+
 <programlisting><command>controls</command> {
-   inet ( ip_addr | * ) <optional> port ip_port </optional> allow { <replaceable> address_match_list </replaceable> }
-                keys { <replaceable> key_list </replaceable> };
-   <optional> inet ...; </optional>
+   [ inet ( ip_addr | * ) [ port ip_port ] allow { <replaceable> address_match_list </replaceable> }
+                keys { <replaceable>key_list</replaceable> }; ]
+   [ inet ...; ]
+   [ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable> keys { <replaceable>key_list</replaceable> }; ]
+   [ unix ...; ]
 };
 </programlisting>
-</sect2>
-
-<sect2 id="controls_statement_definition_and_usage">
-<title><command>controls</command> Statement Definition and Usage</title>
-
-      <para>The <command>controls</command> statement declares control
-      channels to be used by system administrators to control the
-      operation of the name server. These control channels are
-      used by the <command>rndc</command> utility to send commands to
-      and retrieve non-DNS results from a name server.</para>
-
-      <para>An <command>inet</command> control channel is a TCP
-      socket listening at the specified
-      <command>ip_port</command> on the specified
-      <command>ip_addr</command>, which can be an IPv4 or IPv6
-      address.  An <command>ip_addr</command>
-      of <literal>*</literal> (asterisk) is interpreted as the IPv4 wildcard
-      address; connections will be accepted on any of the system's
-      IPv4 addresses.  To listen on the IPv6 wildcard address,
-      use an <command>ip_addr</command> of <literal>::</literal>.
-      If you will only use <command>rndc</command> on the local host,
-      using the loopback address (<literal>127.0.0.1</literal>
-      or <literal>::1</literal>) is recommended for maximum
-      security.
-      </para>
 
-      <para>
-      If no port is specified, port 953
-      is used.  The asterisk "<literal>*</literal>" cannot be used for
-      <command>ip_port</command>.</para>
-
-      <para>The ability to issue commands over the control channel is
-      restricted by the <command>allow</command> and
-      <command>keys</command> clauses. Connections to the control
-      channel are permitted based on the
-      <command>address_match_list</command>.  This is for simple
-      IP address based filtering only; any <command>key_id</command>
-      elements of the <command>address_match_list</command> are
-      ignored.
-      </para>
+      </sect2>
+
+      <sect2 id="controls_statement_definition_and_usage">
+        <title><command>controls</command> Statement Definition and
+          Usage</title>
+
+        <para>
+          The <command>controls</command> statement declares control
+          channels to be used by system administrators to control the
+          operation of the name server. These control channels are
+          used by the <command>rndc</command> utility to send
+          commands to and retrieve non-DNS results from a name server.
+        </para>
+
+        <para>
+          An <command>inet</command> control channel is a TCP socket
+	  listening at the specified <command>ip_port</command> on the
+	  specified <command>ip_addr</command>, which can be an IPv4 or IPv6
+	  address.  An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
+	  interpreted as the IPv4 wildcard address; connections will be
+	  accepted on any of the system's IPv4 addresses.
+	  To listen on the IPv6 wildcard address,
+          use an <command>ip_addr</command> of <literal>::</literal>.
+          If you will only use <command>rndc</command> on the local host,
+          using the loopback address (<literal>127.0.0.1</literal>
+          or <literal>::1</literal>) is recommended for maximum security.
+        </para>
+
+        <para>
+          If no port is specified, port 953 is used. The asterisk
+	  "<literal>*</literal>" cannot be used for <command>ip_port</command>.
+        </para>
+
+        <para>
+          The ability to issue commands over the control channel is
+          restricted by the <command>allow</command> and
+          <command>keys</command> clauses.
+	  Connections to the control channel are permitted based on the
+          <command>address_match_list</command>.  This is for simple
+          IP address based filtering only; any <command>key_id</command>
+          elements of the <command>address_match_list</command>
+          are ignored.
+        </para>
+
+	<para>
+	  A <command>unix</command> control channel is a UNIX domain
+	  socket listening at the specified path in the file system.
+	  Access to the socket is specified by the <command>perm</command>,
+	  <command>owner</command> and <command>group</command> clauses.
+	  Note on some platforms (SunOS and Solaris) the permissions
+	  (<command>perm</command>) are applied to the parent directory
+	  as the permissions on the socket itself are ignored.
+	</para>
 
-      <para>The primary authorization mechanism of the command
-      channel is the <command>key_list</command>, which contains
-      a list of <command>key_id</command>s.
-      Each <command>key_id</command> in
-      the <command>key_list</command> is authorized to execute
-      commands over the control channel.
-      See <xref linkend="rndc"/> in
-      <xref linkend="admin_tools"/>) for information about
-      configuring keys in <command>rndc</command>.</para>
-
-<para>
-If no <command>controls</command> statement is present,
-<command>named</command> will set up a default
-control channel listening on the loopback address 127.0.0.1
-and its IPv6 counterpart ::1.
-In this case, and also when the <command>controls</command> statement
-is present but does not have a <command>keys</command> clause,
-<command>named</command> will attempt to load the command channel key
-from the file <filename>rndc.key</filename> in
-<filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
-was specified as when <acronym>BIND</acronym> was built).
-To create a <filename>rndc.key</filename> file, run
-<userinput>rndc-confgen -a</userinput>.
-</para>
-
-      <para>The <filename>rndc.key</filename> feature was created to
-      ease the transition of systems from <acronym>BIND</acronym> 8,
-      which did not have digital signatures on its command channel messages
-      and thus did not have a <command>keys</command> clause.
-
-It makes it possible to use an existing <acronym>BIND</acronym> 8
-configuration file in <acronym>BIND</acronym> 9 unchanged,
-and still have <command>rndc</command> work the same way
-<command>ndc</command> worked in BIND 8, simply by executing the
-command <userinput>rndc-confgen -a</userinput> after BIND 9 is
-installed.
-</para>
+        <para>
+          The primary authorization mechanism of the command
+          channel is the <command>key_list</command>, which
+          contains a list of <command>key_id</command>s.
+          Each <command>key_id</command> in the <command>key_list</command>
+	  is authorized to execute commands over the control channel.
+          See <xref linkend="rndc"/> in <xref linkend="admin_tools"/>)
+	  for information about configuring keys in <command>rndc</command>.
+        </para>
+
+        <para>
+          If no <command>controls</command> statement is present,
+          <command>named</command> will set up a default
+          control channel listening on the loopback address 127.0.0.1
+          and its IPv6 counterpart ::1.
+          In this case, and also when the <command>controls</command> statement
+          is present but does not have a <command>keys</command> clause,
+          <command>named</command> will attempt to load the command channel key
+          from the file <filename>rndc.key</filename> in
+          <filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
+          was specified as when <acronym>BIND</acronym> was built).
+          To create a <filename>rndc.key</filename> file, run
+          <userinput>rndc-confgen -a</userinput>.
+        </para>
+
+        <para>
+          The <filename>rndc.key</filename> feature was created to
+          ease the transition of systems from <acronym>BIND</acronym> 8,
+          which did not have digital signatures on its command channel
+          messages and thus did not have a <command>keys</command> clause.
+
+          It makes it possible to use an existing <acronym>BIND</acronym> 8
+          configuration file in <acronym>BIND</acronym> 9 unchanged,
+          and still have <command>rndc</command> work the same way
+          <command>ndc</command> worked in BIND 8, simply by executing the
+          command <userinput>rndc-confgen -a</userinput> after BIND 9 is
+          installed.
+        </para>
+
+        <para>
+          Since the <filename>rndc.key</filename> feature
+          is only intended to allow the backward-compatible usage of
+          <acronym>BIND</acronym> 8 configuration files, this
+          feature does not
+          have a high degree of configurability.  You cannot easily change
+          the key name or the size of the secret, so you should make a
+          <filename>rndc.conf</filename> with your own key if you
+          wish to change
+          those things.  The <filename>rndc.key</filename> file
+          also has its
+          permissions set such that only the owner of the file (the user that
+          <command>named</command> is running as) can access it.
+          If you
+          desire greater flexibility in allowing other users to access
+          <command>rndc</command> commands, then you need to create
+          a
+          <filename>rndc.conf</filename> file and make it group
+          readable by a group
+          that contains the users who should have access.
+        </para>
+
+        <para>
+          To disable the command channel, use an empty
+	  <command>controls</command> statement:
+	  <command>controls { };</command>.
+        </para>
+
+      </sect2>
+      <sect2>
+        <title><command>include</command> Statement Grammar</title>
+        <programlisting>include <replaceable>filename</replaceable>;</programlisting>
+      </sect2>
+      <sect2>
+        <title><command>include</command> Statement Definition and
+          Usage</title>
+
+        <para>
+          The <command>include</command> statement inserts the
+          specified file at the point where the <command>include</command>
+          statement is encountered. The <command>include</command>
+                statement facilitates the administration of configuration
+          files
+          by permitting the reading or writing of some things but not
+          others. For example, the statement could include private keys
+          that are readable only by the name server.
+        </para>
+
+      </sect2>
+      <sect2>
+        <title><command>key</command> Statement Grammar</title>
 
-      <para>
-      Since the <filename>rndc.key</filename> feature
-      is only intended to allow the backward-compatible usage of
-      <acronym>BIND</acronym> 8 configuration files, this feature does not
-      have a high degree of configurability.  You cannot easily change
-      the key name or the size of the secret, so you should make a
-      <filename>rndc.conf</filename> with your own key if you wish to change
-      those things.  The <filename>rndc.key</filename> file also has its
-      permissions set such that only the owner of the file (the user that
-      <command>named</command> is running as) can access it.  If you
-      desire greater flexibility in allowing other users to access
-      <command>rndc</command> commands, then you need to create a
-      <filename>rndc.conf</filename> file and make it group readable by a group
-      that contains the users who should have access.</para>
-
-      <para>The UNIX control channel type of <acronym>BIND</acronym> 8 is not supported
-      in <acronym>BIND</acronym> 9.0, <acronym>BIND</acronym> 9.1,
-      <acronym>BIND</acronym> 9.2 and <acronym>BIND</acronym> 9.3.
-      If it is present in the controls statement from a
-      <acronym>BIND</acronym> 8 configuration file, it is ignored
-      and a warning is logged.</para>
-
-<para>
-To disable the command channel, use an empty <command>controls</command>
-statement: <command>controls { };</command>.
-</para>
-
-    </sect2>
-    <sect2>
-      <title><command>include</command> Statement Grammar</title>
-      <programlisting>include <replaceable>filename</replaceable>;</programlisting>
-    </sect2>
-    <sect2>
-      <title><command>include</command> Statement Definition and Usage</title>
-
-      <para>The <command>include</command> statement inserts the
-      specified file at the point where the <command>include</command>
-      statement is encountered. The <command>include</command>
-      statement facilitates the administration of configuration files
-      by permitting the reading or writing of some things but not
-      others. For example, the statement could include private keys
-      that are readable only by the name server.</para>
-
-    </sect2>
-    <sect2>
-      <title><command>key</command> Statement Grammar</title>
 <programlisting>key <replaceable>key_id</replaceable> {
     algorithm <replaceable>string</replaceable>;
     secret <replaceable>string</replaceable>;
 };
 </programlisting>
-    </sect2>
-
-<sect2>
-<title><command>key</command> Statement Definition and Usage</title>
-
-<para>The <command>key</command> statement defines a shared
-secret key for use with TSIG (see <xref linkend="tsig"/>)
-or the command channel
-(see <xref linkend="controls_statement_definition_and_usage"/>).
-</para>
-
-<para>
-The <command>key</command> statement can occur at the top level
-of the configuration file or inside a <command>view</command> 
-statement.  Keys defined in top-level <command>key</command>
-statements can be used in all views.  Keys intended for use in
-a <command>controls</command> statement
-(see <xref linkend="controls_statement_definition_and_usage"/>)
-must be defined at the top level.
-</para>
-
-<para>The <replaceable>key_id</replaceable>, also known as the
-key name, is a domain name uniquely identifying the key. It can
-be used in a <command>server</command>
-statement to cause requests sent to that
-server to be signed with this key, or in address match lists to
-verify that incoming requests have been signed with a key
-matching this name, algorithm, and secret.</para>
-
-<para>The <replaceable>algorithm_id</replaceable> is a string
-that specifies a security/authentication algorithm. The only
-algorithm currently supported with TSIG authentication is
-<literal>hmac-md5</literal>.  The
-<replaceable>secret_string</replaceable> is the secret to be
-used by the algorithm, and is treated as a base-64 encoded
-string.</para>
-
-</sect2>
-    <sect2>
-      <title><command>logging</command> Statement Grammar</title>
-      <programlisting><command>logging</command> {
+
+      </sect2>
+
+      <sect2>
+        <title><command>key</command> Statement Definition and Usage</title>
+
+        <para>
+          The <command>key</command> statement defines a shared
+          secret key for use with TSIG (see <xref linkend="tsig"/>)
+          or the command channel
+          (see <xref linkend="controls_statement_definition_and_usage"/>).
+        </para>
+
+        <para>
+          The <command>key</command> statement can occur at the
+          top level
+          of the configuration file or inside a <command>view</command>
+          statement.  Keys defined in top-level <command>key</command>
+          statements can be used in all views.  Keys intended for use in
+          a <command>controls</command> statement
+          (see <xref linkend="controls_statement_definition_and_usage"/>)
+          must be defined at the top level.
+        </para>
+
+        <para>
+          The <replaceable>key_id</replaceable>, also known as the
+          key name, is a domain name uniquely identifying the key. It can
+          be used in a <command>server</command>
+          statement to cause requests sent to that
+          server to be signed with this key, or in address match lists to
+          verify that incoming requests have been signed with a key
+          matching this name, algorithm, and secret.
+        </para>
+
+	<para>
+	  The <replaceable>algorithm_id</replaceable> is a string
+	  that specifies a security/authentication algorithm.  Named
+	  supports <literal>hmac-md5</literal>,
+	  <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
+	  <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>
+	  and <literal>hmac-sha512</literal> TSIG authentication.
+	  Truncated hashes are supported by appending the minimum
+	  number of required bits preceeded by a dash, e.g.
+	  <literal>hmac-sha1-80</literal>.  The
+	  <replaceable>secret_string</replaceable> is the secret
+	  to be used by the algorithm, and is treated as a base-64
+	  encoded string.
+	</para>
+
+      </sect2>
+      <sect2>
+        <title><command>logging</command> Statement Grammar</title>
+
+<programlisting><command>logging</command> {
    [ <command>channel</command> <replaceable>channel_name</replaceable> {
      ( <command>file</command> <replaceable>path name</replaceable>
-         [ <command>versions</command> ( <replaceable>number</replaceable> | <literal>unlimited</literal> ) ]
+         [ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
          [ <command>size</command> <replaceable>size spec</replaceable> ]
        | <command>syslog</command> <replaceable>syslog_facility</replaceable>
        | <command>stderr</command>
@@ -2381,24 +3675,32 @@ string.</para>
      [ <command>print-time</command> <option>yes</option> or <option>no</option>; ]
    }; ]
    [ <command>category</command> <replaceable>category_name</replaceable> {
-     <replaceable>channel_name</replaceable> ; [ <replaceable>channel_nam</replaceable>e ; ... ]
+     <replaceable>channel_name</replaceable> ; [ <replaceable>channel_name</replaceable> ; ... ]
    }; ]
    ...
 };
 </programlisting>
-</sect2>
-
-<sect2>
-<title><command>logging</command> Statement Definition and Usage</title>
 
-<para>The <command>logging</command> statement configures a wide
-variety of logging options for the name server. Its <command>channel</command> phrase
-associates output methods, format options and severity levels with
-a name that can then be used with the <command>category</command> phrase
-to select how various classes of messages are logged.</para>
-<para>Only one <command>logging</command> statement is used to define
-as many channels and categories as are wanted. If there is no <command>logging</command> statement,
-the logging configuration will be:</para>
+      </sect2>
+
+      <sect2>
+        <title><command>logging</command> Statement Definition and
+          Usage</title>
+
+        <para>
+          The <command>logging</command> statement configures a
+          wide
+          variety of logging options for the name server. Its <command>channel</command> phrase
+          associates output methods, format options and severity levels with
+          a name that can then be used with the <command>category</command> phrase
+          to select how various classes of messages are logged.
+        </para>
+        <para>
+          Only one <command>logging</command> statement is used to
+          define
+          as many channels and categories as are wanted. If there is no <command>logging</command> statement,
+          the logging configuration will be:
+        </para>
 
 <programlisting>logging {
      category default { default_syslog; default_debug; };
@@ -2406,65 +3708,98 @@ the logging configuration will be:</para>
 };
 </programlisting>
 
-<para>In <acronym>BIND</acronym> 9, the logging configuration is only established when
-the entire configuration file has been parsed.  In <acronym>BIND</acronym> 8, it was
-established as soon as the <command>logging</command> statement
-was parsed. When the server is starting up, all logging messages
-regarding syntax errors in the configuration file go to the default
-channels, or to standard error if the "<option>-g</option>" option
-was specified.</para>
-
-<sect3>
-<title>The <command>channel</command> Phrase</title>
-
-<para>All log output goes to one or more <emphasis>channels</emphasis>;
-you can make as many of them as you want.</para>
-
-<para>Every channel definition must include a destination clause that
-says whether messages selected for the channel go to a file, to a
-particular syslog facility, to the standard error stream, or are
-discarded. It can optionally also limit the message severity level
-that will be accepted by the channel (the default is
-<command>info</command>), and whether to include a
-<command>named</command>-generated time stamp, the category name
-and/or severity level (the default is not to include any).</para>
-
-<para>The <command>null</command> destination clause 
-causes all messages sent to the channel to be discarded;
-in that case, other options for the channel are meaningless.</para>
-
-<para>The <command>file</command> destination clause directs the channel
-to a disk file.  It can include limitations
-both on how large the file is allowed to become, and how many versions
-of the file will be saved each time the file is opened.</para>
-
-<para>If you use the <command>versions</command> log file option, then
-<command>named</command> will retain that many backup versions of the file by
-renaming them when opening.  For example, if you choose to keep three old versions
-of the file <filename>lamers.log</filename>, then just before it is opened
-<filename>lamers.log.1</filename> is renamed to
-<filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
-to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
-renamed to <filename>lamers.log.0</filename>.
-You can say <command>versions unlimited</command> to not limit
-the number of versions.
-If a <command>size</command> option is associated with the log file,
-then renaming is only done when the file being opened exceeds the
-indicated size.  No backup versions are kept by default; any existing
-log file is simply appended.</para>
-
-<para>The <command>size</command> option for files is used to limit log
-growth. If the file ever exceeds the size, then <command>named</command> will
-stop writing to the file unless it has a <command>versions</command> option
-associated with it.  If backup versions are kept, the files are rolled as
-described above and a new one begun.  If there is no
-<command>versions</command> option, no more data will be written to the log
-until some out-of-band mechanism removes or truncates the log to less than the
-maximum size.  The default behavior is not to limit the size of the
-file.</para>
-
-<para>Example usage of the <command>size</command> and
-<command>versions</command> options:</para>
+        <para>
+          In <acronym>BIND</acronym> 9, the logging configuration
+          is only established when
+          the entire configuration file has been parsed.  In <acronym>BIND</acronym> 8, it was
+          established as soon as the <command>logging</command>
+          statement
+          was parsed. When the server is starting up, all logging messages
+          regarding syntax errors in the configuration file go to the default
+          channels, or to standard error if the "<option>-g</option>" option
+          was specified.
+        </para>
+
+        <sect3>
+          <title>The <command>channel</command> Phrase</title>
+
+          <para>
+            All log output goes to one or more <emphasis>channels</emphasis>;
+            you can make as many of them as you want.
+          </para>
+
+          <para>
+            Every channel definition must include a destination clause that
+            says whether messages selected for the channel go to a file, to a
+            particular syslog facility, to the standard error stream, or are
+            discarded. It can optionally also limit the message severity level
+            that will be accepted by the channel (the default is
+            <command>info</command>), and whether to include a
+            <command>named</command>-generated time stamp, the
+            category name
+            and/or severity level (the default is not to include any).
+          </para>
+
+          <para>
+            The <command>null</command> destination clause
+            causes all messages sent to the channel to be discarded;
+            in that case, other options for the channel are meaningless.
+          </para>
+
+          <para>
+            The <command>file</command> destination clause directs
+            the channel
+            to a disk file.  It can include limitations
+            both on how large the file is allowed to become, and how many
+            versions
+            of the file will be saved each time the file is opened.
+          </para>
+
+          <para>
+            If you use the <command>versions</command> log file
+            option, then
+            <command>named</command> will retain that many backup
+            versions of the file by
+            renaming them when opening.  For example, if you choose to keep
+            three old versions
+            of the file <filename>lamers.log</filename>, then just
+            before it is opened
+            <filename>lamers.log.1</filename> is renamed to
+            <filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
+            to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
+            renamed to <filename>lamers.log.0</filename>.
+            You can say <command>versions unlimited</command> to
+            not limit
+            the number of versions.
+            If a <command>size</command> option is associated with
+            the log file,
+            then renaming is only done when the file being opened exceeds the
+            indicated size.  No backup versions are kept by default; any
+            existing
+            log file is simply appended.
+          </para>
+
+          <para>
+            The <command>size</command> option for files is used
+            to limit log
+            growth. If the file ever exceeds the size, then <command>named</command> will
+            stop writing to the file unless it has a <command>versions</command> option
+            associated with it.  If backup versions are kept, the files are
+            rolled as
+            described above and a new one begun.  If there is no
+            <command>versions</command> option, no more data will
+            be written to the log
+            until some out-of-band mechanism removes or truncates the log to
+            less than the
+            maximum size.  The default behavior is not to limit the size of
+            the
+            file.
+          </para>
+
+          <para>
+            Example usage of the <command>size</command> and
+            <command>versions</command> options:
+          </para>
 
 <programlisting>channel an_example_channel {
     file "example.log" versions 3 size 20m;
@@ -2473,80 +3808,117 @@ file.</para>
 };
 </programlisting>
 
-<para>The <command>syslog</command> destination clause directs the
-channel to the system log.  Its argument is a
-syslog facility as described in the <command>syslog</command> man
-page. Known facilities are <command>kern</command>, <command>user</command>,
-<command>mail</command>, <command>daemon</command>, <command>auth</command>,
-<command>syslog</command>, <command>lpr</command>, <command>news</command>,
-<command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
-<command>ftp</command>, <command>local0</command>, <command>local1</command>,
-<command>local2</command>, <command>local3</command>, <command>local4</command>,
-<command>local5</command>, <command>local6</command> and
-<command>local7</command>, however not all facilities are supported on
-all operating systems.
-How <command>syslog</command> will handle messages sent to
-this facility is described in the <command>syslog.conf</command> man
-page. If you have a system which uses a very old version of <command>syslog</command> that
-only uses two arguments to the <command>openlog()</command> function,
-then this clause is silently ignored.</para>
-<para>The <command>severity</command> clause works like <command>syslog</command>'s
-"priorities", except that they can also be used if you are writing
-straight to a file rather than using <command>syslog</command>.
-Messages which are not at least of the severity level given will
-not be selected for the channel; messages of higher severity levels
-will be accepted.</para>
-<para>If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
-will also determine what eventually passes through. For example,
-defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
-only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
-cause messages of severity <command>info</command> and <command>notice</command> to
-be dropped. If the situation were reversed, with <command>named</command> writing
-messages of only <command>warning</command> or higher, then <command>syslogd</command> would
-print all messages it received from the channel.</para>
-
-<para>The <command>stderr</command> destination clause directs the
-channel to the server's standard error stream.  This is intended for
-use when the server is running as a foreground process, for example
-when debugging a configuration.</para>
-
-<para>The server can supply extensive debugging information when
-it is in debugging mode. If the server's global debug level is greater
-than zero, then debugging mode will be active. The global debug
-level is set either by starting the <command>named</command> server
-with the <option>-d</option> flag followed by a positive integer,
-or by running <command>rndc trace</command>.
-The global debug level
-can be set to zero, and debugging mode turned off, by running <command>rndc
+          <para>
+            The <command>syslog</command> destination clause
+            directs the
+            channel to the system log.  Its argument is a
+            syslog facility as described in the <command>syslog</command> man
+            page. Known facilities are <command>kern</command>, <command>user</command>,
+            <command>mail</command>, <command>daemon</command>, <command>auth</command>,
+            <command>syslog</command>, <command>lpr</command>, <command>news</command>,
+            <command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
+            <command>ftp</command>, <command>local0</command>, <command>local1</command>,
+            <command>local2</command>, <command>local3</command>, <command>local4</command>,
+            <command>local5</command>, <command>local6</command> and
+            <command>local7</command>, however not all facilities
+            are supported on
+            all operating systems.
+            How <command>syslog</command> will handle messages
+            sent to
+            this facility is described in the <command>syslog.conf</command> man
+            page. If you have a system which uses a very old version of <command>syslog</command> that
+            only uses two arguments to the <command>openlog()</command> function,
+            then this clause is silently ignored.
+          </para>
+          <para>
+            The <command>severity</command> clause works like <command>syslog</command>'s
+            "priorities", except that they can also be used if you are writing
+            straight to a file rather than using <command>syslog</command>.
+            Messages which are not at least of the severity level given will
+            not be selected for the channel; messages of higher severity
+            levels
+            will be accepted.
+          </para>
+          <para>
+            If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
+            will also determine what eventually passes through. For example,
+            defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
+            only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
+            cause messages of severity <command>info</command> and
+            <command>notice</command> to
+            be dropped. If the situation were reversed, with <command>named</command> writing
+            messages of only <command>warning</command> or higher,
+            then <command>syslogd</command> would
+            print all messages it received from the channel.
+          </para>
+
+          <para>
+            The <command>stderr</command> destination clause
+            directs the
+            channel to the server's standard error stream.  This is intended
+            for
+            use when the server is running as a foreground process, for
+            example
+            when debugging a configuration.
+          </para>
+
+          <para>
+            The server can supply extensive debugging information when
+            it is in debugging mode. If the server's global debug level is
+            greater
+            than zero, then debugging mode will be active. The global debug
+            level is set either by starting the <command>named</command> server
+            with the <option>-d</option> flag followed by a positive integer,
+            or by running <command>rndc trace</command>.
+            The global debug level
+            can be set to zero, and debugging mode turned off, by running <command>rndc
 notrace</command>. All debugging messages in the server have a debug
-level, and higher debug levels give more detailed output. Channels
-that specify a specific debug severity, for example:</para>
+            level, and higher debug levels give more detailed output. Channels
+            that specify a specific debug severity, for example:
+          </para>
+
 <programlisting>channel specific_debug_level {
     file "foo";
     severity debug 3;
 };
 </programlisting>
-        <para>will get debugging output of level 3 or less any time the
-server is in debugging mode, regardless of the global debugging
-level. Channels with <command>dynamic</command> severity use the
-server's global debug level to determine what messages to print.</para>
-        <para>If <command>print-time</command> has been turned on, then
-the date and time will be logged. <command>print-time</command> may
-be specified for a <command>syslog</command> channel, but is usually
-pointless since <command>syslog</command> also prints the date and
-time. If <command>print-category</command> is requested, then the
-category of the message will be logged as well. Finally, if <command>print-severity</command> is
-on, then the severity level of the message will be logged. The <command>print-</command> options may
-be used in any combination, and will always be printed in the following
-order: time, category, severity. Here is an example where all three <command>print-</command> options
-are on:</para>
-
-<para><computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput></para>
-
-<para>There are four predefined channels that are used for
-<command>named</command>'s default logging as follows. How they are
-used is described in <xref linkend="the_category_phrase"/>.
-</para>
+
+          <para>
+            will get debugging output of level 3 or less any time the
+            server is in debugging mode, regardless of the global debugging
+            level. Channels with <command>dynamic</command>
+            severity use the
+            server's global debug level to determine what messages to print.
+          </para>
+          <para>
+            If <command>print-time</command> has been turned on,
+            then
+            the date and time will be logged. <command>print-time</command> may
+            be specified for a <command>syslog</command> channel,
+            but is usually
+            pointless since <command>syslog</command> also prints
+            the date and
+            time. If <command>print-category</command> is
+            requested, then the
+            category of the message will be logged as well. Finally, if <command>print-severity</command> is
+            on, then the severity level of the message will be logged. The <command>print-</command> options may
+            be used in any combination, and will always be printed in the
+            following
+            order: time, category, severity. Here is an example where all
+            three <command>print-</command> options
+            are on:
+          </para>
+
+          <para>
+            <computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput>
+          </para>
+
+          <para>
+            There are four predefined channels that are used for
+            <command>named</command>'s default logging as follows.
+            How they are
+            used is described in <xref linkend="the_category_phrase"/>.
+          </para>
 
 <programlisting>channel default_syslog {
     syslog daemon;                      // send to syslog's daemon
@@ -2578,37 +3950,56 @@ channel null {
 };
 </programlisting>
 
-<para>The <command>default_debug</command> channel has the special
-property that it only produces output when the server's debug level is
-nonzero.  It normally writes to a file called <filename>named.run</filename>
-in the server's working directory.</para>
-
-<para>For security reasons, when the "<option>-u</option>"
-command line option is used, the <filename>named.run</filename> file
-is created only after <command>named</command> has changed to the
-new UID, and any debug output generated while <command>named</command> is
-starting up and still running as root is discarded.  If you need
-to capture this output, you must run the server with the "<option>-g</option>"
-option and redirect standard error to a file.</para>
-
-<para>Once a channel is defined, it cannot be redefined. Thus you
-cannot alter the built-in channels directly, but you can modify
-the default logging by pointing categories at channels you have defined.</para>
-</sect3>
-
-<sect3 id="the_category_phrase"><title>The <command>category</command> Phrase</title>
-
-<para>There are many categories, so you can send the logs you want
-to see wherever you want, without seeing logs you don't want. If
-you don't specify a list of channels for a category, then log messages
-in that category will be sent to the <command>default</command> category
-instead. If you don't specify a default category, the following
-"default default" is used:</para>
+          <para>
+            The <command>default_debug</command> channel has the
+            special
+            property that it only produces output when the server's debug
+            level is
+            nonzero.  It normally writes to a file called <filename>named.run</filename>
+            in the server's working directory.
+          </para>
+
+          <para>
+            For security reasons, when the "<option>-u</option>"
+            command line option is used, the <filename>named.run</filename> file
+            is created only after <command>named</command> has
+            changed to the
+            new UID, and any debug output generated while <command>named</command> is
+            starting up and still running as root is discarded.  If you need
+            to capture this output, you must run the server with the "<option>-g</option>"
+            option and redirect standard error to a file.
+          </para>
+
+          <para>
+            Once a channel is defined, it cannot be redefined. Thus you
+            cannot alter the built-in channels directly, but you can modify
+            the default logging by pointing categories at channels you have
+            defined.
+          </para>
+        </sect3>
+
+        <sect3 id="the_category_phrase">
+          <title>The <command>category</command> Phrase</title>
+
+          <para>
+            There are many categories, so you can send the logs you want
+            to see wherever you want, without seeing logs you don't want. If
+            you don't specify a list of channels for a category, then log
+            messages
+            in that category will be sent to the <command>default</command> category
+            instead. If you don't specify a default category, the following
+            "default default" is used:
+          </para>
+
 <programlisting>category default { default_syslog; default_debug; };
 </programlisting>
-<para>As an example, let's say you want to log security events to
-a file, but you also want keep the default logging behavior. You'd
-specify the following:</para>
+
+          <para>
+            As an example, let's say you want to log security events to
+            a file, but you also want keep the default logging behavior. You'd
+            specify the following:
+          </para>
+
 <programlisting>channel my_security_channel {
     file "my_security_file";
     severity info;
@@ -2618,138 +4009,269 @@ category security {
     default_syslog;
     default_debug;
 };</programlisting>
-<para>To discard all messages in a category, specify the <command>null</command> channel:</para>
+
+          <para>
+            To discard all messages in a category, specify the <command>null</command> channel:
+          </para>
+
 <programlisting>category xfer-out { null; };
 category notify { null; };
 </programlisting>
-<para>Following are the available categories and brief descriptions
-of the types of log information they contain. More
-categories may be added in future <acronym>BIND</acronym> releases.</para>
-<informaltable
-    colsep = "0" rowsep = "0"><tgroup cols = "2"
-    colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.350in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>default</command></para></entry>
-<entry colname = "2"><para>The default category defines the logging
-options for those categories where no specific configuration has been
-defined.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>general</command></para></entry>
-<entry colname = "2"><para>The catch-all. Many things still aren't
-classified into categories, and they all end up here.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>database</command></para></entry>
-<entry colname = "2"><para>Messages relating to the databases used
-internally by the name server to store zone and cache data.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>security</command></para></entry>
-<entry colname = "2"><para>Approval and denial of requests.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>config</command></para></entry>
-<entry colname = "2"><para>Configuration file parsing and processing.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>resolver</command></para></entry>
-<entry colname = "2"><para>DNS resolution, such as the recursive
-lookups performed on behalf of clients by a caching name server.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>xfer-in</command></para></entry>
-<entry colname = "2"><para>Zone transfers the server is receiving.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>xfer-out</command></para></entry>
-<entry colname = "2"><para>Zone transfers the server is sending.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>notify</command></para></entry>
-<entry colname = "2"><para>The NOTIFY protocol.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>client</command></para></entry>
-<entry colname = "2"><para>Processing of client requests.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>unmatched</command></para></entry>
-<entry colname = "2"><para>Messages that named was unable to determine the
-class of or for which there was no matching <command>view</command>.
-A one line summary is also logged to the <command>client</command> category.
-This category is best sent to a file or stderr, by default it is sent to
-the <command>null</command> channel.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>network</command></para></entry>
-<entry colname = "2"><para>Network operations.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>update</command></para></entry>
-<entry colname = "2"><para>Dynamic updates.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>update-security</command></para></entry>
-<entry colname = "2"><para>Approval and denial of update requests.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>queries</command></para></entry>
-<entry colname = "2"><para>Specify where queries should be logged to.</para>
-<para>
-At startup, specifying the category <command>queries</command> will also
-enable query logging unless <command>querylog</command> option has been
-specified.
-</para>
-<para>
-The query log entry reports the client's IP address and port number, and the
-query name, class and type.  It also reports whether the Recursion Desired
-flag was set (+ if set, - if not set), EDNS was in use (E) or if the
-query was signed (S).</para>
-<para><computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
-</para>
-<para><computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput>
-</para>
-</entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>dispatch</command></para></entry>
-<entry colname = "2"><para>Dispatching of incoming packets to the
-server modules where they are to be processed.
-</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>dnssec</command></para></entry>
-<entry colname = "2"><para>DNSSEC and TSIG protocol processing.
-</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>lame-servers</command></para></entry>
-<entry colname = "2"><para>Lame servers.  These are misconfigurations
-in remote servers, discovered by BIND 9 when trying to query
-those servers during resolution.
-</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>delegation-only</command></para></entry>
-<entry colname = "2"><para>Delegation only.  Logs queries that have have
-been forced to NXDOMAIN as the result of a delegation-only zone or
-a <command>delegation-only</command> in a hint or stub zone declaration.
-</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-</sect3>
-</sect2>
-
-<sect2>
-<title><command>lwres</command> Statement Grammar</title>
-
-<para> This is the grammar of the <command>lwres</command>
-statement in the <filename>named.conf</filename> file:</para>
+
+          <para>
+            Following are the available categories and brief descriptions
+            of the types of log information they contain. More
+            categories may be added in future <acronym>BIND</acronym> releases.
+          </para>
+          <informaltable colsep="0" rowsep="0">
+            <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+              <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+              <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
+              <tbody>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>default</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      The default category defines the logging
+                      options for those categories where no specific
+                      configuration has been
+                      defined.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>general</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      The catch-all. Many things still aren't
+                      classified into categories, and they all end up here.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>database</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Messages relating to the databases used
+                      internally by the name server to store zone and cache
+                      data.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>security</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Approval and denial of requests.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>config</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Configuration file parsing and processing.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>resolver</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      DNS resolution, such as the recursive
+                      lookups performed on behalf of clients by a caching name
+                      server.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>xfer-in</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Zone transfers the server is receiving.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>xfer-out</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Zone transfers the server is sending.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>notify</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      The NOTIFY protocol.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>client</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Processing of client requests.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>unmatched</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Messages that named was unable to determine the
+                      class of or for which there was no matching <command>view</command>.
+                      A one line summary is also logged to the <command>client</command> category.
+                      This category is best sent to a file or stderr, by
+                      default it is sent to
+                      the <command>null</command> channel.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>network</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Network operations.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>update</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Dynamic updates.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>update-security</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Approval and denial of update requests.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>queries</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Specify where queries should be logged to.
+                    </para>
+                    <para>
+                      At startup, specifying the category <command>queries</command> will also
+                      enable query logging unless <command>querylog</command> option has been
+                      specified.
+                    </para>
+                    <para>
+                      The query log entry reports the client's IP address and
+                      port number, and the
+                      query name, class and type.  It also reports whether the
+                      Recursion Desired
+                      flag was set (+ if set, - if not set), EDNS was in use
+                      (E) or if the
+                      query was signed (S).
+                    </para>
+                    <para>
+                      <computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
+                    </para>
+                    <para>
+                      <computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput>
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>dispatch</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Dispatching of incoming packets to the
+                      server modules where they are to be processed.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>dnssec</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      DNSSEC and TSIG protocol processing.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>lame-servers</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Lame servers.  These are misconfigurations
+                      in remote servers, discovered by BIND 9 when trying to
+                      query
+                      those servers during resolution.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>delegation-only</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Delegation only.  Logs queries that have have
+                      been forced to NXDOMAIN as the result of a
+                      delegation-only zone or
+                      a <command>delegation-only</command> in a
+                      hint or stub zone declaration.
+                    </para>
+                  </entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </informaltable>
+        </sect3>
+      </sect2>
+
+      <sect2>
+        <title><command>lwres</command> Statement Grammar</title>
+
+        <para>
+           This is the grammar of the <command>lwres</command>
+          statement in the <filename>named.conf</filename> file:
+        </para>
 
 <programlisting><command>lwres</command> {
     <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
@@ -2759,55 +4281,87 @@ statement in the <filename>named.conf</filename> file:</para>
 };
 </programlisting>
 
-</sect2>
-<sect2>
-<title><command>lwres</command> Statement Definition and Usage</title>
-
-<para>The <command>lwres</command> statement configures the name
-server to also act as a lightweight resolver server. (See
-<xref linkend="lwresd"/>.)  There may be be multiple
-<command>lwres</command> statements configuring
-lightweight resolver servers with different properties.</para>
-
-<para>The <command>listen-on</command> statement specifies a list of
-addresses (and ports) that this instance of a lightweight resolver daemon
-should accept requests on.  If no port is specified, port 921 is used.
-If this statement is omitted, requests will be accepted on 127.0.0.1,
-port 921.</para>
-
-<para>The <command>view</command> statement binds this instance of a
-lightweight resolver daemon to a view in the DNS namespace, so that the
-response will be constructed in the same manner as a normal DNS query
-matching this view.  If this statement is omitted, the default view is
-used, and if there is no default view, an error is triggered.</para>
-
-<para>The <command>search</command> statement is equivalent to the
-<command>search</command> statement in
-<filename>/etc/resolv.conf</filename>.  It provides a list of domains
-which are appended to relative names in queries.</para>
-
-<para>The <command>ndots</command> statement is equivalent to the
-<command>ndots</command> statement in
-<filename>/etc/resolv.conf</filename>.  It indicates the minimum
-number of dots in a relative domain name that should result in an
-exact match lookup before search path elements are appended.</para>
-</sect2>
-<sect2>
-      <title><command>masters</command> Statement Grammar</title>
+      </sect2>
+      <sect2>
+        <title><command>lwres</command> Statement Definition and Usage</title>
+
+        <para>
+          The <command>lwres</command> statement configures the
+          name
+          server to also act as a lightweight resolver server. (See
+          <xref linkend="lwresd"/>.)  There may be be multiple
+          <command>lwres</command> statements configuring
+          lightweight resolver servers with different properties.
+        </para>
+
+        <para>
+          The <command>listen-on</command> statement specifies a
+          list of
+          addresses (and ports) that this instance of a lightweight resolver
+          daemon
+          should accept requests on.  If no port is specified, port 921 is
+          used.
+          If this statement is omitted, requests will be accepted on
+          127.0.0.1,
+          port 921.
+        </para>
+
+        <para>
+          The <command>view</command> statement binds this
+          instance of a
+          lightweight resolver daemon to a view in the DNS namespace, so that
+          the
+          response will be constructed in the same manner as a normal DNS
+          query
+          matching this view.  If this statement is omitted, the default view
+          is
+          used, and if there is no default view, an error is triggered.
+        </para>
+
+        <para>
+          The <command>search</command> statement is equivalent to
+          the
+          <command>search</command> statement in
+          <filename>/etc/resolv.conf</filename>.  It provides a
+          list of domains
+          which are appended to relative names in queries.
+        </para>
+
+        <para>
+          The <command>ndots</command> statement is equivalent to
+          the
+          <command>ndots</command> statement in
+          <filename>/etc/resolv.conf</filename>.  It indicates the
+          minimum
+          number of dots in a relative domain name that should result in an
+          exact match lookup before search path elements are appended.
+        </para>
+      </sect2>
+      <sect2>
+        <title><command>masters</command> Statement Grammar</title>
+
 <programlisting>
-<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> } ; 
+<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };
 </programlisting>
-</sect2>
-<sect2>
-      <title><command>masters</command> Statement Definition and Usage </title>
-<para><command>masters</command> lists allow for a common set of masters
-to be easily used by multiple stub and slave zones.</para>
-</sect2>
-<sect2>
-<title><command>options</command> Statement Grammar</title>
-
-<para>This is the grammar of the <command>options</command>
-statement in the <filename>named.conf</filename> file:</para>
+
+      </sect2>
+
+      <sect2>
+        <title><command>masters</command> Statement Definition and
+          Usage</title>
+        <para><command>masters</command>
+	  lists allow for a common set of masters to be easily used by
+          multiple stub and slave zones.
+        </para>
+      </sect2>
+
+      <sect2>
+        <title><command>options</command> Statement Grammar</title>
+
+        <para>
+          This is the grammar of the <command>options</command>
+          statement in the <filename>named.conf</filename> file:
+        </para>
 
 <programlisting>options {
     <optional> version <replaceable>version_string</replaceable>; </optional>
@@ -2835,31 +4389,52 @@ statement in the <filename>named.conf</filename> file:</para>
     <optional> host-statistics-max <replaceable>number</replaceable>; </optional>
     <optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
     <optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable>; </optional>
+    <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
     <optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
     <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
     <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
     <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
     <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
     <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
     <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
+    <optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
     <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
     <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; ... }; </optional>
-    <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+    <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> {
+        ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> |
+          <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; 
+        ... }; </optional>
+    <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )
+        ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+    <optional> check-mx ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+    <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> check-integrity <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+    <optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+    <optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
     <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
     <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
     <optional> avoid-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
     <optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
-    <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
+    <optional> query-source ( ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> )
+        <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
+	<optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
+	<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
+    <optional> query-source-v6 ( ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> )
+	<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> | 
+	<optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional> 
+	<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
     <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
     <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
     <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
@@ -2915,69 +4490,128 @@ statement in the <filename>named.conf</filename> file:</para>
     <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
     <optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
     <optional> edns-udp-size <replaceable>number</replaceable>; </optional>
+    <optional> max-udp-size <replaceable>number</replaceable>; </optional>
     <optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
     <optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
+    <optional> acache-enable <replaceable>yes_or_no</replaceable> ; </optional>
+    <optional> acache-cleaning-interval <replaceable>number</replaceable>; </optional>
+    <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
+    <optional> clients-per-query <replaceable>number</replaceable> ; </optional>
+    <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
+    <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
+    <optional> empty-server <replaceable>name</replaceable> ; </optional>
+    <optional> empty-contact <replaceable>name</replaceable> ; </optional>
+    <optional> empty-zones-enable <replaceable>yes_or_no</replaceable> ; </optional>
+    <optional> disable-empty-zone <replaceable>zone_name</replaceable> ; </optional>
+    <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
+    <optional> zero-no-soa-ttl-cache <replaceable>yes_or_no</replaceable> ; </optional>
 };
 </programlisting>
-</sect2>
-
-<sect2 id="options"><title><command>options</command> Statement Definition and Usage</title>
-
-<para>The <command>options</command> statement sets up global options
-to be used by <acronym>BIND</acronym>. This statement may appear only
-once in a configuration file. If there is no <command>options</command>
-statement, an options block with each option set to its default will
-be used.</para>
-
-<variablelist>
-
-<varlistentry><term><command>directory</command></term>
-<listitem><para>The working directory of the server.
-Any non-absolute pathnames in the configuration file will be taken
-as relative to this directory. The default location for most server
-output files (e.g. <filename>named.run</filename>) is this directory.
-If a directory is not specified, the working directory defaults
-to `<filename>.</filename>', the directory from which the server
-was started. The directory specified should be an absolute path.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>key-directory</command></term>
-<listitem><para>When performing dynamic update of secure zones, the
-directory where the public and private key files should be found,
-if different than the current working directory.  The directory specified
-must be an absolute path.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>named-xfer</command></term>
-<listitem><para><emphasis>This option is obsolete.</emphasis>
-It was used in <acronym>BIND</acronym> 8 to
-specify the pathname to the <command>named-xfer</command> program.
-In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
-needed; its functionality is built into the name server.</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>tkey-domain</command></term>
-<listitem><para>The domain appended to the names of all
-shared keys generated with <command>TKEY</command>. When a client
-requests a <command>TKEY</command> exchange, it may or may not specify
-the desired name for the key. If present, the name of the shared
-key will be "<varname>client specified part</varname>" + 
-"<varname>tkey-domain</varname>".
-Otherwise, the name of the shared key will be "<varname>random hex
+
+      </sect2>
+
+      <sect2 id="options">
+        <title><command>options</command> Statement Definition and
+          Usage</title>
+
+        <para>
+          The <command>options</command> statement sets up global
+          options
+          to be used by <acronym>BIND</acronym>. This statement
+          may appear only
+          once in a configuration file. If there is no <command>options</command>
+          statement, an options block with each option set to its default will
+          be used.
+        </para>
+
+        <variablelist>
+
+          <varlistentry>
+            <term><command>directory</command></term>
+            <listitem>
+              <para>
+                The working directory of the server.
+                Any non-absolute pathnames in the configuration file will be
+                taken
+                as relative to this directory. The default location for most
+                server
+                output files (e.g. <filename>named.run</filename>)
+                is this directory.
+                If a directory is not specified, the working directory
+                defaults to `<filename>.</filename>', the directory from
+                which the server
+                was started. The directory specified should be an absolute
+                path.
+              </para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><command>key-directory</command></term>
+            <listitem>
+              <para>
+                When performing dynamic update of secure zones, the
+                directory where the public and private key files should be
+                found,
+                if different than the current working directory.  The
+                directory specified
+                must be an absolute path.
+              </para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><command>named-xfer</command></term>
+            <listitem>
+              <para>
+                <emphasis>This option is obsolete.</emphasis>
+                It was used in <acronym>BIND</acronym> 8 to
+                specify the pathname to the <command>named-xfer</command> program.
+                In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
+                needed; its functionality is built into the name server.
+              </para>
+
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><command>tkey-domain</command></term>
+            <listitem>
+              <para>
+                The domain appended to the names of all
+                shared keys generated with
+                <command>TKEY</command>. When a client
+                requests a <command>TKEY</command> exchange, it
+                may or may not specify
+                the desired name for the key. If present, the name of the
+                shared
+                key will be "<varname>client specified part</varname>" +
+                "<varname>tkey-domain</varname>".
+                Otherwise, the name of the shared key will be "<varname>random hex
 digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
-the <command>domainname</command> should be the server's domain
-name.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>tkey-dhkey</command></term>
-<listitem><para>The Diffie-Hellman key used by the server
-to generate shared keys with clients using the Diffie-Hellman mode
-of <command>TKEY</command>. The server must be able to load the
-public and private keys from files in the working directory. In
-most cases, the keyname should be the server's host name.</para>
-</listitem></varlistentry>
+                the <command>domainname</command> should be the
+                server's domain
+                name.
+              </para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><command>tkey-dhkey</command></term>
+            <listitem>
+              <para>
+                The Diffie-Hellman key used by the server
+                to generate shared keys with clients using the Diffie-Hellman
+                mode
+                of <command>TKEY</command>. The server must be
+                able to load the
+                public and private keys from files in the working directory.
+                In
+                most cases, the keyname should be the server's host name.
+              </para>
+            </listitem>
+          </varlistentry>
 
           <varlistentry>
             <term><command>cache-file</command></term>
@@ -2988,877 +4622,1711 @@ most cases, the keyname should be the server's host name.</para>
             </listitem>
           </varlistentry>
 
-<varlistentry><term><command>dump-file</command></term>
-<listitem><para>The pathname of the file the server dumps
-the database to when instructed to do so with
-<command>rndc dumpdb</command>.
-If not specified, the default is <filename>named_dump.db</filename>.</para>
-</listitem></varlistentry>
-<varlistentry><term><command>memstatistics-file</command></term>
-<listitem><para>The pathname of the file the server writes memory
-usage statistics to on exit. If not specified,
-the default is <filename>named.memstats</filename>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>pid-file</command></term>
-<listitem><para>The pathname of the file the server writes its process ID
-in. If not specified, the default is <filename>/var/run/named.pid</filename>.
-The pid-file is used by programs that want to send signals to the running
-name server. Specifying <command>pid-file none</command> disables the
-use of a PID file &mdash; no file will be written and any
-existing one will be removed.  Note that <command>none</command>
-is a keyword, not a file name, and therefore is not enclosed in
-double quotes.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>statistics-file</command></term>
-<listitem><para>The pathname of the file the server appends statistics
-to when instructed to do so using <command>rndc stats</command>.
-If not specified, the default is <filename>named.stats</filename> in the
-server's current directory.  The format of the file is described
-in <xref linkend="statsfile"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>port</command></term>
-<listitem><para>
-The UDP/TCP port number the server uses for 
-receiving and sending DNS protocol traffic.
-The default is 53.  This option is mainly intended for server testing;
-a server using a port other than 53 will not be able to communicate with
-the global DNS.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>random-device</command></term>
-<listitem><para>
-The source of entropy to be used by the server.  Entropy is primarily needed
-for DNSSEC operations, such as TKEY transactions and dynamic update of signed
-zones.  This options specifies the device (or file) from which to read
-entropy.  If this is a file, operations requiring entropy will fail when the
-file has been exhausted.  If not specified, the default value is
-<filename>/dev/random</filename>
-(or equivalent) when present, and none otherwise.  The
-<command>random-device</command> option takes effect during
-the initial configuration load at server startup time and
-is ignored on subsequent reloads.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>preferred-glue</command></term>
-<listitem><para>
-If specified, the listed type (A or AAAA) will be emitted before other glue
-in the additional section of a query response.
-The default is not to prefer any type (NONE).
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>root-delegation-only</command></term>
-<listitem><para>
-Turn on enforcement of delegation-only in TLDs (top level domains)
-and root zones with an optional exclude list.
-</para>
-<para>
-Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
-</para>
+          <varlistentry>
+            <term><command>dump-file</command></term>
+            <listitem>
+              <para>
+                The pathname of the file the server dumps
+                the database to when instructed to do so with
+                <command>rndc dumpdb</command>.
+                If not specified, the default is <filename>named_dump.db</filename>.
+              </para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><command>memstatistics-file</command></term>
+            <listitem>
+              <para>
+                The pathname of the file the server writes memory
+                usage statistics to on exit. If not specified,
+                the default is
+                <filename>named.memstats</filename>.
+              </para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><command>pid-file</command></term>
+            <listitem>
+              <para>
+                The pathname of the file the server writes its process ID
+                in. If not specified, the default is <filename>/var/run/named.pid</filename>.
+                The pid-file is used by programs that want to send signals to
+                the running
+                name server. Specifying <command>pid-file none</command> disables the
+                use of a PID file &mdash; no file will be written and any
+                existing one will be removed.  Note that <command>none</command>
+                is a keyword, not a file name, and therefore is not enclosed
+                in
+                double quotes.
+              </para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><command>statistics-file</command></term>
+            <listitem>
+              <para>
+                The pathname of the file the server appends statistics
+                to when instructed to do so using <command>rndc stats</command>.
+                If not specified, the default is <filename>named.stats</filename> in the
+                server's current directory.  The format of the file is
+                described
+                in <xref linkend="statsfile"/>.
+              </para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><command>port</command></term>
+            <listitem>
+              <para>
+                The UDP/TCP port number the server uses for
+                receiving and sending DNS protocol traffic.
+                The default is 53.  This option is mainly intended for server
+                testing;
+                a server using a port other than 53 will not be able to
+                communicate with
+                the global DNS.
+              </para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><command>random-device</command></term>
+            <listitem>
+              <para>
+                The source of entropy to be used by the server.  Entropy is
+                primarily needed
+                for DNSSEC operations, such as TKEY transactions and dynamic
+                update of signed
+                zones.  This options specifies the device (or file) from which
+                to read
+                entropy.  If this is a file, operations requiring entropy will
+                fail when the
+                file has been exhausted.  If not specified, the default value
+                is
+                <filename>/dev/random</filename>
+                (or equivalent) when present, and none otherwise.  The
+                <command>random-device</command> option takes
+                effect during
+                the initial configuration load at server startup time and
+                is ignored on subsequent reloads.
+              </para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><command>preferred-glue</command></term>
+            <listitem>
+              <para>
+                If specified, the listed type (A or AAAA) will be emitted
+                before other glue
+                in the additional section of a query response.
+                The default is not to prefer any type (NONE).
+              </para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><command>root-delegation-only</command></term>
+            <listitem>
+              <para>
+                Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
+                with an optional
+                exclude list.
+              </para>
+              <para>
+                Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
+                and "MUSEUM").
+              </para>
+
 <programlisting>
 options {
 	root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
 };
 </programlisting>
-</listitem></varlistentry>
-
-<varlistentry><term><command>disable-algorithms</command></term>
-<listitem><para>
-Disable the specified DNSSEC algorithms at and below the specified name.
-Multiple <command>disable-algorithms</command> statements are allowed.
-Only the most specific will be applied.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>dnssec-lookaside</command></term>
-<listitem><para>
-When set, <command>dnssec-lookaside</command> provides the
-validator with an alternate method to validate DNSKEY records at the
-top of a zone.  When a DNSKEY is at or below a domain specified by the
-deepest <command>dnssec-lookaside</command>, and the normal dnssec validation
-has left the key untrusted, the trust-anchor will be append to the key
-name and a DLV record will be looked up to see if it can validate the
-key.  If the DLV record validates a DNSKEY (similarly to the way a DS
-record does) the DNSKEY RRset is deemed to be trusted.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>dnssec-must-be-secure</command></term>
-<listitem><para>
-Specify heirarchies which must be or may not be secure (signed and validated).
-If <userinput>yes</userinput>, then named will only accept answers if they
-are secure.
-If <userinput>no</userinput>, then normal dnssec validation applies
-allowing for insecure answers to be accepted.
-The specified domain must be under a <command>trusted-key</command> or
-<command>dnssec-lookaside</command> must be active.
-</para></listitem></varlistentry>
-
-</variablelist>
-
-<sect3 id="boolean_options"><title>Boolean Options</title>
-
-<variablelist>
-
-<varlistentry><term><command>auth-nxdomain</command></term>
-<listitem><para>If <userinput>yes</userinput>, then the <command>AA</command> bit
-is always set on NXDOMAIN responses, even if the server is not actually
-authoritative. The default is <userinput>no</userinput>; this is
-a change from <acronym>BIND</acronym> 8. If you are using very old DNS software, you
-may need to set it to <userinput>yes</userinput>.</para></listitem></varlistentry>
-
-<varlistentry><term><command>deallocate-on-exit</command></term>
-<listitem><para>This option was used in <acronym>BIND</acronym> 8 to enable checking
-for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
-the checks.</para></listitem></varlistentry>
-
-<varlistentry><term><command>dialup</command></term>
-<listitem><para>If <userinput>yes</userinput>, then the
-server treats all zones as if they are doing zone transfers across
-a dial-on-demand dialup link, which can be brought up by traffic
-originating from this server. This has different effects according
-to zone type and concentrates the zone maintenance so that it all
-happens in a short interval, once every <command>heartbeat-interval</command> and
-hopefully during the one call. It also suppresses some of the normal
-zone maintenance traffic. The default is <userinput>no</userinput>.</para>
-<para>The <command>dialup</command> option
-may also be specified in the <command>view</command> and 
-<command>zone</command> statements,
-in which case it overrides the global <command>dialup</command>
-option.</para>
-<para>If the zone is a master zone, then the server will send out a NOTIFY 
-request to all the slaves (default). This should trigger the zone serial
-number check in the slave (providing it supports NOTIFY) allowing the slave
-to verify the zone while the connection is active.
-The set of servers to which NOTIFY is sent can be controlled by
-<command>notify</command> and <command>also-notify</command>.</para>
-<para>If the
-zone is a slave or stub zone, then the server will suppress the regular
-"zone up to date" (refresh) queries and only perform them when the
-<command>heartbeat-interval</command> expires in addition to sending
-NOTIFY requests.</para><para>Finer control can be achieved by using
-<userinput>notify</userinput> which only sends NOTIFY messages,
-<userinput>notify-passive</userinput> which sends NOTIFY messages and
-suppresses the normal refresh queries, <userinput>refresh</userinput>
-which suppresses normal refresh processing and sends refresh queries 
-when the <command>heartbeat-interval</command> expires, and
-<userinput>passive</userinput> which just disables normal refresh
-processing.</para>
-
-<informaltable colsep = "0" rowsep = "0">
-<tgroup cols = "4" colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "1.150in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>dialup mode</para></entry>
-<entry colname = "2"><para>normal refresh</para></entry>
-<entry colname = "3"><para>heart-beat refresh</para></entry>
-<entry colname = "4"><para>heart-beat notify</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>no</command> (default)</para></entry>
-<entry colname = "2"><para>yes</para></entry>
-<entry colname = "3"><para>no</para></entry>
-<entry colname = "4"><para>no</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>yes</command></para></entry>
-<entry colname = "2"><para>no</para></entry>
-<entry colname = "3"><para>yes</para></entry>
-<entry colname = "4"><para>yes</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>notify</command></para></entry>
-<entry colname = "2"><para>yes</para></entry>
-<entry colname = "3"><para>no</para></entry>
-<entry colname = "4"><para>yes</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>refresh</command></para></entry>
-<entry colname = "2"><para>no</para></entry>
-<entry colname = "3"><para>yes</para></entry>
-<entry colname = "4"><para>no</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>passive</command></para></entry>
-<entry colname = "2"><para>no</para></entry>
-<entry colname = "3"><para>no</para></entry>
-<entry colname = "4"><para>no</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>notify-passive</command></para></entry>
-<entry colname = "2"><para>no</para></entry>
-<entry colname = "3"><para>no</para></entry>
-<entry colname = "4"><para>yes</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-
-<para>Note that normal NOTIFY processing is not affected by
-<command>dialup</command>.</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>fake-iquery</command></term>
-<listitem><para>In <acronym>BIND</acronym> 8, this option
-enabled simulating the obsolete DNS query type
-IQUERY. <acronym>BIND</acronym> 9 never does IQUERY simulation.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>fetch-glue</command></term>
-<listitem><para>This option is obsolete.
-In BIND 8, <userinput>fetch-glue yes</userinput>
-caused the server to attempt to fetch glue resource records it
-didn't have when constructing the additional
-data section of a response.  This is now considered a bad idea
-and BIND 9 never does it.</para></listitem></varlistentry>
-
-<varlistentry><term><command>flush-zones-on-shutdown</command></term>
-<listitem><para>When the nameserver exits due receiving SIGTERM,
-flush or do not flush any pending zone writes.  The default is
-<command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>has-old-clients</command></term>
-<listitem><para>This option was incorrectly implemented
-in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
-To achieve the intended effect
-of
-<command>has-old-clients</command> <userinput>yes</userinput>, specify
-the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
-and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>host-statistics</command></term>
-<listitem><para>In BIND 8, this enables keeping of
-statistics for every host that the name server interacts with.
-Not implemented in BIND 9.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>maintain-ixfr-base</command></term>
-<listitem><para><emphasis>This option is obsolete</emphasis>.
- It was used in <acronym>BIND</acronym> 8 to determine whether a transaction log was
-kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
-log whenever possible.  If you need to disable outgoing incremental zone
-transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>minimal-responses</command></term>
-<listitem><para>If <userinput>yes</userinput>, then when generating
-responses the server will only add records to the authority and
-additional data sections when they are required (e.g. delegations,
-negative responses).  This may improve the performance of the server.
-The default is <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>multiple-cnames</command></term>
-<listitem><para>This option was used in <acronym>BIND</acronym> 8 to allow
-a domain name to have multiple CNAME records in violation of the
-DNS standards.  <acronym>BIND</acronym> 9.2 always strictly
-enforces the CNAME rules both in master files and dynamic updates.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>notify</command></term>
-<listitem><para>If <userinput>yes</userinput> (the default),
-DNS NOTIFY messages are sent when a zone the server is authoritative for
-changes, see <xref linkend="notify"/>.  The messages are sent to the
-servers listed in the zone's NS records (except the master server identified
-in the SOA MNAME field), and to any servers listed in the
-<command>also-notify</command> option.
-</para><para>
-If <userinput>explicit</userinput>, notifies are sent only to
-servers explicitly listed using <command>also-notify</command>.
-If <userinput>no</userinput>, no notifies are sent.
-</para><para>
-The <command>notify</command> option may also be
-specified in the <command>zone</command> statement,
-in which case it overrides the <command>options notify</command> statement.
-It would only be necessary to turn off this option if it caused slaves
-to crash.</para></listitem></varlistentry>
-
-<varlistentry><term><command>recursion</command></term>
-<listitem><para>If <userinput>yes</userinput>, and a
-DNS query requests recursion, then the server will attempt to do
-all the work required to answer the query. If recursion is off
-and the server does not already know the answer, it will return a
-referral response. The default is <userinput>yes</userinput>.
-Note that setting <command>recursion no</command> does not prevent
-clients from getting data from the server's cache; it only
-prevents new data from being cached as an effect of client queries.
-Caching may still occur as an effect the server's internal
-operation, such as NOTIFY address lookups.
-See also <command>fetch-glue</command> above.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>rfc2308-type1</command></term>
-<listitem><para>Setting this to <userinput>yes</userinput> will
-cause the server to send NS records along with the SOA record for negative
-answers. The default is <userinput>no</userinput>.</para>
-<note><simpara>Not yet implemented in <acronym>BIND</acronym> 9.</simpara></note>
-</listitem></varlistentry>
-
-<varlistentry><term><command>use-id-pool</command></term>
-<listitem><para><emphasis>This option is obsolete</emphasis>.
-<acronym>BIND</acronym> 9 always allocates query IDs from a pool.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>zone-statistics</command></term>
-<listitem><para>If <userinput>yes</userinput>, the server will collect
-statistical data on all zones (unless specifically turned off
-on a per-zone basis by specifying <command>zone-statistics no</command>
-in the <command>zone</command> statement).  These statistics may be accessed
-using <command>rndc stats</command>, which will dump them to the file listed
-in the <command>statistics-file</command>.  See also <xref linkend="statsfile"/>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>use-ixfr</command></term>
-<listitem><para><emphasis>This option is obsolete</emphasis>.
-If you need to disable IXFR to a particular server or servers see
-the information on the <command>provide-ixfr</command> option
-in <xref linkend="server_statement_definition_and_usage"/>. See also
-<xref linkend="incremental_zone_transfers"/>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>provide-ixfr</command></term>
-<listitem>
-<para>
-See the description of
-<command>provide-ixfr</command> in
-<xref linkend="server_statement_definition_and_usage"/>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>request-ixfr</command></term>
-<listitem>
-<para>
-See the description of
-<command>request-ixfr</command> in
-<xref linkend="server_statement_definition_and_usage"/>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>treat-cr-as-space</command></term>
-<listitem><para>This option was used in <acronym>BIND</acronym> 8 to make
-the server treat carriage return ("<command>\r</command>") characters the same way
-as a space or tab character,
-to facilitate loading of zone files on a UNIX system that were generated
-on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
-and NT/DOS "<command>\r\n</command>" newlines are always accepted,
-and the option is ignored.</para></listitem></varlistentry>
-
-<varlistentry>
-<term><command>additional-from-auth</command></term>
-<term><command>additional-from-cache</command></term>
-<listitem>
-
-<para>
-These options control the behavior of an authoritative server when
-answering queries which have additional data, or when following CNAME
-and DNAME chains.
-</para>
-
-<para>
-When both of these options are set to <userinput>yes</userinput> 
-(the default) and a
-query is being answered from authoritative data (a zone
-configured into the server), the additional data section of the
-reply will be filled in using data from other authoritative zones
-and from the cache.  In some situations this is undesirable, such
-as when there is concern over the correctness of the cache, or
-in servers where slave zones may be added and modified by
-untrusted third parties.  Also, avoiding
-the search for this additional data will speed up server operations
-at the possible expense of additional queries to resolve what would
-otherwise be provided in the additional section.
-</para>
-
-<para>
-For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
-and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
-records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
-if known, even though they are not in the example.com zone.
-Setting these options to <command>no</command> disables this behavior and makes
-the server only search for additional data in the zone it answers from.
-</para>
-
-<para>
-These options are intended for use in authoritative-only 
-servers, or in authoritative-only views.  Attempts to set
-them to <command>no</command> without also specifying
-<command>recursion no</command> will cause the server to
-ignore the options and log a warning message.
-</para>
-
-<para>
-Specifying <command>additional-from-cache no</command> actually
-disables the use of the cache not only for additional data lookups
-but also when looking up the answer.  This is usually the desired
-behavior in an authoritative-only server where the correctness of
-the cached data is an issue.
-</para>
-
-<para>
-When a name server is non-recursively queried for a name that is not
-below the apex of any served zone, it normally answers with an
-"upwards referral" to the root servers or the servers of some other
-known parent of the query name.  Since the data in an upwards referral
-comes from the cache, the server will not be able to provide upwards
-referrals when <command>additional-from-cache no</command>
-has been specified.  Instead, it will respond to such queries
-with REFUSED.  This should not cause any problems since
-upwards referrals are not required for the resolution process.
-</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>match-mapped-addresses</command></term>
-<listitem><para>If <userinput>yes</userinput>, then an
-IPv4-mapped IPv6 address will match any address match
-list entries that match the corresponding IPv4 address.
-Enabling this option is sometimes useful on IPv6-enabled Linux
-systems, to work around a kernel quirk that causes IPv4
-TCP connections such as zone transfers to be accepted
-on an IPv6 socket using mapped addresses, causing
-address match lists designed for IPv4 to fail to match.
-The use of this option for any other purpose is discouraged.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>ixfr-from-differences</command></term>
-<listitem>
-<para>
-When  <userinput>yes</userinput> and the server loads a new version of a master
-zone from its zone file or receives a new version of a slave
-file by a non-incremental zone transfer, it will compare
-the new version to the previous one and calculate a set
-of differences.  The differences are then logged in the
-zone's journal file such that the changes can be transmitted
-to downstream slaves as an incremental zone transfer.
-</para><para>
-By allowing incremental zone transfers to be used for
-non-dynamic zones, this option saves bandwidth at the
-expense of increased CPU and memory consumption at the master.
-In particular, if the new version of a zone is completely
-different from the previous one, the set of differences
-will be of a size comparable to the combined size of the
-old and new zone version, and the server will need to
-temporarily allocate memory to hold this complete
-difference set.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>multi-master</command></term>
-<listitem>
-<para>
-This should be set when you have multiple masters for a zone and the
-addresses refer to different machines.  If <userinput>yes</userinput>, named will not log
-when the serial number on the master is less than what named currently
-has.  The default is <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>dnssec-enable</command></term>
-<listitem>
-<para>
-Enable DNSSEC support in named.  Unless set to <userinput>yes</userinput>,
-named behaves as if it does not support DNSSEC.
-The default is <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>querylog</command></term>
-<listitem>
-<para>
-Specify whether query logging should be started when named starts.
-If <command>querylog</command> is not specified, then the query logging
-is determined by the presence of the logging category <command>queries</command>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>check-names</command></term>
-<listitem>
-<para>
-This option is used to restrict the character set and syntax of
-certain domain names in master files and/or DNS responses received
-from the network.  The default varies according to usage area.  For
-<command>master</command> zones the default is <command>fail</command>.
-For <command>slave</command> zones the default is <command>warn</command>.
-For answers received from the network (<command>response</command>)
-the default is <command>ignore</command>.
-</para>
-<para>The rules for legal hostnames and mail domains are derived from RFC 952
-and RFC 821 as modified by RFC 1123.
-</para>
-<para><command>check-names</command> applies to the owner names of A, AAA and
-MX records.  It also applies to the domain names in the RDATA of NS, SOA and MX
-records.  It also applies to the RDATA of PTR records where the owner name
-indicated that it is a reverse lookup of a hostname (the owner name ends in
-IN-ADDR.ARPA, IP6.ARPA, IP6.INT).
-</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3><title>Forwarding</title>
-<para>The forwarding facility can be used to create a large site-wide
-cache on a few servers, reducing traffic over links to external
-name servers. It can also be used to allow queries by servers that
-do not have direct access to the Internet, but wish to look up exterior
-names anyway. Forwarding occurs only on those queries for which
-the server is not authoritative and does not have the answer in
-its cache.</para>
-
-<variablelist>
-<varlistentry><term><command>forward</command></term>
-<listitem><para>This option is only meaningful if the
-forwarders list is not empty. A value of <varname>first</varname>,
-the default, causes the server to query the forwarders first &mdash; and
-if that doesn't answer the question, the server will then look for
-the answer itself. If <varname>only</varname> is specified, the
-server will only query the forwarders.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>forwarders</command></term>
-<listitem><para>Specifies the IP addresses to be used
-for forwarding. The default is the empty list (no forwarding).
-</para></listitem></varlistentry>
-
-</variablelist>
-
-<para>Forwarding can also be configured on a per-domain basis, allowing
-for the global forwarding options to be overridden in a variety
-of ways. You can set particular domains to use different forwarders,
-or have a different <command>forward only/first</command> behavior,
-or not forward at all, see <xref linkend="zone_statement_grammar"/>.</para>
-</sect3>
-
-<sect3><title>Dual-stack Servers</title>
-<para>Dual-stack servers are used as servers of last resort to work around
-problems in reachability due the lack of support for either IPv4 or IPv6
-on the host machine.</para>
-
-<variablelist>
-<varlistentry><term><command>dual-stack-servers</command></term>
-<listitem><para>Specifies host names or addresses of machines with access to
-both IPv4 and IPv6 transports. If a hostname is used, the server must be able
-to resolve the name using only the transport it has.  If the machine is dual
-stacked, then the <command>dual-stack-servers</command> have no effect unless
-access to a transport has been disabled on the command line
-(e.g. <command>named -4</command>).</para></listitem>
-</varlistentry>
-</variablelist>
-</sect3>
-
-<sect3 id="access_control"><title>Access Control</title>
-
-<para>Access to the server can be restricted based on the IP address
-of the requesting system. See <xref linkend="address_match_lists"/> for
-details on how to specify IP address lists.</para>
-
-<variablelist>
-
-<varlistentry><term><command>allow-notify</command></term>
-<listitem><para>Specifies which hosts are allowed to
-notify this server, a slave, of zone changes in addition
-to the zone masters.
-<command>allow-notify</command> may also be specified in the
-<command>zone</command> statement, in which case it overrides the
-<command>options allow-notify</command> statement.  It is only meaningful
-for a slave zone.  If not specified, the default is to process notify messages
-only from a zone's master.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-query</command></term>
-<listitem><para>Specifies which hosts are allowed to
-ask ordinary DNS questions. <command>allow-query</command> may also
-be specified in the <command>zone</command> statement, in which
-case it overrides the <command>options allow-query</command> statement. If
-not specified, the default is to allow queries from all hosts.</para>
-</listitem></varlistentry>
-
-
-<varlistentry><term><command>allow-recursion</command></term>
-<listitem><para>Specifies which hosts are allowed to
-make recursive queries through this server. If not specified, the
-default is to allow recursive queries from all hosts. 
-Note that disallowing recursive queries for a host does not prevent the
-host from retrieving data that is already in the server's cache.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-update-forwarding</command></term>
-<listitem><para>Specifies which hosts are allowed to
-submit Dynamic DNS updates to slave zones to be forwarded to the
-master.  The default is <userinput>{ none; }</userinput>, which 
-means that no update forwarding will be performed.  To enable
-update forwarding, specify
-<userinput>allow-update-forwarding { any; };</userinput>.
-Specifying values other than <userinput>{ none; }</userinput> or
-<userinput>{ any; }</userinput> is usually counterproductive, since
-the responsibility for update access control should rest with the 
-master server, not the slaves.</para>
-<para>Note that enabling the update forwarding feature on a slave server
-may expose master servers relying on insecure IP address based
-access control to attacks; see <xref linkend="dynamic_update_security"/>
-for more details.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-v6-synthesis</command></term>
-<listitem><para>This option was introduced for the smooth transition from AAAA
-to A6 and from "nibble labels" to binary labels.
-However, since both A6 and binary labels were then deprecated,
-this option was also deprecated.
-It is now ignored with some warning messages.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-transfer</command></term>
-<listitem><para>Specifies which hosts are allowed to
-receive zone transfers from the server. <command>allow-transfer</command> may
-also be specified in the <command>zone</command> statement, in which
-case it overrides the <command>options allow-transfer</command> statement.
-If not specified, the default is to allow transfers to all hosts.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>blackhole</command></term>
-<listitem><para>Specifies a list of addresses that the
-server will not accept queries from or use to resolve a query. Queries
-from these addresses will not be responded to. The default is <userinput>none</userinput>.</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3><title>Interfaces</title>
-<para>The interfaces and ports that the server will answer queries
-from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
-an optional port, and an <varname>address_match_list</varname>.
-The server will listen on all interfaces allowed by the address
-match list. If a port is not specified, port 53 will be used.</para>
-<para>Multiple <command>listen-on</command> statements are allowed.
-For example,</para>
+
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><command>disable-algorithms</command></term>
+            <listitem>
+              <para>
+                Disable the specified DNSSEC algorithms at and below the
+                specified name.
+                Multiple <command>disable-algorithms</command>
+                statements are allowed.
+                Only the most specific will be applied.
+              </para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><command>dnssec-lookaside</command></term>
+            <listitem>
+              <para>
+                When set, <command>dnssec-lookaside</command>
+                provides the
+                validator with an alternate method to validate DNSKEY records
+                at the
+                top of a zone.  When a DNSKEY is at or below a domain
+                specified by the
+                deepest <command>dnssec-lookaside</command>, and
+                the normal dnssec validation
+                has left the key untrusted, the trust-anchor will be append to
+                the key
+                name and a DLV record will be looked up to see if it can
+                validate the
+                key.  If the DLV record validates a DNSKEY (similarly to the
+                way a DS
+                record does) the DNSKEY RRset is deemed to be trusted.
+              </para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><command>dnssec-must-be-secure</command></term>
+            <listitem>
+              <para>
+                Specify hierarchies which must be or may not be secure (signed and
+                validated).
+                If <userinput>yes</userinput>, then named will only accept
+                answers if they
+                are secure.
+                If <userinput>no</userinput>, then normal dnssec validation
+                applies
+                allowing for insecure answers to be accepted.
+                The specified domain must be under a <command>trusted-key</command> or
+                <command>dnssec-lookaside</command> must be
+                active.
+              </para>
+            </listitem>
+          </varlistentry>
+
+        </variablelist>
+
+        <sect3 id="boolean_options">
+          <title>Boolean Options</title>
+
+          <variablelist>
+
+            <varlistentry>
+              <term><command>auth-nxdomain</command></term>
+              <listitem>
+                <para>
+                  If <userinput>yes</userinput>, then the <command>AA</command> bit
+                  is always set on NXDOMAIN responses, even if the server is
+                  not actually
+                  authoritative. The default is <userinput>no</userinput>;
+                  this is
+                  a change from <acronym>BIND</acronym> 8. If you
+                  are using very old DNS software, you
+                  may need to set it to <userinput>yes</userinput>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>deallocate-on-exit</command></term>
+              <listitem>
+                <para>
+                  This option was used in <acronym>BIND</acronym>
+                  8 to enable checking
+                  for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
+                  the checks.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>dialup</command></term>
+              <listitem>
+                <para>
+                  If <userinput>yes</userinput>, then the
+                  server treats all zones as if they are doing zone transfers
+                  across
+                  a dial-on-demand dialup link, which can be brought up by
+                  traffic
+                  originating from this server. This has different effects
+                  according
+                  to zone type and concentrates the zone maintenance so that
+                  it all
+                  happens in a short interval, once every <command>heartbeat-interval</command> and
+                  hopefully during the one call. It also suppresses some of
+                  the normal
+                  zone maintenance traffic. The default is <userinput>no</userinput>.
+                </para>
+                <para>
+                  The <command>dialup</command> option
+                  may also be specified in the <command>view</command> and
+                  <command>zone</command> statements,
+                  in which case it overrides the global <command>dialup</command>
+                  option.
+                </para>
+                <para>
+                  If the zone is a master zone, then the server will send out a
+                  NOTIFY
+                  request to all the slaves (default). This should trigger the
+                  zone serial
+                  number check in the slave (providing it supports NOTIFY)
+                  allowing the slave
+                  to verify the zone while the connection is active.
+                  The set of servers to which NOTIFY is sent can be controlled
+                  by
+                  <command>notify</command> and <command>also-notify</command>.
+                </para>
+                <para>
+                  If the
+                  zone is a slave or stub zone, then the server will suppress
+                  the regular
+                  "zone up to date" (refresh) queries and only perform them
+                  when the
+                  <command>heartbeat-interval</command> expires in
+                  addition to sending
+                  NOTIFY requests.
+                </para>
+                <para>
+                  Finer control can be achieved by using
+                  <userinput>notify</userinput> which only sends NOTIFY
+                  messages,
+                  <userinput>notify-passive</userinput> which sends NOTIFY
+                  messages and
+                  suppresses the normal refresh queries, <userinput>refresh</userinput>
+                  which suppresses normal refresh processing and sends refresh
+                  queries
+                  when the <command>heartbeat-interval</command>
+                  expires, and
+                  <userinput>passive</userinput> which just disables normal
+                  refresh
+                  processing.
+                </para>
+
+                <informaltable colsep="0" rowsep="0">
+                  <tgroup cols="4" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+                    <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+                    <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
+                    <colspec colname="3" colnum="3" colsep="0" colwidth="1.150in"/>
+                    <colspec colname="4" colnum="4" colsep="0" colwidth="1.150in"/>
+                    <tbody>
+                      <row rowsep="0">
+                        <entry colname="1">
+                          <para>
+                            dialup mode
+                          </para>
+                        </entry>
+                        <entry colname="2">
+                          <para>
+                            normal refresh
+                          </para>
+                        </entry>
+                        <entry colname="3">
+                          <para>
+                            heart-beat refresh
+                          </para>
+                        </entry>
+                        <entry colname="4">
+                          <para>
+                            heart-beat notify
+                          </para>
+                        </entry>
+                      </row>
+                      <row rowsep="0">
+                        <entry colname="1">
+                          <para><command>no</command> (default)</para>
+                        </entry>
+                        <entry colname="2">
+                          <para>
+                            yes
+                          </para>
+                        </entry>
+                        <entry colname="3">
+                          <para>
+                            no
+                          </para>
+                        </entry>
+                        <entry colname="4">
+                          <para>
+                            no
+                          </para>
+                        </entry>
+                      </row>
+                      <row rowsep="0">
+                        <entry colname="1">
+                          <para><command>yes</command></para>
+                        </entry>
+                        <entry colname="2">
+                          <para>
+                            no
+                          </para>
+                        </entry>
+                        <entry colname="3">
+                          <para>
+                            yes
+                          </para>
+                        </entry>
+                        <entry colname="4">
+                          <para>
+                            yes
+                          </para>
+                        </entry>
+                      </row>
+                      <row rowsep="0">
+                        <entry colname="1">
+                          <para><command>notify</command></para>
+                        </entry>
+                        <entry colname="2">
+                          <para>
+                            yes
+                          </para>
+                        </entry>
+                        <entry colname="3">
+                          <para>
+                            no
+                          </para>
+                        </entry>
+                        <entry colname="4">
+                          <para>
+                            yes
+                          </para>
+                        </entry>
+                      </row>
+                      <row rowsep="0">
+                        <entry colname="1">
+                          <para><command>refresh</command></para>
+                        </entry>
+                        <entry colname="2">
+                          <para>
+                            no
+                          </para>
+                        </entry>
+                        <entry colname="3">
+                          <para>
+                            yes
+                          </para>
+                        </entry>
+                        <entry colname="4">
+                          <para>
+                            no
+                          </para>
+                        </entry>
+                      </row>
+                      <row rowsep="0">
+                        <entry colname="1">
+                          <para><command>passive</command></para>
+                        </entry>
+                        <entry colname="2">
+                          <para>
+                            no
+                          </para>
+                        </entry>
+                        <entry colname="3">
+                          <para>
+                            no
+                          </para>
+                        </entry>
+                        <entry colname="4">
+                          <para>
+                            no
+                          </para>
+                        </entry>
+                      </row>
+                      <row rowsep="0">
+                        <entry colname="1">
+                          <para><command>notify-passive</command></para>
+                        </entry>
+                        <entry colname="2">
+                          <para>
+                            no
+                          </para>
+                        </entry>
+                        <entry colname="3">
+                          <para>
+                            no
+                          </para>
+                        </entry>
+                        <entry colname="4">
+                          <para>
+                            yes
+                          </para>
+                        </entry>
+                      </row>
+                    </tbody>
+                  </tgroup>
+                </informaltable>
+
+                <para>
+                  Note that normal NOTIFY processing is not affected by
+                  <command>dialup</command>.
+                </para>
+
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>fake-iquery</command></term>
+              <listitem>
+                <para>
+                  In <acronym>BIND</acronym> 8, this option
+                  enabled simulating the obsolete DNS query type
+                  IQUERY. <acronym>BIND</acronym> 9 never does
+                  IQUERY simulation.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>fetch-glue</command></term>
+              <listitem>
+                <para>
+                  This option is obsolete.
+                  In BIND 8, <userinput>fetch-glue yes</userinput>
+                  caused the server to attempt to fetch glue resource records
+                  it
+                  didn't have when constructing the additional
+                  data section of a response.  This is now considered a bad
+                  idea
+                  and BIND 9 never does it.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>flush-zones-on-shutdown</command></term>
+              <listitem>
+                <para>
+                  When the nameserver exits due receiving SIGTERM,
+                  flush or do not flush any pending zone writes.  The default
+                  is
+                  <command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>has-old-clients</command></term>
+              <listitem>
+                <para>
+                  This option was incorrectly implemented
+                  in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
+                  To achieve the intended effect
+                  of
+                  <command>has-old-clients</command> <userinput>yes</userinput>, specify
+                  the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
+                  and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>host-statistics</command></term>
+              <listitem>
+                <para>
+                  In BIND 8, this enables keeping of
+                  statistics for every host that the name server interacts
+                  with.
+                  Not implemented in BIND 9.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>maintain-ixfr-base</command></term>
+              <listitem>
+                <para>
+                  <emphasis>This option is obsolete</emphasis>.
+                  It was used in <acronym>BIND</acronym> 8 to
+                  determine whether a transaction log was
+                  kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
+                  log whenever possible.  If you need to disable outgoing
+                  incremental zone
+                  transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>minimal-responses</command></term>
+              <listitem>
+                <para>
+                  If <userinput>yes</userinput>, then when generating
+                  responses the server will only add records to the authority
+                  and additional data sections when they are required (e.g.
+                  delegations, negative responses).  This may improve the
+		  performance of the server.
+                  The default is <userinput>no</userinput>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>multiple-cnames</command></term>
+              <listitem>
+                <para>
+                  This option was used in <acronym>BIND</acronym> 8 to allow
+                  a domain name to have multiple CNAME records in violation of
+                  the DNS standards.  <acronym>BIND</acronym> 9.2 onwards
+                  always strictly enforces the CNAME rules both in master
+		  files and dynamic updates.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>notify</command></term>
+              <listitem>
+                <para>
+                  If <userinput>yes</userinput> (the default),
+                  DNS NOTIFY messages are sent when a zone the server is
+                  authoritative for
+                  changes, see <xref linkend="notify"/>.  The messages are
+                  sent to the
+                  servers listed in the zone's NS records (except the master
+                  server identified
+                  in the SOA MNAME field), and to any servers listed in the
+                  <command>also-notify</command> option.
+                </para>
+                <para>
+                  If <userinput>master-only</userinput>, notifies are only
+                  sent
+                  for master zones.
+                  If <userinput>explicit</userinput>, notifies are sent only
+                  to
+                  servers explicitly listed using <command>also-notify</command>.
+                  If <userinput>no</userinput>, no notifies are sent.
+                </para>
+                <para>
+                  The <command>notify</command> option may also be
+                  specified in the <command>zone</command>
+                  statement,
+                  in which case it overrides the <command>options notify</command> statement.
+                  It would only be necessary to turn off this option if it
+                  caused slaves
+                  to crash.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>recursion</command></term>
+              <listitem>
+                <para>
+                  If <userinput>yes</userinput>, and a
+                  DNS query requests recursion, then the server will attempt
+                  to do
+                  all the work required to answer the query. If recursion is
+                  off
+                  and the server does not already know the answer, it will
+                  return a
+                  referral response. The default is
+                  <userinput>yes</userinput>.
+                  Note that setting <command>recursion no</command> does not prevent
+                  clients from getting data from the server's cache; it only
+                  prevents new data from being cached as an effect of client
+                  queries.
+                  Caching may still occur as an effect the server's internal
+                  operation, such as NOTIFY address lookups.
+                  See also <command>fetch-glue</command> above.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>rfc2308-type1</command></term>
+              <listitem>
+                <para>
+                  Setting this to <userinput>yes</userinput> will
+                  cause the server to send NS records along with the SOA
+                  record for negative
+                  answers. The default is <userinput>no</userinput>.
+                </para>
+                <note>
+                  <simpara>
+                    Not yet implemented in <acronym>BIND</acronym>
+                    9.
+                  </simpara>
+                </note>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>use-id-pool</command></term>
+              <listitem>
+                <para>
+                  <emphasis>This option is obsolete</emphasis>.
+                  <acronym>BIND</acronym> 9 always allocates query
+                  IDs from a pool.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>zone-statistics</command></term>
+              <listitem>
+                <para>
+                  If <userinput>yes</userinput>, the server will collect
+                  statistical data on all zones (unless specifically turned
+                  off
+                  on a per-zone basis by specifying <command>zone-statistics no</command>
+                  in the <command>zone</command> statement).
+                  These statistics may be accessed
+                  using <command>rndc stats</command>, which will
+                  dump them to the file listed
+                  in the <command>statistics-file</command>.  See
+                  also <xref linkend="statsfile"/>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>use-ixfr</command></term>
+              <listitem>
+                <para>
+                  <emphasis>This option is obsolete</emphasis>.
+                  If you need to disable IXFR to a particular server or
+                  servers see
+                  the information on the <command>provide-ixfr</command> option
+                  in <xref linkend="server_statement_definition_and_usage"/>.
+                  See also
+                  <xref linkend="incremental_zone_transfers"/>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>provide-ixfr</command></term>
+              <listitem>
+                <para>
+                  See the description of
+                  <command>provide-ixfr</command> in
+                  <xref linkend="server_statement_definition_and_usage"/>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>request-ixfr</command></term>
+              <listitem>
+                <para>
+                  See the description of
+                  <command>request-ixfr</command> in
+                  <xref linkend="server_statement_definition_and_usage"/>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>treat-cr-as-space</command></term>
+              <listitem>
+                <para>
+                  This option was used in <acronym>BIND</acronym>
+                  8 to make
+                  the server treat carriage return ("<command>\r</command>") characters the same way
+                  as a space or tab character,
+                  to facilitate loading of zone files on a UNIX system that
+                  were generated
+                  on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
+                  and NT/DOS "<command>\r\n</command>" newlines
+                  are always accepted,
+                  and the option is ignored.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>additional-from-auth</command></term>
+              <term><command>additional-from-cache</command></term>
+              <listitem>
+
+                <para>
+                  These options control the behavior of an authoritative
+                  server when
+                  answering queries which have additional data, or when
+                  following CNAME
+                  and DNAME chains.
+                </para>
+
+                <para>
+                  When both of these options are set to <userinput>yes</userinput>
+                  (the default) and a
+                  query is being answered from authoritative data (a zone
+                  configured into the server), the additional data section of
+                  the
+                  reply will be filled in using data from other authoritative
+                  zones
+                  and from the cache.  In some situations this is undesirable,
+                  such
+                  as when there is concern over the correctness of the cache,
+                  or
+                  in servers where slave zones may be added and modified by
+                  untrusted third parties.  Also, avoiding
+                  the search for this additional data will speed up server
+                  operations
+                  at the possible expense of additional queries to resolve
+                  what would
+                  otherwise be provided in the additional section.
+                </para>
+
+                <para>
+                  For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
+                  and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
+                  records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
+                  if known, even though they are not in the example.com zone.
+                  Setting these options to <command>no</command>
+                  disables this behavior and makes
+                  the server only search for additional data in the zone it
+                  answers from.
+                </para>
+
+                <para>
+                  These options are intended for use in authoritative-only
+                  servers, or in authoritative-only views.  Attempts to set
+                  them to <command>no</command> without also
+                  specifying
+                  <command>recursion no</command> will cause the
+                  server to
+                  ignore the options and log a warning message.
+                </para>
+
+                <para>
+                  Specifying <command>additional-from-cache no</command> actually
+                  disables the use of the cache not only for additional data
+                  lookups
+                  but also when looking up the answer.  This is usually the
+                  desired
+                  behavior in an authoritative-only server where the
+                  correctness of
+                  the cached data is an issue.
+                </para>
+
+                <para>
+                  When a name server is non-recursively queried for a name
+                  that is not
+                  below the apex of any served zone, it normally answers with
+                  an
+                  "upwards referral" to the root servers or the servers of
+                  some other
+                  known parent of the query name.  Since the data in an
+                  upwards referral
+                  comes from the cache, the server will not be able to provide
+                  upwards
+                  referrals when <command>additional-from-cache no</command>
+                  has been specified.  Instead, it will respond to such
+                  queries
+                  with REFUSED.  This should not cause any problems since
+                  upwards referrals are not required for the resolution
+                  process.
+                </para>
+
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>match-mapped-addresses</command></term>
+              <listitem>
+                <para>
+                  If <userinput>yes</userinput>, then an
+                  IPv4-mapped IPv6 address will match any address match
+                  list entries that match the corresponding IPv4 address.
+                  Enabling this option is sometimes useful on IPv6-enabled
+                  Linux
+                  systems, to work around a kernel quirk that causes IPv4
+                  TCP connections such as zone transfers to be accepted
+                  on an IPv6 socket using mapped addresses, causing
+                  address match lists designed for IPv4 to fail to match.
+                  The use of this option for any other purpose is discouraged.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>ixfr-from-differences</command></term>
+              <listitem>
+                <para>
+                  When <userinput>yes</userinput> and the server loads a new version of a master
+                  zone from its zone file or receives a new version of a slave
+                  file by a non-incremental zone transfer, it will compare
+                  the new version to the previous one and calculate a set
+                  of differences.  The differences are then logged in the
+                  zone's journal file such that the changes can be transmitted
+                  to downstream slaves as an incremental zone transfer.
+                </para>
+                <para>
+                  By allowing incremental zone transfers to be used for
+                  non-dynamic zones, this option saves bandwidth at the
+                  expense of increased CPU and memory consumption at the
+                  master.
+                  In particular, if the new version of a zone is completely
+                  different from the previous one, the set of differences
+                  will be of a size comparable to the combined size of the
+                  old and new zone version, and the server will need to
+                  temporarily allocate memory to hold this complete
+                  difference set.
+                </para>
+                <para><command>ixfr-from-differences</command>
+		  also accepts <command>master</command> and
+                  <command>slave</command> at the view and options
+                  levels which causes
+                  <command>ixfr-from-differences</command> to apply to
+                  all <command>master</command> or
+                  <command>slave</command> zones respectively.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>multi-master</command></term>
+              <listitem>
+                <para>
+                  This should be set when you have multiple masters for a zone
+                  and the
+                  addresses refer to different machines.  If <userinput>yes</userinput>, named will
+                  not log
+                  when the serial number on the master is less than what named
+                  currently
+                  has.  The default is <userinput>no</userinput>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>dnssec-enable</command></term>
+              <listitem>
+                <para>
+                  Enable DNSSEC support in named.  Unless set to <userinput>yes</userinput>,
+                  named behaves as if it does not support DNSSEC.
+                  The default is <userinput>yes</userinput>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>dnssec-validation</command></term>
+              <listitem>
+                <para>
+                  Enable DNSSEC validation in named.
+		  Note <command>dnssec-enable</command> also needs to be
+		  set to <userinput>yes</userinput> to be effective.
+                  The default is <userinput>no</userinput>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>dnssec-accept-expired</command></term>
+              <listitem>
+                <para>
+		  Accept expired signatures when verifying DNSSEC signatures.
+                  The default is <userinput>no</userinput>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>querylog</command></term>
+              <listitem>
+                <para>
+                  Specify whether query logging should be started when named
+                  starts.
+                  If <command>querylog</command> is not specified,
+                  then the query logging
+                  is determined by the presence of the logging category <command>queries</command>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>check-names</command></term>
+              <listitem>
+                <para>
+                  This option is used to restrict the character set and syntax
+                  of
+                  certain domain names in master files and/or DNS responses
+                  received
+                  from the network.  The default varies according to usage
+                  area.  For
+                  <command>master</command> zones the default is <command>fail</command>.
+                  For <command>slave</command> zones the default
+                  is <command>warn</command>.
+                  For answers received from the network (<command>response</command>)
+                  the default is <command>ignore</command>.
+                </para>
+                <para>
+                  The rules for legal hostnames and mail domains are derived
+                  from RFC 952 and RFC 821 as modified by RFC 1123.
+                </para>
+                <para><command>check-names</command>
+		  applies to the owner names of A, AAA and MX records.
+		  It also applies to the domain names in the RDATA of NS, SOA
+		  and MX records.
+		  It also applies to the RDATA of PTR records where the owner
+		  name indicated that it is a reverse lookup of a hostname
+		  (the owner name ends in IN-ADDR.ARPA, IP6.ARPA or IP6.INT).
+                </para>
+              </listitem>
+            </varlistentry>
+
+	    <varlistentry>
+	      <term><command>check-mx</command></term>
+	      <listitem>
+		<para>
+		  Check whether the MX record appears to refer to a IP address.
+		  The default is to <command>warn</command>.  Other possible
+		  values are <command>fail</command> and
+		  <command>ignore</command>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+            <varlistentry>
+              <term><command>check-wildcard</command></term>
+              <listitem>
+                <para>
+                  This option is used to check for non-terminal wildcards.
+                  The use of non-terminal wildcards is almost always as a
+                  result of a failure
+                  to understand the wildcard matching algorithm (RFC 1034).
+                  This option
+                  affects master zones.  The default (<command>yes</command>) is to check
+                  for non-terminal wildcards and issue a warning.
+                </para>
+              </listitem>
+            </varlistentry>
+
+	    <varlistentry>
+	      <term><command>check-integrity</command></term>
+	      <listitem>
+		<para>
+		  Perform post load zone integrity checks on master
+		  zones.  This checks that MX and SRV records refer
+		  to address (A or AAAA) records and that glue
+		  address records exist for delegated zones.  For
+		  MX and SRV records only in-zone hostnames are
+		  checked (for out-of-zone hostnames use named-checkzone).
+		  For NS records only names below top of zone are
+		  checked (for out-of-zone names and glue consistancy
+		  checks use named-checkzone).  The default is
+		  <command>yes</command>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>check-mx-cname</command></term>
+	      <listitem>
+		<para>
+		  If <command>check-integrity</command> is set then
+		  fail, warn or ignore MX records that refer
+		  to CNAMES.  The default is to <command>warn</command>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>check-srv-cname</command></term>
+	      <listitem>
+		<para>
+		  If <command>check-integrity</command> is set then
+		  fail, warn or ignore SRV records that refer
+		  to CNAMES.  The default is to <command>warn</command>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>check-sibling</command></term>
+	      <listitem>
+		<para>
+		  When performing integrity checks, also check that
+		  sibling glue exists.  The default is <command>yes</command>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>zero-no-soa-ttl</command></term>
+	      <listitem>
+	        <para>
+		  When returning authoritative negative responses to
+		  SOA queries set the TTL of the SOA recored returned in
+		  the authority section to zero.
+		  The default is <command>yes</command>.
+	        </para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>zero-no-soa-ttl-cache</command></term>
+	      <listitem>
+	        <para>
+		  When caching a negative response to a SOA query
+		  set the TTL to zero.
+		  The default is <command>no</command>.
+	        </para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>update-check-ksk</command></term>
+	      <listitem>
+	        <para>
+		  When regenerating the RRSIGs following a UPDATE
+		  request to a secure zone, check the KSK flag on
+		  the DNSKEY RR to determine if this key should be
+		  used to generate the RRSIG.  This flag is ignored
+		  if there are not DNSKEY RRs both with and without
+		  a KSK.
+		  The default is <command>yes</command>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+          </variablelist>
+
+        </sect3>
+
+        <sect3>
+          <title>Forwarding</title>
+          <para>
+            The forwarding facility can be used to create a large site-wide
+            cache on a few servers, reducing traffic over links to external
+            name servers. It can also be used to allow queries by servers that
+            do not have direct access to the Internet, but wish to look up
+            exterior
+            names anyway. Forwarding occurs only on those queries for which
+            the server is not authoritative and does not have the answer in
+            its cache.
+          </para>
+
+          <variablelist>
+            <varlistentry>
+              <term><command>forward</command></term>
+              <listitem>
+                <para>
+                  This option is only meaningful if the
+                  forwarders list is not empty. A value of <varname>first</varname>,
+                  the default, causes the server to query the forwarders
+                  first &mdash; and
+                  if that doesn't answer the question, the server will then
+                  look for
+                  the answer itself. If <varname>only</varname> is
+                  specified, the
+                  server will only query the forwarders.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>forwarders</command></term>
+              <listitem>
+                <para>
+                  Specifies the IP addresses to be used
+                  for forwarding. The default is the empty list (no
+                  forwarding).
+                </para>
+              </listitem>
+            </varlistentry>
+
+          </variablelist>
+
+          <para>
+            Forwarding can also be configured on a per-domain basis, allowing
+            for the global forwarding options to be overridden in a variety
+            of ways. You can set particular domains to use different
+            forwarders,
+            or have a different <command>forward only/first</command> behavior,
+            or not forward at all, see <xref linkend="zone_statement_grammar"/>.
+          </para>
+        </sect3>
+
+        <sect3>
+          <title>Dual-stack Servers</title>
+          <para>
+            Dual-stack servers are used as servers of last resort to work
+            around
+            problems in reachability due the lack of support for either IPv4
+            or IPv6
+            on the host machine.
+          </para>
+
+          <variablelist>
+            <varlistentry>
+              <term><command>dual-stack-servers</command></term>
+              <listitem>
+                <para>
+                  Specifies host names or addresses of machines with access to
+                  both IPv4 and IPv6 transports. If a hostname is used, the
+                  server must be able
+                  to resolve the name using only the transport it has.  If the
+                  machine is dual
+                  stacked, then the <command>dual-stack-servers</command> have no effect unless
+                  access to a transport has been disabled on the command line
+                  (e.g. <command>named -4</command>).
+                </para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </sect3>
+
+        <sect3 id="access_control">
+          <title>Access Control</title>
+
+          <para>
+            Access to the server can be restricted based on the IP address
+            of the requesting system. See <xref linkend="address_match_lists"/> for
+            details on how to specify IP address lists.
+          </para>
+
+          <variablelist>
+
+            <varlistentry>
+              <term><command>allow-notify</command></term>
+              <listitem>
+                <para>
+                  Specifies which hosts are allowed to
+                  notify this server, a slave, of zone changes in addition
+                  to the zone masters.
+                  <command>allow-notify</command> may also be
+                  specified in the
+                  <command>zone</command> statement, in which case
+                  it overrides the
+                  <command>options allow-notify</command>
+                  statement.  It is only meaningful
+                  for a slave zone.  If not specified, the default is to
+                  process notify messages
+                  only from a zone's master.
+                </para>
+              </listitem>
+            </varlistentry>
+
+	    <varlistentry>
+	      <term><command>allow-query</command></term>
+	      <listitem>
+		<para>
+		  Specifies which hosts are allowed to ask ordinary
+		  DNS questions. <command>allow-query</command> may
+		  also be specified in the <command>zone</command>
+		  statement, in which case it overrides the
+		  <command>options allow-query</command> statement.
+		  If not specified, the default is to allow queries
+		  from all hosts.
+		</para>
+		<note>
+		  <para>
+		    <command>allow-query-cache</command> is now
+		    used to specify access to the cache.
+		  </para>
+		</note>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>allow-query-cache</command></term>
+	      <listitem>
+		<para>
+		  Specifies which hosts are allowed to get answers
+		  from the cache. The default is the builtin acls
+		  <command>localnets</command> and
+		  <command>localhost</command>.
+		</para>
+		<para>
+		  The way to set query access to the cache is now
+		  via <command>allow-query-cache</command>.
+		  This differs from earlier versions which used
+		  <command>allow-query</command>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+            <varlistentry>
+              <term><command>allow-recursion</command></term>
+              <listitem>
+                <para>
+		  Specifies which hosts are allowed to make recursive
+		  queries through this server. If not specified,
+		  the default is to allow recursive queries from
+		  the builtin acls <command>localnets</command> and
+		  <command>localhost</command>.
+		  Note that disallowing recursive queries for a
+		  host does not prevent the host from retrieving
+		  data that is already in the server's cache.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>allow-update</command></term>
+              <listitem>
+                <para>
+                  Specifies which hosts are allowed to
+                  submit Dynamic DNS updates for master zones. The default is
+                  to deny
+                  updates from all hosts.  Note that allowing updates based
+                  on the requestor's IP address is insecure; see
+                  <xref linkend="dynamic_update_security"/> for details.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>allow-update-forwarding</command></term>
+              <listitem>
+                <para>
+                  Specifies which hosts are allowed to
+                  submit Dynamic DNS updates to slave zones to be forwarded to
+                  the
+                  master.  The default is <userinput>{ none; }</userinput>,
+                  which
+                  means that no update forwarding will be performed.  To
+                  enable
+                  update forwarding, specify
+                  <userinput>allow-update-forwarding { any; };</userinput>.
+                  Specifying values other than <userinput>{ none; }</userinput> or
+                  <userinput>{ any; }</userinput> is usually
+                  counterproductive, since
+                  the responsibility for update access control should rest
+                  with the
+                  master server, not the slaves.
+                </para>
+                <para>
+                  Note that enabling the update forwarding feature on a slave
+                  server
+                  may expose master servers relying on insecure IP address
+                  based
+                  access control to attacks; see <xref linkend="dynamic_update_security"/>
+                  for more details.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>allow-v6-synthesis</command></term>
+              <listitem>
+                <para>
+                  This option was introduced for the smooth transition from
+                  AAAA
+                  to A6 and from "nibble labels" to binary labels.
+                  However, since both A6 and binary labels were then
+                  deprecated,
+                  this option was also deprecated.
+                  It is now ignored with some warning messages.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>allow-transfer</command></term>
+              <listitem>
+                <para>
+                  Specifies which hosts are allowed to
+                  receive zone transfers from the server. <command>allow-transfer</command> may
+                  also be specified in the <command>zone</command>
+                  statement, in which
+                  case it overrides the <command>options allow-transfer</command> statement.
+                  If not specified, the default is to allow transfers to all
+                  hosts.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>blackhole</command></term>
+              <listitem>
+                <para>
+                  Specifies a list of addresses that the
+                  server will not accept queries from or use to resolve a
+                  query. Queries
+                  from these addresses will not be responded to. The default
+                  is <userinput>none</userinput>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+          </variablelist>
+
+        </sect3>
+
+        <sect3>
+          <title>Interfaces</title>
+          <para>
+            The interfaces and ports that the server will answer queries
+            from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
+            an optional port, and an <varname>address_match_list</varname>.
+            The server will listen on all interfaces allowed by the address
+            match list. If a port is not specified, port 53 will be used.
+          </para>
+          <para>
+            Multiple <command>listen-on</command> statements are
+            allowed.
+            For example,
+          </para>
 
 <programlisting>listen-on { 5.6.7.8; };
 listen-on port 1234 { !1.2.3.4; 1.2/16; };
 </programlisting>
 
-<para>will enable the name server on port 53 for the IP address
-5.6.7.8, and on port 1234 of an address on the machine in net
-1.2 that is not 1.2.3.4.</para>
+          <para>
+            will enable the name server on port 53 for the IP address
+            5.6.7.8, and on port 1234 of an address on the machine in net
+            1.2 that is not 1.2.3.4.
+          </para>
 
-<para>If no <command>listen-on</command> is specified, the
-server will listen on port 53 on all interfaces.</para>
+          <para>
+            If no <command>listen-on</command> is specified, the
+            server will listen on port 53 on all interfaces.
+          </para>
 
-<para>The <command>listen-on-v6</command> option is used to
-specify the interfaces and the ports on which the server will listen
-for incoming queries sent using IPv6.</para>
+          <para>
+            The <command>listen-on-v6</command> option is used to
+            specify the interfaces and the ports on which the server will
+            listen
+            for incoming queries sent using IPv6.
+          </para>
 
-<para>When <programlisting>{ any; }</programlisting> is specified
-as the <varname>address_match_list</varname> for the
-<command>listen-on-v6</command> option,
-the server does not bind a separate socket to each IPv6 interface
-address as it does for IPv4 if the operating system has enough API
-support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542).
-Instead, it listens on the IPv6 wildcard address.
-If the system only has incomplete API support for IPv6, however,
-the behavior is the same as that for IPv4.</para>
+          <para>
+            When <programlisting>{ any; }</programlisting> is
+            specified
+            as the <varname>address_match_list</varname> for the
+            <command>listen-on-v6</command> option,
+            the server does not bind a separate socket to each IPv6 interface
+            address as it does for IPv4 if the operating system has enough API
+            support for IPv6 (specifically if it conforms to RFC 3493 and RFC
+            3542).
+            Instead, it listens on the IPv6 wildcard address.
+            If the system only has incomplete API support for IPv6, however,
+            the behavior is the same as that for IPv4.
+          </para>
 
-<para>A list of particular IPv6 addresses can also be specified, in which case
-the server listens on a separate socket for each specified address,
-regardless of whether the desired API is supported by the system.</para>
+          <para>
+            A list of particular IPv6 addresses can also be specified, in
+            which case
+            the server listens on a separate socket for each specified
+            address,
+            regardless of whether the desired API is supported by the system.
+          </para>
 
-<para>Multiple <command>listen-on-v6</command> options can be used.
-For example,</para>
+          <para>
+            Multiple <command>listen-on-v6</command> options can
+            be used.
+            For example,
+          </para>
 
 <programlisting>listen-on-v6 { any; };
 listen-on-v6 port 1234 { !2001:db8::/32; any; };
 </programlisting>
 
-<para>will enable the name server on port 53 for any IPv6 addresses
-(with a single wildcard socket),
-and on port 1234 of IPv6 addresses that is not in the prefix
-2001:db8::/32 (with separate sockets for each matched address.)</para>
+          <para>
+            will enable the name server on port 53 for any IPv6 addresses
+            (with a single wildcard socket),
+            and on port 1234 of IPv6 addresses that is not in the prefix
+            2001:db8::/32 (with separate sockets for each matched address.)
+          </para>
+
+          <para>
+            To make the server not listen on any IPv6 address, use
+          </para>
 
-<para>To make the server not listen on any IPv6 address, use</para>
 <programlisting>listen-on-v6 { none; };
 </programlisting>
-<para>If no <command>listen-on-v6</command> option is specified,
-the server will not listen on any IPv6 address.</para></sect3>
-
-<sect3><title>Query Address</title>
-<para>If the server doesn't know the answer to a question, it will
-query other name servers. <command>query-source</command> specifies
-the address and port used for such queries. For queries sent over
-IPv6, there is a separate <command>query-source-v6</command> option.
-If <command>address</command> is <command>*</command> (asterisk) or is omitted,
-a wildcard IP address (<command>INADDR_ANY</command>) will be used.
-If <command>port</command> is <command>*</command> or is omitted,
-a random unprivileged port will be used. The <command>avoid-v4-udp-ports</command>
-and <command>avoid-v6-udp-ports</command> options can be used to prevent named
-from selecting certain ports. The defaults are:</para>
+
+          <para>
+            If no <command>listen-on-v6</command> option is
+            specified,
+            the server will not listen on any IPv6 address.
+          </para>
+        </sect3>
+
+        <sect3>
+          <title>Query Address</title>
+          <para>
+            If the server doesn't know the answer to a question, it will
+            query other name servers. <command>query-source</command> specifies
+            the address and port used for such queries. For queries sent over
+            IPv6, there is a separate <command>query-source-v6</command> option.
+            If <command>address</command> is <command>*</command> (asterisk) or is omitted,
+            a wildcard IP address (<command>INADDR_ANY</command>)
+            will be used.
+            If <command>port</command> is <command>*</command> or is omitted,
+            a random unprivileged port will be used. The <command>avoid-v4-udp-ports</command>
+            and <command>avoid-v6-udp-ports</command> options can be used
+            to prevent named
+            from selecting certain ports. The defaults are:
+          </para>
+
 <programlisting>query-source address * port *;
 query-source-v6 address * port *;
 </programlisting>
-<note>
-<para>The address specified in the <command>query-source</command> option
-is used for both UDP and TCP queries, but the port applies only to 
-UDP queries.  TCP queries always use a random
-unprivileged port.</para></note>
-<note>
-<para>See also <command>transfer-source</command> and
-<command>notify-source</command>.</para></note>
-	<note>
-	  <para>
-	    Solaris 2.5.1 and earlier does not support setting the source
-	    address for TCP sockets.
-	  </para>
-        </note>
-</sect3>
-
-<sect3 id="zone_transfers"><title>Zone Transfers</title>
-<para><acronym>BIND</acronym> has mechanisms in place to facilitate zone transfers
-and set limits on the amount of load that transfers place on the
-system. The following options apply to zone transfers.</para>
-
-<variablelist>
-
-<varlistentry><term><command>also-notify</command></term>
-<listitem><para>Defines a global list of IP addresses of name servers
-that are also sent NOTIFY messages whenever a fresh copy of the
-zone is loaded, in addition to the servers listed in the zone's NS records.
-This helps to ensure that copies of the zones will
-quickly converge on stealth servers. If an <command>also-notify</command> list
-is given in a <command>zone</command> statement, it will override
-the <command>options also-notify</command> statement. When a <command>zone notify</command> statement
-is set to <command>no</command>, the IP addresses in the global <command>also-notify</command> list will
-not be sent NOTIFY messages for that zone. The default is the empty
-list (no global notification list).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-time-in</command></term>
-<listitem><para>Inbound zone transfers running longer than
-this many minutes will be terminated. The default is 120 minutes
-(2 hours).  The maximum value is 28 days (40320 minutes).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-idle-in</command></term>
-<listitem><para>Inbound zone transfers making no progress
-in this many minutes will be terminated. The default is 60 minutes
-(1 hour).  The maximum value is 28 days (40320 minutes).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-time-out</command></term>
-<listitem><para>Outbound zone transfers running longer than
-this many minutes will be terminated. The default is 120 minutes
-(2 hours).  The maximum value is 28 days (40320 minutes).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-idle-out</command></term>
-<listitem><para>Outbound zone transfers making no progress
-in this many minutes will be terminated.  The default is 60 minutes (1
-hour).  The maximum value is 28 days (40320 minutes).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>serial-query-rate</command></term>
-<listitem><para>Slave servers will periodically query master servers
-to find out if zone serial numbers have changed. Each such query uses
-a minute amount of the slave server's network bandwidth.  To limit the
-amount of bandwidth used, BIND 9 limits the rate at which queries are
-sent.  The value of the <command>serial-query-rate</command> option,
-an integer, is the maximum number of queries sent per second.
-The default is 20.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>serial-queries</command></term>
-<listitem><para>In BIND 8, the <command>serial-queries</command> option
-set the maximum number of concurrent serial number queries
-allowed to be outstanding at any given time.
-BIND 9 does not limit the number of outstanding
-serial queries and ignores the <command>serial-queries</command> option.
-Instead, it limits the rate at which the queries are sent
-as defined using the <command>serial-query-rate</command> option.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-format</command></term>
-<listitem>
-
-<para>
-Zone transfers can be sent using two different formats,
-<command>one-answer</command> and <command>many-answers</command>.
-The <command>transfer-format</command> option is used
-on the master server to determine which format it sends.
-<command>one-answer</command> uses one DNS message per
-resource record transferred.
-<command>many-answers</command> packs as many resource records as
-possible into a message. <command>many-answers</command> is more
-efficient, but is only supported by relatively new slave servers,
-such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym> 8.x and patched
-versions of <acronym>BIND</acronym> 4.9.5. The <command>many-answers</command>
-format is also supported by recent Microsoft Windows nameservers. The default is
-<command>many-answers</command>. <command>transfer-format</command>
-may be overridden on a per-server basis by using the
-<command>server</command> statement.
-</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfers-in</command></term>
-<listitem><para>The maximum number of inbound zone transfers
-that can be running concurrently. The default value is <literal>10</literal>.
-Increasing <command>transfers-in</command> may speed up the convergence
-of slave zones, but it also may increase the load on the local system.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfers-out</command></term>
-<listitem><para>The maximum number of outbound zone transfers
-that can be running concurrently. Zone transfer requests in excess
-of the limit will be refused. The default value is <literal>10</literal>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfers-per-ns</command></term>
-<listitem><para>The maximum number of inbound zone transfers
-that can be concurrently transferring from a given remote name server.
-The default value is <literal>2</literal>. Increasing <command>transfers-per-ns</command> may
-speed up the convergence of slave zones, but it also may increase
-the load on the remote name server. <command>transfers-per-ns</command> may
-be overridden on a per-server basis by using the <command>transfers</command> phrase
-of the <command>server</command> statement.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-source</command></term>
-<listitem><para><command>transfer-source</command> determines
-which local address will be bound to IPv4 TCP connections used to
-fetch zones transferred inbound by the server.  It also determines
-the source IPv4 address, and optionally the UDP port, used for the
-refresh queries and forwarded dynamic updates.  If not set, it defaults
-to a system controlled value which will usually be the address of
-the interface "closest to" the remote end. This address must appear
-in the remote end's <command>allow-transfer</command> option for
-the zone being transferred, if one is specified. This statement
-sets the <command>transfer-source</command> for all zones, but can
-be overridden on a per-view or per-zone basis by including a
-<command>transfer-source</command> statement within the
-<command>view</command> or <command>zone</command> block
-in the configuration file.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-source-v6</command></term>
-<listitem><para>The same as <command>transfer-source</command>,
-except zone transfers are performed using IPv6.</para>
-              </listitem></varlistentry>
 
-	    <varlistentry>
-	      <term><command>alt-transfer-source</command></term>
-	      <listitem>
-		<para>
-		  An alternate transfer source if the one listed in
-		  <command>transfer-source</command> fails and
-		  <command>use-alt-transfer-source</command> is
-		  set.
-		</para>
+          <note>
+            <para>
+              The address specified in the <command>query-source</command> option
+              is used for both UDP and TCP queries, but the port applies only
+              to
+              UDP queries.  TCP queries always use a random
+              unprivileged port.
+            </para>
+          </note>
+	  <note>
+	    <para>
+	      Solaris 2.5.1 and earlier does not support setting the source
+	      address for TCP sockets.
+	    </para>
+	  </note>
+          <note>
+            <para>
+              See also <command>transfer-source</command> and
+              <command>notify-source</command>.
+            </para>
+          </note>
+        </sect3>
+
+        <sect3 id="zone_transfers">
+          <title>Zone Transfers</title>
+          <para>
+            <acronym>BIND</acronym> has mechanisms in place to
+            facilitate zone transfers
+            and set limits on the amount of load that transfers place on the
+            system. The following options apply to zone transfers.
+          </para>
+
+          <variablelist>
+
+            <varlistentry>
+              <term><command>also-notify</command></term>
+              <listitem>
+                <para>
+                  Defines a global list of IP addresses of name servers
+                  that are also sent NOTIFY messages whenever a fresh copy of
+                  the
+                  zone is loaded, in addition to the servers listed in the
+                  zone's NS records.
+                  This helps to ensure that copies of the zones will
+                  quickly converge on stealth servers. If an <command>also-notify</command> list
+                  is given in a <command>zone</command> statement,
+                  it will override
+                  the <command>options also-notify</command>
+                  statement. When a <command>zone notify</command>
+                  statement
+                  is set to <command>no</command>, the IP
+                  addresses in the global <command>also-notify</command> list will
+                  not be sent NOTIFY messages for that zone. The default is
+                  the empty
+                  list (no global notification list).
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>max-transfer-time-in</command></term>
+              <listitem>
+                <para>
+                  Inbound zone transfers running longer than
+                  this many minutes will be terminated. The default is 120
+                  minutes
+                  (2 hours).  The maximum value is 28 days (40320 minutes).
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>max-transfer-idle-in</command></term>
+              <listitem>
+                <para>
+                  Inbound zone transfers making no progress
+                  in this many minutes will be terminated. The default is 60
+                  minutes
+                  (1 hour).  The maximum value is 28 days (40320 minutes).
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>max-transfer-time-out</command></term>
+              <listitem>
+                <para>
+                  Outbound zone transfers running longer than
+                  this many minutes will be terminated. The default is 120
+                  minutes
+                  (2 hours).  The maximum value is 28 days (40320 minutes).
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>max-transfer-idle-out</command></term>
+              <listitem>
+                <para>
+                  Outbound zone transfers making no progress
+                  in this many minutes will be terminated.  The default is 60
+                  minutes (1
+                  hour).  The maximum value is 28 days (40320 minutes).
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>serial-query-rate</command></term>
+              <listitem>
+                <para>
+                  Slave servers will periodically query master servers
+                  to find out if zone serial numbers have changed. Each such
+                  query uses
+                  a minute amount of the slave server's network bandwidth.  To
+                  limit the
+                  amount of bandwidth used, BIND 9 limits the rate at which
+                  queries are
+                  sent.  The value of the <command>serial-query-rate</command> option,
+                  an integer, is the maximum number of queries sent per
+                  second.
+                  The default is 20.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>serial-queries</command></term>
+              <listitem>
+                <para>
+                  In BIND 8, the <command>serial-queries</command>
+                  option
+                  set the maximum number of concurrent serial number queries
+                  allowed to be outstanding at any given time.
+                  BIND 9 does not limit the number of outstanding
+                  serial queries and ignores the <command>serial-queries</command> option.
+                  Instead, it limits the rate at which the queries are sent
+                  as defined using the <command>serial-query-rate</command> option.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>transfer-format</command></term>
+              <listitem>
+
+                <para>
+                  Zone transfers can be sent using two different formats,
+                  <command>one-answer</command> and
+		  <command>many-answers</command>.
+                  The <command>transfer-format</command> option is used
+                  on the master server to determine which format it sends.
+                  <command>one-answer</command> uses one DNS message per
+                  resource record transferred.
+                  <command>many-answers</command> packs as many resource
+		  records as possible into a message.
+		  <command>many-answers</command> is more efficient, but is
+		  only supported by relatively new slave servers,
+                  such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
+		  8.x and <acronym>BIND</acronym> 4.9.5 onwards.
+	          The <command>many-answers</command> format is also supported by
+		  recent Microsoft Windows nameservers.
+		  The default is <command>many-answers</command>.
+		  <command>transfer-format</command> may be overridden on a
+		  per-server basis by using the <command>server</command>
+		  statement.
+                </para>
+
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>transfers-in</command></term>
+              <listitem>
+                <para>
+                  The maximum number of inbound zone transfers
+                  that can be running concurrently. The default value is <literal>10</literal>.
+                  Increasing <command>transfers-in</command> may
+                  speed up the convergence
+                  of slave zones, but it also may increase the load on the
+                  local system.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>transfers-out</command></term>
+              <listitem>
+                <para>
+                  The maximum number of outbound zone transfers
+                  that can be running concurrently. Zone transfer requests in
+                  excess
+                  of the limit will be refused. The default value is <literal>10</literal>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>transfers-per-ns</command></term>
+              <listitem>
+                <para>
+                  The maximum number of inbound zone transfers
+                  that can be concurrently transferring from a given remote
+                  name server.
+                  The default value is <literal>2</literal>.
+                  Increasing <command>transfers-per-ns</command>
+                  may
+                  speed up the convergence of slave zones, but it also may
+                  increase
+                  the load on the remote name server. <command>transfers-per-ns</command> may
+                  be overridden on a per-server basis by using the <command>transfers</command> phrase
+                  of the <command>server</command> statement.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>transfer-source</command></term>
+              <listitem>
+                <para><command>transfer-source</command>
+		  determines which local address will be bound to IPv4
+                  TCP connections used to fetch zones transferred
+                  inbound by the server.  It also determines the
+                  source IPv4 address, and optionally the UDP port,
+                  used for the refresh queries and forwarded dynamic
+                  updates.  If not set, it defaults to a system
+                  controlled value which will usually be the address
+                  of the interface "closest to" the remote end. This
+                  address must appear in the remote end's
+                  <command>allow-transfer</command> option for the
+                  zone being transferred, if one is specified. This
+                  statement sets the
+                  <command>transfer-source</command> for all zones,
+                  but can be overridden on a per-view or per-zone
+                  basis by including a
+                  <command>transfer-source</command> statement within
+                  the <command>view</command> or
+                  <command>zone</command> block in the configuration
+                  file.
+                </para>
+	        <note>
+	          <para>
+	            Solaris 2.5.1 and earlier does not support setting the
+		    source address for TCP sockets.
+	          </para>
+                </note>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>transfer-source-v6</command></term>
+              <listitem>
+                <para>
+                  The same as <command>transfer-source</command>,
+                  except zone transfers are performed using IPv6.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>alt-transfer-source</command></term>
+              <listitem>
+                <para>
+                  An alternate transfer source if the one listed in
+                  <command>transfer-source</command> fails and
+                  <command>use-alt-transfer-source</command> is
+                  set.
+                </para>
 		<note>
 		  If you do not wish the alternate transfer source
 		  to be used, you should set
@@ -3868,310 +6336,482 @@ except zone transfers are performed using IPv6.</para>
 		  query.
 		</note>
               </listitem>
-	    </varlistentry>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>alt-transfer-source-v6</command></term>
+              <listitem>
+                <para>
+                  An alternate transfer source if the one listed in
+                  <command>transfer-source-v6</command> fails and
+                  <command>use-alt-transfer-source</command> is
+                  set.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>use-alt-transfer-source</command></term>
+              <listitem>
+                <para>
+                  Use the alternate transfer sources or not.  If views are
+                  specified this defaults to <command>no</command>
+                  otherwise it defaults to
+                  <command>yes</command> (for BIND 8
+                  compatibility).
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>notify-source</command></term>
+              <listitem>
+                <para><command>notify-source</command>
+		  determines which local source address, and
+                  optionally UDP port, will be used to send NOTIFY
+                  messages.  This address must appear in the slave
+                  server's <command>masters</command> zone clause or
+                  in an <command>allow-notify</command> clause.  This
+                  statement sets the <command>notify-source</command>
+                  for all zones, but can be overridden on a per-zone or
+                  per-view basis by including a
+                  <command>notify-source</command> statement within
+                  the <command>zone</command> or
+                  <command>view</command> block in the configuration
+                  file.
+                </para>
+	        <note>
+	          <para>
+	            Solaris 2.5.1 and earlier does not support setting the
+		    source address for TCP sockets.
+	          </para>
+                </note>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>notify-source-v6</command></term>
+              <listitem>
+                <para>
+                  Like <command>notify-source</command>,
+                  but applies to notify messages sent to IPv6 addresses.
+                </para>
+              </listitem>
+            </varlistentry>
+
+          </variablelist>
+
+        </sect3>
+
+        <sect3>
+          <title>Bad UDP Port Lists</title>
+          <para><command>avoid-v4-udp-ports</command>
+	    and <command>avoid-v6-udp-ports</command> specify a list
+            of IPv4 and IPv6 UDP ports that will not be used as system
+            assigned source ports for UDP sockets.  These lists
+            prevent named from choosing as its random source port a
+            port that is blocked by your firewall.  If a query went
+            out with such a source port, the answer would not get by
+            the firewall and the name server would have to query
+            again.
+          </para>
+        </sect3>
+
+        <sect3>
+          <title>Operating System Resource Limits</title>
+
+          <para>
+            The server's usage of many system resources can be limited.
+            Scaled values are allowed when specifying resource limits.  For
+            example, <command>1G</command> can be used instead of
+            <command>1073741824</command> to specify a limit of
+            one
+            gigabyte. <command>unlimited</command> requests
+            unlimited use, or the
+            maximum available amount. <command>default</command>
+            uses the limit
+            that was in force when the server was started. See the description
+            of <command>size_spec</command> in <xref linkend="configuration_file_elements"/>.
+          </para>
+
+          <para>
+            The following options set operating system resource limits for
+            the name server process.  Some operating systems don't support
+            some or
+            any of the limits. On such systems, a warning will be issued if
+            the
+            unsupported limit is used.
+          </para>
+
+          <variablelist>
+
+            <varlistentry>
+              <term><command>coresize</command></term>
+              <listitem>
+                <para>
+                  The maximum size of a core dump. The default
+                  is <literal>default</literal>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>datasize</command></term>
+              <listitem>
+                <para>
+                  The maximum amount of data memory the server
+                  may use. The default is <literal>default</literal>.
+                  This is a hard limit on server memory usage.
+                  If the server attempts to allocate memory in excess of this
+                  limit, the allocation will fail, which may in turn leave
+                  the server unable to perform DNS service.  Therefore,
+                  this option is rarely useful as a way of limiting the
+                  amount of memory used by the server, but it can be used
+                  to raise an operating system data size limit that is
+                  too small by default.  If you wish to limit the amount
+                  of memory used by the server, use the
+                  <command>max-cache-size</command> and
+                  <command>recursive-clients</command>
+                  options instead.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>files</command></term>
+              <listitem>
+                <para>
+                  The maximum number of files the server
+                  may have open concurrently. The default is <literal>unlimited</literal>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>stacksize</command></term>
+              <listitem>
+                <para>
+                  The maximum amount of stack memory the server
+                  may use. The default is <literal>default</literal>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+          </variablelist>
+
+        </sect3>
+
+        <sect3>
+          <title>Server  Resource Limits</title>
+
+          <para>
+            The following options set limits on the server's
+            resource consumption that are enforced internally by the
+            server rather than the operating system.
+          </para>
+
+          <variablelist>
+
+            <varlistentry>
+              <term><command>max-ixfr-log-size</command></term>
+              <listitem>
+                <para>
+                  This option is obsolete; it is accepted
+                  and ignored for BIND 8 compatibility.  The option
+                  <command>max-journal-size</command> performs a
+                  similar function in BIND 9.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>max-journal-size</command></term>
+              <listitem>
+                <para>
+                  Sets a maximum size for each journal file
+                  (see <xref linkend="journal"/>).  When the journal file
+                  approaches
+                  the specified size, some of the oldest transactions in the
+                  journal
+                  will be automatically removed.  The default is
+                  <literal>unlimited</literal>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>host-statistics-max</command></term>
+              <listitem>
+                <para>
+                  In BIND 8, specifies the maximum number of host statistics
+                  entries to be kept.
+                  Not implemented in BIND 9.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>recursive-clients</command></term>
+              <listitem>
+                <para>
+                  The maximum number of simultaneous recursive lookups
+                  the server will perform on behalf of clients.  The default
+                  is
+                  <literal>1000</literal>.  Because each recursing
+                  client uses a fair
+                  bit of memory, on the order of 20 kilobytes, the value of
+                  the
+                  <command>recursive-clients</command> option may
+                  have to be decreased
+                  on hosts with limited memory.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>tcp-clients</command></term>
+              <listitem>
+                <para>
+                  The maximum number of simultaneous client TCP
+                  connections that the server will accept.
+                  The default is <literal>100</literal>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>max-cache-size</command></term>
+              <listitem>
+                <para>
+                  The maximum amount of memory to use for the
+                  server's cache, in bytes.  When the amount of data in the
+                  cache
+                  reaches this limit, the server will cause records to expire
+                  prematurely so that the limit is not exceeded.  In a server
+                  with
+                  multiple views, the limit applies separately to the cache of
+                  each
+                  view.  The default is <literal>unlimited</literal>, meaning that
+                  records are purged from the cache only when their TTLs
+                  expire.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>tcp-listen-queue</command></term>
+              <listitem>
+                <para>
+                  The listen queue depth.  The default and minimum is 3.
+                  If the kernel supports the accept filter "dataready" this
+                  also controls how
+                  many TCP connections that will be queued in kernel space
+                  waiting for
+                  some data before being passed to accept.  Values less than 3
+                  will be
+                  silently raised.
+                </para>
+              </listitem>
+            </varlistentry>
+
+          </variablelist>
+
+        </sect3>
+
+        <sect3>
+          <title>Periodic Task Intervals</title>
+
+          <variablelist>
+
+            <varlistentry>
+              <term><command>cleaning-interval</command></term>
+              <listitem>
+                <para>
+                  The server will remove expired resource records
+                  from the cache every <command>cleaning-interval</command> minutes.
+                  The default is 60 minutes.  The maximum value is 28 days
+                  (40320 minutes).
+                  If set to 0, no periodic cleaning will occur.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>heartbeat-interval</command></term>
+              <listitem>
+                <para>
+                  The server will perform zone maintenance tasks
+                  for all zones marked as <command>dialup</command> whenever this
+                  interval expires. The default is 60 minutes. Reasonable
+                  values are up
+                  to 1 day (1440 minutes).  The maximum value is 28 days
+                  (40320 minutes).
+                  If set to 0, no zone maintenance for these zones will occur.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>interface-interval</command></term>
+              <listitem>
+                <para>
+                  The server will scan the network interface list
+                  every <command>interface-interval</command>
+                  minutes. The default
+                  is 60 minutes. The maximum value is 28 days (40320 minutes).
+                  If set to 0, interface scanning will only occur when
+                  the configuration file is  loaded. After the scan, the
+                  server will
+                  begin listening for queries on any newly discovered
+                  interfaces (provided they are allowed by the
+                  <command>listen-on</command> configuration), and
+                  will
+                  stop listening on interfaces that have gone away.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>statistics-interval</command></term>
+              <listitem>
+                <para>
+                  Name server statistics will be logged
+                  every <command>statistics-interval</command>
+                  minutes. The default is
+                  60. The maximum value is 28 days (40320 minutes).
+                  If set to 0, no statistics will be logged.
+                  </para><note>
+                  <simpara>
+                    Not yet implemented in
+                    <acronym>BIND</acronym>9.
+                  </simpara>
+                </note>
+              </listitem>
+            </varlistentry>
+
+          </variablelist>
+
+        </sect3>
+
+        <sect3 id="topology">
+          <title>Topology</title>
+
+          <para>
+            All other things being equal, when the server chooses a name
+            server
+            to query from a list of name servers, it prefers the one that is
+            topologically closest to itself. The <command>topology</command> statement
+            takes an <command>address_match_list</command> and
+            interprets it
+            in a special way. Each top-level list element is assigned a
+            distance.
+            Non-negated elements get a distance based on their position in the
+            list, where the closer the match is to the start of the list, the
+            shorter the distance is between it and the server. A negated match
+            will be assigned the maximum distance from the server. If there
+            is no match, the address will get a distance which is further than
+            any non-negated list element, and closer than any negated element.
+            For example,
+          </para>
 
-<varlistentry><term><command>alt-transfer-source-v6</command></term>
-<listitem><para>An alternate transfer source if the one listed in
-<command>transfer-source-v6</command> fails and
-<command>use-alt-transfer-source</command> is set.</para>
-              </listitem></varlistentry>
-
-<varlistentry><term><command>use-alt-transfer-source</command></term>
-<listitem><para>Use the alternate transfer sources or not.  If views are
-specified this defaults to <command>no</command> otherwise it defaults to
-<command>yes</command> (for BIND 8 compatibility).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>notify-source</command></term>
-<listitem><para><command>notify-source</command> determines
-which local source address, and optionally UDP port, will be used to
-send NOTIFY messages.
-This address must appear in the slave server's <command>masters</command>
-zone clause or in an <command>allow-notify</command> clause.
-This statement sets the <command>notify-source</command> for all zones,
-but can be overridden on a per-zone or per-view basis by including a
-<command>notify-source</command> statement within the <command>zone</command>
-or <command>view</command> block in the configuration file.</para>
-               <note>
-                 <para>
-                   Solaris 2.5.1 and earlier does not support setting the
-                   source address for TCP sockets.
-                 </para>
-                 </note>
-</listitem></varlistentry>
-
-<varlistentry><term><command>notify-source-v6</command></term>
-<listitem><para>Like <command>notify-source</command>,
-but applies to notify messages sent to IPv6 addresses.</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3>
-<title>Bad UDP Port Lists</title>
-<para>
-<command>avoid-v4-udp-ports</command> and <command>avoid-v6-udp-ports</command>
-specify a list of IPv4 and IPv6 UDP ports that will not be used as system
-assigned source ports for UDP sockets.  These lists prevent named
-from choosing as its random source port a port that is blocked by
-your firewall.  If a query went out with such a source port, the
-answer would not get by the firewall and the name server would have
-to query again.
-</para>
-</sect3>
-
-<sect3>
-<title>Operating System Resource Limits</title>
-
-<para>The server's usage of many system resources can be limited.
-Scaled values are allowed when specifying resource limits.  For
-example, <command>1G</command> can be used instead of
-<command>1073741824</command> to specify a limit of one
-gigabyte. <command>unlimited</command> requests unlimited use, or the
-maximum available amount. <command>default</command> uses the limit
-that was in force when the server was started. See the description
-of <command>size_spec</command> in <xref
-linkend="configuration_file_elements"/>.</para>
-
-<para>The following options set operating system resource limits for
-the name server process.  Some operating systems don't support some or
-any of the limits. On such systems, a warning will be issued if the
-unsupported limit is used.</para>
-
-<variablelist>
-
-<varlistentry><term><command>coresize</command></term>
-<listitem><para>The maximum size of a core dump. The default
-is <literal>default</literal>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>datasize</command></term>
-<listitem><para>The maximum amount of data memory the server
-may use. The default is <literal>default</literal>.
-This is a hard limit on server memory usage.
-If the server attempts to allocate memory in excess of this
-limit, the allocation will fail, which may in turn leave
-the server unable to perform DNS service.  Therefore,
-this option is rarely useful as a way of limiting the
-amount of memory used by the server, but it can be used
-to raise an operating system data size limit that is
-too small by default.  If you wish to limit the amount
-of memory used by the server, use the
-<command>max-cache-size</command> and 
-<command>recursive-clients</command>
-options instead.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>files</command></term>
-<listitem><para>The maximum number of files the server
-may have open concurrently. The default is <literal>unlimited</literal>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>stacksize</command></term>
-<listitem><para>The maximum amount of stack memory the server
-may use. The default is <literal>default</literal>.</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3>
-<title>Server  Resource Limits</title>
-
-<para>The following options set limits on the server's
-resource consumption that are enforced internally by the
-server rather than the operating system.</para>
-
-<variablelist>
-
-<varlistentry><term><command>max-ixfr-log-size</command></term>
-<listitem><para>This option is obsolete; it is accepted
-and ignored for BIND 8 compatibility.  The option
-<command>max-journal-size</command> performs a similar
-function in BIND 8.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-journal-size</command></term>
-<listitem><para>Sets a maximum size for each journal file
-(see <xref linkend="journal"/>).  When the journal file approaches
-the specified size, some of the oldest transactions in the journal
-will be automatically removed.  The default is
-<literal>unlimited</literal>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>host-statistics-max</command></term>
-<listitem><para>In BIND 8, specifies the maximum number of host statistics
-entries to be kept.
-Not implemented in BIND 9.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>recursive-clients</command></term>
-<listitem><para>The maximum number of simultaneous recursive lookups
-the server will perform on behalf of clients.  The default is
-<literal>1000</literal>.  Because each recursing client uses a fair
-bit of memory, on the order of 20 kilobytes, the value of the
-<command>recursive-clients</command> option may have to be decreased
-on hosts with limited memory.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>tcp-clients</command></term>
-<listitem><para>The maximum number of simultaneous client TCP
-connections that the server will accept.
-The default is <literal>100</literal>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-cache-size</command></term>
-<listitem><para>The maximum amount of memory to use for the
-server's cache, in bytes.  When the amount of data in the cache
-reaches this limit, the server will cause records to expire
-prematurely so that the limit is not exceeded.  In a server with
-multiple views, the limit applies separately to the cache of each
-view.  The default is <literal>unlimited</literal>, meaning that 
-records are purged from the cache only when their TTLs expire.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>tcp-listen-queue</command></term>
-<listitem><para>The listen queue depth.  The default and minimum is 3.
-If the kernel supports the accept filter "dataready" this also controls how
-many TCP connections that will be queued in kernel space waiting for
-some data before being passed to accept.  Values less than 3 will be
-silently raised.
-</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3><title>Periodic Task Intervals</title>
-
-<variablelist>
-
-<varlistentry><term><command>cleaning-interval</command></term>
-<listitem><para>The server will remove expired resource records
-from the cache every <command>cleaning-interval</command> minutes.
-The default is 60 minutes.  The maximum value is 28 days (40320 minutes).
-If set to 0, no periodic cleaning will occur.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>heartbeat-interval</command></term>
-<listitem><para>The server will perform zone maintenance tasks
-for all zones marked as <command>dialup</command> whenever this
-interval expires. The default is 60 minutes. Reasonable values are up
-to 1 day (1440 minutes).  The maximum value is 28 days (40320 minutes).
-If set to 0, no zone maintenance for these zones will occur.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>interface-interval</command></term>
-<listitem><para>The server will scan the network interface list
-every <command>interface-interval</command> minutes. The default
-is 60 minutes. The maximum value is 28 days (40320 minutes).
-If set to 0, interface scanning will only occur when
-the configuration file is  loaded. After the scan, the server will
-begin listening for queries on any newly discovered
-interfaces (provided they are allowed by the
-<command>listen-on</command> configuration), and will
-stop listening on interfaces that have gone away.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>statistics-interval</command></term>
-<listitem><para>Name server statistics will be logged
-every <command>statistics-interval</command> minutes. The default is 
-60. The maximum value is 28 days (40320 minutes).
-If set to 0, no statistics will be logged.</para><note>
-<simpara>Not yet implemented in <acronym>BIND</acronym>9.</simpara></note>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3 id="topology"><title>Topology</title>
-
-<para>All other things being equal, when the server chooses a name server
-to query from a list of name servers, it prefers the one that is
-topologically closest to itself. The <command>topology</command> statement
-takes an <command>address_match_list</command> and interprets it
-in a special way. Each top-level list element is assigned a distance.
-Non-negated elements get a distance based on their position in the
-list, where the closer the match is to the start of the list, the
-shorter the distance is between it and the server. A negated match
-will be assigned the maximum distance from the server. If there
-is no match, the address will get a distance which is further than
-any non-negated list element, and closer than any negated element.
-For example,</para>
 <programlisting>topology {
     10/8;
     !1.2.3/24;
     { 1.2/16; 3/8; };
 };</programlisting>
-<para>will prefer servers on network 10 the most, followed by hosts
-on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
-exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
-is preferred least of all.</para>
-<para>The default topology is</para>
+
+          <para>
+            will prefer servers on network 10 the most, followed by hosts
+            on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
+            exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
+            is preferred least of all.
+          </para>
+          <para>
+            The default topology is
+          </para>
+
 <programlisting>    topology { localhost; localnets; };
 </programlisting>
-<note><simpara>The <command>topology</command> option
-is not implemented in <acronym>BIND</acronym> 9.
-</simpara></note>
-</sect3>
-
-<sect3 id="the_sortlist_statement">
-
-<title>The <command>sortlist</command> Statement</title>
-
-<para>The response to a DNS query may consist of multiple resource
-records (RRs) forming a resource records set (RRset).
-The name server will normally return the
-RRs within the RRset in an indeterminate order
-(but see the <command>rrset-order</command>
-statement in <xref linkend="rrset_ordering"/>).
-The client resolver code should rearrange the RRs as appropriate,
-that is, using any addresses on the local net in preference to other addresses.
-However, not all resolvers can do this or are correctly configured.
-When a client is using a local server, the sorting can be performed
-in the server, based on the client's address. This only requires
-configuring the name servers, not all the clients.</para>
-
-<para>The <command>sortlist</command> statement (see below) takes
-an <command>address_match_list</command> and interprets it even
-more specifically than the <command>topology</command> statement
-does (<xref linkend="topology"/>).
-Each top level statement in the <command>sortlist</command> must
-itself be an explicit <command>address_match_list</command> with
-one or two elements. The first element (which may be an IP address,
-an IP prefix, an ACL name or a nested <command>address_match_list</command>)
-of each top level list is checked against the source address of
-the query until a match is found.</para>
-<para>Once the source address of the query has been matched, if
-the top level statement contains only one element, the actual primitive
-element that matched the source address is used to select the address
-in the response to move to the beginning of the response. If the
-statement is a list of two elements, then the second element is
-treated the same as the <command>address_match_list</command> in
-a <command>topology</command> statement. Each top level element
-is assigned a distance and the address in the response with the minimum
-distance is moved to the beginning of the response.</para>
-<para>In the following example, any queries received from any of
-the addresses of the host itself will get responses preferring addresses
-on any of the locally connected networks. Next most preferred are addresses
-on the 192.168.1/24 network, and after that either the 192.168.2/24
-or
-192.168.3/24 network with no preference shown between these two
-networks. Queries received from a host on the 192.168.1/24 network
-will prefer other addresses on that network to the 192.168.2/24
-and
-192.168.3/24 networks. Queries received from a host on the 192.168.4/24
-or the 192.168.5/24 network will only prefer other addresses on
-their directly connected networks.</para>
+
+          <note>
+            <simpara>
+              The <command>topology</command> option
+              is not implemented in <acronym>BIND</acronym> 9.
+            </simpara>
+          </note>
+        </sect3>
+
+        <sect3 id="the_sortlist_statement">
+
+          <title>The <command>sortlist</command> Statement</title>
+
+          <para>
+            The response to a DNS query may consist of multiple resource
+            records (RRs) forming a resource records set (RRset).
+            The name server will normally return the
+            RRs within the RRset in an indeterminate order
+            (but see the <command>rrset-order</command>
+            statement in <xref linkend="rrset_ordering"/>).
+            The client resolver code should rearrange the RRs as appropriate,
+            that is, using any addresses on the local net in preference to
+            other addresses.
+            However, not all resolvers can do this or are correctly
+            configured.
+            When a client is using a local server, the sorting can be performed
+            in the server, based on the client's address. This only requires
+            configuring the name servers, not all the clients.
+          </para>
+
+          <para>
+            The <command>sortlist</command> statement (see below)
+            takes
+            an <command>address_match_list</command> and
+            interprets it even
+            more specifically than the <command>topology</command>
+            statement
+            does (<xref linkend="topology"/>).
+            Each top level statement in the <command>sortlist</command> must
+            itself be an explicit <command>address_match_list</command> with
+            one or two elements. The first element (which may be an IP
+            address,
+            an IP prefix, an ACL name or a nested <command>address_match_list</command>)
+            of each top level list is checked against the source address of
+            the query until a match is found.
+          </para>
+          <para>
+            Once the source address of the query has been matched, if
+            the top level statement contains only one element, the actual
+            primitive
+            element that matched the source address is used to select the
+            address
+            in the response to move to the beginning of the response. If the
+            statement is a list of two elements, then the second element is
+            treated the same as the <command>address_match_list</command> in
+            a <command>topology</command> statement. Each top
+            level element
+            is assigned a distance and the address in the response with the
+            minimum
+            distance is moved to the beginning of the response.
+          </para>
+          <para>
+            In the following example, any queries received from any of
+            the addresses of the host itself will get responses preferring
+            addresses
+            on any of the locally connected networks. Next most preferred are
+            addresses
+            on the 192.168.1/24 network, and after that either the
+            192.168.2/24
+            or
+            192.168.3/24 network with no preference shown between these two
+            networks. Queries received from a host on the 192.168.1/24 network
+            will prefer other addresses on that network to the 192.168.2/24
+            and
+            192.168.3/24 networks. Queries received from a host on the
+            192.168.4/24
+            or the 192.168.5/24 network will only prefer other addresses on
+            their directly connected networks.
+          </para>
+
 <programlisting>sortlist {
     { localhost;                                   // IF   the local host
         { localnets;                               // THEN first fit on the
@@ -4189,410 +6829,1009 @@ their directly connected networks.</para>
     { { 192.168.4/24; 192.168.5/24; };             // if .4 or .5, prefer that net
     };
 };</programlisting>
-<para>The following example will give reasonable behavior for the
-local host and hosts on directly connected networks. It is similar
-to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
-to queries from the local host will favor any of the directly connected
-networks. Responses sent to queries from any other hosts on a directly
-connected network will prefer addresses on that same network. Responses
-to other queries will not be sorted.</para>
+
+          <para>
+            The following example will give reasonable behavior for the
+            local host and hosts on directly connected networks. It is similar
+            to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
+            to queries from the local host will favor any of the directly
+            connected
+            networks. Responses sent to queries from any other hosts on a
+            directly
+            connected network will prefer addresses on that same network.
+            Responses
+            to other queries will not be sorted.
+          </para>
+
 <programlisting>sortlist {
            { localhost; localnets; };
            { localnets; };
 };
 </programlisting>
-</sect3>
-<sect3 id="rrset_ordering"><title id="rrset_ordering_title">RRset Ordering</title>
-<para>When multiple records are returned in an answer it may be
-useful to configure the order of the records placed into the response.
-The <command>rrset-order</command> statement permits configuration
-of the ordering of the records in a multiple record response.
-See also the <command>sortlist</command> statement,
-<xref linkend="the_sortlist_statement"/>.
-</para>
-
-<para>An <command>order_spec</command> is defined as follows:</para>
-<programlisting><optional> class <replaceable>class_name</replaceable> </optional><optional> type <replaceable>type_name</replaceable> </optional><optional> name <replaceable>"domain_name"</replaceable></optional>
-      order <replaceable>ordering</replaceable>
-</programlisting>
-<para>If no class is specified, the default is <command>ANY</command>.
-If no type is specified, the default is <command>ANY</command>.
-If no name is specified, the default is "<command>*</command>" (asterisk).</para>
-<para>The legal values for <command>ordering</command> are:</para>
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
-    colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.750in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.750in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>fixed</command></para></entry>
-<entry colname = "2"><para>Records are returned in the order they
-are defined in the zone file.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>random</command></para></entry>
-<entry colname = "2"><para>Records are returned in some random order.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>cyclic</command></para></entry>
-<entry colname = "2"><para>Records are returned in a round-robin
-order.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>For example:</para>
+
+        </sect3>
+        <sect3 id="rrset_ordering">
+          <title id="rrset_ordering_title">RRset Ordering</title>
+          <para>
+            When multiple records are returned in an answer it may be
+            useful to configure the order of the records placed into the
+            response.
+            The <command>rrset-order</command> statement permits
+            configuration
+            of the ordering of the records in a multiple record response.
+            See also the <command>sortlist</command> statement,
+            <xref linkend="the_sortlist_statement"/>.
+          </para>
+
+          <para>
+            An <command>order_spec</command> is defined as
+            follows:
+          </para>
+          <para>
+	    <optional>class <replaceable>class_name</replaceable></optional>
+            <optional>type <replaceable>type_name</replaceable></optional>
+            <optional>name <replaceable>"domain_name"</replaceable></optional>
+	    order <replaceable>ordering</replaceable>
+	  </para>
+          <para>
+            If no class is specified, the default is <command>ANY</command>.
+            If no type is specified, the default is <command>ANY</command>.
+            If no name is specified, the default is "<command>*</command>" (asterisk).
+          </para>
+          <para>
+            The legal values for <command>ordering</command> are:
+          </para>
+          <informaltable colsep="0" rowsep="0">
+            <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+              <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
+              <colspec colname="2" colnum="2" colsep="0" colwidth="3.750in"/>
+              <tbody>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>fixed</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Records are returned in the order they
+                      are defined in the zone file.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>random</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Records are returned in some random order.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>cyclic</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Records are returned in a round-robin
+                      order.
+                    </para>
+                  </entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </informaltable>
+          <para>
+            For example:
+          </para>
+
 <programlisting>rrset-order {
    class IN type A name "host.example.com" order random;
    order cyclic;
 };
 </programlisting>
-<para>will cause any responses for type A records in class IN that
-have "<literal>host.example.com</literal>" as a suffix, to always be returned
-in random order. All other records are returned in cyclic order.</para>
-<para>If multiple <command>rrset-order</command> statements appear,
-they are not combined &mdash; the last one applies.</para>
-
-<note>
-<simpara>The <command>rrset-order</command> statement
-is not yet fully implemented in <acronym>BIND</acronym> 9.
-BIND 9 currently does not support "fixed" ordering.
-</simpara></note>
-</sect3>
-
-<sect3 id="tuning"><title>Tuning</title>
-
-<variablelist>
-
-<varlistentry><term><command>lame-ttl</command></term>
-<listitem><para>Sets the number of seconds to cache a
-lame server indication. 0 disables caching. (This is
-<emphasis role="bold">NOT</emphasis> recommended.)
-The default is <literal>600</literal> (10 minutes) and the maximum value is 
-<literal>1800</literal> (30 minutes).</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-ncache-ttl</command></term>
-<listitem><para>To reduce network traffic and increase performance,
-the server stores negative answers. <command>max-ncache-ttl</command> is
-used to set a maximum retention time for these answers in the server
-in seconds. The default
-<command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
-<command>max-ncache-ttl</command> cannot exceed 7 days and will
-be silently truncated to 7 days if set to a greater value.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-cache-ttl</command></term>
-<listitem><para>Sets
-the maximum time for which the server will cache ordinary (positive)
-answers. The default is one week (7 days).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>min-roots</command></term>
-<listitem><para>The minimum number of root servers that
-is required for a request for the root servers to be accepted. The default
-is <userinput>2</userinput>.</para>
-<note>
-<simpara>Not implemented in <acronym>BIND</acronym> 9.</simpara></note>
-</listitem></varlistentry>
-
-<varlistentry><term><command>sig-validity-interval</command></term>
-<listitem><para>Specifies the number of days into the
-future when DNSSEC signatures automatically generated as a result
-of dynamic updates (<xref linkend="dynamic_update"/>)
-will expire. The default is <literal>30</literal> days.
-The maximum value is 10 years (3660 days). The signature
-inception time is unconditionally set to one hour before the current time
-to allow for a limited amount of clock skew.</para>
-</listitem></varlistentry>
-
-<varlistentry>
-<term><command>min-refresh-time</command></term>
-<term><command>max-refresh-time</command></term>
-<term><command>min-retry-time</command></term>
-<term><command>max-retry-time</command></term>
-<listitem><para>
-These options control the server's behavior on refreshing a zone
-(querying for SOA changes) or retrying failed transfers.
-Usually the SOA values for the zone are used, but these values
-are set by the master, giving slave server administrators little
-control over their contents.
-</para><para>
-These options allow the administrator to set a minimum and maximum
-refresh and retry time either per-zone, per-view, or globally.
-These options are valid for slave and stub zones,
-and clamp the SOA refresh and retry times to the specified values.
-</para></listitem></varlistentry>
-
-<varlistentry>
-<term><command>edns-udp-size</command></term>
-<listitem><para>
-<command>edns-udp-size</command> sets the advertised EDNS UDP buffer
-size in bytes.  Valid values are 512 to 4096 bytes (values outside this range will be
-silently adjusted).  The default value is 4096.  The usual reason for
-setting edns-udp-size to a non-default value it to get UDP answers to
-pass through broken firewalls that block fragmented packets and/or
-block UDP packets that are greater than 512 bytes.
-</para></listitem></varlistentry>
-</variablelist>
-
-</sect3>
-
-<sect3 id="builtin">
-<title>Built-in server information zones</title>
-
-<para>The server provides some helpful diagnostic information
-through a number of built-in zones under the
-pseudo-top-level-domain <literal>bind</literal> in the
-<command>CHAOS</command> class.  These zones are part of a
-built-in view (see <xref linkend="view_statement_grammar"/>) of class
-<command>CHAOS</command> which is separate from the default view of
-class <command>IN</command>; therefore, any global server options
-such as <command>allow-query</command> do not apply the these zones.
-If you feel the need to disable these zones, use the options
-below, or hide the built-in <command>CHAOS</command> view by
-defining an explicit view of class <command>CHAOS</command>
-that matches all clients.</para>
-
-<variablelist>
-
-<varlistentry><term><command>version</command></term>
-<listitem><para>The version the server should report
-via a query of the name <literal>version.bind</literal>
-with type <command>TXT</command>, class <command>CHAOS</command>.
-The default is the real version number of this server.
-Specifying <command>version none</command>
-disables processing of the queries.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>hostname</command></term>
-<listitem><para>The hostname the server should report via a query of
-the name <filename>hostname.bind</filename>
-with type <command>TXT</command>, class <command>CHAOS</command>.
-This defaults to the hostname of the machine hosting the name server as
-found by the gethostname() function.  The primary purpose of such queries is to
-identify which of a group of anycast servers is actually
-answering your queries.  Specifying <command>hostname none;</command>
-disables processing of the queries.</para> 
-</listitem></varlistentry>
-
-<varlistentry><term><command>server-id</command></term>
-<listitem><para>The ID of the server should report via a query of
-the name <filename>ID.SERVER</filename>
-with type <command>TXT</command>, class <command>CHAOS</command>.
-The primary purpose of such queries is to
-identify which of a group of anycast servers is actually
-answering your queries.  Specifying <command>server-id none;</command>
-disables processing of the queries.
-Specifying <command>server-id hostname;</command> will cause named to
-use the hostname as found by the gethostname() function.
-The default <command>server-id</command> is <command>none</command>.
-</para> 
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3 id="statsfile">
-<title>The Statistics File</title>
-
-<para>The statistics file generated by <acronym>BIND</acronym> 9
-is similar, but not identical, to that
-generated by <acronym>BIND</acronym> 8.
-</para>
-<para>The statistics dump begins with a line, like:</para>
- <para>
- <command>+++ Statistics Dump +++ (973798949)</command>
- </para>
- <para>The numberr in parentheses is a standard
-Unix-style timestamp, measured as seconds since January 1, 1970.  Following
-that line are a series of lines containing a counter type, the value of the
-counter, optionally a zone name, and optionally a view name.
-The lines without view and zone listed are global statistics for the entire server.
-Lines with a zone and view name for the given view and zone (the view name is
-omitted for the default view).
-</para>
-<para>
-The statistics dump ends with the line where the
-number is identical to the number in the beginning line; for example:
-</para>
-<para>
-<command>--- Statistics Dump --- (973798949)</command>
-</para>
-<para>The following statistics counters are maintained:</para>
-<informaltable
-    colsep = "0" rowsep = "0"><tgroup cols = "2"
-    colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.350in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>success</command></para></entry>
-<entry colname = "2"><para>The number of
-successful queries made to the server or zone.  A successful query
-is defined as query which returns a NOERROR response with at least
-one answer RR.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>referral</command></para></entry>
-<entry colname = "2"><para>The number of queries which resulted
-in referral responses.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>nxrrset</command></para></entry>
-<entry colname = "2"><para>The number of queries which resulted in
-NOERROR responses with no data.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>nxdomain</command></para></entry>
-<entry colname = "2"><para>The number
-of queries which resulted in NXDOMAIN responses.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>failure</command></para></entry>
-<entry colname = "2"><para>The number of queries which resulted in a
-failure response other than those above.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>recursion</command></para></entry>
-<entry colname = "2"><para>The number of queries which caused the server
-to perform recursion in order to find the final answer.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-
-<para>
-Each query received by the server will cause exactly one of
-<command>success</command>,
-<command>referral</command>,
-<command>nxrrset</command>,
-<command>nxdomain</command>, or
-<command>failure</command>
-to be incremented, and may additionally cause the
-<command>recursion</command> counter to be incremented.
-</para>
-
-</sect3>
-
-</sect2>
-
-<sect2 id="server_statement_grammar">
-<title><command>server</command> Statement Grammar</title>
-
-<programlisting>server <replaceable>ip_addr</replaceable> {
+
+          <para>
+            will cause any responses for type A records in class IN that
+            have "<literal>host.example.com</literal>" as a
+            suffix, to always be returned
+            in random order. All other records are returned in cyclic order.
+          </para>
+          <para>
+            If multiple <command>rrset-order</command> statements
+            appear,
+            they are not combined &mdash; the last one applies.
+          </para>
+
+          <note>
+            <simpara>
+              The <command>rrset-order</command> statement
+              is not yet fully implemented in <acronym>BIND</acronym> 9.
+              BIND 9 currently does not fully support "fixed" ordering.
+            </simpara>
+          </note>
+        </sect3>
+
+        <sect3 id="tuning">
+          <title>Tuning</title>
+
+          <variablelist>
+
+            <varlistentry>
+              <term><command>lame-ttl</command></term>
+              <listitem>
+                <para>
+                  Sets the number of seconds to cache a
+                  lame server indication. 0 disables caching. (This is
+                  <emphasis role="bold">NOT</emphasis> recommended.)
+                  The default is <literal>600</literal> (10 minutes) and the
+                  maximum value is
+                  <literal>1800</literal> (30 minutes).
+                </para>
+
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>max-ncache-ttl</command></term>
+              <listitem>
+                <para>
+                  To reduce network traffic and increase performance,
+                  the server stores negative answers. <command>max-ncache-ttl</command> is
+                  used to set a maximum retention time for these answers in
+                  the server
+                  in seconds. The default
+                  <command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
+                  <command>max-ncache-ttl</command> cannot exceed
+                  7 days and will
+                  be silently truncated to 7 days if set to a greater value.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>max-cache-ttl</command></term>
+              <listitem>
+                <para>
+		  Sets the maximum time for which the server will
+                  cache ordinary (positive) answers. The default is
+                  one week (7 days).
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>min-roots</command></term>
+              <listitem>
+                <para>
+                  The minimum number of root servers that
+                  is required for a request for the root servers to be
+                  accepted. The default
+                  is <userinput>2</userinput>.
+                </para>
+                <note>
+                  <simpara>
+                    Not implemented in <acronym>BIND</acronym> 9.
+                  </simpara>
+                </note>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>sig-validity-interval</command></term>
+              <listitem>
+                <para>
+                  Specifies the number of days into the
+                  future when DNSSEC signatures automatically generated as a
+                  result
+                  of dynamic updates (<xref linkend="dynamic_update"/>)
+                  will expire. The default is <literal>30</literal> days.
+                  The maximum value is 10 years (3660 days). The signature
+                  inception time is unconditionally set to one hour before the
+                  current time
+                  to allow for a limited amount of clock skew.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>min-refresh-time</command></term>
+              <term><command>max-refresh-time</command></term>
+              <term><command>min-retry-time</command></term>
+              <term><command>max-retry-time</command></term>
+              <listitem>
+                <para>
+                  These options control the server's behavior on refreshing a
+                  zone
+                  (querying for SOA changes) or retrying failed transfers.
+                  Usually the SOA values for the zone are used, but these
+                  values
+                  are set by the master, giving slave server administrators
+                  little
+                  control over their contents.
+                </para>
+                <para>
+                  These options allow the administrator to set a minimum and
+                  maximum
+                  refresh and retry time either per-zone, per-view, or
+                  globally.
+                  These options are valid for slave and stub zones,
+                  and clamp the SOA refresh and retry times to the specified
+                  values.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>edns-udp-size</command></term>
+              <listitem>
+                <para>
+		  Sets the advertised EDNS UDP buffer size in bytes.  Valid
+                  values are 512 to 4096 (values outside this range
+                  will be silently adjusted).  The default value is
+                  4096.  The usual reason for setting edns-udp-size to
+                  a non-default value it to get UDP answers to pass
+                  through broken firewalls that block fragmented
+                  packets and/or block UDP packets that are greater
+                  than 512 bytes.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>max-udp-size</command></term>
+              <listitem>
+                <para>
+		  Sets the maximum EDNS UDP message size named will
+		  send in bytes.  Valid values are 512 to 4096 (values outside
+		  this range will be silently adjusted).  The default
+		  value is 4096.  The usual reason for setting
+		  max-udp-size to a non-default value is to get UDP
+		  answers to pass through broken firewalls that
+		  block fragmented packets and/or block UDP packets
+		  that are greater than 512 bytes.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>masterfile-format</command></term>
+	      <listitem>
+	        <para>Specifies
+		  the file format of zone files (see
+	          <xref linkend="zonefile_format"/>).
+	          The default value is <constant>text</constant>, which is the
+		  standard textual representation.  Files in other formats
+		  than <constant>text</constant> are typically expected
+		  to be generated by the <command>named-compilezone</command> tool.
+		  Note that when a zone file in a different format than
+		  <constant>text</constant> is loaded, <command>named</command>
+	          may omit some of the checks which would be performed for a
+		  file in the <constant>text</constant> format.  In particular,
+		  <command>check-names</command> checks do not apply
+		  for the <constant>raw</constant> format.  This means
+		  a zone file in the <constant>raw</constant> format
+		  must be generated with the same check level as that
+		  specified in the <command>named</command> configuration
+		  file.  This statement sets the
+		  <command>masterfile-format</command> for all zones,
+		  but can be overridden on a per-zone or per-view basis
+		  by including a <command>masterfile-format</command>
+		  statement within the <command>zone</command> or
+		  <command>view</command> block in the configuration
+		  file.
+	        </para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>clients-per-query</command></term>
+	      <term><command>max-clients-per-query</command></term>
+              <listitem>
+		<para>These set the
+		  initial value (minimum) and maximum number of recursive
+		  simultanious clients for any given query
+		  (&lt;qname,qtype,qclass&gt;) that the server will accept
+		  before dropping additional clients.  named will attempt to
+		  self tune this value and changes will be logged.  The
+		  default values are 10 and 100.
+		</para>
+		<para>
+	          This value should reflect how many queries come in for
+		  a given name in the time it takes to resolve that name.
+		  If the number of queries exceed this value, named will
+		  assume that it is dealing with a non-responsive zone
+		  and will drop additional queries.  If it gets a response
+		  after dropping queries, it will raise the estimate.  The
+		  estimate will then be lowered in 20 minutes if it has
+		  remained unchanged.
+		</para>
+		<para>
+		  If <command>clients-per-query</command> is set to zero,
+		  then there is no limit on the number of clients per query
+		  and no queries will be dropped.
+		</para>
+		<para>
+		  If <command>max-clients-per-query</command> is set to zero,
+		  then there is no upper bound other than imposed by
+		  <command>recursive-clients</command>.
+		</para>
+              </listitem>
+	    </varlistentry>
+	  </variablelist>
+
+        </sect3>
+
+        <sect3 id="builtin">
+          <title>Built-in server information zones</title>
+
+          <para>
+            The server provides some helpful diagnostic information
+            through a number of built-in zones under the
+            pseudo-top-level-domain <literal>bind</literal> in the
+            <command>CHAOS</command> class.  These zones are part
+            of a
+            built-in view (see <xref linkend="view_statement_grammar"/>) of
+            class
+            <command>CHAOS</command> which is separate from the
+            default view of
+            class <command>IN</command>; therefore, any global
+            server options
+            such as <command>allow-query</command> do not apply
+            the these zones.
+            If you feel the need to disable these zones, use the options
+            below, or hide the built-in <command>CHAOS</command>
+            view by
+            defining an explicit view of class <command>CHAOS</command>
+            that matches all clients.
+          </para>
+
+          <variablelist>
+
+            <varlistentry>
+              <term><command>version</command></term>
+              <listitem>
+                <para>
+                  The version the server should report
+                  via a query of the name <literal>version.bind</literal>
+                  with type <command>TXT</command>, class <command>CHAOS</command>.
+                  The default is the real version number of this server.
+                  Specifying <command>version none</command>
+                  disables processing of the queries.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>hostname</command></term>
+              <listitem>
+                <para>
+                  The hostname the server should report via a query of
+                  the name <filename>hostname.bind</filename>
+                  with type <command>TXT</command>, class <command>CHAOS</command>.
+                  This defaults to the hostname of the machine hosting the
+                  name server as
+                  found by the gethostname() function.  The primary purpose of such queries
+                  is to
+                  identify which of a group of anycast servers is actually
+                  answering your queries.  Specifying <command>hostname none;</command>
+                  disables processing of the queries.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>server-id</command></term>
+              <listitem>
+                <para>
+                  The ID of the server should report via a query of
+                  the name <filename>ID.SERVER</filename>
+                  with type <command>TXT</command>, class <command>CHAOS</command>.
+                  The primary purpose of such queries is to
+                  identify which of a group of anycast servers is actually
+                  answering your queries.  Specifying <command>server-id none;</command>
+                  disables processing of the queries.
+                  Specifying <command>server-id hostname;</command> will cause named to
+                  use the hostname as found by the gethostname() function.
+                  The default <command>server-id</command> is <command>none</command>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+          </variablelist>
+
+        </sect3>
+
+        <sect3 id="empty">
+          <title>Built-in Empty Zones</title>
+	  <para>
+	    Named has some built-in empty zones (SOA and NS records only).
+	    These are for zones that should normally be answered locally
+	    and which queries should not be sent to the Internet's root
+	    servers.  The offical servers which cover these namespaces
+	    return NXDOMAIN responses to these queries.  In particular,
+	    these cover the reverse namespace for addresses from RFC 1918 and
+	    RFC 3330.  They also include the reverse namespace for IPv6 local
+	    address (locally assigned), IPv6 link local addresses, the IPv6
+	    loopback address and the IPv6 unknown addresss.
+	  </para>
+	  <para>
+	    Named will attempt to determine if a built in zone already exists
+	    or is active (covered by a forward-only forwarding declaration)
+	    and will not not create a empty zone in that case.
+	  </para>
+	  <para>
+	    The current list of empty zones is:
+	    <itemizedlist>
+	      <listitem>10.IN-ADDR.ARPA</listitem>
+	      <listitem>127.IN-ADDR.ARPA</listitem>
+	      <listitem>254.169.IN-ADDR.ARPA</listitem>
+	      <listitem>16.172.IN-ADDR.ARPA</listitem>
+	      <listitem>17.172.IN-ADDR.ARPA</listitem>
+	      <listitem>18.172.IN-ADDR.ARPA</listitem>
+	      <listitem>19.172.IN-ADDR.ARPA</listitem>
+	      <listitem>20.172.IN-ADDR.ARPA</listitem>
+	      <listitem>21.172.IN-ADDR.ARPA</listitem>
+	      <listitem>22.172.IN-ADDR.ARPA</listitem>
+	      <listitem>23.172.IN-ADDR.ARPA</listitem>
+	      <listitem>24.172.IN-ADDR.ARPA</listitem>
+	      <listitem>25.172.IN-ADDR.ARPA</listitem>
+	      <listitem>26.172.IN-ADDR.ARPA</listitem>
+	      <listitem>27.172.IN-ADDR.ARPA</listitem>
+	      <listitem>28.172.IN-ADDR.ARPA</listitem>
+	      <listitem>29.172.IN-ADDR.ARPA</listitem>
+	      <listitem>30.172.IN-ADDR.ARPA</listitem>
+	      <listitem>31.172.IN-ADDR.ARPA</listitem>
+	      <listitem>168.192.IN-ADDR.ARPA</listitem>
+	      <listitem>2.0.192.IN-ADDR.ARPA</listitem>
+	      <listitem>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
+	      <listitem>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
+	      <listitem>D.F.IP6.ARPA</listitem>
+	      <listitem>8.E.F.IP6.ARPA</listitem>
+	      <listitem>9.E.F.IP6.ARPA</listitem>
+	      <listitem>A.E.F.IP6.ARPA</listitem>
+	      <listitem>B.E.F.IP6.ARPA</listitem>
+	    </itemizedlist>
+	  </para>
+	  <para>
+	    Empty zones are settable at the view level and only apply to
+	    views of class IN.  Disabled empty zones are only inherited
+	    from options if there are no disabled empty zones specified
+	    at the view level.  To override the options list of disabled
+	    zones, you can disable the root zone at the view level, for example:
+<programlisting>
+	    disable-empty-zone ".";
+</programlisting>
+	  </para>
+	  <para>
+	    If you are using the address ranges covered here, you should
+	    already have reverse zones covering the addresses you use.
+	    In practice this appears to not be the case with many queries
+	    being made to the infrustructure servers for names in these
+	    spaces.  So many in fact that sacrificial servers were needed
+	    to be deployed to channel the query load away from the
+	    infrustructure servers.
+	  </para>
+	  <note>
+	    The real parent servers for these zones should disable all
+	    empty zone under the parent zone they serve.  For the real
+	    root servers, this is all built in empty zones.  This will
+	    enable them to return referrals to deeper in the tree.
+	  </note>
+          <variablelist>
+	    <varlistentry>
+	      <term><command>empty-server</command></term>
+	      <listitem>
+	        <para>
+		  Specify what server name will appear in the returned
+		  SOA record for empty zones.  If none is specified, then
+		  the zone's name will be used.
+	        </para>
+	       </listitem>
+	    </varlistentry>
+	      
+	    <varlistentry>
+	      <term><command>empty-contact</command></term>
+	      <listitem>
+	        <para>
+		  Specify what contact name will appear in the returned
+		  SOA record for empty zones.  If none is specified, then
+		  "." will be used.
+	        </para>
+	      </listitem>
+	    </varlistentry>
+  
+	    <varlistentry>
+	      <term><command>empty-zones-enable</command></term>
+	      <listitem>
+	        <para>
+		  Enable or disable all empty zones.  By default they
+		  are enabled.
+	        </para>
+	      </listitem>
+	    </varlistentry>
+  
+	    <varlistentry>
+	    <term><command>disable-empty-zone</command></term>
+	      <listitem>
+	        <para>
+		  Disable individual empty zones.  By default none are
+		  disabled.  This option can be specified multiple times.
+	        </para>
+	      </listitem>
+	    </varlistentry>
+          </variablelist>
+        </sect3>
+  
+        <sect3 id="statsfile">
+          <title>The Statistics File</title>
+
+          <para>
+            The statistics file generated by <acronym>BIND</acronym> 9
+            is similar, but not identical, to that
+            generated by <acronym>BIND</acronym> 8.
+          </para>
+          <para>
+            The statistics dump begins with a line, like:
+	  </para>
+          <para>
+	    <command>+++ Statistics Dump +++ (973798949)</command>
+	  </para>
+	  <para>
+	    The number in parentheses is a standard
+            Unix-style timestamp, measured as seconds since January 1, 1970.
+            Following
+            that line are a series of lines containing a counter type, the
+            value of the
+            counter, optionally a zone name, and optionally a view name.
+            The lines without view and zone listed are global statistics for
+            the entire server.
+            Lines with a zone and view name for the given view and zone (the
+            view name is
+            omitted for the default view).
+	  </para>
+	  <para>
+	    The statistics dump ends with the line where the
+            number is identical to the number in the beginning line; for example:
+          </para>
+          <para>
+	    <command>--- Statistics Dump --- (973798949)</command>
+          </para>
+          <para>
+            The following statistics counters are maintained:
+          </para>
+          <informaltable colsep="0" rowsep="0">
+            <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+              <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+              <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
+              <tbody>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>success</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      The number of
+                      successful queries made to the server or zone.  A
+                      successful query
+                      is defined as query which returns a NOERROR response
+                      with at least
+                      one answer RR.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>referral</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      The number of queries which resulted
+                      in referral responses.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>nxrrset</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      The number of queries which resulted in
+                      NOERROR responses with no data.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>nxdomain</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      The number
+                      of queries which resulted in NXDOMAIN responses.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>failure</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      The number of queries which resulted in a
+                      failure response other than those above.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>recursion</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      The number of queries which caused the server
+                      to perform recursion in order to find the final answer.
+                    </para>
+                  </entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </informaltable>
+
+          <para>
+            Each query received by the server will cause exactly one of
+            <command>success</command>,
+            <command>referral</command>,
+            <command>nxrrset</command>,
+            <command>nxdomain</command>, or
+            <command>failure</command>
+            to be incremented, and may additionally cause the
+            <command>recursion</command> counter to be
+            incremented.
+          </para>
+
+        </sect3>
+
+        <sect3 id="acache">
+          <title>Additional Section Caching</title>
+
+          <para>
+            The additional section cache, also called <command>acache</command>,
+            is an internal cache to improve the response performance of BIND 9.
+            When additional section caching is enabled, BIND 9 will
+            cache an internal short-cut to the additional section content for
+            each answer RR.
+            Note that <command>acache</command> is an internal caching
+            mechanism of BIND 9, and is not related to the DNS caching
+            server function.
+          </para>
+
+          <para>
+            Additional section caching does not change the
+            response content (except the RRsets ordering of the additional
+            section, see below), but can improve the response performance
+            significantly.
+            It is particularly effective when BIND 9 acts as an authoritative
+            server for a zone that has many delegations with many glue RRs.
+          </para>
+
+          <para>
+            In order to obtain the maximum performance improvement
+            from additional section caching, setting
+            <command>additional-from-cache</command>
+            to <command>no</command> is recommended, since the current
+            implementation of <command>acache</command>
+            does not short-cut of additional section information from the
+            DNS cache data.
+          </para>
+
+          <para>
+            One obvious disadvantage of <command>acache</command> is
+            that it requires much more
+            memory for the internal cached data.
+            Thus, if the response performance does not matter and memory
+            consumption is much more critical, the
+            <command>acache</command> mechanism can be
+            disabled by setting <command>acache-enable</command> to
+            <command>no</command>.
+            It is also possible to specify the upper limit of memory
+            consumption
+            for acache by using <command>max-acache-size</command>.
+          </para>
+
+          <para>
+            Additional section caching also has a minor effect on the
+            RRset ordering in the additional section.
+            Without <command>acache</command>,
+            <command>cyclic</command> order is effective for the additional
+            section as well as the answer and authority sections.
+            However, additional section caching fixes the ordering when it
+            first caches an RRset for the additional section, and the same
+            ordering will be kept in succeeding responses, regardless of the
+            setting of <command>rrset-order</command>.
+            The effect of this should be minor, however, since an
+            RRset in the additional section
+            typically only contains a small number of RRs (and in many cases
+            it only contains a single RR), in which case the
+            ordering does not matter much.
+          </para>
+
+          <para>
+            The following is a summary of options related to
+            <command>acache</command>.
+          </para>
+
+          <variablelist>
+
+            <varlistentry>
+              <term><command>acache-enable</command></term>
+              <listitem>
+                <para>
+                  If <command>yes</command>, additional section caching is
+		  enabled.  The default value is <command>no</command>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>acache-cleaning-interval</command></term>
+              <listitem>
+                <para>
+                  The server will remove stale cache entries, based on an LRU
+                  based
+                  algorithm, every <command>acache-cleaning-interval</command> minutes.
+                  The default is 60 minutes.
+                  If set to 0, no periodic cleaning will occur.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><command>max-acache-size</command></term>
+              <listitem>
+                <para>
+                  The maximum amount of memory in bytes to use for the server's acache.
+                  When the amount of data in the acache reaches this limit,
+                  the server
+                  will clean more aggressively so that the limit is not
+                  exceeded.
+                  In a server with multiple views, the limit applies
+                  separately to the
+                  acache of each view.
+                  The default is <literal>unlimited</literal>,
+                  meaning that
+                  entries are purged from the acache only at the
+                  periodic cleaning time.
+                </para>
+              </listitem>
+            </varlistentry>
+
+          </variablelist>
+
+        </sect3>
+
+      </sect2>
+
+      <sect2 id="server_statement_grammar">
+        <title><command>server</command> Statement Grammar</title>
+
+<programlisting>server <replaceable>ip_addr[/prefixlen]</replaceable> {
     <optional> bogus <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> edns <replaceable>yes_or_no</replaceable> ; </optional>
+    <optional> edns-udp-size <replaceable>number</replaceable> ; </optional>
+    <optional> max-udp-size <replaceable>number</replaceable> ; </optional>
     <optional> transfers <replaceable>number</replaceable> ; </optional>
     <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; ]</optional>
     <optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
     <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
+    <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
 };
 </programlisting>
 
-</sect2>
-
-<sect2 id="server_statement_definition_and_usage">
-<title><command>server</command> Statement Definition and Usage</title>
-
-<para>The <command>server</command> statement defines characteristics
-to be associated with a remote name server.</para>
-
-<para>
-The <command>server</command> statement can occur at the top level of the
-configuration file or inside a <command>view</command> statement.  
-If a <command>view</command> statement contains
-one or more <command>server</command> statements, only those
-apply to the view and any top-level ones are ignored.
-If a view contains no <command>server</command> statements,
-any top-level <command>server</command> statements are used as
-defaults.
-</para>
-
-<para>If you discover that a remote server is giving out bad data,
-marking it as bogus will prevent further queries to it. The default
-value of <command>bogus</command> is <command>no</command>.</para>
-<para>The <command>provide-ixfr</command> clause determines whether
-the local server, acting as master, will respond with an incremental
-zone transfer when the given remote server, a slave, requests it.
-If set to <command>yes</command>, incremental transfer will be provided
-whenever possible. If set to <command>no</command>, all transfers
-to the remote server will be non-incremental. If not set, the value
-of the <command>provide-ixfr</command> option in the view or
-global options block is used as a default.</para>
-
-<para>The <command>request-ixfr</command> clause determines whether
-the local server, acting as a slave, will request incremental zone
-transfers from the given remote server, a master. If not set, the
-value of the <command>request-ixfr</command> option in the view or
-global options block is used as a default.</para>
-
-<para>IXFR requests to servers that do not support IXFR will automatically
-fall back to AXFR.  Therefore, there is no need to manually list
-which servers support IXFR and which ones do not; the global default
-of <command>yes</command> should always work.
-The purpose of the <command>provide-ixfr</command> and
-<command>request-ixfr</command> clauses is
-to make it possible to disable the use of IXFR even when both master
-and slave claim to support it, for example if one of the servers
-is buggy and crashes or corrupts data when IXFR is used.</para>
-
-<para>The <command>edns</command> clause determines whether the local server
-will attempt to use EDNS when communicating with the remote server.  The
-default is <command>yes</command>.</para>
-
-<para>The server supports two zone transfer methods. The first, <command>one-answer</command>,
-uses one DNS message per resource record transferred. <command>many-answers</command> packs
-as many resource records as possible into a message. <command>many-answers</command> is
-more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
-8.x, and patched versions of <acronym>BIND</acronym> 4.9.5. You can specify which method
-to use for a server with the <command>transfer-format</command> option.
-If <command>transfer-format</command> is not specified, the <command>transfer-format</command> specified
-by the <command>options</command> statement will be used.</para>
-
-<para><command>transfers</command> is used to limit the number of
-concurrent inbound zone transfers from the specified server. If
-no <command>transfers</command> clause is specified, the limit is
-set according to the <command>transfers-per-ns</command> option.</para>
-
-<para>The <command>keys</command> clause identifies a
-<command>key_id</command> defined by the <command>key</command> statement,
-to be used for transaction security (TSIG, <xref linkend="tsig"/>)
-when talking to the remote server. 
-When a request is sent to the remote server, a request signature
-will be generated using the key specified here and appended to the
-message. A request originating from the remote server is not required
-to be signed by this key.</para>
-
-<para>Although the grammar of the <command>keys</command> clause
-allows for multiple keys, only a single key per server is currently
-supported.</para>
-
-<para>The <command>transfer-source</command> and
-<command>transfer-source-v6</command> clauses specify the IPv4 and IPv6 source
-address to be used for zone transfer with the remote server, respectively.
-For an IPv4 remote server, only <command>transfer-source</command> can
-be specified.
-Similarly, for an IPv6 remote server, only
-<command>transfer-source-v6</command> can be specified.
-For more details, see the description of
-<command>transfer-source</command> and
-<command>transfer-source-v6</command> in
-<xref linkend="zone_transfers"/>.</para>
-
-</sect2>
-
-<sect2><title><command>trusted-keys</command> Statement Grammar</title>
+        </sect2>
+
+        <sect2 id="server_statement_definition_and_usage">
+          <title><command>server</command> Statement Definition and
+            Usage</title>
+
+          <para>
+            The <command>server</command> statement defines
+            characteristics
+            to be associated with a remote name server.  If a prefix length is
+            specified, then a range of servers is covered.  Only the most
+            specific
+            server clause applies regardless of the order in
+            <filename>named.conf</filename>.
+          </para>
+
+          <para>
+            The <command>server</command> statement can occur at
+            the top level of the
+            configuration file or inside a <command>view</command>
+            statement.
+            If a <command>view</command> statement contains
+            one or more <command>server</command> statements, only
+            those
+            apply to the view and any top-level ones are ignored.
+            If a view contains no <command>server</command>
+            statements,
+            any top-level <command>server</command> statements are
+            used as
+            defaults.
+          </para>
+
+          <para>
+            If you discover that a remote server is giving out bad data,
+            marking it as bogus will prevent further queries to it. The
+            default
+            value of <command>bogus</command> is <command>no</command>.
+          </para>
+          <para>
+            The <command>provide-ixfr</command> clause determines
+            whether
+            the local server, acting as master, will respond with an
+            incremental
+            zone transfer when the given remote server, a slave, requests it.
+            If set to <command>yes</command>, incremental transfer
+            will be provided
+            whenever possible. If set to <command>no</command>,
+            all transfers
+            to the remote server will be non-incremental. If not set, the
+            value
+            of the <command>provide-ixfr</command> option in the
+            view or
+            global options block is used as a default.
+          </para>
+
+          <para>
+            The <command>request-ixfr</command> clause determines
+            whether
+            the local server, acting as a slave, will request incremental zone
+            transfers from the given remote server, a master. If not set, the
+            value of the <command>request-ixfr</command> option in
+            the view or
+            global options block is used as a default.
+          </para>
+
+          <para>
+            IXFR requests to servers that do not support IXFR will
+            automatically
+            fall back to AXFR.  Therefore, there is no need to manually list
+            which servers support IXFR and which ones do not; the global
+            default
+            of <command>yes</command> should always work.
+            The purpose of the <command>provide-ixfr</command> and
+            <command>request-ixfr</command> clauses is
+            to make it possible to disable the use of IXFR even when both
+            master
+            and slave claim to support it, for example if one of the servers
+            is buggy and crashes or corrupts data when IXFR is used.
+          </para>
+
+          <para>
+            The <command>edns</command> clause determines whether
+            the local server will attempt to use EDNS when communicating
+	    with the remote server.  The default is <command>yes</command>.
+          </para>
+
+          <para>
+            The <command>edns-udp-size</command> option sets the EDNS UDP size
+	    that is advertised by named when querying the remote server.
+	    Valid values are 512 to 4096 bytes (values outside this range will be
+	    silently adjusted).  This option is useful when you wish to
+	    advertises a different value to this server than the value you
+	    advertise globally, for example, when there is a firewall at the
+	    remote site that is blocking large replies.
+          </para>
+
+          <para>
+	    The <command>max-udp-size</command> option sets the
+	    maximum EDNS UDP message size named will send.  Valid
+	    values are 512 to 4096 bytes (values outside this range will
+	    be silently adjusted).  This option is useful when you
+	    know that there is a firewall that is blocking large
+	    replies from named.
+	  </para>
+
+          <para>
+            The server supports two zone transfer methods. The first, <command>one-answer</command>,
+            uses one DNS message per resource record transferred. <command>many-answers</command> packs
+            as many resource records as possible into a message. <command>many-answers</command> is
+            more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
+            8.x, and patched versions of <acronym>BIND</acronym>
+            4.9.5. You can specify which method
+            to use for a server with the <command>transfer-format</command> option.
+            If <command>transfer-format</command> is not
+            specified, the <command>transfer-format</command>
+            specified
+            by the <command>options</command> statement will be
+            used.
+          </para>
+
+          <para><command>transfers</command>
+	    is used to limit the number of concurrent inbound zone
+            transfers from the specified server. If no
+            <command>transfers</command> clause is specified, the
+            limit is set according to the
+            <command>transfers-per-ns</command> option.
+          </para>
+
+          <para>
+            The <command>keys</command> clause identifies a
+            <command>key_id</command> defined by the <command>key</command> statement,
+            to be used for transaction security (TSIG, <xref linkend="tsig"/>)
+            when talking to the remote server.
+            When a request is sent to the remote server, a request signature
+            will be generated using the key specified here and appended to the
+            message. A request originating from the remote server is not
+            required
+            to be signed by this key.
+          </para>
+
+          <para>
+            Although the grammar of the <command>keys</command>
+            clause
+            allows for multiple keys, only a single key per server is
+            currently
+            supported.
+          </para>
+
+          <para>
+            The <command>transfer-source</command> and
+            <command>transfer-source-v6</command> clauses specify
+            the IPv4 and IPv6 source
+            address to be used for zone transfer with the remote server,
+            respectively.
+            For an IPv4 remote server, only <command>transfer-source</command> can
+            be specified.
+            Similarly, for an IPv6 remote server, only
+            <command>transfer-source-v6</command> can be
+            specified.
+            For more details, see the description of
+            <command>transfer-source</command> and
+            <command>transfer-source-v6</command> in
+            <xref linkend="zone_transfers"/>.
+          </para>
+
+	  <para>
+	    The <command>notify-source</command> and
+	    <command>notify-source-v6</command> clauses specify the
+	    IPv4 and IPv6 source address to be used for notify
+	    messages sent to remote servers, respectively.  For an
+	    IPv4 remote server, only <command>notify-source</command>
+	    can be specified.  Similarly, for an IPv6 remote server,
+	    only <command>notify-source-v6</command> can be specified.
+	  </para>
+
+	  <para>
+	    The <command>query-source</command> and
+	    <command>query-source-v6</command> clauses specify the
+	    IPv4 and IPv6 source address to be used for queries
+	    sent to remote servers, respectively.  For an IPv4
+	    remote server, only <command>query-source</command> can
+	    be specified.  Similarly, for an IPv6 remote server,
+	    only <command>query-source-v6</command> can be specified.
+	  </para>
+
+        </sect2>
+
+        <sect2>
+          <title><command>trusted-keys</command> Statement Grammar</title>
+
 <programlisting>trusted-keys {
     <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
     <optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
 };
 </programlisting>
-</sect2>
 
+        </sect2>
 	<sect2>
 	  <title><command>trusted-keys</command> Statement Definition
 	    and Usage</title>
@@ -4607,15 +7846,15 @@ For more details, see the description of
 	    key, it is treated as if it had been validated and
 	    proven secure. The resolver attempts DNSSEC validation
 	    on all DNS data in subdomains of a security root.
-  	  </para>
-  	  <para>
+	  </para>
+	  <para>
 	    All keys (and corresponding zones) listed in
 	    <command>trusted-keys</command> are deemed to exist regardless
 	    of what parent zones say.  Similarly for all keys listed in
 	    <command>trusted-keys</command> only those keys are
 	    used to validate the DNSKEY RRset.  The parent's DS RRset
 	    will not be used.
-  	  </para>
+	  </para>
 	  <para>
 	    The <command>trusted-keys</command> statement can contain
 	    multiple key entries, each consisting of the key's
@@ -4624,71 +7863,114 @@ For more details, see the description of
 	  </para>
 	</sect2>
 
-<sect2 id="view_statement_grammar">
-<title><command>view</command> Statement Grammar</title>
-<programlisting>view <replaceable>view_name</replaceable> 
+        <sect2 id="view_statement_grammar">
+          <title><command>view</command> Statement Grammar</title>
+
+<programlisting>view <replaceable>view_name</replaceable>
       <optional><replaceable>class</replaceable></optional> {
-      match-clients { <replaceable>address_match_list</replaceable> } ;
-      match-destinations { <replaceable>address_match_list</replaceable> } ;
+      match-clients { <replaceable>address_match_list</replaceable> };
+      match-destinations { <replaceable>address_match_list</replaceable> };
       match-recursive-only <replaceable>yes_or_no</replaceable> ;
       <optional> <replaceable>view_option</replaceable>; ...</optional>
       <optional> <replaceable>zone_statement</replaceable>; ...</optional>
 };
-</programlisting></sect2>
-<sect2><title><command>view</command> Statement Definition and Usage</title>
-
-<para>The <command>view</command> statement is a powerful new feature
-of <acronym>BIND</acronym> 9 that lets a name server answer a DNS query differently
-depending on who is asking. It is particularly useful for implementing
-split DNS setups without having to run multiple servers.</para>
-
-<para>Each <command>view</command> statement defines a view of the
-DNS namespace that will be seen by a subset of clients.  A client matches
-a view if its source IP address matches the 
-<varname>address_match_list</varname> of the view's
-<command>match-clients</command> clause and its destination IP address matches
-the <varname>address_match_list</varname> of the view's
-<command>match-destinations</command> clause.  If not specified, both
-<command>match-clients</command> and <command>match-destinations</command>
-default to matching all addresses.  In addition to checking IP addresses
-<command>match-clients</command> and <command>match-destinations</command>
-can also take <command>keys</command> which provide an mechanism for the
-client to select the view.  A view can also be specified
-as <command>match-recursive-only</command>, which means that only recursive
-requests from matching clients will match that view.
-The order of the <command>view</command> statements is significant &mdash;
-a client request will be resolved in the context of the first
-<command>view</command> that it matches.</para>
-
-<para>Zones defined within a <command>view</command> statement will
-be only be accessible to clients that match the <command>view</command>.
- By defining a zone of the same name in multiple views, different
-zone data can be given to different clients, for example, "internal"
-and "external" clients in a split DNS setup.</para>
-
-<para>Many of the options given in the <command>options</command> statement
-can also be used within a <command>view</command> statement, and then
-apply only when resolving queries with that view.  When no view-specific
-value is given, the value in the <command>options</command> statement
-is used as a default.  Also, zone options can have default values specified
-in the <command>view</command> statement; these view-specific defaults
-take precedence over those in the <command>options</command> statement.</para>
-
-<para>Views are class specific.  If no class is given, class IN
-is assumed.  Note that all non-IN views must contain a hint zone,
-since only the IN class has compiled-in default hints.</para>
-
-<para>If there are no <command>view</command> statements in the config
-file, a default view that matches any client is automatically created
-in class IN. Any <command>zone</command> statements specified on
-the top level of the configuration file are considered to be part of
-this default view, and the <command>options</command> statement will
-apply to the default view. If any explicit <command>view</command>
-statements are present, all <command>zone</command> statements must
-occur inside <command>view</command> statements.</para>
-
-<para>Here is an example of a typical split DNS setup implemented
-using <command>view</command> statements:</para>
+</programlisting>
+
+        </sect2>
+        <sect2>
+          <title><command>view</command> Statement Definition and Usage</title>
+
+          <para>
+            The <command>view</command> statement is a powerful
+            feature
+            of <acronym>BIND</acronym> 9 that lets a name server
+            answer a DNS query differently
+            depending on who is asking. It is particularly useful for
+            implementing
+            split DNS setups without having to run multiple servers.
+          </para>
+
+          <para>
+            Each <command>view</command> statement defines a view
+            of the
+            DNS namespace that will be seen by a subset of clients.  A client
+            matches
+            a view if its source IP address matches the
+            <varname>address_match_list</varname> of the view's
+            <command>match-clients</command> clause and its
+            destination IP address matches
+            the <varname>address_match_list</varname> of the
+            view's
+            <command>match-destinations</command> clause.  If not
+            specified, both
+            <command>match-clients</command> and <command>match-destinations</command>
+            default to matching all addresses.  In addition to checking IP
+            addresses
+            <command>match-clients</command> and <command>match-destinations</command>
+            can also take <command>keys</command> which provide an
+            mechanism for the
+            client to select the view.  A view can also be specified
+            as <command>match-recursive-only</command>, which
+            means that only recursive
+            requests from matching clients will match that view.
+            The order of the <command>view</command> statements is
+            significant &mdash;
+            a client request will be resolved in the context of the first
+            <command>view</command> that it matches.
+          </para>
+
+          <para>
+            Zones defined within a <command>view</command>
+            statement will
+            be only be accessible to clients that match the <command>view</command>.
+            By defining a zone of the same name in multiple views, different
+            zone data can be given to different clients, for example,
+            "internal"
+            and "external" clients in a split DNS setup.
+          </para>
+
+          <para>
+            Many of the options given in the <command>options</command> statement
+            can also be used within a <command>view</command>
+            statement, and then
+            apply only when resolving queries with that view.  When no
+            view-specific
+            value is given, the value in the <command>options</command> statement
+            is used as a default.  Also, zone options can have default values
+            specified
+            in the <command>view</command> statement; these
+            view-specific defaults
+            take precedence over those in the <command>options</command> statement.
+          </para>
+
+          <para>
+            Views are class specific.  If no class is given, class IN
+            is assumed.  Note that all non-IN views must contain a hint zone,
+            since only the IN class has compiled-in default hints.
+          </para>
+
+          <para>
+            If there are no <command>view</command> statements in
+            the config
+            file, a default view that matches any client is automatically
+            created
+            in class IN. Any <command>zone</command> statements
+            specified on
+            the top level of the configuration file are considered to be part
+            of
+            this default view, and the <command>options</command>
+            statement will
+            apply to the default view. If any explicit <command>view</command>
+            statements are present, all <command>zone</command>
+            statements must
+            occur inside <command>view</command> statements.
+          </para>
+
+          <para>
+            Here is an example of a typical split DNS setup implemented
+            using <command>view</command> statements:
+          </para>
+
 <programlisting>view "internal" {
       // This should match our internal networks.
       match-clients { 10.0.0.0/8; };
@@ -4719,19 +8001,27 @@ view "external" {
       };
 };
 </programlisting>
-</sect2>
-<sect2 id="zone_statement_grammar"><title><command>zone</command>
-Statement Grammar</title>
-<programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> { 
+
+        </sect2>
+        <sect2 id="zone_statement_grammar">
+          <title><command>zone</command>
+            Statement Grammar</title>
+
+<programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
     type master;
-    <optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
-    <optional> allow-transfer { <replaceable>address_match_list</replaceable> } ; </optional>
-    <optional> allow-update { <replaceable>address_match_list</replaceable> } ; </optional>
-    <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> } ; </optional>
+    <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
     <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
+    <optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
+    <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> check-integrity <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
     <optional> file <replaceable>string</replaceable> ; </optional>
+    <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
+    <optional> journal <replaceable>string</replaceable> ; </optional>
     <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
     <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
@@ -4740,7 +8030,7 @@ Statement Grammar</title>
     <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
     <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
     <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
-    <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> ; </optional>
+    <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
     <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
     <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
@@ -4752,30 +8042,34 @@ Statement Grammar</title>
     <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
     <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
     <optional> key-directory <replaceable>path_name</replaceable>; </optional>
+    <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
 };
 
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> { 
+zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
     type slave;
-    <optional> allow-notify { <replaceable>address_match_list</replaceable> } ; </optional>
-    <optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
-    <optional> allow-transfer { <replaceable>address_match_list</replaceable> } ; </optional>
-    <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> } ; </optional>
+    <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
     <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
     <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
     <optional> file <replaceable>string</replaceable> ; </optional>
+    <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
+    <optional> journal <replaceable>string</replaceable> ; </optional>
     <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
     <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
     <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
     <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> } ; </optional>
+    <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
     <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
     <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
     <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
     <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
     <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
-    <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> ; </optional>
+    <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
     <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
     <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
@@ -4791,25 +8085,27 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
     <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
     <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
+    <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
 };
 
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> { 
+zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
     type hint;
-    <optional> file <replaceable>string</replaceable> ; </optional>
+    file <replaceable>string</replaceable> ;
     <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; // Not Implemented. </optional>
 };
 
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> { 
+zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
     type stub;
-    <optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
+    <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
     <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
     <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> file <replaceable>string</replaceable> ; </optional>
+    <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
     <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
     <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> } ; </optional>
+    <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
     <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
     <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
     <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
@@ -4819,7 +8115,6 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
     <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
     <optional> database <replaceable>string</replaceable> ; </optional>
     <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
     <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
@@ -4828,1013 +8123,2258 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
 };
 
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> { 
+zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
     type forward;
     <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
     <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
 };
 
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> { 
+zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
     type delegation-only;
 };
+
 </programlisting>
-</sect2>
-<sect2><title><command>zone</command> Statement Definition and Usage</title>
-<sect3><title>Zone Types</title>
-<informaltable colsep = "0" rowsep = "0">
-<tgroup cols = "2" colsep = "0" rowsep = "0"
-    tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.908in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.217in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>master</varname></para></entry>
-<entry colname = "2"><para>The server has a master copy of the data
-for the zone and will be able to provide authoritative answers for
-it.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>slave</varname></para></entry>
-<entry colname = "2"><para>A slave zone is a replica of a master
-zone. The <command>masters</command> list specifies one or more IP addresses
-of master servers that the slave contacts to update its copy of the zone.
-Masters list elements can also be names of other masters lists.
-By default, transfers are made from port 53 on the servers; this can
-be changed for all servers by specifying a port number before the
-list of IP addresses, or on a per-server basis after the IP address.
-Authentication to the master can also be done with per-server TSIG keys.
-If a file is specified, then the
-replica will be written to this file whenever the zone is changed,
-and reloaded from this file on a server restart. Use of a file is
-recommended, since it often speeds server startup and eliminates
-a needless waste of bandwidth. Note that for large numbers (in the
-tens or hundreds of thousands) of zones per server, it is best to
-use a two-level naming scheme for zone file names. For example,
-a slave server for the zone <literal>example.com</literal> might place
-the zone contents into a file called
-<filename>ex/example.com</filename> where <filename>ex/</filename> is
-just the first two letters of the zone name. (Most operating systems
-behave very slowly if you put 100 000 files into
-a single directory.)</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>stub</varname></para></entry>
-<entry colname = "2"><para>A stub zone is similar to a slave zone,
-except that it replicates only the NS records of a master zone instead
-of the entire zone. Stub zones are not a standard part of the DNS;
-they are a feature specific to the <acronym>BIND</acronym> implementation.
-</para>
-
-<para>Stub zones can be used to eliminate the need for glue NS record
-in a parent zone at the expense of maintaining a stub zone entry and
-a set of name server addresses in <filename>named.conf</filename>.
-This usage is not recommended for new configurations, and BIND 9
-supports it only in a limited way.
-In <acronym>BIND</acronym> 4/8, zone transfers of a parent zone
-included the NS records from stub children of that zone. This meant
-that, in some cases, users could get away with configuring child stubs
-only in the master server for the parent zone. <acronym>BIND</acronym>
-9 never mixes together zone data from different zones in this
-way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
-zone has child stub zones configured, all the slave servers for the
-parent zone also need to have the same child stub zones
-configured.</para>
-
-<para>Stub zones can also be used as a way of forcing the resolution
-of a given domain to use a particular set of authoritative servers.
-For example, the caching name servers on a private network using
-RFC1918 addressing may be configured with stub zones for
-<literal>10.in-addr.arpa</literal>
-to use a set of internal name servers as the authoritative
-servers for that domain.</para>
-</entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>forward</varname></para></entry>
-<entry colname = "2"><para>A "forward zone" is a way to configure
-forwarding on a per-domain basis.  A <command>zone</command> statement
-of type <command>forward</command> can contain a <command>forward</command> and/or <command>forwarders</command> statement,
-which will apply to queries within the domain given by the zone
-name. If no <command>forwarders</command> statement is present or
-an empty list for <command>forwarders</command> is given, then no
-forwarding will be done for the domain, canceling the effects of
-any forwarders in the <command>options</command> statement. Thus
-if you want to use this type of zone to change the behavior of the
-global <command>forward</command> option (that is, "forward first"
-to, then "forward only", or vice versa, but want to use the same
-servers as set globally) you need to re-specify the global forwarders.</para>
-</entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>hint</varname></para></entry>
-<entry colname = "2"><para>The initial set of root name servers is
-specified using a "hint zone". When the server starts up, it uses
-the root hints to find a root name server and get the most recent
-list of root name servers. If no hint zone is specified for class
-IN, the server uses a compiled-in default set of root servers hints.
-Classes other than IN have no built-in defaults hints.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>delegation-only</varname></para></entry>
-<entry colname = "2"><para>This is used to enforce the delegation-only
-status of infrastructure zones (e.g. COM, NET, ORG).  Any answer that
-is received without an explicit or implicit delegation in the authority
-section will be treated as NXDOMAIN.  This does not apply to the zone
-apex.  This should not be applied to leaf zones.</para>
-<para><varname>delegation-only</varname> has no effect on answers received
-from forwarders.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable></sect3>
-
-<sect3><title>Class</title>
-<para>The zone's name may optionally be followed by a class. If
-a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
-is assumed. This is correct for the vast majority of cases.</para>
-<para>The <literal>hesiod</literal> class is
-named for an information service from MIT's Project Athena. It is
-used to share information about various systems databases, such
-as users, groups, printers and so on. The keyword 
-<literal>HS</literal> is
-a synonym for hesiod.</para>
-<para>Another MIT development is CHAOSnet, a LAN protocol created
-in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.</para></sect3>
-<sect3>
-
-<title>Zone Options</title>
-
-<variablelist>
-
-<varlistentry><term><command>allow-notify</command></term>
-<listitem><para>See the description of
-<command>allow-notify</command> in <xref linkend="access_control"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-query</command></term>
-<listitem><para>See the description of
-<command>allow-query</command> in <xref linkend="access_control"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-transfer</command></term>
-<listitem><para>See the description of <command>allow-transfer</command>
-in <xref linkend="access_control"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-update</command></term>
-<listitem><para>Specifies which hosts are allowed to
-submit Dynamic DNS updates for master zones. The default is to deny
-updates from all hosts.  Note that allowing updates based
-on the requestor's IP address is insecure; see
-<xref linkend="dynamic_update_security"/> for details.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>update-policy</command></term>
-<listitem><para>Specifies a "Simple Secure Update" policy. See
-<xref linkend="dynamic_update_policies"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-update-forwarding</command></term>
-<listitem><para>See the description of <command>allow-update-forwarding</command>
-in <xref linkend="access_control"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>also-notify</command></term>
-<listitem><para>Only meaningful if <command>notify</command> is
-active for this zone. The set of machines that will receive a 
-<literal>DNS NOTIFY</literal> message
-for this zone is made up of all the listed name servers (other than
-the primary master) for the zone plus any IP addresses specified
-with <command>also-notify</command>. A port may be specified
-with each <command>also-notify</command> address to send the notify
-messages to a port other than the default of 53.
-<command>also-notify</command> is not meaningful for stub zones.
-The default is the empty list.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>check-names</command></term>
-<listitem><para>
-This option is used to restrict the character set and syntax of
-certain domain names in master files and/or DNS responses received from the
-network.  The default varies according to zone type.  For <command>master</command> zones the default is <command>fail</command>.  For <command>slave</command>
-zones the default is <command>warn</command>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>database</command></term>
-<listitem><para>Specify the type of database to be used for storing the
-zone data.  The string following the <command>database</command> keyword
-is interpreted as a list of whitespace-delimited words.  The first word
-identifies the database type, and any subsequent words are passed
-as arguments to the database to be interpreted in a way specific
-to the database type.</para>
-<para>The default is <userinput>"rbt"</userinput>, BIND 9's native in-memory
-red-black-tree database.  This database does not take arguments.</para>
-<para>Other values are possible if additional database drivers
-have been linked into the server.  Some sample drivers are included
-with the distribution but none are linked in by default.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>dialup</command></term>
-<listitem><para>See the description of
-<command>dialup</command> in <xref linkend="boolean_options"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>delegation-only</command></term>
-<listitem><para>The flag only applies to hint and stub zones.  If set
-to <userinput>yes</userinput>, then the zone will also be treated as if it
-is also a delegation-only type zone.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>forward</command></term>
-<listitem><para>Only meaningful if the zone has a forwarders
-list. The <command>only</command> value causes the lookup to fail
-after trying the forwarders and getting no answer, while <command>first</command> would
-allow a normal lookup to be tried.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>forwarders</command></term>
-<listitem><para>Used to override the list of global forwarders.
-If it is not specified in a zone of type <command>forward</command>,
-no forwarding is done for the zone and the global options are not used.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>ixfr-base</command></term>
-<listitem><para>Was used in <acronym>BIND</acronym> 8 to specify the name
-of the transaction log (journal) file for dynamic update and IXFR.
-<acronym>BIND</acronym> 9 ignores the option and constructs the name of the journal
-file by appending "<filename>.jnl</filename>" to the name of the
-zone file.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>ixfr-tmp-file</command></term>
-<listitem><para>Was an undocumented option in <acronym>BIND</acronym> 8.
-Ignored in <acronym>BIND</acronym> 9.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-time-in</command></term>
-<listitem><para>See the description of
-<command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-idle-in</command></term>
-<listitem><para>See the description of
-<command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-time-out</command></term>
-<listitem><para>See the description of
-<command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-idle-out</command></term>
-<listitem><para>See the description of
-<command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>notify</command></term>
-<listitem><para>See the description of
-<command>notify</command> in <xref linkend="boolean_options"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>pubkey</command></term>
-<listitem><para>In <acronym>BIND</acronym> 8, this option was intended for specifying
-a public zone key for verification of signatures in DNSSEC signed
-zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
-on load and ignores the option.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>zone-statistics</command></term>
-<listitem><para>If <userinput>yes</userinput>, the server will keep statistical
-information for this zone, which can be dumped to the
-<command>statistics-file</command> defined in the server options.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>sig-validity-interval</command></term>
-<listitem><para>See the description of
-<command>sig-validity-interval</command> in <xref linkend="tuning"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-source</command></term>
-<listitem><para>See the description of
-<command>transfer-source</command> in <xref linkend="zone_transfers"/>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-source-v6</command></term>
-<listitem><para>See the description of
-<command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>alt-transfer-source</command></term>
-<listitem><para>See the description of
-<command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>alt-transfer-source-v6</command></term>
-<listitem><para>See the description of
-<command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>use-alt-transfer-source</command></term>
-<listitem><para>See the description of
-<command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
-</para>
-</listitem></varlistentry>
-
-
-<varlistentry><term><command>notify-source</command></term>
-<listitem><para>See the description of
-<command>notify-source</command> in <xref linkend="zone_transfers"/>
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>notify-source-v6</command></term>
-<listitem><para>See the description of
-<command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry>
-<term><command>min-refresh-time</command></term>
-<term><command>max-refresh-time</command></term>
-<term><command>min-retry-time</command></term>
-<term><command>max-retry-time</command></term>
-<listitem><para>
-See the description in <xref linkend="tuning"/>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>ixfr-from-differences</command></term>
-<listitem><para>See the description of
-<command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>key-directory</command></term>
-<listitem><para>See the description of
-<command>key-directory</command> in <xref linkend="options"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>multi-master</command></term>
-<listitem><para>See the description of
-<command>multi-master</command> in <xref linkend="boolean_options"/>.</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-<sect3 id="dynamic_update_policies"><title>Dynamic Update Policies</title>
-<para><acronym>BIND</acronym> 9 supports two alternative methods of granting clients
-the right to perform dynamic updates to a zone, 
-configured by the <command>allow-update</command> and
-<command>update-policy</command> option, respectively.</para>
-<para>The <command>allow-update</command> clause works the same
-way as in previous versions of <acronym>BIND</acronym>. It grants given clients the
-permission to update any record of any name in the zone.</para>
-<para>The <command>update-policy</command> clause is new in <acronym>BIND</acronym>
-9 and allows more fine-grained control over what updates are allowed.
-A set of rules is specified, where each rule either grants or denies
-permissions for one or more names to be updated by one or more identities.
- If the dynamic update request message is signed (that is, it includes
-either a TSIG or SIG(0) record), the identity of the signer can
-be determined.</para>
-<para>Rules are specified in the <command>update-policy</command> zone
-option, and are only meaningful for master zones.  When the <command>update-policy</command> statement
-is present, it is a configuration error for the <command>allow-update</command> statement
-to be present.  The <command>update-policy</command> statement only
-examines the signer of a message; the source address is not relevant.</para>
-<para>This is how a rule definition looks:</para>
+
+        </sect2>
+        <sect2>
+          <title><command>zone</command> Statement Definition and Usage</title>
+          <sect3>
+            <title>Zone Types</title>
+            <informaltable colsep="0" rowsep="0">
+              <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
+                <!--colspec colname="1" colnum="1" colsep="0" colwidth="1.108in"/-->
+                <!--colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/-->
+		<colspec colname="1" colnum="1" colsep="0"/>
+                <colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/>
+                <tbody>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        <varname>master</varname>
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        The server has a master copy of the data
+                        for the zone and will be able to provide authoritative
+                        answers for
+                        it.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        <varname>slave</varname>
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        A slave zone is a replica of a master
+                        zone. The <command>masters</command> list
+                        specifies one or more IP addresses
+                        of master servers that the slave contacts to update
+                        its copy of the zone.
+                        Masters list elements can also be names of other
+                        masters lists.
+                        By default, transfers are made from port 53 on the
+                        servers; this can
+                        be changed for all servers by specifying a port number
+                        before the
+                        list of IP addresses, or on a per-server basis after
+                        the IP address.
+                        Authentication to the master can also be done with
+                        per-server TSIG keys.
+                        If a file is specified, then the
+                        replica will be written to this file whenever the zone
+                        is changed,
+                        and reloaded from this file on a server restart. Use
+                        of a file is
+                        recommended, since it often speeds server startup and
+                        eliminates
+                        a needless waste of bandwidth. Note that for large
+                        numbers (in the
+                        tens or hundreds of thousands) of zones per server, it
+                        is best to
+                        use a two-level naming scheme for zone file names. For
+                        example,
+                        a slave server for the zone <literal>example.com</literal> might place
+                        the zone contents into a file called
+                        <filename>ex/example.com</filename> where <filename>ex/</filename> is
+                        just the first two letters of the zone name. (Most
+                        operating systems
+                        behave very slowly if you put 100 000 files into
+                        a single directory.)
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        <varname>stub</varname>
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        A stub zone is similar to a slave zone,
+                        except that it replicates only the NS records of a
+                        master zone instead
+                        of the entire zone. Stub zones are not a standard part
+                        of the DNS;
+                        they are a feature specific to the <acronym>BIND</acronym> implementation.
+                      </para>
+
+                      <para>
+                        Stub zones can be used to eliminate the need for glue
+                        NS record
+                        in a parent zone at the expense of maintaining a stub
+                        zone entry and
+                        a set of name server addresses in <filename>named.conf</filename>.
+                        This usage is not recommended for new configurations,
+                        and BIND 9
+                        supports it only in a limited way.
+                        In <acronym>BIND</acronym> 4/8, zone
+                        transfers of a parent zone
+                        included the NS records from stub children of that
+                        zone. This meant
+                        that, in some cases, users could get away with
+                        configuring child stubs
+                        only in the master server for the parent zone. <acronym>BIND</acronym>
+                        9 never mixes together zone data from different zones
+                        in this
+                        way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
+                        zone has child stub zones configured, all the slave
+                        servers for the
+                        parent zone also need to have the same child stub
+                        zones
+                        configured.
+                      </para>
+
+                      <para>
+                        Stub zones can also be used as a way of forcing the
+                        resolution
+                        of a given domain to use a particular set of
+                        authoritative servers.
+                        For example, the caching name servers on a private
+                        network using
+                        RFC1918 addressing may be configured with stub zones
+                        for
+                        <literal>10.in-addr.arpa</literal>
+                        to use a set of internal name servers as the
+                        authoritative
+                        servers for that domain.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        <varname>forward</varname>
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        A "forward zone" is a way to configure
+                        forwarding on a per-domain basis.  A <command>zone</command> statement
+                        of type <command>forward</command> can
+                        contain a <command>forward</command>
+                        and/or <command>forwarders</command>
+                        statement,
+                        which will apply to queries within the domain given by
+                        the zone
+                        name. If no <command>forwarders</command>
+                        statement is present or
+                        an empty list for <command>forwarders</command> is given, then no
+                        forwarding will be done for the domain, canceling the
+                        effects of
+                        any forwarders in the <command>options</command> statement. Thus
+                        if you want to use this type of zone to change the
+                        behavior of the
+                        global <command>forward</command> option
+                        (that is, "forward first"
+                        to, then "forward only", or vice versa, but want to
+                        use the same
+                        servers as set globally) you need to re-specify the
+                        global forwarders.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        <varname>hint</varname>
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        The initial set of root name servers is
+                        specified using a "hint zone". When the server starts
+                        up, it uses
+                        the root hints to find a root name server and get the
+                        most recent
+                        list of root name servers. If no hint zone is
+                        specified for class
+                        IN, the server uses a compiled-in default set of root
+                        servers hints.
+                        Classes other than IN have no built-in defaults hints.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        <varname>delegation-only</varname>
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        This is used to enforce the delegation-only
+                        status of infrastructure zones (e.g. COM, NET, ORG).
+                        Any answer that
+                        is received without an explicit or implicit delegation
+                        in the authority
+                        section will be treated as NXDOMAIN.  This does not
+                        apply to the zone
+                        apex.  This should not be applied to leaf zones.
+                      </para>
+                      <para>
+                        <varname>delegation-only</varname> has no
+                        effect on answers received
+                        from forwarders.
+                      </para>
+                    </entry>
+                  </row>
+                </tbody>
+              </tgroup>
+            </informaltable>
+          </sect3>
+
+          <sect3>
+            <title>Class</title>
+            <para>
+              The zone's name may optionally be followed by a class. If
+              a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
+              is assumed. This is correct for the vast majority of cases.
+            </para>
+            <para>
+              The <literal>hesiod</literal> class is
+              named for an information service from MIT's Project Athena. It
+              is
+              used to share information about various systems databases, such
+              as users, groups, printers and so on. The keyword
+              <literal>HS</literal> is
+              a synonym for hesiod.
+            </para>
+            <para>
+              Another MIT development is CHAOSnet, a LAN protocol created
+              in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.
+            </para>
+          </sect3>
+          <sect3>
+
+            <title>Zone Options</title>
+
+            <variablelist>
+
+              <varlistentry>
+                <term><command>allow-notify</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>allow-notify</command> in <xref linkend="access_control"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>allow-query</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>allow-query</command> in <xref linkend="access_control"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>allow-transfer</command></term>
+                <listitem>
+                  <para>
+                    See the description of <command>allow-transfer</command>
+                    in <xref linkend="access_control"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>allow-update</command></term>
+                <listitem>
+                  <para>
+                    See the description of <command>allow-update</command>
+                    in <xref linkend="access_control"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>update-policy</command></term>
+                <listitem>
+                  <para>
+                    Specifies a "Simple Secure Update" policy. See
+                    <xref linkend="dynamic_update_policies"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>allow-update-forwarding</command></term>
+                <listitem>
+                  <para>
+                    See the description of <command>allow-update-forwarding</command>
+                    in <xref linkend="access_control"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>also-notify</command></term>
+                <listitem>
+                  <para>
+                    Only meaningful if <command>notify</command>
+                    is
+                    active for this zone. The set of machines that will
+                    receive a
+                    <literal>DNS NOTIFY</literal> message
+                    for this zone is made up of all the listed name servers
+                    (other than
+                    the primary master) for the zone plus any IP addresses
+                    specified
+                    with <command>also-notify</command>. A port
+                    may be specified
+                    with each <command>also-notify</command>
+                    address to send the notify
+                    messages to a port other than the default of 53.
+                    <command>also-notify</command> is not
+                    meaningful for stub zones.
+                    The default is the empty list.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>check-names</command></term>
+                <listitem>
+                  <para>
+                    This option is used to restrict the character set and
+                    syntax of
+                    certain domain names in master files and/or DNS responses
+                    received from the
+                    network.  The default varies according to zone type.  For <command>master</command> zones the default is <command>fail</command>.  For <command>slave</command>
+                    zones the default is <command>warn</command>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>check-mx</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>check-mx</command> in <xref linkend="boolean_options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>check-wildcard</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>check-wildcard</command> in <xref linkend="boolean_options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>check-integrity</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>check-integrity</command> in <xref linkend="boolean_options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>check-sibling</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>check-sibling</command> in <xref linkend="boolean_options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>zero-no-soa-ttl</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>zero-no-soa-ttl</command> in <xref linkend="boolean_options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+	      <varlistentry>
+	        <term><command>update-check-ksk</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>update-check-ksk</command> in <xref linkend="boolean_options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>database</command></term>
+                <listitem>
+                  <para>
+                    Specify the type of database to be used for storing the
+                    zone data.  The string following the <command>database</command> keyword
+                    is interpreted as a list of whitespace-delimited words.
+                    The first word
+                    identifies the database type, and any subsequent words are
+                    passed
+                    as arguments to the database to be interpreted in a way
+                    specific
+                    to the database type.
+                  </para>
+                  <para>
+                    The default is <userinput>"rbt"</userinput>, BIND 9's
+                    native in-memory
+                    red-black-tree database.  This database does not take
+                    arguments.
+                  </para>
+                  <para>
+                    Other values are possible if additional database drivers
+                    have been linked into the server.  Some sample drivers are
+                    included
+                    with the distribution but none are linked in by default.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>dialup</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>dialup</command> in <xref linkend="boolean_options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>delegation-only</command></term>
+                <listitem>
+                  <para>
+                    The flag only applies to hint and stub zones.  If set
+                    to <userinput>yes</userinput>, then the zone will also be
+                    treated as if it
+                    is also a delegation-only type zone.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>forward</command></term>
+                <listitem>
+                  <para>
+                    Only meaningful if the zone has a forwarders
+                    list. The <command>only</command> value causes
+                    the lookup to fail
+                    after trying the forwarders and getting no answer, while <command>first</command> would
+                    allow a normal lookup to be tried.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>forwarders</command></term>
+                <listitem>
+                  <para>
+                    Used to override the list of global forwarders.
+                    If it is not specified in a zone of type <command>forward</command>,
+                    no forwarding is done for the zone and the global options are
+                    not used.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>ixfr-base</command></term>
+                <listitem>
+                  <para>
+                    Was used in <acronym>BIND</acronym> 8 to
+                    specify the name
+                    of the transaction log (journal) file for dynamic update
+                    and IXFR.
+                    <acronym>BIND</acronym> 9 ignores the option
+                    and constructs the name of the journal
+                    file by appending "<filename>.jnl</filename>"
+                    to the name of the
+                    zone file.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>ixfr-tmp-file</command></term>
+                <listitem>
+                  <para>
+                    Was an undocumented option in <acronym>BIND</acronym> 8.
+                    Ignored in <acronym>BIND</acronym> 9.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>journal</command></term>
+                <listitem>
+                  <para>
+                    Allow the default journal's file name to be overridden.
+                    The default is the zone's file with "<filename>.jnl</filename>" appended.
+                    This is applicable to <command>master</command> and <command>slave</command> zones.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>max-transfer-time-in</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>max-transfer-idle-in</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>max-transfer-time-out</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>max-transfer-idle-out</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>notify</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>notify</command> in <xref linkend="boolean_options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>pubkey</command></term>
+                <listitem>
+                  <para>
+                    In <acronym>BIND</acronym> 8, this option was
+                    intended for specifying
+                    a public zone key for verification of signatures in DNSSEC
+                    signed
+                    zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
+                    on load and ignores the option.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>zone-statistics</command></term>
+                <listitem>
+                  <para>
+                    If <userinput>yes</userinput>, the server will keep
+                    statistical
+                    information for this zone, which can be dumped to the
+                    <command>statistics-file</command> defined in
+                    the server options.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>sig-validity-interval</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>sig-validity-interval</command> in <xref linkend="tuning"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>transfer-source</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>transfer-source</command> in <xref linkend="zone_transfers"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>transfer-source-v6</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>alt-transfer-source</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>alt-transfer-source-v6</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>use-alt-transfer-source</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+
+              <varlistentry>
+                <term><command>notify-source</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>notify-source</command> in <xref linkend="zone_transfers"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>notify-source-v6</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>min-refresh-time</command></term>
+                <term><command>max-refresh-time</command></term>
+                <term><command>min-retry-time</command></term>
+                <term><command>max-retry-time</command></term>
+                <listitem>
+                  <para>
+                    See the description in <xref linkend="tuning"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>ixfr-from-differences</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>key-directory</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>key-directory</command> in <xref linkend="options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>multi-master</command></term>
+                <listitem>
+                  <para>
+                    See the description of <command>multi-master</command> in
+		    <xref linkend="boolean_options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+	
+	      <varlistentry>
+		<term><command>masterfile-format</command></term>
+		<listitem>
+		  <para>
+		    See the description of <command>masterfile-format</command>
+		    in <xref linkend="tuning"/>.
+		  </para>
+		</listitem>
+	      </varlistentry>
+
+            </variablelist>
+
+          </sect3>
+          <sect3 id="dynamic_update_policies">
+            <title>Dynamic Update Policies</title>
+            <para>
+              <acronym>BIND</acronym> 9 supports two alternative
+              methods of granting clients
+              the right to perform dynamic updates to a zone,
+              configured by the <command>allow-update</command>
+              and
+              <command>update-policy</command> option,
+              respectively.
+            </para>
+            <para>
+              The <command>allow-update</command> clause works the
+              same
+              way as in previous versions of <acronym>BIND</acronym>. It grants given clients the
+              permission to update any record of any name in the zone.
+            </para>
+            <para>
+              The <command>update-policy</command> clause is new
+              in <acronym>BIND</acronym>
+              9 and allows more fine-grained control over what updates are
+              allowed.
+              A set of rules is specified, where each rule either grants or
+              denies
+              permissions for one or more names to be updated by one or more
+              identities.
+              If the dynamic update request message is signed (that is, it
+              includes
+              either a TSIG or SIG(0) record), the identity of the signer can
+              be determined.
+            </para>
+            <para>
+              Rules are specified in the <command>update-policy</command> zone
+              option, and are only meaningful for master zones.  When the <command>update-policy</command> statement
+              is present, it is a configuration error for the <command>allow-update</command> statement
+              to be present.  The <command>update-policy</command>
+              statement only
+              examines the signer of a message; the source address is not
+              relevant.
+            </para>
+            <para>
+              This is how a rule definition looks:
+            </para>
+
 <programlisting>
 ( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
 </programlisting>
-<para>Each rule grants or denies privileges.  Once a message has
-successfully matched a rule, the operation is immediately granted
-or denied and no further rules are examined.  A rule is matched
-when the signer matches the identity field, the name matches the
-name field in accordance with the nametype field, and the type matches
-the types specified in the type field.</para>
-
-<para>The identity field specifies a name or a wildcard name.  Normally, this
-is the name of the TSIG or SIG(0) key used to sign the update request.  When a
-TKEY exchange has been used to create a shared secret, the identity of the
-shared secret is the same as the identity of the key used to authenticate the
-TKEY exchange.  When the <replaceable>identity</replaceable> field specifies a
-wildcard name, it is subject to DNS wildcard expansion, so the rule will apply
-to multiple identities.  The <replaceable>identity</replaceable> field must
-contain a fully qualified domain name.</para>
-
-<para>The <replaceable>nametype</replaceable> field has 4 values:
-<varname>name</varname>, <varname>subdomain</varname>,
-<varname>wildcard</varname>, and <varname>self</varname>.
-</para>
-<informaltable>
-            <tgroup cols = "2" colsep = "0"
-    rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.819in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.681in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>name</varname></para></entry>
-<entry colname = "2"><para>Exact-match semantics.  This rule matches when the
-name being updated is identical to the contents of the
-<replaceable>name</replaceable> field.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>subdomain</varname></para></entry>
-<entry colname = "2"><para>This rule matches when the name being updated
-is a subdomain of, or identical to, the contents of the
-<replaceable>name</replaceable> field.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>wildcard</varname></para></entry>
-<entry colname = "2"><para>The <replaceable>name</replaceable> field is
-subject to DNS wildcard expansion, and this rule matches when the name
-being updated name is a valid expansion of the wildcard.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>self</varname></para></entry>
-<entry colname = "2"><para>This rule matches when the name being updated
-matches the contents of the <replaceable>identity</replaceable> field.
-The <replaceable>name</replaceable> field is ignored, but should be
-the same as the <replaceable>identity</replaceable> field.  The
-<varname>self</varname> nametype is most useful when allowing using
-one key per name to update, where the key has the same name as the name
-to be updated.  The <replaceable>identity</replaceable> would be
-specified as <constant>*</constant> in this case.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-
-<para>In all cases, the <replaceable>name</replaceable> field must
-specify a fully qualified domain name.</para>
-
-<para>If no types are explicitly specified, this rule matches all types except
-SIG, NS, SOA, and NXT. Types may be specified by name, including
-"ANY" (ANY matches all types except NXT, which can never be updated).
-Note that when an attempt is made to delete all records associated with a
-name, the rules are checked for each existing record type.
-</para>
-      </sect3>
-    </sect2>
-  </sect1>
-  <sect1>
-    <title>Zone File</title>
-    <sect2 id="types_of_resource_records_and_when_to_use_them">
-      <title>Types of Resource Records and When to Use Them</title>
-<para>This section, largely borrowed from RFC 1034, describes the
-concept of a Resource Record (RR) and explains when each is used.
-Since the publication of RFC 1034, several new RRs have been identified
-and implemented in the DNS. These are also included.</para>
-      <sect3>
-        <title>Resource Records</title>
-
-        <para>A domain name identifies a node.  Each node has a set of
-        resource information, which may be empty.  The set of resource
-        information associated with a particular name is composed of
-        separate RRs. The order of RRs in a set is not significant and
-        need not be preserved by name servers, resolvers, or other
-        parts of the DNS. However, sorting of multiple RRs is
-        permitted for optimization purposes, for example, to specify
-        that a particular nearby server be tried first. See <xref
-        linkend="the_sortlist_statement"/> and <xref
-        linkend="rrset_ordering"/>.</para>
-
-<para>The components of a Resource Record are:</para>
-<informaltable colsep = "0"
-    rowsep = "0"><tgroup cols = "2" colsep = "0"
-    rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.000in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.500in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>owner name</para></entry>
-<entry colname = "2"><para>the domain name where the RR is found.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>type</para></entry>
-<entry colname = "2"><para>an encoded 16-bit value that specifies
-the type of the resource record.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>TTL</para></entry>
-<entry colname = "2"><para>the time-to-live of the RR. This field
-is a 32-bit integer in units of seconds, and is primarily used by
-resolvers when they cache RRs. The TTL describes how long a RR can
-be cached before it should be discarded.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>class</para></entry>
-<entry colname = "2"><para>an encoded 16-bit value that identifies
-a protocol family or instance of a protocol.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RDATA</para></entry>
-<entry colname = "2"><para>the resource data.  The format of the
-data is type (and sometimes class) specific.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>The following are <emphasis>types</emphasis> of valid RRs:</para>
-<informaltable colsep = "0"
-    rowsep = "0"><tgroup cols = "2" colsep = "0"
-    rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>A</para></entry>
-<entry colname = "2"><para>a host address.  In the IN class, this is a
-32-bit IP address.  Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>AAAA</para></entry>
-<entry colname = "2"><para>IPv6 address.  Described in RFC 1886.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>A6</para></entry>
-<entry colname = "2"><para>IPv6 address.  This can be a partial
-address (a suffix) and an indirection to the name where the rest of the
-address (the prefix) can be found.  Experimental.  Described in RFC 2874.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>AFSDB</para></entry>
-<entry colname = "2"><para>location of AFS database servers.
-Experimental.  Described in RFC 1183.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>APL</para></entry>
-<entry colname = "2"><para>address prefix list.  Experimental.
-Described in RFC 3123.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>CERT</para></entry>
-<entry colname = "2"><para>holds a digital certificate.
-Described in RFC 2538.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>CNAME</para></entry>
-<entry colname = "2"><para>identifies the canonical name of an alias.
-Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>DNAME</para></entry>
-<entry colname = "2"><para>Replaces the domain name specified with
-another name to be looked up, effectively aliasing an entire
-subtree of the domain name space rather than a single record
-as in the case of the CNAME RR.
-Described in RFC 2672.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>GPOS</para></entry>
-<entry colname = "2"><para>Specifies the global position.  Superseded by LOC.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>HINFO</para></entry>
-<entry colname = "2"><para>identifies the CPU and OS used by a host.
-Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>ISDN</para></entry>
-<entry colname = "2"><para>representation of ISDN addresses.
-Experimental.  Described in RFC 1183.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>KEY</para></entry>
-<entry colname = "2"><para>stores a public key associated with a
-DNS name.  Described in RFC 2535.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>KX</para></entry>
-<entry colname = "2"><para>identifies a key exchanger for this
-DNS name.  Described in RFC 2230.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>LOC</para></entry>
-<entry colname = "2"><para>for storing GPS info.  Described in RFC 1876.
-Experimental.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>MX</para></entry>
-<entry colname = "2"><para>identifies a mail exchange for the domain.
-A 16-bit preference value (lower is better)
-followed by the host name of the mail exchange.
-Described in RFC 974, RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NAPTR</para></entry>
-<entry colname = "2"><para>name authority pointer.  Described in RFC 2915.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NSAP</para></entry>
-<entry colname = "2"><para>a network service access point.
-Described in RFC 1706.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NS</para></entry>
-<entry colname = "2"><para>the authoritative name server for the
-domain.  Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NXT</para></entry>
-<entry colname = "2"><para>used in DNSSEC to securely indicate that
-RRs with an owner name in a certain name interval do not exist in
-a zone and indicate what RR types are present for an existing name.
-Described in RFC 2535.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>PTR</para></entry>
-<entry colname = "2"><para>a pointer to another part of the domain
-name space.  Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>PX</para></entry>
-<entry colname = "2"><para>provides mappings between RFC 822 and X.400
-addresses.  Described in RFC 2163.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RP</para></entry>
-<entry colname = "2"><para>information on persons responsible
-for the domain.  Experimental.  Described in RFC 1183.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RT</para></entry>
-<entry colname = "2"><para>route-through binding for hosts that
-do not have their own direct wide area network addresses.
-Experimental.  Described in RFC 1183.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>SIG</para></entry>
-<entry colname = "2"><para>("signature") contains data authenticated
-in the secure DNS.  Described in RFC 2535.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>SOA</para></entry>
-<entry colname = "2"><para>identifies the start of a zone of authority.
-Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>SRV</para></entry>
-<entry colname = "2"><para>information about well known network
-services (replaces WKS).  Described in RFC 2782.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>TXT</para></entry>
-<entry colname = "2"><para>text records.  Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>WKS</para></entry>
-<entry colname = "2"><para>information about which well known
-network services, such as SMTP, that a domain supports. Historical.
-</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>X25</para></entry>
-<entry colname = "2"><para>representation of X.25 network addresses.
-Experimental.  Described in RFC 1183.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>The following <emphasis>classes</emphasis> of resource records
-are currently valid in the DNS:</para><informaltable colsep = "0"
-    rowsep = "0"><tgroup cols = "2" colsep = "0" rowsep = "0"
-    tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
-<tbody>
-
-<row rowsep = "0">
-<entry colname = "1"><para>IN</para></entry>
-<entry colname = "2"><para>The Internet.</para></entry>
-</row>
-
-<row rowsep = "0">
-<entry colname = "1"><para>CH</para></entry>
-<entry colname = "2"><para>
-CHAOSnet, a LAN protocol created at MIT in the mid-1970s.
-Rarely used for its historical purpose, but reused for BIND's
-built-in server information zones, e.g.,
-<literal>version.bind</literal>.
-</para></entry>
-</row>
-
-<row rowsep = "0">
-<entry colname = "1"><para>HS</para></entry>
-<entry colname = "2"><para>
-Hesiod, an information service
-developed by MIT's Project Athena. It is used to share information
-about various systems databases, such as users, groups, printers
-and so on.
-</para></entry>
-</row>
-
-</tbody>
-</tgroup></informaltable>
-
-<para>The owner name is often implicit, rather than forming an integral
-part of the RR.  For example, many name servers internally form tree
-or hash structures for the name space, and chain RRs off nodes.
- The remaining RR parts are the fixed header (type, class, TTL)
-which is consistent for all RRs, and a variable part (RDATA) that
-fits the needs of the resource being described.</para>
-<para>The meaning of the TTL field is a time limit on how long an
-RR can be kept in a cache.  This limit does not apply to authoritative
-data in zones; it is also timed out, but by the refreshing policies
-for the zone.  The TTL is assigned by the administrator for the
-zone where the data originates.  While short TTLs can be used to
-minimize caching, and a zero TTL prohibits caching, the realities
-of Internet performance suggest that these times should be on the
-order of days for the typical host.  If a change can be anticipated,
-the TTL can be reduced prior to the change to minimize inconsistency
-during the change, and then increased back to its former value following
-the change.</para>
-<para>The data in the RDATA section of RRs is carried as a combination
-of binary strings and domain names.  The domain names are frequently
-used as "pointers" to other data in the DNS.</para></sect3>
-<sect3><title>Textual expression of RRs</title>
-<para>RRs are represented in binary form in the packets of the DNS
-protocol, and are usually represented in highly encoded form when
-stored in a name server or resolver.  In the examples provided in
-RFC 1034, a style similar to that used in master files was employed
-in order to show the contents of RRs.  In this format, most RRs
-are shown on a single line, although continuation lines are possible
-using parentheses.</para>
-<para>The start of the line gives the owner of the RR.  If a line
-begins with a blank, then the owner is assumed to be the same as
-that of the previous RR.  Blank lines are often included for readability.</para>
-<para>Following the owner, we list the TTL, type, and class of the
-RR.  Class and type use the mnemonics defined above, and TTL is
-an integer before the type field.  In order to avoid ambiguity in
-parsing, type and class mnemonics are disjoint, TTLs are integers,
-and the type mnemonic is always last. The IN class and TTL values
-are often omitted from examples in the interests of clarity.</para>
-<para>The resource data or RDATA section of the RR are given using
-knowledge of the typical representation for the data.</para>
-<para>For example, we might show the RRs carried in a message as:</para> <informaltable
-    colsep = "0" rowsep = "0"><tgroup cols = "3"
-    colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.381in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.020in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "2.099in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>ISI.EDU.</literal></para></entry>
-<entry colname = "2"><para><literal>MX</literal></para></entry>
-<entry colname = "3"><para><literal>10 VENERA.ISI.EDU.</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>MX</literal></para></entry>
-<entry colname = "3"><para><literal>10 VAXA.ISI.EDU</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>VENERA.ISI.EDU</literal></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>128.9.0.32</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>10.1.0.52</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>VAXA.ISI.EDU</literal></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>10.2.0.27</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>128.9.0.33</literal></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>The MX RRs have an RDATA section which consists of a 16-bit
-number followed by a domain name.  The address RRs use a standard
-IP address format to contain a 32-bit internet address.</para>
-<para>The above example shows six RRs, with two RRs at each of three
-domain names.</para>
-<para>Similarly we might see:</para><informaltable colsep = "0"
-    rowsep = "0"><tgroup cols = "3" colsep = "0" rowsep = "0"
-    tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.491in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.067in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "2.067in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>XX.LCS.MIT.EDU. IN</literal></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>10.0.0.44</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>CH</literal></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>MIT.EDU. 2420</literal></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>This example shows two addresses for <literal>XX.LCS.MIT.EDU</literal>,
-each of a different class.</para></sect3></sect2>
-
-<sect2><title>Discussion of MX Records</title>
-
-<para>As described above, domain servers store information as a
-series of resource records, each of which contains a particular
-piece of information about a given domain name (which is usually,
-but not always, a host). The simplest way to think of a RR is as
-a typed pair of data, a domain name matched with a relevant datum,
-and stored with some additional type information to help systems 
-determine when the RR is relevant.</para>
-
-<para>MX records are used to control delivery of email. The data
-specified in the record is a priority and a domain name. The priority
-controls the order in which email delivery is attempted, with the
-lowest number first. If two priorities are the same, a server is
-chosen randomly. If no servers at a given priority are responding,
-the mail transport agent will fall back to the next largest priority.
-Priority numbers do not have any absolute meaning &mdash; they are relevant
-only respective to other MX records for that domain name. The domain
-name given is the machine to which the mail will be delivered. It <emphasis>must</emphasis> have
-an associated A record &mdash; CNAME is not sufficient.</para>
-<para>For a given domain, if there is both a CNAME record and an
-MX record, the MX record is in error, and will be ignored. Instead,
-the mail will be delivered to the server specified in the MX record
-pointed to by the CNAME.</para>
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "5"
-    colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.708in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.444in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.444in"/>
-<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.976in"/>
-<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "1.553in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>example.com.</literal></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>MX</literal></para></entry>
-<entry colname = "4"><para><literal>10</literal></para></entry>
-<entry colname = "5"><para><literal>mail.example.com.</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>MX</literal></para></entry>
-<entry colname = "4"><para><literal>10</literal></para></entry>
-<entry colname = "5"><para><literal>mail2.example.com.</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>MX</literal></para></entry>
-<entry colname = "4"><para><literal>20</literal></para></entry>
-<entry colname = "5"><para><literal>mail.backup.org.</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>mail.example.com.</literal></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>A</literal></para></entry>
-<entry colname = "4"><para><literal>10.0.0.1</literal></para></entry>
-<entry colname = "5"><para></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>mail2.example.com.</literal></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>A</literal></para></entry>
-<entry colname = "4"><para><literal>10.0.0.2</literal></para></entry>
-<entry colname = "5"><para></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable><para>For example:</para>
-<para>Mail delivery will be attempted to <literal>mail.example.com</literal> and
-<literal>mail2.example.com</literal> (in
-any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
-be attempted.</para></sect2>
-<sect2 id="Setting_TTLs"><title>Setting TTLs</title>
-<para>The time-to-live of the RR field is a 32-bit integer represented
-in units of seconds, and is primarily used by resolvers when they
-cache RRs. The TTL describes how long a RR can be cached before it
-should be discarded. The following three types of TTL are currently
-used in a zone file.</para>
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
-    colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.750in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.375in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>SOA</para></entry>
-<entry colname = "2"><para>The last field in the SOA is the negative
-caching TTL. This controls how long other servers will cache no-such-domain
-(NXDOMAIN) responses from you.</para><para>The maximum time for
-negative caching is 3 hours (3h).</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>$TTL</para></entry>
-<entry colname = "2"><para>The $TTL directive at the top of the
-zone file (before the SOA) gives a default TTL for every RR without
-a specific TTL set.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RR TTLs</para></entry>
-<entry colname = "2"><para>Each RR can have a TTL as the second
-field in the RR, which will control how long other servers can cache
-the it.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>All of these TTLs default to units of seconds, though units
-can be explicitly specified, for example, <literal>1h30m</literal>. </para></sect2>
-<sect2><title>Inverse Mapping in IPv4</title>
-<para>Reverse name resolution (that is, translation from IP address
-to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
-and PTR records. Entries in the in-addr.arpa domain are made in
-least-to-most significant order, read left to right. This is the
-opposite order to the way IP addresses are usually written. Thus,
-a machine with an IP address of 10.1.2.3 would have a corresponding
-in-addr.arpa name of
-3.2.1.10.in-addr.arpa. This name should have a PTR resource record
-whose data field is the name of the machine or, optionally, multiple
-PTR records if the machine has more than one name. For example,
-in the <optional>example.com</optional> domain:</para>
-<informaltable colsep = "0" rowsep = "0">
-<tgroup cols = "2" colsep = "0" rowsep = "0"
-    tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>$ORIGIN</literal></para></entry>
-<entry colname = "2"><para><literal>2.1.10.in-addr.arpa</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>3</literal></para></entry>
-<entry colname = "2"><para><literal>IN PTR foo.example.com.</literal></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-      <note>
-<para>The <command>$ORIGIN</command> lines in the examples
-are for providing context to the examples only-they do not necessarily
-appear in the actual usage. They are only used here to indicate
-that the example is relative to the listed origin.</para></note></sect2>
-<sect2><title>Other Zone File Directives</title>
-<para>The Master File Format was initially defined in RFC 1035 and
-has subsequently been extended. While the Master File Format itself
-is class independent all records in a Master File must be of the same
-class.</para>
-<para>Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
-and <command>$TTL.</command></para>
-<sect3><title>The <command>$ORIGIN</command> Directive</title>
-<para>Syntax: <command>$ORIGIN
-</command><replaceable>domain-name</replaceable> <optional> <replaceable>comment</replaceable></optional></para>
-<para><command>$ORIGIN</command> sets the domain name that will
-be appended to any unqualified records. When a zone is first read
-in there is an implicit <command>$ORIGIN</command> &#60;<varname>zone-name</varname>><command>.</command> The
-current <command>$ORIGIN</command> is appended to the domain specified
-in the <command>$ORIGIN</command> argument if it is not absolute.</para>
-<programlisting>$ORIGIN example.com.
-WWW     CNAME   MAIN-SERVER</programlisting>
-<para>is equivalent to</para>
-<programlisting>WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</programlisting></sect3>
-<sect3><title>The <command>$INCLUDE</command> Directive</title>
-<para>Syntax: <command>$INCLUDE</command>
-<replaceable>filename</replaceable> <optional>
-<replaceable>origin</replaceable> </optional> <optional> <replaceable>comment</replaceable> </optional></para>
-<para>Read and process the file <filename>filename</filename> as
-if it were included into the file at this point.  If <command>origin</command> is
-specified the file is processed with <command>$ORIGIN</command> set
-to that value, otherwise the current <command>$ORIGIN</command> is
-used.</para>
-<para>The origin and the current domain name
-revert to the values they had prior to the <command>$INCLUDE</command> once
-the file has been read.</para>
-<note><para>
-RFC 1035 specifies that the current origin should be restored after
-an <command>$INCLUDE</command>, but it is silent on whether the current
-domain name should also be restored.  BIND 9 restores both of them.
-This could be construed as a deviation from RFC 1035, a feature, or both.
-</para></note>
-</sect3>
-<sect3><title>The <command>$TTL</command> Directive</title>
-<para>Syntax: <command>$TTL</command>
-<replaceable>default-ttl</replaceable> <optional>
-<replaceable>comment</replaceable> </optional></para>
-<para>Set the default Time To Live (TTL) for subsequent records
-with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</para>
-<para><command>$TTL</command> is defined in RFC 2308.</para></sect3></sect2>
-<sect2><title><acronym>BIND</acronym> Master File Extension: the  <command>$GENERATE</command> Directive</title>
-        <para>Syntax: <command>$GENERATE</command> <replaceable>range</replaceable> <replaceable>lhs</replaceable> <optional><replaceable>ttl</replaceable></optional> <optional><replaceable>class</replaceable></optional> <replaceable>type</replaceable> <replaceable>rhs</replaceable> <optional> <replaceable>comment</replaceable> </optional></para>
-<para><command>$GENERATE</command> is used to create a series of
-resource records that only differ from each other by an iterator. <command>$GENERATE</command> can
-be used to easily generate the sets of records required to support
-sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
-delegation.</para>
+
+            <para>
+              Each rule grants or denies privileges.  Once a message has
+              successfully matched a rule, the operation is immediately
+              granted
+              or denied and no further rules are examined.  A rule is matched
+              when the signer matches the identity field, the name matches the
+              name field in accordance with the nametype field, and the type
+              matches
+              the types specified in the type field.
+            </para>
+
+            <para>
+              The identity field specifies a name or a wildcard name.
+              Normally, this
+              is the name of the TSIG or SIG(0) key used to sign the update
+              request.  When a
+              TKEY exchange has been used to create a shared secret, the
+              identity of the
+              shared secret is the same as the identity of the key used to
+              authenticate the
+              TKEY exchange.  When the <replaceable>identity</replaceable> field specifies a
+              wildcard name, it is subject to DNS wildcard expansion, so the
+              rule will apply
+              to multiple identities.  The <replaceable>identity</replaceable> field must
+              contain a fully qualified domain name.
+            </para>
+
+            <para>
+              The <replaceable>nametype</replaceable> field has 6
+              values:
+              <varname>name</varname>, <varname>subdomain</varname>,
+              <varname>wildcard</varname>, <varname>self</varname>,
+	       <varname>selfsub</varname>, and <varname>selfwild</varname>.
+            </para>
+            <informaltable>
+              <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+                <colspec colname="1" colnum="1" colsep="0" colwidth="0.819in"/>
+                <colspec colname="2" colnum="2" colsep="0" colwidth="3.681in"/>
+                <tbody>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
+			<varname>name</varname>
+		      </para>
+		    </entry> <entry colname="2">
+		      <para>
+			Exact-match semantics.  This rule matches
+			when the name being updated is identical
+			to the contents of the
+			<replaceable>name</replaceable> field.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
+			<varname>subdomain</varname>
+		      </para>
+		    </entry> <entry colname="2">
+		      <para>
+			This rule matches when the name being updated
+			is a subdomain of, or identical to, the
+			contents of the <replaceable>name</replaceable>
+			field.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
+			<varname>wildcard</varname>
+		      </para>
+		    </entry> <entry colname="2">
+		      <para>
+			The <replaceable>name</replaceable> field
+			is subject to DNS wildcard expansion, and
+			this rule matches when the name being updated
+			name is a valid expansion of the wildcard.
+		      </para>
+		    </entry>
+		  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        <varname>self</varname>
+                      </para>
+                    </entry>
+                    <entry colname="2">
+		      <para>
+			This rule matches when the name being updated
+			matches the contents of the
+			<replaceable>identity</replaceable> field.
+			The <replaceable>name</replaceable> field
+			is ignored, but should be the same as the
+			<replaceable>identity</replaceable> field.
+			The <varname>self</varname> nametype is
+			most useful when allowing using one key per
+			name to update, where the key has the same
+			name as the name to be updated.  The
+			<replaceable>identity</replaceable> would
+			be specified as <constant>*</constant> (an asterisk) in
+			this case.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
+			<varname>selfsub</varname>
+		      </para>
+		    </entry> <entry colname="2">
+		      <para>
+			This rule is similar to <varname>self</varname>
+			except that subdomains of <varname>self</varname>
+			can also be updated.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
+			<varname>selfwild</varname>
+		      </para>
+		    </entry> <entry colname="2">
+		      <para>
+			This rule is similar to <varname>self</varname>
+			except that only subdomains of
+			<varname>self</varname> can be updated.
+		      </para>
+		    </entry>
+		  </row>
+                </tbody>
+              </tgroup>
+            </informaltable>
+
+            <para>
+              In all cases, the <replaceable>name</replaceable>
+              field must
+              specify a fully qualified domain name.
+            </para>
+
+            <para>
+              If no types are explicitly specified, this rule matches all
+              types except
+              RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
+              "ANY" (ANY matches all types except NSEC, which can never be
+              updated).
+              Note that when an attempt is made to delete all records
+              associated with a
+              name, the rules are checked for each existing record type.
+            </para>
+          </sect3>
+        </sect2>
+      </sect1>
+      <sect1>
+        <title>Zone File</title>
+        <sect2 id="types_of_resource_records_and_when_to_use_them">
+          <title>Types of Resource Records and When to Use Them</title>
+          <para>
+            This section, largely borrowed from RFC 1034, describes the
+            concept of a Resource Record (RR) and explains when each is used.
+            Since the publication of RFC 1034, several new RRs have been
+            identified
+            and implemented in the DNS. These are also included.
+          </para>
+          <sect3>
+            <title>Resource Records</title>
+
+            <para>
+              A domain name identifies a node.  Each node has a set of
+              resource information, which may be empty.  The set of resource
+              information associated with a particular name is composed of
+              separate RRs. The order of RRs in a set is not significant and
+              need not be preserved by name servers, resolvers, or other
+              parts of the DNS. However, sorting of multiple RRs is
+              permitted for optimization purposes, for example, to specify
+              that a particular nearby server be tried first. See <xref linkend="the_sortlist_statement"/> and <xref linkend="rrset_ordering"/>.
+            </para>
+
+            <para>
+              The components of a Resource Record are:
+            </para>
+            <informaltable colsep="0" rowsep="0">
+              <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+                <colspec colname="1" colnum="1" colsep="0" colwidth="1.000in"/>
+                <colspec colname="2" colnum="2" colsep="0" colwidth="3.500in"/>
+                <tbody>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        owner name
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        The domain name where the RR is found.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        type
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        An encoded 16-bit value that specifies
+                        the type of the resource record.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        TTL
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        The time-to-live of the RR. This field
+                        is a 32-bit integer in units of seconds, and is
+                        primarily used by
+                        resolvers when they cache RRs. The TTL describes how
+                        long a RR can
+                        be cached before it should be discarded.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        class
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        An encoded 16-bit value that identifies
+                        a protocol family or instance of a protocol.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        RDATA
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        The resource data.  The format of the
+                        data is type (and sometimes class) specific.
+                      </para>
+                    </entry>
+                  </row>
+                </tbody>
+              </tgroup>
+            </informaltable>
+            <para>
+              The following are <emphasis>types</emphasis> of valid RRs:
+            </para>
+            <informaltable colsep="0" rowsep="0">
+              <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+                <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
+                <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
+                <tbody>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        A
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        A host address.  In the IN class, this is a
+                        32-bit IP address.  Described in RFC 1035.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        AAAA
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        IPv6 address.  Described in RFC 1886.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        A6
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        IPv6 address.  This can be a partial
+                        address (a suffix) and an indirection to the name
+                        where the rest of the
+                        address (the prefix) can be found.  Experimental.
+                        Described in RFC 2874.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        AFSDB
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Location of AFS database servers.
+                        Experimental.  Described in RFC 1183.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        APL
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Address prefix list.  Experimental.
+                        Described in RFC 3123.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        CERT
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Holds a digital certificate.
+                        Described in RFC 2538.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        CNAME
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Identifies the canonical name of an alias.
+                        Described in RFC 1035.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        DNAME
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Replaces the domain name specified with
+                        another name to be looked up, effectively aliasing an
+                        entire
+                        subtree of the domain name space rather than a single
+                        record
+                        as in the case of the CNAME RR.
+                        Described in RFC 2672.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        DNSKEY
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Stores a public key associated with a signed
+                        DNS zone.  Described in RFC 4034.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        DS
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Stores the hash of a public key associated with a
+                        signed DNS zone.  Described in RFC 4034.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        GPOS
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Specifies the global position.  Superseded by LOC.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        HINFO
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Identifies the CPU and OS used by a host.
+                        Described in RFC 1035.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        ISDN
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Representation of ISDN addresses.
+                        Experimental.  Described in RFC 1183.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        KEY
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Stores a public key associated with a
+                        DNS name.  Used in original DNSSEC; replaced
+			by DNSKEY in DNSSECbis, but still used with
+			SIG(0).  Described in RFCs 2535 and 2931.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        KX
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Identifies a key exchanger for this
+                        DNS name.  Described in RFC 2230.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        LOC
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        For storing GPS info.  Described in RFC 1876.
+                        Experimental.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        MX
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Identifies a mail exchange for the domain with
+                        a 16-bit preference value (lower is better)
+                        followed by the host name of the mail exchange.
+                        Described in RFC 974, RFC 1035.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        NAPTR
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Name authority pointer.  Described in RFC 2915.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        NSAP
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        A network service access point.
+                        Described in RFC 1706.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        NS
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        The authoritative name server for the
+                        domain.  Described in RFC 1035.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        NSEC
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Used in DNSSECbis to securely indicate that
+                        RRs with an owner name in a certain name interval do
+                        not exist in
+                        a zone and indicate what RR types are present for an
+                        existing name.
+                        Described in RFC 4034.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        NXT
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Used in DNSSEC to securely indicate that
+                        RRs with an owner name in a certain name interval do
+                        not exist in
+                        a zone and indicate what RR types are present for an
+                        existing name.
+			Used in original DNSSEC; replaced by NSEC in
+			DNSSECbis.
+                        Described in RFC 2535.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        PTR
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        A pointer to another part of the domain
+                        name space.  Described in RFC 1035.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        PX
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Provides mappings between RFC 822 and X.400
+                        addresses.  Described in RFC 2163.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        RP
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Information on persons responsible
+                        for the domain.  Experimental.  Described in RFC 1183.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        RRSIG
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Contains DNSSECbis signature data.  Described
+			in RFC 4034.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        RT
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Route-through binding for hosts that
+                        do not have their own direct wide area network
+                        addresses.
+                        Experimental.  Described in RFC 1183.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        SIG
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Contains DNSSEC signature data.  Used in
+			original DNSSEC; replaced by RRSIG in
+			DNSSECbis, but still used for SIG(0).
+			Described in RFCs 2535 and 2931.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        SOA
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Identifies the start of a zone of authority.
+                        Described in RFC 1035.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        SRV
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Information about well known network
+                        services (replaces WKS).  Described in RFC 2782.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        TXT
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Text records.  Described in RFC 1035.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        WKS
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Information about which well known
+                        network services, such as SMTP, that a domain
+                        supports. Historical.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        X25
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Representation of X.25 network addresses.
+                        Experimental.  Described in RFC 1183.
+                      </para>
+                    </entry>
+                  </row>
+                </tbody>
+              </tgroup>
+            </informaltable>
+            <para>
+              The following <emphasis>classes</emphasis> of resource records
+              are currently valid in the DNS:
+            </para>
+            <informaltable colsep="0" rowsep="0"><tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+                <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
+                <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
+                <tbody>
+
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        IN
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        The Internet.
+                      </para>
+                    </entry>
+                  </row>
+
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        CH
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        CHAOSnet, a LAN protocol created at MIT in the
+                        mid-1970s.
+                        Rarely used for its historical purpose, but reused for
+                        BIND's
+                        built-in server information zones, e.g.,
+                        <literal>version.bind</literal>.
+                      </para>
+                    </entry>
+                  </row>
+
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        HS
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        Hesiod, an information service
+                        developed by MIT's Project Athena. It is used to share
+                        information
+                        about various systems databases, such as users,
+                        groups, printers
+                        and so on.
+                      </para>
+                    </entry>
+                  </row>
+
+                </tbody>
+              </tgroup>
+            </informaltable>
+
+            <para>
+              The owner name is often implicit, rather than forming an
+              integral
+              part of the RR.  For example, many name servers internally form
+              tree
+              or hash structures for the name space, and chain RRs off nodes.
+              The remaining RR parts are the fixed header (type, class, TTL)
+              which is consistent for all RRs, and a variable part (RDATA)
+              that
+              fits the needs of the resource being described.
+            </para>
+            <para>
+              The meaning of the TTL field is a time limit on how long an
+              RR can be kept in a cache.  This limit does not apply to
+              authoritative
+              data in zones; it is also timed out, but by the refreshing
+              policies
+              for the zone.  The TTL is assigned by the administrator for the
+              zone where the data originates.  While short TTLs can be used to
+              minimize caching, and a zero TTL prohibits caching, the
+              realities
+              of Internet performance suggest that these times should be on
+              the
+              order of days for the typical host.  If a change can be
+              anticipated,
+              the TTL can be reduced prior to the change to minimize
+              inconsistency
+              during the change, and then increased back to its former value
+              following
+              the change.
+            </para>
+            <para>
+              The data in the RDATA section of RRs is carried as a combination
+              of binary strings and domain names.  The domain names are
+              frequently
+              used as "pointers" to other data in the DNS.
+            </para>
+          </sect3>
+          <sect3>
+            <title>Textual expression of RRs</title>
+            <para>
+              RRs are represented in binary form in the packets of the DNS
+              protocol, and are usually represented in highly encoded form
+              when
+              stored in a name server or resolver.  In the examples provided
+              in
+              RFC 1034, a style similar to that used in master files was
+              employed
+              in order to show the contents of RRs.  In this format, most RRs
+              are shown on a single line, although continuation lines are
+              possible
+              using parentheses.
+            </para>
+            <para>
+              The start of the line gives the owner of the RR.  If a line
+              begins with a blank, then the owner is assumed to be the same as
+              that of the previous RR.  Blank lines are often included for
+              readability.
+            </para>
+            <para>
+              Following the owner, we list the TTL, type, and class of the
+              RR.  Class and type use the mnemonics defined above, and TTL is
+              an integer before the type field.  In order to avoid ambiguity
+              in
+              parsing, type and class mnemonics are disjoint, TTLs are
+              integers,
+              and the type mnemonic is always last. The IN class and TTL
+              values
+              are often omitted from examples in the interests of clarity.
+            </para>
+            <para>
+              The resource data or RDATA section of the RR are given using
+              knowledge of the typical representation for the data.
+            </para>
+            <para>
+              For example, we might show the RRs carried in a message as:
+            </para>
+            <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+                <colspec colname="1" colnum="1" colsep="0" colwidth="1.381in"/>
+                <colspec colname="2" colnum="2" colsep="0" colwidth="1.020in"/>
+                <colspec colname="3" colnum="3" colsep="0" colwidth="2.099in"/>
+                <tbody>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        <literal>ISI.EDU.</literal>
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        <literal>MX</literal>
+                      </para>
+                    </entry>
+                    <entry colname="3">
+                      <para>
+                        <literal>10 VENERA.ISI.EDU.</literal>
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para/>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        <literal>MX</literal>
+                      </para>
+                    </entry>
+                    <entry colname="3">
+                      <para>
+                        <literal>10 VAXA.ISI.EDU</literal>
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        <literal>VENERA.ISI.EDU</literal>
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        <literal>A</literal>
+                      </para>
+                    </entry>
+                    <entry colname="3">
+                      <para>
+                        <literal>128.9.0.32</literal>
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para/>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        <literal>A</literal>
+                      </para>
+                    </entry>
+                    <entry colname="3">
+                      <para>
+                        <literal>10.1.0.52</literal>
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        <literal>VAXA.ISI.EDU</literal>
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        <literal>A</literal>
+                      </para>
+                    </entry>
+                    <entry colname="3">
+                      <para>
+                        <literal>10.2.0.27</literal>
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para/>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        <literal>A</literal>
+                      </para>
+                    </entry>
+                    <entry colname="3">
+                      <para>
+                        <literal>128.9.0.33</literal>
+                      </para>
+                    </entry>
+                  </row>
+                </tbody>
+              </tgroup>
+            </informaltable>
+            <para>
+              The MX RRs have an RDATA section which consists of a 16-bit
+              number followed by a domain name.  The address RRs use a
+              standard
+              IP address format to contain a 32-bit internet address.
+            </para>
+            <para>
+              The above example shows six RRs, with two RRs at each of three
+              domain names.
+            </para>
+            <para>
+              Similarly we might see:
+            </para>
+            <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+                <colspec colname="1" colnum="1" colsep="0" colwidth="1.491in"/>
+                <colspec colname="2" colnum="2" colsep="0" colwidth="1.067in"/>
+                <colspec colname="3" colnum="3" colsep="0" colwidth="2.067in"/>
+                <tbody>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        <literal>XX.LCS.MIT.EDU.</literal>
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+                        <literal>IN A</literal>
+                      </para>
+                    </entry>
+                    <entry colname="3">
+                      <para>
+                        <literal>10.0.0.44</literal>
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+		    <entry colname="1"/>
+                    <entry colname="2">
+                      <para>
+                        <literal>CH A</literal>
+                      </para>
+                    </entry>
+                    <entry colname="3">
+                      <para>
+                        <literal>MIT.EDU. 2420</literal>
+                      </para>
+                    </entry>
+                  </row>
+                </tbody>
+              </tgroup>
+            </informaltable>
+            <para>
+              This example shows two addresses for
+	      <literal>XX.LCS.MIT.EDU</literal>, each of a different class.
+            </para>
+          </sect3>
+        </sect2>
+
+        <sect2>
+          <title>Discussion of MX Records</title>
+
+          <para>
+            As described above, domain servers store information as a
+            series of resource records, each of which contains a particular
+            piece of information about a given domain name (which is usually,
+            but not always, a host). The simplest way to think of a RR is as
+            a typed pair of data, a domain name matched with a relevant datum,
+            and stored with some additional type information to help systems
+            determine when the RR is relevant.
+          </para>
+
+          <para>
+            MX records are used to control delivery of email. The data
+            specified in the record is a priority and a domain name. The
+            priority
+            controls the order in which email delivery is attempted, with the
+            lowest number first. If two priorities are the same, a server is
+            chosen randomly. If no servers at a given priority are responding,
+            the mail transport agent will fall back to the next largest
+            priority.
+            Priority numbers do not have any absolute meaning &mdash; they are
+            relevant
+            only respective to other MX records for that domain name. The
+            domain
+            name given is the machine to which the mail will be delivered.
+	    It <emphasis>must</emphasis> have an associated address record
+	    (A or AAAA) &mdash; CNAME is not sufficient.
+          </para>
+          <para>
+            For a given domain, if there is both a CNAME record and an
+            MX record, the MX record is in error, and will be ignored.
+            Instead,
+            the mail will be delivered to the server specified in the MX
+            record
+            pointed to by the CNAME.
+          </para>
+	  <para>
+            For example:
+          </para>
+          <informaltable colsep="0" rowsep="0">
+            <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="3Level-table">
+              <colspec colname="1" colnum="1" colsep="0" colwidth="1.708in"/>
+              <colspec colname="2" colnum="2" colsep="0" colwidth="0.444in"/>
+              <colspec colname="3" colnum="3" colsep="0" colwidth="0.444in"/>
+              <colspec colname="4" colnum="4" colsep="0" colwidth="0.976in"/>
+              <colspec colname="5" colnum="5" colsep="0" colwidth="1.553in"/>
+              <tbody>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para>
+                      <literal>example.com.</literal>
+                    </para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      <literal>IN</literal>
+                    </para>
+                  </entry>
+                  <entry colname="3">
+                    <para>
+                      <literal>MX</literal>
+                    </para>
+                  </entry>
+                  <entry colname="4">
+                    <para>
+                      <literal>10</literal>
+                    </para>
+                  </entry>
+                  <entry colname="5">
+                    <para>
+                      <literal>mail.example.com.</literal>
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para/>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      <literal>IN</literal>
+                    </para>
+                  </entry>
+                  <entry colname="3">
+                    <para>
+                      <literal>MX</literal>
+                    </para>
+                  </entry>
+                  <entry colname="4">
+                    <para>
+                      <literal>10</literal>
+                    </para>
+                  </entry>
+                  <entry colname="5">
+                    <para>
+                      <literal>mail2.example.com.</literal>
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para/>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      <literal>IN</literal>
+                    </para>
+                  </entry>
+                  <entry colname="3">
+                    <para>
+                      <literal>MX</literal>
+                    </para>
+                  </entry>
+                  <entry colname="4">
+                    <para>
+                      <literal>20</literal>
+                    </para>
+                  </entry>
+                  <entry colname="5">
+                    <para>
+                      <literal>mail.backup.org.</literal>
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para>
+                      <literal>mail.example.com.</literal>
+                    </para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      <literal>IN</literal>
+                    </para>
+                  </entry>
+                  <entry colname="3">
+                    <para>
+                      <literal>A</literal>
+                    </para>
+                  </entry>
+                  <entry colname="4">
+                    <para>
+                      <literal>10.0.0.1</literal>
+                    </para>
+                  </entry>
+                  <entry colname="5">
+                    <para/>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para>
+                      <literal>mail2.example.com.</literal>
+                    </para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      <literal>IN</literal>
+                    </para>
+                  </entry>
+                  <entry colname="3">
+                    <para>
+                      <literal>A</literal>
+                    </para>
+                  </entry>
+                  <entry colname="4">
+                    <para>
+                      <literal>10.0.0.2</literal>
+                    </para>
+                  </entry>
+                  <entry colname="5">
+                    <para/>
+                  </entry>
+                </row>
+              </tbody>
+            </tgroup>
+            </informaltable><para>
+            Mail delivery will be attempted to <literal>mail.example.com</literal> and
+            <literal>mail2.example.com</literal> (in
+            any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
+            be attempted.
+          </para>
+        </sect2>
+        <sect2 id="Setting_TTLs">
+          <title>Setting TTLs</title>
+          <para>
+            The time-to-live of the RR field is a 32-bit integer represented
+            in units of seconds, and is primarily used by resolvers when they
+            cache RRs. The TTL describes how long a RR can be cached before it
+            should be discarded. The following three types of TTL are
+            currently
+            used in a zone file.
+          </para>
+          <informaltable colsep="0" rowsep="0">
+            <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
+              <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
+              <colspec colname="2" colnum="2" colsep="0" colwidth="4.375in"/>
+              <tbody>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para>
+                      SOA
+                    </para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      The last field in the SOA is the negative
+                      caching TTL. This controls how long other servers will
+                      cache no-such-domain
+                      (NXDOMAIN) responses from you.
+                    </para>
+                    <para>
+                      The maximum time for
+                      negative caching is 3 hours (3h).
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para>
+                      $TTL
+                    </para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      The $TTL directive at the top of the
+                      zone file (before the SOA) gives a default TTL for every
+                      RR without
+                      a specific TTL set.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para>
+                      RR TTLs
+                    </para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Each RR can have a TTL as the second
+                      field in the RR, which will control how long other
+                      servers can cache
+                      the it.
+                    </para>
+                  </entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </informaltable>
+          <para>
+            All of these TTLs default to units of seconds, though units
+            can be explicitly specified, for example, <literal>1h30m</literal>.
+          </para>
+        </sect2>
+        <sect2>
+          <title>Inverse Mapping in IPv4</title>
+          <para>
+            Reverse name resolution (that is, translation from IP address
+            to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
+            and PTR records. Entries in the in-addr.arpa domain are made in
+            least-to-most significant order, read left to right. This is the
+            opposite order to the way IP addresses are usually written. Thus,
+            a machine with an IP address of 10.1.2.3 would have a
+            corresponding
+            in-addr.arpa name of
+            3.2.1.10.in-addr.arpa. This name should have a PTR resource record
+            whose data field is the name of the machine or, optionally,
+            multiple
+            PTR records if the machine has more than one name. For example,
+            in the <optional>example.com</optional> domain:
+          </para>
+          <informaltable colsep="0" rowsep="0">
+            <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
+              <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
+              <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
+              <tbody>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para>
+                      <literal>$ORIGIN</literal>
+                    </para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      <literal>2.1.10.in-addr.arpa</literal>
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para>
+                      <literal>3</literal>
+                    </para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      <literal>IN PTR foo.example.com.</literal>
+                    </para>
+                  </entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </informaltable>
+          <note>
+            <para>
+              The <command>$ORIGIN</command> lines in the examples
+              are for providing context to the examples only-they do not
+              necessarily
+              appear in the actual usage. They are only used here to indicate
+              that the example is relative to the listed origin.
+            </para>
+          </note>
+        </sect2>
+        <sect2>
+          <title>Other Zone File Directives</title>
+          <para>
+            The Master File Format was initially defined in RFC 1035 and
+            has subsequently been extended. While the Master File Format
+            itself
+            is class independent all records in a Master File must be of the
+            same
+            class.
+          </para>
+          <para>
+            Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
+            and <command>$TTL.</command>
+          </para>
+          <sect3>
+            <title>The <command>$ORIGIN</command> Directive</title>
+            <para>
+              Syntax: <command>$ORIGIN</command>
+	      <replaceable>domain-name</replaceable>
+              <optional><replaceable>comment</replaceable></optional>
+            </para>
+            <para><command>$ORIGIN</command>
+	      sets the domain name that will be appended to any
+              unqualified records. When a zone is first read in there
+              is an implicit <command>$ORIGIN</command>
+              &lt;<varname>zone-name</varname>&gt;<command>.</command>
+              The current <command>$ORIGIN</command> is appended to
+              the domain specified in the <command>$ORIGIN</command>
+              argument if it is not absolute.
+            </para>
+
+<programlisting>
+$ORIGIN example.com.
+WWW     CNAME   MAIN-SERVER
+</programlisting>
+
+            <para>
+              is equivalent to
+            </para>
+
+<programlisting>
+WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
+</programlisting>
+
+          </sect3>
+          <sect3>
+            <title>The <command>$INCLUDE</command> Directive</title>
+            <para>
+              Syntax: <command>$INCLUDE</command>
+              <replaceable>filename</replaceable>
+              <optional>
+<replaceable>origin</replaceable> </optional>
+              <optional> <replaceable>comment</replaceable> </optional>
+            </para>
+            <para>
+              Read and process the file <filename>filename</filename> as
+              if it were included into the file at this point.  If <command>origin</command> is
+              specified the file is processed with <command>$ORIGIN</command> set
+              to that value, otherwise the current <command>$ORIGIN</command> is
+              used.
+            </para>
+            <para>
+              The origin and the current domain name
+              revert to the values they had prior to the <command>$INCLUDE</command> once
+              the file has been read.
+            </para>
+            <note>
+              <para>
+                RFC 1035 specifies that the current origin should be restored
+                after
+                an <command>$INCLUDE</command>, but it is silent
+                on whether the current
+                domain name should also be restored.  BIND 9 restores both of
+                them.
+                This could be construed as a deviation from RFC 1035, a
+                feature, or both.
+              </para>
+            </note>
+          </sect3>
+          <sect3>
+            <title>The <command>$TTL</command> Directive</title>
+            <para>
+              Syntax: <command>$TTL</command>
+              <replaceable>default-ttl</replaceable>
+              <optional>
+<replaceable>comment</replaceable> </optional>
+            </para>
+            <para>
+              Set the default Time To Live (TTL) for subsequent records
+              with undefined TTLs. Valid TTLs are of the range 0-2147483647
+              seconds.
+            </para>
+            <para><command>$TTL</command>
+	       is defined in RFC 2308.
+            </para>
+          </sect3>
+        </sect2>
+        <sect2>
+          <title><acronym>BIND</acronym> Master File Extension: the  <command>$GENERATE</command> Directive</title>
+          <para>
+            Syntax: <command>$GENERATE</command>
+	    <replaceable>range</replaceable>
+	    <replaceable>lhs</replaceable>
+            <optional><replaceable>ttl</replaceable></optional>
+            <optional><replaceable>class</replaceable></optional>
+	    <replaceable>type</replaceable>
+	    <replaceable>rhs</replaceable>
+            <optional><replaceable>comment</replaceable></optional>
+          </para>
+          <para><command>$GENERATE</command>
+	    is used to create a series of resource records that only
+            differ from each other by an
+            iterator. <command>$GENERATE</command> can be used to
+            easily generate the sets of records required to support
+            sub /24 reverse delegations described in RFC 2317:
+            Classless IN-ADDR.ARPA delegation.
+          </para>
+
 <programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
 $GENERATE 1-2 0 NS SERVER$.EXAMPLE.
 $GENERATE 1-127 $ CNAME $.0</programlisting>
-<para>is equivalent to</para>
+
+          <para>
+            is equivalent to
+          </para>
+
 <programlisting>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
@@ -5842,97 +10382,215 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
 ...
 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
 </programlisting>
-      <informaltable colsep = "0" rowsep = "0">
-        <tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
-          <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
-          <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.250in"/>
-          <tbody>
-            <row rowsep = "0">
-              <entry colname = "1"><para><command>range</command></para></entry>
-              <entry colname = "2"><para>This can be one of two forms: start-stop
-or start-stop/step. If the first form is used, then step is set to
-        1. All of start, stop and step must be positive.</para></entry>
-      </row>
-        <row rowsep = "0">
-          <entry colname = "1"><para><command>lhs</command></para></entry>
-          <entry colname = "2"><para><command>lhs</command> describes the
-owner name of the resource records to be created. Any single
-<command>$</command> (dollar sign) symbols
-within the <command>lhs</command> side are replaced by the iterator
-value.
-To get a $ in the output you need to escape the <command>$</command>
-using a backslash <command>\</command>,
-e.g. <command>\$</command>. The <command>$</command> may optionally be followed
-by modifiers which change the offset from the iterator, field width and base. 
-Modifiers are introduced by a <command>{</command> immediately following the
-<command>$</command> as <command>${offset[,width[,base]]}</command>.
-For example, <command>${-20,3,d}</command> which subtracts 20 from the current value,
-prints the result as a decimal in a zero-padded field of width 3.  Available
-output forms are decimal (<command>d</command>), octal (<command>o</command>)
-and hexadecimal (<command>x</command> or <command>X</command> for uppercase).
-The default modifier is <command>${0,0,d}</command>.
-If the <command>lhs</command> is not
-absolute, the current <command>$ORIGIN</command> is appended to
-the name.</para>
-<para>For compatibility with earlier versions, <command>$$</command> is still
-recognized as indicating a literal $ in the output.</para></entry>
-        </row>
-        <row rowsep = "0">
-          <entry colname = "1"><para><command>ttl</command></para></entry>
-          <entry colname = "2"><para>Specifies the
-	  ttl of the generated records. If not specified this will be
-	  inherited using the normal ttl inheritance rules.</para>
-	  <para><command>class</command> and <command>ttl</command> can be
-	  entered in either order.</para></entry>
-	</row>
-        <row rowsep = "0">
-          <entry colname = "1"><para><command>class</command></para></entry>
-          <entry colname = "2"><para>Specifies the
-	  class of the generated records.  This must match the zone class if
-	  it is specified.</para>
-	  <para><command>class</command> and <command>ttl</command> can be
-	  entered in either order.</para></entry>
-	</row>
-        <row rowsep = "0">
-          <entry colname = "1"><para><command>type</command></para></entry>
-          <entry colname = "2"><para>At present the only supported types are
-PTR, CNAME, DNAME, A, AAAA and NS.</para></entry>
-        </row>
-        <row rowsep = "0">
-          <entry colname = "1"><para><command>rhs</command></para></entry>
-          <entry colname = "2"><para>A domain name. It is processed
-similarly to lhs.</para></entry>
-        </row>
-      </tbody>
-      </tgroup></informaltable>
-      <para>The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
-and not part of the standard zone file format.</para>
-      <para>BIND 8 does not support the optional TTL and CLASS fields.</para>
-    </sect2>
-  </sect1>
-</chapter>
-<chapter id="Bv9ARM.ch07"><title><acronym>BIND</acronym> 9 Security Considerations</title>
-<sect1 id="Access_Control_Lists"><title>Access Control Lists</title>
-<para>Access Control Lists (ACLs), are address match lists that
-you can set up and nickname for future use in <command>allow-notify</command>,
-<command>allow-query</command>, <command>allow-recursion</command>,
-<command>blackhole</command>, <command>allow-transfer</command>,
-etc.</para>
-<para>Using ACLs allows you to have finer control over who can access
-your name server, without cluttering up your config files with huge
-lists of IP addresses.</para>
-<para>It is a <emphasis>good idea</emphasis> to use ACLs, and to
-control access to your server. Limiting access to your server by
-outside parties can help prevent spoofing and denial of service (DoS)
-attacks against your server.</para>
-<para>Here is an example of how to properly apply ACLs:</para>
+
+          <informaltable colsep="0" rowsep="0">
+            <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
+                        <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
+              <colspec colname="2" colnum="2" colsep="0" colwidth="4.250in"/>
+              <tbody>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>range</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      This can be one of two forms: start-stop
+                      or start-stop/step. If the first form is used, then step
+                      is set to
+                      1. All of start, stop and step must be positive.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>lhs</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para><command>lhs</command>
+		      describes the owner name of the resource records
+                      to be created.  Any single <command>$</command>
+                      (dollar sign)
+                      symbols within the <command>lhs</command> side
+                      are replaced by the iterator value.
+
+                      To get a $ in the output you need to escape the
+                      <command>$</command> using a backslash
+                      <command>\</command>,
+                      e.g. <command>\$</command>. The
+                      <command>$</command> may optionally be followed
+                      by modifiers which change the offset from the
+                      iterator, field width and base.
+
+                      Modifiers are introduced by a
+                      <command>{</command> immediately following the
+                      <command>$</command> as
+                      <command>${offset[,width[,base]]}</command>.
+                      For example, <command>${-20,3,d}</command>
+                      subtracts 20 from the current value, prints the
+                      result as a decimal in a zero-padded field of
+                      width 3.
+
+		      Available output forms are decimal
+                      (<command>d</command>), octal
+                      (<command>o</command>) and hexadecimal
+                      (<command>x</command> or <command>X</command>
+                      for uppercase).  The default modifier is
+                      <command>${0,0,d}</command>.  If the
+                      <command>lhs</command> is not absolute, the
+                      current <command>$ORIGIN</command> is appended
+                      to the name.
+                    </para>
+                    <para>
+                      For compatibility with earlier versions, <command>$$</command> is still
+                      recognized as indicating a literal $ in the output.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>ttl</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+		      Specifies the time-to-live of the generated records. If
+                      not specified this will be inherited using the
+                      normal ttl inheritance rules.
+                    </para>
+                    <para><command>class</command>
+		      and <command>ttl</command> can be
+                      entered in either order.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>class</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+		      Specifies the class of the generated records.
+                      This must match the zone class if it is
+                      specified.
+                    </para>
+                    <para><command>class</command>
+		      and <command>ttl</command> can be
+                      entered in either order.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>type</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      At present the only supported types are
+                      PTR, CNAME, DNAME, A, AAAA and NS.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>rhs</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      A domain name. It is processed
+                      similarly to lhs.
+                    </para>
+                  </entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </informaltable>
+          <para>
+            The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
+            and not part of the standard zone file format.
+          </para>
+          <para>
+            BIND 8 does not support the optional TTL and CLASS fields.
+          </para>
+        </sect2>
+
+	<sect2 id="zonefile_format">
+	  <title>Additional File Formats</title>
+	  <para>
+	    In addition to the standard textual format, BIND 9
+	    supports the ability to read or dump to zone files in
+	    other formats.  The <constant>raw</constant> format is
+	    currently available as an additional format.  It is a
+	    binary format representing BIND 9's internal data
+	    structure directly, thereby remarkably improving the
+	    loading time.
+	  </para>
+	  <para>
+	    For a primary server, a zone file in the
+	    <constant>raw</constant> format is expected to be
+	    generated from a textual zone file by the
+	    <command>named-compilezone</command> command.  For a
+	    secondary server or for a dynamic zone, it is automatically
+	    generated (if this format is specified by the
+	    <command>masterfile-format</command> option) when
+	    <command>named</command> dumps the zone contents after
+	    zone transfer or when applying prior updates.
+	  </para>
+	  <para>
+	    If a zone file in a binary format needs manual modification,
+	    it first must be converted to a textual form by the
+	    <command>named-compilezone</command> command.  All
+	    necessary modification should go to the text file, which
+	    should then be converted to the binary form by the
+	    <command>named-compilezone</command> command again.
+	  </para>
+    	  <para>
+	     Although the <constant>raw</constant> format uses the
+	     network byte order and avoids architecture-dependent
+	     data alignment so that it is as much portable as
+	     possible, it is primarily expected to be used inside
+	     the same single system.  In order to export a zone
+	     file in the <constant>raw</constant> format or make a
+	     portable backup of the file, it is recommended to
+	     convert the file to the standard textual representation.
+	  </para>
+	</sect2>
+      </sect1>
+    </chapter>
+    <chapter id="Bv9ARM.ch07">
+      <title><acronym>BIND</acronym> 9 Security Considerations</title>
+      <sect1 id="Access_Control_Lists">
+        <title>Access Control Lists</title>
+        <para>
+          Access Control Lists (ACLs), are address match lists that
+          you can set up and nickname for future use in <command>allow-notify</command>,
+          <command>allow-query</command>, <command>allow-recursion</command>,
+          <command>blackhole</command>, <command>allow-transfer</command>,
+          etc.
+        </para>
+        <para>
+          Using ACLs allows you to have finer control over who can access
+          your name server, without cluttering up your config files with huge
+          lists of IP addresses.
+        </para>
+        <para>
+          It is a <emphasis>good idea</emphasis> to use ACLs, and to
+          control access to your server. Limiting access to your server by
+          outside parties can help prevent spoofing and denial of service (DoS) attacks against
+          your server.
+        </para>
+        <para>
+          Here is an example of how to properly apply ACLs:
+        </para>
+
 <programlisting>
-// Set up an ACL named "bogusnets" that will block RFC1918 space,
-// which is commonly used in spoofing attacks.
-acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
+// Set up an ACL named "bogusnets" that will block RFC1918 space
+// and some reserved space, which is commonly used in spoofing attacks.
+acl bogusnets {
+	0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
+	10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
+};
 
 // Set up an ACL called our-nets. Replace this with the real IP numbers.
-acl our-nets { x.x.x.x/24; x.x.x.x/21; }; 
+acl our-nets { x.x.x.x/24; x.x.x.x/21; };
 options {
   ...
   ...
@@ -5949,919 +10607,1646 @@ zone "example.com" {
   allow-query { any; };
 };
 </programlisting>
-<para>This allows recursive queries of the server from the outside
-unless recursion has been previously disabled.</para>
-<para>For more information on how to use ACLs to protect your server,
-see the <emphasis>AUSCERT</emphasis> advisory at
-<ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink></para></sect1>
-<sect1><title><command>chroot</command> and <command>setuid</command> (for
-UNIX servers)</title>
-<para>On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
-(using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
-option. This can help improve system security by placing <acronym>BIND</acronym> in
-a "sandbox", which will limit the damage done if a server is compromised.</para>
-<para>Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
-ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
-We suggest running as an unprivileged user when using the <command>chroot</command> feature.</para>
-<para>Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox, 
-<command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
-user 202:</para>
-<para><userinput>/usr/local/bin/named -u 202 -t /var/named</userinput></para>
-
-<sect2><title>The <command>chroot</command> Environment</title>
-
-<para>In order for a <command>chroot</command> environment to
-work properly in a particular directory
-(for example, <filename>/var/named</filename>),
-you will need to set up an environment that includes everything
-<acronym>BIND</acronym> needs to run.
-From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
-the root of the filesystem.  You will need to adjust the values of options like
-like <command>directory</command> and <command>pid-file</command> to account
-for this.
-</para>
-<para>
-Unlike with earlier versions of BIND, you will typically
-<emphasis>not</emphasis> need to compile <command>named</command>
-statically nor install shared libraries under the new root.
-However, depending on your operating system, you may need
-to set up things like
-<filename>/dev/zero</filename>,
-<filename>/dev/random</filename>,
-<filename>/dev/log</filename>, and
-<filename>/etc/localtime</filename>.
-</para>
-</sect2>
-
-<sect2><title>Using the <command>setuid</command> Function</title>
-
-<para>Prior to running the <command>named</command> daemon, use
-the <command>touch</command> utility (to change file access and
-modification times) or the <command>chown</command> utility (to
-set the user id and/or group id) on files
-to which you want <acronym>BIND</acronym>
-to write.  Note that if the <command>named</command> daemon is running as an
-unprivileged user, it will not be able to bind to new restricted ports if the
-server is reloaded.</para>
-</sect2>
-</sect1>
-
-<sect1 id="dynamic_update_security"><title>Dynamic Update Security</title> 
-
-<para>Access to the dynamic
-update facility should be strictly limited.  In earlier versions of
-<acronym>BIND</acronym>, the only way to do this was based on the IP
-address of the host requesting the update, by listing an IP address or
-network prefix in the <command>allow-update</command> zone option.
-This method is insecure since the source address of the update UDP packet
-is easily forged.  Also note that if the IP addresses allowed by the
-<command>allow-update</command> option include the address of a slave
-server which performs forwarding of dynamic updates, the master can be
-trivially attacked by sending the update to the slave, which will
-forward it to the master with its own source IP address causing the
-master to approve it without question.</para>
-
-<para>For these reasons, we strongly recommend that updates be
-cryptographically authenticated by means of transaction signatures
-(TSIG).  That is, the <command>allow-update</command> option should
-list only TSIG key names, not IP addresses or network
-prefixes. Alternatively, the new <command>update-policy</command>
-option can be used.</para>
-
-<para>Some sites choose to keep all dynamically-updated DNS data
-in a subdomain and delegate that subdomain to a separate zone. This
-way, the top-level zone containing critical data such as the IP addresses
-of public web and mail servers need not allow dynamic update at
-all.</para>
-
-</sect1></chapter>
-
-<chapter id="Bv9ARM.ch08">
-  <title>Troubleshooting</title>
-  <sect1>
-    <title>Common Problems</title>
-    <sect2>
-      <title>It's not working; how can I figure out what's wrong?</title>
-
-      <para>The best solution to solving installation and
-      configuration issues is to take preventative measures by setting
-      up logging files beforehand. The log files provide a
-      source of hints and information that can be used to figure out
-      what went wrong and how to fix the problem.</para>
-
-    </sect2>
-  </sect1>
-  <sect1>
-    <title>Incrementing and Changing the Serial Number</title>
-
-    <para>Zone serial numbers are just numbers-they aren't date
-    related.  A lot of people set them to a number that represents a
-    date, usually of the form YYYYMMDDRR. A number of people have been
-    testing these numbers for Y2K compliance and have set the number
-    to the year 2000 to see if it will work. They then try to restore
-    the old serial number. This will cause problems because serial
-    numbers are used to indicate that a zone has been updated. If the
-    serial number on the slave server is lower than the serial number
-    on the master, the slave server will attempt to update its copy of
-    the zone.</para>
-
-    <para>Setting the serial number to a lower number on the master
-    server than the slave server means that the slave will not perform
-    updates to its copy of the zone.</para>
-
-    <para>The solution to this is to add 2147483647 (2^31-1) to the
-    number, reload the zone and make sure all slaves have updated to
-    the new zone serial number, then reset the number to what you want
-    it to be, and reload the zone again.</para>
-
-  </sect1>
-  <sect1>
-    <title>Where Can I Get Help?</title>
-
-      <para>The Internet Software Consortium (<acronym>ISC</acronym>) offers a wide range
-    of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
-    levels of premium support are available and each level includes
-    support for all <acronym>ISC</acronym> programs, significant discounts on products
-    and training, and a recognized priority on bug fixes and
-    non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
-    support agreement package which includes services ranging from bug
-    fix announcements to remote support. It also includes training in
-    <acronym>BIND</acronym> and <acronym>DHCP</acronym>.</para>
-
-    <para>To discuss arrangements for support, contact
-    <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
-    <acronym>ISC</acronym> web page at <ulink
-    url="http://www.isc.org/services/support/">http://www.isc.org/services/support/</ulink>
-    to read more.</para>
-  </sect1>
-</chapter>
-<appendix id="Bv9ARM.ch09">
-  <title>Appendices</title>
-  <sect1>
-    <title>Acknowledgments</title>
-    <sect2>
-      <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
-
-      <para>Although the "official" beginning of the Domain Name
-      System occurred in 1984 with the publication of RFC 920, the
-      core of the new system was described in 1983 in RFCs 882 and
-      883. From 1984 to 1987, the ARPAnet (the precursor to today's
-      Internet) became a testbed of experimentation for developing the
-      new naming/addressing scheme in a rapidly expanding,
-      operational network environment.  New RFCs were written and
-      published in 1987 that modified the original documents to
-      incorporate improvements based on the working model. RFC 1034,
-      "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
-      Names-Implementation and Specification" were published and
-      became the standards upon which all <acronym>DNS</acronym> implementations are
-      built.
-</para>
-
-      <para>The first working domain name server, called "Jeeves", was
-written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
-machines located at the University of Southern California's Information
-Sciences Institute (USC-ISI) and SRI International's Network Information
-Center (SRI-NIC). A <acronym>DNS</acronym> server for Unix machines, the Berkeley Internet
-Name Domain (<acronym>BIND</acronym>) package, was written soon after by a group of
-graduate students at the University of California at Berkeley under
-a grant from the US Defense Advanced Research Projects Administration
-(DARPA).
-</para>
-<para>
-Versions of <acronym>BIND</acronym> through 4.8.3 were maintained by the Computer
-Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
-Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
-project team. After that, additional work on the software package
-was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation
-employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
-to 1987. Many other people also contributed to <acronym>BIND</acronym> development
-during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
-Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
-handled by Mike Karels and O. Kure.</para>
-      <para><acronym>BIND</acronym> versions 4.9 and 4.9.1 were released by Digital Equipment
-Corporation (now Compaq Computer Corporation). Paul Vixie, then
-a DEC employee, became <acronym>BIND</acronym>'s primary caretaker. He was assisted
-by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
-Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
-Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
-Wolfhugel, and others.</para>
-      <para><acronym>BIND</acronym> version 4.9.2 was sponsored by Vixie Enterprises. Paul
-Vixie became <acronym>BIND</acronym>'s principal architect/programmer.</para>
-      <para><acronym>BIND</acronym> versions from 4.9.3 onward have been developed and maintained
-by the Internet Software Consortium with support being provided
-by ISC's sponsors. As co-architects/programmers, Bob Halley and
-Paul Vixie released the first production-ready version of <acronym>BIND</acronym> version
-8 in May 1997.</para>
-      <para><acronym>BIND</acronym> development work is made possible today by the sponsorship
-of several corporations, and by the tireless work efforts of numerous
-individuals.</para>
-    </sect2>
-  </sect1>
-<sect1 id="historical_dns_information">
-
-<title>General <acronym>DNS</acronym> Reference Information</title>
-    <sect2 id="ipv6addresses">
-      <title>IPv6 addresses (AAAA)</title>
-      <para>IPv6 addresses are 128-bit identifiers for interfaces and
-sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
-scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
-an identifier for a single interface; <emphasis>Anycast</emphasis>,
-an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
-an identifier for a set of interfaces. Here we describe the global
-Unicast address scheme. For more information, see RFC 2374.</para>
-<para>The aggregatable global Unicast address format is as follows:</para>
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "6"
-    colsep = "0" rowsep = "0" tgroupstyle = "1Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.477in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.501in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.523in"/>
-<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.731in"/>
-<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "1.339in"/>
-<colspec colname = "6" colnum = "6" colsep = "0" colwidth = "2.529in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1" colsep = "1" rowsep = "1"><para>3</para></entry>
-<entry colname = "2" colsep = "1" rowsep = "1"><para>13</para></entry>
-<entry colname = "3" colsep = "1" rowsep = "1"><para>8</para></entry>
-<entry colname = "4" colsep = "1" rowsep = "1"><para>24</para></entry>
-<entry colname = "5" colsep = "1" rowsep = "1"><para>16</para></entry>
-<entry colname = "6" rowsep = "1"><para>64 bits</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1" colsep = "1"><para>FP</para></entry>
-<entry colname = "2" colsep = "1"><para>TLA ID</para></entry>
-<entry colname = "3" colsep = "1"><para>RES</para></entry>
-<entry colname = "4" colsep = "1"><para>NLA ID</para></entry>
-<entry colname = "5" colsep = "1"><para>SLA ID</para></entry>
-<entry colname = "6"><para>Interface ID</para></entry>
-</row>
-<row rowsep = "0">
-<entry nameend = "4" namest = "1"><para>&#60;------ Public Topology
-------></para></entry>
-<entry colname = "5"><para></para></entry>
-<entry colname = "6"><para></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para></para></entry>
-<entry colname = "3"><para></para></entry>
-<entry colname = "4"><para></para></entry>
-<entry colname = "5"><para>&#60;-Site Topology-></para></entry>
-<entry colname = "6"><para></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para></para></entry>
-<entry colname = "3"><para></para></entry>
-<entry colname = "4"><para></para></entry>
-<entry colname = "5"><para></para></entry>
-<entry colname = "6"><para>&#60;------ Interface Identifier ------></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-      <para>Where
-<informaltable colsep = "0"  rowsep = "0"><tgroup
-    cols = "3" colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.375in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.250in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "3.500in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>FP</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Format Prefix (001)</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>TLA ID</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Top-Level Aggregation Identifier</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RES</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Reserved for future use</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NLA ID</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Next-Level Aggregation Identifier</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>SLA ID</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Site-Level Aggregation Identifier</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>INTERFACE ID</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Interface Identifier</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable></para>
-      <para>The <emphasis>Public Topology</emphasis> is provided by the
-upstream provider or ISP, and (roughly) corresponds to the IPv4 <emphasis>network</emphasis> section
-of the address range. The <emphasis>Site Topology</emphasis> is
-where you can subnet this space, much the same as subnetting an
-IPv4 /16 network into /24 subnets. The <emphasis>Interface Identifier</emphasis> is
-the address of an individual interface on a given network. (With
-IPv6, addresses belong to interfaces rather than machines.)</para>
-      <para>The subnetting capability of IPv6 is much more flexible than
-that of IPv4: subnetting can now be carried out on bit boundaries,
-in much the same way as Classless InterDomain Routing (CIDR).</para>
-<para>The Interface Identifier must be unique on that network. On
-ethernet networks, one way to ensure this is to set the address
-to the first three bytes of the hardware address, "FFFE", then the
-last three bytes of the hardware address. The lowest significant
-bit of the first byte should then be complemented. Addresses are
-written as 32-bit blocks separated with a colon, and leading zeros
-of a block may be omitted, for example:</para>
-<para><command>2001:db8:201:9:a00:20ff:fe81:2b32</command></para>
-<para>IPv6 address specifications are likely to contain long strings
-of zeros, so the architects have included a shorthand for specifying
-them. The double colon (`::') indicates the longest possible string
-of zeros that can fit, and can be used only once in an address.</para>
-    </sect2>
-  </sect1>
-  <sect1 id="bibliography">
-    <title>Bibliography (and Suggested Reading)</title>
-    <sect2 id="rfcs">
-      <title>Request for Comments (RFCs)</title>
-      <para>Specification documents for the Internet protocol suite, including
-the <acronym>DNS</acronym>, are published as part of the Request for Comments (RFCs)
-series of technical notes. The standards themselves are defined
-by the Internet Engineering Task Force (IETF) and the Internet Engineering
-Steering Group (IESG). RFCs can be obtained online via FTP at 
-<ulink url="ftp://www.isi.edu/in-notes/">ftp://www.isi.edu/in-notes/RFC<replaceable>xxx</replaceable>.txt</ulink> (where <replaceable>xxx</replaceable> is
-the number of the RFC). RFCs are also available via the Web at
-<ulink url="http://www.ietf.org/rfc/">http://www.ietf.org/rfc/</ulink>.
-</para>
-      <bibliography>
-        <bibliodiv>
-          <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
-          <title>Standards</title>
-          <biblioentry>
-            <abbrev>RFC974</abbrev>
-            <author>
-              <surname>Partridge</surname>
-              <firstname>C.</firstname>
-            </author>
-            <title>Mail Routing and the Domain System</title>
-            <pubdate>January 1986</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC1034</abbrev>
-            <author>
-              <surname>Mockapetris</surname>
-              <firstname>P.V.</firstname>
-            </author> 
-            <title>Domain Names &mdash; Concepts and Facilities</title>
-            <pubdate>November 1987</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC1035</abbrev>
-            <author>
-              <surname>Mockapetris</surname>
-              <firstname>P. V.</firstname>
-            </author> <title>Domain Names &mdash; Implementation and
-Specification</title>
-            <pubdate>November 1987</pubdate>
-          </biblioentry>
-        </bibliodiv>
-        <bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
-
-          <title>Proposed Standards</title>
-          <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
-          <biblioentry>
-            <abbrev>RFC2181</abbrev>
-            <author>
-              <surname>Elz</surname>
-              <firstname>R., R. Bush</firstname>
-            </author>
-            <title>Clarifications to the <acronym>DNS</acronym> Specification</title>
-            <pubdate>July 1997</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC2308</abbrev>
-            <author>
-              <surname>Andrews</surname>
-              <firstname>M.</firstname>
-            </author>
-            <title>Negative Caching of <acronym>DNS</acronym> Queries</title>
-            <pubdate>March 1998</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC1995</abbrev>
-            <author>
-              <surname>Ohta</surname>
-              <firstname>M.</firstname>
-            </author>
-            <title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
-            <pubdate>August 1996</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC1996</abbrev>
-            <author>
-              <surname>Vixie</surname>
-              <firstname>P.</firstname>
-            </author>
-            <title>A Mechanism for Prompt Notification of Zone Changes</title>
-            <pubdate>August 1996</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC2136</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Vixie</surname>
-                <firstname>P.</firstname>
-              </author>
-              <author>
-                <firstname>S.</firstname>
-                <surname>Thomson</surname>
-              </author>
-              <author>
-                <firstname>Y.</firstname>
-                <surname>Rekhter</surname>
-              </author>
-              <author>
-                <firstname>J.</firstname>
-                <surname>Bound</surname>
-              </author>
-            </authorgroup> 
-            <title>Dynamic Updates in the Domain Name System</title>
-            <pubdate>April 1997</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC2845</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Vixie</surname>
-                <firstname>P.</firstname>
-              </author>
-              <author>
-                <firstname>O.</firstname>
-                <surname>Gudmundsson</surname>
-              </author>
-              <author>
-                <firstname>D.</firstname>
-                <surname>Eastlake</surname>
-                <lineage>3rd</lineage></author>
-              <author>
-                <firstname>B.</firstname>
-                <surname>Wellington</surname>
-              </author></authorgroup>
-            <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
-            <pubdate>May 2000</pubdate>
-          </biblioentry>
-        </bibliodiv>
-        <bibliodiv>
-          <title>Proposed Standards Still Under Development</title>
-          <note>
-            <para><emphasis>Note:</emphasis> the following list of
-RFCs are undergoing major revision by the IETF.</para>
-          </note>
-          <biblioentry>
-            <abbrev>RFC1886</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Thomson</surname>
-                <firstname>S.</firstname>
-              </author>
-              <author>
-                <firstname>C.</firstname>
-                <surname>Huitema</surname>
-              </author>
-            </authorgroup>
-            <title><acronym>DNS</acronym> Extensions to support IP version 6</title>
-            <pubdate>December 1995</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC2065</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Eastlake</surname>
-                <lineage>3rd</lineage>
-                <firstname>D.</firstname>
-              </author>
-              <author>
-                <firstname>C.</firstname>
-                <surname>Kaufman</surname>
-              </author>
-            </authorgroup>
-            <title>Domain Name System Security Extensions</title>
-            <pubdate>January 1997</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC2137</abbrev>
-            <author>
-              <surname>Eastlake</surname>
-              <lineage>3rd</lineage>
-              <firstname>D.</firstname>
-            </author>
-            <title>Secure Domain Name System Dynamic Update</title>
-            <pubdate>April 1997</pubdate>
-          </biblioentry>
-        </bibliodiv>
-        <bibliodiv>
-          <title>Other Important RFCs About <acronym>DNS</acronym> Implementation</title>
-          <biblioentry>
-            <abbrev>RFC1535</abbrev>
-            <author>
-              <surname>Gavron</surname>
-              <firstname>E.</firstname>
-            </author>
-            <title>A Security Problem and Proposed Correction With Widely Deployed <acronym>DNS</acronym> Software.</title>
-            <pubdate>October 1993</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC1536</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Kumar</surname>
-                <firstname>A.</firstname>
-              </author>
-              <author>
-                <firstname>J.</firstname>
-                <surname>Postel</surname>
-              </author>
-              <author>
-                <firstname>C.</firstname>
-                <surname>Neuman</surname></author>
-              <author>
-                <firstname>P.</firstname>
-                <surname>Danzig</surname>
-              </author>
-              <author>
-                <firstname>S.</firstname>
-                <surname>Miller</surname>
-              </author>
-            </authorgroup>
-            <title>Common <acronym>DNS</acronym> Implementation Errors and Suggested Fixes</title>
-            <pubdate>October 1993</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC1982</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Elz</surname>
-                <firstname>R.</firstname>
-              </author>
-              <author>
-                <firstname>R.</firstname>
-                <surname>Bush</surname>
-              </author>
-            </authorgroup>
-            <title>Serial Number Arithmetic</title>
-            <pubdate>August 1996</pubdate>
-          </biblioentry>
-        </bibliodiv>
-        <bibliodiv>
-          <title>Resource Record Types</title>
-          <biblioentry>
-            <abbrev>RFC1183</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Everhart</surname>
-                <firstname>C.F.</firstname>
-              </author>
-              <author>
-                <firstname>L. A.</firstname>
-                <surname>Mamakos</surname>
-              </author>
-              <author>
-                <firstname>R.</firstname>
-                <surname>Ullmann</surname>
-              </author>
-              <author>
-                <firstname>P.</firstname>
-                <surname>Mockapetris</surname>
-              </author>
-            </authorgroup>
-            <title>New <acronym>DNS</acronym> RR Definitions</title>
-            <pubdate>October 1990</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC1706</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Manning</surname>
-                <firstname>B.</firstname>
-              </author>
-              <author>
-                <firstname>R.</firstname>
-                <surname>Colella</surname>
-              </author>
-            </authorgroup>
-            <title><acronym>DNS</acronym> NSAP Resource Records</title>
-            <pubdate>October 1994</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC2168</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Daniel</surname>
-                <firstname>R.</firstname>
-              </author>
-              <author>
-                <firstname>M.</firstname>
-                <surname>Mealling</surname>
-              </author>
-            </authorgroup>
-            <title>Resolution of Uniform Resource Identifiers using
-the Domain Name System</title>
-            <pubdate>June 1997</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC1876</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Davis</surname>
-                <firstname>C.</firstname>
-              </author>
-              <author>
-                <firstname>P.</firstname>
-                <surname>Vixie</surname>
-              </author>
-              <author>
-                <firstname>T.</firstname>
-                <firstname>Goodwin</firstname>
-              </author>
-              <author>
-                <firstname>I.</firstname>
-                <surname>Dickinson</surname>
-              </author>
-            </authorgroup> 
-            <title>A Means for Expressing Location Information in the Domain
-Name System</title>
-            <pubdate>January 1996</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC2052</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Gulbrandsen</surname>
-                <firstname>A.</firstname>
-              </author>
-              <author>
-                <firstname>P.</firstname>
-                <surname>Vixie</surname>
-              </author>
-            </authorgroup>
-            <title>A <acronym>DNS</acronym> RR for Specifying the Location of
-Services.</title>
-            <pubdate>October 1996</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC2163</abbrev>
-            <author>
-              <surname>Allocchio</surname>
-              <firstname>A.</firstname>
-            </author>
-            <title>Using the Internet <acronym>DNS</acronym> to Distribute MIXER
-Conformant Global Address Mapping</title>
-            <pubdate>January 1998</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC2230</abbrev>
-            <author>
-              <surname>Atkinson</surname>
-              <firstname>R.</firstname>
-            </author>
-            <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
-            <pubdate>October 1997</pubdate>
-          </biblioentry>
-        </bibliodiv>
-        <bibliodiv>
-          <title><acronym>DNS</acronym> and the Internet</title>
-          <biblioentry>
-            <abbrev>RFC1101</abbrev>
-            <author>
-              <surname>Mockapetris</surname>
-              <firstname>P. V.</firstname>
-            </author>
-            <title><acronym>DNS</acronym> Encoding of Network Names and Other Types</title>
-            <pubdate>April 1989</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC1123</abbrev>
-            <author>
-              <surname>Braden</surname>
-              <surname>R.</surname>
-            </author>
-            <title>Requirements for Internet Hosts - Application and Support</title>
-            <pubdate>October 1989</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC1591</abbrev>
-            <author>
-              <surname>Postel</surname>
-              <firstname>J.</firstname></author>
-            <title>Domain Name System Structure and Delegation</title>
-            <pubdate>March 1994</pubdate></biblioentry>
-          <biblioentry>
-            <abbrev>RFC2317</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Eidnes</surname>
-                <firstname>H.</firstname>
-              </author>
-              <author>
-                <firstname>G.</firstname>
-                <surname>de Groot</surname>
-              </author>
-              <author>
-                <firstname>P.</firstname>
-                <surname>Vixie</surname>
-              </author>
-            </authorgroup>
-            <title>Classless IN-ADDR.ARPA Delegation</title>
-            <pubdate>March 1998</pubdate>
-          </biblioentry>
-        </bibliodiv>
-        <bibliodiv>
-          <title><acronym>DNS</acronym> Operations</title>
-          <biblioentry>
-            <abbrev>RFC1537</abbrev>
-            <author>
-              <surname>Beertema</surname>
-              <firstname>P.</firstname>
-            </author>
-            <title>Common <acronym>DNS</acronym> Data File Configuration Errors</title>
-            <pubdate>October 1993</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC1912</abbrev>
-            <author>
-              <surname>Barr</surname>
-              <firstname>D.</firstname>
-            </author>
-            <title>Common <acronym>DNS</acronym> Operational and Configuration Errors</title>
-            <pubdate>February 1996</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC2010</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Manning</surname>
-                <firstname>B.</firstname>
-              </author>
-              <author>
-                <firstname>P.</firstname>
-                <surname>Vixie</surname>
-              </author>
-            </authorgroup>
-            <title>Operational Criteria for Root Name Servers.</title>
-            <pubdate>October 1996</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC2219</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Hamilton</surname>
-                <firstname>M.</firstname>
-              </author>
-              <author>
-                <firstname>R.</firstname>
-                <surname>Wright</surname>
-              </author>
-            </authorgroup>
-            <title>Use of <acronym>DNS</acronym> Aliases for Network Services.</title>
-            <pubdate>October 1997</pubdate>
-          </biblioentry>
-        </bibliodiv>
-        <bibliodiv>
-          <title>Other <acronym>DNS</acronym>-related RFCs</title>
-          <note>
-            <para>Note: the following list of RFCs, although
-<acronym>DNS</acronym>-related, are not concerned with implementing software.</para>
-          </note>
-          <biblioentry>
-            <abbrev>RFC1464</abbrev>
-            <author>
-              <surname>Rosenbaum</surname>
-              <firstname>R.</firstname>
-            </author>
-            <title>Using the Domain Name System To Store Arbitrary String Attributes</title>
-            <pubdate>May 1993</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC1713</abbrev>
-            <author>
-              <surname>Romao</surname>
-              <firstname>A.</firstname>
-            </author>
-            <title>Tools for <acronym>DNS</acronym> Debugging</title>
-            <pubdate>November 1994</pubdate></biblioentry>
-          <biblioentry>
-            <abbrev>RFC1794</abbrev>
-            <author>
-              <surname>Brisco</surname>
-              <firstname>T.</firstname>
-            </author>
-            <title><acronym>DNS</acronym> Support for Load Balancing</title>
-            <pubdate>April 1995</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC2240</abbrev>
-            <author>
-              <surname>Vaughan</surname>
-              <firstname>O.</firstname></author>
-            <title>A Legal Basis for Domain Name Allocation</title>
-            <pubdate>November 1997</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC2345</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Klensin</surname>
-                <firstname>J.</firstname>
-              </author>
-              <author>
-                <firstname>T.</firstname>
-                <surname>Wolf</surname>
-              </author>
-              <author>
-                <firstname>G.</firstname>
-                <surname>Oglesby</surname>
-              </author>
-            </authorgroup>
-            <title>Domain Names and Company Name Retrieval</title>
-            <pubdate>May 1998</pubdate>
-          </biblioentry>
-          <biblioentry>
-            <abbrev>RFC2352</abbrev>
-            <author>
-              <surname>Vaughan</surname>
-              <firstname>O.</firstname>
-            </author>
-            <title>A Convention For Using Legal Names as Domain Names</title>
-            <pubdate>May 1998</pubdate>
-          </biblioentry>
-        </bibliodiv>
-        <bibliodiv>
-          <title>Obsolete and Unimplemented Experimental RRs</title>
-          <biblioentry>
-            <abbrev>RFC1712</abbrev>
-            <authorgroup>
-              <author>
-                <surname>Farrell</surname>
-                <firstname>C.</firstname>
-              </author>
-              <author>
-                <firstname>M.</firstname>
-                <surname>Schulze</surname>
-              </author>
-              <author>
-                <firstname>S.</firstname>
-                <surname>Pleitner</surname>
-              </author>
-              <author>
-                <firstname>D.</firstname>
-                <surname>Baldoni</surname>
-              </author>
-            </authorgroup>
-            <title><acronym>DNS</acronym> Encoding of Geographical
-Location</title>
-            <pubdate>November 1994</pubdate>
-          </biblioentry>
-        </bibliodiv>
-      </bibliography>
-    </sect2>
-    <sect2 id="internet_drafts">
-      <title>Internet Drafts</title>
-      <para>Internet Drafts (IDs) are rough-draft working documents of
-the Internet Engineering Task Force. They are, in essence, RFCs
-in the preliminary stages of development. Implementors are cautioned not
-to regard IDs as archival, and they should not be quoted or cited
-in any formal documents unless accompanied by the disclaimer that
-they are "works in progress." IDs have a lifespan of six months
-after which they are deleted unless updated by their authors.
-</para>
-    </sect2>
-    <sect2>
-      <title>Other Documents About <acronym>BIND</acronym></title>
-      <para></para>
-      <bibliography>
-        <biblioentry>
-          <authorgroup>
-            <author>
-              <surname>Albitz</surname>
-              <firstname>Paul</firstname>
-            </author>
-            <author>
-              <firstname>Cricket</firstname>
-              <surname>Liu</surname>
-            </author>
-          </authorgroup>
-          <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
-          <copyright>
-            <year>1998</year>
-            <holder>Sebastopol, CA: O'Reilly and Associates</holder>
-          </copyright>
-        </biblioentry>
-      </bibliography>
-    </sect2>
-  </sect1>
-
-</appendix>
-
-</book>
+
+        <para>
+          This allows recursive queries of the server from the outside
+          unless recursion has been previously disabled.
+        </para>
+        <para>
+          For more information on how to use ACLs to protect your server,
+          see the <emphasis>AUSCERT</emphasis> advisory at:
+        </para>
+        <para>
+          <ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
+	             >ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink>
+        </para>
+      </sect1>
+      <sect1>
+        <title><command>chroot</command> and <command>setuid</command></title>
+        <para>
+          On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
+          (using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
+          option. This can help improve system security by placing <acronym>BIND</acronym> in
+          a "sandbox", which will limit the damage done if a server is
+          compromised.
+        </para>
+        <para>
+          Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
+          ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
+          We suggest running as an unprivileged user when using the <command>chroot</command> feature.
+        </para>
+        <para>
+          Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox,
+          <command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
+          user 202:
+        </para>
+        <para>
+          <userinput>/usr/local/bin/named -u 202 -t /var/named</userinput>
+        </para>
+
+        <sect2>
+          <title>The <command>chroot</command> Environment</title>
+
+          <para>
+            In order for a <command>chroot</command> environment
+            to
+            work properly in a particular directory
+            (for example, <filename>/var/named</filename>),
+            you will need to set up an environment that includes everything
+            <acronym>BIND</acronym> needs to run.
+            From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
+            the root of the filesystem.  You will need to adjust the values of
+            options like
+            like <command>directory</command> and <command>pid-file</command> to account
+            for this.
+          </para>
+          <para>
+            Unlike with earlier versions of BIND, you will typically
+            <emphasis>not</emphasis> need to compile <command>named</command>
+            statically nor install shared libraries under the new root.
+            However, depending on your operating system, you may need
+            to set up things like
+            <filename>/dev/zero</filename>,
+            <filename>/dev/random</filename>,
+            <filename>/dev/log</filename>, and
+            <filename>/etc/localtime</filename>.
+          </para>
+        </sect2>
+
+        <sect2>
+          <title>Using the <command>setuid</command> Function</title>
+
+          <para>
+            Prior to running the <command>named</command> daemon,
+            use
+            the <command>touch</command> utility (to change file
+            access and
+            modification times) or the <command>chown</command>
+            utility (to
+            set the user id and/or group id) on files
+            to which you want <acronym>BIND</acronym>
+            to write.
+          </para>
+	  <note>
+	    Note that if the <command>named</command> daemon is running as an
+            unprivileged user, it will not be able to bind to new restricted
+            ports if the server is reloaded.
+	  </note>
+        </sect2>
+      </sect1>
+
+      <sect1 id="dynamic_update_security">
+        <title>Dynamic Update Security</title>
+
+        <para>
+          Access to the dynamic
+          update facility should be strictly limited.  In earlier versions of
+          <acronym>BIND</acronym>, the only way to do this was
+          based on the IP
+          address of the host requesting the update, by listing an IP address
+          or
+          network prefix in the <command>allow-update</command>
+          zone option.
+          This method is insecure since the source address of the update UDP
+          packet
+          is easily forged.  Also note that if the IP addresses allowed by the
+          <command>allow-update</command> option include the
+          address of a slave
+          server which performs forwarding of dynamic updates, the master can
+          be
+          trivially attacked by sending the update to the slave, which will
+          forward it to the master with its own source IP address causing the
+          master to approve it without question.
+        </para>
+
+        <para>
+          For these reasons, we strongly recommend that updates be
+          cryptographically authenticated by means of transaction signatures
+          (TSIG).  That is, the <command>allow-update</command>
+          option should
+          list only TSIG key names, not IP addresses or network
+          prefixes. Alternatively, the new <command>update-policy</command>
+          option can be used.
+        </para>
+
+        <para>
+          Some sites choose to keep all dynamically-updated DNS data
+          in a subdomain and delegate that subdomain to a separate zone. This
+          way, the top-level zone containing critical data such as the IP
+          addresses
+          of public web and mail servers need not allow dynamic update at
+          all.
+        </para>
+
+      </sect1>
+    </chapter>
+
+    <chapter id="Bv9ARM.ch08">
+      <title>Troubleshooting</title>
+      <sect1>
+        <title>Common Problems</title>
+        <sect2>
+          <title>It's not working; how can I figure out what's wrong?</title>
+
+          <para>
+            The best solution to solving installation and
+            configuration issues is to take preventative measures by setting
+            up logging files beforehand. The log files provide a
+            source of hints and information that can be used to figure out
+            what went wrong and how to fix the problem.
+          </para>
+
+        </sect2>
+      </sect1>
+      <sect1>
+        <title>Incrementing and Changing the Serial Number</title>
+
+        <para>
+          Zone serial numbers are just numbers-they aren't date
+          related.  A lot of people set them to a number that represents a
+          date, usually of the form YYYYMMDDRR. A number of people have been
+          testing these numbers for Y2K compliance and have set the number
+          to the year 2000 to see if it will work. They then try to restore
+          the old serial number. This will cause problems because serial
+          numbers are used to indicate that a zone has been updated. If the
+          serial number on the slave server is lower than the serial number
+          on the master, the slave server will attempt to update its copy of
+          the zone.
+        </para>
+
+        <para>
+          Setting the serial number to a lower number on the master
+          server than the slave server means that the slave will not perform
+          updates to its copy of the zone.
+        </para>
+
+        <para>
+          The solution to this is to add 2147483647 (2^31-1) to the
+          number, reload the zone and make sure all slaves have updated to
+          the new zone serial number, then reset the number to what you want
+          it to be, and reload the zone again.
+        </para>
+
+      </sect1>
+      <sect1>
+        <title>Where Can I Get Help?</title>
+
+        <para>
+          The Internet Systems Consortium
+          (<acronym>ISC</acronym>) offers a wide range
+          of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
+          levels of premium support are available and each level includes
+          support for all <acronym>ISC</acronym> programs,
+          significant discounts on products
+          and training, and a recognized priority on bug fixes and
+          non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
+          support agreement package which includes services ranging from bug
+          fix announcements to remote support. It also includes training in
+          <acronym>BIND</acronym> and <acronym>DHCP</acronym>.
+        </para>
+
+        <para>
+          To discuss arrangements for support, contact
+          <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
+          <acronym>ISC</acronym> web page at
+	  <ulink url="http://www.isc.org/services/support/"
+	             >http://www.isc.org/services/support/</ulink>
+          to read more.
+        </para>
+      </sect1>
+    </chapter>
+    <appendix id="Bv9ARM.ch09">
+      <title>Appendices</title>
+      <sect1>
+        <title>Acknowledgments</title>
+        <sect2 id="historical_dns_information">
+          <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
+
+          <para>
+            Although the "official" beginning of the Domain Name
+            System occurred in 1984 with the publication of RFC 920, the
+            core of the new system was described in 1983 in RFCs 882 and
+            883. From 1984 to 1987, the ARPAnet (the precursor to today's
+            Internet) became a testbed of experimentation for developing the
+            new naming/addressing scheme in a rapidly expanding,
+            operational network environment.  New RFCs were written and
+            published in 1987 that modified the original documents to
+            incorporate improvements based on the working model. RFC 1034,
+            "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
+            Names-Implementation and Specification" were published and
+            became the standards upon which all <acronym>DNS</acronym> implementations are
+            built.
+          </para>
+
+          <para>
+            The first working domain name server, called "Jeeves", was
+            written in 1983-84 by Paul Mockapetris for operation on DEC
+            Tops-20
+            machines located at the University of Southern California's
+            Information
+            Sciences Institute (USC-ISI) and SRI International's Network
+            Information
+            Center (SRI-NIC). A <acronym>DNS</acronym> server for
+            Unix machines, the Berkeley Internet
+            Name Domain (<acronym>BIND</acronym>) package, was
+            written soon after by a group of
+            graduate students at the University of California at Berkeley
+            under
+            a grant from the US Defense Advanced Research Projects
+            Administration
+            (DARPA).
+          </para>
+          <para>
+	    Versions of <acronym>BIND</acronym> through
+            4.8.3 were maintained by the Computer
+            Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
+            Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
+            project team. After that, additional work on the software package
+            was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
+            Corporation
+            employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
+            to 1987. Many other people also contributed to <acronym>BIND</acronym> development
+            during that time: Doug Kingston, Craig Partridge, Smoot
+            Carl-Mitchell,
+            Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
+            handled by Mike Karels and O. Kure.
+          </para>
+          <para>
+            <acronym>BIND</acronym> versions 4.9 and 4.9.1 were
+            released by Digital Equipment
+            Corporation (now Compaq Computer Corporation). Paul Vixie, then
+            a DEC employee, became <acronym>BIND</acronym>'s
+            primary caretaker. He was assisted
+            by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
+            Beecher, Andrew
+            Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
+            Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
+            Wolfhugel, and others.
+          </para>
+          <para>
+            <acronym>BIND</acronym> version 4.9.2 was sponsored by
+            Vixie Enterprises. Paul
+            Vixie became <acronym>BIND</acronym>'s principal
+            architect/programmer.
+          </para>
+          <para>
+            <acronym>BIND</acronym> versions from 4.9.3 onward
+            have been developed and maintained
+            by the Internet Systems Consortium and its predecessor,
+            the Internet Software Consortium,  with support being provided
+            by ISC's sponsors. As co-architects/programmers, Bob Halley and
+            Paul Vixie released the first production-ready version of
+	    <acronym>BIND</acronym> version 8 in May 1997.
+          </para>
+          <para>
+            <acronym>BIND</acronym> development work is made
+            possible today by the sponsorship
+            of several corporations, and by the tireless work efforts of
+            numerous individuals.
+          </para>
+        </sect2>
+      </sect1>
+      <sect1>
+        <title>General <acronym>DNS</acronym> Reference Information</title>
+        <sect2 id="ipv6addresses">
+          <title>IPv6 addresses (AAAA)</title>
+          <para>
+            IPv6 addresses are 128-bit identifiers for interfaces and
+            sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
+            scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
+            an identifier for a single interface;
+            <emphasis>Anycast</emphasis>,
+            an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
+            an identifier for a set of interfaces. Here we describe the global
+            Unicast address scheme. For more information, see RFC 3587.
+          </para>
+          <para>
+	    IPv6 unicast addresses consist of a
+	    <emphasis>global routing prefix</emphasis>, a
+	    <emphasis>subnet identifier</emphasis>, and an
+	    <emphasis>interface identifier</emphasis>.
+          </para>
+          <para>
+            The global routing prefix is provided by the
+            upstream provider or ISP, and (roughly) corresponds to the
+	    IPv4 <emphasis>network</emphasis> section
+            of the address range.
+
+	    The subnet identifier is for local subnetting, much the
+            same as subnetting an
+            IPv4 /16 network into /24 subnets.
+
+	    The interface identifier is the address of an individual
+            interface on a given network; in IPv6, addresses belong to
+            interfaces rather than to machines.
+          </para>
+          <para>
+            The subnetting capability of IPv6 is much more flexible than
+            that of IPv4: subnetting can be carried out on bit boundaries,
+            in much the same way as Classless InterDomain Routing
+            (CIDR), and the DNS PTR representation ("nibble" format)
+            makes setting up reverse zones easier.
+          </para>
+          <para>
+            The Interface Identifier must be unique on the local link,
+            and is usually generated automatically by the IPv6
+            implementation, although it is usually possible to
+            override the default setting if necessary.  A typical IPv6
+            address might look like:
+	    <command>2001:db8:201:9:a00:20ff:fe81:2b32</command>
+	  </para>
+          <para>
+            IPv6 address specifications often contain long strings
+            of zeros, so the architects have included a shorthand for
+            specifying
+            them. The double colon (`::') indicates the longest possible
+            string
+            of zeros that can fit, and can be used only once in an address.
+          </para>
+        </sect2>
+      </sect1>
+      <sect1 id="bibliography">
+        <title>Bibliography (and Suggested Reading)</title>
+        <sect2 id="rfcs">
+          <title>Request for Comments (RFCs)</title>
+          <para>
+            Specification documents for the Internet protocol suite, including
+            the <acronym>DNS</acronym>, are published as part of
+            the Request for Comments (RFCs)
+            series of technical notes. The standards themselves are defined
+            by the Internet Engineering Task Force (IETF) and the Internet
+            Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
+	  </para>
+	  <para>
+            <ulink url="ftp://www.isi.edu/in-notes/">
+	      ftp://www.isi.edu/in-notes/RFC<replaceable>xxxx</replaceable>.txt
+	    </ulink>
+	  </para>
+	  <para>
+	    (where <replaceable>xxxx</replaceable> is
+            the number of the RFC). RFCs are also available via the Web at:
+	  </para>
+	  <para>
+            <ulink url="http://www.ietf.org/rfc/"
+	               >http://www.ietf.org/rfc/</ulink>.
+          </para>
+          <bibliography>
+            <bibliodiv>
+              <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
+              <title>Standards</title>
+              <biblioentry>
+                <abbrev>RFC974</abbrev>
+                <author>
+                  <surname>Partridge</surname>
+                  <firstname>C.</firstname>
+                </author>
+                <title>Mail Routing and the Domain System</title>
+                <pubdate>January 1986</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC1034</abbrev>
+                <author>
+                  <surname>Mockapetris</surname>
+                  <firstname>P.V.</firstname>
+                </author>
+                <title>Domain Names &mdash; Concepts and Facilities</title>
+                <pubdate>November 1987</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC1035</abbrev>
+                <author>
+                  <surname>Mockapetris</surname>
+                  <firstname>P. V.</firstname>
+                  </author> <title>Domain Names &mdash; Implementation and
+                  Specification</title>
+                <pubdate>November 1987</pubdate>
+              </biblioentry>
+            </bibliodiv>
+            <bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
+
+              <title>Proposed Standards</title>
+              <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
+              <biblioentry>
+                <abbrev>RFC2181</abbrev>
+                <author>
+                  <surname>Elz</surname>
+                  <firstname>R., R. Bush</firstname>
+                </author>
+                <title>Clarifications to the <acronym>DNS</acronym>
+                  Specification</title>
+                <pubdate>July 1997</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2308</abbrev>
+                <author>
+                  <surname>Andrews</surname>
+                  <firstname>M.</firstname>
+                </author>
+                <title>Negative Caching of <acronym>DNS</acronym>
+                  Queries</title>
+                <pubdate>March 1998</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC1995</abbrev>
+                <author>
+                  <surname>Ohta</surname>
+                  <firstname>M.</firstname>
+                </author>
+                <title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
+                <pubdate>August 1996</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC1996</abbrev>
+                <author>
+                  <surname>Vixie</surname>
+                  <firstname>P.</firstname>
+                </author>
+                <title>A Mechanism for Prompt Notification of Zone Changes</title>
+                <pubdate>August 1996</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2136</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Vixie</surname>
+                    <firstname>P.</firstname>
+                  </author>
+                  <author>
+                    <firstname>S.</firstname>
+                    <surname>Thomson</surname>
+                  </author>
+                  <author>
+                    <firstname>Y.</firstname>
+                    <surname>Rekhter</surname>
+                  </author>
+                  <author>
+                    <firstname>J.</firstname>
+                    <surname>Bound</surname>
+                  </author>
+                </authorgroup>
+                <title>Dynamic Updates in the Domain Name System</title>
+                <pubdate>April 1997</pubdate>
+              </biblioentry>
+	      <biblioentry>
+                <abbrev>RFC2671</abbrev>
+                <authorgroup>
+                  <author>
+                    <firstname>P.</firstname>
+                    <surname>Vixie</surname>
+                  </author>
+                </authorgroup>
+                <title>Extension Mechanisms for DNS (EDNS0)</title>
+                <pubdate>August 1997</pubdate>
+	      </biblioentry>
+	      <biblioentry>
+                <abbrev>RFC2672</abbrev>
+                <authorgroup>
+                  <author>
+                    <firstname>M.</firstname>
+                    <surname>Crawford</surname>
+                  </author>
+                </authorgroup>
+                <title>Non-Terminal DNS Name Redirection</title>
+                <pubdate>August 1999</pubdate>
+	      </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2845</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Vixie</surname>
+                    <firstname>P.</firstname>
+                  </author>
+                  <author>
+                    <firstname>O.</firstname>
+                    <surname>Gudmundsson</surname>
+                  </author>
+                  <author>
+                    <firstname>D.</firstname>
+                    <surname>Eastlake</surname>
+                    <lineage>3rd</lineage>
+                  </author>
+                  <author>
+                    <firstname>B.</firstname>
+                    <surname>Wellington</surname>
+                  </author>
+                </authorgroup>
+                <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
+                <pubdate>May 2000</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2930</abbrev>
+                <authorgroup>
+                  <author>
+                    <firstname>D.</firstname>
+                    <surname>Eastlake</surname>
+                    <lineage>3rd</lineage>
+                  </author>
+                </authorgroup>
+                <title>Secret Key Establishment for DNS (TKEY RR)</title>
+                <pubdate>September 2000</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2931</abbrev>
+                <authorgroup>
+                  <author>
+                    <firstname>D.</firstname>
+                    <surname>Eastlake</surname>
+                    <lineage>3rd</lineage>
+                  </author>
+                </authorgroup>
+                <title>DNS Request and Transaction Signatures (SIG(0)s)</title>
+                <pubdate>September 2000</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3007</abbrev>
+                <authorgroup>
+                  <author>
+                    <firstname>B.</firstname>
+                    <surname>Wellington</surname>
+                  </author>
+                </authorgroup>
+                <title>Secure Domain Name System (DNS) Dynamic Update</title>
+                <pubdate>November 2000</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3645</abbrev>
+                <authorgroup>
+                  <author>
+                    <firstname>S.</firstname>
+                    <surname>Kwan</surname>
+                  </author>
+                  <author>
+                    <firstname>P.</firstname>
+                    <surname>Garg</surname>
+                  </author>
+                  <author>
+                    <firstname>J.</firstname>
+                    <surname>Gilroy</surname>
+                  </author>
+                  <author>
+                    <firstname>L.</firstname>
+                    <surname>Esibov</surname>
+                  </author>
+                  <author>
+                    <firstname>J.</firstname>
+                    <surname>Westhead</surname>
+                  </author>
+                  <author>
+                    <firstname>R.</firstname>
+                    <surname>Hall</surname>
+                  </author>
+                </authorgroup>
+                <title>Generic Security Service Algorithm for Secret
+		       Key Transaction Authentication for DNS
+		       (GSS-TSIG)</title>
+                <pubdate>October 2003</pubdate>
+              </biblioentry>
+            </bibliodiv>
+	    <bibliodiv>
+	      <title><acronym>DNS</acronym> Security Proposed Standards</title>
+	      <biblioentry>
+		<abbrev>RFC3225</abbrev>
+	 	<authorgroup>
+		  <author>
+		    <firstname>D.</firstname>
+		    <surname>Conrad</surname>
+		  </author>
+	 	</authorgroup>
+		<title>Indicating Resolver Support of DNSSEC</title>
+		<pubdate>December 2001</pubdate>
+	      </biblioentry>
+	      <biblioentry>
+	        <abbrev>RFC3833</abbrev>
+	 	<authorgroup>
+		  <author>
+		    <firstname>D.</firstname>
+		    <surname>Atkins</surname>
+		  </author>
+		  <author>
+		    <firstname>R.</firstname>
+		    <surname>Austein</surname>
+		  </author>
+		</authorgroup>
+		<title>Threat Analysis of the Domain Name System (DNS)</title>
+		<pubdate>August 2004</pubdate>
+	      </biblioentry>
+	      <biblioentry>
+	        <abbrev>RFC4033</abbrev>
+	 	<authorgroup>
+		  <author>
+		    <firstname>R.</firstname>
+		    <surname>Arends</surname>
+		  </author>
+		  <author>
+		    <firstname>R.</firstname>
+		    <surname>Austein</surname>
+		  </author>
+		  <author>
+		    <firstname>M.</firstname>
+		    <surname>Larson</surname>
+		  </author>
+		  <author>
+		    <firstname>D.</firstname>
+		    <surname>Massey</surname>
+		  </author>
+		  <author>
+		    <firstname>S.</firstname>
+		    <surname>Rose</surname>
+		  </author>
+		</authorgroup>
+		<title>DNS Security Introduction and Requirements</title>
+		<pubdate>March 2005</pubdate>
+	      </biblioentry>
+	      <biblioentry>
+	        <abbrev>RFC4044</abbrev>
+	 	<authorgroup>
+		  <author>
+		    <firstname>R.</firstname>
+		    <surname>Arends</surname>
+		  </author>
+		  <author>
+		    <firstname>R.</firstname>
+		    <surname>Austein</surname>
+		  </author>
+		  <author>
+		    <firstname>M.</firstname>
+		    <surname>Larson</surname>
+		  </author>
+		  <author>
+		    <firstname>D.</firstname>
+		    <surname>Massey</surname>
+		  </author>
+		  <author>
+		    <firstname>S.</firstname>
+		    <surname>Rose</surname>
+		  </author>
+		</authorgroup>
+		<title>Resource Records for the DNS Security Extensions</title>
+		<pubdate>March 2005</pubdate>
+	      </biblioentry>
+	      <biblioentry>
+	        <abbrev>RFC4035</abbrev>
+	 	<authorgroup>
+		  <author>
+		    <firstname>R.</firstname>
+		    <surname>Arends</surname>
+		  </author>
+		  <author>
+		    <firstname>R.</firstname>
+		    <surname>Austein</surname>
+		  </author>
+		  <author>
+		    <firstname>M.</firstname>
+		    <surname>Larson</surname>
+		  </author>
+		  <author>
+		    <firstname>D.</firstname>
+		    <surname>Massey</surname>
+		  </author>
+		  <author>
+		    <firstname>S.</firstname>
+		    <surname>Rose</surname>
+		  </author>
+		</authorgroup>
+		<title>Protocol Modifications for the DNS
+		       Security Extensions</title>
+		<pubdate>March 2005</pubdate>
+	      </biblioentry>
+            </bibliodiv>
+            <bibliodiv>
+              <title>Other Important RFCs About <acronym>DNS</acronym>
+                Implementation</title>
+              <biblioentry>
+                <abbrev>RFC1535</abbrev>
+                <author>
+                  <surname>Gavron</surname>
+                  <firstname>E.</firstname>
+                </author>
+                <title>A Security Problem and Proposed Correction With Widely
+                  Deployed <acronym>DNS</acronym> Software.</title>
+                <pubdate>October 1993</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC1536</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Kumar</surname>
+                    <firstname>A.</firstname>
+                  </author>
+                  <author>
+                    <firstname>J.</firstname>
+                    <surname>Postel</surname>
+                  </author>
+                  <author>
+                    <firstname>C.</firstname>
+                    <surname>Neuman</surname>
+                  </author>
+                  <author>
+                    <firstname>P.</firstname>
+                    <surname>Danzig</surname>
+                  </author>
+                  <author>
+                    <firstname>S.</firstname>
+                    <surname>Miller</surname>
+                  </author>
+                </authorgroup>
+                <title>Common <acronym>DNS</acronym> Implementation
+                  Errors and Suggested Fixes</title>
+                <pubdate>October 1993</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC1982</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Elz</surname>
+                    <firstname>R.</firstname>
+                  </author>
+                  <author>
+                    <firstname>R.</firstname>
+                    <surname>Bush</surname>
+                  </author>
+                </authorgroup>
+                <title>Serial Number Arithmetic</title>
+                <pubdate>August 1996</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC4074</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Morishita</surname>
+                    <firstname>Y.</firstname>
+                  </author>
+                  <author>
+                    <firstname>T.</firstname>
+                    <surname>Jinmei</surname>
+                  </author>
+                </authorgroup>
+                <title>Common Misbehaviour Against <acronym>DNS</acronym>
+		Queries for IPv6 Addresses</title>
+                <pubdate>May 2005</pubdate>
+              </biblioentry>
+            </bibliodiv>
+            <bibliodiv>
+              <title>Resource Record Types</title>
+              <biblioentry>
+                <abbrev>RFC1183</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Everhart</surname>
+                    <firstname>C.F.</firstname>
+                  </author>
+                  <author>
+                    <firstname>L. A.</firstname>
+                    <surname>Mamakos</surname>
+                  </author>
+                  <author>
+                    <firstname>R.</firstname>
+                    <surname>Ullmann</surname>
+                  </author>
+                  <author>
+                    <firstname>P.</firstname>
+                    <surname>Mockapetris</surname>
+                  </author>
+                </authorgroup>
+                <title>New <acronym>DNS</acronym> RR Definitions</title>
+                <pubdate>October 1990</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC1706</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Manning</surname>
+                    <firstname>B.</firstname>
+                  </author>
+                  <author>
+                    <firstname>R.</firstname>
+                    <surname>Colella</surname>
+                  </author>
+                </authorgroup>
+                <title><acronym>DNS</acronym> NSAP Resource Records</title>
+                <pubdate>October 1994</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2168</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Daniel</surname>
+                    <firstname>R.</firstname>
+                  </author>
+                  <author>
+                    <firstname>M.</firstname>
+                    <surname>Mealling</surname>
+                  </author>
+                </authorgroup>
+                <title>Resolution of Uniform Resource Identifiers using
+                  the Domain Name System</title>
+                <pubdate>June 1997</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC1876</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Davis</surname>
+                    <firstname>C.</firstname>
+                  </author>
+                  <author>
+                    <firstname>P.</firstname>
+                    <surname>Vixie</surname>
+                  </author>
+                  <author>
+                    <firstname>T.</firstname>
+                    <firstname>Goodwin</firstname>
+                  </author>
+                  <author>
+                    <firstname>I.</firstname>
+                    <surname>Dickinson</surname>
+                  </author>
+                </authorgroup>
+                <title>A Means for Expressing Location Information in the
+                  Domain
+                  Name System</title>
+                <pubdate>January 1996</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2052</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Gulbrandsen</surname>
+                    <firstname>A.</firstname>
+                  </author>
+                  <author>
+                    <firstname>P.</firstname>
+                    <surname>Vixie</surname>
+                  </author>
+                </authorgroup>
+                <title>A <acronym>DNS</acronym> RR for Specifying the
+                  Location of
+                  Services.</title>
+                <pubdate>October 1996</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2163</abbrev>
+                <author>
+                  <surname>Allocchio</surname>
+                  <firstname>A.</firstname>
+                </author>
+                <title>Using the Internet <acronym>DNS</acronym> to
+                  Distribute MIXER
+                  Conformant Global Address Mapping</title>
+                <pubdate>January 1998</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2230</abbrev>
+                <author>
+                  <surname>Atkinson</surname>
+                  <firstname>R.</firstname>
+                </author>
+                <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
+                <pubdate>October 1997</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2536</abbrev>
+                <author>
+                  <surname>Eastlake</surname>
+                  <firstname>D.</firstname>
+                  <lineage>3rd</lineage>
+                </author>
+                <title>DSA KEYs and SIGs in the Domain Name System (DNS)</title>
+                <pubdate>March 1999</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2537</abbrev>
+                <author>
+                  <surname>Eastlake</surname>
+                  <firstname>D.</firstname>
+                  <lineage>3rd</lineage>
+                </author>
+                <title>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</title>
+                <pubdate>March 1999</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2538</abbrev>
+		<authorgroup>
+                  <author>
+                    <surname>Eastlake</surname>
+                    <firstname>D.</firstname>
+                    <lineage>3rd</lineage>
+                  </author>
+		  <author>
+		    <surname>Gudmundsson</surname>
+		    <firstname>O.</firstname>
+		  </author>
+		</authorgroup>
+                <title>Storing Certificates in the Domain Name System (DNS)</title>
+                <pubdate>March 1999</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2539</abbrev>
+		<authorgroup>
+                  <author>
+                    <surname>Eastlake</surname>
+                    <firstname>D.</firstname>
+                    <lineage>3rd</lineage>
+                  </author>
+		</authorgroup>
+                <title>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</title>
+                <pubdate>March 1999</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2540</abbrev>
+		<authorgroup>
+                  <author>
+                    <surname>Eastlake</surname>
+                    <firstname>D.</firstname>
+                    <lineage>3rd</lineage>
+                  </author>
+		</authorgroup>
+                <title>Detached Domain Name System (DNS) Information</title>
+                <pubdate>March 1999</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2782</abbrev>
+                <author>
+                  <surname>Gulbrandsen</surname>
+                  <firstname>A.</firstname>
+                </author>
+                <author>
+                  <surname>Vixie</surname>
+                  <firstname>P.</firstname>
+                </author>
+                <author>
+                  <surname>Esibov</surname>
+                  <firstname>L.</firstname>
+                </author>
+                <title>A DNS RR for specifying the location of services (DNS SRV)</title>
+                <pubdate>February 2000</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2915</abbrev>
+                <author>
+                  <surname>Mealling</surname>
+                  <firstname>M.</firstname>
+                </author>
+                <author>
+                  <surname>Daniel</surname>
+                  <firstname>R.</firstname>
+                </author>
+                <title>The Naming Authority Pointer (NAPTR) DNS Resource Record</title>
+                <pubdate>September 2000</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3110</abbrev>
+                <author>
+                    <surname>Eastlake</surname>
+                    <firstname>D.</firstname>
+                    <lineage>3rd</lineage>
+                </author>
+                <title>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</title>
+                <pubdate>May 2001</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3123</abbrev>
+                <author>
+                  <surname>Koch</surname>
+                  <firstname>P.</firstname>
+                </author>
+                <title>A DNS RR Type for Lists of Address Prefixes (APL RR)</title>
+                <pubdate>June 2001</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3596</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Thomson</surname>
+                    <firstname>S.</firstname>
+                  </author>
+                  <author>
+                    <firstname>C.</firstname>
+                    <surname>Huitema</surname>
+                  </author>
+                  <author>
+                    <firstname>V.</firstname>
+                    <surname>Ksinant</surname>
+                  </author>
+                  <author>
+                    <firstname>M.</firstname>
+                    <surname>Souissi</surname>
+                  </author>
+                </authorgroup>
+                <title><acronym>DNS</acronym> Extensions to support IP
+                  version 6</title>
+                <pubdate>October 2003</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3597</abbrev>
+                <author>
+                  <surname>Gustafsson</surname>
+                  <firstname>A.</firstname>
+                </author>
+                <title>Handling of Unknown DNS Resource Record (RR) Types</title>
+                <pubdate>September 2003</pubdate>
+              </biblioentry>
+            </bibliodiv>
+            <bibliodiv>
+              <title><acronym>DNS</acronym> and the Internet</title>
+              <biblioentry>
+                <abbrev>RFC1101</abbrev>
+                <author>
+                  <surname>Mockapetris</surname>
+                  <firstname>P. V.</firstname>
+                </author>
+                <title><acronym>DNS</acronym> Encoding of Network Names
+                  and Other Types</title>
+                <pubdate>April 1989</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC1123</abbrev>
+                <author>
+                  <surname>Braden</surname>
+                  <surname>R.</surname>
+                </author>
+                <title>Requirements for Internet Hosts - Application and
+                  Support</title>
+                <pubdate>October 1989</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC1591</abbrev>
+                <author>
+                  <surname>Postel</surname>
+                  <firstname>J.</firstname>
+                </author>
+                <title>Domain Name System Structure and Delegation</title>
+                <pubdate>March 1994</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2317</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Eidnes</surname>
+                    <firstname>H.</firstname>
+                  </author>
+                  <author>
+                    <firstname>G.</firstname>
+                    <surname>de Groot</surname>
+                  </author>
+                  <author>
+                    <firstname>P.</firstname>
+                    <surname>Vixie</surname>
+                  </author>
+                </authorgroup>
+                <title>Classless IN-ADDR.ARPA Delegation</title>
+                <pubdate>March 1998</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2826</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Internet Architecture Board</surname>
+                  </author>
+                </authorgroup>
+                <title>IAB Technical Comment on the Unique DNS Root</title>
+                <pubdate>May 2000</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2929</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Eastlake</surname>
+                    <firstname>D.</firstname>
+                    <lineage>3rd</lineage>
+                  </author>
+                  <author>
+                    <surname>Brunner-Williams</surname>
+                    <firstname>E.</firstname>
+                  </author>
+                  <author>
+                    <surname>Manning</surname>
+                    <firstname>B.</firstname>
+                  </author>
+                </authorgroup>
+                <title>Domain Name System (DNS) IANA Considerations</title>
+                <pubdate>September 2000</pubdate>
+              </biblioentry>
+            </bibliodiv>
+            <bibliodiv>
+              <title><acronym>DNS</acronym> Operations</title>
+              <biblioentry>
+                <abbrev>RFC1033</abbrev>
+                <author>
+                  <surname>Lottor</surname>
+                  <firstname>M.</firstname>
+                </author>
+                <title>Domain administrators operations guide.</title>
+                <pubdate>November 1987</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC1537</abbrev>
+                <author>
+                  <surname>Beertema</surname>
+                  <firstname>P.</firstname>
+                </author>
+                <title>Common <acronym>DNS</acronym> Data File
+                  Configuration Errors</title>
+                <pubdate>October 1993</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC1912</abbrev>
+                <author>
+                  <surname>Barr</surname>
+                  <firstname>D.</firstname>
+                </author>
+                <title>Common <acronym>DNS</acronym> Operational and
+                  Configuration Errors</title>
+                <pubdate>February 1996</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2010</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Manning</surname>
+                    <firstname>B.</firstname>
+                  </author>
+                  <author>
+                    <firstname>P.</firstname>
+                    <surname>Vixie</surname>
+                  </author>
+                </authorgroup>
+                <title>Operational Criteria for Root Name Servers.</title>
+                <pubdate>October 1996</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2219</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Hamilton</surname>
+                    <firstname>M.</firstname>
+                  </author>
+                  <author>
+                    <firstname>R.</firstname>
+                    <surname>Wright</surname>
+                  </author>
+                </authorgroup>
+                <title>Use of <acronym>DNS</acronym> Aliases for
+                  Network Services.</title>
+                <pubdate>October 1997</pubdate>
+              </biblioentry>
+            </bibliodiv>
+	    <bibliodiv>
+              <title>Internationalized Domain Names</title>
+              <biblioentry>
+                <abbrev>RFC2825</abbrev>
+		<authorgroup>
+                  <author>
+                    <surname>IAB</surname>
+                  </author>
+                  <author>
+                    <surname>Daigle</surname>
+                    <firstname>R.</firstname>
+                  </author>
+		</authorgroup>
+                <title>A Tangled Web: Issues of I18N, Domain Names,
+		       and the Other Internet protocols</title>
+                <pubdate>May 2000</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3490</abbrev>
+		<authorgroup>
+                  <author>
+                    <surname>Faltstrom</surname>
+                    <firstname>P.</firstname>
+                  </author>
+                  <author>
+                    <surname>Hoffman</surname>
+                    <firstname>P.</firstname>
+                  </author>
+                  <author>
+                    <surname>Costello</surname>
+                    <firstname>A.</firstname>
+                  </author>
+		</authorgroup>
+                <title>Internationalizing Domain Names in Applications (IDNA)</title>
+                <pubdate>March 2003</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3491</abbrev>
+		<authorgroup>
+                  <author>
+                    <surname>Hoffman</surname>
+                    <firstname>P.</firstname>
+                  </author>
+                  <author>
+                    <surname>Blanchet</surname>
+                    <firstname>M.</firstname>
+                  </author>
+		</authorgroup>
+                <title>Nameprep: A Stringprep Profile for Internationalized Domain Names</title>
+                <pubdate>March 2003</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3492</abbrev>
+		<authorgroup>
+                  <author>
+                    <surname>Costello</surname>
+                    <firstname>A.</firstname>
+                  </author>
+		</authorgroup>
+                <title>Punycode: A Bootstring encoding of Unicode
+		       for Internationalized Domain Names in
+		       Applications (IDNA)</title>
+                <pubdate>March 2003</pubdate>
+              </biblioentry>
+	    </bibliodiv>
+            <bibliodiv>
+              <title>Other <acronym>DNS</acronym>-related RFCs</title>
+              <note>
+                <para>
+                  Note: the following list of RFCs, although
+                  <acronym>DNS</acronym>-related, are not
+                  concerned with implementing software.
+                </para>
+              </note>
+              <biblioentry>
+                <abbrev>RFC1464</abbrev>
+                <author>
+                  <surname>Rosenbaum</surname>
+                  <firstname>R.</firstname>
+                </author>
+                <title>Using the Domain Name System To Store Arbitrary String
+                  Attributes</title>
+                <pubdate>May 1993</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC1713</abbrev>
+                <author>
+                  <surname>Romao</surname>
+                  <firstname>A.</firstname>
+                </author>
+                <title>Tools for <acronym>DNS</acronym> Debugging</title>
+                <pubdate>November 1994</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC1794</abbrev>
+                <author>
+                  <surname>Brisco</surname>
+                  <firstname>T.</firstname>
+                </author>
+                <title><acronym>DNS</acronym> Support for Load
+                  Balancing</title>
+                <pubdate>April 1995</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2240</abbrev>
+                <author>
+                  <surname>Vaughan</surname>
+                  <firstname>O.</firstname>
+                </author>
+                <title>A Legal Basis for Domain Name Allocation</title>
+                <pubdate>November 1997</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2345</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Klensin</surname>
+                    <firstname>J.</firstname>
+                  </author>
+                  <author>
+                    <firstname>T.</firstname>
+                    <surname>Wolf</surname>
+                  </author>
+                  <author>
+                    <firstname>G.</firstname>
+                    <surname>Oglesby</surname>
+                  </author>
+                </authorgroup>
+                <title>Domain Names and Company Name Retrieval</title>
+                <pubdate>May 1998</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2352</abbrev>
+                <author>
+                  <surname>Vaughan</surname>
+                  <firstname>O.</firstname>
+                </author>
+                <title>A Convention For Using Legal Names as Domain Names</title>
+                <pubdate>May 1998</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3071</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Klensin</surname>
+                    <firstname>J.</firstname>
+                  </author>
+                </authorgroup>
+                <title>Reflections on the DNS, RFC 1591, and Categories of Domains</title>
+                <pubdate>February 2001</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3258</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Hardie</surname>
+                    <firstname>T.</firstname>
+                  </author>
+                </authorgroup>
+                <title>Distributing Authoritative Name Servers via
+		       Shared Unicast Addresses</title>
+                <pubdate>April 2002</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3901</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Durand</surname>
+                    <firstname>A.</firstname>
+                  </author>
+                  <author>
+                    <firstname>J.</firstname>
+                    <surname>Ihren</surname>
+                  </author>
+                </authorgroup>
+                <title>DNS IPv6 Transport Operational Guidelines</title>
+                <pubdate>September 2004</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2352</abbrev>
+                <author>
+                  <surname>Vaughan</surname>
+                  <firstname>O.</firstname>
+                </author>
+                <title>A Convention For Using Legal Names as Domain Names</title>
+                <pubdate>May 1998</pubdate>
+              </biblioentry>
+            </bibliodiv>
+            <bibliodiv>
+              <title>Obsolete and Unimplemented Experimental RFC</title>
+              <biblioentry>
+                <abbrev>RFC1712</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Farrell</surname>
+                    <firstname>C.</firstname>
+                  </author>
+                  <author>
+                    <firstname>M.</firstname>
+                    <surname>Schulze</surname>
+                  </author>
+                  <author>
+                    <firstname>S.</firstname>
+                    <surname>Pleitner</surname>
+                  </author>
+                  <author>
+                    <firstname>D.</firstname>
+                    <surname>Baldoni</surname>
+                  </author>
+                </authorgroup>
+                <title><acronym>DNS</acronym> Encoding of Geographical
+                  Location</title>
+                <pubdate>November 1994</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2673</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Crawford</surname>
+                    <firstname>M.</firstname>
+                  </author>
+                </authorgroup>
+                <title>Binary Labels in the Domain Name System</title>
+                <pubdate>August 1999</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2874</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Crawford</surname>
+                    <firstname>M.</firstname>
+                  </author>
+                  <author>
+                    <surname>Huitema</surname>
+                    <firstname>C.</firstname>
+                  </author>
+                </authorgroup>
+                <title>DNS Extensions to Support IPv6 Address Aggregation
+		       and Renumbering</title>
+                <pubdate>July 2000</pubdate>
+              </biblioentry>
+            </bibliodiv>
+            <bibliodiv>
+              <title>Obsoleted DNS Security RFCs</title>
+	      <note>
+		<para>
+		  Most of these have been consolidated into RFC4033,
+		  RFC4034 and RFC4035 which collectively describe DNSSECbis.
+		</para>
+	      </note>
+              <biblioentry>
+                <abbrev>RFC2065</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Eastlake</surname>
+                    <lineage>3rd</lineage>
+                    <firstname>D.</firstname>
+                  </author>
+                  <author>
+                    <firstname>C.</firstname>
+                    <surname>Kaufman</surname>
+                  </author>
+                </authorgroup>
+                <title>Domain Name System Security Extensions</title>
+                <pubdate>January 1997</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2137</abbrev>
+                <author>
+                  <surname>Eastlake</surname>
+                  <lineage>3rd</lineage>
+                  <firstname>D.</firstname>
+                </author>
+                <title>Secure Domain Name System Dynamic Update</title>
+                <pubdate>April 1997</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC2535</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Eastlake</surname>
+                    <lineage>3rd</lineage>
+                    <firstname>D.</firstname>
+                  </author>
+                </authorgroup>
+                <title>Domain Name System Security Extensions</title>
+                <pubdate>March 1999</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3008</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Wellington</surname>
+                    <firstname>B.</firstname>
+                  </author>
+                </authorgroup>
+                <title>Domain Name System Security (DNSSEC)
+		       Signing Authority</title>
+                <pubdate>November 2000</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3090</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Lewis</surname>
+                    <firstname>E.</firstname>
+                  </author>
+                </authorgroup>
+                <title>DNS Security Extension Clarification on Zone Status</title>
+                <pubdate>March 2001</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3445</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Massey</surname>
+                    <firstname>D.</firstname>
+                  </author>
+                  <author>
+                    <surname>Rose</surname>
+                    <firstname>S.</firstname>
+                  </author>
+                </authorgroup>
+                <title>Limiting the Scope of the KEY Resource Record (RR)</title>
+                <pubdate>December 2002</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3655</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Wellington</surname>
+                    <firstname>B.</firstname>
+                  </author>
+                  <author>
+                    <surname>Gudmundsson</surname>
+                    <firstname>O.</firstname>
+                  </author>
+                </authorgroup>
+                <title>Redefinition of DNS Authenticated Data (AD) bit</title>
+                <pubdate>November 2003</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3658</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Gudmundsson</surname>
+                    <firstname>O.</firstname>
+                  </author>
+                </authorgroup>
+                <title>Delegation Signer (DS) Resource Record (RR)</title>
+                <pubdate>December 2003</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3755</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Weiler</surname>
+                    <firstname>S.</firstname>
+                  </author>
+                </authorgroup>
+                <title>Legacy Resolver Compatibility for Delegation Signer (DS)</title>
+                <pubdate>May 2004</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3757</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Kolkman</surname>
+                    <firstname>O.</firstname>
+                  </author>
+                  <author>
+                    <surname>Schlyter</surname>
+                    <firstname>J.</firstname>
+                  </author>
+                  <author>
+                    <surname>Lewis</surname>
+                    <firstname>E.</firstname>
+                  </author>
+                </authorgroup>
+                <title>Domain Name System KEY (DNSKEY) Resource Record
+		      (RR) Secure Entry Point (SEP) Flag</title>
+                <pubdate>April 2004</pubdate>
+              </biblioentry>
+              <biblioentry>
+                <abbrev>RFC3845</abbrev>
+                <authorgroup>
+                  <author>
+                    <surname>Schlyter</surname>
+                    <firstname>J.</firstname>
+                  </author>
+                </authorgroup>
+                <title>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</title>
+                <pubdate>August 2004</pubdate>
+              </biblioentry>
+            </bibliodiv>
+          </bibliography>
+        </sect2>
+        <sect2 id="internet_drafts">
+          <title>Internet Drafts</title>
+          <para>
+            Internet Drafts (IDs) are rough-draft working documents of
+            the Internet Engineering Task Force. They are, in essence, RFCs
+            in the preliminary stages of development. Implementors are
+            cautioned not
+            to regard IDs as archival, and they should not be quoted or cited
+            in any formal documents unless accompanied by the disclaimer that
+            they are "works in progress." IDs have a lifespan of six months
+            after which they are deleted unless updated by their authors.
+          </para>
+        </sect2>
+        <sect2>
+          <title>Other Documents About <acronym>BIND</acronym></title>
+          <para/>
+          <bibliography>
+            <biblioentry>
+              <authorgroup>
+                <author>
+                  <surname>Albitz</surname>
+                  <firstname>Paul</firstname>
+                </author>
+                <author>
+                  <firstname>Cricket</firstname>
+                  <surname>Liu</surname>
+                </author>
+              </authorgroup>
+              <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
+              <copyright>
+                <year>1998</year>
+                <holder>Sebastopol, CA: O'Reilly and Associates</holder>
+              </copyright>
+            </biblioentry>
+          </bibliography>
+        </sect2>
+      </sect1>
+    </appendix>
+
+    <reference id="Bv9ARM.ch10">
+      <title>Manual pages</title>
+      <xi:include href="../../bin/dig/dig.docbook"/>
+      <xi:include href="../../bin/dig/host.docbook"/>
+      <xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/>
+      <xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/>
+      <xi:include href="../../bin/check/named-checkconf.docbook"/>
+      <xi:include href="../../bin/check/named-checkzone.docbook"/>
+      <xi:include href="../../bin/named/named.docbook"/>
+      <!-- named.conf.docbook and others? -->
+      <!-- nsupdate gives db2latex indigestion, markup problems? -->
+      <xi:include href="../../bin/rndc/rndc.docbook"/>
+      <xi:include href="../../bin/rndc/rndc.conf.docbook"/>
+      <xi:include href="../../bin/rndc/rndc-confgen.docbook"/>
+    </reference>
+
+  </book>
+
+<!--
+  - Local variables:
+  - mode: sgml
+  - End:
+ -->
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch01.html b/contrib/bind9/doc/arm/Bv9ARM.ch01.html
index 3f3aebb..a644628 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch01.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch01.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch01.html,v 1.12.2.2.8.15 2006/07/20 02:33:31 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch01.html,v 1.16.18.19 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 1. Introduction </title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<title>Chapter 1. Introduction</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
@@ -28,7 +28,7 @@
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 1. Introduction </th></tr>
+<tr><th colspan="3" align="center">Chapter 1. Introduction</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.html">Prev</a> </td>
@@ -41,71 +41,86 @@
 </div>
 <div class="chapter" lang="en">
 <div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch01"></a>Chapter 1. Introduction </h2></div></div></div>
+<a name="Bv9ARM.ch01"></a>Chapter 1. Introduction</h2></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569434">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569460">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569736">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569994">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564115">Scope of Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564138">Organization of This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563473">Conventions Used in This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564746">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570014">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570323">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570407">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570550">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570642">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570699">Name Servers in Multiple Roles</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564768">DNS Fundamentals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564802">Domains and Domain Names</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564886">Zones</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567284">Authoritative Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567525">Caching Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567587">Name Servers in Multiple Roles</a></span></dt>
 </dl></dd>
 </dl>
 </div>
-<p>The Internet Domain Name System (<acronym class="acronym">DNS</acronym>) consists of the syntax
-  to specify the names of entities in the Internet in a hierarchical
-  manner, the rules used for delegating authority over names, and the
-  system implementation that actually maps names to Internet
-  addresses.  <acronym class="acronym">DNS</acronym> data is maintained in a group of distributed
-  hierarchical databases.</p>
+<p>
+      The Internet Domain Name System (<acronym class="acronym">DNS</acronym>)
+      consists of the syntax
+      to specify the names of entities in the Internet in a hierarchical
+      manner, the rules used for delegating authority over names, and the
+      system implementation that actually maps names to Internet
+      addresses.  <acronym class="acronym">DNS</acronym> data is maintained in a
+      group of distributed
+      hierarchical databases.
+    </p>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2569434"></a>Scope of Document</h2></div></div></div>
-<p>The Berkeley Internet Name Domain (<acronym class="acronym">BIND</acronym>) implements a
-    domain name server for a number of operating systems. This
-    document provides basic information about the installation and
-    care of the Internet Software Consortium (<acronym class="acronym">ISC</acronym>)
-    <acronym class="acronym">BIND</acronym> version 9 software package for system
-    administrators.</p>
-<p>This version of the manual corresponds to BIND version 9.3.</p>
+<a name="id2564115"></a>Scope of Document</h2></div></div></div>
+<p>
+        The Berkeley Internet Name Domain
+        (<acronym class="acronym">BIND</acronym>) implements a
+        domain name server for a number of operating systems. This
+        document provides basic information about the installation and
+        care of the Internet Systems Consortium (<acronym class="acronym">ISC</acronym>)
+        <acronym class="acronym">BIND</acronym> version 9 software package for
+        system administrators.
+      </p>
+<p>
+        This version of the manual corresponds to BIND version 9.4.
+      </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2569460"></a>Organization of This Document</h2></div></div></div>
-<p>In this document, <span class="emphasis"><em>Section 1</em></span> introduces
-    the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Section 2</em></span>
-    describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
-    environments. Information in <span class="emphasis"><em>Section 3</em></span> is
-    <span class="emphasis"><em>task-oriented</em></span> in its presentation and is
-    organized functionally, to aid in the process of installing the
-    <acronym class="acronym">BIND</acronym> 9 software. The task-oriented section is followed by
-    <span class="emphasis"><em>Section 4</em></span>, which contains more advanced
-    concepts that the system administrator may need for implementing
-    certain options. <span class="emphasis"><em>Section 5</em></span>
-    describes the <acronym class="acronym">BIND</acronym> 9 lightweight
-    resolver.  The contents of <span class="emphasis"><em>Section 6</em></span> are
-    organized as in a reference manual to aid in the ongoing
-    maintenance of the software. <span class="emphasis"><em>Section 7
-    </em></span>addresses security considerations, and
-    <span class="emphasis"><em>Section 8</em></span> contains troubleshooting help. The
-    main body of the document is followed by several
-    <span class="emphasis"><em>Appendices</em></span> which contain useful reference
-    information, such as a <span class="emphasis"><em>Bibliography</em></span> and
-    historic information related to <acronym class="acronym">BIND</acronym> and the Domain Name
-    System.</p>
+<a name="id2564138"></a>Organization of This Document</h2></div></div></div>
+<p>
+        In this document, <span class="emphasis"><em>Section 1</em></span> introduces
+        the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Section 2</em></span>
+        describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
+        environments. Information in <span class="emphasis"><em>Section 3</em></span> is
+        <span class="emphasis"><em>task-oriented</em></span> in its presentation and is
+        organized functionally, to aid in the process of installing the
+        <acronym class="acronym">BIND</acronym> 9 software. The task-oriented
+        section is followed by
+        <span class="emphasis"><em>Section 4</em></span>, which contains more advanced
+        concepts that the system administrator may need for implementing
+        certain options. <span class="emphasis"><em>Section 5</em></span>
+        describes the <acronym class="acronym">BIND</acronym> 9 lightweight
+        resolver.  The contents of <span class="emphasis"><em>Section 6</em></span> are
+        organized as in a reference manual to aid in the ongoing
+        maintenance of the software. <span class="emphasis"><em>Section 7</em></span> addresses
+        security considerations, and
+        <span class="emphasis"><em>Section 8</em></span> contains troubleshooting help. The
+        main body of the document is followed by several
+        <span class="emphasis"><em>Appendices</em></span> which contain useful reference
+        information, such as a <span class="emphasis"><em>Bibliography</em></span> and
+        historic information related to <acronym class="acronym">BIND</acronym>
+        and the Domain Name
+        System.
+      </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2569736"></a>Conventions Used in This Document</h2></div></div></div>
-<p>In this document, we use the following general typographic
-    conventions:</p>
+<a name="id2563473"></a>Conventions Used in This Document</h2></div></div></div>
+<p>
+        In this document, we use the following general typographic
+        conventions:
+      </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -114,33 +129,59 @@
 <tbody>
 <tr>
 <td>
-<p><span class="emphasis"><em>To
-describe:</em></span></p>
-</td>
+                <p>
+                  <span class="emphasis"><em>To describe:</em></span>
+                </p>
+              </td>
 <td>
-<p><span class="emphasis"><em>We use the style:</em></span></p>
-</td>
+                <p>
+                  <span class="emphasis"><em>We use the style:</em></span>
+                </p>
+              </td>
 </tr>
 <tr>
 <td>
-<p>a pathname, filename, URL, hostname,
-mailing list name, or new term or concept</p>
-</td>
-<td><p><code class="filename">Fixed width</code></p></td>
+                <p>
+                  a pathname, filename, URL, hostname,
+                  mailing list name, or new term or concept
+                </p>
+              </td>
+<td>
+                <p>
+                  <code class="filename">Fixed width</code>
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p>literal user
-input</p></td>
-<td><p><strong class="userinput"><code>Fixed Width Bold</code></strong></p></td>
+<td>
+                <p>
+                  literal user
+                  input
+                </p>
+              </td>
+<td>
+                <p>
+                  <strong class="userinput"><code>Fixed Width Bold</code></strong>
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p>program output</p></td>
-<td><p><code class="computeroutput">Fixed Width</code></p></td>
+<td>
+                <p>
+                  program output
+                </p>
+              </td>
+<td>
+                <p>
+                  <code class="computeroutput">Fixed Width</code>
+                </p>
+              </td>
 </tr>
 </tbody>
 </table></div>
-<p>The following conventions are used in descriptions of the
-<acronym class="acronym">BIND</acronym> configuration file:</p>
+<p>
+        The following conventions are used in descriptions of the
+        <acronym class="acronym">BIND</acronym> configuration file:</p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -148,246 +189,353 @@ input</p></td>
 </colgroup>
 <tbody>
 <tr>
-<td><p><span class="emphasis"><em>To
-describe:</em></span></p></td>
-<td><p><span class="emphasis"><em>We use the style:</em></span></p></td>
+<td>
+                  <p>
+                    <span class="emphasis"><em>To describe:</em></span>
+                  </p>
+                </td>
+<td>
+                  <p>
+                    <span class="emphasis"><em>We use the style:</em></span>
+                  </p>
+                </td>
 </tr>
 <tr>
-<td><p>keywords</p></td>
-<td><p><code class="literal">Fixed Width</code></p></td>
+<td>
+                  <p>
+                    keywords
+                  </p>
+                </td>
+<td>
+                  <p>
+                    <code class="literal">Fixed Width</code>
+                  </p>
+                </td>
 </tr>
 <tr>
-<td><p>variables</p></td>
-<td><p><code class="varname">Fixed Width</code></p></td>
+<td>
+                  <p>
+                    variables
+                  </p>
+                </td>
+<td>
+                  <p>
+                    <code class="varname">Fixed Width</code>
+                  </p>
+                </td>
 </tr>
 <tr>
-<td><p>Optional input</p></td>
-<td><p>[<span class="optional">Text is enclosed in square brackets</span>]</p></td>
+<td>
+                  <p>
+                    Optional input
+                  </p>
+                </td>
+<td>
+                  <p>
+                    [<span class="optional">Text is enclosed in square brackets</span>]
+                  </p>
+                </td>
 </tr>
 </tbody>
 </table></div>
+<p>
+      </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2569994"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
-<p>The purpose of this document is to explain the installation
-and upkeep of the <acronym class="acronym">BIND</acronym> software package, and we
-begin by reviewing the fundamentals of the Domain Name System
-(<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
-</p>
+<a name="id2564746"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
+<p>
+        The purpose of this document is to explain the installation
+        and upkeep of the <acronym class="acronym">BIND</acronym> software
+        package, and we
+        begin by reviewing the fundamentals of the Domain Name System
+        (<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
+      </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2570014"></a>DNS Fundamentals</h3></div></div></div>
-<p>The Domain Name System (DNS) is the hierarchical, distributed
-database.  It stores information for mapping Internet host names to IP
-addresses and vice versa, mail routing information, and other data
-used by Internet applications.</p>
-<p>Clients look up information in the DNS by calling a
-<span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
-more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
-The <acronym class="acronym">BIND</acronym> 9 software distribution contains a
-name server, <span><strong class="command">named</strong></span>, and two resolver
-libraries, <span><strong class="command">liblwres</strong></span> and <span><strong class="command">libbind</strong></span>.
-</p>
+<a name="id2564768"></a>DNS Fundamentals</h3></div></div></div>
+<p>
+          The Domain Name System (DNS) is a hierarchical, distributed
+          database.  It stores information for mapping Internet host names to
+          IP
+          addresses and vice versa, mail routing information, and other data
+          used by Internet applications.
+        </p>
+<p>
+          Clients look up information in the DNS by calling a
+          <span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
+          more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
+          The <acronym class="acronym">BIND</acronym> 9 software distribution
+          contains a
+          name server, <span><strong class="command">named</strong></span>, and two resolver
+          libraries, <span><strong class="command">liblwres</strong></span> and <span><strong class="command">libbind</strong></span>.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2570323"></a>Domains and Domain Names</h3></div></div></div>
-<p>The data stored in the DNS is identified by <span class="emphasis"><em>domain
-names</em></span> that are organized as a tree according to
-organizational or administrative boundaries. Each node of the tree,
-called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain name of the
-node is the concatenation of all the labels on the path from the
-node to the <span class="emphasis"><em>root</em></span> node.  This is represented
-in written form as a string of labels listed from right to left and
-separated by dots. A label need only be unique within its parent
-domain.</p>
-<p>For example, a domain name for a host at the
-company <span class="emphasis"><em>Example, Inc.</em></span> could be
-<code class="literal">mail.example.com</code>,
-where <code class="literal">com</code> is the
-top level domain to which
-<code class="literal">ourhost.example.com</code> belongs,
-<code class="literal">example</code> is
-a subdomain of <code class="literal">com</code>, and
-<code class="literal">ourhost</code> is the
-name of the host.</p>
-<p>For administrative purposes, the name space is partitioned into
-areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
-extending down to the leaf nodes or to nodes where other zones start.
-The data for each zone is stored in a <span class="emphasis"><em>name
-server</em></span>, which answers queries about the zone using the
-<span class="emphasis"><em>DNS protocol</em></span>.
-</p>
-<p>The data associated with each domain name is stored in the
-form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
-Some of the supported resource record types are described in
-<a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called &#8220;Types of Resource Records and When to Use Them&#8221;</a>.</p>
-<p>For more detailed information about the design of the DNS and
-the DNS protocol, please refer to the standards documents listed in
-<a href="Bv9ARM.ch09.html#rfcs" title="Request for Comments (RFCs)">the section called &#8220;Request for Comments (RFCs)&#8221;</a>.</p>
+<a name="id2564802"></a>Domains and Domain Names</h3></div></div></div>
+<p>
+          The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
+          organizational or administrative boundaries. Each node of the tree,
+          called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain
+          name of the
+          node is the concatenation of all the labels on the path from the
+          node to the <span class="emphasis"><em>root</em></span> node.  This is represented
+          in written form as a string of labels listed from right to left and
+          separated by dots. A label need only be unique within its parent
+          domain.
+        </p>
+<p>
+          For example, a domain name for a host at the
+          company <span class="emphasis"><em>Example, Inc.</em></span> could be
+          <code class="literal">ourhost.example.com</code>,
+          where <code class="literal">com</code> is the
+          top level domain to which
+          <code class="literal">ourhost.example.com</code> belongs,
+          <code class="literal">example</code> is
+          a subdomain of <code class="literal">com</code>, and
+          <code class="literal">ourhost</code> is the
+          name of the host.
+        </p>
+<p>
+          For administrative purposes, the name space is partitioned into
+          areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
+          extending down to the leaf nodes or to nodes where other zones
+          start.
+          The data for each zone is stored in a <span class="emphasis"><em>name server</em></span>, which answers queries about the zone using the
+          <span class="emphasis"><em>DNS protocol</em></span>.
+        </p>
+<p>
+          The data associated with each domain name is stored in the
+          form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
+          Some of the supported resource record types are described in
+          <a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called &#8220;Types of Resource Records and When to Use Them&#8221;</a>.
+        </p>
+<p>
+          For more detailed information about the design of the DNS and
+          the DNS protocol, please refer to the standards documents listed in
+          <a href="Bv9ARM.ch09.html#rfcs" title="Request for Comments (RFCs)">the section called &#8220;Request for Comments (RFCs)&#8221;</a>.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2570407"></a>Zones</h3></div></div></div>
-<p>To properly operate a name server, it is important to understand
-the difference between a <span class="emphasis"><em>zone</em></span>
-and a <span class="emphasis"><em>domain</em></span>.</p>
-<p>As we stated previously, a zone is a point of delegation in
-the <acronym class="acronym">DNS</acronym> tree. A zone consists of
-those contiguous parts of the domain
-tree for which a name server has complete information and over which
-it has authority. It contains all domain names from a certain point
-downward in the domain tree except those which are delegated to
-other zones. A delegation point is marked by one or more
-<span class="emphasis"><em>NS records</em></span> in the
-parent zone, which should be matched by equivalent NS records at
-the root of the delegated zone.</p>
-<p>For instance, consider the <code class="literal">example.com</code>
-domain which includes names
-such as <code class="literal">host.aaa.example.com</code> and
-<code class="literal">host.bbb.example.com</code> even though
-the <code class="literal">example.com</code> zone includes
-only delegations for the <code class="literal">aaa.example.com</code> and
-<code class="literal">bbb.example.com</code> zones.  A zone can map
-exactly to a single domain, but could also include only part of a
-domain, the rest of which could be delegated to other
-name servers. Every name in the <acronym class="acronym">DNS</acronym> tree is a
-<span class="emphasis"><em>domain</em></span>, even if it is
-<span class="emphasis"><em>terminal</em></span>, that is, has no
-<span class="emphasis"><em>subdomains</em></span>.  Every subdomain is a domain and
-every domain except the root is also a subdomain. The terminology is
-not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
-gain a complete understanding of this difficult and subtle
-topic.</p>
-<p>Though <acronym class="acronym">BIND</acronym> is called a "domain name server",
-it deals primarily in terms of zones. The master and slave
-declarations in the <code class="filename">named.conf</code> file specify
-zones, not domains. When you ask some other site if it is willing to
-be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
-actually asking for slave service for some collection of zones.</p>
+<a name="id2564886"></a>Zones</h3></div></div></div>
+<p>
+          To properly operate a name server, it is important to understand
+          the difference between a <span class="emphasis"><em>zone</em></span>
+          and a <span class="emphasis"><em>domain</em></span>.
+        </p>
+<p>
+          As stated previously, a zone is a point of delegation in
+          the <acronym class="acronym">DNS</acronym> tree. A zone consists of
+          those contiguous parts of the domain
+          tree for which a name server has complete information and over which
+          it has authority. It contains all domain names from a certain point
+          downward in the domain tree except those which are delegated to
+          other zones. A delegation point is marked by one or more
+          <span class="emphasis"><em>NS records</em></span> in the
+          parent zone, which should be matched by equivalent NS records at
+          the root of the delegated zone.
+        </p>
+<p>
+          For instance, consider the <code class="literal">example.com</code>
+          domain which includes names
+          such as <code class="literal">host.aaa.example.com</code> and
+          <code class="literal">host.bbb.example.com</code> even though
+          the <code class="literal">example.com</code> zone includes
+          only delegations for the <code class="literal">aaa.example.com</code> and
+          <code class="literal">bbb.example.com</code> zones.  A zone can
+          map
+          exactly to a single domain, but could also include only part of a
+          domain, the rest of which could be delegated to other
+          name servers. Every name in the <acronym class="acronym">DNS</acronym>
+          tree is a
+          <span class="emphasis"><em>domain</em></span>, even if it is
+          <span class="emphasis"><em>terminal</em></span>, that is, has no
+          <span class="emphasis"><em>subdomains</em></span>.  Every subdomain is a domain and
+          every domain except the root is also a subdomain. The terminology is
+          not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
+          to
+          gain a complete understanding of this difficult and subtle
+          topic.
+        </p>
+<p>
+          Though <acronym class="acronym">BIND</acronym> is called a "domain name
+          server",
+          it deals primarily in terms of zones. The master and slave
+          declarations in the <code class="filename">named.conf</code> file
+          specify
+          zones, not domains. When you ask some other site if it is willing to
+          be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
+          actually asking for slave service for some collection of zones.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2570550"></a>Authoritative Name Servers</h3></div></div></div>
-<p>Each zone is served by at least
-one <span class="emphasis"><em>authoritative name server</em></span>,
-which contains the complete data for the zone.
-To make the DNS tolerant of server and network failures,
-most zones have two or more authoritative servers.
-</p>
-<p>Responses from authoritative servers have the "authoritative
-answer" (AA) bit set in the response packets.  This makes them 
-easy to identify when debugging DNS configurations using tools like
-<span><strong class="command">dig</strong></span> (<a href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called &#8220;Diagnostic Tools&#8221;</a>).</p>
+<a name="id2567284"></a>Authoritative Name Servers</h3></div></div></div>
+<p>
+          Each zone is served by at least
+          one <span class="emphasis"><em>authoritative name server</em></span>,
+          which contains the complete data for the zone.
+          To make the DNS tolerant of server and network failures,
+          most zones have two or more authoritative servers, on
+          different networks.
+        </p>
+<p>
+          Responses from authoritative servers have the "authoritative
+          answer" (AA) bit set in the response packets.  This makes them
+          easy to identify when debugging DNS configurations using tools like
+          <span><strong class="command">dig</strong></span> (<a href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called &#8220;Diagnostic Tools&#8221;</a>).
+        </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2570572"></a>The Primary Master</h4></div></div></div>
-<p>
-The authoritative server where the master copy of the zone data is maintained is
-called the <span class="emphasis"><em>primary master</em></span> server, or simply the
-<span class="emphasis"><em>primary</em></span>.  It loads the zone contents from some
-local file edited by humans or perhaps generated mechanically from
-some other local file which is edited by humans.  This file is called
-the <span class="emphasis"><em>zone file</em></span> or <span class="emphasis"><em>master file</em></span>.</p>
+<a name="id2567307"></a>The Primary Master</h4></div></div></div>
+<p>
+            The authoritative server where the master copy of the zone
+            data is maintained is called the
+            <span class="emphasis"><em>primary master</em></span> server, or simply the
+            <span class="emphasis"><em>primary</em></span>.  Typically it loads the zone
+            contents from some local file edited by humans or perhaps
+            generated mechanically from some other local file which is
+            edited by humans.  This file is called the
+            <span class="emphasis"><em>zone file</em></span> or
+            <span class="emphasis"><em>master file</em></span>.
+          </p>
+<p>
+            In some cases, however, the master file may not be edited
+            by humans at all, but may instead be the result of
+            <span class="emphasis"><em>dynamic update</em></span> operations.
+          </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2570594"></a>Slave Servers</h4></div></div></div>
-<p>The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
-servers (also known as <span class="emphasis"><em>secondary</em></span> servers) load
-the zone contents from another server using a replication process
-known as a <span class="emphasis"><em>zone transfer</em></span>.  Typically the data are
-transferred directly from the primary master, but it is also possible
-to transfer it from another slave.  In other words, a slave server
-may itself act as a master to a subordinate slave server.</p>
+<a name="id2567337"></a>Slave Servers</h4></div></div></div>
+<p>
+            The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
+            servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
+            load
+            the zone contents from another server using a replication process
+            known as a <span class="emphasis"><em>zone transfer</em></span>.  Typically the data
+            are
+            transferred directly from the primary master, but it is also
+            possible
+            to transfer it from another slave.  In other words, a slave server
+            may itself act as a master to a subordinate slave server.
+          </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2570613"></a>Stealth Servers</h4></div></div></div>
-<p>Usually all of the zone's authoritative servers are listed in 
-NS records in the parent zone.  These NS records constitute
-a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
-The authoritative servers are also listed in the zone file itself,
-at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
-of the zone.  You can list servers in the zone's top-level NS
-records that are not in the parent's NS delegation, but you cannot
-list servers in the parent's delegation that are not present at
-the zone's top level.</p>
-<p>A <span class="emphasis"><em>stealth server</em></span> is a server that is
-authoritative for a zone but is not listed in that zone's NS
-records.  Stealth servers can be used for keeping a local copy of a
-zone to speed up access to the zone's records or to make sure that the
-zone is available even if all the "official" servers for the zone are
-inaccessible.</p>
-<p>A configuration where the primary master server itself is a
-stealth server is often referred to as a "hidden primary"
-configuration.  One use for this configuration is when the primary master
-is behind a firewall and therefore unable to communicate directly
-with the outside world.</p>
+<a name="id2567358"></a>Stealth Servers</h4></div></div></div>
+<p>
+            Usually all of the zone's authoritative servers are listed in
+            NS records in the parent zone.  These NS records constitute
+            a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
+            The authoritative servers are also listed in the zone file itself,
+            at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
+            of the zone.  You can list servers in the zone's top-level NS
+            records that are not in the parent's NS delegation, but you cannot
+            list servers in the parent's delegation that are not present at
+            the zone's top level.
+          </p>
+<p>
+            A <span class="emphasis"><em>stealth server</em></span> is a server that is
+            authoritative for a zone but is not listed in that zone's NS
+            records.  Stealth servers can be used for keeping a local copy of
+            a
+            zone to speed up access to the zone's records or to make sure that
+            the
+            zone is available even if all the "official" servers for the zone
+            are
+            inaccessible.
+          </p>
+<p>
+            A configuration where the primary master server itself is a
+            stealth server is often referred to as a "hidden primary"
+            configuration.  One use for this configuration is when the primary
+            master
+            is behind a firewall and therefore unable to communicate directly
+            with the outside world.
+          </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2570642"></a>Caching Name Servers</h3></div></div></div>
-<p>The resolver libraries provided by most operating systems are 
-<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not capable of
-performing the full DNS resolution process by themselves by talking
-directly to the authoritative servers.  Instead, they rely on a local
-name server to perform the resolution on their behalf.  Such a server
-is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
-<span class="emphasis"><em>recursive lookups</em></span> for local clients.</p>
-<p>To improve performance, recursive servers cache the results of
-the lookups they perform.  Since the processes of recursion and
-caching are intimately connected, the terms
-<span class="emphasis"><em>recursive server</em></span> and
-<span class="emphasis"><em>caching server</em></span> are often used synonymously.</p>
-<p>The length of time for which a record may be retained in
-the cache of a caching name server is controlled by the 
-Time To Live (TTL) field associated with each resource record.
-</p>
+<a name="id2567525"></a>Caching Name Servers</h3></div></div></div>
+<p>
+          The resolver libraries provided by most operating systems are
+          <span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
+          capable of
+          performing the full DNS resolution process by themselves by talking
+          directly to the authoritative servers.  Instead, they rely on a
+          local
+          name server to perform the resolution on their behalf.  Such a
+          server
+          is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
+          <span class="emphasis"><em>recursive lookups</em></span> for local clients.
+        </p>
+<p>
+          To improve performance, recursive servers cache the results of
+          the lookups they perform.  Since the processes of recursion and
+          caching are intimately connected, the terms
+          <span class="emphasis"><em>recursive server</em></span> and
+          <span class="emphasis"><em>caching server</em></span> are often used synonymously.
+        </p>
+<p>
+          The length of time for which a record may be retained in
+          the cache of a caching name server is controlled by the
+          Time To Live (TTL) field associated with each resource record.
+        </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2570674"></a>Forwarding</h4></div></div></div>
-<p>Even a caching name server does not necessarily perform
-the complete recursive lookup itself.  Instead, it can
-<span class="emphasis"><em>forward</em></span> some or all of the queries
-that it cannot satisfy from its cache to another caching name server,
-commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
-</p>
-<p>There may be one or more forwarders,
-and they are queried in turn until the list is exhausted or an answer
-is found. Forwarders are typically used when you do not
-wish all the servers at a given site to interact directly with the rest of
-the Internet servers. A typical scenario would involve a number
-of internal <acronym class="acronym">DNS</acronym> servers and an Internet firewall. Servers unable
-to pass packets through the firewall would forward to the server
-that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
-on the internal server's behalf. An added benefit of using the forwarding
-feature is that the central machine develops a much more complete
-cache of information that all the clients can take advantage
-of.</p>
+<a name="id2567560"></a>Forwarding</h4></div></div></div>
+<p>
+            Even a caching name server does not necessarily perform
+            the complete recursive lookup itself.  Instead, it can
+            <span class="emphasis"><em>forward</em></span> some or all of the queries
+            that it cannot satisfy from its cache to another caching name
+            server,
+            commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
+          </p>
+<p>
+            There may be one or more forwarders,
+            and they are queried in turn until the list is exhausted or an
+            answer
+            is found. Forwarders are typically used when you do not
+            wish all the servers at a given site to interact directly with the
+            rest of
+            the Internet servers. A typical scenario would involve a number
+            of internal <acronym class="acronym">DNS</acronym> servers and an
+            Internet firewall. Servers unable
+            to pass packets through the firewall would forward to the server
+            that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
+            on the internal server's behalf.
+          </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2570699"></a>Name Servers in Multiple Roles</h3></div></div></div>
-<p>The <acronym class="acronym">BIND</acronym> name server can simultaneously act as
-a master for some zones, a slave for other zones, and as a caching
-(recursive) server for a set of local clients.</p>
-<p>However, since the functions of authoritative name service
-and caching/recursive name service are logically separate, it is
-often advantageous to run them on separate server machines.
+<a name="id2567587"></a>Name Servers in Multiple Roles</h3></div></div></div>
+<p>
+          The <acronym class="acronym">BIND</acronym> name server can
+          simultaneously act as
+          a master for some zones, a slave for other zones, and as a caching
+          (recursive) server for a set of local clients.
+        </p>
+<p>
+          However, since the functions of authoritative name service
+          and caching/recursive name service are logically separate, it is
+          often advantageous to run them on separate server machines.
 
-A server that only provides authoritative name service
-(an <span class="emphasis"><em>authoritative-only</em></span> server) can run with
-recursion disabled, improving reliability and security.
+          A server that only provides authoritative name service
+          (an <span class="emphasis"><em>authoritative-only</em></span> server) can run with
+          recursion disabled, improving reliability and security.
 
-A server that is not authoritative for any zones and only provides
-recursive service to local
-clients (a <span class="emphasis"><em>caching-only</em></span> server)
-does not need to be reachable from the Internet at large and can
-be placed inside a firewall.</p>
+          A server that is not authoritative for any zones and only provides
+          recursive service to local
+          clients (a <span class="emphasis"><em>caching-only</em></span> server)
+          does not need to be reachable from the Internet at large and can
+          be placed inside a firewall.
+        </p>
 </div>
 </div>
 </div>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch02.html b/contrib/bind9/doc/arm/Bv9ARM.ch02.html
index d1e3445..6098540 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch02.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch02.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch02.html,v 1.10.2.1.8.12 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch02.html,v 1.13.18.18 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 2. BIND Resource Requirements</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction ">
+<link rel="prev" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
 <link rel="next" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
@@ -45,68 +45,96 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570868">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570892">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570903">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570918">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570995">Supported Operating Systems</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567621">Hardware requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567648">CPU Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567660">Memory Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567687">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567698">Supported Operating Systems</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570868"></a>Hardware requirements</h2></div></div></div>
-<p><acronym class="acronym">DNS</acronym> hardware requirements have traditionally been quite modest.
-For many installations, servers that have been pensioned off from
-active duty have performed admirably as <acronym class="acronym">DNS</acronym> servers.</p>
-<p>The DNSSEC and IPv6 features of <acronym class="acronym">BIND</acronym> 9 may prove to be quite
-CPU intensive however, so organizations that make heavy use of these
-features may wish to consider larger systems for these applications.
-<acronym class="acronym">BIND</acronym> 9 is fully multithreaded, allowing full utilization of
-multiprocessor systems for installations that need it.</p>
+<a name="id2567621"></a>Hardware requirements</h2></div></div></div>
+<p>
+        <acronym class="acronym">DNS</acronym> hardware requirements have
+        traditionally been quite modest.
+        For many installations, servers that have been pensioned off from
+        active duty have performed admirably as <acronym class="acronym">DNS</acronym> servers.
+      </p>
+<p>
+        The DNSSEC features of <acronym class="acronym">BIND</acronym> 9
+        may prove to be quite
+        CPU intensive however, so organizations that make heavy use of these
+        features may wish to consider larger systems for these applications.
+        <acronym class="acronym">BIND</acronym> 9 is fully multithreaded, allowing
+        full utilization of
+        multiprocessor systems for installations that need it.
+      </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570892"></a>CPU Requirements</h2></div></div></div>
-<p>CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from i486-class machines
-for serving of static zones without caching, to enterprise-class
-machines if you intend to process many dynamic updates and DNSSEC
-signed zones, serving many thousands of queries per second.</p>
+<a name="id2567648"></a>CPU Requirements</h2></div></div></div>
+<p>
+        CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
+        i486-class machines
+        for serving of static zones without caching, to enterprise-class
+        machines if you intend to process many dynamic updates and DNSSEC
+        signed zones, serving many thousands of queries per second.
+      </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570903"></a>Memory Requirements</h2></div></div></div>
-<p>The memory of the server has to be large enough to fit the
-cache and zones loaded off disk.  The <span><strong class="command">max-cache-size</strong></span>
-option can be used to limit the amount of memory used by the cache,
-at the expense of reducing cache hit rates and causing more <acronym class="acronym">DNS</acronym>
-traffic. It is still good practice to have enough memory to load
-all zone and cache data into memory &#8212; unfortunately, the best way
-to determine this for a given installation is to watch the name server
-in operation. After a few weeks the server process should reach
-a relatively stable size where entries are expiring from the cache as
-fast as they are being inserted.</p>
+<a name="id2567660"></a>Memory Requirements</h2></div></div></div>
+<p>
+        The memory of the server has to be large enough to fit the
+        cache and zones loaded off disk.  The <span><strong class="command">max-cache-size</strong></span>
+        option can be used to limit the amount of memory used by the cache,
+        at the expense of reducing cache hit rates and causing more <acronym class="acronym">DNS</acronym>
+        traffic.
+        Additionally, if additional section caching
+        (<a href="Bv9ARM.ch06.html#acache" title="Additional Section Caching">the section called &#8220;Additional Section Caching&#8221;</a>) is enabled,
+        the <span><strong class="command">max-acache-size</strong></span> can be used to
+        limit the amount
+        of memory used by the mechanism.
+        It is still good practice to have enough memory to load
+        all zone and cache data into memory &#8212; unfortunately, the best
+        way
+        to determine this for a given installation is to watch the name server
+        in operation. After a few weeks the server process should reach
+        a relatively stable size where entries are expiring from the cache as
+        fast as they are being inserted.
+      </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570918"></a>Name Server Intensive Environment Issues</h2></div></div></div>
-<p>For name server intensive environments, there are two alternative
-configurations that may be used. The first is where clients and
-any second-level internal name servers query a main name server, which
-has enough memory to build a large cache. This approach minimizes
-the bandwidth used by external name lookups. The second alternative
-is to set up second-level internal name servers to make queries independently.
-In this configuration, none of the individual machines needs to
-have as much memory or CPU power as in the first alternative, but
-this has the disadvantage of making many more external queries,
-as none of the name servers share their cached data.</p>
+<a name="id2567687"></a>Name Server Intensive Environment Issues</h2></div></div></div>
+<p>
+        For name server intensive environments, there are two alternative
+        configurations that may be used. The first is where clients and
+        any second-level internal name servers query a main name server, which
+        has enough memory to build a large cache. This approach minimizes
+        the bandwidth used by external name lookups. The second alternative
+        is to set up second-level internal name servers to make queries
+        independently.
+        In this configuration, none of the individual machines needs to
+        have as much memory or CPU power as in the first alternative, but
+        this has the disadvantage of making many more external queries,
+        as none of the name servers share their cached data.
+      </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570995"></a>Supported Operating Systems</h2></div></div></div>
-<p>ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large number
-of Unix-like operating system and on Windows NT / 2000.  For an up-to-date
-list of supported systems, see the README file in the top level directory
-of the BIND 9 source distribution.</p>
+<a name="id2567698"></a>Supported Operating Systems</h2></div></div></div>
+<p>
+        ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
+        number
+        of Unix-like operating system and on NT-derived versions of
+        Microsoft Windows such as Windows 2000 and Windows XP.  For an
+        up-to-date
+        list of supported systems, see the README file in the top level
+        directory
+        of the BIND 9 source distribution.
+      </p>
 </div>
 </div>
 <div class="navfooter">
@@ -120,7 +148,7 @@ of the BIND 9 source distribution.</p>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">Chapter 1. Introduction  </td>
+<td width="40%" align="left" valign="top">Chapter 1. Introduction </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> Chapter 3. Name Server Configuration</td>
 </tr>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch03.html b/contrib/bind9/doc/arm/Bv9ARM.ch03.html
index 399c826..4c2f9f3 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch03.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch03.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch03.html,v 1.26.2.5.4.17 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch03.html,v 1.35.18.26 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 3. Name Server Configuration</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
@@ -47,31 +47,37 @@
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2571026">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2571042">An Authoritative-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568003">A Caching-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568019">An Authoritative-only Name Server</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2571064">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2571484">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568041">Load Balancing</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568465">Name Server Operations</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2571490">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2572723">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568470">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2569972">Signals</a></span></dt>
 </dl></dd>
 </dl>
 </div>
-<p>In this section we provide some suggested configurations along
-with guidelines for their use. We also address the topic of reasonable
-option setting.</p>
+<p>
+      In this section we provide some suggested configurations along
+      with guidelines for their use.  We suggest reasonable values for
+      certain option settings.
+    </p>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571026"></a>A Caching-only Name Server</h3></div></div></div>
-<p>The following sample configuration is appropriate for a caching-only
-name server for use by clients internal to a corporation.  All queries
-from outside clients are refused using the <span><strong class="command">allow-query</strong></span>
-option.  Alternatively, the same effect could be achieved using suitable
-firewall rules.</p>
+<a name="id2568003"></a>A Caching-only Name Server</h3></div></div></div>
+<p>
+          The following sample configuration is appropriate for a caching-only
+          name server for use by clients internal to a corporation.  All
+          queries
+          from outside clients are refused using the <span><strong class="command">allow-query</strong></span>
+          option.  Alternatively, the same effect could be achieved using
+          suitable
+          firewall rules.
+        </p>
 <pre class="programlisting">
 // Two corporate subnets we wish to allow queries from.
 acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
@@ -89,13 +95,16 @@ zone "0.0.127.in-addr.arpa" {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571042"></a>An Authoritative-only Name Server</h3></div></div></div>
-<p>This sample configuration is for an authoritative-only server
-that is the master server for "<code class="filename">example.com</code>"
-and a slave for the subdomain "<code class="filename">eng.example.com</code>".</p>
+<a name="id2568019"></a>An Authoritative-only Name Server</h3></div></div></div>
+<p>
+          This sample configuration is for an authoritative-only server
+          that is the master server for "<code class="filename">example.com</code>"
+          and a slave for the subdomain "<code class="filename">eng.example.com</code>".
+        </p>
 <pre class="programlisting">
 options {
      directory "/etc/namedb";           // Working directory
+     allow-query-cache { none; };       // Do not allow access to cache
      allow-query { any; };              // This is the default
      recursion no;                      // Do not provide recursive service
 };
@@ -128,13 +137,18 @@ zone "eng.example.com" {
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571064"></a>Load Balancing</h2></div></div></div>
-<p>A primitive form of load balancing can be achieved in
-the <acronym class="acronym">DNS</acronym> by using multiple A records for one name.</p>
-<p>For example, if you have three WWW servers with network addresses
-of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
-following means that clients will connect to each machine one third
-of the time:</p>
+<a name="id2568041"></a>Load Balancing</h2></div></div></div>
+<p>
+        A primitive form of load balancing can be achieved in
+        the <acronym class="acronym">DNS</acronym> by using multiple A records for
+        one name.
+      </p>
+<p>
+        For example, if you have three WWW servers with network addresses
+        of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
+        following means that clients will connect to each machine one third
+        of the time:
+      </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -145,296 +159,535 @@ of the time:</p>
 </colgroup>
 <tbody>
 <tr>
-<td><p>Name</p></td>
-<td><p>TTL</p></td>
-<td><p>CLASS</p></td>
-<td><p>TYPE</p></td>
-<td><p>Resource Record (RR) Data</p></td>
+<td>
+                <p>
+                  Name
+                </p>
+              </td>
+<td>
+                <p>
+                  TTL
+                </p>
+              </td>
+<td>
+                <p>
+                  CLASS
+                </p>
+              </td>
+<td>
+                <p>
+                  TYPE
+                </p>
+              </td>
+<td>
+                <p>
+                  Resource Record (RR) Data
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="literal">www</code></p></td>
-<td><p><code class="literal">600</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.1</code></p></td>
+<td>
+                <p>
+                  <code class="literal">www</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  <code class="literal">600</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  <code class="literal">IN</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  <code class="literal">A</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  <code class="literal">10.0.0.1</code>
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p></p></td>
-<td><p><code class="literal">600</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.2</code></p></td>
+<td>
+                <p></p>
+              </td>
+<td>
+                <p>
+                  <code class="literal">600</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  <code class="literal">IN</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  <code class="literal">A</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  <code class="literal">10.0.0.2</code>
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p></p></td>
-<td><p><code class="literal">600</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.3</code></p></td>
+<td>
+                <p></p>
+              </td>
+<td>
+                <p>
+                  <code class="literal">600</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  <code class="literal">IN</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  <code class="literal">A</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  <code class="literal">10.0.0.3</code>
+                </p>
+              </td>
 </tr>
 </tbody>
 </table></div>
-<p>When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
-    them and respond to the query with the records in a different
-    order.  In the example above, clients will randomly receive
-    records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
-    will use the first record returned and discard the rest.</p>
-<p>For more detail on ordering responses, check the
-    <span><strong class="command">rrset-order</strong></span> substatement in the
-    <span><strong class="command">options</strong></span> statement, see
-    <a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>.
-    This substatement is not supported in
-    <acronym class="acronym">BIND</acronym> 9, and only the ordering scheme described above is
-    available.</p>
+<p>
+        When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
+        them and respond to the query with the records in a different
+        order.  In the example above, clients will randomly receive
+        records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
+        will use the first record returned and discard the rest.
+      </p>
+<p>
+        For more detail on ordering responses, check the
+        <span><strong class="command">rrset-order</strong></span> substatement in the
+        <span><strong class="command">options</strong></span> statement, see
+        <a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>.
+      </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571484"></a>Name Server Operations</h2></div></div></div>
+<a name="id2568465"></a>Name Server Operations</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571490"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
-<p>There are several indispensable diagnostic, administrative
-and monitoring tools available to the system administrator for controlling
-and debugging the name server daemon. We describe several in this
-section </p>
+<a name="id2568470"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
+<p>
+          This section describes several indispensable diagnostic,
+          administrative and monitoring tools available to the system
+          administrator for controlling and debugging the name server
+          daemon.
+        </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
-<p>The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and
-<span><strong class="command">nslookup</strong></span> programs are all command line tools
-for manually querying name servers.  They differ in style and
-output format.
-</p>
+<p>
+            The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and
+            <span><strong class="command">nslookup</strong></span> programs are all command
+            line tools
+            for manually querying name servers.  They differ in style and
+            output format.
+          </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><a name="dig"></a><span><strong class="command">dig</strong></span></span></dt>
 <dd>
-<p>The domain information groper (<span><strong class="command">dig</strong></span>)
-is the most versatile and complete of these lookup tools.
-It has two modes: simple interactive
-mode for a single query, and batch mode which executes a query for
-each in a list of several query lines. All query options are accessible
-from the command line.</p>
+<p>
+                  The domain information groper (<span><strong class="command">dig</strong></span>)
+                  is the most versatile and complete of these lookup tools.
+                  It has two modes: simple interactive
+                  mode for a single query, and batch mode which executes a
+                  query for
+                  each in a list of several query lines. All query options are
+                  accessible
+                  from the command line.
+                </p>
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [@<em class="replaceable"><code>server</code></em>]  <em class="replaceable"><code>domain</code></em>  [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
-<p>The usual simple use of dig will take the form</p>
-<p><span><strong class="command">dig @server domain query-type query-class</strong></span></p>
-<p>For more information and a list of available commands and
-options, see the <span><strong class="command">dig</strong></span> man page.</p>
+<p>
+                  The usual simple use of dig will take the form
+                </p>
+<p>
+                  <span><strong class="command">dig @server domain query-type query-class</strong></span>
+                </p>
+<p>
+                  For more information and a list of available commands and
+                  options, see the <span><strong class="command">dig</strong></span> man
+                  page.
+                </p>
 </dd>
 <dt><span class="term"><span><strong class="command">host</strong></span></span></dt>
 <dd>
-<p>The <span><strong class="command">host</strong></span> utility emphasizes simplicity
-and ease of use.  By default, it converts
-between host names and Internet addresses, but its functionality
-can be extended with the use of options.</p>
+<p>
+                  The <span><strong class="command">host</strong></span> utility emphasizes
+                  simplicity
+                  and ease of use.  By default, it converts
+                  between host names and Internet addresses, but its
+                  functionality
+                  can be extended with the use of options.
+                </p>
 <div class="cmdsynopsis"><p><code class="command">host</code>  [-aCdlrTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>]  <em class="replaceable"><code>hostname</code></em>  [<em class="replaceable"><code>server</code></em>]</p></div>
-<p>For more information and a list of available commands and
-options, see the <span><strong class="command">host</strong></span> man page.</p>
+<p>
+                  For more information and a list of available commands and
+                  options, see the <span><strong class="command">host</strong></span> man
+                  page.
+                </p>
 </dd>
 <dt><span class="term"><span><strong class="command">nslookup</strong></span></span></dt>
 <dd>
-<p><span><strong class="command">nslookup</strong></span> has two modes: interactive
-and non-interactive. Interactive mode allows the user to query name servers
-for information about various hosts and domains or to print a list
-of hosts in a domain. Non-interactive mode is used to print just
-the name and requested information for a host or domain.</p>
+<p><span><strong class="command">nslookup</strong></span>
+                  has two modes: interactive and
+                  non-interactive. Interactive mode allows the user to
+                  query name servers for information about various
+                  hosts and domains or to print a list of hosts in a
+                  domain. Non-interactive mode is used to print just
+                  the name and requested information for a host or
+                  domain.
+                </p>
 <div class="cmdsynopsis"><p><code class="command">nslookup</code>  [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] |  [- [server]]]</p></div>
-<p>Interactive mode is entered when no arguments are given (the
-default name server will be used) or when the first argument is a
-hyphen (`-') and the second argument is the host name or Internet address
-of a name server.</p>
-<p>Non-interactive mode is used when the name or Internet address
-of the host to be looked up is given as the first argument. The
-optional second argument specifies the host name or address of a name server.</p>
-<p>Due to its arcane user interface and frequently inconsistent
-behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>.
-Use <span><strong class="command">dig</strong></span> instead.</p>
+<p>
+                  Interactive mode is entered when no arguments are given (the
+                  default name server will be used) or when the first argument
+                  is a
+                  hyphen (`-') and the second argument is the host name or
+                  Internet address
+                  of a name server.
+                </p>
+<p>
+                  Non-interactive mode is used when the name or Internet
+                  address
+                  of the host to be looked up is given as the first argument.
+                  The
+                  optional second argument specifies the host name or address
+                  of a name server.
+                </p>
+<p>
+                  Due to its arcane user interface and frequently inconsistent
+                  behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>.
+                  Use <span><strong class="command">dig</strong></span> instead.
+                </p>
 </dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
-<p>Administrative tools play an integral part in the management
-of a server.</p>
+<p>
+            Administrative tools play an integral part in the management
+            of a server.
+          </p>
 <div class="variablelist"><dl>
 <dt>
 <a name="named-checkconf"></a><span class="term"><span><strong class="command">named-checkconf</strong></span></span>
 </dt>
 <dd>
-<p>The <span><strong class="command">named-checkconf</strong></span> program
-              checks the syntax of a <code class="filename">named.conf</code> file.</p>
+<p>
+                  The <span><strong class="command">named-checkconf</strong></span> program
+                  checks the syntax of a <code class="filename">named.conf</code> file.
+                </p>
 <div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
 </dd>
 <dt>
 <a name="named-checkzone"></a><span class="term"><span><strong class="command">named-checkzone</strong></span></span>
 </dt>
 <dd>
-<p>The <span><strong class="command">named-checkzone</strong></span> program checks a master file for
-              syntax and consistency.</p>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>]  <em class="replaceable"><code>zone</code></em>  [<em class="replaceable"><code>filename</code></em>]</p></div>
+<p>
+                  The <span><strong class="command">named-checkzone</strong></span> program
+                  checks a master file for
+                  syntax and consistency.
+                </p>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>]  <em class="replaceable"><code>zone</code></em>  [<em class="replaceable"><code>filename</code></em>]</p></div>
 </dd>
 <dt>
+<a name="named-compilezone"></a><span class="term"><span><strong class="command">named-compilezone</strong></span></span>
+</dt>
+<dd><p>
+                  Similar to <span><strong class="command">named-checkzone,</strong></span> but
+                  it always dumps the zone content to a specified file
+                  (typically in a different format).
+                </p></dd>
+<dt>
 <a name="rndc"></a><span class="term"><span><strong class="command">rndc</strong></span></span>
 </dt>
 <dd>
-<p>The remote name daemon control
-              (<span><strong class="command">rndc</strong></span>) program allows the system
-              administrator to control the operation of a name server.
-              If you run <span><strong class="command">rndc</strong></span> without any options
-              it will display a usage message as follows:</p>
+<p>
+                  The remote name daemon control
+                  (<span><strong class="command">rndc</strong></span>) program allows the
+                  system
+                  administrator to control the operation of a name server.
+                  If you run <span><strong class="command">rndc</strong></span> without any
+                  options
+                  it will display a usage message as follows:
+                </p>
 <div class="cmdsynopsis"><p><code class="command">rndc</code>  [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>]  <em class="replaceable"><code>command</code></em>  [<em class="replaceable"><code>command</code></em>...]</p></div>
-<p>The <span><strong class="command">command</strong></span> is one of the following:</p>
+<p>The <span><strong class="command">command</strong></span>
+                  is one of the following:
+                </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
-<dd><p>Reload configuration file and zones.</p></dd>
+<dd><p>
+                        Reload configuration file and zones.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em>
-       [<span class="optional"><em class="replaceable"><code>class</code></em>
+                        [<span class="optional"><em class="replaceable"><code>class</code></em>
            [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>Reload the given zone.</p></dd>
+<dd><p>
+                        Reload the given zone.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em>
-       [<span class="optional"><em class="replaceable"><code>class</code></em>
+                        [<span class="optional"><em class="replaceable"><code>class</code></em>
            [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>Schedule zone maintenance for the given zone.</p></dd>
+<dd><p>
+                        Schedule zone maintenance for the given zone.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em>
-       [<span class="optional"><em class="replaceable"><code>class</code></em>
+
+                        [<span class="optional"><em class="replaceable"><code>class</code></em>
            [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>Retransfer the given zone from the master.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em>
+<dd><p>
+                        Retransfer the given zone from the master.
+                      </p></dd>
+<dt><span class="term"><strong class="userinput"><code>freeze
+                        [<span class="optional"><em class="replaceable"><code>zone</code></em>
        [<span class="optional"><em class="replaceable"><code>class</code></em>
            [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd><p>Suspend updates to a dynamic zone.  If no zone is specified,
-	then all zones are suspended.  This allows manual
-    edits to be made to a zone normally updated by dynamic update.  It
-    also causes changes in the journal file to be synced into the master
-    and the journal file to be removed.  All dynamic update attempts will
-    be refused while the zone is frozen.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em>
+<dd><p>
+                        Suspend updates to a dynamic zone.  If no zone is
+                        specified,
+                        then all zones are suspended.  This allows manual
+                        edits to be made to a zone normally updated by dynamic
+                        update.  It
+                        also causes changes in the journal file to be synced
+                        into the master
+                        and the journal file to be removed.  All dynamic
+                        update attempts will
+                        be refused while the zone is frozen.
+                      </p></dd>
+<dt><span class="term"><strong class="userinput"><code>thaw
+                        [<span class="optional"><em class="replaceable"><code>zone</code></em>
        [<span class="optional"><em class="replaceable"><code>class</code></em>
            [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd><p>Enable updates to a frozen dynamic zone.  If no zone is
-    specified, then all frozen zones are enabled.  This causes
-    the server to reload the zone from disk, and re-enables dynamic updates
-    after the load has completed.  After a zone is thawed, dynamic updates
-    will no longer be refused.</p></dd>
+<dd><p>
+                        Enable updates to a frozen dynamic zone.  If no zone
+                        is
+                        specified, then all frozen zones are enabled.  This
+                        causes
+                        the server to reload the zone from disk, and
+                        re-enables dynamic updates
+                        after the load has completed.  After a zone is thawed,
+                        dynamic updates
+                        will no longer be refused.
+                      </p></dd>
+<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em>
+                        [<span class="optional"><em class="replaceable"><code>class</code></em>
+           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+<dd><p>
+                        Resend NOTIFY messages for the zone.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
-<dd><p>Reload the configuration file and load new zones,
-   but do not reload existing zone files even if they have changed.
-   This is faster than a full <span><strong class="command">reload</strong></span> when there
-   is a large number of zones because it avoids the need to examine the
-   modification times of the zones files.
-   </p></dd>
+<dd><p>
+                        Reload the configuration file and load new zones,
+                        but do not reload existing zone files even if they
+                        have changed.
+                        This is faster than a full <span><strong class="command">reload</strong></span> when there
+                        is a large number of zones because it avoids the need
+                        to examine the
+                        modification times of the zones files.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
-<dd><p>Write server statistics to the statistics file.</p></dd>
+<dd><p>
+                        Write server statistics to the statistics file.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>querylog</code></strong></span></dt>
-<dd><p>Toggle query logging. Query logging can also be enabled
-   by explicitly directing the <span><strong class="command">queries</strong></span>
-   <span><strong class="command">category</strong></span> to a <span><strong class="command">channel</strong></span> in the
-   <span><strong class="command">logging</strong></span> section of
-   <code class="filename">named.conf</code>.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
-<dd><p>Dump the server's caches (default) and / or zones to the
-	 dump file for the specified views.  If no view is specified, all
-	 views are dumped.</p></dd>
+<dd><p>
+                        Toggle query logging. Query logging can also be enabled
+                        by explicitly directing the <span><strong class="command">queries</strong></span>
+                        <span><strong class="command">category</strong></span> to a
+                        <span><strong class="command">channel</strong></span> in the
+                        <span><strong class="command">logging</strong></span> section of
+                        <code class="filename">named.conf</code> or by specifying
+                        <span><strong class="command">querylog yes;</strong></span> in the
+                        <span><strong class="command">options</strong></span> section of
+                        <code class="filename">named.conf</code>.
+                      </p></dd>
+<dt><span class="term"><strong class="userinput"><code>dumpdb
+                        [<span class="optional">-all|-cache|-zone</span>]
+                        [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
+<dd><p>
+                        Dump the server's caches (default) and/or zones to
+                        the
+                        dump file for the specified views.  If no view is
+                        specified, all
+                        views are dumped.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
-<dd><p>Stop the server, making sure any recent changes
-   made through dynamic update or IXFR are first saved to the master files
-   of the updated zones.  If -p is specified named's process id is returned.
-   This allows an external process to determine when named had completed stopping.</p></dd>
+<dd><p>
+                        Stop the server, making sure any recent changes
+                        made through dynamic update or IXFR are first saved to
+                        the master files of the updated zones.
+                        If -p is specified named's process id is returned.
+                        This allows an external process to determine when named
+                        had completed stopping.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
-<dd><p>Stop the server immediately.  Recent changes
-   made through dynamic update or IXFR are not saved to the master files,
-   but will be rolled forward from the journal files when the server
-   is restarted.  If -p is specified named's process id is returned.
-   This allows an external process to determine when named had completed
-   stopping.</p></dd>
+<dd><p>
+                        Stop the server immediately.  Recent changes
+                        made through dynamic update or IXFR are not saved to
+                        the master files, but will be rolled forward from the
+                        journal files when the server is restarted.
+                        If -p is specified named's process id is returned.
+                        This allows an external process to determine when named
+                        had completed halting.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
-<dd><p>Increment the servers debugging level by one. </p></dd>
+<dd><p>
+                        Increment the servers debugging level by one.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
-<dd><p>Sets the server's debugging level to an explicit
-   value.</p></dd>
+<dd><p>
+                        Sets the server's debugging level to an explicit
+                        value.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
-<dd><p>Sets the server's debugging level to 0.</p></dd>
+<dd><p>
+                        Sets the server's debugging level to 0.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
-<dd><p>Flushes the server's cache.</p></dd>
+<dd><p>
+                        Flushes the server's cache.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em></span></dt>
-<dd><p>Flushes the given name from the server's cache.</p></dd>
+<dd><p>
+                        Flushes the given name from the server's cache.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
-<dd><p>Display status of the server.
-Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
-and the default <span><strong class="command">./IN</strong></span> hint zone if there is not an
-explicit root zone configured.</p></dd>
+<dd><p>
+                        Display status of the server.
+                        Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
+                        and the default <span><strong class="command">./IN</strong></span>
+                        hint zone if there is not an
+                        explicit root zone configured.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
-<dd><p>Dump the list of queries named is currently recursing
-   on.
-   </p></dd>
+<dd><p>
+                        Dump the list of queries named is currently recursing
+                        on.
+                      </p></dd>
 </dl></div>
-<p>In <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
-supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
-utility except <span><strong class="command">ndc start</strong></span> and
-<span><strong class="command">ndc restart</strong></span>, which were also
-not supported in <span><strong class="command">ndc</strong></span>'s channel mode.</p>
-<p>A configuration file is required, since all
-communication with the server is authenticated with
-digital signatures that rely on a shared secret, and
-there is no way to provide that secret other than with a
-configuration file.  The default location for the
-<span><strong class="command">rndc</strong></span> configuration file is
-<code class="filename">/etc/rndc.conf</code>, but an alternate
-location can be specified with the <code class="option">-c</code>
-option.  If the configuration file is not found,
-<span><strong class="command">rndc</strong></span> will also look in
-<code class="filename">/etc/rndc.key</code> (or whatever
-<code class="varname">sysconfdir</code> was defined when
-the <acronym class="acronym">BIND</acronym> build was configured).
-The <code class="filename">rndc.key</code> file is generated by
-running <span><strong class="command">rndc-confgen -a</strong></span> as described in
-<a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>.</p>
-<p>The format of the configuration file is similar to
-that of <code class="filename">named.conf</code>, but limited to
-only four statements, the <span><strong class="command">options</strong></span>,
-<span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and
-<span><strong class="command">include</strong></span>
-statements.  These statements are what associate the
-secret keys to the servers with which they are meant to
-be shared.  The order of statements is not
-significant.</p>
-<p>The <span><strong class="command">options</strong></span> statement has three clauses:
-<span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>, 
-and <span><strong class="command">default-port</strong></span>.
-<span><strong class="command">default-server</strong></span> takes a
-host name or address argument  and represents the server that will
-be contacted if no <code class="option">-s</code>
-option is provided on the command line.  
-<span><strong class="command">default-key</strong></span> takes
-the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement.
-<span><strong class="command">default-port</strong></span> specifies the port to which
-<span><strong class="command">rndc</strong></span> should connect if no
-port is given on the command line or in a
-<span><strong class="command">server</strong></span> statement.</p>
-<p>The <span><strong class="command">key</strong></span> statement defines a key to be used
-by <span><strong class="command">rndc</strong></span> when authenticating with
-<span><strong class="command">named</strong></span>.  Its syntax is identical to the
-<span><strong class="command">key</strong></span> statement in named.conf.
-The keyword <strong class="userinput"><code>key</code></strong> is
-followed by a key name, which must be a valid
-domain name, though it need not actually be hierarchical; thus,
-a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid name.
-The <span><strong class="command">key</strong></span> statement has two clauses:
-<span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>.
-While the configuration parser will accept any string as the argument
-to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>"
-has any meaning.  The secret is a base-64 encoded string.</p>
-<p>The <span><strong class="command">server</strong></span> statement associates a key
-defined using the <span><strong class="command">key</strong></span> statement with a server.
-The keyword <strong class="userinput"><code>server</code></strong> is followed by a
-host name or address.  The <span><strong class="command">server</strong></span> statement
-has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>.
-The <span><strong class="command">key</strong></span> clause specifies the name of the key
-to be used when communicating with this server, and the
-<span><strong class="command">port</strong></span> clause can be used to
-specify the port <span><strong class="command">rndc</strong></span> should connect
-to on the server.</p>
-<p>A sample minimal configuration file is as follows:</p>
+<p>
+                  In <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
+                  supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
+                  utility except <span><strong class="command">ndc start</strong></span> and
+                  <span><strong class="command">ndc restart</strong></span>, which were also
+                  not supported in <span><strong class="command">ndc</strong></span>'s
+                  channel mode.
+                </p>
+<p>
+                  A configuration file is required, since all
+                  communication with the server is authenticated with
+                  digital signatures that rely on a shared secret, and
+                  there is no way to provide that secret other than with a
+                  configuration file.  The default location for the
+                  <span><strong class="command">rndc</strong></span> configuration file is
+                  <code class="filename">/etc/rndc.conf</code>, but an
+                  alternate
+                  location can be specified with the <code class="option">-c</code>
+                  option.  If the configuration file is not found,
+                  <span><strong class="command">rndc</strong></span> will also look in
+                  <code class="filename">/etc/rndc.key</code> (or whatever
+                  <code class="varname">sysconfdir</code> was defined when
+                  the <acronym class="acronym">BIND</acronym> build was
+                  configured).
+                  The <code class="filename">rndc.key</code> file is
+                  generated by
+                  running <span><strong class="command">rndc-confgen -a</strong></span> as
+                  described in
+                  <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
+          Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
+          Usage&#8221;</a>.
+                </p>
+<p>
+                  The format of the configuration file is similar to
+                  that of <code class="filename">named.conf</code>, but
+                  limited to
+                  only four statements, the <span><strong class="command">options</strong></span>,
+                  <span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and
+                  <span><strong class="command">include</strong></span>
+                  statements.  These statements are what associate the
+                  secret keys to the servers with which they are meant to
+                  be shared.  The order of statements is not
+                  significant.
+                </p>
+<p>
+                  The <span><strong class="command">options</strong></span> statement has
+                  three clauses:
+                  <span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>,
+                  and <span><strong class="command">default-port</strong></span>.
+                  <span><strong class="command">default-server</strong></span> takes a
+                  host name or address argument  and represents the server
+                  that will
+                  be contacted if no <code class="option">-s</code>
+                  option is provided on the command line.
+                  <span><strong class="command">default-key</strong></span> takes
+                  the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement.
+                  <span><strong class="command">default-port</strong></span> specifies the
+                  port to which
+                  <span><strong class="command">rndc</strong></span> should connect if no
+                  port is given on the command line or in a
+                  <span><strong class="command">server</strong></span> statement.
+                </p>
+<p>
+                  The <span><strong class="command">key</strong></span> statement defines a
+                  key to be used
+                  by <span><strong class="command">rndc</strong></span> when authenticating
+                  with
+                  <span><strong class="command">named</strong></span>.  Its syntax is
+                  identical to the
+                  <span><strong class="command">key</strong></span> statement in named.conf.
+                  The keyword <strong class="userinput"><code>key</code></strong> is
+                  followed by a key name, which must be a valid
+                  domain name, though it need not actually be hierarchical;
+                  thus,
+                  a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid
+                  name.
+                  The <span><strong class="command">key</strong></span> statement has two
+                  clauses:
+                  <span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>.
+                  While the configuration parser will accept any string as the
+                  argument
+                  to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>"
+                  has any meaning.  The secret is a base-64 encoded string
+                  as specified in RFC 3548.
+                </p>
+<p>
+                  The <span><strong class="command">server</strong></span> statement
+                  associates a key
+                  defined using the <span><strong class="command">key</strong></span>
+                  statement with a server.
+                  The keyword <strong class="userinput"><code>server</code></strong> is followed by a
+                  host name or address.  The <span><strong class="command">server</strong></span> statement
+                  has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>.
+                  The <span><strong class="command">key</strong></span> clause specifies the
+                  name of the key
+                  to be used when communicating with this server, and the
+                  <span><strong class="command">port</strong></span> clause can be used to
+                  specify the port <span><strong class="command">rndc</strong></span> should
+                  connect
+                  to on the server.
+                </p>
+<p>
+                  A sample minimal configuration file is as follows:
+                </p>
 <pre class="programlisting">
 key rndc_key {
      algorithm "hmac-md5";
@@ -445,38 +698,55 @@ options {
      default-key    rndc_key;
 };
 </pre>
-<p>This file, if installed as <code class="filename">/etc/rndc.conf</code>,
-would allow the command:</p>
-<p><code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong></p>
-<p>to connect to 127.0.0.1 port 953 and cause the name server
-to reload, if a name server on the local machine were running with
-following controls statements:</p>
+<p>
+                  This file, if installed as <code class="filename">/etc/rndc.conf</code>,
+                  would allow the command:
+                </p>
+<p>
+                  <code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong>
+                </p>
+<p>
+                  to connect to 127.0.0.1 port 953 and cause the name server
+                  to reload, if a name server on the local machine were
+                  running with
+                  following controls statements:
+                </p>
 <pre class="programlisting">
 controls {
         inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
 };
 </pre>
-<p>and it had an identical key statement for
-<code class="literal">rndc_key</code>.</p>
-<p>Running the <span><strong class="command">rndc-confgen</strong></span> program will
-conveniently create a <code class="filename">rndc.conf</code>
-file for you, and also display the
-corresponding <span><strong class="command">controls</strong></span> statement that you need to
-add to <code class="filename">named.conf</code>.  Alternatively,
-you can run <span><strong class="command">rndc-confgen -a</strong></span> to set up
-a <code class="filename">rndc.key</code> file and not modify 
-<code class="filename">named.conf</code> at all.
-</p>
+<p>
+                  and it had an identical key statement for
+                  <code class="literal">rndc_key</code>.
+                </p>
+<p>
+                  Running the <span><strong class="command">rndc-confgen</strong></span>
+                  program will
+                  conveniently create a <code class="filename">rndc.conf</code>
+                  file for you, and also display the
+                  corresponding <span><strong class="command">controls</strong></span>
+                  statement that you need to
+                  add to <code class="filename">named.conf</code>.
+                  Alternatively,
+                  you can run <span><strong class="command">rndc-confgen -a</strong></span>
+                  to set up
+                  a <code class="filename">rndc.key</code> file and not
+                  modify
+                  <code class="filename">named.conf</code> at all.
+                </p>
 </dd>
 </dl></div>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2572723"></a>Signals</h3></div></div></div>
-<p>Certain UNIX signals cause the name server to take specific
-actions, as described in the following table.  These signals can
-be sent using the <span><strong class="command">kill</strong></span> command.</p>
+<a name="id2569972"></a>Signals</h3></div></div></div>
+<p>
+          Certain UNIX signals cause the name server to take specific
+          actions, as described in the following table.  These signals can
+          be sent using the <span><strong class="command">kill</strong></span> command.
+        </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -484,19 +754,35 @@ be sent using the <span><strong class="command">kill</strong></span> command.</p
 </colgroup>
 <tbody>
 <tr>
-<td><p><span><strong class="command">SIGHUP</strong></span></p></td>
-<td><p>Causes the server to read <code class="filename">named.conf</code> and
-reload the database. </p></td>
+<td>
+                  <p><span><strong class="command">SIGHUP</strong></span></p>
+                </td>
+<td>
+                  <p>
+                    Causes the server to read <code class="filename">named.conf</code> and
+                    reload the database.
+                  </p>
+                </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">SIGTERM</strong></span></p></td>
-<td><p>Causes the server to clean up and exit.</p></td>
+<td>
+                  <p><span><strong class="command">SIGTERM</strong></span></p>
+                </td>
+<td>
+                  <p>
+                    Causes the server to clean up and exit.
+                  </p>
+                </td>
 </tr>
 <tr>
 <td>
-<p><span><strong class="command">SIGINT</strong></span></p>
-</td>
-<td><p>Causes the server to clean up and exit.</p></td>
+                  <p><span><strong class="command">SIGINT</strong></span></p>
+                </td>
+<td>
+                  <p>
+                    Causes the server to clean up and exit.
+                  </p>
+                </td>
 </tr>
 </tbody>
 </table></div>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch04.html b/contrib/bind9/doc/arm/Bv9ARM.ch04.html
index adf2036..a316b1f 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch04.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch04.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch04.html,v 1.30.2.6.2.24 2006/11/15 04:33:41 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch04.html,v 1.40.18.34 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 4. Advanced DNS Features</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
@@ -49,213 +49,309 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2573147">Split DNS</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570429">Split DNS</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573709">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573776">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573784">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573824">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573876">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573920">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570949">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571022">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571033">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571141">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571198">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571243">Errors</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2573933">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2573982">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571257">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571306">SIG(0)</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574049">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574116">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574259">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571579">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571649">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571728">Configuring Servers</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2574396">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571802">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574455">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574475">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572001">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572022">Address to Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="notify"></a>Notify</h2></div></div></div>
-<p><acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
-servers to notify their slave servers of changes to a zone's data. In
-response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
-slave will check to see that its version of the zone is the
-current version and, if not, initiate a zone transfer.</p>
-<p><acronym class="acronym">DNS</acronym>
-For more information about
-<span><strong class="command">NOTIFY</strong></span>, see the description of the
-<span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
-the description of the zone option <span><strong class="command">also-notify</strong></span> in
-<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.  The <span><strong class="command">NOTIFY</strong></span>
-protocol is specified in RFC 1996.
-</p>
+<p>
+        <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
+        servers to notify their slave servers of changes to a zone's data. In
+        response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
+        slave will check to see that its version of the zone is the
+        current version and, if not, initiate a zone transfer.
+      </p>
+<p>
+        For more information about <acronym class="acronym">DNS</acronym>
+        <span><strong class="command">NOTIFY</strong></span>, see the description of the
+        <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
+        the description of the zone option <span><strong class="command">also-notify</strong></span> in
+        <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.  The <span><strong class="command">NOTIFY</strong></span>
+        protocol is specified in RFC 1996.
+      </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+        As a slave zone can also be a master to other slaves, named,
+        by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
+        it loads.  Specifying <span><strong class="command">notify master-only;</strong></span> will
+        cause named to only send <span><strong class="command">NOTIFY</strong></span> for master
+        zones that it loads.
+      </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
-<p>Dynamic Update is a method for adding, replacing or deleting
-    records in a master server by sending it a special form of DNS
-    messages.  The format and meaning of these messages is specified
-    in RFC 2136.</p>
-<p>Dynamic update is enabled on a zone-by-zone basis, by
-    including an <span><strong class="command">allow-update</strong></span> or
-    <span><strong class="command">update-policy</strong></span> clause in the
-    <span><strong class="command">zone</strong></span> statement.</p>
-<p>Updating of secure zones (zones using DNSSEC) follows
-    RFC 3007: RRSIG and NSEC records affected by updates are automatically
-    regenerated by the server using an online zone key.
-    Update authorization is based
-    on transaction signatures and an explicit server policy.</p>
+<p>
+        Dynamic Update is a method for adding, replacing or deleting
+        records in a master server by sending it a special form of DNS
+        messages.  The format and meaning of these messages is specified
+        in RFC 2136.
+      </p>
+<p>
+        Dynamic update is enabled by
+        including an <span><strong class="command">allow-update</strong></span> or
+        <span><strong class="command">update-policy</strong></span> clause in the
+        <span><strong class="command">zone</strong></span> statement.
+      </p>
+<p>
+        Updating of secure zones (zones using DNSSEC) follows
+        RFC 3007: RRSIG and NSEC records affected by updates are automatically
+            regenerated by the server using an online zone key.
+        Update authorization is based
+        on transaction signatures and an explicit server policy.
+      </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="journal"></a>The journal file</h3></div></div></div>
-<p>All changes made to a zone using dynamic update are stored in the
-    zone's journal file.  This file is automatically created by the
-    server when the first dynamic update takes place.  The name of
-    the journal file is formed by appending the
-    extension <code class="filename">.jnl</code> to the
-    name of the corresponding zone file.  The journal file is in a
-    binary format and should not be edited manually.</p>
-<p>The server will also occasionally write ("dump")
-    the complete contents of the updated zone to its zone file.
-    This is not done immediately after
-    each dynamic update, because that would be too slow when a large
-    zone is updated frequently.  Instead, the dump is delayed by
-    up to 15 minutes, allowing additional updates to take place.</p>
-<p>When a server is restarted after a shutdown or crash, it will replay
-    the journal file to incorporate into the zone any updates that took
-    place after the last zone dump.</p>
-<p>Changes that result from incoming incremental zone transfers are also
-    journalled in a similar way.</p>
-<p>The zone files of dynamic zones cannot normally be edited by
-    hand because they are not guaranteed to contain the most recent
-    dynamic changes &#8212; those are only in the journal file.
-    The only way to ensure that the zone file of a dynamic zone
-    is up to date is to run <span><strong class="command">rndc stop</strong></span>.</p>
-<p>If you have to make changes to a dynamic zone
-    manually, the following procedure will work: Disable dynamic updates
-    to the zone using
-    <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
-    This will also remove the zone's <code class="filename">.jnl</code> file
-    and update the master file.  Edit the zone file.  Run
-    <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
-    to reload the changed zone and re-enable dynamic updates.</p>
+<p>
+          All changes made to a zone using dynamic update are stored
+          in the zone's journal file.  This file is automatically created
+          by the server when the first dynamic update takes place.
+          The name of the journal file is formed by appending the extension
+          <code class="filename">.jnl</code> to the name of the
+          corresponding zone
+          file unless specifically overridden.  The journal file is in a
+          binary format and should not be edited manually.
+        </p>
+<p>
+          The server will also occasionally write ("dump")
+          the complete contents of the updated zone to its zone file.
+          This is not done immediately after
+          each dynamic update, because that would be too slow when a large
+          zone is updated frequently.  Instead, the dump is delayed by
+          up to 15 minutes, allowing additional updates to take place.
+        </p>
+<p>
+          When a server is restarted after a shutdown or crash, it will replay
+              the journal file to incorporate into the zone any updates that
+          took
+          place after the last zone dump.
+        </p>
+<p>
+          Changes that result from incoming incremental zone transfers are
+          also
+          journalled in a similar way.
+        </p>
+<p>
+          The zone files of dynamic zones cannot normally be edited by
+          hand because they are not guaranteed to contain the most recent
+          dynamic changes &#8212; those are only in the journal file.
+          The only way to ensure that the zone file of a dynamic zone
+          is up to date is to run <span><strong class="command">rndc stop</strong></span>.
+        </p>
+<p>
+          If you have to make changes to a dynamic zone
+          manually, the following procedure will work: Disable dynamic updates
+              to the zone using
+          <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
+          This will also remove the zone's <code class="filename">.jnl</code> file
+          and update the master file.  Edit the zone file.  Run
+          <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
+          to reload the changed zone and re-enable dynamic updates.
+        </p>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
-<p>The incremental zone transfer (IXFR) protocol is a way for
-slave servers to transfer only changed data, instead of having to
-transfer the entire zone. The IXFR protocol is specified in RFC
-1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.</p>
-<p>When acting as a master, <acronym class="acronym">BIND</acronym> 9
-supports IXFR for those zones
-where the necessary change history information is available. These
-include master zones maintained by dynamic update and slave zones
-whose data was obtained by IXFR.  For manually maintained master
-zones, and for slave zones obtained by performing a full zone 
-transfer (AXFR), IXFR is supported only if the option
-<span><strong class="command">ixfr-from-differences</strong></span> is set
-to <strong class="userinput"><code>yes</code></strong>.
-</p>
-<p>When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will 
-attempt to use IXFR unless
-it is explicitly disabled. For more information about disabling
-IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
-of the <span><strong class="command">server</strong></span> statement.</p>
+<p>
+        The incremental zone transfer (IXFR) protocol is a way for
+        slave servers to transfer only changed data, instead of having to
+        transfer the entire zone. The IXFR protocol is specified in RFC
+        1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
+      </p>
+<p>
+        When acting as a master, <acronym class="acronym">BIND</acronym> 9
+        supports IXFR for those zones
+        where the necessary change history information is available. These
+        include master zones maintained by dynamic update and slave zones
+        whose data was obtained by IXFR.  For manually maintained master
+        zones, and for slave zones obtained by performing a full zone
+        transfer (AXFR), IXFR is supported only if the option
+        <span><strong class="command">ixfr-from-differences</strong></span> is set
+        to <strong class="userinput"><code>yes</code></strong>.
+      </p>
+<p>
+        When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
+        attempt to use IXFR unless
+        it is explicitly disabled. For more information about disabling
+        IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
+        of the <span><strong class="command">server</strong></span> statement.
+      </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2573147"></a>Split DNS</h2></div></div></div>
-<p>Setting up different views, or visibility, of the DNS space to
-internal and external resolvers is usually referred to as a <span class="emphasis"><em>Split
-DNS</em></span> setup. There are several reasons an organization
-would want to set up its DNS this way.</p>
-<p>One common reason for setting up a DNS system this way is
-to hide "internal" DNS information from "external" clients on the
-Internet. There is some debate as to whether or not this is actually useful.
-Internal DNS information leaks out in many ways (via email headers,
-for example) and most savvy "attackers" can find the information
-they need using other means.</p>
-<p>Another common reason for setting up a Split DNS system is
-to allow internal networks that are behind filters or in RFC 1918
-space (reserved IP space, as documented in RFC 1918) to resolve DNS
-on the Internet. Split DNS can also be used to allow mail from outside
-back in to the internal network.</p>
-<p>Here is an example of a split DNS setup:</p>
-<p>Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
-(<code class="literal">example.com</code>)
-has several corporate sites that have an internal network with reserved
-Internet Protocol (IP) space and an external demilitarized zone (DMZ),
-or "outside" section of a network, that is available to the public.</p>
-<p><span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
-to be able to resolve external hostnames and to exchange mail with
-people on the outside. The company also wants its internal resolvers
-to have access to certain internal-only zones that are not available
-at all outside of the internal network.</p>
-<p>In order to accomplish this, the company will set up two sets
-of name servers. One set will be on the inside network (in the reserved
-IP space) and the other set will be on bastion hosts, which are "proxy"
-hosts that can talk to both sides of its network, in the DMZ.</p>
-<p>The internal servers will be configured to forward all queries,
-except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
-and <code class="filename">site2.example.com</code>, to the servers in the
-DMZ. These internal servers will have complete sets of information
-for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>,<span class="emphasis"><em> </em></span><code class="filename">site1.internal</code>,
-and <code class="filename">site2.internal</code>.</p>
-<p>To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
-the internal name servers must be configured to disallow all queries
-to these domains from any external hosts, including the bastion
-hosts.</p>
-<p>The external servers, which are on the bastion hosts, will
-be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
-This could include things such as the host records for public servers
-(<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
-and mail exchange (MX)  records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).</p>
-<p>In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
-should have special MX records that contain wildcard (`*') records
-pointing to the bastion hosts. This is needed because external mail
-servers do not have any other way of looking up how to deliver mail
-to those internal hosts. With the wildcard records, the mail will
-be delivered to the bastion host, which can then forward it on to
-internal hosts.</p>
-<p>Here's an example of a wildcard MX record:</p>
+<a name="id2570429"></a>Split DNS</h2></div></div></div>
+<p>
+        Setting up different views, or visibility, of the DNS space to
+        internal and external resolvers is usually referred to as a
+        <span class="emphasis"><em>Split DNS</em></span> setup. There are several
+        reasons an organization would want to set up its DNS this way.
+      </p>
+<p>
+        One common reason for setting up a DNS system this way is
+        to hide "internal" DNS information from "external" clients on the
+        Internet. There is some debate as to whether or not this is actually
+        useful.
+        Internal DNS information leaks out in many ways (via email headers,
+        for example) and most savvy "attackers" can find the information
+        they need using other means.
+        However, since listing addresses of internal servers that
+        external clients cannot possibly reach can result in
+        connection delays and other annoyances, an organization may
+        choose to use a Split DNS to present a consistant view of itself
+        to the outside world.
+      </p>
+<p>
+        Another common reason for setting up a Split DNS system is
+        to allow internal networks that are behind filters or in RFC 1918
+        space (reserved IP space, as documented in RFC 1918) to resolve DNS
+        on the Internet. Split DNS can also be used to allow mail from outside
+        back in to the internal network.
+      </p>
+<p>
+        Here is an example of a split DNS setup:
+      </p>
+<p>
+        Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
+        (<code class="literal">example.com</code>)
+        has several corporate sites that have an internal network with
+        reserved
+        Internet Protocol (IP) space and an external demilitarized zone (DMZ),
+        or "outside" section of a network, that is available to the public.
+      </p>
+<p>
+        <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
+        to be able to resolve external hostnames and to exchange mail with
+        people on the outside. The company also wants its internal resolvers
+        to have access to certain internal-only zones that are not available
+        at all outside of the internal network.
+      </p>
+<p>
+        In order to accomplish this, the company will set up two sets
+        of name servers. One set will be on the inside network (in the
+        reserved
+        IP space) and the other set will be on bastion hosts, which are
+        "proxy"
+        hosts that can talk to both sides of its network, in the DMZ.
+      </p>
+<p>
+        The internal servers will be configured to forward all queries,
+        except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
+        and <code class="filename">site2.example.com</code>, to the servers
+        in the
+        DMZ. These internal servers will have complete sets of information
+        for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>,<span class="emphasis"><em></em></span> <code class="filename">site1.internal</code>,
+        and <code class="filename">site2.internal</code>.
+      </p>
+<p>
+        To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
+        the internal name servers must be configured to disallow all queries
+        to these domains from any external hosts, including the bastion
+        hosts.
+      </p>
+<p>
+        The external servers, which are on the bastion hosts, will
+        be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
+        This could include things such as the host records for public servers
+        (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
+        and mail exchange (MX)  records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
+      </p>
+<p>
+        In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
+        should have special MX records that contain wildcard (`*') records
+        pointing to the bastion hosts. This is needed because external mail
+        servers do not have any other way of looking up how to deliver mail
+        to those internal hosts. With the wildcard records, the mail will
+        be delivered to the bastion host, which can then forward it on to
+        internal hosts.
+      </p>
+<p>
+        Here's an example of a wildcard MX record:
+      </p>
 <pre class="programlisting">*   IN MX 10 external1.example.com.</pre>
-<p>Now that they accept mail on behalf of anything in the internal
-network, the bastion hosts will need to know how to deliver mail
-to internal hosts. In order for this to work properly, the resolvers on
-the bastion hosts will need to be configured to point to the internal
-name servers for DNS resolution.</p>
-<p>Queries for internal hostnames will be answered by the internal
-servers, and queries for external hostnames will be forwarded back
-out to the DNS servers on the bastion hosts.</p>
-<p>In order for all this to work properly, internal clients will
-need to be configured to query <span class="emphasis"><em>only</em></span> the internal
-name servers for DNS queries. This could also be enforced via selective
-filtering on the network.</p>
-<p>If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
-internal clients will now be able to:</p>
+<p>
+        Now that they accept mail on behalf of anything in the internal
+        network, the bastion hosts will need to know how to deliver mail
+        to internal hosts. In order for this to work properly, the resolvers
+        on
+        the bastion hosts will need to be configured to point to the internal
+        name servers for DNS resolution.
+      </p>
+<p>
+        Queries for internal hostnames will be answered by the internal
+        servers, and queries for external hostnames will be forwarded back
+        out to the DNS servers on the bastion hosts.
+      </p>
+<p>
+        In order for all this to work properly, internal clients will
+        need to be configured to query <span class="emphasis"><em>only</em></span> the internal
+        name servers for DNS queries. This could also be enforced via
+        selective
+        filtering on the network.
+      </p>
+<p>
+        If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
+        internal clients will now be able to:
+      </p>
 <div class="itemizedlist"><ul type="disc">
-<li>Look up any hostnames in the <code class="literal">site1</code> and 
-<code class="literal">site2.example.com</code> zones.</li>
-<li>Look up any hostnames in the <code class="literal">site1.internal</code> and 
-<code class="literal">site2.internal</code> domains.</li>
+<li>
+            Look up any hostnames in the <code class="literal">site1</code>
+            and
+            <code class="literal">site2.example.com</code> zones.
+          </li>
+<li>
+            Look up any hostnames in the <code class="literal">site1.internal</code> and
+            <code class="literal">site2.internal</code> domains.
+          </li>
 <li>Look up any hostnames on the Internet.</li>
-<li>Exchange mail with both internal AND external people.</li>
+<li>Exchange mail with both internal and external people.</li>
 </ul></div>
-<p>Hosts on the Internet will be able to:</p>
+<p>
+        Hosts on the Internet will be able to:
+      </p>
 <div class="itemizedlist"><ul type="disc">
-<li>Look up any hostnames in the <code class="literal">site1</code> and 
-<code class="literal">site2.example.com</code> zones.</li>
-<li>Exchange mail with anyone in the <code class="literal">site1</code> and 
-<code class="literal">site2.example.com</code> zones.</li>
+<li>
+            Look up any hostnames in the <code class="literal">site1</code>
+            and
+            <code class="literal">site2.example.com</code> zones.
+          </li>
+<li>
+            Exchange mail with anyone in the <code class="literal">site1</code> and
+            <code class="literal">site2.example.com</code> zones.
+          </li>
 </ul></div>
-<p>Here is an example configuration for the setup we just
-    described above. Note that this is only configuration information;
-    for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.</p>
-<p>Internal DNS server config:</p>
+<p>
+        Here is an example configuration for the setup we just
+        described above. Note that this is only configuration information;
+        for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.
+      </p>
+<p>
+        Internal DNS server config:
+      </p>
 <pre class="programlisting">
 
 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
@@ -267,7 +363,7 @@ options {
     ...
     forward only;
     forwarders {                                // forward to external servers
-        <code class="varname">bastion-ips-go-here</code>; 
+        <code class="varname">bastion-ips-go-here</code>;
     };
     allow-transfer { none; };                   // sample allow-transfer (no one)
     allow-query { internals; externals; };      // restrict query access
@@ -311,7 +407,9 @@ zone "site2.internal" {
   allow-transfer { internals; }
 };
 </pre>
-<p>External (bastion host) DNS server config:</p>
+<p>
+        External (bastion host) DNS server config:
+      </p>
 <pre class="programlisting">
 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
 
@@ -321,7 +419,8 @@ options {
   ...
   ...
   allow-transfer { none; };                     // sample allow-transfer (no one)
-  allow-query { internals; externals; };        // restrict query access
+  allow-query { any; };                         // default query access
+  allow-query-cache { internals; externals; };  // restrict cache access
   allow-recursion { internals; externals; };    // restrict recursion
   ...
   ...
@@ -330,7 +429,6 @@ options {
 zone "site1.example.com" {                      // sample slave zone
   type master;
   file "m/site1.foo.com";
-  allow-query { any; };
   allow-transfer { internals; externals; };
 };
 
@@ -338,12 +436,13 @@ zone "site2.example.com" {
   type slave;
   file "s/site2.foo.com";
   masters { another_bastion_host_maybe; };
-  allow-query { any; };
   allow-transfer { internals; externals; }
 };
 </pre>
-<p>In the <code class="filename">resolv.conf</code> (or equivalent) on
-the bastion host(s):</p>
+<p>
+        In the <code class="filename">resolv.conf</code> (or equivalent) on
+        the bastion host(s):
+      </p>
 <pre class="programlisting">
 search ...
 nameserver 172.16.72.2
@@ -354,416 +453,551 @@ nameserver 172.16.72.4
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="tsig"></a>TSIG</h2></div></div></div>
-<p>This is a short guide to setting up Transaction SIGnatures
-(TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
-to the configuration file as well as what changes are required for
-different features, including the process of creating transaction
-keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.</p>
-<p><acronym class="acronym">BIND</acronym> primarily supports TSIG for server to server communication.
-This includes zone transfer, notify, and recursive query messages.
-Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
-for TSIG.</p>
-<p>TSIG might be most useful for dynamic update. A primary
-    server for a dynamic zone should use access control to control
-    updates, but IP-based access control is insufficient.
-    The cryptographic access control provided by TSIG
-    is far superior. The <span><strong class="command">nsupdate</strong></span>
-    program supports TSIG via the <code class="option">-k</code> and
-    <code class="option">-y</code> command line options.</p>
+<p>
+        This is a short guide to setting up Transaction SIGnatures
+        (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
+        to the configuration file as well as what changes are required for
+        different features, including the process of creating transaction
+        keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
+      </p>
+<p>
+        <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
+        to server communication.
+        This includes zone transfer, notify, and recursive query messages.
+        Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
+        for TSIG.
+      </p>
+<p>
+        TSIG can also be useful for dynamic update. A primary
+        server for a dynamic zone should control access to the dynamic
+        update service, but IP-based access control is insufficient.
+        The cryptographic access control provided by TSIG
+        is far superior. The <span><strong class="command">nsupdate</strong></span>
+        program supports TSIG via the <code class="option">-k</code> and
+        <code class="option">-y</code> command line options or inline by use
+        of the <span><strong class="command">key</strong></span>.
+      </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2573709"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
-<p>A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
-An arbitrary key name is chosen: "host1-host2.". The key name must
-be the same on both hosts.</p>
+<a name="id2570949"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
+<p>
+          A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
+          An arbitrary key name is chosen: "host1-host2.". The key name must
+          be the same on both hosts.
+        </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573725"></a>Automatic Generation</h4></div></div></div>
-<p>The following command will generate a 128-bit (16 byte) HMAC-MD5
-key as described above. Longer keys are better, but shorter keys
-are easier to read. Note that the maximum key length is 512 bits;
-keys longer than that will be digested with MD5 to produce a
-128-bit key.</p>
-<p><strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong></p>
-<p>The key is in the file <code class="filename">Khost1-host2.+157+00000.private</code>.
-Nothing directly uses this file, but the base-64 encoded string
-following "<code class="literal">Key:</code>"
-can be extracted from the file and used as a shared secret:</p>
+<a name="id2570966"></a>Automatic Generation</h4></div></div></div>
+<p>
+            The following command will generate a 128-bit (16 byte) HMAC-MD5
+            key as described above. Longer keys are better, but shorter keys
+            are easier to read. Note that the maximum key length is 512 bits;
+            keys longer than that will be digested with MD5 to produce a
+            128-bit key.
+          </p>
+<p>
+            <strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong>
+          </p>
+<p>
+            The key is in the file <code class="filename">Khost1-host2.+157+00000.private</code>.
+            Nothing directly uses this file, but the base-64 encoded string
+            following "<code class="literal">Key:</code>"
+            can be extracted from the file and used as a shared secret:
+          </p>
 <pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
-<p>The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
-be used as the shared secret.</p>
+<p>
+            The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
+            be used as the shared secret.
+          </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573760"></a>Manual Generation</h4></div></div></div>
-<p>The shared secret is simply a random sequence of bits, encoded
-in base-64. Most ASCII strings are valid base-64 strings (assuming
-the length is a multiple of 4 and only valid characters are used),
-so the shared secret can be manually generated.</p>
-<p>Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
-a similar program to generate base-64 encoded data.</p>
+<a name="id2571004"></a>Manual Generation</h4></div></div></div>
+<p>
+            The shared secret is simply a random sequence of bits, encoded
+            in base-64. Most ASCII strings are valid base-64 strings (assuming
+            the length is a multiple of 4 and only valid characters are used),
+            so the shared secret can be manually generated.
+          </p>
+<p>
+            Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
+            a similar program to generate base-64 encoded data.
+          </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2573776"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
-<p>This is beyond the scope of DNS. A secure transport mechanism
-should be used. This could be secure FTP, ssh, telephone, etc.</p>
+<a name="id2571022"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
+<p>
+          This is beyond the scope of DNS. A secure transport mechanism
+          should be used. This could be secure FTP, ssh, telephone, etc.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2573784"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
-<p>Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span> are
-both servers. The following is added to each server's <code class="filename">named.conf</code> file:</p>
+<a name="id2571033"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
+<p>
+          Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
+          are
+          both servers. The following is added to each server's <code class="filename">named.conf</code> file:
+        </p>
 <pre class="programlisting">
 key host1-host2. {
   algorithm hmac-md5;
   secret "La/E5CjG9O+os1jq0a2jdA==";
 };
 </pre>
-<p>The algorithm, hmac-md5, is the only one supported by <acronym class="acronym">BIND</acronym>.
-The secret is the one generated above. Since this is a secret, it
-is recommended that either <code class="filename">named.conf</code> be non-world
-readable, or the key directive be added to a non-world readable
-file that is included by <code class="filename">named.conf</code>.</p>
-<p>At this point, the key is recognized. This means that if the
-server receives a message signed by this key, it can verify the
-signature. If the signature is successfully verified, the
-response is signed by the same key.</p>
+<p>
+          The algorithm, hmac-md5, is the only one supported by <acronym class="acronym">BIND</acronym>.
+          The secret is the one generated above. Since this is a secret, it
+          is recommended that either <code class="filename">named.conf</code> be non-world
+          readable, or the key directive be added to a non-world readable
+          file that is included by
+          <code class="filename">named.conf</code>.
+        </p>
+<p>
+          At this point, the key is recognized. This means that if the
+          server receives a message signed by this key, it can verify the
+          signature. If the signature is successfully verified, the
+          response is signed by the same key.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2573824"></a>Instructing the Server to Use the Key</h3></div></div></div>
-<p>Since keys are shared between two hosts only, the server must
-be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
-for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
-10.1.2.3:</p>
+<a name="id2571141"></a>Instructing the Server to Use the Key</h3></div></div></div>
+<p>
+          Since keys are shared between two hosts only, the server must
+          be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
+          for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
+          10.1.2.3:
+        </p>
 <pre class="programlisting">
 server 10.1.2.3 {
   keys { host1-host2. ;};
 };
 </pre>
-<p>Multiple keys may be present, but only the first is used.
-This directive does not contain any secrets, so it may be in a world-readable
-file.</p>
-<p>If <span class="emphasis"><em>host1</em></span> sends a message that is a request
-to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
-expect any responses to signed messages to be signed with the same
-key.</p>
-<p>A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
-configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
-sign request messages to <span class="emphasis"><em>host1</em></span>.</p>
+<p>
+          Multiple keys may be present, but only the first is used.
+          This directive does not contain any secrets, so it may be in a
+          world-readable
+          file.
+        </p>
+<p>
+          If <span class="emphasis"><em>host1</em></span> sends a message that is a request
+          to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
+          expect any responses to signed messages to be signed with the same
+          key.
+        </p>
+<p>
+          A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
+          configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
+          sign request messages to <span class="emphasis"><em>host1</em></span>.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2573876"></a>TSIG Key Based Access Control</h3></div></div></div>
-<p><acronym class="acronym">BIND</acronym> allows IP addresses and ranges to be specified in ACL
-definitions and
-<span><strong class="command">allow-{ query | transfer | update }</strong></span> directives.
-This has been extended to allow TSIG keys also. The above key would
-be denoted <span><strong class="command">key host1-host2.</strong></span></p>
-<p>An example of an allow-update directive would be:</p>
+<a name="id2571198"></a>TSIG Key Based Access Control</h3></div></div></div>
+<p>
+          <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
+          to be specified in ACL
+          definitions and
+          <span><strong class="command">allow-{ query | transfer | update }</strong></span>
+          directives.
+          This has been extended to allow TSIG keys also. The above key would
+          be denoted <span><strong class="command">key host1-host2.</strong></span>
+        </p>
+<p>
+          An example of an allow-update directive would be:
+        </p>
 <pre class="programlisting">
 allow-update { key host1-host2. ;};
 </pre>
-<p>This allows dynamic updates to succeed only if the request
-      was signed by a key named
-      "<span><strong class="command">host1-host2.</strong></span>".</p>
-<p>You may want to read about the more
-      powerful <span><strong class="command">update-policy</strong></span> statement in <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.</p>
+<p>
+          This allows dynamic updates to succeed only if the request
+          was signed by a key named
+          "<span><strong class="command">host1-host2.</strong></span>".
+        </p>
+<p>
+          You may want to read about the more
+          powerful <span><strong class="command">update-policy</strong></span> statement in <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2573920"></a>Errors</h3></div></div></div>
-<p>The processing of TSIG signed messages can result in
-      several errors. If a signed message is sent to a non-TSIG
-      aware server, a FORMERR (format error) will be returned, since
-      the server will not understand the record. This is a result
-      of misconfiguration, since the server must be explicitly
-      configured to send a TSIG signed message to a specific
-      server.</p>
-<p>If a TSIG aware server receives a message signed by an
-      unknown key, the response will be unsigned with the TSIG
-      extended error code set to BADKEY. If a TSIG aware server
-      receives a message with a signature that does not validate, the
-      response will be unsigned with the TSIG extended error code set
-      to BADSIG. If a TSIG aware server receives a message with a time
-      outside of the allowed range, the response will be signed with
-      the TSIG extended error code set to BADTIME, and the time values
-      will be adjusted so that the response can be successfully
-      verified. In any of these cases, the message's rcode is set to
-      NOTAUTH (not authenticated).</p>
+<a name="id2571243"></a>Errors</h3></div></div></div>
+<p>
+          The processing of TSIG signed messages can result in
+          several errors. If a signed message is sent to a non-TSIG aware
+          server, a FORMERR (format error) will be returned, since the server will not
+          understand the record. This is a result of misconfiguration,
+          since the server must be explicitly configured to send a TSIG
+          signed message to a specific server.
+        </p>
+<p>
+          If a TSIG aware server receives a message signed by an
+          unknown key, the response will be unsigned with the TSIG
+          extended error code set to BADKEY. If a TSIG aware server
+          receives a message with a signature that does not validate, the
+          response will be unsigned with the TSIG extended error code set
+          to BADSIG. If a TSIG aware server receives a message with a time
+          outside of the allowed range, the response will be signed with
+          the TSIG extended error code set to BADTIME, and the time values
+          will be adjusted so that the response can be successfully
+          verified. In any of these cases, the message's rcode is set to
+          NOTAUTH (not authenticated).
+        </p>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2573933"></a>TKEY</h2></div></div></div>
-<p><span><strong class="command">TKEY</strong></span> is a mechanism for automatically
-    generating a shared secret between two hosts.  There are several
-    "modes" of <span><strong class="command">TKEY</strong></span> that specify how the key is
-    generated or assigned.  <acronym class="acronym">BIND</acronym> 9
-    implements only one of these modes,
-    the Diffie-Hellman key exchange.  Both hosts are required to have
-    a Diffie-Hellman KEY record (although this record is not required
-    to be present in a zone).  The <span><strong class="command">TKEY</strong></span> process
-    must use signed messages, signed either by TSIG or SIG(0).  The
-    result of <span><strong class="command">TKEY</strong></span> is a shared secret that can be
-    used to sign messages with TSIG.  <span><strong class="command">TKEY</strong></span> can also
-    be used to delete shared secrets that it had previously
-    generated.</p>
-<p>The <span><strong class="command">TKEY</strong></span> process is initiated by a client
-    or server by sending a signed <span><strong class="command">TKEY</strong></span> query
-    (including any appropriate KEYs) to a TKEY-aware server.  The
-    server response, if it indicates success, will contain a
-    <span><strong class="command">TKEY</strong></span> record and any appropriate keys.  After
-    this exchange, both participants have enough information to
-    determine the shared secret; the exact process depends on the
-    <span><strong class="command">TKEY</strong></span> mode.  When using the Diffie-Hellman
-    <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are exchanged,
-    and the shared secret is derived by both participants.</p>
+<a name="id2571257"></a>TKEY</h2></div></div></div>
+<p><span><strong class="command">TKEY</strong></span>
+        is a mechanism for automatically generating a shared secret
+        between two hosts.  There are several "modes" of
+        <span><strong class="command">TKEY</strong></span> that specify how the key is generated
+        or assigned.  <acronym class="acronym">BIND</acronym> 9 implements only one of
+        these modes, the Diffie-Hellman key exchange.  Both hosts are
+        required to have a Diffie-Hellman KEY record (although this
+        record is not required to be present in a zone).  The
+        <span><strong class="command">TKEY</strong></span> process must use signed messages,
+        signed either by TSIG or SIG(0).  The result of
+        <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
+        sign messages with TSIG.  <span><strong class="command">TKEY</strong></span> can also be
+        used to delete shared secrets that it had previously
+        generated.
+      </p>
+<p>
+        The <span><strong class="command">TKEY</strong></span> process is initiated by a
+        client
+        or server by sending a signed <span><strong class="command">TKEY</strong></span>
+        query
+        (including any appropriate KEYs) to a TKEY-aware server.  The
+        server response, if it indicates success, will contain a
+        <span><strong class="command">TKEY</strong></span> record and any appropriate keys.
+        After
+        this exchange, both participants have enough information to
+        determine the shared secret; the exact process depends on the
+        <span><strong class="command">TKEY</strong></span> mode.  When using the
+        Diffie-Hellman
+        <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are
+        exchanged,
+        and the shared secret is derived by both participants.
+      </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2573982"></a>SIG(0)</h2></div></div></div>
-<p><acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
-    transaction signatures as specified in RFC 2535 and RFC2931.  SIG(0)
-    uses public/private keys to authenticate messages.  Access control
-    is performed in the same manner as TSIG keys; privileges can be
-    granted or denied based on the key name.</p>
-<p>When a SIG(0) signed message is received, it will only be
-    verified if the key is known and trusted by the server; the server
-    will not attempt to locate and / or validate the key.</p>
-<p>SIG(0) signing of multiple-message TCP streams is not
-    supported.</p>
-<p>The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
-    generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.</p>
+<a name="id2571306"></a>SIG(0)</h2></div></div></div>
+<p>
+        <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
+            transaction signatures as specified in RFC 2535 and RFC2931.
+        SIG(0)
+        uses public/private keys to authenticate messages.  Access control
+        is performed in the same manner as TSIG keys; privileges can be
+        granted or denied based on the key name.
+      </p>
+<p>
+        When a SIG(0) signed message is received, it will only be
+        verified if the key is known and trusted by the server; the server
+        will not attempt to locate and/or validate the key.
+      </p>
+<p>
+        SIG(0) signing of multiple-message TCP streams is not
+        supported.
+      </p>
+<p>
+        The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
+        generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
+      </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
-<p>Cryptographic authentication of DNS information is possible
-    through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>)
-    extensions, defined in RFC 4033, RFC4034 and RFC4035.  This
-    section describes the creation and use of DNSSEC signed
-    zones.</p>
-<p>In order to set up a DNSSEC secure zone, there are a series
-    of steps which must be followed.  <acronym class="acronym">BIND</acronym> 9 ships
-    with several tools
-    that are used in this process, which are explained in more detail
-    below.  In all cases, the <code class="option">-h</code> option prints a
-    full list of parameters.  Note that the DNSSEC tools require the
-    keyset files to be in the working directory or the
-    directory specified by the <code class="option">-h</code> option, and
-    that the tools shipped with BIND 9.2.x and earlier are not compatible
-    with the current ones.</p>
-<p>There must also be communication with the administrators of
-    the parent and/or child zone to transmit keys.  A zone's security
-    status must be indicated by the parent zone for a DNSSEC capable 
-    resolver to trust its data.  This is done through the presence
-    or absence of a <code class="literal">DS</code> record at the delegation
-    point.</p>
-<p>For other servers to trust data in this zone, they must
-    either be statically configured with this zone's zone key or the
-    zone key of another zone above this one in the DNS tree.</p>
+<p>
+        Cryptographic authentication of DNS information is possible
+        through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
+        defined in RFC 4033, RFC 4034 and RFC 4035.
+        This section describes the creation and use of DNSSEC signed zones.
+      </p>
+<p>
+        In order to set up a DNSSEC secure zone, there are a series
+        of steps which must be followed.  <acronym class="acronym">BIND</acronym>
+        9 ships
+        with several tools
+        that are used in this process, which are explained in more detail
+        below.  In all cases, the <code class="option">-h</code> option prints a
+        full list of parameters.  Note that the DNSSEC tools require the
+        keyset files to be in the working directory or the
+        directory specified by the <code class="option">-d</code> option, and
+        that the tools shipped with BIND 9.2.x and earlier are not compatible
+        with the current ones.
+      </p>
+<p>
+        There must also be communication with the administrators of
+        the parent and/or child zone to transmit keys.  A zone's security
+        status must be indicated by the parent zone for a DNSSEC capable
+        resolver to trust its data.  This is done through the presence
+        or absence of a <code class="literal">DS</code> record at the
+        delegation
+        point.
+      </p>
+<p>
+        For other servers to trust data in this zone, they must
+        either be statically configured with this zone's zone key or the
+        zone key of another zone above this one in the DNS tree.
+      </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574049"></a>Generating Keys</h3></div></div></div>
-<p>The <span><strong class="command">dnssec-keygen</strong></span> program is used to
-      generate keys.</p>
-<p>A secure zone must contain one or more zone keys.  The
-      zone keys will sign all other records in the zone, as well as
-      the zone keys of any secure delegated zones.  Zone keys must
-      have the same name as the zone, a name type of
-      <span><strong class="command">ZONE</strong></span>, and must be usable for authentication.
-      It is recommended that zone keys use a cryptographic algorithm
-      designated as "mandatory to implement" by the IETF; currently
-      the only one is RSASHA1.</p>
-<p>The following command will generate a 768-bit RSASHA1 key for
-      the <code class="filename">child.example</code> zone:</p>
-<p><strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong></p>
-<p>Two output files will be produced:
-      <code class="filename">Kchild.example.+005+12345.key</code> and
-      <code class="filename">Kchild.example.+005+12345.private</code> (where
-      12345 is an example of a key tag).  The key file names contain
-      the key name (<code class="filename">child.example.</code>), algorithm (3
-      is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
-      The private key (in the <code class="filename">.private</code> file) is
-      used to generate signatures, and the public key (in the
-      <code class="filename">.key</code> file) is used for signature
-      verification.</p>
-<p>To generate another key with the same properties (but with
-      a different key tag), repeat the above command.</p>
-<p>The public keys should be inserted into the zone file by
-      including the <code class="filename">.key</code> files using
-      <span><strong class="command">$INCLUDE</strong></span> statements.
-      </p>
+<a name="id2571579"></a>Generating Keys</h3></div></div></div>
+<p>
+          The <span><strong class="command">dnssec-keygen</strong></span> program is used to
+          generate keys.
+        </p>
+<p>
+          A secure zone must contain one or more zone keys.  The
+          zone keys will sign all other records in the zone, as well as
+          the zone keys of any secure delegated zones.  Zone keys must
+          have the same name as the zone, a name type of
+          <span><strong class="command">ZONE</strong></span>, and must be usable for
+          authentication.
+          It is recommended that zone keys use a cryptographic algorithm
+          designated as "mandatory to implement" by the IETF; currently
+          the only one is RSASHA1.
+        </p>
+<p>
+          The following command will generate a 768-bit RSASHA1 key for
+          the <code class="filename">child.example</code> zone:
+        </p>
+<p>
+          <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
+        </p>
+<p>
+          Two output files will be produced:
+          <code class="filename">Kchild.example.+005+12345.key</code> and
+          <code class="filename">Kchild.example.+005+12345.private</code>
+          (where
+          12345 is an example of a key tag).  The key file names contain
+          the key name (<code class="filename">child.example.</code>),
+          algorithm (3
+          is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
+          this case).
+          The private key (in the <code class="filename">.private</code>
+          file) is
+          used to generate signatures, and the public key (in the
+          <code class="filename">.key</code> file) is used for signature
+          verification.
+        </p>
+<p>
+          To generate another key with the same properties (but with
+          a different key tag), repeat the above command.
+        </p>
+<p>
+          The public keys should be inserted into the zone file by
+          including the <code class="filename">.key</code> files using
+          <span><strong class="command">$INCLUDE</strong></span> statements.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574116"></a>Signing the Zone</h3></div></div></div>
-<p>The <span><strong class="command">dnssec-signzone</strong></span> program is used to
-      sign a zone.</p>
-<p>Any <code class="filename">keyset</code> files corresponding
-      to secure subzones should be present.  The zone signer will
-      generate <code class="literal">NSEC</code> and <code class="literal">RRSIG</code>
-      records for the zone, as well as <code class="literal">DS</code> for
-      the child zones if <code class="literal">'-d'</code> is specified.
-      If <code class="literal">'-d'</code> is not specified, then DS RRsets for
-      the secure child zones need to be added manually.</p>
-<p>The following command signs the zone, assuming it is in a
-      file called <code class="filename">zone.child.example</code>.  By
-      default, all zone keys which have an available private key are
-      used to generate signatures.</p>
-<p><strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong></p>
-<p>One output file is produced:
-      <code class="filename">zone.child.example.signed</code>.  This file
-      should be referenced by <code class="filename">named.conf</code> as the
-      input file for the zone.</p>
-<p><span><strong class="command">dnssec-signzone</strong></span> will also produce a
-      keyset and dsset files and optionally a dlvset file.  These
-      are used to provide the parent zone administators with the
-      <code class="literal">DNSKEYs</code> (or their corresponding <code class="literal">DS</code>
-      records) that are the secure entry point to the zone.</p>
+<a name="id2571649"></a>Signing the Zone</h3></div></div></div>
+<p>
+          The <span><strong class="command">dnssec-signzone</strong></span> program is used
+          to
+          sign a zone.
+        </p>
+<p>
+          Any <code class="filename">keyset</code> files corresponding
+          to secure subzones should be present.  The zone signer will
+          generate <code class="literal">NSEC</code> and <code class="literal">RRSIG</code>
+          records for the zone, as well as <code class="literal">DS</code>
+          for
+          the child zones if <code class="literal">'-d'</code> is specified.
+                If <code class="literal">'-d'</code> is not specified, then
+          DS RRsets for
+          the secure child zones need to be added manually.
+        </p>
+<p>
+          The following command signs the zone, assuming it is in a
+          file called <code class="filename">zone.child.example</code>.  By
+                default, all zone keys which have an available private key are
+                used to generate signatures.
+        </p>
+<p>
+          <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
+        </p>
+<p>
+          One output file is produced:
+          <code class="filename">zone.child.example.signed</code>.  This
+          file
+          should be referenced by <code class="filename">named.conf</code>
+          as the
+          input file for the zone.
+        </p>
+<p><span><strong class="command">dnssec-signzone</strong></span>
+          will also produce a keyset and dsset files and optionally a
+          dlvset file.  These are used to provide the parent zone
+          administators with the <code class="literal">DNSKEYs</code> (or their
+          corresponding <code class="literal">DS</code> records) that are the
+          secure entry point to the zone.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574259"></a>Configuring Servers</h3></div></div></div>
+<a name="id2571728"></a>Configuring Servers</h3></div></div></div>
 <p>
-	  To enable <span><strong class="command">named</strong></span> to respond appropriately
-	  to DNS requests from DNSSEC aware clients,
-	  <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
-          </p>
+          To enable <span><strong class="command">named</strong></span> to respond appropriately
+          to DNS requests from DNSSEC aware clients,
+          <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
+        </p>
 <p>
-	  To enable <span><strong class="command">named</strong></span> to validate answers from
-	  other servers <span><strong class="command">dnssec-enable</strong></span> and
-	  some <span><strong class="command">trusted-keys</strong></span> must be configured
-	  into <code class="filename">named.conf</code>.
-          </p>
+          To enable <span><strong class="command">named</strong></span> to validate answers from
+          other servers both <span><strong class="command">dnssec-enable</strong></span> and
+          <span><strong class="command">dnssec-validate</strong></span> must be set and some
+          <span><strong class="command">trusted-keys</strong></span> must be configured
+          into <code class="filename">named.conf</code>.
+        </p>
+<p>
+          <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
+          for zones that are used to form the first link in the
+          cryptographic chain of trust.  All keys listed in
+          <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
+          are deemed to exist and only the listed keys will be used
+          to validated the DNSKEY RRset that they are from.
+        </p>
 <p>
-	  <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
-	  for zones that are used to form the first link in the
-	  cryptographic chain of trust.  All keys listed in
-	  <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
-	  are deemed to exist and only the listed keys will be used
-	  to validated the DNSKEY RRset that they are from.
-	</p>
-<p>
-	  <span><strong class="command">trusted-keys</strong></span> are described in more detail
-	  later in this document.
-	</p>
-<p>
-	  Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
-	  9 does not verify signatures on load, so zone keys for
-	  authoritative zones do not need to be specified in the
-	  configuration file.
-	</p>
-<p>
-	  After DNSSEC gets established, a typical DNSSEC configuration
-	  will look something like the following.  It has a one or
-	  more public keys for the root.  This allows answers from
-	  outside the organization to be validated.  It will also
-	  have several keys for parts of the namespace the organization
-	  controls.  These are here to ensure that named is immune
-	  to compromises in the DNSSEC components of the security
-	  of parent zones.
-	</p>
+          <span><strong class="command">trusted-keys</strong></span> are described in more detail
+          later in this document.
+        </p>
+<p>
+          Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
+          9 does not verify signatures on load, so zone keys for
+          authoritative zones do not need to be specified in the
+          configuration file.
+        </p>
+<p>
+          After DNSSEC gets established, a typical DNSSEC configuration
+          will look something like the following.  It has a one or
+          more public keys for the root.  This allows answers from
+          outside the organization to be validated.  It will also
+          have several keys for parts of the namespace the organization
+          controls.  These are here to ensure that named is immune
+          to compromises in the DNSSEC components of the security
+          of parent zones.
+        </p>
 <pre class="programlisting">
 trusted-keys {
 
-	/* Root Key */
+        /* Root Key */
 "." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
-	     E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
-	     zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
-	     MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
-	     /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
-	     iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
-	     Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
+             E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
+             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
+             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
+             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
+             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
+             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
 
 /* Key for our organization's forward zone */
 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
                       3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
-	              OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
-		      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
-		      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
-		      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
-		      SCThlHf3xiYleDbt/o1OTQ09A0=";
+                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
+                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
+                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
+                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
+                      SCThlHf3xiYleDbt/o1OTQ09A0=";
 
 /* Key for our reverse zone. */
 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
                                 VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
-				tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
-				yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
-				4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
-			        zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
-				7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
-				52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
+                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
+                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
+                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
+                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
+                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
+                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
 };
 
 options {
-	...
-	dnssec-enable yes;
+        ...
+        dnssec-enable yes;
+        dnssec-validation yes;
 };
 </pre>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-	  None of the keys listed in this example are valid.  In particular,
-	  the root key is not valid.
-	</div>
+          None of the keys listed in this example are valid.  In particular,
+          the root key is not valid.
+        </div>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2574396"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
-<p><acronym class="acronym">BIND</acronym> 9 fully supports all currently defined forms of IPv6
-    name to address and address to name lookups.  It will also use
-    IPv6 addresses to make queries when running on an IPv6 capable
-    system.</p>
-<p>For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports only AAAA
-    records.  The use of A6 records is deprecated by RFC 3363, and the
-    support for forward lookups in <acronym class="acronym">BIND</acronym> 9 is
-    removed accordingly.
-    However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
-    load zone files containing A6 records correctly, answer queries
-    for A6 records, and accept zone transfer for a zone containing A6
-    records.</p>
-<p>For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
-    the traditional "nibble" format used in the
-    <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
-    <span class="emphasis"><em>ip6.int</em></span> domain.
-    <acronym class="acronym">BIND</acronym> 9 formerly
-    supported the "binary label" (also known as "bitstring") format.
-    The support of binary labels, however, is now completely removed
-    according to the changes in RFC 3363.
-    Any applications in <acronym class="acronym">BIND</acronym> 9 do not understand
-    the format any more, and will return an error if given.
-    In particular, an authoritative <acronym class="acronym">BIND</acronym> 9 name
-    server rejects to load a zone file containing binary labels.</p>
-<p>For an overview of the format and structure of IPv6 addresses,
-    see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called &#8220;IPv6 addresses (AAAA)&#8221;</a>.</p>
+<a name="id2571802"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
+<p>
+        <acronym class="acronym">BIND</acronym> 9 fully supports all currently
+        defined forms of IPv6
+        name to address and address to name lookups.  It will also use
+        IPv6 addresses to make queries when running on an IPv6 capable
+        system.
+      </p>
+<p>
+        For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
+        only AAAA records.  RFC 3363 deprecated the use of A6 records,
+        and client-side support for A6 records was accordingly removed
+        from <acronym class="acronym">BIND</acronym> 9.
+        However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
+        load zone files containing A6 records correctly, answer queries
+        for A6 records, and accept zone transfer for a zone containing A6
+        records.
+      </p>
+<p>
+        For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
+        the traditional "nibble" format used in the
+        <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
+        <span class="emphasis"><em>ip6.int</em></span> domain.
+        Older versions of <acronym class="acronym">BIND</acronym> 9 
+        supported the "binary label" (also known as "bitstring") format,
+        but support of binary labels has been completely removed per
+        RFC 3363.
+        Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
+        the binary label format at all any more, and will return an
+        error if given.
+        In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
+        name server will not load a zone file containing binary labels.
+      </p>
+<p>
+        For an overview of the format and structure of IPv6 addresses,
+        see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called &#8220;IPv6 addresses (AAAA)&#8221;</a>.
+      </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574455"></a>Address Lookups Using AAAA Records</h3></div></div></div>
-<p>The AAAA record is a parallel to the IPv4 A record.  It
-      specifies the entire address in a single record.  For
-      example,</p>
+<a name="id2572001"></a>Address Lookups Using AAAA Records</h3></div></div></div>
+<p>
+          The IPv6 AAAA record is a parallel to the IPv4 A record,
+          and, unlike the deprecated A6 record, specifies the entire
+          IPv6 address in a single record.  For example,
+        </p>
 <pre class="programlisting">
 $ORIGIN example.com.
 host            3600    IN      AAAA    2001:db8::1
 </pre>
-<p>It is recommended that IPv4-in-IPv6 mapped addresses not
-        be used.  If a host has an IPv4 address, use an A record, not
-        a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as the
-        address.</p>
+<p>
+          Use of IPv4-in-IPv6 mapped addresses is not recommended.
+          If a host has an IPv4 address, use an A record, not
+          a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
+          the address.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574475"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
-<p>When looking up an address in nibble format, the address
-      components are simply reversed, just as in IPv4, and
-      <code class="literal">ip6.arpa.</code> is appended to the resulting name.
-      For example, the following would provide reverse name lookup for
-      a host with address
-      <code class="literal">2001:db8::1</code>.</p>
+<a name="id2572022"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
+<p>
+          When looking up an address in nibble format, the address
+          components are simply reversed, just as in IPv4, and
+          <code class="literal">ip6.arpa.</code> is appended to the
+          resulting name.
+          For example, the following would provide reverse name lookup for
+          a host with address
+          <code class="literal">2001:db8::1</code>.
+        </p>
 <pre class="programlisting">
 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   14400 IN      PTR     host.example.com.
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch05.html b/contrib/bind9/doc/arm/Bv9ARM.ch05.html
index 51abc58..7d06e91 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch05.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch05.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch05.html,v 1.24.2.5.2.17 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch05.html,v 1.33.18.28 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 5. The BIND 9 Lightweight Resolver</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
@@ -45,53 +45,81 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2574507">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572055">The Lightweight Resolver Library</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2574507"></a>The Lightweight Resolver Library</h2></div></div></div>
-<p>Traditionally applications have been linked with a stub resolver
-library that sends recursive DNS queries to a local caching name
-server.</p>
-<p>IPv6 once introduced new complexity into the resolution process,
-such as following A6 chains and DNAME records, and simultaneous
-lookup of IPv4 and IPv6 addresses.  Though most of the complexity was
-then removed, these are hard or impossible
-to implement in a traditional stub resolver.</p>
-<p>Instead, <acronym class="acronym">BIND</acronym> 9 provides resolution services to local clients
-using a combination of a lightweight resolver library and a resolver
-daemon process running on the local host.  These communicate using
-a simple UDP-based protocol, the "lightweight resolver protocol"
-that is distinct from and simpler than the full DNS protocol.</p>
+<a name="id2572055"></a>The Lightweight Resolver Library</h2></div></div></div>
+<p>
+        Traditionally applications have been linked with a stub resolver
+        library that sends recursive DNS queries to a local caching name
+        server.
+      </p>
+<p>
+        IPv6 once introduced new complexity into the resolution process,
+        such as following A6 chains and DNAME records, and simultaneous
+        lookup of IPv4 and IPv6 addresses.  Though most of the complexity was
+        then removed, these are hard or impossible
+        to implement in a traditional stub resolver.
+      </p>
+<p>
+        <acronym class="acronym">BIND</acronym> 9 therefore can also provide resolution
+        services to local clients
+        using a combination of a lightweight resolver library and a resolver
+        daemon process running on the local host.  These communicate using
+        a simple UDP-based protocol, the "lightweight resolver protocol"
+        that is distinct from and simpler than the full DNS protocol.
+      </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="lwresd"></a>Running a Resolver Daemon</h2></div></div></div>
-<p>To use the lightweight resolver interface, the system must
-run the resolver daemon <span><strong class="command">lwresd</strong></span> or a local
-name server configured with a <span><strong class="command">lwres</strong></span> statement.</p>
-<p>By default, applications using the lightweight resolver library will make
-UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.  The
-address can be overridden by <span><strong class="command">lwserver</strong></span> lines in
-<code class="filename">/etc/resolv.conf</code>.</p>
-<p>The daemon currently only looks in the DNS, but in the future
-it may use other sources such as <code class="filename">/etc/hosts</code>,
-NIS, etc.</p>
-<p>The <span><strong class="command">lwresd</strong></span> daemon is essentially a
-caching-only name server that responds to requests using the lightweight
-resolver protocol rather than the DNS protocol.  Because it needs
-to run on each host, it is designed to require no or minimal configuration.
-Unless configured otherwise, it uses the name servers listed on
-<span><strong class="command">nameserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code>
-as forwarders, but is also capable of doing the resolution autonomously if
-none are specified.</p>
-<p>The <span><strong class="command">lwresd</strong></span> daemon may also be configured with a
-<code class="filename">named.conf</code> style configuration file, in
-<code class="filename">/etc/lwresd.conf</code> by default.  A name server may also
-be configured to act as a lightweight resolver daemon using the
-<span><strong class="command">lwres</strong></span> statement in <code class="filename">named.conf</code>.</p>
+<p>
+        To use the lightweight resolver interface, the system must
+        run the resolver daemon <span><strong class="command">lwresd</strong></span> or a
+        local
+        name server configured with a <span><strong class="command">lwres</strong></span>
+        statement.
+      </p>
+<p>
+        By default, applications using the lightweight resolver library will
+        make
+        UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
+        The
+        address can be overridden by <span><strong class="command">lwserver</strong></span>
+        lines in
+        <code class="filename">/etc/resolv.conf</code>.
+      </p>
+<p>
+        The daemon currently only looks in the DNS, but in the future
+        it may use other sources such as <code class="filename">/etc/hosts</code>,
+        NIS, etc.
+      </p>
+<p>
+        The <span><strong class="command">lwresd</strong></span> daemon is essentially a
+        caching-only name server that responds to requests using the
+        lightweight
+        resolver protocol rather than the DNS protocol.  Because it needs
+        to run on each host, it is designed to require no or minimal
+        configuration.
+        Unless configured otherwise, it uses the name servers listed on
+        <span><strong class="command">nameserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code>
+        as forwarders, but is also capable of doing the resolution
+        autonomously if
+        none are specified.
+      </p>
+<p>
+        The <span><strong class="command">lwresd</strong></span> daemon may also be
+        configured with a
+        <code class="filename">named.conf</code> style configuration file,
+        in
+        <code class="filename">/etc/lwresd.conf</code> by default.  A name
+        server may also
+        be configured to act as a lightweight resolver daemon using the
+        <span><strong class="command">lwres</strong></span> statement in <code class="filename">named.conf</code>.
+      </p>
 </div>
 </div>
 <div class="navfooter">
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch06.html b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
index 1474685..cb17489 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch06.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch06.html,v 1.56.2.12.2.43 2006/11/15 04:33:41 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch06.html,v 1.82.18.63 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 6. BIND 9 Configuration Reference</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
@@ -48,64 +48,79 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575672">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573470">Comment Syntax</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576157"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574151"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
-Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576326"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576672"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576686"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576709"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576730"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576870"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577064"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578270"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578343"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578406"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578518"><span><strong class="command">masters</strong></span> Statement Definition and Usage </a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578533"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt>
+          Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574341"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
+          Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574770"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574785"><span><strong class="command">include</strong></span> Statement Definition and
+          Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574808"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574829"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574920"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575046"><span><strong class="command">logging</strong></span> Statement Definition and
+          Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576396"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576470"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576534"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576578"><span><strong class="command">masters</strong></span> Statement Definition and
+          Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576593"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
+          Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586290"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586338"><span><strong class="command">trusted-keys</strong></span> Statement Definition
-	    and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
+            Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585018"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585136"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+            and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586420"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585216"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
-Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587635"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+            Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586586"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589173">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2588846">Zone File</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590605">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590800">Discussion of MX Records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591102">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591208">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591377"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591419">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591546">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591803"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
 </dl>
 </div>
-<p><acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
-to <acronym class="acronym">BIND</acronym> 8; however, there are a few new areas
-of configuration, such as views. <acronym class="acronym">BIND</acronym>
-8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
-9, although more complex configurations should be reviewed to check
-if they can be more efficiently implemented using the new features
-found in <acronym class="acronym">BIND</acronym> 9.</p>
-<p><acronym class="acronym">BIND</acronym> 4 configuration files can be converted to the new format
-using the shell script
-<code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.</p>
+<p>
+      <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
+      to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
+      areas
+      of configuration, such as views. <acronym class="acronym">BIND</acronym>
+      8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
+      9, although more complex configurations should be reviewed to check
+      if they can be more efficiently implemented using the new features
+      found in <acronym class="acronym">BIND</acronym> 9.
+    </p>
+<p>
+      <acronym class="acronym">BIND</acronym> 4 configuration files can be
+      converted to the new format
+      using the shell script
+      <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
+    </p>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
-<p>Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
-file documentation:</p>
+<p>
+        Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
+        file documentation:
+      </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -113,129 +128,298 @@ file documentation:</p>
 </colgroup>
 <tbody>
 <tr>
-<td><p><code class="varname">acl_name</code></p></td>
-<td><p>The name of an <code class="varname">address_match_list</code> as
-defined by the <span><strong class="command">acl</strong></span> statement.</p></td>
+<td>
+                <p>
+                  <code class="varname">acl_name</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  The name of an <code class="varname">address_match_list</code> as
+                  defined by the <span><strong class="command">acl</strong></span> statement.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">address_match_list</code></p></td>
-<td><p>A list of one or more <code class="varname">ip_addr</code>, 
-<code class="varname">ip_prefix</code>, <code class="varname">key_id</code>, 
-or <code class="varname">acl_name</code> elements, see
-<a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.</p></td>
+<td>
+                <p>
+                  <code class="varname">address_match_list</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A list of one or more
+                  <code class="varname">ip_addr</code>,
+                  <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
+                  or <code class="varname">acl_name</code> elements, see
+                  <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">domain_name</code></p></td>
-<td><p>A quoted string which will be used as
-a DNS name, for example "<code class="literal">my.test.domain</code>".</p></td>
+<td>
+                <p>
+                  <code class="varname">masters_list</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A named list of one or more <code class="varname">ip_addr</code>
+                  with optional <code class="varname">key_id</code> and/or
+                  <code class="varname">ip_port</code>.
+                  A <code class="varname">masters_list</code> may include other
+                  <code class="varname">masters_lists</code>.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">dotted_decimal</code></p></td>
-<td><p>One to four integers valued 0 through
-255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>, 
-<span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.</p></td>
+<td>
+                <p>
+                  <code class="varname">domain_name</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A quoted string which will be used as
+                  a DNS name, for example "<code class="literal">my.test.domain</code>".
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">ip4_addr</code></p></td>
-<td><p>An IPv4 address with exactly four elements
-in <code class="varname">dotted_decimal</code> notation.</p></td>
+<td>
+                <p>
+                  <code class="varname">dotted_decimal</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  One to four integers valued 0 through
+                  255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
+                  <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">ip6_addr</code></p></td>
-<td><p>An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
-IPv6 scoped addresses that have ambiguity on their scope zones must be
-disambiguated by an appropriate zone ID with the percent character
-(`%') as delimiter.
-It is strongly recommended to use string zone names rather than
-numeric identifiers, in order to be robust against system
-configuration changes.
-However, since there is no standard mapping for such names and
-identifier values, currently only interface names as link identifiers
-are supported, assuming one-to-one mapping between interfaces and links.
-For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
-link attached to the interface <span><strong class="command">ne0</strong></span>
-can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
-Note that on most systems link-local addresses always have the
-ambiguity, and need to be disambiguated.</p></td>
+<td>
+                <p>
+                  <code class="varname">ip4_addr</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  An IPv4 address with exactly four elements
+                  in <code class="varname">dotted_decimal</code> notation.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">ip_addr</code></p></td>
-<td><p>An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.</p></td>
+<td>
+                <p>
+                  <code class="varname">ip6_addr</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
+                  IPv6 scoped addresses that have ambiguity on their scope
+                  zones must be
+                  disambiguated by an appropriate zone ID with the percent
+                  character
+                  (`%') as delimiter.
+                  It is strongly recommended to use string zone names rather
+                  than
+                  numeric identifiers, in order to be robust against system
+                  configuration changes.
+                  However, since there is no standard mapping for such names
+                  and
+                  identifier values, currently only interface names as link
+                  identifiers
+                  are supported, assuming one-to-one mapping between
+                  interfaces and links.
+                  For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
+                  link attached to the interface <span><strong class="command">ne0</strong></span>
+                  can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
+                  Note that on most systems link-local addresses always have
+                  the
+                  ambiguity, and need to be disambiguated.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">ip_port</code></p></td>
-<td><p>An IP port <code class="varname">number</code>.
-<code class="varname">number</code> is limited to 0 through 65535, with values
-below 1024 typically restricted to use by processes running as root.
-In some cases, an asterisk (`*') character can be used as a placeholder to
-select a random high-numbered port.</p></td>
+<td>
+                <p>
+                  <code class="varname">ip_addr</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">ip_prefix</code></p></td>
-<td><p>An IP network specified as an <code class="varname">ip_addr</code>,
-followed by a slash (`/') and then the number of bits in the netmask.
-Trailing zeros in a <code class="varname">ip_addr</code> may omitted.
-For example, <span><strong class="command">127/8</strong></span> is the network <span><strong class="command">127.0.0.0</strong></span> with
-netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
-network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.</p></td>
+<td>
+                <p>
+                  <code class="varname">ip_port</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  An IP port <code class="varname">number</code>.
+                  <code class="varname">number</code> is limited to 0
+                  through 65535, with values
+                  below 1024 typically restricted to use by processes running
+                  as root.
+                  In some cases, an asterisk (`*') character can be used as a
+                  placeholder to
+                  select a random high-numbered port.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
+                  <code class="varname">ip_prefix</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  An IP network specified as an <code class="varname">ip_addr</code>,
+                  followed by a slash (`/') and then the number of bits in the
+                  netmask.
+                  Trailing zeros in a <code class="varname">ip_addr</code>
+                  may omitted.
+                  For example, <span><strong class="command">127/8</strong></span> is the
+                  network <span><strong class="command">127.0.0.0</strong></span> with
+                  netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
+                  network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">key_id</code></p></td>
-<td><p>A <code class="varname">domain_name</code> representing
-the name of a shared key, to be used for transaction security.</p></td>
+<td>
+                <p>
+                  <code class="varname">key_id</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A <code class="varname">domain_name</code> representing
+                  the name of a shared key, to be used for transaction
+                  security.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">key_list</code></p></td>
-<td><p>A list of one or more <code class="varname">key_id</code>s,
-separated by semicolons and ending with a semicolon.</p></td>
+<td>
+                <p>
+                  <code class="varname">key_list</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A list of one or more
+                  <code class="varname">key_id</code>s,
+                  separated by semicolons and ending with a semicolon.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">number</code></p></td>
-<td><p>A non-negative 32-bit integer
-(i.e., a number between 0 and 4294967295, inclusive).
-Its acceptable value might further
-be limited by the context in which it is used.</p></td>
+<td>
+                <p>
+                  <code class="varname">number</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A non-negative 32-bit integer
+                  (i.e., a number between 0 and 4294967295, inclusive).
+                  Its acceptable value might further
+                  be limited by the context in which it is used.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">path_name</code></p></td>
-<td><p>A quoted string which will be used as
-a pathname, such as <code class="filename">zones/master/my.test.domain</code>.</p></td>
+<td>
+                <p>
+                  <code class="varname">path_name</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A quoted string which will be used as
+                  a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">size_spec</code></p></td>
 <td>
-<p>A number, the word <strong class="userinput"><code>unlimited</code></strong>,
-or the word <strong class="userinput"><code>default</code></strong>.</p>
-<p>
-An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
-use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
-the limit that was in force when the server was started.</p>
-<p>A <code class="varname">number</code> can
-optionally be followed by a scaling factor: <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong> for
-kilobytes, <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong> for
-megabytes, and <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
-which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</p>
-<p>The value must be representable as a 64-bit unsigned integer
-(0 to 18446744073709551615, inclusive).
-Using <code class="varname">unlimited</code> is the best way
-to safely set a really large number.</p>
-</td>
+                <p>
+                  <code class="varname">size_spec</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A number, the word <strong class="userinput"><code>unlimited</code></strong>,
+                  or the word <strong class="userinput"><code>default</code></strong>.
+                </p>
+                <p>
+                  An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
+                  use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
+                  the limit that was in force when the server was started.
+                </p>
+                <p>
+                  A <code class="varname">number</code> can optionally be
+                  followed by a scaling factor:
+                  <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
+                  for kilobytes,
+                  <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
+                  for megabytes, and
+                  <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
+                  which scale by 1024, 1024*1024, and 1024*1024*1024
+                  respectively.
+                </p>
+                <p>
+                  The value must be representable as a 64-bit unsigned integer
+                  (0 to 18446744073709551615, inclusive).
+                  Using <code class="varname">unlimited</code> is the best
+                  way
+                  to safely set a really large number.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">yes_or_no</code></p></td>
-<td><p>Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
-The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
-also accepted, as are the numbers <strong class="userinput"><code>1</code></strong> and <strong class="userinput"><code>0</code></strong>.</p></td>
+<td>
+                <p>
+                  <code class="varname">yes_or_no</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
+                  The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
+                  also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
+                  and <strong class="userinput"><code>0</code></strong>.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><code class="varname">dialup_option</code></p></td>
-<td><p>One of <strong class="userinput"><code>yes</code></strong>,
-<strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
-<strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
-<strong class="userinput"><code>passive</code></strong>.
-When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
-<strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
-are restricted to slave and stub zones.</p></td>
+<td>
+                <p>
+                  <code class="varname">dialup_option</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  One of <strong class="userinput"><code>yes</code></strong>,
+                  <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
+                  <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
+                  <strong class="userinput"><code>passive</code></strong>.
+                  When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
+                  <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
+                  are restricted to slave and stub zones.
+                </p>
+              </td>
 </tr>
 </tbody>
 </table></div>
@@ -244,7 +428,7 @@ are restricted to slave and stub zones.</p></td>
 <a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2575552"></a>Syntax</h4></div></div></div>
+<a name="id2573336"></a>Syntax</h4></div></div></div>
 <pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
   [<span class="optional"> address_match_list_element; ... </span>]
 <code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
@@ -253,115 +437,181 @@ are restricted to slave and stub zones.</p></td>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2575578"></a>Definition and Usage</h4></div></div></div>
-<p>Address match lists are primarily used to determine access
-control for various server operations. They are also used in
-the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
-statements. The elements
-which constitute an address match list can be any of the following:</p>
+<a name="id2573364"></a>Definition and Usage</h4></div></div></div>
+<p>
+            Address match lists are primarily used to determine access
+            control for various server operations. They are also used in
+            the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
+            statements. The elements
+            which constitute an address match list can be any of the
+            following:
+          </p>
 <div class="itemizedlist"><ul type="disc">
 <li>an IP address (IPv4 or IPv6)</li>
 <li>an IP prefix (in `/' notation)</li>
-<li>a key ID, as defined by the <span><strong class="command">key</strong></span> statement</li>
+<li>
+                a key ID, as defined by the <span><strong class="command">key</strong></span>
+                statement
+              </li>
 <li>the name of an address match list defined with
-the <span><strong class="command">acl</strong></span> statement</li>
+                the <span><strong class="command">acl</strong></span> statement
+              </li>
 <li>a nested address match list enclosed in braces</li>
 </ul></div>
-<p>Elements can be negated with a leading exclamation mark (`!'),
-and the match list names "any", "none", "localhost", and "localnets"
-are predefined. More information on those names can be found in
-the description of the acl statement.</p>
-<p>The addition of the key clause made the name of this syntactic
-element something of a misnomer, since security keys can be used
-to validate access without regard to a host or network address. Nonetheless,
-the term "address match list" is still used throughout the documentation.</p>
-<p>When a given IP address or prefix is compared to an address
-match list, the list is traversed in order until an element matches.
-The interpretation of a match depends on whether the list is being used
-for access control, defining listen-on ports, or in a sortlist,
-and whether the element was negated.</p>
-<p>When used as an access control list, a non-negated match allows
-access and a negated match denies access. If there is no match,
-access is denied. The clauses <span><strong class="command">allow-notify</strong></span>,
-<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
-<span><strong class="command">allow-update</strong></span>, <span><strong class="command">allow-update-forwarding</strong></span>,
-and <span><strong class="command">blackhole</strong></span> all
-use address match lists  this. Similarly, the listen-on option will cause
-the server to not accept queries on any of the machine's addresses
-which do not match the list.</p>
-<p>Because of the first-match aspect of the algorithm, an element
-that defines a subset of another element in the list should come
-before the broader element, regardless of whether either is negated. For
-example, in
-<span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13 element is
-completely useless because the algorithm will match any lookup for
-1.2.3.13 to the 1.2.3/24 element.
-Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
-that problem by having 1.2.3.13 blocked by the negation but all
-other 1.2.3.* hosts fall through.</p>
+<p>
+            Elements can be negated with a leading exclamation mark (`!'),
+            and the match list names "any", "none", "localhost", and
+            "localnets"
+            are predefined. More information on those names can be found in
+            the description of the acl statement.
+          </p>
+<p>
+            The addition of the key clause made the name of this syntactic
+            element something of a misnomer, since security keys can be used
+            to validate access without regard to a host or network address.
+            Nonetheless,
+            the term "address match list" is still used throughout the
+            documentation.
+          </p>
+<p>
+            When a given IP address or prefix is compared to an address
+            match list, the list is traversed in order until an element
+            matches.
+            The interpretation of a match depends on whether the list is being
+            used
+            for access control, defining listen-on ports, or in a sortlist,
+            and whether the element was negated.
+          </p>
+<p>
+            When used as an access control list, a non-negated match
+            allows access and a negated match denies access. If
+            there is no match, access is denied. The clauses
+            <span><strong class="command">allow-notify</strong></span>,
+            <span><strong class="command">allow-query</strong></span>,
+            <span><strong class="command">allow-query-cache</strong></span>,
+            <span><strong class="command">allow-transfer</strong></span>,
+            <span><strong class="command">allow-update</strong></span>,
+            <span><strong class="command">allow-update-forwarding</strong></span>, and
+            <span><strong class="command">blackhole</strong></span> all use address match
+            lists.  Similarly, the listen-on option will cause the
+            server to not accept queries on any of the machine's
+            addresses which do not match the list.
+          </p>
+<p>
+            Because of the first-match aspect of the algorithm, an element
+            that defines a subset of another element in the list should come
+            before the broader element, regardless of whether either is
+            negated. For
+            example, in
+            <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13
+            element is
+            completely useless because the algorithm will match any lookup for
+            1.2.3.13 to the 1.2.3/24 element.
+            Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
+            that problem by having 1.2.3.13 blocked by the negation but all
+            other 1.2.3.* hosts fall through.
+          </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575672"></a>Comment Syntax</h3></div></div></div>
-<p>The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for comments to appear
-anywhere that white space may appear in a <acronym class="acronym">BIND</acronym> configuration
-file. To appeal to programmers of all kinds, they can be written
-in the C, C++, or shell/perl style.</p>
+<a name="id2573470"></a>Comment Syntax</h3></div></div></div>
+<p>
+          The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
+          comments to appear
+          anywhere that white space may appear in a <acronym class="acronym">BIND</acronym> configuration
+          file. To appeal to programmers of all kinds, they can be written
+          in the C, C++, or shell/perl style.
+        </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2575687"></a>Syntax</h4></div></div></div>
+<a name="id2573485"></a>Syntax</h4></div></div></div>
+<p>
+            </p>
 <pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
 <p>
-</p>
+            </p>
 <pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
 <p>
-</p>
+            </p>
 <pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells and perl</pre>
 <p>
-      </p>
+          </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2575716"></a>Definition and Usage</h4></div></div></div>
-<p>Comments may appear anywhere that white space may appear in
-a <acronym class="acronym">BIND</acronym> configuration file.</p>
-<p>C-style comments start with the two characters /* (slash,
-star) and end with */ (star, slash). Because they are completely
-delimited with these characters, they can be used to comment only
-a portion of a line or to span multiple lines.</p>
-<p>C-style comments cannot be nested. For example, the following
-is not valid because the entire comment ends with the first */:</p>
+<a name="id2573515"></a>Definition and Usage</h4></div></div></div>
+<p>
+            Comments may appear anywhere that white space may appear in
+            a <acronym class="acronym">BIND</acronym> configuration file.
+          </p>
+<p>
+            C-style comments start with the two characters /* (slash,
+            star) and end with */ (star, slash). Because they are completely
+            delimited with these characters, they can be used to comment only
+            a portion of a line or to span multiple lines.
+          </p>
+<p>
+            C-style comments cannot be nested. For example, the following
+            is not valid because the entire comment ends with the first */:
+          </p>
+<p>
+
+</p>
 <pre class="programlisting">/* This is the start of a comment.
    This is still part of the comment.
 /* This is an incorrect attempt at nesting a comment. */
    This is no longer in any comment. */
 </pre>
-<p>C++-style comments start with the two characters // (slash,
-slash) and continue to the end of the physical line. They cannot
-be continued across multiple physical lines; to have one logical
-comment span multiple lines, each line must use the // pair.</p>
-<p>For example:</p>
+<p>
+
+          </p>
+<p>
+            C++-style comments start with the two characters // (slash,
+            slash) and continue to the end of the physical line. They cannot
+            be continued across multiple physical lines; to have one logical
+            comment span multiple lines, each line must use the // pair.
+          </p>
+<p>
+            For example:
+          </p>
+<p>
+
+</p>
 <pre class="programlisting">// This is the start of a comment.  The next line
 // is a new comment, even though it is logically
 // part of the previous comment.
 </pre>
-<p>Shell-style (or perl-style, if you prefer) comments start
-with the character <code class="literal">#</code> (number sign) and continue to the end of the
-physical line, as in C++ comments.</p>
-<p>For example:</p>
+<p>
+
+          </p>
+<p>
+            Shell-style (or perl-style, if you prefer) comments start
+            with the character <code class="literal">#</code> (number sign)
+            and continue to the end of the
+            physical line, as in C++ comments.
+          </p>
+<p>
+            For example:
+          </p>
+<p>
+
+</p>
 <pre class="programlisting"># This is the start of a comment.  The next line
 # is a new comment, even though it is logically
 # part of the previous comment.
 </pre>
 <p>
-</p>
+
+          </p>
 <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
-<p>You cannot use the semicolon (`;') character
-   to start a comment such as you would in a zone file. The
-   semicolon indicates the end of a configuration
-   statement.</p>
+<p>
+              You cannot use the semicolon (`;') character
+              to start a comment such as you would in a zone file. The
+              semicolon indicates the end of a configuration
+              statement.
+            </p>
 </div>
 </div>
 </div>
@@ -369,12 +619,17 @@ physical line, as in C++ comments.</p>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
-<p>A <acronym class="acronym">BIND</acronym> 9 configuration consists of statements and comments.
-    Statements end with a semicolon. Statements and comments are the
-    only elements that can appear without enclosing braces. Many
-    statements contain a block of sub-statements, which are also
-    terminated with a semicolon.</p>
-<p>The following statements are supported:</p>
+<p>
+        A <acronym class="acronym">BIND</acronym> 9 configuration consists of
+        statements and comments.
+        Statements end with a semicolon. Statements and comments are the
+        only elements that can appear without enclosing braces. Many
+        statements contain a block of sub-statements, which are also
+        terminated with a semicolon.
+      </p>
+<p>
+        The following statements are supported:
+      </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -382,85 +637,167 @@ physical line, as in C++ comments.</p>
 </colgroup>
 <tbody>
 <tr>
-<td><p><span><strong class="command">acl</strong></span></p></td>
-<td><p>defines a named IP address
-matching list, for access control and other uses.</p></td>
+<td>
+                <p><span><strong class="command">acl</strong></span></p>
+              </td>
+<td>
+                <p>
+                  defines a named IP address
+                  matching list, for access control and other uses.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">controls</strong></span></p></td>
-<td><p>declares control channels to be used
-by the <span><strong class="command">rndc</strong></span> utility.</p></td>
+<td>
+                <p><span><strong class="command">controls</strong></span></p>
+              </td>
+<td>
+                <p>
+                  declares control channels to be used
+                  by the <span><strong class="command">rndc</strong></span> utility.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">include</strong></span></p></td>
-<td><p>includes a file.</p></td>
+<td>
+                <p><span><strong class="command">include</strong></span></p>
+              </td>
+<td>
+                <p>
+                  includes a file.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">key</strong></span></p></td>
-<td><p>specifies key information for use in
-authentication and authorization using TSIG.</p></td>
+<td>
+                <p><span><strong class="command">key</strong></span></p>
+              </td>
+<td>
+                <p>
+                  specifies key information for use in
+                  authentication and authorization using TSIG.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">logging</strong></span></p></td>
-<td><p>specifies what the server logs, and where
-the log messages are sent.</p></td>
+<td>
+                <p><span><strong class="command">logging</strong></span></p>
+              </td>
+<td>
+                <p>
+                  specifies what the server logs, and where
+                  the log messages are sent.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">lwres</strong></span></p></td>
-<td><p>configures <span><strong class="command">named</strong></span> to
-also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).</p></td>
+<td>
+                <p><span><strong class="command">lwres</strong></span></p>
+              </td>
+<td>
+                <p>
+                  configures <span><strong class="command">named</strong></span> to
+                  also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">masters</strong></span></p></td>
-<td><p>defines a named masters list for
-inclusion in stub and slave zone masters clauses.</p></td>
+<td>
+                <p><span><strong class="command">masters</strong></span></p>
+              </td>
+<td>
+                <p>
+                  defines a named masters list for
+                  inclusion in stub and slave zone masters clauses.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">options</strong></span></p></td>
-<td><p>controls global server configuration
-options and sets defaults for other statements.</p></td>
+<td>
+                <p><span><strong class="command">options</strong></span></p>
+              </td>
+<td>
+                <p>
+                  controls global server configuration
+                  options and sets defaults for other statements.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">server</strong></span></p></td>
-<td><p>sets certain configuration options on
-a per-server basis.</p></td>
+<td>
+                <p><span><strong class="command">server</strong></span></p>
+              </td>
+<td>
+                <p>
+                  sets certain configuration options on
+                  a per-server basis.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">trusted-keys</strong></span></p></td>
-<td><p>defines trusted DNSSEC keys.</p></td>
+<td>
+                <p><span><strong class="command">trusted-keys</strong></span></p>
+              </td>
+<td>
+                <p>
+                  defines trusted DNSSEC keys.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">view</strong></span></p></td>
-<td><p>defines a view.</p></td>
+<td>
+                <p><span><strong class="command">view</strong></span></p>
+              </td>
+<td>
+                <p>
+                  defines a view.
+                </p>
+              </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">zone</strong></span></p></td>
-<td><p>defines a zone.</p></td>
+<td>
+                <p><span><strong class="command">zone</strong></span></p>
+              </td>
+<td>
+                <p>
+                  defines a zone.
+                </p>
+              </td>
 </tr>
 </tbody>
 </table></div>
-<p>The <span><strong class="command">logging</strong></span> and
-    <span><strong class="command">options</strong></span> statements may only occur once per
-    configuration.</p>
+<p>
+        The <span><strong class="command">logging</strong></span> and
+        <span><strong class="command">options</strong></span> statements may only occur once
+        per
+        configuration.
+      </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2576157"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name { 
-    address_match_list 
+<a name="id2574151"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
+<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
+    address_match_list
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
-Usage</h3></div></div></div>
-<p>The <span><strong class="command">acl</strong></span> statement assigns a symbolic
-      name to an address match list. It gets its name from a primary
-      use of address match lists: Access Control Lists (ACLs).</p>
-<p>Note that an address match list's name must be defined
-      with <span><strong class="command">acl</strong></span> before it can be used elsewhere; no
-      forward references are allowed.</p>
-<p>The following ACLs are built-in:</p>
+          Usage</h3></div></div></div>
+<p>
+          The <span><strong class="command">acl</strong></span> statement assigns a symbolic
+          name to an address match list. It gets its name from a primary
+          use of address match lists: Access Control Lists (ACLs).
+        </p>
+<p>
+          Note that an address match list's name must be defined
+          with <span><strong class="command">acl</strong></span> before it can be used
+          elsewhere; no
+          forward references are allowed.
+        </p>
+<p>
+          The following ACLs are built-in:
+        </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -468,155 +805,201 @@ Usage</h3></div></div></div>
 </colgroup>
 <tbody>
 <tr>
-<td><p><span><strong class="command">any</strong></span></p></td>
-<td><p>Matches all hosts.</p></td>
+<td>
+                  <p><span><strong class="command">any</strong></span></p>
+                </td>
+<td>
+                  <p>
+                    Matches all hosts.
+                  </p>
+                </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">none</strong></span></p></td>
-<td><p>Matches no hosts.</p></td>
+<td>
+                  <p><span><strong class="command">none</strong></span></p>
+                </td>
+<td>
+                  <p>
+                    Matches no hosts.
+                  </p>
+                </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">localhost</strong></span></p></td>
-<td><p>Matches the IPv4 and IPv6 addresses of all network
-interfaces on the system.</p></td>
+<td>
+                  <p><span><strong class="command">localhost</strong></span></p>
+                </td>
+<td>
+                  <p>
+                    Matches the IPv4 and IPv6 addresses of all network
+                    interfaces on the system.
+                  </p>
+                </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">localnets</strong></span></p></td>
-<td><p>Matches any host on an IPv4 or IPv6 network
-for which the system has an interface.
-Some systems do not provide a way to determine the prefix lengths of
-local IPv6 addresses.
-In such a case, <span><strong class="command">localnets</strong></span> only matches the local
-IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
-</p></td>
+<td>
+                  <p><span><strong class="command">localnets</strong></span></p>
+                </td>
+<td>
+                  <p>
+                    Matches any host on an IPv4 or IPv6 network
+                    for which the system has an interface.
+                    Some systems do not provide a way to determine the prefix
+                    lengths of
+                    local IPv6 addresses.
+                    In such a case, <span><strong class="command">localnets</strong></span>
+                    only matches the local
+                    IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
+                  </p>
+                </td>
 </tr>
 </tbody>
 </table></div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2576326"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574341"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">controls</strong></span> {
-   inet ( ip_addr | * ) [<span class="optional"> port ip_port </span>] allow { <em class="replaceable"><code> address_match_list </code></em> }
-                keys { <em class="replaceable"><code> key_list </code></em> };
-   [<span class="optional"> inet ...; </span>]
+   [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
+                keys { <em class="replaceable"><code>key_list</code></em> }; ]
+   [ inet ...; ]
+   [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em> keys { <em class="replaceable"><code>key_list</code></em> }; ]
+   [ unix ...; ]
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">controls</strong></span> statement declares control
-      channels to be used by system administrators to control the
-      operation of the name server. These control channels are
-      used by the <span><strong class="command">rndc</strong></span> utility to send commands to
-      and retrieve non-DNS results from a name server.</p>
-<p>An <span><strong class="command">inet</strong></span> control channel is a TCP
-      socket listening at the specified
-      <span><strong class="command">ip_port</strong></span> on the specified
-      <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
-      address.  An <span><strong class="command">ip_addr</strong></span>
-      of <code class="literal">*</code> (asterisk) is interpreted as the IPv4 wildcard
-      address; connections will be accepted on any of the system's
-      IPv4 addresses.  To listen on the IPv6 wildcard address,
-      use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
-      If you will only use <span><strong class="command">rndc</strong></span> on the local host,
-      using the loopback address (<code class="literal">127.0.0.1</code>
-      or <code class="literal">::1</code>) is recommended for maximum
-      security.
-      </p>
+<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
+          Usage</h3></div></div></div>
 <p>
-      If no port is specified, port 953
-      is used.  The asterisk "<code class="literal">*</code>" cannot be used for
-      <span><strong class="command">ip_port</strong></span>.</p>
-<p>The ability to issue commands over the control channel is
-      restricted by the <span><strong class="command">allow</strong></span> and
-      <span><strong class="command">keys</strong></span> clauses. Connections to the control
-      channel are permitted based on the
-      <span><strong class="command">address_match_list</strong></span>.  This is for simple
-      IP address based filtering only; any <span><strong class="command">key_id</strong></span>
-      elements of the <span><strong class="command">address_match_list</strong></span> are
-      ignored.
-      </p>
-<p>The primary authorization mechanism of the command
-      channel is the <span><strong class="command">key_list</strong></span>, which contains
-      a list of <span><strong class="command">key_id</strong></span>s.
-      Each <span><strong class="command">key_id</strong></span> in
-      the <span><strong class="command">key_list</strong></span> is authorized to execute
-      commands over the control channel.
-      See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in
-      <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>) for information about
-      configuring keys in <span><strong class="command">rndc</strong></span>.</p>
-<p>
-If no <span><strong class="command">controls</strong></span> statement is present,
-<span><strong class="command">named</strong></span> will set up a default
-control channel listening on the loopback address 127.0.0.1
-and its IPv6 counterpart ::1.
-In this case, and also when the <span><strong class="command">controls</strong></span> statement
-is present but does not have a <span><strong class="command">keys</strong></span> clause,
-<span><strong class="command">named</strong></span> will attempt to load the command channel key
-from the file <code class="filename">rndc.key</code> in
-<code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
-was specified as when <acronym class="acronym">BIND</acronym> was built).
-To create a <code class="filename">rndc.key</code> file, run
-<strong class="userinput"><code>rndc-confgen -a</code></strong>.
-</p>
-<p>The <code class="filename">rndc.key</code> feature was created to
-      ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
-      which did not have digital signatures on its command channel messages
-      and thus did not have a <span><strong class="command">keys</strong></span> clause.
+          The <span><strong class="command">controls</strong></span> statement declares control
+          channels to be used by system administrators to control the
+          operation of the name server. These control channels are
+          used by the <span><strong class="command">rndc</strong></span> utility to send
+          commands to and retrieve non-DNS results from a name server.
+        </p>
+<p>
+          An <span><strong class="command">inet</strong></span> control channel is a TCP socket
+          listening at the specified <span><strong class="command">ip_port</strong></span> on the
+          specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
+          address.  An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
+          interpreted as the IPv4 wildcard address; connections will be
+          accepted on any of the system's IPv4 addresses.
+          To listen on the IPv6 wildcard address,
+          use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
+          If you will only use <span><strong class="command">rndc</strong></span> on the local host,
+          using the loopback address (<code class="literal">127.0.0.1</code>
+          or <code class="literal">::1</code>) is recommended for maximum security.
+        </p>
+<p>
+          If no port is specified, port 953 is used. The asterisk
+          "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
+        </p>
+<p>
+          The ability to issue commands over the control channel is
+          restricted by the <span><strong class="command">allow</strong></span> and
+          <span><strong class="command">keys</strong></span> clauses.
+          Connections to the control channel are permitted based on the
+          <span><strong class="command">address_match_list</strong></span>.  This is for simple
+          IP address based filtering only; any <span><strong class="command">key_id</strong></span>
+          elements of the <span><strong class="command">address_match_list</strong></span>
+          are ignored.
+        </p>
+<p>
+          A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
+          socket listening at the specified path in the file system.
+          Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
+          <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
+          Note on some platforms (SunOS and Solaris) the permissions
+          (<span><strong class="command">perm</strong></span>) are applied to the parent directory
+          as the permissions on the socket itself are ignored.
+        </p>
+<p>
+          The primary authorization mechanism of the command
+          channel is the <span><strong class="command">key_list</strong></span>, which
+          contains a list of <span><strong class="command">key_id</strong></span>s.
+          Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
+          is authorized to execute commands over the control channel.
+          See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>)
+          for information about configuring keys in <span><strong class="command">rndc</strong></span>.
+        </p>
+<p>
+          If no <span><strong class="command">controls</strong></span> statement is present,
+          <span><strong class="command">named</strong></span> will set up a default
+          control channel listening on the loopback address 127.0.0.1
+          and its IPv6 counterpart ::1.
+          In this case, and also when the <span><strong class="command">controls</strong></span> statement
+          is present but does not have a <span><strong class="command">keys</strong></span> clause,
+          <span><strong class="command">named</strong></span> will attempt to load the command channel key
+          from the file <code class="filename">rndc.key</code> in
+          <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
+          was specified as when <acronym class="acronym">BIND</acronym> was built).
+          To create a <code class="filename">rndc.key</code> file, run
+          <strong class="userinput"><code>rndc-confgen -a</code></strong>.
+        </p>
+<p>
+          The <code class="filename">rndc.key</code> feature was created to
+          ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
+          which did not have digital signatures on its command channel
+          messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
 
-It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
-configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
-and still have <span><strong class="command">rndc</strong></span> work the same way
-<span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
-command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
-installed.
-</p>
+          It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
+          configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
+          and still have <span><strong class="command">rndc</strong></span> work the same way
+          <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
+          command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
+          installed.
+        </p>
 <p>
-      Since the <code class="filename">rndc.key</code> feature
-      is only intended to allow the backward-compatible usage of
-      <acronym class="acronym">BIND</acronym> 8 configuration files, this feature does not
-      have a high degree of configurability.  You cannot easily change
-      the key name or the size of the secret, so you should make a
-      <code class="filename">rndc.conf</code> with your own key if you wish to change
-      those things.  The <code class="filename">rndc.key</code> file also has its
-      permissions set such that only the owner of the file (the user that
-      <span><strong class="command">named</strong></span> is running as) can access it.  If you
-      desire greater flexibility in allowing other users to access
-      <span><strong class="command">rndc</strong></span> commands, then you need to create a
-      <code class="filename">rndc.conf</code> file and make it group readable by a group
-      that contains the users who should have access.</p>
-<p>The UNIX control channel type of <acronym class="acronym">BIND</acronym> 8 is not supported
-      in <acronym class="acronym">BIND</acronym> 9.0, <acronym class="acronym">BIND</acronym> 9.1,
-      <acronym class="acronym">BIND</acronym> 9.2 and <acronym class="acronym">BIND</acronym> 9.3.
-      If it is present in the controls statement from a
-      <acronym class="acronym">BIND</acronym> 8 configuration file, it is ignored
-      and a warning is logged.</p>
-<p>
-To disable the command channel, use an empty <span><strong class="command">controls</strong></span>
-statement: <span><strong class="command">controls { };</strong></span>.
-</p>
+          Since the <code class="filename">rndc.key</code> feature
+          is only intended to allow the backward-compatible usage of
+          <acronym class="acronym">BIND</acronym> 8 configuration files, this
+          feature does not
+          have a high degree of configurability.  You cannot easily change
+          the key name or the size of the secret, so you should make a
+          <code class="filename">rndc.conf</code> with your own key if you
+          wish to change
+          those things.  The <code class="filename">rndc.key</code> file
+          also has its
+          permissions set such that only the owner of the file (the user that
+          <span><strong class="command">named</strong></span> is running as) can access it.
+          If you
+          desire greater flexibility in allowing other users to access
+          <span><strong class="command">rndc</strong></span> commands, then you need to create
+          a
+          <code class="filename">rndc.conf</code> file and make it group
+          readable by a group
+          that contains the users who should have access.
+        </p>
+<p>
+          To disable the command channel, use an empty
+          <span><strong class="command">controls</strong></span> statement:
+          <span><strong class="command">controls { };</strong></span>.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2576672"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574770"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2576686"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">include</strong></span> statement inserts the
-      specified file at the point where the <span><strong class="command">include</strong></span>
-      statement is encountered. The <span><strong class="command">include</strong></span>
-      statement facilitates the administration of configuration files
-      by permitting the reading or writing of some things but not
-      others. For example, the statement could include private keys
-      that are readable only by the name server.</p>
+<a name="id2574785"></a><span><strong class="command">include</strong></span> Statement Definition and
+          Usage</h3></div></div></div>
+<p>
+          The <span><strong class="command">include</strong></span> statement inserts the
+          specified file at the point where the <span><strong class="command">include</strong></span>
+          statement is encountered. The <span><strong class="command">include</strong></span>
+                statement facilitates the administration of configuration
+          files
+          by permitting the reading or writing of some things but not
+          others. For example, the statement could include private keys
+          that are readable only by the name server.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2576709"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574808"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> {
     algorithm <em class="replaceable"><code>string</code></em>;
     secret <em class="replaceable"><code>string</code></em>;
@@ -625,43 +1008,58 @@ statement: <span><strong class="command">controls { };</strong></span>.
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2576730"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">key</strong></span> statement defines a shared
-secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
-or the command channel
-(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>).
-</p>
+<a name="id2574829"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
-The <span><strong class="command">key</strong></span> statement can occur at the top level
-of the configuration file or inside a <span><strong class="command">view</strong></span> 
-statement.  Keys defined in top-level <span><strong class="command">key</strong></span>
-statements can be used in all views.  Keys intended for use in
-a <span><strong class="command">controls</strong></span> statement
-(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>)
-must be defined at the top level.
-</p>
-<p>The <em class="replaceable"><code>key_id</code></em>, also known as the
-key name, is a domain name uniquely identifying the key. It can
-be used in a <span><strong class="command">server</strong></span>
-statement to cause requests sent to that
-server to be signed with this key, or in address match lists to
-verify that incoming requests have been signed with a key
-matching this name, algorithm, and secret.</p>
-<p>The <em class="replaceable"><code>algorithm_id</code></em> is a string
-that specifies a security/authentication algorithm. The only
-algorithm currently supported with TSIG authentication is
-<code class="literal">hmac-md5</code>.  The
-<em class="replaceable"><code>secret_string</code></em> is the secret to be
-used by the algorithm, and is treated as a base-64 encoded
-string.</p>
+          The <span><strong class="command">key</strong></span> statement defines a shared
+          secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
+          or the command channel
+          (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
+          Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
+          Usage&#8221;</a>).
+        </p>
+<p>
+          The <span><strong class="command">key</strong></span> statement can occur at the
+          top level
+          of the configuration file or inside a <span><strong class="command">view</strong></span>
+          statement.  Keys defined in top-level <span><strong class="command">key</strong></span>
+          statements can be used in all views.  Keys intended for use in
+          a <span><strong class="command">controls</strong></span> statement
+          (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
+          Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
+          Usage&#8221;</a>)
+          must be defined at the top level.
+        </p>
+<p>
+          The <em class="replaceable"><code>key_id</code></em>, also known as the
+          key name, is a domain name uniquely identifying the key. It can
+          be used in a <span><strong class="command">server</strong></span>
+          statement to cause requests sent to that
+          server to be signed with this key, or in address match lists to
+          verify that incoming requests have been signed with a key
+          matching this name, algorithm, and secret.
+        </p>
+<p>
+          The <em class="replaceable"><code>algorithm_id</code></em> is a string
+          that specifies a security/authentication algorithm.  Named
+          supports <code class="literal">hmac-md5</code>,
+          <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
+          <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
+          and <code class="literal">hmac-sha512</code> TSIG authentication.
+          Truncated hashes are supported by appending the minimum
+          number of required bits preceeded by a dash, e.g.
+          <code class="literal">hmac-sha1-80</code>.  The
+          <em class="replaceable"><code>secret_string</code></em> is the secret
+          to be used by the algorithm, and is treated as a base-64
+          encoded string.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2576870"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574920"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">logging</strong></span> {
    [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
      ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
-         [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <code class="literal">unlimited</code> ) ]
+         [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
          [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
        | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
        | <span><strong class="command">stderr</strong></span>
@@ -673,7 +1071,7 @@ string.</p>
      [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
    }; ]
    [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
-     <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_nam</code></em>e ; ... ]
+     <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
    }; ]
    ...
 };
@@ -681,148 +1079,223 @@ string.</p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577064"></a><span><strong class="command">logging</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">logging</strong></span> statement configures a wide
-variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
-associates output methods, format options and severity levels with
-a name that can then be used with the <span><strong class="command">category</strong></span> phrase
-to select how various classes of messages are logged.</p>
-<p>Only one <span><strong class="command">logging</strong></span> statement is used to define
-as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
-the logging configuration will be:</p>
+<a name="id2575046"></a><span><strong class="command">logging</strong></span> Statement Definition and
+          Usage</h3></div></div></div>
+<p>
+          The <span><strong class="command">logging</strong></span> statement configures a
+          wide
+          variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
+          associates output methods, format options and severity levels with
+          a name that can then be used with the <span><strong class="command">category</strong></span> phrase
+          to select how various classes of messages are logged.
+        </p>
+<p>
+          Only one <span><strong class="command">logging</strong></span> statement is used to
+          define
+          as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
+          the logging configuration will be:
+        </p>
 <pre class="programlisting">logging {
      category default { default_syslog; default_debug; };
      category unmatched { null; };
 };
 </pre>
-<p>In <acronym class="acronym">BIND</acronym> 9, the logging configuration is only established when
-the entire configuration file has been parsed.  In <acronym class="acronym">BIND</acronym> 8, it was
-established as soon as the <span><strong class="command">logging</strong></span> statement
-was parsed. When the server is starting up, all logging messages
-regarding syntax errors in the configuration file go to the default
-channels, or to standard error if the "<code class="option">-g</code>" option
-was specified.</p>
+<p>
+          In <acronym class="acronym">BIND</acronym> 9, the logging configuration
+          is only established when
+          the entire configuration file has been parsed.  In <acronym class="acronym">BIND</acronym> 8, it was
+          established as soon as the <span><strong class="command">logging</strong></span>
+          statement
+          was parsed. When the server is starting up, all logging messages
+          regarding syntax errors in the configuration file go to the default
+          channels, or to standard error if the "<code class="option">-g</code>" option
+          was specified.
+        </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2577116"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
-<p>All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
-you can make as many of them as you want.</p>
-<p>Every channel definition must include a destination clause that
-says whether messages selected for the channel go to a file, to a
-particular syslog facility, to the standard error stream, or are
-discarded. It can optionally also limit the message severity level
-that will be accepted by the channel (the default is
-<span><strong class="command">info</strong></span>), and whether to include a
-<span><strong class="command">named</strong></span>-generated time stamp, the category name
-and/or severity level (the default is not to include any).</p>
-<p>The <span><strong class="command">null</strong></span> destination clause 
-causes all messages sent to the channel to be discarded;
-in that case, other options for the channel are meaningless.</p>
-<p>The <span><strong class="command">file</strong></span> destination clause directs the channel
-to a disk file.  It can include limitations
-both on how large the file is allowed to become, and how many versions
-of the file will be saved each time the file is opened.</p>
-<p>If you use the <span><strong class="command">versions</strong></span> log file option, then
-<span><strong class="command">named</strong></span> will retain that many backup versions of the file by
-renaming them when opening.  For example, if you choose to keep three old versions
-of the file <code class="filename">lamers.log</code>, then just before it is opened
-<code class="filename">lamers.log.1</code> is renamed to
-<code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
-to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
-renamed to <code class="filename">lamers.log.0</code>.
-You can say <span><strong class="command">versions unlimited</strong></span> to not limit
-the number of versions.
-If a <span><strong class="command">size</strong></span> option is associated with the log file,
-then renaming is only done when the file being opened exceeds the
-indicated size.  No backup versions are kept by default; any existing
-log file is simply appended.</p>
-<p>The <span><strong class="command">size</strong></span> option for files is used to limit log
-growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
-stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
-associated with it.  If backup versions are kept, the files are rolled as
-described above and a new one begun.  If there is no
-<span><strong class="command">versions</strong></span> option, no more data will be written to the log
-until some out-of-band mechanism removes or truncates the log to less than the
-maximum size.  The default behavior is not to limit the size of the
-file.</p>
-<p>Example usage of the <span><strong class="command">size</strong></span> and
-<span><strong class="command">versions</strong></span> options:</p>
+<a name="id2575098"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
+<p>
+            All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
+            you can make as many of them as you want.
+          </p>
+<p>
+            Every channel definition must include a destination clause that
+            says whether messages selected for the channel go to a file, to a
+            particular syslog facility, to the standard error stream, or are
+            discarded. It can optionally also limit the message severity level
+            that will be accepted by the channel (the default is
+            <span><strong class="command">info</strong></span>), and whether to include a
+            <span><strong class="command">named</strong></span>-generated time stamp, the
+            category name
+            and/or severity level (the default is not to include any).
+          </p>
+<p>
+            The <span><strong class="command">null</strong></span> destination clause
+            causes all messages sent to the channel to be discarded;
+            in that case, other options for the channel are meaningless.
+          </p>
+<p>
+            The <span><strong class="command">file</strong></span> destination clause directs
+            the channel
+            to a disk file.  It can include limitations
+            both on how large the file is allowed to become, and how many
+            versions
+            of the file will be saved each time the file is opened.
+          </p>
+<p>
+            If you use the <span><strong class="command">versions</strong></span> log file
+            option, then
+            <span><strong class="command">named</strong></span> will retain that many backup
+            versions of the file by
+            renaming them when opening.  For example, if you choose to keep
+            three old versions
+            of the file <code class="filename">lamers.log</code>, then just
+            before it is opened
+            <code class="filename">lamers.log.1</code> is renamed to
+            <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
+            to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
+            renamed to <code class="filename">lamers.log.0</code>.
+            You can say <span><strong class="command">versions unlimited</strong></span> to
+            not limit
+            the number of versions.
+            If a <span><strong class="command">size</strong></span> option is associated with
+            the log file,
+            then renaming is only done when the file being opened exceeds the
+            indicated size.  No backup versions are kept by default; any
+            existing
+            log file is simply appended.
+          </p>
+<p>
+            The <span><strong class="command">size</strong></span> option for files is used
+            to limit log
+            growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
+            stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
+            associated with it.  If backup versions are kept, the files are
+            rolled as
+            described above and a new one begun.  If there is no
+            <span><strong class="command">versions</strong></span> option, no more data will
+            be written to the log
+            until some out-of-band mechanism removes or truncates the log to
+            less than the
+            maximum size.  The default behavior is not to limit the size of
+            the
+            file.
+          </p>
+<p>
+            Example usage of the <span><strong class="command">size</strong></span> and
+            <span><strong class="command">versions</strong></span> options:
+          </p>
 <pre class="programlisting">channel an_example_channel {
     file "example.log" versions 3 size 20m;
     print-time yes;
     print-category yes;
 };
 </pre>
-<p>The <span><strong class="command">syslog</strong></span> destination clause directs the
-channel to the system log.  Its argument is a
-syslog facility as described in the <span><strong class="command">syslog</strong></span> man
-page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
-<span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
-<span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
-<span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
-<span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
-<span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
-<span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
-<span><strong class="command">local7</strong></span>, however not all facilities are supported on
-all operating systems.
-How <span><strong class="command">syslog</strong></span> will handle messages sent to
-this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
-page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
-only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
-then this clause is silently ignored.</p>
-<p>The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
-"priorities", except that they can also be used if you are writing
-straight to a file rather than using <span><strong class="command">syslog</strong></span>.
-Messages which are not at least of the severity level given will
-not be selected for the channel; messages of higher severity levels
-will be accepted.</p>
-<p>If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
-will also determine what eventually passes through. For example,
-defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
-only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
-cause messages of severity <span><strong class="command">info</strong></span> and <span><strong class="command">notice</strong></span> to
-be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
-messages of only <span><strong class="command">warning</strong></span> or higher, then <span><strong class="command">syslogd</strong></span> would
-print all messages it received from the channel.</p>
-<p>The <span><strong class="command">stderr</strong></span> destination clause directs the
-channel to the server's standard error stream.  This is intended for
-use when the server is running as a foreground process, for example
-when debugging a configuration.</p>
-<p>The server can supply extensive debugging information when
-it is in debugging mode. If the server's global debug level is greater
-than zero, then debugging mode will be active. The global debug
-level is set either by starting the <span><strong class="command">named</strong></span> server
-with the <code class="option">-d</code> flag followed by a positive integer,
-or by running <span><strong class="command">rndc trace</strong></span>.
-The global debug level
-can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
+<p>
+            The <span><strong class="command">syslog</strong></span> destination clause
+            directs the
+            channel to the system log.  Its argument is a
+            syslog facility as described in the <span><strong class="command">syslog</strong></span> man
+            page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
+            <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
+            <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
+            <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
+            <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
+            <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
+            <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
+            <span><strong class="command">local7</strong></span>, however not all facilities
+            are supported on
+            all operating systems.
+            How <span><strong class="command">syslog</strong></span> will handle messages
+            sent to
+            this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
+            page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
+            only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
+            then this clause is silently ignored.
+          </p>
+<p>
+            The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
+            "priorities", except that they can also be used if you are writing
+            straight to a file rather than using <span><strong class="command">syslog</strong></span>.
+            Messages which are not at least of the severity level given will
+            not be selected for the channel; messages of higher severity
+            levels
+            will be accepted.
+          </p>
+<p>
+            If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
+            will also determine what eventually passes through. For example,
+            defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
+            only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
+            cause messages of severity <span><strong class="command">info</strong></span> and
+            <span><strong class="command">notice</strong></span> to
+            be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
+            messages of only <span><strong class="command">warning</strong></span> or higher,
+            then <span><strong class="command">syslogd</strong></span> would
+            print all messages it received from the channel.
+          </p>
+<p>
+            The <span><strong class="command">stderr</strong></span> destination clause
+            directs the
+            channel to the server's standard error stream.  This is intended
+            for
+            use when the server is running as a foreground process, for
+            example
+            when debugging a configuration.
+          </p>
+<p>
+            The server can supply extensive debugging information when
+            it is in debugging mode. If the server's global debug level is
+            greater
+            than zero, then debugging mode will be active. The global debug
+            level is set either by starting the <span><strong class="command">named</strong></span> server
+            with the <code class="option">-d</code> flag followed by a positive integer,
+            or by running <span><strong class="command">rndc trace</strong></span>.
+            The global debug level
+            can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
 notrace</strong></span>. All debugging messages in the server have a debug
-level, and higher debug levels give more detailed output. Channels
-that specify a specific debug severity, for example:</p>
+            level, and higher debug levels give more detailed output. Channels
+            that specify a specific debug severity, for example:
+          </p>
 <pre class="programlisting">channel specific_debug_level {
     file "foo";
     severity debug 3;
 };
 </pre>
-<p>will get debugging output of level 3 or less any time the
-server is in debugging mode, regardless of the global debugging
-level. Channels with <span><strong class="command">dynamic</strong></span> severity use the
-server's global debug level to determine what messages to print.</p>
-<p>If <span><strong class="command">print-time</strong></span> has been turned on, then
-the date and time will be logged. <span><strong class="command">print-time</strong></span> may
-be specified for a <span><strong class="command">syslog</strong></span> channel, but is usually
-pointless since <span><strong class="command">syslog</strong></span> also prints the date and
-time. If <span><strong class="command">print-category</strong></span> is requested, then the
-category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
-on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
-be used in any combination, and will always be printed in the following
-order: time, category, severity. Here is an example where all three <span><strong class="command">print-</strong></span> options
-are on:</p>
-<p><code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code></p>
-<p>There are four predefined channels that are used for
-<span><strong class="command">named</strong></span>'s default logging as follows. How they are
-used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span><strong class="command">category</strong></span> Phrase&#8221;</a>.
-</p>
+<p>
+            will get debugging output of level 3 or less any time the
+            server is in debugging mode, regardless of the global debugging
+            level. Channels with <span><strong class="command">dynamic</strong></span>
+            severity use the
+            server's global debug level to determine what messages to print.
+          </p>
+<p>
+            If <span><strong class="command">print-time</strong></span> has been turned on,
+            then
+            the date and time will be logged. <span><strong class="command">print-time</strong></span> may
+            be specified for a <span><strong class="command">syslog</strong></span> channel,
+            but is usually
+            pointless since <span><strong class="command">syslog</strong></span> also prints
+            the date and
+            time. If <span><strong class="command">print-category</strong></span> is
+            requested, then the
+            category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
+            on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
+            be used in any combination, and will always be printed in the
+            following
+            order: time, category, severity. Here is an example where all
+            three <span><strong class="command">print-</strong></span> options
+            are on:
+          </p>
+<p>
+            <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
+          </p>
+<p>
+            There are four predefined channels that are used for
+            <span><strong class="command">named</strong></span>'s default logging as follows.
+            How they are
+            used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span><strong class="command">category</strong></span> Phrase&#8221;</a>.
+          </p>
 <pre class="programlisting">channel default_syslog {
     syslog daemon;                      // send to syslog's daemon
                                         // facility
@@ -852,35 +1325,50 @@ channel null {
                                         // this channel
 };
 </pre>
-<p>The <span><strong class="command">default_debug</strong></span> channel has the special
-property that it only produces output when the server's debug level is
-nonzero.  It normally writes to a file called <code class="filename">named.run</code>
-in the server's working directory.</p>
-<p>For security reasons, when the "<code class="option">-u</code>"
-command line option is used, the <code class="filename">named.run</code> file
-is created only after <span><strong class="command">named</strong></span> has changed to the
-new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
-starting up and still running as root is discarded.  If you need
-to capture this output, you must run the server with the "<code class="option">-g</code>"
-option and redirect standard error to a file.</p>
-<p>Once a channel is defined, it cannot be redefined. Thus you
-cannot alter the built-in channels directly, but you can modify
-the default logging by pointing categories at channels you have defined.</p>
+<p>
+            The <span><strong class="command">default_debug</strong></span> channel has the
+            special
+            property that it only produces output when the server's debug
+            level is
+            nonzero.  It normally writes to a file called <code class="filename">named.run</code>
+            in the server's working directory.
+          </p>
+<p>
+            For security reasons, when the "<code class="option">-u</code>"
+            command line option is used, the <code class="filename">named.run</code> file
+            is created only after <span><strong class="command">named</strong></span> has
+            changed to the
+            new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
+            starting up and still running as root is discarded.  If you need
+            to capture this output, you must run the server with the "<code class="option">-g</code>"
+            option and redirect standard error to a file.
+          </p>
+<p>
+            Once a channel is defined, it cannot be redefined. Thus you
+            cannot alter the built-in channels directly, but you can modify
+            the default logging by pointing categories at channels you have
+            defined.
+          </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
-<p>There are many categories, so you can send the logs you want
-to see wherever you want, without seeing logs you don't want. If
-you don't specify a list of channels for a category, then log messages
-in that category will be sent to the <span><strong class="command">default</strong></span> category
-instead. If you don't specify a default category, the following
-"default default" is used:</p>
+<p>
+            There are many categories, so you can send the logs you want
+            to see wherever you want, without seeing logs you don't want. If
+            you don't specify a list of channels for a category, then log
+            messages
+            in that category will be sent to the <span><strong class="command">default</strong></span> category
+            instead. If you don't specify a default category, the following
+            "default default" is used:
+          </p>
 <pre class="programlisting">category default { default_syslog; default_debug; };
 </pre>
-<p>As an example, let's say you want to log security events to
-a file, but you also want keep the default logging behavior. You'd
-specify the following:</p>
+<p>
+            As an example, let's say you want to log security events to
+            a file, but you also want keep the default logging behavior. You'd
+            specify the following:
+          </p>
 <pre class="programlisting">channel my_security_channel {
     file "my_security_file";
     severity info;
@@ -890,13 +1378,17 @@ category security {
     default_syslog;
     default_debug;
 };</pre>
-<p>To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:</p>
+<p>
+            To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
+          </p>
 <pre class="programlisting">category xfer-out { null; };
 category notify { null; };
 </pre>
-<p>Following are the available categories and brief descriptions
-of the types of log information they contain. More
-categories may be added in future <acronym class="acronym">BIND</acronym> releases.</p>
+<p>
+            Following are the available categories and brief descriptions
+            of the types of log information they contain. More
+            categories may be added in future <acronym class="acronym">BIND</acronym> releases.
+          </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -904,114 +1396,235 @@ categories may be added in future <acronym class="acronym">BIND</acronym> releas
 </colgroup>
 <tbody>
 <tr>
-<td><p><span><strong class="command">default</strong></span></p></td>
-<td><p>The default category defines the logging
-options for those categories where no specific configuration has been
-defined.</p></td>
+<td>
+                    <p><span><strong class="command">default</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      The default category defines the logging
+                      options for those categories where no specific
+                      configuration has been
+                      defined.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">general</strong></span></p></td>
-<td><p>The catch-all. Many things still aren't
-classified into categories, and they all end up here.</p></td>
+<td>
+                    <p><span><strong class="command">general</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      The catch-all. Many things still aren't
+                      classified into categories, and they all end up here.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">database</strong></span></p></td>
-<td><p>Messages relating to the databases used
-internally by the name server to store zone and cache data.</p></td>
+<td>
+                    <p><span><strong class="command">database</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Messages relating to the databases used
+                      internally by the name server to store zone and cache
+                      data.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">security</strong></span></p></td>
-<td><p>Approval and denial of requests.</p></td>
+<td>
+                    <p><span><strong class="command">security</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Approval and denial of requests.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">config</strong></span></p></td>
-<td><p>Configuration file parsing and processing.</p></td>
+<td>
+                    <p><span><strong class="command">config</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Configuration file parsing and processing.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">resolver</strong></span></p></td>
-<td><p>DNS resolution, such as the recursive
-lookups performed on behalf of clients by a caching name server.</p></td>
+<td>
+                    <p><span><strong class="command">resolver</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      DNS resolution, such as the recursive
+                      lookups performed on behalf of clients by a caching name
+                      server.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">xfer-in</strong></span></p></td>
-<td><p>Zone transfers the server is receiving.</p></td>
+<td>
+                    <p><span><strong class="command">xfer-in</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Zone transfers the server is receiving.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">xfer-out</strong></span></p></td>
-<td><p>Zone transfers the server is sending.</p></td>
+<td>
+                    <p><span><strong class="command">xfer-out</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Zone transfers the server is sending.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">notify</strong></span></p></td>
-<td><p>The NOTIFY protocol.</p></td>
+<td>
+                    <p><span><strong class="command">notify</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      The NOTIFY protocol.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">client</strong></span></p></td>
-<td><p>Processing of client requests.</p></td>
+<td>
+                    <p><span><strong class="command">client</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Processing of client requests.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">unmatched</strong></span></p></td>
-<td><p>Messages that named was unable to determine the
-class of or for which there was no matching <span><strong class="command">view</strong></span>.
-A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
-This category is best sent to a file or stderr, by default it is sent to
-the <span><strong class="command">null</strong></span> channel.</p></td>
+<td>
+                    <p><span><strong class="command">unmatched</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Messages that named was unable to determine the
+                      class of or for which there was no matching <span><strong class="command">view</strong></span>.
+                      A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
+                      This category is best sent to a file or stderr, by
+                      default it is sent to
+                      the <span><strong class="command">null</strong></span> channel.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">network</strong></span></p></td>
-<td><p>Network operations.</p></td>
+<td>
+                    <p><span><strong class="command">network</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Network operations.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">update</strong></span></p></td>
-<td><p>Dynamic updates.</p></td>
+<td>
+                    <p><span><strong class="command">update</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Dynamic updates.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">update-security</strong></span></p></td>
-<td><p>Approval and denial of update requests.</p></td>
+<td>
+                    <p><span><strong class="command">update-security</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Approval and denial of update requests.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">queries</strong></span></p></td>
 <td>
-<p>Specify where queries should be logged to.</p>
-<p>
-At startup, specifying the category <span><strong class="command">queries</strong></span> will also
-enable query logging unless <span><strong class="command">querylog</strong></span> option has been
-specified.
-</p>
-<p>
-The query log entry reports the client's IP address and port number, and the
-query name, class and type.  It also reports whether the Recursion Desired
-flag was set (+ if set, - if not set), EDNS was in use (E) or if the
-query was signed (S).</p>
-<p><code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
-</p>
-<p><code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code>
-</p>
-</td>
+                    <p><span><strong class="command">queries</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Specify where queries should be logged to.
+                    </p>
+                    <p>
+                      At startup, specifying the category <span><strong class="command">queries</strong></span> will also
+                      enable query logging unless <span><strong class="command">querylog</strong></span> option has been
+                      specified.
+                    </p>
+                    <p>
+                      The query log entry reports the client's IP address and
+                      port number, and the
+                      query name, class and type.  It also reports whether the
+                      Recursion Desired
+                      flag was set (+ if set, - if not set), EDNS was in use
+                      (E) or if the
+                      query was signed (S).
+                    </p>
+                    <p>
+                      <code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
+                    </p>
+                    <p>
+                      <code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code>
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">dispatch</strong></span></p></td>
-<td><p>Dispatching of incoming packets to the
-server modules where they are to be processed.
-</p></td>
+<td>
+                    <p><span><strong class="command">dispatch</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Dispatching of incoming packets to the
+                      server modules where they are to be processed.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">dnssec</strong></span></p></td>
-<td><p>DNSSEC and TSIG protocol processing.
-</p></td>
+<td>
+                    <p><span><strong class="command">dnssec</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      DNSSEC and TSIG protocol processing.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">lame-servers</strong></span></p></td>
-<td><p>Lame servers.  These are misconfigurations
-in remote servers, discovered by BIND 9 when trying to query
-those servers during resolution.
-</p></td>
+<td>
+                    <p><span><strong class="command">lame-servers</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Lame servers.  These are misconfigurations
+                      in remote servers, discovered by BIND 9 when trying to
+                      query
+                      those servers during resolution.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">delegation-only</strong></span></p></td>
-<td><p>Delegation only.  Logs queries that have have
-been forced to NXDOMAIN as the result of a delegation-only zone or
-a <span><strong class="command">delegation-only</strong></span> in a hint or stub zone declaration.
-</p></td>
+<td>
+                    <p><span><strong class="command">delegation-only</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Delegation only.  Logs queries that have have
+                      been forced to NXDOMAIN as the result of a
+                      delegation-only zone or
+                      a <span><strong class="command">delegation-only</strong></span> in a
+                      hint or stub zone declaration.
+                    </p>
+                  </td>
 </tr>
 </tbody>
 </table></div>
@@ -1019,9 +1632,11 @@ a <span><strong class="command">delegation-only</strong></span> in a hint or stu
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2578270"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
-<p> This is the grammar of the <span><strong class="command">lwres</strong></span>
-statement in the <code class="filename">named.conf</code> file:</p>
+<a name="id2576396"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
+<p>
+           This is the grammar of the <span><strong class="command">lwres</strong></span>
+          statement in the <code class="filename">named.conf</code> file:
+        </p>
 <pre class="programlisting"><span><strong class="command">lwres</strong></span> {
     [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
@@ -1032,50 +1647,78 @@ statement in the <code class="filename">named.conf</code> file:</p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2578343"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">lwres</strong></span> statement configures the name
-server to also act as a lightweight resolver server. (See
-<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>.)  There may be be multiple
-<span><strong class="command">lwres</strong></span> statements configuring
-lightweight resolver servers with different properties.</p>
-<p>The <span><strong class="command">listen-on</strong></span> statement specifies a list of
-addresses (and ports) that this instance of a lightweight resolver daemon
-should accept requests on.  If no port is specified, port 921 is used.
-If this statement is omitted, requests will be accepted on 127.0.0.1,
-port 921.</p>
-<p>The <span><strong class="command">view</strong></span> statement binds this instance of a
-lightweight resolver daemon to a view in the DNS namespace, so that the
-response will be constructed in the same manner as a normal DNS query
-matching this view.  If this statement is omitted, the default view is
-used, and if there is no default view, an error is triggered.</p>
-<p>The <span><strong class="command">search</strong></span> statement is equivalent to the
-<span><strong class="command">search</strong></span> statement in
-<code class="filename">/etc/resolv.conf</code>.  It provides a list of domains
-which are appended to relative names in queries.</p>
-<p>The <span><strong class="command">ndots</strong></span> statement is equivalent to the
-<span><strong class="command">ndots</strong></span> statement in
-<code class="filename">/etc/resolv.conf</code>.  It indicates the minimum
-number of dots in a relative domain name that should result in an
-exact match lookup before search path elements are appended.</p>
+<a name="id2576470"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
+<p>
+          The <span><strong class="command">lwres</strong></span> statement configures the
+          name
+          server to also act as a lightweight resolver server. (See
+          <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>.)  There may be be multiple
+          <span><strong class="command">lwres</strong></span> statements configuring
+          lightweight resolver servers with different properties.
+        </p>
+<p>
+          The <span><strong class="command">listen-on</strong></span> statement specifies a
+          list of
+          addresses (and ports) that this instance of a lightweight resolver
+          daemon
+          should accept requests on.  If no port is specified, port 921 is
+          used.
+          If this statement is omitted, requests will be accepted on
+          127.0.0.1,
+          port 921.
+        </p>
+<p>
+          The <span><strong class="command">view</strong></span> statement binds this
+          instance of a
+          lightweight resolver daemon to a view in the DNS namespace, so that
+          the
+          response will be constructed in the same manner as a normal DNS
+          query
+          matching this view.  If this statement is omitted, the default view
+          is
+          used, and if there is no default view, an error is triggered.
+        </p>
+<p>
+          The <span><strong class="command">search</strong></span> statement is equivalent to
+          the
+          <span><strong class="command">search</strong></span> statement in
+          <code class="filename">/etc/resolv.conf</code>.  It provides a
+          list of domains
+          which are appended to relative names in queries.
+        </p>
+<p>
+          The <span><strong class="command">ndots</strong></span> statement is equivalent to
+          the
+          <span><strong class="command">ndots</strong></span> statement in
+          <code class="filename">/etc/resolv.conf</code>.  It indicates the
+          minimum
+          number of dots in a relative domain name that should result in an
+          exact match lookup before search path elements are appended.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2578406"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2576534"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting">
-<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] } ; 
+<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2578518"></a><span><strong class="command">masters</strong></span> Statement Definition and Usage </h3></div></div></div>
-<p><span><strong class="command">masters</strong></span> lists allow for a common set of masters
-to be easily used by multiple stub and slave zones.</p>
+<a name="id2576578"></a><span><strong class="command">masters</strong></span> Statement Definition and
+          Usage</h3></div></div></div>
+<p><span><strong class="command">masters</strong></span>
+          lists allow for a common set of masters to be easily used by
+          multiple stub and slave zones.
+        </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2578533"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
-<p>This is the grammar of the <span><strong class="command">options</strong></span>
-statement in the <code class="filename">named.conf</code> file:</p>
+<a name="id2576593"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
+<p>
+          This is the grammar of the <span><strong class="command">options</strong></span>
+          statement in the <code class="filename">named.conf</code> file:
+        </p>
 <pre class="programlisting">options {
     [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
     [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
@@ -1102,31 +1745,52 @@ statement in the <code class="filename">named.conf</code> file:</p>
     [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em>; </span>]
+    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
     [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+    [<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>]
     [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
+    [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
     [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ; ... }; </span>]
-    [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+    [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
+        ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
+          <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ; 
+        ... }; </span>]
+    [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
+        ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+    [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+    [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+    [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+    [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+    [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+    [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
     [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
     [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
-    [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
+    [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
+        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
+        [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
+        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
+    [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
+        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] | 
+        [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] 
+        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
     [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
@@ -1182,202 +1846,316 @@ statement in the <code class="filename">named.conf</code> file:</p>
     [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
     [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
+    [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
     [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
+    [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+    [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
+    [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
+    [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
+    [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
+    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
+    [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
+    [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
+    [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+    [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
+    [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+    [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">options</strong></span> statement sets up global options
-to be used by <acronym class="acronym">BIND</acronym>. This statement may appear only
-once in a configuration file. If there is no <span><strong class="command">options</strong></span>
-statement, an options block with each option set to its default will
-be used.</p>
+<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
+          Usage</h3></div></div></div>
+<p>
+          The <span><strong class="command">options</strong></span> statement sets up global
+          options
+          to be used by <acronym class="acronym">BIND</acronym>. This statement
+          may appear only
+          once in a configuration file. If there is no <span><strong class="command">options</strong></span>
+          statement, an options block with each option set to its default will
+          be used.
+        </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
-<dd><p>The working directory of the server.
-Any non-absolute pathnames in the configuration file will be taken
-as relative to this directory. The default location for most server
-output files (e.g. <code class="filename">named.run</code>) is this directory.
-If a directory is not specified, the working directory defaults
-to `<code class="filename">.</code>', the directory from which the server
-was started. The directory specified should be an absolute path.</p></dd>
+<dd><p>
+                The working directory of the server.
+                Any non-absolute pathnames in the configuration file will be
+                taken
+                as relative to this directory. The default location for most
+                server
+                output files (e.g. <code class="filename">named.run</code>)
+                is this directory.
+                If a directory is not specified, the working directory
+                defaults to `<code class="filename">.</code>', the directory from
+                which the server
+                was started. The directory specified should be an absolute
+                path.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
-<dd><p>When performing dynamic update of secure zones, the
-directory where the public and private key files should be found,
-if different than the current working directory.  The directory specified
-must be an absolute path.</p></dd>
+<dd><p>
+                When performing dynamic update of secure zones, the
+                directory where the public and private key files should be
+                found,
+                if different than the current working directory.  The
+                directory specified
+                must be an absolute path.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete.</em></span>
-It was used in <acronym class="acronym">BIND</acronym> 8 to
-specify the pathname to the <span><strong class="command">named-xfer</strong></span> program.
-In <acronym class="acronym">BIND</acronym> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
-needed; its functionality is built into the name server.</p></dd>
+<dd><p>
+                <span class="emphasis"><em>This option is obsolete.</em></span>
+                It was used in <acronym class="acronym">BIND</acronym> 8 to
+                specify the pathname to the <span><strong class="command">named-xfer</strong></span> program.
+                In <acronym class="acronym">BIND</acronym> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
+                needed; its functionality is built into the name server.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
-<dd><p>The domain appended to the names of all
-shared keys generated with <span><strong class="command">TKEY</strong></span>. When a client
-requests a <span><strong class="command">TKEY</strong></span> exchange, it may or may not specify
-the desired name for the key. If present, the name of the shared
-key will be "<code class="varname">client specified part</code>" + 
-"<code class="varname">tkey-domain</code>".
-Otherwise, the name of the shared key will be "<code class="varname">random hex
+<dd><p>
+                The domain appended to the names of all
+                shared keys generated with
+                <span><strong class="command">TKEY</strong></span>. When a client
+                requests a <span><strong class="command">TKEY</strong></span> exchange, it
+                may or may not specify
+                the desired name for the key. If present, the name of the
+                shared
+                key will be "<code class="varname">client specified part</code>" +
+                "<code class="varname">tkey-domain</code>".
+                Otherwise, the name of the shared key will be "<code class="varname">random hex
 digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
-the <span><strong class="command">domainname</strong></span> should be the server's domain
-name.</p></dd>
+                the <span><strong class="command">domainname</strong></span> should be the
+                server's domain
+                name.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
-<dd><p>The Diffie-Hellman key used by the server
-to generate shared keys with clients using the Diffie-Hellman mode
-of <span><strong class="command">TKEY</strong></span>. The server must be able to load the
-public and private keys from files in the working directory. In
-most cases, the keyname should be the server's host name.</p></dd>
+<dd><p>
+                The Diffie-Hellman key used by the server
+                to generate shared keys with clients using the Diffie-Hellman
+                mode
+                of <span><strong class="command">TKEY</strong></span>. The server must be
+                able to load the
+                public and private keys from files in the working directory.
+                In
+                most cases, the keyname should be the server's host name.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
 <dd><p>
-		This is for testing only.  Do not use.
+                This is for testing only.  Do not use.
               </p></dd>
 <dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server dumps
-the database to when instructed to do so with
-<span><strong class="command">rndc dumpdb</strong></span>.
-If not specified, the default is <code class="filename">named_dump.db</code>.</p></dd>
+<dd><p>
+                The pathname of the file the server dumps
+                the database to when instructed to do so with
+                <span><strong class="command">rndc dumpdb</strong></span>.
+                If not specified, the default is <code class="filename">named_dump.db</code>.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server writes memory
-usage statistics to on exit. If not specified,
-the default is <code class="filename">named.memstats</code>.</p></dd>
+<dd><p>
+                The pathname of the file the server writes memory
+                usage statistics to on exit. If not specified,
+                the default is
+                <code class="filename">named.memstats</code>.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server writes its process ID
-in. If not specified, the default is <code class="filename">/var/run/named.pid</code>.
-The pid-file is used by programs that want to send signals to the running
-name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
-use of a PID file &#8212; no file will be written and any
-existing one will be removed.  Note that <span><strong class="command">none</strong></span>
-is a keyword, not a file name, and therefore is not enclosed in
-double quotes.</p></dd>
+<dd><p>
+                The pathname of the file the server writes its process ID
+                in. If not specified, the default is <code class="filename">/var/run/named.pid</code>.
+                The pid-file is used by programs that want to send signals to
+                the running
+                name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
+                use of a PID file &#8212; no file will be written and any
+                existing one will be removed.  Note that <span><strong class="command">none</strong></span>
+                is a keyword, not a file name, and therefore is not enclosed
+                in
+                double quotes.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server appends statistics
-to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
-If not specified, the default is <code class="filename">named.stats</code> in the
-server's current directory.  The format of the file is described
-in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.</p></dd>
+<dd><p>
+                The pathname of the file the server appends statistics
+                to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
+                If not specified, the default is <code class="filename">named.stats</code> in the
+                server's current directory.  The format of the file is
+                described
+                in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
 <dd><p>
-The UDP/TCP port number the server uses for 
-receiving and sending DNS protocol traffic.
-The default is 53.  This option is mainly intended for server testing;
-a server using a port other than 53 will not be able to communicate with
-the global DNS.
-</p></dd>
+                The UDP/TCP port number the server uses for
+                receiving and sending DNS protocol traffic.
+                The default is 53.  This option is mainly intended for server
+                testing;
+                a server using a port other than 53 will not be able to
+                communicate with
+                the global DNS.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
 <dd><p>
-The source of entropy to be used by the server.  Entropy is primarily needed
-for DNSSEC operations, such as TKEY transactions and dynamic update of signed
-zones.  This options specifies the device (or file) from which to read
-entropy.  If this is a file, operations requiring entropy will fail when the
-file has been exhausted.  If not specified, the default value is
-<code class="filename">/dev/random</code>
-(or equivalent) when present, and none otherwise.  The
-<span><strong class="command">random-device</strong></span> option takes effect during
-the initial configuration load at server startup time and
-is ignored on subsequent reloads.</p></dd>
+                The source of entropy to be used by the server.  Entropy is
+                primarily needed
+                for DNSSEC operations, such as TKEY transactions and dynamic
+                update of signed
+                zones.  This options specifies the device (or file) from which
+                to read
+                entropy.  If this is a file, operations requiring entropy will
+                fail when the
+                file has been exhausted.  If not specified, the default value
+                is
+                <code class="filename">/dev/random</code>
+                (or equivalent) when present, and none otherwise.  The
+                <span><strong class="command">random-device</strong></span> option takes
+                effect during
+                the initial configuration load at server startup time and
+                is ignored on subsequent reloads.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
 <dd><p>
-If specified, the listed type (A or AAAA) will be emitted before other glue
-in the additional section of a query response.
-The default is not to prefer any type (NONE).
-</p></dd>
+                If specified, the listed type (A or AAAA) will be emitted
+                before other glue
+                in the additional section of a query response.
+                The default is not to prefer any type (NONE).
+              </p></dd>
 <dt><span class="term"><span><strong class="command">root-delegation-only</strong></span></span></dt>
 <dd>
 <p>
-Turn on enforcement of delegation-only in TLDs (top level domains)
-and root zones with an optional exclude list.
-</p>
+                Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
+                with an optional
+                exclude list.
+              </p>
 <p>
-Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
-</p>
+                Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
+                and "MUSEUM").
+              </p>
 <pre class="programlisting">
 options {
-	root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
+        root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
 };
 </pre>
 </dd>
 <dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
 <dd><p>
-Disable the specified DNSSEC algorithms at and below the specified name.
-Multiple <span><strong class="command">disable-algorithms</strong></span> statements are allowed.
-Only the most specific will be applied.
-</p></dd>
+                Disable the specified DNSSEC algorithms at and below the
+                specified name.
+                Multiple <span><strong class="command">disable-algorithms</strong></span>
+                statements are allowed.
+                Only the most specific will be applied.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
 <dd><p>
-When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the
-validator with an alternate method to validate DNSKEY records at the
-top of a zone.  When a DNSKEY is at or below a domain specified by the
-deepest <span><strong class="command">dnssec-lookaside</strong></span>, and the normal dnssec validation
-has left the key untrusted, the trust-anchor will be append to the key
-name and a DLV record will be looked up to see if it can validate the
-key.  If the DLV record validates a DNSKEY (similarly to the way a DS
-record does) the DNSKEY RRset is deemed to be trusted.
-</p></dd>
+                When set, <span><strong class="command">dnssec-lookaside</strong></span>
+                provides the
+                validator with an alternate method to validate DNSKEY records
+                at the
+                top of a zone.  When a DNSKEY is at or below a domain
+                specified by the
+                deepest <span><strong class="command">dnssec-lookaside</strong></span>, and
+                the normal dnssec validation
+                has left the key untrusted, the trust-anchor will be append to
+                the key
+                name and a DLV record will be looked up to see if it can
+                validate the
+                key.  If the DLV record validates a DNSKEY (similarly to the
+                way a DS
+                record does) the DNSKEY RRset is deemed to be trusted.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
 <dd><p>
-Specify heirarchies which must be or may not be secure (signed and validated).
-If <strong class="userinput"><code>yes</code></strong>, then named will only accept answers if they
-are secure.
-If <strong class="userinput"><code>no</code></strong>, then normal dnssec validation applies
-allowing for insecure answers to be accepted.
-The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
-<span><strong class="command">dnssec-lookaside</strong></span> must be active.
-</p></dd>
+                Specify hierarchies which must be or may not be secure (signed and
+                validated).
+                If <strong class="userinput"><code>yes</code></strong>, then named will only accept
+                answers if they
+                are secure.
+                If <strong class="userinput"><code>no</code></strong>, then normal dnssec validation
+                applies
+                allowing for insecure answers to be accepted.
+                The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
+                <span><strong class="command">dnssec-lookaside</strong></span> must be
+                active.
+              </p></dd>
 </dl></div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="boolean_options"></a>Boolean Options</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
-is always set on NXDOMAIN responses, even if the server is not actually
-authoritative. The default is <strong class="userinput"><code>no</code></strong>; this is
-a change from <acronym class="acronym">BIND</acronym> 8. If you are using very old DNS software, you
-may need to set it to <strong class="userinput"><code>yes</code></strong>.</p></dd>
+<dd><p>
+                  If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
+                  is always set on NXDOMAIN responses, even if the server is
+                  not actually
+                  authoritative. The default is <strong class="userinput"><code>no</code></strong>;
+                  this is
+                  a change from <acronym class="acronym">BIND</acronym> 8. If you
+                  are using very old DNS software, you
+                  may need to set it to <strong class="userinput"><code>yes</code></strong>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
-<dd><p>This option was used in <acronym class="acronym">BIND</acronym> 8 to enable checking
-for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
-the checks.</p></dd>
+<dd><p>
+                  This option was used in <acronym class="acronym">BIND</acronym>
+                  8 to enable checking
+                  for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
+                  the checks.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
 <dd>
-<p>If <strong class="userinput"><code>yes</code></strong>, then the
-server treats all zones as if they are doing zone transfers across
-a dial-on-demand dialup link, which can be brought up by traffic
-originating from this server. This has different effects according
-to zone type and concentrates the zone maintenance so that it all
-happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
-hopefully during the one call. It also suppresses some of the normal
-zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.</p>
-<p>The <span><strong class="command">dialup</strong></span> option
-may also be specified in the <span><strong class="command">view</strong></span> and 
-<span><strong class="command">zone</strong></span> statements,
-in which case it overrides the global <span><strong class="command">dialup</strong></span>
-option.</p>
-<p>If the zone is a master zone, then the server will send out a NOTIFY 
-request to all the slaves (default). This should trigger the zone serial
-number check in the slave (providing it supports NOTIFY) allowing the slave
-to verify the zone while the connection is active.
-The set of servers to which NOTIFY is sent can be controlled by
-<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.</p>
-<p>If the
-zone is a slave or stub zone, then the server will suppress the regular
-"zone up to date" (refresh) queries and only perform them when the
-<span><strong class="command">heartbeat-interval</strong></span> expires in addition to sending
-NOTIFY requests.</p>
-<p>Finer control can be achieved by using
-<strong class="userinput"><code>notify</code></strong> which only sends NOTIFY messages,
-<strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY messages and
-suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
-which suppresses normal refresh processing and sends refresh queries 
-when the <span><strong class="command">heartbeat-interval</strong></span> expires, and
-<strong class="userinput"><code>passive</code></strong> which just disables normal refresh
-processing.</p>
+<p>
+                  If <strong class="userinput"><code>yes</code></strong>, then the
+                  server treats all zones as if they are doing zone transfers
+                  across
+                  a dial-on-demand dialup link, which can be brought up by
+                  traffic
+                  originating from this server. This has different effects
+                  according
+                  to zone type and concentrates the zone maintenance so that
+                  it all
+                  happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
+                  hopefully during the one call. It also suppresses some of
+                  the normal
+                  zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
+                </p>
+<p>
+                  The <span><strong class="command">dialup</strong></span> option
+                  may also be specified in the <span><strong class="command">view</strong></span> and
+                  <span><strong class="command">zone</strong></span> statements,
+                  in which case it overrides the global <span><strong class="command">dialup</strong></span>
+                  option.
+                </p>
+<p>
+                  If the zone is a master zone, then the server will send out a
+                  NOTIFY
+                  request to all the slaves (default). This should trigger the
+                  zone serial
+                  number check in the slave (providing it supports NOTIFY)
+                  allowing the slave
+                  to verify the zone while the connection is active.
+                  The set of servers to which NOTIFY is sent can be controlled
+                  by
+                  <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
+                </p>
+<p>
+                  If the
+                  zone is a slave or stub zone, then the server will suppress
+                  the regular
+                  "zone up to date" (refresh) queries and only perform them
+                  when the
+                  <span><strong class="command">heartbeat-interval</strong></span> expires in
+                  addition to sending
+                  NOTIFY requests.
+                </p>
+<p>
+                  Finer control can be achieved by using
+                  <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
+                  messages,
+                  <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
+                  messages and
+                  suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
+                  which suppresses normal refresh processing and sends refresh
+                  queries
+                  when the <span><strong class="command">heartbeat-interval</strong></span>
+                  expires, and
+                  <strong class="userinput"><code>passive</code></strong> which just disables normal
+                  refresh
+                  processing.
+                </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -1387,818 +2165,1377 @@ processing.</p>
 </colgroup>
 <tbody>
 <tr>
-<td><p>dialup mode</p></td>
-<td><p>normal refresh</p></td>
-<td><p>heart-beat refresh</p></td>
-<td><p>heart-beat notify</p></td>
+<td>
+                          <p>
+                            dialup mode
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            normal refresh
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            heart-beat refresh
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            heart-beat notify
+                          </p>
+                        </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">no</strong></span> (default)</p></td>
-<td><p>yes</p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
+<td>
+                          <p><span><strong class="command">no</strong></span> (default)</p>
+                        </td>
+<td>
+                          <p>
+                            yes
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">yes</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
-<td><p>yes</p></td>
+<td>
+                          <p><span><strong class="command">yes</strong></span></p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            yes
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            yes
+                          </p>
+                        </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">notify</strong></span></p></td>
-<td><p>yes</p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
+<td>
+                          <p><span><strong class="command">notify</strong></span></p>
+                        </td>
+<td>
+                          <p>
+                            yes
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            yes
+                          </p>
+                        </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">refresh</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
-<td><p>no</p></td>
+<td>
+                          <p><span><strong class="command">refresh</strong></span></p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            yes
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">passive</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
+<td>
+                          <p><span><strong class="command">passive</strong></span></p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">notify-passive</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
+<td>
+                          <p><span><strong class="command">notify-passive</strong></span></p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            no
+                          </p>
+                        </td>
+<td>
+                          <p>
+                            yes
+                          </p>
+                        </td>
 </tr>
 </tbody>
 </table></div>
-<p>Note that normal NOTIFY processing is not affected by
-<span><strong class="command">dialup</strong></span>.</p>
+<p>
+                  Note that normal NOTIFY processing is not affected by
+                  <span><strong class="command">dialup</strong></span>.
+                </p>
 </dd>
 <dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
-<dd><p>In <acronym class="acronym">BIND</acronym> 8, this option
-enabled simulating the obsolete DNS query type
-IQUERY. <acronym class="acronym">BIND</acronym> 9 never does IQUERY simulation.
-</p></dd>
+<dd><p>
+                  In <acronym class="acronym">BIND</acronym> 8, this option
+                  enabled simulating the obsolete DNS query type
+                  IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
+                  IQUERY simulation.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
-<dd><p>This option is obsolete.
-In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
-caused the server to attempt to fetch glue resource records it
-didn't have when constructing the additional
-data section of a response.  This is now considered a bad idea
-and BIND 9 never does it.</p></dd>
+<dd><p>
+                  This option is obsolete.
+                  In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
+                  caused the server to attempt to fetch glue resource records
+                  it
+                  didn't have when constructing the additional
+                  data section of a response.  This is now considered a bad
+                  idea
+                  and BIND 9 never does it.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
-<dd><p>When the nameserver exits due receiving SIGTERM,
-flush or do not flush any pending zone writes.  The default is
-<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+<dd><p>
+                  When the nameserver exits due receiving SIGTERM,
+                  flush or do not flush any pending zone writes.  The default
+                  is
+                  <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
-<dd><p>This option was incorrectly implemented
-in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
-To achieve the intended effect
-of
-<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
-the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
-and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
-</p></dd>
+<dd><p>
+                  This option was incorrectly implemented
+                  in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
+                  To achieve the intended effect
+                  of
+                  <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
+                  the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
+                  and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
-<dd><p>In BIND 8, this enables keeping of
-statistics for every host that the name server interacts with.
-Not implemented in BIND 9.
-</p></dd>
+<dd><p>
+                  In BIND 8, this enables keeping of
+                  statistics for every host that the name server interacts
+                  with.
+                  Not implemented in BIND 9.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
- It was used in <acronym class="acronym">BIND</acronym> 8 to determine whether a transaction log was
-kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
-log whenever possible.  If you need to disable outgoing incremental zone
-transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+<dd><p>
+                  <span class="emphasis"><em>This option is obsolete</em></span>.
+                  It was used in <acronym class="acronym">BIND</acronym> 8 to
+                  determine whether a transaction log was
+                  kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
+                  log whenever possible.  If you need to disable outgoing
+                  incremental zone
+                  transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then when generating
-responses the server will only add records to the authority and
-additional data sections when they are required (e.g. delegations,
-negative responses).  This may improve the performance of the server.
-The default is <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+<dd><p>
+                  If <strong class="userinput"><code>yes</code></strong>, then when generating
+                  responses the server will only add records to the authority
+                  and additional data sections when they are required (e.g.
+                  delegations, negative responses).  This may improve the
+                  performance of the server.
+                  The default is <strong class="userinput"><code>no</code></strong>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
-<dd><p>This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
-a domain name to have multiple CNAME records in violation of the
-DNS standards.  <acronym class="acronym">BIND</acronym> 9.2 always strictly
-enforces the CNAME rules both in master files and dynamic updates.
-</p></dd>
+<dd><p>
+                  This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
+                  a domain name to have multiple CNAME records in violation of
+                  the DNS standards.  <acronym class="acronym">BIND</acronym> 9.2 onwards
+                  always strictly enforces the CNAME rules both in master
+                  files and dynamic updates.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
 <dd>
-<p>If <strong class="userinput"><code>yes</code></strong> (the default),
-DNS NOTIFY messages are sent when a zone the server is authoritative for
-changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>.  The messages are sent to the
-servers listed in the zone's NS records (except the master server identified
-in the SOA MNAME field), and to any servers listed in the
-<span><strong class="command">also-notify</strong></span> option.
-</p>
 <p>
-If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only to
-servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
-If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
-</p>
+                  If <strong class="userinput"><code>yes</code></strong> (the default),
+                  DNS NOTIFY messages are sent when a zone the server is
+                  authoritative for
+                  changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>.  The messages are
+                  sent to the
+                  servers listed in the zone's NS records (except the master
+                  server identified
+                  in the SOA MNAME field), and to any servers listed in the
+                  <span><strong class="command">also-notify</strong></span> option.
+                </p>
 <p>
-The <span><strong class="command">notify</strong></span> option may also be
-specified in the <span><strong class="command">zone</strong></span> statement,
-in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
-It would only be necessary to turn off this option if it caused slaves
-to crash.</p>
+                  If <strong class="userinput"><code>master-only</code></strong>, notifies are only
+                  sent
+                  for master zones.
+                  If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
+                  to
+                  servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
+                  If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
+                </p>
+<p>
+                  The <span><strong class="command">notify</strong></span> option may also be
+                  specified in the <span><strong class="command">zone</strong></span>
+                  statement,
+                  in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
+                  It would only be necessary to turn off this option if it
+                  caused slaves
+                  to crash.
+                </p>
 </dd>
 <dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, and a
-DNS query requests recursion, then the server will attempt to do
-all the work required to answer the query. If recursion is off
-and the server does not already know the answer, it will return a
-referral response. The default is <strong class="userinput"><code>yes</code></strong>.
-Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
-clients from getting data from the server's cache; it only
-prevents new data from being cached as an effect of client queries.
-Caching may still occur as an effect the server's internal
-operation, such as NOTIFY address lookups.
-See also <span><strong class="command">fetch-glue</strong></span> above.
-</p></dd>
+<dd><p>
+                  If <strong class="userinput"><code>yes</code></strong>, and a
+                  DNS query requests recursion, then the server will attempt
+                  to do
+                  all the work required to answer the query. If recursion is
+                  off
+                  and the server does not already know the answer, it will
+                  return a
+                  referral response. The default is
+                  <strong class="userinput"><code>yes</code></strong>.
+                  Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
+                  clients from getting data from the server's cache; it only
+                  prevents new data from being cached as an effect of client
+                  queries.
+                  Caching may still occur as an effect the server's internal
+                  operation, such as NOTIFY address lookups.
+                  See also <span><strong class="command">fetch-glue</strong></span> above.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
 <dd>
-<p>Setting this to <strong class="userinput"><code>yes</code></strong> will
-cause the server to send NS records along with the SOA record for negative
-answers. The default is <strong class="userinput"><code>no</code></strong>.</p>
+<p>
+                  Setting this to <strong class="userinput"><code>yes</code></strong> will
+                  cause the server to send NS records along with the SOA
+                  record for negative
+                  answers. The default is <strong class="userinput"><code>no</code></strong>.
+                </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-<p>Not yet implemented in <acronym class="acronym">BIND</acronym> 9.</p>
+<p>
+                    Not yet implemented in <acronym class="acronym">BIND</acronym>
+                    9.
+                  </p>
 </div>
 </dd>
 <dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
-<acronym class="acronym">BIND</acronym> 9 always allocates query IDs from a pool.
-</p></dd>
+<dd><p>
+                  <span class="emphasis"><em>This option is obsolete</em></span>.
+                  <acronym class="acronym">BIND</acronym> 9 always allocates query
+                  IDs from a pool.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, the server will collect
-statistical data on all zones (unless specifically turned off
-on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span>
-in the <span><strong class="command">zone</strong></span> statement).  These statistics may be accessed
-using <span><strong class="command">rndc stats</strong></span>, which will dump them to the file listed
-in the <span><strong class="command">statistics-file</strong></span>.  See also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
-</p></dd>
+<dd><p>
+                  If <strong class="userinput"><code>yes</code></strong>, the server will collect
+                  statistical data on all zones (unless specifically turned
+                  off
+                  on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span>
+                  in the <span><strong class="command">zone</strong></span> statement).
+                  These statistics may be accessed
+                  using <span><strong class="command">rndc stats</strong></span>, which will
+                  dump them to the file listed
+                  in the <span><strong class="command">statistics-file</strong></span>.  See
+                  also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
-If you need to disable IXFR to a particular server or servers see
-the information on the <span><strong class="command">provide-ixfr</strong></span> option
-in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>. See also
-<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
-</p></dd>
+<dd><p>
+                  <span class="emphasis"><em>This option is obsolete</em></span>.
+                  If you need to disable IXFR to a particular server or
+                  servers see
+                  the information on the <span><strong class="command">provide-ixfr</strong></span> option
+                  in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
+            Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
+            Usage&#8221;</a>.
+                  See also
+                  <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
 <dd><p>
-See the description of
-<span><strong class="command">provide-ixfr</strong></span> in
-<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>.
-</p></dd>
+                  See the description of
+                  <span><strong class="command">provide-ixfr</strong></span> in
+                  <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
+            Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
+            Usage&#8221;</a>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
 <dd><p>
-See the description of
-<span><strong class="command">request-ixfr</strong></span> in
-<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>.
-</p></dd>
+                  See the description of
+                  <span><strong class="command">request-ixfr</strong></span> in
+                  <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
+            Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
+            Usage&#8221;</a>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
-<dd><p>This option was used in <acronym class="acronym">BIND</acronym> 8 to make
-the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
-as a space or tab character,
-to facilitate loading of zone files on a UNIX system that were generated
-on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
-and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines are always accepted,
-and the option is ignored.</p></dd>
+<dd><p>
+                  This option was used in <acronym class="acronym">BIND</acronym>
+                  8 to make
+                  the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
+                  as a space or tab character,
+                  to facilitate loading of zone files on a UNIX system that
+                  were generated
+                  on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
+                  and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines
+                  are always accepted,
+                  and the option is ignored.
+                </p></dd>
 <dt>
 <span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
 </dt>
 <dd>
 <p>
-These options control the behavior of an authoritative server when
-answering queries which have additional data, or when following CNAME
-and DNAME chains.
-</p>
+                  These options control the behavior of an authoritative
+                  server when
+                  answering queries which have additional data, or when
+                  following CNAME
+                  and DNAME chains.
+                </p>
 <p>
-When both of these options are set to <strong class="userinput"><code>yes</code></strong> 
-(the default) and a
-query is being answered from authoritative data (a zone
-configured into the server), the additional data section of the
-reply will be filled in using data from other authoritative zones
-and from the cache.  In some situations this is undesirable, such
-as when there is concern over the correctness of the cache, or
-in servers where slave zones may be added and modified by
-untrusted third parties.  Also, avoiding
-the search for this additional data will speed up server operations
-at the possible expense of additional queries to resolve what would
-otherwise be provided in the additional section.
-</p>
+                  When both of these options are set to <strong class="userinput"><code>yes</code></strong>
+                  (the default) and a
+                  query is being answered from authoritative data (a zone
+                  configured into the server), the additional data section of
+                  the
+                  reply will be filled in using data from other authoritative
+                  zones
+                  and from the cache.  In some situations this is undesirable,
+                  such
+                  as when there is concern over the correctness of the cache,
+                  or
+                  in servers where slave zones may be added and modified by
+                  untrusted third parties.  Also, avoiding
+                  the search for this additional data will speed up server
+                  operations
+                  at the possible expense of additional queries to resolve
+                  what would
+                  otherwise be provided in the additional section.
+                </p>
 <p>
-For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
-and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
-records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
-if known, even though they are not in the example.com zone.
-Setting these options to <span><strong class="command">no</strong></span> disables this behavior and makes
-the server only search for additional data in the zone it answers from.
-</p>
+                  For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
+                  and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
+                  records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
+                  if known, even though they are not in the example.com zone.
+                  Setting these options to <span><strong class="command">no</strong></span>
+                  disables this behavior and makes
+                  the server only search for additional data in the zone it
+                  answers from.
+                </p>
 <p>
-These options are intended for use in authoritative-only 
-servers, or in authoritative-only views.  Attempts to set
-them to <span><strong class="command">no</strong></span> without also specifying
-<span><strong class="command">recursion no</strong></span> will cause the server to
-ignore the options and log a warning message.
-</p>
+                  These options are intended for use in authoritative-only
+                  servers, or in authoritative-only views.  Attempts to set
+                  them to <span><strong class="command">no</strong></span> without also
+                  specifying
+                  <span><strong class="command">recursion no</strong></span> will cause the
+                  server to
+                  ignore the options and log a warning message.
+                </p>
 <p>
-Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
-disables the use of the cache not only for additional data lookups
-but also when looking up the answer.  This is usually the desired
-behavior in an authoritative-only server where the correctness of
-the cached data is an issue.
-</p>
+                  Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
+                  disables the use of the cache not only for additional data
+                  lookups
+                  but also when looking up the answer.  This is usually the
+                  desired
+                  behavior in an authoritative-only server where the
+                  correctness of
+                  the cached data is an issue.
+                </p>
 <p>
-When a name server is non-recursively queried for a name that is not
-below the apex of any served zone, it normally answers with an
-"upwards referral" to the root servers or the servers of some other
-known parent of the query name.  Since the data in an upwards referral
-comes from the cache, the server will not be able to provide upwards
-referrals when <span><strong class="command">additional-from-cache no</strong></span>
-has been specified.  Instead, it will respond to such queries
-with REFUSED.  This should not cause any problems since
-upwards referrals are not required for the resolution process.
-</p>
+                  When a name server is non-recursively queried for a name
+                  that is not
+                  below the apex of any served zone, it normally answers with
+                  an
+                  "upwards referral" to the root servers or the servers of
+                  some other
+                  known parent of the query name.  Since the data in an
+                  upwards referral
+                  comes from the cache, the server will not be able to provide
+                  upwards
+                  referrals when <span><strong class="command">additional-from-cache no</strong></span>
+                  has been specified.  Instead, it will respond to such
+                  queries
+                  with REFUSED.  This should not cause any problems since
+                  upwards referrals are not required for the resolution
+                  process.
+                </p>
 </dd>
 <dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then an
-IPv4-mapped IPv6 address will match any address match
-list entries that match the corresponding IPv4 address.
-Enabling this option is sometimes useful on IPv6-enabled Linux
-systems, to work around a kernel quirk that causes IPv4
-TCP connections such as zone transfers to be accepted
-on an IPv6 socket using mapped addresses, causing
-address match lists designed for IPv4 to fail to match.
-The use of this option for any other purpose is discouraged.
-</p></dd>
+<dd><p>
+                  If <strong class="userinput"><code>yes</code></strong>, then an
+                  IPv4-mapped IPv6 address will match any address match
+                  list entries that match the corresponding IPv4 address.
+                  Enabling this option is sometimes useful on IPv6-enabled
+                  Linux
+                  systems, to work around a kernel quirk that causes IPv4
+                  TCP connections such as zone transfers to be accepted
+                  on an IPv6 socket using mapped addresses, causing
+                  address match lists designed for IPv4 to fail to match.
+                  The use of this option for any other purpose is discouraged.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
 <dd>
 <p>
-When  <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master
-zone from its zone file or receives a new version of a slave
-file by a non-incremental zone transfer, it will compare
-the new version to the previous one and calculate a set
-of differences.  The differences are then logged in the
-zone's journal file such that the changes can be transmitted
-to downstream slaves as an incremental zone transfer.
-</p>
+                  When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master
+                  zone from its zone file or receives a new version of a slave
+                  file by a non-incremental zone transfer, it will compare
+                  the new version to the previous one and calculate a set
+                  of differences.  The differences are then logged in the
+                  zone's journal file such that the changes can be transmitted
+                  to downstream slaves as an incremental zone transfer.
+                </p>
 <p>
-By allowing incremental zone transfers to be used for
-non-dynamic zones, this option saves bandwidth at the
-expense of increased CPU and memory consumption at the master.
-In particular, if the new version of a zone is completely
-different from the previous one, the set of differences
-will be of a size comparable to the combined size of the
-old and new zone version, and the server will need to
-temporarily allocate memory to hold this complete
-difference set.
-</p>
+                  By allowing incremental zone transfers to be used for
+                  non-dynamic zones, this option saves bandwidth at the
+                  expense of increased CPU and memory consumption at the
+                  master.
+                  In particular, if the new version of a zone is completely
+                  different from the previous one, the set of differences
+                  will be of a size comparable to the combined size of the
+                  old and new zone version, and the server will need to
+                  temporarily allocate memory to hold this complete
+                  difference set.
+                </p>
+<p><span><strong class="command">ixfr-from-differences</strong></span>
+                  also accepts <span><strong class="command">master</strong></span> and
+                  <span><strong class="command">slave</strong></span> at the view and options
+                  levels which causes
+                  <span><strong class="command">ixfr-from-differences</strong></span> to apply to
+                  all <span><strong class="command">master</strong></span> or
+                  <span><strong class="command">slave</strong></span> zones respectively.
+                </p>
 </dd>
 <dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
 <dd><p>
-This should be set when you have multiple masters for a zone and the
-addresses refer to different machines.  If <strong class="userinput"><code>yes</code></strong>, named will not log
-when the serial number on the master is less than what named currently
-has.  The default is <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+                  This should be set when you have multiple masters for a zone
+                  and the
+                  addresses refer to different machines.  If <strong class="userinput"><code>yes</code></strong>, named will
+                  not log
+                  when the serial number on the master is less than what named
+                  currently
+                  has.  The default is <strong class="userinput"><code>no</code></strong>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
 <dd><p>
-Enable DNSSEC support in named.  Unless set to <strong class="userinput"><code>yes</code></strong>,
-named behaves as if it does not support DNSSEC.
-The default is <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+                  Enable DNSSEC support in named.  Unless set to <strong class="userinput"><code>yes</code></strong>,
+                  named behaves as if it does not support DNSSEC.
+                  The default is <strong class="userinput"><code>yes</code></strong>.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
+<dd><p>
+                  Enable DNSSEC validation in named.
+                  Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
+                  set to <strong class="userinput"><code>yes</code></strong> to be effective.
+                  The default is <strong class="userinput"><code>no</code></strong>.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
+<dd><p>
+                  Accept expired signatures when verifying DNSSEC signatures.
+                  The default is <strong class="userinput"><code>no</code></strong>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
 <dd><p>
-Specify whether query logging should be started when named starts.
-If <span><strong class="command">querylog</strong></span> is not specified, then the query logging
-is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
-</p></dd>
+                  Specify whether query logging should be started when named
+                  starts.
+                  If <span><strong class="command">querylog</strong></span> is not specified,
+                  then the query logging
+                  is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
 <dd>
 <p>
-This option is used to restrict the character set and syntax of
-certain domain names in master files and/or DNS responses received
-from the network.  The default varies according to usage area.  For
-<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
-For <span><strong class="command">slave</strong></span> zones the default is <span><strong class="command">warn</strong></span>.
-For answers received from the network (<span><strong class="command">response</strong></span>)
-the default is <span><strong class="command">ignore</strong></span>.
-</p>
-<p>The rules for legal hostnames and mail domains are derived from RFC 952
-and RFC 821 as modified by RFC 1123.
-</p>
-<p><span><strong class="command">check-names</strong></span> applies to the owner names of A, AAA and
-MX records.  It also applies to the domain names in the RDATA of NS, SOA and MX
-records.  It also applies to the RDATA of PTR records where the owner name
-indicated that it is a reverse lookup of a hostname (the owner name ends in
-IN-ADDR.ARPA, IP6.ARPA, IP6.INT).
-</p>
+                  This option is used to restrict the character set and syntax
+                  of
+                  certain domain names in master files and/or DNS responses
+                  received
+                  from the network.  The default varies according to usage
+                  area.  For
+                  <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
+                  For <span><strong class="command">slave</strong></span> zones the default
+                  is <span><strong class="command">warn</strong></span>.
+                  For answers received from the network (<span><strong class="command">response</strong></span>)
+                  the default is <span><strong class="command">ignore</strong></span>.
+                </p>
+<p>
+                  The rules for legal hostnames and mail domains are derived
+                  from RFC 952 and RFC 821 as modified by RFC 1123.
+                </p>
+<p><span><strong class="command">check-names</strong></span>
+                  applies to the owner names of A, AAA and MX records.
+                  It also applies to the domain names in the RDATA of NS, SOA
+                  and MX records.
+                  It also applies to the RDATA of PTR records where the owner
+                  name indicated that it is a reverse lookup of a hostname
+                  (the owner name ends in IN-ADDR.ARPA, IP6.ARPA or IP6.INT).
+                </p>
 </dd>
+<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
+<dd><p>
+                  Check whether the MX record appears to refer to a IP address.
+                  The default is to <span><strong class="command">warn</strong></span>.  Other possible
+                  values are <span><strong class="command">fail</strong></span> and
+                  <span><strong class="command">ignore</strong></span>.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
+<dd><p>
+                  This option is used to check for non-terminal wildcards.
+                  The use of non-terminal wildcards is almost always as a
+                  result of a failure
+                  to understand the wildcard matching algorithm (RFC 1034).
+                  This option
+                  affects master zones.  The default (<span><strong class="command">yes</strong></span>) is to check
+                  for non-terminal wildcards and issue a warning.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
+<dd><p>
+                  Perform post load zone integrity checks on master
+                  zones.  This checks that MX and SRV records refer
+                  to address (A or AAAA) records and that glue
+                  address records exist for delegated zones.  For
+                  MX and SRV records only in-zone hostnames are
+                  checked (for out-of-zone hostnames use named-checkzone).
+                  For NS records only names below top of zone are
+                  checked (for out-of-zone names and glue consistancy
+                  checks use named-checkzone).  The default is
+                  <span><strong class="command">yes</strong></span>.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt>
+<dd><p>
+                  If <span><strong class="command">check-integrity</strong></span> is set then
+                  fail, warn or ignore MX records that refer
+                  to CNAMES.  The default is to <span><strong class="command">warn</strong></span>.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt>
+<dd><p>
+                  If <span><strong class="command">check-integrity</strong></span> is set then
+                  fail, warn or ignore SRV records that refer
+                  to CNAMES.  The default is to <span><strong class="command">warn</strong></span>.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
+<dd><p>
+                  When performing integrity checks, also check that
+                  sibling glue exists.  The default is <span><strong class="command">yes</strong></span>.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
+<dd><p>
+                  When returning authoritative negative responses to
+                  SOA queries set the TTL of the SOA recored returned in
+                  the authority section to zero.
+                  The default is <span><strong class="command">yes</strong></span>.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
+<dd><p>
+                  When caching a negative response to a SOA query
+                  set the TTL to zero.
+                  The default is <span><strong class="command">no</strong></span>.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
+<dd><p>
+                  When regenerating the RRSIGs following a UPDATE
+                  request to a secure zone, check the KSK flag on
+                  the DNSKEY RR to determine if this key should be
+                  used to generate the RRSIG.  This flag is ignored
+                  if there are not DNSKEY RRs both with and without
+                  a KSK.
+                  The default is <span><strong class="command">yes</strong></span>.
+                </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2581312"></a>Forwarding</h4></div></div></div>
-<p>The forwarding facility can be used to create a large site-wide
-cache on a few servers, reducing traffic over links to external
-name servers. It can also be used to allow queries by servers that
-do not have direct access to the Internet, but wish to look up exterior
-names anyway. Forwarding occurs only on those queries for which
-the server is not authoritative and does not have the answer in
-its cache.</p>
+<a name="id2580408"></a>Forwarding</h4></div></div></div>
+<p>
+            The forwarding facility can be used to create a large site-wide
+            cache on a few servers, reducing traffic over links to external
+            name servers. It can also be used to allow queries by servers that
+            do not have direct access to the Internet, but wish to look up
+            exterior
+            names anyway. Forwarding occurs only on those queries for which
+            the server is not authoritative and does not have the answer in
+            its cache.
+          </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
-<dd><p>This option is only meaningful if the
-forwarders list is not empty. A value of <code class="varname">first</code>,
-the default, causes the server to query the forwarders first &#8212; and
-if that doesn't answer the question, the server will then look for
-the answer itself. If <code class="varname">only</code> is specified, the
-server will only query the forwarders.
-</p></dd>
+<dd><p>
+                  This option is only meaningful if the
+                  forwarders list is not empty. A value of <code class="varname">first</code>,
+                  the default, causes the server to query the forwarders
+                  first &#8212; and
+                  if that doesn't answer the question, the server will then
+                  look for
+                  the answer itself. If <code class="varname">only</code> is
+                  specified, the
+                  server will only query the forwarders.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
-<dd><p>Specifies the IP addresses to be used
-for forwarding. The default is the empty list (no forwarding).
-</p></dd>
+<dd><p>
+                  Specifies the IP addresses to be used
+                  for forwarding. The default is the empty list (no
+                  forwarding).
+                </p></dd>
 </dl></div>
-<p>Forwarding can also be configured on a per-domain basis, allowing
-for the global forwarding options to be overridden in a variety
-of ways. You can set particular domains to use different forwarders,
-or have a different <span><strong class="command">forward only/first</strong></span> behavior,
-or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
-Statement Grammar">the section called &#8220;<span><strong class="command">zone</strong></span>
-Statement Grammar&#8221;</a>.</p>
+<p>
+            Forwarding can also be configured on a per-domain basis, allowing
+            for the global forwarding options to be overridden in a variety
+            of ways. You can set particular domains to use different
+            forwarders,
+            or have a different <span><strong class="command">forward only/first</strong></span> behavior,
+            or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
+            Statement Grammar">the section called &#8220;<span><strong class="command">zone</strong></span>
+            Statement Grammar&#8221;</a>.
+          </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2581362"></a>Dual-stack Servers</h4></div></div></div>
-<p>Dual-stack servers are used as servers of last resort to work around
-problems in reachability due the lack of support for either IPv4 or IPv6
-on the host machine.</p>
+<a name="id2580467"></a>Dual-stack Servers</h4></div></div></div>
+<p>
+            Dual-stack servers are used as servers of last resort to work
+            around
+            problems in reachability due the lack of support for either IPv4
+            or IPv6
+            on the host machine.
+          </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt>
-<dd><p>Specifies host names or addresses of machines with access to
-both IPv4 and IPv6 transports. If a hostname is used, the server must be able
-to resolve the name using only the transport it has.  If the machine is dual
-stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
-access to a transport has been disabled on the command line
-(e.g. <span><strong class="command">named -4</strong></span>).</p></dd>
+<dd><p>
+                  Specifies host names or addresses of machines with access to
+                  both IPv4 and IPv6 transports. If a hostname is used, the
+                  server must be able
+                  to resolve the name using only the transport it has.  If the
+                  machine is dual
+                  stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
+                  access to a transport has been disabled on the command line
+                  (e.g. <span><strong class="command">named -4</strong></span>).
+                </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="access_control"></a>Access Control</h4></div></div></div>
-<p>Access to the server can be restricted based on the IP address
-of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
-details on how to specify IP address lists.</p>
+<p>
+            Access to the server can be restricted based on the IP address
+            of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
+            details on how to specify IP address lists.
+          </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-notify this server, a slave, of zone changes in addition
-to the zone masters.
-<span><strong class="command">allow-notify</strong></span> may also be specified in the
-<span><strong class="command">zone</strong></span> statement, in which case it overrides the
-<span><strong class="command">options allow-notify</strong></span> statement.  It is only meaningful
-for a slave zone.  If not specified, the default is to process notify messages
-only from a zone's master.</p></dd>
+<dd><p>
+                  Specifies which hosts are allowed to
+                  notify this server, a slave, of zone changes in addition
+                  to the zone masters.
+                  <span><strong class="command">allow-notify</strong></span> may also be
+                  specified in the
+                  <span><strong class="command">zone</strong></span> statement, in which case
+                  it overrides the
+                  <span><strong class="command">options allow-notify</strong></span>
+                  statement.  It is only meaningful
+                  for a slave zone.  If not specified, the default is to
+                  process notify messages
+                  only from a zone's master.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-ask ordinary DNS questions. <span><strong class="command">allow-query</strong></span> may also
-be specified in the <span><strong class="command">zone</strong></span> statement, in which
-case it overrides the <span><strong class="command">options allow-query</strong></span> statement. If
-not specified, the default is to allow queries from all hosts.</p></dd>
+<dd>
+<p>
+                  Specifies which hosts are allowed to ask ordinary
+                  DNS questions. <span><strong class="command">allow-query</strong></span> may
+                  also be specified in the <span><strong class="command">zone</strong></span>
+                  statement, in which case it overrides the
+                  <span><strong class="command">options allow-query</strong></span> statement.
+                  If not specified, the default is to allow queries
+                  from all hosts.
+                </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+                    <span><strong class="command">allow-query-cache</strong></span> is now
+                    used to specify access to the cache.
+                  </p>
+</div>
+</dd>
+<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
+<dd>
+<p>
+                  Specifies which hosts are allowed to get answers
+                  from the cache. The default is the builtin acls
+                  <span><strong class="command">localnets</strong></span> and
+                  <span><strong class="command">localhost</strong></span>.
+                </p>
+<p>
+                  The way to set query access to the cache is now
+                  via <span><strong class="command">allow-query-cache</strong></span>.
+                  This differs from earlier versions which used
+                  <span><strong class="command">allow-query</strong></span>.
+                </p>
+</dd>
 <dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-make recursive queries through this server. If not specified, the
-default is to allow recursive queries from all hosts. 
-Note that disallowing recursive queries for a host does not prevent the
-host from retrieving data that is already in the server's cache.
-</p></dd>
+<dd><p>
+                  Specifies which hosts are allowed to make recursive
+                  queries through this server. If not specified,
+                  the default is to allow recursive queries from
+                  the builtin acls <span><strong class="command">localnets</strong></span> and
+                  <span><strong class="command">localhost</strong></span>.
+                  Note that disallowing recursive queries for a
+                  host does not prevent the host from retrieving
+                  data that is already in the server's cache.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
+<dd><p>
+                  Specifies which hosts are allowed to
+                  submit Dynamic DNS updates for master zones. The default is
+                  to deny
+                  updates from all hosts.  Note that allowing updates based
+                  on the requestor's IP address is insecure; see
+                  <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
 <dd>
-<p>Specifies which hosts are allowed to
-submit Dynamic DNS updates to slave zones to be forwarded to the
-master.  The default is <strong class="userinput"><code>{ none; }</code></strong>, which 
-means that no update forwarding will be performed.  To enable
-update forwarding, specify
-<strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
-Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
-<strong class="userinput"><code>{ any; }</code></strong> is usually counterproductive, since
-the responsibility for update access control should rest with the 
-master server, not the slaves.</p>
-<p>Note that enabling the update forwarding feature on a slave server
-may expose master servers relying on insecure IP address based
-access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
-for more details.</p>
+<p>
+                  Specifies which hosts are allowed to
+                  submit Dynamic DNS updates to slave zones to be forwarded to
+                  the
+                  master.  The default is <strong class="userinput"><code>{ none; }</code></strong>,
+                  which
+                  means that no update forwarding will be performed.  To
+                  enable
+                  update forwarding, specify
+                  <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
+                  Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
+                  <strong class="userinput"><code>{ any; }</code></strong> is usually
+                  counterproductive, since
+                  the responsibility for update access control should rest
+                  with the
+                  master server, not the slaves.
+                </p>
+<p>
+                  Note that enabling the update forwarding feature on a slave
+                  server
+                  may expose master servers relying on insecure IP address
+                  based
+                  access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
+                  for more details.
+                </p>
 </dd>
 <dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt>
-<dd><p>This option was introduced for the smooth transition from AAAA
-to A6 and from "nibble labels" to binary labels.
-However, since both A6 and binary labels were then deprecated,
-this option was also deprecated.
-It is now ignored with some warning messages.
-</p></dd>
+<dd><p>
+                  This option was introduced for the smooth transition from
+                  AAAA
+                  to A6 and from "nibble labels" to binary labels.
+                  However, since both A6 and binary labels were then
+                  deprecated,
+                  this option was also deprecated.
+                  It is now ignored with some warning messages.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
-also be specified in the <span><strong class="command">zone</strong></span> statement, in which
-case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
-If not specified, the default is to allow transfers to all hosts.</p></dd>
+<dd><p>
+                  Specifies which hosts are allowed to
+                  receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
+                  also be specified in the <span><strong class="command">zone</strong></span>
+                  statement, in which
+                  case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
+                  If not specified, the default is to allow transfers to all
+                  hosts.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt>
-<dd><p>Specifies a list of addresses that the
-server will not accept queries from or use to resolve a query. Queries
-from these addresses will not be responded to. The default is <strong class="userinput"><code>none</code></strong>.</p></dd>
+<dd><p>
+                  Specifies a list of addresses that the
+                  server will not accept queries from or use to resolve a
+                  query. Queries
+                  from these addresses will not be responded to. The default
+                  is <strong class="userinput"><code>none</code></strong>.
+                </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2581677"></a>Interfaces</h4></div></div></div>
-<p>The interfaces and ports that the server will answer queries
-from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
-an optional port, and an <code class="varname">address_match_list</code>.
-The server will listen on all interfaces allowed by the address
-match list. If a port is not specified, port 53 will be used.</p>
-<p>Multiple <span><strong class="command">listen-on</strong></span> statements are allowed.
-For example,</p>
+<a name="id2580942"></a>Interfaces</h4></div></div></div>
+<p>
+            The interfaces and ports that the server will answer queries
+            from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
+            an optional port, and an <code class="varname">address_match_list</code>.
+            The server will listen on all interfaces allowed by the address
+            match list. If a port is not specified, port 53 will be used.
+          </p>
+<p>
+            Multiple <span><strong class="command">listen-on</strong></span> statements are
+            allowed.
+            For example,
+          </p>
 <pre class="programlisting">listen-on { 5.6.7.8; };
 listen-on port 1234 { !1.2.3.4; 1.2/16; };
 </pre>
-<p>will enable the name server on port 53 for the IP address
-5.6.7.8, and on port 1234 of an address on the machine in net
-1.2 that is not 1.2.3.4.</p>
-<p>If no <span><strong class="command">listen-on</strong></span> is specified, the
-server will listen on port 53 on all interfaces.</p>
-<p>The <span><strong class="command">listen-on-v6</strong></span> option is used to
-specify the interfaces and the ports on which the server will listen
-for incoming queries sent using IPv6.</p>
-<p>When </p>
+<p>
+            will enable the name server on port 53 for the IP address
+            5.6.7.8, and on port 1234 of an address on the machine in net
+            1.2 that is not 1.2.3.4.
+          </p>
+<p>
+            If no <span><strong class="command">listen-on</strong></span> is specified, the
+            server will listen on port 53 on all interfaces.
+          </p>
+<p>
+            The <span><strong class="command">listen-on-v6</strong></span> option is used to
+            specify the interfaces and the ports on which the server will
+            listen
+            for incoming queries sent using IPv6.
+          </p>
+<p>
+            When </p>
 <pre class="programlisting">{ any; }</pre>
-<p> is specified
-as the <code class="varname">address_match_list</code> for the
-<span><strong class="command">listen-on-v6</strong></span> option,
-the server does not bind a separate socket to each IPv6 interface
-address as it does for IPv4 if the operating system has enough API
-support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542).
-Instead, it listens on the IPv6 wildcard address.
-If the system only has incomplete API support for IPv6, however,
-the behavior is the same as that for IPv4.</p>
-<p>A list of particular IPv6 addresses can also be specified, in which case
-the server listens on a separate socket for each specified address,
-regardless of whether the desired API is supported by the system.</p>
-<p>Multiple <span><strong class="command">listen-on-v6</strong></span> options can be used.
-For example,</p>
+<p> is
+            specified
+            as the <code class="varname">address_match_list</code> for the
+            <span><strong class="command">listen-on-v6</strong></span> option,
+            the server does not bind a separate socket to each IPv6 interface
+            address as it does for IPv4 if the operating system has enough API
+            support for IPv6 (specifically if it conforms to RFC 3493 and RFC
+            3542).
+            Instead, it listens on the IPv6 wildcard address.
+            If the system only has incomplete API support for IPv6, however,
+            the behavior is the same as that for IPv4.
+          </p>
+<p>
+            A list of particular IPv6 addresses can also be specified, in
+            which case
+            the server listens on a separate socket for each specified
+            address,
+            regardless of whether the desired API is supported by the system.
+          </p>
+<p>
+            Multiple <span><strong class="command">listen-on-v6</strong></span> options can
+            be used.
+            For example,
+          </p>
 <pre class="programlisting">listen-on-v6 { any; };
 listen-on-v6 port 1234 { !2001:db8::/32; any; };
 </pre>
-<p>will enable the name server on port 53 for any IPv6 addresses
-(with a single wildcard socket),
-and on port 1234 of IPv6 addresses that is not in the prefix
-2001:db8::/32 (with separate sockets for each matched address.)</p>
-<p>To make the server not listen on any IPv6 address, use</p>
+<p>
+            will enable the name server on port 53 for any IPv6 addresses
+            (with a single wildcard socket),
+            and on port 1234 of IPv6 addresses that is not in the prefix
+            2001:db8::/32 (with separate sockets for each matched address.)
+          </p>
+<p>
+            To make the server not listen on any IPv6 address, use
+          </p>
 <pre class="programlisting">listen-on-v6 { none; };
 </pre>
-<p>If no <span><strong class="command">listen-on-v6</strong></span> option is specified,
-the server will not listen on any IPv6 address.</p>
+<p>
+            If no <span><strong class="command">listen-on-v6</strong></span> option is
+            specified,
+            the server will not listen on any IPv6 address.
+          </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2581834"></a>Query Address</h4></div></div></div>
-<p>If the server doesn't know the answer to a question, it will
-query other name servers. <span><strong class="command">query-source</strong></span> specifies
-the address and port used for such queries. For queries sent over
-IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
-If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
-a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>) will be used.
-If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
-a random unprivileged port will be used. The <span><strong class="command">avoid-v4-udp-ports</strong></span>
-and <span><strong class="command">avoid-v6-udp-ports</strong></span> options can be used to prevent named
-from selecting certain ports. The defaults are:</p>
+<a name="id2581099"></a>Query Address</h4></div></div></div>
+<p>
+            If the server doesn't know the answer to a question, it will
+            query other name servers. <span><strong class="command">query-source</strong></span> specifies
+            the address and port used for such queries. For queries sent over
+            IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
+            If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
+            a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>)
+            will be used.
+            If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
+            a random unprivileged port will be used. The <span><strong class="command">avoid-v4-udp-ports</strong></span>
+            and <span><strong class="command">avoid-v6-udp-ports</strong></span> options can be used
+            to prevent named
+            from selecting certain ports. The defaults are:
+          </p>
 <pre class="programlisting">query-source address * port *;
 query-source-v6 address * port *;
 </pre>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-<p>The address specified in the <span><strong class="command">query-source</strong></span> option
-is used for both UDP and TCP queries, but the port applies only to 
-UDP queries.  TCP queries always use a random
-unprivileged port.</p>
+<p>
+              The address specified in the <span><strong class="command">query-source</strong></span> option
+              is used for both UDP and TCP queries, but the port applies only
+              to
+              UDP queries.  TCP queries always use a random
+              unprivileged port.
+            </p>
 </div>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-<p>See also <span><strong class="command">transfer-source</strong></span> and
-<span><strong class="command">notify-source</strong></span>.</p>
+<p>
+              Solaris 2.5.1 and earlier does not support setting the source
+              address for TCP sockets.
+            </p>
 </div>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
-	    Solaris 2.5.1 and earlier does not support setting the source
-	    address for TCP sockets.
-	  </p>
+              See also <span><strong class="command">transfer-source</strong></span> and
+              <span><strong class="command">notify-source</strong></span>.
+            </p>
 </div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
-<p><acronym class="acronym">BIND</acronym> has mechanisms in place to facilitate zone transfers
-and set limits on the amount of load that transfers place on the
-system. The following options apply to zone transfers.</p>
+<p>
+            <acronym class="acronym">BIND</acronym> has mechanisms in place to
+            facilitate zone transfers
+            and set limits on the amount of load that transfers place on the
+            system. The following options apply to zone transfers.
+          </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
-<dd><p>Defines a global list of IP addresses of name servers
-that are also sent NOTIFY messages whenever a fresh copy of the
-zone is loaded, in addition to the servers listed in the zone's NS records.
-This helps to ensure that copies of the zones will
-quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
-is given in a <span><strong class="command">zone</strong></span> statement, it will override
-the <span><strong class="command">options also-notify</strong></span> statement. When a <span><strong class="command">zone notify</strong></span> statement
-is set to <span><strong class="command">no</strong></span>, the IP addresses in the global <span><strong class="command">also-notify</strong></span> list will
-not be sent NOTIFY messages for that zone. The default is the empty
-list (no global notification list).</p></dd>
+<dd><p>
+                  Defines a global list of IP addresses of name servers
+                  that are also sent NOTIFY messages whenever a fresh copy of
+                  the
+                  zone is loaded, in addition to the servers listed in the
+                  zone's NS records.
+                  This helps to ensure that copies of the zones will
+                  quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
+                  is given in a <span><strong class="command">zone</strong></span> statement,
+                  it will override
+                  the <span><strong class="command">options also-notify</strong></span>
+                  statement. When a <span><strong class="command">zone notify</strong></span>
+                  statement
+                  is set to <span><strong class="command">no</strong></span>, the IP
+                  addresses in the global <span><strong class="command">also-notify</strong></span> list will
+                  not be sent NOTIFY messages for that zone. The default is
+                  the empty
+                  list (no global notification list).
+                </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
-<dd><p>Inbound zone transfers running longer than
-this many minutes will be terminated. The default is 120 minutes
-(2 hours).  The maximum value is 28 days (40320 minutes).</p></dd>
+<dd><p>
+                  Inbound zone transfers running longer than
+                  this many minutes will be terminated. The default is 120
+                  minutes
+                  (2 hours).  The maximum value is 28 days (40320 minutes).
+                </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
-<dd><p>Inbound zone transfers making no progress
-in this many minutes will be terminated. The default is 60 minutes
-(1 hour).  The maximum value is 28 days (40320 minutes).</p></dd>
+<dd><p>
+                  Inbound zone transfers making no progress
+                  in this many minutes will be terminated. The default is 60
+                  minutes
+                  (1 hour).  The maximum value is 28 days (40320 minutes).
+                </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
-<dd><p>Outbound zone transfers running longer than
-this many minutes will be terminated. The default is 120 minutes
-(2 hours).  The maximum value is 28 days (40320 minutes).</p></dd>
+<dd><p>
+                  Outbound zone transfers running longer than
+                  this many minutes will be terminated. The default is 120
+                  minutes
+                  (2 hours).  The maximum value is 28 days (40320 minutes).
+                </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
-<dd><p>Outbound zone transfers making no progress
-in this many minutes will be terminated.  The default is 60 minutes (1
-hour).  The maximum value is 28 days (40320 minutes).</p></dd>
+<dd><p>
+                  Outbound zone transfers making no progress
+                  in this many minutes will be terminated.  The default is 60
+                  minutes (1
+                  hour).  The maximum value is 28 days (40320 minutes).
+                </p></dd>
 <dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
-<dd><p>Slave servers will periodically query master servers
-to find out if zone serial numbers have changed. Each such query uses
-a minute amount of the slave server's network bandwidth.  To limit the
-amount of bandwidth used, BIND 9 limits the rate at which queries are
-sent.  The value of the <span><strong class="command">serial-query-rate</strong></span> option,
-an integer, is the maximum number of queries sent per second.
-The default is 20.
-</p></dd>
+<dd><p>
+                  Slave servers will periodically query master servers
+                  to find out if zone serial numbers have changed. Each such
+                  query uses
+                  a minute amount of the slave server's network bandwidth.  To
+                  limit the
+                  amount of bandwidth used, BIND 9 limits the rate at which
+                  queries are
+                  sent.  The value of the <span><strong class="command">serial-query-rate</strong></span> option,
+                  an integer, is the maximum number of queries sent per
+                  second.
+                  The default is 20.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
-<dd><p>In BIND 8, the <span><strong class="command">serial-queries</strong></span> option
-set the maximum number of concurrent serial number queries
-allowed to be outstanding at any given time.
-BIND 9 does not limit the number of outstanding
-serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
-Instead, it limits the rate at which the queries are sent
-as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
-</p></dd>
+<dd><p>
+                  In BIND 8, the <span><strong class="command">serial-queries</strong></span>
+                  option
+                  set the maximum number of concurrent serial number queries
+                  allowed to be outstanding at any given time.
+                  BIND 9 does not limit the number of outstanding
+                  serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
+                  Instead, it limits the rate at which the queries are sent
+                  as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt>
 <dd><p>
-Zone transfers can be sent using two different formats,
-<span><strong class="command">one-answer</strong></span> and <span><strong class="command">many-answers</strong></span>.
-The <span><strong class="command">transfer-format</strong></span> option is used
-on the master server to determine which format it sends.
-<span><strong class="command">one-answer</strong></span> uses one DNS message per
-resource record transferred.
-<span><strong class="command">many-answers</strong></span> packs as many resource records as
-possible into a message. <span><strong class="command">many-answers</strong></span> is more
-efficient, but is only supported by relatively new slave servers,
-such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym> 8.x and patched
-versions of <acronym class="acronym">BIND</acronym> 4.9.5. The <span><strong class="command">many-answers</strong></span>
-format is also supported by recent Microsoft Windows nameservers. The default is
-<span><strong class="command">many-answers</strong></span>. <span><strong class="command">transfer-format</strong></span>
-may be overridden on a per-server basis by using the
-<span><strong class="command">server</strong></span> statement.
-</p></dd>
+                  Zone transfers can be sent using two different formats,
+                  <span><strong class="command">one-answer</strong></span> and
+                  <span><strong class="command">many-answers</strong></span>.
+                  The <span><strong class="command">transfer-format</strong></span> option is used
+                  on the master server to determine which format it sends.
+                  <span><strong class="command">one-answer</strong></span> uses one DNS message per
+                  resource record transferred.
+                  <span><strong class="command">many-answers</strong></span> packs as many resource
+                  records as possible into a message.
+                  <span><strong class="command">many-answers</strong></span> is more efficient, but is
+                  only supported by relatively new slave servers,
+                  such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
+                  8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
+                  The <span><strong class="command">many-answers</strong></span> format is also supported by
+                  recent Microsoft Windows nameservers.
+                  The default is <span><strong class="command">many-answers</strong></span>.
+                  <span><strong class="command">transfer-format</strong></span> may be overridden on a
+                  per-server basis by using the <span><strong class="command">server</strong></span>
+                  statement.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt>
-<dd><p>The maximum number of inbound zone transfers
-that can be running concurrently. The default value is <code class="literal">10</code>.
-Increasing <span><strong class="command">transfers-in</strong></span> may speed up the convergence
-of slave zones, but it also may increase the load on the local system.</p></dd>
+<dd><p>
+                  The maximum number of inbound zone transfers
+                  that can be running concurrently. The default value is <code class="literal">10</code>.
+                  Increasing <span><strong class="command">transfers-in</strong></span> may
+                  speed up the convergence
+                  of slave zones, but it also may increase the load on the
+                  local system.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt>
-<dd><p>The maximum number of outbound zone transfers
-that can be running concurrently. Zone transfer requests in excess
-of the limit will be refused. The default value is <code class="literal">10</code>.</p></dd>
+<dd><p>
+                  The maximum number of outbound zone transfers
+                  that can be running concurrently. Zone transfer requests in
+                  excess
+                  of the limit will be refused. The default value is <code class="literal">10</code>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt>
-<dd><p>The maximum number of inbound zone transfers
-that can be concurrently transferring from a given remote name server.
-The default value is <code class="literal">2</code>. Increasing <span><strong class="command">transfers-per-ns</strong></span> may
-speed up the convergence of slave zones, but it also may increase
-the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
-be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
-of the <span><strong class="command">server</strong></span> statement.</p></dd>
+<dd><p>
+                  The maximum number of inbound zone transfers
+                  that can be concurrently transferring from a given remote
+                  name server.
+                  The default value is <code class="literal">2</code>.
+                  Increasing <span><strong class="command">transfers-per-ns</strong></span>
+                  may
+                  speed up the convergence of slave zones, but it also may
+                  increase
+                  the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
+                  be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
+                  of the <span><strong class="command">server</strong></span> statement.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
-<dd><p><span><strong class="command">transfer-source</strong></span> determines
-which local address will be bound to IPv4 TCP connections used to
-fetch zones transferred inbound by the server.  It also determines
-the source IPv4 address, and optionally the UDP port, used for the
-refresh queries and forwarded dynamic updates.  If not set, it defaults
-to a system controlled value which will usually be the address of
-the interface "closest to" the remote end. This address must appear
-in the remote end's <span><strong class="command">allow-transfer</strong></span> option for
-the zone being transferred, if one is specified. This statement
-sets the <span><strong class="command">transfer-source</strong></span> for all zones, but can
-be overridden on a per-view or per-zone basis by including a
-<span><strong class="command">transfer-source</strong></span> statement within the
-<span><strong class="command">view</strong></span> or <span><strong class="command">zone</strong></span> block
-in the configuration file.</p></dd>
+<dd>
+<p><span><strong class="command">transfer-source</strong></span>
+                  determines which local address will be bound to IPv4
+                  TCP connections used to fetch zones transferred
+                  inbound by the server.  It also determines the
+                  source IPv4 address, and optionally the UDP port,
+                  used for the refresh queries and forwarded dynamic
+                  updates.  If not set, it defaults to a system
+                  controlled value which will usually be the address
+                  of the interface "closest to" the remote end. This
+                  address must appear in the remote end's
+                  <span><strong class="command">allow-transfer</strong></span> option for the
+                  zone being transferred, if one is specified. This
+                  statement sets the
+                  <span><strong class="command">transfer-source</strong></span> for all zones,
+                  but can be overridden on a per-view or per-zone
+                  basis by including a
+                  <span><strong class="command">transfer-source</strong></span> statement within
+                  the <span><strong class="command">view</strong></span> or
+                  <span><strong class="command">zone</strong></span> block in the configuration
+                  file.
+                </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+                    Solaris 2.5.1 and earlier does not support setting the
+                    source address for TCP sockets.
+                  </p>
+</div>
+</dd>
 <dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
-<dd><p>The same as <span><strong class="command">transfer-source</strong></span>,
-except zone transfers are performed using IPv6.</p></dd>
+<dd><p>
+                  The same as <span><strong class="command">transfer-source</strong></span>,
+                  except zone transfers are performed using IPv6.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
 <dd>
 <p>
-		  An alternate transfer source if the one listed in
-		  <span><strong class="command">transfer-source</strong></span> fails and
-		  <span><strong class="command">use-alt-transfer-source</strong></span> is
-		  set.
-		</p>
+                  An alternate transfer source if the one listed in
+                  <span><strong class="command">transfer-source</strong></span> fails and
+                  <span><strong class="command">use-alt-transfer-source</strong></span> is
+                  set.
+                </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-		  If you do not wish the alternate transfer source
-		  to be used, you should set
-		  <span><strong class="command">use-alt-transfer-source</strong></span>
-		  appropriately and you should not depend upon
-		  getting a answer back to the first refresh
-		  query.
-		</div>
+                  If you do not wish the alternate transfer source
+                  to be used, you should set
+                  <span><strong class="command">use-alt-transfer-source</strong></span>
+                  appropriately and you should not depend upon
+                  getting a answer back to the first refresh
+                  query.
+                </div>
 </dd>
 <dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
-<dd><p>An alternate transfer source if the one listed in
-<span><strong class="command">transfer-source-v6</strong></span> fails and
-<span><strong class="command">use-alt-transfer-source</strong></span> is set.</p></dd>
+<dd><p>
+                  An alternate transfer source if the one listed in
+                  <span><strong class="command">transfer-source-v6</strong></span> fails and
+                  <span><strong class="command">use-alt-transfer-source</strong></span> is
+                  set.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
-<dd><p>Use the alternate transfer sources or not.  If views are
-specified this defaults to <span><strong class="command">no</strong></span> otherwise it defaults to
-<span><strong class="command">yes</strong></span> (for BIND 8 compatibility).</p></dd>
+<dd><p>
+                  Use the alternate transfer sources or not.  If views are
+                  specified this defaults to <span><strong class="command">no</strong></span>
+                  otherwise it defaults to
+                  <span><strong class="command">yes</strong></span> (for BIND 8
+                  compatibility).
+                </p></dd>
 <dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
 <dd>
-<p><span><strong class="command">notify-source</strong></span> determines
-which local source address, and optionally UDP port, will be used to
-send NOTIFY messages.
-This address must appear in the slave server's <span><strong class="command">masters</strong></span>
-zone clause or in an <span><strong class="command">allow-notify</strong></span> clause.
-This statement sets the <span><strong class="command">notify-source</strong></span> for all zones,
-but can be overridden on a per-zone or per-view basis by including a
-<span><strong class="command">notify-source</strong></span> statement within the <span><strong class="command">zone</strong></span>
-or <span><strong class="command">view</strong></span> block in the configuration file.</p>
+<p><span><strong class="command">notify-source</strong></span>
+                  determines which local source address, and
+                  optionally UDP port, will be used to send NOTIFY
+                  messages.  This address must appear in the slave
+                  server's <span><strong class="command">masters</strong></span> zone clause or
+                  in an <span><strong class="command">allow-notify</strong></span> clause.  This
+                  statement sets the <span><strong class="command">notify-source</strong></span>
+                  for all zones, but can be overridden on a per-zone or
+                  per-view basis by including a
+                  <span><strong class="command">notify-source</strong></span> statement within
+                  the <span><strong class="command">zone</strong></span> or
+                  <span><strong class="command">view</strong></span> block in the configuration
+                  file.
+                </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
-                   Solaris 2.5.1 and earlier does not support setting the
-                   source address for TCP sockets.
-                 </p>
+                    Solaris 2.5.1 and earlier does not support setting the
+                    source address for TCP sockets.
+                  </p>
 </div>
 </dd>
 <dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
-<dd><p>Like <span><strong class="command">notify-source</strong></span>,
-but applies to notify messages sent to IPv6 addresses.</p></dd>
+<dd><p>
+                  Like <span><strong class="command">notify-source</strong></span>,
+                  but applies to notify messages sent to IPv6 addresses.
+                </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2582444"></a>Bad UDP Port Lists</h4></div></div></div>
-<p>
-<span><strong class="command">avoid-v4-udp-ports</strong></span> and <span><strong class="command">avoid-v6-udp-ports</strong></span>
-specify a list of IPv4 and IPv6 UDP ports that will not be used as system
-assigned source ports for UDP sockets.  These lists prevent named
-from choosing as its random source port a port that is blocked by
-your firewall.  If a query went out with such a source port, the
-answer would not get by the firewall and the name server would have
-to query again.
-</p>
+<a name="id2581778"></a>Bad UDP Port Lists</h4></div></div></div>
+<p><span><strong class="command">avoid-v4-udp-ports</strong></span>
+            and <span><strong class="command">avoid-v6-udp-ports</strong></span> specify a list
+            of IPv4 and IPv6 UDP ports that will not be used as system
+            assigned source ports for UDP sockets.  These lists
+            prevent named from choosing as its random source port a
+            port that is blocked by your firewall.  If a query went
+            out with such a source port, the answer would not get by
+            the firewall and the name server would have to query
+            again.
+          </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2570036"></a>Operating System Resource Limits</h4></div></div></div>
-<p>The server's usage of many system resources can be limited.
-Scaled values are allowed when specifying resource limits.  For
-example, <span><strong class="command">1G</strong></span> can be used instead of
-<span><strong class="command">1073741824</strong></span> to specify a limit of one
-gigabyte. <span><strong class="command">unlimited</strong></span> requests unlimited use, or the
-maximum available amount. <span><strong class="command">default</strong></span> uses the limit
-that was in force when the server was started. See the description
-of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.</p>
-<p>The following options set operating system resource limits for
-the name server process.  Some operating systems don't support some or
-any of the limits. On such systems, a warning will be issued if the
-unsupported limit is used.</p>
+<a name="id2581793"></a>Operating System Resource Limits</h4></div></div></div>
+<p>
+            The server's usage of many system resources can be limited.
+            Scaled values are allowed when specifying resource limits.  For
+            example, <span><strong class="command">1G</strong></span> can be used instead of
+            <span><strong class="command">1073741824</strong></span> to specify a limit of
+            one
+            gigabyte. <span><strong class="command">unlimited</strong></span> requests
+            unlimited use, or the
+            maximum available amount. <span><strong class="command">default</strong></span>
+            uses the limit
+            that was in force when the server was started. See the description
+            of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.
+          </p>
+<p>
+            The following options set operating system resource limits for
+            the name server process.  Some operating systems don't support
+            some or
+            any of the limits. On such systems, a warning will be issued if
+            the
+            unsupported limit is used.
+          </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt>
-<dd><p>The maximum size of a core dump. The default
-is <code class="literal">default</code>.</p></dd>
+<dd><p>
+                  The maximum size of a core dump. The default
+                  is <code class="literal">default</code>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt>
-<dd><p>The maximum amount of data memory the server
-may use. The default is <code class="literal">default</code>.
-This is a hard limit on server memory usage.
-If the server attempts to allocate memory in excess of this
-limit, the allocation will fail, which may in turn leave
-the server unable to perform DNS service.  Therefore,
-this option is rarely useful as a way of limiting the
-amount of memory used by the server, but it can be used
-to raise an operating system data size limit that is
-too small by default.  If you wish to limit the amount
-of memory used by the server, use the
-<span><strong class="command">max-cache-size</strong></span> and 
-<span><strong class="command">recursive-clients</strong></span>
-options instead.
-</p></dd>
+<dd><p>
+                  The maximum amount of data memory the server
+                  may use. The default is <code class="literal">default</code>.
+                  This is a hard limit on server memory usage.
+                  If the server attempts to allocate memory in excess of this
+                  limit, the allocation will fail, which may in turn leave
+                  the server unable to perform DNS service.  Therefore,
+                  this option is rarely useful as a way of limiting the
+                  amount of memory used by the server, but it can be used
+                  to raise an operating system data size limit that is
+                  too small by default.  If you wish to limit the amount
+                  of memory used by the server, use the
+                  <span><strong class="command">max-cache-size</strong></span> and
+                  <span><strong class="command">recursive-clients</strong></span>
+                  options instead.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">files</strong></span></span></dt>
-<dd><p>The maximum number of files the server
-may have open concurrently. The default is <code class="literal">unlimited</code>.
-</p></dd>
+<dd><p>
+                  The maximum number of files the server
+                  may have open concurrently. The default is <code class="literal">unlimited</code>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt>
-<dd><p>The maximum amount of stack memory the server
-may use. The default is <code class="literal">default</code>.</p></dd>
+<dd><p>
+                  The maximum amount of stack memory the server
+                  may use. The default is <code class="literal">default</code>.
+                </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2570205"></a>Server  Resource Limits</h4></div></div></div>
-<p>The following options set limits on the server's
-resource consumption that are enforced internally by the
-server rather than the operating system.</p>
+<a name="id2581976"></a>Server  Resource Limits</h4></div></div></div>
+<p>
+            The following options set limits on the server's
+            resource consumption that are enforced internally by the
+            server rather than the operating system.
+          </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt>
-<dd><p>This option is obsolete; it is accepted
-and ignored for BIND 8 compatibility.  The option
-<span><strong class="command">max-journal-size</strong></span> performs a similar
-function in BIND 8.
-</p></dd>
+<dd><p>
+                  This option is obsolete; it is accepted
+                  and ignored for BIND 8 compatibility.  The option
+                  <span><strong class="command">max-journal-size</strong></span> performs a
+                  similar function in BIND 9.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
-<dd><p>Sets a maximum size for each journal file
-(see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>).  When the journal file approaches
-the specified size, some of the oldest transactions in the journal
-will be automatically removed.  The default is
-<code class="literal">unlimited</code>.</p></dd>
+<dd><p>
+                  Sets a maximum size for each journal file
+                  (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>).  When the journal file
+                  approaches
+                  the specified size, some of the oldest transactions in the
+                  journal
+                  will be automatically removed.  The default is
+                  <code class="literal">unlimited</code>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
-<dd><p>In BIND 8, specifies the maximum number of host statistics
-entries to be kept.
-Not implemented in BIND 9.
-</p></dd>
+<dd><p>
+                  In BIND 8, specifies the maximum number of host statistics
+                  entries to be kept.
+                  Not implemented in BIND 9.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt>
-<dd><p>The maximum number of simultaneous recursive lookups
-the server will perform on behalf of clients.  The default is
-<code class="literal">1000</code>.  Because each recursing client uses a fair
-bit of memory, on the order of 20 kilobytes, the value of the
-<span><strong class="command">recursive-clients</strong></span> option may have to be decreased
-on hosts with limited memory.
-</p></dd>
+<dd><p>
+                  The maximum number of simultaneous recursive lookups
+                  the server will perform on behalf of clients.  The default
+                  is
+                  <code class="literal">1000</code>.  Because each recursing
+                  client uses a fair
+                  bit of memory, on the order of 20 kilobytes, the value of
+                  the
+                  <span><strong class="command">recursive-clients</strong></span> option may
+                  have to be decreased
+                  on hosts with limited memory.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt>
-<dd><p>The maximum number of simultaneous client TCP
-connections that the server will accept.
-The default is <code class="literal">100</code>.</p></dd>
+<dd><p>
+                  The maximum number of simultaneous client TCP
+                  connections that the server will accept.
+                  The default is <code class="literal">100</code>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt>
-<dd><p>The maximum amount of memory to use for the
-server's cache, in bytes.  When the amount of data in the cache
-reaches this limit, the server will cause records to expire
-prematurely so that the limit is not exceeded.  In a server with
-multiple views, the limit applies separately to the cache of each
-view.  The default is <code class="literal">unlimited</code>, meaning that 
-records are purged from the cache only when their TTLs expire.
-</p></dd>
+<dd><p>
+                  The maximum amount of memory to use for the
+                  server's cache, in bytes.  When the amount of data in the
+                  cache
+                  reaches this limit, the server will cause records to expire
+                  prematurely so that the limit is not exceeded.  In a server
+                  with
+                  multiple views, the limit applies separately to the cache of
+                  each
+                  view.  The default is <code class="literal">unlimited</code>, meaning that
+                  records are purged from the cache only when their TTLs
+                  expire.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt>
-<dd><p>The listen queue depth.  The default and minimum is 3.
-If the kernel supports the accept filter "dataready" this also controls how
-many TCP connections that will be queued in kernel space waiting for
-some data before being passed to accept.  Values less than 3 will be
-silently raised.
-</p></dd>
+<dd><p>
+                  The listen queue depth.  The default and minimum is 3.
+                  If the kernel supports the accept filter "dataready" this
+                  also controls how
+                  many TCP connections that will be queued in kernel space
+                  waiting for
+                  some data before being passed to accept.  Values less than 3
+                  will be
+                  silently raised.
+                </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2584723"></a>Periodic Task Intervals</h4></div></div></div>
+<a name="id2582178"></a>Periodic Task Intervals</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
-<dd><p>The server will remove expired resource records
-from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
-The default is 60 minutes.  The maximum value is 28 days (40320 minutes).
-If set to 0, no periodic cleaning will occur.</p></dd>
+<dd><p>
+                  The server will remove expired resource records
+                  from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
+                  The default is 60 minutes.  The maximum value is 28 days
+                  (40320 minutes).
+                  If set to 0, no periodic cleaning will occur.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
-<dd><p>The server will perform zone maintenance tasks
-for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
-interval expires. The default is 60 minutes. Reasonable values are up
-to 1 day (1440 minutes).  The maximum value is 28 days (40320 minutes).
-If set to 0, no zone maintenance for these zones will occur.</p></dd>
+<dd><p>
+                  The server will perform zone maintenance tasks
+                  for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
+                  interval expires. The default is 60 minutes. Reasonable
+                  values are up
+                  to 1 day (1440 minutes).  The maximum value is 28 days
+                  (40320 minutes).
+                  If set to 0, no zone maintenance for these zones will occur.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt>
-<dd><p>The server will scan the network interface list
-every <span><strong class="command">interface-interval</strong></span> minutes. The default
-is 60 minutes. The maximum value is 28 days (40320 minutes).
-If set to 0, interface scanning will only occur when
-the configuration file is  loaded. After the scan, the server will
-begin listening for queries on any newly discovered
-interfaces (provided they are allowed by the
-<span><strong class="command">listen-on</strong></span> configuration), and will
-stop listening on interfaces that have gone away.</p></dd>
+<dd><p>
+                  The server will scan the network interface list
+                  every <span><strong class="command">interface-interval</strong></span>
+                  minutes. The default
+                  is 60 minutes. The maximum value is 28 days (40320 minutes).
+                  If set to 0, interface scanning will only occur when
+                  the configuration file is  loaded. After the scan, the
+                  server will
+                  begin listening for queries on any newly discovered
+                  interfaces (provided they are allowed by the
+                  <span><strong class="command">listen-on</strong></span> configuration), and
+                  will
+                  stop listening on interfaces that have gone away.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
 <dd>
-<p>Name server statistics will be logged
-every <span><strong class="command">statistics-interval</strong></span> minutes. The default is 
-60. The maximum value is 28 days (40320 minutes).
-If set to 0, no statistics will be logged.</p>
+<p>
+                  Name server statistics will be logged
+                  every <span><strong class="command">statistics-interval</strong></span>
+                  minutes. The default is
+                  60. The maximum value is 28 days (40320 minutes).
+                  If set to 0, no statistics will be logged.
+                  </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-<p>Not yet implemented in <acronym class="acronym">BIND</acronym>9.</p>
+<p>
+                    Not yet implemented in
+                    <acronym class="acronym">BIND</acronym>9.
+                  </p>
 </div>
 </dd>
 </dl></div>
@@ -2206,83 +3543,115 @@ If set to 0, no statistics will be logged.</p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="topology"></a>Topology</h4></div></div></div>
-<p>All other things being equal, when the server chooses a name server
-to query from a list of name servers, it prefers the one that is
-topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
-takes an <span><strong class="command">address_match_list</strong></span> and interprets it
-in a special way. Each top-level list element is assigned a distance.
-Non-negated elements get a distance based on their position in the
-list, where the closer the match is to the start of the list, the
-shorter the distance is between it and the server. A negated match
-will be assigned the maximum distance from the server. If there
-is no match, the address will get a distance which is further than
-any non-negated list element, and closer than any negated element.
-For example,</p>
+<p>
+            All other things being equal, when the server chooses a name
+            server
+            to query from a list of name servers, it prefers the one that is
+            topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
+            takes an <span><strong class="command">address_match_list</strong></span> and
+            interprets it
+            in a special way. Each top-level list element is assigned a
+            distance.
+            Non-negated elements get a distance based on their position in the
+            list, where the closer the match is to the start of the list, the
+            shorter the distance is between it and the server. A negated match
+            will be assigned the maximum distance from the server. If there
+            is no match, the address will get a distance which is further than
+            any non-negated list element, and closer than any negated element.
+            For example,
+          </p>
 <pre class="programlisting">topology {
     10/8;
     !1.2.3/24;
     { 1.2/16; 3/8; };
 };</pre>
-<p>will prefer servers on network 10 the most, followed by hosts
-on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
-exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
-is preferred least of all.</p>
-<p>The default topology is</p>
+<p>
+            will prefer servers on network 10 the most, followed by hosts
+            on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
+            exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
+            is preferred least of all.
+          </p>
+<p>
+            The default topology is
+          </p>
 <pre class="programlisting">    topology { localhost; localnets; };
 </pre>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-<p>The <span><strong class="command">topology</strong></span> option
-is not implemented in <acronym class="acronym">BIND</acronym> 9.
-</p>
+<p>
+              The <span><strong class="command">topology</strong></span> option
+              is not implemented in <acronym class="acronym">BIND</acronym> 9.
+            </p>
 </div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
-<p>The response to a DNS query may consist of multiple resource
-records (RRs) forming a resource records set (RRset).
-The name server will normally return the
-RRs within the RRset in an indeterminate order
-(but see the <span><strong class="command">rrset-order</strong></span>
-statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).
-The client resolver code should rearrange the RRs as appropriate,
-that is, using any addresses on the local net in preference to other addresses.
-However, not all resolvers can do this or are correctly configured.
-When a client is using a local server, the sorting can be performed
-in the server, based on the client's address. This only requires
-configuring the name servers, not all the clients.</p>
-<p>The <span><strong class="command">sortlist</strong></span> statement (see below) takes
-an <span><strong class="command">address_match_list</strong></span> and interprets it even
-more specifically than the <span><strong class="command">topology</strong></span> statement
-does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called &#8220;Topology&#8221;</a>).
-Each top level statement in the <span><strong class="command">sortlist</strong></span> must
-itself be an explicit <span><strong class="command">address_match_list</strong></span> with
-one or two elements. The first element (which may be an IP address,
-an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
-of each top level list is checked against the source address of
-the query until a match is found.</p>
-<p>Once the source address of the query has been matched, if
-the top level statement contains only one element, the actual primitive
-element that matched the source address is used to select the address
-in the response to move to the beginning of the response. If the
-statement is a list of two elements, then the second element is
-treated the same as the <span><strong class="command">address_match_list</strong></span> in
-a <span><strong class="command">topology</strong></span> statement. Each top level element
-is assigned a distance and the address in the response with the minimum
-distance is moved to the beginning of the response.</p>
-<p>In the following example, any queries received from any of
-the addresses of the host itself will get responses preferring addresses
-on any of the locally connected networks. Next most preferred are addresses
-on the 192.168.1/24 network, and after that either the 192.168.2/24
-or
-192.168.3/24 network with no preference shown between these two
-networks. Queries received from a host on the 192.168.1/24 network
-will prefer other addresses on that network to the 192.168.2/24
-and
-192.168.3/24 networks. Queries received from a host on the 192.168.4/24
-or the 192.168.5/24 network will only prefer other addresses on
-their directly connected networks.</p>
+<p>
+            The response to a DNS query may consist of multiple resource
+            records (RRs) forming a resource records set (RRset).
+            The name server will normally return the
+            RRs within the RRset in an indeterminate order
+            (but see the <span><strong class="command">rrset-order</strong></span>
+            statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).
+            The client resolver code should rearrange the RRs as appropriate,
+            that is, using any addresses on the local net in preference to
+            other addresses.
+            However, not all resolvers can do this or are correctly
+            configured.
+            When a client is using a local server, the sorting can be performed
+            in the server, based on the client's address. This only requires
+            configuring the name servers, not all the clients.
+          </p>
+<p>
+            The <span><strong class="command">sortlist</strong></span> statement (see below)
+            takes
+            an <span><strong class="command">address_match_list</strong></span> and
+            interprets it even
+            more specifically than the <span><strong class="command">topology</strong></span>
+            statement
+            does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called &#8220;Topology&#8221;</a>).
+            Each top level statement in the <span><strong class="command">sortlist</strong></span> must
+            itself be an explicit <span><strong class="command">address_match_list</strong></span> with
+            one or two elements. The first element (which may be an IP
+            address,
+            an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
+            of each top level list is checked against the source address of
+            the query until a match is found.
+          </p>
+<p>
+            Once the source address of the query has been matched, if
+            the top level statement contains only one element, the actual
+            primitive
+            element that matched the source address is used to select the
+            address
+            in the response to move to the beginning of the response. If the
+            statement is a list of two elements, then the second element is
+            treated the same as the <span><strong class="command">address_match_list</strong></span> in
+            a <span><strong class="command">topology</strong></span> statement. Each top
+            level element
+            is assigned a distance and the address in the response with the
+            minimum
+            distance is moved to the beginning of the response.
+          </p>
+<p>
+            In the following example, any queries received from any of
+            the addresses of the host itself will get responses preferring
+            addresses
+            on any of the locally connected networks. Next most preferred are
+            addresses
+            on the 192.168.1/24 network, and after that either the
+            192.168.2/24
+            or
+            192.168.3/24 network with no preference shown between these two
+            networks. Queries received from a host on the 192.168.1/24 network
+            will prefer other addresses on that network to the 192.168.2/24
+            and
+            192.168.3/24 networks. Queries received from a host on the
+            192.168.4/24
+            or the 192.168.5/24 network will only prefer other addresses on
+            their directly connected networks.
+          </p>
 <pre class="programlisting">sortlist {
     { localhost;                                   // IF   the local host
         { localnets;                               // THEN first fit on the
@@ -2300,13 +3669,18 @@ their directly connected networks.</p>
     { { 192.168.4/24; 192.168.5/24; };             // if .4 or .5, prefer that net
     };
 };</pre>
-<p>The following example will give reasonable behavior for the
-local host and hosts on directly connected networks. It is similar
-to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
-to queries from the local host will favor any of the directly connected
-networks. Responses sent to queries from any other hosts on a directly
-connected network will prefer addresses on that same network. Responses
-to other queries will not be sorted.</p>
+<p>
+            The following example will give reasonable behavior for the
+            local host and hosts on directly connected networks. It is similar
+            to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
+            to queries from the local host will favor any of the directly
+            connected
+            networks. Responses sent to queries from any other hosts on a
+            directly
+            connected network will prefer addresses on that same network.
+            Responses
+            to other queries will not be sorted.
+          </p>
 <pre class="programlisting">sortlist {
            { localhost; localnets; };
            { localnets; };
@@ -2316,21 +3690,34 @@ to other queries will not be sorted.</p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
-<p>When multiple records are returned in an answer it may be
-useful to configure the order of the records placed into the response.
-The <span><strong class="command">rrset-order</strong></span> statement permits configuration
-of the ordering of the records in a multiple record response.
-See also the <span><strong class="command">sortlist</strong></span> statement,
-<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a>.
-</p>
-<p>An <span><strong class="command">order_spec</strong></span> is defined as follows:</p>
-<pre class="programlisting">[<span class="optional"> class <em class="replaceable"><code>class_name</code></em> </span>][<span class="optional"> type <em class="replaceable"><code>type_name</code></em> </span>][<span class="optional"> name <em class="replaceable"><code>"domain_name"</code></em></span>]
-      order <em class="replaceable"><code>ordering</code></em>
-</pre>
-<p>If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
-If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
-If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).</p>
-<p>The legal values for <span><strong class="command">ordering</strong></span> are:</p>
+<p>
+            When multiple records are returned in an answer it may be
+            useful to configure the order of the records placed into the
+            response.
+            The <span><strong class="command">rrset-order</strong></span> statement permits
+            configuration
+            of the ordering of the records in a multiple record response.
+            See also the <span><strong class="command">sortlist</strong></span> statement,
+            <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a>.
+          </p>
+<p>
+            An <span><strong class="command">order_spec</strong></span> is defined as
+            follows:
+          </p>
+<p>
+            [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
+            [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
+            [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
+            order <em class="replaceable"><code>ordering</code></em>
+          </p>
+<p>
+            If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
+            If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
+            If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
+          </p>
+<p>
+            The legal values for <span><strong class="command">ordering</strong></span> are:
+          </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -2338,38 +3725,65 @@ If no name is specified, the default is "<span><strong class="command">*</strong
 </colgroup>
 <tbody>
 <tr>
-<td><p><span><strong class="command">fixed</strong></span></p></td>
-<td><p>Records are returned in the order they
-are defined in the zone file.</p></td>
+<td>
+                    <p><span><strong class="command">fixed</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Records are returned in the order they
+                      are defined in the zone file.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">random</strong></span></p></td>
-<td><p>Records are returned in some random order.</p></td>
+<td>
+                    <p><span><strong class="command">random</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Records are returned in some random order.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">cyclic</strong></span></p></td>
-<td><p>Records are returned in a round-robin
-order.</p></td>
+<td>
+                    <p><span><strong class="command">cyclic</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Records are returned in a round-robin
+                      order.
+                    </p>
+                  </td>
 </tr>
 </tbody>
 </table></div>
-<p>For example:</p>
+<p>
+            For example:
+          </p>
 <pre class="programlisting">rrset-order {
    class IN type A name "host.example.com" order random;
    order cyclic;
 };
 </pre>
-<p>will cause any responses for type A records in class IN that
-have "<code class="literal">host.example.com</code>" as a suffix, to always be returned
-in random order. All other records are returned in cyclic order.</p>
-<p>If multiple <span><strong class="command">rrset-order</strong></span> statements appear,
-they are not combined &#8212; the last one applies.</p>
+<p>
+            will cause any responses for type A records in class IN that
+            have "<code class="literal">host.example.com</code>" as a
+            suffix, to always be returned
+            in random order. All other records are returned in cyclic order.
+          </p>
+<p>
+            If multiple <span><strong class="command">rrset-order</strong></span> statements
+            appear,
+            they are not combined &#8212; the last one applies.
+          </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-<p>The <span><strong class="command">rrset-order</strong></span> statement
-is not yet fully implemented in <acronym class="acronym">BIND</acronym> 9.
-BIND 9 currently does not support "fixed" ordering.
-</p>
+<p>
+              The <span><strong class="command">rrset-order</strong></span> statement
+              is not yet fully implemented in <acronym class="acronym">BIND</acronym> 9.
+              BIND 9 currently does not fully support "fixed" ordering.
+            </p>
 </div>
 </div>
 <div class="sect3" lang="en">
@@ -2377,143 +3791,370 @@ BIND 9 currently does not support "fixed" ordering.
 <a name="tuning"></a>Tuning</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt>
-<dd><p>Sets the number of seconds to cache a
-lame server indication. 0 disables caching. (This is
-<span class="bold"><strong>NOT</strong></span> recommended.)
-The default is <code class="literal">600</code> (10 minutes) and the maximum value is 
-<code class="literal">1800</code> (30 minutes).</p></dd>
+<dd><p>
+                  Sets the number of seconds to cache a
+                  lame server indication. 0 disables caching. (This is
+                  <span class="bold"><strong>NOT</strong></span> recommended.)
+                  The default is <code class="literal">600</code> (10 minutes) and the
+                  maximum value is
+                  <code class="literal">1800</code> (30 minutes).
+                </p></dd>
 <dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt>
-<dd><p>To reduce network traffic and increase performance,
-the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
-used to set a maximum retention time for these answers in the server
-in seconds. The default
-<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
-<span><strong class="command">max-ncache-ttl</strong></span> cannot exceed 7 days and will
-be silently truncated to 7 days if set to a greater value.</p></dd>
+<dd><p>
+                  To reduce network traffic and increase performance,
+                  the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
+                  used to set a maximum retention time for these answers in
+                  the server
+                  in seconds. The default
+                  <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
+                  <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed
+                  7 days and will
+                  be silently truncated to 7 days if set to a greater value.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt>
-<dd><p>Sets
-the maximum time for which the server will cache ordinary (positive)
-answers. The default is one week (7 days).</p></dd>
+<dd><p>
+                  Sets the maximum time for which the server will
+                  cache ordinary (positive) answers. The default is
+                  one week (7 days).
+                </p></dd>
 <dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt>
 <dd>
-<p>The minimum number of root servers that
-is required for a request for the root servers to be accepted. The default
-is <strong class="userinput"><code>2</code></strong>.</p>
+<p>
+                  The minimum number of root servers that
+                  is required for a request for the root servers to be
+                  accepted. The default
+                  is <strong class="userinput"><code>2</code></strong>.
+                </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-<p>Not implemented in <acronym class="acronym">BIND</acronym> 9.</p>
+<p>
+                    Not implemented in <acronym class="acronym">BIND</acronym> 9.
+                  </p>
 </div>
 </dd>
 <dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
-<dd><p>Specifies the number of days into the
-future when DNSSEC signatures automatically generated as a result
-of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>)
-will expire. The default is <code class="literal">30</code> days.
-The maximum value is 10 years (3660 days). The signature
-inception time is unconditionally set to one hour before the current time
-to allow for a limited amount of clock skew.</p></dd>
+<dd><p>
+                  Specifies the number of days into the
+                  future when DNSSEC signatures automatically generated as a
+                  result
+                  of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>)
+                  will expire. The default is <code class="literal">30</code> days.
+                  The maximum value is 10 years (3660 days). The signature
+                  inception time is unconditionally set to one hour before the
+                  current time
+                  to allow for a limited amount of clock skew.
+                </p></dd>
 <dt>
 <span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
 </dt>
 <dd>
 <p>
-These options control the server's behavior on refreshing a zone
-(querying for SOA changes) or retrying failed transfers.
-Usually the SOA values for the zone are used, but these values
-are set by the master, giving slave server administrators little
-control over their contents.
-</p>
+                  These options control the server's behavior on refreshing a
+                  zone
+                  (querying for SOA changes) or retrying failed transfers.
+                  Usually the SOA values for the zone are used, but these
+                  values
+                  are set by the master, giving slave server administrators
+                  little
+                  control over their contents.
+                </p>
 <p>
-These options allow the administrator to set a minimum and maximum
-refresh and retry time either per-zone, per-view, or globally.
-These options are valid for slave and stub zones,
-and clamp the SOA refresh and retry times to the specified values.
-</p>
+                  These options allow the administrator to set a minimum and
+                  maximum
+                  refresh and retry time either per-zone, per-view, or
+                  globally.
+                  These options are valid for slave and stub zones,
+                  and clamp the SOA refresh and retry times to the specified
+                  values.
+                </p>
 </dd>
 <dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
 <dd><p>
-<span><strong class="command">edns-udp-size</strong></span> sets the advertised EDNS UDP buffer
-size in bytes.  Valid values are 512 to 4096 bytes (values outside this range will be
-silently adjusted).  The default value is 4096.  The usual reason for
-setting edns-udp-size to a non-default value it to get UDP answers to
-pass through broken firewalls that block fragmented packets and/or
-block UDP packets that are greater than 512 bytes.
-</p></dd>
+                  Sets the advertised EDNS UDP buffer size in bytes.  Valid
+                  values are 512 to 4096 (values outside this range
+                  will be silently adjusted).  The default value is
+                  4096.  The usual reason for setting edns-udp-size to
+                  a non-default value it to get UDP answers to pass
+                  through broken firewalls that block fragmented
+                  packets and/or block UDP packets that are greater
+                  than 512 bytes.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
+<dd><p>
+                  Sets the maximum EDNS UDP message size named will
+                  send in bytes.  Valid values are 512 to 4096 (values outside
+                  this range will be silently adjusted).  The default
+                  value is 4096.  The usual reason for setting
+                  max-udp-size to a non-default value is to get UDP
+                  answers to pass through broken firewalls that
+                  block fragmented packets and/or block UDP packets
+                  that are greater than 512 bytes.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
+<dd><p>Specifies
+                  the file format of zone files (see
+                  <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called &#8220;Additional File Formats&#8221;</a>).
+                  The default value is <code class="constant">text</code>, which is the
+                  standard textual representation.  Files in other formats
+                  than <code class="constant">text</code> are typically expected
+                  to be generated by the <span><strong class="command">named-compilezone</strong></span> tool.
+                  Note that when a zone file in a different format than
+                  <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span>
+                  may omit some of the checks which would be performed for a
+                  file in the <code class="constant">text</code> format.  In particular,
+                  <span><strong class="command">check-names</strong></span> checks do not apply
+                  for the <code class="constant">raw</code> format.  This means
+                  a zone file in the <code class="constant">raw</code> format
+                  must be generated with the same check level as that
+                  specified in the <span><strong class="command">named</strong></span> configuration
+                  file.  This statement sets the
+                  <span><strong class="command">masterfile-format</strong></span> for all zones,
+                  but can be overridden on a per-zone or per-view basis
+                  by including a <span><strong class="command">masterfile-format</strong></span>
+                  statement within the <span><strong class="command">zone</strong></span> or
+                  <span><strong class="command">view</strong></span> block in the configuration
+                  file.
+                </p></dd>
+<dt>
+<span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
+</dt>
+<dd>
+<p>These set the
+                  initial value (minimum) and maximum number of recursive
+                  simultanious clients for any given query
+                  (&lt;qname,qtype,qclass&gt;) that the server will accept
+                  before dropping additional clients.  named will attempt to
+                  self tune this value and changes will be logged.  The
+                  default values are 10 and 100.
+                </p>
+<p>
+                  This value should reflect how many queries come in for
+                  a given name in the time it takes to resolve that name.
+                  If the number of queries exceed this value, named will
+                  assume that it is dealing with a non-responsive zone
+                  and will drop additional queries.  If it gets a response
+                  after dropping queries, it will raise the estimate.  The
+                  estimate will then be lowered in 20 minutes if it has
+                  remained unchanged.
+                </p>
+<p>
+                  If <span><strong class="command">clients-per-query</strong></span> is set to zero,
+                  then there is no limit on the number of clients per query
+                  and no queries will be dropped.
+                </p>
+<p>
+                  If <span><strong class="command">max-clients-per-query</strong></span> is set to zero,
+                  then there is no upper bound other than imposed by
+                  <span><strong class="command">recursive-clients</strong></span>.
+                </p>
+</dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="builtin"></a>Built-in server information zones</h4></div></div></div>
-<p>The server provides some helpful diagnostic information
-through a number of built-in zones under the
-pseudo-top-level-domain <code class="literal">bind</code> in the
-<span><strong class="command">CHAOS</strong></span> class.  These zones are part of a
-built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span><strong class="command">view</strong></span> Statement Grammar&#8221;</a>) of class
-<span><strong class="command">CHAOS</strong></span> which is separate from the default view of
-class <span><strong class="command">IN</strong></span>; therefore, any global server options
-such as <span><strong class="command">allow-query</strong></span> do not apply the these zones.
-If you feel the need to disable these zones, use the options
-below, or hide the built-in <span><strong class="command">CHAOS</strong></span> view by
-defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
-that matches all clients.</p>
+<p>
+            The server provides some helpful diagnostic information
+            through a number of built-in zones under the
+            pseudo-top-level-domain <code class="literal">bind</code> in the
+            <span><strong class="command">CHAOS</strong></span> class.  These zones are part
+            of a
+            built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span><strong class="command">view</strong></span> Statement Grammar&#8221;</a>) of
+            class
+            <span><strong class="command">CHAOS</strong></span> which is separate from the
+            default view of
+            class <span><strong class="command">IN</strong></span>; therefore, any global
+            server options
+            such as <span><strong class="command">allow-query</strong></span> do not apply
+            the these zones.
+            If you feel the need to disable these zones, use the options
+            below, or hide the built-in <span><strong class="command">CHAOS</strong></span>
+            view by
+            defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
+            that matches all clients.
+          </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">version</strong></span></span></dt>
-<dd><p>The version the server should report
-via a query of the name <code class="literal">version.bind</code>
-with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-The default is the real version number of this server.
-Specifying <span><strong class="command">version none</strong></span>
-disables processing of the queries.</p></dd>
+<dd><p>
+                  The version the server should report
+                  via a query of the name <code class="literal">version.bind</code>
+                  with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
+                  The default is the real version number of this server.
+                  Specifying <span><strong class="command">version none</strong></span>
+                  disables processing of the queries.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt>
-<dd><p>The hostname the server should report via a query of
-the name <code class="filename">hostname.bind</code>
-with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-This defaults to the hostname of the machine hosting the name server as
-found by the gethostname() function.  The primary purpose of such queries is to
-identify which of a group of anycast servers is actually
-answering your queries.  Specifying <span><strong class="command">hostname none;</strong></span>
-disables processing of the queries.</p></dd>
+<dd><p>
+                  The hostname the server should report via a query of
+                  the name <code class="filename">hostname.bind</code>
+                  with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
+                  This defaults to the hostname of the machine hosting the
+                  name server as
+                  found by the gethostname() function.  The primary purpose of such queries
+                  is to
+                  identify which of a group of anycast servers is actually
+                  answering your queries.  Specifying <span><strong class="command">hostname none;</strong></span>
+                  disables processing of the queries.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
-<dd><p>The ID of the server should report via a query of
-the name <code class="filename">ID.SERVER</code>
-with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-The primary purpose of such queries is to
-identify which of a group of anycast servers is actually
-answering your queries.  Specifying <span><strong class="command">server-id none;</strong></span>
-disables processing of the queries.
-Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to
-use the hostname as found by the gethostname() function.
-The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
-</p></dd>
+<dd><p>
+                  The ID of the server should report via a query of
+                  the name <code class="filename">ID.SERVER</code>
+                  with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
+                  The primary purpose of such queries is to
+                  identify which of a group of anycast servers is actually
+                  answering your queries.  Specifying <span><strong class="command">server-id none;</strong></span>
+                  disables processing of the queries.
+                  Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to
+                  use the hostname as found by the gethostname() function.
+                  The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
+                </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="statsfile"></a>The Statistics File</h4></div></div></div>
-<p>The statistics file generated by <acronym class="acronym">BIND</acronym> 9
-is similar, but not identical, to that
-generated by <acronym class="acronym">BIND</acronym> 8.
-</p>
-<p>The statistics dump begins with a line, like:</p>
-<p>
- <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
- </p>
-<p>The numberr in parentheses is a standard
-Unix-style timestamp, measured as seconds since January 1, 1970.  Following
-that line are a series of lines containing a counter type, the value of the
-counter, optionally a zone name, and optionally a view name.
-The lines without view and zone listed are global statistics for the entire server.
-Lines with a zone and view name for the given view and zone (the view name is
-omitted for the default view).
-</p>
+<a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
 <p>
-The statistics dump ends with the line where the
-number is identical to the number in the beginning line; for example:
-</p>
+            Named has some built-in empty zones (SOA and NS records only).
+            These are for zones that should normally be answered locally
+            and which queries should not be sent to the Internet's root
+            servers.  The offical servers which cover these namespaces
+            return NXDOMAIN responses to these queries.  In particular,
+            these cover the reverse namespace for addresses from RFC 1918 and
+            RFC 3330.  They also include the reverse namespace for IPv6 local
+            address (locally assigned), IPv6 link local addresses, the IPv6
+            loopback address and the IPv6 unknown addresss.
+          </p>
+<p>
+            Named will attempt to determine if a built in zone already exists
+            or is active (covered by a forward-only forwarding declaration)
+            and will not not create a empty zone in that case.
+          </p>
+<p>
+            The current list of empty zones is:
+            </p>
+<div class="itemizedlist"><ul type="disc">
+<li>10.IN-ADDR.ARPA</li>
+<li>127.IN-ADDR.ARPA</li>
+<li>254.169.IN-ADDR.ARPA</li>
+<li>16.172.IN-ADDR.ARPA</li>
+<li>17.172.IN-ADDR.ARPA</li>
+<li>18.172.IN-ADDR.ARPA</li>
+<li>19.172.IN-ADDR.ARPA</li>
+<li>20.172.IN-ADDR.ARPA</li>
+<li>21.172.IN-ADDR.ARPA</li>
+<li>22.172.IN-ADDR.ARPA</li>
+<li>23.172.IN-ADDR.ARPA</li>
+<li>24.172.IN-ADDR.ARPA</li>
+<li>25.172.IN-ADDR.ARPA</li>
+<li>26.172.IN-ADDR.ARPA</li>
+<li>27.172.IN-ADDR.ARPA</li>
+<li>28.172.IN-ADDR.ARPA</li>
+<li>29.172.IN-ADDR.ARPA</li>
+<li>30.172.IN-ADDR.ARPA</li>
+<li>31.172.IN-ADDR.ARPA</li>
+<li>168.192.IN-ADDR.ARPA</li>
+<li>2.0.192.IN-ADDR.ARPA</li>
+<li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
+<li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
+<li>D.F.IP6.ARPA</li>
+<li>8.E.F.IP6.ARPA</li>
+<li>9.E.F.IP6.ARPA</li>
+<li>A.E.F.IP6.ARPA</li>
+<li>B.E.F.IP6.ARPA</li>
+</ul></div>
+<p>
+          </p>
 <p>
-<span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
+            Empty zones are settable at the view level and only apply to
+            views of class IN.  Disabled empty zones are only inherited
+            from options if there are no disabled empty zones specified
+            at the view level.  To override the options list of disabled
+            zones, you can disable the root zone at the view level, for example:
 </p>
-<p>The following statistics counters are maintained:</p>
+<pre class="programlisting">
+            disable-empty-zone ".";
+</pre>
+<p>
+          </p>
+<p>
+            If you are using the address ranges covered here, you should
+            already have reverse zones covering the addresses you use.
+            In practice this appears to not be the case with many queries
+            being made to the infrustructure servers for names in these
+            spaces.  So many in fact that sacrificial servers were needed
+            to be deployed to channel the query load away from the
+            infrustructure servers.
+          </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+            The real parent servers for these zones should disable all
+            empty zone under the parent zone they serve.  For the real
+            root servers, this is all built in empty zones.  This will
+            enable them to return referrals to deeper in the tree.
+          </div>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt>
+<dd><p>
+                  Specify what server name will appear in the returned
+                  SOA record for empty zones.  If none is specified, then
+                  the zone's name will be used.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt>
+<dd><p>
+                  Specify what contact name will appear in the returned
+                  SOA record for empty zones.  If none is specified, then
+                  "." will be used.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt>
+<dd><p>
+                  Enable or disable all empty zones.  By default they
+                  are enabled.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt>
+<dd><p>
+                  Disable individual empty zones.  By default none are
+                  disabled.  This option can be specified multiple times.
+                </p></dd>
+</dl></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="statsfile"></a>The Statistics File</h4></div></div></div>
+<p>
+            The statistics file generated by <acronym class="acronym">BIND</acronym> 9
+            is similar, but not identical, to that
+            generated by <acronym class="acronym">BIND</acronym> 8.
+          </p>
+<p>
+            The statistics dump begins with a line, like:
+          </p>
+<p>
+            <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
+          </p>
+<p>
+            The number in parentheses is a standard
+            Unix-style timestamp, measured as seconds since January 1, 1970.
+            Following
+            that line are a series of lines containing a counter type, the
+            value of the
+            counter, optionally a zone name, and optionally a view name.
+            The lines without view and zone listed are global statistics for
+            the entire server.
+            Lines with a zone and view name for the given view and zone (the
+            view name is
+            omitted for the default view).
+          </p>
+<p>
+            The statistics dump ends with the line where the
+            number is identical to the number in the beginning line; for example:
+          </p>
+<p>
+            <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
+          </p>
+<p>
+            The following statistics counters are maintained:
+          </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -2521,148 +4162,378 @@ number is identical to the number in the beginning line; for example:
 </colgroup>
 <tbody>
 <tr>
-<td><p><span><strong class="command">success</strong></span></p></td>
-<td><p>The number of
-successful queries made to the server or zone.  A successful query
-is defined as query which returns a NOERROR response with at least
-one answer RR.</p></td>
+<td>
+                    <p><span><strong class="command">success</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      The number of
+                      successful queries made to the server or zone.  A
+                      successful query
+                      is defined as query which returns a NOERROR response
+                      with at least
+                      one answer RR.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">referral</strong></span></p></td>
-<td><p>The number of queries which resulted
-in referral responses.</p></td>
+<td>
+                    <p><span><strong class="command">referral</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      The number of queries which resulted
+                      in referral responses.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">nxrrset</strong></span></p></td>
-<td><p>The number of queries which resulted in
-NOERROR responses with no data.</p></td>
+<td>
+                    <p><span><strong class="command">nxrrset</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      The number of queries which resulted in
+                      NOERROR responses with no data.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">nxdomain</strong></span></p></td>
-<td><p>The number
-of queries which resulted in NXDOMAIN responses.</p></td>
+<td>
+                    <p><span><strong class="command">nxdomain</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      The number
+                      of queries which resulted in NXDOMAIN responses.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">failure</strong></span></p></td>
-<td><p>The number of queries which resulted in a
-failure response other than those above.</p></td>
+<td>
+                    <p><span><strong class="command">failure</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      The number of queries which resulted in a
+                      failure response other than those above.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">recursion</strong></span></p></td>
-<td><p>The number of queries which caused the server
-to perform recursion in order to find the final answer.</p></td>
+<td>
+                    <p><span><strong class="command">recursion</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      The number of queries which caused the server
+                      to perform recursion in order to find the final answer.
+                    </p>
+                  </td>
 </tr>
 </tbody>
 </table></div>
 <p>
-Each query received by the server will cause exactly one of
-<span><strong class="command">success</strong></span>,
-<span><strong class="command">referral</strong></span>,
-<span><strong class="command">nxrrset</strong></span>,
-<span><strong class="command">nxdomain</strong></span>, or
-<span><strong class="command">failure</strong></span>
-to be incremented, and may additionally cause the
-<span><strong class="command">recursion</strong></span> counter to be incremented.
-</p>
+            Each query received by the server will cause exactly one of
+            <span><strong class="command">success</strong></span>,
+            <span><strong class="command">referral</strong></span>,
+            <span><strong class="command">nxrrset</strong></span>,
+            <span><strong class="command">nxdomain</strong></span>, or
+            <span><strong class="command">failure</strong></span>
+            to be incremented, and may additionally cause the
+            <span><strong class="command">recursion</strong></span> counter to be
+            incremented.
+          </p>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="acache"></a>Additional Section Caching</h4></div></div></div>
+<p>
+            The additional section cache, also called <span><strong class="command">acache</strong></span>,
+            is an internal cache to improve the response performance of BIND 9.
+            When additional section caching is enabled, BIND 9 will
+            cache an internal short-cut to the additional section content for
+            each answer RR.
+            Note that <span><strong class="command">acache</strong></span> is an internal caching
+            mechanism of BIND 9, and is not related to the DNS caching
+            server function.
+          </p>
+<p>
+            Additional section caching does not change the
+            response content (except the RRsets ordering of the additional
+            section, see below), but can improve the response performance
+            significantly.
+            It is particularly effective when BIND 9 acts as an authoritative
+            server for a zone that has many delegations with many glue RRs.
+          </p>
+<p>
+            In order to obtain the maximum performance improvement
+            from additional section caching, setting
+            <span><strong class="command">additional-from-cache</strong></span>
+            to <span><strong class="command">no</strong></span> is recommended, since the current
+            implementation of <span><strong class="command">acache</strong></span>
+            does not short-cut of additional section information from the
+            DNS cache data.
+          </p>
+<p>
+            One obvious disadvantage of <span><strong class="command">acache</strong></span> is
+            that it requires much more
+            memory for the internal cached data.
+            Thus, if the response performance does not matter and memory
+            consumption is much more critical, the
+            <span><strong class="command">acache</strong></span> mechanism can be
+            disabled by setting <span><strong class="command">acache-enable</strong></span> to
+            <span><strong class="command">no</strong></span>.
+            It is also possible to specify the upper limit of memory
+            consumption
+            for acache by using <span><strong class="command">max-acache-size</strong></span>.
+          </p>
+<p>
+            Additional section caching also has a minor effect on the
+            RRset ordering in the additional section.
+            Without <span><strong class="command">acache</strong></span>,
+            <span><strong class="command">cyclic</strong></span> order is effective for the additional
+            section as well as the answer and authority sections.
+            However, additional section caching fixes the ordering when it
+            first caches an RRset for the additional section, and the same
+            ordering will be kept in succeeding responses, regardless of the
+            setting of <span><strong class="command">rrset-order</strong></span>.
+            The effect of this should be minor, however, since an
+            RRset in the additional section
+            typically only contains a small number of RRs (and in many cases
+            it only contains a single RR), in which case the
+            ordering does not matter much.
+          </p>
+<p>
+            The following is a summary of options related to
+            <span><strong class="command">acache</strong></span>.
+          </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt>
+<dd><p>
+                  If <span><strong class="command">yes</strong></span>, additional section caching is
+                  enabled.  The default value is <span><strong class="command">no</strong></span>.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
+<dd><p>
+                  The server will remove stale cache entries, based on an LRU
+                  based
+                  algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes.
+                  The default is 60 minutes.
+                  If set to 0, no periodic cleaning will occur.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt>
+<dd><p>
+                  The maximum amount of memory in bytes to use for the server's acache.
+                  When the amount of data in the acache reaches this limit,
+                  the server
+                  will clean more aggressively so that the limit is not
+                  exceeded.
+                  In a server with multiple views, the limit applies
+                  separately to the
+                  acache of each view.
+                  The default is <code class="literal">unlimited</code>,
+                  meaning that
+                  entries are purged from the acache only at the
+                  periodic cleaning time.
+                </p></dd>
+</dl></div>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">server <em class="replaceable"><code>ip_addr</code></em> {
+<pre class="programlisting">server <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
     [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+    [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
+    [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>]
     [<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
     [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+    [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+    [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+    [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
+    [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">server</strong></span> statement defines characteristics
-to be associated with a remote name server.</p>
-<p>
-The <span><strong class="command">server</strong></span> statement can occur at the top level of the
-configuration file or inside a <span><strong class="command">view</strong></span> statement.  
-If a <span><strong class="command">view</strong></span> statement contains
-one or more <span><strong class="command">server</strong></span> statements, only those
-apply to the view and any top-level ones are ignored.
-If a view contains no <span><strong class="command">server</strong></span> statements,
-any top-level <span><strong class="command">server</strong></span> statements are used as
-defaults.
-</p>
-<p>If you discover that a remote server is giving out bad data,
-marking it as bogus will prevent further queries to it. The default
-value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.</p>
-<p>The <span><strong class="command">provide-ixfr</strong></span> clause determines whether
-the local server, acting as master, will respond with an incremental
-zone transfer when the given remote server, a slave, requests it.
-If set to <span><strong class="command">yes</strong></span>, incremental transfer will be provided
-whenever possible. If set to <span><strong class="command">no</strong></span>, all transfers
-to the remote server will be non-incremental. If not set, the value
-of the <span><strong class="command">provide-ixfr</strong></span> option in the view or
-global options block is used as a default.</p>
-<p>The <span><strong class="command">request-ixfr</strong></span> clause determines whether
-the local server, acting as a slave, will request incremental zone
-transfers from the given remote server, a master. If not set, the
-value of the <span><strong class="command">request-ixfr</strong></span> option in the view or
-global options block is used as a default.</p>
-<p>IXFR requests to servers that do not support IXFR will automatically
-fall back to AXFR.  Therefore, there is no need to manually list
-which servers support IXFR and which ones do not; the global default
-of <span><strong class="command">yes</strong></span> should always work.
-The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
-<span><strong class="command">request-ixfr</strong></span> clauses is
-to make it possible to disable the use of IXFR even when both master
-and slave claim to support it, for example if one of the servers
-is buggy and crashes or corrupts data when IXFR is used.</p>
-<p>The <span><strong class="command">edns</strong></span> clause determines whether the local server
-will attempt to use EDNS when communicating with the remote server.  The
-default is <span><strong class="command">yes</strong></span>.</p>
-<p>The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
-uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
-as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
-more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
-8.x, and patched versions of <acronym class="acronym">BIND</acronym> 4.9.5. You can specify which method
-to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
-If <span><strong class="command">transfer-format</strong></span> is not specified, the <span><strong class="command">transfer-format</strong></span> specified
-by the <span><strong class="command">options</strong></span> statement will be used.</p>
-<p><span><strong class="command">transfers</strong></span> is used to limit the number of
-concurrent inbound zone transfers from the specified server. If
-no <span><strong class="command">transfers</strong></span> clause is specified, the limit is
-set according to the <span><strong class="command">transfers-per-ns</strong></span> option.</p>
-<p>The <span><strong class="command">keys</strong></span> clause identifies a
-<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
-to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
-when talking to the remote server. 
-When a request is sent to the remote server, a request signature
-will be generated using the key specified here and appended to the
-message. A request originating from the remote server is not required
-to be signed by this key.</p>
-<p>Although the grammar of the <span><strong class="command">keys</strong></span> clause
-allows for multiple keys, only a single key per server is currently
-supported.</p>
-<p>The <span><strong class="command">transfer-source</strong></span> and
-<span><strong class="command">transfer-source-v6</strong></span> clauses specify the IPv4 and IPv6 source
-address to be used for zone transfer with the remote server, respectively.
-For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
-be specified.
-Similarly, for an IPv6 remote server, only
-<span><strong class="command">transfer-source-v6</strong></span> can be specified.
-For more details, see the description of
-<span><strong class="command">transfer-source</strong></span> and
-<span><strong class="command">transfer-source-v6</strong></span> in
-<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p>
+<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
+            Usage</h3></div></div></div>
+<p>
+            The <span><strong class="command">server</strong></span> statement defines
+            characteristics
+            to be associated with a remote name server.  If a prefix length is
+            specified, then a range of servers is covered.  Only the most
+            specific
+            server clause applies regardless of the order in
+            <code class="filename">named.conf</code>.
+          </p>
+<p>
+            The <span><strong class="command">server</strong></span> statement can occur at
+            the top level of the
+            configuration file or inside a <span><strong class="command">view</strong></span>
+            statement.
+            If a <span><strong class="command">view</strong></span> statement contains
+            one or more <span><strong class="command">server</strong></span> statements, only
+            those
+            apply to the view and any top-level ones are ignored.
+            If a view contains no <span><strong class="command">server</strong></span>
+            statements,
+            any top-level <span><strong class="command">server</strong></span> statements are
+            used as
+            defaults.
+          </p>
+<p>
+            If you discover that a remote server is giving out bad data,
+            marking it as bogus will prevent further queries to it. The
+            default
+            value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
+          </p>
+<p>
+            The <span><strong class="command">provide-ixfr</strong></span> clause determines
+            whether
+            the local server, acting as master, will respond with an
+            incremental
+            zone transfer when the given remote server, a slave, requests it.
+            If set to <span><strong class="command">yes</strong></span>, incremental transfer
+            will be provided
+            whenever possible. If set to <span><strong class="command">no</strong></span>,
+            all transfers
+            to the remote server will be non-incremental. If not set, the
+            value
+            of the <span><strong class="command">provide-ixfr</strong></span> option in the
+            view or
+            global options block is used as a default.
+          </p>
+<p>
+            The <span><strong class="command">request-ixfr</strong></span> clause determines
+            whether
+            the local server, acting as a slave, will request incremental zone
+            transfers from the given remote server, a master. If not set, the
+            value of the <span><strong class="command">request-ixfr</strong></span> option in
+            the view or
+            global options block is used as a default.
+          </p>
+<p>
+            IXFR requests to servers that do not support IXFR will
+            automatically
+            fall back to AXFR.  Therefore, there is no need to manually list
+            which servers support IXFR and which ones do not; the global
+            default
+            of <span><strong class="command">yes</strong></span> should always work.
+            The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
+            <span><strong class="command">request-ixfr</strong></span> clauses is
+            to make it possible to disable the use of IXFR even when both
+            master
+            and slave claim to support it, for example if one of the servers
+            is buggy and crashes or corrupts data when IXFR is used.
+          </p>
+<p>
+            The <span><strong class="command">edns</strong></span> clause determines whether
+            the local server will attempt to use EDNS when communicating
+            with the remote server.  The default is <span><strong class="command">yes</strong></span>.
+          </p>
+<p>
+            The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size
+            that is advertised by named when querying the remote server.
+            Valid values are 512 to 4096 bytes (values outside this range will be
+            silently adjusted).  This option is useful when you wish to
+            advertises a different value to this server than the value you
+            advertise globally, for example, when there is a firewall at the
+            remote site that is blocking large replies.
+          </p>
+<p>
+            The <span><strong class="command">max-udp-size</strong></span> option sets the
+            maximum EDNS UDP message size named will send.  Valid
+            values are 512 to 4096 bytes (values outside this range will
+            be silently adjusted).  This option is useful when you
+            know that there is a firewall that is blocking large
+            replies from named.
+          </p>
+<p>
+            The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
+            uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
+            as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
+            more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
+            8.x, and patched versions of <acronym class="acronym">BIND</acronym>
+            4.9.5. You can specify which method
+            to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
+            If <span><strong class="command">transfer-format</strong></span> is not
+            specified, the <span><strong class="command">transfer-format</strong></span>
+            specified
+            by the <span><strong class="command">options</strong></span> statement will be
+            used.
+          </p>
+<p><span><strong class="command">transfers</strong></span>
+            is used to limit the number of concurrent inbound zone
+            transfers from the specified server. If no
+            <span><strong class="command">transfers</strong></span> clause is specified, the
+            limit is set according to the
+            <span><strong class="command">transfers-per-ns</strong></span> option.
+          </p>
+<p>
+            The <span><strong class="command">keys</strong></span> clause identifies a
+            <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
+            to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
+            when talking to the remote server.
+            When a request is sent to the remote server, a request signature
+            will be generated using the key specified here and appended to the
+            message. A request originating from the remote server is not
+            required
+            to be signed by this key.
+          </p>
+<p>
+            Although the grammar of the <span><strong class="command">keys</strong></span>
+            clause
+            allows for multiple keys, only a single key per server is
+            currently
+            supported.
+          </p>
+<p>
+            The <span><strong class="command">transfer-source</strong></span> and
+            <span><strong class="command">transfer-source-v6</strong></span> clauses specify
+            the IPv4 and IPv6 source
+            address to be used for zone transfer with the remote server,
+            respectively.
+            For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
+            be specified.
+            Similarly, for an IPv6 remote server, only
+            <span><strong class="command">transfer-source-v6</strong></span> can be
+            specified.
+            For more details, see the description of
+            <span><strong class="command">transfer-source</strong></span> and
+            <span><strong class="command">transfer-source-v6</strong></span> in
+            <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+          </p>
+<p>
+            The <span><strong class="command">notify-source</strong></span> and
+            <span><strong class="command">notify-source-v6</strong></span> clauses specify the
+            IPv4 and IPv6 source address to be used for notify
+            messages sent to remote servers, respectively.  For an
+            IPv4 remote server, only <span><strong class="command">notify-source</strong></span>
+            can be specified.  Similarly, for an IPv6 remote server,
+            only <span><strong class="command">notify-source-v6</strong></span> can be specified.
+          </p>
+<p>
+            The <span><strong class="command">query-source</strong></span> and
+            <span><strong class="command">query-source-v6</strong></span> clauses specify the
+            IPv4 and IPv6 source address to be used for queries
+            sent to remote servers, respectively.  For an IPv4
+            remote server, only <span><strong class="command">query-source</strong></span> can
+            be specified.  Similarly, for an IPv6 remote server,
+            only <span><strong class="command">query-source-v6</strong></span> can be specified.
+          </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2586290"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2585018"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting">trusted-keys {
     <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
     [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
@@ -2671,41 +4542,41 @@ For more details, see the description of
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2586338"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
-	    and Usage</h3></div></div></div>
-<p>
-	    The <span><strong class="command">trusted-keys</strong></span> statement defines
-	    DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
-	    public key for a non-authoritative zone is known, but
-	    cannot be securely obtained through DNS, either because
-	    it is the DNS root zone or because its parent zone is
-	    unsigned.  Once a key has been configured as a trusted
-	    key, it is treated as if it had been validated and
-	    proven secure. The resolver attempts DNSSEC validation
-	    on all DNS data in subdomains of a security root.
-  	  </p>
-<p>
-	    All keys (and corresponding zones) listed in
-	    <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless
-	    of what parent zones say.  Similarly for all keys listed in
-	    <span><strong class="command">trusted-keys</strong></span> only those keys are
-	    used to validate the DNSKEY RRset.  The parent's DS RRset
-	    will not be used.
-  	  </p>
-<p>
-	    The <span><strong class="command">trusted-keys</strong></span> statement can contain
-	    multiple key entries, each consisting of the key's
-	    domain name, flags, protocol, algorithm, and the Base-64
-	    representation of the key data.
-	  </p>
+<a name="id2585136"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
+            and Usage</h3></div></div></div>
+<p>
+            The <span><strong class="command">trusted-keys</strong></span> statement defines
+            DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
+            public key for a non-authoritative zone is known, but
+            cannot be securely obtained through DNS, either because
+            it is the DNS root zone or because its parent zone is
+            unsigned.  Once a key has been configured as a trusted
+            key, it is treated as if it had been validated and
+            proven secure. The resolver attempts DNSSEC validation
+            on all DNS data in subdomains of a security root.
+          </p>
+<p>
+            All keys (and corresponding zones) listed in
+            <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless
+            of what parent zones say.  Similarly for all keys listed in
+            <span><strong class="command">trusted-keys</strong></span> only those keys are
+            used to validate the DNSKEY RRset.  The parent's DS RRset
+            will not be used.
+          </p>
+<p>
+            The <span><strong class="command">trusted-keys</strong></span> statement can contain
+            multiple key entries, each consisting of the key's
+            domain name, flags, protocol, algorithm, and the Base-64
+            representation of the key data.
+          </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">view <em class="replaceable"><code>view_name</code></em> 
+<pre class="programlisting">view <em class="replaceable"><code>view_name</code></em>
       [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-      match-clients { <em class="replaceable"><code>address_match_list</code></em> } ;
-      match-destinations { <em class="replaceable"><code>address_match_list</code></em> } ;
+      match-clients { <em class="replaceable"><code>address_match_list</code></em> };
+      match-destinations { <em class="replaceable"><code>address_match_list</code></em> };
       match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ;
       [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>]
       [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>]
@@ -2714,53 +4585,91 @@ For more details, see the description of
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2586420"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">view</strong></span> statement is a powerful new feature
-of <acronym class="acronym">BIND</acronym> 9 that lets a name server answer a DNS query differently
-depending on who is asking. It is particularly useful for implementing
-split DNS setups without having to run multiple servers.</p>
-<p>Each <span><strong class="command">view</strong></span> statement defines a view of the
-DNS namespace that will be seen by a subset of clients.  A client matches
-a view if its source IP address matches the 
-<code class="varname">address_match_list</code> of the view's
-<span><strong class="command">match-clients</strong></span> clause and its destination IP address matches
-the <code class="varname">address_match_list</code> of the view's
-<span><strong class="command">match-destinations</strong></span> clause.  If not specified, both
-<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
-default to matching all addresses.  In addition to checking IP addresses
-<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
-can also take <span><strong class="command">keys</strong></span> which provide an mechanism for the
-client to select the view.  A view can also be specified
-as <span><strong class="command">match-recursive-only</strong></span>, which means that only recursive
-requests from matching clients will match that view.
-The order of the <span><strong class="command">view</strong></span> statements is significant &#8212;
-a client request will be resolved in the context of the first
-<span><strong class="command">view</strong></span> that it matches.</p>
-<p>Zones defined within a <span><strong class="command">view</strong></span> statement will
-be only be accessible to clients that match the <span><strong class="command">view</strong></span>.
- By defining a zone of the same name in multiple views, different
-zone data can be given to different clients, for example, "internal"
-and "external" clients in a split DNS setup.</p>
-<p>Many of the options given in the <span><strong class="command">options</strong></span> statement
-can also be used within a <span><strong class="command">view</strong></span> statement, and then
-apply only when resolving queries with that view.  When no view-specific
-value is given, the value in the <span><strong class="command">options</strong></span> statement
-is used as a default.  Also, zone options can have default values specified
-in the <span><strong class="command">view</strong></span> statement; these view-specific defaults
-take precedence over those in the <span><strong class="command">options</strong></span> statement.</p>
-<p>Views are class specific.  If no class is given, class IN
-is assumed.  Note that all non-IN views must contain a hint zone,
-since only the IN class has compiled-in default hints.</p>
-<p>If there are no <span><strong class="command">view</strong></span> statements in the config
-file, a default view that matches any client is automatically created
-in class IN. Any <span><strong class="command">zone</strong></span> statements specified on
-the top level of the configuration file are considered to be part of
-this default view, and the <span><strong class="command">options</strong></span> statement will
-apply to the default view. If any explicit <span><strong class="command">view</strong></span>
-statements are present, all <span><strong class="command">zone</strong></span> statements must
-occur inside <span><strong class="command">view</strong></span> statements.</p>
-<p>Here is an example of a typical split DNS setup implemented
-using <span><strong class="command">view</strong></span> statements:</p>
+<a name="id2585216"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
+<p>
+            The <span><strong class="command">view</strong></span> statement is a powerful
+            feature
+            of <acronym class="acronym">BIND</acronym> 9 that lets a name server
+            answer a DNS query differently
+            depending on who is asking. It is particularly useful for
+            implementing
+            split DNS setups without having to run multiple servers.
+          </p>
+<p>
+            Each <span><strong class="command">view</strong></span> statement defines a view
+            of the
+            DNS namespace that will be seen by a subset of clients.  A client
+            matches
+            a view if its source IP address matches the
+            <code class="varname">address_match_list</code> of the view's
+            <span><strong class="command">match-clients</strong></span> clause and its
+            destination IP address matches
+            the <code class="varname">address_match_list</code> of the
+            view's
+            <span><strong class="command">match-destinations</strong></span> clause.  If not
+            specified, both
+            <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
+            default to matching all addresses.  In addition to checking IP
+            addresses
+            <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
+            can also take <span><strong class="command">keys</strong></span> which provide an
+            mechanism for the
+            client to select the view.  A view can also be specified
+            as <span><strong class="command">match-recursive-only</strong></span>, which
+            means that only recursive
+            requests from matching clients will match that view.
+            The order of the <span><strong class="command">view</strong></span> statements is
+            significant &#8212;
+            a client request will be resolved in the context of the first
+            <span><strong class="command">view</strong></span> that it matches.
+          </p>
+<p>
+            Zones defined within a <span><strong class="command">view</strong></span>
+            statement will
+            be only be accessible to clients that match the <span><strong class="command">view</strong></span>.
+            By defining a zone of the same name in multiple views, different
+            zone data can be given to different clients, for example,
+            "internal"
+            and "external" clients in a split DNS setup.
+          </p>
+<p>
+            Many of the options given in the <span><strong class="command">options</strong></span> statement
+            can also be used within a <span><strong class="command">view</strong></span>
+            statement, and then
+            apply only when resolving queries with that view.  When no
+            view-specific
+            value is given, the value in the <span><strong class="command">options</strong></span> statement
+            is used as a default.  Also, zone options can have default values
+            specified
+            in the <span><strong class="command">view</strong></span> statement; these
+            view-specific defaults
+            take precedence over those in the <span><strong class="command">options</strong></span> statement.
+          </p>
+<p>
+            Views are class specific.  If no class is given, class IN
+            is assumed.  Note that all non-IN views must contain a hint zone,
+            since only the IN class has compiled-in default hints.
+          </p>
+<p>
+            If there are no <span><strong class="command">view</strong></span> statements in
+            the config
+            file, a default view that matches any client is automatically
+            created
+            in class IN. Any <span><strong class="command">zone</strong></span> statements
+            specified on
+            the top level of the configuration file are considered to be part
+            of
+            this default view, and the <span><strong class="command">options</strong></span>
+            statement will
+            apply to the default view. If any explicit <span><strong class="command">view</strong></span>
+            statements are present, all <span><strong class="command">zone</strong></span>
+            statements must
+            occur inside <span><strong class="command">view</strong></span> statements.
+          </p>
+<p>
+            Here is an example of a typical split DNS setup implemented
+            using <span><strong class="command">view</strong></span> statements:
+          </p>
 <pre class="programlisting">view "internal" {
       // This should match our internal networks.
       match-clients { 10.0.0.0/8; };
@@ -2795,17 +4704,22 @@ view "external" {
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span>
-Statement Grammar</h3></div></div></div>
-<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 
+            Statement Grammar</h3></div></div></div>
+<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type master;
-    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
-    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
-    [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
-    [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] } ; </span>]
+    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
     [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
+    [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
+    [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+    [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
     [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
+    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
+    [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
     [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
@@ -2814,7 +4728,7 @@ Statement Grammar</h3></div></div></div>
     [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> ; </span>]
+    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
     [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
@@ -2826,30 +4740,34 @@ Statement Grammar</h3></div></div></div>
     [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
+    [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 };
 
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type slave;
-    [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
-    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
-    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
-    [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
+    [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
     [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
     [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
+    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
+    [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
     [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] } ; </span>]
+    [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
     [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> ; </span>]
+    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
     [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
@@ -2865,25 +4783,27 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
     [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+    [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 };
 
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type hint;
-    [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
+    file <em class="replaceable"><code>string</code></em> ;
     [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; // Not Implemented. </span>]
 };
 
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type stub;
-    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
+    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
     [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
     [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
+    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
     [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
     [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] } ; </span>]
+    [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
     [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
@@ -2893,7 +4813,6 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
     [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
@@ -2902,24 +4821,25 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
     [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 };
 
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type forward;
     [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
     [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 };
 
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type delegation-only;
 };
+
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2587635"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2586586"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2587641"></a>Zone Types</h4></div></div></div>
+<a name="id2586594"></a>Zone Types</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -2927,324 +4847,587 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </colgroup>
 <tbody>
 <tr>
-<td><p><code class="varname">master</code></p></td>
-<td><p>The server has a master copy of the data
-for the zone and will be able to provide authoritative answers for
-it.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">slave</code></p></td>
-<td><p>A slave zone is a replica of a master
-zone. The <span><strong class="command">masters</strong></span> list specifies one or more IP addresses
-of master servers that the slave contacts to update its copy of the zone.
-Masters list elements can also be names of other masters lists.
-By default, transfers are made from port 53 on the servers; this can
-be changed for all servers by specifying a port number before the
-list of IP addresses, or on a per-server basis after the IP address.
-Authentication to the master can also be done with per-server TSIG keys.
-If a file is specified, then the
-replica will be written to this file whenever the zone is changed,
-and reloaded from this file on a server restart. Use of a file is
-recommended, since it often speeds server startup and eliminates
-a needless waste of bandwidth. Note that for large numbers (in the
-tens or hundreds of thousands) of zones per server, it is best to
-use a two-level naming scheme for zone file names. For example,
-a slave server for the zone <code class="literal">example.com</code> might place
-the zone contents into a file called
-<code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
-just the first two letters of the zone name. (Most operating systems
-behave very slowly if you put 100 000 files into
-a single directory.)</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">stub</code></p></td>
-<td>
-<p>A stub zone is similar to a slave zone,
-except that it replicates only the NS records of a master zone instead
-of the entire zone. Stub zones are not a standard part of the DNS;
-they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
-</p>
+<td>
+                      <p>
+                        <code class="varname">master</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The server has a master copy of the data
+                        for the zone and will be able to provide authoritative
+                        answers for
+                        it.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">slave</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A slave zone is a replica of a master
+                        zone. The <span><strong class="command">masters</strong></span> list
+                        specifies one or more IP addresses
+                        of master servers that the slave contacts to update
+                        its copy of the zone.
+                        Masters list elements can also be names of other
+                        masters lists.
+                        By default, transfers are made from port 53 on the
+                        servers; this can
+                        be changed for all servers by specifying a port number
+                        before the
+                        list of IP addresses, or on a per-server basis after
+                        the IP address.
+                        Authentication to the master can also be done with
+                        per-server TSIG keys.
+                        If a file is specified, then the
+                        replica will be written to this file whenever the zone
+                        is changed,
+                        and reloaded from this file on a server restart. Use
+                        of a file is
+                        recommended, since it often speeds server startup and
+                        eliminates
+                        a needless waste of bandwidth. Note that for large
+                        numbers (in the
+                        tens or hundreds of thousands) of zones per server, it
+                        is best to
+                        use a two-level naming scheme for zone file names. For
+                        example,
+                        a slave server for the zone <code class="literal">example.com</code> might place
+                        the zone contents into a file called
+                        <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
+                        just the first two letters of the zone name. (Most
+                        operating systems
+                        behave very slowly if you put 100 000 files into
+                        a single directory.)
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">stub</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A stub zone is similar to a slave zone,
+                        except that it replicates only the NS records of a
+                        master zone instead
+                        of the entire zone. Stub zones are not a standard part
+                        of the DNS;
+                        they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
+                      </p>
 
-<p>Stub zones can be used to eliminate the need for glue NS record
-in a parent zone at the expense of maintaining a stub zone entry and
-a set of name server addresses in <code class="filename">named.conf</code>.
-This usage is not recommended for new configurations, and BIND 9
-supports it only in a limited way.
-In <acronym class="acronym">BIND</acronym> 4/8, zone transfers of a parent zone
-included the NS records from stub children of that zone. This meant
-that, in some cases, users could get away with configuring child stubs
-only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
-9 never mixes together zone data from different zones in this
-way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
-zone has child stub zones configured, all the slave servers for the
-parent zone also need to have the same child stub zones
-configured.</p>
+                      <p>
+                        Stub zones can be used to eliminate the need for glue
+                        NS record
+                        in a parent zone at the expense of maintaining a stub
+                        zone entry and
+                        a set of name server addresses in <code class="filename">named.conf</code>.
+                        This usage is not recommended for new configurations,
+                        and BIND 9
+                        supports it only in a limited way.
+                        In <acronym class="acronym">BIND</acronym> 4/8, zone
+                        transfers of a parent zone
+                        included the NS records from stub children of that
+                        zone. This meant
+                        that, in some cases, users could get away with
+                        configuring child stubs
+                        only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
+                        9 never mixes together zone data from different zones
+                        in this
+                        way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
+                        zone has child stub zones configured, all the slave
+                        servers for the
+                        parent zone also need to have the same child stub
+                        zones
+                        configured.
+                      </p>
 
-<p>Stub zones can also be used as a way of forcing the resolution
-of a given domain to use a particular set of authoritative servers.
-For example, the caching name servers on a private network using
-RFC1918 addressing may be configured with stub zones for
-<code class="literal">10.in-addr.arpa</code>
-to use a set of internal name servers as the authoritative
-servers for that domain.</p>
-</td>
+                      <p>
+                        Stub zones can also be used as a way of forcing the
+                        resolution
+                        of a given domain to use a particular set of
+                        authoritative servers.
+                        For example, the caching name servers on a private
+                        network using
+                        RFC1918 addressing may be configured with stub zones
+                        for
+                        <code class="literal">10.in-addr.arpa</code>
+                        to use a set of internal name servers as the
+                        authoritative
+                        servers for that domain.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p><code class="varname">forward</code></p></td>
-<td>
-<p>A "forward zone" is a way to configure
-forwarding on a per-domain basis.  A <span><strong class="command">zone</strong></span> statement
-of type <span><strong class="command">forward</strong></span> can contain a <span><strong class="command">forward</strong></span> and/or <span><strong class="command">forwarders</strong></span> statement,
-which will apply to queries within the domain given by the zone
-name. If no <span><strong class="command">forwarders</strong></span> statement is present or
-an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
-forwarding will be done for the domain, canceling the effects of
-any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
-if you want to use this type of zone to change the behavior of the
-global <span><strong class="command">forward</strong></span> option (that is, "forward first"
-to, then "forward only", or vice versa, but want to use the same
-servers as set globally) you need to re-specify the global forwarders.</p>
-</td>
+<td>
+                      <p>
+                        <code class="varname">forward</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A "forward zone" is a way to configure
+                        forwarding on a per-domain basis.  A <span><strong class="command">zone</strong></span> statement
+                        of type <span><strong class="command">forward</strong></span> can
+                        contain a <span><strong class="command">forward</strong></span>
+                        and/or <span><strong class="command">forwarders</strong></span>
+                        statement,
+                        which will apply to queries within the domain given by
+                        the zone
+                        name. If no <span><strong class="command">forwarders</strong></span>
+                        statement is present or
+                        an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
+                        forwarding will be done for the domain, canceling the
+                        effects of
+                        any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
+                        if you want to use this type of zone to change the
+                        behavior of the
+                        global <span><strong class="command">forward</strong></span> option
+                        (that is, "forward first"
+                        to, then "forward only", or vice versa, but want to
+                        use the same
+                        servers as set globally) you need to re-specify the
+                        global forwarders.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p><code class="varname">hint</code></p></td>
-<td><p>The initial set of root name servers is
-specified using a "hint zone". When the server starts up, it uses
-the root hints to find a root name server and get the most recent
-list of root name servers. If no hint zone is specified for class
-IN, the server uses a compiled-in default set of root servers hints.
-Classes other than IN have no built-in defaults hints.</p></td>
+<td>
+                      <p>
+                        <code class="varname">hint</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The initial set of root name servers is
+                        specified using a "hint zone". When the server starts
+                        up, it uses
+                        the root hints to find a root name server and get the
+                        most recent
+                        list of root name servers. If no hint zone is
+                        specified for class
+                        IN, the server uses a compiled-in default set of root
+                        servers hints.
+                        Classes other than IN have no built-in defaults hints.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p><code class="varname">delegation-only</code></p></td>
 <td>
-<p>This is used to enforce the delegation-only
-status of infrastructure zones (e.g. COM, NET, ORG).  Any answer that
-is received without an explicit or implicit delegation in the authority
-section will be treated as NXDOMAIN.  This does not apply to the zone
-apex.  This should not be applied to leaf zones.</p>
-<p><code class="varname">delegation-only</code> has no effect on answers received
-from forwarders.</p>
-</td>
+                      <p>
+                        <code class="varname">delegation-only</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This is used to enforce the delegation-only
+                        status of infrastructure zones (e.g. COM, NET, ORG).
+                        Any answer that
+                        is received without an explicit or implicit delegation
+                        in the authority
+                        section will be treated as NXDOMAIN.  This does not
+                        apply to the zone
+                        apex.  This should not be applied to leaf zones.
+                      </p>
+                      <p>
+                        <code class="varname">delegation-only</code> has no
+                        effect on answers received
+                        from forwarders.
+                      </p>
+                    </td>
 </tr>
 </tbody>
 </table></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2588084"></a>Class</h4></div></div></div>
-<p>The zone's name may optionally be followed by a class. If
-a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
-is assumed. This is correct for the vast majority of cases.</p>
-<p>The <code class="literal">hesiod</code> class is
-named for an information service from MIT's Project Athena. It is
-used to share information about various systems databases, such
-as users, groups, printers and so on. The keyword 
-<code class="literal">HS</code> is
-a synonym for hesiod.</p>
-<p>Another MIT development is CHAOSnet, a LAN protocol created
-in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.</p>
+<a name="id2587013"></a>Class</h4></div></div></div>
+<p>
+              The zone's name may optionally be followed by a class. If
+              a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
+              is assumed. This is correct for the vast majority of cases.
+            </p>
+<p>
+              The <code class="literal">hesiod</code> class is
+              named for an information service from MIT's Project Athena. It
+              is
+              used to share information about various systems databases, such
+              as users, groups, printers and so on. The keyword
+              <code class="literal">HS</code> is
+              a synonym for hesiod.
+            </p>
+<p>
+              Another MIT development is CHAOSnet, a LAN protocol created
+              in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
+            </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2588115"></a>Zone Options</h4></div></div></div>
+<a name="id2587046"></a>Zone Options</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
-<dd><p>See the description of <span><strong class="command">allow-transfer</strong></span>
-in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
+<dd><p>
+                    See the description of <span><strong class="command">allow-transfer</strong></span>
+                    in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-submit Dynamic DNS updates for master zones. The default is to deny
-updates from all hosts.  Note that allowing updates based
-on the requestor's IP address is insecure; see
-<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
-</p></dd>
+<dd><p>
+                    See the description of <span><strong class="command">allow-update</strong></span>
+                    in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt>
-<dd><p>Specifies a "Simple Secure Update" policy. See
-<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.</p></dd>
+<dd><p>
+                    Specifies a "Simple Secure Update" policy. See
+                    <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
-<dd><p>See the description of <span><strong class="command">allow-update-forwarding</strong></span>
-in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
+<dd><p>
+                    See the description of <span><strong class="command">allow-update-forwarding</strong></span>
+                    in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
-<dd><p>Only meaningful if <span><strong class="command">notify</strong></span> is
-active for this zone. The set of machines that will receive a 
-<code class="literal">DNS NOTIFY</code> message
-for this zone is made up of all the listed name servers (other than
-the primary master) for the zone plus any IP addresses specified
-with <span><strong class="command">also-notify</strong></span>. A port may be specified
-with each <span><strong class="command">also-notify</strong></span> address to send the notify
-messages to a port other than the default of 53.
-<span><strong class="command">also-notify</strong></span> is not meaningful for stub zones.
-The default is the empty list.</p></dd>
+<dd><p>
+                    Only meaningful if <span><strong class="command">notify</strong></span>
+                    is
+                    active for this zone. The set of machines that will
+                    receive a
+                    <code class="literal">DNS NOTIFY</code> message
+                    for this zone is made up of all the listed name servers
+                    (other than
+                    the primary master) for the zone plus any IP addresses
+                    specified
+                    with <span><strong class="command">also-notify</strong></span>. A port
+                    may be specified
+                    with each <span><strong class="command">also-notify</strong></span>
+                    address to send the notify
+                    messages to a port other than the default of 53.
+                    <span><strong class="command">also-notify</strong></span> is not
+                    meaningful for stub zones.
+                    The default is the empty list.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
 <dd><p>
-This option is used to restrict the character set and syntax of
-certain domain names in master files and/or DNS responses received from the
-network.  The default varies according to zone type.  For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.  For <span><strong class="command">slave</strong></span>
-zones the default is <span><strong class="command">warn</strong></span>.
-</p></dd>
+                    This option is used to restrict the character set and
+                    syntax of
+                    certain domain names in master files and/or DNS responses
+                    received from the
+                    network.  The default varies according to zone type.  For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.  For <span><strong class="command">slave</strong></span>
+                    zones the default is <span><strong class="command">warn</strong></span>.
+                  </p></dd>
+<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p></dd>
+<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p></dd>
+<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p></dd>
+<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p></dd>
+<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p></dd>
+<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
 <dd>
-<p>Specify the type of database to be used for storing the
-zone data.  The string following the <span><strong class="command">database</strong></span> keyword
-is interpreted as a list of whitespace-delimited words.  The first word
-identifies the database type, and any subsequent words are passed
-as arguments to the database to be interpreted in a way specific
-to the database type.</p>
-<p>The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's native in-memory
-red-black-tree database.  This database does not take arguments.</p>
-<p>Other values are possible if additional database drivers
-have been linked into the server.  Some sample drivers are included
-with the distribution but none are linked in by default.</p>
+<p>
+                    Specify the type of database to be used for storing the
+                    zone data.  The string following the <span><strong class="command">database</strong></span> keyword
+                    is interpreted as a list of whitespace-delimited words.
+                    The first word
+                    identifies the database type, and any subsequent words are
+                    passed
+                    as arguments to the database to be interpreted in a way
+                    specific
+                    to the database type.
+                  </p>
+<p>
+                    The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
+                    native in-memory
+                    red-black-tree database.  This database does not take
+                    arguments.
+                  </p>
+<p>
+                    Other values are possible if additional database drivers
+                    have been linked into the server.  Some sample drivers are
+                    included
+                    with the distribution but none are linked in by default.
+                  </p>
 </dd>
 <dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt>
-<dd><p>The flag only applies to hint and stub zones.  If set
-to <strong class="userinput"><code>yes</code></strong>, then the zone will also be treated as if it
-is also a delegation-only type zone.
-</p></dd>
+<dd><p>
+                    The flag only applies to hint and stub zones.  If set
+                    to <strong class="userinput"><code>yes</code></strong>, then the zone will also be
+                    treated as if it
+                    is also a delegation-only type zone.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
-<dd><p>Only meaningful if the zone has a forwarders
-list. The <span><strong class="command">only</strong></span> value causes the lookup to fail
-after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
-allow a normal lookup to be tried.</p></dd>
+<dd><p>
+                    Only meaningful if the zone has a forwarders
+                    list. The <span><strong class="command">only</strong></span> value causes
+                    the lookup to fail
+                    after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
+                    allow a normal lookup to be tried.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
-<dd><p>Used to override the list of global forwarders.
-If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
-no forwarding is done for the zone and the global options are not used.</p></dd>
+<dd><p>
+                    Used to override the list of global forwarders.
+                    If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
+                    no forwarding is done for the zone and the global options are
+                    not used.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt>
-<dd><p>Was used in <acronym class="acronym">BIND</acronym> 8 to specify the name
-of the transaction log (journal) file for dynamic update and IXFR.
-<acronym class="acronym">BIND</acronym> 9 ignores the option and constructs the name of the journal
-file by appending "<code class="filename">.jnl</code>" to the name of the
-zone file.</p></dd>
+<dd><p>
+                    Was used in <acronym class="acronym">BIND</acronym> 8 to
+                    specify the name
+                    of the transaction log (journal) file for dynamic update
+                    and IXFR.
+                    <acronym class="acronym">BIND</acronym> 9 ignores the option
+                    and constructs the name of the journal
+                    file by appending "<code class="filename">.jnl</code>"
+                    to the name of the
+                    zone file.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt>
-<dd><p>Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
-Ignored in <acronym class="acronym">BIND</acronym> 9.</p></dd>
+<dd><p>
+                    Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
+                    Ignored in <acronym class="acronym">BIND</acronym> 9.
+                  </p></dd>
+<dt><span class="term"><span><strong class="command">journal</strong></span></span></dt>
+<dd><p>
+                    Allow the default journal's file name to be overridden.
+                    The default is the zone's file with "<code class="filename">.jnl</code>" appended.
+                    This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
-<dd><p>In <acronym class="acronym">BIND</acronym> 8, this option was intended for specifying
-a public zone key for verification of signatures in DNSSEC signed
-zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
-on load and ignores the option.</p></dd>
+<dd><p>
+                    In <acronym class="acronym">BIND</acronym> 8, this option was
+                    intended for specifying
+                    a public zone key for verification of signatures in DNSSEC
+                    signed
+                    zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
+                    on load and ignores the option.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, the server will keep statistical
-information for this zone, which can be dumped to the
-<span><strong class="command">statistics-file</strong></span> defined in the server options.</p></dd>
+<dd><p>
+                    If <strong class="userinput"><code>yes</code></strong>, the server will keep
+                    statistical
+                    information for this zone, which can be dumped to the
+                    <span><strong class="command">statistics-file</strong></span> defined in
+                    the server options.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>
-</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+                  </p></dd>
 <dt>
 <span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
 </dt>
 <dd><p>
-See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-</p></dd>
+                    See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and Usage&#8221;</a>.</p></dd>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
+          Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
+          Usage&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">multi-master</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
+<dd><p>
+                    See the description of <span><strong class="command">multi-master</strong></span> in
+                    <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p></dd>
+<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
+<dd><p>
+                    See the description of <span><strong class="command">masterfile-format</strong></span>
+                    in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+                  </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
-<p><acronym class="acronym">BIND</acronym> 9 supports two alternative methods of granting clients
-the right to perform dynamic updates to a zone, 
-configured by the <span><strong class="command">allow-update</strong></span> and
-<span><strong class="command">update-policy</strong></span> option, respectively.</p>
-<p>The <span><strong class="command">allow-update</strong></span> clause works the same
-way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the
-permission to update any record of any name in the zone.</p>
-<p>The <span><strong class="command">update-policy</strong></span> clause is new in <acronym class="acronym">BIND</acronym>
-9 and allows more fine-grained control over what updates are allowed.
-A set of rules is specified, where each rule either grants or denies
-permissions for one or more names to be updated by one or more identities.
- If the dynamic update request message is signed (that is, it includes
-either a TSIG or SIG(0) record), the identity of the signer can
-be determined.</p>
-<p>Rules are specified in the <span><strong class="command">update-policy</strong></span> zone
-option, and are only meaningful for master zones.  When the <span><strong class="command">update-policy</strong></span> statement
-is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
-to be present.  The <span><strong class="command">update-policy</strong></span> statement only
-examines the signer of a message; the source address is not relevant.</p>
-<p>This is how a rule definition looks:</p>
+<p>
+              <acronym class="acronym">BIND</acronym> 9 supports two alternative
+              methods of granting clients
+              the right to perform dynamic updates to a zone,
+              configured by the <span><strong class="command">allow-update</strong></span>
+              and
+              <span><strong class="command">update-policy</strong></span> option,
+              respectively.
+            </p>
+<p>
+              The <span><strong class="command">allow-update</strong></span> clause works the
+              same
+              way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the
+              permission to update any record of any name in the zone.
+            </p>
+<p>
+              The <span><strong class="command">update-policy</strong></span> clause is new
+              in <acronym class="acronym">BIND</acronym>
+              9 and allows more fine-grained control over what updates are
+              allowed.
+              A set of rules is specified, where each rule either grants or
+              denies
+              permissions for one or more names to be updated by one or more
+              identities.
+              If the dynamic update request message is signed (that is, it
+              includes
+              either a TSIG or SIG(0) record), the identity of the signer can
+              be determined.
+            </p>
+<p>
+              Rules are specified in the <span><strong class="command">update-policy</strong></span> zone
+              option, and are only meaningful for master zones.  When the <span><strong class="command">update-policy</strong></span> statement
+              is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
+              to be present.  The <span><strong class="command">update-policy</strong></span>
+              statement only
+              examines the signer of a message; the source address is not
+              relevant.
+            </p>
+<p>
+              This is how a rule definition looks:
+            </p>
 <pre class="programlisting">
 ( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
 </pre>
-<p>Each rule grants or denies privileges.  Once a message has
-successfully matched a rule, the operation is immediately granted
-or denied and no further rules are examined.  A rule is matched
-when the signer matches the identity field, the name matches the
-name field in accordance with the nametype field, and the type matches
-the types specified in the type field.</p>
-<p>The identity field specifies a name or a wildcard name.  Normally, this
-is the name of the TSIG or SIG(0) key used to sign the update request.  When a
-TKEY exchange has been used to create a shared secret, the identity of the
-shared secret is the same as the identity of the key used to authenticate the
-TKEY exchange.  When the <em class="replaceable"><code>identity</code></em> field specifies a
-wildcard name, it is subject to DNS wildcard expansion, so the rule will apply
-to multiple identities.  The <em class="replaceable"><code>identity</code></em> field must
-contain a fully qualified domain name.</p>
-<p>The <em class="replaceable"><code>nametype</code></em> field has 4 values:
-<code class="varname">name</code>, <code class="varname">subdomain</code>,
-<code class="varname">wildcard</code>, and <code class="varname">self</code>.
-</p>
+<p>
+              Each rule grants or denies privileges.  Once a message has
+              successfully matched a rule, the operation is immediately
+              granted
+              or denied and no further rules are examined.  A rule is matched
+              when the signer matches the identity field, the name matches the
+              name field in accordance with the nametype field, and the type
+              matches
+              the types specified in the type field.
+            </p>
+<p>
+              The identity field specifies a name or a wildcard name.
+              Normally, this
+              is the name of the TSIG or SIG(0) key used to sign the update
+              request.  When a
+              TKEY exchange has been used to create a shared secret, the
+              identity of the
+              shared secret is the same as the identity of the key used to
+              authenticate the
+              TKEY exchange.  When the <em class="replaceable"><code>identity</code></em> field specifies a
+              wildcard name, it is subject to DNS wildcard expansion, so the
+              rule will apply
+              to multiple identities.  The <em class="replaceable"><code>identity</code></em> field must
+              contain a fully qualified domain name.
+            </p>
+<p>
+              The <em class="replaceable"><code>nametype</code></em> field has 6
+              values:
+              <code class="varname">name</code>, <code class="varname">subdomain</code>,
+              <code class="varname">wildcard</code>, <code class="varname">self</code>,
+               <code class="varname">selfsub</code>, and <code class="varname">selfwild</code>.
+            </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -3252,69 +5435,151 @@ contain a fully qualified domain name.</p>
 </colgroup>
 <tbody>
 <tr>
-<td><p><code class="varname">name</code></p></td>
-<td><p>Exact-match semantics.  This rule matches when the
-name being updated is identical to the contents of the
-<em class="replaceable"><code>name</code></em> field.</p></td>
+<td>
+                      <p>
+                        <code class="varname">name</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Exact-match semantics.  This rule matches
+                        when the name being updated is identical
+                        to the contents of the
+                        <em class="replaceable"><code>name</code></em> field.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">subdomain</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule matches when the name being updated
+                        is a subdomain of, or identical to, the
+                        contents of the <em class="replaceable"><code>name</code></em>
+                        field.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">wildcard</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The <em class="replaceable"><code>name</code></em> field
+                        is subject to DNS wildcard expansion, and
+                        this rule matches when the name being updated
+                        name is a valid expansion of the wildcard.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p><code class="varname">subdomain</code></p></td>
-<td><p>This rule matches when the name being updated
-is a subdomain of, or identical to, the contents of the
-<em class="replaceable"><code>name</code></em> field.</p></td>
+<td>
+                      <p>
+                        <code class="varname">self</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule matches when the name being updated
+                        matches the contents of the
+                        <em class="replaceable"><code>identity</code></em> field.
+                        The <em class="replaceable"><code>name</code></em> field
+                        is ignored, but should be the same as the
+                        <em class="replaceable"><code>identity</code></em> field.
+                        The <code class="varname">self</code> nametype is
+                        most useful when allowing using one key per
+                        name to update, where the key has the same
+                        name as the name to be updated.  The
+                        <em class="replaceable"><code>identity</code></em> would
+                        be specified as <code class="constant">*</code> (an asterisk) in
+                        this case.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p><code class="varname">wildcard</code></p></td>
-<td><p>The <em class="replaceable"><code>name</code></em> field is
-subject to DNS wildcard expansion, and this rule matches when the name
-being updated name is a valid expansion of the wildcard.</p></td>
+<td>
+                      <p>
+                        <code class="varname">selfsub</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule is similar to <code class="varname">self</code>
+                        except that subdomains of <code class="varname">self</code>
+                        can also be updated.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p><code class="varname">self</code></p></td>
-<td><p>This rule matches when the name being updated
-matches the contents of the <em class="replaceable"><code>identity</code></em> field.
-The <em class="replaceable"><code>name</code></em> field is ignored, but should be
-the same as the <em class="replaceable"><code>identity</code></em> field.  The
-<code class="varname">self</code> nametype is most useful when allowing using
-one key per name to update, where the key has the same name as the name
-to be updated.  The <em class="replaceable"><code>identity</code></em> would be
-specified as <code class="constant">*</code> in this case.</p></td>
+<td>
+                      <p>
+                        <code class="varname">selfwild</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule is similar to <code class="varname">self</code>
+                        except that only subdomains of
+                        <code class="varname">self</code> can be updated.
+                      </p>
+                    </td>
 </tr>
 </tbody>
 </table></div>
-<p>In all cases, the <em class="replaceable"><code>name</code></em> field must
-specify a fully qualified domain name.</p>
-<p>If no types are explicitly specified, this rule matches all types except
-SIG, NS, SOA, and NXT. Types may be specified by name, including
-"ANY" (ANY matches all types except NXT, which can never be updated).
-Note that when an attempt is made to delete all records associated with a
-name, the rules are checked for each existing record type.
-</p>
+<p>
+              In all cases, the <em class="replaceable"><code>name</code></em>
+              field must
+              specify a fully qualified domain name.
+            </p>
+<p>
+              If no types are explicitly specified, this rule matches all
+              types except
+              RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
+              "ANY" (ANY matches all types except NSEC, which can never be
+              updated).
+              Note that when an attempt is made to delete all records
+              associated with a
+              name, the rules are checked for each existing record type.
+            </p>
 </div>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2589173"></a>Zone File</h2></div></div></div>
+<a name="id2588846"></a>Zone File</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
-<p>This section, largely borrowed from RFC 1034, describes the
-concept of a Resource Record (RR) and explains when each is used.
-Since the publication of RFC 1034, several new RRs have been identified
-and implemented in the DNS. These are also included.</p>
+<p>
+            This section, largely borrowed from RFC 1034, describes the
+            concept of a Resource Record (RR) and explains when each is used.
+            Since the publication of RFC 1034, several new RRs have been
+            identified
+            and implemented in the DNS. These are also included.
+          </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2589191"></a>Resource Records</h4></div></div></div>
-<p>A domain name identifies a node.  Each node has a set of
-        resource information, which may be empty.  The set of resource
-        information associated with a particular name is composed of
-        separate RRs. The order of RRs in a set is not significant and
-        need not be preserved by name servers, resolvers, or other
-        parts of the DNS. However, sorting of multiple RRs is
-        permitted for optimization purposes, for example, to specify
-        that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.</p>
-<p>The components of a Resource Record are:</p>
+<a name="id2588865"></a>Resource Records</h4></div></div></div>
+<p>
+              A domain name identifies a node.  Each node has a set of
+              resource information, which may be empty.  The set of resource
+              information associated with a particular name is composed of
+              separate RRs. The order of RRs in a set is not significant and
+              need not be preserved by name servers, resolvers, or other
+              parts of the DNS. However, sorting of multiple RRs is
+              permitted for optimization purposes, for example, to specify
+              that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.
+            </p>
+<p>
+              The components of a Resource Record are:
+            </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -3322,34 +5587,78 @@ and implemented in the DNS. These are also included.</p>
 </colgroup>
 <tbody>
 <tr>
-<td><p>owner name</p></td>
-<td><p>the domain name where the RR is found.</p></td>
+<td>
+                      <p>
+                        owner name
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The domain name where the RR is found.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>type</p></td>
-<td><p>an encoded 16-bit value that specifies
-the type of the resource record.</p></td>
+<td>
+                      <p>
+                        type
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        An encoded 16-bit value that specifies
+                        the type of the resource record.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>TTL</p></td>
-<td><p>the time-to-live of the RR. This field
-is a 32-bit integer in units of seconds, and is primarily used by
-resolvers when they cache RRs. The TTL describes how long a RR can
-be cached before it should be discarded.</p></td>
+<td>
+                      <p>
+                        TTL
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The time-to-live of the RR. This field
+                        is a 32-bit integer in units of seconds, and is
+                        primarily used by
+                        resolvers when they cache RRs. The TTL describes how
+                        long a RR can
+                        be cached before it should be discarded.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>class</p></td>
-<td><p>an encoded 16-bit value that identifies
-a protocol family or instance of a protocol.</p></td>
+<td>
+                      <p>
+                        class
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        An encoded 16-bit value that identifies
+                        a protocol family or instance of a protocol.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>RDATA</p></td>
-<td><p>the resource data.  The format of the
-data is type (and sometimes class) specific.</p></td>
+<td>
+                      <p>
+                        RDATA
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The resource data.  The format of the
+                        data is type (and sometimes class) specific.
+                      </p>
+                    </td>
 </tr>
 </tbody>
 </table></div>
-<p>The following are <span class="emphasis"><em>types</em></span> of valid RRs:</p>
+<p>
+              The following are <span class="emphasis"><em>types</em></span> of valid RRs:
+            </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -3357,160 +5666,463 @@ data is type (and sometimes class) specific.</p></td>
 </colgroup>
 <tbody>
 <tr>
-<td><p>A</p></td>
-<td><p>a host address.  In the IN class, this is a
-32-bit IP address.  Described in RFC 1035.</p></td>
+<td>
+                      <p>
+                        A
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A host address.  In the IN class, this is a
+                        32-bit IP address.  Described in RFC 1035.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>AAAA</p></td>
-<td><p>IPv6 address.  Described in RFC 1886.</p></td>
+<td>
+                      <p>
+                        AAAA
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 address.  Described in RFC 1886.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>A6</p></td>
-<td><p>IPv6 address.  This can be a partial
-address (a suffix) and an indirection to the name where the rest of the
-address (the prefix) can be found.  Experimental.  Described in RFC 2874.</p></td>
+<td>
+                      <p>
+                        A6
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 address.  This can be a partial
+                        address (a suffix) and an indirection to the name
+                        where the rest of the
+                        address (the prefix) can be found.  Experimental.
+                        Described in RFC 2874.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>AFSDB</p></td>
-<td><p>location of AFS database servers.
-Experimental.  Described in RFC 1183.</p></td>
+<td>
+                      <p>
+                        AFSDB
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Location of AFS database servers.
+                        Experimental.  Described in RFC 1183.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>APL</p></td>
-<td><p>address prefix list.  Experimental.
-Described in RFC 3123.</p></td>
+<td>
+                      <p>
+                        APL
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Address prefix list.  Experimental.
+                        Described in RFC 3123.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>CERT</p></td>
-<td><p>holds a digital certificate.
-Described in RFC 2538.</p></td>
+<td>
+                      <p>
+                        CERT
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Holds a digital certificate.
+                        Described in RFC 2538.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>CNAME</p></td>
-<td><p>identifies the canonical name of an alias.
-Described in RFC 1035.</p></td>
+<td>
+                      <p>
+                        CNAME
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Identifies the canonical name of an alias.
+                        Described in RFC 1035.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>DNAME</p></td>
-<td><p>Replaces the domain name specified with
-another name to be looked up, effectively aliasing an entire
-subtree of the domain name space rather than a single record
-as in the case of the CNAME RR.
-Described in RFC 2672.</p></td>
+<td>
+                      <p>
+                        DNAME
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Replaces the domain name specified with
+                        another name to be looked up, effectively aliasing an
+                        entire
+                        subtree of the domain name space rather than a single
+                        record
+                        as in the case of the CNAME RR.
+                        Described in RFC 2672.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>GPOS</p></td>
-<td><p>Specifies the global position.  Superseded by LOC.</p></td>
+<td>
+                      <p>
+                        DNSKEY
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Stores a public key associated with a signed
+                        DNS zone.  Described in RFC 4034.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>HINFO</p></td>
-<td><p>identifies the CPU and OS used by a host.
-Described in RFC 1035.</p></td>
+<td>
+                      <p>
+                        DS
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Stores the hash of a public key associated with a
+                        signed DNS zone.  Described in RFC 4034.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>ISDN</p></td>
-<td><p>representation of ISDN addresses.
-Experimental.  Described in RFC 1183.</p></td>
+<td>
+                      <p>
+                        GPOS
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Specifies the global position.  Superseded by LOC.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>KEY</p></td>
-<td><p>stores a public key associated with a
-DNS name.  Described in RFC 2535.</p></td>
+<td>
+                      <p>
+                        HINFO
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Identifies the CPU and OS used by a host.
+                        Described in RFC 1035.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>KX</p></td>
-<td><p>identifies a key exchanger for this
-DNS name.  Described in RFC 2230.</p></td>
+<td>
+                      <p>
+                        ISDN
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Representation of ISDN addresses.
+                        Experimental.  Described in RFC 1183.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>LOC</p></td>
-<td><p>for storing GPS info.  Described in RFC 1876.
-Experimental.</p></td>
+<td>
+                      <p>
+                        KEY
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Stores a public key associated with a
+                        DNS name.  Used in original DNSSEC; replaced
+                        by DNSKEY in DNSSECbis, but still used with
+                        SIG(0).  Described in RFCs 2535 and 2931.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>MX</p></td>
-<td><p>identifies a mail exchange for the domain.
-A 16-bit preference value (lower is better)
-followed by the host name of the mail exchange.
-Described in RFC 974, RFC 1035.</p></td>
+<td>
+                      <p>
+                        KX
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Identifies a key exchanger for this
+                        DNS name.  Described in RFC 2230.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>NAPTR</p></td>
-<td><p>name authority pointer.  Described in RFC 2915.</p></td>
+<td>
+                      <p>
+                        LOC
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        For storing GPS info.  Described in RFC 1876.
+                        Experimental.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>NSAP</p></td>
-<td><p>a network service access point.
-Described in RFC 1706.</p></td>
+<td>
+                      <p>
+                        MX
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Identifies a mail exchange for the domain with
+                        a 16-bit preference value (lower is better)
+                        followed by the host name of the mail exchange.
+                        Described in RFC 974, RFC 1035.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>NS</p></td>
-<td><p>the authoritative name server for the
-domain.  Described in RFC 1035.</p></td>
+<td>
+                      <p>
+                        NAPTR
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Name authority pointer.  Described in RFC 2915.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>NXT</p></td>
-<td><p>used in DNSSEC to securely indicate that
-RRs with an owner name in a certain name interval do not exist in
-a zone and indicate what RR types are present for an existing name.
-Described in RFC 2535.</p></td>
+<td>
+                      <p>
+                        NSAP
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A network service access point.
+                        Described in RFC 1706.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>PTR</p></td>
-<td><p>a pointer to another part of the domain
-name space.  Described in RFC 1035.</p></td>
+<td>
+                      <p>
+                        NS
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The authoritative name server for the
+                        domain.  Described in RFC 1035.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>PX</p></td>
-<td><p>provides mappings between RFC 822 and X.400
-addresses.  Described in RFC 2163.</p></td>
+<td>
+                      <p>
+                        NSEC
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Used in DNSSECbis to securely indicate that
+                        RRs with an owner name in a certain name interval do
+                        not exist in
+                        a zone and indicate what RR types are present for an
+                        existing name.
+                        Described in RFC 4034.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>RP</p></td>
-<td><p>information on persons responsible
-for the domain.  Experimental.  Described in RFC 1183.</p></td>
+<td>
+                      <p>
+                        NXT
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Used in DNSSEC to securely indicate that
+                        RRs with an owner name in a certain name interval do
+                        not exist in
+                        a zone and indicate what RR types are present for an
+                        existing name.
+                        Used in original DNSSEC; replaced by NSEC in
+                        DNSSECbis.
+                        Described in RFC 2535.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>RT</p></td>
-<td><p>route-through binding for hosts that
-do not have their own direct wide area network addresses.
-Experimental.  Described in RFC 1183.</p></td>
+<td>
+                      <p>
+                        PTR
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        A pointer to another part of the domain
+                        name space.  Described in RFC 1035.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>SIG</p></td>
-<td><p>("signature") contains data authenticated
-in the secure DNS.  Described in RFC 2535.</p></td>
+<td>
+                      <p>
+                        PX
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Provides mappings between RFC 822 and X.400
+                        addresses.  Described in RFC 2163.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>SOA</p></td>
-<td><p>identifies the start of a zone of authority.
-Described in RFC 1035.</p></td>
+<td>
+                      <p>
+                        RP
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Information on persons responsible
+                        for the domain.  Experimental.  Described in RFC 1183.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>SRV</p></td>
-<td><p>information about well known network
-services (replaces WKS).  Described in RFC 2782.</p></td>
+<td>
+                      <p>
+                        RRSIG
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Contains DNSSECbis signature data.  Described
+                        in RFC 4034.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>TXT</p></td>
-<td><p>text records.  Described in RFC 1035.</p></td>
+<td>
+                      <p>
+                        RT
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Route-through binding for hosts that
+                        do not have their own direct wide area network
+                        addresses.
+                        Experimental.  Described in RFC 1183.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>WKS</p></td>
-<td><p>information about which well known
-network services, such as SMTP, that a domain supports. Historical.
-</p></td>
+<td>
+                      <p>
+                        SIG
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Contains DNSSEC signature data.  Used in
+                        original DNSSEC; replaced by RRSIG in
+                        DNSSECbis, but still used for SIG(0).
+                        Described in RFCs 2535 and 2931.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>X25</p></td>
-<td><p>representation of X.25 network addresses.
-Experimental.  Described in RFC 1183.</p></td>
+<td>
+                      <p>
+                        SOA
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Identifies the start of a zone of authority.
+                        Described in RFC 1035.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        SRV
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Information about well known network
+                        services (replaces WKS).  Described in RFC 2782.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        TXT
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Text records.  Described in RFC 1035.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        WKS
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Information about which well known
+                        network services, such as SMTP, that a domain
+                        supports. Historical.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        X25
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Representation of X.25 network addresses.
+                        Experimental.  Described in RFC 1183.
+                      </p>
+                    </td>
 </tr>
 </tbody>
 </table></div>
-<p>The following <span class="emphasis"><em>classes</em></span> of resource records
-are currently valid in the DNS:</p>
+<p>
+              The following <span class="emphasis"><em>classes</em></span> of resource records
+              are currently valid in the DNS:
+            </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -3518,72 +6130,131 @@ are currently valid in the DNS:</p>
 </colgroup>
 <tbody>
 <tr>
-<td><p>IN</p></td>
-<td><p>The Internet.</p></td>
+<td>
+                      <p>
+                        IN
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        The Internet.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>CH</p></td>
-<td><p>
-CHAOSnet, a LAN protocol created at MIT in the mid-1970s.
-Rarely used for its historical purpose, but reused for BIND's
-built-in server information zones, e.g.,
-<code class="literal">version.bind</code>.
-</p></td>
+<td>
+                      <p>
+                        CH
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        CHAOSnet, a LAN protocol created at MIT in the
+                        mid-1970s.
+                        Rarely used for its historical purpose, but reused for
+                        BIND's
+                        built-in server information zones, e.g.,
+                        <code class="literal">version.bind</code>.
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p>HS</p></td>
-<td><p>
-Hesiod, an information service
-developed by MIT's Project Athena. It is used to share information
-about various systems databases, such as users, groups, printers
-and so on.
-</p></td>
+<td>
+                      <p>
+                        HS
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Hesiod, an information service
+                        developed by MIT's Project Athena. It is used to share
+                        information
+                        about various systems databases, such as users,
+                        groups, printers
+                        and so on.
+                      </p>
+                    </td>
 </tr>
 </tbody>
 </table></div>
-<p>The owner name is often implicit, rather than forming an integral
-part of the RR.  For example, many name servers internally form tree
-or hash structures for the name space, and chain RRs off nodes.
- The remaining RR parts are the fixed header (type, class, TTL)
-which is consistent for all RRs, and a variable part (RDATA) that
-fits the needs of the resource being described.</p>
-<p>The meaning of the TTL field is a time limit on how long an
-RR can be kept in a cache.  This limit does not apply to authoritative
-data in zones; it is also timed out, but by the refreshing policies
-for the zone.  The TTL is assigned by the administrator for the
-zone where the data originates.  While short TTLs can be used to
-minimize caching, and a zero TTL prohibits caching, the realities
-of Internet performance suggest that these times should be on the
-order of days for the typical host.  If a change can be anticipated,
-the TTL can be reduced prior to the change to minimize inconsistency
-during the change, and then increased back to its former value following
-the change.</p>
-<p>The data in the RDATA section of RRs is carried as a combination
-of binary strings and domain names.  The domain names are frequently
-used as "pointers" to other data in the DNS.</p>
+<p>
+              The owner name is often implicit, rather than forming an
+              integral
+              part of the RR.  For example, many name servers internally form
+              tree
+              or hash structures for the name space, and chain RRs off nodes.
+              The remaining RR parts are the fixed header (type, class, TTL)
+              which is consistent for all RRs, and a variable part (RDATA)
+              that
+              fits the needs of the resource being described.
+            </p>
+<p>
+              The meaning of the TTL field is a time limit on how long an
+              RR can be kept in a cache.  This limit does not apply to
+              authoritative
+              data in zones; it is also timed out, but by the refreshing
+              policies
+              for the zone.  The TTL is assigned by the administrator for the
+              zone where the data originates.  While short TTLs can be used to
+              minimize caching, and a zero TTL prohibits caching, the
+              realities
+              of Internet performance suggest that these times should be on
+              the
+              order of days for the typical host.  If a change can be
+              anticipated,
+              the TTL can be reduced prior to the change to minimize
+              inconsistency
+              during the change, and then increased back to its former value
+              following
+              the change.
+            </p>
+<p>
+              The data in the RDATA section of RRs is carried as a combination
+              of binary strings and domain names.  The domain names are
+              frequently
+              used as "pointers" to other data in the DNS.
+            </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2590180"></a>Textual expression of RRs</h4></div></div></div>
-<p>RRs are represented in binary form in the packets of the DNS
-protocol, and are usually represented in highly encoded form when
-stored in a name server or resolver.  In the examples provided in
-RFC 1034, a style similar to that used in master files was employed
-in order to show the contents of RRs.  In this format, most RRs
-are shown on a single line, although continuation lines are possible
-using parentheses.</p>
-<p>The start of the line gives the owner of the RR.  If a line
-begins with a blank, then the owner is assumed to be the same as
-that of the previous RR.  Blank lines are often included for readability.</p>
-<p>Following the owner, we list the TTL, type, and class of the
-RR.  Class and type use the mnemonics defined above, and TTL is
-an integer before the type field.  In order to avoid ambiguity in
-parsing, type and class mnemonics are disjoint, TTLs are integers,
-and the type mnemonic is always last. The IN class and TTL values
-are often omitted from examples in the interests of clarity.</p>
-<p>The resource data or RDATA section of the RR are given using
-knowledge of the typical representation for the data.</p>
-<p>For example, we might show the RRs carried in a message as:</p>
+<a name="id2590279"></a>Textual expression of RRs</h4></div></div></div>
+<p>
+              RRs are represented in binary form in the packets of the DNS
+              protocol, and are usually represented in highly encoded form
+              when
+              stored in a name server or resolver.  In the examples provided
+              in
+              RFC 1034, a style similar to that used in master files was
+              employed
+              in order to show the contents of RRs.  In this format, most RRs
+              are shown on a single line, although continuation lines are
+              possible
+              using parentheses.
+            </p>
+<p>
+              The start of the line gives the owner of the RR.  If a line
+              begins with a blank, then the owner is assumed to be the same as
+              that of the previous RR.  Blank lines are often included for
+              readability.
+            </p>
+<p>
+              Following the owner, we list the TTL, type, and class of the
+              RR.  Class and type use the mnemonics defined above, and TTL is
+              an integer before the type field.  In order to avoid ambiguity
+              in
+              parsing, type and class mnemonics are disjoint, TTLs are
+              integers,
+              and the type mnemonic is always last. The IN class and TTL
+              values
+              are often omitted from examples in the interests of clarity.
+            </p>
+<p>
+              The resource data or RDATA section of the RR are given using
+              knowledge of the typical representation for the data.
+            </p>
+<p>
+              For example, we might show the RRs carried in a message as:
+            </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -3592,43 +6263,116 @@ knowledge of the typical representation for the data.</p>
 </colgroup>
 <tbody>
 <tr>
-<td><p><code class="literal">ISI.EDU.</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10 VENERA.ISI.EDU.</code></p></td>
+<td>
+                      <p>
+                        <code class="literal">ISI.EDU.</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">MX</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">10 VENERA.ISI.EDU.</code>
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10 VAXA.ISI.EDU</code></p></td>
+<td>
+                      <p></p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">MX</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">10 VAXA.ISI.EDU</code>
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p><code class="literal">VENERA.ISI.EDU</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">128.9.0.32</code></p></td>
+<td>
+                      <p>
+                        <code class="literal">VENERA.ISI.EDU</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">A</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">128.9.0.32</code>
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.1.0.52</code></p></td>
+<td>
+                      <p></p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">A</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">10.1.0.52</code>
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p><code class="literal">VAXA.ISI.EDU</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.2.0.27</code></p></td>
+<td>
+                      <p>
+                        <code class="literal">VAXA.ISI.EDU</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">A</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">10.2.0.27</code>
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">128.9.0.33</code></p></td>
+<td>
+                      <p></p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">A</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">128.9.0.33</code>
+                      </p>
+                    </td>
 </tr>
 </tbody>
 </table></div>
-<p>The MX RRs have an RDATA section which consists of a 16-bit
-number followed by a domain name.  The address RRs use a standard
-IP address format to contain a 32-bit internet address.</p>
-<p>The above example shows six RRs, with two RRs at each of three
-domain names.</p>
-<p>Similarly we might see:</p>
+<p>
+              The MX RRs have an RDATA section which consists of a 16-bit
+              number followed by a domain name.  The address RRs use a
+              standard
+              IP address format to contain a 32-bit internet address.
+            </p>
+<p>
+              The above example shows six RRs, with two RRs at each of three
+              domain names.
+            </p>
+<p>
+              Similarly we might see:
+            </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -3637,45 +6381,83 @@ domain names.</p>
 </colgroup>
 <tbody>
 <tr>
-<td><p><code class="literal">XX.LCS.MIT.EDU. IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.44</code></p></td>
+<td>
+                      <p>
+                        <code class="literal">XX.LCS.MIT.EDU.</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">IN A</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">10.0.0.44</code>
+                      </p>
+                    </td>
 </tr>
 <tr>
-<td><p><code class="literal">CH</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">MIT.EDU. 2420</code></p></td>
+<td> </td>
+<td>
+                      <p>
+                        <code class="literal">CH A</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <code class="literal">MIT.EDU. 2420</code>
+                      </p>
+                    </td>
 </tr>
 </tbody>
 </table></div>
-<p>This example shows two addresses for <code class="literal">XX.LCS.MIT.EDU</code>,
-each of a different class.</p>
+<p>
+              This example shows two addresses for
+              <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
+            </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2590605"></a>Discussion of MX Records</h3></div></div></div>
-<p>As described above, domain servers store information as a
-series of resource records, each of which contains a particular
-piece of information about a given domain name (which is usually,
-but not always, a host). The simplest way to think of a RR is as
-a typed pair of data, a domain name matched with a relevant datum,
-and stored with some additional type information to help systems 
-determine when the RR is relevant.</p>
-<p>MX records are used to control delivery of email. The data
-specified in the record is a priority and a domain name. The priority
-controls the order in which email delivery is attempted, with the
-lowest number first. If two priorities are the same, a server is
-chosen randomly. If no servers at a given priority are responding,
-the mail transport agent will fall back to the next largest priority.
-Priority numbers do not have any absolute meaning &#8212; they are relevant
-only respective to other MX records for that domain name. The domain
-name given is the machine to which the mail will be delivered. It <span class="emphasis"><em>must</em></span> have
-an associated A record &#8212; CNAME is not sufficient.</p>
-<p>For a given domain, if there is both a CNAME record and an
-MX record, the MX record is in error, and will be ignored. Instead,
-the mail will be delivered to the server specified in the MX record
-pointed to by the CNAME.</p>
+<a name="id2590800"></a>Discussion of MX Records</h3></div></div></div>
+<p>
+            As described above, domain servers store information as a
+            series of resource records, each of which contains a particular
+            piece of information about a given domain name (which is usually,
+            but not always, a host). The simplest way to think of a RR is as
+            a typed pair of data, a domain name matched with a relevant datum,
+            and stored with some additional type information to help systems
+            determine when the RR is relevant.
+          </p>
+<p>
+            MX records are used to control delivery of email. The data
+            specified in the record is a priority and a domain name. The
+            priority
+            controls the order in which email delivery is attempted, with the
+            lowest number first. If two priorities are the same, a server is
+            chosen randomly. If no servers at a given priority are responding,
+            the mail transport agent will fall back to the next largest
+            priority.
+            Priority numbers do not have any absolute meaning &#8212; they are
+            relevant
+            only respective to other MX records for that domain name. The
+            domain
+            name given is the machine to which the mail will be delivered.
+            It <span class="emphasis"><em>must</em></span> have an associated address record
+            (A or AAAA) &#8212; CNAME is not sufficient.
+          </p>
+<p>
+            For a given domain, if there is both a CNAME record and an
+            MX record, the MX record is in error, and will be ignored.
+            Instead,
+            the mail will be delivered to the server specified in the MX
+            record
+            pointed to by the CNAME.
+          </p>
+<p>
+            For example:
+          </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -3686,56 +6468,152 @@ pointed to by the CNAME.</p>
 </colgroup>
 <tbody>
 <tr>
-<td><p><code class="literal">example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10</code></p></td>
-<td><p><code class="literal">mail.example.com.</code></p></td>
+<td>
+                    <p>
+                      <code class="literal">example.com.</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">IN</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">MX</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">10</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">mail.example.com.</code>
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10</code></p></td>
-<td><p><code class="literal">mail2.example.com.</code></p></td>
+<td>
+                    <p></p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">IN</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">MX</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">10</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">mail2.example.com.</code>
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">20</code></p></td>
-<td><p><code class="literal">mail.backup.org.</code></p></td>
+<td>
+                    <p></p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">IN</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">MX</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">20</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">mail.backup.org.</code>
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><code class="literal">mail.example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.1</code></p></td>
-<td><p></p></td>
+<td>
+                    <p>
+                      <code class="literal">mail.example.com.</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">IN</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">A</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">10.0.0.1</code>
+                    </p>
+                  </td>
+<td>
+                    <p></p>
+                  </td>
 </tr>
 <tr>
-<td><p><code class="literal">mail2.example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.2</code></p></td>
-<td><p></p></td>
+<td>
+                    <p>
+                      <code class="literal">mail2.example.com.</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">IN</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">A</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">10.0.0.2</code>
+                    </p>
+                  </td>
+<td>
+                    <p></p>
+                  </td>
 </tr>
 </tbody>
 </table></div>
-<p>For example:</p>
-<p>Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
-<code class="literal">mail2.example.com</code> (in
-any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
-be attempted.</p>
+<p>
+            Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
+            <code class="literal">mail2.example.com</code> (in
+            any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
+            be attempted.
+          </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
-<p>The time-to-live of the RR field is a 32-bit integer represented
-in units of seconds, and is primarily used by resolvers when they
-cache RRs. The TTL describes how long a RR can be cached before it
-should be discarded. The following three types of TTL are currently
-used in a zone file.</p>
+<p>
+            The time-to-live of the RR field is a 32-bit integer represented
+            in units of seconds, and is primarily used by resolvers when they
+            cache RRs. The TTL describes how long a RR can be cached before it
+            should be discarded. The following three types of TTL are
+            currently
+            used in a zone file.
+          </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -3743,46 +6621,79 @@ used in a zone file.</p>
 </colgroup>
 <tbody>
 <tr>
-<td><p>SOA</p></td>
 <td>
-<p>The last field in the SOA is the negative
-caching TTL. This controls how long other servers will cache no-such-domain
-(NXDOMAIN) responses from you.</p>
-<p>The maximum time for
-negative caching is 3 hours (3h).</p>
-</td>
+                    <p>
+                      SOA
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      The last field in the SOA is the negative
+                      caching TTL. This controls how long other servers will
+                      cache no-such-domain
+                      (NXDOMAIN) responses from you.
+                    </p>
+                    <p>
+                      The maximum time for
+                      negative caching is 3 hours (3h).
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p>$TTL</p></td>
-<td><p>The $TTL directive at the top of the
-zone file (before the SOA) gives a default TTL for every RR without
-a specific TTL set.</p></td>
+<td>
+                    <p>
+                      $TTL
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      The $TTL directive at the top of the
+                      zone file (before the SOA) gives a default TTL for every
+                      RR without
+                      a specific TTL set.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p>RR TTLs</p></td>
-<td><p>Each RR can have a TTL as the second
-field in the RR, which will control how long other servers can cache
-the it.</p></td>
+<td>
+                    <p>
+                      RR TTLs
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      Each RR can have a TTL as the second
+                      field in the RR, which will control how long other
+                      servers can cache
+                      the it.
+                    </p>
+                  </td>
 </tr>
 </tbody>
 </table></div>
-<p>All of these TTLs default to units of seconds, though units
-can be explicitly specified, for example, <code class="literal">1h30m</code>. </p>
+<p>
+            All of these TTLs default to units of seconds, though units
+            can be explicitly specified, for example, <code class="literal">1h30m</code>.
+          </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2591102"></a>Inverse Mapping in IPv4</h3></div></div></div>
-<p>Reverse name resolution (that is, translation from IP address
-to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
-and PTR records. Entries in the in-addr.arpa domain are made in
-least-to-most significant order, read left to right. This is the
-opposite order to the way IP addresses are usually written. Thus,
-a machine with an IP address of 10.1.2.3 would have a corresponding
-in-addr.arpa name of
-3.2.1.10.in-addr.arpa. This name should have a PTR resource record
-whose data field is the name of the machine or, optionally, multiple
-PTR records if the machine has more than one name. For example,
-in the [<span class="optional">example.com</span>] domain:</p>
+<a name="id2591419"></a>Inverse Mapping in IPv4</h3></div></div></div>
+<p>
+            Reverse name resolution (that is, translation from IP address
+            to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
+            and PTR records. Entries in the in-addr.arpa domain are made in
+            least-to-most significant order, read left to right. This is the
+            opposite order to the way IP addresses are usually written. Thus,
+            a machine with an IP address of 10.1.2.3 would have a
+            corresponding
+            in-addr.arpa name of
+            3.2.1.10.in-addr.arpa. This name should have a PTR resource record
+            whose data field is the name of the machine or, optionally,
+            multiple
+            PTR records if the machine has more than one name. For example,
+            in the [<span class="optional">example.com</span>] domain:
+          </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -3790,95 +6701,167 @@ in the [<span class="optional">example.com</span>] domain:</p>
 </colgroup>
 <tbody>
 <tr>
-<td><p><code class="literal">$ORIGIN</code></p></td>
-<td><p><code class="literal">2.1.10.in-addr.arpa</code></p></td>
+<td>
+                    <p>
+                      <code class="literal">$ORIGIN</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">2.1.10.in-addr.arpa</code>
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><code class="literal">3</code></p></td>
-<td><p><code class="literal">IN PTR foo.example.com.</code></p></td>
+<td>
+                    <p>
+                      <code class="literal">3</code>
+                    </p>
+                  </td>
+<td>
+                    <p>
+                      <code class="literal">IN PTR foo.example.com.</code>
+                    </p>
+                  </td>
 </tr>
 </tbody>
 </table></div>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-<p>The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
-are for providing context to the examples only-they do not necessarily
-appear in the actual usage. They are only used here to indicate
-that the example is relative to the listed origin.</p>
+<p>
+              The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
+              are for providing context to the examples only-they do not
+              necessarily
+              appear in the actual usage. They are only used here to indicate
+              that the example is relative to the listed origin.
+            </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2591208"></a>Other Zone File Directives</h3></div></div></div>
-<p>The Master File Format was initially defined in RFC 1035 and
-has subsequently been extended. While the Master File Format itself
-is class independent all records in a Master File must be of the same
-class.</p>
-<p>Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
-and <span><strong class="command">$TTL.</strong></span></p>
+<a name="id2591546"></a>Other Zone File Directives</h3></div></div></div>
+<p>
+            The Master File Format was initially defined in RFC 1035 and
+            has subsequently been extended. While the Master File Format
+            itself
+            is class independent all records in a Master File must be of the
+            same
+            class.
+          </p>
+<p>
+            Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
+            and <span><strong class="command">$TTL.</strong></span>
+          </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2591227"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$ORIGIN
-</strong></span><em class="replaceable"><code>domain-name</code></em> [<span class="optional"> <em class="replaceable"><code>comment</code></em></span>]</p>
-<p><span><strong class="command">$ORIGIN</strong></span> sets the domain name that will
-be appended to any unqualified records. When a zone is first read
-in there is an implicit <span><strong class="command">$ORIGIN</strong></span> &lt;<code class="varname">zone-name</code>&gt;<span><strong class="command">.</strong></span> The
-current <span><strong class="command">$ORIGIN</strong></span> is appended to the domain specified
-in the <span><strong class="command">$ORIGIN</strong></span> argument if it is not absolute.</p>
-<pre class="programlisting">$ORIGIN example.com.
-WWW     CNAME   MAIN-SERVER</pre>
-<p>is equivalent to</p>
-<pre class="programlisting">WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</pre>
+<a name="id2591569"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
+<p>
+              Syntax: <span><strong class="command">$ORIGIN</strong></span>
+              <em class="replaceable"><code>domain-name</code></em>
+              [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
+            </p>
+<p><span><strong class="command">$ORIGIN</strong></span>
+              sets the domain name that will be appended to any
+              unqualified records. When a zone is first read in there
+              is an implicit <span><strong class="command">$ORIGIN</strong></span>
+              &lt;<code class="varname">zone-name</code>&gt;<span><strong class="command">.</strong></span>
+              The current <span><strong class="command">$ORIGIN</strong></span> is appended to
+              the domain specified in the <span><strong class="command">$ORIGIN</strong></span>
+              argument if it is not absolute.
+            </p>
+<pre class="programlisting">
+$ORIGIN example.com.
+WWW     CNAME   MAIN-SERVER
+</pre>
+<p>
+              is equivalent to
+            </p>
+<pre class="programlisting">
+WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
+</pre>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2591283"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$INCLUDE</strong></span>
-<em class="replaceable"><code>filename</code></em> [<span class="optional">
-<em class="replaceable"><code>origin</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]</p>
-<p>Read and process the file <code class="filename">filename</code> as
-if it were included into the file at this point.  If <span><strong class="command">origin</strong></span> is
-specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
-to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
-used.</p>
-<p>The origin and the current domain name
-revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
-the file has been read.</p>
+<a name="id2591629"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
+<p>
+              Syntax: <span><strong class="command">$INCLUDE</strong></span>
+              <em class="replaceable"><code>filename</code></em>
+              [<span class="optional">
+<em class="replaceable"><code>origin</code></em> </span>]
+              [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
+            </p>
+<p>
+              Read and process the file <code class="filename">filename</code> as
+              if it were included into the file at this point.  If <span><strong class="command">origin</strong></span> is
+              specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
+              to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
+              used.
+            </p>
+<p>
+              The origin and the current domain name
+              revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
+              the file has been read.
+            </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
-RFC 1035 specifies that the current origin should be restored after
-an <span><strong class="command">$INCLUDE</strong></span>, but it is silent on whether the current
-domain name should also be restored.  BIND 9 restores both of them.
-This could be construed as a deviation from RFC 1035, a feature, or both.
-</p>
+                RFC 1035 specifies that the current origin should be restored
+                after
+                an <span><strong class="command">$INCLUDE</strong></span>, but it is silent
+                on whether the current
+                domain name should also be restored.  BIND 9 restores both of
+                them.
+                This could be construed as a deviation from RFC 1035, a
+                feature, or both.
+              </p>
 </div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2591346"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$TTL</strong></span>
-<em class="replaceable"><code>default-ttl</code></em> [<span class="optional">
-<em class="replaceable"><code>comment</code></em> </span>]</p>
-<p>Set the default Time To Live (TTL) for subsequent records
-with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</p>
-<p><span><strong class="command">$TTL</strong></span> is defined in RFC 2308.</p>
+<a name="id2591767"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
+<p>
+              Syntax: <span><strong class="command">$TTL</strong></span>
+              <em class="replaceable"><code>default-ttl</code></em>
+              [<span class="optional">
+<em class="replaceable"><code>comment</code></em> </span>]
+            </p>
+<p>
+              Set the default Time To Live (TTL) for subsequent records
+              with undefined TTLs. Valid TTLs are of the range 0-2147483647
+              seconds.
+            </p>
+<p><span><strong class="command">$TTL</strong></span>
+               is defined in RFC 2308.
+            </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2591377"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
-<p>Syntax: <span><strong class="command">$GENERATE</strong></span> <em class="replaceable"><code>range</code></em> <em class="replaceable"><code>lhs</code></em> [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>] [<span class="optional"><em class="replaceable"><code>class</code></em></span>] <em class="replaceable"><code>type</code></em> <em class="replaceable"><code>rhs</code></em> [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]</p>
-<p><span><strong class="command">$GENERATE</strong></span> is used to create a series of
-resource records that only differ from each other by an iterator. <span><strong class="command">$GENERATE</strong></span> can
-be used to easily generate the sets of records required to support
-sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
-delegation.</p>
+<a name="id2591803"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
+<p>
+            Syntax: <span><strong class="command">$GENERATE</strong></span>
+            <em class="replaceable"><code>range</code></em>
+            <em class="replaceable"><code>lhs</code></em>
+            [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>]
+            [<span class="optional"><em class="replaceable"><code>class</code></em></span>]
+            <em class="replaceable"><code>type</code></em>
+            <em class="replaceable"><code>rhs</code></em>
+            [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
+          </p>
+<p><span><strong class="command">$GENERATE</strong></span>
+            is used to create a series of resource records that only
+            differ from each other by an
+            iterator. <span><strong class="command">$GENERATE</strong></span> can be used to
+            easily generate the sets of records required to support
+            sub /24 reverse delegations described in RFC 2317:
+            Classless IN-ADDR.ARPA delegation.
+          </p>
 <pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
 $GENERATE 1-2 0 NS SERVER$.EXAMPLE.
 $GENERATE 1-127 $ CNAME $.0</pre>
-<p>is equivalent to</p>
+<p>
+            is equivalent to
+          </p>
 <pre class="programlisting">0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
@@ -3893,72 +6876,168 @@ $GENERATE 1-127 $ CNAME $.0</pre>
 </colgroup>
 <tbody>
 <tr>
-<td><p><span><strong class="command">range</strong></span></p></td>
-<td><p>This can be one of two forms: start-stop
-or start-stop/step. If the first form is used, then step is set to
-        1. All of start, stop and step must be positive.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">lhs</strong></span></p></td>
-<td>
-<p><span><strong class="command">lhs</strong></span> describes the
-owner name of the resource records to be created. Any single
-<span><strong class="command">$</strong></span> (dollar sign) symbols
-within the <span><strong class="command">lhs</strong></span> side are replaced by the iterator
-value.
-To get a $ in the output you need to escape the <span><strong class="command">$</strong></span>
-using a backslash <span><strong class="command">\</strong></span>,
-e.g. <span><strong class="command">\$</strong></span>. The <span><strong class="command">$</strong></span> may optionally be followed
-by modifiers which change the offset from the iterator, field width and base. 
-Modifiers are introduced by a <span><strong class="command">{</strong></span> immediately following the
-<span><strong class="command">$</strong></span> as <span><strong class="command">${offset[,width[,base]]}</strong></span>.
-For example, <span><strong class="command">${-20,3,d}</strong></span> which subtracts 20 from the current value,
-prints the result as a decimal in a zero-padded field of width 3.  Available
-output forms are decimal (<span><strong class="command">d</strong></span>), octal (<span><strong class="command">o</strong></span>)
-and hexadecimal (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span> for uppercase).
-The default modifier is <span><strong class="command">${0,0,d}</strong></span>.
-If the <span><strong class="command">lhs</strong></span> is not
-absolute, the current <span><strong class="command">$ORIGIN</strong></span> is appended to
-the name.</p>
-<p>For compatibility with earlier versions, <span><strong class="command">$$</strong></span> is still
-recognized as indicating a literal $ in the output.</p>
-</td>
+<td>
+                    <p><span><strong class="command">range</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      This can be one of two forms: start-stop
+                      or start-stop/step. If the first form is used, then step
+                      is set to
+                      1. All of start, stop and step must be positive.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">ttl</strong></span></p></td>
 <td>
-<p>Specifies the
-	  ttl of the generated records. If not specified this will be
-	  inherited using the normal ttl inheritance rules.</p>
-	  <p><span><strong class="command">class</strong></span> and <span><strong class="command">ttl</strong></span> can be
-	  entered in either order.</p>
-</td>
+                    <p><span><strong class="command">lhs</strong></span></p>
+                  </td>
+<td>
+                    <p><span><strong class="command">lhs</strong></span>
+                      describes the owner name of the resource records
+                      to be created.  Any single <span><strong class="command">$</strong></span>
+                      (dollar sign)
+                      symbols within the <span><strong class="command">lhs</strong></span> side
+                      are replaced by the iterator value.
+
+                      To get a $ in the output you need to escape the
+                      <span><strong class="command">$</strong></span> using a backslash
+                      <span><strong class="command">\</strong></span>,
+                      e.g. <span><strong class="command">\$</strong></span>. The
+                      <span><strong class="command">$</strong></span> may optionally be followed
+                      by modifiers which change the offset from the
+                      iterator, field width and base.
+
+                      Modifiers are introduced by a
+                      <span><strong class="command">{</strong></span> immediately following the
+                      <span><strong class="command">$</strong></span> as
+                      <span><strong class="command">${offset[,width[,base]]}</strong></span>.
+                      For example, <span><strong class="command">${-20,3,d}</strong></span>
+                      subtracts 20 from the current value, prints the
+                      result as a decimal in a zero-padded field of
+                      width 3.
+
+                      Available output forms are decimal
+                      (<span><strong class="command">d</strong></span>), octal
+                      (<span><strong class="command">o</strong></span>) and hexadecimal
+                      (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span>
+                      for uppercase).  The default modifier is
+                      <span><strong class="command">${0,0,d}</strong></span>.  If the
+                      <span><strong class="command">lhs</strong></span> is not absolute, the
+                      current <span><strong class="command">$ORIGIN</strong></span> is appended
+                      to the name.
+                    </p>
+                    <p>
+                      For compatibility with earlier versions, <span><strong class="command">$$</strong></span> is still
+                      recognized as indicating a literal $ in the output.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">class</strong></span></p></td>
 <td>
-<p>Specifies the
-	  class of the generated records.  This must match the zone class if
-	  it is specified.</p>
-	  <p><span><strong class="command">class</strong></span> and <span><strong class="command">ttl</strong></span> can be
-	  entered in either order.</p>
-</td>
+                    <p><span><strong class="command">ttl</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Specifies the time-to-live of the generated records. If
+                      not specified this will be inherited using the
+                      normal ttl inheritance rules.
+                    </p>
+                    <p><span><strong class="command">class</strong></span>
+                      and <span><strong class="command">ttl</strong></span> can be
+                      entered in either order.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><span><strong class="command">class</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Specifies the class of the generated records.
+                      This must match the zone class if it is
+                      specified.
+                    </p>
+                    <p><span><strong class="command">class</strong></span>
+                      and <span><strong class="command">ttl</strong></span> can be
+                      entered in either order.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">type</strong></span></p></td>
-<td><p>At present the only supported types are
-PTR, CNAME, DNAME, A, AAAA and NS.</p></td>
+<td>
+                    <p><span><strong class="command">type</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      At present the only supported types are
+                      PTR, CNAME, DNAME, A, AAAA and NS.
+                    </p>
+                  </td>
 </tr>
 <tr>
-<td><p><span><strong class="command">rhs</strong></span></p></td>
-<td><p>A domain name. It is processed
-similarly to lhs.</p></td>
+<td>
+                    <p><span><strong class="command">rhs</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      A domain name. It is processed
+                      similarly to lhs.
+                    </p>
+                  </td>
 </tr>
 </tbody>
 </table></div>
-<p>The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
-and not part of the standard zone file format.</p>
-<p>BIND 8 does not support the optional TTL and CLASS fields.</p>
+<p>
+            The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
+            and not part of the standard zone file format.
+          </p>
+<p>
+            BIND 8 does not support the optional TTL and CLASS fields.
+          </p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
+<p>
+            In addition to the standard textual format, BIND 9
+            supports the ability to read or dump to zone files in
+            other formats.  The <code class="constant">raw</code> format is
+            currently available as an additional format.  It is a
+            binary format representing BIND 9's internal data
+            structure directly, thereby remarkably improving the
+            loading time.
+          </p>
+<p>
+            For a primary server, a zone file in the
+            <code class="constant">raw</code> format is expected to be
+            generated from a textual zone file by the
+            <span><strong class="command">named-compilezone</strong></span> command.  For a
+            secondary server or for a dynamic zone, it is automatically
+            generated (if this format is specified by the
+            <span><strong class="command">masterfile-format</strong></span> option) when
+            <span><strong class="command">named</strong></span> dumps the zone contents after
+            zone transfer or when applying prior updates.
+          </p>
+<p>
+            If a zone file in a binary format needs manual modification,
+            it first must be converted to a textual form by the
+            <span><strong class="command">named-compilezone</strong></span> command.  All
+            necessary modification should go to the text file, which
+            should then be converted to the binary form by the
+            <span><strong class="command">named-compilezone</strong></span> command again.
+          </p>
+<p>
+             Although the <code class="constant">raw</code> format uses the
+             network byte order and avoids architecture-dependent
+             data alignment so that it is as much portable as
+             possible, it is primarily expected to be used inside
+             the same single system.  In order to export a zone
+             file in the <code class="constant">raw</code> format or make a
+             portable backup of the file, it is recommended to
+             convert the file to the standard textual representation.
+          </p>
 </div>
 </div>
 </div>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch07.html b/contrib/bind9/doc/arm/Bv9ARM.ch07.html
index f4e26f06..7286dc9 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch07.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch07.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch07.html,v 1.50.2.9.2.33 2006/09/13 02:56:21 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch07.html,v 1.75.18.54 2007/01/30 00:23:46 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 7. BIND 9 Security Considerations</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
@@ -46,11 +46,10 @@
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2591971"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for
-UNIX servers)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2592480"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592046">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592172">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592625">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592684">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl>
@@ -58,26 +57,37 @@ UNIX servers)</a></span></dt>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
-<p>Access Control Lists (ACLs), are address match lists that
-you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
-<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
-<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
-etc.</p>
-<p>Using ACLs allows you to have finer control over who can access
-your name server, without cluttering up your config files with huge
-lists of IP addresses.</p>
-<p>It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
-control access to your server. Limiting access to your server by
-outside parties can help prevent spoofing and denial of service (DoS)
-attacks against your server.</p>
-<p>Here is an example of how to properly apply ACLs:</p>
+<p>
+          Access Control Lists (ACLs), are address match lists that
+          you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
+          <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
+          <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
+          etc.
+        </p>
+<p>
+          Using ACLs allows you to have finer control over who can access
+          your name server, without cluttering up your config files with huge
+          lists of IP addresses.
+        </p>
+<p>
+          It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
+          control access to your server. Limiting access to your server by
+          outside parties can help prevent spoofing and denial of service (DoS) attacks against
+          your server.
+        </p>
+<p>
+          Here is an example of how to properly apply ACLs:
+        </p>
 <pre class="programlisting">
-// Set up an ACL named "bogusnets" that will block RFC1918 space,
-// which is commonly used in spoofing attacks.
-acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
+// Set up an ACL named "bogusnets" that will block RFC1918 space
+// and some reserved space, which is commonly used in spoofing attacks.
+acl bogusnets {
+        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
+        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
+};
 
 // Set up an ACL called our-nets. Replace this with the real IP numbers.
-acl our-nets { x.x.x.x/24; x.x.x.x/21; }; 
+acl our-nets { x.x.x.x/24; x.x.x.x/21; };
 options {
   ...
   ...
@@ -94,91 +104,132 @@ zone "example.com" {
   allow-query { any; };
 };
 </pre>
-<p>This allows recursive queries of the server from the outside
-unless recursion has been previously disabled.</p>
-<p>For more information on how to use ACLs to protect your server,
-see the <span class="emphasis"><em>AUSCERT</em></span> advisory at
-<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a></p>
+<p>
+          This allows recursive queries of the server from the outside
+          unless recursion has been previously disabled.
+        </p>
+<p>
+          For more information on how to use ACLs to protect your server,
+          see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
+        </p>
+<p>
+          <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
+        </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2591971"></a><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for
-UNIX servers)</h2></div></div></div>
-<p>On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
-(using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
-option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
-a "sandbox", which will limit the damage done if a server is compromised.</p>
-<p>Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
-ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
-We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.</p>
-<p>Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox, 
-<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
-user 202:</p>
-<p><strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong></p>
+<a name="id2592480"></a><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span>
+</h2></div></div></div>
+<p>
+          On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
+          (using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
+          option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
+          a "sandbox", which will limit the damage done if a server is
+          compromised.
+        </p>
+<p>
+          Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
+          ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
+          We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
+        </p>
+<p>
+          Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
+          <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
+          user 202:
+        </p>
+<p>
+          <strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong>
+        </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2592046"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
-<p>In order for a <span><strong class="command">chroot</strong></span> environment to
-work properly in a particular directory
-(for example, <code class="filename">/var/named</code>),
-you will need to set up an environment that includes everything
-<acronym class="acronym">BIND</acronym> needs to run.
-From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
-the root of the filesystem.  You will need to adjust the values of options like
-like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
-for this.
-</p>
-<p>
-Unlike with earlier versions of BIND, you will typically
-<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
-statically nor install shared libraries under the new root.
-However, depending on your operating system, you may need
-to set up things like
-<code class="filename">/dev/zero</code>,
-<code class="filename">/dev/random</code>,
-<code class="filename">/dev/log</code>, and
-<code class="filename">/etc/localtime</code>.
-</p>
+<a name="id2592625"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
+<p>
+            In order for a <span><strong class="command">chroot</strong></span> environment
+            to
+            work properly in a particular directory
+            (for example, <code class="filename">/var/named</code>),
+            you will need to set up an environment that includes everything
+            <acronym class="acronym">BIND</acronym> needs to run.
+            From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
+            the root of the filesystem.  You will need to adjust the values of
+            options like
+            like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
+            for this.
+          </p>
+<p>
+            Unlike with earlier versions of BIND, you will typically
+            <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
+            statically nor install shared libraries under the new root.
+            However, depending on your operating system, you may need
+            to set up things like
+            <code class="filename">/dev/zero</code>,
+            <code class="filename">/dev/random</code>,
+            <code class="filename">/dev/log</code>, and
+            <code class="filename">/etc/localtime</code>.
+          </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2592172"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
-<p>Prior to running the <span><strong class="command">named</strong></span> daemon, use
-the <span><strong class="command">touch</strong></span> utility (to change file access and
-modification times) or the <span><strong class="command">chown</strong></span> utility (to
-set the user id and/or group id) on files
-to which you want <acronym class="acronym">BIND</acronym>
-to write.  Note that if the <span><strong class="command">named</strong></span> daemon is running as an
-unprivileged user, it will not be able to bind to new restricted ports if the
-server is reloaded.</p>
+<a name="id2592684"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
+<p>
+            Prior to running the <span><strong class="command">named</strong></span> daemon,
+            use
+            the <span><strong class="command">touch</strong></span> utility (to change file
+            access and
+            modification times) or the <span><strong class="command">chown</strong></span>
+            utility (to
+            set the user id and/or group id) on files
+            to which you want <acronym class="acronym">BIND</acronym>
+            to write.
+          </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+            Note that if the <span><strong class="command">named</strong></span> daemon is running as an
+            unprivileged user, it will not be able to bind to new restricted
+            ports if the server is reloaded.
+          </div>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
-<p>Access to the dynamic
-update facility should be strictly limited.  In earlier versions of
-<acronym class="acronym">BIND</acronym>, the only way to do this was based on the IP
-address of the host requesting the update, by listing an IP address or
-network prefix in the <span><strong class="command">allow-update</strong></span> zone option.
-This method is insecure since the source address of the update UDP packet
-is easily forged.  Also note that if the IP addresses allowed by the
-<span><strong class="command">allow-update</strong></span> option include the address of a slave
-server which performs forwarding of dynamic updates, the master can be
-trivially attacked by sending the update to the slave, which will
-forward it to the master with its own source IP address causing the
-master to approve it without question.</p>
-<p>For these reasons, we strongly recommend that updates be
-cryptographically authenticated by means of transaction signatures
-(TSIG).  That is, the <span><strong class="command">allow-update</strong></span> option should
-list only TSIG key names, not IP addresses or network
-prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
-option can be used.</p>
-<p>Some sites choose to keep all dynamically-updated DNS data
-in a subdomain and delegate that subdomain to a separate zone. This
-way, the top-level zone containing critical data such as the IP addresses
-of public web and mail servers need not allow dynamic update at
-all.</p>
+<p>
+          Access to the dynamic
+          update facility should be strictly limited.  In earlier versions of
+          <acronym class="acronym">BIND</acronym>, the only way to do this was
+          based on the IP
+          address of the host requesting the update, by listing an IP address
+          or
+          network prefix in the <span><strong class="command">allow-update</strong></span>
+          zone option.
+          This method is insecure since the source address of the update UDP
+          packet
+          is easily forged.  Also note that if the IP addresses allowed by the
+          <span><strong class="command">allow-update</strong></span> option include the
+          address of a slave
+          server which performs forwarding of dynamic updates, the master can
+          be
+          trivially attacked by sending the update to the slave, which will
+          forward it to the master with its own source IP address causing the
+          master to approve it without question.
+        </p>
+<p>
+          For these reasons, we strongly recommend that updates be
+          cryptographically authenticated by means of transaction signatures
+          (TSIG).  That is, the <span><strong class="command">allow-update</strong></span>
+          option should
+          list only TSIG key names, not IP addresses or network
+          prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
+          option can be used.
+        </p>
+<p>
+          Some sites choose to keep all dynamically-updated DNS data
+          in a subdomain and delegate that subdomain to a separate zone. This
+          way, the top-level zone containing critical data such as the IP
+          addresses
+          of public web and mail servers need not allow dynamic update at
+          all.
+        </p>
 </div>
 </div>
 <div class="navfooter">
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch08.html b/contrib/bind9/doc/arm/Bv9ARM.ch08.html
index 98dbbed..c2a4827 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch08.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch08.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch08.html,v 1.50.2.9.2.33 2006/09/13 02:56:22 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch08.html,v 1.75.18.53 2007/01/30 00:23:46 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 8. Troubleshooting</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
@@ -45,62 +45,77 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592243">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2592248">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592260">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592277">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592764">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2592838">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592850">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592867">Where Can I Get Help?</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2592243"></a>Common Problems</h2></div></div></div>
+<a name="id2592764"></a>Common Problems</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2592248"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
-<p>The best solution to solving installation and
-      configuration issues is to take preventative measures by setting
-      up logging files beforehand. The log files provide a
-      source of hints and information that can be used to figure out
-      what went wrong and how to fix the problem.</p>
+<a name="id2592838"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
+<p>
+            The best solution to solving installation and
+            configuration issues is to take preventative measures by setting
+            up logging files beforehand. The log files provide a
+            source of hints and information that can be used to figure out
+            what went wrong and how to fix the problem.
+          </p>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2592260"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
-<p>Zone serial numbers are just numbers-they aren't date
-    related.  A lot of people set them to a number that represents a
-    date, usually of the form YYYYMMDDRR. A number of people have been
-    testing these numbers for Y2K compliance and have set the number
-    to the year 2000 to see if it will work. They then try to restore
-    the old serial number. This will cause problems because serial
-    numbers are used to indicate that a zone has been updated. If the
-    serial number on the slave server is lower than the serial number
-    on the master, the slave server will attempt to update its copy of
-    the zone.</p>
-<p>Setting the serial number to a lower number on the master
-    server than the slave server means that the slave will not perform
-    updates to its copy of the zone.</p>
-<p>The solution to this is to add 2147483647 (2^31-1) to the
-    number, reload the zone and make sure all slaves have updated to
-    the new zone serial number, then reset the number to what you want
-    it to be, and reload the zone again.</p>
+<a name="id2592850"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
+<p>
+          Zone serial numbers are just numbers-they aren't date
+          related.  A lot of people set them to a number that represents a
+          date, usually of the form YYYYMMDDRR. A number of people have been
+          testing these numbers for Y2K compliance and have set the number
+          to the year 2000 to see if it will work. They then try to restore
+          the old serial number. This will cause problems because serial
+          numbers are used to indicate that a zone has been updated. If the
+          serial number on the slave server is lower than the serial number
+          on the master, the slave server will attempt to update its copy of
+          the zone.
+        </p>
+<p>
+          Setting the serial number to a lower number on the master
+          server than the slave server means that the slave will not perform
+          updates to its copy of the zone.
+        </p>
+<p>
+          The solution to this is to add 2147483647 (2^31-1) to the
+          number, reload the zone and make sure all slaves have updated to
+          the new zone serial number, then reset the number to what you want
+          it to be, and reload the zone again.
+        </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2592277"></a>Where Can I Get Help?</h2></div></div></div>
-<p>The Internet Software Consortium (<acronym class="acronym">ISC</acronym>) offers a wide range
-    of support and service agreements for <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym> servers. Four
-    levels of premium support are available and each level includes
-    support for all <acronym class="acronym">ISC</acronym> programs, significant discounts on products
-    and training, and a recognized priority on bug fixes and
-    non-funded feature requests. In addition, <acronym class="acronym">ISC</acronym> offers a standard
-    support agreement package which includes services ranging from bug
-    fix announcements to remote support. It also includes training in
-    <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym>.</p>
-<p>To discuss arrangements for support, contact
-    <a href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
-    <acronym class="acronym">ISC</acronym> web page at <a href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
-    to read more.</p>
+<a name="id2592867"></a>Where Can I Get Help?</h2></div></div></div>
+<p>
+          The Internet Systems Consortium
+          (<acronym class="acronym">ISC</acronym>) offers a wide range
+          of support and service agreements for <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym> servers. Four
+          levels of premium support are available and each level includes
+          support for all <acronym class="acronym">ISC</acronym> programs,
+          significant discounts on products
+          and training, and a recognized priority on bug fixes and
+          non-funded feature requests. In addition, <acronym class="acronym">ISC</acronym> offers a standard
+          support agreement package which includes services ranging from bug
+          fix announcements to remote support. It also includes training in
+          <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym>.
+        </p>
+<p>
+          To discuss arrangements for support, contact
+          <a href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
+          <acronym class="acronym">ISC</acronym> web page at
+          <a href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
+          to read more.
+        </p>
 </div>
 </div>
 <div class="navfooter">
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch09.html b/contrib/bind9/doc/arm/Bv9ARM.ch09.html
index ccf9ee1..e8bbea8 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch09.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch09.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,16 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch09.html,v 1.50.2.9.2.35 2006/11/15 04:33:42 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch09.html,v 1.75.18.56 2007/01/30 00:23:46 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Appendix A. Appendices</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
+<link rel="next" href="Bv9ARM.ch10.html" title="Manual pages">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -32,7 +33,8 @@
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
-<td width="20%" align="right"> </td>
+<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
+</td>
 </tr>
 </table>
 <hr>
@@ -43,205 +45,167 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2592339">Acknowledgments</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2592344">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#historical_dns_information">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2592997">Acknowledgments</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593159">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2594702">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2596326">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
 </dl></dd>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2592339"></a>Acknowledgments</h2></div></div></div>
+<a name="id2592997"></a>Acknowledgments</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2592344"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></h3></div></div></div>
-<p>Although the "official" beginning of the Domain Name
-      System occurred in 1984 with the publication of RFC 920, the
-      core of the new system was described in 1983 in RFCs 882 and
-      883. From 1984 to 1987, the ARPAnet (the precursor to today's
-      Internet) became a testbed of experimentation for developing the
-      new naming/addressing scheme in a rapidly expanding,
-      operational network environment.  New RFCs were written and
-      published in 1987 that modified the original documents to
-      incorporate improvements based on the working model. RFC 1034,
-      "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
-      Names-Implementation and Specification" were published and
-      became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are
-      built.
-</p>
-<p>The first working domain name server, called "Jeeves", was
-written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
-machines located at the University of Southern California's Information
-Sciences Institute (USC-ISI) and SRI International's Network Information
-Center (SRI-NIC). A <acronym class="acronym">DNS</acronym> server for Unix machines, the Berkeley Internet
-Name Domain (<acronym class="acronym">BIND</acronym>) package, was written soon after by a group of
-graduate students at the University of California at Berkeley under
-a grant from the US Defense Advanced Research Projects Administration
-(DARPA).
-</p>
+<a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
+</h3></div></div></div>
 <p>
-Versions of <acronym class="acronym">BIND</acronym> through 4.8.3 were maintained by the Computer
-Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
-Painter, David Riggle and Songnian Zhou made up the initial <acronym class="acronym">BIND</acronym>
-project team. After that, additional work on the software package
-was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation
-employee on loan to the CSRG, worked on <acronym class="acronym">BIND</acronym> for 2 years, from 1985
-to 1987. Many other people also contributed to <acronym class="acronym">BIND</acronym> development
-during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
-Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently
-handled by Mike Karels and O. Kure.</p>
-<p><acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were released by Digital Equipment
-Corporation (now Compaq Computer Corporation). Paul Vixie, then
-a DEC employee, became <acronym class="acronym">BIND</acronym>'s primary caretaker. He was assisted
-by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
-Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
-Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
-Wolfhugel, and others.</p>
-<p><acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by Vixie Enterprises. Paul
-Vixie became <acronym class="acronym">BIND</acronym>'s principal architect/programmer.</p>
-<p><acronym class="acronym">BIND</acronym> versions from 4.9.3 onward have been developed and maintained
-by the Internet Software Consortium with support being provided
-by ISC's sponsors. As co-architects/programmers, Bob Halley and
-Paul Vixie released the first production-ready version of <acronym class="acronym">BIND</acronym> version
-8 in May 1997.</p>
-<p><acronym class="acronym">BIND</acronym> development work is made possible today by the sponsorship
-of several corporations, and by the tireless work efforts of numerous
-individuals.</p>
+            Although the "official" beginning of the Domain Name
+            System occurred in 1984 with the publication of RFC 920, the
+            core of the new system was described in 1983 in RFCs 882 and
+            883. From 1984 to 1987, the ARPAnet (the precursor to today's
+            Internet) became a testbed of experimentation for developing the
+            new naming/addressing scheme in a rapidly expanding,
+            operational network environment.  New RFCs were written and
+            published in 1987 that modified the original documents to
+            incorporate improvements based on the working model. RFC 1034,
+            "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
+            Names-Implementation and Specification" were published and
+            became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are
+            built.
+          </p>
+<p>
+            The first working domain name server, called "Jeeves", was
+            written in 1983-84 by Paul Mockapetris for operation on DEC
+            Tops-20
+            machines located at the University of Southern California's
+            Information
+            Sciences Institute (USC-ISI) and SRI International's Network
+            Information
+            Center (SRI-NIC). A <acronym class="acronym">DNS</acronym> server for
+            Unix machines, the Berkeley Internet
+            Name Domain (<acronym class="acronym">BIND</acronym>) package, was
+            written soon after by a group of
+            graduate students at the University of California at Berkeley
+            under
+            a grant from the US Defense Advanced Research Projects
+            Administration
+            (DARPA).
+          </p>
+<p>
+            Versions of <acronym class="acronym">BIND</acronym> through
+            4.8.3 were maintained by the Computer
+            Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
+            Painter, David Riggle and Songnian Zhou made up the initial <acronym class="acronym">BIND</acronym>
+            project team. After that, additional work on the software package
+            was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
+            Corporation
+            employee on loan to the CSRG, worked on <acronym class="acronym">BIND</acronym> for 2 years, from 1985
+            to 1987. Many other people also contributed to <acronym class="acronym">BIND</acronym> development
+            during that time: Doug Kingston, Craig Partridge, Smoot
+            Carl-Mitchell,
+            Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently
+            handled by Mike Karels and O. Kure.
+          </p>
+<p>
+            <acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were
+            released by Digital Equipment
+            Corporation (now Compaq Computer Corporation). Paul Vixie, then
+            a DEC employee, became <acronym class="acronym">BIND</acronym>'s
+            primary caretaker. He was assisted
+            by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
+            Beecher, Andrew
+            Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
+            Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
+            Wolfhugel, and others.
+          </p>
+<p>
+            <acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by
+            Vixie Enterprises. Paul
+            Vixie became <acronym class="acronym">BIND</acronym>'s principal
+            architect/programmer.
+          </p>
+<p>
+            <acronym class="acronym">BIND</acronym> versions from 4.9.3 onward
+            have been developed and maintained
+            by the Internet Systems Consortium and its predecessor,
+            the Internet Software Consortium,  with support being provided
+            by ISC's sponsors. As co-architects/programmers, Bob Halley and
+            Paul Vixie released the first production-ready version of
+            <acronym class="acronym">BIND</acronym> version 8 in May 1997.
+          </p>
+<p>
+            <acronym class="acronym">BIND</acronym> development work is made
+            possible today by the sponsorship
+            of several corporations, and by the tireless work efforts of
+            numerous individuals.
+          </p>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="historical_dns_information"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
+<a name="id2593159"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
-<p>IPv6 addresses are 128-bit identifiers for interfaces and
-sets of interfaces which were introduced in the <acronym class="acronym">DNS</acronym> to facilitate
-scalable Internet routing. There are three types of addresses: <span class="emphasis"><em>Unicast</em></span>,
-an identifier for a single interface; <span class="emphasis"><em>Anycast</em></span>,
-an identifier for a set of interfaces; and <span class="emphasis"><em>Multicast</em></span>,
-an identifier for a set of interfaces. Here we describe the global
-Unicast address scheme. For more information, see RFC 2374.</p>
-<p>The aggregatable global Unicast address format is as follows:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>3</p></td>
-<td><p>13</p></td>
-<td><p>8</p></td>
-<td><p>24</p></td>
-<td><p>16</p></td>
-<td><p>64 bits</p></td>
-</tr>
-<tr>
-<td><p>FP</p></td>
-<td><p>TLA ID</p></td>
-<td><p>RES</p></td>
-<td><p>NLA ID</p></td>
-<td><p>SLA ID</p></td>
-<td><p>Interface ID</p></td>
-</tr>
-<tr>
-<td colspan="4"><p>&lt;------ Public Topology
-------&gt;</p></td>
-<td><p></p></td>
-<td><p></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p>&lt;-Site Topology-&gt;</p></td>
-<td><p></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p>&lt;------ Interface Identifier ------&gt;</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>Where
-</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>FP</p></td>
-<td><p>=</p></td>
-<td><p>Format Prefix (001)</p></td>
-</tr>
-<tr>
-<td><p>TLA ID</p></td>
-<td><p>=</p></td>
-<td><p>Top-Level Aggregation Identifier</p></td>
-</tr>
-<tr>
-<td><p>RES</p></td>
-<td><p>=</p></td>
-<td><p>Reserved for future use</p></td>
-</tr>
-<tr>
-<td><p>NLA ID</p></td>
-<td><p>=</p></td>
-<td><p>Next-Level Aggregation Identifier</p></td>
-</tr>
-<tr>
-<td><p>SLA ID</p></td>
-<td><p>=</p></td>
-<td><p>Site-Level Aggregation Identifier</p></td>
-</tr>
-<tr>
-<td><p>INTERFACE ID</p></td>
-<td><p>=</p></td>
-<td><p>Interface Identifier</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The <span class="emphasis"><em>Public Topology</em></span> is provided by the
-upstream provider or ISP, and (roughly) corresponds to the IPv4 <span class="emphasis"><em>network</em></span> section
-of the address range. The <span class="emphasis"><em>Site Topology</em></span> is
-where you can subnet this space, much the same as subnetting an
-IPv4 /16 network into /24 subnets. The <span class="emphasis"><em>Interface Identifier</em></span> is
-the address of an individual interface on a given network. (With
-IPv6, addresses belong to interfaces rather than machines.)</p>
-<p>The subnetting capability of IPv6 is much more flexible than
-that of IPv4: subnetting can now be carried out on bit boundaries,
-in much the same way as Classless InterDomain Routing (CIDR).</p>
-<p>The Interface Identifier must be unique on that network. On
-ethernet networks, one way to ensure this is to set the address
-to the first three bytes of the hardware address, "FFFE", then the
-last three bytes of the hardware address. The lowest significant
-bit of the first byte should then be complemented. Addresses are
-written as 32-bit blocks separated with a colon, and leading zeros
-of a block may be omitted, for example:</p>
-<p><span><strong class="command">2001:db8:201:9:a00:20ff:fe81:2b32</strong></span></p>
-<p>IPv6 address specifications are likely to contain long strings
-of zeros, so the architects have included a shorthand for specifying
-them. The double colon (`::') indicates the longest possible string
-of zeros that can fit, and can be used only once in an address.</p>
+<p>
+            IPv6 addresses are 128-bit identifiers for interfaces and
+            sets of interfaces which were introduced in the <acronym class="acronym">DNS</acronym> to facilitate
+            scalable Internet routing. There are three types of addresses: <span class="emphasis"><em>Unicast</em></span>,
+            an identifier for a single interface;
+            <span class="emphasis"><em>Anycast</em></span>,
+            an identifier for a set of interfaces; and <span class="emphasis"><em>Multicast</em></span>,
+            an identifier for a set of interfaces. Here we describe the global
+            Unicast address scheme. For more information, see RFC 3587.
+          </p>
+<p>
+            IPv6 unicast addresses consist of a
+            <span class="emphasis"><em>global routing prefix</em></span>, a
+            <span class="emphasis"><em>subnet identifier</em></span>, and an
+            <span class="emphasis"><em>interface identifier</em></span>.
+          </p>
+<p>
+            The global routing prefix is provided by the
+            upstream provider or ISP, and (roughly) corresponds to the
+            IPv4 <span class="emphasis"><em>network</em></span> section
+            of the address range.
+
+            The subnet identifier is for local subnetting, much the
+            same as subnetting an
+            IPv4 /16 network into /24 subnets.
+
+            The interface identifier is the address of an individual
+            interface on a given network; in IPv6, addresses belong to
+            interfaces rather than to machines.
+          </p>
+<p>
+            The subnetting capability of IPv6 is much more flexible than
+            that of IPv4: subnetting can be carried out on bit boundaries,
+            in much the same way as Classless InterDomain Routing
+            (CIDR), and the DNS PTR representation ("nibble" format)
+            makes setting up reverse zones easier.
+          </p>
+<p>
+            The Interface Identifier must be unique on the local link,
+            and is usually generated automatically by the IPv6
+            implementation, although it is usually possible to
+            override the default setting if necessary.  A typical IPv6
+            address might look like:
+            <span><strong class="command">2001:db8:201:9:a00:20ff:fe81:2b32</strong></span>
+          </p>
+<p>
+            IPv6 address specifications often contain long strings
+            of zeros, so the architects have included a shorthand for
+            specifying
+            them. The double colon (`::') indicates the longest possible
+            string
+            of zeros that can fit, and can be used only once in an address.
+          </p>
 </div>
 </div>
 <div class="sect1" lang="en">
@@ -250,173 +214,355 @@ of zeros that can fit, and can be used only once in an address.</p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="rfcs"></a>Request for Comments (RFCs)</h3></div></div></div>
-<p>Specification documents for the Internet protocol suite, including
-the <acronym class="acronym">DNS</acronym>, are published as part of the Request for Comments (RFCs)
-series of technical notes. The standards themselves are defined
-by the Internet Engineering Task Force (IETF) and the Internet Engineering
-Steering Group (IESG). RFCs can be obtained online via FTP at 
-<a href="ftp://www.isi.edu/in-notes/" target="_top">ftp://www.isi.edu/in-notes/RFC<em class="replaceable"><code>xxx</code></em>.txt</a> (where <em class="replaceable"><code>xxx</code></em> is
-the number of the RFC). RFCs are also available via the Web at
-<a href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>.
-</p>
+<p>
+            Specification documents for the Internet protocol suite, including
+            the <acronym class="acronym">DNS</acronym>, are published as part of
+            the Request for Comments (RFCs)
+            series of technical notes. The standards themselves are defined
+            by the Internet Engineering Task Force (IETF) and the Internet
+            Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
+          </p>
+<p>
+            <a href="ftp://www.isi.edu/in-notes/" target="_top">
+              ftp://www.isi.edu/in-notes/RFC<em class="replaceable"><code>xxxx</code></em>.txt
+            </a>
+          </p>
+<p>
+            (where <em class="replaceable"><code>xxxx</code></em> is
+            the number of the RFC). RFCs are also available via the Web at:
+          </p>
+<p>
+            <a href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>.
+          </p>
 <div class="bibliography">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2593259"></a>Bibliography</h4></div></div></div>
+<a name="id2593347"></a>Bibliography</h4></div></div></div>
 <div class="bibliodiv">
 <h3 class="title">Standards</h3>
 <div class="biblioentry">
-<a name="id2593270"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
+<a name="id2593357"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2593293"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2593381"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2593317"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
-Specification</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2593404"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
+                  Specification</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <a name="proposed_standards"></a>Proposed Standards</h3>
 <div class="biblioentry">
-<a name="id2593354"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym> Specification</i>. </span><span class="pubdate">July 1997. </span></p>
+<a name="id2593441"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
+                  Specification</i>. </span><span class="pubdate">July 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2593380"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym> Queries</i>. </span><span class="pubdate">March 1998. </span></p>
+<a name="id2593467"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
+                  Queries</i>. </span><span class="pubdate">March 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2593405"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2593493"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2593430"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2593517"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2593522"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2593541"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2593577"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2593596"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2593623"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2593650"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2593712"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2593741"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2593771"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2593798"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
+                       Key Transaction Authentication for DNS
+                       (GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
-<h3 class="title">Proposed Standards Still Under Development</h3>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p><span class="emphasis"><em>Note:</em></span> the following list of
-RFCs are undergoing major revision by the IETF.</p>
+<h3 class="title">
+<acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
+<div class="biblioentry">
+<a name="id2593880"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2593653"></a><p>[<abbr class="abbrev">RFC1886</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP version 6</i>. </span><span class="pubdate">December 1995. </span></p>
+<a name="id2593907"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2593691"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+<a name="id2593943"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2593731"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2594008"></a><p>[<abbr class="abbrev">RFC4044</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594073"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
+                       Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
-<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym> Implementation</h3>
+<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
+                Implementation</h3>
 <div class="biblioentry">
-<a name="id2593767"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
+<a name="id2594147"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
+                  Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2593793"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
+<a name="id2594172"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
+                  Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2593860"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2594241"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594276"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
+                Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Resource Record Types</h3>
 <div class="biblioentry">
-<a name="id2593901"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+<a name="id2594322"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594448"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594485"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
+                  the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594520"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
+                  Domain
+                  Name System</i>. </span><span class="pubdate">January 1996. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594574"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
+                  Location of
+                  Services.</i>. </span><span class="pubdate">October 1996. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594613"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
+                  Distribute MIXER
+                  Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594638"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594664"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594691"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594717"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2594757"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2593959"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+<a name="id2594787"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2593996"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
-the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
+<a name="id2594817"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594032"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the Domain
-Name System</i>. </span><span class="pubdate">January 1996. </span></p>
+<a name="id2594859"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594086"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the Location of
-Services.</i>. </span><span class="pubdate">October 1996. </span></p>
+<a name="id2594892"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594125"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to Distribute MIXER
-Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
+<a name="id2594919"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594152"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+<a name="id2594942"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
+                  version 6</i>. </span><span class="pubdate">October 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595000"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> and the Internet</h3>
 <div class="biblioentry">
-<a name="id2594186"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
+<a name="id2595032"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
+                  and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594212"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and Support</i>. </span><span class="pubdate">October 1989. </span></p>
+<a name="id2595058"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
+                  Support</i>. </span><span class="pubdate">October 1989. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594235"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
+<a name="id2595080"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594257"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+<a name="id2595104"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595149"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595173"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> Operations</h3>
 <div class="biblioentry">
-<a name="id2594311"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
+<a name="id2595230"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595254"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
+                  Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594337"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
+<a name="id2595281"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
+                  Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594363"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
+<a name="id2595307"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594400"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
+<a name="id2595344"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
+                  Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
+</div>
+</div>
+<div class="bibliodiv">
+<h3 class="title">Internationalized Domain Names</h3>
+<div class="biblioentry">
+<a name="id2595389"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
+                       and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595421"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595467"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595502"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
+                       for Internationalized Domain Names in
+                       Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Other <acronym class="acronym">DNS</acronym>-related RFCs</h3>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-<p>Note: the following list of RFCs, although
-<acronym class="acronym">DNS</acronym>-related, are not concerned with implementing software.</p>
+<p>
+                  Note: the following list of RFCs, although
+                  <acronym class="acronym">DNS</acronym>-related, are not
+                  concerned with implementing software.
+                </p>
+</div>
+<div class="biblioentry">
+<a name="id2595547"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
+                  Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595570"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595595"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
+                  Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594459"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
+<a name="id2595621"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594482"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+<a name="id2595644"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594506"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
+<a name="id2595690"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594531"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
+<a name="id2595714"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594553"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2595740"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
+                       Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594599"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2595766"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595802"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+</div>
+</div>
+<div class="bibliodiv">
+<h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
+<div class="biblioentry">
+<a name="id2595833"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
+                  Location</i>. </span><span class="pubdate">November 1994. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595891"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2595917"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
+                       and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
-<h3 class="title">Obsolete and Unimplemented Experimental RRs</h3>
+<h3 class="title">Obsoleted DNS Security RFCs</h3>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+                  Most of these have been consolidated into RFC4033,
+                  RFC4034 and RFC4035 which collectively describe DNSSECbis.
+                </p>
+</div>
+<div class="biblioentry">
+<a name="id2595965"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596005"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+</div>
 <div class="biblioentry">
-<a name="id2594630"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
-Location</i>. </span><span class="pubdate">November 1994. </span></p>
+<a name="id2596032"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596061"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
+                       Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596087"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596114"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596150"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596186"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596213"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596240"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
+                      (RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
+</div>
+<div class="biblioentry">
+<a name="id2596284"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
 </div>
 </div>
 </div>
@@ -424,24 +570,27 @@ Location</i>. </span><span class="pubdate">November 1994. </span></p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="internet_drafts"></a>Internet Drafts</h3></div></div></div>
-<p>Internet Drafts (IDs) are rough-draft working documents of
-the Internet Engineering Task Force. They are, in essence, RFCs
-in the preliminary stages of development. Implementors are cautioned not
-to regard IDs as archival, and they should not be quoted or cited
-in any formal documents unless accompanied by the disclaimer that
-they are "works in progress." IDs have a lifespan of six months
-after which they are deleted unless updated by their authors.
-</p>
+<p>
+            Internet Drafts (IDs) are rough-draft working documents of
+            the Internet Engineering Task Force. They are, in essence, RFCs
+            in the preliminary stages of development. Implementors are
+            cautioned not
+            to regard IDs as archival, and they should not be quoted or cited
+            in any formal documents unless accompanied by the disclaimer that
+            they are "works in progress." IDs have a lifespan of six months
+            after which they are deleted unless updated by their authors.
+          </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2594702"></a>Other Documents About <acronym class="acronym">BIND</acronym></h3></div></div></div>
+<a name="id2596326"></a>Other Documents About <acronym class="acronym">BIND</acronym>
+</h3></div></div></div>
 <p></p>
 <div class="bibliography">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2594712"></a>Bibliography</h4></div></div></div>
+<a name="id2596336"></a>Bibliography</h4></div></div></div>
 <div class="biblioentry">
-<a name="id2594714"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+<a name="id2596338"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
 </div>
 </div>
 </div>
@@ -454,12 +603,13 @@ after which they are deleted unless updated by their authors.
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
-<td width="40%" align="right"> </td>
+<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
+</td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Chapter 8. Troubleshooting </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> </td>
+<td width="40%" align="right" valign="top"> Manual pages</td>
 </tr>
 </table>
 </div>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch10.html b/contrib/bind9/doc/arm/Bv9ARM.ch10.html
new file mode 100644
index 0000000..03cce5a
--- /dev/null
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch10.html
@@ -0,0 +1,102 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: Bv9ARM.ch10.html,v 1.2.2.6 2007/01/30 00:23:46 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Manual pages</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="prev" href="Bv9ARM.ch09.html" title="Appendix A. Appendices">
+<link rel="next" href="man.dig.html" title="dig">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center">Manual pages</th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="Bv9ARM.ch09.html">Prev</a> </td>
+<th width="60%" align="center"> </th>
+<td width="20%" align="right"> <a accesskey="n" href="man.dig.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="reference" lang="en">
+<div class="titlepage">
+<div><div><h1 class="title">
+<a name="Bv9ARM.ch10"></a>Manual pages</h1></div></div>
+<hr>
+</div>
+<div class="toc">
+<p><b>Table of Contents</b></p>
+<dl>
+<dt>
+<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone signing tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> &#8212; zone file validity checking or converting tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> &#8212; rndc configuration file</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
+</dt>
+</dl>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="Bv9ARM.ch09.html">Prev</a> </td>
+<td width="20%" align="center"> </td>
+<td width="40%" align="right"> <a accesskey="n" href="man.dig.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">Appendix A. Appendices </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> dig</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.html b/contrib/bind9/doc/arm/Bv9ARM.html
index 6c62d12..bf70423 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,14 +14,14 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.html,v 1.60.2.9.2.38 2006/11/15 04:33:42 marka Exp $ -->
+<!-- $Id: Bv9ARM.html,v 1.85.18.57 2007/01/30 00:23:46 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>BIND 9 Administrator Reference Manual</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction ">
+<link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -40,8 +40,8 @@
 <div class="titlepage">
 <div>
 <div><h1 class="title">
-<a name="id2482844"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="copyright">Copyright © 2004-2006 Internet Systems Consortium, Inc. ("ISC")</p></div>
+<a name="id2563153"></a>BIND 9 Administrator Reference Manual</h1></div>
+<div><p class="copyright">Copyright © 2004-2007 Internet Systems Consortium, Inc. ("ISC")</p></div>
 <div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
 </div>
 <hr>
@@ -49,41 +49,41 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction </a></span></dt>
+<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569434">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569460">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569736">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2569994">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564115">Scope of Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564138">Organization of This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563473">Conventions Used in This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564746">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570014">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570323">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570407">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570550">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570642">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2570699">Name Servers in Multiple Roles</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564768">DNS Fundamentals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564802">Domains and Domain Names</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564886">Zones</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567284">Authoritative Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567525">Caching Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567587">Name Servers in Multiple Roles</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570868">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570892">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570903">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570918">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2570995">Supported Operating Systems</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567621">Hardware requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567648">CPU Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567660">Memory Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567687">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567698">Supported Operating Systems</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2571026">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2571042">An Authoritative-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568003">A Caching-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568019">An Authoritative-only Name Server</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2571064">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2571484">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568041">Load Balancing</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568465">Name Server Operations</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2571490">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2572723">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568470">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2569972">Signals</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
@@ -92,33 +92,33 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2573147">Split DNS</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570429">Split DNS</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573709">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573776">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573784">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573824">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573876">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573920">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570949">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571022">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571033">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571141">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571198">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571243">Errors</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2573933">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2573982">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571257">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571306">SIG(0)</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574049">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574116">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574259">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571579">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571649">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571728">Configuring Servers</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2574396">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571802">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574455">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2574475">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572001">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572022">Address to Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2574507">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572055">The Lightweight Resolver Library</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
@@ -126,79 +126,118 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575672">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573470">Comment Syntax</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576157"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574151"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
-Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576326"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576672"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576686"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576709"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576730"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576870"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577064"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578270"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578343"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578406"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578518"><span><strong class="command">masters</strong></span> Statement Definition and Usage </a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578533"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt>
+          Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574341"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
+          Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574770"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574785"><span><strong class="command">include</strong></span> Statement Definition and
+          Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574808"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574829"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574920"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575046"><span><strong class="command">logging</strong></span> Statement Definition and
+          Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576396"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576470"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576534"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576578"><span><strong class="command">masters</strong></span> Statement Definition and
+          Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576593"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
+          Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586290"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586338"><span><strong class="command">trusted-keys</strong></span> Statement Definition
-	    and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
+            Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585018"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585136"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+            and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586420"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585216"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
-Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587635"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+            Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586586"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589173">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2588846">Zone File</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590605">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590800">Discussion of MX Records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591102">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591208">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591377"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591419">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591546">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591803"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2591971"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for
-UNIX servers)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2592480"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592046">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592172">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592625">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592684">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592243">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2592248">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592260">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592277">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592764">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2592838">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592850">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2592867">Where Can I Get Help?</a></span></dt>
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2592339">Acknowledgments</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2592344">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#historical_dns_information">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2592997">Acknowledgments</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593159">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2594702">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2596326">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
 </dl></dd>
 </dl></dd>
+<dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>
+<dd><dl>
+<dt>
+<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone signing tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> &#8212; zone file validity checking or converting tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> &#8212; rndc configuration file</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
+</dt>
+</dl></dd>
 </dl>
 </div>
 </div>
@@ -214,7 +253,7 @@ UNIX servers)</a></span></dt>
 <tr>
 <td width="40%" align="left" valign="top"> </td>
 <td width="20%" align="center"> </td>
-<td width="40%" align="right" valign="top"> Chapter 1. Introduction </td>
+<td width="40%" align="right" valign="top"> Chapter 1. Introduction</td>
 </tr>
 </table>
 </div>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.pdf b/contrib/bind9/doc/arm/Bv9ARM.pdf
index cf61e9c..ea25edd 100755
--- a/contrib/bind9/doc/arm/Bv9ARM.pdf
+++ b/contrib/bind9/doc/arm/Bv9ARM.pdf
@@ -609,1719 +609,3231 @@ endobj
 << /S /GoTo /D (subsubsection.6.2.16.17) >>
 endobj
 412 0 obj
-(6.2.16.17 The Statistics File)
+(6.2.16.17 Built-in Empty Zones)
 endobj
 413 0 obj
-<< /S /GoTo /D (subsection.6.2.17) >>
+<< /S /GoTo /D (subsubsection.6.2.16.18) >>
 endobj
 416 0 obj
-(6.2.17 server Statement Grammar)
+(6.2.16.18 The Statistics File)
 endobj
 417 0 obj
-<< /S /GoTo /D (subsection.6.2.18) >>
+<< /S /GoTo /D (subsubsection.6.2.16.19) >>
 endobj
 420 0 obj
-(6.2.18 server Statement Definition and Usage)
+(6.2.16.19 Additional Section Caching)
 endobj
 421 0 obj
-<< /S /GoTo /D (subsection.6.2.19) >>
+<< /S /GoTo /D (subsection.6.2.17) >>
 endobj
 424 0 obj
-(6.2.19 trusted-keys Statement Grammar)
+(6.2.17 server Statement Grammar)
 endobj
 425 0 obj
-<< /S /GoTo /D (subsection.6.2.20) >>
+<< /S /GoTo /D (subsection.6.2.18) >>
 endobj
 428 0 obj
-(6.2.20 trusted-keys Statement Definition and Usage)
+(6.2.18 server Statement Definition and Usage)
 endobj
 429 0 obj
-<< /S /GoTo /D (subsection.6.2.21) >>
+<< /S /GoTo /D (subsection.6.2.19) >>
 endobj
 432 0 obj
-(6.2.21 view Statement Grammar)
+(6.2.19 trusted-keys Statement Grammar)
 endobj
 433 0 obj
-<< /S /GoTo /D (subsection.6.2.22) >>
+<< /S /GoTo /D (subsection.6.2.20) >>
 endobj
 436 0 obj
-(6.2.22 view Statement Definition and Usage)
+(6.2.20 trusted-keys Statement Definition and Usage)
 endobj
 437 0 obj
-<< /S /GoTo /D (subsection.6.2.23) >>
+<< /S /GoTo /D (subsection.6.2.21) >>
 endobj
 440 0 obj
-(6.2.23 zone Statement Grammar)
+(6.2.21 view Statement Grammar)
 endobj
 441 0 obj
-<< /S /GoTo /D (subsection.6.2.24) >>
+<< /S /GoTo /D (subsection.6.2.22) >>
 endobj
 444 0 obj
-(6.2.24 zone Statement Definition and Usage)
+(6.2.22 view Statement Definition and Usage)
 endobj
 445 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.1) >>
+<< /S /GoTo /D (subsection.6.2.23) >>
 endobj
 448 0 obj
-(6.2.24.1 Zone Types)
+(6.2.23 zone Statement Grammar)
 endobj
 449 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.2) >>
+<< /S /GoTo /D (subsection.6.2.24) >>
 endobj
 452 0 obj
-(6.2.24.2 Class)
+(6.2.24 zone Statement Definition and Usage)
 endobj
 453 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.3) >>
+<< /S /GoTo /D (subsubsection.6.2.24.1) >>
 endobj
 456 0 obj
-(6.2.24.3 Zone Options)
+(6.2.24.1 Zone Types)
 endobj
 457 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.4) >>
+<< /S /GoTo /D (subsubsection.6.2.24.2) >>
 endobj
 460 0 obj
-(6.2.24.4 Dynamic Update Policies)
+(6.2.24.2 Class)
 endobj
 461 0 obj
-<< /S /GoTo /D (section.6.3) >>
+<< /S /GoTo /D (subsubsection.6.2.24.3) >>
 endobj
 464 0 obj
-(6.3 Zone File)
+(6.2.24.3 Zone Options)
 endobj
 465 0 obj
-<< /S /GoTo /D (subsection.6.3.1) >>
+<< /S /GoTo /D (subsubsection.6.2.24.4) >>
 endobj
 468 0 obj
-(6.3.1 Types of Resource Records and When to Use Them)
+(6.2.24.4 Dynamic Update Policies)
 endobj
 469 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.1) >>
+<< /S /GoTo /D (section.6.3) >>
 endobj
 472 0 obj
-(6.3.1.1 Resource Records)
+(6.3 Zone File)
 endobj
 473 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.2) >>
+<< /S /GoTo /D (subsection.6.3.1) >>
 endobj
 476 0 obj
-(6.3.1.2 Textual expression of RRs)
+(6.3.1 Types of Resource Records and When to Use Them)
 endobj
 477 0 obj
-<< /S /GoTo /D (subsection.6.3.2) >>
+<< /S /GoTo /D (subsubsection.6.3.1.1) >>
 endobj
 480 0 obj
-(6.3.2 Discussion of MX Records)
+(6.3.1.1 Resource Records)
 endobj
 481 0 obj
-<< /S /GoTo /D (subsection.6.3.3) >>
+<< /S /GoTo /D (subsubsection.6.3.1.2) >>
 endobj
 484 0 obj
-(6.3.3 Setting TTLs)
+(6.3.1.2 Textual expression of RRs)
 endobj
 485 0 obj
-<< /S /GoTo /D (subsection.6.3.4) >>
+<< /S /GoTo /D (subsection.6.3.2) >>
 endobj
 488 0 obj
-(6.3.4 Inverse Mapping in IPv4)
+(6.3.2 Discussion of MX Records)
 endobj
 489 0 obj
-<< /S /GoTo /D (subsection.6.3.5) >>
+<< /S /GoTo /D (subsection.6.3.3) >>
 endobj
 492 0 obj
-(6.3.5 Other Zone File Directives)
+(6.3.3 Setting TTLs)
 endobj
 493 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.1) >>
+<< /S /GoTo /D (subsection.6.3.4) >>
 endobj
 496 0 obj
-(6.3.5.1 The \044ORIGIN Directive)
+(6.3.4 Inverse Mapping in IPv4)
 endobj
 497 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.2) >>
+<< /S /GoTo /D (subsection.6.3.5) >>
 endobj
 500 0 obj
-(6.3.5.2 The \044INCLUDE Directive)
+(6.3.5 Other Zone File Directives)
 endobj
 501 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.3) >>
+<< /S /GoTo /D (subsubsection.6.3.5.1) >>
 endobj
 504 0 obj
-(6.3.5.3 The \044TTL Directive)
+(6.3.5.1 The \044ORIGIN Directive)
 endobj
 505 0 obj
-<< /S /GoTo /D (subsection.6.3.6) >>
+<< /S /GoTo /D (subsubsection.6.3.5.2) >>
 endobj
 508 0 obj
-(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
+(6.3.5.2 The \044INCLUDE Directive)
 endobj
 509 0 obj
-<< /S /GoTo /D (chapter.7) >>
+<< /S /GoTo /D (subsubsection.6.3.5.3) >>
 endobj
 512 0 obj
-(7 BIND 9 Security Considerations)
+(6.3.5.3 The \044TTL Directive)
 endobj
 513 0 obj
-<< /S /GoTo /D (section.7.1) >>
+<< /S /GoTo /D (subsection.6.3.6) >>
 endobj
 516 0 obj
-(7.1 Access Control Lists)
+(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
 endobj
 517 0 obj
-<< /S /GoTo /D (section.7.2) >>
+<< /S /GoTo /D (subsection.6.3.7) >>
 endobj
 520 0 obj
-(7.2 chroot and setuid \(for UNIX servers\))
+(6.3.7 Additional File Formats)
 endobj
 521 0 obj
-<< /S /GoTo /D (subsection.7.2.1) >>
+<< /S /GoTo /D (chapter.7) >>
 endobj
 524 0 obj
-(7.2.1 The chroot Environment)
+(7 BIND 9 Security Considerations)
 endobj
 525 0 obj
-<< /S /GoTo /D (subsection.7.2.2) >>
+<< /S /GoTo /D (section.7.1) >>
 endobj
 528 0 obj
-(7.2.2 Using the setuid Function)
+(7.1 Access Control Lists)
 endobj
 529 0 obj
-<< /S /GoTo /D (section.7.3) >>
+<< /S /GoTo /D (section.7.2) >>
 endobj
 532 0 obj
-(7.3 Dynamic Update Security)
+(7.2 chroot and setuid)
 endobj
 533 0 obj
-<< /S /GoTo /D (chapter.8) >>
+<< /S /GoTo /D (subsection.7.2.1) >>
 endobj
 536 0 obj
-(8 Troubleshooting)
+(7.2.1 The chroot Environment)
 endobj
 537 0 obj
-<< /S /GoTo /D (section.8.1) >>
+<< /S /GoTo /D (subsection.7.2.2) >>
 endobj
 540 0 obj
-(8.1 Common Problems)
+(7.2.2 Using the setuid Function)
 endobj
 541 0 obj
-<< /S /GoTo /D (subsection.8.1.1) >>
+<< /S /GoTo /D (section.7.3) >>
 endobj
 544 0 obj
-(8.1.1 It's not working; how can I figure out what's wrong?)
+(7.3 Dynamic Update Security)
 endobj
 545 0 obj
-<< /S /GoTo /D (section.8.2) >>
+<< /S /GoTo /D (chapter.8) >>
 endobj
 548 0 obj
-(8.2 Incrementing and Changing the Serial Number)
+(8 Troubleshooting)
 endobj
 549 0 obj
-<< /S /GoTo /D (section.8.3) >>
+<< /S /GoTo /D (section.8.1) >>
 endobj
 552 0 obj
-(8.3 Where Can I Get Help?)
+(8.1 Common Problems)
 endobj
 553 0 obj
-<< /S /GoTo /D (appendix.A) >>
+<< /S /GoTo /D (subsection.8.1.1) >>
 endobj
 556 0 obj
-(A Appendices)
+(8.1.1 It's not working; how can I figure out what's wrong?)
 endobj
 557 0 obj
-<< /S /GoTo /D (section.A.1) >>
+<< /S /GoTo /D (section.8.2) >>
 endobj
 560 0 obj
-(A.1 Acknowledgments)
+(8.2 Incrementing and Changing the Serial Number)
 endobj
 561 0 obj
-<< /S /GoTo /D (subsection.A.1.1) >>
+<< /S /GoTo /D (section.8.3) >>
 endobj
 564 0 obj
-(A.1.1 A Brief History of the DNS and BIND)
+(8.3 Where Can I Get Help?)
 endobj
 565 0 obj
-<< /S /GoTo /D (section.A.2) >>
+<< /S /GoTo /D (appendix.A) >>
 endobj
 568 0 obj
-(A.2 General DNS Reference Information)
+(A Appendices)
 endobj
 569 0 obj
-<< /S /GoTo /D (subsection.A.2.1) >>
+<< /S /GoTo /D (section.A.1) >>
 endobj
 572 0 obj
-(A.2.1 IPv6 addresses \(AAAA\))
+(A.1 Acknowledgments)
 endobj
 573 0 obj
-<< /S /GoTo /D (section.A.3) >>
+<< /S /GoTo /D (subsection.A.1.1) >>
 endobj
 576 0 obj
-(A.3 Bibliography \(and Suggested Reading\))
+(A.1.1 A Brief History of the DNS and BIND)
 endobj
 577 0 obj
-<< /S /GoTo /D (subsection.A.3.1) >>
+<< /S /GoTo /D (section.A.2) >>
 endobj
 580 0 obj
-(A.3.1 Request for Comments \(RFCs\))
+(A.2 General DNS Reference Information)
 endobj
 581 0 obj
-<< /S /GoTo /D (subsection.A.3.2) >>
+<< /S /GoTo /D (subsection.A.2.1) >>
 endobj
 584 0 obj
-(A.3.2 Internet Drafts)
+(A.2.1 IPv6 addresses \(AAAA\))
 endobj
 585 0 obj
-<< /S /GoTo /D (subsection.A.3.3) >>
+<< /S /GoTo /D (section.A.3) >>
 endobj
 588 0 obj
-(A.3.3 Other Documents About BIND)
+(A.3 Bibliography \(and Suggested Reading\))
 endobj
 589 0 obj
-<< /S /GoTo /D [590 0 R  /FitH ] >>
+<< /S /GoTo /D (subsection.A.3.1) >>
+endobj
+592 0 obj
+(A.3.1 Request for Comments \(RFCs\))
+endobj
+593 0 obj
+<< /S /GoTo /D (subsection.A.3.2) >>
+endobj
+596 0 obj
+(A.3.2 Internet Drafts)
+endobj
+597 0 obj
+<< /S /GoTo /D (subsection.A.3.3) >>
+endobj
+600 0 obj
+(A.3.3 Other Documents About BIND)
+endobj
+601 0 obj
+<< /S /GoTo /D (appendix.B) >>
+endobj
+604 0 obj
+(B Manual pages)
+endobj
+605 0 obj
+<< /S /GoTo /D (section.B.1) >>
+endobj
+608 0 obj
+(B.1 dig)
+endobj
+609 0 obj
+<< /S /GoTo /D (section.B.2) >>
+endobj
+612 0 obj
+(B.2 host)
+endobj
+613 0 obj
+<< /S /GoTo /D (section.B.3) >>
+endobj
+616 0 obj
+(B.3 dnssec-keygen)
+endobj
+617 0 obj
+<< /S /GoTo /D (section.B.4) >>
+endobj
+620 0 obj
+(B.4 dnssec-signzone)
+endobj
+621 0 obj
+<< /S /GoTo /D (section.B.5) >>
+endobj
+624 0 obj
+(B.5 named-checkconf)
+endobj
+625 0 obj
+<< /S /GoTo /D (section.B.6) >>
+endobj
+628 0 obj
+(B.6 named-checkzone)
+endobj
+629 0 obj
+<< /S /GoTo /D (section.B.7) >>
+endobj
+632 0 obj
+(B.7 named)
 endobj
-592 0 obj <<
-/Length 223       
+633 0 obj
+<< /S /GoTo /D (section.B.8) >>
+endobj
+636 0 obj
+(B.8 rndc)
+endobj
+637 0 obj
+<< /S /GoTo /D (section.B.9) >>
+endobj
+640 0 obj
+(B.9 rndc.conf)
+endobj
+641 0 obj
+<< /S /GoTo /D (section.B.10) >>
+endobj
+644 0 obj
+(B.10 rndc-confgen)
+endobj
+645 0 obj
+<< /S /GoTo /D [646 0 R  /FitH ] >>
+endobj
+649 0 obj <<
+/Length 236       
 /Filter /FlateDecode
 >>
 stream
-xÚ��ÍjÃ0„ï~Š=&PmµÚ][:6$--4‡¢[ÉÁM”ˆp~ž¿rì†B{(:hVû1ƒ†ÀæCà-�*ª%…uSXøÌ»§‚FF”Q…9l
F/ìÁ8ïQµt?±_8‰`Å>€Q«²y�Ïbqÿ(¨BG*·@°r–áÆÅÍûdö¼œO�S;	Ãõ°ivíîxêêÓ¡žÞÒ6u©]§a|­Ûs½Ÿ®âKŽ`  ê®YsÈÚxÁÒ;½F,—Ô|¤ÑÌù»QX[ö&Å"Þ~ó]+öý»¼/g—RÇendstream
+xÚ��ÁJA†ïó9¶‡M'™d2s´T¥‚Beoâai·Rp·t­ïïÔÕ*êArÉÿ‘ü	�/A�}È–ՓºsžŠvíèƒ
¨B)þP+!ÃlQ¡bJÕÂwìNì1úÈP©)&>áóÚÍ®˜€-A½bEM¦pæêÍÃd¾¼[L+V?ÉcºØt»~÷ršã~[÷í¶Ú~ÝNë a¤(±ø˘’å÷9·MÿÚ<Ÿ
 endobj
-590 0 obj <<
+646 0 obj <<
 /Type /Page
-/Contents 592 0 R
-/Resources 591 0 R
+/Contents 649 0 R
+/Resources 648 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
+/Parent 655 0 R
 >> endobj
-593 0 obj <<
-/D [590 0 R /XYZ 85.0394 794.5015 null]
+647 0 obj <<
+/Type /XObject
+/Subtype /Form
+/FormType 1
+/PTEX.FileName (./isc-logo.pdf)
+/PTEX.PageNumber 1
+/PTEX.InfoDict 656 0 R 
+/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
+/BBox [0.00000000 0.00000000 255.00000000 149.00000000]
+/Resources <<
+/ProcSet [ /PDF /Text ]
+/ColorSpace <<
+/R15 657 0 R
+/R9 658 0 R
+/R11 659 0 R
+/R13 660 0 R
+>>/ExtGState <<
+/R17 661 0 R
+/R8 662 0 R
+>>/Font << /R19 663 0 R >>
+>>
+/Length 664 0 R
+/Filter /FlateDecode
+>>
+stream
+xœu˜;“d9…ýû+®Ùe´�R©—�
lG`XËkz#†10gwÙ~6ßÉ[53}+ˆ}tI%åóäÉT½ßs*{Ö?·¿××í'¿�ûŸ?lï·¼Ÿ#5Û_7}÷n³æ3õùæóýÌ»íwû7\^ûõÃVö×oøÿ_·ÒvþmÕSéœmqöÚ¾æh)ŸÏŽ™,ײ—Zjj•ÅVÊ•ëµÍÔÆn¹§±†Ö5͵[+i6}Ÿk’¨Í–§ºØ±ÖRöÝVIƒe´Ä¶yKfZWTp¾ÜÏç9ùÀ–ÆŒõÒý>R_­êÂJsJƒ¥.ŸËÊiôÝ×\
+û”_g'®Û_6´§ÖØËÍ“[8føƒ”œKj“È4­¹¯5Ã#6ÆJ²4·œª+ÚøاkÇä~¤ž19wR7ñm¦U%s˜,ÃT|
+Û2Æ�‚ŒjUçq¥K"ηbøR<™¬¨™ãŸ¹×²RU|Ñ$ÞÕZ*Š–ŒCõu«|ˆhL$,I˜–¼`¥Y|ÃNżŠLó’#pÕ‹BÖŽj9--	9@‘
€DÌ©….¶áJ{N]Á©¥Z*zÃ3…?´T®²$À“%ÁXF°Zê%.ä’@ŽO­—€!$t\'<Ž¶*W
+èj˵ãB;Žþ"%«ê;¥+ßÚ)Éú¾Œ¤IJ�5yÝGN>³ʧ*=5Dt'ŸtˇÀùiQ{
+˜‚ÚIq%˜3vH­wÁKAįr‹þq n[Uz¯!*â)ôàKG°€ÝgG-dL#¹X0¹Â“@ñ´×£^ëµ½æ
HÕÊ_7S41Ã,ëÀO%ê*\ç/1v¢\¨Î¡¨êG´P:‘Sœ¸1ÀÞ£q‹uc¤,¯J¶”e—	'‚;	F/É&N(AWÖšNfãÀŠq‚ì’htËØ“ªØOàÙ‰GÎ4óHD'ª:SÙ#Oœ™äD4�Ltæª3—=�Ý™p�ÂSè¬F$_)^"åÛ•.ªd­Ôd´ÁJŒÓ¤¨,à}‹F:I
òP<Á:‚é¡û½¶H­JŒŒÀvÎ9±”8G
+%S}8\Ž»Ä{!•pŸjyî8NíÖL-»Ä¼1_yk¦“ˆÔøèus‘#¸W�™˜ÁAŹ{�0º¤Œ4±�à8pª0ŠÚž]#HªiÓºhS”28Ú*7»Å'¤«ÎwMpíD¦9d=‹rêÀ Öd
ðlÎmF1Û\Ój�Í J$¾›ƒlHO†¯,x!Fàqê*i!ߪ‰ž£‘\·î"o6,âM(¨$‡^êP^Å>˜³ÔV¬ˆ¦#Z†ª¼§?Áj¹“LÃ¥R»š¨¦VÅo€Ž
–eõT¥Ø€ùU¢Ù�Ü*
„2ÊNvÊ@ÈËY#E?°+êEn�£±¦h“ÊFØläƒbY3Âc0CEW'ñÖÆ4€»Öm"ŒÙ©˜94A¬#—ª Áõ¢ÙëN)ÅZþÅÖ…µˆ‘ç#µxì‡Ð:Å ÑqYŠ�¢ŽÞ\U¢ÜÆÕ²hb	\´ÑP£’šð¢>�Ô9Ž¨Ñ¸ˆùUm!‰§¢�Zh!ú‹~(Ât~¿ÙA,«×
>*"œD�
0QEuÑ|Îóî`‰ö™%„U™&2WjDó5EŠ)€®ä
+«SÕ0Ý4jÆ0çU6Ñœ5Õ”ê0*ÊBóî"gܲ¥–ÃÄHgæ:2®xļô¨	¤èC�úð¨�˜*#{ëÖâsôÎ
+¯Éæ’×M�¼1ÖQQ½»î0@yP,£§"cf
6‹ÃH%aDšjÑ÷ÄPjëš(²f§ Ø®ì·q,fÙLhgÌŒ#Çd±0xDÉYWíû¾0yš’*á_�àºFî®.˜tƨj²ùKÐõàº5£7¬bi«¸3׽Ŕ
+óÔPĮ́Yu¢e¢�a�5
エ0kÓ,¤×äþ¤V��¡Ò(*�Gãë0[;=‚ÃátçX3pD¦iÜ'ÃëÑ+a�qz JC	"Ê1�ô(Œ
+FÑÞIca­Ç0Ú)	¹A¿+�ÇÀº
�¸|-Tuùa>‚s:½¯•~K
“ÒÞV�׋„OÒAŠI…
�ɪÁr2Q“°Ø¨Á>.z
+ÏÆ狼eÇNdæÌdï"gK2cëÉ—GoOá8GëÏϦ:B
Àht[
+endobj
+656 0 obj
+<<
+/Producer (AFPL Ghostscript 8.51)
+/CreationDate (D:20050606145621)
+/ModDate (D:20050606145621)
+/Title (Alternate-ISC-logo-v2.ai)
+/Creator (Adobe Illustrator\(R\) 11)
+/Author (Douglas E. Appelt)
+>>
+endobj
+657 0 obj
+[/Separation/PANTONE#201805#20C/DeviceCMYK 665 0 R]
+endobj
+658 0 obj
+[/Separation/PANTONE#207506#20C/DeviceCMYK 666 0 R]
+endobj
+659 0 obj
+[/Separation/PANTONE#20301#20C/DeviceCMYK 667 0 R]
+endobj
+660 0 obj
+[/Separation/PANTONE#20871#20C/DeviceCMYK 668 0 R]
+endobj
+661 0 obj
+<<
+/Type /ExtGState
+/SA true
+>>
+endobj
+662 0 obj
+<<
+/Type /ExtGState
+/OPM 1
+>>
+endobj
+663 0 obj
+<<
+/BaseFont /NVXWCK#2BTrajanPro-Bold
+/FontDescriptor 669 0 R
+/Type /Font
+/FirstChar 67
+/LastChar 136
+/Widths [ 800 0 0 0 0 0 452 0 0 0 0 0 0 0 0 0 582 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 841 633 576 686 590 540 923 827 407 760]
+/Encoding 670 0 R
+/Subtype /Type1
+>>
+endobj
+664 0 obj
+2362
+endobj
+665 0 obj
+<<
+/Filter /FlateDecode
+/FunctionType 4
+/Domain [ 0 1]
+/Range [ 0 1 0 1 0 1 0 1]
+/Length 39
+>>
+stream
+xœ«N)-P0PÈ-ÍQH­HÎP
+endobj
+666 0 obj
+<<
+/Filter /FlateDecode
+/FunctionType 4
+/Domain [ 0 1]
+/Range [ 0 1 0 1 0 1 0 1]
+/Length 36
+>>
+stream
+xœ«N)-P0PÈ-ÍQH­HÎP
+endobj
+667 0 obj
+<<
+/Filter /FlateDecode
+/FunctionType 4
+/Domain [ 0 1]
+/Range [ 0 1 0 1 0 1 0 1]
+/Length 40
+>>
+stream
+xœ«N)-P0TÈ-ÍQH­HÎP
+endobj
+668 0 obj
+<<
+/Filter /FlateDecode
+/FunctionType 4
+/Domain [ 0 1]
+/Range [ 0 1 0 1 0 1 0 1]
+/Length 50
+>>
+stream
+xœ«N)-P0Ð365³TÈ-ÍQH­HÎP€Š™X ‹™›#Äô-,ŒÀüZ
+endobj
+669 0 obj
+<<
+/Type /FontDescriptor
+/FontName /NVXWCK#2BTrajanPro-Bold
+/FontBBox [ -45 -17 923 767]
+/Flags 4
+/Ascent 767
+/CapHeight 767
+/Descent -17
+/ItalicAngle 0
+/StemV 138
+/MissingWidth 500
+/CharSet (/Msmall/C/Ysmall/Nsmall/Osmall/Esmall/Rsmall/S/Ssmall/I/Tsmall/Ismall/Usmall)
+/FontFile3 671 0 R
+>>
+endobj
+670 0 obj
+<<
+/Type /Encoding
+/BaseEncoding /WinAnsiEncoding
+/Differences [ 127/Nsmall/Tsmall/Esmall/Rsmall/Ysmall/Ssmall/Msmall/Osmall/Ismall/Usmall]
+>>
+endobj
+671 0 obj
+<<
+/Filter /FlateDecode
+/Subtype /Type1C
+/Length 2657
+>>
+stream
+xœ}VkpUž!!i0dHÈ:=«°î"ŠÏ*QpYWÊD@p• ‘$$�ç$!a2ïžé×éîéǼ’ÌäÍC
Ãû)Á]^º+–B-®k)ZˆËµîÄf‹½´J«¬ýÓÕ÷ÜÛçÜïœï|§Í¦Ì1&³Ù<q™£d]IM‘£ö¾§j«J
ÓŒt�y•óûÙ#ÚØ;M¦7Õ	�“
9™§~•c�Œ†oGÛ&¢ŽIÆÁãjë6:*×V4Úzà�ìóKk_+³/ÝØÐXVÝ`/¬YS먫u”4–•ÞoŸ_Ue_bm°/)k(slÀÆ[¡í•
ö²ÊÆŠ2‡½Äî([[‰?w”•Ú%¥eÕ%ŽõöZcç'ËòÿÉ^YcǾì/ÖT«¥�ØØ`/©)��½ÔŽFYSÛTÓè¨,k¸ßd2MX°´0Dyi ècX“iºéÓL³Í<ÓLšíæ)æ»ÍÓÍ3ÌÓÌ¿1åâ|™^0!óæ13ò2­™h쬞ì=ÄêqóÇ}>þdš…Ãhëôõa3NO?œ
™iv¤è›…$}ت?‰´±èË,Ý®³"cqC;‘µjô=©ãuVú¨ÕxÓ�UîÈçðÈœCæè×éÎþŒt§Óz>Tww$Õ°,'£ÛãŸBœÐ85HqL+kc6zjœ-kŠ_ô?„>M/DãQàZçÕçɽ»Oö|
+_Àź�ŠþúD…PE¸EJ‹ˆZ»`»øâ€8(ÅA…‘}Bµ´>R&+åáE ÿf­YPxïÃôñðÌܤg~ý(qe.Ê®Fw‘›¾ä<8ò§ý“?ßúzñÛW»§Z>CšÓjùè¼9üÆûzÞƒa¸ºú=}•Úî¼ÇN7Â~â�}CØ,ÎÂÖêö–îz¹
+„W
+©š¤õ\o…„
TZ
+ˆõjIt!†CΞ«�y|×ÓhÌ£¤åËýk?^Ø^/ç/õùmþ ÉF'™nH	P¬ÏÅÛøVf1,ƒ&‰î–ÏZ†ö‡rÓ/±©‘Ò”=†&eàÇn+Ì„¹t	[r63
Î˹€ð2,TÙ¹NK½°N³çàpÎÝ1MReZò¹šDÑMV‡ƒ)v33—à�þ˜
hlßµäf9.jBˆ¨"j
+%zÈ2(bPÏIe†§VŠQ
+�'x6FöÐQ§X)®‡ZÐg¹ßÏÆwÌk6'¾¿+ãóËV¦–ªl`Ý\‚@h†¡T.Bn�·¤$tÀnv§á0¡‰Z8¦(J�\¤Kò*x¯Mˆ‰ío¡Oò¤¬­EGíjk´áïú”îÒ¶ú¨3Q�µ®Ýè…ô$¼èF¦ÔÀùi.?Ä1,0@ËL7?È¡Û™ Q<$Q>· :È:�ꥎ=‘îÉcSþH( ‚A·î»Ñ˜§ûÒ5ÞÞP8
+n¨`×rŽ`ëF†â|¼?C3A•‹“pJê�>8Åž0`ÅUI	Ó²ßÛ"à$Ö‡©®ŸÛ
ƒÐF¼›
[¸M‰m;Ðd´jëöÎ^MëŒ$”Žpç]
+rHô“Nx�k�z¨k`(¨ñG¶³a|oð1®@‹§Þ®/ô5»úôlôJë¦`œ‰‚
+ªVŶ° 
+-R¶5ðöU…¢Ëðåq¡�ª±v:#“�TsOÕ¶U(G_¬xâm#¹#—ÙTpÃȤd{ód4åÌMóqŸé¦ižÏ4Õ2€3¿Ú*e%]_Nÿj6a©úâ!4æ®/Eñ@;ªªu’Ñô€pPmïSóc’
+.9,«”à%WÃ:Î-°R,6îâ	ðAZbbñn d7¥¹„‘¹yL–'®�C9‹O–¤~º]ÏC¾˜«Ý›ða2…¼N’º!ðóÙÆÆP¾—m5jA…šÒø8¹SLÃ4ÚÞ­…&bö‡ýn§ »H§âëâÎa„ïº÷§ßßg>ˆ¦¤+ÐÔŒô,·5£»Ð}hZ¡ÛÐDÝ¡wÍЋôú½ßèQ„ܱߪ?~²¡¨eý«ø­Ûk‘¹éô¡•)eúÇ~Ô|À•Tqî¦c1[Ö5ÕÒæï¬Õ2ÇóàYf-ë 1‹Ë_|åç=>–fH|
+&–ê„n>ÚÝ)D6Á
+x¸
\3§gA34–ITž-‹R8õ-ǵÛö2ªWuÉ~Á!"(0Š*FÂ͢ùĨ¸SˆˆoÊQPˆ0¦šåiFäݸVN^_!Ô‚–bž "-Qy$ÑÎsªm¥Ä¡@·âJ=Ŧ¿íÝëL	ÍDËQÆTË?GúÓlRÎ$F*�4’ƒð6–š\`�Œª Ñ“Œô�öd]˜é`û™ü9¸DijeIÛ.q
+ȼLçÇ<;—*X³«¥×ÛGâ_Y1ET�ïƒ4ˆ
Ò-U…_>´üØ¢�æ}õï÷v¼
§ádù�#¹rÛŸå¥@ÔÁ\5l…hð<8Ús·
+»O·Øèv61Bá5*È<6ÞÍ,‡bh‘˜¶ž\Î]Çé#¹#ØÔÍ1Oúñ°Ï¤5oÂ]цÆß4}h˜î0$å,6ü¼”A,¯?/å;Rôcy6Ò½UJ¿§Y½X^é¶�ÙÉŸ‡‹º–�2¸K|o½Ø”/�Ȩ�/ƒ(Â2Ð#žNMKðrˆ
rœÛf9ËyZ¸Ú}$«Ö	õ–©) h`iÎGàAç÷´€H+Šˆ…Õ&*áX$žèìVŽhª”—›¾÷‡A1Ý£¤œÏ0‰÷—Hi éƒw~I(Áö2;à]¸L ™x4[¡OÜ,¾®ÆûÂQQ°”FdQ“ƒ¢�¬„%\î¢Åâ:Ó;ÈÑ”ÌEb1ž�’�¡ˆÿ§=$¸¥?Iš¿CÐõ�3¾C=VÐ'>·¯ôÌÒ+Ü~8	ç#;úÁ_£×á*qň+ô	8®‚ãÆpêŒ_YR”¾d%a	ç¡H\eÄõãDf£Ñ¨­ŽR[�kφG¸ù/WT®ò•A5”H¥ÛVoo8h�nû)¼ÞÃDn…ñ�ëqÌzfåhý&þcQbµXÇß‚çLŽúõ;{²Ðñðué¿ÊÛÙ†-©[SÄ-Û¼ÔyubÜ�ñhüm´œ4^Ë™ ääšLÿQ‹¡endstream
+endobj
+650 0 obj <<
+/D [646 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-594 0 obj <<
-/D [590 0 R /XYZ 85.0394 769.5949 null]
+651 0 obj <<
+/D [646 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-591 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R >>
+648 0 obj <<
+/Font << /F21 654 0 R >>
+/XObject << /Im1 647 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-604 0 obj <<
-/Length 308       
+674 0 obj <<
+/Length 994       
 /Filter /FlateDecode
 >>
 stream
-xÚµ’ÁnÂ0†ï}Š©DŒ�ÄIs»ÒÛØab…q€N¥ÓÄÛÏQ­›vA9ä·üɱÿ˜Ê!Å|4Q…耑X­vª�ä2úf[`g­W²ÚFÏ\ˆrPHµ!õƒ&ŠÀ:¥GðÖØ„ß•Ùd權½ñª\+2Ò�§ ÎXùú4šÖïÇf»ykóçòQ1BÀ(}�Eì€UJLf䥴�àcPzÀ-eÖ½xdÚ4i‚¢çÚ0&ɽô�šïÛªÙWm-Ž‡¶Úº`ZïuÓn?v㻂\[ByšqiŒ›/¦é’�R'Ù}yv‰¬‘á½WÁ‘üOä¿-=Ñzˆ_±ÔùÇûª¿Yjni)ö>R/M/íUwëuûùÒäTŒªK‹áÒ¿ÓV[†´·ÿÞé/6
¯žendstream
+xÚµVË’¢JÝû,5¢­©¯Z҈ʂ83³°»‰hÅ+8ý÷7¡ªDÐÛ›‰.*«ò˜yòd@4?¢&29åšÅud`bh›ý
+Qm]»ÀÒíÏ¡[?NùËk5ú�~ÕŒ,ÌrÀ¦v|™ý*Ô˜"ËäV£ŠÂýí´›•"("6 Š±þ0SצњfkZÂòUv:d•Ø%e•íK±q‹CYœªü¼PØ
�ÁÀÂÀ¿(ÕýÄ­Ø’šÔÀK/‚F‘aš¦féZÏ�ÏÕUèñ5üŽºÌ‚¾Z¼�ú_êÒÿS]ÜêHZ“¶&»«n±«Þק±‡Y_bÔ×ÏĈSÓÖ,Ê€'ŸÉ§Àãkô­z¦�8¶I³.g™�öyYæÅApª
+±žËLÖ³
yG„�¡Üï‹m¾ëœ¬[aló²:åÏçJX½æršÊ›âwÅIýûCÇóéX”ÒýžW¯ÂR¸ú¤8K1w™ÄA‚ºëpß
AÜ0hSÚk&ò=Ëø/§54d+Igñ'ßf[Åv])KF_?²V1eÍöPTù&ëÕßÖ{ìÉÚ��ÙZ•Kÿúí­©ƒpšTß„ëJ wž•Í�ÀàbŽ˜Îêb-ĵH:÷ä˜EÓôiÄéЉ剟ˆuGßý‰7»úæ:‰BÔ;a;áDºÂ˜€8þB‚� †Ì;aê{Òùä§saÅÞ̉'âJÂó•‘nIi­~$ é\Q¼C>tƒÕÄg½äþbøª–{L¢©X^ìÎÁ1²ô¡óè~ú£-´fg"®Û–bGvS?
½$AŠƒXCÉ×ûîA<AxÞ2Rz=Jê�ï<ÒžF±Ê*Ó'KÏõ�àAi{nÃQ=mÛ#Ñ
+½YàϼÐõº™¢&ró°Ðµ	é¶\d<b­’ëœ2²ûÉE‹h•v©D=Ú@-ô®(·WãrWA NkëË—^ópÚz¦ŸÝš›7‰úôbª¿ˆî~x©|ýá5VÙƺ…˜mÓûo"jÃËbRÍ{õ†8Ì9e&½Ãü_®…dµendstream
 endobj
-603 0 obj <<
+673 0 obj <<
 /Type /Page
-/Contents 604 0 R
-/Resources 602 0 R
+/Contents 674 0 R
+/Resources 672 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
+/Parent 655 0 R
 >> endobj
-605 0 obj <<
-/D [603 0 R /XYZ 56.6929 794.5015 null]
+675 0 obj <<
+/D [673 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-602 0 obj <<
-/Font << /F43 600 0 R /F14 608 0 R >>
+672 0 obj <<
+/Font << /F23 678 0 R /F14 681 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-611 0 obj <<
-/Length 2200      
+684 0 obj <<
+/Length 2884      
 /Filter /FlateDecode
 >>
 stream
-xÚÝYK�ã6¾ûWø¨ÆZ>ÄWn;3›Å‹Yìv9$9¨%¶-Œ,)ztÇùõ[d‘¶lË3ƒ�6X4ЦJUd±ê«�E›®	üѵ)á&[+“¥‚P±.ö+²Þ»¿¯hÐÉOEÆ9<,¼Ý®S¡™Zo擼}XýåûŒ­I¥dbýðt\K*�ž™õCùsòn—w£íï6L�„Þýúðše©ÒŠ:3KˆT¢½Á‡fìÛr*ƪm‚:_›ÔH&£¶[p×i?ì,L­¥3³}cG|zßîóªÁñÇ|tîÃh÷8þ…òþã=|P'PIÑ6C5Œ¾nŸðsŒó‡fÌÂ6È:[TO‡ÍÖ»˜Å6c5V(UIuG“‡ÎöèvEij„`1a3œ‘Äm„3šäø¸«lŸ÷wT'Å®*ò¥û¼i Ì*KÞ€€kôǽéït2Õnq7É4ØåOm�ƒÒÖv›�U³
ëLã®í«Ü< ¤}¶A×o.¬�7a¦°… ù
-v¶yÆÉÚÆÏ¥ž1¹šW-_Ç�3™f\_ÅÁðå80atÌÒ°0%%)!1�c>|ÚÀQŽ
Û_Ï'²TnŽY®ŽÆ0ã4Fdç1ìBÀg‡¡f�oàøò¸AëÕ<þmxõ45~ƒþ¨¤”º£ž™Pvð>¯J´EO"K� 0$€qÀ7HÄ,_ÈÖÌ"¦�{î
Áœ{\’ˆöçÍÂY5’ažÜ¡ÈÔuûUKÙ�z=A—œ-$„«”+«Ö‡Ç$/;èdªb‡fPW®ðÛ·G6…§¼|ΡêÊ£¦¯@ô6t+ 12óvgC�N©k„Ï�²9ùºr“@¢4ÖwbPêOñÝñÌÅ^$…íGÞº‡¶s»_f	
5—ôšd"n0‚á|‰d¤*9c#ƒ‚ºÚîÆëþš "åÌdK41´õ3¶¤îüV2ô'Šùزâƒlµ.“Sf<»â`g —’Cª"œŽIu]L ÊÃÒU˜Ñw+4¸þ„í‰
-Ç�ݘšrÁèyÅ49.ÄÂ
G#ȹ¨»ë(
\S ˜ª¥ ÉTj�‚³þ9¬g‹	šÿºáoE%4¸y® ˜ô\µ�.˜¢š/y¢—<Ñ©V:z2+Kw£�ø#Ü[vmëë
ñ–ÁÀ~Ž·�­;‡1IƤNB›*UòØ–ùàJ‚ƒY	Ož˜ä19ó`<X@3``©øÜ�uê_»Î6eåNþ…ÂÓ@hÇ]¿ì�—¤Š
À¸¥=M5Ž¯‰‘ ¸NÊóH̺Ý7Ž¤�·'·ˆçÊÝ#—Ž=à£DðëmõXWí¶Ï»Ýaé܃¢ZFù怾
-hÎ77°ÌYãí^ã É¶Aß’Ó4£Øi*¤ x/)Nè¯.XFp.P!/Êï÷_×bòÐbBGþì·mB?ùã/vUóm½&öÎÑöÔkúÇ—ÐSC¦/ºlD_¸‘dk;T:t˜¼Ý¸6üèþwΫÕߎßÜ	M¢¦k*tJ$´rÅ~õÛêç_ɺ\‘õ+’r£Åú šHa¿Ê8‰ÐQR¯îWÿú/­¢³öà¦hG`®0Œ >Ÿj÷´¡™„%5=~u
gžRî!`Ri²pÏñMS¸£Ä3ï*lœ‰ôôz¾Ä·y}œònsh3­Ì¹Û?Ý
#Þ„Ë0êëM×K!^qƒK�æjlÿwpbNzèÒ¿~OÑâ&œþ3üôÕ&_„“k03d›Üñk7ðqç¾qt›q¸ÑVÛ£€%?þûoPs×ãLx­ŽçÚÅ5)f7èû«o¸Ü7ö%@ÀöûóW¡c½�èÙ.¿-p3D_FN¨EDÏ"÷}õ»ãX	ôûR•ãî6x_Íß?xc¢_‘‰�˜äà¥<%œEˆ�§cX¥�g^7}?³…^�/�‡Ð-ágîü@?y
+xÚí�]wÛ¸†ïó+tWûB(¾	^:Ž“u·ÉæÄÎé×ö‚GflõX¤KQÞº¿¾ 	€#œÍ&»±tra9Òp&ó>ÀPa3jÿ°™Q„Š\β\E™š-V/èìÚ¾÷æsŸ‘J%…°¿DÞ�+aˆ2<›ÍáE^^¾øãkÎf\’Ìdlvùiô¥8á\ä³Ë«�ÖU[VíúøŸ—ê
r’k®»ÏÓÙ\s"�0ý'ÙñœQJ�Ϋ¶©¯6‹vYW�Õ‹³ËŒ‚hÊäL›œd’².”áÍæz6¼ø°»ûüøØÇPv¯ÛE”íºw©€WC¶ëT
+ËLƒ	uÎ8'&Ϭsž.�¯Yd_µp›+þ@ÂëMuUtCDqÛ�Fì]òDL|&“1
†&P)“H&¨ó–¦¨˜p�I?’¸É¤¨®âã‹}_hù,©˜ÄÁg,`ˆá
+�P	£
+jŠ×uóKÑï°_õ¬Èïd
ó
&” �Ï^2ÀccK„�H¨÷qøà”-ÇJC»á#¶Þ
+9>¹Éä
+€°'u^-Æ6N÷(eXRУ¦¨ÖŸBûi÷xþù__žÏ×yöœÁ™DÅg3`ˆ¡ÕâÓM¨±80TPï
;Þ¨ÜøŠÈw©\ÜÝ.[X*}¨…¾æpäeHfbŒA™1Æ"q`Œ¡ÞcŒ›½Ü1æû_./ÎßÏí‡Åö7[÷)’9†gPj>}®‹ãõj&–")ó5“
+5Ó›²ê^üþø�ëw‹áˇǛígÅÂí¯¿/–Íö—`ýP¯ÛþY?ý}õØ…ì¤j
í·²�h‹Ñ÷öO™ÑDP¡FíÃŽúɦ­WEØPw0_n¦÷äÆéIbâÃôcâGâÀÄG½�âgv…DâûÍó·Eµñµ.T>3j¯Fþ�¢d
+ad7‚DÂ4ç91±¯$ï†C×”8v±.&º^Í­7*gîCÃÐÓdø+yoÿ)X¯öendstream
 endobj
-610 0 obj <<
+683 0 obj <<
+/Type /Page
+/Contents 684 0 R
+/Resources 682 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 655 0 R
+/Annots [ 687 0 R 688 0 R 689 0 R 690 0 R 691 0 R 692 0 R 693 0 R 694 0 R 695 0 R 696 0 R 697 0 R 698 0 R 699 0 R 700 0 R 701 0 R 702 0 R 703 0 R 704 0 R 705 0 R 706 0 R 707 0 R 708 0 R 709 0 R 710 0 R 711 0 R 712 0 R 713 0 R 714 0 R 715 0 R 716 0 R 717 0 R 718 0 R 719 0 R 720 0 R 721 0 R 722 0 R 723 0 R 724 0 R 725 0 R 726 0 R 727 0 R 728 0 R 729 0 R 730 0 R 731 0 R 732 0 R 733 0 R 734 0 R 735 0 R 736 0 R ]
+>> endobj
+687 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 688.709 539.579 697.2967]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.1) >>
+>> endobj
+688 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 676.5858 539.579 685.4425]
+/Subtype /Link
+/A << /S /GoTo /D (section.1.1) >>
+>> endobj
+689 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 664.4876 539.579 673.3442]
+/Subtype /Link
+/A << /S /GoTo /D (section.1.2) >>
+>> endobj
+690 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 652.3894 539.579 661.246]
+/Subtype /Link
+/A << /S /GoTo /D (section.1.3) >>
+>> endobj
+691 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 640.1914 539.579 649.1477]
+/Subtype /Link
+/A << /S /GoTo /D (section.1.4) >>
+>> endobj
+692 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 628.0932 539.579 637.0495]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.1) >>
+>> endobj
+693 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 615.995 539.579 624.9512]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.2) >>
+>> endobj
+694 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 603.8967 539.579 612.853]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.3) >>
+>> endobj
+695 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 591.7985 539.579 600.7547]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.4) >>
+>> endobj
+696 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 579.7002 539.579 588.6565]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.1.4.4.1) >>
+>> endobj
+697 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 567.6019 539.579 576.5582]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.1.4.4.2) >>
+>> endobj
+698 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 555.5037 539.579 564.46]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.1.4.4.3) >>
+>> endobj
+699 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 543.4055 539.579 552.5112]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.5) >>
+>> endobj
+700 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 531.3072 539.579 540.413]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.1.4.5.1) >>
+>> endobj
+701 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 519.209 539.579 528.3147]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.6) >>
+>> endobj
+702 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 496.7003 539.579 505.4125]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.2) >>
+>> endobj
+703 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 484.5772 539.579 493.5832]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.1) >>
+>> endobj
+704 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 472.4789 539.579 481.485]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.2) >>
+>> endobj
+705 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 460.3806 539.579 469.3867]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.3) >>
+>> endobj
+706 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 448.2824 539.579 457.2885]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.4) >>
+>> endobj
+707 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 436.1841 539.579 445.1902]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.5) >>
+>> endobj
+708 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 413.4314 539.579 422.288]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.3) >>
+>> endobj
+709 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 401.353 539.579 410.4588]
+/Subtype /Link
+/A << /S /GoTo /D (section.3.1) >>
+>> endobj
+710 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 389.2548 539.579 398.3605]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.3.1.1) >>
+>> endobj
+711 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 377.1565 539.579 386.2623]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.3.1.2) >>
+>> endobj
+712 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 365.1579 539.579 374.164]
+/Subtype /Link
+/A << /S /GoTo /D (section.3.2) >>
+>> endobj
+713 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 353.0597 539.579 362.0658]
+/Subtype /Link
+/A << /S /GoTo /D (section.3.3) >>
+>> endobj
+714 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 340.9614 539.579 349.9675]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.3.3.1) >>
+>> endobj
+715 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 328.7635 539.579 337.8693]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.3.3.1.1) >>
+>> endobj
+716 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 316.6653 539.579 325.771]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.3.3.1.2) >>
+>> endobj
+717 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 304.567 539.579 313.6728]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.3.3.2) >>
+>> endobj
+718 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 281.9139 539.579 290.7706]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.4) >>
+>> endobj
+719 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 269.8356 539.579 278.9413]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.1) >>
+>> endobj
+720 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 257.7373 539.579 266.8431]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.2) >>
+>> endobj
+721 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 245.6391 539.579 254.7448]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.2.1) >>
+>> endobj
+722 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 233.5408 539.579 242.4971]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.3) >>
+>> endobj
+723 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 221.4426 539.579 230.3988]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.4) >>
+>> endobj
+724 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 209.3443 539.579 218.3006]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.5) >>
+>> endobj
+725 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 197.2461 539.579 206.2023]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.1) >>
+>> endobj
+726 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 185.1478 539.579 194.1041]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.5.1.1) >>
+>> endobj
+727 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 173.1492 539.579 182.1553]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.5.1.2) >>
+>> endobj
+728 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 161.051 539.579 170.0571]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.2) >>
+>> endobj
+729 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 148.9527 539.579 157.9588]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.3) >>
+>> endobj
+730 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 136.8545 539.579 145.8606]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.4) >>
+>> endobj
+731 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 124.7562 539.579 133.7623]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.5) >>
+>> endobj
+732 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 112.5583 539.579 121.5146]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.6) >>
+>> endobj
+733 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 100.4601 539.579 109.4163]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.6) >>
+>> endobj
+734 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 88.3618 539.579 97.3181]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.7) >>
+>> endobj
+735 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 76.2636 539.579 85.2199]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.8) >>
+>> endobj
+736 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 64.1653 539.579 73.1216]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.8.1) >>
+>> endobj
+685 0 obj <<
+/D [683 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+686 0 obj <<
+/D [683 0 R /XYZ 85.0394 711.9273 null]
+>> endobj
+682 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+739 0 obj <<
+/Length 3160      
+/Filter /FlateDecode
+>>
+stream
+xÚí�[wÛ¸Çßý)ôh?Åýò˜ëžìi“lâ¾t»ŒÌØ:‘DW’“z?}A‘
+0ÄH�ba¤$âÀHÙñžls%'V²SÝ·¹;MíPÁUëi³ä|®—õbRç3N~ïö`í-Z°|ÆÀé°LíxM~§%–ºN&ÛÛdj^OÃØâÕ¬ž×‹µ€(fµ^ÉòRZü͆Ø7J†q’ˆãõÞZ5³Ä˜~"Ðã’/TþV­'W¡S^µ¨hÃ�5íTB:‹Q
†*P.Áó¨$âÀPA½3®‰LŽ4ÕÄH­X6¸ˆv>äv±®þ}6N§VïJHe1(ÀJ…�’ˆõAQ¾u1LZ
+ïAyY·ýÐb:ôBÕâ"Ô½Õe;;ÿ3ŒôÄ,{ÌR)Ða`K„�T¸÷¾_Q–mÅЯð8Ë>oGý,jßj(kŽ­ŠJHg1*ÀCÊ%D•D*¨÷¡¹0”håßDXŽýÊJHe1(ÀJ…�’ˆõ>€¢,ÑÌ
+ý¢Ý`׶ͬí4Ž×=‰+ÆbX@a0,q`X Þ,´#V¹­¾CuX¼YøösåÙ8kÊŽ—/¦ñ	,Æbx@�T¾IÅ�á�zðP†Xn¶ºÝáñÛMÝÞ¼hsC7xCaÌ‘Š˜·b*€!FÔEå¯SKÅ�Q�z¨�Š§¤ÂtTtw¡m¡8?sôtY-VŸ7ƒ
+eØ‹˜¸b,€!†Ã"†ê}ÀBbôvbû¢´
+“/ßwoÞÇ[Œö·\±\![Å,
+endobj
+738 0 obj <<
 /Type /Page
-/Contents 611 0 R
-/Resources 609 0 R
+/Contents 739 0 R
+/Resources 737 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
+/Parent 655 0 R
+/Annots [ 744 0 R 745 0 R 746 0 R 747 0 R 748 0 R 749 0 R 750 0 R 751 0 R 752 0 R 753 0 R 754 0 R 755 0 R 756 0 R 757 0 R 758 0 R 759 0 R 760 0 R 761 0 R 762 0 R 763 0 R 764 0 R 765 0 R 766 0 R 767 0 R 768 0 R 769 0 R 770 0 R 771 0 R 772 0 R 773 0 R 774 0 R 775 0 R 776 0 R 777 0 R 778 0 R 779 0 R 780 0 R 781 0 R 782 0 R 783 0 R 784 0 R 785 0 R 786 0 R 787 0 R 788 0 R 789 0 R 790 0 R 791 0 R 792 0 R 793 0 R 794 0 R 795 0 R 796 0 R 797 0 R 798 0 R 799 0 R 800 0 R ]
+>> endobj
+744 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 758.4766 511.2325 767.4329]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.8.2) >>
+>> endobj
+745 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 746.5446 511.2325 755.4012]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.8.3) >>
+>> endobj
+746 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 734.4133 511.2325 743.3696]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.9) >>
+>> endobj
+747 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 722.3816 511.2325 731.3379]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.1) >>
+>> endobj
+748 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 710.3499 511.2325 719.3062]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.2) >>
 >> endobj
-612 0 obj <<
-/D [610 0 R /XYZ 85.0394 794.5015 null]
+749 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 688.0297 511.2325 696.7618]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.5) >>
+>> endobj
+750 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 676.0179 511.2325 684.9742]
+/Subtype /Link
+/A << /S /GoTo /D (section.5.1) >>
+>> endobj
+751 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 663.9862 511.2325 672.9425]
+/Subtype /Link
+/A << /S /GoTo /D (section.5.2) >>
+>> endobj
+752 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 641.666 511.2325 650.5226]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.6) >>
+>> endobj
+753 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 629.6542 511.2325 638.7599]
+/Subtype /Link
+/A << /S /GoTo /D (section.6.1) >>
+>> endobj
+754 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 617.6225 511.2325 626.5788]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.1.1) >>
+>> endobj
+755 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 605.5908 511.2325 614.5471]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.1.1.1) >>
+>> endobj
+756 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 593.5591 511.2325 602.5154]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.1.1.2) >>
+>> endobj
+757 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 581.5275 511.2325 590.4837]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.1.2) >>
+>> endobj
+758 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 569.4958 511.2325 578.4521]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.1.2.1) >>
+>> endobj
+759 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 557.4641 511.2325 566.4204]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.1.2.2) >>
+>> endobj
+760 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 545.4324 511.2325 554.5382]
+/Subtype /Link
+/A << /S /GoTo /D (section.6.2) >>
+>> endobj
+761 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 533.4007 511.2325 542.357]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.1) >>
+>> endobj
+762 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 521.3691 511.2325 530.3254]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.2) >>
+>> endobj
+763 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 509.3374 511.2325 518.2937]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.3) >>
+>> endobj
+764 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 497.3057 511.2325 506.262]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.4) >>
+>> endobj
+765 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 485.274 511.2325 494.2303]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.5) >>
+>> endobj
+766 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 473.2424 511.2325 482.1986]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.6) >>
+>> endobj
+767 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 461.2107 511.2325 470.167]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.7) >>
+>> endobj
+768 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 449.179 511.2325 458.1353]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.8) >>
+>> endobj
+769 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 437.1473 511.2325 446.1036]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.9) >>
+>> endobj
+770 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 425.1157 511.2325 434.0719]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.10) >>
+>> endobj
+771 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 413.084 511.2325 422.0403]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.10.1) >>
+>> endobj
+772 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 401.0523 511.2325 410.158]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.10.2) >>
+>> endobj
+773 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 389.1203 511.2325 398.1264]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.11) >>
+>> endobj
+774 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 377.0886 511.2325 386.0947]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.12) >>
+>> endobj
+775 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 365.0569 511.2325 374.063]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.13) >>
+>> endobj
+776 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 353.0252 511.2325 362.0313]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.14) >>
+>> endobj
+777 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 340.9936 511.2325 349.9997]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.15) >>
+>> endobj
+778 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 328.9619 511.2325 337.968]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.16) >>
+>> endobj
+779 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 316.8305 511.2325 325.9363]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.1) >>
+>> endobj
+780 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 304.7989 511.2325 313.7552]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.2) >>
+>> endobj
+781 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 292.7672 511.2325 301.873]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.3) >>
+>> endobj
+782 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 280.7355 511.2325 289.8413]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.4) >>
+>> endobj
+783 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 268.7038 511.2325 277.6601]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.5) >>
+>> endobj
+784 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 256.6722 511.2325 265.6285]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.6) >>
+>> endobj
+785 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 244.6405 511.2325 253.5968]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.7) >>
+>> endobj
+786 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 232.6088 511.2325 241.5651]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.8) >>
+>> endobj
+787 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 220.5771 511.2325 229.5334]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.9) >>
+>> endobj
+788 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 208.5455 511.2325 217.5017]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.10) >>
+>> endobj
+789 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 196.5138 511.2325 205.4701]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.11) >>
+>> endobj
+790 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 184.4821 511.2325 193.4384]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.12) >>
+>> endobj
+791 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 172.4504 511.2325 181.4067]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.13) >>
+>> endobj
+792 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 160.4187 511.2325 169.375]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.14) >>
+>> endobj
+793 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 148.3871 511.2325 157.3433]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.15) >>
+>> endobj
+794 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 136.3554 511.2325 145.4611]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.16) >>
+>> endobj
+795 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 124.3237 511.2325 133.4295]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.17) >>
+>> endobj
+796 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 112.292 511.2325 121.2483]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.18) >>
+>> endobj
+797 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 100.2604 511.2325 109.3661]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.19) >>
+>> endobj
+798 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 88.2287 511.2325 97.3344]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.17) >>
+>> endobj
+799 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 76.197 511.2325 85.1533]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.18) >>
+>> endobj
+800 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 64.1653 511.2325 73.1216]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.19) >>
+>> endobj
+740 0 obj <<
+/D [738 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+737 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+803 0 obj <<
+/Length 3296      
+/Filter /FlateDecode
+>>
+stream
+xÚí�Ys7€ßõ+ø�ª•„Å}ì>lé²£”-{%¹²µIhrL±,>ö×/†3À4ELKHbÙ–èTJ”4=ÝìþÐè0ëQÿëYE¨p²gœ$Š2ÕLvhoä÷|‡5×쇋öáU‡—;&Lϧ¹î]¾÷²„ZËz—Ã_v�^�]žœ]^ìývùÓÎÉe¼)T̨¨îøûÎ/¿ÑÞÐëÿi‡á¬ê}ôßPÂœã½ÉŽT‚()DøÉõÎÅοã
ÁoW¢©7¢„%Êr“x'\€wÂ8'Öo�rDÿ»ê­hÂ	§Õñ—3p¹`ÄZ*½Žê²Ål9_Ãý÷Åçys1¼·²Äq«›‹/ýE1)ÊÅÞ>Wt÷¸ø•R^ŽãiYÿ¤_ëoæýQQ½»do_Qú…¿Hç²nÅWqK4§¬uáF@f£^ýâ†(ÈíCÁÍmÞ"½aGyÊT{ˆ4DÃZ@Ø�€|`péß�Qi0žÏú“Iæ�-(þÅMLÁÝÙ0
A¦µp"0%ìÀ`Bµ·0	Eg®…‰˜îÎ2Úéï��Nh‚[³¡
‚4kaC IØ�Aƒjo¡á‚­m�¸šÿMË"

5ÎÜ•�¬}Ì©ç.˜‚»³a‚Lká4Ý0%ìÀ`Bµ·01Ï	cº…I~˜îÎ@F±G4m·fC1h`Øí†&a
ª�)IŒ1®§�#Vi	 !lÏw
t÷¿«°^î9ºûù¦˜{_Éo¼„yø¬]˜D
+`L÷âWÊŒT{;	Pß–2Å"¼™ŽÇóÁ2î—ÿI$ùUÃÿµ×Ú£³	
‚!0FÆv’°#Õ	QÎ7ʹHˆh¹(‹q9jfõË+䶾Ìæ'z8—(ˆð³A„Ÿ”?¸ö–K‰ 2ö2Uûºâç´üPÌBUø²sa79çôõ1·bÛŠD/f31F`”Œëf$aƪ½eD["¤k[Õ0òjqUÌjn7¿«-•q]–ãU»"${ÂóPôb6#@cF	c$aƪ=Ö«Jy0œlÛÛßR&vì´ïŠ˜›q?¼:?}~z–Ø´“†ObsÝR{ûN±ï�šN\‚C³q
‚.0`.	;0\Pí-.R)¸ð\NÏŽ^¼9>IfS„jÑÅ�/¯Wfƒ1P`¨0Pv`  Ú[P'ÒJ@9 øÊ7u@+]$æë,˽â%¸8  ˆ
Ch»wzSv`
+ÇÚ~x~rvr~P­Ð\¦²“„R!ÓàéêÓ;A®Ê
b ÀP` $ìÀ@@µ· P/`„‰ ˜„ƒápuê',§µ<›Î&ý…¯\µÑÛ&':0 ˆá
d»·rSv`xlhg‰'¤ÕD+ÕtáÕŽÞZŠpõ—‹b°œ�Ÿë>?‹Y¿Þ÷ïò[¼µ7à^þ‚›oÞwå/Ñé/x;ÄO›ZS{ŸÒø‰™Ò¦]ÕøÕÞçÁ`PÌçÑ-‹U^›6êÅx¾XýNn÷<³G]tx‚Ȩ[(FQÂŒ&T{¤Isb¤jzV’:[îÓ·c’53æàj6�.«`„&Öj§31W;"|&h®™‹åx˜º•/2�Ã<ñü?
nˆm6¸@²c»�€¤ìÀÀEµÇjB*JŒ£2�ÛnÏ'ËDÅ•VäQ|R~¨ÄiYŸSZ<�¼ØÉUð|6W@ã
+Fã*aƪ½åÊX¡Dä*ìø½™Çøt'âë»3»y3hì�Ÿ-ËA}â]š§0çvBÜž
Ä ‚aÅ JØ�A…j�³lµÜai³CÏ«užPl«\£ôß#ì&ø4 ˆ
c†
“°fC{²¢²úYCkÓ]î1ÆvgÓåÛëb~åç¯*uº'ÜáÞ=Àzž5˺�cÀÛaîØК?ÂU«6Í#˜6ö<GÓÉ$œ¿x]ÏÓÞ5“j¹@Êm‹“=¤¢›s‡D†Ôz»ÙIÙ�0„k�»°¾T<0ëÅÓÅßš¾¹œ6�¢}œÎÞûÁõÏú»«éÇúÅ 6Þë/Õój£ú\`“¸§Ëp‡«~¼íǦ„ýËçsf¿¡I7¸$;Þ­nèp$Ú›F`ÁÆTÇ|¡¡®y`Ò®*¸*_œ–ƒ:XU1‹¹x(÷èª_ŽÖj¼f2ž�ÃÊäÙrò¶Z¨ö
+A!Ý” ˆ
°„€„¨öÈ€2„ÉæùGk®Ÿ«í€=º5¤ŸÍ
+"`¬ÅÆuŸ
HÙ�€�k�9‚[C$,�rÄéëºôÃaxÆ&<y÷«/èü?ÿÕ_®…Ùˆ~̦b”À8a”$ìÀ(AµÇôa‘Í샪¢¯²Çáøíõx:šõo®>·XÄ)âb9Õgï…¬Òú¯&FpþDrGã¸l(Z9Œ	‰M#0"0ÕmÚЂHÇ#!mœ¿/}Ôë˜ûI#œ‹˜4ejÀäüÙѼfÁ
+þ4jÍè²l€ F	†CÂŒT{„bD	£#¼™GÊE1+Cs<ë¿«0pŽo“û0¼šÍĘ�QsÝ{-);0fPí-3ÂU*2#jfÀÃ5ÇÓÁ¤Žƒ·q¡·nA{*Ù#ø*› ˆ‘
+Œ!LwDHbý¿†!U3Tö'ÅppUަ廽ês˶ðüax‚�³é
‚>0†ŒvïP§Á
+endobj
+802 0 obj <<
+/Type /Page
+/Contents 803 0 R
+/Resources 801 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 655 0 R
+/Annots [ 805 0 R 806 0 R 807 0 R 808 0 R 809 0 R 810 0 R 811 0 R 812 0 R 813 0 R 814 0 R 815 0 R 816 0 R 817 0 R 818 0 R 819 0 R 820 0 R 821 0 R 822 0 R 823 0 R 824 0 R 825 0 R 826 0 R 827 0 R 828 0 R 829 0 R 830 0 R 831 0 R 832 0 R 833 0 R 834 0 R 835 0 R 836 0 R 837 0 R 838 0 R 839 0 R 840 0 R 841 0 R 842 0 R 843 0 R 844 0 R 845 0 R 846 0 R 847 0 R 848 0 R 849 0 R 850 0 R 851 0 R 852 0 R 853 0 R 854 0 R 855 0 R 859 0 R 860 0 R ]
+>> endobj
+805 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 758.4766 539.579 767.4329]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.20) >>
+>> endobj
+806 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 746.5215 539.579 755.4777]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.21) >>
+>> endobj
+807 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 734.5663 539.579 743.5226]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.22) >>
+>> endobj
+808 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 722.6111 539.579 731.5674]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.23) >>
+>> endobj
+809 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 710.656 539.579 719.6122]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.24) >>
+>> endobj
+810 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 698.7008 539.579 707.6571]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.24.1) >>
+>> endobj
+811 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 686.8453 539.579 695.8514]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.24.2) >>
+>> endobj
+812 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 674.8901 539.579 683.8962]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.24.3) >>
+>> endobj
+813 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 662.935 539.579 671.941]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.24.4) >>
+>> endobj
+814 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 650.8801 539.579 659.8364]
+/Subtype /Link
+/A << /S /GoTo /D (section.6.3) >>
+>> endobj
+815 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 638.925 539.579 647.8812]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.1) >>
+>> endobj
+816 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 626.9698 539.579 635.9261]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.1.1) >>
+>> endobj
+817 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 615.1143 539.579 623.9709]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.1.2) >>
+>> endobj
+818 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 603.0594 539.579 612.0157]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.2) >>
+>> endobj
+819 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 591.1043 539.579 600.0606]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.3) >>
+>> endobj
+820 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 579.1491 539.579 588.1054]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.4) >>
+>> endobj
+821 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 567.1939 539.579 576.1502]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.5) >>
+>> endobj
+822 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 555.2388 539.579 564.1951]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.5.1) >>
+>> endobj
+823 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 543.2836 539.579 552.2399]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.5.2) >>
+>> endobj
+824 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 531.3284 539.579 540.2847]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.5.3) >>
+>> endobj
+825 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 519.3733 539.579 528.3296]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.6) >>
+>> endobj
+826 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 507.4181 539.579 516.5239]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.7) >>
+>> endobj
+827 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 485.4804 539.579 494.2126]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.7) >>
+>> endobj
+828 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 473.5451 539.579 482.5014]
+/Subtype /Link
+/A << /S /GoTo /D (section.7.1) >>
+>> endobj
+829 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 461.59 539.579 470.6957]
+/Subtype /Link
+/A << /S /GoTo /D (section.7.2) >>
+>> endobj
+830 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 449.6348 539.579 458.7405]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.7.2.1) >>
+>> endobj
+831 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 437.6796 539.579 446.7854]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.7.2.2) >>
+>> endobj
+832 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 425.7245 539.579 434.8302]
+/Subtype /Link
+/A << /S /GoTo /D (section.7.3) >>
+>> endobj
+833 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 403.7868 539.579 412.5189]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.8) >>
+>> endobj
+834 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 391.8515 539.579 400.8078]
+/Subtype /Link
+/A << /S /GoTo /D (section.8.1) >>
+>> endobj
+835 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 379.8963 539.579 388.8526]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.8.1.1) >>
+>> endobj
+836 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 367.9411 539.579 376.8974]
+/Subtype /Link
+/A << /S /GoTo /D (section.8.2) >>
+>> endobj
+837 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 355.986 539.579 364.9423]
+/Subtype /Link
+/A << /S /GoTo /D (section.8.3) >>
+>> endobj
+838 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 334.0483 539.579 342.7804]
+/Subtype /Link
+/A << /S /GoTo /D (appendix.A) >>
+>> endobj
+839 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 322.113 539.579 331.0693]
+/Subtype /Link
+/A << /S /GoTo /D (section.A.1) >>
+>> endobj
+840 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 310.1578 539.579 319.1141]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.1.1) >>
+>> endobj
+841 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 298.2027 539.579 307.1589]
+/Subtype /Link
+/A << /S /GoTo /D (section.A.2) >>
+>> endobj
+842 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 286.2475 539.579 295.2038]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.2.1) >>
+>> endobj
+843 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 274.2923 539.579 283.2486]
+/Subtype /Link
+/A << /S /GoTo /D (section.A.3) >>
+>> endobj
+844 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 262.3372 539.579 271.2934]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.3.1) >>
+>> endobj
+845 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 250.382 539.579 259.4877]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.3.2) >>
+>> endobj
+846 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 238.4268 539.579 247.5326]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.3.3) >>
+>> endobj
+847 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 216.4891 539.579 225.2213]
+/Subtype /Link
+/A << /S /GoTo /D (appendix.B) >>
+>> endobj
+848 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 204.5538 539.579 213.5101]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.1) >>
+>> endobj
+849 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 192.5987 539.579 201.7044]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.2) >>
+>> endobj
+850 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 180.6435 539.579 189.7493]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.3) >>
+>> endobj
+851 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 168.6883 539.579 177.7941]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.4) >>
+>> endobj
+852 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 156.7332 539.579 165.8389]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.5) >>
+>> endobj
+853 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 144.778 539.579 153.8838]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.6) >>
+>> endobj
+854 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 132.8228 539.579 141.9286]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.7) >>
+>> endobj
+855 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 120.8677 539.579 129.9734]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.8) >>
+>> endobj
+859 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 109.0122 539.579 118.0182]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.9) >>
+>> endobj
+860 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 96.9573 539.579 106.0631]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.10) >>
+>> endobj
+804 0 obj <<
+/D [802 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+801 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+863 0 obj <<
+/Length 69        
+/Filter /FlateDecode
+>>
+stream
+xÚ3T0
+endobj
+862 0 obj <<
+/Type /Page
+/Contents 863 0 R
+/Resources 861 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 655 0 R
+>> endobj
+864 0 obj <<
+/D [862 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+861 0 obj <<
+/ProcSet [ /PDF ]
+>> endobj
+867 0 obj <<
+/Length 2199      
+/Filter /FlateDecode
+>>
+stream
+xÚÝYÝ�ã¶÷_áG-pVù-2o½»¦¸ ¸¢Ý
ò�äA+qmádIÑÇnœ¿¾Ci˶|wè-РX`M�†äpæ7¿ÚtMà�®µL	7b�‘JBåºØ¯Èzïþ¾¢AGHžJÁ9<,¼ÝH®S©Y¶ÞÌyû°úË÷Œ®I•brýðtÜKe:5\˜õCùsòn—w£íï6L’„ÞýúðNi¦3ê¦ØB¦™!ÚOøÐŒ}[NÅXµMPçk“ÅTÔÎ`.˜ë´v–ÖÊM³}cG|zßîóªÁñÇ|tîÃh÷8þ…Hòþã=|P'È’¢m†j|Ý>áç×͘ÿ„m�u¶¨žš
ìw±ŠmÆj¬Pš%ÕMºIpFw*JS#%‹>‡áŒ$î œÑ$ÇÇ]eû¼¿£:)vU‘×(ÝçMnÎDò\£=îM§“©v›»E¦Á–(j{”¶¶Û|¬šmØgwm_�`æ
%í³
ºþpa‡¼	+…­(8É;øìDÔŸ¨ÚwµÝƒr×
CÇ]î•É$/Æ)¯ëÊ÷y7à(ºT¼ÏA4‹³›X–Þvì�‚š'UT-ó1Gµjˆ+W`AÕ8¸g·>nýZíÔ¡¢·›@ÒW�Óè‘KñpR·ùcî­Š˜§"åB±€bAR¦8bž¦
+ôœA)*l7Fê8³�“fDÖ±›Ö± 	R
++úF…ÓŸ°3±
+šD
n�:%
+Z¹b¿úmõó¯d]®Èú‡I¹
оÀxÓ¶Þ¯‡!‘:JêÕýê_ÿå¬hǬ=¸i
Î#°VFPŸ/µ‰gÚP¡`KM�_C]À™§”XF˜Tî9¾i
+w”Xó®ÜÆ™LAO¯ç[|›ÕÇ%¿`6‡†QèÌœ›ýÓ#ÉM¸㡾>„t�±’ò!\:”ŽM˜û¿ƒãPé¡Kÿú3Å7áÄ(ðŸá§o5ù"œ\ƒ)�mrǯnàãÎ}âèVp¸ÑVÛ£€%?þûoPs×ãLx­Žuíâ;ƒˆ£ôýÕ7\îû `ûýù«Ð±ÞFôì”ß渢/=÷¡%DÏ<÷}õ»ãXôûR•ãî6x_ÍÞ?xc _‘‰I…�êKà¥<%œEˆ�§²¬ÒÇš×MŸÁÏl£WcÄKã…^ÄÏÜø€~ò
+B·€ójæþYpÃÜW\Uî
+
7&æ?ø]ýðÇ<¡nÀ|­õ⯃ñG¿
—©û
q=2�3"ÖAÉE!»r{ü�ñ´RÜí?q7{endstream
+endobj
+866 0 obj <<
+/Type /Page
+/Contents 867 0 R
+/Resources 865 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 881 0 R
+>> endobj
+868 0 obj <<
+/D [866 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 6 0 obj <<
-/D [610 0 R /XYZ 85.0394 769.5949 null]
+/D [866 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-613 0 obj <<
-/D [610 0 R /XYZ 85.0394 582.8476 null]
+869 0 obj <<
+/D [866 0 R /XYZ 85.0394 582.8476 null]
 >> endobj
 10 0 obj <<
-/D [610 0 R /XYZ 85.0394 512.9824 null]
+/D [866 0 R /XYZ 85.0394 512.9824 null]
 >> endobj
-614 0 obj <<
-/D [610 0 R /XYZ 85.0394 474.7837 null]
+870 0 obj <<
+/D [866 0 R /XYZ 85.0394 474.7837 null]
 >> endobj
 14 0 obj <<
-/D [610 0 R /XYZ 85.0394 399.5462 null]
+/D [866 0 R /XYZ 85.0394 399.5462 null]
 >> endobj
-615 0 obj <<
-/D [610 0 R /XYZ 85.0394 363.8828 null]
+871 0 obj <<
+/D [866 0 R /XYZ 85.0394 363.8828 null]
 >> endobj
 18 0 obj <<
-/D [610 0 R /XYZ 85.0394 223.0066 null]
+/D [866 0 R /XYZ 85.0394 223.0066 null]
 >> endobj
-619 0 obj <<
-/D [610 0 R /XYZ 85.0394 190.9009 null]
+875 0 obj <<
+/D [866 0 R /XYZ 85.0394 190.9009 null]
 >> endobj
-620 0 obj <<
-/D [610 0 R /XYZ 85.0394 170.4169 null]
+876 0 obj <<
+/D [866 0 R /XYZ 85.0394 170.4169 null]
 >> endobj
-621 0 obj <<
-/D [610 0 R /XYZ 85.0394 158.4617 null]
+877 0 obj <<
+/D [866 0 R /XYZ 85.0394 158.4617 null]
 >> endobj
-609 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F58 627 0 R >>
+865 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R /F48 880 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-630 0 obj <<
-/Length 3297      
+884 0 obj <<
+/Length 3270      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZÝsÛÆ×_ÁGhÆDï8àúæÄv£ÌÄN-u2m’�
-·ú]ù=ÛüTæýÃóÚ"FìŸ\]FB'_W—T°› xð˜ÊlS¨®F\üyue,ÄÇ(�¿®+�±6¦4óÁ…»¬ò‘°=öp�qðóݵUAñ¥ç9Ž‰E½­šYìì>'ÑusȶŸŠ¾ûõY�Žyý£4zÎ0ÿ�ðª„
Ó’Ò�Lk=Nu³”§’4ŒR
)Ï€ý4$ë³Õ@Ô(ÔäÃQÎ3°«° 9†`'
~;d¿7Í>óæxŸí™zûÔõÅ~ÜÕ˜¸dOØÄŽ²jª‚öxh‰SIˆýƒó äÍö¸‡4Kt¢Â|C³Å—¶"®ÜK¼KYw}VU>sÂTVç48¶ŸŠ¢½<Œßãô¤®Ùõ§³Ç!›àpÙ}ñ
-%g:”…vQpÂÅàÛ›âÞ1¤Í‘h¯Ç²`
-ßV%˜ÞÅî8¨šæ�Ž-='*%=rÅÞ�L°¹–Á
Á”ÃlpcN³f’f!$§&â4ËÚl*ÐÙ‚j
)AK^\•�<O%¾¢óNà=tZWÔ9KóùXJg ˜mĦf¾›=÷ìC\®•Ñ¡²6ö:§œX“·»Ãhå–!(§ŠÅ9¼h§<°MKç¡ÎµW$X	-XªèÐÓUÌ·-Ž9²áÈòÑ“
-^
±c$<‹0q7|9_²�­Õ†å}žW³kö'Fó;;
-¬´Ä‚T*L’T�
_�Å’º#H¸Âª‘¾v—‹17ûÍ6e½(¤V!ý^‹au­¢$Œ5:ÆexU>¼ºðØ]hâ2%àšQ¸•
-
-^OaÝÇ…¥ºðˆ¢©+Æßp©KHª4>•€ñ9”•=º–o~Íðƒox¼Ã{©¥… Û·^&­
-	v}¬ÏX0Ú¹w”ð«­á(ã'A…ý·}›ÕKaNÅ
-®ˆðNóvrüM½
—�J”¿šÛæXåtÞ¦Xh"D�°’Œ6Ë*d!C`ka{GR7Ÿ<3–¡ˆaÁÄ3O	Gx%™�ªdàré(È‚V¤^ôniSR”¬àZ-Qªâ=‡ÞnaCëqÍY��‰¡²õ±®9ÐF/ˆ/eÆ‘õ™\±©ï="˜l¯1’
-/!ﺄt˜Ê!âz)3â½;nÎ1Bfš„IES=Ãå\�Ü J^P0Öö*�C¡{
Ò
-B†O�ƒ³qù°à®ié	ŽÁtáK4¼Ý	«&÷cT¤Áà±þÂ…ãŠ
Ûýç›e8 ÀµÓÈxV‡eí¦o¶MµT«AôUƒ€¡�
-2”6¾¸/d€$e8Ž£¬ëšmÉ)~c^¤›#9GP³aäŒ
ω1�Î+{£	
Qir_T©ÑPýø"ëH�Þƒ¨€¬óE Ÿ
-nÏ´1Ì)*¡q<u´îض͡÷þµÀÓ@õhŸ-ûÔKŸãü‡ ³Ã^4ŽU1‚©‚úÍJ)±[Js‡û
>NÚ«´|=^?ï‰ÏvEán‹íù›ÔL¡¼d!¿”JN¸™µx‡U/01ßmä¨*
´!­ZDWæÜÞp•V^¸¸QVT‰%-3¬¾è
-N
-JÐ}y_s5·[®6¹æʹÙÔø: 5
-�ê<eX¿¿0·Ò|ß™¯¼^òñÒ)'üÌ?øU/p1ßíù.rlMªæ]Í]Œ=“{§=
-ü„6ÓC¨m‹ÖHÁ±kXkenׂÐbÒƒ‚âK	špxÞ(÷G²šÉ=Ÿe;¤�ž|NsºÀA^î�ƒgÖzË'oŠþT`y†‹–Ò\$L˜¥G¨c	tH@ª‰œ4öžÙЕ–PœG‹µøKå¿¿ÝLäËM
-�º±±ûZ�Ñô@­r µþ;Esì*בå>i¤`À5”RñÍ’wÊègÛ”NÑ@q÷HyQ÷>>Xêÿ"�n¹ÿë(Ü�”
pêLGõg¹nd³#:í�íOüv´pͱyYÞAjà¶x$F‹ g"
^sîF™‰C[	g%MšÅQ<¦ñ
]¢>d|ȶ�±ÐpŸ]bsÙ÷Ýl*oÒ‚õ„Úx{ê:8”=YÊ!½Ø}âÀUç®[êZ-ˆÿ1¹¡8‘Áà¹i
-endobj
-629 0 obj <<
+xÚÍZK“Ûƾï¯à‘[%Næ�gnkKŠå*­l-S®ÄÖ
$†$J 
+“&áì?¤Piªgû› 4"Œñ3åÍÃÍÏý†ƒU÷ꤦ”ÚDzBUÚL©*LEd`	UµÜYoS—e}*ª-ý\×Õ£­º¢®ZšÈ·*™3ñ±µ9�ŠŠž¹mׇ¢¼PoèÙù¾{sÿ²ßü7)õöxÈð¯©Kû×K•F‰ˆ”®ƒ@ÀÿïÒ©NE,ã�þgoy>äœB¤aøè=	{ñп1ÞjáeZÄF‹P½½‚¡kÇ�H“x›|IFd®[¥Ô¼ê|:[¨D3ÿåVË�‰.ôßvOú
ÒX¤*Åsz^þ;éP�îâÿDaZŠ0„½'=ÜkLÃíÂÀiì£}:ÕÎwóe‡ø‘^Ñ:¦¥£~]|FÏŽ¤œÿRäÝîym#éŸ\]FæWÕ¥4ì&)<f‡"[•öÕÕ€‹?¯®¢âc�„_וÄXRšyçÂ]VúHØ;¸‰‘‘áü×åmªçösÇkmµ.ë«ØÙ~:Ž¢ëê�­?Ú®ýð¬F‡¼þQ=g˜ÿGxÕ2I*_ “c†©î*åé8Ab åE`?Éúl55S�0
äÃA΋`W™‚æ€�$ømŸý^ÖûÌ›ã>ÛóìÃSÛÙý5<pWcä�@<™Æé «&zÞMí"q¢(#Âd·sþ
+`{<gV‘¼z†ÕH‰(¼ªº]ÖýÙ/�âv›UÅ|ÆŒ±D‘3ûÙzÍ�!N´šž4O
””©%
/§;'ë‘kbè¢Ã3Ë÷E…wV-Í­jÌ€èpá™Î_e.�ÀRUçLDXÃx¬az~ÑÏSå¢�KXxÈ„^�NDŒUÝH±×Ú„˜˜$q8¸D°9¡&3ßÏ•?Ã=ÊleKfÝÄ)Å€R¢ 2ãkëm©•æû¯Ë¥<†R½ÈŠ±Úp	B	d[ùL
+âNœªa©ënB·
+`wù
+!A=]Ĺ%aØ€�<Éä»!ÉDA‚Šž§CÑu–`Ò¤QÆïgôÀícÀ@ž¥×ŽÁAýÎå Åv×ÑÐ)‰í†g(Ààþ¶ÉÀÁýÀ3¯;ôp(…æwcð@·Æ±@a©²¾€««’1ÅÊw]ª’*�O
+Ý€+ë}“USaNC²0&ò×ñÕèø7ÕZL¥óX$‘ñ¡q]ËœŽYÙ‰N‚I…†¼ÅÔõñ€|
+–S
+L.ß»Çeð¨ï³gLÉ©s"gÀÒ&ñÂØk
+€
+¾
+ŠÆáîW}ÞžêL\ï6pTCÙ©R=Ô
Ðôí
WiåÖÅ�¢¤J,÷w\õEWpTP‚î‹mÅÕÜfºÚŒ¸Ë¡â‰¥áÄ m €`Ù2q¸±‡aµ÷.và  bÍÆß¼fR£¹õM…¶{ÞQT
+U+”­3-›Ä|ÃSzúÅð…k+]ï{å+wS¾¢!^F‘R#~®¿	xªopq½Ûó]ä8�}ÝÅ0ÜÅøç3ywÜ£À�Ah3Ó‡ÚÆ°vÀ»®µÑ©+øM�Œõ  xÅR‚–€7Š=Æ‘¬âéŽÏ�²RHG>g8]à /6ÈÁ†3kµæ“W¶;Y,Ï�h*Í2Œ¯Í
+endobj
+883 0 obj <<
 /Type /Page
-/Contents 630 0 R
-/Resources 628 0 R
+/Contents 884 0 R
+/Resources 882 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
-/Annots [ 640 0 R 641 0 R ]
+/Parent 881 0 R
+/Annots [ 891 0 R 892 0 R ]
 >> endobj
-640 0 obj <<
+891 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [272.8897 231.1055 329.1084 243.1651]
 /Subtype /Link
 /A << /S /GoTo /D (types_of_resource_records_and_when_to_use_them) >>
 >> endobj
-641 0 obj <<
+892 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [190.6691 203.5826 249.6573 212.9922]
 /Subtype /Link
 /A << /S /GoTo /D (rfcs) >>
 >> endobj
-631 0 obj <<
-/D [629 0 R /XYZ 56.6929 794.5015 null]
+885 0 obj <<
+/D [883 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-635 0 obj <<
-/D [629 0 R /XYZ 56.6929 756.8229 null]
+886 0 obj <<
+/D [883 0 R /XYZ 56.6929 756.8229 null]
 >> endobj
-636 0 obj <<
-/D [629 0 R /XYZ 56.6929 744.8677 null]
+887 0 obj <<
+/D [883 0 R /XYZ 56.6929 744.8677 null]
 >> endobj
 22 0 obj <<
-/D [629 0 R /XYZ 56.6929 651.295 null]
+/D [883 0 R /XYZ 56.6929 651.295 null]
 >> endobj
-637 0 obj <<
-/D [629 0 R /XYZ 56.6929 612.4036 null]
+888 0 obj <<
+/D [883 0 R /XYZ 56.6929 612.4036 null]
 >> endobj
 26 0 obj <<
-/D [629 0 R /XYZ 56.6929 567.3837 null]
+/D [883 0 R /XYZ 56.6929 567.3837 null]
 >> endobj
-638 0 obj <<
-/D [629 0 R /XYZ 56.6929 542.6255 null]
+889 0 obj <<
+/D [883 0 R /XYZ 56.6929 542.6255 null]
 >> endobj
 30 0 obj <<
-/D [629 0 R /XYZ 56.6929 441.1968 null]
+/D [883 0 R /XYZ 56.6929 441.1968 null]
 >> endobj
-639 0 obj <<
-/D [629 0 R /XYZ 56.6929 415.1634 null]
+890 0 obj <<
+/D [883 0 R /XYZ 56.6929 415.1634 null]
 >> endobj
 34 0 obj <<
-/D [629 0 R /XYZ 56.6929 188.7253 null]
+/D [883 0 R /XYZ 56.6929 188.7253 null]
 >> endobj
-642 0 obj <<
-/D [629 0 R /XYZ 56.6929 161.3171 null]
+893 0 obj <<
+/D [883 0 R /XYZ 56.6929 161.3171 null]
 >> endobj
-628 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F42 597 0 R >>
+882 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R /F21 654 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-647 0 obj <<
-/Length 3284      
+898 0 obj <<
+/Length 3430      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ZKsÛF¾ëWð¶TÕ™f
->悺¾­ßó=ñä-„¸Éüò~T”¡Òå6¯™tÈ�<€­·é¦»†‰9ÿ´eýPÉ›ì¾*:YnúŽUe@Vk¼
ªÒâ_}µ»]Y­—yÕ6<;àƒ3 ù˜Ÿ:5÷ò
-ÿaR>½xºÕé²h/^‘xÂá„÷FÞKBîD 6=ñÃŽGmqz*N-‡�:÷€·0CŠrò‚Q~I!­Øi
-ì(ÏÀ¸kŽåv?¬I6IiùZª…Ujùýû�oxÄü zçUE®8ƒ
-t6ƒôÎ.ž�EÛ
œ˜®ý"´†)ÐPÖ'Y >sú®Ø@1çL
ä8
-N]6öÌšbóg&r™¦Öž'O|žöäaýjúÂuO~½/Jð¥Ø²êW±…–êÂù†¼g#éèêB[
zOqª Ñ÷zöÖ`Xµš.»–ðz7Ñ‘ŽfÔ
¥12Ô-Æp0“Ú1ß‚ œq‚ü?¨xá‡¾™iS$ÉU*œ¤	œ~ÆÂ+u)d¤PÆÛæøÂÓ„^’$,ó!�IÒ^€ç°Jbº¤¤>¡¨K6ºÎæ1š;<í(
-`S‡¹3k^SÔd
gh&øäIL½Il9©A’oKHá¨âؼ"8žÎŒ»é²2‘.":ï;æR5ù®™MúìXSu�À—“,ˆòTâ=@<¸—»’šU¤o^øwßòZ¶÷ÚAJô…úŽìûü(IE
õ…w„àPl÷y]n²à‚i’Žƒx@$‡Ã )Ì’y¸Çb솤Ax“ð0Ç“�¤ÐË�ÂëâP3hyÞ”ÚGÐwøó[º±¤½glê"'á…f#ê(õ.´È!z¾ºk¬#§­\e&M "I-FòD<ÉFòÄƉ	‡qv@4%ÀPÌf’BK@H½ªL)FÒÌÄ!ä`
-‰\ù€�uó\ú›»‹ÐÊE&KÆ� lvó¡ÛbÜœóäzO ²¡®×˜€äFTŠ˜®–Úb1¢ÓËëP‰T�ù
-–Úñ S;É´v¬Ç@Ι‰÷XA\u·zIéGÞp[´Â!è·oÃת1ø©KÝ™cãâ b{?›ØÅÇzÌWÎgˆBÕòåâ݆û
ÜKò<Š"…ƒµ£{Ážçñ'Œy%
R¨%?Êbr†ø’€¶’dH²ô !%©;�é>‘Öl“ú‚¿rׂ4m[n(]$rQ‰5'hƒßêæd¬ˆSäÓ˜‰
-f²}¿¾e�wÅk<A{syFÍáòKWäU·ÿ‹æ—6ô·´YU8H?811ÐGÿÖʪ‹ä&HŸæ âǶ|9tí
¿„‡]ˆ«m0ÄtQpd‡È�×aD
#{k1=¶Å°çŒ½¯8`s€ß‚º²ë;iæB4M
->ðű„€q™°?
BBGÏ$3)ɶN.Žq
-,õ@ž/$½ñ�ŸI�:,ºHˆ>\)�H�÷R§oó…,È8šÊ/>R"<ã7$a RÚ…ÛɧaÝ”µé¹Û�ÂN‰
_�º‘o}K	¦è Hz,Š#
£áãH:t6ôžH¤(? „�µRבõ±(äƒMä©|Ë Š>¬4²<|i\ÃΔâxš½ÕjB5~ŵÃM
|á„RæCEÊË*ß„ò=€%ól¼¸jÆï#e^ÉUÖx»Æ¬ÚyþùTR€
-¤„H¯DÃÊhuy¿ÄÄÉÅ
>2/­& MO‹žÀ=A;ZT¢Éà²Á›.ß‘uÍ}Wˆ,À¾Ô�´ 'þ6Œ�¨­}¹Ûõ\§(b‹J!.�éÞÅËO\Ïbôd°¶½“ÏX3¯2‘'�\ç
-À‚I£Ê€:¨lòΦؗt�Ë��$dÀ§~FWùÚ—².Xê¾™Z¿¯Gÿ>½m‡ûü
+xÚ¥ZÝsÛ6÷_¡·È35@>ºMrMg’ôwn:m(‰²8¦H�HÅõýõ·‹]€”'íÜøAà\,»¿ý åBÀŸ\&ºÌ®Ì3#¤Y¬÷Wbqsÿ¼’¼æ&,º™¯úþîêoµ[”Yi•]Ümg¼ŠL…\Üm~[þðãíÏwo>]ß(#–2»¾1V,ß}¸ûôñõ/?ܽûøáúFJëp.çÙ»ßÐò×ßß¾û@ã·ï™úù×ÏwoÞÓøwaÄëŸáG^ÿq÷ÓÕ›»(õüdRhù?W¿ý!8àOW"Óea�ð 2Y–j±¿Ê�ÎL®u ´WŸ¯þÎfý«)M]d¦P.¡*¥Sª2ef5L¡ªÞöG8•Ê—M7ŒU·®¿ƒG-–뾚Mí'ÍrÜÕxTÐ}9c(¥ÎÊ6žUýgµ?´u¶î÷´ølwë²²’×nú}Õt´óã®YïhŸ¦[·§M=ÐDWíih–É–äËjHIba\JËÜwý0fUUeA$|eq£�ÌJ•ƒMI£üâ´¸JdÊšVÝ&µk™)¡Ô|ÓÕj•}]Rɬ(\x«þR£t:îO÷xHý’¾�ά2QÝè%/ýoßÕ´ÉLÁ°MßµODßÔm}_�
Ü:MmÁ.HiBg©¥½`&+Jk‚Òf�²”™ËÕ7”\€�™ ®oë÷œ'ž|
+ýÄ
�¿W¾ñx-‹e=\¼Âþ„ÃÙÞ+~‡oºfòÈõÀôHCt;
õñK}È}Ĺ¼�¯(Ã/(a—Þ¥Ù¯
+Ææï"î„¢ly«1nù|/@We]Î<Æú¸oºªMl¦s¸YaÏ7wÕÈ›
LÚU|²®Olgm&TpÊá´¢³
‰ýr—¹°Ð›¯™+<¾Ê.ê :X)Ï/ÈëX;o¾ÚNˆ‹$ð4?¨™'§yn°®#Ñé*aà/°ïGZ¹{“Žû¸I6[ƒ¬wá}Ònßö÷¼#±° *ÞªéÆS36_êIÊ3Ã#zDãN÷÷dûàœtH~êOD"ƒ«6Dþôö‡�F—µw¤‡9½FxÖ0Ëž(÷^-š€
+ÔXCõ@Ï�MÛ’ia’ÐÑ£9<Wô”ºM"c÷Dñ˜‚ZÈ
+¸{|*./ðÎ4ÏçR!`Ã
+Öë
Óè‚
9„ó÷?ÄTvODp„'¦õD�ò³	’�úHxôM½‚ÐO¸Þtp
+üÈ4vÕ�'îëbq„Ç}½ÞU]<PfâÁ‹‡)Äa�†QR‡^˜¡ô
£ð†Òü%13JP=°&¢ÔÄW0³©0ðÅEò‚¡–´6?où¦§g–¸h“ÉÜËê“i¦›1�gp©¯rÍef¤6Ñ~øÊJ@^(€Î*¡wˆoÒ5C¾®J …Ùõ�õÌÖ•dã’f^‰ºòô'"Ra*)ÛöÝ…pHãEÑb€æÛ
@%óöØ:gŠ}V_•ÎG™8²¾P#öÛ´vUîbÿù`³&õž
+L8éí”_éü%›•VfBä¡
+¥BÒ=ó8°k„Óâ²sÍ€¨µ�!Žö�“ S=szJ†€\…îÐ|�€Å>[@ú�®ë�w:AöC`ñ\5ª<0…9\<BV?l“ÁÉÀ½Ø\NÁÂØò2XèЊB^dQŽÚ¤¥û¯Àó\K¼1­ôµ„醹ÛëÎÒmR]çb„óŒŒ%EÎî
ë}ÎÌÁ¹-†úahV[÷”1àmÐ[cJ†x‹8åm
ʨw]
+îcpËGªd6¡*©¸T™¼4TF04a�‡ºåZêxg<æèí3cZñ¾M‡°óž ½̈¾è€/
+#qÙÜ#â¬kƒ�\E‰YÒ&g‹œ¥=r–íHV‰¤L—Ekº|‡×õÛ±fH€³üRrj$9{¢ÏøøˆÚÚ5›M�ÌàXlV)8ÂÅ¡îM¾üHñ,GK¦
iÛþâ˜x•ˆ4i¸—ªl(<�4©¨Qe³wVõ®ñ�wr|$átêG4•¯}ÔÃMmûùퟺÉþ‚M¯ûýþ„í”�B^äê˜ß6!ŒæÕŸFü¥˜ÿ¶›ì¥ÎÒ&Ãÿ¨J´9EüfôÿãÖôÿk¹Ã¬V¥û¥Z”ø�Q(TZù¬�þÁë¹äÿ2/I¾endstream
 endobj
-646 0 obj <<
+897 0 obj <<
 /Type /Page
-/Contents 647 0 R
-/Resources 645 0 R
+/Contents 898 0 R
+/Resources 896 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
-/Annots [ 650 0 R 651 0 R ]
+/Parent 881 0 R
+/Annots [ 901 0 R 902 0 R ]
 >> endobj
-650 0 obj <<
+901 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [519.8432 488.7856 539.579 500.8452]
+/Rect [519.8432 497.8292 539.579 509.8889]
 /Subtype /Link
 /A << /S /GoTo /D (diagnostic_tools) >>
 >> endobj
-651 0 obj <<
+902 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 477.498 133.308 488.8901]
+/Rect [84.0431 486.5416 133.308 497.9337]
 /Subtype /Link
 /A << /S /GoTo /D (diagnostic_tools) >>
 >> endobj
-648 0 obj <<
-/D [646 0 R /XYZ 85.0394 794.5015 null]
+899 0 obj <<
+/D [897 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 38 0 obj <<
-/D [646 0 R /XYZ 85.0394 599.0929 null]
+/D [897 0 R /XYZ 85.0394 603.5324 null]
 >> endobj
-649 0 obj <<
-/D [646 0 R /XYZ 85.0394 568.7172 null]
+900 0 obj <<
+/D [897 0 R /XYZ 85.0394 575.1064 null]
 >> endobj
 42 0 obj <<
-/D [646 0 R /XYZ 85.0394 457.9037 null]
+/D [897 0 R /XYZ 85.0394 470.0596 null]
 >> endobj
-652 0 obj <<
-/D [646 0 R /XYZ 85.0394 429.0681 null]
+903 0 obj <<
+/D [897 0 R /XYZ 85.0394 443.1738 null]
 >> endobj
 46 0 obj <<
-/D [646 0 R /XYZ 85.0394 352.2747 null]
+/D [897 0 R /XYZ 85.0394 339.8943 null]
 >> endobj
-653 0 obj <<
-/D [646 0 R /XYZ 85.0394 326.5176 null]
+904 0 obj <<
+/D [897 0 R /XYZ 85.0394 316.1468 null]
 >> endobj
 50 0 obj <<
-/D [646 0 R /XYZ 85.0394 247.1936 null]
+/D [897 0 R /XYZ 85.0394 241.2623 null]
 >> endobj
-654 0 obj <<
-/D [646 0 R /XYZ 85.0394 221.4964 null]
+905 0 obj <<
+/D [897 0 R /XYZ 85.0394 217.5147 null]
 >> endobj
-645 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F56 618 0 R /F42 597 0 R >>
+896 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F47 874 0 R /F21 654 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-658 0 obj <<
-/Length 2399      
+909 0 obj <<
+/Length 2282      
 /Filter /FlateDecode
 >>
 stream
-xڥ˒ã¶ñ>_¡[4UM|VNkï8;.ïl¼#RŽ�XK‚²HÎDùút£ )q*©Jé@ 
t7úÝ�X…ð«$
Ò"*VYI(’UÙÜ…«XûÛ�à=·i3ÝõÃöîûŸÒhUE¥«ía‚+Â<«íþ÷µâà0„ëí§‡ûM”„ë�_>x|¢ñÓ‡Ï}þÇóöá3�ÿ&áǧgøˆû�i®üôáïÛ‡¯´.åãÓöë—�¿ý¸}üòtÿÇö织­çzz3JdùÏ»ßÿW{¸àÏwa ‹<Y½Á$DQD«æ.Nd�ÄR:H}÷|÷«G8YµG%% ’ •[QÅÑJˆ H’h&«¤RI/«.†p_U+óÂRR�f)éó«>wxY@)'ÒW›(ŠXÄ×öˆ'òx}¾ùZwm
çRW»³:Wº£éÉîh_«½Þdw¡oÓv=�Ú“>«žø�iwézÝØóÉZb)I',EYˆ<Š€7d©ë‡Ý-OKwI’ Ž"Á羃C…\7ZÏAT½if×1b'¦íñj#¥ÒÐo¼ø
g©NjWãÞnw /\òО"’ZÔ48uM#°Jø+}Õ>O’,u×À
-’5�†Û^ÃUýÍSÛW„³ìk·Ü^ñ¡†þØž«�½YènDŽÖƒ~^q_–¬;´’{±>wà(¤ñh@aj�’Ì…YænaéÁ1{ø*Z¬ÛRÕ1d€
-ò4—lK,âáÜ¡°n-OA(Á/i·ñ~G”ÿʤ{úò½»ªAÉb‘¬=\·í·á´dý^Ü�n?i¯\WÚô [2ð0â<†è#² �QNþ_DkÐ�LóuÕ8×(ãÊ”L¢Ù5ƒxªãPcO”ŽÞ+x¨ûŽVÐ�p¡w[Ýݹˌ<è<M“õslŒL{âWÖƒdA.‡S¾­mÁ’2{Z+}E¨0©L_5ª'ÃÇ�­1àwÚ:H,؆a¡×Ëê•À^˜Éw´ØRo•›&
¤3§]äuÁxŠ J„Û3»Æ»xA‹IPI~å8þÚ`7í¡×††Cç|¦»˜Ö\švè@BˆuàU`Í)›¤‘­km^ú#�­
-U†u1
-Ž&lY9ḃ¬Ý.49�I6„¶‹uGc~_Ëä
ÇQŸJVN¬’ljH#	Y:�¦¬9ÈÂßq:i›¦5õejk}¦
Ûjß:~?ÓŠ¸„,ä\²‹Ñ
-ÒlTøljLäyK]%2¼$Å0	F`Cvh�$¤ÜÑN÷Öo ™a¶Ë#J’‘Ñ©é!R ïÁd÷g
�>j"J:GC­°V¶û;úêÕÐõ�c�lò¦À1Ý›UfL•
*ýÐf��NV°»kо‘e4¾Ë©ÂRèBkßqáíˆ�°K;h߀¬0ÆHÔi‰Œ:�1“2
-Ä,ÜøŃVýà}Up„°§¬?‰Ô�O ãCaB¬b¬Ã¨®—4¶×¯ºnO>ÛO3¸2bŒ�à}–
}
eBnhŒm¸O³U�âÇ„Y!Ä݇CæN¨o¼®ö¯ÊôêÅÓë•É,P¡ˆ0õKÊåÊík3IßÏÐpT§š·|mký??‡dáú‡Ç§�4r=í¤­ÌÜ…X5@HM•1ôßö0~á¢Mƒ	>�‚8ϨF­ÃÿoÈQ˜z|o
‹µzÕW8Ÿßœ0‹ªšë¾œ¾a:+¦ÆŠtÚBûÞÒ·×ýÜ.Þë9¯šƒOí›KŠ8'ãž®à^J@m0%ZXGSëE°Îoîù—H38Bn«’'Máßõûë¦õ½£búFu-Ǻ}ñ‰3Çc'u†/""ªÙrÎÉYáZ(y;!ˆ�Ð6Æ9Dn†uC£ÖÌ)Ð^§\a·I¬(lËÃÙë—KIɸ7œÉkžµÑôZÀÓçœt”‚Ñl–KæP"’îAn†qci/¼b$A–™+Ÿí%Ø�»Yêe…@nˆ²ô¦­‡Å}Õa.äŠwAyåW¡Þ¿tPôSä'®Jíªºê/$SBCE"¦Îw“@¾D¹GãKnãH
#kð¥Ú	Q]Ù/€¬_¦gýùŠ4éG3�-h÷º/*â‰Þ
-I)ºì
-4¸ÒÔÈhÛ=LÜ1÷t! Ço°°eì}p%
+xÚ¥Ërã¸ñî¯Ð-tÕŠK
+¾÷\*TÐÝŽ؃¶~eX\/ˆÛ´�E«µR*L£X­Ö£ú�f©_õ¶FÜ^·§_xä¾;6Ä$u¤i±êšVà•´Ÿ0تkù>i²4}O
+â’°Û1îˆóŸ™µ¥_~w¿ÀU@"H¥*ÙºËu×}^—¼?Çû›ÀÀã“5ðÉueZ¶%�â0ÎcÈ>"%sŠÿûB`•æAÕø7(¼àº-
¸d³k
ñVÏ©ÆÝ(!1ܘ
+x¨mO'Gx`=ª£¿w¾`6OÓ$x®@Œéâ‚kÏâÊE�*(dãh.·ó-8ÒíŽÎÊ1…"tL°©Z[5Ú’ã#f׶wÆH,؇áÀšeó*/ÊÔ;Öì©·ÆM“Ê™·.ʺà<E(áq.žñ.]°bE’_Îølð›noMKË¡÷1ÓŸÛ®=7ÝЃ6„A8šÀ¹S6+'"jӾح�€<(“OÉ[aq:T%ciúa%uîwG°FŸ‰ÂÖÌ‘¬®ZÃ(UK¿ÖÀžˆ·ˆÿÈaRl8ta5&
¤ÖÓM0¸%§rÉc!ã¸
ê!¾°ØÜ'IP5ãŽÂ׿Œ1�}Ëfóõ-ˆ¤©}vêû®¬Àíxªœ"aetÉ+Ÿ4·(Íêu²ùÅeõ‡:'ĬëJBÁ½ÄOÝñ¤�;ÔÍíÞÈERʹéL«°ñ	1�¥â,Øu.,ñ¼³¼0­Ðe¸ÀT#`ÃJâ]óZË»›,™r¡ue¡†ºJ!‹©¢-Øó³R >Ý.u%Ø�fñ”_Q7K¥
+s­;Þ1~e1½¨”û1¤4"ÏIŒ¼¥»ó·Ic¦ñk¢'(u~ê½öq²Ô|†€ü÷'Nf~ñeu6§c]…B*¢l¬«)WÕÛ¡œ†î°>C_\½ÖŒòµ«Íÿ<µgQðÃãÓGZùÑk6ýd«�UŒtk¨�ƒ1¢Ã]¶Æ_úi4¤#&@�è<ýA*Å9Ž€pXë7su�ËÎÍ�v·¤ü©`ð´6û¬�íÒEÍŸ§ù¤7Ž@ãh}?ûŸG£è²’|êNfª|±„9™G�‚[~U
+¿õûëÙ꽫bþ)åZ�u÷2æ÷¯½ê#´’ø!©µÈ¹td…ïô¤woºµú„ .‘d8¿å�`v0
­ºö’áz{àIãÞe\®-
+—kóèÃEúRîlý§†ÙG'ç£éµ‚ç_ÒIKF·Yîì"
+©üw£ŠkÇ{aØNÂ,/2ßå¹G°+³tÔ¹oÏÒ›éwU�)›SÄ‚.R^MeÓ@NM¸"‰©ô¶ª+{& ¹:*2A0
hëÒ:ê]Nd�{MX9G€_*ñHêÊ
äâŠØ0?ÏW¬Éf¸º°Ù‚‹^·ïE<³[¡¨’Ów%
+
ejÑ�ª€Ç*EF� ½ÍRqÕâqÖª)Ê_¸2PyL|Jwåˆ?/ÕºôýwÕö ö‹4xÝ=¼óýÊ~´^øZ�…îÿþ6>ý‹ ÎB•çrúì­®>Ç9a¡\I�n$÷ÑoEÿ7>�“endstream
 endobj
-657 0 obj <<
+908 0 obj <<
 /Type /Page
-/Contents 658 0 R
-/Resources 656 0 R
+/Contents 909 0 R
+/Resources 907 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
+/Parent 881 0 R
 >> endobj
-659 0 obj <<
-/D [657 0 R /XYZ 56.6929 794.5015 null]
+910 0 obj <<
+/D [908 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 54 0 obj <<
-/D [657 0 R /XYZ 56.6929 769.5949 null]
+/D [908 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-660 0 obj <<
-/D [657 0 R /XYZ 56.6929 749.4437 null]
+911 0 obj <<
+/D [908 0 R /XYZ 56.6929 749.4437 null]
 >> endobj
 58 0 obj <<
-/D [657 0 R /XYZ 56.6929 609.0996 null]
+/D [908 0 R /XYZ 56.6929 609.0996 null]
 >> endobj
-661 0 obj <<
-/D [657 0 R /XYZ 56.6929 584.3177 null]
+912 0 obj <<
+/D [908 0 R /XYZ 56.6929 584.3177 null]
 >> endobj
 62 0 obj <<
-/D [657 0 R /XYZ 56.6929 437.466 null]
+/D [908 0 R /XYZ 56.6929 452.0712 null]
 >> endobj
-662 0 obj <<
-/D [657 0 R /XYZ 56.6929 410.2571 null]
+913 0 obj <<
+/D [908 0 R /XYZ 56.6929 422.2123 null]
 >> endobj
-656 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R >>
+907 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-665 0 obj <<
-/Length 1888      
+916 0 obj <<
+/Length 2095      
 /Filter /FlateDecode
 >>
 stream
-xÚ•XK“Û6¾çWø¨�‰UIÔÃ:6iÚ¦3Ítší©é�kÑgõpEÊŽóë -oÔN:>
�
-Œì„SxóþÃ$ý»2ã<í•ý=ëIõj°&˜IóXäeÆfÊ".ÅŽÖÍâôa›&Iý,§æ"'63}mFlê¸.³’­ˆ4Îïþ‡A­Ì¢VNé.BCøEc¥ˆˆFƒŽ@£idh²•gEÊv’�¶zd×]‰õ¤Ô@h[6×��26~ØŠ¼Š~'èåÀJz0LH4e^#¯ˆŒšÎjâ%m+-:…n¤i\EæÜà­€û¼.P'5°£Žtá@ƒƒógìi$÷V{ýf¶W¢n6Oj:ŒSï-ɦד|êXNúR(�àÇa£u¼KÚèc‹6«J|÷–h94D¼ÿí\uPÒÎtCœñ@_N júôòJĉœ:ó
-v¤ï�ý9
-Íž3
_·F^¢vß2Ëm	@=¦Â­FÍ�4F€!g,©£ïÖ‹HúÔ…ˆ‹Rφ´‚ñ¥É{ìÅI@Á®!šë8ìnåè$÷ØNý;+ß‚ÇO7Œî®:êÒª�‚0è»áª¼›ù|ÒS
-½z÷þËòÿP‰"Æÿ»Öþíò"Û›ýÕµDg(°±È’`Ý«^.þ7ûzµ
+xÚ•XK“Û8¾çWø¨®jkõ~g2™ÝlÕ¦¶&½§ÉØm±Z�HÙq~ý
+´
+}ˆM“­¸HÚl&Ñ(£ÆAtÝ�XÏRDÁnÃâú±‘Ú„û4+ƒ_ljôbàMjÐD¥‘—ZN9ñ‘¦�B3â8¬ó<±f°*`>ŸÔYäȆ†ãM8Òàhí{‰ƒQn3›Q‹Ì³œŽãÔ;I¢éÕ$ž;^'4ýÓUÁ‡^Ñ:L¢š¼öÔ‚Ì4Jqõçï‰>JafºaMPÖþS¨ UÓ_/nDœÉ‚‹3#ý?ó˜/É÷ÿýj0x%nK;^%èùPf
\u—�f!£•}ƒúF®à3¾sù½x±U­—‘³fÞx¤ÓBäHÇÝšŒkW¥[Þ2Òÿ
TP
¥Xt¡'7Ö7mdo¥äÁqœÜqþ,q>wê@–`ì%•OÁïÿ”ÞZ[ËŽsç¼ÜÏ�Q¦%•E#›Gö~×�W5œ8®`Q³Q_Ÿ�¿E{ï µ9VfDÎŒh›IJn°Ô ]H*~12
+€—%
+4±NãØó<aÿi
÷<0ÏÝ'p<ªEK¾â
+ZYX¸"J8áfÌ¢ÊRú4A0>Žß)0_’¤$ÏÍÔb3�œK*QcÈ
+w
ÑÜ9’®^6qѾ‹´­&L�Å�/,
Ãßr¯­ô˜WÛ†…+9Ü›íŽû
+Ñižü+
+×Ûöçé-Ä3‹B¼	ï9‘Z¦’
+Ûdƒºkú_GF	™Þ)jÇqŽòß7"¨ÙÛwðöëXÎ`ççNI¡�o¶‰eaóÈBýõB
÷vùWeRå ž‚ ¿ûh×ÔWY„Ãvâu_èÚ8@–YuÜ’1Nlz?îélsÁu)–O?r'çà» |“zÓoÂ
pSWÕÖ�¡¿fèG%¿ò-ÝÁŽ-æn_泶XR»V·æK§%›8ÁI¥i‚ÞðØ�š˜ÏŽ±vr#½×�±h°|/
	N$=Ñ‘r/€;þPC#¡�k zßÑŒ8…\$O2hC|Ú�tE•_MsWj3”­.ª™m”ÁÄêe³ø�Õ¼c$×?à^ÔÏÖ‡¸ù»ÅÊ&ûòÍ#	ÎãÕ¦:�B»Ï 46îSŒO*€‚�ïÎAöÃ4ijq•Žœ•Pðúâ‡xˆæ"#Nrý?p½XŒ¤8Ã�¹¾‡Eþß…ûìq‹Ç|Û«×�ÇóÁCê
8h7È
ËÕ´*
 endobj
-664 0 obj <<
+915 0 obj <<
 /Type /Page
-/Contents 665 0 R
-/Resources 663 0 R
+/Contents 916 0 R
+/Resources 914 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
+/Parent 881 0 R
+/Annots [ 922 0 R 923 0 R ]
 >> endobj
-666 0 obj <<
-/D [664 0 R /XYZ 85.0394 794.5015 null]
+922 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [519.8432 268.1131 539.579 280.1727]
+/Subtype /Link
+/A << /S /GoTo /D (acache) >>
+>> endobj
+923 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [84.0431 256.1579 143.605 268.2175]
+/Subtype /Link
+/A << /S /GoTo /D (acache) >>
+>> endobj
+917 0 obj <<
+/D [915 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 66 0 obj <<
-/D [664 0 R /XYZ 85.0394 769.5949 null]
+/D [915 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-667 0 obj <<
-/D [664 0 R /XYZ 85.0394 573.1436 null]
+918 0 obj <<
+/D [915 0 R /XYZ 85.0394 574.3444 null]
 >> endobj
 70 0 obj <<
-/D [664 0 R /XYZ 85.0394 573.1436 null]
+/D [915 0 R /XYZ 85.0394 574.3444 null]
 >> endobj
-668 0 obj <<
-/D [664 0 R /XYZ 85.0394 538.4223 null]
+919 0 obj <<
+/D [915 0 R /XYZ 85.0394 540.5052 null]
 >> endobj
 74 0 obj <<
-/D [664 0 R /XYZ 85.0394 433.7668 null]
+/D [915 0 R /XYZ 85.0394 447.7637 null]
 >> endobj
-669 0 obj <<
-/D [664 0 R /XYZ 85.0394 392.81 null]
+920 0 obj <<
+/D [915 0 R /XYZ 85.0394 410.3389 null]
 >> endobj
 78 0 obj <<
-/D [664 0 R /XYZ 85.0394 329.225 null]
+/D [915 0 R /XYZ 85.0394 348.7624 null]
 >> endobj
-670 0 obj <<
-/D [664 0 R /XYZ 85.0394 290.8035 null]
+921 0 obj <<
+/D [915 0 R /XYZ 85.0394 311.223 null]
 >> endobj
 82 0 obj <<
-/D [664 0 R /XYZ 85.0394 191.4678 null]
+/D [915 0 R /XYZ 85.0394 189.9853 null]
 >> endobj
-671 0 obj <<
-/D [664 0 R /XYZ 85.0394 156.6041 null]
+924 0 obj <<
+/D [915 0 R /XYZ 85.0394 156.0037 null]
 >> endobj
-663 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R >>
+914 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-675 0 obj <<
-/Length 561       
+928 0 obj <<
+/Length 611       
 /Filter /FlateDecode
 >>
 stream
-xÚ¥T]o›0}çWø¤áúƒý˜¦´K¥¤)MSׇ4¸
ÆÇÚþûl¢tOŠÌ=çúúÜÃu0@êÁ€ùÐD€@x�!ÌÀî`!°WÜ�…MŽ;&¹Ó¬ëĺºõ	PøÄÉ뤇ˆs’ôÉ&�AGU@v¼Y¯"‡vÞ8.aÈ~X‡ÑÌ	<;Y¬î4�“p;.¶ç_gë$Œ4EL¡ëÅÊì�ÂøaÍÃ1zÜ,¢p®’ØyNî­09ö0í#Ú7ðÛzzF UíÞ[RÁxS
‚X–Ç(d¥#’[±õx,8a‡­Ÿú†$TytiœG
-.â¹ÚáñÑ@/°…vå¡ÊrÙèh[¤ú¥v¸Ý�N-Ãê%ßÖæö^j¶è/²ÖTùª×M‘½»yöˤ”ÙŠmÙg'žùæ0fgEZ¾M«D¯W}›}cCÁ˜qJ™¤fƒ*þ¶ìEøD•ìWjw•Û–nºm¥Æó¬i53ÈTH3qWÁZWó¥�˜ÝH©áö§)…³›e¨Á‘ÜàYq–¨^ÊÊ)ÿÈ\ci6¸&wmYhVËÐûÎzÓ÷ç4ìB/MÙ
5vRÇ©j¨Î^º6+ø¯±§ö³úÉ�ªŸqò¿¯Äé 圜¦}:•„#(zÕwÉ/„�WçRù_`éendstream
+xÚ¥TMs›0½ó+t3EÕtÌI�;ŽÁÓvÒ£$šbp$Í¿¯@Â&Mzêx<ˆ÷vŸvßzM
+ˆ,}Q7c‚}vû ­ƒbÓJP*ݾ-Wfü¦=»DÖ+ýÉ\Kií“ù'çs·?0¦¥ÃUõW`[ïí¡”Ï²´ÇB
>Ém[7¯ŠšæWN¸ênÈÚÊQD·�ºïZ3ô¯åcõóÁª˜¯›æ/æñß*ŒKzܹénÐ8AabD\Q½Í„¾«|Üà÷¥ÿ
¦œ@šendstream
 endobj
-674 0 obj <<
+927 0 obj <<
 /Type /Page
-/Contents 675 0 R
-/Resources 673 0 R
+/Contents 928 0 R
+/Resources 926 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
+/Parent 881 0 R
 >> endobj
-676 0 obj <<
-/D [674 0 R /XYZ 56.6929 794.5015 null]
+929 0 obj <<
+/D [927 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 86 0 obj <<
-/D [674 0 R /XYZ 56.6929 769.5949 null]
+/D [927 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-677 0 obj <<
-/D [674 0 R /XYZ 56.6929 744.7247 null]
+930 0 obj <<
+/D [927 0 R /XYZ 56.6929 744.7247 null]
 >> endobj
-673 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R >>
+926 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-680 0 obj <<
-/Length 1190      
+933 0 obj <<
+/Length 1222      
 /Filter /FlateDecode
 >>
 stream
-xÚÍW;�ã6î÷W[É@D‹¤ž¸j³y )‚
-.AŠ.D‡óøfæ“EW	üèªÌH«tUT)Éš­êÓC²:ÀÙ·Ôë¤'YÊ9lN㌗$+Y±Šo�|¹}Ø|“²KHž³lµmf_y
8\Ø�b0r\Ç,K"¾þeû=^KIQÔ^KÀENhÅ�þâ$Qù'9žÃÅgÕHv˜FaZÕ{3|U‘*g¹·’S’EêÌ|×ÃÅ*�̱ÕvÅ#-kwÕ‰/ŸÃ¸¦e¤Îkµ{/ÓêVÓá µ‘{´Pß¡QItª?x«­9¢êas]ÛK¯Ô¨ÌQ¶#Ê&-É:NS½_W,’ÁœV6=›¥¤Ê2æû½‹Uj��€%¿PC[ãR5øDM¡U/v�WSƒOÖZÓö2—ƒ¦„§9ó@¦”äIE�_Nè:¦Iõ§!{~
Ål(„ìqJXî
ͦž¼Q!ŒXõÝJÞT±Ð,³ý…¸l-<Ï
-¡Ä¸ØyýºkeoôR�ÛƤ(fÕ>Sç9³á�ƒÂСgr–FO�×üu’ckûÌnÌã„;5íÚÚZ
-®Ý‰ÀÁ
®v�ª“Fm
-�ó:ó=|ïß;O“9ª¦ÎÎö¿¤}GÞ´rDïXF÷-˃*–ž•A ü�XˆÆ*ÎT:æ(Jƒ?W{»@àß^™ý|`,] Ž4ÉHÁà­ˆ„(s	F‡w€×Àèo!¡©8+½ç
	¯÷\'<ÏuâìáÅÿ!wT:íöê$Z_¡¿ˆ™Be“„ç!føïâ^Ž­¬ào!¿�m‰CÁe5€B=—Òÿ1ëˆþåJ8q™ÞÇn´«ðœb/1ufi<!†iÔ®OÃÌÅ”³»_©pdp1Üò•¿oèÁ¶–‹'MøÌ…ìŸráÃ×Ûù»$|mðŒØo—¥/— _uð³å¶SyR
+xÚÍWI�ãD¾÷¯ˆúäH¸âZ¼©OÍ°‰Hs`8Tìrb�SeìrBƒæ¿ójs6sà
+©Ç¥·†EòS€Š2Of=§&ü¡W.tÀLFXôÚyÉß'1´¦÷fÓ¸<Žn§&=Z|KÁµ½áDnãÖ
[;ÑiteL-dçÞ^z@3Š Ñr0¡sSùØò¶Ð°´@EžQ/ëph‘@#†I¨„ƒÜkg+¡Û“€:cŒ£¯&L0À3LDc‚o`Â=æÕÔÕn¹ó"¦iâ$ü©ÏÍZ™Z}!W‰37µu£VDS' Ðò‡4A¤L\û6è@{{VnZ&ÜvœvR˜ò›ÍÙžÛñàVÚkÙRºåÜX³iuD·°qÅâUwñwñð—{à’ œˆ¡dCØËía~}øée	”®[³M#AJTyy+W·´@Aÿ­äóFèjc†£Þ=æ0Tè½>Ú˜ÍEq)·+\]gR½
=^Œl9¯ËσØÚ»Ç
+ÿ¨2ûù@[ –¤('ðVt„(þ°	F—7¯€ÑK‚sTRRx;Ö›#<鹎{žëøIÜý7¸Pé´«Õqþ›ð™˜1t6Ihb–{â^Ž­(áÏ!½Žm‰CÁe
+5€B=—âÿëÄæ�/n¸GÂä^xÞ`W>¾QAF?°9¯ª™Ù;ëƒû9âãòíÊwÁ®|»�0«ðœIª
Ÿ:½äÊ0
£•0ö1¦ÿ˜SM™^ÿ^r0m%©ßÑ1¡¨Ä	ûOèøéÛíü•¾]hŠÌ—ÐÒwP‰/2î#èñ4ÉPAÊ<2yazïmþ¤zt÷7¯Ì™øendstream
 endobj
-679 0 obj <<
+932 0 obj <<
 /Type /Page
-/Contents 680 0 R
-/Resources 678 0 R
+/Contents 933 0 R
+/Resources 931 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
+/Parent 939 0 R
 >> endobj
-681 0 obj <<
-/D [679 0 R /XYZ 85.0394 794.5015 null]
+934 0 obj <<
+/D [932 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 90 0 obj <<
-/D [679 0 R /XYZ 85.0394 769.5949 null]
+/D [932 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-682 0 obj <<
-/D [679 0 R /XYZ 85.0394 575.896 null]
+935 0 obj <<
+/D [932 0 R /XYZ 85.0394 575.896 null]
 >> endobj
 94 0 obj <<
-/D [679 0 R /XYZ 85.0394 529.2011 null]
+/D [932 0 R /XYZ 85.0394 529.2011 null]
 >> endobj
-683 0 obj <<
-/D [679 0 R /XYZ 85.0394 492.9468 null]
+936 0 obj <<
+/D [932 0 R /XYZ 85.0394 492.9468 null]
 >> endobj
 98 0 obj <<
-/D [679 0 R /XYZ 85.0394 492.9468 null]
+/D [932 0 R /XYZ 85.0394 492.9468 null]
 >> endobj
-684 0 obj <<
-/D [679 0 R /XYZ 85.0394 466.0581 null]
+937 0 obj <<
+/D [932 0 R /XYZ 85.0394 466.0581 null]
 >> endobj
 102 0 obj <<
-/D [679 0 R /XYZ 85.0394 237.1121 null]
+/D [932 0 R /XYZ 85.0394 237.1121 null]
 >> endobj
-685 0 obj <<
-/D [679 0 R /XYZ 85.0394 206.4074 null]
+938 0 obj <<
+/D [932 0 R /XYZ 85.0394 206.4074 null]
 >> endobj
-678 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+931 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-688 0 obj <<
-/Length 1948      
+942 0 obj <<
+/Length 1842      
 /Filter /FlateDecode
 >>
 stream
-xÚÍXë�Û6ÿî¿BØO23|I¢.Ÿ6¯v‹d“sÜ.Š^?h-îZˆ®$ïvïÐÿ½C)Ë^9›Þ¸Â€5$‡Ãá�Ãy�~,ˆb§<
’T’ˆ²(XW3ÜÂØw3æxži1æz¹š=ó %iÌã`u3’¥UŠ«ü—PAæ �†—çïßÌ<¢á§7Ëy…?ÁǶ?||³<Ÿ'2\]|¸ü4_$4•á«ïÏ?®<ÇÓ2^}¸|{ñÝ�{9ó_W?ÌÞ¬†]Œwʨ0[ømö˯4ÈaÃ?Ì(©Š‚{hPÂÒ”ÕLF‚DRßSÎ>Íþ9�Ú©“È1J¸
-:ýÀ²¦ÜeVi2$$\Ù�·f"WÂ_àgÐJyXܘ^>4sî�ÞX»7¼ý•Ð8puu…ýƒÓ0�û¢ßàx­ûû¦ýŒÝÆ°ìdt?f¼¹Á!1æÇœ®Éݼ:Gn×-žMú@�JP¤GÂ�ÍpíÖ¤2Û¹S¡Oã°ð  Yip\Hö›ÌÉ^—…®{×}_”¥ënêZ¯�q–æ«3¿Teì¡vË4žè7ª†zxµ�>§Ù•þÇqZ�@Z�Pˆ2–~]^À ò+¥ó‚ÿn–×c¤ëI
pYŽô3E-üž"fDÄ’
IÇÁV‚P‹
-&�Ã¥îš�=€µF—±ŒÛÿ¢].áŸaûuÖgÇ' x­˜FÁXÛÿ

-<¯ŠºèzÀ�—hƒ NÑ7xn¦Ýã^-�Çß�¸ïÆ+òÐ-&Ë3ú¸âã…±Ìæ?  Lì1h–e
ÎÈÚ�™ƒu®1šëÝímáûX j(ÿüd¹-°`ÿÊÇ«9”ÏÚ‹AÛóSv¦aMÝŠ.º©(ÓA[àiM9
¹™˜¼Ã4x2õüÚ·é½S’	Üŧ½Á�)9¥ì!}¤¹Ä~¬úŸ<SÝendstream
+xÚÍXYoÛF~ׯ üD
Ñf/^Í“s8u�8®¢Ô(Ò<ÐäÚ"ÂC!)«nÑÿÞÙ�%EÉ”í¶Z÷˜��ùvvŽe…s<Ÿø�œ ’Ä£Ìs’bB�k˜{;a–fÖ͆T/“ç'"p"ùÜwW^!¡aÈœEúÅD�)p îÙñ‡7Ó÷¨ûéÍ|êyîÏð1ý�çoæÇÓ@º‹Ó�gŸ¦³€FÒ}õãñù¢£x˜Ç«�g'§o?oùL¿.ÞMÞ,z-†š2*´
+ß'_¾R'…ßM(Qè9èP¢ˆ;ÅDz‚xRˆn$Ÿ|šüÔ3Ìš¥£È1J¸ðùtÑt^D|Á…�î÷ªTÓ™O©{D	ˆÀ’•³8Mk׫øçþЊ:<"aÀ1F"Ïã†A{»²Š¸iUýÂ�Ò]¢«,ïvÉ«$ΗUÓ’ZÝíQãq–U›]Ý"}Y!Éltó?Gw{þ×^Ø=ãÚ6Ú厨ØnT}Óµ¯*ÛP¿ÅÅ*W$©Š1	¨
(Ÿ¬
s’^Ž£Õi{znµ…³SM£ìVWVÍ<¾QC�í|œçÕF¥ Ê~ë¸l®ÔC` ¼†ÃlwÉ=°ˆæ‡nˆU¨#ðˆ'qø�³v¿eÄ@Ú7‹òš<€ÆÐ4v©ÿŽyAFUZÇ.rùíèÞû°g!»ö±¯Ú¡{2©šN=óœ2�C΋
Îëù	g“DHpgà²`#�Î"ëæùtÆ(°z_Å)ºä—q—IV^Ûåbàð`5‰Dèꎧ3!¥»ª³"k3}κg[è–g�Ð#¹a®[—=sÓMâÒŽ+\'ËLÝ(K�ÙYãet㵎3†þé×MÏ«Xçm¶Ê-¥­ž²ÐUIe¾iÓhåÃA¿ŒEú‰€D‚fâD/ä¡èîï3èEÜÍ®ô¨to«)s×Ø^³×´í…P8qqq�ã½ÏÐ�MÖ.q¾Tí¦ª¿á°¶+³½�ž¯®pŠéàáÅÊ`»Ü®+S¤¶ÃâÙ¨›
¨AZl˜ã¢c iªu²ÄVlF<{*Tã©ýt~›í2¶¼“<Sek‡7YžÛáª,Ubi´¯Ô_w[ÚJ»MÕ5Úe†¢¡�ØZž-Û¬P?ì§
Dî€rGøŒ_²Gå2‡0w󊶪“càŠJ€ë(ð²ÍN»]V³N'0íˆHõ9ËΡҎ
+yÌêŠC—­N! �Å5
+r›ZWéPÓÃ9º§v±G7lNdY^V7&=
+ƒmè׈�nAu“VE~k{( 2Yä``\â~ÓN¸ee£yfŸ#^à·ïÛ/³ã˜5
'ì—k�u?@‘�#[� cu‚Öº±!4±�òº[µ«Óp¬]×¥J÷ÄH³&‰‡´=WkmŸ¥rHcd²T°…7RØKUg9¶+�£ä[øLòÆwÌ2N­>¤ÉÉR~ò
)¬…™Âb{©8óÀ1„1öVCV9«êë›ýH‰ç‡ÂÒ6ëËF_…M¶0Ç|p«*Ê¥]]­Ú„ÙEø$´“¨ßÂ(¥³^uè­‰E’ø&àL}í`c>öº¶¥>ìj,�–c>7ù¶y@¢¿'ƒ'<„¹ãðzš{eØ礅 c¥áŠKßg¡~ÿ"~ðî%Жˆ˜$šW<[É%VªŽ‡GÀú¨‚£ð€Yè÷ϊ̲[LcnUåö�ªŸ»Kt1�‹…ÑÐøÇåx«Ìz¼f…žg_6ËÌT!X@¢åÆNªš¤Î.�{§!Ì
ã8ǹ¬„›¸Re_šòR“gñu	Þ K´—çºR+²2kZ�Å�%B_
,k«ÚVHà¾PkCs—Òð+]ª=՛ۦՑ¸‰íŽr=„PVµcò¯öŽ_Q—ëëë~¼ç^öÀ6`S,9tYàx¥£J�“ªÇ¾Ún¯›ˆÃ¡½O
:©Ìë—¼#{÷¾;"ü_Gƒž†endstream
 endobj
-687 0 obj <<
+941 0 obj <<
 /Type /Page
-/Contents 688 0 R
-/Resources 686 0 R
+/Contents 942 0 R
+/Resources 940 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
-/Annots [ 693 0 R ]
+/Parent 939 0 R
+/Annots [ 947 0 R ]
 >> endobj
-693 0 obj <<
+947 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 208.0574 126.0739 220.117]
+/Rect [55.6967 190.8043 126.3509 202.8639]
 /Subtype /Link
 /A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
-689 0 obj <<
-/D [687 0 R /XYZ 56.6929 794.5015 null]
+943 0 obj <<
+/D [941 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 106 0 obj <<
-/D [687 0 R /XYZ 56.6929 492.2203 null]
+/D [941 0 R /XYZ 56.6929 480.2651 null]
 >> endobj
-690 0 obj <<
-/D [687 0 R /XYZ 56.6929 453.7474 null]
+944 0 obj <<
+/D [941 0 R /XYZ 56.6929 441.7923 null]
 >> endobj
-691 0 obj <<
-/D [687 0 R /XYZ 56.6929 385.673 null]
+945 0 obj <<
+/D [941 0 R /XYZ 56.6929 373.7178 null]
 >> endobj
-692 0 obj <<
-/D [687 0 R /XYZ 56.6929 373.7178 null]
+946 0 obj <<
+/D [941 0 R /XYZ 56.6929 361.7627 null]
 >> endobj
 110 0 obj <<
-/D [687 0 R /XYZ 56.6929 177.8714 null]
+/D [941 0 R /XYZ 56.6929 167.4388 null]
 >> endobj
-694 0 obj <<
-/D [687 0 R /XYZ 56.6929 136.2124 null]
+948 0 obj <<
+/D [941 0 R /XYZ 56.6929 126.8733 null]
 >> endobj
 114 0 obj <<
-/D [687 0 R /XYZ 56.6929 136.2124 null]
+/D [941 0 R /XYZ 56.6929 126.8733 null]
 >> endobj
-695 0 obj <<
-/D [687 0 R /XYZ 56.6929 109.3045 null]
+949 0 obj <<
+/D [941 0 R /XYZ 56.6929 98.4089 null]
 >> endobj
-686 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R >>
+940 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F21 654 0 R /F23 678 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-699 0 obj <<
-/Length 2677      
+953 0 obj <<
+/Length 2679      
 /Filter /FlateDecode
 >>
 stream
 xÚÕZÝsÛ¸÷_¡—N¥éÅA°O—Ë%×ÜÌ%×ÄiÒÌ”– ‹w©);Îô�ïÀ$EJÎø©ã
àò·ËÅ~f3
-l¦SBE.gY.IJY:[î®èìžýtÅ<Mˆ’.Õ×W}­ø,'¹âjv½î`iBµf³ëÕ§ùË¿¿øõúÕûEÂS:d‘¤ŠÎß¾øå®|€Gi:ÿg xùîíë7?}|ÿb‘Éùõ›woIFs	o^~÷ݯ¯ßû°ø|ýóÕ«ëøÝ/eTØOøãêÓg:[Áÿ|E‰Èu:»‡	%,Ïùlw%SAR)DXÙ^}¸úGì<u¯Ži.š¤šg#ª“£ªKs¢Nuö›a‹„QJç?–ÅmU7m¹Ä¯½^0Ææu½mì—žèàÑYÂÉy–;¤ë�ñD]¦,'4eVVK³*oG€˜$¹ÚÓ|7‚"‰ÖÀ	6 àJN„ÊxDI¸dó¢Z�ÀqØ®¥'­šm]ÿ~Ü�`Ê´Ï2O¸?,˜ž×·‡b×
-;ÏÉÓ”õ?ভʵ•jm8/+ümÚ‡­Á!JƒúØî�-ŽA¨]Ñ’›¦°ƒàhJç`\9÷^O”t©¦M0RuŒ¢Ë3‡W´àçy¢ž=» `^J¦}¦ÖZN³ùªÞNCTƒ¦Pe]áÃ[Üñ½S%ÌÿMS:fäR°6ñ
VH1Ë™·A¢�µo7²›Ò¸]
-Ü5XÛoMëéëuhü’7h7vfq�çjþÆoŠÆÛR
-’S¡ú¶ÔÞ׋DP¢¬Ló·E"Ÿ7¥eŠëeÕšC±lË;óHˆ#gÚbI�óì9¼æìÛ…pOÁ$~‘}rS´ËÍê~S†EóÅ,�­ipVtáìwоüè^`Ò¦°
-¿rL6È‚ëær[4ͨJI–
-9
-˜êUM—jºª‰TÝ*µËÔ†<I•:Ï5R�°ƒÀ(lYÜã;]†3ÉÏWÐÜ™Æxx„£l]ešÎÍn5C¹`ó¯¦Á%gõå2’øŠWBÒu>
-\ñN
-‰S=ë4¡‹1�à#UÏE}6ÂpH�üÄøT¯+‘ª›K’¶NÖe8Ýíw¥š0ý¿È'ñìÐu>�&a4Uy/9ô=[çÁ(aäŒ~�%qVµÂ…û�+Zs
-ÑWðXèöh{Ѧ»ä¡n
¾Â¡=aDû…‰¯’qâ�Y‡ã`Ï»J¹ò4wÕçÊ�.Ž.škQÅ¢Õ2¦ü€fÝéÐsç½0Ý<ì"E‘ÿ“üÙŸhZçl]ðÆ@i¿º„�佂ÎQtÕ©êGBL§Ædfü	h4¨0“s�Ü®#ÐI<<
“0²Û_ŒGv„
-µ#÷‚+ÏÌ.¹Qø}lHì¬'¬#[÷BÏã–jü½ñO¬ÖÖ•,¿r4êÓ’À°Á_T3·Ü>íl‹kÖ´?ë€gè£î¸fq3où§{³,-²²ó»
-#¿UÃ¥ìœô­£e0fÆOØGG÷ãÑê‹aº°¿®Ï³”Z;Gà32’ØMZKÿ&žPÃ`3GÕÚû¤M4�Ý×Û•³)îÊÚIdϸ¹žß{¤•—¡ª=-âÕ
-ÅðEàð{»
åÈm–&™Œ%â¹J&•…S4¦ý±1ã7dh¿á¸Š†Ö+2–0‘Û®SÙ$F”d²sõÈýÕã‹Õ®¬@•‡"T
-ñPà·æ6žøï‹CÛ¿)ˆí<ÔÓ�F½…Ÿ•�	ŽÕÚLf„ju¡ÖîRM×Ú‘*8Â*YnÌòw°ÄõIÉ­R5Y~^€H5"A¿)�HÌû"Lž71;’1Øš“Œçüô¢Õ·RöÕf°/ÍCÕ_†{rZ8ë“ñfØ	C&äPœp¥ÒxIGùvú>Æ^ÄjÊÄs*¨.ÆtU©.VuŒAŸcK¥çÈÔÁ˜®ê"ÕØûâî·»¯gOF˜bŒZÇ8s0˶ÆK½á)�$Š§ì[ïEÖåÖLœ;€kNU÷¼`Ìy50¦ê¼ë>ÒL;®§hëk]™S·…�’LŸciNx÷]²¼ËüœÃêS‡
VÂƉ'9lÂhÓ†;t¬xõqêÏñ´$&Ø%^O_Ž¦Dpö¬kȈpæbi¦ÝÐo¶H‰ý¯�†4Œ=ûŸƒÿg
-LYhÍÇ�@P†žgA(+<cCÉã�Šþ?H·endstream
+l¦SBE.gY.IJY:[î®èìžýtÅ<Mˆ’.Õ×W}-²YNrÅÕìzÝÁÒ„jÍf׫Oó—ñëõ«÷‹„§t.È"I�¿}ñË+\ù
+›öakpˆÒÁ >¶ûc‹cjW´äĦ)ì 8šÒ9WÎƽ×%]ªiŒT£èòÌá-øyž�h„gÏ.(˜—’iŸ©µÖ„Ól¾ªw…ÓÕ )ÔAYWøðw|ïT	óÓ”Ž¹”¬M|ƒ•C̲Aæm�hgíÛ�즃4n×€w
ÖÁÀö[Ózúz
¿ä
Ú��ÙA\㹚¿ñÀ›¢ñ¶”‚äT¨¾-µ÷õ"”�(+Óüm‘HÆçMi™âzYµæP,ÛòÎ<âÈ™¶€XRà¼
{¯9ûv!ÜS0‰_dŸÜír3„ºß”aÑ|1Ëckœ]8û´/?º˜´),@×	
+üÙ–�·z§=ë´]lq‚Èž²2V}‚Ñù‹íéózoÍ¥ñè1ØÉriš¦¼	N·FcÚá·�ÑÂs;õ@Hu\ƒ7HEƒt8â
"±P)ŒÇ\Åû
+c©9Ym~lŠ[3)“�D¤Z=K¦fü|L¦@\,Q`eŸ¾GWK»®&R¢UšzWÃè‰d=d¡·õdŸG€‚Qy¿ÆPq
+$ÑR O#@)ɳLyg=Iû°7#X�œ³,ÕQ(üÊ1Ù ®{˜ËmÑ4# *%Y*ä
+�²u•i:7»=Ôå‚Í¿š—œÕ—ËHâ+^	I×ù
+›Ai:ÿÁ¯Ìº8n[»ùJ W—ufÝ6øÖ�iï�©ðÑ‹"X¶e±¯^$ôLŠòkP
ÑÀÞØ"¥2Þ8‹Õ
+ͺiL0º›Pú–­·Îõ±ZZ³,ü§[ó
vtã-Ô|iMµ2«àÖífàÌ'1À›údbO)'TÁN>#‰v1¦{¤º˜ØeÊ….é92u1¦{¤Š¦‰á=)^®¶‡ëû»ï“åXáУñ<Fü‰Èónß^¬ªUÝ~`{p"ïcâ¦èä_—ñÊ��6î	9ÎC¾�LC™ÈD?oL{(MóÔüy&½Û}u
íHr$Ë5jõômåÜ ¥ÛŠ…©ÿÛ¼7¸umñi‰OòÌžÉó‰¯K5�ø"Õð8¥—ü¸†V3ãç9Gª¬ä<¦a'yŸåh�‡£Û
+î7®hÍ)D\Ác¡Û£íE›î’‡ºø
+‡ö„í&¾JƉ7fŽƒ=3ì*aäÊÓÜUŸ+wº8b¸h®QD‹V˘òšu_`¤CÌ�÷Âtó°GˆEþOòg¢iiœ³uÁ¥ýê6’[ô:<8GÑU§ª	1��™ñ' Ñ ÂLÎIr»Ž@'ñHð4LÂÈ
+l1Ù*ÔŽÜG®<3»äNDá÷±!±³ž°ŽlÝC=�[ªñ÷Æ?±.X[W²üÊѨLKÃQÍ0xÜrû´³-®YÓþ¬ž¡�ºã˜ÅͼåŸîͲ´ÈfÈÎï*Œü>HT
—j°sÒ·Ž–Á˜?aÝ�G«/†éÂþº>ÏPnhí�ÏÈHb7i],ý›xB
ƒuÌUkïk�4Ñ@
+t_oWn̦¸+k'‘=ãæz~ï‘V^†ªö´ˆGT+Ã�Ãïí6”#·Yšd2–ˆçJ (™TNÑü™öÇÆŒß�i ý†ã(ZS¬ÈXÂDn»Ne“Q’ÉÎÕ#÷W�/V»²UŠP
<õúDZ÷Ã�›­…·ÅC(ÄC�ßšÛxâ¿/mÿ¦ ¶óPOCõ~T&8Vk3™ªÕ…Z»K5]kGªà«d¹1ËßÁ×'%·J	Ôdùy
"Õˆýý¦"1ï‹0yÞÄTìHFÄ`kN2žóÓ‹VßJÙW›Á¾4U[|îÉi=à¬OÆ›a'™�Cq•Jã%åÛéû{«)Ï© ºÓU]¤ºXÕ1}Ž-•ž#Scºª‹Tc;ì‹»ß=aŠ0jãÌÁ,Û/õ†§’(ž²o½Y—[3qî
+=Ï‚PVx–%�ÿEt*úÿ
 endobj
-698 0 obj <<
+952 0 obj <<
 /Type /Page
-/Contents 699 0 R
-/Resources 697 0 R
+/Contents 953 0 R
+/Resources 951 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
+/Parent 939 0 R
 >> endobj
-700 0 obj <<
-/D [698 0 R /XYZ 85.0394 794.5015 null]
+954 0 obj <<
+/D [952 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 118 0 obj <<
-/D [698 0 R /XYZ 85.0394 769.5949 null]
+/D [952 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-655 0 obj <<
-/D [698 0 R /XYZ 85.0394 749.3395 null]
+906 0 obj <<
+/D [952 0 R /XYZ 85.0394 749.3395 null]
 >> endobj
 122 0 obj <<
-/D [698 0 R /XYZ 85.0394 221.8894 null]
+/D [952 0 R /XYZ 85.0394 221.8894 null]
 >> endobj
-704 0 obj <<
-/D [698 0 R /XYZ 85.0394 197.4323 null]
+958 0 obj <<
+/D [952 0 R /XYZ 85.0394 197.4323 null]
 >> endobj
-697 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F77 703 0 R >>
+951 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F53 957 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-707 0 obj <<
+961 0 obj <<
 /Length 3210      
 /Filter /FlateDecode
 >>
 stream
-xÚÝZK“Û6¾Ï¯Ð-œªÁƒàcoÞÄÎ:U›‡=ÙÝ*ÇŽÈ‘K¤"R3W~üv£
”H)v+¥ƒ@°Ùh4º¿~�bÁá':aI.óEšÇLs¡«Ý
_¬áÞ·7ÂÒ,Ñ2¤úûÝÍW¯¹ÈYžÈdq÷ðÊÏ2±¸+ßEŠ)vxôý‹¾¼]JÍ£·/ßÜjýþÌõ?¾|óâ6�£»×?|ÿöv™ò<Ž¾þÇ‹ïÅu_ÿðý«×ßþ<ð¹}÷ÝÍË;¿‹p§‚+ÜÂo7ïÞóE	þî†3•gzñœ‰<—‹ÝM¬Ó±Rnf{óöæ'Ï0¸k�Ò\¬9Ó:Ö‹¥ŠYëOQ‰„å*Ñ0žb‘‚Ü"“0Ð9K”T^ù:
”Ÿ	¦ó\/<*¿)vU¹\mªÕ‡OmSÝ.ΣwËò×ß¿yï®V¨©¯^¥!7‘¹¡DÈeµ-ºŽˆFKÊœeYš[*ϯ�à§4ì^;†í±ßû	Žc2ϱ¿Ê±¬ÕªoÏLuÌ©Å)Ó§	¦pJx¦"],…`¹ÖòÏrÿpUä_¸æõºi‘Š8 �Ëbå¸þ:ÁL²4IcKðTš	.R±Mýry(ê-H%æŽ:;ÝdóÜd`Ïna�‚(ŒK�³
#â,IT26¢wü4ËÓ4q’ÕÛ
-v‚eœ²Lò4”lm‚¥B$‹”k¦Ò8�qK´©ŽÄ“ î¨pÅCS®NMS&�_^ÔM,ªBð’LÄ©/z·
À’™Œ·"‹ª]ÛÛk£$‰¨,`º¡ÙUÛô†²ÝÒÚér´A
;ä±?D·µ‰$g(�·bA<÷´ÂúPìh¢ØnÛ§Ž¤é�ÀÝs×WŽ ÜÕMÝõ‡
-¥úÙˆ?'¸¢éçä!‹ù\ÀSù³¼ò!›�ÄÍ�<ØæC½ž
-Ñ	ƒœG�†‚îj(°V9ÉQÊXžrÜ_å¸oSIÄ8 x~ÏWù}¨¦¼ÈäTÉŽ
-«v·+šr
-Å3&EîâÝÕxp�‘	œ–Œ1ö~ÂG—*‹
ðS°Ø�Ê¥ÇÔ	¯Ï
¥}à­;â	aHIé6Zw”y›ÄÒèŸpä›u³>óNgÈ	—
-¨l²>cqRfÓ½£Á&Bªy›ðT&w>TÕ'×úK¢ÄLdÀFä—•ê©Îµ:¶Hšs­äX­o�ݾÂð®T÷eÑW]`å‡ÿý•ÏP´Õ+º XXêDšz
§šv¸E£Ú2‚VõÒÖEjU5‹ÒÖ¬\Vå—`d¹Bk3U²Æzij³sT`ÓEGÂW%È‹2F“çÁC©«Áj›ca9UeÝÛiªlut_Ñ­]QVá³s¼´n
£¦=쀳ɼAù£‚—t‡Š½Æ�J»…¢�ô×D„Ò&"zÝq±íZ­ŠcgÔ�ãMѬéŠÒ†&�'âà×öxhpSxáR5¤ì-«{KØ=Ð[©
- ˜¶,—$B“A\
-©æýËS™ön_ôÝyËM
-r YÑÚANÝÆ5
c)‹óÄeˆN<S¦’|xg²€
+xÚåZY“Û6~Ÿ_¡·PU‚ƒà±ûäMì¬S;ñL6»åø�#RÆ)‹ÔLäÊ�ßn\ÅC®d«v+[z
+?¶�‰Rž.â4$’2¹XïoèbϾ¹a†fe‰V>Õßîn¾|)âEJÒˆG‹»�Ç+!4IØâ."È8Ðàõóï^,W\ÒàöÅÛ¥”Á?àOõß|ÿâíóew¯Þ¼¾]®bš†ÁWþý�¥¸Îã«7¯_¾úæÇŽÏòýÝ·7/îÜ*ü•2*p	oÞ½§‹üí
%"Mäâ	:”°4å‹ýM(‘¡vdws{óƒcè=U¯Ži.””HÊÅJ„$�ùǨXDRIh�±ˆAn–phÈ”D‚‹Nù©§ü„™¦rá¨PùU¶/òÕú¡XøTWÅrQ¼[å¿||üú½í­QS_¾”ÂãÆbØ7”¹¬wYÓh¢Þ”<%I§†Êñ«Gø		«—–a}j§v„cŸÌql¯rÌËc±nëãy„©IÄ%»dú4Âv	÷”Å‹c$•’ÿ^ü3•´ÜVõ±Ð¤,ôHCF’PX®¿Œ0ã$ŽâÐ<eÇj„$ESÿL.›¬Ü�Tlj«“ËEVÂEíù§QCá	‰iö
å?½ÜÏtäü¡4…:û×ؼa#IÇ‘Õ\¹+PF8…1I8�}�zÐËHÌX´ˆ©$”§É¸“1D+ŸJágcNÆRy8Wï £]­/
S˜ŒçEpT#2ô´‡ž¦1ëq[îË]vw$dÐìÉ5eVáàü̼àO”D`N¯÷€™Šy©þà Û=eçF�å§ý¡ÑÃíC¡Ç4æãк®Ú¢j�lúuÝmźü™R^ä(ÂbÅiHxD™µmfl›ò]¡�-Úy{>”ël·;롲Òÿ™þËËÍ’%Á¦8⟞†7õqŸµhÖdÊH¢ˆ‘Àúg�ħš6G…8VùúrÒ8&,’éü¤–hdÒÞfqÂÂXô'½S{‘ð@ëa_·¦¯N´X�g0\éQÜ'EYïô
+ÚèNiž>•»�nåesØeçÞNM¶U+ Á¾hl7F))%‰
+€S„¾{r¸­"€.@=«Æ
™T�	¸ƒkjò¨fÔd©újK”“w÷XöR›w#\”=�äÂ=.ýC8ÉƋDzx“¥ê�4àRÁÊçu騆Êì{@ÐOš&¬¯MëÝ!Ø–�EÕmòä‡)@?Ì<»ÅÑô["½Á›cÑ<Œíp/ñ˜ÛáAž3¹7ÿå-9l
+
+"ð†q˜^1�jÆ,•6A«fc]pOû‘çŠV
+[ˆ(I9x¿Y…:ª¡FûÖ
+J±dÑSéÛN¥³›mlB‡úûÚ}¹‚	Ö§lT&ž\±	�jÆ&,•Š��EñÉ–6ÿ”1‚	°aé¼RÕP«}»€ 9•‚÷Õz{j:v!Âàtȳ¶ht3?¡Ëø—Ÿ!i+׺£aa%#®ò5ªêî‘n•†‘*<¬L^$!W—É¢®J<#KZ›Ê’%æ«ØÐ<3¦lÝi´ðE²„,„ˆQÅyI襺¬¶:e†S‘—­Ö™­îýhŸå…ÿDNW^�V…e
,…àZh
Zw¨H0Ðû3þ3TÚ’B­7èk"”6bÁ«Vg»¦Ö­uvj”ú±ý�U[Ýaªê‚ƒê$bã—út¬pQرAR¶†Õ½!lÎ
+^ÿW`ËÆ¥3ºìb×eŽG®ž6_TÙ½2¼(éðŠG©¶BÌt·Ûk=ÜY<4ø%¢H×›àyUw�ôHi#~Yø		zñݨôð+vø[üŠû²@ßáYìãÖOqm
+ÍÀÂ-š%ðS¸‹m�BÖšP33�½Ol1,ö];¼�—͇gcP Ž?$ІåJ‹†pę瀠sÐÉ6
+@„Å
Óâ`ë!3°„¿+ZµTÉeðܾƕ»�?ãF€¶4¬ñ)%‹qd5vöíKêÙ†tx-µÍð¿«
]M,to`ÂØI|à)%’ñp!|ªiŒpTJôº-7çÿ«ìvV—B”9Ž=m¾-šÂ–+^¿¹{õò_&‚ÕÅÚf*õ™Íw¸L1ÆWöÞ£šÙ{K¥ó�®„Ù+
Á¶†œ^™ÙQ
§î—€DHB¼ÕÑ›ÛÕ
Dd¿(E#µ t.Ú::€F÷rÆ 
+ÝEj¿eEA^ªÚô 
+úůeÓ–Õ¶ãáÏjÊê‚‚™‡¼U…N`Ò4(ËÓ×qÖ#Ùc¡Çt<¥°UF[ñ�F?ßØØÆ
+±LËû(hÝ‹‚6å;Ld¾Îe�u™7–_…­ˆ,~4µ!T—Ö¹òwk¯JØ–{;á ®ê	c¶rú|Q	«‰¯Ô|ª™óe©T9¿ÍÚfX_eàËc9?­£ÎÛ?\,S
+ö½ú_bj“z�¿Ÿ¶z ËÅiâ*jØ®�
{@¹}|õÏ—x¡šù¦ƒícÓê'
ÄιWVÈl=
\¥m„®¨øϧtuQ5_ŽU<«lVýLYNk-tfßSø…!0÷šÖEÓL]þ†ÅÛ#»MÝ
ˆ?|1¼»/�w
’„O$¨1ÖŒ€‰
+ÕÏ¢áµ8
+§?â#¢ÿÐü�#endstream
 endobj
-706 0 obj <<
+960 0 obj <<
 /Type /Page
-/Contents 707 0 R
-/Resources 705 0 R
+/Contents 961 0 R
+/Resources 959 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
+/Parent 939 0 R
 >> endobj
-708 0 obj <<
-/D [706 0 R /XYZ 56.6929 794.5015 null]
+962 0 obj <<
+/D [960 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-705 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F77 703 0 R /F14 608 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F79 711 0 R >>
+959 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F53 957 0 R /F14 681 0 R /F21 654 0 R /F23 678 0 R /F48 880 0 R /F55 965 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-714 0 obj <<
-/Length 3636      
+968 0 obj <<
+/Length 3905      
 /Filter /FlateDecode
 >>
 stream
-xÚ­Zm�Û6þ¾¿Âè—óµÂwQ—OI›æ¶‡K{É6EßpÐÚZ[ˆ,m-9Û½Ãý÷›á�z±i{�Qäˆ3gžšÏüñ™Õ	“™š¥™J4ãz¶Ü^±ÙÆÞ^qO³D‹1ÕëÛ«ß1Ë’Ì3»½Íef-ŸÝ®~™õ·Wßß¾y½šÍer½Ð†Íß½úÇêù
-¾¼üíwß¿¾ûpýÛí·WonûUŒWÊ™Ä%ü~õËol¶‚{Å™Y={„–ð,³í•Ò2ÑJÊÐS]}¸úg?áhÔ}Ó'†ÛÙh…á2JÄ™ªô«x"½~µé—3h+3ë©P¿Ý._‡kå2K¬”Ùl<á1ß@uÌWÉ1_¥˵˜2¾©—»knçŶ¨;Ú€nSP£-vŸ‹]K/«ân¿^—õš^«âsQQóM]$GKJI9KlvQsÕÅy¢‰Þ^|“f#Z©k´†ù‘Š„=-Õ‰ÉДΉˆŽD›êÖ²ÄXf'²}(º6ªQ8jþ—‹zízæ5=‹?ªrYú]úœWû3úiÀ¬Aç>&;­ñž
-—U7qcÕ<ImÆ/pTÇœ§
-Õ&IS¦¦¬ÿ_egô¦ÑKXsIo#²3zT(ü}µo7'�øy¾ý?â?âÆß ãâŠ[æËÍ9“â …æê’jFdgT¨zÕÔù6v’Á„µ™?É�h"`‹7~AÀ@u,àT‡™N¸0Æu¸.?þp:Á\ëÞùÓfû§õ­maZ‰ú“�ÖwO…«i»¼Û·GŒ8M°à<ã@uÌøà³$Í„�rþºlªA×nîñ)½¾p�ôêÄ 
-šJÌÿ

ÉÏ^ÖËj¿
-oýWeÝ»:¯ÈìÔI•¢ÞîîÊzõâ«¿yÂñ:ÒTÓLkLÈ<¸ïÕ�)¬Šû|_u®™€X[É‹›wŽ™)å‰6eˆÛËò¾çHÁÝw{»~.²�ý6G³.›úWÆÄzOs®ÎX.(O0ž]²ÜÙË
T¸Ú]±ÜïZô퇼�LRz:Ï;P󞯱I*ô
ó¯÷Û‡ƒ­¬ÊÖë©ñ:ÿ}_ìÊà)Ð+¬¦ÊùIuW=�Þ/Ìc)§]<d`†™
Ñ-àÓ€Ù€ÈÚùë›w_S+KÄ—s‚�…’ÁwîêÕ2fN
-@Ç}³¯W±‚Ú‡\šú¼“ÁD¥"ùXºÓ͸wmتšæµ‚3›h"U‰6Ümé§â)¶£€1Yj=õ¯L3´LœüŽM�®â˜.U°šö©EsY•»ÈüF€ÿÖ<,'oiòU�º¬�·q¼0Àù)h¸8èìÞ£!Læݾ¬Ð6ÐWå.˜ã+X‡
V
-$p¡žm¹-«|ç?oˆ�"ö4÷1_¦á+ÎGûê”GÖž/;à#X9_œ¾îÒGÜ›c2-q¿óÖ¾Qr“MϦ—®¬ÙbP6é‰hP?c|âVÛˆ¨Yðqì8ÛFÒ
-Àó““ì356Eŵ4â>‰4•£¡×GTly8mÝ?Qç ¼l‹¼öÓ‡IïûÈ¡§å™‡?@Ù¸þ•CX@H™Ž™*
È—âÌ
¿ÆtH
-ÈxrzlW.€–¯r1wXIV+ŸŠ„oÜëzïw{\V

"|ðôÞy¨ža†åó$dà3è%<†­;O~¹Ë—öáÕŽPº&âØau/»hO`Ռىýâ�Pxêqž³¢¢Ð
ĪPj Þªô·KG%¼’KÅó,Ü+³â`{´
-<u_ÆÕ¾žC‰¼~ržßýÊÎ;Þ&ŸS0ekŒ˜Z�û2Õcôˆ¯jÁ3�Y&V!ú€q"¨d‰T鑈)KALàÒ>óܤ‰2ðR¿
-R4ÜçÔÕГ<rd¯PT¼Ô¹T�«íùnš}å5ÆZ£gªð$S…“*-W}�ÈyáFõ·QÍ> ¹QÚÔ[sçév}õ…’Á¨ªB»yFèæ¦÷ìÓÝÂ`	àX
 î|ˆP™¹d
-xBÄp©�@{�H–*´}ÆÖf<Ø¥MŽùPÁ¡
-¨•}	çȆ҄‰þHP�5ªæ,ë�×eQÙü¦ó‹mŸÀëý2
T¤:H4ÿ¢·Z‘X˜Åj2p©O•=,ORœàÜ–`í^V2l‰ãV›
2ƒàFH�ê�&}ôÀÄ;èIÅÜB°†Ÿ—€'ÊôÇ+,ô¾©ªæÑamM.I’ïó\Á¾i­N2Ë‚AÀbÂη{ꄯŠ@ON�ÏyU®¨¹j¶¹;T@Esû’W³_o¨Û]J
-)’2‡�Qù,
-G‚rð¨ôè
-H(³žÌç™E*ËÏ9›m¾\lW:¾Vô‰ƒ7=Øö~ÿi½x+
ÉÈ0²:�>ÊGá=÷¿IÊÛbaü¤E½lVá
-…–n×°-ŽK(±øŽ—–öRxØ”:bÜ’
™qK^'§nŠ¹ð>†Ð¿÷×�’�8î§
-iUvâ¸ÙÄfZÆ%òYô ËäÖR¬pÀ.„ÌüñX–`N p¦¯»($ø8
-	ªAâ£�`>wÂéØrÕ^$r'ü}¡™1�Y,F¤Ï@i60è(L3g£Øp>
-g3jÀ<¬O…NºDËÔùzÎB�bÓ4oã{γ‘‹2–ŸÐ¬ ùIÐ"E?-FⲂkºþC«Æ>ª2BÃoSê�Ã�‡™®§¡Ž;ÿ
ÁLìñEõT�oñ<¸AºtSú
-¬mã™:~ù5F$áJáDõÉÔ	õ„’,Ëô1Ü¡ÿñ6�~{æTvÿt�yŒ8Ma5«/Þ¤�Ï9J˜èÈ'L#
Ž²žñ™§,$…ÔOºâûäö×çۇʸ-ër›W§®œ ³¿i{hÿ¤ÃͤÒÀ_bV+z«\ÆœþÕ¿ýÇIlmzpQ0@
GùEˆD_¼ŒÅ2ê‰t)ß?Ý	]ß¼ý¸¿“ëü«×Û;y³þéÃëî§Õú§ú#»yË7?¿ýaýó6{ºyûf½ŽýÝO¿ˆÊôß—1„j{§WÄc¥8GŽÕ:üå©_IK�àO›#wðï¥øÓ¿ ~XŽ(ËÚ?“Ì�ïõB᪸<”\C¯­H#¢ÿþ;¶Æendstream
+xÚ­Ùrã¸ñÝ_á·ÈU#qLžf�ÙLª2›Ì8GÕî>Ð$m1C‘Z‘¯óõéF<$Hr%)—‹ Ð@7}ƒâ·	üñ[«Y"3u›fŠé„ëÛb{“Ü>ÁØ7ÜìÐzõÍýÍÛ÷2½ÍXf„¹½œ­eYb-¿½/Z}ûÇw¹ÿþÓÝZèd%ÙÝZ›dõñÝŸ¿§žÏ0¤õêï
âÛ?¾ÿðÃß>½»KÕêþÃ�ïÖi’)˜y}î�ù~š÷ùî—û?Ý|?îb¾SžHܯ7?ý’Ü–°á?Ý$LfVß>ÃKÂx–‰Ûí�Ò’i%eèin>ßüu\p6ê¦Æ8§¥eÚŠ4Â:!g¬ã’3k¤½MuÆŒ„1ä]]Þ­¥±«º§çþŽÛU5ömU7ŒÑ«ûMÌ›¦{í–žÕoCµoóß²ÕÎÍ÷`CGϲ°mÝVôú¼©üü6ßVž†M^Ò*E·Ý50¡DÃ.ל³Lká(î‡n·«Û'vÌ}ž(جJoSž2)²,Ê®j=sìRvήÚÊL‹!îMÞÀ”$Yý´ÞýrB€‘,UJ^! @�°</cY*ôŸa÷ ŠB®†M…
±ê«ý×jO�õ¸YçCÕ¼ÜqÎWp„2á«OUQµ�›¼}ªîøª§÷m^VaE:½ÃÓ†:Ê8�º 4‡]	ëÒ@çÑ}øçûOîŒàØ@¸¸]UNÒ4p½j»�}þÕ�84�tpE{ÁŽmÞ¸lÿœ$¢©ú7ð&ùêáà§?×MC­?‰¨nš°êc·&Ô%-ÿH[�4 ûWwð’;aó8H<=ðBÉäŒ<ÏŒS‘y2ª~È÷ƒÓ¥ÒÕ‡G[ï–°ý®*jD‰4ã€Sƒßõô²Ð"¯ËªQKi)æwk¾jà€IYq*+>Ge�èÕ)Ø:<|ÎT_‰7Øòª‹M§ºØ˜T×÷7ÃE]5š3ÎSqEWç`çuu„Âýû¼¨NðÊŒY)³+xÔ)Þ¥Š*Å,þ-h:Ÿ-é²rã™GrÓÆ>žž€=ôÚT_«†š/ôìÚêëDÂÒôãF l#˜ÓÞ¾×z*5¨7ô$Š(=¦+ÕÌdàý.Ñ`ŽéZ²Õ&ÌØÄÎ	û\
}”—à¼ÕêwW9„9÷²[ý¶kê¢öçó5o8­³„)!ì^ÏÁÎs{„Âm�QŒŠ)ÈSj3~s€:żä§6ÀÆD-Qÿ¿8š\à›IX’‚»Â·Ø¾($þ±9ô›³Ê}ï¨Ü'xãʽ@üW¯`\‘›K"%2ðîV]cÍìkÔÈ4Í5AÖf^�Ђ@açÔ)�KfšqaŽ(Œóð©þ:w,Ôš<÷ÿÈo•eLZ~ÍÏÌÁÎó{„¢x4ý	b“C,~q€:E|¤Á`3PÜæïê~×äè*Èpí£Ž$„ˆÉ"»jõ±üаɇÐò]íaûà‚X‚–«ƒ+ò«×mÑÊð6ΪÛ)¶
+$½¨‰NAÉ:´u1.
+쩇
µ(¨àG±3 É0Ü8Õ%Ô
+J¿Tå3¨
YoöÝ‚Ó ³ðl;~vÞ:ßá“Ú¯uégŠä	�tní@vK‘‰ƒB*"\�ž�¡’à*/
+ÒòŠzƒŸróš®'(¬WPÃŽ$ˆc೯ØÁlb‚qŠÐ¥<]Ô®{Z”oV\M™Ôctø¶Š·ˆ�Áj�”VB–fĨŽ¤ÒÂ@dh–|sµ¡²ÑGæ�‹\Ý3v¸H®¥î‡í-Š%0àÏ
Z#Çóœ$ؤuT…S*	&©Û!~<3žPÑÆ/~䬙0:²ÚË`
+ZH›G–öž~ðôµL%˄Ζ\#‰Y~‚ÃaW¤„8<±.5¦ÁýÓ-5>ÍCÀ
+B�
+=<�}](S&äxÈ#mX1‘«�3­ÙxKVUôZ4ù¡¯úßG
z
+	šÒà#ÀõYA4è’Ë
®�­wÆG	¦!랈FãÂ
~gÚvX¥Ø²Š¥VXÌ@x3†a5oY2ÁLz|Kx–X3ÌL^†ü‹K+ áÉé±é\½
+hàÎÃ{iä¡|†	V¸íãc
½ŽaëÁÃ�]ò‚¼>¼ºÊR×Eû:ìnÁ‹u&TÍ»�_TåãN=OsJ!bXJ
ÔÛÔþb餤 Øvñ:	óšXqt<Zœz¬ãj_С¼	^¿8Ë‚ï~õàçÎ�ɧDÙ#–6ÏÍLõ<xÄWi¥x	‘L¬BŒãŒSɘTé‰
ˆ1K�OàÒ¾RoR¦…¸§ŒÆï‚X
7�º:z’EŽœ’Š·:×êQ µ#ÞMwh<§@X[Àèʼnjª½¨b eÁ¹ê#éôÄÍ
+p³¢}äfYÓ(q‰“8·«/”FåP1píæ®››Ñ²/O�%ÄÆ*Ó�ñïæšd@r«"ÞÁÊQ
+{zÍéAb
r”ÞPÀ<†ËÊk„�T¡í+Ž6ãAþüµ<"Ÿ
+8Tµr¬àœÈPÊ1ªUX£lβQx]•­>~³ýX½ßB¢�ŒTGyÆ¿h­J"“Xí?þÐ窖³¸t$X¼—“”LGâ°µ„f
+™ñ{&!}T°è³LhñeÉÜ‚³†_¦€3eFõ
+}ìðC)kk2I’lŸÇ:ö&dµše–›¥‰±˜°«íÁ¹:á‹"ГÓãkÞ¸�C YvÛÜ)@ÑÚ¾â>èÉVîV@Ûªò“(¶ÂõŠá�7®@7ò©!�u,*6xr bÖ°9¸4@Ê@G?ìIØ`rS©bqÜÏB¨£n]Éúñ½®Ö�^pfm’½æÃ:
«Zÿ¬n=®¸ž/¹6Q�”
+È®G°ö!e™ƒ=·×Em(§×p`ŠÉ—œâV)C#|Õ*%XQ>µJ€€bV´ÉÏõ\ŠVa)£Fž7OݬÆ6VñO!{ͳ“ÔcŠ‡‰I­é†SL¦¹ñ�M*káû+,M“ý]ˆT¤2gV»|ß»pM™¤A+/ÜuµÛjŒb«4E*¤HʇŒÊgQ8˜ƒJ Ò“{(
+qJú
 endobj
-713 0 obj <<
+967 0 obj <<
 /Type /Page
-/Contents 714 0 R
-/Resources 712 0 R
+/Contents 968 0 R
+/Resources 966 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
-/Annots [ 716 0 R ]
+/Parent 939 0 R
+/Annots [ 970 0 R ]
 >> endobj
-716 0 obj <<
+970 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [120.1376 425.576 176.3563 434.7914]
+/Rect [120.1376 335.453 176.3563 344.6684]
 /Subtype /Link
 /A << /S /GoTo /D (controls_statement_definition_and_usage) >>
 >> endobj
-715 0 obj <<
-/D [713 0 R /XYZ 85.0394 794.5015 null]
+969 0 obj <<
+/D [967 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-712 0 obj <<
-/Font << /F62 634 0 R /F58 627 0 R /F43 600 0 R /F79 711 0 R /F42 597 0 R /F57 624 0 R >>
+966 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F48 880 0 R /F55 965 0 R /F21 654 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-721 0 obj <<
-/Length 1521      
+974 0 obj <<
+/Length 1632      
 /Filter /FlateDecode
 >>
 stream
-xÚÝXKoÛF¾ëWðЃ„ë}?š“k8‰ÄIc¥(�#ÒŠtEÊ®Qä¿wöEQ]©Q…ÚåÎÎÎ~ó̓$	†I„DÒP“(ÑÀD$‹Õ'W°örB‚L…Ò¡ÔOóÉÑIƒŒ¤2™_ti„µ&É<ÿ8eˆ¡hÀÓóã7§³”
-<½8}?búü¹ùÛw§ï�gŠOçgoÏ/f©Â†OO^¿›G‰‡uœ¼=qöòÃVÏìÓüõätÞßbxS‚™½Â“�Ÿp’Ã…_O0bF‹ä&ch²špÁ�àŒÅ'Õäbòs¯p°ê¶Ž"G0¢P:„N¨
t„ĵ‰IF™Ã./.³MÕ¥_Š;¸$Çxº®óÅï0}no—¤Ô ­8¶!¨ÛõÕ-½àlp
-[™ù²l=n¿aL«â™Ÿ”—á¿n»¬ªŠÜO³ÖkÜ5cd0
-vv^h
-øc¯žÅ+¥œC0¦ûr¶¢¡Hi¥É:]O¾‹³—¯>¼Û‰(HBR°d¨ñßÙ«±r׋;fžXþ·{íô–ö¸OB¡ åcI˜0È\}C6ˆgۻgY[Ð�CƒCˆyB ™aHa@n_Ôþ?fйIL`0ô	‚KïÕoî§ð@å“QøÀÌq
-í|4…USe_I#
‹?Ëî~Ž=ÙM¿;Ž‘§äÅоHñ
+xÚÝX[oÛ6~÷¯Š=ØÀÄð"ÞÖ§4HSwhÚ%N¶¶+Ebl¡²”Yr³`èß‘Hʲ­´AÅà‹ä¹ñœï\$`ø‘€$4Õ�Ôâ˜ð YŽp0‡³“q4¡'
+ûTÏf£ƒçLiAE0»îÉR+E‚Yú~ÌC�€Ç§‡¯Ž'!åx|~|6á||	íúõ›ã³Ã‰ŒÆ³éëÓóI(±ŽÆG/ßÌ<Å×e½>}>=¹ØÈ™|˜½Ϻ[ôoJ0k®ðçèý¤pá—#Œ˜V<¸…FDk,GgˆGŒù�|t>ú¥Ø;mY=G0¢LÐ!×éžëA\kÈH"!¥uÝGs7	ÆãU‘&t«¿››T#¥T‚4ç´eˆóy¹ÊêÅÒ>Y,ã$\¦üÉÓ–{j+¾2ÉÊÔŽ4agwW”Ó“Ëõ»,â£gË+6�¿=V¿ý5š¿-.ñô„,Þ�\Ìß-õÝôäxžRÝœýìćC&}ÞQmwË›:+‹êþûXSs¯ó:¬Ìê“YYjB%Âð#ƒ‚=Gë,õ|÷UžSÖ‹v´R·4³EVY ýŽ1ÍÍ�v‘]»ÿ¢ªã<7©]Æ••¸c‚1Ò�‡[‰¦NëPR×(†„èXr§ð¶\ç^Iž—·ö±^û�”Ëe\¤?
¨‰*ÁáI"ͨjåþ`I#ÕOd¤¥Nqc¢ƒ¡ÉË8°4tN°lùêL’L*
+“Ôvá7»(ÚåM¹rš3û
+eX�‡ôŠtsƒÁÎvþÈý²O•FŒ(±Ñìëþ¾×|nÙ{ WÎ(G‚¹�zgµlñl¥‘~Š+ð
+‹z^	›247Å€jÁ•ÊßXÜÎWñÒj¸Íò&4Z4°üdŠB’ßÙ³ÄfÊRÄC!cˆ}cÐÄ%ï̶¥Ø*j¢ßj¸+×�ök‡¬Fi^•Ö_Œ	Q²“$iVÝäqc1¡.ÿ	ƒË¬¬ñÕMY¤�?÷ÝHˆ
+™ÏR[ú† Æ!èÒZ¾00QBïÃ]œ[4	o\ª¯o\…ðDS‡„Ö}0
'‡´&„íb©-<®¥S¸,Óìún@›‚¢ª)ˆÛETO×]G�Ó:CO�0AL‚ãBÆ!Xtã4�„0KÀœÍ‹xmM…��ŽHÔ2™Ug­¿Éøâtú›}ª?,h×faßMÄ7ʆÔ7Ê渴uüÑŸÞ˜$k˜Øuœ´ãÝ�–.®ìnjªd•]Ù	šr±£m«C6â¯rƒ†úïla*©ÞzP¼ò§]oXW]箇Pu‰ü±©h%X!ÎpÔe{;k¡Ývµ?"Pb€˜+³ÐMXûRÂwúÉ·qy;z^»×ˇA–{ô;
Íß	ª
A‚¬çûÙ–5ERI0Á%‘
×ùôäÅÅ›]/	UHpô%þ;#;‘Vn‡Q ÒäÆ–™GMT;óô÷¸«B®£¥CU˜0(‘ü†ràKÎfxÝ1%�!#âÊìá-‚	‡ýˆŽdš!‰%8rójûÿAp¤aš�°}ÁœBÁÜ#xv|öê~÷D>„÷̆pßÎC8É�¯•]+õ
 endobj
-720 0 obj <<
+973 0 obj <<
 /Type /Page
-/Contents 721 0 R
-/Resources 719 0 R
+/Contents 974 0 R
+/Resources 972 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
+/Parent 939 0 R
 >> endobj
-722 0 obj <<
-/D [720 0 R /XYZ 56.6929 794.5015 null]
+975 0 obj <<
+/D [973 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 126 0 obj <<
-/D [720 0 R /XYZ 56.6929 526.4445 null]
+/D [973 0 R /XYZ 56.6929 442.7583 null]
 >> endobj
-723 0 obj <<
-/D [720 0 R /XYZ 56.6929 499.14 null]
+976 0 obj <<
+/D [973 0 R /XYZ 56.6929 415.4538 null]
 >> endobj
-724 0 obj <<
-/D [720 0 R /XYZ 56.6929 469.6226 null]
+977 0 obj <<
+/D [973 0 R /XYZ 56.6929 385.9365 null]
 >> endobj
-725 0 obj <<
-/D [720 0 R /XYZ 56.6929 457.6675 null]
+978 0 obj <<
+/D [973 0 R /XYZ 56.6929 373.9813 null]
 >> endobj
-719 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F58 627 0 R /F42 597 0 R >>
+972 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F48 880 0 R /F21 654 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-728 0 obj <<
-/Length 2282      
+982 0 obj <<
+/Length 2297      
 /Filter /FlateDecode
 >>
 stream
-xÚ�XK“Ü6¾ûWô-š*·V"%JÚ[Öɤ¼o•=[[©x‰=­X-õêáÉä× @êÑ{Kñ
‚ @Ƈ¾ø�§a$‹ä�I˜Fqz(/o¢ÃÌýò&fš$•ašH	��Ùc*ó0ÍEv8.™üãáÍßîqQ¨”H'¿—Ê`A&³ÃCõ[ð£éïŽ"�‚äî¿ÿ¤eI˜åYŒË"ØB…q*,ý�ÕWÝ–¦¢?}øD�{£Ç©7ƒg'¡L”`*	c!bË
šwÇ8Š¢àC7Ö§^"EX(¡x…(B¦·{H©‚ÿzxÿ+µë
ÿY ©{1åY·õp¡îxÖ#Ï7M÷<0‘ìI±=˜þ«éyb숸%y˜…©m£¿š›eYÐ�h·~2^�…‰ã°HYyv­ù
…LƒJ�:Ú(
Þ·4ÔßÅy`†k׆F�þµ×묤X¨PÆY› oÖέ2“8T	X›ÈNv“îâøÚŸÓ¶éˆwY¼Å�5Á3¤l>×MC­òlÊ/ka㤷fÀV=ò©Q{uÇ碒Ž±Ê@Zð[VÙ�ößB­Q­Ž?UN=)­i`æÝVoyá‰þ`a7ÒÖc­G棷;�½n‡é!ô¦ÌC
ñ3;e”÷]O�KG’P¯nO]Ñ£•ôc7�{VLáÈ"ɾgEY„2‚ÉÞS«ilX…`£2CÙ××y_ë¤L±çCQ˜Å±Û½}- %�IïCÝ‚Ý"ù›Ÿf¸Êâ"
¹
-ó<•G4Ù?¨ñq�_žþ¸\@øµòã¾(Ë'SΨP„1`ÕV$‘˾
¤ßÄáh’%a!#òVð5ðœ$eß„šâ.¼5p­±"b�K§Ô©"Ì“$aåëf莯
-¼Iҹɭq
-M¿‹Ïºr'Ä6;WUuû„È	pH0wmt	c4ïè*Ó˜Ñ�aI¸Xñ6öð‹í\æ�6gÛ~|! ÆA[Oè×ã:¯rð‘&¬þuCÄ_ju§M±r1à!c£oÄ‘õ
¿D�>w8b(,ìöV¿ƒY3[g¨¥+p¾Ù]ÄRífg()E0±¡°M%�€\§d‹‹|ð×ôC89>¾	VpäQõ€é"•V©–S[6éÔ®ÝC	n§jF¨£ŽÓk®¦d¨à@.?ô»©&T¹pADœŽ×®©Ë=;Ê"
-Éuè”�žœâ�F÷3[š¡F�øV·»@üGYádF饙å˜C¾
p ãÈÂÒØÈao”äƒ�B„³?öívq0Pïs”F8ÂÝiðëÁ#?ýüæcš:u\®â$y
-ŒÊ(ÊþŽÌ‚�?½ÿ…¦ÉAaú° ¡Û€ƒi}ÂÞ	�˜QiS“ÚHKr¶È@íOƒ�iì°”)Á	˜˜¦ŸLkz=Z‡Alj“[>4²çS#¿–þ]ÛÔ-“º<˜_ÌË]Ç
§‡*äÜõõŸÚeÊíY\ô�Ó»¸sµ -è´KG¡õS‹wª¹7A¯™Èüq­üy ÍžK’zèv²Xð•XŸç…Ãníñxó{7õ­Ã+‹æ5O}øoHt‹[t.º2Ô²÷økú1äÞí°YyˆÉå1¸È—°ÐF®h+êc¼ÙÎfæýà�‚:
-*8m=,‡™Ù°g¿O+I†­—û^ö|6íÆ	q×~i‘?ùìñL®¿8ßÇÌfV©
a·¨„óþè;yÉ�Øg Ç$ãœÓ�E_¯Æ%¹åõÆü1švðeaš-ñÊP™{€o›=„,2Ìö†æ7€�ùX.³yµâÕªëçûè,›Ôb¶ò*‡.µq Œ,‡{ÃÊÊ7ZY€9gòǺÕýË7²òpò—:^åÔVÕ£SñE·“õ&©›|K’«lQ~dî~«2[nS«+K�¶`ßDª¾y1büg!’jº\ñϘ®øj†�²»\¡<ò½lk¯ÅŠni+bòÍŠ:¬s•“
a¤v]bÛF’7N÷l
-AQP
�R4*b�SpK¼ÛÓ1$ªÌ`ÎèòÌô>€
-W�Ø»(¦äÜ3|ó‡Ö3Û	>ºÉ®£Æ
-H2! U‚ÑÖü �Õ/ŽŸ�R»	ý­à§ô¿Ôí™Ór•T)Q¸ªœGë4{Všs.¥N€"Î1„DKŸå2ä?¤/A/8BÍÎ+ø:"üsÒ¨{V�²6Å;)÷ˆn8OcÕ=3ÃŽ'Ë^g{&[uÛ9˜õ—€ša]¦‹œéB±ÖR,>»þÚõ½v€¦”«äö^Í\ø3&¬wvð
-‹ðâÅ©¥ƒt<M”3b'Ñ‹vð
ÁT[}Š�\à‹œ5rá¼µ¤WBè/P,›)œ
ìÎhJMB3µ
:Pµ¾Å͆³ï#'�À�+Iç«ÕÏ6t
-€Lï.;A°pòÛwÑeFuWTv‹jùTpû’j1m
>•­7°ÔßAÅ´wSif*vïÐ}[ñnP@^÷^SD(eT¸ºeûä^×$Ô¼rÿ¡Î‘gš�Ç H…9èÕ1ÂÍ
+xڥ˒۸ñ>_¡[¨*K<ÉiãÇ–÷0®x&‡Ôz’šáš"µ"egüõéF7(JâØ©ÚR•Ø
+ë2‡‰�+>ÎBØ„¿™o vfÈWt‘—»º<1c…âÕ%KS”œŸð�Xú}Fb(59J“R`cÓ1'
+cß·C¿yQQ`MÖéh&×Ê�ˆ

+GID濯œ	3ßp-“kºgÊÁ«²rò+–
+Ìg]©†q~ÄÄ%d!ÄØ"¹_4Èt6ÏÍÿB�že´=…б/û–nâ¨pØ×eó)MdÈÙ´Í@*28²É¨•d>¾{M€tΊK±LV¦¥�tã?o~û=]U ž_oR¡]‘­¾Â @@­v7F*á\fâL{swó¯‰ D°BË%Â2-Ú—-ãŽsR›ÈÜF›ªŽ,›+dŠâÛ•ÃðR€Ë‚y9×
+ln¯·Ö&MN¾q&
ÈK&s’·«‡Ás1d’p^H”0¨q@܆ԙ„JKÏÄ‚XÍH߶÷U¸øo&er‡®µ}nºÇ~UjPY,Ða!‚6}×"Áç,ÜÂia
+�1�PÞ�몧LŸ—&¥?†
+-/HØÁÎy&å»À®”N¤Vº)ì|O¼…p©ŽEÞ$P¤>ÙG~²­�Y¡Ê †¿3y^¦kWÔÀàÜ•ÿZtÀ8”9ëVÞû—c×yÀ‘ópÖmD4( ×p×b„âžãÍ3è«))êþ{_a
øãdÚd]Üàöáë鳫ǧ>ØBšlƒ’p­ªÀf±è„J’*Å}ëK´ã°ñªº­Çi–K*-+>&¤�ÙqQý
+oQÈ"ú5QÚìû¶)—ª:kE¦òXÕ•-Åä…£¹ ¼>Å‚3eSojÍkâ
+}FÇ>ŒÈ	E?n�gÊ�›Ìº­Eñß`{Ó¤p0ú¡†.�[$.d2ÐèSš¥ßbà2Éq˜öƒÍݽ}
ë’–¶=÷ò¸H¶
+–ýG[¨R¹b»ðŽàK¦`ý4ðÓmpp{ì÷J0	F¦åǺ«~F“‘þÅÉe‘<ßéuô…$ÒtŒ{„"ù\?¯%dCv¿)#Oý¡ùæcq™Å£=ø!zVl”C·ëc©Ž>Ø<vø¤Cní©þï̵a¯Ÿî0Û1q:½	�ªÂ+ca´)b|ž^…¦ˆòG<t1"a8h_
+Õø†¢fðçð,‘ÍÞdT†ÏUMÓ!EÃ×Ó'öûÙ¤
˜¬N9âD¦Iï°a¹ï¯h‘‚”�OöôÖȳ»X¾jPåp]RKœfb<‡ÆµYÒåÜâ¤NJb…­
&x�¸‘ú¤€¿>ÕÝÅ2~F�
+f2€ïFt-˜¢~¶åônwâ-ú¬;]àc×BλÈs¤Hz	ƒúÅå©9Eª;4UUw—iwÉIÎ’iÌ�œæšÎž¿“²‡§þØVÓcïb¢uÕŒ1tì|w|ON~™
ˆI›ÏŠ“<>Ú<¶=
+ö
 endobj
-727 0 obj <<
+981 0 obj <<
 /Type /Page
-/Contents 728 0 R
-/Resources 726 0 R
+/Contents 982 0 R
+/Resources 980 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
-/Annots [ 732 0 R 733 0 R ]
+/Parent 996 0 R
+/Annots [ 986 0 R 987 0 R ]
 >> endobj
-732 0 obj <<
+979 0 obj <<
+/Type /XObject
+/Subtype /Form
+/FormType 1
+/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf)
+/PTEX.PageNumber 1
+/PTEX.InfoDict 997 0 R 
+/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
+/BBox [0.00000000 0.00000000 27.00000000 27.00000000]
+/Resources <<
+/ProcSet [ /PDF ]
+/ExtGState <<
+/R4 998 0 R
+>>>>
+/Length 999 0 R
+/Filter /FlateDecode
+>>
+stream
+xœeU9²,GôûeË@@Q‡�!é¡%bd(dèúʤ—÷ÿ(žÑ¯
+’$¡T¬)ÿ®ïë¯ãïãÇ_¢ýþÏaíÏc‹®½Ú¿G—=ûÌöÓ1ÄF¬lÖ]töö×ãqu‰Ý¦‹÷5š�”�<8Ç—ý:\;âúãñ‰ü<q¸Í;.\ži2c¶û~ð¶e¸í×qc¸=7Ä+Àg
¯ã�ã×ctéa³ÙL1ca·cu™šmQOƒ½¥ì-¡
{wñ¨¼&kñÄÞ
+¨9xcH
+¤Ï’ÃigÙ¥—ÇáC6uéíÛ&”\ÊGTœ„Méêö–KòlÜ’Fyu|?é%åiÈ¥K”êNÊq{vˆ�*êèJE¢]8hÍò¤p0R±ˆ$Á(+ÁnÖN¬
+q�ª„Ñ«ò�^ÿï>‹«>÷—
.13×…Óƒ!¶3¢SËAÕ”ih¥Å¨Š^…(€<Îm䦽ªšÛÆlLÊâ³ò7Ù
+г2"ïE9~ 
+n*Œ1½÷¨¾x¥Æˆpîâ‹
&Xî
Ãœ§³±è\íD¤ß�ä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9ÊÎ�r)`˜¢Xh¡Ò& „hb—H°Œe"Ãê
+þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BÒ›ÀÄ5
©/¨�vp�÷o`kA“ôr±ñœÓ4N.4Žæ
+endobj
+997 0 obj
+<<
+/Producer (AFPL Ghostscript 6.50)
+>>
+endobj
+998 0 obj
+<<
+/Type /ExtGState
+/Name /R4
+/TR /Identity
+/OPM 1
+/SM 0.02
+/SA true
+>>
+endobj
+999 0 obj
+1049
+endobj
+986 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [470.3398 483.0796 539.579 495.1392]
+/Rect [470.3398 482.8902 539.579 494.9499]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-733 0 obj <<
+987 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [316.7164 471.1244 385.3363 483.1841]
+/Rect [316.7164 470.9351 385.3363 482.9947]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-729 0 obj <<
-/D [727 0 R /XYZ 85.0394 794.5015 null]
+983 0 obj <<
+/D [981 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 130 0 obj <<
-/D [727 0 R /XYZ 85.0394 769.5949 null]
+/D [981 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-730 0 obj <<
-/D [727 0 R /XYZ 85.0394 582.1251 null]
+984 0 obj <<
+/D [981 0 R /XYZ 85.0394 582.0558 null]
 >> endobj
 134 0 obj <<
-/D [727 0 R /XYZ 85.0394 582.1251 null]
+/D [981 0 R /XYZ 85.0394 582.0558 null]
 >> endobj
-731 0 obj <<
-/D [727 0 R /XYZ 85.0394 543.5676 null]
+985 0 obj <<
+/D [981 0 R /XYZ 85.0394 543.4475 null]
 >> endobj
 138 0 obj <<
-/D [727 0 R /XYZ 85.0394 445.615 null]
+/D [981 0 R /XYZ 85.0394 324.8439 null]
 >> endobj
-734 0 obj <<
-/D [727 0 R /XYZ 85.0394 406.7709 null]
+994 0 obj <<
+/D [981 0 R /XYZ 85.0394 292.4184 null]
 >> endobj
 142 0 obj <<
-/D [727 0 R /XYZ 85.0394 289.0425 null]
+/D [981 0 R /XYZ 85.0394 174.5048 null]
 >> endobj
-735 0 obj <<
-/D [727 0 R /XYZ 85.0394 261.2074 null]
+995 0 obj <<
+/D [981 0 R /XYZ 85.0394 146.6189 null]
 >> endobj
-726 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+980 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F62 990 0 R /F63 993 0 R /F39 858 0 R >>
+/XObject << /Im2 979 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-740 0 obj <<
-/Length 3597      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZYsÛF~ׯÐ[¨*‹¹päM±å�R‰ã•´»©™Xƒ
-iÉØHÀ¯»ö-.¤�ÒÆðS(7I˜eïê•~ØÅ—‚߈ӱš
œÊ(y�f`±ã³Ð&H <PgAwë²eá¼e\WVµ²hVɦy,Æ›€!8ÅW-OââñÚq)©Šý,ÿ««¹¥D
àÎÊ _ÃPW2CV¯H¿K«Ò I#3Õ3«NFk9R(l²¶+v\fY

-W«²;+(™ŽT‹›}=s:„ƒHãhr,.;̃�—„ñÇJ+¸„h�Èš®šlu´`Æÿêxõ¨§Ñ‹Ë¢î¡¹Ô±
Â0T^uj
-Q$�hÐoZÁ±Y°gX @Û†Xsž÷.–
-ä-®ë|WlŠºË*á<^rÙÚ.«Û‡b×Îß©`�±rMsÇ.J˜…açgJÂÞ¸Õ¢“I¸}J®Ø"Ý5y#ï–-¿™qõ�=qá¡!m%üÅb÷ÈÀ©nœNÙÔ•Žƒ>³WsÔPÖ€N:Vç
RŸ‹�ñ˜‚ �¦�¶Ñ4ØJú€fÐBÙSt *µ:�Aª€KGÛ‡÷iûÐÓn‹¼DÐÓŠ±£æŽ›·¯¹
|�#ÉÑâ¶(Žýà
¼œVduÛ”Ÿ;wιp3rýøåø…Sq*µöË{ÞȶiÏažFÇSõÞv`
-
^µ¿/Z…6°¡‰Ï#àªÌ¬7ëG-ÇÃN—z*�™”—˜Ã¤Å°ºØRß×hÙX»ÈòŽNœÊ­<ù!üœ•‰’Å7×ïÞpWÊ�v¿Ý6»N^ãÓÆAÝôÄEć<¬�$…ºÈ‹¶ÍvOXu‚cîwÐ5Ð1d˜n“ueƒ[R–�e”[d�YY!ý`$„%-‡Ôyµ_IÅó4–ý*áõMV‚¡—5â»îŸø9øTä‰;ˆû° †‹ý,ofÕÖŒÖ!™(—xZ«EsïgÆfœŸ¨à€‹o‰$ ÐRÖŒrÄ\ÕbØ
v$4íÉFdã­c²&nZ•±‹m±Ã`Þ0ŽøšöªëIºFTíH’—B’¯¸IÃð!â+1Ú4ËထIdƒ][‚À©»4ø<´>Â(??ú–»f³\�¨À¢Š:/Ú‡�¢
¹Ô¿ÝŠYÙ(°:ÔÓSm‹Ž��'!ÉØÅ:ˆt´IO³³¡•‡öÑOf‚Ä:ímØ�m8Õƒ
§ŠmÛøAÇ
-ʵ@Ëb¾ÐšòX	­pt×›mÇ
-
á¹'k�qbØØTW`¡\.;î-¥^|ÞVe^vx@X_qXºÄÆpN„Xlß4bü/Ù²Èî›}ÇE–Ç0¶yÅ=mQp�±€c‹6ß•ÛA981P
ׇIêOfW|Úm·$¤œ‘s�s©?¢¼ÊHQ/Ïââ
-Z®4
-Óx
-ª"ûØr‘ȘñÂ�'.ÁÁÈ ôë�eÆ•B™a
×
0Uä„ÔLj8âs¶ÙV…ä¡ �M…7­L×f��OÏ�8¯,ÿ’å°
«9Y
-]öBM±úäµÜ
-§àž'.ÕE!£9Bņõ�ÅM
Ì‘°;¾¬ý0pv½˜hjÐÇV
-æ隆HT©J×Bê±&,Q£¿[‰y¼
Äè$Ô=ìWM¾GçÇÎÎã“–ƒ•Œ¼
70žqÁ#ã|Ö
-ÈT1ƒtä0§hâ–î��—®ñcøEã’‘è)†ñ´ïZf+”Øõ°œJáµ?N‚(ç,¿<‹“.I‹¥É"¤“í̾Éi}=7Ï÷E÷…}€ÊŒâ½˜#Ρ¿”2/@.K|8r§ÊÀ!Ä©Ob]ñÚÆ`J'˜ñ©‘
œÒs.œÉô™À¨ØGr²ã gv?ç‚Ø7ÈS¼äuæ÷æ½1Vòf7¦iÔ–œKM½Iñ›¿ãIzÁ$.µÑt£�{åÊ¡ìÖ\šÚ
¶x¬b-Z¼ŸæTbfÞë÷’tŠ�7D,ò��
-üô^�k«bƒQ[¶+¿øÉäÚ¡Ø7?üÌ÷´†h„‘Û·E>íèdã¯<Þ³î¸þÿŒal÷p!ðH™ ë¯ºà2ø,ºTÅÖÃ
C(
-'S•ŒN&¡i:Š ÂÑkJÄ€CyÕãž)CÁ�á°{
ÎmEäIÜë_ÇÑ}>Z‰Z`~ÕÓì�ÈD1ÜÎ2y,³C�%LÁ>,ŒR"Íi;lF¿û¬;”¼F Xö…Qq’GüiŸb(0Ïù%}o^ì0Ñ0ÇÏ~†¥\ýÝ� ˜`&3…G3êWÕ{tþâ½®Ù}pd¾¢p-”ÃÃO9ê´*Ûµÿ`QR¤Ýð
fÐ:¼ Wsh¦À�>Ëlå݃…ùFB÷+hAüø·(aL_SRŽÎ'†¯*÷ÒÕÈNÜdŸ.f=%ᘯR"ò\‰WŽ©+%—O™l¤¤!-.´”¯ú(Š²ÞwúÏ^âw)ÛÍ=÷Y+ì�hB”áÂïcë2_ËÃ4æ(IF~"–šÁ	:XtYõqJH÷
q6²(©�¢©ô¢¦lWÖG`†�…›¥›ØÔúOÆ%þ8¡ù^çM��Û‡}ÏÅVÂ#<!=HršdþýOûbWRžÐ$I§ ´ÐÐÓ˜ó½Q˜(òŠ.Rý²O71A”DþJýjFâÒ:„î8»Ž’õß“*Vf²Òß�TL«’´—¹´qè?	×I
-¬U/éÂ+?á=Nø‚²]Y5ʉ¨à¹_âàÏçf~i
+1004 0 obj <<
+/Length 3372      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ksÛ6ò»…¾•ž‰x$Ad¿¹‰su§uS[÷˜&ù@“�ņ"U�²¢üúÛÅ.ø�èëÍÜx<x-‹}c©pÀ_¸�‰ŸdQ¶PYìË ”‹b{,žaíïW!Ã,ÐrõÃêêoï…Zd~–DÉbµáJý MÃŪüèžð¯
CàÝÝ¿}¸ýåö~u­bïæçëe$ï÷_ïo©·z¸¹|ûðHÃO�îþýþ
Úðz)Tyo¼ù°º} õ˜±Þ¼ûçu†ÞÍýÛÛw´ôîžq¼¿½Á³Vÿx¸}¼þ¼úéêvÕ_j|ñ0x£?¯>~%Üÿ§«ÀY*G~˜eÑb{KáËX7S_=^ýÖ#­Ú­³Œ?I4ÃÉHÌqRf~"`	9Yçûë0õž5\.ʼomýÊP{Ø•y§K¬-°þó ›®>Y
ÇDyw�ét^¾
8{ÝÆbI½ò°ÝMñ•ºÎOßÓÉBm×RJj·Usè´±X…—×u{¬šgZË˲ꪶÉk”°b†~&edïEd™E‹mþESoWç…öû�™†Ib7þk£<@z96‰gôþEïiŠ.!=bƒéò=³&ñòuç rjÌæЕ푱µ{‚+ö¹ÙØ^ÕÑÚ±ªkZ%Ä@݉V˜‘Òû£=ìñªvð)¢ZÓb�Öí~×îáÖn‚–‹d†E,kàFÞœ¨3åÚ&ïÿÚ/#¾ñ&¾°…ä¹:7¼e@Ž*0Ëé·›¼y¾<Œy{¨yL:×ni„×Ü’ЈÀ· �–;“£»}Þ˜µÞó¤êŽüÚ°V0kk+I‹”!¨1Õ¶B+±ƒcî´~æB+bƒè)ˆXR†¦Û5M–§&ßVÅ
+~'Ž3æùd÷ÑOƦ
º1>hÆFjîÔxРÞÒ Oâëõb$ÅñŽÊ8Sšúž’sáVöשwh�4pØáÈaG2öUf@1ºoJ>ÍtíŽáÇ>Ž|!‚”ÁIE‘
~�Ejªªwx—Ty§ö@�Mþ‚ä¥)‘3[r–éXŽ0pË9A\€9æ‚Ýܬú¢±¼Kö¬ÛÁ‘ìŽ¼Ðå¡W˜f§ˆ½vÿå{3©ôÞU&ªgåØS"‚lpd"$Fã¤%
+\†K§¾
+bÖ«¯ôzZ®÷ívY
+ßµ8ýRé#:ôÕV¸vÎTOœÙ¿róEpÑÅvlá;fgk'‚‹6Ø‚Óô°ÎSaR¡¿vסׯ(WikÊŒìVn†|âL´ ]pêX7sº+<ò¿
ÉzÇE×2ŠX.Ž±
+wƒ¡%’M2‘gùLÔ:ÿb¨k�1
Q»µeRì�`ãúK•Ó@CJÂ'là¹
¦Š>!s9"B|Í·»Zóç˜ “G䶤†=“¿¼œ^“¯¼ø˜Y@2ê!n¤Z•E']•
+øbz
+g‹Å¦Ïse9�éõ…
+>…²G
+UZJ�Æðz¦åY~
+‚Ê\Uó–hCek|þL’•Ä¾Œã¾^+ƒ™Ò¯ðE¨\jÏ7ö
+÷ç褯¤�¾�HÞäîn.=ÃÁèÛ"™ŠŠë™3)ÚiÕ?ë4\…Cd'çŸ^¢ª7P«nC½©ÝàŒÓU%Þ‡i‘MQ(¾ûÀUH%�!’G.Ç®YŽÃŠÂÔÓø|_}s‡ñ;^%í»_~§‡ûŒ	µüe2ë6'bV‰\X¹T:¾ø›ó⺒Î+†±;ÀÑiÊD»ÎôuÐ.§¯jWè'*vê€9µ}_d”;‹(�¼U²QZÈŸí±}ÒJT�W¦
+@	àò²´ÆÇ!·¡ûþ*
 endobj
-739 0 obj <<
+1003 0 obj <<
 /Type /Page
-/Contents 740 0 R
-/Resources 738 0 R
+/Contents 1004 0 R
+/Resources 1002 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
-/Annots [ 743 0 R 744 0 R ]
+/Parent 996 0 R
+/Annots [ 1007 0 R 1008 0 R ]
 >> endobj
-743 0 obj <<
+1007 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [464.1993 638.9439 511.2325 651.0035]
+/Rect [464.1993 509.0768 511.2325 521.1365]
 /Subtype /Link
 /A << /S /GoTo /D (proposed_standards) >>
 >> endobj
-744 0 obj <<
+1008 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 628.0049 105.4 639.0483]
+/Rect [55.6967 498.1379 105.4 509.1813]
 /Subtype /Link
 /A << /S /GoTo /D (proposed_standards) >>
 >> endobj
-741 0 obj <<
-/D [739 0 R /XYZ 56.6929 794.5015 null]
+1005 0 obj <<
+/D [1003 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 146 0 obj <<
-/D [739 0 R /XYZ 56.6929 704.5459 null]
+/D [1003 0 R /XYZ 56.6929 577.5408 null]
 >> endobj
-742 0 obj <<
-/D [739 0 R /XYZ 56.6929 671.1703 null]
+1006 0 obj <<
+/D [1003 0 R /XYZ 56.6929 542.4624 null]
 >> endobj
 150 0 obj <<
-/D [739 0 R /XYZ 56.6929 515.8828 null]
+/D [1003 0 R /XYZ 56.6929 380.9794 null]
 >> endobj
-745 0 obj <<
-/D [739 0 R /XYZ 56.6929 480.2977 null]
+1009 0 obj <<
+/D [1003 0 R /XYZ 56.6929 343.6916 null]
 >> endobj
-738 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F79 711 0 R /F57 624 0 R /F58 627 0 R /F56 618 0 R >>
+1002 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F55 965 0 R /F39 858 0 R /F48 880 0 R /F47 874 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-749 0 obj <<
-/Length 2237      
+1013 0 obj <<
+/Length 2880      
 /Filter /FlateDecode
 >>
 stream
-xÚå]oã6ò=¿ÂØ—ÊEÅ�¢>¨æ)ífoS´A»›kè8EfbÝ*’kÉñ¦Eÿû
9¤LÉ´�öpOE€h4Î÷‡4›Qøc3‘Êóx–å1I(Kfåã�=À·œ1CZ¢Ð¥úêöìüMÍr’§Q:»½wx	B…`³ÛÅÏÁ×o/¿¿½z7£„1™‡IJƒË×?ÎcÁåÍ×W¯ñÓë›÷¼¹ºœgqpûÏwW€a"N¬³+ßÿíõínÅ/·ßœ]ÝšºÖ0Ê•š¿žýü�-À¨oÎ(á¹Hf[x¡„åy4{<‹N’˜s‹©ÏÞŸý00t¾ê¥>ï$\�DD™Ç=1÷¹'ÉIÊ#®ÝsÝÌC± X,ª¾j›/à•‹ _J…§ÁjsWW¥²óüM’9ÜÀ<�ÊrÐAñéª^2$	åBE†ªhV%4e£ˆÈOÅ㪖¤l=L�‰`Ürý­md‡ftËvS/Põeñ$
v%˪¨ýÝ¿¹ž3ȲÕÏ…Yß/‹^	œ…QÊx–ÏBÆHž$‘U¶M_TೈÇÁ¶ªe�ë†hBÿýùgð`H²'D!WmÕôUó€kú±Úå
-¸+:	üºl»¾ƒÜã4	n—U‡ØÊpj¤\È…Y&ËbÓI$�Ÿz¹n”ÉêÓcQ¨“ë'¹î´‰tlÚBé‘DAÓö ÿT4Ï´ äÁmaq÷êɃºm?¢Q€Ü¬�v‹@o¸/d]=YF/çsö¡à#k‚fdüÀÒà§y’U¿D¹è7¥‘Ž‘�Ø	&±ø«Ø,§ƒ2T12Ð�ùfµVf];Y¿¼(u�€í²*—–E3,2Ð}»ÞîRU�OËÉÊqÝA­;¬•ÉE.´•o�šŸuHiEšŠ2ÌïÍÇÁ`7‘,õûìKOñ*ñ9É8Ç,ú\ëq’«þÇHóÍÍ<L)rVOFñi3•¹5O<EZ¦ÆÜL³½Q	Æy‚•k ùŒPQ–re°^)Ïr]0Ë¢¾78ó„Lï—:‹Õ[Õ-ÂA½5²ß¶ë�ªe&éŽhHõ¢… ¦.”_	ªXsšm@Kà'±«…46
ŸsWA½‹&)6zÀ™PZ�†ƒn../eB+½¦]Éu=gÁ³Þ:•Õ‘éZŠ3¥kkÝ_PTcYK_=îL7-?í§QØ‚„>ü�Òèaã­IÝ`”鸎šâÑàmg´U9™
-ó6Jgoåý°‘ëJmD‘à†ƒµ1�í\Éìð£1>hÄjµÝÖi4êË3>Ñ‚=ŽFoÕlrª7X�þu§Ld•mF™Ð«¡·:Ëúý®(?šÆ²9ä÷Á“#G·Í©.êïr*›#Ø
-œlV¯h(ƒ:ÖZ³Ô¤µ†Z|bZ+h5×S@´
-+®–e_=Jå›Ô5ƒ'Lwõ‡ßì_,°
['LÑY…ìÛI“‘N³qÞ÷?K2ÂãÌNµW¸%™�üº)}S’?ì0j÷ÝqŸÙ¥Ï¸Ááx´s`qg·è¾ýòÐé"I``fâøQÉ!ÒG
;*ç
-¾ã¤ÿ@Y6•¨í<�³£"¢=™“¡à8ÉüfF4FjGM:ê”Ú�»ôðFxBàtÆOF"Â3‘=Œ@mñ$‹ÿäiŒKÝÓ9;Ð�Bó=<‡êHô,Õéð“êÄo*Ö@Wìÿ3‚ÄmhÓÃlJX–Š„’�By’¥-ýEÓUs$�,@¤'éP	¤¥:ÈcR�@NÅúéŠ}y ÷:õµö©ìú*ÎSBcq¢c¹T‡}5P�ôÕQ©;_í‰õúj$öêS¹,šÏÁ±7'½»ÖBã}àòæµ=Ž¹è•lU17 MÓñ9çín>>èÿCÛ‹6•8U·0
-yQ“ˆÀl—½(ŠéŸÞUþbg!‰9ÍóI±› X”ÅxÙO}“ÏÝM¼Çu–)ÌÑ	ð8ÐgöZ1SW½®
-öñP?¡4­u“Ô?¥x܉KñÅ•=dØÅ$%…xêè³–]¿®Ê߆êò¸ëË^Ër³ît	‘¯äeâ ¼�‹O$X8ÉÊi´ÜÁ6¨$¾Â£•³c½Ú¥�DêRÆFHóR2¬Øñöój´ÆŸæ•eüêñ|_¡‹#ä–Æ�aÂ�袵i;ˆm< I¡oŸtUdj,b,À‰�¹æÝeäŽg?ªÃ!=CÃ3÷UÉ_JÓƒ‰ç­9OÞažU?({¶:DôþÝÚ™73Â…ˆü§)ì9F)eäþ¬9üÀ½¯ú
9Èúendstream
+xÚå]sÛÆñ]¿‚o¡2æù¾qˆŸÜDi”‰ÇVÛLãÌ"!‘5E($Yéô¿w÷ö8€ )5Ó§NÆÁÝa±·ß_”˜pøOLœa\åz’åš.Ìd~sÂ'×ðîÏ'"ÀÌ"Ð,…úÓÅÉËoU6ÉYn¥�\\%¸ãΉÉÅâ—é×ß½~wqöþt&
Ÿjv:3–O_ó×S!ÄôõۯϾ¡Wß¼ý@‹oÏ^Ÿfzzñ—÷gp"œ6¾‹_~x÷ÃùE÷ůߟœ]´”¦Ü®�ÌßN~ù•OÀÔ÷'œ©Ü™Él8y.'7'Ú(f´Rñd}òáä§aòÖ:&£3Nf#â‘jL<&gVÁ+Ïùæt¦ŸVÛSᦋr[žO›ŠŽ‹ù¼º¹]¯êe8_®ê°”–%�!D±y¤Vë5×eCGw·áÛ‡€ÞÔtT]Ñɦ¸)ãWÛûr[ƒ´µË§?nÊ
²€V—áU8@z@ “™,7FzW›zµ
+BÌò�aΘȄìQZ~.ÀIKž8‚RpÁ¬È[”3�‘ýîâ–Ž�­¥b�OBîØQ]ZZ²
Á¢U:ž¢%omgAX$S™qQj"ZR
 "ç‰-á®E‹²%\-‹û
+¸ K{ñƒ©CºäÜé 0u›)ñE›)qãx6I{)n"•e	 #Ù1UÉýä>/ß]®WsŸ”ý‰ŽdhŸ\�Øc¼…kCµ7ÞS’Ù¼õä½6k3.žÉÁs€…ðÉïÕ¦ôe‡Zª>$[‚|îÖâ€T\Fv@×
¦¾£FL‹ºcÖ¿BáÓÉwÊÎðe¾¬º�.3°s3Rë(¸ÁRn,@ª”<zâÃÃÃ	äx—Í�ÉU˜Ü˜«æöNz°*Âcýè=D‡ˆ7[Ó
+Š–e±¹ö®"<So~§â#ÛϹ0†eÐ7DVØÍçgµ„èkŒî'ØÃ<X¨
+´ÇäåU¼ð/<"lìn�ÙdQ÷
+®“®|Ÿ"Á¤‹:3z°jÝ�GÛ!ŒCõŸRÐ2Jy�GÉ·Ïu)'”L]ŠØ¨—äHH:U+þô¶œ¯(Øñ雟épGïxè«{J	V0è
+_©ƒ©A˜[ÌÛªÃ3šÍ?¾ü"—3.=½­ MQ‡o(GèËuËámˆå�­L˜¦MY.|^ÂÏÊyqç³
+-Âm¹]ŸŠé£ñùÊ[wÓª0á©Ö±Î$žï› í8L=t?/§þ`%ðHiž@ù
+ªºìIú³ÏÎ$ÿ¥þ08Kpó<ŸÞà3hóešf8™Nf8°iìbÂ/­xN¥|Šýï°|Gÿô?�ájQÖóíê’þ,®º¬îK,ú�˜¾­š2¢*š¸ŠDŧïQúÍFÇoE×Ø%?¿4 ½_ŽÓp·Œµrl->Vw
Ñï­�ø^£Œ¿º,‡ö¬…cN+7‘ P…ÿCz¹½žÐâ}bÚ-ü,ý`׶wñ¢ >`¹RLìPc!âä}bv¼+£`ˆ+ùiXA¸4Æ
Íy/_
ºö¾à÷Œµ`Î9*‹ùšÆ|1
Ö´ýWfàœ–ÁÿùK©_…Ãéá¿_E›¢1 î£�é´�>f«Ûzv]Í–å¶ÜƒŽrFu‹à-Žt’Ùk¢cc¾sLÐ40YVô–W |GX
+Ã?�1>øÿÇ×%&
�·srÜŒ·ÌÉ<‹D!/rÇqÚ?ØÛ%ý?mwendstream
 endobj
-748 0 obj <<
+1012 0 obj <<
 /Type /Page
-/Contents 749 0 R
-/Resources 747 0 R
+/Contents 1013 0 R
+/Resources 1011 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
-/Annots [ 751 0 R ]
+/Parent 996 0 R
+/Annots [ 1015 0 R ]
 >> endobj
-751 0 obj <<
+1015 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [417.8476 408.3291 466.5943 420.3887]
+/Rect [417.8476 228.9788 466.5943 241.0384]
 /Subtype /Link
 /A << /S /GoTo /D (sample_configuration) >>
 >> endobj
-750 0 obj <<
-/D [748 0 R /XYZ 85.0394 794.5015 null]
+1014 0 obj <<
+/D [1012 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-747 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F56 618 0 R /F14 608 0 R >>
+1011 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F47 874 0 R /F14 681 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-754 0 obj <<
-/Length 767       
+1018 0 obj <<
+/Length 837       
 /Filter /FlateDecode
 >>
 stream
-xÚ½W[OÛ0~ϯˆxJâø–Ûxê lCb4Û ‚•r)q¸”‰ÿ>;ICÚ:¥P˜*µÎÉñwŽ¿Ï>ÇE:¤;.pè^@�‘£Ç©õkñkîdu½¾†š}àb=
-Š&yVnr^
-#Zªôœ÷219ŽóìB|ý¥¶PX—‚Eq¢daEhcÚ,ÒèÔ5ª7[ß–”øfaÖdÊ­ëܺaë�«‹B>•îüÕ
-
+xÚÅWKSÛ0¾ûWx8%+zÙ–Ë)…Жé0”¸½
+g­Vé…³ Œ´QXK`ZyÊÈ
 endobj
-753 0 obj <<
+1017 0 obj <<
 /Type /Page
-/Contents 754 0 R
-/Resources 752 0 R
+/Contents 1018 0 R
+/Resources 1016 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
+/Parent 996 0 R
 >> endobj
-755 0 obj <<
-/D [753 0 R /XYZ 56.6929 794.5015 null]
+1019 0 obj <<
+/D [1017 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-752 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R >>
+1016 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-758 0 obj <<
-/Length 2220      
+1022 0 obj <<
+/Length 2146      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥X[—Û6~Ÿ_áGù$VDQ*=}pg&É´MšÍx÷¥é-ɶ]]fêýõ�,y4Ív7sNB 	.´X8ð'Ê·y‹0òlßþ".®œÅ¾½½,³ê…Vc©Ÿ6W¯Þî"²£À
›Ýh/e;J‰Å&ùݺ~·þ¸¹ý´\¹¾cyör厵¾ù×Ra­?\ßÞЧ›÷D¼¹]/CÏÚüóÓ-r„á:ŸWnîïÞ.ÿØü|u»ôßA8•ûvõûÎ"�«ü|åØ2Rþâ&Ž-¢È]Wž/mß“²çäW÷Wÿ6}5KçlâKeûÊ
gŒâÉ9£ÈÈö}72F¹+é®í!Å˼z㇣%nhG¾§à”­Ó¦Êì¸*w$;Ù>P¶ëy‚e?;¾SÕ´wú­Ëtž–-pñªÑ¹†Øê¦Ízî¡jPÖipÁëÅVQ
-Dzm×�:+!à¾kDJ]¤MZ?¤5‰‰ÐµE`Ãÿîß—Sqñq�-æ.„gKÐ
-·€Õ~Ž�¤Y
Î[®„㜱uab�—ÂV|�ò›CÖ€½‚ÀêGMCs¨êIßÚwY’·­økÚ¶Y¹§Iw¤q³p׺ltÌn
-ⱇ[
Ž¤
 ÃÀð
-X�µ‚KÉÔSÕ2MºÍ7ƒ¢)�·]}�9Š!4=!‹`@Îì¤34«Ów·ÁÂ[- d#Û…Îjjù<+9ÙVGL3�}®Ï½˜©·æ¢/϶àý6-Ó�iö¸?è:ålûË�€w}ÿs«cN¨uVOSú;ˆÂf¾Ô»Ð»F•zˆ9)=ˆ}.A8O¹$`É‘àïY=3õF}»Üf›¶�iZ²íƒqèB"—-‹}™˜ÑÖû;Ñ/NvÂþ6P£�ܹ�„퇪ßÉtÚÒZ—¤¦®·¤yÌ98…RGv]ÓûÇ°Z¾&¸Ð+:»@Àg×õÌuVFç˜à„ÃÑMÅ”:
©¢3YÖô¢l7ƒP_]·U_IñŒÆ&~ö
-“
cÊÖ][PcÚ„A‡Åû»€¡; 0Ï«Gî÷¢!6Ìä1Ãn©ýÏ0Ó4W­Àâ4Á¾ODoOmÚ7‘õîýúzõþƧÙ7ihì9>So«SI‚Ðúµ‚†«žËŒÜÆ„ê܈á€ÚŽJ¼ÏÙ¾˜–—:õÜêT7Y/B½‡âүԪŇªeáÖô…D1«ÐfEWg
ïš½q3ÐÔ¤D–/\V8k›°¹¤ÔÌUs2cIï"Ýöí˜qÒqIÝHÛ'œs»F>ÀÅÕ¤‘Lº˜WjÎŽe�c‹ÄèôÕ¨L?A”¤l ã¬`à…^8+Mã¡ÐñªH|ænùýã*f°ø»ßî7¼`{ÏÀyÜÉD}HaL	zPD}ÁmÿÓ:I(Cùe¬Àá‡/ügC[ó0_%< ¡ì‰srò¤@Ä(º"ô·’mÎjBgÓô
-ö*“†/±v:Œàhx�/7¶/"w
-ì]V�Ç/ê2®’
-˜<è<KæÒõ9¥š®Ç
-©›¦+&²¯ði¨’kDO(*]ÞfÇ|r7eñþ'È/É<Š3̬‹qgž¢RM/€HÁÍjª‰Jjìš™[N5ÄÂ@#çþhè7/ž¡†ë¼©P�PPgZ_Ëê±$r+ é Ì)0ÖKeuÌk”Wºýaî±£\[Qß_Ab«¤^8©éу°W€˜åšy“‡�Q¡¢qÜ-…#DÀ¤G"eréÙ
-ŠÄÅ/[ºÕös¿KßÆŸ{g~çu†—Éÿý«òùgt/´¥RîüÆÒ	låFa¯*/¢K͇ŸŸŸªþU)�endstream
+xÚ¥ÛrÛ¶òÝ_¡É“4	a¼"�>¸‰“¸—4'Ö9/M'‘�ÄT$^ì¨gοŸ],@‰2ݤSkÆ
+ƒÀAv·ÿžìš£S:‰‚”E©H¦”"§”I"0Jùßw(òDÀ$÷Cý³®ô‹}þ¤-:Í™þ¢ÊýN³¬.ŸÐÆL./	Ð;ß©;;5¤ð
+ΙŒ"1óhB6é{‹Wª¶ÓÍÀ�ÃF¤uáè>)/‰Ÿu]^&ñÕnWß{]£ªv­›�]Š
+.©Ô®ýŽÖúËxmÕáM2ûMº“ºú�}Mþö’îøKùI•íHpUÕÝV7W°WÔÕÇmÝvKuXé±äþ˜½¢ÊIMŠM^¾'<ú'\@ðXœ›Š¢Ø&ä‘3‹¨…!n£Ûzw©Ö„㔉0ä÷ƒùuC´õ羸S;]u
+´	²gíW€Ùtn¯8§Ðê¬oŠî`Ù´ÐnÞ¾d4½é¦Ô˜ë6kŠÞðhžmUµqÃŒè6f·®>ø¾Øô�¢‹ˆ��EPöä½ÞíÎ [ÕM\¡HbZÐü—&9A×èÙ8É‹5Â1hq»²ôÖú¨¸gS"U¶ës²ÃiìÍ¡:ÓmkÃdMcFÔTw<3Ò6
+‚!æò&tÏ
+™XDËU7ÚгvW(šL7ÈJ™
+KÖûcâf±$îfˉ&Ägqdd<h< ;‡'ȨÜc>’ᮨl–­÷��L\Ø&¥¨ŽhÊŸzœ†»IEC#Â÷#Ë!$â)IcûIlqر!pRPGÊQŠ
+ð�eÏ¢™˜…¢�“Yéî^ëŠØOŸ–�XøÎèØò	nEȤ/ϽgL	_|qzBHL÷IR9XÞž�ð*bS5«Šæ<\¢}Íû½±üÐ×ÕsêÉô¨>‡îy”>q<ÃÃ5&XHUKטpB7à¬ìÛÎ:§>kÚ
ÉÕöUíê8ÞѲ	ŸÅg@ÀÒ4G¼ìªïêŠpFD¬ÓaëðU‡!b¬ø¨±­¦<	EXÜØ‹álsôgX)¸H=Ð8-°åä1ÍW‡N»ÖSÎßürõÂûåeD+Òiitm¤½S­ê;SÉâdþs
íÞdAµM×âµ;i0"ª*¸cºmê_ÒÇNkÕ…:ŸÔ6*GŽd8[w¹3]©p•'¥úR”}9ÜAxOmŒ™mÁ�ˆ#.,ÃE‡/D!15ñÚ‘¬/©á=¦:×#�x\^@/Ô¹„slÉx¸µ±yŸÙ“Š†£a­“cƒf½3LÇNEÝ9U^µ�q<8
þBo+OѸ-Uæ•yd¡+ûò©Xô7¿Þ.í�“Ø›vçÓ›É�¥I˜UKNÏéÂ&öÑñ°~É
 endobj
-757 0 obj <<
+1021 0 obj <<
 /Type /Page
-/Contents 758 0 R
-/Resources 756 0 R
+/Contents 1022 0 R
+/Resources 1020 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
+/Parent 996 0 R
 >> endobj
-759 0 obj <<
-/D [757 0 R /XYZ 85.0394 794.5015 null]
+1023 0 obj <<
+/D [1021 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 154 0 obj <<
-/D [757 0 R /XYZ 85.0394 638.3105 null]
+/D [1021 0 R /XYZ 85.0394 479.27 null]
 >> endobj
-760 0 obj <<
-/D [757 0 R /XYZ 85.0394 600.2421 null]
+1024 0 obj <<
+/D [1021 0 R /XYZ 85.0394 444.0186 null]
 >> endobj
 158 0 obj <<
-/D [757 0 R /XYZ 85.0394 433.5475 null]
+/D [1021 0 R /XYZ 85.0394 287.5734 null]
 >> endobj
-761 0 obj <<
-/D [757 0 R /XYZ 85.0394 403.0897 null]
+1025 0 obj <<
+/D [1021 0 R /XYZ 85.0394 259.9325 null]
 >> endobj
 162 0 obj <<
-/D [757 0 R /XYZ 85.0394 351.2066 null]
->> endobj
-762 0 obj <<
-/D [757 0 R /XYZ 85.0394 325.7421 null]
+/D [1021 0 R /XYZ 85.0394 214.4637 null]
 >> endobj
-166 0 obj <<
-/D [757 0 R /XYZ 85.0394 166.6305 null]
->> endobj
-763 0 obj <<
-/D [757 0 R /XYZ 85.0394 141.1659 null]
+1026 0 obj <<
+/D [1021 0 R /XYZ 85.0394 191.8161 null]
 >> endobj
-756 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F56 618 0 R /F58 627 0 R >>
+1020 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F21 654 0 R /F47 874 0 R /F48 880 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-767 0 obj <<
-/Length 2286      
+1029 0 obj <<
+/Length 2336      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥YY“Û¸~Ÿ_¡ÚK‹ƒà×>ŒÇcg6»ŽãѦ*µÙJ„$:)“”e%µÿ=
4@‘æp¶¦j„£Ñht7úëل›ȈD)O'qI™œ,·Wt²†¹wWÌÒŽ(R½ž_}ÿ6â“”¤�&óÕ€WBh’°É<ÿu
-È8ÐéüþîÝ,àŒ§tzó—ëóÛ�ЕH�àúÍ?fŒ±éõû›Û78õæý=6ÞÞ^Ïâp:ÿåãíýì·ù�W·ó^¾áZ¸ÏW¿þF'9åÇ+JDšÈÉ
:”°4å“íU(‘¡n¤¼º¿ú{Ïp0k–zuÂ(áΩ”�O#©”|¤™’HpÑk…ÏF)è¢Þ‹j�çì6
-÷›¬Q¹m«e£:KPãïëºÛ`ëçl¹)*ÕjµÀæb`:	xD$èÜì:ß-¬I¢)þÊéBë*Ç1ÜÛe½S8V¯ðì@pòZµÜ73–L-a7cÓ&«Ú]Ýt8²UËMVíÖ.ØÔû2w»âؾU9°
YÜ‹&§KGõtƒÍàŒúT¨_ô°·ó3pªéKTGÛnl«S¥ÚmêJÙ¾ê–Ä*id!à'Ó8ém#¬mîªUÝl=ÖQÍÕ´Ø1JÎþU_Ì$(»·_‹¶SÕR=m¡»m¶["¡Œ„ a$ÂhºMÝvÌÃŽ‡„F©´T˜ö’K‰�±pB1¹�ÈQîøõòEï€-*,)\s§…U]–õ¡×]aµ‘å¹ókçË
-<xÈjÀUaZÆCy$#”J§†*Û‚-ëjå‘=â„G‘ÓÅ¿(å¥ú³‡grF’4„K-(Œ
-¼¢ÿVÇY�]ú?'8ò_ã†Îƒ‚Þ•´ŠÊuÝÝfk×n³e°Íå+Ÿã¶öZkÂï~ʾ¿•7ŸÞ¥ûSݲOŸiÆ?å×?üð.
¼»ýþÊïRÃs{ÊO¢½Ô†
-{ÙlWÛG“uŽ¾®Ê£n1hÙ¡v¿Ó\ÛO�/Ž8üúîý‚CýnúpÆ[:œð°W8³V•j2ËÄ\Ô_ëO{_è;ˆ(.†_dņßLÿÈÁ¶úX)ŸÝ�NNqvYo·ª2Žˆì2K¦@Aà€Ï’0–ˆgyž !©%]X™«º
-uSÚ=Q�,Ï¥2²ŠiÝ8qìíƒÆú UrÎÇ”ö4]ñÅÝJõà-Ëðg †îÅÀ¼).¤eÝøú‚
Ê}Ï{qô©*
-P)ÝaaíÊ�X®..é¶e¨@çvaæXµm¶v+Šu…ZŠÍ=‹®¥Ô©ÎKŸŸ—¥át™UØ€­‹ÕÛöþ„fƒ¬³¸¨Q4fÓ»ÕcD8„¦öË%¼Ú—åñ´�6¾ÊMHˆOlp=€{Õžs±ÇÔíÅ…ˆ`z_às§.‡=·]³o
-®ËŠ
-G³ÊnwJÚ—¶‚¨
-´Úrx¨
zŽ'È4p<„”§\Å ^¯;Ÿw¥$‰x:…!w)7è57‡F”ÑèQ&î!ZNovQØÏ{ÕZM™Û<Z1¸FKáÉL£=EYbka§{l3³¦ˆÃP»SK$Љ*/Üx#Eq(¼¡¸þ¦bÇŠ©Ë‰¯ €5-úDŸç „µã
-û mÚ’šÓ{6f°±ü¶Èíöø#ìÀpБÔÁ”=¦CÖocliô½®¬U¸ Rã‘_ŽoŽÏ%<›�X|Ó±½ÉH8
eÐe$mdŸÑl:ƒoAYë¼òÚ$uؾ�àØÔåc)z¢®ß´rÔˆ�{pDN=v²‹Q‚Â7#ó䃚
zT0³®ÊFaÀ˜¨
-×7?a#Wzº*´›Y&ý“E8|YÔèIAwîBK ‡��‡•‡S‘(´ó`ãæèã’BúÑ'
Ÿ<\À®¼éô«×Ê•Œ#>`AÎÒð>A(©.€Ò±îw9„
Ç�°Ø…ŵǰ1‰X/ÚBÍóŒa¡Þd¦
y»I^uK}ílU¬	ŒAui­Õ�CÖù°4mÝt[æ¡}ûÑcºˆÇ%X�ÁØÁ>ì™q.W€ä*÷j†‘8eñ%f×¥<^ÿEÚÊ
C¶Ý9ðv¯v™ÃzãTVõfÄS^»3Lð%zgiÔ˜é g{äuéÕó^uúŒÝ]Y-ñòðb‰ÜõëtÕç‚…MÐ|ióE<dí%.Ž£<©7�©lŽÄyè»Ñ©¾ÑýåxžR¿°K—i–=°ÂUŒÂhüTðÏYʧõþ,¹;dÕÙºËèì!õ¾;Sö>yîêƒj `öœ‡k7í«!T}°«Ëbé+9#@ú’!ècòyö�C
+xÚ¥]sÛ6òÝ¿BÓ—HsŠ‚—éƒâ8©{M.W«÷Òö�!‰)E*"G×éï» H›¶“ëxÆ‹Åb¿b¢C&2™DIÀ4z²Þ_ðÉÖÞ\™{¤yëåòâÛ×*š$,	e8Ynz´bÆãXL–Ù/SØÀf@�O—7×ofs)d§—ß/Þ/¯~‚©æ€‚‹Wÿ�	!¦‹w—W¯péÕ»¼¾ZÌ¢`ºüù§«›ÙoË.®–ý;®,s/~ù�O2¸Êœ©$Ö“[˜p&’DNö�VLJyHqqsñŸŽ`oÕm•‰àLªPŽEŠ1¡è„…JªN(‚ÉÙ\pΧoÓ²M¼çSšcÚäUio	´T�Ÿ
+‹UæÉKÄ[¥µ™‡V‡ŠëéÛª¦C7—××D¸9æ嶦ƒ‘5œ|J‹<³7µw‚%Zã݈ªÅŠ‡û嚧uÝî
„Ë�—CaÊm³C`^÷îO÷mÑä‡bp·xJôA/Q<11æ€k�nºṉ&ìþÚÚdÀ‘ 	ÕÕ€¥¸¯šÁ-Ñ9Ší¯Ó+ƒß½3
Ç̶h&c±˜)ŽØ¢¨+ËF$Ü¥Ãhú{YÝ–8DâO��;¾ÇY<m	ÖìGU»Ý‘ö­YÄ’©0‰ál{ä~�&1b«Z² ².ä«#R'ÆÀó"%Ø
ÜÓ=±Pá×_—˜í,&Þ­@Î
‹%†²ÍÒ&eÝ:Ûr^¤B¸?û¢÷ÄËêpB1�´Q‡0¸
:«·cИזã¾/+gtÚzòz——¦~Ìwù®3Ð8DC�5(ãT9;
Àz]ÂœÍÂB"ÃÅÀˆÚÎ$íæ™°n]ªcƒ�½
.ózOvU[dþT„Y;²�ˆ:Öôtíñ¯w؈׾^¾ŸA|Ÿ>GqÔõŽF�)ÌaW•†æ¦Y?®ÙéF‘n®ËMuÜ�hÇ?¡oÂÄ	©¿ú/sz6Ó Hœ^}ÎëÆŸ'£ëõ>Ý‚.1èç9C$¼ì â‰r2`<L4aÙsŸ’H˜Ò‘êQB6å½�i+¢×iÜF‹Î
+êÓ(êܵ>WP	s!ã;•†c$$ÕK
9¼ÊËÆÅv_ûÀ²s[;ðX^áÛ2ÿŸK7
+r¥mÓd-Äô—…½!ª>.Ù14 sÚ˜zRu�nýŽ|[¢”"ç'CÖ-—¶ëx>œÉò
+%Øõæ1$¡#ÂR»^Û¶(Nçc¬òMæBBt&ƒû!¹—õ]*tM;^ÝcT?æÈþö_š�ƒ.CEÙ‚µ?��‡öþsmîçå§S°�2<¶|Ö8JÏL��]\™æÖ˜'Ím…›0h·‹¤¨n°>åwfeÇû¶n�þŠV›ª nwžü,5•g¿¾²‚zÊFä|yvnvfÄÉ…�P�„êÿÍľF8ŽÕ:‚©H$OÕ:‚é(öXTãåwk±ë÷ÝÅÈŠÏUÛý“cˆGJö«,ùd•åE½9´×L�Ö*,Ô:æf¯[
øí�”Â{Oí‘(P^üùw«†·çÖ5JèH�•¦'­hé@R5Šmuß6¸D�-ŒP°ÝêþXÓº|ÉXUú¸˜wsàe•¡eÕ \“ºG
€¦%w.Ü#‚í ª1Èßðž†Ù3/)Ó¥ËùC™òN_Œ
Þõ˜u%,P±zº„W�ô%7È5s—Æ,c5Ðe™¨KY=·ÀrŠSdöckj’”óæÁŽžG8)g5
θ͋G+Zîr›[um@äS0€êƒYS"¡„®XsýhJrq2üªf‡Ø´íÄg`€T‹6ÑÕ9˜Âêa€;§jîo~ÃÛE“.Þ�5.ß¹ÑàrÐa€N÷VÐ3‘uÛݳ„�4PCeÚàs¹eÖ}wC@^Žµx«aðdDÐg]^Zåm[ztÀ.h»±æîö#8X]äöçöìÑ>n!p<A„ÚSñt˜DwŒÓ¥“÷¶$­HÅ´ÖáÐ.‡ž3f#ŽÍp¬¾êÚ£ÅpyÚ ûE�¦"ˆ^´©œÁ· ´öV¹pEŽ/!8«âé’ÇöoV8zD(
+œ>$fN;ëÅ	Á‚ðÍÈ=ù d
 endobj
-766 0 obj <<
+1028 0 obj <<
 /Type /Page
-/Contents 767 0 R
-/Resources 765 0 R
+/Contents 1029 0 R
+/Resources 1027 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
-/Annots [ 773 0 R ]
+/Parent 996 0 R
 >> endobj
-773 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [389.9997 61.5153 458.6717 73.5749]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
+1030 0 obj <<
+/D [1028 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-768 0 obj <<
-/D [766 0 R /XYZ 56.6929 794.5015 null]
+166 0 obj <<
+/D [1028 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1031 0 obj <<
+/D [1028 0 R /XYZ 56.6929 752.2692 null]
 >> endobj
 170 0 obj <<
-/D [766 0 R /XYZ 56.6929 769.5949 null]
+/D [1028 0 R /XYZ 56.6929 663.7495 null]
 >> endobj
-769 0 obj <<
-/D [766 0 R /XYZ 56.6929 748.9393 null]
+1032 0 obj <<
+/D [1028 0 R /XYZ 56.6929 633.2462 null]
 >> endobj
 174 0 obj <<
-/D [766 0 R /XYZ 56.6929 700.6394 null]
+/D [1028 0 R /XYZ 56.6929 587.2939 null]
 >> endobj
-770 0 obj <<
-/D [766 0 R /XYZ 56.6929 671.7552 null]
+1033 0 obj <<
+/D [1028 0 R /XYZ 56.6929 559.4406 null]
 >> endobj
 178 0 obj <<
-/D [766 0 R /XYZ 56.6929 470.7895 null]
+/D [1028 0 R /XYZ 56.6929 362.928 null]
 >> endobj
-771 0 obj <<
-/D [766 0 R /XYZ 56.6929 441.9053 null]
+1034 0 obj <<
+/D [1028 0 R /XYZ 56.6929 335.0747 null]
 >> endobj
 182 0 obj <<
-/D [766 0 R /XYZ 56.6929 233.8866 null]
+/D [1028 0 R /XYZ 56.6929 132.2109 null]
 >> endobj
-772 0 obj <<
-/D [766 0 R /XYZ 56.6929 205.0024 null]
+1035 0 obj <<
+/D [1028 0 R /XYZ 56.6929 104.3577 null]
 >> endobj
-765 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F14 608 0 R >>
+1027 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R /F14 681 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-777 0 obj <<
-/Length 3192      
+1038 0 obj <<
+/Length 2907      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ZÝsÛ6÷_¡·“g"–$~LŸœÄiÒ›¦½D½››¦´Y¸R¤JPv|ýíøe&éÌ�,€Åb±ØýíÊÑ*„¿h•ë TE²ÊŠ$Ða¤W»ÓU¸º‡±®"™³ñ“6ãY/·Wß½IãUiœ®¶‡¯<ó<Zm÷¿­_½½ùe{ûázëp�×�†ë›×ÿ¼Ž¢h}óþÕíkzýþ#7ÞÜÞ\gÉzûë‡[¤„ÌK‚TVnÿ~ûïëß·?^Ýn{ùÆgˆB…ÂýyõÛïájGùñ*T‘ëÕ#t *ŠxuºJ´
-t¢”§TW¯þÑ3�ÒÒ%�h•:�³¥$ñ*Š‚Bëx¢]©ŠiVéõ&
-Ãp}Û¶MëðP°T�ô®6qÄ…NiÍöh@Q¶>·×Q¾nvÆ9[ß3­9à7]o?¾û�)ÎÞ×fÏíL-ï�ãÞ®¬y2ñ1îRu<`kYjL[VÜ1-o×:¸‚¸È×ï<P~qáæxgjáß5“•uSoðØxÐ^axP>Cœ¬ËÇ’eä®3-†Öñ	1ú›Ÿ?ütûáw>…:<4í©ì¸ßË“mUqëN8ó.Ý¥…£oÐíNF»ãT€“º‘­.õÞ´®+ëý°ná|¼Ù®¡ï´ªÂn—ôëµÿ–cÑä’€L7
ß“u»¦þ†ñý¥-;ÛÔ(¸
-Áµ\�‡…'¬îdÔ|>Wvg»ê‰û_Ú{/ÌÏ«Þ�$Ô|_“sòÓï-^õ`Ð!Nð-ùãÎfgqÃ�ôûkz¶y�ë$#¶h*Îq5~ØZTœ�­ü™±-*7ö
A¿zd±´BÆöÝ“Ì«ù{©ÿ¨›ÇšWýažÈ�ÆU’³š‘.wunj',ÙJˆ¡ñŒd›Ëx´Ýf©HXBCŽ÷j>w y’è½Ysw×ì
Os¦
_Þ¼F§‰òL!
·ä~‹h¢Aèö„öLƒ*äÕÑHƒÐP~É"ÊîÒï¦pP|¨*ÌÖû†8�’ÊÊîËΠžãP”>Ó3,=ÃØ�Pz=U£
…‰H#͆ÙD³0(š
3ÒìÂ¥‘ž�zŽ
wHÅIJJJ´ßZc'ÃÃÄöLÅÃêAÅБ“$šGá@ö$CÍ¥svï;þòyqzU5�tHXÔ–õ=©5-¾î¦¼’c¥½ËS){ ôO\yÁp”ÝŽòÇFÒ b¤�TŒ]V1N#ãE¹EJݾûéö³gUÞ±)x$�­\(ÂÍ]°Ãrÿp‚$M¯î•+1E¤0{hÌt
-
÷(ž?š58q(�0'qÜK8ª(8ûîXÖÖ�˜z c
:Ü@p�Yá0vojƒ!�ÀN‘h},G
L�fvç}ðï�©y°{l˜zl\ç((G¹ÆøcFT’ð
-6þ$“›økNp[x³^üseé$ÃH‰¾ +Pgæ‰LSŽ<OÜ96�(¸xJ¤`¤¢i¾¢+Ò	
-Ôò‚ÒñSF‹ÕÙúå»÷¯yB!ËOçÊœÀPÏoêJ7µŸ
²DáE6s’bé0�T‚®'Š½3øo¨[z6›·¦ªNôÎü	pŠùŒqoHÄ|ý²!wC§v^¬á†€Îí?/¶·RM#«ÊÙ»d²8AndîE¦8ýMNo«¬ºcs¹'gˆÞÕ^C(åÎÒºøò“TKrã0{Ä\\o.Y€t
˽+B6øù/\¿g
-c[vò3ÓSQ$…ʾn{`Ý�àä2i”~ðN(A„‹áFÃMP€Ò¦áSòìj$€¼
«Á°¸GyHid¨ì°?£’).f˜ùÏ.Nt�…qôͳƒ×%‰G1ó0ùÌÃþ™B‹ÃHDUÉqW³ÎÄ›dŸPº¬1öÛm5÷`á|�–†Iš|óxi”ûûg)1*TN¢Ç�`v‘wWö¦2�ŒNAÞ+BÄM@ËÊ÷XÊ\1äÛ\9 õ^Š3€M« MáÝI&0dÄ÷±†œù[î4u²dÒJ³·¤om;ËÞ»”¤}¡»«,½>l“#…oèüt¢Õ{
-N£µÃ™‹ŸÁs	ÿ$¿�^L+{ᛀ°ºÈŽ@BØÁ/Qç�NÓY˜*Ïrüs‹GEÇœ¡Ësœ0+IÜ'îø!™Šx½ƒYª‰ÛFG?Èѵ{Ln`F•¬í�GÑ<è*CLâ„
£,™,hkMÝ•èùX¼E$2©-|ñDÐu>óÒa.ÐÀƒ8¤Ìõ†£­¸N’®oy±DrÐòAì×Fî8ˆÁÂsÙ¦±ç’B,Nå
--¿Àéb0Áñ÷Ü8gï*ýðÛ‘Ý£“ÂWþŠt`öÑì.­íž¸‡jfÁ
 �ôW¤pâ>
ánîìÒ¯bZ
�ȼ}$]iÀý±Î§ž�êŽNB‰fž€¯ÂGΗ›ÉO^ðåÈ�¥ëÔ'S�½„'ð›â™@Õ
{\ùÙ&Cˆë£töÆíZ{gdŒÕ
	âå0³ç˹s–ù:ÊÌSôáqf�˜æ»Å—û®æÌ_`,Áï�+«Hæß	€p93¡ä®ßˆçìFÅzM›
µøñH9®é'pcÖ—ô©�´Îœ…ôVyd*W�x'ü
W«
-Àsíýý¯˜X»Goᦿ8¤S¡9ÁŹ¶ö­,!_9~/|6å‚?¥A>¬ҞթOT^Úþç
-8'&StÒ\n-ÃjýÒIû2ñP·‡·”�=LÄIáS™Íqá	�³ÑEâ�lskL5ÆÎ?RŽÀðÁÂ6·*Kuž4a—�ÓË"9¤T0Õzý¾¡è’jïlS@ÓÁ²ˆÈ÷�ÍY¹‹wè!81Â	_ne¸ê½�\6O”~ž÷?¶ÉUÆ£_è›öNŒ�º—-w]Cé3Œ7ílÁ³9ù^âÿ[áò…ĹtRè¯Þˆâ(�'7B?.ŠƒÀ]ÄnÇÂy«F¡$rú†A–fÙÒ¯‹³ÐÄÁçj0e[Ù.ö·2ŽÖ»æt'Ʊ`u{T
žƒ—Ö�Ý⨖þw*þÃÅÂZ„ý?Süßÿ×1ü#K’*Ïãá_6¦y^äq‘y¡Pwq4—¼ÿ�ç¢ÿÝÕ;endstream
+xÚ¥YYoÜÈ~ׯ˜·Œ
+PÈŽ‡•U]mÈ-@Ð^c((Ë„ëì1ëíº6o€1ÿ/��ÒF@÷óÕO—WWÜù¤Œº­›CÖr¿ç|&=eÉ­Ù™Oi»D‘½A·;e÷˜mRÕrTWíó¼£Úëä“(Í®º­j¸
+i~3^áŽð'„n¯AhÏ4¨¯öG„Î @¶$Jžµ]†Š@PtT­âõ¾¦��F…¤‡¬,03¡žIsHŸé–ˆžaìF(½ž‰*ŒÑ�²‰ˆ
¤‘fU<Ñ,ŠfULš]0sÒshPÏ°£ÇRq‘’Bã΂ÖXÅáà˜Øž©xX=¨:"Ihx*2xÀ{×¹å_–§#ð"!aQ“Uw¤Ö(ýz˜rJ´q!OG9€Ò»¸vŒá(‡íÄFÒ b¤�TŒ]V1N#ãE…MJÝ~øéòsdÕ.°i'<’ÀV:ÊpsFDËöÿ‚ HÜ$ÁÚâY‰SD
+o�™€ÂÉfß�ªµ
+Òl~ÆóxŽÇð�û¦ìÅÍ$LÉÛ#�™ddRç©ÐâÌ�	‹ *—¡5ëLJlÐ…¢©¹�ÞqX à„kÁyò¥YÂ(ü¦x‘Ÿ¸ûß
õ%[»Ê‘h¬Có.µìó2wÕ§‰"Å;E¸’k+ò{ïJbÈEÝYWâé•”Nü@{Q¦3y,Û4ÌŒ‰¾QceÂ%“Ö†&ýVE[pÀÄ.½"F¿ÐÝ•y¶)–Âo�éÜt¢U{ÊO£µƒ‡ÌÙ�Á]”ú.þ]	çs—7rú¼
ËNN"öD“x&ŠÒ:ŠøǦ Êy–ßÌZÞîšßîøC<¥Áz3ƳT:Þnãûì�£j÷°
+Â" +Ì:¤¢Ž¢yÐ/¨lÇ%AÚ€�–LÀ�区j3Œ|ÌÞ"‡�çÝÀ‡¶¨ó$J«DÐ'à9ÆqH™ë
G![q©$Z_ܶž)p@Ë%±\¹á$�Y°¦8f”bq*'(Ë+I'@-*®o`ÑË¡b}šn%ÉíÁC›CáRt�&þŠýÞ__ákK3ó/ÙNÐÆ4ðÓîG°lëp
 endobj
-776 0 obj <<
+1037 0 obj <<
 /Type /Page
-/Contents 777 0 R
-/Resources 775 0 R
+/Contents 1038 0 R
+/Resources 1036 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
+/Parent 1044 0 R
+/Annots [ 1040 0 R ]
 >> endobj
-778 0 obj <<
-/D [776 0 R /XYZ 85.0394 794.5015 null]
+1040 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [418.3461 669.297 487.0181 681.3566]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
+>> endobj
+1039 0 obj <<
+/D [1037 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 186 0 obj <<
-/D [776 0 R /XYZ 85.0394 769.5949 null]
+/D [1037 0 R /XYZ 85.0394 648.2128 null]
 >> endobj
-779 0 obj <<
-/D [776 0 R /XYZ 85.0394 751.9762 null]
+1041 0 obj <<
+/D [1037 0 R /XYZ 85.0394 619.5539 null]
 >> endobj
 190 0 obj <<
-/D [776 0 R /XYZ 85.0394 586.2284 null]
+/D [1037 0 R /XYZ 85.0394 445.0359 null]
 >> endobj
-780 0 obj <<
-/D [776 0 R /XYZ 85.0394 552.101 null]
+1042 0 obj <<
+/D [1037 0 R /XYZ 85.0394 407.9434 null]
 >> endobj
 194 0 obj <<
-/D [776 0 R /XYZ 85.0394 373.7735 null]
->> endobj
-781 0 obj <<
-/D [776 0 R /XYZ 85.0394 339.0798 null]
+/D [1037 0 R /XYZ 85.0394 220.8457 null]
 >> endobj
-198 0 obj <<
-/D [776 0 R /XYZ 85.0394 207.963 null]
->> endobj
-782 0 obj <<
-/D [776 0 R /XYZ 85.0394 174.5031 null]
+1043 0 obj <<
+/D [1037 0 R /XYZ 85.0394 183.187 null]
 >> endobj
-775 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R >>
+1036 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-785 0 obj <<
-/Length 2942      
+1048 0 obj <<
+/Length 3089      
 /Filter /FlateDecode
 >>
 stream
-xÚ­]sãÆíÝ¿Â�9yrÚì¿Ò'çìK.i/­ít¦—ä�i›‰TDÊ®òë,°+RZŸ“iG±ØÀâc)u.á§Î“T¤….γŠDªä|¹>“ç0öÍ™bš¹'š�©¾¾;ûò}ªÏQ¤:=¿»­•™çêü®úifE..`9»úx{{ýîb®Š$1³wß^þãîúæb®	DDryõ¯¥Ôìòã»ë+‚Y¼¿¾¼ÈììîÇ›ëÛ‹_î¾;»¾Žw¡¤Añ~;ûéy^Áf¾;“Âyrþ/R¨¢Ðçë3›‘Xc<fuv{öÏ°àhÔM�jEI¡
hàT-ÖÄÔ’"5Ú8µÜ=ÖÛ•ÏjÜ\:[ïú
¡dV®úŽp[vëõ®m–åÐt-=7Ã#
�5Ï«ÖMÛôöºmOƒÝýѦ$¦í@e[}Ùm™Íc³ªˆì÷®eÞË˶ýºPñ°û¹R¬¨ÝV~­÷=ØÏZ°PÖ̓2fÖ×Ëݶö4Òå°ãÞ3`ÝN
Ó´n³®½'4‰ÀD|æC#÷n€*éÝû¢–å¦\¬˜�è»ÕSÍ3`‹‘M
Û‹|ÆF‘³fè	¨Ê¡„½%Á‚
#ý³bµI�Øñév�Á# n—Œ!ýËY¹#}ù>ÉFþ¤³BØ4ÏAd”ôê–h&>§¬°6ñ$ÄsÙ¹gÅ+G’Uõª~>’vM;§Ôœ(”MAG…�ÚnÙ÷(º±zÖ
èÍ
-¡Ò¬`ŸªÚŽö6þP·‘%SpR[(¦&·ï¶åzzfv}ÍI¡FÎHäƒb{vÂ<©Ê¦.ˆ
GK
-2>œê p€8È
-7q^æon/o¿½T"ÐŒô�}÷ÝjÕ=‡À…%ƒ%á°�‹’YšÏÍ0av¦ïDZü4Åé¼J³Ã¸ÒHÔÿ)Q_÷Ê]
i˜mü/š�¨ HC•Y2Ýñ4�ÎSˆ4ó’žAv‡\ÐvǦv>ï ‰œ"ç'ʾ(@™˜¤M
ÅÊ°Ù¹<+g˜=WuO¤m„ðxà“£yµ[ÖÕWõ©TŠ™�B¾ŸÊõ…”ÉJ›´G¤xÉR‘éµ�f�TAP|Ûô%t’L’�õÔÜ7Ûæ	}'"�´hŸ½~–‰|>ìÆÈ™[�@WKLùø„¢„ýÄ!1òºAz8D`(`U…}O¢Èë'ãd
‚12��ÄÜãYnÃAîIH¥Xjlî6sw%”Ž{{Ì‹r#Ò<Õå(,Ù²ID26sÜ1¦z+ƒbõò-a!h GWÿûUÂë$'cxx°–b̳­ˆš´
ä¤CÄ”¬(‡seíÔP<6ã!	ûâ1˲¯ÙH£ü¯fÞo9…Àâr´†z!ª¨<™•–÷ÿK$Òä aô”„%í‰5×Nȯ£ç(ÂåÎó=f=�qÖÓ>nãvv‹ä*ô
ˆ˜&éI‡GÑ2ìñÅÈi!Ä%‰ßaü|C©i¥Šm.Z†X=Ù¡ ×hpŸ“Ý&²D$Izê /Á¤,k)+F•zƾƒXî°
Ez×5€âø·©·Cƒ'GQ5‹dÍáx�’Us�³îëQ;æÈÁ'	×›ºäåXŠ<t€ƒœ8�åYL”/'W“KorS!b bè»^
 vÁ”M�«)è͵t¹âÓ–ûb¡²púÞOX®v•Ëâ~V$üh#ŒLÌ+^“‰´ÈÓ‰ÛôÄe×#‡ÓÚÐ"rÄ_>||÷·¯bõ!”r�±2™O‰}¥«�ú?Úwiî»nÁUCíÚ¹O\ýߺ/<¿ÇÍ2¨Iþ|÷ÅÝË¡˜Âåù\©€ŒZu`í>–�µ€òÉÇ
t±zˆ	êË“¢8±©„àÛq¥Ùoº¶jà`9'’ìð9îa0>÷»…ë[xÔ;³dg–jtù2`ùžúÄCìÆ’4àî¤ò¥�‘ÕÝ9œnwŽ�ÕG	æ#^AEÃ_fÒä³Õ
h8-ŒO
-Ÿ…)¡½�´’µR„DûÂ?.L"ðo‘ÿGÈp´ÿçcþ€Ù乎ÿÑBg9$eX„…BÁµ>‘ÜÿmãTôÿù�endstream
+xÚ­Ërã6òî¯Ða«F®Œ€
+F;·béù»Õ¾^:WG’Э¼ø\õpƒCçˆÔƒçãs×@;ïê':ÀŸÚÆuIœQ$Ú¦d
ïäÔí÷¬Ü_ͼo	ݹž‡!Jz

èÒsLc¸ÈJ¥�4)�/q¥Îík×1�ŒëÝŽQÀHׄݺž�K^ï±ÝlÚ®Ië<ŸýîöšŠ±p(‚të:®Z÷ëÀü{·/7ø’éÛ
Sôë’71
ò¯ˆ¶naÍSvdõ+×u|üÈ|>^Å}Ümʺ¡¥²¸Ô¶U®/kfléàœ—E:÷'µ¬5Xu³™2ƒUÙ9oÙY•wUÜEë¬(ewY¬'<
+�)´b’vÇÖ˜8hÝôÁ%=À‰‡65j)Í4E$/÷åÖõnß¡G3¿m{GC$e‚M‘¤I2¿ê "Ü!NúÍ={KEyã:rc«•‹ÇwjÉŒRV%¼ûåñ¡ÝÿV7O„­xËUßîŸi¼ÝŸL8£
gß¹U�¼x-Íòù8é\!©5Ó4RMiÄ$©´éH#hi:§
+&@íç¿òéTQ8åÔ¨!–ý�GøÌ€õ'LÝTxLæýLhηjÌ>ïC#�þ€*é=º Vå®ä|®ØñºvóÞñ8âÄ¡úý%¦'Vcíã
+–‹	(Ó·cŸ¡
+ı¥ç±|,Ð…µI&ó±	bÀ�ÊdX³á; 2)†ï*�†^â¸×)ÒµÓó9¸ArñR™%èCí+†”
+U‚Ê€
+¦
+9a¼Áçïî¯î¿½’/ÕEDDÍP\(ÑX¬±³�‹’yf¡­îG›�„éÇa,?O±Jx«
+µ©/�÷±DyM˜—õ—%¡·@Åý¿P-”…*r3>ñ8�.2ˆ4‹’ž‘w�\ÒNǦö6ï¡ŸÉtœ	û²
+z
+r²?Dnc²³Py	&åv(¥¼Tê9Ûb¹ÃÎùâ
Q\×
 endobj
-784 0 obj <<
+1047 0 obj <<
 /Type /Page
-/Contents 785 0 R
-/Resources 783 0 R
+/Contents 1048 0 R
+/Resources 1046 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
+/Parent 1044 0 R
 >> endobj
-786 0 obj <<
-/D [784 0 R /XYZ 56.6929 794.5015 null]
+1049 0 obj <<
+/D [1047 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-202 0 obj <<
-/D [784 0 R /XYZ 56.6929 684.186 null]
+198 0 obj <<
+/D [1047 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-787 0 obj <<
-/D [784 0 R /XYZ 56.6929 655.2772 null]
+1050 0 obj <<
+/D [1047 0 R /XYZ 56.6929 747.8139 null]
 >> endobj
-206 0 obj <<
-/D [784 0 R /XYZ 56.6929 387.8252 null]
+202 0 obj <<
+/D [1047 0 R /XYZ 56.6929 540.916 null]
 >> endobj
-788 0 obj <<
-/D [784 0 R /XYZ 56.6929 356.2664 null]
+1051 0 obj <<
+/D [1047 0 R /XYZ 56.6929 511.3349 null]
 >> endobj
-210 0 obj <<
-/D [784 0 R /XYZ 56.6929 153.01 null]
+206 0 obj <<
+/D [1047 0 R /XYZ 56.6929 239.6059 null]
 >> endobj
-789 0 obj <<
-/D [784 0 R /XYZ 56.6929 124.1011 null]
+1052 0 obj <<
+/D [1047 0 R /XYZ 56.6929 207.3747 null]
 >> endobj
-783 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F58 627 0 R >>
+1046 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R /F48 880 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-793 0 obj <<
-/Length 2675      
-/Filter /FlateDecode
->>
-stream
-xÚµXY“£8~¯_áè—umMa$qFÇ>ø*ß7øš™°9lÀÞØÿ¾®öìôÄĆ#L’J¥2S_&J�‹ $ñ‹d®$Êó€/éÞ[²ðXëd2ï¹Ð{Qª¦¼T>X’Y€BIÙtI+I ¤¿–ëíêXiN_ß!Ï–9æõ�Ørµ1
-sx‰áX²|*¬…¯@*›$bYŽZ*[ÊÃQé5W”žN#Jlƒ�JÝßÌx±­Å”zÐyŠLƒÊÆÁ}²—OÉ„~cYF1•sOÙŽÿEN“CX¡v°�ø†C•¹ó
-¡1PÌ8×î”™PêÓ5ü²M_�yq[/á7ág‘-CIøŠl²ˆaFzèlr£Spà§<
-Åš“ùïbÃGáØv²0�~òL?fîL×ÍlåÒåUßuöD±ˆÊµÎ�”"\z¤_ÈS¾sPY¦F@òˆ0ü ¦¬³:Û„2#Çòµø”Á†òŸÊ¹�fdj£€(ÑÁlo1/ÍYBh§ØB'ÖbçœIeiLF�€²ˆÄ;ö@¾ù9R¢ƒ©;$‘¿ùŽ=ðɸu
-ñÒA6J8®ÉÜ×*lwuK÷
-ymNiËŒ#J™Q¬m0’m3

-½˜ºîF™‰ŠmFÙœ¼T<8F϶™ï
âPò4ýèôÀO‹â`j–A™d3Ò§ç�ü/
-ôÀ;d[áDf.èçÚLª,‡m>#Ç�3a�‚0.¦~ÂY�܇ŸlÓ!óÔÏJrš÷YáåÅÇ‹X\ÕðÁã‡Âû.°lùß©z 22‚þÚ F&§#"\I‡xFE/ψ¢ZþIçdö¦
©yDmϤŸ/|FÂG=ôdzªW(Φë½Ë<#p€{tøó�*†¼H	ôðøV®¸K¸
-=Câ-�Ë„Û»‹Qµ¡Œo³³ljÞNšiÜníj}m¯ÎûŠëóëêa·²ìí›°mº¡×ßÚí8ªûÕúTbルÕ4Q�V6f£�xg¡,3GXzA·¿iÉ3ý¨‹®ÈöG÷¼œ¢Á3�WUçÓÍÞ´@gÜ�9†×Cë¤îº6·œõ6;³Âñ³ÞIo[þEåwævÁêÆd÷6xæµS… ºUç¦x’åÅMéãèÝkþ®&È~LdqöÖï©Êa¢¡8«
-ªÌy{:¹ÎôÎ3‡Ç‹~ãv«ãº
·únô†RwU¶>­Žc&ýÁð¶l¡oß)®îÛû~ãÙ)äÒêFˆà”ág¹úGt—ºh¡A_ÒÏ9Ñ‘Lš�¿”P@Ð|šWÍ;àï®N^O3„Ï2¤ziV«Úu<Чðʶ7“9·0×5!h6–o!;|oc+»p
ÖZuê�íæzMÍàæE�—F+ÙÙZÍÓQ<¯+·ÖZ5š­á"yë®o§ˆuÕC|±v­‹­Î
-@F–yîùµ6Rð	‹…¬‹Îc±®ŒÌg<ªú¼ôXS	|^n¡{õÀ‡P�<
- Ç
-þ‡åæ׸`•.%‰ÅßDŽ¬[:âJÂr²Œ¨H�Nýüô?eT:(5ìM©àP®öýSoê�į� È°"¹ßÀ%	@Š�aÖ©Ë´Ã¥¬“ÁŒý+dqƒ�ÿh/}^ÚàÑ´»NÅÓ¦sÌWÄ–ég�ia¦éü
-ù2éÐHëÃñåŽOù¤xçpóäè'Ó¸#øå‹a@¯#¤¢9™™U?ÜPÏ
-‹~ÙN
á&¿°ýPº¼,àúðy©ú·áŽQ'³‚ðì‚–½Ãôo_&>h"I‚Ådøb|•ÅÂßED¿Ã}�ìýÞ8“*˜þ_þ]Aendstream
-endobj
-792 0 obj <<
-/Type /Page
-/Contents 793 0 R
-/Resources 791 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
->> endobj
-790 0 obj <<
-/Type /XObject
-/Subtype /Form
-/FormType 1
-/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf)
-/PTEX.PageNumber 1
-/PTEX.InfoDict 798 0 R 
-/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
-/BBox [0.00000000 0.00000000 27.00000000 27.00000000]
-/Resources <<
-/ProcSet [ /PDF ]
-/ExtGState <<
-/R4 799 0 R
->>>>
-/Length 800 0 R
+1055 0 obj <<
+/Length 2920      
 /Filter /FlateDecode
 >>
 stream
-xœeU9²,GôûeË@@Q‡�!é¡%bd(dèúʤ—÷ÿ(žÑ¯
-’$¡T¬)ÿ®ïë¯ãïãÇ_¢ýþÏaíÏc‹®½Ú¿G—=ûÌöÓ1ÄF¬lÖ]töö×ãqu‰Ý¦‹÷5š�”�<8Ç—ý:\;âúãñ‰ü<q¸Í;.\ži2c¶û~ð¶e¸í×qc¸=7Ä+Àg
¯ã�ã×ctéa³ÙL1ca·cu™šmQOƒ½¥ì-¡
{wñ¨¼&kñÄÞ
-¨9xcH
-¤Ï’ÃigÙ¥—ÇáC6uéíÛ&”\ÊGTœ„Méêö–KòlÜ’Fyu|?é%åiÈ¥K”êNÊq{vˆ�*êèJE¢]8hÍò¤p0R±ˆ$Á(+ÁnÖN¬
-q�ª„Ñ«ò�^ÿï>‹«>÷—
.13×…Óƒ!¶3¢SËAÕ”ih¥Å¨Š^…(€<Îm䦽ªšÛÆlLÊâ³ò7Ù
-г2"ïE9~ 
-n*Œ1½÷¨¾x¥Æˆpîâ‹
&Xî
Ãœ§³±è\íD¤ß�ä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9ÊÎ�r)`˜¢Xh¡Ò& „hb—H°Œe"Ãê
-þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BÒ›ÀÄ5
©/¨�vp�÷o`kA“ôr±ñœÓ4N.4Žæ
-endobj
-798 0 obj
-<<
-/Producer (AFPL Ghostscript 6.50)
->>
-endobj
-799 0 obj
-<<
-/Type /ExtGState
-/Name /R4
-/TR /Identity
-/OPM 1
-/SM 0.02
-/SA true
->>
-endobj
-800 0 obj
-1049
+xÚµYI“«8¾×¯¨x—qMua$±FǼ=ï;xëYlÀëÄü÷Ñ.\�™×> R©T._¦R¼òø^‘ã‘*¼ÊªÀ‰<_Mÿ…uð\ó¤<ÓGž«ª½”¿#ùUåT	J¯Ú&'KáxE
¯šõ[©ÖªŒ´ÆäíŠ|IàÞ>D‰/Uê³7
+PEáuJº³Mµ·?´ÎKC{h˜·ðˆ¨w|ùíþÕÂÆt^x©ŠøzÁ/<T¾ú/‚ˆ8Q@(£x/Ó—ñC`n–.-òŠˆNT \àŠÜ"ªœ„ ¢n±‚8¶Í�Øu‚{ØÄ ¼å–É2'ŠªŒ÷"ü×ó°¹dxqÈF‡è
(¥Ð:™v:Å{ûÛIJ
+,2PJVü ýÎóгã'¹7Ï»=	³¼ó—…8%mkÇÙ¾T›mtŠm‹˜ƒÝ’Zð

+�ÃXÌÀ˜V‚'Ëó6á(«’ôeÿ§
\?Âý%¢7;¦q$2§ª¸B=9\”þ‹ÃN�äŸû[$”÷7–y6<×Â~eoF_lš¨¢œ÷ž
+1æ"6ŒS´Ð—5ž(P	à2
ýIÇIÎy ¥Ü¤Î‰Ä	¤~‘øп (CN
J&“Æ€f¢€
+jæð|j=ŒÅãÔ"Ÿõ?9x³ðåë]–·Ö—-
+c <Ê$;Tgz.ùó2+VEçÿ*²s©ú´‰eÇfä®?Ó“=ýð™)1ÜÔ~[=3'[7u“š'<Ü‚tß']õÀs÷D°ŒJÕö€ô߸ßV~!OõAA%•MX!m1!F•ÚÝÜ‘t°F’Ö˜”1ŸV*–ö¬x*íäðd[L£9KÆ)Ù†‘‹›;÷œr¥iLf­�‘ˆÙ©–ˬÀþŠ‡Gù=ئKù«“ù,•i‚1ëvNÐʆÅ
+B*³]z<J/T¢ŠýAa'‘cÜHRCñˆŠ9ñ%Ii´ŒK0©ô쌆içé„ñGí%
+½„™îÅ©ŠÙÍJâŸÚý/A$­‹
XïJžvŸžè´È!
¦=%’`Ч/ÌÐO›cß�íŒ1ȤÙLXÛlFN�¤ÌÄ!9fÄî!nr{LXótãK/!1WШ�Ë~$éÇÂû!á«È?©xAæÈã»'DœŠob”¹L§DN•eR9Y@lâït"ƒMnb’šGÄvmv|‰ô"‚
+–§rst¶ßÀ·ªè˜ß¸oL2î‹Ù
+‘J>½ý¥Ä€âx€äg/ØWÃ?àƒ×$�Wa†ˆi†T.�JŸŽúæ^ùÖz<æöª*…�úâ=âÇ}Iì®·Ú.šƒ•Q™ø£mcµbê|ayIy)ZªîÆiœŽòyU¾7WºÕhæ·÷Îê~ŠyO?$g×¼lõ)E¥µ:]}½.ÇP3ûÊá²ðv|Ã] °þ}æïZCAœÞ¾:dè]}Sökrë¼¹,[åª
a3¨!ËܠÛ9€¡#Ü.÷¡:w¼þ^Þ­7s„½{v#­A±Ù“§ÚX¿W×¢_Û$Ås‚›¦·b� Î¥¶·Ý•T;~¿ú•Ùjy×ÑÜ«”AÏŒœE¹Ûo4­r¡‰îéü]8vj7ëäÚ­Óþ´D-aѯ˜“÷«k@fbÐÖGg¿Þæ¥:/oçÖ}xŠLœÖ´­×Ú «»ôìú:)‡`¨�yµÂÿ#ÃûgÐþo€�ÈÁONßܬ�Âáæ@ï÷¾ìËø¢eñÙLÈ‘Î�k>*õúdTá
íg8ƒ©p
Êmg¨ª£Z‡Îýb^‡ÖÀ¸ò2è
e|\ãñ¸ÂÔU
é§é|Àf³èÝím›Z0hP+œ�{zûÞ�:³º;Î
Í/MÚ¯BÉä‹žÄ÷åq�œÍ­ïŒkJíÞ
wýòH®Ôo–m#õiSG±k­)_æÛ°-U�Q|y_®¬»·ìíNs#ôëvÛÛ»µº�áz9Žv·q‘B¯Ê{5Ùqÿ¶ì¶ZK{rf;�®»öxá[GgØißϸ‰kòRá�5WgÙÙªQ­½	|Ð$Hw®½QžZ½<	z‹÷:Ò�Þ+2Bnu–­Î¶²ª‹=Q��wÓQ¼ê´ìzM¿Í—Ñy´²ãU½=9oëõ¢ýE8íž×[ÛÖ:º/5¶ûû-àt JãÉ^ٕݶâ®°/Œæ¿~Í$³d`ÿ+°¯øÅ­P~5ÇqÿéO„¡ŽPÑ_ü#™þç?X>ÿSÂê!E�Ÿÿ�<}`ä%¬¼*gJÑ’¿jþø'æGÕÿ
¼!Xendstream
 endobj
-794 0 obj <<
-/D [792 0 R /XYZ 85.0394 794.5015 null]
+1054 0 obj <<
+/Type /Page
+/Contents 1055 0 R
+/Resources 1053 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1044 0 R
 >> endobj
-791 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F84 797 0 R >>
-/XObject << /Im1 790 0 R >>
+1056 0 obj <<
+/D [1054 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+210 0 obj <<
+/D [1054 0 R /XYZ 85.0394 717.5894 null]
+>> endobj
+1057 0 obj <<
+/D [1054 0 R /XYZ 85.0394 690.1986 null]
+>> endobj
+1053 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-803 0 obj <<
-/Length 2020      
+1060 0 obj <<
+/Length 2379      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥XOwã6¿ûSø°ù½˜%E‰’rsg2múö¥iâéÚ›ŽÕ‘%W’ãÎ~úH–dMzØä �Aüý´šKøWóГøÉ<JJÎ7‡™œ¿ÂÚ3Å<Ë–iÙçú~=ûî“ñç‰HŒoæë]OV,d«ùzû›ˆD,@‚ôî5‹¥JïùóããÏOykš¸ ï÷÷‰JK¥ŒÔÞ‡W�ë»'š
XÔê㯥”·zøpÇ>><ñénµˆoýùéîyñÇú§Ùݺ³¤o­’ÍøköÛr¾£šI¡“8œŸa …J~˜¡a u;“Ïžg¿t{«në¤÷”¾O]»/ðç*:€Å¾ÿ„†aë?p…”迷֧㱬dŵïÀl®{±‘ó¥%ÚIef¡£ñ³;åùW$�W“ôšÒ<'bsªª…Š=[4Äy[û»”~a·,£¬5É(w4Å:U¤KTS²äí–Ö¼)-¶“+—-!yY~9k�¦¢qJ‰$}gÜ={æœ9Ý�Jóº$êT[N¹Î›½ÓlMS
sÒ/Ìþ×ÉVY»|Þ[vzµˆ½SQdÅ+�KžO‹ñ)›ô˜¾ä,­þZ7öpQ>‰öc§ü§²P¼yN�bèÕ™|#?h#Ë	}zaæ²pA‚ùüÑY¹)I(øn©!­Ö{KËäXrÁƒ‰•¡ñhMf|ÐÖy=m\"
-‰zbT[\¦Ý†Ž¶´Ô«£Ûøw­àr¯V`’r¦AûmÖde‘æ´ò;TZ‘½@Ý"ELˆriCëP2[šu)ˆ"ö–Ð74=ôÕ±¡÷ƒtdG#Òê˜Nà´�Ñg¾my
-= Ýíä¾ä1ímöiñjk`&êÐwàë&n1"*ñVÅWšK�Ç<ƒØC®¶¹Z
hùHƒ„>[>°("N¤SÝ80hÒ‡;›0ç@æXO’
ÅÛÛÚoÓœª‚Æ)-!Á€ûŽ¾¯€Ê…»Ì|ïžY�iÕd›Sž¶¡£XÞ
-:|›ÓÈ¥³f,F! }“"]Õ…ÔpO}´›3ÜÖ#9ðhȺDÓã&Üý	"X-ôDn¿y¤qE0
.öïAö†o´hä®DÄq”8Îýütÿ¾;
Ä„·	€èÉž¬ÁÄÈV
ü W éÕŠÃÖã8,êvûßÞªo„¬§ƒó[d(&‘é,=,
-Y訔w;xác™÷rB
ôøf˜ì9�§º:FRîÒ¢oÚ‡[³Ÿˆ Ò@Ë@q¯q{»ƒ¿[•@ý›X#—+e„4AÄ›Òz„Ž=›¦ÚCÇ×íOUtût| ä�p�%ÿhAý�Eþ÷òÔR»—:œŽôMyqP^8‘ñBÁg"M÷v+ªí¾¦¶bÛ×WÑð8mëuuó•è^¾uR�÷ç	³JC[•^™z±CŠ±"xC]‡>€¶X%zÔ?‹	‡…�	q›"Y«3”	Uêâú'©/6³Á§¼a�îþÇa$é¾E¶\†Û•y^ž»XœËSÎQ�]¾e[ËݪdŒ6	Ã×–F—;ôŽ™~Mqɶõ2Îæ©Jbá«®ÞÇ*Š(Ô
óŠ	qø¶ÂÒPï «ÃÿX¼ˆ-|•ùbÊqZ(!ßû‡ò‹áïI§uˆü¸~r¿n�—Äߧ~„êÆò&úÙáÁÿý{áå§Ô ›É†Ã�0‹A+å¢\iÞþ°x­úÿ
+xÚ¥YKsã6¾ûWð°ªÊBð"H:'gÆ“8•õxmMö�É�¡1w(RCRÖz«ö¿o7¤(šv¶jì*£
4�~|hÐ"àð+‚È0“Ê4ˆSÍ".¢`½=ãÁ˜ûùLxžeÏ´sý´:û჊ƒ”¥Fš`µÉJO¬ò?BÍR¶
+F‡ê/Ç’Ý¡ nŽ!‰\°?xRˆ8¥3Õ†ŒÓ°Þ`›„Ý£øº�<´øç¹¥©²h;›ÓlQõìEK#v¡xøïl»+-Me�—ô´�Qˆ�¨t^W4¾ËšÅRó°+ÖûhHÀó‰M]w44RÇk൪€c& G›N¡
85I“`ßWÁQj °Ž¹ü}QªZߪ"š)mä8£8àŒuœ€�œ#p>õÀ¹ßíꦣŽsß4�Ñ݇˜T&’€àÄ3ó›Í¾,ÑÜ„-Ioi"+K"Öû¦Yˆ$´UGœq˜ÛÏœËÊʨ›mK2\Â�ר*ÛZ¢ºÚKÎsØúEY•ÏΗ…”uýu¿kÙ\¼\{Ë
+§;PYÙÖDí[ëïšÁš£ÝlKC�çÞf_=û·½mŠ~úðh½Ñ›E¨¾P¿öãY5Ýe�íº±Ó>Cúm�ÊÇ,U2qʨ!“¤ThÍCæËiÀóJ&½a<¥Æ»m!–êÊù	¨Kø!Šº®In‹YÌEx÷áM+eQ¹Ý�$ÏžVÀ0e3dGÜeã÷0³;œŸ:ˆŠ
r´IÃuY@8-Û"·4Б
��3N6´Ù4xÈ<‘­ûp‡;ú°d[?Y¿åÆ�Ô[Dœ!i`Ëeâð—ú`ŸlƒµƒC0fûî±nŠîÒ';o½+rEÒ‡)P­m@Xë;$�e�åDý‡`(Ì¥ÒzÞu]uYáúdÞd0
9'&+HÈÎÚg糋"Ô^)°u{°
->1tȺ3¢ç='GžÃ
+ç3{œÖ/µZ0)¢t¤mQu3ÊJ,ž†Š‰´Å,Šãð£ÛÔí�n
›¶¤Õ&²÷	P)MxŸPQ2R-ÿPTYóL|eö`Kçgslj:˜Ï`)�ù&
+¿Võ¡"’°Âx©]Û5ƒØ�‚XÈÁç„
+ûŽFGÀÑ! ô‰%d$ªæ7x¤�€ÇZ¿÷ºÆ‚ª³MÑš¢pçL‹�g’ÑÙÕ]&ü{V9)2Ìv»²X»:¿¥ŠÅÁÄFöaŸ×Ô­\!ľ/µ�‡ãÞè@&ÉàDcöíÛÒOm)}í¹7y/Ý]Ç3Ç"înßTx¶ÔÝ�ØZB4Lwìj¿
+c˜,/<+”Ÿ}åI�®0zy'øí†È4H¥Ôb#EˆM4nM†
·K
�R„ßs÷ÝîóíÌÛ¾Q
+Œª	•æ©°ßÛxÐ}´Þ’{ÜÔâX£¬Á¾ÎΧk_©‚ÎýZk§·Š8<	˜x$”{<ÓdóÅ?oîF¯Þ�9^пÓÆÀ7•‹¸‡ë¬èkªK&™xñà1¬ƒÂ,þÅÛ{àú-^JC-˜Ç>1~Wº“Å©;"<Âx<|æ¾^¿‹RÊÿF7u>µÇ›�J3 îðÞƒë|¾vÁZЋ`E5XÔ;(�!Bªñ¢É%Jcî……¯(jð¹&0u]fÀ+x±ÉÆOêpVª+.\”yj_•ÅW{"DO¯RÕ¼!¯ÝÙu�ydÛ¹<"ŠÆbγa|ú<ò5Z¾¯ÂOU@dü˜t–Àçä�“O4è�”%	¥éß>Þ]ÿŒŸ®ð+‹_Å
+tÒ“'--$¤ƒ�Þ:Û­…k"wŸÜTx½ñ¨¡ãà:wá¹™ŠZŠ œí†ÐEôz82CT¼~1ŒCÜB—×Ñ¡h±óþ½×=ÎxKoö¡N¹¸ØÀÏ…H
ML´•‰}q7:ñ‹²v‚µ£3ÍÃT’é(–=>˜
ä>ô/Îz:¼�7® õ9	ñÿ2þ鬊Ó#Ò‰ÂÎ~Gmæ'O’
+?Qù=‘ê#Ïg�Ù¥XíÀÕXu¾ŸõùŠ�¶€$y&zT¼çNª	ÿµwQŵ³»Wdî¡!æÁûî¥ë5”ÓÂ}…×ÝlÆ`DB"zÆ^gÈŒ}Ò]„£Ã™ý�÷eç-ª]
™¢c$È6
+£”òåjÎ$PšÀƒ
 endobj
-802 0 obj <<
+1059 0 obj <<
 /Type /Page
-/Contents 803 0 R
-/Resources 801 0 R
+/Contents 1060 0 R
+/Resources 1058 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
-/Annots [ 806 0 R ]
+/Parent 1044 0 R
+/Annots [ 1063 0 R ]
 >> endobj
-806 0 obj <<
+1063 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [349.4919 566.941 408.4801 577.7254]
+/Rect [349.4919 384.4828 408.4801 395.2672]
 /Subtype /Link
 /A << /S /GoTo /D (ipv6addresses) >>
 >> endobj
-804 0 obj <<
-/D [802 0 R /XYZ 56.6929 794.5015 null]
+1061 0 obj <<
+/D [1059 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 214 0 obj <<
-/D [802 0 R /XYZ 56.6929 769.5949 null]
+/D [1059 0 R /XYZ 56.6929 594.1106 null]
 >> endobj
-805 0 obj <<
-/D [802 0 R /XYZ 56.6929 745.0977 null]
+1062 0 obj <<
+/D [1059 0 R /XYZ 56.6929 562.6395 null]
 >> endobj
 218 0 obj <<
-/D [802 0 R /XYZ 56.6929 552.7519 null]
+/D [1059 0 R /XYZ 56.6929 370.2937 null]
 >> endobj
-807 0 obj <<
-/D [802 0 R /XYZ 56.6929 524.1722 null]
+1064 0 obj <<
+/D [1059 0 R /XYZ 56.6929 341.714 null]
 >> endobj
 222 0 obj <<
-/D [802 0 R /XYZ 56.6929 397.0585 null]
+/D [1059 0 R /XYZ 56.6929 214.6004 null]
 >> endobj
-808 0 obj <<
-/D [802 0 R /XYZ 56.6929 368.4788 null]
+1065 0 obj <<
+/D [1059 0 R /XYZ 56.6929 186.0207 null]
 >> endobj
-801 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R >>
+1058 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F62 990 0 R /F21 654 0 R /F47 874 0 R >>
+/XObject << /Im2 979 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-812 0 obj <<
-/Length 1920      
+1069 0 obj <<
+/Length 1913      
 /Filter /FlateDecode
 >>
 stream
-xÚ�XO“Û¶¿çSø¨�‰‘ÔßcÒm;yÓf:íöÔô@Kôš™ô3¥õÛoÿ
-A®¤Ç�ÓIÈ !íÙ9ˆêu2¼	)Špšæ;É
*
-®¨kÄI§ˆ=ŽÁ,0¦X O‹­0ÚŠÏ>n–üùøÛv'sÞ4ѽÁ¶¶Çô±àʾrž÷sTÆõ7»ÎÜ.¡Å„�(׎ž�vƒ6í@ò=­:’Œb
-¹,ƒ
³Š‰±gìÇ>¬‡R$æÞ¤w:Qž¥¼uèD<t¢ßcVfcÙƒ)¯ßÓ‚x‚õ+rÈ�"‚ò+°˜æ!ÉMH�«Î{Ù*LIQ\׺W8hGR:Žn2€%µøÌ[«SYƘ\ÝU#E^À>ÐýþrV®[Ù¦€(f
j68+éAe‹ÙÚæ�¬ºÕ2koZu1k¾fÉß
-ÕV�µ2,Û
è_ç³î:ù¯ke—U)¯Å5�¡.Þf2g)¯ò2*j£Â‡u(碚Û)/ò<hPCûáìÓR/j(OÆÅ2VPˆûµ"iòh,XˆÌEíÐ$[Öü#
ó…Ê8‰"ËšHá$âˆÔAˆF
-jSlïíùn°+¼²±œ Ç9hÉÞY¢Zy’þ–
hJ“60;Kƒ(�±šßŽúÔ|žVü¶¨å8Xc�pQó
+xÚ�X_�Û8ï§È£h\KòßÇöfoÑÅ]±èÎ>]ïA±•‰P[ÊFöäæÛ)JNœqºE€˜¦(Š"©)³M?¶©‹4M¾©š<-2VlÚá]¶y†±_ß± “"-r!àeet[ˆ:-j^m¶×J>=½ûðOÎ6<KË’›§ý¼VYÕi#òfóÔý'ùÇAGuzØò"KŠ‡ÿ>ýFÓò´ª+†Ó2X¢H«&«ý„§ƒ"áOŸ¿<ÕÐã_úù0žþã«r¶
åQ+ËS‘—<h-EZ•™Q¤ìa˲,»è¿¯.ïNòôt‹M“6%/ƒj^§eÕ2ø¡É’“ìô¨­‘}ÿ
+5e"�Ç^·™Ž8ù¢�ª’�R†x½6ßUGôY�—Äpã´#êôÀêd6�&’y^~<È1LQ¦s×sÚéä4­[&�_þ 	MꤕÃÍávK›¢à~;£¥ýKzô¶•=‘­lÚ<Ó‹‘Cð£S'´ªÊ“tÖWA@Æ ¾Ï¿¿”[
«[Ó*¤ªD›Ñ[g»©ÅÝã¨QglípìÕÿôøJ lid<(bÍî˜Ð½Ä;’ÆV9÷þa霸©=ÐDéHfoûÞžý�ý1Ö¤6.ˆšnÍ+�_>þûØ/¯£_­v¸Üσá*qz˜úQe'Gzk¿OGµ{â�Wr¢æ‰ä(Ï꺰C§\
+veÒÖNϬ—ê¼g�¸rÞÊ.ÎèŒÈ¢h¡Á¾¨îý<æBh%�ÒË�Þ:z³á˜èáh�Ó»>HÅôÑhÇ L8[Ú,²j¼œ—�D>Õ/…T¿—T„
¬ñØ€0š&îm´Ù­4DÈÞY¢Bž¼è.ÈÜ&ò0§5¤RP¦†³à÷öÆ'çSʯ†í°ÓF^b ®Æû+ìY‰Óò¸ó†_Ž;oDHàJz+ÞI©!úê`Dñ:™Œ¡£Q�’â™Þ
R-ÅãT!pº 
+M&PÄqíèÙi7jÓŽ4¾§Y�yŸ"A¦͠ì‚d,"û©ì±‰kkÒ;¥)ÏR^Š:”&JÓ×9*—“²,J�ן©IW؃È!6Š‚O
 endobj
-811 0 obj <<
+1068 0 obj <<
 /Type /Page
-/Contents 812 0 R
-/Resources 810 0 R
+/Contents 1069 0 R
+/Resources 1067 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 817 0 R
+/Parent 1044 0 R
 >> endobj
-813 0 obj <<
-/D [811 0 R /XYZ 85.0394 794.5015 null]
+1070 0 obj <<
+/D [1068 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 226 0 obj <<
-/D [811 0 R /XYZ 85.0394 769.5949 null]
+/D [1068 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-814 0 obj <<
-/D [811 0 R /XYZ 85.0394 576.7004 null]
+1071 0 obj <<
+/D [1068 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
 230 0 obj <<
-/D [811 0 R /XYZ 85.0394 576.7004 null]
+/D [1068 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
-815 0 obj <<
-/D [811 0 R /XYZ 85.0394 544.8207 null]
+1072 0 obj <<
+/D [1068 0 R /XYZ 85.0394 544.8207 null]
 >> endobj
 234 0 obj <<
-/D [811 0 R /XYZ 85.0394 403.9445 null]
+/D [1068 0 R /XYZ 85.0394 403.9445 null]
 >> endobj
-816 0 obj <<
-/D [811 0 R /XYZ 85.0394 368.2811 null]
+1073 0 obj <<
+/D [1068 0 R /XYZ 85.0394 368.2811 null]
 >> endobj
-810 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+1067 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-820 0 obj <<
+1076 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0
 endobj
-819 0 obj <<
+1075 0 obj <<
 /Type /Page
-/Contents 820 0 R
-/Resources 818 0 R
+/Contents 1076 0 R
+/Resources 1074 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 817 0 R
+/Parent 1044 0 R
 >> endobj
-821 0 obj <<
-/D [819 0 R /XYZ 56.6929 794.5015 null]
+1077 0 obj <<
+/D [1075 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-818 0 obj <<
+1074 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-824 0 obj <<
-/Length 3061      
+1080 0 obj <<
+/Length 3113      
 /Filter /FlateDecode
 >>
 stream
-xÚÍË’ã¶ñ>_¡K*ÚÔÆ›àæä×&냓Ø{³]ŠÂŒX+‘²HíxòõéF)Q£uF©ré
-£óuóä?
«™žßã7ïÖ>àòXŒhxðO„¯¦IUDjš‡)ªë{dY‚å&²ÚÊ5@;3_Ãø©òO-{³ÐÂ&ŠaÕá0D	B
-§‡8Ö¾üHÓê!¾Zûçø²¨‡xÄ‘´°êð
I(+_w›øU…$na!íuh«úqÌ�ÜÀN¤Åtæ0yðEw =Ú¸ÒêM«¨óË`=ÚLMŽ-GÎ5*	
-Îth<jp°
-Ãb(³a%Öq:öj4u„`øæûiɸ§µ8ñ¿ÛÅT‡d—ª¹Ÿ¥Ôžê	¡xrµÛgÖù¶cÇ“8áÕ)ˆk6.â|AM
-ðÎÌ ¿¦¦J2Ãó,*j‡{QQì
Uu€ò%eQéËj[l®kì?0™R"=�6™ö´RÕ�ôû–Ö?›C¨0à
�Ÿ›
#�¡7­ßû¢#x+’e×N)êÏÜð³?à R ®%¶@Ú‰"Æ@©äLªƒ †�bT³\«|œHŒ°
-·»}Uड़§õ°Q˜½ÿ†¾$�£c0¼ÚÑ¥c	Nfêö©\C¸.Ã�¬ŠâñŸB<¦LGq\ùMµ­:ºÐDys>ßÑ»*Â@¶Ȭ7Ï´B²-›-ø¸±î�&ä
-2ïsf¨¢#‡¸ŠéoK‹�^àMjX†Ãªiµ>lý¾*i¹Z
»öF!‹

T:gH-£É´y®¦]¼Ö…1¤ç0_Ëp”ø\<B¢L lÏmç·§—¨éz�ÈGO¯nþ÷æi1uƒÛb…¬ð>b^ãcÕÒX74¶]Q¯èžxE+[Ð’!çT-¸`‚áË(LŽ½ýÕ”$†$À�Y
-9/{¢(^xæ9œ:Î}�=îŠDýp³–`7Uý1ÂÂ>“GÑŸ^¼î¯\sÍa·kðN©áèQÚÖê,
-Puçã0ÿŒ¡�27š/ý¦Á?l
2Á¥¦ÅîyWA ™<Æ8ixI�ìØ#Ä�B–EàX™”Ǹy’VíßÀWuÓQÿº�RjüÃe‡¹UææïkzÓ6ô‰EK)§B‰ßCîRµ	"Ô+‰õ
-¾Ô3ᱨ§²Ë�¨@IFmwœ²Lh»ããnÙѺلŠ
+xÚÍË’ã¶ñ>_¡K*šªŒ7�ÍiýØd}p{o¶«Â‘8#ÖJ¤,R;ž|}ºÑ
+Waƒš)m%ÂÌ ™æLZEBµL€ap~ƽ¯Wq/¿£ÍïòI:pH^”ïÛÕª}Žòâäv -©YÕ]O½`ùÐV	sø·ëª¨ý’XP»ëÓXu¬,óݤÔ_´ó.>¿Eúï¾û8øoAè…žh!™å^¢óÿíîç_ùd
±âû;Δwfò8
+h\±›f¢š%žfÊÁ¾x燈v œ0“)¥ÌDsͤæEؾr¾:–‘�‚9sÀ/’dÞ9—gv6`œ�QfH„@ê8€Ñ&rf€â
+ñŸ‹S5Ë~ÐhÙx“áÔ1·ÏfNùÔP”yÃííø0^áS#íXð¹ÙV�õïN•� 7Ä£³œªð	ôcV¸}ÅéíXM¯±êa¾Gž£^äânô«‰Í™…z¯ÝfØÅ\mM:ãLÊ!!Þ©ÍÜ:èùjÆŒ³1ÊSÆe
¨-šy»�r@¬ÐƒE¦Dö
å�]U�X¨)˜Ä 7&�>nŸ&Ôùqt61ÀŸÒ|¤hÇx‘žŸªù>#†DRýcõ‚]0¢ôœœ�PW¨8Å6T#ù
+]·
+°Éä¾ešq6ÀBmã%Ħ+
Ö€*È·º¾Ú^¯zÃà: ¼Z÷ž‰YP2îC† œÍÇlLé¿p0$ÒØbü
+�-�\Š_J@…eÏûuåãd~#

ø.
+Hy‰¨Uc
�‹\`e*Y;�
Þ7hfå*óUÌ8ëÏ;xÃ
”èÚÞŠç
ßEž
w¨µzÌsÖµƒëðL;s”=—Í⫬ƒWŽi
}n‹¥÷ñ<¸u­™†šâõn=aœ�Qf¶™CyÇ�´
,„îvÛ_MQØ=Ø#ïrs`X¥<ïŒå+ Ñè$nÅõ€ñ
+׸6VêC®ÏØ?ðÂ
—/P{Ya§u3_íþ)¦m8óÍDváøôFcE9#é1•õ ôq_Ü@
"ÆÙe&º{¨L·_8É#w°QŹÂ��Õò�l"^uŽ+E}ËJ\²¸È 6F›Àó¢]—usÉ”g…·ÅöÕ±,aœ�Q梙„”ÁQyî<ˆ[ÆñÌdˆgRÛéo»{
jNáo×oé¨R›éó²0ü\‡³]çÆ0&u¼|ÐtÅ
Í·?üDãHÆ{Äxˆ�ê÷r=ËùoÒñä/RêŒAIH×`Ç’1¾°¾êz¶ß�#^Áú¬³)6!Îê:R„?îÁ†t 
.õu•0Áj-¢ºö¸±çÔu€½�ºŽQ^P×C*«y½.W×5öï!»¯‹—J Zí¶4R7}õ„ž5Œ.W»�¤Á§ìOÏ	FC_ºjSnËžàm<b+Pv]î6çˆ	ÿb†F¤Â†®áðL¿ËœÊð°Î$¯)¤Ê1ª™×ÊVÆX
+…—×*Y€’ªxToôÙÓÿ
ðv§ÿc”NÿH<“œ�þ¿ƒº†ÄôÃ?>ëØ
3Ã%dG(‰‡.GO=—�áYZèîï§Âß:wwpäÜó~¬‚)!ìDZ•Û¥Â÷K³ž„q6F™Ézäû²‰
첂dT#eµMKwgìa¤i·²‡á¾òËqSÎY„àKæk÷ajf'•‰aÏ[D¼¡EŒP^²ˆ1‰_nJt0‹=3¶píÚ%×¾å\;’é�†ˆQr.Þ.ÜÛ·°”Î�‚CÑQ8±¯£€ÇÑúݼÝ`BªÊtå#H2ŸC‹J„â½¾6ßðn{Ëòs…=7-×õÓ®î_è}hUo©V$àãÙ…˜vôo½ë"º‡*uGØ)pjÁCàÔBàe"µ›
…ÜͶ.ñ¥IEãa¡Ðûð-Í$¯£ã½Vø´¡—4sp4Ù"KÙóðÐÊMŠÉ
+1™0%ÅvQ­êuÝÓ+”7çÓ=}«#d¼�ÌæiõB#$Ûy»?· öÂÈ!�Cº ý�7+p�Ä!Žb
+ÜÑ ¤X*†aج†F›ÝºÚÖs®Àn�~�É€*íÃk¤s¤Yv/Â{+ß*ARth‰¯‡°•ø¿|‚d™þ€²½@)º>~”Þà ùTÑk"7ý[ûœÍÛGO 
+³ÆGZP[ññk(ü[wÔ6-µ]_6zü´ ‘5hÉ�sª\0Á03
+“ã…õ"GÌX€2Á K!§óÝ–(Š¯x¼‡]Ç^ 2Èíc™¨/Öìªn>EXX'»ÃîÅOÃ;"¢Ùmðx¥Z 5=J·[S­  2³¾�ÍAèAøñ¡êŸ«ªÉ²œÈK’dB©
›Êó>”_>u|¶ô&2¶‡œ­Úy¹Š(FiÁ©Ï“�Ã[ã’Ï{¬—=+K�£z©Â�©«Â&±ÂPÙ÷å|qh�
 endobj
-823 0 obj <<
+1079 0 obj <<
 /Type /Page
-/Contents 824 0 R
-/Resources 822 0 R
+/Contents 1080 0 R
+/Resources 1078 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 817 0 R
-/Annots [ 830 0 R ]
+/Parent 1087 0 R
+/Annots [ 1086 0 R ]
 >> endobj
-830 0 obj <<
+1086 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [356.2946 363.7923 412.5133 376.6291]
 /Subtype /Link
 /A << /S /GoTo /D (address_match_lists) >>
 >> endobj
-825 0 obj <<
-/D [823 0 R /XYZ 85.0394 794.5015 null]
+1081 0 obj <<
+/D [1079 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 238 0 obj <<
-/D [823 0 R /XYZ 85.0394 769.5949 null]
+/D [1079 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-826 0 obj <<
-/D [823 0 R /XYZ 85.0394 576.7004 null]
+1082 0 obj <<
+/D [1079 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
 242 0 obj <<
-/D [823 0 R /XYZ 85.0394 479.565 null]
+/D [1079 0 R /XYZ 85.0394 479.565 null]
 >> endobj
-827 0 obj <<
-/D [823 0 R /XYZ 85.0394 441.8891 null]
+1083 0 obj <<
+/D [1079 0 R /XYZ 85.0394 441.8891 null]
 >> endobj
-828 0 obj <<
-/D [823 0 R /XYZ 85.0394 424.9629 null]
+1084 0 obj <<
+/D [1079 0 R /XYZ 85.0394 424.9629 null]
 >> endobj
-829 0 obj <<
-/D [823 0 R /XYZ 85.0394 413.0077 null]
+1085 0 obj <<
+/D [1079 0 R /XYZ 85.0394 413.0077 null]
 >> endobj
-822 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+1078 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-834 0 obj <<
-/Length 3530      
+1091 0 obj <<
+/Length 3627      
 /Filter /FlateDecode
 >>
 stream
-xÚÍ[[sÛ6~÷¯Ð>UîD0î—vö!m�nºmÚMÝÙ‡¶“Òíp"QIÅqw÷¿ïÁU$ÑîÚ�ÙÉ$„@ð
-`Áå]`…çL».Ú·–ØlA¨’‘Z!¨£óø·³OàANÜò²J(toËÚwAË7êÝæ²lüëí•ï»¬ºÖ·ª:}†—ݦhß�qk®ç§Ï›¢ZWõµ[®äw Lô|ke©ˆ£fŸEF¤\!Ã?*Qª12†_™@Šóh‰&Š‹>ÉC‰R
RÒ�â°)‰*$±ŒÝw~ÇÛMÕuå
-Ø&›¿Ø6¾»üXlnÖå³@ˆŽŒ‡p€O‰Pu¦sóI$Ž&VF[q9¡\"��bñ-ïpV:KŒÚOŠ°ý“™F¦My[uo-Ž'ÉЖp‘D	S!¦iGÒVy3ì1ì?-QÄ>£9q
-©L�Ea�‹È#2£j¨ºGDAãÃysr1ýI#{ð4{„á²Çžô—çf�
-^¨¨hl/Ü€AYQöÜÍã˜?b&
-s-—åMW\®í©œ(Ö»Ò¿ÚT×o;ß{µk
-iÓ�´e‚&Jè¨t™ìÀÉ"ÚFZ·E;Œ
®¼µ,£ñ¸òæÀžÚ²ùP6£ÏÛ®hº:Œ�@V4 Ž4åG#<fkRIÖEĶ76Á,Öë;ÿÛ91xº:¯/òÚÞðÖ…uà
-—ÅÚûB;rÔmóY(á"’ý=³*Èíâr\ßÚ6r„!ŠEÜÁ»5Èúq1—H3Íçïªõöòüå³Q	Dyúæ»#DeTü,lóà…m ´[pböÅÄ1ˆS¡#õ¯Ÿ`…×^áu•Ê�AL1Ó~ùŒ±é¤ôM§:ðÈÝ@ꚟ¦ßÌŸ
-4`Í6'Y÷j!ã`þÂÃût
-ÿ°5°Ü^ˆMŸiºØðÜ�ðH#ˆ0D»ã|îÉâ!QÇÀ|´Iz7Á&‹)FŒá™bÃன–¾`�Ã9#¼k×ŇÒw¹ÀÚõu»KßreÄ	èë�ÊS•¥÷7Ùî½ß(¬FWãþ·¯Òq4ìH+püPÐxÞ¿RwpµŽ*muÔ^©²’Pû‚§ÉÚ{·§"y“n'PgŒñüùjªâwE�	¾­lQçð†¶U»Rº'•ˆýx™ÉÇ|‘¸ÿUá'}³±ó½ñ‡Œ¶DóWÿ8|ý¦\—H{üûÏ�§�¸8ÐüãŸ~î¿EÅk_ƒÏÉ=Ÿ§
-Ï¿„§;NºySD&Ú1gë²¾¶gyöÇ¿�/Õž‡º1ÐxS­âxÏ�åú�?Èïuþëw|ÿüÃÝX;”Û~¿\�þ/æÅGƒø¾*íåÁºÚŸå{Ë„ÆOmq�3þ‘`­6y›oým‚MÐ(h®�FA“ö@úošjS4•KÅàg¸b`¯4„	«²+›MU—áãå2‘·‡]þvÜÚwøk	Ðø
-�Ž*czî*y>c�ªrowM¥€ûš^U_vì3aÀ-ùô½íþ(�„÷#OH¢˜ìÑò…¢Æ“* G4�ž4:œtèÑ	øTð•ƒI#gì�^Ç™
›…G™—?|àÃãè‘ÑسL‚4SLîaRoÔ“â¨{™45éžIãIóLêO:fR¨…YÀú¸çR¬iÿvöIHæ¶�3öIFÙS/ÁÔ=Œê�š`Tu/£¦&Ý3j<ižQýIC…ËyÇ°¯FYïÊ£|îAtÜQB†wxÆÙ…
ôJUÙ8Çø
a­ÖŠM³»7è8·ã û˜=5câõxÆ,«û3î+þÊ]Ë¢¶˜òfaí±q$‘ýM ¼L(åàqSýb…œLlm€š‡ÊD
-Äè=P±s\"aÌ}™˜.Éc4]V½éŠx7¸MwcÆý²^®·é^cD�˦XBS8-�ýÏ/™õã}?úÿØì9!Óšæy‘r�°(wóY¬œ`ˆ
-$Í,ý¿LËUæendstream
+xÚÍ[[sã¶~÷¯PŸ"gV0î—dú°I¼©Ód“nœéC’ÙÐms–"µ"µ^§íïÁ�")HVje¦³“Áƒƒƒs¾s
L&þ‘‰�Hj&Êp$0“ùòOîàÝ×g$Œ™ÅA³þ¨/®Ï.^151ÈH*'×·=Za­ÉäzñóT"‚Î�ž~ùýëWW_ÿôæå¹âÓë«ï_ŸÏ¨ÀÓWWß^úÖå·—ß]¾¾þ~af¦_þíå×—oü;ˆ|qõú+ßcücÕ7—¯.ß\¾þòòü×ëoÎ.¯»ÅôL0³+yöó¯x²€us†3ZLàFÄ:YžqÁ�àŒÅžòìdzt{oݧ)
rN�¤‚MfZ"ª¤Ø?­Ÿô¡)RJèѬ3©‘$Øî	ÖˆÒÞ–˜Þ–(ŽŒVD$£ÌíH±ËD+$˜1ÛaG…a­Ó"™E‚³>Å]îF‚ŽÙ[ÕëÖ2xñ
+:¶c	…¶bv
+;êeu>c°ãW?øçö«Á‚"……	U›åM¾Ngi)D†„¢‹'éÔMV4ž³²Xm¾ð?ÚÚ>Ù‡Ÿ÷ës¢§õæîÞw
+ƒWž±yÞ40‡åùXŸÃWUUTwÀ9–Ó¬ñOÿ]}N¦-˜,WzzUù7M½ÌmKLç}
mŠ§Y¿oóuѼó#~Áÿöé'ð þõü>[gÀ÷:ü„ÏLy°¹±e—³ð-Ç–
+’ -!PP$î0â0íHÚ*oB<@TtŒ"ŠÂ4%"NÁ U?f|΢Œ8ìUC#Ú# *�"ŒçMí‹éOŃ‹G€võÄÓýÇS3H/”îTI§Ø÷7§òŠ·ø ‘n¯W¤�ö0­{Eú¢±t+~—?Ž×l M JlÇ=""ÁYŸbÂ-‚Z£ðW,’.ä`º0øeÊ·aÄ�š
áQVT;`›Ï™R§[iGñ‰¥RìQ)†k­²ež'È9¢±ø°nbä¼j]`K
�w±
GZܹ"Û“ùG±iˆ
+Ýo»ù„ë2©2>Ɔî›
+6D(2D=±Rça×¾ÑB
+rÑ“I¦£ø„h˜õ�€ýCÙ¤ñ&è¿_…K…
+±ç‹,=ø(!øW®ûQAÒtþuSE|Û�S0¤Œî•z,å.=b*HÊ(S1˜^ä·Ù¦LCœ Í»¢ÚÖ
|<Pø—ÉÒˆFt…íŠf\ÐäŽ3
+†
+Y0!Ã\äýL¼ñK­ÔVë]z!0sÛd;»²
+aÖã+5”ç2ûX,7K‹Áï~ÈŠÒ{L÷sYo*[®Wàš“i7clFûkƒø¤Øíy—fDLÖ°µL=[ìÅYŸä®Ø9çHS€§nØ!±+¤
ï$žt€²ƒ	U.;;p{m#­‡¬†·ÞZæÑx\us`OM¾þ�¯GŸ7m¶nCä0vÉ­
u¤â˜“)aÔ°yâ°zeÓKFdûã˼¾Æk{Ã[Õ�+œg¥÷…v$d¨õú³&PÂ-þD$û{‚+Èìâ’Žtµ^'Ȇ(qïÔÒ¸1—F3ͧ¾ylí�Ó.Q	Dy÷Íw{ˆÊ¨øG0¶<š±%DÖ�±'f[Kƒ8:RÿúÞÍá]ÑU!‚˜bT…ܲÏë‚""�‚ä¾éTžöTÒ
¤®ùi÷›ù€8æÓîéCGWž
k¶)IÙ«„ŒG^ßçþ¤0fÐ\n\Î�•WóxXÙ¯ú„,¢wž™ù/$‰tmª¦¸«œq`Ù¥A‰„Â&E6ÓÁÔŸ3Z͹Tœc€&lJâ’"v’7ý©	‡ãJV6`’Çøv‰4Ár[aö;
+ù#jT{ï é&o:\‹‰P
+|+2JyÙ>zï’*_uãNV¾êSÜ_¾ðç‘£Ï,Â-˜ådüuŸ`�Š0@Ø€ÁªNEËàæ¹`ÑÉ\.Éß…@†­Ÿ‰öb@¼,ºc›}HŠ�ŠÆ”æhPÕ²‡jš8Å�1t“rF
+Ÿû
!ßø5”¡†Äö±9ä#°æüK$èîˆiõ6‹âu/ʼºkïÃ�ûel,Ã’º1Ðx[,âx¿¶yùÖŸî÷:ÿµoݾÿ?S$±§³Ž.m:#{[KÃÖ~•Û+…U±=à÷&�Ÿšì.…
+£M·šæÁ ñW–AÛ Y:mƒ&í¡ô¯ÖÅ2[.CƒŸáÞ�½ç®),ò6_/‹*Ïçy{æïÌ•¾ÃßU€Æ YoÂ|]]^Ô«|�Ùî@D`l$ü˜JØ{LÒÚÖæœL‹Ô—ÖTWêÉ\k
+|>‘�ªRrww¥—ûR_QÝ}¶ïO%¬ÇdþlcÿŸ†ô9Ì$¼�BfÅä–’/Ž5žQ
5qþ¡ã˜�‡^ž€ŸÿÙŸ1ÊÄÞñu2Xx„¹úáž@�Œfž�ˆÑ'¤³³_8aÌS²90]'šÑtIÉô¦&Ä,<}ÜJ&¶»ø$dtuëLû�p˜Í¥XŠ[ܹ›gÿ	ÎVÎ\!¦5M¯¼óð�)»tFw8'�è2I¬ÿ‹²l½endstream
 endobj
-833 0 obj <<
+1090 0 obj <<
 /Type /Page
-/Contents 834 0 R
-/Resources 832 0 R
+/Contents 1091 0 R
+/Resources 1089 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 817 0 R
+/Parent 1087 0 R
 >> endobj
-835 0 obj <<
-/D [833 0 R /XYZ 56.6929 794.5015 null]
+1092 0 obj <<
+/D [1090 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 246 0 obj <<
-/D [833 0 R /XYZ 56.6929 363.2968 null]
+/D [1090 0 R /XYZ 56.6929 304.8746 null]
 >> endobj
-831 0 obj <<
-/D [833 0 R /XYZ 56.6929 335.217 null]
+1088 0 obj <<
+/D [1090 0 R /XYZ 56.6929 277.1668 null]
 >> endobj
 250 0 obj <<
-/D [833 0 R /XYZ 56.6929 335.217 null]
+/D [1090 0 R /XYZ 56.6929 277.1668 null]
 >> endobj
-836 0 obj <<
-/D [833 0 R /XYZ 56.6929 306.9099 null]
+1093 0 obj <<
+/D [1090 0 R /XYZ 56.6929 249.2319 null]
 >> endobj
 254 0 obj <<
-/D [833 0 R /XYZ 56.6929 226.5017 null]
+/D [1090 0 R /XYZ 56.6929 169.6708 null]
 >> endobj
-837 0 obj <<
-/D [833 0 R /XYZ 56.6929 197.9796 null]
+1094 0 obj <<
+/D [1090 0 R /XYZ 56.6929 141.5207 null]
 >> endobj
-832 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R /F58 627 0 R /F14 608 0 R >>
+1089 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F21 654 0 R /F48 880 0 R /F14 681 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-840 0 obj <<
-/Length 2750      
+1097 0 obj <<
+/Length 2803      
 /Filter /FlateDecode
 >>
 stream
-xÚ­]sÛ6òÝ¿B�{(G4Hð³}j\¹u§u{‰2w3Mg"!‰cŠTI*Šþýíb$%ÓIgÚÑ�]`±‹ý†¼™€Ÿ7KBWÈ4˜Åià†ÂgÙîJÌ6€ûáÊã5s»h>^õfyu{ù³ÔM#?š-×#Z‰+’Ä›-óß�»¿ûm¹x{=÷CáDîõ<Œ„óæáñ{‚¤ô¹ûõñþá‡÷o¿»Žgùðë#�ß.îo�w˜iØï1…6Ü?ü¼ ÑâçÅ/‹Çå»ë?–?]-–½0c�=!Q’?¯~ÿCÌr�û§+áÊ4	gG˜×KS¶»
-Bé†�”R^½»úwOp„5[§.0”‰&~<qƒ�œºÁ0u#éKsƒ‹RïtÕµ —”N¦*¬4~}§ÒÕ需ǢÛÒHѧÔ*/ª
Mô§¬T;ÕuE{wªy"ÔŠÿ}õ5|¼×‰U1Ín«i
-«[6-ÄôT{¡)¹®°)	×T'òÞ4výÔ;WmY×O‡=Z‚4‚¯6žéYez²¿ëïžPfâ¼o‡xÖ<H(~`CàW´z¸Jcã=íçÇnâE6曺ÒØ:²ÈNpÕY¯à~	µ:b«>R•ã�tAA
Új?éùŬ s|²u´!2Ž
-$kZRzIX¹
-
-œ„›ˆk%èç”@ŒÁ°²w‡²+öe_uWøøò9Íûgš‡>
%¢R0ëwK…¢’E€ö…"ÌìÃ'€×5¦>~§ÎéöDÍÛ¢¥o«é
€—¢w’�¿©;áG!ôz‹—Ü=ÐäÕí7ÓÁü,þÁÜob¹Q¯£�ǹS='Èï”&²=£ØŸvFsîÅn*ý‹®sBºð%é—RUeÃrV7�éÄòönßOè‹VcÌà%Ñ¥Ü$Œ’	fÆ9l¬›¹ô„›È øÒ­áƒ~˺Ú`a9Î%¦~Æ�/¤ëC#ò×3êEB€r<v½ ñ�KáÆø’b|íæ¦÷¶ {ÌØHpÈl_iÍ
+xÚ­]sÛ6òÝ¿B™{¨œX4@ðóúÔ¸NÏ�Öí%ÎÜÍ4�9Š‚lŽ)R%©8þ÷·‹]€�DÛ¹kG
+²h</æ8*'fybÎaš)¸�]…bþ$dzxU)"Ø¥3ŸÞÑ©nÕñ±0�•æQ²lA¾×�4¹úþŒ&EOãJ"lôŠ>—¼n¸ÓÈ-!ý#dD‘DÖ�8R¥E{|ä�€ûóš~(½ÑÍð¤ž#$ðy‰{«ž‘¸]õ²ÄŸ;Õ“øá±Ó÷�EÉ6ņgíšeÞð¸Zu§2›ëž•°)†òŽ¦uÕ“šy¨†»çt†`¹i³Ü‹²žÒM„2̾Z7¡’X¼t¼UÏèÆ®zY7Ï�êéæðØiÝøDz74º¬X¿Nº)붷{*Öã²+JÝã=f�~.’Ì‚<™9ï²6âEÊJÍK£˜,Ñ.T|ÜÄ
+ùÆÓauÊF
ãŽÜPCK�ÏE]­@Z-Ê’|-%›ow}�ÊoÉ>H4 ©Ä@À¶Zã	HÚúò©œ÷=Ø’ÊäüŒäXágS:wªt·¡™ñ†â´‰½µˆªfãعP1Ü*íî–/êÓª-w¨+cÚ“vô¯;�«J@…ùü¶úl!W¿h�SD lÁÎ…®õ…0È*bÊv³e?\mˆÙãöˆ‚¯�8¼>˜‹ŠrºŠ…ÑŠ¹ºâ³îŒ ¸qÌ¡zÁè&Œl×€A6yB¹2÷Í9Oˆ	�š�¢„�ÀUºãÛ6FÂ^cî9™»ÝM˜•ÞêfÕÜ.¸CCéHJ(ÇK<†×/Á¼4ù|±®aQjÊÀœÁƒÆ˶È ê³½,Ï.J‚ÔÍ mÛ
=/56ï¥Îf=,a•P‘awßæ¼ð
+G¨I°> »
‹«ýÍ´§�’н�†•Mß«–ƒ^;¥v'ñÂá�jú·Ú^SæÄVh·

+¸E
++Æ/õÚUçøí6.)è+s*ìáSñfùayWSJ„U†aØ>¦+øÐÕ87iÆ£)§)ˆÇáü]kW)6ÛZO¶)tÛ£wŒ —Ò¶Á2uFßb.Éç¯N18��R};á‰ÐúªÔ…o*‚Bå¶àW8
+QTy9§ƒ73‹À’jöW,¡Ù´ã¨:¡Or7\a“®iÉÏó4
+!æíf¬×>`«÷eBn°òHÉÊo?S÷Ž›Ð;nŠöçu‡DÎ lÙ…p2’q5ƒ�‘àÒíVw’ÍãÃXA!–õ8¹ûmQòtSpË;’IŸˆIÞw‰ùiÐ&nw�ÕL’+©5v{‰œßœæá¼%„9 ¦�†wÙvn»nÖõ4!7Ô¼ú¾‚æ
+ª×~(º�ô�ªìó'‚†‡– å]Ñå`<ç¯	Žo¨}]ôØ꩘Èáƒ*­¢Ö_aiâŸñúœ †ìâ·4C	"üK,Î\å8]}aA RïyT¤ûÕ|¯t
U:u½ðÉ\óZÑÛ=îŠg\H@òväéqTPÑ{zA!’åº>ÚÆž]Ѐô+(pn"®ÕPžï?\­3VöfWÕ¶v5wƒ�;Ïi>ÜÓ|¨Ìs/ò€Ö{*•P\&Ô•‰ðeßV
¼n1õñK{H妲M
+
+*â=ß8fœp¬ÛæËJ?—˜.øˆ›P¨ „6äë3êÔ_|*ðڄ“ðŸþ~ü¯0J•eáôvÉ‚,ÌSË2®Ô!ç1Êq¦¬ÿÕ
+€endstream
 endobj
-839 0 obj <<
+1096 0 obj <<
 /Type /Page
-/Contents 840 0 R
-/Resources 838 0 R
+/Contents 1097 0 R
+/Resources 1095 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 817 0 R
+/Parent 1087 0 R
 >> endobj
-841 0 obj <<
-/D [839 0 R /XYZ 85.0394 794.5015 null]
+1098 0 obj <<
+/D [1096 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 258 0 obj <<
-/D [839 0 R /XYZ 85.0394 497.0473 null]
+/D [1096 0 R /XYZ 85.0394 438.8479 null]
 >> endobj
-842 0 obj <<
-/D [839 0 R /XYZ 85.0394 468.4726 null]
+1099 0 obj <<
+/D [1096 0 R /XYZ 85.0394 409.9891 null]
 >> endobj
 262 0 obj <<
-/D [839 0 R /XYZ 85.0394 408.9221 null]
+/D [1096 0 R /XYZ 85.0394 349.7918 null]
 >> endobj
-843 0 obj <<
-/D [839 0 R /XYZ 85.0394 382.8699 null]
+1100 0 obj <<
+/D [1096 0 R /XYZ 85.0394 323.4555 null]
 >> endobj
 266 0 obj <<
-/D [839 0 R /XYZ 85.0394 310.3501 null]
+/D [1096 0 R /XYZ 85.0394 249.9022 null]
 >> endobj
-844 0 obj <<
-/D [839 0 R /XYZ 85.0394 283.0525 null]
+1101 0 obj <<
+/D [1096 0 R /XYZ 85.0394 222.3206 null]
 >> endobj
-838 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
+1095 0 obj <<
+/Font << /F37 743 0 R /F14 681 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-848 0 obj <<
-/Length 2299      
+1105 0 obj <<
+/Length 2453      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZmoã6þž_! j£k.ß%ö>¥Ù$—¢›ö‡C[àY±…Ê’+ÉI³¿þ†o2+qÒøŠ`�_†CòÎÌC:$Âð�DB"©¨ŠbÅ‘ÀDDÙòGsè;?"Nfâ…&¡ÔwÓ£�g’F
-)Ie4½
t%'	‰¦³_FQ4
xtòãåÙÅùÏWÇã˜�¦?^Ž'TàÑÙŧ¶t~uüùóñÕxBAF'ÿ<þizze»¤ÓñÝÅå'Û¢ìç	¥W§g§W§—'§ãߦß�Nû½„û%˜é�üqôËo8šÁ¶¿?ˆ©DD÷PÁˆ(E£å	Θo)�®�þÕ+zÍÐAüF”
V»
-fÁ1LÁ‚Óf°Šþ
-Ëf÷TLÃÇ‹%�>Õ°Ç(ئW<	5›m&<8è�,A
-æ1ÌlÄúϘp°> Žå(K«ªîlyÝæ¶`Ž„.´ù²Èê²®lUGˆÿþãkxŒMø8½&Ù±µ
->£K#§<uóÙcådÖÙÂõ¶öû0¦fmø^OT¯K$Lp˜`Z¯®~1ªÁÕLíWŒ)dhÒÉ=&Ö1uO°#=º¨fà2]ÞÚÞ΋™x¥´—è7
?­{¾¶Ûî
-¯¶Ûå“!Gô".¢‰J¢ðœ¾íèk'JÂÙßÐ…·9fèM1’1°ŒÞ›hD8b\Ò�\è]a¡”gg1„’“4˜áfEé2Ày“.—ióD®M`bż÷Qp3GÔ ¤ì'ÛÑ/™nl‹ÖdQ1i¾ÆL>»BÝf5£Ã'•	ãñèú‘\îå\ÖC�F Â‘“¡Ü'uá“©ØÊõÐlÙ€­¸¯O5DtSÊË<�îiç´¤•S°ZåicËz¥õÚHèóœ•u[TsÛw¤!7{Åjô9­œþ
-y³,*æˆÂ†ì¸© ·ò¾MâSÏ'n벬ïíNÞ6øãÙÛõjU70å·�ý3‰Æqį1‘/1¾DÀÖ[¾ô×F©‘2èUj´#Øcgv[‚h¥ åqúr�2`Ã	#‹ˆëÊiVx'�ÐE rÙÔ8˵V&’Jeâ%$ˆ*]jƒê–‹ŸlS:›Y´Nt™vÙÂLw—à´ph˜R`ÊÆ)Ë2+­SœB3¾.‡œ,í‰&ø�£‚�×ÚÝC’§làñ6„µ-‘ñÆm^®Òïá)£ñ.wj�Í Íc%dï­M]¶/0\V:¯h=ÁÞ@lÀòÒu{r“÷ð:Ìo6äÞN.“
-�¸àÊ´rß¾ŠAÆÂÚ’÷Z¼"SÑ<ÑJXšM&¶öJnª¶¿íÖ7Neå4µez7ø*÷Å<!h»÷“T¦Ï“È–÷ëïDB�îaþ”ý«ƒ
ÏõJçªy¼§Œ2•Œæe}c^u�È÷�Úw/ë à§16^+ÏÍ­
úgùmº._Kíñºõ/¾
ãßÜúž1Y€Æ»åýs„ÃWÌA‹é×ƤËKë½ù4÷7â,o6×úlè©fc]Ù~
+xÚÍZëoÛFÿî¿B@?TB¢Í>¹Üö“ë8>—´µ}8ÚGS´E”"U>â:ý;ȕDKN¢+Œ
+©ˆF“›»€WŒp“ÉÍâ×i„(š
<=ûéûˋ]�Î$ŸÞ\þôa6§Oß]þóܶ.®Nß¿?½šÍI,Èôì§?ßœ_Ù©ÈñøáòÃ[;¢ìç	¦WçïίÎ?œ�Ï~¿ùñäü¦—%”—`¦ùóä×ßñd
bÿx‚S±˜<@#¢�¬N¸`HpÆüHqr}òKÏ0˜5KGõG0¢,¢#
+¤lL�B¡ˆÁ”VàÙ«Wó¦},2�Œ«iZ­VYÙ6¶×´IÝÚæCÞ.m«]:Úö¡r‹–I�¤mV»eoÞØïoXà¦HšåkÇN·a�ØnR.ü¦e›—�g[mí“yºênkf½|læÚ ˆ9!H	A�Tyš³9£Ñ´ÈËL[—ÅÓ›eöhÓ¤,«Ö¶o37æ±°Ý$­g$žVMcû«®hóuáˆõÆ›{4ßC;âæôzl™|t´UéEu?¬qŠ¶�f�”cb›ê[g¶ymÛY’.‡QÛZuMk[]ㆬ¦ aLßu’×ú.£~;‰£Òl÷®ª÷¿’lû�&/TÁ%ê—Äf‰æaºÍÛò_³µn¸K¤›Ú€ú›Ø�Ó
˜‡PÃí(³¿Ü#܆bÈƶ~³Ä/|ØàüÚö²�YéUu÷K·¶ÝäáÌS<ŽYÂo¸Þ‘¥—s]góªk¶d3*ÜðC`MŠc©ëëeV¡j·ñ–Xgµ›s>”;x¬:Gaîiv—Õƒgòâþf„Î;blF)âãpd}ÒoF„‰�
+¶Üõw­è9c)ÞT¸‰á
¶Q@XÅoÌÎèýÁ9IÒØo^ºhþê•mxý˾ù›�€†»þ
>@Âý¾ÈÆ’¤`¹z^–$)%øx–„ƒÆI…ùÓ¼ì:¼\Ó¯Ød5 ÎcDU¬ÂdÚ«ÿnQÄ$‰&.B‹È¨èß�‡ˆˆMk„„kc]ätC§Wæ@™^öm:½ØÖì‚%\L.
jt5ù´ çÌ…m#ý 3ðærÅ&o+�qˆéÏCÎFL
+3Ð>÷Èè¢NV«¤~"×Æ(’Šyï£àfçCKÙOºÃ?bz°É“E�Ĥø3ùì
+}›ÕŸTæŒËéõ]æé\ÖKG¡Â•£°¶OêÂ'S±‘ëaØ¢
Ûq9^ßjˆè¦•Y@Ý.“ÖqIJÇ`½Î’Ú¶õI«ÎPèûœU“—÷vî@CfdÅjú>)ÿ@;#Y'þÄgãÄ~n‹*ýc3³7Ýí|`ä’ùÃ2÷�wRwŠÆC…¬^å%,s@a
+LY;fij©uÊ�[h‹»bÌÉ’h‚ÿÔ}AÕìF`	Iž29	õñuÖ¶$’ÉžÏÒ¯xÊhÐ�ì²×hò<#JöîZWEóË¥…s‹Æ#ìAÇv`	0!+Ü´G÷·Y¯_§ôÛÇ
ÝÛmÃc…uAâÁT].Ò‘ÃAÕ¢"æ×µy‘·�3BÈt�
õ|�·mHŽhC)�”ñ
‚H,â�æµ»EvЂŽ®Ùˆ—íÑÙpœc©Ìú?b¬Å‘Œè,’ 7ºø#{<¨¯f�¥¹Ö�QY„Í"Ø
+ô‚Ϊ‡ØÆ =c_e"W�Â7éà–C)œö Æ?Š¹ÉjÔù§
+ë{sšx¹æÂaÐð~k)ŽmN)êìpB	‹$“TvS
‡œEþåÉ¢„]¶ŒøgŽÈ¼Íj0` £Aië†6AG‘ß/ÛùC¦?v¤*ÌýÐ#‹Ä�ôyuƒà±‰Õ½ƒê’wäüT ˜CѵŒ
+
+kJÞãGñŒLG£DKaA"™$ØØ‚Ütí|Óv·Žeé85…~ÞñéOUÿï73è§HöCÈP-/ÖÛ	Té*㶓ÉÈ=Uk�©žåð/j•©xz_T·æM`|–a|·T¿�¡°ÑZéhnj6˜_dwIWl¥Ödwþ½7ÀûCÍ·Çd�6^,ê'œ#*É
Ôv@±�Ò¥%£ìƒé4óqšÕCUŸŽ½ÔæÑ�Íúm3ê¼·±.’&ߧù@¨‹Õ	£PIŠsL …©ÅêmÝAÈXÌ
J~V°3åR=‹§f¹í¿ýp}}~fÛšßeç<®.�y‹)¬�ð�‡h÷âÒ&��yöð¹Jt7Ò,UtO±žçå*
DåXº�š‹¢Aöú2¥é¥{œåX
+{þõÿã]�(‚¸„è’‚ñð§;?Ñ ä�PÇQÁäþ_hD1ŠUÿ,9ö‚@	=z|²b.ªòðQgÆQ^Lô ùéŒÍ"cÒÇÿ­gÑUòèã{á[iÚùÜZ¦ÙïÇ2Å“&„©
+ÐXÓqõvt‡ÒŠ`|çäþ9»Gÿ²Ë÷endstream
 endobj
-847 0 obj <<
+1104 0 obj <<
 /Type /Page
-/Contents 848 0 R
-/Resources 846 0 R
+/Contents 1105 0 R
+/Resources 1103 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 817 0 R
+/Parent 1087 0 R
 >> endobj
-845 0 obj <<
+1102 0 obj <<
 /Type /XObject
 /Subtype /Form
 /FormType 1
@@ -2341,2980 +3853,4560 @@ xÚm”In1EOPw¨u€$ÅIg0²Êľÿ6¤¤êV5oʯÅésÀó�ή¯�ƒÖ×O²Î Ž¢‘ÿ¨#h8Çùø:„5?ù
 6\>RgÈbÏWÖ¹j[†�›
 WŒÏ¢®{6;»²þFÃÇñ÷ø]š¨)Õ/Ô¬Mu;pk;Ì©Ëdh<åE–ñ¬AÏw³ð¬±±Nê¦ó¡Ä½�t•‹ùD„™Â²]°Ä(�‡;�„ ·åŽ°Š­r²ÂÙÄLûˆ
T¥Í¡誋ŠŽt’¹w_=Î]ˆ‹=¦uSä÷—ä"ï±yl±‡µÃ-ËkHsŠöreOÚ³êvg›<7ºt,‡Ýe—;ãÒèЭ/I…B÷&ê(ýê³ö󻉨YÙ¹Ç,çkRÔšÚ'^
m"	^�˜h±�ÎW9AVªy­Â©/f�ýÆ"•œãûFy-Sng	\Çdª¼˜©Æ¥†Í}B©•µŒÎ$âw1.¶&�Øíþ²C¶O–ÃVç X×9g¹E{îÇ<•ãóP)!ÍZÜÅŸLÞª~ÑÔ'¯UâXLµüc“ÅXsЖõÚ¯½˜Ó’~òBL–§èªÆ¹O¦ºNZ�_[Èü.øšŠû*]3QôçÇñ!Ö-žendstream
 endobj
-849 0 obj <<
-/D [847 0 R /XYZ 56.6929 794.5015 null]
+1106 0 obj <<
+/D [1104 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 270 0 obj <<
-/D [847 0 R /XYZ 56.6929 486.3415 null]
+/D [1104 0 R /XYZ 56.6929 426.5656 null]
 >> endobj
-850 0 obj <<
-/D [847 0 R /XYZ 56.6929 454.4975 null]
+1107 0 obj <<
+/D [1104 0 R /XYZ 56.6929 394.7216 null]
 >> endobj
-851 0 obj <<
-/D [847 0 R /XYZ 56.6929 395.7282 null]
+1108 0 obj <<
+/D [1104 0 R /XYZ 56.6929 335.9523 null]
 >> endobj
-852 0 obj <<
-/D [847 0 R /XYZ 56.6929 383.773 null]
+1109 0 obj <<
+/D [1104 0 R /XYZ 56.6929 323.9972 null]
 >> endobj
-846 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F84 797 0 R /F42 597 0 R >>
-/XObject << /Im2 845 0 R >>
+1103 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F62 990 0 R /F21 654 0 R >>
+/XObject << /Im3 1102 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-855 0 obj <<
-/Length 3170      
-/Filter /FlateDecode
->>
-stream
-xÚÅZKsãƾëWð*µÏƒÝ“,k¹ÖëÍ®|²].ˆ„$dI@! ••Äÿ=ÝÓ3x� %[J¥xÀ`==ýüz@1ãð3gW™ž¥™f†3[¬�øìƾ=aN'%ÃY__}õÖÊYÆ2+íìâj@Ë1],šŸþíäÃÅÙÇãD>·ì81–Ï¿>ÿ
õdô8ýáýÛóoüxrœêùÅùï©ûãÙÛ³�gïOÏŽጀõ2Pسàíù»3j}ûñäûïO>ÿrñÝÑÙEw–áyWx�ýôŸ-áØßq¦2gf÷ð™È29[i£˜ÑJÅžÕѧ£¿w£~é”üŒrÌ8™NPË™,3FŽ$h2f•T^‚xh
àœÏóÅŠŽ÷©ÍÛb]Tm8í&_¯ó
žö«·&(…Ï©Y¦…öÄ<
K”’*_ôöo\9“Še(”¤c	W,—›¢i~]çíâæ×UÙ´~n²5™´ýûba|,àA§Œ[ãºÉGôMñ3ç²*Û²®¨'¯–Ôø±É¯‹°�ÚÒ‹›¢ã¥Ÿ$2&„Ë`r”Æ.!a˜°*ÎiŒi3Ï›¦¼®šðB�æa}Y¯Ê½‘T±ÕÖaZž Êcáæ Nì°s/SCÁ‚m+îæça«ë¢
û”±ÑÓ¾ò”êõˆ‘ÛM	Vð@/wMAšRšI'ÝX­õUëˆ'èˆ<Ayj^S‚ÏO‹nÊi]µ´}PÞ;œHÍŸ¹á'§ïx
-æ÷½ˆ”e
-ì7~_·p¥@<7y‹-ë„=#fp 0ƒcÈÌ_B7‰
{×wM qz–d9Å’ºïËöfÂdêXÆSqØ,­NÃœËâª&îh£2l¼ˆÜ¿¤žbÕ÷7­z}i6¯êà?
-²Tl©¶¸Ïýü`í´ö*Ш@	Ao‘ÿ²ZÕ÷ÅrRÞè~ÒU�³Êêš^QI¤.ïÊU›”ÕëíÈ)„fišÊ™±Š9¥õSb'3ašŽcçŸ[á½Äör@ë8Ð
-͸bL*é•@c.Íä02,A
-&DycÓ1�åÕÄÕdŠ)aL°šïÑ‚;¥­‚ÃÜÔà0l[Ć;¦µÕ³ÀŒzþ
pc-ŒÿOd¦àÔR‹Çd¦!E
-NæXÕUñÇ„VÕO“Ù€™—’YÌqO'Wì—¡Üc2S‚�­/ŽU½ÈWxü? ¸TA|EŸNåüüÃM]”D©Ë†®>æÆ…>7À$2W訊ö¾Þ|¦—²j‹ÍU¾(ŽÅ<.¨ºÈ3ˆemŒ<ÍC)ô€ê2yžœ{Õ
àplîé$㊽ªÓÖÁLõ¨¹ó”YdàUWa"²êD¦}d�†òFO]ˆƒhˆFH©~dCOÒ)ŽuúÂî«8~Sb2Å	^5ØGª™ÒÞMŽÊŠÐ‹�½Þ
¦ÈÌÍ?Õ‹À"ÒдeM�UÝRã– Â0—rVäô¸Ï¨ÑÂ`X·,`›uIQ¢gJLJê@Ô§úߨgUT@亽ièÝ1ö£¨ŒZ#£÷°KÌÏ+kî<þ‘Ä%t,ò¦x5…!Àb, É ÀCªNº¹cV­¨+F¼Îq"ïÐ¼�[Ѽ¢¾xD˜íóîÃëvjÈ랈¢9€h‘Ñ~¯ºÃó\¬÷Ú¾ˆú ‘IÆ�4ÎX–ebXÍíTuŠ[8MU�V)KA©�Tu*˘–NwE�
-EÐñt½jþDig™JCÁÓSé+ºGV¾ÕÒ$ëÔ*oõvå_þCk¹
-§,nòª*Va[ìõ<CÅ#—ÔòŠïË—ÎA;›¼­7
�G
-ã�RŠ}^)–3c¹Ý
-˜·P!Ú”b¼u!`BG¨�¡«)6_ hJõû•(¿&Œ�6Åeýép¸¯‡`ˆŽ†-<ZÜlW
$×AÀ›j¹˜PšPi,(ïÚrU¶DÝßx¾«°ß¢¿¯–�©6”�
-B“Ò}"¡•‹í¦,¾>WÉ7ï?
‡›»U,××h“a	I‘Û@Š1cáléjꤚºb
ŸŽÃ!½¿M”ÖÐtB
í¶SˆìÌ
_ܼl¨3§×‹ÓôÞÔ‹ÏèÌØFï/**naNº^
-Šîž-ÖŽb2$¹+Wi
-/q¥¿ÜŠàc:€»¥{­UXˆ’25ÐÈ
-œëû"FÓü2`pŒµmˆ¿eÓÜ…ñ„û�`˜¦ÞtFŒé¡«§Dw¤ØÐ|Ñ¥�ˇ>¸O”ZC»ÿXéË牠‘¡ê¢¿`%0Y&BÉÕëèÉÀ™Z=JÂ;Ÿž<
`7Rl}î=æLiU1FÆ,µ…ì±£Cö0mðåIÍoñÚ¯¥$¯—y0YIXÖ¨=b‚üÁ²�„…
-öf·0é°?Ëd¦^ŽÃHð0‡šƒ]
-'Fîs ÆÆ;¸Ñ×ôòº
-ÿXÆ|>ÕFMä#H‡ƒpÀK~×ÞÔ›ò_Ý�W6_@ËfM·Bt
«|ŸæóUxéb-¼x¿S'r
úaÖÿ	gÑà÷R�@Ó”Ið«ç§H0PœÐàA)AqÖ“Câ´´ûì/þò²
-’ÈéAÇØŠµÂhÿDáå�Õvœú&$$¸dRk7³|ïùêè%=Á‰Úˆ�RP͆I{c‰Ç½±ºó÷ÚÍÏòÅÔßc”�œÅ„N
Ž.,¼ÔY#½Ãg…¸
iD?zV!ñvÍvw�XÙ}øÁ1-¾DŠŸÎ^訽ƒG•J0) `uŸÕCi	9¶¡ÃÆàá(¾¦gñEmA/ƒ;fx#x%�t¿á
-Š)Á|>žX¢	)5õH>{ô¿(Oý÷eÿ×T
Bpnð÷µu9ï?Õ¦PNJì|ÙŒÓÜeý¿@{Lþendstream
+1112 0 obj <<
+/Length 2937      
+/Filter /FlateDecode
+>>
+stream
+xÚÅZ_sÛ6÷§ÐÛÉ7ÿ	$O®ãäÜiÓ\â>µ�-Ñ6/驸ž»~÷ÛÅ$%Q¶çæFÀb±»Øý-(1áðgW^O2¯™áÂLæ«#>¹†¾·G"Ž™¥A³á¨ï.ŽþöFeϼ•vrq5àåwNL.¿LOÿ~òþâìÃñL>µìxf,Ÿ~wþî5Q<=Nz÷æüíÏNŽ3=½8ÿé‘?œ½9ûpöîôìx&œ0_F&¼9ÿáŒZo?œüøãɇãß.¾?:»èö2ܯà
+7ò¯£_~ã“lûû#Δwfr/œ	ïådu¤�bF+•(Ë£�GÿèzÃÔ1ýå˜q2Q !˜7FniÐxf•TAƒ¸i

+àœOóù’¶÷±ÍÛbUTmÜí:_­ò5îŒâFá“™ÔÌk¡³ÀÀ§Y•¯
+zû7ÎœHÅ<*eÖ‰„3‹uÑ4ŸVy;¿ù´,›6Œ�í&kÿñŠDØÞÈ 3Æ­q݆ä#z]üʹ¬Ê¶¬+¢äÕ‚?7ùu—Q‡wzqSt²ôƒ„gB8ƒ“6ö	ÄUiL3L›iÞ4åuÕÄz4÷«ËzYÎé�´Š­¶ŽÃªøU7u"ÁNƒN©¾­¸›žÇ¥®‹6®S¦FÏû*pªW[‚Ü®Kð‚{zÙ4YJi&�tÛf­¯¢Z·dB’	š(Só„|z2ŸwCN몥å£ñ~À�Ôü•~rúCOÁÂú`‘1¯Àÿqáwu[P
+Ôs“·Ø²AAHÙ;¢0؇Âü%’I
H]mšÈã2Rä9Å‚Èwe{3â2sÌóL<ìœVgqÌeqU“t´Pž'éI‹Š_¥X6ÅÝMA³^
-óÓªŽçB�ÏÄŽY`‰»<Œ�ÞNs¯"�
+Œí–D	/Ëe}W,Fõ�ç ºªqTY]Ó+i„Õå¦\¶³²z¹9…Ð,Ë291V1§´~Jì„`*̲íØùu³’ ¼×ØA	h^±™fl³šu›šAc.ór™ž ¢¼1†éÈòê~Äk¼bJ½æGôàÎhËx`nj80lWņ;¦µÕ“(ŒzþHc-ôÿOt¦`×R‹Çt¦!E
+NîXÕUñç”VÕOÓÙ@˜o¥³”ãžÎ2Í8¬3*B¹Çt¦_3AËzž/qûBq™‚øŠg:“Óó÷_4‘(‰ÉFRsÓÄ�`¹+ª¢½«×Ÿé¥¬Úb}•Ï‹c1Mª.òbY›"Osß@
+}Àt�<OϽé
+clk¿©ÊßãNs¨4¨
ŒZÕfuYDuÖwUjÉ×ëzs»OþS;Ú‰’{¢ín%;Ñè`ñŽhTt^«Ÿâµ_Y¿Üy¼~—pªM–J²N„Ñ(&¹Ú¯á•õ�bæËXô`A™Å½¤Š‡Ìoòª*–±y¤†
+ž±ÂƒžË{¢Ä<hùÒXj�·õº¡þÄa{¡Œb}0‰åÌX¾sTkp¥<êÐf”Ó¬‹	ñ>
+™IS²J>Ÿ·-%<ö†
+5®èÄÂ¥ÂpU›é(dà³SsY§§Ç^bá‡ýÑh­2`J^ì÷:‚Ë˼À«k.Â
­#pÞ²ƒÞ*,„J™™‰Pž�Úg{kÇq6d9r£`=„
¨ºay+6šG¼5ƒS‡¼|9–¥¢"Sí7ÓüìŠÔw_o°ò÷ÉGÓ†[ñkÃÎ<}•ÉGA‚6Î¢82$7‡ÕbŒ4¬X;£†Ü·3²¾½Ì矣µè4‹ÝA½¡øÙWÞÍdI&�À~bDz8Èu_”êõ¸â�5ºSü›„Èù ŒB@R6C ƒ	ðR±HWúët}ð{¹Ú¬†™oÖˆ³„ÆÌœgšk›ÐLXäüjû‚•ª³á¢ƒúbwŒ7j{0"GF‹ºo)ÄÅoCRêõ@Æ‚¢#…Qs0Œæ³ÌN£ÇÀ2Ý8á7Œ¢—¨WÔˆw
+&\÷
h
Häõ�.xø€«Ÿ�
 endobj
-854 0 obj <<
+1111 0 obj <<
 /Type /Page
-/Contents 855 0 R
-/Resources 853 0 R
+/Contents 1112 0 R
+/Resources 1110 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 862 0 R
+/Parent 1087 0 R
 >> endobj
-856 0 obj <<
-/D [854 0 R /XYZ 85.0394 794.5015 null]
+1113 0 obj <<
+/D [1111 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 274 0 obj <<
-/D [854 0 R /XYZ 85.0394 769.5949 null]
+/D [1111 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-857 0 obj <<
-/D [854 0 R /XYZ 85.0394 752.4085 null]
+1114 0 obj <<
+/D [1111 0 R /XYZ 85.0394 752.4085 null]
 >> endobj
 278 0 obj <<
-/D [854 0 R /XYZ 85.0394 683.64 null]
+/D [1111 0 R /XYZ 85.0394 683.64 null]
 >> endobj
-858 0 obj <<
-/D [854 0 R /XYZ 85.0394 653.5261 null]
+1115 0 obj <<
+/D [1111 0 R /XYZ 85.0394 653.5261 null]
 >> endobj
-859 0 obj <<
-/D [854 0 R /XYZ 85.0394 576.1881 null]
+1116 0 obj <<
+/D [1111 0 R /XYZ 85.0394 576.1881 null]
 >> endobj
-860 0 obj <<
-/D [854 0 R /XYZ 85.0394 564.2329 null]
+1117 0 obj <<
+/D [1111 0 R /XYZ 85.0394 564.2329 null]
 >> endobj
 282 0 obj <<
-/D [854 0 R /XYZ 85.0394 420.3273 null]
+/D [1111 0 R /XYZ 85.0394 417.9499 null]
 >> endobj
-861 0 obj <<
-/D [854 0 R /XYZ 85.0394 391.7481 null]
+1118 0 obj <<
+/D [1111 0 R /XYZ 85.0394 388.7174 null]
 >> endobj
 286 0 obj <<
-/D [854 0 R /XYZ 85.0394 295.8129 null]
+/D [1111 0 R /XYZ 85.0394 267.384 null]
 >> endobj
-718 0 obj <<
-/D [854 0 R /XYZ 85.0394 264.2689 null]
+971 0 obj <<
+/D [1111 0 R /XYZ 85.0394 235.1866 null]
 >> endobj
-853 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F57 624 0 R /F43 600 0 R >>
+1110 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F39 858 0 R /F23 678 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-865 0 obj <<
-/Length 3251      
+1121 0 obj <<
+/Length 3451      
 /Filter /FlateDecode
 >>
 stream
-xÚµ]�ã¶ñ}…½À™á§(%O—ËÞuÛæ’îm€IPh-ÙΖ\K>g[ô¿w†CÒ’¥ýhƒÂ¢†£áp8ß´˜qø‰™IX’Élf3Íf¶Ü]ñÙæ>\	�³H‹>Ö·÷W_½Oä,cY"“ÙýªG+e<MÅì¾øyž0É®�Ÿ¿ûáãûÛ?ݽ½¶z~ûÃÇë…4|þþöÏ74úp÷öûïßÞ]/DjÄüÝÞþxsGS‰§ñííÇï’Ñã	¢w7ïoîn>¾»¹þõþ�W7÷q/ýý
-®p#ÿ¸úùW>+`Û¼âLe©™�à…3‘er¶»ÒF1£•
-�íÕ§«¿D‚½Y÷é”ü"ÎBi–ÂúˆE³‡õŒw“ò6K”TQÞZMÉ;`¡¼¾+wMW‚¬œÌwn¤æßå
-©»¬	žM�U\
-͇f6Õzã±Ë5}\ÒŒs¹*ë[ìCµ­ºÇk
)'LžÌÿææÑc‚ã…ÐÍ·•ÓN„;»¥q0&>t.”ôãò-¹´Á„mõÏ0µLiHï}péœqØ9fºˆñèxCŒMsÜD—G£©˜ÊÞ/æ´N«Ð"¦Ô
-r+s«SÕm⪞ùæTÓ n°Z
83ðY»!»ÆÛOÀÈ›‰RtoÚ8soñ8 e|"’	|ª×å€P=‰Avâ%µ
"ݸxŽ;éü`_v‡¦ö
-ÊX;ÀtÉ\^
-×ùʱO>ÄÅ8ÓHx_•fj˜`œÑÀÚ€*8îfW„rU‚ºn/}ÃÃP"ƒ™¬¶vþÓ„–¿åPç¢×…
e—´š9¶\Å™h,ߪ/.ÍÀÌyż
¼äþÛÜëÔ„c¾È
-À¦BöÊIt}Jˆèå
ûœVOûž	K·ÞÒ}™ð¿ûG !JÇžŽÿåöy[†·¤Ã‰íº�CÛìôŽè›©
k,Ìë/Ñ“tÿý”�ƒCr7ž¾°ñÿ—{“Œ_ön¦oÉŒUBAZXc®wæ²D÷h7yLÜ{,LéÝmîN.6ã€ÊGݺý@#,mÚ²]_ZHªl¢¹I_ºP�ø‹þ™#ºƒUäHCx¼àFKË‡ü»O||m°^àaLí|™Š¹‘'ÀbâÜÛÂ�r–
-iÆ¥3%à6OÈTÅ$äž3ÁñVªåçeñýÆûÓ^R»ÿC@¾2â'±�å$zÀÏHªë%.FÔ‚TÃÍ€àPD©§n†-eè<k;€“èxÏÑ�f\ûZÍré:%\SÜçá†üx×ì	²-¿¸³CüÕ
-›ì§sÃŒŒ—Ù_ªò4ÝO6Þ‘Å]1¬ÍüOØ„w+¥oé)�;è›÷ôjJ~|U¯°û³_ÐVÇÜYËÆKÏ4I¼%ê$r<”ô¿3`
-–�¨uì©?W)ÃðßN|óÚ÷¯Îÿ’Òï«åÿø±)Ó)ñL¡Ôèß=ÔDâ¿@Ƭÿ——Õendstream
+xÚ­Z_sã¶÷§Ð#=sB
+jz_ŠÙÞçx	
$|R†<ÖéæXàe‚)ÝÅ9–Y
çÁ�í–jÜŽ¡Ï>ýyðÔQáR½-6”þLšÜä>í™ü�CwE½ïòàÏ$3c?=ÕšA˜’ÙOð^Gõ‚È°%
+5ؤéãH"˜°&¹]5Ÿ�AΔ‘�†„
+`²Ñ �_c>:©ê±à’B0¶Ðëu3-pÖî7m9@™
+Q=–ë51oŠ0 OÿÌé1/ù~Ɔ‘
+ˆQFˆäº"’vU†ÏfyS¼!øÜñÌ×MMt�«¢¢¾3à	ê7‘éW쬂ü º\ÔÛY¿ˆXú8tS®†p²·ßX:©äaóºðåš]èZåŸjåc&Ÿ¼w²—Ø›qžfT cÌÒ Rãö†åžŠ×‚¶AjŸ�R4�|zVa\‹/‡RVù,í¿Z�-n_R(€âYeÖ
-+Ô ^PPDO7„r+zá€pœ8n’>ÀŠ^xE~S´£‘Ò¦„®Øáü8XXÇçXGk4�ÎÞ †“[`�sÊ?Kaõ:ZÜ£¯z€ù°H†Ž8@¶Ž­pö‚}qða_®[ŒÓX°Ãûý¥K“šÆfdŸ9e_
o 7–ÿÌf樰|^ËPšÈN=¸ko¨¤Ú]ÚdÔ®lßÖ`Ù¡8d>Eý,qa ëdš�LdÄ\i†!^ ®æ™1àf,ÖF6öDsó*ÃÉœŠ1w
Ûw•¢µAÙÖõ:§:ýpÐÕÚp�]^5eÈ“ÖQ]ýt¼ö†ÂöBË¢B�Ã*éR$¾Pêy¦¥ =>¨x½ÎR¥Ž\j^.Ë6_ãQLo·0²œêi£`ÍÍÁ©±·sj|Ù@ÄÏ—ñÃŽ¦]íC——»¼tØ �çÉÇ‚”2,SJ¼òãîÇ}ÈC\9àº%æ›ü‰…ëñÚ@®… =TǶnšòÁŸsÉ€µ¥IöMèÈ+z_ OR–„á°)Ðoéq@9Is8@‚2ð‰_R
+û
+5º,渻ґq
+Ö
á¢)7ÛõõùA ¢Ê‡´¯â)Š:œ¢œÆ–2¸€þÇ‚”lB¥qMù¢õUUOL»r¿�úW�{ż§H@†õzü鮬f¤¶£JA!ª»Àó|„‚�Uc
+¹{ÐϺB}J.@.€zóbf¯é	’Ö��<%"¾G:›ƒâ6[0kï$HµGŸ¼ô$á—–:@ÙSR•“Ìà©ÐI^ï;‹ÎÒ ( ö/t%cÄ“.Â(IE0²*—«@],éã‚F|Ä•®ï°åºlŸ. NÀ�%ÿðùr(!ÞÑDå›Ò§¤S»e˜6úúa­=Ü¢–G
:âkh4P臡Å`H
º¹¥õ¾�›DñäeCŠU½_Ï©#µÆR:Ø.¿Òz«B‡3+€V²ƒV�¥¿  YƒðõcE�n�åb ™†ÏšÉØÖÁexÑ =r™N‹~áuÓ5ÁÛñØKb<“ÈñÀJÔWù	Ob
+BȤ†µ‡%ãâCÉåS ^Fçc6Š8’ªðÀÙÒ¤ÖÀ�ÇkàxR`8òh&¡¥:“T�ÏÙnþ
²FyFË€Ÿf Ë3nh2­Ž­Waæàò¯9¨‡^ûã
+K¹Îº{}9œ#L™­÷ó ¹»Þñ^úïrÐöXQËñ �´
u`‚¨jQ®>ß�IÄ£$¦“${…$?hûU¬šü&#øÅ‘Sít"ša!x|ƒËà9J0b	V$jä”OjDzÅÎg£;4†U»ì]¥Ã`ÞQoë2²{Ä ¡ÎÙË08gÒì+%BU8�ëßzN%Þ¶[a‡qá¬"µ|�8]ÏŒˆcM²Èg˜ ¯üw
+­qjˆ>û"»‘zG*À‹ëäP�»’x L$ð«Ã½=öl¡^î‡�¡ôÕ”Óü]ž1É{D‚Ø[|É¡âÁÓ¨å"׃CGŽ¦�¦8Ò9öowågŸqðá�Hš(K¾�7Ü#õ(A€OE ÃIuý
 endobj
-864 0 obj <<
+1120 0 obj <<
 /Type /Page
-/Contents 865 0 R
-/Resources 863 0 R
+/Contents 1121 0 R
+/Resources 1119 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 862 0 R
-/Annots [ 867 0 R 868 0 R 873 0 R 874 0 R 875 0 R ]
+/Parent 1087 0 R
+/Annots [ 1123 0 R 1124 0 R 1129 0 R 1130 0 R ]
 >> endobj
-867 0 obj <<
+1123 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 755.8266 256.3816 767.8862]
+/Rect [55.6967 676.8938 256.3816 688.9534]
 /Subtype /Link
 /A << /S /GoTo /D (rndc) >>
 >> endobj
-868 0 obj <<
+1124 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [268.5158 755.8266 332.4306 767.8862]
+/Rect [268.5158 676.8938 332.4306 688.9534]
 /Subtype /Link
 /A << /S /GoTo /D (admin_tools) >>
 >> endobj
-873 0 obj <<
+1129 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [378.2799 116.2526 428.5017 128.3123]
+/Rect [378.2799 73.4705 428.5017 85.5301]
 /Subtype /Link
 /A << /S /GoTo /D (tsig) >>
 >> endobj
-874 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [112.234 104.965 168.4527 116.3571]
-/Subtype /Link
-/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
->> endobj
-875 0 obj <<
+1130 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [75.273 61.5153 131.4917 73.5749]
+/Rect [112.234 62.1828 168.4527 73.5749]
 /Subtype /Link
 /A << /S /GoTo /D (controls_statement_definition_and_usage) >>
 >> endobj
-866 0 obj <<
-/D [864 0 R /XYZ 56.6929 794.5015 null]
+1122 0 obj <<
+/D [1120 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 290 0 obj <<
-/D [864 0 R /XYZ 56.6929 441.8384 null]
+/D [1120 0 R /XYZ 56.6929 403.8784 null]
 >> endobj
-869 0 obj <<
-/D [864 0 R /XYZ 56.6929 416.1193 null]
+1125 0 obj <<
+/D [1120 0 R /XYZ 56.6929 377.7405 null]
 >> endobj
 294 0 obj <<
-/D [864 0 R /XYZ 56.6929 378.9792 null]
+/D [1120 0 R /XYZ 56.6929 339.6466 null]
 >> endobj
-870 0 obj <<
-/D [864 0 R /XYZ 56.6929 348.5817 null]
+1126 0 obj <<
+/D [1120 0 R /XYZ 56.6929 308.8302 null]
 >> endobj
 298 0 obj <<
-/D [864 0 R /XYZ 56.6929 276.8275 null]
+/D [1120 0 R /XYZ 56.6929 236.1221 null]
 >> endobj
-871 0 obj <<
-/D [864 0 R /XYZ 56.6929 248.1435 null]
+1127 0 obj <<
+/D [1120 0 R /XYZ 56.6929 207.0192 null]
 >> endobj
 302 0 obj <<
-/D [864 0 R /XYZ 56.6929 167.2435 null]
+/D [1120 0 R /XYZ 56.6929 125.1654 null]
 >> endobj
-872 0 obj <<
-/D [864 0 R /XYZ 56.6929 135.7502 null]
+1128 0 obj <<
+/D [1120 0 R /XYZ 56.6929 93.2531 null]
 >> endobj
-863 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R /F58 627 0 R /F14 608 0 R >>
+1119 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R /F48 880 0 R /F14 681 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-879 0 obj <<
-/Length 2414      
+1134 0 obj <<
+/Length 2601      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Ù’Û6ò}¾B�š*‹&^ñ“㌽“ÚØÙñ¤ò`»\	Ò°Ìc"RV´›üûv£!qâ©réA@hô}€bÃOÌò$ŠU¡gY¡£$ÉlY_ij
¬½¹¼gá7-Æ»~¼½xþ:•³"*R™În×#\y繘ݮ>Ì_ýë寷W7—™Äó4º\$i<ÿñúíO)èïÕ»·¯¯ßüvóò2ÓóÛëwo	|sõúêæêí««Ë…È
ç%cxäÀëë_ÑèÍÍË_~yysùéöç‹«Û�—1¿"VÈÈ>ų°ýóE©"Of{˜Ä‘(
-9«/t¢¢D+å!ÕÅû‹ÿG«îè”ü•GI.³	
j5%À¤ˆR%•àí½E&ž¿Î²ÑV‘G…J3À�{¾ØÃ)£BJ¸)M�ÈžÀªŒŠ<ϧ]c”Ž‹�4™DºHNØ(WÄEÀ°Q‘$’¹xšSbnª®…‘Ìæ_švßÐÐtô߃4h
X†A:oLmÝI9/y“¡•U[›’Ïã.íšò��­4+W¶éËõ¡l6t(¸@1ƒS±œ_÷^ÆxçñuÖ±j–‘B‚¤˜-Ç7nWh"öe¨D•Ä³ßÙíW»��’Š£Xx!u½ém
DÚE¥ è ÐöRäs<v}G‹ÝÙöþÞ0„o%hK0Çž+7
0ç`û²¿÷g�œ
æEäÄŸÏÛ-�‰ådnV+¢¥ãýµé—÷$+
¬§²eU•Drž)y>Ú@;#¢aT6˶&•Áž†aýÞ|µ´vgmC°�33°n@ÖG’YͳÁÊ
-°®jÓn
Aíç
é?öÌVç’ë£a˜ÖÙ?yuåR&¬êá¢3ßÇ’IV̲\Mù÷û¶Ç¸£œðíTFRCܶ=îÛ	ØX3/(G%R”·`YýÖ	A¤VuvY~Œci;Úfn—;Äá¹Ù�{‚¿.M_¶
côRÂÌgN²n¡mÐÉš± g‹BF*¶ÛƒH]MïŽi5ïví¶G£Á)�Òr~ûþú
ÁΰꤑŒ'AµY¦RÇ}m–‹z•LÈMg`±�ìÈT^<b.2�´ÎÒ!~,·¶?µ-2ÈO:™¥…ŠtªÓﶕ
ãbŒòÜV´Œ£DAf¶QüršŸˆr`�¹Pc{
aºpì”1¸/´¤‹;KJU™
'2tBœ]=pw Šï0Üç
ït.�;é>Ó{†c4�]¤š&"ÒÊo$£!âv¶Æ( RH�)Y4P�£ÄóªÝl(ò
-ÿçDê*”<1÷´cyošÆVÁä3åÊ> ø'1mZ—o0è!8r(ð¬TQ�uV ¾b{^ÓÑ숰ÙÕw˜’püòQ(
ûïhºkª².A1g�>…¡8`¶+ÿkÏFrÆ'“Ì2Ý¡ùŽÇŸ×fYVš¦2€?Õ¯ìv;E×_žßª:òñbL‡˜fÄbZ„KÁ-a
-A¨
-„·¶¡÷fÛÖáooá¤õ ¼;Q¦DÈKÙ¬ÛàØÊÞíSU
U•—e°õ
-&’VIUˆóÚ\)hÚ©Ûì¸
-F¨«8qq��¾šmiÑ&qÒ®i×À´>ô'q²F;Ã
¥FØK:DóÐcÝ�a×ÒMp§ ÚS±ð5†OçìQ®Ïrjøá~k¨ÛÀ¤ØµËøî¨{kwýÚö÷íª{FÕ?^^8r
ŸS™Ç5œ¹xÂ[ö奘S"\þU±oéT<t3‚»3²<¢fFû´så^€Kƒ	aQœø²dpɉº-ŽÒÜ‹t�¢m¹*°•]²ÝÞ·{ òÛË
-¤iy‚–€ÿ5´O`ɾö [¢	‰]±·eP`jî1ÒÂQñÎUÀRk¨…§XÓP|è�æ°ò,RBç( vå’N|©¥¹ÉÈŠœÓÔð¾Ú4LÛÃÉ
-L2.­_èÁÀ:
-«ƒRa¼iùDœÔƒsM9	G9î‘lœz|L5·’žLnG×'Q壔z"TàÓLZä^_‹Í7ß[""êa’|›{|�YEfå�ŽÒãªÂGm•�J·Hpñvë©:MœüJéñ›ÅÙK]Ûå(õåŒ7­ÏŠ^˜mcC)×-;-É+
Þ§ð@,Â"¨›òƒ*
+xÚ­]“Û6î}…µ3‘ÊQ”.OiºÉm¯Mî6Û¹‡4“ÑÚ\[S[r-9¾½Þý÷RÖ7»�ÜøÁ$‚
+R *’LÂ*ðvcP@åTž'š³è#ÎoæÁáÈ1N–répÚ®ìÌÎÔ臥Ѳ¬iÐ,—Ç
K·ÖÁ‘0PQ×ì	²5_ÌÖáß��€RSÿʘXeW5Ž*B¶¡q䫺­VVd’L%Jh/Ô—ÊœR	¸8ÍÔT*°Q¨èoæ¡¥V&ÆÝ‹Xf:aŠ�ùržJ	»¬Í
+p%rFÿ oL¢Î¹Ó:‘)Üá/R6ÓxKÔIå0¸3ôlÇ¨¨Ün	€Â· “IœL­3õŠ6©èÞ*–èŒåiWh•H®SÇÜZwh¶m@
+°Ö\)>³«Í”³$UJMµ©XkÌÔÛ8K“Œ+½ÐR%Zðížë
nŽÒãÇÃ
sG™ÓE&>˜¥3@jD’ÎøQ Z
+èCò3wí±žâbFÍ©‚»cÛÑÈ^8ü¯ÌÙì`Zºer%Xƒ�5„4®e’3

+,a,ÔÔþÀÜÇ6:R€²l¡¹e9}N
+ï~æðÅB^
+ÖÀE ¸Û8FbYö¡ápÉóÈ€Œ-…#”§èݦtw*A›aÔ‚}Õºœ§ªÛø½•R^EVýyäƒTâV+â¥uø»²[n\p
Ñ3Qx]Q±­ˆå\+y
op;FL誗͎®p&Ãú¦übhíΘš`½00vÂÀzI
+=8øq×V 
+ž9IP�)ã¨nük»ƒÕ1ŽéVSp±vo–Õ%·¶i	æ7H]ªîá»ò
+»tˆ%êÕ®ª3½ƒ»Z¹}Çý¾9tîí“Å€Á4ÆßÚfW.ãÝJ$Ju’¦û`5'	áNõyƒ¥ÔnJ ™$¤Îò)Rù„”i€X†¸2ý³|	•=JLýYb2r¯fÖ§¥ÎO&ä8uª&ô�Òó‘ðöÃõ[ˆÍŒäû”^P)óqXZFsÁ¢ÛË‚AÜÈá5
+B}ÜnÏr¼ü
+^ƒ	Ú+j	Sˆ­Û‘’àÔf¬¶Sy¨{kð§7°ÓxžíÎ$�¾oFÛVæîè9®\Ï‚t9B}€ë¯–C‡çHîÁoºßðX'îƒqâe«›—Á»çsJcÅ=›R€§®ò>ñ•éM±ÿ>ƒç±Ü~öˆ;NèÏ}÷åè²]O’ä¹G
+´Õ=Ûƒ
+‘öa�³gÄÁ¨À¯Î}ˆ>lÿÒ–kxW&
2ÜîÃAjÿ’z‚�¼|óÖM,¥4ê¨þB¨­upñd[s8úR*ƒ6‰ÌM«Ú÷ÅEœØ.ì{†¸t‡re¤N1OPëå6ÔøƒºA2îÓGôçâA*§¥!GÝá~s(©ÎÅG°m–ÈÝRß 9vûcGk;ÓmšUû‚êN`|Wº•^"Ûj°W&‡q
g6ž8”V$TúÚò×]3A²¾Žæ¾åg[<nDe4?w&níªP×
+(«H˜òÙsï’�ŠÆÜ«´×�m2¹,ÀlÍÒÙí¦9Ñ
+ƒãMéαͯÀ;¹/­5aÅ4IÆ•—ŒgQŽ’a;µ£•“¥cn
@*jËÇ
 endobj
-878 0 obj <<
+1133 0 obj <<
 /Type /Page
-/Contents 879 0 R
-/Resources 877 0 R
+/Contents 1134 0 R
+/Resources 1132 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 862 0 R
+/Parent 1139 0 R
+/Annots [ 1136 0 R ]
 >> endobj
-880 0 obj <<
-/D [878 0 R /XYZ 85.0394 794.5015 null]
+1136 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [103.6195 731.9163 159.8382 743.9759]
+/Subtype /Link
+/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
+>> endobj
+1135 0 obj <<
+/D [1133 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 306 0 obj <<
-/D [878 0 R /XYZ 85.0394 662.5434 null]
+/D [1133 0 R /XYZ 85.0394 589.1911 null]
 >> endobj
-881 0 obj <<
-/D [878 0 R /XYZ 85.0394 634.6304 null]
+1137 0 obj <<
+/D [1133 0 R /XYZ 85.0394 558.8491 null]
 >> endobj
 310 0 obj <<
-/D [878 0 R /XYZ 85.0394 376.1585 null]
+/D [1133 0 R /XYZ 85.0394 294.8462 null]
 >> endobj
-882 0 obj <<
-/D [878 0 R /XYZ 85.0394 345.4362 null]
->> endobj
-314 0 obj <<
-/D [878 0 R /XYZ 85.0394 136.7105 null]
->> endobj
-883 0 obj <<
-/D [878 0 R /XYZ 85.0394 113.7908 null]
+1138 0 obj <<
+/D [1133 0 R /XYZ 85.0394 261.6947 null]
 >> endobj
-877 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F77 703 0 R /F42 597 0 R /F57 624 0 R /F56 618 0 R >>
+1132 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F53 957 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-886 0 obj <<
+1142 0 obj <<
 /Length 4109      
 /Filter /FlateDecode
 >>
 stream
-xÚ­]sã¶ñݿ“—È3ƒ/’`îé’Þ¥×6—öz}è´™-Q2{©Š”·ÓÿÞ]ì$eÈÖµ7Á,û½�¼ð'¯Ó,É
-U\ç…IR!ÓëÅöJ\¯¡ï‡+Écæ~Ð|<ê»�Wß¼ÍÔu‘™Ê®?®FsÙDX+¯?.ÿ6Ë•ÜÀböýOïß¾ûá/^ßäföñÝOïoæ*³·ïþð†Z?|xýã�¯?ÜÌ¥Måìûß¾þãÇ7¨+ã9¾{÷þ7)èqfÒoÞ¾ùðæý÷on~þø»«7Ã^Æû•BãFþyõ·ŸÅõ¶ý»+‘è¦×Gx‰,
-u½½2©NR£µ‡l®þ|õ§0á¨×}¥Ÿ‰Ò@«§4:FÀ´H2­´#`»ëë¶)7›GØšÎgå¦k±eg›z[÷ìï+‚m«®+×A»ê¡Ú×ý#‡·�^ö<Ö†ÝñGåbQíújIýw�',î˦ñóü]¤"ô,«UyØ0Bu‡”‡ý�Ä(›2¢àÆêfÕò 1¤M¬2Ó XAÞâ¨ë¹1y’ë¨(eR¤ÐÀ
e˜j™ÏŽ÷ ²§—¾¥gÝ,6‡eE/e%)ÓÄš”WkÊ-lü)NZ$E¡=âóuÕTûÒÑÈ-Voy…®/·»[hkCCàF®Ûý#½áŒN³ü¦e|‡“Â7>)lz
-;
-H“%VÛlJ��îÀø@w÷lZ %\‡§¾”Í#6qÓ
-˜VØÜM÷‘V;¥r¤(<�À5Oɤd’gšÇ,«®¯›™-²ÙbS:D @š@³#xé8€Ì»'¸Û@ˆÓðëÀƒm	èøÞ—u·(÷7rù
-¨¨pó~†²÷t”°³Ö±
±˜!ÖÅ”¾$€Lמ˜£ë=Ór@	ëæžmU6u³ÞÀ¶>ƒÒJ$Ff6ð¿P›*.&R¥YŒØ:O±uŽ!¬}G�Äš8ÊãŽÃœÌ
-oíê™YIºÙéÙ•~áª\Üó·N¨L�EÛ3�Û°dîe²ŒòÇ;ÀI›böØ 
E'
-�>Ê9Y–¡=ç„ý=å`ó,Ër¸i×4«G—"¦G	É�*k"ë
-¦Ñê%Ýi“k¯9ˆ”¸ñd_¢lj'P(›ØCg„­»rñé°£þá¼°§]
”p݃ \ƒ
J%ò=‰¦LçŠtA6	“l©uÄ�ºž@®ÏóÙ[§¨
\ý
-~ƒü¤žÕ+‚Ò	Acq߶$vŠåIÍ>UÕίCkó€v³¤Æhk^¬°¡': ÍG¤§²³…‰<ϧÇ
-Q¥){‘h³]Ô
­eÛTÔwß±”
Vºï*ž%óšÂ�«_UµìN>¬›e½à
Á ¤L‚�ÏÞ·4Â[
-(Ö=r¸HIc@Wàph�´Nx^�§o‡XœäZèDgö$"ñˆæÐR’ ·›
±tò ˆûú.€ïÚþ‚£kå‚x4Õ‘°QIÓ*ùõ¡A=X¤ÌTÎyVV̪ð}ãŒer›^个BÉ	ÁoIa4-­°mÇë.˾äh “‹lª6ØäÙãùªw^‘  Â=ï¹—¤	‡¦¯ùË®Ýro{èçíj~GTÀ¶Â«î¶ôJ˜m�º°çù÷7¦DUØ�[ÑãBÌLcÊfªƒfç
-& {vÏËTulGÎ3QöRdÊØþsÈ\¼¥³‡«lL”_:Ïf¥¯NžÝÐÜ
-ôu&Ú
Ü�˜Âµ�â9”ÒDJãùöpXìb³¨$³Æ¾4‹wûèa
ç*½<+Py±S/Ð÷0—δêwçè,䥓lÚE¹‰EÑ
-X0ê³æ‘ÿû<éxõ…ðÑ_hó…ö•~!|²Ø<D9!euÖ1YHߺ©òPš«Lc~ÛEl:	Ìõ™³Ìéë-r¢é]Gˆ7à¥;ìvížs
rFÆ5|Œ	b,�Q†Ã�ÁtÙ­g¿¥ÿieÌUZ®Ûsö݆ròÖ
-k¢€4\æÔTØ7㢿ÙA|£ÄÝGApì2�2‘ª—¢%#0ø|Þõ�X(-ÄÑß΄±©Wî=aG&±†›³Ñ/8S"�Z³uœ« ÐÈmQL6’Ë}3Ÿ�`CÊ„¼QO!'©Òæ2f2ãøÌg$5Ý‘Á¦É&v¸1@O¬ÉT¿IÁLþüU+Í­,Ö+Å«|«˜zQÅ/H�˦GE5DôŽÑ_ÃîvÁ„j›'…¶vÊÙ.y,üý�!
.ƒÀëqÈ)_¶BϦZÞRyÂ¥Ù#{H¡-ÓôåR„ÐÁ
\y|
-yJ§^åg»]ç
-,à¯�“?͖Ŷ…ú'Érsb.ŽíaæÁ%ùXo{E>5>ãËÙ´ª~f…Îv·-ŸW!Ÿ*l§_Vûý™Hʨ<šüK‹‘çTœ$ÿ²€]1¾³ÅNEZ½]µwÕ/8�¯ùË®éà[e4±Ã�ïù›žÖ*·è$h›$w²˜…gÓ»ª!ià´	u¢ÚÉF[E7}¨v®¶ZŸ›´* ‡m7·ÅÊÖHÕ#Ü•·,¥#ááotp
ðà®EÁg;z_ÀYßRX0¨Br~‚…ÓÍëaz€fCS³>ìËy,‹Œçs–8‚ãM
äYrêÜðKµ@½®~àñc<àÜ~’ÀÂcŒ]R†Öß<™
ø½]V.zU\Ë÷wÁFÈCD²éëM{W";ÙŒ­4Ã=N„ÒAe\…­ÊžN0÷¾*tý‹´[{n44dBóÌaJGÌ*;�µ|ÿºKyÜV@u}¡7Ša6`˜?¹žÆþwÕ“j­êáv­»I0�Š=ëH®
Ç”¡‚N_Tõq¦wPé¡Ný´æ’°a©÷Bæ±¹1NW"nTê’Q^µþ
-áx[%=v-˜Ÿú�‹ã(½@íõ ™u:óeyÿåH#¶F›!Â!ÙØ7Ë+ }5®Æ$pÄ(Ñ™¯áÃÉ¢Æã“M‡ÛÞiá#µ‚�sK‡:V}cÖ˸ê‹ÇœØóðÃÞ¯v¸`IyKš’n\Ï“,bŒðÊÞ‘€«þ:¹xšº:C'«F׉T:{M"QLÇŽMšµ¤¬WûÖŽôjás/Ö’†³ƒÌptæ„Ô2¥ ?ÄI‘±¼àš”—-†5ùB¼‡“2P_ÖodÛC¿;ô\½ýžŒ—O „ÔK·«õÊ_QÁP5/|Á—dÍI)g·'1"kÿoÏ\:<WÜ$êÅ/n�_˜//o®Úö«hrˆGpïÂ<_�û…‡NüYFä÷ðÏËÿß¿þ~cò¸ZÅØ¡0E®¶G
-·¤ÍÌýÏDž¢þ_ûîl¯endstream
+xÚ­]sã¶ñÝ¿ÂÓ—È3'?zO—Ô—\Ú\Ò«ûÐI2J¢$ö(R)ëœNÿ{w±�”!Ûio<‚X,ö{!y-àO^›$Jr•_§y!Íõrw%®7Ð÷Í•ä1s7h>õÕÝÕ—ouz�Gy¢’ë»õh®,Y&¯ïV?Í’HE70ƒ˜}ýÃû·ï¾ùû‡77i<»{÷Ãû›¹2bööÝ_n©õ͇7ßÿæÃÍ\fFξþöÍ�w·¨+á9¾z÷þOÉéqaÒ·oo?ܾÿúöæ—»ï®nïü^Æû•BãFþuõÓ/âzÛþîJD:ÏÌõ	^D$ó\]ï®b£#kí õÕß®þê'õÚOƒô“"R:Q
*" É£D+í	ßK ‹bv·-i‹ËmÑ4eM/?nEWâfaJ=šR\ÏÌà&{Sóu»¡F{ì÷ÇžÚ›¶ì¨Õ·ÜÛðjí�ž;hÈlÆKÅãã—I*p׸ã×�Ò&&ãq¯iâ‡öÈû*^ªøÈ‹�ƒ4ŒÎšñÜ–»é?Ï©hú¿~Ê#i€!¡eÈ�ßÞ—œ.IG´L’ÙªüYÕT}Õ6Ô½;v=õUͲ>®Jn|×WM1_Öű+©³ß=A»â¡#Øi[Þž»ìºbc鎃ʺ\öå�œ­°ny|a7*e”#ÇT†1™�ó£gÏOD0Kf¸�º|/y<í3³}qè«å±.ôÞ=tÄÐ^˪®ú‡)åììóÞ²!~Ðͪ°L±¢åʃ}kÝŒ=qL±ã)\GÁœd_VU·äYÊ{,Íì]O"GL¶®ìÖÛ=’¼¨k<D
ÇQwˆœÎfuµ«zž
+ò±w§Qª�*òÀ±Ü̵LvÃ<?|zFÆ—"€HI”ņWkŠl< É"ÊsíŸoʦ<–Fv±jÇ+
+-¸ŽÏÞ¬¥½´ +I;;=»âÞ-\Ë-kõ€JÔE´–­Ýƒ2Yùãà¤ãœl½†¢Häœ$‰b¡çøý=æ`ó$IRh
!Îê�Å¥ˆéQBR«ÊšÀz¹‚i´zNwÆQœj§9ˆ”¸ñd_ lj+P(›ØCg„­E±üxÜSÿp^ØÓ®JØîAPÀÏK‰4™²š2�*^ÐÙ$¹WØ:áNmÏ קéì­UÔ
+ô>Vìag«Vû¢ÿœy#x™²Äœs
+öˆGÔ0‡–’½­kbe“Iø„èay¨¼hïùŽ®•

+àÑ”'jÀF%M«@ä7Çõ`n˜©¬ó2¬¬˜Uáû6Ä)ˤ™y‘ãªr%'E
+£ii…];^wUôGà
+ò`ÀG*µéúõƺâ[_ŒøSpðã<~–`*ÿÉÅZ»‚ç܃Äa|+’ÙŸ›öÄPN‡W%GÚŸ2=®b'í%ècyhÂIAq€MÓ‘’Ò!'we»@V“T½t–]QÕa­{t/NâøoU€ªíÈz&*{)2Ålÿ%d^¼¥‹‡«²˜(}é<õ>H_=¹¡yÌ*Ð×™0+¸!…	j!ÍÅS(™Œ€ãÛãq¹Í¢¢$‹³çfqnÃò<,àœ\™—¢‚g*ï>tê9úñKgZ÷ûKtò¥“Ôí²¨CQ´L„ú]óÈÿ}3žG}&|ôgš'þLû2Ÿ	Ÿ$4Vf}Êê¢?'>}k§J_€Ò\%óÛ6b£ÐI`®/ÖSKÎéê-r¢ém‡�7à¥;î÷í�s
rFÆÕŒ	b,�Q†Ã­Á´Ù­gßRŽÿ¼²
æÊäƒëö”}Ïü9ùk€Å^Ռ޸V$}­ˆË
+[@Ŧ?Òõ|ß*NR4p¼:/å,½Cy¼ãfkkòÒU'ãIuÒø^TæÔTØ�ÇEÿxdñ�W0ttÁ¡Ë<ZÈHŠL=-Ńϧ]ˆ…L.†ˆ~q¼Æá¯<,Ž=aG&±†›³ÑÏcp¦„™*“M˜« ÐH³<Ÿl$:‡f>) Á†TìóFU8…¥ã—1S<ŽÏ\FRÓlª‘lb‡-ôÌšLõ›„,NŸ¾j¡y¦=Ë_ôJñŽ«p*¦Z–áRà²éQQ
]0ú+bØýÞ›P�¥Q®³lÊÙ6y,Üý�!
.ƒÀëiÈ)W¶BϦ\½¢ò„M³ö` -�y¾!´wÀ}�
W€á0Äy!Ç0ŽR;F½ÌI˜ÎV>/CÉ`ãT.p¶ÝU~©Àþ8ùÓlYh[¨¢$�ÏÌÅ©=Öll’�õ¶SäSsà2¾œM+«{oVèlwaÛÌû^ö”Œ¯Ëvý
+/X†#©X¥ÁäŸÉGžS~–üK<vùøÎ;&z»ò`«_p_ð—g×?aÐøú'~㯢“ 3Ø$¹“ùÌ?›ÞV
9H§M¨3ÕN6:StÓG�jçjkær“™òèaÛÎ�ae
ë¤ênË[¥#áántp
ðh¯EÁg{z_ÂY¿¢°ÎcPúäü«›7Ã:ô
 endobj
-885 0 obj <<
+1141 0 obj <<
 /Type /Page
-/Contents 886 0 R
-/Resources 884 0 R
+/Contents 1142 0 R
+/Resources 1140 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 862 0 R
+/Parent 1139 0 R
 >> endobj
-887 0 obj <<
-/D [885 0 R /XYZ 56.6929 794.5015 null]
+1143 0 obj <<
+/D [1141 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-884 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
+314 0 obj <<
+/D [1141 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1144 0 obj <<
+/D [1141 0 R /XYZ 56.6929 752.0323 null]
+>> endobj
+1140 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-890 0 obj <<
-/Length 2474      
+1147 0 obj <<
+/Length 2579      
 /Filter /FlateDecode
 >>
 stream
-xÚÍMsÛ6öî_¡é%ôL„àƒ Áô”¦vâÎ6ÙuÝSÛÙ¡%Hæ,Eº$­v§ÿ½ïá
)#q:{ÙñAàðð¾¿,þÄÂhÆU‘.ò"eš½Xí.øb{ï.„?³‡–ÓSßÝ]¼ºÎä¢`E&³ÅÝf‚Ë0nŒXÜ­IÞ¾ó÷»«ÛË¥Ô<ÉØåRg<ùîæÃ÷)èçíÇ×7ï~¾}s™§ÉÝÍǾ½º¾º½úðöêr)Œp_zŸ¹p}ó·+Z½»}óã�on/»ûáâênäeʯà
-ùýâ—ßøb
lÿpÁ™*Œ^àƒ3Qr±»Hµb:U*@ê‹Ÿ.þ1"œìº«1ùie˜62�Pç1
ê‚eJ*'À?¾E^]§jr’/–J³"/´;s¨êú "ÙÚ�k{¿ßn«f‹Ÿ<i÷ÃãÞoµú­í'ë¯)¿ÓÑéÚö=AÊæH‹¡ÚY¿zð‹ÞvŸ¬¿QùóUy^$»vm_Â2Ï’îR˜ÄnK÷»>½T
ŸÈ™¬ÐZ:Îè1£’mÝÞ—H­IgÈaËñ
v‘‘¼}(›ÆÖ=íªáÁKoj¨’sÆy®á1|c}lÊ]µŠˆ9ULå�õðLW
GB½ï-3RÄ
ù¢§½ÑŠˆ&p<@‡Öq½”ø”ä:pO㶃ívUcɦå@«ˆ­ÜÚž¾
-Æs%<wîîÒi9"ÃL®Rô¡ÄwS‘Ü[Ûà
-(Øw�]´m^âB¡dÂ6Ê÷ÖåàWe³ö{ΰDVLˆé·n·[»f1jˆ1©Ö�ú]yœ>“þÑ®ª_9—��
¸�SŠÊRf2�ÎM²Œ�“CÈ1ý±Â#„(ÁTšþØŠL…¥‹ä~ïTkœ'I�ƒ�í˺>ð±þÈWp¯¯š•��!2ÃR9²ú•„”uß^'Æžž$�
Ðë@¤3
-¾B¸�¥ýBœNŽrÀŸF`uï!Á
—i‘%w1›“ª`JféŒÇo²€„[i‡ªmzODyœ?ÁuM+—ODÈC
-
ÿÕ+÷®°ºsw	-çt�ž:5�
Ϧ\UµÏ6ÀÀü¨<+lñBÕlÚ'Ô´M}<§âI;¿£FΨ)Ãå‡j‹ŽKD)L
êŒ
ê{œ»;¦Ÿ—º/­?+tB¸©0²â¡oœ“2ˆ1ß §P­œ8=
-¨\ǒ¨¶Í†¿ôtµ9£>´4Sú¡ì»þ×vÍ1½Xn^xš\~aQ{{ôÝÙE�„Q;Bõ‹þy5­ö]g›!XÓhET1E�SF�óK!a¢Ä/…w¹ÌŸ˜ccDïÿožüÕÂjöu=‘È!&ãÀdŠ!?Å”Ÿ¡íû@Ñqx}­õê[l)9Ïâž7=š@×”¡4ÆÐçF2i¨K¢“èhB’ÿyêUº
-ŽÐ¯üüÙ
7”‘8Çr{ÇvO‹ÆZÿŽ“&ü®ÊÇa?¶†¹òI·H^nLÃO(vû~˜ÒçÑÑ*ý×aR�»X÷(HjÒ!$,·_ëPšŸ<Gó`Ü{÷)RøÈ2À
/1‚`
‚¢í¾øBt�–4Õb\>â
+xÚÅËrÛFò®¯`ùb¨J„ç�ÇÀ>9Žd+µq²ŠrJR.’¨

+îoúHà»ë›ë»ë�ï®/—\ÅÎ{ÃÜÜþãšVïïÞþøãÛ»Ë?¾y™òË™DFþ¼øí¶(�í.X(3/öðÁBžeb±½ˆbÆ‘”R_ürñÏñÂÉ®9ê“_,U+‘z(¸O€q&RH#À®)d)†./42ÇääX…‰ÈbxñA@R&ÁýFÓ©uÝ>ä5­Ký°[ãRµþ¬-´ÈZ<hÚëõ`_lé÷?º»ä*h¯à3áAÞ”„hî[W͚жmiv]£KZ·+<»2gYðp hw©‚]ÓàYâh*©TELY–Œ
+ú
¶€´®—œóàŠ`«¶£…þw¾}¬õk¹Ì&"g@(ø”¤†Ð‚¨¹\&Ì‘PŸÌ;Ÿ¬
âÎ
¯B†?Õî
+ø$¤«¶}ñÆ`2‡CQf$ÖàY.p)	}é½ù¯7“�›%ãÊàì+´	Ág�^�‹‰ÙÈQø´¶n~-g¸”v§#쌌 ys ÅPmµ]mìÂÙž¨,>äÙóÜ8¨G¦I@V³ÎÍoy|	¨šÉŒ¸§Ç”#„TÑìrØ2|€]¥`G»Â�}5l<ž+Ê.uÁ¨<4ù¶*|AK†œK‹vT^½ë53RèÄ
±þeO{G¢¥Ó7‚�à

+Á‹T�O��9�î¶U£É ÷£›L¢
+cä.Ž¿�úm~˜>2	/Ž
 Ô’(TIÍ•’{ÈI!½&Ž˜þÐá¾@ÏC%™E³AçʦµÝ@éª2JMÁÀvy]øØä+¸×W͘I¦dðR’YýJBòºoé^#Æžž$�
Ðê,v‰@(h“¥߲xÄB¨BÒ™v
+¸gÝv=I¦‰t™$@y4J€&æQ”âÇŸ;ݺDá)î,
¢Q�ÆÁøšùÂ�‡¿ã¶u :d
Àv›�ÖÆÚáw¯kŒ2R%ÁMÕݸ¬£DPùä #*ŒèS9ŒqÄ#‡(L¹šÈ�ˆoì†M
‹÷K.¦¡
+¾\¸�¥	ýœ1G9à‡M#°z°ç€Ë(£jÍã‰2¥H¢�ÞDµìX
+>´{ƒ‰èT>-Ãa+*:)#,¶L£º/ºêa7§-(O±_Ñ"f"dèÞÐÒf·^ÐânÒ=ŽøËé
ê§b8¿	üEht®ÿ)BqJ¤æPbÅ;}á¬�±ž!äü6j¾<Îc )Ñ=ƒÕã'›qŸë¦he®·móì^¢á¿ze»�
WX݈9„–s<FOðš~9�îžU^TµÍ6 �9ªðô%U³jϨi›úpJÄ“v~ÌG�˜Q“»Ã¶Õ´m¦yÂÀ_cE"Œ¾,õI+å:?mÑŒ“†c^ §P­9ÝKz.øÛqú<Ÿ&ƒ˜ëÚî_Ƨ
½U†nK ÓNÇýØ�¬È5�}Õê�|™è€
+(/}IaTÛêŒá§ž®V'Ô»–fJ@?äݠ˧î1m×ü¦—ËÕKK“É/¡×½}2uggŠ£¶‡ê—ýój*v]§›á¬!§ŠÉkœÂkœò‰�0QâS!Á !—é™9ö'�€n|vÂðÿ÷ä¯V³«g3ž†™ÄYäl‚HÈO6åghûÞQt6£¯õ£^m‹-yÊ¿§ÀI{�£kÊPô-#™ÌÕ%ÞÉt4®pÉÿ4õJ]
+p�H�ÅïPâyxå‘UÆÝÌi¹ó0é4D(æ"s%4~[jêࣦ™XÛtBP£:øÅih£VÎC‡ùßÅØ=#óTdÎeG�N^+¬D¨�D’ÐtI°)ô\D󘓯íí$pX Äs�„ãXñÙ,.N�ÿÑÈg7vžcMC�Þä×Ûï¯h5þÄ´ÖfÐsüÇ‹ó0SŸFÜÅèpXGyf,#•¥ßD¾v™¢Âª
+v�V|\	…º¯³#ï;·‰¦ÿ¨1ß4³±ÆÚ¶ÈI*í@%Gè;6Ã
©αÌÞ¡ÝÑ¢ÑÚ¾c¤	¿Eþ8ìÆÖ0•6iàÉËŒiØñŠí®¦ôÙëhÿWk7©öοM,ñ{$5¡2–ë¯u¨˜='fΘõîc¤°‘e
+e$³SÊÇŽž“þ7½6Òóendstream
 endobj
-889 0 obj <<
+1146 0 obj <<
 /Type /Page
-/Contents 890 0 R
-/Resources 888 0 R
+/Contents 1147 0 R
+/Resources 1145 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 862 0 R
-/Annots [ 892 0 R ]
+/Parent 1139 0 R
+/Annots [ 1149 0 R ]
 >> endobj
-892 0 obj <<
+1149 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [173.6261 554.783 242.2981 564.1926]
+/Rect [173.6261 500.8708 242.2981 510.2804]
 /Subtype /Link
 /A << /S /GoTo /D (the_category_phrase) >>
 >> endobj
-891 0 obj <<
-/D [889 0 R /XYZ 85.0394 794.5015 null]
+1148 0 obj <<
+/D [1146 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-888 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R >>
+1145 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-896 0 obj <<
-/Length 2361      
+1153 0 obj <<
+/Length 2502      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZÝoÛ8Ï_aìK æñ[Òõ)ÛMzY\Ò^Ö÷°·»(d›Ž…Ê’×”“õ-ö¿’²%G¶Ók
-i8’¿ù¦Ìþ±�ÒD§<Ä©$Š25˜,ÎèàÆÞ�±À3l˜†m®ïGg»Ò|�’Ts=ÍZ²B“„
FÓ_"M89	4zûþöêúÝ¿ï.Îc�®ßßž¹¢ÑÕõ?/ýÓ»»‹››‹»ó!K‹ÞþãâÃèòÎé ãûëÛ<%õ½»¼º¼»¼}{yþÛèdzËÑö,íó2*ð ¿ŸýòLáØ?žQ"ÒD
á…–¦|°8“J%…h(ÅÙOgÿÚ
-l�º©½ø1J¸
-ëßfժÿÕc,‚3ê
-è"p:”�‚:ñ6Ѷ3&IR6똚Y¶.ê㊀Á{®öâ	lÕÖ&›¢[JíÐDª×¬ÐDÚM¤gžÖ¬èhO ’I³o
-S¿²~ÀfÏ€Ö�c
É«\yÛrÌf²^åu˜
îUÖALÚù×_)åÛÕÆëzo‰¬°�¿YLGŸŒY†e�שeEû
-[ºß*klæÙCî
ÌG0ý|žò¨Z¿šzŽ�ÿÁKÝÄ»­Î�ê/öúó¾é5°Ø|l øØøÓí•’2*÷,/Œgú®=Éß½ésR‹áË��“òrVy¶a¯ø¿ÞôÁÔµº�úîÕ/Ýs¾^ñû&{„%pß
Xë
-²Âc3£+j¸=ÔP$’ĉ`ýU(ï‘`ï’q\ùp…
-ãMñqp[»þ–ÁU‚ðXóà*
}èŸBoÿ¬¢¡º}?º¾ú¹ôëjRG°ó›úÖ“*—ŒÎN$U.%Ii’ª–'±ûÐÉ�}ñösj”ö>_
-N•B@SŸ�›áÄÛq%Õ‰Ú�[ã>ƒ®Ëvd�¦ž_ä³T…¯ØtaRšzâcú·u™�8Cs65P×/ò²!ÏÃkèúÒ'ªK$iT¹ï@ÔSAÂã<Ç|�´ºõý
-G2ëéØâ#Á
 ç«€¥cN÷�›Ç¾KAN˜Ði`‚ž½è¯�QÏ_‰R
�?ˆ¶o
-wT. Ò­‹Ì}™!ü	®Ñ!¾¹›W&ˆÐ·ˆC™º3&Ó¤¹¦<ä
-<&±ˆÕþ—¼5Å+v¨aFó܆/*±»2‡î"…nÏBH(^ð«R§% ¹Æ(™mªV$9}	ìæ§f劕׾ÅoüÀî».æ¶ÿ«^ã±Mk׸e©øÜ«Þîßö©/óÓ¯I™N¡¡£'")‹a±ö‘´4õcµútÒñoŸ�¡Pðº&åH´lïåN>ö«…LO@¦ᜅh¹œ‚cœî66óIs“„sŽÁÕÚÇ·—T/a¿Çá’)áZ‹\ïu¿´ñy¼}†/ÃERèG bF¨)áRÇ}?õ ƒ“ŠxîKv¿º‘1IÒª7»¡?
=€
ú^
B?ùÙKó”ÀÕÚúÿ
+xÚÍZ_sÛ6÷§Ðô%ÔL„#’ /OnjçÜ9;9W÷Ðk;J„,N(RH»ºN¿ûíbAŠ”)É>;3?˜\,Àoÿƒâ#þø(Y{ñHÆ>\Œæ«3wtcθå™4L“.×÷Ó³¿]
+9ŠYzáhºèÈŠ˜E|4MqBæ±1Hp�÷o.¯>üûö|,}gzõñf<ñ×¹¼úç=}¸=¿¾>¿Oxpçý?Î?M/ni(´2¾¿ºù�(1ý; ôöâòâöâæýÅø·é�gÓö,ÝórWàA~?ûå7w”±<s™ˆ£`ô
+쌚©ƒøq—y"ô
+δR.z¾b
rQnzü­vÈ8Áq@1Á6‰m¥´Nî”Ý3Øzï|d
+æ#¸ëü<Ž=§¬ß¤Ä±ó¿npnu~T’ô×ä1ÔÀjû¹�âsoàO³WO°˜»þž�e¹"¦ïºÓ‘üÝ»!'Õ¾Ø8)+%±MÅÿõn¦¾ÕíÔwp¯´ôÀùÅï›ìkÀCà�<¶ê®M�V­CfzN¹Æê8ÁØeñ.¢ŸÚôœìå8­ãq|óxÀ¤ˆ¤�\E
‹=Þ®ÇY
-lC–ç—ÌEa}ëéê�…ÚL0=uC.ÛÇõ
å�9Ö1	ÇÃÈe'*ºþ.·ã¹Rï“,Of9\–Ò«b�:>Ì€¶ ÇTéù&[WYYX®rÑ,œj»V{c”æà
ýa³Jpz;kkW/‹*É
+6ÐuÙa ÚZ%Û&¢X£IS•öíhQWuWÆ®È'j® jÒl¿”çn˜�„X ƒ'ó�·˜tå^1ÿÿÍj6‚µ äê0ï€æ¹ Ë>63ú¢&í¡ ¼ŒaÍ8Úµ
+½ê
+·“°§
P§Ú ‘-�@·=èí6ˆÉÊ>iµ1]£Q­-5tÕËÿ-µgódÞvü°¥ÃzîøZzn"ÊÓE6Ö³-	ÿ¸š½H°
+GMtlï‘`‡úøæqÊОî>SCW‚ÝE[&èW¥9ç´†<ºu‹8~³îæþÜÕæêÕ*1ßå„�}µ—èžàæ–Ã	Âö,âÐ5&`;~5—”‡<Á“L
+ì§Á;S¼`‡
+fºÌ´ýž"Í…¡8t)„0{‡Ò¿y!Å~XšiꀒÐkS³"ÉèK`'Ÿª�)UÞR{7ÛÒÀî«.bfzø›^ã°M[7x—ËcñÜ‹Þ#ž¿s©—yé×�£žÏžŠ£^„?D 8Z¨ê¡Ü|9é÷7–�"(T»¦C9+;{ù–S÷ Qãá	Èx.Ù`¹NÁ/N·[ˆ‰Ù¼¹DÂ9Çàêìã[†ËuYè†'.¸ë3t¿Z“¯uµ`•ñœ$NG^‹’¤&>	Æ%]]ìÿÇ�,5Ÿúßݯ¢|ÉDyÿéñdZ
 endobj
-895 0 obj <<
+1152 0 obj <<
 /Type /Page
-/Contents 896 0 R
-/Resources 894 0 R
+/Contents 1153 0 R
+/Resources 1151 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 862 0 R
+/Parent 1139 0 R
 >> endobj
-897 0 obj <<
-/D [895 0 R /XYZ 56.6929 794.5015 null]
+1154 0 obj <<
+/D [1152 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 318 0 obj <<
-/D [895 0 R /XYZ 56.6929 769.5949 null]
+/D [1152 0 R /XYZ 56.6929 729.6823 null]
 >> endobj
-893 0 obj <<
-/D [895 0 R /XYZ 56.6929 749.9737 null]
+1150 0 obj <<
+/D [1152 0 R /XYZ 56.6929 704.9004 null]
 >> endobj
-898 0 obj <<
-/D [895 0 R /XYZ 56.6929 433.0023 null]
+1155 0 obj <<
+/D [1152 0 R /XYZ 56.6929 387.929 null]
 >> endobj
-899 0 obj <<
-/D [895 0 R /XYZ 56.6929 421.0471 null]
+1156 0 obj <<
+/D [1152 0 R /XYZ 56.6929 375.9738 null]
 >> endobj
-894 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+1151 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-902 0 obj <<
-/Length 2754      
-/Filter /FlateDecode
->>
-stream
-xÚ¥koÛFò»…€ûp4zb¸O.“Onâä\$NÏv�Ú¢ ¥•D”"U‘²ë;Ü¿™�åK¢¬¸n€îr3³óž‘Ù$‚lbT‰DNâD†*bj2[ŸE“%ì}:cþÌ´94íŸúþîìÍGÍ'I˜h®'w‹,FÆ°ÉÝüçàý?/~¼»¼9Ÿr:<Ÿ*ß_] •„†÷_¯?^}úéæâ<–ÁÝÕ×kZ¾¹üxysyýþò|ÊŒbpŸ{G.|¼ú|I³O7_¾\Üœÿz÷ÃÙå]û–þ{Y$ð!œýük4™Ã³8‹B‘5y„�(dIÂ'ë3©D¨¤ÍJ~v{ö¯`o×]㟌Xȸx›ãx	Gxý”)Jïã�2‡RÅ Íx¨Œˆ[©È¾T˜¡BMb•„ZpáÄòÇÎn3[!{à¼è�ÆÄJÆ€ÏÝnì,[<OWv{ÎL`é³�á>ªU¹Ëç4¿÷òr¹´~­.CD`§x wð/êó)p/¨êt[ï6ÿ€/ÀkV,i·^YšÌÒÚ.Ë퓧{ðN-C®™ð„ 
-š"-nb‹ºY#qoÊmí×ÍÅYžÁ¹¿û嫉Àt>§+•ßH‹ù~„x>:ŠÝú´
-¬d/ín¸‡
-'žF¡uP¤këÏÍò‘à�îÊÓÆ‚ƒÐšWõ/ñÅÉxÊ™Ú{,€rרß	“;Ûm+
-«âžÂîq™täE
j}ÿØß4x@ý<9�Èw<½ÅþøÚ?Óõ&·á¬\”«k/à?š}w{9v»�úí[B?‡” -l}é”�öŠ„ˆkˆƒ}/üJ×.¤	DPðDÂE$_
-âŸ{\˜±cfø	a*H"iH˜<}vZ”×··—ï=Gïîn¯>
øX—³2?à,úÖöh~:Ö
-­Ô@67Ž³VF¡QüTV¥4Ð íx–Cxš’úžN­>Ãa[*ñ
-_aä1ÆæÊo´šŒ묚•õån›bRàÂ_ä"
-à˜ÒÐ{òR÷¢©:øOYXša¬‡‰5X ŒD“WŸæg¬BžÈæ¼³À�Ò
-õËü\ñ¿M×kpž‡²Uã2L$“¾Ê<„f¤,&KÃ}¸4ÆïŽTv4PIå5Šè:Ä
™°0�WCŠ]ßG0ȯcP™¸
�5ÐRãb1‚Cs(‚usƒEnߎ@œrl5Ø’ˆÃDpӣܥºÿuŠÎ“И8ªyžUµEëjNº!Ûüæª?÷Aõ�_î>ÞùDüÏ↡¿ô¿wcÎâ!³�tg¿!sÞ�‡¿t	lŸây¹N³Â]’7¶ñ<-Ęb^Öž}TÖ¾óý„!‰ ±¯õÚDõô�ŸÔ÷%]d¾SÐÏØ~ªÒ¥ýCUl ¼ëDÕkF B‡Š-8º”…b­Rmâ±àQ›õ»í’F*×Ýlæá¥BJCž-Wõ£ÅÿÓB›Px`-`ˆrØ;ä‚JYk÷=´â�b ÇáJ‡:¢JŽ6·Ë	Mnzž¬=?í_ OÖgÏ!\×X³3
-~S‰‰ÊP7HŽÂ˜
-Kyû*`̾
-ÀJ›~âÇcV¯|OœGÞëóͳXøg76æË›�ÝÖ�Tu]5ç>ãgŒÄ±æI�ïoû‰+‚\¤ëçU½lE9p>AZø©ëÀÑYåô�ZdpÎu¼Hº¸Gi!nÔ.âZV
-œàf�÷ªÖÑÞïˆÙz·`R7¿ÓÁœÚ9¸F宸&Š¤´DÆ{r¦£¨4´ës~Ù¸hœµÉ€v�p¯¹—z$öOª`ÉùOZÍËò÷݆–ï­o\Ùc¥ ëjyÅݤµŸÙ¼I7�*txì/
- ‹—ô{Á~.µÞ«ÿÚ ûS‰©k¿ñ?ð0M“Å…¯ñAÁ#L¨�GHÿ?¤Àƒžendstream
+1159 0 obj <<
+/Length 2765      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥koÛFò»…€ûp4zb¸O’é'7Vr.§g»À
iPÐÒJ"J‘ªHÙõî¿ßÌÎ.EJ”Ç1�}ÏìÎ{†b£þØ(Qa$R9ŠSªˆ©Ñtu�°öጹ=c¿iÜÝõÓÝÙ›÷"¥aª¹ÝÍ;°’0J6º›}	Þýóâ—»ÉÍù˜«(ÐáùXé(øéêú’fRjÞ}¾~õá×›‹óXwWŸ¯iúfò~r3¹~79³D18Ï„#Þ_}œPïÃÍŧO7ç_ï~>›Üµoé¾—EòçÙ—¯ÑhÏþù,
+Eš¨Ñ#¢�¥)­Î¤¡’Bø™âìöì_-ÀΪ=:D?±�q%Fð
+¦,NŽã%àu]¦T(Y¼�wÌDJW4ã¡J€ž+œu¸Â¤!Ô(Vi¨–-nÍ&75’ö‹Î~ L¬dHpßíÚLóùÑôqi6ç,	
=;¨—Õ¶˜QÿÞm(ªÅ¸¹¦
+€3 �RÜ¿hÎÇ@½ n²M³]ÿF	
+�Θq·ï1/
+‚�ue¯8æ…àªUSf÷¾,Nú96O4ÂwÚ»â`[¦®‡.Èã�Kžt.ø'n‹%sûªu“W%Á^fHí8

+›’îÊâ(L‘ø»’ÖYþEÜÌÉ~·4ÈÞ‚ºxÛ1eãçˆÝëjÓ8Ä�?8-rØ÷w7}õ]0›ÍèHí²r6„!ž�…Žƒr»º©-Þ‹TÛvގ»£Ð:(³•qû¦E†HpÃîÈÓÚ€�КWM/ÑÅòxÌ™Ú{L€p7(ßv@Ï„Î�™n751
+ʪiwÀ9ævM.¯o{Èà„»Ú¶64�h&x†æ«M²{švd¸'�F�Î¥×_„z‹PCX‘vv�Ê$À‡(
+Pê#øcÓ`
õ[°ä<"ÛñôvûãchþÊVë„ÓjEP®®©½€Ôûáv2tº‹úí[B?‡” -Msé˜�vŠ�kÍG]+üJÓ.d
+ð `‰¸‹H¾
+TsjóxéfY°Î¦«x°ÔT®µ‚	�Úl¬"BUͶ™ñAé{#8îÜTÖ›®ú>im«)X(g¹Ù¥Òë(¿c¦¸ˆ{îqfÆ:ŒYÂO0S%€$’	1³„§OO³òúövòÎQ´tVàîöêC�ŽM5­ŠÊ£Ÿ!mçί£ÃŽ´B…‰Vê ý‰ã¤•Q˜(~*ªRî SmiV€{“øž­>Âfp[*u_£ç1úæÚ-´’ŒƒU^O«�úb»É0(°î/²
+ÊD:Ûj
+³°ìWeñtZ/ÛýÀI›ì!ÆX
+=ÈŽ
+©Ã
B0þ®ò¦±¨v	’¿¹­ÂÛŠu·¦A/õ•:o®ÛÊ›ƒD—¶]8{�¬�ÁÆü–dÈzÒ
“xÿ¡Ø&Á}^Îjê)°·Ùø
+ÚŒš}
Ĺ¾âŒg¼\õ
+Õmª­çÂÞ*+Kª�QzÅI[°)«Í*sÐé10éëøöè®
+€Ií¿ýAŸJD8GYÎØÂŒ¤°DÆ{|¦­(4´êb~éM4öÚ`@ö+R¸æÏe‰ù‹²
˜²ö“f‹ªúc»¦é{ãŠaGª«$ª^p×Yãz¦ðáæQ��ýJ
¢xIß öcñ¨Mð^ý†ÝÏ;$†®Ý�	=ã7îRøjÉ‘„*áñÀÕÿÚÁ”úendstream
 endobj
-901 0 obj <<
+1158 0 obj <<
 /Type /Page
-/Contents 902 0 R
-/Resources 900 0 R
+/Contents 1159 0 R
+/Resources 1157 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 908 0 R
-/Annots [ 906 0 R 907 0 R ]
+/Parent 1139 0 R
+/Annots [ 1163 0 R 1164 0 R ]
 >> endobj
-906 0 obj <<
+1163 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [519.8432 252.798 539.579 264.8576]
 /Subtype /Link
 /A << /S /GoTo /D (lwresd) >>
 >> endobj
-907 0 obj <<
+1164 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [84.0431 240.8428 119.7369 252.9024]
 /Subtype /Link
 /A << /S /GoTo /D (lwresd) >>
 >> endobj
-903 0 obj <<
-/D [901 0 R /XYZ 85.0394 794.5015 null]
+1160 0 obj <<
+/D [1158 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 322 0 obj <<
-/D [901 0 R /XYZ 85.0394 451.0558 null]
+/D [1158 0 R /XYZ 85.0394 451.0558 null]
 >> endobj
-904 0 obj <<
-/D [901 0 R /XYZ 85.0394 423.9067 null]
+1161 0 obj <<
+/D [1158 0 R /XYZ 85.0394 423.9067 null]
 >> endobj
 326 0 obj <<
-/D [901 0 R /XYZ 85.0394 301.4703 null]
+/D [1158 0 R /XYZ 85.0394 301.4703 null]
 >> endobj
-905 0 obj <<
-/D [901 0 R /XYZ 85.0394 271.3564 null]
+1162 0 obj <<
+/D [1158 0 R /XYZ 85.0394 271.3564 null]
 >> endobj
-900 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+1157 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-911 0 obj <<
-/Length 1236      
+1167 0 obj <<
+/Length 1235      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥XÝs›8÷_Á£ó U|ÃÝSš:½t®é�ë>µ�Âhˆ"Ñ8w×ÿý$KØà‡L&“Ñ"vW»¿ý`eÛBò϶ü
-{o÷¢£øÙ:®Äê1€žcÙ6Œ}ß èÇ0p÷€ íJTBósA®½ü,° %©„Á¯Áe‰åò›k?ìEYÀ
¥™(Þk<(	¤Æ
-—DS5k„¦h½>>ü«—oÈGš2âë‚rÃòßA§isVÛy8!¤b[S¿ëB¨‰_ÝöÞ£!TÒ%/‚¾ëÄG�¼	 ½#ßr**(«ô®RM|áxKg
Ðs|èGÒ>zšÑí1JŒ]/¤€âSðpQ°{Mf¬1{zIXYv–pbŒd™^Ž¦×
Ñ+Áœšn91NlÌNÙ‚Ö…áå¢ÝœxËüÓ¼ý‡U„Ã1”Açpè‡atÛ7`³ZA9!#P0
öW95ºUäƸ­Ñ1
-8GÜÁ.#Ín±×ÏJL
Jš~ÒÍŸ÷[Õúˆ˜zxÜë'9
-ȻҶ¬'0k£JRªD•M…&|ò5M'ó¾H½6Jup”Ó"„¯Y³®Øè)¸9¨výpœH‰jŸ‰¬QÀ*@vTœ—²Mþ᢭M¸÷ôZÔè¾#€þhI—~çMʈHr°-Z2Å”¬hyöMVyÀóV¤ì~’ï9–"E
-’‚Êþ4	_UГCb�‰€ïÌlЖÒŒSÒŠ–¸
-ûxúQ�„¿†
ÓbèѶb
y&�û±ô+Ü
+xÚ¥X[s›8~÷¯àÑy�VÜaû”¦N7�mºëºOnÆ#ƒš
+Bhžãš“ªVV~易œ\óWá<Ç•4Yx&ìyÀö…š(Ü#v ž@,pNTm]²Š«*-7²q§Zÿ¨â+r‘ªi€MFk-ð£“Ãq\½‚·~ Ϫ&*w¸©joô$¡û÷�²iH–0Ê	 k[á�&gMïÈW„¬‚rÊ
+Õƒ‹XU¾Ôøžtk
ø³\è®?àOM´{˶zB@Γôhp–±'UMX¥ûT±<o5©‰V’%ª™*·D•×4{Võ¦&Úˆ­îÉ›ŒÓ2ÓskÞl�¬­3ü¨G¿³‚ÔðË 5	Øt}?8�íj²Y)©±'Tuœz{ÄUJ5B[òT+w¯1ÄÈÑ—Ž2Í
+6BÜð»¾ûÏ�‰¼"|
+Þœ5e¿¾QqcÄú	~ €~kH{hÎQ>!<JÁ}Ö�ó•N²¦NÁþÖ‘–×iÃcö4�Á€,QFEøžàAèÎÝæ/
 endobj
-910 0 obj <<
+1166 0 obj <<
 /Type /Page
-/Contents 911 0 R
-/Resources 909 0 R
+/Contents 1167 0 R
+/Resources 1165 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 908 0 R
+/Parent 1139 0 R
 >> endobj
-912 0 obj <<
-/D [910 0 R /XYZ 56.6929 794.5015 null]
+1168 0 obj <<
+/D [1166 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 330 0 obj <<
-/D [910 0 R /XYZ 56.6929 769.5949 null]
+/D [1166 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-913 0 obj <<
-/D [910 0 R /XYZ 56.6929 752.2028 null]
+1169 0 obj <<
+/D [1166 0 R /XYZ 56.6929 752.2028 null]
 >> endobj
 334 0 obj <<
-/D [910 0 R /XYZ 56.6929 693.9224 null]
+/D [1166 0 R /XYZ 56.6929 693.9224 null]
 >> endobj
-914 0 obj <<
-/D [910 0 R /XYZ 56.6929 663.1642 null]
+1170 0 obj <<
+/D [1166 0 R /XYZ 56.6929 663.1642 null]
 >> endobj
 338 0 obj <<
-/D [910 0 R /XYZ 56.6929 628.9495 null]
+/D [1166 0 R /XYZ 56.6929 628.9495 null]
 >> endobj
-915 0 obj <<
-/D [910 0 R /XYZ 56.6929 601.0964 null]
+1171 0 obj <<
+/D [1166 0 R /XYZ 56.6929 601.0964 null]
 >> endobj
-909 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F57 624 0 R /F43 600 0 R >>
+1165 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F39 858 0 R /F23 678 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-918 0 obj <<
-/Length 1174      
+1174 0 obj <<
+/Length 1161      
 /Filter /FlateDecode
 >>
 stream
-xÚ­XÝsâ6ç¯ðcèŒTK²ü1÷”KIš›^®¥ôézÃ(¶j�ÍI‚mï¯ü…m°Á!òþv»ÚÕ.B–m>Èò)´IàX^à@j#j…«‘m=™ww#TÊ€J4¥ÞÏF?ÞºØ
-`àbך-º|hû>²fÑç«›Ÿ¯�M¦c€©}åÂ1 ®}õþþá§b%(7Ÿnïïþ˜^�=çjvÿé¡XžNn'ÓÉÃÍd�O‘ÁãRCàöþ—Iñínzýñãõtüeöa4™í}iú‹l’9òuôù‹mEÆí#’À§Ö³ùaCØZ�J u©VâÑï£ßö
-oshWü(ñ!õ±×@ê5ˆ�ìË£
t	&yY§Ï`ëµKô’+¡ÆÀµí«‹‹"É•š¯˜—óX(]¬—ùn
-ƒ"_$Óü,ŸBðó2úe}ȆŸTZ¤Ò”÷a2¥	Fà™ïó5¬X²+×ëüFÝ
-
¨|ÏòÂ@G
Ê‹Zzm<HÔùÝ­¼­N§Ê[±vŽª¹$v:ª†Â ;:‹¦ã,mÔò$NôìBã©©¹ÇÔL³'Æb5÷"j
‚8ïå­–kð²°Õj2N7ç…Ü<ˆ]›´ÚcngC‡í
-^WMgˆ
¥Íþ2NaÌY"’'Ó4—[Ÿ�Õ’3©9ÓC …‘\pÁB>b\Ѧ�ŠP
g¦Óuj¶|÷Š? ÊäZ-s‘
-)× •QÕ³K-ùJk;ŠîX¯“Üï�òcf†7­ãAsX²p9\|ˆt9‰'`¶FDBï:7êDê­DdšÛ²“<+胣ûDá¬eºQ'ªg”4ãšÒƒåµÌ
- ”€) Ö쨫œ –»Í&£–ù>4Zf_.�åÖ´w�PÃÖ`PaéèÌîþ‡™TivÐ.dºl£—ÃcwˆÎu¼Üe–Dñ­¨vlÍôrž°ÊËw}·:ÄtyBºî`ìý¸WßøÔ×aŽ}}ï/sÒ¸Ì!¶}x©Ì52ß_
SÿëìM�endstream
+xÚÍYMsÛ6½ëWðhu(>Ibrr\9u¦qZU=©
MB2kŠTJ¶Óä¿¿-Ê"e9ÓñAÀ}ûöa…]ÀØ@ú6‡ˆ
+fX‚AŽ07Üå
+O,Äzå9É©5È@Á<Šuªze>�
+%ØlÔ&êl2L@F…Ùº>?F�jàÝ‹ÔȾÔ)ó¶={Ì]Í„‰‰HïìÑ�,ÕßN˜=lŸoÖ+{p§ì1÷eë¿t‡—èœ=Kç±l/@â/¥nk³™p½¼•q‡½k"Z'‡1öÓð½ ��h4BIÜp_†E	ëì=ï¥6òH{%cß	ò2.Û§ÎÌkö¾ìë<
;¯}`-ûšªëæL¿ç™…èdÜ8O,�ð)W½N…;µÍLŽ¡ªŽÈÑÊv¥c
UßÜ*Tz^å{Vu…e™í;Át§Q¹iÝ^Ú½Ÿñl””J}ªQH¨%öœÐKÖÚó’SçÊŽå* Áœï9#ìp=(-!b™o$-± f6i?)ý£Ý'oŸC|v|ï–ôUKÚº:üU«ƒ-
+)¢uu,§|õûy‹_§À�l¯ëZS^EmW"°byÈÑôa£ÛøÞ±$û�óÑ(ÿ«<¢³øG/I¨+[ež>ÍÔJº]n½"ÝÿíZ¶ÈÞnï9‰ÓÓ¾ÁÜŠjÜß¹JôÙÿ5ìÝ@:¡.¶W•ñÆ	zê'�8¹•NÒ A`k6w\y í’œr˜Þl·\i£²!~õzõߦwÛ&åÝ8¡µ»qŠLha¤Ò }μ¼iߥþÝilÏendstream
 endobj
-917 0 obj <<
+1173 0 obj <<
 /Type /Page
-/Contents 918 0 R
-/Resources 916 0 R
+/Contents 1174 0 R
+/Resources 1172 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 908 0 R
+/Parent 1176 0 R
 >> endobj
-919 0 obj <<
-/D [917 0 R /XYZ 85.0394 794.5015 null]
+1175 0 obj <<
+/D [1173 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-916 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R >>
+1172 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-922 0 obj <<
-/Length 3234      
+1179 0 obj <<
+/Length 1707      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥]“Û¶ñý~…Þ¢›D0
$8yrâsric§Îe:�$“R"$qL‘2Iù|ióß»‹ø%J×´w
-ixH?­6éfoVMþ»¹]EA°ÄÞoÍÑlèóK<%�ZqÎ¥„›×nö«Cz<šl•fYmšÆ44áÉ4¿Uõoe5;óX›­©k˜¶+NŽâ/�
-¨÷’š»/ø
Þ¼}s×Má“õI$LV6«Sv¨<Ö¦žÝM]Uí*3…Ù¥m^•«ª,ž@DÌ2Ÿ6Å)sKüË­”L‘7-}ýá0gWþp2õSQí&<™å)í<Ë›t]˜UZìª:o÷ÇϬ:¤y9ÚG‡ò¥ÛÂà"±	Ó:NÆ{£Á¯C±èÀ[ÜN¨YŽnñ–`¹êˆìiHþlÓÖLÙÒç+óKˆ2G‚¤eF�Ÿštg-9�E %‹Â0²¤ö¦ÛP�Ä5K’$dÄñ;8_L‚ÖI©^3Øœ”ËÆ´
õNGjwEµNê÷Ç‚�¶Â6\®�›Ð˜Œzë'jÑ@0ê>ìs7mBð�:dÔ�´vt¬XQocèf”ÂmóñÍà=Ë(Z¦ØÄËMU"ow§:%îâB
-ûˆT²¼ß°Ý›ú–륡‰¸9ƒÀÍ06ÒL'	ž³1tÁdL8û¬�(¸e¢Õ1	®‹jóžº� �„aÀÂŒp©WCÃÈxämã„6ˆ˜VI2ѳMO…ºÇ¼(¨g¯Z¼.vf‘9‹9�*Œ™TqxÁ‚Òjˆe
h8ç�:,RÚÚlÚª~šRNb�o­¯SöH3”‡÷À
²ˆ1iÔš•jùXÕïórG°!+›ö–/q_Zm©mýœÆÔAbÀ¯¡ó©Y:ÔÌ`ºnªâÔ:ÜcÚîÑòá‹�dt¸Ö¹”�¤ÔÝ'g�¢±¨Ó
Ê�N† €é{S(m¨¥³°îG�TÑHk{ý‰ñ¸œs{¤„;!†—\
-]4Na”0üºqb]6NR}ožV
ç1CSr•ºGš¡>2Pp‹J)9&ÿ÷½Ug,�¦E;8±‚ë|•È74x:f©55зv
-³9uþà¿W¥i¾ ûC’ʃ3áÐãÀ
Â2êñ´.<=ŒN¬Y
-¼ =�Oó�´` uzźX;Ìmu*­*…É2ß^ØËÖm	#Dm÷Ös
-¿=èÀaÇ8“®/¸0ö`ª3±åX�Á[NM;öŸ©Þ:Û�_×—‡HÈçw€uEp=Vg0WŸ�sS©
4,‹b{�v‡uN\EC¹å¨ƒQ§ØNJ݇+Ò…TCþ˜ÖÌ™³$a²0gðî[šam.A%‚¬…–RNÓ°öZ{aÛ'´÷HÞ�qÛÙðY„
-òÂ..³tj†e×ÀKÍ‘Lì®NI�«±B¢»TY/zqŒ4íwcŽi�¶³
=F/RñÿfG
-RÙDy×1ØQ±Á7´¥1™É¾Ä-?ZèöTnðâÒ"oŸ†@_O9…�x­Û³c žpúiLNGeMTBF
0²ñ«*1ĺ¬ƜRÁ3K„Ïï°f¨�l9OXÑ÷˜<™à•ÏF±)¸KSfV¬•“HåïÇ…�е¦]Å�ªhö)Y-7èPw¦4(CÍ°‰Ä¹8Ip:2	|‚øð—»Ì’ˆºAìúÎ1á	èÞ¥ŽY¨ñ½oŠœìq»8rúÆ>‰›9ÙQ³‚¹ë’kåÕÒ|Ú€;ØТô+oiu›E"ažBë
-B‚0š0[tH3ÄÇö8„l@#ê®0�WäZë÷-Ó zé®È–¤7óªr<«Ú®žz‘w<‰1F”×y7ĺ̻ËäÓáx�uè~Ÿ!ÞaÍP3/b!&#òåÊh”h¹¨FFÞû<ådXgõù™—FÄÁ£4“yYÚ¦kx®¨}¤pzyÙ´õ­^ž6ü�²Ê‘ð“æƒâ•ÀD6
-'Ï\e¶qš	»ÊÖ¼�ŠÄ PFuÝN„b\7iâ¨<Ÿ73‘€5+Àïaþ7½e >‡ëÖŠiI§çQƒ^Ï?¡®ºWÃ%ÏßG%‡eÂ$é){�d³9Ó¡äÃâ欪(ÅÂH>óò0ĺ¢*ËF=æ€/29èô¦¹¤32bª«»è°f¶1Ò8²”ÌŽöá\V0ÐüB�Á¶õÃ^g@>psàAê¼µîúp8*Âj4Døˆh»ý�Ý:•#VRk>å-VvN¢«Ité½
ÒZÙ'5gu±ÿAž‰ïhCqfîVæâg
a’hØ%��p
-8=#0¬+ã±l—gÄDã#±–×I{¤Ò£ØŸ(‰Æ¤æXdWã¾¾ÕÛÕAÑ«7ªq'#¶†Öº²š«mLã
-ŸedÕ‰2è8
'vé·Wcà¦f,XÐýØåÿþ]Vÿ£5,ik}¡”*bÍB
‹¸MáIÃàÜð»p�oý?4ħendstream
+xÚ¥ËrÛ6ð®¯Ð­ôL€|srrS;u§uZG™�‘�Ä	E²Giûï]pI‰”hW’í‹Å¾€ø”Á?Ÿz>õ#;š‘K=ƽi¼ž°éöÞNxKC:"Ò§úa6ùþÚ	¦�|ÛŸÎ=^!eaȧ³ä£åS›^
+ÊyW{Z~ÕÿTâÑÕÑü亄Á¯ÀÃ�'u%<¹±>îüˆøoE.Õéi3šø;Žˆ7Ði�ö›¬
+’Dbw¡:]¡=6ÇŽb;4âÌòÄ;ç÷×6ŸnÑ#Ø
¨ÁöqÄ}xð0s§-MÏRø€y×}¹†ôÃå�òcvÞL8ÄÀ„BàƒKÙÊrz�	e{”!>#f+¹UhGÄCEQ
+	ÉŠ8¤EBƒÛÆñ‘jÕ&-óièEÑÐ7‰\ˆ:k“î1Í2„špyÍÍ?¡OjNÎý)wÊm;|â	ŒD¤OÕ¼€nëžç[ªF©´’±. ÿîIŽê»aø¼äŽhDr?œÙ�+ÌŠ6UCÛ³‹ê3Ì6\€BM@å–Ñ«ÁüêîLÛ£×2¿^@Ö_æ-iw1WEVë–Ö\/MÏ3!¶]ÌÑ>¯Ã,$fiON™Ãüa81‚Ž‹ç¸P€â³Ì%~Ñ–ø~éˆ
+ÜÑM
hg±1—sÞ˜ñÖA†¢ËÃ
+í¶ÆpÚÚ–¦½��µÓ	í¦1F7`–
skI�52�j¶C†Ñ4[Ûlå	f|ÓøS!¢é›@ûçˆ#ß¡0�º&NÇ@£ ð[‚ï^aƸ0·œÀ÷†)ƒçò}µ׶
¦X#Áã*mZ€í!»KyÜÇ㦩UÚ4â…^—1#xße-¿UQg	nÎÛsMO„½m
�LtSNO6*ߣt�gÛÔŽæé&ÕÒyŸå†<Ù¦8¨¸ÏÉíHäZ”mSÏóœ¾à?VM9sxàÁ%î—ؤXd%(‰4ÆͺLDÓj
 endobj
-921 0 obj <<
+1178 0 obj <<
 /Type /Page
-/Contents 922 0 R
-/Resources 920 0 R
+/Contents 1179 0 R
+/Resources 1177 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 908 0 R
+/Parent 1176 0 R
 >> endobj
-923 0 obj <<
-/D [921 0 R /XYZ 56.6929 794.5015 null]
+1180 0 obj <<
+/D [1178 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 342 0 obj <<
-/D [921 0 R /XYZ 56.6929 647.683 null]
+/D [1178 0 R /XYZ 56.6929 242.1112 null]
 >> endobj
-924 0 obj <<
-/D [921 0 R /XYZ 56.6929 616.8659 null]
+1181 0 obj <<
+/D [1178 0 R /XYZ 56.6929 211.8603 null]
 >> endobj
-920 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R >>
+1177 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F21 654 0 R /F23 678 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-927 0 obj <<
-/Length 3384      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZÝsÛ6÷_¡éËÉ3CðàäÉ�Ý^z�Ó³�û˜¶4	YœP¤JRv|7÷¿ß.v
‘¥ôæ’–ÀbñÛOH,|ø/*öü0�2�¼Øñ"ß^ø‹'ûáB0ÍÊ­†Tß=\¼ù>	©—&A²xXæRž¯”X<¿,ßýùê燛»ËUûËÄ»\ʼn¿üîýí5õ¤ôx÷ñöû÷?|º»º”ÑòáýÇ[ê¾»ùþæîæöÝÍåJ¨XÀ÷
ÏpâƒïßÿtC­î®>|¸º»üíáÇ‹›·—á~…âF~¿øå7QÀ¶¼ð½0Uñâ^|O¤i°Ø^DqèÅQÚžêâþâ¯nÂÁ¨ùtN~Q¬¼8ˆ’Å
-ˆÃ„6+eßóc�ÚJFÂq:)G³R¶T(å®Ïú²ë˼[ýêûA¥§ûQàù~,†“±à¨fx<ˆ(ñR•Äc&6úrúÑr—õ›:Ûò[³Æg¼ìí0shÚ®³Óí³n‰2Ûít]t<à¶Æ_4ô|ÙèšÈ˺ëÛKµÜç½.ÆD?»†H÷]Y?¡l&B]…Òó#?/�cÂn[9|—7Dú�€ì��™
-ý\æÇ~NKˆ09¿¼£šY„vpô~¥cÚEêƒÚÈåüŽ†Ÿ`}	Š»Wê@ùâó‘	
î÷X
-7'A
-qŸJ’1î˺ìKkxó¦ÆSzÚ²¨³j2Ž¾lävð'>†¼m¿ß±5/·Ö	ÔÅ8�=mH†<`§ïö�ÈÞ„–øND¸hwÒ	Ä�€(Ÿ³N`HuÚ	8*é´z­ÛV«'Dâ‘ð1*Tç×wT3Œ½@ì)Š1FwT0U™Ô*¤
-—UÙ™Éú×�¦"üŠL`
-¶§`v½´¬U#‹®n?Ûè?£
-6©¼XJužG5ÃÆl
-2‰8c>.1jh1T¤‘¡s¶½f0äzKIôŸ«ðÆŒ›Î’'yøéº#rqß쨻ÒϺâÏŒi;öžŠm~AΪé	O2ôNðd|ü4ˆÌ,¦vC¸é/yµ/ø¼Qg<çÁ3È„rŒÛÆ¥]c�íÁÌì4bˆ³ƒ
-ç¨LVv˜–¬²ê©i
7ÛîXÝ|Oùò<–h†…‘²ÉØ“`ÚÇ<\˜™qˆ`µå`çi„ck38`׌ŒO xGùòµ±„ˆŒÅòOk¯p?QŽa±«æB,tD©à d^˜(åAöh‹LXŠ2–dN¯²
-6AÁ#(ÍG§L.7Ü6��<ìÞrklê²ÏÝ®*q²Se�àë+6}Hub–ÊH¥îÀÁ­ª¦ùœueq<$!LÄg9pT3,Œ Ñ­ÊdÌÃß)^M°”
qêñAF‰Å¡;È–§Çè{	Öè}�Œ…~ÚŽÖaÔ)ÝKHÏLè
¯lœEÆŸU¯ÛšJ
-qpd³J›ÿIÔÎ[Ò!‡UpÁ'ã×… a\�SêhÊø@�bj8>‹o06\¥œLL¥Äªàà+rpÔ*ãL
-†yzYå�Bp-z§»~æè’Äó…HþøÑAdàðrô�ÉZb›µV¬±$[Q'ÍJm>PN7BNý` Ò랺xŽhùYó>ö5•Ø1@å]þ!¢Èó5)ž[úUVç’©dµ&é²hM­ßžäèhZÞù6AÚ
-ŸI²¼&·K}cÀœZe«yt¿.�€z1QÉ`*yVÏ�3SÏ0΀Hq

-Mݱcü¡€!覱§ðTâ
-`,d‰}ik„¬Ã1ïËgíÍ]ï
-) p�0À�
-Á`$mzu57¯òâDX’GëŽ]ÐV��ã¶qG¸XÃ1Úí?®?~¸z;tzT~ê˜AýlCëïg®%׬1Ò^ •kYa•"
-=؊̺áé¸XB«`N˜q–ˆTãPâoê‚3RÃ))—¡žƒ«r?Ý8¡æRÂy'â+¿×9�ù¹ѵ1Ú}¼5]5õJ)�/á1‡âô,Žè˜ƒñVMm#±`ï¦ýÁÝ4dÝ&ˆ_8ò3Ìóð“-E$ˆë†šº>\
ç�æ›hß^eéêmCu`
yFö¹ß L™@ÐBTÇ
-Ãý¸Š›5¦ˆ¬[üµÊô;ÃøÌÍ„-	ÄþÊkæ|§ƒÿ÷�É¿´‹¤*œøõˆŸÀÁ§Ò2…r‰Ä”ó8Ó©9Ãú
\#ñUendstream
+1184 0 obj <<
+/Length 3757      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sÛ6òÝ¿Bo'O+†
+¤H¹×K&!´X`—‹ýÅ,„¿bftª4š%ièPèÙj{Î`î§Á8‡´ð±~\^¼z«’Y¤±ŒgË{o/„ƈÙ2ÿmþæç×–×/R‡ó8¸\è8œÿxs{E�”oÞß¾½ùéóÇ×—I4_Þ¼¿%ðÇë·×¯oß\_.„ÑÖKÞabÁÛ›_¯iôÓÇ×ïÞ½þxùÇò—‹ëe÷.þûŠPá‹|½øí�p–Ãkÿr*5zö?Â@¤©œm/"­)å ›‹Oÿè6ôfíÒ1ùiemd2"@©<
ŠÆQ<KtÄ
+¦P€»}ù˜µÅåBÉtþ¥x¦Áïa(7Eƒ?̼YׇMNwŒy_ªü{Gé¼¼'¼ÂÌï‹=>Šª%Ôv�UnÄ«W‡}ç©Þ)«·M®Úzÿ|)„˜ã©DÉ|éÖ÷1à@!‚TkiߪÙ«_¢È鼶‡¦¥¾
>‘)û¼kêÍ¡eè.k×ÁÉ©†A¨Aá‘RÃ�j1#-|,:1¦ÅÙ­²m‘/¾¡ä¤…J‚0VéyÚÖ)ñÈ7!É Œ@F=êËu‰'­Ì¼Þµe�‡¥’yCùma¥2Ш4
$è0�ûÜ´´â)kh‹CƒâGPYÑ“,ç
ÚšžöÀîŸhÏ�ð4P6}\œ&^|ÁÊHR©˜™é‹tÀ÷B%q)�Ö¶ÔªúaŸm$Ío¬’˜Î£˜y
+J/c1¯júÝ»l�tÊ‘ˆ’@)-þG7Õ)£zŒ<|VE‘ùÈ‚œ—-CïÕ
+.Û”í³¿
+<
+{vá©B¤ê¦Â¾ 
õK
Æ÷Lc–¥¢0ŽÏ©w Ë8UÌè>«à•Hxëâ
òò
]èˆÁ-Ƥ}9±ïˆ‹)šÒ°0úËr\€=bÄ!y¢2Ô¶vYÌ*kŠæ{�Çü›Pîˆ+õfd ãØÅ)—îùÉ’=/$, &ü­!�ó”8F“±B›(ˆS©Ïk:ZtXGQ¯ÑâFÓ§è<i‡4BZ�&OªOÛ	.抲_›t.~.6›­Í0SCž
+VÑ3Ò	Î�
+Ñ܆¤ªÂ´�{ÌîXsÌ$½æH%œ¢6op’*ƒ[IR×Ä齬Á«F3`!ÔnQ^6˜7´„Ý‹­*p³7Jæ=> ~àÀ'•fâHÒ*–ÊkÝ9hb[T¼q•³l#fèg²Ê:³=”˿ྚ¸ÝSÞ=åfÓ¶~¥A!&óÛºå9{¦#‚Äžó1¼ŽË
û ‰rHV“`ÇŒ�tC�”­;LSŽüGŒ£H¨³Çh\\Ø{âüžöaŽÉŠ ;Áô$	“¾‰téEQ­6uã.&\�‘×*v`üõ
+¨TY�ä¥ØHˆB=–—BÙ2Ÿ
+šQtFvkŠì¸„\9®í»òTºÎcä¹òXMq�4ø3Ó‹âSÜ@¤’ÄuÎl<îZ jX‰â\ÿ:9«‹ñµ–ÝÍC¢ÂØÓ6c3©ï¹Ê18+¾¼hVûòÎ3¦�ÆJ
Û‡ ZJ(0ˆØ Š4¹˜Ñࣧ»þÂ_pª»§û"ÿŸŠ] Ñm´ÈÝœ¤ÿ�;@’ôx:±¢ëNNw;›yIñbþyçácM;�ˆ´šzÒ=�É£6ñyªÖY5h7¹h�.û3ÿ|õáÕòÍúa¹�ĹÃöŽ\‚K¶Bãù	ƒñ³!Tº7
+‡ÏݾÜfûrÃ`º–¦±Õ8À
}º~ÃUƒ	Dd׎õÛÛ ÌØUBΛÃj�ÆêÑÐÓ¶”íÌ©j2ë^/雨Ø
Ƈ]NŸ³„|µ„·g�øŒüÈ4G�ºsÇ+wÙ¶û¬ÄÆ_Ä. 
+¿VÐM‚­.A
ˆ ß]ïÙþzZ—öe•""¯ƒýmüå¤û†K~"_2#î™9�ì÷|¹Ö‰Ø'ñõPîÉ…
茼2Ûp›•<¢¤I&®	ŸxÁÆk<=œ½Ã[s‡Z|[g‡¦µ™¾J¸w‘8×�œ´Ýívžo¼Çls`J£ÉTïA„í3®[á|^ñýßH²c‚(r¹Ÿi,öié¾Ê¢è€>ÈŒÎUF©“ŒúÇ¡’!J©P±£Ú]‰¢ÂÔÅ„á×,c�Œ{÷—žß¼Fº»iï"Pk³/¶`„aÁ_g­Zú�H	,Z——¥XôÇq_	ʪlKçxWu…§ôp Í" ßË goû7vÜfûö°co^n»O°ò~:vZ/¹4÷¼pƒÃ]ƒ%T¼9!!Ñé2I(¼
…¤÷l𱦃@‡Eß÷Å~_ä‹ÔÄ“(bfhÎÓï°FèG
£DŸêûɡɤݭ˜šoÊÆÖ1ˆÖ>ïø®5ü5!ØÄ
+
+S®Õ�¨ Ão×lt¦�îKOò‹NÑŠo«Í!ç“Fk	ºð1ÁŠ6ä~*fíܽƒÝ¹³_ÃŽð. ;…*‚VXüêãêÿç¶<½„ÒþŸàçOô
JÏi"èÝçOןßáh\G]—Gø
ñˆ~À?ßÿý©òñ;nüîÑ9Q¯†q`°ƒÇL¡”#=ä¼û¦ù”õÿ<xm�endstream
 endobj
-926 0 obj <<
+1183 0 obj <<
 /Type /Page
-/Contents 927 0 R
-/Resources 925 0 R
+/Contents 1184 0 R
+/Resources 1182 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 908 0 R
-/Annots [ 929 0 R ]
+/Parent 1176 0 R
+/Annots [ 1186 0 R ]
 >> endobj
-929 0 obj <<
+1186 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [250.9056 716.0894 324.559 725.499]
+/Rect [250.9056 311.8959 324.559 321.3055]
 /Subtype /Link
 /A << /S /GoTo /D (statsfile) >>
 >> endobj
-928 0 obj <<
-/D [926 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-346 0 obj <<
-/D [926 0 R /XYZ 85.0394 185.1414 null]
->> endobj
-736 0 obj <<
-/D [926 0 R /XYZ 85.0394 159.4803 null]
+1185 0 obj <<
+/D [1183 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-925 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F58 627 0 R >>
+1182 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F47 874 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-933 0 obj <<
-/Length 3394      
+1190 0 obj <<
+/Length 3440      
 /Filter /FlateDecode
 >>
 stream
-xÚÍ]sãÆíÝ¿Âo•gŽÌ~‘\>^ûêLã4Ž3�4É-R{©Š”}î¯/°ÀR$EINz3½ñx-Á],¾Xy)àO^Fq§*½LRFBF—óõ…¸|‚w.$ã)èc}ýpñÕM¬.Ó0�U|ù°èÍeCa­¼|È�Å¡
-¯`1û懻›Û?ß¿¿JÌìáö‡»«@Ebvsû·k‚>Ü¿ÿþû÷÷W�´‘œ}ó×÷¸¾§W1ÏñõíÝ·4’ÒãȤ÷×7×÷×wß\_ýþðÝÅõC·—þ~¥Ð¸‘_üú»¸ÌaÛß]ˆP§6º|�"”iª.×&Òad´ö#«‹Ÿ.~ì&ì½uŸNñÏD6Œ”‰�“*´BM3Y†‰”€“	4¦{&›I&{,dr^f«Ýf¼W‡Q"’Ëþ„Ëz¤‰euoÙT†Q¤äpÙÛ.ùÕMd{˜6Œãµhe0™LÂT«„qÞ�Ȥ˜µË¢ѧ)B0$Ĭ)¶ÏÅ–·WÒΊ¬mè]¶ZÑ‹ÿÔUáÇ*ô&z¥‘Œ¾¦á¼.«§ýÇŒ»ÍªfQlyŠl?5
#£ƒº
-òb�U9ní2ÐÀA“€uH¦À¤¾DE³UY}„Mj«f/Ër¾¤ÑyVðXà3ž=ÒŠ»§eK/ü÷�¯ôˆò›jNßÔÛò©¬²Ömq4Éš¿X–
AÌJ0°$Ãì¡{µÌš,/ÝôÀǬªuû~cdÏãÌQZàÔ¼väDµ5=‰»näuò

-
üøCy…	…ðšP|Ú”L-­SòzYž—l¸zMOôhh�,îÏwj¨ô}Mﹶ&ì8ÕÓ�›²rÞE¥}•ç
—òàR^�†¹,!ÁÊyô•ž»†	¥2IB›ó–‘‚ΟZø”&&á „»nì7ÀkЪ쩀09µ:œðl—½Ñê5œ¢’TÇC¾m²¦
¿3ekQ¨t$GÑÑeäž.ötÑJ¡�§{î%ùo³Oãp��:%&V੽Â7pÜëBð>ÅÏ7r°sÕß‘LiÄ1OÂ¤á ›9|ÃG5A»v3�Ž~Ü&þxáS¥8bnÚÀÑÜvÉß›Ì-è>lºgxï8îx§<`n…Ö¦>+=¡$&ÔZ'C%Áiÿµk8Êäe“=®|ÖOÜ8ƒƒC¶†ãzAªAèq‘
-|­ŒŒ:�/¹5¡W§¸Õ£ãV,H‰b©Ìn�Ó�	ùguë„öÈø‚™¥’0Žu†YZ†Êh{&ˆáÖ[\V�Œ/ØeÂaUžaD•µI?sþó<;eŽ=r>Óö��ÿG2É$cX~SZG½<­C.SZ®‘!“ÙŽŸ…=
‘ÄFÅỺíê)û”dŸêôO�ãü¼_
ñröÛu
-NÖ;†àÀ{¶*¨€Kû‚ñAòêÛg�1‡:²út�­�u¼ÇÖa¹@ö±J<\äh�C«´>½x‡5±ºu¬0ñpù[<·CÚÃPkfO©á&¾ëJ×ð¶¨ðd�Ó‹¦\ïVÜ%R¾üˆXõcS¯
-'xþöî'h—ƒ:78xûãÏ×÷W�¸þr%¥Ä>RŸžh–òYX‡JŒŽFUA¥<²Ôþ¸Ò›�ŠgL${§„ÛE+8-ÛÒqÑz$'Ù¢�/ƒ§Õ®8¬
-c%ôÉ…;¤Ã•bàÏEoÔ· ‚™ÝË+6~Œ¥ƒ•ËX“
-À0³ ;Y¨€¤ÇØîàØÛ]q$cDißU˜g»Æé¬Áõµ¤W�³\=²³¬m‹õ¦í—”,­È%ô0zÔ%Z°ÅÀ'¢zç€ù`Ôw›aW"/óê//©¸WÕ°�QWM»½²³Ýœõ=õ{
-XÉŠò™úðåO·®ï¿G¼OzUódyÍ‹`�ëc9mOãP%V
µ=«^9hr¥uÜÈØ–mѼ©�:¬íc5Tv&{R,c!-¶WH}[óuJÍ°»±êÌ•–>Öq5ë°\%.ƒ]¬ò`¾*±qy \J‡±–æ4
ÖƒÍBv“dH÷Ú’¸sοd<X‚VUà¥X“ZW[Æñõf庭®®�ü%Ù4Bº�à¶�Cñs>Uuç*tÂw?ߦØ	´vöp•‚^’â™$RË¡Sââú¾úé
-o
+xÚÍZÝsÛ¸÷_¡¹'z&d
Á¹§\â\Ó^œ6q?nîî�a‹
EêDÉŽÛéÿÞ]ì‚")JNz}èø�Kp
,ûñÛ•åBÀŸ\¤:Òyœ/²\E©�éb¹¾‹{øöý…džÐ3…C®ïn.~÷&Éy”ëX/nîk™H#7åO�ŽâèVÁ«÷×oÞ~ÿ—//3ܼ}}Æ©Þ¼ýከï?¼|÷îå‡ËPšT¯~ÿòO7Wè“æ5¾{{ýšFrzœXôÃÕ›«Wׯ®.¹ùÃÅÕM–áy¥Hð ¿^üô‹X”pì?\ˆ(ÉMºx„É<�ë•&Qª’Ä�Ô/þÜ/8øê¦ÎêOŠ(Nt<§À| @#£4ÏÓE¦²Hg)°Ý쪶é.C-Dð/<Ï>›Xd‹PÊ(OÓØñmÛv–¶¶÷NÛ¦~¢Iöó²Þ—Ö¯àß”ö›o™¬zrßõäzßÙýÚ¿þû[·s8ÙšD¤�#5Ë(“R/4)�ÁJæÕBLá�Ëi%–3fÕsá–eÕ·µ
‹ú¾ÝV»Õº›Š U)-Òó2ô\3B$!$\)iÆR¼&)Àæ´
+v+G$A·±Ëêg!b[Ò—××?^½¢��Ý·bÇϦ$†[[·�Ï­Øk.‘€Ÿ¼Û×»*¤ÛÑidÈ=2Œ
_'Z•:’
+¬YœQçDÆDqjü”nWììÚ6»Ž\®Ø^JX~©á¶D¥Þ;SÄq:ë¶ÛÕŸmIï�U]uëÛlê
+;edJ@¼ú#p�12Ïå´Òt�]†uÛ~*ºª´G&–¨(¹9/AÏ5#ÂÈÄ’d�r,ÃßV¶Á;7Agw/f.RébP‘3"O¯QDÚæ߸[k€µ£mØèLðPÔUYìÚ-½>‚YU°@Dê ¾”ÁÎn0̓µÝ­Ú’×jû¥ØB!´C(ŒÍØDq˜žˆ}å�W?"­²¨eëžeGè0øtr:¢Ý{{ÇôøgÛ �(#X‰ƒoÃ]ªÉÂx`gGÌ*ÛuQñBC—Ä“‰qH¼EƒWÞ…U”Ön,Øüñj	´Ð/¾ÀÒ«Ô9Ox�ë§?†;6ív]Ô4H«Í÷
+9‚øVEGj{·£!^CŸ,Ÿcß춗&Øw;[òŽÈDwªT$bÈ}£;õüaÑ,W¤ÓŒ�›´ËªÝl,ŠN79ºZMÛãÆ;æ÷̱¼þá2�ƒ¿ÒØØ`Nm‰ºµüu¿n­Áɘ©bcªØ*–`õ£{¦S²2íŒàRÊÀÙŸÞÞÑpo³ÏH­ûu»f›?‹TtÕºª‹mýÄË·×x,ø‹Ÿÿñ´žÊÖv°¦œ³æ>l{
Æú
+‰´4ŠГ�2‹rŒó‡ EöAGæ©sè’HrP¤²"U,—v³cºéí¶£tK|ÂJžÕWæzp|ð¼8—óâÇ€ÙMžûÚ´sò³“Ÿ’Ÿƒ+Ò>¸"=®N¥qøRè	$#Dƒ¾�+ÂJUs�oIpçB%WÍð.£Wò9_‡Á[ÿÑiÌA®LÉàÆ…€|‘±Ob@“…!›_fß”–(fr•˜ÆxçÐ!†»c¦Xëô*„sÍ P�ª¯/©
+PrA–*ˆ¾Î=ñ{iï
+(àðÅðµKˆÊ™Iõ—«o½¶]Z†Mü³ ÇrU4÷–¶¼#ü¿¦/Ü^
Ê8AµC.øþÔîy�>»À˾sq5=±~r¨w”˜@ü¶.{Á…_{·{äå^Ðí‚åaÁcc§xâ
+3‹T–«ó2ô\3BŒ›®ÙaÆRܬ<|£V—á®*H%ܱ¿�Š?šp†Xк["mÃ
øº\Ùå'2xs‰ÍÝ­]·Û'b‡XûÉoΫ£\ß@ÒFÔØ�'d<6)n
ºiÙ­'M†áyø¸Ö¤7vb­§óœàÝi{PàCš<c®3ö๨SÔP�L¶5€¤ÈÎoë™f¶Z@.#Оo{
+â!õ¼ûdˆ$E‘rV§}uƒtS…ë	×(¢X­û±Ž†0ã»ÇzÃàÃeëlËOfÞ- ¤;†‹Œ)¾u~iFE£Ë•v�váL,

‚�MŒo$LÒ4¨«æf{�Ž£X:Â!¨ªLÚq¿ÚÑ?[øï�…{^82Ä}Õ@‚p(xaÙÍpŠ«2SXYÂ5°óâ'WÆãbeå–%8e5»¹ŠÎ2Ï/"‘?r9HBÀ�ƒ˜ð$íº‘§
ST†K8Û,a�-ת’ãyˆcv€•ºÖóº®P?�A ±r�
^Ó
VØ­˜«Á;È°.Ä
n³þ‚^[·!RÖç§#
+(ÁˆÎQ„RÑl«:�´2yߪöAr²OGFå¾4ècnM`8 Ã�«à9î¬Ã€Kr½fDI
dÐÄoòPÙÇIâ4’¤™=”Iz|â.hf!
+ˆÔ
+zî_œ’ШLóñ¿8ýw³¼ƒÐ{Rš'`-&ýEŒ—
+ý‘Â\E:†R`¾¹‘–ÄJI¦é¨€§ÿ9)\Séy'B&dB!ÚÐ	.™%Ù×!˜
oDeøÚZ¤ÿmú@Í+™
@üÿNÅ&Žtvê±¼Š!\ÄZ$gŠ>Ié�~‚�±³˜›J¡PùÂ
+!C¼ÔœêRýÿªRK&Mz^uÄÁ©e¾¯†ýó„ë•sÐO›ÓÓ@„ßv(%áŠ
þ€”@–3éì6ŠÅ³JüÒÿ£<ü“©Ê A›xÞÇã
+p•#H…k¡†”>îÔò?\2×@ôÿ
 endobj
-932 0 obj <<
+1189 0 obj <<
 /Type /Page
-/Contents 933 0 R
-/Resources 931 0 R
+/Contents 1190 0 R
+/Resources 1188 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 908 0 R
+/Parent 1176 0 R
 >> endobj
-934 0 obj <<
-/D [932 0 R /XYZ 56.6929 794.5015 null]
+1191 0 obj <<
+/D [1189 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-935 0 obj <<
-/D [932 0 R /XYZ 56.6929 511.7419 null]
+346 0 obj <<
+/D [1189 0 R /XYZ 56.6929 496.716 null]
 >> endobj
-936 0 obj <<
-/D [932 0 R /XYZ 56.6929 499.7867 null]
+1000 0 obj <<
+/D [1189 0 R /XYZ 56.6929 471.8543 null]
 >> endobj
-931 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F56 618 0 R >>
+1192 0 obj <<
+/D [1189 0 R /XYZ 56.6929 118.9377 null]
+>> endobj
+1193 0 obj <<
+/D [1189 0 R /XYZ 56.6929 106.9825 null]
+>> endobj
+1188 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F21 654 0 R /F23 678 0 R /F48 880 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-939 0 obj <<
-/Length 3651      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿Bo•g*Ÿ$8÷”&vÏ�‹sç¸3½iû@S”Í	E*"W÷ëoPü•^n<c�Àrw±Øo�/üñ…Ñ
“±ZD±
-4ãz‘n¯ØâÖ~ºâfå�V]¨¯~¸
Å"âP„‹ÇM—	˜1|ñ¸þmùöïoþùxóp½š-Ãàz¥C¶üñîþÍÄôóöÃýíÝO¿<¼¹ŽÔòñîÃ=M?ÜÜÞ<ÜÜ¿½¹^q£9¼/†3/ÜÞýã†F?=¼yÿþÍÃõ�?_Ý<¶{éî—3‰ù|õÛl±†mÿ|Žx…ð8‹í•Ò2ÐJJ?S\}¼úW‹°³j_�’ŸÒ&ÐB…‹•T�	
Ǥ”YÀ4Hmé8¥�­”Õ¤”=Jy›—ù6)Vû¬ÞUe�ÕÃ}óˆ1fÑE>b¡…šàAvxàQ˜Xñ>w¤úí6Ð8Ü„€!ŽÄØ[K J0ßãùEËæ%+q¤—¯íè9+³}Òäå3>‡Ëý57ËvÇ^£A�í¿d{‡!/
-z£*‹#Í%ë5
IZÙßuMpM5@—VÈùbzÃâXƒ¬@TZËsóRíó1K±LJÄ,9’È›¼*“‚ÖI“ÐJ�¥¸PÓ¼Û Ì9�„Ø¢i>ä4XÈïL³,xƒ�L-×Y‘='+JPêeiŸ¿dÝ“¼Ê»ÖßÈãK^“ýl“#
òíξ[YL0ád–»l¿©öÛ¤LÝDµ@¸C
-:v[ÃUð:Ÿ¯ÉÑѨ›}ž6è
-#ƒ�³xJH
öR¦Åýó‚ÝSñð«îÇ2‹|}¤XD¼AR4äFH›7#Íh¡.ð0ÆFž{¥BCÑ
ÙèëÄB\r#ôC¸Ü¼´Kx:5=9˜âš r·»�ö;‡Ý*“#·dO’ÄJ<˜�¼¦Ù9‘Ê;ÕÚ?Ž[]�q¾®sô–%œ)¯~üð†ï½óQÖ…dÅÚ«7¦!¥{ßn~“òØ%WÓC»ù
%2®®ƒ¸´¤¨«ÕÉA’†Hµ™âMà<½[e"ÌgBGÞš³?wEžæÍ1F°¨“F±õ]V*èW#ÙI“"åT§]š‘’КNzªÈ‹LJÓ˱ „˜òz~æ¥ þèsÃÎ8@„‘Ô_Ÿä´‚ v;!×™yŒ®·¬­˜4¹¼Sò×9®ÇI

?¥ag¶,9€1ÞÓ
Ø7ä6“Ä
ÊŒFOýÖ»,=™…KRpaZYy¨
ñDZz"^è@C€w@�'4Ù¶‚SR´^_òô…†iR;~ò†~!×ÝïÁhë9nVà⦠îÉš¶Žšfâóâ
-#°—!‹èE¸¼kèå×êP¬ièÚ+:‹9KÑIî�ôhõ–›Ã¾t¯lðÌ7n™²DœöY"
-1)©“‘òB¦�Ï!5J`žvNsŸ×|™ís¬áø ŽôD ©ƒº!ýC,)œÍÚrKZêô"‚…¡ˆ$Æ\ÈY]“
-»¶Åf½Š�Pò LN˜Aâ*[_gÙ*w½vªî‹ªútØÕ®ùó1sˆM¦Â;ä.Fø°¸Éšôeõ\¦‚¼2�â^ß“'Øgƒ�â1­ñ…2ºu>µPÖF6)”3fÕwÙ¨lâJ2Ñ<ùj‚~Ͼ±�Vú½qH¹oGÕ„	U…LÏÚPë@Šë`ÈÏ!B›x*)g[ÝAû‰åšFTSE­†i`å™~ͱƒÒA¹:ˆ…ƒw}9\EñDe�zÕéxÚžúóú¯w¹¶BæßÐy„*êÆp!#MiñWÜ3Hc¯MÌô=˜_)6Ãó¸è=¸Ü�ÞÐT+Ï6ŽÆ¥î*]+YÜ$ru¨h MÙÍÞwÄ¡C¬lGËÖr?\¯B¾|„ÿby3n4�ʸ„ÚChl@|ñy
áGű$¨ÎØîö$;ñÃÝ–/ÞU°§Ew[óª‹Úî˨ÞùÂ
 T Sº·!+2Ëãµ`Óé!ßî
-›˜“—7Ôçƒ_×C…Q<:zá:”¡\t…ûmç%
öÓ˜\¬N—LߦM�u¸5ÄpÍøÆî30xÅ5ë[(”'8ŒU¾^íªª�¿Œ
-©&Øæ;”e3ˆÆw+
-¼s§#Ò=a‹`2~A¶o$÷!®Û �è
->MèÂOØúkïV�>û
‡Ì-ßtØ€gz�}Ž‡ºÄÈÛì­0‚C.yácŒ.Ôy7ÛBµÁïOðú£Ì‚n%ö,åjLºùÀâL‡}Úù€¥NV-Û¹ó‘/X t´)RÂöeð½cu A™Q§Ö]@Àï:¯“§"£‡»_oúË	ýì’=(ó¡HöôÜ–ÈTo®ö¥3ÔFL‚Ô ÿ˜—ö„“®ùßi3ÃóŠboe»}õ%_Ÿkh``’F…ƒ–¶»ïÞ’Åp
-,ÚË¿¦Õ‚¯:ð·eC¬Ó¦e†ÜH¿³ƒ|¤gfžƒ!¦NZ4*ç{Ä!$˜¡ùJy´à¸bÉCr”�ƒƒÇ2eNfžüÓ¼{‘ØSÑ÷Ò�šq/jJkûÉ58	Yð,õj‚|Ï¡*P?Уߞ{s*©ëtŸwì£ÚLØÔEÒÁÿÅöÆö
-@þ÷6:§`þ–Çx¿ÖäP'x÷¬&�ÎC]bc„m^×dÙB_(ºP3ºæ¡¨
loÎèš	¸Æ
-¤1⼿0"Ž<S(5Êv4ø[mD4Áú
V
+1196 0 obj <<
+/Length 3558      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ]sÛ6òÝ¿Bo•gB>I`î)M�œ;皸sÓkû@K”ʼnLª"eÅ÷ëo@¤DIM¯�GK`
,ö{—ä|btʤU“ܪT3®'³§+6y„¹wWÜã$
)éc}{õ··2ŸØÔf"›Ü/z{™”Ã'÷óŸ§oþñú_÷7¯¡Ù4K¯�±é··wßш¥Ÿ7îÞÞ¾ûñãëë\Mïo?ÜÑðÇ›·7oîÞÜ\'Ühë…ßáÄ‚··ÿ¼!èÝÇ×ïß¿þxýëý÷W7÷ñ.ýûr&ñ"¿]ýü+›ÌáÚß_±TZ£';x`)·VLž®”–©VR†‘ÕÕ§«↽Y·tŒŠgi–Ûl’H“*­ÍécéÇz�óÔj}xjÂŒ3	P®³”)�G™Þ“	&9ì“k›fRH'”ºéªÅòÐe¸’k•ÃˆöR¶×‰aZÀ
+‚ZpS$
+œØYR"Ö-ïÏ $Ä!1ÿvr—R’ˆ¥„,´x*ƒªâDù¥êZššoKóVVÏNEpîÓí;(ÞÞ¿"IšjüNóÆŸ€
®�åTÝ}¹CÅ(ê0Ëz#%²Ž Ý¦êÊí›3Ð"?:/ÅvÕE�:Ž™<ÏSÁ¥òözV&‡î�ƒÿ±Šïó«co®p!ÔbÚhú‚Žõ°ÎèXÀ—Üb5Of«ª¬»£t"dj18K@Ä¡`pY(欶|H™´Ì³è™Þ~°ºæÓ\”פnõâÇŸÖ«ò	ˆF[w~%4B½ËÉÖJØó±n¢ŸÀ�8äåp¹mÉŒ™Þ_[PMÒ=(àÇ„¼z‹Ù²*ÑArËÈ<¨€´zŽ'àSS4zÇ7¢l�Ç+´á¨XfÀésÕ«­GT,O­aOLh˜˜¶ër†åú�än×ЖëbSt~˜ä2j�QÃþÛn™Ô_æÍSQ�YWÕé�鎓
õ…ÑîP„#Ç[ˆ¥yˆ¥›ÅLHfL§ø³dÿê¬5*`?Ö¥‚øVó“F©P„ÌÎeë´QF,'÷¦í’¶ƒ<­íªÙ±Q*0#“©óD¬
+†F	¢È 2�à2 Í{ÑÑ¥Â0âSa€(ýõ
òsY®½ÛåÕá·w‡´h6~é3%¿
+–v¡ÑÐÇ:myËY^UWOÅ*ÙøŠãØÓæ@!åó$D¬†�8K
æƒ"n#̳�sšìw„uÓë:GÇéŒA‡:
 GбMhLèlPcµ„âý­îyYØ¡Z­hES¯^hª:Ž+GÀ#EìmWlŸ²cSÚê¡AvË’rÜR}ªÇ$ŽXJPá(y([÷”.Z„Mˆ,&ø·mµ¯
å¦Y™>:CO³*]?Ä©¾Ô`Vøìª]Àð
+–òEéSñC
5îžc§¯õÉf�½¾z,uq€á…àýÌÅre 8ìA2­þ„šCX�JË/˜]ë´ÙE,gvp…
+"q2säq¤ã€ÅÁY"ÖƒËfY*si†$x‰Ù^?`Š6±
+†*?å]=@†Pœ®Ãc±Z¹‚ôã³_‡åó
ø¡“¢#óÍÝë÷7d,P%)�ÕT_ÇŽ
NH¢NˆésÕPW�†�FÁ0iPÓF !«ç…ßÃÙ@Lñ`¼Žß ÞƒƒŠÕ®xiÛŠÊ0œ)ëEã{JíÁ©û+Ä0×4Š™ãCÓ-‡éØS
‰·oÁ@Á-"jlÚÌ_€³ÕÌG«5ø¬íO)²b·.ôgzHgÔØ#
ßw”—‹4çZž=4"Ÿ:´Ó<Íl–
Ž
œ¥àýíÙx! äæÚÄ>†fÔÈÉ¢[Aÿ†]““ÂHmã«D[m‹G”ÎD_‹S-¤‘[v4@YBtÌĦQFm<‡½¥p@ΗºÜ6ÕBdq.e“LNgË¢b�`Ž�ë8c62Í8DY
Uµe¹K†iró8!àc_*
?é/ËѾHקÐÕDÚTÊ�ztdh Õîo~Ü£Xh8ÞͧÞ*3.�ŒžÀX/8┣¤§»eœBé´ô°‚òÍ5I
+*¸ÏÐá9|`E,`˶k	ËWâÁ«·kÂ÷ï^žŠ‡%¾ŠÇ“âdË}9"Ü›67IX|¿É®Ù|öA	?—¯GÕ5£x* (êvç(`>6#@Wß5X1ÜÄàZ´�Ó[˜Ú«3Sži!Á‘xS¬åée-“þ»\°¢­‹ùÍ|¦·Å}ª<©Pm£SårJÑé°Æ÷|áµ·8x.úÃð Å
 endobj
-938 0 obj <<
+1195 0 obj <<
 /Type /Page
-/Contents 939 0 R
-/Resources 937 0 R
+/Contents 1196 0 R
+/Resources 1194 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
-/Annots [ 941 0 R 942 0 R 943 0 R 944 0 R 945 0 R 946 0 R ]
+/Parent 1176 0 R
+/Annots [ 1198 0 R ]
 >> endobj
-941 0 obj <<
+1198 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [182.6146 634.5522 231.8861 646.6118]
+/Rect [182.6146 225.1021 231.8861 237.1618]
 /Subtype /Link
 /A << /S /GoTo /D (notify) >>
 >> endobj
-942 0 obj <<
+1197 0 obj <<
+/D [1195 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1194 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F48 880 0 R /F47 874 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1201 0 obj <<
+/Length 3695      
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sã¶ñÝ¿Bo¥gN>H|tî|Ww_ës¦é$y )ÈæE*"eÅýõÝÅ)Òòµ‰5c€‹°Xì'
+’‚nÚµÞ¸‘ª„[n°8•Au?_.�îῈ&f\ƒ
+nÖ36Â&Ð̳î	|e.…ß™wä%(´ÉÓà�°N®KäIT¶uMa¢øUÛh
+ÜÛp†©ÍñXo2m6Bó64É4¸�·Òƒ!Öë†6`ø;Xþ“‰sŽj¤ÏO쑦�|_® î’|<1¹>	–Ë»>¬Øë®/˜#äGQÊ�ÖÚö{i÷TiÊ2ÖlÜåªêŠvü¸ùéãݸ¹ b[ì@’÷u±£ï�A Q#Xç?Ü�NW0$À8(IÇv¡j 
ØGAó弎é4fYîW¹ÝµÏÕê¸S§Úú¨å�G¡Dsº±ØŒVe&É%žÑ+�¾âOÅy2ê¼^M”
+Œ_¬ ‘3‘³€õÓÑÑÑ$³Ñ¡Àm$ì›Ùðߢh2î„1I,'Á9ä%è,WÖ4LG;ojd
+	¶”o˜š
ÖSã±æ„x|
¡�†€öìì
kfúqÚÒ¨ Í ?&Ù]¹«êÒ®gT1Ïb&ýÿ¨âŒú�O˜ŽzNÿ<þKžŽû­˜ð˜gýšÕ@�õÓÑÎËєɢvD:#iɆQ²›®Ÿ4p·šKqvê€4�{,f�•ZÅLþçHÙéN¥ì>pFÊÐÓâÑã€þsBæÑϯw2ê·Š˜Ìb
qÞYž¤ó4LÆ:+_2KÀ`$oœ±^—°€…3ö;SôË’2¢¢[vÛ¢4Ó,5‡À'ççÉX3tŒ¤M&q*X:&Ä� $üèö¡~(pOHÂ(¤ˆ;$€š¦Â&PnŠ¯ÆA¬äBŸ�­"�N:‹ž>Ëb·«ŠG׃Ú0½¤oLF"!ÑåÉÈGƒÃç0ÍŒ*$`9¸Ï²çÄ_Æ:Ký8fnŽ®§bW”KŠÄ$dhâÍQ ÖÛÐMd>
Ê Û*6†@{…
Ë@h*è“ö×Ví1.´ôÅ
hJ¯ˆ0%Ó’˜
+m뢬ê
+Lú®ÛbE÷%0‚½a
 eÔX£üÉMm7I¡âÇÛ›Ÿ¹/�©mÆ”?ôO´?°ÊÖ
}=šoLHÜ9€WÞÞSi—å‡Ï_¨²±×;Æ^öèèÆ¡{RQþŽÊ‡Oȱ樄ÚkûÏ3:xüÆýofövUgb°ÿ~9+¿žïÜÒ×ÈÈÒ’®ü”ÂñJ†Rø'­ÃŠm‚‡¿ééÁBcuÕøó»"lïé9_Yš-ìô;½°:qGs'�ÕcC7fõº-…´F«<Ö°ÎØR�e/ÆV«
+I*êåz×n–žz.ëFM%ÈãÄÌŠÜR&õy
+Ö‰ãLÆ2Ÿ�iôçA!]uÙ_Ù6d[¼…Ê¥»!‚–óT<W>el]~Z¸<×ØîÐ0àE¥�ZÄ,MOÒFo‚Á¢Ã“i°ÆÝ¥‘5$Ø€‡¹JaÙÓ ¬ÆuŒ¤<S|‡G]Ò*ýpt­Ûºnaô÷·W?\ûyWsfçaàŽ�1¬š.X#$ZÊ¿ì’g.°fùeïøËù€¿
+`³râìD:/�<nt�û0!¶W
ïyU	®éÝIËPlŒJ3Ú>å(RµÀ`<hÆ­=P¸?ndxì9#ÖŸÕtäœS’kwjAþl[/
+åÁÔ5ò
"?}mÚCã`æÙZ\ŽgðíþÍ·öôÅ
¬0|4ö
TªÐǵ¥ÊÐ"Æäü#&ºøs91?6‚J#ˆ%C¬2Šƒ3K‚•ù§;Iù¬
+å./:šÀ™:ýe"ÜÙfisù€kÌRØXn¡Cã*Ü+%h™
+hpFTIwÜdŸ²(!O³kojŽáJÕ�^:�ßÌšmK9ˆáã
JiŸ6VTðËÒ�•}Ú±‡Ú— ,KZ<69?‰^4%/ŠPê(Ç�Gè%£çÊî`ñW=äåÛ—(R2êBQØj
tKM3×ã,‰3)ÏK&�üøø
Þ�n¯5h³—ð0TÕ³)÷»Ž>dvRÈœ2Øø±â²{q‡SÒ¶‹Á‡
ŽÙeàƒ¿AGæe'áðQ}†ùkÝ>ŽÞ¥Š]C±|lÀþ�fV˜¾œãF¢cÍ•ÏæÓMˆtÅkÏ벘«`‹¢Izl
=*›x5„
+±,.¶´ŒfëRã‡#ÅLœb‚ “n¾òüX¦q‚W®3™0oçþðÛäãÃí$ƒ¦åëçÆ	Þxª�Y‰ž4¸WÌ3Äÿ%õU¡endstream
+endobj
+1200 0 obj <<
+/Type /Page
+/Contents 1201 0 R
+/Resources 1199 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1176 0 R
+/Annots [ 1203 0 R 1204 0 R 1205 0 R 1206 0 R 1207 0 R ]
+>> endobj
+1203 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [108.9497 211.0729 182.6031 220.2883]
+/Rect [80.6033 508.2814 154.2566 517.4968]
 /Subtype /Link
 /A << /S /GoTo /D (statsfile) >>
 >> endobj
-943 0 obj <<
+1204 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [293.8042 165.7184 355.0043 177.778]
+/Rect [265.4578 462.9269 326.6578 474.9865]
 /Subtype /Link
 /A << /S /GoTo /D (server_statement_definition_and_usage) >>
 >> endobj
-944 0 obj <<
+1205 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [395.8905 165.7184 444.6373 177.778]
+/Rect [367.5441 462.9269 416.2908 474.9865]
 /Subtype /Link
 /A << /S /GoTo /D (incremental_zone_transfers) >>
 >> endobj
-945 0 obj <<
+1206 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [309.3157 134.9691 370.5157 147.0287]
+/Rect [280.9692 432.1776 342.1692 444.2372]
 /Subtype /Link
 /A << /S /GoTo /D (server_statement_definition_and_usage) >>
 >> endobj
-946 0 obj <<
+1207 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [305.9683 104.2198 367.1684 116.2794]
+/Rect [277.6219 401.4283 338.8219 413.4879]
 /Subtype /Link
 /A << /S /GoTo /D (server_statement_definition_and_usage) >>
 >> endobj
-940 0 obj <<
-/D [938 0 R /XYZ 85.0394 794.5015 null]
+1202 0 obj <<
+/D [1200 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-937 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F84 797 0 R /F56 618 0 R /F14 608 0 R >>
-/XObject << /Im1 790 0 R >>
+1199 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F48 880 0 R /F62 990 0 R /F47 874 0 R /F14 681 0 R /F39 858 0 R >>
+/XObject << /Im2 979 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-951 0 obj <<
-/Length 3814      
+1211 0 obj <<
+/Length 3636      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥]sÛ6òÝ¿Âo§ÌD,
ðóÑMœž;MšKœigÚ>ÐdñB‘ªHZqýí@R¢Ü»9û�Àb
,û
©ëþÕuœI®óë4�‚8Tñõjw^?ÂØWJp–i9Æúþþê»w‰¾Îƒ<ÑÉõýf´V„Y¦®ï׿-’@¯`…pñæçïî~øòéæU-îï~þðj©ãpñîî§[nýðéæýû›O¯–*‹ÕâÍ?o>Þß~â¡DÖøþîÃ[†äü¹°è§Ûw·Ÿn?¼¹}õÇý�W·÷þ,ãóªÐàAþ¼úí�ðz
Çþñ*LžÅ×Gè„�Ês}½»ŠbÄ‘1R]}¾ú—_p4JSgù§Â@àÕ9#3b`¦‚8Ïãë4΃ÄhCì¶E‡Š’ÅÑ^©la¹÷hk{(:»Æn¼hjòýpÏßæÀß·?æÆ®XmËÚCM˜-î]­ü5šnË­/î~åÖïZGÈÑïÞ©hD·Qi ³<ƒÓ"Å5£DcÙˆ‚<ƒ9S„ñÙ™T	í#ÇY»ó|'Gˆ/‘‘Æ�IUþwTA8Ì�$ÈÒ8úoW¸x=>à\/#m‚$†¥—Jyk^À+¸‹–…¶ð׋�êX<»�ÕÊîá¦_K—x�n+È;+I
-^Ö�<ðg”Æ*W[nV&xFòȺè
-àq”RúñêábÓTUsô«¿ùpóþÖí»&bCG$Ûí·Œ�7¶ÚeÝ+´Ê#Âú…60J‹¹Àñ¾�ðW©
îÅ;­í»aeŠ³ÑÅ©
§(Ó3pã\ß´
-B“;¥ÿ=ŒC¾.Xrm7E_u
-Lˆhd‰Rå{è*f.¨­ÈDèd`j’�Ûf؃Œ�¸Ð%&Žá
-tÉ£¬Ë�Nˈ©ƒÕ‡(áb›
ÜÔ×
×2Ì›7¤°&NбqÕ¬�8010 F4!/ClÈ ˜×”c›–!\);—Š`Œ$‡s׳‘¢‹¶�EƒÐ¢Aƒdt¶&QÁÑ��¾õãø�†Ú¯@X–|x?‰^4f/ŠPžh¦�‡ŸeO¥=Ž"Ü‘Üt�Ýí;<¢ŽÙ¨ë„ÃVlíÎ�…
-£ 5æe©À¤ÓçÆÇ^V/À‘ʆ{»*7Ï"¯3»@Ó™Óƒ]õ‡–>XdvSÈœR¸ø©âòª fã–|í
-kd]óµß£Å¦¡¼ ”å[±â brN`Œ‹È9Râ‹g`“ƒžR*”p!
qûV8€@?‘‚fŸ!Crœp˜ÂëÏÅFsjȱ‹H…Iv\ñFè<”vIÍ¿ž$B£ÚHák%mog#%NlÉÓ°ë©‹�øO¤’øŸ<P½ªPõž,�8@ßÇ÷
ÐBfÉšÆùÐ…µ²Ÿóiwïþ„¦½ýÆ-:8®X?�¨›ÍèÑz£Y4™o£ÃQ‚=o̱ƒvÈ�ù‹‘K¿?>A zc‡¢âª�
ï�VGYZZÓȶ>—ÁIÌw:ºá)¿›1Ï’Tðf>ps/^¥î¸O«8lj
—ùC/
e?JŸKÈâN0�ÊiiÍüH0Çó
-�˸	µø»] É%U£Hi88€q<#ŒÈÀ:[-nk°/““Älö¶°¼a—Ál®»rçÈ
ÍÙôÕ¬ýFAMiïdiqp€üTÖý7n¶Ï`
v-•”Vo€›ÃWn±ÞpžO}þ|µ‡ÚVÜFõlñµÐ"•n=
·îß|”᦮¹˜2[àqæEqN_—Áp¦ÉŒ´X$%eåt¸Çʪ$*Q"=8¯mV_)Ó
-¢Ao>~‘j�ì쮡”
Úà˜Û~çüÆù>‘³.\Öˆ’œÞ	ƒªPð½BªЗ´=(i6¼Öa‡KškWÚ_¯–"%ûÊv\
-ˆÍ '1
é)ŽŒÞ9c=ì;UcÚ“2ø	W"==f^�ÌÍÌ}qP’Ë9ßQÿ²œ±uâüG\~%4äˆðPÖ‘‡Q!8RÌo‡§poÛ$ßó˜~·¡H”_<Sm]žäÐínߊCéjM¨\+²\mdñOÙ6•ÿ¡�«¹K•ÊÒ¯]«»¨P*Kþæ77c¬Ëñ‡Ç¢H®¯ºr)’n¨8€ä<zyw�5³ý$ÜÐa`´I§ûKþwæóçDËs³9…†¼¥Cë¹ég+ÖŠÏ°¯\�ÎÒN^18ºO|°íEdx9	ŠäÓmAmä±ëà‘:
#§×JÅ¡ûå½rçù|R™g�•ùß²J�¥T†Zó>îEÛÕ
+xÚ­Mw¤6òî_áÛâ÷Òô
è8q<Yç%“Y�çå�É
íf‡†ö8¿~«T%0ng6y}h©T’J¥úáy
+'æH†ÂO´Rà</û²©Ój³m›ýÆîãéSk¶çÏno—Z…LàVÝÀŒt‡"+?�(r…U{×u×ilQhEg'p¢;4uNCx~»Ô�íBZع™ýŽÀ¥|üpõ½Op²|vâ®*^Œô€Y:t«"HªÖ„ù
÷°g;Ó‘@asÆ{,xoÍÒÔàñÆñ�áhnJ¶djò˜M5àÍÌHÊÀPúÏܘ;
ž9’<�ŒÖÝ=#m¦Xä­Âw?b!cöiŸí6ûôp(ò
HLTÀ%,ÈAàG‰2§é±V™
+š´E‘œSr½%™TÉÌÃúB:�~"–N8ö�_M8¨˜‰B†[ך�%бwýþAñ9i
+
+Ž$¹®”ˆ`�ΊRtbx
CgƒPþYP.D6ŠMq‰Ó`ᮬ)49N<®ÈˆpÄŠqÒšÌ^3²p´pœø�˜ãnÇj‘Y9]_]¸„‰ˆ…ÿbhÚ´-]Ñ	U,³V{N¦SvLnàôÁ–¡è^¹ÄôŒ×® Õû+ÙôBÙ_
¾Ù$>dÚÊùf[ô&æ°²[ÙPk_í’Ö‹çKéKE§ÿ|©‚'ŒCNr%|ˆ|H‡em²áè
¥½nÃÞAd`:êTÅCQqûqWZëMØŸ¶HúzóÛÿjÆÆ~&ÚÝ>ÛÕB R¶‘ôu˜W™,|#"·KÓ®ñ8ô“H«×x¬ýXJÆY³=«0y±¥È0½£a)?ÒÚœŽ†§X/GÃ#–åÀPõåæȇYð«$äóIrz÷keûYð«?Šƒp¾?tÀvŒ�H�•C˜µ—РR9¶žš�pv6òC�=ár={–Ž�¨Qº�Ùßhª\ÑB¦Y�Æú£6ÝÊÄ�…
+—IÍܼ å	ت4Û�¹ÅpL³^å
+Gêa©ŒIE³<´ŽGNiw©ePP¼jÍu±MábÇG�•âP"ý%�x²ZÔtÄÊËúÀ•B¾õŠ~M°Nè—òRQƒ4e\5y®`òÀD�Þ~ÄZÙvT­ðÁ+žpUs,�$Þ÷ï>|¸ºÄ6^àb{°=
+ö
+ÖÍÿ6N?HÔ?`âЉqãi	<"�@Fš\EµHË–^6çU4ðø�aDzNļ†fü(€Ñ)oìöXÁ=KÃøè-ñ�ç¾Nû�};!ñÓ;ŒBvRnŸ¨j.'âíùD”Wíj¥0:ÞvVïn©@ë<Nø;wÆ14”>}‰S¬—oqÄÂí[+ÆË›ƒ!
+“0å\CÉ…+Š¼p«V²
‡‹ JEc¨ߌ/„õâ­Ð�^“ÓO>�È!³m÷.•lÑs¶
+-ת 	äzj–íÓÜŠ;о2á1ªÒÃH p&Ž^/C9ÆGÿå�i[¯má¸_ã'”Ó£/½DÂA„eÐáOÝã\xìW“‚ëÄt±ðPçS ƒµ�>Vˆš–ÅtÍžÛ¯
�Ù‚ÕÂÅn«‘Ú¼²¤}}´�:4íêM_JO
$D<:óHWr”lL
+ª;´‰7TT”�®¦! 
¿·)<ÀvM׳~ûùSNð½}úEY^âøŽ€-'fÏ>�B¼›·—6ZðLW6á!é%"äMyñ}“—›µÚ59¼¹³¢e â§/}ý)A¤\³×Á:ýí/C�ŸÍªØ—IòBš-ƒÈOÐ
+0Qx2e–”�Ÿ�>'ý‹í,
+endstream
 endobj
-950 0 obj <<
+1210 0 obj <<
 /Type /Page
-/Contents 951 0 R
-/Resources 949 0 R
+/Contents 1211 0 R
+/Resources 1209 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
+/Parent 1213 0 R
 >> endobj
-952 0 obj <<
-/D [950 0 R /XYZ 56.6929 794.5015 null]
+1212 0 obj <<
+/D [1210 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-949 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F14 608 0 R /F42 597 0 R /F58 627 0 R /F57 624 0 R >>
+1209 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F48 880 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-955 0 obj <<
-/Length 3474      
+1216 0 obj <<
+/Length 3228      
 /Filter /FlateDecode
 >>
 stream
-xÚ­]sã¶ñÝ¿Bo•gN8âƒùèÜÙ©3�sµ�™v’<Ð%qŽ"‘²ãþúîb)QöC;7sìb±ß�œEðOÎÒXD:33›G2žÛ‹h¶†¹/$ã,<ÒbˆõÃãÅç›DÍ2‘%*™=®{¥"JS9{\þ6ÿò÷«o�×÷—GóD\.â$šÿp{÷• ýùòËÝÍí�¿Þ_]Z3¼ýåŽÀ÷×7×÷×w_®/2�%¬W¼Ã™7·ÿ¸¦Ñ�÷W?ÿ|uùÇãO×�á,ÃóÊHãAþ¼øí�h¶„cÿt	�¥ñì>"!³LͶ&Ö"6Z{H}ñpñÏ°á`Ö-�’Ÿ‰S+“ÌÚˆ4�=&¥‰(©-lœ‰D+¤l&¥ì±PÊ˦ëÊbQ6ùS]ŸYšL(™–L‘Xôõ€¾Œ
ÊÁŽ¸&Ê•¦ó¯w×_pœÍ»ýós»ëi¢jØäÛr	iT<ÿµ©Ë®£ù®ì	¡oñŸoât@X)	B~‘à[ÙΘ9+2­RÆù»e)‘#
-Oå&);¢’3ÙjEß³¹l=FÓöHdZ(mc“Y+·ÿáp ptjA�›’Ër•ïkF©º‰cIc„I“„ynÚ©c1QB'JÍšcáø6�“Ôk€õŽzy,¤øç¾Ü½ÕíúD³T"¢(6ïSX¤G§Ô‘ÈÒÄŽi?<—Eµz	3Ý”ý¦Üá‡&®¼­«fMݦÝ×K?•„Ûõù®/—a—†F^5pbtp:Jç·+¾…¡h´ÙHé¯a(”£“
ÎÀø+­:&ÖöLê¹¼”óbAº¥m&ŒI‚n‘߬~�"U.?‘æôÄ1�hàOÃÃéIÉXóúr·­w>ø~z;Úàyw)ÓyÙ•MÁ�vu„2Ú¸ÈûrÝÍ	É$±Hµ6ÉT“ö©µ°±þP‘ƒgïëñ
-�ècŠ©‹h_\NcàÖ«æ{GCǵÎæå_ðt¦¥[ÅSÅÅ›†‰XÆ9ŽžxÁÞ¥iËÁî­n_ièSfZôFÔ™
-/rZŒ£%/wõ6Û�³�eÅ–…xÊbšäjm;Tʆ
-€Û�Zö(I“ÌŸö=!¼VÝf¸Ä:ë Úâ81U.¨÷LH±y{Íß.¥”òc£XÊXmQìw¼¢mê7Ú´m¦®«T@ä@1pÁ¯›ªØiä¸>¢j“æ=칫ú¼‡hÇ †£·†èNØãí){áíÙ®«¾óeèðÙJÇhHDÔ¼ï–:C¬óµNÀr	$YúiÅ.Eleö>á€5Ay”ŽBeCr3&͵¸®Pëdr`tÁ
-s.D›(‘…k %‡èÀš°ï(ã3â ¨&[úëKû!Þ±,†>
™¥¥,�8“ÔØr›äŒ„úÜü­÷x¬¶C:@»ÃKû4m|.ªÅ®S¢®	Ê]
-‘‹ÀY²Kš¤A ³`%e½ÂCšÐt]Ž‚’Ǫ w§=—“kB�Fá=Æ>K1è£dú£�nâÄ
-ygþä‹4Øl¹/mÖ	{¨ƒTü;Àè}+$ØeÅO0®&}1c=Hâ-ã(MÆÒ™F[à­jÎgÅJj%æƒH9Ä:)–KÈÂ5.ºÃÕ�"fb!Âgñû<¬	&Æï‘�/$Q:æb3µ‰Y2XvùÚ	€®œ‚¿Gñ±¨¥{9ò‚W¸š…žáº–fc¾4·5½$tkÔk‚D^šô(ïÛAÒ†ª€N=Án2`SW�C
|hŠ Ð%æ–^50O–>¥·iÈ»p~»w§¶)UÉ
-eùÁo2Hïü$ƒ‘œýbþ¿€¤Ù;y̖¤ö}Ò
é”öø1Œ%IÇÄÇ5Ÿ’¡ç¦”=<&
Ü1LÅ×ð—ùw½ë!”Mˆsdì"†{Ãd�3
+xÚÅZYsã6~÷¯ÐÛÊU#,‚$•Ϭ“ŒÇ+;{T’ŽDY¬‘IG¤Æq~}ºÑ
%ïÔnÕ–«L°Ñ@7Ð?4¤&þÔÄÆ"vÚM	+•�,/ää
ú>\(晦YŸë»û‹¿¾7ÉÄ	ëxr¿îÍ•
+™¦jr¿úy-.a9}ûéæýõ‡ŸóË$šÞ_º¹œi+§ï¯¼¢Ö‡ÅüãÇùâr¦R«¦oÿ6¿½¿ZPWÌs|w}óŽ(Ž'&]\½¿Z\ݼ½ºüõþû‹«ûv-ýõ*ip!¿]üü«œ¬`Ùß_Ha\j'Ïð"…rNO/"k„�Œ	”íÅÝÅßÛ	{½~èèþ))´‰õÈjÕÛÀT	ëœ�$Ö‰Øhã7p¹É—_feö˜×¸bzCb)“¤ y³§§m
|3­ä´©à)Ý´ÙäD¨žË|G4šŽ¨k"ÍßÐû|>§FV®¨ç㿈°»Té4_Vþ¹ªÁ$ÚÅÓë†Ù·5<¯ÅªzÌŠ—2™‘öÉd¦”pÖj¿ÖÍÈd
+|ðŒi0ïÈÐøoN}¨?vÝܽ!Âݧ9Qü�‚@Âñ¢Äùxv¿
+ÌYÃ
QŠšÞ3z¥™¿æ»š§ßVÕ—ýKX-£×MU7A’œþ"­<¯K^.ˆ"�…±w}3›¿{·óÅí¥ÓäWH¾�[Qª]×s}s’•8ŠW%¥â	­°Išœˆ/bšõ¹ŽÃ+Ä~ËÕ…×ã�©•éyÁ�iDp?H•ŒDj@—�ä·(wÀ /4¿ÓðB»
wð:ÑÀEólWóˆªÏ¸n'brF�ë[~]­ˆ±Æ0ÊMïƒÄU¾ÎöÛ†^ŠnvÊ;ý½4V
+'!RâyÎvåHvÒFèH'ÌÄÒ>ù¥úø7.&�¢ad<Uu]|Þæä_³íÞ'hg1Çú¤VDQ±¤uVlGÔQ‰p©L˜Ž'RN›æ)Êj—�­Ø@ûve§Ü6r"2Ö¾â¶=®3n¸:·}.¶«e¶[ŠW:‘TçŦñƒM3
+l¤�üû�wM«§¦¨JjÚ¾ö™Ê°eÉÎ͵�{h”U9kòÝcQf[¢ðzÚôldÄÎI“²Äõ¹ñ3r-P6Iu:ô¬vn`×ìáð̶��±Aû9{¹TÓš_=8p(FàÝ«º#ïwû6«k^><÷å
+rqCŸTbýå1k–›¢|ª=T»¢Ù<’
+4½¯`ß�­¡kà+dsmµˆ•uÃïmºÅod½ç¤’ÑÓlõÉðµ©ßWî|øö¹N‡oËÕ…oQ6ùX÷å8~­0Òž—˜FäãÀg›¡·ùöÖ{•Ä„ëýY
LÈVDCO V§¥gñª×ÔåãžÁ…°?¸Z�³pt£T@/@õ_8 &tÝ-.­�þƒC8q„ð!²š£ú>c4A6 ÷¾tD@ç�SÓ;<
îÎÉqäèì„#MP[[ô$q$ctŠü÷¢æ¡äÒ0r•oó�éF¢¹
DØ�÷>a¦„cuÊÀ	a»<õH0rTåö…º‹rÆ6rÀ|5OØ!јLEH3ñ;¶ò«}3«Öí4Ioš<HùæEŽÕÌO‹C9IaÓÊ
+“["à
5¸^�ì�VË
+.•˜àR@ô.Ï�KÁ°î�åO ²_µÝäW(±"ò‘_Yuˆœÿß~G7™Æñ+~Õã:ãW�«çWpÜDÈ}èU*Jj}^|Ë5"àW°V™;TàŸdõ(ž>$#è%Üñg¹~C}\lƒV
+>
(ç‹Hë\
ßú®Flh-ìavïpHG‡{!šw7lxóc§w7OáÑ=[k§ÈÖH¶ö˜DBEJ
?1£àà@ßš¶¬Æ¬¯´ÌkÖ‡ï8L¥Ï¿ÇtÚö�ÉŸqžVp‚#X?ûR9Æ%€%bw^|Ët,èæ
+…ÅçvvÏæ«+Ølñ†ôBÒY
+¢²X„w»¬NÅ„Mö5«
­
+Æȧ
Ï.—T@Ó|áªS¾pÂu‰KÍÜI€¨Ÿ÷
1<õ¦?$ñ·œÔ»NäñÛTø’PÃÕ2J,_|¡€îU¤Ù{Î\Õr� 2NZ•c您Åž£YÉ÷XmÞËÍ
|¢�ž¦(ö{Ø* Ä~ýiUå‡ì~³ÐYY?·Ó3*+è}øäSE‘0Ú½rãÚç:ýÉl¹üåEúÑ…+œµµç妹ý|áRH\q:”Ë7"N·WV
+‚IX)\Ý!]‘#w¬úŸÈYendstream
 endobj
-954 0 obj <<
+1215 0 obj <<
 /Type /Page
-/Contents 955 0 R
-/Resources 953 0 R
+/Contents 1216 0 R
+/Resources 1214 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
-/Annots [ 958 0 R 961 0 R ]
+/Parent 1213 0 R
 >> endobj
-958 0 obj <<
+1217 0 obj <<
+/D [1215 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+350 0 obj <<
+/D [1215 0 R /XYZ 56.6929 254.6581 null]
+>> endobj
+1218 0 obj <<
+/D [1215 0 R /XYZ 56.6929 227.9662 null]
+>> endobj
+1214 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1221 0 obj <<
+/Length 3314      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]oã¸ñ=¿Âou€µNüѧ½Ýì6‡^îšMŠ»{Pl%V–²–� -úß;Ã!%êÃ΢‡
++ÆÊD¥L-Ö»‹tñsŸ/˜ÇY¤UŒõãÝÅŸ„YØÄj®w­,I³Œ-î6¿-?üíý¯wW·—+®Ò¥N.WJ§Ë¯o>ÄÒãÃ/7Ÿ®?ÿóöý¥‘Ë»ë_n|{õéêöêæÃÕåŠeŠÁzî)œXðéúïW4ú|ûþçŸßß^þq÷ÓÅÕ]w–ø¼,x�o¿ý‘.6pìŸ.ÒDØL-^à%M˜µ|±»�J$J
+ ÕÅ—‹t£Y·tN~Jd‰Ê¸™ sT6ѦP€ŸšýK¾¿dÙrSÖ�p8®–뼦A^µ
�î?ÕÔ¿§)<º%ņ MÀ§ÇSáfW›f——~ê>oËöŒE
+d«æ¥Ûí¡ÙÓà°õ›<VÍ}^u³þš§CÙÔ­_Õà%€$VŒ%V)îŽåøÕbÙ<û}¹ÙȆ–KÇÀsz<çû²8¼Ò\ó@À—üµ=pÍÿº´|Ù	Nb
Ķ8ä)ßÊõ±Ê÷ôNn	ëÐðØz^6åžã�¤SÔ‹NXì�ˆ´^:™Àä6.æΗ“NI.\;‹®]šÄ¨T\H»mhySW¯?à}îÛ°r 0<ÑT2õ"fJ`Lâ�_¿§gÝh�…
+‡}^·¨
+èܵ|dÀdèK…±Ž䜀eKP4ð\’1Ò
œ#©ÓüîèN
Ðû‚ 9(3A×
+\-q�ÍíP7ô,|([û³ë
+ïß](X|Â2TÕAôâ´ñ�Æ¿FòA«Í=Ú}QÔ!t¶xS›v¾nv;§YøR‘à`ô{ªÒ"yœsÞ<ƒ´Ê€›§âÕúå+9#É“	æ±�.›�
+¿†ð=¤�ï#A|hêþ©ÞŽÝ"ÉIzÒ«8‚Šã˜ò˜½÷“^Ÿûr}pgäw4d$KÉ{b׿ÒDähÂùèÓGƒâÛˆS¶‡¬¼¶‡b‡	¨õ—iö 3™HaÅBIL’SýFöÐá¯â3a{Bw˜=
+IœWââ�—U;Ôámó2´‰]õÃkˆmÞP—ᔼE×x"šI¨ºä‰³tÁ,B:Ë’³`¬V�>"{ã "3s~ëiº÷ „I0�
7D0ÎÙòe[®·8ä.xh—!Ü1Le#ùÂÓóïÛÒ¯ó&ä³en¨:}®Àõy�3
+}›â!?V>r–£øúD	{o:åÇ” 9i¯¯.}ÚM‹vƒ�<ÿ¥
¹4ª(ÚÊi$0©cì
a�qA
«W{ˆ9û:Ÿ1y~ókf÷¡RÊÁå¶z¡^‡!�輚Yç…
+tx¸é_ÀɲåüçË«‰h€¨à*[f“Œq×ÿ]|[0ˆoÖ
+ŠÆî´½à‡ë_|làL‹øX�ò*&íÎ¥.ª›A©.¸4_ªã½_2¨­�VbÍ°|]­óõ%‚zƒ)Gæf©oFgvjUkMDè…ÚCÜW¹øì³L¬©Cq!�’Ík­‰rIk
W²ð×'þ¼FˆHZ ´ê[èN_¡BNpJ
+Ê×U;ã¹8n�…d¬jÖyU‡¹~…äIf².9®7sqÀ&BSsm°j)º™àø½¿g
+œ�Â}3’NA°¿C`Ñëý7
+É♾ƒÚ�ÖEñÞhÁ
ö{&–�p~ÈgûãÛ|”ç•ÿ¢´ñEi9nù†ž'(a¨K}d:á\3o•¤1ÖiÇÐaõžáø§›&
+¡üÕÚŒ^§]æOÿ8®ÿå 4æ”jð(Ö¦ð8êôg»)ëÿ=¼endstream
+endobj
+1220 0 obj <<
+/Type /Page
+/Contents 1221 0 R
+/Resources 1219 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1213 0 R
+/Annots [ 1223 0 R 1226 0 R 1227 0 R ]
+>> endobj
+1223 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5469 309.3417 428.747 321.2419]
+/Rect [367.5469 732.0757 428.747 743.9759]
 /Subtype /Link
 /A << /S /GoTo /D (zone_statement_grammar) >>
 >> endobj
-961 0 obj <<
+1226 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [483.4431 115.3171 539.579 127.3767]
+/Rect [483.4431 536.585 539.579 548.6446]
 /Subtype /Link
 /A << /S /GoTo /D (address_match_lists) >>
 >> endobj
-956 0 obj <<
-/D [954 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-350 0 obj <<
-/D [954 0 R /XYZ 85.0394 539.0447 null]
+1227 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [213.0783 116.7303 261.825 127.5147]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_security) >>
 >> endobj
-957 0 obj <<
-/D [954 0 R /XYZ 85.0394 513.59 null]
+1222 0 obj <<
+/D [1220 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 354 0 obj <<
-/D [954 0 R /XYZ 85.0394 295.1443 null]
+/D [1220 0 R /XYZ 85.0394 717.5548 null]
 >> endobj
-959 0 obj <<
-/D [954 0 R /XYZ 85.0394 272.6685 null]
+1224 0 obj <<
+/D [1220 0 R /XYZ 85.0394 694.8763 null]
 >> endobj
 358 0 obj <<
-/D [954 0 R /XYZ 85.0394 159.1962 null]
+/D [1220 0 R /XYZ 85.0394 580.8047 null]
 >> endobj
-960 0 obj <<
-/D [954 0 R /XYZ 85.0394 136.8798 null]
+1225 0 obj <<
+/D [1220 0 R /XYZ 85.0394 558.2856 null]
 >> endobj
-953 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F57 624 0 R >>
+1219 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F63 993 0 R /F62 990 0 R /F48 880 0 R >>
+/XObject << /Im2 979 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-965 0 obj <<
-/Length 3270      
+1232 0 obj <<
+/Length 2980      
 /Filter /FlateDecode
 >>
 stream
-xÚµ]“Û¶ñý~…úTÝŒ…ÀÉ““œ“ËÄŽs¾N’<Peq,‘ŠHÝEíô¿w�]@$Eéœ&=�‡K`±X,ö›â“þñIª™ÎD61™biÂÓÉb{“L>ÂÜ·7œpf
iÖÅúêñæ‹7ZL2–i¡'�«-ËkùäqùóT3Án�B2ýúÇwoî¿ýÇÃë[£¦�÷?¾»�‰4™¾¹ÿá¡o^¿}ûúávÆmʧ_÷úýãÝNi¢ñÕý»op$ÃÇ¢woîîÞ}}wûëã÷7w�ñ,ÝóòDºƒüvóó¯Éd	Çþþ&a2³éä^ƳLL¶7*•,UR†‘Í͇›Ÿ"Áά_:*?ž0!AVçT²#@ËYšeéĤÓRH/À²½�I#¦õS±ß—Ë¢Á×v]¸³
…îÁŒÎ4lë–Ö»¶¬+Z�o6õó¬ªÛru¤•Ý½áθÖaeÓæm±-ªä®M:½'&J"VW›#BÛ"¯Êêãê°qï|ºª÷´>šMþT ø¯º*½
;Ž—ÉŒ›„e^Dœ³,M²±+å/I"Šå+¼Xwl,‹U~Ø´øâØò³5>wû[n§õ¢hh‚Žíá-ŒæšÁ“8h…‹¶ø–ãÃñüwBÝæM[ì�¢±3µâÌp®'†&S•]PDšu±PFÍ(`9Iàíýv(öÇáÞœ–H•]ß<b�ìÞÕ³	ײ¿ý‡xNÖNŸ×åbíÀlº®›–Fs/ÂÇ=ËÅgü͸ÁæÔuYVùþˆSß¼û€SpÊÆ+.Ñp‘¥Lh+HQr&µLpÍ	w›‰ÍMS£ÚIkY–pÞW»¹;
\sGýp ¬ð9n|V
-Œc¨ŽÏÈ×Ò3Sˆ"ƒ[–½äf&¹™>†™ŽÃö*åCFj»1MhÈb°ù7äx‰Uñ%‚ÿ‹Í’A¡Ö¼BòA¦Ž!H,bíÒ
>QB8»ÂTb†²&c–‹´/œp|´ge¦Ï¥wÊ¢�`dWì�Ò¶X’{¼Í ÏEœ¢Êç‹[Ü,P~…ÈÞ«…»/§Œ3žŠ~î2ªÜpÄ•}/C¢Í«c�ì—/ŠÖ•NPO}@¶ÐaÈdú”oÞ
\ƒìYW#¬s™A´ö�]±qu`8.\Ó]Á´V¦O¶s¼1ª ž„J¥¤#šÈóˆ/‹úP�6S°<,H9$É8ƒî)G.ý•»t0²²Z¸»Í‚e€ A7;ÈŸÊy¹)Û#"x'ï¢FÀ`¾ ¢à¤|Ú"kÖõa³D˜·Hå¹l׃�É&qa±Ä*æZ„>â±½¿ÀäÈOY&µñ3ð¤
-
O
GÝ
-ê¶Të>/g±0b½À‚	dŸ:ëó€ªïJâº+ïeÑæåærB® °¦¢þÕ4¡‹u9MˆX'Oú¤gͱÝm0Jõ2*”s�‡ˆ5ÂD/CP «úL<b:lRª¶~Îý õl£;Âz2%9š˜÷¦Óf[×Þ¸Á=DÀ2�Ò½\6�¾†?«iDã3¯–ƒÞùi(œ­Rý€ò‹ª*çÝ`É&Ÿ›Æ�â;Ò6Óy(Ô#Ž“Pµ	ÎÉ1	{ò¡€9§³hâMÞÆ"ü\D�rÛ¯‹*”'/À!A¹0â¨q.aw2¼
-©•hWG¨g~Úå[Y¯Í$³ p
-Ÿ%
-¬mÝ
-ÑYƒ[6NKMbã÷8YË-¨X÷®NZå��lñ||j2E	Ž¯KœO‰‹|�‚A&võÞ÷A
-‡°ß|Ì�)¨þ¸K|PhN±‹jVW#'ŸEÜž¡Ï
'�&©ýÒJ2mƒ³kóOXƒs�>q�|ƒ•¬“¨+øRŽR&LTÓ+Ð-ðyú.ªëêša�e`j¹�@¢Æ2‹ß+_ú
-·ÞcÒ{À—MpZ‚6â.)º?”ÝA¨tÑ^±‹:8]¥‡­«ž±…0Ìü8ˆ€g¥.J؃nóAP¥¯œNˆÙïÅh{BNåÐ)_îz9Özx¾¯ÜmF­3a
-…¹9!úÓî½ôH§Rÿe›ƒØôlÎy®Éœ^
-`­^›#ˆk‹ð:':EE?U
+xÚ­]sã6î=¿Â÷fϬ¹üÐg÷)ÝKÚtn·Û47÷ÐöA¶™X³¶äZrÒÜÍý÷�–dÙ»7ífvD� €
+õöæ;º7Ô\¸5¨-PáÏ;»,_Ëêi67FNŸ‹ÍÁ64®ÛµÝÓ°]‘ìq£L.dª3¦É|Tue=#c|¤xôš×Ôû1ºZ$I”öÉvÄ£ª„R2á%%‹phÅfóJ/ËúPµv¿ÛÏT6­W‡åéLæF�fL”LæJ‰<Žµ#Ñ–Ïö
,”fÚ”ÕÒ‚ÕäázêˆØfWWM¹(7eûJ� �C8ìVEË«ŠåÒ6
�—u5SÓ–˜Ø¬Yׇ͊ÆL¸%*/e»ì¼-šÖîy¡Ý?Ã›Y­êöˆŽÒɾTͦx¶�S™ÈÒ˜¬èc�ìš(ÃÓnid«b±!ãˆRb
Á^6ƒÀ/…czň
+�ì7i&tœy�‘�5^ÔŽúà:UÉÀ9/ª/—i4Àûå£÷GvÐŽßð½WÏcqØ9\ßÈ#ƒŽ4À �3Ô³Þ'�²CÞ~Ù{»Xç½7`¡è‹
äëzs’X(	u
+{@£«²…KiÈd¬±Ø0!“žâ—˜„œ@FpØ=&]
+ö›¦YßoËjYoCEÿ{7_l Øø80î>='£¶ô/laœÆ™
ÖW5½kœze:H…d6-x"äA½�Ó
+ß(¿œ)¨\2ȉNR¡©’øSwp 8ïP<½‚Uš‹ü>ì{6MÐø	EAqüWq^æP„–*ïqx.Gˆ¡4O|ZHµ{.ý.Àc±ÿe§ƒ,8í9†•° ]x
+$)ÜÝ�±r
+ÎpŽÖ»ž†RÜ3Q�ž	sçNÜ1è·òx7•gܳ«
+öÏ~úqR2¼é62žØŠ6¡–¨9+zY[úT<è½5e¯MN†ÑI½Ø@Î/dxQÝp6l¦* [˜øÙ¯¨ÆŠ˜¯/òT˜Èœ+�Ÿn¶?üz¶n/•ZJõÍj‘}óÍ[£ß}ÕïF«xÕƒ‘œû#�ª¨3K€kÁt!Îò
+u€ŠžNM8Ãߕпþ ©ÞÉè(,.	¾ìæH*ÞÇ)¡ä¾8r©�ýbhGµŒùÑÃ,×ÓÚ·>ÛH(”Æêwª>í=G°g{æÇ6&ø™‘.6üçCûÓ?Ä9þJ)×Äß Œ¶Ãuš‰("Ìê)Ö§ÍþÅÎ)ëÿ£Â`˜endstream
 endobj
-964 0 obj <<
+1231 0 obj <<
 /Type /Page
-/Contents 965 0 R
-/Resources 963 0 R
+/Contents 1232 0 R
+/Resources 1230 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
-/Annots [ 967 0 R ]
+/Parent 1213 0 R
+/Annots [ 1234 0 R ]
 >> endobj
-967 0 obj <<
+1234 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [369.8158 503.0308 418.5625 515.0904]
+/Rect [369.8158 701.0858 418.5625 713.1454]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_security) >>
 >> endobj
-966 0 obj <<
-/D [964 0 R /XYZ 56.6929 794.5015 null]
+1233 0 obj <<
+/D [1231 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 362 0 obj <<
-/D [964 0 R /XYZ 56.6929 337.0807 null]
+/D [1231 0 R /XYZ 56.6929 532.4192 null]
 >> endobj
-968 0 obj <<
-/D [964 0 R /XYZ 56.6929 314.1315 null]
+1235 0 obj <<
+/D [1231 0 R /XYZ 56.6929 508.7234 null]
 >> endobj
-963 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F58 627 0 R /F57 624 0 R >>
+1230 0 obj <<
+/Font << /F37 743 0 R /F48 880 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-972 0 obj <<
-/Length 2358      
+1238 0 obj <<
+/Length 2534      
 /Filter /FlateDecode
 >>
 stream
-xÚÍY_sÛÈ
÷§`Ÿ*u¢Íþ'7~òÙNª›Æñ9º‡ÎÝ=Ðq,‘Š(Ùçéô»X,)R¦ì¤Ng:ž1—X,À?`)qøQbWNG±ÓÌpa¢éê„G_`îÉ<£šiÔæúiròö½•‘cÎJMæ-Y	ãI"¢Éì·ÁùßÏ®'—7Ñ4|`Ùpd,ü4¾º Š£Çù§«÷ã¿Þœ
c=˜Œ?]ùæòýåÍåÕùåp$#`½Ž,x?þÇ%�>Üœ}üxv3ücòóÉ失¥m¯à
-
ùzòÛ<š�Ù?Ÿp¦\b¢xáL8'£Õ‰6Š­TMYž|>ù¥ØšõKûügTÂL"ãjÕç@ã˜URyÎË
X»ÁøúÞÂ(áƒß¹áÕ:›æ¿s.§érùHù<<·Ä7-X½ªˆº-‰zó~(ç4VÚ)šM‹Y=}Ne´„�x,Œ‹j›¥³7ÈÓÀ´Ì�ZT´´,ÂN‹ìPå‡|9›¦›¡H3<pÌH挑ÞÊt6ó“YUùý`í¼-DT�°ÕŠˆeámê"
æåÅ´\­—Ù6°Ÿ]�i¢Ú­×å&¸¤ãÍ`Ë¢|Èî³
FR 4{Þf‹ôÜ•ûe@ȃ©�‰Uº
-¼ H�aÛEº¥ˆ¤­a
-zÂY™UÅ_·4qW”¼iQ=/÷-®Iéõë.«Ð�˜¨±ñ=�jPY\RRiAjÀœF�^g@ÇÀõyyI£ªÜm¦Y�Á£†½[3›E<²6Xe;x@3„20˜<X(ˆF¨ƒjç«<L¢By†Í–51däÀ�ATIîZ蛡é@<y­I½xßøæ
-¨¹eŒÏ n “Ë1îŠõ&¿Ï—ÙŸÉ0²[éÆj¬Öm«'‹¾¼“�GŽÇ5&¥÷e>ÝëÑn¶‘ƒUâ YÔ¦› ¸i_þH‹uNÔâŠYŸ‹ ƒ¤QÝ-­ßò˜X1ø¤†[uÂ0ð�0<	àü…­¤gèsî=pÉÄz¬<s?‡®Å·*[fÓ-trAv¶Ù¦y�ïOjÙx¢ÀZÈË®kfÙ<…;@¨À”¿Ù»—Û‹N= ¶xS‘€êg¤S°âG™}xEuà·&êø�¤c˜§OÁ±Ç±i¯9
FA&(íÜó€üT?­˜¶2줟¨'£ÖDW½Øõ¬òúÙö¢Ócn :™1ßøå ÇyDìC.8‘D1«•;.‹Öq�†õŠl¾�IË!Å JZx×úÐŽE""¥”{oéU+ŒÕ"àŠQ²FòOp
-Ò¡%zº^/}¿…sõW-ð,è‚„Ã=°û�V _’¼|@Æ�|„›Ï“~ÊJðû
-¶Ë¾úà;V’Ù” $7°ÃXÔ.fÔŠÚYðºÄÂ6®=£ý÷ÕW§=¢«ø¶ÖçEY±`Ö
-õ–Ò
-}B„L–±{
B¤¸4‰û‘ "b8@©Ý�G‘¶äg`D$€î±£õ9Ë(âü‡Ì§¡¨êîk�S5ÇÎ<<<�Ð	©}çÖ´.]‚^(©û?¸+çó—Àb…«º­<ží~]Ðüÿ§Üüci¿ÇÒ°âXz
-âÿùìRC=âúGfGÂ!Ô~lr´?“N2.$]y>—þ·
-³!
-~,¡‘ÿöƒúú]×$OɶÔ«úçO
½ªß¡.ìøÒ”Q|Á‚Ôó‘³*§˜5wø?#ú
-v,=Z'üº˜ùßd‡ÆÒfû~èãM$¾úgÅ}¼ëP(‘ý¿bÛ•HGÊ0”…¾Öñ“Kýûcàj©þÎ?=�endstream
+xÚÍYÝsÛ6÷_¡·Ê7%‚O‚¸<¹±�s§uRG�N¯í#Ñ6'©ˆ”=îÍýïÝÅ)QN:ÉÍÜxÆ�°XìþöbÂáOL2ørzb�f†3™¯NøäÆ^Ÿˆ@“D¢¤OõÝìäÅ¥²Ç\*ÓÉ춷VÆx–‰ÉlñÛôÕ¿ÎÞÎ.nNiø4e§‰Iùô»«ësêqôóêÍõåÕëŸoÎN­žÎ®Þ\S÷ÍÅåÅÍÅõ«‹ÓDdFÀ|V82áòê‡j½¾9ûñdz›Ó?fߟ\̺³ôÏ+¸Âƒ|<ùí>YÀ±¿?áL¹ÌLáƒ3᜜¬N´QÌh¥bÏòäÝÉOÝ‚½Q?uL~FeÌdÒŽ	Ð�	Ð8–*©¼
+äùQ5S–éLDû+›‘•³Ú˜@ñ�1Ö×&rö;7<SÚ”ÍhÐóTMQ¶øëí4ÕÓzU¶-Ù(‰AéóÜËsAdWoidpÕØ�»Œ�	O
)M<ÎÕõÙùù
î
+$š$Úp&%ˆ{`%Á^•ž¾GUTÊk¾÷Xb\?¬/Äãµz‹eBhiŸÓÁ™Ö
+°¹SeŒ·èÜ€%×+"ÜVëMùP.‹;oÉ0¬Æâ©U8µîŸzv?fwìÈq1)¨ËEò “íb��€Uæ˜ÒÚ
7³ÀhÁ…ˆË
�ˆ,H5Ü2õ[[Ö�Lõ>³Óy^QŒ¿pØB`Çß5Yʃ.™¥«Í­CÑâWS,‹y[VwaíbÓæeXß3’Ô²“$œš
+pß}V	�ã<"Ž!ÜH¦XªÕ3kÑ<k…fœ±‚]¨pÀ,·;T�HH³­€ÝºÄ)º¹î™€
pÀb”ŒPþn
+£È)éæ©äÓL
8J-“
+
+®±g	_f[hÅÆAæ“ìr½/¶|p]*¥ýkYÈn¬LÿÆIãŒc(¢
+
+ü@£±¢¦ž£ÅÀE¬ô˜…ôoùËçÿßDKSÈ´þÆIÃŒc&"!Ç˸M?a"ŠƒŒUöU=-¤é÷êÿ�§í¯üŒ‰@Úȸq¤r09_6õˆÅlK©˜£´�^4·ò…w Ï{RÈÔ.¿éü¡“†Œ!‹YX[yû)÷ºÂUL¾Ž›Gÿ†¿Li¾¾yõPs'Æ“ÞH†¹9伃Š˜
±×U¨ÒÍN…SCÅæ3êbTÏÅbË}Š/«b~ŸWe³
+ß`ùªÐ2÷ †5$,‚¥�åóòT
+ÈWõ¶
+„õm˜PçÚ¥½ÏÛ1ðìí‰Ò,÷k’»zæSÓ+€@“g±÷¶^.ëGÊépV—<bjAV¨;úÀ
+~ÿìßí| �K
+lÏÈñ:} IzDÇU!y‹“MÈfö7ÆØW:ýüÎÑáÖÃ8Ú1Èý‡{ŸˆWÞOÊÌW¤�Þ-ë÷ù’º°*L-‡0Š%)O¼+IÅù‘$G¡'G©Ûß9Ííj†2`–'µFè»~3»ºü•Ú+Ø!¿+šƒÔH·—�?ÞUÊ“œŠ�"äúEsO½ózýD-ÒFU•w*ÏCýRxE¥¢L–ûñ‘@Iy~‘	õVÙ�5
ÕôQÄùƒý¾	;]¿3b}^S-Ð×!Ö!|ùÐñé}±\‡¦×dø-ªfÅ*�ÒÆ89eŽÎîgÝ2ä%Œ…G
‡5ïrþÁ›ŠŸ^=P‘÷®‹T4Ž˜/1]ÂήîY¥’Û~•7¯ÆªC
+�GWAšÃþ$`©T½×,‡ÊPVÓ»òÁ¿a`WøÍÇjXeè|š¿þ‘Ê–ÔO£�j!W  ¾dK¸cl„õñM¹(è«­¾	¥Ï´;(m!£Ïž<˘͸Ûç†Åš�Bü‘C-úåÞéQ!
 endobj
-971 0 obj <<
+1237 0 obj <<
 /Type /Page
-/Contents 972 0 R
-/Resources 970 0 R
+/Contents 1238 0 R
+/Resources 1236 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
+/Parent 1213 0 R
 >> endobj
-973 0 obj <<
-/D [971 0 R /XYZ 85.0394 794.5015 null]
+1239 0 obj <<
+/D [1237 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 366 0 obj <<
-/D [971 0 R /XYZ 85.0394 518.4711 null]
+/D [1237 0 R /XYZ 85.0394 708.1399 null]
 >> endobj
-974 0 obj <<
-/D [971 0 R /XYZ 85.0394 493.3754 null]
+1240 0 obj <<
+/D [1237 0 R /XYZ 85.0394 681.7727 null]
 >> endobj
-970 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R /F84 797 0 R /F86 977 0 R >>
-/XObject << /Im1 790 0 R >>
+370 0 obj <<
+/D [1237 0 R /XYZ 85.0394 221.7119 null]
+>> endobj
+1001 0 obj <<
+/D [1237 0 R /XYZ 85.0394 198.8068 null]
+>> endobj
+1236 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F21 654 0 R /F62 990 0 R /F63 993 0 R >>
+/XObject << /Im2 979 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-980 0 obj <<
-/Length 3477      
-/Filter /FlateDecode
->>
-stream
-xÚÝZKsã6¾ûWø¹*ÂâE8NOÖ©�';ã­Ôæq %Êb�D*"5Žóë·Ý HŠ’'»‡­Jé 
-ã]rý)”÷úz{e#kLlÙ\}¸úg7`ïkè:)?%…6 «S
ÚI
&^¤F›N€*ˆEJ9û©®
-ZãÃ�Rj¶Ï«fUì\(gzÃÉk ƒ�T"Ù™4�­ó†
-Ûb±Î«²Ùr½¬è·ÉÛÿ³Ù*_”7j¶)Û¼-¨é�ÀJ ê¸Õ¼ZR¡)Z*lÊmÙòך'i×Ü;ßÖ‡Š	ëw¨ó%ÍÒ®ó‡ËQJø$!`õæDi0ËXÄ	ð?L€…æ¥i‹-@È([l]Õ›Mý\VOÜk×–uÅ£å»Ýæ…G©éÿ�NðÝÌâ]Jd
-Ä�z%R—¹3h ¢yŸê<:*\t¾iêyU·åêe<·’‰ð6Ë.OÞQMÌÞÇŽÈžÌþMñ‹”º*p#µ›åø—Íž6õc¾¡¦MÙ´T
-	_ï~`âår£Ü¬hêŸ1‰›Uù¶ RSì?Š4o<õ¥ž\
ASTLpÿîáîí¿©¼…ò§"((€F{;„Îóº¨
-˜
&Ã2R5[1{kj]Ô»*$UÄ«ìp/geCŸ­ÅòK¨8ÇJ$qÅ%BŠj¤G½QŽk…
-Ê­XEì?˜ïžéþÃPtX±¾¨Ãÿp9·F
Ò‘?íål]lv\p†ÿ¢jQ¬Ú+–6~�•—SãÚC¯5“!/üí¹Ül¨ôÛ¡\|úºW(Zù©àA*êKÌ7íšyùÌêÝjjYyÅV­¯Êã2 �ЇˆAÓ\
-f”h	›:ÕaÛ4ó©üTTÜÄÿùÄŒ(¬MS&ìþé\ü‰O&jÐJn
Ÿ_â°É¬liF–LTÃê÷å² Êwj©©õ<èÑB!£WîœÈœôcn)…q0nâôP+~\ax3)“	•ßB =/üljÇ,P/¦!�€åéœN§“¸U=1,
->I!‹¥àT ´Í«ê¹-«C[p3!	K�qžb¿-çªÌ
-|œÖÿ-¸ÒsØRGlýÿ g,¯�}Z=ªЊTç�T}hO­T*”òê2+Õ/l¥°Y‘ÚgæÝ¡epa4Â^£ÒÞa
-ª}S…õ
€„­U ÖŠJ1–"L…R·½½€G‘cÃ.}@y8
KÿµV6³"�qR}ªó�ê¨Î[«IHA°lý+¬tT¼Í•ÆÈ3GH!e¤Ø+©Žö
-ÊÁ^Áÿ„½‚ŽÁ^Ɉ-êì•$lÝ †øÛ+Ið
-½X$°Td`ņ
-³:�Ýæ‹5µ7‡XŠÌBñ@g(åôG[ÏMœÓŽR*ØF¡;·éf¤UÞÌ3;û‚G«Šö¹Þ¤Êc^-ŸËe»Sí‡'R ‡RuXLx"h븀rà„8"ÑÂ*0
¢µŠIZ ñ½!›Ñ˜
V4:O÷¼Æã‚D	QIºTTšp’…Ôc}jR±‰¥v并NEâU<£N¡~×,º;åÓ�W­Ô,¸D‰™„¶@O	;Á_‚ÎKNý ÉÑ8Ȉ+¢ˆÌ×.U<	Ê€ùØ´¨«¥ ì­s{F8%‡¨œ4kZž5*&±Bé×Nk}ªóF¥£‰·¤ôÜÀ¢('ÒWfgš‰ÉE‘b0=˜ý·GûNíf·Ç˜3ÈH8œƒ†Ë3¼�&M-ðÖ€ARŠæ£í‡–ãöcò3n?|Ûm°¹‹Ãž ö>æˆú°S’ŸØ¡0ž1î#cÀ’`¶;äáKÈFÂðšð6°iA¡ÉE#uKÈóB�seø
X¼�É’x§
-ñ$ º;Ô0»�'åXb®‹ÎÁe3ͱʼnߙ˜|ªƒ]lë‚+8.ß@©Œý
­ð"tŠŸVþÑþëBwï°Ð;mô¬ö>^cé(ËP
Ró>‚‡/žÜìûrAI‡¦^qÓ�7IÈYÖÏ<(ÞG÷®'ËÇnYÀ	…âé°e‘ÃÁŽ•ÍÜ$(GwoùY66éÛØñ�¤ðÞ¸?gDµÐ>ñ!°ãÄ	ƒéBrIQÝÚb{N;>ZÐÐ5oBŠ¨y4vpX<sâ²Vïý1Þø4iÁnJ¨È‘l‡W™S
‡Êð”½qô©Î‡ÕàÁÉÔ½€¯†<^œ½£š˜~x©iñ½P2œ?€Ðh{<?`¥‹¤µå˜ñ�9ÝÝ èá
‚¶Ýû
-K
™rpU…ƒ	X|y„G
-Zâü+ús$º >L4”úTž
+1243 0 obj <<
+/Length 3560      
+/Filter /FlateDecode
+>>
+stream
+xÚÝZÝoã6Ï_‘·:ÀšÇOI|Ün³½×íÞ6Å
×öA¶•DX[r-9ÙÜ_3œ¡,ɲ“½;à€Â¢È9þæ“V—~êÒ%"ñÚ_¦Þ
+'•»\n.äå=Œ}¡˜f‰æ}ªoo/þòÞ¤—^øD'—·w½¹2!³L]Þ®~�%B‹+˜AÎÞýôáýÍ÷¿|z{•ÚÙíÍO®æÚÉÙû›¿]SëûOoüñí§«¹Êœš½ûëÛ�·×Ÿh(á9¾½ùðõxzœ˜ôÓõûëO×Þ]_ý~ûÃÅõm·—þ~•4¸‘?.~ý]^®`Û?\Ha|æ.ŸàE
+å½¾Ü\Xg„³ÆÄžõÅÏï&ì�†O§äg]&œ¶ÉåÜX‘ÁúÓRV"U
+ˆRçEb´é¤¬Õ””#Jy“™·»¼jîŠÝ•Êfó¶Üó²o_9)\vÙ_ሦ™`ÃôØPÎ	—(3äã¦ZÔûju57™�ý«®
+jEÖ|5³ÝU6ÛWUYÝÓðº®î�o"}È«Ø*jmò꙾ܔվ-¸û©\¯©µˆë»M9ÇMûxU)ìG	ïœüUy[¬
+[‹¸TP«ôPêÏe­À?­­z
R=ª3�ŠT§­Õ$¤Œ0Ö¿ÀJG5ÁËÐ\eÂ9bæ
+"9qE‘ÙÃÞ¥
+Û¥îm¤kŠe]­‚l�A
+M.©[ Ï�ûò±¨hX¬L¤Ž¥‰ãž«šÖ&ë–ÈÙ „ex½¸k‡]OémŸ#ÒzÀ‘m†�ûªæPâ`kŽOVep´Þ™¯8Z%¡Ù?Z6?7ø™œìh~;6w6š;wdî,š;°uáµõ�Y¥#Ímc0qØ.¼L!¼°mÀî&F1Á·áAãë¾!
Bó„4ÒL8É×ÙÀÔ¦ÙH '̉µ m+_(þô©N›“Ž*H§
+ÍýŸácˆç‘ôᾨ–Ü?dÓM<Š`˜�2¸… Š–:ïðŽe$@6k¡®È:U¶[T+4Öu¾ªkohr(Lž! ÚœT�e¤Ҟ×�>Õiå騆‚Ÿ*XäSyôÙå;ª‰õ‡8ñ"M]:d h�U½<_¢Y-áa_Ý•¶ñ�T[=BrR!*„�SöUIO¨iN&Tš¨¡3¤ô"œa´çá�¦€4­i›z_–¡”Îÿn|þ\܃&—R{Æžæ¼Ã úlm|XÎ>Ö`ã$Ø]Lõ*>…BHµ¼T/\¡ô©Î 0R
Q}Xu\’Ò™°Ö¨ó\tTlÓG#,�ùàfÿÂ
+)y0çøÂ%j5¸f	¯1±kÁ”GØ|¿c£ÄšéqXrGQòçÉýÃkBؤi7u(rÀ;ÆLÔbg:”Ã=oÙ÷Aå ò'@¥-è|¢¢ùÖS6[ø4Mz^ÁÈWy�–?ò
+CXŒ£&N.ËQn5xVfü;ɸ¢|†âJ°QzÂg(ªã`ΫƒÏÐ)û¬+·DGÞ
{ÈO)=ò½%{$ª«7ýCÄ
:ÄÀJï�e8*ݽVˆàb]/0vÑü¯3=±¿ægNÃãÐ3|J¡ghò_g8ôÄ®¡§…„Æ$f€	†-Ö•}¤Ü>ìH¸ÈÛ­6½ä¹�ü[7ÄÂÿ,ÈUI*\’¼PaëS�¶‘ÕQ�ùøòøP[È9Ò˜è¨^àBi��xc0�ÐÒ,F�]1'\ûÉ®šc�Q³|µ:Ü<2¾]d›‰O6¹@MW‡`Q>>ZjݾûH
ÐâªXb9Š¯ñ¢B
0FÚßU§bÑé®h©Ê”‘†óè°$Õ§Îü;ωU¯º50²Æ@4Ì…ª9fC™¾íWZà�7ËôôfêÚ�*ï.áZ_ÅÂ;Ï�Î~ùî#õ`.þfX¤•µ
}C^õ�:{åïä°&|ëq¾Õ3X¬rIãûí
+43v£aSwD‚··
MA…®ðé.³oè-˜Æ;S¿%ç¸^F /:3hFèa“à­}³gai2xa�nq©5ß¡y¹R¡Ìm¼fÜÝåKþæ7­ír]7ó©s‚ ¥
+4–�h³�sæÛm‘ï¨7üuC›8÷È£À
 endobj
-979 0 obj <<
+1242 0 obj <<
 /Type /Page
-/Contents 980 0 R
-/Resources 978 0 R
+/Contents 1243 0 R
+/Resources 1241 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
->> endobj
-981 0 obj <<
-/D [979 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-370 0 obj <<
-/D [979 0 R /XYZ 56.6929 769.5949 null]
+/Parent 1213 0 R
 >> endobj
-737 0 obj <<
-/D [979 0 R /XYZ 56.6929 752.2241 null]
+1244 0 obj <<
+/D [1242 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-978 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+1241 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-984 0 obj <<
-/Length 3053      
+1247 0 obj <<
+/Length 2459      
 /Filter /FlateDecode
 >>
 stream
-xÚµ]sÛ6òÝ¿BoGÏ„,¾?ÓÄé¹Ó&¹Ôy¸iú@K”͉$ª"eŸûëoФDËî$Ϙ`
,û
ñƒ?>sº`Ò«™õªÐŒëÙ|}Æf70öÓ�8yBʇX?^�ýðΈ™/¼fvµ¬å
-æŸ]-~ÏÞüûõÇ«‹Oç¹Ð,3Åy®
Ë~¼|ÿ–z<}Þ|xÿîò§ÏŸ^Ÿ[•]]~xOÝŸ.Þ]|ºxÿæâ<çNs˜/â
-OLxwùËA?}zý믯?�ÿqõóÙÅU–áy9“x�?Ï~ÿƒÍpìŸÏX!½Ó³{h°‚{/fë3¥e¡•”©guöÛÙú£aêÿ´t…vÂN0PÉ
9X™™Õ¾0RÈÀÀýö<—œgÝm…€ÈæÍæ®Ú�s—ÝT›yE£Í’ÛUy»þj6Uû
-`a³ë}G�uGxåªm¨g]>PW½™‡U«²­F[òlÕ”Bj6ÔДuÓEÔM¹Ž#mµC:á~
-¼8ëPXØ,ç¼ðZ‹pÊnWnÚeµkó-�-ß´qÖ�CVZÃõ±0‰Hw"»Æ-�ÌØpW/Õ†ú›ø-i8-)£©e[·| ´}[on¨�yL»P¾ÐÒÈHFOûÁJFù„¹½Ýs‘¶%í6½E.�+¬Òc.EÂ�·‘ ›Æè¸MÛ•]µ®6]q$þ¬`4Ó2«z?­î)b‘´Nª{Âò‚øÜìwóê�®Eá…z†ˆë*¸¶…gúedJpÍ:¹¶¨ºj·®AiÀ‚H–ÝßÖó[Wͼ\!ȳr± ‘oZ½Z„R¾Í~³ 쮡®Ë�wŠ «7	
-®Ï&j›ÝÄ:°«3:ø3¹³ÞD¤kpX_‰¶!�

-º~Ú+õX'¼ÒTXáÀ$CÌ4ÜäØ1E¤	RFŽÉ™ÂX+Ç´ c–
6¶F©´å”6ر
@Á

-Eª¥á&€]+ИiªmÀæ%m\²6¡�£ÒhG)ªsÃ*ö7SåKÐ)ÕX6ÍÄ¥C¾†1xL€à|;pP1â­c|<ØQ³é9“…>eRÕT5â6üΦY¬&
Ÿ$\Ê“Ö[È�®ëUÝ=
-ƒ8'™êc8z]E猒 ¥Ÿª£JC¿mpìÒØìý‡«Ëwÿ¥Þ5ÐQÞ„ 12U³``\ÍBLªfáPªfGÕ,“Ò
-Ü&¾È˜¾àš[•M´Œ‡äR<>o€¹Ÿ|UÀ÷$!ÅAI
-8»ñU»${±¦¢ÀújZ´è„[·`#µ2/góìè1ˆÖïëV1õ�zz’�S(ÍÇyQá鬾W
+¥‰Jzÿ]rX‹‘ýòØ:Íx*‡åàê-ÖŸÉa…€ðÎ8û]sXÁ“Êþ9ìpé9,÷¦`Œ‘Ëù­Y•1ivÖg¢Ð'�<
-`ˆ—î% Ï¿‚ÁüŒaìTQÎÇÃyÛ¸
+xÚåZKoÛH¾ûWð¶0ìéw7�™ÄÉz0ãd=Êa13Z¢l"©ˆ”µÞ_¿Uý H‰’3HìbÀ,v«««ëñU+,¡ð�%V*2™˜LE™Jæë+š<ÀÜ»+xÒÈ”ö¹~š]ýøV˜$#™æ:™-{²,¡Ö²d¶ø}òúï¯>Ì®ï¦)Wt¢É4UšN~º¹}ãG2ÿxýþöíÍ»�w¯¦FNf7ïoýðÝõÛë»ëÛ××Ó”YÅà{$œùàíÍ/מzw÷ê×__ÝMÿœý|u=ëöÒß/£7òùê÷?i²€mÿ|E‰È¬JöðB	Ë2ž¬¯¤DI!âÈêê·«t{³îÓ1ûIn‰Ú$©€hù%«
+ëŒhÇW¥pšh†?+ËGAV ãCQ)£p„R'©¶Œ(-³ît¹H#™R�—1E4—&1ŒH
wç{‹v¬~Ì'%Jp	â‘ãý4Õl2ƒ¿|r}|(TpeC)±F0\<ùœ0Be–	ÏÕ£ÝnVp?Þ¬yò¦†=%ýmEÉi_´Û—æ=¯e
+¶h)hÀ8±ÂfNéßêU¾¯S“²™Â±eNažÌ«…'ŠÀ³*‹­YÔEà¯êÖÍn³©aZÒI)Ú¶¬üKûX„Ñz·�:_,¶E$-§‚N@˜¾;Psöú¸»±ðñ|Êéäþ)Úf
+J‘c[ËÌ Š¤Ð_ç;‚Èâ(=¸ÿ×yvÊ3‚“)ÄUÙx>¢0,b�Q#ËFÒQÇ…k·yÕ,á´˜�¤Þâé“>ñJ­‰Ñ ­¿Â‰׈"¢ïa†#Å‘&3<wÌTM¾TÞ„`êoCiÂxÆB0�èßÀø�6`CˆTÿÍ^zñ¯y±i=ýïº
+kF�MPÁIs›b»¬·ëbá_w�sZ$o><éÿòÇFc¡†^:;´Y�ëÂáE.ÜH¾jÓ3žlü㢑iD�áÙaR€ä3PäU‘i*Tl«¼Å¨5úp8n•C-]LÃ{¹ôOðÀîÎ
+0*Ê-ƒ›A<qŸX‡*nå·©’V-Å_Étñ‹sURâ’’ª—ª¤R–H%¿i‘TLñJäAð…©„
+bÓŠËå(2]¨Fcpð–ÎtÒ[â´žS=åÈ"3b V#nh¿áë¡á[¿qÃ\5r\��Ý# b5Bz¼QKøåùjlp¤¼•D2ɇÉ)>^‘ AjzÉG„„Ll9 ¨AD\ÀÇj@Ò£.W¾T‘"V‘z¼ŒñË€¦ÏuÁƒ"×iö¹jðä5žü%e:®m~”�·I«‡ê|lÐlL6¸Ž\Êf=—jüt& ¥ÌcÊ•	œy*‹}DvÆ›M1/19‡³Ø
•AØ¢Xæ»U¾‚Ôuê!)ÄŒ¡@<¡ªGêcÑ—jØßjS€¹e
+dÑx°\ÓB¦ZU^ñ"ÄQh¦‘`–
 endobj
-983 0 obj <<
+1246 0 obj <<
 /Type /Page
-/Contents 984 0 R
-/Resources 982 0 R
+/Contents 1247 0 R
+/Resources 1245 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 987 0 R
+/Parent 1250 0 R
 >> endobj
-985 0 obj <<
-/D [983 0 R /XYZ 85.0394 794.5015 null]
+1248 0 obj <<
+/D [1246 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 374 0 obj <<
-/D [983 0 R /XYZ 85.0394 119.499 null]
+/D [1246 0 R /XYZ 85.0394 151.4942 null]
 >> endobj
-986 0 obj <<
-/D [983 0 R /XYZ 85.0394 95.9037 null]
+1249 0 obj <<
+/D [1246 0 R /XYZ 85.0394 123.0886 null]
 >> endobj
-982 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F84 797 0 R /F86 977 0 R >>
-/XObject << /Im1 790 0 R >>
+1245 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F62 990 0 R /F21 654 0 R /F63 993 0 R >>
+/XObject << /Im2 979 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-990 0 obj <<
-/Length 3129      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZÝsÛ6÷_¡·Ê3Žø$8÷”¦N.�6éÙ¾¹‡^(‰¶y‘HU¤âøþúÛÅ.ø!QrÛ»Éd´
-ž±Ù«òá÷aÂŽõAyŠ¤7 Ü87Wï±W΋¯ùv·)¾�8	©µ�V˜g•ï'vŽFùT3KX1ÊZ²ÌCƒº#UV°_97`;'Ä%Jè4sQ\’êÔH¯Ì„X«„WIƬh^8-ï
-5òÁªi©xˆAzÅÚ=–�ùò¥-¦ÌŒp&Qã­=T|ˆJ™T¤ 5+E‡
-LÀ7©Ò´Wóu]}ƒøå1&ØQt‚ýM˜©€äð\òœóŠôC¢Cþ4±óOO"Œ@‘<
-îªÞS‘i౯ŽL‚‡¶‘¼ÌÜ‘àûˆj=Ð#¢*Û(H¢ŸUÝ…ˆ„‡íŽaò¾GGÂú¸©
Ol:‰)…{Õ9p"FKæ;(&Þ›ì•Cp]8”È4ËÛüÌ¡¤èl.
-ŽL‚�%5`ž#Á´™™
-4ÈÝŽ%K‚ŠÌZlëÑÝÆï;sñ(X8†^ZõrúCËäô¡iˆÀÒ,µøÐ@�Aázu“vfJ¤ÞÅ4a-Âõ`ekjÅK
-dÀ}øí×e·'£LÃéNC‰ÑGº´€3»kت†¹j
-€ºÅ*_=‹¹GÀ’BÈ«eC±0‘¸y‘sÀ}±:ì›òK±`ÌñZxiõØV›²¨&ós
Y õ1éìã7tl”CžõIF§.:{Ù'
¹Îû¤ŽµÀ‚ȦhŽå¦÷'àÒ/Ê�Lr‡Ëö‰0^»±\ŽjÓaB˜Î«ÃvIAfJæ¿QÃÐhãg}8š2 A¶Éeüxr3 Vu§FÐQµ
-0Ôæ«Ï“AF*8Ì‹b#Ï©X}TÍp’½¡Ü鸯»þƒÈ/hȼ	ÎåÐt²EÿñÀPkˆ�ëÿL`x\31
-
- {Ïñ¾yy�³®§7JK¡5ôÖÿ†ë–tÖ_{ámÀu6£l²�û°ÉÙ¤Õ ²SòoÿHäÏÛ’5èöÝ+¶4àº`K‘ëÜ*�͑࢑iB�c#JÀk�5¸+^˜°eøÓÁ56(†DŠì
-ÕÙù…ã0ʼâö‡\N4r�s½A>7Æjp``è¢
-ׄc´v¶ÊŒ•˜
-ªeHà†7m^õ¡!.ºz¼®N×õçîÅYrüfUÆGñ¾ª,5?‹
Ô¥Nûñù-‹§|ƒjp}^
øñžaå,Ѽ?¼óþLYPêLøLv³TO½ i‘ÉÄj‚‰šW¬r*Àää¶�ìC%;íh˜Ÿ�Êið!/÷Ô±,Û᪺’(Æ>
i}·1ÒiÈ4¤Ÿˆzµ¯ X~Ä]Ö’P»UBíÏå¦ÆÇZ|§Ðñ±ÂÛ9Oñ@]Óµé1bLÜI¡â|1"…dܪlTŒ Q!éBY”NcWx†–ü:,eEûšS…Å[¡$ENÛñV ˆ4ÑÆè/A’yÿfÜç‚Xž¹í>JËW^KLçïzd
-Ç´Ú�½äàå
]ÕEÉÓ©èqÚì…ó©ɾ�UÖAeÞõ7h*	»ã=�}ÿögªè|zÖ•
+1253 0 obj <<
+/Length 3339      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZÝsã6Ï_á·*3µNü5÷´»Íîm§Ýí%¾¹‡^d[ItkK®%'›þõ >lÙ¹½Þd2‚Hˆ
+J\07��ónÄùpÈS€SÒÅF&¦—ìu£�Ø#)c�˜`á´ä£iX
+óŠàÀ4!xhÊhÀ™=¼ Öã<" ª Í?sz¬ê.#@ <lwŒ’‹	êâz8QÙNf¥öÕØ !†h%˜ï즘ÌÄR§ÙåMr�ß”ŽËk–·ù™MI1Ö\˜&mJª! �Óbfb°)ðBÑ–h¿-YâUdÖb[ï_ˆnÃ÷ø±¸,3/%{9ý¦ÁËä¦)HÀÒ,5ß¼i H� ï^Ýà
+"IR~9�{Ÿ—
wþQL7ƒ˜nƒ¿Å;Ìpm—áZ
+G˜óÖ5óoso&¨Ïõ±ú�nÑÞ'¦ùR€9�[Ù =�iyÍ¡%ÈÅ&o<ÐÖaLÂMhëœ qaþк|9út¼ "EÞže"?†xª²€
+"ʽšO�ÉÝ…Ðöh�w\Q©ÇeQ
+~g�JY
+á¤üzïg=ßÔó)ê¢VZ_V£ãšÐcäbÊA/îHJ}U¦ú$)ã$	Û–M½)Úâ¯X
+Õ>õvç«U±ó§UÿV­¹û¡âLŒ{|!
+QÁk¬Á]áñBû%ÃG‡×øB©$Rd@¹/©
+.+±Ãß�ó÷Ô4]üsÅÄžT*ÎW#Ò)™�ª$ÊŸ·P�§±É_C‚|姲¢uÍ©D†“â¥�ÎCV™qCi‚�µ�ƒë’àõƒÅ=ëí˜XKuÙÙLç}=0ùmZíÎ:9Ä÷4�lö’äŽéTôøÈìbëR3’½eÖAiÞö4Õ„í±‡CKgÆ@/ÞýÂ�uU]4Ϻ`_ÒMG%ݾZL‡¾Š”)Þ©ŒÍù‚¶•x<6½Oý¾"�38M¾­…P±Ðâ•p=亰ë�kºB8Úy	X§!q¾(¿ãšP`4W™Å©tv¬
óµ¦ß}Í;¼×#C¨JC¿÷Eí¨ŠgéáЯO~ñƒM~¦ˆ/©ò
Û<æ
 endobj
-989 0 obj <<
+1252 0 obj <<
 /Type /Page
-/Contents 990 0 R
-/Resources 988 0 R
+/Contents 1253 0 R
+/Resources 1251 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 987 0 R
-/Annots [ 993 0 R 995 0 R ]
+/Parent 1250 0 R
+/Annots [ 1256 0 R 1258 0 R ]
 >> endobj
-993 0 obj <<
+1256 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [361.118 643.0167 409.8647 655.0763]
+/Rect [361.118 694.3759 409.8647 706.4356]
 /Subtype /Link
 /A << /S /GoTo /D (configuration_file_elements) >>
 >> endobj
-995 0 obj <<
+1258 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [347.1258 251.1389 404.2417 263.1986]
+/Rect [347.1258 314.3269 404.2417 326.3865]
 /Subtype /Link
 /A << /S /GoTo /D (journal) >>
 >> endobj
-991 0 obj <<
-/D [989 0 R /XYZ 56.6929 794.5015 null]
+1254 0 obj <<
+/D [1252 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 378 0 obj <<
-/D [989 0 R /XYZ 56.6929 726.3067 null]
+/D [1252 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-992 0 obj <<
-/D [989 0 R /XYZ 56.6929 699.4102 null]
+1255 0 obj <<
+/D [1252 0 R /XYZ 56.6929 749.7681 null]
 >> endobj
 382 0 obj <<
-/D [989 0 R /XYZ 56.6929 385.1287 null]
+/D [1252 0 R /XYZ 56.6929 443.842 null]
 >> endobj
-994 0 obj <<
-/D [989 0 R /XYZ 56.6929 360.7028 null]
+1257 0 obj <<
+/D [1252 0 R /XYZ 56.6929 420.887 null]
 >> endobj
-988 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
+1251 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-998 0 obj <<
-/Length 3097      
+1261 0 obj <<
+/Length 2859      
 /Filter /FlateDecode
 >>
 stream
-xÚ­]sã6î=¿Â÷tÎÌZËO‰š}J·Ù^:mº—ËÝ=ôú Ør¢YYòZr²i§ÿý
-ÈPI%Y…B^Ê9ÈI=/:´UÍtù—ež¯òì§b~SÑxF�Wæï¨ûR´Omö% Ûb[ò2ÏEþÒà^¨d¸6/,çÙv[yØn³]Ö¢2$l'~>ÖŽŸ††óö–-A¸ðeªæ €I,'àWù:Û—-u@màûöƒMFÖmÀ‘MËá*ûÊ‹›¯ˆtäà/ê4S¢=ʬ;«Šê‘V �Gèè|™…CÅΖÎò–òýµïÖ›À‰ÉHmoÓJ€Q§z|èuå÷"à‹÷„`r±#ðþþ‡† Þ¨¢£ É‘(v2rÊ��V¢ÓÁ*¡„ír»(‹¦Í«Åç}¾ŸˆVi$‘ž]¾#:^«bóBÔP
-–Z×]„‘‡¼›·ÍšWGØÇ
hi×à,TšÌÿ…Ñ +÷>ØÀ`™7�RAš¢øìdaŠ2¯Úé »ËŠ%…‡¡í/”‰Rã­¯#£9ÂFÆ‘”�Òˆ­ó]Q¯Š%»ç¥DÉ›OÔ½©à¤ŸáüNy¨Mld\bλè�ê´�vT>º–Ç‹p䥱‚T¢ßY:ª	Æ~šÀh�…ðÎgtìo¸YÐê±K'„_„õ³'´ƒ ¶45×%“Ec$í.’´am¾g<w¸Ã_'NZ«4FJ¾	º½#—Ö.Ž¬ƒed7Ã}=Ø�bjj™„˜=§6‰àx”ˆA<J8ò@jOÌéS3è<£7Œ§+Ǽ³W�‘m¬0B«1_Àʈ•cYGºaàCómò–/ šZñ†ÚŠûÛ‘ñ‡}ãë‹Ü z¹„ãƒüïäEe•ŒlªÿÈ
TgÜ P¡&Oy¶kò¬=ãq¤�vçeè¨&„ùA"#[9–‚ü@ô¹°!#vã†Ð¿Öo2”¹Ê*oõ0ÔB\ihÌÇYÄe�	Îk·ÉvŸ¼ÿ
-.c¯ç"e\HhXÁºš¼1í¸Ö	Zg¾©¦­·ÑJ]FQs9<Ô›¢^ÆyÊSöÌáï‘b'®ðW
-,Ñ%°_ý’þÏ6&‰ ¥RÓ•šqäTš¡Pr+%·ÚEÖ©dBôÿàŠþêendstream
+xÚ­]sÛ¸ñÝ¿B}£g"ß'O¾œ“ú¦—¤®Û—ë=ÐeqB‘ŠHÛñÝô¿wP D)餓ñp±X,v�ý„Âgþñ™Õ)“¹še¹J5ãz¶Ø\°Ù̽¿àžfˆæ1ÕOw¯ßÉl–§¹fv·ŠxÙ”YËgwËß’·½útw}{9š%&½œkÃ’Ÿn>üL˜œ>o?~xwóþŸ·W—™Jîn>~ ôíõ»ëÛëo¯/çÜjë…çpbÁ»›¿]ôþöê×_¯n/¿ûåâúnÐ%Ö—3‰Š|¹øíw6[‚Ú¿\°TæVÏžaÀRžçb¶¹PZ¦ZI0õÅ?.þ>0ŒfÝÒ©óSÚ¦Z(3›k‘Zkìô)³”i8µy¦xj¸Ê†S|ꔞr¿ØÎëªëËfþå±|,Õæ:OyÆòYÌûH‚�jB‰À
žÔH†»uy9—*OH‚Iš¹„Y–Û~
×g˜ÝÓ.ËUñX÷4(š%
›ª©6�ZWu„”~íÍŠÆ}àñ¹Ü5eMp÷¸Ý¶»¾£¥H'
ç®RÁŒyšk-œÀÅb
"
¥Í’3&ê¾Üù‘jYôÅî’Û¤,–/ˆ ©~íä
¨¨»– EÛôŽ´­ýܺ}&`S4/ݽý4P7墯ڦ,/ÅsU×Ý£nÖÒù-	W5N´ ÚΓn[,JŸ‹ª¯š¬Ú�'h7~ÕCHÀV8�ŠÒÌ}9¬Û]‡»#Ü·ô¥Sƒ»y–üë2p�eG“uÙy”j’^ §mè…©ê²éë—±Vt7»¢‚�Sœ:°ÿ¹PiÎ8“”©bÜ:zŒܤœC¤`Œ%ŸÊ]Õ.«ƒ»KŽ’wŸixÓÀM?ÁýEï‚FêT
+#ÏûiLuÚO*sQ—EÇ;¯¼GŽjDX+Ï‹0PMÈ0vÔ,U67c!œó)i’D¸ä	Z=é†"sØ´OŽP'å×mE¸eLе�Xx2Â.Èš–‘®È36DÒ‡½Åb¸?•»—‰›–"O™â¨õèìÈ¥¥5©¶{FvŸëÁaÈ#¾öÜ Ä<öe‡1%c>e,ŠG™�<ð5Œ¾'ÖlŠ¯>ZÁà	½a¼\XÏ»xqÑF3Ťó,O½r^Ö‘§càCóíÊž
+^,¯wV½´ÄÜžÀy-|ë¶XbÑ7WÂ&W+WŽ�8¡\ ´d,ÂÓÁÍÙîˇÊïäû¢)uYQB	â\
¨·w•‹dR%(+"©† )Ÿk.«nÑâƾ*BÜ`O�ñj¶Tþ<UK¢R(¹ç±�”8¨ëö9pº÷¾�9LÖ¦BÙPÊxÛf2WÚ‘âW‚Öâk׃�ÃS×·[‚h§¡–pw©ÙHoŠw…¯PÖÅ“|5q‡gþX�ŸŒv
+¡åÜœw1Õéx7P¡Ú]êv}µèÎF<&Í7„¨&¤8ŒzŒgb|(°“QåáàA8Í ÌÜ{êº}xpð©Çs¨ôsÖ	��ctÇÇ¥±²Ò—l_PÄ“*Õ";¬¾½
†’³à£!aûæ¿.aëP##'lÍ6ðþîr8>رeß{)è`�ì‘38"e sPÐFA½õ¯EèoÌZ;ýZñJQÃŒ>Í‹Ö1àåÁ°bÌj¤›K�¯JBÅ&8Ü
+X&\
�’„kÚzŒÌ@Å%dG	|È>B©Ç¡už‘\
džò"­߶`óÙ—’ÊsITì´ÝŸ‚C¼¾ÙˆÙÏ-è4‹Õ
+œç1k§—±¡ƒ!ä–�JAë·ãÔj]õf“—KÁ’ҪͶ.7%8ÀÒ#úâCd~tï*ÏR#¡[ŽOöÇ.ª×Ôä:öý;á�™ÒøþÁSóó�P€9ó(<—ÿ\B$í¶Ox™`·øM§|åÚ\
	
+[.°áh:Bû'$D—_‹Riîk".‰rh½
+E‘Ûˇ¶™7åCá‚/èØ#_ˆÑ¤]Ð8°$ä}Ñ…e®®ò¯v„Ú¶]E-N¸CÜ;© r=Zº¶d(¶$œ<sw€$ãq`ÕMõ@Î…¥õ+€=ˆ¼ë	‡‘Q~ÎRѯÛýÚs‰T—þFbõ×?—î÷ ©ü.Þ*¢m||t¯pÑ:¹"üþè�:hx_^J앦"btßbØ&~ì#�a´Á£cÁ”ÿ
‡(öw’{}©lñ“õUü[ ‹åÒ¿^yj¯LyCÊÉ6#CšPîy]á9ÄèêqGÉÌw0Mè‡^B5™qh†ò}ØAÛ:Å0fæYøÒö]x9*¿Xº¼¢(
)~”’¹k.ô87Ì
äó?�ÒB¦9þÈ9R�³×öÍÔ™üªÃT¾êÍ”ÉÿIŒ�æ57oh ‘“ƒþCkæ“;ÒäqE‹:wå\ûÌLop®ãäþœÑ×?	ˆdÓ:�Ãw€UÚj¤À¶¿k 8ËNÚL`#³úù–­Sü
+lG&�ÇÙ€R[%‰B)
Êökš&‘
(¿â¯jô:”DUô�SGå•ŽÅ ¦5tø¸»·}XSyÞû3ï:Õe¾õ­T8é@ÝæÐö
O`ÔŸõ~wâ·y©SüA}¢ïfC_óÿÛïÿSƒÊR¨´Oür ™I­È³ j§³CÉ5dumE6!ú
O³Vòendstream
 endobj
-997 0 obj <<
+1260 0 obj <<
 /Type /Page
-/Contents 998 0 R
-/Resources 996 0 R
+/Contents 1261 0 R
+/Resources 1259 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 987 0 R
+/Parent 1250 0 R
 >> endobj
-999 0 obj <<
-/D [997 0 R /XYZ 85.0394 794.5015 null]
+1262 0 obj <<
+/D [1260 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 386 0 obj <<
-/D [997 0 R /XYZ 85.0394 630.3935 null]
+/D [1260 0 R /XYZ 85.0394 690.2056 null]
 >> endobj
-1000 0 obj <<
-/D [997 0 R /XYZ 85.0394 605.2917 null]
+1263 0 obj <<
+/D [1260 0 R /XYZ 85.0394 665.1198 null]
 >> endobj
 390 0 obj <<
-/D [997 0 R /XYZ 85.0394 242.2106 null]
+/D [1260 0 R /XYZ 85.0394 302.1184 null]
 >> endobj
-1001 0 obj <<
-/D [997 0 R /XYZ 85.0394 218.2795 null]
+1264 0 obj <<
+/D [1260 0 R /XYZ 85.0394 278.2032 null]
 >> endobj
-996 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F84 797 0 R >>
-/XObject << /Im1 790 0 R >>
+1259 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F62 990 0 R /F39 858 0 R >>
+/XObject << /Im2 979 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1004 0 obj <<
-/Length 3112      
+1267 0 obj <<
+/Length 2998      
 /Filter /FlateDecode
 >>
 stream
-xÚµ]sÛ6òÝ¿BoGÏDñE‚“§4qRwZ§u|smh‰²9‘HG¤âx:ýï·‹]P EÙ¹s:`±X,ûE‰YÿÄ̤qšË|–å:6‰0³Åæ$™ÝÀÜûÁ8s�4±~¸:yù.•³<ÎS™Î®V
-'ÖŠÙÕò÷(�e|
-’è͇‹wçïÿ}ùú4ÓÑÕù‡‹Ó¹4Iôîüç3‚Þ_¾þå—×—§sa�ˆÞüøú׫³KšJ™Æçoi$§æÑ˳wg—goÎNÿ¼úéäìª?Kx^‘(<Èç“ßÿLfK8öO'I¬rkf÷ÐIb‘çr¶9ÑFÅF+åGÖ'O~ë	³né¤üDK²: VS4yœ*©œ
-ƒÇÓ_Ãj–Â…g"�¥ÆTB¯ç‚Déž™�D„×h”ÎÆ�Šˆ®à˜ ™d2›™<‹³<uöböy&âDç¹"¤
-Bé!4D	
øbJËÉGh‹�
¡`[Z¸gÀ7Õ9p^ñT³åå´ŒñŽ²�{Òn¨þ#IäÍŽÃ/d/É£ÿÜ–Lº ÊýköcÐz±z,Û@¶'î|Ìs�VN-:�Í¢ë’Ú»r‹V‘¢èŒ„oSog£]@'¯‹Ö#7L«G¦3ü«¥^p+h%ú™ªõK�|¬WÓÏ»Šq™R/5’@¸‹3©“Ùe/ÈyÑýR Ë1ª÷rÄf{4¼=4sš¤©öf®÷’‡6NAv$ ª9°q
-Ü,VgO±s]Bò®)‡Ë+>áÙq¦¨§8P6¶0e”-ÈuÊ>I%åL+
gßh@˜a­=fôç!ÉÃ8CZK4e¹Ü¤##XVmµý~<öŸàQÁ5êL¥C&�ܤÈb•*áå�I^N±ä–MSÇVut‡`ojÙ4Þ*`¯½+ªóÂyz2¼΢•ª0˜V|S©8ânQ	ÀYLÆÈÁ±LùZ ½lÜ3ƒt
5òÐï&2ZÐ!—¡ÀþQ¿ËøópÁ”ßÓú]`Ìû]y¨×n.,ÜbÂï2ÖSœPü®‚œù¬pY4^CsGÀ.wMBI³zôÆÄÝ*ﳕÇM‡PÚ#nv­§ßµåzEZa~¬�]Úr•IóA•_ïÖÕ¢ê&ØIu¬
õq+" i0²ÜÎ$B>û…öç!ÉÃ*$¹™Éö;5#`°!
Ä0î»1é)>ÅdžÄVZ5dò˜±�&÷�ªCxWM]Òea�Ý}C@I+úÌ43""�-*E€ägL•œsÙ×¼’ôBFç¿’	#!×£˜oï­Áƒ*ˆ
Ü2“ã2ײÕC>¾ŽP^¿ù™
-÷x
+xÚµ]sÜ6îÝ¿bßNžÉ*â—DMžÒÄIÝi�ÖñÍ=´}�we[“]É‘´u3�þ÷PKiµ±ïœNfBˆA
+BĹ1%”ÊXe"]d‰ŒM–“‰]à]f›TD‰%�s‡ñ
¤"¢+ø_F&
4“Lf‹ÔØXkw™Åç…ˆ�çŠpØ]u/7ñò|+o¸Ð"¸“§»»+�!ìuo�àôÔ€ehÒùÕ]IwJU€*
+ú|{ñ‘¾?ïÊö�Ûâ-®`³Í
Mnw›¾5ŽhvX�fW�×mü-1Éåeƒ ¬›¦ÝVõ-­ÿ=
+´õgS Rô´^un*‹v=+ÜSa`½fV»’é‘›Ì
+ÚF…{Š
+zE‰q¦êüV'ëÍôó®b\¦4H�$žâ\ê¬CFV�IBð"ý@ú ÷QŽØìâ�ˆ��€e”™ŒÜd&)$Þuù(yè㤿¦‡>NA˜EÇêü)~\—›æ�CSÊ+>áÝq¥¨ç8P6¶�
0e”-ÈuÎ?I%åBç"ÖV?)Ï€,ÃZ{$Ë(.C’‡i†´6–03`!—Û¢_ÝMyTàY
Ã~;Š�ð¨@�:Sé˜É#šY¬R%¼¼ë5)§‚T²e×Գªžtþ¦¦™mã½~u÷åªBs^¹HOŽj!¡•›0¸V|S©8nÑtžÍ¦È#î!%„À2k�öºqÏj´ÈøUZnÁ†2(7d®�»Œ¿7ÌÅÝ)ÝqÜÆ|Ü•‡v-As�V‡GÌÄ]ÆzŒ“jAÜUZGg˜-©¡¹'`ÊÝ�Ð&Ò¬¾ª1¡ÁŽò¡XùºëJ{Äí®óôû®ÜÜ�ÕhHâU¢Ó±Õ /W™t9T�Qùçý¦ZUý;©Ž5 ~Ý‹¨Œ…bE§P3dPp>÷…—!ÉÃ*($3Ùþä£nê2¨Á!~;&=ÅǘÌÈÖ¬3yÌ�X(’‡€€Ù;骩KRæ8Ñ?4”T°bÌL3C9 "¢iÑ($¿b’‡»jŤ]5…À5ï$»�ÑùÏdEÂHÈÄõ$çÛGkˆ 
+r
+Ž­†à†-ïœdûÉ5… Øº(ÿì	oëî�(
Ô5#„}¯
?ÖË9Å�™Ml䛺Üü´‘ȱʴ±x)5-1GèªEÊv
ˆÅMO-Vë{ž€[VÜwL쾟êIJ&ÉíÁ`E
+|}8ëŸíN‚êÔ|ç»»æ¡&ðèQÞ¡$rÔ1
+J„ò6FE¿†	øÃìÀ0á« �-LQ×QwÆFÒœ»‰¿®2™·I€‚‹¹oîæ"85yC:Ä%NSL6&ëR
ã#¢™êÃu±ÕLB¥‰—ÏŒ9í¥eò©´Ìèïk–fÖ5Í0cùpºæÓ}�4ƒb¦Ò²¡õ9á¾2caæ,ÌeLß2:ÄzpˆUKàº5±±c¼`ì­†›üÆ?é§îQ¤_÷‘)	•
þmˆµ™þ¥ûqòåKZ9‡8‘°ëp	t"ßÓÖÇió›´¯¾?» è¦j=³7(¢”žáŸ%|HßxúŽç fà<21§f44ßWã)µŸúûp¤&þ˜”d_¥ì¹Ì圄ý…W›#9‚o&ûç„-¾vRjgå½ëX™±xÁÒnyBN¾Õ£ÆóÏËM>SnòÉr“O•›œÊMüßrÿ˜ÜÔ3妞,7õT¹©Çä&Ÿ#7ù<¹MЇ˜ñ
Yx]ì7¸+èÉ•ßù¾¥`A^­è¯4=¿³’8þ‡XÊÄøgc3�údø‹§gÿuÚþ¯`°Ïn­<ÒñÏ@†ˆ0Sȹ±œû?c;dý¿?¿Évendstream
 endobj
-1003 0 obj <<
+1266 0 obj <<
 /Type /Page
-/Contents 1004 0 R
-/Resources 1002 0 R
+/Contents 1267 0 R
+/Resources 1265 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 987 0 R
-/Annots [ 1007 0 R 1008 0 R ]
+/Parent 1250 0 R
+/Annots [ 1270 0 R 1271 0 R ]
 >> endobj
-1007 0 obj <<
+1270 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [213.6732 493.8452 286.8984 505.9049]
+/Rect [213.6732 554.0172 286.8984 566.0768]
 /Subtype /Link
 /A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
-1008 0 obj <<
+1271 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [209.702 415.6507 283.4678 427.7103]
+/Rect [209.702 475.7236 283.4678 487.7833]
 /Subtype /Link
 /A << /S /GoTo /D (topology) >>
 >> endobj
-1005 0 obj <<
-/D [1003 0 R /XYZ 56.6929 794.5015 null]
+1268 0 obj <<
+/D [1266 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 394 0 obj <<
-/D [1003 0 R /XYZ 56.6929 561.8344 null]
+/D [1266 0 R /XYZ 56.6929 622.2509 null]
 >> endobj
-1006 0 obj <<
-/D [1003 0 R /XYZ 56.6929 539.8007 null]
+1269 0 obj <<
+/D [1266 0 R /XYZ 56.6929 600.0717 null]
 >> endobj
-1002 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F84 797 0 R /F86 977 0 R /F42 597 0 R >>
-/XObject << /Im1 790 0 R >>
+1265 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F62 990 0 R /F63 993 0 R /F21 654 0 R >>
+/XObject << /Im2 979 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1011 0 obj <<
-/Length 2396      
+1274 0 obj <<
+/Length 2668      
 /Filter /FlateDecode
 >>
 stream
-xÚÅYmo#·þî_±¸Oë"¢ùNîå“s±/_«sQIPìI+[ˆ¤Õi¥ó©Eÿ{‡rÅ]­l_¯AaÀœåËpÞ8|†b…?–YE¨(df
-Ie*›,ÏhvcoÏX˜3Š“Fé¬ïîÎ.®5Ï
-Rh®³»YÂËj-Ëäo~¸üóÝÕø|ÄÍ59)Móïnn¿Çž›7ïn¯oÞþu|ynd~wóî»ÇW×Wã«Û7Wç#fƒõ<p8±àúæ§+¤ÞŽ/þùr|þÛÝ�gWw­.©¾Œ
-§Èdz_~£ÙÔþñŒQX•=Â%¬(x¶<“J%…ˆ=‹³÷gi&£~é�ý”°DYn¨Lb@&8±š²Ì¨‚hÁ…·à¿ÎGšÒœœ0m‰¸àò[°‡¶Ðyq�ƒw?\Ý"µk*$ˆø‰z:Xï›;ãd\�ÂYbÄ)”âC{2Ü3í⇮·ŽñHb95ƒœ{Èã
Tw“ª;ŸdO%t^oªY:·å©Uµõ’Ñ(†h”wÐ8xq-Eâ(ÇÀ�BpëçÜ=€Í¹Öù¬^,êÇùê?«Ïår½c�óÅ©ûù§Ð·9g6¯Ê¦^•â¼ÕCùiî4BŽ�ØÆ=õ¤Œêf‹T¹šº$ë¶Ó9n3Ù.öØ3©W+ø¬¦CÖ
-³Ö¸lwHüçm
]¸§Ìõ4å²êpå%íúAå�è‹ê@O\J£L@­ê-*l]US‚Ç´“O{ÇÔM\Ì›mÌ@n{­ˆQBv…ÉÉGˆ3ê·É7èÔtóLp'&�zö’ïJ/á¶2¯
w÷1M¤<F�áxÜTÁï6S0d�ÁLÅá I†LþöPù¬ òån±�·É)„GíÛiƒSJìMglw›•�ž¯bî	ÓWÍ£÷�yiYî±ãC`×Ól·À>v¡…Xü•R~¿K÷ùNåA¦*äAŸSÜ⇢¸d½('^j)@j¿­”�t…�öÁéò
ĪËèÇa‚H6ø;¶›
x`T;ãX^Q¢/ÂÜf[n«%¦-Ør]m–sXA�ƒþåvîÏÌðzBÛJÙÚ
¯Xw4eÈ
-õ§
±%hx
-d\ÑÏfQ)ˆF´V'’™ÄBÊ΄6„S�nqñ󫬞E
z´‰w�—¤	ò’¬�¼`Ø_Þ2†$LI1öï�uó%,êq¡ù?ëU5„ÉݪEEŽî<PVkž%–ù:c;·ú²‡£ør–qÅiÿ‰b¦°Ï9½z„u5–‘_à?•š½EN­ÿmÁWS/ãÜÈÓg™?aõDŸ¯³Ñkvn à�´üŒÙ
Z²Áä;ÙOóÉfö2™PïVÓRâøK€š™ÿ¥�ˆÿ�ÄÉtA„áò'€\�È-¢Ø#4+¨…… ØÉa0_\¡æ'\‡:ôºE~x"{ý|õžV[I
¯ÁNÆJÝÍí
¾!uøÍÕø$HB&õòU‚Ò�Äó9Xï'³0nC¡ßìé×Äë
-'¥ÍÅ"{Ÿ–»‡—m’7B¯££.O–õº­Ûƒ‘éŒä8…G÷ŽXÆ7ʲéx‡b…EôÐ7ယ…"Z¶Òqª!JlšÝÌIëïN½‹OE
-F#,OS[{Ò0ʬ«¢aFb<Þ&ŽPñX%xtÄ;H,¿ƒÿ<¿ê¦p%*Hf¡’2·sö1sE!pNB{Mð7K–}_ƒ>Y¢Rä;J{•¬ìTå†P§I!	Õà–X^x�¬N3
+xÚÅ]sÛ¸ñÝ¿B“'ºsÂá›@òäË9©ozNë¨Óéäò@K´Ã9ŠTD)Ž›éïP DÙÎ%7Ï °Xì.ö±	…?61ŠPaå$·’(ÊÔd¾<¡“[˜{}ÂÌ4MS¨Ÿf'?¾ùÄ«¹žÌn\†PcØd¶x—½üëÙßgçW§S®h¦ÉéTišýtqù3ŽXl^¾¹|uñúŸWg§¹Ìfo.qøêüÕùÕùåËóÓ)3ŠÁz0YðêâoçØ{}uöë¯gW§ïg¿œœÏz^R~Ž‘�'ïÞÓÉØþå„a�šÜÁ%ÌZ>YžH%ˆ’BÄ‘úäíÉ?z„ɬ_:&?%Q†ç#äbL€Ê-`Ê	pö¡Ž´ÎnÚºnïªæ?ËÏÅrU‡¹»ª®±w[}
+cëSf²²èÚ¦¸Žp×å‡âSÕ®#ÆÐÙÄ=êv^DÚnƒ½¢Yì†:ì¶
¶‹
+·™oê{™·MŸå‰øŸ2F¬RÜ3Ó”›»vý{§(¸É.ÜJg•Ãªò¬«–U]¬qpÓ†Ö§ÄÃW{³7],HK×á@×®7ˆ·jp$ê�Î$±äs âªìVmÓ•qYÙl†|Ü–ëª4ÞøMÚå{ž!l”£ë¢]I“ÝŸn°hî±ãøqm�c(Z7²­ÿL„©r�²áf‘
�±Å¶gÃ}ôlôTøAãm�'n#ú³7φ
+löT
+—ÝÄ’óó²†!܉ƒLŠ
ŽtŲ`æ%ž!LË#ÇÙ
÷�)�4A¯i7ع.±u:T.ˆÃÞÎ&ÆêpçÄ‚yÜ°®ÜQkJ³/~{­H®„ÊôBx
qB}‘|O]øþï‹1¾<<ÝÛ×à$¸6¤^‚·ÉÂ8ÇÊ4a-„WW]$ñf½
+	JhµŒ¾-÷“gܵ͘KVò Î^QSÂw0`'J_J駤[œXcÌx²5í1NS”Èä€8ná¬åncä«r>¢œIU´»*Ä„EéÌý‘ÓÂ0ŒIX÷<ø[¥¥r	ÞÍë¢ëp#5ØHH]Yب‡HLr8'1nç€ñ›%1NS”^bâ˜r·±O×\´‘˜ Ö%ÏÈÈ{”Ì»ÍýªáÜÓ<êIJ™æD´óß�éã#Lsž-!¬ÿq®wÀC®tetÐÏí²¨šOZj•µß�ñã#Œ
h$ 9`üÙç–“Û!ç»Ð9Â='Ü�ú†ñ¹z§žvèp.\.¬ Ãu™«2ÁVüPuʲÐuö\9+-?Àˆ	qÝ-X”7D�°¤u_p'Óy4û³Ë�»meÔ]‚è�8ˆƒôúHZ•ý^~ò(m6¥Í¡-Dò>¤=D›~˜6¯�ÉF p—Â0=Lb†äÆ`a ×}DïøXØáÔ€¦ô6ò—²%p*x4ˆ�*ZtГîwè³�DP‘Õci«ËÛ"dz[öNz=Bœ1€A‰Ç•b`nûä*$ªÏ\µÈ‰Tà1%dÝ\XöãÒ�²î¡ùþ±U‘—…×t”\G
WèÆûÑ"25• ˆhæH|•‚È"&Ribrªð8A�>ãÅO¤ "Ÿ¢H¯—
I“Ë€dû—
˜öù¤Œ:	 iÚŽã÷ˆ†!ía¡ÙÚ¦Ëèݪº$i˜�Û•Ö|’ŠæÛÄínf·ÿÓQÆÇOܶȅ~ì](ÐY_ÍK_q€*•{ŸÍ÷¨h!èÚe„Á�ö"I.³Äžðóm2úsÅžJ2#;g„»™ßÏëjþ§I½H
+$>…<�k©Ó‹ÕÁKPîºÂX’+%®âŠâˆGüª
…§P¶}~¼¢yÙA )*Å@8pY!ArP—ØúLÛ÷ΰÁ\Àõž¹º	”�y»|†ãÉ^hŸ/F‹‚;(TÜP|%¬/>í×�\žê!v¥ëy±íÊXö¹O0»ÚžÎ“ªµçÐõÎŽšt_I
+"r]'"‡)”]e»ˆUó]f38n9¨
+‹Ùþ
+®ý‚�é8Ö6ÝöÆQëC§K½r‹— f†P¸ñÅ_ÔwÅ}7¬R·ýü¬/³œÅÊgR=ãÓ}MpeGüʾŠ_ÜìUˆ³6iáú(Ÿ\ÓÎòö*<‘ƒÕª,<-»÷~„¹¾ç
+>2r'˜ï¥Æ Q
Ôeq“º*;rì݉sín¦Ory’Ad¶JMûr¸½jý5i_\±ç�û>þÒËSÏÖ›3è4%93pcgî‚Lü29	*�
¢�'ñ¼ËfðŸgçû’
œ’¹X
Θ[æ·ž|œ@t”Ö
+Júž×�üÀ�K>ù¹Ž&	Sñ4Å왂`––ŠrWø
 endobj
-1010 0 obj <<
+1273 0 obj <<
 /Type /Page
-/Contents 1011 0 R
-/Resources 1009 0 R
+/Contents 1274 0 R
+/Resources 1272 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 987 0 R
-/Annots [ 1013 0 R ]
+/Parent 1250 0 R
+/Annots [ 1276 0 R ]
 >> endobj
-1013 0 obj <<
+1276 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.6787 494.5292 427.332 506.5889]
+/Rect [353.6787 560.2827 427.332 572.3423]
 /Subtype /Link
 /A << /S /GoTo /D (the_sortlist_statement) >>
 >> endobj
-1012 0 obj <<
-/D [1010 0 R /XYZ 85.0394 794.5015 null]
+1275 0 obj <<
+/D [1273 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 398 0 obj <<
-/D [1010 0 R /XYZ 85.0394 565.1194 null]
+/D [1273 0 R /XYZ 85.0394 630.8728 null]
 >> endobj
-696 0 obj <<
-/D [1010 0 R /XYZ 85.0394 537.528 null]
+950 0 obj <<
+/D [1273 0 R /XYZ 85.0394 603.2815 null]
 >> endobj
-1014 0 obj <<
-/D [1010 0 R /XYZ 85.0394 387.929 null]
+1277 0 obj <<
+/D [1273 0 R /XYZ 85.0394 477.5928 null]
 >> endobj
-1015 0 obj <<
-/D [1010 0 R /XYZ 85.0394 375.9738 null]
+1278 0 obj <<
+/D [1273 0 R /XYZ 85.0394 465.6376 null]
 >> endobj
-1009 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R /F84 797 0 R /F86 977 0 R >>
-/XObject << /Im1 790 0 R >>
+402 0 obj <<
+/D [1273 0 R /XYZ 85.0394 128.2785 null]
+>> endobj
+1279 0 obj <<
+/D [1273 0 R /XYZ 85.0394 104.5761 null]
+>> endobj
+1272 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R /F53 957 0 R /F62 990 0 R /F63 993 0 R >>
+/XObject << /Im2 979 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1018 0 obj <<
-/Length 3333      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Z_sã6ϧðÛ)3•*þ‘DÎ=mw³Ût®Ù^’ÞKÛÙ¢cÝÚ’kIɦŸþ
-diÄÐKÇÁã5ã:課zš,ŽEcé"ãq¤t¢ÏCLá�ë‚,žeÙæ;¶íötbÍ£XkuybÏ43±L¬30ÆÆ?˜¶��•<h7"¨ºÝÒˆX¯éÛ˜U]
1´5WùŠúð §\†ïpxöƒ”UQ®ò¶¬+06« &zQ6ùrkܨ8ªžŽë÷8‰7¥¾ ›]
-eÆÐ.æîó£c®;”q&$!c‘Nny×L°ªÝÎT…)"˜�Á¼ìÀ.
-l½0ë¼Û¶Tñó'Ù`h&d¤ØÍŸÆñÌü nÉ…t<¸*Ó˜»²êZÓÐÔHÈ«‚
-­—a—-wÝŽ*Ïù¶3—ÄɲˆkáÅaj^ž4’1ˆ#¦âDç< …)`XyÙ†\ç= çBA`¡ae-jÎ`¼"¹<Ï5#ÀPŒŽ¦R�%x¼Ö`ð 
-ž8ë(ºª›Ë 2íK}øB�í!_cûïqÌWÔNmeµ¢¾ycˆ²7‡u}ØåÕÊ|‡í6šz'�š¶¦Ž
µUæ	\æÙqæUóbM4ã¡„ýL16ï©:Ot�ª(e½UZ/ã"èSPÉ:9|ÓR!'9�	4’¸5:·ëWZ€¬Ú‘6¦q4·ª”Ußîçòúð�Ò#�]9ì«“Ú­•NBç°Yï°S%ÁYÂŽ8ñ-ÊÑ	gGåL}
%3ïiñ¼«	I©ý´GY­ãQqSw‡£×�H®x¤c ü_’¯òªª[šÅ|]»¹PÎœ¾òW'
Ú¯U°€1FÅŽ¬é¥Ün	#–šr»¾}upu¸VprÈ`5}3¥n&
-®¬ÛY›‘¡eêÄdNOû­+g>/Æ|¡N60’‹‡O’f°Sš]Þì!×ùÍî¹ìf—Ux¨ë¶™ltCOØ‹S÷\3s�6-³l<¹ƒ/…RøíÕÇ(l_»S59´v;ÛPS»É[*‘®µÃæ?»Ò�eÔêlE‘»¹LÓž08Ò£YÕɬ5±,�%p	yj	ùjeö
-P›
-ÎQ6ñSi¤\ªt$ÍÄz®7d˜Žæ’L—[S‚š1_÷îd‚sAjFç‚Õ¦?°Ã|ž®“²ÔGßb.ôf	À—ò¡7ZW䣕$LŠ™Bă„+.áÆbÙÐswü¾šüàH6”OSÌ¢µD1
-´¯k?ïèvaÕˆ^ù`Ü•ƒ°|»­_¨èBƒ>Tß–»²øó]ÝùQj㯶õÊ…yÍó‚ùõÙØN$ ƒ¿È¹ÎÃaÏÕÇvf}0Í&Äå}×_¬Ì’-w{x�òzâăR8mâT^^BÏ5³†‘¥i”(ˆG‹x¤šiP®µ˜†*`-Åg["Ø­Å‚�û3ü£qÑ™ÂÛªÓðli6ùsi·V
-^‚|GX´ìZ¢ù;Œ“1ý”Ki�º|í;Qa—7˜ÏÂ^¸qŸÊgZ/46ÛüÙñõÉ]„ã¥õ©JÙ€ZÚúÐx7„Õ;ôЬ+>û<„)G.py‡ˆ8�Ž˜rºs¦&Rq45‘JH§siÅ@×VÓ×*ÃòP½On,
¯Ë,µGÛtbs'¬½¡Ý{âéÖ›¤;ЕòÞØN!î3º²”=é¹$<²ä„¬Qòài[/­u1ÖßC;…à€½B°rÜ{¨Ø€‹ŠdgPð‹¼ö~ïÅÛnI$ªqÓ»fp“m¾ÛÏm{ÙdÚP˜hkt�<ЖÇõfìýˆM§ƒ—æ,RÃùhÅøe¤r�GêžËn]Q5aWìæüËLo€!v˘¾<}ÏõÆüA(È•Þàôr
ÒQ-U�g/h2�™qðp·¶¤KTh¸�ð”Z~ýð‘–�½;^[…;•m¡8^[cñ.Ë‚ÿ �:ÓÊÄzp®Þü !aœ0ì6bRÉ™Ø
-ûhP|oayÜÇ
-=a>ßVF×±Ž¯š[Z ›d¾3Â�¢v°ìHÄ™½Â¦îö‡®Ü¶¡õ…$Ü^b´lßQÜS,‚θ)Hyh†o�ÇÐ^Š{Rù3zãZë�ãÛ˜í~Ým‰±(ó§ªnZ›Þ©)�0Ü[Û#'zŸäÉ&Š@[ö‹ÃÉoºª
-ΰoLWÔa[ïíy6Û°€¼¶¬f%y”oÍ–%ÝíŸf‹x©ÄüS¡	fqñÔÉÎqqá³­÷?¾ûü03 Œ1¸ô\p�5b	 •�(`|¿d¡f†«Ë-•¬ª„½ŸÄê@cP³§¶mFÐjŒ9÷/H=
YúFjÝÿÿbÈ?�É'£ŽkδµbΦÏI”h¡FâÌ<8®7¤˜ŽvÌ­Q›uÁת~î±\ã5}úÆ6—bý¢Q€a-@3ŒQa³
-Ò8b"KÇàãCT‘*LŠ  ¥C$(³ˆ`—³
-¨EšÙ€éIŒúõ.=³ÿpDÀΨ· †Eq’y+q €#¿Ò¤…ÁÔþ‘ÇÒóŠ¾æë~[®ð@Çšï—æ
-qBÙƒ_N÷¯¬©èÿ3°®gendstream
+1282 0 obj <<
+/Length 3614      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZIwã6¾ûWè6ô{‚•
+,îšSÛA�-©×pb©äÿßÊ7E]7=ÎR~Ý”^¹PÖA^ÅsX�³_/`ÁrB�`GÖôTí÷Kw%~»jZß?c­o¯Mv‚…õ8Eó�¯ÆOœ‰fÕ}ÀÛÕ€³ÀÏCpŸÞ‹ý©$3P“kIŒÍÕËx4二G‰+Jú2�”¬ÍÅËÓ'®…ùÇp¢Ö:/àsÙ{‘åÁ? pö=¥¢£


+O»j³õ`ŒkjÌ3¿3,"ìl«ºhŸ‘âLóØtU_]³ì±t–‰
	…Ö‚ïvÞf$Ú°±SF_D¥å7u0Ÿ§²ü‚%7ÙÀH’,*üIq£_Qö€ëeG.¯ìª^·MÓw3ES
+=�¢_š:q-Ì=R4UÄJ­Ç“ø2nQ½6«O‡;ԛɚ{üzM5èÐ6h¶Ã¦~WôXBYۀͿŸªp–ak°ƒîvæ*»~Â,ÈŽf5“Yd¹–À%ÒLÀ£ØlÊ#
+c…bì1jW¦«	3¹ZM’ 
špmøJiE”Ph5ÂP¹d(/hçñLÿñz�3ˆjÖ9ÏfQ¤
h‚FF$eÞ`W¿¯¡ÒZ�Lƒ²ßëYžðí‡_½m`G«á¦ÂÀëáÈ~S9až ¹�`ˆ„Í㦼•i0âÃq_à„ñvë5~Cø%;Ó¶Ì-áÆšÕPžMEdŸ[ˆ²×çàø¯К[bŒ¶ÞY¤Pìe0“–¡„xÌ—3ª‡5šÕ¶êŸ×ˆ°…Úؤ†Ð´3œ`l‘ka#`Sè
+Õ÷Õ¡J
qhNq”&Äø›}³	a^÷¥|r÷닱�äpñЯÂá€ë8Œ\)¶+ïÛ²Û­Ýö¾Á¹ø~‰ì¹ûöyΉ3ÊÉi._ÞBâZØÃȃòœ(1âh·x…f„ë-¦Ã
+˜G�ñÙ	^µ®ã~-³¿u!:3’X3
ÏîÊ]ñXyÕ
+€ã¿h÷
ñvUý€ô? •	‰Ç2ˆ ÛçÀ%ƒ¥
+Ò£'NåSV°:·O)\êÍuZ;=;W–2‘+Ä#OVh�’gûæÎ[%y›3Q nÀ$W9ë*>àÂ"Ú¢b¯ÏÂ]ºC’[T¦Íà&ûâp\ÚV‚l4m(̤åQ¸Þ[ûöùŒëÝØÓˆ]ŠÓ¶ƒŒKw©D×’Û—�zÀt§#“×Û¶îÖ§íqÝU”óô/nšÙçNLóÉÅ$x0pMÍ“-úœl)¶à:}ÕÅœÙ
„šØòóÛŸ�twòyà{t1�ù¥{]qÏ}é±KÐìßÎÞ‚™
+‚«9*8":ª+ŸvÅ!¸zrmá_þ&}Ð*§Ìçá“͸Ê_½7ÿIT`šËô+�.C®Ë¨�¸\œì$·/×þÕ´Ÿ�ƒP„k-_^DâZXÅ$…Ôèñ2Æ™+n"<ùîC9¬Ï—1dÂ�âÌÙÅŠ¢]9¿9B(2У½¼�	Jü¯ìj>î$d²œ¢gë1A	!^–mâzm³Ñb.Èý‚ɘñ1ÃŒ�I9f.$(à9�¢}ùµ_Èþ
+ÿP
„âxôqº36.oÕ=ð+žæÚâii«”¡—vz»«Bt~Lv"úCYÔ!èò™Y}B‰³>TøK�—Iá^œKûÚ"¥¢j´JôpÂdBI1‚
¨>UýÂ[d]q%/h,îËÇr�ŒEgæ*н…¨IÄŒ–'.@”ƒLeó×ýL2•,¡©Ý´§¶ÿu’Q¸)MT…Ľ¼U¼¦]\3ì3áÄ…h²:vJó�¹„<“�ç'Ù%LbºìRßë] @Íä(p)öÚn=Î
+RÂø�
ø“j�¡·øÜšo¹+:/hô§�ªz³?mC²×
º ¥áÆ–óÿM v@£º†*ÚÛ^¶±¬„5
 endobj
-1017 0 obj <<
+1281 0 obj <<
 /Type /Page
-/Contents 1018 0 R
-/Resources 1016 0 R
+/Contents 1282 0 R
+/Resources 1280 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 987 0 R
-/Annots [ 1021 0 R 1023 0 R ]
+/Parent 1250 0 R
+/Annots [ 1284 0 R 1285 0 R ]
 >> endobj
-1021 0 obj <<
+1284 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [297.8955 410.3076 347.2449 422.3672]
+/Rect [297.8955 476.5924 347.2449 488.6521]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update) >>
 >> endobj
-1023 0 obj <<
+1285 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 109.336 116.59 121.3956]
+/Rect [324.9335 169.1118 381.8296 181.1714]
 /Subtype /Link
-/A << /S /GoTo /D (view_statement_grammar) >>
+/A << /S /GoTo /D (zonefile_format) >>
 >> endobj
-1019 0 obj <<
-/D [1017 0 R /XYZ 56.6929 794.5015 null]
+1283 0 obj <<
+/D [1281 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-402 0 obj <<
-/D [1017 0 R /XYZ 56.6929 769.5949 null]
+1280 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F48 880 0 R /F62 990 0 R >>
+/XObject << /Im2 979 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1020 0 obj <<
-/D [1017 0 R /XYZ 56.6929 749.3863 null]
+1289 0 obj <<
+/Length 3521      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ksã¶ñ»…¾Už9!xñÕt:ãÜùRg_ês;™&ù@“”Å9ŠÔ‰”}ʯï.€@‰²/ÓÎ=,€ÝÅbŸ€ÄŒÃ1K#ÆU¦gI¦YÄE4+Ö|öcß_;gá&-ÂYßÝ_|ó^%³Œe±Œg÷Ë
+®p#Ÿ/~ý�ÏJØöœ©,�fÏÐáLd™œ­/t¤X¤•r�æâãÅ?=Â`Ô,�’ŸŽRIÏJ³4“RæŒG µEe,VRy)K1%e7¥\4uÕýbSm/E:_|ÞUÛý’Ä:ÿ²˜?–�Œ–*ÍBNØô³&øT
Ÿ2‘,*3z¿ªú
+øâñ¼¯lDóae!u[uÞô)ovþ�ø×»54�çmI£°?¡N»[?Àag³…ˆ�ƒ8É %XEÒpÐ-Q,ÑÜ¢*vÛ¾~ºóŠ = j†¼­»]�íDKÃËnK�¼ÝÓðcýTµ#¡(rŒL|ó^„g'UÂ2� ,‘•¿Ñ”‘Ø–è4±>·ùºzóyØoàÿ¢Éû~i3GÊ.ùûk8­#”{>»t¸ýjûTm	ø\7
	R©Œ¥<KÇ‚Ì‹¢Ú ‚XÎ*”
+”ú¥ét›MÝ>$/K8Ü®5Ç'V0g¥áØ`Ÿ%M4diÉ0Tk¢ æCGÀ¾j–Ôv­¥6¬êžZNipuk«¼}¬Œä@väœ,-0’‡Š¾M÷øX•È•à¨¬-«ejAC£§vî7
Á-ÐP6
+¶ÀêKQ­€
{Ä
+Õqk3ŠÊmz*k§�Ò6Ùò+‹R½,�Rmfbö+bøÙ0ÓønW7ÃÂxp8«CèFSçfZwv=Õ+pž2b2†ã²Ù˜_z@¦R1ß�´ŸêÒ+ŽšXƒ­UÕl–»†&–uþØvà 
+q�€aE¨v�+Z‘Ü)8‚PÁöà7‡=âßL€ƒ³	ÞIÔA¦ÀûmújWv‹¡Û,šê©je‡þƒ¶	i pJ²8Jœ/x¨ÛrBH2a2î¼K@É�žœç¢|‚Åχ�5˜Hê32“Øa]Êlóc$àö¬ÒCša¶—ojYá0u‘Aï©®ži“ѾªÎ•B‘€¢N¥¦(¡±íãŒwSE`8ÿ4í?ÁŠ;üié¢ÈŒKqÌ�Ð
+Rc.Gìœ~Ö+\œbR_àÁ¸Qø9õè!áUI¿rŒ˜©í¬çU]¬-¥w˜–‰–2 %iÿšÆlÆ•É%tèÔ<‹°ê‹’§LƒòZê7·SF¢�æ~ë	“:¹”c•ŒmI›î!w©?”®‰ÉØÔ¼¯É0:àÑöÔéwFä'ýdh,•©³·¼�$ál4
+³ºÎ©a?.U„¦ñ4!NSžFK¼Ñ‰ ´8]"~Ø™¨™àU!wi ­°�Ê~38uÄ”Ê\à¼ÿå~Ê�AS9ŒTÜ@‚‘>2Ƴ>Sc¸—¯¹õ„ÅÒGg,Ñ2iS#hxw��º§ïàFIìyC=dØñY´�eîæ[ö�¨ê>nª¢^îÑ0'â� ƒHŽŽÂÒÁªôtWè™ �QñØ0­—³–fs½¢ê{[s[rpW�ðCízÆ
+ÞkP�­0œuÞ
+ý,äuÉ¥ÓÍ‘BÖ¥„z™°›4Ax¤c
+j�LQ&#Œã¦78°·Â8¸È
×>²B#+Œ©®�co…Ð4bqž³ÂT0�Ä™=zÇÐ934uëØ‘È´B‚
Ö”B™;Ò‘¯²FX�ϧ á•\ýiÔtYŒ9Ëë	ŽaÚ|©f	�ÁTGøá"J±ªÛ`.…¼pŠ[õOd3Ð\È· IfIu¤Ô‰	¨R;/ªÍ%Žc	3p›|ÂŒå®5é°¹üɬnÁ‚Ͷ^çF°³Ûb	J+Œn
+w
+2l¼-©ËS5{EÍK´ý¤SâcÇ¡b…t-¤nÝ]2¿y:§dÊá%�Ë�^räð’S‡—¼îð ßÎtìœÇÍ;öñúîß×wS%CÌ ß×_ëî ç‚Ç&ç0ŸÍ}¡â„œ<M¿.÷=qwÒå2�7
+7Í=ëÔ{©ð¡3ÒkhÛË ò]�i‘÷s?.
+�üp)Å©°î7yQÙ$†a·m©ûË»?]Ý܆£ôèg˜]�qŽÓª‹	/‰ëb·˜:—&7u¦¹ö“•Ðžiោû™îÑNò{ qûʬñ…Ó2Ü»7éðÂSÏïÞ¿%°ÈDjטÃ�Ós>‡Ñ•žFó¦ïh¸n‹fWZÒÃjòõy̱s]â7??ÅÔ2HÍ`ˆŒ]4g@˜xl«-ÇÈ01Õí§—pš;B\Bü!Ýæ!/>Mæè#¶ÂøDÕ"‚Ö®ýÔvÏÖ+ûÉG<ëz�)û­Ão/0|t,+0¡µ)¢°[/í\ú'EŒ�} Ç9�½)÷¨¾Ô½y¿„¶9\fû�8Ð;´Qü¤—Îc ©ý�²‰_ÛgòXå}Ú”Vs|®_V�ÉmÍÕ!tyÁžCÉÍ„�Âîf°²ÏéSü¾Ýzd…aÊ]nB2U�ùaˆ]Sì¶D¡µKšºÆÊ-«uÿ×sï<©b:yå~‡9¦R€„)ˆ§ÐL•ÇC*
+ÎnnWïÞݱ«»ŸñýêÜvãˆ)ˆä/n÷0çüvíœW·û½Ãv�Nn7 (dòÕûUß!NЇÖþç_;D§…Ιç7Åc–JHv-S&c:yò‹TÊ @M&Xÿ/Vãšendstream
+endobj
+1288 0 obj <<
+/Type /Page
+/Contents 1289 0 R
+/Resources 1287 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1297 0 R
+/Annots [ 1295 0 R ]
+>> endobj
+1295 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [84.0431 510.7325 144.9365 522.7922]
+/Subtype /Link
+/A << /S /GoTo /D (view_statement_grammar) >>
+>> endobj
+1290 0 obj <<
+/D [1288 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 406 0 obj <<
-/D [1017 0 R /XYZ 56.6929 180.2089 null]
+/D [1288 0 R /XYZ 85.0394 581.6899 null]
 >> endobj
-1022 0 obj <<
-/D [1017 0 R /XYZ 56.6929 156.0579 null]
+1294 0 obj <<
+/D [1288 0 R /XYZ 85.0394 556.4234 null]
 >> endobj
-1016 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F58 627 0 R /F84 797 0 R >>
-/XObject << /Im1 790 0 R >>
+410 0 obj <<
+/D [1288 0 R /XYZ 85.0394 250.947 null]
+>> endobj
+1296 0 obj <<
+/D [1288 0 R /XYZ 85.0394 225.1724 null]
+>> endobj
+1287 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F11 1293 0 R /F39 858 0 R /F14 681 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1027 0 obj <<
-/Length 2858      
+1301 0 obj <<
+/Length 1676      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZÝsÛ6÷_¡Gy¡ >°}J;çLëÜ9îMgÚ>ÐmsŽ"U‘Šëþõ·‹ R¢$·ÍÍu<ËÅØ�vA%ÉÄjÆe¦&&SLóDOæË3>y€wïÏÏ3L³>×··g_]¦b’±,éäö¾'Ë2nm2¹]ü4}û�7ÿ¼½¸9Ÿ	ͧ);Ÿé”O¿½º~G”Œo?^_^½ÿáæ͹QÓÛ«�×D¾¹¸¼¸¹¸~{q>K¬N`¼ð¸¼úî‚ZïoÞ|ÿý››ó_n?œ]Üƽô÷›p‰ùõì§_ød
Ûþpƙ̬ž<A‡³$ËÄdy¦´dZI(ÕÙ§³E�½·nè˜þ”¶L•NfR1›‚ŒQ-sÆ5hmftÆR)dÔ²ÕràB-.ÖmÙÔ»»MË,=汉#×È̲7s"$3VšáÔ·�hÜظ×éµ-Öð·›Mµ öú<±ÓbÕ¬;?ºÌ©á¿nŠõ35›û™u¾,p«_]jÓ[Ÿ0‚i	ëã}�°»²^÷`7]™kÏüTv�~–ç•>P»ÒLÊ,ñì·?ÞŽˆL )ƒÄ×È
-?OS#»šÉÔ2
’‡ªZ”m~W-EõÊ­¿™m‹;šsx’{@]§,Z¶û>À,ÎJu"·LGbÐ3áB›¶Ž9ˆA‘1™È£³žýYîè!25œ–Â/M·ó»^È1þ°â/5ÃøƒwÐð�Ðt
-îË<6aʤ™7zXС
-ø	„‡¢Kú™kÿ	qÜoêy‡˜	òyæ}¬Öå2wî€�ÍzÕ´�p¾
Äv3$Š�>"—þ‰*Á—墨;@
¢>=–aÈÁ­ð¡yÑaõ›uÝœðÌëçyÞvÔ!½àtÜÒ´È1ï6yU=þö	ÖæpºÏÍfM­3‘�6ð-a…Þñq’ƒÈöÍØQç&‚
-"š³�Ì$ãŠï ÞÁ9ðX–}èú\‡‘.ráê¼Â
-gåbï4ÚŠãÓG®‘ù‡˜Ç™�™.Àƒž™^½ëC”ƒ=Óƒ½töÌì™}Ø3§a/Qi€�«wìÓÅÍ¿/nFA§òEõRЃœ#IxúGr·âCX7S\0#­:Û‹AO„<CdI€ºÅŸ<àÓcðn1Áç$øt˜€}Ä„ódJ°
-2¶×¡ùŸâëÓÄ­›ñÕ«Wã&xgŒ,è­P&³™ÊœÛŽšhoCR_Ç­©SbÑ¥ít•ÓÉWCà´,î¥æô
-Ç8Z’#©éïùŽ€0õšˆ¹ËÝ¡1:HBÚR<ƒ«°`
"ƸÅ&úmCQ¥â(¹•¿�½—¤ ’[�"ËCÕÜåÕpG2ƒÐ�mß7kjø›…þVFYÐÜ"H+§ß•à[´Z£ã-Œ¢[ ¸<4bâ&ŒòEÑøÄåç¢Þe±ÚZä8G,ç'êAW³,»94{?3�w0ØA©‡ab KxéaßD@#õ �œH>
-€ôôXÄ8èsÄkAuÒ"ªzÞ†È]XÌ`h Ó2Ö>�ØÕ.é›Í¿
bT/AÉŸ…0§`rËógq’‘eìðáì{½ˆàP°—>ŠÅ×{ÕdœJ5‘2ÃÀ¾ä†Y*¼fç†ùÏ�
-�]+Ã,d¤‡W@ã8ÈòÍ0b(j7…I8³6KÆ‹E̾¬„j24&UBþ
-Üú
Qúsa?Ô„ÐtñÏE�‰Oí
-æ[Û7~n'ƒ(³1Û��Û#êíü¯iók ¥O­>e ü|”p¶þ¶^·E÷Bt°½³ÉZ•šõÐÀÚ`l탗ÈmÔÛd7û¯}ý±È»üˆ½zŠø²öR_Ô^8ñð„½¤Æ«�ÌÛkÑàù÷2ƒ	­£Á°Mw˜ºw!�pßÍ¡Á„NCú�Íëß}üþÍÕõX
ŒvÄ0½ÿ�)É ~Wæ$Ò�ŒÍéîó²Ú¬‹–`P®‹%èºXÒ=¬“:bÒwbI_[J*…_@HAõÏçÒÝcè¼­&¼ÏïšÏÅa“öuõw6©LBFr¤‰5x›ã�º˜oâwý[šlƒ-õ×£iÿö:!ØR9· Þ.Ø^œÓ=¾\ù›®1KBŠ¿$;‘¹ÃŠ©\òφ.¢™›íåQ½Ø©�Mg{Êg\½xÐ
zšýR°ý1Çÿ#wOÒŒI#äd–*&aýO({ŸR$O!Ëð’›ãuwbÇ?¥Ä�Ö†	“ÒYw‘»ðNãï-dšCPB/襻uMC
˜fÛ¯�@ô·½Ð
-·½À
+xÚ½šËnÛ8†÷~
+£+¨Y^D]fVnãt\LÓŒëYµ](¶Òp$×R’É<ý�")+4Y¡À (ÌËOþç;"i*
™bñC¦<BQJÓiœ†ˆc§Ûû	ž~}ï'DkæF4‡ª·›É›KOS”F4šnnÁ\	ÂIB¦›Ý— BÍÄ8x÷éêrõþïõb‡Áfõéj6§—«?—ªô~½øøq±žÍIÂIðî�Åõf¹V]‘žãíêêBµ¤êã̤ëåår½¼z·œ}Û|˜,7ä%˜I�“/ßðt'°?L0bi§O¢‚IS:½Ÿ„œ!2fZö“Ï“¿º	Ao;Ô–¿N3g!J„¿'Ë<E£¬Ë2	A–c":#A`T2Ë_1‰‡¨±˜�$t
+§{ajD/ME±7MâiÊOM)9ŒR´ºš/..Öh±¾ž¥4XœÍ9KPš$¾5Tz£òÒ»L{ú¡©�š’‘˜þ<<IÃØTx£ò»L{ø¡©š’x|”Æ(Æ8uÃCÕyøNåƒwšvð/L­ð'¦"£àãa<P9à�Êï2íᇦvxhJÒqð¢Æ<ð@å€7*/¼Ë´‡šÚá¡)ÅãàGq”z<¨rÀ•ÞeÚÃMíðД’qð„#B¹çÀƒ*¼Qyá]¦=üÐÔM)ÏÅõ"LˆçÀƒªóð�Êï4íà_˜ZáOL)3”°ÄsàA•Þ¨¼ð.Ó~hj‡‡¦4/îz$
C<P9à�Êï2íᇦvxhJù8xFç8òÀ•Þ¨¼ð.Ó~hj‡‡¦tÜ
�‚R%x rÀ•ÞeÚÃMíðДŽ»á…)A4ò|ÍÑyt#ò‘»;𡣕:Òqw»0ÆÂÉ÷BUp£ò’»L{ô¡©�šÒqw»0óÅÜsÔA•Þ¨¼ð.Ó~hj‡‡¦lÜÝ.ÉbŒxŽ:¨rÀ•ÞeÚÃMíðД�»Û…8AQ{Ž:¨rÀ•ÞeÚÃMíðДDbÓ§?OÏ’aß7<�g7"ºË±#:ZÁ¡#Exw£cÏaUr£ò¢»L{ö¡©šbôk?«ëÈŸ±0B1�|K¨3*oÆ\¦}Ɔ¦öŒASòdL^ºõ«PåȘQy3æ2í364µgš^ KIûs䘣0J<¯ŒPå 7*/¹Ë´'šÚÉ¡i‚–#Øi¢„rÏ#T�gïT>v§iÇþÂÔÊ~bšŽc�ÄfB<Wg¨r°•—ÝeÚ³MíìÐt1Ž=dˆ³Øó2¨r°•—ÝeÚ³MíìÐôíYv9�|µŠDAÜ·C¦.ËûCó<›Sƒ«2¯e1²ãŒ$A®Úë¼i²›½®e�’4wºá±ÈŸTiŸ?æ{=A¹SmU¹×Óg‡ƒ*Š±U?´Öº[ÕµÝgµnZ]!U¸(jé¿SŠÜ1ï"–¤x:—¯‘œ«oYãAQÞåÇ¢igbQpÛŽ©îUguhŠª¬UWq«e—
+ÑÜçEô••jÜõá‰Vžè0á‰Öú�o‹¯â{ßx·iTªA§‘é4
+tq˜ùü´Oõ˜�ÅnÀ¨ö»š†c@!*û¢ntó­ú±ŠZàkU~®Ta›•'ZUéTΪ¦ŸA•²f Ô@2	¤mn«£*äÿd÷‡}þ›¤ysÉÒÓí3"¿íä
+oùt,ó6»såa¼B¯~W3œì�¹eŠ•LAiÐ>LQy˜‘ .Ê益 ¤f·SªvQŠ†cV~Ïuy+ŸHÛ»S
f±¼–/î�ê»êa¯5Ù^i²�\%)î²Gm¦:Äœµn0Èx�ÄgY Z9ŽñPÅ u.ÖTDY°*UËá˜m›b›«ZsWè!b£æÙQWäV•Ÿ¥|â²pÓêõ•
Û¬Ö¥§¢¹S¥û¬|V¥"lÌMÞ(Å.‡ü%“Ú½E)¶i"ÂoÚ�móÐ=¶Hd6?Ê|É
+×kK´–Ù}›7Q,JÕ'f¯Í˜C¶Ík¹Áx|®T¿Š¸!N‘3¶]Ürh¶=¶Ûx[d{KO9®Ìó]»4DYPZànô^Ùå‡}õl¶e{<Ê�x—•e{¢Â}%3ú¬7V•é!ÙS¦ÛÀ¡G9Ò(z5:{1×*ûÿe‰šç—ÿŒ
þ²
+‰—Ä3oR4NP˜0j‚jÿƒ¾ˆœ`$Mj	ý?„{“endstream
 endobj
-1026 0 obj <<
+1300 0 obj <<
 /Type /Page
-/Contents 1027 0 R
-/Resources 1025 0 R
+/Contents 1301 0 R
+/Resources 1299 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1031 0 R
+/Parent 1297 0 R
 >> endobj
-1028 0 obj <<
-/D [1026 0 R /XYZ 85.0394 794.5015 null]
+1302 0 obj <<
+/D [1300 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-410 0 obj <<
-/D [1026 0 R /XYZ 85.0394 562.9775 null]
+1299 0 obj <<
+/Font << /F37 743 0 R /F14 681 0 R /F23 678 0 R /F39 858 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-930 0 obj <<
-/D [1026 0 R /XYZ 85.0394 539.9988 null]
+1305 0 obj <<
+/Length 2717      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ]oÛFòÝ¿‚oG!á–ûÍí=9±�sÐØwŽÐô�)›8‰TDÊŽûë;ûIJ¢d]œM
+qÁ°FÄ)â”
+�‘E%�/‚ ™ÝÄ
+¸*Jú$óºô‘0¤2¬EÊåÁÝ´Ÿ¢”C¼'ëˆbÊú¼€GÒ~ÀÒ2æLÀCAƒ[ÂŒ¡3
éîì°F¶§Ãf
+IÅÕæþŸ—å´š�CQªâ§‡¼³�cÈÀu¾(ݼq"
åËe™»ymrý4&×
+1ù¢S°8…Çê�bÚÔ]>ív½B!B^Ú>`�ì¿áœ!’n3¼‚dÌyÉxì92ÃNm0ìÔcÞ-4l÷©‘m¹…ž2nÑOõn¡'g�#2nÁ0n
îOxó+Üâ!é?ßå\B"#’vƒ!Ö~7X½™�µçåŽ/H�TÊØaÖ¾�A	�q¹ÉŹÝÙèÁ˜žæDöƒ¹×–7”‹/m(
+çÅ;7V”³|mŽ3«|7œ[ã;f³ºfIª^¹!Ö
]{,-¥“(éu¾«kŽKÅaÖ›ºN!>±Úäâ¬×+…
+a`¡‘!·cPoUFN€›Y¿¢µXæà­jGVøUÓf]wFwz«çeéø±• <æóµÛÈS
s~±qçálJ€äþìIŸz\Ž�à­KX`t�«òÉ"èE!û8BNP
j¿mlT±°ŠöôûÝçà’6ˆ6r‹ïçͤÌ
‰l’ÙÛV
+`èé¡q0Äé€ØžX�…¬êp;Üyf6ÖhmÐÌlf4Ñ3⚥ni¦üYc~L–„ªQ¾”&{œïÍ“–¹�YÆÎ
ÎíHQµ€Ô¡ÓGYü¼SÔP‰´ÒQN_EŽi™)Ë�LåÖEß÷­ÜÓA!”‘Tþ×
+‡Ô.›Ú\çQû¿³Ï9œ¾´éLÏÕíÓ¸¸77»FP¸K!H4´êë<Eû$M³lã~çH’~Å~çÆ3ò’óÑ)øgµ]ÎÊÕÊ_/{Ã$xŸ†µ÷1L{oÓƒÖ²tf‚T¯=A�è‚«Ÿq{v$=G��ÛHþ:mþ¥,U/CØ)›êo«U[vGf‡lp6
l²ƒ‹;›
²ÌÛGƒ›ö¡îÖW¯ðÑ6)ÃØÛ©þk×y—ï·×P?Ö^ì‡Úzk
Yò{a…–®£®¿�>ÿŽ3á<LÃÚ`ú¦_œÁ4¸i0Â…/?4xõß³ëO§—W/í€aÿ�	ªE¹÷n«7Œ�ˆˆÌfºY^Í׫òÈ@ÒíØ”kbIßXÌì³�%r�ߊ%nsµ=‰~µø”‘ñ\-Ý=”¡€ÎÃÅrãçó»æ±<`Ò�®þαFàÄÄ"{ɤ
+Q	æNhŠrx3ºsCJS]l+%J ¦°¿ 
?@€œ!Ý7ôóÜD·È|åJEø¤TB]ØÉ»gûtWƒ¯YÂÕ�ñ'‹
+endobj
+1304 0 obj <<
+/Type /Page
+/Contents 1305 0 R
+/Resources 1303 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1297 0 R
 >> endobj
-1029 0 obj <<
-/D [1026 0 R /XYZ 85.0394 352.0635 null]
+1306 0 obj <<
+/D [1304 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1030 0 obj <<
-/D [1026 0 R /XYZ 85.0394 340.1083 null]
+414 0 obj <<
+/D [1304 0 R /XYZ 85.0394 517.7894 null]
 >> endobj
-1025 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
+1187 0 obj <<
+/D [1304 0 R /XYZ 85.0394 495.4781 null]
+>> endobj
+1307 0 obj <<
+/D [1304 0 R /XYZ 85.0394 307.5429 null]
+>> endobj
+1308 0 obj <<
+/D [1304 0 R /XYZ 85.0394 295.5877 null]
+>> endobj
+1303 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F62 990 0 R /F21 654 0 R >>
+/XObject << /Im2 979 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1034 0 obj <<
-/Length 3403      
-/Filter /FlateDecode
->>
-stream
-xÚ­ÙrãÆñ]_ÁG*e˜3(?ɶv#W¼v´r%)Ûå‚HˆB-	Ð
-	ùõìÇŸãÅÈþæ,ŽTêÌâ:q$ÒT.ögÚ¨Èh¥dwöþìï݆ƒQ¿t–"Ž¤^�2PË…QjŒqФQ¢¤ê8(,p%Žãe“×yMD¾o³6ßçeË쫳ý>«‘âÏß;¸˜x±’:JµÐ~ðGû‡_²Í†;ÿÁµ™FÎY¸í1Xs[m�
ÍzÊ›_ªú—²¢î~Q¦Ó­êê¡Øä«â·»ú5«è�:ÿõ˜7í'®Ê7å'`ÖÖYÙÜå5/)�ûÛÀ‹ÙÝÃüÕ]Uï³–fþ›˜ZU™¯`ÂcØãwúì³ò‰áM·D„cüçç¹Ó>äOM¸ÿiÚº(·ÝB!Oaø‰¢ˆ¼‚ôUSëuÞ“Rô@
-~÷kEb#e¥†-"«•ñ;üÅ™(µ6Yà=q‡ªn;Éê;„ÏJXÁ’yV«‡dˆXrŠ˜3‘‚óþ¯ˆI)@ÇâdŒÚ_�2�•¸ªAOmÜ8á^VϯóŸâX–E[T%A²rC�šl›óQêy½½¹Ï;|úI"�à®R˜<ÐíÓ½X¯$1aÚ·
á–7Ô]ßgu¶nóºhÚbÍÀ¶¢ïmÎØ7Mµ.`&â±hïy„>õ¹pË|_µ¼ ÌöÜb$ÁbGÄ~�FJi”5¥JÚ�“vV¿‚\•Z1C®UËuVR£Z¯�553kïI@­­ÙåùŽçß�&ÁNU‰œÛëŒï€Ùñ„Š·/Êì!íœÍ�¥„‰„QŽ~(òǪ@œq'T�î+›.¯îžß¥˜õØ걄?Ž�ÁýÌ‹EšÛ¬(½X84€ö”`_ÑÅÏÝ�Ž#gÍk.Ojqr|óž�‘»':«½¯>>;:hE º%
-þ$©“süQÂmxȈ¶éYBGÒiù¿ž5Ã�cƒ¶Àƒâ¦2hïS1öC›ü.;îÚ&꜔×zç=µY>UGjlŠf]y£Š½öUéÄó
-j…�	 Ô¯±Ý2Ž´îÄ{#žžf€°Ä„Óֻ숪Žvn“ƒkÍÚ¤—
-]ss€c+´!þPïñü%1æQŒL]{Q®YHAH<>q²ü··›Ø
-ñöR2üž'€ôØHØ¡?¢J‰”ÀwÙCŽ Ü°¬õ"§­es…Û´|æœUR.Žl`@Œ='¦¨0‡OžN&
¬•2�MÉYÛ¥•l
-a@.Øqœ
-Súa|°ŽBzlmÂñUû´t0ß0Ô]/÷Q®žÅ´‚ˆ%MÍG媛5òÍ}uÜ!–„f»Ç«@Ø~¬ê¨9IÂñ!ÀÇú@iO’’‚$ésæÜÉH+e^mε•!HD®ÍJ£;%zYãlšŽì$ÓUð×ß´¼?x‚œ�º=•ìÑ»y=@š:3qŒ�"d4Õ…ÛƒFg•Éåu2­œ™Soá¬ÛÊ×/
-ØÞ¾fà�cWÞƒž‡�ˆu
á&Ú=
±ÖXp2-’¡b�eõXÐc¯9ý�þ±Ü
-¼ïR3¡F·j\Ìôq*&�Î'Ê3�æ7ñ§fe»®bìoqJ±'BÏ1“|ã‹úB]Š–÷Oœ<8ˆP@)BæÏÃ÷¨XëQN0[?³‘J;þ
-âx„÷>\܈#•ØI
(¼˜tu‚ÄĽöÉØ)l&VJ:i»ÔÂ
-®@Ä+ï} eƒ·²ýS'Σ¼
-Cƒr}dÛWò‚¢¼­Ž^› rD1ÎãQŽ88dÄ\6ö‰T#''ˤŒX5_Ó%»'ŸØ£T즙ù ¨âÈ›ž
gçÈÖÁ$Sv>(àΖ”ñ öíp^Xœg¥ÌêHêNñ‚¢r%]Dqê+é¯)³
-#¿ü“òl$fâDN#1
±ùD�xÔdîAÉ©H÷¸Â!ÓZÈî5]
-P· d¯ø¯…ŒRçÜü?-VÝŽ«á–áoCúÁ„»$éOöʲ™¨däúk
-Ï "Û›ý\n®Å)3aÀ”É1Ú¦³�&�Ë…þf<¿Ÿ@‹|�‚ƒ5!,U  ÉA_ñY©}ₘ�3R9)ˆáãùÍû«·ŸMoŹ(1±X|6Àcà �ÕÛ5®ÿ\	ÓWÃùÄñ!�'»"ïó€·³àTÍ¡’Èâ“ôpï“ÿÎt³^@át·þýà€ß%Ë6Ûñ#(+þRpkÇ%v—Œí—•ñò¼‘õŽ¼[Á8ÅUKZZ¶?_Z
Khþf\¬U“¿$à™&�œ	€¦Ø–Y{ìžãL—0ønó2¯éŻdžØ`“	,B9¦
GŽ
-иk¶ÛU�
µ½ÁÆ2Ïâ°ã)¸'&[
-ßîwp_O÷I£L¦R½�2±]ð#¯H ©¼™Ó•Šs‘³O‚æþ•§–«æì@ÜýçOÿc¯ÿ;£†¨Î¹gŠ´ßT@
-‰2É	æá¯}§¨ÿU	¾Ñendstream
+1311 0 obj <<
+/Length 3077      
+/Filter /FlateDecode
+>>
+stream
+xÚ­Z[sÛ6~÷¯ÐÛÊ;ŠA³Oi›´î´É®ãNÒL‡– ™SŠTy±£îîßsp
+Ô†ÅJª^�"†­A/œóåËÍ&oóªÌ
+:ê;»Æ®WG¶¾ËËžx«o¾XɈ™HDŽëÍ�½\©H/³;EË&°ÃÁ5°³/ §Ë¬h*š²ÎŠÂnücùE
+J•i›á™[>#‹4,M’ÔOóüóÆTÒ.yÙÚÚ‹å%¡�¶"R¾?Ô—"]V÷þ(m˜áȶ9TeㇶÞVŽ¼By@"bœ£I„`FkéDÙgåVÈÄ,«-|ÓÞã€bÀÁÄË_îlIc¨»K±ì­
¤^}¸bí­áFð|H´evê{�ÔdÌž>yáYù##1ó�¸½îªº]­»Ö‰‡£PÜ¡–¤LH)ØZÊt$)®+à\¶ÔAM¹†	hrV6ÖS¯¯5ÞT­
›díŒ?ÈD3ðeýœ?(ððHpŠB�½l£Cƒ$ƒNaho×wY™7{2ªâ	3\¨©Q�%õ$w¼ oVn¨á¶„oYµÔ *²ÖúN�øuê„Æ·oÞQcH£ùë{§'ho»Òi˜õæ
é”L�Pã(V`Ù!ìÆ~£ÀÊ›Ê6DvÒ¹q8ôÎR›œ'N�üÀ;�]±ÿ+×Ü~\ÛC{²ôúº±­ß„¢dckÀG.oÉv§Ž6ñ+Õ'T±B/³D¾µEõ
+T®[KtÄ\Ô»=Òèùt"ÎÒÈL…Xp›‘%ŽYÄ#õd,Š¹~2‹­À…Q€ºÂ•¤=x$Ž”CÕ49Êãzžà™v�o�žè6”@Ãtzê@Ýá J‘ïó“ ïýVŸØÝÅtåf£è½õ³»f^«R¦•ŠƒÑ²�+¯Ù&ÿsN¯‰b\é¤×�n1:6jZ½^΃ªöBƒ¯A*«¢êý}^R|F£úOCÄ©G$šѦ€É¡¿o�_¦Ié<8ùåRCÊoïVs…»êÚYeI¢ÒϽg=fø\Ä¡þ­�ë"_ÏñI™†søic„À
å
+>Ã^ôœlQL)´^ðþâ]ŠÂ†GYÇž§¿ä¥‚¥F˜©FnBÕKµü¾z°ˆÆ
+ßßÝ­
[λ‘·^[ë.ÀaÙ¸ì4~c¢í2Ú£°Mã7ÝNä‰útFŸEyu
KVU�žøØg£î”=(Ãç#p
zõñ$À•HèŽ#°0;w
+`Ÿ®ØõÖ¯¢A΢”ZÞMÜ)
Þ	º¾â"oIl:
+ hŽz?/ˆ>ª¾tïp¼³Æú™èÊŸ²1´°aû3¸Ë
9Ìx2îu‚OC+`˜ÉÅ=`×T2'oËmUÀ­´çž
2�k»ý>50ÔÅê.^gž	f
+ìÍ…J>/]³GO—’µˆê	_9æŸiÒj<ëüKc?kçŒw’3¨½âéíûY3ûOÀŽÔ²C4àj.ê
± áŸ�Nø°©Fï‰ÏÞR&�6ÁìþeŽQ©é�dc·YWxÿºÏú›tÞÌÙ:†š#"ó9HïŒ�U*Ñm¢§í<žuÞÎý¬‘�×…Ð\îVî{dò8a€¿äÓ’ô³fD™œ:‘L©TOe!-K3¼‹Èþ
T†‹Ìžž„pV›9È«†{£Ä'Õ¶Î]Å‘�ƒo!ulh€ž7ýû)|¼þ™�ædÅÁÃÝž.)+Ã@«Ѐiþ8kn–òhúÀ9¯ØG> Y*EX	•¥k-Âi|™’P׃zà܈1§þtÍÕ–F	6`ù¨ˆÀQ-2BWt}
+Ô=„Y~p¹z÷¹}péæøŠñ–ÙáPä¤dxÈj€
+ÏØÿOº<zzÓ/ÓMŸÚõw{l‚�¹OÓÒÅhÄàýùÆØï£ÿýl=­šª«×v8i~ˆ\
+$øèÈ’HQþÝ
if’$^ŒèÃÙߪºí£
+;fäÃÁ„xÚ"$çê>‹?Õ$LÆ.@Q¤èŒ¨Ñ—‰*¹bR%fVT(Zùöøi
+E �È蜔ú/I)ÅTd̬á'R>¯ÎÁ6ÿwËÏý/�Òÿ
gññ¾,üåÿóþ	*3¤éè(“”E)0ñB¹Ò=†Ëþ‚‹þ?]˜Ãýendstream
 endobj
-1033 0 obj <<
+1310 0 obj <<
 /Type /Page
-/Contents 1034 0 R
-/Resources 1032 0 R
+/Contents 1311 0 R
+/Resources 1309 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1031 0 R
-/Annots [ 1037 0 R ]
+/Parent 1297 0 R
 >> endobj
-1037 0 obj <<
+1312 0 obj <<
+/D [1310 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+418 0 obj <<
+/D [1310 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+925 0 obj <<
+/D [1310 0 R /XYZ 56.6929 749.9737 null]
+>> endobj
+422 0 obj <<
+/D [1310 0 R /XYZ 56.6929 262.7954 null]
+>> endobj
+1313 0 obj <<
+/D [1310 0 R /XYZ 56.6929 238.4558 null]
+>> endobj
+1309 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1316 0 obj <<
+/Length 3978      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZY“ÛÈ‘~ï_Ñ�l‡£.TUÌ“<#ÍʱÖx¥ž];Æ4
²±"
š
+s½9\¥×;hûñJpŸuì´÷úÃíÕïß*{íŸÉìúv;šË%©sâú¶øeõý¿½þóí›7kiÒU–ܬM–®þðîýDñô÷ýOïß¾ûñç¯o¬^ݾûé=‘?¼yûæÛ÷ß¿¹YgŒ—<Ã…
oßýû*ýøáõŸþôúÃͯ·¼zsÛŸe|^‘*<È?®~ù5½.àؼJå�¹~„JšïåõáJ•­T¤ì¯>^ýG?á¨5]âŸQ.1NÚ%úE꯽½¶Æ'™’*pð—›u–¦«œËÓÓºmΧMInÈ‹âT¶-Uþ–š”JÕñïØB•ÿA>\K)aÓìz-«•	Óÿ.4	‘xcäõ¨
¦4ú×ÉzÇæÔ-,6�i1¡l¢�Öß¼ØwqQìºVN&&38
�ºÀ“õCö[Ù¢<ÊÂå�Šÿ¶˜o^lÊ-u¢S7cËÿ~‡­¿+EÏc«º[�]I�P‰„�Jaº¶<=”'R™�]Þ•‡²î¨úCù·4•uÕUMM”¼.¨ðs›ïJ^J�V‚}yŸù°Òí}Ùïg$å.É\j 3öá
<ŸK‚
+XP7î6Ú[*Ví­l©º¹ÏOù¦+OUÛU&v
ýß•ôŸ·m³©`š‚ê�UwÏ-ôwºnUš.�«:?ðPÞ$@
À�ôjõn;y¤¡¸§Ï4v_ÞˆU½ƒèº\¢(öä¶*ܨ‚Ù�å¦Â±eñ
+)fÕÝ—Èr%ÃÐå”×»’ŠÍ–G…=µÔ-NµipŸ¸—vªR½ú©Þ?QLJ…CÓv³•74M/
8Õ>?·<"?÷UÉkÐü»<üû c86†gMã!	ÿiU�™†úGa«jºó	
+ž9_8–&`pxÃUù¸¤\:qÆ=;ÊŒõ$Ýæ@ö‰K­ž^óåul
+”çÜ3ÏÜåp¬¹US—D'Â�$fñîtš8k¾æò¤Ï–oQÍŒ‡%ƒnÀZÝ}Óòò(ë‘Ú‰eØÑ)©A¡ƒÂwjŽkºaEo'üT㛀X*)á³­vu3h­¶i¸�Ð�:<T€&¸4V¶a�ºYâ�µ
+^¢tVgatG84îÓ³!)¢îÞ-{WÖ$FôþÙK*
+æʨ¨ÏÍ‘] ˜½ª‡Uhd‚û	ð¿Û7w¨
�†¶T¹µýÄÓ0)XâŒR€d~@åªùAíËE¯R;­Ü‰Ôåâ±Mâ™èn'	™–¤,a#óBDXBÚD�¥`	û…S9
+&°/+µt>
+�“cõ¦Q‹ZתSo¦\#’6›Ê±YmIÛÜHÒl"!m*ØfvÞ3ô5Óe¬™KkÙ½óÚ¢´Bk³ö°€L €ZöFëåks™y&­0{Åð
>'øD^]…¢™²¯›2Œ´^†¡e
<“È;
+Rú5ÒJ1л¿¼ÅœÒ35 ´�–QD©Ù?Âæ‚›‰ÓØï|¤¬¶³(
-?wÍ
â�N
+>õjKP¥»<h´îk˜"¡âí=‡¯[vˆC@Ôæ!&¿qþݪ.ƒ€B+ ;VŸã^ÀšWÿ¢µ¯6÷TÞ�Oèûzvú¡}4Ž\z,qù¦ûJ:Â74õ׫ÜÈ+ÃÑK®˜Æt¡÷拆rÝ÷š¨b{ßœ÷¸KpBóýcþÔRù±9}BÍÉ2ö�v<ŸŽödž$ó—àÜÉD+e¾ε•ÑID®-¥Ñ½½¬qÖû	Nò¹*þ7ïOá@.xÝá”lÑû~ä=@˜:33Œ"äÔÕÅÛƒB�Êdòz™‡RI@æû[Øë®	y% 1h…2ÉúRO8IuàÅní%*Ù_±Ú6<Kù9? ë÷XñŽ€�ê·È×8W•AÊG€rwÞížf¾Í)oïcˆQjÓœN7nu>vÜ€•øøPbæÌ
+jÎFK
Ë�Í€#$QIŠü
+¨Œ(wO‰©�ã)šsG‰>lìî+&s"‰,«8MÜbµW
Í\ØDñßgÀŸß’%0¸¥Yu:܈ò«HYßž÷Dc•³)ÀÓª½§Æp,�Ñ='r
Ìز
§ôø@€bäža-ÎÁííq¤æ¼9ݧ3â–’$ývÆðF@8þŠhÛl
V÷å«9–
nÇÐó0=KÍ�äÝ`S÷’jW±ÄÖˆÑÙ#¯j{’¢Ýd¢�‡ÿ¶xÄ‚¦³æòÏ_TS€+ÕÇ#½PÕT¨ˆ hÜ>W‡ó
+²ÇCÅ:‹íe^‰h<)0”¢Z
+Õƒ-F/uÈ|ú™V©¨U¤¥:Q*�©i¯jRJR5)ùí¤jHaUCâXÕ°©W5l$	Dr|s
"»¶’“€2¨R§ª¶V©`å
+ÓÇ
+'0ÙM
r¾¶Ñø!9«§hÁÙ¼a—EÙ­Ë5Lø¸˜‰621Vš!£EÈ
+”Ñ[C|‰yyìLƒd|å

+*RMÄ°{Í)3¨ŸëöÑ5MÁô'¢ó—*@ñ<ÿ@qÉg¦‘ÛÝ�y·¹�)&>ÂD6Ðû¦èÓ‹è­ã?͉%ðËrŸy½ú+Ba°·Ðž±Þl·OTá@4䜃ÎP9˜SýU(K‡…œ'‰º‰spöÙ]JŽ
+¼_üè/…§ý¨éXÀB„z’«Á/æÄÒo[ÌÊ$uý+cð ROù
+tž§ïëJêu½õaåÑB´…à‹ŠôÂzV�fk=1·‹o.6Q¾çÿè—¦‰âi¢2ë¦jvW΂°Ù&f!Ù�À{¾
¸©¤ë¤íÓQ–�.PöÕ!ß6ºAP¨Ï‡;JXóÃÉzs>
n!Òªú®9m‚JÌ+Ši^qb‹Æ‹Lø�æq½«òç3t”	«–ŸR
ºdÿ™Àì
÷Äͳ¹#ƒ;ûÐcì&Fž�{—LÈ7’{cý–KBt6äKú=¯�,΋Rfu"u:�Ñ’øú*’Ô‡××£wXZùõ©|º½›4“óè]CôQ€(�Z¢,}„àT¢‡½Â"óÏü$~¶¡µ„ë‰R~͇~2ñιåÏüÖýŒëñ”á¾Ù[hµRbX9(K±„ËÄ
×?i*èØ
:ô¥|˜§ÌŒ
s&§ˆMn�üÄÖaÆó›;”ÈVàÒ(8øŽ¢
+FŸMöÝ×£þÄñéËÚlVÜÃÇ2îÛY0ªæÙV2·£Æ;yöÙfìóÂò³™†Ïöpé˜zÈV]¾çOð9«ármí4Ûà²)rYˆæÿ‹'²Á„÷#ø½Fñ
­»/®‚/Þ¼��<¸P”WjçÉ\ÓøÙš3»:ïÎ}ºÃô)4âÿ»².OôÝVÏ-±ÁÄp¡Ó„
+„!ÎÁZp´Báx„˜1vB‘l&SúÁ!]gÊ®^/%@¦O^!ÑYíª:ïzœ�=/åë&ðMÏ%fx7¯ØËŸ"ø]ŸØÕ±íî)®'Cþ`âb1�úzžßyNœNy“XØ�òÃ
‚ºPA›[—ŒœOlf²PÛ$©xö\‰³B�Ù<¶Tð�…ÃyßUÇ=wÁ91ÔRø¥f°Ÿ�ÂlF™u¥Ú+jeþb¹âl€ÈtbŸ}a5r(öÌEŽ=ÙýYú\|ÜX€´ÿŽö_þP|øŠ^ƒ?çœ\†•f‰“ÞÆM…/vŸÁWÿEùó­ÿ™¹lùendstream
+endobj
+1315 0 obj <<
+/Type /Page
+/Contents 1316 0 R
+/Resources 1314 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1297 0 R
+/Annots [ 1318 0 R ]
+>> endobj
+1318 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [87.6538 115.3135 137.7628 127.3732]
+/Rect [116.0003 115.3513 166.1092 127.411]
 /Subtype /Link
 /A << /S /GoTo /D (tsig) >>
 >> endobj
-1035 0 obj <<
-/D [1033 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-414 0 obj <<
-/D [1033 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1036 0 obj <<
-/D [1033 0 R /XYZ 56.6929 752.4085 null]
+1317 0 obj <<
+/D [1315 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-418 0 obj <<
-/D [1033 0 R /XYZ 56.6929 588.3944 null]
+426 0 obj <<
+/D [1315 0 R /XYZ 85.0394 708.4928 null]
 >> endobj
-948 0 obj <<
-/D [1033 0 R /XYZ 56.6929 558.2805 null]
+1208 0 obj <<
+/D [1315 0 R /XYZ 85.0394 678.3234 null]
 >> endobj
-1032 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F57 624 0 R /F43 600 0 R >>
+1314 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F21 654 0 R /F23 678 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1040 0 obj <<
-/Length 2900      
-/Filter /FlateDecode
->>
-stream
-xÚµËrã6òî¯Ð-tÕK
-vGÜh¿ˆòÍŽùÖð:>	Ö¡•Õ_täÓnÖ@sKˆ @øõ‡ô!ME±`(–HÞ—ër•oö@4!9ééi¾‰g˜þ¶<Çþ¶pîÛ*¹„úb‹“Ì™¨ŒÏØÏkÝ$ëšD%{‘àšN€ßýPÐZm^®šgJš¢ €¬€EÑÌ·å¦-ëŠõí˜/Iˆd¾ÔI�ÊN:©2ò+œTpY—ÕalÌÒ”	+ÍÄɌ֣}ÜÞM¸ê…µŽ~ÚŸpÖŽùâúïÑo¢þ0°sÍÌ‘HZ)"Å×Žê” GÜPÖi¸sï80Òd˜1ÚyZ/'ä,ž¦`Û]Ó‹éÇⱡm¼oó¶XUrÐ6_¯ó-ñW¦'I:™
-
Æ!D8Â>'
¼ÿëÍÄth@çmÚmYÝYµ[Ï0†}
-îÓÿèÙ*p£¿'WÿÃ#§ŽYkÜЧþúqLÏ ˆÌ1#E§^‘~®z_èáU¹7#Ê%
-D'$8âE~‹(yõ9%ãË„¹Ôf¼¨lÈDQÙ4òê…ßxV¨^™&Ë¢¢õ
Øìf«rN0XC?%�ÓOUWÓ|×.kX/Ç€ÐTx ã¸ÞǪ~¨|nTÉl„�DVEÁfaª·Ÿ²(�¢÷·VÏ Yy¹%Ç
-‹¶·»[LéA9¾àá˜(çX£Ñ lñWyшGÑÍ%`¯2…*
- zœ]à³ÉIîêh^\iW5å]…Iz°1Šï*,
-Îz……Å»¢Í¦
á±
-¨ÓÀãÚ1ÐŽûÙʱֺ@ìköиÕMq¸ô^w0ð=цî,Úÿ õóAåÿz‘P‘q}P*\]5E{hý{•þí=X°''ð¡ŒöMa€Y˜�ò©ût�*å>_k\ë‘"@ºÐœH‹!
-#5a×»U[nV�B:q¸½mYøÎ#ƒH’Ï—ÝÜ:¸ˆ&çbrò¼^€–œ—ÐU¾.ž‘®�aÖ54Aˆ™2¿‹�NˆLm=¯WÏbÀ¸ÃT¶\?;(±ºfèE¹Wgýµ	^
»ÉMÒp&í:Ä öDyHå·Ýׇ<Ô‡÷eñðµe7•ÄA^7¨+¯*©˜Õê 'œ¯òfPœÄíuÞΗÓùª9::ÿƒ×+n<ÅÍʇÄÿÕ¯ÉG¹AÉGîUø-,y�å£wuÉ”œÉ‹æ¦ÞÞTõ©&Á«©ö}ïAÍŸG¶›ÎûƒŒ3›Iþ•ý�8uþÿǾ@‡_þ˜“PŒãýÓQ(�)Õš2¥z†›ú¡ØÞîV„¬p;ˆ¾…ŠcC+~AÇÁtmŠGˆÖ'„VE;äí�Ù#ÂMŒÇæUó@pGH5ŒÿØÛÇp@Pϧû"å/ ê
™ÂMì	ÍGê²æ¦Ù‡¨tü}XÖ„²yóˆ ®k%’ËvøÂ{[Îw!é!6é`ºÀ \CÌD…vË5›UxÑVW´»M3æxÑWï‚¡,ó{
-¨”êÀ BfÓ‹Ñ*ê±Í!¨G.·2&�:i0ê݈ÁpÑo %§2°dùyËà<Vì"VìtþÍ&Ÿ|°€(E"É,|k¨ˆhö8X
-AŸYû+…
-b½Nc­J+¶õ‚A=fÇll¬$“’�æÕàE‚îש ô©6é¥YB ±yÒ¾±!¢36<al ¨UÝÊO›dÓ‡ú&…ûí¶N{ÇLM3©÷Ë~ÂÐ4$ic¾›€ÃO¡�Y<¸¾„OYPÇ{V�ÅOZ™N™†5>ÃÊBæë—a£W€ÜÙl`jøL©\r‰2IIݽ‡	¼tPY2«Ûåèã
!-ù´¹k|€Û7µ£Ïƪ!Ç[s8¥KN‹â6‡”H;Á„‰¿ž¦QzOÑŠe›aO�áÖÁõªÀ"¥N.«î[W²¹��¡{Zó�!K;ʇ|ƶ
-™×Øîéå¤ö$Ëd*N=ºd™R_¢=‹Sº§-êQøU6×æÇ
-Í©t`ÙîðUê‰æ¶ªUÍïaYbÏèKªpÏT.Ð!´¤ÇHø°.æ˼*›õ ¸’Ás
-7‘¨·¬÷› êQ·”‹Çt"UB˜	ˆÃ[úmG›g™…¯'jÐŒad>(Aâ[†_¼©õ‡ÚꃡŒn¿Õ¾æ“ª¯,Bà}wÑ'ñ7š‹°XµßŒgŒ—&ÅŸm·Uzå�ìÒôÀ?º{rÛeŒÁ#:¨Yv‘ÿimhaºi2
¼
¿¡`Oýo‰„(åØ{GÚµ¶ßü'ûÊÉ“ÖŠñ—™BÖ�‚P¸#uôÌÚýƒÊ±èÿßi9€endstream
+1321 0 obj <<
+/Length 2790      
+/Filter /FlateDecode
+>>
+stream
+xÚÅZÝsÛ¸÷_¡·“g,Ä'ONb§¹ö’«í{èä2J¢-N$R'RvÝÎýïÝÅ)Q±}—NGÀÅb±Øýí.(1âð#m˜Ie:²iÂ4z4[�ðѼ{w"Í$MºT¯oNþr©ì(e©‘ftsÛáåwNŒnæŸÆ†Iv
+øøÍÇ—ïßýru~j“ñÍû�N'Róñåû¿_PëÝÕùO?�_�N„Óbüæ¯ç?ß\\Ñ+x¼~ÿá-�¤ô8ÂôêâòâêâÛ‹ÓÏ7?ž\Ü´{éîWp…ùíäÓg>šÃ¶<áL¥N� Ã™HS9Z�$Z1�(G–'×'ÿhvÞú©ƒúœIe䀥R N™Qð
+x³Èq@*:¤"eBJ	ü‘¦Ùde}›oN…Oêj»™Å9]öD”©s²r>ÌW	a�ó�Ü›
Ö´ilœ6[fÛ:¯á(=®×ù¬¸}ÄŽ7°?úþçû„†PŽ8dÂX	—œå�d>÷ý¼<›Š^L7XÍof4©d©	´Kµ–^ Ûjs:Q<ÿ»*sléÝÖüøCÑ,Âø"§!ZqU5aB�oî�Ììà]	¶×÷ùòñT1;M¬_Ò‚vGÜh¿8Òç›ò­Jàux2Êif´3/:òI;«§�Š%eP <ý!ýʹÌçÅ’ãëbU,³M؈&• ="=Í·ñÌ`¤»-ϱ»-œ{d[R' —Ô/¶8ÅR•ñŒý\’èv¼ªHT²¥K%ømÐ�Ö<o²bYŸ˜ÔyN
²^hÌóz¶)ÖMQ•4PÝù’Ä@�y©“Z�<é¤Úª?à¤R¨Èº(÷±QYP�²rd¥bÖ‡(E/7w#j\u`­¥Ÿt'ÂÚ!_\ÿý&꣄0Ìî‹”Àñ@–žHøÚR=!È!7„Kp ¥T,Á1a…|
+}E<€²j
+6
S½±xø$„Üù1
C5…"ÊË
©
+‚çÃ"”˧¨¨¦S»ý>©Þ«³]�ÅÓNzåßÈà
�W(4‚B¡ÕjÚÃÚ±Žqéž­ç\Lè}RÊÛªÎ÷—Þé:±R5m
í¿W {PùÛÅ?c¶` ]0{éæÕU�7ûÖ¿SéÑÞƒ{rj>Ѿ	F;©Ê·g¤O\ür­ÓçkM3�¨4$¡Ê!D!RÓèj»lŠõ2§^')nŒ	 I6[´sk8èà"i0¹4'ÏÁëhÉyi¸ÌVùé¯
¬Ü»�ÌTÙ]¼�ÈÔT³jy
ãCÙbu¶—eµ—t¯3ˆ½&ébÔ:x5ì&ë]ÞõgÒ®±#)"åáj—"Š�"Þùß˿‰ƒ	¼¾ ®¼ª`Igô^mø	ªÕºþÜÍÓ÷�{•5³Åd¶,@’6Ÿ÷,L
-¾xŠ/K(8þû«¡€N| ãƒãöêûc̺Bm³kÈF&äÒHÿ˜×_ªÍ—²zºFðê©ü=lHù1ã’=L@dûÒúÁþœÉ ‚Ÿ_$ȧ,àXH 	~î—?äù§

+/Ó.Û÷�€.e
+§ï'`dø„€©dVò¤'¡=Öl˜µ"š|u»;ß@Ëý¡ðÐ�5í§Š[±¤—r17d\Cé˜RŒ+£{·ÌôÍ—j0h„‘«
³4€VæI{—É¢ceØ9be ¨ÓíÊG­LCBnìÈh¦ä÷0²Ào²c8dcPmâªß°1‡ÿ��ßM¼ÈïÛ⥂%iW¸cæe·m&LrýÜqó2²2æ5ô¯ÈOð¯&wV¼ÍMþô?Zv÷�”$‡/¿ €±Ä
“ ”Ï‚Ì�äñ¯/‡¢ÿ¤¼Oendstream
 endobj
-1039 0 obj <<
+1320 0 obj <<
 /Type /Page
-/Contents 1040 0 R
-/Resources 1038 0 R
+/Contents 1321 0 R
+/Resources 1319 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1031 0 R
-/Annots [ 1042 0 R 1045 0 R ]
+/Parent 1297 0 R
+/Annots [ 1323 0 R 1326 0 R ]
 >> endobj
-1042 0 obj <<
+1323 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [399.2874 719.9611 467.9594 732.0207]
+/Rect [370.941 719.9611 439.613 732.0207]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1045 0 obj <<
+1326 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [461.1985 544.3622 510.2452 556.4218]
+/Rect [432.8521 465.5772 481.8988 477.6369]
 /Subtype /Link
 /A << /S /GoTo /D (DNSSEC) >>
 >> endobj
-1041 0 obj <<
-/D [1039 0 R /XYZ 85.0394 794.5015 null]
+1322 0 obj <<
+/D [1320 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-422 0 obj <<
-/D [1039 0 R /XYZ 85.0394 703.9029 null]
+430 0 obj <<
+/D [1320 0 R /XYZ 56.6929 621.0496 null]
 >> endobj
-1043 0 obj <<
-/D [1039 0 R /XYZ 85.0394 675.4275 null]
+1324 0 obj <<
+/D [1320 0 R /XYZ 56.6929 593.3949 null]
 >> endobj
-426 0 obj <<
-/D [1039 0 R /XYZ 85.0394 595.0025 null]
+434 0 obj <<
+/D [1320 0 R /XYZ 56.6929 514.8384 null]
 >> endobj
-1044 0 obj <<
-/D [1039 0 R /XYZ 85.0394 563.7177 null]
+1325 0 obj <<
+/D [1320 0 R /XYZ 56.6929 484.3742 null]
 >> endobj
-430 0 obj <<
-/D [1039 0 R /XYZ 85.0394 407.1582 null]
+438 0 obj <<
+/D [1320 0 R /XYZ 56.6929 330.8003 null]
 >> endobj
-1024 0 obj <<
-/D [1039 0 R /XYZ 85.0394 381.6476 null]
+1298 0 obj <<
+/D [1320 0 R /XYZ 56.6929 306.1104 null]
 >> endobj
-434 0 obj <<
-/D [1039 0 R /XYZ 85.0394 250.4371 null]
+442 0 obj <<
+/D [1320 0 R /XYZ 56.6929 176.7683 null]
 >> endobj
-1046 0 obj <<
-/D [1039 0 R /XYZ 85.0394 219.1523 null]
+1327 0 obj <<
+/D [1320 0 R /XYZ 56.6929 146.3041 null]
 >> endobj
-1038 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
+1319 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1049 0 obj <<
-/Length 2026      
+1330 0 obj <<
+/Length 2380      
 /Filter /FlateDecode
 >>
 stream
-xÚ­Y[sÛÆ~ׯÐäIš‰6Üåmyüä¤NêN㶎O;sšŽ‡&W6'©’”·Í/°ÀJ¤Ì+MÇÄb!,.€%-§üÉi‰(QÉ4Nz2œf«‰7½…½7É2'´èK½¼š¼x©i"’HEÓ«eO—žÖrz•ÿ:‹„sÐàÍ^ýpñúüÍ/Oçq0»:ÿáb¾P¡7{}þýQo.Oß¾=½œ/¤åìÕ·§?^�]ÒVÄ:^ž_|Cœ„ŸQzyöúìòìâÕÙü·«ï&gW;_úþJÏGG~Ÿüú›7ÍÁíï&žðNïaá	™$jºš¡/ÂÀ÷§œ¼›ü´SØÛµ?�Ÿô„ò!V�øc
ùÊ·
ü_]™v¾ð!$¹yïyª29-ï‹î®¨ˆNÑQP×χô´ð/
-42Ö]QW--\€,ª½àÀƒHÈ0ˆNÉc°ø‘оÁ8ê¦
-•Œ~jv
-@ã½Ð•+ˆìÁ	BwéÖTкʲ»p¹³þí¸»%‰ŽºÖÿ�’ŠÃC¯O¨á€Öù8qÀd“¹ª»ô¯	;™ÉM•1¯ÞšÆi­�V×Æ=�ÞÓ0PG¦'ãC/£_K¡•ÛÈÏó0œa» O)™L‹¬L[æï]ôpv¾¤
‹è¡lÁO^%ƒþöùÅP66+“³Þ‹ºãÓ¹œ¼ZIé«îç۽ѫMÛ±uÕ¥‡EÁeN!†¾Ã=!É­¼-öù¡ÀÉ°Äù…ëÝäjI™ÈêÕº(M¾p)Ü×kG»·
_¨ð�]Äqúï
-Cû‘9öŽèŒA�¡%½dªk(À€¨ajoi…$9EQS}¯ÊRæÙ{ˆáx2Ižv|ªÛÜt5Hd•/Z‹ å°R3
-˜å.2[&Ò¥
Y炈Óêaôʘ
-8
¼2:Ö·¦�Â…¥\�ÙÐåà^Û=¬±ÚŸ¸ä²^Ô‚¶¾FoZ¼v�¼×Àk1Ü­þ™Ÿÿ!Yøy,ðŠ/ÚÁ�ÛÔì"@Þ3wÙFë?m°üPè(‡eùâ‰\ÙâCª½«7eN4¿³!YcB‘pºiU™î¾n>ôFG¾öç‹Ý‹™bðblÿ^èb|:q
-À·ÚáÀº›z‹(²‹Æ
+xÚ­ksÛ¸ñ»…&Ÿ¨™ˆÁƒ/ÔŸœœ“óÍÅ—:n;Ó\¦C“PÄ	EêDJŽÛ¹ÿÞ]`Á‡ÄTrïF°X
+ß9ðöæçk½»»zÿþênþùþ§‹ëûN–¡¼œIä·‹OŸÙ,±º`¾TI8{„	ó¹Rb¶¾Bé‡�”S^|¼økGp°jŽNé/”‰&"žP àS
+•I!�sÝ´E•¶E]5(
œ‘ƒ3°•«$€‹psV¦»F£ŽBåÝ,ç)¥WÕ­š�Ί_:	˜0ðêvED‡ŒpÉý-h©®Ó6[-²²ÐU;ÅCºŒTL»Ó*Ÿ )@{`ÂÅ¢)<ÂÉõ2Ý•$I[ÛÑÐ)ª/xz¶�QèBŠÙ‚s_…¡°ü”%º„òÒ<ßÎyâé¦Ñ��"ï¦êÖ
+äÃÎ�<ŽÙJg_‘¼™Ý|˜ 3%ªü8
ç:S{Ò$ÿS{\ùA†ÏÑ^‚G„;’¥Nв!áÚô«ž¸j!Uì3t呿ꧩ[@Ô(œû=®ŠlŠ�ocTTï‹\#BzÈ
+„B�À*)Á�œt¡ vÉ£iÓV¯‰s [ÐØ_*c00jkQ¿
+#Ƴç8”e¤€ôpKS—{tsYÕcguÕêom'ªÑÒ—Œć=…™Ü6í„6$¨rÎImD"v*#×
+¦ÆF%õÙ ‰q4¡¼ƒ‚-¸?ŒÖú°Ô¤kZª:ȸ¬­¡|›’°Èeƒy
ÊX^,Ñ—Úú¤qbØâîQ^ž¶©ÅÙDÀ-}�A(S¶`œ$§œz_‰Ù8©™4Œþ¥¿¥kàñ%93Ô²b`[¥%‹5ª[†ø8XîSúmEgìÐlJçÉ?Ü~$œnw¿ãjàÉïÓ
+óa(­¢CéÂ[øÌÄé
+'Ñ+Å\V-Üñ}Ïôzg:äš’t:((ÉBÞ¡‹.I©¼)zûØ@Æ0ÀÍ­ËÝV¤’�ÕëMQê|áLØ»/]ÖLfo£¾Pà%�Ʊú÷�ª=vx%Œ�‘ƒ@Mõ�@ײê
+ @khÚ/v† 9aµ&†R	zEˆ®Aµ^tÈV&Þw�x«[ܵ5ì.2°*5I‚/¸ƒ´œYU
+ôb£ødè™q_¡ÐÌIBÅ2ù^â±€¤ÎªL©d¢z
+N`qƒŒõ£j pj©F­11ºõµíÓ£ýD“Kt‘
+ò¢©�Þ5ô	ëð]ïgè­þ?9ÿb÷J5ú¶‰€%Á�Ø6ÙEày/\³ÿÂÎÿc”%Cxe†ÞW¯ì–{|5«zWæ¦7‚5
GÛÎ*Ý>ÖÛ¯ƒÒqô�¥{HXVÌÀ™o~¯’K‹øýÒ
+'ÛþƒŠáWo÷EFŒÑc&G`Ùœä–èbÊÃ}Oº9Ÿ§”.ªÑ)ZBöA73ì­h‰œÐÏð³"\À2ånƒ²_îrÓ×›ûò|k?\Žè�ņ®­=4ŒèÃۺʀ“ÓÞñ¡�g4pÕåä#´(ˆ/_~þðâ’"wŠþïg,væ�‡^ïÞ°ç{ýûÞ¿Mçvä,æ£{	šÂâáéÀœ›­Þõ®éíþÌx€qV Üéå®yF8•ŒD;Çû«úÙÎÙn‹¬uZú3ÝŸºåÎÿmïkT¿{€¢êfÃoR8„ò“$VN8KB`’þ!`êK‡^âå
¼„#ú«	ÿ^Ú3ækÊÓÇá×æ½Û¦ë5´
+ÇåMúLÄñ�¢ú—ý †ÓO¦½ý<Òæi�Mý›"ã_pÿ½±NÜ?üO_ÿ7(èL&‰èÿĵ‡^¨ú1bÊ(6>ä¼ûKð˜õÿxÅÃ…endstream
 endobj
-1048 0 obj <<
+1329 0 obj <<
 /Type /Page
-/Contents 1049 0 R
-/Resources 1047 0 R
+/Contents 1330 0 R
+/Resources 1328 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1031 0 R
+/Parent 1332 0 R
 >> endobj
-1050 0 obj <<
-/D [1048 0 R /XYZ 56.6929 794.5015 null]
+1331 0 obj <<
+/D [1329 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-438 0 obj <<
-/D [1048 0 R /XYZ 56.6929 195.5375 null]
+446 0 obj <<
+/D [1329 0 R /XYZ 85.0394 122.2879 null]
 >> endobj
-962 0 obj <<
-/D [1048 0 R /XYZ 56.6929 167.3986 null]
+1228 0 obj <<
+/D [1329 0 R /XYZ 85.0394 95.0525 null]
 >> endobj
-1047 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
+1328 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1053 0 obj <<
-/Length 1020      
+1335 0 obj <<
+/Length 1016      
 /Filter /FlateDecode
 >>
 stream
-xÚÝXÝrÚ8¾ç)|vFZK²lkz•fI6�mÚeÙ«n‡q° šÛ•Dúî+,cLbÀ¶³ÓaýXßùÓ‘ôIÈqÍ9!….až0RQg4í¸ÎÄ|»ê rX
õQo�_/}ì0È|ì;ƒqMVÝ0DÎ þtvñûùÇA¯ß˜ºg>ìê»go¯o~³=Ìn.¯¯þîŸwïlpýáÆv÷{—½~ïæ¢×(¤Èàq)aàòú�ž­]õÏß¿?ïw?ÞuzƒÊ—º¿È%KG¾v>}v�ظý®ãBÂBê<˜†cØ™v<J õYõ$�¿:Vk_hSü(	!
qÐ@Ôˆ�ˆP}‚IÁXDÉ,ïßuËú0˵ÈRÛõfé¢Ñ‚ŒR\`Æ"áö³ÒR¤“]C3ùÉØŽøÇ¥n–&óÅXH¥M5"QÉ¥²ƒžÌ,aSŠ|ű´�y&µ­™îuã�- „%è{£qâq,Ám¤Ú:SŒ×Ó´
-€uc‰T›?x¦lÎÕ0“Ã4Û¡o=ZX’M€ßJh:›Þr¹§e”ª1—@Ä	ÙLïÅ¢—X-¦í°Voši1ž7ú·°Ì1z‡�|vû…Ï_jÜVß;Ö* ²™ñu"ŠÜ«%Ò¢@"J¡‡lÀÀ#´ÀÿR|¢��ïÔú×ù»5—@€|d¯6Ū´
-ÜûuÃü—†�±Ó0Hp@7
û–¥(i¡´©6Ùjã¬ÄÜG‰ˆ…ž“ô\šVË̉#°§f=I>–\Ý9z@n«kÓr~¨ÐÕd
4‰b!ùHg²\y¤ï†i4åå¤aÃ0`›ÊÖÛ&�-OžÕLZ!ËZ!Ä6GI¤ª]u	\¡6„êy¾š�$º/õ—Ù¶10J’ì
Ôÿ“-–YÌ•N#=º&&¡lÿ÷!°Â¾Î¸<FVÝ°Õnv"q³Ü$+åñTåéQ.«¬)|-OºSŸŠ£;>ú–Ù¢Ö›’ñ5]Œ#‘,Ä$Í$ßzxãW°
-ô#XþïYú
¬Á*V» Ò•ÿ[\}Z‡ÖÖJP-£í“´:Ï«J}–ÖAÝ·
+xÚíX]sÚ8}çWøvFªåoOŸÒ,ɦ³MwYúDF±ÑÆ_•D€”þ÷•-ì@
+†ffw¶Ã0¶¯¬££«{¥ã‹4]þ�f;Ðñ
_s}Ú:²µ îèÚL¶]wPù¨^õ·Þ
;o®LWó¡ïŽ6œÖ°<¨{Ò†á¨ë@ö$‚Þ½üx{usýipÑs­îðæãm¶Þ½ºù½¯î®>\z
 endobj
-1052 0 obj <<
+1334 0 obj <<
 /Type /Page
-/Contents 1053 0 R
-/Resources 1051 0 R
+/Contents 1335 0 R
+/Resources 1333 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1031 0 R
+/Parent 1332 0 R
 >> endobj
-1054 0 obj <<
-/D [1052 0 R /XYZ 85.0394 794.5015 null]
+1336 0 obj <<
+/D [1334 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1051 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R >>
+1333 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1057 0 obj <<
-/Length 1196      
+1339 0 obj <<
+/Length 1041      
 /Filter /FlateDecode
 >>
 stream
-xÚÍX_s›8÷§àѾ)’�š{JS§—Î5½sÝ—ëu<Ø`[S᤾&ßý$˜œ8IïÏø�eÙ]íþ´Ú];Hÿ°Ã<è	".(d3g± g¥¿½àJÔB -õj:89÷ˆ# ðˆçL—-[>D¾��iøièAGÚž½¿<¿xóqr:ât8½x9„¡áùůcK½™œ¾{w:
ì3<<ûåô·éxb?y•�W—¯-GØÇ
£“ñùx2¾<�>OßÆÓ&–v¼¹&�¯ƒOŸ‘ê°ßt…Ïœký‚ ‚8›
e.dÔukN<ø0ø½1ØúZªöâ‡$®Æê>€Œ·
-bÊb§Ï™.úíÈÓE0Ô±]{#=Ï,u÷Y7ÑàÖôµöjO�žž6ráÿýÈUõ¨ÃcÂsÚþ·Úßñýÿ?
·ã^íIßÔf=99§Äil-�c”Cä1¿¹1ªA•oöJóAërÚ´¯¯õ¤…H"íìd8AZâ£
-VQ³Ðþza
+xÚíX[oâ8~çWäV²ëKœÄêS§K»Œv˜]†ybJÁ´ÑäÂÄf[f˜ÿ¾��Ps-h´ÚBqœøËw>Ÿãcl!ýÃ–Ç ¢Ü¶\nC†0³†Q
Y�úÙ}
/ß
«—@ù­wÝÚÕu-¹C«;.ayy¶º£^ýö·›?ºÍN†êl
+™Méª'¬}ªýY
+¿æq,D•Å4T
ÈSΩòM¤	ˆí�>P*Ü…/Ânɨ׫oä�óµ’9ÍÚ}±¿2´7})—^ø=�9&X5›,G<±º6Ù1B£7íðAŠGíÈI\ÊÓ)W™Àá“~
™Mr½jŸý4ž�ý œ�q’Šõ"\"^]å×v²\‘­hŠHÄJŒà.�‰QgúV�ɆÎRMv‰ç‡aò¾NE:[¡æý:T	)‘¯†OƒPG‰¼ÿÇÅ”Üf?œNÊíA2Éfüp„ó8É6ï< Le«:ÆIªU]+£Ä‹š§þóQŠh­èh�’Y5©Tûp°
G¤²2ý½"½¬sÖ¾´aáð»\Å ‹Üó�ïk3+ÃJ~9?†p¯ØŸëF¿
 endobj
-1056 0 obj <<
+1338 0 obj <<
 /Type /Page
-/Contents 1057 0 R
-/Resources 1055 0 R
+/Contents 1339 0 R
+/Resources 1337 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1031 0 R
+/Parent 1332 0 R
 >> endobj
-1058 0 obj <<
-/D [1056 0 R /XYZ 56.6929 794.5015 null]
+1340 0 obj <<
+/D [1338 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-442 0 obj <<
-/D [1056 0 R /XYZ 56.6929 158.6437 null]
+1337 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1059 0 obj <<
-/D [1056 0 R /XYZ 56.6929 128.5298 null]
+1343 0 obj <<
+/Length 2934      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sÛ6òÝ¿B�ôLÄ
+&¡äp¬ß�ƒªMÕ<ü¾úE©¤­q[ƸvÉÀϽ{¬Â>'Y£Ò¸LµíkÙéïa§ûËä¼­ú§–TèØÚ,ª41{ñ?™’c)³sKú¿ùS¨“l_ÜŸ×)`% Wý9«¹¿xÈ)×é´•j�rëÌŠ,δaen\?T;´‘çiœë²€-�ì~�r‘öÕîмv=
+T”`߸/Õ”	è87Z,à-ª%Z½®Š¨îãøC⯶M½p<Ï&æƒ�Hi’��=wøD•qžæ©ƒ×ö§5yœ'þ´MÝràmµ¨çÎÒ<Nmñ$žaªÈòHâyLjMÇ·áÑÍO<ë–KF÷}X¹’þr@ÆÎ"ÃÚ
’M¼0
·€À;e݃[ž
™·�ö[ð YVó¤õþbý.AÄƨèƒH�DF@
±ƒ²gåZF»¦ïÎÏÄÁüpn@´˜ozqSú®;‹ )Âã^=4}wdܲZ¹}3¼bí;pÉUXà¼Ø
ÌrÒõWìè8n®£m·ÃûäI”ÆPV�/‹
+P8.†
*¾ÆxŽªÕý”úÄ2Qã:ã,iT"gk:ðÁœœGr€Â
+{õ¤æ~Q™ªQà>"™8VmÏ(r^À¬÷­xÙÒϬ„vÝí{8[œôxJ“ÕôLµ%
†`‡
†X¥HÊ8ñÔ°‰ê”Œf†ïŽ
+²Çpèæ
˜lÃXÿÝîëj#Ô,£}�
+^VQøP&ºö¤Õ×Iå¹Í¶©^�ŠLÚ¡
+
+•¡¬Ã"'µÑG‘ãS—\€i1TÑ	„ÿ¶“,ëx™´]2…dÑ­£
+ZI*T>šâûÛ�oêȸ÷ÀtU¹a?Ƈ:k1Yeu>±Jþ<½ÖÖ°-¡Ò2žÒI
+)5§úÿZøïéñ�\Ÿd¹'µç@&mLþ´Âd$+€¶:0
+Ë1‚ R|ÁÚ)°yÛÔp'aš`8ë��ÊŽ
+†ˆH¾S¦Â�2õìN”U²£*$; /.
+ö�ºgÂQ–lwõ)-`I}Îî7ìûù”ž˜¿µÑÝõ;]ê‚£´+Xy’Tfí3;`¬>êkƒ	XNÏÓ÷Áh×í»ÝÖMäðÒÄ�µ}í›YR˜±¥ïjIAFòƒô½Õ®u
S‰Híè­œZ➧Coí7;7¡ç?ëŒ^ÜG?뜞mØÆ^þ‘gÔÎ|c‡”&E¬sìŠ3g×ùÔOÌ*ü‚úÍ?hŸ~íO¡ç/Š$´dç-|^Äi
LL#/”c®žýÜîùªÑÑÿ…wQÒendstream
+endobj
+1342 0 obj <<
+/Type /Page
+/Contents 1343 0 R
+/Resources 1341 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1332 0 R
 >> endobj
-446 0 obj <<
-/D [1056 0 R /XYZ 56.6929 128.5298 null]
+1344 0 obj <<
+/D [1342 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1060 0 obj <<
-/D [1056 0 R /XYZ 56.6929 104.1184 null]
+450 0 obj <<
+/D [1342 0 R /XYZ 56.6929 660.7607 null]
 >> endobj
-1061 0 obj <<
-/D [1056 0 R /XYZ 56.6929 104.1184 null]
+1345 0 obj <<
+/D [1342 0 R /XYZ 56.6929 630.6469 null]
 >> endobj
-1062 0 obj <<
-/D [1056 0 R /XYZ 56.6929 92.1632 null]
+454 0 obj <<
+/D [1342 0 R /XYZ 56.6929 630.6469 null]
 >> endobj
-1055 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R >>
-/ProcSet [ /PDF /Text ]
+1346 0 obj <<
+/D [1342 0 R /XYZ 56.6929 606.2355 null]
 >> endobj
-1065 0 obj <<
-/Length 3602      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Ërã6òî¯Ð‘®Š8x|TN“‰gÖ©'ëqjI´HYÜP¤V¤¬x¿~û’’©™IM¹\
 Ñè7¤
-þô"u¡²Y´H²(tJ»Åj{¥O0öáJÎÒ#-§X?<\½y›Ef±‰ëÉZi¨ÒT/Šß‚wÿxûËÃÍýõÒ8ÄáõÒÅ*øáöîG†düy÷óÝûÛ¿Þ¿½N¢àáöç;ßß¼¿¹¿¹{ws½Ô©Ó0ßÈ
-&¼¿ýç
·>Ü¿ýøñíýõ?]Ý<g™žW+‹ùïÕo¨E
ÇþéJ…6KÝâê,3‹íUälè"k=¤¾útõ¯aÁÉ(M�ã_dlgKé0Îlry_ÞCÁ¾Ò4ÚAÞm»Ô:
-3—À¥8gÂT%ép).™\Š6:´ÖºEâ²0¶ÆÒ­tuþ\"oÞ¼�ì;I
-’ÑÈ<µ›¡Ö&a¦T,xuÕõBð®\U¿+eJš…l‡I)L¶
ל¡	t“© ÝówÛò1°§ƒÛ_šƒ»Öã	k™ §ÂvWLšÛoòžÁýF6.bsÕ6}¾êe±¾%"Õ)q‡]‘÷ˆŸ¦AE¨ÐXµ»l%L
@xyhx¦š(øˆT]ë`/³˜1Ø*ër[6ÃjyÃ�¼îZn=–¼|“o…wY¬Î´oûÃÆxð$î‡à¸WtØÌ?¼0BQ®óC݇KGA¿Ï›n=LÈ–ÓREÉà5�Û-Ãwí¾g¸³²3Ç4â†�œ¿Œï‘`’Ö(æ##Âc)€MÞ<•×(ØÈ뚇‡K¥9/DñZ¿TÍ“`󇈜!ª9lIôµ…m׃ŒY	Á0 Â-Rø¢ø!ʉø
­ÉH`	·áoΨ»’0—Lµì˜wtxÄZ£°Î\ª°MñžÑ‰È£½MUðö
-~íü¬õɬaA
-³�3¹â8õq€Ð—³KExÕ£cÒ)F[× Â3gÐØÆq2œáÍÙ1 ÐIÁÜ�JÆÅc˜Ìøc7¥¸›×»Z&'›~q5+›ÿ9�XA‹bùœû
zl¹Q—=‡Ø!I¶©Ÿ“x&Z7ÐÑ€î¢F}l;ö¤ËĆ ‡ÉYÜ
-
-BÛPé¿—jø)s
PÍR'ý…\ÃEQAÈŒé�_“j]	ZÖÛ€±«�1°üh‹©C.×°ýÇ1±"Ðĉä†2�éU¹ëQ"r\O¾ŸÏî`mƒbÂø³~ÿî[;ø=ú’û²;ËDAwÈìphU
@óât[9
-iÁ–¸=xRÚE’<?äãìä<ÝÅ	|Üsew1èø�}ãbEÞp=£ë¬FâRAÅØÝÈý9DOàÆò'¡¤’-QxÙ÷¡oTqtz¤³°CLIߌÆ{=2ÈAQ|:ìI¨:²Z¢I—:LÉÐv˜ÆuäØÕy«€�Kob ”õDtŽ¹~–¢Û†Á²#´¢7)’GÞ6
-ÃÛ2'LP�{Å?ñíVŒÃ*ç$­7è11Áí¡.Øž<•Þª!‡	DY¤àùû&Í!`t.²àhççotÈˇ”V�Ù	¶×>ïA…=ò‰æëÁxGY&÷ŽÀŒ?’ÒÕ_°H)YzßÂ7åg‚mÔú"ïÅÜLnL@
á
t×åÔeƒ½„&¥+d„*	Z'¢
-ñ Öäx²/UàÝAÀ^­'¶h8ÌÏæHœd'È8¾èäü9ædPÈn7yÇ uÉžn›S+Jœopü•דÚçÒ¨lR³S>åPbž
„'4*ot±%3h±¡iÙËËB°YZlÁ™à®k™âC£¹{î8”<?ä磋Æ4ÑŠc˜T`œ¸H7¸H€ä�àp—t
-ûœv²œÃ¾+I	}ÅÊù¨këƒT„&³ò9¾?UÏT0
+_´èá¸Ml#' µGI18©VŽø¼ûKŸ€w€äy_a¼ð\zºOJ<µO<ˆ—³~Ñg£ÆÉUáIs¸"’U�Š‡ÄòÅ()¨l
sþìöÕ3×j5Êd?û?yäÐ
KÝ¿§3�ÎÒ1z\B�,VB_¸�W†ßs9`(›>l±†D’Vu”œý<Ýôé$»c­ÂªY"ŸM7óý.ŸË)uÕ²]¦�å2-_¦�åò$	D
-Ÿí¤àJ“;Jt<\9hÐpëv¸u!^è9á0«¶óåJÑHË)Ù4ÓùÆôiÌÉ´ÎB‡ùì×/:L¹˜“éD…&2Ñr2“ê02Îy†ó}ñUiY¢‚ßÁ}òŸ=
-“1£>Tá•Ï2ô¾~MŠâ0±ÚKûXF:c¥‘ AªÔS.‚¯T0G	˜ª—ÝÜsUêÂ8Î| |™µS�¬3.N�AUÃ;ä3ËÇI¨ „øâò ú€™i}¦·MñÆ›�“u-ð%Iíéºóm.
-�ƒæœ;`;�2ÁqS­Ð
-9#eóë‹»†XDÀï%é.Y'B†„¯t™i ]¹ÙçœÑ_`[Ü>ÄðƒL2âI|
¥X)~#@P;Ã�ÅaœféWqÁ‚iH’×2‚«WÓ§F—œ�d'žC	ÌÁÄ5ù'¸r»ë_ΟëÖ³÷¦M�|Å&Œ“ÌNÊw¸,q�ª°‰¼…PÉVüð™NÒ¡t‡iÛSÉ’7-/;AÊËŽöÕsí«â4W�×HoXô·‚ÄœâŠOAØÉ
,½�âD~ƒÐ¼k{
-½Ù?¯%à™œöàùór:ã¼Bµ;J
çž—áÐ:~eB~l{Ø(D3ãnTQDÀ‘R#ew„°?$Š*™EÆ„`ä
"á%O#¾Ç w‘±gåkz&ÂÔÊøäÎrݳ"¦[#9š¯t
-
-ÉÍ;¤ŽXd†ŸÕdRX¢ð
-endobj
-1064 0 obj <<
-/Type /Page
-/Contents 1065 0 R
-/Resources 1063 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1067 0 R
+1347 0 obj <<
+/D [1342 0 R /XYZ 56.6929 606.2355 null]
 >> endobj
-1066 0 obj <<
-/D [1064 0 R /XYZ 85.0394 794.5015 null]
+1348 0 obj <<
+/D [1342 0 R /XYZ 56.6929 594.2803 null]
 >> endobj
-1063 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R >>
+1341 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F21 654 0 R /F23 678 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1070 0 obj <<
-/Length 3274      
+1351 0 obj <<
+/Length 3085      
 /Filter /FlateDecode
 >>
 stream
-xÚ­Ûrë6î=_á·*35Ë›Dqö)íINÓéIºI:³»m[ŽÕÚ’kÉÉÉ~ý%ëfù̶ãñˆA q#(1ãð³0b‘•vf¬f!ál±½à³èûx!<μFš·±¾}ºøæ&’3Ël$£ÙÓª5WÌx‹ÙÓò— b’]Â<øîþîæöãÏW—FO·÷w—sòàæöÇkj}|¸úôéêár.âPß}õÓÓõuE~Žooï>ÄÒãĤ×7××wß]_þöôÃÅõS#K[^Á
-òçÅ/¿ñÙÄþá‚3eãpö/œ	kål{¡CÅB­T
Ù\<^ü³™°Õ놎­Ÿ–ŠE2T³¹0Iŧé
t}3†±qÔ';�AÁaO¢X3%´iö$4­=±’ÙØÌLhY¤¤r[²L7éKReE>/òÍ;.Ñ77ZµFÔ‚mæÿi�•—s-T@OÊtI�ª gš¯Šý¥ˆƒEê;Ö)áö©¹Þ²JªƒŸ´Xb–¯öIYí/ãà°¨n¶™6`á˜
Céøùo‘§0VŠ(ø•‡<e/ ÒZP†O_üîú	½™àþá# 
-F}Wù;5’¼|K÷Ô®ÖIEÈ™Ÿšè/ÒìeEÈ[V­‹CUc-ý¼Ûd‹q,
-œÜŠ Û¶¡Ç¡÷,',·bH@gŸUïôZ¦‹Y
-
ÖnC%½B¯qQB%€!z¦+\Ã,4½ãjã“4Ä#w"T<X9P±¥~o
-A‚ZÛä÷ÚOÂ[á½Æ")½×p~"f
-bC³Í#"C“‡õÒ¬Ó2+–#+˸UÖ£ù�SR;Öñ‰ú²¤¦c%ÃãÖ;}”éþ5ÃXéÐ?‚oŸnŸ¾òSþD¿»Õ@À¬Bž ËU2¸­ºPTÆ–sÙ2Wœ´Âè<Œ™µ`}ŸÔaÍ…Ÿg
-rm^“}V`œvq转ÒmI=ˤJžq¡A7AyX¬ýp�
Üì©—/$ÇaW£ïöª–Ÿ9É—4¦,èYä ¢ŸúD1Q¤ïoä_—çãÁ÷�c ™Öaì÷¯ÑGz”ïy‘¿o{*Gº@ª4¯Çw4ê
-Ìuírå6!ø÷×tSì¶i^Q�£OÈiïÁžÐ UìˆôÇ«;·£eªŠE±¡®E+¸ÓL9¡’5
-XÜi¯©Í
-E5:øÊ�ºýi,
M–KRöŽ…Y^¦_ü‡ORÓ¡®@Ú`df‚™¢–ñƒmðçí
#Z3˜w`°2Ó~À‚„Wƒïp3¬vÔXgx€ô�Yƒ–Óæ¡9ª,Ó*É6åIÛ•V3šxÚvÛX§m·ÁBHæ»b“-Fri&´Óä¬ú]ãÕà7�ê2Ð5Þã‘îW)õ#V^}ylˆÞvŒ#½{	„�¯N<5L)XªÒÀ6§S!¡Æ?#ÚpÞÑ�
-f‹9WÓŒ4X#œtÌD°m±þz6b;ÙȨ@#)xhcq2/Ñ\‚;BO(aƒFüá¼_œ—èÈÂ�MØé}h°Î12˜mZ	•j¢3JØšP‹ö¬,N�ðyȬ†Db’xƒ5B½»åœ
¨ß»Û2)m°M“teuØÐ{6¦n£Zgõ“Gz	ÍÐØvfL`�_SjSL‘þënÌI\}IùŠÀÊ´¢†«»"—Éb�ÑÍœlrhù++iÛ7(žìH-IF!Ó&®ïj0s¢ÖÈpÝMîîŸnoþ=VlŠaá›’øŠä«­Üˇ
’Oùœ‹`Aa–rØÑÅT”øÕÃ=Æ&+]}Ûti€-¬ðº
-'‚»¯ÒPWnO²ÛgÛ„Æà­=÷�B-%‰Xi‡Zz9 AshU‹
 Ý«¶ØJ0
Äd\8æXîÖÆuê}ˆãê}C“„ 0:°:æÑ7b°áP×çy,YÇ&¸òìûŠZîjÏi�—KøMÆ‚…Bô®¨(‰«›‚æ�°«#¦Œ¿ˆÛP2%£šÛNŠ\AÝmj¾ôÚ¸¸¶4ÒҳΠWæu;LBs¬ðzMˆ‡šÓz‡º¢ÞP�ÖJ!ZGxßÖÍ¢§%‡¨CÝ«ƒ7W³_Ó.†—Õá¹s-ëopš˜XFZi{1Óí®¾¦Ak9éÊEÂA<ÿ¤+oc�vå
–+7¯ÓÅs´Îr˜¤†˜PŸ!Þ`�Pï&©pT“ªGÞߎk믡í—	aþâÆß�#Äk_µÏÜÍO½”صX'{p×N�Ü1¨"¸»DÁFùžWÉgêuꃃÒ=œ<Ùe±¥¶&UznòÆù©{Ž¶>¡*…]p¹q£~±ü¦ð
Ïþ®È˯{{Ž�Ö­—Š¼|ÐÈÓê­Øÿá>ø‰I¿|´
-xÁ{©†�ÅÂ_¹ó©›«8õÙˆWË÷]êõ÷¦¾í¨P1iX=HöÑ
>Ñ£ÕŸ¥t3Å®UŒ„m,Áˆ:Ù[Á!n,%„�hEË—žf]â?ª|å&yMDz
+xÚµZYsã6~÷¯Ð[誂›ä£3ñLœÊx²§v+Ç-Q³©ˆ”í¯ßn4Hñ5ÙÉÖÔ@ 
ôñ¡ÈbÆ៘E†qëYkf¸0³ÅöŠÏžaîý•ð4óšhÞ¦úæñêëw*œÅ,¶ÒÎW­½"Æ£HÌ—¿o¿»ùññöáz.
,»ž˃oîî¿¥‘˜š·ïßݽÿéáæ:ÔÁãÝÇ{~¸}wûp{ÿööz."#`½ô;œYðîî‡[꽸ùðáæáú·Çï¯nYÚò
+®P�?®~ù�Ï– ö÷Wœ©82³WøàLıœm¯´QÌh¥ê‘ÍÕ§«4¶fÝÒ1ýi1ccè	ªá¡9.�Áá\ßJ€ÎmÔ;w.g\(;›[e™™£Ä-£
{ÏB3«¤r&Yû×d¿DÕ|ýÆNÄaÈBY8
+[TÇ]:¶È")¿ö¼~UÄlIO·H<û žÊËbAôáþ`=y²ìÒÊ\†’…±	»Ú9À´ÌFQä7Jòå×°×ð<eX(uÔ•'Ý—#;ü¥‰j{s=W!^×Ùb
]mƒ×l³¡^²ÛmŽØ5 8ôÇ!ÝgiI	a@MRÖ‘#yͪµÓƒj�b':�
+;ü%™¡(ühî,M„ÞÒnß:à \ј8p(�/Ã�A<:þÜW�Q±13ÿ“Ð-bocèЩ¾_%ûª¤þa‡—&È*?P¦eom[’Ø騦(¨EÆó%õ“±5Nú‘ËÒpe-¦Ôyvš§HÀȶ(+궔iÁ7E7ì9µÃ¢ÖÁ0êÕn›†þÖ„Ìq¾ ¶6|_“Þ_JŠ½Øv-%)¬º™Å&)=ÑÝýê�¸¬–ú^Å’L‹+‹í.ۤ˹‹40°LWÉa3ÊùK8Ãö$0~�ü”=ÎT ±�÷¹KK¿øÚS|iN½»{¿*yIiµƒíÓ!ÛTÈ܈	=«>âøǽFëB~Ñ?ùŒHAîbå_ر^qÖkèH0‚£wÂ2Åvftb­½6és‚1jŽ‘căY–ˆBZu�XR�â²ÒÜ'î.ä˜J0Ó?Í
bBqð›Q¼†ÍóÕ>)«ý5¤‹ª®¦Î ×ráÂk
+Ñ�=»´WCéüá
MÝß>bùì¾xðñá=F#Fs7.‚á$/_ιƒVE£™ß½¾¾Ùá$†ALÕ‹C5ž–QÒ–þ¹ÛdtQ
+
+Æ:̶íÑ“ZülÞI£ 9À9ûÌ%Æ0^BN艣&ù1ùÑPEœCÒL‹Xº-bÜÿëÛ�nîî
“e±·,RO’ãÝtk¨’Á.Zçs8@Ž†¨Ò?�îí6æ@_›%Ý8·;vž|4ÇS²tÙÍò6iÒÊ
+àfO³P±‘‡]M¾Ûg-¿3¥Ò°¦,¨-rQ+ákùwz|-|É{1|÷iì@�…~ë5Èá‘šò˜ùqÛƒa�ùÇ¿Þ#Š›orŸšJå‡¾ý%Ý;ÿÀªÈBؾýîæã'¸Ox¡Uä‡Ñnîi½“U±(64µhÇq·SN¤t``›-�£�»J�›àgª
+ÿæ&ìœþ©É¤»õþò	ß=üÀ:Í_�à÷OŽkÿC |{ö…�/�Â}ëY΄‚ØÛâs
+O5ù´\ƒ]GÑ©ù
+qKÜ	Ä5Ô“‚÷÷ülï¥ALÈ×õ”îšiz;�ƒÍƒD¹?‚;
þûêú‹ÿïôWŠ:„¬>:àë·SÏ2ŠÁ3³ŠàÉp„õÿ˜Þç×endstream
 endobj
-1069 0 obj <<
+1350 0 obj <<
 /Type /Page
-/Contents 1070 0 R
-/Resources 1068 0 R
+/Contents 1351 0 R
+/Resources 1349 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1067 0 R
-/Annots [ 1074 0 R 1075 0 R 1076 0 R 1077 0 R 1078 0 R 1079 0 R ]
+/Parent 1332 0 R
+/Annots [ 1355 0 R 1356 0 R 1357 0 R 1358 0 R 1359 0 R 1360 0 R ]
 >> endobj
-1074 0 obj <<
+1355 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [284.2769 435.3027 352.9489 447.3624]
+/Rect [312.6233 217.8123 381.2953 229.872]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1075 0 obj <<
+1356 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [282.0654 405.0176 350.7374 417.0773]
+/Rect [310.4119 186.5529 379.0839 198.6126]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1076 0 obj <<
+1357 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [299.7586 374.7326 368.4306 386.7922]
+/Rect [328.1051 155.2935 396.7771 167.3532]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1077 0 obj <<
+1358 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [184.7318 321.8124 233.4785 332.5968]
+/Rect [320.3548 124.0341 389.0268 136.0937]
 /Subtype /Link
-/A << /S /GoTo /D (dynamic_update_security) >>
+/A << /S /GoTo /D (access_control) >>
 >> endobj
-1078 0 obj <<
+1359 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [330.7921 290.2521 399.4641 302.3117]
+/Rect [359.1386 92.7747 427.8106 104.8343]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_policies) >>
 >> endobj
-1079 0 obj <<
+1360 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [401.5962 259.967 470.2682 272.0267]
+/Rect [429.9426 61.5153 498.6146 73.5749]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1071 0 obj <<
-/D [1069 0 R /XYZ 56.6929 794.5015 null]
+1352 0 obj <<
+/D [1350 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-450 0 obj <<
-/D [1069 0 R /XYZ 56.6929 639.3701 null]
+458 0 obj <<
+/D [1350 0 R /XYZ 85.0394 430.9244 null]
 >> endobj
-1072 0 obj <<
-/D [1069 0 R /XYZ 56.6929 613.6661 null]
+1353 0 obj <<
+/D [1350 0 R /XYZ 85.0394 403.7891 null]
 >> endobj
-454 0 obj <<
-/D [1069 0 R /XYZ 56.6929 492.1088 null]
+462 0 obj <<
+/D [1350 0 R /XYZ 85.0394 277.0241 null]
 >> endobj
-1073 0 obj <<
-/D [1069 0 R /XYZ 56.6929 466.8231 null]
+1354 0 obj <<
+/D [1350 0 R /XYZ 85.0394 250.3071 null]
 >> endobj
-1068 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R >>
+1349 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F21 654 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1082 0 obj <<
-/Length 3028      
+1363 0 obj <<
+/Length 3306      
 /Filter /FlateDecode
 >>
 stream
-xÚµ[[“Û¶~ß_¡éKµ3BÜ�GÇY§›iìv½™v&ÉW¢vS¤*RÞl~}n¯ ÝØ“É,|À¹àÃÁ
 ãUÿá•â(¡š­¤fˆ'˜¯¶‡«dõmß_a�ÙЦ‹úöþê›7‚¬4Ò‚ˆÕý¾3–B‰Rxu¿ûyýúï¯þysw½!<Yt½á"Y{ûö;W£ÝŸ×ïÞ¾¹ýþ§»W×’­ïoß½uÕw7onînÞ¾¾¹Þ`Å1ô'~„™onÿqãJßß½úñÇWw׿ÞÿpusßÚÒµ'Ôòß«ŸMV;0û‡«Q­øê>„µ&«ÃãqFi¨)®Þ_ý«°Ój»Nù�S…¸"rÂ�Œvˆ(3±’\#A	µ¼ÊÀ"†×»lŸž‹Æ}äµ±ì›7\uú‚(N$5ÿrzhþâP=)D#¥¤ö¨¿™ñh˜Yÿõ¯kW.Ó&ÿèÅçåæ�ªÓ‹û<]cµÎv›‡"Ý~Ø4î3hš6éCZg0W4‘`AnÇKÚ«² §jŒ¢«�&àc%VŒ‘æœX›ôCæ&5µbχ¬ljd»$€Uˆhî¼õ®yÊN –²õÇ´8
”Rß1s
Ǫ®ó‡"sMùÞÕ¦»]ÞäU™®þ¢«iÝ�À'?ÚSúÑW?dYéꊼü�í\m^6•«mž<°ÎNÐß�Õ¯ßW‡¬5 cl�Ž…7·z±Ý·äå¶8ïŒ<óõœ7O®dåÙ®yÝœò‡³±ÈÕ@ÙʪÌ&†¸á}Ÿ?š£­¦%ºPa)ðtôð MåÈ?=Z”ñÆ.‡I<ÅbÌ�Æ’Ä嶨	Á½U‡aA˜¥Û“ü>ˆ.Íêí)?^<Zíýêêš¡%J«ë¢ÿ@(…¥*@¦ƒ�¿&‘ &µì™èO�+W¸ëÛâŒ�ëŒÝ^Ì2A„‡*Q=¸^ðz‹ZPd<šQdža\ M¸X`XaX@ÙÊŠì15Öoª²xQÍ`•ŽË 	ù=¢	Xç2(àâ»ë_’„¦�¦Ì×V[›�Enã$|˜°bþ>A„qÀ´Ü¹ªº9?¸Ò°¾!8n“ëÛ½oÍ<Fï„j„ž�/Y=ÁX,‘¦D]¶
Úaq”^µ`Æ.¼€¬ç¼(¼Eí5pA:k”h¥‘Þ¤´	�(õÁÏiû×Ç°<E7°)…EÚŸN·„_Ž~
åæ9
C¿À±*±€2fí«ÓszÚ�¸E0â
-€0¦ ëêËþ©¶ÁKç"˜ç
-’ªS¾Ë|í“/F»RµwÀÇ¢z°¾†º>M�‰fÚ…WhÌ}G–
-GIต#Êp_…(@‰hô%ƒØ€™¬ŒÒ‡ÎŽiŽë�
-[r\|‹š�ß�Îp¤ƒH×WàßךØ=Ãvy¶DÅšY’˜w(3%åƒÍ§¥ÕþÅ}XŸ›Ö2=d®Ê�©Ó…­Ô'y[T�®å—„'¿Uçœ{ ˆCeB
-?ª�wS¹{

ùÖ+{„ó‘5�?KÊå ìZJÀAçö?oî�+‚=p¶üÎ}h÷'„ˆf)Q»
-G!hã*ÛѶ@$ÈÔú¼m†œý¦Ê.¦K^{.Xgì	Ç8³ÒÓ>!„ùDIvf‘‚„	,É%[5«Ë×öBíoe±˜EY1náTƒä�qÇŒ¹uç,™]8L08N“…¤¹‹š_8-ª·pšÃqãÝ9\>Ì\—�%ZÔ„=·1‡:P£]>.ùPR½!IdÕ9³…“íåJ™[
-œ¬o["îæ zÞÓ”"
~‹;úŠøÙƒŒ}‡ô÷�]¹ûÌ»;?d›ñaKç	Á¢j´ ±=O+hL¤ê)òçÃ�í1sZh�¨”röxL•BL+Òµ8r:náqÛG£Î��åPÆ
?AáØ´ ¸£±¢c–P$ôÜÅmK½*½€šœ­|WL“r.t\“5¡JŸ~&‡7SÐÕåË\ÆÄ,ò„'ŠDøG ÒkÒ3:J@�_0<î§S�™Kc%âóТ�e!•1¶ppè€æ9@ó
£:7#*†˜à"ªG+Òg †F`jW“¯DÀ®=£·
-XÓ¡�•èç€�|`^W‹/³9ÏÚ2>
-”hQZô#©„Ôø2Ä›1f �Läþ‘SˆiÊ{öÆxð–�ÇýôSGBÍÕt|hA�ÑXqâŽY¸tî€"´ó ™‰Ú|#âÁ]
-W¢�µèo�IFûj|5Öyc:(†¦â™w’/–ÄxàqËG£~:ëà0¥˜Žº?`â:GŠRNsó[”…P×
ÍS.€ì[aÑl>%Ø	‰”É»"JÌX‰>ãRTÓž_†q[†”ãˆ&šF(›�À´ko”r7}4êgPŽ¢„%2êÿ×b4ÖÂ�ÿ`^úqi‹‰ýðÏb"Ó4éÜÅ]L‰
+xÚ­ZmsÛ6þî_áé—“g*”x#Á�ijçܹ&=Ç�»›¶h‰²YS¤JRqÝ_»X€ï¢Òi&“1<Äîv�øe
+C.âÕ>MŠ¬xÜsú�íP—‘öI£@,~Ü©<’$ ¨£ØÁ²šzL6Mö)¥ò®¬¨Ð<ùæ?Ë"šÈ@®îŸ¬N*”;§e²yÊŠ´ö'®ý%Ë�ÞÕ7«t“¶¢RPÆ}CÍTd„Óð»÷3
C
+†”ƒZØÖ÷îooþ7c¦40ì0ãÔÉ>­ëä1Eœ}X ûd`¬}TG5hÌÖÕôÍDl‚ÖÐç‘gu“n©\${W[§Õ§´r~	tP­ä¤ur¨²}R½’­^{g+ñaŸ€˜
+zâð…Î(PJz3 ê�k*%Å+ntÛ-ÍC]§5}WÒMöKk`^²æi†b"LèиQ­�Ñ¨°*rXt2&Z½qê•UC¥}âÔ{HGº\ñ¨CÃ
à9øÆÁÜ[%íè¦À¼uUÈd$ôgi«“"ôÚöƈ$4¥ŸÔbëjhâŒ_iÄâÙà#`Œ›a2*Z&˜)Ìj›î’cî¡;jï6cáÂAˆŽs00g,_¨´ê;
+ܵ%NKÚP}b™	…úµh’?¨ÕÒ?J«&ÉœØm¹§²"U;mŠÖùDB©9ç@®puæö+ø
b¿)]új[pêÊ¢ö¸žïßRÍÎV•{úEöA¡H›—²z¶»CüÂênUÀ�OI•µ
+l6¥íi´u}•Ö’`¸,È;ZZ¾RÇßøvº®Â�œ{oàlŸ	2‚vè#•]#Þ�WÅLØŽ˜ÿæúØ%Y>#¸§bÞó¥§U “‘>ðÕy±vf Y$qgõÅ4IªbN�dB‰NóSë>™	#qfÝ÷PëÞ£ºu¿ÿc,8Ž™Ñ�YìA3‚³(f$è2�ü1M'CZoªÌ­A«s:¬qÄ¡|Œíë?°š…Êø™¦ÕÛ7QhR
l¤Æêñ’
+w=k[üs§ý’¹›Î0<™ð�ñ±Jx!ùÌ°·¨3ŠL{[䘎43Lç"Çú¨ÓkQÝÁ6w»Iªí$¼ˆ�©€/‹÷ ñ¦IΤ�ª�ü¿Ç´xÀ´¾#áÌil¢“|Ã]ZG��¥|kñgŒžöûù|‹œ%¤\üuN‘IoË|Sà"¤Ë|ë¡øæQÝLeE“>VY3=—â²€ƒð¢|š‘?$\À„	åP�/I¸�cÆqƱÀ¸ faÀÍÀÔ%Æyü«§ýþÆA‹áryô[Ô9E&½-3ŽK@�sph�oÔÍS�=ä¸Ášlž
ΑX”Ý‚¦Â‡[gÉ#õ@ú—£=F¢CÇñéXkp~!J=|ÙàI¯ŸO38\˜H/OyZÖbÒ×"Ç”Ì(,’¬�:Ͳe7¡i…§Öu]&ë¦É§^M0­´\V EÍh0¤ZÄ4ž÷*|®Í2f›�£¤ä~MÁBz`ë¢_sø3VOûý~-`QÈãåáoQç™ô¶Ì9(£Ïœú¨ÎyJ<¶I“®É;<×ÏÒI8ã„ñ
ZԌ
+Ò)Á”F:|™`:gÉH¼�£XÉÓ¬“’Å’l]"�ƒŸ1zÒëgSN
1£¿8ø-êŒÓÞ–)'@™3±´�Z œG¡D˜¦ä!©ÓÉ�4dZ¡jQ°ÍH1_ª¢¡ä�˜Yµ™JåÓI2¶¹ª¢\QÐiHí%Õ>8”ËU)—DHÝ”å^ÚŽUà“ÑÐŽÚüoàÓ9øM÷É®ÌóòeÐÃLª“C™ëQª³?šã	—°ç¼S~N__\š¤ˆˆroøöŸÕ�²S”Åf•¸Æ„þ`Ê’JvŒ
+6Д„E„â½Üüð¹-ˆß½-˜ä�?y|U=4_ÍߥÓÞ¥}�ýI�
+=Çÿ¸â«šÊEâ.ØPb±Þ§û²z¥Ÿ4
+ÛõCž€ïnè§×ÔYf/ß"—FƒEjaeêå”
Ñ(¶§õpH£&yvƒ4˜ÐÑhöƒ»¤�jõ)É�”n•U°áPÖ¸§N©)ÛQm²ÝfèÞ“œêûE­¶UæîÅ é	Ó“¶ú!Mªƒ-ú3åˆò¤¤Zç°”»WÃ;i›"æ«�å>�Ë÷ÖÉþ�{†x¡�í©'Ý&?n=éNiH®}ÕñXPö—&E:Ó¥7 Ïé‡×AZõdÜ0o�<“3è�NG²n2ƒ<Œeˆ&�|I¦ÇLeöBñF>�ùe6Ó�æÓÜ»�>}b
+k¯Ëcîä'xšp:QMQV{ÜŒ`•k[Iu~]‰H 	Ôx]eéö$ïyûõ(–ËÄï£N3¿Eõ¨�ã;yxA9
+�™ûÐú#nܨ¼G²ˆ‚	ýt^²•I‡Ÿ2I³¨»¡ïy“IÖ"lý3�ÄÄq5ÚBeû.Æ[Fdï9Öm»/l_Ï´› î-˜~[;r¸7²û¤¹kûT�â§y	ëCˆ(:ÃËj�—e·ZÐÃ�õ‰,†Ô2^–îA3ÒÇYpZb(þ?W±°‘�C�¤d�•eÖÐéK†�¾ø³öÙüaG[é¹V!“zMP¨Àg%ng‡Ø¼|¤|Ì÷[y¬à€C¯ñ¨ÅÒÎ:Vn_A@¶qÊÚQZ‘ÔÑèÝ–%œhnÿ{sǨèN“!½Ê…Šì±(Ýóª ö„Aû²+Û®6À!ؘÕqÓŒ? ã±Ê.£®‰¯œy„ó¦aƒ=Ç €Ã!-óáç/B¨™·œJêXôŸàºrµƒ˜ó[‘ŸÝ8Y1ó9
 endobj
-1081 0 obj <<
+1362 0 obj <<
 /Type /Page
-/Contents 1082 0 R
-/Resources 1080 0 R
+/Contents 1363 0 R
+/Resources 1361 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1067 0 R
-/Annots [ 1084 0 R 1085 0 R 1086 0 R 1087 0 R 1088 0 R 1089 0 R 1090 0 R 1091 0 R 1092 0 R 1093 0 R 1094 0 R ]
+/Parent 1332 0 R
+/Annots [ 1365 0 R 1366 0 R 1367 0 R 1368 0 R 1369 0 R 1370 0 R 1371 0 R ]
 >> endobj
-1084 0 obj <<
+1365 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [259.4835 683.3704 328.1555 695.4301]
+/Rect [257.6971 603.0615 326.3691 615.1212]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1085 0 obj <<
+1366 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [310.7975 572.0651 379.4695 584.1248]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1367 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [308.6055 541.0687 377.2775 553.1283]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1368 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [294.1999 510.0723 362.8719 522.1319]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1369 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [303.0862 479.0759 371.7582 491.1355]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1370 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [332.9347 448.0795 401.6067 460.1391]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1371 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [231.137 288.2283 299.809 300.288]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1364 0 obj <<
+/D [1362 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1361 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F48 880 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1374 0 obj <<
+/Length 2658      
+/Filter /FlateDecode
+>>
+stream
+xÚµ[MsÜ6½ëWÌm¥*‹ï�£ãÈ^¥6ή¬=esk(‹ñhF;3’¢üúm�† Ȇ\‘Ëå�|ì~
<Ý Åþ±…U„
+'ÆI¢(S‹ë»ºø×>œ°SP5Dýpuò÷÷Â,qšëÅÕÍÀ–%ÔZ¶¸Zýzúîoÿuu~yVqEO59«”¦§?\|ü±;㺟w¿||ñá?—oÏŒ<½ºøåcwúòüýùåùÇwçg³ŠÁý¼·0sÃû‹žw­—oþùíåÙoW?�œ_ÅX†ñ2*| ÿ;ùõ7ºXAØ?�P"œU‹'8 „9Çw'R	¢¤áÌúäÓÉ¿£ÁÁÕöÖ©þ“ÊÅ¥^T
+¼
+é¦{™ª ×*#Á–Ö:ö2gS½P¾—ß>ì6Ëõ8ZÆ,áMfŽ#j³xf\ΕK]¿]¯·Og•àêôp[w�U}ÆNo–ëCwÜÓûÛ¾;ü/¥|ÝC7Ë»¾uØú_yú¹?Þ>Ö»]³ZÕ?æ†ùh~`»Ù'ÎåéŸÛM=åé©9Üög9—¾«@¿nŸ¤Ž#LÛÀˆ‡ÀàqN´rm?§T'ëß7ëÎBÚC†8Ámo uÓŠqy_oVõ
+ŒB ž´¿~
°n®—Ÿ=W}ÑYŽ<“†h-Eoþn¹?Ô»	‚Çuc¹YMÙ‚P•‘=f¿^>Ö–¸"FˆàÐwìždOT/[í<ÔàÚ¢æµQ]œT‡Ýr³¿�h™=­Í]]5›LìÆú¸%Î$¢&¨$Ci�‹6åò©tÛ7Võþz×Üší¦;±½™èn°A¹´qäæ#Ñp$iLc´°–Hgytwq÷eÑ5.áG|!üÜnþõ1P?3M̘’TŠ0χˆ*É­ÅgsR…ZÁ­®0ÃQˆ
+jrÌšÕzZ…š0¥Î$¢&¨¤*d°`øarùk*ts*D4V¡ šZŽ¨¦åx4ªÂ_?·ûrJG´°‡ˆ*É­á*’	k®Â

+Qa@ÍÏÛ‡C&C+‰ÔJãT"j‚K*CG Ap)™ï$ÃaHc–`¦Ý¼�#Êh•„�	1à�Û}¹5\)
D
+j~æ˜T!#Ú镈šà’ªPm̈ÌwZ’‡!�gCG “ˆ%tšQIÔ¨{|!þÜî7ˆ�Ã>
T ‘ÙBE¨'‚�‹pˆšaDy�›í¡¹yÎ+ä”ÀýFÔ„ãDq�Ѓ2uêùuwä?f¨3}q5'/˜
+“ŒP«mAa¢°€òï>­'·Q¨ôQ¿5á8­©%±ÖÙÔó…ïo#Ã>	´ìøµ$×–Œpfäí§e²ÙÚBÓ©Ó›í®;½¿¯¯AlÍæKw¼ì~ @¨:»¶/|Ìí©x;â�¯¤¯—G— ð½o¾l–UW*3Iœ6Tʼ�åðÐN¨µgÈ=Ãî÷Ç�Ÿ>�¿ëÚÞF˹¯Þ{èÓm݃áA{îZËÎXw°Þ.Wá¾›öÂö®;Z5û¯¾Ø¦,ô!œtýµmp
+U ’[ÃIµuº°3D!
+(dȦ&Án»§@T&¶EÊ廊pzìöEiOP$Q—÷E©r»ß¸'¨
>U ’[CuÈÛ�S…M›!j^‡å=>ìëꥳ¡¿OCß¡d"j‚M"EŠ…².¥ó:ïH
+AeoI`iÚ³bô)“3Î%�#bŒøBäv_.FH`µæ¤ªD$³†‹Q)(¯UáuÝ…ˆ1 Ž{¼sò“°vi¨“P÷5á?­@ 
ñ›o	�×ܪžœ†L€ÅÍœ‰É�3¨N¨H"Å&¿€/ÄœÛ}±Þü÷
T:‹w~D•ˆdÖp½qHša°
+z ½T6PSK¯òûxTá"j‚B"9Ÿ‚[fSßArÓK®�G[1Du�Q©E,¦º€/„�Û}ù,Ç1\Y¼ÿ#ª@$·†ªŽ9È™P¸ê†¨yÕETûî´ÙT»úfWïoÛ—÷oºNð¯T§N·èÃî9dž“ùÃ
+·x5Ã8erBò4ˆV¶Ìõ²õ�D¶þÄÄB
+.•ßzÄÒ€/PÌí&ódf7ó$bÊ@e‚vVD˜äÖp�iFŒã…Ýä!
+ÑX@µ�÷Ýžêf·½«VÍ�?€L¨Þ\×ùK
ð$9ÔD(�ˆšà“Ö0§Sžòy�¼®ոʀÔÚ ŸaA
+*ý;Äa@h‘Ñã=�Û}ñ›aÿé3ÓšãCQ"¹5\�¢oaoyˆBÔPÞã×úFk°Ý=OåuŽS‰»�¨	ÿã¼ÎQX毳ÈfaŒó:
éC>>åÜë‚'‘¢y]�/ÄœÛ�Ñ[¾Pø]að®�¨�̪6ç?©f…­å
h^k
Ô.®ëCS¿õN•&ˆ¶Ö¢®#(÷�èLZ¨”(Kœ¿Ò~£Æ*c„IÊæUÆ ¹öwécëÑx´c›/ÿÒÅJb(”cX—GP�ÄØþ5L}‚–>æ;‚�oùzÐñ�º÷ÎU÷~<ß4Ý»zŒAåÒ’
TFO8¼Ö|“‘Œ÷‹™ÿÆ	›ò»Wb+&¶�=¶ù
/f9ä�ªÐõ„³ÈlM«-ìíBÎ#&Ëøßèð—ÿvêø‡eÒag_õPM,w&�òÄ�Èò^a‰²ÜLPÿ?¡xdendstream
+endobj
+1373 0 obj <<
+/Type /Page
+/Contents 1374 0 R
+/Resources 1372 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1394 0 R
+/Annots [ 1376 0 R 1377 0 R 1378 0 R 1379 0 R 1380 0 R 1381 0 R 1382 0 R 1383 0 R 1384 0 R 1385 0 R 1386 0 R 1387 0 R 1388 0 R 1389 0 R 1390 0 R 1391 0 R 1392 0 R 1393 0 R ]
+>> endobj
+1376 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [387.5019 430.1364 456.1739 442.196]
+/Rect [387.5019 693.385 456.1739 705.4447]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1086 0 obj <<
+1377 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [381.9629 399.8859 450.6349 411.9455]
+/Rect [381.9629 662.1643 450.6349 674.2239]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1087 0 obj <<
+1378 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [398.5803 369.6354 467.2523 381.695]
+/Rect [398.5803 630.9435 467.2523 643.0031]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1088 0 obj <<
+1379 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [393.0412 339.3849 461.7132 351.4445]
+/Rect [393.0412 599.7227 461.7132 611.7823]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1089 0 obj <<
+1380 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [255.0796 309.1343 323.7516 321.194]
+/Rect [255.0796 568.5019 323.7516 580.5616]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1090 0 obj <<
+1381 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [381.2254 182.5173 454.8788 194.5769]
+/Rect [381.2254 438.9741 454.8788 451.0337]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1091 0 obj <<
+1382 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [335.4973 152.2668 404.1693 164.3264]
+/Rect [335.4973 407.7533 404.1693 419.8129]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1092 0 obj <<
+1383 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [363.1733 122.0163 431.8453 134.0759]
+/Rect [363.1733 376.5325 431.8453 388.5921]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1093 0 obj <<
+1384 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [365.365 91.7658 434.037 103.8254]
+/Rect [365.365 345.3117 434.037 357.3714]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1094 0 obj <<
+1385 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [393.041 61.5153 461.713 73.5749]
+/Rect [393.041 314.0909 461.713 326.1506]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1083 0 obj <<
-/D [1081 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1080 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F58 627 0 R /F42 597 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1097 0 obj <<
-/Length 3167      
-/Filter /FlateDecode
->>
-stream
-xÚµZ[“Û¶~ß_¡GíŒÅâFlŸœdíºmœt½™N'ÉMQ»¬%j#R»V¦?¾çà
-fÝmFª	idGžÈH2!úâ|(
-rCóàë¢ÎåcSî+šØoP°�n©Ž˜PDx�RCI8”›Ä=\VCÅ¥Ž£Dʸ§8-î4¸í˜ Ð_0Á˜/™ o•ÅàI¤‡")%"Éå¼+<Ñ1F¼PŠh2øÌ#±C5ƒDO…;Vû¦ÜœÎa�ƒƒ/íî‰&vïù[ð(MµìoÿeÈKxFJöN Š¹Ôg¡&R	ì¤é):µ@Aç1ßCMÆi¤™”ó¶—LƒQ¹F‘"ct:��Ä€b�jdÚÕS2‚ˆd‘‰Õ¢ËzG4!@"2ŽŒŒe_‚ÿDœƒí5èóó(�üŠ‘jzºÎ%$OAí1ß—£ÄèHêTΛ?P]dÄm6'%P™ŒÍÌu¨f0ç©pÇ]Y­ÅæPÔ«¦Ü¯È»ìóä´¥n§1­Ÿ™-�œË5¯B šÐ¡g¶$‰b£u_	[ž:Øâ [œCLÁ–<á¦'ØÄýÇ|{CaÄx<r·‘À*?ïoOuA’1·yŒ	�JéKëPÍ`ÌSÙðþ¼¡esØïVërƒ7дU^ÔãdՠǬ8�jBž^š‹!3ÅqÒèëô`ÕÈO-Χ<h¹b}ÅçRž§¿`‚1ßs)��B+Çl9ç‹@uA�1·Y8Æ) 7N/”Ù.Õy8*ÜñSqoÀ
-ð˜„M$2–xoßü)ècËïNU¶+sþ§ÇuÖ8Ÿý¸ß–y9YNðVQª¸²ÝÛ•Ø·?p©���ûCSã]¼lž÷4�mÁ•UÖ”OMìŠæa¿®é a¯÷‡¬jÊk¾¬îi"ß–EÕ8*‚åýCãæö´ÑcqØì;š\½àæhõª»ä j†ºÀÑ+�c2äïûÊ7—ù¾ú…1q´¥¶XÓìÇS‹í±Í9×'Ìc8Ûn÷Ï+ÚýÌ�•)_—³j=Å1gC6q/_,«Õ#úf2÷ÆPÂxo#ΩCZÔ�Ö§b{ºæœnÀ›�³L
-Àƒê’JA'‚»i
áÀ*ãêg+�rÄù6;Öà=8Í.Ÿ÷‡O5
­GqPg;¿š�h�9o¸&ËGRâ©ÜÝÊSq¨AGw‡Â+"2¢á»†®VŽìPÑЃ˚Á@˜Ø“@!‰
¼ve]‡H·8‚ë±4YuêZ;ßÛë:$½>Qe5ÆQY
2&â0
-
-,_V…£† j,Í~KŒ÷àAZz~ȵáŠüKò$.ÆxßCV‚b�rù
/ë™ÅÊY]�GÌò¸µ\aÙ*
-³%
-Z¬mœ$ äž"è
´E–?ôx¸é¼u �.»á�Ö×EUn®ÅŽ›Øx*ðsÿ±`É섀A&&ôµüXÐ=Ùlí&O4IÌqp …Žƒ`¶›²
)Áv�Í—ï6DF0Š6‹†-ˆ‚Øüv,ê†A°:»w«¥².ïÉó0þ…ŬA÷ô¢šTÖ.I•��‡|{\“õXÇÒ<t¹ûðî­‹*·
-ˆ�Ë”tYÓ˜Rª=]7ǃ«ðD§ä#m[úR�il”HlÓ
-žÍIñîSÖ¢IÀÛ7†Ä{BpÙ¶º[`R1üˆêÞkyIÇÅ@ÁPißµ1
-meèßB2ŸTLòжŠac”¹$­èò”m!oLµ>†GR†·U6Õ�wÂ~
ÀED¯&ب(5á�€¬µÊè"t§F\bå÷rˆ\O…ŠŽŒ`:proaÖ,¸EOZÛÍE%G¯ö9¿ÀŸ—<Ò2Õ/ù9›T&ÒL~Îö¿=åÁ~щzVzŽ
/7ôOôY­‚R0Bs¦*¼�î?(0 vîRs>Í00½‡o>gy³²Íq �;|œcx'†¹®WBÒÀ›Ð~à
õgR»SNù͇ÅçcQÚWÌáÞºd D‘gÛþë¾Ð³`"p/¦/¦r�D{Œ?<IÔ~Òè6B½/£±ŽPuýðe¾EIgõ5áb� �KšF
-ßš_J	}ÀøS^·ˆÀM§å¾_‡‘óo]y‹
-endobj
-1096 0 obj <<
-/Type /Page
-/Contents 1097 0 R
-/Resources 1095 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1067 0 R
-/Annots [ 1099 0 R 1100 0 R 1101 0 R 1102 0 R 1103 0 R 1104 0 R 1105 0 R ]
->> endobj
-1099 0 obj <<
+1386 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [374.6372 737.8938 443.3092 749.9535]
+/Rect [402.9837 282.8702 471.6557 294.9298]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1100 0 obj <<
+1387 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [292.0276 708.0059 360.6996 720.0656]
+/Rect [320.374 251.6494 389.046 263.709]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1101 0 obj <<
+1388 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [319.7036 678.118 388.3756 690.1776]
+/Rect [348.05 220.4286 416.722 232.4882]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1102 0 obj <<
+1389 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [460.1655 648.2301 533.2211 660.2897]
+/Rect [488.512 189.2078 561.5676 201.2675]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1103 0 obj <<
+1390 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [362.144 618.3422 430.816 630.4018]
+/Rect [390.4905 157.987 459.1625 170.0467]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1104 0 obj <<
+1391 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [293.1435 588.4542 354.3435 600.5139]
+/Rect [321.49 126.7663 382.69 138.8259]
 /Subtype /Link
 /A << /S /GoTo /D (options) >>
 >> endobj
-1105 0 obj <<
+1392 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [288.6803 558.5663 357.3523 570.626]
+/Rect [317.0267 95.5455 385.6987 107.6051]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1098 0 obj <<
-/D [1096 0 R /XYZ 56.6929 794.5015 null]
+1393 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [356.8967 64.3247 430.5501 76.3843]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
 >> endobj
-458 0 obj <<
-/D [1096 0 R /XYZ 56.6929 544.3772 null]
+1375 0 obj <<
+/D [1373 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-774 0 obj <<
-/D [1096 0 R /XYZ 56.6929 519.5953 null]
+1372 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F48 880 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1106 0 obj <<
-/D [1096 0 R /XYZ 56.6929 144.0934 null]
+1397 0 obj <<
+/Length 3410      
+/Filter /FlateDecode
+>>
+stream
+xÚÅZÝsÛ¸÷_áGºc¡ø"¶O¾œ“ºí9WÇ7�›»{ %Úf#‘ŠHÅñMÿøîb
�”(Û¹x¦“‰
.€°øí qÌáŸ8N
3¹Ì�³\³”‹ôx¾:âÇwÐöîHø>³Ði6ìõÝõџߪì8g¹‘æøúvÀË2n­8¾^ü’&Ù	pàÉ›÷—o/Þýtuv’éäúâýåÉL¦<y{ñÏsª½»:ûᇳ«“™°©HÞüíìÇëó+j2žÇw—ß%§â
+D+U~ØŠö뙡öÔå$_Õ¥ï
JÕ¹>Í’7p‚Ôôp_tTëÕù{–tB`¸8ãr+(xàR%g(À4iKd–j/u
'b“íÒq…f·Q ¢>T¸ÐráôÄÀ2Àö”qз,æ÷#ž\Áim¨! ËM¸¡öEYW¥§õØñ„ÛÐÎy<,ÊpÂ:!`��M	}V'7%}“ÌžøHDbŽ•
5¨,±«:X%ȬyrqK݆У·¢q
+êAl>m˶£FXX[ÜùÖÊ/²­îèä¡þ+Oy‡G<Ú9õªõFªê‚>Ì—ÛI�$
ÊCÅõ‡‹w^«|p
+Ä”"ýtG˼
+úì}{Ñ‘Ab¹!Ë´¡OÚ¶=t2RsÆÅ‹¡0fzí¤ÈâʉPY8C+Ç
+2ØÊ<Ëø�Ô2ÉÅWDYžåëÊdÀC¦’òK�8o‰NÚ
ä¨Øù–h}zcðס5Á
ÅR󒺋…ßWK*?GÝtOR�cËåO4hY~.P“N²ò¦#”÷ÍÃÈ~,9ª²sUU}û²i>¶!‘©|'ôÍ™µ¤ähpNfÂhç
+y“ ¤9íeAu²kP©*o·ï8`ÄÀÿcßÞæ
àAhi\
Ô^ŽðAöÃv	Ä´{®æf”bÂÇÑH—ƒd!�±Cdç–.�¶ØÉlj:2‰íYl·�
‘�g
b1>° Ã…¶p©\ŽN~)>7Ù=£è)ý8¨õ+zR�eçTGp*öí™ùE„÷D˜%`sy‘Ô©˜ÃP
+ú|¨–‹yƒv/{T
Á“KH.‹¥ÏœNi\G–—1>•Ñ$·;M>zÌ?Š^&$ý±t)Qž@¨¾ :\BÎS(•Êc¤†õA¤†ø;wíÚ
+*®ÿqþ3ÕÊ/óû¢¾óC�¶ãà› &®écgPÎiŽ8¥gÛÞ1uv-}Gp·À¤ôÐJâ—Ëé4ï›Glõ�­Þú
°æ8†rK¨í»gf#Áë¸mM‰Ÿcµ…^0vNŽr�0A¾£“pR¨>ÆH‡6>ŒÛ4$Ðq¥ûÎ@CUg!:êu
+
+›„wÈÐÔnoþSÎ=ÑE,P~ù�ZwYaÈ°.êÖ…œäÇ5ìDÉ�¸°EF&„H\—D®Kªë5yéÕ�Zm—]µ½G¹ŒÒi �$
+‹c¹Œ7$Oˆ4åLK+öDêfvY,ÓÙ‚"xINO&Ñ'ÊäÓ–d‘,¡2ûe²hV8�®_Œf*v?Ù{ú
+`´3‘CŒƒ¹hÌ'7¦DŒû�a”Tx#m¨ø\,ÁnLÅAV0¥âÕ•3uû3að†—¢Ôét‚�f¹�D
+ü9VFB0þ‚[k¥-Ëx¶skýÇF……`ë!rp4Ž/_
#ƬfqS3�$A™íòQB�2m³c…ˆÒyú~3Ž¶"€îüK1ïf.¾Á,k¹Â«ê9Zc¹Ï:°%Ú1üˆ~PȨ2Ÿ!)L¾ëoÊÊ]�Ç+ÆÅ8¥!Û5/–ãëÈF¡mòç;—SfQ0Ù_3ÒgÃ4ß±ˆ{èÒiÆ´ÈAƒsø¶³E)9×,¨ÝkÂEh&óL?̵T.Ÿ5TcÌ„DtèÚàc$‹�E@Í�ˆâ�‚@$�mA…[Ñl
+E«"Ä×ÍíéøÆl@§ß€ a-ãZ¦¯Š ÁѼ‚TʬIÓ¯`FD�Ì,ž?ƒ ž2üÅÁþi@“ê
+ËÕâ9mÍX
+n×Ï+C¹
+–1¬Sx
ÙÑ…uX‡uH„u3•g1-œ�ÇÉ!ú»”A”0°‡zh¡ÅÛC-Cì,=ø±§?#ø‡=¤�õÕô[D/•·™qánz‡[=ŒÇáAxz<ZÅŒ5ò+X†ñ(r
®-͞ƣ q£ÔSQΔ1Aôç)rÓŸ'¶ÐybÍÉÛé´�äωñ<‘>âàÍËîaö¶HIzÔÁrÚ™œ�C{IŒY‰ÎÕ®=š¥JÐ<
+)Ì~¦C—>`Õ’`4VMÛRo÷14‚îܽ�À>ÑV¸W¤ùÜ]âóÛ¡ç4è€WÔhûlxy<Å×0‡åpK¨Â56Vˆ-ô¦û‘a“?	«¼‡�&®¼¯W&æ¶P½ñ¤íhNS½€Èý„dÜÆŸ<�Õ¢�öYaÊMˆ<T_Ð)ªýóÎ
³ÜàA‚­QFÿiòÈÓœñTã«:'µ7çáEͽ*UíÇþ宿Áî¼hËÆyhñ¾ÍŠî†š¯š™°§V¥Ï„šÂ¦²L>“8Nšfô²á¯­
Þ®ªe±!"€}â<ñ}-&؇²^ßrìGùe^®;š £Ç{àƒc?us;1d�(þ?f.âSl±l›ñ£¬w+O ep¯›”¼.R´�ÓMÅ3H�ü]cŸ»˜‚ŠâðŒûP
+Êü˜†
+Dúi¼•<•öºÇÓAkôÄè&€ÆµL�f&ðWgYªvnc5¦{¯÷Ïep¯”þ'}ÿ�Û
a‘Ê@F�ò2eøè·…{¿1t±®Uîå5Å×ë‹c‡âcþ@‚uwÒ¾ˆú¹ì­w{úTúh,¨¥�_Ÿ=úW'º‘
ÏK·�£ÇÞp#ÕO[H
+†¯O>‘�¿Çò¿ˆsƒ»·,×äÞܯcÀAºçE•ÅG- õω@‡d:Ù¹9Çe â«‘DÒر¿€†aš¬·¸@¾ºúpñî”è—N‰øáý™'ùßgh;Èv}’óÄq›|Ÿ|WþNa÷¡î汿�8õ×îw:ñŠâW)õÙåÏXx¸y ì=
Š€
Ñ?
Š~{З}.H*ú
–zk(éwc´Þ?Ê…äK+%¦~CÿýÞ¿ù»ýÏ™!9PÖÊiEñ
+¥âªPè™Þ[{ømïÄâÿ’:eendstream
+endobj
+1396 0 obj <<
+/Type /Page
+/Contents 1397 0 R
+/Resources 1395 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1394 0 R
 >> endobj
-1107 0 obj <<
-/D [1096 0 R /XYZ 56.6929 132.1382 null]
+1398 0 obj <<
+/D [1396 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1095 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F77 703 0 R >>
+466 0 obj <<
+/D [1396 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1045 0 obj <<
+/D [1396 0 R /XYZ 56.6929 749.9737 null]
+>> endobj
+1399 0 obj <<
+/D [1396 0 R /XYZ 56.6929 374.4718 null]
+>> endobj
+1400 0 obj <<
+/D [1396 0 R /XYZ 56.6929 362.5166 null]
+>> endobj
+1395 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F53 957 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1110 0 obj <<
-/Length 3017      
+1403 0 obj <<
+/Length 2993      
 /Filter /FlateDecode
 >>
 stream
-xÚÍÛvÛ6òÝ_¡Gz��âNpßÜÄIÝÓãteõì¥í%Á·’¨ŠTÜì×ï )Y²ÒMzºÉI·¹Ï@bÄá¯9ø*ô(/43\˜ÑluÁGïaìí…ˆ8×	ézˆõõäâ«7VŽ
-VXiG“ÇÁZŽqçÄh2ÿ1{õÍÍ÷“Ûñåµ4<³ìòÚXž}}wÿš }^½»s÷ö‡ñÍe®³ÉÝ»{�oßÜŽoï_Ý^^¥�„T\â_ïîo	éÍÝw·—?O¾½¸�tG^Kp…çýõâÇŸùh·ûö‚3U83z‚g¢(ähu¡�bF+• Ë‹‡‹¿uFÃÔcdÒ\0!�][É”ڜܖ¶à°ml*Ãœ5æ`W¸uδɑôJ2¡ŒêHoò
é…VÌ)eF¹)˜URÚ?UËù¬ÜΑ:_½Ñj0!ç¬�
-�€ˆ“…'œ|¸¨„ój‘Gœu¹òG’93¹‰8?q.ýr~y­¬Ëª†¾Ínúo?k±“gmMÀ×÷Ôˆg¼.‹óüo›rÝTõú
-úEž•ëp
 oÎ
-as Š`…12lÙ.Â>ZfÛK—í–;*[•íláãÈÓ¯©Õ.<5ÂmæÔWë÷Ümæeëçû’.˜e8ßßÿC¹¬æ$ˆÝÁ©[?Ò7ì‰�áUÙ¡ÄjÙefÈèÏ¥S ˆ ÀŠYgÅïX’fÈÓòhaq­yN¥Âk¹@«Æ/?A‘Þß1T¶g(ŽC±ˆ‹ãÄ.E†"°c(Â÷VhIâ¹9«×­_·Èp©ñÛU[0):õ¨æ0¯j?¹ŸŒëBíëš1%OhHºvZ�Õ<¡Šgšç­âù«÷ë:ˆ›Ÿ_‘
-	°‡WÞ»õt´ÓdÍ¢Þ‘ú #~uT$…€VÙÐ÷8]„æÌg>‰0ÏpHktO˜=¹Ò˜ó<]ú„<]K�†XØtKÑ‘±ý¸	J-²d5VuÓd×øÇÝrßbˆ¬\.ë§h!§3õ:®ô‹ÿH��ß“©hHœ&ãçTK0o`]q+âQÄYÄ-Ø‹@îáPäŒõk‘NB*›µ—"«©9� Ý`AS€øŠÛR)„¿ÎÝ'0¬ˆMšñD26„}âžÍÆϪÀò0„ê9¿Ë·ÈH–k¥Ãz9Êrð{Üh0L‚“Z†#®“	FvckV6þ´íµÏ3”½íí†sÎÉy~�üo³ÒAX)F(’`/‘˳xÏœ,ÀÅZQ°\‚ÝNæ}�Ü)¼²ñ@ˆEúu‰
ÓÓº¹ê�àêÀKyÆÎY‘Õ¡�ÃEW;Ô]lizü@Pæe„üº/Ý	
-Û
Z×ùlÇX�çC44VF”zî‘7ÙÝã"�Z	öè�oiÁÀ#žLОH
´ZƒiX•IÞ¥LfƒùÇÆ4b£ýûx)„ÈØ1A›,bØK›C#l®Å±Í5nê�EÄ>YÄ0BŸM¹m«Ùu2ôS"žbvpõjS7i�´ãafÙF\BL±€’“ãqÔ2¿%ÿ@$,¢ðBƒØFš*x¢uA‡€ïºŽ€Ò¬ÀLðPD~‘¼Ÿ �‹léå·Ž Gp£¤ ¥‚ÑmsEù\¢ðr
-bv©÷Îô¼6™°ÎœDÃ`¦ÅþI¢ÓÙÛVpñÜ|*):üsx¶îIRèÃ3ž3…ùÄ‹¤è°Îœäùjx’˜)h€AøéöS…IrMÁB­©’4tÊa¼“ÌdçXqYtc=¼bW€“®À\åOK,ºùéÉršq²ª(óœÁ¿骊Òqæ,$³Á�?­“NÇ*‡K…Ác©^¬ÅöU—½˜b_*R½à±Þ­_(ÖÏûy4èR±âÅ7‹gK¦§ÉjS6?GUHÇî¨tB•2«±Ü·&W!„Í�Ä2£°×Ó
-½šTXßùT--#°Ï$›¾�Fb®«±ª4”œÜuP3§È�í¹�CÕÙOk^àUO„Ï£kÏ*�ƒQå¿gÉ4ã4«¸aFÛ³ !Ø,\Ìl&ßaÑ´ˆr¬8ÄóÕÊ_·õõ²
-!8�aO‘>lj$&FÐê«È<F[
-ôÃÆ …Ãî¢~ÂÏ–u„lˆQi‘´îšÇËaÛyŠ7ë¡É©Ré*Ö܇1ɼjÒC‘I¢²òyò÷‡ZH¬˜UöŒD‹"g"ÏÉúÌ–�&€L+­Éü(He×Éö¨�íQ½íQ*Ù@8ȱ”
-rŠ»ë¶žÕKB},W(o'…8ÕU ½nËu2;.}¸ìiŽ
Hñ¥l!è/Ê0“³\š³Ë“6'4~Mo÷øß
–ÒÓ‘æöHj¨¹Á‡T1Ï©"Â(Y¤YHaü¶‹Á¡µCÁ�`ë$©6rÂm¬<ZÅô€Fe•.§IÜÌ�åKqïÿæu g<ßÿ]ïBq&µ³/¿à{‘æ 4~¬»µa½†Þ~ìp<²K� mª_¾(f¤H��I)¯ò`ïOGÑhsŒtbý¨/ª¥–úŒö:8˜Ó2U«@�-U`$ø=z›9ŸGÝ¥jŠ¯<ƒ_R¨ìîž
-4¾`öc“îlòc5$ÒªøöO$çUj�iXÊ8K<ç쯢ý±>連szT„M™3ZËÏùè,e?õG[ý× ìQÎÉÕ—d×@‚p­P6ÏŠÊ1ãd‡58ú
¹ÁcLendstream
-endobj
-1109 0 obj <<
+xÚÍksÛFî»…>Ò3»O>î›ËMz9''«ss×öE­-N)R'RvÒ_Àb—"e=Ò‹3M<‚Xì.¯@ñƒ?>JtÈdªFqªB͸å«6z€±/¸£{¢qŸêõìâ‡�Ò0�D4šÝ÷ÖJB–$|4[ü¼y{õq6™^Ž…fA^ŽuÄ‚×ïn¯	“Òã͇ۛw?þ<½ºŒU0{÷á–ÐÓÉÍd:¹}3¹s©´€¤[â?n'Dtóîýäò·ÙO“YÇrÿXœIä÷¿¿üÆF8ÝO,”i¢GOðÂBž¦b´ºPZ†ZIé1åÅÝÅ?»{£vê!1i™„:ñ
9	yHN:
#	C(§íz‘µfñ+ÓN(YÜÖ­�ª4h—Y‹P<-MEPVÑXÖ¶fµvÃECÏU¶0µ5‘-LiZ‡ËÊ’€Í%O“×ö¹hÜ‚MSçòâ¶,Ú¥›G�*[™Wž1ãWJ‚miü´0*$3æ<Lµö˜ùÒä¿Û¥As÷°³L–/ô©hÚ¢z ·!ƒ„k?¯MˆKƒTùˆ«PªH Xa'ÅBÉÄî¦VØJ]g*EivS=[vªdaónjÈÝäÙeÊز¡ê{g™¦©·›Üø7àqáH²Êqú/Rò\ÓóçÆM˜-ÍÊ1Ò·àC¨0U\Y>fKT¨ÔIИ¼-ê
+Ä.“((IÀ¦üŒÃi0¯7S?¡hqÂ=½¯h|zó†ÐàÊ-²0M¾)æÆí`U‰´y]å

+±x\DfôJ§Æ•sG=íi)À~ÙtŠVì&‚0˜�ù´.³¢Â½¹pV-¹t†€¸Â�m³
+ö€0͇œ¸Kg°­Ôp¿3ý¥¢èèÏ1ðlÝ£¢Pû<i‡®›Ó¢è¨Îpò|5ä„‚âX
N¤�ÞŒy¦pî‚#²h#TQ~/ËÉúÉŽ“ÝÅÒKÊÜ5ö·ý#r‡JÇj¤’$LáíK2q©’0fñ^&þÿÍòŒô|ó(4�ÁZôqi¸Ô¸;ÔXÅP$G4±”Ï xð�ü©ò>M�S$�ÛtªðWpo 'Œ–»D¡Ë)¦®°*ŸQo+JÆGA–Üç÷ëd€Ò†ëJHP,SbIš!OˆŠ-¦qN¬Ô[)ÅZÈÐ/Ç‘Štp…ÂK£ÀT9d"hŸ©x4ž-
<fåÖè¢1Ø íSò4vi¤±^Ñ"•Œ­‹%’¬kp™í»Í°ž9¡§ž
+Ÿ5¥ Fº€4›½Eé”9“�AžÅÊŒá¶äÁ¸,Ò
+;öÂŽ5˜zHªŠeõU.푽Já4¨²òëtHWÒ]ÙÛª°!PRŽŠO¨¼êja/~åk;@Žl½)VÙ¦ÀB_·6ÍChî0ƒ$ˆP¶Ü9�úÀQqRă²iC %†pã:y
ÊŠ�^	‡¯Ëú	
”µM„"›£Ò"~ÝŠ€ùáâ·]ø|ã¾î‡œÂ¥-Ͳޖ‹aN²(š<sùé)«î™Ë×™à7�>2á�SÄç¢�L£0qá'/¡L
+û‘rÅb"Õ†€]dm¾ÙÞŽ’ªE‚mM–pלp²U<é2A%¾9r05õÊ`dt7»51ê«tE…­âNh¯'–—ÒÞ®ýùWdq<JCТ+ŠCû°Ï2gÉÀCE
+åŒ`à;§û±ÅŸÆ|˜ß×eY?u-É^oó‡5h#Ë	pÞe$‡/ a-¸vTÞ+!&ŸÒ5ÇÓh�AG*þ¦Ñß â
+tLAÅÁ	ÿPC@†§}Ç*ŠUd;WBÂÝ×´e‹…s_ÛQið®¢òK
+µmWðB®â$ú9Çè
;gå—$Ñ	ùõ{©Zô• 
~ù’~Æqù	í¿P�ŸPꤔm\�Ä"
¶\xÜgÉxsdU?]ãƒÎvÃ÷ "{?¹»f{�CxÛ|ÚÝ@®óÍñKÔ
 MÕ¢pE�k©jacöIŸ„o jѯs¥æ;
+Ç[KoôU¢·À€{D ÷íáFªkdöO¢$!
`…OWIÛfåäÓÚ@žZV:Tß6UD¶	O²M
+þLâ€ÚIü„µíG©Õq-ôÎ÷GXž¤!Üç",œ²å"ìG(µ–<¸:6Ø?aÊ¢k"ïË}…¡:?ˆ%'ÄÜçÿ¥ñ7èåñ8ðœ˜!ÍK"
+Äo&ÓK¨çg¶|`ÁÛºì¾
ûÂø¡h}ˆÍͦu^ZsæŠi{á
+üYÁqáö¸þŽ;z\KLÜÏÉ6²MbjN¿¹½úǤ)Èà†Õ1”l][w]¹2à]Ë4vÝ:ÀØÀŽ}¡²ÈlxIÔ@ì@R84è£ÙÜél­wÀ—mØÅ/Ù°ãLCÆÏe\AEÄ$Eôk§
r›šu™åÔ¡ˆƒ¬”Z¡ñ®m
°Ó
@»®ê‚îÇ$
+ÝaÍ#ô@K<uîÁS�¿6Y„�ÏŒ(¼ehÇz
+D"R`7Kw
+Dx4*
”ú5šë	åëä¬c¡êð«oú®ÌFgSÕ/ýmäî÷¡àô29öÝ®kÇÁ=Šk¡ðbý죸ÿ¥£ê±þ?+–ý`endstream
+endobj
+1402 0 obj <<
 /Type /Page
-/Contents 1110 0 R
-/Resources 1108 0 R
+/Contents 1403 0 R
+/Resources 1401 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1067 0 R
-/Annots [ 1114 0 R 1115 0 R ]
+/Parent 1394 0 R
+/Annots [ 1407 0 R 1408 0 R ]
 >> endobj
-1114 0 obj <<
+1407 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [341.1654 318.5226 414.8187 330.5822]
+/Rect [341.1654 518.2039 414.8187 530.2635]
 /Subtype /Link
 /A << /S /GoTo /D (the_sortlist_statement) >>
 >> endobj
-1115 0 obj <<
+1408 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [434.6742 318.5226 508.3275 330.5822]
+/Rect [434.6742 518.2039 508.3275 530.2635]
 /Subtype /Link
 /A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
-1111 0 obj <<
-/D [1109 0 R /XYZ 85.0394 794.5015 null]
+1404 0 obj <<
+/D [1402 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-462 0 obj <<
-/D [1109 0 R /XYZ 85.0394 528.8329 null]
+470 0 obj <<
+/D [1402 0 R /XYZ 85.0394 728.5142 null]
 >> endobj
-1112 0 obj <<
-/D [1109 0 R /XYZ 85.0394 496.7273 null]
+1405 0 obj <<
+/D [1402 0 R /XYZ 85.0394 696.4086 null]
 >> endobj
-466 0 obj <<
-/D [1109 0 R /XYZ 85.0394 496.7273 null]
+474 0 obj <<
+/D [1402 0 R /XYZ 85.0394 696.4086 null]
 >> endobj
-643 0 obj <<
-/D [1109 0 R /XYZ 85.0394 466.8716 null]
+894 0 obj <<
+/D [1402 0 R /XYZ 85.0394 666.5529 null]
 >> endobj
-470 0 obj <<
-/D [1109 0 R /XYZ 85.0394 410.2137 null]
+478 0 obj <<
+/D [1402 0 R /XYZ 85.0394 609.895 null]
 >> endobj
-1113 0 obj <<
-/D [1109 0 R /XYZ 85.0394 387.9025 null]
+1406 0 obj <<
+/D [1402 0 R /XYZ 85.0394 587.5837 null]
 >> endobj
-1116 0 obj <<
-/D [1109 0 R /XYZ 85.0394 301.5861 null]
+1409 0 obj <<
+/D [1402 0 R /XYZ 85.0394 501.2674 null]
 >> endobj
-1117 0 obj <<
-/D [1109 0 R /XYZ 85.0394 289.631 null]
+1410 0 obj <<
+/D [1402 0 R /XYZ 85.0394 489.3122 null]
 >> endobj
-1118 0 obj <<
-/D [1109 0 R /XYZ 85.0394 109.5064 null]
+1411 0 obj <<
+/D [1402 0 R /XYZ 85.0394 309.1877 null]
 >> endobj
-1119 0 obj <<
-/D [1109 0 R /XYZ 85.0394 97.5513 null]
+1412 0 obj <<
+/D [1402 0 R /XYZ 85.0394 297.2325 null]
 >> endobj
-1108 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F77 703 0 R /F42 597 0 R /F56 618 0 R >>
+1401 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F47 874 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1122 0 obj <<
-/Length 2987      
+1415 0 obj <<
+/Length 2737      
 /Filter /FlateDecode
 >>
 stream
-xÚÍ[_sÛ8ϧð£2ÓpÅÿä½eÓ¤›Ým’³½w½ÛÝÅVM]Ëg)I{Ÿþ
-d—£€­#¿/¬G¯]΋I2t)Ž ¼
Œ^úÙ¬ÈBdôfCìð¨ˆCРwºXŸîÐCk�ûr%Ê2'Ró>IoØ=pÁ´“}F®ƒÕ’?õ �J†ùb–M‚¼Mj°Ò  §å—,ˆè¨ ªE>!µM‰ñXÔwD�ÚjŒô[o
-÷[u²û¬:IÃ
ké>;‡”Ø[K¸ø4(@ÆtP§.øl
`�NOˆÆƒ$�zÐÄäžb
Ö~hô´ÀJ+=¯ï²šøÃaE¡h|Øu|U>ÎQ½
-SÒ»Šù&r2j°²›O¬FA|E×ö€…äOËø•²&"ÿZTõö÷ž	Fÿ-çáŒËPªŒÄzmØ{kCj8¤¶þ¶!óŠõaÚ*cæGŠèáÓÔ†I=WõZ
°Ö¾ vçm³ØWUé;¸)- SÕãF¤–Œkä(«ù´‘> *cWq.tÂá§i•@Ñ9àQ,±CõÑD
-Ï„2dÎW˜ò�}Æ=Q>
-Ьˆ8‚ón
®¯�@pWü;œ¨1z«€�¶jžÎ>¹Šà¬[9Ü­ù*+i‰ÿ
_Á¢T
-é±HÀ¢�ŒÎ?@,tÞ‡tþ!TUÜγ:Â5dP*o`[NÊ9"©
-{.Ü!
-Q8+&T5
bö7k¸;t|é�X'tiKá
ÇE
YO{�‹œå)¿]#î–úÉ™»nÎÜMRÕ
¬ �NÙ)…†°êƃUÂÏ9I¾Û:�W§¬yÍñMk¥o8r'`¤íq±0‚Yé©Z7j�üá¤Q›
Q‚˜³kð¸HB�ÏfÄü<Gǘ+ç†üX¨ènÇx D‡ú;EÿÏ_F¸E_ºs¬ë8Jn‹à
×­¹M
+
-Õ£)+!!Ð2«‘Âò¯5‰bó|¿z)šè´ô83ýÆoüpe
-endobj
-1121 0 obj <<
+xÚíZKs¹¾ëWð8ª²°x?’“W–¼Ú‡¤�ÜÄÉîFäHšZšär†–�_Ÿn4†Ò"G^щ)U	

+X*¼Ì.ÆÅ´^óT¸ÄS N¯&"Ÿ"ß„ÏPØ°¬"'�Šœ„/9UïgU
l—!doŠj´(ošŽå”:öÏO‘ã° bÕIÃ3\lÔìHk§ÏãÞ¶@ôAÂ=“ÒtȦqÖú¸í‹Áð†—õ‹ùâØTT –µ>H™Ín±TMWhÉÇãÔ³**à¹ÒggçÅ¢|�c'MÛ›âd7Ç×2sˆ2B2Š„^í‘Çz£‡ˆß[ó%S6#vŠÃ:É”	ò°!0o¬ŽLùáìŸÀc#ÁwÔ³Ädð%Ê šc1_ÞLÊÑ¿ŸÒ·ªš�ʼFnbý¡¬ï7F½¹1Íß1D˜ìçªéÌDJd°³EyWN££yg§¥
+-o>ÉGQŠÐM’ºÅ�Hš¼5ô¦¬^aÝg7Ë:þ*ßÒŠºœ$gšL(ÚRƒ‹·¿rÃ9üÉɶ­}S“’§†€bˆ"o‚MA‰ÝÚÕ–Ûót᫺_“k
=÷«—…yô�êõîøÄ
+%¶}/˜?ºQãI§�(>Žîóé]± êí,õ}Y•
+‡&¥RJo
+ÃïÐ,’ôÊÔ¥T|�0Z»<”­7Ë8 º°Ê2:B¡Õp·qÿ€
+:Í4ˬ&¢øXVõö|�d
+šÁ
SÊÐ)U´DãChY¢“|Ò‘Þ2CljÌiB‘H!SààŠÜÅd©Äöµ‘„,ñKòرŒØ¼5RJÄ[£Ø!ÝaŸxOôˆ¤+‹ÿÒ¥QK‡½3:(‚m± }’60
@:sõ“;ð[GéN¬#gUGlð-•9u¡„hãÃêPbD<u›FŽ¼;–ϸ³ooõÇS¼üâà�:$i�¡d{Ð?6&û;&Voâe
YÞÌ¢�XŸ=ÑD€ú}Šî9’+‹•t€ZQ
�¤e�Õî|á?’1¡at‚Tçå9µð‚/ø¤ðŒ[Õ‘â
>eVB>Ãx,c 	ÙzMüH±�î÷ÇOÍ“;´½µ¼üdHàs2#;©%ô·
âoÒ5|v8}C×�4�®#ùp_Žî‘´Ií±1©=’+µÇ�Ú¿Ú“/GéÉAž"Âà§áõ±�!{Õ<
+yª%s	¿~.ö浨�@P:á6÷Ëtc�Ùðù›sÝ~òjAéƒ×ðs8d4ÉQÄÔoãd`R�D¨_„+OZÍ­67�[þ5ih±2Z.Ò=|=Iw³òI¹¥$«r@¡ÙÖ‘•E am°ÿ+‰ò¯rYs¢+뜎þâKÂKH8ñPz%ö<Î;Þm^­yÞº5çÌIÖe%“^èÇžó^',xêcæõƒní˜ò»Ð[2…Pæ"F9ûÙ[k
^FY¹êÖZü
+endobj
+1414 0 obj <<
 /Type /Page
-/Contents 1122 0 R
-/Resources 1120 0 R
+/Contents 1415 0 R
+/Resources 1413 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1067 0 R
+/Parent 1394 0 R
 >> endobj
-1123 0 obj <<
-/D [1121 0 R /XYZ 56.6929 794.5015 null]
+1416 0 obj <<
+/D [1414 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1124 0 obj <<
-/D [1121 0 R /XYZ 56.6929 75.7394 null]
+1417 0 obj <<
+/D [1414 0 R /XYZ 56.6929 122.0233 null]
 >> endobj
-1120 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R >>
+1418 0 obj <<
+/D [1414 0 R /XYZ 56.6929 110.0681 null]
+>> endobj
+1413 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F47 874 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1127 0 obj <<
-/Length 3270      
+1421 0 obj <<
+/Length 3228      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZ_sÛ6÷§ÐÛÉ3J
-µö”òìíÙ?{†ƒV7tLMa …T‘žÌt(Òx|Ä´:LE$GÓþw£¼$Ád&¥0Qô
	h\
-4¼«\`�be×L$G‚Æû6¯˜´Þ”Å¢À­u:ÝZp@×®,wB¯*ª%U<
¼Üb„ÄÚÆn[ÏÜçYoo®jæœÿaaÚœç\ÛêqÌInÜ‚&Ñ™ÒÈÍ»­léâ84¢pTji/äÔÏu ®l³"JÒi·h;êØôxüŠ‡fÞØ…ûF³q±²À±çí-3�UË{ªTu–cÚ	eè,2²8’`
ŒœbU(�~•SeC¤~wc…ăÂ/A þp‘z¯r›¡Å¨!
-ÚÇ�8„tZÚ¦áòÝÝ÷Ð*©ßnU¸ÝRlAÒ¢®HzyÕR�”@Ñ^<Ï‹�âQ-v^æc¹�ü÷<
-wûŠ°/þ»`y"çi}§@µ�§2šªò<c:×A[²&“.˜:ÏI«Èòf±-æy&zña´Jû¤Yç–,¡“ˆ\8a‡@h�((_^fTqÛ	Z-÷.Öܽ,ÖEKDJæà…õŽÛjš…RÐîX_Xî;g6ïò
s)ªƒ™v±ÊÁ¿b
-Ûrõž¾™}d.dÇሔ„𱲪›ÖÁ®xzÍc-} ÚWËÑØFV–
-õÝ‚Ãnðü‚¹-Lýd†=
-O‘N³nAàÎ v"Y
ã¼
fÐh€µ¢êCùâ‘HY·åìM¦±ñ}q׌R	¸²íÉ
1ÆÚÅ;îƨ®ð‘�ír”lÙåž\–õ®�Ì}§É�âs²�Ï*xKaÉ¥ÞاC $"5
-•7œ$@nõ†Rvè
c”Ç„Fq«÷ƒèjñ.oy'—QûVX>õ^Nà^<ì1òP®®é‹žÒ‰1â«b¹¢ë3…í
-¨1£
-˹qG[hx#A¡‚êÓ-}³&A©€Ôš¿&•ØûÄ݉$´iï%ã‘yC5VÂC‘Oz{õ’FÊ@‡/Æ‚#FÏ
-úàøÔ†46໶Ÿ?/'Vv–9[?�æ‚~*‰ydç'e‘ T"äen.iÀÁ{;ýЀ¢3 ·1lªhº®1£)˜š<Xš�§À篨èö…$ÛaD‘2'RYT.+@#% ²n¹¢”µ¨:’`vm¨8˜ÌVÃÖ›—<m×PÄÅîV¹DÛœFÄ*Ö`9‚îP¤Ø§½›h73–Ôt	`±9jå³çèHwÄÂ5·Xâã9jÈ‹€˜˜å®hWƒnÐXÚꪌÃÙéÄ̳
-(å“è‰ý]ÜCš;O2Ïû£‘tȇÂË}§~ 2£R×äG×U¾®«bÑŒY(ËqßW}Žž×nsÄ>ÇÆÆAŸÖ-ç^wAAî€6¾¯{½ÑɆ%>Ûá:BI¡óþ>˜¸î5‘íC]x©
-ǽxéîÀ®“ý$´j,Ъ“a-""·rç�3–A0„Æ:98@?|òØK}r]à¾dŸÙ5œ`Û~PöY{HÑg¦1ÜâP%¹öè®
-ãCÏð»CŸÖÁžûRÁ'<Qþ2�L"¡CcÜ5$	ù‘O”€ƒR&üð¥�NÑÁ‹‹Ò.`kb@ÂÊ>p]‘>ÁYîåÚã,¬ð;våKOfE׿š®péŒgs÷Z
¤ª[Ïé–Xó…$Ý»òk€¤û{9lÂË•ßâÙ,cÖ
!wä€8WW
AFG×oNð ë…Ãk<¼°GxJ+Z_„ñþ˜å^~0PÇGòãÑê
-endobj
-1126 0 obj <<
+xÚÍZÝsÛ6÷_¡·“g"
ð½'7±[wR§ç¨w�kû
+ƾº<gæ'͆³¾œ_üýF¥èD&“ùÀW„Y&&óüÇé믯¾›_ß_ÎdN“àr'áôËÛ»7DÑôyýîîæö«ïï¯.Óh:¿}wGäûë›ëûë»××—3¡¢XÅ,þóîîš&Ýܾ½¾üyþÍÅõ¼yx,*”÷׋'9œî›‹0P:‹'{è„�ÐZN6Q¬‚8RÊSÊ‹÷ÿìFÝÒ15E¡„Œè)
+”Ù–¶a[nFi�É0=ÙN�Qœ¢ê%ÌÌBÙ«^ª�êE¤‚L©x’Æ:HŒ‘îAW:Sh„wï+Û¾‚¾H¦ær%rúöêjºÝ]ŠlZ·õ².‰²tkZ›Á´´æÛÛ9ŠŠ¾íÚRcSä34ïã…Ø�N¡Ó°
Ó)àqoˆ{ùLÒi×à.Øz¨wÔ(Ú†ë¢ië]±4%õ·Ýn[7"S9]t-‘‰á1#”%<–ýîoÀY¹µEÙÎð*UÓÆîíŽFŠ
+–oL[Ô~¯+ÛÀ–Q¨¦6X¯�78¿X
+­žÛ	h¼bi©“ÛG[Ö[ç	Ð]<Ñ-�ÍïÈݱËö¼Ã^�cW“�̦·àfJ‚g ïHÅ‹”¶&J³f§æ‰G.ãfQwÌäÑ슺cNÍS3;öTò�ÖnJo¹iÍÂ4Î
±ßtË5µÏ
+ á}å4+³a"9>´¶bÒf[Ës´RÙtgÀ
y]»6<	½ª¨VÔñD4ðj‡{[³k=s¿œw½¿¨qS3gû›�m-ï¹1ÕÓ˜3’Ü‚”&Ñ™²Øí»«Léò8¢pÔj),ÍsI¨kÓ¬‰ÒÀ„lÚ-ÛŽ&6=^¿æ¥ƒ�·féÒ¾VìÅ@\®
&pœyÏLàÔÀò�:U�[,;‘ˆœEFjI°
FN±2À¿Ò©²!RÝØ!ñ ñSÊß\¦�Ùkkr´
Äaû´uGPNKÓ4ÜžÏߨ yûuá¢9¢Ü‚¤e]5PôlÕRŸ”@Ñ^<Ï‹�âÑL-fQŽž“üc…»CPÿ»bybçiý¤P¶�§ZjTÖæLCç:cKÖdÒ%S–´Š‰Ì6Ë]±°yЋ—ZÉt/ ÍƲ„Jcrá”	 =¢ |¶Ì©ãÂ	F
Ï.6<½,6EKD*æà…õžÇjÚ…
+RÐîØ_ž»`6ì–¹ÕÑNK³\[ð¯@Ö|íÅ ]Gl�×ÖMà˜Ž!ñv‹ñƒ4WK�ÔµkÀ<-”�GKCX¨E„„Iþ
ž­€Öò37eìP9¡þ8#5áèÂoLÚõ6|`S®Ùbº­15yÙÏ€+â¢#'è$¿œ{ÙM³©0†›¦XUN8 :IttàarÈs�]®ÒœpéÑFÔÚc®äò{`£¼Þ€
+]
+TøüNâÖý6Ô` ¾.€ŸñáÄ(ØR¦,ÚÂòL‘ð½uiÙŽ:àÖî0©–Tšnµ²
#Š~jÙ†g 5<y]w%ŸÀ‘¾ÈHÌöQØŽ»ôÍÍs!;—@¦$„��uÝ´v%Ó[^kèÙ¾Z�æ6
+X©Y*Ôw»ÅûÖ¶(ó›iöDh<[D:Í»%�;�؉dÕŒólX˜Á x
+A á‹¥
+êL7ôaÌš†ý£Rkþz˜Tâĉ{I!iÓŽ%í‘yC=VÂc‘ŸnzóšVŠPE¯ÆΆÙ3„äÝ>•–›�¥J³£ŽK^aŸüC_Ú�æÀ|7²ÏGàåäÂÎÞp°õÓéºa-è·XGö~S	R%B^ææŠ|Á
¼'‰Ó-(š± ¦ë6¦MO75V4	[“=ðøàþ5]\²Ž@)-‘Ê¢ryX)
‘u«5
 ¬EÕù”ËpjCÍÁF`¶BoQò¶]CxZå
+m󱌫ÀrÝ¡I¹Oy7QnglÉé
+Àbs2ÊwÏÑ•î2ˆ�[1ÄÇsTP
11Ë}Ñ®Ó`°4ÕT‡«Ó™�f
ˆ¯C4:öÚQûÛÂIl(–©õpCyváh¤×Êr
5¾Di©émušÙù*Î5¶ìrŸÔéÖßpLnà®'—kG-ws(¯ÛääÐ ¥@ÐcÓÉtÏô²pl8PÊ+&Ñ5综‡4wŸdž'+é’�ׇIýBdF­®±'7•ÝÔU±lFo.ã¾êkô¢~tÁ‘ølœx›„}Y7\{ݹÚø¡îõ>D$¶øn‡çˆ¥F¬û‡dâ¦×D6�uᥤ°êÐ4Gø‚­a�.ŠÛŒø CE^¹Ø<¨Äuþ�¼h~Á�lUæ¯
+§³øèî®ÒÃ&tjlЩ›a/&"·rï�3¶A0„Æ*Œ89À¼Û»¡ÔcéßcH2�‚/„@
7ض�
+:
+MßÓ’ƒ¤Ö~qîϲTàßR�üU8y1-êŸlþl-J•egþtª
+O—>˸±Ê‚8“éˆèÿnÿ¸Nendstream
+endobj
+1420 0 obj <<
 /Type /Page
-/Contents 1127 0 R
-/Resources 1125 0 R
+/Contents 1421 0 R
+/Resources 1419 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1133 0 R
+/Parent 1394 0 R
 >> endobj
-1128 0 obj <<
-/D [1126 0 R /XYZ 85.0394 794.5015 null]
+1422 0 obj <<
+/D [1420 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1129 0 obj <<
-/D [1126 0 R /XYZ 85.0394 769.5949 null]
+482 0 obj <<
+/D [1420 0 R /XYZ 85.0394 465.493 null]
 >> endobj
-474 0 obj <<
-/D [1126 0 R /XYZ 85.0394 445.1692 null]
+1423 0 obj <<
+/D [1420 0 R /XYZ 85.0394 440.7907 null]
 >> endobj
-1130 0 obj <<
-/D [1126 0 R /XYZ 85.0394 420.4669 null]
+1424 0 obj <<
+/D [1420 0 R /XYZ 85.0394 255.2465 null]
 >> endobj
-1131 0 obj <<
-/D [1126 0 R /XYZ 85.0394 234.9227 null]
+1425 0 obj <<
+/D [1420 0 R /XYZ 85.0394 243.2913 null]
 >> endobj
-1132 0 obj <<
-/D [1126 0 R /XYZ 85.0394 222.9676 null]
+1426 0 obj <<
+/D [1420 0 R /XYZ 85.0394 76.199 null]
 >> endobj
-1125 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R >>
+1419 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1136 0 obj <<
-/Length 2988      
+1429 0 obj <<
+/Length 2977      
 /Filter /FlateDecode
 >>
 stream
-xÚÍ]sÛ6òÝ¿B÷@ÏT8|ì[š8­;‰ÓsÜ™Ì5} %Úâ”"u"Çýõ·‹HJ¦çâÎuô@`
,û…Ý…ÄŒÃOÌŒe6“Ù,Í43\˜Ùb}Âg·0öã‰sæqÒ|<뇫“¾¶r–±ÌJ;»ºárŒ;'fWËßË;<ù÷»‹³Ó¹4<y}þZBi#“—?½øåêì’l˜úÃùÅ+‚dôyùîâõù�¿^¾8Muruþî‚À—g¯Ï.Ï.^ž�þ~õóÉÙUOòøX‚+¤÷?'¿ýÎgK8ÝÏ'œ©Ì™Ùt8Y&gëm3Z©©NÞŸü«G8õK'Ù$8“
-Xò�OZMñÉdÌ*©<ŸÞ—ë²Ê·Õ=�쮠ﺼ]uÔl‹âûÃs§­ªR­™¤O9¨²°­•fÿ ÿÛªHŸÍ¥b™àú8´Ž®Ð¤ê
-	ø8éáËŸÀ2yššÀ™ô¼œ[Ω%?Εцßv†ž+ƒ½ý?ôZ¤s:×'SÆÓ}Ãà
-€u‚	iÓÇ€µ
-6U™güÕªlÉЋÏùzSЮš»
-•¬š¶ƒ¸�¥`
ÁÛm¡í°'ÀBà®!@·*ë?ä™'dDxyI]¤ûyü†…÷¯
-£þ]Ù­â.Ò#ñWŧÜÛŠÖ¸Ñn�\Ó&Éë%
{õ}ÂêG/h�(Qšy…}å�C#û¢
-¿«¢Ú4÷mW¬Û@BÑÛuY‡åw«"®ƒ“Mâ2ÄjÑ[�5Ü·)Ë”Lý4]:p üÌ{CóªäE-/^ÐMÔw?£©h`YT §Û{êyyÁ·
-¹Ÿ”¡ˆXeÈ8F•Å³ÌÙ.…Ï’}ysà«áGØfAe”ÈÆl¼ì×$”ˆ�ãCB;¬¬FY©ŸZ�Zý°~ªBýô}Ñu”¸
¶««7O¨”^QÔf“®\ó®™W”¨
„x”ÆÀΆâ�õÁQ-©C…èÐUr~]vaBÇ[â¸
Ñå&d„Eˆ*ý,B°«Ë®ïl!Ž]@úÝz‘Äð¾ßÒbZ¼Î·%½š¥T@: Žª²U¨øR+å%*&·ÐZäÊ°ŠØâM¡]`€€«Ôˆ¥å€iÕÜQ£j¼
-ÕŒýðšpàõÏf"…ÚHý¤×�L±”§ê+_w&W�

nLò¯y°Š+î©x¦¹�ÐRâÈÓ8€®ga-ãNQ®üþÜ«üH”šNªÜ~ rYš
-ŒÖÑ-•¡€�€.b¨‹Û<T\)ZÐ
¯ÀŒ&Å7'uP€Ä1TgT6kÈŽö*¨¸1}
šCý
,3ú6Ó[4ëf>v5ï
-ýŒZ
A¬âQ�È4ƒÂí½ù°BàT%gôv,

Jî@hÄ´ñœ„qû-}É—I‚
-endobj
-1135 0 obj <<
+xÚÍ]sÛ6òÝ¿B÷@ÏT8|“¼77qZw§ç¸3™kû@S´Å)EêH*Žï×ß. )™rœ‹3Wû
ÀØö»K‰‡±0–ÙT¦‹8ÕÌpaùæ„/î`î‡á×,âåtÕ÷×'£âEÊR+íâúv‚+a<IÄâzõ[d™b§€�Gÿzwy~º”†Go.~†žPÚÈèÕ�g¿\Ÿ_Ñ„õK¿¿¸|M�”šWï.ß\üðëÕÙi¬£ë‹w—¾:s~u~ùêüô�ëŸNί‡#O¯%¸Âóþûä·?øb·ûé„3•&fqÎDšÊÅæDÅŒV*@ª“÷'ÿNfÝÖ96i!˜åÈ'¥YôŸCVÙ”Y+Í>ÙÿmW8	_,á(©1Oœ€öqÀå»aÇ>ª%ÈÒ*¸÷2Ö1³q,FÙ§Ùnç©^ÄF0iA/Pø>°Ÿ_½go/®Ùùë_A¸2�Mt
Ò³œGgÐ!#Áþk}(Emc–¤±ZLiÝu�qÒêo eX,E:Ï )5S(Ç*eŠ
dЫ§¬ÑÈ)„J-ùqžLȽOFÝþh­ˆS–èÌGÆŒÇûFöÈØdœ0�(	|ç	“Z�|—jÆ)ÙN$¤tl¿^—y�âS¶ÙV
ºusïáý}C�lµjOE]Wø¹Û¦E©Z@,™P@‰Ï¨>­ß;X¢˜M¬ôË¿óÇÉò5õš[OŸšUy‹§¸-è0uOà¼ÊºŽyìb0 ‡iÑ¢|
‚ǃ;–à{9¨×ë²Ëw]W6õ>É·¼w-ò¦]u3gêœj¡Ò3`Œ²2Z]Þ–7Å
+‡*Ênš�\L¥pþf“•5Á»¢ýX´~O×7t%š+kàî&ëÝ¡p>óë²aoYxža^>ÍÎuò‚f	šöUçÎ!<ƒ§»ï×%€àŽ£Û¤—+oêÎŒBWÂÉ
šmÖöe¾«²Ö�Ë	b×±Ú½+¸­7Íå¥xÀrW~,üd`öëlãqýÎ
§ƒJˆ]·ËªêáT€«@�Q&º!Ô°¹ñ�¬ºÏà¾{W"½G&
+­›®
+ÜŒNc°†‚à]‰¶Ðõ8’`!pß _—õŸrÌ2 ¼º¢!žÇYhýƇ­Ó	€l³²% ¡PÑ*ë3ŽLÂòAW`–X‚=àhŽÑø¾ì×�ÊÌUIüUñ1s¶¢5Úm�kÚDY½"à ~~LXÝLã„
=p
%J3«p¬Üuhf_Ô
+^ù¸(x«é¥Ø°!f)pÏm@ÓU ÊOÀl04§JN$ÐsâÝD}w+šŠ&VEzÚ>ÐÈÉÚ„Saœf”×\
+B¤^·yù;ç2PpÂDJaùþñü¢pJj¶mÙ´eï‰;yÑì›…ѱSÿ|Òé
+Jü@ ì¦kª]_ÐhSd5Ü™Öü.eL`8iX>0
+ø5˜nêÊ/L,ò¾DÝÅqàk©ëÞ÷
ÕÄIà$7ž¾+¬óæ5§¯ÞؤôÆfôhŒÐ÷Þz^'°ë,Åho¥›¯�OtІÚ`sû�í™ lìݲd�äËý™.zŠ]ô4KU�r‡Àk³ëú™ÂHg¬_D2D2ñ
tr\c“•îº&/³Þ½&ûÁãÔ��ŽaøÖŸù¬¥öþð�öH'0
¾<{{¾ÿ$�žaðºs"º�¼,½þ½q,™ªMº$7´¼ò[:¥ñÊCGڛƽ’6xÂÁlòøŠH­:Ô:|´Ø'=ºjzòÑ8.Zòé-V"åÈÎh­÷•¢ò`[ÞÕͨ:tþ¢†g;sN^ï5Òàˆ`Ëc${H ò:©ß€Áõb;y&Ý)j¿+Ps÷Og´`Û¦¬û	�™{Þ<ø\f]LÔç	½ó¡¦�²Ü8‰v%
+ôþ9™2‹øË’Äù]ߢ´î´ÔR¥DØùÌ=6`é:Yhž2mâ­çË›
:1–5”ä$6è$‘à§��zÇÅö¶fõ)°Õ@2?=Ê×Ýù(bL�óôrS©b©´æH©˜5¸Ú˜¡Ã¹“î(Çù<öL	¿,{^RŸTb¡>ÇžÄ0câôä”?C™Ý–5íÝÜ™Ðýs'æŒ+ž¶6+,¦’{zl?�Œ&—`ýL%N§\)QgÑ„ø_˜E¢ËÓÏ°È
+ful¼�OðHç‘£þ¢,z~eñ[<hq	×æK+‹�3“觋JH†elÊ¿)>�r’J)B´
+ÚlÔ—›bÙ7ËŠR:€�â×Y_&².ö/ª
(A †J.oÊÞOAäxG·>¸Üú<¥ðA¥[EvuÙwSÊÂØõΉ$D÷I‹	ô&kK—–",5‹O'õÛÊW\Q–ÒÒ`èåYN‰
Ö;|tâÙ à*uBÚcZ7÷Ô©'
+ﮀsINÊùþ¼—ÜHšŽªÌUˆ "›šò|ÖÁm•¾Ò�€>`¨‹»Ì—fé™W
§¿Œ…�Sê R‰s¨Í¨kÖ�íÙ“×pc†btÇBfpmf0&èÖÍ\ìz9|‰
+6Ù§r³ó«ÑÏ�ß×üË0²‹OÙ5–?5`�m7–SÔš>oF81ˆ\¤ è‰6|�‚¡*+ž$à¼!3yò§�P†Gu‚šD¥öi�Õ†AÜOIÖßœ›ÐX¢¤z¼ÂƒD<’/$OÝ—žZ*±Áš¾ÙÄ•ûe¨Z€üöÈÐ4r{ê#÷��!�ò KM]øÎ3£ÃÞk·Ù®êœÞ Åøô‡o#X`§ïk£¯J+ù
¢®èŸÐŠ	¿¿N„‡Z¡_R+8ðMÒ�KŽk…LÇû‘\Ü
Ñm¬¢súÌ,
MJãAè„rµq¼„†x‡ãŽZòfÒø(€ú£G„AY¬¼ºr!áð%a!$6{žŽ:7zÇáÁËñÑËñ©—ãþ.Þc5°ò)˜°ö¥à~Sñ
ÞR‘B䃆,5d|<�ŸÎ|@kân³DKH’¹_9ñÅgÓÝçþ¦jü]8W•$GTzÈÇ ºF\¨
qòè_�ÖJe‡U“£ÿ	ùM%endstream
+endobj
+1428 0 obj <<
 /Type /Page
-/Contents 1136 0 R
-/Resources 1134 0 R
+/Contents 1429 0 R
+/Resources 1427 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1133 0 R
->> endobj
-1137 0 obj <<
-/D [1135 0 R /XYZ 56.6929 794.5015 null]
+/Parent 1394 0 R
 >> endobj
-1138 0 obj <<
-/D [1135 0 R /XYZ 56.6929 756.8229 null]
+1430 0 obj <<
+/D [1428 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1139 0 obj <<
-/D [1135 0 R /XYZ 56.6929 744.8677 null]
+1431 0 obj <<
+/D [1428 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-478 0 obj <<
-/D [1135 0 R /XYZ 56.6929 645.1992 null]
+486 0 obj <<
+/D [1428 0 R /XYZ 56.6929 672.3174 null]
 >> endobj
-1140 0 obj <<
-/D [1135 0 R /XYZ 56.6929 620.8596 null]
+1432 0 obj <<
+/D [1428 0 R /XYZ 56.6929 647.9778 null]
 >> endobj
-1141 0 obj <<
-/D [1135 0 R /XYZ 56.6929 421.005 null]
+1433 0 obj <<
+/D [1428 0 R /XYZ 56.6929 430.1905 null]
 >> endobj
-1142 0 obj <<
-/D [1135 0 R /XYZ 56.6929 409.0498 null]
+1434 0 obj <<
+/D [1428 0 R /XYZ 56.6929 418.2353 null]
 >> endobj
-482 0 obj <<
-/D [1135 0 R /XYZ 56.6929 255.583 null]
+490 0 obj <<
+/D [1428 0 R /XYZ 56.6929 282.7013 null]
 >> endobj
-1143 0 obj <<
-/D [1135 0 R /XYZ 56.6929 228.2785 null]
+1435 0 obj <<
+/D [1428 0 R /XYZ 56.6929 255.3968 null]
 >> endobj
-1144 0 obj <<
-/D [1135 0 R /XYZ 56.6929 186.806 null]
+1436 0 obj <<
+/D [1428 0 R /XYZ 56.6929 213.9243 null]
 >> endobj
-1145 0 obj <<
-/D [1135 0 R /XYZ 56.6929 174.8508 null]
+1437 0 obj <<
+/D [1428 0 R /XYZ 56.6929 201.9691 null]
 >> endobj
-1134 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F56 618 0 R >>
+1427 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F21 654 0 R /F47 874 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1148 0 obj <<
-/Length 2593      
+1440 0 obj <<
+/Length 2405      
 /Filter /FlateDecode
 >>
 stream
-xÚÅYÝoÛ8Ï_¡‡{��Šå‡¨�Åa�lêô¼h“^ê½.¶ÛÅ–c
²äZrÒì_3R–l¥iw÷p(P1äp83œ�ßÐÂãðOx‰f\¥¡§!Ó\ho±9ãÞ¬½>–&pDAŸê§ùÙËËHz)K#yóU�WÂx’o¾üè_üëüÝ|z3	¤æ~Ä&�Ž¸ÿÓìêͤô¹¸¾ºœ½þåæ|‡þ|v}EÓ7ÓËéÍôêb:	„
-µʲøíújJD—³7ÓɧùÏgÓy'r_-ÁÊûùìã'î-A»ŸÏ8Si¢½øƒ3‘¦ÒÛœ…Z1*åfʳ÷gÿîöVÍÖ13I%X¬•¨�%°è�+±D¦1U§,RRuF
Õ˜QCÁ¢4Õƨçe9	T*üz…_é·ë¼Éij>ÓÐä2Ÿ•íËÖÕD±¯ŠÖ’Ð~á7ù¢®–Í‹IʸÕû»õ±ðYE»níQù—mY,Š¶|¤ùf›/Šß9—ùÒpŠüU½£¥üK¶Ù–ù¼¨——:îiȽ@–j-�nb­ø†È†�)K’8r¤b–BzÝÞÜ€¥	”fBðÈ�¢Ï„à@œsVÝç;´:ÎÛl»-ª;ú£¨è;{wŽœBÊ�¥¡
Ï›ÜòQ)÷«lƒ£$õw‘øyS—û¶¨+Zý�kÞ®³–(
-²±öÛ]V5efé`ee6×Ú5{G³Ùri™6´`.ðP`-h¶h,ùb]€hKš½}¤ÙMgÑ]8G‡±W=}E˜ó!&Y¶Ûf#v�°)�Ó­,ëMV}b?«PŠ$òßÍoh@Š,jó]6ȱäþ´jwEÞÐ&ÚñìÄ‘fyp±¥…M¶Ì‡œÊ<kÚ ­ƒMÝ´¨€8™­®”§šâ®2¾^w%47§ÃµIpy:,[E™¯­2ׂ3»ânÝ‚f!�ýù¯gé«H-Ãz»­›¢Íiúp�Yt¼,µò²GšA¯ÀoÏ+r˺3®ï›}V–�v÷®h£ùÑõ¶y…’Ê$Ý£_*ˆ�7�Ë 'UÈœå¡h×4�@Z÷”Çî)­á‚€,Ê$S–A½/—´°Îî-W{øƒe±…Dñˆ}rñÒz}wЈJ
-Î�ñÙñvPT)é®D'Ž“Žýfm¥ƒY+Ìf4aœÿv¡½7ƒENËC—&ʇuÝØåeÖf4i²¢;…dˆí„1öƒŸýÈK{×bü“Sqô(L%æÖ…4«ü
$ÿò.m e`p‰4Y¬èKRÁÀ%Ä�·Î,å¦îœÍГW€ŽõA×R‘‰@ö+€ÂsÌ#×65´ÔlQo>ÑÅüÇ•^HË:=�HÈC~K­W©b1��jýŸÛåéÝÔ“Ð>¼ìÐ)?dtJ:æ,	•èÀÁ t
-)˜RJ{@ËBDhÅ\ßÌ^Ï
-õUÄ*Á®qÊß
-ÄÂÑ7¡j! ÖðɘIœœ|�ǹGFíš”Ph&Eöñt$¦œÅ¶‡°!Ñ!åÕ«´ÑN‚q¦•-´¹o
p
ÿKÿ¤Ý
-0+  �¹Q˜}0*Á+/ÚÂatÄþ+sOf•¶Þ\^ЄàJÓÈ´U8 4DÍþ¶É?ïóªuÜnó¼¢Qþ@þ2_2j:?¬Qª¯
¯N…�5:°Qn›¼\ÙqCßE™5�룗ùϬ,}†o88�½¶;ûÚñ›}c™ÝÚ™Ú
-ÐÉÝXmea�’	¸‘¢‡€qæpÓ$ݶ•jQî—y÷ÆÐË´
-\=ŽÄXúø¦O)´¥{1Â
-ÐL"”c4»ºxóË«éX‹
AË'²Wµa)C@>IìxÎçoÈ�„º SŽØCAxñôL؈˜;[vøqÏÇÁûǪ;ü0"—ÒLcF1ZŸ-¼&¦9:=<‚À†ªhi?Žp�%bg7€vôÉ‘›„y‰îÓˆø�@ÊØùSüÜåÇdbÙä­ñ+áÜUtRË®ù.óÃè¡ ¨Öã©Na$[Êš¾YõHƒ}õ*•}|£§Ï-J(H
¹=7£�Øì'l4Ó«îÜc‰Se�.z¯ "¤†¯É¨¶/Ä醾¦;„“‹
½ŽE”ÈÔ阃Ñ7lBHwWÿyMŒá¢º@Ýzþ3`¥¶‹.þ~‘jÀŠ�E&uê„¡ð
}{û Q�©
-ќć}Ú…Œ¦–¬3åÁ	ÐÞugw²°õ*soJ
é£W®Ãí0ÿvï�a£”A‰�žœDH'-=EÝí7]
(\½h‡uÃ`3“ÎnÍ£iÎFnˆ
-*í)\
-endobj
-1147 0 obj <<
+xÚÅ]oÛ8ò=¿B÷ —¢D.dS§çE›äRïu±Ý>(¶�%×’“æ~ý
9¤,ÙJÓîÞáP b†Ãá|Ð, ð�J*t¤:&’2,6g4¸‡½7gÌáD)êcý<?ûáR¤�&:áI0_õh)B•bÁ|ù1¼øÇùÍ|z;‰¸¤aB&‘Lhøóìê5B4~.®¯.go~½=Ÿ¤q8Ÿ]_!øvz9½�^]L'±ä@@8¿__Méröv:ù4ÿål:ïXî‹Å¨0ü~>ûø‰K�î—3J„V2x„?(aZó`sKAd,„‡”gïÏþÙìíÚ£cj’B©x:¢'.Æô$5Il=�—å$š…õÊ|yØ®ó&GÐ|þ¶Aà2Ÿ°p•íËÖ!Õˆ±¯ŠÖ¡ày6ù¢®–Í«Ió¨Õûûõ2Y…§îÜUù—mY,Š¶|Bx³ÍÅ”ò|i)%áªÞáVþ%ÛlËü•Ñ=x‚îIHƒˆ1¢¥äV6¶tƒhEpM”J5 ,â0XÐ�]‘lj„$ŒÑÄ¢7ˆÁ'(¥á¬zÈwFSÆÞeÛmQÝãE…ßÙÍC<r;0Éc¢c[š·¹£#4
«lcVJ‡»	SaÞÔå¾-ê
+wÿ ’¶ë¬EŒu,Ãv—UM™9<ØYÙÃõOÍnš-—ŽhƒÖˆ°a.Ò¡EãÐëX["ôî	¡›îBœ‡A)ãôySUdï‡0#Ùn›�è<�i@G«,ëMVXyÒ0«*	oæ·¸@Aµý.ˆÍ”ÓpZµ»"oðN,{pÄ‚Ý܃dqc“-ó!¥2Ïš6jëhS7­À„òìdÅÔÓ÷•õ]ðr°WÈhno³qpy¼,["F™¯,®°f1�]q¿nA²˜¦á|mÌb ø(–%½ÝÖMÑæ>\d7=-‡-ÂÇì	!Æ+Ì·ç¹#Ý©Áìï›}V–Oîô®h#+ù‘yÛ¼2œrœî�_
+ˆ�Ì—1žTrà,�E»F°É
+ö2(!þ¾uæ07uçl½xð˜FãZ"	/Màý
+`ƒðóȵKÍ6YÔ›O˜ÿñ¸x3iY¦q�PJRÁ¾¥z-HJÓ£êýçNy>z’<Ë
ž£@Ë-ý‰!©¨“)’J‘4•êÐCõ+'ãŒ!d 5„Z±6ýíúvöfM‘d‚†ÃxèÒx_…’*“„ýÛþšFWÚºÿ�RÒ„(Õý¥(J 
»Ä0‰T
+ê0z
OÁP0‹U]“ž³‘畃·¦ÿMåúÃÿ‡Ë2͈J¡œG<%JÇi¿Q=iX9è5ÕÐG‚)cõM}2ãDk?3J•(öJõ'Ž”Ú�ÐwƒÃÇI¿�îõˆ²SÆ® šØ…ÌU¯³‘I̬Q"ìcgs
Þ½5üÏÓ
hÆX‹M�NUl®>ŒÐXk�H½µ•õ øa¶áÁë$
+zByÂQŸ²
+²ïò)¡ L§Š@Óƒ.?÷-^2h£�ɼX>W ^Ÿf%!Ư„¢ã:È¢:t�v‘O ®0‚J¶s[+³…#
+$$Öf%
�Ôz8âš	îxz;®n>|°O[4¼¸:g~P°~w>»ŠÞOoÿ5½Ïmæ¾ä`
`Êlñ�•�d`ƒÑ×ìÃI¸šL;wóvJ.®ßdر‘¹"žÚƒš)
+endobj
+1439 0 obj <<
 /Type /Page
-/Contents 1148 0 R
-/Resources 1146 0 R
+/Contents 1440 0 R
+/Resources 1438 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1133 0 R
+/Parent 1448 0 R
 >> endobj
-1149 0 obj <<
-/D [1147 0 R /XYZ 85.0394 794.5015 null]
+1441 0 obj <<
+/D [1439 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-486 0 obj <<
-/D [1147 0 R /XYZ 85.0394 714.4345 null]
+494 0 obj <<
+/D [1439 0 R /XYZ 85.0394 732.3673 null]
 >> endobj
-1150 0 obj <<
-/D [1147 0 R /XYZ 85.0394 684.4451 null]
+1442 0 obj <<
+/D [1439 0 R /XYZ 85.0394 702.3779 null]
 >> endobj
-1151 0 obj <<
-/D [1147 0 R /XYZ 85.0394 595.1519 null]
+1443 0 obj <<
+/D [1439 0 R /XYZ 85.0394 613.0847 null]
 >> endobj
-1152 0 obj <<
-/D [1147 0 R /XYZ 85.0394 583.1967 null]
+1444 0 obj <<
+/D [1439 0 R /XYZ 85.0394 601.1295 null]
 >> endobj
-490 0 obj <<
-/D [1147 0 R /XYZ 85.0394 394.0393 null]
+498 0 obj <<
+/D [1439 0 R /XYZ 85.0394 411.9014 null]
 >> endobj
-1153 0 obj <<
-/D [1147 0 R /XYZ 85.0394 370.8687 null]
+1445 0 obj <<
+/D [1439 0 R /XYZ 85.0394 388.7145 null]
 >> endobj
-494 0 obj <<
-/D [1147 0 R /XYZ 85.0394 305.4099 null]
+502 0 obj <<
+/D [1439 0 R /XYZ 85.0394 323.2073 null]
 >> endobj
-1154 0 obj <<
-/D [1147 0 R /XYZ 85.0394 280.4837 null]
+1446 0 obj <<
+/D [1439 0 R /XYZ 85.0394 298.2648 null]
 >> endobj
-498 0 obj <<
-/D [1147 0 R /XYZ 85.0394 138.799 null]
+506 0 obj <<
+/D [1439 0 R /XYZ 85.0394 108.8668 null]
 >> endobj
-1158 0 obj <<
-/D [1147 0 R /XYZ 85.0394 112.5279 null]
+1447 0 obj <<
+/D [1439 0 R /XYZ 85.0394 82.3901 null]
 >> endobj
-1146 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F56 618 0 R /F84 797 0 R /F86 977 0 R /F77 703 0 R /F11 1157 0 R >>
-/XObject << /Im1 790 0 R >>
+1438 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R /F47 874 0 R /F62 990 0 R /F63 993 0 R /F53 957 0 R /F11 1293 0 R >>
+/XObject << /Im2 979 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1161 0 obj <<
-/Length 3047      
+1451 0 obj <<
+/Length 2130      
 /Filter /FlateDecode
 >>
 stream
-xÚµ]sÛ6òÝ¿B~ g,ŸÑ77Qrî$NÎQ;�Kó@I´Å9ŠTD*‰ûëoH”E¹îe:ž1– °À~PbÄáOŒLÊR'ÝÈ:Íf4_�ñÑ=¼{s&šq\4î¯úyzöâu*GŽ¹T¦£é]WÆx–‰Ñtñ)I™b€�'ÿy3¹KÓ××o
J™¼ü×Õ‡éä–^¤aéÏ×7¯hÆÑðòýÍëë7¿Þ^]X�L¯ßßÐôíäõävrórrñyúËÙdº»rŸ,ÁÞ÷ËÙ§Ï|´
-Éœ3zXøhì“2u§qÑ>¸w¢Ú[T*©=Дùw£T2Œ,ÇešLê¦Ç]ã'ïF zFI¸ûþbœŠd
-ÿerd€“[iG)HD"
-> ¯ïƒ.ð±ÚêL¥ÚÒL«-�4?äÙ^Ô\?u{Ÿ$x,C”'‹@*žíÏìÊqÄ7E‚§;ÕNƒbïsÊwyëݾOE˘\L¾wEÝ‚;ù	üŽˆ"FCx3¹™@æ	,�Nþ9‹88åX™SÅ8W1À÷dS-Û¡lK²ŒËçÇ°…E)FÃðÇ
árLHc£¡Uy;t#éX–Y×7³Gh\9‹wîÖ�ÀÍ �ä
öÿ�˜ÿ#A�w�†¹¨×ö”Àýøa“ª¾‚Kˆr­×m€|^-ÓdRØ® ùœ†¶Ø”EØä
FZÙ6[øû	Äî“%¿¹®Z”w¸äÎë><ßù>jš"Ÿ/ÃJ3œ…­yMc	†“CäÇ2lÈöÇ‘êƒ ý—¬‚"-Qs<L¥)%	©
<ÃäŽE	ÒÁ÷E�w
-k½Õât[t-A>'�WG|—4ùe[ppŽ—¼^7XCyŒÛ
/¤îo†*«
¹T$ä€úEQ÷9&*;'×Î7åì	''lpB/јª¢
;!ÿ¼zõê–]Ý~@f^E|ñ€ c‡ÜqPÛ÷·×o®¡~NÁ'r†Ù„d=¼Wl(Í
-Dÿ‡ûÄX4Ü|¤ñãäö·Éí9›ü~õîÃÛÉóP	i	<§áåÍÕ»ðòœñaÛ§(Æ”"”µ?á„ø7(8!ŽY0D”8A”xB$ŸäŽx
-Q�3´î™Ò“ÏD*Ÿ‡”Hfl˜
-¤‡Õ¬©Zz…U›ó)?ÑGhß)�¸‡ù
z¦!ÓkÚrQú}U—Ʋq]åsJ0&qž-RdŒËìÐIÒíS;x
-ýaìƃˆ…,®ºGÄ9=Ÿ‡Í5Íî°5Ûn½í~h¶ô¶.|‚%É|q�É×Å~ï@•Ä!Ô‰,}B*ãÝš�oQЀû|4Ìòù[Ȩ–„Dô{tXžÛõèê¡B
D¨^O¨¤`÷l
-p£ä.��wƒnÂB+?(<%x§* %þzÝijNøÉ™VÜ>éŒà”èòv¨“.eÖió( ê@ïþJa÷RütéEñéùýùó
-z-vß<~œª±ä—êr1dÏPÿ«'(Ș.š{4
¸<”ŒÝ&ŸûJ%Ž{´êq€ê•ã*DF¿øÁ„wÍعV¿ÓÕˆý`Gˆ¥Ô–„gÿÕ‚xN�‹b^®òŠ|TÂ54üYÐ%Æë|±(
kg‡>%¼£<2Ø#N)Ÿbq
-Qãk^Vù¬Šig
-¸Ã'š4Ý_ýÛùÒð!�§RÆ•Œ¶j)0žY¹�Ô·ú!ŒÍ;BnO!‡ÔL»½¦õÖ˜Q®�;�Xµ‚|�?j‚,A“÷Äñ“Ä�{q*�‰À÷AÃçÚEÃ;ð‚i-c&óûpH»Öµ áJÛõš`ÖŒ”1ÌŒMø(
-endobj
-1160 0 obj <<
+xÚµMsÛ¶òî_ÁƒÒLˆàDo®­ä©ãÈyŠÚyÓ4Z¢,ÎH¤"Rqýï»Àe1®û2ÍËÅb±»Ø/€%~,QšhËmb¬$Š2•Ì74y€¹÷,Ф‘(íRý<»xûN˜Ä«¹Nf˯ŒÐ,cÉlñy ‰ Cà@¿ßMFÔ+:x7¾ˆ	©øàú?Wg£)Nè@úóxrƒ‹ÃõÝäÝøý¯Ó«¡‘ƒÙøn‚èéèÝh:š\�†_f¿\Œf‘»j1*œ¼_/>¡É´ûå‚a3•<Â%ÌZžl.¤DI!"f}ñé⿆�Y¿´×LŒ.4ï±}vR–h
SÎNÓ"_€R"ä•Ì`»²lPÏ‹¦Á™vU ð¥|]8¥ál‡5cÄ”rL—庨òM <ÔÌ2ó°C¹Ä­Ë¿/Cض¬æëý¢â•U[÷Ëå§ó6N–�ù¶†%p‚êÁxdb™8à8\¡ê]ùPV=²J¨Y ‹ì›m1/�  ¬IRI%É”5I
+V±JqOŽÂ‚ó„Øó€±cr¯& ËvÕ#«³4œ!.ï¦ã÷ãI�°ÒÁtMÑ"[o;7®ò€ù–¯÷Å„k�r÷X6E$
+À|¿Ã©Ú>™œ¾‘ÿT¦¨üt&h:a¸2ÍÀt†XÁ3O8óbÈ,žŒ‡Ñ]eôiO„ô3‹z“GrïŽBšoÅ.Py‹ùdh�yò	±«<ì·Ý•õî|é¹Y„fÄ­2ž\ßþz3ê‹	~užºš'lÁ£˜&d‡èQ˜âºŽ´Êƒ1ï‹¢BõÌÑ´}IJg²…V¯ÊRŒk•ìÏR4I­ œkû}^¸Ž¯
+¤qÑà#Áa�Ã25ÀèqˆfUïפ¼/·+š¶Þ
›/[HÂ~"ÉPŸ$CÁ‰VÇ OÒÃqâ$ýu|ÿDe!!%°ÈÒ�”jp?ä�œìRûšà�.]¸±qÅ%àê
+iW…Ë\ˆD
+�ò;ûu›p¸ÅkFmÂ9'Lð×4ÌšoCͳ7ÇÿoUç

+endobj
+1450 0 obj <<
 /Type /Page
-/Contents 1161 0 R
-/Resources 1159 0 R
+/Contents 1451 0 R
+/Resources 1449 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1133 0 R
+/Parent 1448 0 R
 >> endobj
-1162 0 obj <<
-/D [1160 0 R /XYZ 56.6929 794.5015 null]
+1452 0 obj <<
+/D [1450 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-502 0 obj <<
-/D [1160 0 R /XYZ 56.6929 602.6023 null]
+510 0 obj <<
+/D [1450 0 R /XYZ 56.6929 572.7144 null]
 >> endobj
-1163 0 obj <<
-/D [1160 0 R /XYZ 56.6929 580.3261 null]
+1453 0 obj <<
+/D [1450 0 R /XYZ 56.6929 550.4382 null]
 >> endobj
-506 0 obj <<
-/D [1160 0 R /XYZ 56.6929 499.3874 null]
+514 0 obj <<
+/D [1450 0 R /XYZ 56.6929 469.4994 null]
 >> endobj
-1164 0 obj <<
-/D [1160 0 R /XYZ 56.6929 472.2263 null]
+1454 0 obj <<
+/D [1450 0 R /XYZ 56.6929 442.3384 null]
 >> endobj
-1165 0 obj <<
-/D [1160 0 R /XYZ 56.6929 264.3736 null]
+1455 0 obj <<
+/D [1450 0 R /XYZ 56.6929 234.4857 null]
 >> endobj
-1166 0 obj <<
-/D [1160 0 R /XYZ 56.6929 252.4185 null]
+1456 0 obj <<
+/D [1450 0 R /XYZ 56.6929 222.5305 null]
 >> endobj
-1159 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F84 797 0 R /F86 977 0 R /F77 703 0 R /F57 624 0 R /F14 608 0 R >>
-/XObject << /Im1 790 0 R >>
+1449 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R /F62 990 0 R /F63 993 0 R /F53 957 0 R >>
+/XObject << /Im2 979 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1169 0 obj <<
-/Length 1031      
+1459 0 obj <<
+/Length 3279      
 /Filter /FlateDecode
 >>
 stream
-xÚåWKsÛ6¾ëWðÐ5c¡x¯£âЮ2®œJì¥iŒYœ¡H•¤›¤¿¾xQb(ZÊÔ¹U:`µX,ß~X¬P
-
6û	žôÜýy›Yg4ë[½I&?ß1H fA²íù
-�‚$ûÞþ2ŸÄ«éS20�QÃ7‹å[§‘n¸}\Þ-î_ͧ<
-“ÅãÒ©Wñ]¼Š—·ñt†HD±v@¼‹?—±3º[<ÄÓ�É»IœCîAbâýkòá#2}ºwˆ4ø¬@€¤ÄÁ~QhDH§)&ëÉoG‡½Y»t¦À0%ÁŒa@˜ÆæÅmÝPoëEB�`”v�!
I¹�ž`€%Gè£>ô#@¡
§0‚‰Å¾mŒ¶%=[n\R³…±YÔ&ÿB¬šéŒ ¶;elW[Mµõ
-7CÂ'Uª:mUæôõ‰Pm*;f�NP$E¸Ø:ã²j�YsÜ)ëvÊ7õ9/ü^Ÿ”‰XǦ�nÂÄ6ȼܩ:·šŒ?7yùäD“ʪާ…W¶^ðëÒrã­ê©Ÿ¥ct¸ô1ì¹)Ò¦�G
-o™à@BäKó׃ºJÛyë8vp€6[£]%æaU_�ªy>ªÚ×dný7n&u«�þ}²ºqêÛåü×øÆißeÎoÆ*ð\\îs¬°\_È\’×Á|Ê\Î÷»ìV¼œ9A£k�*c:6	¥E¢Þ]¯7ª¬Ú§ýËt¯lÉ€ábp¿]z«�jšîÒ4ù>/ÒÚ$×>h•‹]s
óÞa^Ð	óS·s­}2k8äƒöé¿­êA
¡Ë½¾µÁe¿í:k¿d@`ÉuZ‰v‡œ¹K+iS™®dHx~';5^Ó~\Vº�—±nQ%“x„š%’È[g¹0ÚüoõmÂS7œº`õ¥Ue“WåàŠÙÞÉR$­½Tm�O£Û›ÌÝq¿Ê>5V2�Fáå­i�ZKÝÑë£s]ŠfH×$‚…�ø�èø«šA ¾Ìb¨­¾k¿’äapŽÛ‡ùz}
-IÙ9�»´è
-núì‘WKÀ÷¶ó§¿4D<N•#¥|P%ŽÎn €
-ÌGBÿ�wendstream
+xÚåËrÛÈñ®¯àÁU�ªDd^
+™LÕ,IU1Í–›36{€µwgÜî™»MóᮟîÏþz-“Y¦±ˆg÷«
,2­ùì>ÿ¼ýÛåo÷Wwçs± ÏçQÌ‚Ÿnn¦™”š·n¯oÞýãîò<QÁý͇[š¾»º¾º»º}{u>çRE
+wçE»Ü•‹¾‘‘ºuA�æ©.vÔ­³�›\a›ô»vç\EÛìMgy4»lL›;È
µ»iI»²®ÈCÄ®�
+:‘¼0�÷iyÊÑ�ÉæÿVÜu$^«zDÎC&¿È¥—>Nl¤ýÞÌI®
Åæ'Äœ'àlÉzË`³o;Ú¹É:̪pÒÁ·¦.¦„Ý#
+OwƒEo	hYP42¥mi/ƒ�c‚š%àÏÆ
Ñm¥g!N§öc¢O;‚™ùLlp¢}±‡˜Ô
Ú|¿Ùï#~b�ø9Š™ÉŸPE?
+r²Ø%L1N‰dÔK¸L‡ÎXÈTì¼ù.{šŠ8JK_}
+ß&Û}
JعrcÍýãó¦j²¼Ÿ-]¶Ïœžê>Ë`…2j¶»rc#RH²ŠÝcáëðÌo²F!½Q€¾qN©èë)Ç‘Hõxò²p@ˆ&}Xé¤Ã
+æëpäI¨X‹>­‹©ç¸sÿ8bØ6
Z«ðeÞ:d0¬ö^d—¡ã“2|I¥£÷2`xfW¹ÏV�K`zÛí²º]
Ó¼]M¯:x¥]u[ö[°3¶Ñ«8y>ªs’P0åNcªW^èåí79óˆ}¯†ÐÇWÜ–º ª¤CØ·å`¬±55J—$eö˜]k6¯Å#ÌÉX^¬Av
+J7pE©¡®E§WX‹�q˜Ê.NÈ
+
+Ìîª|¨mÝZ«�©F¯ìô¨DÐ6ÔvëÌΔ®µO�æÑÆ›½èaühßâ`äÖ·MÛ–2¥F`\Pš C‘˵þVY«¬¿…vߺ•²¶?KQ®ì(µæw?}ÿÛ›q¸ÙÀ¶o@³â8¦À:ÖG¤Ží�F`�1)Îe4eCZ˜p
gM§'lKqþªÄÄL=“
 endobj
-1168 0 obj <<
+1458 0 obj <<
 /Type /Page
-/Contents 1169 0 R
-/Resources 1167 0 R
+/Contents 1459 0 R
+/Resources 1457 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1133 0 R
+/Parent 1448 0 R
 >> endobj
-1170 0 obj <<
-/D [1168 0 R /XYZ 85.0394 794.5015 null]
+1460 0 obj <<
+/D [1458 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1167 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R >>
+518 0 obj <<
+/D [1458 0 R /XYZ 85.0394 420.8405 null]
+>> endobj
+1286 0 obj <<
+/D [1458 0 R /XYZ 85.0394 396.5009 null]
+>> endobj
+1457 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F14 681 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1173 0 obj <<
+1463 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0
 endobj
-1172 0 obj <<
+1462 0 obj <<
 /Type /Page
-/Contents 1173 0 R
-/Resources 1171 0 R
+/Contents 1463 0 R
+/Resources 1461 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1133 0 R
+/Parent 1448 0 R
 >> endobj
-1174 0 obj <<
-/D [1172 0 R /XYZ 56.6929 794.5015 null]
+1464 0 obj <<
+/D [1462 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1171 0 obj <<
+1461 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1177 0 obj <<
-/Length 1550      
+1467 0 obj <<
+/Length 1368      
 /Filter /FlateDecode
 >>
 stream
-xÚ•ÛnÛ6ôÝ_!äÉ*Z¤îí0 MÛ-]1lMúÔöA–i[ˆ,ºº$͆ýûÎá!eÙR/Aè�<<÷Íþ¸“„ÌóÓÀ‰Ó€…�|?óœ-œý6ã'}¾‹‰S7ô&"vÜ!‘—·³å›@8ÂcQ$BçvÓóŠâ�…©pn×çW»ìÐÊzáŠÐ›Ç‹Ï·oéVÀâ$æxË)ã¾ë/¯ÿ|EØ)}ndÞÕEûH«+U5ÅZÖY[
-�¡ Ï>y¡wyõ®�/†[Ñ<Ó¸’γõš–D,˜ï³6ßÑYy$Óî²–ÎUG[yVÐHsÔÍjM@UäwU¶7¬6ª&¼M×vCºÆ
+xÚ•]oÛ6ð=¿ÂÈ“Ä)ês}jÓvëPCã>­{ eÚ*‰šD%͆þ÷ñx¤,Ǫ·À0t<ïŽ÷M¶ æÇYL(Ï£EšG$¦,^õ]ìÍÞÏWÌÑD1'qĹYÌì®bž‘8ÓÅjÊäÍúêö}È!%IÆ‹õn”•¤)ÉÒ8_¬·wÑjÙ-WaLƒtùçúW<‘4K£FDB²(Ïì�7~{‹Ô9~îe1t¥~ÂÕ�júr+;¡K�üXDx”„Ž_‘Œå¨@JØrÅ(¥Áë¢�}?²Ñ�ªpñ±ìµgÅ9É“0qœ8%!��Óñ|Œç—,�Gäxؽ/4¦¯ï>öæËn
+Ñ ÐK·5´Žg³E )‹¯�¨�¨�ê�n7èaªÃÐ; lFž\œ1’Çqh/.ªJ=®¥ËÝÓŒ™Œ÷¢(MÍ) ¾™á‘<cÜ ·¿ÙÍ2‹�#Cö2f„Hob†aÊÏXòn*Q|=¨JΰŠLX…ì…Õ�hú�É€s~&LY–U³Á(uA€ÖÄ	£Inœ‘‘<7‚�ìs_6{Cš˜€6A†�å`Œh…߃x�}¡4ll2&,(Ô’Ó(68õ€»4x<¸Ós Ç?Êpt.ÖÔËN§‘½IƒÇRÔ ›jЦ€îp¹g†a<ò5P¡Ðv�+
+ôU”N|æ$LŒ/ÐW{¥¶îÌVŠ¹Pa$ËSÆà	 ¶Y
+ýM#
 endobj
-1176 0 obj <<
+1466 0 obj <<
 /Type /Page
-/Contents 1177 0 R
-/Resources 1175 0 R
+/Contents 1467 0 R
+/Resources 1465 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1183 0 R
-/Annots [ 1181 0 R 1182 0 R ]
+/Parent 1448 0 R
 >> endobj
-1181 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [513.6761 73.4705 539.579 85.5301]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos)>>
->> endobj
-1182 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 62.7606 448.7754 72.9224]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos)>>
+1468 0 obj <<
+/D [1466 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1178 0 obj <<
-/D [1176 0 R /XYZ 85.0394 794.5015 null]
+522 0 obj <<
+/D [1466 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-510 0 obj <<
-/D [1176 0 R /XYZ 85.0394 769.5949 null]
+1469 0 obj <<
+/D [1466 0 R /XYZ 85.0394 574.5824 null]
 >> endobj
-1179 0 obj <<
-/D [1176 0 R /XYZ 85.0394 570.0146 null]
+526 0 obj <<
+/D [1466 0 R /XYZ 85.0394 574.5824 null]
 >> endobj
-514 0 obj <<
-/D [1176 0 R /XYZ 85.0394 570.0146 null]
+1470 0 obj <<
+/D [1466 0 R /XYZ 85.0394 544.7049 null]
 >> endobj
-1180 0 obj <<
-/D [1176 0 R /XYZ 85.0394 536.782 null]
->> endobj
-1175 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F11 1157 0 R >>
+1465 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1186 0 obj <<
-/Length 3204      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZKsã6¾ûWè¶t•EøÚÛ$ãIœÃÌd¬ÙÝT’DÁw(RáÊòë·Ý H‰.§jgÍÐèÇ×-‹E
-D´È÷7Ábs?ÜæY:¦å˜ë»ÕÍý‡8\d~‡ñbõ<’•úAšŠÅjó«—ø¡ûûê§ûY0â
?
-%ˆGžïüòéÓŠ¸&Uê+‘†Ìöîãû9I±J¡˜çéaõõñýœ(
lsýDÁ‡O_n—ax_?>þ‡FO_n£Èû××'à·ð�‚ͽû¼z`ÞÄ¿mÞw�°KÉܧßýò¸ú…Þ¾ÿôñéñý×w·‰òV�ð†;ºyX
:ë]úÇͯ¿‹
¨ÿ§›À—Y-Žðø"ËÂÅþFEÒ�””ŽRÞ<Ýü<ÍÚOgïQ PËõEªp!”/LŽo2Êü0MBw“·K�—î診ÚР5]_ðõû\7—úmMóbšÖêÖÞ�’£
-Ë0õã$“v¹O|”Fîó4vŸßÁ[¦¼¢#jÑß¡nÛb]¢v5Q›ÛÔë+¢ñ¥
µ`Ùš¶Åc{‰ŸÎæ਷"õà¸f3³gûQ–8fS½Ä^íMÕѨ‹¾-ª-olgXÎØ:Eû©‚Œ_¾¢+™úadÌþÜWyWÔ•e¶‹®OøÑb)³ÌWA¨K!ü,Šè&ۃɋç“Ý“”Òî	¡÷[*VI2Z-	ü4Lb^mÙÍlˆÄç_(ÇŠ®¸1ôš(õV;¼,\(×ÍïLy Q±?�î^ÚSÛ™=ñ·&;ÑÌšŸ‡Rç|ˆ�o×JbÙú|¨Ìt]ÿ‰Ã;ÒLú	Ê)†‚ÕqWä;²ÕcQ–4*‹}ÁÆn…ƒ�Þë­×�Šgö‰±¹óTKϼvÇÜ­ÙØЈ–F—É0¥8WÕ°~¨¯oÍs�;QÂ{6ºëí׆&­ÃíK
¾$\Yx-(ŸÞëgâ`'
-cϢ
-sÄØ<§bÀ1Iš‰¿bÈìQââfÁëÆ	0Êž#²[›R~‚°4„=àd
-`Ë/¸)¼œç+
-Eé¢%@ûø"í4…-Üa‚i|Ý覰—"d±‘gÈÂS´Û#Qœ' .ÊRïÇúˆÞ�%+ª6M ŠLµ!8üñ�
-{§Ú&`Ä~G…ÝP÷úDܬÇÔ‚Ë	2.­rÂ<æSmÛK/˜–&�B„K¸÷órÿ—iê9„ ý$Z	s!F!*ScQ
ø
-´ËAˆ‘ê-ar,¬¬·s¾‰)0HÎÀÅÕÔ3¸XÜc™¦Ë	tÅ~ÎMS‰nêìÏ
°)é‹$N¯��+õ¿NÑìU¥ÿ�KÏ·
Â禨›±…SÀÍõŵKe�©0þ;.•9Ç£ÅF‰ø‹Ö›—Ÿ@1†ç€ÖC	8“œá¢âÀѾJ%aa‚;R¾ÓÕÖ8º� –ñÑ´-WL¶eÄ}½)�)×ÝP§ámÐ`¦&U4õ«H½Z`@îUÙ
-ôðeˆ¶kŠ¼s•
N˜SMê¦k§½Œ‘×_w3H0ŠÜʸl$BP�Æ2åÈ"9®¼?�~‹œ;„‡�îx™'×éy³AøŽ]J
-Éžëd‰ÐÛ8ùHíY>ŽŸuΖŽoí®îË
�×ü)é©dÛýÁÓ-
-aôŠ]�J/´YL5kâ8A�¶Ô/Ì:D®ðœf°

-`èÌ3õvd`ͧµuyÂ
G·¸1¾… Ï$
-¢ÚÜG‚ýí›9Ñ _ÇÞ�’¶¹â|�¡¢ååÏX3¶eغ\b”fn	RŽ1-ÿð®ƒ5/ö'„pEØ`“£f@¶Êü –®ÿBjZê²ÈOóc”ÈøR[Öx°6C»xãZü
-endobj
-1185 0 obj <<
+1473 0 obj <<
+/Length 3343      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Zm�ÛFþ¾¿ÂßN¬eÍ‹ÞŠÃ
ÛfÓnï�ô/dKkë"KŽ$¯ëþú#‡œ±dk›
+Î1äHÿ/Ý�ôÓ$I¦o`î$~aƒpK¾/Ž7o®5…¤W'|q©ŽëzÕÑ¥^KÃeÿA ÅLh_i°
`�+0Ø|‚{òµBë ·s�·Þ¶MÓ“­guNƒ®èeÎòÔ`å
+‘xÁ,FŽÝìQ1‡aâ-·xY¸Ð:«i~[T{•»=�ÝKA„îÔõÅŽø»b}hËþD3+~î«lÍ›�|»FËÎΛêÀüVÍï8¼£“I¤æìÁPn9nËõ–ÌôXV�ªrW²›ƒÂAží²�75�Êg¶ukéh¯<ÕÑsÝØmîÊ®ÈM&Cˇd’Ä9Ð}ÝÀBø¡¼CW<P-¼ç"ëæë‚&�Ãév áÊÂëàðé½y&v •´Ý²UY™36Ô†žÎ�†ËäY±³‚3“ñû¡Þ·åKYò³»�ñÁ†øLо'¬MB
+k J¤æŽñiÜ
žÅïÙn_ñ$Øâ΄e|©ÊšÉxó†Òd<Ç®bK–“MíKAÂHµúŠ}¥ajï—=ónB $•@VÞâ%ku¶›ŒÃp¹2‰-ë:~ä¹½Ù±-_¯H&Lû¹[òš”
+PÑ’îhhœç±!N9íK›Õi
+ÞkP?Vÿz2âà‰]:á‹FÁŠÅ•Õ+·Ê0¹Ì$×M¥¾w}Ö³¾f•ºi-¼ƒ)Ø¥{ˆ–
+h—!&„£ô—„©¡°ªÙLù&¦À >[+OàbMp�eýšÐA_î¦Ü4Qè¦vÃþ 
+ñ­7-?†bBÊs@;@	8‘œá¢¢ÀÑCïJ%a`‚ÝÒz›Õ›ÂÒM5tˆ�E×qÅdZ!@Ü5y‰Lë¬wuÞfg«~8A	¦¦ôe¦hÿ´ÀHàRµCUÍqêv”ôS©«ýp]fãºóIwûg4km
+3X|È<J©±g«[	I
}*&@�O¨óò1Šrà;ÒK[t=+µîæÜ›<££wÓ„B	[nüU
½•¡Gh !XlDb™Ï�¨QW9J
n@@ë_³ô4 ƒœ|økÞ9t)A�͹ԨUmùd
+@µuqÖÑpw
±Ø‰ñ]àŠ¶$�Áý"póQÅÎrg´8~zƒ§beý‰ðAâÔ*²®4…ŒŸ©´1‹ùûªkøěީšYÏ#åcºÅ±Ò/cΗڰ	™Â«7£RåKé ánfîØ'jsXÆ4’LÇ„^HYŒOÆÊq‚]•½0«ûa
+hDÙ† Ó|ßTåú4ÝÂc÷×+î´Œ#ð`u®øò×K­ÐÇ?'™ø“ƒÀÕ4ù¯VÎ8OhK9¬œ†5zâë„°R¸³D_inÿ¼åZõÿŸJ�endstream
+endobj
+1472 0 obj <<
 /Type /Page
-/Contents 1186 0 R
-/Resources 1184 0 R
+/Contents 1473 0 R
+/Resources 1471 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1183 0 R
+/Parent 1448 0 R
+/Annots [ 1478 0 R ]
 >> endobj
-1187 0 obj <<
-/D [1185 0 R /XYZ 56.6929 794.5015 null]
+1478 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[0 1 1]
+/Rect [63.4454 757.0719 452.088 767.2337]
+/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos)>>
 >> endobj
-518 0 obj <<
-/D [1185 0 R /XYZ 56.6929 769.5949 null]
+1474 0 obj <<
+/D [1472 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1191 0 obj <<
-/D [1185 0 R /XYZ 56.6929 747.0488 null]
+530 0 obj <<
+/D [1472 0 R /XYZ 56.6929 739.5018 null]
 >> endobj
-522 0 obj <<
-/D [1185 0 R /XYZ 56.6929 613.0366 null]
+1479 0 obj <<
+/D [1472 0 R /XYZ 56.6929 704.7645 null]
 >> endobj
-1192 0 obj <<
-/D [1185 0 R /XYZ 56.6929 586.6546 null]
+534 0 obj <<
+/D [1472 0 R /XYZ 56.6929 563.5308 null]
 >> endobj
-526 0 obj <<
-/D [1185 0 R /XYZ 56.6929 473.2336 null]
+1480 0 obj <<
+/D [1472 0 R /XYZ 56.6929 535.7626 null]
 >> endobj
-1193 0 obj <<
-/D [1185 0 R /XYZ 56.6929 445.9291 null]
+538 0 obj <<
+/D [1472 0 R /XYZ 56.6929 418.2412 null]
 >> endobj
-530 0 obj <<
-/D [1185 0 R /XYZ 56.6929 376.148 null]
+1481 0 obj <<
+/D [1472 0 R /XYZ 56.6929 389.5504 null]
 >> endobj
-969 0 obj <<
-/D [1185 0 R /XYZ 56.6929 340.4845 null]
+542 0 obj <<
+/D [1472 0 R /XYZ 56.6929 228.1296 null]
 >> endobj
-1184 0 obj <<
-/Font << /F62 634 0 R /F90 1190 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F77 703 0 R /F58 627 0 R >>
+1229 0 obj <<
+/D [1472 0 R /XYZ 56.6929 194.8993 null]
+>> endobj
+1471 0 obj <<
+/Font << /F37 743 0 R /F67 1477 0 R /F11 1293 0 R /F39 858 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R /F53 957 0 R /F48 880 0 R /F62 990 0 R /F63 993 0 R >>
+/XObject << /Im2 979 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1196 0 obj <<
-/Length 1975      
+1484 0 obj <<
+/Length 533       
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Û’«Æñý|…ÞÌVY,'ÇÞÛ—].Ÿ­J99y@0’È#Ã eýõéžî
$qâTe÷AMߧoÓ 6
ü‹M&ý ÊãMšÇ¾„Ü”í»`s
-À„ôÓ<ȬÀ˃Âëõ¸kÔpÔÚÔÝa±ÅIÈbIä§I@v2_<lEÞ“n[Ý‘ÁŸz
jÚaV ü\J§ çS‘9“ŠgóÙƒ”Þ@J:m¸èþ¼ù=õ…€²`kÏôó1ÂÃØ+zÒ£“>Wj/½î_²gÑ&÷ó$LØ1O‹˜rMQ,¼�AƒnFSã!ñÉè	{Æ`Ù‡ºfáMSÌœEWPꎽ\PëaÕààkݦxe/NýƒÈ<uV�
Ù3c[U#QXr÷†GÃÃL1‡ÃÊØ„nÃ4õÆþ&^£‡	‰~5¨);µ×¤õ¾û 9( ,w'“²ƒú\WÌV~Ðä`Éh½'ü±î›³ñA\Ý�Ý–cƒÉ#e€�º> °UQ~1t‹r°§X)	† œ®,¬û6ðH.-Ëm©÷ߌ:²f>;Ö¼ÿ‰¦‰?L"Wó¡«ø®ìUNÔw†¡ƒ»Ã„žL}P}]4ÿ8¶;èñõRΠÇòÈÚû»î°^¢ꀤ£Hx�•ˆP¸@!å_£­x@3ÏÌ¿�»Ï˜£*K
ê^aÅH踯ˆ¥Ñ†80õˆ8)}jX
-*“�`¢%”-~ôiéÃZUsu„Î6÷È ¨²B«ÉèäçfP(#4çám-†!GX~„úþ~øáýûŸö‰ôáÙ›+qwÄ‹³"ìN©Žp&e’l
jí4S>Â$@Gø%üž€R·§FK]t¶•W+
+xÚ¥TM�›0½ó+|©¸6Æ`³IÚ²RÓ4a«ÕxT‚Ó@6Úýõµ3·¶ôTEóÆoÞ|x€"b~	Ž	“1JeŒ9¡•[� µ9ûêQÇ	Ϥð–u—{Ÿ¿°I,“(AùË�–ÀDŠòêÉÍóé"#Nü!Oˆ—Í&à‘ðXNÇ‹,4þ1[f“éb¤±Ÿga,ˆ0ñÌ)Lg£ïÙøó	P§Ôžó{oš_¹m–f»øí==T™žï=‚™
 ˜J¡­s†yÌØÙÓxKïçEðæô:4<Îæ"J¦±¡éq‰fŽìô–z«lO‰ßÕ½êÀ,7ZwÎÝkûäþ/¥và)šŒê­-¶uið[xØUE¯*8˜ØyžE_€U· ã`wXUz[€×H¶.²R�Z!—{Sô7üÐŽÛôRŠ%çÑ©
'ÂTÊä)…��Ú{�2è]·ÊÜ,#‰Ÿoê˜Çâ- ”úŸŒ‰I§Àßë]بWÕ\cÁ*uÛ›|u»vx_÷v
 endobj
-1195 0 obj <<
+1483 0 obj <<
 /Type /Page
-/Contents 1196 0 R
-/Resources 1194 0 R
+/Contents 1484 0 R
+/Resources 1482 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1183 0 R
-/Annots [ 1203 0 R 1204 0 R ]
+/Parent 1486 0 R
 >> endobj
-1203 0 obj <<
+1485 0 obj <<
+/D [1483 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1482 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1489 0 obj <<
+/Length 69        
+/Filter /FlateDecode
+>>
+stream
+xÚ3T0
+endobj
+1488 0 obj <<
+/Type /Page
+/Contents 1489 0 R
+/Resources 1487 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1486 0 R
+>> endobj
+1490 0 obj <<
+/D [1488 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1487 0 obj <<
+/ProcSet [ /PDF ]
+>> endobj
+1493 0 obj <<
+/Length 1978      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ÛŽë¶ñý|…ßâb­(êšM“=M²
9iOh™k«+‰ŽDÙu¾¾3œ¡$Û:M�î>x4wÎ�#‰Uÿb•'A(‹x•q�„"Y•Í»pµÚ·ïóĉ’XJxX n™Ie«Í\É×/￉Ä*
+ƒ4�’ÕËëh+Íò �q±zÙýcýtPG«»‡M”„ëüáŸ/%±8ÈòL X&’ +ÂÜ	¼<!Ö�¶µîÆتÝ�b"dœF,–Ê KC²“âa#Â0\?™¦1-ü©3 ¦é'"(’Ä+�à|&r¯`Tñl?{H’uOJZc	8›î
¼ù=Ì™€R±µgúù†Ñ~è4=™ÁKÔ•ÚsgÚý—ì™\A‘F);á)bS@ IÆb½Õ½%¨7õ`+<$>Y3bO,÷PµÀ,Öª®ÕÄ©Ú
¥iÙ˵êûA÷¾ÖmÕ{qìD¾Ö'ÝZ�=1¶ÑªˆÂ’Û
3ÆÓk뺉²l=ñ7]×f¿‘èW�J�²Õ¯†´À÷
+
+U[”Ár
Ö:i¸¸?\ ßÜÒ“i{ÓÙjhèëéùÃW  ¸áЯ4ÐAZúLÛ)@lWšht�c•� ”(z@ÅŽ­J–R{
+¦ÛÙغª�óëçß/E˜Öÿ0]¿ÿîé'„=Ž}Xi¿ÁÙqÔ°à×=Án[^ÞjwX$Œ~âô¸áÃIUµÚâšà1Þ¶VåafƒTWmY;Ý/èÅS-\âÔ;q´†h# ý»ïTÓcåÅÐÕ¾­pO.©J�}Wõ¥(fðèFÈ$¼JO¡¸`;(B˜â¬“ñÒeÈtìÒ€¥ßôÎk«à䦫ì…dV±aO·¼/·</SLÕvó:´;§5ƒULã��FàþÞÛ,&Q¦9T+‰ÃÌ«pF¢ßÐø'À_U$ò‘¦Þ‚aJ"۟ʹæG¨£*ßÔž9*ÈëÂqf©‰/b~êü›>¼R
+zr‘B€_sTm©+}Í#ʭ訉JÓ¸w
+endobj
+1492 0 obj <<
+/Type /Page
+/Contents 1493 0 R
+/Resources 1491 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1486 0 R
+/Annots [ 1500 0 R 1501 0 R ]
+>> endobj
+1500 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [348.3486 128.9523 463.9152 141.0119]
 /Subtype/Link/A<</Type/Action/S/URI/URI(mailto:info@isc.org)>>
 >> endobj
-1204 0 obj <<
+1501 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [147.3629 116.9971 364.5484 129.0567]
 /Subtype/Link/A<</Type/Action/S/URI/URI(http://www.isc.org/services/support/)>>
 >> endobj
-1197 0 obj <<
-/D [1195 0 R /XYZ 85.0394 794.5015 null]
+1494 0 obj <<
+/D [1492 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-534 0 obj <<
-/D [1195 0 R /XYZ 85.0394 769.5949 null]
+546 0 obj <<
+/D [1492 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1198 0 obj <<
-/D [1195 0 R /XYZ 85.0394 576.7004 null]
+1495 0 obj <<
+/D [1492 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
-538 0 obj <<
-/D [1195 0 R /XYZ 85.0394 576.7004 null]
+550 0 obj <<
+/D [1492 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
-1199 0 obj <<
-/D [1195 0 R /XYZ 85.0394 548.3785 null]
+1496 0 obj <<
+/D [1492 0 R /XYZ 85.0394 548.3785 null]
 >> endobj
-542 0 obj <<
-/D [1195 0 R /XYZ 85.0394 548.3785 null]
+554 0 obj <<
+/D [1492 0 R /XYZ 85.0394 548.3785 null]
 >> endobj
-1200 0 obj <<
-/D [1195 0 R /XYZ 85.0394 518.5228 null]
+1497 0 obj <<
+/D [1492 0 R /XYZ 85.0394 518.5228 null]
 >> endobj
-546 0 obj <<
-/D [1195 0 R /XYZ 85.0394 460.6968 null]
+558 0 obj <<
+/D [1492 0 R /XYZ 85.0394 460.6968 null]
 >> endobj
-1201 0 obj <<
-/D [1195 0 R /XYZ 85.0394 425.0333 null]
+1498 0 obj <<
+/D [1492 0 R /XYZ 85.0394 425.0333 null]
 >> endobj
-550 0 obj <<
-/D [1195 0 R /XYZ 85.0394 260.2468 null]
+562 0 obj <<
+/D [1492 0 R /XYZ 85.0394 260.2468 null]
 >> endobj
-1202 0 obj <<
-/D [1195 0 R /XYZ 85.0394 224.698 null]
+1499 0 obj <<
+/D [1492 0 R /XYZ 85.0394 224.698 null]
 >> endobj
-1194 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F11 1157 0 R /F57 624 0 R >>
+1491 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F11 1293 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1207 0 obj <<
+1504 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0
 endobj
-1206 0 obj <<
+1503 0 obj <<
 /Type /Page
-/Contents 1207 0 R
-/Resources 1205 0 R
+/Contents 1504 0 R
+/Resources 1502 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1183 0 R
+/Parent 1486 0 R
 >> endobj
-1208 0 obj <<
-/D [1206 0 R /XYZ 56.6929 794.5015 null]
+1505 0 obj <<
+/D [1503 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1205 0 obj <<
+1502 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1211 0 obj <<
-/Length 2583      
-/Filter /FlateDecode
->>
-stream
-xÚ}YÝsÛ8ï_‘·*3kWŸ–to‰Ó�´›\&Nogîöh‰±y‘DU”âzÿúPV¼Ú�NÇ$>H
-ñ¶—�'wªiT³#Šµfª~£k¡ß‹š©›£éeÍ*E1tn ÑÞ(óœ|�g¼ÑAõçvµÃ¶R…è•nÆ­áŒx*ò+yòñÓ�{yèÿB#öT욶ÅYÄŽÙ‘×ÈQŒ³ˆaˆXJStjkmºµÈ`sD#¢Dh
«dYH$ŽR¢åå"
-}ï“5E×ã*1[£I(©µ?±¾9iHñ{|¸ÌC晴=dNC¼ß'-\màÔ–„KÓo)Žï
Nï¶éeK€r@ì­,lÜp,XCšÞž'è7ü•?[Ù)Ìp
-ŸÝf¥|••nm¢Ø%È°Äzyæ4�¨Aöƒ(K2ÜʱÀ÷L±—6‘`l�¿‚~:Ѫ²:ÒGƒú-€
û¬i¢"
8æAw/,ݼ*ŠAƒg€°„ùÊ»·9
-.Ü52>õJ]'$¨‰¬ÈêVÃA%ïVSèõ«ÅSo+l1ãw{›rwÏ`€"×ÃÌ“¸&NR¾Y@ü(Gà„†ñÆçtãÍb­›B¶vk ‘[`ðIªR½’Õx…‘;]>±ÌpºüŒé´ÙmÝVr’…QÈ[â`ÓÊÂú—€ƒ�cPa–MöFÝ][áÀôÀV½4DZ·óa¯Š=¯RUs)3µzc¸a?!”ïmUAbºEòåÊÏ©0=f¥£;ÓÓäºó…ÃㆀFFv¯pô4ö,¸ä^
f¦¥ÖÝ_%\\ `
-¬k”x϶Þ60¯G³@¡P‹9ëeSXKâtL¯ú¡ç "*߬·›[ÂX”¡¬‡Áæñ–ćÁðÀ³ˆõžâ~Ä,»ôÔ ¬%ª�6‚å÷·kÜhIWô3f'ÀLbZèŽ묟4r.Æë%|€~-»YÉ#Í\	¡}9`ˆl/‘øØ–��Ò
-H��ä¥m–!yÌ2œ­y$ží9#€õ-o+æâ°#ìZ8­Pœáw׉r ˆôC¸ÁCÉÐ<›,ðKɃ7É2.NÒã­âÉ8šÒFĸyâϧªÿfÇ
)ÜÈgÙ˜ùj_¾
-È1î𥑈6Hy •ÿ'‹ž3窄Š
-�ãéVQŽÜ¸Æ�²d]þu
-i~„„DœCÐÓí†VJc‚£„¶'JŠÍTœBB5Gbj,@Äo¥nmú
-Ý@ýÜTÝrný@„M
-7Ûì!`•CÇ=ÜØl¢ЭÿöG¤�”ŸÅ7PƒÇfƒ°œ
äuBÁ2Q‚‰ß�%!vy›ZëžXkÑU‹;ÕCŸ^U¬y§^$qï†ÁVúªj"^WZó�º-U6Å’¯ÿœµ
-³¿¼
Xdƒ¸Hâ´„*7l�ü1€?*~6ïa›ÊÁç–‰´#Ž¾q®Wæì-ýÏ%$0˜.Yrïõ„š0‹—9ß<ZÎRð¡o«HÂŒ·—¶O·22ŸÞ„üíMÈÏoBná°ÑÇ­[ñã4¶;“·“U¸sH
-Núçˆ`›·ðnøA'»¾/„«¼ÿV¤Ö
-¿Ùø7Ä
“|ÎV¨Í¬w£™û«<¨yp\ï;üŒÕ:þÍ­zÞ;Yýrvë,(š¿¹kQ–º»†“Ì^¬�†”0 `àYfôø©	y¶yÌ&)Mä�XÓ!+�„Mi¹ìÿ³è˜ÓÙ$§�ÚM¡ZQÑÔ5-óÏ…Šö.àÐÖµËü¿@Ï	¸ÀlRm²Øž?"†n¸r—4ß‹WIB[ißo@ãŠ!Y„ƒ7½j‰N•§fg›·m(ÀÛ1~ˆC¯ù>Þ‹ ˜š¡è鉼•¶háÐ}ÃP¥�HÚÈáCi³¶.G”§øbÈV
$/“½½�Ž6gž¶Å(…ë«·´ô|çâ4&¤{ÒúÓtÀé9nO>ÌNÞæã�Ê¡@˜]�š(¹�©<ýÂëªÊ;ãÏ<½¼F�çéß%P�õ	Qì:@`)C¿Ü•¯Õ€·[Û�
-endobj
-1210 0 obj <<
+1508 0 obj <<
+/Length 2638      
+/Filter /FlateDecode
+>>
+stream
+xÚ}YÝsÛ8ï_‘·*3kW%Kº·ÄéGÚM6§·3w{´Äؼ諢×û×@€²âÕít:&
‚ññ¨>ü.Òxé‹,ºH²hûA|‘Wïü‹ð>¿xM‹e	
“î"é2NÃäb1Ýäúé݇OapúËÕ*Œ/žžÇ³VIºãhÅ¿½«¶Uu¡^.ÂØ÷®.ÿóô•ä¢e’&
ÊùpÆjÁ6S‰\™qq-E„l»x-#±´x\.߇­ó—º9”ªØUªî'²Á2‹c'+P7r¢'aRïºÓꙆ_´é›îH“†‰ý^Ñàæ~CY,z{ÃgŠ‹l™­ÂÆËL¶FÙï›a·‘ñv0ø##8#H½?|?̵,‘B¼íeà©�®k]ïˆbµ™Šß4•Ô5�ïeÅÔÍÑôªb‘<ºP¨¯H=·>ÈR>è ûs½Úa[ê\öº©Ç£áŽx«Ñ¬p«ÇOk4Bäe¡ÿ�ØR‘—7t,Îrd¯V¢§-Ò±P&ïôÖêt«3�AgA#¢Ô€EÒ4${)by¹¡ï}²ª4Õ¸KÄÚ4$”Äê[gnzõøp™…ÞU­zˆœ,ž½NZº*˜ÚÀ­-	·¦ßBßœÄÞmÝ«¶
+õªÊ¦µ�b· Åbkå7·	ìmjYÁÚ²(Hqc(Æß3ù^Ù@‚±52üJúéd«‹òHP
bh·
+F`4�†dƒ\#å¯hò�Є6DÖ5DuÛÀEŸV‘ë›W5.O¼­4pÄÌ
l6e.Ï`€"ÓÃÔS%˜&ŠÎ, ¾ˆÀÄlƒÐ0f|Foë¦ÎUk�™Ÿd®KÝkePŒw¹ÓícË§ÛÏ„v[µ¥šD¡ùHlZ•[ûp’!ct*ÌÒ©ÃÞˆ»TÀ±5L|iÅC¤¡u'ö:ßó.e9gð®õÅ
cø	¡|o;èÓm’.W~J›<f%£;ÓÓääºã…Ý㚀FFu¯põ$ò,¸d^j¦%ÖÜ_$®s.`
+¬õæñ3ç,
+;(“¶ðÕuóçÑž<N°Û+Yá�øö™a!±½C94Wz쇸^Ш©ÝbW'šçþ0)F‰ËWÂű(M­Þ‚ÿ£,Û=
ײj·ª,Y©oêõ¼�sIêR¶VÉÀ&
¾jôN÷¤¨ï}ü1èK%-YsÇ3†µ‚RÚ#.Q(	’ùÔT§7FŸg�Ð[¦nKt X\DRHó#$ âLŒM²ZI(�1Žb:ž(	6SQ
U‰Ù`
"~«šÖ†�eiX*oj¨ŸÛ�ª[Æ­,a�ÂÍ6[XÅÐq76›¨tëÿ€ói äç\ñ
Äà±Y#,§
+X`àYfšñSòló˜NBšÈ±¦CT‡.’P¸èÿëÒ1¦ÓIL¤ë\·²¤©kZæŸ=í\À¡=¬*ù3Ý_Ø�'à‚³SµÁÞ_а©¹r4ßËWÔ×ÇO;6q�ÆCñÂ`L{5œ[{ù®õ÷ãi³³±WÃ	<ûs¹	.èõ€zìb|øëÞ…¿T
+^Pè-ŠF®Ü{#xóÂð¡¡šö&È_[?ã!V2æï‡È2CØÆ’[e«"ÒÝG]Ø«>¿+à°Íú½™MK
+'Œ
%ô
+A>Äú¼��~5gŽÅÚ
+x&4ÐflI澺�4¦ Wp`4	9œžÕgœÞÿ0ás‹!G(_�˜Й¹Ì˜<ÓoÊ®ŽùoÙ)°àé�äòdYòwõPˆ³ÎDD®ç–6ôË}0ðÚ~k;  ÛÏ”4´è.ܧZ 8WìuKú
8¯³Å&ù©®‘\W~¶å\‚jgtÃ�k–¡Û$œ…¨2oÍW•â׉q&+4„Ø
+endobj
+1507 0 obj <<
 /Type /Page
-/Contents 1211 0 R
-/Resources 1209 0 R
+/Contents 1508 0 R
+/Resources 1506 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1183 0 R
+/Parent 1486 0 R
 >> endobj
-1212 0 obj <<
-/D [1210 0 R /XYZ 85.0394 794.5015 null]
+1509 0 obj <<
+/D [1507 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-554 0 obj <<
-/D [1210 0 R /XYZ 85.0394 769.5949 null]
+566 0 obj <<
+/D [1507 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1213 0 obj <<
-/D [1210 0 R /XYZ 85.0394 573.5449 null]
+1510 0 obj <<
+/D [1507 0 R /XYZ 85.0394 575.5478 null]
 >> endobj
-558 0 obj <<
-/D [1210 0 R /XYZ 85.0394 573.5449 null]
+570 0 obj <<
+/D [1507 0 R /XYZ 85.0394 575.5478 null]
 >> endobj
-1214 0 obj <<
-/D [1210 0 R /XYZ 85.0394 539.0037 null]
+1511 0 obj <<
+/D [1507 0 R /XYZ 85.0394 542.4777 null]
 >> endobj
-562 0 obj <<
-/D [1210 0 R /XYZ 85.0394 539.0037 null]
+574 0 obj <<
+/D [1507 0 R /XYZ 85.0394 542.4777 null]
 >> endobj
-1215 0 obj <<
-/D [1210 0 R /XYZ 85.0394 510.2426 null]
+1512 0 obj <<
+/D [1507 0 R /XYZ 85.0394 515.1876 null]
 >> endobj
-1209 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R >>
+1506 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1218 0 obj <<
-/Length 3135      
-/Filter /FlateDecode
->>
-stream
-xÚÍZëoã6ÿž¿ÂßÎ
ÖZ¾$‘é]�l^M»—æb½C[àd[‰…•%×’“øþú›á�z$v²½Mq»‹À|g~3ä‡âÿù Œ‚È3ˆ�
-BÆÃÁlyÀwÐwqÀݘ‘4êŽú09x‰�	L$¢Áä¶CKLk>˜Ì28
-løáòÃÇË/nŽ¯¿û×áH„lø+ÙñÕ)UÆ?]\œ�'g®zsv|zyu
Cøá(Ž__Ÿ]�^þ“ú�‘*kZOÎƇ¿M¾?8›4lwEãL"Ï¿üòÌAÂïX �Pa
7F–*”A¨¤ô-ùÁøà
ÁN¯�º*Î!
–çX)1à*�
-:»`…&:,q8âĺH‹t�ä$ëéÕØ�’ަ봘¥T½,nËõ2©³²@ái	˜0´K°ÁH² Š¹öÄîÈ_^ßGD#™Ï×iU¥UG%ðÏâN4eGÅ@R¨À(®,IGFÇ–Ì!×COJëaB
ÔÏ…M³šz²yZÔÙ!‡Õ˜H×n<ÈBc³¢N׷ɬ!TÌ©£JëŠJå­£ÔÙláŠi»¾h«å|3Kç~ê«)ŠŠÂ5è�p„zl†uI¿°N–guR§T¯fIžLsW»DVŠ´¦-¶©³âUšx8Y´Á€¤[©TóÕíÊ
-E+(ïâ{Dš	£Žf¤ŠÐlR ó?Ù,©ê*”<ˆe3îB
Ä´i†Ôâ„­ 8#k˜È=F´»�Mñab"R±V%ßìàR‹@j)ÜâÇÅv“Æ©“2’–I\­Ï$¶XÓÁÅ=?¨, |=¦ªo Á
-<ßÁ×a ¥ˆÝºßäõ^M b.ß‚C‚W± ŒyÜ·Á–o´"ΆߵF»õÁýÎÓj¶Î¦®†ölwy9õgˆ7ˆfÓ;k¢†j¶H—©[ãÜnDh]–ÝŲö´yçf¥®ëæü„
-BÆ*h6S)èð™xž’»;"z—Ônóü!N‰Ç‘kKš¾</h{ìò‘TAÌA½Ÿá
-BPC,LØwÿÛ,ÏGç€ÙË
Íc@ËýŒ>©Ö'GBqwüL×L#°$xE›VŽà
-ã!t½™æٌʓC#†åªÌË»­QüXK³·8çQ
-'¾n�é(Ðf�ÊD̃Ð(¨0pj:ú<��ÆY�>WÒh‡^¢¨;ñÛ½ößaóë…<œ‘‘Þ�¥Œ¡Æz
-®(
-ÇýÚ³‹š
-K°"¥z¬‚tŠÆz1k†QÙUúX¿‘™u˜úzÍ,Œ
7 W�‹ (Š°ëG÷:
v
½v¶¾^ì�Öòè„Ù‘¡€òòjrvs~ÛñÉY¢â²5À—"Ÿ½pµœ¼ZŸÇü¾››8€p¿„¨\òÏŒb
-Iz¼mkV òl¿P]RÕ‹Ø	L‘ÇMê»sÖØEŸœ5O¯kpÚ°¸�Ÿö"맪ÔVÙVÇ…çyž�9o’Üå{…4„yý|zÖ?ÿ¼ÛH\–4»O]‹ÃÃelÑø>ÃaV/ÜÉy}½{–Bõ¯<Ó4/t›-.}z·ó”õuR/ü}³^$nÝe2[dEZ>F·W
�6);‰^ÑW.ÖgÉ*™âûÉ–êv7íß� dO{‹‚–Nj ™>f”4ÚsE¥úUu„Æ`v0âf妩ïY¯³t¾ë1¨ÜÔ}•ÐcÊM1O`^õÎé "1º	y»1(sŸlû¹ë“<©ª¼Is[ã<-—‰§vC�Ií=éäòô•ôµ :Z`QÏ¡²ði*
,76Õ¥©›²)²ß7n¼•ÚÀPj
.âÃ]Š¶âŠÐ�±€p$â(“Ð0ÀÚN+ª6·ËX€RVíÒ‚�'bz=Á!+¢'ïØSöFÄö­q]5óÚ7¨N·µ5{ DÔ™· —ºùCûb'zï�(¥ä˜“Qçççgøk›Ò(žð™'¯±÷XØ
†¢Þ.ÇCAgЕ—)½§ÀfÈî
-«Ø5u“%CÁ®ïY2¶¥lÐX”›|N­NDìw“får•ƒ§M—`jé< g¯ãÞ!ԓʽ$za¤ÔÇuV×H+¸CP)èÛ¦y9ûTQ¹JW	V]عöÄ		5ÌÀ%ö�ŽQ¸€}yšÌívÂÿ!'X:‚öѦ¡v-jY¢
Ûõ£å�[ê¼y+}¢°ô1
HÒ£æ�¾÷žÞ=<Á‹ò£ùT	ø5G	cPºEÞn�nSÍ�ÄTŠÝÏòÝÝïŽTóôùÌpðÜéÌé“Ê
k,	†äÙ§4ßR‡ÝE•ZÔtá
-~ÏI‹ƒ�|ò¬p�÷YB…ó	>,s5Ä�
-nëÕÑû÷(w�UY�Î7ï³bdUó?®°ö—…Î5“É
-endobj
-1217 0 obj <<
+1515 0 obj <<
+/Length 2940      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ksÛ¸ñ»…¾Už‰` ÒétÆçØ©s�ãÚêcšËL)
+’8–H�HÙñýú.°
+à?‰ˆD	KF2	‰¨e›³`´„½�gÔÂLÐćúizvqËå(!IÄ¢ÑtááŠIÇt4�_FÎ
C0þxsóxõ—ó	ÁøÃýonooî¯opzwûåñóÕ¹ÇÓ»/÷ç“X&b|õðpsÿáîŸs¥�[½¾y:ÿ6ýtv3m8öoE®Ùýõìë·`4‡Ë}:Ob1z…I@h’°Ñæ,œˆ�s·²>{:ûkƒÐÛ5G¥DÂxÄÄÄ舆„‡°éËI$„Å’99�Oh
+µK×}9©…Ú©"SVNÅ¢ÜmÒ:/}y$AI"„!Œ&< 	�Z%P‹þîá%Bé|¾SU¥*œþˆà
+þÁ—ZœÜÓ. d‚ÐXHƒÒ¢‰¥AsNã±CÇãpŸ²x2ËkÜÉ窨ós
+Ô¦vî‚°yQ«Ý"ÍDÅ7*UW8*STŽ_Wy¶²CÕÒ7€fZÎ÷™š;:¸W¯”¾ª¾\#=¸J]&ãºÄ/ÐÉ×y�Ö
+çU–®ÓÙÚÎî4+…ªq†Äöu^,ÁPy"ÇÓUË
+9%’7pï´"1’AÍ Zì¥A+Z8.c8H�ŒÐ¦R¸[HÇ\SË�‡A«’÷\ÆŒð˜3Küªx;Æ$¸Ðc’GÜ0©©u™Ô+Æt4qÇ�Vƒhñu˜ªÞ¹ð|€=0lÂ9“–îçýº>*Æ„„’ò߃Co!©ìÚ`Ë·¶"ŒÿÜxë«ýÎU•íò™�i{6ƒåºœ¹â¢qzkM¸Pe+µQ–Æ­qDXÝ”>±¼�6ïì)e·o¯qÀE,IãL�
’„ú‘@öGq(+‹*wûÆü5Ü�² Gœ…Vþe=ïÃ…-RÑù> L0Ë€ùÊ<J“È°ÚÏÐáµt|•Rˆ”ÓØÌ`È£%‰ ƒÚ#�%üWä$'Lpw52	YH˜I§³75Æ“V~<îÉ6;ò3+y… ¸S¾
+ƒ¯J7>:sh‡+Æä
+¨MºRiQ!&“XŒÒ2+4Â�“�™€e–yÁ, ¢21+`îšqdžõÁÞM¥½©t¬Ç}ñÙÄï1—óÌhòè(š9�Ñ’ñl�ù‹²+öBï]¤³õ­wGÕL­K_ŒDЭGt Jë•Ú¹°œ]èMš­òBÇö�ˆ‰R²«˜gé6�éBDû™ˆlŒ”Mˆµb�-è‘É#]vqõ=ÇÒEȆ33ªqäa
/A�Œ0bOÍ”[Øír4‚}=ä{FPØc1¨徘§p®2µˆ•>lXîa„æ ¹³dXzMßp�Vø½^§UµF;�©©Æ>”›Ôa{lÂLt4¹¾ûð¨ÃÈ;‹ÇDš–Xèê¿pü0}2.”¨�Œ˜rjã€-£a,,òHY�p3¨�^Æž�©T­h!In½D¦^ F¶&ü[Y¸*­r°-`ð¸ýp¡(Ð	¸…vk
+œrý†‹KÓÎÔjŽ{é¾.u%‘µ�5¬•‘$θa”o¶k¨U¬¸uáEé8]×+�,Hm¿~Vôd[V•5ýÄf
+ø– ã$»êÈÎÕ"…"'­†4î~Î^¥»·s
+|@ÄE<¾²¨êóÌU(ݬS‹mòåÊë²|¶£üY]6MžW�DœÄœ»Š•
½œÏâKßä2
-4úÅåBÅô’Í8Hi“ÏPÕ–ô1´3ÕVeÆŠ2£‡
+ÁÊEmBj¢3¨Èx_¢må�¡
+•ë®q¹.7:BxoСT?zÓˆö§®a
+hìæe¶w£Ð‚uÔmúÝ?,Ûú¶.ÁNp¥ÚƒéjåDÎ\Qß‘K8
+ýdŒf{Ñç/ÔüDZìñ×{Þm yêã›æéOC™—˜˜kúÚÔÆôÚ¼*ŽCƒOý�Þ"&¯z¯CÅ~3s½‰{gi6Á\œãÌžNý¡t]ÙN&}Is÷êmƒïÚ*Õ¬cÁ=™M@‘~¬öŸ'ì(
+IR9b1të!?4#w`âŸ8´¢¼¦R¨[+Rõ‚”»åÅn‘$IÞçªg<
Ô!+Ab;f<’È0–þ+O?AO¨ˆ!Ü$¢›¨›ªcùV�(ŠPOÒçÕ±_Xh�Pñéß�|(üA„ünÔ@iÊ_ÁðhÀÃo}Ê”1"B!O“n i÷^õ$Lvi7Í#ì=ô�®˜`Lº"ä·uEFSÚÜâ¯y#ÚN¼•
‘Lºï€øäEþŽ\û\fÏéVA]XY¨{èQZ�¥‰}iTHÄ×�ɧâA�Pˆƒò"N(äiO!}ÚÃ
+ñiÿP!w�ΰ§–~Y7-)�Ô
N~G
…!a’ýHCÔ	
9(§¡Džò˜S”=õI+È'ýr€ÍþÛ{£‚&øš|zƒ6`3ä*�Ö©è*ãÚŠþ
j_èÖ—Ê®J‹½nÁ�Ü#2Ö&Œ…$‰CjÃrý°+¡s¥×c]ÌIÈNk­
9®2i<
+òÿq…§Øj«KrPU-É»"Ã,n|Ūì_¥«8§æ%c—Õ™²S–~ÐTH	�â°««ÏVW_Vuj—®ö˽ëÕàÎÑQïˆá »“RnaŽ‹ÙÂxrŽŽËùÑVÐ=ªƒ’ö¨^YY@ã”yµéõ©ØAl¶µ u·õôJ³VA×+ýÂPzaÀg$ÙÉ&Ä8ÿž«ÿU%à1úO¤4>öÿ…E«ÝPÇG¼ˆÉ˜„1 ±LéË&Á
çîO1Yÿ—ÌÉBendstream
+endobj
+1514 0 obj <<
 /Type /Page
-/Contents 1218 0 R
-/Resources 1216 0 R
+/Contents 1515 0 R
+/Resources 1513 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1183 0 R
-/Annots [ 1226 0 R 1227 0 R ]
+/Parent 1486 0 R
+/Annots [ 1519 0 R 1520 0 R ]
 >> endobj
-1226 0 obj <<
+1519 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
-/Rect [401.6435 61.5153 511.2325 73.5749]
+/Rect [253.7995 314.5359 417.685 326.5956]
 /Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
 >> endobj
-1227 0 obj <<
+1520 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
-/Rect [55.6967 30.8502 511.2325 44.7979]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
+/Rect [63.4454 279.5831 208.8999 289.7449]
+/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
 >> endobj
-1219 0 obj <<
-/D [1217 0 R /XYZ 56.6929 794.5015 null]
+1516 0 obj <<
+/D [1514 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-566 0 obj <<
-/D [1217 0 R /XYZ 56.6929 769.5949 null]
+578 0 obj <<
+/D [1514 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1220 0 obj <<
-/D [1217 0 R /XYZ 56.6929 748.2826 null]
+1517 0 obj <<
+/D [1514 0 R /XYZ 56.6929 748.2046 null]
 >> endobj
-570 0 obj <<
-/D [1217 0 R /XYZ 56.6929 748.2826 null]
+582 0 obj <<
+/D [1514 0 R /XYZ 56.6929 748.2046 null]
 >> endobj
-809 0 obj <<
-/D [1217 0 R /XYZ 56.6929 720.3635 null]
+1066 0 obj <<
+/D [1514 0 R /XYZ 56.6929 720.0412 null]
 >> endobj
-1221 0 obj <<
-/D [1217 0 R /XYZ 56.6929 647.0664 null]
+586 0 obj <<
+/D [1514 0 R /XYZ 56.6929 449.6752 null]
 >> endobj
-1222 0 obj <<
-/D [1217 0 R /XYZ 56.6929 635.1112 null]
+1518 0 obj <<
+/D [1514 0 R /XYZ 56.6929 413.7675 null]
 >> endobj
-1223 0 obj <<
-/D [1217 0 R /XYZ 56.6929 529.3677 null]
+590 0 obj <<
+/D [1514 0 R /XYZ 56.6929 413.7675 null]
 >> endobj
-1224 0 obj <<
-/D [1217 0 R /XYZ 56.6929 517.4125 null]
+895 0 obj <<
+/D [1514 0 R /XYZ 56.6929 387.3208 null]
 >> endobj
-574 0 obj <<
-/D [1217 0 R /XYZ 56.6929 180.3481 null]
+1521 0 obj <<
+/D [1514 0 R /XYZ 56.6929 230.2407 null]
 >> endobj
-1225 0 obj <<
-/D [1217 0 R /XYZ 56.6929 143.7717 null]
+1522 0 obj <<
+/D [1514 0 R /XYZ 56.6929 230.2407 null]
 >> endobj
-578 0 obj <<
-/D [1217 0 R /XYZ 56.6929 143.7717 null]
+1523 0 obj <<
+/D [1514 0 R /XYZ 56.6929 198.3547 null]
 >> endobj
-644 0 obj <<
-/D [1217 0 R /XYZ 56.6929 116.6563 null]
+1524 0 obj <<
+/D [1514 0 R /XYZ 56.6929 198.3547 null]
 >> endobj
-1216 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F11 1157 0 R /F77 703 0 R /F57 624 0 R >>
+1525 0 obj <<
+/D [1514 0 R /XYZ 56.6929 198.3547 null]
+>> endobj
+1526 0 obj <<
+/D [1514 0 R /XYZ 56.6929 192.4259 null]
+>> endobj
+1527 0 obj <<
+/D [1514 0 R /XYZ 56.6929 177.6614 null]
+>> endobj
+1528 0 obj <<
+/D [1514 0 R /XYZ 56.6929 174.3269 null]
+>> endobj
+1529 0 obj <<
+/D [1514 0 R /XYZ 56.6929 159.5623 null]
+>> endobj
+1530 0 obj <<
+/D [1514 0 R /XYZ 56.6929 156.2278 null]
+>> endobj
+1531 0 obj <<
+/D [1514 0 R /XYZ 56.6929 98.4347 null]
+>> endobj
+1010 0 obj <<
+/D [1514 0 R /XYZ 56.6929 98.4347 null]
+>> endobj
+1532 0 obj <<
+/D [1514 0 R /XYZ 56.6929 98.4347 null]
+>> endobj
+1533 0 obj <<
+/D [1514 0 R /XYZ 56.6929 95.3752 null]
+>> endobj
+1534 0 obj <<
+/D [1514 0 R /XYZ 56.6929 80.6106 null]
+>> endobj
+1535 0 obj <<
+/D [1514 0 R /XYZ 56.6929 77.2761 null]
+>> endobj
+1513 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R /F53 957 0 R /F11 1293 0 R /F39 858 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1230 0 obj <<
-/Length 2591      
+1538 0 obj <<
+/Length 2936      
+/Filter /FlateDecode
+>>
+stream
+xÚµZ[sÛ6~÷¯Ð£4Sc
‚àåQ‘ÕN츒²ÝNÚZb,N(Ò);î¯ßâB�" tº;~0	â£Îwn8 aø#£ˆ!LcÆ>b˜°Ñöp…GO0·¼"RæZ	]›Rï6WÿzOÃQŒâÀF›¯ÆZÂQDF›Ý—ñôáaq?¿ùÏäÚcx<E“k†±�-Ö“ë0ˆùåS
¿»y÷ñæÓr5}øù7ñÐï˜áéý\ܬ?/—‹õf!oW‹éüæ~	"dòÇæöj±Ñ¯mþ4‚)ç?¯¾ü�G;ø…·WÑ8b£W¸ÁˆÄ±7:\ùŒ"æSªFò«õÕ/zAc¶ytHUZæšú(
+`
·BYŒêQ­P¸P¨’â
+ý²z?ó
þèÿ^Â0Šb�ŒÌEÏ µÔ9¶o’ICQHY|þV$‡l;¹¦A8þü¼Kê´â7Ñ8+Ä`½OÅż<$jð>9¤BlýVÕé�¿zï·0š��
+Ÿ%Û}V<‰›òk�…_Né1ßÐ>�ñ¯«ý;©ôi±;NH4N_+5“4Û½Ö{dÕ;Ä;K‡n½›Rv½k)­÷ tx€ºÕûö°Þ;à‹ïuZTÜ–…BÒí>)²ê ]ákyì)Ÿ'¬Üa•–ú„…¦C�ŽuüÆŒu
/§§SUÿ€é!EaL.˜¾)å @Ix
+\Ð}l&ø}Y\ošÀžY‘ä=�‹ÓD�t—	ÞZÃC^Èè°ÌŽÉ+gVØ
ë>¶ëV¦�O.èÞ�rè^IiÝG>sèÞmè¾�mѽ	¾N·B¡\”�?¤oâBrLŠ*º†Ñ
+‰Í\
+G
üù©xv:ý	ͽ“£“£Üa±#â/s—TUª¢µhˆJÈ�:«Ä°‚`9Ü!Ê™�rÂcÔ¿@º!å ]IÄ»â¦Ú ¾�m!ßI¯.·%ïL€ŸÜ•»^Ó4òdÊVžÌGD2âÎÛ&#¸'ØÛ6Ï9pˆ"?6svLD¢„E»f¡'Lçå£wR\™…ôb¹r‡}µ;ÆÒÍÒÿÐ. Qð®ä…``JÙíBKµváûv»pB·vq†=lpž?E
ÏBJ¹ËoK^V47�=PÉÈNe-Ç/Z{àwº9h„ŸGùF¯„²XlÚ‹íDd½“â:FðÁ¹<"Ñ£øßÃYÑ‚Â)Ç2‹¶O !YÜx’¨NÐ+7¥ÓÇòT÷º
+ œ7±UŸEü>Æ[ânã3¤Ƨ¤”ñæ
+JNhÃøúØã3Á§“kæù†%ñ;©s^)ð�†3cFÁ|dVÍNj3öëÄÃcØИw»4—«ÏÓç¼|SÏ7,4¯P~­_ÿ)°`
+¥bH#˱‚ ´>=Û±¾eò"^¸Ú�8¦ÖXãEá8¾ÐÜ1¥ìtk)ƒnÇѬº¥û{˜îø¬<D¿•¨6ë™ý7“Ájy¬„ŒðZ˜XŸžž`Öì�`ü}ö}ð
+Ò:õ¨u;<wv�ó¤ø+{²E›»,ÏõYïß4	?FAèÅLÂ�r˜„’Ò&GŽS'´a}l‹I˜àëô˜©£’ûS»Ãš6-‰´Î¶C'f柟Îê£XËöœ×˜vµS‚<L.Tƒ¦”CíJªÍú¡#ë;¡
µ÷±-j7Áµ'Bå—U�é>yÉx
+¬äÄç<‡°\Èu¥¡P#ó‡Ëí·ä9­Á¦Ô¾Q½U'~÷c°½Sµ"á¥�6L)ËJJ³bGZvB,÷±-,›àíõzúÐvÕÚ]Aë
ƒT{$Å0nÎß
KºYw‘gežæybI†ö¶Á�ˆ±wa/fJ9ˆPRšˆ(tá‚6ˆèc[ˆ0Á§ÜšÃñ]š4ÛqOuÐ=¾½zVÁUh&?–ºÙ7ô@Ð|îÆ'ÄNÞk?wã“òtF­Ÿ»QLTŠ�n"ê"¾$ŒJŽµ^çu>�µ±Z¦Ûìo"z¿LºQET¶å
>]8ß&Å)9¾ý@ºCä…Á…ž·!äø¨J
+é#QÌ%’×ø¤ªlù¢Ê@“ D~”@‰ßÄ_> öåpÑ|Ëöõ­1
+~/öé ÙZn´\\ýTÈ~jö\�\Šù“ËSþx¦ª´
+¡“®�„R†ø·ªzÅ:¡ÿãÏfͶ<¢Qd	Ý(òâP½ùøì£^F#Ä"/xõÿp=7endstream
+endobj
+1537 0 obj <<
+/Type /Page
+/Contents 1538 0 R
+/Resources 1536 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1592 0 R
+>> endobj
+1539 0 obj <<
+/D [1537 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1540 0 obj <<
+/D [1537 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1541 0 obj <<
+/D [1537 0 R /XYZ 85.0394 771.5874 null]
+>> endobj
+1542 0 obj <<
+/D [1537 0 R /XYZ 85.0394 744.8677 null]
+>> endobj
+1543 0 obj <<
+/D [1537 0 R /XYZ 85.0394 741.1608 null]
+>> endobj
+1544 0 obj <<
+/D [1537 0 R /XYZ 85.0394 726.3962 null]
+>> endobj
+1545 0 obj <<
+/D [1537 0 R /XYZ 85.0394 722.6893 null]
+>> endobj
+1546 0 obj <<
+/D [1537 0 R /XYZ 85.0394 707.9846 null]
+>> endobj
+1547 0 obj <<
+/D [1537 0 R /XYZ 85.0394 704.2179 null]
+>> endobj
+1548 0 obj <<
+/D [1537 0 R /XYZ 85.0394 689.4533 null]
+>> endobj
+1549 0 obj <<
+/D [1537 0 R /XYZ 85.0394 685.7464 null]
+>> endobj
+1550 0 obj <<
+/D [1537 0 R /XYZ 85.0394 670.9818 null]
+>> endobj
+1551 0 obj <<
+/D [1537 0 R /XYZ 85.0394 667.2749 null]
+>> endobj
+1552 0 obj <<
+/D [1537 0 R /XYZ 85.0394 640.5552 null]
+>> endobj
+1553 0 obj <<
+/D [1537 0 R /XYZ 85.0394 636.8483 null]
+>> endobj
+1554 0 obj <<
+/D [1537 0 R /XYZ 85.0394 622.0837 null]
+>> endobj
+1555 0 obj <<
+/D [1537 0 R /XYZ 85.0394 618.3768 null]
+>> endobj
+1556 0 obj <<
+/D [1537 0 R /XYZ 85.0394 603.6122 null]
+>> endobj
+1557 0 obj <<
+/D [1537 0 R /XYZ 85.0394 599.9053 null]
+>> endobj
+1558 0 obj <<
+/D [1537 0 R /XYZ 85.0394 585.1408 null]
+>> endobj
+1559 0 obj <<
+/D [1537 0 R /XYZ 85.0394 581.4339 null]
+>> endobj
+1560 0 obj <<
+/D [1537 0 R /XYZ 85.0394 510.1696 null]
+>> endobj
+1561 0 obj <<
+/D [1537 0 R /XYZ 85.0394 510.1696 null]
+>> endobj
+1562 0 obj <<
+/D [1537 0 R /XYZ 85.0394 510.1696 null]
+>> endobj
+1563 0 obj <<
+/D [1537 0 R /XYZ 85.0394 506.8333 null]
+>> endobj
+1564 0 obj <<
+/D [1537 0 R /XYZ 85.0394 492.1286 null]
+>> endobj
+1565 0 obj <<
+/D [1537 0 R /XYZ 85.0394 488.3618 null]
+>> endobj
+1566 0 obj <<
+/D [1537 0 R /XYZ 85.0394 464.2921 null]
+>> endobj
+1567 0 obj <<
+/D [1537 0 R /XYZ 85.0394 457.9352 null]
+>> endobj
+1568 0 obj <<
+/D [1537 0 R /XYZ 85.0394 432.4907 null]
+>> endobj
+1569 0 obj <<
+/D [1537 0 R /XYZ 85.0394 427.5086 null]
+>> endobj
+1570 0 obj <<
+/D [1537 0 R /XYZ 85.0394 400.7888 null]
+>> endobj
+1571 0 obj <<
+/D [1537 0 R /XYZ 85.0394 397.0819 null]
+>> endobj
+1572 0 obj <<
+/D [1537 0 R /XYZ 85.0394 325.9133 null]
+>> endobj
+1573 0 obj <<
+/D [1537 0 R /XYZ 85.0394 325.9133 null]
+>> endobj
+1574 0 obj <<
+/D [1537 0 R /XYZ 85.0394 325.9133 null]
+>> endobj
+1575 0 obj <<
+/D [1537 0 R /XYZ 85.0394 322.4814 null]
+>> endobj
+1576 0 obj <<
+/D [1537 0 R /XYZ 85.0394 297.0369 null]
+>> endobj
+1577 0 obj <<
+/D [1537 0 R /XYZ 85.0394 292.0547 null]
+>> endobj
+1578 0 obj <<
+/D [1537 0 R /XYZ 85.0394 265.335 null]
+>> endobj
+1579 0 obj <<
+/D [1537 0 R /XYZ 85.0394 261.6281 null]
+>> endobj
+1580 0 obj <<
+/D [1537 0 R /XYZ 85.0394 246.8635 null]
+>> endobj
+1581 0 obj <<
+/D [1537 0 R /XYZ 85.0394 243.1566 null]
+>> endobj
+1582 0 obj <<
+/D [1537 0 R /XYZ 85.0394 171.8924 null]
+>> endobj
+1583 0 obj <<
+/D [1537 0 R /XYZ 85.0394 171.8924 null]
+>> endobj
+1584 0 obj <<
+/D [1537 0 R /XYZ 85.0394 171.8924 null]
+>> endobj
+1585 0 obj <<
+/D [1537 0 R /XYZ 85.0394 168.5561 null]
+>> endobj
+1586 0 obj <<
+/D [1537 0 R /XYZ 85.0394 144.4863 null]
+>> endobj
+1587 0 obj <<
+/D [1537 0 R /XYZ 85.0394 138.1294 null]
+>> endobj
+1588 0 obj <<
+/D [1537 0 R /XYZ 85.0394 123.3648 null]
+>> endobj
+1589 0 obj <<
+/D [1537 0 R /XYZ 85.0394 119.6579 null]
+>> endobj
+1590 0 obj <<
+/D [1537 0 R /XYZ 85.0394 92.9382 null]
+>> endobj
+1591 0 obj <<
+/D [1537 0 R /XYZ 85.0394 89.2313 null]
+>> endobj
+1536 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F47 874 0 R /F21 654 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1595 0 obj <<
+/Length 2839      
+/Filter /FlateDecode
+>>
+stream
+xÚµšÝs›¸ÀßóWøÑž©µHâóщ]ÇmãæÚIwwº} ¶’0µ!Ü6ÿýJH‚¢½wîä! :X?�OÀ#‡ÿá‘ç#?"Ñ(ˆ\ä9ØíŽÎè‰_[^`%3ÕBS(uywñÇ[Œ"ùÄÝ=‚¹Bä„!Ýí?�gˆ¢	ŸÁ_®.?¬>.7³Ûë¿'Sâ9ãÏ™­çòd{¿\.¶wuºYÌæ«õ’‹àÉ4ð#g<»½]¬ç«¿äõ™˜Õ©G¯ÛÉ—»w‹»ú±áOÃÏüíâóg´ç¿ðÝ…ƒhz£üÄA8ŠÈèxázy.¥zäp±½øO=!¸ZÝjZªZfJ]rýêEȧ„ÖÊ
ª¥Ä‚~Þ¼½"ا_º¿ÂU{ÁNz¦º–:×íB˜˜È#A[÷}‘¤O“)%d\>3y°JK–§¬”góõV]ÏÔ@R”yòp*•øÍê¯ÅF^eéc–ãTÝ»<dñAÏöû|‚Ã1+
+u_üò"”óÝY%êFÈÅ.ÇR=ã.ïÊýQMt˜Š{%6ÅEžG*éC¶Û='Ù¹©ÞÅé)Î_å	ß
!êÝT|y"Š£
¼@Ê‚WK
¼¡¯M5ÀÛÕmÆuoX‘Ne’¥|¨?ÎÅÿ`|Ÿ&”B§ŠÍŽÉ‘Õž¥eò�ã–rè$7Š¸¹Ú(blžãDͼŽ�L^Þ¾%;š°:¡°�7HM§	;È)ât/o�B­om¡¾añáÀK³>¥¬ô‚ö#Š];h(Õº–ªAêôƒ¶ªn@Ÿé6‚né~ÏÔ_üÜ=Çé“Zˆ9;°§Xñ>˜í²|/�ù�’§�^o
Øpèq=�š˜)§]~MÒ"KÕðÇ]™=°üW(>rCÀ›B)-USð¨o¡`S
(tu›)@ÝóíLþô÷‹¿y$·²ˆ†«¥JÒîºk;âÇÊŽÄ
ÒŽê¸ÊéT±óœá‘)
+ü6¡¹"´ˆ‹òej˜V†¾Wg7±´ûçšXÔOŒ®3à ¡”…˜–Ä1›j@¬«ÛLêÞlgÜÌ=YM�XRC’š8€Ä&¹Œ¦&%µêEMPó#ñ!ˆr�Ä&fØ\bg
¶Ê;Ö3µ¼£&ñ�ã:Ù!”²ÀÔR
+Ü0¯±²ÝóY¿ÆŽ�ÿlÇ
êN(eÁ¦¥jl^déXUl]ÝflP·ìª†<GüY²´àÁQ”™‘#»¬üqzyÉòR
+­nåàw–Uƒ¾©W`äø�.ñÆ[$ï¸{ÎŽ²‚£Wjôú”p»�Õè'
K\z_$iœ–ê’,Šù°îÊÕÚÚN6;%E‘˜:Bœ3íåL#�g÷Á@I
+¥ú9×R€³¥¿`UÝp>ÓmäÜÒ}Íí 2¢ÆäîÓ¯iö#íšn»Ûi×	T†×2ðÂ؈ﴎΔ	.OE?M-y%%>+_$�öQ´a	¢˜{ž)Oq@Ýf/·z]ug«~•ÐÇœøȆ*S(ea®¥4sc±…¹M5`ÞÕmfu×ë±HwÙþþš•?²ükSÕt;…ùòå¿
+žVv,õ2‹;=µ_é¥ðº….?PÊÂKK5íbi_[U^]Ýf^PwíéÜP{:7žnÂíÊÙ¹Q§»É%W³õL]ñŠ!Ù³¼²¿¢§Õé“Ö[A>cUdóÛa‘͇A‘-.*¡Ëªá•¦¬º:ý³²¹Ã!‰�…î²h%­
+ 6ÙK�zÄiÚ¼§ïëÂœ¥›�ƒBêâžlóãüõ¦�ƒ¹�pcðÍPªãÔRuˆt¨%o±ªn6ΙnãÆié†!2Þ“T|Ž—Y®ËúfYªó§ß&Èä¡}O¼¹îä�7
+Ù‡¬äsŠ6¬º°Î¾h<5é·/ž›úþ€ƒ…R–u×RMjb{SlU
Ö½«Û¼îP·ð¡Y·d›Çe¬ÚÃÉ�ig›ŠÖÉÓ)Ùá"—a-/Œ_XÈõ]×’É_2–«*Ýô�EU��€[èÐ[{(ea¡¥j¶¼Š°ª,ººÍ, n#‹Úè¨W»¡ß'B0OÃ�˜ß]Æ9´Œ³7ˆß„³o mBý8´PÊ[SÙ¦·�ÑUld
Ÿ­úUÎã~žÄ�zªÊ'ºy=ËEGËèœ^Üâ°óMK'žüN‚ص˜~@~ˆ0u†>k„,F(¡æã0lÉ5lzÁgÅæ¯"€âû‚µûµÁÌx$/X·ðmµ'¶ê�9~„( ]¯¥ãÇu|LåYq¬¿ûSØOž<=—¿ýååa‹?…uêìáþ2¾áATx#i"^®„|õPb!"röäØA„úÄðèÿå3fƒendstream
+endobj
+1594 0 obj <<
+/Type /Page
+/Contents 1595 0 R
+/Resources 1593 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1592 0 R
+>> endobj
+1596 0 obj <<
+/D [1594 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1597 0 obj <<
+/D [1594 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1598 0 obj <<
+/D [1594 0 R /XYZ 56.6929 771.5874 null]
+>> endobj
+1599 0 obj <<
+/D [1594 0 R /XYZ 56.6929 744.8677 null]
+>> endobj
+1600 0 obj <<
+/D [1594 0 R /XYZ 56.6929 739.887 null]
+>> endobj
+1601 0 obj <<
+/D [1594 0 R /XYZ 56.6929 713.1673 null]
+>> endobj
+1602 0 obj <<
+/D [1594 0 R /XYZ 56.6929 708.1866 null]
+>> endobj
+1603 0 obj <<
+/D [1594 0 R /XYZ 56.6929 693.4819 null]
+>> endobj
+1604 0 obj <<
+/D [1594 0 R /XYZ 56.6929 688.4414 null]
+>> endobj
+1605 0 obj <<
+/D [1594 0 R /XYZ 56.6929 673.7366 null]
+>> endobj
+1606 0 obj <<
+/D [1594 0 R /XYZ 56.6929 668.6961 null]
+>> endobj
+1607 0 obj <<
+/D [1594 0 R /XYZ 56.6929 644.6264 null]
+>> endobj
+1608 0 obj <<
+/D [1594 0 R /XYZ 56.6929 636.9957 null]
+>> endobj
+1609 0 obj <<
+/D [1594 0 R /XYZ 56.6929 611.5512 null]
+>> endobj
+1610 0 obj <<
+/D [1594 0 R /XYZ 56.6929 605.2953 null]
+>> endobj
+1611 0 obj <<
+/D [1594 0 R /XYZ 56.6929 581.2255 null]
+>> endobj
+1612 0 obj <<
+/D [1594 0 R /XYZ 56.6929 573.5948 null]
+>> endobj
+1613 0 obj <<
+/D [1594 0 R /XYZ 56.6929 558.8901 null]
+>> endobj
+1614 0 obj <<
+/D [1594 0 R /XYZ 56.6929 553.8496 null]
+>> endobj
+1615 0 obj <<
+/D [1594 0 R /XYZ 56.6929 527.1298 null]
+>> endobj
+1616 0 obj <<
+/D [1594 0 R /XYZ 56.6929 522.1492 null]
+>> endobj
+1617 0 obj <<
+/D [1594 0 R /XYZ 56.6929 495.4294 null]
+>> endobj
+1618 0 obj <<
+/D [1594 0 R /XYZ 56.6929 490.4487 null]
+>> endobj
+1619 0 obj <<
+/D [1594 0 R /XYZ 56.6929 466.379 null]
+>> endobj
+1620 0 obj <<
+/D [1594 0 R /XYZ 56.6929 458.7483 null]
+>> endobj
+1621 0 obj <<
+/D [1594 0 R /XYZ 56.6929 444.0436 null]
+>> endobj
+1622 0 obj <<
+/D [1594 0 R /XYZ 56.6929 439.0031 null]
+>> endobj
+1623 0 obj <<
+/D [1594 0 R /XYZ 56.6929 413.5586 null]
+>> endobj
+1624 0 obj <<
+/D [1594 0 R /XYZ 56.6929 407.3026 null]
+>> endobj
+1625 0 obj <<
+/D [1594 0 R /XYZ 56.6929 346.1003 null]
+>> endobj
+1626 0 obj <<
+/D [1594 0 R /XYZ 56.6929 346.1003 null]
+>> endobj
+1627 0 obj <<
+/D [1594 0 R /XYZ 56.6929 346.1003 null]
+>> endobj
+1628 0 obj <<
+/D [1594 0 R /XYZ 56.6929 338.5253 null]
+>> endobj
+1629 0 obj <<
+/D [1594 0 R /XYZ 56.6929 323.7607 null]
+>> endobj
+1630 0 obj <<
+/D [1594 0 R /XYZ 56.6929 318.7801 null]
+>> endobj
+1631 0 obj <<
+/D [1594 0 R /XYZ 56.6929 304.0753 null]
+>> endobj
+1632 0 obj <<
+/D [1594 0 R /XYZ 56.6929 299.0348 null]
+>> endobj
+1633 0 obj <<
+/D [1594 0 R /XYZ 56.6929 284.3301 null]
+>> endobj
+1634 0 obj <<
+/D [1594 0 R /XYZ 56.6929 279.2896 null]
+>> endobj
+1635 0 obj <<
+/D [1594 0 R /XYZ 56.6929 264.5848 null]
+>> endobj
+1636 0 obj <<
+/D [1594 0 R /XYZ 56.6929 259.5443 null]
+>> endobj
+1637 0 obj <<
+/D [1594 0 R /XYZ 56.6929 244.7797 null]
+>> endobj
+1638 0 obj <<
+/D [1594 0 R /XYZ 56.6929 239.7991 null]
+>> endobj
+1639 0 obj <<
+/D [1594 0 R /XYZ 56.6929 163.7723 null]
+>> endobj
+1640 0 obj <<
+/D [1594 0 R /XYZ 56.6929 163.7723 null]
+>> endobj
+1641 0 obj <<
+/D [1594 0 R /XYZ 56.6929 163.7723 null]
+>> endobj
+1642 0 obj <<
+/D [1594 0 R /XYZ 56.6929 159.0666 null]
+>> endobj
+1643 0 obj <<
+/D [1594 0 R /XYZ 56.6929 144.3618 null]
+>> endobj
+1644 0 obj <<
+/D [1594 0 R /XYZ 56.6929 139.3213 null]
+>> endobj
+1645 0 obj <<
+/D [1594 0 R /XYZ 56.6929 124.6166 null]
+>> endobj
+1646 0 obj <<
+/D [1594 0 R /XYZ 56.6929 119.576 null]
+>> endobj
+1647 0 obj <<
+/D [1594 0 R /XYZ 56.6929 104.8115 null]
+>> endobj
+1648 0 obj <<
+/D [1594 0 R /XYZ 56.6929 99.8308 null]
+>> endobj
+1649 0 obj <<
+/D [1594 0 R /XYZ 56.6929 85.0662 null]
+>> endobj
+1650 0 obj <<
+/D [1594 0 R /XYZ 56.6929 80.0855 null]
+>> endobj
+1593 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F47 874 0 R /F21 654 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1653 0 obj <<
+/Length 2728      
 /Filter /FlateDecode
 >>
 stream
-xÚ­Z[s£8~ϯð£]µV�„lmm•c;wwÜ;½³³=ó@Û$¦Úà\æ×ï’@`�{j·ò!tÄùÎå“d<pà|†¸¸ˆ9˜
6‡+gðcwWXÉŒµÐØ”ºy¼º¾õÈ @�G¼Áã“1—�ßǃÇí×áäáa¾œ-þ=æ'h4fŽ£{§óõh̽@P1ä9ÛÅͧÅç»Õäá§_åK¿9Ì™,gòaýåîn¾~œ«ÇÕ|2[,ï@�~üp5¬–m~v¨XóW_w[øÂW¢�ϯðà dp¸rEÌ¥T÷ì¯ÖW?W£å«]¦bÔGÌ'¼ÃVŒwÙŠÈ£„–¶Š“±0Ï0I‹(¿n¦
¢”ùõ;]¨¤Æ¦X¹
-|·™â²ô˜æ‘ö”K	�AžÀܽ�ðL©~ì*©*¼‚À^VÕ5xgº»Ák(_$YõËR8þ'Md�# “üI;¸Fp¶\wÁçb„=ßmÂw¯àû¼+BÕ59=ŸòBx½1ÃD�
-%Åú0=Ž±WcA^c!f1±ƒkÕÿ¸Kyš¨Þ_ËØTC«èû®€实±Ì¿bè’L·RÜ`º7é)ÙjÌ�™Nå
-U
ùÿæ”ïdk¾ÿS¶ÓþýG�0æ�0¤,Hh©
-	êø$lª
$Úº{�0•/£g0é‹ÎjáfW±
-�ô*~>EYí†í9&é.E“d+ß«æq÷rÿ»ÙUv÷ûíDÂeÀRìv7¤,v×R•Ý}×B¬ª
»·u÷ØÝT¾ŽyŸ²áÇè]6jnT
¢”Š¤ˆ«¢’²‚AC
qÚñ¸^TçKg•‰"ÇgØ@	^ªK<@:t‡ñUu¢Áð³º;m�¿r™	õ‡352ób,_¥¢‘øöáw]ëhùÕ:VÄõF¹Š<ßØïÁ	©§ôŸÄqœnÖ	Û>ŸºøÇX§zŒ÷*
I¶šqÍ¢—hŸCëóGêäòK$É”ê÷ÇJª"I¾o)ÂVÕµ?žéîödžò*ÈçoE”äçI9?�i¦XÊâAþ‰²¼"I^Wb
-²ö
ÉÙR˜y¯:§ªs�Ê<.¹œž·�sã$c&ÆÏm2§Ëû=0¬jŸü×\û
‚
õ—0¥ú]¢’ªO¢|ÒïVÕµKœéîv‰†ò5ìŸôÁßòT³™	äƒÝ!zßy¡ÉsÏw¶Õ6¶e}s«k;`:Ëô˜{ˆr¯ut»Šòô”mT}ZE›4ÛêËÀ¾£Þc\ØŠKÛÖB•P… ö©A‹^À–âüÍËè¾SÎÐX­TG$'’¸è£[Ž‹<1M�aIŸnÅvÉ9æ/òšzfE)€‡ŸÔÐDý¿%+Ks%°R_ö{ˆÛDÍ+]
ºëX/›·)’›éU5¼¤No�Š›fâÛá­eúÑU2¸Ü±dl‹ÒÛ–Önh
µ?Y®'ÚÓ…ß—§
ßï„—À.'à­‹½§½dίjt˜NÓ=ìwÞéöŸsD¸‡/ü¦ê7¿ª÷ Üb›Þ€¶ânLÍ┞ðá}–;Oâ©ó
蛿%WÉsiGü”VG! ±H@øPuxò愨“cѨè6*º
½½'ÇÔÁˆCã¨Ë2)&_ä•$ôÕ1F§É’*éiT„ÉO}%µ«æB×Ôxó=NòŠGµîÝ,×”!ñ{Ÿdœ*ÑÿÏ?+2��Ûú=×oÔñ º®%¾›g?FÑ¿?:_ú
ƒ
+xÚÝZ[w£8~ϯð#>§Í"	q™7'N§Ó—$k§wv¶§ˆMÎbðNoæ×O	]‰ÞÝ·=~0H%}P_U©TÍ<ø¡YD]�Äþ,Œ}—zˆÎ¶‡o¶‡¾›$dRh¡K]>^üå=	g±8˜=>ksE®Ehö¸ûæ,®ïV·Ÿ/0õœ¥;_PÏ“­W×›ù"bÖAXWà9—·—ŸoïoÖˇ¿ñA¿{Ô[Þ­øÍæëÍÍõæñZÜ®¯—«Û»Aóï�/®Õc믆<žù_ß¾{³¼áÇÏ%qDg?àÆsQãÙá§ĥ>!²%¿Ø\üUM¨õ¶CÇTEIäÒ‡#ºÂh†�SŠ{Ê¢±LZeÝMZI“•E’g¤;þ’«ò�d¿¾Kim|Uâ»~ngQ“âOFÆX”RìÁ¾­ß_áÓïCdD=7ŠáÕ¬ÐJêÛ×-QêF!¡}ð%¼y8�s„�“û¼ÕK:¿Î±ç¤O¿ÌÄÇÎm]Ÿ@5mOùÌÇÜ¢èî¿TJ„îV‰¬=ô`Âh^RÞ{W•ß’6üîXÍQä”M¹-ó–ƒ�êŽ]Ï‹Á@Úç
+|ëvÿT—yÚ¤4°´Ã1O°ÈòÄõ¿á3Ö"_‘…“- KýTªKYlAJiû\ËÒh…Ölaˆm°œÛœë®²wmô„ÿ›´ÜWÉñœ4ç-Ÿ-ù€ÝˆÒX¯`#çÊåß'§9ÏEÏ—¶‡:›íË)ÿ#­!ÿ�§YS€€w‹.Î%ô­„ì	we‘½‰¨Äï9ø°ÃÆhÆŸJKu)3ÅJJe?Ah)eX¡;ŠÏ°Ç)î�_f…Z¶>'O©,idg+íè–OÔ©Û½Ø�ûÿE«äÇ3/díd08íOu£xˆÍ<¾‹Ã©,T—²ð ¥ºÄÐRé°Bk<±
<èàÜÕ"a§a¹Oyà¾)Ù¿^
�F›áJ[EÃ~Ïö‰Hf#é0Ë:-NÌÞÇ+%Äó\/õÊTsÒ¢>iÝ´bõûçF‚í§Œ$‘9Ô)žžÅîTI|4¨%‹Ð½ÔÚ6éöyÆÛtUÅÈ¥áT5R—2›Ž’R¦ã–J�º3�3ìqÓé�KÏô±ôLH£U™µvb=š…�¯Ôaj5? mHm‡B6–'ÿœ#§M¡`ïO¤=0œÖÌØÅ•�ÿ”œÄq#›åcR´92�ÇhX0zP
+€gÙTZ¡5&†Ø&tpU�"Yâ„+u6Æ®$
+ÛsOX6×WíÉ'—Èö?ƒ¹'}ÛñƒS’X#ÊÇعtùÀ¶
+É)ÌÔ”m<äKùá˜ßûPÆúIL¯:õiD'c&LÈttÙ>†±€vd
PÇ©Ò`
k±ò‘õåI•±Ï ¶IWg“ÿÿ(éiMÒœFk2(„,vt=_ºveqîGVO­Íõ˜0„,,˜Hë5!ËgIB¨û\Ávv`ÃÕ>J
+¿á3Eân„ãP>{ø˜Ÿ\}ŽyþèpnØMendstream
+endobj
+1652 0 obj <<
+/Type /Page
+/Contents 1653 0 R
+/Resources 1651 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1592 0 R
+>> endobj
+1654 0 obj <<
+/D [1652 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1655 0 obj <<
+/D [1652 0 R /XYZ 85.0394 752.341 null]
+>> endobj
+1656 0 obj <<
+/D [1652 0 R /XYZ 85.0394 752.341 null]
+>> endobj
+1657 0 obj <<
+/D [1652 0 R /XYZ 85.0394 752.341 null]
+>> endobj
+1658 0 obj <<
+/D [1652 0 R /XYZ 85.0394 746.4344 null]
+>> endobj
+1659 0 obj <<
+/D [1652 0 R /XYZ 85.0394 719.7147 null]
+>> endobj
+1660 0 obj <<
+/D [1652 0 R /XYZ 85.0394 716.4024 null]
+>> endobj
+1661 0 obj <<
+/D [1652 0 R /XYZ 85.0394 690.9579 null]
+>> endobj
+1662 0 obj <<
+/D [1652 0 R /XYZ 85.0394 686.3704 null]
+>> endobj
+1663 0 obj <<
+/D [1652 0 R /XYZ 85.0394 660.9259 null]
+>> endobj
+1664 0 obj <<
+/D [1652 0 R /XYZ 85.0394 656.3385 null]
+>> endobj
+1665 0 obj <<
+/D [1652 0 R /XYZ 85.0394 589.5443 null]
+>> endobj
+1666 0 obj <<
+/D [1652 0 R /XYZ 85.0394 589.5443 null]
+>> endobj
+1667 0 obj <<
+/D [1652 0 R /XYZ 85.0394 589.5443 null]
+>> endobj
+1668 0 obj <<
+/D [1652 0 R /XYZ 85.0394 583.6377 null]
+>> endobj
+1669 0 obj <<
+/D [1652 0 R /XYZ 85.0394 559.568 null]
+>> endobj
+1670 0 obj <<
+/D [1652 0 R /XYZ 85.0394 553.6057 null]
+>> endobj
+1671 0 obj <<
+/D [1652 0 R /XYZ 85.0394 538.901 null]
+>> endobj
+1672 0 obj <<
+/D [1652 0 R /XYZ 85.0394 535.5289 null]
+>> endobj
+1673 0 obj <<
+/D [1652 0 R /XYZ 85.0394 520.7643 null]
+>> endobj
+1674 0 obj <<
+/D [1652 0 R /XYZ 85.0394 517.4521 null]
+>> endobj
+1675 0 obj <<
+/D [1652 0 R /XYZ 85.0394 502.6875 null]
+>> endobj
+1676 0 obj <<
+/D [1652 0 R /XYZ 85.0394 499.3753 null]
+>> endobj
+1677 0 obj <<
+/D [1652 0 R /XYZ 85.0394 475.3056 null]
+>> endobj
+1678 0 obj <<
+/D [1652 0 R /XYZ 85.0394 469.3433 null]
+>> endobj
+1679 0 obj <<
+/D [1652 0 R /XYZ 85.0394 454.5787 null]
+>> endobj
+1680 0 obj <<
+/D [1652 0 R /XYZ 85.0394 436.5019 null]
+>> endobj
+1681 0 obj <<
+/D [1652 0 R /XYZ 85.0394 433.1897 null]
+>> endobj
+1682 0 obj <<
+/D [1652 0 R /XYZ 85.0394 418.4251 null]
+>> endobj
+1683 0 obj <<
+/D [1652 0 R /XYZ 85.0394 415.1128 null]
+>> endobj
+1684 0 obj <<
+/D [1652 0 R /XYZ 85.0394 391.0431 null]
+>> endobj
+1685 0 obj <<
+/D [1652 0 R /XYZ 85.0394 385.0808 null]
+>> endobj
+1686 0 obj <<
+/D [1652 0 R /XYZ 85.0394 327.3726 null]
+>> endobj
+1687 0 obj <<
+/D [1652 0 R /XYZ 85.0394 327.3726 null]
+>> endobj
+1688 0 obj <<
+/D [1652 0 R /XYZ 85.0394 327.3726 null]
+>> endobj
+1689 0 obj <<
+/D [1652 0 R /XYZ 85.0394 324.3353 null]
+>> endobj
+1690 0 obj <<
+/D [1652 0 R /XYZ 85.0394 300.2656 null]
+>> endobj
+1691 0 obj <<
+/D [1652 0 R /XYZ 85.0394 294.3033 null]
+>> endobj
+1692 0 obj <<
+/D [1652 0 R /XYZ 85.0394 279.5387 null]
+>> endobj
+1693 0 obj <<
+/D [1652 0 R /XYZ 85.0394 276.2265 null]
+>> endobj
+1694 0 obj <<
+/D [1652 0 R /XYZ 85.0394 206.4674 null]
+>> endobj
+1695 0 obj <<
+/D [1652 0 R /XYZ 85.0394 206.4674 null]
+>> endobj
+1696 0 obj <<
+/D [1652 0 R /XYZ 85.0394 206.4674 null]
+>> endobj
+1697 0 obj <<
+/D [1652 0 R /XYZ 85.0394 203.5257 null]
+>> endobj
+1698 0 obj <<
+/D [1652 0 R /XYZ 85.0394 179.456 null]
+>> endobj
+1699 0 obj <<
+/D [1652 0 R /XYZ 85.0394 173.4937 null]
+>> endobj
+1700 0 obj <<
+/D [1652 0 R /XYZ 85.0394 158.7292 null]
+>> endobj
+1701 0 obj <<
+/D [1652 0 R /XYZ 85.0394 155.4169 null]
+>> endobj
+1702 0 obj <<
+/D [1652 0 R /XYZ 85.0394 140.7122 null]
+>> endobj
+1703 0 obj <<
+/D [1652 0 R /XYZ 85.0394 137.3401 null]
+>> endobj
+1704 0 obj <<
+/D [1652 0 R /XYZ 85.0394 113.2704 null]
+>> endobj
+1705 0 obj <<
+/D [1652 0 R /XYZ 85.0394 107.3081 null]
+>> endobj
+1706 0 obj <<
+/D [1652 0 R /XYZ 85.0394 92.6034 null]
+>> endobj
+1707 0 obj <<
+/D [1652 0 R /XYZ 85.0394 89.2313 null]
+>> endobj
+1651 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1710 0 obj <<
+/Length 1567      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XKsâ8¾ó+|[S5h%[~í�’e&K²ÀÖîÔdÆPÅÛÉ°¿~[ÆIÕ·¤~©¿n©10üˆá¸È
¬ÀðŠL#JzØØÀÚ}�hžAÅ4hrÝ,z¿ÞÙž Àµ\c±nèòö}b,VßÌ!²Q4`ófró0y¼Ÿ
Ÿ~ÿÚX6Ÿ±ƒ‡Ó‘Ìÿº¿Ïc=œ�‡£ÉôXHà¹
6‡OOãéhò�Z
+­¸ž½Ïûߟ{ãEívskÛÂç½oß±±‚~îad¾c¼Á
+»ÍH5�vá@õíƉ2Oa+¡aÏ®Ï4ÝBV˜<z‘çŒx)	…ŽswØóÍV^.ñ|Ø
 endobj
-1229 0 obj <<
+1709 0 obj <<
 /Type /Page
-/Contents 1230 0 R
-/Resources 1228 0 R
+/Contents 1710 0 R
+/Resources 1708 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1283 0 R
-/Annots [ 1231 0 R 1233 0 R 1234 0 R 1235 0 R ]
+/Parent 1592 0 R
 >> endobj
-1231 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 793.5053 539.579 807.4529]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
+1711 0 obj <<
+/D [1709 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1233 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 756.4942 140.332 767.8862]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
+1712 0 obj <<
+/D [1709 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1234 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [507.6985 756.4942 539.579 767.8862]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
+1713 0 obj <<
+/D [1709 0 R /XYZ 56.6929 771.5874 null]
 >> endobj
-1235 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 745.1168 199.6097 755.2785]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
+1714 0 obj <<
+/D [1709 0 R /XYZ 56.6929 747.5177 null]
 >> endobj
-1232 0 obj <<
-/D [1229 0 R /XYZ 85.0394 794.5015 null]
+1715 0 obj <<
+/D [1709 0 R /XYZ 56.6929 741.6995 null]
 >> endobj
-1236 0 obj <<
-/D [1229 0 R /XYZ 85.0394 694.0474 null]
+1716 0 obj <<
+/D [1709 0 R /XYZ 56.6929 726.9948 null]
 >> endobj
-1237 0 obj <<
-/D [1229 0 R /XYZ 85.0394 694.0474 null]
+1717 0 obj <<
+/D [1709 0 R /XYZ 56.6929 723.7668 null]
 >> endobj
-1238 0 obj <<
-/D [1229 0 R /XYZ 85.0394 660.6469 null]
+1718 0 obj <<
+/D [1709 0 R /XYZ 56.6929 709.0022 null]
 >> endobj
-1239 0 obj <<
-/D [1229 0 R /XYZ 85.0394 660.6469 null]
+1719 0 obj <<
+/D [1709 0 R /XYZ 56.6929 705.834 null]
 >> endobj
-1240 0 obj <<
-/D [1229 0 R /XYZ 85.0394 660.6469 null]
+1720 0 obj <<
+/D [1709 0 R /XYZ 56.6929 679.1143 null]
 >> endobj
-1241 0 obj <<
-/D [1229 0 R /XYZ 85.0394 654.2654 null]
+1721 0 obj <<
+/D [1709 0 R /XYZ 56.6929 675.9461 null]
 >> endobj
-1242 0 obj <<
-/D [1229 0 R /XYZ 85.0394 639.5008 null]
+594 0 obj <<
+/D [1709 0 R /XYZ 56.6929 645.9962 null]
 >> endobj
-1243 0 obj <<
-/D [1229 0 R /XYZ 85.0394 635.7135 null]
+1722 0 obj <<
+/D [1709 0 R /XYZ 56.6929 621.6566 null]
 >> endobj
-1244 0 obj <<
-/D [1229 0 R /XYZ 85.0394 620.9489 null]
+598 0 obj <<
+/D [1709 0 R /XYZ 56.6929 538.1235 null]
 >> endobj
-1245 0 obj <<
-/D [1229 0 R /XYZ 85.0394 617.1617 null]
+1723 0 obj <<
+/D [1709 0 R /XYZ 56.6929 513.7839 null]
 >> endobj
-1246 0 obj <<
-/D [1229 0 R /XYZ 85.0394 557.6417 null]
+1724 0 obj <<
+/D [1709 0 R /XYZ 56.6929 479.0839 null]
 >> endobj
-746 0 obj <<
-/D [1229 0 R /XYZ 85.0394 557.6417 null]
+1725 0 obj <<
+/D [1709 0 R /XYZ 56.6929 479.0839 null]
 >> endobj
-1247 0 obj <<
-/D [1229 0 R /XYZ 85.0394 557.6417 null]
+1726 0 obj <<
+/D [1709 0 R /XYZ 56.6929 479.0839 null]
 >> endobj
-1248 0 obj <<
-/D [1229 0 R /XYZ 85.0394 554.1294 null]
+1727 0 obj <<
+/D [1709 0 R /XYZ 56.6929 479.0839 null]
 >> endobj
-1249 0 obj <<
-/D [1229 0 R /XYZ 85.0394 539.3648 null]
+1708 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F47 874 0 R /F21 654 0 R /F14 681 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1250 0 obj <<
-/D [1229 0 R /XYZ 85.0394 535.5776 null]
+1730 0 obj <<
+/Length 1914      
+/Filter /FlateDecode
+>>
+stream
+xÚµXK�Û6¾çWh^ bøE©§æÕfdS4[ô�ìAkÓ¶YR%y7FÑÿÞ)[^9FQ¬ÉáðãpÞ”˜qø³T3®²xf²˜i.ôl±}ÆgkXûù™ð<±VLÇJÁdb5Ò*e:•fƒ¼º}öâ')f’³$‘zv»ÎJŒa<›Ý.?Í_6�­–Å׫Hj>uuwû튙I�À]N0,Q:q;ÞçÕ./‰¿É׶öˆ˜©8‘~O¢YÂuêö¼bâ*œóù²X#?2(ÃT’�7ùÖz5ËX–ÈÄÃ(ÁT
+2#nvç~–ÒÐèÍÍG”uýe×Ðx×eÑï‚	–i‹“© Ë|ÜWuÓîÏÞÞ:M8
+4‹„	�©)½�SêøŒQRÎàö�;@8›¨ìè†Á$×pÏ´õéÇ涽óÓèžî¤�•$¸a:K4œ‹›óå²µ�·Êè,¸x+áùÌŦÒ,Mt€\”ù$ ÌXššìpupU”¶L>Ò°TrsŠùåÀl&0#…¾®Ót
^{šºí¿;§�ôøϋžT*–	®Nñú‹xý¾ùx_/â¡MáÅL&O콿÷i³Í?Üá­øb÷ÈgqÆ“Sèx%w.oD
+�3ÅåØ>Ÿ:ð¢2Âعn˜ü¹³í¾nzÆØݹˆWF²ØˆÿñÇç#~àG|´9/š–,É”ù/¢A|C´À5m]Ö÷y�´	9h6¨õBÎ}óöãëß®½½þp3p�R¾Ä‡”ÿ´.(ŠGüÌ5_ÖÛ¼¨ ýÇ|^T«ºÝæ}Q#Aeóu{%ÒyÝØX…gêh-§égΕýZÜ—–È}]—´X
¶·-!­
¼Z'U Xw1íH”´;v)næ×=Qáx”«#nÜæ:ÜeäÏTÍ€U	±ZÂ@bñìš2ß{r¿±DΫîŽÔ¼÷Ûœ¬ž‡Æý®­ì’–Wt•í	ÝItTnGjÃå<ða†PØ%\YÃì}Ýõ¡Ì_ËéJ%ò˶¨Š+1ïú6ïk'<�w��p	
I6Ô™3.
=�JBŽïkìé’;°k·©k=á1Z†ÕmGK÷v‘£n¹^ÑoÑûÕà%Ô^€\óç°�‚òÓ=„;ë‘¡g¤ jk‹`®qÁÍîw×7»ýGðù°Mû´ÉAíüТ‡‘~7ùƒõ[°p£Õ®Z`LäåpX³šP¸Âl¢µù¶Âc–Å*Ô>²sÌÒ,ÓpÇŒc(â_–ý¦Þ­7GÅúL¥.™VB¦ô<¸JÉy…1^–{œ9u/‰þXô¢-êí´•Eei�Bb½ÛÚªïÐtZ‚q‰;/»š¸6yçI4¿Ïû…‡ÜÖKå쌿Ö”jœ’R(�Çn?¤Š˜|IÉ#>2(äZ„@êzŸ#!Š³C¦’¥u¹%™¿$Ú=ÄÞŠ†Ý.ÝîiR{¢s`<c¬‡z¬OrÞ„Û¼X7$̉ˆnZL‹Èo %l,fÜ”»tò´È›Œi{;F›i§2*“ž…Î'l—¯
y]<Ø
+oŸ¥óß«²øb‰nó¶,\œ
+Få–¨eÑ‘?â-«	'Z3!EhM_Ø~ñLuùrX
+ï$!ObxQW«	¹©ÃŽÇY0Gêÿƒ‚,TÕgÌF£ÓˆÄzàóÿ! >¿É…Ås{íáûœZÏï�/æ`azzXÇÿù)ÿÁËÈ÷ê›�Is�N’’S%M]ç;* :Çjg=[C
D©»¥¥¥]å­£PÍ€I îæ;ëM	ÏBmz(ò)?€·	0ßÿõîÃû·¿`€×.&SÅ’4‘ƒ�¡´«ùí&\•’òñõÓ!ÙÈyµ'ÊÁ˜¸É×™Å,R��Ï…ë©Éó¦�Œ·ÙÕuX<Ÿ&œlÒš·®#„s}C¿Ô†Âàõ;ú¥Ï®ÇÅ\е†X,ó†&¾è¿××
�•öÁ–D£¶Þ#»C@õ±IçoêŠ�N­–?câõ�xÐÛ…×ôȼÑÀ4Ò»ïÝN='c"‘Á»¢Åt“zHyK+Ÿß¡•pétµ÷DÊe‚òŽDFÃ6†ÔŒ4¦Ê7—aßÄ3�ÃCN¯ïð=bB >?–J¨Ãë
+ˆ!íOHƒ‰ãú&äl Bï+Ý‹’§ã*ˆŒ¯ßå›Ç!GbI¤.	¿ç5ƒSwÁ¿ë&ô·ÎYpè�…�¾ŸÏZ†Q'Èž%:ðÐ÷ÓÑ7
ž°Tf&
+endobj
+1729 0 obj <<
+/Type /Page
+/Contents 1730 0 R
+/Resources 1728 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1592 0 R
 >> endobj
-1251 0 obj <<
-/D [1229 0 R /XYZ 85.0394 520.813 null]
+1731 0 obj <<
+/D [1729 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1252 0 obj <<
-/D [1229 0 R /XYZ 85.0394 517.0257 null]
+602 0 obj <<
+/D [1729 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1253 0 obj <<
-/D [1229 0 R /XYZ 85.0394 490.306 null]
+1732 0 obj <<
+/D [1729 0 R /XYZ 85.0394 573.0107 null]
 >> endobj
-1254 0 obj <<
-/D [1229 0 R /XYZ 85.0394 486.5187 null]
+606 0 obj <<
+/D [1729 0 R /XYZ 85.0394 573.0107 null]
 >> endobj
-1255 0 obj <<
-/D [1229 0 R /XYZ 85.0394 471.7541 null]
+1733 0 obj <<
+/D [1729 0 R /XYZ 85.0394 538.4209 null]
 >> endobj
-1256 0 obj <<
-/D [1229 0 R /XYZ 85.0394 467.9669 null]
+1734 0 obj <<
+/D [1729 0 R /XYZ 85.0394 504.6118 null]
 >> endobj
-1257 0 obj <<
-/D [1229 0 R /XYZ 85.0394 453.2621 null]
+1735 0 obj <<
+/D [1729 0 R /XYZ 85.0394 432.7569 null]
 >> endobj
-1258 0 obj <<
-/D [1229 0 R /XYZ 85.0394 449.415 null]
+1736 0 obj <<
+/D [1729 0 R /XYZ 85.0394 303.3232 null]
 >> endobj
-1259 0 obj <<
-/D [1229 0 R /XYZ 85.0394 377.9399 null]
+1728 0 obj <<
+/Font << /F21 654 0 R /F23 678 0 R /F39 858 0 R /F53 957 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1260 0 obj <<
-/D [1229 0 R /XYZ 85.0394 377.9399 null]
+1739 0 obj <<
+/Length 3967      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZësÛ6ÿî¿Â3ýPe&b
$ÀÞcÎy4q§qr±;×N{h‰¶8‘HE¤ìúþúÛÅ. R‚¢tîËÅ3!´x/öñÛä¹€?yžåI^¤Å¹)t’	™�ÏVgâüêÞœIn3õ�¦ÃV/nξûA™ó")ò4?¿¹Œea­<¿™ÿ6y‘ÈäŒ &¯.ß<›¦y&ÒÉŇ¯¯^]þ¿3
M �“wW?_üD´Ï
+höæõõ³ßüxöú&,f¸`)®äóÙoÿçsX÷�g"Q…ÍÎá‡HdQ¤ç«3�©$ÓJyÊòìúìŸaÀA­ëe€Iªò4Â�TžK™Y–ŽX�I®RåXp}ùîÃO¯i_?_æpOÐS
x'Ρ:Qyn\—jÝ?­ëY¹¤uóÐÎʾnúÝÞñ8r0°$†nœy}™LšD+�q›eÛ~êhÈeý©úž:¨bÐa*¥Nt¼›J›¤ð/Œ>ÍáäþÑU›‡jC?šrUQ	–_E¦ŸfIaL>ëq
ý¥�Ðü£—‰‘2?Þ$¹VöÈ	Q£é°•; m#"ZáÔ¼ø½i‹4É2«¿<­ot8íhÇ…I2U˜ñ´52Ý—À®ÔÌ8$µú^~ šr>'ætÜÎþX_Hí[¢}ÞV›§gRÊ	¨š*ŠÉÍÂÏ>+j{ËýÝo7÷ƒ>2{ÍMæmßWó)rNU”¯(!Õ¬^9
¶jÒ´½_øE{T<ŸÂùr¦ŒçS<ŸšÌÚeÛLçÕ²^Õ0ñxTØ™Åä_‹Š[o Ðm×ëe
í�(fÃQÆ$¶0’Ua'	{¨l’[]p³Ò-�÷­ežd6웬ÞývU5=ë-+WIŸEÛõxZÏ£ÚbldqZ{•_2sª]>T<O¿(yf
+(ÁáÊÉ]K�‰äd¢nî�wbní¤F‚HÜq“6ÂÊLž@m>ÍJ•�Ržfe:f¥¶ÄJø®]¯ö¡žWó™ØL§'Ù(óœÛÌÚ¦Û.û.bü`Ám?5ü®êgßmÃètÜØK@e3§E#ÃëŠw@©ƒâ‰8Æõ˺#	§¶tp	±)Õy"S)Ç|ºYð±QÛõò‰~Þ¯Vþœ«#Ǽ',W붙wc9ž×ÝzY>Uó䘥Î,x?�™/[êa«ã–:´Â=ºEïMjE’pß_œÔ7:œttr6ùÓùxÒº;ʺön¯ÊkãÖf#êŒÔo¾Ïé0~t•œ1øåŠ[o×Ç™
z§Á8�`ö Õ˜í[á¾½÷Ž2ûK“?iœÙÃIëfˆ§wjRH@ŽKPr«q%Çtø’SsÅš›£?ok*̉ú{š,
 ¼úÕyÁçTqÁßw¿páúò
—@Ë“˜‘+@õ¤ðÆàÀIóÄJ¡½iqƼå
”
/û¡\Öóáfœz+è^ˆ,«7Nõ5fXö–…:¹@-äÈÇ<–wœQk«­ü8ó±^2’]WðE«‘[Diß®ÙdµlŽJ†º1=Jª
+·¼žn
°õw£Ð‚¸Š'ª(×ë
+Tã„Eg¸-œñâ´i
+–ü�ü5r&1ÚúnY‡ƒ@¨Rí�áßO�â¸B˜JƒŒC-B
+<yuWèÁ¨¼’ôÙ²tG
+ÅßE&.¯¨Lj	MݱÀAA¥¤ªš›·€$6õ|î08üFÆa�>ªVÐ")dêw5�Åõ*×éX¯b–Y餰ÂÃJÚA|B¼f2o™ýªÉ Ã2½p{ 30ØÁÙ‚ms¦ÀþK3>ù’íåÛë=ûõ¶êêv3^ÜÃ7|ùv¯çË·ﯯ^ßDû&AüöN5j¹
+£½;˜Æà*Ì4¸Ý[.ˆ0@1>U]Äöç
+PEqÂöÃÒt8�L>xu¶æáoËøJ3µs®$Uó®¼tÊæ%~„ÆD 3"ƒçØõQîúŽ(ˆªðË!ÃÌ+$\LÑ+ø*isµçtISô�Á²Š‰]
+bç¥ó®^V¢î›[ˆ3SaæÖj¯ˆax'lTôe
áZÓ¡¤O³]¹(nC?�g€/ì‰X °Z錯«YS@ËšŠg|]"Ç‘ΞÔ=£ðH¼Ûl°=éív9'ú-›u
+!g(=¢Íå:.=ÂD°î{Ë
×ìb`½~X§nðÝT8NÔÔ°MÕÉx:ÚͶ£˜x¸ìY»ZA7EFú�±câ�L	p»0›WIJü!PSÂ� ðZ3íz¨ô�
+–ÁMÐþQôAåGÖ)ÆøÝ’Ö(:r÷#ÆƉ75v:_Ç/¼sº­*FÓ`aPÃï·»(i~ºÌC³çŽv¼B§ÕŒ�û¡X;ŒO|Ázâ‹K#ý¿eŠpŽS÷[¤پKå]³¸óÌa‚É>ê¼D.½v8„aÛs*X‚â%I±ÄðIÉtÒoʦÃýcJÒ%[£;4)º„
+¼aíô�¸�š\íË(YóÐ!ÿNËi¹–3=ô«¤Y$Lƒ2�À0Þƒi
+endobj
+1738 0 obj <<
+/Type /Page
+/Contents 1739 0 R
+/Resources 1737 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1592 0 R
 >> endobj
-1261 0 obj <<
-/D [1229 0 R /XYZ 85.0394 377.9399 null]
+1740 0 obj <<
+/D [1738 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1262 0 obj <<
-/D [1229 0 R /XYZ 85.0394 374.4276 null]
+1741 0 obj <<
+/D [1738 0 R /XYZ 56.6929 752.2728 null]
 >> endobj
-1263 0 obj <<
-/D [1229 0 R /XYZ 85.0394 359.7228 null]
+1742 0 obj <<
+/D [1738 0 R /XYZ 56.6929 504.0748 null]
 >> endobj
-1264 0 obj <<
-/D [1229 0 R /XYZ 85.0394 355.8757 null]
+1737 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F48 880 0 R /F53 957 0 R /F11 1293 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1265 0 obj <<
-/D [1229 0 R /XYZ 85.0394 331.806 null]
+1745 0 obj <<
+/Length 2766      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZQoÛ8~ϯð£‚ݨ¤HJâ
û�6Ù"‹nšÝ¤ÀÚ<(–ì±¥¬%'çCIQ²$îjz8ä?~œÒ¡ÿè"!a’/ÉCA¨X,·gd±†¾ÏgÔè\X¥_ëãÃÙ‡_Y²�¡Œ£xñ°òæJC’¦tñ�.ïî®o¯nþ:¿ˆ	>†ç‚�à÷ËÛo—_Pvw.£àòóõ=|�‰@‰*µ˜W7ŸÏ~;»~pÎøS”'Ÿ}$‹üþ팄L¦bñ_HH¥ŒÛ3.X(8cV²9»?ûÃMèõê¡c
+€¢P”�P¦RÂdjµ"TòѤ2$2eFG-vd"2‘XõñT¶>Žc«Ö‚WÛ¢jô·¬p“Þ�<”„›!U¶Ø–uµ™v;�-7ª¡sÓÁ´Z\Dø•¤pˆ8
cB¼?¾]ÿy.DðOtäëÝÃÍ×Ûû‘uèQ&’r=./×c€%!�hbüè6¦Pë¤@õ‘Õ~û¤		¢z…2Eý¶e]™!ïÏå9
–Ïf‚•šrU,[üŽ”Ñ{f—•<—vЦ®_ö¯Ö픵Íòˆ5“ijg”
ê5û
l’bÝ…]œ!584¯›ì€Œ&qp_oÕx–âÂX¢&lŒ¨)ZÓ·Ã>cʲ5¶ŸJMPÒ+bÖ3ÖA}Ϭ`wžð@N‚ÆÙÏ‹¶ØmËÊ|µxÀ à3
+j�D@¤FÁ
+IJ²Ô‚ª‹Â[dÛÎ60wU¬UÀÖÓ;à[‘UÛAªùª½Ð9$Df]_Q­‡ŸÆ%")8Gé€ç
î' ¼e›½
+YŒ2혒¹ ¤„›ò¥@±öQ7,¯U¿:;˜Üá2Q0°ã9{\Õ»íyh&)†<¸ŽüíÛœ)ã4Ž\
+°†Ñ.ž½|™�'‚÷ãXsձĭÿÇQéCB" ¬1
+¬ñZÍ(]øZºRáéH¥â´ô*¿Wõc»|¦¨“–�Ö±é
ó8t`û[£±âÁ÷¼ÆFU·Ø€ŠåQµàÀ|ºCÑûsQaKC«Ù©Çd[3
–�®7™Ý	qq•ANÁ/O¢¬÷;üZ6øÙÖÎ.šývug¸žK18ÒûjS4vë*ü¼üë×?MP6ÁûÆIlÐT…GãÇ_èhº°^š©læ€æ2kLÏðCã¡{êªÂ´ÒŸ‹½)E,$‘ˆOðÈÓšá‘Õr<z[Ñ(‚ýN#1oØi[ЈÝXÚ7�4‚LŒ4‚ÒˆK#n`S
C#N}©1H#•Ð;¥0PWÇJžm ÄT:VjµCÕfÿÂvk­è <
Yê*Pÿ¤
s
#"©Q,MÔä
e¢6¼Ïdò•åÛS¶|yϺ̥I²}ÍÚò©Ü”íáœRªâ£O‡ÒøEüm©þ·…
+ÝBSsUT
xž6Æ^g¨·3&D.!Ecx‡Þ>VÔÞ½BeÂeÀúû“²
ó»	nA±(Y<Vê›$^øçj
8U“gŠAlI ÌŸ)_kúL9-&»UŒ†ÉYã]˜<²>&{æujV!I§f�bjVLͪe.²·£ªwTõä…¢u…Db.ˆ£#Íjª0ø4ŒÆyú´UÝ£´…œm!eÍ%otç'è…
'´»mÅ?¬æòÙËÆ=„ƒÀ+ï@S發°
+܃¦¾PB,ñrì*vý<5
1QOÔòÄžÖÄVËA<š02!|ÞºÓ:6ßÇ7¦a"hÒ·UØ׉¬»¯´(RlÓøPÕÕaÛ“#W]£HúEò8‹,zQ…PÃœ€Øך†Øi9ÛYVW›Ãd¬œ5ÞÅÊ#ëã±²gj�fðr§Jë,ëjs÷ZéÝ�2Þ1±ÄŸ‚ÂìtžÖtV˃nµÉÖÓÐÍ÷ ZŸ€Î7ùÓ-–°H÷Â?Øñ�­L	&ü'þQPIÆ‘8ª§5ªÕê¼ËçA�3î�:´>
ªoka!̵ZØ×�4Eûˆ"¬wAty…•ã²=ˆ«¶\bWžµ™Êu¨ðTšItq*„�‚÷|Gܼà@N.ìX÷ΆžªÝ°ïYWxÐÈf®:úr›Ù×gH ÝC§ú¢‰ &ÓÎ�¤wgSÕ¨ˆ
L8%ü=»“àioºqaÐÈÌõ¥5ZÐ�Ç=5\�7¯ë1ÏGÚ±¦ÿ“ÁÉG
õ°)Ú¢‚jx’ÃTDaš&'ît¾Ö4‡�–ãðržÃ³Æ;Yçpϼæ0°ÀTÐÀŠ ¥†Ãª…Ÿ®ðSqxù\,_°
+›ÉÂYÃÝá‘åñžé+üÉpª84¿(>ê§/—÷÷öA¶¨¼ßá\‘ètMmä~™
+endobj
+1744 0 obj <<
+/Type /Page
+/Contents 1745 0 R
+/Resources 1743 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1748 0 R
 >> endobj
-1266 0 obj <<
-/D [1229 0 R /XYZ 85.0394 325.3687 null]
+1746 0 obj <<
+/D [1744 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1267 0 obj <<
-/D [1229 0 R /XYZ 85.0394 265.8487 null]
+1747 0 obj <<
+/D [1744 0 R /XYZ 85.0394 695.9587 null]
 >> endobj
-1268 0 obj <<
-/D [1229 0 R /XYZ 85.0394 265.8487 null]
+1743 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R /F48 880 0 R /F53 957 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1269 0 obj <<
-/D [1229 0 R /XYZ 85.0394 265.8487 null]
+1751 0 obj <<
+/Length 2849      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[oܺ~÷¯ØGITR¤(©@$=ÈA{êž8h�ÄòŠ¶…h¥ÍJÃùõrHŠÔmO[ìƒ(rÄÎ|s!¹tGàGw©ˆE‘»¬àqJhºÛ®ÈîÆ~¹¢†æ�%zãS½»½úÓ_Y¶+âB$bwûàÍ•Ç$Ïéî¶ú½‹i|
3�èýÇ_®ß$"%IôöææÃoï?þÞS$@@Hô÷·¿}~û7컹.€ì—Ÿ®ïn½úpë„ñ¦„)I¾_}¹#»
+äþõŠÄ¬ÈÓÝ3¼�˜E²;\ñ”Å)gÌö4WŸ®þé&ôFõ§K
+ài§	»7ŒÇ9ð_V�3J�(K‹X°„95ñ|IM–J©éÕ—¶»;ÉýùÔËé’i’Ç<aÞKÜÕœ=4Gö”±˜“4	ùß*}w���¼~Ãr
Oº‘D½†kÕí#¾w

�~�ϯ$%§kšGzu×"}%û»+  H{_بÛ	»ïgyz¹¦”F
+¢ž‚
+tú!Ofš
+m[ ¨†3ŠHŒ¡ÓI«ßz¹_´c«ZÅQj�CÓœ¼Â<¥¡uõ#´µ=„Ý
çS‹õ?/´ï­×,ÿuÕê	¯Á³_,ÂÊ Â¯C‚¨�OÆ/@£ڀ„¥r�«µð¢#�¼(Ø6sG5ç>‰ðYÌaW²ïgÕ¹Ÿš¤{·±´jór9�¹æ
+ã�gß Ý×ë†I2ÖèBØô©Ö
ã¨F؃Þù¦‚iVÐmþŽj.@hðQ&%mím¸µ
lÃÝ11‰F‘õëhV y8š‡/™‡dÆ<Ü77æáÆ<<8ZÞ6lYó"¿J}ª
óXªÑ<UU«Õ•ÍÜ>B]´dÛ8ª¹¡}@Rµï$ðÌ#¬y„5�Ìch ÛY¿�öáÂØG }Ä’}
+káÛGûcŸÌÙGSQÄË'…цÑh
›?Â/œÊûTëFsT£Ñšfõˆn“óxD7c½|Dðþ$M¤±ûF–¦©DšG�¯„°òq½b£‚ÇD\8Íðˆ6”dˆðê°>È¿Ü®”k[<mµ6e¹\¬ù<A7æŠqZ‘’¢Sç�ª/uÔM,¾›T¯?è–.CÁO²"±Ç·¹j1C
+ïý_’3Sàæ¹:F[
+endobj
+1750 0 obj <<
+/Type /Page
+/Contents 1751 0 R
+/Resources 1749 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1748 0 R
 >> endobj
-1270 0 obj <<
-/D [1229 0 R /XYZ 85.0394 262.3364 null]
+1752 0 obj <<
+/D [1750 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1271 0 obj <<
-/D [1229 0 R /XYZ 85.0394 236.8919 null]
+1749 0 obj <<
+/Font << /F37 743 0 R /F48 880 0 R /F23 678 0 R /F21 654 0 R /F53 957 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1272 0 obj <<
-/D [1229 0 R /XYZ 85.0394 231.8294 null]
+1755 0 obj <<
+/Length 3318      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZÝsÛ6÷_¡™¾ÐÓ
+!¾HâfòàÔNÎmš¸µÓ»›¶”HÛœR¤*’NÜ¿þv±
+–D!_לp¬…°æ2f‰â¼oóö|)e´�95ªn³ÊwØŽ‚úžÆP>O–º	�é“›ÑÖôL·Ûüœ鎺E…zõV¥¡aQ¢ÈŽì«t“ÕHV3EÜÁúÓ…¸`¡’Žârf
äÊÜ×^¨v(s¬ÜÖuÕì›'Až¹ý¬šºìÚœáê‹¥H"&Ç#çÌh-ìÊwöÜ4œQ~ŸveK�§´ìÜxÑÐÓ�œ¥ü5EeÙ@·k
+8µêÁ“¹y•;th6mÚ曼róýÁJ3<²D1
Ør~•·ëW»6ðÄ`o÷s¤Y¤¸?Âo`íDöœ€w¬
+ªšÎ@Æ@[��UmE…Ý8iq¤po¶0Lj‘^ƒž+¥‚
+�…·ã–­Ú|·¥‘�ÒR¸…h¸LÛâ)§7ÕžKZ9êÏEYÒÐÊ‚NÂm‹ÌW“Çõ£]Ì•…6à
+ìÓÞ6²z“UC�²hZ?eH9½5',᱇)r\?ÎÜ•L\ƒ×�bf)f@û•Hž£+yÕÊ
+:ªµ;)xº¸ŒG2ú«àbKîÌeKPÓ(9mS‡TÇmjOemꪻoŠ?ó×o&VU)8r@îIÞ=Õ”ùت*Ãbé1wkU…×fl|º¼¡À°IÜ(‰Ço±ŽŠc+
+Òì)ßµEC0²F-6¯.?܆nù9Ë(¢]°Ë›™Û
�&cO°znó†¡Éãdͬ˜é—bÓm¨ƒCêÏ5S±6cõß•£��ÝBCMôøl72Ú/ô÷
�Hk©Ý¸UQh„ô ²fK8-ŸÏ9ç
Šlâàg!ÐÜz®]‹–|Ä:	ƒ]
+çÇ-/è�ÛvÝUYžÍ™�nKŠáu?«?;�‡Gs·»,ô@.ŽåÂ逅�·©[áOò85õœA‚Ö:í§�)=ðÖ©õG—ïžÝBnâÊÑ’Y=¦k<aBJó‚®
¨N蚧²º–gUóú«‰¢‰ˆ
õiÆ=Õ”óAø‚öM&cÖ·
+DŠðA'�8¤:ÄžÊîë—ªþmAXQU>Ác”°lëiþ=ÕT€1ÁÞÇadÆÜì
+Œ{”HÜ9­kûÌ,‹ßsjÙóÄÆíÇlÄó0|ÀgJ8ÚUݸ™v§K»UÛ‡èd“:îJaë±Û¤Õ’P�ÌQhÆö�ø¦Yº*q¡�C0¼Áø
�Bir
+8Þ‡¸ØAê cCbë¶Cyº~¤ÁñžhÕ©Rê¢c#Æ"À½@ ª¤é—½O×p›
+7õ×P‡—áN}t�ÜDûÙoîæd¡;Wš%"ác×7IãÓ,+Zˆ]zåÆŒ£®¦.e‰QÌÒ„’ò“0ØÓ�£é!ÐëÇ´™	r‹a…|=É!ßñõC#‡Œ¿µ—‚
+QB`ÒúP¥m׫£ÀŠ	CPÁc#f\™¡¡×èomÃÆ­«o›mQZåêcl-/gªÀ*L©{|©
+,À§%É|
xÙ¯wò@ÜPŠá�Ü^¿ûöŸ·WÇoânðK/Ýÿ€ê<•Å@»ë°Æ´ü=~ýü™à ‰X¤yZ„žj*Ã
†³Hšh,„M¾°”™[u·©
+>p¨Ì©�F°àTtgwž•Ç°ò»Éhñ¹r3»ÆÓX<ÌT<¥bÚôµ³¯‡*q ¿†¸¢š¾µ°ì•�R‘
 ùû«ÿø
+'\Kb"†Ã8ÖºØÆ8ýò†¢h}Îï+ز>f5�Àº3¼F›b\,#Àš5ý¡fsq«Á´|)nõ‰ž¯pÆAY׿ƒûÙê¡Ž!ï?[à@ŒÁ¿9NB0Æ~ØÅÙÊ4ÅÂËüòªF°ˆ÷¹ª5ÑÆWÒ@þ5Y—ÑHPÞ\Â\JSõŽÜ9롹>¼Š;e'>Œ/x`§tèí´f픈ф*³
+0-1—ñžóÿd­D.?2/-CªãÖª§ê=V[omålµDg„ê4÷žjÊþÀmqk�ùÿ�	Å cr)¢NÌL�˜qNŒH·ùÃ?z‘Ò6D/]A†ž°~”¶¶ø
¾ObJ†^g1cI¨ã±�ùk@ãXÝÁëÖ˜Ä)ý÷�æW\—œ
ê¶zÏy4kÀú-ÞcFƒÑ�6îaàJèŠ~øôs¤»ë›÷W´Õ?]ýt}u;c BD
Ktlö_à$}o®?\bˆŠÍ¶´_¢RÄ)[”žšUÌ’u$ø‹õ
+'õL-׉,±^ÜË¿6è–¶ÞìjŠYN¯ðíÒŽÈ`´Û–nœ¬�° A@pE×éÚxÛ¶©§„/؃A2GE„í.gËÓî,•r>@{ †>@»d
ÖJ‚- èïÞûëTj
+endobj
+1754 0 obj <<
+/Type /Page
+/Contents 1755 0 R
+/Resources 1753 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1748 0 R
 >> endobj
-1273 0 obj <<
-/D [1229 0 R /XYZ 85.0394 205.1097 null]
+1756 0 obj <<
+/D [1754 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1274 0 obj <<
-/D [1229 0 R /XYZ 85.0394 201.3224 null]
+1757 0 obj <<
+/D [1754 0 R /XYZ 85.0394 204.5196 null]
 >> endobj
-1275 0 obj <<
-/D [1229 0 R /XYZ 85.0394 141.7069 null]
+1753 0 obj <<
+/Font << /F37 743 0 R /F48 880 0 R /F23 678 0 R /F53 957 0 R /F39 858 0 R /F21 654 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1276 0 obj <<
-/D [1229 0 R /XYZ 85.0394 141.7069 null]
+1760 0 obj <<
+/Length 2180      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ÛrÛÊíÝ_¡‡Î”š­÷Æ[ßœØÉÑ™Û�”9í$y IÊâ„E¤ì£vúï»4%Ñ£t:| ‹Åb
,.+&>1ñÄ2ž„±f>þ$­.øäæ>\K3sD³!ÕÛåÅå{Nb2˜,W^ãQ$&Ëì‹÷–I6Üûõn±œÎ¤Hî]ÝßßÜ^Ïÿ�c4@Á¹÷ûÕíç«�„»ŸÆÒ»úp³˜~[þvq³ì¥J,¸BQ~\|ùÆ'þÛg*ŽüÉ38q,'Õ…öóµRS^,.þÞ3Ìš¥£œIÈ1Äc*Ð!Â�T��ÓY
+C¦#Xs ºfÓ
˜Gñ¨É?Ø	$âÎ…~u])ÀE/31K6›²È3T¹”^Û¶['݈3G’ùQœWœâ“�ŽÆÞâ™PÔEW˜“ÃÀYñý«$³”d+
+	WÎèTBøõC:(ñ†Ü‚·	ÿ'·	‘ãQÜJk.ÿçÛä4Ö˱™¤f2ÂÈ£|‹XÚùõ-	°ø|÷iêûÞr<¸KŸÉ8hÕjÄ(1ÿóñ\E±39y›¼‡©€À[ÛÁ®(QÇÚ£ukB’˜€úÊ}fË·u‚N˜”Å¿L
+ÔeBž�_Zig±í4òvuûJ¸
r…Û÷ó�Ô[éû(¾^æ]z¹ÍÛ¦|bpÅW½FL„°?Òüåß¿Þý~óŸK¢nÓ1¸Û›,nnH
Wwçcüºi;Œ¶ãèZ‰ñ"Cd4@fuÛæéì{¾ÌëÁ¤ÙA[5@-¦{ý}zÿZ)¬4ˆXè÷tã
+–Duê÷íç‹óGßs±�6Ì>€í	Ó5

•é—r•
€T
�@3¥g
+Tú˜¨Æ{X
+�7tÀâõ¶§z9(6�_fÉ»¬¬·íòùé›C¥c¥§Â&A»Ôš–IÛŽö)ÌICÔ3¼aZŠß¹b�5Ý«üÂø˜á§ówÕC>Ú@LJ-Ž9vg9vûÍX¶‘
+¬Íõ1¿?Îò{NŠîU~ªçG-ZzŽË£/³jd—C�Veò8¶‹f:ŒN´ {(°U2G¥Á·Ñ *Lâ0h\ß,Þ}šß/çw·#ya$,Ž·�JGÃÒ/–4øk‹jƒéHÄQ'Í„©%Øä[€+S¬áØ\gì;$MC®ìëø×°&)KË�CÂzÿ¶<¤�M9z8?¿·rfÅ@ˆä­-tí�,IÕ1”OOEj1|~HL
¦¼?¨Klmk@
+­�;,Z[ymíŸç�ΰ½Çâ)¯ßŒ˜BB”àÚw>óš)$„Jß]nÓå¹]lí¸6e†
wU•˜Pû6¶„,½{<"…„ø¾xÜ1Û'¥>‹¼QF]'IÂ?Ší”Õɽêñ
+endobj
+1759 0 obj <<
+/Type /Page
+/Contents 1760 0 R
+/Resources 1758 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1748 0 R
 >> endobj
-1277 0 obj <<
-/D [1229 0 R /XYZ 85.0394 141.7069 null]
+1761 0 obj <<
+/D [1759 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1278 0 obj <<
-/D [1229 0 R /XYZ 85.0394 138.2901 null]
+1762 0 obj <<
+/D [1759 0 R /XYZ 56.6929 626.4701 null]
 >> endobj
-1279 0 obj <<
-/D [1229 0 R /XYZ 85.0394 114.2204 null]
+1763 0 obj <<
+/D [1759 0 R /XYZ 56.6929 517.4334 null]
 >> endobj
-1280 0 obj <<
-/D [1229 0 R /XYZ 85.0394 107.7831 null]
+1764 0 obj <<
+/D [1759 0 R /XYZ 56.6929 438.0429 null]
 >> endobj
-1281 0 obj <<
-/D [1229 0 R /XYZ 85.0394 93.0186 null]
+1765 0 obj <<
+/D [1759 0 R /XYZ 56.6929 376.8269 null]
 >> endobj
-1282 0 obj <<
-/D [1229 0 R /XYZ 85.0394 89.2313 null]
+610 0 obj <<
+/D [1759 0 R /XYZ 56.6929 339.1376 null]
 >> endobj
-1228 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F11 1157 0 R /F43 600 0 R /F77 703 0 R /F42 597 0 R /F56 618 0 R >>
+1766 0 obj <<
+/D [1759 0 R /XYZ 56.6929 306.6767 null]
+>> endobj
+1767 0 obj <<
+/D [1759 0 R /XYZ 56.6929 271.6646 null]
+>> endobj
+1768 0 obj <<
+/D [1759 0 R /XYZ 56.6929 207.5268 null]
+>> endobj
+1769 0 obj <<
+/D [1759 0 R /XYZ 56.6929 137.3205 null]
+>> endobj
+1758 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F21 654 0 R /F53 957 0 R /F47 874 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1286 0 obj <<
-/Length 2680      
+1772 0 obj <<
+/Length 4060      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Z[“Ú:~Ÿ_Á#T¯%ßÉÀ�ÉÉ\–™œs¶’<£
WŒMl3Éì¯ß–uA6²È©-Ð¥¥OîOÝjµ�F.üÐ(�0ÁÉ(J|'pQ0J÷Wîh}Ë+$d¦RhªK½¾ú×MˆG‰“„8=¿hsÅŽÇhô¼ù2ž9ž3�ÜñûÛ÷Ÿn–«Ùã‡ÿL¦8pÇ_ÝÀ�ÝÏyåéór¹xz^ˆêj1›ßÞ/AM¦Q˜¸ãÙããâ~~û7Y]Õz½xš|{þxµxVËÖ
¹[ó�«/ßÜÑžðã•ëxIŒ~BÅuP’àÑþÊ<'ð=O¶äWOWÿVj½íP“ª”ÌÔó�ð/(4HœÐÞR¨ï™*¥˜B¿¬n®±àoýçEt�ôIÏ •Ô9vjØGN€£.öl2õP0žß?±‚?^­xÃKYñÂÓ�¦ÙË[Vly½ÙQ.ù©LI“•o._„8­^³”Ö{–ÞÃc7q�‡1,›A¿ƒjig#—Ç|]‘bSÓ‚@™÷<NNÆBìÏIŒ³_ÃÒ¦\ÓŠÁ�¦
-aŠ�“
n�€øÐÜK†à8¼Àª&eaUJ)VQèYXµAk¬ö±Í¬êØŸkÎÆ‚/(Ü
­
-Úð'œõ—¢!«›*[!~wû÷bÅ‹×e
ÛaO
-1v™—k’óòl³©&(ÓºãÈáÀÀÏé÷üÄñ4�è÷¹Õ·åSΡëp˜—iºËÊwÜU|$Å‘To¼ôƃô†ÐâNP&W
-iÜÆÃÜÚpOÔö��ÌêÀ+Z—ù‘›öÂÖì°�?£ˆ72¡cËJJyËí†MöÕu1­jÞtä[„
n·k›—{’‰™ïÉžòº¡{¡®çDq Š½d¼rÄd¤ÈhΧhM™5Þ9‚d9´Cò%yË’,ª(Ž†)cØùÈ»À±&e!YJ)–±çZX¶Ak4÷±Í<ëØP±»¿Ò)¶BsšÓ­p»í™JÓ²Úðrë²Y�óɤïŸ´¡8p°§³Æ&rÄ!Ü|ÏŠº,D³ô®]`B<RĽ€ßý¹aíEŠ\þ­�a9ýúÊ”3âÔ
à„.œµº”…S)%9EÈENmЧ}l3§:¶ÒÇ¢HË
7?¨µ6ÿ÷´ùYVßE̯îiï
Ô'¨xž$xüv
-Þ¿²³C•å’ó8´¼ � #;KºÔ0KJêĶœ�VèKgØF–:Ø+úã˜ñ3m^³î×éeµe-%¦Rw‡<K5Uô=‡²jLŒ�Õ$�“‘É¿¯¸m³!ÚH
7âºñÓÑ¥,¤H)EJ�XLÇ
-­‘ÒÇ6“¢c«“I˜†Ð(?™x¹©ŽiÃ�=ÚÓ¼æ5
î0	œ0òü®ò?
-ãx‚i.ï?UwÊúÃ4°0&H.Ù†&e¡AJ©SÉC‘…´FCÛLƒŽ}�“ºÎÛX¯µ…ûél>_9³÷.³ßQ7<TÔSö¡ìE¶)¨tBKѸl.[Ý—eó®Çnϳ�®fÊâ�#Œ=oäaZµ�Tîƒñ}ïB¨©K
®¤NvçY·BŸ?Ã6ÞÁ¾.÷{éÈ”.æ¤!¼t“傸#°ðr{¬4×·¨8gUmC"Ç}ßrL½§´'Áˆ7h|~9qr‰Š“�…	!¤ˆH�åžnÃÕxè
›iЀ�,¨IòžAüs.0ǸËÅ\Ò@`läË溮&ñ¸s
¾_ûà?<?¼p¿Ö¥,dH©SÖY¢s+´FGÛ̇Ž}¦ûë*ƒ° #½`aîêìТÕ+ÜÂL	Aä†àß�dœFŠB�¿çýúc¡És�(‰Ñš4)MRêt‰B‰…&´FSÛL“Žý¹¦Ý[Ï,ÏHMû±]'·e²àêïD¸ï»îÈ>Ë›³øO^±þb¶TeÛ]ó/Y^QjtO(íR
-Y«Yëó!4.EGSÊ’õͪuÖT­«ã½•B˜5"afô¨pº¹ºCõ`N¶Ø,«²¦Åš÷¢ýŽ¼‰ü¥ÕO_Ÿtì]Šöu)�RJÑ!ËÌ
-­ÑØÇ6Ó¨cBʼo §„®�Û­9Ï÷mPbß8gŽtÉ{"Óˆ÷å+Ýë–7ÎM`ñI|AÏš”EÏRê¤çÄf.6hMÏ}l³žul¥Ny5íjûSI62ÈI‘¨Ûó!vèç“ž™““ñC•ÕiiÊ-ÀÕkPá®ë øRVO—²(\J�$ß7X¡5…÷±Í
-×±Åé\�r©Ù:;ÛåÆËî,ÏåSäàA9èr𠢂�Éq»#ÅÐÆήâ±·E6¾.5̃’:Ýcý`˜+ô‰‡3l#lu&„¾Ì´±"㸤x;	ðÒŠ%Éè+pgJ#`Ç�ãHóø‰×¦ØÈ?rZÀÙÔ¶be¬ç/FN™¿ˆ
j	KÑÿ°…ûöú­õˆb¸:.fÿ¼~‚ä@Àx!ÎÓ¥,tJ©�¶—˜Vh�Î>¶™N{¦î=¯ì=‡Œ¼n¤A‰° gzzŠµ6[žñd‡3Æý®­1¶.ä<ö&«t#»u]æ´é'³>Ùþ�·¹Iç-~Á}$c-òÙV«ÁÀűƒ.ùUMh˜)¤…úm¸'öûÀFòu`~†áPOªcñbþ—´ÜVä°ËÒV5ÐòÉâECìÄA�è/´ÐøÚáo¿BÓ<=mÀ�!*LwÇü¿T´>	ùÇœfMAÕÕº8‰Ð72p°nÊ"{'ìYâwìy J9ÛEìK¯ŸÀbkàɹn?u=¯ÈKcÚà.³A'öSk£â@Ž‚²ß~ìq;¯ù¬“¨ì+Txº
,aºacx#»^qŽ`ü¦L�2ÅóOØ?Iý]äE
ñ¥•ðw ¤þÎ…oJñÆ4ë#èÝQî%Ý®6Å�ß�Çí!Eìõ5-RÞšð{´‡ªŸß& p[ Ûg¿@cÝ�m{†@¹ýFnè+ÍË{>XQ˜ ñ­4[–ƒie”¾ØÀ”´ïu™M³jÁ2-tÙ}îòøÈ-Ÿ�m*ØdÀ/´î,òÆ2÷™Á‘Åv`,ÝHÔÞ�Þ¸T½+�¹hmQYaMùÿ�cÉÝ¶îÚÒL4ù­~ZÄBLÖ~(�óF�_¨‘9fòiZî§&~ìµ1›¹ãõÿç;
-$sž®’¤Q"Bø´	¡ò"=¶çj^m—ÿœEðâÓ‡Éñ.®D(ìÈ«˜„ð¿<{¡5,�×ÚÝ
-ÿuö‹öeÑìÄXØïr‰?ÁõìL*Vè+nÓÝÌçÇ®TÆʇÍéf¿~S/T3á`ûìJ‘W2Ô�þb2¸_W¹‘ÿûƒ*-U9^<tã„›.0‰XÓGìž­¹öBlXúÿ
+xÚÍ[ÝsÛ8’÷_á·“«"†
+6Τ U!¢LkIBÚ6}µ!�ø܇/Ô,ë¶+r¦#{øtìaÃ3å^Æ´–~T%|¾ñC7*q#U•ù=x[të·‡¢mª—hÝÔO3üÃ"ÓD(þ Â×K¥d¤l¬¯—Æ�î?Ÿ§S
+ØõÔx)-ó™9D%‰¶Üå×XÇyUÁCðR�fðªx¥Åç¾|É+§NF�Gוõó ¸†RPÖ8,iùr‘£1yÍòÍÛßp¢S½°2Jȯ«…‘ÕÆOà¹ßå¿ñVç'ª´áËžûÜÞÿÏ�"l
+Œ™&™�nÊ߶˜Pg¤‘¤°“Ò3²|7'Ðs#’#aà�ÎáÙ·ÅæÍŒ(@Ò±Tâ‚(d”ØÄwz-«ŠÍ»®Øí;f¾Á§\lÊv_å_†¹ÆÃ/·Ô û^7î¹aîž@ã_MÍ"ÐSD*n˜3lXK@¯'7C³cV=Ï,c°úÆ„µ{«§Íðö©d²ÈûnÛÊ.ïÊ—‚H~ô`ÕH&þ¡á€Èµp%è4”rVçh88}M¸6Œ—LÇ#øÔ‹MñkËÚ3´úâgá�î¨ß±Pq�ñΈ3§¸Ô›~<5½7—'X
Íh
<Ø7áHf¼–,×óz*“ìXM•p¨z¸±‹~ÝáÒÁ¾!ƒCJN„Ý¢¡�–w#_è—“(<×UÞ¶s*$âÈàvÓä£nSÊ"kâj	Ë-™«uÎ¯
+z¢]M®šæ·~O´?mÙl˜Áé�4:²"–Óíy·Í›¶.x‹ˆ;×dØô®±.ÆÔ°áêvLŠ†¯7ÅSÞW§ƒyl¾»§'ù]ݘÑüh³guVVMëF‡8 ïö}GmÑ,ž‹º8äìÚjê)Ö/´6â"îfÒ°qàˆCž
G¥à.¼Òmæ=…©WºÃœâ”J§Ü
"NÜÍ 
Ô„ˆ¶š÷
x~mXdîî92@3r“ì$$à}œ¢“ë‰^&1‹mŽ`$:èd´=aÝK¹q
+á â8f»šg[Št
+¹õÈåØ
+û§âã`]dvÑî‹u‰A/ä§à+!@ž‚äY[ú�þûß}|I‰2Ú™‚;ù;ö~·Ëظû˜Fw÷�ôcÓìò²¦®9>„_¾CÊ
AèD»JÎ:>}x',Ó×<±w¿>™è=  '·Ÿ¨îð’—qgÁ,—÷ó—2ú$äJæaÔ$>œRÝïV.¥¢‹§€¶i†n.¶¹ GCŸ@Íâ³Ú£
+›-d•EÜp³i¾6Qb¤þ¿¦ùoºÂ”‚åMY7óL-Y‘µŠDcSMfŽ¥eGe}кàæS‹{Ø9~ép˵žŠW‚{ËÚ‚­!ÈÁ
1ÆäÑØñ‘•áK"Wœe!¥f!ÜuÓ9x“–�
+žmAspÄ€Œ4?Mᓽ£\ˆl}¾"s\ÏñsLk:-\»dÀ圭ì€
Ø86ÿnesáDžâX€D¾Áìä@?ÉŠåâ/?b…-ñ¾¡;”EK¶3éÒ+xThÑœÁÀOJx AfÎk›×Ïdo’u
+à‰é�G€O?áWˆº‰2Z¤Ï©$$-"IOb[*cÁcÈ8^¬Ð
#É¡^ì÷)A}¡I
+e*‚(î(MÁrŸÉP?È8 ]Ï2�qGɊᇋ#”�Åï{ôÔþ[UÂsP�€ ÛN{u[W8�Cc;*®"¹o{Hʾ̅ Ô
2×C^e
™9$Á‡H³ÉÁ(“Ø<ÝÍ$‹â4½\äWÂcvïr(•B‡Øp)[Aøðšå€Îês¢‰£DÆ!Qy<s„!ìÉFì+n2—ÀÓ%Nø.§ß�ï˜G¤jÜ^úÖϤM:…4M¦Fí¬žÖ"°ÆeyôL²p+ÌüTY8‰É1
+سhGB¥—O¡â4LOhƒI”µ4>›ÒÝÇ—„HÞ7
ÑÉdß\&cä¹%ºó°P[¦ÿ�טúØFⵃtF±CiÔ¯ü{¶ZÛ$x•n^6•'°˜…rDIg#˜�vœ�’9eÎ!þ•îät.ö&ƒ“;`�^
+®0œÝ¸¸
]ñ<܇x¨y®ËÀáÿ‰.7Y¼»¿ýóû7DÆš !	d"i6TÉæ~¹ÅŽV.î~âÖŸÞãñ¯\ðO4BnBî‡xk>ýEšKÚí +ýI²åšP†zÙìq.¨øm«/ûm“x%?‚-7‹Û§–¦Î™¿|ÏÇûC	)#SQ’Êl^û²”·t™$Æù)™éqŽ’:HG"÷Z"Q�[zuTÏ|CP¿êýO<Ó||”,O&_=>O¢,ŽOw`ÌWW¤
+
+9‘TÙeUFO.P�_¥‘V&™Ê1 ¼¯
+÷ÆÎ�”‚a»R<¼Íé1�MÎXR!!³¥–3BƒÕ kî¿åîm—øL
�ŠäµC&‹ŸæüÝÊ64¿8ŠÉ¢ÀøŠzŽ»ò:\²É+|_UÍ«¯d­¾W²ö(œ,ý‡ãDc…"zæ*ö’Ói”À	©�;sN<ªAA'W<áVCÏ×Ü™¹â›ØÈéÁ5<ð“Ä£¨šìMÝêTt§0Õ%Jÿ¼åiÎdF22i€¹åßÎœ Øáeöà¯Ge&ļž&�à‡Ó4À÷yÿªM¤Ó`ßÀZ
+⤱Sû#
 
ër5ètJ…aÚ‚_Óõ
7†ƒì3÷|GK©³…N©DÙ¯)	ø@
Q•SË;kSöòæüm-‰4½œ•KNŒÙ?ÁàÅZÍÕ©ÉÓo™6õÁkAÕëÝ°¥,~¦ÊW‘±ÑC'6zË…�“¡]#§7ì ö`%ü�çÒ�áÛÔmŒÃü,Ž”5G×e|®üÕj!+ ýpü6nù~ß“(þ£õ—ý~/wýŽo
+�‡â—+#œ^±ú¦k¹»‹VÖ^ýY>'`ÓË·G«Û»ÆgŠ}›?‡sëÉõPTþ<{¯²!-&0Ôš»õ£4¤‹Z‡ãËÓ‘ ·á¨ˆX™¥ô98ìi¶˜EJ›P–Ä›AçnúÙñÙÚÜ¥~…çÖjî
+~|í5íß¾ð?ü=$+ Ä2Ü埮=N"¥2á™BÆE,ŽYpÊûÿª–³ßendstream
 endobj
-1285 0 obj <<
+1771 0 obj <<
 /Type /Page
-/Contents 1286 0 R
-/Resources 1284 0 R
+/Contents 1772 0 R
+/Resources 1770 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1283 0 R
+/Parent 1748 0 R
 >> endobj
-1287 0 obj <<
-/D [1285 0 R /XYZ 56.6929 794.5015 null]
+1773 0 obj <<
+/D [1771 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1288 0 obj <<
-/D [1285 0 R /XYZ 56.6929 769.5949 null]
+1770 0 obj <<
+/Font << /F37 743 0 R /F53 957 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R /F47 874 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1289 0 obj <<
-/D [1285 0 R /XYZ 56.6929 771.5874 null]
+1776 0 obj <<
+/Length 2189      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥X_oÛHϧðÛ)@5�¿’fq8ÀMÒ6»mš­½À²}Pä±#T–¼–œ^îÓ/g8R$g’8øAÔˆÃ!9ä�¤ÙŒÂ�ÍTBÍõ,Õ’(ÊԬ؞ÐÙ¾}8až'î™â1×»åÉÛ÷"�i¢žÌ–둬ŒÐ,c³åê&zG9	4:¿Z,.Îâß.þóáâê4f:S:š___\�_þû4æŠ3°R}ž_ý1ÿ„kקšGó‹ÓoË_O.–ƒZcÕV§¿Nn¾ÑÙ
+,øõ„
'Ì~À%Lk>ÛžH%ˆ’Bô+ÕÉâä÷Aàè«Ût£„‹„|ÁÙŒ1¢•âg(MÁ…sÆåùµøãúúË×S¥¢¥56‹‘#é,æ	ÉÓ¸kíy؈'#™¤°ZŽ»¦ír8#JÖ3å-ÎÒèÖ˜ÚRYt{(«”Ý.¢’°ô'U´¬;³¯ó®lê¼*ÿgVøiÕlóÒ©ó­
V†_ÚÃn×ì»7ðÆeTzéEî™ó¢0;¿˜×½´²ÝUùƒ×Ô±µe¸‡T@Ø
n+拳ËKàLÙ£@[%Zð£”h)^ó'4ISÏ”ïvûSP¥Ùí˼3ÕžQ4õ½Ùw­»Ë÷y
ÞÁWSͪ¬7øÖ¬Ã*"ukÖ�;À¿·¦v[�ÕŒBÄ•7Ó(ÎDG¸ë¯ƒi;\èûÌlráBkö÷N' ÿôþEX´Á¥‰¼�³^×höÖ˾3(ÜËLeù)’ÔF¤ûðÐþ±BæªünÆ*Á󰯑
¼
bשÚÇ™UCÆ™O§·mý.j¬óç^å¼mjˆ1!À:ˆ>ÊkÓ"§•ï."g\šråoØž}'œJµҳD' €Ô?(œè,ËÂpã±HÄͱnœ¦„g2}<Ùªx~¹˜¿ûtV©•’{SL}_âµÕ[Swè„û"÷¶2O!
—wÞyÎçΟÞçî¥lñ+ĉݴò«k\õ…‹Ñ
+ ,™ÞPâš•dŸ­é�øqX@/
+˜Ÿ€cã­QbR@ÄjÖ‡a^mš=ÔÊm ®”S¶OÌø6$-%Z�‡·PT¢dJ2N“^Týª(OÝÃ.$ÚhÉzµnâ" ŠŽfTzž¢ÊÛ6 	@4ˆŒü†^»‰Í@­¢ER%zÑë*ß„$KÈßAÇo8’e„)–Mç&Þ¼j€�T¨
w@»¨’'FÜ
Ô÷�Ú² (™ðÛwû¦kŠ>
W˜Ÿ³ÈŠd‰ê‹Ó£f»2÷aåªø±ÐöU¡m·7õz¼ŸV´È„¼ó³„M»“gïD¾UÙÊÜ›êgã¯~D»ã¢
+¨7)`�iZ�‰zS™ÂÍXRúY
ˆbÿ°ëšÍ>ßÝ•.
Jº
+Pµl`JA{$�Ü¥Ñ[|<¦�jP–€r°äžÝü›^ãH`ô
Á©Ì<#¸ÃŸw-ðÑCKð¸À¿5ˆ‰zt8¼À˜o‰¬ïMt$©N<#n}ƒk}×”
`«Ã‚Ñ* ¼à,b”ËGÁ“�–À§ù/”{$·‡ª+
`BáàR.‘$”Ç�ý†×Ryß«±ïá…å=j­zÇ?óŸ6´Ãö�è@®Ð¡¥ø¿ÿï~ü_&
+endobj
+1775 0 obj <<
+/Type /Page
+/Contents 1776 0 R
+/Resources 1774 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1748 0 R
 >> endobj
-1290 0 obj <<
-/D [1285 0 R /XYZ 56.6929 747.5177 null]
+1777 0 obj <<
+/D [1775 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1291 0 obj <<
-/D [1285 0 R /XYZ 56.6929 741.0838 null]
+1778 0 obj <<
+/D [1775 0 R /XYZ 56.6929 751.8114 null]
 >> endobj
-1292 0 obj <<
-/D [1285 0 R /XYZ 56.6929 714.364 null]
+1779 0 obj <<
+/D [1775 0 R /XYZ 56.6929 637.809 null]
 >> endobj
-1293 0 obj <<
-/D [1285 0 R /XYZ 56.6929 710.5801 null]
+1780 0 obj <<
+/D [1775 0 R /XYZ 56.6929 571.6272 null]
 >> endobj
-1294 0 obj <<
-/D [1285 0 R /XYZ 56.6929 683.8604 null]
+614 0 obj <<
+/D [1775 0 R /XYZ 56.6929 530.4875 null]
 >> endobj
-1295 0 obj <<
-/D [1285 0 R /XYZ 56.6929 680.0765 null]
+1781 0 obj <<
+/D [1775 0 R /XYZ 56.6929 492.9536 null]
 >> endobj
-1296 0 obj <<
-/D [1285 0 R /XYZ 56.6929 623.4385 null]
+1782 0 obj <<
+/D [1775 0 R /XYZ 56.6929 459.984 null]
 >> endobj
-1297 0 obj <<
-/D [1285 0 R /XYZ 56.6929 623.4385 null]
+1783 0 obj <<
+/D [1775 0 R /XYZ 56.6929 390.8804 null]
 >> endobj
-1298 0 obj <<
-/D [1285 0 R /XYZ 56.6929 623.4385 null]
+1784 0 obj <<
+/D [1775 0 R /XYZ 56.6929 303.7532 null]
 >> endobj
-1299 0 obj <<
-/D [1285 0 R /XYZ 56.6929 617.0603 null]
+1785 0 obj <<
+/D [1775 0 R /XYZ 56.6929 225.6163 null]
 >> endobj
-1300 0 obj <<
-/D [1285 0 R /XYZ 56.6929 602.2957 null]
+1774 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F53 957 0 R /F11 1293 0 R /F14 681 0 R /F55 965 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1301 0 obj <<
-/D [1285 0 R /XYZ 56.6929 598.5118 null]
+1788 0 obj <<
+/Length 2917      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[sÛ6~÷¯Ð£<�\y™}rçÒ´v6Rf·Ûö�–(›ŠTEÊÞô×ï98
+ …°ˆOßÞÍç·ofŸn}{wýÇ⧫ÛEGVHºà
+iúóê·?ød'øéŠ3«M^à�3‘¦r²¹ÒF1£•ò#åÕüêŸÝ‚Á¬}uˆÚ$ÌHMf
+{.;„�¾4ð$ðÿ+B}¸Ÿ/f·‚öönñqñ+Íh€‰ìhݬiêe‘µùŠž_à8Éh੶'=�pØOÃý)È.¿Îo¿àaexrÚÚ5:Ú5êv�„Gî›|w´MøïÂ�la4ÐäÔµ:и�w×dFËÌCŠªÉ«Yÿ@$–¦h‹çœ�x	gŠQ¬Q›Õy{
QãöÚ¡¬½.‡ì•3©ÀO’.K`㉱JÄI’ó”u¨
ÒzƪÀ¥i.ú´}¬VÅ„‡<Õ
+Œ0k}/§ˆ;rJì^Ö¶]Ñä²®Ú¬¨Šêñè-Rè4Oõ¾tè§ì9ïáä´éœ…_9�¦Ï“éÇ5�Uµ#Ê¢I¶3‰Z‹¾ˆi¥W6ˆ©¶ûñŽÚÂ=ƒN®ÆAI&“ä’"¨3ŠàQVNüqª˜R‰<¿¥
l
+bª©éoiY~ÌÁõf-	
+ž³ŠÚ/ó›_Þš×ÐÌ?ÜóøUÇ+÷5%Þ£Íÿ»Wµãìä‚Å ¡ìPgØéQ–�ë
»JY”(oVë2{<±*‘°HA?KW‡ ¬gUR±H@äëQ6ÏQacáô:}=�Ñ“s•¡0btYGèä •.Ý[6X†ÈC¡¥úFŠv+BñõªüN=�{¬Š¿IjÈÊ/J¢¾•}š"Ù[·n-æÅcÕéŒ:Gol’†RPÑcR¦t|AKBÔ¸–t(«%�ÃÙ
+Ê‘*
+endobj
+1787 0 obj <<
+/Type /Page
+/Contents 1788 0 R
+/Resources 1786 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1791 0 R
 >> endobj
-1302 0 obj <<
-/D [1285 0 R /XYZ 56.6929 583.8071 null]
+1789 0 obj <<
+/D [1787 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1303 0 obj <<
-/D [1285 0 R /XYZ 56.6929 579.9633 null]
+1790 0 obj <<
+/D [1787 0 R /XYZ 85.0394 181.7045 null]
 >> endobj
-1304 0 obj <<
-/D [1285 0 R /XYZ 56.6929 565.2586 null]
+1786 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F55 965 0 R /F23 678 0 R /F39 858 0 R /F14 681 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1305 0 obj <<
-/D [1285 0 R /XYZ 56.6929 561.4149 null]
+1794 0 obj <<
+/Length 1916      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XKwÛ¶ÞëWhqòiˆâE¸;ÅVRµ±ìk)ç´7ñ‚!‰-ŠH9U}H‰2¥§G
ƒá`æÃ` C?2Šªa¤8
+1	‡Ë|€‡kX{? Ž'h™‚S®·‹Á�ïX4TH	*†‹Õ‰,‰°”d¸H>�Þ"Ž®@ÝÌæóÉu0Ÿ¾Ÿýÿn6¹
+ˆŒH4ßßOf7Ó_¯b`fŒG·ãÙÇñK»¿Rt4~?™_=.~L�b§ÊÌŒV_Ÿñ0
~`Ä”‡_a‚QŠó

+9c-%Ìÿ랬6ŸzÁ Q&¨
Ê|h„
+	K�ÅF#
+CÚyýáãÍÄú@UǵÎuQÃ5ß``h#N¾
-Å!Zh·»ôyà©”`r/ǧðÂ,ÎÖåìÈÍ”Œª­^¦†{i—ÍPgIeÜXâÑ»Ætà+Ÿž¯È(-÷•ûN/÷ æ`¿²€ÅUYTo€"LZ%¶ª$¥vÔ¢¬-pè‰3à6ñ³¶¸­u¡wqf'n›Äζz—§U•–…Ï·%–PŠ"ÎÄE_Å’Pljßé1‹¾ãd8‰z'(P°%¶Ù‰5µñX3]èÍ :ä¹®wéÒL£‘.–»Ã¶³�Œã�6ÜûåÆ-¸M~º_·7á8!’!€ÔC\?ëÂÂZoÊýzÓŽÝ1l÷OY£
+÷™2ÒÂÞ©-!¶‘�ÁSZ›	ÄîùØR­š@±ðÅÚÈŒsæpMìæ\öî A8"Ü� þ3η™FË2÷h*B…¬å}cDóv»fYù5-ÖvK‘[8aík¹ÏKrìàÞ{�ü×£S@…@’­çôIQÁÍÀʵ9O
™(ˆíACx²ÿ
+29ÏbÃÙæýH÷­û<Ÿ¸ì7þ0¿»|«ºUº.Lv6¹XštéÎ…ŸÖjR"©Â¶äx;�ÝØ�”Û0ÉÓ"7‹ëæžéA¯´=�bé<í6.ö�[|HJD�iק
+ ØîÏ)eÌ$˜¿P½}}©ûߦ­¨endstream
+endobj
+1793 0 obj <<
+/Type /Page
+/Contents 1794 0 R
+/Resources 1792 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1791 0 R
 >> endobj
-1306 0 obj <<
-/D [1285 0 R /XYZ 56.6929 501.9076 null]
+1795 0 obj <<
+/D [1793 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1307 0 obj <<
-/D [1285 0 R /XYZ 56.6929 501.9076 null]
+1796 0 obj <<
+/D [1793 0 R /XYZ 56.6929 635.5323 null]
 >> endobj
-1308 0 obj <<
-/D [1285 0 R /XYZ 56.6929 501.9076 null]
+1797 0 obj <<
+/D [1793 0 R /XYZ 56.6929 476.3563 null]
 >> endobj
-1309 0 obj <<
-/D [1285 0 R /XYZ 56.6929 498.3987 null]
+1798 0 obj <<
+/D [1793 0 R /XYZ 56.6929 407.9215 null]
 >> endobj
-1310 0 obj <<
-/D [1285 0 R /XYZ 56.6929 483.694 null]
+618 0 obj <<
+/D [1793 0 R /XYZ 56.6929 365.2162 null]
 >> endobj
-1311 0 obj <<
-/D [1285 0 R /XYZ 56.6929 479.8502 null]
+1799 0 obj <<
+/D [1793 0 R /XYZ 56.6929 326.9947 null]
 >> endobj
-1312 0 obj <<
-/D [1285 0 R /XYZ 56.6929 465.0856 null]
+1800 0 obj <<
+/D [1793 0 R /XYZ 56.6929 293.3376 null]
 >> endobj
-1313 0 obj <<
-/D [1285 0 R /XYZ 56.6929 461.3017 null]
+1801 0 obj <<
+/D [1793 0 R /XYZ 56.6929 221.9809 null]
 >> endobj
-1314 0 obj <<
-/D [1285 0 R /XYZ 56.6929 446.5371 null]
+1802 0 obj <<
+/D [1793 0 R /XYZ 56.6929 108.6903 null]
 >> endobj
-1315 0 obj <<
-/D [1285 0 R /XYZ 56.6929 442.7532 null]
+1792 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R /F48 880 0 R /F47 874 0 R /F53 957 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1316 0 obj <<
-/D [1285 0 R /XYZ 56.6929 386.1153 null]
+1805 0 obj <<
+/Length 3193      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[wÛ6~÷¯ð#}±¸’D÷)mÜ4mâdk·»Ý¶´DÛl$Ò©8Þ_¿3˜
o¢¤œ³öƒÀÁ
+iÏ—›3q~}¯Ï$ó,ÓbÈõíÍÙ×ßëôÜÅ.QÉùÍÝ`®,Y&ÏoV¿G/?|¸¼zõæßeEôm|±°BDï^^ýòò-Ñ>\8½|}y}±�Y*S`2È–ˆèÕÕõõåw‹ë7¯¯þóþêòâÏ›Ï.o:Á†ÂK¡Qª¿Ï~ÿSœ¯`?ž‰X»Ìž?Áƒˆ¥sê|sf¬Ž­Ñ:PÖg×gÿì&ôú¡sÊ°:‹m¦Òm(y.eì¬U#uX'Zi¯Ž÷nÞ¼¿ºÞÛ‰ˆ…�¥JÄN¥jÞÌ´r……g̸pÝE>]ÒéXëL_20Í,©K‚Áµtv¼ä¯RʨؖwÏdè|½¦Æ}QÛ¼-VôØ”÷UÞî¶2‹Š&>¤›$sq& qT7C®Ãºé¸¼n–¸ä×ß[;à”"Vl+<Ër�7ÍT0©l,m–—¬ãšm¨C©Á%��cÙ®‹eù‡ªhHYíCA
ˆ
j�l¾YßM˜þ[WÅa…Ú,†ÅN)tÀuD¡�Ë+ôãœBeœ9«Y¡‹ç=uJgIj�ËÕqÍ6R§-4ÎP²›'"r´¼½Xh%£¦ÓðŠ(šoä
ÿŽèÊûkYÝO¸�Xo;r^=Oúa	�ß7ˆlJG7%Ï^?¶e]Q{“ó·Å¾p .ÈØ	•¡g`S›Ýº-×lò¶Ü"iãDwÂæ®#6\Þæë›»¼?e“¯êM^V{V·Z$Ç%ë¸fDȦËöšñ”4§Jlôê-ž;¿­)Z¢‚€Ä´Z•d¤¶5Q)® á­Š=+ ºü
Z’ÇV+^⺛í®-Ú½ >Ö†ïGW@ZþøXT«`jÀ
‘X7¶µ—dáU¾)?ùù²ö¿«Ã>aS§žH�ûÄ�ë°Ot\Þ'V'q`Un‹e[o÷ÑÀŠ8…“ø¨p�iF¸‘WX§Òè±toëú#)êTäÕn0Ê
+�™WhÆPì+7ÜùôPT#~=J$�þóÏP)PsßH@¼†‡~Ê×%f¡œåÃ9–yX	„
`D¦d
+Шâ¹ä ŠëÎc„ß”ëPß
N@VÚvדÉÆa&˜ÁN_q5Ü�6’w‡UýôÕULm7ì�7
•7gS¯‘1Ev
+å9@KÒX¨H‹1£”R1TÒrl}–àPI§xŽ½Š»¬üfûrá°ÿk“�¸lrñŸÀåýça¯úÿ6æÄ’�ifÉQõåÀìdÉÛ²jùÀÏ9x¨·¬ˆf·ÙäÛçtÅW\�å>Àïw›¢›¸e°i@¢ºk¤ª
ˆ] õÐofì—š8qnäsÖQióº™É�ë°u:.o�òÔU¨²ØB²Ÿ˜€fÀvT¶ŽkF¸qb’@;•céþÕe9ý<Òéñ©¬wÍš–�ØöZö­’³‰Ç¼iBoÎ4x8
+5Ÿ›ø»MlÜÃ†Vât£&¨!Á2Îe3Ê›ìx¡Á V‰É¥Y¸bgÕÍ4Õ^®Cm–ðO9sæ<ø7H~G—“ÒÁExXÓ”n¾z fÝe5*D0³ö¥…êJ‹œæ	…-Pƺ�Kbú$åÎ
+¹öwÒ î]"W|+±?Ö\HýÉšÀó!ÄÙì¥(Jྸª
œ‡ý¢ÀÓºv©>o1òËÑ>�µêò¦P05¼ÖèÕb¸ÄÏ[®§%TnJMêé^X�Ò56.ˆ�†¹*0WE§5"T@̉'ÄP`þp*TòDÀY|Ô'証¶ô«a“(y˜¯„ÊþnÈ
 t:sóÄ°§?ZíŠîðõ¿=~t×Øþw]4ÝtÎ4ÚÞF³.èØçDà©Þ…Û׃Á:w2K¼ú–öDÞ4ä:|2w\þd~s*ïöÇØ”¿!''Þ	¤ÊGåë¸f�ΩŒ
$Ýc	oBNÍ"@ÛpÂmû„›SPì£Ó‰!…<ÚDê¦)o×1Ñd
'Ͻ/ìeZIœ&"d¾@åÖŸ[ü�	<Šs¶óaã+Ýù¥B’>Žp‹L›Á*ÛüéÐ"�ÏËLMóù²üd’Ïó-®³ýyïlh�Û2ÔO† ô¯ÚüÕÔ	y)<S‰-
+zh¬ž«|S.é!¤GØï�\ótˆ0ÜâW»Í#�H¢
+endobj
+1804 0 obj <<
+/Type /Page
+/Contents 1805 0 R
+/Resources 1803 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1791 0 R
 >> endobj
-1317 0 obj <<
-/D [1285 0 R /XYZ 56.6929 386.1153 null]
+1806 0 obj <<
+/D [1804 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1318 0 obj <<
-/D [1285 0 R /XYZ 56.6929 386.1153 null]
+1807 0 obj <<
+/D [1804 0 R /XYZ 85.0394 751.8312 null]
 >> endobj
-1319 0 obj <<
-/D [1285 0 R /XYZ 56.6929 379.7371 null]
+1803 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F55 965 0 R /F39 858 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1320 0 obj <<
-/D [1285 0 R /XYZ 56.6929 355.6674 null]
+1810 0 obj <<
+/Length 2888      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[sÛ¶~÷¯Ð[åi„âÂpÞœÄͤi“œÚ�霶´HÙ<•HU¤ì8¿¾»X€)’>�3~ |
+<(ÎPaXœ€*¹Åü·lÛâ@°ÞŠJ³4ÆÁê}[ÖhÈðe³/ÖåïœË¢�m–õ»¥lû©¬òú‰ÚíCÖð©Ün©ï® ç±)rkkê9d0sW~-üä‚Æ›ò¾ÊÚãáRè¥+¾ìK÷äei¦Dœ,VB0ÇÒJÞ–»â™¶}86Ôjö4/ËËꞺÊjM}»¢j³­Ã
6….jßUqÈœN ·~´'ÇM`?fåá H
+úTd�›ÁZ‘YnËM�xúÕé/ÒËlÛÔÔÛºgS{\ñ¥©}r )Ú†~?fÛ2ÏÚúиuªÜM/ ¢CÝ=»Î� «>º•×ÙšÜÇž#P¨Õº=ºU«Z–¼R°P¹¡žmf×½·*“Ë긻£½a¬ÞPçÏ?ûéúòºú¦¥îÀ¦vȺ<É
+@=ÄH,õ ÔĪ¢ ÇaìL›X¹ P­÷ðB
¤‚p¥°æ¤ò˜s©ÂA–Eq÷ĺ	ƒ�ŠbÒ–Š"çeÔ‰NFƒÞÁ¡!p
+¾mÄüîjdûž
+ÍÍû¿u1»ª»�—›aŒ¶þiƒµóO;…ü3�fÔ–H&…‰^P[€šQ›GMúKOw
+^8m’y:Ôˆ=Ý�·F)7}!Þ‡dêh̶�MGÊ~þþ
5„ÑÒeÌCÙ>ì€6­›iå*É¡æ• f”ëQS¯M_·HºŽæ%èP#"ôtK6Hû2ÜÿX£ž~t3ÂÁzã'ÕÉ=ArØb_¯&UÌA4-_`!j:Qu(›¨êqþ¡¢4òEÉ¡¼/«3
+\ЖÆ•€ÚdMK¬
BD¤ÄòÎ: ¨Eiwƒà0TŽâ�K›ˆw%U¸N!‡œÕ‹/SiÅǸ•¦N(™ªÓ…
+j
+¨{’A½Ö8y^Üïï»*×
+6­2hˆˆëT fTæQVe_Ïœ(bÆ=¿¥�lÙs"h¦Jô·|_ÕáÇ”7ºúFeNþ¦ÞEj8š`!lç
yçóR�i]JÁ¤”ê]¨]zÉ� C“,IR3¿µ�lêü0‰À­z[w3¬Ã
+š¦{iµ{{È-ŸÍþ
+X„Ø‚ß�†µëú¡D¦$}Ði^uñSžì
ãöÐð´‡–þÐÐXcùx>öMz~Ïç¤4P�%êó¹|NùO9¯Â/–°aàû(vçû8öDTÓ‚>"x�¤Ñýb lšc‘ÿkDÒÁÿ8?Ä—Š¼?áoYí3<†íÈïØY߇ ‡}û[	…&ŸúGøß-#±›w‘äÿþ'šÓ¿E)SZOP3™ÆÀZ í„B…€c�';÷ï6ç²ÿ
3íðDendstream
+endobj
+1809 0 obj <<
+/Type /Page
+/Contents 1810 0 R
+/Resources 1808 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1791 0 R
 >> endobj
-1321 0 obj <<
-/D [1285 0 R /XYZ 56.6929 349.2334 null]
+1811 0 obj <<
+/D [1809 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1322 0 obj <<
-/D [1285 0 R /XYZ 56.6929 334.5287 null]
+1812 0 obj <<
+/D [1809 0 R /XYZ 56.6929 136.9875 null]
 >> endobj
-1323 0 obj <<
-/D [1285 0 R /XYZ 56.6929 330.6849 null]
+1808 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R /F55 965 0 R /F48 880 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1324 0 obj <<
-/D [1285 0 R /XYZ 56.6929 315.9203 null]
+1815 0 obj <<
+/Length 1618      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XÛrÛ6}×WèQš‰ÜIôͱ•Äi#»–Üv&ñMA6‰tIÊŽóõ]
+2̧˼ªt:©²»ü{‘k‡ï-Š%ÌÁÓrLâ‘Nj]y•ÚjüŒ1]»ï™ê|/¢Œq¯ï9Ûx½zÐJ¨@‚*¯(ÂHÍœ^§®YW÷Þ¥ltëö¬�+Ýü�4N›0Ž‘Œ¥ç¤„ �h�§ÚÅ#Ë{ÁhâÂ'Þh¬îåq	ã(¢Ìž'½„£æ«À!%ETJá öH¨
YkäÊD["«£XÊæƒùtjí8ùm~,¡	…E7Ô_õó�Î?c�cø�8Šð^nÄ�Îή7ç³3«G9uËM–g@Õ¤.J»uå]m¼i·>&ù6Y‡B+csléćàpØ–sWoO­Dˆ¯ÈãQ.HË”�ÿ¨(V&ôÿ�\/Þ_\sœtéUë2×.øóç
+¸PÙ‡Ó"¯Š²Î¶›�ZŽ—ÔÉáa¢lu„RUCElX1IïuúÕSÀ™DKž
$lƒzEc±£WGPcÔgJ#»j^û”‚Ým!jYá¼Ë"àøs^'ßØlQ]ë�W±ó¦P–ŽÏyñPA‚în	Õ—A	唀Oc*´PͦH[†Z-fÒa[’
+áô�ÿš<ÞøÕ—vUÛCŠY#ÞŽ|Ž.³R§Àúç@æŽ$my褮²µ6&xßoÂüd@N—ŸgÓùéÕùåâüb¨ã{Ù Ô~�‚ÂO•/ü
²Úë0–¯ìÃíÖ1>/ê}œ†~Vgiõªßª’Ÿ¡]8S½•]G\4>˜¿˜-h£ˆazœ;]”mà$À�eô¶Œ¤BЛ¢º¶ÁЎעÖõX((RœË¾yé}Sr‹&<0JÕE€•P¹daúöt	iêÛtU8‘÷I#\@ÏK×Û¥¶Û §)öi�=6“@ðŸh»ñ2ôð¶­8°N¬‹~°gI54©¥{_Ù¾M o%d¿ogŽså8m±nŸûÓT¶ÉÖI¹~öUÍû˳Óv烼bE’óðªƒ:Â+�jxõ¸¯R1Óž~ Òƒ*»�„�<Ž¢=•—»Q³ÍâG]VmNv§Í—ÅnÄ9–Ý©æ'Š�î]™l\€ü4¬¿eõá
+endobj
+1814 0 obj <<
+/Type /Page
+/Contents 1815 0 R
+/Resources 1813 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1791 0 R
 >> endobj
-1325 0 obj <<
-/D [1285 0 R /XYZ 56.6929 312.1364 null]
+1816 0 obj <<
+/D [1814 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1326 0 obj <<
-/D [1285 0 R /XYZ 56.6929 297.3719 null]
+1817 0 obj <<
+/D [1814 0 R /XYZ 85.0394 682.0055 null]
 >> endobj
-1327 0 obj <<
-/D [1285 0 R /XYZ 56.6929 293.5879 null]
+1818 0 obj <<
+/D [1814 0 R /XYZ 85.0394 616.549 null]
 >> endobj
-1328 0 obj <<
-/D [1285 0 R /XYZ 56.6929 269.5182 null]
+622 0 obj <<
+/D [1814 0 R /XYZ 85.0394 575.9131 null]
 >> endobj
-1329 0 obj <<
-/D [1285 0 R /XYZ 56.6929 263.0843 null]
+1819 0 obj <<
+/D [1814 0 R /XYZ 85.0394 542.1583 null]
 >> endobj
-1330 0 obj <<
-/D [1285 0 R /XYZ 56.6929 203.5771 null]
+1820 0 obj <<
+/D [1814 0 R /XYZ 85.0394 505.8522 null]
 >> endobj
-1331 0 obj <<
-/D [1285 0 R /XYZ 56.6929 203.5771 null]
+1821 0 obj <<
+/D [1814 0 R /XYZ 85.0394 437.4739 null]
 >> endobj
-1332 0 obj <<
-/D [1285 0 R /XYZ 56.6929 203.5771 null]
+1822 0 obj <<
+/D [1814 0 R /XYZ 85.0394 374.9822 null]
 >> endobj
-1333 0 obj <<
-/D [1285 0 R /XYZ 56.6929 200.0681 null]
+1823 0 obj <<
+/D [1814 0 R /XYZ 85.0394 309.5257 null]
 >> endobj
-582 0 obj <<
-/D [1285 0 R /XYZ 56.6929 159.3692 null]
+1824 0 obj <<
+/D [1814 0 R /XYZ 85.0394 84.1613 null]
 >> endobj
-1334 0 obj <<
-/D [1285 0 R /XYZ 56.6929 131.475 null]
+1813 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F21 654 0 R /F39 858 0 R /F47 874 0 R /F53 957 0 R /F55 965 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1284 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R /F42 597 0 R >>
+1827 0 obj <<
+/Length 1899      
+/Filter /FlateDecode
+>>
+stream
+xÚíYÝsÛ6×_¡Gi¦Äáƒ
+ðäæâÍì*¸üivùÏ?oofÓ€D‚’ÉÅÝÝìæêú�i@9r Æxòæâæ·‹_ìÜÝTÑÉÅ�³ùôÃýÏ£Ù}+XWx‚™–êóèÝ<N@‡ŸG1%ùø0"JÑñjr†xȘŸÉGóѯ-ÃΪyu‚e‚ Aɘ¤8§=8¸B‚Qfà˜ÏfV©‹_æ·Zx‹u0Äã€Â{‚WÄ«4y�9–ð�|géÃ.æa„0c!¼gÀ¾¾¹²ì•Û%YeEV7UÜ”•�z›.ÓjJä$-©�z›8�†‰¨±GŽ¤§f@	Gl0…0ur_üvÿÓíÛêae讋&­Š´±bÌ·u“®jûpYuY5ÙfµÛ4D,Ôñ	Áæ`
ïdàNüÆ ,žÒŧ¿Ë"Õïjb&‹„%¾
’aј1»ÚA¿cô�•ÊÍ–«u–§f3ýžÒÈŽ:sÓÜ�Ÿã<K²fkŸÓ¬x´OÞ.‹²xNAa?ß”e>„7îC=ßåºÎêýØ`ER°q¨0!ôeÚSÞ~ÄÑQDˆ
+i$Â\ò/IËrßF—¯¨ÿ™,�“é«¥ûoÉ¢ÿíYþ5+ŒK¤™öNà/ÍÎÿÏ›ûyÓ<õM³×Q0ÊQÈ”ð•®�¯«ÙüòíõÝýõíMûÖÑÎb Ø«÷eˆBy¯2”¦õ`“æÉ”íá¤ÞMü—�Œ‹ÄNfг<V®˜g“réÖíª¯ÿ™«ÿ¡�eÐä^7vr�V:MldpÑS;9ÂI\èɘD„R®Ñs@» ¤r”ÚËQI™jæ2œ¼<¥…åeœØ®CZ5¤UD‡ªbrÿ”ÕvmJ‡D"ׇ’ìŠtúˆ*#›:]nr»ïÒtC0èôH°³Cæ-ªN‡‡TÓëVÖ½Tzý1°g3…!Ù+�7Õ®ÅzJWvF-í(Þ5zvT§ôeÓ(ì´¿=·#®/>bµWQ"|ÜYpa›l•å±Ñž@ï7°Ä«¤¡úr”AiL}&Ð
¬”“‡Mc÷Ë»Uœ¿Ä['C²Y­Ýк&¬{èMƒÚ¤Eã	J÷¾�.<ìPå((<ú°gÚ2àªÐdó¶7fX
+~&0Œ”b»[œ€c:ùÝ$
+„ò±ŠÝQï
+9k™£PúÂX�ñÎÑqø=‘Aÿã
ú1©“ûyšÃýz•¹D
+}`™Œëlæ�À¬›ú(œà?p¬žqçÑq8=‘�Ó_Hðž¿ ¨@î#ºR
D’@	}J*Os(Uï	á‹zbÍõñ´ÜîÁg%9pøÖºS xríÖŠ²9rؽ‡êÿúFÿw&¨ýAYo 6б¯dL7UlHYÜdßüm÷­:l&%Æ�BË
+endobj
+1826 0 obj <<
+/Type /Page
+/Contents 1827 0 R
+/Resources 1825 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1791 0 R
+>> endobj
+1828 0 obj <<
+/D [1826 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1829 0 obj <<
+/D [1826 0 R /XYZ 56.6929 751.8596 null]
+>> endobj
+1830 0 obj <<
+/D [1826 0 R /XYZ 56.6929 686.1725 null]
+>> endobj
+626 0 obj <<
+/D [1826 0 R /XYZ 56.6929 645.3764 null]
+>> endobj
+1831 0 obj <<
+/D [1826 0 R /XYZ 56.6929 611.5513 null]
+>> endobj
+1832 0 obj <<
+/D [1826 0 R /XYZ 56.6929 575.1748 null]
+>> endobj
+1833 0 obj <<
+/D [1826 0 R /XYZ 56.6929 506.5659 null]
+>> endobj
+1834 0 obj <<
+/D [1826 0 R /XYZ 56.6929 364.9645 null]
+>> endobj
+1835 0 obj <<
+/D [1826 0 R /XYZ 56.6929 220.3983 null]
+>> endobj
+1825 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R /F53 957 0 R /F55 965 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1337 0 obj <<
-/Length 550       
+1838 0 obj <<
+/Length 3112      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥S]oÚ0}ϯðÛ‚´x×_‰½·
-‹u^ÿ:ë$ÜÁ>OdµÍ¸Í¦ŠpwP>½ìó‡ÇÚ  hp.�M
+xÚÝ[Ý“Û¶¿¿B}àÍX¾
>^ìsš4vÜúÒfšä�'Q'Ž%ñ"R¾8}Ÿ")�ÒÕn§ÓóƒÀåX,~»Ø]Àd†á™i�0ËùLå	LÄl±½Â³x÷Íñ<óÀ4ïr}}wõÕk¦f9Ê%•³»U§/�°Ödv·ü9»y÷îöí«oºžS�³¯Ñõ\`œ½¹yûãÍ÷Žöî:§ÙÍ7·ï¯çDIJ€I6‰³·7on_Í_þùöå_þùÃÛÛë_ï¾»º½‹‚u…'˜©~»úùW<[¾»ÂˆåZÌžà
#’çt¶½â‚!Á”ÍÕû«¿Æ;oí§)ep¡‘ \Îæ‚"-`êI•a„¨`®8A’ë<ªŒ’”Ê—QÙ¼2ýêµÎ*tn8¶õ²*ƒк�¾RrE®„`¬3¡& U_²wå~Uï·×sÆiöX7­i±lSKGû£Þ•ŽVíÚòa_µŸÜ‹Åº\|h̲j•½«›¦ºßxN3™Æqûk¢³ÒM¿§(ªÂDj¯€_(å«Ãfc~=wWz
+ME"3xY®ŠÃ¦…&y‘èžsÐJ®½Ï�”ÕîadI ©ˆÿ(ÕíœS‰—Vñ(‚Æþ7õ¢Ÿ@!XÙxÇåšðŽ¸¶»sò戳ÜTì–‰~IŽ˜PÝŽw°¢cbR$�ÌÈpÀ<…ÝpÀ˜AHÆíË7°ÃUTE/_Ôœu;@؈¬]‰<{ó“£8-jû»lºÄU¹w¼míÈ7î±ÞûGøKuâ¸–îëví8ªÝ< ^X�ºží¼^¹7V'ÂL“°>Ö`>»b[6“`Œà15iîˆêár�-`™Ñ Ôz·ùäülИi¿ñþøDO†ø´®ëî{«2óhTf~ã¼ÍCœH@
+TO@…Ì–å¦|(ÚªÞ¹7oß»ßÄDEvÒÏÎzóS{²CÅi'ŽvD…yê(F:TØž
+1…E
0–÷”e߶î]±i¼ˆÇÉó8y‘=l¥£Ë¥¶iÊfBÕ.ôᇂðl[´‹uPoÝø÷Åòc¹o«¦´Û,…Ÿ‰‹úî=Þ|wxÕfyá)®È³N&îÖüƒÛ=Ö�×ëgM½-îs¤—½Åuƒüv¨\cé¾
++…³ò÷ªi›Ãn«(n¹èÔŠSî?¹kå‹Žê]ÓLÅõºÈ*1ÇÏ
‹8¢šósqÑœ<?€¡2Á˪)lIËü‡æ�¥9¢
¨÷‡ÖC”i©`±åþ©jüN¹¦CP®ã(šTdG ÂWŠç§‘Ý´ã/¡Ÿ‚]î轩?–‹¶úX‚IBB`¦)âó‹½1¹4
+ájÒ_”æÄü]ø?Là|–$˜��àd*ÕåO¥"—M¥VÉTJj¢k“Ï€­
“)†‘КOK¹¢õ’)Б��^ôd{ËT­†ŽÒËãœÌjðòèŽ~Á˜nJïP�ùÔ±¿ä<÷Œ»-o'‘›§3*?TÎûª\tCü}ñ46ˆB3�nB‘D-J}&ñîrM %pY´¼N Ì›qÅÎÀ…"*À'E‹\	ÙúpQ\�èá´ߦ™f.†hàbhþ¥MD­#:À8ºq•!”fKVà#:yì´qÌãb„"ÆH~‚ÀV˜&£²C%4‡@	a<ÌŸ.��P²vòví„!Pã¥g5›êrnýUÞ]kS³so¢a÷]ÖÁûíjoÇ‹âДÁH¼Á—+£ÖxjÏ}Ø�Û;¸ÿpyØ>6£>`QïÚr׎»U.%¢f�š4”.׸¡D.k(Ò†¢sÁ¦JT#ÍÅ´\�)!W¿@% ¡’ÁB�*Q1�éÚÝÓìÏ]ˆ�‘‚-“œ4Éž*›ýil�tmÊVEµ9„HÃŒFŒ¹aÞ37`zº
+å\|�àâKEù3<»Èÿÿ£"P	:c–‘eÜ&‹5Èú|fi”sb”œ#ŠŸ�)²…ê$75O­:RýãZñl_µ'™]HÜ}5ÚŠÎò.´˜9z	Ñ£r^
+HÄäù¿o
ã«-A#NžYð×Äš.»ìMjÙ1¢,ž®7í§Mª¤*“’E®„hýzF„cÒ—íèŠuî³û{q,ÍVÿºïL5Àz[ z¬èüX	ä4w|ºó¡¡¿ÆqN%—ð$ÔÅÇo<†§ñ¥)é*$lD*ï ûrS˜JõÈ@Ƭ“ýþJEßßßÙ4œé̈í[¡2msó»uWV ÕªÖ�x^×x´*ª°)ÙÓC+m
=U‹bc™éÞÿ¾³ò±Ø­ï¬Yì«ÇÖ\uQ"ûaçˆmО7¤ŽÌÖ ´À#H`SNGŽrœñ³ã­cRÔõ
Œyî(Å2Ìû£éÎgíúÐ8Js
+N)�¹¡4	Í#Ï80=�…å«á`¹t‘ûÄ`�åd°Î0¤
+endobj
+1837 0 obj <<
+/Type /Page
+/Contents 1838 0 R
+/Resources 1836 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1840 0 R
+>> endobj
+1839 0 obj <<
+/D [1837 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1836 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F55 965 0 R /F23 678 0 R /F39 858 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1843 0 obj <<
+/Length 1768      
+/Filter /FlateDecode
+>>
+stream
+xÚÝXKoÛF¾ëWèE¬Í.÷}tb§u‘(®%7Ò‘’‰R¤Ë‡÷×w–»K“ÒJ.PôRèÀ!9œ™�Ç73"S?2å	é©ÔqLøt½›àéÞý8!Žgî™æC®·«É›÷TN5Ò"ÓÕf K!¬™®’/³·H¢3�€g‹‹�W—góˆ1*f77W‹Ëëßàžc`Œg/wì³›3Í.~¼Zž}]ý<¹ZõæM&˜[þœ|ùŠ§	Xþó#ªŸ>Á
FDëhº›0Ng”ú'ùd9ù¥8xÛ}r
ã
+ñˆ	pE"’a?$	
É0R’½ø)"!?y.ã§ùgsÎ7ï9pŽ¤Ä
+¤–]™¤ûÎÐQÉÈt¨ñÀ.Ï°‹µa‚(çllØò!]g›ç³9ÕbötŸ6÷ieošÒ^×÷éúCÊÙ¦t˜7iµËŠ8wŸfy²Ž«3¢fI
ñ–Lͧ¹ì#{—Zq¾+ëÆxa:'IÎiΣÎÜ8ŠŸk“fÑLµ„•P·ycïË�½Æö²‰³¼õZºK{m‹$­ê&.’=�C3í“]ܬï³bëç۲ʚû�½ýs|ûþ�½�œeð€€(V³›²®³oyY—;é#^Ûrð^è’d”NL"E0sIò{±§¸*ÌÕ1cL9äžð¼`V’nbð‹1È)‚Ã*áàkÍÉ@I¶-Ê*=¦F#Šá‰eG%ì
+E(�"N¢ÓÕ4ä:^M=—ÑøWY¤E¼;(ð="J±Óš{®€êqÁ(D„–cÝ«.IÀ“I¹‹³ÂÒ�1Õå\ÏflµÔ·Ô&�]M¥ÉqÏqŽ8UôÏ
¸NxÎsÙœÀQô�æБ�V홪ǞÃ@9ÖÝ{îyËZŠúdíQ`pÍP$)@…â�PFüíÕêîva?þõŒDzvñáÎö—=Ï@FN­]ÆœdÞ…¤S˜ïŠAë ¾<l©6mUøâuY�~ÏK
¨4m=>£+ÀÌݦU'§¬ÛSÚC”I®´I×Mš¼mG`'Ò ôSVq�7wäžåÕ•ýøâÃòSàŒ!§Q;ÎíLŽ�	SêAÀâŸ9&¦< ž±a‚ò µˆÇ¹·×‹K+O;«h#YÝTqcš�yt›nœÏŠµsÛǸh¡×ª'B¡H1„¬¿E‚À ØØqw«Ÿ>ݾî±ëz]‘ºX>×Mºs±}WuY5Y»{Ñ1b"rrE€§Ü�Tg€QØÖIâ@»Jw,W¿
ƒ4RšBèŠ)Š¤¥ÆV†1¬N«GðlÀEØ»ÆjX>åC�ÕûXB
¡” ÓHc$¸V!,�ö®#nÒç$Æ
EØ™T0®çœ[€¿ÌÙWO‰žZ»Yl” `ôeéd]›l;ßd¹sôH­€Á�SŸ«½Ü$ ·L}–5I¿µÛyž>¦ù?»é©mO
U
+XG`.ï„v]±Ø&àçÑÜ#hSuߧèyO²ó½NkÚê‡vq—]>ߧ�
<–X„U°24÷eÛØ7všß¶»´hêó@	—ŠË·££Q„ÍUbŸ¤°•äV¾õMìT»óê™öí
 ˜¡¶mÕ»H¹¡*�®DbÄh_½oÒfý¦³
+$�D	AÕ°Ÿ›5š Ì#9^s†Ö?»A¨Èš,Î]#Š›x?9¤MêbºñMÿÏ6­²´F'»“­�O]
-�ÍØ°6C
+èÓígÀt|ÂöLÝ¢Ïöõ	l4Q'õyžC}#ø
RR2ÒwW»Ì¾¾yd¾rçbè3ÅxêìkãÞìÙµ‹Ífëg®:ÖñCl¶ÖÑ*
+A)7k�ôØ<­ŒÄ”p�‡ý:NBX+¹ôå\ã+"ŽÌ»¶�Ù¯?ú÷uÞÖÙczbÇBÂùʆåyNíWÏ‹É¡àŸPÖÇ~_Y(ôeÃÈ‹ÿ>òìy1@vó` ¸‡“ý·ãËߪÌ`½:ò'C$Áƒhg”9!ø0i1Š(쇶ÿ
J{9endstream
+endobj
+1842 0 obj <<
+/Type /Page
+/Contents 1843 0 R
+/Resources 1841 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1840 0 R
+>> endobj
+1844 0 obj <<
+/D [1842 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1845 0 obj <<
+/D [1842 0 R /XYZ 56.6929 610.0572 null]
+>> endobj
+1846 0 obj <<
+/D [1842 0 R /XYZ 56.6929 546.0335 null]
+>> endobj
+1847 0 obj <<
+/D [1842 0 R /XYZ 56.6929 482.0098 null]
+>> endobj
+630 0 obj <<
+/D [1842 0 R /XYZ 56.6929 442.3696 null]
+>> endobj
+1848 0 obj <<
+/D [1842 0 R /XYZ 56.6929 409.052 null]
+>> endobj
+1849 0 obj <<
+/D [1842 0 R /XYZ 56.6929 373.1831 null]
+>> endobj
+1850 0 obj <<
+/D [1842 0 R /XYZ 56.6929 306.2376 null]
+>> endobj
+1851 0 obj <<
+/D [1842 0 R /XYZ 56.6929 233.2236 null]
+>> endobj
+1852 0 obj <<
+/D [1842 0 R /XYZ 56.6929 126.5318 null]
+>> endobj
+1841 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F55 965 0 R /F23 678 0 R /F47 874 0 R /F39 858 0 R /F53 957 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1855 0 obj <<
+/Length 2451      
+/Filter /FlateDecode
+>>
+stream
+xÚÅYÝ�Û6ß¿ÂÀ=Ô"†ß’pO›&
¶h÷Òfƒ; íƒÖ¢m5²äXR¶¹¿¾3ü�%Yöö�‡–#rH‡3¿™¡Ù‚Â[$ŠP‘ÊEœJ¢(S‹õþ†.¶0öö†yž(0EC®W7/¿ñ"%©æzñ°¬•š$lñ�ÿ²¼}÷îÍýë»ÿ¬"®èòYEŠÒå�·÷np}ïV)_Þ¾}ó>¥˜bdÓtyûã›×«ß¾¿yóЋ3™Q�²|ºùå7ºÈAòïo(i¢OðA	KS¾ØßH%ˆ’B„žòæýÍOý‚ƒQ;uNR%Dq©‘¦„)æE	Upð(’pó^QœÍ)*p¡¢¢5ôåwJ
8nú¦–e]W›bmŠÒL•Â4#”ƒXÃ�Ïäë¹fÃmµ&”ªx,á‡Æx‡¼œ'ñ¼ˆ“uuJt¢¸çÍšU$Rµlw	‰“¥”o»cÖuåF±§4Ž.ª¦5Yî¸ëÍdzn6YW¶/ÜÆ"
+É4‘*
R¾4íúe•íMN�y	ÍI’€	DŒ‘T)Þfæ\�
Ï­¦šh¹|@+®W‘jiª¦;®X²4î»Ýe-RrézË:Ë‹j=×Ùé±3œ'C[T�iüD¿ÛS}üè²MkŽ“Usü:w q{ÜpZç©ë]Vm
*W¤Ë¢m�«[Yñ#/Ü
Öm}üâ»:ãgØf®9ÔMS<k_Š $¥T{EÂâ~ás•«˜°X?¨Þ<PPß:+
+~�O?ÖM0¶ÆµNs@]
éu…dQ­ÝYcšË&ˆVAÁ®›à€ëŠ	.k‚›é–)‡èº¹ºe`šÙr¨Õ4&œ	=Þò箚h&À¡ÓÇdpãU¼uwÜUÞ©¥Š¼6”[»Þªn½¶­�ÿ5ÀÇ.êUÅ’ÈD¥×õ:京מËêu{¦W
~­ŸÙ20Íl9ÒkB’8žlù7é5„gX{.½Å–uðBurõq
�SÝG†¦ÍÍñ8çtŠ$'¶Ë—$ ÐhH|®_Ò€ëÊ%.{IÕ³øû�õ¡kÎ�—k’p`¿*YÏ5#Ú:ÇD´o=(´sÙLˆ™Œ§"žCe4
+ Û4­û²áÚWw÷¯ÝœÔuäf% RXq…O4ü6>íŠamdøâ&9\Ž—G0åS~^>¤,.ÅÉéÅ
+†!¥Ãæ!}
§Å5œ¬|¦9}	�:
 endobj
-1336 0 obj <<
+1854 0 obj <<
 /Type /Page
-/Contents 1337 0 R
-/Resources 1335 0 R
+/Contents 1855 0 R
+/Resources 1853 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1283 0 R
+/Parent 1840 0 R
 >> endobj
-1338 0 obj <<
-/D [1336 0 R /XYZ 85.0394 794.5015 null]
+1856 0 obj <<
+/D [1854 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-586 0 obj <<
-/D [1336 0 R /XYZ 85.0394 769.5949 null]
+1853 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F55 965 0 R /F23 678 0 R /F53 957 0 R /F39 858 0 R /F62 990 0 R >>
+/XObject << /Im2 979 0 R /Im3 1102 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1339 0 obj <<
-/D [1336 0 R /XYZ 85.0394 752.4085 null]
+1859 0 obj <<
+/Length 2185      
+/Filter /FlateDecode
+>>
+stream
+xÚµÛnÛFöÝ_Á·¥
+v�¶´8²‰J¤*Q¶ó÷=s!MŠ”ÒEºbÏœ9÷ÛP$Áð�$B"i¨I”áH`"’Åú'O°wsF"δAšv±>ÌÏ.®™J2’Êd¾ìÐÒkM’yþKú
)4

+8�]~ºú8™RΙL/¿|¹š}¼ý/¼H€‚qúéröõò.À¾LM/o®&¿Í>»š·âtE&˜9Yþ8ûå7œä ùÏg1£Eò
+/ch²>ã‚!Ák «³‡³·;»þè˜	8ÕH2©�
1,È_aË´7„g‹“)!1}ŠX8ˆ�X\¶GúĦš aŒH¦RP¤	a­�(ƒCÈA�“´BTiš(!Àq28iælì1
’‡H0Œr î0>O¦’¤søKÓ«C�h‰x#‘F"n„r¬“?‚07†¤ÎÚ+ûn¸¸]Óäc%]¥"ái—²WJÒNàÊÀ9œ%Š�îLÉ r9™2.Ó»¢œœîß΃–’uŽr	¤ŽZ–ÙÚæ«Ë€	$„Rk¿³»@º~¶añû„âÔn]䦥]ýc
qÙ&{,VEý-¼¯íâ9+‹ÝÚ½ª´®8ßV›°ÊV«°ØVUí„
;P.\ÀDG‚`GDZ¼+ûä$âD§vÂpú¶°›:¼{	91i+ƒ‡VAIfºVd)ÊMÔò±(ó_±À🌘„c„i��Žp}Ñò Á¦(Çi”,+ó°ØÙº9UMƒ¾D�(ÜÒSxawNK¨[»«öÛ…S�©tU¬‹z7
†PF4púZ.�~û2«íê
NÏ
¤˜¥Ø…Ãk›•‘jýœÕÍÊŽˆJH	¬eÔyº1‹ËNLID©6uQ•�fU‚^;ª èV�v!_]�VÁp¿»Ø¡&}}¶åHÐBƒòï-Ó´	í"’ö.7¨N«2@â7lRDÑ
Á	æ`+0åÖE÷¹‹QÚÂG À�1ÓÍÖ² ¹!HcJûnõ$0é“Æ*Ý¥ó0˜"ÃÇõKQíw
ù€_„æE”�9ÉT¹Èx
¯ƒœq@Ÿ‚pèц÷­­³¢´y¤°tb
£
÷µ€(Þ'F!MqSCÐa
åÒ ª�Nºõû{ƒb/
´Èé{gû±ž5¥i­ŒoƒœR6>/¤@&(Û
+¸ÁïódÆp^h±|V½ZFBñåF&]b–
ÒËnæ(×Ôð
Ë{¥©S‡¯—nñb·;Ÿ»î¥Ü¯C°áP·Ü¾õÀ��ê€@ËÓöéb·O‹åíóbKˆnÕÁHihþ!¶ÙâÙN—â‡Ò
+Ý_hvZ¼kD>ÖkP!˜‘}
ïª,(Ïê,¬–Û	Ô÷jE?ðˆT\ŽŠ~ÀO;)-‹ÒåmÏgþtXV˃½Ü.³ý*zù¥°¯n¼¸¯™¢ðRF˜¿eÊS�ùÌüù›ð¸æPw¤ù΄ù
+ÁäMÇãÚ7‚òÊ	ñ:ÌwŒ(ƒ6”ýO®�Aendstream
+endobj
+1858 0 obj <<
+/Type /Page
+/Contents 1859 0 R
+/Resources 1857 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1840 0 R
 >> endobj
-1340 0 obj <<
-/D [1336 0 R /XYZ 85.0394 717.7086 null]
+1860 0 obj <<
+/D [1858 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1341 0 obj <<
-/D [1336 0 R /XYZ 85.0394 717.7086 null]
+1861 0 obj <<
+/D [1858 0 R /XYZ 56.6929 436.0529 null]
 >> endobj
-1342 0 obj <<
-/D [1336 0 R /XYZ 85.0394 717.7086 null]
+1862 0 obj <<
+/D [1858 0 R /XYZ 56.6929 286.4775 null]
 >> endobj
-1343 0 obj <<
-/D [1336 0 R /XYZ 85.0394 717.7086 null]
+1863 0 obj <<
+/D [1858 0 R /XYZ 56.6929 207.1916 null]
 >> endobj
-1335 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F14 608 0 R >>
+1864 0 obj <<
+/D [1858 0 R /XYZ 56.6929 96.5058 null]
+>> endobj
+1857 0 obj <<
+/Font << /F37 743 0 R /F23 678 0 R /F62 990 0 R /F63 993 0 R /F39 858 0 R /F21 654 0 R /F55 965 0 R /F53 957 0 R /F47 874 0 R /F48 880 0 R >>
+/XObject << /Im2 979 0 R /Im3 1102 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1867 0 obj <<
+/Length 2451      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YIsÛ¸¾ûWè6rU„`%€£³LÆSÇ/v¦^U&F¢,V$R#Rñó¿ÝXHP¢¤©šÒ�X�Fãë
b
+?61ŠPaåD[Iej2ß\ÑÉÌ}¸b�f‰f)՛ǫ׿
+=±Äf<›<.^†PcØäqñuzsÿþîÝí¯g\Ñér=S”N?ÞÜ}¹ùÃ�Ý_[>½ùðþ
»°ˆ’etúùîÝÛëo�¿_½ì¤I%fT (_}ýF'ü÷+J„5jòJ˜µ|²¹’J%…ˆ#뫇«ÿt“Y·tLJ¢×#*àl±Jñ�”%™àÂëàËãoŸ>ãA€\$£“ψ²F;ºÛª-vUÑz½<¼4m±i|çm]5õ®-÷›Àv•DÈŒ>RÂÆ:s|@�×3FAÏ»j1ÇH!2"˜äŽâ.ßãòЂÈ<·ÚmÿçÚ·*\éZM±ûYì|{^Wíîš™i½öû¶\—íK/l¯"ÜÄc¤r›<¼Tõ¶)›Ã{Îà²h\©Œ8æȵ0�œ+	íQÔRB•ÁËë9xÐÚÐF¢þÜèïëì»?‚JÕ€
ŒsØ©›z¿›³|±ØMãɇ[’!kOþ-rž�p
+„P*�‚V—åÓlY®‹¶™"Z	yÈöÇE¶?Š—S<¥&†S}ȳ¹È3€á˜# ŽsÉ9nG8B¡£¹šÌ:¸Àš-à~„1Ä¢ý0þ³k½Œl1Ô(âuœÂ$°U`P–föŸøN¬1fÜ»Ì:Ž³”¥â@4Îaܲ~g±\Œ�q"”ȆGŸ×›M^-Æ,nƤ!]\°<é¾{ÿðöóíýãí§»nÕIß=É�Çàœ(àÞ6º
ô[TMÛUáõ¶ØåmYW¡»ôßÜ‚W�V
+Jã‚^¢�V€H?ëN>ˆ¥Ïe»òÃUíG"6Üຬ
+?\oñB‹z翹“öi¿)ª¶yu


Ø·~ÁvWÂ` óŸf…æéf›=ì²{	ì–^#Z.h6TˆGÆ�ýÍÛI®:‡˜ç%†FGžÿÌËuþ}º½üÔeKƒ³�q�C¡µ@.LçQÈ}UÎó¡È,
+g ')y@ãP“8Z‡GíáÀãÛ{ßË©Š9çb
+ôZT‹²zòd½^ÜÚ=lSµN‚E"�G`�u ïEùT¶9†f™M›ò©ÊÛ½%âQP©‡Ÿôª†Æ|¿óÞ®ÔS½	Ú†éz¿r#£�½
+
õ¿*ç+?³oŠ@“ûO³ò0Ä­]¿˜û~ëûèñ[ä‘EQ9Ré¼$¸ó`£‡	Ü[&íôq%JüTS¾�·fMû²v¬Ì¡ÜØ�€ÈtÜÐôž;^ì¿÷EÓq¦£÷¸G÷àÉiÒõÍPT üp›õz°Ñ¨è�!Z|—qv>a¾ÊA'!íÜì›@ù=z@{t/ß_‚[ðŸ±ðo4d›€‹… ÁÌ¿ÿ‘ã,eé+‡�U@ä°TÚ~çþ½¨Uý\…ƒ×
+H#æ±%a€ò‰š÷tì’i“5]¹wÇÞá+ç©þ¢”?í»ps8â½2Šé¢€jfãƒ
¯êg?îç£6Ÿ·apÈb}!’ú‚GçŽLç
+÷íÊ•:KFŒUâd9’JÈ€[Æ!Ü�±£‘q˜I)’Q·B~iŠ‘Ô›StÖêLÑ4`
f#ŒŠ1“1¡Yð3š»õÏyá'�‘÷.�Ò»2Íã–øÎÀ«> 80$T¸ó¡7ú¸_·å6æ eÕ´y5/š4ãs[ÄÛe7ÑróõÚÛÚnÛº(ïœÛ2¸©Úåo©�ßÞÿ”ie�I¢GÒë¢ðYÏ(F…&ýÁyŒ&Tg0©Fçc¥�²…í
+0H8P,0<Q{øfhµLЙd#>£�Ä6¢<«ïà½3+úå‹b™È^�U½nF³(åë¢�¿FgNPÞ13¼=œÍ z]€BGsžÆÁàÇEW•>D0
+=MRü¡§9iŽ6#Ò¾óÖ˜�6ÆHälq{1ìÅí�%r|ûSg…Š4ÇB
¬�C½Ç³¡TE5úÄSR÷åRÖî±}hÚÜ¡»'çžjˆØŒHló’Ët/¥®e	"ÌœøiPÝ㶯ÂrW§.ŒTð÷ÚÓœ¾Ö@ãnõÏÃÍ@»Œ‚¯;³Y$9Úl Y
+™¬±éfï«þ‰Ìè{Íg]?=Aµ@Ný%*ÁGþYhWËþë¿Kûƒ%–h†�ŸKP	ðƒ"<…cLŠÞý±z,ûÿ
³@‡¬endstream
+endobj
+1866 0 obj <<
+/Type /Page
+/Contents 1867 0 R
+/Resources 1865 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1840 0 R
+>> endobj
+1868 0 obj <<
+/D [1866 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1869 0 obj <<
+/D [1866 0 R /XYZ 85.0394 751.8794 null]
+>> endobj
+634 0 obj <<
+/D [1866 0 R /XYZ 85.0394 711.2251 null]
+>> endobj
+1870 0 obj <<
+/D [1866 0 R /XYZ 85.0394 677.4622 null]
+>> endobj
+1871 0 obj <<
+/D [1866 0 R /XYZ 85.0394 641.148 null]
+>> endobj
+1872 0 obj <<
+/D [1866 0 R /XYZ 85.0394 572.743 null]
+>> endobj
+1873 0 obj <<
+/D [1866 0 R /XYZ 85.0394 498.2696 null]
+>> endobj
+1874 0 obj <<
+/D [1866 0 R /XYZ 85.0394 310.9784 null]
+>> endobj
+1865 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F53 957 0 R /F55 965 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-876 0 obj
-[590 0 R /Fit]
+1877 0 obj <<
+/Length 2033      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]oÛ8òÝ¿ÂÀ½Ø»1ÃOIì[š¦{^´i¯v�¶û Xr,¬,å,9YÿûrH}Ø즋ƒ
‹ç{†3bS
+?6U‰4×ÓXK¢(SÓÍ~B§�°÷Ë„9œ…GZ±Þ®'×ïE<ÕDG<š®·Z	¡I¦ëì÷Ù[¢Éü�õ¯×ï•àrF"žh o�¾Ü¿»%·Ÿîß#æˆ*O8�UÜ¡Þ|þ|wÿnùÛ|Áêó…¢töñæþëÍ„}žk>»ùåneˆMîÖ�C]F‰ÿN~ÿƒN3Pù×	%B'jú/”0­ùt?‘J%…ð�r²šü§#8صGC¶“*!ŠË¬È,–a33H±¤D'’uæ,da�e,²89ûª
&cDH`†Fû3?Ù¹9tL4w:dy!˜G
+6t'£œhªÕX²¯M>_®gíÎ.#H @-.´8öŒ‡„E\9¬íaÎ’Y½?c°©«o”òÇã!m‹ºÂ])óP2Æâc9¬ý±i‘ðƒW«ª_¯‡>«tŸg¸ûR´»^L >]ðˆkãpp”V݆pg †ãh––�õ
ŽíÝk•á¢É7Vï¼uïí¡¨q]TæÏj‹‘åok·
+3[ù0hL>1:[¶º«�eæÎìro[wbµÃÝ¥Ïô˜Wù!uŒ7uD¬§áùUÄa§�ÈMC\
‚4¢‘IÁ„D2Aϼ·§dì| MÍØ?•¹¥
+¤/gŠPªØ+ùK‰ìŠò•gžŸ	÷vyÿA
7Ù¾¨
+¨‰ië5ù’o�5«�;ö1­Ž`44ƒPÀ	Z•Ëœ³&…è¨ZJ(‹ù+JÀ•‰¨+B-øعãïñhRá,RPMX~g——O¸r›tuBCUUÀ.¡	”×z4àk¸~X~\®m?dþÖËO÷«€:Ó\Á}⿪�/ªY�7g�yÊ}4c 8]˲‹ëPŠØXn;·Â*	�ˆ #Ñ>€Â¢2mP@Ƕ(‹ö4gŒÍ|øC­Õ	c>þ1™×>ó€=ÜÖ¶ŽÂss<¸jË‚l†çKê
+7}’C<H±³$÷_Ô装íÕ½ÅS|àÜ?Ä#ßû¨j)!B×í*ûÿýÁµÿ-cðBÂÃ_#ylïƒÈe´fL^ˆÎ¨iHy@öÿ
‰Sѯendstream
+endobj
+1876 0 obj <<
+/Type /Page
+/Contents 1877 0 R
+/Resources 1875 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1840 0 R
+>> endobj
+1878 0 obj <<
+/D [1876 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1879 0 obj <<
+/D [1876 0 R /XYZ 56.6929 605.5421 null]
+>> endobj
+1880 0 obj <<
+/D [1876 0 R /XYZ 56.6929 504.7499 null]
+>> endobj
+1881 0 obj <<
+/D [1876 0 R /XYZ 56.6929 441.2539 null]
+>> endobj
+638 0 obj <<
+/D [1876 0 R /XYZ 56.6929 401.9804 null]
+>> endobj
+1882 0 obj <<
+/D [1876 0 R /XYZ 56.6929 368.8239 null]
+>> endobj
+1883 0 obj <<
+/D [1876 0 R /XYZ 56.6929 333.1161 null]
+>> endobj
+1884 0 obj <<
+/D [1876 0 R /XYZ 56.6929 266.6983 null]
+>> endobj
+1885 0 obj <<
+/D [1876 0 R /XYZ 56.6929 206.1673 null]
+>> endobj
+1875 0 obj <<
+/Font << /F37 743 0 R /F53 957 0 R /F21 654 0 R /F55 965 0 R /F23 678 0 R /F39 858 0 R /F47 874 0 R /F48 880 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1888 0 obj <<
+/Length 2595      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ÛrÛ6öÝ_¡éKåÙÅ�àfú�‹“:m·ñîdÚí-Q7銔5N§ÿ¾çà
+ÁRH½6°OŠi¶XlN…›æMC€zèãñø ¦žÜDOÑú¤f‹plU7-�vEYÒè:œÚam•W
/ «^áñûqD|SÜÅ3Y
+Gö´9¢K™0—Hw ÊÏùýV›2.�=Ô£t�¿´¯G€z=”ô€(œ4(Æ‘bÜïóðݪ˜¯†8‹H¤@=Ä›�ñ“
+&‰gD
+&¹Nû¾1#ûÒÜËÈ4J™¢ê¤h­�ž#áX©G.7–AœPû»‹ÅÈí
+â†I£÷x6m:½õú¯ï
+°¥…ç€uE_’ \ëõíAóz½Îª�ˢʟÁ0‰Váì(…R$,á&yJ<–ku¨gÀIÄ:Ðó6^STÊhºÎÚù*tÄœnh²Eu3S 9ÈN#Ç"‰‚ðhœ8jÀº
+¤äés"Ú1Mȸ�Îì‚3»Î™a­­	’mAÖ`os@M’=l‰
ãÛpOPB˜‘èa'¡ “0ë’ƒˆÕÜBÔ¦0›$G\Ó
+ÌúÀ5oëM;"™D³$yè›Ü†k1Ö†kbŒµS�×�ÚÍ`y¢Êç^Óo”8§£&°»®Û€*¸9Œ‚È|ŒõÂÊ2ÍÝн¼Oñ#>%!×hÔî%8äÎAR$œ1ÃtîE¾+qG—e‚o
hï[|ï[RN;ØJPÑ…Ý¿Eê^Q®—·ñž"Иъw®qÿÁŒ
ˆ÷‘K>éIê‘1O‚B,xRÂ{ž„1Šl$é\	FÞ•à\)	®_20&;
p$��§ª+àºj¢ÞnæùS:¦ó‡e ,Ñ?P7#bÑ`póÁ@,ã—ÌîìØ=F2aÍ0‚t$XuHW2QÓ9&r„¡@@A
+!MÞÀ*§Áùå�¦5oZ
dÃv �v6÷ª›¼	îiøSØužõFy*„ˆåƒc:•†Êðe‹Mjrƒ‡òÓ‚%¼žŠËŽ)åô>«ìjOÄâ"ùo‰1Ô�÷5)N‹j^n^²Ú[<lÚ
Ú»Eakr•H´`ÅFaOÕá†A=ˆ€e½!Á9(é¥1C«ÈÈËc•¢áJDë-˜Vzõ4YQ5'� º0§émÝ4ÅuÓùç˜`–H»’d</CîNUW«=+@4Xæ‰
+ý§.\ Ëš|f5AAšõ"Ô	ymo'Üo›a\'Í÷u�~Ó3+%b¶
øþJô¿XØÀ¸ˆÊºsî" [Ô[_Aàø�-4YÍ1$q„Ža?I¼áv�
õ=Ét—Ý7¡ª	r“Wù†úÞ~_ÔÑ�ÐH7Ž—þÝmÿPçz:ñˆ2T°òòüâ5mN	²›M¶1Õðãz¦:|¡9ˆ� å%�?Þèpð ˜6}Ö�Jð:è6SMRÀï^
+^÷Ü@­×4Žú}FS*6“}
=ô¹Ô1É»¦p½ö¶–�ù¾dÒñXC÷ÄîÉÊ&Pø¹ªwU ¯»“ƒ](Q­‹G.UL¨îÒgAÄF0nðÕºï¶!a‡‚¡ëøBÕPÚ¬ga{gö¶WÏÃú’X\ÓJdÊ?)Ýn[6ÂdIfºèqYê´{$_ÔTÉá›XKw7«â–@”XpD&Š«i |ÛÆWgÇx*åÁCVpÛì.+ʬóÑÖY2rsõÔº	ñàcž$ê³O/Þ_þt6cº�8¼‡yh¶¾�t¯8Á׉æ`s¥Ø^|ÉþñÚáÔÑÿñÚ‘„}„ÅîH%,�Œ1ø«af9ŸþéQ�÷Ö¡Nö—õ<+±I{>AûÏÎxäæÏC£;¼‰,ò¯$d�χ½&Õ“Ù]ûÕ¢+O 
+xúj9zµ{p5Äé¶?DbÔÅèp¨»ù@HûÞ àã�:eÔsþõõBô$Ù¾4žä¢W‚hTùj�Ígë…y>Öa¢È‰R>ýƾy¿ü¯Vš/º¼¿–úÃy.‹·g_Òr)Êò݇”_¾ùzmtD©~
ö8rÀ€WÛ7¿¨ÎÝ¥}ùã.ýu÷iw¡þýë�ÛŸ¿ÿž¨û\ÿ;ùÓ�wÄýßQîÿ¢Õ	SÎÉñ!
@딊Hò'„9$½û3ó!íÿTQÖ_endstream
+endobj
+1887 0 obj <<
+/Type /Page
+/Contents 1888 0 R
+/Resources 1886 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1891 0 R
+>> endobj
+1889 0 obj <<
+/D [1887 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1890 0 obj <<
+/D [1887 0 R /XYZ 85.0394 420.6717 null]
+>> endobj
+1886 0 obj <<
+/Font << /F37 743 0 R /F53 957 0 R /F23 678 0 R /F39 858 0 R /F21 654 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1894 0 obj <<
+/Length 2221      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YOsÛ¶¿ûShz)=¡øKï¦ÚNêNíäÙJçÍ$9Ð"lqB‘ªHÙM§ýîo�)R¢-g::\.‹Åîow!6¡ðc“Øp3IŒ$Š25Y¬Nèä
¾½;a�gÚ2Mû\?ÏO~z+’‰!&æñd~ß“¥	ÕšMæÙ§ègÂ(94º¹>?›ž½¿~ûîâútÊŒLd4ûðáâúüò§S®(0'¥ÑÕìúãì7¤}85<š½»¸=ý2ÿõäbÞ©ÕW�QátúãäÓ:É`¿žP"ŒV“'x¡„Ã'«©QRˆ–RœÜžü·Øû꧎švÃEÌÇlaz¶0œ(¥å$Q†Ä‚o‹Ü~zo;Æ©PDÇJÁ€så9/Kؼ¤Q³´0&JïªG‹4ûgºZöMÆú«j’0&AU'dSf‹‘9'Z˜žò¢@¹wßp©ÌÞ§Û¢Aâ¶
+ &@©íæÑn‚V�«¨i±¬êÉŸ)†'„Â�ÁC®´Ìöd}µaM˜^Ø,,�®¦NíÉ”qFTBÁñ#F)î5†½»yŒ±ÜE€»œU«¯a>çQS…§_…³�v@ï6
+,dŽ„ÆíEˆŒÙo·ï�;¿ó×h×¼	9º—	÷¿µAê
+¤#RôÛN–¸Œc´í¿³ÄáX¬æÆ�;ŒXe*$tqPL­3û8ÿåýÍKf‘¡Ûkì¦lÁõö[
G2Æ8ÔOùvµ[WB)·§!9TJu½64Ö”ÒƒúÂœ…nÊcšCŸqÅQ\ŒT)^ŸÏà™»sÃn»D‚mŠóΪ*^ãDßÊj]çõ~ƒ/ ft,à€L…Jy¤!‡Äl¸r‰y¼[wý°K!=‡Íz{“ÐqîÝ¥ŒOÓôK;ºÃ}©�§€ÂŠv�f©¸¢�d®xoK°NæbDf{;Љ¼Ï‹ï¹ìF_G„CQ�¨®ò
áe篾>ª¯/ýåq
€Ož¼Íˆ<èPø£äC8ÄÂþ[ñ»_U7Ͳ�­ë×[ 9*r±ÜTU“åcutcLuîÒ	Ý
+}Þ˜<.
¨vâFqŠq¢ 

âïüâöìæòC¯~a/CøK
î”·.ÕV–Ì´¹ËÐ&äûÀÑÈ{u¥ 	5üHß
+u|W¢»¬Í“è²	+§a5/£MÛ*Ã(
K§�Ž�¶Ì1Ó:rá°ô}3}竱§	÷TÜ•ØZÆCÅ×ÄÏ”‚À_6¾¦>J$׃ú%ã…‰Q¡0®òÛ`b«×Ué[¹s‚¥¸2æx1"‘qÂö[£¡4Wʳ—[,à
«°±®ÈÄãõZg4eS”ðNü5&H]‚º¡’.e¹w�8Û�l±»Ú“ �¿l’Ái¤B§
ÂæTGÛ@×n@íŽwh¥!1˶š¦cf¡PªVñj‚Bb™îd×xñ¥¢í	鈩Me¬ïIãǠܹïÚ(>ܼ�üÇ*Ï‚Ë°íÒÚ@Âñ5À„J’�Áþ
+endobj
+1893 0 obj <<
+/Type /Page
+/Contents 1894 0 R
+/Resources 1892 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1891 0 R
+>> endobj
+1895 0 obj <<
+/D [1893 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1896 0 obj <<
+/D [1893 0 R /XYZ 56.6929 513.8248 null]
+>> endobj
+1897 0 obj <<
+/D [1893 0 R /XYZ 56.6929 427.0967 null]
+>> endobj
+1898 0 obj <<
+/D [1893 0 R /XYZ 56.6929 364.279 null]
+>> endobj
+642 0 obj <<
+/D [1893 0 R /XYZ 56.6929 325.4767 null]
+>> endobj
+1899 0 obj <<
+/D [1893 0 R /XYZ 56.6929 288.9693 null]
+>> endobj
+1900 0 obj <<
+/D [1893 0 R /XYZ 56.6929 257.0263 null]
+>> endobj
+1901 0 obj <<
+/D [1893 0 R /XYZ 56.6929 191.2867 null]
+>> endobj
+1902 0 obj <<
+/D [1893 0 R /XYZ 56.6929 119.4786 null]
+>> endobj
+1892 0 obj <<
+/Font << /F37 743 0 R /F39 858 0 R /F23 678 0 R /F21 654 0 R /F48 880 0 R /F47 874 0 R /F53 957 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1905 0 obj <<
+/Length 3038      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[�Û¶~ß_áG/pÌð.ç)iÒ E»ÙÓl�m´–±%×’³ÝþúÎð"KZÊNqàQÒˆÎ|s¥Ù‚Â�-Œ"TX¹È¬$Š2µXïoèâ3¼{ÃÍ*­†Ton^}/²…%Vs½xØæ2„ÃÅoË×÷÷ïîÞ~øõvÅ]¾!·+Eéò§×w¿¼þÑ?»¿µ|ùúý»O·+fe&�ˆQ¤ÓtùóÝÛïVß}¼ûþý»»Û?~¸y÷г5d�Q�<ýyóÛtQÀ~¸¡DX£OpC	³–/ö7R	¢¤ñÉîæÓÍÿú	oݧ)Q(aˆ2<KÈ‚³cÄ*ÅGÂP–hÁ…ÆÇû‡ï>½Ø	%T�¼2Îà#˜<©„@´RÅ…JˆT¸î*Ÿ.iÂðËKF¢Ä’b°$¨[0«ÆK¾m@»F/óS×ìó®Z#^5'&“Ã/Žu‰†³s`‚sˆÖMý;¥üóés65ÀD2³|ØV­_n}¼…û2ïÊð ÷ühWúé…LϤ"2Ó|ÀùR>'Q”茪@XÕ©É
+¤°Ï¤™H9
†ÃžÉ€Å§rY”xW;´RåÐêžnòÓ®ó7ëf¿Ç½;‚õ6¯ërçßôOÁÈnÙÔvæìÂ?Ff<án×<Uõç„üSÄH«®jBQÕÕ5gÎN5.Y™(p<SQ&><Uip�Ÿ”×4'ˆ4R4‡1£Û–~°kÖùηMÛù‘[Ð�êÆ_7§#|rô7/|ˆã]i¹
ÇÊ¢–{Ö>ÕuZn|�êÝŠm…&ù¹tfÁåN6“	’‰,‚Éi¥õäÞâ¸ÒKë¤Ñn€I­ÔU�I˜ÿ@Y0ácéç?µh÷n‰°váL·9¬ªÀ»7åÃ._—{ÀTë?Ü875à5[/:Î%|=1…{µD¨,ê3½
¦‰²Yhþ3§T´…ÏÎrÍå_UÛ¡î|âx¦žç©ß΀«¬—«Ã"Au&˜ƒ þ@�l9@ˆg2>†Ð‡
®k�iCF³o¼týÃr—?6G´w;A¦®ö<êü,
+™OÔç³Û!Õ|vÛS9‘?zFÁ~G"7¶W8D¶ú»œ²Æ ›Ï2@ûEÞzªs#-K°eÙ˜»O}º…p—Ü{(8ŽÜ¨ÙL^A@Es|æ¢9ªðà±êZ¬“ sü鄱Ï=,ãµ{*Ë@ɬl0PŒã@¸)þCÓ#0&ˆab±sFꮂÚ7óÚ¡„vYÛªÚŽTNÛ딶Á¼!“9k{SíÚÎcò2k‘(ÁÚX×\<àkÄÛ/!¶£UÚch	
§w³i§AÁ÷‰YtÃXç2ùͳ¿ÉÃË|וÇ:„Ÿ �¿D‡�°ƒ…Þõ
+Hf�ÓèÆæUO5¡œê+ªP]P}¤rbÚ¾(c%�òÊ’‘(±ä¨ŒµDr5YòþX…ˆºŽRß6Ç`í	RócP@³™d ^eñã: #w®òó©Ï¬œ>Óá›sž}cÈ¢�x~M52“ÄfâŠRÍ«¦§rªùò->Cˬ¾ÈÛÙ¿d.éƒGÜ�|0æ²AG:”H0p¬¹‘×ã€Æg,8šºå8æ%ćíЊ€û“¯GtŸzçþò5ßU…Í>¯ê3ä‚~ˆ¸šúâDÑ
+åš‘Ã2auÉ¢õUØà#£ö
+lT`©lWas@k›b†S‚û»ÈW$Jð5BWXáOGmЀƒ¾vPŽãÇ©=a­é²ü„]SHá¸×ê^€¯èë¤Ô2eXqY·g_'ƒìl|%·OÕ]‚Fûr{®t¤Dö‹¢3ib_äH!æqŒ�W3Pß,˜ ÙÀnˆº¦!Õ<˜z*¦cL–h#zK
+Åw�HApŠ{ÝZ¢„œxœöP·÷¥^Ñ8ß©”ß�tðhûZ¥�'[¢†ë�WEùõUØW"ˆ
©î;¬®¶„Y±ì—	~ׯSTëÒU aÓŽ¿†@2”(¾t.®~åºl[¿kf4F‹I¿*:pp™��×Á]WõáÔ‘Ä.
žœÛ™nà3]�	™õ�ÜÙÀô2…è
.ç˜C¡å*o¤(�þÚ7•ó„˜ÐÑ˳ð1¨Zð´sv@C!º,SS½à>4ŽàIU.òÂ?ö²�i�Ó�Óñ¥†�Z:$«®W4 ÏSªÛÊ¥�úr˜È£Št7^2Ý÷)êµ!DÏ�’‰á�Óaè×XÕ´Ô‡†ú±Çrqïó�¡k½–ï©.8´HåZ{µÔÉ‹âàœ*u.²Ö—:/YK–:#ÞÆ)�úçlùáÞ?@Ö\lÅ¥¨È ÞQɲëÝ`fŒžFEœÝ÷¢`ýs¿œÓA¿œÓq¼tßÌÇKÈŠ·âßÅKïJ¹&LêoLÞ¦íìæ𘯿„Ra$AWpC±	?6‹E®�ÂÂà"‡TóXì©»dp…ì)êl½=6MΤF`„,ÓjHÅ/2×S%¸ÇVN¬ùŽØ•·µ±ò¶v®ò†tOu¥]Ç3-§•7NÙøë¹ò¶¾³kÍ 	ÖÛ‹ˆ‡�2É®#ÞfŒ÷½ÈÝÎOZ�n’w8n\ûm%ÁÍ¿¯òbJ
+&PZfêŠ
+÷æ½²
+®:ב†{/¬ä%_…BȈ³ô1Ã˶'òn_,«p…%aþɪ›æäÜ>z>GB€òä£7Ë¡€Síß3¯ú.J¬Wk-Î8¸�kÑdHuÁ‚#•ƒúéj­aî8Wk]䫯µ^ò•¬µFŒÛuêr¶«å|×,Ë»Ò5³œÙ©íöP’¾ÓÁíÍSíÒ)n&ë�“YÁ!_¤öÛ�ПžøÂ
+ýÑ
&H€­›ÄF3Eíëòè{Çí*xåÃs˜<ßµq—ƒSþp6‹)>�¤{M½{žÄ söH—Õô¼õl	ÃnVZcÛx PÅÖVm\W�~»ƒˬ8”»Tk,¬ˆÅ�̽ûõõO÷?¾û”Ø=Å0A4ž»ðŠÿ!jbt×<¥Nl!n
+{ý/„²ÑÙé8
œ;�„œã�¢'çxásx:%ÍðXGCZC¹Žì4¥iÀÓñWQ‚j(Ð*,šp˜ûKÛÓM]:#BŒp=ždä×nסXqCÖrh -Ožž3ê:\âü¯žîØìÚ”×Ôf\^þ™
é¿`èóWÛ�†,ò܉=†Íxe¢ià]UÇ Ê¦v“Üœfq
oâ…òZÒo:`+gÇgßóÈaWfíèÌümN("ÓÍVÚ[æÿý—ºó_!»Æðt\T"üXd
+÷ÀX6e½ÿóÝKÞÿ
n9ôÝendstream
+endobj
+1904 0 obj <<
+/Type /Page
+/Contents 1905 0 R
+/Resources 1903 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1891 0 R
+>> endobj
+1906 0 obj <<
+/D [1904 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1907 0 obj <<
+/D [1904 0 R /XYZ 85.0394 751.8648 null]
+>> endobj
+1908 0 obj <<
+/D [1904 0 R /XYZ 85.0394 153.4294 null]
+>> endobj
+1903 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F39 858 0 R /F55 965 0 R /F48 880 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1911 0 obj <<
+/Length 438       
+/Filter /FlateDecode
+>>
+stream
+xÚ¥SMo›@½ó+öR™îì»GbÇQ‚]C¤Ji–Á‘¥°V1QÕßlg£8Ê¡BBìÌ›Ù÷ÞH¨{�HÊ0C#@R”dÓ”<»Ü,À#&>�buU߯yBÅ)·^/
Tk$eõ^
Rˆ\®òé$ž,òëY–G1‘ˆ0].³|:ÿÅLRvHJÃû4HïÆØ22,LgY=•·AVžiùÔ‘òžÓïàñ‰’Ê)¸
(p£%ùãÐFš@HRp~Š¼EðãÜÐË¥­pjWì‚	")Ù;3¤
ÅÌ(²l•Þ‹^�«âžƒ”ÄL€(xk«Í/*©v/ü6Vö1Øìí¶OH/a×M]yè¡»ð烂
j©Ý5Ãdæùt,5GRU³³»C×®»};†Võ¶n#Ôam7õº_Û×õËò¨40¥Ô±=!ï\‰¹óOH&Ü—DªlúPÞ,V_2·]ÝÚº™]ÝÆÃdoû¶Û½6Ÿí‰»°î…©Ò3ÅÿÞ¡·E$Àµfoëáëb‰W¬N¤zqˆúõÓ¶}äþjnÕÃendstream
 endobj
-1344 0 obj <<
+1910 0 obj <<
+/Type /Page
+/Contents 1911 0 R
+/Resources 1909 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1891 0 R
+>> endobj
+1912 0 obj <<
+/D [1910 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1913 0 obj <<
+/D [1910 0 R /XYZ 56.6929 752.4085 null]
+>> endobj
+1914 0 obj <<
+/D [1910 0 R /XYZ 56.6929 692.3565 null]
+>> endobj
+1909 0 obj <<
+/Font << /F37 743 0 R /F21 654 0 R /F23 678 0 R /F47 874 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1131 0 obj
+[646 0 R /Fit]
+endobj
+1915 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]
 >> endobj
-1189 0 obj <<
+1476 0 obj <<
 /Length1 1628
 /Length2 8040
 /Length3 532
@@ -5324,7 +8416,7 @@ endobj
 stream
 xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä000Ì ÝÝÝÝ’‚R"‚´t	ÒÈ‹>ïÞûüž³?�³?½¿w¾Ìÿ^×Z׺î7�¶‡Œ5Ü
 ¬‡¹rðpr‹t�´�P(ÐWç�…C­
�f
L9g0ЇÉ]Á¢
-Äü{fXE
+Äü{fXE
 0Üú÷äè¹aÖ�ÃöOÃoäæìüØã?ûÿxýœÿŒ=ì	a.ÌÁAb¡ö™9Y®
Ä£ò/z{x�Âœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n
öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"›
 rn­�êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ
 b¬Å7ÎßÊçÏVð™h9�Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ
êt›œ(†Ì%³LÇ�î)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý	%õ‰>•pjÕr{2–Âw�Í<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3
@@ -5347,1481 +8439,1586 @@ $O�íœàÅ€DÈ
 t�‡Í=žÝbóÆÃwî6ß"£“˵?�”JËOP2RÐoQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ�­(e÷åû È
"QÔüFØs(úF�$'‘qL ®/¶!õÔ
¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ°gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“�†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd
 ÞyŠGÝ
 ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’	¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx�(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?�ÒK áéá@F)Ø,êw÷ó?�È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý@¥-«ä%
Å~jÉwXjz1�îi´·î¬%uÕ3^¿±g�¸`d+ÎK[ŽDe—„]âò†Yè�ÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š”™v_Å
[ªJÖ®²9m=·�âú?\‹k>¼à¬‡¤*³Ñ³ž,Y
ê<‹ý¹uÓZ/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0�ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_�ï‚¿œ%�%½¥åŒìé|°
D>W²7}C–Í#—ZR¸
­$º`bÛGο…a¿9gÝS%\”Á/œîñ�hC|�?s§Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O
 üõí+uqfº`Îa‡„°£â,I§ã¯½/‘�˜÷�ÇÝ›Á¤'P6ߢH‚
Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’
¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)�wL=(‚Œ£± L|�)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í;¯åä²fùOî{&*‰äyÒ¯9Û�B±T¨d>è.<Sâ¢éX3p7«Á~ª"럽Ÿ“lË´ÍÔDQÿfŒ°Ì
-*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}
+*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}
 endobj
-1190 0 obj <<
+1477 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1344 0 R
+/Encoding 1915 0 R
 /FirstChar 67
 /LastChar 85
-/Widths 1345 0 R
-/BaseFont /RMHUOF+URWPalladioL-Bold-Slant_167
-/FontDescriptor 1188 0 R
+/Widths 1916 0 R
+/BaseFont /XHCQCG+URWPalladioL-Bold-Slant_167
+/FontDescriptor 1475 0 R
 >> endobj
-1188 0 obj <<
+1475 0 obj <<
 /Ascent 708
 /CapHeight 672
 /Descent -266
-/FontName /RMHUOF+URWPalladioL-Bold-Slant_167
+/FontName /XHCQCG+URWPalladioL-Bold-Slant_167
 /ItalicAngle -9
 /StemV 123
 /XHeight 471
 /FontBBox [-152 -301 1000 935]
 /Flags 4
 /CharSet (/C/D/E/H/I/O/R/S/T/U)
-/FontFile 1189 0 R
+/FontFile 1476 0 R
 >> endobj
-1345 0 obj
+1916 0 obj
 [722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ]
 endobj
-1156 0 obj <<
+1292 0 obj <<
 /Length1 771
 /Length2 1151
 /Length3 532
-/Length 1711      
+/Length 1712      
 /Filter /FlateDecode
 >>
 stream
-xÚíRkTבª¡¬òRIÕzX¹yL4„„0åý”˜™�)É&�4€ˆ*©Ê²ˆE—<EE©°ªÔJ-±
-·€/Ò*Â%,¯EªVEÀW¬««ôgûë®{Ο³¿ý�½¿ó�Íp	�`Š`|„c$bAB •J  Î�Á ‰âX ŒD„
-f&›ƒ‚ª—4ÏÆ{ýç»ø:.ôžk'J4GåNÓ…mÑ}åÙlÞÄø¢cBÏ=/¼‡~(‰26�ö\”k=´yAÚNÖýÈåz¯_¬Î…ե躼êN¿Ÿ·l/™Í\»7íXmXí6µî‘`Ξ£‚†‡�UEöÙ'¢æïåD¨wÛøt¹{;cýåºG¤]Qøóªçw¦µ
#0óñq}&÷ÌGëyÞ‰©¯z|¯;X£ßµñÁ£›+m_OÚô
-èéâOKr_oí
ÖØØ‹›;LØÝ£¥·¿ïGƒ›Ï´×¸úÄ~µÔ·•^þ?c«Ö2¹öŠH=GçQh90Á€[ªÔuNØÉ|É_–êfr6J¿•<qÆŒ-é†mA$ãÐËÕ%Ñì\s望ž.äê±*!±TrJµÜbÆí™c�KœÍO‰M®†ð+vÂ~·*ÃãG+'|îtOhò/�vþtz…T!}�±'e¾"K§íš—ÕÜ]¶À®BÀtÛrú#ýçÜ/Nš6YÌ#ÖHÂáo,•Û®9^	‰¶UC›cZî³#±�ùVïæ†ÒéŸ`†¥õcÚ}õ!eæþ#;.fE½_`¼ãí\&.ye]?ÔaYžxˆ+th’75v_¨*¶ý0Z@”EæËÛo%o–Ö7ße³:¨Ì.îž[Ð2káŽM?:=Z–Qùe¼ï9~~fôÙ ^¿ßœo])I89çÄP‘¸æ@ê]qoHö3¿ïރ߱]ò8æLiaÁs³²ï´WE±dør—èfÛnF]·ª¹¦¬`·tn­Ãúw‚íu\^µóÙÕQÜÁû¤}œ¾Œ|ñ*áär§¯u)EP`�áapëê,;ÜŠÚ®ékrh÷cåå‰Êü»¯ïQ&7v^+Ïû	‹Šh¤O´Wï›Eå±}Ûg‹V³î}p%îÓoRjøƒcçÅ­IW{?]»ƒÿ”ÄvO*bÊÈU=¼y¦
O²ÂåWÓë8sÑþ_ࢀ\…ÈWˈ4Úo÷tŒÄendstream
+xÚíRkTבª¡¬òRIÕzX%ró˜h	 B,òF32%™¡Ã
+«Š@} Ô«pø"­"\ÂòZ¤jU|uÀººJ¶¿îºçü9ûÛßÙû;ßÙ—°–Æ7 �8F² 6$þ2™âêÌåÒ‘“(ŽÈID ¡Ð¬ÎPÞ
+Àˆø+D|
�
üñ4�¦¨HàæÏœ$	€Xƒ¨BŽ
™œT!ª†B®¸EHˆÕj>y#„#鑉Àl
U�`’‚b4Τ&)¦Ä�à
g¤½Me"D:%
+¸MÉdJ$Œcj€%�³§º!”–BÖôâ�jõ¹f²ü”SÉË5¨Z÷;פe�
d8ŒØtjòFœ�ÑÍô¬””«Q…KQ#€­dsW¾ÁÑô@T‹Àa(©P
¥\�ŽLáOWBù7¥ƒîþû×N%Ãä(FFêÒÀýƒ=CÄ”Iªñ\6—QDj¿=%Nk&Á8Œb)€Ç÷
+`ñøT+îJO àssþDTd‚‘SãCô6V¢”§¢E4Ó
\áµå㽧¶ÕæJª»ŽZ3Ó–ÞÒqnëÉR/öpŸ—Ã5¢é‡Häƒ_í·ÚŒ³+	ùŠ+ùýôSâl£>‚³µ×ÞhëĬÜ1ë�b8!iÆ¥òö¶÷4¶ß5-6§5¹?øÑõé�ÌsÖõ¡÷ A}¤pfíÍ/ç¦nìì7Ù|	»•ÐËO‡îA¢ÿ{§èÊÄý ¼7Õ\šŸ°ï©ã+½ívOê-ÛR¡¡\fu½ÔûÅ.S«è¤AûS›bË„«#D³z\‹®(ï{»”Æú´4‡È~™=Øͺ”¾Û#ÍÏ)	Ž‘F�.8Zé ¨] öª¡["
mëZ5>Ø…sÃÚ|‡Ô†.žw1”Ö´‡ž<þ’ñë’3Ÿ$>Þ÷ìµ�Þú@¡w±p>>#ÆÝs¿o¦›û0³ƒK·¾ú™Ñ%N®úâ.)ö
î³Yeh×üÛw »eLb…×óœnùÌÕÄ£Ý�köVüK¶Îýëfãî‰ÖBwûp êáÏ[
ûyI�þñ}Ég"oº_ªk<_àXW03ÑØX½¤y6Þ;è7ßÅÇq¡×\;q‚9¨vš.ôh‹î«Îf;ð'Æyèyá5ôCI”±iä°Ç¢\ë¡ÍRw²ïG.×{þbu.¤.Y×åYwÂøý¼e{áÈlÖÚ½©ÇjCj·it�„sö6<„¬*²Ï>7§,'Š@½[ÈƧ˙íŒõ—ë‘vEaÏ«’ÙDœï™Ö6ŒÀÌÇÇõ™¼3­ç{%¤¼êñ9~°F¿kãƒG7W.Ú¾ž&²èÒÓ$Ÿ–ä¾Þ2Ú”ac/iîˆ7aw�–Þþ¾n>{Ð>ÃÕ;ö«¥>­ôúóÿ[µ–ųWFê¹ê8÷BË�	ÜR¥©sbÀNæK~ò7“³Qæø­ô‰3flI3l$‡^ž¨.‰æäš{W�ôp!CǪDXÄRé)õr‹·gŽ=.q6?%6¸,h¬Ø	ûÞª[7Z9á}§{"#ÏñòHaçO§WÈ”²×ñ{’ç+³tÚ®yYÍÝeì*´þ,·-§?ÒÎû┡i“Å<b�4þÆRÕ±íšã•àh[
´9F¨å=;Û™oõnNáj:ýÌ°´~L»¯>¸ÌÜdÇŬ¨÷ŒwÜ¢�Ë$%¯,ã¢ë‡:,ËñDMŠ¦ÃîUŶF«ý‰²È|Eû­¤Í«‡eõ�ÇwÙl‡ª²‹»ç´ÌZ¸cÓ�N�–eFT~¹Îçœ ?3úl ¿ßwη®‹‹T$œ”sb¨HRs 室78û™ïwïÁïXŒ.ys¦´°à¹YÕwÚ³¢X:|¹K|³m7£®[Ý\SV°[6·Öaý;Av‡:.‹®Úyïê(îàÒ>N_F¾xr¹Ó׺ä"( Çð0¨54Æ·â
¶kúšÚ}Ùyyâ2¿îë;GTI��×Êó~¢"éíÕûæ@QyŸöYÄb¡Õ¬{\‰ûô›äÁàØyIkâÕÞÏG×î¼0%r˜‰E,9¹ª‡?Ï´áIVØ¡üjzÝ
 endobj
-1157 0 obj <<
+1293 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1346 0 R
+/Encoding 1917 0 R
 /FirstChar 60
 /LastChar 62
-/Widths 1347 0 R
-/BaseFont /ZZWIVJ+CMMI10
-/FontDescriptor 1155 0 R
+/Widths 1918 0 R
+/BaseFont /DTYLPR+CMMI10
+/FontDescriptor 1291 0 R
 >> endobj
-1155 0 obj <<
+1291 0 obj <<
 /Ascent 694
 /CapHeight 683
 /Descent -194
-/FontName /ZZWIVJ+CMMI10
+/FontName /DTYLPR+CMMI10
 /ItalicAngle -14.04
 /StemV 72
 /XHeight 431
 /FontBBox [-32 -250 1048 750]
 /Flags 4
 /CharSet (/less/greater)
-/FontFile 1156 0 R
+/FontFile 1292 0 R
 >> endobj
-1347 0 obj
+1918 0 obj
 [778 0 778 ]
 endobj
-1346 0 obj <<
+1917 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef]
 >> endobj
-976 0 obj <<
+992 0 obj <<
 /Length1 1608
-/Length2 6751
+/Length2 7939
 /Length3 532
-/Length 7596      
-/Filter /FlateDecode
->>
-stream
-xÚítuTÔíÖ6Ò’J �Cw·ô€ 
-3383´t‡ ”´„ÒÝ 
ÒÒ-%)!)ˆä‡>ï9ç]Ïwþzßó×·¾YkÖúí¸¯}í}íûfg1
-€RRRDì
-fg�
p™™róòòýËó;`ãþ�ÈÍI4Ì
à¸ùp�‘NŽPæâ|…0öP€-¨è<ÖÒÓ
-ö‡†3†°û>
-jg�‚À¡hô
Ì
öïéü«OÀëÞÚÉ	îþç4òOÖ?9À0h(ÜV€(|SŒ¹©mC	þ^-„-
-Äé
-rÊ­4~Ÿå[‚lñI]’*|vQ$P5(}Uï>±åt¹ªÍ³ÖÓJçlI€îf2x±q·eÝ�çø(Á»æ/h•Kš´mé¹7®³ˆk..ôhí뀡‘UÎãàGÁÞOn_6—,_ª'Nw¼Áo+¢©É«°(ʲ·¶9b¿ý<áììíîúÔrp»m•ž7=š�]Æ—”#Â÷E:½‚¹I¡ç+›`lgI\kp›	—Èüô
Mõ¢À|ƒ°²
-œ…›±Ø§Ï«Fc³}m½}ä®V‡6Gr\> "KªY�Ió½1Ÿ·²Ÿ÷9Qg††1„K<O›ÎQî,,ÿxtä’3¹ÂtÐ#¦»è+Õ8+ìǤÈF¾‚¡Ëñê>¬”(æ33óÞ5±§Kí9uæêMæŶ¯’–÷O÷‘™÷Å㣛Rð�sZ1ÆŒ^&}ÐùQ íívRæXnú
v�†e^êÛ¤J³T×_+'wßsšßÚ&ŽŸjUH§¹ÿ0Ä~QzNÂí#(êyžJéêAB¢]±\ꞚǼû¼Å‰#¢
-»øã}y{ꔣx$�󙹕Ä7ì)	–/ˆ„³Îé4»×c§zœ�ïÈjYÔRy°©ûJæ—V‹V¦wß“ó
ÚÞÆdêˆô÷Ô·³0øò…i°sOí?¡Ðd˜¹ò@ÏéÞcxL
-çÚ“9q93š¹“Ù10Îd6NÞ”QáW}Þi¢ioRŠäqY"ã¿›	&Ù‹²'IU{ö+º#Phq"�!Ô}q§t°<>J*KIý s]/wûW3´¡Îú㌜LgŒq~2Ê΃U.{òªÄþ²Ô²LPšPPn
-%5èëÖ,»;e9øüNŠY‘
vÅ—/<<vǨqA%EªŠ�·Y
-GáÊCÚÅ*¼ä7/*§Åín‹+¤½oèg¼cèÿ jÇ7^96Ü@xÕÙf}¡ñÂSµË¸õh‚AF—GÌ‘ÿZÙx~åÓ‹ú®2OBëðғͦ´z+! v2gÅÜ‹†‡´©h³+®,:®1wJ:ŒéÜÊ�éxK‰ûž�q³¾êüX¢'ßV �IUm;³ª€‡HS@ž=T_ê ÙöHWçËm_åè˜#hcWÂWF– ©R
8O°rD›ö
-­¯Àäzú~ø£<)¸4<~v
-é‘XÜ…AÉ/½3JÈ…–ÆÊ¥íÆ„›€ˆÅèažÜ‹[òú6!C“�KZvââ‰Ê¨\ïFfþÌIòÅê ”×½]’À"ÒÖ0ìª:ðžD¢Â�“P•7vîÙú¶ß‘Øݬ��¢š³›Å1]»õ¢[Æ0áë¥z‹Þ°3éØ)ÏuµO"n`·¥(mèž<p=i9:
sPSk_A8ãÀ¯Ì4د¼#tH$Á›¥®k—f¿‡§7'2̃æä¢XañîÖ:ô”ä¦ò[ãDäfU½•Íß«š²�íYóå/õ$´PìHK׋~(¢‹E÷I9)°I­4áüÕæ=©Œã5öVQìºÒ
-hY$7U3~ñ4päáÕLÔ
-U¿ÍChùLð(+G ÞNÒ±˜¸åyB{v€SÐjñpÅʦDÀ�ú´ÐFˆå¬ÞõËþÝ�ýKxŠ|¢[ô‘tU¯™ÞUgkÿ*C‰wt{®Áå;»ïöøͪÍ%ç‚Ý'×k®DzÓ	±ri;Ìi/[ˆ?–¡zí¾ï‡÷$ƵèÜi“¤Ï�+õÎqM­ÆJ:¯V£#NWßÕ}èõ˜{¤lŽ­.NPGIÀ}5ÙéŸ8rè“2–î±"`ÅîpMûspÏ~ÉŸr Õ[âÜ+\øv»•èkIʦEæÑØ./îœN3ÅEÒlÜ9‡f�²AÊ“!ü¢µö<qÕ§>›¹Jjÿ˜¸{…öÚ1U÷¼05§lî¸:—ŠÕ­¸”ä&ö
ƒÝ]Ôßû%gÀŠ%ÉëO¶LK¹]ŠT”I¹eÓõ–FAh]A·Ã/@Ú>Pw"d:¹.ë”19M¦àÑ£ðs?Ù¢––~§wøÆÌ°£_ÙVŽÏ^¯ÓåÝ_ì#ê97¸›6!”UñuŠÞE(ÚÃkj't…×É¿è9ÑSLy¥Ïyîqk·s»ùµ¾Á’yˆFQù¤	[Üëĉåûæ‘>s\N«:òܵ„Ø™³=7ZQØ··B¿gð*ù�&¯½Œ}^&¾óDžgçµ|ÿODKoââÕ¯Oþƒ¤£j¤óÅʬ~Ö³Œ_ñ�ådNT_/üd¥×’ÙH�*$hç¤2/û-0Òó)Ëÿ¸’(4æd‰nÿœLõIÊ=·ŠQª¢|kA89Ç»=¯°ãá>kŠv3ROn&Àñ‰ô9DÖ<}£º‚P³Õœ2~„û¸¶wÑ·Q±@HfÝÑ=RUˆ`¹”~k+³x˜’x·Š}Ì;a—r‘­2`å-Å0{ªÎ817™†Ý€)2hô»}hïëõÔÚ+W/5¼zæÖm(³ìxÿ›tŽú9B*«tË[p{•¾ò3\>ŽJï,ä6>à•ð좒
-É7)¬G»ýØѱ†ùÛ#3/éµåhÈM
-Z²Û¢:
äL²%T1ãͨ—¥^‹?BAI_ì¹øŠ\3&Â…§Í-0�ÙySŠ¨W³4¬«·;çæ±û«ˆk	U,~уû�áNp¾÷�Uê¶]RÏìŒ{g|õóÒî8,-’-ë÷síKiØíÒ_zQP¢Y§Ï>3Y«ËÍgAg(æ)„ºkß-µE¤çÂuŠ¨émº.?}&í;!æ&B)ž(;H…uz\J.‡”
é²ìQ·óˬŸÑËM:Û{gjÜt|ï¦Öz½ÚŒyfE.:ð�“+ÿŠ~z=ŽóJñ¼Á@ÔHÈ:Âû¬º,À:¶ìâ5ôê¾]Ø�‡ðI[í2ñêá×n­Þ/5mêÉ«¸¿-Êä’8\ëã“ãÌȺ)ÓIsN~{ØE§Ÿ)n[,÷Úix„Ci?éÍÿ)ãTâëu|SÃ5^¦V²…÷èû ü¨HÖ°GîxWÖ"/‹Uí®lF³“ƒ™¨Îý@ÝZ{¤ë;
!‘›	±À]¾�dOÉ›ñ«²àýa0ØÇ««â}£@Ýä§oºtÍJF:ܺ²8Ê^œ1‘ûl�§ªæEéRûošD?÷®=¼»=ÓX#ô
-]‹g<V³-£¦ŒrœBBÅ–ù°�\DÍ`>k
h ¢.@3‰\§NýVró²C#Ô?Ö¿`죋žÚªJò‘
-꧛qÚüw…£·ñb
-Ðj¥×‰"̨"Œ 'ËÑ7úׯ‡Ø:�W¼¤Fü¤H®b¹j†CV¿UÜLzßìÕ‡OSS\�W$?KÍX	uçP(îVš#ÒîøÇÌv¶×{ª'Z‰=ìx©oïUë*^„Í›Ú\^OiJdXÜÛÖoQy>lÞ)ˆö�ó(ÏXäãè÷[nÔGÑ‹®ÝWèq±ÎÿÍ‹³n/²1EÅlæqéF0Ÿ‚õ—¦ìk#BÕibÅÓ‰h>ª
-ʃsdLðén4r¼™¼
Á=äÖ<º<@Úúšg×ʶÉÆ‘*<ã#
bowP›$ÖÌç»ÂËlöh¼ŸrevVMRMÐ�8t=jÀhqí»±¼bGP¹Cú•32°AöÍf»ïQ)‰•5W¤¹¶ÙŽà×¾€ ½>î‚ÒäÔC.ýR÷f‰9sï,çë„
: ~±+2ö$5è)ª8vM_wç¾Äè>ÉJˆûNn‚”ëäkƒ
ãÀb6²F=kJÿÃÉ%1%c”oYfðkxÒ¶ZzhÛ~¡bÈÚô‘­’ó͈7VÒ®Óìç¢j0·Š«qW;éKsF‡·ÚZ;�25߆o›�2Ü�KÉMšyh|µµÞ˜{JæÀT\]·B�/âfÇ@xP™�‡ò|d1£z†Žî›Seå]MtÞSø:WRÊ*ÊŽØ[cñ�Žð"àPE?îk'
ÚÓÆêù

²ŒHûÀ#²²£×G®–®/5¿âiËÑÓP[ñ¹Û?1ðßÁm“·»×@ks)j[Q¡1bD"¯‹[kbî%Ö”àbéÞ¾ÄLwðžî–“écʽ¾ÍÝÉÈQî"å$×3Ѓuq²wžõ$GM³þßviJ¾ÔË×d=5g»S–¦þÃsÒ;êiYŽÃý…Rnä®&nÇô�;\·ªLÙqÄü�˜²Ir™˜íµ½5e¶f""Áµj£èÓÒãdÂFÆט)ûó§¸ïôeQ™²ÏºùH{u׎ÈzÝsš…0æ=q<¨œ\¤Z©ÇûR‡\¾óc;™)‚ƒpt`
õV«c�‚pãøf“€6�0±‚]%]çtv�…~ýͨ‚¢$ÙÔpœSõÃÐÍéóÂ7mgíq‚�2ì¹yßÚ±œL“­ªr	ªÁ~y³Û
†o¼ú
îå~ácìðd�ùÊö�æÕ«“B¨U/‡¬S¬è
=g×
-v
-Åõn`ÑSd)-Š…ÕY¤Ch§ÕÍt%-�‡ÃÊ
-ãFaàÁHœ1a™ŒƒÍ°.Ç®üØí*¹Ô0y‰FÝ
-Ï6Ý_Uô]#ó±ä
-ŠŽt39‡nßh˜ãÀÑ0½1¢|=FL§d’æsÙ_Ù£“-"¦‹Ï*³8/©h…—¨ÃçäLrÏ¢·rb¥{›±\&®¼jÌ	I_¾l�‰Ï¯ÔB² �2Ýݪ'Þô\E–j“Ðò͈?Kåd—¡·–Î#·È÷!t%)G¬”�–Ò¼çF–ß?ϸˆ¼'ùY3{Ä&v(£ÑÅòÌïPA¨¦,‹vä@)!~®RìõôÉ7ЙF®è”{¸ûäº2™ vFéä9�"¹nqx§Ä
4þ5;G\tHê!2ìM)­Ä‚E,vµæ-ô¿üý€ÿ'
-ƒt´F='ú?=Œžyendstream
+/Length 8789      
+/Filter /FlateDecode
+>>
+stream
+xÚívgPTݶ-HPPÉ™&çÐÉ™–œƒº�–††î&K�(HÎQÉH�’sÎ 9#$ˆ€øÐïžsn}ïüº÷üzõvÕ®ÚkιÆsŽ¹VmVF-]^Yª„p@óùž4`ö–Î(]°ƒ¯
ÜEXYå‘P0†pP
+G8ÚCзÿã�ºP(
+�²BÂÑ€Û¬Z
+JñDÛ‚Ñ¿s£`·n
+œ6B†Nš
Vµúz9S,nq2BÙYÒ_+Ÿ¦Þsà›`n'.@b%iî§ZüwœJ¯îsúð{^¥’¸úC�HW—Z“èŒÁv,!ieí1«¥O˜–©í[�oF‹£‡y‚öƒÛ¢Aùx@”SÜeMIƒZ|
+úˆJý€•<.%sõJŽÅ?ANïÝy¯2}oÁ[+B”z1’áž ‚`Ïtf�¶¢tÈwŒ°ÏŽ·xÀ©þ™Ììè)‰ë�{çqéœÅâêsn¹ÁâÑÈ!áLâ|®Å–êjÙµXùPüðáæN…:ÍâŸiËÉ#V
+.¡Þ&ä±.­µÙ:á%%¯ÆƒÀ+Ùì£àrÒôdxå	~åj}vøñÅ
+E“õî
÷*\ÔíÀ5´Êµ³nÝ¥¿ìv°¦Õ°“@<˜ÐÀÁæ„|º‡¹Uº–ÒSCö¡•Z„þîýÐ�ni¯0q¡~‘
+5¿Õ¬g-Í=¥á`8Z4~  iN6ý”@}!ôk °)„COÊ,”úP¹EÞ}/šòÜ:o«4QßФháôBlågË”O„á�1
QÏ—�=GÖíÎ2‹$ö"Ä‚B5GmÞœ!k�Ê€ÅÁFþ9¡Ë+TdùGô“Àû"6®ld&Zíeí{4BQãÛ£x­æ
+Çžó,g½Ã!‰âŒOòpÓª¥øℱ—ê¨,«镨’/+U²ðN\ú_øHîÙ;š2™´@r•zPÆœ±¹ú™5¿,Oì°v^=³ŽÐŽrûÊ`ÉØÒ�d±‡U”£'„/,&z‰â£óõ�¾Ôá­�ÌÚ_'z8ƒ^»‚!OUáö:§˜VeÞö¨|BVvÔ0ó+·–0ûÖÓ¶Ú,V¿š J,â^´S´+�kNï¯s¥8¡ËÐ	f´“[„wO¹¹Ržáè�.ÁFFM„l-¿?®f$i½*Z§g´É-@$ˆð‰´…G©3ªV;eW„ôÆw�œÃðÇkÝüÓï«Ï0¾B¸9lZàâèàø3x?Üßj¼¼ß· E=_a^ñêu(ýv
+-gھ蟖¤§I„²kZKéä”ð
+›û,¥ñ­º“ÛýÙU@žXÒÖrÝ}Â;´w`D­.à™Œ«ž¥ÅÇ3\™»ølð­…Ébñƒ¥‚U³¢ÌöMÌœÞÎÛJ”…¶WkÓhý� j¢’«qµD¹Kz瑳�³B|óG\Caî+þ¹*Ê�Û~¡ñ¥ÎGÙ§}–ΪJæÄäû§	W÷�HíÚ>ÛÀaòœúò4ó	üN$ÕYYšžÇï_œ••W+vqƒÛSš:±	0ZÌ©„›a‚â[‹”%sˆ{¬Þd?zä­7~ÞÛsý3M{öž�i17Í
Ö‚\"éýGeã3mì7
+Kygm/®SÉçÍ�Ä\ÊqÈbO;z¸‰ð«-4'¤§€+k=ž~(6¸hLìÈÒúô<6»¯´yjÊ^"þxNLÝ�°Ç%3jz˾‘e2 ÃÏfĺEÎ>_žÝ(¸š¤²uy•“®ƒ›{!Þ4l"ùíóQtñÚIÝE°ºÙu²¯‡Ån¹¹�ÄùÂGˈÃÄ ›
+?y“w¾G$ÜË×ß™‹<Ê™2ãtÏ¢Þ}ÿ†­@´yIGbc‚²Kê�·HŸ|ëÖ	
x°–Ñx½Ùþ2—€_M”+�=‘Û~d˜„“•/tŸ†ò³vLFd*°Ä¾ù±b«&}¢¥çË/à¥2?‘©"B¾,|BÊ1û楛æŽÈkf�}°¿Åø«þŒ„g“IÆÞyã8‚©.Ͳ�mhïF`”ÜN‚”ƺʨjÊéž=wþ¼æuußÆ?ÀTÓˆ½~.%º�·�2¢_½¥’()“�5”ôe-èÍÜhxlšŒS+é\d®ýÞ¢Ïd=ºñ�bfýFÇO¹!3‚"Ž±6÷'íjCœ´¾X‰Œ]Š*ÅÂBùwK‡õiŽ€hn"d²¦…Œ·âg쎓š™Îë`ÎÓp¦»²'UJfaþ»f[Ĉ]ˆ•á®þÍ�z´&—À$ñZ�¼¡®i¾—fG‹LßÇzbÕû\dÊÅï격|X“Ý\sÉ•ŠØÊ+¾ÿfÜŸ
|>„%ýHÎÌÚ`=6"æ’P«ô9#Ñ\Ó#3z-Rô|%ñ¨$¾Gc^¤‹M]÷²³Ôú{'¢_ýDÊû1�éÍ*õ,θÈêÝþ²â³Gƒg¸LMa2B Æ»é»*+M[TÏ•´lm§2!ž7V¦�Ôˆ·nŠæ‘’¸†pj7ŒÙ>ò"$›XêÐ:{—­¶^˜u^9Ì’„‡DW¬9%%^ÑËå�,W0ß²¦ÜÝ™ZÒ×ý/õ{øúÆ>²Ý” à/"ŽDkúmù0§_ì>WTxìÑéƹœ ‹›��
+zƒ½Ê-%¯Oà¸L5�“‡û’ªV�,î½øÊáÃz‡>ò&ïw¼´rY6Ç—ÆJwŽGƒ±Â*ÜA5ƒ
+ëšSùSÕi…Ÿ*z~Öå{OrÛÎâ¿z»—­’M®læ|Pû„î"‡ãüi®WêæˆOâ›Ð'ñëgÏbíbœŒÉQùb³	3.ã…ñk›ÌBd¬ilüÖw_ãcÂŒ´¾,ã
Ž
+¢&tG�÷ü©Ï¾2¤ûôþÌÓ(v'«.Š
+òôÿÑü0�íû�¾€Žˆtß
+sožbrÌûvE	²ÁÅ/ÍWRÙu/w¦ØÒÕÛïòxœ‘h<L�šøÖ‘píÇâa
®”Y
+Kqh|>6œÊ³(æÀ’ßë.
+	a‰ñµoWkrŸÔgÔÅÖº›Ð˜wÜ6îÂÞN¾Ùö
i±	XüÐ~ýÅ´á´ÙÞVóÞ³6÷³Ý>EŽ
+‹^±Šî±nl#šñ�‰65%,ç_°Oê”+µNý%Ùz¯>W7¶]•fzã}A}H›ÎÀSÝÀ~ƒQrNÉ)îs�¬þr]
Lf¸á“
+<á¼ØËûò
Aê)¡³k¯×ývuSøGlVªs#Nu¥¬·OŠE•?.j?øÿ©ÓwGä“øݺ23oªkvSÛë>Ñ=¶ Ðz¸^"èÁ8¡-òo*N¡žº3Xl‰eÓk‹þœ%¿_>
+Ý‘o•�~~æHj¦ä=ß‚§§Øç÷üÁ4fA|Nç“ž@íD2ÏJªÏ	ªßãfœêvæ_ïùQÎ`œTäUí`­Ø
@–�¶Y™i"Çø¡Ñ=¸M×g•Õ´1�š:Uпƒfèò©�ü¢hçˆ		Šl`‡N¤·èç«s¼„klbhL˜:g6(皊…KQ}ÈÞ]Ÿjƒ+�ÅÁ7„,IL$¥<³	
Àãyª1ÕÓ¬^Ubó¥s¼=õ¤¯æ-_ãº"/·ÒøìX¸¶å¤)"<XŠxÜ*%Å•€,Kß‹?¯‘¬’ÿ„Ç#8,Gi§ñ
+D¯°4Õ4øO‰h§ª‚Ã*÷)É›%ŠØb~ø-GÈs“I»øN��à9-ŽSqÈÓºD
{Ú½S\pzùÃuyjD¡«†k!ÈÅ¡ùð4yªQemˆÿÉX‡Fiomß­¿»jÑÄŒŸ*�m—­´Ã”8Fèc…ךÆàAÔÉÜî°’Z¼5è篫a¸”dñF~²á)ž!“F³ò±Ëâ7£gªØjB}X€‰/‘'™“š"ZtÍCöEqË’¼R7ö¿Õð®ÒÂö@.)¨F…t ‘½uŸ¬®%Qò«§µEp˜Çd€™ÑÛkï#ÝýFø‡‰0A³KE*3Æ€F ‚é®0BÖLqÄ`nÿ‚Š%P爉䅟Ú�*›X‹²Å·jÔi÷b¶‹ôRáó"¿¬žû6vTZRœÌ°T3Séèv\ã«%øÜýI¯”Þ¯é¡ëæ®ZÖ·mpßú”Qn?ø&�Å—�Â#Ôߟ›ì}ÅÀ^í° ª"Á"çt{RH:†×¼woŽ¸ÏhFO°™§éç€oÊC£B÷~”…�
+ sœçã¸!q?Oƒ¶•G¯îW̳ŒÔ)HænÉøoÌF–A£Êå{Ç‘æä8£jýäUu;W�+Aà¢ï
óÇ;X;{¥ð”ÇÎwÆ}x"
�Æš=×N¿nc}&±Éy[µ~œ ¿öµh¨»š«¢³ñ©"Ì‹üEmÊ`;µ
+Lj
+â³ß
+�Ì Q=w¾�?‰¦6ª~û�á¤àõd‰xW/aéÒÛ‹†Cú\»UÒâàfÒ~…¶‡Í
+¤´HNú2HBÃ8—GÂ+zq(6|£}h`wŽXn‘ÉÖ­\ƒd0ÖŸ9yEúQ§lõ8þ4»G“‘Èh(1›‚#Tšl8ùñ\^ß/Jö\¥H§¼¿Õž‹r2Σ}‰RÕ»Y€|áCžÓ|ƒi
xCªݪÌZ-›Çð0ÜJLÕ—D9dkùåΞ‹üÀu!!‘}U?³9Ü«eŒ�iÒ�F̦ì½Äõ–çwNRi¸Ž
~ÑqÂzÊ—�eh)¶M#±M¤µ.?¶%aÿ5ßóÀ€L]t“ö´ƒÓÈÙ‹CM³S­ê£²lµ^÷³²Ú�fÉÔë'7±‹÷bqÛG2®K œ¾’j…Ã×?“	vœ:Û¤~í^~ŒÓ}ü>[6ï¥Ô‘Uïi!~£óú“á{±±?Gywuîj>S–µ¿ƒÆçò8CëD?¯‹{ÇéëˆLŠ"X?
¹ÒPÌ­ÔÜìô|�/*_6fñfw
+=ÂRŸó>ÍjóðÔv)Ùyÿ¹[G¼Ü5)­…ðwÃä¼Ar«òqsV
+…üЦ^o{<´p–…p¤(„¬Ý¡òž#%
+o–›�.%�§ª¿ƒàêÕÎ*4Z®÷„&§xás=G‡ü<ṼǕoÜRŠÂò7ð|lä”güâ(l€Â(Ù‘(8Å|)ÿ¿w
Æô/þQL™�uG«ØâÐÏœÎÎ~N*{cÀt(û6HÝB=viˆÀ%ŒÐ/ÌÐà>^P䶊ŧ¡¯ÕrȈ=ÂÆé2¾ldÔD4“kêœÐw§3\Wd†@$B}�vÓmwÝK&à#ýÁ?¡e6êœÿ¸¥*IÖÔ*Àií¨²Q„É¿åAFÜd@+íy‡íj¡×Ré­¬üž±àV{ñ)„ÓÜy¸KþÍç*ï¬%3Ã6ÄÐqO®Vî�z
+Pdž·ÕŽÝKcì" ÂñקÃ߸Ð|÷”:
úaAÞffñ~þµGµ³+ì�Mk{çg1Û»tîO±¶)0ÞÊœ<vŸj5Uq"¯}h‘ïÎ[
ã^ý­ŒwXcsÝX YVW³Zxg/ÁÍ&YÜÔŠþ6¾ÿ„×ÔĈäUu&S·+0›Ý)§LI4îÄR°v�ò[_•(�ÉëOJ¼‡ŽÛXÄbÉÛú󅟃HÙ¾üª½[!+ØÑ™õd­¶¶¹c
¡µìÉŠaüð L²ëb_Àå¦RnMúY6F¿ÅýíÕ<úx*¸÷â&?ñiÛJÌ¤éŠ Žô·Î±¯‰Ò%§¤+Žpñýïê=Ú02á=o �!“®…-‰NØ ží2_Ûš,l|%ÕvW”v¨q$M1‘]–OmÍöèÂg®eÝ/Ý»ÈÔß1x±]Ô'ÎÝíÎ<±úa’'0x{&¿µx¯ùí©wÏ.o†l¬AÁ +Øο>Ú²Ê�.ÔZlvp‡k³g¤…æ[FMI�Á‹£÷0�ê¹³ÕvœøæhPKò´	ûäx´!vyÚ³×eœï?uúfK¿ŠÈ+>ªX'·[ò&&ÇŒÈSm"~Ê�\mŸ$¯GÊ-ˆýJo%ÛÞêdyž†õJ-»Û¼`~DÒ]FB´§�Aäû¹xx²Ãò`}fZ%±ÆÈr™6³Á‡å_Êf
+í&2�PƒóuíIŸ[^|uÊàïíŽl«0x¦ŸøpÙ(ÈÅ%mé
…ÆÃð½/�¯±sqØo
+ŠÉËQfþNÒú�ðÄCzòÛgêg_åD6ºq¸I“ª¸ÊFØ2Ëv­Ö¦™˜¤Pé¿g¦Uu䂱~Õ#ÉUz$¼
+ÇHÄ•vËÕ$«x-‘–ß™š¦#{eöòÓ`ÐhšDŸâ°º ë«×^9ÁB0¤ñ뫽‡í»˜m×ÖÜ¢Ò	¯-‘+ÖŒ!ÇBPŸÕvî¦è	·?§¡ºƒ¼E^$‡ý…’*O*n˜.—Çw2wÏ5N¨°xNÂø,†éõG#ËÕ€ª“ŸêÅUOr3~\Å�[kÒ¸!9×0ϵ
+CÝ_‹{™éÉYŠúð["šgì2eàß$‹îy;Þ;Ú
+_ƒ
ÃižòÆv==·%!Ãd2KVûBàùü€ÿ'
 endobj
-977 0 obj <<
+993 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1344 0 R
+/Encoding 1915 0 R
 /FirstChar 36
 /LastChar 121
-/Widths 1348 0 R
-/BaseFont /XMLQTD+NimbusSanL-Bold
-/FontDescriptor 975 0 R
+/Widths 1919 0 R
+/BaseFont /MITGYF+NimbusSanL-Bold
+/FontDescriptor 991 0 R
 >> endobj
-975 0 obj <<
+991 0 obj <<
 /Ascent 722
 /CapHeight 722
 /Descent -217
-/FontName /XMLQTD+NimbusSanL-Bold
+/FontName /MITGYF+NimbusSanL-Bold
 /ItalicAngle 0
 /StemV 141
 /XHeight 532
 /FontBBox [-173 -307 1003 949]
 /Flags 4
-/CharSet (/dollar/hyphen/C/D/E/G/I/L/N/O/R/U/a/c/d/e/f/g/i/l/n/o/p/q/r/s/t/u/y)
-/FontFile 976 0 R
+/CharSet (/dollar/hyphen/semicolon/C/D/E/F/G/I/L/N/O/R/T/U/Y/a/c/d/e/f/g/h/i/l/m/n/o/p/q/r/s/t/u/w/y)
+/FontFile 992 0 R
 >> endobj
-1348 0 obj
-[556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 722 722 667 0 778 0 278 0 0 611 0 722 778 0 0 722 0 0 722 0 0 0 0 0 0 0 0 0 0 0 556 0 556 611 556 333 611 0 278 0 0 278 0 611 611 611 611 389 556 333 611 0 0 0 556 ]
+1919 0 obj
+[556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 722 722 667 611 778 0 278 0 0 611 0 722 778 0 0 722 0 611 722 0 0 0 667 0 0 0 0 0 0 0 556 0 556 611 556 333 611 611 278 0 0 278 889 611 611 611 611 389 556 333 611 0 778 0 556 ]
 endobj
-796 0 obj <<
+989 0 obj <<
 /Length1 1166
-/Length2 7700
+/Length2 8219
 /Length3 544
-/Length 8516      
-/Filter /FlateDecode
->>
-stream
-xÚízUX\[Ö-A‚Cp‡Â�*<¸Kî
-(¤€ÂÝ!œàÜ	î‚kÐ
.Á\ƒ\Îéÿtß>Ý÷é¾Ýïîý°×šcî1çkì‡ú¾b¤U×┲r²
-ò›c02jCÜÀÿ
?
20°¹Ä	*kîö„kÛºTÌa
-`(öÔ´Õ¹êÖærV·?ưغ¹9�ÎÖæৗ«5ìd}jTj%ãäø�+ÆšÉB``˧¡¼�×Íêä	õý�°5jõçHVîÎ@(ÄÅüJö’ŸBÿŠÙ€Ý
-ƒ­ÿ±W1wƒA¼
-*ÑÕvgY…ˆoC~©):h?Ÿþ,²‰LÃTêlšºaV2Äl:¼"¨ìÀ7›™í“Æ朎PÀp«;¶ 0(þ<ÖÉsk[Þn}[3ì\À¯Äkì¼ÈÑ_
-JÜj£A¾®Í×|¥Óqª'•¸Ù»¤ùÒØæ¿Ø!êåu©ÜQÇËï:ê¡î:óL1%ë
×ÓˆœªkÊ{(T¯¿ûà!QµÕû©cûëM§¾v�×É樂‘ß®ø7^9¦w?€èÜ�ñ ®ïØz|q¾
ZÓo�MÉ2å»
Š—»
-Ã�aTÐ{³ã´òÈ"°ûì ø"»dѶ'ŸPÀ”LJï{Äg5—š5ü÷¾-\_&¯z«ç…u“Œ|XÒ,œ$Åï£ ¾â3ùåÖ Fo½Šõb~Ä4
-(ÈGK)›>>ÝQ9Âîw…&…!4£Cw‰fn·
-¬åB?C¿ÒM@�'^ष=“ó¤y6ñ_ MóJU`âõ{Føbþ•yer~«tY”=ÙW,ƒ-ÉpÊÖ쨡È;‹ûìÀ·ªoºõæÉM?9CÒ
ýÌsîoÈŒ0+C‹Ïö׊ŠÝv«íñ>
|˜0mùðnmãÇC
--\»¸/³|Ô› 1œüEÛwLOÌJq	½3ðtª­â�­jë96)[GýŒ
æC¡»çœ	³Cˆ±Rô
-@ZÊøv7•
-…«á#!]x€6+H*?¶ðU„5´[J‡™¿m	gY+Ù×i?·ê=ظ¼�2Ô;{çLâOž]V‰â„µIÞÈŸ¼:àuòÐì-ÝR¹Ù]ê\M4rчÔ_VèN ²“êjv�¢!Ñ™:FPhR{ò^Ç•©�K™÷F6Ûqö:çÌ äÃb÷[˜þîçÃd¯^™g�i	âe„faÛÞ%:²cÅ5GÞ
Ti5+8áæñ6zj64Å÷¢Ù
-KñŠŒå€÷­L08ÞµÏnIÊ�
-ŸŽÆ¼³ Îæq±@å즤µ…üÔ2Œ{5Ä·P쫯BóQ��	“Ž$NŸ„ºŠ@qê>0¢Úøóû߆€ÐN#3ûó¶5HG
¤µ
>z�ëÔ\@�6ýÊ@ÚU"ýB‹Zwô¾"L;}X`¯Sç¼�,˜—@BgY²%„rt…èsóÌgÎÕ„†€FCš†Áë—Ñìqa?¿s¬ÒUnL”!›
ËVQ·¦2Í…ÒÔ…ªYýý OgfÏc¤¨ÙãjãØf<—uR05»šL(ÖF>©+vfQ©óuÛ�µ­C½£àO—†h¸ X¼)NÁ�.e«©lzíÑþv#áQÎ,©‰–qc–ØËz
öµám„©MLÝùxΆòüß^-ÑcÍ0®‹{ÃШ›‘…
Ñú/0‰<E"ñ±
-zv®õjÌ(71wºvžÀöë8FÊz¹/¡Ø—ÎNä:�ÀÄg¦N¿$|ñÄèDNÓ“@I$[¥ãª?¯?­	ÇñK\RÇ7‚íìw¿^¢˜2VìEORøÙ+;hUµµVÒ84Ó=wõ€ôP®ómÍÖ̉Žw'F½og�½cxìØï;
-¡Ðj´ã‡u\ô;LX)‹ï»à¾ˆŸÀ„µÙ–B6ÕfèÈ9•Š[­½ïÊ—_ûã@!¹�µVQ³›ÄZ²av"M¤þp\¤_·_ÕGÚï“—ÄÍó‚>=˜ª´^I.ÚMܧ5
®Â',Žï䪦&2	‡Š¥Î™lWš¢(m±ˆÎÕB|›C°Mî^á*
p~	;ãùýŒe·ÍÊá ±ÊÑûR=Jçjâ­“óÖ~¤ó>˜H±Ôåª1O-èª9FäŒañH®×‹™ÏÁ­7"ÞG6ª@¡s²1\Ç_Rjc·{
-‰PÄ—úõ=‘¸a·žM»çxó4^y²ÛVŽÚjÂA¨T\v—+ˆUmgÜ�ô•!?5J»î%uwwl4²vde¥lº˜?R¹Œ£‰îN\ñhšzJÎî˜dgž°œ¶�À"¤ÔSWõx×rò²çÿŽpᣫÔ²Cê^IoàE1£—ï5t.,©—rk·�À2€á� ñà§sÉf6$Yÿ<úŒÜˆ&
-n¤¸þzîaäÂXµÓ·+`;Z1„#!¦²xÄJýz”¢MÎÄŽ6ctÿ;¬Âm@ÌÞ¼2Átòɨñ3(¾æó*ðÚ—÷�
-—ë}f²JrÀ—.ÑÃM-ÚšóÙ(ÁÄá_9Ƙ�ÉÑ» <]�ô!s+7TcSˆ9”µµXÙ1"QŽÁÎgÁœÉwn"ï“éNN�J?.(9®DåôQ›'¿¬ÂûðöÜ@fµ–€›Œ¥ñWj„r™‘û±�øùüÉwÕZ3¬LŽ*„¡ Ó}¸?ÍЛ÷J|^NòýŽØ
-?9«°fˆ�VQ/¹‚¾‚�4÷v
ø‹¢¤¸�|௿õ!WµwúyÙ[BC—hÍ	p-ubu†:7ÎÉ~<ïüÑ[Ì” ÆÉ5<>bz¶ëŒ×g:{ºáó	�j
èËñQæt¦u"yöƒuÅŠÂ}å†×ÁŽÂ‹AouLr6<ƒð•äß
-­Âµ»�+í"·}=ƒ1 
iË>˜>1òÐ8AžÑ%£³­™ü!±u‚>i„Ake“Ù+”¤¦‘˜µ‚{�Ð…àˆ
-`*¡ µo‹™ËRÎ.AÝ7ŵ©¹m„º—·¿~Ñû²z³ö@âdTÏœ©Y³0ñ7",)xÑåºû«#ɤf· wKUé.@8ì�w⺲NbHŽô;ï¥
Þø5 “‰ÏZ³QÅÏ�ö×GOÛ,lÛÐ|‹†³©jç°3™^ JçU$��hZ#TïÚY;.�j>ˆnÔÖÎw²e¡ir˜Ð�6ˆÂq
-5�mh»nÓùÑmÐ÷ú?Ÿn:41]T]k,Rìa˜RŸ,«Ò3Sï¿:¨|Í?ñgÞ‡õ73->!]7Òõuí͆N½›k‰Á¼ÝôÙ+ès…Î{™3~¢a(’:Œä£ip]–Ì kÍ%ÁZ½äöÑ
-T¬ôUU6. þúc€”«1Ö²E):ÅDµTòv%×õÀáƳ�6nå+"úë^Aìõ‰Ïå¬Ry2M�þ@½•äjì·Sc‘˜=Êï?q°ë	ÆS$•½·‹e]Œ\²Â«¯y¸ ɼ±;ÊúÌ%G7§ûg×O>¹Ø©L­÷̶VE^»‰f6ëê¹ûˆVYRŒcJÎ@Å��ôº%*fI²�=ïzäÉ&²ïáá;Ï›yúGeò‚z¶s”¢Âá_¬Kª¸»N’Ð)¸VW{Ú3÷>“HuvGÂ'Ö1�{uæõÉ¿nIÍü	˜Éøj_<Ñ,�DÉ™öýRÀ°éU Î^²ø‰_¢ˤ¯ïç€âœULˆ2¶‰_™ªá@ø|fè3E¿	�Îâlç�"å¶B~§ZÐ:ŠòñÛ-EÅ×Èœ‚±{h
-B Íç9ƒ|£ºŸÎ¢ÕC4ó©5û>â
-Õòјâbžtk[nyN㦰H“òN,úŽÚ&z‰ê +Ká-5’fÁw#9¦­^ü
Áe�8$V•"@ŠÃµ;~'ÂôJ–B°7ÍÞ#Ýr-„+íÝÑå›ĉ’ñ'1ßN”,÷T|ÂD°eW‘Š‡
ëЧ
-7„éô
-BRC�˜Sþ0–YÊ>Î2‘ÒËM)Xvþá•Tè+€Ä×g$ž>ï	…^ƒc™F
-ŒD(©©³ÆBcýXÿ°‡C‹–¦Jcm̆äbp¥ú°¾¥�j—*ãš—cô
-«¡ÏDùs·òY„3+Pµ~ËÍñDlnóU?µÚx„4iÚÄtŽ¦=ÌkhE_îP[åh]{	ˆR›³Ñô»º®�Ù�‰®¡²�îLà‰JÇ3»°h1‡¸{ð	äI„ÆãÍ
-ã;œû›±W2³1Ñjà|Ë4Ñ‹)è
îZú
£bìWyä鵇€~å%{“ÞÈýAyÏ
{T$¡ž
-dugç,gÿ¶ùgÛ'îpRH¯Ö[>궥¼˜+¯p~ktþ’3ø@mÚ³•bzo·V‚Hµêæ�&W‰Ò­¢jkÂȸáÍQéÆ|ü7½œ?ëî£ÖÇqDé�gXEÚlßC#?œ|*JºýÜ}K˜vÅPi�­‚SÝÎ=VÞ|òþ±ÙéeŒY�3")¤²Î>Œt¸ö¼²A@—i·ó¾åØx倛ljÂ(µ
-æ�1Í‹�êpÊ-oyÙØñòuuØ|˜E¦–Æ.›Îg7 ò0$§#Ð�ï«,((©)!ònà6nêdJ)aÓ)‚w^Å¿À_Šb±{zBÔíI&ºÏ,$c»¾HI²Wýîq†OrÊV\²/ɬ›"n;Iq¼¯Vøþ¸ž�ÓEKýdu­Ï€C1�ôF߯éjE¥o!íkõÅ2M2¾7²Ï·œÏM \ n•Rzå: ôÛ˜ò
-Ç–fU7ó|rFyØz0£³¾²ÂÞ;VêÓ(:³>¢ŒoþàÐ# ~Êç¥ßÏ—Œ9z�cH·ñ
-+šÉù½ý˜÷ÛoðjÓ¥ +Aš�Ö}§‰Ö‚ðBàt8´7âM‡3�UçÃÈÃA\€>àíÍÐ[u
€	»™Ñ´æ–¦èJ—Ðö¡ÿMQLí¯vm¾ 7ÕyŒá�H¤®Û‚G‚
e6”úq\k—+ž•}¸Cz ÷L‚"}l¦Ý¡"an–øu†™Ò9�Bƒ¥¨"ݪ@²&ëœÔЃ4 ùñ¶ÎçÄï[!œwpHvfCO�mŽ»ÚÜÉ¢Ÿle‚(*÷–�7šGy¡wª42Îœ¢$£íÚáÃHRp9¾åŽJ!á/lú¡^z×ÙÅ;ª.™Có¹ƒr{)²�µÁñnqßÑ=÷é»cdÆ-‡è„˜’5—&Èì
-…滇fk^`ØTØLj×]íy�7«�¡$áÓ|i)>Å—9í®g3Óß—?qkïz¡†sý,ÿ+¤åmÝ‚Hslgât:	ˆ¬À^Öˆ]ÜÑæ>"^‰'ø¸Û®Ñʘ`‚IБ¸ïoá6föœíƒUcì¯u|'¡f3uá`ö»ï­ŒÎá�b¡ŒŠòû†Ã
-â/~ç�&¾Zæ3Ð?ø2â­;ßÚ5B2Tâ]Øn0ïÏom01#Úsø£¹€UÙWÐAJ)ѣǗÏú¨¶¦�äv
›|N)ˆ�2Â{ØQ« »-%VÞ˜§Ä¯í39ˆ(n‹ª8½îgÉ”ñTU¯„°nîs<맊o<KºVàHûÝòsŠŒÒåheK`R;ìîÕ$Jÿ”å�‘Ð<X³go„f#¨‡Nê©äMô{?»}…Ùy°M0|šXr‹*“T §¢ŽM§y©mgé<lñ…(ÝÝd4}o€MKÆ7šϯ7¶?}íw�6ÐOÔÕÛ¾ŸòÑoJB-'�ºúôÅIî(L£iià'Î>”ºîƒ¹sò8©Ù§ft­ª¸¢Ä–ŽØ¡.n¤7,þ8‹™¿.è˜Ào€ßèÃ˦^*,bá+£b£�‰
 é\»<¤Ø/øh+gn”NO«5ˆ=R5¹UÃ'Ûµd¼Öº§EÊœ÷±È/xÎØŒÅrâû½žY
-íZ®}Ãeú ùT­+ǔŷ˜HRB!ÍbbgN\º]N)ývC¢1³*û¦hÄBÇúó2�Iß‚ðþžé'RÜf¼š�œÛÊ|)G̸~	 9Ô•ÙPÆdä�Ð÷Ϊ‡­�ƒªmµu
çIÚÃ%­zû‹WœnלG’’eËŸŒÀ3x)Çm=ÅRûv|Ü•ò�?ŽPŸ£'b:é¬D_›Îþ:éoš#ÅbžÃ¡|^†ôóuýt’²$yÔ¿­ì¾Zú—„©”Õ+cµ±j÷‰uQŠ¯O.
«Ñì{ýivÁ±ÆØË'‰Rh<˜w�¿4ו©r=fǽåŽx«~LýŠW·Õ¬[F_Ñ—¬ày0Wòïá®>ußQÔŽCtžUuGö¢í¡µ%ª«±š1Þ˜¸>ú�!È7[/ß½$i=J*–`œN6w³h·F¡Z_çeÚë¸sjhÙ-›Ÿ™|bZ8©_„�ë¬l´g¸x•ÕU`�•¶ž$�ýΠeÛI˜P>¼JG q(â…�³Ò¿@/fÎWEÖ+ êbòÞ$‡Å}ω]G�5¨—È‚Û
7ñ*ÒïÐ0cÐÎJ:/Þ²PÙ�duZ”3„M¿0sÒ0!
�ÅOŽ™ Žã¡Ý>ëÅ[d`àd¿åe2´Ì	™&F¤íÿÆšj×®ï¥k—Ûë	?@,Å‘â8ÌzÞ6<Î|¤_Rö¦RM³šë·ioïOÝi„î7}œï¾¥÷¶Ú³öK߉mŠýè"¢ÄYO=óÇY“Lï´Yƿ݇×R;uÚó.¬£e¼¥k„¡€¡•LԔˡ�Óõwžì™ÈGÚšž×¯“KÖ ªëÒïB™;„è]H*_?›ÎÞHº÷Y‰ÀÇÈépY›’Jñ¯yÑL€à¸×�«¼3y cUêª<Ú
¹Ô×ÈÚ¹œ-Õ2#ØÏö€}ºþuÌ
Þ¢×5r`܇^¢ñøø
-=
-?Hb~Š
rö¬ò�{íÁ'8wÑ–î³dÄû´þÇo'
QÈž†jOpöKGˆmú?—9&CÒäý=�Œåì’dF¥})‰L^M¿JÀ6\r¡ÁœÎÍíÌ‹—n–ÿÑ‹QÉaZÏ9A^:®ëž›àö
-ï| îCg�/}_�··í–sÐTvF¨ù³êÖßH9ìr3"ü$h
-÷&WI 9)€±*‰êÁZ1žÔxïÙú‡I¢,áY†å½¥ÔúÅGäu¬/Ñ
�½+©T.Ô†?kÂڞǜs¶>û¼ßoeˆÐýK‡P6[mÌqû9,Ÿ‹€-ÐṆEѪA
+/Length 9029      
+/Filter /FlateDecode
+>>
+stream
+xÚízU\\kö%Ü(Ü¡p'¸CÐàN
…KáÁ��àîîîî4¸îî0ÜÛÿÛ=}»çiÞæ7ç<œï[kŸµ÷^ß>õTÔäÊjÌ¢fö& ){;3� ¶5qqV3¶S`VY¸
+ì2SCL-ÿ1.¹löçwR¶wÿñ%˜Ù¸ØþÆ©[‚M­í@Îίgñ'²3û[JI;S{3°�@
ò:•ÆNfÿþ M]œœ^íùó€^ßýko~-r™"/ÌÚ›
+|¶ªþÜz[)JâƼ5ÆÑíqýâBƉüÝz“¦[‰Ðºˆ„3ëŠ7.MBù‡¥p¹.¬",tp$‰äw7k>±6lœ l™PâC–A%~ÔSDº‰3`qÔ7„Œ=q�~™ò’kmjañQlµ`{<ßw·:;»ŽÞ��–ä”!}Ø�¥çÿ8þ cã£Âÿfz¨]hð%
E®£~òŽVN¥þð§¬
Ûhf¶W�Ëw:XR}jB¢]ÄÃß>ÚÁ~oYÜb~_9ä�Ã%Ç¡ï°ÄÔ—«Ÿ³Ü©û¶ÐÊhíƒõ&¦¯ð»%ŠSä6QüfÃ`¹ %®“ßmÇ|?Š¨†ªÆéo
+ÍZ‹²™åkÒ9W\Ž˜µE�Î0³ÚpC²I;ü&âuuΆ�¶sMѨ͞eÕ0p]³÷R› »û=¸lG+»ó”Ua×>Ÿ}’&ÚªTC&p�«¬*å*]±–æú¾üw³Ó�T^
ËcÝ-õn÷³Íi=Î]á)Iš°-V$¶º Ë"š¦
+g¸—�Útk}Œx[ñ®�Ìõ.€jþ�¬´%€Ä4êª!
+k¬Öþ´qÃÆ´°µ�­gê�»÷ZÂJ¬v3’>‘M0•¬*3ò(ybQÛ_.²‡
ÇP3âĤÙXÕ˜…FŸ~||Yà^òVOƒí÷.tc`ufÀûe¡ÏŽÝý}@csÏÊÍë
+‹¡å7Ã�„¹@œõ ŒÈ±-ñÚΔõ=±ýÄÆá¤ÇÞŸÚ‡ÓRCbÇù0X÷Þ­XcÁi¨>ýÅŸêr¦šæö!î!uÔ�µ€(v
îkõÔ¥„–»ÓE±Ô¢AÓzzQÄ u´üÞäâ%`O¤ÊPÌu¯QM!3™e¤ßóÉ*Ä’C†òßoÐÚj0‘ûi·w/™#g“a¾‹RJ³’¿�h�(úõÓÁΫxƒ×KZÿ¾}_ΆMëoÁà�þA¡ߟÒ_}
›mß±ݹe½�¨ Ì6Ÿmà*Ç(O FÕr$[ÏEra&C…ö´,^.ßöpÍÈZ‘Ê4Љh6Ç£r¡ñß›Ûu‰j9…£d¯|5M¥[+Øë0Š˜[õ¨[Ù‡ì™}t ð&N/*ƒ·GÝ$®ãÊf½9à€ø¹ªöäŒüV|âí*t¨À›¸ê…í+Êu!÷؉w6º�Syß‘8óý3N®AÕ÷³X
7šDŽ;‰tÛÙÛŒs•šŸ'�Õó÷ÜÄ°£ç‰Í"7?Øë`ÕÜæ½k$8ﺒ[vX¦¬;;
$ØÕÿÈ»—û¯“³�Að^W
Ú¬Îs0blD@Ê	æPgW,…·°P@”ô36†—ò”оxíx=,‰�Û=¨‰æ"Ú’®À<^jÒ�q©ç
7>qOUeƒzIeÆ$uŸ¨nýàӾȹ‡t•µÔ ¾Ö_ÀI½…ÌeÃ޺Хèjâ6C9B:JëVÓ³w†cÒ�Nqî_¾3¥öþ§²}l™ý-"yÎ>ò-Ì„4�ÝÑ�kh ë-¹ùHjÿ‘šN¸ì çB¾—–"Y©4.

+A¸
i9ŽÌä“op…~{ìƒ °CÏÕÑÈú²’a
ÜV	njBL¹Å°oÈ¡ê+PÍq—6 À=jßÝ"_¸Ï~pü\îà€²'æ¼Ì+(Œ1ó„À%CŠ‚â"t«%Ø̈Z	rN:A&¼Û`¢Ó
¹MÑóå9~¯ßW'úØ·õ*�òÔ}”w]ˆÈ¤%Á’U‡îJŒe!s‚ÞŽa[]s@éƒyhžuÜýIK±,>®øÝzÚ€$Vý®ª
[‹g˜®ùœ7v�Ø>À‰Î”
Æ>ìÆ?€á,=P-°ŽÑòsFö›œe‡H¶fkÁ–ä2W>JjÌdÑÒ*”Æd(ÛBçˆÓsmº¬vkuEúCǘžœ	`g“Èñ[ª€O‚zŒJi¹F…ÿ3_â9N¯!úÐéLJgH*Û<ª"
Æ)cømR"N|ÃI–Æ@àÂHóèg÷Ø!ÎÚ�VB†,õ	¬kiU¨£žÅˆ�¨iGÁtä“üª›:æÝÀK¿±=q§‘Ï;+ƒh±
+Y®R®º)Ë»Ê&:ð�1öi?¾rÀÓtãÓD÷Ê Ÿ
+~/bÕÉØ>íXÑ�îtÁ§ìF¥&ʤ§�<õE¤O¬hª¥ªMó*æ9¥nïæS<�¹
+•>!¼©öHøŽÊ}1/Ì錇¯ü%ŽÔ—;f%]žª‚Q«Wnõ¢¨�Ÿ¬þë×üäùs† ÃÐð<*:›Úƒ=‹’‰yÁbd³ý’wÝ·¨ös©n
﮼iÖU=³¸L…çM‹àÛ™,’¿ÚU¾Eï_‘¥b¾ZŒ~*{b´‡iÿ¦EÁqžtïå%¨ÿpá¹óp®Ì±´¯Å&‚ãßÔhUµÞ°Ö)³ÃéLïf\¬á?îŸ÷Ö|;Çè]zÑá8*Œz·2ÆwáQx+®w±Þè%ý˜¨Øôêã%Ãï	ýü
?ó>Ës«WÄ¡¹×ÏÕ|îÍä)”ÉáÚ�VÁL³ºVY¸9r‰ŒzÃrÄ¥$êío—Rè5t‡©ªt,uö�Eé‘w
+ÇÈ“Öó²‰ÁÕ¢eÓT­î^ú1
+ô	2ो±¦
+
I~Í)¤×™±'yš‡°öÞ»øþ¼¥þ2†kø@6×Øò¸÷k1v¢üsí†Ö]0RrÁ5�í‘bíêÃ÷s,íq	¸{×vزֲá$Ðx:ûÕŒ|E�ÅrÆ~?ó¢Ìd¼ô3×n¬Ê�KD¥9ÏÃjHpßí¤ªo¶Ê6‰ØŽ
+TteS¾¯
<´`oCïO¥L"/[Q×f¶“,TÝÐÉi£È]²Ânñ�¦d&hY·zp|„1v:LI0W$Í°¾}R©‹•èV�uÑâ…u¼É³Ô�"Ÿõ—JL‰æ3Þâã¸;Š%æ?¢SôLÌZl‡)u‹1¢99lŸÿR°uø¤qCdyÂã¾jw;‘Í7®˜ 
+5õ~Å�®“ⶈD�ó
:0K®sØaì÷
+\§«0ù¦ÞÈ»Ujáýì?ÓÁÛº€”<®eFÂÛ;/…)*ÈħDª7Æú�xYvƒ•©%‘æÜ€5¸¶rlb,îE{D‡‚n¾ºI¬Xß—F¸N[0D:.hIí{bM@Ž\LZ8Vô1Kg�ç
Ó&ÃÜsß~)Ì8Òr^œæÆcXÐúAÄ0ŸžÙ7eTW±çNÑ16ÑÜ=Lð‚ûHj•OáQ«FÑ®-Ž.S[Îæ€ø¦Ó¾/ø¬¤=™¿[£>^µ	qj‹ïkñ‹—èYv3ÞåêšuÂKýÄE‚àÇ΀(¥'ÕéZI
¿týL�ô%-d8=ïò^%† JKÓó.›Ïïñ®„�Mõö´‡\wõÛF?|Êà~TƒŠ0Fvdí�ÓæÁBª0¤üx«›‚ô3×ÃÏc³3®{຿ø¥¦S§4@²AWÅ6×™»ž]}�ÇçŠfTwn¡)¹ÃÔwâÁúábNv5)îðE3ÍEyñÑñÛ�ò†).ùÄ»òcO:ôÖÉV½õ_/[ÝÞíŒOÂ�ôqD�=yeÅdæ&ûyi‡wÝ©Zpî¨TÔ
¡J/>/å
+�nñë炸™Y*h°‹?t
+H?¸eIŠ—ªÆÁÿ°’ó(üèšÐ@õºõ‘7=Au±P¶v«¢½Ò¼¸ªÁW…NÌÍeêáá²”eÝÐ31_&„‚òwnª³Á=	…¤_"kÁíZkZÂì+ø'Õ]ß•|4¤I�É}4˜F˜Q†[P»ký»ÇUª‘ÕŸÕó?FÛ>S—yW
Þs‰K=!“ÖRÀX'<jù|«ž
—í�J½jŒ—åf(^¸AÞ…k±ÎY§ð§-ï
+bÛ
+~kКYãYç–­ˆ'bK\û^àúeÜñƒ‡³žj
Y�Ø„— H_fU:º½ç(ëÃïø‰8lÞ@ÞÀ·k=†ŒêAotZAxÖ«Ž6;ÆÉ×ý�¶Šêý¬Ž.†I/½üþ¢ôˆ7D[»�fëä­î”îv¸!ëPÒÑ^š¡¾t¥-ÄM~&’~ÆÑÝ7ÇêãE)ŽÕÐj\ƒv+1\…xwÖ b´|}"ªÖœ°wU䆅âWcœˆ¸è�iOõ·¶ê$hBbýÊɢ뽪¦¡­¡ñ}Zwö†U)fß�u^ˆ”TQ(”9%S3ôëhC,‚ܪ˜éí¥nÅ	ha6Š/¿¢pg¾ÖéW,öPÏ=VjáÁ+)¯B�K-b
»&ÈÒÝÜȶÂjÜ:°Á5×ð§¾ëMflb†?î·A%ÑhNÉùM×jBòý/£!™^dýì?Ž}uÓxkàÊ̺‹”
+ºE<å_ð]¢Ò«¨£ëK#Ô8ßôÌTòÖ8ïn§àôØùß¿[Ècj¦©YlÜ�f³Ó¢Ç…hum´—*KÒïòþŒÆ·R¼SØkæ\§Ç@°[‘Á¦lëÙß6úÁ¦;+36*ø¥ZS‡'Ï K¼Gv
Œµ ¾
+ò�I»	½KZsìã&&ÑŽ|(ã�½%8‹|ß]�´së"¥õ.6óá
®
3ïw?D`l0
£¬ÓÝ,w@§‘mÁÏ…XhÓ¸êC¡ùa6›t:4Vü•þƒË©¦©†ƒÀV’[‚
ËIϨ*[Ûž\÷Üz–¼°9hóáäýÈã%Ôc‹qƒî‡<�%ÝjÕL–*º¢ú¾V_x*]'×ö@Žî)Ï9o¦ån¤à>!­�ƒKc~FlPWšˆâfh¢ô9&»»äNA0¢òǬmZû§æ;é
ϼGªmnõýa ƒö½Ï¬¶íX@ä7^þ
s‚ìpé‡(ÍL
Ý!·]ÓKCÖ'"öÂEàÍ
•,³’]R#;·y#ÇVcðŠ®j°¤§÷b²º´TüñgOÞ0å¢u'�”–å¯0Zèñ0É#fo1E�¯NV

+ºÇwÞ‰ˆ``×긘ÎD÷Ô‹ß\Hh˜	h@pE…°/¯è$!1D¹‘VB¡ŽèòëFŽ®–ÍäêEH˜$.¡KÑ~LtBðòUkÚþs“y‚üþHN‚>¸)Ïê:Ÿí»%²OzF?‰B:$ä÷K
¢ªLM$åÉá‚=¨ÖŸ2OŒÞϘÅ}!¹ið<ŸÓŸ^€Zògäm#q^åBÛáXˆ¤¢Žô^îpT%Ñ j÷Š—ûñyôR8Áà×�Ò)Ÿ¬#2š>ÄÏøƒ§%£h¿ÖGbHGfh~LÚ
b„,�Ô܈ӽ™”ĸŽi2µÑÉOvô¯�L¹`Ň¿¤1BáéÅåœV×VæŠ
+ëJR†sýœS³o?Û\Yûylîc¿¥ØÚ&W}{é—%‹‚òCÆgØb1ô3šY-	A
+µ¯\M©°x2Y£|é´É˜™™ÃªÉrÊ’r¬^•†Wé7®uñ�©·ßÔƒÞ½<‘Î7!+çRSOÝ3+èó@�zÒã·

¾E2¨ƒk-Î\/…ËÖDÊéI}÷Žmƒ*Wç EÂÊœºJ	Æ¥à·ÍìµO).­žÚûü{‰Ò—‰¯?ÕóR~µ\B‰2b9®Ü}“‹Êú«ˆüßæ:Üoß�®Œc…èšÎ¸°ý6QÐ%9ï"n9êäˆkà‹5…ªE¿mc©#ÓûŽ~SœNܤá‘kîdË¥=´I�s™Í²ä»§”é~-®�‚b
+ŸÃT¤±öVið„B»·�¼P@V–bß]AhS­L±ä…M±x7̺¾!¤”ÃEúT<ÕÞwü(ˆ¬úA*U ©„
÷0[Û-©� ^Æœ�
+ñ"~�£t¦K©�¢·Þ+ÿ¥ØËZNrósÝ,2r,ZAqÙúK]¦äñæ×4�«(‘kÆÉÉ
©^¬MòáFÌÔ[X•�ty‚…ƒ\[$«Å
+Æñݧ�‚}�~¾+kv&×uXFû\é
o¿æ€Òý¦	TÔW›EšÃƒùì
+|û;Îb‰; …ìs™|	)Yÿ7™îÀø"G›àX!¾,ÒÈHÐã›}€ÖÞü‹i-PÁF²«ƒüÞ¦ZÓijýBõl&ü`>R}-•ÏT{@Æ×­›îMß.¹\næ€Ñ‡ÿloÙ©%Èä'$€n’ëó(½0ŽùnÆûd¾¹
G1Ôù-F‹x
+˜Õÿ9¾|r=Œy©7y«ìýUT`-ͽ̷4k¨
+󚺪mÒгdÃ�Ê-e¨®\�øÔ¯Õ&/ævÈðnßSÙïK½c‡ê=åË×Pã{;õö{I‡´HCvÞb˜qÌŸŽÞ¥J—†u;òi²aï2®zú!¹BÕ£èæÅÊfùvwVúÃVMæÎüÅ·±CqßFê7|½xÍ·i‰¡dð‚nŽJ`±—æ)ÒFÅΓHú_FܬWÒŽÄxÏ|=çtà¾U×ÅhG³ùJ|~+�ã4p¼ÍHSª# ùÞ”zâñ)�å
í‚äbÅ7Å!„²‘˜‹OõÂÍʵ6w"3¥·'Í{YVO"þDh‡¦£ï¶¸„Êt¿’XÅ/D*³íÜd
+½~O½—Å�óè.¶ÅÀ[›ÿl8¨¬–†JEj`sí#'=Û|HåÈ/}'ôäÇ!›XÖÅ×@ú3ò%éJÉ
M|–9qú€Ù¡¦‘�.Á™m÷›±Gf)Û
+ª¬†ÒU8ã>Á<uµ?Bâ¬Æ+2(¢š‚a—-<çfhF	³9žäžOLFzƒ±†Rºr]Ç�È£"KԽΨˆ[ª, G�ÊÇ•ÛÃp‰ÕBÉÞöÓ7
+‹Š=TÄÔ&ÌC!¼ªZøkÚû#Ê7›•‹2Ÿº«áÍcTvšò¦[bc+Äû
+[Ñ=wy3WR‘úžv
+¢³‰¶U$òhØ0R"úkV9ö�dùZ#×yÔD¹ˆì˜ôÑ{<ô%5åVáÛÇ'¾.ÝOUc~QeAÜ<M#œNä^Hœýjœ—Ôn”\ëЇ”é¾tþ­NŽY±ßË/„r Ö‘½îƒ™×òͼPÛØP9	“,¶
HBwú�F:¤ÞH¾¼í¶ú�;sÖµ�¿Nï~�ßÓÎc]æ
+n‹ù¥RßÖo$sj±E	É”w…â­NÈ”A÷UŒX[><{a™®’cÈ÷˜ìÂYkvE#N¦ôßÔ2á ¢ç$WÂÄ¥s¦Iãã­9ë»Çô¾ª‹$¡=aLjôïZ‹ÃÃtn�͊2ù!¡þ5ÍcÍ"fÖGÐ:~°çwˆÿÏMBØOd´¢Ìð^A@Ê®$%¾bÍ:†¾]¥Qs4±›éÇL†ä%}‘a\bBiÚ¨„7±œ?DãD]+n
Ÿk`¾bž3pþÔÊ�63稜¨;ÛE‡Õýi`"ܵuêÆšLlVW©V·
³‹ÁO�|´6¢/¤ƒm
�?	Le>u¨Äþ_^Èÿ_àÿ	
S�±ÄÞÖØÉÙË	ä±wúãÏLÈÿYŒøCendstream
 endobj
-797 0 obj <<
+990 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1344 0 R
+/Encoding 1915 0 R
 /FirstChar 2
 /LastChar 148
-/Widths 1349 0 R
-/BaseFont /ZTYCFF+NimbusSanL-Regu
-/FontDescriptor 795 0 R
+/Widths 1920 0 R
+/BaseFont /LOBUAX+NimbusSanL-Regu
+/FontDescriptor 988 0 R
 >> endobj
-795 0 obj <<
+988 0 obj <<
 /Ascent 712
 /CapHeight 712
 /Descent -213
-/FontName /ZTYCFF+NimbusSanL-Regu
+/FontName /LOBUAX+NimbusSanL-Regu
 /ItalicAngle 0
 /StemV 85
 /XHeight 523
 /FontBBox [-174 -285 1001 953]
 /Flags 4
-/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/zero/one/two/three/five/nine/semicolon/B/C/D/F/I/N/P/R/S/T/U/Y/quoteleft/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright)
-/FontFile 796 0 R
+/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/zero/one/two/three/five/eight/nine/semicolon/A/B/C/D/F/I/L/N/O/P/R/S/T/U/Y/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright)
+/FontFile 989 0 R
 >> endobj
-1349 0 obj
-[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 0 556 556 556 556 0 556 0 0 0 556 0 278 0 0 0 0 0 0 667 722 722 0 611 0 0 278 0 0 0 0 722 0 667 0 722 667 611 722 0 0 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 0 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 ]
+1920 0 obj
+[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 0 556 556 556 556 0 556 0 0 556 556 0 278 0 0 0 0 0 667 667 722 722 0 611 0 0 278 0 0 556 0 722 778 667 0 722 667 611 722 0 0 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 222 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 ]
 endobj
-710 0 obj <<
+964 0 obj <<
 /Length1 1624
-/Length2 5655
+/Length2 8351
 /Length3 532
-/Length 6501      
-/Filter /FlateDecode
->>
-stream
-xÚíWgP“붦ˆH•Þ…€
é½ÒA¤W
��„$$¡ƒô^¤
)*½Ez¯
-"]št¥H“"Üè¾ûì3ûž_÷œ_wnf’ùÞ÷YëYåYßš	»¾‘€aQGÀ1"‚²
-Ä@d
f0@ˆŠDdddˆ¹
-êàˆ
Ü114ãåç¿û×Í/€�ןÖ
u€¸±îé�c°ÿkG#€q„
-
-�µpÁbX2}ƒ¡ H
-…U÷÷›�-úÏóï�‡@<! âéO�\ˆSzf¦Š>§÷�ªeg»~o(²°Öøe~@¢Í?=bQ¦Ôö¢2T°nXöò­×Äòç—|«ýít0ž¶TÈN‹ßmÞŽ|Êyî&)þÕ !ëB²Œm³ŸÝ�®YH
-›®.½30´.¸¸~k¸Iuc÷„7à¶{~
-ä÷wvÇ«éRèJV¡e’ìr¼9ùâ‚œô0˜"Än%Ÿ•MsÒºYìÎUBu¨9‡çͪ�¸qæÍì}ÍlÓ}|e±ŸrºE©?G‚ü¯’ÍóEK0&•’O®&œ¾TÒ3©¢—]™7F�=«Æo¬ÌS
-8O,llH?I76µTèXD œö³Sè.NwiçD8T¥2u¼Á
ÏÔÈCi�ÂUЛAJéTH®gÜöI”1MëM`*o•æ¾ÐbÔõô©¹,V-u4ý†ýCÝÑUOKz‚—âÛë—ëÄä5~%šct]­§h¤²ÛNå¹öÿ Ûö’ñ?‰�·ÏÊ*åI“y[qo.oZqO—f4!OòìC'=[b°ëL‡\ö¬WK+õîI¢
-0…Ødgç•771ô|Ÿ¢‹y¾ÌõºbÓü–u0Æ_røªvùMc®ç¹ÃBÅ\n}HòýÇHyðîµ³p%Èuë@k+…–ß×ÏÔ\|©bû¬�ç´ËOª?XçsË,[Õ©EWJaoD’ןÚªÙ‚(eT"Œµ6¼AhÒ7Y*¿é½|8ÍÒäÒx5Ámê#)ѹ å€n_7¯Ë,f™·­ž³ö-üæ��S17É1I©wŠ—&ÍÄ°}ðnñô«ù\
t§kôaLs(‹‰Ó�³ÅÇ?=1òJ8¹¬_Ãkvy˪7—‹´nK°°=içé0Â!O³v£þ@ë¬QueniÊ<¾³ÕµÑ”ÒÂIm¶ŽìQ#wœïa8ú<�z/gÈlŠår¢g4t&*ÀD‘@(-=V›HÑü"§�KÀF§kìqDœ4F—î>á‹
ï¶ù´eöä—ñsç•2´9µrœ%´5“Å%:ø”rBSÛÔ†Çàš¶/BÄ)¯o�½ÑäNÜèÖ|ÂvthùL—XÿUš^ðöá÷FŽy
-ÀÛËÏ›ë"±¦­\E‚ñ<\þìa#®0G£Í¾ìÑž÷š¶˜œ ƧW3K2aØ•Ê/Õn$¦y½–î•Þ�ç�ùÊ1(µVÓ"bª�ùº©:¢OÃOò†Ÿ–Å°.(±Šb}ç”i¢Â˜¬ÿqî‡É{+_V®�¸Ä´$¥¢P_[QeYjçWZo—¡ÀŠæUYþÇ»®i):q #ÏÙ@öN­³…sèw^—”ŠÖ¬®I)kæ¤Å‘s˲QMµd9^bU·ü½çw£
-÷oŽC
Ò^ï'‰¶>ù
-ßX?zóä½ãÁÊñF—òû\šµæ–­ÎÆ:Û}|í.Mœ“îL#Ø*ê>~CÊ<Æ“¸R芧æxê2¾D0ùÜšãæ­Üh<U±n\n:K›øš`9X£9§K@Ø4½` ?‹x;˜"’L�œùñb¯T�íhSþºÖ©"/xý¹\ƒsûÈQÒZ#d¶(ùX@/ÍïŠ.jf#ÏÕùÕõŒ	ƒÈ¸Ñ�D/ù	$³s_H|�óÔyû­æëä³ë*åµÛÞ!›…9KçdäÌó¸ñoÒ>—gIè0�Û„^áÒ%	ÃéRÃ~îïQñE¸È~R<™¯—ÆksRÜx¦õ4«œßg‰½V?^ `ÚÖݪ3G6PøAb+aDoU¯ïN—íhø
h.�Ó FPïÉÃàFñä"}†ü»Š— á º㜒žêHÿG¯2‡Ä
*e&è°Ôóå[CVÆk´ø“ìtùÊœo$ô‡ÄÓ¯­ûÐ< ¯ZÁéEºð.œd¤˜]KȮ۰ūe«úž\¤�ãó.¥õ—ïæ :@Ú55,g|ßæö7úh;6XÄ/>¶"ynö#®¼QóÀ�<³{5”–SÐ/8*У‹‹GO	JøL©‚¼�EzÆÄǪµR¥xÂ]åÁ½œÎ+ñ6ý§ƒ÷ÎÆ`�bINÇQˆƒ›§ôý6†�„øågÑåîp&Ã8”ËöaKÚdagØ[Ä~¢�ÇS/e:¯|¯ñÞ昮¡»œY¶šÄÐî«�ŒLnc¶{ÂÏzõ/+åæ_9@irø˜crûó—?VpK[´Áúùp÷ãÌ�Wâi{m¶Ý�šÍš^¯ƒkBlïøôô¾™™úN‰¼·9˜¶Ë8ƒØdX'E?Šª!6œi<Á·
-MwY}6ŽûV¶Œ—n:÷ymO}€KQNUÁÆ®2¾)õ¼‘A”ɼÆÅ­…H?òês9úóØ‘)ª¦Ïý¥�¼O8â­‰`ù�£4ýÌÍͽ"/㬂ìÂ>ÂÇfSgL,D Ï\¤¶â2íÓ8MÇÇB3£[
~„ûðü¡í)9ú{N»\˜"¯¬ê9AäÍÜBvLœ¿xa1ýÐÙ‡?¦•J§®2ˆÄ‹"]¥ø4wLôn´¼lûÚ¡ï§.|‚ ³®2èEs^Þ=ÒNQã·;\Ð2>“»ÕWl�ª”›
-ÉZI²L%g}W
�f±½‘¸»=ñLù’óZۉ׎¬fž6‡û|vØz½¨ê¤Ù›«™œç«R};·C:)†æ½QßÈ›x» ¾ˆhQ	¤Ç¹Z&âþ±þ6(Õ†i”U·À·³•>ÖõðpÉúP9w1Oêë@Œ#Ú¢Ð\Â�H´èÅ“ˆ²]WúÔùýÁ�—¨£ÐtGÓÑ{£ˆÜ
-/%É =Þ0gè‚ž•/Š³=K%äØï˜méð©_8êZr1�OIE¯}}FºæÙ÷Qí0
-ÓKd÷5>£FÇíêN^)+&yä¬>Ki?bKÃþÂ5Ih\ðpX1„¦ ;ñ OÁµýËw•¢:ÙÔãoŽgX÷‘5XË2R²‹£ŸöŒ¼Ôö· ¾9ëȶÇ@‹këtÛ�6~lŠlÖúÊ›§29BÍÊS$ÔÑд¢Ý!œ_�4ÿ’‹Ó§GÂXH×rcbé>U&tã”%…àJ6ìdÌ$�V{
-ßѦ
-o>‡…~¼GYøüÈuQâ*³AÙŸK ¾ôµ‹«ñ–Åad
|KtY;…Ü©_–èe
5ÍŸˆ¾#�¾ïE’Ô{Éq;_þZˆ
�1ÔQ;—›ÎªD=!avhzìâ°l#<~á>Y×w<öì[oçü*Ö�s·ìûä(î·Æk*gÉç:]¢'�‰!%y]¦ZdTŸšnS Uß\&xyu%S–9²�îƒ'"šÇ†\ááº*ùx8"Üé÷žäæ
G»éÊB;âÊ(â
-¥~-1ßÊ·Sí·ÃÔ:�Ö©—JZFß�”-¦
âJ²FDDµ©�›¹�â1ËîÓHâÌäÅÖÓ�~ì†Þr·ÂCÅS#\iŸ5뫃O�Ë=iåw—3v0|¯†FHFú®Q…k<Œ"X1Ë”vuÔ4–¼¶uèSŒöÀ�îÛ
-Ú#ÎÝÅ)šjÀMs¤ârruRb&�l^5!Í¢W#
-¼RK·=Ž–ùóoú©G–c£m¨f�k
-³Ÿ“öÐ^£²P¶yWmnÏÄÄ�T‹Ë^­ZïÚ]:Ê>9mTl´ô£i¥OäáàÑýlú±Ê�(À•ªûjÊ,µrAAx-fLjpŒ
>¬ŽÐþÐ3ú¾3êÔ
-yîoÜlŒ�à㹶_ µ'Õ ÍO.׸µ6}¾Â£×˜^N!Ý´�’»ÒvµA±çþ�ð
kOg
-�Ówí2ëƒ'Î`p+p	¬ã�™CÏ?dÃÉ!¸äëõé)§»Å8Ë÷Ó»nübçG®ú•u™€ùw¾jaŸKè\¨§*A
䦢3$ÚˆåúŸád‡9�ðÖB¶€Á5
³m({ôTá{~·sF'[‹»zèêæ±Hží:¼“þ"2ÉaÊ�øàý´ƒ¸KðÒ‹,—‚aQú²¤þ+¿9PáÝÄúÈMU:‰b2Ù	œÂ�áÆ–€œÉ§mle,sm&,Võ£r—�“Gf—nÇßí¥ú2ÑÅu´SEÈŒÀKG9éìT\?µì/8—ù
-—
-IÃ%¢§¸ÁMÏ­W[öÉ%ä¢*¿gš]T›®æÅÖX=„~í�uÊÌ»Ñi©Xp
ÓYÂaE´=pÃõ{ó­›óŽ¾™É"ö÷¥	F8
4ÒL”ÆÙžÌ[;ôé‹�åŽ~¼ãl¸jä!@šjUâŸs5ÌÃO‘Å7o­\)ÄÈ’±0øzi*‘ƒu[ä	Ùxm3È!5œˆ£x‚
+/Length 9216      
+/Filter /FlateDecode
+>>
+stream
+xÚíweT›ë¶.R´¸;A‹»Cq-î‡ H!P¼x‘Bq)-îîPZ(VÜÝݵ-íº{ï3ÖÝ¿ÎÙ¿î¸#ß;Ÿ9Ÿ©ï_˜è´t9el Ö E(ÎÉËÅ#Ð
+‚l
+°…Â
+qòØ€l1¹5 ðG—
+úhÄÃó7LÏt„ü.¿à_bó÷Øõ'rn•Jrìÿn·þÑÔzœ
¸ž—ðܪCmþyøÍ#+õøp
+ñ8ù„E
+â6/ÄN;0|ës2©¶òÄXˆÇ`kmH[Ǽà*õp+?ýä†5€Á#/€ˆñÚǘRóŽ¸
¯� *ÿ€9a÷æúÙ—þ¯½=�g(Ÿ6)Ù³Þa0‰{<ÁfŽ
+pÍ¢”2Ö/õ‰`”TèÄjš 3L¿àƒíá!ŠH»  �s…?VLãT‘¹Jˆ&‰g: ÉÒѧLy‰À¸Šge0å+÷&|ÂýÀê~sóTšù‡²©ttÔRmñIëëd°9:6+¶@›ÿ䧗%«ŠA~ªÎA	ý¨£±bíè0�TóYòs¢1…Ðg{Ü™ü_8X—Áx!Öy4´Ê3æmü,qÕ¡Fôž¸Uœ1”=Ê™gÊ™gÆȲüwâEÉw#A¯�òøJàú•BþS›•¤ònë®”{w‘?ßW#·TæJZ…å˜>}‡Ñ•ÁJJù‹�”ºŠÑäÊj¿¸°[f"­u¬x^Ø( HHŠ}Q¡‚ßaŽRz8Œ¶¦µ“;jÇÐ:šÈƒÏó%^�%QÓ±¬­v˜iŒ¼Æ¤|hÉÊUq”J÷¹ù»Ìã:aẖ²Åà2]½Rô¶°÷\xT;
µ7L4T3FÁ°.ÌkÛ4ä»Ïuä‰qÑÅÓÅŠ ›c´ã¨�ˆ“Ÿ¾Ú:‰Á˃NG!òç»EŽfµ4ƒvZi•M–Þc’þÆXÓ"Ã-­íêÆáP‡³ÕÌ$’_?Nˆyéå…ÓÕ½mÞ+à„_½‘sãÙ’I%pazÏl›€ÿ¶uçU«
�·\Û×Ðbjêìb>U¸)}{QŸNßà—¨ªw%=Ák±ä�fZ%Åêos[1øÉ]·êñZ¬w¹­fsƒ\û¾cx‰¾¾‰ŽµMÌ(}–"Ú\ñ|1wNkõTƒh,.Wèçh7)m|°Íü'gˆ5’S¯ŠJ2ÇM<'s�Ö+±UÇR·¬§ëÁµ&I"AkËðÖíƒÜ�c»Êþª'ºø®¾bÒ^XÛÒV¶ãž‹c&jžüõ«{Aî.5ûÛd
+Ž{âA‚ݧL3bü
J?ÙnÁ›C#ŒGÖ:ÂûSÅŸ†¸XJ½·5^9%4•Õó’‚Ò¨î_Zúäu¼AÁ�Ü݇€,23sËÛZÉzÎgIÞf­35TìQ›Ã_
?Ôn¹)-ödÙ­¤!á-æÔ‡$J›½Àzö‚õ˜»‹Š)Nü‹:¸¶’{ý[}ð|ͯÍ*Úe™à€\‡v,­�:j±ªÖÙH’R<[ݧ¹}I¡ÊíÐRò
´hst4ý¯3¥{Þë—àe¶A¥ÆÈ)f!ÁîÎÈW
n];FuéÅTK&|Õ‹æ¾\c…GîàèE9#½‘lý¤z‡X,¾t8íèëàvO¿šåj›@’ò»²·1Z1–ÈÈWc7Ü^q7÷õÛHm®#Í4š‹9.<�qÆ–7]Ï>é"घ»Ž;ʆW=™PNïÞmMj§%·™Gô(àØ/õ�]-÷'?E4œ¥ºŸê��ЗBáNI�V}f…×–Ÿý•‰ÓBýó®aˈ
+ÝìËI–Ø+¥®kª+…k{p¶MÍÍ$]Lj&”?M(ìzŽh¾ÏöÄÝá�6è g*⪈}Æôš.lÄÕÉ^wïkæXÏ7eKxvù»‡ù5QÁ°Ç•Ê.ܥ˯ŒZKòQóÂsÅhã˜\«l>[êßÝ“Ñ"bÇ
+idguÊ ÛáÜ‚Ñ9¤ëË‘'jM.~×ÿfêKÃÔŸ’ SêkÉ'ë,Fèø.JìíÜÎXѶ%Ænvâš’¤¼ò\¤ëVù¹r>guΆɩ,hè‡ÓbѤÏ_9¶¯Ë`ÔT•#ÅW}gƒ|³f<×­ð8²ÿ5È âõm`cÚ—}çêã[ÿoöþ-ΣÆgLÊôµF&Žzê_Ùºœ['Xæ tqu“G.¢/­bŸºâi$g¿Ð ÿ
+#ÄÎÝSDº“l
¹ügTù®„B'æ|pÙž2SXÁÖ=‹ç~õÎK–DÛ+Ïk¢·­ÀICÇCÜ0SApðäcZ:³ísž÷½Z÷•âKíÀDÙl”osúòÖ'+˜EŒ;�úØÏb]RN;-¿Œº(·]({5ׄX’³øö÷ô~™Ÿ=ÇŒpy¾7�rB>Ý#ÛÁr{Yƒ©3ßrƒlšê¼õ~±Y¬Ø)Õ`qyûT±ŸIJ\^Òº2¶5ù¶…Œ�¨ÆÙ½C+âa¹ÜmyüÊ€=YÙGzm’ÕŸ>ÖÃI)ª~•¢•¾·wZ䥗Q�yyŒRÂf�ff8û“‚
+¸ÜÏ„e) ªÔ5‡Ðz}Í=1¶à‡v‰ÓG<˜'}îpÂ/òʨ^ärÁÍ)¤ƒÇ¼V²YYÍsSsôaÛA ŽPWôÔ/U®øGÎ8G”„X×ö¥ïôgd” ŸŸËÀ¿ÚrsŸc¡W8DN0|’t&sõ™9©~ }Y%ÛZˆÝñ4Ã@hÁwKÇÊ0º7ñ¤‡>–"OhIåà"5àÊtþ]ÛŸe»ÝÁ†UyåÞå¼ë\_¹j†œO"	o‰¾é~iŒµb�âÔwyu«�•¾Ö:
+ÓEWº?Kûß“IœñáÕtÍ{�Be-ë	
Uu£tië9ÙVåøë_onw®YH°íy‚Þ|˯©KâÉ'zÙuLÔ‚™I…¾?Cfà.mQn%¥Ÿ•I\zQ[°³D]Yí7öT¬$&+ázªŠÜ^„§P•àÇ´ômÖSXS„α¿çd±³Á¡Y>RêÑ™½²†ò…*Ÿ~ûzr”4�6:bŒ*Ç´H]ÅúÉêXË—P/f	Îëîw¸ÑV%.Ð-HÙ¤œùÍØÁ°�ù¦µŸÏ™¿Ï³Ú/€V>ÖG—ç™~]I§ÐRúå”ù5ÝÙo<…zÅ•—Ã!rÀÜC)4ÜKÿªdÞÌ5YG¨Ò!ŠU�a	dV¦Ä`ȆՃ¶å|þFĹšÆ�#\XZ­•c…–exÍØ⻫‹
+ðŠâÅI´ÁAM8îe¹åÌ4+Ÿ`,NÍ|
+‘†“u
+jT­C©i–Tu#s¥§Ú'¨jzÇ¢’‡‘]ž>û	�Ó›ã�é4�ý}AB1ö‰pvs!œÀZý¶Ù0¸øÖ5=YÙ‘Õ®¨=×`«²Š©«åU:�¯
+$¨éå,3£¨{Q¾Qê�5¨§6µh¸‰Üüß<ü‡ŸP1[½;džF�oU—%÷UÒÞ�,²Éš5Vo1
+=JƒË¬À<2Í¢îÿ¸£»|µºÂmïÝa²‡kv¼@ˆw÷ÎÖý¢AŸyÆ«ïÌ�vÒDYœ32²
+©òc¦Y+«Æ€�§Qùsýò:ŽrM£ÅÈ*iÀ· Kö �î0ÐÇkø�Ä<æçó|;€^QÞâÝ@�öE<YÍ4Ë.8XÉË@¶ÞIǽL» ïk[¯irWÏE/f؇jÈ)Rà�Xý¯œvb~ƒ�ŸCL?;Yt^8+¾ç/*7í2êì)É=fIï#!½öôžcháîÌÃ{ØV°#ré\šùˆ58»ƒ¬«1Éz—xÝ…È®ÊÖ¡@Ñüâ—¿GÈvÄ­ð*†b>�
+ăڙ~»À?(Ç«Ì_aè3µœÌÀq•Ò·'ZÍMÈòqZ£¹§ËSÅv8à‚¼Ô
[=Ä2
MV*ÇE¸ì¬Ömpx†“‘ò°Œ¢Ç¸
+4a¯ã§À!¾Â2J	’¯Ôc2Ä»îú£	GЙÓØQö(„ªž0ôéÊ ÕZÅÅ`¹‰ÞÍ>QqÜY·TÓlFrÙ9Ä>‚$s™|
+cúÝå�99¯ vµI÷ðJÐ?½›ÉÇÎlâ—2ãÁ¯Ú÷ýŒ€%Í4ïÚ�]zôMy\U¯_éCùÅ‘Oað�áׯ™Im>�jzX <Pû0[:?Ñú"§¤ùñ’¤\H)Ìn®ö£d©ü��N_ºmíDÕã?³íÙÑÎ*–=ï;Ü�RO†vhÁnOxŸŒ={ƒ³{oà¢
;ËùNÅZϧ&ˆœ–#)¶[>P’·ž¿Á©Øô©:Ïûô.)¿¨h^iyˆpdÎ<öL#ÑÆ¥{¨Òܺ¾E¨ózÛ'¦îIÐÔñ`Ï�õ®±G‘
+F¸lqF÷wã!
ïlgVc8Agbf–FLD¿¦x9Š|s ý5þ�i.ñ½5ò.–so–¾¨ìû4§e5<eÑ”7t>CÚ±CŠH›zrŒøòx³÷ÛÅ»+Vˆ-j¼pÎén
J™m–›Ñ�s°pЭ@úEƒsFÚ-V^@6êI]§gIëEJ‚J[eƒÏ%K\ñ¸\%kÕבÊ}½Ï±ª·—´Æs‡2ßwýÕk“Òhý€×U%'ˆW(“ûh?œGØâˆÏlíä7+#ÐÖO'›Þÿ²ºéúÅç78' K*ûTâàÃF\Úÿq$qƒqê¦tMŠ+éM4Îâ§7·!…
û9B²cr˜xÔ©*ÑEö�¬!ü¯¹Š	G_á¹É³Ìkñ¹ïEãA	GþHŸ#ÑÙfÓT¼äû<û˜}!gÆÁ¥�¬…X
Wϲlq*¿ˆé©°MWfüp]ýÕST”i;Çéyù>.¯Gxf�œÕÛ[$«LTmç¨m–fîîe¬¢¦§P*†tÑ5[=ÑTQ3<“)uk¥}²ùbâŽ4¯w
+E,˜µ´´&¾Þ6º„¢ï¨Í$¹°Á�Ü<ÊÅ|˜oÏLŽ8ßx'%ì-ià_~±úáÚuY߉•ü]��<ócÉÞ„Ä�:g}ä­A™l=iÜ’Ù›Añþèuúéצ<Û­O˜àmæ5 ÜT…ò‘êÕkjÕ‹IG	¦X%
-úú\¶qŸt§D	Љ64>–_Ú�Òâ[Nlòí3«KRÁp²–Âb]ÌJ—^»6m4×Ë'rÕÏ"d^D�›y!!o<¥fN�¸È%�PZQ¯÷nœ•7Je( æ%.ÜÆÐFœ—Q� 	Ú›v¢î*ï&Q�_Ç1éÇ»OµMí÷S]Ðê—âO
+,öŠú"Erq‰3×{1NÛZ2ú

©ôeeE?qx
+‡N$ÝE¾ã!Nz(Ý}Xn×ü½aב´˜S€¯q=!ÆUwŽÛ-ÁWá‚}Ø\dæ”�Qf¨ÛÁsZY THƒ-´/â«Î-k×ÖôïÒÉRZ¤™2ûx°.��[ÿªt8HÕ«XE¥2‡U-äbO¶’g×Vs�£I5üŒõ¤JÒ´Ù¼ëâ#LAôfvñͳýn™ÖM6H·Þî�,ÙŒšípŸBIN"±Š…:2 íÀlÇV=+èw9fš ÷˜±ÁÕ"ÙÛ½�ìøù<´ÓÇ™R]Y4B²,LˆéIL׶—=™ùôÜ3BÍ]²'ÿÔ¨ ’]döŽ
+ÝݦDJ)ÙŒáÉ¡fl°«Sa¬c€²cý×Øh}ë
–7‘:©„ÑÅeƒ+"Ï	^Œæ?õl^}âï.<œEÖöþÒë’QzM‚iDÓÂÂLTª¬õºÒk=mùP©ú'·UŒ´/€›0òû
+ä–“Tf0kˆ¯¨éÞ6¡"¸FÂéq$îDY7Ê�ôµíª‡æ¢_Ä+ùXDLI¨#%ò8ß[
”:¨ËA|�’z,¯
+ø¿BówÚ]ŒßxÅ®ªÙÒš›
+r
ÒÛdê9ñb÷Cæ½óG„á·|9]°Qˆí3ˆ¥8ö•'|2
jK¢´”6¾Y¦·ü–ū؆Mì{"¶¶¤~lú…W²ÌÅ£¥ZI¼ýÇCLTb¼Ø¨�ñÉ®-üGOdfEæ—ôk'Ì,³q½Š°ÊšBa›=As_|û¢Õå|šEñ	¦Ùá`uͶ‰:ïp0nÚ”Û+•¥`¯|,_
+Q^	±ëkB˶ÉÝÏW)´XI6°,}¥¬>Ñ­
+ff|óéæîDÈ[(-’°1MXü’µÌǨæ¹Ð1½æÄCÍ`SN¡‡ÒÅ�»ïaÏB±³7,PÄ�_ˆ•Žp�²Ï‰çó×CG®t¹=6Jøwº�‡P×±f×öËÌŸ õò–ÙÍ�·¿)—UôÑþN¶Õ2¤C.®;—ÿÔvcƒ‹&çî¼Ð›íø¡¢ ?’!sÛ	yvØ·�ïœÒÎkYiÌç
hbÏ0¾IDê.¶Y_^¤+<@<«Nk¿±eopô³…+¥ºêhC‹0�Hó³�c�ŒÆÜHf
Õ»uÎTÉ"[1ò™8ÍQ áMBšHiô*ó]ƽ¨Y©ipá8i­Þñó°žÇª<FßèÍNa¼�°ã¹Q[£ðbd
Yfwp“—µ©Â·{äBŽT.‡)çN¨5# Ü\8£
¦oåc—j9^ÐbYHËoùIà3Ò"¾œ½OÒU›7œëí
Ú£xÖ°´ =|MÆË•’ë�é÷\Êã®›½›ÊLs(iï*{–2w}À ‚Sq¤”œz¬4XBc°ˆ/­ù
šNߧ}‹ÆO"¼¸ò^µ¯Å•m¹•÷h„‰rd,ŒÛà½ûJtF ˆÛÑ�W¤\ʯ¡q—�9-1;Š’‡Vû·U¢“Äç

+	a¤)•Y°žeDÿ­ö‡Ú—«~‰ÕofØB8ûzIÅ‹‹—�ç"ç6ZŠõæï?|ÙÊËûêÞVÓjˆóý ª¾$ù…è¾™A_%ãè
+½=7c…ÙG¬èÎ35µmªâÊÉmqZ†\B‘[›¸46ÊÎõÉé1‹äp#T‹ÀY̼†Ü¼²µ8c1@Ìõb$ýZÃ>ËA‡ýÿ Z*9/‹[ qM%ÛZîÔ3Ÿ"Å÷OÙýklT¢HFk�mºYüéA3—¾OpkÄ·\;±©ô‰ãìµêOX.š²ÃÙZ|©9K>�ø��
+[L-‘×_ÎlrÉÁ~Õ?·åSç& ‰Å¬}+ž¾†¸WfÊ5na­¸À®ª|êkS=öê[¢8ˆžºÐ(ú°Oæ*ÔØ…ª\LêÊ°_PÄê:‚܆Ÿ0
+o¶d©W<DÐ?§|)"¶úšzœ8…û>r‘ÓÕ$EŠÚÜÍyÆokjÄÀ”*€Ò¤'ñË']Çåú®8šŸªBžß%[Ž1FôõU~zË7†Ÿ¿Ñ&¤”D·=.Eå°¹úiˆH×
|v`—þ/õ«”WÕw°õ‚I ¾ª@+a®ó(©±ãA5¡=y=£­ñxç>USåD»<çÆÍMU�Ô›€ÙlE—û†wRŽ{ÞÉíkGo-îçDq±¯R®¾…ù ¤í€‹p¼ìoB:04B»Ëß
*pº¤¯O*=¾oFäÉ°�ïCÀIüŠkú$ÛÆ�ò
wLv'
+�OêX¡gŠÛm9#Êó2Ôq
+ÓRLvÏÍŒÆ/Ï7Xy!r8Ë!MÔ4ócKv&½›Ä4á”UO-EyÂTóT­âÑÕì}3Þ5ªV¡H·>”œ³"M*�œjnøÏ3°ï|Ú÷×’4²�{óÝéL¬!àW”¬Pfœ«ÙýFGó¼Õ‰}j™jì»�“íRÜAñÓ5Ý«rà)vw º'-¢ßGrËpnvÙ1AÛõ ·ºó\<užèÃbð‡ÖhQ�jÄcñž­Š:DqŽz,|¸>1sNñ&b®]?Mr)smWÅ€Ñûä
ÌuQØÉ
+�aàùÚîjäßÜš¨SÞ‚{ÈTvø…ùî)x“›”Vˆc†šçùÁüÿÿO
+æˆù_Ð@endstream
 endobj
-711 0 obj <<
+965 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1344 0 R
-/FirstChar 46
+/Encoding 1915 0 R
+/FirstChar 35
 /LastChar 122
-/Widths 1350 0 R
-/BaseFont /YWKQHC+NimbusMonL-BoldObli
-/FontDescriptor 709 0 R
+/Widths 1921 0 R
+/BaseFont /IJVGNC+NimbusMonL-BoldObli
+/FontDescriptor 963 0 R
 >> endobj
-709 0 obj <<
+963 0 obj <<
 /Ascent 624
 /CapHeight 552
 /Descent -126
-/FontName /YWKQHC+NimbusMonL-BoldObli
+/FontName /IJVGNC+NimbusMonL-BoldObli
 /ItalicAngle -12
 /StemV 103
 /XHeight 439
 /FontBBox [-61 -278 840 871]
 /Flags 4
-/CharSet (/period/a/c/e/i/l/m/n/o/s/v/w/z)
-/FontFile 710 0 R
+/CharSet (/numbersign/hyphen/period/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/r/s/t/u/v/w/y/z)
+/FontFile 964 0 R
 >> endobj
-1350 0 obj
-[600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 0 600 0 0 0 600 0 0 600 600 600 600 0 0 0 600 0 0 600 600 0 0 600 ]
+1921 0 obj
+[600 0 0 0 0 0 0 0 0 0 600 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 0 600 600 ]
 endobj
-702 0 obj <<
+956 0 obj <<
 /Length1 1630
-/Length2 8144
+/Length2 10420
 /Length3 532
-/Length 9011      
-/Filter /FlateDecode
->>
-stream
-xÚíwePœí²-î®ÁNpww‡à>ÀÀ
-h
àà
-ºÃ¡¿ŽpÊ!Õ×®ðŽdÚ�©Û£ˆëIÌå1ñ:–¹M	!LŸ+ÏS·×Ö:çñkÏñù È[œÒ¡±�Tlü+Û¿-ë•øET�×—mÚ<oR[¼Óf0ïw&±½‰2eé²G$QnXß´gÕíÂ_ÙM0¿³­Ë]ûÛv¢�^íH•%Ü’(ª»Mðîïp[¸x³ŒÎ¶imæéú‡¿ë'
Ú„ÔEÛ¬Ó]ö~!�þãømý­g­Rj$¸¤g2¤’Ä¿ïßæ�BýôQ2í¡8¹�ò*Ö!rEºg²Y颺.€ú¡Yœày¢f°‚mÆ™¹@aæ�t˺—�X[Y¶˦’åA$o,çí„Ùš”ÜÝU—w3&´|!|—
Ã8¸XÁ⨡	
-µÚ4‹î§AmëÁ$‘u]žœ¢¤é{þé
o)¯v­zÞ·þ°ŠÇ~”0†S¶_EÑä¿XA^Àe#Ì”ŒCš¹þv৭
-ýƒ¹`Z¤†.,¡®Çsõ*haç"¿ñíéâ2üE2î$ÏOt:Š«
ŸÛ¨C™`öQÄ–ìëñçO¤¶"æ$:lþa8§}îsž©j“vå°yD±^¦ã z—FŽÝ†ˆ©DÏ®Bcvg�Ö5XØwχ,Ðiu–ŸòD~i|Ó²DR8T‘ð³ý@(åÚþ{7ŽvŽa±�Ñz]|vJUånÖ7ý°z -’„Q¡¨o�3mïønò¶ÿõò"±ë«Ä(,XF�µÞ.¸�qK0I4îÇîÄ{¾4{_(ÓLéfÉIˆ*aGÏ]¬]¬jaáv…õªø²!�]J
-jEÅÖ*
-Ý–”èíC›ÇO/äÊBEQwÚüEšm˜§/ÞôRų#m ¨ŠçöØ
-o<sW,³âVݘ”43>Jªb¯-ûÏ¥š¯:ÜÒmSÂcòªÄòGµ›½�d–�ÝÒ±çfÐ
‡ï*7? Œø¹éݦÕáˆú»2Âœ;ä!X25#ÐjÓ¯*™Zðg‰æ²M¦Û�&=N
„¡#‰�ñô�¤—l.gýiŽõŒ'S"œ+€êæíFý=õ1¸nWQ5’F”ÕØ#Äù4]P³sÀ‚Y~ך4Á†Ç®~„ír	ݯ¨¨è&K‹�F¶òmis–rùÐe'¶“ná}%’,Rñ|ë,ã>aL¦CÁ!0Y1'Ü¥çý�üªPXXÊH<–êĨŸer¥¹ãy�På`C—@Gr›Ô!à–Áa•NºÎÄ{eBÀ…P}jlî'qþ	z#„y	ڬȧ¯úc
ArÅþÃqf§7ÅFù{ÂÎ;x’›¨ÇOÇ™œØνC;óA%‰|�ó;ÚŒHö“IÁi²Š1€À+,lÙFl¥Á�xI¢ŠØcØ,ûœÐ×­o±©yÞ<œ_4Žø&Ñ337c†u¯ëКuÞp¥Ò+¥ÖU´vûŒ�±³Æ¡ŠyT$Aø<)^�Ô1&‘»¿¶Ã†ídD™.w2ž¯œ$à°î„�!ðØÌÎfíàUœÚ¾QbÓ“›Û™¾ù*¹»$‚ññ8Ÿ°íBŒaº¹?'‡emj#§„böm«]²x.+„ä¨ð.]Ã8$Goÿ“1ŸjÏ‘¯G…%Z%½3WÈs&¾CÏñ=	é>4Méݲk×]GÕªßMÓN~|ð‰�,ï0Jž±�öfË”Äzž²"Ö,¨Àå¼A
-/–Tª1KÄ"}žŒ"Ô,®ÿØm<n�^Ú¯™»F¾*õ’ÝB>o¸Ny\ém<
-~Ç€ŸF�š[pcù¢3yŠ˜…Š\ØrJn‚Kµú‹ÙváçÔN_1oÞAM¤œ“*‘~à0sæQ@Út
íÁ~Ȧ.ìó?–µçã’»ÿ˜ûnW¿	mC­åÚÅ‚¯•Rî“CùW&Þ„Ù-’ˆ»[—CxþѧgT`&1|ÑJã—1`
~	�PVƒs
Ù
Ç„ Ú)a4»ZÇ[X€ÆF¹”2‡;mS¢ª&ä GÅ*‚b˜Xõê¬ÌyÏë:°íMhÛÔÑÜ-¨‚Þ¦!anPÏÇ”díFÚüÚI·«³J 95ò«‹iYïIôÉúqËñú“=ŸÑÒ~±úMuk°¿„‡dbM�Tß\46ê:Úq-u.Á
-fežÜrßCï£
Üvµ~�~1«e¥#Zç»×ÍÀ n®hÆÎJ/_Rîd{!ÏԺǤò3ìóðæ÷`¹’„¾%1íc-qlÇÙ‚iW¶tcL{þÂ�ÄkIcl1‡E5Ã6Ѭ 3€wXGZ´/dÖýÞ=“?Â5¨r!>Æh~X¾2
-×IÙ.Ch’Ŭø^AQ¾f!2¥ý+RS¢°k¾R•]ÍmËç ëDuÙ˸‡è™¨tÓv-º'÷W¿6ÐØW#ŽÛBÐô6Qº9É&˜7`~b8Ìêa²Èé’gΧñu NvA —’ÕW”Ÿm´ifø!:ú4$¹	÷p_£¬eæš÷ײ‚®LO„yÆ0Ž6O Û—�‡œjæýgWp„å^eÖTiDÞ6}Óû—FrV=+ìs¶ÔÈ·Þ:Û;§)^O¯©ótoibçWÒóÑ©„#þ²])Š2ã°À7
-�ZC¨JBöjü
-|Ò‡b9¢Ý—B”Óeß¡#Ï^+X¤½š^Ô€�ã„R|ÿVöàÕâÞ¼ÒDNètúÁQµd¢L¤–²ž3TKâ³°Ñ.ëÚÑÕ�S�ÜO3†<—7?¿t—Æ<ôÆè¶?„^K”½û‰ßè€wºÌyÕ…O=Ña
Ô]:»4aNÚYW¦$ñX“S
-sÆ@es‘Xü>¹eéN!I±rÝ<¥ImÓávL^Vc°èé4%ÐvcŒ~ŽuŸÚ:æšÐ(^V©FšÉFÊ„5¦@w:¤ªO!¸Ò:¨M„Páüòonñ=¹/)‰=D¬™‘x™( ;o•94‡Í‚¹m.Ïÿ&yj:f•…
-�ã¯ç´½y5âC̆7’gjóÄâ|ÈÂÚÔ¤à¤ò„[ZÓôÁûòúêFù³‚V"vÏ[´¯'›0¡'Øüˆu‡Haq>æ–‡›äã#‚
-[ê©úɱշÆ#]ðN«³¼6m¥‰8\mm×–æO*Ídœà?Ôd&ùãͼbÀ`›ÂQ EÑö�ý¸R>™üý‡Âk<7½¢ŸhTª*ñ!þ™ï¹ûXâ%|‰ddu:Ò_'r䕯w–Möaª4¸Í(#在žÜköÓ?%
sö)Y~;=N³2�€�†»F�
-ØŸ;Â[·^[VÕG
ô…›�Ë5a¯Õ<M±kÕ¦1±¼âÜ0°«Áé&%=ösݨÃ8àŽd*vHᓯÜh¦îÇm0²‘¹Ñ5ŸkÞ²±�ê"Ÿ¤Çµ©éì¹Ö-w^þbYm�(<rq=ÍÆ$fò»Qf?1áùšÖ—æ“|!Ž(]U˜Z²*¹¯êëýe<®mÒ…œ¡—7Å~·À2ÂC®,0¸úG”ý
)ÛùáHÁšCEÅC2ÁL>þ·«Ê/qhÃP៻AxàIèŽòÔ*a‰íŸñýi�"ñ”Î�èa¦J‚ãU«¿hè6[é¹Î]¶ú£^þ
Wœ
­„úž@Ô	ú<O#&—)‰fÔ—†Ã¿7EÆ{ö`A#£(ø.‘Ä�âW¨J¦½¹}+4zØ4ûuÍ”�[1[Èhü]	¯VÒM¬Ãò˜ìy/*ï³›b÷	ÎÎ/ÊèÒšiçWOcFb)-}�q‰Ïœ#6ŠW*Ü¢ï|Ë>ØÁq‚'QÞG«Á.·C—‡¬ö™Õš#ñÕY”…ý!A¦S3çìºâÆe²OÙð<è4ËÕ�hB\ÎÛ/f–Ѿ39ó6
©ÇfžÝ†ÒanÂÁÏ×áá–>Ï€V=Æ]‘ïÈ|zˆ•T°¹ÝH’“=æö+•ÜÐ�~áâ>è?¥ðR­M	:Öª�”¬¯¤1ÕUÓ2jmƒ<ì &oÅ•M<Ã,Aí‹KoLÇ/ ÝžKÅ7™ ¡„<¾Cšì+Í5Êhk£JVY+x°ÀBú€ÛH¬æó§˜W+°
-Ú�n3!©E:qg^˜½“çEÉHûK뵋Ùãi¬r°"×$n�{G4.ö5b
-C'75¾caÁ¢ãmƒž•å ûZ *œ®ÉÙ
@œË¼,A¾‚úqhîA¨øy#³
-1�jÚlÑ&³¤=
-Øcîmë5+¨38…y-5�*6Ó¼'G†I¡s*Éžš<ªf'&Â÷ç)7+9Si|пŠ·ÖC7¿¦´kEª3¡1/�`@;ý‚·ÕØ%T¿h¿÷mUBÉg€Kj2ç3gžE>Én+p×úˆlJ<2A1ƒÊÆø4œ/¥Epz¬&ôìÜ­ÿH\tõœÓ%±_~MgþD	õ*ÖÆÇûÔ³� K½?€÷£–ò>#¹ë��lY–ýaIø�
-•ªÿ­^²~wå0§÷>¬­i¡”Ðer;á2\ŸS2ûkÿÚÙJ=ñ8��ªÓ�;åȲ¦p«.©I*ΪoFãÄjèŸ*˜®$rرpVxO)ß-.LòV"ëàÁËð:¾ßOw(ʽ +X£ÏÕ½ÞÀ
¶aøz·#
OÈ
-B–y´S,¯K.Œ¾ÄJ�'7Z¤Ýiõ•®G@QÀn•?—‰†Í_#ppÚ“úëslg°ˆ!PB0ŽÇ0!)ô	j«ïY:FŒ›|ƒYÞ+[#’¯f•YÞifýP!`9†„øQ1º*˜¹’οçÿ1›†•Ò»=Iù NeõÉ #˜'g€"C-†óçþ9#Èï³Æ<4Wkë]
-�bvÑCª¶<áVÅák…î4ÛFüÀãó´[OÝ­É›þ(œ6®°Gɹ|ðzCà"å:.B*´
-ÌÇý¦”ït†ˆQF'£•W”‚Jî‹ö¨RZ»å>Õ;v×òu
"Bä—,IÆ÷
-?tBVå äÓÒ·&ŸõaðÎ��Ñ3ã?ì‰ðˆz)ýþŠË¬MÜöõÇÈR‹[uY­Êâ™xŽ(ä©rLx¹d0©Ù�¹9›—€¹`eîWœŠjÍ`«
rëáeÕ0Eg—¬ÀpÛco:,Cú‰–èÓT`T콈l×ÓkŽÊ]5É�_oÖÏ
-¿Ø„×óF¶?0PA–ßâeP¼šxoyT×]ƒ߯q‚éWëÆóªVüš
'ƒ³DŠgªš­µ©’((�_«¿ª²*ÉêjÂÉÀhýìÀß,[Rz<™ð<ËXs×;åäÚg&Ú
-¢…~/Œ%뺋
Í_
g>êµÓ~ãYbŠ5|
-ËÐÿÁÓ6æ›.æÏcÖ(‰…4�Sü4ºÖ. ³îñ à“ò<¯¬ˆ.76Ÿ?õ#»��Âoyù£ðc
™2ô2Íû>Úé	\‘ðc"l誤çoIk§†²ÇÝ‘Ïs§§+Û¤ßÈ„ÊMðʪìW¯> ÕÅŠJ~à‹“ç—=�6óÎ/QP<Ž}%´5�*¦²ÍÌà‹r][¸„ìWMfRA¾.¼Ôã
·v’ówØøÍÄVn®q»7OçÙ`°W¹(ã#ðmL¢mÚ¬61$"ã”’OãÙ¿
-�F
]bI“•C·v0ô�]ïsŠ×V*à&Æ:-H<c°1ñõZvO(MDÁ™Un�çÖÃMLw¦¼9Ìʘ'f	{­‚HòZÆpQ¹e熶c08*k¿^Z¨¤�ü”÷« jÒ ®íVÅFDøqÍGLÎL[Þ»@7U92ÇŠ ®•pTæÁ_Š6E{E-”»ì“¡ï–á䨓Ôò‰÷Aé‘E
-�ö;)Ó5†90öê8’ÊøïSÏ]m/‚ƒÐ	_èìûD"6ÅÐ
-ó/
¤¤IÝn×ャÃH£�J©´Á×í£\^"^?m¸î#ÜÓã­¡]?Âǫ̀ôÍÄ?õ}ŸÔ½�ºCCv‰ØÕÅóØôÉ‹ŽcÄqÙÅÄ 1È‚ÓÏAK–&ÇqJáw‡í¥óðq-²º5{Ü�9cúxsœ…vtàtf>Ø.V/èàl)]ÆüjEÞ)â06¦±/ˆÅˆÅðŸ—Â>¦O9L:»åcþ‘o†,
1ÜÊÈ6dðdrx·±+
-þuch`’WZÔ�6¿©Rì2oŒ`¨ÍÍj“(	FM›c¢JÃ�«Ê<^=¢fÎ(V«¯|^z‹D­Þ
»©ÚÇ�«×4úóeÍQCf¼5-LØñè‹9¤ÓlêÏÈßiÚNŽKš.¨¿’ò+sÈî/	ÙXй'ŠÝSu÷ _g““X®d–²žÃ2ÈÄÀÅtÑ"Ý
-GŽ—z�¥YƹQëкtšI–X˜‡1·Ee#§r}›áŸz±g˜$>ÈÕ­&)׬H1ì¶SdrvëOËx0P(îée¬-ÒM`¢!03ðÜW‰M^®#Yâ
-.„²5ÚþÈÖñ^ž/|†Saï½	ô»ØIvê
-Ý»ê}­€‘D=Tÿéâö·½‡žëÑG]#ÂâuöñçP2ÀÂ,
-ï:/ÿ©Aàéžµ@vô®ž å—þA·žÈFàQ=á'ê²_Z»ÔÙÄη+YS1¹Êƒ”ÞTRcÖì`Q�œú�}V›v1g1�ÒŒŠ$|OIq
@Ýsêç?ú¾óã°!¾,»Ö.qðŠ×þeËŠ”l~a;$gõ…<¾9K„‹DüÆ©8®À¶IÁI3ýSÈ�±$FïßûBßP5åqÏ' KÇ|µˆ€€
‰¥ÿî`Ëf_>´«Í@MãSì7nDAðù�g·u{<úzoáiC&‘RÊVçÇTA¿
Wb-Î�ŸØ]2PÉ™Ð.8ÙËÍÙ.ò¯j|ƒz�]÷ÞkZlü!½989Ÿðd¶aw¨É¾ ŽµQ
1ŸŒ¸9ŸTv2@&*•šíùAùÿÿOX€�fήŽöfÎv(ÿã,bZendstream
+/Length 11283     
+/Filter /FlateDecode
+>>
+stream
+xÚíteTœí’-îîNÜ%¸{pw·iÜÝÝÝ݃kp×
+äh-
+×u��”ø¦ñWÉê!r6Y—fü…øÙGRŸ¾yKR‰vUå)0o+Xä
+ ø`8ï&-Ô§|_wñ˜7¦æ
奿i®™ÀÂÆC6K’kФZqÿ©Üõ-„8ª±Ïë½=Iæ¾xV@f³6Å-ýwË�ÄÎûñÌq#Eûu$u±ë5Äel&Qül‰x„ù»ƒ#MeȦ’9ázÚð¤Æ
¯ëÃÈ E¸½ëâíŸ+óˆ°×CˆØ³Üg¨´ä·[¾Ñ÷pÒ!ìSðŸò“Ø›9"ÐbòMÀ8Õëq]yZsY£4îV¯—…d<¥siáøÞù%Þ«¯ÔˆÝ¤qg'ä·„ãKä´¾ÀGq!»:½mQ!!&�ßa?F±1Ž»ÁÞ�¥Y†eP.hNø­1!/­öã÷œ½ð& 
‚¸a©7hèÛûŒýóÇÙ‡\š¯+D®ÉÑÐZƒœ0üÓvÄù�ØEýÉO¼ö~&ÙRm³ŽÊø=�q¶qÊ¥¥»5ôÌ”ëb_
¸mÓa…©!RÇ<Ê)¯$KåT¾C’"ú3LºwìóÏ
#uCm…›®££¥b·B_iÊîð¼	]7‰Œõ�•
ðeQ ,®€”]®ì­|va!Ø;ýF‰E=ÅÑ8³¬5)Å¢u,
ûÕðì^È ›Âê‡V+ƉC~~UY›¿>%<{ïè—ÒQs�…ñpbÈNÖi¿KÚëC/`_IL»/\x7´×´mÂdšØÒeÖίð¸‡^ìë!>ûÙ;æ	ê¹MQU,¯ÕêÓÉKQBäg~—šö–S£,QØú¹¸_ìMjŽCçqTlÉJ6È£¾šø	(Ü×}Yô*NY�&Xìs'«Q·’RïÍnƒa°1³'ù¶¢;\´ý6§eã3Qº7¢RÜ
+ã>õû~
+[`Ï—Ì/ù®—�o
MyYU‹â¢/ÿ¼Ý›Âœ¢Ý�ˆÓ[³¶MlÆ
+ËšÕ˜±{[½¤-üyª!Ø¥ò6¯Ë,ÝÏ–r‡{ŠÒþŽ•ðRö¢i³4:»ŒNt8¬¼GrØ¿š&¦².ÌP˜ã®—ae‘©Ö’ГÖNTX/ïbmåV¡îé�1âûœ9åì¾ú;‘ùÑ­[BvÞÄÏdär{,‹&z¨½tEÒ2]A	fS0ò}úö4kwçXN!ZÔ¿£I5�·›_m—Ákˆìˆ±—|šÓC„�8Ìx^]·=´–(LHžI3(ed7iwã—⋪%ú£%wÚS?�{drS[nA½G›;õ>Òi´ý'mLG:dŒhfL{¤ÞzÚGÛH,UAw™Ö
PÖê�=µàŒ dn¶h˜¥‚Jï
¡ßÜè{ruIîÏžçS?èôQÚØŒjT3§Ïñ¤ŽYΡ¯jã"»t¡EM>í'ÎÄ—·pýèþÉR
?©0 o‹Oï|Ï‚®š!\Õsø” ¶ìOߨùu
+/À/„¡œ‹œãWÃ5t/‡…û’ÀÈÍL´ÀhDÔËá磑À÷7 �
+Ö«LA‘G´D©(aÿ	à;ÔAG´Õ JU;_^\‡uç.-©¤î,+»¼Z‘=•¿RæŸÐò…FIجóÔ~Å�Ç›º1“|÷dÈ…¾^¢§ =Ô**sç	«
n-�Ø[”Ú¶Q¶�ñ¦D•œ1ÃØu®KÁ¦¿µÜ†y€´Pä�†c(âÏnh0(iX²w¬N¸×õ¡ÍI˜û„ùÒ¥Èæbd¶ùq0«s°
ö؆¿-ÆN™¦}ümšŒ­ü‡+ÈŽšœ=zàë…qã�WÈÅ+¯|jeÅ5Îtÿw�ˆŠoµé¼’{„Ùdã
å”=\bHv8†Nt{„¿_å<˜m«3²”K,Í"ëT)(ãú`ÙP¸&«Âo˜«·õ£C·’=øV–ŽŽ‚ä±à	Ë1>F,.6¬z&·!^ý‚÷ž
·
9š/–_Ý‹ROnOs!ºð±
+
ÍœçIËýMãèY=±Dˆ*
+Xÿ÷Ô­&?=b¬;”½î‚™ ¬«zGn£P6í±ÿ�û±Ù‘,œPýgµƒ6å	Åù„
˜:vn‹
+®õgJŒGâÖÜ3ûRÄë,’� Órw¨¾}óã”sᓱx&á=¥Ì\_Îƈ߾lz'¦vC>_	€1Ä8ïÁ'nX«ÄÿÔ_>E듸è3cióú‚"“š¿X.,\Œ:ÚÎä½s¿
‹Šs©h‰74’žÅïM$úÚ”t¹A�¬Å�‰V%è¼Úï¯àF�ð¥ìÌšjIp0!{»¢”§îYý2™‡5¥C)›¬ÜgªïvPc,ØÖ1#H¼l€àT3%H°øófØú��ï{l;¸¼ûü
Ó	
¿@vt
MrO;¨|¡–Ï�즪ègY§ÓùîîÆô[q£¿èÄ"
…�W²Èj7ð!¸ÇŸ�nV¼ð’"ꘕ¤i$| ðæjlF
+ÃÚ¶lóE7÷³3™N/,*+¿PC.m.>ÊÖ�Syü�Šô¥–ƒ®v«~@ P2ÝÒf­�NMTP-OÏ<a-€…>oIBeqì†bHpæÔt‡“ŽÄqj
µ¥�u!Œ»MB“†#z«Vk™…ó³;¨b„èC5ãAÆyÝYïØü£D@ìpøÃò¾×{àOÅvcwQŠrøŽ	€e·52åeú/ZLé¹ÉË`~>\‚hX"'N¡�Ã$wõ¶!•õ[5ièÑsh7â”›Ž›ã¥ä»�l—Ý~ú,;>Â|¡bŒ»-挟 B—ík.D¿ÛµËïÅÓ€”ÖWQ”‘]H‰Õ÷gÆPіتïS+ØT
‹§y3ÕúÃ�‘›:u–ù�§™Ã×
&_¡TT}4ÞÝÛ˜­¤¢ÓM2²%Òì½#øE=
+�;½N
+¸»v ½Ê…éÔÔqKoœâ\¶Ý€×Ÿ0	hïóÚR
+¨T5=š€áÅ
+•½*V^¾º1êrðŒ*
+®é/Š)T,¯}«2lÍ,ʽÆÎ[ÙŸMÕ° Ú~(¤ÞQò«Žã¶ÚœuÁ3°QÑ•×46™›œö¬}Ù6tF-„zôôÏ
+x0Æà K¾�'¯g~y÷ý|Ž°ž¡CCëLFRçÔûCx“U2x’ì¤Ú€òzô8i½‚“ÀÀºP &&åËkå‰
ºâi-`JÜ&â,¿Ý¦¯˜Á¦¯z‚+Ý°G…˜Ö¬l†0ÏüÜÖ9�oHƒT
>vüŠ"nC1Ç=ˆ§XØ„?ýËzñŽ7½Ò!·51ضMcÿekxnºÒº1Èv&ÿ%V¯ŒQ¶Ù¾¡cÑ4~€Úgo¡ =;?§‹c6vÖÂ5�NCÞ0è+wµ ý¶NùLCª•û‰­r,Ïbj¿ÞÀ×Otm‹yã«÷Q±âm·/SVæK|“D|Vï�áEV<Q¡)…xú—7'Õ^'å´U6�æAÂÉ¡ehSÃQúÙì6p5=‚ÔKÅ´t,ý‰>
¯-¢A–×pE¸6¥]“¼á£Ê�h3–©pD’&ä£Ä
É
+k«ût‹2üWŽÜª|nÈ<~'>m8MUš™Ö²Z†>?nÆšfcBeµvG5?ÛbêÀ:'	ñ”"en<Ma f'2$ûÌ]R_­I¬‹ÃXż #—ˆd}lu>ërv×Mq(‘¦aíÅýv&…æäüá —<šµW
ˆ¼üe®vz{óü·ÄÜÓòŽ¦G§IDÃ"b_ÖÍ%ËŒ‚²¢êx‡Ê^‘$Û„�ù…üÆy
uÁéQ_p�$@ÖU/Èãˆ(w¡id-êl¡å¾kT
+K§4xÈÔP¶—ÛÛ‰Õ[û‹ÕÇo›_¶¤uÃwü`@Àr4ýÃ¥�Šùâu�.Ç�c^ʈ~¢{ªŽË�ûb²OÁw}ñx×—`c™ãø?$?q;a—C¸GKÁCÐJ&Ÿò�"t¸§'¥=€gh¥Þ¹êýs§H½Q”þ�¯ÙN0ViT®I‚ÀRÜ#Š,šõ@¯»Ï„S; —nÑ´„(ÁPþ±Óí'ó±÷t—¢ç©¤ç‹ûø?0õK*`ÁÎöÄË’&8¡ßçöìd„ÌV� }¼·Õ0£¢²Ü}çŽ	3ѬÅ@‘Òµ13LëÃAÏNÓó.WN8™œ	`c¥ý
+üm££�O<�+„ºlMË´�p~Mý™[ñ©ø·hÊW·N–&9_	9øÂåÖ ÒgÙ0ª¸Lt»ÈéX+sÿõ„&ûI*ofʸèÊ
/ŒÀÐÀƒÔ[ü"¤}.¸ûæ¥c‘�çäß>3D|åOVη}ðî
+(ª4rQ¹!Yzˆ‘Yù_‡u¼‡Ó´Q½Þˆ®¸ËÛÌ�«
+|ø2C¸Yƒ~Y¤¬BþLŽË¬ðLÕûvè÷Í	³˜U@âçÖ¾”5Ù¹~ÜCåýŽœ—®‘ë†<…¡ÚÉ¡�È„¿;÷Un¹�ù¼‡	ã
à™�9	ZTêS½D,f¥‘j@xqÒ–iEÐ+ž²J>`ýáìÃÕ´Eñϼœ#ÄñN%€õÐ7
+
l^¹C8I‘èe«3ÅA¤Ã¯ðÿØòk¾�Z¬nk¢ªh±¡FÃ]ðÙ›·²îtxrJ¼‰Ù¿bo

+d©‘¯l};�¥ZòM«yŽÏ‚ÐÛe´Æ;Î÷kßíªêÂ×¢èCsú?êÂr؇VÚýV.K“.ÅÍ"ûUg§ ™áön~	vµ
2Ävgè"àÃ\ôAm»)Zÿh”RøÉR¼.|y÷¹'"ˆ*&–ç>�™#xr§cm¦Æö0žœn³‘=ǤslF�&~k2E«jlþ¬ Ƈ�f„ÃLbJ&ÆRXc6¦KnÄÎäÖ¹˜O"êûðΕ¦#{äÚª|^3ŨÊ;è44Âr1f5)·g¼_
ì(1%Õ
+rÒŽ½wÂø’>;Slêô‰‘5s¼uÖ²Å#&ëA¬!­ø5çÈÔúÉÂbªªF%.ïîÐ{ãRU©ÉàëNyÐÒ6½/ÚÓNEg“É·Û¯êÏò¼�hžNº�–Ž¡]Șùj©<}crÑ¥d�­!]ìÜÎò>þ
ÞÄ	÷{€m�6"ûªùø@P¡S†¸s}�'V%ó.£zùˆí]¡I^(ÛùÌ6…–¯ƒÑ|4âsæþ>êYÈ-Ï:�´¢Ù2åÁÅs(×±@¢
�=}Åæ—U·�n6ÈBC¯>Ç!Âû@u=å<²—1i=íÉú=ƒ-¨òZ—ÅM ­
Â4÷–@tõJæv‘q½ãû�´yç¾vr«Ï„¾VnEø„}j*7Si‹{=‹Áï£!æXàý1±J ='»Ê`W¸îÌÒìì;ïD}Âv-wŒ$ØM0½(ðö¨ÍéM$ÀzCç§ 3ß3XôåB£
+°œâ
‘1é#V�~Ö¤›½hBñ
åùjtw“bsYŸ´5	¬˜ºÿ“,W²ýÖ»X,+'z7ÂàOe~a.!dÊ«+¼˜å¡ñÊVóÎçõîú…*>3 þ»m'¯¼ŽpFTYDº9HÁ†“l�PËÁs�à–Žý„Ä&ä’ÍåìƒÔ„¶“MÊBW{a
+œây[ƒËu¦YÚr!ƒô$l³Øa£.†þÌGƒaW]�èPj©"!w�¦k?…Bm$¯œ:#ϯ˜R¡~+Oø0¹`5ÌP(ÅÍé=vÛ
„ú"þÀ‘—Ñî1+…¸Ý¸&ߘ óÚ�*-‰Š ”8ÕÐYNÒcŸ˜¾üJìsMQj[F¸‹kzéú¸ä(ŽÀK¹öëÎá½gnä@@m35N-Í˨d²äí«hV]¨Áà^ƒì÷¾­Þ uŸ÷ÚÖ¦k‰-¾·UÉ[~¡�‰è%?Ôé·SrJvı}Ñ™¾Ä=3¯rêÅÀØ›uYoaQ•L}F¡©›§ü¡à:Ežir¢,sÊÜ[<z˜¦�öÚwR–o'«èC=R�p3s*£_Ë•Fª!Ñ ŒLïЋ˜¦)§í>¸©¿ÄG€ÇàðÿÀï>Â6SGÄT¤®I;@|
&ÞHJstÊk=Lig¤5è‰,þm!7ÿîág=ò"Œ
+<uHîPe£C³PÍ2EíäÁ|ËMó«QX³g9(bçŠvà‹÷µ/’TÂèó¹ÂûàEÔ’÷¼¡¿J£ºV]CG ;f¥/ÁàL­÷mˆª©’’ùê#°ð¯¸1¹C‚U=è3TnÌó´sS_�vçahîÖ5ImŒ=_²ž‘•9–ãÆ›Öo!|>i÷.T+=a9?wô�²ÅùÄ˺éN¡¼‡Q²¡\Ýq.¿³lߣ¯ÚÌMú‘á£óäPêç@lʼnT
+¨JUŠÆ•ý¿Ñu3·àp G„‡ùbÃéÏÝDŒ%çwì´¯ïª9áÌ	�ó5SsÕþ†ˆKë†Üœ¼e}Vô™¡)‹$?·,V�§¨$Uã½cNùÕTD ½³#éˆ
F»œ±´Å(EB‰w%È
{|(¬3-I™¢m8W‘r…XÍe«àÞVLL¥Q.*Gõt¹IÚ¯±™^_Ø“’ÚÖÈûR˜Sö «îÒžÿk./·9Ï•ÅyÊo •ÓwÉ×°ïJwYâ‘ϱî¸6eÉÑœEɈeósS}¯E±X8‚ÕË#¤yã�¼ŸKuEüì£!o´öUöä”óÏéŽÃZX©¨,M|eÍóÉÝ)ƒ^»D¥?O­Ü��]De×a$p*£<Ôu¸-‡•²·HÈÁÉ'.
JØ QíH2³&šÞ–é{IênÊf›êòËŽêõ0]\³Ç¸,Y|egσÜÍ–Ø,’ä¥à¦¥\�ÂO°ÌA%h�P
ŽmÀÙ3Y'
Ä]ÄhÌýð±ÕÞì²›ODPxþõn�º”å“]ç7CåÎm gªô÷ËÜÆu“óm�‚5	:ª4kíusD󰈪KÀs¢'·»^Rå”X�Ä
)>M“£<Áp©E^ˆž+vxE$¶Æ�öÕ¸œ eMÁ$	÷Š¡|¨•ùìü–îø�Èp¹[䢧ªT«-ĺ	ô{~Êfª~ý
WÑ8æôQT“�yi¬W%>ùàw—3+¶ë‡IÕæŒ}'Î
'>š!	^ËÉ´¯ƒT%¼àn=0Z€Þ�Oi°nŠŒƒÔ'ó'~
+\´)(ät‹hß÷çuÌîÈÕyêáTÅD_.àÞM`¦_}\_i¥ê#k?×ziÓÍà‰Á¼­zñ)90¥7€•ØIgx¶}/b
+(Ñ-ì@¹ÀËq²<Þl™xüú0·¨gOyP} Å¥\’`ÀxªÃÆ°6‹9)ü<»^íéî�ä>ƒ@1è¥ôk5 ê¥5a*ìH¹4}YÕ	#|ÿ§¦}ý68w…Ëj*6Ã㸟QmŽECÁ¬œ“§ÄƒO�oül“³æoC’rR>s”Ù°ký“Xâ²Tþ--i»ê‘7`ù`/N…›'¶1	h<þS°=xÇ4î×ÚT¡ëÛÇ
Ís=@· 1~_�¶ý)î;ÎnoŸ*CHÖÏÄÒú`^¨VY©êKŒ·€’ÃN±ÍÉ
ÿ£†-$Û:5š›B§>™ÌwÍ?
+qÒ¸#q¹àÞMn¢¾ƒ†ÇU­ÛòAö5	îQ�¤±£-•²x^€’ÙtÉ¥óçw¸_Ü ý‡ýZ;Ô4ò#qó)ùtƒ/UåÐnp©á„Ͷ5ž‚B²W ÎQÝNk›‹v<§sïU'¦J*"Ñx«xóoŽú�¡…Á�Ç••×ÕqƧÇãç‘œ^¬³“RöéEhæå)ôd6ºØ¦Nr?â¿®¼Ä½`„ˆÇÐS#£‹c†MéáßÞÀ>RÝNf¹h}ù)æ_Èt€½
 endobj
-703 0 obj <<
+957 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1344 0 R
-/FirstChar 40
+/Encoding 1915 0 R
+/FirstChar 34
 /LastChar 122
-/Widths 1351 0 R
-/BaseFont /ORHGST+NimbusMonL-ReguObli
-/FontDescriptor 701 0 R
+/Widths 1922 0 R
+/BaseFont /BYOQTK+NimbusMonL-ReguObli
+/FontDescriptor 955 0 R
 >> endobj
-701 0 obj <<
+955 0 obj <<
 /Ascent 625
 /CapHeight 557
 /Descent -147
-/FontName /ORHGST+NimbusMonL-ReguObli
+/FontName /BYOQTK+NimbusMonL-ReguObli
 /ItalicAngle -12
 /StemV 43
 /XHeight 426
 /FontBBox [-61 -237 774 811]
 /Flags 4
-/CharSet (/parenleft/parenright/hyphen/a/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
-/FontFile 702 0 R
->> endobj
-1351 0 obj
-[600 600 0 0 0 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
-endobj
-633 0 obj <<
-/Length1 1630
-/Length2 15731
-/Length3 532
-/Length 16611     
-/Filter /FlateDecode
->>
-stream
-xÚí¹UT¤]“%Œ»kቻ;îîîNâZ¸»»;…»»»;…»Z¸ÃÔûõt÷¬ž¹šé«ýy“ω±#Nì8çY¹’œXQ…^ÈÔÞØLÜÞÎ…ž™�‰ ¦¬¡hdccd
-´—¥W¶·5ü5³Ã‘“‹8™¹
-rp²ÿëaûûK¦hïìâlâtp
üͪ(*þouºX¹ü“ÛøØ›ÿõ4µ7qýgKÿÂþÒüE]Œ€vÎ
-±ªVõ¶ý^Nc_ñõiÜ�¬æ§•Q¿ÑŠÔ+«ñïP�Y
ŸÌôZ#Ûõ½¼6SºßS7Cç0ÂþD¶X>ªO¯Æ¶aÕl¾JüÁøÒŠuwßùöüh¨ÁŽ7n-	ª}»›ËÏì¯ò[ùwµ gïèÕËä‡× †¸ºŽïÛ­�IZR
» ˜Yâu#1¯›t,’‹¤×CMMW•M�¬îÓ–$�IÁ]•Ð}}™ß×(+�X{—üÓHï=s]Ô�½í<›Øáb57U
‘Ct¸¹# ¹@
²KCúFúØì¸5Ö0ë
-ƒŽÊ©ˆtÝÊNõ‹æíùu§TþÝ4F¯ä‚™ϸý§:Ù0Ìîz2.‡8Á¤¥"ð�@b¹ð:Í(o`Ô¿kM.Z’#ï£2GYŠ
nplwÌÙm݆øf[8³")Ý-Ì>ØÐÀ"¤¹ú,�ï6çš#±VEÿú4Í ÙTÙ	ƒ˜êççX}×¹�F; yhȱ½ýx˜!:Á<œ?-p©yó�>sd³aEG2 ‰iħØä¢_,Ì:ý¡ÒI“
-Èú€èç“.ª¡Ü^ó!Ozü(~”@½ð¤Ê¨JïŽ	÷(ù)I¡É’!Ë[í¿7O’0	™(Öê/Êó#?ŸòtssÕï“wÏgWWÂù;í
-ivPS“
ÙL+¥6º:]ø¹à s¡†U²;nü[Þþ¥ºÈ…\F˜+6ØU«Iæ´ÿµ´*mg_^ú3Q;.~ÄHB/׌0w=>>b¦u¨„Ê>D_×$,?z^ŽÄ'dð�1QèQïþ®Ä‡:RdDc]ØS
-y­)øM˯ìý>z¦ÓÁ‘,£¸º!6ãã
-d-ãµ!2AnXî}uM#Ek}ÚÛÀ£>ñ´0¥š¥b˜)£9Ëà_dö%ÐþÄd'~}?
-<$Œ^ƒ™yJŠ³Þ·|f¯¡_XÍé65È‹‡xȳT#¢Ê›c˜Fn²äjvb¡"£Dñuô‰ŽÔ7pô¨Þ3kµ¢ÃgnI\H�ý•ŽxÅaÙvè#Ýü½ä®ªª	Å9ñD“‹.š¾S2Àôõî”a½)m¾Úò~€ûó …â#_ôI\§êë•/»šžÇ¬"ñI4/á°ø¹;øë3  ËÍÄõ?X"M4Óþ0ÿÔžóë:i·áèÿ„X
µOTª—‚ wgÞZ%•ùÂkéúq¬4Ò7&Võ1;»:牦¯NªÞºŠÃ™5ÛUÆTŠ1 þäX›V­!ó™!*N4�3cÅß^uu”ûZ¹b«îÖÀì䱇R©ù)sÈ3:ð¸$®ÃÜ}þUœEc—Ìuø
-ÌŠÚø,Å@Hˆ¹´z$¦“¢Rõ„¾®û£6pzñŸZTyûÈ2(†4–²7h®GœÅ‰Ý?5ëË€ 7m›TÞQ¤‚+̇�ßG.¬¿sŸ‘7¢ÉnYFV³œÜÛQ$yÄE%û²±Q´…P”‡¹°Ý�Üï…Žžbÿ	_0}}rÅZ¥¶	š¦K.…¢ÌUkÎÖ »iÖý	MÒwÎûÃä˜‚ÊPÁ„Ð’
-ÒÀ^Ò6¾©Þ°´äÀÏqTÑíö® çŸ$@ÆOo‰…¿§ dêVMäáêh‘´B
-ODµóš\ÕåQÝ¥Út‰f»G	û*NèlÂò�;Ö× y<n‘G£4°»HÆßyᆣ§…‘ÙÊF-x/þ	%³ znj·<Ÿè„­÷ô
í	‰ª	šR˜*¯xM®Ì6`C¨€qÑÂzýÖóçÑú;þ¨#f\êŠ��³pÉôâˆ9£ö…¿4ðÕ«är	ã%�MKÂê·³©3[¯ïm©ð–J)”úகç'ï”oéa} “S\±Š£zÿGtÀàØ
-�µùœw¡ƒ Ì´ç+;ž"¶ë¦Ñ?doû‘ööb"!äMeßÙ°°XƒÛ"b±-`OX‹1Õ�û_µ²F„«WaŸï£˜@p+ëakqÛ€ŸÐˆnYôbôóºL¨�RÌaóå Çfh#-!”„pe·EŸ¥ìªäÂh��-lS–Úq•—;`âB=)vÎ?{w
Ùh`U“m1Q2X—Y˜õœj‡ú[µ®æ4öZ$DT›ß°Ó5'B~´)2Ï#*�pãŠCñ}t¬Akª#òô%ä`)~¨ä½{�ZXܱÄÃÇ’@K'‚Ú3Œ…¯�QÄüäYÁE›kÔïœÖ€w»îTð³'aH»xÙ^ôÃÛ²ö³›úRÆŽæl帘k%Ǧ‹ÀŽ¬ßkN¶óš×„~Yy¬Öåwã;™¾ex±xª}Î�fÖ†'ñg%·”Kkø“
-ü…ä”÷FT‹K¨âŸ‚øŠRʲŽ[	Ž�_n™N>ßÎ2rWìÐc”r…£ã‘mµ%Ç}6	Z_æ6?ë¦VS¡|Y=!j­¬å ÎÿùPÔ¶ÌÅì€Íˆëb޸ʮòu[É¢Ü%f)0ÅÊE�6¾7�ô§N«E[.©ß<¼ÆÓ,
-ë®o|:o•ÚœÅSŠ%)Õ}ø=™)WÜÔµÑ;¦Í“Øøæ�“úm±a
εVsJvö@K£áûç(BÂ^àwðg�®Ð‰'cÃfBÇ…¼"(Q
¦î†÷´sø¬kÿåõƒk¤3N}óx=©ZÍg´¼˜ù?¯…šÉ€—\E¢ŒíoAËLÕ‡õ©Û¹FCcËo÷³¸Ïá€Ò‘îÚ~ÿü…On4G!>Ü-[·,3!E‚VQ¥H¤HÿÇ°
-+¢±�'£ë(‘gå]h’
v–i`PÚEÞ…W‰¨¹úmõ'>Më³&#kÃ^z’0†i¹"Qrå>+o
’BP,ºðü R¥ ¯0˜÷—Ü]�ý°ùc‡’_´6iY"ëf¶á=µŽpe 
îìI‹vfê"
.Ÿ£ËæDáišó„TýL-k,I•:ðkÃæ&ïJŽáóÆfø	”fŠ×Mž-
æ,Eˆ,‹bù8#^à0T§L’‡Tvn轸ÿT,5÷S> +‹o7ëX¾õ±“¸K«¶CÕTå)#«:
-W£Ì8DB¡ÏUÿ,”…œ'‡n#íÀ‹ªUI“ƒè®œB �
-ÎÓq$Mö—YêqH$Ã…ýuQóë®_¡Eë´½ó:`$ËÄÉ•!‹‰@3^[�ůiF@êU›ÈxcmÄ*k�â\yýqj_¯*]U|ë•ð;š:Ýc¬Qz�
-j*
-Ô^Ó�ã¦6¼ÕìÀU\{~t
-¨2e¹ð={f´Wdo´@°£Hüd·J¬‰+z$Õ²Õ(
;Vœ¬~]1B\ØLäë{u*ûä èrƒË�WƤÍy^ݘ˜Ó\2Æ,´Nƒ	‹ù}Ì3Ý¿Úû|^žM‡Ó]¦�
-áÙœ´7S‡zõ¶lܵº"+7Uý	dÎÞ2jèá+ÏÊ�"eåc¯/äcà Ã±m¯h:ÙÙåUFñì>Ä&ûk©³=]§¬¨ßîaêÉv)£°®4Ê	+pö–fÛ˦ȃâ²o•LdšŽÍV?H%ù¡¬éBi©WO.Gßæ@X¬Ù¬†ÐøÒ‹@jGxô¾±–rƒ�Š%}ê0ÿB"jì
4
-cyÑ=—Ó2ÂÊnüžÚî`Ìëá(å9Úv˜t,‚v¤©©äX
?r—ýØJH¸Œ›Ámòƒ å’†ðº£Nk9'~µÕAœ Xs{c�ήz§O9�M‡GÒ§]I-þ3‡Õ6Œ°€ã1bµ9ü»:ˆŸ¡
-ÝtÅ	çÊzȆ¦ÏÇ3œ—5”Ö<ÝÊU½‰bâånm
-l_:¾
-ÃY_ÂK¬ìüvE\aÐNJð�ÿÞ¹nèbWo@ü7•öÙ58±£–%\É^
-òÌ%_Kì
-w½Á-Bõ?ïmif‹
:¯
í² ŠÔ|ÑŽé.QØ
l(è®!mW´»âŸ˜Å>2adQ”ÄpO}UŸN†}¤‹—çäsê2„|97pŸY^½VSz¯‰*ýsŠüä͸Î
=¶ù
Á
;ݽZ¸k²[lC)Â0ÐÐx·8äý=ÊÕi~°‰Œ÷æ	
¦j>ÝÏ	cê
^´5»kú¨Û®¢ð
-Õ8§¥rצT~& ¾}÷+Z?/_Èà£�w4E+^o:g’,¸’/f‚Ò MüFœ;xóÝ†—Åà`öÇ‘y´ºù‡Ú÷òD€Õð•MU‰¸ÑµEh&¼¤(Ýn�VŒè.lX@ÄôÑDvx™ƒïˆß†)~–EËKNæpר0-Ô§(†3øÚ8»!¹ þÚY‡Lcù°ô4à7¬wO[(V›âz'O]’ùÌ1Ô‡ã�MÇ‘+¹Ù“}ï`¢7aj?ýÇËš–x¾1ß÷»0Á3ðy—œbHey‹é¶ßí“£…™âa44•bô|ëi¾«!Öø±w€fïü@åÀuƒwt�—œû,a—ž�eú:o¤Õ”]aXS¹/Yv¶N£oúƒMU�G9–П9XoìÌ‹eóš_•·pI^Ç|B/ôÏpüÊ[®ÒnvÈp×6Ó¼îZ™ ?¼ð`Í‘‹…U¾£
-SUŽDŸ˜ƒpjU=y(Ž~{×R'¶7UÔG.!ÜÃe®ÉA+ðÔ±·v0H­7)m(pÍ~û%ƶ*¥â9êÊ<¢¨›]`Òël=�šV¾�ê5³ÝF2…2ÀG›±‘ƺ�»8Öñ‡%…x‚©ÙŒx&rq],`Ïcj!¬¢L›‰‚ꌻx
-—”tšJ°7ͼû	›¹yéÐjA0/Á ³	bHgnÁ�¯'Š€•é?d+lDVmË$;6†º—u™ 9>üAZØÁíšw`MíÙÝF:d”ç‚y³ñ\fË_3e4S
-CÔ„0XWÄQ(8@XKp9ätñHkaìÙ¶[öƒ!×�¿oT_N1;aµ<2WN¤øùÕBãAqÉBa@PNYocYÍ\Dç™ô’žÓ	…¸ßëö¡^uCGd¹êU¡RÌè>áëLúƒ¡¾\‹û¦_[³$$�ËÓ#¿%,8Kú—ËÀ
—ºé?ðZ;RÝèŒT@¾ïÝ­;s|ûÃìÓöYÊ[(T©ž™PLýMJÚ§âÐ×:®C:”P¥qg$)¦)šp4kÖÀ§B´#�¶á×çûsVÁ²!ÁÓ÷ú9ÅÂ|5/
…}Ù¸W�6:mº“Q7Œ£{PØUA%fBë*N`s´B1ÒMO‡b
-„v‡‡²˜¯ñ!�
+^×ÞJ{u¢õˆ8Æðl™GÓÉ`S‡„d9ªsiã¼™wnÌäz3ÉÞ}­ì#$ؘŸáÇ´.E‘Û<œÞ]oÀ×}¶Àå�d“‰CÌ®™§jÈ{ò3¯�÷bƱÒÂ$·+6ó(¸ÍÝ%3^E‹Y\~Òˆv/;˜˜ßï–ª%—â�Ž.’
-\1$xo«ñ—«zÂH•`öè€üFt©økbL"eŒ"Y�²ÚcQ½9O£ÎÂ&&¥-
É3íØ9ýz^–‘¥Áh†�~‘Ó_ˆ	xÃOZr@‰Uâ #1Ôq90½�dò«§”-˜=H\2†PÅ^äÝ9jÿšY ŒÞȃ°Dêp4?¢ð¢F
y™;:�š¿‰þÏ]Y›vÎ
ý12ÿX߶ï Z˜F‘ê+¨�Á+ª
’³HÌ•éq·¥óþê— S¶^5nJ,ŸÐ=ØâÄàѯÁVdÙÑ‚ýWÁ^‡„5ÐÓJ�<;POSgkÍÅ=Û‚Çj^i
-`‚Õ´¶È·ŽÈ:ã‹
'ê#&nnv
¿qÿt”êÄæ‰
-ÝKž*gÍ)âM3íålÉ+VÂRa°xÚ·^Ôp«=„j°®¡�HQÑ:8CiZ[
-J(˜LÝ
-ÐýÛ¹\g|Æ\ѤÇ/1—«ÂzwîP|MF¦‘ƒBXOèÈ�ªUŸâD b³N
-ªõ'M˜CkC
Ú„àŒìŽŸÊsÚb‹t&oYy•G%œ+šÏs/'KS8°È¿œf‰�_­³(V›tŒðI'ìÚ
-]RÎîà]­ÄÖÔ6h	Rû·@3¹9¦–P.áYä’v7êÀ!çbkú26«&¶Ýs8ðd·XåëGⲶ Í
-tþZè
-,,SÄ³®Û·Q–Ú‡Ý6%€¹·„SCTÛæ0nǽ]r	U¸¥Îô ÿ×7u)“q›&Kñáè×D\Oì!Hç‚íÄV¼²�¢8‡èä¨ÐM¿Ê-ú o<öž¿þ†îܬ²;¼½
:èå9ô“6s:Þ$ùÛõ}ü9ß[™ÎáÕU=u[h†J ¯ã®`/Ô Å-!¼:G%…R¾"¯�Éç›Ø…¿{føšÃw²rT(Ú<e?
-ÅŒ ò}¸‰2íFz�¡;f$Mµ÷KvQJ~4
-ug°{ŠÌ™‘ùjǼ­Q>ýR	Cþ 2U9BS×û¨þøDáɈ‚œmhºßa¾Eí¬ÇCøw[fÝQ¬ê_1ð¶
-㧣<¡žH4Ðé;7F9y¼Ì§@xcד;çUæõ<+sühUÌ-­F$F=©�
Åòƒ¼»vQº%‡Óò0j1±dÉpQfVëtFçÔq!›5V(ð¹s¼Q—6
-E
WÎ^ÌË#ÅwÂWÊö‰·²mý$ï�ãœ9ž"��ã�abH¶Ë'B÷Ô"žiØ¥±AËݧå—F‡(È-'ˆÏÕ)ŸÔ38ÝH—ð¢9p
Ï«1ç•¥)³Ðûí4�&P"tœ{#§ˆ:’úa@û#¿½ßsÒ¢ñ4:‹â¾%lÊ[PLxUµY¾L‰à'v4ûd)ÿR
-·ãtÛ”I67ˆ-
-ï3º¢\ïLV´m4ó
-2c
-·î:LH,rÍ̘}�”©”ÏmôwqDUp˜¢¦`ï³KÜÂM‘C¸2Ò¨æLëQ{ÐC¬,Ë•ºõtv@þýï$&�|Gh­–yšÔ=•€L�Â×�þ´9QÞìž/ú¾dÊO
-¥$y{o/ºÊ…-â^	³7˜ÞÌu7î×æÕ]ÞÕÛ 7K–
ö
Llœ®èBÉ0ä]F�ç Ã.Ȇ•O‘J®B�$¨QLJ‘
IxÖ-€I¨9
-ý +�î$aÉÚ ¼MÚÄ17œf
-µ…¬÷TýMŒpq�lî^²�²jd»¸m]
-ÑL=&†ØÚ稺Y²?·SjJJ}-ôäÀNT ftŸ
s %–þ²8—NŒ ÷¢—?³¼B¬ý�Ðã&~1$*nGTÌ1÷>¬�œå4>‹
šÁöm¡Jv6õg/Š0¦Î2¤׶j*ž™¥Ißëã¼é¤Tœ´g»ìr¦Âé‡Ô{vÆP>ý$ez.´r™Âòêc>«y.AžXn�7å�s"p.w¥Y¶üÁVc°rÆúÄÇ’QN¸ÿ‹)®D?â1œJŽJúwI×9õ€ž´ò3–\æsNçAS*Ö0a gîêv¦EËÕÔª
-ÃÕ³5šQ^­šõÙZfé©4ûå-IeU“®é	
-šÉ,‹^Ì*hÞÔ�@k
-ÙOâî¯4*ÐHÛŠå«<Ôš>OïY�ò™ì˜„_ó×Kßž6ÒóÕ�¹�“äÁ;áfÐ	ft°‰]vÁsò¾x¯»?N¶1…þªYGtìmÐp¥Ó¾ÉtZƉâ‚^¬·JHëƒÎE[+Í;þ ØÞ_�×�†ás·ÚW¾}Â]Ϫ'ÅOÍÜ“Ë£øЬããêd7
¦‰0Fª�kº‘*äýêLk¬ÔE¦ÜXÚ@Ùà#Œ]ËNÆ›y³?}/Ø­ÚÝö»µšqÁ§‡šMO×ÒNП
-î€þ™X
-â*áz^.\¥„!Á“{d¿ÜÐ#ü
-ïH
--|ò0¡÷F¢$ßñGÊÌká{ËâÈÍL–±¨ÀËäýŒÛª‡k[£·3žÐ îF§¦¹äð”Â-kû4•5}Â;²©%Ÿêm&øɈ`r}‹¼
ÇZöŸN�p±Q†}É |~+±Ú<¶Ð1öŸm*ÌCÃ!̤A©„=í«(OÈnœ¥cã7äG“dÊ}O²º¼óçžê‹T&Ý&ÚpÎZæ2«�æ\Y=9xb•	ž/PʹK¾âµm@0zõI:ì›`ßAhÃðæq¾g{o÷ ÖA;{Õ`ÓY£º\zÒUuxVè3óxðÛ‰¢¢3Ø­Vb&š
m¦G3I §¶„¤Ý1�Ž`°Êã>(•X‡¡=xô´¸®N×›ì€èLb”ˆC‚yÆ­G‡^
B[5zÜa¨(Ï:R7ÑÎœHü­b^ÏV.»(…âKY×÷¤M¨¬y0rôYÅOxÞœ“Ü‹Z¾ƒ4X�ÝáJ[K/pêٱ傥‰žeÐh˜8ÎS×R]öVa’ƃ|Qh Ú¡ÿî>†2v£O8xÍÕ�HØ媚:_øÓ秜ØGÞ8hùõáyQyáíšßål0ÌÃxñ¶ât× ½<•W°Fôä‰Yä)«Ë’%¦H¯Ø�Ñä冰<–ý&Í—.!l/C2CÉ›ÿÃ’i�WMvM´a¯à¢¨ ºÛåòÏ’«€G¯M+ëèr(“
-÷z¦iB‡®”wufX]¹©ô£~n¼N-ã1JtIà³7–›fãm~|GË×è§õE’N¥h­ÿÁ†‘ÿÜÖ1„ÖZE”BôÎ&ÕaÁðÃ_ç€Õ¶�ÇÍX¤kÅǠĀ%_, Å¥oCÝÃu´
-ù¹ñmá>¬$=Þp™i—à
-èÝŽòN½‡©*;€5'®­¾¯l�š²^~ÍPó­œ1ý®Ëôƒ¹q[½	zÊhwäºÂ�êáG:É:JÌ7�ƒ…?Ý�Ù¢|�³D2˹})ÔÍ4槄ªF?Îa
â[×’©©eÛKúyÛÜÞX]Ÿp�w’“?…Z$­ŠîÛÀÖ¬^ù¶ßu›¾3ˆ|
ÚãUi`�TîjRÑÜšZ�kôúŠW4*™º´Rþ.å
-HÇ’#Ñ6aG
HÄÖËvx�@³öÀþ­ÑȪ/áïba·DI)Rán®1.ŒxÏS[
¾¼m(ß�¹I$á(Á!Ý{æið¤ÆÙßuuòûk?–ÿ”_;Â2u9ifï›ïéÞ.WË,ß¼I•r
-·Kæ1š3rÇÖC´žBhŒ/ 7�¬-éËíâD™Ø¤Â½3ÇÚô89 ÝÁÁei?ääï‡à�)gLÄÐ'ЗDvf¥#|8Ì{êc!¡"M?Æ"Wfßîé5D¤EÕ,˲üŠËÜzät*VõÔ„òp	¥ö7Ñý
-º¶ÏŽmná›Á¹àŒ¹ŠF0„éY)Åšá«P�ñ‹6œ0`z)ú…Ý«Èg\¬<ÐãF�DQIòl¡_¨(¹XÀÄ.Ìšú¥ÎÛÏÕèU—æâïJ[�èhÜîè{”iÐÍî6®"#çÝcî]©%¡î!û1Bá¿^î:ê'\>•«wz¿Škb0	ç®OøñÍ!¬ªc!@¢ìp((‘åÏPCæàü�ùËóZü;(º›´Ÿ…pSõ‰Ô:®‚tÝîó7å²¥_!ÅZm¸Šý¶¬Î´ Eý¶5|JZ®DÊC|63^âaµ'ÐϺ)ÞÉßBÕ]¯žZ$•OAž¥€¥·qàvlàê±xh¯ØŒ¾Æ\O@Á\àqc–	$úfX›ŒMÿºÝâ	Ï—_~ÿ¥Œ;Ñþ™MN¶í/–ÌlŽöŒó bDTh‰·K,¹#To-—Ô‡ç·ÚÐÃ>¼—‡rùˆÏР$&ú"„Q.4éÎÿÖ¿v¡
	QXʽ֟ÿžÍÆZ¦|Ï?õ•òL›ï!u¶øZ†w^ v�OT˜ÿáKKîŠj*ìKía·iØÖ+TnÚ˜.PÑoÐV-š°ܶæ.Uä:MP 6J·-hé|î›õJãH”jh·UÜáU4|‡†ÍÈlŠ×=F|•Ž¸R�õË’ŒTL<“À>ó‡Hk;ÐØú!×½‹~%g E´·P”�Úíf×$Aœ¦‘Gþ°u†Wý‡czfb
WÔÅX�Ú´Ö\ü	|+B›·ñS€­)è7RD¬ós:?y‚Ã-r]þ
½^ó�nv-Ï]/žVcà·~6•ažBÖeÃH¸ïòYr£ìË$³°^(„*Œ©cÈ=¶1®waÖn÷>¿ÈžQSÌ«¯UßÍ ™?œ
-Ó2±_,¬0?$éýœEAíÓ!yyÊ$ð¦Ïœ6{‹1‹'®[+\Á‰�3‡ŽŒóàyp)
BèÐãk3¼Ý(ì08á^,Ánœÿÿ‘^‰{zË0
-PпÜ ¼ST 
-þè»ÜÔÕòø9¾ŸØþžÅe´8kô;_¿÷‰³RªLϳ÷7÷rÏ’XÈàð�ÆZ
-ªjDÒG�@œ=ù¢0Vþ23qð8@R‚¢Sx†€ÀˆQšk>Ö˜IÛ»åÆnÕ@ Šœ+7ƒ¥	#xA&
-V°î2»“u=œÕÏ"¨¡
¥}ŨRpÔG0Ò|Ëÿ°Á÷v¯×ã#Ði¹j3ÍTâè(3Z÷†]ö‰6$áHý.ù2rä"Šñ.Q}Œ[ô(~áa¼ô|·g7LÜëèi	GÕzBƒ¤�ìò°ôÉy,<ri5¢Ó<øQ°–"ß@X1páJ9¥œÜ{5ÖXOù!Òâ™DŒŸ-ƒÞÒ{ßî|¥Þ‹|õÈ”…;°ßUÃFrEþ÷÷>£–¢€%ÝÞû.îcäG�3*Ùºr¢ê.ûÝS²Z°¶¯Üi𥰛‰àò"ë8׊Ê[¬oœæiªÈtB!N²Ma3_#”Ö‘3?z25Q«û%Tb÷‹ºðƒS‰\	”Ë`�DðÌø¹Õ"†Ò»K$šù‘ W»P-$Ô"taâ5í.§œi�"2a îÎEg|鞢³‹O-,Œ'²Æ¤ùp|’Ì”‹Ò7rž´­‘€µ‘‹Üä!ðvƒŸÖß0ÕBöy\åqýXkÊ€XƒÆ;my»”(~aŸ›{á|±ob’ØÏÖ­Ùxœ=†¤…` Ö罦(h
ö˜85]‰„C¬…ù×UÎu×ÞÃ4
- ?0
-tâï¯tãq·˜þ?pÿ?Áÿ'LlÌŒœ\ìm�œ¬áþô_ªendstream
-endobj
-634 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1344 0 R
-/FirstChar 40
-/LastChar 90
-/Widths 1352 0 R
-/BaseFont /UIDBFP+URWPalladioL-Roma-Slant_167
-/FontDescriptor 632 0 R
->> endobj
-632 0 obj <<
-/Ascent 715
-/CapHeight 680
-/Descent -282
-/FontName /UIDBFP+URWPalladioL-Roma-Slant_167
-/ItalicAngle -9
-/StemV 84
-/XHeight 469
-/FontBBox [-166 -283 1021 943]
-/Flags 4
-/CharSet (/parenleft/parenright/period/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
-/FontFile 633 0 R
+/CharSet (/quotedbl/numbersign/parenleft/parenright/plus/hyphen/period/colon/B/C/D/F/N/O/R/T/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
+/FontFile 956 0 R
 >> endobj
-1352 0 obj
-[333 333 0 0 0 0 250 0 0 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
+1922 0 obj
+[600 600 0 0 0 0 600 600 0 600 0 600 600 0 0 0 0 0 0 0 0 0 0 0 600 0 0 0 0 0 0 0 600 600 600 0 600 0 0 0 0 0 0 0 600 600 0 0 600 0 600 0 0 0 0 0 0 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
-626 0 obj <<
+879 0 obj <<
 /Length1 1606
-/Length2 15226
+/Length2 16237
 /Length3 532
-/Length 16089     
-/Filter /FlateDecode
->>
-stream
-xÚí·ePeݲ%
-…»;ww(ܽpw6°qwwwww/ (ܽpw—ÂÝáÕwNß¾÷õ¯îûëÅ[+bÍÌœ#GæÈ9#ÉwaS;c „�­3#3/@
dcìâ$og+Ç bgm
-øk䀣 u9ƒìlÅŒœ�¼
-’
-tüWƒ¨ÿ™š¿$ŒLíl­=
-F6àßàï
c�üsÇü¿b�l@Öÿ›èÿ¨
ü7Ãÿˆ´³Ñß6Ûšÿ•‚™‘ùßF�“Èhúälb
03²þÛ£ÙÕlM�ŽÖ [à_-ÿÕF
-ñ½¿Ý¡$ý6;›˜ ½S‘F�‡‡9Lq®÷#7ùºÞAæOy�«Æk™¬0\™òã�)àÚŠ¯Põýè_°ÏÈ𸯪+WX½À4�qW%¸3A	pÇ‚yçNјŠhÙFƒ´¼òàH«Qûv¡;±0p•]ßt’~xd,Š‹÷xÂÍ6m$ˆ¤bŽè›a»èýa–Qº ÅZCE{˜Í¸V>$zytg�C¿ Ëûž~^üZ΢ë—'¿4vÌ¢€œQ(߈¼ÚóE$9�>RÛòvJr—Ž!V•�Qê-¦ 
ç]kˆ«#L¹)N[
-Y'L
-Ml%£:Tid„‡
-†{z¼*†ÆO0R�Õ[|+uØ<»×xB–)ûµjÃñáÛTK!ëßP.GJ¦
šïHídÏ·Âó‡8�ÍÈÝÑìᣮ¨¹)K�Ô«£"	[ßáØÓz'f?r÷g‡ÏÁ­õûd„» Ë}áY‘
’¡žRÞÃþÛÈžiuMÛqÁÞÚÖ:ÏÝu)âì¾
-´mg!™Õ[º±dúrTýÛ·
àÑï;¾Sh4+mpæN#{•x9)Âv]²O_ÊÚ"¸g)ˬÀ	ó6ÌúäT¤q6`Ü,ÎÄÊ“Ê.ÆmRúuZ}
-u¯Ôeø9‰ùXg©v«½~ô¤™ÎbfÓ@ËZ€'púÎfjûµ+4Šð9µ?çyG Åš2Ã>öá¡èÓÍõ‹æ©íq½j]F4ÊQc	&ÚWÊ¥Œ!¤)Ô¡W;êíˆkúë¥|ÂO!xËl|Ê/"Ë ¥Y8Þg™t‹}1ü¸ê²áüs,écbDŠ‚<ÕÔ&0S™2(Ãmz\�Ì#wÔJ$G”ûsuQ#�JöõÖ1Œsoæˆ 	•X1K÷·XøZ°˜©T†fzUàÝô¤˜:%)=ÿ¢NýÌýßáB0$awϬ&8Ž÷SMÕ@: ÿ��÷6²±‰ðJe Êq»‘€¿Cø# /ÒT
ÚÁû­B2cQ˜ãSŸ_1IãÛóù´P$O´›ä…™±<œBn�|\©žêŒ.ymõ¶9ŠLrd¤¼]‰mæâ¥ËNÛ” CSÿ
-Ôw(ˆ)¸ôèg¾ÜFþRM–”T–VRƒú¡âÕ€9«\æÁ	r˜.°ׄZÎAÆØRöuaÓ^z¾A}É €1X•¢Ä<”BÅ2Ý)×B
öÔÚó–7L}ƒ.DMZÖËçÒÌ¡sìÕzÇ<ï§PÙpK`Û¶—
-d„½-˜vNªÊ:&¬.U~ø
-S–2¶ò¦,|Uº•¹åÿŒ ²]d§ûHÛ±^'Óàrê¥�Ñ'Wží¼IëÛË­lž�œ‹¯‡ýôÊ0àU\|¬¹.wÑ`7ÐÛå/—êâY쵚ûU¿ð½@'�Ã\Û#ÿ¨tÓ"¥ÍSûã†ÖÑÖ
9X³*¶?"�D'Ö	ótÉ‘mtå
-6¾íè†

i#¦‡¨#d]™P8-ÆŒt8�ñOÑÇ,«ñæ¿V´Dze<
xzÄz
-ÉËh¶*”zT©
:ê%Ë×úì±m,0¼Z©“`Šì£ç!(ÐÖ2Y
-<«<Æ;ƒÎdä”4éPйë×¥ß"á§KHe
-¬Ÿþðåg¿ÐžT1‚ŒÙ{§ë³÷<¥·qÒVÍïl—ÎЕÑi„¦¨DäÒ)ìW¾V “{©¬1›
-�ºs„ŒÍDÔTQóÖÉ_+y’‡2„æSu•P¾1YÙÑ"®—tI+Œ,r]
 ¤'Ü~ÙŠÃüó²-e–´cOKs�wfÞé¬y�òÒƒâÌ’.ËLÿµ_·_Ú•bȼ±ÞõŒCⶓСš¬©%˜î­vNBÄ3Àu®*ó^Ú£e3ÐWE>qßiSgb`ÑÞXpœõ
ú~0èu†£ÆBß^ ¨íHßÿó1p}PŠÇ
-ÿ¡QÁ{þ­
-Pä±\7Š‡òÝÐBÞz¾–ܶ<
-hÞãBÚ'¡ê{üŸ[gq«JNi9ª	J¡ö–”ÍÎBÚ&eš"¡„™G
-0ũ㻢×J�ïØÄæv
-®t·Té„Ã}5§¯kŸ1öÖ¥¼?Pe;ö•Pö‘rû0ï}Bϼ˜\ˆÉ6ù·ÒšÏ¹äçM�I9!Èèm)L(ãÌSŠ›öž™{ÔˆV"X¡…-’?.ESö®žªAÝP! j#HA±}…KXžÌÕ§Ð�ÉMŠ[¤ã('©m»Ÿ>¾+­›™Q…ºCTmr9ðn«!dØ}û\>KdÚžïËeš»ùØã‚�„À¹b¼ôd *Ç£GhU×¹
->3;J¦@ÝÀ¯ÓrZþ@)%È€Êz¤a¨ädèji|µ€)	eãCÊuÙ.ƒæqô~l»JöUþŽžØóáxf‘n#©[6ú<—¼FL¨Õ�‚¢p¦áâþòþttÁo¬‚¡:ks_V]º¨ž�*Yº‚ÖS,"ƒTæ{à':¨²Ãêﳓ+xòä½o�»äß(!\Z,ÓræÁÚÉŸ ðµµV$n�« BA†lmº'U'ž½R›~nØõãç":E›çÎy?ž‡
?CÑ<,ê‹DÜ(8Óv}å~õìòÙ¼ŸêGF¾nƒU
„­]¢6¼óÈ¡@¦]¹:@¾"¹&~žûÔëâÈm!Êê½–B¿™—´¢´
-]éû.@U¥”¹7n0B¹TñÖ€•Ü’ü=²Øü;ApÊ|,êº�JCåD…rÿ}œ_PHqÆ»LO…
NEt"†‚©Û�AѲ‚÷&¾½&WáõÔ7j§qÝÄ´Öoºêe--Cª±G.y–æQ12Ò7C�}Ϥ$)S¢›#qò8R|ﬗT%’„`Ô‡>{|ÓÑ(~‰M€ì¡öÔõ|µ÷•Ý RÙŸ¿°xðÆÜï$xÂ1
ùê”
"B/J#_“�ÕK`ô!™"WX¥ž]
58�áqA8Rkªk7bfRCèç`…�oŽRÈeé'¶‚©&#É;°õCd€nzc¦}ϛ«ó~×€�#\K"™qø$â~FÛŽ›–‰K¹Zð®=¿Í<ÍšQƒT¼hçî�uÈÞ	Œ&©ò§=&—àÈjóAŸVËpý~‹wåhß\">ÿĺrÁI�~¹8îÖ²Øeçmב[~_‡Õ)Úùá!¼Gâƪ̣}^jèÍe�ìGHj{FƒÏDI‰áž>�ç;Ž;
:«^/lü²ÏÜ!*‚v5Bw®vªz‚/{¿É!Ä)Ý_Ò½,0‡Ä83ËqPA¨ÏÀB¤¬PA$�.Z„^™ùà À_q\E¯§nT©E|i¢jHm¯©
-mO´ø$ZEZ»ß÷êSùâþqÆtd±ã±ïäœ1·+}�py�Éi"�¾!¼ÈÓ‹ÞBêI†¾y¨‹5Á·n¤l¬	î¹2íib’-þa/mBrZJ¨g
“mˆêia1éØæŽÌQt¡ÓÆ˃¨
-¢j)ü™pÒŠb÷
"…í¬LÅí^²0�Ôô{k>—
¹§‚�ˆà�êÒ|%
ýˆëã_d;lEO㷳ߗœ×Rfå
-ZcÁ²Z!å5Zn;£°¤Êîž4Üb
-“â7+:¿ßå²p€‘ßTbºLJzù:˜cÇZ�ŸQyØCV`ÔÖ .ý\ø£é¬—Ò8~û§vYg“ÕŒ1…·ÁÅz
ýãÚWÕºÌÚùYÞ‘G½	µq€¥Žh”G	;èXîÙ7š%�›ŠK–YtÙ÷¿q;Â*ò¾¤ÈfRʽC@Óz†¾>ÑRKíóðdêZ+�%{<V6KiH|žz:]6•Æåý̧(j›ÀM¾dxÅ]©äh1=[SîKØ{²Y¿×Û3
fãï[4HâÀfppï}:´$ŠÖ‘1
`â;Ø8§QŽ�Vê’ÝýIX† ò«ˆ¤üYL^R3‚ŸW:o»é9¾5¾æÃÿÉ#¡ÊSºyØànJ¾w|fjvä|ðý®PRñgž‡�°¼äÃ!Šì1¬è¹Ø”9qζ3™u°œº­ª¥?™l*¼~þ²[q)7Š–%ñ,L�­2Û#Šôï[IÒÖÆÂJÏ®B*öç¥6ÙâµÅÀìÝŸ#zç*ûlãoô«âWýr)¿/©Ê»êrBIö…Úäé]›Ê®ß@¾	sL
.ƒ6ß!•}º‹É÷E‹šÏrW¹ý	¿ô¦®�V*sŠâʨîø»iaŽv|Ýj0=Ø$Q>SÚ¯‘n¾€ûà3µ¨¯¹|Ï‚·#ø2òJ_×Kà?ew5²ò�!msZYÝþ³Ûš6·—O,o|iVð”@DOXå¡g�g'\ÔQUáÏ‹wƒ§ tÔи7uû]J8IÓ~«]Õgb+©�‚±ë­õúZ÷0©Ýæ�öœÉgp£è½»Í¾÷QöÅÒ+*A¶3M{#ˆ2¡éŸ‹\®þK§Œæx'wÅw�÷q‡Ø™³G›Is%ößÕlÕ×ÙYó$;ƒ"d™ˆÞ›3™×Vc:DŸ!H™ØºASöò;ªÄ‚3:¬§µˆ6· ¿+><Æögn% ãïcªK�Z¬	ýÒEÓý°¡©
-oöw¡‰�Ç÷ �LN(Ú–�Ç•ë|¦ÙV0f†BckÔ/ÖözåÄò�«ÎMüPC‘&§¤sâQOŸîì?`øá
-u€2DZT‡ÿan<øF¢àƒKï�¼ƒÒÞxpÂä_µB…•’Ä5$(Z£½X÷˜,Çn=F„I1°�Sk€/ô¿Ñû’-Ú%6©`Û/XwܸýŒPä°X{�]‹{ÁõIê=/uµJLÒ	"nÏÖ9 
-ÊnQu}±”ÇËÂo¾ÀxÂO¦ßi“Ÿž„Z”ž¬ù�áXßâjøLƒMw®ÝÉ¡þ‰à0߉òÐaàð1͈o®ŒKÔ2û%걓ºîöC·wÕ‹Þ«WI±á‰šæN&`­†[Ë~©à}ã‘ë!–{«-ƒÐKÜQ>µÓ™ÚHh[“+ÊäŠw˜Œ~š‘o;UK䊋íó¢/¯sö6†>ûþøM7f“wcåwÛƒS^‡ãIÔˆ·œ­‘‘O¡�"è£á²
N´(*–ñYaZÿnŽš
-/†¿
-¯)$QF!ËêbVqâ!Š–i× ÛÔáZ4�z³2„«#�µùjÆa0Ž¢”½¦wÝ̳
Mx¹c"ve·yäÒ0Ëdao†
˜’|¨äÊÎ	|ýªm¯;°”`È$ùúgH÷ôT¼‰K6lºæð°1I§Áü<Mø—Ùî¹A�‘†*›Ý´ß4èN]ÐL:òs@ˆv.BBÓØ
~�©ç0ϽxØȸŒ�§´zŸÌ¹1lðhSe@¦¹Kz˜$Aˆ�"ÆÀô¢A $Õs‚ݸHªêmªœÒòûÜ™\ð€Èª&¿o¢újt§ã;»ô°Š lñëÒñLÅ–ÞÎÙÆòÛÞ¢bòê�/Èá‡@°‹Ôp;C¹@˜T¯+,OëBš—U
Òæ7v¾µŽó"zÌžƒu¸WÖŠŽ®‰Úƒ6äfôT!m¹dÒ«?¢-gÊsŒÅ¿î•n!yªWƒ¨¡õ…*‚�´Û˜d®Ë’Àî¤a‘ð7Àãk¦·nÖdsÈãMU„¼Ž8ðA;²Ÿ�‡–œGC¹éâ¿q…”½ïyB�–þ�|;kßá4\àç¹òNJes
æ¶3ìãdœx1y¼\�ø<µè¦>°¯Ì�~δ¨ñ¬
&d‰tñ‚Üè>øŒº§ðTÍ”­µq¥|rüꆸ´åxùòr¿j�ÖÑy„æOä¬-d�‘Òä[ºz@z6>"Ò(K)+è¸Ê]‚éÉëß-Z¿¹ùÁßP£«•O?.
Ÿ7©`ñ§„nºn´ˆ©AÅ
-®K·¶M“‹PÐ-øeó�ù(,•ÐqšW×,׃ññ£™”¦£W…á觇²H•ª£ën“¼ºUÕq/ßíÇ%–Þqÿ	J†tù›á8îe	�p©�SíÊw¥N¶oéÑ!í3ày
<Áév…‡~ñ¦g‰ûÓGÃPûÅ•'ëyçÅÙö°ê"б2¦<N[—ŸeD·^¸Ï×C2'!ðœþ…`—åæõ¤Ó.Çiæ’,Ýã�I�~d¿z`4¤‚+õë5e>¯ge&ü¿ˆh8#u­÷$å†7 ~g¤ Ì�Ój7#)¸"ãbø=�ËÈÓF7mõÏx|)Ê¦R+ËY'¢Æ‹f¯
-é0;
êÈÞšGû)¼ÕÝÛ•qòG­‚}¢v7~ýUÌØ{/ª//¶£@¢’BxP
?×㺽v/Ò"¢³�¬É–²7~õ¥-°ú¾Yâb²4GáY±Þ\ÛêùÑò:u|?í¥LTj/Ïäœän”…xÞN[³Ö´Yg$<o8ó!¯S庅{–¸¾£“7Bb¤ÖRƒû�°)©5Õ‘
5e'îäuõÄ]ºv&cÀ…oÊÄ8büR š?òré
-GZläÞ¢Åë6}oÛ,“Nxúœ½™§~ãIf7Ù,’y®�KuT§Ä�‹óˆÞˆ:‘¼	'³é~”*=Ï¥aæ½L
šá(ˆ#}�AÀ·�åÖ•INø™Õqy»±ýQÐBþtSè³í¸Ç
-Oùl_t>»ˆ„Q@·z×À!»Qqf¢Y �Îë"Ìãì]/©¦pš¶¢þz¨´ «E¹f‘SÑ”,Y¸!µx·?q¼ÀRœh·×ÚâOÐ`8 Ž÷PÚÑ¡lŽ~ñ¢ª ”HÓVß�Qk6˜qØ `?'7Àw1²£;Äk§ÕùI…²­™e£
-ÁÊ�ýŠ{Eoa’¥VÖôJŠD¢VØ+çòêqgkSÃúæœÖJ!¾íѹ‚§š@.¯¡?4�÷k¯Æp�HmÉKHÆ`ÅÀgç»C~\þëÔƱ
�)m®ðrô©:ã.ÓŒ±þ(pôs°¶†Yi†u1`kîxÍræN6Ór§‘Ó¾‡‡8êaì%ª?áXhu*‹e²ö×VÒôbÝMcÚí.ä	Ü
SߟýŠw×ë±AV‚,“gBsEû&·9Ó3÷–òÎöÀ¥[Œ»ÆT*UD-.ô€]¨ô€–'OWsá€TO›¦õ`¡Š»Ù†ÖáÂuþ¾ñFl	©>ØNRȘa»CSÔ—Ÿ¶†Ë�ÆÁdõÜBx½oÌ«�·†)Ô›.hþ¬ng¬ûÛöVhNÁ4ýÔ¦zçŒi=÷·ZÁ¸ö‰ÝbáÂóû=™‰¡-�í§ç)Cm=Úy«ôÇÅ“SwCðï—9C$~™¤9Ï…Û‡_ÚóWs¸	ù0.n' ’8_Jù�ïMæ­üÝRÄbI’OîÚë;Ãwh¯“J¬J´Š^kû³ÅJŽm™ªó‘'i‹lÛüŠßGÀCÿçù#K‰}¢orL-–cƒ9MºNöÊ^âæYj—aíLY&.þˆf$Qžþjõ0Cñɇ\›€®ì³¼kÔ42uR0Ó…µöµ©k)¶¡)–—Í …
‚‚Tuº—Æ6°�…5ÚÅ(˳«mÀšÇÊõ™¶Ôî^H™¯Ì¯ò,µêiÝò�¸:
-SþÅ•ù°�?UÆh´ÛÆ~‹Ü­³µ´��FŽ̽¨
÷`2�±Í¾ø_ÑÛ¥¥†%º%B\aáPbs�–�’´¯xÛŠÍ�Pßí"2¸'�\sïa øçÑõØ�ê
-ùôÀ®ß`&„jsJ·Ý�qüÚy»©N¨ªÊ‚a
'±ð¾•ìýʤhö\êøÔ<{,üág`™ÁZ±Mãêà7G¤¢œ‚ñ¹ÍÃ5¼tÈŠµΔࢼ'}ÍÈž›¹cU{œœ”ñ’£��Ñ8þ» *\þ:X)8ìÆäG4k·D«S ½</psð8M´vÊ#'®È?Ý(æDœ&jž]RBqf„I+=µ×õ;˜AüÂÛ©4€…Ï3‘«)Ã`&ùÄ.3Sª[‘¾vÒE&Q†üÕ¤Â3$H˜3ÈX)Òö
-Ûfãu¡ÀÐZK�Ï¢�ÊôG„�“ ?î]¢ozNS¥•oNüÖA797mÄÚ¥âFËë
-!üÂlŠÏY™Vß‚-#õÛ"�òæ)ê§4|÷4û•¦Ç\£Ù.,u˜XÞçAO¯é8h‘$?³DUŽ$ÐN—ýÀôZO�¾h¹)8’]íPlÒó!ÌÖ¦¾óí3„@ÍÿBkj�û"qJº„‡›áûÛ>Ä£c¤ùÄþâ<NI×–áä‚b…&y�K`à3r€ ‹¶ôfæX:„
¡'*?§ºnQ~ÓRÙüÌ¢÷­¿Ãs¦yÞ$Â9{¶Å*+'QÅö*§H(ð›xrPßÞÐFñ`$•†ÔXóþÈÖxÊ	¥ô*$ƒn%Õu{¸‡£Û"Ýft
/æ.;FÑ÷·ßà9èf¤û�*
Žn5ˆò§\S¨ƒÆ+’Iñ$ÉÆ­ãЩ$ÐÈ~f›hD"°[Ir·»FªÁ�>ÂnÆmp¥Z[ÆóžC|ø{}Í°†¡P®��¦é§
-@á–ŸŽšó‘ŸqJB¬Í×H¬íÅ]¦mš_-Áµd‰[…©ÝG}kÂ'†¹ZñEïJ/2Ž¿I¢Û¼Œ;ÀJ?ЗXÒ²se¥[ñԆص–3—ñ>(ìí,�¡’Ó7¿­o­Øc›ŒÆrOã·¨Ó½¹`­Ò^�¼>¼aˆË;hŒ¹ÿÙÿå`@HZa½¥×¶9‘àÕâ¡[Ü·Å’Øß©UøgéQuz`@ÝD�7… 6˜^³&s %qß�Õ±%zs‹É«I)Œ—þ[~x4ir:
�ÿ•Ä5¿‡¼c@'�dPí¼+Ê-ußvxØ
€F
-‹˜>cîÕ‡¬òš¢úcÓÕVAcB8‰à–à3†(�¿Ÿ->2$§‰#ϲf~µÉOR¢}Ì^Ô*ëT¦9Ï^°Q¦òÌ0Ò@§…×õ™Û¡f}O†kÞ�Ü9ìFÄ«òwÛÍbµËØq„ÂL™§ÇÙ宕NÔuKJL:˜Ü
õÚšöÀÎß
-�--˜TÎÁ?åשּׁ~Ig.äs#IR³1Þdà0säÐl„ë¤)wÜ�ÔC‚5ZêD¡˜A|aK]¾öQŒ)ŠÑ�ßÛ¥fÜ-6wâœÌn¿Ô‘ëZ¬×ñÂe²€KQÊÉ!qäl†ä Ã;¼Â`¯ˆ«Ýjƒ"àFd’(�ñ¹%Ð¥åŸ¤­:ìKÐÙÖ�»ûúj?ã0GLÝå/—�‡ÕsÉmtèŠ7@F.°vš\õ`òƒ_¨à@�ó+ß­'9/þ´îQöñ;*œî~¿ˆ\Ý‚°¥ù
"@Ãw¥>
-�«ñh²°�þ;f&õÏýtYPXÉ(ÄÑ—îÿ*ìRâ͋MI.riAÛ�³eBapX,&L˜”FÄqOÕi/zÌ-JîÙŽX!|½ôÔ{/¥Êl“”2êL¦›$ôéy¶r×òètA3È׸„–MT•˹#“Ÿ_«ê±C˜Ä%3(ØBN®fMݱd[ï0i®§�¬Þe˜nùÃ,2†•�³>Q~Eó“l¤Ñ‡d�¥K
-È	¿X¤ô��	á€S¥M†kh_v.ÊZ°X�Y–×~dŠZ£þq z3„=pÔÍ*SÈá£�.rYÎ8xz¡ªm:è«íƒÂfkl®õ3V°yÇݪ"|pA´q+K¯ìñÄ5ÄÆòX”ñ3³S“K¸8”Xgúy6VœOÉÒÀn‹|@aµ»§Õÿþ\1-óò$jô½·Yâ6I�ÞåQˆÿ¨Û.†î†!ÿ"	Žíë½#kÒŸ@nüšÂ.MV5âÒžpɾT	“L$*jsK�€kU3P"¢÷ÇÇ‚“\e,Ѷ™ßUeÅATIˆ
¼Š#DRÏãþfž‡ïDŒ4ùä;¬«"_u´©+E¸8å´•È.
a«MçeÉ™¸m»ÝbîBß_S¨�—,ò5žL(Áœ½¼«lè„OÞÐë³,­ÜV"éˆeÛæÅ—¶‡~,¡¸ŸÆü€¾µ¦gq8¿¯Z‹—Å}á/Å'laÿ†SÙq³t‡º¶^H·âœNwÌútaES<hpFEž u‹F,p?º°8*ü²z"¼ñ…>«¬¾lfœêð~,¯±Ni`—…Ï�gCž@2|§ãÓ>ú6.ûW˜ï>µ½Ø“M¿+Ÿ
$g;µÆñGïÞ—Æ
øE×®Ú§qkERãÒÆc{…ŽZ²ÊZd;_Pº·t‡Èû/QOûIàÏg»�–�%E:)‰7‰‹zz÷Ÿt¸ZúŠ
-É9û×ÖN¨Ó©Þ¶Gn‚‰å”÷,Œó¹ñ:Ÿ5Å=©x¹=Z©¥…»Qò‚Gc]qŒð_¿³�—«º'í(åDZþ´î€J®­‚Iç'«_ßÂ:ŸÇHjDõlÝå„,©qØ`G¾¬†\È@éø¦‚œ—éܪðX¢ÈQ<Ñi8ºÄ|#ñ°Åò­õ›O(m£mŸ8½7¸r¯já—"Tày¨
Zì|AúßPqéí
[ÈÃù3Vìlî¾
™
VÉlb¼¤.ÛžF
ûoŸJ�¶ô
+/Length 17113     
+/Filter /FlateDecode
+>>
+stream
+xÚ¬¶ct§_Ó%œ¤cÛøŶmÛ¶mÛ¶�Ží¤£N:¶mÛvòöÿ¾gæ™u¿óiæùp­u�ª:»vÕ®sÖ!%TP¦4±72³·s¡e¤càÈYÚ¹:ËÚÛÉÐ
+ÙÛ˜
+"bÿæébaèòOngË¿n€½ÙßH{c×Jú—ï/Ì_¯‹¡¥�3ÀÅÔÃåŸ\F¦
+IŒ‡1†
+	í:Œ}V
+T§:jâV6ðë>z1ZVª=à
šì™ÓvÓFÑÐ54½ú!§�¶å9A6P0ð®+MG¼bê¢Y‘ßçGa�ƒæ¶ËV­c3çY?â!_¸Ù
þZk
+ÍdÖC÷Á1Ðò“#MH}:²ad†ßêÆ“5½F•çJgbqà&§¾ù4ãèØHûù”ƒyÆ<˜^ÙÎ/ÓnÉçË,³t?P“©†œê!(‡n'¼|HøúøÁ“fQ"Žë3ã²ø½6<‚QÇ?#^vyì„Q!³P¶9aíˆPJM”–Õý´ø5mœ
+�ÄGìÏÌOÍ!ö®p¥æh-	
Ìp	d‘ÕÌê0Å‘N\dǬþsÐòa[” ##ŽW”å$�‘ŒªàãFAžiXã»â�Ï4ÃÂÕüàm÷àÚ(3Ÿ)qŒ_0\¨�pZ
#rûº\ÊF/�¿«·¹Wë08÷nQ±¬,RjU‡"vÈ—7ùB7ôy¯GJfô[ˆì¥/·“ÂC
+†ØŒÌHÜ—�`¢o(8äÉJàÕª££ðèÚ>¡YÒ{§žæ¾òfƒ†/’€môú¤»AËý`˜
+q;w¾æûD"'š0@=÷a#èQÏ÷ç«î³¿k^G6ÊP ó'9TʤŽ!è§ËéסT;éîŠjè¦~C
OÃúHm~Ë.!H!§[8=f÷‹âƒ|ÝtÛ²��È€ú!"L7wðÍV¦Jq˜œT#pÊw„áËàçýÚ@ZRÏÇ&—~¿w
+
bÛŸ=ÆMF"PÆ�‹C×™‰X1±
+AUä]<·õ—™ñÉ*1EQðÎ!A&åÔ@x*aÛ 99¬®
+
8"T¾ «¥Ìˬx"-Ô¦[ð=@%ê⨹µAÇ!øÑ=wàûàÄÔ‹î3ížl4íõ¾s3&ê�š)\l^ÒÌÄšÍQõlëŒoúÞƒ´m9EMé`:Áóñ8ÕÇ7d@8‚f¸Òá`
+ì�Ÿ–
+Z€«¬_Žˆ9¶Nž9l Ú:Î\zäÏYÑ�Ž>}8êÕ:¬ÆJywkPÃíñÖ¸ÛJt�Çlɬº‘;H•"@ë]P•½ƒ¼+æ%0)¨–úKÎ3á¯>KAÍHjú…L’Ÿ[ŸÞKI-?<š	ØQAŸ@éÛ™
+be2d5ÚÜÃ%Ìœ�&Ø9«a7\Ô¦ï†F#Â#ÂìÑò#f¸E庲¨NÈ<ê¤yÈ(¢õ
œjŸZ^á&#Ø
-•¤§q^Ñ+�!d®g¬~3ûužíNO=³“Øý.�E²ª%UâÊ1Ô¬}+lF†�b
~ö°�®–V¥Þ;ç£]£ÕKï o-K�‡_JO«×<G«ºøõªA%ÉÙx¥³ºVšÈÀöáÅoˆ{YæTA”…Áø"ý5TŸnH®om"ˆ–Œ-Ç:Æ#Wj¥G]§îHJ,¨Å14Ü×X2j®éP„
ðÐ0t–›G'3¥PšS/—]†"ÃdC·2|¼ÛC»ú˜8¥ŒêKÂ&ØHHU„.×I²ä’ùZAøý9‘ÍP&FÞù˜•Ü+Œz-«Žèc¬Vd½xP!Öœ-lÌw«5¹6‹yZÄX]½!­_68T�_̧–K*)Ü•\€ þ�gŽï)—°t
�5DBv¿, UÂo·P‡Üô*¢�€\o�z.;~ATyš#^ìs·]ÔUû(\’$D÷¸%ó»LeU™¶†þ�X•ùÈJ£j}kEOž^–d˜°ØÕ¶2"ÿ",£Då“pSì c;ûÏjr[­�Vq?p úB!µ÷픞„�œ{b?eV)”Õç‹Ÿ³âô7Ë÷—*ï„=„ÜBZïH_SHbűõ�“O2æU®‘¿
+ƒ�+”{¾ÊôóóÜ–oã<�j=`Seƒ
+àLÿCîCÒê¸wCŠYøqxþ:Üzø65|Yúö ½uYN²Æp¿ý"SëPy!W8½¤¡ÐWzFµ?¢V¢²ŠËHí’qn1Ux`	º(9žì7¿P…óU@U¦6—z
+xa™ëi†µ'°'cÏæ͆�Ñ’Ãxt }EjR—ᔚöc’ËÎ(ë‡Ñ#ÔI]†kÑ›(‘…,·�:®þ&q{iIÿHR[”ÅO—ÛÒßc,n7!Úhœè”>}yä¥GöÐ
+Â=ŠÚÅ׉_ó/7——1»—¬û¦£K`«¨àrøY±|Gõ`È=ÃÖápDÏŇ`™ Ý’(ÌZ“ Röâ.¨ñ”“¬Ù’ŒZ 	eR:Ž™Ÿñs͉æ„DuaïkÕOSA`«Ñó�uÎÝU'VAŸý^RõÂly�ÄspèÈ^4ô—�Ó$¥?ÝÛõ„$x¼@§å�ËÇÅÛoÔ$Z\—¬O„Z]È\(‚u
+8-y¨u'ö8÷ó\9b€Btï1³‰+/áu?ÌeóBjŸ(³ÂMEAé¬%»…> :þ
+aÍ×#êT/ãÜp·$3x»f'Óc;‚“Zà�Cq‹4:-žørf›B!èè‰<2©ÄP¶¿°wFôŽ.¨S:=<o(vY\×ø]l 6ÃÜX2ÌçJÕºûë:ƒ €˜LôÁ‡×V•GÒËôaq!´ÏU¹"õ‚WÕ§³o®Ç¦ ’êZæf3@¼eŽY{á>ØܹDñF-M0î’s%
+ÑÁQ|®gšnîòøÃ>_adÿæþ©£ñ!Îò¦_ 'Á™Œž$\­	ÌÓÞbHz¹×szrP'ðÌïã];7wÿ]@Ë/c™&ïÑj©ØMËùgº ˆàRŠ*6?á<Q±¿h9“µ›PåÀª;g¼¿W�e�ø§eî¥Åu¸<Å]f†ß½ÒÅ{üÚEG2kI2’‰aªˆûÃ
ׂ^µñ2€Ž¾‚ºeT�R.™ã·”sÉ„5šT“ÃpÏ	ÆJa¦s#
+ª
+ˆ¤ÅúÀÌ^wrËMb�vÖºQv¸”ÀÕM€’û•}«9»\û®­µñ¶hý(t
=�Ð!yØôѼèãL[±I–ºîîfÖ ÷k6«6Ü´‚W·
+ú4.Q¶É;X¸%ÝC³‹£w1¹G[è£ëWc/hl·÷­-Ò
2[Ÿï«+Çë9?èAaOc·t�o1b
+'úrxxÅ¡®bâò¡¶(»�EìæF‘ÚòQ2Ž'™'y•Û%
+]L­÷ú0bK„‡‡sMßTÕw÷ˆž7ÛÄ1�Mˆ2çµZ¶‹h/+׃ùgo•Þ#(úyék)@;4ð•ôò,zfM?H€H€Q,Cw9ø€†¯Æm·;8^vWâ×g×Õg*¶v£2ãˆ~½s
+:ï5€.X¯N¡Cx™kãºÇ6°=T¯6d‰;͇W.‚ìeœ1Gx²MÕkÍÇ~¶]
+ÉѨzJ±[س¡£•ûLç}Ÿ’8QŸ†žèóÇ8ç°ŠÁIZ‡6§¡Ã¾¤ŽÝCkÀ.`ƒ�\oàZÌZkif»?“䀅x`mH;ÐÒSVÅÁ°¸€ÈØ%à’ŒLN•ÿQ»Ž>19½)içíö	q€ú#ó¸adã|-‘³÷ $ç¹%@»µÒó³g�x«
ÖŽ¾—©ý$œ.¹gL<§ÍòÕõñ7bƒS¢£éj%;"Á2k)à"ÿx×9=FY‡ŸwjçJ’�
R�ö‹$›¿a,~LoÇôÚ«Ñäå³8Y}òç¢I6E�ÁÑ«ÿ¨œUX¬ÍÂ\>
HnŠNß–YÁ ðV
+t/˜~ü;™�nCÌ’}8êÂ)(Û8·ñËq]>\=n;‘:NœÞãË2hk]yt5Ï2NŠºœ¹ìI*œšuÚ D.²QQD‹°•6c8r…*Øê	Í
+ÉJ2kç¤%o72mÝIËKèo5š�n$éÒŠY~èp™î/íy\mT§ë4çN²jÆjKSO}Óé†6Ñ
gô]æÉ•\Gu²Ô2%LzI|’µ–ʽ۳:½TÇÔõöãOA©!
·\x,{"ÌF‘Ýwz§ÇY2­Îž•OdçÊúÎ`/â•<Á³Û9ˆÖˆH!‹¾Ó„ˆv�Ž–,ÕõMÄ[ñ«
Ïõ^‘9¹Õ3Nr‘17'rùJÒ¢î•"bPŒÆ(#é˜�ÛSˆËZZƒ•õuÄþà35<¥¥½::ãÞ‡
�®™!‚oš”,~�"‚\Õ
U¿{’áYAäÌ(q«Í€Š�µf­Ágß‘ãÓÅ:%§££ð¨±ræ'ô*"
+Sdü=zÔýKò*<gÙ e
+ä’
+t�mQbà¯mq™‹Ó™Ãþ<}~µ[$ÌE(-$Â÷p¯¦Ãk"†½®"ÂÔÑóM¯r=PUÏ£<z`YOû€Ñ¶¡éœp¡.¼2#ëî=™j'Îgª±Ï†ÕP…êf
+ínø‡ç¨H,d10PP�
ñÌG7¼_dêÜšÃjSX[‡sò9–øî}J·tqü´óįö±jFˆ~å�^xíVî°¶+'žÔ�i¤‰Å>Œäç(–©N'Ù¦7ÍÌu<TF[•÷EÔf±ôÒðÑ¢­äj›Ü!|íó€t_ŸŒ&âɈ%Ðóm“õC#¸\!…øí…§kÃ+襴aÔÁd–ÈÀáFb�Çä‹ù­™7,jûJ<Îy|»£Ên§†“±S¸J[äA
°óc¸`tÈËu*ÉËšÇð)µßŒÒšŠz̤¨ï‘�Yq«@¡ôÒFó¤iIl.¼3� h뉵óØ}ü„qÓ~|lHþèDYYnCè&Ì´çAdúsÀíe*ª¤õ
+-„xUdÛ¨û+õÇñ	Ñhå3MLÐ�Ìg•¼´æ´[Ðånd&N[I�³œ9u»Ž;h‚¦h	Ã&±v¤ðcý‚Æg[ÙÏ©R#*
+ñ¥ØDˆƒ¥™Pþh÷�ioi1ÂÿðïîÅíº”a¬M(añêâiùÃ
êÌ‹þîÜ0Æ«ŠÉ,zÃĵ:ûc
+‡ÓÕà¦^=µ®ãF–:%)Wmq
f`чÃyÜ©˜¯*Ò2|í~ð�µÜæf˜wÔªóŽ6‚ê¶SÖÞ¹†öJya×
+§[ªhÃàz\^-B}‹,�Kþý×nc�]O;EÎ�Ám±dé¹cxá˜g¸=%T]ãë÷�\†ƒ»jïÑÅðdêÅâºì´Z>»M4–‹ÎUìé´wâ; 0eÑ©€©KE*Ѽ—`0‘Êêk6_í„.‹6wVv>OÜ€@w¿‹Ê«ˆüŽnËé(Õä�^…õšjóFkƒ^Ù*® cJ#,ÆÆß“Û§FõçÆÅ¢Ê ôó¶‡aÞx’)ï
B'ƒ=Z°?é�uÊiŽ% 1~fÌ3Aù/A€NÖß
Bl‡wÜB+<{ÔÄŠ	€£iÝìG{K¿/è~¶ïõÄøìϥʰq˜X†bÝ>tÇ^hÜBÆ´½¾[â.1óÿb´$&ÄæEU¢láa/ëÔ tï˜Åpç7�/îEbØ…>	åÅ`YךŸ"3^›r¿ê‰Š;Ú�Q€µScÚï|Ö%Æûêæ%ÎÖ@äR›„L19ÒíQa[ˆb}[�2"¨œIÍžïš‰MÅîùÐÛ	Ïü.ùœ©e‡2yÇœóé(-å5Óü´�õö	´6¬±Ãþ<v‚sÖ£Ù¿1
+(led7)ÒÙsýœ¨p')ú¸ã]ž¾Îã»:N2àp6,Í×ê[®¿HÑÇn€R±PZ“Tª®¼Ø¡!Û$aìºï&Ĭ½oßlfS,åµ¢ÚxµÊ QœK;cå›@¤W?陉é�ÍBËzîrè&
’1i¶üžÅ…‘ŠI3w¨)§tÇœÅþ>Ú
™D;Ùäþºˆ_4×}‘ZQ%“›½™·]+ŒO‹àZâÃì&äÉ›Ã.²]ÝHŠöç˜ÉuÜPè95ÿ	�뢗ÁfDZbŠDl~r’nü%n†MmÂ7áC¢†æ‰‰b Msû¹(ŽãŒ¬--¿ò^Žö垌½ª»1”Ék^-ý•‹Dúft^t,¦£®ud˜'½ã0"©1oQòŠýAÕؽ6$-0,µy±ZdR3cÛ^„OKoÿ(r¯”Šµß‚¢ùe :3ĆԱhº¡³Œº:
+¤öÎ� "¦ýŽ :B;«ø&&c€'I”…Òn|]ãh¥ƒµ•
+%‘åwÕkïvm—wàpÇJ¹¾U	œ÷&“³�oP�1‘\œfr;Š|Y[âéÂn†ö¹ë°¾LTÁ¸Ÿ£d«ãÇ­!5ñ樹õS^¤X#Ûwô¨$c#Õp×RqE.84A•„�#ËPÆ4UÄ«SÚíÉ°ª\bÚô„ÑÑ`“ÇH­0åɹr,_QwæÖB“V
Ÿ4	O=“½´†?â;ežÞ¿(‡½
+7©¨�—.q`~K±
+¯3}â›ÛÉAj¸*óbŽ$k3VgzØOÜæ*PÛ=Idi)~*0vyÊ�î
+9ŽJ $W‚`ú­ýRÂ#Ëí"?æ’²†øo£qErl>í�Ïÿˆ!!(šÐ(ìÍ^÷H®²€Â#½7§”dËO€š>Äá}¿½8$�	4ûÝJ—ó^wÅý$-ZÇ;¯'ÉÔï{œU¡f
+Rs2$Ñ%º‹ë!n�ß%BÛ»C)uv÷'\ó&6Éu¨ë=Ôä:Æ	k‡z½ÌèœýU9S/ƒœþÀϨŠïw1~µ0D6Y+e»ø�ݼF‚z—P÷«údoÀ·
“T”,û«ðrJvº™‡ô¦ä‰_q ¸‰¸Oñ>Ëz0å™ð3ü™&UK&g&¥Ä²è÷˜‘[zÄ KR"áš…�Ê�Ž®è/¶ß~+˜àÔó†pJ§ã•<êw­òöViåhúyufRµÕ–4êåp\W a‚Ó\—B
+':o´ù]9>áÉ¡-Ö™)yãXp<âo_jð½äÂUZ帥þ06_VnO¨nórzcúî×Õ:L“5uþ¨8Ýi÷™¦»‚w®P€RJaa¨êé4
¯a²¿{LÑ™B”³è\@oE…Ð;çA‰
Èø,È+”qË�ájŒÂ¹’dV8G³}cÖÀdâæî‚^.ìÍûÚ�˜ÿà>*Õk …ÇÄx>2øµ•_&9¯!Æx˜ÙG"¼ï*“¹±ÌÝ»á‰V0�D)É¢‚k‹÷ž:å¯P4û
+Œ›?�yUGáõcç’£Ä%³¤™š€î°®÷�š�TYØô
+®V´:cMG	 ÏÌR\Y^( [#¶æÉù´*Ž|J¾¿µ°æêÇߎR/ð÷hïšý®dèÍß!HŨ¦µ—`èH�ÜÙ•õiÒ¥8Ÿ¢—"ƿ첈ïæÇ`é"¹º’ÆSð’ÞÈÏ–<$¸Î�â‰ã
+y#K×2ª®q1g¬›“‘-öæÙú݃ÓIÝFÍ×½Mx°<?ÑgýÆkµB-ÝNlr¥A¤M/šÅƒ¾Iµä;5
÷£,Ø¿W‰`ˆiÈäLJ©x’ ʪѾÓF/Gc à"Ç»_¹�,Ó¯+¢¸&lwsä`“ïS�&®ÖyGpˆ$9>O	cׇK2ºëAÆö¹Ì,b

šO)Ù˜•䪎ۖÜå×ïLlˆ¨¯Ø:
+:^fËër¡ó5‘ª‹�ê(foC;a'¥'Ô'pq84«Åq†‚iµ‡„
+¤¬™·yæN¡ÒÍ=Ñxhwí‡Ð¦-LêÅoR„µ ”3'ÅžŽ7vF£¼êb•r1uºÄ…›Ùaml³§W·áFIöõ»_ìß±#EÂp¯Î\R8ú�rî	,¸©n²o‰¨¡2V;�ëÃrÁÿßþî[gƶé¾ï—OžBË&í)Ü\ù#�ûÌÿ7õ|®æov·E|’ïÙ}…I%\ÜrŸø¥
7K¢ì´v,_Zµ¢e¥ÐŠÒyÛÕíŽ%_ÿœ÷ã�yìÍ2#íO¯Ö8_^{ñšÃÿ9ÊçC'±2]ØÓÔyÕáùÍ)Óç©X÷\�â~¡æô}Ù’—§Ëøb�y³Äó{K9ì™ül“íÙtß9³äí2Ë~ŸÏ�MÖYYzࢄ°TƒÎŸ8ë6‰B9ûdIF†Æ{úáª:OãÊ.,|©–u‰•Énãk“9u³3zX&jîû7WD‹ý î9�“fGÝÏòTNo½ª÷À’Ñž3(È'Pôè§b/©ˆóy§?nIËy¶ÚH©îš©ÖšÖæ-×¾$êMS|á*¹áö±k¬«¼+§Yå–óŸ}˜á·ÓÂ;œ¬ëönüÍ¢°i�òüêÕþ™6íŸLÂ6/èžµý±æc‰][K8–¾‰KQùiš¾ZnrKb]Ÿ:ß˃ü—ü¬²��´o\gl­V“Üèãë]šwó¹KÿM
“?
ÌÉ{EÝf3Ë…¼×Q©‘éÏÙ¼‚ýCÒR¥Èk_g-äM·´ÊQüµõ­öf
+
ר
ÀäœÔÄ¢’üÜÄ¢l.
 endobj
-627 0 obj <<
+880 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1344 0 R
+/Encoding 1915 0 R
 /FirstChar 34
 /LastChar 125
-/Widths 1353 0 R
-/BaseFont /YXERUA+NimbusMonL-Bold
-/FontDescriptor 625 0 R
+/Widths 1923 0 R
+/BaseFont /UFWDEX+NimbusMonL-Bold
+/FontDescriptor 878 0 R
 >> endobj
-625 0 obj <<
+878 0 obj <<
 /Ascent 624
 /CapHeight 552
 /Descent -126
-/FontName /YXERUA+NimbusMonL-Bold
+/FontName /UFWDEX+NimbusMonL-Bold
 /ItalicAngle 0
 /StemV 101
 /XHeight 439
 /FontBBox [-43 -278 681 871]
 /Flags 4
-/CharSet (/quotedbl/hyphen/period/slash/zero/one/two/five/six/seven/eight/semicolon/A/B/E/F/G/H/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 626 0 R
+/CharSet (/quotedbl/numbersign/plus/hyphen/period/slash/zero/one/two/three/five/six/seven/eight/semicolon/equal/A/B/D/E/F/G/H/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
+/FontFile 879 0 R
 >> endobj
-1353 0 obj
-[600 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 0 0 600 600 600 600 0 0 600 0 0 0 0 0 600 600 0 0 600 600 600 600 0 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
+1923 0 obj
+[600 600 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 0 600 600 600 600 0 0 600 0 600 0 0 0 600 600 0 600 600 600 600 600 0 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
-623 0 obj <<
+873 0 obj <<
+/Length1 1620
+/Length2 20127
+/Length3 532
+/Length 21036     
+/Filter /FlateDecode
+>>
+stream
+xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø
%ìlA,ŒÌ<
+o(:¨Ñ_‚ä¤ñOFuØI)Q’¬¥®‰Í:T\+kÀ2ñ´Ò(ÏË2+­Ô»Ð]é¾çAM�¾×Q­?A"tto¯�$ÏÊAœÇÛwÎB�¼ã¢ü1lþUx�q¨eÝÒäöt¼d"�$ÀÇŒ‡™M ,tEÃ2g§ö“0AC�ª•ƒÇ“IyàbL�żê|c
+)/
úh½0HéZ=`|K›@?ôî3Ob¨cËL<Bß1d÷h•ß$™§”±ù¡î]C¶Y™�GOýú!‰�ëŠ.=÷«Ý¹½.oÇ°,½ƒšt­¯”3sƒÆÖ®·qbé§0ŠÅ°ÈDY~–iÃøu(Ò˾‰ªæ³?ž�
cŠÔbdS7sYð§>ádÍíìÉQûcz‹þú7¾cèü¹$	Æ>2Í%—¹ß°%F
+>@í£dJî'�¾T¨WÝ–
’ÆÑë«úþ®@Zl—,P* ï™7o6x©bäÀ×ZëíùOרc ‰^à°HY¹ê¶]¼„qGÝx-
$v·úyüJŠÑ‹lüwÝ„ze|5lÇ¢‰Û&^^Y†¯d¤å¸=眫Ø'ZðþžQ.,°#p¯ü°Éøù¨~j‡|i¯ÖÍ_)¢é<-ëqHb_Ò»S3‚4~«Ò/²Jú
+ó»kœAUyÑ®
D‰<aº/Q߆W}á{N·râ‹0¢ž¦¸2üuŠþK!Ìe§óç-õœ_…Éæé&·öŽtºö›)×öÜÑiÞÜ=39^TùyÖVÑúA`›Ë¯“Š×1³[´³Cr!F\YÔT¯É$0¹âv¬]1¹â2õ¦2˜÷¨ÏQï<^™2ÄH‘,Fð«­Ѐö

�ÕúSöËö$§f@ÂÝ}7EŠqÂl™ûÑ0†R
+CùV¿�·¬�žg&�>ˆ„’"µpVk_í+t·—$ïÒBh�tçß’¼`ª-�‘C†<l®I4@‚ŠÕÆ6Ã0;˜‚û;>Èù}îÒôƒ¡OQN¢¾hÉlÙ‚¦X©ÍÉÃÚ-ðÝ󜚮Ӳå‰f]D–„]fp`Ý
+‘ו‡ošDƒŒ¾”¹�yÙÚ<1Þö÷Š3
+9àÙ÷:Å„Ÿ\ÉFlý¹ŽNÁçµ±½F¥1¢{1I#�ù�#gÐM!Å&Ð!ùf¸¸<:â‘�[Ç‚êÞ
—dx²U�Ãü9‰Åm³{¦¨F�®Aº/b›ƒÞŸ&ŽiÊù0ÆÊ<É{–3Á—)t;¾
+I…ÆÄ8á J’«2ðÚÁF–û†t÷+àK‘D:rtËSα£³ÒFX°Y¿ƒw0¢ºãÎo‰Õ"Ú-P¼L>Vš˜ñפ2 Ynîë|CVÞZsZú Ó†x9�„ĶU&bNž\@š'üýlNÔÞû1ãWÎèjöE¡¬¨ÿI1©~´Ç)¨¥P#çP&¦B5ãrEò¬é&Ü�ìPÿgÖ©‘ŽrÏ3ä5ë(h“‹£66q¨	JÄ·­ï|à·Ë Ç#·û:[‘úìƒîi0žì­ÎÚoœ*3ö8¡|SgrJ_ˆ·¬»TáZ‡%{ÍbË„pøTþÃiK¢`È$Ñò-ž—
r
+g}%ž�¿<ÿš¦¢§y>ÕdsŸZˆ—ŸäØt‘ùB<*C�uù­
Xò4RWJY¾?Ôse4¿¦öÁGGøË=1nI6ö>â¶�dxøÛzÀÛö§úø÷^`K­™u ÒZ¹$gMÍÍE®Ý§R‰³› |~Π
;âIךÚCXFçÔ[ �"9Û
+%Všy¯Žç½wd`õ\¥
+?>Lîw\_¼__º‚+�úˆ—Ï*×5²,Üâ~‡
+ËGBÐ×4
$<]q…x\6_Ì�I_ϱȸtÓ<< ±ã[ôV(“K—�ê£hAÑLÿ�ž�ƒ«±î�«k”“Á™-H¼~„ÈëRtàÆ;ê¬ԧОSŸ«,Ä>x›ºQmMΠà¸ÀöH|’MÇD-2:s»ÁK¾jÍ)yu$–©Ó:ž•([mq!+G�Œ™SÞz‚PùÒ†�ÞjLñpö«Ys%²Ý¶p¬z.M[›t]Þ§ÀŽKxÀKPų½×ÕêL•ªçLý=à'd{ì-¥?Ö­�#†‚­¢E^+#6#–
ñ/–“õ­ñ¼ÍTñÖ<ínÀZ‰/”Ú8Y2ÓØ/gÓAÓ›øæ±,dx
+v]šÑØ}a(ôÉ:eÝX!±«AÏ�[–Ž×ÊÜ’ÀæƹƣÞ3a‘^£ãxR°šË\ì2ª<2€ÿŒÍmxÕîQžæ‘QáE‚ž�È¿¼=±HF,ÃØðªÊжÌ>Èü]¼¾Ø¨ÍqZ\Q0³“×-|/SS´æ;ª?
 [B�«˜jÜë&BØ’ÆIRòu“$€„ƒƒj°�i&ÝY³$——½å£
+ç
¨÷i
¼%0¸)xëõdïIG•&Ž¿œÃtɳ6†ž7|¸.&õ
+	-ΈŸçf™ÕÈPMC°3p§î¸eÚìq²áBÞæh‡~ò¨,þ�¶¢Æ®¹ÿã
+¥;Kƒ{jPÌ�CÛf¯¨“Ø£_:©Ãb*¬Ž–Ôº°AïhµûÞÈq‚F΃a¹¦Ô9›X´Öò€)t‘ÚQPAng©§âÏíÿ4»š†ü˜©>¹I¡Îúîá
+-5ù\;³½�2>V®±*T#
+
+@0‡cz´ëðcL"¸¶©ˆ1tQ mhž7OyÙK/=mŽ1Ü´iüŒÇŠ··ôŒÄŒ%¥”v=
\lB­×9Ɔ½‰ü‘“WŽÄõÝ©s;Ú¾†øðýa_ 7,Z±jg[À6¾bV¤ÊY—qá=›TLÀTæù4¸©ŒZä¹xæÇ©D
 S7Aof„ûoŽ¦¹¶†d¬Å(?#	Í”¡4÷Ú7©¯;˜Ác%$P„P|¹Ú“k½T˜d
�pR(áæÓþ;	@UÂŽåo.P
+·?å?«ì:º;rº¶;(œåÒHBÐUQ%Wy¯ÇûcEàÝÚóÌãÁÏbמgo@¦
ð­q´ÔDÖèÈ'
)øóÁ�«ÄhåHø*²ï›#™·ZÏYHá(%Òïg!›µß¿ûW{|êõhñGÆq¡ÄL»»o–DTèd·ºãú±‚e6D²]�}~Ç¢jé‰
+S(xÚ#oÓÜõçç‚
+¦cô)E}dðHÓœGNoj<]Sç¬<âu½âyקûU�7Áê­²‹E«¤py÷á8'ËÍibHö� qT?q::جöì(ݽïRgÝý>^ØûûWM€Õ}ýÐ駋–Ê{ÅóZˆÔ(sï[6ìÂO‘zü
+I³ÙêéÇ–T©-˜R§5߇›‡þÚ@ÂÇŒçoT§÷uf‘‚‚Ÿ£;?®IÖB,$ÊqªG¶vÚâ¯PIJ	•£Æ»¨(¡àœ•SÕ`RHáRp�·É/i¼™É6rƳ¬È»ÚôÊvökU;]äW¸é­�ysV†$Zk›o��ÀëãõK„ö Î£
æe�*|LÞ¹*p¼§}¸ò× }an²éÜ¥ºÏ¡öÚò´Ú7dîyˆg9ÏÅõð¤éFOdtã’ý‰,5FYrè¼c}í¤Ná§à:†KÐe
fŸvE#Ÿ?Íю˪̘í‘0S(Ó¿£ME J+dL©¬¼I­ð^>|$½g'IàŠ´?"týy0ïù4=:9W8ùÉÝ1Õ
+6AdQ›¹Í,>N)¥Ò©ðOã’ÛÍ·o}ŠÓ3U¢ªõ3“ÏŠC…}àp)Æó
¿a™FK›ó+	•W1{‘¨íœiNŒZ?¿~Ô<îZÛ
×Áˆô~ô}“IU?û
+^ºö*ÕÊ;â˜<\éæj�B† :æ‹ãk‡o™ùžËýta�A=« ÓÔ'ŸÔÐH•ÄN!z^“«ÿw¢ëKËÌ´«vߪý'ZÎØS³_-Ÿ!¡ÑÐ9†˜­yƒ±<`–ìÜkÚìƒ8˹‚®UF¡èýÒ¿äâôëO‹¦3xª©‡ì†°b$pãÀfN2rI[	÷Ð�`-IêѸ\\AIëÇz£AÅ
;²;»¬·Ó@sûÑ’Ðë"ø	,méG(;vø™�Ùd×"|‘"¦ŠÄ`྅Óé‘«¬óõlýÖ!|t]Œjø0Š–¬¿Ö¾ª0Z
)ˆM&çEî+
É÷ÉœGÌ7kʱ—Ed`X]ŒÚE•ÀQd¸À'D5õüDU°p¯)+7sZz Ce´–
+Ý)k=g<
+ýÀ”å•LâàÛìàwD#XY«yû¸é ‰z�p£^àž¡�°óRÈÒˆþ‰B
˜D²¼¾Ý_v|˜÷ÕìÆ”¡v’S|*B‰ã˜D#ÑŒ¹N7uˆ'ôx’ÎvïNEy-‡UI9̽Ç|iýB[}¥­Ó¨�ÜE>T”;pf4_·Ñ%ÙøN} T…—Äï÷uĘ¿”õ‰¦ûñ,Ri.ï
+„y„ÑŠ<¦ª�òÐYtÍþz`Õ4ŠMÇ>f·ÅH
3¯�ð(±…¼]¨!9‡çߤ–�šà›c�à
+è°ƒXC#Ä1ž7róѧƒ†1÷‹þØ*:½Ý
+¾¬üš"¨�ùᶓ°P
¾¢®tþkºô¡�ßs˜8ÁºÌÈ8õc°ã9­•Qæ3EåŠü±¹ÙΆq«¿tÔöÙËCCY
^"fDzJ 
+ÛnÂ÷Ù'Î{ü®ÒÿŒŒ®AiD–Xg‰¸N
+Ã2k}„‡�Œ°±hd7,
=½åÒp3{9uN4Ò�œ°T—£b؆F–i$ïó‹'p‘}¾Ÿt¥™´ð^ɨ�"3±Ut¢¡zx²ØÆx4D	K¬ZógÜ–z‘xC6‹]äÂØý9&yóï³t6�?ðÌ"%
+‘¼FøCAÌÑð}>€¶6‡¢ÓVÛþ\ý	diB´«Ù�Q¯è.Ç~Þ‚´ÈÌ=ìäm’6yS$ý-Ñ¥ª¶™)P‚�´)keÅÃvM¡Gã¶Ëe·5%¬_ØYûMŠKÒ}ƒ†Œ8îÕŸÃl5wìóµ Ô<öÅ·£„²3Ç��³’œVÉ÷
+žóø.Ñ°\éd¥(š˜>¯–LãPÊ Ôš3,¿Ô16še¤³Û²˜BG»O�åÔÏæ¦_�ƵW‚®e	oÎP×½'”�@ç×ÒKLýº-/ÞJ[ýŒxw]öG8förˆVƒÉcvÄþh;Ìšé£è‡µŸõ!qîL¾ÂmÕBÇïã@håR}ºûür†¢'rû⣖í5qq!Š¥¥¾Üt¿°wô¯µžQ8É@Œ‹«}Hë%‚Õ›E1TâìGäìï¢vF9Õ´�½Öœþó«õ‚y¦
+°YN0Û�æxôÞù¾•
·Z1#‘pÐG�)œïò±ž{+¿ÝªjwÒ±E©áš=P´Þ7±ÙÑ[7û¦“¸NYYÇU¸yd
+¢ˆÉd)$±¶Š¸[a# :‘�ÁÜ.‹ÍÉü�7LÓ„�(èòGÚyö é안øžwb�MŽÓüÇÞN�Ëe?ZÎÂfRc¯PÌeš²ªéQÚ"äI8�
+4Æg÷ÎüôL¬¾¾Ò?Âlœ�á6_±Â؈u‡ëî$àÝÌ;ÇDpBÝu¢Cbî›#13º;Ï
+*‡Kò·¶‡;¼-’"+ܦ˳-ý<ÎÈt_üöYëÎ’áBÁ‚¡$üé©Ò.&�>Ùe¸R¸¡3›Áÿ]u7üaÌõñ.R8‹zAµÓãvnXLûçpYTÓôª['ÒøUÒà=|¹üº*ÚÜO�AŒ/–*CØ
¿?CÞêh67÷
Wáïx,V½ªŽ_RÆò^/H–}èÈ;‡¨=+mä káÕÊuS®ÉẇNbnN’²‹Y)êctž-yá¬JHw‡d`‹£Mó®úí}KÕ4¬�«–!øWù…�sYÚá•MS
|•Ð§DNß"æµdYDé
+Á4õ5’KÄó}†#‘.§­¤‹R�‹«
+õS—¸­oïV‚•¦x{ì—?]Ž{øjA}øé{¶$õ†BÇÃh>/o†"U¹»ý´P‡SkwUçn0þ€8âàB¶ü¾F;u¶pL)#–�à
+}c6!„L¹âP’{ƒá;D¾dçqí¨ˆz`Ë2«f§µ­])ÊFDŠÜ›/˜[öÃð"§Ê^w�HZÁ‘³"¯�oD{�¼_7züä5àb«;ýS@$ú¡W °²ZðDò¢òuÙ
Ù‡W{fMÞ2ó¥I*,~…Ä©¹#xÖÖŠì�z‰KkVß�L™E�›)¹‚¢ÞIXbÄSóùÈ»´[N[lº3íLX¬˜
üçw^@dqór
+G%vA)ÁÃ
G¬³¤f‹o¥¿ñ`Ý­LF™óVõ‹ÔK‰óÔÝwø`ø?qŸàÁ¨Í	tj@®È<a‹÷
÷äIFÞµåüïñõñ
Ú1*Oîc=÷Sï×Rf•«xh¡«>Îê3cçÈ
+ž(—NÑÄåi¾%¦�Še¿€Ù?ó‡Ÿ›o†`ƒbîª0Ø– õÚ MR�¾
+Xá�…<§õ0ØC"ôñŸjè(–ŸÚŠeÂÑ_{Ú#‹p7ƒLìÙ5`:ì¥~Áì4«¼„?ãL®Ý8Qó\‡,OÇ™ÒÀ;ŒmhT Î§µVÄ! ¿h¥¦ž;t*ê¿ôŸçq
!·Ë,·*¤Z…ΟÐWŸ¼T‘*”„6C‰:(ç›ø9ÖɵQçQÈÔGæǦߑ_<Â9ç×YÛ­ÐÚºMîƒ3u"JL	üüÒ¦Q#ÆV
_©©…vYTóVKYðçæÄÞU™gÔ»ð¼òù‘Ïz‘Z(ßC?¢1Ý=�žâD®jŠR8€‘%öøg×Èži2v»n›„¸MM¢t
Qd�Â*l%–¿‡RS7ÌÖgj¿¤‚<ÿWßÊ}#ó9¼ˆ¯†eç
^™êgÞÀ
Ïõ#²z:Ý¢
+�Ha\»¤ÿE�H
Ü„Ôçì¾f•%bA
¯üIÃvÊ¥lPsw‰8º8Ö­æŽÚz1IÝûQgÜûØÍMw­©•—#ŠC$=ꤡ ºí=ŒjâwÔŸD*/ÜÒdêÅÎV
+�ž‘�õ÷¦ÝÔÆ.3±õƒ¤9ù]v\_17OnS{‡71¼ôtÝêÅËCgû!Ìõ’+
Ì\\j·Äž¸,1Èßß62–e€Æ§¥ì¶£þ&kL¿ÜêWÎc½aàJÚQà&AY¸Úãt�¼Å+«8•�õà�ZõÐ
³…V|Òœ½ÅÆú¡/½99t<�g¸`^B?h¸Ç0Àûµ©¢ûOÛâD¥¿¸ÆŽAôÅöŸÐˆ"&üÒÙGZ‘úáMŠ÷1Ó.Ø›ÉÕ
+}É6¡©†þÇÈE…<ÊP&öÌ>sDõbÛ_ÇÜÛWp	vµe�>‡ÿö²fßé(!‡°~i0bkzì¾ÕIä­ÖÙ²¥©@ œæ‰R&ï…Ãi$|i ׶Î
³�ùòR¥ñ-f	—ºŸæžæœby,I꾟pXðØ©»›¦Æ)bF°¡K·b¬H‰ÌçubØ<A¨õ¨Y*ÓIÄ�w7y	èÃokSI‡&úÆΤ Kʱ¯¨/ÞQ�wŽŸž±“&×í1™>JŽ%Yô¶y�X}<¹ƒùÂ3éîe›i0Û~4f$­z6n/¾˜z¤ðvÀÓx$×ÂìÀˆæÑnmeõaàtçTŠEð­*>÷ËMÉCJÁ0Ýg¿WæWk¡
0[(ÃL�(”ÂÁÒ/;í�:1JÛÙÞ¯£ùþŽŠ's
+†‚˜!Y5ª¬h›Âø
+’9„©²Íºi=ÿ¨nuþò©­'h¾N«˜4Õ 
7<±–¹ûIíÓö†�÷Õ=Î)iÇN{À$dQñãTË0¿‡h¹KÝçµÙÚÒ9äó
ÌèÍï@¢ËG¢�$éðfKvHÀÑ:ÓÝ&îûAoà `žŽ“DGO?Ìd¨ö3ìŒÂ̪i¢ì'Y"-°ö-¸™¸O-õÂ5¾4¡Ã­š6rMŸ4Éì’‰üË¢¸U9F4Ò±SÑU-ÚÆ
+¡à£"Ð,‘gÏKîD~^ººÓÜÉ/Zn\Æ$ÿM­Œù–1ÄŒ)Á×�BoÅ�£E[âcQóh¨X*úêÊÒO>0”�ëw+ÇœðaÚ¨F~¶zñyþþ{‡gS(êá9‡&IdÑX2)Fžb¡8ÚËp¤‹PX,Gæ(xõš2œS`º	faj�e‰ªh.,w¤á«7
+cLÇý2 Ža®
+L­ysŽ<q›é;u	%ý¡xCߤi67k]|Õ•ðÓ�*‰I
+Ñœ±îÙª
Zˆ¼¿›7Ã_ÆvN¹—Ks6Ù\£÷ˆ[�wåÝ4
+ÒÝzI6…®uê+¤S9ü$±ì
+³î^x½«nŸN)ýŠ‚Ÿƒ.Îq:¢:+ùá�Ž{ÎúsX~²‚e–yÚÊYTº¾ws!k�œ(IÛÌÀB(ëÊ#’ØMëü««}d˜D2è9 ‰‹â—'Ì¡ø´ïƒšÛE’,6bOöO;fôu-~_Çx�ð¿7¾ØÄ(Òñ÷í/Ú݈9?’WÛïµÈßFgùè`æ}ô}4*¦
+…3©	¤ô1.aõÂ’ AÜÿJ&ªƒ0E|R*�ü(ô¯[\eZ¢¬ ÏÑZõçú½á¸sÅ%¶_,sEjìœÌ.�®Ü¨llüqÒé;¼ô½ë|i*VÖŸ
+¸Kþ­Óp’¹«³>ú±ägWüD³É÷?æKåÖ�ôm#|žZ¡£¢Ieí"b0G`½t¢n¢J¯q¨ÜÜPé¢G08mÜ8Ùªç µÝ¯Ýã¤ßRf§2e±;$D/Æ&.m�È—(Ân¹\çU"S#�Ð!=7±æ
+’Š±à÷+ÐáËú­qJ®lHsIw¹eòªzDëÞªÔ• NÚšO%ÒçÕñr‰�½¯=W¸Ë„TF%��:uÀ䀙2º,~u‘\ıáýú”�oC}xù‘Žq"4{‰
+@ûÅ#\t£¼ó�¿º™/K®Ÿ±UgR¯H€d~È
+a«Ç|…Á|e¿g½¯
}ð”uT©ûa3s+³Ì¥•¿½ã1KÇ×1¼tþ~¸O`Ë’tyQ[ýÈ—M!›ªo®J¿¦½Á'‚K›ð⊿Sî|
ÿ˜û\W�Aƒ#‰Å9Žê2]2Z³lp‰Fûû–†ÜûO¯†O
&¤ ÜDpªV¦8ï…ñ™÷óìº
è™zgØùÝg¢‚5¹’-É}P«�†öž/£y+
¢rC*î‹#&ï]:x"v˜rNµ4¥‹|ÓWíJû`føZ1mü-msFYîÐ:8[Ž–?[¯+v~ôðá²›	ó&pÀs–K‘v£y¨¤}�Üšÿˆ÷[â01%¸.cœY‰]j�˜ª:Ç¿ùö:Qqæ!åµ¾©ÏÁÈégƒ¡¾{£6jÊÑõ({ö;¯`ôô«î½A$äÆä¥=ÿ7<‰†ÐZLLSXëFŠ}Db62×,èÿv;=›#˜‡Ãc�(íˆFrEƒÎUA7Á¾ºñ°¤‘ïμ	Ÿ³ËØ
0
+·‘—Vh/†¸MƒD:•ÄÇNñü°†•:#Þþ>PLÇÒwïÿQ5GbÄñ
Òû¦ªð@`	Ìz(iVþÉOëµ6‘
+³ãÆY§uïèœÙ+�èï°9¤- ˆíRUöMxöOþúíú¡ÅsC¨3‚Džú›„àyEà·£¸q›—Rôd}ŽO±æé[ÞÄ™G`c·§;[�‰^L–çÎ(Ön^v轈î½—’‚IA?‡�Zdߦx¶ë‡0Þê5/„·ï0iñUE°—,¿"7ZE�"Y÷­à ŒçÂëáÂBG¾8˜¯§�µ#êÂ^	êa¹bÙø´­b÷VîæלuHmzæî	
+P�̪è¥Ôqõ D·Š@ÞDzˆ‹òuçöÿäüfN?ag>-šŒÊM©a7šµjª)Ð¥0c1å˜Åêž&¶Á0®ï¸‚«n9¯ÀMæW )õêP&°C˜Ù‹÷¥J@eôOqðȾÿçx˜¡ù3ÜÏú\åušà$å·=„þ’»:0¥äí
¬	{]Û7°PPÎþm1ˆ’=pËvÑ18Zµ±ˆ
ÀºrG»%±6.«ßÌ¢8Î8П«woZKÉ9'çêí#úG—ïj²X+§ÃšP8†»Œݸ¼0J…®D“-ýf¸=_U0óA­ú¤‰Lÿé-àK�‘ú¥Ïã&zŽ^Lqêm²ù›_º´~æ9ö$ |òÔ«*9k+ôûÒ—eL€<•Ëu¼É]ý	v¨Œº�_rœ!¬ß§Ìèèn"X[,#ѬR;Ry\³¥»VXÀƒ±AA+w
+©õŠÊ»üyž+¾û™%’I†2£mÞá­¥\÷¤uçó:µš¥WbÕ‘¹éˆ×h'¢I��µCŒºÛ 
+JÎtŒa½µ~öB¿çn
8b¦”W»VŽn$èÍñ�)4Üê¤÷VûËÌ�Œ;µ•èN ‰R£ËÐŪ§ýÿ×>Y¶5
(QD‰!%ÝH�îfà¨Ñ9º‘n	i’"]Ò-Ý1ºK�Ýݵ÷þ‡÷Û}îù
çÃyžã•�”4|œ"ïñ`Ûý]_€ßÿ¼�ݲí\£$«:ê¯{¶F†Æ»lìÏ3¢?ÑL$G@Öóå×vmôãŠ#Žª×°tή4ËFIñê\é±¹†òã–ÊcLÏBÙðn¶²e™i¤ÿs;<¶ ¼ÿñÏ7JŸ�¨ie/þ5÷“FàEZUuç!í¯îðœJMþ•³ŽôÓ�	}Ëß–~¸
+Âòé€z{JE‰FªM Û„�u–æG0iž³ÍÀ†�^µYkúzþ'ôÍòH¬n“È([ÒKFR}ÿ^÷ôdk
+±5b�$ßì}Cd%#vﱓ*š°ßÉ
‘ú°»­¥8hñÀÜ_Œ»Ð7¥U½2f
+b›oÒm÷ãÅY…½jãnQŒ˜�fýÊm½­�ªm&*þ8”Èç1|ñ˜a¬~– F‘«•¢ûÎòXQ;(_ÆSI0ü+p˜ý&�á¸$BF
+ý1ì_v#ZâÍ,µgªìVØ
+*‹š@i‰úû¿ž8ëäCî3luRŽn£ÒsbX‰É ýÚ�Nã0Lb£?yrK—Søƒ=Õˆ�áÜá@Æ	žÀlþ
 ¦Ã<˜
'•AÅ87gñU˜
+Üxäø›Š•XGŠyº'üá9vµ,Õ½OÓ
à¬KÏýØIC`­”¿¸9Âò§é¸ˆßcZ”Âh.RÕŒI�8¬_$òfIKmÌXró–€àÇêŸ%Ŭg”ÆÂüˆßY'ºVR, ¨B~
ÐÔAQäϲ¯u£s¢€Ý_˜Œ\@øt-ò©Ÿ’>ö‡Q÷FÉÎUŽ«l$Ô.ËW(¦8*³Ÿ{>B7@-7쑘ôy™Ù7º!„³¶QèÌL}*Ÿ$‚WVÉÉ®š±Èñ×´//2ZA$¼�§¥ªb;>~T6EÕ<Õ¿¿Vj3ps[‡Ú[ë�#.JìñåY¯ª0ûì©'™„±ŸµQÖ8}Q¥ÞÒš½.H�Òý¤ñ‘õ$=¨â¯oñöaZ]‹#6ž/¿¦Ðô¹e¸ÞZ‹ÇM{ªh=Hp¿œ¦-Õôš£åežÂúz‚€ÛÆ«ì(Onû�÷söQY²æ‰Ï&¡I(Ja]�U›-fø´Û[ˆÿÞóݦ6vº%š.[Íá§KpyJÖˆàêh2nösjJ,©VŽ&EͯU¨•x�9øW+0éOžÜX‰3„\
+‚¾¡ÉzŒ:s[­+ž:[´‚r7À«_ó熈ÑFÂ2Õ:¨Ù�˜-Aè
+œÆâO­Œ,Eß�÷�;XM«âU†æüìeçÎ&¾¸cë2“.D£T�«h8&Ëe7nV"ÎCøpÁ¨Ö#}&_ot-ç2ÃæX�L¦ºŠ�ðï"’‚Áf&ѭ탔w¤éʼŽE9Ãê¶Y|t\dà=_©Ÿiµª¯9ÅÝU5½<}âoCʬe±É·mQJ_”�–õx-�ºDïä»3¦Ÿëï"‚_
+{8þF�ÑÇæ–éì	é–sE�cø ôc/
¥Xne­£ß	Ip’XÌ,X§x©o�ÞC§C7}yñ8㟑KÓ•F<Ø—¶cÚùc§>É÷"ÊåæÔYxVì#³í³9y«bTjýé‰NÜáù„…ª�jŽ\«WÍX!Ì[Ê뺧b'ÞŒÆ)<$1ôÊÚ[,à§	ƒ@ŽWÃc3/—°WnY"¬Æ4áé[_Šüå–#xÎöf3I�¹[V¦;ñ²è2f’a_ÏãX;q)ö�&Öö4FØ…È÷Ÿ
+=X¤9�ƒ:Ø•ñÒ
+†*Nñ(ßc“À“
+ÎQÓp/6è~�
+ê™ã2ú»‚îY$óµÉ•­ßª2^IÑPYm3ïÜÚ×Juý¼=ÕùÌ~9Äÿ	2©”pmPkDÉ�	Ç¥)DcX¨Ù콘ûk*+ÇMCÆ{Ù´~­Íµ)²è5�¿¯ÅL|yÿ1ª5u‡Êë�ñ÷Òc9„ÍrU¶óBDøò3TyÈ嘙	SzH1ß+`Îð¶+§`½°W5Ó㎎²ÁÑÃiÁ™,÷ò}cýö3!§ïÒƒŒ‘PuaÛ›”Ë tòÍ|T\ÅL,p�ÈBHðì9çÑô)8H-ú�äjj*ê=êOŽ
+Œ†<\a/r¼ˆvÈxµfíÉCvP€ÕóuóföÈy§Åm4ÍÛÆajùlW¤JÕ4pñû
Z¢Aÿ6Ñ®–B�][¢µš×´B©®¦Ö
+å�UÔwUMõ»gÕ"&
+C•Á&ûA×"4ÂÌ]iÅÎ|,›ž(mÍ…pêÖ.‰ý³oRŽÕ]¸kŽ¬¢PÖ¡ZÛZŒŽT2Ê©‚pC¯–dô.Rn®f™7£žØær
ðk®–-!OõŽž1t¿9~‚ó–�‰æ·q¼mxYæó”9gK’}ÃÜÕè×å HéÏAf™\pCÊˬM‚._óBâÚjq
À¶]qL÷‡Âa¯¡n—ˆ›´¢('â¥&Cv­pñf–¿�‡OFÙ2ö
+# ð:øF(‰¥YäsäLèÆùxÂJßÓ%ÌgæÂîˆñe:‡¯#0®ÿëÊ»3¯‡óíLM¤\“wŒgßRkHäŽÅ_KØwÓªÂìni–ŠØ±
¨wŠlNþjsßÑ8v<o¸ÞâÖ²ãU8^ë|Wš�
+ÆúÁÿ%ž†ëÿ	öÿÿsK¨«»³#ÔÕûÿ
+endobj
+874 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 1915 0 R
+/FirstChar 2
+/LastChar 151
+/Widths 1924 0 R
+/BaseFont /HMLXEY+URWPalladioL-Ital
+/FontDescriptor 872 0 R
+>> endobj
+872 0 obj <<
+/Ascent 722
+/CapHeight 693
+/Descent -261
+/FontName /HMLXEY+URWPalladioL-Ital
+/ItalicAngle -9.5
+/StemV 78
+/XHeight 482
+/FontBBox [-170 -305 1010 941]
+/Flags 4
+/CharSet (/fi/fl/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
+/FontFile 873 0 R
+>> endobj
+1924 0 obj
+[528 545 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 722 944 722 667 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
+endobj
+857 0 obj <<
 /Length1 1612
-/Length2 18545
+/Length2 18467
 /Length3 532
-/Length 19457     
-/Filter /FlateDecode
->>
-stream
-xÚ¬·c”fÝÒ%š¶Yé'UiVÚ¶m?iÛ¶]i³Ò¶mÛ¨´Ué¼õžÓÝ_�sûþéûýØcìkÆŒ˜±ÖØ›œXA™NÐÄÎ(fgëLÇDÏÈ�³°1rq’µ³•¡Sš¹
-tüWƒ(ÿ™ª¿$Mìl­=
-ÎÆæ
-âª*B4ÿy§þ+Já¯öÎ*ö‰ý�RdíLþ×â!!;w€ÝßHÇüƒÀö7!“Ïÿ!Û¿`˜þk-kèìháÐþ[2#Ó¿
-ÿÏ­tÿFÔÖØÎäŸYQv6´5ù;^ÿËð�ÛØÅÑñ¯ªÿ:ñþŸë
:è4†[[¶3æ¶LËLw®ÅΞÑîïe±/mP)*ð¯¶ëñKßå¬0x¯	¡oœæúlóX:³ÿ8”¢þ=Ú‹eMÑ“
-¼ÊÇ÷!¥ê+@ÝúÞÁNó;�A¯1ý\=ÚëzQfB‹�Qí÷Þ¤¢’^É;ÁtÇG˜ë?Tþ¤®þdOöH¾Æ?ëã0;QAÐjÏο'�üy¢ê¹…ì;ģɉƒ%çv…@üåï�ƒÇ¯¥ZáA•Þ„€wÛ~ýI¤Þí¥—GN†Ki#óª`–¿nÛ.óž™ÞÎÏ“$ë(ÑzX©�u3?Å#˜4Í9—ûµáB.ê„ÍÓ„?Ô7kE4“	]O8üvCÙïîUkSMýÚ‡”»02£ØYZïÖuHÎH7áR‰$ÜjïD"$m|/Ë·�K|ZT7âíè�³ª9—1ÉÕu¬Íü¦@ÖvŠyÚÄVhØx+20%3Ôt£%7!AZ|®èÑá{åÚ�G–PîóÄ¥¡
_•öÀÐXªÚÙ"³ ò'y´»¸
¹Ío)8[”Ì—3	!œ,ž	Ëh!k<Lûëlà8Ã}Û-­â4Àó4Ôe‹nv¡èÅ@�ý+ŸÌZÐF£hˆ¡ãû¯ûæ??jb¹ÊS‰cjŠÞFÆ×�¦³Âyxã°¢õB;^‘átlYéÇóžHü‡ ­Þ´Ç­^†‘À=‘DÌàbx:3pî=Æcàˆ#£],ˆqGÄ®ækŒ
-ýH£f»Ð–Á™�œ†�ƒÎïŽ	Ó“Ú|#9ž$’|SâðWßmMQ$TYÕZQ^‰žPÛLR`ð!Tèþ|Þ„lãlFOª›óS¢gc8FR�îÍéS?ß°�ÌÔl8DNýÞ�Él¶�›Çyøúä4Û­²LŒéK	ø¢Õê’4|EuœÄï´€Þf
-æ¤ÛÇ›¯„P¾Úû]%š¬
-Ö“[ÂçÀl/êf BØÄKÜøÉÃñ¶2ôX‹ÃN5�zMç|.òÎzÓOOÍÇE‚U4·qÝc³F^´×hiû™ïrÔ7ŸûÞÜiÞÎàì«Jðàq2ô½}6�cØdÂ#}!Δîvýl�"rz{N¬
ì+hnY‘ÓŠ[{«j¯û£–¸à"öÕÁFX8(ßË»u¬2òæN¯¢8+k#;Ú˜—ŽòøS¼¼MN2›²¤vÊGxoF¯û¿Opâ	*> +Â}î‹)X¥áË�¯½éÀÌÏ)诪¼vQlšg~BY¾”2îO Aʬ1ñ'µ”ýŠÚx
ìÊ€#4x×÷ã{%èn\W‡ñ:6¦ž?üòÔQlð`Ù
ÙNȶº`K ƒ÷:%®je;•áO¢øÎx…Ö7‡µý£¡1ë^Ãcö›ò¬
O!aQ¹!ÝB–«W\Äuç
-5ðž»f.1ŒYæ´„Ãá‘"4ÎcŸË,EU¥LrèîÑÇcÕ�ÙéOé²,VRËËŸRÜàÕž\a±�ežË`˜4úY)îðw™�™“r‘Spfµ8#�Û'O#æCw>ñÆí͸ø!«<Mm¢ÐĽ“‰1|¹Þßø Ò\yp‚Éß-ìüT‡Á*pMšp OḊ\ׇ~*�äGXû‹!Ø›úU£¿B}‚4%'ÛîŽ?a’‰<ûÍîúû91â³µ\fUà†ë�³å`
®•M_Q~nÖ- KXã©^ê×Õ8xv¸
-é³òb®_j«#ŒÖâ]3}»âeŠÃIé n¿¿‚îçã5ÇþΣr²îµ°ôà¢V)M÷…t‘#¾!©¾EHi3ôŠ°|6µ`{$áDü‚Í#P—sð¶&9
ÂVÁeøÆÆ$zèÅáOD9îò>ß�çùÅÏí#æ“n.g|·�@úDúðé~[Ò$i>Õs+ã_ƉyÈÑDŠhÇL +}_'�ûM¶G<@Æ84;ϯy­%×"Ÿ•äþx5ãÉyiÜqBìú0‚Dü¸°Tû»VOr…<îƒQg´ÐÚþŠ ïZ?/€Ü‘Zd›”¾Zò4¾˜æíFVAò•¡0\Y‡Ž
áµÛµpí¡•:VlgÝîÔ`úuÔ	QaZ­h
-Íqÿͺ›WR:„ºYO
-ˆˆt¦ðZ¡«·ä�J�}GðGw¨[PW[ñý^×Ç4.
I<§`Á´%ù~ÞÂéAH2„)hhä,È˱’-MQ~µou«Âç¨ßn
\sÖ‚¥ÅË
-&ap÷‰…I
-ù⬡ãqï~Ì2€ˆ.©à3z'E�šØÃv1)Í#ŠË"m#]<èõ[©>H¦¿÷˜_BF:˜À­Ç˜A¦‡ˆƒ <�ç�ÀxP;o0دC0Ãáa½sÄÅ#FŽÈžøEk‡Õe(|M—ø·j¡U™Jë`‚¶[˪81äNÌ3�<UzŒVs«9]¿¸ï›SŦ±N†7ÎÕ•GúCMŸ_Í$Nƒ&ÂF…:(¿‹~G¦Pfsˆý ª43“…míLûò±eÔAºH³ªi„CgMj$ŽËÑ×
-~ëã'‡3ñáF³k«é*È™½"éÿ±2]j©óÌþé7@¢-2~jÙãæ*HLx­–ó`£ŸáWÍy‰ƒAÌ–OáKžšdˆ
n�ëB.ç¶JBDÚ2Àó"v8wFÓ.ÒæÛ®³^,�‡¨…s(Eù9­
qîk0
-9S~€Ào�H“U#R�©ºz‰®²óîiÂ÷3GœgK_Àžd�¨ã,EgV)È¥|ï¾ö
-1¡Ä	KƇe˜ø…¥"¦ºÒ·�
f©J€‹¡L`qجòvüðçìçþ–S�­âƒ³ö|T6‘‰†ˆïÂØnpe…1c1Ä\k¾|oI_¤7�t˜V/|åbªeU"óVu<Áƒ¢±“ZQ ´›_;AR�±�B©µé-;¸àÈw™~`$seã'_™ Üøm>{ò¸E ©X–°Žù¥™^–W`‰/–,0¢%ýkèOšÏ£Â¯&Yñ}¸x+°†–RÊä€}ž§w˜rQ"ˆ•Q h=­m„²û3éÜf	çÔ–kç¯À¶	�Þ¥™GTÑ'z01$lÙ—ü\¨"j¨ð”ôl··Ð"¨ãy0GñÜÄÀ53h7iô1‡ºz�
-‘Ùi{¿‘–YÃéÃ=ìd„�Æ ºcpêc£Êôï°óy�‡Nã³FÖ]§™RÙw`Itqî©j‘›|0ñ~%ðÆèg2!­Ž:¾~¤;P¶fãÝ*g}èG‡ðî>(´`á+Ñ
ñ øøjÂ…©=çV©†À{‹ªßÃɾ,˜ÐPhFò³2Š7‘Ò�®7¬Â|ÜK1ÊJ‡Y•å‡�J]؈Ÿ½
-bJ¤pòg“îjä"�Ó—Fvø)=VÄ=Ÿ�ߣeݶݱéÍIƒÿw[áXNY×òܪygÑvYÏ	–?,О³,%{çלPÈ‚bššŽ€è-õÆ+ÔãŠ-ãwÍ,‘[½¾iÒl¯´Ò}‹’þ¢rñáÍÀ÷ô¿ë%B?¾@žØú"ÌŠ¾6
qœIú6áË]—E´"?GgÈ,h®éÙé“À`8ü΂Ö;o(dF„ùæà…Œô3¨.ôb»êT1þ.C^.ßb¸á׶xÝ>8n;ÃéŒè¥$Éî]/�‡h²HåWÀöæªía÷"²Œ“hFu×G<£¢90hˆF±ºæQÒðxeû²,“óšòã¨�ñ•;3Œ¹¤ÐrÌDøð\;ÿ¹çRub6DtM™p`?Ò¡ÎŒ¿Æ¡wy+Ê€ÜÛ-o‚P’(^èžDž¶€±^=à[BÜÏ‘Ž(£ßÌ?‰
{ÁžL2-*F"âòŠüq	GX¡1 P³ì/h^w[ñé"d:IÌ<
¢÷–�‰£¿¿=N4��
 �Xm€ê#5ÂS«>¨ŸZ†eÃù•0îô-}-çܾ ;‹—="7ûâkê)¢u†L„Ùý‚GT
Ŧˆºä¼O¿ÒcWTå¿©ò¤¡64]ªÕ��o"m€751Ê-¹�"yÃ/ÑŽ¹Á÷c,„šÚZ^Ÿ4â„•<G½–_ïBåµ|‹¬8ž^%~YöBAAž®_°ÕéS`;µïQJYÚ6ÂMZü\ã¥| Á/4v�C‚ŠšC›Ô!˜ds¦# _Î#i³×K
-$|Q¾´ó¸Hð�C_ÑF­É»Ðn°*§)¾&A¼Ö:œÑGMòùW®žÑ
ÙÖ?ƒ	 ïw¥“úDëHàp\°*çxÝÎûý!©e]£ôë÷øKœCü,„Ù<âd/Œk… ¶ØÇÃ`Š�§Å$6D
¥Bš‘ÔìnË2•n‹ï¯†VxµÕb}†N�Ûnâï_r#«¾µ:,ˆ\óXø8ÂDV/¶úŒÅ ˆñ†¶¬ô².©„l^OâçäJo:¿ÜÇ\pø·¹ß±>‰§IR"[}î–çÖ¯¼]ƒiV1WÔ€JzýŸ±–æÈ‹cNy5åEºÝ(Ð|¬�çpdÛMÙ+HMa›ƒíi2Œ(e¡‰‹wôïü‚,‹¿†ŸÓÅçÈÏ?nmpR«ØpÎB–\ºù0ÍÍS»–Ôc z_¦%#¾Ä±²äð"b$KeÂu·½fð®œà¥‰gtas§HïsMŒö‰ŠÜ˜³ðv—Bv²'9°v0'QJç¡
Z€‹SÆVÆYX¼rJ•Û¼xÑôííI—h£K]ô¿µ´ùws1Ü
©P—­pö`©ÑñGk¡í	ðÕìmHSÈBPmôŠ÷.
‚nœni׈Ž³ ¨ÅØY^Ô�¿´ˆòNW
2D
-­�r±Ü™ª}mòW÷Ê™~
Zøv�
-·"×`9í¨hM«v1 |"=±n4ý™'¶‘µ1eÒqü"-¢èR™9½Ùì.‚Ÿ	›7“5T\2£9Ó’FZ
“Ò£3žšÏYé!\'¼}­¿mZÎèlF’Ð’¯¬<DÂ%Ï7ó屧Š–¥B…äF…O÷¨ù|?£ü|udgî,B7ˆÇ8êT0æd�­iaµpê«ø ÊBðñ/î„âÙv¤½­cGcRaeŽ»ÌqÀÁÐÔ˜˜ù"ü¤øª˜/—E$�_ñŽÿïɱüº
;*o¬N'îíg6XP³ÙE1«ÜÃjà„/V®Mxy.S9*!èá™
-?$ÚçÅ�ìÈÈ\5×E›×Ð*z";m>TXõèñ÷Ÿˆ¾Ø&)c¥dƆ
-ûÙ°‰’‡‚ßD¹±…,A9…x|Âco7�ÙÒÈ]'v,!cµoôQ¤4ÑeÔ§`³“ÉêéƒBHÊR8s ZªŠX7’›vƒøMªf[$WÇ#`­Ž‰q�Õy]%œ$h„‰whÀrä
¦R»�™pv�TR«°€ãÚ0e)ãdLpX€‚.Š-ÜykÙPXô.™®ôÅp èÉ*ŒõB?úÒ=·ÿècØ1WŠÚB—÷¹!p ]å’�4ï`¶czE®iª€Þ¿lœaD‹7F×Öäf`ŒÝ7DP"‹ò]@™lº¶x#
žè�KFFÍvc¤L)ÏÀy§V<>^Á­C|½TZ`ø¹ÿæ@ˆf‡gùO)«
-üþBQ%®v^KLÆbUÎÇœ½ÂÁŽƒ ì¸ÀfŠ³þÝ|u€¬B³g/s_Bp1ƒPúC‘ŪR¡¹Ö»J¹Æ5(Þî¾$Arüh¯šÎW¦ÓJzÞÍoá¡—–‰¨/ºxÙQ¶º¯'ù\¥cK.×›!æF#ø=¡×*aÔõ]° ðâû>|'3Z‹:óÄZFþºDSºù�šÔZIîÓ¦[ÓäÝdU
-?Š¬üX’q–hL¢8ÁßÁ¬X±,=é~¿iƒ¹¥ÑûCœÊþtßÒ‚ÑÈüPó½Ü•÷^­}D»~óÀòKïÜÞ¥<§²„*¬R²iè«jt¢ÿ!dâû}ì˜n
-ÿÃ�›¦øtsgË›
-üÏÌrô7.�a¤¢~ùšmsäÅ»@,¦'êC
ã?œT­ñ£'r'©Ô2:ïœØS´ºÙWv9¹S(V“vò¼�£O„ûPÏ7¾½	¥Pžy2�ϼ­•Þ¹ù]¦$!*‚òG¾:µ¡=8IÚ{TýþQ9}ëßAKuà%\ÕÁi
-+Ëèäyeê>H5Æ`Ç—ÔjŠÓ&:_â¿3½kÊ¿›2‹µ¿/y¯á<éý
ÏžÅóòBæŠIþiAb~ÈH0´ÕEõêjC~åeæKU.ëÆ€ØÔL
üôž‰�p÷»í2-F­…M°�ª":4gHÔ�­Ž8¹Χ^vø¹îd%K¨ó©_QK¿a\mß:Eô¿”üÀC¬
-Ž¡~–>–íÀùpñÿ4øÚÍ1âøÌJ®ëOhóBçc
˜L'cÆäÀa§Ìؼ–©Io€�¢'v‡áRÙk
¢€e€‰g/}îOœªô��UßdœÌŸ[>Þ$œas³Ø¬¹@ž=Š¼FÙ<¾¨³¬Æu¥?B›ûm¹Ë¹‚]]éãJJÓ.¨7°$Æ Ñ÷Ý’S­v|—¸A
ˆ:ùÖM³€bÇÙ]*­‹J†Ñ
-èzÕowJVîbqVc¬¤–ñà¶<c$‰)Ž±ÍúõϧAÌߣˤýŒ]êán_´­3©E)~�g9YFŸ
-y”¦Œ²(?ŽO,âìN»&9Ä'Ùôô]ø1—”–ÄíúJVßÓê*Õé§�Ca$ü²j9èhH²Á¹•Zð×K®Cùïyù5
–~"¦hm
ØÛò·Ú¦Â¥iü–+†ýî‘f^êTL4û ¥®Ó<I^6Bþ^wÕ^AééÍXó
-ûf�&§€bªEß:ã£{ºÑÝ
-Ó¹{±�hµ%ЈBaÂòZ·&Ƭïm«¦úå]W~íñ®˜3Oqd68Áwm0Ó×\ Öðž‘‘ÌI~|;¡ì•[=’ãécN1"<ÎÚbÿ¨u`B”i^�„ç»/ü}ùšt´åù»k³83Óð9™Cw¤7„òcòz™6iöh„véþF™Rµ.ð<ÐuØÈ
-*A£au¥b3î‡æâ¢H?X<@Üs–¢<?ÕÅ*ˆ¦.ïí˜ Ý�Aóû˜¹‰é»NdøtHÓ¼DþpøÝÐlÒz›ð^-éarŸEŤ鱫BÛ¨˜>’:á_�È$·©õ©Ú>”L#mõ0îW\Þ^'¬aþcÛø�ïzaÁ6ЕVjÍ™ñùÐêÅm©‘P�ƽ"x
-ÔVŒisß
-�±UP3ç²Øu@tbÒ©m÷銶YÈLfFç¼Ä5�ó:Cu³J"nÛ|ðaÖì !*ΰ(AîL­(‡Â#[‹áT˜	³ñ�ψìמ$åGº¶�Ý•~X[Ý|»œŒ²ÊD8ã4¦À ´\0p¯R�I«g�DuŒÒ­»÷(ý9PtçYž(kŠõŠ0^(
-kf"7íØ„'z£½A̼™
-v q‡<³Èj+ñ_ýÔÏL$?~‘¶§Ë×ö·V¥+À<Ö¯$Éì°õ^õ/€ÕGГõÙÉXZÂõ�ðÏ@°Sr3òûÈes,ð‰L[}lÝܼwÛf£­|�½V‚f$•æ›QAf:|çöæ©­”ð”Þ[—uÏas‡¤u¥r©î�]•J¥›Í“—¶B‚KÃè0È’Þç;$“r5—=)kÚkd_cÙ=ø)ýÃ#7BÖQ.ظÅl§î”ÞéMd/±Š:»ù‚-*!ï88Ÿ!{WÙ’$TqU£f6Þåi»fé:VkÃX%~ÊúîuoèægZDY°žRYíóc�
-Cõ¬i79Õy@ÜÜÞ.úBŸ¿„�Œ�HË•VR¬�¦jªÊ}ÐÂju›Iæ-”m3Èd¯êwõ¢ 0£Ÿ§Ês�*ywÚÝOòKëô±.èm‹ðm~”´YÐe¯
äŽ!ShÝ·áJ¶
µëš4ü;Ð\'+øCˆ÷Nògc烺æªóe˜ß0aü#ºa¬_«lV׫	A2�•÷ „ :ù¨Ú²ì¦ØšS™&¤¹Ô‰ÛÉCR·OÓhöBiéúÇð_±TõIñšs£ø\ºcr±ô Q¿1Éî�L˜í‹º6ê4eÝ>†lCVeöîè]ª(ƒP3~ôg[ÓΤ3¾2ò9¯µó'o>R 1x
 È‚BK¢Š¢¢¥¢oDh÷AÏ¡c-«º–bæö¨”—VöŽ²óAZuže“ìY� †‡¢Ö•þBèfL=…w>u¤[!âv
Ø<{á	5,ù²
‰ÅŠ$Ó�¸Ê’ãA%áìPáÀ#Ö%;£Ån-ÁÂz…@“˜œ!
-h¨ß6üO¨¸
-{OubÏÍzTÖl`#¬l}XµÇ
Äw�ŒÐ×П:’„[?¬sUTϤvðݶS;ã¢H¾VkÝ»süm¬‘æY¿@D5ÎoðZì¾=°÷¸e³÷|à·8µ©  7OÖhõ[¸†7‚ÚVrØ?„/Ç,ʧY˜‹úfØÇEprã´c2¡)†	™9D 0~ü2m/A¤ k;©oGâ”p¸âlK
ó™ ’ÓÒ=%*8|K¾ÈÉóÑèöõð›Àö§@æ†å¸¬Š©‚}bFMu.ZEˆÝÄ¢ÚÙ¢ÝL­Àýb
-ÖÄ«fRÁT„Ýiæsž‡»ä‰â:-`r	.—¢CôD½ø2
 &BY*Ï%¾«4´Ÿj°{'Û«Sˆ’wsÑ*I
-YHØËÌ¡[x
-t~«ÖZß9ë1“¾Å¬•%ÚsýiPK댑c—æXšE·±R¹[Ñø3þZ8ð¿>e1D+v~ÄÖL,è²<‚˜JžoEˆ3F–#{G8F.‰Ÿ]�Ct)À¼0fÄ×ì+ü;hΨçjë3Ò—�æ
þÂH‰Pð‹Ú)=!êD8€�×Á=-…áL[ÆÕ.	‚èbŽ	|,Wî¸Ic( ñJ
&—ñ~°êp
šQÉa-
éß Jvn ºØ¥b›R»iO–¸sçä!˜8‡Ã½&—Þ;ùlíÄtOž§z
-zÞªgX-*ÍÞ§=ªïOèæ„)Ì´Mí&�
-ó¦ e£÷¼_½ì¯Þ'«ë‰¦ªÚ®À‘ÐMæL/ÁspÞ·ýƒ°¼ltª¶æDÛ1³E@hÆ=œ¼‹âa’“‡É‚j›ÂEtbrBwÛÁÓKÌÝg¼¬ož&‘¼2]7±Ý㎳l¨iHTÕ$’ÇaúÉKŽÝÏ‘è’ÄÏ•á%%Dû¥yƒù
-Àxc늈'z¬¬ÊÝõ:“ìèÙ×L_î%ʲfÌb®Déò~ûºœ•¹{¼'ço;Šûx¡ø,n‹2–¾k˜\ø:"ËßMÑúsË �ºü˜4ÙqSæ½�MŽT
Cs¹´.çºY'wímÁ`§„e{lÖ°–GÚjQ;¢ª'r×3f8K_"ÈÛ.×ÇçåÚ–Ýòä‰\×z[µê뽊½«%6Ê$ü‡ÝA”P�î©âL¸X#�¿Ù5[º_ýOêÎZpJëyq	DÅëK¸A8»!�Üü/!zd©OÏôåá°5³ÖxkRöÞjQ�\xun(5rӻˮ
-�'ÿmƒ4¦Õc¹R¬_}õ“Ù&ÒNÁÙÝxüÓ¢g]DÄ_S¸bèþûW3}l(iIÙn¤ö aT$&êó£ˆT'ÊÎ*Ýñ‡B“ÆS³;tŽ•HñŒ'KÇÚ<äKœ“Κ’ÕÒ}	Ä= õm’ÑÃÂËÂìU/¹õ¹Od5j9´1$êÏJa©MûH¡M|°;ƘìŠñ
-
Å�pB @ómkÇDœFÔ5FS{÷ÑJaÔØG¿Aø
-¨èdc	dˆäá8b”Ê%xüQÌ8K¤�N>"ã-ø/¢xÍûÇú’\ÌŽG\–Þ!
-¹óŠÚÙ‰/‹mŽ�õšl(£!¹�ÚåNžJ¦÷­IG®Ä¡Õ’á9ªÀC¤gœÛD+3‚ââû^m#wN]ŠÂþ´ÆF£´¡”Cûu¦‰3®˜¢ô¼v¾
-»VËñEpÕô&£÷Ö{áo®ÎéèƒÀ¿ŸFýžM©&'jªÙ�Ine%ª1œ5-«ƒêlÐÃÛ–‘9ù%Ôpv±�H*•¡1¬{ž›V¢°Ê­Ó†U¹…f»šY‹ô#TRÈ(¿BKŸÆlݧßdÌøKÀ%ÓÚHG»P%£‰F…ü-‘ÙÙ=µmÓ>&îðcQQû(\›ü{¸S]¬®	Gà/¾!Ôdå!Á¥žgý>×ePka¹ødí
»®u�3žYDÅy©Ìàé'E=�rbM`/-ó7*¿Å"(ýƒÑ¨
iÀ)‹}úÖ/Äo³4ÀÞD–-Pˆµ$�‰/O#]¹ßh*³7ã\Š=�ÜÿD÷¬Ÿþ�cÓ^ÉYK4�æXªL	—‡ƒfô…BÛ÷)H–—ñ-잯<V£�iÌ]*w�°5	�¬]ÿL=~Óˆ¯ËÄlH=ØkŠzϼÂ麳„‚’°÷¡‚ìøÄyb6WÿÒ¢¦ÇG0¦|.ø“µ‘†+œžžïŠ%\_�„t�7’)OñôYÚ›ÄLݺ»Àþö¦¨ÖÂï²{·ÕU[F»qÊ[q‡)oÙù¾‚ÁY6ErÐáko{ƒ·³3`Ä“(›²7v¬üK“€X÷½Jæ›Hÿ<ýOÇÂî¥$L° 6%çÚfì"Ìš’¬ÏSÐ×±•—§$iÞØ"«o­œ ¹5�{]hZ;ñ.­\7aŠB
øq=¸^�kJŠ‚ΙÐVTE7,gˆ7dW¼ÝÊ,~«àé•ïõ„ô§B$w§€àš“3ñ
+0”Û	ØÁhJϤz„é!û	u›"(Š÷#·J:h†I·P)ÄÝÒ‰»wÊþˆ
-©Z·Ú3ÛvKД�Ò(ó°gc{W’¢?
ïÈHÏvøYÙžh ðó¶�R±š/²ÙmÃ%%Ú½>EØZ—ZQÂ$o¯¬û÷–ZG9ÁܺªlÆb<qR†²¸¨t_*¶ºZ
±¯½D¸�ô¤€Ë­”·J�ešˆöÛö}]‘ �ÉþXÛ@>$ëyV\ÑËüOûØÓCËYŠE;§�³°jàü¨
×üzHøØä/vOn%S�ú] q#ëйêO7Å'Âm¦hh8j•)~�9äOôæù!q,;¡íåL9®Ù”Þ{ ~«ß`̦Z*Ç<Ò{éaÚÍŠ¹qf£Ø}P\Ôtq"¼øˆ±¬´µ…™;ÔÉmv<–®kàଧ�«j’Ò±w$£–#Á³M¬\õ`Ú¼sUßšç\”+zs¬¦Üô˜±D–m6¾9¨C
}äD‘�îŽð‚Û‡ò"ý@lÆtnZJ¯“.‘x¬
-"ƒÒdjGFpŽ@ì
-úv®\mÌúìºò¨Öw’ ý¾ÙÊvX%Œ3uE4/
-BæéU§Xû'íl4^lÄù~ç¶#+p±<
-郙^Y)§ÐûA&¯l˺„è,$.ó¡ú[7ñ*“FÙC†
‚ç!;e£0	ÛŒ¥ŽAÉ¿?Êi èP$…m¡ß_WX_ý’æ7Äd1‹Û~ô¸ýtQ^Ï­Zýà~¹_ªœ±ÏwøP+–ÒV&!EúµRÐDL:åB°HÊ>uç—4yÓš¡×ý÷#Ñk6/Ï3o
½±ØÏÇæ!½Ù5D'DÌŸÄcÛŽ{î
-Ï5ØRo™Þõe·-ËÉy}´§FªwžSÒ=Å|FUÄRˆZ®
2š
HÚð¿Ú¥¶®›a©UæÑ(|ƒe‡-äg.–”ráîAEˆ²¯ëšîÅëÝ,›êÐ�mÑ_#’"HZSÛ]€¬ã>Gæ´’{íabI©¬4¦7?AùœK£Í®ê ¿ß¬ëO¬r©õ=¨^ *z«d,
-䛣1ש°Ð¨ïpÒ`°uÖ7D¾jؾÛnÕA.J>àhp´Ç'©|öŠWwѳ½uð�ðëÒ0j8/V�™AøSAøŒ¹1Œ
{ µöï–žpÚ߇¿>8àOÖEKõ+FT
-pÉQFÂ^7`wîö˜`
Æ“Ïbun²+M~®-è7:ªÒtqBvÿî^åõàVÉšåš
-ÉBäL!ëlcCŸ*Àáé�En‘Tw¯q–ÜâšùÒŸ¬ß°1°M†Y³’›šï™
-Â_žÔ8	Y¤8ÐD�/ZƒL–WîT¾¤ÍŸdÙ‡ÌßÔ
7Dˆ1õ“­$ï$àˆ^âëH�õû†è!jJ³ÁöùµèÇëý;�
-3àկǸâ{<ˆ¿ü–—7úë˜ãæŒÚ†Çf¾GÖ3wú
Rýêg¬áàW8²	[åŽUP‰’*3ŽÞ'V,é·Æo¿J
-¥P‰�7'໺ÜÆú3×ìkË•6bÜíx~Ö6äV¬O²yž¶
ïØá¤L+XØ�,³T#ØÑØÃ<¹�qÝ%oÊÈÜ5X
-ɳaÒÓ~`Fs:—Ïl•*š�Ä
‹§SÌYµt3âØvàÞ\;(¿‚—`xÆ¿À»G»¦†ü!Sê1ïì°côÜ¥z
VõE¤‚7_ÕW½ÿQÜœÿª'÷�üèÄ‘6nès}áì©pƒÞJqy•ïTí·”FÛOÙšÑ.’ËOSòÊ›¥OcŠ Ø	š¯wRI:!g=õ‡
›íd”hˆª¥]C&m@Þge¹¼bó
9Kñw-À”
-U4"´Æúaæµì§ÿH�ý؇ƒ—£g$ø·8f£,a¬$O›Ä}ß1ôwí_TÚiƒ£é\HÔºn´�К׮>ÕÀ>O	Ðá³Áô"ŸŸ7è•P~èÌ»Çà
–.Ãj¨Â”Ý|±›$D(óԇ­®Â%b3¨$.µøÁ�دŒÚ.Ý@ò®z†¹œ

RMli—²žO#QwEƺäê˜åŠ(íEÿ?ìEão^Ñ•îm³ãÒš”µïY!:m\.µÝ‘þÌŸàAˆ*]
sÍõé¢bø1 mÔˆ©qp¡\È
øiQäèË‹J� G×
§É]…ÚáDòuË	ƒb(M±êÚ–�ÅçŒW¸h’�¥nÆ!_K¡%(y
-€

-Ý�à™cSœNy�ÏÜ�ç�ïÒa2•v£<#Ç
Âu€i⌺ðCÿ¶Vó¼Ò
E}bëWcçúíló|Á¦ÌêÉÅZÛ\ÿ*h´ËJrBÐì¹òÞ+0)˜J„?˜¿�Òê°äÒaöq_m2ÉŠk)°—hîÓdͼR)'":,U¥¨Ä¸£•çÖ¢«^
-ÏxÓã sâQÐe-¸“¤¼Ð¦¯ÿ¨I—y†rñ	âåýÐkõ‡ Ùˆ§.\ü‘v•#i2Ýé”$§&›BS‡Õöб‡$­Y¢´dÃ
-d‘\ÝxyÛ>™éþ
-è8º—Ó¶í ˆ|óž ò�òV­ôd"Q<<Ý+gÿRÌÉRˆó‹ó¢®Ëƒm2Ûš·;$~PsFzííy1v½‹·"ð†TÔÂò~꥕üÓó„lc^žÑèCÊônÊpÝ´|ˆªìRÅ¢ó2	
-€Mòb¾¨¢¡Ò@oæ1–%Hy.¢yœ?.µÜrn’¦ýTþËp¨Z[Ñù4£ùÉ�øHáy��#I‹H³Ñìµgƒ1ÜrwõeB„�?–ɾjŒ¨o­[½Vµ«”3PTcÈ=,r“?s0•Š)¡:Kô+®b¬Jå'(g³c?8Ⱦ<χôÇųÜÌÑæ°…SvU'µN—œô­ÜÛm�iG˜DÇîÅQ’ 
øV|Q´iåÈ-(ýP¬1W”¸s+âAÎrlÜxHÔ†Dû# ù®„ZÁ·åVÆçâ
.uþ&̺©Eµ	V­Ø|„èèKo¼¸N69]ô?%µð¬§Ðå:�ˆGI
ÿöm‚‡i”
yÖYú^\ðÅå㿾²Þ«Ù`QÀ|§ªiÏð<{ºDsäÔÓÑ©¾6è&`£ØWJÜ“	á+¼W|S#3L¦+uÛ­é`D²ûdh·¢Vd‹Á+Ð{³"oËÿ ¦xôÿâ$þŒì”ÕîÜ\D`ˆ}‡Ècƒ‰Í†\¨Z.©[Û†î©]DåD1Á˜DSM¬·¾Cå:-¾éÙ¦£™hj9
-[èJˆG)õÈDâU˜¯QG^D:óçä!5çÞ«Ç
-eæ'ì7ªd�ícîèhÌ0ØÝ”}tw¾Ö²ÿü—6qj%¬y?xš`*OôzŒ–•‚mDÓàìÜg¥¹ª|[w¢ÃP0¹æý3ij¾naTû‹¨rļžË[àDù·	‹Ž¿Ã
-bi}j2ùs Ðÿýo»�”¿Haâ)yòcþHóÖiš¥6aÚ1Ÿ‘œ°Rm8 ß8§%óùäN¯Â	øÿà"@û¸9c‚ü}�1ÞÀÿ
-endobj
-624 0 obj <<
+/Length 19384     
+/Filter /FlateDecode
+>>
+stream
+xÚ¬´cx¦ÝÖ%Û¬ø	+¶mÛöÛFŶ�Tl;Û¶UÛÉ©wïîþúڧϟ>ß�ûºî51æ˜s̵ȉUè„Lí��âöv.tLôŒÜ
+Î#óãJB'‹'EÂ2^ÈÓùú3p’é±m‡–^ù;Ðëw¨ë 	ÜìB0à’�»¢€ÌFÈVóçC'EÅ]Ë“&Km,wy*qLm±ãÛÈøÒtv8o _V´~hç+2œn£Ýáxþó‰¿Ó¤õ›Î¸õË0¸’¨9\oW&Î�çxL#¼#‘Rd´«%1î‚øå|­q‘?iÔl7Ú28ó±óðIpãYÑí	aFR»_$ç³¢d’_Jþê»�Š¤ª›zÊ+Ñ#j»i
+>„*ÝÓçuÈö0Îftð¤†1%z†SdÑwÒ½9êçkV’™Ú
ÇÈ)¢£Ý™¬‡¸yœû¯O.óÝj«Ä˜¾”À/Zín)£1T§Iü.Kx‘m�ŒÐÕÔå^

Í©L$xÜ…æ¬++túÍX†Ô339L(æ¢ñ*hZWâÈÁ·T+~›_æQŸãt©WtôÚ¶Çѵ<	Ñ »fùÜ�d!Ä[ÉW™¹m0ìÊz}̰ʥ᫽ªÑdÕ°–˜<’¶8æ{ñP×"¦Þ&�žNOØ*Ðc­Ž;54µ]óyÈ;ëÍi^Z‹ž+jhîz'æM|h¯Ñ23òÔןû><é>.à«Êðàq²ô½}•¶McœØd"#’}!.”öýì?Dåõ÷œÙ9VÐܳ#§•¶ö>VÕ_÷G­pÁEj‚�±pP(Ê{t­3óç~_FqUÕEv¶3/ç¤xû˜žf5gKï ”�ð]�Ü+]õSLðâ	)ý¸GV‚ûÜW´NÇ—%_{Ó…™ž}§¿¬öÞE±m™Iƒ²z)eÜŸ@‚”]cHj-«ˆÚxýÑ�	GhønàÏÿJÐÓ´®
ã}bB=<ÿPᥫÔèÉñ²²��c}Ξ@ïý›¸º�yì·¬@Òw
+ÆK´¾9¬m–Ʀì;MÏÙoÎȳ†¼E„�DåFtÙnÞqW]+ÔÀ;žÚ¹Ä0fÙWÐ"NLJï¡qžÃøÜæ)jªeRC·¾ž«
{ÌÎO?I—å°’Z_žBHqƒW剈çz.ó^äÓÏJó„¿ËnÌü24-çý
άgìyÓèìeÌ|èÁ/ñ‹q{³.~È:_K‡(4qïtb_¾÷D†;ßN(™ÂÒÞ_•p¬×´úTÔbÈm}(M¤ Â&@ÁÁÌ¿ýê¤99Ùnwü“LôyØv7Àß™Ÿ½õ"»7\œ=p¥ldöŠ’v@¸Y¿€.iŒ§vaP_ëèÕYè&lÀ^Ä_„¹~¡£�0Z‡wÅôí’�)'¥“ºã
+üºŸŸÏ›‚Wõ<d=àraéÞU½J†îé<W*|CJc‹�ÒvèaùÏԂݱ¤3ñ6¯`}îÁÛJ˜Ôü9{%·Ño“Ø¡7g
+•:D?IéðBÉì/$/hm5…ÜëüŸßÁ�Þ¿,‹{¡Àˆ’
+
+Íõø;›WV>{€º^O
+
�œ
ɲ+ÕÚåÏY÷V¿*r†úíÆÐ-w-XF¢¬p&wŸX„
+_Ó#>R+r¥*³DilDÐqo]• †œÁ‰y¦S ÊˆÑni³ ë—ð{s®Ü4ÑÍôÁ¹¼ôLG¿¯�á÷¯�ÄiÔBبÔ
+ò¡krNÚ
+�åa‹êÛÉýÓŸ´ý-ç_vJ/.:óQ9D¦š¢~c�ܸÁU•&ŒÅsm
+½%}‘>@:ÐaZýði”ó¨ÖUɬµñ ŠæRLje¡ònAÝhI
ÆB
+¥ö¦�Üà‚ÿEÆ�	�ÌQŒU\€|e‚roàÈböôa‹@J©$,aóK+£,¿Ð
+_<YpD[¦bè)Ý÷A±¢YNb.Þ¬±µ”29pŸ·Ñù�0¦œUŒbeAÚ@k¡âÈñL:·YÂ5µåÖUñ£=ER÷”oiæ
UìÚ“Æ™ÌU	[î¥ ê'5TxJFŽû[èO¨“CWU0'‰¼Äk8æÐî2ècŽõ
¦ž�2}¨q*Ôc.�pÊϾ7Št	S~Mac^í¿èeéJá?v	]›±wtY`~õ¦„ˆr,
¨<P«¬¶ò.Xaœç`Ž#X毠ÆlPWMcÎEÈr6p,¨ ³“gg
µ�l‚N0êT8ï–{Ëô˜ÍmwÆ‚ÜòbɇF%¿»mÝ.n.Óg+O£Þ‡º¹¥võ½^K¶�Á�§ñþj1-–±óMJ‚³¯yd¢Jƒ÷ÝÈ8¨ÕÉw#¬ï`w%º¤\�©ïÆŽ8?y܃¤Ÿ'TìE¶g6»-QƒÚ7@yŸpc¨¶@ÏÙáÊ'ò°™Ô» :iWýÞô^^©ÌP:Ùʉ4GÂCe*Z£:?ß*íÑŠS,`ï¹&~=QáAn�£¾�l3`0]‘iþ9ö[ÿD&¹R–ˆ%êa9G
m€¡ÆcÅdr¾ô*𑘮Ċ[ℳ“ra�±
+ð��?%÷’BÏÛ›­Ù‡¦_¡,Ðqv]Y4Ôýay�½’¬”¸=ŠÖM’œïa¬ZÇb~ÆA¬/$OXݯ€°I,Ø!kÀ~Y2Ó	�&!sÐö~#5*³�3€»ßÉ�AôÀà2ÀF•íß-2äà÷�Æg‹¬¿J7£rèÄ’ìæÚSÓ&6ý`âûJà‹1ÈbBZu2zýÈp¤ì8ÌÁ
ºQ1Éþ0ˆáÛ½WlÄþ‰¯L7Ä‹âOT触ôœW­ï#¦q'oô²`Jó]+R€�Q¢	ˆ|�
t“¼fáçYŠQQ>Ì®*?ìRîÆ~"~öa
Úè¥ó�Æ”HãÌ&ÝÖÊGºd,�ìPz®Hx=»¼G9ɹo{`Ó[�?‰ôXãZMÙÔñÞ¨ûdÓvÛÌ	•ß/О±.%ûäמ~—Å43
Ñ_ê�W
hÄ[)Å/îš[!·yÓ¢Ù^i£û%óEåêË—‰ïpÛK„þ~rŽ<3°õE˜}eâ4“ômÂ�§>›hEaŽÎˆYÈBË'²Ë7�;ÐpHÁŠÖ;o$lN„ùæè�Œ”–
Ô~
+Æ㜾µ¯õŒÇdgñâ— èõ¾ÄšFŠ¡X½aN¿Ð1•f`q¡¢9ßcEF슚Â7õ¼é¨�Í€j†C�“›ƒH» ãÄumŒJkÞƒhþðK´Se^ðÝ+¡–Ž¶÷'�aïqog&„ÕÄ»pyÿ"Ž—w‰¶ƒpP�—ÛlMÆØNÝû÷(ål[‘fm
îñ�R~�àû®!!%­¡ÂMêL²9³Ð/—‘ôÙ«%
+m¢üß«†™¢EÖM@ùXž,µ¾v…Ë;•,ÿFm|ûÅÑ+°ÜT´æUû~Ñ_±îç4ýY§v‘u1e2q¢­bè•ÒY¹ç½9®OÁ�‹„-›Éšª®YÑ\éI#mFIÑ™�-gE¬‡ô�n>~6ß6­ft7#IhÉWVî#á’ç[øó9RÅÊR¡Bò¢Â§©ûRü¡ü|uâ`îú‰n�qÜ¥hÂÅ
+[#ÚÊféÜÿVùA•�àPÜÅ»íD{SÏ�ƤÊÆw‘눃¡¥91óEøI=ðU9_.‡H¿,êÿ!ñ+×êëB,츼©^$ƒ¸´ŸqØB$pAIÜvżj«‘ç|©ˆJ]ÂËs™êáP	Á/Þ	P?}¶'uhW¡k1šKU÷€ºyIeÃ׸,gÖ“�ü¶Ÿ¢Ö”B¨SˆgŦß*öuÑïwTõw)•Ì_‚úªÓÔÉ3ø�è•0PY^·»ô’²ÒŸ€Ôsù1ï/ó²=]ßëÀOá‡DûÁ⼑[¨åáºêÐãYGOä¤Ï‡Š¨?=EôÅ6K›('36V:̆M”ܲ|%äÁ¶åæõ
�½ÙtaÏ$w›Ø±‚ŒÕ¹Ö?tB‘ÖB—Õ˜‚ÍI&«O¤
+!)KáÊ…j­þɶ‘ܸ$`Z=ÛV(µ:
k}BŒ¬Éßè.ùÎE‚F˜x›éˆ,7JÚ`*µß¹–Ý
çðd¡’^…œtÒ†©H›$c‚ÃõPìàÎÚʆ¢wÉÔqe·؃ž®ÂØ,ô£/ÝñŒ>��p§¨o!tûœ
’Ñ…P.Ióf;§W䛧
+éÊÆF@´ùbôìL¯Æ8üB„$³)ßUȦëŠ×1ÒቹeeÕí6FÊ”#ñ]vê$âãÝ;%ÖKu¡‡Ÿû?`„ivÈp–ŸJÙTá‡ð~Váêä·Æd.Vç~Ì9(ì8
+ÁÎ�n¦¸øãßÎ×Ê)¶xõ2÷%3gÜÿ´\U.²Ð^xWG)×¼ÅÛÝ—b%HŽíU×ýÊr^ÉÈ¿>zi�ˆú¢‹'�e¯ÿzTÈS>±âv»¾fn2†ß~­A]ß
+/¾ëÃw6¥%±ì¤³H¬c¨O4# ›Ïõ¬ÝA­“ÂáùÝ|c–¼›¬öÝÿ{ö~,É8k4&QœÐQ0V,ë¯ÿ#Ú`nDôþ粧ÎáZ0Yu¿»Á]ŸÕº´«7OLaÿŒ®í½PÊ3*+¨¢ÁjeÛƾê&gzaS?Š±º
àVm”äšÔîc¦Wk­­ÜÀÍÀŠ(�ÈÙŽ»È^ÉyCi‡�Å]²D*t<‹'6MñïÍ�u,*ð§™åèoÜžÃH?,j·-�o`1=R¿ àˆ	š<qQu¶Å�žÊŸ¦RËè¾saOÑêåœ_ÚçæM¢XOÚ+ðAŽ>îC=_ûõ&”ByÝçË><óµUùät›‘„¨)ûéÖ…þÂIÒ٣ꈒÌí[§
+®,£“ç—iø"Õš€�xv^P«+M›ê~IeùÔ–S˜1‹w¼/ù¬á<é?�ç̃âyû!Å¥žZ‘8žï3ŒìôP½»Û‘†ßĸA™ùSUÊz0 6µR
+#¡ÂF¸õ ³1=ÈJçfTnh!@?¹å#ü×KÅ4XÆ©˜’�%`o+Àz›
+—¦é[ž8ö»gºE©s1ѼîC ´†nË$yCØy¼Þª¼¢ò㛉Ö
röWmØ©wÑ”œLm
¯'¸ß4Èìjø¤�œŽ©~íìDã,Q›’Îci=ø³"£lÙÛ'˸9Êê�
+Çf¡— Rªeß:ãƒG†ñí
+=0‡Ç/ÿŒ‘´‘ùµÕn´?ye8`kõõm‹4Qí¹Öi�èÜ&Zè�jÖ–
+•äJBžO+ÚƒÄòÎ"«g®ÄõS?39’°T�vd(Ôõ·Ug(ÂÜ5¬$Éî°÷^ö/€Õ™DГüì³—µ²‚1î˜�à äa.ð•Ïá\à?˜¶þغ¾~
î±ËA[ù{­ÍL*-0§‚(Êr¤àñá­­’ô’Ù[—óÈe÷€¤u£r­é�]•N¥›ÍW�±F‚KÇè4Ì–Ùç?$“v³�;-kÞkâXcÙ=H“añÌ‹†�s’6i5ß©ÿM
ïü&º—X
+E�S…|Ε�\À�³«0Iª´ªY;o‡ò¸]»t«½a¢?esûºŠ7týgZTE¨�REýóc�
+CíOónrªË€„…ƒ}ô¹6¾@	??‘¶­”xMõTµÇþ ¥õê6“$Ì[(ûf�é^õQÍ¢�£¿—ês­yOúmù…MÆX7ô¶eø½Ž
+aƒâOӘܡïÐPG¶�¨¸Š{�õâÏ-ú÷T6ì`#lì}X…šu'�Ä·]ŒÐWПºR„[,6yªj¤wð„Ü·S»â¢H¾Vë<zrìm�æÙ¾@Ä4Îœ®ñ[í¿=±÷xärö|á·¸t¨ !7O×i
Z¹‡7‚ÚWr9>D.Æ,˧‹X™öÍpŒ‹âäýˆÓ‰É‚þ>LÈÌ)v…ÁÂ2dÖQ‚6ø�®ý´¡‰K>Ðñ’«=5Ìw‚H^[ô7Qáá[ò-@^�ŸF°/¤�ß¶?27,Ïm]L5ì3j¦{Þ&Jì.ÕÁínfÓîS¸&Q=“
+¦*âA3Ÿû<Ü­@Ðe	“Gp±¢/æÍŸ
+?§‡èB�ya̘¿ÅOä(h.`è×åÖg¤Íü¹�¡°‚Ú9#!ê
+D$��ÏÑ#=…á�Ž¬›}Qb'Ž5	|,wÞ¸iS( ñR&�ñn°úp
šQÙq-ШFvf(¶Ø­j—R·é@–¸sëì)”8‡Ã³&ŸÑ;ù¶vŽb¶'Ï[3=oýkX=*ÍÁ·#ªï)tsÂfÚ¶n“N•ySȪI—gÞ¿A®¢÷Âúj¢¹:„¶ûÇHè&s–·Ð8ßÛþAX~:U{K¢Ý˜ù½ 4óNÁUé0ÉÙÓtA-‰]ñ<:19¡§ýàñ¥æö3^Ö/_‹HA…®‡ØþaÇŸÙ6Ôš4$ªzÉó0ãô%×þž÷XlI2mex‰SÑaiÞp>�ªxmkí–àvÖ”Õð<…bLïNÕ
+Ã:nBXMë�ž?Q­QÌàóGën	1�Võp¾*Ë»sÉè¶qÏpeÎ�Ã�H_¿yu8\ä.~ƒ2ÁÉÛã#áæOåÏoß¼·ÓnJ‚ít”ƒát–%ô}H:S¼ÙÀ?£U:¼î˜+qÛ�yÀ5ͼ·h!vm RáKŸò2Þo
ÈïqÙÁ‡Ápe-ÄUÂõÜ<œ)J^T¹lŒi…xöpéù…(V"7
+I
+RPÞµ1pï’›jÕZdw|^zÏi�)—›Õ‘Á…§t—Ë:RÖñ{w}HÙ
òп
+Œ´OÑ!Àq´ïѼ²‘j JпAAºçôgÃìd‰Æ0è^J#¸©÷Y�A�ª×°îTó¢�ˆ +ÝÍ̶EÕK]K#û�EÅu¦‰CB4Ž?žb
+i"9u2’V"múN‰aõCr*\O…¼€Ÿc
B&ïEö°}Ê¢4]û$“Íœ¬ìùë$&/�é’¹�¯Ô2ؤœ„Ñ»ÿcQ÷s'õƒÞÀ;dw�ܳíØ0“�9Ól°/›ìÞ‚’ñ‘eë#ÙÊ⬼þœLÁ*ºµ}|ƒ¯]wDq�5UJNÑP§ËŸÖgˆÜõTx¿&ÓákAc­F�κD§õ삃G
ŠxrnºWM‘üè€(Cù^Q]a{IPžËA‰�>ÒNöÏç$
á¢]uÅ@ï0ï;OÿU-m
+OÁª>+7JN,¶³-¼�1Ãݘ�Åâ׋�qrÃ2Ñ7…ÓïX�òaa×ÃB·>ã\wC‰eÇóNw;™¤×d
H[S
y2N³‚vßzÙ7ë“Ý%\›;[ÕM>ѦâÎßÍá¡c'…,jx³Šõž|¯ J,š˜~œt�ç¿Úá:ƒ“;0çÃ¥ìŠ+;O@— íZ€]ÝÇYQÏ š�Cúw�—´ÍMñ2
+!èDU]I�N�‰ž<ÚhDž˜t‡±‰h¢
+â
¾ùÿIý½ª¼�v.aÌ7@Ýñë[$¾™Häž"p—Å…RÂv`­Êc§­Û`¦¾lI�TöcíûËn0[ÌJõôž†½;øKâÆýîMëcö~ˆþ�Kü§;m£ÏÕÊ–Wb1¯—NxÚ«�
îtzc±-ŸyN7k©uQœ±Ó&†ëMÍ"ãEu±Ûù¨ÂpÛQÁJ’õ‹_ãµj�&ô%A†
RhƱ?ò)û#9ZžõÝ‹®Áµ‹mb¨hº=¯´<ZpŽÝGÒ[?ž"ëò‚er‰as¦)Õ0w´w»WÖ.EÄJÊ9Š#6­°9üxÁ¡‚ ó<B-AIuÍê¦uʮхçŠØ™zvtJkÉÑÓîãDQøúçnéêÜ|²Øü’ÂK X×Ö°žPvžŽaªu`ÅÔtpñ7œÄàe�KJ×¹ýöqŒ¬g#lÎO…ß-–VÀ½î§Œ\ƒ¤»$^©}–!¾'5–Þ4$K¹Ãû.Êq¸E	ã`Ô
+q2=¨YÓ$£2
+¨¿)Þ-ò×8ú¾Â�Z0yëýš3óBÉzó‡zèíТìkÌldµµxi1bIDÔƒ
VþŒ7CŒ?LÎkp‰ÃãS¾NŒ0Ì´fiäz³ÄäJ‹—ƒ×ƒø¨m	Û¾°^Òë7Ô!¡%Dºâs“k2F�$
+tAؤÆ1Í«åY`Êö¡9Q¶$çÐŒ%@ùÿÐ>”Nê’àl
+1¡»¦Ç%®÷Þu–T{’zð�…D#8®9Ç£Ú¿vR"éº<•|îlƒ�¤MÉwV`Gªªõ[‰v½I’¯l

+I
5Ø‘ý¾s]#¦¹ e¡¸ßÐNtÖ02àvÍîPá÷—¤û@�°÷¨qn]”ê·_úÝôéœ_J`rŠµï0§›Š²áÃkBÌh V|·ÐexRiÆ4­ñ®Ò»ûiAdÿ-¦ž”Ë®'ÀEñ¾Ì'í%8l
+ªå´$ ´¥ØSê¾:Ž™	âí"óY’xñ!#º°¨!7O�yØ2ù@"iPE
P,ÃJè
éªòÅÎW•¹‹Û—ظ­x±©È˜ÄsUÇU¨œ´Bω¬â¦H🔙	†SÕ‡·<”]ÅX~‚ ”/Ãiõ¶¦‰RÖçéßÒ!®E.ä/dï;K¶‹ÃR¬
+J¨–/–]&áÄdã-˜]µµü	ìªò¬_A®Bùyæ¹ÞÛ�#sÊɤ”CÑzHóý˜Ÿ*¤KBMØ4Rî
è�áç
s
+Õ-ÃMÅ[!‹°cr7ŠsÑoU­¸ù¦òíóâíý¦V|ªâzË‚ ‰úzÓsOgy�¤V)
+A†Ê™ÏvVgå7Y”Ž
$¨×Ý�\t+o.G^_Ëçï©hÔµ°�njżÓ/°’³ÔjüÇl6Œxƒ’9Æ<Œ^F8uΆ×?†xu$FôÐ3¥‚ö7`Ì‚÷tèz¿Ò¼!*7zç@àzsùPW`"½¹æ"Q»´œNtXêAý,ï}NÐ|^“«Û³‚x5‹�ôM“TyâqBj{{ÃÝBO2)Q#ÏŸÏí¥–¡gÛÕŒo‘ Ìž6“µ–œs@D'h]¿Ó¼±.Jkë,G3ÖÄ憙*XîRáHÚ»Øì|Ó™©¥ÉÏ茇èXGÐ*„æ
+÷D¼�§~‡¹(‘ŽctD›?Æ´"ß$r˜Þ[ñÈšûų5ÉýûÁ/Ôžb»a�s."Ñ>Aé´X~4`Z[B|¤{�eô-|óé�òþã.bP…›5½áê	>nŠ‘œÉ§â†¢­™21‘*S½�¶
�¬'.:F‚Æ2ïôk>®u‹"4cÁYû¤cnT¥4þÑ°Ô=﹌€ºÉ
ÓípòÁ,ÉãÖ:ƒ/¿�þ‚[ ©Àßr‡âg/¡óÁLC9í}ú®¼­žÿ¯9¹dHú¼:ÍFÜüÝf…-Ù[ýRû_oÝÕÎMŠ­"RƃHí!Ý^`|£}þP;¼š&þt1c,oäÑâj>—÷·{_56Éï.CœÝ
¸ôÉ«yIœŠØÓðö™;¯$Ù¬1øGh÷¿ß
+ ¥æ†×�²?¡*!%`�†¾sÝ+h>Á»Â;Ü·˜yl.¼j4ä*²”cQÃët‘>
üàë°CÕ,jȻХ²ù1Î\¿³àhÀ¦OA·âè6!în#{T´¹Úûç‚àêáA~c{9Û3­Cdœƒñ-£VM¹šÀc#t:Ž�îÀü›Ó•_˜çod¬ÁØ/OÉ�õmJ>á–ÐÏ­‘狧$Y¾¤†�0èD„
þI Õ{c‰öò˜À¸‹ïV&2}‰*T1À‚G!$¤ª’Þ5�%Ø+<É	ÞÁ�~1°•Ój8ž¬‚UK£{¦»ØÅNd-5½=r¢W$ANp…$5i™ºgöàŒûi¿PÁZA¤ÜÆÌhó† ìéà� s	Æ«âÖ~–^Zhh\.…K¼¡¢²Ð	ŸpÌ»	Ž¼ŽÙ5MYóÞU-atÙ«Œ–xª
ñôu‚~o`¹lWŸ�Éïµ@Í\Öbž»]�™¥/RÛãàëW0Ÿ@ü¦izgžxñÀ.⧧.%T^¬”9Nÿ ;Æã—½ö5aw�Ô)üÝöõïÕ£-I��&ߥ±'y…—žÀXß"žÚ7oô*ŒD:`Ø\:m·�K±j��þ0›`æ¶ÐÏ4¬”*x�ýÔWÁŠ`ßbÂ6aÊzÓ:Uç?fû
"Ôôý‘GÙÐrÔÂöŒ²ž£²èô£ðAŽP�W‡6\Èœ7
•±øä´äÝž:ìãÄ
+õ¹‚t#PcßÕÑ/&Ø™
+k0͆‰àEP«t¯'øß!q‚Ù½Zó÷ó¬�AP¿a0qt.z„×,S¨æ|«–­ÐhóTŠµhÏs°ÓÐÉ–»n€h­vÅÐ�»:N�^”4Ôù&ºÊËXEš´Ù6ý?íÖ÷?ŽãÀqgeœ-+3.IV2“âDÊJÆÙ{&¡³ÎÈΈKVæ™Ýg:;ªwgwgœ£8ã}öù|ÿ‡ïoŸÇçõ<~=n¼Ú¡`(?®ÉLÕ³Ÿ¡þôR‚Ív#®ÚŽ¶m~Aö´§¬ð2ĬÏ`“�\nCØÔòóæKÙZ	~:§pñæç•Ñj2~Ò¢–
tUˆs°‡²Ô’Ô*/.éÃéXÓyb¶©¢d‚éý¦*�´ Š9�íJÿ$«F`™GÇ—ÒžX°©ÊCÛßß
+ç.pÒ%o~Í-¤6L-L�Œ}
Bv£
"Í°íÓ]`Õim"¿Y…éÉQÚB>Öž÷cÔ£z�>(]<E6ÿd껾 C
t™–ÈŒ¸_
R‘hdC§¹0´ÔCþï�‹™�\Rr,ò?u'Äc$„R$ò‚Œc+•꬯*tòLiod »Žº�
+^•ÉÓÌˬ6`¸½G¯;¸ÖâJðN¢yÂûOÔˆôïþÛ¨:”²É±Ýͽì4áÈd¾}sNKÑ&�}ù&‹°’š¯ˆ·Y:�PÏ•Õ4­5™Í²]ˆï×ÕøÝñ¼
+ÐÁ]Ý@?H[ª~T|ü[\._¯Äû†‡Ûm«~â¿Î&]“=æÉ?”b‘Y}…ö†®²žb&_˜Uá¹#
Q�\´3|°/›øè3—3:@÷×D„} ‰n7U�)4žu¾_Ù×)Ó¡;ÃÊg”‹îÝ{ÁåôÑáÛ‹`ñ’\+ÕHïì]
+ËdQ�Wþ
ðãéH… �—îc‚·¶Þ‚©Û’£RÄ’bݬ†G’+lIáCªw¼,Í*¬¹EÈþ YÑ•¬Ñ‘­Àº%ÁH‡½@[˜
+–Á
+ŠßÛf_ÿÞÛ
+7{–4	�pÎušóÌ(�Ãq"»Ý:56©"KÑ^_��Á”Ùw#çãHJ~1g<ujÆ׺ݨ‹¯ñYùÖn;“[ØŽîXo¼?A¸5IÍ-╯#¤”µü
+pÆU¢ûß· à2b¯½V¹•‹ôk
+KÒ§yçÙW9ô/˜µGB„ÝÀ¶ºSsâ'⃥—GWýè¤Ø@ níVM£YQ|¸óØ`”~x·¦äe·=­éšJàľ¿çò£‹²6“a~5¡FËŸo=q9¨�tÿÉ-äš —ErÆÅŒ½](©DM<6FZHf]Á«·ÑÈ?ÕG[>gùhH¬t͈Àd…>cÍ}una=ôp]Ë‘|Ý-ÿšÅQERv›0výšGñs€Ýi,¬v®dR¾—“UÊ(af¦Û´¼9&M¬@mšäK4G:Š¨'ÿ(Ž|ªŸÓ34TDŸ`umÊ¡;>ÀªáÓï¶ì¿Á×jÃzþ´õîÜî‰kæ%]«Èó×rL¡°þ¦�Võ®ÅÜý®Åºßý>7Gm*þLÈ•UüàÙkö�†öM#Kfró–²ÊÔRŽ,˜
OÝöþizD}uÜ>©êûâarê(v¯€ÏS
­i¹á�®NEƒÏ#k–ûnÆw—’Ûí¿wè®]öÝÎÒ
+ØfòC9’¨þ1â°'Å:Ü$–oKòs×ðlÀ[ŸÔy>ÖÚĪÏBÜŽÀ,ÿkOù]d´I $"kõ4ïþûþ¶ÕÞ¢„´~¸|`ãÂC_iMTã[rLölÒ½«_X] ʦy=Ò˜úÖv–6þôO‡ÛžXÌÐú�°D´e¢=YêMÅHºEr'ó�MˆÎ‹vYÊ$
ÿdƒîvQ€¿!4X�¢¤Ó�2(
uJíÆj)Â7îY m¦ÎÔ.µ«ZÄ ×Ĺ'�d*oøö²™êLi+îÜú™9àS¯
+Mu�à™C}
+Ó 6+Ø[É>Þ]¨W:£{C˜µ «x<Ä5w=¿ÕZLL‘1Ž,6ÑI½Þ  šMxã…Û”«fÆ~¸ÚUÍÓcˆ�ÚP]S\ÜènëGñö_j Ýpu+,Ûî’±ÊÞdŠ ûüÕQŒà¨±—:àGyäç÷Bº9èÉÜ‘Oµhªày߉z­wL”ªÈ
+endobj
+858 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1344 0 R
+/Encoding 1915 0 R
 /FirstChar 33
 /LastChar 125
-/Widths 1354 0 R
-/BaseFont /MPGUTB+NimbusMonL-Regu
-/FontDescriptor 622 0 R
+/Widths 1925 0 R
+/BaseFont /XMUYIO+NimbusMonL-Regu
+/FontDescriptor 856 0 R
 >> endobj
-622 0 obj <<
+856 0 obj <<
 /Ascent 625
 /CapHeight 557
 /Descent -147
-/FontName /MPGUTB+NimbusMonL-Regu
+/FontName /XMUYIO+NimbusMonL-Regu
 /ItalicAngle 0
 /StemV 41
 /XHeight 426
 /FontBBox [-12 -237 650 811]
 /Flags 4
-/CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 623 0 R
+/CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
+/FontFile 857 0 R
 >> endobj
-1354 0 obj
-[600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
+1925 0 obj
+[600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
-617 0 obj <<
-/Length1 1620
-/Length2 19156
+742 0 obj <<
+/Length1 1630
+/Length2 15892
 /Length3 532
-/Length 20062     
+/Length 16775     
 /Filter /FlateDecode
 >>
 stream
-xÚ¬zSx¥]·eœTlcÇv%©Ø¶íìضmÛ¨Šm£b£bÛ6»¾ÿïÓ§ŸÓ}Õ}.ö~Þ5Çœcb¬µö¾xɉ”éM쌀bv¶ÎôÌL\
-´¶³·
Ú:ÿ¥øT
Îæ@€©…5 ,¯ ))' —Sˆm�Ž›Pp1²¶0ÈXm�€Ô
-Ë(gçü7%€êÿMe†ÿ>‘ÿ$þoø¿EÞÿ?qÿ«FÿÛ!þÿ=Ïÿ•ZÌÅÚZÎÐø¯ ÀÜ1
-Hk
-
-\P3ÏØ©®â%ª«Q¶°sy1*õŸ�ƒð3›Wž®õ;7 K³y²mÇZÉh\H�ÐçãîäÑ|Àÿ´_˜D®á!)?¬oöër$q0>°±�ÏO„<X)
-V¼TC	ÝÐÆÕ»ýÈû]…:€n&)‹ãº}°Äk’…ÀUꜹþ®æSM¼^ž“O›@õò.ŽŠå†"5sÝ€ÐV›¿eXšÑÎI´Üû‹#k•ÚÖ®§alaUÑbPh¬4'Û´~ô2þy×DEã)
-É{<D¶¤
}[DY¶¤T­±ê-úcØ'Ÿ[z‘.J(›
ôb#Ö¹_{—Újå1ã�ysœÃ
--0ñö®ˆ(É0fö‡óÁ0–\Â9Šüµn3ÿ�>J¾™Ê
-Sò¹ °žô9w:%x?RŒ¾÷å9:…œÖÄáöýŠÞ‰Mb*x:�lô-1Y+„-0ÃÂâÒ�
-Ú8äWó	<'Æ–©läÍM*i�Þ
3E2
-r&Õ}Yðù0qLW*€2V:ãJÙ™³œ
-9O¥Ýò“O.2&ÀŒp&'¼(5
-rØàŽ:—UïÃ3;&^ƒH¾÷Ä¡@\³cöW¥ËĤo9z”ðq£9ÊÂÉ�¶Ò]èä´|Í6ّ͸;këá²êäQËÖË”W¯˜›}M;¦ºù“
-nƒ¡”C�ÓÓÚëíûDÌuU£–¡b½³i»´lÜUšd�¼mîRiSgC¡-kÖ;Uõü§3ƒsèº(sT
ØÔw{vUˆ?*?Èñ'f27ØÄbLà×I(~o뜫’°P/>³�ŠÖ²,9Cæp6ª%"Sš¼�ä¿Õ
-ý>Óv¯"žKa†­dLWA¤;a#
>ûëöêÍ¢®Ú:¾"
)¸-!Ó#Kþ=ñ]õû3¿fö™	† ›[ý9‘3Q�"mn±`÷Hé-ɦ
‘=]“¤GÇëÎ'*¨j
¦—œ�1*\
-Úâ\ô3†JÌtÂD†‚V­¹˜=ŠÛXüh¬‹:L›m8}äœZ¢Z¥UŽâý“kZM<íYáʦ¬b”Žnhuë²fè@–KüT‚GÐ_2ž�Ÿ=\kAõÛ;Ÿ¹š@t�å|#Žì¸bK]˜ÑÕa1%­• ÓÞÑÑgñ÷½«É®,Ï|ÒKp(À·ê»²“£K¶z7÷›Xi!P0L#‹
-K™ázŠŽï“ÕOG‚î
-é5[¬xv”C°‹S=ßPWâ±Géšæ­iúaÒ�~öäÁy�	o¿µþ¬�ís@q+@ñ›�¯0/<ϵº¸gÆ+útÊEQ”§ÎOƒÉ!qÝãÉ›¾e“Ø;E†èÏð‘#VÃèlµÃwÛ‡¥Y¿ÜºDöâã§7™“
m­*<„"ÉSé0
-$¦äh]�™!î;Ö¦xµ;5rÀDW’GT>—0Nzœý¼�
èè8FÃñ;Ó�‚ñ-ßFIüëJvë~-bñ¥=`°Êvýlö¸E‚æ!Äímâ/º�=ü1Ÿ/ˆÍX)²È<w×Øߣ¶ã™÷‘/‘Í“ì%mFÔÈøDÉÄÄRߎpHÀÒµÎÍäŒÊ‘
"X9€ãv-Þsçþ
æ¢	Ô'ÕžQ›©(Â8ø„˜º“lŒO!âàºBw‹IËd !�¸_a§\ünÉýùâH ]«y8û"VºÔìJ\+;£´ñ¦LÖŠ
�ÚhHõtñ¯^v÷Ý}²p¬|ú•¾<îög—#á5ñ¥;QÛöNW³#M²Ž#í³?Ð_ÀöÐGR¤
0\.%B
-À”ö¢+ˆÞ)Á÷
Ð?ŽGíL€êd´-1ucÊÅåâzh�4${Gg¬Øÿò¾Æʇ­’NÌå¥fdã€U{h%õIí®Ïyö¢˜Iw¯e,á#ooó§–Êù’¬°<ã5quèËîЂsºêJ&ÆŠÙÈ…_+LCi¬Å»oGö"ÑâÕ2þn¿ÆÇjPÁ¸:’¿¶XS0`ÕÔ*‘>Ø“}‹ÏÔ»•…w2øÜÝO1<¡½¹†’Œ8
-+ˆC:S¡€5‡a|°k÷gHƽ´)�2t•§©oš5O}ÞÉ({9nŠ5\·iøH@O°·ôŠB‹#"—r;uî?Û܇X©>pŒßú’•SŠÂòq¾Uãt´}	õåùb�#1,Z±jçX@7¼ •§ÉZ—rc?™”�AUäûÖ»+[ä»zÄ+G ÓÖ�_ÍÎðv_Mól
‰YKW£ðÌ”‚ 4vÚÖ©.æÛ™@ãÄÄý~´¥Ôx+3Ê
-Wi�7í”rU¾µ;a‘
-ž�¾\’’‡†@™´DÍ_7w[}æ˜ã£1™dªÓfGÑïÙä’e¸¡cî–\‘Aú”÷G¨ùøã¿ÇØs£â‚|cˆ¶zÅr}¿¡5oÅ_¯ÞðP­2þYìŒR TËašÚuAC¼	ñÙEωt¸²ž5ŽèÖä~ì¢ÛœD³ÅD“Ùµ”êR/ÍbÕeŠ%Æší®*²(D
lûU�czﲎT““)ëûm?i&lëlëWà<Û�Z¸ýd´GS€•/qV N“=
ŽÂÚ di¼fÑa2ð ú‰{Š›�âÄÊRm!ƒt‘Ùé7p‰œ„—ƒs;
ï÷ÄŸ¼Ý¬ÎQÎ2¬fqÇf!>ZSäÕ‹Üq{	àðŠi^
-Âhû'zO`Ícõ¤õ0P±rLYβ›G^¦È¥Þ#©ì
-ºR…ÒBnÖÂϾîÆ¿
-y5~Psòí>x7ªU•$峀ݪü´vƈ´5@àƒ³ä¡ïý’8JôF~¨FGÃü‰0¯ji�ô…q°…Ü€õRVË#»“é¦mV!‹·ä0B0IÅOا$—Á4à�¶]ãNáÙv™Ÿ—³#1zl»,¹	ãÄ5#\û‹zQÜ‹Žïi¬Ö#nÝÕ–¯µ(¾U¨“„f
p/¡Esªjˆé^©n6 „.ëÖ^
+"®
ÏeV¾¢
-8ðÞaí"Œ}9£tÍ\ÿ*÷Ü^"ªs/ü.Äöì0_
-ØÁ({0/“GÖ-m«Ôá>ñÔ‚Üb¹ýQ»ð�Ök¦«Ô«sö28¯âªV–Ñþ$JYÒ3ñî—ðZk‹w½¥·BJ¢?mÁ¢`g?%uÓÂÄ9§‰.‘älʤq+4ìcXä_¶=né£fóÑ�¸5­){_Ð�'Ëš”sO+Ú¢{~Œ¹#Ï\%5
ɸ„êdʺÖZ²¾`•[%UP+âóJ¬�~g½U8n( ö
£ó·( £Hž7á$m�¡D¹µ�hO�ëHíW„;hKÈß8φó�ú	†H~Â$+·CO‹-y�ÿB©˜R"g[¹dIP3(EÙKµSÄcm%==„ÕÅ»ÀrpÔÕRÈ q¥6úà +Ú,ë…4|¿‚
¯Yì-EI—m4’ªiE+D¨ZD2£BÌ%Hݼ³‘ö£~·ã»]bË	'ò|ŸÞtÿ½¢P)¯…¹'ÆÝ±¿IÒ/)>€j¸u™T-gí’;l´Ë'ÿ(sQÉd#r¹ÀFá3€m°¨^LuRñom×7ÿ\ _+3‘ñ›‘¢Ä1öXá
-^õÙ´ bš:®Ý~ì
-fÂéN~aŒ?á°¼¦‡·®_"ÎI¨}˜ÇØöµ`u7ñ›9“p°”¿�M�ûKJ�¡m
-|•n�ýÒˆÚXýyaݯℎºé
„J‰ÇI^}mèD„·_GN¢¢óÉRs±ì}o†|
-Mö¨Eçe€z§½Ð@ñômú³”ÞÇŨ¶¼�+D쇕a<¯‡»A´’– ¦r³S¿ÀóI!/LÕ¯GK^X"âQ¸ê9µ¦›µé�‹º
-Nl}MI{kIËJß.¿&ëƱʟ˜„èºã«mL²´,\…½´PνᆤyêÑc„MJ/›Î
xÎS,‡ñ4�C«uÌJh[Ž0ïoZËëûo=‰XR¯ÒFl�0JøÓŸ;ýQ
-0ª‰ø³»À5F%n{zY„v¶näâk‘†,¡œÊ}¬©©ÂåzŠ”Ý/ð)H\
-á	·óGÿ-ãæÄ`öS¢ç¤^wS‹6ÁŸù×õ�ÍÔýˆ_h±rà6zó|:èX£«~c&#ôÈîhzó'(Z{+<†r¹P­®ï’8­%·´	"™[n—�hsè7ßC'Üo³íV¤æYò›Aè�|ÒHnŽµÉ³“&<ÆÔâA—„w#ŒNH
-üzdùp»ºÇºû=Ì3j<óòSàìlúÊÖƒÛf|­µæ�Î÷eìgûÝ™0±�H{4Ê
-
Èo÷mxÖ¼þÒ‚âÌ×åBÍ–9Nhé#Äy»Ò«Ã{ÄÈTŒMmS
-î:Ó¯+1³¼+–ý0§ŽÕ’Ä:[”ð‰d覹,�J„ŸÒNE‰Ý	Ïq5þ&Ã
îVwmÌð¾ß;0´Œà0»’Âóüֺĩd¨¦M ;
ÛMM;4²¡>š/£û3/r3¬Å#šÙç¼ø•èwW˜Õh)¡ŒòÏæ¼³öFlò„ºWR†é^mLÉŒÂ{ðsLF6¨.ûžŠè,¨êz¬·f�o
-+ý¯Ü—Û¦@¼
�kn‡–°‰Ë-ÏvCø +W²žkFV옘rºË^ø¸ábçvœ»š±¨K?u4ŽP¢+‘ý—ÃT»¸ÇaÁéçytQ8árj”ôH¸
¥²�b®I5íÀù¼Uù¹Á[صuuH´éêìœHjûµ{Ã">gf'y»[8.¢|¿lA˜$‰
æ¨èH!K¿»Tl]²Qã­þßI
-»y¼¯ÈŸùt:Ùå6
-ðš$3:ÁHªËÖx×ÊÐùŸ'O&©>“ús)pCŠê–¤‚埌Ÿ÷dðqøÌûúçlsËçÆÓðž_pUwôû�ß;^š”ûÀ¤à<“¤TµzŸ�ÁDEdká6�]A=5ìƒË	"ûDMOò䃛½%[êÓ�×*{=F¹"ï£Ã?
-‘XE†™xð†Itò	ö~›sóUúˆ£©Ç“µäÍC]0𬼕”„€¢
ƒÇ‰?§×N®ÎANš±D¢¸Á1ø=Ði!íø'(ßMêá—ï­R�bøÚá²áCPþ(�¾8Lµ:$PøÍ
¥×èX;—Ý�­1'?�¶dUou±K…wõÔˆ“x4êºÓ»Ÿ*Ä·"+ìiÎUk|º;ÀÄZ2۽̹ºz×óä€ÍÍÄø0]*bí ¹àÅ�¼òªìš16
-¾9¡¶çÜ@Oƒ+'ÔÝ{Us~Íxeoèí×}ÔûhµÙ<rã.
-’/=ÿÀÔèÍD±Rî9œÓd -(‚*’NE畲é^:,SÄÔZR·âj ɺc�]žŽ’´’ø¶V¬µ=yf§F>Cˆ!Aÿqø�L•z35G0�ÿ3TxY¤ñYS“Ø»äOö–VÆÅ}¦×ºXGˆÈ° v�Ÿ8»úŒgŽŒ‹´ëuZÛ‚ì@ËŽk¤¨éN“ú|›EILœpöêñïDMfG ÏSk‰úºÀWVú›õˆ<	é5§ü”Kùiã“#OiÝcäM²RA+�Õ\Òuä8/)ˆ3ôžwû›eÈëDñ9æ7 «³‚�Ü1µóL8”(µåD:lU
Ùg>	‰>ˆ“9°-A–ãÒ
-é3ž¬¼·µ9ŸœJ#iy£LCpøWØJñ¬fHêÐCÚ¢ÀVÑ

é^¤Ç‹oCÔ‰bêb΢Bê7A”$qIË5i�Ôò`ŸØLtuŠ�·ÂÍ:Y‘¨:EÖìò¹fì…žÔ&Îœä? FQÈ
-åF¤zÍÜ-E¬%õ@ÄÄ:ƒ}Ñ„dœ­v4KÿÈ«Ùø€	 ìîrµßõ¦…!Q<u¬:\�ƒ|79l‚MVþ˜
ªfç·„�”
-[‰Wèûáù©>«�OæI¾¶C‡KV;%Œä¨ðò%rÚàŠ™"ßj@d+ËÔ5z¢fvrÃÕ¿uõzÆ‘¼Å–=]çÿêÌ
ikðšv)ÝrrÊJ¸
-¥¼¢ÏÉyÓ½¼Þ2Ÿeþh
-,ÏsË(ÙÁ½Á.(s8…›oAΖ¤*êæî¶}‰ý'·—õ*�ÈQðUXëjúé›úŸ8æ!õ5*|÷,ÚÜ­GïËopŒˆz´¾¹øãGRê
òù«M³t³”–ŸLæ
A�t,­c…Èc¾7]Aèùù¶£ÉN€ºÉ
-(‰ª¢û.t<bÎ2o;ˆ}¾â³±Ãã¤Ib$æ‘"­é[”‹
-Žìdh
-´D¨1a2(iégµ;x{‚7\©A0‚’yyáóäVv¾ªÙDâû:MTƒÔ’í)‘rrê7׋?,{œt˜O3q‡©r¥…Û”çÎÕÂLéÄ*ÝûÌò¦°Ã³·¥À1`äuÔ›¹$pÔ…RûmJ
-‚¶=ÆŽÍÉnù-4­0
-7{¢Wk¸»× 7µÇ�†»jåË%‡‚ó
ºÉ×E�&¦ Ü¦žüâW†g�Ô;7ŠÎ[R'P¾¿ÝÈÍè�ÒO¸L�^¾óuY�Î6ûÀj/ÎHÌ5¬¥ØÔ¼ºÇ`jT!I9%f|°‘"XÝJî&3ýÀþz›&ƒ¶q¨ç¬&6ŽäåÙäcŒ˜L16Zó61GŒÃÛ).1äÔSz‚(ãu—-ø(øi~pçrYÜ—�6^
õ\𛪗.ü]øš1‡½}l¬]m:¯|¥?D²sWFÇç¤>§�Èù›ýtÓáX ö§È%¦‹òf5T]ĨX;ÝöŠÖ–»	¡Ç–Et0ÞÛ8ë%
-EU¸ò€d+uQꞥz²™j#™f‰«
-ÊË'5lZ)c®wŒë¦éCD(¬G©ãe²µP³´5~PÏi¶L™æd!ɱnO�;Ë}i¦$²AbD�µ[¶¿o3˜g³!©\#ö³FU¾-Þ¹ÿæí>ú9¤ 2áUÉk�ûª»¦�|óíDIÀÙ
Þ@¡Ä
-»_C¶Mãl@â:}j·@Ý´2¥½Ú²•¿…à9SäfƺyJ-gj"ôøÜû4A±ƒÿ!=Ò]¥õ"/ïäl•N»"ïQE¨û]'œÌ¤O™|…KÄeЧXšcõ»³öûDCïJMÁ“„‚b`úÆĦL$ýš­Á­·™³4"Â-c ®'•–äÇvŒZ•Ræ�êêOÍ/Ø5¾¥lÌÂïkiLÄÙf
°k9rÆü³š#ª¿'•Õ
-052BÍ6�¸~ëϬ*“Þã“׫BL^x¹bÂ~;ý°^0æè
Z±!拵Å=>÷1•/µþÁ…Ÿ9y.×›k�ôÈ ÷=r�¼†=Eq‡q·ýçžáБš?	ÃMÒ ,:ä§j4rŒ
E¸ÅlôÍoÞ¢‡5fBµþFo˜@ÓÒJ1xÚ>véÙ!ùl"Ô><|qbŠúÇ”›_BŒ=÷úÖÏ#ð
4Øvg{ÎŽƒ`#µ“‹ëEB1útȯ_y
-ÐV×p™%V˜5ÞÒîm08ÂDyTø¤—ûAQe
-.Ú¢6‰Ài¤õ™qUÌGŒOËç”AÙ•B¯ß8¾?‡6Ë5yª4�VBô@ý¹ŽIÉõ*'Çïy•Ãˆ>qѦB-z¿:ÙýW–	ÊW‹;_ºdð°
«&µ#h™8†ÊŠ®Išëmw÷ Xg =sSi§ÅÄ5ãÈôÓKB?Ó›µT�ÉÌ]~ð�
l{ü(Œs`.¦¼o]çè_“3x¼ê_’o9å÷×Z•“ÒêȨd6Ê
-$bðê0eN½™•â­ÉŽÓG2f*Um‡�}÷WEySV8!#CŠØ§¯é(¥½óÁ9¿;-Z[3ù*³ôVžüzãa¬ïÆPcÑ
-‡À/Ä�‚u‚’í|£.襡=͋¼ÉÄ38:¢•¡j-rç·
Ã�(¬¨ L8;çFû>´P]bð®NX1ZÅy.Ê°>®®ªŠ³F7”åõÒ÷ý!ù†’½²ú®Y±¨Ñã?S×ü‹žÃÛ¡)ì­(­ý&GÔ‰]¾27t‡{Fn*+i{wBŒE0øÕ¹žà2Ý+y y#ÏnÕ0ÊÑókóôìN¹‘૬¼�í4Kã*ìŠÛg§n�4L”�l¹{6‡Çá7t¬UË>_šS.u
á¬r`<>¸ÆÕ>ÛçïWgdØô’Ö³2�å˜údG_ÇñœDßzn*q×ZŠÄ ñ%¨ó/F‡Fb‚öÙÀˆž&Ú%5ÄíÔ�RÍüÊgfêûWže‘Þé�ÒšÏØtôük{øÙ¿b©½×	춨q¯.Y©¿Â§kqçîW!öÏt£œìçL×ÀkèbmÝÑ:g=�G½ÐLk·þçÛ#&Êßnø`‰†Á&·»"
-�ž°ÍXVë/h$S¶ƒŒ:Añ¾÷TS!Ê!Œ?Ì�
¢-®%ÞöjÈ3”\uèD¡v»[M¯ TªõjW,‘@4\2‚¦Ür²€$ðã©Ü“ƒ*íÙˆH%ˆŸŠEgó¨è©~°ë
-ýqž\Q\²Ã‹±ûÍ—˜lËûâ¸æ­ph]ß,‚Üžúòš¿Â6Í%•¢ð“;‚)¬¼*¡¹ÀÜ'{‡Éõ(ÍÜö\CÈWýÈîƾýÂÓË
-†bJ6¾öÕûžõpIËÄZõ¶Ãp%}Eœ7*X§ïcáÄOÊòµúf3`#û¯é9	vqñ„§x§p b%c»šÌØ7¨D³¤ùF|X1/§¬ñFÛÌxË./U
­Åß4
-ˆ~_È‹õì盽ׂR¬£� U«Ö퟼¿52Wëýà9ZOÚ$a߶mO¼ësm@ƒÏJ>4¹5Êe3iöÅlê<$ê;4¼&™’ãÄÙОiÖ�Ütþùê;^1]öÐP½†Ä
-¨p9¹¸LNüÒÇÀÍБi'ëVên­_ÖËX¼L+UíZ÷¾÷\£–/ܱ šeý‘ne#x=XJ±RúS�ô‰�ÔÑ{£¡otdKaðĤåd@ˆ›Oàš595´ºà³Ù‡ꔨÒõ÷ÍvJH\µè&©)rp´T{þ-mñ¾äšuåžÏ(t6#=êåV§¨
øBKFôJ‹„vÍCÐ’Ã
-¤ê
-¾Õx;x�ŽM„}ÌÅȺéf‚øL��¶Ãpr6Ë(ÔTà£'ŽãáÜ–½‰Læ‰=¼�’cÉDÛ­¡“â-‚¶:àž k„Τ/ýjº‰/®ÙÉŠaÑ¡&©£Î•4#¨–͸Ò
Ú‹¦b-ùÜu¸ò
]ΚÊi^-6Š¹ÇºCè×Êu}M={ØÁj"¹/¶Îž\].¼ÜkYèä$U6“B¤l÷Jß"bÈÊ";„Fuj§&0$¼ò/Äé»c†ÈÌ�kñéP/¾�I”³,[R!&À$µ'¾?Á¥1Öaи¡€f(9
ÿ&œÐò
-EÉ�Ãc9²ÎÄS‡õ<z™,ÿZ^‰»;ôAÃÆÓýÕÙRÞìÕËï³xvvZ6ÿ)~——sÇéŒm¿ƒ)çÁK͘Ã"¹æhae™MH!Oî1¾ÂyxÅ aà…P£ÌMv]ZÞ…jTH™œ…ÂÍbdù`7ˉlO˜—K›�‡h”¸%Ì›uŭ§ë×½'EÙ3ú]ö@
ñƬ‘aÊY‹^ȸ"PÙóÂ(¿*Î8³h[d)yLšOãg°Èž f:Ì>(.&{>AY›uS)/âȈ†óôi‰‹V<èXÞl˾�)jÊ22ø~ÁU؆ҰfNmi%:iš~Vò]moòãªkYÞB5�òûõêÃ�4º8Tq$1òUé¼y§lP6Ö_ó½c^yÝø}·øš�£”™ãD6­Ûˇ=Sœ/ƒ‡ªKȶº‹áÆ#JŒ�0âüØoÛÖmf¼9ŽýS�&çùÍ:\Ã<ä¢B�©"H{f¢y®«Ÿ· d¶uzýØüøD…ŸbÝØ/”¿"ΦU_³µ/!0?Ù”Ìa£zêÙëDÔH¿îBqi›i–Œ`HËöCŤÇLéòñK'oùº�æ…–à@(ê×-[„rh–H~BV´Ü4è¡@O€h‚œ±¢¶—ÛÛ/f¦¨–‚p[—È"„ÇzúQòüÐ;­­äš/èN@öµÇ¶æwÒ$é;ÉYP›:r=Ñï9„
EÿBx'aËdzI–ᵇ^ÕTä摨	¬-Xœ¨ðoOòW<[z9sá›p
ß:—¾Ûl~(æ„B²b	ø>KƒSÐþ2•ŒûÄšåêx꼄JýX�§;
{B v
-
-¥&ôÙÝxK”ætªü«*Ã}Eñ($
kbAk²
-Íï!VS@ù¯b;8
~‡ÛUgžƒ¥ÎŸ“µ~ÑÆìåÔú<ÂŽ}¸K­¾�jﮣj„Þ²’çç�IYBÀõ<K®ß°”—ÚQ…”S" Ð<™—ÄÇÈãÚnÙûW-úÕ9ôTæ¹£;4E&x%v˜ˆZ	Éô±zÏBð­„¿‘Á;Ž)ÎÈJ…5ÓKÚ(1d¾>�ðœ{ûZ„Ì¿Q>3¬
-®Ã±U
,m;Œê*§Éáèï7‚§¯¨»×¹n[¡Óˆè¶bÌž �þ$”ŸÏid÷cvXqh@ú‚DmÛâÄWÅ
èôsÃù£í«Ó:
-kÅAž—v|étå@òó0´U]¼Y¨ß©ðYôsÚ÷/þGûôý…ã8pÜÂÙqöÞÎ&ãì¬d22Îv!ãrÙÊ9#3ûçÌtÙºÌã"{d�d¼…Ì>ßÿáûÛçñyý
Ïß^Ñð%¥Õ“ó/½Þ�x+¢ç«À:C_j=�ä¦DÅÈÖë8ÍT\Ln Íæ¹°†DŽ%‘ÍÐL÷ʵûYÈSEkþý÷•,¨8=ñt³Ô‰¦EP&§!ÉIÆ
ÿ:Ú
ËítüFkû!®9:<ÚMÂÀŒOÅEàg€R&Ö
¿_n›âT�Ë�1ê¾ç·Ÿ[~òTýpD÷ni³Y3ÀÜ–ês¨½”‹‹Ôñõz–bÚzÍísÃú ëgša9ZlÈê_Ö�mO‡�çH¦ª­Çʬû�%!#Ÿ£”ªÂ�÷¾Ù¨ÙÈÕ•ëË�Àå¾$1¹—bT!PÅÚhº¡Îî^Ôˆ6ëáÐr‡Ý£=�e[
]t×w“ãŠóùzmæE	DƒL%½ó\}°�¡·¬ÿ
å„|;®–ÚRÑX
-3ŸÖrÿFíöJÞL–¿8ÁϘ/»«Ð,!DÇ…î<ÆiÊOµSÙ”ñ£ÝT²Ç‘N�#èxîj«»�åuûoñ:Þ֧׹‹»ÄózFê’½Tõœý
-˜‰âüÝTRŠ‡ì¶NòØ]Æ_Ó”i¬ŽŸ_úú‘Å‚¼K‚ΆÇSIÊe°µ{ˆ×Xsë(ÛÜT+ö®ë^º
-+ •QͲƒâ„Þ˜Ò¸.É Ôï­]Wpü½¯vëùëBåP•®ðDÐ8©ôNr°z¼‡ïæìñ6ù]“ó˜Õ¥™ß‡ÄÂ9.æw™þ�ИݺÓ
-…%lÜOÍßc†ó‰
é4Ü´Ê0Kñ•ªA[lØAuâÂØáÑÂ÷>DÙÇ+ø³ûôëófÔÈóÖ)ñ�ÄIw�‹ªè×J#4RH΋‘¯¤ÐÛCé_ﾈņkŒKº·mWfö/…	<å"èq:”$±öñå”M¸уÜVý*Ž¼ù餱Î-ÎcH“í`ן,¬ùô­O­@™˜À<xc´á°2Š9L1.Î33µ±¹sWk¨gç@B¯8ßô+£@™Èv~¾”J©“öJ°ûZ€•0ÉDjëœÑ¾õ0õx9(Ç©Þ8×
}ñžûð»	Ý<#ÃÛƒ®
ºX6�GG†ßd�±œÎ
-lÅŸœ$f_dq_“ÉñøC–C'O§_œ„Í¢z™À7Í°5åAƒí`Eû�Kࣃ„>­Ò„rÖ:«Í·ä—ˆ•Ö’"îJ�ìK4åäNϲN^U©çuÃ̼ß!¿|gbTM‡H³™¢"
1�WK‹pr)*Ó:ô}øù&X}¿³�¼åð¡øúùDÊ’‰‰à†£/ÿ©“€óD-z°,¢L“4G{¨îwN
-Ã磵E˜±Ÿºùxünôqbßd˜[<ÇfÎ@ߤ»Pª p§vŠ,à ÈY·“›Úˆg”þ½#©Ø¦”üëÈ`�…>—âI�¼¤®;p»ï“‚ºúÈÞ˜Ôm}*�Ð÷î7zžôCDuQÒé”c§„Ë/οc�Ö”�N~?¾¨À¦Œâ~ Ò®QR__èeýrå
-@¤õÃo_U¡;¤¢æªe?Z*½¿ÚOæËͦcZ¢6zÓ*î
-€mK1”£»ã
ß:¹�<f:µ¦V.sF»øÎN®õÎîÅEQ‡gŒ�‹uà,�¥vz­!ìuS,ñš#\¥€ª6KѯAÃIá)è˜SX1ïŒ~†‰<& �;Ã]zÜ)ZP=ëN¾Ðºg¼)Q�µ°}¼>Õ˜z_#å*’Ðs,b½“o&‰ð]ÎÎì†Ò¬¦{˜±�ãxÂZ©–\å.ÉÉq™5í—]Í_ã
Ó~wX~˜½UÖ"bg¬%Ì—ÊÉbÙ¶Õ¾VÂ3a¾�$�þ—ì!íL;ENLãÖ[µô(ÁzŠþÐÞÂ
:\¦oŽìÿÞÉðdþÌn¤j’Pïn‰“Ì{:}*PDvŸw*[ð@9‚
-Ô0a¸­¦û[ßÅräÛ%Ó\qŸž]£÷Àëð|O-FêkÞ‹³€'‰Qö.ÊÂTqëÚĵ¦Îš)RžcÀ¾ôßØDã“V¶¢Ååž5yÔLùR„w
Oƒùͳ¬¯ãƲ¹ûx¥óuj2a�™	dêMèaÁxö³]&e9õ};ªÄqÜm–íʳì $j´’V¢_yŸ¹6€W3‚èíRõ�ѹc§EsšN1}œÇ‹”Çžácž!\°­1£�,,ᄬ¨\XMÔ�›ÖÁ€DÊŸ&ë«~9F=Þ'KJk®
-ÀÝÏói<ÐÿiŒö?›ª¶endstream
+xÚ¬¹cx¥]³-Ûv¯ØfǶm¯$+6:ìض“Žm;éØè°culãëç}ÏÞû\ûœ_çÛ¿Ö=kT�ªY£æ¼îûZ”¤ÊjŒ"æ¦@I{WFV&^€†ª–²‰­­‰9ÈAžQÕÁÎð×̉@I)æ4q9Ø‹›¸y
Z@s€8ÐÀÆ`ýúõ+%@ÌÁÑËdiå
+ ùËAKOÏð_–\
+ø›UY\òßuºZ™¸þ“Ûô8Xüõ4w0sûgKÿÂþÒüE]M@ö.
+`abû·Wÿ²kØ›�mAöÀ¿šþ«�
+™**À)—PHW£B¢ªU³m·W�ÛÔOrí]VÉ• $«ùqyĤ"õÂzŒf<0ëûë£Îðf}/Ÿí¤>bêFè,VØUd‹ÕƒæÔJlNÍo’©+¬O�XÏ1Ï-¼§c-NÂ1ipÝ›í\AÖ
+úêì`uvdé,RHžê$žkK‚>&Y	¤ºÛ”OØ&â„o™kâÆœm§Ù WëÙÉ
+¨œ/û«Ð[BÒó´`Ûtä¯äÍN¿GfáĈHªýmVéDÇÏ“Ÿ�”Ä÷¦Y_kÉóÍ+èü1pÇÒ¨å�Á³ñÂjD•jÊ
+Ga1�Ã8‘¯YÛ«Ÿãн>½l•ê!¾™Ç”œ±Rš¶?àW'‡Ù_NÄå�ƒÆY4!aÔ„ø‰¥–
+/ÓLòFºVÕa¥¹òÞ+sTe˜1‘G·G]<ÖlI¯7E³±+’Ò=‚��,Cš«OÒØor.¹kÕ/�ÁÓŒ’ÍU�±Hi~|ŒÖw�Úkµqš‡~ƒ¸Ö£7ö³"ÄÇYæ…ÅO	�k_ã1fo4,ëIoböm5¹‹²O½k‚uÒ¥2ƒÞ¡úd‹j¨7W})“Þ‹¤ÐϾÑdT¥wÇ„{•ü�¦ÒfË�ç«Ø™#K˜€Nƒh
çuÏÏ%¢>ÞØXñÿàÛñÝ%�rá§_&ωbksà£uÂÑj£«ÓEŸ
+ö:çkØ¥»ãÆðòvÏ5ÅΰÂÜ0p!.ZÍ2§.•`Õé;ûòÒŸ¾´E'ôòL‹~­'"Bδ	•RÛ…ê뚀ÄÌË1�ú€Þ‚`0ýzл»-õ®‰ÑÆöø�$·«|�Â9˜ ühˆô`´6GÞ£h‹º¢:"ÎÙ;¾M¯_­µJ�%îo%ÒÌnck—ý'y¾‘ýαšm¡‹¦ƒ”õí�Þ*{	iwQ[™¤kžçË tîF!cö8äÞŠNßãÇx´
’Ü!Ä’¥¼Ö¢¦¥Š—Î~_ó©àH¶ýÛ±1%Š–±Ú¹ Ͼº¦á¢Õ>ÝMÐAŸdZ˜Ê51Ýb1ܤɬUð/
+‡Ø
+ օݧ�{ÌæßÖRáï›I“¬ïØÃ4†ºéd`ðe'¢ò›KþÈé•ëÀ0xö¯´ØQ¤Î]åhÓJ;ZL½"�7Ò–ñà|êTñÌãço2R°×%‚¬Xs­üòc–>`pȸÔ¢D…Üo½I[«4uÉG ‡äÇ]F?bo÷¦"1I[#–	x�%‡x‹¹žÆɬ²×Á>Эs*´Ïühd&Cîx3Ôà
9‹œkMŒ™"Sà�ÈÕÍŠL€''ƒ™C¦eòœÿ@ËÞÀ4:%½BÔ‡?Ö´OH6c{h¦5/çÕ
+5’Q�Ä„Qƒœqó™0=l­\αç
+¥×$á_~Т:ò›l
+Û…úMÚ„m>ô‹'Á��†ž§MýO³qÎCÄ�]´5CXá*\•MN£dtWî
+BJ!•l!~X‡’Õ É•aó’1Ë"/°E©ø!Jü÷™oó§KDMk§Èéw“F±§Ûˆ{¹g,˜6Q4²«lía¤WÈw©4q’7_úU0"¾B` Ï"ø?(±*ë2­³G€ ¡fÓêQXŽŠJ5úºîÚ ñ%èÐäíb¡Ê¡ÓYÉ_c¸p'vÿЮ/�]·mÐøD‘/³îwòŸÙ|&æ>¡®GSÜ°
¯d9{¶£IóJŠK÷9fã¢éŠ ©þäÁõ@ñ¼9xŒi,P¾*=cùüà‰µNm6O—^E›ªÖž©ÁôЮº
+M2tÉ»bqJCgª`AjI@vr]Ú@Ö *Óä½è¼‰_‰ä”/ú¼�æ�/
+¨á"�R’´‰öÆ$ä	ÚUW=ŽgY·'æýÕ
±M‘‚‡{}•ÜÿöA®ô5±ò½U<b´Iïqç·3Áì\³ù«çsÿ^«Qº×I?^�s2XÉOzG÷6vïáæàæiðŠáãAûÍ6ü‘îav-œ2æ¯Kr�ʃzs_4/“íBào[çç3r„¸)_&x†·¦3‘�ÂÓeX’9iÏiëxêל-9ˆ‡sA\UÛ=$˘¹¦G	ÐñSÅ¿%ÂßR�2õ«&öòôtÈZ¡EÇ£ÚùÌ.êòhnSm»Ä³=£Dý”Çõ6àÆœêk0¼îSF£4pºJÆßú„c¦…QØÉG‹Ìû,\…RXÒ<5µ[�ŽwÂ×óé	‰ªšRš,¯þþ’\™mÄ�T�0쪃ó‚×sõ`ÃO4â„W…¾lï‹Ãë"Z2µ0lÁ¬{¦'(zñ.9_ÄzÎãБ²þãbîÂÑëwS*ú[­FspÛúÛߤ_é~} ‹s\±š“fÿ{ô÷ÁÑ
#ŽÊ‡/°²V L�lQ9áŽ%Ã¥€T… h�(£Œ"Îå
+Þ_#þÍ:ÑdŒ´r@SÓ^É2çQ›¨ô]´à8UY¦�âq¿½Ÿžj_'åm~²˜O±öòÃ
–,®ùé‹‘c^·�Úû…ç C)¾Êt%E—fã$‘P9¼žˆã4yo(¢�‘d9mšjW˜/¢qg
e>KмÎf6ÞÎ'2¦g¯,5ƒŽh­óçü¨6à«ÈÇ
+g!ò)#îLI•eÇO~,EbÛà ¢.ÈÁî=íõÙL(Bćơ=²a~¡Ž LÌjSÈ�¤k²5ž€ŸH½ºFŒ§WiWམXøwÖýï…	\#A†%ñ³‘�Ë2‘j	Ç�´½Û¡õ´„P2’åíC¶²‹’³o K,\QÛ²ÔŽ‹¼Ü
3WÚ	‰SÁ™Û3èF#ëšlËñ°ÁºÌ¬§T{ô?êu5DZ—b!⺂Æ�n9Š#M‘y^Qi$ë\Êo#£
:“�ÐÇÏq`{‹!ˆC%oÝË|°¢’N½`^¾VÄ:z´ßÂØÚ˜Å,Žž”\uyFÌOà�ø6ëÞÀ…?z†t+A×ÜéEî>VµÝ´çröt'ˇÅ<Ë9¶]ÄöýÞCðò�—|fŒK¨ª£µ®ß(­Â‹%SrÜ3ÀðYÙ%ŸT<RÎm�*ˆæ“SÞÑ-ÏaŠC!)wȨÊ;ý&NÀêpêüôÈtöÅ;ÉÈ]¶ÇŒQÉ�Ž_@q²Óa–Û÷Ý n}ù‘Ûü¤ŸZù“íÓúY»hy5}îê]5P×*»a$G(®‹uý"»ÊÏc9‹z›”­
+Qm�®­.
+_Hf³ÚU;ì­^º~ÁÀÝ3µ5é
øÚ¡ºø[\Ù¡&÷Ú;Mo9E*Ûí¬E	Õm¹lê·šÒqd‹¸þýà¡xZ¯ïvô£æQ¤䨟JêÅcFv£1Xc:bv´æQ43ÜËg¡ã6jÄK¸ú¡|R¹š“øÃ÷N7œô±°ÆDL³
ÒYTmN`ÄÔŠÓi
+öYˆ=~åÇk8¨ehúRZ^±V<£‘x–@#”"s•ýÇÚdÔIðP…®÷­•úz8*uÝKœdÕY…®Ùð.Ó©¬á.‚ºuÆTaˆVÇñŸC—nXЫç«j”«žŠçµS¹	Í[džN–üèÇæz	ôÛ¶IµWV€A¶šéÝØNQõÆ6W
+ÿ·^]Ä“†[#"‡6]”�ý¬…Xí=ïóñhé¼ÜmÄ%ýÖF¢WÛþª†Úû—tµdý
+á;¬/¨`>�‘DÉF•X8)RŒ(êe+QBöìøYýú$ø𙨗wš4ÉAÑåFç[/Ìï(=Š|ú11ǹÌYf�Fã–s»Ø'ú[þµwù|¼ŽÇÛ,ë¢39i¯æ¼Žõšm!¸«uEÖê†î	.>Pr˜áËóOªbeå£/Ï”£�à?cÛ^0ô²³Ë«Lâ9}IÍv#VSgzºŽÙÑ‘ðîàê)˜¶©£p.´ÊI*ðwgÚË&)ƒâ²o�UÌäšH€+ßÞÉ¥al‘BéiWŽÎG^ç˜ÀØl8„¬~ÇH/«æ5Àc/ý
+q,‘ô¡ÇúGåKco IÛ³�ø©‚Ž	Nv#j»£)Ÿ—“Ì·‘¶ý¤C±Œmm§
+ÄáÛì‡VJ@ÂyÜ4A“ß(9�,”÷-mZË)é‹�ò8ÕªÇ+“lvÕcÊž|:"Ú�!ý XjñÕ,NÛO¤y|¯aë�ŸÚaƒ™z
+ùΦ�*-Ír»b3‚Ë1<]#°Õ¤pX%'Lèw²ƒIýohZrI ®ìñõQ„è1šØ—×¾˜I×ì
—UHð¢îq‡G[Y(|#8°ˆ¾«ü Ì¡"�@áBÔóѳ{¾¨'™†VæŒþžßˆ)Iª‡ýE«HÞË]~@wt<ª7çqÄEÔË̬´¥!yšj½7§ßÀÛ*«4øÑ?rê9�ðgÅ£ŽÈKj…4HÍD}L
Âà=™òâ1å7Ü4
S¨r/êö,m@ÍH΋pø^T*õg´ ²è‚V
e™'&¯F€™á�myÛvî
ÃQŠ€X¿6~pl“È3ÍeôÆ`âå=õïÒ3(¬•éq7¥s
šçWÐ)¿Ÿ•µ®K¬1¿!qÄI b^B,Ësb¬@¼‰ja¦•0?8ì@?N�©¶�ôÚos¬y¡¸TF3ÎRer�9IÎÊè7?°0x?Dtebv
+"q‚x”Ad€Äœˆ®wÒ4°ÈJÙ¼­Ì8ø¿Wöwm
B\ëê ìáQ�ïÞÌæºÙ2çŠ'=|J¸^Ö{~
%ÒffÞ2*„ÿ¹UU£î[œRnÖûÎçäà/�︊»æÕµ±úøÖ[²@“¬½¡Í—5NCCOQ~Ù/N»ùÞq¾!ê �‚„ÙHÔÚä5Ôû3õíya÷UTE‡3BŒýóGN½Ü‡ÄlXþÔGõ“)Âå§aow;é5’-Vy3Å„§J%™èvsQ¾ó\¥Æ0wW˜jS4ÂÒlêW
bØ9z%ò¶;,_*EéÃŒ¯ïw1wÙ=ò^D%IßïÿèÀ	‘´ÃΉ™ûÆk¸ß‰y(@ÞqH·DêÇ�ÊQsfT+Û©Õ©s>ÁK@BªB¥¦¤¹já»AÙSg(c¯Ì^¹Ÿˆ<H|…vøuMgÌ[¸åßÎe7�wjrò2DüÛ6dlœ
H.)=í:{˜;œ5vrUå(è
+«°;‡5Î9ø%ÏçL¿ôw_†�hÝ¥‰’
6°V…
+�^”ØD>#û|ïzïÔ>Œ_ƈP‰ÌäFY„“ðÉQ[ÜȾo£zsT¸8ŽZv?=�ªÅHAÓB[LÒÒâvl.èÆí“ÚGÆv‹7"E‰†O¥Ojn(`²¯—½Wb°¡vs÷;îù+®{¿ÈýÀX°«§º½[�ŽÓì1˜'½Û6ˆUÊYø“÷dÌe`3ºæç³¼6àHÅ©ÜÁ­ ¾ØÅú(n°ƒù‹"uY»¦·[F’¼3 	J
+ÓdŠ®ÂlÀZ(”ŸRO¹
Œ»“69Û€Ìà†ûŽ�DQäìUJE5ý*rÍ@
+(§[$$Òè,ŠÕ%%yÔ»´Æ”V°ß{Ó(±3·Z„Ö= (0ÜHnƒ«%1œÍBz;�¦ßŽÚsÌ9û=u›UÛþígàÑv±Ú9Ž{â’®0Ý
+�ø%IÆãа¬"£H_|B
+DÈôZ¨K~¡ºy±'§«š—˜Â2ZSŸÄ*_Žs°¬¿áüy­•4á’DˆìG„V!3ÆÓä.¦ŸõÒÀ~Yx²ÚQ3æ0ËÉ*À‚äêJÛnïPýúúx ëW1�1u‚:OwaA” ^†’ÃÆ„fÚÒRW—Ø(˜¾àBß|d9™eŸÇì	x¹|nzç¥üí’�]áÍOúåð�;={É—êž/Ý„x_
?à^ÊÃxVòWû‚¼%uÅºs+§�iTO˜²�ýôˆí^êÓqFÆï;ëá[1IÑÇ@ÑIÍEÃÎXq{tUå½ÊZ$ÊÈ/.·Ë3¨-Î
ï_ßa?›@ñÅPlTÁLþ�Œ?iy1s•ÂyK°€[å>su
ñ-UXr§m;¨:ª•Kó£*gò¤Åú‰áªY&–Ì1Z°ÏÚ¬½ÙQ‘~r"¬JÅÌ`\Š}‰rí&�–¡[@²¦Ú»Eû($:¥ºøeÖÌÈ|�½C¾Ö(ß~™„¡
+ö99'(ÜÛG(#?‚iÎä²q
+[(†ºÍöt
bÚ[·ö-
+HÉU
+’7ø“’ðüÅšŽ,<ëÀ¢
Ò�½è¥;KY±7¨n’7qÍþL3Œ8Œ@×SÿCŠtv‰jáY²Ž¶bb»¸iS
+ÕL;&�ÜÚ社Q²;»UjNN{)òèÈù¥@Ã:è0>nOG"ýya,.�ÉàÙ zi™T�Äë:q!$*nK\Â)÷.¬�’í8>‹	–
Éîu¾J~&Õ†»M[oȳ©žJ´2Ëxy˜3Ÿ�‰“ýÖ.¿”©tü.ó–�5”Ï8A�ž«Z¦´´ò�Ïn‘Kœ'‘[àõ•úV‡54›»Ü,eW~o§5X9mó‹jœkÑ$'<àY�œ@ªùA-G-�_ÚmVó` «ú„£�ù”Ó¹×”Šó“$È�»²™©CÕr1¹"ÄÃ$AŠíŽ)й¦?¤Í0HÝÅŸàcËÉ&<j	©C@×Þ¶ÃtH.‰ŸkèA™ÎÿÎ!á
+u­WfH´‰6çÈPG
+.g4“Mâ'M¦ï(ŠMÑ|éÖˆð…õ²›ÓĘ#5Ç´=È•ò~u¦5Vê£R¯/®£­óH�Ä®f§ŒŠN¿:¿lŒTmoú_ˆ[O»1Â̤§ké&èIN†‹v@‹þH,€tŒt
¦á>Õ'R¥•K.zgóJ˜ë(+Á5¯2ìkÚ Ý϶¨Â[ú3Änè^þ^×ÌæQ¡T d`v+f<�ñ'yжj~›q)ž\k,°ý”škQí—½`µ‰OÒ«cìÔ\,&	šîJ
+íiW‡fÈ“$#Ò±"÷qHÀŠJ\èWxZ'dô•ÿ
+'�î»ìØ•Ë#>¼ºê£Z*¶
?fôÑ1sm%$¥ž
+aþ2rž¯Y"`��¿
+E¢Ì®_Q²HL‰@Zá~fNS^ÿœí^®<+9;ÚyÜúMtéÔtßæN9ïJAñÀئ{½ùMÌJXQ—DÎ+vûÔÕ†|bs”F-Ë•§EJ òó8}]ÕzÙeRéÀd.Ly’ö|ÿDl>Åõ]Ãh­W[®!ûÄT‡�‡ÞuýÝ!"ƒgúˆ.’FHD•‘õÝÖÚšgì$Ð6MN
â�jpx#2ì,y]®“ê™
_ŽwrÀ%�Oqp¶,Ô†´}–úy.Ì0ØÖ³pßãOS*³ã‡�ïwâE†ó0m‘�¨ü…YiEµ‹X‚EiyÂ’“	F/ɪô¶­‚´J´ž—�‡@%aHøèÕ?7ôÝŽ¨Â'’J‡ˆ2LäÍÝDœŒŸh¸Ì¢±·,Žh¶è„CYö]Ñß´­úgmkôfÆ#ÔíÈä�¡J¸Umßý¶ªæö1ãïÕâ•Æ»Å†-eQCÕs�oŸ½Ø‰	Í™ªLlmwÓšÞ—Jš¶9¾!&5#é»~kÃÓ•±�9wX§Mk‘ŠHg¥éÌÐ6ÓÂx̱Ùõr>%Cçñ#ñ“(ž¢Rm|™$×B\µÉ AvV7Áû¯…00À(ä1˵Õ�ÝÝK¦Ü¹Ù~éo»T9
z˜~Yã{òÑ=Mq0ûJA«ø}/£1ÄíÂ�«e—Ѧn/*ómF¿Äxù
q¬äyJS*\€d­-†:¯Ø]yÜÔåTƒ‡¿øƒØE@Í�fvTü
6íÁ2~lW=_xãSeþ<ùBÐÊÒm"¿‹g|£ž�Ž/>¡„ïn‡œ0'OK_5b«F¾ìؽ°`‚ýÔš´ú&¯Ï¸?`;ãõð
æzâŠ×=k-"c	ª)k¡@2×ÜlSÕs'tÜ«f�€p!Ó«‡¢¤H|ö‘¾×Á[ú4ô‹ê9_¹ªÒSGUPâI%¸5–
+¯
+qQ)[‡ŸäW=Òлe~ÙŒB‘»ëó´#âýmω;y»Š%üŽ@D$zfªéA%OÕtØ9ø»«óu 6’RáÞŠxƒ„ï”
+2:RÒ�]š¡¸\•´²DÊ™º´^-;nðÇY~þ0Ÿ1Í»PÒø¤0«¬}¦“?f0­úÙq†cŒ¶[ú¾;¶96�Ø/
+P„é*Ë~fûiöðÐÁ±y;§‹¸Ãà’ßÐpù<3A,
+HG€BÊ!´q<6õûœp—-HM¶�Ýu'¯ýôhË)
+Ûs'&ÞHË¥Á§õŒñ¾QNç—‰Ÿ8[/»'ÚýtÐMs¾Z!Å7ÃFjA¡;Pì;ÎÓ<Ø:ô‹hX[ÇñxWÓ·MéxW�ÕòћӼaç~ݯJürÎÇû®³`ù²ÏÉF™m¨1£áú§U, Å€ÎÌ÷;:Ö�Ç9½èyÄÂ1ž�ìPUºÝS‹QRUib�3íWëA(W×â“ÙÅ€µ†„�äõ6ú¡Q{I–àÆ/Š†#¿I¨
+RW¥Ï
+Òd<—ñ*õ/^›žˆu“ ”Ö†´06f¾Dx>É3ÓÐ6
$cºŽ~{V
+´.ÎlTÖ±ð`­çÐÖátžë¾±ÉŸÜÖR)z’ºª^Å}bû»Îd7
+Á~‡+Ò«‡´¬©Bcá#šUQˆµ»ž2ßÓ5:a]C>+×­7ø×B
+lwÏÍ	¤Á;e£“/~Å©ô6€bDPö€Àì5	ßhàdÓ'±1ãŽ�ÔH®—äI¯Ãz£íFR…R꿧�ù‰´Ôö~ZB‹µü|†šïs>vŽ(B¯)ˆä<µ¢+þ‰>wÓ*>‰v»P°ÈÒÕìn݇�32B‰;¾}0ñ\d3í•©Þlýöu>Ø5
¹¿
å'Všµ«7ŽìòÂn@ÐŒ_÷ u,c!Üy&iÏ6I�¿ÓpǾ
+I3qn»#q.¢+j¨lx¥šÏw$�àmE8L/ëÄŸ4
+i}ü8c©+V\‚ØH}Hȧ¿`$¾³O4Waˆ©þ«ùů�µbâbõê¿Þ™þz[›aó�¬^QÅç¿o¹59ô>Ÿ%{q‡óx§òêÕ/	ìŸ)¨1£7i�-ɉ<ô–Îy×`áÌ~)/B,ÔŒÄ’$¯üÈà‡Š}Ðq�ƒq\­¸Ôä9XÇÊ&Y Ä~ÛÙ?FÑ«âÖ7A�hnzräÍç$"wÅ:XÞ#uq^ß>\xb1Ò»Ïtá6J•ßOõ;‹ŽÉ–a¨Û�ß„f{âe#zP$ü®)И'Â�´³ýyòÓûÕn&såÚd´‘ôòh0×Qš>™ÒsA”>2Ì„8¹º—£q}�ªé·Lm¯‚Ódx¯N›GQðLÚþ‡Yô2�V÷«½	1±ÅµXè*ýõ÷q¦69+ÛÞ¥Ÿá0ë8õ¯Ü§Xî´ÏÚæs>Þ¡v5js+¹¢ˆ´Qaïe÷
+á°âÐÑÄÕ—bJŽãû—"oRc¸°€~:ƃKÚX^ªðTp�—£™#›2¾&�úÑj±7ÊL�åzm-5?ø±�	%;7Ü'GÈav�&³}.uƒîãÑ-ÏAmixûÞ	¢²c
+MIª\ÂuTØjGI-gý�ÂÓ–GâydføæÅxÃÃ,�oÛ.رÌ*�_ùSÕúƒóØCkëÚ™­¨·>]ÙrÿÅ:K¥ÓS%œx
+æ¨5-lçÖwŠ?v¹Í“!‰P£C´é¹2üÇ6$í.ªM¬—¿òÔö�ž8ü¨=Cî<:6¤Ò*À8€Ëi¾‚’¬ˆ§eœxÁ7gSL¥�]ü÷MÁl϶É_LÎ[¯>7‘~KÔ
C¿
bÖ¡ùMÙDSG„l,Ô±ÿ…ô4¨·ÕõvOój˜ývXÚ‹>N]'#èØÌ×!óþÇ7îð*xîG™õñÌþÀ!%aó�Ц_èõ\{¸®qf__ÌjävU“j3ùêEo/ž416ìž-AXðIŸsþã¹ßZI‚–>ÛýNA¸�­s´Kp‹²�ê˜"ÏGx	�™?þ³Kl\jß»¬“aÒۗ샜+€uÊtC—hÇîá•
+¿n$rÝ	Xð�D˜t
ÎõÓ…”2§—n„sÞmOÆ„
 ˆ;²ÃßshuåU9ñÖ�&;y-sõP~K*ªÅz4rnp´�}ª÷œõ)RB—+«å—>¢cI£Ž¹w×	éhz€Ì\mm £MúHþ×<×|Ìï­&‰� Ÿw³s£Üë+\?VË´<=yò‹ØH»M'²ñÑ67Cøoí+A5x5
½·x¯'_Ë
+c!vÜ~óÓ4¶bIpµP]ãH^ŒúÀnkLßYßÙ„æÀ,•‰)tCœrÀ‘Çi†Ï±m$�hýÈn.ÿ¶»öO¿ªWÂ[–{OFChÓ'ž
WùÆ*6L‡1±’g^H]u Ââa3ð¸g@—TÕL_1@d7¾ùÁ“†µ�‹Œ:…‘XF.ÿ§�Òfb1\ÄñSÙ£�Ö®TÁIS ÒŽã{9.´ v´ôPš_$ƒºÃ™.T€Áj”¤RÚ.z�àÂiXÎ^;-”ûkwå0HMKyÃûSc-‘tkâôk'a.*bí	Û¶4ŠdÇ&ž*qÉŸX‡ÒÝÓä"c°4	*+9‚3£
+cáE¢Lg%ãŸïÁó§KíÚï©=ëg‡~Q)œu‘Še7@ô`­¥¡c˜„s2¬ìe/ï´Ã÷
5ØI*·[ÔrH�îD4;"«hntRÉ´c¬¥ŸýÝ„u å{ÿÁØ}hë 
…
+¯41¶{ºQµÚâl·Pãg;‹($@
QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW
ä­ë6Å͆ÇIjË‚¶{Al ¸¸
²œísè¹”Lª £ÈàýÞùqœöÇ=*Y€þK
 endobj
-618 0 obj <<
+743 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1344 0 R
-/FirstChar 2
-/LastChar 151
-/Widths 1355 0 R
-/BaseFont /RRZLIG+URWPalladioL-Ital
-/FontDescriptor 616 0 R
+/Encoding 1915 0 R
+/FirstChar 40
+/LastChar 90
+/Widths 1926 0 R
+/BaseFont /IZQUPU+URWPalladioL-Roma-Slant_167
+/FontDescriptor 741 0 R
 >> endobj
-616 0 obj <<
-/Ascent 722
-/CapHeight 693
-/Descent -261
-/FontName /RRZLIG+URWPalladioL-Ital
-/ItalicAngle -9.5
-/StemV 78
-/XHeight 482
-/FontBBox [-170 -305 1010 941]
+741 0 obj <<
+/Ascent 715
+/CapHeight 680
+/Descent -282
+/FontName /IZQUPU+URWPalladioL-Roma-Slant_167
+/ItalicAngle -9
+/StemV 84
+/XHeight 469
+/FontBBox [-166 -283 1021 943]
 /Flags 4
-/CharSet (/fi/parenleft/parenright/comma/hyphen/period/one/two/three/four/five/six/seven/eight/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/W/X/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
-/FontFile 617 0 R
+/CharSet (/parenleft/parenright/hyphen/period/zero/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
+/FontFile 742 0 R
 >> endobj
-1355 0 obj
-[528 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 0 0 500 500 500 500 500 500 500 500 0 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 0 944 722 0 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
+1926 0 obj
+[333 333 0 0 0 333 250 0 500 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
 endobj
-607 0 obj <<
+680 0 obj <<
 /Length1 862
 /Length2 1251
 /Length3 532
-/Length 1861      
+/Length 1860      
 /Filter /FlateDecode
 >>
 stream
 xÚíUkTgnõJÀ+Å€€¸
-æ2�@	Š,š–K
-™FuÀY
-ߢÝõÀ^¦Í›¹.’Lˆ/’ì�ƒ
ò;õb
¾«±”P¾ ÉdbïÛ¯Àe›}&b!l¾ˆP¨ö
-Ú$e	`ÖÂÔ$ìAHÁXæðŸ 2ÃPˆ`ΟaÛ7ðÒÐßáö¡ï
-Íþg…rJÔbBý˜™®êÙ¼m×ćº—ò}†OnûQC±–¶|[½—tªj߆×ûŸµÓ
s>
-ý‡þŒ¿æexîÜá!Í1µ—¼Wq	÷~^ƒì{á,™_›wõ¦âª‚èFhoé»YhOUy0¡ºVq}TZÃÉRNRÝ¢ì‹?�É(Éõ»ðƒÆ+’uYmõ¨²±¡»v.9h@<ÝUV~L›C9OÝÆÊ�&*JhŸúîù5–*áœpyþËIÒë„®çZµ-2“R?zeòäT±NËëÍÌ̶A¯
ù¬�5�RµJº§‰
-ä£îêÑÚ½Fúw:ÜJGô[ækØ;›o�8‡º\Õ‘Zµš—l	ýrÓ´§íÖ% fÙi�c]ù[
�×d™ì&q
ø°Æ9ücꃙÍÞöc“Y4—¼ÆC¡ò17úœÙ_GV¬ù¹·ÙP][{øTGg’_Œ»ùl›,ù´jrýö¶.ÂñY^�'z?§»ŸÖê›Uè¬L,‹a·‡ÔÙ¡±¤ÝG³|´zä¼üÕA=9åœ÷ôÈÿáƒûƒÿ‰ØÕ
¡D¡¡¸
œïþiendstream
-endobj
-608 0 obj <<
+æ2�@	Š&X4•;*(R’É’LP�
+A@0¨P¹TZ)­`�åb°¢àY#BAn¬\uÝ
ôØ¥?wíÙ™?ó>Ïó½ß3Ïû�óY˜yùèl$vEDHi€‹»ïA�€D2ÎÂÂ…!	í‚$0

+ߢÒÁ}t?Æ^›·s]$½ ¾H²/2ÈïÕ‹5ø¾ÆRBù2 €L$“ALˆ½ï¾—mö…ˆ…°ù".@¡ÚŠB‘8ìaˆ
¾ˆ
Ë
+|¨ÒðK–Ó)}ôŠQºGÚWSÅú¯¦–ùgÆQ‰Ý¾øÈ„Tùª×6–#LEø�ÓùߨŒi�裳ßnÙÚ3µ%¶Uï[Í8t¾av Kw½µÏIkó�=´û?Ü€�ìÒ±y¢&6÷ÆvÖøíûnL/¼Ø5ÕRÉqÖ
ž‚fã9J¥�÷0½ùžZuÔ�=·Ö3­1@öÔ4Å<Ùây‹o™l:5Æ8ú·[aÚø»)£éEÓ_{êàM×ûï(o¨Hq»LÝLZÙò^mlµñ�Â%Ø®¸4\cÔòxÿ/•`òµöÆÒ˜ePh~uŽé®§Qáß×mŸÝ�O?FÜ[uúà³’:…nW�
¨¿ã^�KÆË�v­TŠ»ôꌼ†wb”„³kﺳ»äQœð=£ï¾ö¬Æ¥{B®¯µÒ›‡Ž_£è˜Ë;L,¿:ðŠ¹²lµ¸Øjƒ¸øRÜh­ï(Xy³£| K?œÃœ`¦äp¯ÅÃ8rœc¥uÓzy­AwõY¹¢WÏT»O•e 4“WH‚øœ3º3ié^�Þþ{µb7å&z>×hz_”?+EÎnÝ?ê§Ibžhy90n3)óÕ¥]ê,ñO6¶Œ„/Õ;ÛMçkÓËήU3•HvÛM†ÿÅ}�¼‚¤,^Ôdʹ˜¿Œø}âûõ…!„Ÿ¢­ǵ�[{²¦c‡Ý�N–òž«<k�ªJM͈=Žc‰Ý!8gTžØ¦ZõÓ6¨ãОÓðØÌ#á£f^Zúžeò+NºññB
Ïme>£+t<4ûŸÊ)Q‹	õS¯tpUÏæm»&>Ö½œï3|jÛOŠµ´å»ê}ì SUû7¼É8ð¼�a˜óIèßôgü5¯ÂsçŽiŽ«=彊˸ód?ÿË`ÉDøÚ¼k·×DWBËxKß­B{ªòèÃ	ÕõŠ£Òú›N–r’ê6eü™Lv@I®ßÅ5ž‘¬+j«Ç•�
ݵsÉAâù0èž²òSÚÊyæ:Vî4QQ@ûÜwϯ±T	ç$ýÅßO‘Þ$t½Ðªm‘™”ú1*“'§ŠuZÞlöÊlô0�ÏÚX3(U«¤{š@ªãÎ>ãm»8³~“96¯óS&D;êùp\pÖë=ýùnÓÎ×¼¼gǵ¢“C…|š€ûêjÍi“0Ú}E`ù(±¶ õ¯;
+TÉIs›ò¯7”ï8�Ëlòm~èp|ÝLã«+õ·•^æ+M‹zç‹+
+endobj
+681 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1356 0 R
+/Encoding 1927 0 R
 /FirstChar 13
 /LastChar 110
-/Widths 1357 0 R
-/BaseFont /BCYTRP+CMSY10
-/FontDescriptor 606 0 R
+/Widths 1928 0 R
+/BaseFont /YTAWBK+CMSY10
+/FontDescriptor 679 0 R
 >> endobj
-606 0 obj <<
+679 0 obj <<
 /Ascent 750
 /CapHeight 683
 /Descent -194
-/FontName /BCYTRP+CMSY10
+/FontName /YTAWBK+CMSY10
 /ItalicAngle -14.035
 /StemV 85
 /XHeight 431
 /FontBBox [-29 -960 1116 775]
 /Flags 4
 /CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash)
-/FontFile 607 0 R
+/FontFile 680 0 R
 >> endobj
-1357 0 obj
+1928 0 obj
 [1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ]
 endobj
-1356 0 obj <<
+1927 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef]
 >> endobj
-599 0 obj <<
+677 0 obj <<
 /Length1 1616
-/Length2 24746
+/Length2 25061
 /Length3 532
-/Length 25639     
-/Filter /FlateDecode
->>
-stream
-xÚ¬ºS�ek´&š•¶Í•¶mÛ¶mÛvf¥mÛf¥mVªÒ¶}kïÓ§OÇé~êÛ3bþßÀ7þ±VLRBeZA{#S1{;ZF:.€ª’º‚¡��¡‰¥½­’½­!௘š”TØÉÔÐÅÒÞNÄÐÅ” nj1501
999¡I
ÂöžN–æ.
-0±tv°1ôüû/˜ƒ“å¿i¸:[Ú™ÿW4
-å< (&.ÕÃè25)�hTbp§bâßVv*—èTï/o;eÚ0&±º¥Œ¤8FOX5Éávדñ9Ä–ªA àÊü<xâË…×i†y£
Ýë*ÐAlyŸU9J’ô(°ÐƒcÆœÝÛÞne£U&¥»‡Û‡蛇¶Ôœ¥1áÜå\³%Ö)ë]ŸüHÓO6QrB%¤(úkè>·Sog´mY²mÄl?dEŠL0ç…ÿœæ¿Ô¸Å¤ÍÙl\Õ–lfñm³lvÑ+bžþTê¢Jd‚þâ•*®%ß^÷%Mzú,yGºð¢È¨Nï‰�ð,-’ Ó`Ê�á®	Ø�'J˜KnárËÏÅ%?ÙÜ\óÿâÞõý#„-îÌC½Jœn)„¦Á‚…`ª�XS“.ôR°ßµPË,Ñ?Ž™·w©&|!Ž
|Õfœ9p-¡BÝÕŸ—þBÐ��9’ÐÇ1#ÄÙ€‹—i&®¼Úß=	Ň’—cú²LcDvØ·÷GüS
>*²)œ&ü9?·»b“Ä);âxˆðpÆò÷<q{¬œ
šNبkßÄ^µN�ú:v–ˆóO[P�ÐfkpÛìÓä…&懦ÅnŠNZË,¯#j‹ìeؽ%
üî†A°ÜÍBÚ<´	�iÌItxÍþSƒçŸˆ›ø¹C0¥	òym)¸ÍË•o¬¿|uM¦C¢˜F±uBmÆÇåIZÇëB¥ƒÝÑ=úë›GŠ×ûµ¶-ûÅÒÂoñ¨&N“N
d—âCMwvh¿2v�Yòj¢W*œÆX•_
-£õ¼ÓíøZ
-ÅÓcA¢\k†Ø8+Ff
-%VQ&4«à\ùœÝ¤á×/)ul
3ù‹—I]
-˜ã“×ôq¯Û»ÎU÷«V’5¯…ªì¿�à!ôù	âr¿Žò}(šâ*¥›Kr`ܼÝWUi-�ÁòCò=Jª”´z`Ë™A9ˆRzí†RDÞå·Zhk‚•µå‘Lþ©±æUñè‘/—R©ZC‰oô¯·‘²o�$i¡nô�óÁ¡L°ê„{e>«AtãSZøx®
-Xf’W9wðc
-æl®Ù¥èÝ}£AIS˜çèÕeCkCh Õ":Êâ$nOn‰²î¬ü›T1†õPXÅÎÈ‚«H�ͤ» "ä‹?gìé8ék@Mdùi¿ÖšB\µôÁÍ•#з4Í�÷–ç¹tÔ‚©±*	×£+!·_§
-¶Ãp¿I~!½æÀV(®Ž·SXF|3Áq‚åh½Ím~Û Xã3w™úN#
’	L>¯�·åí
-D$¹\¨	qìk[;$å;£W­>wFc)F%‚WF)ˆWJ�d½‚L›M�e©F}qyY÷×¾+¼¸ç³óVRhÉ”¶Úþ¥¸â¤Æs¬[¶ÈªCŠ"ÔÛÒº:-«J™$
-&ÿ%h�r½ÚoçLá3ï³°4�:®ò¨ç“ë°×6pvh‘«
F€Å*±‰ƒTêœWÏÁ¼ÕÆÆ#®’Š,§~Õ\ÀoØ5¸Øgk¼ÁÐ<7dYiÕʦ|¹ªROØò5z&< Hú½Ü”B(îwâšÕÃp”Õ†A§êžé¯�hï…‰’ªZÛeÃÓ¦{äÛ«¢�ù}Ë÷�r8±PȈ½WhPÁîŒËŸ"=°:³zã>ÖP¼	þ-´mÆfX´ä�dÄòt´ÊD©Ÿx‚Ìr†u¥‰çP;õj ÓzužØ¼ô¦F
"YµŠ†'–$Y5häâ<<ÄËaÚ!�[.)ýâfÙL¯s¡Føǘ…ÌÍþ-KJþÎ~Þ(™Ø™ôi.xˆÚ’øÓcºTQ[ CN^|*TOû;¨:ãEò–NÚ–.›$Çòþõéº=òR€ÙDg1´¡øk¥Œ-ûÑñÚ”c	šc²» ˜�Ç:Øз‰ôœp¸Â®²:±÷Î Pâi�ÈÅ´VýÛ9*kc-J|ý#$	eöy6?ãgÙ—šNÝÌaÅó3Z×iÑF?$‡Kd4Š:?\ôp¥ðYvŽRp¾_Ñ#Õaä–!/ ‰é6ã˜7(LáöÏj¾ŒÍ­†/Cz=ôõ7WxR„àQrGÈ(/èñ¼ßômãˆ9¶À{‹Âi’©±•f~õhi5ÄRX`²\ãYq¥.ܦ|ÌFŒÅ6YÚ„ÊõiSXI?ù
êT•
ú×~IÌ�¨rl„Rü°±SÆñŸ3„@]½[
ÏŽýõ�~_Œr*Œ~Ûp’°7™õÇ2-û±ˆT¬8Ug>^-š=´é5Ö_¯¡oU,Žr¦õWÙª¯1Çû:	Ã÷°ÝQÀ°‹klRW&Àüq-î¿\bú›!@ïÞP[þ!0¹ºQ�°‚7hh`ª1½å4 èÉ_}~Ýz——7u~+
-3ï•r¤Ü×\¹û Hj±Z9ôÛšWò0R1öë<üëJÃB�U²æ©6.Èj¯¥SB?ú%ig-šô"
Ózõg-	
-»µmF	È÷06úgûFíÊ%;'iòºó°0`Í0“s*�aÙ¨6
xcAˆðÄW»Û_‡’è{õÖ¬þÔÐ…1‰’6j†
-­ñJñ¶LöP£�4R'Ç¡rkuÌ[Xñ1H'°à‘ñ£Û¤Ÿ"‘m¼LÐAÈ{~íë£Q§³Î•‡\
%"ÞÔn¿ƒKZÖÕxKiߣƒEÁÅ-\´!ˆ|’	w§©ÊB>
-
âœ]
qO%¦Ÿ™¼^–
-éæÉçz¸ùë�S�%¸ªB(\ɤP›<î‚jßuäF4gºË»©_}VÞoJ¶Œ[†óOL�ÊaYë)¨�vZÏÛR"ó†ôµ4¥%)eÈöüD�Á¥‚˜û;Ïh
úg(—óÏ>’Å“àýßYÝó±‹<¾l¨1y-�i•éö`ãx­3ú Ø_š±ÚúÖí÷‚ï…(F·01æ?_y­|P.Êd<¹91†Î…9ÓÜVô¡ms"jHÒ+fkµnäPBüdI 1†Ý—xiµÿ„ík#vý$b{ÙVv)+W¦dŽò™Œ“Û‘VöJd•UþÞ€ôÓŠè7V!KC.Pw¶‘ÙðNF/åó´žœ0ºøÖCýÑ4söûÒcÂâ©Bü9+ןxDå>÷Ü%÷�Lè�Ðäpï2…âÌ2Ka	.ÉfÏš=Þmi'ªn#Ú7}@G™?õ
-íY»7üTç¶Ù®©´!È©»5ad&-	5ìÜ°
+@ô«³RbHïÚƾñäuò±›¿T¤;§ÑjÜŸ]q¸Kïê¥]6�ýT½µ‰ù¦P°u"ÌÝ*p¯œ]D ÜZHÆ@Ð^�Ä/x"sRCšSÊxVéûdzJãâeG»ÍwQE£5·ÕZ…X,ö²IÒ;ö]¦M~­ˆÏž˜0sßgµk¥Š~@
ëóøœt]­+
-J9¦êhÉ[Aºª¿é0C»òc²œ=µfÞš]E©I@˜üuŽomÏz£Í¥#¨Ûw+iu” 0Ðo÷
-v<Ò„O·Â¸‘óÓ¼”I ÿ´õ™6ŸÜ(Œ¡ˆ|lc`kÖ‰àøûÅ1õ”¾JK¾àÕ¶e8KœÛBTÿ�íü	”«�>ÏüoD2‚‰Žtý¯üW
ßéZFTJ
-ú=úCÓÜYMÑÕÇÓ#J$ø_Ò¶jRbqš©Ÿc¶
G2Aê£ü/-Öt³/?¶Mº½´¯’yÖØg½h
-¯ìØEV‹¤uíwü�Ô—ì{’ZÞ䢜çtÒU'àÃùº'à(>€µÏHUo-XY¾tCßNƒ�ÿ4Éh³GoWøíntOï ¬°nû‚½—W´�²éÝÌ[¤´*KQÝ•_ŠFãLX¥hš|=Ú«nµ;)Ú^Û×™¯ÏÖÙY ”ðæŒÌ˜vK€„
BUfC›ŠA…>¢.¬¶Á_BÅ13Á¢ñ-=Ÿ�?£ n¦€!ܰ°›&re€Õð$åŒKúÔx`:�—=T"Ðu¢ö­TL'ë;õ¦üÄ�sÂxë�9"§¥PicRQ#‹;Ðœ|§°lèö„¨jÂÓSdÎq�SdÒB¢´ŸdƘ4I{r¹ëKºÿ($É�É�¯c�ºVUÉj˜3>…2==LN§p\zNO¼cð
“6nX ‰·nLLgŸòå�ÜÖLh•ÒþÅnÞÆèÙÂÈâªôŠ«½
-Ò\¨4›± “ÙHIB™4ÍÀ4ÄÍ\Üidf�ùæý„³Ù••çÆLYmýNYvž«:ÿË	Øg$e*#åÕa>zÑ™çüƒä*:Šê
þ7yl‰@,‚~¢X~cþžúÌx}tÚ´¢ºîÉàÄÛŒcšž+ÊšÝoŠúÆßÉ®‹¢Äñl…ÀD0N°E·¼C´N¨,
–t3‡H±aÓpÒ¯a%é 3L„’¾—(¥¹¦H„»mÏM,§ðX©i

�«›dý  îÏãAugUd=-–�
þ‘ýkÙŸÉù_‚ЋÜøæuÂ,ªëöW³b°/ô l£³'Û
JÒIœ(\cº¡ýkC!7¸Ëtä­¡Ã+Š•~O÷�]IiÖΠ›éP?áSñÀì®sð~Ì�Ïý1¥âŒþVÿ~@à¨sÍÄô·ð³¤³ªˆkSGÄߧðY”X3GB„üIj5ÓÎ2\J5ÍIÚáŸw�À¥7ó>MÅÒð‹¼”%¤½÷Xu´tYð"wàK±>,Ö5:™Í
œ'ÓûÊÉïš$šPéÅ™�emÕaÎh7‚¶»<ö]Çc6Ô}Ñ
„yÛŒ×áF¶º…[`w$ù#¼FcÛ·âû²XG5wžâé[�Ǿ§Þ€ømõ§Q¼JfÐ2hÒPÙ+š%t	q“�àk Ó.Ói¥4ôÞ”³·P<»
Чã'*€¯îËþ””ìôzÚðÔ…ÿ$Äâ¿"lTœÜÝA‘ãê…älOaW”æi‘?û Иñ2Z‘6Ü°7…úZê|Ôü9—Í#ˆ‡YE
Bs
þãÍ[ã)YVîUuä½”Åõ�³κ(Ð{D¾ÿe»1�i™ëã1­Öu®|ã\®@sW12ïz·mL
½+O$;Œä¾mÉu…™ÏXF?y­	]¼„a×7f(üÙþ×–ÛTÒ¢�äÃùݺîÒ‰èhî`(\Äƾ´5–$ð²ïOÖ*µóŸËÎñÆö0àE…guÉØ…
-‰Ë2„Ò�,Å>Ô@B�CRÑ;ueAíßÑN06»Øa¶Uy Ì;N.£ýÜõ¤4«%ræ›Õª6£eŒÔ:³WãQ2“b.[oÁ!ñÀv è2¦ïü¸à|ƒ^TX§^Ã/¨ã*ÂÒ+pÙR.x¢d½tFšòo˜šÇÄ_°¿#Ö=£÷#�ªÒ›»"ž<DAW…9s­,1ËÃUÀ€>/�×ïͬävUÅ­oÈÃê`W�I3wï[õ<;,¹X¬š£}y¨^%±¤õ©5µˆ]ôO®ej¯¯·�a"­›LáÜ]¿Ä8ÀnÕ¨dà©PÏ[œ¢�Auï9]m´~sÀŒËó°�¬&¹¬Ú{Éóû
-oBší=Ñ¢KÓ·\ôV×±õŒ!ªEö¯î÷Ì«ŽŸ¥ÇýEWÕ’±mB¹_Š$X	¢Jª‘$â�¨YL¿¸¶’Æ‚'¯ä½,ê¦'ÈnÃáå¨X¸Y;x*J_gÀåÂíìd²p\b’&“—®p×îšêà¬ìî—�?í9{•¦,ž�ýߟh-��ã£ÙâYutX
-–Òê¸e$ö$®á-MÖFÅØ…ÝëöýJ|Kü„#?¥®¤ìÈ#‚!Óp'v%`qÊ!
žÀy‹œnäÎçN—/+‹.Ì"¬ã@Љ­¢•ým·a•µ‰RÙD9oeÉ¤› iHÉVb¿†Ï")Pê`ò]^€Æ¶T®†˜¿†§†-	§ÅÛÖÁ	Oó³þŒåeFXƒ$ÊS¸Ÿ¯÷kŽŠòÍ™fL¢˜šëʲF‘9‚�‰_«õï+Ê‹\™¿¢úƒª¸QÏís‘ʲH§µÈ=ÉŽ±ÿˆ`#
-”—�¦e•>KDØ£8ë<^=
\üH93�Ñ2W‡¡aàÚÃÉø\þAݪˆøZä¨"ú<¦å­O±gVV­S´je먌�(“ïÂ�Þ°¸�6EPÀf­ßÁ×zÍ°Ÿ©/†¥eÝ鳨7�µ‹&‹öŠôºG2ag�D±ˆÀ|6À�í	9s
ö¦€Ý1c`¼×멘îªÙHv-Ë3ðîß‹áü«ACrÔÇš¼^=Yã
Z�¨ÐzT]'¹Û‚MÏì™ÓbÑÚØ»-Ó®1eZ.Ò+£¦ä5Ú×#í7h¿Øþµ.'�ÏŸMï°òR¢ÔÂÅ+oê·ûåþhMí_W6"u¦+&V“‚…ÞWÑ0{‚!ýÓ2üq�ô¨_š?Yob|_‡™ŠA«¼ƒKµ�Ëà<<ZõÛfeC¸–óc¬à¼
/9Hoäcóµäþ
3K¨ô•�?[àX
çOµ
hsë]§Y*“ëƒ5<F2v€²¥¼|¬r{%ÂSì(‰%ºÙ_üy~.¥ÊpìÅæGår›�ï–Å ñ:‹&/ì}*û¸P6CC)+XÒ´éüÞGî
-k¯gÚ†ÃâI1J8žœ�1÷‰òõNˆßñó÷¦ùèbTÿñÑ#¥YÒ�T§O¤¨ƒï2;º8Л�ȃ[@2
-”¤eû”/Æk„Øsã½”“ ëWÀØW-7‘ÙÌ“&Œ
ŠÙS�ÕçY'9üÈm™ó÷úŒI»~Ç9ýɾ�!ì-\Œ%h“Z56ys&˜a
]¼g"ô¬	ȆOúC™])[Eýt�BNÊDThÅY�I±£�²ÈȲ&d-ëd¸q°t!çëìÙ:TÞÖj®›o/\(7B�–¬ÆöC ýN²Æº‘”.U-'‡:1íªËaŸ)ƒßÖ½ÞÂÞë^#šÕ
õƒKÖ1Ö1Ê5�¾Ì§1v%áïz<¾6Í8eâÝëÁîÛA¿nºüzf½$É×Y…\þ�þÍÜ“O”?-,ʬ´<\ÅÇ/+«S“"\TÓÃiY+†
Vz)üìZÂèNdM¿ã›–ó³›ÅG
ŒkC\?™^QÅA±DNI»„Ï�3›moFªõØœ€Ï=ö[´ÕNÅàRu4x}ªs
-�¦�}Õà`‹›µ/#’Êì)ó(ôŸÁ—
´fŒg§‰ßhð–;ÛÌsøV2ÚƒšÚ!T³^ä´²i÷ Ðá©uó@‡e‘ëü“ý*=î<³ùs<¹¸~mIpHèRÕÙ>¾í¿oD÷"é†dÃåv©ùÑøŒ¿ ´Â§�¸“ ÁO?%cÅùoÑÞK«›àc¾ƒLÀùKè:+y7H³àÉ×ÊuЪhCt�d8ü;|�£ðÐÐT/Ô2,uÉz˜}ôÚP8ºø~úàµL˜î¥1XÓ…ç�E'9ìQWKöu@a2ø
-}zˆ‹ÀœëD1ÝÆ54­º+²�ZW™jEá&+jJ”Nr·°ˆZNj“Ût³ÅDwû+gõ(ê¦ÎáߪYð]p‚'fNùä“#É™’UŠÉ}¯Û))âO]¨Üõ� 
-·.�'�;A^…
?Aǵä(_F%XybS¶Öiî™y6
-¼ÁjõŒ8^–ScŽ…O¥–"};J¸„18—šP£íÝFÁ[²òéMÊqT,ø®}«ó³1YQÍ‹ã$ð'ˆ[_
ÜÚ üÄÜ¥l˜V
X)¯4’�ÍҌÜ)%èyjµý0Oê¼-ª ÄˆÈ¶wÕ:¢¢diËƇmZ·]„ûòB-½_
ëd“8¡4Û=ѴúK(÷ãô×Ú±�Žÿ!�>:*ÒHˆÙÂWæŽ!B¸ýË!Aȱò‡âGù¸8íÃqWA‚?
-øE«µÉØ
óÊ\
-jGžvCÂÚ,ÿ»â.éø*â	QÖlþØóR™äæåU÷Ù;[å]w”‘}{·X~=dðƒ½7¼—æËy©Ÿ†Lâ¦q4ÇÐûr4Sg$ØE…cø¢Å!q‘F8�dS}gìY?èOÚÛ–¯W_ü�'¼Î£A9nc?R¿p.?t3G¿ÝþBîÞ×prƒp´Ô¹ÓV«§í¯á|»¹5ÄQEû^Khóð{"�²µ·‡ŸÎ²ý®0=ü½NX¤é}±·�ÅZõÖRÒs,ûïÁ7ýC&¨ž–×ÁX‚f.ë½1l
 ú”0âu!–Œì·ýÎSÁ69¨…îl¹Z^îØÏhûiR±oæÊw•¼™"Çý„˜’Ј”.Ò¢; …xb“LôLiÇø}¤CÈú­¶ÈFe�‰ÞŸ¨ùŠ¡wG¸¢%à°Ù寃áÞËÛ¯†žxÅÉ��ts9ýwI©Ã¶
-­/h`p¦‚ùЃþ¾nA´JWŠ¯C;ÜyúûV¹¡zŽ�íx웋(ŸêªÞŸ2Iµ‰Vd“7%ÈL«X3u”‚Ô¡\•µñ\¨Ák
œÅÝõ×ÑëVñD`„<òú%#ŠÀC.-Ýw¿U©IAÍ\¿eXÕëʲ¹8¾q4׸¿\Éë»sø?®(P=2r±>¾)—x÷…~Ü¥3dn©å\Û-=âÁ_Iø´ytTl§w`˜»q¯eIÁ4š“é‚°§¹ô[K¬¯dV´ÏW~†å¬­Œ¹¶ø'Î_lûoú7³rÍÈ<¹*Î]?…÷ù6°·ßIË)òzâÇt‡o$pCt$Ôó�_dŽVè@2]FwA¤‹Ð®Û€¸‡}–ðKÖ·'û~$¥Ï•*€‘þ~… º
èax̢㒲¬
\ÏBó©œR]Æÿe´úx( øêådKi��7ö…•Øà�§l@�.q]®É%vò~k5öwð
-$Uù‡:ƒ�sŽßHQºš§p¯ìn©"¯‚Nux€yRÂL
-"a¹�Âz£t°p[ÅH¯cAq˜h½>þ… ûsö¡i®¡k%lûÖ.›Wz¥"*Gb&øÆB<Aza¾ØXâ«‹\¬Ë#9ÜY »é†vÿò7]î½(\ÚŸô*2÷v
-°ÞQd›vèµw89’9.„[>;häe¸c\_ë‘Yf`¢ÆZCº$ò5ˆÕn!ÛɦæÞ¤
sx½®ÄrR=*À@:×9ï+Û»%êÓ­fþ
-‚BàuÀT·n�*ÏŒ ÜóÙRF�”àêkRà?�
™mD)ÙÊ$¾Ôô‡6õÆcíؔʊÊfú[áŠ
-‘HòGNè½W¯¸;¡Máן!ÒPÆAÞò?‘é©ú@ãß}{¿Bß”ZŽŽ2ÐeXk®ÍÑ=&"Òp¯.$Yªûïññœ´é¢q{ónÂ#K÷¼Õß,SÊ×z¥vçSÅ`/r´ÔtUnέ�¯¥IàÓé´{y{õ‹¸%—ÃhIËÉ3”27—Ôë¤"YOK Ý~Lƒ&ºA7?¾ð."nzš+Ø´z'î,`J)D—ˆ*ª× OUym‚`•–

W7Ð!pu6†Æè4âœêq÷9!¯³îÑ3T‘!?9šFÙºÿY %ìär9�göó&ÇjÅ-jw­„ ‰µ??˜‚U¶†?3Ýö·5dœ•àÕ).b[yÀë53àí­¶cÄEw
yQ}NdIF,kéAŽ…Ù¶`'9¨ÊðôÀϲ…�R‹úÚ£?èôî¬lКZ6~N³{þVš‰Ï[Úp³Æz»œJ`Ž�¿9ÉT¢cšåZXø»z4×Zul=Ñ6»p	né´¿–KN
-‘IÜ11‡yÔÞ·k—J؉÷…Êy~Úµá*�'t†&.{^åÜùÉuö×ßW_wûeð{2?X%KûN›ÏÈ‚œ={T;‡d}5ËŽœ¼uo{µÓæ®mEi7hRïáÈyNo
��0P2ûI8Õí'Üàü5FÈ5rjuñµãÖm´‰Ý5‘
±Á#âÓ¹~³»''Óm�=^mÌ%°ÞJU#Í?çgE||ë÷£}HréƒÿàVŠD6åËÌq^CLwˆ|Gƒé�n‡ :0ኽæïR_Æ�V1†øQ�/Úà­¯ˆ¨`QN¿T7ŒÔöi@ÍÌ®åθ
»MÔEì¾	Ì´®CÅ 8;mžT�­í£J2«X8K˜èº­í¿û³1ĆQÈ}ñÄ
U
â…îäî'&5«{ƒpF^¸G
-§ŠçÍ%Vš›)|CÓîÏ9vÉÓôpXRH.…]ÃÌ	ò›øþTu{¾zÖÚ9p†a«hÿ	Ž©æµ¨󞽘Q\5KñíÀعQòJØysé±–W?yj,S=¦¥¾jCÃYd…ÂNˆ£¶Y<oò‡Ÿ¨çÝ@Ð.F9-EO,û·#,Ó•5XsÉtµD�XW¬,¨
-Л|:²$±pà¡Ô€ÕN4�”Öè}|O¨ÈîÜO«„ Òðf^MÌæs*Ü”>HzŠb^Pkè¾	$Ôs1¥\ÂQü[ê`Ƽ$˱ÞÒNr·äæJŸ�¾óáv½_ ·»~xu 4“õ¼P&;±¤Ï=ÓÇAÒógÁÂ_	|0™›¾À:ÔqE9®uÜÏqr„.aaéeõßÁûì6Ī/ÝûàtvˆË
-ªDÌ1ñÕ òX¿äzcƒ>2ë4c"fî
-t­Q:ÔÄ|éò�ýÞ~¾Ÿ/:�Øü U` ì(›ËwzæÖÃÚS3dú@x�N%jFîjüÚcZÂè)	8\"}Gˆö—}×ì0!ñÃ/ñŠFÙqhÕL`è_
-†ÊµßhÂĺ3Þ#4RÀ© “ì×›Q&êI([ê
t
-‡Û6Òú×ë_ ‰kYhJÛœN*A?7ƒƒ~åjØîZ€ás/äMTÉ:¾ãÃÝò¦³NŒ²¹é+ <í|0N<ûDCÌ2@@Ð"‹Ržâ‚4g*%ZŸóĺk‹y™OÁÕ.ŒZâõ³Ø×7ö<üÎe¼‰å³À’Šp÷^ú…*˜U‚§äfäQÔÏF
-ùf¶Bïô;‹y9ûWu FjÁ
ô…Õ2~pls%BUî-ÖŸ^ é”†ß‡‡Ø÷q‡×¹Óv*j9•¬ï®£"›ƒ~¼cR;ôÚ™ØÕà„°™}tkà>9
-=%?“Ž·ðV‰üì?´ë|ÜúHä/§_«IæˆrCÒioìÓ€±•£ò¢€<'¤tuÌΖÌdÕ«eM~Æ4"žôüO=	hTQàxT^,6§EÈ'C’|“à—-ЗŸA4ˆ#Ì %ŽIù.e›
Ò“ŽòYžÞd¶tvó]³ßDóßã­ø®åtÉÁÚœ1qHo²#�^ØšÀ&šÅÞÏÐç÷ZT,þ”Ç=… ä9ΩµWN0™­§¦DÚ¨®–®«„¥Ä¿pzú6+ZTÜ=µ÷™{牞Êü)Úð8é=±¾€ÍrUW˜AÊ/>¤¡J»®_³]ï£çj’Ý“E¯û¡
ƒ÷Ò÷òÚkž‡…æxÖ¨u8xŒ
RO7#0'k¸×É¦Ù�3¸úó+Ô¤ÞLݤ‰LÄ
-Çžž�–ˆJç\þ,ûÀŽF×T�|©�xöA4ªàJe"7³(ý ü±^|›üfŸ×Ÿ†ÁÒþÊ$¯«éFòK0Y²ÖoÔ‰ÁÁúSƒ`ÍjTT¨C¨¾øÆä¹<·}1L¹œ7óˆÙÑEÚäHµ×gÞ\
]¬<W­k;†ïXm
-�QÑf+ã9@/h0i‘ý;뀽…ÎßE§YÈFCÛíù¡Ô™Ëþäƒf¾­Aö5[Œ–0—Úñ¬søKláÁ䢣4 0f\ïª]Ç‘¾”û’àY/q!œArÍ	ò35K‡¯¾ïMئ½*KšNu°×OçvdúKÆRk¼NÌlÜÍegÁf�<™˜×,O	ú~’Ï@xm š„[àšÇ«—2£d!õÓÈ…¾„77z–Z¯×8¦çó3Ç:ÔíeS¬”÷#xY&‹º—�º=tkÙ”œ¼À.€Ugž\¤†zç8¢ÔçZ¼íZJ
-ïGdÀvÇ@?/ÐÜF𤬨¹CêÔ÷úžD¨ZÆ	‹éµÌ7”»ºÙ扂Ȋê0É"Ñ ñEŠk�hµW÷oT¸t—‡÷Ú‡á¿ówÖSg6;Ò®Yf­1²4ñûÆ®-
Ñ]£œœøÁêË.bð=ZÁ?Ô*·h2¨�÷@f
-ÀË¡Jšu©ö�aÚÍærsOÎ
Iñ{É«ÓΚh.ŸÂ0Ù®p^ÏD	Dz~ZÚ¬ÑÙ}á
HàSѯ‘G×µXt‹”úg*(7(ìÑ#pÊšAL”b71а••=ÉkæÎ
-‰ÉðÏ[SQOmGéQO”ùóú*sê9L¢ßcçý7Á.°˜XóØ'ð»h”Ëj*¦DÊsª:èÒMu÷´© $qY°$h“ÍFøñÙFÔV’È 3~ö3¾½þe§!Ö°Ù±íGaùÀ
-™¸8œî�LéÅYŸÀ-é§àê… —+²’�Ù7ge\!d%ÇçÙ
/ì|F››WÀ3͆qD¤ÈúGüʯäŠ%�dRºÆ(·½·¼Ð¦†¾…VšL>äÀº©–•ùh´GÉh¯úr¯PGáÒªÚ(_aœ�Så‹a‰·ê0Ù|ýP_v$kø£Yù%ùœ~‚:\á‚‚É–~NÖCIÂAíÕ]˜¯¿n0»	«'‚pu�”¢é·|õõ/@ҸȊ
-¥³mÈ*¤tZ®œf‘k™Qr‚ŸiµYéJ–“ríÃ;¶˜”æŽ×uqµlŽ/Í£ëûñQò3ÆNQé[!›`SJ�9†v/ú9ï1ѹ¶qã~‘—:‹^º¨˜Q¥žcsö²¹¶tÃò³™AÎmé9
-«ó/¶õ<øvçsK³~¨’mxÒ£€'´…ðîðRûPȆÏé‰=
¢6X7º
-å‚3Ÿ»¶¥+
FL{‘¥™É¸Ê{¦›dwE<Ûðöuª¡b~$.›�	o1P�YyàZ°„íãq»÷ê6›Kw¨Ð@Òøm!p–wB
¢ÓxÙpܾâÏÆšuÖŒP9IL“Fˆü“VðW¡˜N¾«5Šoé
-¹;~—ÿ409±‰z…:Ƀ
˲Ï�l'ˆÅÉO‡:⼤ßT�ÿŸg½0Ö‘ãC
-‰)`Ül®Èå©`—«dÛeö‚÷PÅ=õ>©k¿Ç“ù1UâÔÏÎS9¾8¦¸ÉÏh(óÛÔA»SmÖIˆUH~bóŠ`®õ¥P>ÊÛD²D£¾æ¦“³ÂiϸlZE¼jJ2à‹£®£ž¼òÑÆ;JäüÈ»Iúâòã–øèÑz¸;4ýƒoŽÕ�z¿ÍnÑŒlœv»fºü±±7†p•Efí¤t”ͤêNy(IF(¼Á_
¥Î
-’p6°’{�çOt\AŠw2¢VúaMŸxJ
äÑÈ®BZ骿² rL?¯1
-G”=Ë�ò…#†Õ4ä ñK"´µð°“Þy�¿Ä½¬ãpÜ-�Ñ[É~JheæÉŽraaî%7U�ŸÔòŒ”1²,	ûWæ³Û/¨^
-$9mhoàpÝ0V™/
-ÍÔ¼¦³ÂØ´VEíRÔæ¹^
hÊ;2¾'ºîGÂ"òåå㊻¥ÉG‰Ò½’ïÛH£-êí'Ee›_·á•žŽk²	ȼ\éÑ,úa+¾Ð¡};½#&Sÿ¦á*�²ôhP³Ñ¯sn
·×7o¶EŠbÎÞsî\ô·oÛê`
-�ò‚
-â†tãÓˆ'—%CVÓIšb¤–§µë~ç&à!;°ë-GÂÞ YÞ�œÇê+ÄNä‚b|—AtFÄÅwÇóZ;žÌfíáLÖ
#•«µ	Zzêdí8žÁÊ,`P�ðª°àògqæó	ýhí¾>¾ÆþPÐZ7“:®fìãèrÖΰ¦xÑ]Ôãa‘s~ç»+V
úšu\X`…À䌜÷ǧ”ÖÍÕÏîõ€4+3wQt1ûAYh¯‰/~òÙÉøM‡ô¦øÈ_—³•œi0!šœäjª÷yÙl±‚r€ éED
-蘭(Æ|(h„ÈA½®îÈGs%ÛA’Ã+©	Ûb2ý—�¼ŠÊÆ·ÍšíhÁó¹)[ǃ¥ Ôµ ︌2¾½¡'ÔÃ,N]¼tâÕå[²u&Ô˜?!&ôP{PÌóÀ´êì0Yͱ=·º�e ÖÁ¸‰‹ûyŽÆ»ZAKÕª}-¬þäs3C:3	,»€DŸÃ#‡ÒÓ¼°Ÿ)þD°;·�Zßj	°’êp_$S¢�¸=\<8âg(Êî/vSÈÍTõŒ¥¤rÙ �ߦ8N‹‡mpl;û|~kPæiÀä?¦
ÁDͦœ1ÜwÆ#EÏ’dï"ñ`S¤!²ÒœC:lCÌô~}WìÙP–3")Z&ýn2ôYp•Ä:Ï~¢rÓu}²6dÅMCO¹¹6+‡$€�'@®Mm`Å-º6V^¹SWnwFbJgG¦h_
-¼Ÿ'Ïû¨H³·Âë ä!ªEüñžë£?ßFïíÉs+ØšˆO¢)þç½ð²Ç’×QúSòiãF& v¬¨5ef˜ï2xœÀPÔk»ã±5ekÒ;Êx¿Ï•fa?E–õéè•yMhΣ º�r�yì�Váå09Âf	¹®ÑÁÈ?Lö²©«’â¾­^爛0è8ðvr·áj;øë{Yèâr¡_›LÐÎ<ë‚6ã‰!týÕÍ㳌+MÆ’$,ËúåIòrJ�AÏ�R§9sÄŽH:{ÇRÿ¹•FÜ]Šß[ñB¾ù[�^¢Wu¸ÛE ¤89„Õ'ù�êâÒIŽyü†ê=º—ÌÒ£6æžê:´:žåGëZ{<ï!ÈLãóUýÁ¯öå¾8)yÁ´²'ÛN�WÃð#bžÃ«�«óXU›þ|>KÞ°_Ñ£(Z¯ûÞYåx™O÷6t
B™W³ÈÊZ#Ç ¥Ù.W@£7eÌá=j¶ÇÅ[t›~SØÀf[Þ¿”8#E	í´KlkäJIó°ünQ²&»ŸäbeɾdÅb«B˦àJ³…PçȽ#ïExwö÷W+ü(3 Ü3ß¾ÎâÐ"¶lTƤ%Âç5™“˜ÉÍÌ�|
¢Î—ùªPk$ã4�·‹r{$‹¬ä— è½0	˜ã1–òÂÈm_—ö\ùfɸ…ìÄäƒïS�Ú‡» 
'93�!Åœ,ùÏkÅõ®“ù³§Z`Ì:v÷D)™éŸüJÔÙ³…6<åY¢'°~S渊ØNÝ]öËPNGˆÔ”F]g$p€9K†ûÐ:ÉÊÜ®f­Ù˜N£o/¿Ò§Ð+÷TìxÝgä—J.ì#­^I�d—§jè›ð{O†>ÈÝqYãºUj
-Vèp‡�—-,9,©Áz*[5í¶�V‰µ}¶ÔµNÛK­`TRø
ðôÐå}¼Ëº,5®¼S<PÍôŠ£˜8éà2Sr‰ÉòUŸŠ Z_â•RÛc¥CyÌi¼åʵ­cÞûCTò]¢6rÄO`3.²€’Íñ–ïË"hz
PKœÎ5³SÜžb9N§’:j‘ŒOÆà5Å7¤i7ô¡¦h9i|žÞ£
p¯�/ÕësÍO
s|“̇
MÅD§á
Ô@^wöÀ3�VÇŽG@EšCµ'´­Yƒ®­‰(e¢ÿ_;óØ	(
-Yø—E[ŒOÞê­žMnŸV¬‹Â¦‡Dð‡X7ù7RbŸóöo‚57Mß•y
-fkþŠP¼Œ°á ÀBŽ)3Nå
Häš{¶Ç¦e(dŽšã-´‹qÚ¾óƒÿ’ö%©Ë!Ut™îõEÀ·ÅÃe§á¨õOúÄĦKßd&oëdã�¤Lo›ƒ×£Hd—MÞj
-”ËÚ Íö+$hpýÛnü¼¯/Uâbõëú$×
-§´Ë¶ðp^þÄ—EÖþ�BÚfbwþLWw:³Èrš"þ¦UHF³Š�Ñ9¢˜”Í�f¬£­‚}Ÿj_5)¸palê
-’!c«ý”ý¢F)
0ÀðJXÜ|—Y«N¯ÛØ¡O1:ï¢f2˜³��ë¡»žï¦Ì+‘L,xÂ9¢Þ¸rQÒ'䘞ˆ˜lÏF~‚æ—Ã?a¾Ý0YZùCÀQ/Èk ã4G“ç+Ž´,´õÔ§‰ÎŠ[

-�g�ñc¦ÕŽ™¡Ü�3€ä˜î¸î
-Nïƒ_8B÷Œý±?·¡R¨[œå7Ø\ë!“Û¤QIÜ](äãZ9/!;aß�îJ7(d§¹.·òŽíÙ"ÁãP[½ô¯t*ë·ZŸÏu2ÖX¿hrG¢éùÞ¿P¹÷$plñbì%4ªÝù£7-ÿ¬eØ­uLôùôfŸ šZÆw¤–H9»S?à5ùö\¸$$iÄh±Àßj ½}æøè—.3’L—íçv"X£ÇŒKfd”v¿�ï[}™<‹âÍÁ,Ô:&—â„)Wßͦ¿¾öHâ¨o·±‰@ꃼZe2Þí1›È÷2ȸA@/½Lj¡=Ø-æ©.ò&ŒÔ‘þObw
æØ	CJ\q¦û6_¼AÅèØJæ�Ö´ö˜Øë2ÊB÷	
©�zhÛúXQ½îò#ETÄÝ*lÊ6×ÖOéþéetX%í$TÉÊȃËrrÙË«�³Raµ'p¤›€®Þ½ÐüB:ËbF“•¢õ”«Ú0dieš†¡¬Í|iÄYõÿ6ü dòž�su	#EËên³ø…>°‡&¾%TÅÄ�êâúÔ>¡)TÀ8ì2‹Rà?ì)œñÎJ“�F7J
�]ÚkúDG‰œ·^ßÂÑ$”mË8?äò›U–ãêw8”dR׎º™þ×)Uªžàa*�Ç%n'
-5”û´¦LÀu¬cA‹æ¤(ž¯ÏúÓ/YNRZÕcù˽Ð)€�¾¢_M\¼íöú£˜:l#¶Q_DE¶¶ü’yÓ
ðL©NlKõß·h„#�£3įÎ/Þ>€ºL&?Ê6æÂc
-sìm<ßò“ûöüàÏû@n6“$ZÿbáÌóå•h
-ßÄCù	 6#11ß7ÎQb­Üc󨮎ê*„QÖżÿ°H<Z®º„O|í6LDôÏÀ€�w¢Íð�ô¹é…éýL‚øU0?Å ºŸ4òCæ¦Ð\
øÍê¬EoDÁú‘ß{hÊä¾bÈ“*yb¢€·ÒËÓi_R½�ÀåSZ	Vé~ð£%ú’¯d‚t–…<xTÕ¬¸!ˆ‡(ZV¥2Œ�Þ|Ò××&ÜÈSÃHX»x.ÌÔY‹�°kDH=£ òivR‰ö‡OÙŒ¸É“:Õè& Á�#K¶kð0¬Ï¯èCYý
-–|Ú–¨ZjVሠ¡~ü;È»¬«ójoœ ¸Ö’@·Î§,1ؾ~hW2Ѻ¦“sËRsIÛiv‰XCt”€™Wg$Œe0‘.Öƒg†-‰>HÒ¬jÉ4!™¢'±ßõãÈ2Jt°™ñ/£ºÌQ>Yý¤ª•IŽá’,ÊV;á�._—7€yØ«UËbG
dŽ�cÖ^]Œð
-' Œä××6nÕ÷_¨ïo=›öÊ`Êp˜—#aèôhëܺÂqá’Ÿ槆71�|uå,'ÿ P
w\=X•ËÎWB«¸¸ñ|_<­8Œ
¥ùè×᪗é”|À¶ šÀ8Ýø²:yº„>¥‚x߉¸[Ð} °8}Ì‘™÷‘¡K³Ô–ða\“…¬¼ëDŠ±ýi9®±eËš€¬üKýÄ…ÿ’"€ØSJqÎT.ŸêŠ—BRÝ�„ðú“W¢@Ú(|í!lÝ4Ð:°ŠŸ-TËWSÞX“Bo‹ëÇ£’¬\U‰
-lŸUÄÙ!1îõJk&eüù'Ègw¹Còd¯"ýú{['�^Ì3Y»GÑ{K¾|ˆ‹-ï?1âɳZöQ™±šjA!ÏqÎp¦D9Ï°1‰æ—ßÏ�ñšyªJ߇Àè€ü?±2àÙ°«³´~w¨�‹Æ¢˜˜‘°vN*·nø‚(Y/¿åã^Uûº�ö¶+
FDû±_HÿOŸ˜­ìw] \�˜Ó—1é6+Û“†CE]Ïï›l¦Zh8{BÂjP1æöÐÑÕ2ÌS9Y–Ïð-Æ^èØi<<Dgø‚sÆôÅ«fðŽÝ.YŒC›I@Í/ ‹.¾kÝA•1›Ä4%ù
-0ôCV�»(hãÍߨ£Ø‘ôÍL÷ø¤”zs·/Ê·wâŽr²\„1íNkó³«ãI¢úb‚°í˧‰xªå1!Rxižÿ§þþ‹�T66»”yBØ,[™f

-øm(m
-=ÿPA8¢R–Ž&}«(òý†Ú¯:¡W0Ì˽xÝÄPSUrô�s{Ûžfk‹üYyü±z¢ŠÒn”ÍÛá’šúeäZ€¥L
-VwWØàÏ<ø7ýç»oG‡^pM‡yFÙæ^m<`ué$om2Û¥õ<¦>¬ÞÀÏl$Þ‚ˆgY\î·e]ø‡·‰í¤LH¨V_àó-AhRah—JéÂ2­ÍX\L/ê[ºÚ1qNd„Ì�@­µÏÛ÷
-¨ëcR÷aƒ>½x™&¥\—Kº>�VG—Gá·oT&Íe'\¥«Ð"9
-÷�¿Ï�TÊRáÕä´ã—ámñ[©“Ö¢ÈÕoÜTÔr³I,¨ìÚâƒèr“DÒk×.iOGEÃŒïpì} dö¤�™È}-wÆNMÛýV«*oðË]|VN×ÉÄÐdIÍ]n[ìJ!&�°žc�,ÂÙ„~G3^>Ðb&b÷6›$¤qUUø[�S
K^“€“8U³æ1x�âºòq³ÛÆïw
…:×=€%¦¥¶äÄF·
-;�*¬{Çšª(ÛQ„J54p0P�É©Ámp�®ïÅü­nmà,)X�ÓOÏsé£Ù™«ÔËÒŒ_È5Pðö_AnygÞP“�%ðYYú>r~|vÇÞéÆvý
ù4p¥v
-Ò0ÃøNðE»L`À÷%ìë±ðQËš/À{ú.-ävÓoo@W éÒ¯ñ2wCÍÈí$_±NÁ³æq˜FÔfTiu׳Ï5uò¶û¾¼l¼«õ‰à-Xˆ&½²æ'ù€ L©¬ÿÃÏBeZYIgŽïÝ;š!< $B…ýíÁXI±<ƒ”@hš³¬÷DP.·æBúþ­€dö"¢žHÀ½¦©e|B܇KÉ£û'c~{…±Kí!FfBýÊ>5—ÅË@Ge!¯{Óô^aÐÏë ñR@Í‹N�„¤ú£…Q@�â`�c?èá»ä¦Ý»ÁŒ#Ì/cáôPä²´µêÍÞ=¡±Ÿ/Wgžƒö“
Ã]íµ¹š[ÊŸ 0t¶w�pí,øß:œŒ!*}_›Ï¨œ=ËCiN�@“Fk(2‰Æ!¿Ðì´V•Á£Ü¿7š@×Ímãå@Ð$5ÚÜ´V+«ÐqqãÞ fÖˤׄð²:ħirmhѲP&#ãê`Ä/Û¶<Še´ZmbÉÒbÖ^ë€8ø2¸Ê-æ½èž~¦»¦¤¥�ÕeY�"é"¿èßÔÕB*Šÿëæ"#¼1’/EzÎH,�6�M¼¼„•ê�­ÏĦ¯àÈí_[‰z ‹‹ì…A؈å~×\ñâ´¹êÃu;ÖN/CÜ~ê,N�Ì“÷üÙ¿‚NÙÇûhü³Ù1ê¹VK
-#7�k9+~FÑØ™¤wI¡Ý5?xIõMœb»o~—
9ûn`Bâñ«ƒ›ù=—ì¨Þâ¡Ó=:R®Üæ±³
§Ïýë;Ü
Þ°ë�2©p¡ÔWì	(˜=ÝYr„9òç$ž:®ãBZ:óæ²È¾HwE>…T²;ëÐÑš?Eg:Ç/BóÃ"gwCšíYŠ+•9¨Ñ(©öþ‹)ÍTVƒ±Ù¹/žãÇŠp0þ
8RÌ×ó€€Y÷Žˆ6øÑþÆÈ]“aVÅ;6
̃.ÊÏË7N
-×C&©ü7ÙÖì€ÓåÅ;¨Ý�.
ô©qF…0W¬tÛ€¸œ&Æ,0þ¯�ÆÝx	}B¹�âáÃÍÃlr²ÁÿCPZ_>Y>÷ñu%ëÓTÁÊè@6%ë»î(_þOÒ[})ì׌#*¶XgËñ{u•8×€.´7Z˜gJ‚Hz
Õ
-½»ôúaDz—\nT£î©Ãc¢@ºÍšèU#í´j,*'YimщA­Ø*�–WÀ°;šQôÜøA¼ê.ŸcmˆD9Ò>#ÉôÅÿdUÚ¾ÞRÓU=þ”äê1Ë�PžÿRÇýÉžÀÂŒÇ7 ÉçKpÁ&‹ž¿ØßA4›DP§­¬ã²4äôCð�Q?èâ‰
-i7Žk¯¢¦Vúìë1=:—�1nÁƒd‰ÄÇbŠê€ñ-þÞ2–R–,*ؼB²:¦È½
WŠãŠ’Ïæ8ªóŽ[MTÄmëA¸ÛrŠ
-®?ìÑÈ:Ì>n.¦„Ú…†AW�y1ÔÑ3mÕ]}íËd¯‰�Ïá¼�!yÂú/1½º²6Ⱦž�»(…è5Åß�Þ-S©-פlÝHÄÒÙ$øªèÿõ\ú²ÍÚBašÔCSQ¬?{÷Õn‚Å©"¦R꟢âLJ­ÿYz–œÁã5¡4dÁ/* Þ÷ÊJïYÁ³ož–yh\Y< ¼&ÊoKqÐfÜÚüÃxÙµµÓÝO…+åb|ìý­Þ·â˜¸ :$eÂ]ä‹[}"{µËq:V¬yšèBA	¨äì¨Ú‚þÚVNF�¼ÃÚW¨$Æý·qÝ?j¥Wж1m
Pe6�SôóJÛõ˜�Šy°·KZeë*X.º’Àm›¬�*/—"÷Ë\ŸŒdõ}�˜ÆLºŠ@/å>n®ÚÐÒ�HT‹ƒÌŽÆAÊõx$ôA.Äž@'¨ç‡š,
-T!}³ÝÎäýð†â £/=Åÿcvz#þ#k”ˆ£ÉÄ㻑„ì¿aÝ f…¼…$â”3|t(Ž¾4hléŒØ×ÿw®ˆ[Žë;ÕØ¿©í?O�¶ÿ¼3–a}+Æj¹3Fm˜¸"ÝM£lçòþ¤VÊ 
I‡§i�Êßà‡‡ãDù¤‹¬…9þû.ƈú›£’à@¤=KTxçyO
nZ[Ž/Bý®g\ÝÅi‰�	KÖÒMýœÆ}jÿ+ë±5d7í:oæc¨‰€!póúŸDͽ†/Gªæ‰·ŽTï0î#E�/ÃrÉM~+À.…*ó'©oŒžã˜qÑàö�B¹�ÇÉm£ÅéúÝò‚9hnì˜ÕM~£Y:À¬ª|å_SÑ÷E¤÷Jåƒè@¸¤&_÷ä¾iº /×E>UR'UàÍm˜óµ¦•k�`°¡«Íù¤@); sžŸC¦²áB?§°[RIx ¯‹‰"5ÌZ÷Æß•3
tm›Ð²ýÀ«B«Ïc”õŸj'Áþqƒt„®

-pS>FŽÇ_è|/ÉQ�꣰–—þù"t5@Ó
ºá÷Qу;vä=­íÚ�[|r9>t4™ynÓry>lä�<þ“ýÖˆ•ÑÓpeBïaÂ)&ÓôF(ÜlŽª<ÖÆÑÇÚ‹çÊ6B¹ìÎÑd¹p†��¯UÝwŠø ¦šŠœ}J%æN.á�Ÿ·-Yg¦I&ÞÅoÂÂÝ
áòŒÖÝ’ëüîÅ%ÙºR¹å‡fǼ¶øá
SŸ¦RNëê·P¹	Žý§ RVª,ukªZž5ð°dã
ê/z’#ѱ‰·V„ÆáÛ5åcSŸaŸ®ÔŽ½YŒg<^ƒßL‘àŒ>îâô?8}˜fý£Ö,<B"j·ÞþÓd¥Äi¬S7™ÔS*Í�peK5PàfâõõxîxÇwe5¼±Ô;Ì&áw�ïY+wc­
-Úܾƒ•˜½j^ÇO³?�DkÅÕ(„)¾áãOÚ¾À³—g´àÚÓ¿cŒª(ú}øjJ;ó‚à,*Ìhz{Ž…˜•K¸+;¨(®hn¸‡­1„•êP]Mõ,Nýåq,snÚ€©÷hçõÛEõ™™‘´Æ÷k²êMé`÷j¶È;¥\²\¯]6öÀ©P�Á•YÞ@DÕãáV
-¬|°½ûjãœÙwÝœd^fÈž€©9F<ö$¥½WïCåì<¦fg)½<ËÖ¶ølÝôÆ5Ÿ�º'æ¶âgà;ºŸ[SM
+ý€i¬óJÁ@èaÀâøÌœMjY�ÜuòQþe³?†9]ÑðK…Õ\ì4« ƒŸë�à‹½KŽöíÍ9YäÕí½Tí„L¡oů	‘ÃAQÅÃ[Wo¤,C5m”`~É@ëè.4[®ö‡ÛAÉðFŒ}
Ñúò¤��Îk­ç~ÜØëiµ@š
1klî{–ñ;‹~.|xàyÁÏ·A|ËAþêòÅJ©‰dV¡³öî7“`g‡ÚÛ>}$ú릷;Úã5ÒÌZQ�ø$k»o^ËòøC@„�Çlª
-L€-²¥ø»¼Jîýý
-¡YÆS4{Ú0…b3ð?°äVf‹±Ò‚"©†¾£:iHß^Áa1`IÊRŠOÊGë½qPÌŽ3†aµæÁ¶ìêÒZ	(¾QûÈ´µ*½TÌ~4W�l?tnt49$ºÚÉ-zs^"ΉTŽ ¿ÚLi‹¨'}ãN~)™ØËžIS–+×XC” œï€tsai9£–Óv4êø&O¶ê¾ùš\CV昃ÉZLÞRÈ�ÇHýI½…àV8’ãÚ«#w}Ýá¸û"--xõôLd:ÞÂ9cœBŒÂÙ*ï#»Ã¡áÕô„u	‰¨Ù³)ŸáB¤É®…uÏÎÛoU†LÁÄÙ�WsÞ×£ö>ÅÉÚéH\"ü…ô›šu0a&†
¸V•Úð¥;T§’›î:¾Ð×'—LÕ=¸‡ Bí;`51&®séUÐœ`¤‘	øŽºT¸
‹¥{
-Ð]ŸXêy‘ß²oÓ€$ð;ñ^¯�$bМǒƒeR¨õJQ°~ð’½¢h•ƒöjtÁð’£� Aš–ÝHFþŒßæ¦>ù~~ÛŽÂÒ“]Ž3	Îk¥@\-`y-Œì|Šò
-8¨™€¢íuÉu(
{¤”ðßÁá*¬�χpr^!Þ¢�ë0SQPVÆ;�”M°(Î
E0’A		æÛ£Ÿq	E©¸›sFÍ5Ñ¥·¬XÌÖX;q¡{{ïHäP'Iðmå¨u葅ʲz­~Ì�|™Á¦­¤Ê×춻r­ŠŸ�
2µÕГ(ÚÆDÕ	Š�·Ž¾Lb`�Ån\a#ð-7ÊaÐ@ß™HÙ¶-dØä.`séBÈ�‹Å(Óâ‚4æ/gËÏÂ1‹´ˆ¶êC�-
-endobj
-600 0 obj <<
+/Length 25968     
+/Filter /FlateDecode
+>>
+stream
+xÚ¬¸ct%\°&ÛvNlÛ¶mçĶmvœŽmÛIwlw’Ž:¶í¯ß÷Î�;ëÎüšo~œµÎ®ªýÔSõÔ®µÎ¡ QVc1w4J::¸1°02ó4Tµ”MììLÌ­åTíM
+°t1qpûÛ7G€µƒ™�»ù?þÚ-ÿ%ääâø7Âþ¯ï/˜²£«›«™‹µ“àoVeqÉÿàéfeâöOnWë¿n€£ÅßHsG3÷Jú×÷æ¯×ÍÄÚÁàôrû'—)`níêdgâý7÷_0'ëi¸»Z;Xþz€ÐÒÄÅÜèêúæ/ö?Ýù¯:
ÿKõ&NNvÞÿÞvü7êr°vsÚY0±°þÍiæö7·¥µÓ?£"ã`á`aþ»¹»Óú<€.ÿ6ˆúŸ™¡ùKÂÄÜÑÁÎ`´€cRttû›@ý§2ãÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿<âÿ¿ïù¿CKºÛÙ)šØÿ½øÏ�ü³dþ·h{k;ïÿSü�ÔþÉÿ#ŒŒ›ÉßVˆ8Xþ•ƒ™‘ù?ŒÖ®’Ö^@sek73+€…‰Ýß>ýk×p0ºØY;
+ŽæÿóðŠ¨¨£À—�…“ÀÀÊÍö÷ɱ²
+"—x
r[Hz�ä-ÙÙc«óæXÓ¬Œ
Qm í-½èÄEꋳ’øÞË[=Y�ym ú¯®jµ|XV^h�ƒØrMYáXz2(—²ß6êX´oϯÛåzðïæñeç,ø¦��¸µ©Æ‘W“‰¹dÖÌ!àPjBü„RËEW&ù?GƒzÖÔáB ¥9ó?ªsUe˜ÐàÇþŒ¹zþ¶#¹ÙÍÁ¬JÉôŒt36²o­=Í`ſͽâL®W3¼:Í0J5WuÁ ¡.þkì9sÐêà
+YN¤µ(¦6;.2P'
+¥>®6Sô¹p¯{¡ŽMº7q'÷BSì\!#Ò
ì²Ý,k:èJ	Z�®{ ?ó™¸� z$©Ÿ{F”§‘€
+–u°U×Ðü$~ßÀÝîÖпÄ ÒÜeuãó�nÃöÍZ¶ú««ìbE¢°ÙAeÞbdË(j~nZ¢1«…ÐÈ­^Óˆ+¹ýÖoK²±µ>”/81Ó¹Ì%=ô'åU-Ól,õ�]ð5Uó/”Á¤ˆ"1ˆÝeÛ?��Ó˜ð¬*à0ŽmzŒÀŒÏ&=t�°óv%!—°‹&H=—pO¤'³z}ïI¶×4>±Íi7H`,e	½Óí½6 +
+AZºM}eP„H‡§žÕ"Ùt‚aÜLæÝ@g¥˜£� !É ñ¯y€
+leh¯4³Àe ê¢$SbdxßW#Mÿ(\?'aS4©/K>ƒÝnèÔ„˜6¬÷Æ`š6Šg×!«˜[“wf×bRIñOð“-Gè…=lº¥
HYä°¾TÎ…k›íáx±µ,¶v.©ºø¢gáe1eX¹¢èÉUN�ÐÆlB¹øªÓ>îmcxé�+Y»èY»m�)6d`÷*ÉfïQÔ]%1�E¯ÈU¿o:ŽŽ×¥IÓQÞ†Ào?Ô#„¿NdævB!†‘$)ó–×KŽxv…@�MkG/f,p}·S¤µÅ6Ó¥!2:D•V³âšçà6{RWx®í‚7ÈViµ<epŸ–h
+@uº@ä® ÀŠT�œå’WÙ-ƒ
+ü;RAeýöžœi7Žs�þ�5ÒñIÓŸ¥%ªÍäyÈ°—©áú’P–*Fñ
ý+QàKš©}%÷ÞlwQ,CÆ)=ž»Ê" 
3£–LR�w<;a!ªÌ�(ÈfÊRb—­G¢Ö�1…›òM E[Õht�ÂŒ¡ÈI"+¤½�?e–ø1CÒÝ·Yôä<ÐÐ`üɲ ¨Î°e…(-ƒp�Õp$ߺ�BË�_}êçÓªÓË�YkûùþZMÌî¬l¸ÌÑx‰ë<ÚÓO¾Cè‰
‹BX\唽4Jhõüá7Ð2
qû&ŒÑúwÿÌA*Ö�z½C¾Â1Ã�ÑŽa.g€ÀMnÓ“û	4¸=¿jy	9Ù`è…']X¦zý–(©È0NIíëk9K±Fbê
ËRJ)!­ØÙë£�°»®¡q‡¦ìE¡÷Gη¨-˜}U æ½ä)Þ…ÀÐIÞ3(bÝÔ¾PEPÈKr]å]U™	¯P¶LEqòÂÔø,��0-ɹêÒÇ*Ö6h=éŠKS;¬n±HüEp2=96éU-9¸ÈQÕŸED€éD˜ŸÑj+Ä´k#™ù‰@G&¿8Üü8�ÆØ¥n°å¤ƒ+ŠK–±«Ô4Q6nCNTM´gu„í¢—ýy|d®¸ZÏƼ‰›‡zü	•…(¶]î1í~ÑÎÇœª÷ÇΑV1]F	Ç\EØ%H2ÊuÝÖ”Œu}­¯¬ÞdbÂÂy;²ø¥XO††̃(Hþé%_èTrzè©ùËE)`�~6çÛí²|­Œ5ŸVàP”ðyj.k"äçeÁS’݆-ÞÖš¯g[‚r›Qyv,
ºgb�£T?ߺUÖb›Ç÷ŸD~øàÉ`“ÈÇ›8b89<†9ìðf�ÎðN>’)»êÉøñ;™Òa[#CÏW²p?¶ªQ¯ý®†[>x”©ÐCk`+E#UÍ‹ô¨Îi÷ÜGNà%Âñ§»}ðš´f•¦$ÊùäyþÄ5Ò¦”·�@8¨âeô¾.%³­cË]ÉÑXSЄmÍO„X_(‹Cz>sñ�b}„óº~ë'_<m4ú-œÝ3¿Èîω—ßœQuŸé9îTHØ6cŽ÷©¯gdÛq'òV„mzgiüíEÀÆý¼\Þ›�{èLŒç!Ãã—œ}žrT-¹rfål�žðµ"zX€|29ö‰ç’
+j_ë0
ÚCQf#d�èÃ…Z®vòëÞ`©XRe‚Þ¶“ÆbCç_† Í3§¿/¼&¬+¥ž²ó܉ÈFÔïòÎÜ¢Pî)EïIÌv/Ò¨O­³¥‘—ÐSìvm¹=–¶cê×cý3ê«	¥_Ba>éUDžèß´84—5†¸ô´%�Ìd¤`Dœ™´ãI|vU@^Ù96¿L>ô•‰÷äv ØŒr©w^>w(dp�hµ5³]‰´MäA:bÙïVp‰WØŠÊ‹8Š�„NdMjËñȚͪ~ÏÃMiŸ?oëµû/ªk·åµÙª“IÆ_4ËøÆ¿É·+­€:’1fîúmv€1Xût~?ÀÎ(Ö4»c`
Ð⪗|•õચ¾ëU½OVp¥×Î[Ãq©«6‹Q½Ì	®îúÀ­w£c:£w†ôøo¦¬ŒììCz@ÆЫ®e÷îYi׸p2w•º)Î,«èsÞzÇjKÀ¬ç
+õÁÈ28žäp¦£›ô–Yÿ
+}jÀЖ¦E�öT'¨4kâùÁ:¯	kN)4m{ª'¨8
+o"®ßÜ–},2þv~D7e¤ÞZ rùˆgÉžà±3pm?ÿ,T
+ëîgÄ?)•Šl®/×ð£ Ñ]ÛºŽƒ†šÞŽi—é
+W7ª°å:)ª²‰¢Ò8¾M²
cOšg<ºÝö§Ü½‘çÅåÍ×3K‡à^i¨g7Î
ÅN`�‡©™ÔÎKO™É·Ì~�rf�䉶MÉ™\Sþü0[:Im²z?¸,ÛY¼[YØÝ T_ôöNÀ[ŠôAf¿/èçÃ4Ñ�Ó¤L3³ñ±•4Á„D›Z8âD¿ú>‡àotgç{°ÑÔؾєAåiÌÿpÁóI›úžöâ4»èÊv‹M~C{�ôš*¾T8Ù(Y² ©`Wkf¼!6cZEËàxpâuÆ9ÃÐ}Óá7uCÓïT÷E	j²DÎ"0R/mx„â/�!öFkÆ™ÔøˆiD¹—¯ÒLðVÿfô²< *ÉÄŽtûS3û	nú>sF£Sc×Êå
+�:ïزAøÀêPØ5Á2#U[øð/•ª€Ç»¦î”n[Wˆ�LØoHé„�W¹„ 3Ts€´<±_Z_÷ÈÜõž/Y8�V
ÖŒ6•ñ�íZ(D{Ô~‹Šc?W-QQƒ¿QØÌt°��•ÑNóPtz'æ_!ÆμMÓ²·ý *cëè;Ç­…X9Ï!øù©Ò�
+‘"Õôç|ÈÈtú<®{ }�à
+]’4ªLîl£+òöÁðt¤q©Èñ·*�¾kÏø˜þ’3YwÂ~.u=è|›ËáA�N@�®¦§‹»‚=ÀôÕ~LUP|Ñy+cwFæéB´­	öQxÞjÊd]æ}ƬsŸ«ØÃ>S,ÔÙQ‰Î¿ÚiSFÁêÎω ¿k_rÿÅ&h&o”€¶ÚŒ%UʼãŽN7ùäøcÓc*eQTæþìvÍ`éXb4o01j}OÎW†�lÙÿGµ“æÙ‚ßE×x#KG7Ø¢ò“–LÂBµôE9rÙv¶J?F0‰×
…Ä­–šˆÞïXx»¼ûê|¶m—{·Ñ
c¾
+úÊ•REË�
»Ñr:ýYîËñ˜	ùII·ÍWæÎаD0p,yà›ÁÄŸþ!ÏêS/‘çt	•™•œÌiÊü1
+>ú#ÍÌ׬-cRÏx_QkÞ±{Q*‡Õ™-ÝQ�^+b<y6Ö8‘ê� fkw6IŠ;R¶×T
?~¡˜5‰PdíܵzwZó²Û´ÄúóÓ¾ÈàÞË&Óéè’¸_É×_]m=‰ÀGÛ6=Ý?%¹!¯ƒ5i‚�h1ÎZ]b� îxÜítsÃ�)	ís�¯
¦¸­Ø’ù(	ù�X¤ƒ·`bÅßéµú€÷ð@l{(ƒ.•ôF|ÊÏñtK“MîvîØóŒ¬É¾»–Y
1«Y£C=V�<É3-Vêàõ0œ=ƒlðaqʡݘ’
Æ_p¸¥BøoU�¯)ÆáQá#ªÝ{eN†û9Î(ÔAïé~ýÙ0EŸ"œ�ã|K¶êÅñ¯�¸1pn»‚dNƆmU8'¬ÿ=ó¢`íuwÞ]½dfŸT�&YŠ¢žnª	ƒ“¤à„0‚Ø^ÚTø蓺›M×ü˦Çdx9&qÖ
‰–Æßp±p3;™*–�œ¢Ãêc Ö½³ª18«°óiÉpÆU­£@Kèçø÷'ZkÓÃøè÷©ìzF\ek9-‚rrGnr÷ÈÖÎf[Ó¼¨¢ž5Ç
bÕJÁ%!’õ‘o²—r ÛJ(�hô|ÉÝI¸<ŠÈ¦€G(�Åa—›ų¹“勪âs‹(ÛpÌ2ÛýXµ@û-5=ÒtN	žyJc¹fza
+Ê_ñŸÃ§ÑÔèõðnÏ c›Nê—ÃIlŸÃSÃÖ$ÓRAkP$'ÙÆò³¢lÁ‰“•¨=ÏÖtF%ç̾O¢-
8b(�!O¥®4öT”Ä/-_0!Ô=èæöx)”ƒØåÒ‹ÛBŒƸ@£"‚8I#ÇE”b8¤‡O“‘w©O»Ž$Ž
ç i'�À]K-xzfÞ]üïË t͈á*(/ÅÎú0aOcº¾FÔ»å5úÅ+6öÎjxÉònÜX�‹{˜SÄ…œ¶F�‚máWÌ{ߣ�$qum»Üø
çqw00_PC^vÉ'ÌQ©‘ÙNòáyÃŒÁ_A¾*ãuΛíöùD«dºë4Q^)ðO½öa»þhÔ–õ³¥j�ÂJÕ¾‡!-²ÕÒOí±âT"´xâ±Z´5ó-ÁÀ̲ElJ›VŒöù^[úkJà•ñ¢^Hrï“Ί€‡ØïO§ŽoDEizÑâ¥/ÝëÝò@,²ŽÞ�K;ñzàÂ//+s›I‘"_«ó¿«h˜+É„éq
é¨Wn4 ÓGˆ²¯%±_0‰ÛÂ	ݸMÉŠÙ­ÆÏmp	³æu£ª1R×õ!^dÞX€
+¼/ú¡e“–NfoŸ�=\îÒ.�³p¤Œÿg Æ"‚­í¶K‘2�›ÕýÞ	;¯Àƒ
ÓZU1Vµõ+Ê[ò0…=¶%Pêi~.½ÚdìÝ´j¹]ÔSŸz�l�]GU
+�¹±Œ2e8¿ûž÷‹£Ï;ãÛéå¸D(-’PÑÎšïXíj»<àèékÃrt1fà‘ìð�Æ"e—_¶Ë/ZÂÉ™K
+äÕAüÞ#(€ñ³ê[&H8¬ëé”//ð'tÔdN´ÖÙ–r‰»M¡Ù
+wp‘éõó �åÑûkB“꽞ü³süy
í)ˆ¨X²59~þ¿¯ï%v£‡"w‚é„0Í>au#§PùRà!ƒ’QNT>d⥄n0ßÊjš‘â¾BÌ¡„J»ªø›Ö)²‘¨V+ô1«éƒÃå¹;ýÐb1±’4Î5¿[Pö²ù¶£sw~ó#l�
+%p<ƵulºM*sLÛVXë$�„'+kË’T�ó6qI[�ëRÛäHJìTÍR70O�!½}Ó´<ç�JΚ
+ . úBU*R‘VI*‰~­†:¨ª˜M]ªßö£ˆµ-�‹•$ƒ@¹À\F?ÂŃ´æª]Ä$ÙxãÑ´ÕëìZx7‚\�g¸cÆÃf¥B¸à¥9èkItÃGåÞd^jÕ·«¤ãæ€þI��wÿŽ®„g'éÛµ­ËÿM5‰l	ü
hd¥}–uyRw÷º41]›u·ÎQ,f¢äá¶ÀßBû¡ýE;&)AD)Õh³rJ–¨À£=Ç.¨Þ‰@�¹#VÊ
–GG¢Ýþ…e§ì+Sõø*ë<*zÛ±ÙõÑ”ª†¢éÃ}ü
Ü£?ŠquPibîB!B7›²L@UÔîuÆiHÃ	q–^ã8ÌŸ>o�!"="¾å[½†¢"SÖºþnŸÑ#Ëå¹¼PGËPÈ1Ù,E"ÇyG:í´æÎ÷0ý¹z$J¬xÀo„…��:f±ð™µm‚éø¼MI"Hv¤ö®òÞO5.ÅpÔ]Iœ p±úJžœ‡]H—ý­Ø$çO¼ãóØ`vNܒЉ¼â†ƒá•Gñ™®Zú«²øá·(«†ù·ÿš"Ã
+RÈrdKÚ*Ÿ¤\*9f+2æúpŒËl�óž°I¼/]Ù¥QÔA‰Ó€kŽŸ˜¾›lq Ç¢ð/
�Tg^:RvGà˜H…ØøH{Œ�“HÉîd×_³,ˆÉ‰ÍNñŒÜ<xK
t¸»8‹ðÿæ¥
¡­Ë…ìdíº…£—Qá@ùš—`ãSYN§2GM(t–¨Ñ£äÌ/¨ñ"Z«rúGÊO‰Ï‰^²ã¦/%›Ý‚Ƶ	SgëiËOC(:å÷~Ê4Ÿ.óÊnädy«‚c˜ÞÁýRS�æ’"©	Òó
+‘²4‹g…ÌÃ�v`u*“ä¹àð³
_˜Ì)	¬}©øæraÙ*×;î;»›¼=nâ)MÔ‘LpFäµ\yå”àúËôá8Jy8¼º�E
g³!DÃÛ#ëS$)ú3Åîå¥Èoéú'D�æƒkP¢¾chL³`Æ/íËŒ�J¥Y¢ß»Æ>‚Xä¥R”/…ÓZíÇô†ãLÜu:ï±÷"�Ôz¯!ÖŸÈpì“;qªMŠ•…©•	RÈ.jêEäÆ7Yã)Ì×ôVK„vvJñn¨éÀ/˜”_èÒ×E�69zfŸìˆjxSp‡M˜8
< }ÔL†­PüxTJÜÆÛo½Á9ÁÛiWÓ¢|Ns
ÍC®ŒŸ</ÎKû˜™¨»††¤+â‚ï—¿°0Az{¾N©8Aç�i ³¬¤wkR3Ü´pÝ!¨2®É9Zdâ�~WÞ¦]F=¢(XÌ™á\¨‘_?¿<yáå¨aŒ
+¢°cmí”(­¥ƒ¾sÕD¶ пû°-
ÐSJC_7�æšø^Œfé�„º©sŸ·:%/Ò‹%‘o­moC>…üÉxÝô÷éOBÚ÷FÒ0® h@Ë‚kápØ[ÈÛýNm‹•=sÙló¶ÿ1Fä0·Š2ªâØg
gyGª]¾úzÿÍUaÀ¾W¨Ï…—"³?þ¦«D·°ÁVVnŽ}ï-ôz`ȼÃÛú*WÄÂm­/Ž3*܈^ª>Ìš…ùfÀu*´Ó.£È“3O×Çï	s/C6þÕRí¶p¿J Küh€GeŸÆMNb¼ˆPr’•‰5Cøˆ¨‚bͨÍ~­Ò´ü!Ù÷£@e=\ûö�@¢
+!§âe0ÒwyëÅÄ›°$µ«‹q.wà6;}Ø^Ù¸í(R
+/÷¾Î*ߧ›UC·H®Ðû%
3†×÷<Ü÷û/š%�=QÐÛLæ¬MÍÜ+‡¥B¤Ki¿ö¯ÎÊ­ÌNlK¾Õl™!ø&KJp®·
[éµ_Y&•í%óU¹«¿ÆÜ[SÁ>æÏ·7[8xgŒÝU抯#Dýƒ¸Ž:ŠÈnåU¼‰âz"דø ;“„FCϳF+õaX/b»á„3ÅÖìÀ=#>J…dÚJRýßS3çÊ”!‹)~¿@ÓÞAõ2?d3òÊZׯecŠWMi,ý0]y8yñq±§‚q€ËÉûƒÎAfüÆ_þS‹1yM±Ù-~òns%þwèO®úÒõîg¥h±êû4DÚŠw-fy^×Ü€‘â^|,Mo±>…�2
eýšÈ ?ª”¤™4DF’
+;å¬&¸P±öÊ‘>çÂ’‰#¢!jϧœuA`9�‰GBÇæ§Of•
+wJÔúB/.qfQ�äXò‹›b¼¨)¸"Á,ÈítcG`Å«
ßn
Ã7&uù;eßÊ
§N¬º[ü\™\7’M¿mLªræ‰1ÞϵèlH	3Ý!r¥Z”�°Î­T ³¥/EÐaß¹;™¢l¯:¶þUîÛû¯­�R­é6‹@eQ¨z0Úõ'¾ùYÓ(­UY¨o®&lv4\�ÄåÒ_ɪFC†ãñœj*?Ë‹Ëg~"¶!¡’Œ3ùþ:¸äë‚"¯=Ag �ƒ¿| 1Ñî7öC$¾ù÷}†?¼ª¶~ǒ稽²ÄôšˆfÎ ¸<—a¯¸#"tÑcŒe!èË¿ŽŒv.ÛõÕzµN«Xí“Ý™N—LbF8ÏÕÕ4PW¾>³»’#GÊdÔëè3*æ“YŽhd ¨ ú®šµ±¤Õ$ÍÁrR
+ã
:I‘ì
×òõð,°ˆ²ám©l×曼½€#«[*A¢¢U‹5Uí³
õþ·¬üçápM#Ó2O(ñPWSxœ~þ‰!_¿Ú»È.s5%Ú£30ÆÞ=ôÏI¯ÛI"[€/nAq‡{4}¼ã‘Ôþ‚š-Ò)p+ÐÞ„efTZ@¿¤˜]ò×=ždŸ…±@_�
–{سÆS2{*Jyk/Z<ü–ù~õwo/¢l{„͘Ï]¦ý.ß®ªFÝ©e³§tH‡§/
Ñ™Äü¥u[Ü׋©$ŽáÄÄëã,UFÖ		ÞåŸW�6Ëj›¾½7æF7
ñ
£Þçréq¹'Î0¿æÛVÝRR™$ÙÞƒhÿ7GÒvÕñ¤®ðàäeïËÜÛ
+FñÁe¿
agöÓè7è—‹Þ|‘Ô7ßo×M�…•ºW€‰¶�•ÜËKïØ‘ƒÅ2Œöý¼iFØ
6ùÄ›¦«oR²LAJ7Ò'·#0ÍÒk²ó§Ð(¤ñý'™_Å�¶‚ú°ÜdÛßdÓÙ+³�Üœò´õæyxáK/ìj!T>‡ (FÉ>òþ‰VŽ-®yôyñðÙbþ]s¨C2òù¸2úÐþUû
¶‰
²DjÍÛ#)	ÀT+PØûº(T!Mð�%tÜÎð9Cñ<Üí
+xýövB¶è2bJ®ÌLÓY>=Vàr?,(f�»«iÂúŽü›NÚ8ŒÖÝô¹Ëº„0Tvº@ý*‰’(ÿªÝfEBZ�ˆqàÖ©�À6º	Wì¸Ö��÷d¹C6n¢BÔ*Ä"ßk° I6”V³6
èô8ÖÅ.,O‡lÌÀ>“#\µM²õ!HèRåƒmcü¯º¹
+`ìgcxþôaÈ9P|ŠRm¶£Ç"`¡²'“ŠÏÖFMŽšNyÚT
·oe¬5<Ã�-Ö±Ó—µ»WC¼³l„†üÈӶ߱‚$â[Èš¨Vp~#B¼-Èä˜åô0RF~Ü~g™xò‹…že††f@)‘ 9!
+90š Š\ñ‚³„t�Œ¶òj´ÅåC–ZÝ4}iÔÑ™ÒV{qÁ4^Ág×£Ö*,Úæ«	Så=ö«j�>n€'*S%:�ÄWª˜w¾F¶I¤áýaXä3B¥z>Yø\I±DQ’Ëx嚌ý:l¤*ÊwAÍÔÂéjÍJÕ¸\ÖbÉ åÏ,ø06”6†Ã�
+O†½Ð¼ÿìát»¾£â†¡þ½äÓå`K:JDm’êP4o變o݉4-gÑäê¹ð
+"ü„£ÐD‚oà^b±I
Á÷-‚áp�,mÕ8®V¥‡dØÆÆ‘ü%kû¹ùð· „·²³Ü¨7úüYCµ%Ýéï±³�ëP7\ây<ìc¤LšeMu ©Úœ6²†>–\sý]C:8yB69æd‹)‘SbŽ)��Ì:øL€ãŒ_`ùI˜-BN|ÇaD
˜r
>�g0k&rIöXkæ	”V2øÅ/1™‡œëÓrÞ0ÊÒû#䳜Æg®BAÓ��K°™“„JR
+4£C!µ*•Ò&Ê(aYƒ?c4[¾›÷>˜SC_¢?5›¿+Bí÷Ð.«	Òë�RÒ;_öç]bŒ"fT·Ó¼À»š¥‘(• <�mÖ;ápú²49¡“<o˨Ô
+ŪpÉíÿtùátI
+†Û*üh»(bxW˺~C�Åó¢”$”XxèEš‹ÖùxãÌ1I"Ñ3ÑÞÏAÏJbÚ)—½Ï¶£�«S0¾ëºóXD¯fÅ(Š|d×egªZO*voÛãÐX:_Õ'Ôi¿{q:?·Œ®í%Æ(͘¹ÄdnR‡Qo@N©>äš8<å¾ýŒ‹Í³Oˆ¾Ð_ô1ÀÀ‰)ó›sÜWȳgVšÍ
+qmÏÌàcEB°†0­æª/’/N?yœÞßþñ“—³qTј:8yA«ïïºáή“hÊÌ-€PͪˆÜÅeån²ñéf%$›Ú±“YnyÅ™ÝbIQ~_™¶oà&r8›[Bž
À�i'”<b.DöD–;†Ã4~LOìj“¶“#x0Vªžúݶת^
+³à8Š/ÝËOþB¬ºc½NÅöT!´�ìX£*Båµû9á+é!<«
V™´u4ŽÌ×ýmçNËncéDŽ¨=ÑúV4HbÚ˜°2‘Ï_êÉL§Þ–67…uÒ¥SÈxÒé:çÏñW�ÎÏ’Æ"¾®…ßߌÍÅ�íb^¡BŽóá!³¢;ˆãñ2¡Ey.˜6”•>‰æ9ÎÍôQÃâ
+Y6Z*óø+9#«8wØ|�¼4N|�k%;îˆ"äAçbJ]¸ø«Æ÷‚ÇT6„XLäÝ�ñº4g]D9D•F¡7a‰çÚž‹”b|ÍeJµ+�j¯»x*]vÍʧե º1`7`e‚>¹ë;¨ªì|cÄÏ}›åÎ/ÞoÈl‡ÀºñÂ3ßçH0èöÚ-(Ç…¶jÁU<4õÅ‘¬°Ë¯—�ršWߪ
¥È‹F6j¢×ÛÀ�ÌWñ­	áÿ‰M(LóMEÑÍ<¨í—J+„9ÙQÎ([ÂpRQ‹0CgäŽqd?§WE;wÆ–…¤�†${N†³v1<«”¾SpN¸!6=ç,ÝK¯Ê:ÞV+*Ê»à£�¢P†]ž‘5ÃÆFS çÚåÍzòø
ÛO�ª¨GîËiÁÌ!ÿ	 b|TØÚø€ÈÄ1e²{'U}f<`·AÁk¥¥Ç˜Íj~¨ÎVÈt®Æ„°¬íª´Öé k^HøÀ?5h‚LùF'öÆÖƒ&-¢]\<üòt"e¥1/U½Sõ‰c±Ç¸Ùæ¡®jè1ù£ÞÛyE9
“Ÿ'7šÍ4l#>´ç`xÈ
+l®Ö/ÏŒ…°ý<ãÓöxyõå\¤.çé;ãËÃÚöø¢·¯
=‡T†QQ–2aŸF9¾(²™N™(Ô‘üNa}R·pf¶�°Öz(Fý‡ù†=èÕu¬¡RòX14)Î\DJjg<¿­óÑbÖIÙ|
0RµR—¤k¨EÙ�ﺠÆ	Œ¤�
+í³|Ïõ™œHa™€�4ú@»ä/ú£sß·
+™#+.‘]q&½‹«
hJ©T¦:Ó’Q!0
`9
RaÏˉ'·w¢HÐ\z”Œ>Fˆ�} 
+sf³±jÍ2‰
+.\R^æ•o;gV;§¿¢¶Çù‘fbîI$c4ŠÕŽ"7%€NWãJÌö,YøQRJò Í6®Kä‚úärSÌÇB :¹õm°S·Î’!Ðu¤žöºÚÏc!–ÙÆã|€TÔa’±ds�XA’¾ç ß)ÂèÜ#rî_£Ð¦­ߤ¤P£¸$<™äE3*ÛóŸÛ¥§­ÈAì˜
Ft‘0í‚+'+yÑÔð¨èYÒº%?5Øe=¼\}­ù“ƒ%˜Â)%9EJªÛªùq2ò¤F×@Dn©6봼礜O}Â0*“
¡²^ŒJ¶i€X°¯ÀIOS9 ×çúÙ}{¡Ñ+Ò¹)Ã%¥f2öB+è!Š�ùIXllëòè&Ê­g"ë~Á:Ýö”:Ys§>j¤¥w- ¡/r*ÁÑ£¸ÏSø°‘³VÃIvõ€Eë#¬Ç†Áâ–1F$~„}â1;yV®"�vÆŒ;gR~�	�S±ÂƒŒlÀ hràE¨;:ÉÏ3�ÔÜ>r˜÷ÇÙ 4upcñT·’~­õU)
+‹@Mcpƒä½‡×µ¶¡ŒËžÉò`™TîPm/dÉ–°ƒ,¦‡�ú\‚јýÎIä›îs߯=l
+¦ÜÞ°éˆÝÜb_ZFÍ’L”
ç“sÂ�gúœÓ›”pzŒÄ¦ðñÖ÷µfi×V"¬O¬:·Qîã~®ÃZ4ÀD­/BEƒm»á®®²3ÖŽçÛwfÍÌ�ÓVîÞ”fîmY’ìAŠÚ[UGÌ7¦6 V·hûBÔ@ÛC¥Ž¶;µ'úÓØý	‡7ø×âÕ„OÚ‹¼r.±|¥Tý±ŠLs”ä ¿Ìf¯Ÿ;ËUŠmK¢°õ©5Œg
½C¨îÐÇåª#¡L›q’Ý3R²¢?ð/™&ô=ÁôcZ4<˜Ïm÷êØz«ÈÇ[ÝB¢òMÿhäÖl§¹Ê§œ²íÛ„LÖ±x¸•Aû™
[bv¤uËE0?_|O
Ô×ëæfB¿{§$íÅ©rŽ;÷6þÕµž�:Ã"�¡&§;*\U„jŒ§Êž…lÙ5Ì�³HU;ËYÂD™0œÚ7Øl;½¼é1Q‚D½±—¢IíOùʈ¸	ƒ
+b´�Îì(«£IÛ�{jú»±Ú3í½ÏéÒªXÿ|\hÝ™#XòèŠ_^—7ÿlÅx$×ëËrÃKÂ'”?õ[õÉ¿—°QÓž¸}ƒ[ê!&1‚4AhLêåSÅÜ”qâ>XâîeTfO®\pCÚ ž¿òE?àã˜fB܇Žrm3eμW_Ÿ±ômšY7F­v	Ÿt¨çÔDƈP.=Õ"tHKÆ‹.‡4›žaÑ!ƒêâÖ_Ÿ“WJ%`Fµ€:¬ä:§ÜI?ôw?ÂÚ¤¦ÍÛŽJŠíPúþeCiq¢E™w¢n;³‹2HÐÍ'a*àæíÅyî­øn°˜š¢Ïa2¯~T
+‡}ºšíPøÌ^Ì ã~9|t=Ž%ÿ©øóÕšÐûäâÿ×âÒöµl/îh¨¯šs±º×Ø¥T9½ÉEUTJ–@”�ŒAQÎ'4XÏýv;—uS]Ss½Ÿ–ÈÿàÆF`‡ãŠé+f¤þ[¥ebǨ‹åxŽ‘�Rñ°<1?FQkáÆ c¨üè#?Žþ&.-AöÔÐ[(CàÀ¥o]ô¯½þœcpàÈn÷Ž”�óÄÁp˜,\’@|†‚”Ö$.DS`X¦a¡™ðÌà,(8�‚Ùvãñix,?"xŸXéT–rÖ8¸–+ÅÖÚå{fÅÄ-(6¤/ÐKwäÙùd-ptÈÊq2?àÑ‘xfß|ÈÅŸ¤F† ñ2òjÑà9tñmÞ1B4‰³¯¥üúUŽäµ�š[wŸ�y<‚&üš4ñ@Òà%GòV·žº·Ð.NRé´KóÙš$ŒÀùSN¬m[oðÝlˆÓÏ#92+úÇ?e‰×WÙ4Øê¨5 \ÕïÒ<?§yžvcÑþÞ)%Ÿ`ViWbù€ÂÔ™
:=[Ž�Ð×¾¼f£eìá
µ0ôÁRÀ×QEK0‚-IÃË®ëLÄætv±™«éÛ–Å:Ú–¸9c ‡_>6w¡íð(§¬íìàò‘£}1tUüÖÀ_€>*'ø’ö ‰¬ü¤éÉ¿8*�îÓ—¿i>ÀÈÛÙa8mù‘º½lØÖZÝð{Xþ¨Î¡»c’P1¾©e«Fm¦6Ê¢øð„§£0*£šß—­L[NË|äm�

+.ó)¹�)ÛÍߢßÏǨ8Ë—ËîÁÎïÀCuR5‡ˆb¼¿(ãS]ZÝ+ïa›Ò­ìÛþkª_YGëVâïbaˆèþmm­t/:ÅáúGÒDÄnB{²Ø?§¯1i¶Wéž¹5»/èzú¾éWƒb#½cCÂù Ž¶*_6Kªsálssy\�½mQõ·]»p¾Ö´ßcÇ"çxÓÍË�mõv€qËdíy T¬†eœó÷Éc†Uï»ó˶—«C®�Sè»XlÔ
+ÓuÅl–Ä=§‡ÎóliŽµÏ®ß2@A7÷Ï4.¢”K�{[s߉Ë&MÔ3�V¤eå‚Ÿ‡´Ré8œÛçýwñäìÌR5BÜVxÚï �6þzÌ(î ½º	È%Â3Í@½ºðéŠúVªI%°ð&ÄEf©¢Wÿ¹Föô"ê/-or@zZS�ö<Kl¾Ck:úw9FŽãqUk‰
oµ�€Çï´ÓÔ¢’:(d�›ØI)FQïŠ&
Y‘5²ÀD¬ˆá'³ºS¸ªn0%FDCÛcŒsÏn[ÐIc;
+›u*
öctIñ¬'2͹Ù>Ëk»¿
+–J3ðMÖ
£«ñH¬a@¯œÎÉ÷k®?s½la`²ÉÕÀ¦7"+GQ‚ž%ŸÉ7­9µµøèµùÁþ‰­˜¤–ß9æ²ñÓ.éeØý‹Ýߺ™¤/ÇN¿HˆÓ$:°øgL¯Œ=ßÂôäuå¥xÅ…¥Ÿæ‘ÙjKÍiŸ@·©.å8Þ"ih«Œ›èµ8!
õÔ1�e±	1'‡+0É]Êò»l)Ú±©S…⡾q}lY™ø1¿§M
Ç“«¿¬Žíì²:RÆ0ÁØ°§ÇáË�‹�ÛA³†9´9\v~Ë–©aòîo=ù"
‚êÆêë%á{3Ý’Õ®
+~J]áÿÎaËŒ¶Bؤ™¾oÍHÏ­¬„鲉®‹¹­.ê—ë|ùç¾­0ðòœ³xcÚq ry×ïІݸë,«�ÖÃïï¯&3sDÄžíÉþ¾,0ÂY†û44ßH¢3ÎÚ~%Ï¡]óŽî6
+à[†#NÁ3ŠfêvߧqëX¨ÍÝ�{ûeaÖQ@ßÍ}kYzéB>_¥UÍ�5îºÄ7‚ úÊU¿Ø‘Ø'+u7»ñ[–¶ûŠ†uVÉ„½x]oøŹpQÏò+á]ͪº9Äß—cÖu
+ù=€«ªû%ýš²B»¹Øœp«îfq»sGTÌ•WÒ?–�9´°$E8¯—Xð‰jU·«�pž[…þ0&¢aoìÏì+²K/�¹+9ù²g+,6@^›¥Î~R=�Ïi</BÿºWÂÄV/Ü›åÓ<6e7—ûý„emP°{Ñ4{æÖ-
Ò‹ï�JÿåAŠ2õí¸D[˜éW�ºç~÷ûk]àÉTðÃW¶ jr¶n=]ƒþfŽuõ8Ö:¬¸áÈ[¢‡7ù«L·#Íö×4Y|€�¾Sjènß“kÒünIçØ7¿£o(’‚&²­:ÊÚ1á¸
yµì{5þhî¹gz²r”ÑVÎÅPyÒŽzôÑ|NRgÀOn.øüFEÞƒq”ÓWf?l§:nÒú69ý…/Y:²}
§Ç祲î¸6ìÜë7az¾3&4ìžþ° 
+¬kr 
ÓÄÇr} u
+Ü”¶Ü[§ûÕ–0>Q„…¾Ïr¶kµ3ç̼ê7âéL×»:2ýõ<—‡ÌŸb®_>-z˜Ú‹8„Uåg'²¤UuŽ€mvf»ö!úΓëJ›ë²pZ¾Õ9äådLÉ–í”° ªúªä7¡Ð>÷ìjFW�ÄÑNƒ\¨GŽÕïí¶ëÉ„+âëÐ&Ø¥ŸÊª?á°0²|Ÿ³n`³¡ñʆ¦„Ëz
Çî'¾Ekåh%(m±®TQþM˜¼îÛè¬nBAá÷¨–Ðh½71ñ]6þ¹£Åa°–¨‘£0~˜ôD©iþÑÆDÉD‚ê²Þ�Þ“Ô«%N×…b'Ýsãc›pC<}oC°éŽyÇQ{²œhöItßÇ`[i“�ä«kì}Æ5bþS�›å“?k{뇴ºý˜üyý÷
Rfê·/ßËÝvÖ9Ô�Í!dôQûó!á@^Ĺü4ÆÃÝ9&^Ð^µ
GÑKŒ±,&÷îd+z.ø!IÛÞ�YS¼A¦ùWmM,I Ð�j€æ+|“¹o&ºæ‚´ÇóÁvÎý­4×V×KÏb¢ƒêÏq�{Ó¸R!i0a7�ŒQšbc©ä¤eÂy°�X£vœsÄ/uÌ@çÀ1a}#¾:ÒÝIrÝ_ÿšÌ4@¸#ùO}*ÏRÈZ˜»âŒ§wŒbüíô¾0#VŠÈ
´J†õ„ïcÈέ2r<ã;Ä¥4<R,IWòå°^¶˜/½o+JUøê¬Â"AG†¼1(Q|ÝIØZʾÌKƒÖ›þÖƒðÆÓ9Þa„˜Ì �ZÀ%EÄPsÐ’ñð}ùsÔr¬æ_¼"šØ¡ƒßa»�/ËQ�¸xV]ÇŒËÐ>
+)œÊÓTU×ÀŽx(S•ü+Õ˜�ºÉhn6÷^ê->97ø_Á$k©½œð––RYö«GÞ.
²(²Ó"ž,‹ŽNWa¾üê‰ê˜*×X2/¥›ád:"!1¶Ò<7_ËÖÌÌ.j'kí”6!À
+Œ8¼TŠRWæâ9í.ž©ÖYÈ‘€ÁÁØ2ñNæäüY4Lᯪ|˜oc%|äx±(··èŸWò(‹xiD,¨Þ	Æ›hq‚³Ë ŽÝª±]B�ž#¤@ZO¾Æ�äô«‡‚½}p¾Q�v%Ár_`£Ë�§ôQéÝ/èaÅ)ýS;.Ì)Û²ˆ�ÜþÙx£›1kÞ[ª;�µÚd¡oÞ°8[¡tÄ6Cí;lv€°D41¯å
RÃ�(´Öãí¹ æ»kr8ûŽ˜ë¡lêo
að°åf&
+.�$ƃÊQÎO/UŸöÑ$2yÿ¢Ì$¿ÓÚ£Ž?߆\M$]´áõ˜™! áÄ3¸žjIœè½ÛÐÞy ÞêœQxu«,Ã1RèGÅ}²¹é.*e¬´“gS_Þây\˜<~Å`K	ôsWJ{\|=eü¤yÉŸŇÐúšö©>|U=D�6ÒB3iƒJ›ð"-©Yå?%ß+æ�ï�ê¾Tp.ˆd)¿Z8âÇsDFO,L%•!<ôKæá%L)ßHõÓŸ¹?¦#ë˜<ŒüKð<ñ%§./½<T¹$�‰3KDrÛmþèa‹±gy «ž
|êÚY"enèiA/G.hŒ2i´ÏËJá©uˆ¯ØM.	”A˜l;E™¬÷�¨Þ�ü“:ÑäjÇu+^éX�¼ðîQJ÷Í•ó~ @)ñ3…àVþˆÙî'‚¡2ËQþKé�ÎYšØ…¯Á”¥*W]LÔ\(}I¡-”’ηm�Iï]Ó'šATàãZÊÞ=\r¯…ªmW3T‡¬:ÆГýpR%�TvŸû…¼—Ó¹ú½”Ï/ïè¦v/{½Èñúéï%�7=A�}i^…·qâºwƒiÈÆgÑþõ/¬ìÌwD¥îT“]CœxÖ@ý«kÙ‡]»}VLºÇüe6Ë
+ªÁ ¡1”ÕZÁ‚àˆ�=ØrB	=-…ü>
+!?Ðè‘ñ—Ådf¸÷•Ï±ÈÎcÓñÔw—
Oq_/0òkxLu\ÎRýZ«ïüd_¥Á¾™*˜Ð‹l^s>PWêѦæé
�—¸y5×yÉÞYš�¼jli\aÄâ’šÎí^8‡/cyÜ}g‡Œôô_Þ‘òïªðk_öѨr.
ã
+末vß,ybÓœrJHÅ#n}{iÔúìæzfï¦ÏAoéú2ºÞ�¶HG.‰ùq6ÐóÝS
dùLè²Ä­*öåpÑ,7ĉˆÈ,0šqDµqœ¸3O§÷—'H<q»’›êNœ^$q^åTÄ€3–‹(¶^„?¹Šy Xøì²Á¾vô¤Ù>†Ó¢WÒS­ÏGuu]„†�†TôöÊgäêÔ”3Þ{§tRÌâdh´š[½*ŠOÍòÎùBVù¬šq21N{›}×~LܯÆù
+<>ݯ¥h<òÀ@"«
ºØïÀ9ÉÔZɈ”ò�œWÄ«ÕI½†…*GIÛ‚þ!T¶þk„Õ[“|<�²…‹Ñ°â£%Q®¥/ ºÉJÙÅIM.²«b¡ÜÞ†1F)—½¸J¦–oMùÎØ‹^>+'ø‘ï<¸ëÒñ-¨ÀÿP�ЭSýE\üïá—Ù
Qš:>°ð"0èV乊žW,¥ì_ãÅ­hý$Ù9¦”/À|£ZÉ<ö–Ê‘(Åñ�WµÀ]›Q8ªN“Ã(�~ö¾}:-]ÖjwÏ)áÅ@
;ÂŽßQ®«ÊBí”èÚsã,]hÇb:Û—K�)4çŠI„©ò>Qõvªaì0±0Ÿ!•
+@¦ðÛÒGì+œé;D“±
}¡Ð—ž~µ
+¡?ôèMô©ê==з�Ôf®2 ¶‹Mªf4ø/Ó­äõGá�K› ”Ü�ZÕ†§ÓSþsT:ÆF)¸ÛÉ=#|2õÊ’ªö\:`¤Ú¼îÂKÉÀÁw{m
1ÎSk¼¶`ÿ¼6KÑôüc×ýhº�Ù3IÜax>ójÅíõtã�ãl'‰î0‚à‡êõ˜BGßÅΦòF›þí´ºT\Eq©S1r551LñYADôìå…_ˆ²¢ÄZZ
+¶?¨žC$‰ë»y„kˆâŽL<±4–þõ	/nKgÓÒõý-ÏUÔQr?S²QÑð²Ž5úÁýГ&�Hë{R×î°â'=ä÷
	hþp·~õŒBtŠJ©IpãQ¼R~¯ƒºý ¬ûäŠÂáWv}¹YʽóëtÇÈwàe"Gx þj$”mÂëeÎŽ¾ê¸µ¯4c~:ŒÌ7\T-n×ÃO-ôÖ
›2f‹§+�¿ªýtÀÎtnCóí/�é
8¸(8–f‘¾á•	¾/¿ÑüØ»e±Ëî'Ý�±ÕšÛïccp¹é`”;˜A®•!XŠ$zȪ‘¬ok¡u㉉„ìJ3<ÛÝä%Ö©=<ÏÏ�l§Y©Æh—!H�‚z6÷xˆ9¹Â0ò‹±ó§$	s«…rü�Ýv†AÓÁ´ÜtÚµŠ1Ð�æêòÃæ¢ì`§a´ß‘^d�C>�¹¦D"Šô€zÒìæ/AOÁ�}`Û%þ«\Ø[ÉÖ…ÙuÜíƒi“ÈG,djCÕÁñU¥ý´ê[¥!ë/OÇÞ^�>ù¦ýó¾þ¿XWm&›ËŒ¥ù¸˜1gèS¸Àys¯ƒB÷ц7”qýCIvcØV«Kçâ´ŸS”JÚ*¢Çõ˜,}¸VV
”iײ÷8ÌÅ÷Ç¢D3Œ‰¸¾Út_/g¬"0ÔF(Y�Š[fnMœñqb/'%€o¶úú>"Ñ2.~	Vú*¡qèÅ·@ò:ýø¯ô
+YEÄáõj64ÍÔŒfÄÒø„á
+³=Ö²%öËÿBy �ot�µË{w>ÓŽei
+"öp�fÂjZä—‹ìêéóäëêg¯Ìû=aÕi6ux‹²cVþ�7èïå–5“ýÂòÐØÞd�
¯$�}„b�V¼Ú[ë/ƒ˜¢1Rçµdwƒ/˜L#©dR£W¯¨™$m¦|¤$:{ý®EÞw†MÀOüáM�táäù¸ñ6a´ºB–Ÿ¬V¦çæy:yц”!	–¥m<î2w¡X9-]Ü V®ÌºêëyG;ç©ißÝ;³‹ö”gþBØJw„h4û¿Á÷rŒx™ÈÁ�»«<?…ÿ“÷Œö°3Þ#�9fÉ$'>¨£Äm*Èövh¹—‰Œ8êÇ@Ú^o·tE�ër_—
+îj1q<�„I²žI^L7bfD$À¢¡ë¢1õ%Ó8Ó
"¥›�<øp#sû½åÄÎœ
÷KןFŽÿePþð`á`eæêîôÓÌÕå?;|a­endstream
+endobj
+678 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1344 0 R
+/Encoding 1915 0 R
 /FirstChar 2
 /LastChar 151
-/Widths 1358 0 R
-/BaseFont /VGNWGZ+URWPalladioL-Roma
-/FontDescriptor 598 0 R
+/Widths 1929 0 R
+/BaseFont /FRWOFA+URWPalladioL-Roma
+/FontDescriptor 676 0 R
 >> endobj
-598 0 obj <<
+676 0 obj <<
 /Ascent 715
 /CapHeight 680
 /Descent -282
-/FontName /VGNWGZ+URWPalladioL-Roma
+/FontName /FRWOFA+URWPalladioL-Roma
 /ItalicAngle 0
 /StemV 84
 /XHeight 469
 /FontBBox [-166 -283 1021 943]
 /Flags 4
-/CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/emdash)
-/FontFile 599 0 R
+/CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/emdash)
+/FontFile 677 0 R
 >> endobj
-1358 0 obj
-[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 0 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
+1929 0 obj
+[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
 endobj
-596 0 obj <<
+653 0 obj <<
 /Length1 1614
-/Length2 24485
+/Length2 24766
 /Length3 532
-/Length 25368     
-/Filter /FlateDecode
->>
-stream
-xÚ¬zc�eß³eÙ¶ë–m£Ë¶mÛ¶mWuÙ¶mÛ6»Œ®.×ôïÿ4ñf>ͼ'âìÌÜ+WæʽãÞˆCF¤ L'hbod*foçBÇDÏÈ
PURW0´±14±´—¡²·1
ü5³Á�‘	;™ºXÚÛ‰º˜rÔMM
-7µ3u2´
(¸ÙXd,�MíœM©
-ð|I¨
-‘wÈ»8hN‚ôÊà3/Õc¼o—eöÀ´ØÕN¦•ôJ? ðg»Xœ nÿP�¸ ‘>; ø§7Æ£w#5¡Ôýº$O>ÿóL1<16:Òw>pŒK“MÆãOà˜‹Ë¯¥Z)ZÝL~Ó‘mÂ{ôÔ*’»RÆ¢)ï0=ã½Ég—\"nsYâ‚{s’?ËçžiE«vY«Ôè€9¡ÇΗ©5{ý‰÷r=Fa‘ŠÚòBLÖÔ—J|‚íuÿáq™ßx&™å2‹r&G-H.‹Û"]pYÝÝÝÜ
-"+0TjêkÉ™”“Œ†yF
-3o¡a³ìR€Á¥äËG—$5]Ÿk&”ÈÔ›îª7[ãúÞÛÕ3Üî2R×HŽƒvž>kMt]ËwE*–3¼m–ô»°˜(×5ƒ>ìÛ:¸øJ¼ü;xÏÙúãÌôÆë2àÑÞJìîKéÑTXŠ
�Ñv…—ÇP¤úJzöJèXëÈ0¨Ê@-œéÇ=$!áFŽÚdÉr
¸Ò*û3JE›1�*-Yé
-5=Wx²à¶$_?äÑåŒ6i7ei¸�pÄ9ÎA÷ H»æ(»Ñ4@ïêŠRaï†cû •cœ¦Ã™¸�ß÷Rž¾Ï¬º/säæ¤Ux\Wx!’™²–
-ûˆÝ{Y„Í!\®©E.M.û¬BÛ)°÷�d)”(Ü}LxÜž s1Ôú~ã^ZˆUø‹t¦íÝ]TV!ò³þ"«ˆêVØ¥ÅBŸ‰òc yGOiEåŸáÉ[1*‡¸8E[¹ähÕï9
¸Z˜3q¥MÕ2^¾dŠ¼Da—ÌLŒû\ﶓ×G
hàºõ¦‚Úr¤ïåXØx·à외[]tWÚ*¢�å#îÑfÙ
-<ËnJ;ØW9EÛÛW0Òˆ¨š¡ý=OésmàìPr‚ž!at5nd‰÷GJ—‰ŽsÍï:¨›+|}]›�2Bjr¹“Þ14Á©
¾qêE®l=ÎÙqXñEpõÐëLïgß*R-h^è¶yn�ªÖö�«$¿1mcqm›àÍÌGm­` …ð×K𗎲©«t»­e‰åû—´´,‰#7Êc1^Ë XSú33<þÔ‚Q*¤ž´@·‹´ñi 2Äí­kÔȸ7�0ƒ@9}¥áejÎÐ
-d„Ü)-l	ÕZv±uãV �Ò‘ÈU¤‡éœÙù¶›náBFöR`i# VGö{C�à
-µ<ćI‰¡ÿ&)õduä.lõÚ…¾�UF¯*
뛦‡7æÛ
–�8
*²I°m~¾9ÀP‹U¡ÐIûVó(B–)l;߸´JŸÒðQ]ìF¨ñÏ1J�ò+î;©³5à"^Er5ä�g¶Ð�ò¦.‹í5ÄéÄùm
¿Ž+[ñCJuM2Þ‰@
¥q‘~+á Ûå(
�c¶öäÝ÷�°œX³ þŽ8¾cçz°RŠžØàW+@U<G£»íã4k¨t‰ÜÕÏUcÌƒv™DÄkËGÙ’¤ÈÏC—ÝRÀÈcí¬–žÃMuk
T»1ê¯c6n陌¡@3;måâò±ã3Î?jÛ—
-ûy›–C¬g›ë¾lñÀ¹>`q¸2�'Ô÷éöu3GLiÖÌP‹!Œ�	²ý}Æ>$�íég“œá�œ·íç‚ÖU½½˜.ˆU-”Y2„bIi—I�ª@Vóàï¢ø=ú/÷!ÁÈϹ5ä`¨xÏb¨ðrŽeA¸ìö˜:0µ.m
¦¸.#3
Ù\ˆc­t”àŒ´Ñl-U­™ésÿÏÕYÝ…žƒPòÝ×­uóÍŸÓð,ŠM{ˆê
BCœ¾vb¸ÔTCR§dÚc¸��eëq61»y«Ä'ù
-\®¨c­?šœö©?Q®ÉóeŒCÝ»ñ§š˜PE˜©•Øõ!™»ïë¿x/ëí-¤Kñ1(LùË\1ñyBµ³õ¢§X‰¶ Îç°w¸­)Šë–·ö
 H!û!|½Ž(§‚	ÿ&W;©2
-çüø±Pu¯Žq÷¹<¦^RvÂÃÀGuOܶBžÃD@ ˆ•ŒVÇ8	¿öýG^ÅÐ…ÂÔÜ’‚×4bãÝ#¼c£NðÀK%ÝíÖˆÓúÛÙ’<@´çªÜßp–oè°B/::â±Ý.û›QW3´ÐK¨Sû–Ab­ˆ‘¾IìxˆV©]ºü
-.o¥¢è›xÛŽ=m§<°·‡Ñ"a¿YDUrç�Ó8å<Ñ綉¯àç�ËgX´½xD‘WÕ^¤�ú]ÏbݸDÆ~œiÐÙŒ9BWØðÅ
-ÀcYûÞ´�Nƒ%„›#5ÆT½”÷
µ“)¶;ч*þý³mÃ{ÀÓš¿†xÙ:~rƒ‚æ¢p¡ÊOGÊ|‡{�Â]D‡R—xdHi?¯e8ß#�u0ë�«²ÒAR¢×ã“ŠomE°“Ž˜¹Ö1W¼V6­ºÜEÍ8X“ÂA÷M™*=´Î„ÒzÓôž½žCÂ
©ÁýÖv§”åfk&¡îKYŽè \ý¼üÎ-�{�7±¤mí‚0o….†)Ž‘TûáYª{è•ïÉ«ö»±�
-!ä/woD3“*·â—þzöq¼7VwJ
-áèñ!r±Otž˜¹f{«› (‡*Qs­�#òèRMc}çè–ßþî©vâl¿Ëñ{¸Q7(P#,L¿Om�ƒ�qäµ<­§5:Q™op`[õ�9†rïõNy�’ ÃTñEs(ê”#„&ü¦»pÜlUÛ/æž@ûTn|«ywrõ¿
-Yî€ÈôU`%vÑʽѠƒ OÞû®JxàuÕL¾ñ’Ã}änwJ×áL=ƒãMnižgT2älÕ§9¿ÜžYÄ'H£�Öþ…öL=òlÆ4×…F”ÖÜ+gruǦÒ�3&T
-ŒÓ2l8¨¦…þJoË¥Ò§c½}„B
-þ£ÁuâÖW¨ÌÜ|ò h0�®&Ÿ#ñ
Éúp覻Q¢Áîjg”�Þþ€Òƒ
-¹Œ'µ@O§þKlЭí÷¡‰ŠÆŸ@,Û—š·%¡°„`鸘\,˜3›}y§O’¢Av(˜igísø?/Æ¢ÉÇ1w«rû
ñîäÐnfÁ‚ê;+êÙáN�ïõƒÓé2‡l §Áœúî„]î"¹àᛇ?
ÉPl
¾^·f˜SÊËq²æøÐuÑ�R™lkOVöÿ=išA1Øêþ�ìÄ~Iȼ¼÷Ï(ÄXkÂç?[¡ƒ4"Ô <ºeYA/,vÈ•±%sK
-į´^ÑæJ4«KsGØèx8¤õH¯H{s‚Ï+³ûuŠwœ‹ä”ã¶EÊŒ˜©øzV᫃‚³]ÃÎ+6%ô,ñ%ËZ"3vò;îÇšmç�Êi-å:L~�NY|Je™ç›¯¢
x*.�º¾<Èzíò��iw^�ª(xw6ôÁu¥v8£½/DÕýˆ*Túøˆô´å˜ÜÍ-‰úøL…µ0[0îßÓƒíÅ·³nÜÁ.yÉ8vJvd;~­ë½cæ,�²3ŒÙŶçŸ]
ÊÞDx‘¸¯ˆpt¶n3õy(ƒ[øô¼}!µ}IDM	/@ã¾#�Á‹1éós�ùÉ©
õZ˜F©bÓÄ$²>th	mpÇÖ´i
QgdË÷¯„â–œý”'÷t‰jP
-¨a§ÎßÿñóÅ,ÿÓÄ‹‡îRmÍAšMžbã÷Dý0ɤATédEü~܆¾Ë@¦KØjv¸ÉâU—xêÚ¢ÆhÉã\a<zµcé$§¥%¶Í¶pƒ¹&å}UfÍ`4ý�ÎÇ—Íþ–âløÑç%|·‹ùþ¾Z9}ÞE�JS8M‚›¡W…U8¿ŒË$w¿ ¥Þ¬¬—Þ�Ÿ9†êOw<Bì%ü®8~9):)AoÞ¸7ªü­ä�«:jð²ó�ð:±£Ù„x�J�Iñ‰Ë¨X«`±�eú~Ž‡÷ax^?�
-!¨£ë¨…]–Õ•zXYá�êàõ%\yÌ캶7Eiç0ˆY#@å¸÷}½Œd [¯)pQÓNøœhp‹]Ï£héFÕà5‰_¡l}ì„3\JÍŒ£“|V(TœàJÈ`/öç}¨³ƒú"-ŠÞÕH+áK!EUé�_
Œ{GÀÙð¥*®Ž±ä‘ôªýh¼WpbO½¯àXÒ´²öªºÕY¶)G¼�—�…V(�n|rm¬6éC¢9q#˃r8|;Ô^Vü¡løà
-Y
-?ž®Ëm´¢˜^ÝkB°�gmpŸÇhAÁ›ã+�’½ ¦´ùCºìÛ*
¶‘ÊÌèmiÔ�YHjÈêo‘©ma¥î¨ÆŸ­´º�ÁtPäšP¥i¢‰Ã	Gö]
 Û,[wdbÕ8ì`Hj•¬F(!2"L<ý蔸ÙÌvØä_C8Z¢=|„Àh[œ_sbN~�•–F‰Èå/‚œ69v98 ÛúIÀ[µ!w3¢ï‰=R‡x*’ÁÃ�~ú!ñT�™N
c•Öd)ƒ—®²Å³`¤@À6«Ù
â··ÚþóÿU±3«Š”ì ûe“öà ;ˆût­án‡úÝqرØ9î]OÖăkp§OŠºçhÚqèìùœ*é4!QÅ]leo
P¯°
û(ŠpžOH;Àpn}XÈ&ùhzb}>-�o1‚לä<OàÀ¦
@¬½*Ý·V†òh
-­F&bÊ_ë8$Þx£§Ë©Ã¤EpPKyuVTe͸H$ët+áÈC0ù“9©!I[ô6[ñãœöŽ
D)K²su;f–JîEu—û!šâ’ÿC4áÉ� 69-úý£*ÁÅ-æu½!Œ±–‘©jM0™é'¨C¨Uä[,6ÒCé›@c=ÌÒ¾æpû�³5meX†p>¥Qò{qAb0hºAxô�¬eš–G¡ž« ÷·=³^þ•Ø;¶)ît�Ÿ~FjÒÃ÷°&….V’‘bP5Çzj;êü;¼N–åW' ̓3Mçzª~®¤?ú%öRRl{3!¸ýGT˜òýªêbј?ÄOO‡ö?é‘ä4�~#ÀLÝš7æ´n¢™hfì÷$¡Tk2­_+šçä[{p¿¥¦Ñ§t±¸s;Eº·øeÙ'ÉsH°]á#e­pÝÚB[NÖ©Ìì9ôŠ~+CK¹’´5vôÏ”¿§Åû$‚rq|xØÃñz˜¥-`)®þÙšî(‚–ÂPªã4·Áq…e•Š©™.\Æ
-·ò4«4é5Tò÷¢uv¶GÜL܈%Z
štÏ�ÆY²éw*žw6Ÿ+¿	m;ÆèfûºlA“]
-OcòÖ†›k<²8ÞCà8
-?
-©çœ.Ñ1FЋd4èõ
ŸDú½åÜüÒª»x+˜ôL½›’jËe�ÆYîÎ)}hïÌ)Ô…9Õ1$5zü6Åhæ¨dlxMË‘¥]Žÿ�F„k§±œ¬Óš¥E]T‹æu¹ÓyEì±ûÜT¨&š(H‰Z­—¢ö³Ž½%ÒánôâÜë#ê…“ jš-¢Í-ÿ1¶ˆ†£iµÝéËõ¬õXbßÄÂxò6
Q‡kWPNÇ<0z%ª$A‹\Âœð²j÷À®HÕ©”Ó"¡°~¾üós¿›é�ùÀ_íÝ 2mµ9ÐQ€’TB†@t�ÁTõ£;ËEßWEÌDÌ­ŒguÅ]gÊf)"PÆÖâ1¿í^‰šVÝæI×ÐK‹qùÍÐX	ŒÊY€²Âú1Ž»vp9t#ûÎvCkÏ�ToòÏ�Ħ.Ú�Ò	Åp¥Øð*ÞÅAš�àal.‹Òj¨BNš®)s\¬AØ(-¾Â‚`}¢þ•¿¹t€ƒ'ÚÞÇØç¦Á ¥‹i†Ö«nµðý“kf—P.Ye8ÚF‚Hôóž‚^AÅô“͉a'Ô
0Ñú||{†aÑSOKn§
a·¯dŸ‘æjlšTŸxCbyŒÔí£ÝñÔMÊuÇiYðr‚ÐurÚëxªnø˜n©œ0’Ýø$^´' J#æ›<BR3o°Ð‚¶.×Ò¾²8tEiÄ™h¢x]{
*—áª-fÓ�´‚.$žÂÅà>Q[ÝèøyE˱éëˆî¯Gj(Ûïh>4±ï3vÇ]«×3…1Ox/n±êψ´Ph|
\k±Z/BÛØ;n~� åá*`Ñ,n·¬§C�ßÓ5‚óÑÜßÃû‘aèTq«ý�’„,é±®²ð%¨¸¦¸H™˜þ_8²ºlH,ÏÉP?2N'Ë¢Cs32Œµ]•Ôtf… p”-Ϩ,ùï“Û³�É
-×ÝÀýr2`c�Ñ•:ï_ï6ësˆBª
-c[/ì¶}1?�ƒ8»ãe§Tº¬lÊ£ÇÉ�r´Ð–†)ˆ?~%@{$û뤓Ñ_•LrH›¨XòÅz£²á‹¼££N5R�?Pâ¦&+û•VÕ¯5t×PF¢×=�Œ'SÙÖÆš•âˆ7”Di´ÔÍÌÐø×u¬÷“„Á§ïj¾¨Œ*Æ'mÓåÍF×™9j>"þ ªƒÎZ—©®›k²‚ŠÁ¨ùéCÌÂ\ìżÁ5ÉëòöƒlLÆ£Ú€víE
•(Š_‡EW¹ÞOè�IBai°…@Ôóþ11šÏ[;„
-mø-³²a£7	™ˆÑ4yª¦”
Š.éw- áÏA&7–æ˜hæØ-syÊýem5ÖÔ¸ÙR—¹Õ
ð™$¥£–1u*Z&‰%6Ù0å!Ù$‡"˜«¸&%‡ÒæÖzMUôG+40\ëGBÝÍßYi”¿¯Ã�„Ä€¶MõtÞé1ûi
-˜¥^nè ”íêç�•âÎ,ÅŽÓ²:$!¨5]š¼úuØÍÿò´¢·8“å‹ W"°ˆý¡VN
-Z„1Û÷
ÿêséGe<hˆ-r°-n®õTÂg
“„ÖŸÜ9ëZšÀl«zÜ•k²¬•2¥�‡…à§+3m¶X&Œ5Hãe,*Vw¢®_��d÷¼ø
jdnÅ”ÍfreƒîL¸nüfI‚�[xÓåƒ÷T%Í*pîj¦xKÙ•P¶d¤”¾Ò–f
-Ã,7p“o#ØxpÀÔ�ÄàZ×LÎÌæ(4= Úö]’p×-¦’�­×s0‰!±�§²
;)‰²†Ó½zK­P°,v�“)˜¼6=.½3Œ¥NN4uwÁçkŒÔi?ßÛ‡½ �|#ÝIgÓ>³¾’!!\¡»NfM;–ù€y¾u/‰m_L‚{Hàéš41,³ø·YŠ†�ÈEh+þ¼¡�ÿ1ÿÁc¤Kw‰æ@áðB­>sÑX»ÒVücdåªïÄ‹5Ëb7½ÆR¥çEŽ[/Ò†Ôü�‘Î
-)<=U|xxtp9Wlz7;B#Jk•ï*$¥:˛ɚ§rSWí»ü¾‚6Ƀ`"ëP�ÑÙ8f’cDÍ3UO°úOZ5i”ö
›¸¯Z¹³uzÏýåkÒªŸÆû‰Ô8èAiµåD¬Ê¯ÌÌ
-¹J)�°•§Ù´0	×)NÇv*‡
B×ýD:)‡‘>}†�r�B¯csÏïq\þ%2Òû
à<óÐYZ
-Doµ~‘á�NÞÍžb…ü÷­æ»!µ«u`º3漺ç•E ¹ùÐÇð”‚çR­¾m¹mì?£••
-Ÿ‚�„¨Õ¯êF‡Ü–Ђ
-z®Ìx"q¬\?™Lüú)#¸§˜y
^d1]
ÀGó¥­KÝØL·);68Ƨ!i�›Jb“<šžôO!™¹n-º’l$ø‚æiÚ	Ö†/­
-ÉØ!úzZû�E¹¡Ü˜V]‡`ü—½H€'cÝ›Å.æö–b:ßü3Ù 
¤#sÀL¥ü­&(ÉÂËsõÉX›èœ2?hv†¿óÌïÀR‰¦Ý‡uZËpdÛO6-ÿ(¬:I�m¨àXsièë³Ñ=Û:«OÇEû±êï)­ådÚå_n5~G¾¨íÆØ"6M=‡”Bä|àaá•$t&0c®ŽN,–zQÜ!ÙBþ†Ó	-)˜¢½ëò{^¸ƒÞQ3@TÞù™4ïU½G7©æÀ7òyÎ%]öH|½éx\|Ýso§k5k„«º§8çQ]g®êWø·]`h§ͧÂUŒ 5¾yoÆ‘Ä ‘
-¢�š~µ9•v7N€¨Þ„J‡ØÜwº€µ´íµ·S*�ñ¦×“ç–«,yóîö†ã‡>κüXÎ!M	]ÜAÃÒ(V %?9s6÷%:+ÜÃhë¹8±Ã2Çœ»Ädñ†’¸ÆbäØ\Ô&PèaåÜS~žE¤ºÃ•P³e}ŒC’37@Ðì=Cù¦9Ü°hcW7£v)P½¹3ùx%ì=Q
M–ýHÕøÄžª	™Iú+|W"ÁÚÑöq¿
–‰c#}~8ÄldTÔ›#�ì‚zŸŠËb8ƒ½Ì
àÚ
/V}zÑEê2eâƒÂIyP™!Âp@÷CxKŒK³ó�ì>5A3…Ê‘–r0صàŵ€?Ž=µ~‰l~lE½ ÚÝÄ>=Æš”,S ð–lö-ok8‡ªâ7�}
-æb¶+Mƒ $(-TbaÄnÜÏ€³î¸‡ë7›KæÓ�ËŽê¼`ËØ”!�ê�QÊ—`µ{�y±>Ñ:ésHçz¸$-©žY¬|ÄýÁP/[0«'ý–~õ™�î!;Þžù 
-Åñf�!*BJpc3w”Ò
¥õ½�
-_¥êûRô9>Î1t%¿Y¯ÉIÍefæ%ÕÇtìÁS=·Û;éÇË»â Ófé¢òðÒ?­Ç^|cgGKgËhçÞÓü
ñ�æ³ø[ <£ªFö:&Ë
¿H28*§ªƒe*ÙYƒ”p>Ÿå‚žq$®!W¤²ÉIÒᆘÍìôµ2'h	Õü›eÌ‚¯©ÑðúÀ†\¯E>æ$ü¿ÁpnNÌðªÌyÝ„¤Ã	ÈÄp©É?·~ºÇiÚŽÐYçÝzC£‚un`×HK`ÀiájÿP~Á«ÕáR*Uk(ñ�Þjóe~?�r/]S7� éÆRúí;|@“
-ðÊÂ
C@
-]Ç]½|ˆmë‹0µZ~Vy¾
-‡.Wƒ”½‘ð®¯c[æ±`¸}Õ�p{Ù§
EÞ…lž=E9�Yðuh­`‚ø-s™Ê‡¡Eæú䊬Ï
›1
-|Éûw°©ØâjrÉHÒ,É‹Æ,CbE¶—»Þ^èFêÛ9¹çnx,9�c¤œãÖxrí“Í$åÈ£˜Ð^òK~_“â¨ö «48
-+ÇRaçÉç²�7[BÞºé¥4\faZ€T
¨ÏŒg"”¦¡�9¨™_Ûü Cµµ’)µ
ëËÏ
‡8Ÿ]ÛŒ±î}èÀ,??õbÒfÞÑ5MË$_ÿözÞ?=¬
-
F]|N—éUÍQÌ�Vá°ÊEšŸk´`ô—Y±fD
T‹¾g뉓Ä�w„Óg"‡ÓZ3<Ýãýøð£ÈZžpÍ  M>3�ίðåñ—2ºÔ7¨ažb8»×éŒ�5!‰Ñ~þš‚ ¾dm>Ú¡³^óZ¾7±YijûvV	+Ö²¯LL³fúêW‘¬ñExmíˆ/˜Ö39¢N1ÒŠyógõ4R–(,wV:Ív¡³)·…âÃÚx‰y¡þ3éT–V²`mÁ¦oA¼,×Qf*Å
-†ìÓg¤…žVVÔMˆ"óC>”-²™é=$uÖI€å°•p„Â�
Ô䪀]ƒy€
-áSý qÓS¿ª†R.“=©Àô®¸å)léj“%ÕÐ}PˆJ®D‘é=œ¼™–Ïßõ‰¼ØÇ´:4]‡ÔÇž¤=ðøsÃuú³�ä0A*›Â«mõß¿5Ä%#6ä@¾*æCàK}‡õdƒÖô_?±íÒÑaÑçpZöñj¤F{ªUpþ¶«EAHJÉûµGCåF=f
-wÔ84<õòN!…OÑÑ
-Ü*¢èp^ö}ÿLl QÛÊyÞò0æ[¢-C »=šK\ËÏ]E4ÈÐùëx´¾O^ƒÅZR=á¡ÂiüÆnnÆL´—tžú[­!ÖŽôbkÌzøCt0p
n€òA–Ý
-ÉÚëTÓ:ó%½ó»ê�ó×o~EGvQw—a“Çu!à­ð|"È�®]åû2Å[_“Eœ(Û$¤ú±KÊ'lÞ‚�l¾R‡è|n8²D®|a/EÃÌ62ØatŒ„RàU`©ÌÚIËÅ«|¨8[d J¸–3Ò–SÖåä9�òsÛétiô6jÅÍ©uÂd\þö|ƒ±¡]Ê7`WªŒÉ?¹´RÜð¤ukaØŸSñƒZÂì뛋ÂðÌ‹Wõ?ÕxZJKu`Ò£{žÉ‡?z:RÎ܃u™ÞrZï°æWð\¦� ÐÝB¯Ü$±
-•m›;ÆÖ‚N‘�šI‰Ì>0åœ\×ÔÁrÁ–~¿ß¦Wp—
|@(’ý$&hdž–mGë¿L‹a1Dx,}Š�Êq—›ƒEr²S¤ÌÂ*—;
ÒžÏpòbÜ‚7§"suÊ–XŽ¢jÅVvdJ9e°ù�ZØü¢·±›¡6 Fj’uoß@žÕÂÏRØA£šÏè7±R³ÜŸC¿«=¬z«R(–&HÍéE×`l¹�Õé<˧2&žù?Ñj›]#Èvÿ£ïo¨ðk£â„ÕˆH@ü‹õëE 5XVº[੨1?\ýbûìS£Ao!b1�/ѳ§‰J<<×*½´—Ô[,'{11ÅÓät—�«‹�É«˜Ù½U,ÓF•€û?çIIïºÒÂëGS#Íç‚FÄg	ñ�f¬"Gh€ãÄ.OÙ[‰]W‡BáSdSÔV�Ùþ´¥àÍü‚íLjÚ</p´žlÅ
-"ˆ§§³�±ªn†QÆöš»æuðÕ¥L(¥âŠ
v0Bo f¢Ü{¸ï�ÛÖˆ,`,3Ìýá”H¶ÛçÅ×í,°�Ÿ\ýýæf‰­_[äÙAL·É<ê}<òZYšŽ¯×ÎQ6§�¨Ñ<¨ð¼Æ5¸¸@7:ë=zÎ0É
/¢¡§ZGVv9ÏÞ9­ô%çŽüû΋tå1áy¨œ½¡¸­d)稬ª2Nš vï“ÞÆkoö¢@~¶Ï©žä­ö»cµÞð(’/gQMšÉcùüZÞ‡pªÀÖugâ2±tcÀ‚ûcâåwÁÀ‚û"”�ñ3džQ0eƒ¸®#8¶W¾‚.�¡tøš‰f@¤¶HðÀz+›4í¤?Õ_ù`
-�W;«Ä‚üUh&�ÕŠÒ¥HSnFi@YüáŠFr�¹ûjØ©�ô‚üîŒL0æÂú]ˆ<�‚V!}–K/iú â uXoJ–{N4YcAC†ÿÛ€/i}hXxQ_²·vS|PIpL‹OÎÄÿ×éÉÂNâÎþ§%ò¢�®#q=‹ß˜‘ëÞÊXì¸o^t7eˆ×WTæ4Sö0XÏÖYò€}6Ü›Z²ÈÄ]}rƒÌ:±l:#	bkäÝ–aÌý·€®Ï:$œäDDöÌǃêŽO
-³š}±ômCa¨œs¥”—žÀÔ|%«¯bå„ÊÁ®U‰P¤ÑU£3ÊšØ=çäÁὦ½Ü j Ë”“0ÂÀ²Ú/ÕH«’º}Ÿ½'ÒôÃûψW–˜k†ô@k«Fì¨,çl÷Œû[o½­¯åÏ HQÒ‰�…< v:Qñ7~to‹ôîÍñˆ”µÏŠaT'�cΜֹE8«™É&Ö+¯«exÞÓIþ#êÀK„N¨à;=/mÒ,ŽÞ5êgné*š^D‡S"‰±­pÍq>Ým…’º>Ãìöû×ÇãJ@zæxÕÕFW8^
-
.@ ü,ñ“`aMJ!λŠ6N‡ú:žØ7y�|‘Rä,,²àMgBˆ·»¦8o¹®(QF
™³nZˆpZª„;¶ƒ¤Ää.«³:‹�}ïþí�¸<$ÈñÄÙ“†öú¬�v�dž“IF#ûeyùéëBCⲶtÊgìv�ve] Š|(Ü©½ÞŽÖ2Ç
-"IúvœÝ~ÙuÊ)k˜ˆB­±©R…Vd›}��‚Á�à,‰$™ØmŸF3S)�pŸœOigRD['ù<пi[Ïe2rÃ2;í¢Ð
ŸUATþV]¤·êœUÃþe½ø¹7ã “àìxáO¹¦€`¼Æ!³†…˜I®‘fþ²¸<Üzm7—‡£©ŠT›ä%	€ȯ•“º»®bÔq᎕ÂÙxú§Åd%]ò�R¾ˆNa†PåÛ‘Ô›§­ÅË·o
#=ç’™¦™›ý&à¼)g‘^%›Ï¥ ‘¹m8®à†aiå==çƒÀ¶ 	rAao¼¶5–‚ñbP¥C‹ð¿Ú7‡õJ@Ùƶ�Û¶m³cÛöŽmu:¶mÛîØêØæù'÷	îì|§`M«Ö „í±-!‹°!Š£ñFll«šuÿ�¶³àEl°è^÷ìQú)æ<3¶ÄeóçUU$…»j×~a»XL^äMΊþùýê㉃j[‡‡·CÄ*Ä⮈àÒh‚»¦QË;u|ºUw">,œ
¤âÔ;û2Ùöí„gè‚s+‘뻹ˆ5'
ò5lÞ¢
-|dà3E¹Æ:[qáÚ™£ò|Q²îî
-¦A½­! V™Ñ«ô¸õ!UÖ‘»¿ûZì´àž÷¼ˆ_ÉxºËEµz™ãŸæ`ߎµ1BT5¢S.t´ÕãGéÓª›Jfƒ@á
ƒüZ~9:מÊF&–es×A·„^_Òj:Š54e°ñ2ZÅ[»É8
-ïZgUñYÄÙšf8Âôd¿ÜÕÌ°Š
kÄÇ‘­Pöd¼ùCSÖèJEAPÖ6ÿÝĸî­$˜ç¥Ç§¤F§Íä0'tÀ¸í•kØ0-öÈ*¯X&ÜÞÎe0ª"Óž`1Ò‘ÿZ�JPé‰|ϪâŽëH¸
Äo¯"0‘y‡�Äúyú#gcqê‡�ót}_/^ÈdkwÜÙíúòÜ×›ã“3ųʶe/oJ„yÍ,½ä!…‘NV§7S£dò=á`ëNŠ°›½7›.5ö_4cå6Ä}|3mÏ
‚¡há9é4Î…c ÄæeG(½¯üª§!Dî§Â‰ë%mëÒI¿lbÿr?¤áoÛTZô=Éé–‡™Ã¦…ñL22–ÏÔW‚b²’BžÕ”1Ó¾=neAŸ˜ç¾cqaZ*^"MïpØ
-f�‰ª^±Ü‹	é¼E..ƒ§úW÷#^ߥ3áÖøfF,þ­œ{L$ÆLÜ#b
-%Ue
-�ÖÇÿ$»R‚0°*kpC›5D$*|º™¼g®yÓà\'\óK[3;pÎ�H·û¬Bêš<\)Á\K¨mù*ªýùÂýÌââr¹é'É�‹ªí³=F
ûš°«'d<šgîcŠé'U�
¾³ò)2.�š9V×Ú›õgö#Ë£b@KÎåUÉ¢*@!ïXw·)2Íö«+¬CY�q4¿1ww¾\ò.—Ôd]?Ù'œ¥”c8
-†n|�»Aº§D�f2=]SÞºž2])ø.¡st£%²pΉ“�Wz6kJgýòÇ“ô‡a³�ö—‰ù®9y3jžð:¯·®sa³*|Ë—~Þ²A'±j"‚a<tÝÜ¿cžB[ŸË´}!ÃqÛ.tÞ¯ÕŒ£ã¶ƒ3
-ƒË[ÓôÚ¯^dþþÂ()<е€â¬‰fL^:Q+
-*ç+Ë7t±;¶Ý�¢
*%:‘�Õ]=âï›Ëu'–¸bȦ•@ø¶$®ä“Ns5>7;mjo'õ£NL)H?”ÌsŒÈÔ$aËê×�tPf\D:. 3Üí]0ŒEF�öáGÌåëd\W”%mÔÀàWíQÎ1‚Ôé^ȃÂgì/}™ïTJ@f¢”³ìr'
-Ÿ–YBAí¿†ÒŒê§äkÖÁ[„Xé„5ÔOBÌåçŒ�;ç0NGGw¶�;è‹q
-~êŸch]8-ož¨­`¤÷
3oi>ýß"	C¸ð*$4üÊVÊÇ�à�-
L>?´<²èl7“xxÞŠâƒsÌ™ú	sŠÒµÅG
-‹I: "0�²sŠ|¯ÕÁí›góij§6W]�˜d
Ý£,P•9Q¦%·Þ$,æv'){Ù¨«w�Æ
-š
-éɃ�Saåò5¨îŠ‘NK÷É“äQgÀeÁ��Šã*C†QÊú;±W¨+Ì(=ð¶ðr	¶}!YÏÍê»pD™Vµp¦ÔÃHã/°²\k‹÷ï-7•g;먴R‡:�g\;ìÇiw^îmÖºÔ�£…&ú§uâ@’åàº\s�›eðV
-ÕÊz]¹§0Ë0Ôo�{„ù9fJY?ó*î^”ƒðé )U_‚)(ƒ+ |õ÷±íàõ§¼�Õæ÷ãæGTjO×~ªØ:_†Üª63+‹êËí[ºšŽjJ�½põŽÚìt
-®Çïu;¢¸a
-X§äÊÎL‚|]BuKÚãª�X›ŠŠji·ýÜÉL5ÕvÜ4±bY(G¹Á©{»QR3œ”äï³IgÒ�ü»IlštêÉÛ|ÃÓD ¬k{�[Åi6Þˆâàô@ðww=ã›{Qúã¿TêFióLmò¤llÃ?æáúnÝöþÆžçètÒn¢³¯?>
-ukóñð^$r­…ùÛ0¬˜¡dâ,ö§éi¶h9PϹçÏX+#œá-1kÂ`þ73´>�ÕÏiÕ€â9rµÖîÍu1‡[
-.òvŒÆ›ãWa°r՜ܔ`Ÿ}ö¿¯ÂýÛwq¹ÙïÖ”‚·0®„i‘%Áüwþ!W¤Ìëe²Ó
-¿£JÄäôÀÈ~ïbþCñ÷a¼™V£;Ò9Dáö$hGSú‰</Ñ¥ÿ‘)Ƶèl["ŸV±N5Ò«m‡®ÆH©)§âÀ­ŠÐûÏIÐK¸ÖÕ«�\U…ïÁ#ÅXa!=*ˆª]!ÁîÞYÃÂídï1šÅ|âe9}âF+$r$SêxÜ”d2Ä“qChŸMH•ÛaÄN¨¹kl˜’?r´š•mnr"CÀÂ8Ô@æõ%<"ɾ@#Û™ÀÓÞ�â™	–ÚÈöÀ0ít­Ež”ïû´€šÚ¡MÜ™�:ãZÕBL•wÛ{1+(Úéï³´æ8ÿïÕaÐÓ#ËãŽÑOE‚šy¯ý”lî:¬¿_À­×þË=“	{E‰¶hvî~s2Ѭo¢Æ7u	ñdØJü7¶ài˜ñÑ»[ïtQÅ ™ÅèøŒË;pÕKôÂãÃì³
Ùì§{´3Óàr^ìI¹Úw°Úç)k%P>]À¼#A97±§ãÈ*Á¡atìm}¶—†mK•8ù6T«Ç}þÖ�åãÜxò`žüyþÕ\ÈqïN51FA1Â'Œ‘uôÐÅ42î²8ݕ沊° Fô„«Ô¬àCøb&å�ûlÅ
-.ô.!¯ ùŒl}‹²-ꦚ!Î(®d�ìQl’ç0(oih7»"âØS	~M¹û<w]óÓË»Tá!±Ú¢$‘
6¢�þ‚hx}}åPyOÖ”ñÄ.¯ºHƒƒ>¶%úÇõ+°jÐMᶵ=$,ƒ‰½=öPSÆO>ßʳqa—ïñˆëo"èäËÇt>U¦©Cði‘‚1åÄÀU±l¾ØÉB½Wiõã(¼�š�Qí‹Ù».¬@Üÿ ÄñŽ�š‰49c̤H�D–…P=ºÝXt>-š-”ã¸4•öv‰_1E‡1;K-ÏŽØõÆ©É-4�iž æ5¿Ó³ƒæ‡ÈÌÞ\Ô†ë1tD‹ÈÄtŽËd6_Eó�fNñŸZ�
-…¯oÏà’X³`G
ÊŸ�MjâVQ̼ó{?#ü{¨�
-ÿ†%ôAn÷«Et_�I^}Ü<&ì°ÄªäcY:/‹Èš
7Ôöyvcªð, +´Âpmê_oS´±KR*\ÍeãzÜ­bfú0óz30s–ÙXsø1ðniȹ‡"�/]vºrÊO‚0Ð4.²'‚çàž³ÖVŠ¢2ðm+ø�«Ö°ÎhP_		P^ÉòâR
ý;Ð<Pyâ6°™ba]a

~”ÿ¬˜òr�¸2–æj	âÌi@ç‹Ù­b’“¿ý«M²ìÖ@o“ð)4âéØIM.Ñá}ó´Oqu#Ú­<ko²öžü°ƒ“2N%Ûk¥Žw¾_ÃÓ�|·,xr»¼uÁ=…–/SVÊGã¬l¹`³–½ä{íi
¼X\n®^>Ä“œjÒ	Ë&Oæng�•Ûlý0kôÂ7¢mWÌçO5�RŒ0
-ŠÇ½Íè÷å/‘:Ìé5b"=žOæýÕ0Z꛳Ùø¹'sä3âçDç&EÇ
-‘ƒúS¼×¨,î$‚Ñ¢±Í97ÅÖ�àb+𶡸5f‰ôÍÄEáÄŠ\u’
Ϲs?
-¸ÑàXÎRP*;Výt”ÄùYh.H­� ‘¦P‡mºx¬KÆ2¥¶­^’f�²­åå¨�t¤Ç´gˆîPsÐ;�íÆžÿ|>w…Äv»Úhwò®â€n ÷¯ü×@(áÆzø­³�Æ)±GÈû
Ðú¹'»ÐÛºäz÷
-ªCð’󬧌¤p
iÅ2{Oe«pFañp¨“�òK¯Áf¤wÍÍF¯×p˜û$ð«—þ£R>,ÈÃð2*ÍpÃÛ@Hd/¿«–e†‘[Ã~“®ä“Ô‹Ëq˜øeˆ ÛvŒëkmÆ{iâñø�*@À˜BAY¸9“X±Än©�S�tÞSÖL( J[/ÎtS>üÆ�3Ý[מ¢ÿ}×yáõ
-êä;ã¶,¤
R††§t«É–¯Îo$–Nžù˜ªÏÍê;~6owAõÁf=c³½ŒÎF[Å„æù–¢
k¦ƒùœrÏ%ǨTá…äé~BÖ|®âËGbÏîå
ȲÆà|RMì^ï6QÌHè6 jRjôäßÄËèT[\ûâ‰�RµÃÂ/H]\qfˆN¼fc*)¥Ö`õâÌ<ò&$´­†»€ËVÑ’oþ¤qP¥`•i«ìÅ“/‚®iø=ÃØ…®¤	ØH’‘·LŸwžðˆVßÉÛ¤Xù¹ ‡¸N‰UÈF)Ÿ�ùÍ/'!xx2¼yT.o|³ìŽò©ÏÍ#$£A:Â>§%÷ˆºjôyáÄÅ ïaÿa$îÉ·FrQòÖü›¹Ó+üy»¡B•oV”`¦Úv
-&®[öà"¥ƒÊr0—®£½	O
-‘pGÌœ'¡v�éÏjËN‘D "jÀ=DÆ/¬?õKjNêps÷yEgð¸›âæÑÅÀ�é¸ eZÊ�ÌÓÉj¸-•0Ýàµ%‚aÄ€%’'ðX
ŒÞy˜ ž9˳Õ-AŠ^¢&‡†¡Äú¢|;“õ’ð­[Õƒ
¼“x¦Ñëc-£V^ùéïÎ$W‚
-c�d(¨[÷[qJDü­5›UÁï¦ùúª“|i‹DÞø£

– ¶8ÐÄ�Î9�_µàé4dað@˜Ÿ
P´¼jp-sð}Æ÷FþP³‹3ó#¢•Cø°¯‹À�À«£“TK|å�÷lfËZ¬h'B‘@á4u®°8ó]0tƒˆ‚Ÿ·Èr»‹•Å!¦¿Ñ TŽºéør:4xé"&ÅN Œ/S;8gw¿…×Û¦‰*™ÎûTáž	“axe4ܧ•>³î@E ƒÉhª…Ê(ˆ·êÃÖ&L}n³‘ƒÉ1rǺj,�ƒ©}j¯�Ø`�í}¦|ÙQì¼¼ó.òE)K�ïÝ’|³I4.Î3qÉ-™ÑŽa‰~Ó»š—8Ãd®HÎù¢záá~oÍ•ƒtfž
-®RÁ1�æ"+Ob´½ÞnšŸF±¡é’Þù4g?nhO)Õ"AD·â™¥ïŸÜõ׶auE‰ø�–ßl·
-ØNB†@–·üa`laø¯"kÝ =“¿'pr
-3c]MŽ<Z�!ÖYЙÖÄÊq̼RüÄ“xìqñm>*9Œz±â{¥ò˜r»¨A®€ÎVÝÁã¤þ칧ǘ¡O–•½¬€�K�™òLÞ“N¿b ª:"eä%‰zÖ¾˜+°¢	v¯
–=üµ{nváû¸iɳ5@“¥¼ ŽÀQEG}Ò="ÎÊg2¹k}rgÁÎaïÄbF2§«:ôq‘l5eúY[Ûh[Pz
-Õ"W›
‚HóoHëgAÐÐYqo!a{
In&Ýq7õµÊ´…B„ì©™-‡–¸	²“ÑÉ@ùïå¿ûïz‡^Âö[ÏŠëN¥
Ê
‰/\Œ«6Å:ê×c·•©àÀ®Dº¶6?i�&Ç]ÊÕ#¼Ð‚Æ›d¡&~	1¬çúàˆÚa;ÙzðBì•9|ÄyôÔùõ䢕)²röTÇÈ]Óu�Å…CäW®iCê««(LjS——VL¬'@벎3ŽPœ2sJƒWŸ’÷/-pxÇåjØ�!Ã1WÕ3ûg¯èê­ø�;øßïv!Çs8mÝ{¦b
µÏTfkŽžý¥]ÂÕþÚ¼þ ä@’èQ§üKþDЃ�U³øøäܯ
Éí£sfàb8äª*neð¿¾=à8XçRâÛ5‰æAD>D?¯[6ènºMeÒÊЪ“Ž\Ì¡Œ�@\$ì1‰ìÒ%$¸˜¿Ó�‚j
)Û±œžhÄßF%²&â}–ž9÷»¸nqôM‘棆dŽà
5<ƒ(»°äHd´
-ÿm“'èZÿm+‰pÁB"ÊÚO‹a££‘Úàÿa¥Å�Cîp�7¨Ûw_¬QOuü"�’­8ÏΓX£ìì?³F£,  »«V�H¤nÈ8�ò»‡Ö
œ»Œ¯WhHâÍQ6ååõ�0bÞwþOäÀG•tÙAz‚ÿr½S{–§ÝrðÃF5'va¿	ƪb…T›»¬ñ�º´=:I£V‹åc¢pf€ÅFw”™þ¡±šç©‰Øô:î»:·€·^Ï�¨„¯¶qzº
QVàD~Í‘6‰
-Æ94£ë
Fsf‡U…ÞpÃxò¯*N.sžuÒ7#0÷Óc‚HÕ˜ –âYph9ÅUG— Þ¿¯çÖë�Y:/¾=¶'·2€ùµG³<~ª:™HJë¸p”£0L;µ/$
-Š�ÝØfxö7w÷Aꎎ­L¤³íXUòW³.’¼ª’;ÓÓ¡E"Så]FÞÉÊÏ"iòmþò¯Ñ7„ò—Ú+ÝظqŸKÓ™û˜Žz„Œ¼{R�?5ùÁ.’ª–).ÄYðñ¡“ÿ’‡èa£öî3Mä¬8;
O'ÂÒÃ{(:õ„
-2 _LØÅ£™>÷R¤½¼
-NÜßúú
-Lœ›Ê%…LeÌ¿+1Œ-•*ŒÂ0�G70ýo2ˆ
…"³ôd°Ç\g¶i�7±Ýâs�qLÆ7!õòîÏ�¢{ßr%tCáÃ�²A@òÊý»ÑÕ*k„ï:qÉê“2²)]dÀÒ‚¸ê‚ƒL/j”ª®äQéâ	a“H�'‘±èñä^¹®˜%ö/ïŽö»Gž¤ò÷»F¬Píù'€.wÉ¢‰ç’‘H=¨>9ŸhxÓ~TÑMÖìÜ‘œ\nÁ¼)¬2ÂÆP¶R7w�õ/qiÉ#·gD^�&Ñ6JD»‡ùþþµ˜‹VÕz<ƒªÕ!
-6_mŠq'2~‹Ò=aFŠ†þÐœ²?Ç	¯Z¡._|;l[×OX˜àJÁ+QGýiÜZÉ�P&Yyf2
—<²
è•rŒGÜ75·ïá3òŽÃ#z‡FF⨾ãúF4þN¸ü5àcíÚ6P·¡“eä	è‡Ék¢œu_KŸ¥°L‹*·éñ0MH¼CrœT>Ü㇟x
 FÿàRÂB_!äµi¨NÙ%$hâ]tÞ‰¢èÛîûs¶¼ª=nù�<ü¨òÁËY©ÞØîƒQKñ™ÆýgF==ˆ3šöùsCì¶G’Ð!YŠ
W�aðŠ	+·�Yà¾]ˆh�‘!{â#iŽ»¤"”¯ùù4bwËZ¨Xà2&£‘.¿l=b,	¢,Ùl<aâr�7à')¬Í‹RQÜ.)ö2—.‘Ñ�
‡¥r×u�ü)RÖ\-Cà"
-¨{0öÊðeh饑@­s£²çäV>ÔúAœ¦Gôì©5W0!ÒãBîV\Êå6ÔÔëߥåíýŽá;RЭ$øžv(Ó@ÃICM«Çv¹Ì_�§/#	È
-ÙÌÑ‚§õ±Á¿2å6ôw’ä�{0ëó¬+/6A3C¿X	¬Ÿ�?

-¥0©jT™¶„qÚ]�¡ÁÂ'DY¸
ö.g¬Âñ¨û;AJÒ´á¿ÔÍ­[ßÇHûaA@Ôñ ?ÍJµAì»tI•%[Ø­$Ò�ð³"ɾs™ÿ?÷€ÿ
-endobj
-597 0 obj <<
+/Length 25647     
+/Filter /FlateDecode
+>>
+stream
+xÚ¬zS�m]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%
c;CQ;[gZzNE5ykkc;iA;kc‚3)©�£‰�³…�­°�³	'�š‰1�°‰
##
)���½‡£…™¹3
ùõYþ	!0ôøÏÏN'3[²ŸWk;{[çˆÿç�J&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,
''{#‹Ÿm&îF&öÿ¸¨	ìMm,œœ~Þ	,œÌ
l�zàlG`akdíbü�»©Ý¿Ù;ÚýDØüø~Àä휜�Œ-ì�	~²Ê‹þOgsçr;Yü¸	ìL"�íŒ\þ)é_¾˜¯³�…­�³‰»ó?¹MŒ-œì­
<~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrú�ùÁþ§;ÿU'ÁÿV½�½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfaE÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%
ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþw�þ·Cüÿ{žÿ;´¨‹µµ¬��É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìGzZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk[“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:%!M	5ªÿóFýWœü�òÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`Dl�ìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþ�õ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ��]¯_zøG¥þGmmÓçW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛd�lTÇ�tº¥°jÑ^7KÒ» š¬ôªÇûS
+Šº%`¸3�LŽ7)ü‰]üQHžíá|�ÒâP»š
+ÿ\�%�ý}þ54>:2Ü{Ú„M•IÊå
+Kåï�ƒÍ§©R!RÕDzÝžeÌ}øØ"œ³\ʤ!g?5íµ	Îk“T$f}QìŒ}}œ7Ãë–aI­zQ£Ø`�{1®ËÊ›¡9sõ‰ór5úË<#¤=ø…ˆ´±36…è4Ó+òŽÇ¾a‘Ïp:‰é"“|:[5P6“Ó<M`IÍÍÍLÕ‘˜‡‰ŠŒDa_gÁ¡Ãœá½]é–§	9ç8sêÓšÆô e¬bô:miØ*N±«z|+hytHOÛV77Ùa‰
+×Nä&ýâ3­çï²E@\æYzm¾~D9šru]
ƒR¢á×0��u+»Y}Îî+�\·�¤èƒ˜`Ixï|P>½«D¡�;MMM¬:NNIˆ0þŒÞû+âÝzzÜðà\
+Š—€’»qt‰�ÿß)âxô0EBå)¦d4Ôà,Y=2€Ä„ÖÈ=ðK86iÓ·��½µS(ç�óQôx;”ˆwMÒ�Ý\]°Ň„ŒŒÄŽ¸¼'Ž‚ŒHè¬|Ûd@I¹²‘E	
—çê‰xERµÆ[ºª�–ØÞ÷6µt×Ûô”Uâ£ÀíÇÏcí—‡²áŠù¥�t/ëE½Nr…5õƒ‡À}[�ÖvÞbO¿öxî3–^üX³~ݱÚtX”·úbÛ»Ze¦B}Dþ¡¥±{dyÉÞâþÝbæZR4ŠR`s§Ú1w	p˜aºÃVÒ}ŽÔŠ'X7zÉ(S†Å£À¥AKÝÁÆçr&ì椫û\šì‘F­ÆLu×c¶X‡YÈnT<)—l%WªzÈ
+Ì�0Lo”2´“4c×±¢»ò“÷é·%¶œìÔr÷«rOxRæ
@oÑ[#OóÐY„ý‹UՈʼn%?¼H»@yÖÞãLùbùÛ�q÷›c}DNCýŸoìsÑr?áƒÔÝÛóŠJx>æ?¤å‘]ò;ÔHbÓ‘¾tTï¨)Âm"È|Ó\¹¢óCÁ†e`ç'(Ël-zÝÇ.æfì„©ƒ5/Â/‘˜ÅÓSþÃEÞW;mdu‘ýêØ®=)À6li»ÙæüÖEÍX»Æn–ç]6
+Ȇ§yð»Ô™6üÏ2Röv•ŽQvvåôTÂ*¦(?ç)m¶5”OVÀ#8”¦Ú•4áîPñ"!Ýa¶é]\yc™··sãAZPU6gbß+:�*(¥Þ'V­PÜ…¥Û)+#®¦.r�áýô[yÞ]²ÅÕ¦<×µAÅÊ|…ø	Ý&Û¦ÖŒß,`ÄÆ
+\w­wñ0‹²R§ËJ†H®oQSÓâ�(b½,íµ‚9¹/#Ýýo
¹|Êq3d›p+¯º>2£~ìîšzµ´[=1#„ãW*Ža†Æ4õ
+|\4YÍùô\VŽAò¡iÙœÐV
+'Œ†Ý¥ýrˆøœ]E‚ˆó(‚ƒ+c[€Éj‹®¦
Qíä¼_Þâgˆí44U÷“É
;2–×LC
+JOÉÒ4WÑœž:óû\™Ñ™ïÞ!×yÖ\3Ûø=«/Τ€çÞ¸¯æŸ/8ˆÇîc+Š
GI1(yBª5ŠÝ
+ˆÐ÷™êq¥@ûÏ|å�RøíçÒ¨Zqé1#
.²[Â^�%â”(:^ŒD”ÚPØ•/ð
+ÐJºN$†¦ædœÆak¯n¡mk5¼{n
+©.׬nà''2‘î3ˆ2?g‚Ó<ûeZ‘™�a÷­6™'z��OÁt­:ñÕBzÚFÑ£AjÅ6©²}Ôq”‹ðü¬
fŠ™ðaNõRäm€É€e‰aS—š=ø„PD�‹ Å©?Κ-Év“Ü*.ºå„í_óÄpçÂ’EJ-Mn’†´#Îó¿?JýjÌàUàTƒ*
+dªÑ‹ï­M1–7°¤*’±¹+DÞÄZ·íøjâ?å
+”;�çÙß
ëÀÓùÙ—8Ç!‚Kùz.Áøò¯�Xñ€¯ÈHêKŠ\�M(€Á½µBO8 çXE_æsÃYZ·èp6aaLÞ5f(wS;áKéªOÙÓzôx
+Õ§µ÷YÍÛž�—™®Î燸-f: sôqó957ì>\Ç�´¶	¬C½}8$;DPì…eªì¢V¼'­ØíÄ<È“½Ü¾NO(߈]øé¦ÛÅr_[Þ*ʇ¡ÆËÆ<Òx ç˜î®l
+Ä’£×¬÷°zJmp¤0ZgôìuáÜí™ô!F…ªä
Œb“Ð.ƒ‰¢9wØhQÝ+âGùTjx­~wtñ».^jËð‘g&rÖ̹V§
#KÚý®Œ¿çqÑHºö”Å~àlsLÓfH9�áNjn£W4`oÑ£:»Øš^ÀÅK¥ŽÒúƒ
òL9ôlÊ0Û‰B˜ÚÔ#k|yË¢\Ÿ=*XˆÕ<d0 ¢‰úJkáÜ«mµuˆ„‘¯H`Ž6彋EÖùñ�ïùBÅ«�/hüî#Ô^†§ö¬i(]‘×Z]°&�ÈC˜ìö¶ãíöù{Ùj+à€Ú‘ZQ[){Â�¤iZ_Âì“à=Fº(s!:T
KØ;Xž�ZÆ#›DÂ,vÌ4ÐüQD~ô¡²ôå *×BêbŠµÊ´è˜:³�pu þ§þ9rK28]±„»]Êö]– ÌiŽ rÆf§>Ä
 óRi×à¦H~&¸·—ϲSz…€ÕhßÝ0Ö/äH—Ì-Z‘m®Ûû
<€úQ³Õ0zÒבß8r¨tIÏ'Õ`™@*ØÆ®@fÃ&€IѪ¥v%QÏ:®Á:.s&ŸëF­¤ƒQüʸúW	›_!Ò�0sI"A4ªØ¼D×Ä÷¨C!n†Ñðú;+‘Öº{ýŠ÷ÊdÒ”üÝz/1�76ßÆÊê0l®�«ßCヤb£s0 N­÷ä?‰X! ¦œ´Î`ÿ¾‰$ý:Š¾]‘µß«�kw#+‡üåj$P®¶½¬6>žæØñ^70•öKú€ø$ˆ]ïï­�óÝo¸@g\³°G
+9ÅùbW<-—Ô9â�EjRœáÖÚîö©ÝRËâG^ì sJ¬¾bíÇAÂxÙýeØ­ÒæÊ>•¸jÀ ,WÐs
+�ñÝ‹¼I2ˆô|ß{1¦[y#²š‹9ö_ÀSƒæŸ’™fyf+(ý
+K#Îø/÷2ž;¼£§Zç$Êò^Mú½0�)íN(ïó‘µ<‘Š6lþ;9ÅуŸ)Ðæ¦óF}»ºÐ=À¸¶V
Û˜Å/éGŽIÌYW¯µ=·ŒìŶÑ;˜vìbs¯+�YÈý/âwåáNV­&Þ÷¥0óŸ7¯Â$6/	ÈÉa…�Ø藺¢z|£>†²ª
+«Mˆí&/·}�ÎI	Ø%΄%0W¦É·¤¬´{âI\5d§1ÖÙA)£7½¡TDƒÖcÆãM~ÉÛ0l4ÚÔÕÝ„ùäˆ÷)—h7¿d~aùruÖ[l¡F÷è\)ãƒ|<k�z?D	\]ò7ï2¤ÎÐdåÛTª³WdDmI!÷Ï€S‚'#Q~On	)vE6ün¡Öi¢� Ó€(IIŠ?´ëôWÞbÚ¼%­ÂbAP­`6D
+–fçÚïC%ÇÎbl·Å$ûÄÒéæÅÇDÙdÿ
+Ÿýpô¯°0TO@,{i`·Î¶ÍÆ¢ãÚâ×Kܬ	¾�yOàï–<ÀQ–
+ðÕŽ£èÈp¬­°"M¸p‘)š
!
(´Æ[É⯻¹ÑòsŸûùWÅʨBP¨hÙ'“¨¿ÞÞÀOԫøŠ½â{Ë	eÊdëô¹Kx5QªÎ™6!â–­a˦½ë}2 ¨Ýˆð+0ö|3k³Ÿr™eÈ[A˜ýl\ÊŠ}óÃ\&Ñ[Ããóqt“´ú8ûy:µlõUñ®¥"„KЯ¬’Cpeªb•^¶¨¦oÀªs'ª¹þ¯cÙKñ]ùw+VuN|äáù	s.…�¸¦Ÿn ª4—&Ðøš{«î‹½±é
+uW–ÿðžZ—â9«ÞËÛråŠi~Û�0¿<€G<æÀ›3¦?›(íPÒá“~šGÁqFëÝ�ŽíƽHšJ+3"Ê«F…@™'›ñ‡îIŸŒ‰õ‰ZêÀ7Y
+gìзt@Š™+[Ñ3²/*;œ÷Q¿.ønÐDâ]ñê “R£Þ?*ã�]£_×êCék~Á3A¬
+$1üf¡
+‰¾É%|¾Uůx¯¸;%ÒŠƒ}5]åD„¢J›œ)h#?yºâþ-^ø*#G„	Ú”¢‘
üÀÄi;IÑÉ2ç�ŽÌ/~é)Ñu	죯ã3noዯ78]P³]nÃ|¾g
+6ψ6o‘PBšP'̧AFæêdf?P0dGC×´rW›çB¼¼6&³SÊr¥Ü	•¬SS‰ÓòñÞõT9Žú¼K�)Œ\û)°bç¶Õ†3´�$ZÞ#&†×ææjsmÂCf‰àS4XäHFZ”ÔzϘ(Pt
+|ÿÖc2›#á¦$'j‡ß|c›xß3ÃlÞ“”3Bm€Ü9ºš?¨
+LÈJ„5(µ
+S|ØHˆGð—Ã=>ô�ԑʇÞw1®V®Áç€�R=äŽK‚uW—e“	4¤µZ^ öçý†Ï#ÃÎDžâØmwp#ŸT-Œä{Mô§SqêßÑZ!¯È¥û;Åcï¤ág´SƒqÑq/V1aŶõrR€ñùòdfN51©é‹å=túúöp›˜Ùøfqû—
áoœ
+#‘%‘�Ï+0{—¹�Vx³½û³IÏßç@
›A
Öå]d˜± ÜšfÓ
3.ˆ•Lçû^«ªwk
FOpªÍm“é éâKL§.ã¬f0æµ2x‘$âGÈÛ~Í…�†ÙgpèÙzœlŸTêŸß'Ah7‹#m¢(´â'Z	%åÝa
&˜P[&W)íýyÝa
HÄrÇxg+Ešê»ÎÑû ^äŽ(úÖß `–ºr¶jºù7Yþsß›ûPDS"äÊ"pqšQ¦Mê´šsËÚ‰ÉöR' 
)Ú0çöÌzlšºð•`^•¼ßÖ——úq2‹ãqÙ•ÚüŒmÄàðr²ÉEh
+¤á¾}˜D'N+�nš~¯Ðß0’ƒo™¬WOÜs:¡ðwaz;A³cJ©ÚäA çÖûÈ<’+UȯÉCvL¥ºøPô‚Û²sùô*
ze-£Šü;2 «ù«#_š¤£s¾þ vêÄ‹úñe‡Î‡CØ“¨Ï>¼»,æñ’peàùhôm2’ÏÝ°MÍ[®¼¬Ý’‹�÷	€"_o UÅôh£
ÖB57„ý^æÛT'kiWCEÏr§ó•
+©ØWÚ¿\N[Ž”ÀöŒÍ�&nâáµ9vdµÍ¢–£¡!Šã5iAÅ�@ñ/*w.¸Ã(:³›Åå×Î6
îu1Ü3î᪾ûõW¤®48ð“ã‹KÓ^¥3Tòte:ëù`Ë"‰‹º‚p­,»iAX/†HÛ˜?äµÞ)RR«Y?êxjÒ/½)‚P8ñ“—»C>Är–BŒ!†¬gÝ@¯kîÚ“èNü½?DÆF¹U<þ5”I.:´�s¾Ÿj-p“Ã䊰"Ÿ�ªcÂ#Œ:B
�+?/P— wég&åoï�²û×!æ9œa pñ|Š®¥Þ²K5lïøŠÑ9„CF	†ºž/õ¬;¿G@!íxc|ȹD¤.׎n^H$ßÄÛÂÓq]Èõ+É{¸i™’
+“*ÅûÖ€H-eëpg,eƒ|ÍaJtžŒ/d�Œú*Λ¢6ºK2;”‹x'.QŸ[å Ì�ñÚ:ŸÄTß$$¯µ“Í¥¤·4UA
+~:Š0NÇŽŸÂy¨r“Ñ$85¿Aš«`!¨WÄF'*nNÁbt*Ú*¼ëë�Âæ;ŠEôû”ÕaÇòõT~ÔÖ“S4Ÿò3<5×Ø\ÛJ´Æß&æ–“O=P©[¨P$“Óµãñ€èiªš_`Ž.Šó{h/"•"v¥¯CŸ)-FßE¶ÛA<ÝïKF‡�é9	‚'ýøa¢4*$'=ÝèOáequGf0[éÒ´ò¢ïÑÞ7™Ë©4€ÐóØxâ%%Ì:¼ã/º.@ªã#)NˆÈÌaÀSt–k	�’»´jˆ5b;¦¿J;÷Ò±C°7·ä°ƒÂKŒwA¹5S‚é%8.nN`ºê9_Žû�¡ôÓ;Sæüê\g|¢�Häae#§û×çÛu¦�;¯ºÖÈÊXšŠäo+7×m4”°‹ª0Ýë#4åâ8�hù‚˜RË9«�»åì{°S©ã£›�ªˆ¿z� rª“ÊûýÎœ•VØÖi�!z_)�õ¸¨VS[i²sõq£Ë%®µe?åw«ìbØ-…97Á �|Êš
	aü’Þ[
+4%Å5k£½02ƒ�Áw¿b¶8y<•«ápÁÒ*Á–È��p«¯
,”&«‚rÃæG€Tëƒç¦£¤å¿”X{Š”ùH;_
ÕZ ¼ë/i)ï1Èû£.5n仯ðå9
=)ÂéÌW%^}@|Ѧ{P`Áíea°,pS L§Ü”üÚ®Û7CÖÄbÀtÝzÏ3$rX§5Ø¢Pü–„˜jW~\\{	7NìySE¼9
]ºž½"„i5¿ÓúÅXôxBää\„“y”\á¼¼!‡k(MÂÖL]*/öðéžä§�FJ{Y<Á&eš¯lõ‰Ïƒï…Ì‚+üŽŠ<Ù@9vOŽ�’¤ä[RY·ZßUM�Zûp4–DagPcZ‚%V_©Þ\;=MåWÛ¾ÖG
+›¶ƒ¯ñ¦¯<¢—h¸E“;Ukê ñ
+J±&éù
雈‹˜9›âÆæZue)äG$ LË#[|íÕϬ4ÈÝÕbO
+€£AÚ¤x8mw›þÖµÔ�„±ßxèÍ#ºaýªU!˜ù´TßN.ÓÙÇ-É™Q‚«iy@ŒWc²8qá/øç ‹ïåqYw'`:ÓN·ˆ=
+*¥6©!bÆ¥$ž)ÈFå¨3Çx=H3/xRÎWGzÊt¡Dc€Ê'ÒHD´öXM-®Áö
páØîÐÌ’!#ŠÅø*ÒÕ	Íè/<Ô¢8>§Ð†ó÷‰rŠeÀìåtѦ’¾Lñp	m…
U?ˆ+
+�½ŽîÏ>¿ÇrøKKíùƒrÍAfjxy‘	^W_ª^ø‘U
ŠäNGReÈ\®v/ÖVö†¶Rú׌hÉýy3˜Œßc¼b'óÑl«ð‘Ä�›k,¢°§ƒ.ˆkx„Kªý( 9×^ÅÈ
+…d«…œ#£}þÂÀÑÜÂG( ÑhQ/Um+‹|“·^±OI$ѸÙ0ãÆVèþ)ÆJ3ÍLJ_ñ·ÿÑLÖ÷¥Ÿn­Þo”vÒJáØêqmìíçâ%�Á­Ãcœ~ªzVÈ�‘søqÕg%ŽQÌ4³æ`£E�–/T�““?§púyÂå[uïлJ÷ödhºHÐÈÜlM�
+Ås?Òr&Fd¿Ä6ë&>N´.Š ¦¾1:¹
rP1ûØ——k¡f)ØdQmŸèÄI BÐä5Mþ¦1T¿`m[;­z!î_µ±=ñp)ä5^Išõ@ÑðÈ
š¢
žAò'tG<ÞÊÁæa¯š�m-mn(Ø
+‰�|¿"]ˆnŸ†GhS”C£ãžä.%^=‰Â	žš| È%ÿÅ%Ÿ/†5¥n�tntI-¿ÊÍÈ.-ÚŠ
+˜4ƒ¿à†tæ-ws(›¢ü	À.}!Ë•™ª^‘ 805D|~ØfÌWŸ½æ°›ã‰Å9ãqÀy[eN ù~TÒ€J…gD›¼à%HõŽN´W¤VêÜ©&QXS²;^Æ#~o ÄSÙÄòQ¯¹Omº¿k�Ê–»{.�
+àé%.@”ØÀÄZPÑ}ú¥ÄÝØÇ<†,2xˆá+„PÀ:І¢€XH‚9É2¯!I‰¥“–mõ놀)Ó
LvÒÀªÊŠ‘¤®­‰ŠI¾ž´ÀJ€-um~5SµÏ?�¼‘ÞËxXkDZÎS§ꊿʥ�'ÿâA“EÈz©Ltª=ø½¿ˆÀ¯’ëÊ›2{@?ï5ºûšõ¨N…&øºòȨŽ3HKãGš‹6hXle¡ïÿ–kMžÍMxßqhìàV…Ú¤ki1IƒË‹ë°ª¶ƒÊ9UFmwY¥YññW>èYM Ð7u
+Ç:ê
hפ�­ߛ֙C9߇¬o“‚/¶z>‡”8Õ"�¬pÔ"8f@xk©óí…f¸®��söšË‚ý(†'ï»Úƒ½pLjt:1[ɘú‚ËHâûŠK¥Q¹ÞAH)†3W.‡å¬ÉüÖÀU7¹þ"ݨ²_mz$(®$åÔ^ÕìÊÆŸ‡EÄÆvPºÄ¤7/'ìl\du#vتç¾½ììÄ“QP‹qH{Ä$5ƒlíÛóyïd? 2$yá9MLºG%[!/J™Í2an¶ÁœÞOz~ØŠ9@5ꎥ;V7Î
F��FsÕàd—ûãת?siÜ5$�$éD_j(¯Ü‡ËOÒðBO¿šq€îôN»#.Æ/8ZëùkVŒè‚¹ép›ÆjÕGpéÎØz
ÇöÛI9´HÓ®"!ÕJˆá«OY¢Úîµ5¤=.J×ø�2yØPK0úÍ�ÙÃPI¼ ÌIñ$GÈ^˜ÆºÌ‚cý%úE˜òï„cijñ¼•9‹ž9Ñ’l{ˆ‰$0¢w¯¡&jjia>’4�\¸	KDÃ{pÊŒ#?ÓAþ0›9°ñ-D>"ª:c?ܺÚ~†‡^e55¸l
+:kb¾ÉLQÒcèâåSŠ�Û€ …l±Ã{Y14¯ŸË#Y‘·IUHš6‰·'&:,q[ÞÀÑçºËÔg+ñA¼dÖ/LŒn”•ÿRÔ
+ˇ—Õøê�MCEýŒw·òÞPðÃ�]ï-¼5L-§Ô²%\ðd*]®K¬qtmpMó¹{Â6Dm1Ð[�2m¢ºûw*QÝd‹Q“÷\ÒBq¶˜™2<ôÜå`ve¹¿�*9GiÐÍ
+ .ÓÐ']ÒÀ^Od°â®D—üå„,?#ÞWÖ³bRªv×èSž¼˜Î§ÁØ$ôÊ`mñ
2D=ón“þ´ÁžD㔹=õk½IPïÅvƒJ<�¨±ÏÞtݘÍZ´G
U^�W0äõ¬’”¤¡ÌšÙ=JéSQŠT#’åOµŸ>]žAß÷åʇȆ³Z!“Œ®Íïå>÷Ô‹fÜ.å�¾Ó;ö§hgXUãÿ‚yXÛ%…6,˜Ä�™T¸«úÊ*1²ö°Ò”"‚ï3Y¶m"ˆ†s¸µÌ·
Rþ;ÕõµU§é±8fŠ•ì0A¾Ç¤‘oxZ¼ÒÀá¸+ÊNVk�ú÷#$ Ë£6\4ŠtóV·‘D^2'lRw‚fÈ2Ñ[£Ø߇`Ÿk5Ñs kÜË·g¤Ãs©	ÛÂÍÝ�ÍŸ¬B?1|k6*yf¡3ñÚP‘|Büu+ÁËNõ8XÄôÈä‘¡ù EUQÊFÿµð¥¸ËôiÔ2¼ð`Næ}ïT´?AËÒiÎâ ú[¼5�¿«-ŠCLÓÇUY$ÐÀéëh¤®WN�ÉJB-þ¾ÜaìÚvvÚT¤‡dŽò[µ>Æ–ø|sÔrèCd `¦Ÿü^†ÕÁÊãDÃ*ã%­ã»ò�ýÏŸ‚«ˆ›ó�ñÚ àfX¡6øvçŽÒ]©Â�—ñV¤M"BÝèù£=&w>8Kº�ä
*¯+–¡oèKᣵ4æx(
=¾$h%H
+£VâRÑ
+ï82Ö&)°"¶E;Ü´”ŤUYvƒÜìVZ9M*­µjQSJ­)‡Ÿï@LH§Ò5Èþ¥
+½~ÒoÍdW)�(Ö€çÜÀæP»€Zø¦ÂP³¢½OU®æ’mèß´¨§raäÓw@„�&7ìVÛÌyå\çøiÃH47�+ù׉L
+µQu-W€»×4~Q.£ÎÐ)ÅÈLHQ-Û(èÖü¥> ø|kúÜ„X`Ž�×¾®º]	#.ëwx+«;.ñml3ÁѪ۰çµs
+:Ê(׸B®Ó'=êû’ýeÅ9,†`óÙ‡{ß%€ª�
¢0<ý}õ¬YâÁ}‹
+ˆ¬BÙp:©Ñx”Mî§�?ó}¢Ø×4¹„“ùïüGßß�aWGÄð«à
+�«1,u6AS�£áx\|czíR¢€oÀbÐ�.P³¦‹Ý=Öö+<µU
ZäÍ&zÐÑÅReu–
+[5Öð�Æê_ka‘¢Þ÷£ø‘*q¥=¡R4Ð/@™jÂHµ0M’$Ùþz„
+˜É¦p8çˆC¡·š•òÏq0ÞSGD¼ÆS
âT2J¹Ôi­¸É½°½äA�	iÎáDµ9)î“>oâÚà�Ђ,®DOͺ؀¢À¨&¯¬±ßŸ“ãùí„í½OÄ[¢:&ßQC—Ýåy�˜1ŸÜ¨^Nò`ϯȌ)†¬!�îÍÓ¤~»,˜7Õ$á/°Ûº¤zé5"™4¾bø–ˆÛM]üè»o~E®5p‰ñðJÌs¨�{•mo�œäÜ%Ö¡A;›<Ñíô¦óñÜý¦�¦@=®Ð@ZR¸ôGv Ö}¬ÇàƒO³þ›§—ÙA´|:÷©‡ž™Ï	@pmðïÑçñ€RÀw<—a°Ý½7#øSBG�8-(v�>	Ûžq<]ù�ÞÚÖÁPdöÙò@JÞâõ•WÑ2|¥ —Ê„s’¨Ê‘i%
Ìî3² °6“NP&0ž>�>ÀI2åOø®¾Ój¬ŠÛ¯)ÒÀŠÜÚJ8¯Öß*fzU;.ÏZÜ$Úùd
+×D½í¤»a£ªâ*¶‰ÂÀÜÙš*û(Œõ¤qÁÃåäÌ°
[¨.xÔŒHhý� {§ú·–æýy�澡:ÔuÓçg¦�¨÷œ4k	ÜÀ�=ñï�El�D+Ž9Ó{û¤Î=£n„ÉÐE:x�ª»n½†í·ô
+é4NÈŠóv É.Õƒ_Þn$`¬ÓÖ)<ËEŠþê°õ�ç@‘q6I„òÝäŽO¦ù¬R²Ôg-£d–‚îAúô>l¿ 3)VÐñ,ÿ²8Änd2€ø»Ì@צÍ*€]ÉãhsÀž”nä¦(ºÎõ§ÕŸW‘ÉÒî#�ÐósD–&�ôؤžm<[ãXp.7ôâ(5%ö‘ì>B8‘�'ÇÏÉÄ-ŽM%f+ùo0à8}¤{+Ãþ/®ò ¡‹pp… ‚óìô½ÙW¬ÒCF8fÎÞßòä6ŽÓ‘æBVÎÒP,-{DÞBЪðß“úé,¢�îN`:¹ ¾ÔŒ/™t>¯‘¾ÀýÝ«9Ñ>á…‡]`5TæÑ’zûvyWX2FüºþbfO–f§>}al÷¨\ÔMê—´ìù¥ìâVPÇsp¥²oøâÇШ›x¨³N
�O_Ž»N=ð£��³§ND˜ÿ«ýzZ¯@(5Ic{Çv³cÛ¶mÛ¶mÛ¶�ƶm»Ñ™w8wóÍz€ÿ~eŸYçÞ*D+_—‚#ioÛçT¢{?ØÏ|Xž!ÃS)Ëb×ß[ñ_ˆ
+ï%,3”1•äœJñÙwG¯üûñšøoeüªyDhéNÁÁϹݎÓR
þ ~¯›GßB‚\ÌŽ™;؆r•R-ŸEGT±ùø°ãѶ÷�Žz ‡¤/z”Þ‰…3¿µf!KÜt[¢áqQ‰(¤Õþˆg§þ¬EÒudV;~_€dr‡çI;17a£ƒžq”„)b±¿²‡s(…0
+IfLt´&
+¸Õ‰]ª¼ÖÀ·ü´¨ˆúWÓž•N€ÓáÚ îËè ¥·I­Ñ—Øü:k
b-F”ÛÈØyŒÔLúcÙY>#S·ÿý�¢žæãþx5
+ŽsU	? ë{x[òq=4£øŠÉTñ�ñbEK'òmç±v�§9ˆçì‘È�$“CXcþ©\“±>ÊG˜m@>¥¼lX1
©ô¸dwO	�AþŠEÒÖ’±Sc¸I/cK+–5>¶V‘+"zg
+*»åMì•¡p_ÐV—+}¤ªÞ�TžY!�æĹ(K§i�"üÇ(*wOzŒF®¯’«X`Ž¡ÿ­Š�¢É
+™*r[¶Â—n³î+ˆm•€Î
êËÜun2qÄi"P6h£.ü·T”•OdÉ_ùüånµ~ ‡q#$i5’2Íçš�uÛOÖL[˱ÙE¶IkQñßå:¢_é²w«®º!É·Õ7ˬÞýóÌlÒλª>	^ØH•€
þfuĶgŽÍÆm4N}Ò
+žº²Ü�à9UwgÒBkÙãƒËÚž½Gr˜�u)Ôë
+èòÔAé›ðöÖ_ß5Xuïwo%~’KG`4÷B9MXÄ—›Ý*¬â=cÉwú¦¶­r±¼§˜½ïÙÌèÀXmgsÌ{ná>³.ëÀS±¾ü¾ºÈÙ”¦ŠQ®�Ÿ6È4ȤÍzÚ9Ú—¦Å÷K\
ìkCì«›!ê;àú¸èy¢Å
+	
+"¿‘©ÜŒ˜%�(–PL•„�àà�}çô—ìd¸A�4HVs_™c‚Ò„µÜÅ‘nÜŠ¡V�z*-‰To­”�â7*úï	#{y‚íl¤â:n\Æ�>‡áos.ø¨ŠsýE×õ©É¡Ã<äm¶E±¸@ˆ�x²îkrŸËÁ}G=1ôƒNl.&·´Mf‰2À4îۯ0ö€6Ñð
�G¥í¤B§R“Bt•¯º%õĪÜ~ç$`XÞ(ÿ¶ˆphíÒ[,	²�·wÄ.„ˆØeæÒ$HÃù”±åá<€;]vÛàr Öù›–ÞpuU“J¯Ð�œA£½<�ÚÓ¤ïõV1r¿Â¥“e8Õè7Þ)h(²¼Eð¥GðЖ„ñ˜WÒMæ	_Y£õ‡æÒËfcØŠ�¡ÌõCÒ0—£Û²u—§§äùp3¦~ùÌ[yÔ5!Áy˜Ý Ð-¹9¨ÉŠ%�Q-}/DšC¦—jn¦%>HLgùh:âî…¶Bldš½üuô݈°½‹IÖ#o½¿ùði9žìtå‰ò2¯̉ê³æÖ®Ê2VÂ^­.îÔ
+ëÿ8±²
+òo·�ĉè8²{ãqÍED§G×æë±ÆöåÜbùÜß°”\&Ü�‘ù­òÏ2qsÈÆ°Ûy¾�>bò´ÌOX(oÁYÓ‹Þ"4Ù†w�7«~Lé'ƒ]‰v }Oä8ÝMª)Ž�–X’�EÀ,3bQ*ÞWAš0 N5<_8%)FľJVßr”[‰=Wÿ:¯&,o/ÑQƒ�+"%N†êémü‡*VtŸ_-’È°”´sPàkX‹'ÙÊ‘FâbMüzyixû�ŸGG1SÝ(&¦F›Å8'Ç
+mÁR!/¤ïmYz'Úò”¦ÀÀh'¨1I	ÌѨ�õéI¹;b’@\Öq×Ü[¤µ*ý�ôF£½™ÃØ»ÚRqõ¶›0ý×nD%ŒãßÉ€¦]:bĨvÿŽ“U®ïqî{Ĥ
+Èù#†ð÷†(£ÃÐw¾áR¼­ñ¿ø;	h@À‘Ä8~©Lp©™¦¿RÒtª3ª5/0Ò¡S0±nÍ&9=Ó ÷-Áz;¢Ir�H©3©Òpdl²l[‹}B¿p“šÌN2ùòw
Д˜…¥Uh�pO· 
+FÖ—bowÖç'<{†Ëe/>w¤ìºO Óyf4,%[n‹¦ó<ÑȲ’Dø¯7XQ`õì¹;ðkgýÑt{D¯VC|n$è_
+5±)Ä;À†íkPAs~6wD¦l¹Y²˜'À&>)Ž:•„ΊÙtAÊ�˜xñI…Å©Ñ’"Vï�·´—Á}“Ôl—Üœ2Ê?«RÙª¦»�
Ñ2ø¡†LŠ¶Ð*¥ÕùÏ•Õz¢W¯íPO!Zñšâ:¡••3ìv{´3:9¨;8
~†»Gcã–XÇ*ؾƔrõFÉ×<ͤŸ”WSs¤ù€ûñúóRXÙlN|PLò4ŠÒñ£l8¯´Àøî[ë†4 Àñɽ.zšcF­{ý†ÄT¢¸ˆŽ¾�‘Ð
[™(�)ä ‡¦f¾ÆF£ðÝ
´Z"gº…´>Ôæ5âµlÏ
â,¥÷y”¦Ä“1Êe]#¾{Gš!ÓK±¾„OÍ÷¢ü¤ïï!Œ^{ßðÉ‘F'U0BBo÷LÉ7„ob�¨AÏqØ5ƒ£&ÜçîYd5K­ÜeíO%:Ó
6™zD�-߹̫\šM0
+¯'l­Õ_‡2›.vèKâÔ€fïø¯âˆÚ\ŸÙÊ
¡òËà.¶¸iAìU„‹Åss*’ñªÛ
+ó
Ë.ºÞJy'k<¬¾T¨u®rï
p¦±2Äé�yš˜¾Á0^øÓí ›Hv,¥wó!éùž1�ÄVûr#Âp_JI´¿4ŽÎ¸6ú˘ì{2{ã•
<[—)¾Íj°xÔo~y‘S¿mäó¼—¯ùh§NWp¡Q2¬ð‚‰>÷ËgCX ÀõVUé³½æ·ÝbM†Ðñù6 kh*†4¬†	·ÚTã’#­Ò<÷òwHÜ�2ÈAœS¼WR¬v"«¡™Ô1í2•¢¨¡;ŽÞuE@L
±Âà‘Œ”ª^4þÕŒl«áÇü̺-€¾¨“\Z™�Òçtä %p´§”î–©ÚËj�Kûr¦ä¦¥Æ¢[~ÕÇÆ
+eÁ½õiÐGÓ8¿ÙñCÊI´‚¥º]u¯˜Ôjù -JtáBÊk(W
I�)Í’ˆÇ ¨�kFîÈ�Ji…ÕFS„Éãâ…—¹l;£—¬(¯cgHÖ5§ýUj®¦›¤ÞNX*1a"˜…J[å?x¯5Mï@ 7‰íɳ't"
Mrmc
§Õnœ€rÍÖÔ<.ïo°öÝｦk¶åÎM¾×ÅŸ“p40¶Y¤ÉçŠÀ^s ëµ¬d>Rõ~YîZ_Ä둹v0§Gm‡‡N®3çï7G$*›½th•ëù�ý¹¡Òg)ˆ,&ƒM€¶ïÎ3«yÔ&o¹Ù›ïu–ž4«ô,öZÎOkÜ÷ªÔD%«†Déz¡v?ò‡/óÀ;�Š'?§îºËcšý‹Üè
+µ(à\èaª
+E‰7jŨi¥oòƒŒ:½úþ·cêSJo*>»u+Æ#@Ä«áb\[k!s&D “‹Ãd`È<HØò†T¦EÚdò:±CíkE
+j!H·îà3ÁE.
+ ø!{mž/ƒòZú+p%Œ«u–}Fcí¿èýˆ/ì…Ƶ1>§ÌM)ÔÐ	O�%Sýù8½î×Ç
+dˆü�r4îŠ$#œ™/à·Ñw$–+3¸]Ì„5¼T87Å]ý—‰Ø¥–…ZPŽü¢
X¥Ì[šÿ8™XpÉþCi€ó`KpmMƒ*­y¨À&ÕÇ*é\—l¹ïˆü°xr#L?)¨ù¹kvü¯â|V{þ–aÀB$ÇÉÎàj�`ñh›Îëæîõ­QUd�j5Ë$k>7¦|©™¬âÃöõÚ¾¤,ˆÇSÎbÎ=¯	6¢ŽIÛž‚2üúð?÷ò)CÎ|æ¡î0)uktùþîo#‘Æ�$÷s‡³Wgª~„ŸÙñôÀԥ;º�aâlèQÌãæƒhË›ƒÌð`
+Z®§Ñœ8Îeä¾ÏFþ±Ã,ô\5ˆI.èÑaM
4Ž´mÇÕ‹èqWM‘±•î·egcØøí
«\[þT
+¿Á…æËU¨—xÙLDÞsäÓš
+Iö×~pºóE¦f}^!˜tQ°Ù’‹ƒEäì>‰ n|'ÆV²5D9_äå‹7â̬FJvõ˜2È­ÛŒ’ý;Û£K¿>Z&ú‰Àš¤þØɉ,-¯,Yت–=–ÏÞáÆX8?�¸#…m èÓð¥žçßèðž–u¤<5åÑwÒ6¨´Í�Ô™­×#0±q“²Qý‰±ÀåÙëã=¥—;1Â&<
+| fÉg¬,=‘¥vp‘�·xMŒé‰_b¬5
+µœóû¿ µ§öÈ4¿À#è¸?§ß7LíXʳŒ”ñkÌ€Zî»vSLR‡û
4ƒ?&4=cwÓ™7mÿ­8 ‡L¡ž~šËmé0Rƒù]N9ÄO:;e0vÈ(©6‘÷ôŒ÷ÃæÓ=Ô
èÖ‡7œŠ?­)Í'á ž	àÇ38ƬpYBà³Â|ƾC¬D?ÖD‡§-QÊ(6ò˜¤>Œö)€*#£˜ò�DUdùªé³ÓvU
+[`÷QìÿY¨OÖØJæÒ2‹„a¤.‡yMÙB.½T›.¡
+¥í’bWW�ž^¿§M?¼ªßªéë;ëš<™áh ±Kñŵž¢¨ÚÆóV1îcÖOÏ"ž³x4tÅ:l�¼t@i×uÅ«»‡‹Á0“ö�ë]RϺM'Ü>Á™?#ÉABlž=fÌì…
ïé ÚiózõÔ¨¿!…+°2Ô’Ýzôµ¥Îb—B
+y‘üP'càÜ^M#R°·ñÃ4
{LJB«œ»×ën¾HïŸMc–9|þ*S5ïV®ñKãÁ“ü�vÚJ¦‰‡’à°áR‹ÁPKw©ä;ÉͳðåH-ºOÖ²ÉâØÉ*Wü—¼éýšö•p…+èó®a7AÔºº;˜âR·~4ÿÕ|S®‘mƒ®W•~	©Ãâ‡}DL×WF5J‰åéØ|¨i÷>#\2®˜
+šÒ30D”€`Ÿ†§¾ç�4}&1xÒ¤Ö¥	ÎdP•Ý‹$ȾCO‡Ù’jÛvëö?`C&W'aÔCJ•I'sŠFðìM˼k©¡¨»°+X	ŠcAÐÀ«á¥£ùr!<s%!ÈbˆÀNÑ*d3³Ê6�†Ø0´+3ïÍNYÀ8�îj•ÛP³7Þ¨VäÎc=$0€Ž9€òõ
«£…WCÒ¸1å
Ô²9L±ž±~óŸ–äWÚyüInÐäöÀ'¼I3
ú]`+ò7vÃÝ!�’ÔËö—k«Zœ–(&4¨j�„¸`é+àpôxÿÅë«SüWâ$åM7ƒ[IZÒýš®ê~‚VƒÍ:Ø\é«…Œ
€Øy_à£öý
+.ÈëÃ6‹û¯™ÅSßcŽ¾Q&É5	fd
+ön’“,6"”@K;\ÿŸÁüø¯
+endobj
+654 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1344 0 R
+/Encoding 1915 0 R
 /FirstChar 2
 /LastChar 151
-/Widths 1359 0 R
-/BaseFont /IZDQVO+URWPalladioL-Bold
-/FontDescriptor 595 0 R
+/Widths 1930 0 R
+/BaseFont /SCZMIW+URWPalladioL-Bold
+/FontDescriptor 652 0 R
 >> endobj
-595 0 obj <<
+652 0 obj <<
 /Ascent 708
 /CapHeight 672
 /Descent -266
-/FontName /IZDQVO+URWPalladioL-Bold
+/FontName /SCZMIW+URWPalladioL-Bold
 /ItalicAngle 0
 /StemV 123
 /XHeight 471
 /FontBBox [-152 -301 1000 935]
 /Flags 4
-/CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
-/FontFile 596 0 R
+/CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash)
+/FontFile 653 0 R
 >> endobj
-1359 0 obj
-[611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 0 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
+1930 0 obj
+[611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 778 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
 endobj
-601 0 obj <<
+655 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1360 0 R
-/Kids [590 0 R 603 0 R 610 0 R 629 0 R 646 0 R 657 0 R]
+/Parent 1931 0 R
+/Kids [646 0 R 673 0 R 683 0 R 738 0 R 802 0 R 862 0 R]
 >> endobj
-672 0 obj <<
+881 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1360 0 R
-/Kids [664 0 R 674 0 R 679 0 R 687 0 R 698 0 R 706 0 R]
+/Parent 1931 0 R
+/Kids [866 0 R 883 0 R 897 0 R 908 0 R 915 0 R 927 0 R]
 >> endobj
-717 0 obj <<
+939 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1360 0 R
-/Kids [713 0 R 720 0 R 727 0 R 739 0 R 748 0 R 753 0 R]
+/Parent 1931 0 R
+/Kids [932 0 R 941 0 R 952 0 R 960 0 R 967 0 R 973 0 R]
 >> endobj
-764 0 obj <<
+996 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1360 0 R
-/Kids [757 0 R 766 0 R 776 0 R 784 0 R 792 0 R 802 0 R]
+/Parent 1931 0 R
+/Kids [981 0 R 1003 0 R 1012 0 R 1017 0 R 1021 0 R 1028 0 R]
 >> endobj
-817 0 obj <<
+1044 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1360 0 R
-/Kids [811 0 R 819 0 R 823 0 R 833 0 R 839 0 R 847 0 R]
+/Parent 1931 0 R
+/Kids [1037 0 R 1047 0 R 1054 0 R 1059 0 R 1068 0 R 1075 0 R]
 >> endobj
-862 0 obj <<
+1087 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1360 0 R
-/Kids [854 0 R 864 0 R 878 0 R 885 0 R 889 0 R 895 0 R]
+/Parent 1931 0 R
+/Kids [1079 0 R 1090 0 R 1096 0 R 1104 0 R 1111 0 R 1120 0 R]
 >> endobj
-908 0 obj <<
+1139 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1361 0 R
-/Kids [901 0 R 910 0 R 917 0 R 921 0 R 926 0 R 932 0 R]
+/Parent 1932 0 R
+/Kids [1133 0 R 1141 0 R 1146 0 R 1152 0 R 1158 0 R 1166 0 R]
 >> endobj
-947 0 obj <<
+1176 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1361 0 R
-/Kids [938 0 R 950 0 R 954 0 R 964 0 R 971 0 R 979 0 R]
+/Parent 1932 0 R
+/Kids [1173 0 R 1178 0 R 1183 0 R 1189 0 R 1195 0 R 1200 0 R]
 >> endobj
-987 0 obj <<
+1213 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1361 0 R
-/Kids [983 0 R 989 0 R 997 0 R 1003 0 R 1010 0 R 1017 0 R]
+/Parent 1932 0 R
+/Kids [1210 0 R 1215 0 R 1220 0 R 1231 0 R 1237 0 R 1242 0 R]
 >> endobj
-1031 0 obj <<
+1250 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1361 0 R
-/Kids [1026 0 R 1033 0 R 1039 0 R 1048 0 R 1052 0 R 1056 0 R]
+/Parent 1932 0 R
+/Kids [1246 0 R 1252 0 R 1260 0 R 1266 0 R 1273 0 R 1281 0 R]
 >> endobj
-1067 0 obj <<
+1297 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1361 0 R
-/Kids [1064 0 R 1069 0 R 1081 0 R 1096 0 R 1109 0 R 1121 0 R]
+/Parent 1932 0 R
+/Kids [1288 0 R 1300 0 R 1304 0 R 1310 0 R 1315 0 R 1320 0 R]
 >> endobj
-1133 0 obj <<
+1332 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1361 0 R
-/Kids [1126 0 R 1135 0 R 1147 0 R 1160 0 R 1168 0 R 1172 0 R]
+/Parent 1932 0 R
+/Kids [1329 0 R 1334 0 R 1338 0 R 1342 0 R 1350 0 R 1362 0 R]
 >> endobj
-1183 0 obj <<
+1394 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1362 0 R
-/Kids [1176 0 R 1185 0 R 1195 0 R 1206 0 R 1210 0 R 1217 0 R]
+/Parent 1933 0 R
+/Kids [1373 0 R 1396 0 R 1402 0 R 1414 0 R 1420 0 R 1428 0 R]
 >> endobj
-1283 0 obj <<
+1448 0 obj <<
 /Type /Pages
-/Count 3
-/Parent 1362 0 R
-/Kids [1229 0 R 1285 0 R 1336 0 R]
+/Count 6
+/Parent 1933 0 R
+/Kids [1439 0 R 1450 0 R 1458 0 R 1462 0 R 1466 0 R 1472 0 R]
 >> endobj
-1360 0 obj <<
+1486 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 1933 0 R
+/Kids [1483 0 R 1488 0 R 1492 0 R 1503 0 R 1507 0 R 1514 0 R]
+>> endobj
+1592 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 1933 0 R
+/Kids [1537 0 R 1594 0 R 1652 0 R 1709 0 R 1729 0 R 1738 0 R]
+>> endobj
+1748 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 1933 0 R
+/Kids [1744 0 R 1750 0 R 1754 0 R 1759 0 R 1771 0 R 1775 0 R]
+>> endobj
+1791 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 1933 0 R
+/Kids [1787 0 R 1793 0 R 1804 0 R 1809 0 R 1814 0 R 1826 0 R]
+>> endobj
+1840 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 1934 0 R
+/Kids [1837 0 R 1842 0 R 1854 0 R 1858 0 R 1866 0 R 1876 0 R]
+>> endobj
+1891 0 obj <<
+/Type /Pages
+/Count 4
+/Parent 1934 0 R
+/Kids [1887 0 R 1893 0 R 1904 0 R 1910 0 R]
+>> endobj
+1931 0 obj <<
 /Type /Pages
 /Count 36
-/Parent 1363 0 R
-/Kids [601 0 R 672 0 R 717 0 R 764 0 R 817 0 R 862 0 R]
+/Parent 1935 0 R
+/Kids [655 0 R 881 0 R 939 0 R 996 0 R 1044 0 R 1087 0 R]
 >> endobj
-1361 0 obj <<
+1932 0 obj <<
 /Type /Pages
 /Count 36
-/Parent 1363 0 R
-/Kids [908 0 R 947 0 R 987 0 R 1031 0 R 1067 0 R 1133 0 R]
+/Parent 1935 0 R
+/Kids [1139 0 R 1176 0 R 1213 0 R 1250 0 R 1297 0 R 1332 0 R]
 >> endobj
-1362 0 obj <<
+1933 0 obj <<
 /Type /Pages
-/Count 9
-/Parent 1363 0 R
-/Kids [1183 0 R 1283 0 R]
+/Count 36
+/Parent 1935 0 R
+/Kids [1394 0 R 1448 0 R 1486 0 R 1592 0 R 1748 0 R 1791 0 R]
 >> endobj
-1363 0 obj <<
+1934 0 obj <<
 /Type /Pages
-/Count 81
-/Kids [1360 0 R 1361 0 R 1362 0 R]
+/Count 10
+/Parent 1935 0 R
+/Kids [1840 0 R 1891 0 R]
 >> endobj
-1364 0 obj <<
+1935 0 obj <<
+/Type /Pages
+/Count 118
+/Kids [1931 0 R 1932 0 R 1933 0 R 1934 0 R]
+>> endobj
+1936 0 obj <<
 /Type /Outlines
 /First 7 0 R
-/Last 555 0 R
-/Count 9
+/Last 603 0 R
+/Count 10
+>> endobj
+643 0 obj <<
+/Title 644 0 R
+/A 641 0 R
+/Parent 603 0 R
+/Prev 639 0 R
+>> endobj
+639 0 obj <<
+/Title 640 0 R
+/A 637 0 R
+/Parent 603 0 R
+/Prev 635 0 R
+/Next 643 0 R
+>> endobj
+635 0 obj <<
+/Title 636 0 R
+/A 633 0 R
+/Parent 603 0 R
+/Prev 631 0 R
+/Next 639 0 R
+>> endobj
+631 0 obj <<
+/Title 632 0 R
+/A 629 0 R
+/Parent 603 0 R
+/Prev 627 0 R
+/Next 635 0 R
+>> endobj
+627 0 obj <<
+/Title 628 0 R
+/A 625 0 R
+/Parent 603 0 R
+/Prev 623 0 R
+/Next 631 0 R
+>> endobj
+623 0 obj <<
+/Title 624 0 R
+/A 621 0 R
+/Parent 603 0 R
+/Prev 619 0 R
+/Next 627 0 R
+>> endobj
+619 0 obj <<
+/Title 620 0 R
+/A 617 0 R
+/Parent 603 0 R
+/Prev 615 0 R
+/Next 623 0 R
+>> endobj
+615 0 obj <<
+/Title 616 0 R
+/A 613 0 R
+/Parent 603 0 R
+/Prev 611 0 R
+/Next 619 0 R
+>> endobj
+611 0 obj <<
+/Title 612 0 R
+/A 609 0 R
+/Parent 603 0 R
+/Prev 607 0 R
+/Next 615 0 R
+>> endobj
+607 0 obj <<
+/Title 608 0 R
+/A 605 0 R
+/Parent 603 0 R
+/Next 611 0 R
+>> endobj
+603 0 obj <<
+/Title 604 0 R
+/A 601 0 R
+/Parent 1936 0 R
+/Prev 567 0 R
+/First 607 0 R
+/Last 643 0 R
+/Count -10
+>> endobj
+599 0 obj <<
+/Title 600 0 R
+/A 597 0 R
+/Parent 587 0 R
+/Prev 595 0 R
+>> endobj
+595 0 obj <<
+/Title 596 0 R
+/A 593 0 R
+/Parent 587 0 R
+/Prev 591 0 R
+/Next 599 0 R
+>> endobj
+591 0 obj <<
+/Title 592 0 R
+/A 589 0 R
+/Parent 587 0 R
+/Next 595 0 R
 >> endobj
 587 0 obj <<
 /Title 588 0 R
 /A 585 0 R
-/Parent 575 0 R
-/Prev 583 0 R
+/Parent 567 0 R
+/Prev 579 0 R
+/First 591 0 R
+/Last 599 0 R
+/Count -3
 >> endobj
 583 0 obj <<
 /Title 584 0 R
 /A 581 0 R
-/Parent 575 0 R
-/Prev 579 0 R
-/Next 587 0 R
+/Parent 579 0 R
 >> endobj
 579 0 obj <<
 /Title 580 0 R
 /A 577 0 R
-/Parent 575 0 R
-/Next 583 0 R
+/Parent 567 0 R
+/Prev 571 0 R
+/Next 587 0 R
+/First 583 0 R
+/Last 583 0 R
+/Count -1
 >> endobj
 575 0 obj <<
 /Title 576 0 R
 /A 573 0 R
-/Parent 555 0 R
-/Prev 567 0 R
-/First 579 0 R
-/Last 587 0 R
-/Count -3
+/Parent 571 0 R
 >> endobj
 571 0 obj <<
 /Title 572 0 R
 /A 569 0 R
 /Parent 567 0 R
+/Next 579 0 R
+/First 575 0 R
+/Last 575 0 R
+/Count -1
 >> endobj
 567 0 obj <<
 /Title 568 0 R
 /A 565 0 R
-/Parent 555 0 R
-/Prev 559 0 R
-/Next 575 0 R
+/Parent 1936 0 R
+/Prev 547 0 R
+/Next 603 0 R
 /First 571 0 R
-/Last 571 0 R
-/Count -1
+/Last 587 0 R
+/Count -3
 >> endobj
 563 0 obj <<
 /Title 564 0 R
 /A 561 0 R
-/Parent 559 0 R
+/Parent 547 0 R
+/Prev 559 0 R
 >> endobj
 559 0 obj <<
 /Title 560 0 R
 /A 557 0 R
-/Parent 555 0 R
-/Next 567 0 R
-/First 563 0 R
-/Last 563 0 R
-/Count -1
+/Parent 547 0 R
+/Prev 551 0 R
+/Next 563 0 R
 >> endobj
 555 0 obj <<
 /Title 556 0 R
 /A 553 0 R
-/Parent 1364 0 R
-/Prev 535 0 R
-/First 559 0 R
-/Last 575 0 R
-/Count -3
+/Parent 551 0 R
 >> endobj
 551 0 obj <<
 /Title 552 0 R
 /A 549 0 R
-/Parent 535 0 R
-/Prev 547 0 R
+/Parent 547 0 R
+/Next 559 0 R
+/First 555 0 R
+/Last 555 0 R
+/Count -1
 >> endobj
 547 0 obj <<
 /Title 548 0 R
 /A 545 0 R
-/Parent 535 0 R
-/Prev 539 0 R
-/Next 551 0 R
+/Parent 1936 0 R
+/Prev 523 0 R
+/Next 567 0 R
+/First 551 0 R
+/Last 563 0 R
+/Count -3
 >> endobj
 543 0 obj <<
 /Title 544 0 R
 /A 541 0 R
-/Parent 539 0 R
+/Parent 523 0 R
+/Prev 531 0 R
 >> endobj
 539 0 obj <<
 /Title 540 0 R
 /A 537 0 R
-/Parent 535 0 R
-/Next 547 0 R
-/First 543 0 R
-/Last 543 0 R
-/Count -1
+/Parent 531 0 R
+/Prev 535 0 R
 >> endobj
 535 0 obj <<
 /Title 536 0 R
 /A 533 0 R
-/Parent 1364 0 R
-/Prev 511 0 R
-/Next 555 0 R
-/First 539 0 R
-/Last 551 0 R
-/Count -3
+/Parent 531 0 R
+/Next 539 0 R
 >> endobj
 531 0 obj <<
 /Title 532 0 R
 /A 529 0 R
-/Parent 511 0 R
-/Prev 519 0 R
+/Parent 523 0 R
+/Prev 527 0 R
+/Next 543 0 R
+/First 535 0 R
+/Last 539 0 R
+/Count -2
 >> endobj
 527 0 obj <<
 /Title 528 0 R
 /A 525 0 R
-/Parent 519 0 R
-/Prev 523 0 R
+/Parent 523 0 R
+/Next 531 0 R
 >> endobj
 523 0 obj <<
 /Title 524 0 R
 /A 521 0 R
-/Parent 519 0 R
-/Next 527 0 R
+/Parent 1936 0 R
+/Prev 239 0 R
+/Next 547 0 R
+/First 527 0 R
+/Last 543 0 R
+/Count -3
 >> endobj
 519 0 obj <<
 /Title 520 0 R
 /A 517 0 R
-/Parent 511 0 R
+/Parent 471 0 R
 /Prev 515 0 R
-/Next 531 0 R
-/First 523 0 R
-/Last 527 0 R
-/Count -2
 >> endobj
 515 0 obj <<
 /Title 516 0 R
 /A 513 0 R
-/Parent 511 0 R
+/Parent 471 0 R
+/Prev 499 0 R
 /Next 519 0 R
 >> endobj
 511 0 obj <<
 /Title 512 0 R
 /A 509 0 R
-/Parent 1364 0 R
-/Prev 239 0 R
-/Next 535 0 R
-/First 515 0 R
-/Last 531 0 R
-/Count -3
+/Parent 499 0 R
+/Prev 507 0 R
 >> endobj
 507 0 obj <<
 /Title 508 0 R
 /A 505 0 R
-/Parent 463 0 R
-/Prev 491 0 R
+/Parent 499 0 R
+/Prev 503 0 R
+/Next 511 0 R
 >> endobj
 503 0 obj <<
 /Title 504 0 R
 /A 501 0 R
-/Parent 491 0 R
-/Prev 499 0 R
+/Parent 499 0 R
+/Next 507 0 R
 >> endobj
 499 0 obj <<
 /Title 500 0 R
 /A 497 0 R
-/Parent 491 0 R
+/Parent 471 0 R
 /Prev 495 0 R
-/Next 503 0 R
+/Next 515 0 R
+/First 503 0 R
+/Last 511 0 R
+/Count -3
 >> endobj
 495 0 obj <<
 /Title 496 0 R
 /A 493 0 R
-/Parent 491 0 R
+/Parent 471 0 R
+/Prev 491 0 R
 /Next 499 0 R
 >> endobj
 491 0 obj <<
 /Title 492 0 R
 /A 489 0 R
-/Parent 463 0 R
+/Parent 471 0 R
 /Prev 487 0 R
-/Next 507 0 R
-/First 495 0 R
-/Last 503 0 R
-/Count -3
+/Next 495 0 R
 >> endobj
 487 0 obj <<
 /Title 488 0 R
 /A 485 0 R
-/Parent 463 0 R
-/Prev 483 0 R
+/Parent 471 0 R
+/Prev 475 0 R
 /Next 491 0 R
 >> endobj
 483 0 obj <<
 /Title 484 0 R
 /A 481 0 R
-/Parent 463 0 R
+/Parent 475 0 R
 /Prev 479 0 R
-/Next 487 0 R
 >> endobj
 479 0 obj <<
 /Title 480 0 R
 /A 477 0 R
-/Parent 463 0 R
-/Prev 467 0 R
+/Parent 475 0 R
 /Next 483 0 R
 >> endobj
 475 0 obj <<
 /Title 476 0 R
 /A 473 0 R
-/Parent 467 0 R
-/Prev 471 0 R
+/Parent 471 0 R
+/Next 487 0 R
+/First 479 0 R
+/Last 483 0 R
+/Count -2
 >> endobj
 471 0 obj <<
 /Title 472 0 R
 /A 469 0 R
-/Parent 467 0 R
-/Next 475 0 R
+/Parent 239 0 R
+/Prev 271 0 R
+/First 475 0 R
+/Last 519 0 R
+/Count -7
 >> endobj
 467 0 obj <<
 /Title 468 0 R
 /A 465 0 R
-/Parent 463 0 R
-/Next 479 0 R
-/First 471 0 R
-/Last 475 0 R
-/Count -2
+/Parent 451 0 R
+/Prev 463 0 R
 >> endobj
 463 0 obj <<
 /Title 464 0 R
 /A 461 0 R
-/Parent 239 0 R
-/Prev 271 0 R
-/First 467 0 R
-/Last 507 0 R
-/Count -6
+/Parent 451 0 R
+/Prev 459 0 R
+/Next 467 0 R
 >> endobj
 459 0 obj <<
 /Title 460 0 R
 /A 457 0 R
-/Parent 443 0 R
+/Parent 451 0 R
 /Prev 455 0 R
+/Next 463 0 R
 >> endobj
 455 0 obj <<
 /Title 456 0 R
 /A 453 0 R
-/Parent 443 0 R
-/Prev 451 0 R
+/Parent 451 0 R
 /Next 459 0 R
 >> endobj
 451 0 obj <<
 /Title 452 0 R
 /A 449 0 R
-/Parent 443 0 R
+/Parent 271 0 R
 /Prev 447 0 R
-/Next 455 0 R
+/First 455 0 R
+/Last 467 0 R
+/Count -4
 >> endobj
 447 0 obj <<
 /Title 448 0 R
 /A 445 0 R
-/Parent 443 0 R
+/Parent 271 0 R
+/Prev 443 0 R
 /Next 451 0 R
 >> endobj
 443 0 obj <<
@@ -6829,9 +10026,7 @@ endobj
 /A 441 0 R
 /Parent 271 0 R
 /Prev 439 0 R
-/First 447 0 R
-/Last 459 0 R
-/Count -4
+/Next 447 0 R
 >> endobj
 439 0 obj <<
 /Title 440 0 R
@@ -6865,21 +10060,20 @@ endobj
 /Title 424 0 R
 /A 421 0 R
 /Parent 271 0 R
-/Prev 419 0 R
+/Prev 343 0 R
 /Next 427 0 R
 >> endobj
 419 0 obj <<
 /Title 420 0 R
 /A 417 0 R
-/Parent 271 0 R
+/Parent 343 0 R
 /Prev 415 0 R
-/Next 423 0 R
 >> endobj
 415 0 obj <<
 /Title 416 0 R
 /A 413 0 R
-/Parent 271 0 R
-/Prev 343 0 R
+/Parent 343 0 R
+/Prev 411 0 R
 /Next 419 0 R
 >> endobj
 411 0 obj <<
@@ -6887,6 +10081,7 @@ endobj
 /A 409 0 R
 /Parent 343 0 R
 /Prev 407 0 R
+/Next 415 0 R
 >> endobj
 407 0 obj <<
 /Title 408 0 R
@@ -7004,10 +10199,10 @@ endobj
 /A 341 0 R
 /Parent 271 0 R
 /Prev 339 0 R
-/Next 415 0 R
+/Next 423 0 R
 /First 347 0 R
-/Last 411 0 R
-/Count -17
+/Last 419 0 R
+/Count -19
 >> endobj
 339 0 obj <<
 /Title 340 0 R
@@ -7133,9 +10328,9 @@ endobj
 /A 269 0 R
 /Parent 239 0 R
 /Prev 243 0 R
-/Next 463 0 R
+/Next 471 0 R
 /First 275 0 R
-/Last 443 0 R
+/Last 451 0 R
 /Count -24
 >> endobj
 267 0 obj <<
@@ -7192,11 +10387,11 @@ endobj
 239 0 obj <<
 /Title 240 0 R
 /A 237 0 R
-/Parent 1364 0 R
+/Parent 1936 0 R
 /Prev 227 0 R
-/Next 511 0 R
+/Next 523 0 R
 /First 243 0 R
-/Last 463 0 R
+/Last 471 0 R
 /Count -3
 >> endobj
 235 0 obj <<
@@ -7214,7 +10409,7 @@ endobj
 227 0 obj <<
 /Title 228 0 R
 /A 225 0 R
-/Parent 1364 0 R
+/Parent 1936 0 R
 /Prev 131 0 R
 /Next 239 0 R
 /First 231 0 R
@@ -7388,7 +10583,7 @@ endobj
 131 0 obj <<
 /Title 132 0 R
 /A 129 0 R
-/Parent 1364 0 R
+/Parent 1936 0 R
 /Prev 91 0 R
 /Next 227 0 R
 /First 135 0 R
@@ -7462,7 +10657,7 @@ endobj
 91 0 obj <<
 /Title 92 0 R
 /A 89 0 R
-/Parent 1364 0 R
+/Parent 1936 0 R
 /Prev 67 0 R
 /Next 131 0 R
 /First 95 0 R
@@ -7505,7 +10700,7 @@ endobj
 67 0 obj <<
 /Title 68 0 R
 /A 65 0 R
-/Parent 1364 0 R
+/Parent 1936 0 R
 /Prev 7 0 R
 /Next 91 0 R
 /First 71 0 R
@@ -7614,1414 +10809,1986 @@ endobj
 7 0 obj <<
 /Title 8 0 R
 /A 5 0 R
-/Parent 1364 0 R
+/Parent 1936 0 R
 /Next 67 0 R
 /First 11 0 R
 /Last 23 0 R
 /Count -4
 >> endobj
-1365 0 obj <<
-/Names [(Access_Control_Lists) 1180 0 R (Bv9ARM.ch01) 613 0 R (Bv9ARM.ch02) 667 0 R (Bv9ARM.ch03) 682 0 R (Bv9ARM.ch04) 730 0 R (Bv9ARM.ch05) 814 0 R (Bv9ARM.ch06) 826 0 R (Bv9ARM.ch07) 1179 0 R (Bv9ARM.ch08) 1198 0 R (Bv9ARM.ch09) 1213 0 R (Configuration_File_Grammar) 850 0 R (DNSSEC) 782 0 R (Doc-Start) 594 0 R (Setting_TTLs) 1143 0 R (access_control) 960 0 R (acl) 858 0 R (address_match_lists) 831 0 R (admin_tools) 704 0 R (appendix.A) 554 0 R (bibliography) 1225 0 R (boolean_options) 736 0 R (builtin) 1022 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 226 0 R (chapter.6) 238 0 R (chapter.7) 510 0 R (chapter.8) 534 0 R (cite.RFC1034) 1241 0 R (cite.RFC1035) 1243 0 R (cite.RFC1101) 1299 0 R (cite.RFC1123) 1301 0 R (cite.RFC1183) 1278 0 R (cite.RFC1464) 1319 0 R (cite.RFC1535) 1270 0 R (cite.RFC1536) 1272 0 R (cite.RFC1537) 1309 0 R (cite.RFC1591) 1303 0 R (cite.RFC1706) 1280 0 R (cite.RFC1712) 1333 0 R (cite.RFC1713) 1321 0 R (cite.RFC1794) 1323 0 R (cite.RFC1876) 1282 0 R (cite.RFC1886) 1262 0 R (cite.RFC1912) 1311 0 R (cite.RFC1982) 1274 0 R (cite.RFC1995) 1248 0 R (cite.RFC1996) 1250 0 R (cite.RFC2010) 1313 0 R (cite.RFC2052) 1289 0 R (cite.RFC2065) 1264 0 R (cite.RFC2136) 1252 0 R (cite.RFC2137) 1266 0 R (cite.RFC2163) 1291 0 R (cite.RFC2168) 1293 0 R (cite.RFC2181) 1254 0 R (cite.RFC2219) 1315 0 R (cite.RFC2230) 1295 0 R (cite.RFC2240) 1325 0 R (cite.RFC2308) 1256 0 R (cite.RFC2317) 1305 0 R (cite.RFC2345) 1327 0 R (cite.RFC2352) 1329 0 R (cite.RFC2845) 1258 0 R (cite.RFC974) 1245 0 R (cite.id2492168) 1342 0 R (configuration_file_elements) 827 0 R (controls_statement_definition_and_usage) 718 0 R (diagnostic_tools) 655 0 R (dynamic_update) 734 0 R (dynamic_update_policies) 774 0 R (dynamic_update_security) 969 0 R (historical_dns_information) 1220 0 R (id2465089) 615 0 R (id2465144) 614 0 R (id2466440) 619 0 R (id2466449) 620 0 R (id2467046) 684 0 R (id2467062) 685 0 R (id2467084) 690 0 R (id2467101) 691 0 R (id2467443) 635 0 R (id2467586) 637 0 R (id2467606) 638 0 R (id2467728) 994 0 R (id2467914) 639 0 R (id2467998) 642 0 R (id2468073) 649 0 R (id2468096) 652 0 R (id2468117) 653 0 R (id2468136) 654 0 R (id2468165) 660 0 R (id2468333) 661 0 R (id2468359) 662 0 R (id2468459) 668 0 R (id2468484) 669 0 R (id2468494) 670 0 R (id2468508) 671 0 R (id2468517) 677 0 R (id2469143) 694 0 R (id2469148) 695 0 R (id2470313) 723 0 R (id2470325) 724 0 R (id2470669) 745 0 R (id2471232) 761 0 R (id2471248) 762 0 R (id2471282) 763 0 R (id2471298) 769 0 R (id2471306) 770 0 R (id2471414) 771 0 R (id2471466) 772 0 R (id2471510) 779 0 R (id2471524) 780 0 R (id2471573) 781 0 R (id2471776) 787 0 R (id2471843) 788 0 R (id2471986) 789 0 R (id2472123) 805 0 R (id2472250) 807 0 R (id2472270) 808 0 R (id2472371) 815 0 R (id2472509) 828 0 R (id2473074) 836 0 R (id2473100) 837 0 R (id2473262) 842 0 R (id2473277) 843 0 R (id2473306) 844 0 R (id2473520) 851 0 R (id2473816) 857 0 R (id2473858) 859 0 R (id2474053) 861 0 R (id2474330) 869 0 R (id2474345) 870 0 R (id2474368) 871 0 R (id2474389) 872 0 R (id2474460) 881 0 R (id2474586) 882 0 R (id2474707) 883 0 R (id2475401) 898 0 R (id2475861) 904 0 R (id2476002) 905 0 R (id2476133) 913 0 R (id2476177) 914 0 R (id2476192) 915 0 R (id2477760) 935 0 R (id2478765) 957 0 R (id2478816) 959 0 R (id2479131) 968 0 R (id2479288) 974 0 R (id2479898) 986 0 R (id2479914) 992 0 R (id2482177) 1000 0 R (id2482583) 1014 0 R (id2483049) 1029 0 R (id2483880) 1043 0 R (id2483928) 1044 0 R (id2484078) 1046 0 R (id2485225) 1059 0 R (id2485232) 1060 0 R (id2485236) 1061 0 R (id2485538) 1072 0 R (id2485569) 1073 0 R (id2486536) 1106 0 R (id2486695) 1112 0 R (id2486713) 1113 0 R (id2486734) 1116 0 R (id2486874) 1118 0 R (id2487525) 1124 0 R (id2487634) 1130 0 R (id2487792) 1131 0 R (id2488012) 1138 0 R (id2488128) 1140 0 R (id2488146) 1141 0 R (id2488519) 1144 0 R (id2488625) 1150 0 R (id2488638) 1151 0 R (id2488798) 1153 0 R (id2488818) 1154 0 R (id2488873) 1158 0 R (id2488936) 1163 0 R (id2488967) 1164 0 R (id2489028) 1165 0 R (id2489356) 1191 0 R (id2489500) 1192 0 R (id2489694) 1193 0 R (id2489765) 1199 0 R (id2489770) 1200 0 R (id2489782) 1201 0 R (id2489799) 1202 0 R (id2489929) 1214 0 R (id2489934) 1215 0 R (id2490057) 1221 0 R (id2490369) 1223 0 R (id2490713) 1237 0 R (id2490715) 1239 0 R (id2490724) 1244 0 R (id2490747) 1240 0 R (id2490771) 1242 0 R (id2490808) 1253 0 R (id2490834) 1255 0 R (id2490859) 1247 0 R (id2490884) 1249 0 R (id2490907) 1251 0 R (id2490963) 1257 0 R (id2491024) 1260 0 R (id2491038) 1261 0 R (id2491077) 1263 0 R (id2491116) 1265 0 R (id2491144) 1268 0 R (id2491153) 1269 0 R (id2491178) 1271 0 R (id2491245) 1273 0 R (id2491282) 1276 0 R (id2491287) 1277 0 R (id2491345) 1279 0 R (id2491382) 1292 0 R (id2491417) 1281 0 R (id2491472) 1288 0 R (id2491511) 1290 0 R (id2491538) 1294 0 R (id2491564) 1297 0 R (id2491572) 1298 0 R (id2491597) 1300 0 R (id2491621) 1302 0 R (id2491642) 1304 0 R (id2491689) 1307 0 R (id2491697) 1308 0 R (id2491722) 1310 0 R (id2491749) 1312 0 R (id2491785) 1314 0 R (id2491825) 1317 0 R (id2491845) 1318 0 R (id2491867) 1320 0 R (id2491960) 1322 0 R (id2491985) 1324 0 R (id2492007) 1326 0 R (id2492053) 1328 0 R (id2492077) 1331 0 R (id2492084) 1332 0 R (id2492156) 1339 0 R (id2492166) 1341 0 R (id2492168) 1343 0 R (incremental_zone_transfers) 742 0 R (internet_drafts) 1334 0 R (ipv6addresses) 809 0 R (journal) 735 0 R (lwresd) 816 0 R (notify) 731 0 R (options) 924 0 R (page.1) 593 0 R (page.10) 689 0 R (page.11) 700 0 R (page.12) 708 0 R (page.13) 715 0 R (page.14) 722 0 R (page.15) 729 0 R (page.16) 741 0 R (page.17) 750 0 R (page.18) 755 0 R (page.19) 759 0 R (page.2) 605 0 R (page.20) 768 0 R (page.21) 778 0 R (page.22) 786 0 R (page.23) 794 0 R (page.24) 804 0 R (page.25) 813 0 R (page.26) 821 0 R (page.27) 825 0 R (page.28) 835 0 R (page.29) 841 0 R (page.3) 612 0 R (page.30) 849 0 R (page.31) 856 0 R (page.32) 866 0 R (page.33) 880 0 R (page.34) 887 0 R (page.35) 891 0 R (page.36) 897 0 R (page.37) 903 0 R (page.38) 912 0 R (page.39) 919 0 R (page.4) 631 0 R (page.40) 923 0 R (page.41) 928 0 R (page.42) 934 0 R (page.43) 940 0 R (page.44) 952 0 R (page.45) 956 0 R (page.46) 966 0 R (page.47) 973 0 R (page.48) 981 0 R (page.49) 985 0 R (page.5) 648 0 R (page.50) 991 0 R (page.51) 999 0 R (page.52) 1005 0 R (page.53) 1012 0 R (page.54) 1019 0 R (page.55) 1028 0 R (page.56) 1035 0 R (page.57) 1041 0 R (page.58) 1050 0 R (page.59) 1054 0 R (page.6) 659 0 R (page.60) 1058 0 R (page.61) 1066 0 R (page.62) 1071 0 R (page.63) 1083 0 R (page.64) 1098 0 R (page.65) 1111 0 R (page.66) 1123 0 R (page.67) 1128 0 R (page.68) 1137 0 R (page.69) 1149 0 R (page.7) 666 0 R (page.70) 1162 0 R (page.71) 1170 0 R (page.72) 1174 0 R (page.73) 1178 0 R (page.74) 1187 0 R (page.75) 1197 0 R (page.76) 1208 0 R (page.77) 1212 0 R (page.78) 1219 0 R (page.79) 1232 0 R (page.8) 676 0 R (page.80) 1287 0 R (page.81) 1338 0 R (page.9) 681 0 R (proposed_standards) 746 0 R (rfcs) 644 0 R (rndc) 876 0 R (rrset_ordering) 696 0 R (sample_configuration) 683 0 R (section*.1) 1236 0 R (section*.10) 1330 0 R (section*.11) 1340 0 R (section*.2) 1238 0 R (section*.3) 1246 0 R (section*.4) 1259 0 R (section*.5) 1267 0 R (section*.6) 1275 0 R (section*.7) 1296 0 R (section*.8) 1306 0 R (section*.9) 1316 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 154 0 R (section.4.6) 190 0 R (section.4.7) 194 0 R (section.4.8) 198 0 R (section.4.9) 214 0 R (section.5.1) 230 0 R (section.5.2) 234 0 R (section.6.1) 242 0 R (section.6.2) 270 0 R (section.6.3) 462 0 R (section.7.1) 514 0 R (section.7.2) 518 0 R (section.7.3) 530 0 R (section.8.1) 538 0 R (section.8.2) 546 0 R (section.8.3) 550 0 R (section.A.1) 558 0 R (section.A.2) 566 0 R (section.A.3) 574 0 R (server_statement_definition_and_usage) 948 0 R (server_statement_grammar) 1036 0 R (statsfile) 930 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.5.1) 158 0 R (subsection.4.5.2) 170 0 R (subsection.4.5.3) 174 0 R (subsection.4.5.4) 178 0 R (subsection.4.5.5) 182 0 R (subsection.4.5.6) 186 0 R (subsection.4.8.1) 202 0 R (subsection.4.8.2) 206 0 R (subsection.4.8.3) 210 0 R (subsection.4.9.1) 218 0 R (subsection.4.9.2) 222 0 R (subsection.6.1.1) 246 0 R (subsection.6.1.2) 258 0 R (subsection.6.2.1) 274 0 R (subsection.6.2.10) 310 0 R (subsection.6.2.11) 322 0 R (subsection.6.2.12) 326 0 R (subsection.6.2.13) 330 0 R (subsection.6.2.14) 334 0 R (subsection.6.2.15) 338 0 R (subsection.6.2.16) 342 0 R (subsection.6.2.17) 414 0 R (subsection.6.2.18) 418 0 R (subsection.6.2.19) 422 0 R (subsection.6.2.2) 278 0 R (subsection.6.2.20) 426 0 R (subsection.6.2.21) 430 0 R (subsection.6.2.22) 434 0 R (subsection.6.2.23) 438 0 R (subsection.6.2.24) 442 0 R (subsection.6.2.3) 282 0 R (subsection.6.2.4) 286 0 R (subsection.6.2.5) 290 0 R (subsection.6.2.6) 294 0 R (subsection.6.2.7) 298 0 R (subsection.6.2.8) 302 0 R (subsection.6.2.9) 306 0 R (subsection.6.3.1) 466 0 R (subsection.6.3.2) 478 0 R (subsection.6.3.3) 482 0 R (subsection.6.3.4) 486 0 R (subsection.6.3.5) 490 0 R (subsection.6.3.6) 506 0 R (subsection.7.2.1) 522 0 R (subsection.7.2.2) 526 0 R (subsection.8.1.1) 542 0 R (subsection.A.1.1) 562 0 R (subsection.A.2.1) 570 0 R (subsection.A.3.1) 578 0 R (subsection.A.3.2) 582 0 R (subsection.A.3.3) 586 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 162 0 R (subsubsection.4.5.1.2) 166 0 R (subsubsection.6.1.1.1) 250 0 R (subsubsection.6.1.1.2) 254 0 R (subsubsection.6.1.2.1) 262 0 R (subsubsection.6.1.2.2) 266 0 R (subsubsection.6.2.10.1) 314 0 R (subsubsection.6.2.10.2) 318 0 R (subsubsection.6.2.16.1) 346 0 R (subsubsection.6.2.16.10) 382 0 R (subsubsection.6.2.16.11) 386 0 R (subsubsection.6.2.16.12) 390 0 R (subsubsection.6.2.16.13) 394 0 R (subsubsection.6.2.16.14) 398 0 R (subsubsection.6.2.16.15) 402 0 R (subsubsection.6.2.16.16) 406 0 R (subsubsection.6.2.16.17) 410 0 R (subsubsection.6.2.16.2) 350 0 R (subsubsection.6.2.16.3) 354 0 R (subsubsection.6.2.16.4) 358 0 R (subsubsection.6.2.16.5) 362 0 R (subsubsection.6.2.16.6) 366 0 R (subsubsection.6.2.16.7) 370 0 R (subsubsection.6.2.16.8) 374 0 R (subsubsection.6.2.16.9) 378 0 R (subsubsection.6.2.24.1) 446 0 R (subsubsection.6.2.24.2) 450 0 R (subsubsection.6.2.24.3) 454 0 R (subsubsection.6.2.24.4) 458 0 R (subsubsection.6.3.1.1) 470 0 R (subsubsection.6.3.1.2) 474 0 R (subsubsection.6.3.5.1) 494 0 R (subsubsection.6.3.5.2) 498 0 R (subsubsection.6.3.5.3) 502 0 R (table.1.1) 621 0 R (table.1.2) 636 0 R (table.3.1) 692 0 R (table.3.2) 725 0 R (table.6.1) 829 0 R (table.6.10) 1117 0 R (table.6.11) 1119 0 R (table.6.12) 1129 0 R (table.6.13) 1132 0 R (table.6.14) 1139 0 R (table.6.15) 1142 0 R (table.6.16) 1145 0 R (table.6.17) 1152 0 R (table.6.18) 1166 0 R (table.6.2) 852 0 R (table.6.3) 860 0 R (table.6.4) 899 0 R (table.6.5) 936 0 R (table.6.6) 1015 0 R (table.6.7) 1030 0 R (table.6.8) 1062 0 R (table.6.9) 1107 0 R (table.A.1) 1222 0 R (table.A.2) 1224 0 R (the_category_phrase) 893 0 R (the_sortlist_statement) 1006 0 R (topology) 1001 0 R (tsig) 760 0 R (tuning) 1020 0 R (types_of_resource_records_and_when_to_use_them) 643 0 R (view_statement_grammar) 1024 0 R (zone_statement_grammar) 962 0 R (zone_transfers) 737 0 R]
-/Limits [(Access_Control_Lists) (zone_transfers)]
+1937 0 obj <<
+/Names [(Access_Control_Lists) 1470 0 R (Bv9ARM.ch01) 869 0 R (Bv9ARM.ch02) 918 0 R (Bv9ARM.ch03) 935 0 R (Bv9ARM.ch04) 984 0 R (Bv9ARM.ch05) 1071 0 R (Bv9ARM.ch06) 1082 0 R (Bv9ARM.ch07) 1469 0 R (Bv9ARM.ch08) 1495 0 R (Bv9ARM.ch09) 1510 0 R (Bv9ARM.ch10) 1732 0 R (Configuration_File_Grammar) 1107 0 R (DNSSEC) 1050 0 R (Doc-Start) 651 0 R (Setting_TTLs) 1435 0 R (acache) 925 0 R (access_control) 1225 0 R (acl) 1115 0 R (address_match_lists) 1088 0 R (admin_tools) 958 0 R (appendix.A) 566 0 R (appendix.B) 602 0 R (bibliography) 1518 0 R (boolean_options) 1000 0 R (builtin) 1294 0 R (chapter*.1) 686 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 226 0 R (chapter.6) 238 0 R (chapter.7) 522 0 R (chapter.8) 546 0 R (cite.RFC1033) 1642 0 R (cite.RFC1034) 1526 0 R (cite.RFC1035) 1528 0 R (cite.RFC1101) 1628 0 R (cite.RFC1123) 1630 0 R (cite.RFC1183) 1585 0 R (cite.RFC1464) 1668 0 R (cite.RFC1535) 1575 0 R (cite.RFC1536) 1577 0 R (cite.RFC1537) 1644 0 R (cite.RFC1591) 1632 0 R (cite.RFC1706) 1587 0 R (cite.RFC1712) 1689 0 R (cite.RFC1713) 1670 0 R (cite.RFC1794) 1672 0 R (cite.RFC1876) 1589 0 R (cite.RFC1912) 1646 0 R (cite.RFC1982) 1579 0 R (cite.RFC1995) 1533 0 R (cite.RFC1996) 1535 0 R (cite.RFC2010) 1648 0 R (cite.RFC2052) 1591 0 R (cite.RFC2065) 1697 0 R (cite.RFC2136) 1541 0 R (cite.RFC2137) 1699 0 R (cite.RFC2163) 1598 0 R (cite.RFC2168) 1600 0 R (cite.RFC2181) 1543 0 R (cite.RFC2219) 1650 0 R (cite.RFC2230) 1602 0 R (cite.RFC2240) 1674 0 R (cite.RFC2308) 1545 0 R (cite.RFC2317) 1634 0 R (cite.RFC2345) 1676 0 R (cite.RFC2352) 1678 0 R (cite.RFC2535) 1701 0 R (cite.RFC2536) 1604 0 R (cite.RFC2537) 1606 0 R (cite.RFC2538) 1608 0 R (cite.RFC2539) 1610 0 R (cite.RFC2540) 1612 0 R (cite.RFC2671) 1547 0 R (cite.RFC2672) 1549 0 R (cite.RFC2673) 1691 0 R (cite.RFC2782) 1614 0 R (cite.RFC2825) 1658 0 R (cite.RFC2826) 1636 0 R (cite.RFC2845) 1551 0 R (cite.RFC2874) 1693 0 R (cite.RFC2915) 1616 0 R (cite.RFC2929) 1638 0 R (cite.RFC2930) 1553 0 R (cite.RFC2931) 1555 0 R (cite.RFC3007) 1557 0 R (cite.RFC3008) 1703 0 R (cite.RFC3071) 1681 0 R (cite.RFC3090) 1705 0 R (cite.RFC3110) 1618 0 R (cite.RFC3123) 1620 0 R (cite.RFC3225) 1563 0 R (cite.RFC3258) 1683 0 R (cite.RFC3445) 1707 0 R (cite.RFC3490) 1660 0 R (cite.RFC3491) 1662 0 R (cite.RFC3492) 1664 0 R (cite.RFC3596) 1622 0 R (cite.RFC3597) 1624 0 R (cite.RFC3645) 1559 0 R (cite.RFC3655) 1713 0 R (cite.RFC3658) 1715 0 R (cite.RFC3755) 1717 0 R (cite.RFC3757) 1719 0 R (cite.RFC3833) 1565 0 R (cite.RFC3845) 1721 0 R (cite.RFC3901) 1685 0 R (cite.RFC4033) 1567 0 R (cite.RFC4035) 1569 0 R (cite.RFC4044) 1571 0 R (cite.RFC4074) 1581 0 R (cite.RFC974) 1530 0 R (cite.id2499275) 1726 0 R (configuration_file_elements) 1083 0 R (controls_statement_definition_and_usage) 971 0 R (diagnostic_tools) 906 0 R (dynamic_update) 994 0 R (dynamic_update_policies) 1045 0 R (dynamic_update_security) 1229 0 R (empty) 1296 0 R (historical_dns_information) 1512 0 R (id2465026) 870 0 R (id2467301) 871 0 R (id2467572) 875 0 R (id2467581) 876 0 R (id2467713) 886 0 R (id2467890) 888 0 R (id2467911) 889 0 R (id2467945) 890 0 R (id2468029) 893 0 R (id2470291) 900 0 R (id2470314) 903 0 R (id2470344) 904 0 R (id2470434) 905 0 R (id2470464) 911 0 R (id2470499) 912 0 R (id2470594) 913 0 R (id2470628) 919 0 R (id2470654) 920 0 R (id2470667) 921 0 R (id2470693) 924 0 R (id2470704) 930 0 R (id2470872) 937 0 R (id2470888) 938 0 R (id2470910) 944 0 R (id2470997) 945 0 R (id2471334) 948 0 R (id2471339) 949 0 R (id2472978) 976 0 R (id2472989) 977 0 R (id2473299) 1009 0 R (id2473818) 1025 0 R (id2473835) 1026 0 R (id2473874) 1031 0 R (id2473892) 1032 0 R (id2473902) 1033 0 R (id2474010) 1034 0 R (id2474068) 1035 0 R (id2474113) 1041 0 R (id2474195) 1042 0 R (id2474244) 1043 0 R (id2474449) 1051 0 R (id2474518) 1052 0 R (id2474597) 1057 0 R (id2474808) 1062 0 R (id2474870) 1064 0 R (id2474960) 1065 0 R (id2474993) 1072 0 R (id2475208) 1084 0 R (id2476001) 1093 0 R (id2476028) 1094 0 R (id2476203) 1099 0 R (id2476218) 1100 0 R (id2476248) 1101 0 R (id2476331) 1108 0 R (id2476747) 1114 0 R (id2476858) 1116 0 R (id2477005) 1118 0 R (id2477366) 1125 0 R (id2477381) 1126 0 R (id2477404) 1127 0 R (id2477426) 1128 0 R (id2477585) 1137 0 R (id2477779) 1138 0 R (id2477831) 1144 0 R (id2478456) 1155 0 R (id2479266) 1161 0 R (id2479339) 1162 0 R (id2479403) 1169 0 R (id2479447) 1170 0 R (id2479462) 1171 0 R (id2481444) 1192 0 R (id2483414) 1218 0 R (id2483541) 1224 0 R (id2483880) 1235 0 R (id2484037) 1240 0 R (id2484784) 1249 0 R (id2484798) 1255 0 R (id2484982) 1257 0 R (id2485184) 1263 0 R (id2485614) 1277 0 R (id2486968) 1307 0 R (id2487888) 1324 0 R (id2488005) 1325 0 R (id2488085) 1327 0 R (id2489456) 1345 0 R (id2489463) 1346 0 R (id2489468) 1347 0 R (id2489950) 1353 0 R (id2489984) 1354 0 R (id2491390) 1399 0 R (id2491648) 1405 0 R (id2491666) 1406 0 R (id2491686) 1409 0 R (id2491923) 1411 0 R (id2492952) 1417 0 R (id2493148) 1423 0 R (id2493238) 1424 0 R (id2493532) 1426 0 R (id2493669) 1432 0 R (id2493691) 1433 0 R (id2494232) 1436 0 R (id2494357) 1442 0 R (id2494372) 1443 0 R (id2494484) 1445 0 R (id2494506) 1446 0 R (id2494567) 1447 0 R (id2494705) 1453 0 R (id2494741) 1454 0 R (id2494803) 1455 0 R (id2495349) 1479 0 R (id2495562) 1480 0 R (id2495622) 1481 0 R (id2495770) 1496 0 R (id2495776) 1497 0 R (id2495787) 1498 0 R (id2495804) 1499 0 R (id2495866) 1511 0 R (id2495960) 1517 0 R (id2496148) 1522 0 R (id2496150) 1524 0 R (id2496158) 1529 0 R (id2496182) 1525 0 R (id2496205) 1527 0 R (id2496242) 1542 0 R (id2496268) 1544 0 R (id2496294) 1532 0 R (id2496318) 1534 0 R (id2496342) 1540 0 R (id2496397) 1546 0 R (id2496424) 1548 0 R (id2496451) 1550 0 R (id2496513) 1552 0 R (id2496542) 1554 0 R (id2496572) 1556 0 R (id2496599) 1558 0 R (id2496674) 1561 0 R (id2496681) 1562 0 R (id2496708) 1564 0 R (id2496744) 1566 0 R (id2496809) 1570 0 R (id2496874) 1568 0 R (id2497008) 1573 0 R (id2497016) 1574 0 R (id2497042) 1576 0 R (id2497110) 1578 0 R (id2497145) 1580 0 R (id2497186) 1583 0 R (id2497191) 1584 0 R (id2497317) 1586 0 R (id2497354) 1599 0 R (id2497389) 1588 0 R (id2497444) 1590 0 R (id2497482) 1597 0 R (id2497508) 1601 0 R (id2497533) 1603 0 R (id2497560) 1605 0 R (id2497587) 1607 0 R (id2497626) 1609 0 R (id2497656) 1611 0 R (id2497686) 1613 0 R (id2497729) 1615 0 R (id2497762) 1617 0 R (id2497788) 1619 0 R (id2497812) 1621 0 R (id2497869) 1623 0 R (id2497894) 1626 0 R (id2497901) 1627 0 R (id2497927) 1629 0 R (id2497949) 1631 0 R (id2497973) 1633 0 R (id2498019) 1635 0 R (id2498042) 1637 0 R (id2498092) 1640 0 R (id2498100) 1641 0 R (id2498123) 1643 0 R (id2498150) 1645 0 R (id2498177) 1647 0 R (id2498213) 1649 0 R (id2498253) 1656 0 R (id2498259) 1657 0 R (id2498291) 1659 0 R (id2498337) 1661 0 R (id2498372) 1663 0 R (id2498398) 1666 0 R (id2498417) 1667 0 R (id2498507) 1669 0 R (id2498533) 1671 0 R (id2498558) 1673 0 R (id2498582) 1675 0 R (id2498628) 1677 0 R (id2498651) 1680 0 R (id2498678) 1682 0 R (id2498704) 1684 0 R (id2498740) 1679 0 R (id2498764) 1687 0 R (id2498771) 1688 0 R (id2498828) 1690 0 R (id2498855) 1692 0 R (id2498891) 1695 0 R (id2498903) 1696 0 R (id2498942) 1698 0 R (id2498969) 1700 0 R (id2498999) 1702 0 R (id2499025) 1704 0 R (id2499051) 1706 0 R (id2499088) 1712 0 R (id2499124) 1714 0 R (id2499150) 1716 0 R (id2499177) 1718 0 R (id2499222) 1720 0 R (id2499264) 1723 0 R (id2499273) 1725 0 R (id2499275) 1727 0 R (incremental_zone_transfers) 1006 0 R (internet_drafts) 1722 0 R (ipv6addresses) 1066 0 R (journal) 995 0 R (lwresd) 1073 0 R (man.dig) 1733 0 R (man.dnssec-keygen) 1781 0 R (man.dnssec-signzone) 1799 0 R (man.host) 1766 0 R (man.named) 1848 0 R (man.named-checkconf) 1819 0 R (man.named-checkzone) 1831 0 R (man.rndc) 1870 0 R (man.rndc-confgen) 1899 0 R (man.rndc.conf) 1882 0 R (notify) 985 0 R (options) 1181 0 R (page.1) 650 0 R (page.10) 910 0 R (page.100) 1761 0 R (page.101) 1773 0 R (page.102) 1777 0 R (page.103) 1789 0 R (page.104) 1795 0 R (page.105) 1806 0 R (page.106) 1811 0 R (page.107) 1816 0 R (page.108) 1828 0 R (page.109) 1839 0 R (page.11) 917 0 R (page.110) 1844 0 R (page.111) 1856 0 R (page.112) 1860 0 R (page.113) 1868 0 R (page.114) 1878 0 R (page.115) 1889 0 R (page.116) 1895 0 R (page.117) 1906 0 R (page.118) 1912 0 R (page.12) 929 0 R (page.13) 934 0 R (page.14) 943 0 R (page.15) 954 0 R (page.16) 962 0 R (page.17) 969 0 R (page.18) 975 0 R (page.19) 983 0 R (page.2) 675 0 R (page.20) 1005 0 R (page.21) 1014 0 R (page.22) 1019 0 R (page.23) 1023 0 R (page.24) 1030 0 R (page.25) 1039 0 R (page.26) 1049 0 R (page.27) 1056 0 R (page.28) 1061 0 R (page.29) 1070 0 R (page.3) 685 0 R (page.30) 1077 0 R (page.31) 1081 0 R (page.32) 1092 0 R (page.33) 1098 0 R (page.34) 1106 0 R (page.35) 1113 0 R (page.36) 1122 0 R (page.37) 1135 0 R (page.38) 1143 0 R (page.39) 1148 0 R (page.4) 740 0 R (page.40) 1154 0 R (page.41) 1160 0 R (page.42) 1168 0 R (page.43) 1175 0 R (page.44) 1180 0 R (page.45) 1185 0 R (page.46) 1191 0 R (page.47) 1197 0 R (page.48) 1202 0 R (page.49) 1212 0 R (page.5) 804 0 R (page.50) 1217 0 R (page.51) 1222 0 R (page.52) 1233 0 R (page.53) 1239 0 R (page.54) 1244 0 R (page.55) 1248 0 R (page.56) 1254 0 R (page.57) 1262 0 R (page.58) 1268 0 R (page.59) 1275 0 R (page.6) 864 0 R (page.60) 1283 0 R (page.61) 1290 0 R (page.62) 1302 0 R (page.63) 1306 0 R (page.64) 1312 0 R (page.65) 1317 0 R (page.66) 1322 0 R (page.67) 1331 0 R (page.68) 1336 0 R (page.69) 1340 0 R (page.7) 868 0 R (page.70) 1344 0 R (page.71) 1352 0 R (page.72) 1364 0 R (page.73) 1375 0 R (page.74) 1398 0 R (page.75) 1404 0 R (page.76) 1416 0 R (page.77) 1422 0 R (page.78) 1430 0 R (page.79) 1441 0 R (page.8) 885 0 R (page.80) 1452 0 R (page.81) 1460 0 R (page.82) 1464 0 R (page.83) 1468 0 R (page.84) 1474 0 R (page.85) 1485 0 R (page.86) 1490 0 R (page.87) 1494 0 R (page.88) 1505 0 R (page.89) 1509 0 R (page.9) 899 0 R (page.90) 1516 0 R (page.91) 1539 0 R (page.92) 1596 0 R (page.93) 1654 0 R (page.94) 1711 0 R (page.95) 1731 0 R (page.96) 1740 0 R (page.97) 1746 0 R (page.98) 1752 0 R (page.99) 1756 0 R (proposed_standards) 1010 0 R (rfcs) 895 0 R (rndc) 1131 0 R (rrset_ordering) 950 0 R (sample_configuration) 936 0 R (section*.10) 1655 0 R (section*.11) 1665 0 R (section*.12) 1686 0 R (section*.13) 1694 0 R (section*.14) 1724 0 R (section*.15) 1734 0 R (section*.16) 1735 0 R (section*.17) 1736 0 R (section*.18) 1741 0 R (section*.19) 1742 0 R (section*.2) 1521 0 R (section*.20) 1747 0 R (section*.21) 1757 0 R (section*.22) 1762 0 R (section*.23) 1763 0 R (section*.24) 1764 0 R (section*.25) 1765 0 R (section*.26) 1767 0 R (section*.27) 1768 0 R (section*.28) 1769 0 R (section*.29) 1778 0 R (section*.3) 1523 0 R (section*.30) 1779 0 R (section*.31) 1780 0 R (section*.32) 1782 0 R (section*.33) 1783 0 R (section*.34) 1784 0 R (section*.35) 1785 0 R (section*.36) 1790 0 R (section*.37) 1796 0 R (section*.38) 1797 0 R (section*.39) 1798 0 R (section*.4) 1531 0 R (section*.40) 1800 0 R (section*.41) 1801 0 R (section*.42) 1802 0 R (section*.43) 1807 0 R (section*.44) 1812 0 R (section*.45) 1817 0 R (section*.46) 1818 0 R (section*.47) 1820 0 R (section*.48) 1821 0 R (section*.49) 1822 0 R (section*.5) 1560 0 R (section*.50) 1823 0 R (section*.51) 1824 0 R (section*.52) 1829 0 R (section*.53) 1830 0 R (section*.54) 1832 0 R (section*.55) 1833 0 R (section*.56) 1834 0 R (section*.57) 1835 0 R (section*.58) 1845 0 R (section*.59) 1846 0 R (section*.6) 1572 0 R (section*.60) 1847 0 R (section*.61) 1849 0 R (section*.62) 1850 0 R (section*.63) 1851 0 R (section*.64) 1852 0 R (section*.65) 1861 0 R (section*.66) 1862 0 R (section*.67) 1863 0 R (section*.68) 1864 0 R (section*.69) 1869 0 R (section*.7) 1582 0 R (section*.70) 1871 0 R (section*.71) 1872 0 R (section*.72) 1873 0 R (section*.73) 1874 0 R (section*.74) 1879 0 R (section*.75) 1880 0 R (section*.76) 1881 0 R (section*.77) 1883 0 R (section*.78) 1884 0 R (section*.79) 1885 0 R (section*.8) 1625 0 R (section*.80) 1890 0 R (section*.81) 1896 0 R (section*.82) 1897 0 R (section*.83) 1898 0 R (section*.84) 1900 0 R (section*.85) 1901 0 R (section*.86) 1902 0 R (section*.87) 1907 0 R (section*.88) 1908 0 R (section*.89) 1913 0 R (section*.9) 1639 0 R (section*.90) 1914 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 154 0 R (section.4.6) 190 0 R (section.4.7) 194 0 R (section.4.8) 198 0 R (section.4.9) 214 0 R (section.5.1) 230 0 R (section.5.2) 234 0 R (section.6.1) 242 0 R (section.6.2) 270 0 R (section.6.3) 470 0 R (section.7.1) 526 0 R (section.7.2) 530 0 R (section.7.3) 542 0 R (section.8.1) 550 0 R (section.8.2) 558 0 R (section.8.3) 562 0 R (section.A.1) 570 0 R (section.A.2) 578 0 R (section.A.3) 586 0 R (section.B.1) 606 0 R (section.B.10) 642 0 R (section.B.2) 610 0 R (section.B.3) 614 0 R (section.B.4) 618 0 R (section.B.5) 622 0 R (section.B.6) 626 0 R (section.B.7) 630 0 R (section.B.8) 634 0 R (section.B.9) 638 0 R (server_statement_definition_and_usage) 1208 0 R (server_statement_grammar) 1313 0 R (statsfile) 1187 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.5.1) 158 0 R (subsection.4.5.2) 170 0 R (subsection.4.5.3) 174 0 R (subsection.4.5.4) 178 0 R (subsection.4.5.5) 182 0 R (subsection.4.5.6) 186 0 R (subsection.4.8.1) 202 0 R (subsection.4.8.2) 206 0 R (subsection.4.8.3) 210 0 R (subsection.4.9.1) 218 0 R (subsection.4.9.2) 222 0 R (subsection.6.1.1) 246 0 R (subsection.6.1.2) 258 0 R (subsection.6.2.1) 274 0 R (subsection.6.2.10) 310 0 R (subsection.6.2.11) 322 0 R (subsection.6.2.12) 326 0 R (subsection.6.2.13) 330 0 R (subsection.6.2.14) 334 0 R (subsection.6.2.15) 338 0 R (subsection.6.2.16) 342 0 R (subsection.6.2.17) 422 0 R (subsection.6.2.18) 426 0 R (subsection.6.2.19) 430 0 R (subsection.6.2.2) 278 0 R (subsection.6.2.20) 434 0 R (subsection.6.2.21) 438 0 R (subsection.6.2.22) 442 0 R (subsection.6.2.23) 446 0 R (subsection.6.2.24) 450 0 R (subsection.6.2.3) 282 0 R (subsection.6.2.4) 286 0 R (subsection.6.2.5) 290 0 R (subsection.6.2.6) 294 0 R (subsection.6.2.7) 298 0 R (subsection.6.2.8) 302 0 R (subsection.6.2.9) 306 0 R (subsection.6.3.1) 474 0 R (subsection.6.3.2) 486 0 R (subsection.6.3.3) 490 0 R (subsection.6.3.4) 494 0 R (subsection.6.3.5) 498 0 R (subsection.6.3.6) 514 0 R (subsection.6.3.7) 518 0 R (subsection.7.2.1) 534 0 R (subsection.7.2.2) 538 0 R (subsection.8.1.1) 554 0 R (subsection.A.1.1) 574 0 R (subsection.A.2.1) 582 0 R (subsection.A.3.1) 590 0 R (subsection.A.3.2) 594 0 R (subsection.A.3.3) 598 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 162 0 R (subsubsection.4.5.1.2) 166 0 R (subsubsection.6.1.1.1) 250 0 R (subsubsection.6.1.1.2) 254 0 R (subsubsection.6.1.2.1) 262 0 R (subsubsection.6.1.2.2) 266 0 R (subsubsection.6.2.10.1) 314 0 R (subsubsection.6.2.10.2) 318 0 R (subsubsection.6.2.16.1) 346 0 R (subsubsection.6.2.16.10) 382 0 R (subsubsection.6.2.16.11) 386 0 R (subsubsection.6.2.16.12) 390 0 R (subsubsection.6.2.16.13) 394 0 R (subsubsection.6.2.16.14) 398 0 R (subsubsection.6.2.16.15) 402 0 R (subsubsection.6.2.16.16) 406 0 R (subsubsection.6.2.16.17) 410 0 R (subsubsection.6.2.16.18) 414 0 R (subsubsection.6.2.16.19) 418 0 R (subsubsection.6.2.16.2) 350 0 R (subsubsection.6.2.16.3) 354 0 R (subsubsection.6.2.16.4) 358 0 R (subsubsection.6.2.16.5) 362 0 R (subsubsection.6.2.16.6) 366 0 R (subsubsection.6.2.16.7) 370 0 R (subsubsection.6.2.16.8) 374 0 R (subsubsection.6.2.16.9) 378 0 R (subsubsection.6.2.24.1) 454 0 R (subsubsection.6.2.24.2) 458 0 R (subsubsection.6.2.24.3) 462 0 R (subsubsection.6.2.24.4) 466 0 R (subsubsection.6.3.1.1) 478 0 R (subsubsection.6.3.1.2) 482 0 R (subsubsection.6.3.5.1) 502 0 R (subsubsection.6.3.5.2) 506 0 R (subsubsection.6.3.5.3) 510 0 R (table.1.1) 877 0 R (table.1.2) 887 0 R (table.3.1) 946 0 R (table.3.2) 978 0 R (table.6.1) 1085 0 R (table.6.10) 1410 0 R (table.6.11) 1412 0 R (table.6.12) 1418 0 R (table.6.13) 1425 0 R (table.6.14) 1431 0 R (table.6.15) 1434 0 R (table.6.16) 1437 0 R (table.6.17) 1444 0 R (table.6.18) 1456 0 R (table.6.2) 1109 0 R (table.6.3) 1117 0 R (table.6.4) 1156 0 R (table.6.5) 1193 0 R (table.6.6) 1278 0 R (table.6.7) 1308 0 R (table.6.8) 1348 0 R (table.6.9) 1400 0 R (the_category_phrase) 1150 0 R (the_sortlist_statement) 1269 0 R (topology) 1264 0 R (tsig) 1024 0 R (tuning) 1279 0 R (types_of_resource_records_and_when_to_use_them) 894 0 R (view_statement_grammar) 1298 0 R (zone_statement_grammar) 1228 0 R (zone_transfers) 1001 0 R (zonefile_format) 1286 0 R]
+/Limits [(Access_Control_Lists) (zonefile_format)]
 >> endobj
-1366 0 obj <<
-/Kids [1365 0 R]
+1938 0 obj <<
+/Kids [1937 0 R]
 >> endobj
-1367 0 obj <<
-/Dests 1366 0 R
+1939 0 obj <<
+/Dests 1938 0 R
 >> endobj
-1368 0 obj <<
+1940 0 obj <<
 /Type /Catalog
-/Pages 1363 0 R
-/Outlines 1364 0 R
-/Names 1367 0 R
+/Pages 1935 0 R
+/Outlines 1936 0 R
+/Names 1939 0 R
 /PageMode /UseOutlines 
-/OpenAction 589 0 R
+/OpenAction 645 0 R
 >> endobj
-1369 0 obj <<
+1941 0 obj <<
 /Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords()
-/CreationDate (D:20061128121044+11'00')
+/CreationDate (D:20070215121800+11'00')
 /PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4)
 >> endobj
 xref
-0 1370
+0 1942
 0000000001 65535 f 
 0000000002 00000 f 
 0000000003 00000 f 
 0000000004 00000 f 
 0000000000 00000 f 
 0000000009 00000 n 
-0000018863 00000 n 
-0000490048 00000 n 
+0000066574 00000 n 
+0000661205 00000 n 
 0000000054 00000 n 
 0000000086 00000 n 
-0000018987 00000 n 
-0000489976 00000 n 
+0000066698 00000 n 
+0000661133 00000 n 
 0000000133 00000 n 
 0000000173 00000 n 
-0000019112 00000 n 
-0000489890 00000 n 
+0000066823 00000 n 
+0000661047 00000 n 
 0000000221 00000 n 
 0000000273 00000 n 
-0000019237 00000 n 
-0000489804 00000 n 
+0000066948 00000 n 
+0000660961 00000 n 
 0000000321 00000 n 
 0000000377 00000 n 
-0000023672 00000 n 
-0000489694 00000 n 
+0000071356 00000 n 
+0000660851 00000 n 
 0000000425 00000 n 
 0000000478 00000 n 
-0000023796 00000 n 
-0000489620 00000 n 
+0000071480 00000 n 
+0000660777 00000 n 
 0000000531 00000 n 
 0000000572 00000 n 
-0000023921 00000 n 
-0000489533 00000 n 
+0000071605 00000 n 
+0000660690 00000 n 
 0000000625 00000 n 
 0000000674 00000 n 
-0000024046 00000 n 
-0000489446 00000 n 
+0000071730 00000 n 
+0000660603 00000 n 
 0000000727 00000 n 
 0000000757 00000 n 
-0000028194 00000 n 
-0000489322 00000 n 
+0000076025 00000 n 
+0000660479 00000 n 
 0000000810 00000 n 
 0000000861 00000 n 
-0000028319 00000 n 
-0000489248 00000 n 
+0000076150 00000 n 
+0000660405 00000 n 
 0000000919 00000 n 
 0000000964 00000 n 
-0000028444 00000 n 
-0000489161 00000 n 
+0000076275 00000 n 
+0000660318 00000 n 
 0000001022 00000 n 
 0000001062 00000 n 
-0000028569 00000 n 
-0000489087 00000 n 
+0000076400 00000 n 
+0000660244 00000 n 
 0000001120 00000 n 
 0000001162 00000 n 
-0000031482 00000 n 
-0000488963 00000 n 
+0000079196 00000 n 
+0000660120 00000 n 
 0000001215 00000 n 
 0000001260 00000 n 
-0000031607 00000 n 
-0000488902 00000 n 
+0000079321 00000 n 
+0000660059 00000 n 
 0000001318 00000 n 
 0000001355 00000 n 
-0000031732 00000 n 
-0000488828 00000 n 
+0000079446 00000 n 
+0000659985 00000 n 
 0000001408 00000 n 
 0000001463 00000 n 
-0000034120 00000 n 
-0000488703 00000 n 
+0000082373 00000 n 
+0000659860 00000 n 
 0000001509 00000 n 
 0000001556 00000 n 
-0000034245 00000 n 
-0000488629 00000 n 
+0000082498 00000 n 
+0000659786 00000 n 
 0000001604 00000 n 
 0000001648 00000 n 
-0000034370 00000 n 
-0000488542 00000 n 
+0000082623 00000 n 
+0000659699 00000 n 
 0000001696 00000 n 
 0000001735 00000 n 
-0000034493 00000 n 
-0000488455 00000 n 
+0000082748 00000 n 
+0000659612 00000 n 
 0000001783 00000 n 
 0000001825 00000 n 
-0000034617 00000 n 
-0000488368 00000 n 
+0000082872 00000 n 
+0000659525 00000 n 
 0000001873 00000 n 
 0000001936 00000 n 
-0000035653 00000 n 
-0000488294 00000 n 
+0000083958 00000 n 
+0000659451 00000 n 
 0000001984 00000 n 
 0000002034 00000 n 
-0000037331 00000 n 
-0000488166 00000 n 
+0000085668 00000 n 
+0000659323 00000 n 
 0000002080 00000 n 
 0000002126 00000 n 
-0000037455 00000 n 
-0000488053 00000 n 
+0000085792 00000 n 
+0000659210 00000 n 
 0000002174 00000 n 
 0000002218 00000 n 
-0000037580 00000 n 
-0000487977 00000 n 
+0000085917 00000 n 
+0000659134 00000 n 
 0000002271 00000 n 
 0000002323 00000 n 
-0000037705 00000 n 
-0000487900 00000 n 
+0000086042 00000 n 
+0000659057 00000 n 
 0000002377 00000 n 
 0000002436 00000 n 
-0000040321 00000 n 
-0000487809 00000 n 
+0000088553 00000 n 
+0000658966 00000 n 
 0000002485 00000 n 
 0000002523 00000 n 
-0000040572 00000 n 
-0000487692 00000 n 
+0000088805 00000 n 
+0000658849 00000 n 
 0000002572 00000 n 
 0000002618 00000 n 
-0000040698 00000 n 
-0000487574 00000 n 
+0000088931 00000 n 
+0000658731 00000 n 
 0000002672 00000 n 
 0000002739 00000 n 
-0000043877 00000 n 
-0000487495 00000 n 
+0000092111 00000 n 
+0000658652 00000 n 
 0000002798 00000 n 
 0000002842 00000 n 
-0000044003 00000 n 
-0000487416 00000 n 
+0000092237 00000 n 
+0000658573 00000 n 
 0000002901 00000 n 
 0000002949 00000 n 
-0000053920 00000 n 
-0000487337 00000 n 
+0000102534 00000 n 
+0000658494 00000 n 
 0000003003 00000 n 
 0000003036 00000 n 
-0000057191 00000 n 
-0000487205 00000 n 
+0000107458 00000 n 
+0000658362 00000 n 
 0000003083 00000 n 
 0000003126 00000 n 
-0000057317 00000 n 
-0000487126 00000 n 
+0000107584 00000 n 
+0000658283 00000 n 
 0000003175 00000 n 
 0000003205 00000 n 
-0000057443 00000 n 
-0000486994 00000 n 
+0000107710 00000 n 
+0000658151 00000 n 
 0000003254 00000 n 
 0000003292 00000 n 
-0000057568 00000 n 
-0000486929 00000 n 
+0000107836 00000 n 
+0000658086 00000 n 
 0000003346 00000 n 
 0000003388 00000 n 
-0000062008 00000 n 
-0000486836 00000 n 
+0000112115 00000 n 
+0000657993 00000 n 
 0000003437 00000 n 
 0000003496 00000 n 
-0000062134 00000 n 
-0000486743 00000 n 
+0000112244 00000 n 
+0000657900 00000 n 
 0000003545 00000 n 
 0000003578 00000 n 
-0000068838 00000 n 
-0000486611 00000 n 
+0000119613 00000 n 
+0000657768 00000 n 
 0000003627 00000 n 
 0000003655 00000 n 
-0000068964 00000 n 
-0000486493 00000 n 
+0000119740 00000 n 
+0000657650 00000 n 
 0000003709 00000 n 
 0000003778 00000 n 
-0000069090 00000 n 
-0000486414 00000 n 
+0000119869 00000 n 
+0000657571 00000 n 
 0000003837 00000 n 
 0000003885 00000 n 
-0000069216 00000 n 
-0000486335 00000 n 
+0000122743 00000 n 
+0000657492 00000 n 
 0000003944 00000 n 
 0000003989 00000 n 
-0000072218 00000 n 
-0000486242 00000 n 
+0000122872 00000 n 
+0000657399 00000 n 
 0000004043 00000 n 
 0000004111 00000 n 
-0000072344 00000 n 
-0000486149 00000 n 
+0000123001 00000 n 
+0000657306 00000 n 
 0000004165 00000 n 
 0000004235 00000 n 
-0000072470 00000 n 
-0000486056 00000 n 
+0000123130 00000 n 
+0000657213 00000 n 
 0000004289 00000 n 
 0000004352 00000 n 
-0000072596 00000 n 
-0000485963 00000 n 
+0000123258 00000 n 
+0000657120 00000 n 
 0000004406 00000 n 
 0000004461 00000 n 
-0000076316 00000 n 
-0000485884 00000 n 
+0000126895 00000 n 
+0000657041 00000 n 
 0000004515 00000 n 
 0000004547 00000 n 
-0000076442 00000 n 
-0000485791 00000 n 
+0000127024 00000 n 
+0000656948 00000 n 
 0000004596 00000 n 
 0000004624 00000 n 
-0000076567 00000 n 
-0000485698 00000 n 
+0000127153 00000 n 
+0000656855 00000 n 
 0000004673 00000 n 
 0000004705 00000 n 
-0000076693 00000 n 
-0000485566 00000 n 
+0000130754 00000 n 
+0000656723 00000 n 
 0000004754 00000 n 
 0000004784 00000 n 
-0000080149 00000 n 
-0000485487 00000 n 
+0000130883 00000 n 
+0000656644 00000 n 
 0000004838 00000 n 
 0000004879 00000 n 
-0000080274 00000 n 
-0000485394 00000 n 
+0000131011 00000 n 
+0000656551 00000 n 
 0000004933 00000 n 
 0000004975 00000 n 
-0000080400 00000 n 
-0000485315 00000 n 
+0000134470 00000 n 
+0000656472 00000 n 
 0000005029 00000 n 
 0000005074 00000 n 
-0000087840 00000 n 
-0000485197 00000 n 
+0000137544 00000 n 
+0000656354 00000 n 
 0000005123 00000 n 
 0000005169 00000 n 
-0000087966 00000 n 
-0000485118 00000 n 
+0000137673 00000 n 
+0000656275 00000 n 
 0000005223 00000 n 
 0000005283 00000 n 
-0000088092 00000 n 
-0000485039 00000 n 
+0000137801 00000 n 
+0000656196 00000 n 
 0000005337 00000 n 
 0000005406 00000 n 
-0000090527 00000 n 
-0000484906 00000 n 
+0000140281 00000 n 
+0000656063 00000 n 
 0000005453 00000 n 
 0000005506 00000 n 
-0000090653 00000 n 
-0000484827 00000 n 
+0000140410 00000 n 
+0000655984 00000 n 
 0000005555 00000 n 
 0000005611 00000 n 
-0000090779 00000 n 
-0000484748 00000 n 
+0000140539 00000 n 
+0000655905 00000 n 
 0000005660 00000 n 
 0000005709 00000 n 
-0000094890 00000 n 
-0000484615 00000 n 
+0000144723 00000 n 
+0000655772 00000 n 
 0000005756 00000 n 
 0000005808 00000 n 
-0000095016 00000 n 
-0000484497 00000 n 
+0000144852 00000 n 
+0000655654 00000 n 
 0000005857 00000 n 
 0000005908 00000 n 
-0000099160 00000 n 
-0000484379 00000 n 
+0000149108 00000 n 
+0000655536 00000 n 
 0000005962 00000 n 
 0000006007 00000 n 
-0000099285 00000 n 
-0000484300 00000 n 
+0000149237 00000 n 
+0000655457 00000 n 
 0000006066 00000 n 
 0000006100 00000 n 
-0000099410 00000 n 
-0000484221 00000 n 
+0000149366 00000 n 
+0000655378 00000 n 
 0000006159 00000 n 
 0000006207 00000 n 
-0000102688 00000 n 
-0000484103 00000 n 
+0000152708 00000 n 
+0000655260 00000 n 
 0000006261 00000 n 
 0000006301 00000 n 
-0000102814 00000 n 
-0000484024 00000 n 
+0000152837 00000 n 
+0000655181 00000 n 
 0000006360 00000 n 
 0000006394 00000 n 
-0000102940 00000 n 
-0000483945 00000 n 
+0000152966 00000 n 
+0000655102 00000 n 
 0000006453 00000 n 
 0000006501 00000 n 
-0000106666 00000 n 
-0000483812 00000 n 
+0000156871 00000 n 
+0000654969 00000 n 
 0000006550 00000 n 
 0000006600 00000 n 
-0000110504 00000 n 
-0000483733 00000 n 
+0000160493 00000 n 
+0000654890 00000 n 
 0000006654 00000 n 
 0000006701 00000 n 
-0000110630 00000 n 
-0000483640 00000 n 
+0000160622 00000 n 
+0000654797 00000 n 
 0000006755 00000 n 
 0000006815 00000 n 
-0000110880 00000 n 
-0000483547 00000 n 
+0000160879 00000 n 
+0000654704 00000 n 
 0000006869 00000 n 
 0000006921 00000 n 
-0000111006 00000 n 
-0000483454 00000 n 
+0000161008 00000 n 
+0000654611 00000 n 
 0000006975 00000 n 
 0000007040 00000 n 
-0000115636 00000 n 
-0000483361 00000 n 
+0000165662 00000 n 
+0000654518 00000 n 
 0000007094 00000 n 
 0000007145 00000 n 
-0000115762 00000 n 
-0000483268 00000 n 
+0000165791 00000 n 
+0000654425 00000 n 
 0000007199 00000 n 
 0000007263 00000 n 
-0000115888 00000 n 
-0000483175 00000 n 
+0000165920 00000 n 
+0000654332 00000 n 
 0000007317 00000 n 
 0000007364 00000 n 
-0000116014 00000 n 
-0000483082 00000 n 
+0000166049 00000 n 
+0000654239 00000 n 
 0000007418 00000 n 
 0000007478 00000 n 
-0000118956 00000 n 
-0000482989 00000 n 
+0000169396 00000 n 
+0000654146 00000 n 
 0000007532 00000 n 
 0000007583 00000 n 
-0000119082 00000 n 
-0000482857 00000 n 
+0000169525 00000 n 
+0000654014 00000 n 
 0000007638 00000 n 
 0000007703 00000 n 
-0000119208 00000 n 
-0000482778 00000 n 
+0000174160 00000 n 
+0000653935 00000 n 
 0000007763 00000 n 
 0000007810 00000 n 
-0000129617 00000 n 
-0000482699 00000 n 
+0000180339 00000 n 
+0000653856 00000 n 
 0000007870 00000 n 
 0000007918 00000 n 
-0000133330 00000 n 
-0000482606 00000 n 
+0000184081 00000 n 
+0000653763 00000 n 
 0000007973 00000 n 
 0000008023 00000 n 
-0000133456 00000 n 
-0000482513 00000 n 
+0000184210 00000 n 
+0000653670 00000 n 
 0000008078 00000 n 
 0000008141 00000 n 
-0000135194 00000 n 
-0000482420 00000 n 
+0000185958 00000 n 
+0000653577 00000 n 
 0000008196 00000 n 
 0000008248 00000 n 
-0000135320 00000 n 
-0000482327 00000 n 
+0000186087 00000 n 
+0000653484 00000 n 
 0000008303 00000 n 
 0000008368 00000 n 
-0000135446 00000 n 
-0000482234 00000 n 
+0000186216 00000 n 
+0000653391 00000 n 
 0000008423 00000 n 
 0000008475 00000 n 
-0000140719 00000 n 
-0000482101 00000 n 
+0000189968 00000 n 
+0000653258 00000 n 
 0000008530 00000 n 
 0000008595 00000 n 
-0000144791 00000 n 
-0000482022 00000 n 
+0000198252 00000 n 
+0000653179 00000 n 
 0000008655 00000 n 
 0000008699 00000 n 
-0000162452 00000 n 
-0000481929 00000 n 
+0000215386 00000 n 
+0000653086 00000 n 
 0000008759 00000 n 
 0000008798 00000 n 
-0000162576 00000 n 
-0000481836 00000 n 
+0000219756 00000 n 
+0000652993 00000 n 
 0000008858 00000 n 
 0000008905 00000 n 
-0000162702 00000 n 
-0000481743 00000 n 
+0000219885 00000 n 
+0000652900 00000 n 
 0000008965 00000 n 
 0000009008 00000 n 
-0000166677 00000 n 
-0000481650 00000 n 
+0000223624 00000 n 
+0000652807 00000 n 
 0000009068 00000 n 
 0000009107 00000 n 
-0000169550 00000 n 
-0000481557 00000 n 
+0000226684 00000 n 
+0000652714 00000 n 
 0000009167 00000 n 
 0000009209 00000 n 
-0000173583 00000 n 
-0000481464 00000 n 
+0000226813 00000 n 
+0000652621 00000 n 
 0000009269 00000 n 
 0000009312 00000 n 
-0000177138 00000 n 
-0000481371 00000 n 
+0000233783 00000 n 
+0000652528 00000 n 
 0000009372 00000 n 
 0000009419 00000 n 
-0000181163 00000 n 
-0000481278 00000 n 
+0000238035 00000 n 
+0000652435 00000 n 
 0000009479 00000 n 
 0000009540 00000 n 
-0000181289 00000 n 
-0000481185 00000 n 
+0000238164 00000 n 
+0000652342 00000 n 
 0000009601 00000 n 
 0000009653 00000 n 
-0000184888 00000 n 
-0000481092 00000 n 
+0000241534 00000 n 
+0000652249 00000 n 
 0000009714 00000 n 
 0000009767 00000 n 
-0000185015 00000 n 
-0000480999 00000 n 
+0000241663 00000 n 
+0000652156 00000 n 
 0000009828 00000 n 
 0000009866 00000 n 
-0000189024 00000 n 
-0000480906 00000 n 
+0000245562 00000 n 
+0000652063 00000 n 
 0000009927 00000 n 
 0000009979 00000 n 
-0000192176 00000 n 
-0000480813 00000 n 
+0000248987 00000 n 
+0000651970 00000 n 
 0000010040 00000 n 
 0000010084 00000 n 
-0000196560 00000 n 
-0000480720 00000 n 
+0000249245 00000 n 
+0000651877 00000 n 
 0000010145 00000 n 
 0000010181 00000 n 
-0000196689 00000 n 
-0000480627 00000 n 
+0000257943 00000 n 
+0000651784 00000 n 
 0000010242 00000 n 
 0000010305 00000 n 
-0000200114 00000 n 
-0000480548 00000 n 
+0000258072 00000 n 
+0000651691 00000 n 
 0000010366 00000 n 
-0000010415 00000 n 
-0000204331 00000 n 
-0000480455 00000 n 
-0000010470 00000 n 
-0000010521 00000 n 
-0000204460 00000 n 
-0000480362 00000 n 
-0000010576 00000 n 
-0000010640 00000 n 
-0000208218 00000 n 
-0000480269 00000 n 
-0000010695 00000 n 
-0000010752 00000 n 
-0000208347 00000 n 
-0000480176 00000 n 
-0000010807 00000 n 
-0000010877 00000 n 
-0000208476 00000 n 
-0000480083 00000 n 
-0000010932 00000 n 
-0000010981 00000 n 
-0000208605 00000 n 
-0000479990 00000 n 
-0000011036 00000 n 
-0000011098 00000 n 
-0000211144 00000 n 
-0000479897 00000 n 
-0000011153 00000 n 
-0000011202 00000 n 
-0000214243 00000 n 
-0000479779 00000 n 
-0000011257 00000 n 
-0000011319 00000 n 
-0000214372 00000 n 
-0000479700 00000 n 
-0000011379 00000 n 
-0000011418 00000 n 
-0000223329 00000 n 
-0000479607 00000 n 
-0000011478 00000 n 
-0000011512 00000 n 
-0000223458 00000 n 
-0000479514 00000 n 
-0000011572 00000 n 
-0000011613 00000 n 
-0000233632 00000 n 
-0000479435 00000 n 
-0000011673 00000 n 
-0000011725 00000 n 
-0000237666 00000 n 
-0000479317 00000 n 
-0000011774 00000 n 
-0000011807 00000 n 
-0000237795 00000 n 
-0000479199 00000 n 
-0000011861 00000 n 
-0000011933 00000 n 
-0000237923 00000 n 
-0000479120 00000 n 
-0000011992 00000 n 
-0000012036 00000 n 
-0000245477 00000 n 
-0000479041 00000 n 
-0000012095 00000 n 
-0000012148 00000 n 
-0000249238 00000 n 
-0000478948 00000 n 
-0000012202 00000 n 
-0000012252 00000 n 
-0000249496 00000 n 
-0000478855 00000 n 
-0000012306 00000 n 
-0000012344 00000 n 
-0000252743 00000 n 
-0000478762 00000 n 
-0000012398 00000 n 
-0000012447 00000 n 
-0000253002 00000 n 
-0000478630 00000 n 
-0000012501 00000 n 
-0000012553 00000 n 
-0000253131 00000 n 
-0000478551 00000 n 
-0000012612 00000 n 
-0000012664 00000 n 
-0000253260 00000 n 
-0000478458 00000 n 
-0000012723 00000 n 
-0000012776 00000 n 
-0000256913 00000 n 
-0000478379 00000 n 
-0000012835 00000 n 
-0000012884 00000 n 
-0000257042 00000 n 
-0000478300 00000 n 
-0000012938 00000 n 
-0000013018 00000 n 
-0000261560 00000 n 
-0000478167 00000 n 
-0000013065 00000 n 
-0000013117 00000 n 
-0000261689 00000 n 
-0000478088 00000 n 
+0000010416 00000 n 
+0000263388 00000 n 
+0000651598 00000 n 
+0000010477 00000 n 
+0000010526 00000 n 
+0000267136 00000 n 
+0000651519 00000 n 
+0000010587 00000 n 
+0000010643 00000 n 
+0000267264 00000 n 
+0000651426 00000 n 
+0000010698 00000 n 
+0000010749 00000 n 
+0000271927 00000 n 
+0000651333 00000 n 
+0000010804 00000 n 
+0000010868 00000 n 
+0000275574 00000 n 
+0000651240 00000 n 
+0000010923 00000 n 
+0000010980 00000 n 
+0000275703 00000 n 
+0000651147 00000 n 
+0000011035 00000 n 
+0000011105 00000 n 
+0000275832 00000 n 
+0000651054 00000 n 
+0000011160 00000 n 
+0000011209 00000 n 
+0000275961 00000 n 
+0000650961 00000 n 
+0000011264 00000 n 
+0000011326 00000 n 
+0000278854 00000 n 
+0000650868 00000 n 
+0000011381 00000 n 
+0000011430 00000 n 
+0000285099 00000 n 
+0000650750 00000 n 
+0000011485 00000 n 
+0000011547 00000 n 
+0000285228 00000 n 
+0000650671 00000 n 
+0000011607 00000 n 
+0000011646 00000 n 
+0000289999 00000 n 
+0000650578 00000 n 
+0000011706 00000 n 
+0000011740 00000 n 
+0000290128 00000 n 
+0000650485 00000 n 
+0000011800 00000 n 
+0000011841 00000 n 
+0000305064 00000 n 
+0000650406 00000 n 
+0000011901 00000 n 
+0000011953 00000 n 
+0000309075 00000 n 
+0000650288 00000 n 
+0000012002 00000 n 
+0000012035 00000 n 
+0000309204 00000 n 
+0000650170 00000 n 
+0000012089 00000 n 
+0000012161 00000 n 
+0000309332 00000 n 
+0000650091 00000 n 
+0000012220 00000 n 
+0000012264 00000 n 
+0000316570 00000 n 
+0000650012 00000 n 
+0000012323 00000 n 
+0000012376 00000 n 
+0000320317 00000 n 
+0000649919 00000 n 
+0000012430 00000 n 
+0000012480 00000 n 
+0000320576 00000 n 
+0000649826 00000 n 
+0000012534 00000 n 
+0000012572 00000 n 
+0000323637 00000 n 
+0000649733 00000 n 
+0000012626 00000 n 
+0000012675 00000 n 
+0000323896 00000 n 
+0000649601 00000 n 
+0000012729 00000 n 
+0000012781 00000 n 
+0000324025 00000 n 
+0000649522 00000 n 
+0000012840 00000 n 
+0000012892 00000 n 
+0000324154 00000 n 
+0000649429 00000 n 
+0000012951 00000 n 
+0000013004 00000 n 
+0000326890 00000 n 
+0000649350 00000 n 
+0000013063 00000 n 
+0000013112 00000 n 
+0000327019 00000 n 
+0000649257 00000 n 
 0000013166 00000 n 
-0000013210 00000 n 
-0000265419 00000 n 
-0000477956 00000 n 
-0000013259 00000 n 
-0000013321 00000 n 
-0000265548 00000 n 
-0000477877 00000 n 
-0000013375 00000 n 
-0000013423 00000 n 
-0000265677 00000 n 
-0000477798 00000 n 
-0000013477 00000 n 
-0000013528 00000 n 
-0000265806 00000 n 
-0000477719 00000 n 
-0000013577 00000 n 
-0000013624 00000 n 
-0000268736 00000 n 
-0000477586 00000 n 
-0000013671 00000 n 
-0000013708 00000 n 
-0000268865 00000 n 
-0000477468 00000 n 
-0000013757 00000 n 
-0000013796 00000 n 
-0000268994 00000 n 
-0000477403 00000 n 
-0000013850 00000 n 
-0000013928 00000 n 
-0000269123 00000 n 
-0000477310 00000 n 
-0000013977 00000 n 
-0000014044 00000 n 
-0000269252 00000 n 
-0000477231 00000 n 
-0000014093 00000 n 
-0000014138 00000 n 
-0000272731 00000 n 
-0000477112 00000 n 
-0000014186 00000 n 
-0000014218 00000 n 
-0000272860 00000 n 
-0000476994 00000 n 
-0000014267 00000 n 
-0000014306 00000 n 
-0000272989 00000 n 
-0000476929 00000 n 
-0000014360 00000 n 
-0000014421 00000 n 
-0000276996 00000 n 
-0000476797 00000 n 
-0000014470 00000 n 
-0000014527 00000 n 
-0000277125 00000 n 
-0000476732 00000 n 
-0000014581 00000 n 
-0000014630 00000 n 
-0000277513 00000 n 
-0000476614 00000 n 
-0000014679 00000 n 
-0000014741 00000 n 
-0000277642 00000 n 
-0000476535 00000 n 
-0000014795 00000 n 
-0000014850 00000 n 
-0000290746 00000 n 
-0000476442 00000 n 
-0000014904 00000 n 
-0000014945 00000 n 
-0000291808 00000 n 
-0000476363 00000 n 
-0000014999 00000 n 
+0000013246 00000 n 
+0000331008 00000 n 
+0000649178 00000 n 
+0000013300 00000 n 
+0000013349 00000 n 
+0000333285 00000 n 
+0000649045 00000 n 
+0000013396 00000 n 
+0000013448 00000 n 
+0000333414 00000 n 
+0000648966 00000 n 
+0000013497 00000 n 
+0000013541 00000 n 
+0000337507 00000 n 
+0000648834 00000 n 
+0000013590 00000 n 
+0000013631 00000 n 
+0000337636 00000 n 
+0000648755 00000 n 
+0000013685 00000 n 
+0000013733 00000 n 
+0000337765 00000 n 
+0000648676 00000 n 
+0000013787 00000 n 
+0000013838 00000 n 
+0000337894 00000 n 
+0000648597 00000 n 
+0000013887 00000 n 
+0000013934 00000 n 
+0000342171 00000 n 
+0000648464 00000 n 
+0000013981 00000 n 
+0000014018 00000 n 
+0000342300 00000 n 
+0000648346 00000 n 
+0000014067 00000 n 
+0000014106 00000 n 
+0000342429 00000 n 
+0000648281 00000 n 
+0000014160 00000 n 
+0000014238 00000 n 
+0000342558 00000 n 
+0000648188 00000 n 
+0000014287 00000 n 
+0000014354 00000 n 
+0000342687 00000 n 
+0000648109 00000 n 
+0000014403 00000 n 
+0000014448 00000 n 
+0000346221 00000 n 
+0000647976 00000 n 
+0000014496 00000 n 
+0000014528 00000 n 
+0000346350 00000 n 
+0000647858 00000 n 
+0000014577 00000 n 
+0000014616 00000 n 
+0000346479 00000 n 
+0000647793 00000 n 
+0000014670 00000 n 
+0000014731 00000 n 
+0000350291 00000 n 
+0000647661 00000 n 
+0000014780 00000 n 
+0000014837 00000 n 
+0000350420 00000 n 
+0000647596 00000 n 
+0000014891 00000 n 
+0000014940 00000 n 
+0000350549 00000 n 
+0000647478 00000 n 
+0000014989 00000 n 
 0000015051 00000 n 
-0000015407 00000 n 
-0000015655 00000 n 
-0000015104 00000 n 
-0000015529 00000 n 
-0000015592 00000 n 
-0000473205 00000 n 
-0000447541 00000 n 
-0000473031 00000 n 
-0000446492 00000 n 
-0000420557 00000 n 
-0000446318 00000 n 
-0000474210 00000 n 
-0000016313 00000 n 
-0000016128 00000 n 
-0000015740 00000 n 
-0000016250 00000 n 
-0000419872 00000 n 
-0000417727 00000 n 
-0000419708 00000 n 
-0000019488 00000 n 
-0000018678 00000 n 
-0000016398 00000 n 
-0000018800 00000 n 
-0000018924 00000 n 
-0000019049 00000 n 
-0000019174 00000 n 
-0000416873 00000 n 
-0000396515 00000 n 
-0000416699 00000 n 
-0000019299 00000 n 
-0000019362 00000 n 
-0000019425 00000 n 
-0000395566 00000 n 
-0000375814 00000 n 
-0000395393 00000 n 
-0000375087 00000 n 
-0000358703 00000 n 
-0000374914 00000 n 
-0000024171 00000 n 
-0000022989 00000 n 
-0000019612 00000 n 
-0000023483 00000 n 
-0000358168 00000 n 
-0000341251 00000 n 
-0000357984 00000 n 
-0000023546 00000 n 
-0000023609 00000 n 
-0000023733 00000 n 
-0000023858 00000 n 
-0000023983 00000 n 
-0000023139 00000 n 
-0000023332 00000 n 
-0000024108 00000 n 
-0000237859 00000 n 
-0000277706 00000 n 
-0000028694 00000 n 
-0000027659 00000 n 
-0000024295 00000 n 
-0000028131 00000 n 
-0000028256 00000 n 
-0000027809 00000 n 
-0000027971 00000 n 
-0000028381 00000 n 
-0000028506 00000 n 
-0000028631 00000 n 
-0000043940 00000 n 
-0000031856 00000 n 
-0000031297 00000 n 
-0000028818 00000 n 
-0000031419 00000 n 
-0000031544 00000 n 
-0000031669 00000 n 
-0000031793 00000 n 
-0000034742 00000 n 
-0000033935 00000 n 
-0000031967 00000 n 
-0000034057 00000 n 
-0000034182 00000 n 
-0000034307 00000 n 
-0000034432 00000 n 
-0000034554 00000 n 
-0000034679 00000 n 
-0000474328 00000 n 
-0000035778 00000 n 
-0000035468 00000 n 
-0000034827 00000 n 
-0000035590 00000 n 
-0000035715 00000 n 
-0000037831 00000 n 
-0000037146 00000 n 
-0000035876 00000 n 
-0000037268 00000 n 
-0000037393 00000 n 
-0000037517 00000 n 
-0000037642 00000 n 
-0000037768 00000 n 
-0000040824 00000 n 
-0000039957 00000 n 
-0000037929 00000 n 
-0000040258 00000 n 
-0000040384 00000 n 
-0000040447 00000 n 
-0000040509 00000 n 
-0000040099 00000 n 
-0000040635 00000 n 
-0000040761 00000 n 
-0000192240 00000 n 
-0000044129 00000 n 
-0000043692 00000 n 
-0000040935 00000 n 
-0000043814 00000 n 
-0000340724 00000 n 
-0000331415 00000 n 
-0000340547 00000 n 
-0000044066 00000 n 
-0000047728 00000 n 
-0000047543 00000 n 
-0000044253 00000 n 
-0000047665 00000 n 
-0000330972 00000 n 
-0000324173 00000 n 
-0000330795 00000 n 
-0000051997 00000 n 
-0000051607 00000 n 
-0000047891 00000 n 
-0000051934 00000 n 
-0000051749 00000 n 
-0000474446 00000 n 
-0000111069 00000 n 
-0000054170 00000 n 
-0000053735 00000 n 
-0000052134 00000 n 
-0000053857 00000 n 
-0000053983 00000 n 
-0000054044 00000 n 
-0000054107 00000 n 
-0000057694 00000 n 
-0000056656 00000 n 
-0000054294 00000 n 
-0000057128 00000 n 
-0000057254 00000 n 
-0000057380 00000 n 
-0000056806 00000 n 
-0000056967 00000 n 
-0000057505 00000 n 
-0000057631 00000 n 
-0000144854 00000 n 
-0000173646 00000 n 
-0000062260 00000 n 
-0000061469 00000 n 
-0000057792 00000 n 
-0000061945 00000 n 
-0000062071 00000 n 
-0000061619 00000 n 
-0000061784 00000 n 
-0000062197 00000 n 
-0000282256 00000 n 
-0000065099 00000 n 
-0000064727 00000 n 
-0000062410 00000 n 
-0000065036 00000 n 
-0000064869 00000 n 
-0000066255 00000 n 
-0000066070 00000 n 
-0000065223 00000 n 
-0000066192 00000 n 
-0000069342 00000 n 
-0000068653 00000 n 
-0000066353 00000 n 
-0000068775 00000 n 
-0000068901 00000 n 
-0000069027 00000 n 
-0000069153 00000 n 
-0000069279 00000 n 
-0000474564 00000 n 
-0000072722 00000 n 
-0000071845 00000 n 
-0000069479 00000 n 
-0000072155 00000 n 
-0000072281 00000 n 
-0000072407 00000 n 
-0000072533 00000 n 
-0000072659 00000 n 
-0000071987 00000 n 
-0000233696 00000 n 
-0000076818 00000 n 
-0000076131 00000 n 
-0000072859 00000 n 
-0000076253 00000 n 
-0000076379 00000 n 
-0000076505 00000 n 
-0000076630 00000 n 
-0000076755 00000 n 
-0000080524 00000 n 
-0000079964 00000 n 
-0000076942 00000 n 
-0000080086 00000 n 
-0000080211 00000 n 
-0000080337 00000 n 
-0000080461 00000 n 
-0000083525 00000 n 
-0000085224 00000 n 
-0000083403 00000 n 
-0000080648 00000 n 
-0000085161 00000 n 
-0000323354 00000 n 
-0000314545 00000 n 
-0000323182 00000 n 
-0000084993 00000 n 
-0000085050 00000 n 
-0000085139 00000 n 
-0000088218 00000 n 
-0000087476 00000 n 
-0000085376 00000 n 
-0000087777 00000 n 
-0000087903 00000 n 
-0000087618 00000 n 
-0000088029 00000 n 
-0000088155 00000 n 
-0000277189 00000 n 
-0000090905 00000 n 
-0000090342 00000 n 
-0000088342 00000 n 
-0000090464 00000 n 
-0000090590 00000 n 
-0000090716 00000 n 
-0000090842 00000 n 
-0000474682 00000 n 
-0000091337 00000 n 
-0000091152 00000 n 
-0000091003 00000 n 
-0000091274 00000 n 
-0000095267 00000 n 
-0000094519 00000 n 
-0000091378 00000 n 
-0000094827 00000 n 
-0000094953 00000 n 
-0000095078 00000 n 
-0000095141 00000 n 
-0000095204 00000 n 
-0000094661 00000 n 
-0000099223 00000 n 
-0000099536 00000 n 
-0000098975 00000 n 
-0000095365 00000 n 
-0000099097 00000 n 
-0000099347 00000 n 
-0000099473 00000 n 
-0000103066 00000 n 
-0000102503 00000 n 
-0000099673 00000 n 
-0000102625 00000 n 
-0000102751 00000 n 
-0000102877 00000 n 
-0000103003 00000 n 
-0000105678 00000 n 
-0000106917 00000 n 
-0000105556 00000 n 
-0000103177 00000 n 
-0000106603 00000 n 
-0000106729 00000 n 
-0000106792 00000 n 
-0000106855 00000 n 
-0000111132 00000 n 
-0000110319 00000 n 
-0000107069 00000 n 
-0000110441 00000 n 
-0000110567 00000 n 
-0000110691 00000 n 
-0000110754 00000 n 
-0000110817 00000 n 
-0000110943 00000 n 
-0000474800 00000 n 
-0000116140 00000 n 
-0000114574 00000 n 
-0000111243 00000 n 
-0000115573 00000 n 
-0000114748 00000 n 
-0000114898 00000 n 
-0000115699 00000 n 
-0000115825 00000 n 
-0000115951 00000 n 
-0000116077 00000 n 
-0000115056 00000 n 
-0000115207 00000 n 
-0000115391 00000 n 
-0000292322 00000 n 
-0000119334 00000 n 
-0000118771 00000 n 
-0000116277 00000 n 
-0000118893 00000 n 
-0000119019 00000 n 
-0000119145 00000 n 
-0000119271 00000 n 
-0000123845 00000 n 
-0000123660 00000 n 
-0000119471 00000 n 
-0000123782 00000 n 
-0000126880 00000 n 
-0000126510 00000 n 
-0000123956 00000 n 
-0000126817 00000 n 
-0000126652 00000 n 
-0000129680 00000 n 
-0000129869 00000 n 
-0000129432 00000 n 
-0000126991 00000 n 
-0000129554 00000 n 
-0000129743 00000 n 
-0000129806 00000 n 
-0000133582 00000 n 
-0000132814 00000 n 
-0000129980 00000 n 
-0000133267 00000 n 
-0000133393 00000 n 
-0000133519 00000 n 
-0000132964 00000 n 
-0000133115 00000 n 
-0000474918 00000 n 
-0000135572 00000 n 
-0000135009 00000 n 
-0000133693 00000 n 
-0000135131 00000 n 
-0000135257 00000 n 
-0000135383 00000 n 
-0000135509 00000 n 
-0000137122 00000 n 
-0000136937 00000 n 
-0000135683 00000 n 
-0000137059 00000 n 
-0000140844 00000 n 
-0000140534 00000 n 
-0000137220 00000 n 
-0000140656 00000 n 
-0000140781 00000 n 
-0000144917 00000 n 
-0000144432 00000 n 
-0000140968 00000 n 
-0000144728 00000 n 
-0000144574 00000 n 
-0000200178 00000 n 
-0000148826 00000 n 
-0000148515 00000 n 
-0000145041 00000 n 
-0000148637 00000 n 
-0000148700 00000 n 
-0000148763 00000 n 
-0000153958 00000 n 
-0000152681 00000 n 
-0000148950 00000 n 
-0000153895 00000 n 
-0000152863 00000 n 
-0000153016 00000 n 
-0000153172 00000 n 
-0000153355 00000 n 
-0000153527 00000 n 
-0000153711 00000 n 
-0000475036 00000 n 
-0000204524 00000 n 
-0000158215 00000 n 
-0000158030 00000 n 
-0000154136 00000 n 
-0000158152 00000 n 
-0000162828 00000 n 
-0000161906 00000 n 
-0000158352 00000 n 
-0000162389 00000 n 
-0000162515 00000 n 
-0000162056 00000 n 
-0000162639 00000 n 
-0000162765 00000 n 
-0000162224 00000 n 
-0000211208 00000 n 
-0000166803 00000 n 
-0000166302 00000 n 
-0000162952 00000 n 
-0000166614 00000 n 
-0000166444 00000 n 
-0000166740 00000 n 
-0000265869 00000 n 
-0000169676 00000 n 
-0000169365 00000 n 
-0000166927 00000 n 
-0000169487 00000 n 
-0000169613 00000 n 
-0000314019 00000 n 
-0000306129 00000 n 
-0000313846 00000 n 
-0000173709 00000 n 
-0000173398 00000 n 
-0000169841 00000 n 
-0000173520 00000 n 
-0000177262 00000 n 
-0000176953 00000 n 
-0000173820 00000 n 
-0000177075 00000 n 
-0000177200 00000 n 
-0000475154 00000 n 
-0000181415 00000 n 
-0000180623 00000 n 
-0000177414 00000 n 
-0000181100 00000 n 
-0000181226 00000 n 
-0000180773 00000 n 
-0000181352 00000 n 
-0000180946 00000 n 
-0000185142 00000 n 
-0000184703 00000 n 
-0000181526 00000 n 
-0000184825 00000 n 
-0000184951 00000 n 
-0000185078 00000 n 
-0000189153 00000 n 
-0000188487 00000 n 
-0000185294 00000 n 
-0000188959 00000 n 
-0000189088 00000 n 
-0000188642 00000 n 
-0000188804 00000 n 
-0000192432 00000 n 
-0000191796 00000 n 
-0000189319 00000 n 
-0000192111 00000 n 
-0000191942 00000 n 
-0000192303 00000 n 
-0000192367 00000 n 
-0000196818 00000 n 
-0000196012 00000 n 
-0000192598 00000 n 
-0000196495 00000 n 
-0000196624 00000 n 
-0000196167 00000 n 
-0000196753 00000 n 
-0000196329 00000 n 
-0000208540 00000 n 
-0000200372 00000 n 
-0000199923 00000 n 
-0000196984 00000 n 
-0000200049 00000 n 
-0000200242 00000 n 
-0000200307 00000 n 
-0000475275 00000 n 
-0000204588 00000 n 
-0000203968 00000 n 
-0000200484 00000 n 
-0000204266 00000 n 
-0000204395 00000 n 
-0000204115 00000 n 
-0000208734 00000 n 
-0000207681 00000 n 
-0000204700 00000 n 
-0000208153 00000 n 
-0000207837 00000 n 
-0000208282 00000 n 
-0000208411 00000 n 
-0000207999 00000 n 
-0000208669 00000 n 
-0000211272 00000 n 
-0000210953 00000 n 
-0000208846 00000 n 
-0000211079 00000 n 
-0000212676 00000 n 
-0000212485 00000 n 
-0000211384 00000 n 
-0000212611 00000 n 
-0000214630 00000 n 
-0000214052 00000 n 
-0000212775 00000 n 
-0000214178 00000 n 
-0000214307 00000 n 
-0000214436 00000 n 
-0000214501 00000 n 
-0000214566 00000 n 
-0000218616 00000 n 
-0000218425 00000 n 
-0000214742 00000 n 
-0000218551 00000 n 
-0000475400 00000 n 
-0000223587 00000 n 
-0000222083 00000 n 
-0000218728 00000 n 
-0000223264 00000 n 
-0000223393 00000 n 
-0000223522 00000 n 
-0000222275 00000 n 
-0000222437 00000 n 
-0000222599 00000 n 
-0000222761 00000 n 
-0000222932 00000 n 
-0000223103 00000 n 
-0000228876 00000 n 
-0000226808 00000 n 
-0000223699 00000 n 
-0000228811 00000 n 
-0000227045 00000 n 
-0000227208 00000 n 
-0000227369 00000 n 
-0000227531 00000 n 
-0000227692 00000 n 
-0000227854 00000 n 
-0000228016 00000 n 
-0000228170 00000 n 
-0000228332 00000 n 
-0000228494 00000 n 
-0000228653 00000 n 
-0000233890 00000 n 
-0000232249 00000 n 
-0000229001 00000 n 
-0000233567 00000 n 
-0000232450 00000 n 
-0000232612 00000 n 
-0000232774 00000 n 
-0000232935 00000 n 
-0000233089 00000 n 
-0000233250 00000 n 
-0000233405 00000 n 
-0000233760 00000 n 
-0000233825 00000 n 
-0000238310 00000 n 
-0000237113 00000 n 
-0000234015 00000 n 
-0000237601 00000 n 
-0000237730 00000 n 
-0000237987 00000 n 
-0000237269 00000 n 
-0000237439 00000 n 
-0000238052 00000 n 
-0000238117 00000 n 
-0000238181 00000 n 
-0000238246 00000 n 
-0000241771 00000 n 
-0000241516 00000 n 
-0000238448 00000 n 
-0000241642 00000 n 
-0000241707 00000 n 
-0000245736 00000 n 
-0000245221 00000 n 
-0000241870 00000 n 
-0000245347 00000 n 
-0000245412 00000 n 
-0000245541 00000 n 
-0000245606 00000 n 
-0000245671 00000 n 
-0000475525 00000 n 
-0000249753 00000 n 
-0000248917 00000 n 
-0000245848 00000 n 
-0000249043 00000 n 
-0000249108 00000 n 
-0000249173 00000 n 
-0000249302 00000 n 
-0000249367 00000 n 
-0000249431 00000 n 
-0000249559 00000 n 
-0000249624 00000 n 
-0000249688 00000 n 
-0000253388 00000 n 
-0000252552 00000 n 
-0000249878 00000 n 
-0000252678 00000 n 
-0000252807 00000 n 
-0000252872 00000 n 
-0000252937 00000 n 
-0000253066 00000 n 
-0000253195 00000 n 
-0000305774 00000 n 
-0000303777 00000 n 
-0000305609 00000 n 
-0000253323 00000 n 
-0000257301 00000 n 
-0000256722 00000 n 
-0000253594 00000 n 
-0000256848 00000 n 
-0000256977 00000 n 
-0000257106 00000 n 
-0000257171 00000 n 
-0000257236 00000 n 
-0000258796 00000 n 
-0000258605 00000 n 
-0000257493 00000 n 
-0000258731 00000 n 
-0000259236 00000 n 
-0000259045 00000 n 
-0000258895 00000 n 
-0000259171 00000 n 
-0000261817 00000 n 
-0000260909 00000 n 
-0000259278 00000 n 
-0000261495 00000 n 
-0000261624 00000 n 
-0000261753 00000 n 
-0000261065 00000 n 
-0000261280 00000 n 
-0000475650 00000 n 
-0000265933 00000 n 
-0000265228 00000 n 
-0000261943 00000 n 
-0000265354 00000 n 
-0000303456 00000 n 
-0000294243 00000 n 
-0000303270 00000 n 
-0000265483 00000 n 
-0000265612 00000 n 
-0000265741 00000 n 
-0000269380 00000 n 
-0000268154 00000 n 
-0000266098 00000 n 
-0000268671 00000 n 
-0000268800 00000 n 
-0000268929 00000 n 
-0000269058 00000 n 
-0000269187 00000 n 
-0000269316 00000 n 
-0000268310 00000 n 
-0000268482 00000 n 
-0000269834 00000 n 
-0000269643 00000 n 
-0000269493 00000 n 
-0000269769 00000 n 
-0000273118 00000 n 
-0000272540 00000 n 
-0000269876 00000 n 
-0000272666 00000 n 
-0000272795 00000 n 
-0000272924 00000 n 
-0000273053 00000 n 
-0000277770 00000 n 
-0000276420 00000 n 
-0000273204 00000 n 
-0000276931 00000 n 
-0000277060 00000 n 
-0000277253 00000 n 
-0000277318 00000 n 
-0000277383 00000 n 
-0000277448 00000 n 
-0000277577 00000 n 
-0000276576 00000 n 
-0000276754 00000 n 
-0000284654 00000 n 
-0000280594 00000 n 
-0000277922 00000 n 
-0000280768 00000 n 
-0000281476 00000 n 
-0000280946 00000 n 
-0000281124 00000 n 
-0000281300 00000 n 
-0000281541 00000 n 
-0000281606 00000 n 
-0000281671 00000 n 
-0000281736 00000 n 
-0000281801 00000 n 
-0000281866 00000 n 
-0000281931 00000 n 
-0000281996 00000 n 
-0000282061 00000 n 
-0000282126 00000 n 
-0000282191 00000 n 
-0000282320 00000 n 
-0000282385 00000 n 
-0000282450 00000 n 
-0000282515 00000 n 
-0000282580 00000 n 
-0000282644 00000 n 
-0000282709 00000 n 
-0000282773 00000 n 
-0000282838 00000 n 
-0000282903 00000 n 
-0000282968 00000 n 
-0000283033 00000 n 
-0000283097 00000 n 
-0000283162 00000 n 
-0000283227 00000 n 
-0000283292 00000 n 
-0000283357 00000 n 
-0000283422 00000 n 
-0000283487 00000 n 
-0000283551 00000 n 
-0000283616 00000 n 
-0000283681 00000 n 
-0000283746 00000 n 
-0000283811 00000 n 
-0000283876 00000 n 
-0000283941 00000 n 
-0000284006 00000 n 
-0000284071 00000 n 
-0000284136 00000 n 
-0000284201 00000 n 
-0000284266 00000 n 
-0000284331 00000 n 
-0000284396 00000 n 
-0000284461 00000 n 
-0000284526 00000 n 
-0000284590 00000 n 
-0000475775 00000 n 
-0000290874 00000 n 
-0000287567 00000 n 
-0000284806 00000 n 
-0000287693 00000 n 
-0000287758 00000 n 
-0000287823 00000 n 
-0000287888 00000 n 
-0000287953 00000 n 
-0000288018 00000 n 
-0000288082 00000 n 
-0000288147 00000 n 
-0000288212 00000 n 
-0000288277 00000 n 
-0000288342 00000 n 
-0000288407 00000 n 
-0000288472 00000 n 
-0000288537 00000 n 
-0000288602 00000 n 
-0000288667 00000 n 
-0000288732 00000 n 
-0000288797 00000 n 
-0000288862 00000 n 
-0000288927 00000 n 
-0000288992 00000 n 
-0000289057 00000 n 
-0000289122 00000 n 
-0000289187 00000 n 
-0000289251 00000 n 
-0000289316 00000 n 
-0000289381 00000 n 
-0000289446 00000 n 
-0000289511 00000 n 
-0000289576 00000 n 
-0000289641 00000 n 
-0000289706 00000 n 
-0000289771 00000 n 
-0000289836 00000 n 
-0000289901 00000 n 
-0000289966 00000 n 
-0000290031 00000 n 
-0000290096 00000 n 
-0000290161 00000 n 
-0000290226 00000 n 
-0000290291 00000 n 
-0000290356 00000 n 
-0000290421 00000 n 
-0000290486 00000 n 
-0000290551 00000 n 
-0000290616 00000 n 
-0000290681 00000 n 
-0000290810 00000 n 
-0000292197 00000 n 
-0000291617 00000 n 
-0000290986 00000 n 
-0000291743 00000 n 
-0000291872 00000 n 
-0000291937 00000 n 
-0000292002 00000 n 
-0000292067 00000 n 
-0000292132 00000 n 
-0000292354 00000 n 
-0000303698 00000 n 
-0000306021 00000 n 
-0000305990 00000 n 
-0000314294 00000 n 
-0000323752 00000 n 
-0000331214 00000 n 
-0000341010 00000 n 
-0000358508 00000 n 
-0000375495 00000 n 
-0000396134 00000 n 
-0000417277 00000 n 
-0000420359 00000 n 
-0000420129 00000 n 
-0000447046 00000 n 
-0000473724 00000 n 
-0000475873 00000 n 
-0000475993 00000 n 
-0000476116 00000 n 
-0000476205 00000 n 
-0000476287 00000 n 
-0000490158 00000 n 
-0000502158 00000 n 
-0000502199 00000 n 
-0000502239 00000 n 
-0000502373 00000 n 
+0000350678 00000 n 
+0000647399 00000 n 
+0000015105 00000 n 
+0000015160 00000 n 
+0000374453 00000 n 
+0000647306 00000 n 
+0000015214 00000 n 
+0000015255 00000 n 
+0000374582 00000 n 
+0000647227 00000 n 
+0000015309 00000 n 
+0000015361 00000 n 
+0000377282 00000 n 
+0000647107 00000 n 
+0000015409 00000 n 
+0000015443 00000 n 
+0000377411 00000 n 
+0000647028 00000 n 
+0000015492 00000 n 
+0000015519 00000 n 
+0000395360 00000 n 
+0000646935 00000 n 
+0000015568 00000 n 
+0000015596 00000 n 
+0000402947 00000 n 
+0000646842 00000 n 
+0000015645 00000 n 
+0000015682 00000 n 
+0000409275 00000 n 
+0000646749 00000 n 
+0000015731 00000 n 
+0000015770 00000 n 
+0000418787 00000 n 
+0000646656 00000 n 
+0000015819 00000 n 
+0000015858 00000 n 
+0000421692 00000 n 
+0000646563 00000 n 
+0000015907 00000 n 
+0000015946 00000 n 
+0000427976 00000 n 
+0000646470 00000 n 
+0000015995 00000 n 
+0000016024 00000 n 
+0000437167 00000 n 
+0000646377 00000 n 
+0000016073 00000 n 
+0000016101 00000 n 
+0000440192 00000 n 
+0000646284 00000 n 
+0000016150 00000 n 
+0000016183 00000 n 
+0000446424 00000 n 
+0000646205 00000 n 
+0000016233 00000 n 
+0000016270 00000 n 
+0000016639 00000 n 
+0000016761 00000 n 
+0000024590 00000 n 
+0000016323 00000 n 
+0000024464 00000 n 
+0000024527 00000 n 
+0000642088 00000 n 
+0000616145 00000 n 
+0000641914 00000 n 
+0000643113 00000 n 
+0000019624 00000 n 
+0000019841 00000 n 
+0000019910 00000 n 
+0000019979 00000 n 
+0000020047 00000 n 
+0000020115 00000 n 
+0000020164 00000 n 
+0000020211 00000 n 
+0000020544 00000 n 
+0000020566 00000 n 
+0000020734 00000 n 
+0000020899 00000 n 
+0000021068 00000 n 
+0000021247 00000 n 
+0000021556 00000 n 
+0000021716 00000 n 
+0000025949 00000 n 
+0000025764 00000 n 
+0000024690 00000 n 
+0000025886 00000 n 
+0000615072 00000 n 
+0000588808 00000 n 
+0000614898 00000 n 
+0000588123 00000 n 
+0000585979 00000 n 
+0000587959 00000 n 
+0000037649 00000 n 
+0000028998 00000 n 
+0000026034 00000 n 
+0000037523 00000 n 
+0000037586 00000 n 
+0000029532 00000 n 
+0000029686 00000 n 
+0000029843 00000 n 
+0000030000 00000 n 
+0000030156 00000 n 
+0000030313 00000 n 
+0000030475 00000 n 
+0000030636 00000 n 
+0000030797 00000 n 
+0000030959 00000 n 
+0000031126 00000 n 
+0000031293 00000 n 
+0000031458 00000 n 
+0000031620 00000 n 
+0000031786 00000 n 
+0000031947 00000 n 
+0000032102 00000 n 
+0000032259 00000 n 
+0000032415 00000 n 
+0000032572 00000 n 
+0000032729 00000 n 
+0000032886 00000 n 
+0000033040 00000 n 
+0000033196 00000 n 
+0000033358 00000 n 
+0000033520 00000 n 
+0000033676 00000 n 
+0000033833 00000 n 
+0000033995 00000 n 
+0000034162 00000 n 
+0000034328 00000 n 
+0000034489 00000 n 
+0000034644 00000 n 
+0000034801 00000 n 
+0000034958 00000 n 
+0000035120 00000 n 
+0000035277 00000 n 
+0000035434 00000 n 
+0000035591 00000 n 
+0000035753 00000 n 
+0000035920 00000 n 
+0000036087 00000 n 
+0000036248 00000 n 
+0000036410 00000 n 
+0000036572 00000 n 
+0000036734 00000 n 
+0000036896 00000 n 
+0000037053 00000 n 
+0000037208 00000 n 
+0000037363 00000 n 
+0000051025 00000 n 
+0000040974 00000 n 
+0000037734 00000 n 
+0000050962 00000 n 
+0000585428 00000 n 
+0000568347 00000 n 
+0000585244 00000 n 
+0000041564 00000 n 
+0000041727 00000 n 
+0000041890 00000 n 
+0000042048 00000 n 
+0000042211 00000 n 
+0000042374 00000 n 
+0000042530 00000 n 
+0000042688 00000 n 
+0000042846 00000 n 
+0000043001 00000 n 
+0000043159 00000 n 
+0000043322 00000 n 
+0000043490 00000 n 
+0000043658 00000 n 
+0000043821 00000 n 
+0000043989 00000 n 
+0000044157 00000 n 
+0000044315 00000 n 
+0000044477 00000 n 
+0000044640 00000 n 
+0000044803 00000 n 
+0000044965 00000 n 
+0000045127 00000 n 
+0000045290 00000 n 
+0000045452 00000 n 
+0000045614 00000 n 
+0000045777 00000 n 
+0000045941 00000 n 
+0000046109 00000 n 
+0000046277 00000 n 
+0000046441 00000 n 
+0000046605 00000 n 
+0000046768 00000 n 
+0000046932 00000 n 
+0000047096 00000 n 
+0000047259 00000 n 
+0000047428 00000 n 
+0000047597 00000 n 
+0000047765 00000 n 
+0000047934 00000 n 
+0000048103 00000 n 
+0000048272 00000 n 
+0000048441 00000 n 
+0000048610 00000 n 
+0000048779 00000 n 
+0000048949 00000 n 
+0000049119 00000 n 
+0000049289 00000 n 
+0000049459 00000 n 
+0000049628 00000 n 
+0000049798 00000 n 
+0000049968 00000 n 
+0000050138 00000 n 
+0000050307 00000 n 
+0000050477 00000 n 
+0000050639 00000 n 
+0000050800 00000 n 
+0000063624 00000 n 
+0000054499 00000 n 
+0000051123 00000 n 
+0000063561 00000 n 
+0000055057 00000 n 
+0000055220 00000 n 
+0000055383 00000 n 
+0000055546 00000 n 
+0000055709 00000 n 
+0000055871 00000 n 
+0000056039 00000 n 
+0000056207 00000 n 
+0000056375 00000 n 
+0000056541 00000 n 
+0000056698 00000 n 
+0000056859 00000 n 
+0000057026 00000 n 
+0000057193 00000 n 
+0000057355 00000 n 
+0000057517 00000 n 
+0000057679 00000 n 
+0000057841 00000 n 
+0000058008 00000 n 
+0000058175 00000 n 
+0000058342 00000 n 
+0000058504 00000 n 
+0000058666 00000 n 
+0000058821 00000 n 
+0000058978 00000 n 
+0000059133 00000 n 
+0000059295 00000 n 
+0000059457 00000 n 
+0000059614 00000 n 
+0000059769 00000 n 
+0000059926 00000 n 
+0000060088 00000 n 
+0000060245 00000 n 
+0000060401 00000 n 
+0000060557 00000 n 
+0000060713 00000 n 
+0000060875 00000 n 
+0000061032 00000 n 
+0000061194 00000 n 
+0000061351 00000 n 
+0000061513 00000 n 
+0000061674 00000 n 
+0000061836 00000 n 
+0000061992 00000 n 
+0000062149 00000 n 
+0000062306 00000 n 
+0000062463 00000 n 
+0000062620 00000 n 
+0000062777 00000 n 
+0000062933 00000 n 
+0000063090 00000 n 
+0000567410 00000 n 
+0000547731 00000 n 
+0000567237 00000 n 
+0000063247 00000 n 
+0000063404 00000 n 
+0000064069 00000 n 
+0000063884 00000 n 
+0000063735 00000 n 
+0000064006 00000 n 
+0000067199 00000 n 
+0000066389 00000 n 
+0000064110 00000 n 
+0000066511 00000 n 
+0000066635 00000 n 
+0000066760 00000 n 
+0000066885 00000 n 
+0000546842 00000 n 
+0000525510 00000 n 
+0000546668 00000 n 
+0000067010 00000 n 
+0000067073 00000 n 
+0000067136 00000 n 
+0000524743 00000 n 
+0000507335 00000 n 
+0000524570 00000 n 
+0000643231 00000 n 
+0000071855 00000 n 
+0000070673 00000 n 
+0000067323 00000 n 
+0000071167 00000 n 
+0000071230 00000 n 
+0000071293 00000 n 
+0000071417 00000 n 
+0000071542 00000 n 
+0000071667 00000 n 
+0000070823 00000 n 
+0000071016 00000 n 
+0000071792 00000 n 
+0000309268 00000 n 
+0000350742 00000 n 
+0000076525 00000 n 
+0000075489 00000 n 
+0000071979 00000 n 
+0000075962 00000 n 
+0000076087 00000 n 
+0000075639 00000 n 
+0000075801 00000 n 
+0000076212 00000 n 
+0000076337 00000 n 
+0000076462 00000 n 
+0000092174 00000 n 
+0000079571 00000 n 
+0000079011 00000 n 
+0000076649 00000 n 
+0000079133 00000 n 
+0000079258 00000 n 
+0000079383 00000 n 
+0000079508 00000 n 
+0000082997 00000 n 
+0000081857 00000 n 
+0000079682 00000 n 
+0000082310 00000 n 
+0000082435 00000 n 
+0000082560 00000 n 
+0000082685 00000 n 
+0000082810 00000 n 
+0000082007 00000 n 
+0000082159 00000 n 
+0000082934 00000 n 
+0000267200 00000 n 
+0000084083 00000 n 
+0000083773 00000 n 
+0000083082 00000 n 
+0000083895 00000 n 
+0000084020 00000 n 
+0000086168 00000 n 
+0000085483 00000 n 
+0000084181 00000 n 
+0000085605 00000 n 
+0000085730 00000 n 
+0000085854 00000 n 
+0000085979 00000 n 
+0000086105 00000 n 
+0000643349 00000 n 
+0000089056 00000 n 
+0000088188 00000 n 
+0000086266 00000 n 
+0000088490 00000 n 
+0000088616 00000 n 
+0000088679 00000 n 
+0000088742 00000 n 
+0000088330 00000 n 
+0000088868 00000 n 
+0000088994 00000 n 
+0000249051 00000 n 
+0000092363 00000 n 
+0000091926 00000 n 
+0000089167 00000 n 
+0000092048 00000 n 
+0000506679 00000 n 
+0000495097 00000 n 
+0000506502 00000 n 
+0000092300 00000 n 
+0000095962 00000 n 
+0000095777 00000 n 
+0000092487 00000 n 
+0000095899 00000 n 
+0000494562 00000 n 
+0000485048 00000 n 
+0000494385 00000 n 
+0000100500 00000 n 
+0000100110 00000 n 
+0000096125 00000 n 
+0000100437 00000 n 
+0000100252 00000 n 
+0000161071 00000 n 
+0000102786 00000 n 
+0000102349 00000 n 
+0000100637 00000 n 
+0000102471 00000 n 
+0000102597 00000 n 
+0000102660 00000 n 
+0000102723 00000 n 
+0000105437 00000 n 
+0000107962 00000 n 
+0000105287 00000 n 
+0000102910 00000 n 
+0000107395 00000 n 
+0000107521 00000 n 
+0000107647 00000 n 
+0000107073 00000 n 
+0000107234 00000 n 
+0000484205 00000 n 
+0000474883 00000 n 
+0000484033 00000 n 
+0000474321 00000 n 
+0000465238 00000 n 
+0000474148 00000 n 
+0000107773 00000 n 
+0000107899 00000 n 
+0000643467 00000 n 
+0000106905 00000 n 
+0000106962 00000 n 
+0000107051 00000 n 
+0000198315 00000 n 
+0000226877 00000 n 
+0000112373 00000 n 
+0000111567 00000 n 
+0000108114 00000 n 
+0000112050 00000 n 
+0000112179 00000 n 
+0000111722 00000 n 
+0000111888 00000 n 
+0000112308 00000 n 
+0000351520 00000 n 
+0000115864 00000 n 
+0000115485 00000 n 
+0000112524 00000 n 
+0000115799 00000 n 
+0000115631 00000 n 
+0000117097 00000 n 
+0000116907 00000 n 
+0000115989 00000 n 
+0000117032 00000 n 
+0000119998 00000 n 
+0000119423 00000 n 
+0000117196 00000 n 
+0000119548 00000 n 
+0000119675 00000 n 
+0000119804 00000 n 
+0000119933 00000 n 
+0000123387 00000 n 
+0000122553 00000 n 
+0000120136 00000 n 
+0000122678 00000 n 
+0000122807 00000 n 
+0000122936 00000 n 
+0000123065 00000 n 
+0000123193 00000 n 
+0000123322 00000 n 
+0000127281 00000 n 
+0000126513 00000 n 
+0000123525 00000 n 
+0000126830 00000 n 
+0000126660 00000 n 
+0000126959 00000 n 
+0000127088 00000 n 
+0000127217 00000 n 
+0000643590 00000 n 
+0000305128 00000 n 
+0000131140 00000 n 
+0000130563 00000 n 
+0000127393 00000 n 
+0000130689 00000 n 
+0000130818 00000 n 
+0000130946 00000 n 
+0000131075 00000 n 
+0000134599 00000 n 
+0000134279 00000 n 
+0000131278 00000 n 
+0000134405 00000 n 
+0000134534 00000 n 
+0000137930 00000 n 
+0000137171 00000 n 
+0000134711 00000 n 
+0000137479 00000 n 
+0000137608 00000 n 
+0000137318 00000 n 
+0000137737 00000 n 
+0000137865 00000 n 
+0000350484 00000 n 
+0000140668 00000 n 
+0000140090 00000 n 
+0000138096 00000 n 
+0000140216 00000 n 
+0000140345 00000 n 
+0000140474 00000 n 
+0000140603 00000 n 
+0000141108 00000 n 
+0000140917 00000 n 
+0000140767 00000 n 
+0000141043 00000 n 
+0000145110 00000 n 
+0000144344 00000 n 
+0000141150 00000 n 
+0000144658 00000 n 
+0000144787 00000 n 
+0000144915 00000 n 
+0000144980 00000 n 
+0000145045 00000 n 
+0000144491 00000 n 
+0000643715 00000 n 
+0000149172 00000 n 
+0000149495 00000 n 
+0000148917 00000 n 
+0000145209 00000 n 
+0000149043 00000 n 
+0000149301 00000 n 
+0000149430 00000 n 
+0000153095 00000 n 
+0000152517 00000 n 
+0000149633 00000 n 
+0000152643 00000 n 
+0000152772 00000 n 
+0000152901 00000 n 
+0000153030 00000 n 
+0000155880 00000 n 
+0000157130 00000 n 
+0000155754 00000 n 
+0000153220 00000 n 
+0000156806 00000 n 
+0000156935 00000 n 
+0000157000 00000 n 
+0000157065 00000 n 
+0000161135 00000 n 
+0000160302 00000 n 
+0000157284 00000 n 
+0000160428 00000 n 
+0000160557 00000 n 
+0000160684 00000 n 
+0000160749 00000 n 
+0000160814 00000 n 
+0000160943 00000 n 
+0000166177 00000 n 
+0000164779 00000 n 
+0000161247 00000 n 
+0000165597 00000 n 
+0000164953 00000 n 
+0000165104 00000 n 
+0000165726 00000 n 
+0000165855 00000 n 
+0000165984 00000 n 
+0000166113 00000 n 
+0000165263 00000 n 
+0000165413 00000 n 
+0000451429 00000 n 
+0000169654 00000 n 
+0000168997 00000 n 
+0000166315 00000 n 
+0000169331 00000 n 
+0000169144 00000 n 
+0000169460 00000 n 
+0000169589 00000 n 
+0000643840 00000 n 
+0000174289 00000 n 
+0000173969 00000 n 
+0000169779 00000 n 
+0000174095 00000 n 
+0000174224 00000 n 
+0000177453 00000 n 
+0000177074 00000 n 
+0000174414 00000 n 
+0000177388 00000 n 
+0000177221 00000 n 
+0000180403 00000 n 
+0000180597 00000 n 
+0000180148 00000 n 
+0000177565 00000 n 
+0000180274 00000 n 
+0000180468 00000 n 
+0000180532 00000 n 
+0000184339 00000 n 
+0000183555 00000 n 
+0000180709 00000 n 
+0000184016 00000 n 
+0000184145 00000 n 
+0000184274 00000 n 
+0000183711 00000 n 
+0000183863 00000 n 
+0000186345 00000 n 
+0000185767 00000 n 
+0000184451 00000 n 
+0000185893 00000 n 
+0000186022 00000 n 
+0000186151 00000 n 
+0000186280 00000 n 
+0000187890 00000 n 
+0000187699 00000 n 
+0000186457 00000 n 
+0000187825 00000 n 
+0000643965 00000 n 
+0000190097 00000 n 
+0000189777 00000 n 
+0000187989 00000 n 
+0000189903 00000 n 
+0000190032 00000 n 
+0000194415 00000 n 
+0000194047 00000 n 
+0000190209 00000 n 
+0000194350 00000 n 
+0000194194 00000 n 
+0000263452 00000 n 
+0000198510 00000 n 
+0000198061 00000 n 
+0000194540 00000 n 
+0000198187 00000 n 
+0000198380 00000 n 
+0000198445 00000 n 
+0000202640 00000 n 
+0000202274 00000 n 
+0000198635 00000 n 
+0000202575 00000 n 
+0000202421 00000 n 
+0000207674 00000 n 
+0000206541 00000 n 
+0000202765 00000 n 
+0000207609 00000 n 
+0000206724 00000 n 
+0000206880 00000 n 
+0000207065 00000 n 
+0000207239 00000 n 
+0000207424 00000 n 
+0000271991 00000 n 
+0000211774 00000 n 
+0000211583 00000 n 
+0000207866 00000 n 
+0000211709 00000 n 
+0000644090 00000 n 
+0000215515 00000 n 
+0000215195 00000 n 
+0000211886 00000 n 
+0000215321 00000 n 
+0000215450 00000 n 
+0000220014 00000 n 
+0000219022 00000 n 
+0000215627 00000 n 
+0000219691 00000 n 
+0000219187 00000 n 
+0000219820 00000 n 
+0000219949 00000 n 
+0000219356 00000 n 
+0000219521 00000 n 
+0000278918 00000 n 
+0000337958 00000 n 
+0000223753 00000 n 
+0000223241 00000 n 
+0000220180 00000 n 
+0000223559 00000 n 
+0000223388 00000 n 
+0000223688 00000 n 
+0000226942 00000 n 
+0000226493 00000 n 
+0000223878 00000 n 
+0000226619 00000 n 
+0000226748 00000 n 
+0000230940 00000 n 
+0000230749 00000 n 
+0000227108 00000 n 
+0000230875 00000 n 
+0000233912 00000 n 
+0000233592 00000 n 
+0000231052 00000 n 
+0000233718 00000 n 
+0000233847 00000 n 
+0000644215 00000 n 
+0000238291 00000 n 
+0000237485 00000 n 
+0000234065 00000 n 
+0000237970 00000 n 
+0000238099 00000 n 
+0000237641 00000 n 
+0000238227 00000 n 
+0000237815 00000 n 
+0000241792 00000 n 
+0000241343 00000 n 
+0000238403 00000 n 
+0000241469 00000 n 
+0000241598 00000 n 
+0000241727 00000 n 
+0000245691 00000 n 
+0000245024 00000 n 
+0000241945 00000 n 
+0000245497 00000 n 
+0000245626 00000 n 
+0000245180 00000 n 
+0000245342 00000 n 
+0000249374 00000 n 
+0000248606 00000 n 
+0000245857 00000 n 
+0000248922 00000 n 
+0000248753 00000 n 
+0000249115 00000 n 
+0000249180 00000 n 
+0000249309 00000 n 
+0000253794 00000 n 
+0000253248 00000 n 
+0000249553 00000 n 
+0000253729 00000 n 
+0000253404 00000 n 
+0000253566 00000 n 
+0000331072 00000 n 
+0000258200 00000 n 
+0000257562 00000 n 
+0000253960 00000 n 
+0000257878 00000 n 
+0000464883 00000 n 
+0000462885 00000 n 
+0000464718 00000 n 
+0000258007 00000 n 
+0000257709 00000 n 
+0000258135 00000 n 
+0000644340 00000 n 
+0000275896 00000 n 
+0000260287 00000 n 
+0000260096 00000 n 
+0000258339 00000 n 
+0000260222 00000 n 
+0000263647 00000 n 
+0000263197 00000 n 
+0000260399 00000 n 
+0000263323 00000 n 
+0000263517 00000 n 
+0000263582 00000 n 
+0000267393 00000 n 
+0000266945 00000 n 
+0000263787 00000 n 
+0000267071 00000 n 
+0000267328 00000 n 
+0000272056 00000 n 
+0000271564 00000 n 
+0000267505 00000 n 
+0000271862 00000 n 
+0000271711 00000 n 
+0000276090 00000 n 
+0000275039 00000 n 
+0000272168 00000 n 
+0000275509 00000 n 
+0000275195 00000 n 
+0000275638 00000 n 
+0000275767 00000 n 
+0000275355 00000 n 
+0000276025 00000 n 
+0000278982 00000 n 
+0000278663 00000 n 
+0000276202 00000 n 
+0000278789 00000 n 
+0000644465 00000 n 
+0000280382 00000 n 
+0000280191 00000 n 
+0000279094 00000 n 
+0000280317 00000 n 
+0000281794 00000 n 
+0000281603 00000 n 
+0000280481 00000 n 
+0000281729 00000 n 
+0000285487 00000 n 
+0000284908 00000 n 
+0000281893 00000 n 
+0000285034 00000 n 
+0000285163 00000 n 
+0000285292 00000 n 
+0000285357 00000 n 
+0000285422 00000 n 
+0000290257 00000 n 
+0000288765 00000 n 
+0000285599 00000 n 
+0000289934 00000 n 
+0000290063 00000 n 
+0000290192 00000 n 
+0000288957 00000 n 
+0000289118 00000 n 
+0000289280 00000 n 
+0000289442 00000 n 
+0000289604 00000 n 
+0000289774 00000 n 
+0000295160 00000 n 
+0000293756 00000 n 
+0000290369 00000 n 
+0000295095 00000 n 
+0000293957 00000 n 
+0000294120 00000 n 
+0000294283 00000 n 
+0000294446 00000 n 
+0000294609 00000 n 
+0000294772 00000 n 
+0000294935 00000 n 
+0000301257 00000 n 
+0000298024 00000 n 
+0000295285 00000 n 
+0000301192 00000 n 
+0000298324 00000 n 
+0000298485 00000 n 
+0000298647 00000 n 
+0000298809 00000 n 
+0000298971 00000 n 
+0000299134 00000 n 
+0000299288 00000 n 
+0000299450 00000 n 
+0000299612 00000 n 
+0000299772 00000 n 
+0000299932 00000 n 
+0000300094 00000 n 
+0000300253 00000 n 
+0000300412 00000 n 
+0000300565 00000 n 
+0000300727 00000 n 
+0000300878 00000 n 
+0000301040 00000 n 
+0000644590 00000 n 
+0000305323 00000 n 
+0000304873 00000 n 
+0000301382 00000 n 
+0000304999 00000 n 
+0000305193 00000 n 
+0000305258 00000 n 
+0000309720 00000 n 
+0000308522 00000 n 
+0000305448 00000 n 
+0000309010 00000 n 
+0000309139 00000 n 
+0000309395 00000 n 
+0000308678 00000 n 
+0000308848 00000 n 
+0000309460 00000 n 
+0000309525 00000 n 
+0000309590 00000 n 
+0000309655 00000 n 
+0000312971 00000 n 
+0000312650 00000 n 
+0000309832 00000 n 
+0000312776 00000 n 
+0000312841 00000 n 
+0000312906 00000 n 
+0000316891 00000 n 
+0000316379 00000 n 
+0000313070 00000 n 
+0000316505 00000 n 
+0000316633 00000 n 
+0000316698 00000 n 
+0000316763 00000 n 
+0000316828 00000 n 
+0000320835 00000 n 
+0000320061 00000 n 
+0000317003 00000 n 
+0000320187 00000 n 
+0000320252 00000 n 
+0000320381 00000 n 
+0000320446 00000 n 
+0000320511 00000 n 
+0000320640 00000 n 
+0000320705 00000 n 
+0000320770 00000 n 
+0000324282 00000 n 
+0000323446 00000 n 
+0000320960 00000 n 
+0000323572 00000 n 
+0000323701 00000 n 
+0000323766 00000 n 
+0000323831 00000 n 
+0000323960 00000 n 
+0000324089 00000 n 
+0000324218 00000 n 
+0000644715 00000 n 
+0000327278 00000 n 
+0000326699 00000 n 
+0000324488 00000 n 
+0000326825 00000 n 
+0000326954 00000 n 
+0000327083 00000 n 
+0000327148 00000 n 
+0000327213 00000 n 
+0000331137 00000 n 
+0000330817 00000 n 
+0000327457 00000 n 
+0000330943 00000 n 
+0000331603 00000 n 
+0000331412 00000 n 
+0000331262 00000 n 
+0000331538 00000 n 
+0000333543 00000 n 
+0000333094 00000 n 
+0000331645 00000 n 
+0000333220 00000 n 
+0000333349 00000 n 
+0000333478 00000 n 
+0000338023 00000 n 
+0000337079 00000 n 
+0000333655 00000 n 
+0000337442 00000 n 
+0000462564 00000 n 
+0000453351 00000 n 
+0000462378 00000 n 
+0000337226 00000 n 
+0000337571 00000 n 
+0000337700 00000 n 
+0000337829 00000 n 
+0000339061 00000 n 
+0000338870 00000 n 
+0000338256 00000 n 
+0000338996 00000 n 
+0000644840 00000 n 
+0000339488 00000 n 
+0000339297 00000 n 
+0000339147 00000 n 
+0000339423 00000 n 
+0000342815 00000 n 
+0000341589 00000 n 
+0000339530 00000 n 
+0000342106 00000 n 
+0000342235 00000 n 
+0000342364 00000 n 
+0000342493 00000 n 
+0000342622 00000 n 
+0000342751 00000 n 
+0000341745 00000 n 
+0000341917 00000 n 
+0000343269 00000 n 
+0000343078 00000 n 
+0000342928 00000 n 
+0000343204 00000 n 
+0000346608 00000 n 
+0000346030 00000 n 
+0000343311 00000 n 
+0000346156 00000 n 
+0000346285 00000 n 
+0000346414 00000 n 
+0000346543 00000 n 
+0000351840 00000 n 
+0000349715 00000 n 
+0000346694 00000 n 
+0000350226 00000 n 
+0000350355 00000 n 
+0000350613 00000 n 
+0000349871 00000 n 
+0000350050 00000 n 
+0000350806 00000 n 
+0000350871 00000 n 
+0000350936 00000 n 
+0000351001 00000 n 
+0000351066 00000 n 
+0000351131 00000 n 
+0000351196 00000 n 
+0000351261 00000 n 
+0000351326 00000 n 
+0000351391 00000 n 
+0000351456 00000 n 
+0000351584 00000 n 
+0000351648 00000 n 
+0000351712 00000 n 
+0000351776 00000 n 
+0000358577 00000 n 
+0000355009 00000 n 
+0000351992 00000 n 
+0000355135 00000 n 
+0000355200 00000 n 
+0000355265 00000 n 
+0000355330 00000 n 
+0000355395 00000 n 
+0000355460 00000 n 
+0000355525 00000 n 
+0000355590 00000 n 
+0000355655 00000 n 
+0000355720 00000 n 
+0000355785 00000 n 
+0000355850 00000 n 
+0000355915 00000 n 
+0000355980 00000 n 
+0000356045 00000 n 
+0000356110 00000 n 
+0000356175 00000 n 
+0000356240 00000 n 
+0000356305 00000 n 
+0000356370 00000 n 
+0000356435 00000 n 
+0000356500 00000 n 
+0000356565 00000 n 
+0000356630 00000 n 
+0000356695 00000 n 
+0000356760 00000 n 
+0000356825 00000 n 
+0000356890 00000 n 
+0000356955 00000 n 
+0000357020 00000 n 
+0000357085 00000 n 
+0000357150 00000 n 
+0000357215 00000 n 
+0000357280 00000 n 
+0000357345 00000 n 
+0000357410 00000 n 
+0000357475 00000 n 
+0000357540 00000 n 
+0000357605 00000 n 
+0000357670 00000 n 
+0000357734 00000 n 
+0000357799 00000 n 
+0000357864 00000 n 
+0000357929 00000 n 
+0000357994 00000 n 
+0000358059 00000 n 
+0000358124 00000 n 
+0000358189 00000 n 
+0000358254 00000 n 
+0000358319 00000 n 
+0000358384 00000 n 
+0000358449 00000 n 
+0000358513 00000 n 
+0000644965 00000 n 
+0000365304 00000 n 
+0000361609 00000 n 
+0000358689 00000 n 
+0000361735 00000 n 
+0000361800 00000 n 
+0000361865 00000 n 
+0000361930 00000 n 
+0000361995 00000 n 
+0000362059 00000 n 
+0000362124 00000 n 
+0000362189 00000 n 
+0000362254 00000 n 
+0000362319 00000 n 
+0000362384 00000 n 
+0000362449 00000 n 
+0000362514 00000 n 
+0000362579 00000 n 
+0000362644 00000 n 
+0000362709 00000 n 
+0000362774 00000 n 
+0000362839 00000 n 
+0000362904 00000 n 
+0000362969 00000 n 
+0000363034 00000 n 
+0000363099 00000 n 
+0000363164 00000 n 
+0000363229 00000 n 
+0000363293 00000 n 
+0000363358 00000 n 
+0000363423 00000 n 
+0000363488 00000 n 
+0000363553 00000 n 
+0000363618 00000 n 
+0000363683 00000 n 
+0000363748 00000 n 
+0000363813 00000 n 
+0000363878 00000 n 
+0000363943 00000 n 
+0000364008 00000 n 
+0000364073 00000 n 
+0000364138 00000 n 
+0000364203 00000 n 
+0000364268 00000 n 
+0000364333 00000 n 
+0000364398 00000 n 
+0000364463 00000 n 
+0000364528 00000 n 
+0000364593 00000 n 
+0000364658 00000 n 
+0000364723 00000 n 
+0000364788 00000 n 
+0000364853 00000 n 
+0000364918 00000 n 
+0000364983 00000 n 
+0000365047 00000 n 
+0000365112 00000 n 
+0000365176 00000 n 
+0000365240 00000 n 
+0000371853 00000 n 
+0000368225 00000 n 
+0000365416 00000 n 
+0000368351 00000 n 
+0000368416 00000 n 
+0000368480 00000 n 
+0000368544 00000 n 
+0000368608 00000 n 
+0000368673 00000 n 
+0000368738 00000 n 
+0000368803 00000 n 
+0000368868 00000 n 
+0000368933 00000 n 
+0000368998 00000 n 
+0000369063 00000 n 
+0000369128 00000 n 
+0000369193 00000 n 
+0000369258 00000 n 
+0000369323 00000 n 
+0000369387 00000 n 
+0000369452 00000 n 
+0000369516 00000 n 
+0000369581 00000 n 
+0000369646 00000 n 
+0000369711 00000 n 
+0000369776 00000 n 
+0000369841 00000 n 
+0000369906 00000 n 
+0000369971 00000 n 
+0000370036 00000 n 
+0000370101 00000 n 
+0000370166 00000 n 
+0000370231 00000 n 
+0000370296 00000 n 
+0000370361 00000 n 
+0000370426 00000 n 
+0000370491 00000 n 
+0000370556 00000 n 
+0000370621 00000 n 
+0000370686 00000 n 
+0000370751 00000 n 
+0000370816 00000 n 
+0000370881 00000 n 
+0000370946 00000 n 
+0000371011 00000 n 
+0000371076 00000 n 
+0000371141 00000 n 
+0000371206 00000 n 
+0000371270 00000 n 
+0000371335 00000 n 
+0000371400 00000 n 
+0000371465 00000 n 
+0000371530 00000 n 
+0000371595 00000 n 
+0000371660 00000 n 
+0000371725 00000 n 
+0000371789 00000 n 
+0000374971 00000 n 
+0000373613 00000 n 
+0000371965 00000 n 
+0000373739 00000 n 
+0000373804 00000 n 
+0000373869 00000 n 
+0000373934 00000 n 
+0000373999 00000 n 
+0000374064 00000 n 
+0000374129 00000 n 
+0000374194 00000 n 
+0000374259 00000 n 
+0000374323 00000 n 
+0000374388 00000 n 
+0000374517 00000 n 
+0000374646 00000 n 
+0000374711 00000 n 
+0000374776 00000 n 
+0000374841 00000 n 
+0000374906 00000 n 
+0000377735 00000 n 
+0000377091 00000 n 
+0000375096 00000 n 
+0000377217 00000 n 
+0000377346 00000 n 
+0000377475 00000 n 
+0000377540 00000 n 
+0000377605 00000 n 
+0000377670 00000 n 
+0000382216 00000 n 
+0000381895 00000 n 
+0000377847 00000 n 
+0000382021 00000 n 
+0000382086 00000 n 
+0000382151 00000 n 
+0000385471 00000 n 
+0000385215 00000 n 
+0000382368 00000 n 
+0000385341 00000 n 
+0000385406 00000 n 
+0000645090 00000 n 
+0000388730 00000 n 
+0000388539 00000 n 
+0000385609 00000 n 
+0000388665 00000 n 
+0000392510 00000 n 
+0000392254 00000 n 
+0000388855 00000 n 
+0000392380 00000 n 
+0000392445 00000 n 
+0000395684 00000 n 
+0000394909 00000 n 
+0000392648 00000 n 
+0000395035 00000 n 
+0000395100 00000 n 
+0000395165 00000 n 
+0000395230 00000 n 
+0000395295 00000 n 
+0000395424 00000 n 
+0000395489 00000 n 
+0000395554 00000 n 
+0000395619 00000 n 
+0000400154 00000 n 
+0000399963 00000 n 
+0000395822 00000 n 
+0000400089 00000 n 
+0000403335 00000 n 
+0000402562 00000 n 
+0000400292 00000 n 
+0000402688 00000 n 
+0000402753 00000 n 
+0000402818 00000 n 
+0000402882 00000 n 
+0000403011 00000 n 
+0000403076 00000 n 
+0000403140 00000 n 
+0000403205 00000 n 
+0000403270 00000 n 
+0000406754 00000 n 
+0000406498 00000 n 
+0000403500 00000 n 
+0000406624 00000 n 
+0000406689 00000 n 
+0000645215 00000 n 
+0000409599 00000 n 
+0000408889 00000 n 
+0000406892 00000 n 
+0000409015 00000 n 
+0000409080 00000 n 
+0000409145 00000 n 
+0000409210 00000 n 
+0000409339 00000 n 
+0000409404 00000 n 
+0000409469 00000 n 
+0000409534 00000 n 
+0000413280 00000 n 
+0000413024 00000 n 
+0000409750 00000 n 
+0000413150 00000 n 
+0000413215 00000 n 
+0000416630 00000 n 
+0000416374 00000 n 
+0000413405 00000 n 
+0000416500 00000 n 
+0000416565 00000 n 
+0000419240 00000 n 
+0000418467 00000 n 
+0000416768 00000 n 
+0000418593 00000 n 
+0000418658 00000 n 
+0000418723 00000 n 
+0000418851 00000 n 
+0000418916 00000 n 
+0000418981 00000 n 
+0000419046 00000 n 
+0000419111 00000 n 
+0000419176 00000 n 
+0000422081 00000 n 
+0000421371 00000 n 
+0000419391 00000 n 
+0000421497 00000 n 
+0000421562 00000 n 
+0000421627 00000 n 
+0000421756 00000 n 
+0000421821 00000 n 
+0000421886 00000 n 
+0000421951 00000 n 
+0000422016 00000 n 
+0000425616 00000 n 
+0000425425 00000 n 
+0000422232 00000 n 
+0000425551 00000 n 
+0000645340 00000 n 
+0000428364 00000 n 
+0000427590 00000 n 
+0000425741 00000 n 
+0000427716 00000 n 
+0000427781 00000 n 
+0000427846 00000 n 
+0000427911 00000 n 
+0000428040 00000 n 
+0000428104 00000 n 
+0000428169 00000 n 
+0000428234 00000 n 
+0000428299 00000 n 
+0000431238 00000 n 
+0000431047 00000 n 
+0000428515 00000 n 
+0000431173 00000 n 
+0000434147 00000 n 
+0000433697 00000 n 
+0000431431 00000 n 
+0000433823 00000 n 
+0000433888 00000 n 
+0000433953 00000 n 
+0000434018 00000 n 
+0000434083 00000 n 
+0000437554 00000 n 
+0000436911 00000 n 
+0000434379 00000 n 
+0000437037 00000 n 
+0000437102 00000 n 
+0000437231 00000 n 
+0000437296 00000 n 
+0000437360 00000 n 
+0000437424 00000 n 
+0000437489 00000 n 
+0000440516 00000 n 
+0000439806 00000 n 
+0000437692 00000 n 
+0000439932 00000 n 
+0000439997 00000 n 
+0000440062 00000 n 
+0000440127 00000 n 
+0000440256 00000 n 
+0000440321 00000 n 
+0000440386 00000 n 
+0000440451 00000 n 
+0000443612 00000 n 
+0000443356 00000 n 
+0000440680 00000 n 
+0000443482 00000 n 
+0000443547 00000 n 
+0000645465 00000 n 
+0000446748 00000 n 
+0000446039 00000 n 
+0000443737 00000 n 
+0000446165 00000 n 
+0000446230 00000 n 
+0000446295 00000 n 
+0000446360 00000 n 
+0000446488 00000 n 
+0000446553 00000 n 
+0000446618 00000 n 
+0000446683 00000 n 
+0000450339 00000 n 
+0000450018 00000 n 
+0000446899 00000 n 
+0000450144 00000 n 
+0000450209 00000 n 
+0000450274 00000 n 
+0000451317 00000 n 
+0000450996 00000 n 
+0000450477 00000 n 
+0000451122 00000 n 
+0000451187 00000 n 
+0000451252 00000 n 
+0000451462 00000 n 
+0000462806 00000 n 
+0000465130 00000 n 
+0000465099 00000 n 
+0000474618 00000 n 
+0000484617 00000 n 
+0000494846 00000 n 
+0000507048 00000 n 
+0000525181 00000 n 
+0000547269 00000 n 
+0000567968 00000 n 
+0000585780 00000 n 
+0000588610 00000 n 
+0000588380 00000 n 
+0000615646 00000 n 
+0000642623 00000 n 
+0000645572 00000 n 
+0000645694 00000 n 
+0000645820 00000 n 
+0000645946 00000 n 
+0000646036 00000 n 
+0000646128 00000 n 
+0000661315 00000 n 
+0000678553 00000 n 
+0000678594 00000 n 
+0000678634 00000 n 
+0000678768 00000 n 
 trailer
 <<
-/Size 1370
-/Root 1368 0 R
-/Info 1369 0 R
-/ID [<52936C5C32902731CDA6B6FA6B2205C2> <52936C5C32902731CDA6B6FA6B2205C2>]
+/Size 1942
+/Root 1940 0 R
+/Info 1941 0 R
+/ID [<C16C2A8590B8858C2F91556A1B642356> <C16C2A8590B8858C2F91556A1B642356>]
 >>
 startxref
-502637
+679032
 %%EOF
diff --git a/contrib/bind9/doc/arm/Makefile.in b/contrib/bind9/doc/arm/Makefile.in
index 88a54e3..4d48169 100644
--- a/contrib/bind9/doc/arm/Makefile.in
+++ b/contrib/bind9/doc/arm/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001, 2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.8.2.2.8.5 2005/05/13 01:22:35 marka Exp $
+# $Id: Makefile.in,v 1.12.18.7 2007/02/07 23:57:58 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,43 +21,47 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_MAKE_RULES@
 
+@BIND9_VERSION@
+
 MANOBJS = Bv9ARM.html
 
 PDFOBJS = Bv9ARM.pdf
 
-distclean::
-	rm -f validate.sh
-	rm -f nominum-docbook-html.dsl nominum-docbook-print.dsl
-	rm -f HTML.index HTML.manifest
-
 doc man:: ${MANOBJS} ${PDFOBJS}
 
 clean::
-	rm -f Bv9ARM.aux Bv9ARM.brf Bv9ARM.glo Bv9ARM.idx
+	rm -f Bv9ARM.aux Bv9ARM.brf Bv9ARM.glo Bv9ARM.idx Bv9ARM.toc
 	rm -f Bv9ARM.log Bv9ARM.out Bv9ARM.tex Bv9ARM.tex.tmp
 
 docclean manclean maintainer-clean:: clean
-	rm -f *.html *.pdf
+	rm -f *.html ${PDFOBJS}
 
-Bv9ARM.html: Bv9ARM-book.xml
+docclean manclean maintainer-clean distclean::
+	rm -f releaseinfo.xml
+
+Bv9ARM.html: Bv9ARM-book.xml releaseinfo.xml
+	expand Bv9ARM-book.xml | \
 	${XSLTPROC} --stringparam root.filename Bv9ARM \
-		${top_srcdir}/doc/xsl/isc-docbook-chunk.xsl \
-		Bv9ARM-book.xml
+		${top_srcdir}/doc/xsl/isc-docbook-chunk.xsl -
 
-Bv9ARM.tex: Bv9ARM-book.xml
-	${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl Bv9ARM-book.xml | \
+Bv9ARM.tex: Bv9ARM-book.xml releaseinfo.xml
+	expand Bv9ARM-book.xml | \
+	${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl - | \
 	${XSLTPROC} ${top_srcdir}/doc/xsl/isc-docbook-latex.xsl - | \
 	@PERL@ latex-fixup.pl >$@.tmp 
 	if test -s $@.tmp; then mv $@.tmp $@; else rm -f $@.tmp; exit 1; fi
 
-Bv9ARM.dvi: Bv9ARM.tex
+Bv9ARM.dvi: Bv9ARM.tex releaseinfo.xml
 	rm -f Bv9ARM-book.aux Bv9ARM-book.dvi Bv9ARM-book.log
-	${LATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
-	${LATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
-	${LATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
+	${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
+	${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
+	${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
 
-Bv9ARM.pdf: Bv9ARM.tex
+Bv9ARM.pdf: Bv9ARM.tex releaseinfo.xml
 	rm -f Bv9ARM-book.aux Bv9ARM-book.pdf Bv9ARM-book.log
-	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
-	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
-	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
+	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
+	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
+	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
+
+releaseinfo.xml:
+	echo >$@ '<releaseinfo>BIND Version ${VERSION}</releaseinfo>'
diff --git a/contrib/bind9/doc/arm/README-SGML b/contrib/bind9/doc/arm/README-SGML
index 8e7bc4e..e33c937 100644
--- a/contrib/bind9/doc/arm/README-SGML
+++ b/contrib/bind9/doc/arm/README-SGML
@@ -4,7 +4,7 @@ See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
 The BIND v9 ARM master document is now kept in DocBook XML format.
 
-Version: $Id: README-SGML,v 1.16.206.1 2004/03/06 13:16:14 marka Exp $
+Version: $Id: README-SGML,v 1.17 2004/03/05 05:04:43 marka Exp $
 
 The entire ARM is in the single file:
 
diff --git a/contrib/bind9/doc/arm/isc-logo.eps b/contrib/bind9/doc/arm/isc-logo.eps
new file mode 100644
index 0000000..c6a1d7a
--- /dev/null
+++ b/contrib/bind9/doc/arm/isc-logo.eps
@@ -0,0 +1,12253 @@
+%!PS-Adobe-3.1 EPSF-3.0
+%%Title: Alternate-ISC-logo-v2.ai
+%%Creator: Adobe Illustrator(R) 11
+%%AI8_CreatorVersion: 11.0.0
+%AI9_PrintingDataBegin
+%%For: Douglas E. Appelt
+%%CreationDate: 10/22/04
+%%BoundingBox: 0 0 255 149
+%%HiResBoundingBox: 0 0 254.8672 148.7520
+%%CropBox: 0 0 254.8672 148.7520
+%%LanguageLevel: 2
+%%DocumentData: Clean7Bit
+%%Pages: 1
+%%DocumentNeededResources:
+%%DocumentSuppliedResources: procset Adobe_AGM_Image (1.0 0)
+%%+ procset Adobe_CoolType_Utility_T42 (1.0 0)
+%%+ procset Adobe_CoolType_Utility_MAKEOCF (1.19 0)
+%%+ procset Adobe_CoolType_Core (2.23 0)
+%%+ procset Adobe_AGM_Core (2.0 0)
+%%+ procset Adobe_AGM_Utils (1.0 0)
+%%DocumentFonts:
+%%DocumentNeededFonts:
+%%DocumentNeededFeatures:
+%%DocumentSuppliedFeatures:
+%%DocumentProcessColors:  Cyan Magenta Yellow Black
+%%DocumentCustomColors: (PANTONE 1805 C)
+%%+ (PANTONE 871 C)
+%%+ (PANTONE 301 C)
+%%+ (PANTONE 7506 C)
+%%CMYKCustomColor: 0 0.9100 1 0.2300 (PANTONE 1805 C)
+%%+ 0.3569 0.3608 0.6353 0.1882 (PANTONE 871 C)
+%%+ 1 0.4500 0 0.1800 (PANTONE 301 C)
+%%+ 0 0.0500 0.1500 0 (PANTONE 7506 C)
+%%RGBCustomColor:
+%ADO_ContainsXMP: MainFirst
+%AI7_Thumbnail: 128 76 8
+%%BeginData: 10692 Hex Bytes
+%0000330000660000990000CC0033000033330033660033990033CC0033FF
+%0066000066330066660066990066CC0066FF009900009933009966009999
+%0099CC0099FF00CC0000CC3300CC6600CC9900CCCC00CCFF00FF3300FF66
+%00FF9900FFCC3300003300333300663300993300CC3300FF333300333333
+%3333663333993333CC3333FF3366003366333366663366993366CC3366FF
+%3399003399333399663399993399CC3399FF33CC0033CC3333CC6633CC99
+%33CCCC33CCFF33FF0033FF3333FF6633FF9933FFCC33FFFF660000660033
+%6600666600996600CC6600FF6633006633336633666633996633CC6633FF
+%6666006666336666666666996666CC6666FF669900669933669966669999
+%6699CC6699FF66CC0066CC3366CC6666CC9966CCCC66CCFF66FF0066FF33
+%66FF6666FF9966FFCC66FFFF9900009900339900669900999900CC9900FF
+%9933009933339933669933999933CC9933FF996600996633996666996699
+%9966CC9966FF9999009999339999669999999999CC9999FF99CC0099CC33
+%99CC6699CC9999CCCC99CCFF99FF0099FF3399FF6699FF9999FFCC99FFFF
+%CC0000CC0033CC0066CC0099CC00CCCC00FFCC3300CC3333CC3366CC3399
+%CC33CCCC33FFCC6600CC6633CC6666CC6699CC66CCCC66FFCC9900CC9933
+%CC9966CC9999CC99CCCC99FFCCCC00CCCC33CCCC66CCCC99CCCCCCCCCCFF
+%CCFF00CCFF33CCFF66CCFF99CCFFCCCCFFFFFF0033FF0066FF0099FF00CC
+%FF3300FF3333FF3366FF3399FF33CCFF33FFFF6600FF6633FF6666FF6699
+%FF66CCFF66FFFF9900FF9933FF9966FF9999FF99CCFF99FFFFCC00FFCC33
+%FFCC66FFCC99FFCCCCFFCCFFFFFF33FFFF66FFFF99FFFFCC110000001100
+%000011111111220000002200000022222222440000004400000044444444
+%550000005500000055555555770000007700000077777777880000008800
+%000088888888AA000000AA000000AAAAAAAABB000000BB000000BBBBBBBB
+%DD000000DD000000DDDDDDDDEE000000EE000000EEEEEEEE0000000000FF
+%00FF0000FFFFFF0000FF00FFFFFF00FFFFFF
+%524C45FD1CF852FD63FFF820272726272727264B27272627272726272727
+%26272727264B20F827FD63FFF827FFFFFFCFFF84365AFFFFFFCFFFFFFFCF
+%FFFFFFCFFD04FFCAF852FD63FFF827CFCFCACFCA2F0607A8CFCACFCACFCA
+%CFCACFCACFCACFCACF7CF827FD63FFF800FFCFFFA8A8070D06A8CFFFCFFF
+%CFFFCFFFCFFFCFFFCFFFCFA7F852FD63FFF800077E2F0D060D060706537D
+%CF7D2FA8CFCACFCACFCACFCAFF7CF827FD63FFF8000D062F070D062F070D
+%062F2F0D062FCACFCFFFCFCFCFFFCFA1F852FD63FFF8050707062E517651
+%522807060706072ECFCACFCACFCACFCAFF7CF827FD63FFF8002F067C757B
+%757C757B512F072F2FFFCFCFCFFFCFFFCFFFCFA1F852FD63FFF805075251
+%75517551755175512F062FCACFCACFCACFCACFCAFF7CF827FD63FFF8F859
+%75765176757C517C757B2E2F07A8CFFFCFCFCFFFCFCFCFA1F852FD63FFF8
+%00517551757CCFCAA751755175060753CFCACFCACFCACFCACF7CF827FD63
+%FFF8F87C75757CFFCFFFCFA7517C752F072F59A8CFCFCFFFCFFFCFA7F852
+%FD04FFA87D527DA8FD5AFFF827757551A1CFCFCAFFA0755175280D060706
+%A8CFCFCACFCAFF7CF827FD05FF27F827FD5BFFF8F87C51767CFFCFFFCFA0
+%517C752F062F060D84FFCFFFCFFFCFA1F852FD05FF7DF87DFD5BFFF80552
+%7551757CC9A7A05175517606072F7E7DCFCACFC9CFCAFF6FF827FD05FF52
+%F852FD27FFA8FD33FFF80059757C7575517C517C517C2E2F06CFCFFFCFCF
+%9293CAFFCF6FF852FD05FF7DF87DFD04FFA8FD05FF7D7DA8FF527D7D7D52
+%7D52A8FFA8527D527DA8FF7D7D527D52FD05FFA8FD05FFA87D7DFFFFA852
+%7D527DA8FF527D7D7D527D52A8FD19FFF805075275755175517551752D0D
+%0653CFFFCFFFA78C6899939344F827FD05FF52F852FFFFFFA8F87DFD04FF
+%7D27FFA87D7DA8F827A87D7DFFA8F827A8527DFFA8F852A827F8A8FFFFFF
+%7DF8FD05FF2752FFFFA8F827A8527DA87D7DA8F827A87D7DFD19FFF8F82F
+%0752517C757B757C2E0D062FA8C999CFCFC28C928C8C8C6EF852FD05FF7D
+%F87DFD04FFF8F87DFFFFFF7D52FD05FFF852FD05FFF87DFD05FFF852FFFF
+%F852FFFFFF7DF8F8FD04FF7D52FFFFFFF87DFD07FFF852FD1CFFF8000607
+%062F2852282E060D0607067D928C9293688C6892688C44F827FD05FF52F8
+%52FFFFFFA85252F852FFFF7D27FD05FFF87DFD04FFA8F852FD05FFF852FF
+%FFF8A8FFFFFF7D5227F8A8FFFF527DFFFFA8F852FD07FFF87DFD1CFFF800
+%852F2F062F070D062F072F062F0D9A8C928C928C928C928C6EF852FD05FF
+%7DF87DFD04FF27FF52F852FF7D52FD05FFF852FD05FFF82752527DFFFFF8
+%52FF527DFD04FF527DFF27F8A8FF7D7DFFFFFFF82752527DFD04FFF852FD
+%1CFFF827CFCF7D2F060D062F2F7EA82F062F938C68928C8C68926E994AF8
+%27FD05FF52F852FFFFFFA827FFFF52F852A852FD05FFF87DFD04FFA8F852
+%FF7DA8FFFFF82752F8A8FD04FF7D52FFA827F8A87D7DFFFFA8F852FF7DA8
+%FD04FFF87DFD1CFFF827FFCFFFA80D062FA8CFCFCA927693928C928C9292
+%75517C7B51F852FD05FF7DF87DFFFFFFA827FFFFFF52F8F87DFD05FFF852
+%FD05FFF87DFD05FFF852FF52F8A8FFFFFF5252FFFFFF27F8277DFFFFFFF8
+%7DFD07FFF852FD1CFFF827CFCFCACF06062ECFCAFF928C688C6892688C6E
+%765175517C26F827FD05FF52F852FFFFFFA827FD04FF52F852FD05FFF852
+%FD04FFA8F852FFFFA8A8FFF87DFFFFF8F8A8FFFF5227FD04FF27F8A8FFFF
+%A8F852FFFFA8A8FFFFFFF852FD1CFFF827FFCFFFCF7E53A8CFFFCFC99292
+%8C928C92757C757C517C7551F852FD04FFA852F852A8FFFFA8F8A8FD04FF
+%527DFD04FF7DF827FD04FFA8F827525252FF7DF827FFFFFF2727A8FF5227
+%A8FD04FF52A8FFFFA8F827525252FFFFFF7DF827FD1CFFF827CFCFCACFCF
+%CFCAFD04CF93688C688C6F7651755175517C4BF827FD05FFA8FFA8FFFFFF
+%A8FFA8FD0BFFA8FFA8FFFFFFA8FFA8A8A8FFFFFFA8FFA8FFFFFFA8FFA8FF
+%A8FD09FFA8FFA8A8A8FD05FFA8FFA8FD1BFFF827FFCFCFCFFFCFCFCFFFCF
+%C38C928C8C6E7C7576517C75767551F852FD63FFF827CFCFCACFCACFCACF
+%92928C8C688C6875517551755175517526F827FD63FFF827FFCFFFCFFFCF
+%FFCA938C928C928C99517C757C517C757C7551F852FD63FFF827CFCFCACF
+%CACFCACFA093688C6892757551755175517551754BF827FD63FFF827FFCF
+%FFCFCFCFFFCFFF998C8C926E7C7576517C7576517CA7A1F852FD06FFA87D
+%527DA8FD58FFF827CFCFCACFCACFCAFFCF996892686F5175517551755175
+%7CFF7CF827FD05FF7D2752A82727A8FD57FFF827FFCFFFCFFFCFFFC2BB8C
+%928C8C6E7C757C517C757C51CFFFA1F852FD05FF2752FFFFFF52FD58FFF8
+%27CFCFCACFCACFCF99688C68928C6F5175517551755175CAFF7CF827FD04
+%FFA8F852FD5CFFF827FFCFCFCFFFCFFFA0998C928C926E7C517C7576517C
+%51CACFA1F852FD04FFA827F87DFFFFFFA8527DFD04FF527DFFFFA87D52A8
+%FF7D527D527D527D7DFF7D7D527D527DFFFFFFA8FD06FFA8FD04FFA87D7D
+%7DFD26FFF827CFCFCACFCACFCACFCF99688C6893517551755175517575FF
+%7CF827FD05FF52F8F852FFFFFF52F8A8FFFF7D27A8FF5252A8A852A852A8
+%7DF827A87D7DFFA8F852A87D52FFFFFFF8A8FD04FF5227FFFFFF7D27A8A8
+%52A8FD25FFF827FFCFFFCFFFCFFFCFFFA08C8C92927C517C757C517C7575
+%7C7CF852FD06FF52F8F852FFFFFF27F8FFFF52A8FFFFF87DFD07FFF87DFD
+%05FFF852FD06FFF827FD04FF2727FFFFFF2752FD29FFF827CFCFCACFCACF
+%CACFA799688C68927575517551755175517526F84BFD07FF52F8F87DFFFF
+%A8F87D7D52FFFFFFF8F87DFD05FFA8F852FD05FFF87DFD05FFA8F8F8A8FF
+%FF7DF8F8A8FFFF52F852A8FD27FFF827FFCFFFCFCFCFFFCF9368928C928C
+%995176517C7576517C7551F852FD08FF7DF8F8FFFFFF52F827FD05FFF8F8
+%27FD05FFF87DFD05FFF8277D527DFFFF7D52F852FFFF277DF8A8FFFFFF52
+%F8F87DFD26FFF827CFCFCACFCACFCAFF938C688C688C6875517551755175
+%517C26F827FD09FF27F8A8FFFFFFF852FD06FF52F827FFFFFFA8F852FD05
+%FFF852A8A87DFFFF527D7DF8FF7D52A8F87DFD04FF7DF8F8A8FD25FFF827
+%FFCFFFCFFFCFFFCFCFCFC98C928C92927C517C757C517C7551F852FD04FF
+%7DFD04FF7DF8FD04FFF852FD07FF7DF8A8FFFFFFF87DFD05FFF852FD05FF
+%52A8FF272752A8FFF87DFD06FFF8A8FD25FFF827CFCFCACFCACFCAFD04CF
+%99688C688C6E7651755175517C4BF827FD04FF5227FFFFA8F852FD04FFF8
+%7DFFFFFF7D7DFFFF7D27FD04FFF852FD05FFF852FFFFA8FFFF27A8FF7DF8
+%52FFFFF852FFA852FFFF7D27A8FD25FFF827FFCFCFCFFFCFCFCFFFCFCF92
+%928C928C926E7C517C75767551F852FD04FF7D272752277DFD04FF7DF827
+%FFFFFF7D27525227FD04FFA8F852A8FFFFFF7D2727525252FFA8F8A8FFFF
+%52FFFFFF2727A8FF275252527DFD26FFF827CFCFCACFCACFCACFCAFF998C
+%688C688C688C68755176517526F827FD07FFA8FD07FFA8FFA8FFFFFFA8A8
+%A8FD05FFA8FFA8FD05FFA8FFA8A8A8FFA8FFA8FD07FFA8FFFFFFA8A8FD28
+%FFF827FFCFFFCFFFCFFFCFFFCFCF92C29A928C928C928C99757C7551F852
+%FD63FFF827CFCFCACFCACFCACFCAFD04CFFF998C68928C8C6892689344F8
+%27FD63FFF827FFCFFFCFCFCFFFCFCFCFFFCFCFCFC98C928C928C928C928C
+%68F852FD63FFF827CFCFCACFCACFCAA8537ECACFCAFF938C6899688C688C
+%689244F827FD63FFF827FFCFFFCFFFCFA8072F07FFCFFFCFCF992F0D5992
+%928C928C68F852FD08FF7D7D527D52A8A8FD54FFF827CFCFCACFCACFA70D
+%060753A87DA8CA5A0607069368929AC244F827FD06FF7DF8527D7D7D52F8
+%27FD54FFF827FFCFCFCFFFCFCF2F2F070D062F072F062F07539993C2FFFF
+%76F852FD05FF7DF87DFD06FF27FD54FFF827CFCFCACFCACF7D0D060D0607
+%060D0607060753FFCACFCAFF76F827FD04FFA8F827FD07FFA8A8FD15FFA8
+%FD3DFFF827FFCFFFCFFF592F062F072F2852282F072F072F7DFFCFFFCFA7
+%F852FD04FF52F87DFD0CFFA87D7D7DFD05FFA8FD05FF7D7DA8FFFFA87D7D
+%7DFFFFFFA87D527D7DFD04FFA8527D527DA8FFFF7D527D527D527D7DFF7D
+%7D7DFFFFA8527DA8FFFFA8527DFFFFFFA8FD06FFA8FFFFF827CF5959CA53
+%07060D066F688C6892684B060D06077DCFCFCF7CF827FD04FF27F8A8FD0A
+%FFA82752A87D52F852FFFFA8F87DFD04FF7D27FFFF7D27A87D52FFFF5227
+%7DA87D27F8A8FFFFA8F827A827F8A8A852A87DF827A87D7DFFA8F852FFFF
+%A8F827FD04FF2727FFFFFFF8A8FD04FF5227FFFFF827A9062F070D062F28
+%928C928C928C928C92282F072F847E5953F852FD04FFF8F8A8FD0AFF2752
+%FD04FF7DF87DFFFFF8F852FFFFFF7D52FFFFF8A8FFFFA8FF7DF8A8FD04FF
+%27F8FFFFFFF87DFFFFF87DFD04FFF87DFD05FFF852FFFFFFF87DFD04FF27
+%52FFFFFFF827FD04FF2727FFFFF8272F07060D060D278C688C68928C8C68
+%8C688C060D0607060D06F827FFFFFFA827F87DFD09FF7DF8FD06FF27F8FF
+%A85252F852FFFF7D27FFFF27F87DFFFFFF2727FD05FF7DF852FFA8F852FF
+%A8F87DFFFFFFA8F852FD05FFF852FFFFA8F852FD04FF5252FFFFA8F8F8A8
+%FFFF7DF827A8FFF827FF2F2F070D06938C928CBCC9CFC9BB8C928C6F070D
+%062F0706F852FD04FF27F852FD09FF52F8FD06FF52F8FFFF27FF52F852FF
+%7D52FFFFA827F827A8FFF852FD06FFF852FFFFF852FF7D7DFD05FFF87DFD
+%05FFF852FFFFFFF87DFD04FF2752FFFF7D52F852FFFF277DF8A8FFF827CF
+%CF2F0D064C689268C2CFFFCFFFCFC2688C682E0607062F52F827FD04FF7D
+%F8F8A8FD08FF52F8A8FD05FF52F8FFA827FFFF52F852A852FD04FF7DF827
+%FF2727FD05FFA8F852FFA8F82752F8A8FD04FFA8F852FD05FFF852FFFFA8
+%F852FD04FF5252FFFF7D7D7DF8FF7D52A8F87DFFF827FFCF59062F6F8C8C
+%99CFFFCFFFCFFFCF938C8C4B2F0759CFA7F852FD05FF52F827FD06FF7DFF
+%A8F852FD05FFF852FFA827FFFFFF52F8F87DFD05FF7DF8FF52F8A8FD04FF
+%A8F8A8FFFFF87DFF52F8FD05FFF87DFD05FFF852FFFFFFF852FD04FF277D
+%FFFF27A8FF272752FFFFF87DFFF827CFCF2F070693688C99FFCACFCACFCA
+%FF998C686F060759CF7CF827FD05FFA852F8F87DFFFFFF5227FFFF52F87D
+%FFFFFF5227A8FFA827FD04FF52F852FF527DFFFF5227FFFFF827A8FFFFFF
+%2752FFFFFFF852FFFF27F8FFFFFFA8F852FD05FFF87DFFFFFF52F8A8FFFF
+%7D27A8FFFF27A8FF7DF852FFFFF827FFF827FFCF53062F6E928CC2FFFFCF
+%FFCFFFCFC28C926F2F077ECFA7F852FD07FFA8FD06277DFFFFFF7D27277D
+%527DFFFFFF7DF8A8FD04FF527DFFA827525252A8FFFFFF5227527D52A8FF
+%FFFFA8F852A8FFA82727A8FFA8F852A8FFFFFF7DF827FD04FF52277D5252
+%A8FFFFA8F8A8FFFF52FFFFFF2727A8F827CFCF2F07066F8C8C92FFCFCFCA
+%CFCFCF8C8C8C4B060D59CF7CF827FD0BFFA8FD09FFA8FD05FFA8FFA8FD09
+%FFA8A8FD07FFA8A8FD05FFA8FFA8FD05FFA8FFA8FFA8FD05FFA8FFA8FD05
+%FFA8FD05FFA8FFA8FD07FFA8FFF827AF2F2F070D4B928C8CA0FFCFFFCFFF
+%998C8C92280D067ECFA1F852FD63FFF8270707060D0607688C688C99C9CA
+%C9938C688C680D0607065A76F827FD63FFF8275A062F070D07528C928C92
+%8C928C928C928C2F070D062F072EF852FD63FFF84B842F597E0607064C8C
+%8C68928C8C688C6828060D0607060D52F827FD63FFF827FFCFCFCF7E060D
+%062F6F928C928C934B2F070D0684A85A59A1F852FD63FFF827CFCFCACFCA
+%590607060D06282728060D0607067ECACFCFCF7CF827FD63FFF827FFCFFF
+%CFFFCF59062F070D072F070D062F2FA8CFFFCFFFCFA7F852FD63FFF827CF
+%CFCACFCACF2F07060D0607060D06070653CFCFCACFCAFF7CF827FD63FFF8
+%27FFCFFFCFCFA82F070D59CFA8A8A859060D07FD04CFFFCFA1F852FD63FF
+%F827CFCFCACFCFA82F0D2FCFCACFCFCFA80D060DA8CFCACFCAFF7CF827FD
+%63FFF827FFCFFFCFFFCFFFA8FFCFFFCFFFCFFF7E7EA8FFCFFFCFFFFFA7F8
+%52FD63FFFD09F820FD07F820FD07F820F8F827FD63FF27F827F820F827F8
+%20F827F820F827F820F827F820F827F820F827F87CFDE2FFFF
+%%EndData
+%%EndComments
+%%BeginDefaults
+%%ViewingOrientation: 1 0 0 1
+%%EndDefaults
+%%BeginProlog
+%%BeginResource: procset Adobe_AGM_Utils 1.0 0
+%%Version: 1.0 0
+%%Copyright: Copyright (C) 2000-2003 Adobe Systems, Inc.  All Rights Reserved.
+systemdict /setpacking known
+{
+	currentpacking
+	true setpacking
+} if
+userdict /Adobe_AGM_Utils 68 dict dup begin put
+/bdf
+{
+	bind def
+} bind def
+/nd{
+	null def
+}bdf
+/xdf
+{
+	exch def
+}bdf
+/ldf
+{
+	load def
+}bdf
+/ddf
+{
+	put
+}bdf	
+/xddf
+{
+	3 -1 roll put
+}bdf	
+/xpt
+{
+	exch put
+}bdf
+/ndf
+{
+	exch dup where{
+		pop pop pop
+	}{
+		xdf
+	}ifelse
+}def
+/cdndf
+{
+	exch dup currentdict exch known{
+		pop pop
+	}{
+		exch def
+	}ifelse
+}def
+/bdict
+{
+	mark
+}bdf
+/edict
+{
+	counttomark 2 idiv dup dict begin {def} repeat pop currentdict end
+}def
+/ps_level
+	/languagelevel where{
+		pop systemdict /languagelevel get exec
+	}{
+		1
+	}ifelse
+def
+/level2
+	ps_level 2 ge
+def
+/level3
+	ps_level 3 ge
+def
+/ps_version
+	{version cvr} stopped {
+		-1
+	}if
+def
+/makereadonlyarray
+{
+	/packedarray where{
+		pop packedarray
+	}{
+		array astore readonly
+	}ifelse
+}bdf
+/map_reserved_ink_name
+{
+	dup type /stringtype eq{
+		dup /Red eq{
+			pop (_Red_)
+		}{
+			dup /Green eq{
+				pop (_Green_)
+			}{
+				dup /Blue eq{
+					pop (_Blue_)
+				}{
+					dup () cvn eq{
+						pop (Process)
+					}if
+				}ifelse
+			}ifelse
+		}ifelse
+	}if
+}bdf
+/AGMUTIL_GSTATE 22 dict def
+/get_gstate
+{
+	AGMUTIL_GSTATE begin
+	/AGMUTIL_GSTATE_clr_spc currentcolorspace def
+	/AGMUTIL_GSTATE_clr_indx 0 def
+	/AGMUTIL_GSTATE_clr_comps 12 array def
+	mark currentcolor counttomark
+		{AGMUTIL_GSTATE_clr_comps AGMUTIL_GSTATE_clr_indx 3 -1 roll put
+		/AGMUTIL_GSTATE_clr_indx AGMUTIL_GSTATE_clr_indx 1 add def} repeat pop
+	/AGMUTIL_GSTATE_fnt rootfont def
+	/AGMUTIL_GSTATE_lw currentlinewidth def
+	/AGMUTIL_GSTATE_lc currentlinecap def
+	/AGMUTIL_GSTATE_lj currentlinejoin def
+	/AGMUTIL_GSTATE_ml currentmiterlimit def
+	currentdash /AGMUTIL_GSTATE_do xdf /AGMUTIL_GSTATE_da xdf
+	/AGMUTIL_GSTATE_sa currentstrokeadjust def
+	/AGMUTIL_GSTATE_clr_rnd currentcolorrendering def
+	/AGMUTIL_GSTATE_op currentoverprint def
+	/AGMUTIL_GSTATE_bg currentblackgeneration cvlit def
+	/AGMUTIL_GSTATE_ucr currentundercolorremoval cvlit def
+	currentcolortransfer cvlit /AGMUTIL_GSTATE_gy_xfer xdf cvlit /AGMUTIL_GSTATE_b_xfer xdf
+		cvlit /AGMUTIL_GSTATE_g_xfer xdf cvlit /AGMUTIL_GSTATE_r_xfer xdf
+	/AGMUTIL_GSTATE_ht currenthalftone def
+	/AGMUTIL_GSTATE_flt currentflat def
+	end
+}def
+/set_gstate
+{
+	AGMUTIL_GSTATE begin
+	AGMUTIL_GSTATE_clr_spc setcolorspace
+	AGMUTIL_GSTATE_clr_indx {AGMUTIL_GSTATE_clr_comps AGMUTIL_GSTATE_clr_indx 1 sub get
+	/AGMUTIL_GSTATE_clr_indx AGMUTIL_GSTATE_clr_indx 1 sub def} repeat setcolor
+	AGMUTIL_GSTATE_fnt setfont
+	AGMUTIL_GSTATE_lw setlinewidth
+	AGMUTIL_GSTATE_lc setlinecap
+	AGMUTIL_GSTATE_lj setlinejoin
+	AGMUTIL_GSTATE_ml setmiterlimit
+	AGMUTIL_GSTATE_da AGMUTIL_GSTATE_do setdash
+	AGMUTIL_GSTATE_sa setstrokeadjust
+	AGMUTIL_GSTATE_clr_rnd setcolorrendering
+	AGMUTIL_GSTATE_op setoverprint
+	AGMUTIL_GSTATE_bg cvx setblackgeneration
+	AGMUTIL_GSTATE_ucr cvx setundercolorremoval
+	AGMUTIL_GSTATE_r_xfer cvx AGMUTIL_GSTATE_g_xfer cvx AGMUTIL_GSTATE_b_xfer cvx
+		AGMUTIL_GSTATE_gy_xfer cvx setcolortransfer
+	AGMUTIL_GSTATE_ht /HalftoneType get dup 9 eq exch 100 eq or
+		{
+		currenthalftone /HalftoneType get AGMUTIL_GSTATE_ht /HalftoneType get ne
+			{
+			  mark AGMUTIL_GSTATE_ht {sethalftone} stopped cleartomark
+			} if
+		}{
+		AGMUTIL_GSTATE_ht sethalftone
+		} ifelse
+	AGMUTIL_GSTATE_flt setflat
+	end
+}def
+/get_gstate_and_matrix
+{
+	AGMUTIL_GSTATE begin
+	/AGMUTIL_GSTATE_ctm matrix currentmatrix def
+	end
+	get_gstate
+}def
+/set_gstate_and_matrix
+{
+	set_gstate
+	AGMUTIL_GSTATE begin
+	AGMUTIL_GSTATE_ctm setmatrix
+	end
+}def
+/AGMUTIL_str256 256 string def
+/AGMUTIL_src256 256 string def
+/AGMUTIL_dst64 64 string def
+/AGMUTIL_srcLen nd
+/AGMUTIL_ndx nd
+/agm_sethalftone
+{
+	dup
+	begin
+		/_Data load
+		/Thresholds xdf
+	end
+	level3
+	{ sethalftone }{
+		dup /HalftoneType get 3 eq {
+			sethalftone
+		} {pop} ifelse
+	}ifelse
+} def
+/rdcmntline
+{
+	currentfile AGMUTIL_str256 readline pop
+	(%) anchorsearch {pop} if
+} bdf
+/filter_cmyk
+{	
+	dup type /filetype ne{
+		exch () /SubFileDecode filter
+	}
+	{
+		exch pop
+	}
+	ifelse
+	[
+	exch
+	{
+		AGMUTIL_src256 readstring pop
+		dup length /AGMUTIL_srcLen exch def
+		/AGMUTIL_ndx 0 def
+		AGMCORE_plate_ndx 4 AGMUTIL_srcLen 1 sub{
+			1 index exch get
+			AGMUTIL_dst64 AGMUTIL_ndx 3 -1 roll put
+			/AGMUTIL_ndx AGMUTIL_ndx 1 add def
+		}for
+		pop
+		AGMUTIL_dst64 0 AGMUTIL_ndx getinterval
+	}
+	bind
+	/exec cvx
+	] cvx
+} bdf
+/filter_indexed_devn
+{
+	cvi Names length mul names_index add Lookup exch get
+} bdf
+/filter_devn
+{	
+	4 dict begin
+	/srcStr xdf
+	/dstStr xdf
+	dup type /filetype ne{
+		0 () /SubFileDecode filter
+	}if
+	[
+	exch
+		[
+			/devicen_colorspace_dict /AGMCORE_gget cvx /begin cvx
+			currentdict /srcStr get /readstring cvx /pop cvx
+			/dup cvx /length cvx 0 /gt cvx [
+				Adobe_AGM_Utils /AGMUTIL_ndx 0 /ddf cvx
+				names_index Names length currentdict /srcStr get length 1 sub {
+					1 /index cvx /exch cvx /get cvx
+					currentdict /dstStr get /AGMUTIL_ndx /load cvx 3 -1 /roll cvx /put cvx
+					Adobe_AGM_Utils /AGMUTIL_ndx /AGMUTIL_ndx /load cvx 1 /add cvx /ddf cvx
+				} for
+				currentdict /dstStr get 0 /AGMUTIL_ndx /load cvx /getinterval cvx
+			] cvx /if cvx
+			/end cvx
+		] cvx
+		bind
+		/exec cvx
+	] cvx
+	end
+} bdf
+/AGMUTIL_imagefile nd
+/read_image_file
+{
+	AGMUTIL_imagefile 0 setfileposition
+	10 dict begin
+	/imageDict xdf
+	/imbufLen Width BitsPerComponent mul 7 add 8 idiv def
+	/imbufIdx 0 def
+	/origDataSource imageDict /DataSource get def
+	/origMultipleDataSources imageDict /MultipleDataSources get def
+	/origDecode imageDict /Decode get def
+	/dstDataStr imageDict /Width get colorSpaceElemCnt mul string def
+	/srcDataStrs [ imageDict begin
+		currentdict /MultipleDataSources known {MultipleDataSources {DataSource length}{1}ifelse}{1} ifelse
+		{
+			Width Decode length 2 div mul cvi string
+		} repeat
+		end ] def
+	imageDict /MultipleDataSources known {MultipleDataSources}{false} ifelse
+	{
+		/imbufCnt imageDict /DataSource get length def
+		/imbufs imbufCnt array def
+		0 1 imbufCnt 1 sub {
+			/imbufIdx xdf
+			imbufs imbufIdx imbufLen string put
+			imageDict /DataSource get imbufIdx [ AGMUTIL_imagefile imbufs imbufIdx get /readstring cvx /pop cvx ] cvx put
+		} for
+		DeviceN_PS2 {
+			imageDict begin
+		 	/DataSource [ DataSource /devn_sep_datasource cvx ] cvx def
+			/MultipleDataSources false def
+			/Decode [0 1] def
+			end
+		} if
+	}{
+		/imbuf imbufLen string def
+		Indexed_DeviceN level3 not and DeviceN_NoneName or {
+			imageDict begin
+		 	/DataSource [AGMUTIL_imagefile Decode BitsPerComponent false 1 /filter_indexed_devn load dstDataStr srcDataStrs devn_alt_datasource /exec cvx] cvx def
+			/Decode [0 1] def
+			end
+		}{
+			imageDict /DataSource {AGMUTIL_imagefile imbuf readstring pop} put
+		} ifelse
+	} ifelse
+	imageDict exch
+	load exec
+	imageDict /DataSource origDataSource put
+	imageDict /MultipleDataSources origMultipleDataSources put
+	imageDict /Decode origDecode put	
+	end
+} bdf
+/write_image_file
+{
+	begin
+	{ (AGMUTIL_imagefile) (w+) file } stopped{
+		false
+	}{
+		Adobe_AGM_Utils/AGMUTIL_imagefile xddf
+		2 dict begin
+		/imbufLen Width BitsPerComponent mul 7 add 8 idiv def
+		MultipleDataSources {DataSource 0 get}{DataSource}ifelse type /filetype eq {
+			/imbuf imbufLen string def
+		}if
+		1 1 Height {
+			pop
+			MultipleDataSources {
+			 	0 1 DataSource length 1 sub {
+					DataSource type dup
+					/arraytype eq {
+						pop DataSource exch get exec
+					}{
+						/filetype eq {
+							DataSource exch get imbuf readstring pop
+						}{
+							DataSource exch get
+						} ifelse
+					} ifelse
+					AGMUTIL_imagefile exch writestring
+				} for
+			}{
+				DataSource type dup
+				/arraytype eq {
+					pop DataSource exec
+				}{
+					/filetype eq {
+						DataSource imbuf readstring pop
+					}{
+						DataSource
+					} ifelse
+				} ifelse
+				AGMUTIL_imagefile exch writestring
+			} ifelse
+		}for
+		end
+		true
+	}ifelse
+	end
+} bdf
+/close_image_file
+{
+	AGMUTIL_imagefile closefile (AGMUTIL_imagefile) deletefile
+}def
+statusdict /product known userdict /AGMP_current_show known not and{
+	/pstr statusdict /product get def
+	pstr (HP LaserJet 2200) eq 	
+	pstr (HP LaserJet 4000 Series) eq or
+	pstr (HP LaserJet 4050 Series ) eq or
+	pstr (HP LaserJet 8000 Series) eq or
+	pstr (HP LaserJet 8100 Series) eq or
+	pstr (HP LaserJet 8150 Series) eq or
+	pstr (HP LaserJet 5000 Series) eq or
+	pstr (HP LaserJet 5100 Series) eq or
+	pstr (HP Color LaserJet 4500) eq or
+	pstr (HP Color LaserJet 4600) eq or
+	pstr (HP LaserJet 5Si) eq or
+	pstr (HP LaserJet 1200 Series) eq or
+	pstr (HP LaserJet 1300 Series) eq or
+	pstr (HP LaserJet 4100 Series) eq or
+	{
+ 		userdict /AGMP_current_show /show load put
+		userdict /show {
+		  currentcolorspace 0 get
+		  /Pattern eq
+		  {false charpath f}
+		  {AGMP_current_show} ifelse
+		} put
+	}if
+	currentdict /pstr undef
+} if
+/consumeimagedata
+{
+	begin
+	currentdict /MultipleDataSources known not
+		{/MultipleDataSources false def} if
+	MultipleDataSources
+		{
+		1 dict begin
+		/flushbuffer Width cvi string def
+		1 1 Height cvi
+			{
+			pop
+			0 1 DataSource length 1 sub
+				{
+				DataSource exch get
+				dup type dup
+				/filetype eq
+					{
+					exch flushbuffer readstring pop pop
+					}if
+				/arraytype eq
+					{
+					exec pop
+					}if
+				}for
+			}for
+		end
+		}
+		{
+		/DataSource load type dup
+		/filetype eq
+			{
+			1 dict begin
+			/flushbuffer Width Decode length 2 div mul cvi string def
+			1 1 Height { pop DataSource flushbuffer readstring pop pop} for
+			end
+			}if
+		/arraytype eq
+			{
+			1 1 Height { pop DataSource pop } for
+			}if
+		}ifelse
+	end
+}bdf
+/addprocs
+{
+	  2{/exec load}repeat
+	  3 1 roll
+	  [ 5 1 roll ] bind cvx
+}def
+/modify_halftone_xfer
+{
+	currenthalftone dup length dict copy begin
+	 currentdict 2 index known{
+	 	1 index load dup length dict copy begin
+		currentdict/TransferFunction known{
+			/TransferFunction load
+		}{
+			currenttransfer
+		}ifelse
+		 addprocs /TransferFunction xdf
+		 currentdict end def
+		currentdict end sethalftone
+	}{
+		currentdict/TransferFunction known{
+			/TransferFunction load
+		}{
+			currenttransfer
+		}ifelse
+		addprocs /TransferFunction xdf
+		currentdict end sethalftone		
+		pop
+	}ifelse
+}def
+/clonearray
+{
+	dup xcheck exch
+	dup length array exch
+	Adobe_AGM_Core/AGMCORE_tmp -1 ddf
+	{
+	Adobe_AGM_Core/AGMCORE_tmp AGMCORE_tmp 1 add ddf
+	dup type /dicttype eq
+		{
+			AGMCORE_tmp
+			exch
+			clonedict
+			Adobe_AGM_Core/AGMCORE_tmp 4 -1 roll ddf
+		} if
+	dup type /arraytype eq
+		{
+			AGMCORE_tmp exch
+			clonearray
+			Adobe_AGM_Core/AGMCORE_tmp 4 -1 roll ddf
+		} if
+	exch dup
+	AGMCORE_tmp 4 -1 roll put
+	}forall
+	exch {cvx} if
+}bdf
+/clonedict
+{
+	dup length dict
+	begin
+		{
+		dup type /dicttype eq
+			{
+				clonedict
+			} if
+		dup type /arraytype eq
+			{
+				clonearray
+			} if
+		def
+		}forall
+	currentdict
+	end
+}bdf
+/DeviceN_PS2
+{
+	/currentcolorspace AGMCORE_gget 0 get /DeviceN eq level3 not and
+} bdf
+/Indexed_DeviceN
+{
+	/indexed_colorspace_dict AGMCORE_gget dup null ne {
+		/CSD known
+	}{
+		pop false
+	} ifelse
+} bdf
+/DeviceN_NoneName
+{	
+	/Names where {
+		pop
+		false Names
+		{
+			(None) eq or
+		} forall
+	}{
+		false
+	}ifelse
+} bdf
+/DeviceN_PS2_inRip_seps
+{
+	/AGMCORE_in_rip_sep where
+	{
+		pop dup type dup /arraytype eq exch /packedarraytype eq or
+		{
+			dup 0 get /DeviceN eq level3 not and AGMCORE_in_rip_sep and
+			{
+				/currentcolorspace exch AGMCORE_gput
+				false
+			}
+			{
+				true
+			}ifelse
+		}
+		{
+			true
+		} ifelse
+	}
+	{
+		true
+	} ifelse
+} bdf
+/base_colorspace_type
+{
+	dup type /arraytype eq {0 get} if
+} bdf
+/doc_setup{
+	Adobe_AGM_Utils begin
+}bdf
+/doc_trailer{
+	currentdict Adobe_AGM_Utils eq{
+		end
+	}if
+}bdf
+systemdict /setpacking known
+{
+	setpacking
+} if
+%%EndResource
+%%BeginResource: procset Adobe_AGM_Core 2.0 0
+%%Version: 2.0 0
+%%Copyright: Copyright (C) 1997-2003 Adobe Systems, Inc.  All Rights Reserved.
+systemdict /setpacking known
+{
+	currentpacking
+	true setpacking
+} if
+userdict /Adobe_AGM_Core 216 dict dup begin put
+/nd{
+	null def
+}bind def
+/Adobe_AGM_Core_Id /Adobe_AGM_Core_2.0_0 def
+/AGMCORE_str256 256 string def
+/AGMCORE_save nd
+/AGMCORE_graphicsave nd
+/AGMCORE_c 0 def
+/AGMCORE_m 0 def
+/AGMCORE_y 0 def
+/AGMCORE_k 0 def
+/AGMCORE_cmykbuf 4 array def
+/AGMCORE_screen [currentscreen] cvx def
+/AGMCORE_tmp 0 def
+/AGMCORE_&setgray nd
+/AGMCORE_&setcolor nd
+/AGMCORE_&setcolorspace nd
+/AGMCORE_&setcmykcolor nd
+/AGMCORE_cyan_plate nd
+/AGMCORE_magenta_plate nd
+/AGMCORE_yellow_plate nd
+/AGMCORE_black_plate nd
+/AGMCORE_plate_ndx nd
+/AGMCORE_get_ink_data nd
+/AGMCORE_is_cmyk_sep nd
+/AGMCORE_host_sep nd
+/AGMCORE_avoid_L2_sep_space nd
+/AGMCORE_distilling nd
+/AGMCORE_composite_job nd
+/AGMCORE_producing_seps nd
+/AGMCORE_ps_level -1 def
+/AGMCORE_ps_version -1 def
+/AGMCORE_environ_ok nd
+/AGMCORE_CSA_cache 0 dict def
+/AGMCORE_CSD_cache 0 dict def
+/AGMCORE_pattern_cache 0 dict def
+/AGMCORE_currentoverprint false def
+/AGMCORE_deltaX nd
+/AGMCORE_deltaY nd
+/AGMCORE_name nd
+/AGMCORE_sep_special nd
+/AGMCORE_err_strings 4 dict def
+/AGMCORE_cur_err nd
+/AGMCORE_ovp nd
+/AGMCORE_current_spot_alias false def
+/AGMCORE_inverting false def
+/AGMCORE_feature_dictCount nd
+/AGMCORE_feature_opCount nd
+/AGMCORE_feature_ctm nd
+/AGMCORE_ConvertToProcess false def
+/AGMCORE_Default_CTM matrix def
+/AGMCORE_Default_PageSize nd
+/AGMCORE_currentbg nd
+/AGMCORE_currentucr nd
+/AGMCORE_gradientcache 32 dict def
+/AGMCORE_in_pattern false def
+/knockout_unitsq nd
+/AGMCORE_CRD_cache where{
+	pop
+}{
+	/AGMCORE_CRD_cache 0 dict def
+}ifelse
+/AGMCORE_key_known
+{
+	where{
+		/Adobe_AGM_Core_Id known
+	}{
+		false
+	}ifelse
+}ndf
+/flushinput
+{
+	save
+	2 dict begin
+	/CompareBuffer 3 -1 roll def
+	/readbuffer 256 string def
+	mark
+	{
+	currentfile readbuffer {readline} stopped
+		{cleartomark mark}
+		{
+		not
+			{pop exit}
+		if
+		CompareBuffer eq
+			{exit}
+		if
+		}ifelse
+	}loop
+	cleartomark
+	end
+	restore
+}bdf
+/getspotfunction
+{
+	AGMCORE_screen exch pop exch pop
+	dup type /dicttype eq{
+		dup /HalftoneType get 1 eq{
+			/SpotFunction get
+		}{
+			dup /HalftoneType get 2 eq{
+				/GraySpotFunction get
+			}{
+				pop
+				{
+					abs exch abs 2 copy add 1 gt{
+						1 sub dup mul exch 1 sub dup mul add 1 sub
+					}{
+						dup mul exch dup mul add 1 exch sub
+					}ifelse
+				}bind
+			}ifelse
+		}ifelse
+	}if
+} def
+/clp_npth
+{
+	clip newpath
+} def
+/eoclp_npth
+{
+	eoclip newpath
+} def
+/npth_clp
+{
+	newpath clip
+} def
+/add_grad
+{
+	AGMCORE_gradientcache 3 1 roll put
+}bdf
+/exec_grad
+{
+	AGMCORE_gradientcache exch get exec
+}bdf
+/graphic_setup
+{
+	/AGMCORE_graphicsave save def
+	concat
+	0 setgray
+	0 setlinecap
+	0 setlinejoin
+	1 setlinewidth
+	[] 0 setdash
+	10 setmiterlimit
+	newpath
+	false setoverprint
+	false setstrokeadjust
+	Adobe_AGM_Core/spot_alias get exec
+	/Adobe_AGM_Image where {
+		pop
+		Adobe_AGM_Image/spot_alias 2 copy known{
+			get exec
+		}{
+			pop pop
+		}ifelse
+	} if
+	100 dict begin
+	/dictstackcount countdictstack def
+	/showpage {} def
+	mark
+} def
+/graphic_cleanup
+{
+	cleartomark
+	dictstackcount 1 countdictstack 1 sub {end}for
+	end
+	AGMCORE_graphicsave restore
+} def
+/compose_error_msg
+{
+	grestoreall initgraphics	
+	/Helvetica findfont 10 scalefont setfont
+	/AGMCORE_deltaY 100 def
+	/AGMCORE_deltaX 310 def
+	clippath pathbbox newpath pop pop 36 add exch 36 add exch moveto
+	0 AGMCORE_deltaY rlineto AGMCORE_deltaX 0 rlineto
+	0 AGMCORE_deltaY neg rlineto AGMCORE_deltaX neg 0 rlineto closepath
+	0 AGMCORE_&setgray
+	gsave 1 AGMCORE_&setgray fill grestore
+	1 setlinewidth gsave stroke grestore
+	currentpoint AGMCORE_deltaY 15 sub add exch 8 add exch moveto
+	/AGMCORE_deltaY 12 def
+	/AGMCORE_tmp 0 def
+	AGMCORE_err_strings exch get
+		{
+		dup 32 eq
+			{
+			pop
+			AGMCORE_str256 0 AGMCORE_tmp getinterval
+			stringwidth pop currentpoint pop add AGMCORE_deltaX 28 add gt
+				{
+				currentpoint AGMCORE_deltaY sub exch pop
+				clippath pathbbox pop pop pop 44 add exch moveto
+				} if
+			AGMCORE_str256 0 AGMCORE_tmp getinterval show ( ) show
+			0 1 AGMCORE_str256 length 1 sub
+				{
+				AGMCORE_str256 exch 0 put
+				}for
+			/AGMCORE_tmp 0 def
+			}
+			{
+				AGMCORE_str256 exch AGMCORE_tmp xpt
+				/AGMCORE_tmp AGMCORE_tmp 1 add def
+			} ifelse
+		} forall
+} bdf
+/doc_setup{
+	Adobe_AGM_Core begin
+	/AGMCORE_ps_version xdf
+	/AGMCORE_ps_level xdf
+	errordict /AGM_handleerror known not{
+		errordict /AGM_handleerror errordict /handleerror get put
+		errordict /handleerror {
+			Adobe_AGM_Core begin
+			$error /newerror get AGMCORE_cur_err null ne and{
+				$error /newerror false put
+				AGMCORE_cur_err compose_error_msg
+			}if
+			$error /newerror true put
+			end
+			errordict /AGM_handleerror get exec
+			} bind put
+		}if
+	/AGMCORE_environ_ok
+		ps_level AGMCORE_ps_level ge
+		ps_version AGMCORE_ps_version ge and
+		AGMCORE_ps_level -1 eq or
+	def
+	AGMCORE_environ_ok not
+		{/AGMCORE_cur_err /AGMCORE_bad_environ def} if
+	/AGMCORE_&setgray systemdict/setgray get def
+	level2{
+		/AGMCORE_&setcolor systemdict/setcolor get def
+		/AGMCORE_&setcolorspace systemdict/setcolorspace get def
+	}if
+	/AGMCORE_currentbg currentblackgeneration def
+	/AGMCORE_currentucr currentundercolorremoval def
+	/AGMCORE_distilling
+		/product where{
+			pop systemdict/setdistillerparams known product (Adobe PostScript Parser) ne and
+		}{
+			false
+		}ifelse
+	def
+	level2 not{
+		/xput{
+			dup load dup length exch maxlength eq{
+				dup dup load dup
+				length dup 0 eq {pop 1} if 2 mul dict copy def
+			}if
+			load begin
+				def
+ 			end
+		}def
+	}{
+		/xput{
+			load 3 1 roll put
+		}def
+	}ifelse
+	/AGMCORE_GSTATE AGMCORE_key_known not{
+		/AGMCORE_GSTATE 21 dict def
+		/AGMCORE_tmpmatrix matrix def
+		/AGMCORE_gstack 32 array def
+		/AGMCORE_gstackptr 0 def
+		/AGMCORE_gstacksaveptr 0 def
+		/AGMCORE_gstackframekeys 10 def
+		/AGMCORE_&gsave /gsave ldf
+		/AGMCORE_&grestore /grestore ldf
+		/AGMCORE_&grestoreall /grestoreall ldf
+		/AGMCORE_&save /save ldf
+		/AGMCORE_gdictcopy {
+			begin
+			{ def } forall
+			end
+		}def
+		/AGMCORE_gput {
+			AGMCORE_gstack AGMCORE_gstackptr get
+			3 1 roll
+			put
+		}def
+		/AGMCORE_gget {
+			AGMCORE_gstack AGMCORE_gstackptr get
+			exch
+			get
+		}def
+		/gsave {
+			AGMCORE_&gsave
+			AGMCORE_gstack AGMCORE_gstackptr get
+			AGMCORE_gstackptr 1 add
+			dup 32 ge {limitcheck} if
+			Adobe_AGM_Core exch
+			/AGMCORE_gstackptr xpt
+			AGMCORE_gstack AGMCORE_gstackptr get
+			AGMCORE_gdictcopy
+		}def
+		/grestore {
+			AGMCORE_&grestore
+			AGMCORE_gstackptr 1 sub
+			dup AGMCORE_gstacksaveptr lt {1 add} if
+			Adobe_AGM_Core exch
+			/AGMCORE_gstackptr xpt
+		}def
+		/grestoreall {
+			AGMCORE_&grestoreall
+			Adobe_AGM_Core
+			/AGMCORE_gstackptr AGMCORE_gstacksaveptr put
+		}def
+		/save {
+			AGMCORE_&save
+			AGMCORE_gstack AGMCORE_gstackptr get
+			AGMCORE_gstackptr 1 add
+			dup 32 ge {limitcheck} if
+			Adobe_AGM_Core begin
+				/AGMCORE_gstackptr exch def
+				/AGMCORE_gstacksaveptr AGMCORE_gstackptr def
+			end
+			AGMCORE_gstack AGMCORE_gstackptr get
+			AGMCORE_gdictcopy
+		}def
+		0 1 AGMCORE_gstack length 1 sub {
+				AGMCORE_gstack exch AGMCORE_gstackframekeys dict put
+		} for
+	}if
+	level3 /AGMCORE_&sysshfill AGMCORE_key_known not and
+	{
+		/AGMCORE_&sysshfill systemdict/shfill get def
+		/AGMCORE_&usrshfill /shfill load def
+		/AGMCORE_&sysmakepattern systemdict/makepattern get def
+		/AGMCORE_&usrmakepattern /makepattern load def
+	}if
+	/currentcmykcolor [0 0 0 0] AGMCORE_gput
+	/currentstrokeadjust false AGMCORE_gput
+	/currentcolorspace [/DeviceGray] AGMCORE_gput
+	/sep_tint 0 AGMCORE_gput
+	/devicen_tints [0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] AGMCORE_gput
+	/sep_colorspace_dict null AGMCORE_gput
+	/devicen_colorspace_dict null AGMCORE_gput
+	/indexed_colorspace_dict null AGMCORE_gput
+	/currentcolor_intent () AGMCORE_gput
+	/customcolor_tint 1 AGMCORE_gput
+	<<
+	/MaxPatternItem currentsystemparams /MaxPatternCache get
+	>>
+	setuserparams
+	end
+}def
+/page_setup
+{
+	/setcmykcolor where{
+		pop
+		Adobe_AGM_Core/AGMCORE_&setcmykcolor /setcmykcolor load put
+	}if
+	Adobe_AGM_Core begin
+	/setcmykcolor
+	{
+		4 copy AGMCORE_cmykbuf astore /currentcmykcolor exch AGMCORE_gput
+		1 sub 4 1 roll
+		3 {
+			3 index add neg dup 0 lt {
+				pop 0
+			} if
+			3 1 roll
+		} repeat
+		setrgbcolor pop
+	}ndf
+	/currentcmykcolor
+	{
+		/currentcmykcolor AGMCORE_gget aload pop
+	}ndf
+	/setoverprint
+	{
+		pop
+	}ndf
+	/currentoverprint
+	{
+		false
+	}ndf
+	/AGMCORE_deviceDPI 72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt def
+	/AGMCORE_cyan_plate 1 0 0 0 test_cmyk_color_plate def
+	/AGMCORE_magenta_plate 0 1 0 0 test_cmyk_color_plate def
+	/AGMCORE_yellow_plate 0 0 1 0 test_cmyk_color_plate def
+	/AGMCORE_black_plate 0 0 0 1 test_cmyk_color_plate def
+	/AGMCORE_plate_ndx
+		AGMCORE_cyan_plate{
+			0
+		}{
+			AGMCORE_magenta_plate{
+				1
+			}{
+				AGMCORE_yellow_plate{
+					2
+				}{
+					AGMCORE_black_plate{
+						3
+					}{
+						4
+					}ifelse
+				}ifelse
+			}ifelse
+		}ifelse
+		def
+	/AGMCORE_have_reported_unsupported_color_space false def
+	/AGMCORE_report_unsupported_color_space
+	{
+		AGMCORE_have_reported_unsupported_color_space false eq
+		{
+			(Warning: Job contains content that cannot be separated with on-host methods. This content appears on the black plate, and knocks out all other plates.) ==
+			Adobe_AGM_Core /AGMCORE_have_reported_unsupported_color_space true ddf
+		} if
+	}def
+	/AGMCORE_composite_job
+		AGMCORE_cyan_plate AGMCORE_magenta_plate and AGMCORE_yellow_plate and AGMCORE_black_plate and def
+	/AGMCORE_in_rip_sep
+		/AGMCORE_in_rip_sep where{
+			pop AGMCORE_in_rip_sep
+		}{
+			AGMCORE_distilling
+			{
+				false
+			}{
+				userdict/Adobe_AGM_OnHost_Seps known{
+					false
+				}{
+					level2{
+						currentpagedevice/Separations 2 copy known{
+							get
+						}{
+							pop pop false
+						}ifelse
+					}{
+						false
+					}ifelse
+				}ifelse
+			}ifelse
+		}ifelse
+	def
+	/AGMCORE_producing_seps AGMCORE_composite_job not AGMCORE_in_rip_sep or def
+	/AGMCORE_host_sep AGMCORE_producing_seps AGMCORE_in_rip_sep not and def
+	/AGM_preserve_spots
+		/AGM_preserve_spots where{
+			pop AGM_preserve_spots
+		}{
+			AGMCORE_distilling AGMCORE_producing_seps or
+		}ifelse
+	def
+	/AGM_is_distiller_preserving_spotimages
+	{
+		currentdistillerparams/PreserveOverprintSettings known
+		{
+			currentdistillerparams/PreserveOverprintSettings get
+				{
+					currentdistillerparams/ColorConversionStrategy known
+					{
+						currentdistillerparams/ColorConversionStrategy get
+						/LeaveColorUnchanged eq
+					}{
+						true
+					}ifelse
+				}{
+					false
+				}ifelse
+		}{
+			false
+		}ifelse
+	}def
+	/convert_spot_to_process where {pop}{
+		/convert_spot_to_process
+		{
+			dup map_alias {
+				/Name get exch pop
+			} if
+			dup dup (None) eq exch (All) eq or
+				{
+				pop false
+				}{
+				AGMCORE_host_sep
+				{
+					gsave
+					1 0 0 0 setcmykcolor currentgray 1 exch sub
+					0 1 0 0 setcmykcolor currentgray 1 exch sub
+					0 0 1 0 setcmykcolor currentgray 1 exch sub
+					0 0 0 1 setcmykcolor currentgray 1 exch sub
+					add add add 0 eq
+					{
+						pop false
+					}{
+						false setoverprint
+						1 1 1 1 5 -1 roll findcmykcustomcolor 1 setcustomcolor
+						currentgray 0 eq
+					}ifelse
+					grestore
+				}{
+					AGMCORE_distilling
+					{
+						pop AGM_is_distiller_preserving_spotimages not
+					}{
+						Adobe_AGM_Core/AGMCORE_name xddf
+						false
+						Adobe_AGM_Core/AGMCORE_in_pattern known {Adobe_AGM_Core/AGMCORE_in_pattern get}{false} ifelse
+						not currentpagedevice/OverrideSeparations known and
+							{
+							currentpagedevice/OverrideSeparations get
+								{
+								/HqnSpots /ProcSet resourcestatus
+									{
+									pop pop pop true
+									}if
+								}if
+							}if					
+							{
+							AGMCORE_name /HqnSpots /ProcSet findresource /TestSpot get exec not
+							}{
+							gsave
+							[/Separation AGMCORE_name /DeviceGray {}]setcolorspace
+							false
+							currentpagedevice/SeparationColorNames 2 copy known
+							{
+								get
+								{ AGMCORE_name eq or}forall
+							not
+							}{
+								pop pop pop true
+							}ifelse
+							grestore
+						}ifelse
+					}ifelse
+				}ifelse
+			}ifelse
+		}def
+	}ifelse
+	/convert_to_process where {pop}{
+		/convert_to_process
+		{
+			dup length 0 eq
+				{
+				pop false
+				}{
+				AGMCORE_host_sep
+				{
+				dup true exch
+					{
+					dup (Cyan) eq exch
+					dup (Magenta) eq 3 -1 roll or exch
+					dup (Yellow) eq 3 -1 roll or exch
+					dup (Black) eq 3 -1 roll or
+						{pop}
+						{convert_spot_to_process and}ifelse
+					}
+				forall
+					{
+					true exch
+						{
+						dup (Cyan) eq exch
+						dup (Magenta) eq 3 -1 roll or exch
+						dup (Yellow) eq 3 -1 roll or exch
+						(Black) eq or and
+						}forall
+						not
+					}{pop false}ifelse
+				}{
+				false exch
+					{
+					dup (Cyan) eq exch
+					dup (Magenta) eq 3 -1 roll or exch
+					dup (Yellow) eq 3 -1 roll or exch
+					dup (Black) eq 3 -1 roll or
+					{pop}
+					{convert_spot_to_process or}ifelse
+					}
+				forall
+				}ifelse
+			}ifelse
+		}def
+	}ifelse	
+	/AGMCORE_avoid_L2_sep_space
+		version cvr 2012 lt
+		level2 and
+		AGMCORE_producing_seps not and
+	def
+	/AGMCORE_is_cmyk_sep
+		AGMCORE_cyan_plate AGMCORE_magenta_plate or AGMCORE_yellow_plate or AGMCORE_black_plate or
+	def
+	/AGM_avoid_0_cmyk where{
+		pop AGM_avoid_0_cmyk
+	}{
+		AGM_preserve_spots
+		userdict/Adobe_AGM_OnHost_Seps known
+		userdict/Adobe_AGM_InRip_Seps known or
+		not and
+	}ifelse
+	{
+		/setcmykcolor[
+			{
+				4 copy add add add 0 eq currentoverprint and{
+					pop 0.0005
+				}if
+			}/exec cvx
+			/AGMCORE_&setcmykcolor load dup type/operatortype ne{
+				/exec cvx
+			}if
+		]cvx def
+	}if
+	AGMCORE_host_sep{
+		/setcolortransfer
+		{
+			AGMCORE_cyan_plate{
+				pop pop pop
+			}{
+			  	AGMCORE_magenta_plate{
+			  		4 3 roll pop pop pop
+			  	}{
+			  		AGMCORE_yellow_plate{
+			  			4 2 roll pop pop pop
+			  		}{
+			  			4 1 roll pop pop pop
+			  		}ifelse
+			  	}ifelse
+			}ifelse
+			settransfer
+		}	
+		def
+		/AGMCORE_get_ink_data
+			AGMCORE_cyan_plate{
+				{pop pop pop}
+			}{
+			  	AGMCORE_magenta_plate{
+			  		{4 3 roll pop pop pop}
+			  	}{
+			  		AGMCORE_yellow_plate{
+			  			{4 2 roll pop pop pop}
+			  		}{
+			  			{4 1 roll pop pop pop}
+			  		}ifelse
+			  	}ifelse
+			}ifelse
+		def
+		/AGMCORE_RemoveProcessColorNames
+			{
+			1 dict begin
+			/filtername
+				{
+				dup /Cyan eq 1 index (Cyan) eq or
+					{pop (_cyan_)}if
+				dup /Magenta eq 1 index (Magenta) eq or
+					{pop (_magenta_)}if
+				dup /Yellow eq 1 index (Yellow) eq or
+					{pop (_yellow_)}if
+				dup /Black eq 1 index (Black) eq or
+					{pop (_black_)}if
+				}def
+			dup type /arraytype eq
+				{[exch {filtername}forall]}
+				{filtername}ifelse
+			end
+			}def
+		/AGMCORE_IsSeparationAProcessColor
+			{
+			dup (Cyan) eq exch dup (Magenta) eq exch dup (Yellow) eq exch (Black) eq or or or
+			}def
+		level3 {
+			/AGMCORE_IsCurrentColor
+				{
+				gsave
+				false setoverprint
+				1 1 1 1 5 -1 roll findcmykcustomcolor 1 setcustomcolor
+				currentgray 0 eq
+				grestore
+				}def
+			/AGMCORE_filter_functiondatasource
+				{	
+				5 dict begin
+				/data_in xdf
+				data_in type /stringtype eq
+					{
+					/ncomp xdf
+					/comp xdf
+					/string_out data_in length ncomp idiv string def
+					0 ncomp data_in length 1 sub
+						{
+						string_out exch dup ncomp idiv exch data_in exch ncomp getinterval comp get 255 exch sub put
+						}for
+					string_out
+					}{
+					string /string_in xdf
+					/string_out 1 string def
+					/component xdf
+					[
+					data_in string_in /readstring cvx
+						[component /get cvx 255 /exch cvx /sub cvx string_out /exch cvx 0 /exch cvx /put cvx string_out]cvx
+						[/pop cvx ()]cvx /ifelse cvx
+					]cvx /ReusableStreamDecode filter
+				}ifelse
+				end
+				}def
+			/AGMCORE_separateShadingFunction
+				{
+				2 dict begin
+				/paint? xdf
+				/channel xdf
+					begin
+					FunctionType 0 eq
+						{
+						/DataSource channel Range length 2 idiv DataSource AGMCORE_filter_functiondatasource def
+						currentdict /Decode known
+							{/Decode Decode channel 2 mul 2 getinterval def}if
+						paint? not
+							{/Decode [1 1]def}if
+						}if
+					FunctionType 2 eq
+						{
+						paint?
+							{
+							/C0 [C0 channel get 1 exch sub] def
+							/C1 [C1 channel get 1 exch sub] def
+							}{
+							/C0 [1] def
+							/C1 [1] def
+							}ifelse			
+						}if
+					FunctionType 3 eq
+						{
+						/Functions [Functions {channel paint? AGMCORE_separateShadingFunction} forall] def			
+						}if
+					currentdict /Range known
+						{/Range [0 1] def}if
+					currentdict
+					end
+				end
+				}def
+			/AGMCORE_separateShading
+				{
+				3 -1 roll begin
+				currentdict /Function known
+					{
+					currentdict /Background known
+						{[1 index{Background 3 index get 1 exch sub}{1}ifelse]/Background xdf}if
+					Function 3 1 roll AGMCORE_separateShadingFunction /Function xdf
+					/ColorSpace [/DeviceGray] def
+					}{
+					ColorSpace dup type /arraytype eq {0 get}if /DeviceCMYK eq
+						{
+						/ColorSpace [/DeviceN [/_cyan_ /_magenta_ /_yellow_ /_black_] /DeviceCMYK {}] def
+						}{
+						ColorSpace dup 1 get AGMCORE_RemoveProcessColorNames 1 exch put
+						}ifelse
+					ColorSpace 0 get /Separation eq
+						{
+							{
+								[1 /exch cvx /sub cvx]cvx
+							}{
+								[/pop cvx 1]cvx
+							}ifelse
+							ColorSpace 3 3 -1 roll put
+							pop
+						}{
+							{
+								[exch ColorSpace 1 get length 1 sub exch sub /index cvx 1 /exch cvx /sub cvx ColorSpace 1 get length 1 add 1 /roll cvx ColorSpace 1 get length{/pop cvx} repeat]cvx
+							}{
+								pop [ColorSpace 1 get length {/pop cvx} repeat cvx 1]cvx
+							}ifelse
+							ColorSpace 3 3 -1 roll bind put
+						}ifelse
+					ColorSpace 2 /DeviceGray put																		
+					}ifelse
+				end
+				}def
+			/AGMCORE_separateShadingDict
+				{
+				dup /ColorSpace get
+				dup type /arraytype ne
+					{[exch]}if
+				dup 0 get /DeviceCMYK eq
+					{
+					exch begin
+					currentdict
+					AGMCORE_cyan_plate
+						{0 true}if
+					AGMCORE_magenta_plate
+						{1 true}if
+					AGMCORE_yellow_plate
+						{2 true}if
+					AGMCORE_black_plate
+						{3 true}if
+					AGMCORE_plate_ndx 4 eq
+						{0 false}if		
+					dup not currentoverprint and
+						{/AGMCORE_ignoreshade true def}if
+					AGMCORE_separateShading
+					currentdict
+					end exch
+					}if
+				dup 0 get /Separation eq
+					{
+					exch begin
+					ColorSpace 1 get dup /None ne exch /All ne and
+						{
+						ColorSpace 1 get AGMCORE_IsCurrentColor AGMCORE_plate_ndx 4 lt and ColorSpace 1 get AGMCORE_IsSeparationAProcessColor not and
+							{
+							ColorSpace 2 get dup type /arraytype eq {0 get}if /DeviceCMYK eq
+								{
+								/ColorSpace
+									[
+									/Separation
+									ColorSpace 1 get
+									/DeviceGray
+										[
+										ColorSpace 3 get /exec cvx
+										4 AGMCORE_plate_ndx sub -1 /roll cvx
+										4 1 /roll cvx
+										3 [/pop cvx]cvx /repeat cvx
+										1 /exch cvx /sub cvx
+										]cvx									
+									]def
+								}{
+								AGMCORE_report_unsupported_color_space
+								AGMCORE_black_plate not
+									{
+									currentdict 0 false AGMCORE_separateShading
+									}if
+								}ifelse
+							}{
+							currentdict ColorSpace 1 get AGMCORE_IsCurrentColor
+							0 exch
+							dup not currentoverprint and
+								{/AGMCORE_ignoreshade true def}if
+							AGMCORE_separateShading
+							}ifelse	
+						}if			
+					currentdict
+					end exch
+					}if
+				dup 0 get /DeviceN eq
+					{
+					exch begin
+					ColorSpace 1 get convert_to_process
+						{
+						ColorSpace 2 get dup type /arraytype eq {0 get}if /DeviceCMYK eq
+							{
+							/ColorSpace
+								[
+								/DeviceN
+								ColorSpace 1 get
+								/DeviceGray
+									[
+									ColorSpace 3 get /exec cvx
+									4 AGMCORE_plate_ndx sub -1 /roll cvx
+									4 1 /roll cvx
+									3 [/pop cvx]cvx /repeat cvx
+									1 /exch cvx /sub cvx
+									]cvx									
+								]def
+							}{
+							AGMCORE_report_unsupported_color_space
+							AGMCORE_black_plate not
+								{
+								currentdict 0 false AGMCORE_separateShading
+								/ColorSpace [/DeviceGray] def
+								}if
+							}ifelse
+						}{
+						currentdict
+						false -1 ColorSpace 1 get
+							{
+							AGMCORE_IsCurrentColor
+								{
+								1 add
+								exch pop true exch exit
+								}if
+							1 add
+							}forall
+						exch
+						dup not currentoverprint and
+							{/AGMCORE_ignoreshade true def}if
+						AGMCORE_separateShading
+						}ifelse
+					currentdict
+					end exch
+					}if
+				dup 0 get dup /DeviceCMYK eq exch dup /Separation eq exch /DeviceN eq or or not
+					{
+					exch begin
+					ColorSpace dup type /arraytype eq
+						{0 get}if
+					/DeviceGray ne
+						{
+						AGMCORE_report_unsupported_color_space
+						AGMCORE_black_plate not
+							{
+							ColorSpace 0 get /CIEBasedA eq
+								{
+								/ColorSpace [/Separation /_ciebaseda_ /DeviceGray {}] def
+								}if
+							ColorSpace 0 get dup /CIEBasedABC eq exch dup /CIEBasedDEF eq exch /DeviceRGB eq or or
+								{
+								/ColorSpace [/DeviceN [/_red_ /_green_ /_blue_] /DeviceRGB {}] def
+								}if
+							ColorSpace 0 get /CIEBasedDEFG eq
+								{
+								/ColorSpace [/DeviceN [/_cyan_ /_magenta_ /_yellow_ /_black_] /DeviceCMYK {}]
+								}if
+							currentdict 0 false AGMCORE_separateShading
+							}if
+						}if
+					currentdict
+					end exch
+					}if
+				pop
+				dup /AGMCORE_ignoreshade known
+					{
+					begin
+					/ColorSpace [/Separation (None) /DeviceGray {}] def
+					currentdict end
+					}if
+				}def
+			/shfill
+				{
+				clonedict
+				AGMCORE_separateShadingDict
+				dup /AGMCORE_ignoreshade known
+					{pop}
+					{AGMCORE_&sysshfill}ifelse
+				}def
+			/makepattern
+				{
+				exch
+				dup /PatternType get 2 eq
+					{
+					clonedict
+					begin
+					/Shading Shading AGMCORE_separateShadingDict def
+					currentdict end
+					exch AGMCORE_&sysmakepattern
+					}{
+					exch AGMCORE_&usrmakepattern
+					}ifelse
+				}def
+		}if
+	}if
+	AGMCORE_in_rip_sep{
+		/setcustomcolor
+		{
+			exch aload pop
+			dup 7 1 roll inRip_spot_has_ink not	{
+				4 {4 index mul 4 1 roll}
+				repeat
+				/DeviceCMYK setcolorspace
+				6 -2 roll pop pop
+			}{
+				Adobe_AGM_Core begin
+					/AGMCORE_k xdf /AGMCORE_y xdf /AGMCORE_m xdf /AGMCORE_c xdf
+				end
+				[/Separation 4 -1 roll /DeviceCMYK
+				{dup AGMCORE_c mul exch dup AGMCORE_m mul exch dup AGMCORE_y mul exch AGMCORE_k mul}
+				]
+				setcolorspace
+			}ifelse
+			setcolor
+		}ndf
+		/setseparationgray
+		{
+			[/Separation (All) /DeviceGray {}] setcolorspace_opt
+			1 exch sub setcolor
+		}ndf
+	}{
+		/setseparationgray
+		{
+			AGMCORE_&setgray
+		}ndf
+	}ifelse
+	/findcmykcustomcolor
+	{
+		5 makereadonlyarray
+	}ndf
+	/setcustomcolor
+	{
+		exch aload pop pop
+		4 {4 index mul 4 1 roll} repeat
+		setcmykcolor pop
+	}ndf
+	/has_color
+		/colorimage where{
+			AGMCORE_producing_seps{
+				pop true
+			}{
+				systemdict eq
+			}ifelse
+		}{
+			false
+		}ifelse
+	def
+	/map_index
+	{
+		1 index mul exch getinterval {255 div} forall
+	} bdf
+	/map_indexed_devn
+	{
+		Lookup Names length 3 -1 roll cvi map_index
+	} bdf
+	/n_color_components
+	{
+		base_colorspace_type
+		dup /DeviceGray eq{
+			pop 1
+		}{
+			/DeviceCMYK eq{
+				4
+			}{
+				3
+			}ifelse
+		}ifelse
+	}bdf
+	level2{
+		/mo /moveto ldf
+		/li /lineto ldf
+		/cv /curveto ldf
+		/knockout_unitsq
+		{
+			1 setgray
+			0 0 1 1 rectfill
+		}def
+		/level2ScreenFreq{
+			begin
+			60
+			HalftoneType 1 eq{
+				pop Frequency
+			}if
+			HalftoneType 2 eq{
+				pop GrayFrequency
+			}if
+			HalftoneType 5 eq{
+				pop Default level2ScreenFreq
+			}if
+			 end
+		}def
+		/currentScreenFreq{
+			currenthalftone level2ScreenFreq
+		}def
+		level2 /setcolorspace AGMCORE_key_known not and{
+			/AGMCORE_&&&setcolorspace /setcolorspace ldf
+			/AGMCORE_ReplaceMappedColor
+			{
+				dup type dup /arraytype eq exch /packedarraytype eq or
+				{
+					dup 0 get dup /Separation eq
+					{
+						pop
+						dup length array copy
+						dup dup 1 get
+						current_spot_alias
+						{
+							dup map_alias
+							{
+								begin
+								/sep_colorspace_dict currentdict AGMCORE_gput
+								pop pop	pop
+								[
+									/Separation Name
+									CSA map_csa
+									dup /MappedCSA xdf
+									/sep_colorspace_proc load
+								]
+								dup Name
+								end
+							}if
+						}if
+						map_reserved_ink_name 1 xpt
+					}{
+						/DeviceN eq
+						{
+							dup length array copy
+							dup dup 1 get [
+								exch {
+									current_spot_alias{
+										dup map_alias{
+											/Name get exch pop
+										}if
+									}if
+									map_reserved_ink_name
+								} forall
+							] 1 xpt
+						}if
+					}ifelse
+				}if
+			}def
+			/setcolorspace
+			{
+				dup type dup /arraytype eq exch /packedarraytype eq or
+				{
+					dup 0 get /Indexed eq
+					{
+						AGMCORE_distilling
+						{
+							/PhotoshopDuotoneList where
+							{
+								pop false
+							}{
+								true
+							}ifelse
+						}{
+							true
+						}ifelse
+						{
+							aload pop 3 -1 roll
+							AGMCORE_ReplaceMappedColor
+							3 1 roll 4 array astore
+						}if
+					}{
+						AGMCORE_ReplaceMappedColor
+					}ifelse
+				}if
+				DeviceN_PS2_inRip_seps {AGMCORE_&&&setcolorspace} if
+			}def
+		}if	
+	}{
+		/adj
+		{
+			currentstrokeadjust{
+				transform
+				0.25 sub round 0.25 add exch
+				0.25 sub round 0.25 add exch
+				itransform
+			}if
+		}def
+		/mo{
+			adj moveto
+		}def
+		/li{
+			adj lineto
+		}def
+		/cv{
+			6 2 roll adj
+			6 2 roll adj
+			6 2 roll adj curveto
+		}def
+		/knockout_unitsq
+		{
+			1 setgray
+			8 8 1 [8 0 0 8 0 0] {<ffffffffffffffff>} image
+		}def
+		/currentstrokeadjust{
+			/currentstrokeadjust AGMCORE_gget
+		}def
+		/setstrokeadjust{
+			/currentstrokeadjust exch AGMCORE_gput
+		}def
+		/currentScreenFreq{
+			currentscreen pop pop
+		}def
+		/setcolorspace
+		{
+			/currentcolorspace exch AGMCORE_gput
+		} def
+		/currentcolorspace
+		{
+			/currentcolorspace AGMCORE_gget
+		} def
+		/setcolor_devicecolor
+		{
+			base_colorspace_type
+			dup /DeviceGray eq{
+				pop setgray
+			}{
+				/DeviceCMYK eq{
+					setcmykcolor
+				}{
+					setrgbcolor
+				}ifelse
+			}ifelse
+		}def
+		/setcolor
+		{
+			currentcolorspace 0 get
+			dup /DeviceGray ne{
+				dup /DeviceCMYK ne{
+					dup /DeviceRGB ne{
+						dup /Separation eq{
+							pop
+							currentcolorspace 3 get exec
+							currentcolorspace 2 get
+						}{
+							dup /Indexed eq{
+								pop
+								currentcolorspace 3 get dup type /stringtype eq{
+									currentcolorspace 1 get n_color_components
+									3 -1 roll map_index
+								}{
+									exec
+								}ifelse
+								currentcolorspace 1 get
+							}{
+								/AGMCORE_cur_err /AGMCORE_invalid_color_space def
+								AGMCORE_invalid_color_space
+							}ifelse
+						}ifelse
+					}if
+				}if
+			}if
+			setcolor_devicecolor
+		} def
+	}ifelse
+	/sop /setoverprint ldf
+	/lw /setlinewidth ldf
+	/lc /setlinecap ldf
+	/lj /setlinejoin ldf
+	/ml /setmiterlimit ldf
+	/dsh /setdash ldf
+	/sadj /setstrokeadjust ldf
+	/gry /setgray ldf
+	/rgb /setrgbcolor ldf
+	/cmyk /setcmykcolor ldf
+	/sep /setsepcolor ldf
+	/devn /setdevicencolor ldf
+	/idx /setindexedcolor ldf
+	/colr /setcolor ldf
+	/csacrd /set_csa_crd ldf
+	/sepcs /setsepcolorspace ldf
+	/devncs /setdevicencolorspace ldf
+	/idxcs /setindexedcolorspace ldf
+	/cp /closepath ldf
+	/clp /clp_npth ldf
+	/eclp /eoclp_npth ldf
+	/f /fill ldf
+	/ef /eofill ldf
+	/@ /stroke ldf
+	/nclp /npth_clp ldf
+	/gset /graphic_setup ldf
+	/gcln /graphic_cleanup ldf
+	currentdict{
+		dup xcheck 1 index type dup /arraytype eq exch /packedarraytype eq or and {
+			bind
+		}if
+		def
+	}forall
+	/currentpagedevice currentpagedevice def
+/getrampcolor {
+/indx exch def
+0 1 NumComp 1 sub {
+dup
+Samples exch get
+dup type /stringtype eq { indx get } if
+exch
+Scaling exch get aload pop
+3 1 roll
+mul add
+} for
+ColorSpaceFamily /Separation eq
+	{
+	sep
+	}
+	{
+	ColorSpaceFamily /DeviceN eq
+		{
+		devn
+		}
+		{
+		setcolor
+		}ifelse
+	}ifelse
+} bind def
+/sssetbackground { aload pop setcolor } bind def
+/RadialShade {
+40 dict begin
+/ColorSpaceFamily exch def
+/background exch def
+/ext1 exch def
+/ext0 exch def
+/BBox exch def
+/r2 exch def
+/c2y exch def
+/c2x exch def
+/r1 exch def
+/c1y exch def
+/c1x exch def
+/rampdict exch def
+/setinkoverprint where {pop /setinkoverprint{pop}def}if
+gsave
+BBox length 0 gt {
+newpath
+BBox 0 get BBox 1 get moveto
+BBox 2 get BBox 0 get sub 0 rlineto
+0 BBox 3 get BBox 1 get sub rlineto
+BBox 2 get BBox 0 get sub neg 0 rlineto
+closepath
+clip
+newpath
+} if
+c1x c2x eq
+{
+c1y c2y lt {/theta 90 def}{/theta 270 def} ifelse
+}
+{
+/slope c2y c1y sub c2x c1x sub div def
+/theta slope 1 atan def
+c2x c1x lt c2y c1y ge and { /theta theta 180 sub def} if
+c2x c1x lt c2y c1y lt and { /theta theta 180 add def} if
+}
+ifelse
+gsave
+clippath
+c1x c1y translate
+theta rotate
+-90 rotate
+{ pathbbox } stopped
+{ 0 0 0 0 } if
+/yMax exch def
+/xMax exch def
+/yMin exch def
+/xMin exch def
+grestore
+xMax xMin eq yMax yMin eq or
+{
+grestore
+end
+}
+{
+/max { 2 copy gt { pop } {exch pop} ifelse } bind def
+/min { 2 copy lt { pop } {exch pop} ifelse } bind def
+rampdict begin
+40 dict begin
+background length 0 gt { background sssetbackground gsave clippath fill grestore } if
+gsave
+c1x c1y translate
+theta rotate
+-90 rotate
+/c2y c1x c2x sub dup mul c1y c2y sub dup mul add sqrt def
+/c1y 0 def
+/c1x 0 def
+/c2x 0 def
+ext0 {
+0 getrampcolor
+c2y r2 add r1 sub 0.0001 lt
+{
+c1x c1y r1 360 0 arcn
+pathbbox
+/aymax exch def
+/axmax exch def
+/aymin exch def
+/axmin exch def
+/bxMin xMin axmin min def
+/byMin yMin aymin min def
+/bxMax xMax axmax max def
+/byMax yMax aymax max def
+bxMin byMin moveto
+bxMax byMin lineto
+bxMax byMax lineto
+bxMin byMax lineto
+bxMin byMin lineto
+eofill
+}
+{
+c2y r1 add r2 le
+{
+c1x c1y r1 0 360 arc
+fill
+}
+{
+c2x c2y r2 0 360 arc fill
+r1 r2 eq
+{
+/p1x r1 neg def
+/p1y c1y def
+/p2x r1 def
+/p2y c1y def
+p1x p1y moveto p2x p2y lineto p2x yMin lineto p1x yMin lineto
+fill
+}
+{
+/AA r2 r1 sub c2y div def
+/theta AA 1 AA dup mul sub sqrt div 1 atan def
+/SS1 90 theta add dup sin exch cos div def
+/p1x r1 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def
+/p1y p1x SS1 div neg def
+/SS2 90 theta sub dup sin exch cos div def
+/p2x r1 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def
+/p2y p2x SS2 div neg def
+r1 r2 gt
+{
+/L1maxX p1x yMin p1y sub SS1 div add def
+/L2maxX p2x yMin p2y sub SS2 div add def
+}
+{
+/L1maxX 0 def
+/L2maxX 0 def
+}ifelse
+p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto
+L1maxX L1maxX p1x sub SS1 mul p1y add lineto
+fill
+}
+ifelse
+}
+ifelse
+} ifelse
+} if
+c1x c2x sub dup mul
+c1y c2y sub dup mul
+add 0.5 exp
+0 dtransform
+dup mul exch dup mul add 0.5 exp 72 div
+0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
+72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
+1 index 1 index lt { exch } if pop
+/hires exch def
+hires mul
+/numpix exch def
+/numsteps NumSamples def
+/rampIndxInc 1 def
+/subsampling false def
+numpix 0 ne
+{
+NumSamples numpix div 0.5 gt
+{
+/numsteps numpix 2 div round cvi dup 1 le { pop 2 } if def
+/rampIndxInc NumSamples 1 sub numsteps div def
+/subsampling true def
+} if
+} if
+/xInc c2x c1x sub numsteps div def
+/yInc c2y c1y sub numsteps div def
+/rInc r2 r1 sub numsteps div def
+/cx c1x def
+/cy c1y def
+/radius r1 def
+newpath
+xInc 0 eq yInc 0 eq rInc 0 eq and and
+{
+0 getrampcolor
+cx cy radius 0 360 arc
+stroke
+NumSamples 1 sub getrampcolor
+cx cy radius 72 hires div add 0 360 arc
+0 setlinewidth
+stroke
+}
+{
+0
+numsteps
+{
+dup
+subsampling { round cvi } if
+getrampcolor
+cx cy radius 0 360 arc
+/cx cx xInc add def
+/cy cy yInc add def
+/radius radius rInc add def
+cx cy radius 360 0 arcn
+eofill
+rampIndxInc add
+}
+repeat
+pop
+} ifelse
+ext1 {
+c2y r2 add r1 lt
+{
+c2x c2y r2 0 360 arc
+fill
+}
+{
+c2y r1 add r2 sub 0.0001 le
+{
+c2x c2y r2 360 0 arcn
+pathbbox
+/aymax exch def
+/axmax exch def
+/aymin exch def
+/axmin exch def
+/bxMin xMin axmin min def
+/byMin yMin aymin min def
+/bxMax xMax axmax max def
+/byMax yMax aymax max def
+bxMin byMin moveto
+bxMax byMin lineto
+bxMax byMax lineto
+bxMin byMax lineto
+bxMin byMin lineto
+eofill
+}
+{
+c2x c2y r2 0 360 arc fill
+r1 r2 eq
+{
+/p1x r2 neg def
+/p1y c2y def
+/p2x r2 def
+/p2y c2y def
+p1x p1y moveto p2x p2y lineto p2x yMax lineto p1x yMax lineto
+fill
+}
+{
+/AA r2 r1 sub c2y div def
+/theta AA 1 AA dup mul sub sqrt div 1 atan def
+/SS1 90 theta add dup sin exch cos div def
+/p1x r2 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def
+/p1y c2y p1x SS1 div sub def
+/SS2 90 theta sub dup sin exch cos div def
+/p2x r2 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def
+/p2y c2y p2x SS2 div sub def
+r1 r2 lt
+{
+/L1maxX p1x yMax p1y sub SS1 div add def
+/L2maxX p2x yMax p2y sub SS2 div add def
+}
+{
+/L1maxX 0 def
+/L2maxX 0 def
+}ifelse
+p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto
+L1maxX L1maxX p1x sub SS1 mul p1y add lineto
+fill
+}
+ifelse
+}
+ifelse
+} ifelse
+} if
+grestore
+grestore
+end
+end
+end
+} ifelse
+} bind def
+/GenStrips {
+40 dict begin
+/ColorSpaceFamily exch def
+/background exch def
+/ext1 exch def
+/ext0 exch def
+/BBox exch def
+/y2 exch def
+/x2 exch def
+/y1 exch def
+/x1 exch def
+/rampdict exch def
+/setinkoverprint where {pop /setinkoverprint{pop}def}if
+gsave
+BBox length 0 gt {
+newpath
+BBox 0 get BBox 1 get moveto
+BBox 2 get BBox 0 get sub 0 rlineto
+0 BBox 3 get BBox 1 get sub rlineto
+BBox 2 get BBox 0 get sub neg 0 rlineto
+closepath
+clip
+newpath
+} if
+x1 x2 eq
+{
+y1 y2 lt {/theta 90 def}{/theta 270 def} ifelse
+}
+{
+/slope y2 y1 sub x2 x1 sub div def
+/theta slope 1 atan def
+x2 x1 lt y2 y1 ge and { /theta theta 180 sub def} if
+x2 x1 lt y2 y1 lt and { /theta theta 180 add def} if
+}
+ifelse
+gsave
+clippath
+x1 y1 translate
+theta rotate
+{ pathbbox } stopped
+{ 0 0 0 0 } if
+/yMax exch def
+/xMax exch def
+/yMin exch def
+/xMin exch def
+grestore
+xMax xMin eq yMax yMin eq or
+{
+grestore
+end
+}
+{
+rampdict begin
+20 dict begin
+background length 0 gt { background sssetbackground gsave clippath fill grestore } if
+gsave
+x1 y1 translate
+theta rotate
+/xStart 0 def
+/xEnd x2 x1 sub dup mul y2 y1 sub dup mul add 0.5 exp def
+/ySpan yMax yMin sub def
+/numsteps NumSamples def
+/rampIndxInc 1 def
+/subsampling false def
+xStart 0 transform
+xEnd 0 transform
+3 -1 roll
+sub dup mul
+3 1 roll
+sub dup mul
+add 0.5 exp 72 div
+0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
+72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
+1 index 1 index lt { exch } if pop
+mul
+/numpix exch def
+numpix 0 ne
+{
+NumSamples numpix div 0.5 gt
+{
+/numsteps numpix 2 div round cvi dup 1 le { pop 2 } if def
+/rampIndxInc NumSamples 1 sub numsteps div def
+/subsampling true def
+} if
+} if
+ext0 {
+0 getrampcolor
+xMin xStart lt
+{ xMin yMin xMin neg ySpan rectfill } if
+} if
+/xInc xEnd xStart sub numsteps div def
+/x xStart def
+0
+numsteps
+{
+dup
+subsampling { round cvi } if
+getrampcolor
+x yMin xInc ySpan rectfill
+/x x xInc add def
+rampIndxInc add
+}
+repeat
+pop
+ext1 {
+xMax xEnd gt
+{ xEnd yMin xMax xEnd sub ySpan rectfill } if
+} if
+grestore
+grestore
+end
+end
+end
+} ifelse
+} bind def
+}def
+/page_trailer
+{
+	end
+}def
+/doc_trailer{
+}def
+systemdict /findcolorrendering known{
+	/findcolorrendering systemdict /findcolorrendering get def
+}if
+systemdict /setcolorrendering known{
+	/setcolorrendering systemdict /setcolorrendering get def
+}if
+/test_cmyk_color_plate
+{
+	gsave
+	setcmykcolor currentgray 1 ne
+	grestore
+}def
+/inRip_spot_has_ink
+{
+	dup Adobe_AGM_Core/AGMCORE_name xddf
+	convert_spot_to_process not
+}def
+/map255_to_range
+{
+	1 index sub
+	3 -1 roll 255 div mul add
+}def
+/set_csa_crd
+{
+	/sep_colorspace_dict null AGMCORE_gput
+	begin
+		CSA map_csa setcolorspace_opt
+		set_crd
+	end
+}
+def
+/setsepcolor
+{
+	/sep_colorspace_dict AGMCORE_gget begin
+		dup /sep_tint exch AGMCORE_gput
+		TintProc
+	end
+} def
+/setdevicencolor
+{
+	/devicen_colorspace_dict AGMCORE_gget begin
+		Names length copy
+		Names length 1 sub -1 0
+		{
+			/devicen_tints AGMCORE_gget 3 1 roll xpt
+		} for
+		TintProc
+	end
+} def
+/sep_colorspace_proc
+{
+	Adobe_AGM_Core/AGMCORE_tmp xddf
+	/sep_colorspace_dict AGMCORE_gget begin
+	currentdict/Components known{
+		Components aload pop
+		TintMethod/Lab eq{
+			2 {AGMCORE_tmp mul NComponents 1 roll} repeat
+			LMax sub AGMCORE_tmp mul LMax add  NComponents 1 roll
+		}{
+			TintMethod/Subtractive eq{
+				NComponents{
+					AGMCORE_tmp mul NComponents 1 roll
+				}repeat
+			}{
+				NComponents{
+					1 sub AGMCORE_tmp mul 1 add  NComponents 1 roll
+				} repeat
+			}ifelse
+		}ifelse
+	}{
+		ColorLookup AGMCORE_tmp ColorLookup length 1 sub mul round cvi get
+		aload pop
+	}ifelse
+	end
+} def
+/sep_colorspace_gray_proc
+{
+	Adobe_AGM_Core/AGMCORE_tmp xddf
+	/sep_colorspace_dict AGMCORE_gget begin
+	GrayLookup AGMCORE_tmp GrayLookup length 1 sub mul round cvi get
+	end
+} def
+/sep_proc_name
+{
+	dup 0 get
+	dup /DeviceRGB eq exch /DeviceCMYK eq or level2 not and has_color not and{
+		pop [/DeviceGray]
+		/sep_colorspace_gray_proc
+	}{
+		/sep_colorspace_proc
+	}ifelse
+} def
+/setsepcolorspace
+{
+	current_spot_alias{
+		dup begin
+			Name map_alias{
+				exch pop
+			}if
+		end
+	}if
+	dup /sep_colorspace_dict exch AGMCORE_gput
+	begin
+	/MappedCSA CSA map_csa def
+	Adobe_AGM_Core/AGMCORE_sep_special Name dup () eq exch (All) eq or ddf
+	AGMCORE_avoid_L2_sep_space{
+		[/Indexed MappedCSA sep_proc_name 255 exch
+			{ 255 div } /exec cvx 3 -1 roll [ 4 1 roll load /exec cvx ] cvx
+		] setcolorspace_opt
+		/TintProc {
+			255 mul round cvi setcolor
+		}bdf
+	}{
+		MappedCSA 0 get /DeviceCMYK eq
+		currentdict/Components known and
+		AGMCORE_sep_special not and{
+			/TintProc [
+				Components aload pop Name findcmykcustomcolor
+				/exch cvx /setcustomcolor cvx
+			] cvx bdf
+		}{
+ 			AGMCORE_host_sep Name (All) eq and{
+ 				/TintProc {
+					1 exch sub setseparationgray
+				}bdf
+ 			}{
+				AGMCORE_in_rip_sep MappedCSA 0 get /DeviceCMYK eq and
+				AGMCORE_host_sep or
+				Name () eq and{
+					/TintProc [
+						MappedCSA sep_proc_name exch 0 get /DeviceCMYK eq{
+							cvx /setcmykcolor cvx
+						}{
+							cvx /setgray cvx
+						}ifelse
+					] cvx bdf
+				}{
+					AGMCORE_producing_seps MappedCSA 0 get dup /DeviceCMYK eq exch /DeviceGray eq or and AGMCORE_sep_special not and{
+	 					/TintProc [
+							/dup cvx
+							MappedCSA sep_proc_name cvx exch
+							0 get /DeviceGray eq{
+								1 /exch cvx /sub cvx 0 0 0 4 -1 /roll cvx
+							}if
+							/Name cvx /findcmykcustomcolor cvx /exch cvx
+							AGMCORE_host_sep{
+								AGMCORE_is_cmyk_sep
+								/Name cvx
+								/AGMCORE_IsSeparationAProcessColor load /exec cvx
+								/not cvx /and cvx
+							}{
+								Name inRip_spot_has_ink not
+							}ifelse
+							[
+		 						/pop cvx 1
+							] cvx /if cvx
+							/setcustomcolor cvx
+						] cvx bdf
+ 					}{
+						/TintProc /setcolor ldf
+						[/Separation Name MappedCSA sep_proc_name load ] setcolorspace_opt
+					}ifelse
+				}ifelse
+			}ifelse
+		}ifelse
+	}ifelse
+	set_crd
+	setsepcolor
+	end
+} def
+/additive_blend
+{
+  	3 dict begin
+  	/numarrays xdf
+  	/numcolors xdf
+  	0 1 numcolors 1 sub
+  		{
+  		/c1 xdf
+  		1
+  		0 1 numarrays 1 sub
+  			{
+			1 exch add /index cvx
+  			c1 /get cvx /mul cvx
+  			}for
+ 		numarrays 1 add 1 /roll cvx
+  		}for
+ 	numarrays [/pop cvx] cvx /repeat cvx
+  	end
+}def
+/subtractive_blend
+{
+	3 dict begin
+	/numarrays xdf
+	/numcolors xdf
+	0 1 numcolors 1 sub
+		{
+		/c1 xdf
+		1 1
+		0 1 numarrays 1 sub
+			{
+			1 3 3 -1 roll add /index cvx
+			c1 /get cvx /sub cvx /mul cvx
+			}for
+		/sub cvx
+		numarrays 1 add 1 /roll cvx
+		}for
+	numarrays [/pop cvx] cvx /repeat cvx
+	end
+}def
+/exec_tint_transform
+{
+	/TintProc [
+		/TintTransform cvx /setcolor cvx
+	] cvx bdf
+	MappedCSA setcolorspace_opt
+} bdf
+/devn_makecustomcolor
+{
+	2 dict begin
+	/names_index xdf
+	/Names xdf
+	1 1 1 1 Names names_index get findcmykcustomcolor
+	/devicen_tints AGMCORE_gget names_index get setcustomcolor
+	Names length {pop} repeat
+	end
+} bdf
+/setdevicencolorspace
+{
+	dup /AliasedColorants known {false}{true}ifelse
+	current_spot_alias and {
+		6 dict begin
+		/names_index 0 def
+		dup /names_len exch /Names get length def
+		/new_names names_len array def
+		/new_LookupTables names_len array def
+		/alias_cnt 0 def
+		dup /Names get
+		{
+			dup map_alias {
+				exch pop
+				dup /ColorLookup known {
+					dup begin
+					new_LookupTables names_index ColorLookup put
+					end
+				}{
+					dup /Components known {
+						dup begin
+						new_LookupTables names_index Components put
+						end
+					}{
+						dup begin
+						new_LookupTables names_index [null null null null] put
+						end
+					} ifelse
+				} ifelse
+				new_names names_index 3 -1 roll /Name get put
+				/alias_cnt alias_cnt 1 add def
+			}{
+				/name xdf				
+				new_names names_index name put
+				dup /LookupTables known {
+					dup begin
+					new_LookupTables names_index LookupTables names_index get put
+					end
+				}{
+					dup begin
+					new_LookupTables names_index [null null null null] put
+					end
+				} ifelse
+			} ifelse
+			/names_index names_index 1 add def
+		} forall
+		alias_cnt 0 gt {
+			/AliasedColorants true def
+			0 1 names_len 1 sub {
+				/names_index xdf
+				new_LookupTables names_index get 0 get null eq {
+					dup /Names get names_index get /name xdf
+					name (Cyan) eq name (Magenta) eq name (Yellow) eq name (Black) eq
+					or or or not {
+						/AliasedColorants false def
+						exit
+					} if
+				} if
+			} for
+			AliasedColorants {
+				dup begin
+				/Names new_names def
+				/AliasedColorants true def
+				/LookupTables new_LookupTables def
+				currentdict /TTTablesIdx known not {
+					/TTTablesIdx -1 def
+				} if
+				currentdict /NComponents known not {
+					/NComponents TintMethod /Subtractive eq {4}{3}ifelse def
+				} if
+				end
+			} if
+		}if
+		end
+	} if
+	dup /devicen_colorspace_dict exch AGMCORE_gput
+	begin
+	/MappedCSA CSA map_csa def
+	currentdict /AliasedColorants known {
+		AliasedColorants
+	}{
+		false
+	} ifelse
+	/TintTransform load type /nulltype eq or {
+		/TintTransform [
+			0 1 Names length 1 sub
+				{
+				/TTTablesIdx TTTablesIdx 1 add def
+				dup LookupTables exch get dup 0 get null eq
+					{
+					1 index
+					Names exch get
+					dup (Cyan) eq
+						{
+						pop exch
+						LookupTables length exch sub
+						/index cvx
+						0 0 0
+						}
+						{
+						dup (Magenta) eq
+							{
+							pop exch
+							LookupTables length exch sub
+							/index cvx
+							0 /exch cvx 0 0
+							}
+							{
+							(Yellow) eq
+								{
+								exch
+								LookupTables length exch sub
+								/index cvx
+								0 0 3 -1 /roll cvx 0
+								}
+								{
+								exch
+								LookupTables length exch sub
+								/index cvx
+								0 0 0 4 -1 /roll cvx
+								} ifelse
+							} ifelse
+						} ifelse
+					5 -1 /roll cvx /astore cvx
+					}
+					{
+					dup length 1 sub
+					LookupTables length 4 -1 roll sub 1 add
+					/index cvx /mul cvx /round cvx /cvi cvx /get cvx
+					} ifelse
+					Names length TTTablesIdx add 1 add 1 /roll cvx
+				} for
+			Names length [/pop cvx] cvx /repeat cvx
+			NComponents Names length
+  			TintMethod /Subtractive eq
+  				{
+  				subtractive_blend
+  				}
+  				{
+  				additive_blend
+  				} ifelse
+		] cvx bdf
+	} if
+	AGMCORE_host_sep {
+		Names convert_to_process {
+			exec_tint_transform
+		}
+		{	
+			currentdict /AliasedColorants known {
+				AliasedColorants not
+			}{
+				false
+			} ifelse
+			5 dict begin
+			/AvoidAliasedColorants xdf
+			/painted? false def
+			/names_index 0 def
+			/names_len Names length def
+			Names {
+				AvoidAliasedColorants {
+					/currentspotalias current_spot_alias def
+					false set_spot_alias
+				} if
+				AGMCORE_is_cmyk_sep {
+					dup (Cyan) eq AGMCORE_cyan_plate and exch
+					dup (Magenta) eq AGMCORE_magenta_plate and exch
+					dup (Yellow) eq AGMCORE_yellow_plate and exch
+					(Black) eq AGMCORE_black_plate and or or or {
+						/devicen_colorspace_dict AGMCORE_gget /TintProc [
+							Names names_index /devn_makecustomcolor cvx
+						] cvx ddf
+						/painted? true def
+					} if
+					painted? {exit} if
+				}{
+					0 0 0 0 5 -1 roll findcmykcustomcolor 1 setcustomcolor currentgray 0 eq {
+					/devicen_colorspace_dict AGMCORE_gget /TintProc [
+						Names names_index /devn_makecustomcolor cvx
+					] cvx ddf
+					/painted? true def
+					exit
+					} if
+				} ifelse
+				AvoidAliasedColorants {
+					currentspotalias set_spot_alias
+				} if
+				/names_index names_index 1 add def
+			} forall
+			painted? {
+				/devicen_colorspace_dict AGMCORE_gget /names_index names_index put
+			}{
+				/devicen_colorspace_dict AGMCORE_gget /TintProc [
+					names_len [/pop cvx] cvx /repeat cvx 1 /setseparationgray cvx
+					0 0 0 0 () /findcmykcustomcolor cvx 0 /setcustomcolor cvx
+				] cvx ddf
+			} ifelse
+			end
+		} ifelse
+	}
+	{
+		AGMCORE_in_rip_sep {
+			Names convert_to_process not
+		}{
+			level3
+		} ifelse
+		{
+			[/DeviceN Names MappedCSA /TintTransform load] setcolorspace_opt
+			/TintProc level3 not AGMCORE_in_rip_sep and {
+				[
+					Names /length cvx [/pop cvx] cvx /repeat cvx
+				] cvx bdf
+			}{
+				/setcolor ldf
+			} ifelse
+		}{
+			exec_tint_transform
+		} ifelse
+	} ifelse
+	set_crd
+	/AliasedColorants false def
+	end
+} def
+/setindexedcolorspace
+{
+	dup /indexed_colorspace_dict exch AGMCORE_gput
+	begin
+		currentdict /CSD known {
+			CSD get_csd /Names known {
+				CSD get_csd begin
+				currentdict devncs
+				AGMCORE_host_sep{
+					4 dict begin
+					/devnCompCnt Names length def
+					/NewLookup HiVal 1 add string def
+					0 1 HiVal {
+						/tableIndex xdf
+						Lookup dup type /stringtype eq {
+							devnCompCnt tableIndex map_index
+						}{
+							exec
+						} ifelse
+						setdevicencolor
+						currentgray
+						tableIndex exch
+						HiVal mul cvi
+						NewLookup 3 1 roll put
+					} for
+					[/Indexed currentcolorspace HiVal NewLookup] setcolorspace_opt
+					end
+				}{
+					level3
+					{
+					[/Indexed [/DeviceN Names MappedCSA /TintTransform load] HiVal Lookup] setcolorspace_opt
+					}{
+					[/Indexed MappedCSA HiVal
+						[
+						Lookup dup type /stringtype eq
+							{/exch cvx CSD get_csd /Names get length dup /mul cvx exch /getinterval cvx {255 div} /forall cvx}
+							{/exec cvx}ifelse
+							/TintTransform load /exec cvx
+						]cvx
+					]setcolorspace_opt
+					}ifelse
+				} ifelse
+				end
+			}{
+			} ifelse
+			set_crd
+		}
+		{
+			/MappedCSA CSA map_csa def
+			AGMCORE_host_sep level2 not and{
+				0 0 0 0 setcmykcolor
+			}{
+				[/Indexed MappedCSA
+				level2 not has_color not and{
+					dup 0 get dup /DeviceRGB eq exch /DeviceCMYK eq or{
+						pop [/DeviceGray]
+					}if
+					HiVal GrayLookup
+				}{
+					HiVal
+					currentdict/RangeArray known{
+						{
+							/indexed_colorspace_dict AGMCORE_gget begin
+							Lookup exch
+							dup HiVal gt{
+								pop HiVal
+							}if
+							NComponents mul NComponents getinterval {} forall
+							NComponents 1 sub -1 0{
+								RangeArray exch 2 mul 2 getinterval aload pop map255_to_range
+								NComponents 1 roll
+							}for
+							end
+						} bind
+					}{
+						Lookup
+					}ifelse
+				}ifelse
+				] setcolorspace_opt
+				set_crd
+			}ifelse
+		}ifelse
+	end
+}def
+/setindexedcolor
+{
+	AGMCORE_host_sep {
+		/indexed_colorspace_dict AGMCORE_gget dup /CSD known {
+			begin
+			CSD get_csd begin
+			map_indexed_devn
+			devn
+			end
+			end
+		}{
+			AGMCORE_gget/Lookup get 4 3 -1 roll map_index
+			pop setcmykcolor
+		} ifelse
+	}{
+		level3 not AGMCORE_in_rip_sep and /indexed_colorspace_dict AGMCORE_gget /CSD known and {
+			/indexed_colorspace_dict AGMCORE_gget /CSD get get_csd begin
+			map_indexed_devn
+			devn
+			end
+		}
+		{
+			setcolor
+		} ifelse
+	}ifelse
+} def
+/ignoreimagedata
+{
+	currentoverprint not{
+		gsave
+		dup clonedict begin
+		1 setgray
+		/Decode [0 1] def
+		/DataSource <FF> def
+		/MultipleDataSources false def
+		/BitsPerComponent 8 def
+		currentdict end
+		systemdict /image get exec
+		grestore
+		}if
+	consumeimagedata
+}def
+/add_csa
+{
+	Adobe_AGM_Core begin
+			/AGMCORE_CSA_cache xput
+	end
+}def
+/get_csa_by_name
+{
+	dup type dup /nametype eq exch /stringtype eq or{
+		Adobe_AGM_Core begin
+		1 dict begin
+		/name xdf
+		AGMCORE_CSA_cache
+		{
+			0 get name eq {
+				exit
+			}{
+				pop
+			} ifelse
+		}forall
+		end
+		end
+	}{
+		pop
+	} ifelse
+}def
+/map_csa
+{
+	dup type /nametype eq{
+		Adobe_AGM_Core/AGMCORE_CSA_cache get exch get
+	}if
+}def
+/add_csd
+{
+	Adobe_AGM_Core begin
+		/AGMCORE_CSD_cache xput
+	end
+}def
+/get_csd
+{
+	dup type /nametype eq{
+		Adobe_AGM_Core/AGMCORE_CSD_cache get exch get
+	}if
+}def
+/pattern_buf_init
+{
+	/count get 0 0 put
+} def
+/pattern_buf_next
+{
+	dup /count get dup 0 get
+	dup 3 1 roll
+	1 add 0 xpt
+	get				
+} def
+/cachepattern_compress
+{
+	5 dict begin
+	currentfile exch 0 exch /SubFileDecode filter /ReadFilter exch def
+	/patarray 20 dict def
+	/string_size 16000 def
+	/readbuffer string_size string def
+	currentglobal true setglobal
+	patarray 1 array dup 0 1 put /count xpt
+	setglobal
+	/LZWFilter
+	{
+		exch
+		dup length 0 eq {
+			pop
+		}{
+			patarray dup length 1 sub 3 -1 roll put
+		} ifelse
+		{string_size}{0}ifelse string
+	} /LZWEncode filter def
+	{ 		
+		ReadFilter readbuffer readstring
+		exch LZWFilter exch writestring
+		not {exit} if
+	} loop
+	LZWFilter closefile
+	patarray				
+	end
+}def
+/cachepattern
+{
+	2 dict begin
+	currentfile exch 0 exch /SubFileDecode filter /ReadFilter exch def
+	/patarray 20 dict def
+	currentglobal true setglobal
+	patarray 1 array dup 0 1 put /count xpt
+	setglobal
+	{
+		ReadFilter 16000 string readstring exch
+		patarray dup length 1 sub 3 -1 roll put
+		not {exit} if
+	} loop
+	patarray dup dup length 1 sub () put					
+	end	
+}def
+/add_pattern
+{
+	Adobe_AGM_Core begin
+		/AGMCORE_pattern_cache xput
+	end
+}def
+/get_pattern
+{
+	dup type /nametype eq{
+		Adobe_AGM_Core/AGMCORE_pattern_cache get exch get
+		dup wrap_paintproc
+	}if
+}def
+/wrap_paintproc
+{
+  statusdict /currentfilenameextend known{
+	  begin
+		/OldPaintProc /PaintProc load def
+		/PaintProc
+		{
+		  mark exch
+		  dup /OldPaintProc get stopped
+		  {closefile restore end} if
+		  cleartomark
+		}  def
+	  end
+  } {pop} ifelse
+} def
+/make_pattern
+{
+	dup matrix currentmatrix matrix concatmatrix 0 0 3 2 roll itransform
+	exch 3 index /XStep get 1 index exch 2 copy div cvi mul sub sub
+	exch 3 index /YStep get 1 index exch 2 copy div cvi mul sub sub
+	matrix translate exch matrix concatmatrix
+			  1 index begin
+		BBox 0 get XStep div cvi XStep mul /xshift exch neg def
+		BBox 1 get YStep div cvi YStep mul /yshift exch neg def
+		BBox 0 get xshift add
+		BBox 1 get yshift add
+		BBox 2 get xshift add
+		BBox 3 get yshift add
+		4 array astore
+		/BBox exch def
+		[ xshift yshift /translate load null /exec load ] dup
+		3 /PaintProc load put cvx /PaintProc exch def
+		end
+	gsave 0 setgray
+	makepattern
+	grestore
+}def
+/set_pattern
+{
+	dup /PatternType get 1 eq{
+		dup /PaintType get 1 eq{
+			currentoverprint sop [/DeviceGray] setcolorspace 0 setgray
+		}if
+	}if
+	setpattern
+}def
+/setcolorspace_opt
+{
+	dup currentcolorspace eq{
+		pop
+	}{
+		setcolorspace
+	}ifelse
+}def
+/updatecolorrendering
+{
+	currentcolorrendering/Intent known{
+		currentcolorrendering/Intent get
+	}{
+		null
+	}ifelse
+	Intent ne{
+		false
+		Intent
+		AGMCORE_CRD_cache {
+			exch pop
+			begin
+				dup Intent eq{
+					currentdict setcolorrendering_opt
+					end
+					exch pop true exch	
+					exit
+				}if
+			end
+		} forall
+		pop
+		not{
+			systemdict /findcolorrendering known{
+				Intent findcolorrendering pop
+				/ColorRendering findresource
+				dup length dict copy
+				setcolorrendering_opt
+			}if
+		}if
+	}if
+} def
+/add_crd
+{
+	AGMCORE_CRD_cache 3 1 roll put
+}def
+/set_crd
+{
+	AGMCORE_host_sep not level2 and{
+		currentdict/CRD known{
+			AGMCORE_CRD_cache CRD get dup null ne{
+				setcolorrendering_opt
+			}{
+				pop
+			}ifelse
+		}{
+			currentdict/Intent known{
+				updatecolorrendering
+			}if
+		}ifelse
+		currentcolorspace dup type /arraytype eq
+			{0 get}if
+		/DeviceRGB eq
+			{
+			currentdict/UCR known
+				{/UCR}{/AGMCORE_currentucr}ifelse
+			load setundercolorremoval
+			currentdict/BG known
+				{/BG}{/AGMCORE_currentbg}ifelse
+			load setblackgeneration
+			}if
+	}if
+}def
+/setcolorrendering_opt
+{
+	dup currentcolorrendering eq{
+		pop
+	}{
+		begin
+			/Intent Intent def
+			currentdict
+		end
+		setcolorrendering
+	}ifelse
+}def
+/cpaint_gcomp
+{
+	convert_to_process Adobe_AGM_Core/AGMCORE_ConvertToProcess xddf
+	Adobe_AGM_Core/AGMCORE_ConvertToProcess get not
+	{
+		(%end_cpaint_gcomp) flushinput
+	}if
+}def
+/cpaint_gsep
+{
+	Adobe_AGM_Core/AGMCORE_ConvertToProcess get
+	{	
+		(%end_cpaint_gsep) flushinput
+	}if
+}def
+/cpaint_gend
+{
+	newpath
+}def
+/path_rez
+{
+	dup 0 ne{
+		AGMCORE_deviceDPI exch div
+		dup 1 lt{
+			pop 1
+		}if
+		setflat
+	}{
+		pop
+	}ifelse 	
+}def
+/set_spot_alias_ary
+{
+	/AGMCORE_SpotAliasAry where{
+		pop pop
+	}{
+		Adobe_AGM_Core/AGMCORE_SpotAliasAry xddf
+		true set_spot_alias
+	}ifelse
+}def
+/set_spot_alias
+{
+	/AGMCORE_SpotAliasAry where{
+		/AGMCORE_current_spot_alias 3 -1 roll put
+	}{
+		pop
+	}ifelse
+}def
+/current_spot_alias
+{
+	/AGMCORE_SpotAliasAry where{
+		/AGMCORE_current_spot_alias get
+	}{
+		false
+	}ifelse
+}def
+/map_alias
+{
+	/AGMCORE_SpotAliasAry where{
+		begin
+			/AGMCORE_name xdf
+			false	
+			AGMCORE_SpotAliasAry{
+				dup/Name get AGMCORE_name eq{
+					save exch
+					/Adobe_AGM_Core currentdict def
+					/CSD get get_csd
+					exch restore
+					exch pop true
+					exit
+				}{
+					pop
+				}ifelse
+			}forall
+		end
+	}{
+		pop false
+	}ifelse
+}bdf
+/spot_alias
+{
+	true set_spot_alias
+	/AGMCORE_&setcustomcolor AGMCORE_key_known not {
+		Adobe_AGM_Core/AGMCORE_&setcustomcolor /setcustomcolor load put
+	} if
+	/customcolor_tint 1 AGMCORE_gput
+	Adobe_AGM_Core begin
+	/setcustomcolor
+	{
+		dup /customcolor_tint exch AGMCORE_gput
+		current_spot_alias{
+			1 index 4 get map_alias{
+				mark 3 1 roll
+				setsepcolorspace
+				counttomark 0 ne{
+					setsepcolor
+				}if
+				pop
+				pop
+			}{
+				AGMCORE_&setcustomcolor
+			}ifelse
+		}{
+			AGMCORE_&setcustomcolor
+		}ifelse
+	}bdf
+	end
+}def
+/begin_feature
+{
+	Adobe_AGM_Core/AGMCORE_feature_dictCount countdictstack put
+	count Adobe_AGM_Core/AGMCORE_feature_opCount 3 -1 roll put
+	{Adobe_AGM_Core/AGMCORE_feature_ctm matrix currentmatrix put}if
+}def
+/end_feature
+{
+	2 dict begin
+	/spd /setpagedevice load def
+	/setpagedevice { get_gstate spd set_gstate } def
+	stopped{$error/newerror false put}if
+	end
+	count Adobe_AGM_Core/AGMCORE_feature_opCount get sub dup 0 gt{{pop}repeat}{pop}ifelse
+	countdictstack Adobe_AGM_Core/AGMCORE_feature_dictCount get sub dup 0 gt{{end}repeat}{pop}ifelse
+	{Adobe_AGM_Core/AGMCORE_feature_ctm get setmatrix}if
+}def
+/set_negative
+{
+	Adobe_AGM_Core begin
+	/AGMCORE_inverting exch def
+	level2{
+		currentpagedevice/NegativePrint known{
+			currentpagedevice/NegativePrint get Adobe_AGM_Core/AGMCORE_inverting get ne{
+				true begin_feature true{
+						bdict /NegativePrint Adobe_AGM_Core/AGMCORE_inverting get edict setpagedevice
+				}end_feature
+			}if
+			/AGMCORE_inverting false def
+		}if
+	}if
+	AGMCORE_inverting{
+		[{1 exch sub}/exec load dup currenttransfer exch]cvx bind settransfer
+		gsave newpath clippath 1 /setseparationgray where{pop setseparationgray}{setgray}ifelse
+		/AGMIRS_&fill where {pop AGMIRS_&fill}{fill} ifelse grestore
+	}if
+	end
+}def
+/lw_save_restore_override {
+	/md where {
+		pop
+		md begin
+		initializepage
+		/initializepage{}def
+		/pmSVsetup{} def
+		/endp{}def
+		/pse{}def
+		/psb{}def
+		/orig_showpage where
+			{pop}
+			{/orig_showpage /showpage load def}
+		ifelse
+		/showpage {orig_showpage gR} def
+		end
+	}if
+}def
+/pscript_showpage_override {
+	/NTPSOct95 where
+	{
+		begin
+		showpage
+		save
+		/showpage /restore load def
+		/restore {exch pop}def
+		end
+	}if
+}def
+/driver_media_override
+{
+	/md where {
+		pop
+		md /initializepage known {
+			md /initializepage {} put
+		} if
+		md /rC known {
+			md /rC {4{pop}repeat} put
+		} if
+	}if
+	/mysetup where {
+		/mysetup [1 0 0 1 0 0] put
+	}if
+	Adobe_AGM_Core /AGMCORE_Default_CTM matrix currentmatrix put
+	level2
+		{Adobe_AGM_Core /AGMCORE_Default_PageSize currentpagedevice/PageSize get put}if
+}def
+/driver_check_media_override
+{
+	/PrepsDict where
+		{pop}
+		{
+		Adobe_AGM_Core /AGMCORE_Default_CTM get matrix currentmatrix ne
+		Adobe_AGM_Core /AGMCORE_Default_PageSize get type /arraytype eq
+			{
+			Adobe_AGM_Core /AGMCORE_Default_PageSize get 0 get currentpagedevice/PageSize get 0 get eq and
+			Adobe_AGM_Core /AGMCORE_Default_PageSize get 1 get currentpagedevice/PageSize get 1 get eq and
+			}if
+			{
+			Adobe_AGM_Core /AGMCORE_Default_CTM get setmatrix
+			}if
+		}ifelse
+}def
+AGMCORE_err_strings begin
+	/AGMCORE_bad_environ (Environment not satisfactory for this job. Ensure that the PPD is correct or that the PostScript level requested is supported by this printer. ) def
+	/AGMCORE_color_space_onhost_seps (This job contains colors that will not separate with on-host methods. ) def
+	/AGMCORE_invalid_color_space (This job contains an invalid color space. ) def
+end
+end
+systemdict /setpacking known
+{
+	setpacking
+} if
+%%EndResource
+%%BeginResource: procset Adobe_CoolType_Core 2.23 0
+%%Copyright: Copyright 1997-2003 Adobe Systems Incorporated.  All Rights Reserved.
+%%Version: 2.23 0
+10 dict begin
+/Adobe_CoolType_Passthru currentdict def
+/Adobe_CoolType_Core_Defined userdict /Adobe_CoolType_Core known def
+Adobe_CoolType_Core_Defined
+	{ /Adobe_CoolType_Core userdict /Adobe_CoolType_Core get def }
+if
+userdict /Adobe_CoolType_Core 60 dict dup begin put
+/Adobe_CoolType_Version 2.23 def
+/Level2?
+	systemdict /languagelevel known dup
+		{ pop systemdict /languagelevel get 2 ge }
+	if def
+Level2? not
+	{
+	/currentglobal false def
+	/setglobal /pop load def
+	/gcheck { pop false } bind def
+	/currentpacking false def
+	/setpacking /pop load def
+	/SharedFontDirectory 0 dict def
+	}
+if
+currentpacking
+true setpacking
+/@_SaveStackLevels
+	{
+	Adobe_CoolType_Data
+		begin
+		@opStackCountByLevel @opStackLevel
+		2 copy known not
+			{ 2 copy 3 dict dup /args 7 index 5 add array put put get }
+			{
+			get dup /args get dup length 3 index lt
+				{
+				dup length 5 add array exch
+				1 index exch 0 exch putinterval
+				1 index exch /args exch put
+				}
+				{ pop }
+			ifelse
+			}
+		ifelse
+			begin
+			count 2 sub 1 index lt
+				{ pop count 1 sub }
+			if
+			dup /argCount exch def
+			dup 0 gt
+				{
+				exch 1 index 2 add 1 roll
+				args exch 0 exch getinterval
+			astore pop
+				}
+				{ pop }
+			ifelse
+			count 1 sub /restCount exch def
+			end
+		/@opStackLevel @opStackLevel 1 add def
+		countdictstack 1 sub
+		@dictStackCountByLevel exch @dictStackLevel exch put
+		/@dictStackLevel @dictStackLevel 1 add def
+		end
+	} bind def
+/@_RestoreStackLevels
+	{
+	Adobe_CoolType_Data
+		begin
+		/@opStackLevel @opStackLevel 1 sub def
+		@opStackCountByLevel @opStackLevel get
+			begin
+			count restCount sub dup 0 gt
+				{ { pop } repeat }
+				{ pop }
+			ifelse
+			args 0 argCount getinterval {} forall
+			end
+		/@dictStackLevel @dictStackLevel 1 sub def
+		@dictStackCountByLevel @dictStackLevel get
+		end
+	countdictstack exch sub dup 0 gt
+		{ { end } repeat }
+		{ pop }
+	ifelse
+	} bind def
+/@_PopStackLevels
+	{
+	Adobe_CoolType_Data
+		begin
+		/@opStackLevel @opStackLevel 1 sub def
+		/@dictStackLevel @dictStackLevel 1 sub def
+		end
+	} bind def
+/@Raise
+	{
+	exch cvx exch errordict exch get exec
+	stop
+	} bind def
+/@ReRaise
+	{
+	cvx $error /errorname get errordict exch get exec
+	stop
+	} bind def
+/@Stopped
+	{
+	0 @#Stopped
+	} bind def
+/@#Stopped
+	{
+	@_SaveStackLevels
+	stopped
+		{ @_RestoreStackLevels true }
+		{ @_PopStackLevels false }
+	ifelse
+	} bind def
+/@Arg
+	{
+	Adobe_CoolType_Data
+		begin
+		@opStackCountByLevel @opStackLevel 1 sub get /args get exch get
+		end
+	} bind def
+currentglobal true setglobal
+/CTHasResourceForAllBug
+	Level2?
+		{
+		1 dict dup begin
+		mark
+			{
+				(*) { pop stop } 128 string /Category
+			resourceforall
+			}
+		stopped
+		cleartomark
+		currentdict eq dup
+			{ end }
+		if
+		not
+		}
+		{ false }
+	ifelse
+	def
+/CTHasResourceStatusBug
+	Level2?
+		{
+		mark
+			{ /steveamerige /Category resourcestatus }
+		stopped
+			{ cleartomark true }
+			{ cleartomark currentglobal not }
+		ifelse
+		}
+		{ false }
+	ifelse
+	def
+setglobal
+/CTResourceStatus
+		{
+		mark 3 1 roll
+		/Category findresource
+			begin
+			({ResourceStatus} stopped) 0 () /SubFileDecode filter cvx exec
+				{ cleartomark false }
+				{ { 3 2 roll pop true } { cleartomark false } ifelse }
+			ifelse
+			end
+		} bind def
+/CTWorkAroundBugs
+	{
+	Level2?
+		{
+		/cid_PreLoad /ProcSet resourcestatus
+			{
+			pop pop
+			currentglobal
+			mark
+				{
+				(*)
+					{
+					dup /CMap CTHasResourceStatusBug
+						{ CTResourceStatus }
+						{ resourcestatus }
+					ifelse
+						{
+						pop dup 0 eq exch 1 eq or
+							{
+							dup /CMap findresource gcheck setglobal
+							/CMap undefineresource
+							}
+							{
+							pop CTHasResourceForAllBug
+								{ exit }
+								{ stop }
+							ifelse
+							}
+						ifelse
+						}
+						{ pop }
+					ifelse
+					}
+				128 string /CMap resourceforall
+				}
+			stopped
+				{ cleartomark }
+			stopped pop
+			setglobal
+			}
+		if
+		}
+	if
+	} bind def
+/doc_setup
+	{
+	Adobe_CoolType_Core
+		begin
+		CTWorkAroundBugs
+		/mov /moveto load def
+		/nfnt /newencodedfont load def
+		/mfnt /makefont load def
+		/sfnt /setfont load def
+		/ufnt /undefinefont load def
+		/chp /charpath load def
+		/awsh /awidthshow load def
+		/wsh /widthshow load def
+		/ash /ashow load def
+		/sh /show load def
+		end
+	userdict /Adobe_CoolType_Data 10 dict dup
+		begin
+		/AddWidths? false def
+		/CC 0 def
+		/charcode 2 string def
+		/@opStackCountByLevel 32 dict def
+		/@opStackLevel 0 def
+		/@dictStackCountByLevel 32 dict def
+		/@dictStackLevel 0 def
+		/InVMFontsByCMap 10 dict def
+		/InVMDeepCopiedFonts 10 dict def
+		end put
+	} bind def
+/doc_trailer
+	{
+	currentdict Adobe_CoolType_Core eq
+		{ end }
+	if
+	} bind def
+/page_setup
+	{
+	Adobe_CoolType_Core begin
+	} bind def
+/page_trailer
+	{
+	end
+	} bind def
+/unload
+	{
+	systemdict /languagelevel known
+		{
+		systemdict/languagelevel get 2 ge
+			{
+			userdict/Adobe_CoolType_Core 2 copy known
+				{ undef }
+				{ pop pop }
+			ifelse
+			}
+		if
+		}
+	if
+	} bind def
+/ndf
+	{
+	1 index where
+		{ pop pop pop }
+		{ dup xcheck { bind } if def }
+	ifelse
+	} def
+/findfont systemdict
+	begin
+	userdict
+		begin
+		/globaldict where { /globaldict get begin } if
+			dup where pop exch get
+		/globaldict where { pop end } if
+		end
+	end
+Adobe_CoolType_Core_Defined
+	{ /systemfindfont exch def }
+	{
+	/findfont 1 index def
+	/systemfindfont exch def
+	}
+ifelse
+/undefinefont
+	{ pop } ndf
+/copyfont
+	{
+	currentglobal 3 1 roll
+	1 index gcheck setglobal
+	dup null eq { 0 } { dup length } ifelse
+	2 index length add 1 add dict
+		begin
+		exch
+			{
+			1 index /FID eq
+				{ pop pop }
+				{ def }
+			ifelse
+			}
+		forall
+		dup null eq
+			{ pop }
+			{ { def } forall }
+		ifelse
+		currentdict
+		end
+	exch setglobal
+	} bind def
+/copyarray
+	{
+	currentglobal exch
+	dup gcheck setglobal
+	dup length array copy
+	exch setglobal
+	} bind def
+/newencodedfont
+	{
+	currentglobal
+		{
+		SharedFontDirectory 3 index  known
+			{ SharedFontDirectory 3 index get /FontReferenced known }
+			{ false }
+		ifelse
+		}
+		{
+		FontDirectory 3 index known
+			{ FontDirectory 3 index get /FontReferenced known }
+			{
+			SharedFontDirectory 3 index known
+				{ SharedFontDirectory 3 index get /FontReferenced known }
+				{ false }
+			ifelse
+			}
+		ifelse
+		}
+	ifelse
+	dup
+		{
+		3 index findfont /FontReferenced get
+		2 index dup type /nametype eq
+			{findfont}
+		if ne
+			{ pop false }
+		if
+		}
+	if
+		{
+		pop
+		1 index findfont
+		/Encoding get exch
+		0 1 255
+			{ 2 copy get 3 index 3 1 roll put }
+		for
+		pop pop pop
+		}
+		{
+		dup type /nametype eq
+		  { findfont }
+	  if
+		dup dup maxlength 2 add dict
+			begin
+			exch
+				{
+				1 index /FID ne
+					{def}
+					{pop pop}
+				ifelse
+				}
+			forall
+			/FontReferenced exch def
+			/Encoding exch dup length array copy def
+			/FontName 1 index dup type /stringtype eq { cvn } if def dup
+			currentdict
+			end
+		definefont def
+		}
+	ifelse
+	} bind def
+/SetSubstituteStrategy
+	{
+	$SubstituteFont
+		begin
+		dup type /dicttype ne
+			{ 0 dict }
+		if
+		currentdict /$Strategies known
+			{
+			exch $Strategies exch
+			2 copy known
+				{
+				get
+				2 copy maxlength exch maxlength add dict
+					begin
+					{ def } forall
+					{ def } forall
+					currentdict
+					dup /$Init known
+						{ dup /$Init get exec }
+					if
+					end
+				/$Strategy exch def
+				}
+				{ pop pop pop }
+			ifelse
+			}
+			{ pop pop }
+		ifelse
+		end
+	} bind def
+/scff
+	{
+	$SubstituteFont
+		begin
+		dup type /stringtype eq
+			{ dup length exch }
+			{ null }
+		ifelse
+		/$sname exch def
+		/$slen exch def
+		/$inVMIndex
+			$sname null eq
+				{
+				1 index $str cvs
+				dup length $slen sub $slen getinterval cvn
+				}
+				{ $sname }
+			ifelse def
+		end
+		{ findfont }
+	@Stopped
+		{
+		dup length 8 add string exch
+		1 index 0 (BadFont:) putinterval
+		1 index exch 8 exch dup length string cvs putinterval cvn
+			{ findfont }
+		@Stopped
+			{ pop /Courier findfont }
+		if
+		}
+	if
+	$SubstituteFont
+		begin
+		/$sname null def
+		/$slen 0 def
+		/$inVMIndex null def
+		end
+	} bind def
+/isWidthsOnlyFont
+	{
+	dup /WidthsOnly known
+		{ pop pop true }
+		{
+		dup /FDepVector known
+			{ /FDepVector get { isWidthsOnlyFont dup { exit } if } forall }
+			{
+			dup /FDArray known
+				{ /FDArray get { isWidthsOnlyFont dup { exit } if } forall }
+				{ pop }
+			ifelse
+			}
+		ifelse
+		}
+	ifelse
+	} bind def
+/?str1 256 string def
+/?set
+	{
+	$SubstituteFont
+		begin
+		/$substituteFound false def
+		/$fontname 4 index def
+		/$doSmartSub false def
+		end
+	3 index
+	currentglobal false setglobal exch
+	/CompatibleFonts /ProcSet resourcestatus
+		{
+		pop pop
+		/CompatibleFonts /ProcSet findresource
+			begin
+			dup /CompatibleFont currentexception
+			1 index /CompatibleFont true setexception
+			1 index /Font resourcestatus
+				{
+				pop pop
+				3 2 roll setglobal
+				end
+				exch
+				dup findfont
+				/CompatibleFonts /ProcSet findresource
+					begin
+					3 1 roll exch /CompatibleFont exch setexception
+					end
+				}
+				{
+				3 2 roll setglobal
+				1 index exch /CompatibleFont exch setexception
+				end
+				findfont
+				$SubstituteFont /$substituteFound true put
+				}
+			ifelse
+		}
+		{ exch setglobal findfont }
+	ifelse
+	$SubstituteFont
+		begin
+		$substituteFound
+			{
+		 false
+		 (%%[Using embedded font ) print
+		 5 index ?str1 cvs print
+		 ( to avoid the font substitution problem noted earlier.]%%\n) print
+		 }
+			{
+			dup /FontName known
+				{
+				dup /FontName get $fontname eq
+				1 index /DistillerFauxFont known not and
+				/currentdistillerparams where
+					{ pop false 2 index isWidthsOnlyFont not and }
+				if
+				}
+				{ false }
+			ifelse
+			}
+		ifelse
+		exch pop
+		/$doSmartSub true def
+		end
+		{
+		exch pop exch pop exch
+		2 dict dup /Found 3 index put
+		exch findfont exch
+		}
+		{
+		exch exec
+		exch dup findfont
+		dup /FontType get 3 eq
+	  {
+		  exch ?str1 cvs
+		  dup length 1 sub
+		  -1 0
+		{
+			  exch dup 2 index get 42 eq
+			{
+				 exch 0 exch getinterval cvn 4 1 roll 3 2 roll pop
+				 exit
+			  }
+			  {exch pop} ifelse
+		  }for
+		}
+		{
+		 exch pop
+	  } ifelse
+		2 dict dup /Downloaded 6 5 roll put
+		}
+	ifelse
+	dup /FontName 4 index put copyfont definefont pop
+	} bind def
+/?str2 256 string def
+/?add
+	{
+	1 index type /integertype eq
+		{ exch true 4 2 }
+		{ false 3 1 }
+	ifelse
+	roll
+	1 index findfont
+	dup /Widths known
+		{
+		Adobe_CoolType_Data /AddWidths? true put
+		gsave dup 1000 scalefont setfont
+		}
+	if
+	/Downloaded known
+		{
+		exec
+		exch
+			{
+			exch ?str2 cvs exch
+			findfont /Downloaded get 1 dict begin /Downloaded 1 index def ?str1 cvs length
+			?str1 1 index 1 add 3 index putinterval
+			exch length 1 add 1 index add
+			?str1 2 index (*) putinterval
+			?str1 0 2 index getinterval cvn findfont
+			?str1 3 index (+) putinterval
+			2 dict dup /FontName ?str1 0 6 index getinterval cvn put
+			dup /Downloaded Downloaded put end copyfont
+			dup /FontName get exch definefont pop pop pop
+			}
+			{
+			pop
+			}
+		ifelse
+		}
+		{
+		pop
+		exch
+			{
+			findfont
+			dup /Found get
+			dup length exch ?str1 cvs pop
+			?str1 1 index (+) putinterval
+			?str1 1 index 1 add 4 index ?str2 cvs putinterval
+			?str1 exch 0 exch 5 4 roll ?str2 cvs length 1 add add getinterval cvn
+			1 dict exch 1 index exch /FontName exch put copyfont
+			dup /FontName get exch definefont pop
+			}
+			{
+			pop
+			}
+		ifelse
+		}
+	ifelse
+	Adobe_CoolType_Data /AddWidths? get
+		{ grestore Adobe_CoolType_Data /AddWidths? false put }
+	if
+	} bind def
+/?sh
+	{
+	currentfont /Downloaded known { exch } if pop
+	} bind def
+/?chp
+	{
+	currentfont /Downloaded known { pop } { false chp } ifelse
+	} bind def
+/?mv
+	{
+	currentfont /Downloaded known { moveto pop pop } { pop pop moveto } ifelse
+	} bind def
+setpacking
+userdict /$SubstituteFont 25 dict put
+1 dict
+	begin
+	/SubstituteFont
+		dup $error exch 2 copy known
+			{ get }
+			{ pop pop { pop /Courier } bind }
+		ifelse def
+	/currentdistillerparams where dup
+		{
+		pop pop
+		currentdistillerparams /CannotEmbedFontPolicy 2 copy known
+			{ get /Error eq }
+			{ pop pop false }
+		ifelse
+		}
+	if not
+		{
+		countdictstack array dictstack 0 get
+			begin
+			userdict
+				begin
+				$SubstituteFont
+					begin
+					/$str 128 string def
+					/$fontpat 128 string def
+					/$slen 0 def
+					/$sname null def
+					/$match false def
+					/$fontname null def
+					/$substituteFound false def
+					/$inVMIndex null def
+					/$doSmartSub true def
+					/$depth 0 def
+					/$fontname null def
+					/$italicangle 26.5 def
+					/$dstack null def
+					/$Strategies 10 dict dup
+						begin
+						/$Type3Underprint
+							{
+							currentglobal exch false setglobal
+							11 dict
+								begin
+								/UseFont exch
+									$WMode 0 ne
+										{
+										dup length dict copy
+										dup /WMode $WMode put
+										/UseFont exch definefont
+										}
+									if def
+								/FontName $fontname dup type /stringtype eq { cvn } if def
+								/FontType 3 def
+								/FontMatrix [ .001 0 0 .001 0 0 ] def
+								/Encoding 256 array dup 0 1 255 { /.notdef put dup } for pop def
+								/FontBBox [ 0 0 0 0 ] def
+								/CCInfo 7 dict dup
+									begin
+									/cc null def
+									/x 0 def
+									/y 0 def
+									end def
+								/BuildChar
+									{
+									exch
+										begin
+										CCInfo
+											begin
+											1 string dup 0 3 index put exch pop
+											/cc exch def
+											UseFont 1000 scalefont setfont
+											cc stringwidth /y exch def /x exch def
+											x y setcharwidth
+											$SubstituteFont /$Strategy get /$Underprint get exec
+											0 0 moveto cc show
+											x y moveto
+											end
+										end
+									} bind def
+								currentdict
+								end
+							exch setglobal
+							} bind def
+						/$GetaTint
+							2 dict dup
+								begin
+								/$BuildFont
+									{
+									dup /WMode known
+										{ dup /WMode get }
+										{ 0 }
+									ifelse
+									/$WMode exch def
+									$fontname exch
+									dup /FontName known
+										{
+										dup /FontName get
+										dup type /stringtype eq { cvn } if
+										}
+										{ /unnamedfont }
+									ifelse
+									exch
+									Adobe_CoolType_Data /InVMDeepCopiedFonts get
+									1 index /FontName get known
+										{
+										pop
+										Adobe_CoolType_Data /InVMDeepCopiedFonts get
+										1 index get
+										null copyfont
+										}
+										{ $deepcopyfont }
+									ifelse
+									exch 1 index exch /FontBasedOn exch put
+									dup /FontName $fontname dup type /stringtype eq { cvn } if put
+									definefont
+									Adobe_CoolType_Data /InVMDeepCopiedFonts get
+										begin
+										dup /FontBasedOn get 1 index def
+										end
+									} bind def
+								/$Underprint
+									{
+									gsave
+									x abs y abs gt
+										{ /y 1000 def }
+										{ /x -1000 def 500 120 translate }
+									ifelse
+									Level2?
+										{
+										[ /Separation (All) /DeviceCMYK { 0 0 0 1 pop } ]
+										setcolorspace
+										}
+										{ 0 setgray }
+									ifelse
+									10 setlinewidth
+									x .8 mul
+									[ 7 3 ]
+										{
+										y mul 8 div 120 sub x 10 div exch moveto
+										0 y 4 div neg rlineto
+										dup 0 rlineto
+										0 y 4 div rlineto
+										closepath
+										gsave
+										Level2?
+											{ .2 setcolor }
+											{ .8 setgray }
+										ifelse
+										fill grestore
+										stroke
+										}
+									forall
+									pop
+									grestore
+									} bind def
+								end def
+						/$Oblique
+							1 dict dup
+								begin
+								/$BuildFont
+									{
+									currentglobal exch dup gcheck setglobal
+									null copyfont
+										begin
+										/FontBasedOn
+										currentdict /FontName known
+											{
+											FontName
+											dup type /stringtype eq { cvn } if
+											}
+											{ /unnamedfont }
+										ifelse
+										def
+										/FontName $fontname dup type /stringtype eq { cvn } if def
+										/currentdistillerparams where
+											{ pop }
+											{
+											/FontInfo currentdict /FontInfo known
+												{ FontInfo null copyfont }
+												{ 2 dict }
+											ifelse
+											dup
+												begin
+												/ItalicAngle $italicangle def
+												/FontMatrix FontMatrix
+												[ 1 0 ItalicAngle dup sin exch cos div 1 0 0 ]
+												matrix concatmatrix readonly
+												end
+											4 2 roll def
+											def
+											}
+										ifelse
+										FontName currentdict
+										end
+									definefont
+									exch setglobal
+									} bind def
+								end def
+						/$None
+							1 dict dup
+								begin
+								/$BuildFont {} bind def
+								end def
+						end def
+					/$Oblique SetSubstituteStrategy
+					/$findfontByEnum
+						{
+						dup type /stringtype eq { cvn } if
+						dup /$fontname exch def
+						$sname null eq
+							{ $str cvs dup length $slen sub $slen getinterval }
+							{ pop $sname }
+						ifelse
+						$fontpat dup 0 (fonts/*) putinterval exch 7 exch putinterval
+						/$match false def
+						$SubstituteFont /$dstack countdictstack array dictstack put
+						mark
+							{
+							$fontpat 0 $slen 7 add getinterval
+								{ /$match exch def exit }
+							$str filenameforall
+							}
+						stopped
+							{
+							cleardictstack
+							currentdict
+							true
+							$SubstituteFont /$dstack get
+								{
+								exch
+									{
+									1 index eq
+										{ pop false }
+										{ true }
+									ifelse
+									}
+									{ begin false }
+								ifelse
+								}
+							forall
+							pop
+							}
+						if
+						cleartomark
+						/$slen 0 def
+						$match false ne
+							{ $match (fonts/) anchorsearch pop pop cvn }
+							{ /Courier }
+						ifelse
+						} bind def
+					/$ROS 1 dict dup
+						begin
+						/Adobe 4 dict dup
+							begin
+							/Japan1  [ /Ryumin-Light /HeiseiMin-W3
+										  /GothicBBB-Medium /HeiseiKakuGo-W5
+										  /HeiseiMaruGo-W4 /Jun101-Light ] def
+							/Korea1  [ /HYSMyeongJo-Medium /HYGoThic-Medium ] def
+							/GB1	  [ /STSong-Light /STHeiti-Regular ] def
+							/CNS1	 [ /MKai-Medium /MHei-Medium ] def
+							end def
+						end def
+					/$cmapname null def
+					/$deepcopyfont
+						{
+						dup /FontType get 0 eq
+							{
+							1 dict dup /FontName /copied put copyfont
+								begin
+								/FDepVector FDepVector copyarray
+								0 1 2 index length 1 sub
+									{
+									2 copy get $deepcopyfont
+									dup /FontName /copied put
+									/copied exch definefont
+									3 copy put pop pop
+									}
+								for
+								def
+								currentdict
+								end
+							}
+							{ $Strategies /$Type3Underprint get exec }
+						ifelse
+						} bind def
+					/$buildfontname
+						{
+						dup /CIDFont findresource /CIDSystemInfo get
+							begin
+							Registry length Ordering length Supplement 8 string cvs
+							3 copy length 2 add add add string
+							dup 5 1 roll dup 0 Registry putinterval
+							dup 4 index (-) putinterval
+							dup 4 index 1 add Ordering putinterval
+							4 2 roll add 1 add 2 copy (-) putinterval
+							end
+						1 add 2 copy 0 exch getinterval $cmapname $fontpat cvs exch
+						anchorsearch
+							{ pop pop 3 2 roll putinterval cvn /$cmapname exch def }
+							{ pop pop pop pop pop }
+						ifelse
+						length
+						$str 1 index (-) putinterval 1 add
+						$str 1 index $cmapname $fontpat cvs putinterval
+						$cmapname length add
+						$str exch 0 exch getinterval cvn
+						} bind def
+					/$findfontByROS
+						{
+						/$fontname exch def
+						$ROS Registry 2 copy known
+							{
+							get Ordering 2 copy known
+								{ get }
+								{ pop pop [] }
+							ifelse
+							}
+							{ pop pop [] }
+						ifelse
+						false exch
+							{
+							dup /CIDFont resourcestatus
+								{
+								pop pop
+								save
+								1 index /CIDFont findresource
+								dup /WidthsOnly known
+									{ dup /WidthsOnly get }
+									{ false }
+								ifelse
+								exch pop
+								exch restore
+									{ pop }
+									{ exch pop true exit }
+								ifelse
+								}
+								{ pop }
+							ifelse
+							}
+						forall
+							{ $str cvs $buildfontname }
+							{
+							false (*)
+								{
+								save exch
+								dup /CIDFont findresource
+								dup /WidthsOnly known
+									{ dup /WidthsOnly get not }
+									{ true }
+								ifelse
+								exch /CIDSystemInfo get
+								dup /Registry get Registry eq
+								exch /Ordering get Ordering eq and and
+									{ exch restore exch pop true exit }
+									{ pop restore }
+								ifelse
+								}
+							$str /CIDFont resourceforall
+								{ $buildfontname }
+								{ $fontname $findfontByEnum }
+							ifelse
+							}
+						ifelse
+						} bind def
+					end
+				end
+				currentdict /$error known currentdict /languagelevel known and dup
+					{ pop $error /SubstituteFont known }
+				if
+				dup
+					{ $error }
+					{ Adobe_CoolType_Core }
+				ifelse
+				begin
+					{
+					/SubstituteFont
+					/CMap /Category resourcestatus
+						{
+						pop pop
+						{
+						$SubstituteFont
+							begin
+							/$substituteFound true def
+							dup length $slen gt
+							$sname null ne or
+							$slen 0 gt and
+								{
+								$sname null eq
+									{ dup $str cvs dup length $slen sub $slen getinterval cvn }
+									{ $sname }
+								ifelse
+								Adobe_CoolType_Data /InVMFontsByCMap get
+								1 index 2 copy known
+									{
+									get
+									false exch
+										{
+										pop
+										currentglobal
+											{
+											GlobalFontDirectory 1 index known
+												{ exch pop true exit }
+												{ pop }
+											ifelse
+											}
+											{
+											FontDirectory 1 index known
+												{ exch pop true exit }
+												{
+												GlobalFontDirectory 1 index known
+													{ exch pop true exit }
+													{ pop }
+												ifelse
+												}
+											ifelse
+											}
+										ifelse
+										}
+									forall
+									}
+									{ pop pop false }
+								ifelse
+									{
+									exch pop exch pop
+									}
+									{
+									dup /CMap resourcestatus
+										{
+										pop pop
+										dup /$cmapname exch def
+										/CMap findresource /CIDSystemInfo get { def } forall
+										$findfontByROS
+										}
+										{
+										128 string cvs
+										dup (-) search
+											{
+											3 1 roll search
+												{
+												3 1 roll pop
+													{ dup cvi }
+												stopped
+													{ pop pop pop pop pop $findfontByEnum }
+													{
+													4 2 roll pop pop
+													exch length
+													exch
+													2 index length
+													2 index
+													sub
+													exch 1 sub -1 0
+														{
+														$str cvs dup length
+														4 index
+														0
+														4 index
+														4 3 roll add
+														getinterval
+														exch 1 index exch 3 index exch
+														putinterval
+														dup /CMap resourcestatus
+															{
+															pop pop
+															4 1 roll pop pop pop
+															dup /$cmapname exch def
+															/CMap findresource /CIDSystemInfo get { def } forall
+															$findfontByROS
+															true exit
+															}
+															{ pop }
+														ifelse
+														}
+													for
+													dup type /booleantype eq
+														{ pop }
+														{ pop pop pop $findfontByEnum }
+													ifelse
+													}
+												ifelse
+												}
+												{ pop pop pop $findfontByEnum }
+											ifelse
+											}
+											{ pop pop $findfontByEnum }
+										ifelse
+										}
+									ifelse
+									}
+								ifelse
+								}
+								{ //SubstituteFont exec }
+							ifelse
+							/$slen 0 def
+							end
+						}
+						}
+						{
+						{
+						$SubstituteFont
+							begin
+							/$substituteFound true def
+							dup length $slen gt
+							$sname null ne or
+							$slen 0 gt and
+								{ $findfontByEnum }
+								{ //SubstituteFont exec }
+							ifelse
+							end
+						}
+						}
+					ifelse
+					bind readonly def
+					Adobe_CoolType_Core /scfindfont /systemfindfont load put
+					}
+					{
+					/scfindfont
+						{
+						$SubstituteFont
+							begin
+							dup systemfindfont
+							dup /FontName known
+								{ dup /FontName get dup 3 index ne }
+								{ /noname true }
+							ifelse
+							dup
+								{
+								/$origfontnamefound 2 index def
+								/$origfontname 4 index def /$substituteFound true def
+								}
+							if
+							exch pop
+								{
+								$slen 0 gt
+								$sname null ne
+								3 index length $slen gt or and
+									{
+									pop dup $findfontByEnum findfont
+									dup maxlength 1 add dict
+										begin
+											{ 1 index /FID eq { pop pop } { def } ifelse }
+										forall
+										currentdict
+										end
+									definefont
+									dup /FontName known { dup /FontName get } { null } ifelse
+									$origfontnamefound ne
+										{
+										$origfontname $str cvs print
+										( substitution revised, using ) print
+										dup /FontName known
+											{ dup /FontName get } { (unspecified font) }
+										ifelse
+										$str cvs print (.\n) print
+										}
+									if
+									}
+									{ exch pop }
+								ifelse
+								}
+								{ exch pop }
+							ifelse
+							end
+						} bind def
+					}
+				ifelse
+				end
+			end
+		Adobe_CoolType_Core_Defined not
+			{
+			Adobe_CoolType_Core /findfont
+				{
+				$SubstituteFont
+					begin
+					$depth 0 eq
+						{
+						/$fontname 1 index dup type /stringtype ne { $str cvs } if def
+						/$substituteFound false def
+						}
+					if
+					/$depth $depth 1 add def
+					end
+				scfindfont
+				$SubstituteFont
+					begin
+					/$depth $depth 1 sub def
+					$substituteFound $depth 0 eq and
+						{
+						$inVMIndex null ne
+							{ dup $inVMIndex $AddInVMFont }
+						if
+						$doSmartSub
+							{
+							currentdict /$Strategy known
+								{ $Strategy /$BuildFont get exec }
+							if
+							}
+						if
+						}
+					if
+					end
+				} bind put
+			}
+		if
+		}
+	if
+	end
+/$AddInVMFont
+	{
+	exch /FontName 2 copy known
+		{
+		get
+		1 dict dup begin exch 1 index gcheck def end exch
+		Adobe_CoolType_Data /InVMFontsByCMap get exch
+		$DictAdd
+		}
+		{ pop pop pop }
+	ifelse
+	} bind def
+/$DictAdd
+	{
+	2 copy known not
+		{ 2 copy 4 index length dict put }
+	if
+	Level2? not
+		{
+		2 copy get dup maxlength exch length 4 index length add lt
+		2 copy get dup length 4 index length add exch maxlength 1 index lt
+			{
+			2 mul dict
+				begin
+				2 copy get { forall } def
+				2 copy currentdict put
+				end
+			}
+			{ pop }
+		ifelse
+		}
+	if
+	get
+		begin
+			{ def }
+		forall
+		end
+	} bind def
+end
+end
+%%EndResource
+%%BeginResource: procset Adobe_CoolType_Utility_MAKEOCF 1.19 0
+%%Copyright: Copyright 1987-2003 Adobe Systems Incorporated.
+%%Version: 1.19 0
+systemdict /languagelevel known dup
+	{ currentglobal false setglobal }
+	{ false }
+ifelse
+exch
+userdict /Adobe_CoolType_Utility 2 copy known
+	{ 2 copy get dup maxlength 25 add dict copy }
+	{ 25 dict }
+ifelse put
+Adobe_CoolType_Utility
+	begin
+	/ct_Level2? exch def
+	/ct_Clone? 1183615869 internaldict dup
+			/CCRun known not
+			exch /eCCRun known not
+			ct_Level2? and or def
+ct_Level2?
+	{ globaldict begin currentglobal true setglobal }
+if
+	/ct_AddStdCIDMap
+		ct_Level2?
+			{ {
+			((Hex) 57 StartData
+			0615 1e27 2c39 1c60 d8a8 cc31 fe2b f6e0
+			7aa3 e541 e21c 60d8 a8c9 c3d0 6d9e 1c60
+			d8a8 c9c2 02d7 9a1c 60d8 a849 1c60 d8a8
+			cc36 74f4 1144 b13b 77) 0 () /SubFileDecode filter cvx exec
+			} }
+			{ {
+			<BAB431EA07F209EB8C4348311481D9D3F76E3D15246555577D87BC510ED54E
+		 118C39697FA9F6DB58128E60EB8A12FA24D7CDD2FA94D221FA9EC8DA3E5E6A1C
+			4ACECC8C2D39C54E7C946031DD156C3A6B4A09AD29E1867A> eexec
+			} }
+		ifelse bind def
+userdict /cid_extensions known
+dup { cid_extensions /cid_UpdateDB known and } if
+	 {
+	 cid_extensions
+	 begin
+	 /cid_GetCIDSystemInfo
+		 {
+		 1 index type /stringtype eq
+			 { exch cvn exch }
+		 if
+		 cid_extensions
+			 begin
+			 dup load 2 index known
+				 {
+				 2 copy
+				 cid_GetStatusInfo
+				 dup null ne
+					 {
+					 1 index load
+					 3 index get
+					 dup null eq
+						  { pop pop cid_UpdateDB }
+						  {
+						  exch
+						  1 index /Created get eq
+							  { exch pop exch pop }
+							  { pop cid_UpdateDB }
+						  ifelse
+						  }
+					 ifelse
+					 }
+					 { pop cid_UpdateDB }
+				 ifelse
+				 }
+				 { cid_UpdateDB }
+			 ifelse
+			 end
+		 } bind def
+	 end
+	 }
+if
+ct_Level2?
+	{ end setglobal }
+if
+	/ct_UseNativeCapability?  systemdict /composefont known def
+	/ct_MakeOCF 35 dict def
+	/ct_Vars 25 dict def
+	/ct_GlyphDirProcs 6 dict def
+	/ct_BuildCharDict 15 dict dup
+		begin
+		/charcode 2 string def
+		/dst_string 1500 string def
+		/nullstring () def
+		/usewidths? true def
+		end def
+	ct_Level2? { setglobal } { pop } ifelse
+	ct_GlyphDirProcs
+		begin
+		/GetGlyphDirectory
+			{
+			systemdict /languagelevel known
+				{ pop /CIDFont findresource /GlyphDirectory get }
+				{
+				1 index /CIDFont findresource /GlyphDirectory
+				get dup type /dicttype eq
+					{
+					dup dup maxlength exch length sub 2 index lt
+						{
+						dup length 2 index add dict copy 2 index
+						/CIDFont findresource/GlyphDirectory 2 index put
+						}
+					if
+					}
+				if
+				exch pop exch pop
+				}
+			ifelse
+			+
+			} def
+		/+
+			{
+			systemdict /languagelevel known
+				{
+				currentglobal false setglobal
+				3 dict begin
+					/vm exch def
+				}
+				{ 1 dict begin }
+			ifelse
+			/$ exch def
+			systemdict /languagelevel known
+				{
+				vm setglobal
+				/gvm currentglobal def
+				$ gcheck setglobal
+				}
+			if
+			? { $ begin } if
+			} def
+		/? { $ type /dicttype eq } def
+		/| {
+			userdict /Adobe_CoolType_Data known
+				{
+			Adobe_CoolType_Data /AddWidths? known
+				{
+				 currentdict Adobe_CoolType_Data
+					begin
+					  begin
+						AddWidths?
+								{
+								Adobe_CoolType_Data /CC 3 index put
+								? { def } { $ 3 1 roll put } ifelse
+								CC charcode exch 1 index 0 2 index 256 idiv put
+								1 index exch 1 exch 256 mod put
+								stringwidth 2 array astore
+								currentfont /Widths get exch CC exch put
+								}
+								{ ? { def } { $ 3 1 roll put } ifelse }
+							ifelse
+					end
+				end
+				}
+				{ ? { def } { $ 3 1 roll put } ifelse }	ifelse
+				}
+				{ ? { def } { $ 3 1 roll put } ifelse }
+			ifelse
+			} def
+		/!
+			{
+			? { end } if
+			systemdict /languagelevel known
+				{ gvm setglobal }
+			if
+			end
+			} def
+		/: { string currentfile exch readstring pop } executeonly def
+		end
+	ct_MakeOCF
+		begin
+		/ct_cHexEncoding
+		[/c00/c01/c02/c03/c04/c05/c06/c07/c08/c09/c0A/c0B/c0C/c0D/c0E/c0F/c10/c11/c12
+		 /c13/c14/c15/c16/c17/c18/c19/c1A/c1B/c1C/c1D/c1E/c1F/c20/c21/c22/c23/c24/c25
+		 /c26/c27/c28/c29/c2A/c2B/c2C/c2D/c2E/c2F/c30/c31/c32/c33/c34/c35/c36/c37/c38
+		 /c39/c3A/c3B/c3C/c3D/c3E/c3F/c40/c41/c42/c43/c44/c45/c46/c47/c48/c49/c4A/c4B
+		 /c4C/c4D/c4E/c4F/c50/c51/c52/c53/c54/c55/c56/c57/c58/c59/c5A/c5B/c5C/c5D/c5E
+		 /c5F/c60/c61/c62/c63/c64/c65/c66/c67/c68/c69/c6A/c6B/c6C/c6D/c6E/c6F/c70/c71
+		 /c72/c73/c74/c75/c76/c77/c78/c79/c7A/c7B/c7C/c7D/c7E/c7F/c80/c81/c82/c83/c84
+		 /c85/c86/c87/c88/c89/c8A/c8B/c8C/c8D/c8E/c8F/c90/c91/c92/c93/c94/c95/c96/c97
+		 /c98/c99/c9A/c9B/c9C/c9D/c9E/c9F/cA0/cA1/cA2/cA3/cA4/cA5/cA6/cA7/cA8/cA9/cAA
+		 /cAB/cAC/cAD/cAE/cAF/cB0/cB1/cB2/cB3/cB4/cB5/cB6/cB7/cB8/cB9/cBA/cBB/cBC/cBD
+		 /cBE/cBF/cC0/cC1/cC2/cC3/cC4/cC5/cC6/cC7/cC8/cC9/cCA/cCB/cCC/cCD/cCE/cCF/cD0
+		 /cD1/cD2/cD3/cD4/cD5/cD6/cD7/cD8/cD9/cDA/cDB/cDC/cDD/cDE/cDF/cE0/cE1/cE2/cE3
+		 /cE4/cE5/cE6/cE7/cE8/cE9/cEA/cEB/cEC/cED/cEE/cEF/cF0/cF1/cF2/cF3/cF4/cF5/cF6
+		 /cF7/cF8/cF9/cFA/cFB/cFC/cFD/cFE/cFF] def
+		/ct_CID_STR_SIZE 8000 def
+		/ct_mkocfStr100 100 string def
+		/ct_defaultFontMtx [.001 0 0 .001 0 0] def
+		/ct_1000Mtx [1000 0 0 1000 0 0] def
+		/ct_raise {exch cvx exch errordict exch get exec stop} bind def
+		/ct_reraise
+			{ cvx $error /errorname get (Error: ) print dup (						  ) cvs print
+					errordict exch get exec stop
+			} bind def
+		/ct_cvnsi
+			{
+			1 index add 1 sub 1 exch 0 4 1 roll
+				{
+				2 index exch get
+				exch 8 bitshift
+				add
+				}
+			for
+			exch pop
+			} bind def
+		/ct_GetInterval
+			{
+			Adobe_CoolType_Utility /ct_BuildCharDict get
+				begin
+				/dst_index 0 def
+				dup dst_string length gt
+					{ dup string /dst_string exch def }
+				if
+				1 index ct_CID_STR_SIZE idiv
+				/arrayIndex exch def
+				2 index arrayIndex  get
+				2 index
+				arrayIndex ct_CID_STR_SIZE mul
+				sub
+					{
+					dup 3 index add 2 index length le
+						{
+						2 index getinterval
+						dst_string  dst_index 2 index putinterval
+						length dst_index add /dst_index exch def
+						exit
+						}
+						{
+						1 index length 1 index sub
+						dup 4 1 roll
+						getinterval
+						dst_string  dst_index 2 index putinterval
+						pop dup dst_index add /dst_index exch def
+						sub
+						/arrayIndex arrayIndex 1 add def
+						2 index dup length arrayIndex gt
+							  { arrayIndex get }
+							  {
+							  pop
+							  exit
+							  }
+						ifelse
+						0
+						}
+					ifelse
+					}
+				loop
+				pop pop pop
+				dst_string 0 dst_index getinterval
+				end
+			} bind def
+		ct_Level2?
+			{
+			/ct_resourcestatus
+			currentglobal mark true setglobal
+				{ /unknowninstancename /Category resourcestatus }
+			stopped
+				{ cleartomark setglobal true }
+				{ cleartomark currentglobal not exch setglobal }
+			ifelse
+				{
+					{
+					mark 3 1 roll /Category findresource
+						begin
+						ct_Vars /vm currentglobal put
+						({ResourceStatus} stopped) 0 () /SubFileDecode filter cvx exec
+							{ cleartomark false }
+							{ { 3 2 roll pop true } { cleartomark false } ifelse }
+						ifelse
+						ct_Vars /vm get setglobal
+						end
+					}
+				}
+				{ { resourcestatus } }
+			ifelse bind def
+			/CIDFont /Category ct_resourcestatus
+				{ pop pop }
+				{
+				currentglobal  true setglobal
+				/Generic /Category findresource
+				dup length dict copy
+				dup /InstanceType /dicttype put
+				/CIDFont exch /Category defineresource pop
+				setglobal
+				}
+			ifelse
+			ct_UseNativeCapability?
+				{
+				/CIDInit /ProcSet findresource begin
+				12 dict begin
+				begincmap
+				/CIDSystemInfo 3 dict dup begin
+				  /Registry (Adobe) def
+				  /Ordering (Identity) def
+				  /Supplement 0 def
+				end def
+				/CMapName /Identity-H def
+				/CMapVersion 1.000 def
+				/CMapType 1 def
+				1 begincodespacerange
+				<0000> <FFFF>
+				endcodespacerange
+				1 begincidrange
+				<0000> <FFFF> 0
+				endcidrange
+				endcmap
+				CMapName currentdict /CMap defineresource pop
+				end
+				end
+				}
+			if
+			}
+			{
+			/ct_Category 2 dict begin
+			/CIDFont  10 dict def
+			/ProcSet	2 dict def
+			currentdict
+			end
+			def
+			/defineresource
+				{
+				ct_Category 1 index 2 copy known
+					{
+					get
+					dup dup maxlength exch length eq
+						{
+						dup length 10 add dict copy
+						ct_Category 2 index 2 index put
+						}
+					if
+					3 index 3 index put
+					pop exch pop
+					}
+					{ pop pop /defineresource /undefined ct_raise }
+				ifelse
+				} bind def
+			/findresource
+				{
+				ct_Category 1 index 2 copy known
+					{
+					get
+					2 index 2 copy known
+						{ get 3 1 roll pop pop}
+						{ pop pop /findresource /undefinedresource ct_raise }
+					ifelse
+					}
+					{ pop pop /findresource /undefined ct_raise }
+				ifelse
+				} bind def
+			/resourcestatus
+				{
+				ct_Category 1 index 2 copy known
+					{
+					get
+					2 index known
+					exch pop exch pop
+						{
+						0 -1 true
+						}
+						{
+						false
+						}
+					ifelse
+					}
+					{ pop pop /findresource /undefined ct_raise }
+				ifelse
+				} bind def
+			/ct_resourcestatus /resourcestatus load def
+			}
+		ifelse
+		/ct_CIDInit 2 dict
+			begin
+			/ct_cidfont_stream_init
+				{
+					{
+					dup (Binary) eq
+						{
+						pop
+						null
+						currentfile
+						ct_Level2?
+							{
+								{ cid_BYTE_COUNT () /SubFileDecode filter }
+							stopped
+								{ pop pop pop }
+							if
+							}
+						if
+						/readstring load
+						exit
+						}
+					if
+					dup (Hex) eq
+						{
+						pop
+						currentfile
+						ct_Level2?
+							{
+								{ null exch /ASCIIHexDecode filter /readstring }
+							stopped
+								{ pop exch pop (>) exch /readhexstring }
+							if
+							}
+							{ (>) exch /readhexstring }
+						ifelse
+						load
+						exit
+						}
+					if
+					/StartData /typecheck ct_raise
+					}
+				loop
+				cid_BYTE_COUNT ct_CID_STR_SIZE le
+					{
+					2 copy cid_BYTE_COUNT string exch exec
+					pop
+					1 array dup
+					3 -1 roll
+					0 exch put
+					}
+					{
+					cid_BYTE_COUNT ct_CID_STR_SIZE div ceiling cvi
+					dup array exch 2 sub 0 exch 1 exch
+						{
+						2 copy
+						5 index
+						ct_CID_STR_SIZE
+						string
+						6 index exec
+						pop
+						put
+						pop
+						}
+					for
+					2 index
+					cid_BYTE_COUNT ct_CID_STR_SIZE mod string
+					3 index exec
+					pop
+					1 index exch
+					1 index length 1 sub
+					exch put
+					}
+				ifelse
+				cid_CIDFONT exch /GlyphData exch put
+				2 index null eq
+					{
+					pop pop pop
+					}
+					{
+					pop /readstring load
+					1 string exch
+						{
+						3 copy exec
+						pop
+						dup length 0 eq
+							{
+							pop pop pop pop pop
+							true exit
+							}
+						if
+						4 index
+						eq
+							{
+							pop pop pop pop
+							false exit
+							}
+						if
+						}
+					loop
+					pop
+					}
+				ifelse
+				} bind def
+			/StartData
+				{
+				mark
+					{
+					currentdict
+					dup /FDArray get 0 get /FontMatrix get
+					0 get 0.001 eq
+						{
+						dup /CDevProc known not
+							{
+							/CDevProc 1183615869 internaldict /stdCDevProc 2 copy known
+								{ get }
+								{
+								pop pop
+								{ pop pop pop pop pop 0 -1000 7 index 2 div 880 }
+								}
+							ifelse
+							def
+							}
+						if
+						}
+						{
+						 /CDevProc
+							 {
+							 pop pop pop pop pop
+							 0
+							 1 cid_temp /cid_CIDFONT get
+							 /FDArray get 0 get
+							 /FontMatrix get 0 get div
+							 7 index 2 div
+							 1 index 0.88 mul
+							 } def
+						}
+					ifelse
+					/cid_temp 15 dict def
+					cid_temp
+						begin
+						/cid_CIDFONT exch def
+						3 copy pop
+						dup /cid_BYTE_COUNT exch def 0 gt
+							{
+							ct_cidfont_stream_init
+							FDArray
+								{
+								/Private get
+								dup /SubrMapOffset known
+									{
+									begin
+									/Subrs SubrCount array def
+									Subrs
+									SubrMapOffset
+									SubrCount
+									SDBytes
+									ct_Level2?
+										{
+										currentdict dup /SubrMapOffset undef
+										dup /SubrCount undef
+										/SDBytes undef
+										}
+									if
+									end
+									/cid_SD_BYTES exch def
+									/cid_SUBR_COUNT exch def
+									/cid_SUBR_MAP_OFFSET exch def
+									/cid_SUBRS exch def
+									cid_SUBR_COUNT 0 gt
+										{
+										GlyphData cid_SUBR_MAP_OFFSET cid_SD_BYTES ct_GetInterval
+										0 cid_SD_BYTES ct_cvnsi
+										0 1 cid_SUBR_COUNT 1 sub
+											{
+											exch 1 index
+											1 add
+											cid_SD_BYTES mul cid_SUBR_MAP_OFFSET add
+											GlyphData exch cid_SD_BYTES ct_GetInterval
+											0 cid_SD_BYTES ct_cvnsi
+											cid_SUBRS 4 2 roll
+											GlyphData exch
+											4 index
+											1 index
+											sub
+											ct_GetInterval
+											dup length string copy put
+											}
+										for
+										pop
+										}
+									if
+									}
+									{ pop }
+								ifelse
+								}
+							forall
+							}
+						if
+						cleartomark pop pop
+						end
+					CIDFontName currentdict /CIDFont defineresource pop
+					end end
+					}
+				stopped
+					{ cleartomark /StartData ct_reraise }
+				if
+				} bind def
+			currentdict
+			end def
+		/ct_saveCIDInit
+			{
+			/CIDInit /ProcSet ct_resourcestatus
+				{ true }
+				{ /CIDInitC /ProcSet ct_resourcestatus }
+			ifelse
+				{
+				pop pop
+				/CIDInit /ProcSet findresource
+				ct_UseNativeCapability?
+					{ pop null }
+					{ /CIDInit ct_CIDInit /ProcSet defineresource pop }
+				ifelse
+				}
+				{ /CIDInit ct_CIDInit /ProcSet defineresource pop null }
+			ifelse
+			ct_Vars exch /ct_oldCIDInit exch put
+			} bind def
+		/ct_restoreCIDInit
+			{
+			ct_Vars /ct_oldCIDInit get dup null ne
+				{ /CIDInit exch /ProcSet defineresource pop }
+				{ pop }
+			ifelse
+			} bind def
+		/ct_BuildCharSetUp
+			{
+			1 index
+				begin
+				CIDFont
+					begin
+					Adobe_CoolType_Utility /ct_BuildCharDict get
+						begin
+						/ct_dfCharCode exch def
+						/ct_dfDict exch def
+						CIDFirstByte ct_dfCharCode add
+						dup CIDCount ge
+							{ pop 0 }
+						if
+						/cid exch def
+							{
+							GlyphDirectory cid 2 copy known
+								{ get }
+								{ pop pop nullstring }
+							ifelse
+							dup length FDBytes sub 0 gt
+								{
+								dup
+								FDBytes 0 ne
+									{ 0 FDBytes ct_cvnsi }
+									{ pop 0 }
+								ifelse
+								/fdIndex exch def
+								dup length FDBytes sub FDBytes exch getinterval
+								/charstring exch def
+								exit
+								}
+								{
+								pop
+								cid 0 eq
+									{ /charstring nullstring def exit }
+								if
+								/cid 0 def
+								}
+							ifelse
+							}
+						loop
+			} def
+		/ct_SetCacheDevice
+			{
+			0 0 moveto
+			dup stringwidth
+			3 -1 roll
+			true charpath
+			pathbbox
+			0 -1000
+			7 index 2 div 880
+			setcachedevice2
+			0 0 moveto
+			} def
+		/ct_CloneSetCacheProc
+			{
+			1 eq
+				{
+				stringwidth
+				pop -2 div -880
+				0 -1000 setcharwidth
+				moveto
+				}
+				{
+				usewidths?
+					{
+					currentfont /Widths get cid
+					2 copy known
+						{ get exch pop aload pop }
+						{ pop pop stringwidth }
+					ifelse
+					}
+					{ stringwidth }
+				ifelse
+				setcharwidth
+				0 0 moveto
+				}
+			ifelse
+			} def
+		/ct_Type3ShowCharString
+			{
+			ct_FDDict fdIndex 2 copy known
+				{ get }
+				{
+				currentglobal 3 1 roll
+				1 index gcheck setglobal
+				ct_Type1FontTemplate dup maxlength dict copy
+					begin
+					FDArray fdIndex get
+					dup /FontMatrix 2 copy known
+						{ get }
+						{ pop pop ct_defaultFontMtx }
+					ifelse
+					/FontMatrix exch dup length array copy def
+					/Private get
+					/Private exch def
+					/Widths rootfont /Widths get def
+					/CharStrings 1 dict dup /.notdef
+						<d841272cf18f54fc13> dup length string copy put def
+					currentdict
+					end
+				/ct_Type1Font exch definefont
+				dup 5 1 roll put
+				setglobal
+				}
+			ifelse
+			dup /CharStrings get 1 index /Encoding get
+			ct_dfCharCode get charstring put
+			rootfont /WMode 2 copy known
+				{ get }
+				{ pop pop 0 }
+			ifelse
+			exch
+			1000 scalefont setfont
+			ct_str1 0 ct_dfCharCode put
+			ct_str1 exch ct_dfSetCacheProc
+			ct_SyntheticBold
+				{
+				currentpoint
+				ct_str1 show
+				newpath
+				moveto
+				ct_str1 true charpath
+				ct_StrokeWidth setlinewidth
+				stroke
+				}
+				{ ct_str1 show }
+			ifelse
+			} def
+		/ct_Type4ShowCharString
+			{
+			ct_dfDict ct_dfCharCode charstring
+			FDArray fdIndex get
+			dup /FontMatrix get dup ct_defaultFontMtx ct_matrixeq not
+				{ ct_1000Mtx matrix concatmatrix concat }
+				{ pop }
+			ifelse
+			/Private get
+			Adobe_CoolType_Utility /ct_Level2? get not
+				{
+				ct_dfDict /Private
+				3 -1 roll
+					{ put }
+				1183615869 internaldict /superexec get exec
+				}
+			if
+			1183615869 internaldict
+			Adobe_CoolType_Utility /ct_Level2? get
+				{ 1 index }
+				{ 3 index /Private get mark 6 1 roll }
+			ifelse
+			dup /RunInt known
+				{ /RunInt get }
+				{ pop /CCRun }
+			ifelse
+			get exec
+			Adobe_CoolType_Utility /ct_Level2? get not
+				{ cleartomark }
+			if
+			} bind def
+		/ct_BuildCharIncremental
+			{
+				{
+				Adobe_CoolType_Utility /ct_MakeOCF get begin
+				ct_BuildCharSetUp
+				ct_ShowCharString
+				}
+			stopped
+				{ stop }
+			if
+			end
+			end
+			end
+			end
+			} bind def
+		/BaseFontNameStr (BF00) def
+		/ct_Type1FontTemplate 14 dict
+			begin
+			/FontType 1 def
+			/FontMatrix  [0.001 0 0 0.001 0 0] def
+			/FontBBox  [-250 -250 1250 1250] def
+			/Encoding ct_cHexEncoding def
+			/PaintType 0 def
+			currentdict
+			end def
+		/BaseFontTemplate 11 dict
+			begin
+			/FontMatrix  [0.001 0 0 0.001 0 0] def
+			/FontBBox  [-250 -250 1250 1250] def
+			/Encoding ct_cHexEncoding def
+			/BuildChar /ct_BuildCharIncremental load def
+			ct_Clone?
+				{
+				/FontType 3 def
+				/ct_ShowCharString /ct_Type3ShowCharString load def
+				/ct_dfSetCacheProc /ct_CloneSetCacheProc load def
+				/ct_SyntheticBold false def
+				/ct_StrokeWidth 1 def
+				}
+				{
+				/FontType 4 def
+				/Private 1 dict dup /lenIV 4 put def
+				/CharStrings 1 dict dup /.notdef <d841272cf18f54fc13> put def
+				/PaintType 0 def
+				/ct_ShowCharString /ct_Type4ShowCharString load def
+				}
+			ifelse
+			/ct_str1 1 string def
+			currentdict
+			end def
+		/BaseFontDictSize BaseFontTemplate length 5 add def
+		/ct_matrixeq
+			{
+			true 0 1 5
+				{
+				dup 4 index exch get exch 3 index exch get eq and
+				dup not
+					{ exit }
+				if
+				}
+			for
+			exch pop exch pop
+			} bind def
+		/ct_makeocf
+			{
+			15 dict
+				begin
+				exch /WMode exch def
+				exch /FontName exch def
+				/FontType 0 def
+				/FMapType 2 def
+			dup /FontMatrix known
+				{ dup /FontMatrix get /FontMatrix exch def }
+				{ /FontMatrix matrix def }
+			ifelse
+				/bfCount 1 index /CIDCount get 256 idiv 1 add
+					dup 256 gt { pop 256} if def
+				/Encoding
+					256 array 0 1 bfCount 1 sub { 2 copy dup put pop } for
+					bfCount 1 255 { 2 copy bfCount put pop } for
+					def
+				/FDepVector bfCount dup 256 lt { 1 add } if array def
+				BaseFontTemplate BaseFontDictSize dict copy
+					begin
+					/CIDFont exch def
+					CIDFont /FontBBox known
+						{ CIDFont /FontBBox get /FontBBox exch def }
+					if
+					CIDFont /CDevProc known
+						{ CIDFont /CDevProc get /CDevProc exch def }
+					if
+					currentdict
+					end
+				BaseFontNameStr 3 (0) putinterval
+				0 1 bfCount dup 256 eq { 1 sub } if
+					{
+					FDepVector exch
+					2 index BaseFontDictSize dict copy
+						begin
+						dup /CIDFirstByte exch 256 mul def
+						FontType 3 eq
+							{ /ct_FDDict 2 dict def }
+						if
+						currentdict
+						end
+					1 index  16
+					BaseFontNameStr  2 2 getinterval cvrs pop
+					BaseFontNameStr exch definefont
+					put
+					}
+				for
+				ct_Clone?
+					{ /Widths 1 index /CIDFont get /GlyphDirectory get length dict def }
+				if
+				FontName
+				currentdict
+				end
+			definefont
+			ct_Clone?
+				{
+				gsave
+				dup 1000 scalefont setfont
+				ct_BuildCharDict
+					begin
+					/usewidths? false def
+					currentfont /Widths get
+						begin
+						exch /CIDFont get /GlyphDirectory get
+							{
+							pop
+							dup charcode exch 1 index 0 2 index 256 idiv put
+							1 index exch 1 exch 256 mod put
+							stringwidth 2 array astore def
+							}
+						forall
+						end
+					/usewidths? true def
+					end
+				grestore
+				}
+				{ exch pop }
+			ifelse
+			} bind def
+		/ct_ComposeFont
+			{
+			ct_UseNativeCapability?
+				{
+				2 index /CMap ct_resourcestatus
+					{ pop pop exch pop }
+					{
+					/CIDInit /ProcSet findresource
+						begin
+						12 dict
+							begin
+							begincmap
+							/CMapName 3 index def
+							/CMapVersion 1.000 def
+							/CMapType 1 def
+							exch /WMode exch def
+							/CIDSystemInfo 3 dict dup
+								begin
+								/Registry (Adobe) def
+								/Ordering
+								CMapName ct_mkocfStr100 cvs
+								(Adobe-) search
+									{
+									pop pop
+									(-) search
+										{
+										dup length string copy
+										exch pop exch pop
+										}
+										{ pop (Identity)}
+									ifelse
+									}
+									{ pop  (Identity)  }
+								ifelse
+								def
+								/Supplement 0 def
+								end def
+							1 begincodespacerange
+							<0000> <FFFF>
+							endcodespacerange
+							1 begincidrange
+							<0000> <FFFF> 0
+							endcidrange
+							endcmap
+							CMapName currentdict /CMap defineresource pop
+							end
+						end
+					}
+				ifelse
+				composefont
+				}
+				{
+				3 2 roll pop
+				0 get /CIDFont findresource
+				ct_makeocf
+				}
+			ifelse
+			} bind def
+		/ct_MakeIdentity
+			{
+			ct_UseNativeCapability?
+				{
+				1 index /CMap ct_resourcestatus
+					{ pop pop }
+					{
+					/CIDInit /ProcSet findresource begin
+					12 dict begin
+					begincmap
+					/CMapName 2 index def
+					/CMapVersion 1.000 def
+					/CMapType 1 def
+					/CIDSystemInfo 3 dict dup
+						begin
+						/Registry (Adobe) def
+						/Ordering
+						CMapName ct_mkocfStr100 cvs
+						(Adobe-) search
+							{
+							pop pop
+							(-) search
+								{ dup length string copy exch pop exch pop }
+								{ pop (Identity) }
+							ifelse
+							}
+							{ pop (Identity) }
+						ifelse
+						def
+						/Supplement 0 def
+						end def
+					1 begincodespacerange
+					<0000> <FFFF>
+					endcodespacerange
+					1 begincidrange
+					<0000> <FFFF> 0
+					endcidrange
+					endcmap
+					CMapName currentdict /CMap defineresource pop
+					end
+					end
+					}
+				ifelse
+				composefont
+				}
+				{
+				exch pop
+				0 get /CIDFont findresource
+				ct_makeocf
+				}
+			ifelse
+			} bind def
+		currentdict readonly pop
+		end
+	end
+%%EndResource
+%%BeginResource: procset Adobe_CoolType_Utility_T42 1.0 0
+%%Copyright: Copyright 1987-2003 Adobe Systems Incorporated.
+%%Version: 1.0 0
+userdict /ct_T42Dict 15 dict put
+ct_T42Dict begin
+/Is2015?
+{
+  version
+  cvi
+  2015
+  ge
+} bind def
+/AllocGlyphStorage
+{
+  Is2015?
+  {	
+		pop
+  }
+  {
+		{string} forall
+  } ifelse
+} bind def
+/Type42DictBegin
+{
+	25 dict begin
+  /FontName exch def
+  /CharStrings 256 dict
+	begin
+		  /.notdef 0 def
+		  currentdict
+	end def
+  /Encoding exch def
+  /PaintType 0 def
+  /FontType 42 def
+  /FontMatrix [1 0 0 1 0 0] def
+  4 array  astore cvx /FontBBox exch def
+  /sfnts
+} bind def
+/Type42DictEnd
+{
+	 currentdict dup /FontName get exch definefont end
+	ct_T42Dict exch
+	dup /FontName get exch put
+} bind def
+/RD {string currentfile exch readstring pop} executeonly def
+/PrepFor2015
+{
+	Is2015?
+	{		
+		 /GlyphDirectory
+		 16
+		 dict def
+		 sfnts 0 get
+		 dup
+		 2 index
+		 (glyx)
+		 putinterval
+		 2 index
+		 (locx)
+		 putinterval
+		 pop
+		 pop
+	}
+	{
+		 pop
+		 pop
+	} ifelse			
+} bind def
+/AddT42Char
+{
+	Is2015?
+	{
+		/GlyphDirectory get
+		begin
+		def
+		end
+		pop
+		pop
+	}
+	{
+		/sfnts get
+		4 index
+		get
+		3 index
+	  2 index
+		putinterval
+		pop
+		pop
+		pop
+		pop
+	} ifelse
+} bind def
+end
+%%EndResource
+Adobe_CoolType_Core begin /$Oblique SetSubstituteStrategy end
+%%BeginResource: procset Adobe_AGM_Image 1.0 0
+%%Version: 1.0 0
+%%Copyright: Copyright (C) 2000-2003 Adobe Systems, Inc.  All Rights Reserved.
+systemdict /setpacking known
+{
+	currentpacking
+	true setpacking
+} if
+userdict /Adobe_AGM_Image 75 dict dup begin put
+/Adobe_AGM_Image_Id /Adobe_AGM_Image_1.0_0 def
+/nd{
+	null def
+}bind def
+/AGMIMG_&image nd
+/AGMIMG_&colorimage nd
+/AGMIMG_&imagemask nd
+/AGMIMG_mbuf () def
+/AGMIMG_ybuf () def
+/AGMIMG_kbuf () def
+/AGMIMG_c 0 def
+/AGMIMG_m 0 def
+/AGMIMG_y 0 def
+/AGMIMG_k 0 def
+/AGMIMG_tmp nd
+/AGMIMG_imagestring0 nd
+/AGMIMG_imagestring1 nd
+/AGMIMG_imagestring2 nd
+/AGMIMG_imagestring3 nd
+/AGMIMG_imagestring4 nd
+/AGMIMG_imagestring5 nd
+/AGMIMG_cnt nd
+/AGMIMG_fsave nd
+/AGMIMG_colorAry nd
+/AGMIMG_override nd
+/AGMIMG_name nd
+/AGMIMG_maskSource nd
+/invert_image_samples nd
+/knockout_image_samples	nd
+/img nd
+/sepimg nd
+/devnimg nd
+/idximg nd
+/doc_setup
+{
+	Adobe_AGM_Core begin
+	Adobe_AGM_Image begin
+	/AGMIMG_&image systemdict/image get def
+	/AGMIMG_&imagemask systemdict/imagemask get def
+	/colorimage where{
+		pop
+		/AGMIMG_&colorimage /colorimage ldf
+	}if
+	end
+	end
+}def
+/page_setup
+{
+	Adobe_AGM_Image begin
+	/AGMIMG_ccimage_exists {/customcolorimage where
+		{
+			pop
+			/Adobe_AGM_OnHost_Seps where
+			{
+			pop false
+			}{
+			/Adobe_AGM_InRip_Seps where
+				{
+				pop false
+				}{
+					true
+				 }ifelse
+			 }ifelse
+			}{
+			false
+		}ifelse
+	}bdf
+	level2{
+		/invert_image_samples
+		{
+			Adobe_AGM_Image/AGMIMG_tmp Decode length ddf
+			/Decode [ Decode 1 get Decode 0 get] def
+		}def
+		/knockout_image_samples
+		{
+			Operator/imagemask ne{
+				/Decode [1 1] def
+			}if
+		}def
+	}{	
+		/invert_image_samples
+		{
+			{1 exch sub} currenttransfer addprocs settransfer
+		}def
+		/knockout_image_samples
+		{
+			{ pop 1 } currenttransfer addprocs settransfer
+		}def
+	}ifelse
+	/img /imageormask ldf
+	/sepimg /sep_imageormask ldf
+	/devnimg /devn_imageormask ldf
+	/idximg /indexed_imageormask ldf
+	/_ctype 7 def
+	currentdict{
+		dup xcheck 1 index type dup /arraytype eq exch /packedarraytype eq or and{
+			bind
+		}if
+		def
+	}forall
+}def
+/page_trailer
+{
+	end
+}def
+/doc_trailer
+{
+}def
+/imageormask_sys
+{
+	begin
+		save mark
+		level2{
+			currentdict
+			Operator /imagemask eq{
+				AGMIMG_&imagemask
+			}{
+				use_mask {
+					level3 {process_mask_L3 AGMIMG_&image}{masked_image_simulation}ifelse
+				}{
+					AGMIMG_&image
+				}ifelse
+			}ifelse
+		}{
+			Width Height
+			Operator /imagemask eq{
+				Decode 0 get 1 eq Decode 1 get 0 eq	and
+				ImageMatrix /DataSource load
+				AGMIMG_&imagemask
+			}{
+				BitsPerComponent ImageMatrix /DataSource load
+				AGMIMG_&image
+			}ifelse
+		}ifelse
+		cleartomark restore
+	end
+}def
+/overprint_plate
+{
+	currentoverprint {
+		0 get dup type /nametype eq {
+			dup /DeviceGray eq{
+				pop AGMCORE_black_plate not
+			}{
+				/DeviceCMYK eq{
+					AGMCORE_is_cmyk_sep not
+				}if
+			}ifelse
+		}{
+			false exch
+			{
+				 AGMOHS_sepink eq or
+			} forall
+			not
+		} ifelse
+	}{
+		pop false
+	}ifelse
+}def
+/process_mask_L3
+{
+	dup begin
+	/ImageType 1 def
+	end
+	4 dict begin
+		/DataDict exch def
+		/ImageType 3 def
+		/InterleaveType 3 def
+		/MaskDict 9 dict begin
+			/ImageType 1 def
+			/Width DataDict dup /MaskWidth known {/MaskWidth}{/Width} ifelse get def
+			/Height DataDict dup /MaskHeight known {/MaskHeight}{/Height} ifelse get def
+			/ImageMatrix [Width 0 0 Height neg 0 Height] def
+			/NComponents 1 def
+			/BitsPerComponent 1 def
+			/Decode [0 1] def
+			/DataSource AGMIMG_maskSource def
+		currentdict end def
+	currentdict end
+}def
+/use_mask
+{
+	dup type /dicttype eq
+	{
+		dup /Mask known	{
+			dup /Mask get {
+				level3
+				{true}
+				{
+					dup /MaskWidth known {dup /MaskWidth get 1 index /Width get eq}{true}ifelse exch
+					dup /MaskHeight known {dup /MaskHeight get 1 index /Height get eq}{true}ifelse
+					3 -1 roll and
+				} ifelse
+			}
+			{false} ifelse
+		}
+		{false} ifelse
+	}
+	{false} ifelse
+}def
+/make_line_source
+{
+	begin
+	MultipleDataSources {
+		[
+		Decode length 2 div cvi {Width string} repeat
+		]
+	}{
+		Width Decode length 2 div mul cvi string
+	}ifelse
+	end
+}def
+/datasource_to_str
+{
+	exch dup type
+	dup /filetype eq {
+		pop exch readstring
+	}{
+		/arraytype eq {
+			exec exch copy
+		}{
+			pop
+		}ifelse
+	}ifelse
+	pop
+}def
+/masked_image_simulation
+{
+	3 dict begin
+	dup make_line_source /line_source xdf
+	/mask_source AGMIMG_maskSource /LZWDecode filter def
+	dup /Width get 8 div ceiling cvi string /mask_str xdf
+	begin
+	gsave
+	0 1 translate 1 -1 Height div scale
+	1 1 Height {
+		pop
+		gsave
+		MultipleDataSources {
+			0 1 DataSource length 1 sub {
+				dup DataSource exch get
+				exch line_source exch get
+				datasource_to_str
+			} for
+		}{
+			DataSource line_source datasource_to_str
+		} ifelse
+		<<
+			/PatternType 1
+			/PaintProc [
+				/pop cvx
+				<<
+					/ImageType 1
+					/Width Width
+					/Height 1
+					/ImageMatrix Width 1.0 sub 1 matrix scale 0.5 0 matrix translate matrix concatmatrix
+					/MultipleDataSources MultipleDataSources
+					/DataSource line_source
+					/BitsPerComponent BitsPerComponent
+					/Decode Decode
+				>>
+				/image cvx
+			] cvx
+			/BBox [0 0 Width 1]
+			/XStep Width
+			/YStep 1
+			/PaintType 1
+			/TilingType 2
+		>>
+		matrix makepattern set_pattern
+		<<
+			/ImageType 1
+			/Width Width
+			/Height 1
+			/ImageMatrix Width 1 matrix scale
+			/MultipleDataSources false
+			/DataSource mask_source mask_str readstring pop
+			/BitsPerComponent 1
+			/Decode [0 1]
+		>>
+		imagemask
+		grestore
+		0 1 translate
+	} for
+	grestore
+	end
+	end
+}def
+/imageormask
+{
+	begin
+		SkipImageProc {
+			currentdict consumeimagedata
+		}
+		{
+			save mark
+			level2 AGMCORE_host_sep not and{
+				currentdict
+				Operator /imagemask eq DeviceN_PS2 not and {
+					imagemask
+				}{
+					AGMCORE_in_rip_sep currentoverprint and currentcolorspace 0 get /DeviceGray eq and{
+						[/Separation /Black /DeviceGray {}] setcolorspace
+						/Decode [ Decode 1 get Decode 0 get ] def
+					}if
+					use_mask {
+						level3 {process_mask_L3 image}{masked_image_simulation}ifelse
+					}{
+						DeviceN_NoneName DeviceN_PS2 Indexed_DeviceN level3 not and or or AGMCORE_in_rip_sep and
+						{
+							Names convert_to_process not {
+								2 dict begin
+								/imageDict xdf
+								/names_index 0 def
+								gsave
+								imageDict write_image_file {
+									Names {
+										dup (None) ne {
+											[/Separation 3 -1 roll /DeviceGray {1 exch sub}] setcolorspace
+											Operator imageDict read_image_file
+											names_index 0 eq {true setoverprint} if
+											/names_index names_index 1 add def
+										}{
+											pop
+										} ifelse
+									} forall
+									close_image_file
+								} if
+								grestore
+								end
+							}{
+								Operator /imagemask eq {
+									imagemask
+								}{
+									image
+								} ifelse
+							} ifelse
+						}{
+							Operator /imagemask eq {
+								imagemask
+							}{
+								image
+							} ifelse
+						} ifelse
+					}ifelse
+				}ifelse
+			}{
+				Width Height
+				Operator /imagemask eq{
+					Decode 0 get 1 eq Decode 1 get 0 eq	and
+					ImageMatrix /DataSource load
+					/Adobe_AGM_OnHost_Seps where {
+						pop imagemask
+					}{
+						currentgray 1 ne{
+							currentdict imageormask_sys
+						}{
+							currentoverprint not{
+								1 AGMCORE_&setgray
+								currentdict imageormask_sys
+							}{
+								currentdict ignoreimagedata
+							}ifelse				 		
+						}ifelse
+					}ifelse
+				}{
+					BitsPerComponent ImageMatrix
+					MultipleDataSources{
+						0 1 NComponents 1 sub{
+							DataSource exch get
+						}for
+					}{
+						/DataSource load
+					}ifelse
+					Operator /colorimage eq{
+						AGMCORE_host_sep{
+							MultipleDataSources level2 or NComponents 4 eq and{
+								AGMCORE_is_cmyk_sep{
+									MultipleDataSources{
+										/DataSource [
+											DataSource 0 get /exec cvx
+											DataSource 1 get /exec cvx
+											DataSource 2 get /exec cvx
+											DataSource 3 get /exec cvx
+											/AGMCORE_get_ink_data cvx
+										] cvx def
+									}{
+										/DataSource
+										Width BitsPerComponent mul 7 add 8 idiv Height mul 4 mul
+										/DataSource load
+										filter_cmyk 0 () /SubFileDecode filter def
+									}ifelse
+									/Decode [ Decode 0 get Decode 1 get ] def
+									/MultipleDataSources false def
+									/NComponents 1 def
+									/Operator /image def
+									invert_image_samples
+						 			1 AGMCORE_&setgray
+									currentdict imageormask_sys
+								}{
+									currentoverprint not Operator/imagemask eq and{
+  			 							1 AGMCORE_&setgray
+  			 							currentdict imageormask_sys
+  			 						}{
+  			 							currentdict ignoreimagedata
+  			 						}ifelse
+								}ifelse
+							}{	
+								MultipleDataSources NComponents AGMIMG_&colorimage						
+							}ifelse
+						}{
+							true NComponents colorimage
+						}ifelse
+					}{
+						Operator /image eq{
+							AGMCORE_host_sep{
+								/DoImage true def
+								HostSepColorImage{
+									invert_image_samples
+								}{
+									AGMCORE_black_plate not Operator/imagemask ne and{
+										/DoImage false def
+										currentdict ignoreimagedata
+					 				}if
+								}ifelse
+						 		1 AGMCORE_&setgray
+								DoImage
+									{currentdict imageormask_sys} if
+							}{
+								use_mask {
+									level3 {process_mask_L3 image}{masked_image_simulation}ifelse
+								}{
+									image
+								}ifelse
+							}ifelse
+						}{
+							Operator/knockout eq{
+								pop pop pop pop pop
+								currentcolorspace overprint_plate not{
+									knockout_unitsq
+								}if
+							}if
+						}ifelse
+					}ifelse
+				}ifelse
+			}ifelse
+			cleartomark restore
+		}ifelse
+	end
+}def
+/sep_imageormask
+{
+ 	/sep_colorspace_dict AGMCORE_gget begin
+	/MappedCSA CSA map_csa def
+	begin
+	SkipImageProc {
+		currentdict consumeimagedata
+	}
+	{
+		save mark
+		AGMCORE_avoid_L2_sep_space{
+			/Decode [ Decode 0 get 255 mul Decode 1 get 255 mul ] def
+		}if
+ 		AGMIMG_ccimage_exists
+		MappedCSA 0 get /DeviceCMYK eq and
+		currentdict/Components known and
+		Name () ne and
+		Name (All) ne and
+		Operator /image eq and
+		AGMCORE_producing_seps not and
+		level2 not and
+		{
+			Width Height BitsPerComponent ImageMatrix
+			[
+			/DataSource load /exec cvx
+			{
+				0 1 2 index length 1 sub{
+					1 index exch
+					2 copy get 255 xor put
+				}for
+			} /exec cvx
+			] cvx bind
+			MappedCSA 0 get /DeviceCMYK eq{
+				Components aload pop
+			}{
+				0 0 0 Components aload pop 1 exch sub
+			}ifelse
+			Name findcmykcustomcolor
+			customcolorimage
+		}{
+			AGMCORE_producing_seps not{
+				level2{
+					AGMCORE_avoid_L2_sep_space not currentcolorspace 0 get /Separation ne and{
+						[/Separation Name MappedCSA sep_proc_name exch 0 get exch load ] setcolorspace_opt
+						/sep_tint AGMCORE_gget setcolor
+					}if
+					currentdict imageormask
+				}{
+					currentdict
+					Operator /imagemask eq{
+						imageormask
+					}{
+						sep_imageormask_lev1
+					}ifelse
+				}ifelse
+ 			}{
+				AGMCORE_host_sep{
+					Operator/knockout eq{
+						currentdict/ImageMatrix get concat
+						knockout_unitsq
+					}{
+						currentgray 1 ne{
+ 							AGMCORE_is_cmyk_sep Name (All) ne and{
+ 								level2{
+	 								[ /Separation Name [/DeviceGray]
+	 								{
+	 									sep_colorspace_proc AGMCORE_get_ink_data
+										1 exch sub
+	 								} bind
+									] AGMCORE_&setcolorspace
+									/sep_tint AGMCORE_gget AGMCORE_&setcolor
+ 									currentdict imageormask_sys
+	 							}{
+	 								currentdict
+									Operator /imagemask eq{
+										imageormask_sys
+									}{
+										sep_image_lev1_sep
+									}ifelse
+	 							}ifelse
+ 							}{
+ 								Operator/imagemask ne{
+									invert_image_samples
+ 								}if
+		 						currentdict imageormask_sys
+ 							}ifelse
+ 						}{
+ 							currentoverprint not Name (All) eq or Operator/imagemask eq and{
+								currentdict imageormask_sys
+								}{
+								currentoverprint not
+									{
+ 									gsave
+ 									knockout_unitsq
+ 									grestore
+									}if
+								currentdict consumeimagedata
+		 					}ifelse
+ 						}ifelse
+		 			}ifelse
+ 				}{
+					currentcolorspace 0 get /Separation ne{
+						[/Separation Name MappedCSA sep_proc_name exch 0 get exch load ] setcolorspace_opt
+						/sep_tint AGMCORE_gget setcolor
+					}if
+					currentoverprint
+					MappedCSA 0 get /DeviceCMYK eq and
+					Name inRip_spot_has_ink not and
+					Name (All) ne and {
+						imageormask_l2_overprint
+					}{
+						currentdict imageormask
+ 					}ifelse
+				}ifelse
+			}ifelse
+		}ifelse
+		cleartomark restore
+	}ifelse
+	end
+	end
+}def
+/decode_image_sample
+{
+	4 1 roll exch dup 5 1 roll
+	sub 2 4 -1 roll exp 1 sub div mul add
+} bdf
+/colorSpaceElemCnt
+{
+	currentcolorspace 0 get dup /DeviceCMYK eq {
+		pop 4
+	}
+	{
+		/DeviceRGB eq {
+			pop 3
+		}{
+			1
+		} ifelse
+	} ifelse
+} bdf
+/devn_sep_datasource
+{
+	1 dict begin
+	/dataSource xdf
+	[
+		0 1 dataSource length 1 sub {
+			dup currentdict /dataSource get /exch cvx /get cvx /exec cvx
+			/exch cvx names_index /ne cvx [ /pop cvx ] cvx /if cvx
+		} for
+	] cvx bind
+	end
+} bdf		
+/devn_alt_datasource
+{
+	11 dict begin
+	/srcDataStrs xdf
+	/dstDataStr xdf
+	/convProc xdf
+	/origcolorSpaceElemCnt xdf
+	/origMultipleDataSources xdf
+	/origBitsPerComponent xdf
+	/origDecode xdf
+	/origDataSource xdf
+	/dsCnt origMultipleDataSources {origDataSource length}{1}ifelse def
+	/samplesNeedDecoding
+		0 0 1 origDecode length 1 sub {
+			origDecode exch get add
+		} for
+		origDecode length 2 div div
+		dup 1 eq {
+			/decodeDivisor 2 origBitsPerComponent exp 1 sub def
+		} if
+		2 origBitsPerComponent exp 1 sub ne
+	def
+	[
+		0 1 dsCnt 1 sub [
+			currentdict /origMultipleDataSources get {
+				dup currentdict /origDataSource get exch get dup type
+			}{
+				currentdict /origDataSource get dup type
+			} ifelse
+			dup /filetype eq {
+				pop currentdict /srcDataStrs get 3 -1 /roll cvx /get cvx /readstring cvx /pop cvx
+			}{
+				/stringtype ne {
+					/exec cvx
+				} if
+				currentdict /srcDataStrs get /exch cvx 3 -1 /roll cvx /xpt cvx
+			} ifelse
+		] cvx /for cvx
+		currentdict /srcDataStrs get 0 /get cvx /length cvx 0 /ne cvx [
+			0 1 Width 1 sub [
+				Adobe_AGM_Utils /AGMUTIL_ndx /xddf cvx
+				currentdict /origMultipleDataSources get {
+					0 1 dsCnt 1 sub [
+						Adobe_AGM_Utils /AGMUTIL_ndx1 /xddf cvx
+						currentdict /srcDataStrs get /AGMUTIL_ndx1 /load cvx /get cvx /AGMUTIL_ndx /load cvx /get cvx
+						samplesNeedDecoding {
+							currentdict /decodeDivisor known {
+								currentdict /decodeDivisor get /div cvx
+							}{
+								currentdict /origDecode get /AGMUTIL_ndx1 /load cvx 2 /mul cvx 2 /getinterval cvx /aload cvx /pop cvxs
+								BitsPerComponent /decode_image_sample load /exec cvx
+							} ifelse
+						} if
+					] cvx /for cvx
+				}{
+					Adobe_AGM_Utils /AGMUTIL_ndx1 0 /ddf cvx
+					currentdict /srcDataStrs get 0 /get cvx /AGMUTIL_ndx /load cvx		
+					currentdict /origDecode get length 2 idiv dup 3 1 /roll cvx /mul cvx /exch cvx /getinterval cvx
+					[
+						samplesNeedDecoding {
+							currentdict /decodeDivisor known {
+								currentdict /decodeDivisor get /div cvx
+							}{
+								currentdict /origDecode get /AGMUTIL_ndx1 /load cvx 2 /mul cvx 2 /getinterval cvx /aload cvx /pop cvx
+								BitsPerComponent /decode_image_sample load /exec cvx
+								Adobe_AGM_Utils /AGMUTIL_ndx1 /AGMUTIL_ndx1 /load cvx 1 /add cvx /ddf cvx
+							} ifelse
+						} if
+					] cvx /forall cvx
+				} ifelse
+				currentdict /convProc get /exec cvx
+				currentdict /origcolorSpaceElemCnt get 1 sub -1 0 [
+					currentdict /dstDataStr get 3 1 /roll cvx /AGMUTIL_ndx /load cvx currentdict /origcolorSpaceElemCnt get /mul cvx /add cvx /exch cvx
+					currentdict /convProc get /filter_indexed_devn load ne {
+						255 /mul cvx /cvi cvx
+					} if
+					/put cvx
+				] cvx /for cvx
+			] cvx /for cvx
+			currentdict /dstDataStr get
+		] cvx /if cvx
+	] cvx bind
+	end
+} bdf
+/devn_imageormask
+{
+ 	/devicen_colorspace_dict AGMCORE_gget begin
+	/MappedCSA CSA map_csa def
+	2 dict begin
+	dup dup
+	/dstDataStr exch /Width get colorSpaceElemCnt mul string def
+	/srcDataStrs [ 3 -1 roll begin
+		currentdict /MultipleDataSources known {MultipleDataSources {DataSource length}{1}ifelse}{1} ifelse
+		{
+			Width Decode length 2 div mul cvi string
+		} repeat
+		end ] def
+	begin
+	SkipImageProc {
+		currentdict consumeimagedata
+	}
+	{
+		save mark
+		AGMCORE_producing_seps not {
+			level3 not {
+				Operator /imagemask ne {
+					/DataSource [
+						DataSource Decode BitsPerComponent currentdict /MultipleDataSources known {MultipleDataSources}{false} ifelse
+						colorSpaceElemCnt /devicen_colorspace_dict AGMCORE_gget /TintTransform get
+						dstDataStr srcDataStrs devn_alt_datasource /exec cvx
+						] cvx 0 () /SubFileDecode filter def
+					/MultipleDataSources false def
+					/Decode colorSpaceElemCnt [ exch {0 1} repeat ] def
+				} if
+			}if
+			currentdict imageormask
+ 		}{
+			AGMCORE_host_sep{
+				Names convert_to_process {
+					CSA map_csa 0 get /DeviceCMYK eq {
+						/DataSource
+							Width BitsPerComponent mul 7 add 8 idiv Height mul 4 mul
+							[
+							DataSource Decode BitsPerComponent currentdict /MultipleDataSources known {MultipleDataSources}{false} ifelse
+							4 /devicen_colorspace_dict AGMCORE_gget /TintTransform get
+							dstDataStr srcDataStrs devn_alt_datasource /exec cvx
+							] cvx
+						filter_cmyk 0 () /SubFileDecode filter def
+						/MultipleDataSources false def
+						/Decode [1 0] def
+						/DeviceGray setcolorspace
+			 			currentdict imageormask_sys
+ 					}{
+						AGMCORE_report_unsupported_color_space
+						AGMCORE_black_plate {
+							/DataSource [
+								DataSource Decode BitsPerComponent currentdict /MultipleDataSources known {MultipleDataSources}{false} ifelse
+								CSA map_csa 0 get /DeviceRGB eq{3}{1}ifelse /devicen_colorspace_dict AGMCORE_gget /TintTransform get
+								dstDataStr srcDataStrs devn_alt_datasource /exec cvx
+								] cvx 0 () /SubFileDecode filter def
+							/MultipleDataSources false def
+							/Decode colorSpaceElemCnt [ exch {0 1} repeat ] def
+				 			currentdict imageormask_sys
+				 		}
+						{
+	 						gsave
+	 						knockout_unitsq
+	 						grestore
+							currentdict consumeimagedata
+						} ifelse
+ 					} ifelse
+				}
+				{	
+					/devicen_colorspace_dict AGMCORE_gget /names_index known {
+	 					Operator/imagemask ne{
+	 						MultipleDataSources {
+		 						/DataSource [ DataSource devn_sep_datasource /exec cvx ] cvx def
+								/MultipleDataSources false def
+	 						}{
+								/DataSource /DataSource load dstDataStr srcDataStrs 0 get filter_devn def
+	 						} ifelse
+							invert_image_samples
+	 					} if
+			 			currentdict imageormask_sys
+	 				}{
+	 					currentoverprint not Operator/imagemask eq and{
+							currentdict imageormask_sys
+							}{
+							currentoverprint not
+								{
+	 							gsave
+	 							knockout_unitsq
+	 							grestore
+								}if
+							currentdict consumeimagedata
+			 			}ifelse
+	 				}ifelse
+	 			}ifelse
+ 			}{
+				currentdict imageormask
+			}ifelse
+		}ifelse
+		cleartomark restore
+	}ifelse
+	end
+	end
+	end
+}def
+/imageormask_l2_overprint
+{
+	currentdict
+	currentcmykcolor add add add 0 eq{
+		currentdict consumeimagedata
+	}{
+		level3{ 			
+			currentcmykcolor
+			/AGMIMG_k xdf
+			/AGMIMG_y xdf
+			/AGMIMG_m xdf
+			/AGMIMG_c xdf
+			Operator/imagemask eq{
+				[/DeviceN [
+				AGMIMG_c 0 ne {/Cyan} if
+				AGMIMG_m 0 ne {/Magenta} if
+				AGMIMG_y 0 ne {/Yellow} if
+				AGMIMG_k 0 ne {/Black} if
+				] /DeviceCMYK {}] setcolorspace
+				AGMIMG_c 0 ne {AGMIMG_c} if
+				AGMIMG_m 0 ne {AGMIMG_m} if
+				AGMIMG_y 0 ne {AGMIMG_y} if
+				AGMIMG_k 0 ne {AGMIMG_k} if
+				setcolor			
+			}{	
+				/Decode [ Decode 0 get 255 mul Decode 1 get 255 mul ] def
+				[/Indexed 				
+					[
+						/DeviceN [
+							AGMIMG_c 0 ne {/Cyan} if
+							AGMIMG_m 0 ne {/Magenta} if
+							AGMIMG_y 0 ne {/Yellow} if
+							AGMIMG_k 0 ne {/Black} if
+						]
+						/DeviceCMYK {
+							AGMIMG_k 0 eq {0} if
+							AGMIMG_y 0 eq {0 exch} if
+							AGMIMG_m 0 eq {0 3 1 roll} if
+							AGMIMG_c 0 eq {0 4 1 roll} if						
+						}
+					]
+					255
+					{
+						255 div
+						mark exch
+						dup	dup dup
+						AGMIMG_k 0 ne{
+							/sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec 4 1 roll pop pop pop		
+							counttomark 1 roll
+						}{
+							pop
+						}ifelse
+						AGMIMG_y 0 ne{
+							/sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec 4 2 roll pop pop pop		
+							counttomark 1 roll
+						}{
+							pop
+						}ifelse
+						AGMIMG_m 0 ne{
+							/sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec 4 3 roll pop pop pop		
+							counttomark 1 roll
+						}{
+							pop
+						}ifelse
+						AGMIMG_c 0 ne{
+							/sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec pop pop pop		
+							counttomark 1 roll
+						}{
+							pop
+						}ifelse
+						counttomark 1 add -1 roll pop
+					}
+				] setcolorspace
+			}ifelse
+			imageormask_sys
+		}{
+	write_image_file{
+		currentcmykcolor
+		0 ne{
+			[/Separation /Black /DeviceGray {}] setcolorspace
+			gsave
+			/Black
+			[{1 exch sub /sep_tint AGMCORE_gget mul} /exec cvx MappedCSA sep_proc_name cvx exch pop {4 1 roll pop pop pop 1 exch sub} /exec cvx]
+			cvx modify_halftone_xfer
+			Operator currentdict read_image_file
+			grestore
+		}if
+		0 ne{
+			[/Separation /Yellow /DeviceGray {}] setcolorspace
+			gsave
+			/Yellow
+			[{1 exch sub /sep_tint AGMCORE_gget mul} /exec cvx MappedCSA sep_proc_name cvx exch pop {4 2 roll pop pop pop 1 exch sub} /exec cvx]
+			cvx modify_halftone_xfer
+			Operator currentdict read_image_file
+			grestore
+		}if
+		0 ne{
+			[/Separation /Magenta /DeviceGray {}] setcolorspace
+			gsave
+			/Magenta
+			[{1 exch sub /sep_tint AGMCORE_gget mul} /exec cvx MappedCSA sep_proc_name cvx exch pop {4 3 roll pop pop pop 1 exch sub} /exec cvx]
+			cvx modify_halftone_xfer
+			Operator currentdict read_image_file
+			grestore
+		}if
+		0 ne{
+			[/Separation /Cyan /DeviceGray {}] setcolorspace
+			gsave
+			/Cyan
+			[{1 exch sub /sep_tint AGMCORE_gget mul} /exec cvx MappedCSA sep_proc_name cvx exch pop {pop pop pop 1 exch sub} /exec cvx]
+			cvx modify_halftone_xfer
+			Operator currentdict read_image_file
+			grestore
+		} if
+				close_image_file
+			}{
+				imageormask
+			}ifelse
+		}ifelse
+	}ifelse
+} def
+/indexed_imageormask
+{
+	begin
+		save mark
+ 		currentdict
+ 		AGMCORE_host_sep{
+			Operator/knockout eq{
+				/indexed_colorspace_dict AGMCORE_gget dup /CSA known {
+					/CSA get map_csa
+				}{
+					/CSD get get_csd /Names get
+				} ifelse
+				overprint_plate not{
+					knockout_unitsq
+				}if
+			}{
+				Indexed_DeviceN {
+					/devicen_colorspace_dict AGMCORE_gget /names_index known {
+			 			indexed_image_lev2_sep
+					}{
+						currentoverprint not{
+							knockout_unitsq
+			 			}if
+			 			currentdict consumeimagedata
+					} ifelse
+				}{
+		 			AGMCORE_is_cmyk_sep{
+						Operator /imagemask eq{
+							imageormask_sys
+						}{
+							level2{
+								indexed_image_lev2_sep
+							}{
+								indexed_image_lev1_sep
+							}ifelse
+						}ifelse
+					}{
+						currentoverprint not{
+							knockout_unitsq
+			 			}if
+			 			currentdict consumeimagedata
+					}ifelse
+				}ifelse
+			}ifelse
+ 		}{
+			level2{
+				Indexed_DeviceN {
+					/indexed_colorspace_dict AGMCORE_gget begin
+					CSD get_csd begin
+				}{
+					/indexed_colorspace_dict AGMCORE_gget begin
+					CSA map_csa 0 get /DeviceCMYK eq ps_level 3 ge and ps_version 3015.007 lt and {
+						[/Indexed [/DeviceN [/Cyan /Magenta /Yellow /Black] /DeviceCMYK {}] HiVal Lookup]
+						setcolorspace
+					} if
+					end
+				} ifelse
+				imageormask
+				Indexed_DeviceN {
+					end
+					end
+				} if
+			}{
+				Operator /imagemask eq{
+					imageormask
+				}{
+					indexed_imageormask_lev1
+				}ifelse
+			}ifelse
+ 		}ifelse
+		cleartomark restore
+	end
+}def
+/indexed_image_lev2_sep
+{
+	/indexed_colorspace_dict AGMCORE_gget begin
+	begin
+		Indexed_DeviceN not {
+			currentcolorspace
+			dup 1 /DeviceGray put
+			dup 3
+			currentcolorspace 2 get 1 add string
+			0 1 2 3 AGMCORE_get_ink_data 4 currentcolorspace 3 get length 1 sub
+			{
+			dup 4 idiv exch currentcolorspace 3 get exch get 255 exch sub 2 index 3 1 roll put
+			}for
+			put	setcolorspace
+		} if
+		currentdict
+		Operator /imagemask eq{
+			AGMIMG_&imagemask
+		}{
+			use_mask {
+				level3 {process_mask_L3 AGMIMG_&image}{masked_image_simulation}ifelse
+			}{
+				AGMIMG_&image
+			}ifelse
+		}ifelse
+	end end
+}def
+  /OPIimage
+  {
+  	dup type /dicttype ne{
+  		10 dict begin
+  			/DataSource xdf
+  			/ImageMatrix xdf
+  			/BitsPerComponent xdf
+  			/Height xdf
+  			/Width xdf
+  			/ImageType 1 def
+  			/Decode [0 1 def]
+  			currentdict
+  		end
+  	}if
+  	dup begin
+  		/NComponents 1 cdndf
+  		/MultipleDataSources false cdndf
+  		/SkipImageProc {false} cdndf
+  		/HostSepColorImage false cdndf
+  		/Decode [
+  				0
+  				currentcolorspace 0 get /Indexed eq{
+  					2 BitsPerComponent exp 1 sub
+  				}{
+  					1
+  				}ifelse
+  		] cdndf
+  		/Operator /image cdndf
+  	end
+  	/sep_colorspace_dict AGMCORE_gget null eq{
+  		imageormask
+  	}{
+  		gsave
+  		dup begin invert_image_samples end
+  		sep_imageormask
+  		grestore
+  	}ifelse
+  }def
+/cachemask_level2
+{
+	3 dict begin
+	/LZWEncode filter /WriteFilter xdf
+	/readBuffer 256 string def
+	/ReadFilter
+		currentfile
+		0 (%EndMask) /SubFileDecode filter
+		/ASCII85Decode filter
+		/RunLengthDecode filter
+	def
+	{
+		ReadFilter readBuffer readstring exch
+		WriteFilter exch writestring
+		not {exit} if
+	}loop
+	WriteFilter closefile
+	end
+}def
+/cachemask_level3
+{
+	currentfile
+	<<
+		/Filter [ /SubFileDecode /ASCII85Decode /RunLengthDecode ]
+		/DecodeParms [ << /EODCount 0 /EODString (%EndMask) >> null null ]
+		/Intent 1
+	>>
+	/ReusableStreamDecode filter
+}def
+/spot_alias
+{
+	/mapto_sep_imageormask
+	{
+		dup type /dicttype ne{
+			12 dict begin
+				/ImageType 1 def
+				/DataSource xdf
+				/ImageMatrix xdf
+				/BitsPerComponent xdf
+				/Height xdf
+				/Width xdf
+				/MultipleDataSources false def
+		}{
+			begin
+		}ifelse
+				/Decode [/customcolor_tint AGMCORE_gget 0] def
+				/Operator /image def
+				/HostSepColorImage false def
+				/SkipImageProc {false} def
+				currentdict
+			end
+		sep_imageormask
+	}bdf
+	/customcolorimage
+	{
+		Adobe_AGM_Image/AGMIMG_colorAry xddf
+		/customcolor_tint AGMCORE_gget
+		bdict
+			/Name AGMIMG_colorAry 4 get
+			/CSA [ /DeviceCMYK ]
+			/TintMethod /Subtractive
+			/TintProc null
+			/MappedCSA null
+			/NComponents 4
+			/Components [ AGMIMG_colorAry aload pop pop ]
+		edict
+		setsepcolorspace
+		mapto_sep_imageormask
+	}ndf
+	Adobe_AGM_Image/AGMIMG_&customcolorimage /customcolorimage load put
+	/customcolorimage
+	{
+		Adobe_AGM_Image/AGMIMG_override false put
+		dup 4 get map_alias{
+			/customcolor_tint AGMCORE_gget exch setsepcolorspace
+			pop
+			mapto_sep_imageormask
+		}{
+			AGMIMG_&customcolorimage
+		}ifelse			
+	}bdf
+}def
+/snap_to_device
+{
+	6 dict begin
+	matrix currentmatrix
+	dup 0 get 0 eq 1 index 3 get 0 eq and
+	1 index 1 get 0 eq 2 index 2 get 0 eq and or exch pop
+	{
+		1 1 dtransform 0 gt exch 0 gt /AGMIMG_xSign? exch def /AGMIMG_ySign? exch def
+		0 0 transform
+		AGMIMG_ySign? {floor 0.1 sub}{ceiling 0.1 add} ifelse exch
+		AGMIMG_xSign? {floor 0.1 sub}{ceiling 0.1 add} ifelse exch
+		itransform /AGMIMG_llY exch def /AGMIMG_llX exch def
+		1 1 transform
+		AGMIMG_ySign? {ceiling 0.1 add}{floor 0.1 sub} ifelse exch
+		AGMIMG_xSign? {ceiling 0.1 add}{floor 0.1 sub} ifelse exch
+		itransform /AGMIMG_urY exch def /AGMIMG_urX exch def			
+		[AGMIMG_urX AGMIMG_llX sub 0 0 AGMIMG_urY AGMIMG_llY sub  AGMIMG_llX AGMIMG_llY] concat
+	}{
+	}ifelse
+	end
+} def
+level2 not{
+	/colorbuf
+	{
+		0 1 2 index length 1 sub{
+			dup 2 index exch get
+			255 exch sub
+			2 index
+			3 1 roll
+			put
+		}for
+	}def
+	/tint_image_to_color
+	{
+		begin
+			Width Height BitsPerComponent ImageMatrix
+			/DataSource load
+		end
+		Adobe_AGM_Image begin
+			/AGMIMG_mbuf 0 string def
+			/AGMIMG_ybuf 0 string def
+			/AGMIMG_kbuf 0 string def
+			{
+				colorbuf dup length AGMIMG_mbuf length ne
+					{
+					dup length dup dup
+					/AGMIMG_mbuf exch string def
+					/AGMIMG_ybuf exch string def
+					/AGMIMG_kbuf exch string def
+					} if
+				dup AGMIMG_mbuf copy AGMIMG_ybuf copy AGMIMG_kbuf copy pop
+			}
+			addprocs
+			{AGMIMG_mbuf}{AGMIMG_ybuf}{AGMIMG_kbuf} true 4 colorimage	
+		end
+	} def			
+	/sep_imageormask_lev1
+	{
+		begin
+			MappedCSA 0 get dup /DeviceRGB eq exch /DeviceCMYK eq or has_color not and{
+				{
+					255 mul round cvi GrayLookup exch get
+				} currenttransfer addprocs settransfer
+				currentdict imageormask
+			}{
+				/sep_colorspace_dict AGMCORE_gget/Components known{
+					MappedCSA 0 get /DeviceCMYK eq{
+						Components aload pop
+					}{
+						0 0 0 Components aload pop 1 exch sub
+					}ifelse
+					Adobe_AGM_Image/AGMIMG_k xddf
+					Adobe_AGM_Image/AGMIMG_y xddf
+					Adobe_AGM_Image/AGMIMG_m xddf
+					Adobe_AGM_Image/AGMIMG_c xddf
+					AGMIMG_y 0.0 eq AGMIMG_m 0.0 eq and AGMIMG_c 0.0 eq and{
+						{AGMIMG_k mul 1 exch sub} currenttransfer addprocs settransfer
+						currentdict imageormask
+					}{
+						currentcolortransfer
+						{AGMIMG_k mul 1 exch sub} exch addprocs 4 1 roll
+						{AGMIMG_y mul 1 exch sub} exch addprocs 4 1 roll
+						{AGMIMG_m mul 1 exch sub} exch addprocs 4 1 roll
+						{AGMIMG_c mul 1 exch sub} exch addprocs 4 1 roll
+						setcolortransfer
+						currentdict tint_image_to_color
+					}ifelse
+				}{
+					MappedCSA 0 get /DeviceGray eq {
+						{255 mul round cvi ColorLookup exch get 0 get} currenttransfer addprocs settransfer
+						currentdict imageormask
+					}{
+						MappedCSA 0 get /DeviceCMYK eq {
+							currentcolortransfer
+							{255 mul round cvi ColorLookup exch get 3 get 1 exch sub} exch addprocs 4 1 roll
+							{255 mul round cvi ColorLookup exch get 2 get 1 exch sub} exch addprocs 4 1 roll
+							{255 mul round cvi ColorLookup exch get 1 get 1 exch sub} exch addprocs 4 1 roll
+							{255 mul round cvi ColorLookup exch get 0 get 1 exch sub} exch addprocs 4 1 roll
+							setcolortransfer
+							currentdict tint_image_to_color
+						}{
+							currentcolortransfer
+							{pop 1} exch addprocs 4 1 roll
+							{255 mul round cvi ColorLookup exch get 2 get} exch addprocs 4 1 roll
+							{255 mul round cvi ColorLookup exch get 1 get} exch addprocs 4 1 roll
+							{255 mul round cvi ColorLookup exch get 0 get} exch addprocs 4 1 roll
+							setcolortransfer
+							currentdict tint_image_to_color
+						}ifelse
+					}ifelse
+				}ifelse
+			}ifelse
+		end
+	}def
+	/sep_image_lev1_sep
+	{
+		begin
+			/sep_colorspace_dict AGMCORE_gget/Components known{
+				Components aload pop
+				Adobe_AGM_Image/AGMIMG_k xddf
+				Adobe_AGM_Image/AGMIMG_y xddf
+				Adobe_AGM_Image/AGMIMG_m xddf
+				Adobe_AGM_Image/AGMIMG_c xddf
+				{AGMIMG_c mul 1 exch sub}
+				{AGMIMG_m mul 1 exch sub}
+				{AGMIMG_y mul 1 exch sub}
+				{AGMIMG_k mul 1 exch sub}
+			}{
+				{255 mul round cvi ColorLookup exch get 0 get 1 exch sub}
+				{255 mul round cvi ColorLookup exch get 1 get 1 exch sub}
+				{255 mul round cvi ColorLookup exch get 2 get 1 exch sub}
+				{255 mul round cvi ColorLookup exch get 3 get 1 exch sub}
+			}ifelse
+			AGMCORE_get_ink_data currenttransfer addprocs settransfer
+			currentdict imageormask_sys
+		end
+	}def
+	/indexed_imageormask_lev1
+	{
+		/indexed_colorspace_dict AGMCORE_gget begin
+		begin
+			currentdict
+			MappedCSA 0 get dup /DeviceRGB eq exch /DeviceCMYK eq or has_color not and{
+				{HiVal mul round cvi GrayLookup exch get HiVal div} currenttransfer addprocs settransfer
+				imageormask
+			}{
+				MappedCSA 0 get /DeviceGray eq {
+					{HiVal mul round cvi Lookup exch get HiVal div} currenttransfer addprocs settransfer
+					imageormask
+				}{
+					MappedCSA 0 get /DeviceCMYK eq {
+						currentcolortransfer
+						{4 mul HiVal mul round cvi 3 add Lookup exch get HiVal div 1 exch sub} exch addprocs 4 1 roll
+						{4 mul HiVal mul round cvi 2 add Lookup exch get HiVal div 1 exch sub} exch addprocs 4 1 roll
+						{4 mul HiVal mul round cvi 1 add Lookup exch get HiVal div 1 exch sub} exch addprocs 4 1 roll
+						{4 mul HiVal mul round cvi		 Lookup exch get HiVal div 1 exch sub} exch addprocs 4 1 roll
+						setcolortransfer
+						tint_image_to_color
+					}{
+						currentcolortransfer
+						{pop 1} exch addprocs 4 1 roll
+						{3 mul HiVal mul round cvi 2 add Lookup exch get HiVal div} exch addprocs 4 1 roll
+						{3 mul HiVal mul round cvi 1 add Lookup exch get HiVal div} exch addprocs 4 1 roll
+						{3 mul HiVal mul round cvi 		Lookup exch get HiVal div} exch addprocs 4 1 roll
+						setcolortransfer
+						tint_image_to_color
+					}ifelse
+				}ifelse
+			}ifelse
+		end end
+	}def
+	/indexed_image_lev1_sep
+	{
+		/indexed_colorspace_dict AGMCORE_gget begin
+		begin
+			{4 mul HiVal mul round cvi		 Lookup exch get HiVal div 1 exch sub}
+			{4 mul HiVal mul round cvi 1 add Lookup exch get HiVal div 1 exch sub}
+			{4 mul HiVal mul round cvi 2 add Lookup exch get HiVal div 1 exch sub}
+			{4 mul HiVal mul round cvi 3 add Lookup exch get HiVal div 1 exch sub}
+			AGMCORE_get_ink_data currenttransfer addprocs settransfer
+			currentdict imageormask_sys
+		end end
+	}def
+}if
+end
+systemdict /setpacking known
+{
+	setpacking
+} if
+%%EndResource
+currentdict Adobe_AGM_Utils eq {end} if
+%%EndProlog
+%%BeginSetup
+Adobe_AGM_Utils begin
+2 2010 Adobe_AGM_Core/doc_setup get exec
+Adobe_CoolType_Core/doc_setup get exec
+Adobe_AGM_Image/doc_setup get exec
+currentdict Adobe_AGM_Utils eq {end} if
+%%EndSetup
+%%Page: Alternate-ISC-logo-v2.ai 1
+%%EndPageComments
+%%BeginPageSetup
+/currentdistillerparams where
+{pop currentdistillerparams /CoreDistVersion get 5000 lt} {true} ifelse
+{ userdict /AI11_PDFMark5 /cleartomark load put
+userdict /AI11_ReadMetadata_PDFMark5 {flushfile cleartomark } bind put}
+{ userdict /AI11_PDFMark5 /pdfmark load put
+userdict /AI11_ReadMetadata_PDFMark5 {/PUT pdfmark} bind put } ifelse
+[/NamespacePush AI11_PDFMark5
+[/_objdef {ai_metadata_stream_123} /type /stream /OBJ AI11_PDFMark5
+[{ai_metadata_stream_123}
+currentfile 0 (%  &&end XMP packet marker&&)
+/SubFileDecode filter AI11_ReadMetadata_PDFMark5
+<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?><x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='XMP toolkit 3.0-29, framework 1.6'>
+<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:iX='http://ns.adobe.com/iX/1.0/'>
+
+ <rdf:Description rdf:about='uuid:8aa76b3d-2474-11d9-a8a3-000393cd9a96'
+  xmlns:pdf='http://ns.adobe.com/pdf/1.3/'>
+  <pdf:Producer>Adobe PDF library 6.66</pdf:Producer>
+ </rdf:Description>
+
+ <rdf:Description rdf:about='uuid:8aa76b3d-2474-11d9-a8a3-000393cd9a96'
+  xmlns:tiff='http://ns.adobe.com/tiff/1.0/'>
+ </rdf:Description>
+
+ <rdf:Description rdf:about='uuid:8aa76b3d-2474-11d9-a8a3-000393cd9a96'
+  xmlns:xap='http://ns.adobe.com/xap/1.0/'
+  xmlns:xapGImg='http://ns.adobe.com/xap/1.0/g/img/'>
+  <xap:CreateDate>2004-10-06T16:15:40-07:00</xap:CreateDate>
+  <xap:ModifyDate>2004-10-22T21:51:43Z</xap:ModifyDate>
+  <xap:CreatorTool>Illustrator</xap:CreatorTool>
+  <xap:MetadataDate>2004-10-06T16:15:40-07:00</xap:MetadataDate>
+  <xap:Thumbnails>
+   <rdf:Alt>
+    <rdf:li rdf:parseType='Resource'>
+     <xapGImg:format>JPEG</xapGImg:format>
+     <xapGImg:width>256</xapGImg:width>
+     <xapGImg:height>152</xapGImg:height>
+     <xapGImg:image>/9j/4AAQSkZJRgABAgEASABIAAD/7QAsUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAASAAAAAEA&#xA;AQBIAAAAAQAB/+4ADkFkb2JlAGTAAAAAAf/bAIQABgQEBAUEBgUFBgkGBQYJCwgGBggLDAoKCwoK&#xA;DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8fHx8fHx8fHwEHBwcNDA0YEBAYGhURFRofHx8f&#xA;Hx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8f/8AAEQgAmAEAAwER&#xA;AAIRAQMRAf/EAaIAAAAHAQEBAQEAAAAAAAAAAAQFAwIGAQAHCAkKCwEAAgIDAQEBAQEAAAAAAAAA&#xA;AQACAwQFBgcICQoLEAACAQMDAgQCBgcDBAIGAnMBAgMRBAAFIRIxQVEGE2EicYEUMpGhBxWxQiPB&#xA;UtHhMxZi8CRygvElQzRTkqKyY3PCNUQnk6OzNhdUZHTD0uIIJoMJChgZhJRFRqS0VtNVKBry4/PE&#xA;1OT0ZXWFlaW1xdXl9WZ2hpamtsbW5vY3R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo+Ck5SVlpeYmZ&#xA;qbnJ2en5KjpKWmp6ipqqusra6voRAAICAQIDBQUEBQYECAMDbQEAAhEDBCESMUEFURNhIgZxgZEy&#xA;obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PSNeJEgxdUkwgJChgZJjZFGidkdFU38qOzwygp&#xA;0+PzhJSktMTU5PRldYWVpbXF1eX1RlZmdoaWprbG1ub2R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo&#xA;+DlJWWl5iZmpucnZ6fkqOkpaanqKmqq6ytrq+v/aAAwDAQACEQMRAD8AiX5AfkB5O/MTydea1rV5&#xA;qNvdW+oyWSJZSQJGY0ghlBIlhmblymPfMfLlMTQbIQBDOPM//OKX5U6B5e1DWZ9R1uSOxhaX0hcW&#xA;il2H2U5G0NOTUFcOCcskxAVuWOaoQMj0Y1+Wf5EflJ56N+kUuvWEtgImZHu7OTmJS4+Glmv2eG+3&#xA;fMvXYJ6etwb8v2uPpNRHNdCqZz/0Jp+WH/V01v8A5H2n/ZLmv/MSczww7/oTT8sP+rprf/I+0/7J&#xA;cfzEl8MO/wChNPyw/wCrprf/ACPtP+yXH8xJfDDAfzv/AOcc/JHkPyHN5g0i+1Oe9juIYVju5bd4&#xA;uMrUYkRwRNXw+LJ48xkaRKAAfT/5V/8AksPKH/bE07/qEjzJaiynFXYq7FXYq7FXYq7FXYq7FXYq&#xA;7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq+BfyU/MTzH5Nhnn0yUPbSzt9ZsZqtBJ8CAMVBFGHZ&#xA;hv8ARtmz0uihnwkS58XPryDrdVqp4sorlXL5st1/z/8AmP5whlgu7p20+b7VnCqwW9AwYL250YD7&#xA;TE5eI6TSncgS+Zccy1OoGwPD8ggfLXmTzl5HvJLzTD9X9YKtwroksUiqSVVjvTc9iDlkp6bVjhsS&#xA;+wsIxz6Y3Vfc9B1b/nJjWZ9Hhh03TYrPVmH+lXTt6sQp/vqM/wA3+UTT365iY+w4CVyNx7v1uTPt&#xA;eRjsKk9s8j+YrjzH5W0/Wbm0aymu4wzwtsCRsXTcng1KrXemaHV4RiyGAN07jT5TkgJEVae5jNzx&#xA;v/nLL/yT91/zG2v/ABM5dg+pjPk9M/Kv/wAlh5Q/7Ymnf9QkeZzjllOKuxV2KuxV2KuxV2KuxV2K&#xA;uxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV+eX5W6Yl7aztLvBDMSy/zEqtB8tsyJ644NP6fr&#xA;lI18hZcX8oMuf1fTGP6S9h0Ly3rGtzm20q1M7RgF6UVEXtyZiFHTbOa3ke8u52Adr3lvWNEnFtqt&#xA;qYWkUlCSGRx3oykqeu+DeJ7iuxDANasU07UIriJFaF29RYmAK8kILKVPVc7bsjWnUYiJfVHY/oLy&#xA;/aOlGHIDH6S+zNB1K31TRNP1K2UJb3lvFPEg6KsiBgu38taZzGaBhMxPMF6DHMSiCOoR2VM3jf8A&#xA;zll/5J+6/wCY21/4mcuwfUxnyemflX/5LDyh/wBsTTv+oSPM5xyynFXYq7FXYq7FXYq7FXYq7FXY&#xA;q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq+A/yedP0NepT4xccie5BRR+FMxNfE8ET0uX+9bNP&#xA;IcZHWh+l9K/kxr2kW1neaZcSxwXskwmjaQhfUUqF4qT1Kla098wMUg5Mgq/nNrujzada6XDKk9+s&#xA;4mbgQ3pIEZaMR0Lcht9PhjlIWIeCebnQQ26U+MszA+AAAP31zoPZyJ4pnps6ftqQqI67s3/KGD81&#xA;YPMejRFNVh8ts6tKJ0mFp6HAsOPqDgFYUoVzYdonTGEvp4/hduJoRnE4/VwfY+lCyggEgE9B45yr&#xA;0Lxb/nLe8tYvyoe2kkCz3N7bmCM9W9NqtT5A5bhI4wFlAmBI5B6l+Vf/AJLDyh/2xNO/6hI8z3EL&#xA;y3/nLq+1nQPJem69oWsalpWoyapHZytZX11BG8UltM5BijkVK8oFoaePjir0v8ooJB+W/lq8nu7u&#xA;9vNR0uyvLy5vbme6keaeBZXPKZ34jk52XbFWYYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7F&#xA;XYq7FXYq7FXYq7FX5z/l3fy2Nq88Y5D1mDodgylE2zaafSR1GnMJfztvI0HWanUSw5xIfzf0l6Zb&#xA;a3plwnITrGe6SkIR9+x+jOdz9k6jGa4TId43dti7QwzF8Ve/Zq61zTLdORmWU9kiIcn7th9Jw6fs&#xA;nUZD9PCO+W37Vzdo4YDnfu3S3y5bW3mjzpptlqVwtnZ3U6xO5JoEFTwBAPxP9kH+Y+GdXDCNJpyI&#xA;CyBfvPf+Ojz5ynU5xxbAvozTPzt/L2W4vbT60bO109R6E8qFY5kX4SIVUF9uylakduucN+aiSbfQ&#xA;Z9gamMYkC+LoOnveJeYvzDnP5kTeatBmlMUUoayS7qRxMYSRCgbZHPLYHp4HMKWT18Qet03Zo/Kj&#xA;DkA5b179vixD84/zA8y+btFi/TEsbJaSVt44o1jVTIRy6bn7I6nMzRZJSyi+4un7Y7OxabSS8Mcz&#xA;G32N+Vf/AJLDyh/2xNO/6hI83jwxeUf85q/+Ss0r/tuW/wD1CXeKvVfyn/8AJWeTf+2Hpv8A1CR4&#xA;q8j8x/nX5n8ifnH5nGr28+o/l4tzp9rNKnxtp082nwSckAqQklWYp0Y1K/FUFV7F5gutN1/yJe6h&#xA;pmoSNaT2M1xY6jp1zJC1fRfi6SwMh2PY9+o2xVjP5faLe+ZPyb8tx3WtanDPqNraXmo6jHeXBvpD&#xA;QSMqXLSGSIOwAbifs1HeuKvOfzm0m/8ALHnz8tdI0fzJ5hhsfMmqG01aNta1GQyRC4tI6KzTEp8M&#xA;77rir2bQfIEWia5+kbXWtYurZ7SW2msNQ1G7voS7yROkyC4kk4OgjZajs2KvH9Is9R1n/nJrzd5Q&#xA;utf12Py9p+mRXtnZQavqEQjmaOxJIZZg1K3D7Vpvir2Xy/5JTSdO1PTZdW1PUbS9ujcW8l3fXUlz&#xA;bxmGKMwpcmT1uIkjZx8X7WKvB/8AnH/RPMX5gflhrGqaj5x8wQa/BqE9rYagNWvfTjEdtBLH6kLS&#xA;NG685TyqtaYq9K/5xr86+aPOH5Yw6n5kJlvYbqa1hvWADXMMQUrK3EAVDM0ZPfjirHPzm/M7zt5G&#xA;/M6wvNIt5NV8u22jC78waSrbCD620RuUG5R0LKC4FKfa23Cr1fyr5t8s+ePLcWraHeG5066HFzG7&#xA;RTROAC0UnAq8ci13FfwOKsS/JBbuS183fXNQv9Qaz8y6rp1s97eXFyUtbaVUijX1XYLxA6jfFWA6&#xA;RZ6jrP8Azk15u8oXWv67H5e0/TIr2zsoNX1CIRzNHYkkMswalbh9q03xV6vB+XE8Oi3+ijzJrJs7&#xA;2/S8W5e+uJL6GBI4gbWK8eQzIjSxFiQfssy964q8i/ObSb/yx58/LXSNH8yeYYbHzJqhtNWjbWtR&#xA;kMkQuLSOis0xKfDO+64q9n0DyDFoWvDU7XWtXurdrWW2m0/UdRur+Eu8kTpMq3MknF0EbLUdmxVl&#xA;WKuxV2KuxV2KuxV8tf8AOKPkvyrr35Z6zJq+mQ3k02qy2zTSL+8WJLa3dVRxRk+JyaqQcqnqsmMj&#xA;hkR1T4EJg8QtKPzn/LXS/JV9pzaXNNJaakJisc5VijQlKqGULUfvO4zoezNdLODxAXGnR6/SRwkc&#xA;PIsk/Ln8gtN17QNP17V9RnSO9VpPqMCKhCh2VaysXryVQ32B1+nMXW9ryxzMIgbdf2ORpezIziJS&#xA;PPownzdp3kO384XUWjyXMOkWbMrRg82kkiFCsEjVKhn25PWg+LfZc1uP2mIgRKPFLoeh9/7Ofk9P&#xA;H2GyT4JxkIxl9Q6x93f+hj2oXjXt9cXjIsbXEjStGleILmpArU985ORs2+nYcfhwEbJ4RW/PZG2X&#xA;l+4mAec+ih6LSrn6O2TjiJdNre38WI8MPXL7Pn+Pek/5j6Pa2nliWWMuW9WMfEQep9gM2GhxgZHm&#xA;O0u2cuoxGEhER8v7X2j+Vf8A5LDyh/2xNO/6hI83LzpeUf8AOapH/KrdKWu51yAgd6C0uv64q9V/&#xA;KYg/lZ5Np/1Y9N/6hI8VYb5Q0/SvMf5j/nBpWq2yXNhdzaVbXVq+4ZBp/p12oQTwqCNwehqMVea6&#xA;5Yeb/wAgZ9Tgtlm1r8qtdWWJVrym0+edCq1rQA1NK/ZkHg2Kvevyiiji/KrycqDip0TT2I93tY2Y&#xA;/STiryz/AJyO/wDJp/kv/wBtw/8AUXp+KvoDFXzXp/lvSfMH/OXnney1P6x6CaPbzJ9VurmyfmsG&#xA;nKKyWskLkUY/CWp3psMVe6+U/LmkeW0vdK064llV5hfGK5nluZo1nURqGlneSRlLQNxLH27Yq+XP&#xA;yK8n+e9f/IrzOPKfmS5025fULiJdIRLcQ3LLa2zOPXaP6xE8qNwqkqjYV74q93/Ij8xPLvmnyhBp&#xA;tjaR6Pq2hItnqnl9FMZtnj+CqI3xemxB3O4NQ2+KqFxLDN/zkwllKitGfJMpYPQhxLqiqUKkb7R4&#xA;q8984/l15r/JzzNP+YP5axNd+WZjy8w+WBXikIqzMgFf3a7lSByj90qMVehf8476tZ635O1fXrON&#xA;ooNZ8watqCJJTmFuLkugehI5BKA0xV57p/lvSfMH/OXnney1P6x6CaPbzJ9VurmyfmsGnKKyWskL&#xA;kUY/CWp3psMVe6+U/LmkeW0vdK064llV5hfGK5nluZo1nURqGlneSRlLQNxLH27Yq8e/5yO/8mn+&#xA;S/8A23D/ANRen4q+gMVdirsVdirsVdirsVfOv/OGn/ksNU/7bc//AFCWuYeo+pux8ntWreX9C1hE&#xA;TVtOttQWLl6X1mFJeHOnLhzB41oOmQx5pw+kke5M8UZ/UAUFq3mDyp5P0+zhv7iLTLI0t7KMIxUB&#xA;F+yqxq1AB36ZTlzC7kdy5ek0OTN6cUb4Q+XvzM13S9c866lqGmRJHZO4SOSMcfWKDi0xG28h36dO&#xA;u+arLIGRIfRey9PPDp4xmfV93l8EHoGmqVF5KtTX9yD2p+1/TJ4odXS9vdpkHwYH+t+r9f8AanuZ&#xA;DyTEPzS/5RKX/jNF/wASzJ0f1teb6X2H+Vf/AJLDyh/2xNO/6hI82zhlb51/K3yR52EK+aLGXUYr&#xA;ducMBvLyGJXpx5CKGaNOVO9MVTHy15Q0Ly1p0em6MlxBYQp6UFvJd3VwkaDosYnll4AduOKoTRfy&#xA;68p6Lr1/r2m29xDq2qFG1G4a9vZfXMYIT1ElmeNuAYhart2xVPNS03T9TsJ9P1G3ju7G6QxXFtMo&#xA;eN0bYqynYjFWtK0yx0rTLPS9Pi9CwsII7W0hBZgkMKBI1qxZjxVQNzXFWO+avys8j+a9VstV16xm&#xA;u7/TW9TT5heXkIgcFTyiSGaNENY1NQOoxVlFvAkEKQoXKIKAyO8jfS7lmP0nFWDXn5Gflnd69P5g&#xA;n066Ot3NPW1FNT1KOZqKEHxpcqacVAxVO9F8g+WdFsr6z02K5ij1Fle8le+vZZ3ZAFWlxLM8y0Ap&#xA;RXGKqPkr8s/JfkmGWDyxZSafbzuZZbf63dzRNIVCl/TmlkTlxUCtMVWXX5XeRbjzT/ir9Gm28wkF&#xA;ZNRs7i5s5JAQAfVFtJEslaCvMHFVWb8ufKU3mtfNklvcnzAkRt0vhfXqlYCxcxCMTCMR8mJ4caYq&#xA;yUgEUO4PUYql2g+W9D8v2cllotlHYWck0lw1vCCsYklNXKrWignstBirFLz8jPyzu9en8wT6ddHW&#xA;7mnraimp6lHM1FCD40uVNOKgYqyLyx5N8v8AllLpNHhmjN66y3Ulxc3N5I7KvFayXUkz0A7A0xVL&#xA;vNX5WeR/Neq2Wq69YzXd/prepp8wvLyEQOCp5RJDNGiGsamoHUYqyi3gSCFIULlEFAZHeRvpdyzH&#xA;6TiqpirsVdirsVdirsVfOv8Azhp/5LDVP+23P/1CWuYeo+pux8nvOY7Y8/8Azo8q6Nq/lK61O/eW&#xA;O40aCaayeJqLzYCiupqCGZVB75j6mAMbPR3XYeryYs4hGqmQC+XIYmlmjiX7UjBR82NM1z3+XIIR&#xA;MjyAtmqIqIqIKKoCqPADYZmgU+X5MhnIyPMm12Fghvzc8i6jZ/lNJ5hvHEKS3FsLe1pV2SRtnY1+&#xA;HboMy9JH1W1ZTs+nfyr/APJYeUP+2Jp3/UJHm0cQph5t84eXfKWjSaxr94tnZIwRWILvJI32Y441&#xA;DO7t2Cj8MVYZqX57aRpCQXOs+V/Mel6ZcOkUep3ViiwBpCAgfjM0sfIttzQYq9MxV2KuxV2KuxV2&#xA;KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KvnX/nDT/wAlhqn/AG25/wDqEtcw9R9Tdj5P&#xA;ecx2x4p+e3lfzteTXGr2dy7eXLa1Q3NoJ2ChkY839H7J6jf2zC1MJXfR6z2f1eniBCQ/emWxr9Lw&#xA;yw/3utv+Mqf8SGYkeYen1wvBP+pL7mZZmvmTsVZ7/wA5N6hZ6h+Rn12zINtNc2bRhabDkfh27r0O&#xA;bDTm5Boyci9X/Kv/AMlh5Q/7Ymnf9QkeZ7jF43/zl1Lrmk3vkTzVBAbvSNC1Fp7m3IPpfWFeGWES&#xA;0rtIsLqK9PpxV6v5X84+R/zX8mXB06cXFleRGDULJqLc27Ov2ZENeLKd0bcGlQTiqF1P85dE0r8w&#xA;NN8j6ppGp2OpauwXTr6ZLX6lKDWhWVbhm+0OPHhyrTbcYqnfn7z3pvkrRYtWv7S7vo5rmGyhtbBY&#xA;pLiSa4PGNUjlkh5knspJ9sVa1vz9pOg6TZX2t29zY3WozJbWGjlY576a4k+zFHHbPOrN40eg7nFV&#xA;C2/MOI6rHp2p6DqujGaGa5hur2O2Nu0cCeo/7y3nuOLcd+D0b2xVj+t/njDofl6TzFq/kvzJZaPC&#xA;sby3M0OnrxEzrGnKP676gq7qKccVRNp+cf1rSrPWU8meYho97HDPFf8Ao2DRiC4CskzLHePIE4sG&#xA;Y8dh1xVW8+/nFpHknXNH0bUtG1S7u9flNvpDWS2jpPMGjTgPUuYmU8p0HxAdcVR+kfmFNfa7a6Pe&#xA;eV9a0aW9SV7e6v47P6uTCvJkL29zcEMR0FMVTTW/OGiaLrWiaPqEpiu/MEssGnGg4GSGP1CrGu3I&#xA;bLtudsVTvFUj8u+cdD8w3utWelymWTQb06ffNQcfXWNXbgQTUKX4GtPiU/MqobzF5/0XRdZtNBEV&#xA;zqfmC+jae30iwjEs/oKeLTSF2jiij5bcpHUE9MVVPLXnBNb1HUdNl0nUNH1DTEgkuLfUY4V5JcmV&#xA;Y3ikt5biKRawOCVfFWQ4q7FXYq7FXYq7FXYq7FXYq+df+cNP/JYap/225/8AqEtcw9R9Tdj5Pecx&#xA;2x51+eHmy/0HysLa2sUuYdZE1jPPIW4xCSOlAi05MyluPxbU6HMfUzMRXe7zsHRxzZrMqMKlXfu+&#xA;YCHR6EFXU7g7EEZrn0AgEeTMrO5W5to5l/bHxAdj3H35mRlYfNNbpjgyygenL3dFbJOIxj80NQvk&#xA;8i3Fis7izluIXe35HgWVtm49K++ZWj+trzfS+u/yr/8AJYeUP+2Jp3/UJHm1cMpxrekaHr2nXeh6&#xA;vbxX1lcxgXdlLQ1jcnixA+JfiQ8WHcbbjFXx/wCefJXmT/nHvz/p3mzy1cyXHli9mMSo7fEU+1JZ&#xA;XIFA1UFUf2rsVxV9Efnb+XUf5geRuWnEx6/ptNR8vXa1WRZlAb0ww+IeqAB7NxPbFWLfk35j1D83&#xA;LrTPOOsxenY+VIhaW9r+xNrTxA3N5xB+ykLqIlP2S7HFU7/Pv8vvN/mO20LzF5MuBH5o8p3El3YW&#xA;zlQswlCc1Bf4OX7paB/hIqD1xVA/lD+ek/mzXn8necdGOh+drBWlELIyxSlFIdo1kq8T8GJpUgrU&#xA;hqbYqmH/ADlH/wCSJ8zf9GP/AHULfFWVflQA35VeTlYVB0LTQQehH1OPFXkn/OTk89v+Y35Pz29u&#xA;95PFrEjw2kbIjyut1YFY1aRkQFzsCzAeJxV61onm/wAwahr0Ol6n5SvdFR4JrlLy6uLKaP8AcsiF&#xA;V+qzXB5H1h1ptirxr/nJzRvMHmLzXZRaFM8eoeTNDm8ywrGKuXN7DH8BrXmEt3kX4TulO+Ks6i/O&#xA;car+TVj5q0dFk8x6z6el6fp43/3MzH0fTof2Uesu/wDusVxVhn/OMdldeWPP/wCYvkq8uWu5rOe3&#xA;uVuXJ5SGsgkkIPd/UQ4qmv5xeUPzP0Pz/b/mj+XcS6ldrZDT9X0dl9RpIUfn8EYKtIrUWqoeYK1F&#xA;a7Ksv/Jv839H/MewvZVsW0rzDphSDWNOloXQ1fgVchWZOQfZgCpqCO5VejYq7FXYq7FXYq7FXYq7&#xA;FXYq+df+cNP/ACWGqf8Abbn/AOoS1zD1H1N2Pk95zHbGiqkgkAlTUHwNKfxxS+UPzkutEufzA1KT&#xA;SkdOLCO+5rwU3UfwylFNDTYVr1apzV5iOI0+jdiQyR00RP4f1ejGNK1RrOQq9Wgf7Sjsf5hkYTpe&#xA;1ezBqY2Nsg5H9BZRDNFNGJImDoejDMoEF4TNgnilwzFFif5pf8olL/xmi/4lmVo/rcXN9L7D/Kv/&#xA;AMlh5Q/7Ymnf9QkebZwykHm1PzQ0f8w18xeWdIh8w6BeaZBYajpf1uO0uVnt7i4lSaJp6RfZuaHf&#xA;f2oDirH/ADj5I89/mxe6Rp3mfSI/K/k3TLpb+8tXuoru/u5kVkRF+r8ook4uwJ5k71xV7DdzSW1o&#xA;8kFs908Y/d2sJjV27UUytGg+lhirx7/nGDyX5z8keT7/AEHzPo0thcz6lLexTie0miMb28MYH7ma&#xA;R+XKE/s4qzXzNqX5haV5piutG0L/ABB5euLRIrq2huoLa5guY5Xb1Y1uWjidWRwGHMHb23VY/pvk&#xA;zzH5j/NnTvzB1/SU0CDQbGSz0ywaaK4vJpZxIjyTvbs8KIkcrBUDtua1xVGf85AeXvMnmb8r9V8u&#xA;eXtNk1HUtSNuIwstvCiCC6hnYu08kXVYzTjXFU9/LC11iw8haBpGr6bLpt/pWnWllcRyyW8oaS3h&#xA;WJijQSSgiqV3p1xV5z+fXlHz/r/nbyHq/lny9JqsHlO+a/umN1Z26y1mtZljT1plf/j3YElcVZ/p&#xA;3mfz3qGr6fay+TrrRtPeR21HULy70+ZUjWJyqpHbXE0jM8vBelAN8VSnyzpHmVvzd8z+YNU0S4tN&#xA;Jv7KxsNKuZJbSRSluJHnMkcVxI68pHAX4DXvTFWOflr+Q0vlP8ytZ1R5eflS3ma78q6dyDJFc3iB&#xA;LiUx/stCiekh7qcVdZ+TPO2hf85H635ztNElvfK+uWEdrNPBPaKVlWKD4/Rlmhf7dvStD9onFWXX&#xA;ut/mbpHmnWI4/K7+YfLtzJFNpNzZ3tpDNCBbRRywyxXckAoZkd1Kt3xVB/lr5C1ew84eavPWu28O&#xA;nap5nkhWLSbdxKttb26BAZJFCq8spHJ+OwPc1xV6RirsVdirsVdirsVdirsVdir51/5w0/8AJYap&#xA;/wBtuf8A6hLXMPUfU3Y+T3nMdsQGoa9omnT29vf30FrcXTrHbQyyKryO7cVCKTU1O2WwwzkCYgkB&#xA;hLJGJomrQd15K8p3eoXWo3WlW897ex+jczyIGZkC8e+wPHao3zGOKJNkOdDXZoxEYzIjE2Hyf5k0&#xA;uzj81alp2hRTzWkFxLHbRspaXhETy2ArQUPUVp1zWGO5p9G0+c+DGWUgSIHuspTBc3Fu/OFzG3en&#xA;eniO+AGm7Pp8eWNTAkEr896vd3Plp4JuLD1IzzpRtj7Gn4ZsNBMnJReT7d7Jw4cByQsGx12/Hxfb&#xA;v5V/+Sw8of8AbE07/qEjzePFFlOKuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV&#xA;2KuxV2KuxV86/wDOGn/ksNU/7bc//UJa5h6j6m7Hye85jtj5B/OE2S/mVrEun3KTwvKkglicOFkM&#xA;amReQJ3WSvyztuzb8CIkKeW19eMSCzGx/wCcmfMNvaWsM+k29zJDGqTztI6tKyinPYUUnqeuYM+w&#xA;4EkiRDlR7XkALDBvzG8+t5y1tNSXT49NVIkQxxkO7utfjkkCoXO9FqNhmZoezoaeyN5Hr+hp1naW&#xA;TOBAkiEeUb2vvZjpf5M+bNeg8vanNJHLYX8UL3tz6oNwkUjGQu4YDkwjYKtGY9K0zi+1cHFqZcIA&#xA;jfT7ftfRewO2oYNCIzMjkAJF7+4Wln/ORn5QaL5T8irq+k3F1KGvIYJobgo6qrh25hkRKfEoXfxy&#xA;OlwCGQENGt7ZyanBKExEcjt7w+kPyr/8lh5Q/wC2Jp3/AFCR5tnnCxj88Pzoi/LzTrSz061Gpeat&#xA;YPDSrA1KD4gvqyhSGK8moqjdjtUbnFXaF+WHnPUrGO988+dNYfV5xzmsNGuf0bZ25bf0k+rKkknD&#xA;pyL7+GKpJ5+/Lfz15b0afzB5N89a4X04fWbvTNUufr8UluhDS+m8ysyssYLDlyrSm2Kva8VdirsV&#xA;dirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVfHH5K/mFceTPyPvZrD021W98wzR2qyg&#xA;soSO0tGlYgUqKUXr+1lul0Yz5al9IH9jRqtUcWOx9RKa+aP+cgPNGu+XW0lLaLTZ5zS7vLV3BeKm&#xA;8aK1SnLueZ22za4Ox8eOfFfF3AutzdpznDhqnmkUApyfv0X+uYHavb/gyOPFRkOZ6D9r1Hs97HnU&#xA;wGbOTHGeURzkO/yH2nyVQqAEBVofYE/ed85qXbOqJvjP2Pcx9l+z4x4fCj9pPzu1jwIw+H4W/A5t&#xA;tB7RzEhHNvH+d1H4/FvOdsew+MxM9L6ZD+AmwfcTuD7yR7no/wCT/wCbcnlK4k0vWZJJNAkDsigF&#xA;3gmAJ+AdeLnYr47+Ob3tHs8ZwJwri+8PBaLWHCTCd19xX/n5+cXlzzh+Xt/pGm29zC8c1vOs1yEQ&#xA;OElClVVWc/t1zUz7MyYQJSI+Ds8WvhlJiL5Poj8q/wDyWHlD/tiad/1CR5BtL5u8+3Bv/wDnMzSL&#xA;bURW1srrTYrMP9mgt0uEpX/l4kP04q+usVaIBFDuD1GKvMPzU/MTW7LzT5d/L3yq6QeZvMzGR9Rk&#xA;QSrZWUfIyTLEdncrE/Hl8PwmuKprc/lSs9sKebPMkeohaDUE1OZfiofiNsKWp3PT0sVYX+Vv5k+d&#xA;NP8AzL1L8qfPk6alqVtGZ9F1xEETXMKp6gEqr8JJiPIECoKsGJ64qk/mP86/M/kT84/M41e3n1H8&#xA;vFudPtZpU+NtOnm0+CTkgFSEkqzFOjGpX4qgqvYvMF1puv8AkS91DTNQka0nsZrix1HTrmSFq+i/&#xA;F0lgZDsex79Rtirz6383eYPLf/OMsHm2ykn1PXhpNvdtPezS3bmacokkzGZnNIw5k49NsVVfI9jo&#xA;/nfybZavoHnbVbvzAkcMt7cDUp1CXNFd4LmwRhBGjMrLQRV4/ZJGKorzz588wal+Zenflf5Uuf0b&#xA;dzW5v9f1wIkstraAEiO3SQMnqybfEynjyFB4Kpxqn5TyT2kh07zd5isNVKn0b46lPOgfqC9rITbs&#xA;teoVF9qYqxj8kvzR806t5j1/8u/PHpyeafLvJhfwKI1urdHWMyFV4gNWRGBUCqsNgQaqsa0qz1HW&#xA;v+cmfN/k+58wa7F5fsNLjvLOzt9Xv4hHM8diSVZZq0rcOaHbfFU5/KrV/PVl+avnj8ur3WLjWtI0&#xA;i2juNN1i9P1ie3kuFjeGKSQ8WkJSY1qesZpSuKqX52eTpvJv5R6vrmkeZ/Mn6Y09bQRXk2tag9TL&#xA;dwwuzR+sI/iSRv2cVT3yT+Xh1n8v/LesnzL5ii1m+0ywv5Lg6zfyRtcSQRzNzheVozGzn4lp02FM&#xA;VY//AM5AX+sad+Zf5X22m6tqVha6/qv1XVra0vrqCKaFbmzjCmOORUX4ZnBKgVrirJv+cj5b3Sfy&#xA;d1fVdK1C+0/UdNFoLS6tby5hkAkvIYW5tHIvqVRyKvXFWUflR6z/AJa+WLu4uLi7u77S7K7urm6n&#xA;luJXmnto3kYvMztuxrQGmKsJsDej/nJi80U6lqLaPF5bXU49Oe/vGtxdC8ii9T0mlKH4CRxI4+2K&#xA;oX8/fzcvPIHm/wAivDK/6PknuZddtkJo9n+6hqyjqV9RnT/KXFXsFzrGmW2kSaxNcoumQ25u3u61&#xA;jECp6hkqP2eG+KvJf+cd/wAz9U8+XnnafUGkQQanHNY2cvW2tJ4jHDEFJ+Ha3JbsWJPc4qwz/nFD&#xA;QdH138oNY0/VrWO7tJNbn5RyDofqlrRlI3Vh2INcx55pY5iUTRZ+HGcakLDyTU7a1j1y9t7RWW0i&#xA;uJlgSQ1YRI7cQxHU8RnU6zUyxaaWT+IR+0/tdN2Xo46jWwxfwyn/ALEbn7GWflb5Oh82+bodPuiR&#xA;Ywo11ehTRmijKjgDsRyZ1Wo7Z5tihxy3fae1dZ+VwcUef0x/Hk+p7Py/oVlYiwtdPt4bMLxMCxIE&#xA;I/yhT4vpzZDHECqfPZ6nJKXFKRMu+3g357/l3pegyWuu6PCLazvZDBdWqCkaTcS6NGP2Q6q1V6Cm&#xA;2YOoxCO45PY+z/aU8wOOZuURYPk8buFHIMB1G/zGdr7O6g5NPwn+A18HgfbbRRw63ijyyR4vjyP3&#xA;X8WX/mR+VFlon5Kx+a57trnUL9rKW3iQcIoormj0Nfid+JG+w9u+U63tE5JnEBUQfudfo9EIR8Qm&#xA;yR976m/Kv/yWHlD/ALYmnf8AUJHmI5heIf8AOUv5ZeY013TfzQ8qxPNeaV6LalHEC0kbWr+pBdKg&#xA;3YL0enQAHpUhV6z+U/5y+VPzE0aGayuY7fW1QfX9HdwJo5AKsUU0Mkfg4+mhxVkHnfzlpXlPQZtT&#xA;vpYxMR6en2jtxe5uX+GKGMAMxLuQDQGg3O2KvEvzwFx5K/PPyX+Z1xE7+XkjGm6jOoLiAsJomYge&#xA;MNyWXxKnFX0LZXtnfWkV5ZTx3NpOokguIWDxujbhlZSQQfbFXhOlab/i7/nKm58z6YPV0XyhYfUr&#xA;m/XeKS9khkiMKMNmZBcNy8OPyqqyDyhp+leY/wAx/wA4NK1W2S5sLubSra6tX3DINP8ATrtQgnhU&#xA;Ebg9DUYq811yw83/AJAz6nBbLNrX5Va6ssSrXlNp886FVrWgBqaV+zIPBsVe0/l3e6Lp/wCVHkSz&#xA;1Dgtvq+l6dZRxygGOSW4sRIY2DbH1OLCncmmKvHPze/Ke0/K7U9L8/8A5cXMumajLqMFmdAVyYrl&#xA;rhifSiqeXF+NGiNVp0pTFUx84T/8q9/5yis/OOsAxeWvNdqti+pN/dQyiFIOLtSi0aCNmr+yxPY4&#xA;q+jY54ZIVnjkV4HUOkqkFSpFQwYbUp3xV4P+VWlN5k/5yB88fmNZrXy6iLpOn3Y/u7meKOCGV4mG&#xA;zov1U7jb4hiqS2Wk6vqn/OXXniDStauNBuk0eCT65bRW87Mog05fTZLqOZOJLBthXbriqffkj5qf&#xA;yz5r1v8ALfzoEg85zXcl7DrT1H6YSUkpJzcmrhBRFFBxHEAFWxVkX/OUf/kifM3/AEY/91C3xVlX&#xA;5T/+Ss8m/wDbD03/AKhI8VeVf85Hf+TT/Jf/ALbh/wCovT8VZv8A85HaVeap+Snmi1s4zLOsENxw&#xA;UEnha3MVxIaDwSJjiqY/kjrFhqv5S+U57KVZUt9LtbObiQSs1rCsEqNToQ6HFWN+Xok1T/nJTzLr&#xA;Fk/rWej6Bb6PeSrui3c1wtx6XIbFkSP4h2OxxVCeavK+n+f/AM1vNXl6+/3ktPKtvp4f7XpXF7dt&#xA;dJMFr9pTbxMNv2cVYD+WeqeavNGi235IazBLDcaBfNH5mujXidFs3V47cPt8U0pWJaf7qFcVZL+W&#xA;PDRP+coPzD0FVEUOo2kOoQqo4oSBDJRen/LU3TwOKsC/5x7/ADR0byR+VF8LqGW71C61m5a0tYxx&#xA;Vgtpagl5SOKip7VPtksWglnnsaiObVm1kcMd9yWBTXZn1Ca6ICGeR3I6hfUJr91c6DXabxNPLGOf&#xA;Dt7xydZ2TrRg1mPMeQnv7jz+xmf5V+cYPKfm+HULsH6jPG1relRVljkKtyA/yXRSfbPNcU+CVvtf&#xA;a2jOpwGMfq5j8e59U2etaPe2Iv7S9gmsqBvrKSKYwD4tWg+nNkJgi7fO54JxlwyiRLup4D+fP5ga&#xA;ZrtxaaJpE4ubSwdpbq4jNYnmI4qEYbMEUt8Q23zB1GUSNDkHs/Z/s6eEHJMVKXIda/a8duGqwUGo&#xA;A3HgTna+zmnMNPxH+M38HgvbbWxzazgibGOPCf63M/oHves/m/5m0DV/+cb7S10y8WebTjpltdQH&#xA;4ZY3iURnkh3oSux6HNbqcE4ZyZD6iSGjTZYSxARPIB75+Vf/AJLDyh/2xNO/6hI8LIspxVg+v/kl&#xA;+VOvXbXupeWrRrx25vc2/O0lZ615F7ZomLe9a4qoaR+Q35S6TqUGp2nl6Nr+2dZbe4uZ7m7ZHQhk&#xA;ZfrMsoBUio8MVZvf6fYajZzWOoW0V3ZXC8J7adFkjdT2ZGBUj54qwy1/JD8s7MsLPS5bWByS9pBf&#xA;X8Vq1a15WyTrCRv0KYqy7StG0nSNOi03SrSKwsIV4xW1sgiRR7BKUPviqT6L+XXlPRdev9e023uI&#xA;dW1Qo2o3DXt7L65jBCeokszxtwDELVdu2Kp5qWm6fqdhPp+o28d3Y3SGK4tplDxujbFWU7EYqk+p&#xA;+QPJ+qeV7XytqGmR3Og2McMVnZOzkRLbJ6cPF+XqAouwblX3xVB6P+VPkTSdSt9TttPkmv7Ov1O4&#xA;vru7v2gqKfufrcs/pmn8tMVT/WtD0bXNOl03WLKHULCYUltrhFkQ+BowO47HqMVYnbfkj+WltEbe&#xA;HS5VsmrXTzfX7WdD1H1VpzBT24YqzOysrKxtYrOyt47W0gUJDbwoscaKOiqigKo+WKsXsvyo8jWX&#xA;mqfzZbWdxH5iul4XOo/X79pJEAUcHDTlWWka7EU2GKovzf8Alz5L84NaP5h0xLyexYPZ3SvLBcRM&#xA;CG/dzwPFKvxAGgbrirfmL8v/ACt5k0BdA1yC4vtJWnK3kvbwF+Lh19WRZhJLxZQRzY0xVHeXPLOj&#xA;+XNMh0vSI5YbC3RYreCW4uLgRxpsqoZ5JSoAPQYqlPmn8rfJHmnVrHV9dsprvUNMcSafMLy8hEDg&#xA;q3KJIZo0U1jU1A6jFWTRW0UVuLccniA40lZpWIP8zSFmb6TirCh+SP5ZJczXNrpD6e9weU8en3l7&#xA;YxOf8qG1mhiP/A4qyjy/5c0Ly7pqaZodjDp9ihLCCBQoLN9p2PVmPdjviqA0nyH5Z0nX77X7GG4T&#xA;VtT9P9IXEl7eTCb0UKRc45ZnjPpqxC/Dt2xVMLPy/otlq+oaxa2ccOp6qIRqN2oo8wt1KRcz/kKa&#xA;DFUmvPyw8k3fm7/GEljKnmQoIjqMF3d27lAnphSsMsaEcRTdcVfOX/OO/wCXGled/wApJ7e+mktm&#xA;svMFzJHPCFL8XsrUOnxVA5UU/Rjj1stPMkC7DDLpY5ogHoU9/M/8hodE0RNU8r/WLtLQMdRgmZZJ&#xA;TH19VOCp9n9oAdN+xzZ6Dtc5J8OShfL9TrtZ2aIR4oWa5vHIphTi/wBDf1zF7V7A8WRyYtpHmO/3&#xA;eb0vs97Yfl4DDqAZYx9MhzA7j3j7R5qoZCvLktPmK/d1znD2Nqga4D9n38nuI+1HZ5jxeLH7b+VW&#xA;sedR9j4j49vxzcdn+zkuISz7D+b+s/qeX7Z9uIcJhpbMj/Gdq9w5376rzZn+Xv5ReYPOkFzeRyCw&#xA;sYgRDdzozLNNX7C0INB+029OmdDq+0MenqNWe4dA8Dp9HPPcifiepQv5oflBrHlD8vdZ1PWJYZJP&#xA;XtLayNuxdGV5eUjnkEYEcFA27nNZrO0o5hGML7zbsdJoZYiZS+D6p/Kv/wAlh5Q/7Ymnf9QkeYbm&#xA;FlOKuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV86/wDOGn/ksNU/&#xA;7bc//UJa5h6j6m7Hye63Mxht5ZgjSmNGcRoKs3EV4qO5PbKYizTMmg+NNH8sa75q85nSVga31C7u&#xA;He8EiFfQBYtK7qeJASvT6O+dzlzww4uK7iBt5vJwwyy5OHkSfk9Lk/5xf1YT0j16BoN/jaB1f2+A&#xA;Mw/4bNUO3o19Jv3uw/kc/wA77Hk+q6PdeW/M8um6nCJJdOuAs0RFVkRWDAivVZEoR7HNxjyDLj4o&#xA;/wAQdZPGcc6l0L7Wso7SO0hSzRI7RUUW8cahECU+EKoAAFM4ORNm+b18QK25PIf+csv/ACT91/zG&#xA;2v8AxM5Zg+pE+T0z8q//ACWHlD/tiad/1CR5nOOWU4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FX&#xA;Yq7FXYq7FXYq7FXYq7FXYq7FXyD5H/Lj/nLDyRpMuk+XLW1tbGedrqSN5dPlJldEjLcpGY/ZiXbK&#xA;5YxI7s4ypkX1b/nNfws/v0vI+BHuZcZUv0Z/zmb9Z+tehYfWuHp+vx0r1OFa8OXXjXemHwhVb0ji&#xA;3vZV+rf85r+Fn9+l4PAj3J4yl0nlT/nLmXVv0vLp2lyaoEWMXjx6S0oVCStGIqKV6jLBYjw2eHut&#xA;rIjxcVC0x+rf85r+Fn9+l5X4Ee5s4ykfnHyH/wA5becdEfRdftrW5055ElaJZNOiPOM1U8oyrYY4&#xA;gDYQZW+m/IelXuj+R/Luk3yhL3TtMs7S6RSGCywW6RuAw2NGU7jLWsp7irsVdirsVdirsVdirsVd&#xA;irsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVf/9k=</xapGImg:image>
+    </rdf:li>
+   </rdf:Alt>
+  </xap:Thumbnails>
+ </rdf:Description>
+
+ <rdf:Description rdf:about='uuid:8aa76b3d-2474-11d9-a8a3-000393cd9a96'
+  xmlns:xapMM='http://ns.adobe.com/xap/1.0/mm/'>
+  <xapMM:DocumentID>uuid:c63b31d6-45fe-11d8-8e7c-000393cd9a96</xapMM:DocumentID>
+ </rdf:Description>
+
+ <rdf:Description rdf:about='uuid:8aa76b3d-2474-11d9-a8a3-000393cd9a96'
+  xmlns:dc='http://purl.org/dc/elements/1.1/'>
+  <dc:format>application/postscript</dc:format>
+ </rdf:Description>
+
+</rdf:RDF>
+</x:xmpmeta>
+                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <?xpacket end='w'?>
+%  &&end XMP packet marker&&
+[{ai_metadata_stream_123}
+<</Type /Metadata /Subtype /XML>>
+/PUT AI11_PDFMark5
+[/Document
+1 dict begin /Metadata {ai_metadata_stream_123} def
+currentdict end /BDC AI11_PDFMark5
+Adobe_AGM_Utils begin
+Adobe_AGM_Core/page_setup get exec
+Adobe_CoolType_Core/page_setup get exec
+Adobe_AGM_Image/page_setup get exec
+%%EndPageSetup
+Adobe_AGM_Core/AGMCORE_save save ddf
+1 -1 scale 0 -148.752 translate
+[1 0 0 1 0 0 ]  concat
+% page clip
+gsave
+newpath
+gsave % PSGState
+0 0 mo
+0 148.752 li
+254.868 148.752 li
+254.868 0 li
+clp
+[1 0 0 1 0 0 ] concat
+54.9161 147.252 mo
+1.5 147.252 li
+1.5 1.5 li
+54.9161 1.5 li
+54.9161 147.252 li
+false sop
+/0
+<<
+/Name (PANTONE 7506 C)
+/0
+[/DeviceCMYK] add_csa
+/CSA /0
+/TintMethod /Subtractive
+/TintProc null
+/MappedCSA null
+/NComponents 4
+/Components [ 0 0.05 0.15 0 ]
+>>
+add_csd
+1 /0 get_csd
+sepcs
+1 sep
+f
+7.82032 17.3956 mo
+12.9034 12.8946 20.6797 13.3624 25.1856 18.4405 cv
+29.4395 23.2481 29.1768 31.1573 24.5225 35.4014 cv
+19.4395 39.9131 11.2784 39.8477 6.76954 34.7637 cv
+2.26661 29.6758 2.73926 21.9004 7.82032 17.3956 cv
+cp
+11.7549 43.3096 mo
+12.2579 48.5938 li
+16.7979 48.8663 li
+17.9268 43.7178 li
+20.3682 43.4747 22.7608 42.7344 24.8936 41.4756 cv
+28.8946 44.7803 li
+32.2999 41.7657 li
+29.4512 37.3243 li
+30.8975 35.3721 31.9356 33.1631 32.5196 30.8428 cv
+37.9678 30.3233 li
+38.2413 25.7842 li
+33.0137 24.6417 li
+32.794 22.21 32.0909 19.837 30.8458 17.6924 cv
+34.1573 13.6866 li
+31.1416 10.2813 li
+26.8135 13.0518 li
+24.8252 11.46 22.5674 10.3506 20.1846 9.75684 cv
+19.6973 4.61329 li
+15.1592 4.34083 li
+14.0616 9.35645 li
+11.6202 9.62598 9.22754 10.4092 7.04786 11.7168 cv
+3.06153 8.42383 li
+2 9.36426 li
+2 15.0967 li
+2.42969 15.7667 li
+2.27442 15.96 2.14551 16.167 2 16.3663 cv
+2 42.168 li
+5.16114 40.1416 li
+7.12208 41.6631 9.37012 42.7315 11.7549 43.3096 cv
+/1
+<<
+/Name (PANTONE 301 C)
+/CSA /0
+/TintMethod /Subtractive
+/TintProc null
+/MappedCSA null
+/NComponents 4
+/Components [ 1 0.45 0 0.18 ]
+>>
+add_csd
+1 /1 get_csd
+sepcs
+1 sep
+f
+19.8682 23.167 mo
+21.6221 25.1495 21.9336 28.1055 19.6426 30.2452 cv
+17.7315 32.5264 13.9385 32.1124 12.1084 30.046 cv
+10.2051 27.9034 10.4053 24.626 12.5489 22.7256 cv
+14.6924 20.8213 17.9698 21.0293 19.8682 23.167 cv
+cp
+24.5225 35.4014 mo
+29.1768 31.1573 29.4395 23.2481 25.1856 18.4405 cv
+20.6797 13.3624 12.9034 12.8946 7.82032 17.3956 cv
+2.73926 21.9004 2.26661 29.6758 6.76954 34.7637 cv
+11.2784 39.8477 19.4395 39.9131 24.5225 35.4014 cv
+/2
+<<
+/Name (PANTONE 871 C)
+/CSA /0
+/TintMethod /Subtractive
+/TintProc null
+/MappedCSA null
+/NComponents 4
+/Components [ 0.3569 0.3608 0.6353 0.1882 ]
+>>
+add_csd
+1 /2 get_csd
+sepcs
+1 sep
+f
+42.0054 124.904 mo
+38.6949 132.106 29.9537 135.87 22.7505 132.561 cv
+15.5523 129.245 12.4058 120.72 15.7144 113.527 cv
+19.0259 106.334 27.5503 103.179 34.7427 106.488 cv
+41.5435 109.62 44.98 118.187 42.0054 124.904 cv
+cp
+52.1324 108.189 mo
+46.0132 109.425 li
+44.6382 106.935 42.775 104.731 40.4371 103.029 cv
+42.0914 97.1954 li
+37.271 94.9756 li
+33.9527 99.9629 li
+31.0816 99.1973 28.1519 99.0762 25.3277 99.5635 cv
+22.3921 94.2989 li
+17.4175 96.1416 li
+18.6011 102.011 li
+16.1207 103.443 13.9351 105.404 12.2232 107.825 cv
+6.41944 106.179 li
+4.2046 111.001 li
+9.19288 114.318 li
+8.42237 117.192 8.30616 120.126 8.78467 122.94 cv
+3.52295 125.882 li
+5.36475 130.86 li
+11.2349 129.672 li
+12.6656 132.151 14.6226 134.34 17.0562 136.049 cv
+15.4068 141.854 li
+20.23 144.069 li
+23.5582 139.057 li
+26.3648 139.764 29.271 139.844 32.0865 139.344 cv
+35.1089 144.747 li
+40.0816 142.907 li
+38.8687 136.883 li
+41.3609 135.473 43.5679 133.563 45.2554 131.213 cv
+51.0806 132.864 li
+53.2984 128.045 li
+48.1685 124.64 li
+48.7964 121.878 48.8687 119.031 48.4048 116.281 cv
+53.9722 113.169 li
+52.1324 108.189 li
+1 /1 get_csd
+sepcs
+1 sep
+f
+25.3804 126.851 mo
+21.3306 124.99 19.5601 120.199 21.4234 116.152 cv
+23.2847 112.103 28.0757 110.342 32.1226 112.198 cv
+35.8609 113.921 38.1509 117.934 36.23 122.414 cv
+34.9371 126.865 29.2769 128.645 25.3804 126.851 cv
+cp
+34.7427 106.488 mo
+27.5503 103.179 19.0259 106.334 15.7144 113.527 cv
+12.4058 120.72 15.5523 129.245 22.7505 132.561 cv
+29.9537 135.87 38.6949 132.106 42.0054 124.904 cv
+44.98 118.187 41.5435 109.62 34.7427 106.488 cv
+/3
+<<
+/Name (PANTONE 1805 C)
+/CSA /0
+/TintMethod /Subtractive
+/TintProc null
+/MappedCSA null
+/NComponents 4
+/Components [ 0 0.91 1 0.23 ]
+>>
+add_csd
+1 /3 get_csd
+sepcs
+1 sep
+f
+51.919 34.2159 mo
+50.1553 34.3702 48.4336 34.6612 46.7647 35.085 cv
+45.0293 31.7598 li
+41.462 32.9639 li
+42.0958 36.6563 li
+40.4815 37.3428 38.9317 38.1573 37.4639 39.085 cv
+34.7881 36.46 li
+31.7666 38.7081 li
+33.5157 42.0323 li
+32.1993 43.1778 30.9776 44.4268 29.8624 45.7686 cv
+26.5 44.0938 li
+24.3194 47.1651 li
+27.0049 49.7813 li
+26.1094 51.2696 25.3331 52.837 24.6817 54.4659 cv
+20.9756 53.917 li
+19.8526 57.5108 li
+23.2159 59.169 li
+22.8292 60.8477 22.5831 62.5772 22.4659 64.3418 cv
+18.7579 64.9659 li
+18.7999 68.7315 li
+22.5225 69.2696 li
+22.6778 71.0323 22.9639 72.7549 23.3868 74.4249 cv
+20.0635 76.1573 li
+21.2667 79.7266 li
+24.959 79.0928 li
+25.6456 80.709 26.46 82.2569 27.3887 83.7256 cv
+24.7627 86.4004 li
+27.0127 89.4219 li
+30.336 87.6729 li
+31.4795 88.9883 32.7305 90.21 34.0713 91.3243 cv
+32.3975 94.6895 li
+35.4698 96.8663 li
+38.085 94.1827 li
+39.5743 95.0782 41.1387 95.8555 42.7725 96.5069 cv
+42.2208 100.211 li
+45.8155 101.335 li
+47.4737 97.9708 li
+49.1524 98.3584 50.8799 98.6104 52.6456 98.7227 cv
+53.2696 102.43 li
+54.8282 102.401 li
+54.8282 90.2071 li
+50.5508 90.4063 47.168 89.4581 43.1543 87.2188 cv
+31.6788 80.8194 27.5655 66.3292 33.9717 54.8516 cv
+38.3282 47.044 45.9112 42.2872 54.8282 42.667 cv
+54.8282 30.4581 li
+52.4581 30.4971 li
+51.919 34.2159 li
+1 /3 get_csd
+sepcs
+1 sep
+f
+33.9717 54.8516 mo
+27.5655 66.3292 31.6788 80.8194 43.1543 87.2188 cv
+47.168 89.4581 50.5508 90.4063 54.8282 90.2071 cv
+54.8282 73.5127 li
+54.4903 73.5616 55.1485 73.5948 54.7969 73.5948 cv
+50.8213 73.5948 47.5987 70.3731 47.5987 66.3975 cv
+47.5987 62.419 50.8213 59.1944 54.7969 59.1944 cv
+55.1485 59.1944 54.4903 59.2286 54.8282 59.2764 cv
+54.8282 42.667 li
+45.9112 42.2872 38.3282 47.044 33.9717 54.8516 cv
+1 /2 get_csd
+sepcs
+1 sep
+f
+3 lw
+0 lc
+0 lj
+4 ml
+[] 0 dsh
+true sadj
+54.9161 147.252 mo
+1.5 147.252 li
+1.5 1.5 li
+54.9161 1.5 li
+54.9161 147.252 li
+cp
+0.99 0.99 0.99 1 cmyk
+@
+0 0 0 1 cmyk
+%ADOBeginSubsetFont: TrajanPro-Bold Initial
+%ADOt1write: (1.0.21)
+13 dict dup begin
+/FontType 1 def
+/FontName /TrajanPro-Bold def
+/FontInfo 7 dict dup begin
+/Notice (Copyright 2000 Adobe Systems Incorporated. All Rights Reserved.Trajan is either a registered trademark or a trademark of Adobe Systems Incorporated in the United States and/or other countries.) def
+/Weight (Bold) def
+/ItalicAngle 0 def
+/FSType 8 def
+end def
+/PaintType 0 def
+/FontMatrix [0.001 0 0 0.001 0 0] def
+/Encoding 256 array
+0 1 255 {1 index exch /.notdef put} for
+dup 67 /C put
+dup 73 /I put
+dup 83 /S put
+dup 127 /Nsmall put
+dup 128 /Tsmall put
+dup 129 /Esmall put
+dup 130 /Rsmall put
+dup 131 /Ysmall put
+dup 132 /Ssmall put
+dup 133 /Msmall put
+dup 134 /Osmall put
+dup 135 /Ismall put
+dup 136 /Usmall put
+def
+/UniqueID 45714 def
+/FontBBox {-248 -284 1528 985} def
+end
+systemdict begin
+dup /Private
+15 dict dup begin
+/|- {def} def
+/| {put} def
+/BlueValues [-17 0 750 775 638 660] def
+/OtherBlues [301 305 405 408 -261 -256 -222 -209] def
+/FamilyBlues [-17 0 750 767 638 656] def
+/FamilyOtherBlues [301 305 405 408 -273 -255 -214 -209 -252 -239] def
+/StdHW [47] def
+/StdVW [118] def
+/StemSnapH [47 55] def
+/StemSnapV [118 126] def
+/ForceBold true def
+/password 5839 def
+/MinFeature {16 16} def
+/OtherSubrs[{}{}{}{systemdict/internaldict known not{pop 3}{1183615869
+systemdict/internaldict get exec dup/startlock known{/startlock get exec}{dup
+/strtlck known{/strtlck get exec}{pop 3}ifelse}ifelse}ifelse}executeonly]def
+/Subrs 5 array
+dup 0 <1C60D8A8CC31FE2BF6E07AA3E541E2> |
+dup 1 <1C60D8A8C9C3D06D9E> |
+dup 2 <1C60D8A8C9C202D79A> |
+dup 3 <1C60D8A849> |
+dup 4 <1C60D8A8CC3674F41144B13B77> |
+def
+put
+dup /CharStrings
+14 dict dup begin
+/C <1C60D8A8C9B6D5A0DEDEC57B918D61DDFA401F5A49FEA3B89C6864173301
+6BDC674395116B42D2387AF24DF2F1DC60C61A5B6585CC0DA86F050A110B506B
+B65171C092F0636620BAA275DBDEA04B3E655EC58BDFB8B9B535650BF4DE0E82
+1C2ADFD8C9F649E0C395722C228833505318AA21D61F3D55D035246FCF9BC983
+692D83F8C9AF492468B91F4CB872C7D1953185BF38A8E7A5B72C7F51E36572D3
+718D9C26EEF5DDFAB02F3E79248875F4CA6CC06F7C289C017B388B2CFE4B85A5
+1B0090> |-
+/I <1C60D8A8C9B77771C05B04C6A1CDBDED73825D1016AD1A9F739BE3AE28A3
+2F89A16FA0ADB365C478020BF11BB9ADC332932373DC2832A2FD54E961E2B084
+4B0EB81447C317CA2A36F9297140F653C6CF38B651D9BF313FA9254650245A3A
+6E604D8E9EFFEAAF12423E3B4CFD19A9AFAFF5FC58BD3FF4189B6F8AF938C510
+BD91FB49103F7E5C2AE8440096A8B2CFB59E1B448BD934D6C96663C7ECAD3789
+1B4FEEBF9172B6A7CCC0965D9AA12297E39BBF30EB7B8F6243DD70D9185FBD81
+8CFC74B60F41E69C4533165A53D5C2FC5A9B44BA5F12F31CB79A71FA4F70F551
+E84E63E5837361F7B7736F91> |-
+/S <1C60D8A8C9B7F51B95A0DFD92CF0B9552EA2D8DB80CD668D35E3A70F4576
+D4238E8EEA2F046EF8BC16C7785D1607E04A62100A5AFF084F37B544AFC2004C
+0BC4AE1356D2B0EC8700AB99117F620401AEDDDFA69D53F0F4E5314303A9C779
+D85053ADE7DEA169C445735EBAC333F65F31A077498B479248885315A58C9DAE
+7AD6ABA3F9562E1A36EA3EA3274E191D557F04A6CB9FA3B240660C95B31FD1EC
+ACE3874E2F240022DE09CA2256274ED580EE94FBAA5793BD5F9D37682BE7C541
+ACC5EE4D95FB35149493D2CCA9BEA729ABD0DCEC9C95E902EA9DD124CA919CBA
+F3364C7699DDBE268B46D54393CC359D98EA67700B83CEF348489F1F90A16D> |-
+/Nsmall <1C60D8A8C9B6BC88BD85FE8659C453EEEB8E1BD03325A00213B3F3D
+4D450DC128DD37CC24C857B6D60D557A08CD43D812DF35B5BD6760576A63576C
+506A238602F1E6EA5D2CF18DAD28B193AFC0FA899C7F243B47EAB7B8460C0CB0
+4242476B1602C4D8E3342E27EB421C00D297126C6E43889F0137C7A1C441FC72
+2BE08EFEBABED7A59A7395971A284A820995BDAAE7D9478AB8745D9C9402C363
+B7514AFE9E3D0AF6A39663E1D555B5F7BDA2CE94F32DDC1E19216692DC849907
+7A3E6206E838004DD8DB4A986C8F31EDCAB6E6B82F722A0EF26221ADD2189144
+83D5E5F90B6CEB939F64EF523B4531C4C0B4ED4F521923EBA94C1FE7AE3B2648
+AB7B1D48BCD570F1DED35E03DBB412CF55B5989A09E378971DDF42BBC4FD1669
+7B92AE130992922E13408AB712F27D256F7305A6C6B07A0AD7C13FE23EFB63CE
+65111A1A787D3875B8B8D9507C694904CE3BA8114CCE10FF99A55> |-
+/Tsmall <1C60D8A8C9B66C0E1D18F4614EAB544F0CEC538C8C01A016933AA12
+429EBE5390D596C5F67CFF90C2108DEC0E3557EFE47A84AD0A504C83D7E8F287
+5DCBB9233950E37680119C5422B9BA74EB5E3A2AE4E2F090670CEE3CC015972E
+6CE8DF50DCD73A5ECEE824E6627364F3B83B1B73833AA7E396445D318F119C4C
+5EA2429D5B49B0EDBDDF4808A5790BF8CDC63B184CD3A9CE7C22C4D23ACC081C
+FF7BCA42342880880724EDF5A0F6F9059ADD736C441B65FC95D81D78B14BCAE7
+32E0959A4FEDBBA605D7DB559BC1CFFED39160EF11111F189C967E86115A679A
+21BB269B7452490D7C600719A2B02BE0A92DC8D7E101DFFE6011D579AD666FD2
+6352E7C3F88546D427880A3ED55A53668B9B911F227F478005846196CB2A821D
+9436A361DD997E24624546B193AD16A013BF60C83D456FEFAB524A4C3C4DAF51
+640204EE51B9A6B98D186E77DE45F4BD3696405A93E6DE14A3A251AC1EF6440B
+3F074B20C4913F3447DE56969C6BBDB2354148031166D8E9781263F94442062C
+991765ADD918972AAE466DE6B9C6E0991428CD75BCCEE> |-
+/Esmall <1C60D8A8C9B7FBE1B006E95A68A3EFE857D335EDE0BE9AEA4BE7F95
+2FA0109C6CB803A7F2B985E7BDE818880C9FD186C7136A63CCA57CEDB6AF2828
+DE38E8685BB8771E2988A810F73E0345E8908310C31FD0F7C222F54500389519
+240356E338A96366351A20F484B5651422D1A0FDAE927D548045766A19F6150D
+CC390EA0D98D6C0EC5E1C97E0B4512533CA015299550D65A6EA9A741DBD81A7F
+575EC26534A2210CD8BC3335B163A776277B6F29843653C092C384FA226EA0E5
+F40EBE1799B10828B444468B3DA053A6ABB46879088C5CDBC46D899C794B325A
+A3C97D044BB760BC39839995FB64819C682832A40321F78B99C09513B805CEC3
+996F9F6C14C0DA278CFDCC8EE83409A0C9BCAE8289E42BA209582E05976E48A0
+66222F364CA72855AA1A8DD971B9E012D88EC883F11B6B8DD1F7A3A1A193533F
+B42207516FD3B0F5443A7865F511A1795EBD587D37DBDF03F04386AD8496835A
+76A8A2EA2B1821C0A26A3284A32DDD223178AF712B0015CA9C866D881702FB56
+88AFCD83EBB5B8B70C983ADB28C933F563180B2F5D693852DE904FE07D55275B
+BF14C6F4184BD1B4A9AECA29C644CB5A0BE9622ABA21F24CFE079641418F3570
+3415A4A73F296C050FA68AD25A13C7E948BFB4A1F5816B4ED0207AE7F70F6A21
+CEF402873ACC39E699949E03BE7A042549D2AB51127EAC04572696553A61D3AD
+7A50684611A83B8CC45B07DFB59CE66FF4633DDD79F> |-
+/Rsmall <1C60D8A8C9B6232B67C2503515E3E19A361BD6B49811E165A598B41
+3BB79166E3FDF489EB666983D5C7D39CD639562A5B5DFFD54539B03730F39196
+01122BFF4EFD30EC733326ACD5E99E075E6AD0B22300446FDA3039558CE7D82F
+A6C33C70F1D07536B16D4B1DC2398D650AD9DE1FE1EEF9FC8801CF7C62691F3D
+44ABC62967E1B752BCC2F000EEC07286667F57839EF2E6B9C04C2DA9F22FCE01
+4B7A5598EA7A603107AC2DBC5AB39CAF9666BA8BD1E17DD88F1B0183C4C1C3F1
+1214AD45BA4F39EED6AE5D1943AADDA9D1EC079FB2B1E8FDACACF0141DE87287
+5FA936F561AD9761380B6FCDEE2C83C4F292D6BC0EFBBEBA1571BC78DB7E53A3
+C2355971E9941081B36BC438EEEB16D9D4B14BD1644AC5E58981D2AC452FD6A5
+580957C704505040E5A864423A1DEC798AD589C92753FF4E99FE4D12AC55E99D
+5F0AB1E5E4B10AE2F480F509E7AF89EE8CEFA0BA716FB8CEAE96307008D32070
+D365B7F6583B829884DD2FE6EB7D95965527303A93BC3BED5A9AD904DA3DA> |-
+/Ysmall <1C60D8A8C9B7CDD8BD7DBD65E184B9680768C945EF501FFBAF34DB2
+EB89B7C35DCB2E8CDE46F9D37FB471E35DF335DEED86CBC9BD25ACBBBE505717
+85D55C56B45ACC3A263ED736CAA051A570F787892A1CB6821A2FFAD018F8067C
+A681AE9EC8078E3C7AFE94C42C7FD5A558E11749ACDE333C8BDC9884D4FA3DAC
+AE8A34DD32D0843E9B8D09766739B4ABA55282A00532DD1F8B6DE1183006D340
+67C1700BABA7CDD73E0CDB5BE2DDAE32FBEED1C6D7EEEA3B5CEB4C4205571F0D
+CF1A506D8FC5DC8499A45715F34A9B98FE00C59CEE5F28BBF36D76480FA97A6C
+7DA2BD1F5844A8385287554D6A25D036C1B44B3D155C43934FF8AA5F5EFA8691
+C8A756E6E6312D494BA1468BA6D0686CD0C8B3FDB8C0351FA65E6040F976F25D
+799285A835570C29A2FB34B27E1A794353E610FC2C4A30406992C247A28AA7F6
+E944BDFAB0BBA11598F8F567A868E003F8F3944F74A873C0B590A5CBD543024C
+D6E3B83887E8B4201> |-
+/Ssmall <1C60D8A8C9B79FB048C852057885B7FB39D71FC3016435158EC7538
+3A43C835122312509B1BFED76A61F209ED65A42B34BB62984E18488BC60B5218
+01752FF5C2563FA0352A4574582BF27E08DA350B6E25230194888F1FA389A5D9
+3FBF39576DDF170A31E4F9A79349B244BDF70FC82577F5D740926CBB4F2ACA8D
+2425F341518CF5F38A11D5613BD07DDED6A6C9CC2A89D2BA18004761AD9B9FC3
+4EDA3D0BA2574B07F9B17535C3DFBDB872ECFEEFC15F4D3F7BCA04E0B730A15B
+DD0D5BCB061E10476825BE14CC3CD57D1B8CD428D2118BB782F85F1A67B39448
+980A962927A8E8DBBBF65E6278D0AFECB529564B170722C87DEFBDB> |-
+/Msmall <1C60D8A8C9B5BDB4869BB7396C2BCC7E2D035A8DDF69463A769AD1A
+A49DB431BF0660A482C35C477875AA9502C9E16D281765C1FE89158C85EF4F3E
+57125A0E615EF95AE1B7077390D7D5D6DDBA63FCBAB687625D16C58A812887A3
+BF8B333347AF25B78756DD80DFD049480BBC5CC2E60C8AAAAAEC52485278ACB4
+CB64431DB98372ED33A1281E6970D65A9DEE7B405CB6932D27F2DFA40B98C2E6
+9A163099093F74C6495CCB4C78B91CF36A00F110217924E037A2F56731347A29
+95E8AFF22D6698D628918F5A55716FEBDE556231C95D2821D1B0DE3CCFA65E60
+C9DDB56BAFC7C7328AEA86A4824D8004029A0A0834D297E9E2EE5DAE0DFFB8A2
+CC6F17A3EDC65> |-
+/Osmall <1C60D8A8C9B6AE36D8AFC06EF7691CEA7388408CB5711A90AA9C8BB
+7DF107C83E9F4C9D93C2707EED4FFD917928C910BF7966EA41381731C2EDBAD2
+707004603AE29A600E85B2D80CC1F8253013508BECCA2FDAB8779E3B7D43916A
+0E2CE1B80BB3DF3> |-
+/Ismall <1C60D8A8C9B704CCC403F91AADD9CB2F76DB90BC6EC90EF3D45C6A9
+10C33779B027A5893F399469312EDD288FF0EA2B3848F5A530D7C0162C275993
+6728784ECB91933A5B31FC0120544923268E389858466EE39EB2181D57CD3BF7
+07FB3669BB94B89A418CD729CFF5FBF8DC7045D58C25F7CB07F19116123D927E
+59434BBF93B4FE5DBF40C126B117E6B60590BBF45DA98B6DE8B19144213326F9
+87495E510476E3585AE1A21D73828E47A902A177877DAAAB4C0EE1255BEF7F14
+75F7B919B37EA781F4D15EE851B6A63CFE7192BA2E00BB3BF61621837B8C6E3E
+7AB8CE9EC58E9FFE71C29175C76E5> |-
+/Usmall <1C60D8A8C9B6ED055F5BB1EE84E1A93ADDC8E7C125E88D8FF53587C
+17D959293900B8FD46371B21619962E4E05301A5E3EA5963AEEE83B21393A2AB
+3695359695D60CA9917C3B4C055638C566E55787F9201E25FB6F1ED940BE5C4D
+321EC5E70BC368233DBA0CBD12DA827A229D0CC8A349901F7F6297A8D2B5EE1C
+32919F009B7DEC73D0710E8891AA9A0D36238E9E944FAFD91D10D63C6B88D5BD
+C3A7985808BE85B22B832353DB0C8315F69AE576B8073207A5E9FE25F5A1E4F5
+9C748E9F7D4D5B9763098CB580B40B6CD00897D0384713B624EAD8EE1E24E326
+A2BE8083CCA899DE1FAB4FB90AF9AEB63CFCC24D405FB6596CE1D598C7EFABAD
+D016781F1785ACBA6641462356572572D87FF66C89B7A4AFB38B24B24E1E7B07
+44FD561E659DB89FDAA3D90E0980DCB66> |-
+/.notdef <1C60D8A8C9B7A73DC56ED86593A26411A239A9F576A4BB06AD4079
+CBD73625AFEDCD129CE8B573E3C4C05A38ADB9D43C2E751D7FE69FF5F6F4BCAD
+D50244964753D5C819FE275F32A27920BE3EA3D1AFD957ADA922B28CD2CD8E15
+58DDDC89C143A1> |-
+end put
+end
+dup /FontName get exch definefont pop
+end
+%ADOEndSubsetFont
+/FDJFDP+TrajanPro-Bold /TrajanPro-Bold findfont def
+/FDJFDP+TrajanPro-Bold*1
+[
+67{/.notdef}repeat /C 5{/.notdef}repeat /I 9{/.notdef}repeat /S 43{/.notdef}repeat /Nsmall
+/Tsmall /Esmall /Rsmall /Ysmall /Ssmall /Msmall /Osmall /Ismall
+/Usmall 119{/.notdef}repeat
+] FDJFDP+TrajanPro-Bold nfnt
+FDJFDP+TrajanPro-Bold*1  [32 0 -0 -32 0 0 ]mfnt sfnt
+63.709 49.9312 mov
+(I) sh
+FDJFDP+TrajanPro-Bold*1  [26 0 -0 -26 0 0 ]mfnt sfnt
+78.333 49.9312 mov
+0.080658 0 128 0.288605 0 (\177\200\201) awsh
+131.874 49.9312 mov
+-1.83563 0 127 1.73947 0 (\202\177\201) awsh
+188.218 49.9312 mov
+(\200) sh
+FDJFDP+TrajanPro-Bold*1  [32 0 -0 -32 0 0 ]mfnt sfnt
+63.709 85.9316 mov
+(S) sh
+FDJFDP+TrajanPro-Bold*1  [26 0 -0 -26 0 0 ]mfnt sfnt
+81.7983 85.9316 mov
+0.213654 0 132 -0.177307 0 (\203\204\200) awsh
+127.864 85.9316 mov
+-0.0141907 0 133 0.276245 0 (\201\205\204) awsh
+FDJFDP+TrajanPro-Bold*1  [32 0 -0 -32 0 0 ]mfnt sfnt
+63.709 121.932 mov
+(C) sh
+FDJFDP+TrajanPro-Bold*1  [26 0 -0 -26 0 0 ]mfnt sfnt
+88.9883 121.932 mov
+(\206) sh
+109.841 121.932 mov
+(\177) sh
+130.882 121.932 mov
+(\204) sh
+144.271 121.932 mov
+(\206) sh
+165.124 121.932 mov
+(\202) sh
+182.77 121.932 mov
+(\200) sh
+199.487 121.932 mov
+(\207) sh
+210.59 121.932 mov
+(\210) sh
+230.869 121.932 mov
+(\205) sh
+%ADOBeginClientInjection: EndPageContent "AI11EPS"
+userdict /annotatepage 2 copy known {get exec}{pop pop} ifelse
+
+%ADOEndClientInjection: EndPageContent "AI11EPS"
+% page clip
+grestore
+grestore % PSGState
+/FDJFDP+TrajanPro-Bold*1 ufnt
+Adobe_AGM_Core/AGMCORE_save get restore
+%%PageTrailer
+[/EMC AI11_PDFMark5
+[/NamespacePop AI11_PDFMark5
+Adobe_AGM_Image/page_trailer get exec
+Adobe_CoolType_Core/page_trailer get exec
+Adobe_AGM_Core/page_trailer get exec
+currentdict Adobe_AGM_Utils eq {end} if
+%%Trailer
+Adobe_AGM_Image/doc_trailer get exec
+Adobe_CoolType_Core/doc_trailer get exec
+Adobe_AGM_Core/doc_trailer get exec
+%%EOF
+%AI9_PrintingDataEnd
+
+userdict /AI9_read_buffer 256 string put
+userdict begin
+/ai9_skip_data
+{
+	mark
+	{
+		currentfile AI9_read_buffer { readline } stopped
+		{
+		}
+		{
+			not
+			{
+				exit
+			} if
+			(%AI9_PrivateDataEnd) eq
+			{
+				exit
+			} if
+		} ifelse
+	} loop
+	cleartomark
+} def
+end
+userdict /ai9_skip_data get exec
+%AI9_PrivateDataBegin
+%!PS-Adobe-3.0 EPSF-3.0
+%%Creator: Adobe Illustrator(R) 11.0
+%%AI8_CreatorVersion: 11.0.0
+%%For: (Douglas E. Appelt) (Mad Doug Software)
+%%Title: (Alternate-ISC-logo-v2.eps)
+%%CreationDate: 10/22/04 2:51 PM
+%AI9_DataStream
+%Gb"-6CMtIYE[^blnitWj!HrIdV0lorEFGN3p=d2AK:U\*q_!hY[_$iT*gP5UX1]SSqSRQ?_'$)V>TY%qP`SMZ@PZ&5]GQS5IeD7R
+%m`Y!Qle<L>GQ7K.<ATW8Y&.3ff<4tLWP85on#ub1r+t\(\B,1VnRC\d?aFN#k'iiu,P=Jej)_iEpKp\9gP9_8n(o-NJ)9&<gtdJZ
+%c"d.Iea;XG=$QIuY#bRC]XbTMbA)*>p&6?3aPlR\_,pU'rp&CDDZ00VZam^DTYCI"bGS,pf>eC0p"$ku^->l[*"R8fVlPU'FAYD.
+%pH<]YO.ZB_I5g)6.fSi&qjT5\No0V,*'aApjM1[&?VKA;s5+k>*rNhPC\4:.?Tp^0SRbF/qI]^'n%Sf"Iau[8YhK*1=8[PW@95Bj
+%feh2g<p8L3A_Z,@b<N!cr+8s4l3l4F)ZS3.jk%=mrI?bp\bL4Cb1F/eHN2#M)10h-\l(\1c#S;^"2j?\A#s>C0m5p>Dk5X:Z"Oie
+%_>('6rT`ihmf%TV6aJF?pEP/0^\r2;05#YbIeS'\a5_%#</7$:3`Y.podN#Y[0)AgpUKKQL2Ok'].nKiG?6^6&XYr6NSe+CnDck=
+%d?+"\lhda;+2Wq^BXjUsa1jXk?iT6ap8=BiCnj_^n;[HORXgF0o\5ig-[E'j?N,`?LX9Z("VI(0Lot+`kmtfVY!5/+?ThZOh>Z`D
+%M#tCQSj(t84WKTq]6a,<n([nmj8WB5P83V<H.@$R:$^2BE;aO?4\HWk:*fbtIp=)qnf&+kpXckbGFs@1$N0&_4jiKiro)Vts74)f
+%2XP7"/X?=obK]SVO13_+fi[>!Z/=Ac38STd5'sfM!j\oF_"j]3hd,(<E.%/VlgEmCN:f-1\`U)Es5in@lK@1jd58MolVGRUn*^/k
+%p9n\jC8eaE[rSTh\+/\1&lSEE_>Bg28!D:rMsrhk/^7$3khgXInb)kR&(e;*iD*,)s5!YHLWE;hFu@_jloh"cpiZ.#*V<iiGW=Q#
+%LSsUUqshkocaR!-*[$G42:&XBs2p=ngY:Q7_j)mW8(XpCrqN+dc-Hp9ct`U0FmsSpiNI=lGIs-gY(P''K5\@3^?muXp2GP[l)AZU
+%>2om4is<'4&Sd<ci?2tu#BcPh3mRc@e':62kF`Ug#CiGuFpk^d>Bk2#Kl=D(W,jr6[thj\_UF8BI"+-&1Xoq"0D1+W8Dh:JnpT+i
+%?bp*J"_3/!:^b8g,Gjj:7.;#X^kgo%N*@Djcbc(-0AOC"i%MH*E2&Y,7.;#4%A-H(@tJn;2!Os8$cW@"U!DTsAMQKsF+Q,4Oe;i,
+%kt)dRoq)"TIA=8=cXi-4#5pe=(a&[0Q=pJ:eFXd+(jnY%(n]#+6%tnan\JSBK@/*E_dD[hPe^Y)"lk6M1lI#5"BTn6]MWVJH7nt;
+%F%6*QW'`.gS%s_I:;)FS;nqP0e?[:7eW:lO"/?ORK[IWb1huk&`Wq!e(?%32O'k<#_I'5DUT;*AbSJnUaO(q4]*3rn<s79NkCb:;
+%$UPXbVZ_5/*C67Q95oNTbDaNpW:*PUhG13%oCP3E:sXtR$(GYS#r^;M!IkB),IPuVeQ5)>Og5*b&bcUD"n*]8_:'!OK[Sm3$^B[6
+%5`Z&2n8s><oMt`<n"k3lael'-#<mtp2Z2%4oM,7ZT>%6#pdm^#=2R9LnWSF!M=0COrQI(Rca192k+D=8^58KSZe<]Rr1otMX5/e.
+%i[=]kpN.KAl),"U`6Vl[i%N>*h9-geqXLul[N?!kAp]o#p95J:So\,F?=@Y?r9HTE9mTU-eQ5>%g-7NM(++>09[hd@j04R<oEk-3
+%-+gb_TBi9Xe(0#T?,LT-W5j3fcZ0Q2*hUt'rVB#`%hO6g5O3SXf2KA`7qdIri+`$@rEW41%lg\<s*"Dnr_E.MQ-(+04mgrjg*?AU
+%A:9!kHj`mNoJ>P-UK1TF%c8k1lR(l6i1KQ.D>/ZiP77uF=:=.,l*oJ5h?SSg[%2rnj-9S%rs]G0#5Y%NI9>jRd)*Dm_=p:p6Ha4(
+%%s]7ECC]5b_C2&frY,1V!dlA`)%DM2%tN!shJ!Ad=ANrJE#?0-pjfm:H\(YXcc>jYILn%7LGPCXK7=doF?NF3Tq-Amq6356p8p]/
+%6aLY9>CE'2qW-gq0ue!MF2[/GR<gh4r$VJ.CnuOdT@cBS6UD;RUk@LYQY$S.Rs)N"S[@N^<@]lf+m.A)=s,dKjrC8s[,ZTqlJ$Q>
+%ID^&7gH`q9k)StGE/[64elI6>-HA)u?IH9bK3#J6Y3dN$<6>cP#CnF3fQ7'/b18A51>EE4/c=%\dK7XPDtQBgl"Sm!\%$3Y`+g>^
+%phb4CTn#q_5Gi]fcCeRTY4"5qE(gL_B,hStRio_GnkVgFj:;#QGL.SM!pD(QA:T_K#IUb-.^[@YnKl!DO]%%E@$]M0nJRC?TJaO/
+%[/OG4$eMo?o)eM8UH$VVn0^Oaf&iE!L-:Ue^bO'_&jB#SoZSTJ1gB+)*ZLLtcG87`T*)j!Fq4E8\oG`8B]7Fc")p\s#s\DC1H6&Z
+%^V)m<pRSgHbQ.8oc3V[ZH>8VOV"`D@n-.9Ri:D?2".%s#oN+DNk$.ZdGU'mT6QL,4qBY+@H[MF!OkpI7,gZ#I6AsAq1^9,N+OLJ_
+%0Uc_EnIin#3eBHQ$c%8\>ec#;QRRJ25F&?&^'+35b_\N[GM$P^0gZ\=Xp$HD=ZE^Y$$\,Fqge4XF^7(gSot56ST)P"8AU6<-)7,Q
+%UpuHR/l2P/J=dI!&;Q><JFf>Z5h'uT%#cI\]flh6U9K+%qklsH<82S$i^Hu'LXNQmOTH#g)t?H/7.Z$'dRL#8OCRF`K,oY:V.i/9
+%6)H_q\\OhK#AX<J#(!"L_A\h\_$Iht_&o$lkoK:[J2Uh*e2orH-12:iWjJPUNmA$PJl_8dC_*=U_XlN7E$>7.#W%%<d;S#\OOU"J
+%n_GIe2X*0mItVA3*C%6<>uFnAA(PN@jK0cnHeo(4+86'6O_)EI+eS)ToS`:0W?-MjmcVDF>)bc3-+I\o]2!?0a6sf"DnFd0hfJ5)
+%\rN<<b%g\d\Ec?:]9OH#*/jqY<sf')oNIAbi(,VmE"-s&\HEd`e#ur;-HCc+O/L?AWoJX=+t8Qi\JqCc>5l"eD!!=b>g:hX64>lD
+%i`;cm+I."DJKlOj`I80gcMO&DUHLk:Uti3!YmPSWJ0`AeoMEF;oMh?aKV!aA7%S/TP\ARfcOZbDd4]kh[C4_BbZ!$4@E+trFtD[Y
+%JjO)n0TcLpVOTL6d`BmG(5\YKJ(H7+f#5moL'QgDl\XCe\.c9Y7emMN[R1WS&E\YX*rEF$ILt,.D8b;<mf7\QK1OZDH/LojECJ]8
+%@4+0%E`(?d>n1#3d.J)-X@/Vp+ZtJ<>D"11Z@q@ATG6L%WhJZTRLR+L/Zi,iT\cg0.(BXI7/.<q!,4$e\Nu<EF3n4q#"0J0CHYl#
+%K7k$l`A-m6T]B0X!U.Vs>T$`VXDO5J0!,;0gilp_l^?ft$cOeN8]rFHV4KH5c.$C>L'c39Qq9D?s5N.7<b:f"96Sm4Uh-BT!bQ*_
+%)6Jd=AAVcj9?(SD2%"It0+Ba8Au!%A+M(pAg57on`;5,MCJ;&i^[d%`7u7'i:'%*sl]RYmg:/W;<,Z?Wa4ZcS6-aCIfKs?R(W82-
+%+c1W,jA4:hKL<^sUF*@>UUD!7#`V>hS`R7pP.&nB&VgH0O'61pfquQW9(N(dBXOB*5Nth7HqL%'4duc(9>$L^\o$7a=ck_HMh$i#
+%U_*o&d28')d7gtLiXT!2b3)f(:Ab9oS^Y\CrcHUQjV/<9iG$odb.+72JK5HUV@"4Oeu45M\0cX&'5ItAGNeXIXkBQX2E9VG?LM53
+%CKeCbhf\7%kSMSsi+KF>#h5[;'N2HH[]=0C-EtO,g$UPR"maTmgp,MlBbrA4f^kY9;[:sA&NeecGlt/b"Q*&E7Z7Idl#mijK9L`g
+%M[&hpCi6ju>86t'XOXQ4>L@2Mge2HoM:Qa0HfjEu*>RsKA^(RRNqTd2E`(FL#Rgqs3'Y"qfU3"_iutR%qi/B(m>?\$dOp0Rg=9ue
+%1l7Q7BphR9il8ne78KT,**L+Plk=.OQ)n-gb-a"AQ8"Y^VGkjii-D6&3l"rNc+5U@F732Dc=;s!*\q3aT!J>rQ3O1h"^NO:8gGY)
+%:snJ:C;h5G3n>@M^BLRTdVSQ[2EAj;efM-EmQ_a%<prkZBE`?BBc4#:UK55eIM<e:@%LN_%eQl2)tkRSYfJ#ocE1`mMC;)&77XWL
+%0[n02,iX+c8r[(E<iDK>g;"`1_J$=kpM+*KnI7)=&]%"8ViA:^+gp6j'fs3%H4VrOXW9fech-gF2?f+09bSrjX;81`e2)5b>9sNr
+%Sj\lFfNjA\DD.;``k4=5K&ZX*Cun;HO#WaeO(*0e(gW`VPUjmI$^thg\cYj0T;!oOpSlAl)4nO=LN:;O4['aCP"O-AV>@Q0$`*dc
+%n^,a"[3bTF[$M"kk\9_r;ao:Flh`A6P(k/\BA*_pqk9aLN4<(!,Lu*`ZE6PV&hZ[p7s%0J?-E.\)e)pS-epH/\=ti)io;3GAS*e9
+%?n%PAXKAnm/>LfI\tR#eh?/1hlk`mP+ma!'#U?N!`H`4nF,Y9EdX&m`,@t$_OOOi42m2)37!>F5C/LT52P*U_:0/>&4@k+Cc:K]M
+%&/;@6ABkLn]ja:]&ab)FMtV-]ng8FliDD\;5slM]i2Apple@,k#IY>CV4reK?3L8]Db,J]lU[.'TemP=,K72KG!OdQ-<VSiXf#ri
+%j*#F%*-UGqPHdQ.#0K%L2Iflj7k6Fp-G&;FpS$Kg4mWGMbTV>o/QsJFs.$Jb'Q0XfDq'AX5Ds'oGR3d,LaU%1F78@74ZEh)W3pqF
+%F]%_<J8+<)]IGmC*sg7d`SY*[qTPc-RR?_+YW`UB98(bB4[FMUmealX5O'gdT>t66M/\_\F#Yef+'r0JfDs>b>N>8L>oW4@]\cZV
+%U,PR.JR9'*ej4tgqL7/9ITO0H+;@XbU/:n2c#&GbY!;)/;VoThfae;,?)JuAT>%eH4_ps&m;G4>HRJd$]fUe7m:UG:r9""Hk3`KN
+%0)UdfI!^89nu;Iae[`kQs)RjQr-Wqi_p*2_`lfIlYQ!Pf/u4j"&(ejKs39`MotCD%Er5k2iVM^!l>hCIrl`4Lo(N[H2]n'H?V@fl
+%nrMad/#mWDX^,8H^V53tjn/**pn*mSYmrpHKoNj6`fKn*Fa9cQO6Y,&Gk@Gn^SX'DWm5acF,S:EQZlF'Np>K#\p'k9*HgHO<W,6a
+%^Vm/&jd/g<_po8^*:GOFp^S@+Qg[)M00_Z@mr)SJT9&HWZhX+;?Z'bA&!rokmK!B]I_>;KS??`or;"?"koTf*I;9oWhqrkYq&]IT
+%0-BVc4rd@"pHMq]+2[=rDXSW1*'[c4pQo6:^:F+<@hjkbh0f$G]"\+U/'6u#a4ned(L(-Up#P`4rkldODsI2m#lgO"5/7,<"#j-:
+%b*V_Ss8C.21CWilh-Y%QO8o%Tk3@X"HL/4lIs'cn#Z#l]\au#SGN4H3I]AI,]8)m9a+nn0O>u+P>^q?fJ,XQ_rckuNa]L@)n]1Y"
+%%WLM&KC@7MnUr!?a<&:PW8(4=GSeQ&nAFpK>Q]Q\TEU__9DIu9r>!T@rlb6\p(Sr%oGd8'\a&bG[3%)tLO\pW-i]dM%tGc^f9+AX
+%I.d:P3f#`/lGJ[,?TrfNW@ld07JH*I2.=KgFDamIq(7m3<hnu!6`&[<V6?lHf;^tOpX`C)O&Y/#\sYe2=!(hI5(C;\<):t2S?C`+
+%"2<Y7WS5mL,R>T.U?Ln5a"Ond>hslih->ARn8ro!Hi3.!rKVl8qJMANo#!\>s4uikVrM\r^\;)5bQ+rJrU'JD#Vu8$lMEE6a%#k%
+%l-`P@2"esZs1A<')Ya/+RU3*\h#7'Dh9V^ReXr;8@Cfc&;g7KbF8Ybc=#U]IFEr<3dF6.Rc\guf-<S)?c/TP_1>GjRg]6kiid\JP
+%](p=Dn`-Gfg^3!k/jJ1LIJEBiZ\E8QiWCkphu)gn^HNZf\6;ml)_O9$!('jHDS!LWj<+.mmY.,`GK62.X&[pHN4khJrp+h+_f=6#
+%2,q<[q#(*"5G.q&GOtbZI<#l%%=KA/Idc7nNLqI%4/dW.$,2hBs5rI%s6B(@n%O2GmHqs+l;n7ZeMe%PE.@cXXoIS)e`QkSk9!d_
+%h;-obHBhOhYG`32o):r,55PgsGId\)d#6W7??q9W>kn/DWVOF*iB9i[SpfSVk3Dp_gVDS5H1o?uh]jOB]hH0JN>J0GrrtlJld)K]
+%YUYM05DBc!U2E*fr>_9"gXrcTfDd"Jk8W.r5Mk4geC7slrq8R:2g:l.(dj/COfNuC])T.e/G.5Ol3@ibDnfOA*90HESN]?dip,8?
+%Y<G6l<g+rM1C$VrJ+GU3#cF(kRp5RahZ<7n%euODYBIt4Su]'ohM]2L]"@o`AICUpqM.6"WrBc5?h^%=g[FueIi.IEnI*'Kk_ER`
+%LM?6-Y?1EV_fjZAqr'6[@l(Q'2tl8cNh]tNN,Dm]RrLOX`r1/OCS@Wr9>YT3EVF+7k/g?`BesV(S_%*WF$2I2.FQK>4NuhJc1C;7
+%@_M<tPhj!E&$C'bGgO"XNG`dpbIF_1`bhckoj(jIl[D!ua#33S4)d_tDqDVoIXTkuRqC,e\kTpW2WJE'bT"#oD`4*PB"-H3%bl<a
+%Ctig9mC0uVgeP)Po.(Q[V/:E\^T?2?]4T[_\m<&iG2mJobr`C=ml%d0Gd6]Iqg./dgO6R"pVVIP3r$@3qt5EEhsP^crVgc7&'^fM
+%%c*iQ?#=t%_3a%dD;G#gY<?Q=!A`2Hm71<_rO&VQ^\j812sqcCl:ob(X)!$2%:1<=c/`%(gpgs%2=&6mZIq.MVp2r,pXN*PD;3?C
+%4YHcVbC+8:RrdD3OL0JhmB58tcR\X`CS5_"Fa_g5h#O!OIJ*R$hY.jn#QD/N%0sW@I-p^_ijI`\c'RI+jpQU(/,s8C97D3"3kee3
+%)STstq?()O^34Tu*`(bKn?muY0a"[L?ZU7a5O7Ca,hJ?bMZ;?Uf06_TqHDLmeKgKRM$j7Oe]EMNBB0d!,Qnhrogn@f<3VVV<%sSV
+%<NqbXeRNEL.#UV8d$>5E:fiaFd$G?3;:m*.i39sY[JL>4LGZfa`a;q`'C'&YEPa)nh&^48_7>3og>_b7IdX+_oMaW@?/Kt0Y.I'1
+%pO1qB)\2r#c/$l8aDUH$ZE660ep`arpB\D(W4N8;/e$_V4F22md36I"i/rNP!OhNkFe1K<O1'\=Qd4%]`6fQ>E$X:dl<78\cmSt3
+%GK_;HJ%Dd?aqonV6mA2J&8?bbg*)Rg8>Hn3WN1!TJOm7@UjFB8)Mtgi,$cPE*KoY1,uYpa:So1&UPG(HS/jS5Y<DM9*eo1Kq[OsS
+%#*.YHL[+@bGc6ZEp7B\.=]dJDhZ=5f-6/E)'=T?<:E6!O^-epW+Kb*orX['d)Ou#)>0@HrRACLkFpt4%g"=(kbV<4C%$H@]JY8qQ
+%&o34'0rftq'FoQ.@BXstHQI'_6QLE=:<Tp-/HhK-A(<(4g#,>Qg5JQ+gtY-Hikt81cTH9eAgS#(EnD?g\A:Y.=_JYT"#aLfY/.0X
+%pN625*ng%=Qa"<IoHJo$DAIMaT:\aG-fV618m@Cd'?])J=XFB+U%ANa]0dJ&V(g'N)J(Woj0mYaSg(KfJMEm<SnM*EERuV92^k[l
+%=G+,<b;5WDCOg8TDlFk=1n%5i@pgc[R8,8pVad1G8rWm0V,bC[PZg5Q<_TZLY['T!;kR2Y?D1Ifi<>[P(nVJI-+l^I-.E^A,m7;6
+%)qeF)g>,ndS+,/[ESKau]3X@'ou5kdU,nR`WLd*QYBFONh!3Sco36nT(06C<=O"+>j^atM9_2LjJMh3`MC1M?B[NVdcLn:)H1s+%
+%l)BH[s+QL8+.X!,U,_jmcGoGikP<rpFeHRGIck.sGjIJ9T!7f+@cR9<o=ST(S7M,:V=X<-GhbB*#.4!gB]E6Zo8IGTChot3"a,8,
+%)ipEmcgGtJokcf!F.OsYSja-\auVc7NCVcVkH$bkB/cF,3R<7(c]8=WSNBXCNCRcC6)u+B_tW'aED.2jf_`LmIZUthQM,dS><hnj
+%#K#hY0m]Mb*]Pb8eYl.0:j659`Mn/&bpa9Goer7;,ipMPA\<9)ro?XtK^9ro;QsOmR!OA^&OX8&eY1F#eQ:Y#YI+,l>A57m`7S!(
+%$i"<R/fG9#fYh5.I(k4a'a%F'0W3,[FU$BOjXSUYk>C3Hqt@m&i><UgInS*rk*5Wej<<d.7Qn=Z6/F*Qc#hpdHqN70^Vd>%aZ"3i
+%VVKeZm"/5'N!!X<_=+NkI(9#up$GO>s16W;^9p`&"L8U298N5/bVbm5/=UV;iNGlQfl*$hCTa5=m*@u#MEVMmE])uoc./5_O&s<d
+%+FT73R`mXY.p40!\;nE6q>\VUF."[_05&L?rO.$PJh+8J<%pVG4J5=">)Q,J>*FrRfMp7/_qZ[HPG^sqk6T;sjV(RaQg3ZG;kB?@
+%jV(RaQg3ZG;`:IPes8dOckpjhdJr@%"hL?7ME\NV>+oVa]:^8*<<_Bc_\M`WKW>J^cW@><TdD5B,VC!+WLSTU.I-"U.%-fCDM,O2
+%$VDcsT$2bu0Wfp:g&t-W%Jm$eUj^T`76;NBN]Mko$*HrOe5o(O'tn`'[+B0A@7?75M`)M2g,eH*ri0)6'c!'o<V>kBX+/8l4fqnt
+%]#Uu=nLE[9cX544'ae#`m]+Q^]m)..<*@&pVCJ%(CWNb>A$3A8+DC^iYm)Ws%TK>aI\YGnd[0`.4cb\NY&6<tJ*P%5;F<TqY0qA*
+%R,9"cZ?g`-qWQIrn?6aX-nh1$mSI+J0SaM,IQHVt^hJYWc=fCJ1WS=G2s6e.DRA5A<A<3eb_3CG7[n2?<!1nWkpPt\P^fK6`:=Pa
+%;&!B:EqU-69QC;CUQ*PPjPoui8@>fLJf<0)L1I_:P7@>\Z.,hpPQ0*RETcDbQGpA&J(mE^heM0Amsm8am3Yrh^iD-UcUH<+E=MG_
+%9dC[]jT?Xb3_'ifktCp'7Fr5%I&Xu(M!UW.j+j[j]DL.XkG'E3jOUfm$aBk)PVTHW+]B_hH$h)2]OE#[J^tF7VN>O#>%=d_K1D[d
+%-kE9YOXLfNDGj,aF?o,h8e_Z8>%mTG.N)F;8CS)H34-i%eW-/BS7<P_/h3WU'UV@X>o<5[W$mq]<5bM2S*AK;X<ogKANG$][^Iqi
+%H=kU9coPG>mZJVMKDfgK+OiYLFg_u6)A6fC<RB)jh2M"^V37\?=K70+-*.H0UQdF=0_VehMKVIp1m4t<m#@#a(,rljKNEkn8$Y;G
+%__S\2#3[D4RU%U9pU!_S#&2d^RWpX11W'QZdq#$S^:61Ab^9oX<h-dJ_YWUZgj;s_CQ8%@eT2I+C!Tq[SQS6[KpCAUf4qt-Ot>20
+%bPC<lHC"5homX]U59.=$hg*&PnH.Qm5sKXG5Bt$%H)tlnp&<kaJt5sO2Z=l_+.dj)K@_)(heKL$G6e/>SU]P:^Xql8b'.=eS`tR#
+%>2Ql:Hgi'3^"bYRQ-I3"[glJNoC0r*_c>APr,V+B[CFQS6L/T%c,4iL4kW)gPMMF>@;Gbf]s:7IDl9(9D:gBYQnQ]m[ql_$bNp9o
+%>:&%Z7.g:E2j1plFYaEhO9:Z>ib^iT1^@1G+4%7,<A1WJBYK&8b\XLZ]r\?%YA3<[QX6r5(]KN7dd)dRKIY'AU'Zs9<0^"RdMel+
+%Vb696iq?R_cUsS%E%UVJ)N`kKLsi*#YeQOqoSPh=dCW'L\o=2[S@SJGG]H4`Y3<JD?<bfcCQ3_b+n(k^E(RGSOGeBJ<Zs/#A7ol3
+%aOC^$\*T3eD-=8L,Em2MqFnur7TPOqjEY.<6N%4&JdadIA:]).]sbuh2lrNX!\%Z;PVmVPIR\W\LFgmR<2]lLa=@eB0DDCtP4H+K
+%cFIQ[E^gO"Z2Qa+-gd%cG,S"'\tR,\[f\.i463SLepl;mB,td/'PE0l`R_G1^LI'O/aZ+67O]a+0^b,o;(0:8MSghR=X7$?.Rprs
+%Otk,!-llmn1^_;P,/YI:P`nsBZE.$R1<N7PQr.IM4k2%'bpYTIlkJ\%j_'gN,"$ts,ro-4>SAZX(qW2)MEHk229Jm\W_oo?WZYJ6
+%\46!,"Dl_@NA<Eg;i!qtm)+,rr@F6!EK-uEM[am4;,qP>iN>&<l7FpL[7400`J2"UW2d>ZE)62^4l7S9J3g?cZ&<:(_VpN9E:j9.
+%Y7sX%;jJIeF+pC@JT<S3&$EC[bq$cYLWIaU0<Z$q^<F]eO&pnbLli&]D_`rZ9t9sB&$I/b:H5lRn(f5d46,04Ec9pmLQ$G\'Ab=2
+%HUp,?b."-7EJ7H,G0l6L<.L8uhh`*Wm]K'P$9CYrlPi"?o\)=Zr#W%6^(V"41StZ-XLW<BdC8*X0t#/ZimFd?`J-E9Kb;7Tk?&]'
+%E-6U+B/hUmr9'Oe`Q%Zgb=p.oX1)2CC7\P@`A1B``9Jq?R@5N&?g,4`c@d5kmIRb1T6+)U1AN7up%g#$)P#[HWnsbLEeEuLY:;%n
+%qun241b*_j'sHPC<#K&=g`,JaX'NCkXU8ji_t%AdQO818<T_Y-Eb[Yui+-)`.dcc%Y2RT9SY-U>W%.Cq>4RYVp63@qdO.)h51P@b
+%HC\tSDVD'rk?F4@L9&r%<oq>ll?0g@\Oj;W?8u2(o9V!]mM4>PfYj9NSc9A)pA^(nH&W)(RIa(RLtdjr0/2Qj?FI[k,2u0qp$>2o
+%8M#?kO&^Gm71EE2h'ZRJR(Ki@r^So'bJ),8iP56cT@P,&P[:VB.]o;B[u'("X/G6"@Q<B4WHt$NNjsD8hBmt%Y+DZF`GhU]q6f0M
+%<n"'TlUbYFXm3=Q797m;Sen:"\>E9>:#^`&BiQf^4L!n.qj=1/<)7dE5C-!l;k@'UEQ$#UYtEVkq5T<i>PY[Vj9dE<C2qAgQr!.e
+%:K;?l0429R6:UlPEW2hMaX\('k:E'[f/[.,PoI[)K86&4@Jmcl]Y4dfI]e1s)gfrp=4%NOVM;LnRN:aSlsYr.cCVdu,fciBZ;-=(
+%<P=Z?>1BV<XfU!G?<(oTSJLmuH7S<gW)qMR=f94u?.$O`_DU/6#%#djkXl%pfm,#8?_"<SHSfUY#?=438^'5Sj'40NVoEZbs2#ga
+%2$>#n;7CVL(:D&L8Q1['m%Q.[YM2'=Mh4?9YhW63T[[X4JBl]>G+&V$37bF8Tpn&@krCh(h]?]#6W1Q]*'aA49($)^.tjGV?.^0m
+%F`^NKPE"2(kuom/bB@Z?SZ17[-Mkr.N:t)++`+<!Pj?2fS7?(o'i^1(8phId)`;N-MC1d`AWWJ34VLD/BL#Ip_KKYK.W(PfA</S8
+%OG\77m#C_]_a4"1cURIX)nqqQm!bs[HblF^4_Dis$).dY-GM#=ONF\3nLErM`#mDSbI]"Bb255Pb@j6*2D:Aoa\5BNAjVf]i,"eR
+%3A<*R[0T:n_0C)JFh.^X?6;b0/jZPi7oH6Xd-CGKn'6Z6"oVM87BoE]fNt4,iX@".5\IB#8TCadH#[q<S2n+UC1go8mRmsYE5n&Z
+%MJe^jUqB#;E.oA_bH[Qd,nA,WR%/tsQ^:t'[oU8Z]_mRkpatOnGMn2L7U(",_De#lkS\*0QEit[-G`oqi!F<W0e+:(2T[$t<K]P%
+%11%[tY"Ku5$L.Ku10k6l=$l<#ZWoW?G4F>sQ)@h=Cp]Xj="?eBjZ*Y\HWRV:SA:M^(31$5>7Q=5Pm"?<./]OYe&(e8Y^-)VlYZT"
+%A-;Z;%H/#.pP+Fl@BSJ<&3e^r>8k@-qe,7shD<oq]Q]d,PkQm#A)>DAT:r.tlUr*#/auT[7<:XRJr=`N3T[i9jek+/%6W0OBim6?
+%)=)f)kB'dmYJH?R-SO(7j?!"P<-bekY=],2-j'Q!JoGQ/.rEMUO9M=B?Bpi;/`t_)LW6LM<U\45@KXHn"WPBKkHV(pYWl(N=UY+^
+%j7-`hrV6X2F2Q]q/V$l;=l6u2VBnh`nV3Htesi\,dDoaf#SLM8,Y.j3=p:t)3q>Mc.TiNZ6/?b4Mp:NgIUp-lh+=?]"_k(P>$sjr
+%ahC)/CkpEj%@^i<fER^RaXBeo=Ye3aBi^2!EVDQIB.IJdIEY7:D`U%q[mc#D[X-,m>JT[,QYMS-P])nQK-Y,QFt)n^,-=J<GWgWp
+%>GTMe^MX_6cq%EkJ>)]X`\\73jKVQ\_3"Z+UUP^6gZ>(QLfZ7iN!X]S)J<759pRkX/%'4K/]FSAQa3<!_Q/>oi<3+B"6gdr1_)t6
+%eBGUl/AR)O\6=^$=bs]KYa\PK%>We>@N=Oo)i:EHF%-F1&AaJgRuiunKkj`@7#P!S`cG4O8D"083!(AYp!ADge;RAb)R.`WW"\b+
+%et+k"`*H'#(]1Jj[%):i?peKF0)u;[UUpMS?gUaU^87nl/N#GF(K94i<'L!`MTk$\pVV]W5#p?d6)3Q#GJf+R[(_ilA)/1FQnCK]
+%\lEN9>l9nP3c;"c]Pc4n8qf'.@-u?-]$FD-<jCjKC=F>DDm)pV&$$e^a=C.k;;<V"0cef4Xinb4_[:]^Fd='7$aH^adTE6h')4bX
+%0SD`5jIj<T6CaWG*+:ZDJ[oj@9O[f(;s5%XnTG4GfMmP)CE6kIo^^H[((m=DS&d,DWpgNF$OaE7F,i8&AU2JiX,72i+1\t\>ns!%
+%nXOASG?&:i*+*_d`T$.D=+u.*Hf'GRjI+UU4j9N9@J,?]+*2(`=(Z2p/2uTe#"J=)H\3%#dBlldV.'j:>4jd&guJ7=HHB#$k8#Z"
+%o5^,;U.(QCB=57=_@fY1H$%056D=q.FJt?>c-KY6)&Zt/0Q)KbcSf#I^=M8+,D0UB4J\tt*=Y4''i%`^amhi+\0Ope9_ZVoA@6]n
+%YBYt+\e0EMI'(:4k8MV(&l'(M;;cb_8IC4fIN4b8Z[4m56ZJeb=f))nIGqJW/U+2$W)RpLHeAOj0m[&2BbnCm$DH;L)@P.n\-ftE
+%V9jdV_e83]j"b2$e<1>XamV*Rad]<g@9`<F4WA6,)rWOM^mLr?k]HZPjTG]IWD$m0b+)$QP:%M%,aG?F<gcGj&]@WOlRWbO-R4^P
+%"Qtp[m$!YhBf^i+8OkI6Bhk'DV3G+1.1&[GJgt/4^o(hBPbHI+?d9mA"(>6D2"B.["jZNr]]c0.?VXc"mlP+BnPcK!a&nsMF>*qb
+%`j=cgcDkNJ=nMp\K<"9dY]sVWaZh.E_,hr.3BP@!a*p%nOIoSh'C\G_SEQ*a<,-'.W&Z+^92Bm/;`oa;r+HIBBZ4ocoG653RcnjZ
+%DRf2OlbJnI3E<7%3*5JZ:Y&sa(n4[s<]s?EX@_(+?KG\cq[;#"3krjIQ,5O9f'695p,,kl&(H3)#>4qV>*U''\K^1;OK$)_MRf+"
+%9)cM'fO/aS[DLk3I#9+<$_8\hU>RbOpaS*-D'f40Z5YDh.To`-+@8p>KM`]6$,dJYX,q+'P0*./Tn%/%?p"a7@N":Eq1%Ai5M7Qj
+%_O5n+g+f5qUq_0"hgQTlpqu_%eDYlQ?p@_lF8b*dIUYO9ZVJWP,F01OL<SW+dl"=;[cFm8g[0@gC5iUT2B7A'LSI[[$XO<2F`Jl[
+%?F3JE:&,,tEX+cP[H=kfb=ACPHsCEYS9Ui*2psl`_6GD2Qq]\R1U#Hd(Y1R]<f-Qdg$a(*^UWLs>!:k>Hp3@cn5C'Z?Dp<l6K5bA
+%pb*ol$]4mMikLTM0-pN)M>op%^QA4D,lZCAnKd-G=TZ22U?g/Z-Tcu>IYAYGbKe75q<RARY%UUMl<lP+VGL<I2mQR"Mu%Ac9ROY\
+%D"Vs0CLJjhXOb.O;ZfL#I%.BfNh-+"bVQ`\=`qe,G.V?-)@tTg.e66+>ou6jBB#-L-n7L7l\83n,<!`Cn1h8OkF-Vdg'U@,1$=O/
+%nr;/Y4==e5&M)`--E*H^[q@0ZbA;mEL+W#[Nd8!Nl&e!6KH:]>?8Kpai%F=JE:,k#HkdJXS`\D@fV:D'q("AuZL]QPl_Ohn5/"cX
+%8kRjk[A@0`g@J-**UK[5mb<V9mYAaCY-%,$GE4,'BZn!tr56mr.\,oql.9lE7J9\Yh_sfd8t.?:]oot:"Xgd:gg5nO10@=2npH]s
+%(YNsd^9:OYI\dOhi@Yp[',BtV]l9#_O&;uf6o'm0P6C`YB+UC"iKP#"W&V7a`iF+uX&<9(/Cd]7d'?4GFPJXe";[5USHE+LL@XKD
+%;GFi-JKD#oK>V?ecLF(dGN$,VbZ]Fr4uo0#0k?!Y/JEoU3#=G7R:e^/6JY_B&8cD[U,?-fY>7a^f1r"2P\SP6WdB0>W.bGJS(fFe
+%kQ<kogITK'<GrgJ$'C*`Qr4JtBD%Q>"bCr"D\_5j'-\n=#@KGU2\Nf;#^Xl<f!+J5&#kgFWBuk`66'skLD?pte'b6sYA<OJ[ZT*W
+%'pc>n!d@,1/?WrU2=A"TDRI"$V.10_At?QHb2kKu<ES6YGj%=ogW#Lq+2UIeYb#u?fVfd\h9a7`*p6fX5k7UF8+J%(RB"P5HQB0T
+%MQFB^Nq%R)f_AYrITuH)ISspl^T(f5RmiiKl)I_<C!U@hHh+.6ia5Xg#G[V4!B*,2<U+,e='ei(F]L'8HKFg'8-'C]12hb9Thrt-
+%,KFE)ljucYf''b&"oEl'%Q7cXW/Tt+bQ_T;&=^KQC^+t%+s?R\@k4M1<8]2548bP2'M>[@@U]1dEtlc[\;I!t'+0>C?!IPDN^HUb
+%Po&HN;&48l_["I%(j5ZJU@%WA:J\'qA,\W4E@Nh2W11qma6UH7TF=8?1-k&+&1G]ahYQ*$]*_=!FB,lprpj(3o4BXqniq?cSoBCU
+%C:j,EH,?u7YK@Qh-X?8RX%M@bc<Y^_'f%+U-mtAPe?,5\bEZjgE%ffQk5*l]9pLCf3^*^Qa4I."G,=E6,R1_UhWGN)].lM5:5@Y[
+%B\U?_UU*=6V1$eF.m<Q!f14rEOf)tYSNcnK:OIoq;"9\Anbc>QXkoE^%ir]q9u8c>ms5`.0[a>:*Dhkf9a"gHP3d+KUIQh.e_>hj
+%&,YYZ&qSEHZ?j^\%j9)r\'4gOiiIJ%b#4_hrd*_bs#CND_,Sa@:OM7"T@@8CbWb8Bm=]#r&oA@YMI.^b`sDFeoNI:hmht\Ub2sSj
+%d%_kfLq"p4nRG2U'?ocsQ:WrWI(]'pRp3PEa2X[A%t(6;L6hQOE3B:pM.i6&c_:%2W`YLl&VddO*:H8=S:b>2NB2s2+*[mK`*UWT
+%3H1#\ZBs+O<H6saMENKd>Mcg@n;5S/hS=*CTf@&9rlB*VP#%pX3/pAM@JgRgo&BfO^e%T#*7hl7m:$`hiK^0_*=orp?6pb7&f.AI
+%j'%HlN59KH+K%Tf-qKBEl'4e"F]pH#c<k\1o5^p.os,7&QXbHDQ_!WY*:$P:m"FQ`=J+k)a75Zm(LNI!`KR7tT>RP`Wkn^^L%4sC
+%duChn1@!It2SgS[B\eR;p#@7H\Vo;hZcYK'[/(K/6OVh41@s%FASjBV\uA_7HV^_=$h9pG2oCg40A-/t'7(+:[b@dJhc"7^4lsC>
+%A5n<U_/GMs32d#2Ji`qA6D*]]TiuCngVsn&6`S8/-4($DYeVVG/;QsEo'55iY*Ig'8@FC10r1G4I_P;r2A]([$Ph.c[qt*X=.H1n
+%J'&h?<94m$/).mL-S!f3c;o9%%f``m%p,gVc'P1qh=s4A(!K,+1oT7#F@<jgCs]2_9.ie$JQW3_FcG[Te5\Khq!A-k'oc3H&(aQd
+%16Y\a:Wq8caN76.iqZ<Z$fp=3ani$/FE#1IN^cKlZ$PKHLpP,Cj)i$'4Q:bQ;SDK\inWru^$\#BI)/^ojud+2E[jr$:<Pl#*;hkX
+%I`S[aj:5186R>l[ba/j(`*9an#&^_pgSml]ajr&=]qG(jo3jD#$NB]OU[1LHB1CQ4!I@t.5EtknML.ltbcMO-V6ZUm8m'WC)j<i'
+%s.'#S$`Ck,c?Ll>PT?SV/lB<u0f'-VW6R/Xjce11%o:N4RsFj=1Ol7]B(?%:?>uS8=g1j5:c`eSce/Ea98E4'oba;F[-`E#kH;ZI
+%Pc)Kl<HJ-h:KY-,B1*:n)Ge0?Cc34B9&GJ0AMKV1-<t>m!Pt6:<O*8MG9]H:S?O.K2^RJ'7,4:<)\eZtWgJ47P\[:`<lu\MZDjTk
+%Bqf'GW)=rjPP#5&5)VFmnpF3/e4j)7VCM+_.6/fB;X9TKp#H+(kIS=b^'j.deQ_IRJGN3Xjh;,$5Lj!+]7B`V^#cs9W'AgJc>5Lb
+%5SG[WB9,&64,@'Vj^1l:?$%mllTtM.bO`JJ5p'u(UG3tR6HRP2bUVh#4*55LB\5Nmp^g5H0@!PYi21fD\1&kVcI29UI_:+hrkEnJ
+%H1h.a^Ud*VIB11#g%3e.T9?=KRPcS$'.U4>5")c(NE*K!'X$<\\,\8k=)W:f!#^Kkf3!`"7cEVi<oK3=\14$nMQF?U(9CEp96=M)
+%@$!E:a1=sP)8X#mD-)5V`E+u&H_j\'eGk-=^E@M&M'#73k90XG')R:LIt)\>c2I>&_tEC-J+GT+\+LQfmm"WI*I[P(e\f;prmi=m
+%qYk`IqSSXA4Jmm`=&!a5:L1"bPCJ><p[S]af0d7MkF_;<+8inRjpV3pl;t`)rTR\TeH[Z*k<FJj0s.%ObS7ca$gDe=HF>LkIZ*c4
+%r<_BZ2'ib8JVqkerU/Ci:SINboKMY70E"PenrE@]53JcIn7-tip$i+X+rp:gCrFSSh.n#o3k>\p%Pr:+SM+0M4,1%a]'u0P%/6@Y
+%go;AJ`hDd#':_oV\CD@dJ[2kbZ50Kch%4M&\Y8nOmsP`:Om/TWC'W#7DOTK@j4o]rEV9`-^M;`&*oIk9#9,*rl<3;_^,&M#FZ5@X
+%B7_]T\;+\6B__S?J#7!7I+9[1FT^7[ICXiE\8TkQ>W,7ldocK.gr;%DmudMAe2Q_eW5F&VpR\hRGi4#j"Tg[CTa*ic"<^'UiMh89
+%5T<l11^5Lse_NjU%eh25NTUN7]f*s8_>+2Jd`M5Kk1AL7cJq2-%GrB53]cCqauV`pc?H[?(Of(4Y<!Lp1Va#"?A3=e4ahP%_gr-m
+%HniJHp(Opi?h>C0_nCeH..`OT_lT\oWOj#FngM.`JoPoR^.8#T[2s^$Z]`$,Ho3n^T#m\?^o]V=N^^)#__7^75*BGXqu283Y2pS(
+%05]]cPFrd&ecVk=<qQ;D)gn%eHpPCTFlnV8H)2MK^$ri7H5bc!Zfb3TItYKQO-^t2&BF]9E+jt2E*'u_*">h'/YKC<pP^*;OA$cI
+%6Zsd(bfD^jmii-i+oAP`Z6ooK7fWI=mLa7hF^B[C1C./4)[:[#[O9O>&Ki8+#PY=p^P7!ESc=m+@h_N(Vt>SB'6tru"7_h>kJSCI
+%<>StFc`W?'C19LIlqKPE.^h&kjre4tZacC^C&sr*N47kETGWD;$;=PZp*_d'KQ%$+Y07mp'^S[B-(XKaLa>jjd-j"P3=fu%n)N'd
+%0_X'^]94LgYIr`T<q70dle-&g1j7ch="+1'>OW#64^uqAYMR18ojt:B3O`G`"gT+1&#Q)KX."9L$q%Bfl.6Y>dmYhQZ")F>VhCa;
+%.Rp(7H!?HR4P15MmsMGM%0&pqR+'4'b;RWj4$BsW@]Wj1-eUa:+Nc7ZE&l)FEt%aEQj=d<O=PdaJr^!B;!o"lNe*XHqr:<&n:Pkt
+%Y=fRDfoK]?q7IsdB-t#?mg?k:LouatOmURg%6\gf%dV?c"*cBlb"O!j,aQiJ@n+>>/41q<pu<7b[:/`:E_;ge16=,[qV]*ZD,)md
+%1(?oGe&+>K(@[=grq@<_:lHcY#"Z\-qZJ1n\A2<6$h<Km%3Naj$tC.t/nhs.h>9V]h5?-'K*jHBg:)M\JX?YfKdHfjd)UJL!@DA6
+%kW"+iT_!DG2hMSsN'Z?jB;P'Jmc<o]JM,Kt!!$-#XrN@&=Y@eo<\68m6*2Y`'&c_8J=TmWnJ:n\kug_fR&iJFQCBrH"-@sphTsKJ
+%#&s$tiHS_UKQmsQg5'mk^2@=Fld!]:M:IC@"C!-"+Gh+32I6b%"1&,jXb%dr"JJ4Q4P-M[=J.'oD`PYB`tlJcSq(K\T\#7Q#/AY$
+%EZ`GmNmSRic:qlc(4^<N-NfML:-)G)fg*iqTT9KAYe2o*F-7_7=dJW9eEMaBAK>Ii!0*+d+Pb8&merBm,P+<GH<)HVOmaZ!,3Y)n
+%,#_tCUfM2Uq.j$OV$1s*;:3<c#)p*iBnZA$i:#JA*q>'.c-R[e4YdVAcfFs`S]b+b/6#aU9DG5mRjGoj4ZDk\#+='S$M=iZmh,bc
+%HVHiTDmkDE"+p]J"!,aLFTdD9kQ&6,ejC.;I$<k!RpGEJWj#/"&((T')ONe:EBFM"BX=e`fWh!G/7gr00pQFRK+k!dKV1mo/PkA>
+%+>O]TdO!*t!Mfa;@4'9u&b`%K@N]C*Cra_O9::`M6AA?S$h&N\\dCqo?=5[\Bo3*P44QG*4g(X>^&8@akrbMhL=IO/.]BIM[EV\.
+%P'U@U0ggL0Oa805cm+R;.;ig<0)IpO;i)0abf]K3MmsP51ZU2#a>q43=B*lcM`NT25kjb@r<>6SkU)jeTqg5ijhC2(rM9a1']]@q
+%5^i+?Y$Vu#:XrJkiV$A321aN";4h:\Gj]2p8epnB32iPBcsWI+Du6e^JJ*8GaQO7J^ip+p6mCj2psaO<;YQS7coJC_Lbd<pV5c$o
+%<NT<%=;d;X;:`Mu!X*?@+"-?d;C-bA8lad,igXJ!?`+q3lb'"@H*.%!!EoJn!KmXt!pJ'C0GDDdi$luGeDK:a7/2_UmlDdF;,hpG
+%4%(+3h_sN!Z64Fm9%>EuDI@&V>'N?,&#P-8+IH<K'@RqhAT)*h?]^8\P)W76W"d@06C!XsV7.(/6LUTSXtfJ63!U3'pJ$jU0W[%U
+%JVE'2mn.[Q\s0X0M_8QmgsuO5[$#c2L!R7]n7fQ(,,9niJRt0]>Z`?<'0jnR7DnsXZmjtK?r%k-[hT3R;_OWN*ESur$q>Tp,7=e8
+%0!$NF7B?jgT%3mC9-e.PUu@sm-HkDFT.V#^UkfiecCk8N@#"E3/nG6\f.am9"%3=WN=+Z,3`#DM<E]$(fh7_:Bo!XGRa+*o8sql6
+%Pg1*AD9$5-SkO6m^a%qPQ@fn0EDDe)A0BrF8]?ij7W-dFC.tQP1TRHf@.tU[l$s]-i.j(3@hGCiUbbPE^tTLZ0l3i)\PPSE>qG0*
+%(8ASR%4(i9MS+Rl>Z30k881c[fHe(%ZU`*@=jUC^n>qjsn-O61h")Stf*gtB2PUH[\#=\8ZWC2dXr1(+##*$B19[O^Ng9Z!`XWj<
+%J;^ga*9Zn<g3h<E5mIct`sWik:ka8P0.rakMmi:dpPMVuG]l'ml0b;$oA0`?5__>46TNK*6Wp^09sjLO_fm?mFj5A<55T>C['A/.
+%S-P-6@hXg-ZU^)p2\XTK3(9LpM2>sK*<Og8CbeMIqGSI`P+.[[H(i"I.T5IDh"l/KoEi,=$b$=6"$E[,WtqjDYRT4oGe67Kf^Q8;
+%U=lDXH"/^#&W8sZ/G&^4#E?*s+,n6UcYL,u%g+QfZ*e\FFBPu*C1CtoqU,Gd?n'(N"l";iX&&)"$XebH`9orh4\!"sqh1obXho!*
+%Rpg+bdXO@U\'-PsAc_9sbd<aA_JWl8[<CGjD4$EMS5#+21op`3F_EI#)2"*W2jM`B5u!9K"mkr!I%$,sAd?\6cPB5trA5&(.C$3k
+%B=0G`--Mgdgt=Q-HSPD(irU+k\UcYN-7Ef1inBq'4H6WOgo3GEqi6jQ*FWf'fD[)nJF/-ZB43@8V'pWAML3FUQ(cS=(T!kCaH7cG
+%'?$"F=!c.+R;9fg$WJmB*cJkQN-ids.."@nEA(PNME:cCm@l`M[Zqj5$ek/b<FAY)rr@_L.%1Co4js[a;BeJJn:\Uo(n,#^L*[U[
+%VX:c/<GCNfD"8h/NA?#*=Nq&2;?^8%(e5unB1A!P0?`4tYe\=+/JHBb)S-+=Knn;I[t2Vm0Z8JA(-us\ilMWf&X:tnRCQ%#Amnm.
+%PjPt$=Ad)64O<T:nl.4*O$\fZ^_=jEH_:`Ll@jP9VK/jG1fRmOn)d#<J_R>q'0-74TOo6t*:&>Y<RIZn;,quS'31mp;H60ROapPD
+%PVUW7rHnLU:Z5WL>>uKo'h*0Y_d^_P:"1+hB:Qf9NR\tM$B!CDV!?\SHe41)1Z3ilgdT^lZr8c^m*n-tK+t4Em;*Z1nZ9(RJjUVR
+%`)*A3Y[87C!BHQ@^FgFh%g>]ePXSRhmPMZ!]k2%X7Vp>e'5=BN.go,\n+*!EIYGf1YiM;K;6_B@'rh\?8,*eESrfu?Z7$gCAPkXe
+%b6;CCZ!\@Vgl"X@0pGm0q@Xqt`+Fk25d/DbI2UZl!]\!V3CZc9@r"Yi9Mt#LfKm;.MhNHNc&HDf`g5<:=<[7=l1uPQ7,TL$#+J%s
+%UU<W2K;C;:g537o:dPq0log^eS-t;3pT0'.WWLj:7>$hUS<T<X#&Ace!gkiA=9D"n@-9@;K3;A.;SjW?,mA9u78bJ<$G<^`?PDRk
+%E?*Q*huUcDetf+h^t6/&c01WrP6-rZd\J^.S^Sa![n^@/**B%GUa9Vgq/OEV$iHN@4f6phi3V"+ouJ_,1?]Gqbe,j-Kp,\28)@u`
+%D`53F5;MT*W.:[BA#HId]r\FA'OZVh#$E/:F)#6"m']L_b&^\:VoikD^VU[hp0u_$i^bc8[-La,P/;NUdA;$W/7Y-rLXq%,eSAV7
+%m%ZM=@9U;4ATaf.R^uWYp):\Ml^)tLGF/8TNVi1--Yh$l^j:o@D\D)MU@%Et,or1*!XQTD!5R0[^O"r&l-(LO"Ls/RbIUPF8ZAo%
+%c2=,(^UE=&7&I?lX3=#L\kjr<V2S]W>C&q4[L0Ad:Y=^5HXJ/35D*M1]jRnk^6i7LG[==#aA\b'CrP)p#I?Kh_J+r&O3inVWn?ob
+%@#MX1AL@r=?"E7-#C7d!'[%K[WV$tV'+U8"^.G[g//t(_`JXCBm'&P!U@aJ,K<7Jm"_*72#@!%E'8LePMQCjXFrfh_&r-P6WQjcr
+%N(FkEMF3dtDt[F5b2t.'%p]b-?F,Vf`c3ETL;]J#HZU6boL7<H^.KB&$qEC!bD=i^?2u1poaEY$;&H=m'.?+YT0Se\D1In^'>)$'
+%Xk<9`=HqWkju%mXJIrfj-H5C;pR+$a@b29M\XJ6Q,)jX4$K40H-F$k)L;\Q2CUD594cuS4oJBsU_</6k.=8d^qK$1-NZ9mOaKZ04
+%-ko_o1SKceG.7PZapAXI'5VC\.Rr$(A(Zfo]iVuqjh^@G>*_^@J7Cs%":5e4bMloiUDY+W>gI*B%(ue41,N(,b6%(.[(Sa(I`N/>
+%+Wuma%KW%/0He/'%$H-(bcR<4Lb@e^/N`bU<@7KLYc$uF68-bNQ:B7q*r$?p&LNOU,f4tn]L@np_^)#e$'SIVZ4ma"P3.R:E8=>W
+%JQU3PCt0Z94=ASbVW2n6EO'\j<Bj3oag/i3/LSd[D,)V>\1plDNDlNo0W7;LMNg[<&jIu\81!WI`*4_i$3H@q.P;;7Lu8mhcq78p
+%R^Je"T2rE%=X\eP'PNJ2'p>RJm>.o]V^<l/-2/AeZ]d"OY\JtIEA,SqEXnH]YQknV4VG6b9\bd]`%<t_[j5f]gsQ6i>1SnCVS`6M
+%%'^(;5dE0u6FKf?2>GO<40UMn%fim8/9;-@8M$cBk!kJC=cSdKq5i;mWfHFq1Of"iE/4C15Zr1ZOUZ7Y8:jW(Tf<MVK#E9FBuBd-
+%:uTcVL_;1V>mMkc,aJ.,f,bL5FX,iU25#haJ#ETor_2;nTFANE-1\!HeL?.mKn<iG>Sr'RlA5XbN'8_G+.:b6>]\GgUt)`sZ'$F7
+%@Wk)t">9Hhf5o[+P:i(jTULOKN!1[6"(d+Xrn=(.^c2QS%G2*]q>?2I["KQ^Re]:+ii!`uP=UIt7=L&X$8@TM.17E?'c,Sd9;,W,
+%MA_WdD^kG"p9lY%a&F2?)\#XA1og>1@K8nAk3WbYA@pPUWE#m'&1,Mr_L`,cqBQs]mlac5)?Xln9i-1@kXWDr7_Jru%n_baO'9CI
+%_,*RtOgC;co)Ua!hCE:@Mf/[/o(ereg*&k<:k<l)FA8094i^"%#$%I;;fbnIW^u<;m0lsV_("DId<\h#=[Jp:OI@fM29![/fM[hs
+%/X+GhE045rK]sX&VIn('7)[a:Sl^fT&LE9fFRTop%.S:q1lF[`KMIf30B5,3B.AfU"%!CV;N0El#A2^N@I@_5G*(h$[8LOM``4e.
+%;hE=U7qPEZ-R&/I)e@10n.WDn0oMBm)@bn$]!`GR@7G5#-'m$nU(u$06eESdQ\[h8$T[g/]g;/SAC!*Z!*nCbca4=g4<&JtZ8N"N
+%;M>ha,6BjCs"FX)cM(#i+W<Z13s9X3+ET_tn6QN3$&hqp=9@MW2XX!m$sWJ#4bgXs<KQO6Z?n7)WpJT#d*TE!U1$Vm=&?_:X1bne
+%m4F14&oB$"@L8Dh,aP![a"1jh5=fE?(1IE1kR8*@,Xe%g>6r[bi>0;;6G,a,apWHV@88_V_S@a:b#*D;TIJ9h6A/DW4bn8b&3X0C
+%9;9Lb;&mIQ65YLI^C\F_#'E*OfmMm(ZbnQ9/k#k+U:Y!T'pYJO";;+od]dt5oIf\i$-rmi9Y2n[F\/)ddXhY^s/;`H%X/L6+lP$t
+%-7%BCAD5.K8+OogdKYU;DD:o5"3VnEZ"GS).<&(/XW"aKA[>sZ6tJ\/TgY72Xo@4Eo`'$*O4D1Qd3jf^f]a'SQu)GP=:?oJ+r3Q,
+%=TO`3BPh@G-b\Mt/1P.=$hT3(:l+*D'r\Sk:g[+OP)-d[YSlNnff:"dDr)I5pS<<7#`@ZLgaM2ajiGq<!8lHhIQRS(6D3l`2I]+g
+%P+C6gh:*?E1ZN85LiYU9I)(o@-r&]7'soI\Zs)Tn)->#V?H*s@][&"$5X4EOM<?nlloqC(naq%`SMdt9`\42RmHG-#%Bu%tlL_tF
+%T)Pmf`NXO7#)atN%radm"/e65CZ9l3P5RuG4s_IJp-'d5/G)ViQ-J5@4O0X:k'\Zb9p9p@.g]d'6(GP4m&7-o3Y,qT$LFF:Ti_@u
+%B(fV10&cDlHH_/D+GY8)1JuaPq[qS2?bPnMp4htkEI!$Ok<T/sA=b'^8*3^]Wq1%"I"WVp"@#H/FF]#HF_QYC1HBhSKL?,Q(8M`,
+%`E>e,\]m<_Bs7FZ/c%6&#\>hUE#[sMm[AUSh0&&r/)Bk\2%??c1^%BulHG^1D"AFc\2Bg1:fBu+Q6Jt$4'["ukp9.oJ0KOg(2sk"
+%$gtqKP>6uc"DkEs=Mi_7?>%N.\]Jcaa!JODJL`<?E,^?XZF)9na]YZM5,DlN/S:6/LY_hQ>f;2dK7GTb(F]sT3Oe!a4M8@j$p"J_
+%$#mmRO;SXfO?;W.CpE=@q+6el<jq)[a2fYZ_b/]@B=O6L>8@@rh`B-)2/+10@!#!S%_^s0-5[2:\k3*(M9=->(7T3H^t-0IZIU5s
+%buqF4i$B_2*LB<rcn%[Z'aJXXA,o_^Z1)*h&]/uqIVY=US_]5^)9u5kDY_f7WQRfaVf@$es/P,S$H.A4Za_i2gRruR)4XW(A#CrO
+%?HZe/$X+H>=g=2DLo^PI&ZM!$!K-c(\F4G^'dn$q;YDg]"Od:pU*rRbL+!BAekpHTl]V#`dJq,hW9uG^;$,06c]isf!!!b`-MgiC
+%_to`'`YGV1/-.'Z7jOnKr5`,X+*j_qM9HN?(V&51H)bU.OU*>R5bs?Gah\;3.IF]!*LBSG)46'a'l>5I;:R_5(>K"o$Xr1,=S+pR
+%0uRNt$-S.h8jJ.c>m68lAlc=h<n:*e5nLo53!c6<_\NV2QBX)FfVgSNp3BTG2Mbumo7CDa:':G_lOfKk5LD/2-I8Ki+GH%u+a78%
+%>VbWA(,fZQ/)aimUDAVXGg;7I68X@X8r,rVi!).YoG0A=1*^FL"Z<^n;>VW/9[l64-X/Jk5,)9HR'k-H@dPF0>Dhg)l"P,skB'?i
+%[jSTMNWR/AQXq&QEluP0&jIu;>f2^t>T9NH6oG2ad\I59[]kU?-"WfY8Jk?^F$2t(e.As'B(%;D9?R*1l]oho,2lW9@KfHF:bC-R
+%4F(Z1(AK8bYSEaF=`T)hPSdB:]eV&Ze(?]YjdlUr-<9.AP%9C@"9gTL?d#)n""V]_SPM?)q,$Es/N=([3u;15h-NlKTlQ1<gh.!i
+%[f(pGk;EP4e.@TA)tkFqV\JijeI(\7PZ?C"+EtfLI!(@mUKK6JLD.@fRCVBh:-1l\"F+bHS-h-s@a1J`>#k+o0*(8lJ0u9CYrB,+
+%A]K\Pr??=0=S.>S5ec5IL#(%s2S@2s)iJ-Y2Csdl)WJW":&R`V;!N)PD"c`61b@[8TV!EnfmT?+@qTdTAXAU3FjjA/C-rjX9F"U"
+%>ILIWaZJ0F2t0:Zb>*@T@`+W%d4n#!h$grag9SoT5^TI^];,nC=k>.<XFWMS>2G,RfQEm!hpcVKbSX7/Z'Xc!h@8fq15^.*$H3l/
+%9<Zj5dPg/m^F,7c?RWjk$%3gS7A_+:7UL7))"Pa.6NnZ4SO3k0VC"PDNJgLE+Kr(_bN.#f7@:iP'5,DaL3l'%8ZmX,E6<D7LkhBe
+%#!OmEP%uIep_4>KoNk<63@/`2V/V`IS/_1ZOg8;mQI&)SM_Ogi?5?u)'>[`6WQ")2asjsi%!+Ir-WPo!0/\/uhNC?r<WT;pdgh5M
+%Ue[O?+nl;)qg^Hc:lJgPh*d$!9b_d#dmO@p4cK',KF6q22KC.qE6;5gbq(=[:j!)8"3Oi2.$0E7Xc2ntOJa:29B$g*(rN%_F9l)5
+%Ym<W>&JH(!qYW8PD4#GM]u>SZ2<D>,MZS\l.@+L8<-Uj2)lB,#:tUu)A\ZNQ*=8NIkuoj3/Z/W63h54gZr+]I!]F4u?,GfUop.'7
+%P]P+tB4,`1.-KiGFTbBD0Mn^XPOo*+r3bf+k_8[HlX58@&DQ+[nODb*kb'tYS9J$S=Qr3U2]$bGjkgr*0+fS.8T*51GbdIDD.a(%
+%,tNZ+/lFU3Q]![t+rMV/XlM'*B6KQ%nV37^(`[^6U8Ce.)7&9^0s^#:)F0NqPqkGE$qk8mBqefmHje@[E16!61_:]CK\=C9b//^8
+%gd[DW/Jk]tWi44='5&Z#2#1e^Q#*X+P,1<#,:ea;K91dp)9OBqYmdPKPRQTXN3*6EF1Q269BKiD37`.I[?U?sl-QY*m+K&+W%cDd
+%j&-hnhOXgJ)igIhq6*2Yn&Z3rE`c&^hMWrhh1uuuW]g*J%J($UP4WRXDqL6t$q=kO7Pf+eK6Cof855>T5#_F,<Os.65Rd@E-4jSu
+%JoIpE-JaoP^!gP5%OoH)/$L@nIn])6p%r:"0Xt</cm+m;Hl+2NVOJT;A"OTmi*#86J_B;:"#2Jn[Q(f5!HJ=b7UelW6"A'2f[i+t
+%6Wm(1&`&6(BFXq.hEnL6*Gs\RdZE#JmD=3!B,QJn2B8m2!8A4aG&FUWAtuW+X`GmRiY659k9OVn[M$_5ct5B\_f:rU<r)(.Nnu65
+%N?kbl-$b]@J/Q$gcQ@EEXMsBp(<0r0S1Ts5Ms5Ig`fM75d>W03EM>\k&<T\RQ6TE7G)+"K]!3[CTA^5ri-HRWQEnK"D<B><+l<_s
+%\G%W8:uB8sKc\ZVNQeD=*nhd+MHH\ofP]+c4&k[cWAguO>&sY5poFR!6CMI[`X_;[9LUb/S2'+.`c:*ZN!5g54U,rC#n6QsWON"L
+%)_c"4(M;Tara=W.dUgiWgZpW\YjB?7T6t0Z5-f6Yc?>LLA5=CC@$BZe`j(88Q6hMJdqZ#9>LJH<Uh*+N,>[1@CY?n3kM<e:h7sf:
+%:s,^l5%[of_/"\s-.4cN:sF((RrJ+_bq>`3JA:1+>gQ%h5t@c\9Uq)$eDY5VUAKa$8b:Df%k(mF5;=Z&5!SRg.=1V"+2oc>C#Y>F
+%Kcs0<C9T%?&-^5A^r2#+Ml70(d0YC!&9]LlLPnP@QjZNO.k"DkN0Q+k*74DRX'+Z,fdc;eP@=Y]^(AU#lYe5AgP\HHcY_N=g\l?-
+%9SR4G:]aQ"arJpMl%"DXKoo-CQkDkLnO^`hh+W3t]'(UW+0.#([W$LcX0OE>kq[gZJSXKj=[2J+QH"M(2[ep[m5"!t$:<27pBcZX
+%/G5O/bYXZM^_2XL,G5iIXIgc9.h!k*S+n6SFT@+X!_f^af.\%OeNQQe0mm3CGgUd(R_ZM>NBV=LM*%k#pV_[tjX[n)dqInWPs.dC
+%)EA%sQ=IG>#R2p4BOi6[nYl?+q[.*<Um,u:5<^21<J)Lc=ak)\Bo2$D+]U(5-5N@#EU<2?X&aBTN0a:TN)DG$\a#oR/5VYo,aQp?
+%!(e;FTNP*#cKJ<;9.-$,8[n)k$6#RK!:P#t0F>oj$K*nA>?NE]`0M$nV5)6ORbCCjF)&hXapCF(@iIF:W+^9!FL!<-0sZJ>"f>dS
+%;T?.)*Ot<K';kpKIBLLKcCR8:*`7788]j);\aRL1MI#dADsikEIP5#*Yte($s1nl;(Z1N23hH!'pc&D;3HBN.+I;#YS%.-lfU*MV
+%3o6Y=4]>d!kghi7Z;02'nQ^r#ghVgU.$KkB\n'j,@,L8%n[+S![3j$Uhoan]1So/1eNkoEMZ=dR,?)EKpR%A*l9a15\"E5Z$t[p6
+%3b3s=p$ANM\tk@R^g7Q<]I9OY0G<#DH+Rjam=X-+;S/:,0_[#F=SsW,R.u8UACqZBF<!n\@4!\:7Sd>pVhS&a3%Z(NZ-P!,4\;:9
+%4G%heIAUQ4Z`I>]E`rt2&Ai2ZPk\Ds"4FOMS<T`5gGi">p:2UrT>aTa^I8i4Xh;X\>d>%s](OdbWL0V>o9(gmA_:WLe7*A'aX,t.
+%a$]Lc-&3Aj]7ih]'5&]$2#3QEcJ%j[PrANa[N)g-ZeoTBJR,)erAfpFq[UPSZf8G0J^QVr5I,_R`cB@qf@&q5idI%.<hAA-a2fPW
+%[n7VsB<mg.>>"/5Bt!--SXuBaV:@hm.VpL)QK*sNG-^JgOQ7YH<Tflt%2K=e:O0KZoQK:5n$B[3`'<jBgMu=bBBRVA+*J,'nB39O
+%,>1B-H.G=q2J1WIOVR$FdW!YJ_eo4f$JAp^Ai]"R3(Sr1#"]/HFN0ZV1qaZ>(92#O:3G>%/0DN9I[3![B5:)0PU1jA,hag1X;HfX
+%lr#U(H]>,#N$CAFNU.MHQhG,7;RSfNWE:S%Yi[rG>in%H>f(n-BhF6j/!%"bOfVfBnLFcBXH'!7*2:GFCsdr2cA,k?B9Mk[L(J?`
+%a/LIjS`CJ,@\=AVikn$j'D%SLBmoMH\h*^DBs"mQJ=)d)X2&-4E=C;Q0d`ogSGJHp:ORg$iDr[1PR1uljQIKDCh7"Nn?h[;c&$F'
+%['#63pVi2N-A3\9GSr])Th+<@fG+'^'<:\,1_AoVBHTaUR'gj:qffkGDXHYUS\7E_QJ*lI('rL;%2^^O\'KG\;LjSHH2F<kC!c(^
+%-Cb4f/1)-o[:E+?"ug=^itK*o0q.l*02[[o/<A@CBs!_uR7q5I@RC0)pjaOHlkg5fN.J;OB^_H@Bh*1f]2Ugp$]VG01Gr9:K15lN
+%B-Y=*9QoRH_MF@$BbMbTO]WplC&)PaI1%T]%LciQ.Q#;Z<5<`)dH<QUqA@P]["8?fSPpb-YLoqEnk.(ucg]]1OtF`"R/32M8(3^&
+%:Sk=/n?MK+62WHt;(1D!,bsA%$1faQ)U"-rG#dI6G&GOZSK">;CbeK-fEu/;7ZAr04`/Q[Ygb*`3HjtN69F9\QM2qiUDT.mEjcuK
+%\cpDkR\Ls3_r3uA?H$%^lJR4eToG5sf/htrLY\+lYAsKJNkn@0W^Yfrgl'*sR:NaN4*L6kiOBpX)`Xpsi@(hi/bjA1;6d=5:%M-7
+%YAIuKbe+^>,HUouorhI;9+ejR[q&\dgWhM-?$8<2ZjAGW0E`XG*ufA5,j2sLgm5:9&U(LTK[pq3+!D_R`qJ5KD/i@Rm):.EZ.#l-
+%YmaPDn<1Y.6@tT\3J>PuDQDekUpA_^@H_.sa2M#)iX5-6;l7(A43j'>mbLY"@[&j;E6\bO83"n%X6q2Gi3JcWf1MRUCr23Ejd@62
+%.T.TJ.+3k*lh@>5m#/f]KQBo0]iu#&SaL(-icHgb&XK/AVXl,=:I0PVP%K8X75b0Wil&Vco;_5b9`RlY!R>GCkmZq&?u2!"B.EM,
+%"D6&4AE-8`[jDat1_%RN?iZRY;0\J8+PO8QMlcQH-\A2C;iAb;EDlLdO_Bs^o;)jopC8?5`>Lu%Pb?D/Sb4_A8"'_XBoIe2!EuFs
+%X<>]jGd]]!+]KJP1B?-"r.*gTW[.ekER<_/+s$to2mcDUQ].dmc(1P$9tL^KQft'Z4(QDFhB=#(^]P$(M,Ig(W[S0d=U^*'F$?Zu
+%VYX92aM*0J(4ut_.!3@K1)gH':cQ`2.fg@4C?V(7$O9L!R06>W)auU,0[\nE+t<u3VpnNeQu``k5toiZME7\c(td_'63!]FIP&C4
+%5\knD0W9NM:=*ck'bDB@g1&L^/i\8?c3de8ba*MnhHhI&1bUi24Y3j$c32'FQXUCLmZ8n4&B,(m$-!<P,BQS!RG8usW8a'cTZC^m
+%C)?'M\stNWg6#Q('L654SRmLd4Jj@:3:!jQ2E;H'j9gH4c3-$s)b%?F4NR)l1*=sYB4eP*nRihsCnFI&$u$+J[c8irh81Ol?O=`,
+%T3-P@j@PYU=h[penN$!%2oJ/L_>Ph>&BAlt6Ph]"lS`lU#mIt/7=GB5Q8fN,S/Y0:T9*8<lm@ck3;*sm67f&&P13?D09/@D+C@7$
+%AJel$0OK42>k@9+*aT+H_LiiL[=VkOC0%%f^m(E*U6DB,KHo#pqIkg`;Tk"9qPDbLTs3YmBI/+dNo"_*1ECK/*f9KgeT%l<:e1p\
+%A.Y<,0W7gA@U*(c0J/766DFgm&nDI<QR6C1j#H7aG`)+.>k_2_i=M@Y^1kGRVk!\4FYT13%,V+XZ%PX,^3$/?#/gqoV>$4#@sV?!
+%&Ogq0<dQ*Di!fuD_Pro`E_P9;?'XfW-cB!;Q'#B2Q'PF5fQcUI^kUn)n`"lR<)ti(MM.>$af,nq4VUt-+0,r$("beX=\DmeJYs2B
+%:Ip=YcL[uEa9X)7RtKl=Z?`J#%Hap@0(Q&U3%P<0:X+0!''gFtmhpF_0&nK\Z(MrZ</P=gq&E4fBWClucm!$:poEAh,rR@613b@c
+%X9*"t=Fb+NNV:"GPRT#ITh7d77V]nDL;59":1@NT]StedQ;iHrKjY*ogM\ml/5j^cNT1&a#dQ0g88P\i-q:9fIZe]@*'B9MN$Uk5
+%(l;Z(Q;Laj@b1s1/Q#blLaBIk4AEYV>#QWC,+`AuR,_rgWJ^mt=[LCnfKG5b:6&WL:NN%UZG\$7.;iRX>=:%2Mbm*/'IKaIeXY)/
+%rU:R$L;3qcmLYd/e1G"`#pa&62t1)ZBaK/gN)0i<%D2A/(P_=(d2_2nFOj^M^m@C@_&"t/G4;oXOH;+mY<kdIk[1Kg]$2PO/JO'h
+%'OnENXR1s/Aj;b!T?pM-@80W:igN8H#k8+f1dh1pE39b&+e5Smo*+b?#ZM^A2Y7tK(5/uYR);o27B[''?NC-B9TSFVfm?I4fYu2I
+%iI`;^6hoRPYd5c5P?-si2R7_s,r,C$YZY^o#hqOho>'cFPVsUQ(R2,aIdD[(KB>lJYp-8T,$'B)(JH%qR:dcb5sjTe^6*E$1B.Z[
+%LZ^\9R0689:)=3a:*6O+oPJ):k$$)-iNga$0N-%k1T"BN:Pk/GeRDEl$regUdR%=k/HfN+l\o94:UJ9Ko;/9oM#S&9)$5=V8erf;
+%9GEp5-SrGp=_6s$5_g!2,q@;Q<MHIg&nNaiUA4k$1Y<KjkZgZII<?0?(HRom@=dAS[ZiMLP)>ZMiN]We$j2ZP=]VE:`iNiX7AFI,
+%q+M6m"o_>-+bmlKQk4RLM%V+@=$b#5j8^'ia>cc:D_f8?UerD1F+2*&LX55s$??*413)]*SD63]/$#<m_bAD9s6hAfZaaj6Q+0p?
+%AK5?)QUi"7$/GuT-k7&Wbts6DPKcpH+$1g)RGf;'m7O,(jt7+GRFNGp@S$uNjA<6:NCZZ";!"XS+cT%0K+d;`WJ;A#q*5PcTqCL)
+%,"^^1k9apaA_1D'(OSiuAA?db-g,j%*;UlnToPn@h"g<JXs]F--?usF,!qAWh++g$'T`[NLJ-,",q'kXn?OaU0JC\/g&/:Jj/!3,
+%*NA2NM&nE<;TA=kVBcojPB?DA3RVCs]`8NNP9/3;"Y(?F2%4&Nlcc_A14X"Lo$!,#TI<HTQ7,CZbMa\+PK6DlL]U3N\qmg!(Lr@s
+%V^b//8gc/V/iZI6k.AjMB3)JSIHC7r"Gsj5I(I2#!R@(sN#AfYULr@7@[)t06V&p.r6WK#o:1NK7#+PE=pr7,E2Rg%"sudfWNdFR
+%VM-5Pc8chJ1ufu1,=8Jb=dDB*WN7?qERY'A2,(R![k[jeO*siU9s.%iS"sip$jS[^R05E.:@2C4['Pm1VI+.o:3if"Z01ndime>[
+%cT"&m:eA\RJ1:u/2#&%U(4[9a5H7!V<N'lVaE0",c?PE3:R6Kq5]<PJS%`s=m*jl\2l=EJR`<YWYE]?2S$]BC]4EA2:1.4pVl[nD
+%U;`fW*2;2aR!6tiEjchj#7)KqJjL,$H^KR<m!p_,b3mUpN?k/aF9W'H&=oNYVT&g,dJ(RC./I?8RF2s!?qnchTM>&R\_"3db30DE
+%3E=?s#"8h)&m6V+5p@huJR6YL`GI;'X/VcPI(GgsSC95>83p%J.`4.jEe.RHNpXDR&k=5GQ8g'+=2@F<Hrpb/Y*o!%*=T%PimR0@
+%(h,4uJ7N.L9*cDRJ-Rl:$T!?RAnP^SKX"!Zp?Es)p5$-A1pg+Z%.:SO=eQpLVG(:4-`)$UQV.11PY(e-nBrNW=VS7l>Xn>7[Vh)n
+%72,W?+IcNFLQ"1C`b94N`_:*/e08l=d5ckI=K-sm#V.K&90..Ie.rXh?q&;`N4CBh6d8%!P>F'_s%5bAVhDB&8nMrUZ"B2_BuTea
+%p9ZZHF%W;Q>TLYV"@s_D$6mQKWD&6cph>TJ-4DmZR5U>X'([B.#1?Ik5*Rp=b`aGX"ho+;VTn$So6J7*/_eU+T!:W*.Z5K4mC40=
+%C%,'$T1Nja!3ekZ+0-7?W(39G1rJoWI*o7FN3O.3S-D!N;2_0jPm1s-+N'?D-CkN[/'Y;PRt^/g`9Ym&_D&@6kUdIT9QFRQQ6MBI
+%0#nTnK-r<<b51%)9F!MqfUPiURoGP1.VY`ls)6_V1WSU_HZS<PS[h<F\a*ju(O(YYgg5$OaddWskCa\*`WoP`.'tPflA7f.A_/-l
+%.?V/=PQ7:LbG18ZA$SJC#J'13<5uT1IYHV0b'(M)rNU3R8n%F&YZMYm`a(c<o7&%Z/a7?-D"cj$6jmB]6s&04aYn,)%aWRjroejf
+%l;t`,rUW8Ls1\9cB!qVkK*B7Qj+,[sdqi#OHfS00rT9f#\PfmND;X9Gek_q$6(QV-n:Wh?U0eA\Nms!iX``Tf/T/RO@;FYB,(4$I
+%?4gp3^/4[r/h-FOPIS^?4)coF2RK<E*G-s\HYh=n7+ll=n(fYhY)jed(.,7P5atNt0ZR**@U%<FH<2=CFkjq95#BoRm9iF%Q0$25
+%Tl@q:2brEWltWatH;,#]mLcoi7lA)s*]rSB'Q#<@lCQ63"Z2E5h8[ViW"louPL%P-E@l:b0jU1BmZAN@h/;Lt^0A_kP+3c]qqhmr
+%3aI,O:)QhQM2o&l'h'hA$UN^KQe$^3?:b\gHs.O;bhre=64NG;4%0Q(>'LK*']uNZeN9!%*H90f8-U@iGU3q9\e_MKOhaXfRt1VD
+%V#p`p$Io:Z>LM(HqYOpAiRG6,,6&;D(])gjUt1nD(_6IN&0F*V?=A9hn_Y2PUF>&d[4Lf?D34p&e>dRR_ila?"D(Gl0XK]*"Yu_m
+%U+ckqU?YR%;.@&=P6YZM:m;7LFOt8i+F\U9O2KHCpfsdp((1G<%<B9D9Y56f(]s/eP(EX)70>^r9qZ=<7U;nsa=fbB^nmV-q-];7
+%"9]'d-3sl.:G@qR5QC0'M[2a#+q-T-LjY#Cnle@/J>c1Ak0D&(5U@s,'Tj)DjAdI'R_Vhf;No$O[7XCdngIDVCPeh9_*j\/XLo+e
+%&0VSk6R7D`$P=8=/6HLPW[JM!,#+:_*9;jO#SA%C&0a(872-'fNTgI+b9f.n7uTg6Hpc3S\9s`79'4OsNjWVMlBe0g(fEcuV2Yj_
+%n<8m)P6H.d:<Bch;FOcU-LgEf/^VDG%X)9^.s7Yc;Jo""p@=eAXCC*,Q2W1CIVh<X2'+78Hc]uq_btL^pL"A[]$1r4A7JfsOF)86
+%hRo`Z0nBeB1%jdX-C'-SqBBLEs4i>LO4k+kPVpOf5(Nm(5n%kkU%9IKW$*l(:#R.%_0)SJ9K5VSl!l-*p:7>rDBE8['.e-/.1?++
+%j[E96M%Pa*Cc7:b\ioqUJu%RK1SFl)a8qG7UUl4T5"KP,cgYg/]$t-D\R!<?[,pR24G3*l64*^/(G(EI<?gl@pY7_+%":]:ZspXf
+%0CQ=/Z*lW!N_p+Q_[458H;'+BcmLg2ou(:8Y(.;.a`YU[fW);5abeb=h5po=muh'aG!(I>Te<eTFWk!j^IRQ[?_e.qWuY!hq!uI?
+%?[]?]D>4#.p;8gj%hH_X>Ir]3J%35SP2E?i[CuEYJ%b^PiVr]&naiq7F-"rTHu]o:bk@RVV7g46KE(]'I,SF5rT\U-5Q,B2qLI]-
+%r!1)%KK;#F@Del:YJu',rk-5Mi@2t^JfXX,Js`03J"]btam\0CPgtcnmopD=K'NAl:uSuqW&oaF:Bo=0f=/fHa45Cc2[$)?*n*Dt
+%SU>\-?T[gUK22^.Q[Bd65V?pH'MIKjmmp@@QR-3JrE[uTK_<q"0OU?RJ[rXRZCg\G:(+6ToI,2hTg'X:9Hu[tpU%U;1Y-l6_!JtO
+%oajjIiHZp/^`al'=+G$J+r@'Z^(W7h1gR'R/lmU)JX>Zj$B7@)BC6iQTR>'H1`]%UXh7T_n7=Jj(fE@&9rXF8-8-NHa\':5JRBg9
+%I[B]S%7@)g:=\Bk]usUf0B&%M@0YW+E.V,dP>Y35L."R_.TM\pj>@umTj\MQ,Jq@mNc;q'[18,W(/DR3BiE]cgI"&2DFnr6nCfJ.
+%A4qtCaGL=9NXi0/q\kM^C4YJ5r^gLs^(&[OUc3`q$<P\MBZtIX:Z+WP;a3.ufac[!geul?VGLs%mC&du0X!@1iu<=:`,43DD3"57
+%@s6>3Vo+D=kUs(5TE>p*JAB8A.#T>NT`[Nr\JnfS64Z@qh+0fhA#R53%?Dn@+S;&i]bqtN/-DRN"g9!S#ji>`%bl]q2p=PFhuJ.*
+%J:MLc8M18OHp8qJ`_V'`%#O<^#bDL@&AUG.TE(a?h*-BV!.IGmA,^f`KK0VeRuZ6BNY7)aGQ&Vc#%tZAoniN3jrV)lof,Wk:!;sd
+%T[NM3U4YNMN7P6\n1C>Uf20X-?Ak36+U6,>H*h/=)4GFlgUh"G8(:qrCRZ*1;.m*LqYRG`-QE0@04AlKJc^2Eb522U#"lfp%kLf_
+%?Y136635F>P5,G!!9IgEF9=-R\GYlTE%nR((nf/F_k(7o(Jl'sKHW%&f2&c,&2<St&g%92i,[4(NEK'q%/B\($"2C`4!UiN"Ukhd
+%bs<`d[,OK*A1.TEqb__*"ub0rRJDEeDbF?pgW4pDRn&P6RWVDj,ZH8i)&Y0aW.d>80\>M2idlpF@(PQ0T?/`74f1="cKLMPQ]4.u
+%O=)W6E`G%\DsHJ:8%>N,n>+3GLs5M]:#N`$(dG$c&2Q3<=r'4a3/F\\E:+uqP*6Z3[$7gd6W-q,<E4<jH"bQQi8B&D(rh$aH"9d)
+%AU<30/9tO4l%VT*%A7"WmYR\@6W?c7&\)YCl0'Jbk\o5fh^[`fDKt$fc,V2p$HL7a9::`;Sd'ktOq)=3(U^0d7//o/]Op)sZCm\g
+%S,ejL2,+Ac-bP]09"D)TcRUPi@!-/'GW&%WH+63c5]R@ZHHGM$%jgl'M7i<QklCitDbR5,3DW5Qpo.poRK`Wi*4g7(TWJ3,\QPF2
+%GQWI*Sf#'nPuoB*n$p?51AQ<!BMY[.IaGZi;D`Z=-2K$7J!Gre_0:0/jqS69r%+25f(_Ti<[`f#I4"IDgJmd<-pB.E0,;J"9O%3*
+%)G'G+*c*6'?jb5Gapark"m@1)D^(/OjB'MW6%4C>K+Ym4l\'7XSkeP\:Rc*r@1J_YR$BZYe9>?@':P^hj&[q;ND6d-aqMO%95GQr
+%np<(tH%I3:WlLkJ*V_a>"!qJf(6/o%%?H*(AG)/L]gTjBL%lCETKRt9EAp!1)Z(SfJ_frM@Fhn1;8C''2I].ld=s[jNR.ks9YX(3
+%+jdPYC>]REZZR8%UQ"XM*&+VV\HN+#P16E48VP!]kk,L[kOHWCn0H8W%lY_O(bkS#:'cF/)t@4t:a-:S<X#far1j\;:Kij"l'L>\
+%EOegb&_KWE"b(G>Ta$QX=s-@hGLUWAPh-MTKCd?"nebtmAjg^kHndlO5.!GFU!le$9jQN"6#t,k#?2Gc.N_i-3$;8Y!k.]7(6e7o
+%WZpX>0IZuI#^H&;@2?m+Lcs5UfO>>p#!_9Ia.k2aXO7;H<tE=ZWqX;nK'Fe5JLLg?8EhY_"?7doiIj6SjNn)u,eSo+(3EIch2.*V
+%3*tCNp"c6p!0RPpV`KED)]%H8dk(mLJHCF->&R3s1re]Kd\u7BX@Z3$Y"+!DQH]D3#,oS\!RGt2C>$^O"JF7rJ5b;J_qYk8a*n:B
+%\<d8rTPa`dLTnMo6^9,0LsQ.>9#'FI<iLSYqVfWJrN@aIBB>I3/Sqt*1k"E)iYN+gr\KR%ocb>SBE['X!N9Ar:)2,kW5uX+'S],c
+%&ZT`rNNWAh.Zc's$D8j5YM=no!Z59"U"p<@bk3L'St+t0&,M,?'?E?*Gn0BtjL$dj7C4r2F@Wn'rL3Wc30D6hHA:nGPC/a>*Jg05
+%FWc)Nh9Yj;HtFWRCbW[g3JmmX1r*UPCA^4ufKd+a<:\qW(7')@pl9S"](\.f0Pk^ALu-)";GBcL*i@Y%l-KaM#Q$TM2DE`S_q?2`
+%N6ncI[tCP;?8Z,";ZI=hn\_n7,OFjYaqje&7Yo,K_h[eME`p^k9Z)9S6+n<R%4"N]B0[S*k/k'/33AktqZq9KenM>le%r1t!hbRL
+%CC22'Q%l[tk2VuZ'Jg9U5YV:GZ_?Z4.)b(n`+1PX!N^GGUPWJ4!7m\K/$#7FCWIkBMub%ZAc;^"&8[Ke6c499>in'B#j^;ch\/LM
+%I-H&h$m]j4D/7ks*glsa/V=n7LE#0U$']b-ZNNl&_&8o!S'QUC3,?71V?8rdK2k`_#4ct.EYBksIL;<E2\Wje?Il+dl6289(=BtL
+%j$ZuLp^a*n$$S@4n?Hgt;9p1LiP))[492,Y%gm]]B*W)LRWb@!<@ND:*8OT3IT+M*\-[fm9L`IlKW?[):g^[;+>9fWC20W2?oh$d
+%+FjrqdL>CQ)"L/Y66IUZJhoGqTt1:`/^Wcd%Q`l#2'F#nL,_R7bP)DfFS(p*T%A,D^8#M\!218MY8KZ;b4cI949Gb0!1c/9VKn7(
+%`*1Y"%=mRZJ=f)?Uo58`ciBL6i..C">VTX&%f(sfYso"EEJd#]EKr6l6Ik#O`'>Nu#bZ.(:^.QH#(SQ&,9C<L(-<@@:X#aa+[Yo3
+%Uh0bi1m\5a)L?PpgO]DcJ-W6;nY(uEh=)cH`IlES6kDo)4JU?S%DuS(1^Z]e+AIZo!$`0rIUl-G4ddS%TdgmR(aeOU*2"t/Z31m9
+%'9Nsuh6pC&6a1(U1HPTN#"^8jj/usQD3PBLs.1!*?Aj\P*^FtsICO3`Hi&0>Zej0R%3mQWUI%)>(N3fCnF4)&6@06Bp'H*np,Xqt
+%iSfF(9>`,toe`rT%q)\1<<*q,Ekq,EHR=MS"?"7XL(PsUi44:P'6h@,\E+sFd$i_]9FlB8inV"a\7Z?^*I&9<RE$b6rf_]5Qa\59
+%L7t"=7$N*1E8P^hN:TNN1'f;k0Nc!.]MA`&\.hSejG@tHmKknGC0I8B[*dLNN`8<#Pd(]d#XjNCgI^4@0"nD7)`'U4Pf+[G?A7>2
+%95-)0cRlE!%Q&\Jjg!SrHuPJuAUR:MZ>e^J;&^oeRP%.H)1r`Un\EVh]5\i!gph2LeRgo8#!Ogp-<'\!g'n,Y[!e#$s1)Q\Z3@+g
+%NDtJ-V*N54_,rjp3RhUX7(E$4QJ<0tWG4a*!;MA'ei+U8"lgOk1*O_%6>7cBJ5?Ir@M>@7XMTB9?j)(-I7#M5[.)[\>X^RUkRO##
+%HJr3L87!V,)N.#M=j`n<LCO<"BaN]B9M79E"f-I;GS^_bXH=BOLAqo#'mbf>PH-^7!k;1Z%7/cDZm/"Z>VNl-&W,1$h(suo34pB`
+%EMOVu4`3&MKUaXhSMH,DLg_^%C>/9JqRYd2"/`lL<$_j0\f_h(N'P=CQ9"LO=:Lr^bb"<_Gro'g[mPIa$[PWD=rXUi-NOhuj.Y^,
+%[SpS+#aH<)155h/%Hec;fHVU5?4dJ;%&A%bqcLndH(+">cNcm`a><tZ6n?8_#[#&>/Lc3f-Hdk+G?H?=cDj?AmWL!"4YN0gcG6=;
+%5kNYc%L^_$.O]S@XZ-fj-3m#EBMBcI4[9SMDus3$a`jD?G(cfsViAb82n4C,M'nEm!8f#c@#kZ#>"]mg`G3#0n&SC\PQ[C[K[]ZP
+%\WiZn<0Ncjd=D?%XF?ZK:BHQ5L+WQR4F+0Ie]'^Ao+dcH$A"St=;?o%bQcjcmPkeoMEi(oO1lXoZ/ZK&W,ij7#[jRAB;t/^fI2b:
+%,-m2qo+4oQL@0$n;H&m9FKi&ieRNG6C_O5*MAAD'/d-'I@RHf=e<=F(_u.]f/^`TB/"X?c\t"dY.G&36q.%[MD[:8kVZmEJX?!A>
+%%MPT@HsL6I@A"@AMed^]9FY!,LGclr$Z>,KFWrr=bL7#ub2il*QA]J\h9:`g3.anm0;>'^bDD,f8.8n^cmpAZ%m5C$hMgKObBWY4
+%CFHb)?ch=u#<d%n7A:WF8VR[HJR9XK&Bt0DZS+h3jB.^1_7p()0Md('BX"."">jer3<,d,jq/I_Y7Q13+KI;u_Tb#De5UL$dkHsk
+%[K5D.1,'EB.e->>3286/WH^XW`l\D%AuKE@NL#:nV87]nQ.uL@E<L6d\?PeMB/YF$rgZNtE7TnhnZ`237_]AqD6X"b0_5c$O)I8g
+%5J)@k[Jp]+.35lqOWe[f!87b&^^u=eD2;>+#Yl7WJ!,b&2Y(@6RMQ8k#%4,E<E9G&@fSuXTDp5hfX[7ESl8M[?2828?1nS])i>Df
+%[QS86lh>>4N9G+H5*.=Jdfcnf_4goP&fR!hciWRcA`Eu*]d=>rUrHe`GopIP]qg$C#ClLMqj;t(#IM)%RNZ7g>%%b_.LW/k_?OH/
+%gB?%p,ug<lhe'g>c=W4Lalg0&KF#pU?,<$G6Tdm2.eN^&6ss4c[G;]QFI1Tm6U<QbiE.Zi?[VjLcj[9FbV4E:hZSJnq83X)WEm7<
+%+D_2$r*ort@9\:;);%si`0pML:B7ac@6j`[\=d0idtEl<6\Xha:u9?0WL6$K4@f$%^)gG3S-K*F'/mhRmd28U^rI.qZR5r-$_Z2!
+%liJiSVoTKe$<F`'*<^inVP)Z4:t"<4M?.>jPX"Z533]2t&_''G4PZJ(O"D2Xc7[bb7L4=a7q#6HU0-<5:j]SZaVNcDH5/s]X>"ET
+%oK_14KY4d_0PX2-'*RG&Q69N<c:6=<@>R1/ef,Pb+<]7K2n%3:Rl&32A:G#O7dFIg[QJsH0`g4#?=PrQF!KuUl%pN)2k;Gs=@*=$
+%&AB9[**kN)1hMiWjd.^8NL97o7K@t)+!A8reqL,-30;krb#<7![\+_"it4q-:I1Lf$dRi$_M*uDIb&)kci@';k(Y&5$-sSXWK5FU
+%^l5j5-5?b'I<e]:(2R3arT5/j[R_OMq:NPi?!DTW?\\222Z>fuJidBN(W&Fs0[/iW6A6#boggSW]sr^uJM!UA?sD^O1Fue90Eq/"
+%88`CJ%Z?4H.9[+KJsRV2$@^<66SP5-3BS_?69a^rS$@n&^26.PQ!On\Tgh!/183b64T9CmDhHuoKD[q-_mITIHmlcGp#A>J*Rlfc
+%Q]bku7g"8k0ZNft!!,KhU2:)g=Q=ISXfY<K'+T-tX:s*.BoM/kFI48T.7JhM#2Fk#3C)6s0a@Rg)iu"ppGuo&:]nNZr`R89*n/;?
+%Qb4NtD:fAqKIo[HQI&3$iDU=P-)KO=38imWTGYDSESrb.64R!mmce3i`o@0[CD'&KnsVH@e]Mm1+Skpi`b/.GUk.RD3=2<g(T)jp
+%0bsRFbZgbGU\jUm#5OT?]a\^@&)(Z066b,#oHhnX7RSU^"aBC#Xq7E!7,Ys0.@WYoA6j^ZQic4%D+H5O2=M8$e)Y+11'fkV0E%8n
+%[h@LEd1Q!Ja,ShE4]tBAO"<Bl*?k#>+BbT1$sDS:5]6a+8G=k7S)F,7'pdd?#tn5+X"RI;5*d>fQ?&Wr.Uc3G0:ssQo/7j8VEjq]
+%SjAYU:d0X7IHY'0r4$$"Q6<:GG=3>#N_-676AH.TB:FMC)m;)klUD8UL*7Pt011%)T8qnNpLi,HOde+^n8rCjPfhH@if=YfmBhSM
+%cZt3X,H6q$Ysldk+d7@@Tlt<T;/h/<WT5`:iP?W-0W:IDkkToHINk'9^e"uM_fD0+X%l`"Te2^Un5bl)^.39$Km`837r'S&:&&6t
+%-k?8>GUeI;g/q*@`UZ8uF9`mdE5N(d^\<mtVG0?Qp`<%__\@JFlXn+6`g*fm4ENbCN`2@BBKAPRfs!1RG`&F;@EjbkA]hdH)%I`"
+%o#8JKFh>*.&`$.NYn9<"\QNE4-QaD_11'6`q8'a\*_*5)9Kp*Y#R]M$*_ANq/9%_F]k)^X]e:c\<Feh*?X/Fj1f#/W\(se?FE&fj
+%r8c;F*WVK>lrmu?,8T92.OL.PRiT+k*p@Z%D\Ecmj$Z'[XF\0C=jtAUL>.0s[l2:uci9(e5sNOb3.Shbq(o>drH]gU3ia]7VDhk,
+%_ijj/*a,32+l:atC=7&dp`h(F+O\Dnb"'Bs3Pk6P?X?lq`ReRFjn9_M[<tb_!Vd'i(DFM<*VUEQhfC:a""Wo0?#Iu!J#Ak+Hs-$d
+%GI\;JB-FX(V$&c8a]lSY'J:^TMeGl(+e/WgHYj>sbXAX@=m,-%@uVTY?Y;74Q'G."s4LY&/53hslsaP'^OmQ\I,30D=dTE%b>91&
+%P06Z,JD]d)e.JZ[V@5``1i_el*TD+.r%0s\L_>f;$>5<gkGV+'I^^+-dM@b=MR,!>%e]c9`FHN;`@mRZDg`Su2BtF5C%//e%^#IE
+%8m>q#(u1tH9obEVb.&HQ,+asYCM0f)`\h%m0-O;&7DTRN/(IjH%4,?AlV(S*gJT;$hA?,#r!#=br^sErZ`8Q*7oM$Z@.<]$#ZD;a
+%T)#==&Zq5]#fUcU`jb_<9hD+*%%F]U0UaLH(s;!72M4Y4+`"raI-*4*FZ3&#Bu#0Tl>8S29GC?DAq]&fE;19p0NSGZ-_E,/1VfIa
+%0TX[[9qm76!Oq[S_8L;4`=)&3fkHCE4X"P^K?Js+bSr*i,I2!7)!>dhnG(@rn%TFm/kV$X&6rh3N>D_7@q<`L9`eUB<rJ:O#P=hi
+%-(_pQ%5'Rea.0BE#4p0`,HQf^`\&(,<LMAi`Lc6I2I+)/cXqIt2XP?Zrd2p_>!`]R=lq_#P"]X;D=ur79dR//,7OL[Y2DO\B2h@b
+%j)8Ra(?b$o:RM`d.G5nEo<H52ok7;JQfMWhO:o_la*b,4nTg?.;4AiX8r+Vu'X.89/28A^5*us5To.>+Bo=Y75XtS2A,9uK-WGUD
+%B:`6:jF<OJ.P\&02:Cm7F\E#RdNfkk4jCHAYNbgBGK*jhbpj3u;U0q,<ibPP42eVE'U"CGd:3'(Fp8L/Rg5^+RY&`c%\ILaQ#SDZ
+%T0S>f.2W(`R)/SH=S52qTg92>Z?k?d"REY_8Y\u8,r0=YdDl(2Zoald+asFCJMg7#;FZCJdW)A(K#W]T.Ep77&ST7mPD>C/Aft;1
+%gnd]UT6WhfGG@PChSS*O[gDm!q)e0*nAa2)/B)F-,kr$(+fu81jCY8:jrHQ)!atMAA=YEJkPTVqM>8U'S'W,J;J3:ur$qadm%RD\
+%N[_@G&2ulg!Ej4XM>+!jdPpI%>_YiPj\LDRhJ_)X4k"uR"F?!MIUb4UIE&a<*k*<AT9BN!Q:g%dSUr[LP4`41%81J$2\d^c1a8iV
+%!(./O&'Nhlj2W\p?3'2&4GR\=R?>XUa):NUOh0kq#C&_HD#65EO;:?.e$mW#AJug\bco@'Td6#%[N(E?EqJqTfL*W7Xi^aFParo5
+%*!'Q$"-N%51jI4TI$8feF\DQe%6m-G4^=&&$\9$7hr8@/!uIP"+779B?G.k5i=o7f'A+EuVSTN3'Gl"bqjL!=M)VY=rmoo,\*<ZB
+%O\)aHf@(L&CWo;6O8CrtR;#en3[?*<3?MO\#G,B1G*$4_NA?1g^]`b.h7RWe+_GFDF&3T1UPqeUAJ.pp#tg%167[CPGeJ^p)f?M1
+%]Yq<KkmtPdo%#oZJoEhI22nF$3R>1E:67T8_f.5\Tf="1\$Wj(Qo/Z6*$I+mKo"L\j%!Gi=h(OK_1,7uhIbihF=R:(<qfXlp<8=:
+%_.q#?#:Z41R:g'\Xt#3I"uVq+TpumqBGRMML9i(kVVOXhbl.m<I7U)a,oT#epb&s0g0cN(0=_VD_#U/kT7M'-iqfjZSeo>Ae_5/F
+%;tH)T+R/8r`JSU('Vhpq2-FQ]1/ad(!jf&S>c(7Ea"mj<_Zac+1btm0fg4+nJ$J<V6@MPknuj:cMW_u21,![-WiraWnKKn7\Mt\K
+%2amBI$@"a47nmc((O@=^5V2Rj,W`cbBF"M8<'Mgt+V"^p]?M\>@H!H#iK/oE7CIib]&*t/-Se.25uG4G22gau/Ode1fhYk"f<sBO
+%q(Uo<_s:@h8iY:8p6!Iq,GmeOhGhMV(R&0(nT.0fIm7Z?F.o5::cqi+)u1?`ajH32"7jK260K$XhS<t=DhI!l,s@0>f=#Vc&QN?9
+%aFnql(47`\Lng6/EgBVOFDi"%3V.f@,P4gBkGGJS]*Joamg$nDbj.<&UE8d*A&"IRhV[<q]_$!L*b%HHa^UJ`/ki(gE>3(^G?#/f
+%JE%u#AO0/$hV0%.GJi9LjN#J&m>6g\#LgBg&DE@/9M`$6L+59)8s##!>&'5\l)OT$%n0)\$`;'-2Xfg&;R(G>UkE"X:'g"('>k1Z
+%G.M;c0--!n0Q>PVV+I%D`r:Sq&aor\k'c(L4OLJRb4-)q9?*=.BBVFA];K22.nVZuH'u(_Q1aGBbaI&o45AgMq6s;i!l#TG2BtHK
+%f4@&r1O:]e7MHIN+6iYeK";Ye,+]@k(7eN1FL\LY3sdSP`iE7<ik-ORgq9MG#_`!5%RacA7qlTaOMQF1m0(JD8;[VV5"!,sKVHkr
+%M:]ZEbNZUaR5*?k&]%+2bbU!Y?$3r$fuC7tiZVQ5bt]Tko+@*re"qj6[c_ZP@qQ$%33!QTm!>._+1(lM-Lee?@%UL3Oq\P_8)dZb
+%e+/[`N%>_5PY^/+&Q,Q;8"`9TX(pq!dk?Dh91I!eVJWKJg9d'V'D'SAmG8O\@rW0FUPoO7P=I]9::q[OT2_s2.0dYC"#7so%UYAY
+%-BoTI?si#;i>59ORG"$@Vgb60QFqe..5DZ[TbQn60<<s,j1eP3Gk`\?jR&dh5iH)V0L6X,jJR3hja_Y$lo,ZWdnjMU+pFi69R5YB
+%UQ<Ja_5Jt8ZCZ_jB9mfe]#^B$[fua7s3H%ALgorH\r:BI%r]KAa=;IpWC[$5O=E.g/X(hd&jGV&kc/o`<>BikeWRFp\l:)[KN^6.
+%X@.a-nQ=nA%7Kp-ZFAoF^Jm@$'>XVfh[0L^qI/"0c;Du."Tpn]rkX;nAFnI#9=]8>.IW3e+I%8pH,3TUE,b,UCh&sfA.`V]liNfG
+%UiqgJTP5D.j2GqZStCoL;j)t7"YJ`9N2e8Y>L@5@SP-Po+XINh!hpti-.`;F)2C-qOq95eRuYm+;arcLc.f07qg=IYFQ=?_]EC<p
+%.fXW61rZDMTDA0IDo;R@9`@qI"*;#-WGjQZKpU&p\V2Rf,LOsM5]h%U##>'V(m;R69]Ku\j_VAEa<F+/)#%"\juMjf)?c8J6,Ajc
+%N@I''nM4C@]&2t*)tgrkbWe`44H=Zl"l:)K'dl-'a_1jLeJdoAHH:[;]fA9HR,[/E!,h]am6_ptf:\ORqB!$8Z8$$:p15EHfoC]#
+%#B,fj4+4jAD;7A:Up3FWbQ6N%r,E1W$Q5P*XsA1*f&`<;9=rCb"&PF(g8FqlC(7Tp(dE3lc:,H[%!mbAj#LeMqI@kRFHg;E>Uc\k
+%E50eMroNNcaIf(\^GqH97tt\q#@W^87p,)h%s>.[PW[]8#qR,(r%<=Jk_<!D0rmFU<Z/dQ2WsurCq@/a_p2J8RYG\$A,^%KIF(sC
+%VAciuCI,_Jr,((NjB#b\b5-5!o7-XrPP^KCqj,W`41_`d3_=;IL(FfV[4u?]V6c(4dAG/tmW'*[LQ/OGrAna9m4iE(qUeEsg^#LU
+%>9;1UnTb)gW.3*%ZCTb9RJ1TXgrC7p,Ao^$8p`4dIB]<r1kX:J1iI/D2J_TWS$/;a%NmVLE?6E!6utSI^4_`2Tm'P$nC->+B<aH$
+%#Ks:q\;gIMPTfa7,@s(0BkGlU+iZW;XoeC'BpKb`)#JF@l#FOd%bD3b[&(6fWFjW(Z7EmGI31NElhAc(4OY.YRW>]bV_ftG]A*SX
+%q/l\HU&UXP.qSqD0nsQD[s(#o`9bbtSn+k3ETl3NBOoVLhI+`WL+XYPq"MFBcn;G^/%]XSL7VDZGn-B*ruf'aIQ8K9'XeTLq%\QR
+%rAoJ`d!s8k_'`t[^8cE2s7ZHdY:KWm:T*KG(jDP96D\b,GW+"%35Yd_i__q,Q93JhoVZ9*CZ+N?[%)[XAb]cnXE<F!DH^lEm/IJm
+%B)gukDoe`HF&"\Po\1[B*<Z%]=i;W%".PA_(0$TGb?.:I3i^5Keq9n,(P;M7:6It>p_e?cDo?_T7&\,@<=mBJh8\PP-&D8ek`,Ld
+%qqJ?):@)BC0G+?KFIL7.:!LVC"5#BbcEH77j%f$:AVj_._K(CeP-L400A3MP])Vk?lhra0WfZh!i*C&h(q=lWZI:/e>\'Y#X-HM1
+%)8L+Q5A*f3F2WMSmF'nNI4_.##2p#%dTi72[BcZm?t8;BpGbO4V'pu3";P/+VA!6h39/c?kA$(9":jJ%2S&1GK@gs*ANN&RZA+k/
+%^Yf&Lnt/hq,c]*men"@JgIm*o/`M2G=_4(5etarGj04D^W9*(XZ]9^OEaWNYZ\V%Sk^\JO2aK157pa^]rJ,lia,ZuYh.>?k%7X[t
+%?f1lAo)G!j^a;[m:p"JVQ*DQjeO4LE.p#)Zg]p"%Jf[P.`e\DS\KN8CF;df&,HeE.OLmJFT0jra,).Z,#-`L0Ce(Q2o&)6H`7O=i
+%7iW$!oD02J#:=Af%@6_.B4+R3\`oN2[F3L0LFWUa<6B7?;Yid\'ST)eI1?1D?m^o+/b<0D@2FMe(3Be$OZZt?23Ml-+["T*I"Zt<
+%9*#DqLjZG-W9LN\-.<S/omTQWP78L[/M:9_hT(o8iEb<G$9`02^'7Z'M29!q#m+"<\,G&7DttFhkOSAc-(;^D9WIERQ%;=9\FT1U
+%JJa`/9?83DQ(k/\UVd*A>uLNPLq\uOmQFGK*aH8NU!MZf`DoM@BG)4@SK@QP_tOEmTLGeGbA*qEQB_eca%FrX5f-.e<HspN-1o#s
+%OhY]XVB1(AYUU$*M70hSDIX1$S-b7M*QhW,E_X")0k('+`HO9nd*F!E9!ELjnm'BmO17&$NhL&BEV"i.a(F(GNJuN<?4Dl]e,qA4
+%]34\5Xf88h27+X[k<Hh1@tU0l&APm>CX<_=/1a!K>E$XBj#V36SdJR:%6Pa)iit-d]AA&RO;bSSm#,?g7h"GW]VYLB!M;0ZY$C[K
+%F9&hF\Lp>fJ3MhVO*>sV+@72Fk\Luo1D2Z@;P=8l:TsN2Fu&jo(^$:&o_%Qs`^OPK(*GF.?kNU4T[/OBK**((`kM_d<"+_:mA4]@
+%0ipJEnhh2<$_XgPKI:o$NYs\G:_Fq)r"lY\`3sRnO0E^_W3jVPB6U3F+aY$s"/)]+[k!4!-EHt]h@pag&%e4A:?PY4kEiZ*NGU,e
+%(esb@737>!o'#eqZ[l\$aCKoR1-h8jk#ItqVFTlL0FH)kVc\sa^h[o]cFsKq?pkE`r\HUKPmI27a4D^OjR'1adF-R>b(lp/We$>C
+%:[T6&P6^[V?%3=o+o4WRph37?]H0CN,eHB-9sUd(%.5GKHlH;las-E=/-O69]HiQ)HjdK@9]5(oeeo[B6EC2LhtM51%uhLXE$"Fl
+%+##.p-"[Jr-E##.I-(NcK:Xk]o[c2\jO:cu0g*=\d?NK3O)TTnf.[Eop7VdEl+i)X$J551mlrVc=BkqWZ7K%blrH@uoM4'AGP+3L
+%St*lU#<E?_RDq"Fm.WBO-D@+M+/+t+bC%(;k%ddY0iRE$5r,f:Q@t[`EAO4$g0,cFZ:]DtME+Q<72\?qMT^rL/%b2+iBW>T/,9,_
+%?WE/.Uji\,i1SQum?cFP?"-=*?_m1V,LMF?`Lc)J8g.L\k82kYVeSnIk(dY+@sFejaMKs;)W:lI<?jW;U;H]Wk_ekB0fo/r',1L8
+%^Zk`\YKPIm.YfggY*Y@@5_0PBA')BE"<bQ3.p\o[VK2aW4NC$/Z384.c/"mAptUh')PS:jX)-no)I94!(KimJZI$4NK,3bOOtWiM
+%p`6k35EFkhbK4BNmlKMj.UBoOdLdp<<`[R3(8)eT+mPnpiaTQQFe&?\R!A+M%4\>?q4q_U^-U5^\:,L&ppQ2d9Mn_a,hEL#.#_KW
+%;nH$]h1rZjg;1)ZA5$[#Ma+5Mae5geFa9Pa*nfmtXra4iBtDG=IV+O*%dI9ghK46(].SR"M&<R&?aG(gE6'V+jXF<JWp(YX-#plI
+%0AopU$5bu2>h@$;h_od`Y=2Ku'>I@rX0`P>#KT\qe-R)'!m;Y[mAfN/9e2P#VRq\A;W'I!)91Gq9+]V;Sa56*-=_h#W0*;UEJ6Qf
+%FM]/c`T!hb+Kf2jXlT<A+<Cn@@u/<^6&1bF<g]@uM/L@[M=?\nqjm6q!<o9arJ\oJ7"j)$9>)nc(VuGh>*rseddI88(ELb!n3]N=
+%&RrmU")]NZc32NQ!fJFp@.aqEX88Lu[7@T@#@8@na@X7cbb']\;DkL4_n[A#:)Cl_Ic1=5o64K)_2KstV!dhFPe;7_#Y@H<$Z8M@
+%%qbD+_ub'lZBHFi6PqC#)CI,^g<IN9Dl_5R-Pp_D5uH97GU,uGF(Km"K%l%9AUoCGcKJU(/QO:8-8GZP_;To(BG.'f16R18jutie
+%<qo%DT_#ImijDVNDC@uj3MSjdU`O2WbJliP;VCNWa'i@1B>Ps-:!nq`W*mK9:\*EgY=8UM<GqsmnM_cFIm6;,KFLuodQK/SWn_IZ
+%YC0oVCGm#q,OU%mFEpcX;p7BP2t":0TiGL4$<)K;">S73\\E%Or;f0jTZrL><eCG+,ipqgd]UBN#Z^_nVK8QV70bm_%DM$WfYAd>
+%A0[&AggY`PekSgOTVu6#YB*Pg2Q$V*5]F)$1q)-@*i=6f=@Z#!-c6QM6!9T1&6P)dI!i*JSG8"2q4X*Y^jZb==.>bR/L!-+ndPVc
+%9[!ou3.7O?VE0ZeNO^V-QSM'hk`%M"ghKHs!`hj22aQX]0m("=Gd7Gd$4AY2b:jh^Y]UVF/j%aQ`GXG^U]`S0_.Lm[+CBCmU&)Z+
+%YA3i$,R-Z6jVd2LS-K.Z.RkV)QpuU)OFA,GS$Y6Ua:d)^0k(:-IEp9:UAY_S`U'G"#_A(:DNo4d8TJU6""nY^H0lU&,npL5L!DO-
+%.p]k';nakYVYeU&<.c$)Gp/Z<Q\i>?C#>o4SErnc%tH0Ii$BY<*)/@-/@BphN:dr=:inMtUf')\`YTunL,^[`H,Q;Dk/LP="IG*0
+%YJm>JDk!gGX])4I`8h\Ckp]'a6kNo4gE<uD3JNp_M]*l@[.d(.73!djXk[o\J7*-MRT#%Vl%R=%FPhq"^eXb(Mcp#CQR@6O9d=*-
+%/3L<3*0MH38MVYrO9f)?Yen:_Dh/5V:kgZP+Y+4`$/@%Sndr4Q&r9qQm>m5VDTuK+.H'-_(iF%",a;>3]8$opdS:K@FCih7C+kXl
+%$\H&M_n_d;eg<u-!hbrR&<(J<>QFU87R^9$Y>HUuFCr51R@'=d))R"lmqPprheK/;<U!I#@d>:-!l+-p(Aq"*&h<I5&QbN@Y&.GK
+%nM9&^K?NQOWLD*ZL_&`-'>K9#bYXXJ^d)?e;&;f3,dK6`fcnZk085!EOc&7mE`0t)O#%_jft;C53,;AG/cF$L'PCEBA0Oi<YUW%!
+%J6=1H)>TgWEE*$+-8nXb@+GBJSFlQI`d.rt#j=t+S8:mQE5I'3XtIF[Z&4*"cUT1`1!/cPOCpLT,`>sOPnMO2!&1>o6u?A1hn`D<
+%(n+aH?M0t>LiS#XQ5C\`rlYWkfbIs1\4?5JB,A^p9eKNh,LY5=NsD:%E?FPoP"LTf\+T$l[1?/t!_'Y-o9:_P>3miBUUoMTUff+D
+%M:.X'$X!"LES1rNJ=\+^3Rk"q:U?Go.E+'4&jU1u1F53*m^$faJZZX$p=[>H"2U%t.HkOFW@Kisb7G$NT3ksmH;K(A9_8IO*_T/L
+%(?#UoQ"ojLCuEI%V'Cn_IQQ@Q2RM37X7U4dAlt#r>g_F5HOD*uJh?MC.Od!bQDZZ;5pARJA(ZmbY].T)!Td^0aQ;GC5l]lO":!Ea
+%m_'>e+QIF@mq=*$;M^R,8e;*IA?rLSaKpsd7n_@f/PW$>8ntF]ZHK_-<)(@DKK*KtR+''?.K-L@;!M=EArK=B&$@qAU(ha+4tZFC
+%YC`!=p#^-T/jAlk(6`h=a6ctsrC2)V=hIK6G#)ohfo505(c4#TC`tCYpm?3gF0%'NOegk9lL?/.'>=;kpBPQ]_\sob#[[Z:^7YAh
+%rZ<'GAn!NR@VleN+Q,#K>Bk)>Qj6h4H/=P)>Rl=.R%U1=WP0#oY<L2'(*$9'[7uJ&9QC(]M1DW-\a=jR;6]`'1Ml/]!-GL4/0l8U
+%>*-`>I$]2"dEZPr&H,oHR]-%;j;#2)VH@7tD3J74T@Y6\N2DY\B&,X?C^*u#kUu`L\en'cf3@DZ@n<-$8b:GMY4@b9B1[*;.++]Z
+%(g*^?JJ82YWoa4CODJ_K\pPZa>o\k+#=ZV1LQ2<S^/KHE1cY`2'Nqq;LnRuI#"JiWZlVo*fHg0TOXVeq7216=Q,Srl>=/JKU)l#[
+%o-Bu(oI4p<4%To4"ClrHe5@>@b6B1X**e*Bf9:h=Wig,8EmdN4SfUmYGt*@J..M;/Zt!"B%KfF_3f]P/,#e."3MJpm09>RA'Vc,#
+%A[[I4Xbe/B(4M/pWp\r+hOosY=@">;eYF8D&U,$b<^JJlg#n@U[@;`Ka_"!r/ul$Anktno)JJ4*PL*1soCHEUX%ml.R4KW;5YhjV
+%"/iHV\jY@@kfpJM[>U$0rY72kcb[=h010)Y\F1KJ>M+c"/a5>(`D!oAhPTV\<g#3JgUM5X0&_,b2,/nJ.:W2o#,`WP$ibNU@fSL)
+%-"^`^B9k"+odTQLROZMFS6IT#d.RL!I4T5;aP#MV"f9'mojJe*n[Wb[eK-0VA@]q)\DLnV+^$'CVS][Yp+i8F/,LVBq`I8U<Ac:J
+%^pdea`"H3`f54#\7s2GM4e1X9?>YjKKn'GZQGF17[WWY2:uak<Egb=tp0t5Agr_WE2Zm3tZ,O]1RSl_M<a)@MBI!<Gh.g,?"@bsK
+%h/h@i;nnQA>&'=7=*PQ5S(j7jjPo5&D_XLqCbR@7JDH^JWi^nn4*M+g!a)Zl%hJb:nZ`56NM2W\.h*%0`4*^r:X\(n@kb&m(_LNe
+%MGffIcr#B*"e%>L#,=ck%Ftt2!X2Pg$k_M07(?9]q&]:2<,P,d[hBLC:/)7bdgetePjsp+'hFZb>?R"n[#dfl-,Fo:<>\Tj,;3aj
+%:2IA]ZkPk9lu<`K<tTBWg1Z;UQC6`K.5jQ/H6<ZOg'D.Je4Hp>TcfDj+dcfK1Wum,gP@g"4!30)fEPm7`5;?lo%TB[[+2T6;-D0Q
+%>;`a[+qfNuLY-X*+Ghukd6MMW)DDl7co0QFZ$Q5SOH+1s6Xid[&/Y)W!aUY[@VUK0U+Np7_cAnQZDCa1\`C.C&K?As+utY3=tmHI
+%GugCi]fS&sT*'P->/aFa/gnc_Kp<@t<tUugpe4(LW,W<4ZAVTZgK^PnWmf]//O30pMr"2,j=!c)K/JOuD2>bA[,>=SL6`gn$bHH>
+%@QSQW6)t,r]7tb_dRIHPN/'Q05U/XNb>P\#"ZD!R'5,h)ki\Vrk"$q9fH+"8YZ@QU8GH+qE+pQE(:Iu'5*LD]p_OMjFatjm`&kn9
+%Q^tK8k"5a1D3qE2,T<+r>p4&GZH3&4h#]W,aQ]e+e#OeVP\*uTTXeZ/(/Oh1&=[,1((Mtr#?kM6Pa*dOr\EcJa\GB;1(D"K0,2up
+%Zk%;,MY#>d$aZ^q+b+a+JA%>MQ@rncZ"p(.1$(H3LFuL.jLDRA3_eGnb=,M]MU;`D])6@rG`fpg;nndag`4J36TV3&S!iTt[US4i
+%;!QOWXt_[c<(a';%Jb/+&ruT6C8Bb=_HPLp.#9_&&pT$3>0TeE[Us$WKfPJ4,cde*/l!8"<cR-9V8\8lHHX>$9'6Xu0^-5(gSSdg
+%J5`d.29S/j,eK0."=b$]=L5%;8u1GMN5[,IZQa''4AaJF:Z\:AK79;?XO:*:_.2SB=`'(g0\qX#(H2e\,esuD<`D39hOqi)4s]dA
+%4LO-Q#?Rm!77)%Y*`3Jj$I>rfC'kY-gm3>,'a1t>&(W:rDU.mba8cHfZdC'81G5M+l'*$h%d-dW.m3Bo,CZ1KX<Q+^d0jYi>=t/O
+%eBC.8!(ZJ63Z:^:$&MIKG"bPjG9skE;qh_,>)"$Ejj[A:J/OAUA59C/-YX>Hd^%6"/!ben+TUecM>N\Y[L/nu6!'?9;_51BlL3b>
+%i&I3D4Ci(IS>`g9%7*;@kC?ne!3>/k\MD<1;GfEH3t*!&nmO,$1i4[9bTO5tl%5NaARocF-i'Cq(:BjW70pV)<1Y3;M'=)_Gas65
+%53<b"4^`DLLZ1FgM69boR[&SB_ZCKkq?ldVkRJqPgj+7n4/h:DYf?9_`30i"<SSpOKX>bO.:`c^ZpOa,#KSY$'f`mC.3A*=fATFg
+%Pj@"g^kL2Td9l&^^p-9A'&M`V-ZIu%`[;:GVtqXI4?WH$E]>?0i,?K$E.OZCSAZ:>8#f=NmDQKX7j;'m@ZnNDLC#,tU6a<\J7#56
+%5h=T_HS,?W@\D9"79WF5:6m=2:8eqDhuM\138cM+^`#q(2A<M#fN_8NEl2dWVqErk&=S<BL$q>2&T0"Q\HADmGo%d'_>NuZ`DHI8
+%Olpa$2FP<\W*+&MN?\.KQ^0(-/<?tB<V%4$Mp,;u4[[FY@3cPFE;5!0Qcc4aV1+"-Co#%>Y`"PWa"hCF5gI1ni_;Gf@5t]Xj=_l@
+%Ig(C*Q,c/!-`_EG1dNhB_+=4QSP#i52oJVP8L<%:p=es)_JDkU;2fUAFA"3?lC3h8^Wf_D/e"e&$BRN'PQdJQnl":hX/R(<:]Asl
+%a_bsi5ThjLPu2$3LDo?U;cM,U.[L8aIoQ5FirOAX2(+V2S)ZuMB#l8Ta<o[/oK],'-psm;!f@2QMBt\Pr!:YTAEAC)r]L2toui:/
+%61^XC?%Q0a`sq[>ckBj7d<(.V:Y$PKUa*4J8W/!8:P"n71uVcgUBAnE$:>9m(n@o83-S#:`%ur2_pO$%0Fmc)':NZ'^%Rgg+A+]3
+%5c!M"0PosRJes.@%[6El5)?d?h1/%(Nac21k@oIUWN0I\A&u(^E<'S`%c;*&(3c[oVs(Hp\1-[2;gj6a4gN<,o,s'JN&q(db&r*e
+%#"Sf*`7,GV":4`:15`:Ub*_]m2u@(M&lJ!gll")nEl4Uh#oH9:%Tcl<\hMdUdqET!)f.MM@7F*K(p/VXpRK?b%1a,bc!jQI"lSi#
+%D$-8fDUbbV(75Rc(mkqmNc%P6/=-iA:U1FVD)149REM;l:Z2f%_A^-Wm1aOP1u/u2M52U,;oP5l44rAd*K)g(l6IQ<f%CI)`t^ap
+%aPrlU/L\7r#&@I_9OrmV$KU)JZLlCYpoe^@ckZ.>]t:od%7dLCS5HM?0D$KM$+$#:J?b0M_k(0Xe/;IL7sJMmq\R?goW/IVAB;0'
+%*:u8;1J.M"XXePMQ`>Bj)K@U+j[<7Hm]q=D\Jh#u<0t4rHk&XZUZe-bp>^q/]h]$Kc#$=V:X@Dh[,m[a`d%a^'UFA=O.D-CY?Qa'
+%3dGGg!B`3@:4hL4[iHd+&nRsYbe\>)JY9SJjeAW>i&m3fXns)N/-%pZX#LRDVS$tb%LuVOpEnTAdFlEdhr<cM-_-m=KJ6uID4Zoe
+%NCdm1lI,m>P$M&#7+>sZ\a:_,e"Va>Ft9j3l[[V-<Qf02E*#he3R962YL[P=\-Xi.cU:;,2H)JB&Q6!<q=]UlP,KsP$Qq:oq]biM
+%9Aff??cXsD,ZgnT8q@Q@/dOcV2V]nJ:#Sb`:8":nVfT\:']EbV[tucpgj4u@4WBDFf$*^OHVr0/L+I44LT?%F)TM6].tLVnfu).`
+%fGmJC,pFjq_:)(YNcd65,d!GX50ma`jk<ZPXRD)7ZRnI&0jOLtYT1s&hA'RD6Th'5RdAhh#ii+j7p_7k(\^'(.Sg_j9nGZe)./b&
+%HekRZc,>%6hK@u?H$j'gA3&).VKkkUF;,\15-p6.#+&mpoea)%H5.utlcH67_uRs]jaA1ik.48Q#_uR$D*#6i3;L?4dPIpad**ab
+%U[te-[2bhJMW(9']j>>"C=e(X1VZ)ns#))+eQP*0Ys2_6g8t^ba*h$"2u`4r;H1jrFqa!dKG8^T/ilKb:f-u*G9DHrF.l_r3r2^K
+%,_;a0XuT#]T4bIh.NE-mZYE<k[]T6ACdp0<A0k#k>6#bpc)WVJjnRl9^i2aXdK%H&8N#:.W7=")n1m5ZII<csCg+KSPI1kS%[Sm9
+%7Q:CP)4e\WCo`8L,3aXT!oZ(+9n@,Sc`e^a%9+rbIB$0d>2bMg4)$^BGrX^-C5$Is,-pJ[[`R/.O's7Omb-If'OJ&Rj3Cu;3Ha\`
+%5B1J,&oBCo."73TD5N8V$^K$QM[&i(?O*_W3\M&_/;_`9ZlMU\?l(C+q&#)ghlt$'((0=E_bhQe/"CZ7>Mr]>d('J#p"L][*%O_h
+%I#>rb]?S@0DQ6+ACik;rh;G.<$s-(U6"1SW"g:N0FJgj5mUA%;LAs/KL=;gGf]pLn<9'j:ZP<:ZY:V_th'EDq.%Bt/>OMn2!_hA$
+%i%rTjh57B)CDhlq:J\!i@,`PkeB6J\/M.LEH,Xh1rNL"`,16p=TrtAb&`T#dF!`+>qN,KL:/JuJFB!5Aq?Hp;s4\e;Ho3IjZ.(OB
+%].kB0]9(=8W2U3K/("f7g(l$8?J%7*:t-T\KpkoM!s%\b*LES=8iWL2`k:sumoMX2MI5-/E?V\.>/Tj5OT7aJ#u:tJJpkFHokAR^
+%oM"F@6ilT[#7S1>YrB8%*en*):BS7(WcdnF_U7XW\0?1<E(L+c6d?3X)0ZGE(J-<NW\3=>lQRh\q*a;tg?-L7`9,IUf2`\Tl.r+"
+%O"DT%4lKugX=Z7T^tW%ZfiUZLg!H>P5;8hNl"9c\&ouY!#H&$;/NiI[V=:rhV/W&Zs7c.(VM7l?[:\,tK95Gr1g;WUWADC2%'a8V
+%GV%NS9K5DD(7+41_]r.aE$^eZIqNC?c%d"H_e;Y+Nr[R`:PpC?`B"go0EnYfi[J(BQPR&@2anXJ*oZYLX@&I<KAXMO:X;"oqD?"B
+%F;ktM)Ue]>j@mXcqF<.VEgo*g2,4*E*Eus=)-%CuYn1^rSu>85i>Wp+SlN#*Y4UHDLAo'^6-ucNfc"=ADCSnGWb0d?[M9,6otWHh
+%["!2).VmStA51>":C<0J%',p8h58emrgVf2H'siM]"L?qd7l2\#_7.YPaehe0;\o:;-@^WdghKgo3#O*?tR[k!6gB2aTEZZa1YuH
+%``J[(>=m[+^iIO"E0LDKC5`EG(_uP1.GEs%L=Z,nWt&#$a3T9YN&oc)"\m!!m<4-obI!Q6CmK.:NWkc2ZM/Pf^!59)Q@W$E^B>Ya
+%)]-&XBsFXK=TR;0B[$os(Sm0)])AeNaI_[*k6S_&=ntS]O41\2=f=#lI&!X4A=3Q9M3?tN%g($57$19S%<b%Z$LLhA.0=],T5@n@
+%$Looqhr.031.\D`;[J:=`7?4*=q%*3%I\ZR/>t%hi@d:+:$ld*#f*,?_CsCEP,:u@SPA_"S+q%*bcSYo/di:T^M@PH8SYcMFnYhp
+%S]$7Ng38?X,Rj$X'O@F`$OSpJ0&/>7K%8)`]\T\d[o/mO]^.oRB:G6'1O^Z?mm.5Tl!K4'h/Mlpa#0OSJEb)N6I;G]4Jl$Ndn6f!
+%J9V@p*+%G:?\_Z)-)A#Hr/?*Ch,>TDb97BpiVfp%8O*<./(CdeG%AL5+6qOQD(eL:+5$E^@E6>:j;^M/V;$cV&gX$iWfEDtOtMtj
+%XO0M'V"dX4G4@E.cNlTc0!7Y+,Nj%$1i.^s75%*B/HfFh7P+CfLR$_.$+K"X!XEN,ZI',r)ibbg&Q-5,J3pJI'$+oH;:,:0<=+U6
+%4;[o7/;^092[(D-]*,kUlc*#-n\*.T%Q>lM=4D5@I7!@ElY,2We6ML@fH8E()ZTm25/]kg&Nc:T1o[AtTdd"WV:gp<E"OuT?5SQ0
+%,^=<-^sc,`Ef##HZ[mA2=tBZ()Y+kBF[iL91,N`6/6-?%cH$'UoPRE0!oPM[g(+Su&3P")bKA(;).U\>`f7/9AMt<Mr[MEN'g4PW
+%,,-?@9LdIH5fTEc)+P&6+FruPS$jYDB55shjm&m>3>F:*=8F.KH8fRgn`rM;$L*T0XPD8sD\J/crLjpUG9[J0n.=Lf!V;.".83#]
+%Ba/r-:*.?`\3>AnZD?[lZ8*Q?!9>$YA)62jYV)%!kTL5t``J$G)<dD$`X"T?B(0*AgO^uZ73:.I%X8h6lAcbPBA1sr_soP"F`AM^
+%*6sj1ie`F-D9PX/Ki`H1n[>##Y3rAam;Ai2=\1^\,9cB<SF?NuBe%ku?*^PnKG#/=#>F)W&VJLa^M@DDh[u9'paf(k*JAbV!R7*&
+%ra>?;2l["a/MDZg@6&A4#^3^QKLEt8OChkMS&]0rQ<.l"9G1[A(R#I="KlA(O]$RP!qAQk;84[cgNiL\dGnr9\!]n)c*:/344Vb>
+%)5s\GU.GLA!3Hs+ZOK;BbL/[)Z_<W\].?GV#I"jcY[7.<Dpb,1,nE3gC`?`[_WWXg(aD-^:/<FAqB5)l/=m1;M4#([#9`%$B^9\)
+%`6Y7*Q$<^q<W_=bTFku*dc0'uL=b0H_%[30d11Etb=4-`Rs9mV>"uOdS!H8;0OHmB/VAn-Urepe9FteH1X"a_+%dSp*6ZWA+**]^
+%>5&nfC#^_or>&[&))2k\:BCHeQ'iG,65EQNMi3;+D7ig-ZY`>^ZM9j!FY[s]UmV7F<8#aL,QRHJp3aM*[,-mI_Q<kBe'gj+F.h7s
+%j27rf2D1c1W67O.]t6mgJ/c#=,s#0!Rf"eeTtlI(@hsDHF7j^1C##T?3K+naED,1-@LG[\]XB%g9^;I4Kn\?Kj)(Z$Kb9%h8Gl.K
+%<B3)&4$KbXN0nX:fO1K_A(=>6,Mj2XA6:abMBh>!UUQZ>m>Ak2l2pcc5qtroL+BV2H35LMU^5,9;!Gq.N/0%L5(hgE+[p3Bn5^2a
+%@!=OeNSAU<KlQ-'TXpu>2>dJ#@"JDt3@[FgFnnRYq3fP6<D1_.)kUtNqQ]RU-"cgN`IeOt+XS$R:R`a"TO;uV.s4)bF-"4*]O*"3
+%RnUeB4BdWRbA:@T#]Q4V)Z[(nX->=Ii.9O[L_m(&)h<Aa+0Kr2Q<_]&Y*XVPbVBhLQM!2:%UkkhJ8>cijH`N19lLY_m9&PAgP)Qo
+%OpT_8BZ&77NGhM40"!#-<.Nn/Q?,sRSf>f4i`3IaH<C'HoYJ6MoJYAp0l^34R_clE/SF1#$`/hO+-jdY5SG9L^4g4p>t39`2%6r%
+%cq.;q`.hij'S_UN\CGa?EJouZFELen%6cFtI4%bC0_nP-11bj1SLei2^,+i6_M^c9)KoYs-s[,rG"68o8kqCQW/9P0L:nJght+*t
+%@&ZOd&;*\LhumkPr%"+mO@Uo]iDaIl4:iG1]0fLB6K!!][K=(Y+%8<ol%jg/!?feuS&SO08q"4N&>HHe*dOk5%:49h70c+Y[56P#
+%fJF>8D,]l,o,[FUUL.t:_3U#mXSZAYW*-P'&j!]SINg?F@._o;Dc=*"Lqbhp.YDQ).-k'4A&>DKcZd`c@pUNH6h8'dbOM]u/]e6@
+%$\#NN?e7N'PQ.Gu!tlt^;F[i6p*7kpRoIPW]`.mp(Xj^79X);CV_hG"1IEk<8DkEf<S21]"!6CDe1572fQY\A3=;KiJprXBfZ=]5
+%BpWZ;&ZK%&Wu$Air)BbcmNnZ^<'rV<QB!'LF:NJgn&mUpS`c<(@)OmE`?!)uFj&QWK,b4r=(.TdScC^@>:@*%>4fudhe#[+"pG9:
+%[2/0Ba[.C]F7@ct`SAfC.okEp`@GT1+M:(f46Znm*<G^V*&5u^$1SbSnPkq9=:"/VWE+22Ln`M<G99k5D>AsDGgM5&(qnF1I<AWp
+%l"9#U-'@s>l.Z=heb7YN<92I4'f9E*[-*9MXt')G'9SW3'Wm([VE%c28ErVEW2Y<4"<)Ar5,T`!.(b]Pf>Y-`i>.et=]C`n-;.U@
+%lR"EcJUX##$&]__d<&^*BQB43Ih(s//H#)Zl)QA41`.%$@OFLpLNS7a13Urb;oQ)#.>4T')KBEZc"2g8Y99(pMS4`Z,%-rbeus't
+%5\qq-f!U*P5jBTBZQnP*m.Zidi(K,h3LohcSV$Hpi"',B[@8$%3R"sX8;]Xi*6WBCK5$g[Bh_VEK=iOK?.d2t8^4;kiiY%41E"r1
+%)(6B>[$eJ].,cFt^CpI31_@WN\AWe^;i<$oLmO7TF,u=\*177X[)0GW_\B/0%Nrn,eP,]2EP>$iOpI9d(0NYoYRX+Zb2Khp$j2R%
+%-CB4oGRi179h:l#AZ^ob%DNTo8KWb!]Md6B`fV^pN!&+%))DpUIu4.QK)[TdBdghZ"Js^F4=k+^4]j\+]9NoA7f#"Z8D;Rh:(RJ[
+%%[VH`@qUU+;Wj^;@$U!>r*`So2X6/n+K6J.M7a>/`@P:Z@UF*uNd7rC$!iJGS2QNOlfZ$,3AdZ'^5UQ@`]jO5fZ<9]*D*WY"=g[#
+%`]UqAK706:PCR4VT,Q1q@3t<8d(0<@+5;[1TPX0KA0ps0raij$i<K)HV.TnI;A)4M'V22hFjn)PWs+@30+BWB]2c*V+#DGSAPfF[
+%og=?BhDKE$n1_^qoB7e6,(CKtgZ7/;l:%=F0:/**>7++-;HDe'K&[1om4#k"))>Rs[TGR9Dr)8W_[3m<*D"$/;G+$*Z8uTl9NRMB
+%9*HoI.9);gR&Mg&nms,B]8o30rbf,[2L2Q)-pS$;U_Fo'I@4]B[P)BKka@#i(Hh=PFO=o)buRFaYnSuY3hM/)6[>(M#;m'5+]i[W
+%(28J+2iQfPic&i-^6Wa7Qk#TD.OKH`GIbtq*9<HKnm.B[$@dkT;[R[_Ha1)KbEc\Xf3mLubGYSq,VIg><kbY'b!9qBnCM0_M68^7
+%+V]!#Z4\nFItbB$3DYOK%qL]t>(&8>(:5H7o6$b0NfhDpe@fZI?,t9WVR;Pt)ET!03eU1khZ\-'Ca+uL_*lKUq9)=dVS+D(JSGO\
+%3J521_UuQ.5B_rg.[jd=E+s6ElI8Hk,&Z-<[n/T$.H:mj&eDbC_?3;BA6>i"8#bD)Z]'KYE!M,2qMpi2G5/A+IFk7FMl6erRnM``
+%$rO7@7^ErRIC*ok=AmdR,X^M%L7)/<7N4'l%eA:(T&%VXl#`8[NZ^)Q7N<#idS?*=iRb]1UM2&I4-$qUZ278%!R"@IKMOHY]+'&R
+%$m4nL.U0Hr,8l%_%6mP;;9%FEB'CTlI1>me5)P[SS=lR9\BoX<3Kau^8"-C[E?',DAL-iAr8h3VeZrX8&[s?W3)O<mEgGno9Prs&
+%,H=_h3',t<K"Z>57\bs/P)*I'=p!Y&$"-.]pgLR>$u's`ps#C?rV,([DZ^[hfn@*50b:Z^.)<AEY++Ka'E69GbVb(3W6SlodWE?n
+%'GSMLLgc4RUP(ng]$e2I%eCGdf%j/"%gQFO)[@p,q-ff8EotaThJ2>`<a8W+)@Il&/"YOOqDLhHl>#/Vq\!1&((b_$>a99"6-7!M
+%)3Me=kCu'[\ua+c&VQ0eU=M_W?ogkdMcCW>!-mI1<Ah$*2`KM.>EtZsVSb'%b<$g;l$A=2;5Js@!IFcKmsq,N`R[djLu9*M&O)ON
+%&kX7kXMmqhnS:RESI;u,A;C'pk(2bpL^F3=Y+M)t&oW=R\YhIfn,L$&"&AAc"bXI#JOC*7TE%Dc2*1usXi/pr/BDsK2+Y>oUVdm<
+%I2^s=0uVaD6/a8G*/HM("e1D<M8SLeAB@#75EA\YatVbHB``eMF2"m$n[!&r&XG:oU/mV'd?b@:REMMJ*3d<q/3YU71EG+ign5Si
+%1%kQm8qoLRG'"/,CjVY7T0\-/6;Y<-9X2A"QGWC93O;un_o2[r2ld`^L;D-n'JbB:M`G'/jKpcnPRE=>RCYikKED6cBA?1R3@Ddl
+%'%O/%Y[@ss5]u5QF1tfkj(GmcflbsO+G(,(,g&S\mAmW2!+r6rU#\VGW>P,$UfSWJ\g.4+PL9X+_&qN5+o&A1D,,Na*Y&c(i8.4+
+%1E:!KAZlP,;1Gle(f\Ag&_n+Y]BkhTdCHAOK4ATb]Mg.+;hD=1R,:^F^lBo+Y\10o_R"R-*!WMXC6Jdhb$AI0b!4T)D!siF&5-HA
+%D%W*>Mam6i>]JUG$Kd=CLsAr]('0+2/nsR'k9Eo\OY]8<E$8p*VIOc7'<hGNT#)8j!XM5DHVVOs$@b<"G/5ddV+PkR;^\J@b(k!'
+%G'>k.Y@14SB#;)cH$@VHMVSig]%`Inbc1`PiWLLVccR]&;^\K1Q$=Hloe@\ok\ZJ)bTJ%'a:+_S!H@_VN"at)rm?J;^95S.MIGt^
+%X#oj!:'/+T6V3L<oA;,O2BefqlHR4X-taq'Lg0`'-g2To0EDiP&r[%p+4DU^o$AS+9Z8l=rrSn\>+<`>2eB_.1qH"0+?t%R6^,Z0
+%MUF(r7d"Fij\_RCTu7="a!)cMS3hOVnF+8c!o<s'.LH_>U"ee^G-O2V$<[feDA5PfDA?([>Fkc@Nadt\o86SIF8%U/Q-RFG?9HQ-
+%dPsTGNL2NW,p`@fA#BB[,\DI#,$19@X4[=RaFM\Kd+6-mq-Qp-Q2400^!1%FDR9*?::$oL#=lYZ;Y\Yhmnls<:gW3iZD_qKP/qff
+%?'cqu)`_4]!psOs+<3(pV/QJYM\uX+#bo@9$m]%(Q%/ouil7?Q`kmqhm-I(5P[^WiU\S;nLhVi3KW(E0IeECp;1.#O,(G7pbdto`
+%rN!(QS%o7Q38:AU[Od#65o0ru&dTUK=b`G$FI`=pArqNDk+B.dmZVX[^n9#I71mF8F1^U3fcpT%J6SMe!EauOM"Dp&d9Nb"'F)4]
+%Ui\?l#<]pq9p#s)n7q$$juF]iSOm@TT+Y4U<5:-L,\9^\%V$)pLIcllpeO#-/4#A(Q4lM(:e4"FR.P$+p_phfIQ"!9'_$%2@9JSA
+%%'uq5mQrpe1b&I)7cGl<HIG%]AL=W+p#=VmV@Y.<T;Dc!MSM?tbQiYGF]FI1'mq?23W?5r:;RLb4KJ3e9irSAISAPO>W+R>:e+fH
+%lj.h\-6l3D%"&;2SOFn6U,&n8/qZ2K@)J^mfa)N@FG..O!3?1-"-1dMVk8RIPY@:/ak2@_,5u7L2S\7PF;jEPG0]4pfB4Hs\S\0:
+%dcPfc`Ffs3m%p8F%<XZRBZ.0k,:R8JcSpmaF;UaA4&`8@-PAJG!#KF^^d6>"e8lA+KF\LQN=)L&+O(A&U00sd;FjUlE6]>&&0!")
+%R/YHnfRf$!!VV+J/l)%h?aKGa+hq<IgM0"K>PloRS3$AM$eWFbH+*-;=&W2=*N[U=Fe:=R^m:E@f9EL"I&LHn$Ll;bV"bX+fc`da
+%2D\s7hs&i;eR,R4kWddu`$Z@F/Ib>Z1#K%bk@Ybi\Xg'-5O6J*bUA(Oe"WYc^nSPnAraG^2)*C38D,N`.lTW<'_1\i;lsq;%05;n
+%AG<5:'6Jn91\bI]I<Hk3)]mTFXj(@E?5=0pb"Hqs)IuSG*-J-#,]&A>.$Lp"TPCRVob3<]*1.o:+CX+"gld>%9k==0Y=&:)TJLcR
+%D)%'EnY.M-@ILMbQ=Umea5V$rGiU_sd?K,;;*9"5Z]LJ%q*nFL-pGKsW9NY@rN)LE$)d![J!eIudmFC`\i0VL)`lL0[c+C.3B^&b
+%f#;(LeM$:"AL-#`^;N;H^o]NoWb`pPVc`35Z<cVaAqu\5NUJ<B>PfOW?C#B8i^utK]j"&K#;3h\<@C/+"fJ@6A4$\_(Pc$LNb:ed
+%Go?H;X?eKhHp5tYR_sm6\u+b3[$p/<V3TQ3.P0L3A/_hsc2C-GPu2LR2hmP12HWgKR)a5pc=RcN9urrLq7#FT)@Yfmr>$1PZ`[:l
+%;FD>+ebM$2*&d?^7&:*<_Z'bXn8o/7X73HYg/*MJ3'a<[pZn"jQegTiKdfKoV82=U:N$V"fORusVZEXs9UOp&AM_s?=a<@ldjRi\
+%ZjUAZkD=&;W2;IrPc.?gK]2ugmc<0O6CqG6QE[-7+C2-U?rHJqs-2Om#5]k^Q.Z]@0fShkROFH3S,/5^H8SY)@,=+3j1Z?Wi]'0g
+%U;A4+h.2A)N#)!jKHEFJ</OWk13\(DX^V&sku+o.=(mW>3.c/+HB<4^9Q(Mo[/J)N@2i6p@0ipI'ja,%l#"+J7?&\\$ufi%EAeN[
+%l2:TO&bS"iHeDsq,`6Xr\2&l0RL2YATd\&r@o%r\DHZ'4GCQk>K9K%ukd&KCZ$ohL0Q(DH&Wn'$`afeD$pDF[Xe7Sf&@4pq[C?qt
+%5%C^KPAkt_nn-/g:M0.fR7J?,+nUm[_33eKkFs7W^Hf-S)+F$tRsJg1-U-osUl\hk]2R[??\a"E=FI\7rb%j>B&%[Wdb?fcS-ZW6
+%ST_k<@G(Y#8BuHmT<j:X`-(%]5NPp^<n@H()/:2#Httn'qO!W5"fU\!X/aGt2Dp1MmCAK<m*sNAAd#"j[`gt--VZNei[Rb,r%tq'
+%nJR7$]?#>Jf&b(bg8GuDQ:d#<YW/TFKT@sB_6STHdrJ5gUlt54iDhF[GlQ3g_Y>'u/_mnXRi7HG$leQJY-d"?A3[eJaW$FFpG#>@
+%?Jo$nTeqj&&I%2S(rYJ0qD8lt@=q\(<N!HODW!c'`*eHSF,:JDdgY4rGRm_QhSU-?XpZGAQa!m]iF@=I.uoX8`NR5]9.'q#lH03q
+%DN"<CfZ8fX2fgS0_TlthO&M(0B1Y>R-B@[d:0`Ta>*;'9CFuQQ\.=sXb9h0p_ASpq-*P,6Ypj?WFr4#V:/gh&XlJ^3:pVXA5M@65
+%e\jD8a@$W1,rJ\Pc.&jXq-t!@:!72qfV859:08;IB6HlKSGGdVB+sC#_(f4;nX$8D_rGCF:f/=3MN+-`!JP/P:VfYpQ%K7]O1V`s
+%qeQO."Ao4!=#;RXU.Va@$PEcd$E;&k&/RsKJ86IYZQkq*cM@6*J*9B2M39!,@$s;/R]T5LQ*GH&2Z>*aR`PCMY6tJ'BSeGCiPU%%
+%X8c:6+d(HL9Ms=]<i9T8's4nq.B"`K0L4idYO^j1HM5>tVT-W`K8l;&RO"E$E;EFV#CdP:'(!>oiT]AC-]8YBEkr$I:G`Z#A=^LA
+%<4:'XTgY9H\skf2@rsYT;GGI`4LB[U*O>*Q(R\![*!.^0"^3kYTLB8AKgVbnl#%::mo>K^"h1TB&^;=/]t3X$:q0c6!((S*j7mG3
+%X,I\KWKI?r7X%FQTEs%.K#+mOklDYI!XF/>%oKW1#>1`#+oI@"]1%_&:^Y(=2?4=ci4I[R8PA)UC37jrIl`tuAW,+f.r0p[;8U0Q
+%?2@4KJ]Y[+RWUDIB.<$5YhL`0s071'9L?CF;7=%"XDZLf3K!tf-gDW67jer"T>TMcB84-!6^UuID*e1\Q&11snd.%I'l)f?=.A63
+%KJ*?fkhruG&;`N@e:],9AI:/a81K>;.JDiYk"GAt]?usI%$GB%%69#+h.5jaFOBYtX.]-P2?YJAVXj.g];*lB>%\r.],CR^(ECf%
+%#B''#`&8(m`bB)AS,'>JBdX9o<&VYXZOPb>AK'H?'%"^#_#i\V19J\lpiIXP*Qp3-7$6P(JL$/_=Pob4B$H?MO$ngk@/I1<PL3M[
+%S[dF$0XG^W\&4@SB,k2bP(P#A5NX?"IX\@'m_Xoj"tKf*e-m?lm.t;'S#q1A%7#:M>b+MeJ$aDs!4T%GY_<^!?31;p-,D<c%!-XP
+%0)_&>rK&^tXTlg^o"[4+[#HEdF[D[6B\*@!PaHp30%m4C=1jp=Xm8M$8fg^]]mQ6[Ms0>AD[.7Rr$'C072C1eUkf9j^o_"uiMGPX
+%AE.2V7J%5YkJM=YPOm]N@`:uHQ47/borgPF,^5W0$NcG(ou-bg/<6+UI&C,(<=gHa6R_0fT7H9*67_T/_$j/ILa&cCK>Z]fh-\,Z
+%`s7o1O$="#[0-.l]T`^Rfr3uhmG3G8^Y?A!"Psiuc)@3X>$^b[_G@;.jnh^JTjoUJm82%$>Wu(0^r(221ZYZoL'^DhE)8=97/rur
+%AJDSZ/@L(k!@p@ghGrjGr_AYlfuLl2BdB_mb5>SK]L1;u#pP/q&Bc_%Hn==#99nDl.OJctBnpM/(1rO(%6U\Z:?F',DKMDC&e?.m
+%,Dcj5_HKL=gukRbaaKeRVNQRg.,[X(`tqa#E-`b+XRbQSZEm%Tb*`k(HDd4[*gV8Cj9?q,AC?7J`:K`PdMu-8SV%^h+(Hb=mZ0(c
+%`.@b(TN4F)JT>#?iFT8MghWD7>t`kg@e/J$b1L1M9,6HF^E:3Lk;Xo*pn$afa%T<3>HIUI!-4ZQ-!1PN-t=EtO*ju6Qc+;q>W'1?
+%:-Gr$j/E6M,J0eC1*flD)LlJ5<U!6LI`?K&=u1:d4m`))<=SDfU#O%CeWN>JVE>rj:D?iPpV`:Pl&VF-ZHp9E'u@?L&N(7.Fn^/3
+%Y]@.3TGi/F/IG(+-SQs,/(i<,$%pbXW)ed(OpA"A6"jbRFqb.]@Cqt++mD\%j6Iibh$4,c]DLrZfT?U8^ebQiR)6j[9O6]HNjb'^
+%Fhf/l.SPR2V4"*))#8$;)&!%#IF<D<qN%HbVF<'g)8,#<=)'t=VjNmDcbF\+@+1'7ZgP"Iq+\sW2@RHuYWGEZ5F4[q<0B5]!kA0B
+%gKTRi:'U5(FfN5-"!XTjg!&o/*KsXW`*,K2jo5=M;99U*3AL=Bal?,k$9o*Z;n))>-;qdm?&HDA%WcU],mBeM9O-*+],C6X5*up6
+%n;fUF4V)AV)N+/@%_5QOQD&>Pb`>!.7-*t.>t![FZAk-FY>tbs/8W!HV1Z+KMlr>d:7Y"]ZD173Fa8i=P.)]<+Vt5u$:9MJ=7[]Y
+%9@gdY%>SoVWc!ZL,XLr"niB19#"`K"5I0\#8d<PUeB\V\5!fTB!YZrR)&b&oa-QYJ]/AKCD/8Y)/,\EQ/CQ#:eT#=a:O1\/2bW>/
+%-UH0Br^I^_s0T(LeX\qT9',0Z,R`&Ng+^rmd!7s_:0aTX/b;qTP%8DL9t2[R3ab3IJF.Z8R+1O(>CZqM*4'/'k_,cWhV,5aaU\5a
+%<`+N-iJK..hNFTN[nh;TnOsnoH6FO:_2FL=\D-Z5PH9#$bgPg!D]hfJ_TA&]g!o_b+tij3qu@r;nSELGa#CU#3)f1_[Da)eW90h&
+%&,UC'7iU6r3)mHl/@!jdbd@g5M0VcWS]O#pRhC$I<%&<HAdV-Z'$gSQ>*XD'M`74\9$O(NSk5-hpT'>;MtjqK+*iE;\_s\Hh-7-K
+%Hd\;,kY`;:_?Ku1Yl<FE<GuTG+1jDOdTr^%?l2_H7Tn1p*$Ju1bs@=2<TTS'P7c\#j"N-A3Z?^k->=t*d7>EWe_mY#)F$hXqC<`s
+%!L+Q5(g)f-D:<:N;hjU-*r+j/Mtp)n5DJn/s1E*:kgh.P'KE0XgoZUhgj*_"&?*_MrmHk*9NWGFZ1/!.!-!VF,])0dmNi!Y-[?f)
+%IKOk-`3%$1-*c<*CJm:dA5d.g=U(if4GBdkdT3(=+!^!DM#iO\A-2OAHoJD0QoAZT\<=qr81d0^#e:*YeF8]=(Blnl,)%-u=IYcF
+%r`aaRi?]sVs6/'I<'ZRB60/),;7Zm%<'$-*Qtipt_0Z7WR\WcI%?l>$U>udX"rf)&R(uf@G=o>Z5n!k88Q()s$1o5"bre4+PM&6U
+%L0D?X%I5IfZG;SaK:G2L?H</O0%\E!pas3VQ@()"LX%I/:R&/a_NP.m%4I+\dYUH9RZ;C?*J\,.V`;U#RX??D.l!79MPR%a)em?<
+%%,eieTM:]69\XrSnRe9jSr/8#!9rh(7K([%:Goo%%E!jK[E>Q[Z^lmS0I=Gb#4h-c#h1YLh'.no3\-F,;!HaJ%&6m%PN]eF9TiqK
+%ncu+S.Y\U]@gELa--n'f.=HB_=2lA/oQgtc,L8Y^QMD>V0uP9k^$L[T>6?(M5($,0V`W'RT57&8`*"PnY#;-TYFs>E,pV0!Z!=5q
+%G)JJfmBKUdL42E_(V]qaT%F]eA/Z@[ZJ7HN6#[f`a,@FD[\71KK7IfX;PC+FbPX*7Rq[>u&1\)+)'RNCL10oiINoJs2@L0"&.&M*
+%e-?NeIrnYG;O1Zu.^4pe$mV0LV(Q_[n^su?3QXmO3nf0_!(n5q[9k+@JbU#kR;-cLiOBGj;Q)7$qf8#Z$Lf(Q2*f<;C\9F)Rq[<e
+%$?HG2-l2-VCrRNtlOXJ@lYn1I2]G5I2bOah1S#-tr!K02e1L^jNb(_H+kL*X_p-#E4@omC4#Q?rO.ufT's]I5aZr)-ViSdk#b1"b
+%7:g"6LOi),".Y'IY,r$*nJp]94?naT'iiIL!aO%1iPc0p(Y([8l)<lR/M?<eLe*h(eX,1==5\\+*9O6e,2ONaJ:nN/PS!3Lmc]2Q
+%TD!DV+N@fb.b;C<F9E?DO`%!B0RG#b3?^]q@i-m1;Q]G<OMlSXo4FSd28AER#c0HUhmY&t&U:Cp;T@WaNt[uM=dG.qHm;o*jkYms
+%=AB-!]7I6V$E8Y5*35AuoFdU\PV8ZonHhoL/>XO[F=men?0JXUfShQWXsF.9FboY]CQ(4,r$^i1,s?q@."XCIL;?(0oA$(;:;)VO
+%mX9"3Xn\W*f(i'AXhs4/Hr6Gb#AmjLjdL`AN_Y</p+p3F/;C"GCmnUGT?i2aJ?]Y'?ka;BJ#GH.*5_bh-'+oITCFqcb<#ZthdmWA
+%"7^0gN+m-cG!QUKZD#!1Rtn&PqTM%YES&W'\!:+&AT4\t?P:@\MigMK&Mh:7A`R#h`!2Vmlir.585aSG$K7?n+Wr\>,S]9hI1WEd
+%:b[9Uo4FVeQ+Eu6UFgS"#Ue#L?TJp<*sIco$(Sd>E#6$*oR*S#DQnPfB*muVl2WYH2)pG7]hlf\Z#).,W"_"?=+t0'@KWF:lSK4>
+%P&OO2Zl>VT8jgQO.##2W#`sJmh1p83cd.2J;^iZ=_V5q^GciUd+C3L+1p%/Ae.?R;XBbSYJ+kR,RVrOgp4j/4kSmJC0K/1XfW,Xp
+%k;u,r@%1-=YRh`^c,cmo>)FT[P\mEmaP*HC>4-')_?NC`&Jdi>lT*+sR42rUf(F!h3A&Z(+0pPLJou<eD"10Vr1K\AJ%'R!\q<g"
+%kp]hlBo:UZ<-](uJ%UGuoc5m9ll"C5OW;IVMIY223pMfO(,oGtckNMcs%bI=OsDeAr]!52?fV(YF:jhL[kpH:$b;D0Pj>oA(o?BL
+%csm$61=4)J@>gcH<-<b<PWG85:2oE&+e;krEaGQ<<AcF"rX<d8;RF<Z&S<'B'Wt(Ka2i.?W>@9bj_&fo`&L$-$L\Xn7&kf%`d%rq
+%ISA^"B2VPI0T<Y6-:B;Qg+=L%kRjhF<fB6eoM3\>ltXKFM0]$A&gHra.;Ei\#!5;5?2B<>1dJP69["Z!h>WPh22_EA<ViXnQ_`g;
+%(]6e(dPnsQg&"n6!%HeF*nYHbCC_F'qKT\1PeEF_.).M8.lZAE@E2RVmAG=DSEn%BkjWCrS&oXp[fpi,Sc$,'jj\$"HA`<frnXmF
+%C3-bj+,#i7mP'=uf16UkW^K3n*j[&YPo$<dm+uIpYGQ6`.qX?O"I.Hi5$*GJ_=]qopEusd8h-D<rb\au.S#i)IH7YGO-sAc'C[Z*
+%e>c)VWk6E8]jf(=e>_lXTMNf4Wq&b[icM4Gi*k9mFSqN(Wm5CRjqFF5dc2l='k&#c,_3-FFt\aS&$O`+82ddI[Oe-L.ATb'CWZ/h
+%d885-G_f[a<>si;,f-VI$77>)DNZQqaQ]-M>+$*VDa9Gh%re,jkZD^pM_V@ij)4eVlIJI'"f*d&@E*[kiOoLWJ=.AI[>`@-o"(lp
+%i8T]uXX0F*l?3M>nq]i.B"^pZO*NJJKq+Fn.5RiRi&=>";K7Nu/Fp5_gH[ZG9)LP:K,PMp"_*n6"B]W3EM'&Lh,dKOf"m)MRLCf2
+%>P9XH:L=#U&#0qm^(B9L6P4oJZf/cQ^iIj$<tNT5);u\)J<[?<_2P],=q]X:+j5B31`O=$ZE^oC^B3EseJt`2>g9?*Run?2+=dfR
+%&^_0,*6o.?beplu3Vi.>\8$#JE-=5b9mJWB8pQ?*Tna8aoE`HqE%ah;(/8:k0OR8h,%,GWp55$A7G%`="uWQ'<_oSrL]Qm7\O=fp
+%iD$#h'A+.D01ljC:rS0s7OT?!0Uf<4m&Fs]N5*SWMjPJ"c!-H8pJd5KJ/g"Cfp1uC3>FcT$AOR1='k+7i24;PMgscqgd:WqNHt]7
+%r0[MbL2/P>br[6s@Tf";n`j)3=VB?eW+nj)JNLX\6F:Gc)B\K-Xqp;_0!7abiQMqZ"(e!gDQT_<X9oE@$OL['e(9ANW*Dk@O-r:f
+%R2cSciPI,O33a'!mlJ,`OQSi&OMPH8DrT<o"A/0CCkMTtnHD=4eYn/G'2GiIcaC*MVs]Ge8!oHQDU![boemol4m>LpiP@40>MPE.
+%L"0d<K<!oE:2o!:E1=(i@C'O*LM@/Y9!),(90%h[jUkNQVG=Ve[0"7n#uAu@/gSQ3qZPO]*$(i5!5;h++K`1"JY(p#eB#?G(*UZb
+%loNJ5q(!r>poGW/A#!O,9_=tR%Nu/:aQrJp[I=3<.blS^qm`HdGnO0'"nB@XpnD@Bn7gJ.>l9uN`2t^>T,+L^I#FtF$9@Zlm0[6/
+%#o^AhQLc/qps(S<H5!C"24eDh_B)Cui_#$./Y-5oSrutY`VR'ZH*U/M$K6iQ@]2=%lfOou!m)LNYt2B$lnR>Tr4ZUKoqqnA:u'l'
+%XnLf.?sb$KMH*l5<@U7tJ0cG<HKPH]kdGF<D5B:=dRL4)AQ66KGI-.<j2[rFZ-e8L%=<[h*NUbflDO-5A_EV7Ao8)"XNbm&cNa8"
+%RO&K#J(0`ggtkg@5>uEj%,SbO@9#gXZD(!@#VUnVaWSKo-\ET0.6D^`HT8-k)\#nE0rq]0UC/s#cE-"lCpi]eT<Wh6-OHt'H;I?N
+%nYXiG7RBo<QjRHCE@c7cSmF<J(q]hA2!Sp5ISA]EJcHT!&ZRk3A8'^4nWsH7"GQZaS8ta%N=qei!IAQgQ,l=%=]&$E>uj4W7??7*
+%?M6kGJ/'5PT/c-cCp_0,j9[9O#m2iH$`+m,NQh:($_e^;%o\K`86_\mfP]K4^2].>s&7gS^mlY->68nIqaFI#jA)^I`Un/$ck2rB
+%F;f=FPRAb^ib@-$Pl-b+`a+:X#fL&S5*>nKc$VK1S!rtUjT&oQSYr.JSe!,bQXn?\#W#Z=3o>fP6(/b<A)Ro7#j)A:h[[($+I+$:
+%$h.g']!XLl<AW$T9@UE`I&qM,p.dCUBYnE[V[5F<5p]]oYjlOka:DL&/@d@'Nc%.S'\<=@HV:FPL<M?o">WZ41K@SA6kQ%\]qpU8
+%bZ!![P;`sRmD#4Mi3FmpJ>fYJ(^Q=A%bF,9`j*a/FU0Y1e;7/[C=*I*K+V2h?A`bd*R+6Zj1rqqkBJ`K9,@V5Z6AKja)P:^$:+5r
+%m]sSq=r@aS7n93)TAoZC11=t3U;fjl:K==le9=lV1FkAiR)2da*"`"dl,.MDbHC@o$TKqsRG8nFKmDDG2CC`O`pjPKPu(JA*[r:P
+%1Ui1qaC>#VL<i7=-L(;s*YMOSRMf%#_8Yb"UWKcN^l++$-r/9$"V0l)SE7_CXdJr/B=Zq%L*m_g8]lHT(A&@#9LDD,-Y;\5G&LB;
+%5Afm?(u1NoF:5KhUacC8Q/en1JZ7?K#Vm'SQCRcod=<oI/<dmFVZWN5E^%`oRuX,WW%Q5*[G6!bLgJ,<$lr1"=O"r$*_p"FU-R1,
+%K,!%L.Q(.b.biga@sF\@Fi2j,N(pN$MXaQ6dOo3!EBc!87I&Ei6:f,:5iB%Y]hGq@otF3*`6Fj=HmJ]51+#YjP9iC+:Blj_Ql,d;
+%[>;SZZ"%8$V<_]"`*15,B2(-#.<)9p;-]&b^74e4mN6WR45hFros`c.+mb@GS6>i=M\aHOf:cQ!q>kPRk$F,2*;DukSM*'86`g*T
+%NIATOo)%28X>>leqnS+O]#B:u*d).@<VR"_%C%1JcoJ2$n.a3HPsTs\ah]*O-e%hO-1Rl\$qMFm*,qRNqje;#/5nXjEb+kg/khAA
+%:,NP`D21B$1\:/km(_-jkar?Bgj\+.`)NsL"]LP+_1>o&NF##+-H0^``'"]"M$r0Qe-0RabS!bRUNbk`'1K`(]F&Y,([40RO*26l
+%YZUQg9Al@d#cYd:6,1eodH\Al4(XsQr[[ig8SR#oTW9Y+H6/;;)$Vq\lVrIkbtQo/lED6UruafXMoPn"=0J>jiPV\)7+K&nc$e+_
+%8@BS)#uqaG<#DWGA6/bcPio\_VnYN7ZuK1[L(oUA^_A[>%kM9l<nqnN%P@i@'7"o+_4$`oKMXKt:%"#GdR9$.P#ok>+j7Wb:u:EY
+%3?-YrnNmU?m6Bf!Jq_pAKtnpq>CWYB#a9oA&-<sW:UH$O7kl).IctNJ6YJ0YJG?noe+QE!4>l+$,RnQ\!hg%KC0RA],`i`H:[OHg
+%_nP$P^iD"ia7D3g%qZ[@\%6T/[KDG_JFd?pQ6BH9c!9g;W-U_0ZkJ.L#/$lJ*_Qgm"RqeG=[EfjPKYG\""Bic=&,0,FegR(\'baV
+%%?5O=Ub+Y^C"BELmdrXSG[_Nf)UI/S3nfUNj;VRCV]?0i)()k!MWqog&,EhR9F2+@"AhY^=h9m?EbJW"fU=uq[d"TKSjM'D2)H_r
+%fT/R!!#-aK)\`439V&VE6U9<j$_RgV35q<A?%IB`k>_`@,eL"m,>W"m&Ch.'?_gnl1<!(hc]VmKnpOK63h8JK@C\H#^b1?L(W:9K
+%f/D7,*(8&o"DeJ9MQSueTZrL\,N8\!hT#ao^W?UH-heC)Wg$N!6*PWdI?!B+k'64Y8)5%_Fm2_93WPfs$(dWPWaN!&.KMI0N7.<k
+%,[kdSgfd#cW_-;E@bJ2-)t4*#d*]5>g`n4KL`Bf?WV[snLM6aX!Pr,]2?US2W([ULCiRaBCWS`Zo."1L.t@VP)G2;*%?)i+cZFpF
+%2J0LU5)6\)?1?hNO*\l9`.1fT[H=WNfid[+$(,,rR"/!H':)>pN=u5A.+2T,2!_sZ76FDb%ZjAE.9.S=-PjRI1iK^r"ssQ`9Ytsf
+%3/'1D9KRrtV/j*`<`k%qm:,%q7XgCJfF95mi7Cb3fOf[;0p_nP6_W8AW+-EP#DfpPXeQJqDR'io)p&FS_W:o)=CSX!/+OP&g[$0e
+%En$lXTn<@*<)F/+Y;!c0QK6b`34e=06KB@@(%<:6Do3i`'H..C;&7LLdNO381GJN#5Q^[W-fYBnFh1>>%X"2!YU$=r,7r,OXYT>J
+%$t,&#PJ2hD2CiH$9*"ujp^5ULV>N9!Qg%J0Ak>IMVjJj(7W@c#[.Mj5aDQ1E]"-V91b4VW4OJ:uc7X'EOf068#/6Hq/=5*O&N61Z
+%fcUZq\#<mhZ$I(F4N?qI$THUS1!Euu^.\^/\GZsl%qQ(Q\r40g)L5l%S$nLg<\P.]ADG_fk;1)#i\<L[l2ELW,KS.I^oA7VWrb%&
+%M>sf]lBmB(7,K%sGa&jDkam#%*@3BG_T0]9hPS&bn?NVLDYB@(Jd[,)(E'.'I5JNm(8U\Z.R6r$^gHZ8Uh\?]F5I=5VB)!pa)RDY
+%;sHan_NU]bV`$=j_T6VHJ"VF@/AM;.!Xqs,CSf=gaNLgYJ`2(ej__;;.ZZEDW1!Y93Ou[/R*Kp!gi2SV\P#+.9/??)>?HM@7F9%O
+%UETD+EVL&#7^JP#$](>$i\XfDB@BUjidHDC@M>-&kRV;2G1M_3gqB\JK,\(IP<$GRDQ5&!.Y&6_gr!0D9Do_)gP!pMqAT[YZ9PU9
+%G7W.eFB-g\f."-3L81-W#^*/nQ!(Z#Wi9F:\QnG<66YA7$!l]564mms&P4;U4-C)ZE7lL^m'^&Z/cW&%<&mRfmnSW\?+?\<"!:`@
+%Ve@jt"X4o?I2\J*m4nCFBq(f((X<\e+FcI\5Zb6qFM!o<#*?B3jCY3"+dp(biQ@$GFY@T&a93(@D/s*4[BeHJU**0Fdb><^1[WsF
+%'m@VlUtKe[_t`DJs'o+.s2q;.4crTe<V!5%H:0$Y71Ee\/j`FH7oj3H4@7BV8->-:KMD/OSpsPMAC8?4'+;jp#V5tJ($Pm5P_T"t
+%d=asG0#ZMAo&Djai)?["[KjF5*q$TOrc1!;lbJ>ojOC#c;PM8K)nsO+HP4A272Le/5;9reDHiqYQEhel4aj([eQ\7,InZQgoM$s"
+%cN(P0:#oPkj/.%;V8iuS4pD=RMsG?Ai5[,=>qd9F=M?B_2W)qY<#30_bE?P`b4>PKcpo<;O^8<XVpdG%^sU5L<';r6O8G$jG6rX>
+%;1t1EEg^`%a2+osQLGo`LjnGIOQF&HWOXH2Z,ANu4c5SoQEH=7N9S$&0=0I@E>(?9Md=@HU9SOp!\P#m0Mi%-\'Onu,$>KGVJ7F7
+%WT/ciF@Pj^c\_jT,&%qqLrc]l00SR#o6=&'3SJhSc2jtnT030hqp3uKR)NPdDj)_XJ4Iu2D3K?AKi-NhLVF*C#I8$6d^r,T;D?qG
+%/1_Oe_qdsU1#lLKaCH.#\1VGs\&^_8@ISY`:<ALc\O;UpRa3R).A7I's%]hg]5YBY%.kC\gB<G@le*KCZ2qcCd"Ldh9TnI;7Vs5`
+%\4'qHV-eqo*6=tV'4?a!SV1XOqbZj1$>3i:JTA;Z*;*EJW<oIYOCtSZ%?Lm@9Z_Qh;o`Eh].3)u]fSXj^..ZCZdNr[;C<T$"h<q\
+%3.J8-mFem(`(4$!K1BfA>P/U8Hh>d)SN><3L#J&UE@IoDmhlsDf%Q?Z#EAt-ET1%3\SCb0lo3le;tu$>:c/o8&lA<WR(%p;VZ'Z`
+%mZ8@lMcs-3Pa$bk.ia6.-DG-7&NT9?5cg*e7E)PY1fY9=BQkc?O:dn2m(YCbB0rC,--H+Ihoua/!s,s6j=/HG6H(Dk&/[FT#Q>R`
+%X/&@O%u7L)\Tr4o5R5h?PO+LPJXHO,QsHqd:h7`%/acd0e5C0:pm.FmXo/m@C-Ehr@>&+d$$[s*:El/Cr/T91<jnD/9B9AP5,hPU
+%p`@T4PY)T)%nY/flafOeEC$+\9DMF=E*$W?%"'LtXI\.TPbi194[I.;d$7(]3oMOhU6FGJ%:qS[*90L[/Esclf`J\;ZMP+D-7E"?
+%VGjoC+Gn't[dTp&9rCs%V6c5*=b(<_fpM@WPQA9V!)VGXS<.1::0qM<?pUoVRLJc3@1i&9M]/U%)M?QO2[^R;jUlKE@S%qqG9.E.
+%@=08R*#;7V.V`qW%tOBq6[>.oWTn!<k"kq[LEd;hlkK0C'P+D$V;MP+k6RcjBR\;9430(nPUc##+0_.KXU+kQ$P;2&(^s#e=lS()
+%c,pbL.ZE*^W(,>t"";G,`3DbQF;.7G3I-SFAM0h-Z,gN$P6&V(]7S=hJHPT=&D!8F[RibTV)4m5[PFh\0G!m^U],0s;.fVnit%rS
+%oKHe6nr(U%crWC0Wr#oYQ_$bp6JZI\fj+%("*pA(WCfG7Q>]'&Vq@F823TcTg<u=VeDqkRUp2iE)B-.:Q55@IgP[MqWp5Elj1@4M
+%*&RqWP+n)^eONk*'n6b/l$h7R\YUFR5]=kMUtth9mub9-TbMRBc`<D_h1cX'@6Dk')7oCK*f!"R<4Um`11=Z"5s!)1RXS_F2HUK@
+%`M#a)Y*WX1e<aHh9T]jAYM'+b%H9-oAD9:tJg,gk<26K(.d?E,]Zl9I?Z]PN14XW.\+hPW$\`1OE!d#-@_cmU'NoHRS5&)GRQ50c
+%l(BS,\T&`-jm#.m!\AIpM7o:],jDq;>Sc8^V?g'GNaY'Y!TN]MB_40H\+u$C@c^K\MCcQ/22DkfJ*Mi^H6>c5WN8W>\*15#ls#(Y
+%:l:0]/g-f8$<mgT%Zn7*K7%uW)\pm8)IR9Ug&OK1V$nJLPg:?Z<jHOqcmcuYa&r=()<'^R*,gDM.4.VZ;?D!AA5^OFWG/]K@G,W0
+%I:Eh`2$PH7hMN7_9q,8?DPDLcER-mXZmA1H;7\/)E'PQf4A\iq\t&@@*L(psiC0dA23;V7g@rL9cm29N`3%)pC6s\$hC>3R'$AA[
+%k#?JK+Ya.M-H"q4!X8@]0uPc1i@cj\,5WQAF:nBR).UJ$NVG62Ui'EuJ&qVF,1>J3s.kRJ)krhNV<.fS5JTa8.=k90K1(8mEj)2O
+%]d./[3e..*+\FYkU.nJh80PE<S/6Pd#ZQ#_W7ng]389gh^&lVWA1!UW3\>E0OXL+PcSbTfTC0??p1CVC$^@oQ6Ks/_nY%PFS7L&A
+%jPSp6i,(Zm(]TGoa`aD6Vl\sZG#fB*3iNG1@U(2-o_iPs`T&Vr/nn-);8]^;Q3,PcMA.1DLM[*L\%os^9=J$l!0;YDAp78"SdQmr
+%)/=oA2m7C]Sg2.2L,EXh=IP9Uo4k.3*!04nUG-DL6L)am?krKY92ohZC5s^"!Z>H4,5]gd/[o2A@g,UWKLCE4Ijg'W<C2j?RYMU8
+%+.t0Igd]Hsi'BjfFN]f6AtDD!(monh.`&[VI6m>?2uCbgP,W&g;OK^-V<OQu$Ib9X6;$e_*^NN0pf8u5'Kpk:@]1'Y5t=r)+/hG3
+%6J6YYC,+Pd"kDBH50oO(B2%X]mhR5E5?700#4YBYgs^X/9[hYu_$(QMU&mI/6$Fduk_*@'AM_Vp80'1^TS[@qQ"LnTF(-k2mGla(
+%lG`C<eY$45OVQ!82`3E6!ahsS,WD(Q-5#lZ4gH;:M(:@.cU_DPGsNn7G-h;N'<ls9\g>I'dmc`5OY:t_A9NegmU$[kCm6//VqUZu
+%YTcf0MT7j"oH.!JZ[4G;_bi_EoHC4WZMSM;J5p9IdTM5*fXU%<iij+@pkS!BU#]9U7lQoVOF5.9$;]]k?f'_BbcXE4SFKj'`^qpD
+%4?it7*:"(Xp2/dMli]?[n1+7*bacWp<-Uu7`/fJbMi'C^CUo&&Ep(!#ETm=lGZDP`WO[[7m"84n2cJ#f[*WhrAOrS-nR?2DpW(A=
+%8>-=<7o37h)$&a2#+]'I!P`GG:suhlZUlro0er_m45spa&&H;<"c/'`,EQ"[qP%]=:bs]FQS2)E+-ZUX+(q=&MV$$&*.R9V+W:n>
+%q,5S"!.A((N]^@P6DncOJ*GSS5fC&uFhqO"B!9ZU:#O9&(J?Qm)-'De<KrJEh:<*eImR_k>PeGd^2^;W,uZ37K2ZncL:<PUJ^CdQ
+%V'0PZkNN#07m&QO[96cGTMDh@-R@H/l^1n!jm#_k<%_$R""OWrYs5['eO_2g(dQ%l<V<BJ/K5HQ?,b`mc;AXq^s)ul%>P22a-^bS
+%OBgl!$M]OuD<^g=SQ21]U9O)q;.`<T*_Sr8I@Qe.V7a8lpd53;I#4aP@Kn;Li2Q">J<]1&Q`?3[8?\Zg'&FAPY\<^J`K'i&)=&G"
+%4WGiX?Z+\4]*MXPH;r[,CE<1%alXOrloJU`TJ0_A72)2iBF^]hY5&meP-]F2P@K;PYJ\YC:Q;?Db$*B[0TLD`&#5Vgp(E7Lca\su
+%mT;?Kn9q25N,uJ?^7H$D"=Gf;<B&03O!\50ALD0ui(/Cn+bYKZ:F)I1UjJM_b`GU%[68SW_F$2!([@=KARsST_BGSjn5<(:5a`7i
+%bdbbh_\$?\AZ=TR`!f8R7:hA>?t,P@3MkI#&0c^Mb>O05!&jbgDKJ%WcaX2+-A^Oc'PN_]6bJ1VO%-9>T%_X-pKa:IcqKM%5e@I9
+%Itih>5Wfmo$pPj*9f_W7PRJ?_^mU!dJWR]n91cuqpRA-/BKY<Vg:&;T^mHa32_eP+^Qm(b@[CLDO2#S+$S&e^\3USVFgn9r_O0O"
+%!d>:"p_]h2TEIBL,l)?g*ask6\[0.^1N+%H8aCs:Z"o!7$Mfgh'`M(h*JboP];cDbUF:4N`<7PJ0NMd!,Vlm!o0)MG*+Rf$E&?Ql
+%M3P8c#sJQ<Mr\=d7l)[H&2uD@QC.1sSFS]<0FQpZ/P87aZ@Db,T3.^sEMhp.,]@*.l9gO1(ncB2br7<`oYNE\FJ*!#?j2?BlJ;W5
+%S1#(D>!'=N7[?#*$)\cr1h[,8(5AV8&\q-DJr0!@"CJAh&E8q)UbN,d)Of[B!09UE#@;+Y1Qu!YC+R7+#_Z.'*?rC;^Qb!,dlK&,
+%]Xktep^SL:_+3-^mI;up4%rSqRsGY99tp\+**I"1jn1EE7d12+_Gioq7B$g)MpO1N(8"$rCTn-gqBf7&`E5_;2'pteT!u?k.;Z,%
+%<TURkjsqV6<2G'R_FJi\^FY(@,J-OETm=9d5pd'NCDG\c-!Q95A`Xj:.qVP&LKFg]]6QCJ&jo90+<.1`8$";(.R>5=D2-tdQmQ^<
+%St@BBe\5hiMFhOpc_*&J>jQ%/T#H+.SQ.-S[rcSp96HZ&p72B(Eq_?J0#Gb;;ELSh&ncR4FR"M<]Wm8t*J#s.:sH3b)N;26#6eIt
+%Do*f,Q.W-545]c\92?&js7S,+RRB8u\86(\qa6qli3Ma54*7]:a)0V_SW^$1nLgi`/N7WYW:5&@EVFp:aZ^t/==5a7i7p[9+&X#6
+%7E-n'><\9?f8=pE#pLo:$7'9MEpP-%`13,MMYPg>8IhqR2FaJl'>^@6(-\XSCk7'CpG,Zd'FD`X>m8GLTLdlBa0_'a_4HOI5/3.2
+%H9$8,KMn!9Q3jK\Ejk'"+a*&Y_k)_lZB7`r+%;s(i@S&6mUUS>Vi>:WnM=8B_9cQnA0$/kP"n!,d.Ts;oPlc!G;D@.jJ%qdc?FD:
+%X%=Q?;_agd=N*qQG6\h=;>+3e.\`W99_DjBh/KHhA;sOr"iFa?D-/AiP1%csSMq3+UWGXJjPn)\Z&]TK$.,3_i]W3gV#g@@6OW[-
+%s%pjnWE:2DJ!*BEKJeihAUpD#nF*J5Pm0W@jW:-``,dJ6iaD1<)XnRU3=)Zf]g1-Ki9iHi-aTi1IP%spBS]%6\Rg4mX::nsG*[7!
+%07u9[A>plS=1]C>SB4M],WHsHnU?K+mZ'u'6@OKTNM3A%L7?t0ARKg4eqhdu-mE4BbAM/6s7ti]pG.Zs:g%/Fh^T'O'n$p*9BM5u
+%r:<hA%ej&I=UsR9pCVc2AJQ<k'qm"mlL2K8J"mGhTbYDq@m)(gFXh&b*R1#RqVd!pprD-]:3e]Y,ITQaZ5OlkR^,H:7hH:s'9'gS
+%*8'EWpL^ad@(!(PV<Um,b1WHD/kn(%%3i=+e#*(=n\uKqC%rRDOgl[.:0%3HqoZJXMq/$kcr8VoJe]be<=5\/'\@^KGAeoX29htT
+%j-VZIMeOC*SP9p%5oE*:=&sm1:E_nB,((SM67/Otk\gLKqdjesNt=_co]f@CE(&(\-4qMr'MHRg"%%#"R9udZ>p5]YUK-K_P$A-s
+%1aA6P!in6B$=1"',4fHB9GU806J4sj$G))QT;W/3`)\KY056'H6>/9Ri]mf;s7q",f4j@>f*!+:F/'@/dj`/X-j!L<q>eDYK^4Ku
+%Zbn)tW&'pAg=e6kZ'njRUBm-SLo6"+a)<S2iP\/oXXPSAnFOG&kslM/_\F1&fc?/GWd7O3.YOV./u_$<\f]LkY0u:19"S'!Ed:B4
+%TI19(Gr.pG2LO0AA6`*N"q([a>/k<]H$Ze85I@T)"0/B&b.Zi<.'`h3/Sh8I^VID9J@m#dD\)bCZgaA1]JKN%9U[[8c+pa-HQA/K
+%;;Q,20q?`(lnER#Pf"WjSg\5o.Y5?I#$?i%UFJ^\P+LrfAEDL'`)JtpI`gs2JoAh#<08@r[muS$kp\fE0Yu^/7&O3@Aq.2"([M$Y
+%E=oXjXu;J"B''%ipMRU+,[#<C(Xt\!MguZH.bO]o2_)cOO\&AWCQakm#bb*8$)=(3:rA\Fo_45cg#a>q:1g%<64X./;&OO>4P\2i
+%R;L]*mBr0tR?E-=MLr/O>kQ1Q=L3'?+ioL;m$@ul(f:a',SlT>dQ9::+r&h#M+Jkfq%N^WISb(S]n:gi@"fnc:j7qs'3>)p,1j1A
+%gA1TT'ch@)G+Pt\Hd9]LdeSm?L@nU1>Nmkjo'qNt#9<:aSbaqY#$?.%otU;P@\-[F6p:CKm!T+^(5A6Zg'enP*Ru97fTBE(\0arG
+%M6$ht%]F?9*"ofM&Q-AR9q'^HY't2i<,71F-RKDk'MKP=n%1?tpS)F@'h@U1&M=J&*e8>LjGTV`aI^!6g6fJ^<&)J7=+H'eEuuPp
+%E4CI+RoAuQ3VrqAXf`WAd.T'B`*bQch^8!2F&@P9'.pX?67p1m\fX*`NGBi*6."j]J^1j'/a-3^kKSmHAb*`N`K44^kFQ.>G^4J=
+%QHRW=]8`)[BI&NAgbYT35XSClk,FEEUKdFPTZMssV:X/7L`HRT[=)'ukiU9&gXtLp9J%(:i&>Cc_gK<YH0`1(444;&f6?:2%q6_#
+%XBo+P9'a<662+@sYc:mFIkWGYWL3T7,,_HW5;9MaN4Bm#a(@]=`mi%V.=mK;-D2?73#Le:<mD\7].&`aCe#d#._"2sV76d.`Yde[
+%XGC1K5,TpgI^)5AEI+bD4M&%@NVg`YU$kZjgt-`B/.7M?'=f8O!bMNi2)]3+C3cP]L2Ip#B*/XJaq&K.o2gHU?rU`DDhD4@QG%LI
+%[UAPh1o+oa%>XRolDC$j5PM6+%$9#jOs.X2QFp*gb\qFdo>I5i7Mca:.Q'a\B4QdMBAg=O>XKoY-(?4;,@Z92ri'n<EMkc9GK1NE
+%W(ZS9"@Opqkl6g7m]e\:WJH[KgJhdCp'h665g)sgC"7kNUXq`2/"%i^5KrsKXG<=fAug7L_T-e%qQ\D8Yp_#%IrMT8nS'HslXOHZ
+%J+[pj7KSVSB+J5aj3XHLRsb\B8ftNHBV"$W`!YjP>[jU9Z">1X5fF:=#mM4G#X&`h/2L^QTe[g(`[#F>,gLRX&=frR]j=-!_aJ;W
+%*G]2e8I_/l1k/J"=B.1uQ.81R@Q?kR40FL[J0$lKeX>PY"<ccjYVMEagIfNaNh`=JG7b:*2mqDfVItAm3H9F)X-$C08?!]^7AilF
+%ArHGhcRoQ;k,DQ`hQ$iP=R[$>(r/:maS[k0"jKG.rWMj)T;%^k;T(KDfTKHGi]rBB3=)%1]#?3sHjt/jFVnf>3Xi7W'U+W-_\%#2
+%n;`5R_)4[2+@re:CTI@W:,j[EeT8:O95=(UV)L;adu<8P\o./!qf!AY0S&i?`FR;C&j:@o+T9O8c'UF5aQ@5HWt@&KfG(9M@UjUK
+%P:DGag5$LKQm^.T(L=e3I86F0U2;!HgETC[Q(SYBFXXNF9=qK69t0dO=P^M,,f="`Z"E$Y$JeG4+It)>\piqXHfu]5o9jM61;3UJ
+%G`1^"%/rP1gYWU<r#'Ef$VX;q5">2K*7+E%d]V1=hKj"7h>-n6-jV*#I/e6*j)dHYD*WmOHs%64\)3n9hKn&THA%.YD]d.Rq$hIl
+%m&sqX6KX5576@0I\3ZV`r?khGbr4-XORKa"'4rYeJm[Lm(j@N*/>%\6\U&A+D]T5%Eh9^FoorV/?g9525dO3$5QGF^POg@_e8FU[
+%4Sp`?c0iD-L0;ia=ef_f5>PYUm;ALnLq(<#i^E&*!IF!tHb>?bD8pn1AMLEOZT'/LaUj#&HI:Ls'hR<A#0^Go$,L8"i,J3X<(eTe
+%qaA@K.L-0GB7j%)jWTB_2*h8]0P93c(_E:P!f]HJVjHUWEP=9HO,c"S`EIA>.LLnc7Jul0YOc:)&LcKJ)lWTY$([Kj9A4N'WCm)M
+%`gCaqf(]4Z3`EuIP2cD\ro&*VB>Gh]D4#,OSs=3GTf$4?c_5F&:\+QCZQ>#.F0Eo8NG?uE$`TY,.8P*jO?,I]`0,[]_"G1C`R0t*
+%iUD3gmWFBLZE#.Rn7Z@O$_E=H@K;3\,Q$U(N^G64%irRKrK7P2-F4H?)d'6G82=b[9t8DTkm>*?d3lf.kZk@9'gnD\.3L#sZ0PWC
+%fJ)B.&A-(#Icf[Wqi@GK,OdY17tXZ<dQ]oSV\"i<]N\65;4p8R'^m@eJNbUtJOs5+#9AkHGWA2:U5't>*==$#1VlH+UO)=FX)CT-
+%Z1A,AbG&4neT`C5G9>/FPNsJg8;?J;/VdP#T[5,KO_gIXfU-XWrXo:mr?00dHr"7KRi4NQgR+uP#3)Su<9=%LU7`nA`,<@4=[[tV
+%-n\=,D:TOm.3U_>/<JGI3F!%_]_"O4:=@Mi:IQ%VAP@N:'(RRa@^MZS"UDpnO[tK5SiCj<,rMTQS?W&?T<Fl.,"Wr0#U#W`7!;4T
+%F.P=R<(u.4a-kH:.=6BTs5(g7/C1>8NI4kF$7^ujoc'o;@<T"t`N=k8A=%_Yrm7bTIoM1'<#a,,H\E]WSV,hV8'bh!l*hmQq]%u-
+%Csi^D;8SY.Dne6p=5)bn.P:Sj[;rEj2E1&EFt-nAhZ"'+N9@\GW"lG6+6o$7qPK>`';&PL0;dUn,Q*juT<BZWLSD>kWgDX!(eh<K
+%YL")O;m57pilCpP7#kmT[Wrn>BWfh&8C1@raA>[nY305++@-^SJYgeD`.jS`3OiU[oC7KPVOPNq3F1-uokmX>ONTf^'TiYkVhuS5
+%O*H/2(`"*UW!@LNNu!M.RkRsJ7':)brAfJh9G)Mn.$F0)9S9_.EPpNC32tP\E%k8oM9%Z0W1G*sS/=C<G<S!HC:XnJ,)^0N2^\t,
+%pJ<$hm3L$:L1=lLY4I6hMjpjiG>LhZ*K(G-g/>IKFjZ-]p7Xj_Y%!2`=^.V*NA#+a%pn*:?LG")T0N@p?iKuTs+-gAePH5$^\j_i
+%s8K5$r]g?7J,I?:r0r32H[Yl8s5s@ZgV7sUs7#Ver7aI8h;A4n:\rCIktc\c6/Hs)MiTsuPP.TI1&_%%rsq?nlc26iY=IW&rOMn)
+%Dh%cDraYg#5I(0js#pCGfXE<t_DV,a`qQ@+,aeW/p\ad#EsmHm:]J]6N(Q8Z5_)fXUPgN1dKgas67lTJq'7`Vo`<cAO@,1)!Nqje
+%9XGblJ-2;N8Gs*f2As=ZLc'n\M0a)ZF3h04$5Q,<*5Yu\j%Xfn.>AJnHn\-83pZlF#ng:6Lj+ai"bcVc2(8`$fl(@M*EAD.jFn$?
+%iR'G;i6STVAkZ(d#&4eR5#EQ:3>L*Mq6@,3kR-DP<'H`e3B>8_Ml&CO)@45m`CPfs_)rqrHg9u]d?k3U8Jij=<d5DR`8hr7q_Kl&
+%&gU'%G?sm[2'$6G#m"SQ:Jh'f6GT6r?c*FmWXQJR=ag4r")$^G8kC.E\4m#:J.5m!E82igGloGpFdMSBH*0K@[N)h+PmC/c-mM.$
+%nkoE.S6nUI*qor;6\I3tWFBkACcc,eo4")Lj_[E)(s9mFLe;amAXMsKA8hrCKre0k"JQ"(81?'6>cPRf%KNg*-h@cFe-45W^sp6+
+%jSlRJOT98Q<,='6NlU11IY4i7Z5.Z3/e]Gl5T2N<E?[^F$27i\G8IkO2@/I*qc+Ve^`j/HVJ,f4dmq/Lhub,^Od$hh'r9NL(lJ[(
+%W)>1mVP3#,7:ahun[OuYH`<o6bf#Q1Ktb;"$,X*F@74+RDe]ru_"C6[[d9H[b">X8/6'jG-euZ3g!S$,U`hH$Kri_&K,@Zh[Y#<g
+%g$T)4</c!P?DJ3r:Vhc)1Bh?d<O5&LiMJA5QR3qpQB_k?=oqYgQED7GHJR?U&FTAemEa2%QfCJpksm@kV@#uK!h%:U.[s#/75>E0
+%'Q2VFV%%ZMXG5ST:#BAu/Z&MW^*!GL`^MjO3:p+!D[c1VWpH^Q]s*uqacs$TTFoA%3Ptn"%ftf,p?pmbNX:mFq2T,F#GE5)gCA3T
+%0MM'6rm<AIhSCeJW$@j+YAoYG]=:s_qE,_ulIi#]bIX\B)@7hQ=XO[?nuDmo!2Z5MRuj5B?"L31hGZhBOee5hGpGS9.#+dZ8P%>"
+%5Ybt'@35JDK)'YLkT^Jj5d1g[5M][LjuqoXlj!O-1P$+efCt>Tnb/!b#+Xg7\c)ru/Bn/[.llp^9'q`c-H4<B=H3B5=B^/U&-Qq'
+%>QCi1_V^XL#m/ReWdjTN%JoqBNktut;&mp47E"`\m@t^ejBP*&7P';IRbl`&QYu_o`+NaF!F]Hhik_j7AXC=ee*6j0ZDtq014VBQ
+%R`dledQX27n#,c%T:R+kEgeJND=ElMqSuPPJ't!r<6ZJi%<RddL%H]7a@<FG&km(Q<Bd4:"_h/e4fM<j(ka'\^qDUndeVq,=tHPr
+%ID!PgEg1iS(oA6r>/:MMnTr8.kRRK&EH>NA,2FJnmT2!\S0(<[`^je4UojJB?la@_bk'?*iKk/M*Q!(Yj!ns-6]b4Ieh@EN6Q%q4
+%k[ZXDeJH!F#YNS6UlfCOV;R*h'16.D4XcRSfYfQ[Ea3.JO`+>u/%GD',]>lgX^W!bd+Qame7r7]=U2REpdKq^k]<$<1K\)tCJ"s0
+%cr]EtXZF0o/0pk[4m4H[Ae#h!>OboFd<C"fDE:JDf^hPI6ruIli03ZFKcENi@<RX1RV3mq,3_Bbp4^#ck/m:MU>kRE6,g-W4m\0(
+%+/-_+BTg-ee:[b4CBXT1G)8OR!<Njl_OhHt1jXfue(_3%I*cGs[00>[,8o`#j`^G9?fpA`3-d^]'`NH4C-:g4LD&838@&$Agk7@n
+%+]TWq,@FS`E6h=.4^6@^]uk[XQ[S&oo'*7M5fmC#J=J5=+OTIC0m_Cr@HB0gNV%]lS760"=ssdW'D@<8oc=dR(nbN=9VF.leT2`p
+%,WL[#jK_X?7HH#.B43Vc^P/MJ9lM=R(j*A^`"^f*_+gVII_03\Vs/MMYcK6<I9j6$s0s-Jr>BTnHC7oCjL177\#:43?fHu$pF63H
+%K/?sj2V=LeqpER'-=[d].q6sA(&e(\b7dmH%DK<Ag_QHC[4KScO3aj@,!;9ZE1,&DiqHT22fPKlD0p)ukD.>O&'ore]>UMOV$D@u
+%Fch=F\(AF4c(OEGd?\7`m@ne?r+7duRmOp\rpaP=.4gRa(NhNtm*DjR0oi8I24Jon/D!nk%HkIO6gF0([##0\8I_W%EV0TF05\^8
+%pt99ai3]!OYg5KIOSM1h_In/m'[d]S"C#+cQ\>QTdh6Ps?-<DnbE9pYcSDDE(-qilK)c3dhWLqP;"KIKgW_-LI/(%!cYSur<G/a'
+%RYWo5/L4i,X)>6_7)k4>?UpjqeW:nCZuRRaWkAA4Y<Yj7j4-#*O!f&+(]d`$eEnG._K>e4[DZi\$EX0*Z+p*UA)N+t)uT%3l<HQu
+%*MoOoGIA*kGU<*$3MKe]fTh[-o#KYKm(j9V$]qKds48UfZAfi*]aG5%XRGaT^Vk_BJ62ZiH<ZoOj!BLu)=_op'(41"TG2fG$*tHN
+%p%[!I)O@;%4Ed*"h)66?b_j@:A-f\]Ke_:fnE@!=-aVh"p9XFCU"M.l=_K<%'3U\W65n%u(Y7G*o:@9t;E3Z"GApi'cVk5QnTb#"
+%M9W<?gO-udDD06hX'6<hi+_c>J(@92^$B,N6)5j#I^.`dZi&^I,s\5Eb.XubGeEH.N^YQW,O]F,drehK0k/O/Z*(s*@c<0?2qh_P
+%^43"([6K/PXmq)2H%'uc\3E:G(JgBC>C!g*S'Sd'@ZPiH:-0=M'<A5^p:I6G&gt[VICOFb,*(Ys)cp6[^/(A*e`Wqq.(8[Cqo!B%
+%It2JFmY2[p_p`aO0b>>Jo/ImI19\IOV-pH9RNC?U<R&aHhYj!YHi<m8juM7qH8o%%adet$YhRqADscep*YO`3[+l\:Vp"@fVEQLs
+%\<0S=@8SE30pigFNadmaajElLr=/,HEbVmLg\\ZKR9enN'#\(LR9Gsk6%8P+U$R`qHD7!GkVH]AlL31[4Y<oa?RO<Qhi"B9TG7Kt
+%Lr0?tX"dskUPR5#ol2XA2X`KPZu59t7Ig3*gNI_Bd=rE4o(C_smZ/95,Pl:;`::E-IK&IbJ;a3/MsbVDpp3@@.b:S;D`Yh74ETR0
+%=$;Upn^2!fk[GP]H&.D,n-Lnj>U/LJ#nt5JC"sk,YHca"!B7amX%\jmi:@s2Oi.$CLq\?bNnKq4_Cb?ncHkP<*5%p,fs^&;kHcB8
+%BS1:mhuJfo,V*7"\AYX46d.4cN83>q7OMZkH?VfiYBi+RpJsq]K""dk.<[3G<19Z)?C,(JN<EB:.`.7F%D$diE?,Hm`((O9Br6fF
+%TFfQ]V7sPT3P*^X,ei_bEf*bg]+=t'(fk`Y7(Hd]2?HnJasoQSLm-e?&/C.#)EpZ#-\?4!EhG?8()L!ciOZ6]6VA<DMr0P>?X+6f
+%_77Oho#;M(%!0)Z3p@qrK!$>U5o^+9qi3?:BcZ?^02',514)e95Ne<:#5eiS^@T\Ndn`2eK#ZM#L^X-(CU'\/I9>WY!DDM]f25;+
+%c2!&<q_UST;JH4/a^_,/XgLu[q<"'r@<t?n^/O8lk&?QBX"Nh8,^Ws3O-:@;>,SDWGVRU`a<"@u0n,:`1Q%C@]*XZR#!m7r-\[>,
+%$OtK,A9`ou8+![@UJ[(Hg"aV-IaqKCZ?kRTOsJ"GRm(BU>d9hdnAD-PJR>h0W.R<MZfc>=X-*s[IA6T:q)<RT/>\=a^s@:`$`pmb
+%.mEq^&"5N-BERQ3MS5dZ!TZt7BT5C$O(+TlimF>L+c*E:%4J8h+3P0engq]">S8gLM'QR9EPc,VG(P)LJh#OsR3.Qd7g?gqK42]U
+%R&obU*8kF+-pi(ZQL4W[&q3^h_c;8JA<b[El3FH6Qn+A;h,gW:,"p`_.REq;.>&s0%(o"FR'VC!Uu'"VV!HhIW(t.]C.tCFM]%Ob
+%FnQqZ3HpHt^3"?(fFjYZ.(W@YX!+-9SHm*XFCAmi<(7T)"*P0maX`?a>BE-s8]FdZGYehNXu]!;QQh>3*\:OjIL_2[bFd:GQC&;R
+%W$99-H..:t!V6esGB!gL$<T9!-Nu6pRk@4!LunebJKJIRMXd<(73F`j_I/]%&W7s:n@<=,%j0)TZ-k&s&`uH)kj/H-Lf)KqqEG'4
+%">OWQ8%"LHPI1DUc3jIr\RgDb\3Lcrk,Ph]@7_^lI<kc1GX*bN@dO&jEtq&D(fdXLp_.*@Uml<068^>HC]uFlOdm7=J[g0&Lm^+5
+%;sFA,Fr0g+ef`0dXA+rD:0d&i`<HcKn<h`W=t!dk0Zieo<V8dCC/b9In=@X?U%SW;@)RaF<JH(<P4hk"cFgo1=9l9JG4AC8e@_[N
+%?AdZq-s\7DnIUK&SI?do6pJX$&sER9TX)-<kC0KFi-FWkos@9Xp7MjHB?d@@-T$)LBLSaC3XY(?r#Em]9H_b(o:WD*,Wd)V4W%u`
+%9YA*aao35C9$s!!&CF$PJ?,(K]$ULW\QIq=MCH<$1f+fV;HQJ+Fk+EpVGO)==-WcmANMFE%\PQeo;,Whc!A0&7uSJ*?;2#il;Ck$
+%ne>*,EiX7W&:T[Ia]9r\Tf@aT<;61[`\H<UC#Q]Y:EgNf@D]@ZQijI0^EJ(]/TG.;-!rN,Ke_6CN'cGY8=6ZH;dZ@M/qYn4iArj<
+%'p,PnEKfDiN;\30\s?/JYADM>'8DK)MEroa4B7KKkn63SYYu>XW46`Afe#>.cuJc*q%Gj^e.+biG)EcGC8_AB60a7T6J81Z6ie`5
+%cu$>S/.ira(aSe^$TGkJk]kMdAC_&ZbknD^S4U*G3ksZ&OD<\uLjQp]5_]?AK;EpLl0Z"[Eki3pF[=Fs?^WBfVta@OiQ(9-L/%T(
+%^Nt#iIrm.L\3X&EmEHBj-5?-0="oAF_U(Ou-/il0j,KI"<SX9cJq/'Q9Gr$*ALTL0clT@rL@RH`FhFpk`0s!e]8H`-&.D_(n],RJ
+%F`(@S:-N$FPoB"6/MYIWW5CJs%%2h0[Pb42mJMegCcd,a$JuDBj_5h2d3!kO*)*ge5DT0`XkeMVkg'lObF3()LEbqNe^++:P&GB3
+%[Pfl+a_m@tR[+Q!?buuUep7s!<K^Z/b.F*jTG07ZA5l.C;OMQpW^".I;RG'r,*M4^;2C>g/-RC4S&Q8TksRAK+b\Cg8Icq,"6LB2
+%nkY&Q,jLE:q'.03Jse%VgJiT0eV]!W`=!d5Nu6Y3@aIPrW:!b'`aQ\@EJ6S!FWUcQrNm$:_6/H6('N')n%`+_e-(]SUf.Yj_T%>E
+%U)=n,ODRTX/QIB(3$#cVnq=!5o#bg<d>PK\'$:M*p'bb6U?2a_We`-U%uqhfKbT+1M"s5Hk?[&"&$]KDcI3G%7+e;sfV'f%ZLrZY
+%Q+0JUpiM'/cUMQMlWI]uLfMA@&:$I$AI5UgC0OU.JmLmO.CqD_#qtJNUbR^%cF6l":b^?FaD)@!(*>:.P87\l@iC;jQ"u#[/?1t9
+%jK,CM!;VbJ"hG$JAeE(Vi2TT]KfT:n."VEknl"XaZ'6meFafE@+lH8n1h8s>F?&UN=>HJWJ^@E.23*8Cg&eYkKJRVT,p]^^B\Pt.
+%38o*L/_JVf"lu)pU#W]7V)r5>2,:mbNYFgWp]Nj<<qXa[riP+62`LeVlSO^M@1B3;ATjX>;-nPkHKO;W$.0*WF1Ps,K3k9S1o\Xt
+%2g$/XHj[lg*n#YM^oe3O6q@C`^AX8@[pG@HMe@`W;@d7]5RD7"dFW<$82EXu"G%3:Uci=i":OFRm#0X&CD%hS>Br%><,V+RU-sK[
+%cZA/N,&%8VZFLGdD+1+*iiNe]Se`p9.;kX/ZH5.WeJUgF"h7H)Z$hMDQjjKNr@E'(b"iSP,0nYOf-V*2CtTI5D^3Fs'Y(2%6+>EV
+%r$9<L"D\;!\&C)S(l:6s'@"2@Y`:?49L:a2,0tu<l0ZA:5\E1rEL9T<"+c$KTYe]ZBYiO+%)HPA;7q`WTi%G'kl6=r5c7`A8ZF!G
+%V7s&6oFN'TqqO)8olUr0f\X`*E_r`6L0Qa`.d,7X[-fQ<#I^rc>6u5s0sYQkrf1Cu&::=>5S_81dDoM2;&Vlp`$lP&$`V4$]snCk
+%b-GGWJHaOGZ!.8M1Uj__`l$gKC1I.PY`'8Ao%>'p1PIWQRJ!YQa2A;`g>Q^Z2F@KoXcm6MPFBus0,*@RiG1F1Uf"L:0A(m?cnuB\
+%J^^+b8$83R:#2I:/?(]rK*JE$2Q$V7guRZMb>.'`".$$*JaY-Xpm.,'oJT9N/g[^KaGmMPo`BRd"<=jVj7.pfhJU<=N>F2=SV$a/
+%3&o7[f@PE@U-Dfkp$_nO5Q:&RJ,HpNs6tO<di\VKDuRperq*'V78cK($0F&?l+a>m.Thi"9&/n5eFq]ZWF*$ciadRh]G+'<o5655
+%iSWtR_0_B^0bL:6>*>NX%@5tn4$NA9TDtrs)C`*OiR#?qg*#Dh#rYK,^#!O^Dgm/uDJ8o#HlA4rA)i\6WueD6BqS$C3q!GqU*^q&
+%Hl$`8_MrrH/\_)WmG2Xj0_Ck$#g)'hll-HhVn00l6LW[2M)=Pc^af\)Gd#A!rVZA,f)m;@S]<^oL@*l3U/1POL_H=HZeMA'Q3Mnf
+%[k5>kq47E=*e8Qu8Ni^O8K%XQBD<BL0#G)%gJ$cn8DUT*HVO%TcgTZV4FuZ5IZ]3bM\9dFlqZ<F`fBPWokm^=%,pksnV^p-8MnIb
+%4g`VF=QF9XU_8m[1rVC<^N6lFoPBMWkL-KIh:bo@maG/Uo1i53oCG%fqd&5+rRrTnr2Qkh\=.9-BWHOua2!"\GFIN\TAR367j_<F
+%L,:E?9NW<P&9("+@2[s>Msl+DkC+LU@>`_Q4*dS8XG\tJo#856S;3gDn$L&X5JM9SlPY/Uk.:Hs*^c=SBcB"C9,cf6gWF(JYP3rf
+%-ou_.O8jC2KG[$X1?s#=C\'JL^U_rdHFiD`?+9cU[FB?T"BGs'`-ZA"HD'GJIDj^pK7G@9C&W$P$\B<7YV9O,DnXW^Dgm.VYMYma
+%e>4MDk[R_HLYH[IHT/A7k52j#q!R<hme;jOLAX*o=kYjh:lZJJ!qYNqpmnkgmcSf^pYIsVLf2?mGkKh)X^4@r/<'@A>Ip6XbPf^Y
+%hF+27ZMkV#1h,'cGc[8+5nr7H(4Y`CgH0hZA)V(Y0$(fkVqk24FV?_U$qn@af&M%Ime"+\"n*Z,`1?%VB+Re&^lEP"%cf%qC\(Ul
+%^V/Al-5?@cP.H;-1S&n/gAktn;;P0bh\P,Jr6G7)[%qNO$0bPZ/'r-E?LIs!"0_H*>C?2:488Wni_A:QbZNgY^M'AHj7,H,"obAF
+%^A%GoHc>H'oW[qBs89A+nAi:jS8nH;k!6sbd:Fu.fcAR05klQ'o+!gbGPu]#M]6GsGl>29f(f7-GOB_sLjZT+`MXk2B0ZF^T:"tk
+%m.V,8RDI-*\nIHur"dGQT\#U]_j3XEmSiCeg[Un#r'\3=9L<kd%_IKpnM*L<2&OQ1'&$@pBb$8+D[Fe?l!iOY]"jUH%ffPnlB5f7
+%!;_4;]b%mK\>SX,6!TpOR*m$g?Y4b&+a.FJGlceO8CJ(`eEA;CP]D[/&H3HmfsSK3PFeTr\XiBmK3"D&2JFL>[aY&^KM`3*P2spZ
+%EG`RR/gQ#E<\8/G5+O(q+UC[t_MlUYcK$_oM\Hk3%/$gb9\UZ%SJGehq*"S%KSAo%N"^irYU(JeU^fU_\<ek_:l^&=_R#E4ZgkdU
+%[pbG]!"P>NJeL6q2;AtrJ"mdr)g7\B5Upgt96*0h@17-fJM%!I60eGlC76l#%-U.sB(^tJ5o,qpN/2%/9F8>?KF8W*Jqs\/*_;`h
+%D]Y]7\3&aY9/ibXD^).\J?Q!f]UER"FCPp?*7^d,$,OSdK_n8gPhM,";LlJk0uH#A\If6]9ak1KFfm0\MKC_S'>^?=<ip,AXEG`f
+%*_dnTD`JE$o'f3gVISJ?K2lfD\!;RIf@jKdZH0=H[Q"Pc!n)f[)DdmqoDj^rBt1s?]USs)9CU0"1SbR7K\cJ9SNBE"E+A#s8l<FF
+%YB",W,2(l%0tjirI#.EuGLA8Q,6X+Tg-L4YlI%IDdfA_:YSK7GI#fo4PLRX;9Xp%p&_sR6-@!>E)5_Jnj(-G3/i"]"ZY6)0:dB4D
+%<!=rs/&GJ-X]p6"j[Im"F5%iOdBASV^p[]5iAcA7\sRF:VD"/qHn8r]Ad*%oddicP5Z87AFnURaA*tmF,AmYe41QmUc:j!"P*GI3
+%G-1/?o,u0bmA89%9aN96cQp,@_"oJ@:?Wkr3"[_bmES[!TqnFM/VM/A%[i0XTQq'SB].<4apE*)m&Mo=&)'@YQ/@CmEI]E\4=M'2
+%/PXbMWjK/i#ucudK_2\Z-?1E/a>`,46_JSAWiEQ3)PnB.oB`Gs$>ph[JRIA%"R#$R4#EjmU'lnMXGBngdZu'XJm/:45aL:0Q`\Q=
+%1@_]LH:ch%C>#a9?_3+8,bp*9r"A:<O%jXd*jGp[*Z*=I[U_I@5(mLBK5DPuYt5[^]f.[T,iG&caC-(q&N\;m&2$Y/M`<Y`O@.f-
+%,ul4+g#0[-+Z;^n#eKJT\9V:I)$(sPeru`U%53mlY(Us0q%%MT&5(pM"&WC%?m<$4n-c6/G)GJt*^iY!)sgZ=ORYahR4>#?4<$NI
+%>qGk-RF7\gXSZ*;$>*A@r#(jQ]^JLCgl<\(pN8T^]3=J_7o[=gD6Dr_hjD_?H1q/qV49$[><+mMjdF<L/5N<,+!N#!@@`0gmpR<K
+%Q)mh%eAJ,/(XRDcfJ<uZ?1;hJ?#TTfKCZ+?rS0],]-\TaoFR3*?u1fTU@\TZUt7d&]!rrDk]4EjIS_lmkC""8f)#'VR1r?\)TA,4
+%Z%Adg1e8)8#RHDVJ-JRMTT?meJufG^%\)aLO_6\5Hr]+68\SJAM$gu_&ui-(a"sS>UbbYs2]t;;r=):HoKAIZKq'WViX[9G/0FX<
+%Y!X>g"6-D]7Lq9b=`Q4T<(Y1qcKQjLd)QVTUs3+8RDQA5GHF,<rrWuX*o5]3P\q$6SS7:26V<;*p+a)BE?PSE1bsoM^e.=cirBl_
+%]r`Z]rrPtlFcV<S;<l#&#c+;:``e*sFc\1@ckK$V8f`[NWte.RAYkc^W6_5V8!dMTQu[-1pG%YaKGi)(W2eYr0Z=qbH#J"3^WLEU
+%9I&16MnTEgNRGXggi7H"Lk00h4#mSb.IoG1Dil.p(+fO(_!-H7*'gfkftiF=amS\HN!5;@d-)J]h-6WLc'.H#e"5Wm%(T`W3[Cuc
+%jFO$r+Og`q[+,WWR7f\dHDUtV"c)(l3=k3a:H)8!R=iXEIA^g?mR@XP@U(\AqQC&9eJDV;?KKn^VRJbQRC#Ocg,N?BmK=Xg)@I&F
+%2[9UIY>%]P%q!i-NO1Q=Yb#\mHUSi<E/gZA_Z1[IKs>R-Ld[@aOJHa@\qYPSd>VTf7Z(uBT[Sl%52njEIr0gV^D\e"k7^A'-A[Vr
+%%TURS,gK>N*)B9E!?trJC2t17-G6u[Cclq'kpe"FEAZ[7])7R^au.:s\)q-J/;?Q;!km@(*Y%Q!OdH.rVuTf!F?pHXfpDR;hH'cW
+%/V"M(.g`CEgBYT!/<rd,/UO7R,r8727[:]*UK(PM^nTg'C\MpF&UKqn2U_7-bP$MC[HAtQnU,Yi:_#)Yc.GshV%?fRa7\Sc&6TWU
+%2akKEASrYj"L1h(/-GO49Nmp.g]]#6]!4mr>pYo`%3AJI`ePW*SsnX]3Pu0BlL,G:Ap*.3fME45or02t3PGS@FgDD4!<uEDE<C>q
+%ZiubPCi(I<H8\-SPhRP!'Y5i7ADs$_H84R$^cj1.o$CubmK"E'p]q7jZq6o8aN+E;%:<aoeUS0%_(fn1c7CiW1o-U9eM%2*+d]Ot
+%m/RHG!*,kmb"R)4KPad@\sCKKeDoakU^ER##s:sJg1+o8(Ej^jAP.@p2J2W#CqH_Wq;+6qJb9MN1*3J]R7proG_!p41Vtbc-,hf3
+%b3-PpW*6j%cr.b51BlsQ\?i_E_g6YGRl+!9Pb9&"ese'8!2pX"XA-\:T@pO>R(-PQbK,i7rmeaf4gRfgMFf:9dX-%`.$NCV:K7b!
+%I2_tc'R$e'mS4NJa%@Y_883'bKu2?3eabPT7/r6Q;FPPZbhHX]JO'dMkYON>pO)?cI18pC$NCYQRM^t+npLP?-L_<)a^>3>[_.uL
+%Rr6Z[[IMJ")%W,+/m9r40RNnodj.r/F5lhkK,j4<MHd*i^ors^l3,bVGd;_=Dg0r%ggekgSJ#Dh[N$:ARVVl=E6q09#__"VBg_3m
+%ft_`I#-rp4o[j8_BSm)rO3Q&5hG5J^Nj2D2$p1\1V,gH;hb=8nf_mLrYS<>r'nJGX.$@fIS&o/YnEG]tK)/WO=(*=);L(#/BZ&mp
+%O+#BMhto0i-$IBXlfc3@LN+HSJl?13#-p@ooEi\ha!7BcPbqh_Qj$=*H/'/m=?BB6QpSL4=S'_5YT=>M)kPVq;oV@#1m+*AV!$PE
+%TeLWL?qm?a@Zg#A;FZW]TSeH9P[-<fc"[r@[;K-JRfrl&S"sg!GS.''e5;GTrc#Gn-7=]P.NGajl/@K&XC1Ye?B:YDDA('2IGXFK
+%`@RP<Tdrhp9TaDZg*FUm4'-O>Vm@6l5uoop6:88.-lrF2CTN8L+jlQF#'rp/Q@:3omQEniY6s(k.;Ko.EE2:lSu;A@E+:k\O8Y$%
+%+hu_W@mjdmJ<G,]7De,AYqFo%X[:8q'@ii`2/U:+ZmJ\q3AncB-pU+</qp`d\eqa?K2N#N/a67hQ4/'UQGB4US95-/#5G!O"!qd\
+%@4_OPUNDIu=,<#6TWs>s,O,a"+-'R@rXdc`q7EGSPGT,ujok]:<D"f=Ka3#iU@UXlm2l2J*J>s^#9J0$8P75E%$I:i^P1L@<$8;i
+%Ml[P-iYac\&+9V8!d=9X$O%Yn3NOTG)aIXJ=TrqdZ+fh[]?$-/p>!2QbOauQ+h0j\/N2@Pl;Q"1+H+<9oIR:Y,S!!YCM`-3^S\&%
+%;=Zp6l-QHZot<F+[Aruc9ghb.]dpp;17roVP72%pb[Q`7]Sg/YOsT=,f]omu"[=ZfK_pFi42Q3p0&]W7QK!=k7GB+4^KjP55h(rk
+%^KqZG$e='9*F*]R,F-Es$N9E?kA=^Q8Oc9!qp68gQD%At7:s]P/D*YT?dOQXXr]ijI)r[9]&Fu(J]t3o`ngo)hhq%Sg.nn\Fq6=b
+%J7pirNXKK3XW5M6&`n)VF%2#CHsJ7S+QPiGAh./9_(!r7p)[tA+N.+=/OGYuH#s^A#HLW1<5g96Q4`RA-3]P\R0:fHb>,[^d!LG#
+%c9nmN/;or3)(Qo&j]##S3]g%0nYClHSeG+D0:]T9FhF+V3b.Md00eK=/L!fYE86og+tX9;BcI[q6kjEROX$BpFjX'UjNOcM#1X7B
+%]7<.$dZ&"Gb+&[PnH"#*ZELdLYZ\%3;9[H+or[iU4K*ftf`B`1P2`d@ieUPtpbd%,`*neHgQOkrE,9YZ7Q(]E2qTtojDCoDlU@4(
+%(?@;Do:h8;U2ukqYo7bfKo-QY4KBu0:9=.\:&(l9FQsu_J6\[IP2RBF+snm=HC#oL1E6@Ep619iO(?d472ho[5o%A:GDZ=TU:`NY
+%#_Ien"mFZcOf3eCKu-"(L_e$9S=ea.+:Tcb@AYDKkhQ%rl%qqq^WB4r*DSkoSGFZga?,Ne=k06W3b\-mS)be!H>"'+ZTDrgiBtRm
+%d_t7_oO5VeAc@X:W<_B!KY6i^9JnklRb2#cBSqd7T,T.dm._R`.a;iRjec"98[Qe)5*=E,<b2j[.!'END=R2(7R(kc66IZOXH?o0
+%)?;I8\`Gn4[TN3n4*A-)X>nZ`4K9rNqPb-Y[E;DUIB82SHEA9V`:,$L&F,cBrKtS2=:oY-Qe)sFh+;Pu&t+`K-o;GP=<S$*`)i`R
+%&Ca(m))5F,5b&9g^8W>aQTTJl"Q.fR.QSA<Xc/'h_0oeT'uJY)8U-[E#$&>\IhYh)UoVF5GH::0E.U-ErbO1C$/&'+@ndBEK,d(G
+%rYs18*R&X"LBAiJVTpcIf>"kY'nMa.d[FPi(<[6R?=%j]!\-VuMsGh:I$Mc:N7ef"2!*YXmfWZ\+ikPfB@s?uesrVA^G^bHiF?G5
+%%0\>]`YL'c-&]^KmBWf@e#lZfE?F#&>6/4V^6J#qK4LiN-VG=5_\_NFJL>7^86<f07Wsfkird2"?FW"X\W'>FqTI%P8$IZ0Ll1If
+%r@6*$_K&S4Nne):g"_RP"MANKKdqrnZKoEaa#XRfVnh3M=gb-2C2h9V7CF((4M%gk>;9c?d`Ic'UpgDZVNA6P$ilX_o,4L1/h`!e
+%<O_2<@qX;o3B_Xjba]Be@9=*(:?5nmU[T:T0:7';dFU7&lZIU6*qmkE*Cu-To;Y'NN2/.S'qf-r"A9+1k,^eg&_`E,lIqDq\>B#J
+%a7MR7!U.3J!HE'C"LXZ=>HQ`M7iX.gO5Y!RG3"pD47\ab(8S-k6';k<!!>2Io+G?sp1FuCVe1OiE@r1t6Gr<:*j<dE_#4S^ODd$/
+%kCl@2fJj_,8(=e3<12]E?jl2'ZJ>C6i$ih2Ge#611Q$bd#.Z6LJ8bsPIqRr%&QHkN_Je&%6?&bX$-SNki7h1?j:.WG@8+7H>@ftM
+%8N3/2:\K`m2A^XT?$X$6?8CjEE]O")%Zq1K^2>Ve:(g`Pm0Z`)*+r>\3$$1OC^Yc$'Ll>7p'$0mL-3`;f/QPrR1:j>/3mcC_QgJq
+%KNo/u%VB1bD-Ag?UOKeL`3JlU6U6]OX?/A:?:J(9n&LepC/X^e('!jpI97[&K+odeOi\3/O$&U-Iainqkl>;B<R;,-&9**A7=(V@
+%qCn?ae&]ZdQYn.g^kYYsV!-b,TcpI1m^];]9ncmEiAoliaE/U-7"68/@u5u8iY8`<HCG157(eB(jee<>PqIbf3f\Hk<LBO!+[.q>
+%QB42$%!G#i_&ZC-i%hVL!@]6]B.1#:&Qp/D9pQKd1>69(^I21,L0ogg\8c(6FbZ%G5S7:V+/@n@^rmQc9bL:*Th%_Tq"3#=0Ok*1
+%9D_D<,C&k&.b?XmSm4=+bnr75dd&q:1FCOO4XdY74F5r0(g8@T,8+\0?cV+hOCl!UH/D@%)et+LH>Wc:1Y+*u6`oICc*Aa#gOYh_
+%em;2g$Sk3"rnu%gZS+<=B29EB5b-4O<^2BroHlj0!BJV2hRrS=V,S,aSnA`K8jF&\#mEt6J&cqghFZG_Gree+C\DO%!Rid6AHehJ
+%2UIeYeB]7O*_i1Uc8<C6'sj9tBuC0tT1SYlBfrl&&?<mB*J'SD-_qLK#;rGb]KLZS871]Fp-m1@U$Ot7,.;#i6Cc!q>:sKf7(d[n
+%8,,ih('4Y@8dj$MP%2^?X;1hjd]ZJ!i#qi-F9hNKoj=K;M>@<!"D2J#rZHb]7UBU(8:MCS+bon<'8$#)62VHD:(Q9$kktJFV[N"7
+%BBofjLMSEbb^oI<>M82/CWZ2u9&4R<+U$B"Bg;dc2mdiPTO60b_)$2kr%Or+_<<*3=sQ`rb`@ucj!fASl#r,S+R;]5S-YGq=!aDN
+%$"aT/T@[Jm7j7'qlTb?c5Q9Krr8g`E&$Sf&iT"qO`PDOZ.A5biFoV*[WiLQZUMD!SNcW:S?[g(4(B!/R9t)e4X);'J5tqfek5OWF
+%oABO3U-IT6JYAi2rdtenjDuD%rKAdqqZsUSqdJ"npU6(k2E+&u*^>8YI:<pPgR(6GSOHdRi_m8)Fn8ki7.8RK]]V$^ndckpJ%j\8
+%Cg#*ClhDE9hsQie2YDH8j*-(KN9f1u&qN[Fd5LsZG.e+^oUou7mJ>XN?`f`%bI)-5G-1qsb\cN%5jQGep$:FKpN:p#*6S&h:&"[^
+%.3?fT4`<L@]:O6A\pA/HlLuE`Fe9*:ajoO&8'L)eEDo(&CNUS#NDI9:GFc!%I=gC/a6\c(M#6#_L;/)I+&HQfY3Tu;g!n*hpA&I@
+%^\r6WWMJ9O-B"t*1j*bfplcbA!]Jp(B9XYiH*lQ"a'6.pC&6kWq7LiG4OUg/YHGJH$]`JfqfF>;H3j/#j7_<oB=i:<:5Sn.qln##
+%Y1p2U^$(5Wjq-"8ge<4MjQ=_Z7iF$m?B=pUS*?tj>h9R3Upb;"rTsE`S*@ulGTDTMB>(139g>5Ege>JrR1@-deQ\N0/'n:R9V:?k
+%Iu``:Y^bG%5J*!FA,F7sq`HcU9q-RNXPQW89XESLHG;3+q<iD$eYYfb[a/"o^.eRIb<Do9.^;'g=@ZXNg&OGM0m#BC6^X1?/buu*
+%M5DME6CE%N&sM'DAVG+eD8UD`8_cd2D<:"CEKdl0qf+8WjS=24pptlhbC8TJ7#.BP:2;dE9KY)!&9eOSJ`\mq[pSO:gO<m9n(hO7
+%j"8:L=8grPDf6"hPY,c6FWGuQPIiqZD#AClSj,(]DXB:g$u#AsI=5a55QCALV=6TH&X(&o:i-]<:iY*)S&<dBI%A$!2]Hc>eMDTt
+%k&@_NRn/"nZu'loGAaiL>\uc6IlFptlgBCjr6487_V*7?DpKEl]5GsC:>>_1[LM6q*nB(qh9YOEm_A)V,(t(8NTFT]:HNTj5*%lf
+%G+P0a,^ZLUZcTlUFJl>2N9i9TRpIuQHO0WO$(26+Y@c8h`Y-dQXDZ]i6p3l-FqJ\4p3^nYqWr;NP`t\19L<`0$62AV5EToBKH<.]
+%_2&:UA`NBc>5B`dn=gAgL7l7qk)fPA/X$l=^$5pA]0dM<VU<tsVOAeXLi$o0j'G.^p=^J#Sgi/mKa0h!KfTjN8Kh^?,*gpOF!q[$
+%BLCD]EGl!BK'oR^Wu>$7qkX55`c'EXD!aVs&ZuF8>[P-+;N9:]@ou"32@Djp[Wmh/b[`XMg*\O/LaBoT6'r+d"[Mpg?1TjKlV#tp
+%We^D@a&\9WF.)A>`4AbSbM;6Q1r3G>eFGE9W[LF[D/G*qZ<;Po@tK&9*+7-cZt7kGGV-JjH;P[a]R:R9=q7NiVZ2j(Dhe:mW]f)L
+%7i2^h]BNtr6iSTiIV@r-'LZgW8k8pkPN2UQ#d9qO=>]`t@7ARD['u&OJ_6f<9Q*:*Mq^d%SlMYHk5ed'cHBTTA(nF^Dj,F)9almf
+%YQLgdJu%YA9Hdt%:nM8(A68*oE!?prf8XhK>sfa62FUG&:;Z4Vr#F`3FI4VG9hat&YT$[(#Z2E3A-`*M4)"UgZQ8PJMVeH%'0lT1
+%WO8iQ6QhYa+o"5rG'putAVM=[[H*?p:iQpgBda4X3WpXHKh`W))0;boW(E@,li<_[3)d%H6q8DG"1*NP_<Z&HB(5L.O))RJ*%QLI
+%4^sOe.oHZsM;CddPpfl"F:;^NS"jhH=$\D<`U,/l==-tOC8)]"`QuOaA&];7B6",Je!a!7>;9P?+4ADmq+82Xi7:>t*uR%a<FU_\
+%;nc!_9FbD1'G$.@kXk&o+g[kEl/(%=l_?tAdVj$?U.sGVlQp&YDN0BiTVND^5c'qnUE"N21mYp2mg_ISPnZQ//dg,G,_t(\aFVUM
+%Rkp)>dq!i.>[;[3^ap!pkgF*g)U<-^],^(L-r`:@'m))/9C`q;dN$QEP0rs:pAj^`-;ca_PB"@fOs4hC7d"eR3L`TqH^<T0[B[:p
+%nZB=^QREk\@L9JO0Lj77lR!?2,NpfiABANgS#\qkLZ2XP-g7U2%ne6MH>q[i"0--KosbIKUhAIJnA:+:C<d_7#(@g]gG0&TN&F-L
+%1fR@M`nap=])4'446l</&c^k3gI6S2KbS-<htLt+9NH:gOG(Rrp.6GaX></EDiQ-;M<Hl6>JsjT;%khY3l%@O\hd%)%SZi7__1"A
+%,t[]Ver##.">isu!UmiN>uUtAh1cGDk?3kfT#`h.WQk0pK?I_U,bsG%>Mm7TYlR(8ZuMc_l:$gE66(o+kdq!r5M:<M5otYHRj9AO
+%Z'=WK%.Os6ce7WI!C/Js5RS!"!LNsqI%J^QB!JNWeu\BSD/f)$b6\;D9;-K3%6$4M"nO+#>D\N8#=)=u@AK(u;iJR(]hW5>M!G5o
+%,nN-<b,mc&fuss.5X@A>Xbe0iK/&4='.6goDEj3N0oK]5H9i(:n#%1XS-s!\Mt@h>g6Xd[TW<Xsf;BJ&4luj2a_2VkG1_Q@!V6Vr
+%0iE$#r9r"s,O,Q42,Fc*5Fdt+TH4I%JMn<@/h(rl)Y+);#F#XIAN"%Z=];'#bQPu<,9GBM'QIPn;a^%2ipk\Hc>pL0"6D+g^:"&$
+%-@pb;@/"hFP=Q^YK]9Kd(^qLYE;HN!lRi;$GK^DQGT'#\L)@nW,q'JdJH?TNV$Z`bLCHlL_CcBN!(<^k%TRa9GT+kgmLV`=f%6+D
+%8D86o_:&IT!hakq*\pW]aR(2HEXl5cb?#WIlT>%B<S,I.T<;UfIQ+)Sr(Q:0kV(Rh<!bTrEQgO_A[0<`1:5KV<j!_p9mQ!a:&mT]
+%Os]"lYIGtN[7%!_AY*XMfWGkc%A8CpD]:@<Ebu^g#k-5snU^NKDLiE8307)k_\(FE:=p()R$WLR1[ZE^,$?2(bd=SYFtmHEWgpJ/
+%c*BOp3A^MgeRFDhfTlSP1oB2sTb'\M"f0P4GT-,p\rlU.hTJ$o;*<QE0JS/$4n54ja?]lu>.`6r\EuG"LaE"$qsL7;*ic#J3k^[W
+%JMeLf]ZC"eQg\&#0GiX=aB#RMdi5,Fc:S9["(s<JDGr<;'KtP+Fg5N):Y^&?C^Zco&>$_]j+XaL!:E8=n.Ni]I'tc6,!"@*MUuQ<
+%$3Ukk(e!f;@gibcF&101OC_t98FD;nB2s<!jc;0@hT_gTd0Hf^)-cCoU7e27K0)4P.=bL1g<prk.o86NKBtm""8lR4@OU7+A/NRh
+%@2BC&_W)&,6a1G?^UcFu@0:2C)GepA@"glBU&421cX!_UUPc@%eopqqF?HU6%,hfpF9/n,<tV8fMQ2]q]E3GrBrGK&ecXoQ3CY\O
+%h32pt_@+7fH@B!/o$`I]]PFlO'<hj(5%FeDjF6L=3.8ZKa3SjQS>;q#PPXda5-2X!gBM]I.M6ANC>iT!+<].%./kr@]"K0g5B%=S
+%W^5mSV4o?+5p`AYdr=/eNuuC-YuRG5&GX(fAlL&gMp_6$Ha/5(DJ]MAke!s'0mB'2,1Q93%ZdGMQRf;^hlmT("@]ErQpQ';E<aV9
+%>QIY+M^buD7i19YDEC-Fcn>iVpDfDoh%d4Si?Ue*PflJ*?'iiZkBDb0e90A]pr)dRk!"%dNHO+<*q\%\f'>JVq]7,pdoP;N<YKL\
+%C##$"ZVQ!1DLL5e?+GraQOK17?=TrhlIU5q5&FrfC-Q3WnfjT,qVC`oeQsI.Zc]gRcSmN3GdY9sjqZ1nS?dDqgKPTZR-d&EF.)EE
+%a)(JhZ^jnJ).pM;1#)\fftPRJ@$Q/\D"emT]pnS([f)3=hVusBZQ8M%m=*)lpH*!AhjA8-RXS\Rl]'S`Rjm*.T;H[ggV,6MQeAN#
+%Am9362U<6%GKb6D1#(G>\=)`/A%$T&]Zdh!A%)8og"u)\,KoIr]iDaklbM6hBb-gj"!,]g%/ofG=CCW(Z6RA3l!/G?ASlPVAf#G-
+%_@:M"Ba5!fL2e5%,[/,pj*.E\"j!U3[c[&8C_XDb?[(k2qjHp1m1JZt/`.QrQ8DT.i;<34B:d^1MB!1WGMfQES>PE&FkM1h>F)ON
+%Z`hg-cf]cKG+J4f3,[U,i]U%D+alT(oCgW"ADH>P!c#>3ccP-#HKr9/e(ai@37j^FA'O:3T)tGKrk!!Fa<Q97emfU4+9Hk`?)I.&
+%Ormq[BCt?5;gd&X.Fsigd/gdAYFE#0X>bR5G[H4DG^Cs_<XojfqsDoYj16=)'5Y(Sf,m/b?`e=te!nr[`9[/ep$?lRH.X&(QJ=S8
+%rQ.s#XnK'g)"%94NQkLN?0>(<ZZdrWB)!t3HgWhb/:#uba*P/SqlFP1?`phWB(OOXbO9ee`dFr$qX<^uCHScs?)uS_L#2Y?J-5Q'
+%IJ%'W2`P8D)&[U*'>7a3]kZEYSo!tbni^_GN<8VD+t$+*)p4^<92?:'1*V?>*_B3K`+C8KX!6hf9f#/>O-kEXo>kkE9=gLCi\o$<
+%NtYB!2,pdb@,5,M"N;fo[g3d^3nL(nQ*_PD-IBEDJjU2UQ;c?KX,G"a8%])^""J)C&.qT)86[8d$*9f]OR?EIiIpk<)-A](c8TUU
+%Hm4Hff2M.\@h$Qk6t6DFWZ4G0cnifgStr0\235ZuW0f;[)u*YX"<nM#A\SfY!*DXsJM#t2W7m(7MpSpH'Wg-uZl%9OS^j0.JO336
+%isoJ8gF%!+'rIi^*_(A]WQq_*.2mD35&Qt-,Z?I0T5:ocpZ@f/j9S%]Ak=Rt#J_5V<a:R1`DV4`AJ-2ZjS9:Rbaq7HLd`CdJnXrq
+%K.[=e(ne`*A5uPiCIoDr7Of0c/W#sqb/:oOk(e$090-mV2)d$n9jdfr;9TR!?@s`g3D%>/QC)<(8;9.o<MDeLB.TNK]/"&.;HS>b
+%r6WuJ9U'Cn59h(:Y%Z",igM;F"_IgT(r2Y#&HmE-W94]'Eckmu!@V&49tDb8JYRX8']SAd;5a+.Ks?mNV`nt&O;76k#]5bho*fqh
+%gjL?0aFI5qb)RtB\AN*'C`WD-`k5DRR-@uopZo.>MHIUA8P;pi$7XLK8n\Fp(i8IMZac(Q%qCPkML9NSDBhk.\tV#Q*":1;;mjuL
+%"(b`XrQE&r[O#Bb(eqnL`mQ,Gr!MJ7JPomH3T`ELUd/ZkeZE#.3,s8-CX:nZ9m"umV/D7Ke8(0iR"D.A/q@LF7D=f>=JNDoAVG5&
+%>7YOPbti$ZWAJ8HF.2Fk1&Ld,;]NMra%2(b"\2JE%B>#9-t2Z/T((Qek?^tZ70T&G'#+JUU@C&'+':ji)D4Zh@6n(;8h,'$0R?s0
+%k\2k<RYTN#Ce4bu=U.KX:@@%_:1C:e`6VLrW0D3fmpu\@/!FX<nP*5BR)@b"S3j4O:=6"k6D-?<lEE#-74>:*R$3t6-BiM[N'e^p
+%,K5HeJ7l;gi(H\.YqQbieN?1=3%,:VQW2Fqco=G#n=FVj>WafE#q.PfSumt\H"eU#pAsbO!<T]$U_tR<5%rX*3=k1gYXES+:#_<_
+%e6+[X#4"+62]=njhebQO7S7]'J:p67knc/N-@f3)#Pc2fk,"j_DHk^q*OHeud:'fr[T4s%WDmiS9^0uLdrh@D=h5lg&#W<l;4pN"
+%K6%U>%YS><&L*MnR\6dj<8slZ5LS+\hG3JF>I\T"D&_V,\@]Y(8.t1Zn.Q"+9jU)?9BunX+k<hEHqs>C5I#+e8F'LV>DjiHi`ok+
+%9P&rq`8fa[6fSfr)7IU6Wp?+IL/:=LcfD)^PbQOmH:LkMX(7ET86!c?hpC#HGG9g;%i^?"D^G+eqeE*W)U#HFg`>`mA:@Es`8f*O
+%p_G$.U6K`,e1/$?&TNsNU]U[li*3Qsa.UYl<qe?I7,$)E"+[h6r2Z-i`3-\!.V<:$ajIqDa%"-c1>T^Y11qa<-np5"`FPV+oMFdo
+%H.3K_)"7g"\F%B48_/2@Tu`,@)r*(Zr+O!K,2#L7,oaiXPkDg'T/<3d1AQ8gbBq\^dgSs8gcSJlZ%oQF+0Np$BItR7>_?JTKRF3#
+%GmI392[t+%24k7?:NbgKG^^XCPk@E@Ad->qD#&1ocp2dj&!o0$AhV$cQC.96gVe]GXEC4/<0loChB5"7l6b;BWeI'q2QQp]0.9>q
+%[p1R>r5I,Ecj)6+l45,XVJ9]NN"\X2g"tJ4T)%J!r&W":+#1G&eaer2Z:##05!i&g9'>[QnN^1mJs.'"fqr+*W;UOeDK=@W1-WA_
+%OK1;UM]k>O!fEK.8qIs=ShpXW0D&EAW<&'sY2@BP,N1b]6VOuQAMAVS)9eI`eMV>$n2u_KYom*mn8#rFO?8AhF&RFlX`Urc?8Gf[
+%FVJRDTQG<n0cB?n6Vh#VlM-YpfNZi&a(gPbUM?F^aZM?,A74\3"Ms@e20XlkL@;t9^MS<7F+=7hZSF?ZiPX/k4MlcH@jI*tp-cTg
+%XkDO!iqS#u#>G%.4%$]JR/^H'mC3A-TnFrlk6.o_,'*(f:O;N<oQ5nP#a`CScXj`$V'amS&S@PCF-3-3n@qO^#e\FJOT$+F5l!V0
+%(2<l<Hfe-Xmf^R:ckPR"d)BIe\fI:h$&9@YR"D27*q(L;J?p!(1tHmn/;sEc*bqoQ!"Zu]hYF7X[)6q(<*O1hQH)@9PmU[E")C*0
+%V_MaD(iAcM:hW6[K;rc*@nHoV.aK9XPR!p4e6T\6:)&Kd?NSQ0B:+&^JL_l!8:.!c'HX4m6dWL*jT?FJ_Qe4mVlj]a$J4("Z$?jf
+%p0(p@_)=&6^faA(KG5k50)2T%I4W==%\!tKIllPFknRqpD]s0fi/@sZETlNr45s@=+XlTtd5tGj>R27bYYS'jjb).;XZh]"$0"N'
+%"(N2b%b-$,&Bq5749N'ob&]<)[%E%f!;>J;.NY0J"ObeLWU.1**(To4<>fn*L57u8]$Sk3-;kYlD$`Rtmg<V'<HF9A3dQkW[%\iO
+%+]<ufJ8hkKJG`.T9*VrWa#)'p#o,@W9TVdQT;ub*k[YaeJbinq,`)f_HgEco]\NcG8g5,3+LuR8nf<K%66]C#8X"8SP%7QHY?lJ`
+%=W#QFO8\:#/s.Y_%G/RUCU1G%W>#pk/r""+^/km_3@f&VNi3Yl$uffPUrR,=7@-.6?Y+Nj#hb2nX:(a7<*_0Y#<G!!,B'I>L*<a.
+%L*gX]BqJcfVE4>La%&4"*hoNfgt[QAEE^"sjONEXoY+F"XC!UI&D`=X'qT+n5B[QZ/\"m;rBo+S"?uD:d)X2%\G)D)D(^u=Dppe?
+%MGg-IT52ui5h!WW#W#l;%N4l@;sZ*>^&R?-pPGsQ=Zt*3#l>&`."p7eG$h!8F]Ra]a%s\"@;_HWhs#ObOm%0(b+KL`.qtd4!246'
+%DL?YjS79A]88t0'-KQU?VPppJ*G&e`diY:AS0G%]fr)VC/7PQ0ep#=,e9*suB%IdXTO&?,72::]pTsSt:2iY>X4N"ZmJJSjN/+kC
+%oIF%rOT,Ig(h_8FlbRW&H+L8Mib&6O@d3Vs%#.?A@9D363KS?o"BrGc3113o+7$1<HgQS]aY\s&$S_D$^$ZL6c8`W$Ge^3X_H6CY
+%nVQIPQn3:%W5:j(A,$#_CD_JGSAp@E*@c!E+UGg$aldsaU=Z_6;kdQsj.KpWVr8*4nIfEs.\&5A0#K0E8bap1^SriF)9f`-$h+pl
+%CU+*18G`P7QE$<,H&%JmU[#,-Wh\I\`eL`dLcmA?AW)Z?hNctQkiF"X@C!=*%iKo=.#i4^XrTR:mE/!'HGA(d0M%'h<Eas`VREK\
+%#`7qh7$e]OEQN<:XYk.2Bt7TnZ(P0GFNHVAoan,;iJ"B+IBp$u-GkIfE,m5;Aj,Ghm7%FpRsiK.,"&cY3;(&L'S'BA-6$KGAN71c
+%<^gG0miD5OGZhLYnZZr8)8L+0E+jP7OK?SP''GWF+uT0GK^<l,qO)UJnm?k92+`X"DM5eF@puFTc?:"#i>=Q:Z$%blk[3]#n.Dt3
+%6mO?(`l0^-E4WeT)+WSOhDnk12QYAdrm0uUO,VK*HB+p6,cmI"rjY4'eB(2hrpY<d(p6`;qdeq)o-TEA(PAW(rV3Ot2oh5QZ=;eO
+%@`\$-0_fnRpj*A9<2E+TB.bdNBkNB?(o.1;(GT,JZ6K9u!^(pTXimp5h!-fGW!tOHJn,l#j]=MY,s=V^:md4K82AG`,l&i9!&8B5
+%rhoMfr';:?]ssjQ"ij;JV0c2Go>Bm4W\*oAY%dKt`RoMrCN;.CPn7i\_UBbpfq!cm?;+o1U(!XDPHmIK)%q.QFa0UJ"@*n-BL/VV
+%ccA@qa#ifORBd`m,K)A<[mM$,GFF<V4&'#On7A5P4>n)F10CEXS3K]/!Jc%?5#ZgTo;m*F0Rfh!7gs.[:!'fkQFM)]d%sFS$D3"Y
+%@b=j30<n,qTt)j*gd[#mS5Z1@P?rWHaIN**Y=&!U#<OBXO-Se%lZ^!^j^O)E#N6(>@]R<U?SqDV!on4/]E/!>&Il?DYtYNa;H%mH
+%kI)qaPfRa__3%uQ3!G[hJQ`SE`HI+#PpC@ZmS$\:jPKN*da6`H:gjgOU4qqN8Q$OH&Sl_=)$A!HD]AY&As#1+/(UYrgU8nK_Su!`
+%%LiYX,l("o'&ehFdMA/l%"esT8EmC\2+oM4;L;%K_0Tr['G!QUYDP=,Bn3A&r1UV"ST0X6&edIm9F/BgP1Xr:X7jZ:'-U1i=:%fE
+%JIlQ]8T8hrLLjE?>LN)`=M#(Igt,-]ek*WZ9!YNTA9Vi(SV_pj=EanJW!K,-1Aq?'`]ZH:=C$iK<%*74E=/=<e-K)GCA@EGW%,T9
+%/SIsC7@tBoCck2oL&_Xh0;0bM;9N.<i3;2cQa!1T[Kd_n&$/YIng@8G;@TcJ;jC8nrV*LOPG/>Dr;D3Gh1[j.06<X>+#[M==BrI8
+%!4Xm5o\'!)r](T-,i[6;Z\m!;gssuZrM']56NP'l5Socka!5lW+..%u5uS??npmB,_0H[r9p&a]k.,euVoD=2+d@SV7\n\C$n)=P
+%J=*-33U)nm.1WgVT1kV@8HY#;/!aU1aCrCU>?Z#cl@KOt:;@>435S?o5%(?]7jc7-MpE(/$^7jTp%U#S+>(ki9O\5A;)XAo>`c:J
+%/Ns"=_.U<@0>eX%5KkR:I)E0H4DX8g(fS&(X/=?8fNC>Jg3/Zn>Bm*o[`_[iUT8ftq)sZSF!3nngKk:F[S>*_/.Tb'(Y/H@L58"S
+%@GD,"7iOX%SVk`JN3Mf7cQoAhN6`P7Ana"rfH*NHMe@tC<NVb0Z6GsFJmnHb&\,[p'Z2nb+i_H@;.Yt8!/tA`fab?^OSj](cHFaK
+%Eor-+)j7X6rsB:$<@"';U\/sqD\3DVS*u]hp0J(qG9&OU!%0JB"3V$o4;:=GYR_]L"q1=n/JHGJi-C8*Q?8':>coa+f1=eJW&u(W
+%5?#O*!^#LZ@Z\/CDHYO%UVNF)6^G=.E!X-fAThSA..&=(AXnr5B:["%KO>0q=L^fH`aXLR1KfTm]5a9DZ;^%a%22L\.n;`Ba!,<m
+%i%^Tr8X=l9hL^tU9\Pafc/hJVFoO3:BB3r#KD.lpgDWP?ER6-I)5J5@U,7!/4ChMHFsE5R=?j@E/Nb'2Yc\g1DP^T[MIL>9^L7O*
+%!Bc*mSRDdSK0dDZe$PpY_T37%Am:0*e>?JMTt6L^`^chMEEkgYT\/pn!T`%CcS/&VJjD"m:d6^eaZ_m37lVT6T)l54`.f.;aqX90
+%'<<&'UGG*O'ug)"*^[jR9"<d9)8b:g5d`?u"a[oI`3#TM-jlK%C$Sun+^_kj=$[1\[D3dA%d&;(:Z*tR7&#>iG`eo%1SK)#A8-q$
+%oscAI\[<lj_F:GCO8G`.'ATETQNYr_\i<-HI#R+FYVLju@AF-YV&N55KM[ioHV?iU*>B:qGSg`m-r*9A`j!s=-q$),$@dtN4>tN[
+%ficS*Y75Y(90ZY`=Dg"pUNsa_@Np7AO8#M\*J`G:j:MEe_$CR8I3CG48;P<ca5KQi)8-WO+Yi^nna9,3?:%m"I\<a!.&F_k$+!Br
+%`fF\CEh8lcb(osK/m=D%IMMko]i:i]SP;k6]I`n.#IdF(W[*5ZOl-I`J<,<_kL03X8:`c8qOr.D5-tXMGCOJmOGDF?,,5d)\QQ/[
+%W@=qfH7Vgl;J6?f2#&=-IS/+lJJ[qSH63<JTJoYsc$b1q'h4KE;q@!SQ<k@k=O?N0Mc)\<.3@EHoUQ,1m?4<B0Jim)F2)fh.&#NZ
+%Kn]1*Y9[*l%iG35\TDSO*CblF2be47R)9WJdKg\%@<-:)pYj?,ADr8%lCd5c_9gOs-%TX("RR?Q@1RIrG+:OX@3D[$3%,sCW4Q/@
+%bMg<Wn!,M%g@G_]:kVgc<Q%-b)Khf+jtE2$2=b/-+G"+@Z]PZqRA+L7ch.-]5D54/q-7Fbk'kaYM70Q<8l<oBKd,n(*B5U6O[$<Y
+%#:%YqNr#`GF1qC_(C&?Jc^hiW'FLtN66A"rO+U)t$s[g:\Jqsu;lCC+Rh;=2QWO&?k0%P$+FZraAc.PH?&#oZ_MHf?fd?=:-!l^]
+%#5#.04uF?:B$rG1-A20K-Y:i[:1;O1;YO>@.an/%=8S>\j!?(j4GZSKN.r&VWWcs`^K5lNc[bP<iP_M'KtIq0;n3e3!,sta5c35Z
+%(ur&d$tVeG4<SR$9Q_[RF2<#R#G1gHE34K%3%d+qC-BX?04S/+?4sHCcG/=oai;<\dGW`iO=2%K@t&^:>IQk*'.;XgDOL?#+RpE,
+%i`#*t>"It62Pt:7gc-%#-(\Z=?qY`r@4S/M5q6G:Z&bRMRC3"p^5,b8]jiBP[-)mPE$eEA,rR2!aEXB7+s)Wj>8[Z\3LlfKdMW%u
+%GTCThYHR\qV5.5D']C!!``t;pnrVi.*\-9mOh"_=1$%/NFkr\#e'.#,=n#PRd3R_1XW0?[U%f^NI-eS/8:u[ZW^pM%=5HnF$6oma
+%9-a[=#dXgXR"ZkrE-VXFEE<S>hW7s7g:bh!8tT_#AhloVMMV9M/6N>7i,`F<Bs3ad*'=)VD38SFgp_b1+=)O!6+RM:&`*D])ai<s
+%%m_+1@P&uGm0jDukh\JEH\$IHPpSbi"Z#ck0Tc?N)dJ^h7O5<qm0tV+Lh<@PPC,!Gakf(a)P_?A8=pBh%m$)r9D2(V+`X=s*esIF
+%Oeg_uZ/Ur+%&D'SD,$&\;jY.`U2jfbSirFhC\5m!#D<P/Ac,AR>FLNe`jW(Y!dHe;"4>['nn4$f.1%Brom$iOk^F2J^g'rk[@eU=
+%?k0C@\7uQ^T&jSJ?%m^jV4o4W$X@(g;j2jA3VU85P.eI"2-q1\rTU=*6LT!ELoD/GS&@-PVer'Al7'/LJct7;c:-[NHTus9)dAl_
+%*JT7Qd0,OW5d^oIW>tmQD'Z`#TXXfe0q"*[$D^RdBZOc*co(DQ"4o<^<KFuV>>UYhh.#N)Y+G5Ll^fhAO9K/b.FH?!0fkJ"JKb8f
+%HhS>Q2"'1ljWDbl*GRq.$bMl>4"N0or0[V-pYuh#hH*[7S2S8aUp'alY,T0TL.(,'cdYnCVO16MWu5bLF?YV>,$KM%JfPl"fGf)=
+%eO?/kp#lo^B]f/X1.Rsd\r)+`mMpg+bu>B@Ye$'"WSVq/Q"T2MZG8B2CmetA?CBl?:(!5as/\(7!pm*r&Gm@<>9t_E0;_\Q`SQ"t
+%Ad(D#`(e(L%YI/m1JhA70JZeh$Qk!U<X?*5EAs(d/$Bmpj,gD*.BZqH?r/Q%aj-mIL7dcT$75ZVD2O=N6)d,eBp'YPqnbS6k--'s
+%MM]^OWI.WfeG$"uJl]Rm=Z9>F3N)bn>:(Pa>Le'cCG8mn(!lt2#1FQTSUl/I6p+Nk'VfIo3t2li":XT7Vs99s$`MgdPf#V[+=l]R
+%P@V\.?Kj(0[h4-5*Gq)p'mNK^oN\$.pVU>+EceuZQ!SK@i_aSIMT3r]j"QM]l4hkNEZ?f?.!T-A0O8*=fL<7N@&$`OFp][d)'PLn
+%Q,=;nNa,=?n2u60V>sG43BKD@kE["\JIn9i"L0.=1o]I^3<$OU!mS9FV,1>l2'?86%'inl-[DrKW<Ung)*#+)?uG,*1c&,U'lSkX
+%APahZ&q0YQktLWQgpHGMmtPP\bRN^G.Tf<iW?Mt]BKTffCVd7>_O%4X..mqQ1ad@+2oj-Y.M=#_^>ON;"9-3Eo5Z[m4Y7QZf6.bg
+%ZEt67Pj/m)""kJ:mAE!7"_gEY3Ng>I;na"\TtL`r1/I_BoFXfd_`I3S;rF*\o-!f]2h;LQo94eh_lkR_F&<YHdE,#s;sfl[AJhBd
+%.!mRMTkse2TnJ5((*+cDZ&l!A:7G\fJ/.4B'Lu)*(C&Y_!)!h,:L)I"dA;e.PB;2.hnT@+O<COd_q`TN.jk6r$ltlbRUbKBMeTK3
+%@fjk\_ZX'mS=F5*lC6CFrFk+s)3!!]CW/!LCHDh8c2Xe\qKL3#Tb%^A)+1Xs^n#'j>l+Q#-M'?Ie9!Bb3tYr=3Uo,(2T9a8WGe39
+%c4HpbU:n`>7Q+6J$Fm?iEto8K<CTiNlF0V%]p00OTCcL$SRafl2@B:0YeMq^l%ngj#d^PLpdgN<'6*:X!@2o`&.ZV[Mm++i/A/+N
+%mho*HAi7"C&^6X`)Mg@+EcQ\/iA4mXk&!1mE,FeiB46@/ZS0fj&T.^KkA2>%@+%j(a"V2D`Ci-\[AqZk7&j\6H<.'7N#/BA1:bSU
+%ikW!5Mlmjt&Rg)]EF)p3K]X\<hl!qd0>c%@T*'OH$mk$nb4@?pM]IG(>i2jtl9rBh7oM:'Xb/bH\hqQ0`#b(!$Z-o;4QdnV&ljgI
+%m$M5DWQZJ9@HS<+B=JO?U.%M@1?@\=[\X;I>IAV#kd(A)#ip$%Z\_+&>0fTA<.6^TX;"b8^s`E\!F-,p`p\P-N8rRl(Vaj515&C8
+%NN0r^C0Zl7*%H>K1`e''1!`]j;A;]F(I:7rLT.kJ)E%:DKg77,UR8<P]'bT0+/k8F)"gmu"(U37OUkV7e7%oSQ,-`+C_5I=]PiNF
+%j1J&+EXQM\UFS's]2FF/Ma$ir,,@D60=&]C^:8fH\BEjn%2%c5?s/CJ<7-IKmc?"]7(n/dNtM,cGRo19Z\>.-4Kf-<edSq.hLEU5
+%4P8W_ZRSYo!_.P'=m1SdH*s\@^*q,$3j'R^0N^hAb,poW6q(eD66RP)5lo@V/47MaYnb@\&3rV.$%>`kX;])4<GMuj-(^UW<PO;3
+%3aJf;7?in584uW)5I7+XPV-CqDn2<);#nb#[!QU$$uj>$T2A^>/5nib$u_%\'@`bg%B`hc%gRoi8f1%n@7_kL[93b?)S<CW.:ArS
+%N8rW'qR%?<N>C3lqE#s^P9"foJQ5BuI9=W217d&dYVj=Hfog`Z-qNs/[no"`?SOQ$_)6q,"A.d]S$NV!AUo9VRDb7+E`"_!H<eF0
+%bG]7u_XR((J>F-u"8L]dOs4/E8MVPnP?^Zk?7!E4Yjdo.`PskE(<@Yk:nlrTmO(2.b=#tIBf(3*FFNY\cn1.<@FH@H5Z%q9)mj4(
+%fTLl1+oG6h"9WjQLoU5$]ol+&3r*'+I.VHsRL\3NZ%_]\L4&M>F;hhTi:6D&4$-r,\I3)%E%n-EVd]'eAoX;FViF_,ernfKK:MFU
+%]k&sDVfb"ljG)>OTiB:C7?Yapmt(0(Fc?>?#GMS#Eud*7_kL9]2_(%+U@2%pRrrDao;4<Wndr8#FVoB$QRdbLKAJPI-0)3qD'[kV
+%=87ga6-JQHF\7'lp'!ibZ(ZV'bh8#a,dt'.jbE-,l@CpYE*F<OC`A?PpJ'-e<OH<jVdXj&L@hd!Q_fk0h6`m'?XTm<$f)u@J^73g
+%E3.^/1e/ZG:E>C>MCJKD[/:Y"C[;a8F#!HJ8OrNK.8uB'Ku7h/Qj5/iZ`EZ3')Ft`QId:/c[?)1_0k:+`bkuiDSc\ijX)0#9t=so
+%Br]0@B%KP#j9/n2`Jc,i[$/[Q0)#hM%K,u1]h3f?j.VNJV][eW`\=ffR-KbjMtt@qrVA,gXdic6#TSVnpsD%XMpp9+1jXZ_Y?-KN
+%b0W6T#J=u[4Y4.+<X@p;ORFZe1RaO)]Z&(rh>7RWBL<rWVT)unHfA/U*<66fh4Z,G[Si(hM%HNDZ8#p%L<"\ALqt.`'Ys4%qOW53
+%.EMN;Jq5-"pTRJS:=Vn/M3Y;B`"=jmi]YM_nMO4cG0cGD>1$Ni);TBn&?M,n;<iGlr2UP0SZ5#pWBBjD%."IiF,jm1s!((H'drdV
+%dlc;H:pQNlnd)Z`f[:>H.k*A5I^.V=,a;h,IUn06@]74HBo*rW)4O=lP=CQ_Ze(-'`,W+a_0/i.@qdVd[0H`I68@Q^Kt*n*RZU%Q
+%2,BA0E!Urm`"u6)(_:("/"N)^7n*agX!WK=P<KN$+94Whp9Sg<72]Q:4@]lF2&8O>Cu#Oodo"RW8PeS/)V;e'\B<M&X1;Rgi$_FY
+%>,Z`5m*<FcH!_U\\sG]*\HU[V$/EG>F6QYc%,@k-\fmSOi2Kk(.W%NqT1R.umd!_&G\utVo`S!qL<rdkm>!>BAMK%.4:K'%&&A"W
+%$G-.PkX/41;_VH+;a2=H.8T)gjPI3'l!dCsEQI^94cl&]#_*Ds;H7RuMZCiU)bBfnL'1m8H,-P6T"-B8jl,!I!hu#I3FhkiG=Udf
+%`d<;aTrD9.mPqJ6=bk&B]CL_tXIH;l5tO0Gd\]@]?[fRWFf5"4W58o>M=;N_VFoYIWSq9Y."s)L]:4DMhe(dX=cjTFTXOp*[[\oH
+%:EAF<,Lgk?C5#8TO7uaGXXE4XDnIDrPg$Y38J-nr%iCo&jT`%ICWMslP2nPjXJ98*Q%j%_!@pcb_#-bOYZN*0!t:\r_i8f-ZA.T/
+%@/OuolmJmS#P,ZM^i3>/WrP>$*2o/kL-0L;+1PEH=VEt&LA<$cJAI'k^D&OpaHFadUM\VtLF\H\NrjKoams?m#5\kE5%HgoE_m7g
+%RhZ[G,`/.J,=F5%6u[ks[3W[g+B\^M-lAqi8#,ndDSCNtbYJaKXDr'F>D"jpKit\YkW9RF%Qd!2pf"qu'o'ah(!2E]#L:mN%CeBM
+%A7-u1XL`WpPBSBZfD:Nr@*CcOMPCuM"@Mquq<Om;e5uN^!/*#a\Z!G?)oe'#JRcO]FA\[9X&HGCoa+`)IW9'7_8@uUmu87G#".5K
+%JD"&:+l@p`Q:6qeEH0cf%c+?MOhou4-*\7e)C#(EClb'oBd(`F7ZAXR?GU)8nei`#TYG1,2%?UFP*1ZU)2K.X7JO6[]%'IU0-fsp
+%R[PkQ?7qRCh/s"FKaUU67I.7rA^OU2q*q!`-Si'n#U;4M\8[U@,DHMBKA?*:]\ZVX%-%K-JZ3+\QsP;V9il(u_SZOI(q66#&b5'[
+%)GG_@=cIs]43=G42s5=_5#ITN,IpHCNXgPME0fim?Sr/t`b%Lmc/qb;(I;<C?'9XP!F(5Z^Za5gg$EaGW(=dL6KsHJo<JFhQsN9+
+%7dlsUjr**LfL,*=mpR%5&?2AJ%Bp"UB(OI5N]'-NDJ`'PhS:#bF9B!!K!qRr77^m:Icj9d>l'H,PT\/.*Vg0*eP:*l"]%3.;kg;b
+%h?Hea)EHOBMrH]HiL^]0nGaFN1_lV8kBA!.H@^:_X1H]Ak-k)_mkZ%>llZ#p\"Z8(/rON07>J5QCV.'<:d2'M<Y+3#qbmTge=YT7
+%jF[Z5@lpb3"dIYsU[$%O^.2*4a=R70i+I3Mda7i'c=js(PKpP?2F8QQR)LWkqn3FljAR^\*I.lP.J>a1dI[E+,e2Vd0n-qlnd$a2
+%Zd7ICE^.?nC9[d8,(;4Nmap(d1TV1GeI[MOZJf+4lt';-eD7nbg+Y?>h?Bm*,2QLPC'.i]!>9I=N@M#4MTb-8[SJ0U:s_3U$iZk,
+%a3<DR'<7-6JYPV=rYC<Q"MnI&^.i^d?TnD'J,YA@r;!Pr_`LL`1/gs^g4hm.4n7P[c^RZ)<hh,cW@!%5>ZY@5SBj*`7;DhO_VOgt
+%%)"d@7n:nTR&n"XG-7eOrGe_>[T,J'C2,4E"<S?W#$r2K5<`'[Vs>A#-J!`07T4R#qtfpT$pRoa*4EZ""8E@M>!:>Rm%+;r)=T8O
+%ML.B'%iFn`MoLjg]/eY'%B=4-Jh8qIAlY_]H?qrE5Mha#Q\Ts,m:bK]nm)3lqk-?(31%ZSfZ;f"%KsH_GD\[E=hPX/k<<T=;eCP"
+%G-<,p3?$n6l/]&&P5%IoR'.\IK&EG])QSgTO^fR2qW8MVC2\*!cgG^QdsVhlU;0*X_N*_T&tG>]1UK_aT_H".`$PW:j"t._M*2q6
+%&,cA=HLALFr6h4G4qX?3A\#%N;9o(0"s7%mbaM_sE.7Cn^_T5KouVaQYFOUrg8.mcW5<L;.2](c28['HULMQap=fh-AicH`e;^&^
+%IY!>mX)o,_,4T#OkU<`/1&D:15+aMJPLqBJ1oskZIHpEb?'"c(b"jCG-*HIP,,E6l$;-g8`;l9X(:5d7P_OKL\ki,I+5#/\"L2tE
+%:VV%Dl8Fam4\\4.a(*e_=d#"<P-GQ$&ALusPN3hJoLtE^?HuEAEp;[75+:Fr(!8it,MC'.A8+38[q%f+NLMqGJJ3MaeVTm1`@0`^
+%8-G/FM.o<!/GRlhDo@k<f^u^>1m'kd,H"#OpWf*.pP2nE_,N)NGPsrZ_e`X)2Lr\eR8E/0hB-$VYi,\9?2K<mT8r;8D$2Z/$I)Yr
+%AW"mrSF956i(0EGbNF/EPMf+ZLm1V(JX$D4YWS^[)DB(8Sklh^@_Ig5'T?;Ul/8VI11>tJ];oK,l00jkr&^+?0JnQRS33S8M=ZG&
+%)1qKZ_RJ')aaBP-RU2',oFcU8<gL'AXJneq-1TNKW6[[G%u:*)*a5-ra1KM$CX;T[fbo^o6dpQKAPMae.)h?%IM>[9q2@ODBTgU`
+%s8&5R!SY<_>_MuJ'r1<0KEr`VHp$&T)ps:$S>1A#*@^6j/8_)U-JZ_McgdPR;eJHLWHei_pIQLn.3MsoVQFiA7i>q)dMD[je3J)n
+%$>nk<7kl^pQ/..A.8LcS+8om#`N4s#!$mE:O%jDa;Cbs3BDQ.6OI`.D(c"FdVRP6Y,!MgM*t+pVG$a_olIm^IZo`g7$38AU;"j!:
+%U,r6s(*s)&(-UAu&3t+*nu@K2W=b6%al'/c-F(S2I+,n/Qk0(t^\HcqWp"P^HZ^Q\YTf/7WJPZu:Pk&,0LC#O.j$4RFpO3ac$:9]
+%?2e;V@aV4q<a_^G&V/mr.4O^"_U)4cHLDY_&kbeanB<eL0$*V/B6MJs$ga1Zj'g.GpnZE<dh.Wq4M3:qr:T`4J$J#61(eK:8qD4V
+%_g&iLll+0nmrT9hS/.\!8[AM!<8I(>TXoH7/7BXCb#PD+ZCHO'0;0%A$1b%B2XNYucgIk(g/n(_Mkoo$cBLmAD>"j2e)g8qhd,Z-
+%l`r$,D5W.e=%ZSiN`?+UP(6?D]B6Z;0XC4?0<_TS(<htsOg@CD]0ln'gc6ek0Wc'$YQ/RM?/3PXW4@\hq<_:br7[(c?7C[(e;Ho2
+%7OpA+"@jJ]<[XU]1L`pE$ne3eES+$n"?#JdmiD&ZjY4aI,%#B_.tUVd4`j0KaH_:S"%jQ2;qJq-?hZ)TT+I_`*#J4)0a!p"f9gVH
+%ghOaY4FJhKN0/)!8f6%1J$d&9q0CFqYF`.h<4$(FL8)]ToC^/)CU5MUNoMl/=/"YPKYSHOC/s_NoH!O6.1^IYfNc=&!D#,Cr6q)s
+%aM[YODM>bBR<4`@btdEN@5M6r4u.5.%7;UM!=;qSo=9ZO#-aD%<]RO<*WU%GFf+/<SXOQd7[AfugT2l3^4#G4_ps`<<Gg]&!HBs%
+%lLSs-jkF<7?=,cC3qAg^n!ul[3DLA=i2hMOc5J$m,m+XSC^@!,M%iqR!#Vem^!1"fGu9aHkh_U.S]OK$24NAKrW&uhS#'PV@ED.B
+%PF!Zn_<]m/Y?OL/i(N2YdYp:Nl@L_-_cu?re8DjE=h/njldGs)Cqk.75YZ",gjn_Brf"O[>m&s\EV\KcbG,M\&3<(&*n;b;=bspY
+%p43;=jl#ZNRL;s>UuHI<[6eK%WS%.5=-%D?.L:sRQgiYS<G4_3)RlS9L8bp[gCfM@FR,<!NiCHK]%'TR9.-\HXYl,oF/6.JiIKQD
+%R+%).A211rnu,4<p?aSa\D\Ci!d\L4*kk(tE*M9O5g>OFMo3gm3L\_$Q&5QJOjCiEUL0-USX9d@H=.Otg:+)X1R@F]Q$]W#6OK^O
+%/UZ19@t*S\_V'YPmp,hFRBs3l5d%tDVjEOA!N^LulMCCi4<5`ics'0PP#VaE?ch)dSpp>/;m.tdS/n-t`\jD`$$i+V<7QY37Pspo
+%8,:W:>p;iDB#Q-^r?fRQP>rcEEIl%0f^P7AEL.h0SFoih,j5h"]KbT"K9Dr<*eK>"-qRKp&5Eq].VVat39-b*,:(/=\g\D50mo4.
+%P7$6@5<qmDb_>89#e/"b<E<Nu[7p9\?+\/HG!$n*RW/?p]La@MG#FOr8o:n+eTmtd=c4fqDGQsa`1nF>9bH/O4KUN<\.`2=!Q37?
+%+!0=a-<\Fpj`_cfSSoYEe_hCB,0COc[fG:k[M]JRdaBchqkL],NBe0/UE\\/4QbT7n0T#='NHVNb)Ra4&ZV8+bFmRB*#K3mdeN1(
+%,:rGdXq&_1`N*G"<Xn$0\Mq9n[#1=Y3K2',9+YQVU4@72;rTI61Equ(`c36pl*6SJ7^j4mChb1oJp#!ZMs':AP4^f``K1Y.0N>Yr
+%daB\<_9@I!FD9<L7\hiu`,JRrQ)BIUT)8>sV'oOSb[n6R&>]5'WTo_U1#eDRNPI)!YU019=c4m.IPI/0RUUr?&5u8cG-0//:%3BH
+%Eg=ER^u).kWNt>2.XDdUKoTEh1-s#B]V::5CGeBJq*!_;X&sBRgp-3<'bE1$KX2Jg`bK-R.SIAb5Y:i)V@]-nYBimVIhEQm0nkH]
+%,7LqLOt`OPU/hsg2I^*o+dOE:N/phaQfWUhM(DqAR)@iZNq2F75'g6Yl:=BLVUoi'[umi0mTa0G`fmPsY0Oa$/@_&L5.J%=d?c,6
+%(J&^;SJ(CMp\PU%_/uPe$!?cf-s5c9]#glf6Dgd8b>Wd'mLKRDiX.Fl8d>=s,8O0>^"LFG8V]T_r<Z3R@Btur7&]f"UdHAFSXr/2
+%=X"(EVO*d$F<@Lm^iZ8IA=H5)1.d(s0]V\6Mep81i^KN7S)^9d#:<!OcC[fX4\WPO(h\\?q/eqZ*fDUm+B;:[C?+>U^M#HT(u%aD
+%?"ekWL]>b*mlAom=K*%4jXs_:/=V]g=S7fFP(Ig10&URO0tJN)0;cBbF0-t^`><V:=L"!4Q1Y7FJISi!FTm"G$HKbZRpjRI/;847
+%7;s5Wc`qZSo\?tL*#W)=PZ:H'\&1u;r3Gdn\/*T[k$6H$N5oQ2TSV?]1r,uX/J>#br#@54f?nae!N2E.crm$i:\&P3\q&9u<h#/E
+%N$L/dY9QVefj[rnJ;M]ijNDpsglM$;\tTXI?/uImQ@rih)c?j#UIknN+Z52I8o99-Me=e:.a_rZb_Is[hVmgRksR'"%OBmPB99R>
+%:R?>_L!I3McS#h+*agd.(!KZAZ=49l'&@Y1,%m:Y_8*S>"0XXUpk6Q-R7VsN,*Ljb1<;1KCaBZOd/.e.M^GK[a%*fRS`"B<oU!UX
+%2gW(sROjA+GsT1q$nqE466oh9`*okj<uoB]Pf'i*ZE;r%CST\riebWkeX?:[Q,+67MDiE%F9_6rYs,arB$!YD6Hr)e,_7>a'btQB
+%N1n:+q2;]GWK;m;jL+)H0+IUI;UE5>L>6!1bS3rg,bImr$u.k&J0hKXTEtj@6MI7T!BD)"9-gOH7E4B(/ZN6]6N-Mo>gGgrPk;\Z
+%9hnsD]c;kAL]>;VB/P*mq6c\gk=LRH&)2URgcg$"R6"nNYOeSPImg77s-lQC+d($Wb'Hl"rC@C$>*3S4E`PmK@hCs8#+b^)5\sHs
+%YoBQ;QjE'`S*@&PUj"<a<[?CO'!b",OYW>;&VEZ^)O$b#7d>a"IC_n2d''86hkLT4mcX(@SY6t$$<0ahr8-n7"lAJ^3l8Bu+eD';
+%W%D+r`8J'8SN_0*[a7*[oXAHJXq`Gij\tSH>SrX7ZdZi1LJI-OEH^8^#ppshcgVmAG,!,d80mdi8U?>V@96T#gLt&u^I%-4fZj*$
+%*L#%Ni&C#M(T\(?N#X38Z2QILqnM>V>@kDt?rEO2/=bK,mhrc1D[lWiW^pj?]_1bN2Q<\Pod7oS6LMO'c-P\nhbSuIqIl"%j]9hJ
+%XahDZ:\'"?l@A=-i<*Ssf[LU4:oK'k6HX34E-l^B&H&rH8Q^Zj=_]f'HkFE5lRI`aO*d))\5WX79n?B.b]?5ej^q%BN.[o)!hhDD
+%o\[$>?q5aIh^";cqNit?pj1`ua2W.KS-]U'1[c&Q,+N$:U7+JohlipFXt/*?LL(*U7aY#d:$_'l#@&F!'2:-tE8U/N#\6M8?BIoJ
+%.(FNkW!chrX_R@80S#'03ud!Da8u^I?DC*/E\9=q2_[X""eAR*BeXOW^TQ!$a1Y&O2!.FUV:@#%&)g#(QhWQ816aZVTV]JgL>(4\
+%S)+SubJU_1^'>kr,At\35kTHKnN>L9o'PoP>5P=,:&T/SM=i\0]LPOp5A`:>X`=SNV;=lihYI(m(h3!kUbRVNm\gf8ELOpD(CR@'
+%i"4RVE`9!JM+pp?Bn$17&6@=]RM,^0VJ)62\2Ss\+[As+C9t'^h!Xn,BHMB,JBVU?E$g\4S!t7fa\%VDem#GuA'%@aL3tTs)8?%0
+%JqLa=K3a3""i*Q0oO42\GtH0iCN9i7+B^tFW^,.h$rWbmj4=]@G^#tc`f;Od@7!cXSGa).$]`Q,JlAI/)CqtG;!(4FI-:j1Bdpe:
+%+3Ah-T0CTZq*]J!\p.6O8`5G5Ge<8TO06$#\O2PNM?%KoF"H5FreGMQgLQ[GBZY1-'9ucHKF8M&0l4gj:UK*5Lsk:e$<0)dn\O=7
+%<JDVsl$>\IeRT(H:A5gb]no0i]e7_/8<W9Scj1cd6I(9Tp]"glh0(A3Q7K3ni'6_-!NG$ekP\jS8L6OPfPWY%&CH/>#XV*7b<SpZ
+%Hup;*pV"S&&WsWThCOtC,N41._7=UKbY)JW`/#"bPc[Oc>=S'<bdYl\@,T5B;E'pg\ILD68F()[T?GU$e2A-13J)XBR;0t`F,^>^
+%fNGsH_3;-hWVdtg^7C^#!gY[Zj=SJS`-E28F4SsW:<?!1)$'$XP"3VVX(h012llDA:Lu#lb!'`5l'!]K=n>*4)k`+39cLC&Zi'fm
+%35Tg?j@/fg+Y[6o_T7m[Z%8gd12f6Y?A!6'>Q)[iV@&\*/KZ>JnA1l2kTB!J*i>GbN@_"bKVhkOqB[]:->[;t=m-Dkh)%/3jL5gY
+%2fQ0Mr+h]Dm!I#G%KDgkA<Dl;cYAu1q?;+1Z\,B'jG[:!pWEtnY?MdK5PL0Ud`bm4SETJ!XtPG:`t[d3NGJ&:84q&?ZGtm-$l&g/
+%[&>9%iJEm@c&*g<=DX0?)QJd]5u[qOMOLfN8KjkN'G*gc9r9rA\ZVm2_gELH$FS%jL(uH#AU\4K2)=d-Bo+j'_aIPK8k0g6$-W"N
+%OMlGMX4Uuh.piPRqiHBG*bCV81+uWOI7pmH[J>3(U8H79`XLEo^$RbM*UO[\gW4D)`6XSAO6G9*1Vr#$7#kjord&qKV=-R'Qf3L_
+%=/i.\e8jh@Neo$j=YE`h&r>l5V-g@k!-eUe:1dg3no)@U&[0Fo*]P?MYe4_IpsT)DQtCTa0T*@B<eJ7J9-9LMWLcdmohsi__[04C
+%A715Kc[rBnO4i>kG^,W,G*mJ`gL_?Oqc:/\0J*M6;Z,*);)/FJVNtbrPFY.sEo=DMk-LTF^UtZc1M-"ci[)U?A=S9ZY@"1@J=*q$
+%(/Okm@_/ZkV+gk+:<ZVX_3bNAY#N$qiD4^#WfhLo_2$9ni?G9\X&CaSKOaqF]]aH<?Eif'9iEj'">Gu#j`5Zs""Q=RZr.@9/o>.J
+%+M%cH3bBj`$aX].nQ<.3KmZb)f-7[^FkuBa*kGL^AXAM"aXDh.\be7.jRHEFOo7-5+4[etWA.(m3Z0?ap_O$tg3a`O;)K"-7N8>M
+%J@7<?+)a#33@=<IXKki+P>s1d7SY7dGhL3YKVE]Vr"Xp2Mopbmm7\7$aY7_7gY<8EVif_JOI^ru+iZ8p4?>elATP[MO`!)M2!AC-
+%BCiKP^[[M'q'dksZ""W?mP'F9P'mlHob,rjZ"%\CkUlesD07#ie)5KY^ABBh-SR@)LMCs(QX2K"X8iB`'"IkYe&[Bii[gFp:]hE&
+%oB*]B^UO\87a\_P\^*hBer:X`=&TY>T\oaQQ&IM8,7(KpE'YG@X7V)Df$pt%M(G"B#g%k8_U!*E=0kcIaHkE5DfM530p""T;dVmS
+%%(nr*?!:W36hbT-i2$\`=oNu4O"*'0p^Vk@Ac_46V_qjk7Jmn5VJiNl*3T:-ng0MpF+TG\>m(d=<dC1t\*u3`CTi)\!AFrkmgrJ(
+%AO@cdQGK1>,A%?":\FDq>K1e@IQQr/E/..Xk']89m<ERA\I$9%Ir?",1b/6E?^g3.#_]DO>Z[Qdhte2I17O2L`W3Z=P-H\$,JB]E
+%it&.:126FP1(L0mbGo/6Wd+s#WD(\Ln38Zu"fDB]/j<H\IWsXb'i!;DaLY>G<1;UIf$,%H'YEnu6FI<,F_;UC:[f.e(ke8a?UVUV
+%?Pi:BEYD:r9m';=qA"E?:H=a'ER/4&i#A]I/L?BcYn]pfF`Xc:NUuD>Ac<(mA01H,Y;KY#E<?C@ijB`_93f?k=UGs\\>];0/qt!U
+%X10gfO)saHkl1J"esX9qD(3/a%f+^oI#HgZc;5[7,)O=f1l.%"kd:gBj/s/)iNIOp$K2"RN&/Cr[slkNs/*]hl]:8$qpfk@b`(I@
+%D#%0Sr=%\1/mJH:o]oFE+*6-c5-2dp=Jcrr8m7S&3(qHff\nP2Nuqr`I[]H9>o)Z9&Au)K&Bp<=]s9:odVm_`P7@dIBXHs.Go.Mo
+%Mn\\k,+Sid1UQgFHcFe68u9E0,F?<!<2>SY0gc*R::>G0Skb2"(c[V5"1^f<s(ej>L1d'>osM/%o2,/J=k&=ck#IbFq-9e:1d0T.
+%:Xs7EB5(G,Rq]U$IP%M]AbV_rK%@V6rE?;a[=4-rja@SjqRN4fB"gH/Ud(I5icSeSWT',Ee]LrSNK[DDa]+O,.s&J+*E6lXiI\gF
+%TrkJGa\r'1aD*h][qE!ll2m4dIE>Zp>Ub3G?E83a"`LMD>LD!8;ld=@N$Cme?ab#MmhTlmp:EcDQb]^gps_JPlPf>O.+IXQB3_K;
+%U3<Y>9kM.@/).Yei>/oc[IU3r\b`_.T%@8Lef0N+blrUtGhYO..c/N3Z+]]SZ4?f&Bc?2a_*\dKAa3!rS#!cS=it-ml:MBSp&HpI
+%TZo\@pn.>\BCb\9cF?W)bX60_5E_214fO0"XqPR)MM9:7@ES`&-tM/.g(c@'j$&I#$6kf%R+:$r'$=Q2;4gY)S]SlsChQ#QAb.g,
+%lhq.?Z3knB"6/&+QD#Qp[BK=@R\E.ZR8jO0%7C.??`f6.R8q5V\mFSJ>ZV)A=!D&FD#0DQJ(9a.?$oa)++"W+[Qr4W[f1C7Yfs4k
+%R@h'1p3Z_D-5^H6gI:hdm0oAh%i/[^O`dI)A#Q^;fERu>VK\=C6Il`qH0&2aB2&i[gHA+q?e(`L:k%(K<T_34d1C]WVE-5ECQ[Jg
+%h=9>=\L%k0=Wqk-CaHHd*TZg>n$JlSkPJ#L;>5q?@gdG8I,FXb_q:%@rSt8,2J\D^Dd*i<lJV9sGNGkIchciFYTIrT!sAVri,J&N
+%Ztg\Mpr]l:[SNA/<"e!gcu]#]$sj+Y8XPNd%=GLsj6_KnhF><Ln\K"!TBl=^c#r7mH`S5>2.I8/H1"K=a4g5=4eC6Rdn;nd"2I9]
+%P63W`\3A&!Z.t%Qmab];U!@F*D=]kQek4b)btf^-^$jn0b^<sF`I1tP(SBF)2M"Z=9m2#i[kD1S*W+8)c3%@Er!&J8ZS'"D[,_,A
+%96QnjM[7ir6J74c*S9W#f3s*A`iA5p?>k=Ib_1:R<u(8=Z@)G-pADDelJK4f\?:(&DH^_T>aABK<IYocS)8Db5Dm1M?#s<r-0cK@
+%bA[TgWiDd<mM#+JUig):H`b!5[Iu[$HtY)7/2lY^Sicb+E7C102Elliq<r_olRg)cN_>H04)TKDDG@n>msIbq4]"IK3u%ebY'm\A
+%haP;sds%chqU9Yfr8GhC&Ztp-=j5fL('0QsnkipqH2/jXLL*10WH6seTWQ%W/u.f+,%'f4j0+JY1FSbqkOBt2o<-60pY,V%*54)&
+%.&FS8qtJeIY(41ULDI1\DlD8J<NVgT?@6I@AKK-8PM443DrlAcF0YOa<.[0g^7m9#0m=Y!K(>T@<rBC4:/nE)&s/kZVq[ONW?F?O
+%;2sqTYP,9)9Dc;DH#c]/H7l21dq<<_\Xa3PPaT4V40n#^QKkbQX^=$&g>:^LX%6LeI+%8FcSViaRj';Q7QBkSHl#W00`-4CF'J$k
+%V^f+B:Png0='O2][e/-nSUNa&B2NNrdWf)Gp=j@JiN(=D:E>I^7K5H=e3-?-]O0LEH(E.o$fN//$?D*<Y>O[VQiW7II[/`q1sTc?
+%-W(L>dC^7j\nBhXN;rjs]>*Ns=92_qU*V*ohQrF=]CiOND._Dm9eU#Kh3qRUbK!IiCHd[ToSlksh3NoD_/40Caj.nIft-<W`&^Ka
+%b4_BH.@R/QF\BOMro;gAIqH`>:)1QdBVf/sjS3#mG).T7orRBG1&@FShq-d8Vfg!3?]gt[0g=oI`7Wnlq;-B8GHFm=d2gU5pE+Mr
+%leCcoZT_hl@!PA4g7!ERqc0cYS"=ErQP$l$#(3D)`@tc:,-4MQSB5e&"4ee/Y(YPa'qLAnD@"`N4Hl^@#*'h>]\#-&QZI_DZc5fS
+%$`IAI/gr2=N81dX`DE\9cenQ[ISXqVYHN-!)F=+/_u$]"lMKBng63OpmG0PN[.eLpL.CrC[&9/shP+SXd>!*oihe=(G2f#JAG(TS
+%>21c$+8GRPF\:St):-D$jaI!E1d;<37sR-Q>Sc36cdh@Lr\CprlYoKEmJ=80phDQnpk]h<rYfC6h4`@GF*Cm@M!i0(;7gpI-'(^P
+%F\=X+3FAISlZs.GSW\B7j0cWlH[Km?G7F@A<t1ZF?F"E.h"jc]rX)pen#AN,e"aC:X\5OI-K'hWVF8`BM7pXGTGpZN-^287kc)Vm
+%Tm+;%\o0PfD+jOr9$s,b=I1E2]9n]oJ(aM<&CPLc)nh7qPngS*Ao9F(nPCmqQcXh\jOeP:b96f&Y+X$e]Z!dG=^mZ,=fg[Y!)9dD
+%OMtUlW7]:no1$TMba5_BTemq-P0]V_^a5re^(ISlA2Xmt<hGdJ(m%cOBO;3iK_'iq>VcRk^?*dMh^eoqaCtbAI(_)V@J%s?+Xofq
+%O\G<^qd_!4&q3rO:EOr]ZTV_36*6ds3>#Za)17+B6k7+I>H4cX(k[u$P?s(aKklEVR8T<c#"K+BU0`Ir)0Sf@NlZaX7s+b+o=c#>
+%bHW<rR!GRC/oY>E]m20(6#FOP!^b./)4!sl)EB)ViX+r4W!JQYNI[J,%%]Um].`!\6/TZBr,gFh-E@9STjBh#^/>i'`CQBgCTH*(
+%*"uR,S3uW?oB1Oc?:>F*DC9ah"K:tZql7/`RoSIs82,rT)uFDJXoo:e.aSY;.m$s676(<XXMMD1Aflg(e'S7GYI>tlCFeF_CoG?b
+%NY0GSPZ>BMSq<TRn:qhbi#Yj-puU8EJ&cpj,-4Gn/O.k)+H7ZJ1a!5ao%="JptW^PgSboejB6p?#\jiX"DheXILgl<D%o@S"Cs_U
+%$)gP;EI\X9AD8HJ3%@h\4]T7g7KBd1;bUQW5(3I51&:bWZOA`RoC6:Rc0@%4M1\-X5A<ao1hgK46ZV02=]NqDN>e'O->Jj:.tV\k
+%rF7De#a+CWT1.[^N!elO,g1RQWb@c&!s^'dA52s[:jI=2c/MdW/E8Z_J_V>jN<_/;]M\/Mp/dZC<=n0kojsa0j2"?IQ*.)u3#HY(
+%C-7lYOtF![-k,Uo-UV/<CenTbg.1'<j-Q.Y9:N<pGG"f>(bX9^5QQ%?rXpt/7cJ7.T:g$'p+T^Ad*H<MfqlT$g#HCn9$\u_rpk?L
+%Va*-XT"+RuGa#RWfHVRd<&j`oOjLK]=g5Ce/*./-YMD>3a5fH"o>7-PJUW>WrQXD*1D2bqpN81_$!cn#$W9A`r3d6>>\_A/[2c3$
+%,lM6YZ0@>l'ifSU\po>>@7b"am&i[r3b7?;i8k0W(h?TOL[HqZX[+AY8,u&aW\G[p/t%!?5H-24)U&+@];8`Nknk(sW[?JV9m&Hr
+%cF9d+CGH0oIa3(tX<Idh#e8*YAN.8LhFHg$Ht33jbAoVJ.QWc_`F@\cdoL;W<?n)YY3th1o5UoACYNPO`!8"^PB^?j0<Q"V+K+PE
+%M0je9"K494R.r+-XL?bS=2.raG0<$K^)Ofu@0k_2l/Q1]j:V?/:Zm-\V3K1MLG#"N;rGf,QdA#:AtLr*KdIXPAA,YR,BUML+k,DZ
+%.+K[@2T&rn`39;M)[F\^")`-@N)O:GGo`2,0qEJ.bmN"i,$FT=Ms)mTI#:e:qsT2RMs9fpP;2bIXq5f&4=3#-bs3gs;=rk#b<ku0
+%9\i:)?@V2#pb%\]H`RnO!,Gufo`S>2/lf#K*W^7[OUimFM+q7tX*qf;mmm#>Y,>]m(?pK^U)""eq4!raAt;3GfUpCdF!t_-Xml.c
+%Z2;93br%_e/nXY`4[tZk^n=ojMI[*`P_@.r8WGGqG+n^/eCJpB[llIU(=JIX(ZfJ@\W^AoRJ(-%;W"(;rncBhIW..SU,k/<8B'4V
+%^9^'$]j4\t"#'ki#Be=0ibhTtG1T[CSpKE-*Cb.-8:oFeM5b\l[f\hX[,jN28i]UA4h]62(Q)c.![=9X4._<O1@ak1Z1\*S?G?:u
+%B>VD["QZ:,:tss7m<Ye(fW]ujqCSuoX=K`SKKf?ll*^:p`;Qa.]&)X8]KkHdU:Hd[/"VV?U&`b[A+TX8]mTQu0<SlDFU2QPb^-/U
+%N=4Qp9R/gG&^l6DNio4(4f@#@aHQ6B^tO%QEdL#PoN\IcGW#<R]0/r"DHD0W0ndS'TDn@$j+9SmGOu9\m0VQ,>%Hh@33I'&<$,ZN
+%Y-``sQi"HLj6,GdF^Pr\KRLOFj7r8%@V#*O*?!=n8q)q+>3-JXK<&l/.HbD`fm&)*d'9]?^u$*'b.Lc5E<Tej`6,_(fAiNn193[b
+%(c(7sRKoDNhZg^3a7XQ`^2jM]l-I[_Vt+QC`p&3g8Z>KQ@U7/Q1:&"(0[:5o1uI]"?>$u9bGPSRaD3c;d.Mi+:A`O]5'8n(lSZ(K
+%>G7"R@HY,96%9@@dhmK,0dj+k"F@a8&rm)HM<G2kK(!5"U5a,_^XKlqpNUlM><??CG0"iTrU"h:lRmV;$)u$6?,dcV[PUbX_Db"m
+%hJ8cA$^3`q"Qjo/?a\LmN+:/%cWNEgiVgC+DE*0RIEln?/a[j;q8m!P?HgG)AFEIWI)4-!$J?<[q8$uVk4a5I'2QcB7iOn1pA;2]
+%#;U`,S[6__F9j`$-nj'*Y/n<fEIV^V]l!jQ@+#bTRL7sCpGCT%l.7bPJ<_+B/=7fQn.Xp+;/+IE0?a'[>4MUJg(N=INR`;LeQqb=
+%hHmTh/sO./+(niUQJ#QY/B'M1j1ISNmE>EVYIZuFkK(YFl>1c<'h(Ma8/"BTr&^@"r;>':lG7*.CbCjUDTB0@?f($QI7IaGaE(IC
+%=7iP]&LJY3a^Z.pZI1NXVcgWW>J/33CS\)K\Y%m&67%t-SE=^gYdqXCihtCVDfnD]F?pp`Uo0$^%:l0'QO.9FpMJ3[FR$@Hn\dlB
+%(p6DLgknP(.7p/_`o-N]j7`DnD^?#+;%pb;DSp1]GgX[r0(LL2aiJ\V]2ndY+"PY"Ip'`]Mtb=g,*e!b=abSU8$rgkmaU16H%DM%
+%+.19_@Ip5OT%H#iD4^[P*Th_oBqW&dNFAFMpfm^mrT_;/NDJg[$Q1aL5ULrI^7AS9L=HifAfO-"-EQ'mgo=aB5<'b&Z4s5;>N4aM
+%hSjs`\Xm_9,rpB2Ohl8QYTaJCd*F&[Oo7Xf6JXShZDd339EACZ.IF]P,3A[Nl\>i(VPd`s^SOaY+?ke"$sdq;IU55*ZEF_*C(5[c
+%OldHEd>_9V6Z8)$.R!<iNTq3j!C%J`hqJb9jaB58(Ot^f9;9>12LHk2$c_hq8&&[2G2fK(>]cpr=InJl]T7+4m`(*'s5\M)b=MF/
+%(9>4$NAoZ1D"Apo1Wp`NEShrs>=F=(Xs"YSG+M]+`S8#uiW-P=04Z34]0)\_B^JF7(c"e=FeSME-(NBEaR!,LIQ?(^:Y4s,)-;^`
+%&-/X$"%4$@RP.&3(maXRFO7<e)E\u^OF$M>B0>pjn+Y_dA\>D9$B7Cp%VL*UrOHB4k^-!j=XI;H0P7\9SeI?i?.hluQZ@Z,]2_Q*
+%W76Y2]mK#?>lV0O9ng6dX^"f`_l)Sk+ZQai&H'p6M[cS%[:BI`r;00?:o(3UD-29pGW)'qY[3um+m`+-f+\_.o6I)o/]2'KI;jdM
+%ZWgTthP?hhFR><J70t[;b-pWUnJF=(D[C[]+l5ZsoCOK3ac%CgkK*DVMr-k+i8edBbK<IDhX?.Adk$a2[O(S!0'NW=2cT.%\\<4d
+%q"gE99>3T1ZlSWoYc&?G%+0p4naYFS<pu'6)@hD&RinX[_QWX[pltATBT3qZJ!Q*Fj6OAq+4hdbWkUDTHH%e]bBJE!!`:AD<_j3)
+%aDU1/CR88sV%:;`hgH:Pc10T!^-=I=or\5MH`K@'mitO9dK?eGiaAg13r%8WoBDLHe=Q3[\"[)VJ<*uq4F%!M%O8C&$=/baWL4Xr
+%ZRI.q*'20Q'g@>!h34fkTAHLj*p*4Sm?bkghum[BpHc"SU0Ob'/%5E;(JlGb\c'ZCasiYhdZ:#/Ut8JT=)/9f`S&Krgi!5$p9P=0
+%iuo@B<Y`?<WWEPq;>P=&3ne_,8&T>hn\<j+OiID"mF/'pMY$_P7+%$YQLMVJ9-^t5?9+jp\0'b?8h9D%jCA!UHcGY=m'%(2e(]-g
+%lRt<O;E55Gf7&3bfCp<3-ND)@bgunJY:`@1q6!LXPFaLGPbOf!CP%N[:6`*I]rgH2kG\t6mHj=*-#<O]X`k/Mk*(5^)=gT&W,=La
+%:+-(U.tNcrBg)0Iq5E^D,c,n6T:C5,/"j,=N%9e:PDK+G?E]T+IU+H`\V5GIN]qPLBg]&f.i[G0Ffb98JS4F_e@oKLFBSK$SQ+(@
+%lLHr@,M]%Ql[0QTG[Fr0*V2Bc>Fde3nab*=c0siJS8)$^o%o&?A4o/'VhE80<"ZQ"A'!fig",IbN<SR*C6iBI?r-,)3u%UV<Fl2/
+%QsN[/Zh,#tne/JsEec!B&;ouPWH6s4J4tTpolT-/e+fKm`</[UkfJZE+,R@m/90M"!CucIYhN#.U<%$rjp9HAn[i.E*#EZ.#mSK)
+%\B#_F,76Fc`%;GY8c*=r:ZiCT'`lr;<`5Lt?04Re-.sVg4p$Muhl6LnaHtV8QN?Xn-s>VXJ9;M8lg.WYL;@*i9L@_Vfc7W&-=6uC
+%S$eK"N*0"KY@e&+'$N4<\tgfGr>DYZ^j05j@_fU>b!o+K8gj'9H0?/3j?tP\F,"pNjP,<Rdcf\Lj"[%4F'<#-C*:i:-n<9mfi51$
+%)TEM@+F"Y%;.F%U[-b(M>e_g;W4=U0bqp3GU7rXX5]0-m5V4Zl8*IR^,,)S9e+m;195LUmqMPg86@DW_;=QDl=/O3NTO15d!Zs.#
+%fil]MM[9;dTUT(\/fB*Fisu((&'(5i:pa+k%(K1.VDSTsZ>:`)*OL?k2'iuA1;<W'B[=(X<rFlEre<hdI*p)WX[5f?/(-mrHdC[!
+%\2VnZ-BtW@%#nIk[?jKDP.2iJ8rgN`GuFq6(S%4Po?a]a2"#n!Z#324nTFanb,/HFFc^`-[POZk5Dtn--Z;pfVBcGj*EG"tW<VNu
+%WIVf'"2)9BbTk;NTU>OS))\X&9?/Ru*YMR+Wu=QPE6lrnT)=u%p0H1\b=ZN%%h!O!0jOW<)c2hiHr:tWbhh@KO@M6fLOcr%Pm-MV
+%h?ma=\kLIXFXq7NglF!!&hiYC103;^(fh]=0D"IEh<5m\]nWCLlRJ`)Rpm6g]b^^TJRTXCrh=pkOu*oL[j#X</b=N=kq=4Sn]?\g
+%e3(AbX\;V&)'3Z5J[?hNZOJbe26h,*$8M$\,R-#Gm21#k"?DZKIg)LgA8LaW1JIf(Cu)r]Ukt`^JmJn_[:7jZ$7u0c_aT)/;!OGE
+%Qf7hG1>([YC1;paO-fW@^q9^=7EY'U?oRVM>O-C%l?SH,*gr:Oi;`kk_./Hk(SLD]Qq:CUWs2/\[-sL7kZ@<%a:*`[HW_X4N-LQW
+%EW%A9Df?)Zr$!op;$m=aQ`N]h%,.d+p'OQrG_70Z(;^Vqqtl!hk1UTt#-FVU*+FK@/!U.OLRLia3$DYKmsF:-=jrTXn\199%kfdW
+%E.KL2UhD*s$]&(0)AX)/aEX2a,A^2THEdNfAJ2W2<3g9X=ZeeiUH+GgRE]a4_#LG582c+g,[<kb7^38H!<N2@IRR2nZ,=el)AuTm
+%fkAM#i^H,131HHJIToBF&pDse8Im3H%TOrF1d[Xr9*9``('XVGfNHs&_f">SBnX\`j7hNTY*L>2j[6IsR5B!#A/'JnX)%rP6W/0V
+%P<--P2Q'u_WeOUgfXI[TZ\@SQf$K@pE?fMII#;_u*6ot6IiS6B)JqRS^R,V[_>OoA%ZIoRBK(i'1CF#;*EW`@!m2J4UgLk'HS<WH
+%AIE:^_uQ46=QEjC`IaCU"2ZT_i6QS.,PhQj!u>p`ZFl!F6bRWC++u6W/^/+f"E:9ST>)phM@DMdmYa>?ZGK\ObSV9a(n<H0F:r*A
+%&Am_PHc\!go_j\"#9M"^alG"?k2#;1Nf_DW`d.;Ik?'ZE`\)H$dhMC)AC+2XCmCNE1=8WK:8U4&:UR-0J<j'Sk:nc35V6!=K_rQt
+%*fLP;nlWD).9XXB3bu!3/?QgsZ!sTjlP+cj5=!)&>U7`nJmTYpg^6],(26rcV&Ek-cXpZt_c+sf1G$nolJ%_V6Idc4BXeM,F=fJg
+%^qL5OUs@GGjYsZ:[A;j0&'0*W2P<]!-^.PF3:<'N[tiU(+SNoFUkraBi['8h!e3-JId.LBm459:Wb)iR]7<t@((I\IcaIaoBEhB8
+%iu*1QC'q:[4rdm-R0'0o$,/FlWq_iOV'%L_37tGH?s9gQG6nqI4SG.N>dp<fjJ$5aQALVAn8-<6Ur`CIT?'tp1kZE'L5bCUgXYG!
+%ftY&nA$Nf]o)@ao)TDl`g*b@+X/ZujMPqE%aCL*YBa#b9!a(H"J-/ILe#o(8!K6BQZF=4'65saaSL?h(Bh>OH&jE62_5(WX38@i>
+%+KS/bHq?$9;,e8B9*.(Pr4T22m+WtsfLNA#PEeVQ&tp(55C'AOX:i0t94M,i4\3_Rl>U0aj%]eaL7=!`!*RI&lGUG4eT[@E"^0Sl
+%3u`NA;f'BLamr8!ErcA+=o+5W34"cp;JfC_RP2`MTg#eCAgJb1Jmo<b#C3WA%\)O=AO3Wm<e"'T'e$'"n2k6B"lHrHB?YZP64n$,
+%jTA`uZa,Q6\n&F?EK7A*Z,ADJ&VB9J8DYQPY#U'_oiV-9]Yl1c.D8iC1m;WbiQl7[CR*8.ZKO*G>9<77=>*Xof7kD^.N'"@UA4Zt
+%5&GpL>)''"c,V]Sg=J9lF_7T^5CfA<c4=,!jK.F/9Tsi],ChULao!u_/EgU+%1/unk.nEg"Nthh3M4JOQO8X2("omma[P:dbA)9s
+%_f/&4?,q#p.#a\`7)A%qjlBrq32Y"pfk4f-jFs"E2!DKerm6dC,T597OO$t9B5!+L2j(5m3Mk-T=X9H?Cs&0#>uBm@s/cS0%hRqa
+%FC'"X_Lo"$R[)Q?&?35YHA)bR*kR9pYSMS?-/3mR\Y3KJ.&5VM\b[([2g-0ubM]k^:RYA9<PT*]'nmqM3g0QQB*(5&#lk-bgS(CN
+%o$FjW\Cne5+'"Vn3?Xq\;;pYK:*.W#*Ib3OKD8?W-*%;7gj#C8Z@PVD`(PEAk$gdBY\9/0K;ga"B!E1C2d@349h5EIbRTQ5(0,nD
+%c*HN=I^Ttli:]`NZePI3QL9HTLFWG#4m)d=%g%O)gulb]8h?jF9i_Ri.CRc>NV1=GK[gE,50_$$B)XR/]VneiAh1-"WL(6%.m,/>
+%+7q=63i(sZ^t^&J8&SAWN_Ts%@c))&Lo)OP2Nq/q<OUoXgnZFc"6+hs_mlIZanJLN06`d8B'%0<7"&*=gP?Zq,$0h;O),>Ks42$G
+%PeeA/F)ie3ZWM+/Hd,r+P<%@*/ebN_2qKPH3Ep[#i-AEtG61p$^YSU#1SuhC;d?sjgWS)opZ:&MZ'9C*8T=%&TZR%%29n717n('m
+%^XrsXV?DacM5?D\n&:pW^T]/_l`l89A_SYl.E&n%bImG)fR')S?@mFq-f2rsD-0msS9j"7b'#-6.)?:h!u^3'-+--"KF+Ft=j2oR
+%"Bp>X=FHGs72!PE3>b+)[OC"lDS0g_c_AkJq1S,nWY+c%A91[gX42&g\(,.<fJ]aCgBLYk,g0PM'e]7$4UiKr#SnomW"cXN#gO+r
+%V92bajoG*e(P-=8nL4FN"c_'t5E1*[FVacW8E,NY)hERTIc,70c2EOhTk2m)>X]nNk&*>k:hLHme,ZjNW]2dicE"\@YJaM=)>Sf_
+%diKN=_8*.8;,,d%S;b55+VMOlVO"6%B#Oc0<Ss2FNiY(mE1sO:NWLCW8)oCjWe"/:@raf4P\[(5G88J_O%F;tAHj?iC3^P8ahGFP
+%Hde<CaJ>5om.',+Ho3TF!Urhn?FKoA185#4,qcc<3<*fS&Z_C;g<fP*nu!4pO&pao.Gi<S9V0VXF/8BA/DIZ2l*(Om/St9-0ZU"Y
+%#'3g5kfUiuh!]7d:%NWZBRZEHhEf)"5e7/L3U%:NEfcZML4b&]U:>9Qp^I.4!F[4jnZWdF^9$n:YXH#c;R^*:HI_Jon/77F%U%A"
+%F=7fubQ>`)mY+fboFLh/#E+Ij4q*_%8_pHa(N9/q*<AmhA%1HG7t';RRE9HSZ?_[ZG\7,]QXijDC`Ynb/"HOj!^!mt1pUK4#3:3F
+%lD"OWZ7<TR;k^Ch2e`Geq1D-.?[k&f#O]UC4mDN/-8[4TBQtRRa0$S4%=]$3;H2IoR7.<:bd(d&#pn*?K6,RElGY7-5P'"0H8+8:
+%FsoV*hkTYg%c-Ijn$R6?]bU&`@+H1XcXEJ8s-jKM&Y.m+^`<P;:n4`)Og8)-Z-+H"7D1g%[Nbg\Z/?i2oEroP0VISi][2!f%7W3F
+%gH?BB2+lsf,B;CI/grlEaC&1><Xrb16%[H;1gsr!_euliTaftqGo`)e*_h^QXMs)@C]'R%mkU].iq/)BLY_e(D[o7GYW-AT']rCt
+%h6:?n3"E#0(<+YieYn+ZhJN_>&44)^lP]]AQf1l.W,)/hgug6J`6fMn%EP1Tr^=s1CY@bI86TWuL17WihIGhBFRV=8hg:@nj#9:\
+%f0FL[k`uXU@:3I3CpJULYdj\`5VgR1Qh`YW69'tHOOa1]Cl^5:(#n?3=D9h_<('rAARn1bf`K*dL(Ej#,fqh54Hf2k%oKq>5Jqf&
+%<Fs,Q%Ks#8WcD[;EuH".fE*nZa"ZEKl^3(oO^D*C;t#lH6IrW>b>9!CUrt+k_r*9%/0j*A6BR@A"(2MG)Dbn$XX^RLDZF<9=G!UX
+%V?*c-?*OY99<=f'+afr^p]Q])&)%'S7V:8G=<-+s8K2]PV[7&1PC!A"`K9U?0W]EiQ=Q*+]L6&,4QNBp1rc+Vl9f@")'igO@U%t&
+%QNU]^9JJN[nAUYUMip14?K<%K:lT[/<el:S5MJ!4CN+E*l)BVY=3_+Q!eRh.SeZbn_g\(pc7fA4IlAVL\:9)5I]1i3/IVfjJu]<k
+%#2fH!9F<Z)2!5UB,Q(e@]T1-YYKa4*I>KQc+n"RC)%N-N/7j_klC9fj4dPe];lg#$AdhC!Kd_^MT@XFB<[Yaq6UZb#G;X=-r>Y0t
+%`aV6%at[+"&^S<36t#q%Z5EN`I*]7J#BH?m!q5,.)[c,MN66(+cXosDfsqjBjX\:ulX5R4Pl]>Qjb[do[gjB$3m+]E\j/M?DF-7h
+%7FKY'c._BJbfM2qohPj/9@hg`SYT-o5er[*[M'YkGC,A>`R)SJCiR#Jo34_V,E4#+].^"E?Y&i8RY5,SGt,kUOD!?s[cdL$cgqWS
+%pXSk>UV?+385g'r/;J>efuZ5E2+Q`LI+DuTNk%TqfYWAf2nS+/^i.pW9>A6C=Vt>uH@=K]]_CY`HE<k<l[0F1XTXYN[aC!+p%KQq
+%RJ$32;fe0rJbn`_l[:t6m7I$D:#Bgbc9hi"c<0jcT+r^F05+!2HeVTu]lJMEb0s&]Z#@3j`\[NsA'pm>;-oX!o8A$lp%;Y)b)pr6
+%_ok";%f6!85/5sd]j86f`/ZghB`s:b/IRa,oVt'Gqeb@rT6>5%pRV"Q!ShdVkIWVHc?B^l`Notj1S\>e+uRG!E&IF4I8rkK_sG<3
+%c%=Z^%T[']Kq4^G"S$h&AZuET-2F'7:J;]YERpD07fYI@1ck9lrdD6`!j/h<f<6K&_Hb1m+=:S;V@`!D`N!/E<s_KO;\+34DUb/@
+%IV@Pb4EduAXL>SO-=O"de+*W('U:@_VUFLt7BF6QCMe<$=&n77(!K!8(m#=`fEaO\\DUr?AJ+gr"5(gZ3!C!]7Pi['LT2T5%)k1(
+%,hYL1d(TSGDSo$8I)0Ab[nUit\[`s2QA(7<Udj6C&h:%Af".Ss8YAEZ;fV<WdS6Rm'`ubhg&si$\bK8D@)XOq'f54_0mLhk()p'o
+%*4nX0c3?MNo@WI#Hk"2gpK\PeDH=L+N&]I60;J'N%\7EhRDT"U,+`1=Mh]+/?4%,M(BLS6_Vn*O`,pBsfsVD9"l,_h`h=q=`b$*o
+%M`6hPZ:^)uK4R%1TJdWTlXl_Gj8*EUqI8XhLD=7,%:RBb:eAPuFG%k`alF:&"!g*l*eP82H%7ZCi&b0F6X8D"6h/uZGFMBhoo><+
+%MYJ<fnk'#+ifo+Q#hMW`1\hk/W6^-hd*C;QV.CRB[+L]SGOJ<-&b:Wb>R)FkI_ip@A-']DaE%h61P'qdG7P2:QLfcrAaEaI"qRTF
+%,Q<M&AYjoop]@Pd+jO:&)oE>LRi)<`0>m<!!D)?di"GJ<7B[#8#p:H\<3I5o5,!lV%G*M]`54OV9PdN-TUfr`146iXD.A).IDg\l
+%'al?)^aco\.TqL"=5bQ_B&[FNKb&sR'B!(UQOJI>[m2[T["aO(A@T9S/<RG>*!l%/7uG1GD2[c,:S[Gu#l$-O$6kKe,;Guui;d0a
+%EE%Ju+/=S0QW<2\/jJN1cf2k*5V>\YK7=_0dsre+'J++n=p/f@/LsGL,>T]qN"Q/_\4uOt/[AY_Ks"\-blXS\dCYJ-pP(CYW_LOk
+%YaE(9*$Ci)CK@h[r&l5GY.J*i'hj#aUqlL(d=3"#AH_T/h-=(FE:2uKB-;K`H"dsZ"-ELf7CIa9-(m[\G4P3r&kh<>997c>=GMWA
+%6t6YQ@)d8l08*mLZBfB*fSs")]Wk!.<'u)u0k*qFJX--5@G-6\1.OouPaE1W9>gA>J;0sP7.sInUq>M$hdIB^aCY(M>=9GsRmYlC
+%\ZLDh#61*a[gu\p]jfQ:Ms#nq!N-<mj!>p)c8\DpXLcnA'@URqZ1[\3GZ7'QFe8ZV(P-FS..>mqCZ8Pf20N)sq&D,EDBKguJ>VNG
+%+U=Je^aU:3oYC9V-'!##P&4a^YkYDO)IU@K/n$Z#h)U?-dHj>b"ZiDo,'BZQZ8nS)?@0SS3DeJ:prAkldZ!&GmG/"q2^E]OA7I=Z
+%_8h+")cKfp`OWUmS!>Z!c-),-)Pk*&?oTBbh2Qlr!'$==82NLJQ59J>\YES@`#^ZfAn+gX6NHRL)MJBK%4A'l&g0AHaImm,s#n-'
+%!gq.r_M>p0J0p,[#Nsr/.h\2AX>2_;*3MY/QeWe<1()M$T3BOH]_(K17[h4+^qhr1&!fgIRRB9K3<qW(pYF^;DcH9R2F4^("r^UU
+%/1)`-;1o&@kBouq`_k><XZc1qq1'`SnV63/JfnfDf5G#Z.=IiX*SkJm8u";d>5Yg^/=p(sPpgle5(kOAe^(ONg"UDd:N%TGlL!h=
+%IfBRjBtb!HMdOK5Y8F^srM6T^e,<]!;I#j7(hR[V7]@If1Z`ASBI*25b[-bJKER7Y[(lFZ5Mi0&D3f7nqsHVsU[9jY5/ZW2hb1QJ
+%e#\Iu68JS<e)&7Tr8n3"%$H0C&3'3ap)+NOc.9(,de3_#L^ZnJB'(K>;%&+I,9G=XMAFkr(=j_%qYY.qgK(MdMh\MSSgtT;,_ll_
+%['d[g#kFRaDjWu0A=ade0rEpuI=)!^hlW<9=Un!/hX\HlGdJRE[=<")S1=KtiJCi*)R:@[R]GNd2[*P)\%I*j>^GDiiUQ(ta5@f6
+%Q<>-F-?G6=GFj0Wc4BU%11M=90;mOB8d!/>RqLSpJmr,17XJZ,gaOT`+__D=6bnB6TSA:)n>6ca9L'DibaBS-p'-03[8%[nncKs%
+%D)1[:"WUB=raL"+B`;#P(2;;i[CGRp:9m7mhs6%,.,\^+e25O;4eu^mMB!l]\?gH^@;:u?,DWJbP`BK5o_+^'MA9i*PPthWh.<E#
+%qQX2/WRO#c@c[r(PT9?+&#JBrSHt!LG4W['5rX]78X9?5.S;:&Hd0i=@e9PF?^ARDANTGZqZW4$7WJd/&?MAQ1&@Y.@rNSaOMsg^
+%n<1F4Ru=2B*$b5IQGBkT.67fTDQ>H/>51OTPA,6sdRN*]TBRQjp-GUkWD1"WH$%J'[W!/2$c1_q_)K!2LjN"](pE-C(AK#-'e\uu
+%pe+_Y?r,H59]`2HJ%1OO:[,N([YIWP"?^q[i$&Oj;G:^^.10#dT^:.AaL0;IKO>go!G5u(+(!s2=R[\/8s\U\]85[/,.`SZ.WcG;
+%p0MY]\enN60^PApj546\dpI`AJ`HR,m9d^oh<Nit>V1lCq.I#S-D8jVdfP6b=D+IR&N=S%gp@-;bOg7e9iVpq2q\#Rp&o5L/$=Nr
+%XhiV%k\6F]X;j)B_e%Ki2iE_0$chO#]SBmY-iSY:^_[r&k'k*JV2qta%GRW8./CurrL@2G@Hla']G*ejL1pWO<Mnb9!^/8n_=KTa
+%;+WuMKY5-1*K&tppL>X+niHd-8hQo@=7(poTVs=U7L'u,^WL*+@!%89mhQr%<i\X2l=X7Ebk'#D?4?-0pI*G\,"Fr?<mU-aF>DS0
+%ct"F[)m93RBrT,5(h2n&Eb)1n2Ui3!h^smcZcS*,>q$9,>jW_Oc:7`Y$pNg8Gnt0NYE&Jm]?P1I(Qc@n"5b]KDmV,cY.OLnVr?[g
+%""1r@mkb^dUA*Di+J*_/Bd@4OQQKS3j#ae9MAL=$VpKH]aZHkGf5fqZJCt[gN97A)39Mu!lGEF$6j?5^QAXSaTHf:(Nbm-@<6P'R
+%XA8S:Tl;q;OW[tB2t0V?H"n*6m"m$M3`*h]2$B'*K2laJ4<+reS"m6Nf_Mo`jkagC_Ztfs(@>*e>*6QQlp'uuNP?Q)e7*;T!sNEd
+%$QSNS3:8nb6u>Ri7WV.EZt6s.*$dehCs/9u>gi3O,g*K)eU(1Xo'Udt*4Am$Z2LV<8Wo'InX>6MeGg_&R(m*A3N(?Nm@(Pb'YVPr
+%>+T&qk-TY=<SB`&aaiS5bkjh1Uq@blN"f"?#2dHV-6D@mJ?fCnO6GMQ:WX_7iJ>c1"Y$#U!Znt!GF7t(n+ZG9K/;8$n6!EW<'qtt
+%MP=WnEIBaGM5TMn9JoquOC(+%bsSm*l',CaaWpiWEIoC4B31][B%YK*)(0@MVrM"W@msMQI'Es(;=c>7+\e]UF"*bLDX1[?]'Uo;
+%bZW_ZIV:T&_CG`^$ZY/UUd0EHihdZ$#7]E-rnh9*P]u'(g%;XRhX-\5BR4+.eLpMWXH_j$KV`97,A&mqd98GU9(pEM>9(XMTc)q:
+%+,1bDC,7&)8dm><2^I[67;&$*2(a^q1KsS`]]&g*:XH'NHC[IiRM[@o1#u7d8t<m\_Su@40->)DA2.EE$[_^)1"QjX#DOFWW3#;>
+%R:,n@n!2cqSnr`i-chPl[8KlWlt*KP%e8*(S:(*QfiQ#Hd:DcPn4I6?%$)9W+G)Sl/EZJ[bg^Q8_:t@67;M]<P6HZAl1@[K8T#@"
+%E6r=d@Dt#MpQA\5ar4D^qjJu-D-;OJ=_BR$<qbOTag/Nd#uo*[J!u)[N['A`*DVUZ$tI)+0A;B__CP[+rCfAoPTFQ:%VqU1Y;AKM
+%rccs+/83mbe%$pE8\NC,_XRbo[B2(<calYXAstFuQrT2g>)#(UQ(*uVPJYYP<<e*)MrtuVpc*Yu7?/3&53-<d(BNSul&.fC3$BIs
+%67BQZ4F3GHOWj;V_;,h+M.L,@T4R7?c6(^taF2H-C;_2>bH]4OfK(uiaa>3j_!<P!=:-`rIu(_`pR-Cb_,OP7,'5QB14IeeS6:;d
+%k&^@&<!l*=f.lj:p=$F,e3`nh4e<"h<DJ$n@W'MD%.<`,XSRSd-Ta5M4V`p<7EhJbP9njpN=,]5]'u_1bWe=?)RaQjLIE,.;b"XL
+%?2aTLUtaPc@5R4jG5![^P]+iqR9,c[X0nk7H4QVu&,aZ_J,R:"qhtK^rp=(mqY1$Sn,Dg3J,#@;nTW%2J,:>fq:GZ=0E:\1+9(NV
+%J,Jr\`..Rns7fC)hZ)Pis7lWQ^F]78J,(btqZ$R[hThblc*+n]h:I/OqhOn?o,lDAJ+<<kJ,+"Ir9NDCZ1r,Irg3Zapu?jNr6,-;
+%&H0'[gQ2C3O8mi3SUUK`4Stb#ps]q9UGi)Gs8'X2\dR/$:ocFkDboAtJZn=JpdY]6af_99b$P#g5FekGoUZcR4qmZ!%kkl2)*_XH
+%.,:Oe&[XA4&Le5.Xh_su2<dkHQV+QqhEHD?gCO=Lc\j<)s5BZ\X*(-<T5BRKT8^k@*[Yk8V%<O"Of8JW8\FcWr3p>9j1'_\>)&m\
+%]m%rBWh7fA'9O`@"3d>_7#7u9,5GYk5O1D">lJu:L_KXqq1_V&ZdkXQ86Fs=R,r-Nrs7?Vl<+eR-DWb*9UKdpf_6SArF#r\Z`3H@
+%j$+78TdG4na4L^[Jsroq8!H=]!@Hn+M*g`tR+NhHq(.P:$->)^QdNS=@1Q,b?<['*22(3BDP_^3*bVjkefO"6$O;SRVdLU33,`ra
+%7ie_7>h$P1h>kHB-H(o)F*)5sJ]CKo`3[_#Pod!a2[5&p`X$JD/k4HI^5^f)\DU.&D7C3E861UacTVbT'>hctau9T)AO_6-]1r9g
+%Fr2dRa_,7kD]:7;/n*UnUO^Q$AC0iEU?QoY_8m$t&"fsaZ%4NR5<d962hY+7TbM[9a>WQ:Xm-SX:9b!YL4hm"<_`A!(Nf<b=>Fff
+%euAq!&=Kc=S][;Hpjj"=cr.?Q/LQCQMa\j#0qp4(HoO<Eo`5br_`B+\"GF"gD&/9:mn>k9&]lZ#&f/peiRhtT(0I?T7+hhL+f([O
+%ALAN!Cf^%^Z:tV2m5%_J!:Pj5Fne<t"YA]*PB%S37O.i5VM>p"2XFEa:ea-q<F@sT0S,MK'=(cHop&8i4prlOAI2LNRghLBa;Z6<
+%V=\OF5(^dpLu7g8J['q_.:ihOp6d@1G_on0D%ieeIT0r%QBR!4>?<N^?/#t`YglaYaQ`&6Q+Wj@d-tMYl023SNt%%^l`Xt3EHK!6
+%ejlg=-Qg7brIqk-952GUl0`GX+#b,EH^pA=HnNtM]WZZr**:PVfCFQ6V;]9jQ6123WXmbG=^shq:CUDGBTHr2O5f2?UJkZ`e=m%7
+%8;m-U?\!46`ap%_bVjpiqW!dhpg9g--M\u3/m>[0*MC*PB-1V7iBs`VX4>PE8+[!^9[.Cj!RE9MF=QTJ";gDu?DWCJo;/\8?Ye!=
+%SuVHkBJTb.e$=Ji(oMpCLG(>SK908BG)iL&VJ5/A]8g#tn^?@%qeG!<'ej)t^<;n7B[8HAar6A="8#!bR`9aG=\$9_IaTSm'S;@6
+%-7;B9T>Q0;`%UZX[AVanPOV7.*LiDVaq/_h(pklH:n%c<$KY-5QU)U'<1Fc7`YOOBY7;,(C[[.Pf#0.a%0B<V',J)Ofdc%7-EPnF
+%U=NuT^(+?gn-,5W@u7XjiV%=7=bYE!"OeEoJJgA-]F`Wo)6Z_Z9J^c5/6TS^e3RiYH"X2(/aF-q<sLdlV`AN8e8H/9UG#dQ)%PJP
+%lUNA-VV*m[$&GY`Z4a]N#H*JCgM2m/hOFOoktTEBa6M).2-\DD*3lXXLY=p;<@b!dSD1e$NNEC!``0Q[Kr(_^H)Lm&kXLT(<\kms
+%i<o:>Or9LiH-TeSATKg";.fSg#d2S/eS&f'<3mLHPo5Xjkg;6!>FF:]d6o=^)mmWG@+*ld^nXQQKFbD7lM'$#'=h[QS[rW/jF>hQ
+%&HL.1`72'BmA;!K0fK$lT[=$=ACo'%4=tUk'agR]/-]l)Fl^"_<5sit!P!'*T$8uA0X\O=XDdL:9O%,A\Rj<D8\&WMSF&ArhoNCE
+%nZ$11E9FK+C<]PhD.^\HSc-`B"ANlNfec%oR;b*okiFNUEAc2pAWLF"e(n)'ZB&+DbuW(,%sntIReY819ld\SZ2q:K.]]*r9,Y%d
+%.U^7-2DaeN<".?rHj/7>%*QRn<gRic+X@eh<]IK9KMWq:qZfp]L]mtDHXn&3"6'K'Y/XO#ZQKHQcL2OO\J@/<S(<%@MpS%h13q#R
+%L[9+W:kF#o6G[2LQ.bE.O\N-p?_J#PieLO0"hD48C:fpSCs0)Q3o#P8<inI?@&sC+\ba0o]C/ZkYdKWg7'l([K_,<09G.FB4;ir3
+%(+Ec8JIlEl3]`J/UVc2F1O5(O`u]'Mqut8-Pqqbd4$'U&m561BhgO,e@Ad<'_iIY>'B\^`&H-ea'$;>tK!'32!&n7DLq0_QT:s6i
+%a*KT#.LkWEp*QS)\nOSWYg</g$0+dW9HaV2r02%dm9r?HGO$%bnMUEk'FJ_-dk8<JO'M>ea`."d2fk:Sc*_Kn;>=7?HBui<',Fl!
+%PGdu>fJaI8O__=n9]+l:KjYXK?qbDU>VcC%6;YnZSJ<8G]5ggIGZ6W61?7%-Qad?Kfiu_4_C^$e-luls>sZ2!S6Aq)_Zu@V4P^jB
+%UhR\.QC]?JR^Gfb?JSd&X#6TZ%BcT7Vj`]N_!^teZ\`P:,0@DTgP*aU2LQWU1QiS!ju<1Wf5fsX$TV_V,)[4aPsoG)MhK\oU1Sln
+%V5C;:%s%_fpXct+o$fgP;gZ,N4l(CkF*LQTkY5W,eqr#%L0`(?l[HfNn9`gAVMhP/5"93Y3g"M-2s&n%$0.<^Um.kEAbQqL*t80Y
+%igc0Y0Q;G]eR%laZ.g:0X?A>F<3?*?hB+f#YS?"O1*P2>c"+9KlmhFDb11o\G!,HW*funls#tXN!?lPo^E7W0T`\J*r-^$+pp85*
+%_AnIdS+j]nd`2q^[6V,E.@)V=.tu*j;X$&NN[5KBF"(MINce+r1jB&:(?p1gVX^&XX&F(4M*N<n7JIC5EF"2WQo8;*J<RTqP.WP,
+%@#K\q"\EMg2"=Qpb>opPKMOg+1gQhFDAqjb2^MT_[QDl_pt"<tm,Y!4Q&g"KD0JsRZq,2'U4Obbb[%L/HakZ.^n-"^lh7#7dZ'rj
+%/gCe*iksBiWG&\5jN8WVk,Z)F,igi3?cSZd]8ta\G\Q.h*1"bfE2e2gbeujq<]=bh^IC0R:*uZ/hEGi</R5uq\YZaJj7LIIeO!Ch
+%12LOCB=#_(#_&-O=dEC(Q=-l<2U6L8^O>l8ojTX+FBn@!YAS#r]4@aJ)T$!;V8R$.+bQJRXat>rPFpBCV5Ag2E@Y1,1he(+(-d'$
+%!R9uV@A>2^TRE(+2f5IjA=5V.ln\9RVV"Aoahl79nnR,!i*o,'oO0*HrIPL)8)8cEpO;c#Dgq1PgAPrKL]-nLJ,^2lqqWCJGR9Q3
+%>Jk!SEgrUF*$/@7];Zs1hk%asF_!LsDblAjLA5KdnZmZEY<V(is69r\+k)[,1Y>bjl(ZH71jd-5V`T$f/nEmj"X_pJ0Fs^K;d":L
+%mNi+RPIS_3$_a`Bb8;Ht8E+^ua'9o/=K/e6\'0bk$:5B9,EIOYg`f\UX\\R]5JBVUIiPBKBuY147rcp&"N`*MN?*A8%d5c?`3@J=
+%cj7,ghjRgV;=g]rY_EC]!A.4Jfk$aaet$Y!ag2RI`O"nOi5'9F0B!7CiMuD<cShk:`\_:[8k)kY0D`@D)i+[`HBoGGZL,mp5]2MX
+%Ri=?_V$<eh5]aHE>mA-d-[!/@>sc--j;u5"Th$/21]6f/PsV#R4t;K2?,$bE5X4PDDV_mD6UE.Cm^S-,2=llt:nDI"L!1=IG"[ei
+%Ir5Ma]sAfsFa0t3%459DVNBaib\f8K_strYZNK`]3Q1"fDAHUXU3MYt_rOO4DYJRk0,M^m("!4GS/UX#5O8&"]+\aT3Ssi_0(+4N
+%Jk*n^2-lY@"Dl/ek',e?m#o[c<gIMPO6ViY`R:@5BRO6Mb1b\Ch3pEV]"HV^!NLlpG-<bRo@TU@@1`dQ>,uekKh:0TQ1i1HY?5Qr
+%F_&?Dm2k"iK/@kO;n/*[)tQL9A9U@kZ,03hq1P.%l,K0IJ(k^LJ6u+l!8pru4]29?VIpXGJoLM_Y6ZX3J3;Tn/GK&pi8=2H1CZ_.
+%+(n!,(g-Cak#rgn,')>=[^fC`f3tGs%5D)k9IhT*@YGd8/*[j4X'6*826d/45c@=q-V@XLmpJUKoWg*)oiu?'"'OoPVUu\j+.'Xm
+%^e3g<VAidh_Q^3ag;gc"=;JfOE2Qe?oiUe.;O)&%B62!Dn-p(UBSCGcB,-R1*K/`Md&NV5g#gJ(0R&k7ZK$hMOVdG/SU30N@r\D"
+%K8]:0PT`E=,E<JMO%%nTG8^&4Y-tWYj)<o67h_>q(<:=`nsT&[fNF9lN8i.nSgCc.*bN1a1?\k60Y;?/5Vc7faSI91P7%Y;*^]Y#
+%CpXbak1t$m224cZ(Cr+g63_F9*f;i<*FsgSg(D$^&qoaZrG]XFi^3/i&TX<)<LiU'J$.?QZ6alq".A,4Yt8G1p$C_]>YSm\0'g?X
+%<b]HFST%;W(b*b-%(]Q"B\%oe(6Kqt1l=H'BTWsa\JM6'3nGNLj_e]n80_`t'U8+3)M1<%<Wt<f]r!)3<sfEonQLV1VsGXAPbNJG
+%aW(<FlYKkAn("URAM1ZPEH<'!GW#E)d+`Y5:JtT+KN"*]ad\lL*1#$Wfu*%o!-qrsEHLOc3YlJ.RIu"K?PLt+89+<8R4sm(=Yh%X
+%-+pQ]\:0`p9N]P,$m_jDOa*0eIL+$uA&=!if1e5FefegRs/pdSm$)._Oq/`m-SP`f6J7<)CCFqe^MYhIQ&TTS9.GfMTJd1=:R$XK
+%5E%>A!pb5Z[)V*7-l$Rt)T[;3-BBDl.s&?&`1di:(9,=_cGA8H3t>2q)0AE(lWlJ?/ZOTEfBK4bZGtY^=.PMl.hY.<N#kS@hASY.
+%6hZ_qK@$h>99XjUi*;a;PS=uR^T=@`cDFM4/E:q$b^0Z$7O[sH23=[ugEQj@:ji=,A1#")mGMaSn,E#Fr5HGKiNN7Fb9-`JT7?gO
+%J,/Otrm),&T7(25['oOts7d]8cTh?N5Q1G>5Q9>CroIL7q=:^rs78JTiU?:&TE"[N4eDRY*rgRlX8Y_Xor;,1Z@&+E$@?@;Cl%X1
+%'%QB6Ys$pLqj;WaZ7R)oaA`<gHWGBH7;A4dI/-5/AI]"Kb.*P[?j8r03A\!:V@N?:8E^RKi(l3ss8HrtE-tcFgGU5Bn#u-`['HC;
+%g'tpqd[TP7((L(-cWi(kqn:)#U%iWFaAN,#p>^2?ZgNpDjEXnV,AUs+U&fNqZ=1TA1*QoN9\FiH,UY<Tpo,W6YSMZ?e81e<YA([Z
+%_eEVrA6RGW2'62,0fDk0kj3&()APV#84\OA2-KAu/j*0K*FbngWE$O`fn5f"pbE4ar^=)/9@t7Ufked6no?W,D/`YIi7A-d(+t7@
+%?:3@fd^cXL9^iFl"eWh50pbZ=V04,b5$k+,^edVTqn(UHFQo6k!dnLV!GXk*X03+[cDi<i,SK)?liEO;3P_`V"g%uKC52%!D'Y1n
+%7C(PmTg8r-j:$H6"'e:W[V9>0Z#W^nZdN0qn.V]3rZ+qgaXEOJ^:#?R[rh\PnJ]:^m9Zg<.UEC=hN\i'#%=0a+ZeN^Hu]9gHe$&\
+%s.[W+3NEDVEfAK;$_cI7+lpauAO&=*0F/n;90I0%:!X_=#X[N-5?p^..TN9e1TJ1LEFBPf]ci;Gl)VFVbuTS5NS]#Qc:#BUd;Tft
+%^Af$lM.I::7\f83Wg+M.1j,R/dIA3^qeECHk.<1IAmQ0T?IW&61(B<,dR&g>',]hCG;1'E-FCi%KI"huTge:G`8'<:Bm1N>DqpE2
+%2`%duroSfq<ZMEceO%Z*3UFgYQ1aQKKG9rBr*jFIk/eDM2=OM`?)oak7?Hid([Z$sqe=N?Z/+T!KTd;5jpJtE".W5>pE3_k[79q\
+%poH-+;U'<dh:V.3V<G5\IeimJ'e#LGMo(A).%.G'>4W<b1lGrsO2'(d[i?(2AlJJ_[8\,1,\TX_G$Vrb4"$!un4RqAcdetl^8M)'
+%4]nq+/B96*YoW0^SHJpk)i@U[JFAN[51,lE$p.(7UJi#fTN9>Rf;CRb4_hl/E0BmIqpDjN`Ti4hJqY@)M^./dI]oOIF?n\%J4\!j
+%Fpu3BPOKriiC/W`D0M#*,D<Gk%RooLa7>o.+"^8%DY]e-4gN&pc=@*880S)oGW,Bs(Fk>0:Mq<0>4Vr;2g1N.K?Hc$_@01@$6M1S
+%Hm^J+rsPHi3sFp*5b"X%lE(t*mC2SCY/G&!&.A6b'G3)n0T_p-]?(oa)2Od<M6"1&9NFlA<i[/)%lUh`G.k/l>M:[5gjj,U=_q@K
+%5@!0Rb.9]D._qDhO>*q7JLhWTbu;UR.9oc27(Km9KjK.*bt<LOX0#E(pb&V#@8g4_AVR>9VE_*81T"P5#o=.$[TqTl;ln!OYG/*#
+%UDWmY-fHU^]b;,.bCR9a67;t81eCdqg8>9$:8IX8Y),^^$?]jko!\*XQ>jkHjr&24GSpe6IP8_rf:It;[1k7b)BsDg27K/iYa9;m
+%>d6:s0;R!jOI)Un_W0![?t*@RjPUurSQe*7.OjU?E*U`-5agMm>Bq*b#WcUcff`n211jV.n@U\&"M]10D_2LQDK>uQ"?C5iVa)@E
+%0Q#!Qb=l3&c#0Ib',nfE_IZO`5T,=4:f^g\g!q?@@`h^u>0B6DK*/dAo5!;<l5ZkSA&oltp:CLBE6F(T@%.@L-gfl`*G3FoXt-E+
+%&M;?sDqBVR$+s?8Ik!$u7u7g2?$C\jnW1Hb@Jm+aaa]JDbMmMbX7J?3o^,5-q:rsZ@D8DkbKd;@<Ms/$0!jHF%:SW>1t1n6B1]fq
+%'/J?Y6(_R<753^LnCh@1;!am3C6;p2PP^/<!QTl(9ofb!\?lHDi7*\Tm[C@1lP%B[k(,6n%LHcY.02q;4Vl%BoJ_VlXd07-SKY/j
+%6.PE&A*R79c"'A;R6cpPHG1:AR2Rd[BkrWMkr?"m"3Ca*NRfE,r<l:+&`t<2YXW7Qn(4WeL0$?!kdY=-:^@5`6$tV<UW)31A]OGY
+%s5K0\d\]7P8<UiCEW_@nCoCC:4rTfK.+1Zk=n7F5bl[M*(RX\<88OV9>f=Jd.FS$Y^r1#2+"u-kGf"ETG\)ZTpZu5Df!E],/eDt*
+%fBQ<!-lJ<ZN]#g'4E[;QLcXoI%Dpf,e7dO?aJQU5[O'-ob2eJ;%#6<8O3fR68C7Ht:,=p=Dfj*h928%l$8mQXS0"1GWN>:'11eph
+%Frg5KRE3*S`9VH)M/;^ibV#&T4lGaF^(P_uS`")]_u],j_bOpDr\^BghW2`IR!0'W.66PG+\tbq:#]KG7fqd."%19(mBfK/+`!4.
+%Ycb=Pe*7EqD[nd=f9RQYoZGi@qEi7mN2X-4S4L(D)]E`S\IChn%U[O"+GnN:X8B!pQU1Q7iY.=?B(C$/7FJDL:qs[c5CW<@oa"p&
+%d/\/4QE:e\^.Ra*R2)>QiJ$WEG#i0si0M+l^ZLKB*LUJ2;d9A9QNNG-A-6CYkGo,pD/[9@UtmeMQac:[Nq6e),FQgraLuo?4IH\j
+%_=+XR[^8U)CK_ho2q\j_\*Z,4Vq2"@,:!nne/8Gi?@Z1:Gp=S@;HC;f.g*[kem.M9E8/8%-@G`\6`bB.Gs=N`39's$qo[Qt^IgOZ
+%&Y+X3kU(E<es%C_:F=EJ/:kOm&YG]8BI;\Y4Hs7c5NmX$.,]'EYXab*e7-H=@Wl&";fbD4Uc[*ln>GPH&C5*$*7Y_/?J>&g10u?t
+%A_WfiJ"h2@MRpC'8NRKL.\RbMp.iPC:?#loH9lHmY2^/,Yj;mRq%cH3_Mj=5cr[iS#C8VOV[q5]YN!TL^-6eHBSZL9Y0A(gG!i](
+%1L[H@e';`Q<'`7JN5VT*+g_eh5&SJd*H8<8@H5B9#qo`LrL0%$@$_[SkrbXm$X9hZCbqsM\D!LN#e2bP7^h[Gs&fg+-$oBLMc)sl
+%hrQX+WKV-Tjca:j8WE)Pl6k!+N)7I_R_(:d>aMo7fDK0iL&q[X.k3Sl,Wd>G*On1#A?8+@k^i;odq)#[jln[UK(MSlh$<OuAY;(D
+%Jainf"*?Odecl#$5<f2pA#t>GY0K3_EHAYC_sl6q;1+NEc":N#fhK36f8h#^qt[m$:oqg4k3ot/'>CNt@PD5kAU=g>r<1Hk*h>+h
+%':V8Vo[UoB]5j4lqB;@a6$AWN+"<h#C%o>6Ud0&u(*rt%\f_"?qgP(GT.G>\^O@_`Gf[gX7`)EmNpCDU)JTNRJPpT?<Y5>EJ"<X/
+%A6bkOgdi`5NQsfa+C$EB++3p5bpHtC3%Ikh"N;1?jdjY*CQBX=4dQeTlEhDN#J*D'8tPU<j2lZs6!!`-']#s32kJ<lJSq=*>rg4<
+%gn0XsC>l1'U>-dJ]L[XV=1(%O-r9P#ELL^),1#6D0LYAS"1fr!Z]iPZb<o&(,4?\0g+_)k2<(%)=rsF2T\3$Wd:or08Pe&&i`n%l
+%KBY`eJ,rkb*nYWeYP&'#@<=(\fqoUOlL42]1i0-A&_eq7.J1F&fI,X1]4e!4N.421Nr(:?2+0ou+p?.W[h>.kSo7]JWm3_iFg^ei
+%fW6r4_jjiZ@HupZ=0bo@Z@$manTK>l8JZ5#+L;kNRAUURVaen(qQUoR,[L$Vks[XJ^&KfO5-JEq0N--^/&56kaF*5$oal>Fd$aE;
+%R@`XXX1d_U+<#Q3M9*94iX:tOLJ4i<cT9-pkp:&&",,bpgNu%/(j1\5<Ze@JIBjE?ZMd1BBYk`UWcSKbPic?Aq$>3^[R<($*@4MB
+%eeq+Y,$2G#iO'Lc6,rsdRD+/@DN9UZ!&k.4pX=YqH.cF)TBOZTodOZlNn=onC0l--r&8HFU/rZ$k;$I'cnK0fMauSdb*N+t4RJ_6
+%6VgsS/C15!e?OaTjBLl2@PN'`YQEhAjLJjSId-3>_dNV#-'<uWHa(<P85YkX+Q41F@MG4nghFqs_@GY[h2g#=\H-M;3YgGTK'B1%
+%8G0ID[49*PQ"-@LX<eOaXL/fcEE7GojSXHP(k.c(&pMGi_P?TolESXqemZ\-8>o4B6t\(!haLJtA?J^k'8b[AS+i?CHrbRARHjb'
+%Cla\\=Z/Yj"Wg%Y7neX,\VBhK:l?`i)!1+>O^WDLHYa,-iX9OJRkO5S.q;*+DmC?]O(J1@O=VI76;Ntk+9(kq\Xpab3JNj/#7rTS
+%abd"\1AL79G^`\b7^hT1rUIenqff#)RlLdOW6<FKGHoE^,JgZ)6^M:Q?GQg[k&0#q)HDo$MOd]J4?.4i4bh%3@SMJoSF,Qifbkb=
+%&2q#^G07P`?bYG8L@1U=p'q"8F*b\aT`Ate*a=rn[=l!a.,6upmjq=mc-RW`F2k!C.X?tYN7`3dgk%X.4"<Pm<FY\f:34+`q:!K6
+%RLql@Y_H)OPoi5,p0<V@UF7(Y/oJ]UN72jYD3bPpeklfm?PXT2%c]T;NID)kj?ENbDZ2^m6<_52J5A@`3E_D77ll[a1?>(D)U,gL
+%KPC%[0[hN?Df7NuTTea]45T&[b+aU@;.pFdk^i#86f^7d0,"V.Y+Xe,$93K-%s^4R<iuga2:*q9.mWi0[pO_H^#"D%"EH'j4>]=d
+%)@g3H1TFURA=`XmW7kjqk];r?DPj&=4#l$(@;'-^($,KZ/'f%cV`O<?!_0U[GsS#\auB+.RW*A,8KZ6i+k.!^'G9TW@%-9N&8fiR
+%gm"on-.hZ#9Z&)4WHSYO#fIOX5uWb%0_p^D.7MRu:fsN8H$;7!lWFJC/]r^BTpsF'=KI,f=aTVGhHT4(V%((Ro=7Lj3V?'ClE9r+
+%3mUtJ$\W(@nL:$pG72sueA+L]FrGVi!RugDCHi\Pf(;U5JkPI2`"+q22_n-cWRZZ9O\O!/0O[l^TuFp'BEZc(Kl(W_^iF#^H*\0#
+%iUU0KWH/oUjW_*bBA<=l//&rd5CQ*N7VMgt^53E5[/+4,8Fd,)Ubj9$p)qX(7u4-LY7J8Z(DOKZQr&0J/9^.85,o8Io\GP$4,2W7
+%K^h<s1'MVSaoNc)cFd:p3sV`tIGuGV_l1#R?nQGo$@"%m%%bi!S.:aI.Fi9@VqB4kJJpJ,Ca<HJq,p^`l1V_]oA+SR?Sprfa`=V3
+%"$;7l4TI;Mgfm$NLkI45?tMW^A2<Ho50b[4b#kn/#VGr6[0NEQL2gLSJ$,RHb-=0h?NQU7'+6f5MJ7m%+d$6LS(ie=;p&8-1&,V/
+%2%.\Kc"0+]jj1@OI+KD=P0dJ?*DJJZR9oja+LL8pa<ihf*?R=pQjP5+*0.S#(-gh/#l:l<3BAKn`ccqmbuVNUe)L`=!,"OB+d[k@
+%ilK:&JnS,(Ae[#Hlhcn7mooS8)r`otggVp?X'uY$V.7(`P&h(X<=tB=\%V6k#cCI/V>8T3=[0=s0j(WZprF0>!SnQqYs"G-[l-7D
+%[oJ6gI`W=YADJ@Mb$e=<b8UC0]np@Z;'WQ[qM@]2SXP9O<s$_#i=V2MpaWP]e[\e]]/PTDaSe[6%:5L0b?B;dF0dtiQkE=-&%C';
+%<u36F9p]b@K&$>Hg+Fn0YW.VGNL^5mTL-:99J#Za=hi_)mt'i`hE@<kDU3/i??0*AC53&)j-nk2S@7J8P?>&L13qc[^G+oN5U_4p
+%Y"h`%p(B_)YZdTf-IGn)&W6#/r0('I7%!qe?+gf'DNZ5OaCbD$`Oap)f]S`^ARh%Y^T<]!ok`%(KhrZ?`NIa`5CT00nta''A4*+]
+%5([U[E)AQiOSLRl4Z.m)&EL_'XP^MH#_Te7`QAC>2laODpDl4lios4mEWNqd3,]W-)#G4cPB<`qR$KrsJm'9g&QlXL&qt9>DkN'g
+%>Eeeia#'*1RO?$_DciT<>o_*GWBO.$k?OY>F:\pX_*&d#BHVWf\QBF6qSrfYl2&+!5+'642k(s`P*R'*EffCHA-1WQiI!m#,b@<=
+%T5D]"rjZ6H6>DYI%Te_sjhP=Kka\M$G^"96df%[K:(+6t-6K\n3<juOio5C,#N*4Xfo@9`[Gi%'Pc/n34KIZAclZ^hj[f%^pq`jT
+%?XE1?4h4W5A.*@WI$N?:q%?>fF*41bGm^EQ#sWb=ij3;6\p=2JFdeD>E"k6t4t@^%(X$c/"he=.(D7@FMVD\Cin;Ho19'2J=M.D'
+%93D4Ln+Wgm,:J$m^\Fj&PLhm8k^L3"J<!I0_f(">;@Q-+emXZFG&sTK31])nN7f:q^h8[F>ko^krVS.M*0RhtlB=jNp<amGdm@Ag
+%^TL?[oOKkP?\.%n_"p:M^%+3IhY5rMmA4C_R[4](NI,upk8$4601*o?+kX4hD7jZ0GIA_.KWW6W?LF2A^<NMgjVbCr-G.,r(C08N
+%P91l5OgD>U9pO)7rO2!5T@JI)+s2N\#)7elFmQIG00T(M>MpVR4'Xe["]Bl(3@^YM)lL5hfTdua"kA=V$_4c^+dKcYbJD6$#ZV]$
+%Pk5/"oi=E.&O8CRRrqNP,Wh8P,3>HshOQ-P![l$LW^[+n"6<(qa4HP-FR9Ms8-.>Ij^1j&^b=gQoq4=HB>g4*QZF.0Cd\QW>>aNf
+%]E`<[-7cag%;_0#Ai$T+Ak$c&,gULF\3A\3N>+$Fm;$Tu3_qD@4F4f)U:k:K:0=YC'BjuelqeNnn]r2.MR9ZYFDO$qEOQ#foq"XW
+%.HGM+ABp2B?f?=UGNkK^neEl-6u^be(%3;9%U?Q'*u"),I=58kB0/*A.H62Z`-,6KlW&R.3Cd&$:MV_:Xn)l'mXrg>OUsoKc8.a>
+%YIdJ^W%LCD-oVl+&S>MC;S/oImd6V>2qiDbF+<TSG0c<+FC46T(&StZ"'8+]-Ya;-Y/`Df_E-N]TA+L%):36g"=]CA1(l+dE1_Y:
+%^/4#0jYC'09MP7=6l^J?22dekO77&ZW<;"`XElHT/TH.9)WDL_l1SRI:"e+<NkJ?W<0-.I)X(TS2apXg'L0d$jnZUqpRo'<i3FJD
+%ER]e(i'E-iI.YPLIXXF!35M?Uj*.\N6Sgec13$BU'81W-1$^HsSqG.#>>4Br4^4ccZ;05Bo4TcHqj2MP-Yf/(bKd2m+,cnCNr\7a
+%l=*@6MCe+"0@8_J?ll%kAbr'&\)!Q&/6O`Y)fJcH^fZ)VDUHS:P7>JY&M-p&"t@?XG]l'/V?cqDkR+hnEsB>D^pSK[G"aG.A`nXi
+%:4='VS.%h2Tt$'?#Kn\Sj^j#6fc%IQE2p;diQIOp$hnam&L_3&^\B:`0e?/&N;%MD.Rn5A#R*j@Q=fsG)lR(d_niWp^t-i9jEV&Q
+%G%$V'H/C?#&ZB#4ZN<9_2lh^9%!0_^!JrR$#*N?!$Z"6ZMLZ3E7EI#"k*>mU<'^QRo6G8I<:<"+dt:tdA]%e)HP!<:+)SsP^5\e.
+%m<450&%l2u*4J4Q(eKe@5au'p$hWkb.b4;CWptoXF#r(aY:n(KID1r^:*4AGDYITsLBOrY4aufUV>Ofu"PS_?"Po6Mhn7M+LXg]Q
+%kokL7[h=be@`A<"aW!PuRZIiq1JTP8VH2o5EVqgQm'%r;r-eZpNg9:C2I^5$-m=S;>.9Ik]sd;=@8th"*ZKVdH,r,VilfVnE'B34
+%l(c434Y'BF&XaQB9?Y;ll@^AnB$[GqQq]+!LaTfM3a=F=dl)jBU(o%cB*6UeIHeSi(`5TogGaK!J>81'Bl4S6f#B7rjhWu:^enJa
+%*=)P$fY\RqNo,+K.QIK6o;&JK.oG=l"Q":q'Wq#/TPc0/Y:e\G=WJE<16QCI#;d-K/EL>g#QoJWEV4WgDL&JMj`KGkZE_tdfRqt^
+%Op">q4$4$t\(j^KrY*Sgp8^H6?QbYW$1i*A+U7%m^!N5>B`,<Y&k!8VcJmR&h&efJr9l]93<n<!P[U.$+*<2p^_a#hVM_r>?HUD>
+%HY\X,s0s1I(!Lp1\@D@@nm7si_.7<kd.oBZXuG8KmU7#-0+7Jr?bYtn_7pG)+5R-K(LKPra2cPh5iHm<<:S32G1YLa4p#QudcurX
+%Fl58Rc\bGG@e&mRY]tppbS/;lP^GJ>hE`IVOR`u\Qcjjqga[:9kB2BtSu=#P_HNDh4M(^l0V>/F[_9JD+%NYBK=&QMLf?0U^P2pT
+%]n*nl(>3t6Te!kDC,H:ip\?Kr[YLkm_]KnsNa[u250m"B<s^((I]"85g%cb*PiY8!fl@)0a,i6halcIsihpg$3m]o0+>i_,EP#?S
+%)?fN@F&on_M6V7ha6&**4Z.*Zf@,BGE5[3t-i&1Z?0e.cGF%8c=M?PFU*ZT[5=3\S!U/&_lW2MeF-]P5lQk.XpN+Ot',S3=1]1P=
+%?k-h&N994MRB4K.%PY&!6;O3qZ6h3:eZcC%Im.H]Pht$Rn?PGtDaji#Kh4H<LLGIrT,G#?#F/!c+]),_q9aS!"g%3Yr;bWE!!ICE
+%cr[XgaE"1&Ie6iXCS9q7<NGVR.S7Tpa:t=`<d)+]L>)aukEH%tb\b=_Kn5T8k4$3&b:0,,J15b!LXfOcI#ScH$KYS[^;b+ZYB^SF
+%H9$7K7'K]$hVo:&P#Xqd@`ZXTn?.BaD:]TJ_[#SZbXthIK<TU76XOi`mH^FW"B@_HXN2ELh;OAD5@7HL/>[ImrK&'US1-N'/&F@B
+%p1ZNr-JVHL[VRV"F"G@e(AEr>LBM`FBo2DHSkK,m<(*jG0gI_S4sO]n[6"J*35`G>L1kr$Qri"cajQfIN:97FS5S)/O+gC;R5)S;
+%_Pk4qkc<<oZt:<7ArnVj1FM(+Eb^eGB1?30]m6@HIB;\d33&KY"4X+!=7%ErPWii%q/r`XVq<2+?pFr54ZEZhW8k1QY!ft:8aIIe
+%iMGAp3gQ)1A&r'A##()p4_R)rr7El70^Ncb$abL,$npF[E^)ij\6Z5Em4@7'nHGA%qU]VU/,dV5fR^I640gIHCr"5a3f8O]UL*))
+%03<;WNH.\AF0353<P5ZL3:9?:Tb6Mo1[(7&ObP#LhH[^F-<KP*22kk/#2OtS65s"M%pVlMIk[StY6H\uEP6-iOY_7Fm:BkCW$K$W
+%qC+H?h>qOko(s1G)r?,:AWQ<gK8HQe87#/rh4rE]Yk-@ncO0E\m8T]oH!V6^>*98YYE>];;a7NhT[s@;!T)MTY%Uluo<l@;X"`;4
+%'WfV)cEG\["dW"nD#.5%6(KJ2[mG65ouY/,:No]p;s'+".:t7@rLPlblMhJhGoD*i=0HZIe#V!KW5*a"9,+#_2ErF?*YjHMOBn_M
+%DQGkd^\7!]0[;*\T(9G9QnmX2T9ke]?U^D+2jl5+MpFGo?lH#;$!6["=BQ9:+?75Cn2^s*_(rrf^afR^?8h*c-NMo+>($J(^"hkO
+%OjK*MV'JBbcaAb$lqLq8Xnm,WNPa)?QgcrT)+OATMd\`,LEX:l-/Qb9*&3.?*<S'E%NSo"rim06a/[?FnQa&=S/Rc4.h&1$GZ/V*
+%;_:"6.8bH>p,\X!;#OhCs*+;*X?:*;h]NZ0KMblY&SR$_Qg-fcpq9oAQ)p(3jR$9->\f<@pZX@CZ`gKgB6#)kj[2u140XKcC@0TG
+%#$U:XUnIk"c.jbJ\/D]:#o8GQTiKmlNNQhI]IXMW^<)\)B(_NU)HirngL98I&Mn3#moIM.lmM1uQpXQG!ntmmFaMV(0_Oc?B2]uS
+%4PkN@/`rlC>FlXb0d*+%4XrNH!>%r+aEQ+<:DQ.gTXJ7Zj'a#Lnk'j$!>O];MshaZYQMj%^!K@&6E:.4YYlhuaO\SG*<eTJmAT"`
+%0pT/:jiL8BC=/TCd(heVHrf05L6AId/?N:k;A6R(lI"Zd4@[e1bn_s+Hr]Y=.?2rVYlm93)Ul6IlLNAt*dDN&n[;@d5h$_I"-c7,
+%%QIAM$tiuX=AX3VG48rD(E,FSp3Tl0:69(!<Eer2Ddd8F\0=po<P1o9V2)(d]iJ98oOuDC2PJa=BkC+b]5u$`(7GmigV2p8Iqq(k
+%Mu)\'hl3)Rnh^K$:M@rJ!;PE^N1>+)(5Ea%q`5A2Hlpg@jRFS`\j4m%.\3/5j7D@9;pR:^cV6a";40j`XV1@R@6(Idc)jH,Lja?>
+%3V7HtX!50-V/AIW<b'Al>T5F@Me2)H#]*"]"CMoQkWCAN*+VO`aciu]E\PHucDTS/82l_sl[4JnopRe+IfmpZX?fZaO7cU+'AaWR
+%mQa.$LPL1A[9K3,ls]Kf'/tQ:(IYl/eTtf%Om"\ob`i/09%rOH/p&#A>NHmJT"un??e[J/"VTUD!d!Dt*h]`T?DN`?@gsQuYXn-&
+%A35L2.foN4X-V[2Wku8Q,r6(uA]:i^WB#"A;k2DK:,"qV*5K957@La[W*8FDE&HO1DNclT)'c$jcZUsYmsKSoN[EqEnU1eZp?d+n
+%<J-3<#LFLN\0jA]?U!/3qk@XQ4\-B4&0#5&G?P*(*NmSR[AK)UfoqPo"EAQHQ9t?t.H%RW%T,K^JF(-n'&%!fJLL]<*?.(%9K([,
+%o;C]&Xk_JF2GeB5Zi/U7/@4afoW6OM@'uPt276i4gQADd4H"k8Z0AD/%l;#e?6q*J[Wg6f7>^*`/e!o(&]MoV#FEX@i'8Y%^YYZ/
+%PBc=-rL0Tj`MIa#W*3*-s4lpo$`<G@E=Xrp*qc_.WFD.64rKbZ:bnp%S.0!s(.KSGJIj/T25XQSdr+qHR1F9F:<t=RS(h?skV36a
+%Q*O*4=D]*XJDX:ke\)Dh@<oEC>OnOD"kKrE;4D-tGS_1YFqoi<WhY!KoCZrr$D_W/b&[',[6nrOFZUW"c7@!a\p8^Fk6U+a-![4"
+%DQkT5$+DtQg(G\>T&'?V&"N9(<d%]&l(dJ-?;BY7](.8hhGNgPH>,Cj)"n/3EQ"iS-dA,-10?PKV!Y*bmalXih,?e'img.+LLhN#
+%kXJB4l#S)n9.[(($!f^20KJDCbUtRd;4o]?aPpX&S0OZmd)i"C?=_Br^75qpb-g*mf0QE(*;K#T!fe*n#4MK.&<c')Ze_iJZK/%l
+%Qb%Fm6dOAgQDj>03e-g5%m#\b%\GjmjT51J.SB]3b0T,5D3]Y<VKO]lXo?b(V^>ACm'dl3N*Y;kHp907^6aW<HbO.fqo"H+IAThc
+%!Rt0f.cN?]at[<E/TO&QpSu5a6<'OaSDl@tB3h=23`c-*J01c40G-K&2)t(L\MQAe91nVk7$q"p-ku)/baVmlU3=o'9bd-=@^Y5j
+%nWTg9WK[FG]-i.aX+\bZjkd=aZ)p35UkK^,KMU/iS9Akd-(S>+NaBD5>rcogDj9I$=*!Sd16'i;09cee=Css(96XM$\0A6@7l%?@
+%F@^^5GD2J"^bH^LL&]qk*/O8M;/J8OOp*:O04sItA;R&nd&gV50^.n]k@6mC\_ADsQWaR,nWghKNqM<5nXr4+gtX7Q3Eq4cBAXp8
+%aU>/$N$qb7"O99[A&BS`2n@L3g+pc,d$qt&,Kkh[E#n6\rY,r&-pH%iVC3cK:GIB:a?/#0<n?lACZ?>$fn*eUD2X'gh]%sA,=T2k
+%p.B!s[5r"d94ml1AS%F*YSY7i@Qjk?Wkc/.;@m>GLuJ,204VHXZK/p5QE-%AZLT!iVFEqJ[d[GU]Hr[kcY&e#Wp=,r!gjSfVg80F
+%S%H>_'FRHhWC`\q=-[WQmqPQm?I@nYK;fC7<EC?;)3jR5FLTc<H)5=NVl%AGpC,5J6clI*V5bLi<b\8!'`=Jf(LSYB3uPrD<1jUk
+%<.Y_NZ#<+D0&JMbV@^<Rd?pfFUskd!(JMPaS-oJeefYWW;B4NIoi,pr]]6>p#"=5KXrN'UgRW3k2W,l'VA)M3.u"PbPP5rQg7De]
+%PN*5k#_dA-&aDe_\E\2f]+')h?M8K[oa=paZnJAWANZ`>oChj"_:4T)iaUG4*)"pM91N9ZC#3VS?>q-slhA+SS7EX?OFj(4WY4/j
+%f,)ecZj%L)b4/Nd$Q=iIlHuQjpU0)KpIghsG!HhoQjSf,nImab;q\;=o%lYP><g;C_96HS>-F[6jF<un=mj?r]"QlW;Y=r@YMrQA
+%UWCZ:k^69b()oVpIH92TG1Uhf>ZXng6ZO<]?e?M1$S+.HCm/l^;OpjK#3#nZ_'7e\oQ17Da,[cGMW2BU-1P[<+S[6>?b,)Gf&hE#
+%VXLH^!h!SQh<\(8JR^iQ+mMsgK8L)T/O)K1.Pf6"o).Jb<.XLpJ">PBCnKP9@3`G\a1ae>+_;`>s4h%=j4)o?G(k4*ph]-\e`73K
+%?m=F?aW)^mY52]@2n'D_USb*kNLf-&6if3qgH8dILnhECM!B<"H,d2^4$dPuU(@O[Rh_ii%^@JR"U[EaJP[?n[qA4'GlKb1#O1_M
+%\)9\N;=FS&mK\3%ieaE8^b5rM6jqA[nHFlKZ?bT0o?6!(W\&(uLsGNP<+=IFLTl/NG/sPb.$]@N:#%:PM0@As\WR\UUJRJcGkP+W
+%hSE-0M@`%#Y&&NrOso91`X4Xd)7^j,YMIKB1O,hjCY2Js3QUoY5%;AIB$4:*lBs)b/7!(Tj$5HLTbTl7gaOTFg.re<:e@0Lf\6=O
+%Y=X!*muaddh1tN3pbg2FS1)*PG8N-Qn$#lB<a@'YBL)EA^2%+acNQYN-;6aM4iaQ,hLJO-UbIqNI5-R%5VfJ!!"MrW32j*(\Bo$d
+%MGf[&Y7Uq4()2YVF]m8jb!:?O+E4T2VX3R+2=O5:SeuJ10T8C\J)+A$*p8V82W.W<h[m>:HtYMq^<<CCjhl.%7_;uMP`IOq;'mA%
+%[VkVX`2S7C\l&FlUg^ic;5\3`.e4Zb%5T$0(EQV*MV)Jd9\='Fic'?*p.a]0!9oGYS6aGJ[p%[$HhhjOW[rpgO-X?8P*,95GR0g/
+%NoGLQGtP2"3NsCEe!GJ\&ZblZ.6O&`!cN-1IYspDYHbmaE_D^<U+u:MY]$SVB@!SWGi(80\8;q_6E;^6/L2f@N>*\3c>C!Of;[$T
+%G2ZQJ(J"5Jci#TdboIX*jO+QI;gH/mr6V(;!+p;!OSQoIJC+/5bd2u?DD"JL)K@ZfVC-Z.K..LKYAl:!(DsY`L!2O9b5l'XJN[64
+%MW48Sl'*b`o3T=uQnCdKB11W1Pf(;o]dZmO3^kn5HS\^,QT`pS[7Q,e`SC@<'/L[r_aW;@gV*Aq?l)mPf?b5(*j;m%j[6<MXBTTS
+%a6hW<cTmFGh'q9mrk1f785__qPPUhATqaP@A0F%3=k6:V\4rF9FfC)!^!?L(mtFrBJu,B_W\Z1XfflHqBQa"<DIASHkOuW"'![Is
+%+'>6\6=Jp:3ej?epjK8a[ah=\8g5qVYi"Ta0sP`=fm0K@R<#`T)4'\:?B&jFDC4C#@$P5].k8W>k2d((;2*[1Du4F<;#WadD7nD/
+%dH0El1b2>[=DfA9TTWa-r:`rSRKT;P1Q:l=1&[1.CF%a[(*cPG5uNu#b6u1C!gW&[Y^S?(caBF<*5R$Pc=rqRC7I4ZMUO&"W4r_E
+%eh"=r]i_:ICQs_k^Q40f*HDRii\1V.e)WZ[;66k`2BlG2^1/.6IhVdoV\jLF\ViJ!FRP>J;(SrK28>Y@";Tg(hti&%6nWG.$<*8C
+%[N>;s([VXL@=pXq)h^O]>r2#2B$GIr@n]MAOnTcY1C"ct2*F'Pal&4=E3KXjKh0Yt09GAp69#t\P3P)RkTr;O_TT"R@]?EQU=(L5
+%eone1S=:A6,6ES%]sHK_2Ie@$71`&#B"uYh1FHC9Ln7W;%EjVF#p&'Dn7]K7*8!p#DKJKYQG\94YK@pDlEC_F"B8q4rQ>("(ZhZI
+%9?bMNE&)UOPC&^chC_,-GFnLD!7Pc%)96=YCJ5AU:64BJ[n^<O#lh3]:'5@CXr1*@X;@!O)aV8]637C^"Ud[N_*+%N[1&RlO)9pY
+%X"JKX:KB.:rRJ,b"_D<^o5kTRD0+-VY1P`1eC&d#a8<b7jV:%TXKoeUPLiu%r"sOapd4OD_m0?6=O;]g.=aHBM<a^[j7mJ346,T!
+%Yg4\[(nQp;l""TaX8M^^=oQ/&Me]Cg=)&2pn_Co'T]JmD)t?DM&gm8Ae2rJ"S'g-JE96[H2]hX14pWM;8BsjA[W"q8ICLAP@'\J[
+%6#a4*TpfZlRe*[nhn3P'NJ:7CD>b"%hKIM6,s)T`JprLP7f[858!Vu"eh=>r+#_i7+bMTX_%;DL.FEc(!ldS5H@,+g,%>,ShH>%*
+%CEs;mF75PY\Z<$A1=o#aXIJ6k/bT.EP5nPs5%JO-KI'FF03,tiPsP:)ZCpX]4M.qooStFGh.I>6=48^dWh3`j.[V.u>?A1FZ,pQd
+%7%cW2Q_qFOmLEqTQfRdFW$U^d#V0qhY:8%>$9,dMW*JAF`c3Y.Y<i(`9A\jF(q#!Bb>6@5p)P.)UXr=D=1*u%S[tN](@u&GE,@g8
+%-bh)`/>]Bp>tS18LggQ;M+45bMR%I'(c*sc7GRX.egh_eC')u+6F,>YiX/bi;#*g"!B7'MpB#mY`j,0pW[\h5(C21K5cut"k"I7P
+%VtkI3e^'jYh;(i/TPW<;p5iRZdaIlF8<Iu)FCRSlqk>I>_X9>I-A"cuAtm;J4JQUA&F"0$a6aG@`oA[;s%G\QBt*/#>W[MApRG/&
+%[hk>t'[aiSC2::a%E9"6Sg&`?U.+.*1r(Xs1K0/Hnn'M%2DCHdb6.ZMnf^Bt[j7.'=c7Hp'Wh8!<L57f(UCT/1T7TfNBM'M-WE%1
+%[G=m7Br,mi^5i!$'F<8-<Tb>_dl&_C:i@X`d$f7D;fmUUn$^;1'Y2J#@"aJNgU]!f%W$#$->*liDgC9KKkeW*#AEkCI?EerD%QqV
+%6-6p?FN'!5Z_iFLHD,a"^Oo0ETZti4I5CGU/l76ZXr>)^+];Z_La-3H(W+8%BD-/TmW#H/,4WpBBZP,r.+GCMncSgUd[ul&1kd^k
+%?kiD(g';D)V?Ml6m/_b;N80Z+#aJGYpk-+R`m$^eM]HA(9kAY04adTIAHacjKei1j]pr8D4.X8@0lE$&Q+OD)'?)e)`C"C<?6m5Z
+%rC2@I?:5pkli6Xhiu691iZp/#98DC#U..[J[s").8S\YfSE+bor-aH_%_EZV:!D#\`3:JLrDIGFhA&ihUqkrfhH9B_0$)tF9&'G;
+%5jVG3.kg^DXDsV<9K;/YX&j'KF@@B)VSEgQ;6Z:;;BnH=63kGf!ArQUFmAB7PX5KLHj?(nb(/criL4aJ0_6.+_$55!%48r,^(h5C
+%"g5VT6?5um4%3)."B6q2U,&X9GYnh#D#-jo9Jnj`3XuAU"^@Ein2\V9egpC$CnmMIAOS];aV&s6e4%W_?R`pt"95k=7qG*kOGnkB
+%GF@&8?]?+=IJkVe]ul6201FL!QSJM&K4Wl0\aXO[;KE(sEq*AX9:.Z(oNRM6gBDg1D]hk[*ZaM.7#Sgsod`\K'X%mE;Aun46T[7V
+%1UoXc!'9"Oerb*K*%5l$3luX5QALP-[r=S\M@i6U45Y!mqtmJ!rh`dZ,0`^3VbM#EloPP'1U8DFZKs:5jJ1(]AHjiAbTI<JDNu.U
+%BZmp;Z<:abQI4I.3p#U"7P>BpSRiJ(Jj>;V.pe:@F_.E@A9Stbi/)Om1FB*gkFsrl#)G99LPR_9@-pRKLpC)g!^n*t5ac@lFk^JD
+%_B[Gu0WHc--)YpiQ*Nhafk)6onO!p%Kp\rI@IDOKh97[>?4E8"SRqm'1OR>!LQo/IOCa_>;:)rW01$9o3L[B@M-7<W_QZX4V5i"!
+%'-F_J>3',[\[tal/X2M:.+SVN3$Jbc9*p&P!]Ni'^EMcH%E=$cd#,N2$[/N7'm=G^s4<Nf.podN@UW&23kU]%1:]u%d3M\U')AbY
+%I]6l-'jtXaY&#Q3'Ri]cJqeG7%0?W:i@nW%3\OR=*)kcJo*Q78]&bd?jrTtA6X6+m^`E!.ndJ.QF_b6RGM?e?7Q<XJ)TU__XqWHE
+%h(nnRhL*krL51'0FIk!Yf=Z7rXr@p+pOJSUPi#p)9%+STXkE4BEi3)#d4b)SbrBqMq\p3]5EB$Hq4!WI\0Vh<HLEm7@=eStf1#QC
+%IGoGUq^)B)Cs#B?j)r[t&0uG6F+5cFnB.oeTMo(EjS**s?%NM0=3dpR<<kjR1S$:KKfBh=KL::92/<BMhZrCB,$FU>72'fjVt(4M
+%^7RLhc^^+Ef&Os2a:]kl/FY[CVl)ZXgMe'.a`cV21i%$NaJO];M(7SOddLE@Pr`+q6N#V++l3je]X8N4-n/+Cr7ZP?`se[1(>R@h
+%S@NG=aXZ0l&dL(2jgM!@=)QEhEqbePA((2?C2EbFm7Rdt@FkuX^"tu?<sGeL`FAN;1L*$s*:b^QQ1ut8eCdAbf&$k^[b6?uW2^RV
+%$KW%#TODQ;4TSHab-;WC(@o:%0X#)I'5]1+bS:F2SjlZ'A0ukGKu+XDXAK2U13kOZY\P+"TK:\\Q;doURVUEo126V=,F]BWJETO#
+%,#l0s,:[I)kTk6!C3-p_V7+`e0!U:WUThDWXV>6h[jS]'2003mNn\/D62JRS?jZO<>U`"65'HB8\\mZ4(s_f?<)FHW+'/]\_r/8#
+%RKD`=n%`c*roJHaH0(sYS*W2L192Yn@f`(Q3O!mln/'&!Et)jZ$Yf[/`MA;t7LI8]5pR*U/*B_:9<h25g-<E$j1I*+IMo!3@B0>i
+%cuO@Aq1c#t3Rhq&oFq"0d>pR(?umkPDPo4km7,\dmLY0B1^c=6UI06#2[XPPGM\iUgLN^beoW-]`JPnbfYk*qhsGfF\kp-2BCZck
+%jXeOAS8Q"bP[(Q0n)AL\52?-bW;[.3&3#IZ>=33cXjD8A:gWbpbfm^iM0,61r<M_^E9:*.(RR;?jq<cT'KsacaK<LA?0W(T#WQOF
+%<lMVLl:iBs\;%Ysh(0qN7.n?a8+9oi[cI/#rmYFJdf35FWrZ\U*r&ZK_.Cp^(/d]8G`#M]%bQ1!_Qm1>F,mt!MEopuk?Yf>K6gl?
+%(q2W0R.TjL$f\F9>W5W)oiUcfm0Sm7booK]j=[<3D=.=J-_f1b4?^(2-"#L1)f#OLh,UqJ9V864K0._s0J;Ki=sUIkT:ZaV:>p3[
+%n=ZI/oj&M"j/J&1`3pthCQE-f[ntEg2o)GcpK@?=OnZ(cI7ZT&;KC'CgD66#'W9,+Wr&A,Y;'o$7A_ii<h`%-CBTaC]F3k(7aRoO
+%O0.k'/t.,HF;%Xf(_]?(Ae82&QbPlUZgI?o;*]D]+Fu[X2"/N?O!n64.gfECO-3*LS(s$rcj79E&uoORHq6;4'XX?e5l'(n(qW^S
+%%2s:X8&dN'kd:gJ/`q*&>GmFXfp7)cm)Z*[Pt7=gZ#paiA_5j=D4p]TQ`gY8nGkqZKiFedmL3!F*&3Sef9`^!c!<T&LXO[WM>i`<
+%KLk.#fq22Npcg@`]/XKJlP6=dl#09R(R&VhD@.;k4`3M\o<q!pE?K:Z-tf2DW1-\aAa[9c<_&9)RVVT]Q6[Wbf'S\N&rC^lcL,Kq
+%XYF0+194Kp((%F@3EJbVp7d:42]97nW$R!3DBci09+MH0C2c8k.X![5UFXWs!Id,&Ja!O-m?DbCMI&'I[])DkBUa$SmE_9U5dS5P
+%HXE@(;S0[&>oCge`$nGkC:jS4(F^q(#NXYI9^2?VGs<3#ogO'13S27":R0"(jXhL`UAL.dI-RE.e4e.2o"4>e'Doi0%S6FSk:h@"
+%O."K#CdT"WI8!`3;s`l0P$QH],A6[p2EA.;@,u_$a<IF_h(,#U7$sh=1sqZlQf6OK[d@(=,]eX6ds5B^M]<@7hVbk\:Km8%("l77
+%1ogDu9m/QVj&"pJ(8*r4+C7c!'\k^X\OS711NR/<!$2B]%F;2![Q"H/;!3q_[O6k<TSF!?iGC3u[A-&@0%\gh1p1#$mgt*QC7N.F
+%Lr)#b^NLo/qpTKR^A)i=o,;n<)N'ck@D1IsF\(*/j]U^[IGqAVhJXpd=O+Xf37W4C]6QL(6,rZR9l6dpC=4)p(6PBi]mEfE"OESB
+%&\2ttos]f(@99]bV+jrDl_T?n.<t$dMd^,5;FJE#9%!E)A]QuO?*3k`@qdttA(hs[ll#$H"pSrE]hMSp]m3'cI0F:;:\>Y"Fc_i8
+%,7Q?'>D^8A!.Q=[Z?0g4Cth&HCL4Qd4#NP5S/h5.muPb:\0ORScPg>P*#qi)EE&*:MAYMG,oVX-YeL^k\6TGS,GfpI>#r26Km)ee
+%92u,DGK^Z5/HL*[ZHQ;%n972h@>XKFma^$3W@)-^$=^9oG@"H;4*Q^FDYDg.[o-+G@G`SHGDNINU+gK,C6*(Q'qE[7Dl]nBnVQr3
+%5_:M',\`,)?Tjj"#LG6q4(r@06GU#m/DZPR<JS%R%:G($p#u8-`:!A8kL+Q3oiU!)dKOrtDLfeD)k`t7D1*q-adoS*%[Ei"2I/7B
+%\c#WHZ(C4Y:30T"-[4o[8lSY'Rb3:]=ec`-0Ui<!J_#6i=7jnQ'g,)VFXr[X9+=CU*5\mc8fFecZXp%L;%*B20864e)5qSi9<uKQ
+%e^gQ-fagp0jS7-#.l-O!)!)a!-#i/0q=RZ\ECG2qIXe<FJeSC3L^`%N.484(Fm;MRih'+T/%R050oo$L(/g@ko<,f\(V?nmb]j6T
+%:1Rp#-Kle0*V9?di=e/bbU@]=?*gW%Zf5+ae^5=i'%r=gQgLQ#m&j;k-DnpE@9?d#Yar4>Wb'R(U4dqSJT\-Ibr9YBn2nkt25K'!
+%\N9PVis$XYTcC_M[T*%#$/d@^]Kln+\'P'jr]<BGG5l^F6qE%dHrMqO.REa3ME)hB7EhPq[D&h00d4"Z#6Y-.V&%j?#T0HLcRYe=
+%$uF$jh?#&D"#Q9'e$Zee28OIbefh)"6;<;U,7Mp6A>E#r\"UH9g2q<>)9W%WB8IP#O%jDT-WmiCJH:CiOQFWtXb]sd<6^"?eJ<U]
+%JU+a$'UlLJXl:5oMYF!'IL!l`LiLrhfsqcsl!(YSW`8]S%4?#Q;U0AQ*t/D1CVoZm6K0N#]P_t'"5R$QU,r+WHb[fJ@qE'#Z%H`p
+%aXmnZDf<J/6EqDKgr#<5<6K%D@*;keQ))i5,/50gibiV`Kasu"&)nh!:5$k$X1\m0$JsC]p:^(U2Sc/[;H5<Df!#4a+u`obLT^)[
+%$e60Qk#/_>6n9ge5;KMQ8k@?)j^P%^HZ`+k8E+)jl7GThh:_T48R8SS[cMdQ4K8(ZP6o)#9Xh0EK/%_2(9=UN^?Hl8lJ6du264kL
+%3`d-<<['a`58004Bc`qQ`e-]0?nl)*`ia:(M=N@#WUBskj;S?VrARrP)F-I:-\]1gW0h_agaqK5`]5:E?JDb"3u;9]bb`q$U6'*]
+%e9L($IZ$oYmD."M*%qmfmtsn!@I.^?[qd'b^6d!SXf<o0-]d-.d0SQT"c,C0@Ufig@C1d],G^,"a=2*&J*iZW*_KA%]1%k95$c$r
+%NADFkc&K'>cdBIn\5gHTkCu:';&5'V%7Rac:%;VuF8-"?^-_D:mZoU97[c`$T5MSO>Ep+7GDp3.X=5R9M\3BC/)b?.\M#SK>jk7A
+%e#=pAs8"QZrDH)<?M^$5Z7Cmd%XYt?Gq%S=Q**!<m8"<]&!^r=3TqRW91a(!V3(D,eg7bdQnWVb%>?Nj\W<<c!`'V[57EVWbck0l
+%DPZ.R2f$gGg3%0'9Cl,)+p^l'P+tOfQfJI!oVC>0=!pZ.F8tNGld%-WS/JX7n_:a;8?%P"hbuqr]U`Nf!="EAV$9j$H*W8u8m:ss
+%;5Pj7oK<R-ld8Fi0F*`Pr[fTOeVgXp^1O]n)p1tq;&'ZVT;^I<!`S8+1J>Ff*NEH!1&?>O\].<r!3o,gnAtN4U:<cp8!J*!N9PIr
+%EjE2>lO%p>C6`f#O!Ib*,K4Uf2&+';h6afD`_X:e6PUi4fT;sOijLm_W8*>&G'Q1+Ql=7p_T!-2*r?mf-F$bUnPY`7[KP!@\)'LA
+%cE;<,%T[6M\K_;f.J/F9V:$&Y!7Ck/6SKT_X^ZVjbK]'cIN]IKAc@oA=ti4&:jYikp3XAD*U\5TCKp1()PG.-+Vm]e3='i@U^f9X
+%dR!*Ih_Sd*gD&X:)mnht>s=@Zb.G6&eY4,3*<ZV4f+Pjb4&XL:eHh9r3Rd&gfJm8iKGO,X\OA4$6JcE)c=^V2Cf/7-\]intaE?oT
+%k`I6:VO")*o''(dLH]V$ZH*Hfht"Lu1\ImP9"JmGRm(^Y!B'na+,`9+(?bIP2No_QF[&,S_u$!:apt?*mFsMWpjGarBN"L8ab6#p
+%04$,o-2>'`eG6s"%eZPF*TE;,,ch#QXt-[jAClc&<&7-CDoV9VqLI"sqgr$b_gX5;j<mO`^2C*Sp9W'SH&G4>2gsO(\Xp&F=EFO!
+%@8q0UIb1c-MS$PD[4luO&$U16b.OJ?64X(o\,qFI5j?[hFa#LnlA@pdN=`9O]tnB/o]_'pBW`Rk^_MS&^-@PkJSYF47lMOs-`:U3
+%.UK4['o9J8np,$t4@<6%-A<%#gQL:Bm@JuI)(>o.Cf%4b+tp^eKZ$QoQn4:6n0"4<WqJ\U(Gd<5.lFP]^Ms84*F&<5,D@Hc>@>l=
+%oj/XG*U@::SbL^1Gjj37ZgaBpK:3/\7ha)d5PJ)8>OTIf2Esjj%t/[%OL[e=@.j#XpL^Rg%YQRYf\)B`f5ck2\2)X`D91$fDteCJ
+%"`M.bnX*bqgE61GU:NfuJY&W$R[r?pjQnKP)oM&\WVSKa7ON[9WKENF)`GL.L/U6]PaG)Z?$./'.tOc:h8j&@hAiMt`q0/cX4c6t
+%lb7[GQ['m5qB]4jk("kaIK`3GhHHP=`)SJ'<a@Z\B&D-(+PG5LRn*]li7i7gg&9Y,M.doJm&:L"/PIas`/dQVna<)/feu*thc,C_
+%^5*hbA.J5^0H*)XXnIaK1)e/m3Hi#'Ffb;(VeU++GC$lN>@d*lgbsY^UOrFV!L9*3._"WHNs8ZrluHNd1q3h/\+@,eD_$1k)EU#l
+%l9f1;jP7uC*SJrp_f]7Sp;u\JS$H8MV<md:'!-V<Zrhbe>gT&^*oDp^IZ#aOaMm/1L<e_LDOs#)qhT]pg^67+1K<aU>E6S'AnAVF
+%m_Km"UA!D@PNX7$!$-4*34#e(YDBC9g(:7lFX8^5rPis"2>32iO[!LprPcp[>rmKlTL+fT/CAgH6d%b7`/GRsG++7s`q)gF_"IPE
+%*1Ghu);K5q/'*T6'LqoMU;%N,d<Hhn&(P(fF^TXmYjo7Q-g\*<1h$rlNX\6C8r*!FA(b_E\)a5t.H<%A=G*8hIfc07F,0?='$UNp
+%;?W!WHtGoYfDo^f0Rjc1o[=blIG7dB+.<Be!e892:!Js41F"o"]?RBr=K52THZk@&1"EHd"`_cOj/b-*hXEHJ8`+odFTYW)<E(j9
+%h,.08/b3ejfTG!E;<g$iIO9RX$c"TdKmm8-mHL+BYbEju7l!hNmjg*!P]X,W8AYY4G4[u+[tD<BONVK35((_Yc`1DHUlk$XSSS&1
+%IcZk7keLeZ,o9H#mNBrjN9F2c3uY2dQiu"TRrgUh)o3Q\\%]trEKFHEalO5m3n-@D$V7!!Wdi(-e-*%\C7U4pf>B\;iUjmD]P9B;
+%1Su>)lkt<\Rh4T)-`HPh10%aA2=eJ.D,ZI]r(^aZ%_)RdQ:>-ioQ%qe>\`b1#!`[U^;qjqh\A$3)X"\b&'EHq[T9I*o1]b\J\/6T
+%pAPKaY`s;mek9uGb@\5j+CH%31!?\a$t1SO+o1:Ado(cO18&!S'"qDR"3EkHo1BV'/O:CHoPr`l=Q;GKqcb\a[a-6n-hS)<VjL<u
+%.*uXX*I%l(l.;qoODeeAih5Fn>%/$KUgS]f9tW@nJQUrJ0`ZkV+fe1k];/Z2iq?k`=!N'SqWuA<MWYGQZ:HF6_&b,kef8#!X'_hd
+%8C>Jt`f1L0/S!!AphEZ1m'`Y#]dJgsJB3cL->cpa8<3=MJWpieF?N0b[lL\BQ+#c5C+8,Qilio%kZ^37g?`g7p+09crP8N;91r5Y
+%b\S&P]#I@jU26BYG*>n445bnGgaS"Q_?DM:?HTsFlkZ9NF.<OsW*ZdNX0Y751T^gla'^k0S[[fKlK6>Kn>lUjX?*sNPc4@sUq!=9
+%(1uH*eOe];%Xj73>K$W*`C6AG".P\JI_sI,COu8fE5t/)&"83sCn[T\[f1p`\Q,q>L#k8-E4GL$jQa45JI,l;fIWj'2K).t"X\B@
+%4?G$(Wq=mkDG&?^cB'+9JRp_:5k#M_^Sq,0V7`!JnO)H_>8?r=.;4M0`7<-Q$<na&Ne+%&E>>7o?%AtS8aL5I$HS/hAT#Jb:%4c6
+%YHZ:k<^7e;\o-E>W:_KY[Zl&YBD!5,>>Ff;4P5%:;2%G+<m2:d#F/6Sg=:JN+N6Np$KB[fo`uLt[$s54[9Ntf5`#,=JOpXPfrejJ
+%^HU!1#$gfP9&<KNKF(]N3RaYU3SYDHCH[QU]8$VlP"L6U'\V5H68/\YAB(QWmaeFN"ucEYDRU)rOQiVJ2M/BB,2Z:FGcL'F%Cu:4
+%G$:9+*`<Lf_rX)ti:^ibBA-?:^[ID6h-KQ:,3(`6&)e2uf06nC/M@=G.-RJ'+Z*D_mGJd90L*:!R`&u7^"`)p\uCdZRDF3:5e?.`
+%G%#2G2n>o3D>ZX>YoufjltO[IiI8LU>`"(CiG!/;Z]8nuR3i5`#nD'HQl_u0,>*<j8,%h1ehO9dAj2.g[II2\nSUa_d+D7n\f"#K
+%+h4h>*?/6c94S?#NL,l0n&fE<Yg^s*jJRts[;QsS,FY5,7CM$/.RLe9],o4@&"2O!Nk7h_C(\\79COjEktG,]]':HP'uV.W7-r,A
+%cM<H"cGPJ/\LDPf+u_@1apjFLgR<\%oZC2[[-M<<N*ltA'#Hb0HJ3KDMC.$il0m.2d/YZOIBoMr::SG%l?jR"TAge]dCl4uZGa/N
+%Pk=16=*%d>qH`2U,$TM0Wi;GF3DJV8k_'jB0g+k()/a&(^TGj5G3b/(DS3>+XW)S+hSUWphPJ3lgZcJOG[qr?9?Wu5<SBu\M>t-N
+%a^kXJYf#FrZ,nDGGB*6oIk$4#c4ZngmYe$YZ9g,!+>Eo>Q)D66RtanEno;$`Q`X`FiBG&e'-N=[df<;$kYVjD46^\%a<j`bA5Lu3
+%h0oIQ2AE#6pb\a$,IbK1[YsW*$?+bFg)F.WH8EtlC09Xc\rNN7[OTlU+3'78Mgj)3"c9,UArBiii""=o(ehW%?W-i^<(M(`2tb`4
+%X_'I(5^>\aK"=,0l9,6Vo18beia`BPb=E@,*nqls37cGoKu+orkSE]hM%:*@c#/O%jqZFVTm`3F=+A%RLg/9NXQ+;J:A#AJ.Gcs_
+%`hLgdh=XJ7FC2Qn4*QIpSQ>bD0]ni-jSuCamWY=IbuTfsd[Ro5/<XTQUYpRfVLINGYjUA]`#>J<e"SRo?-B%T[9<nPai,`>]j]CV
+%IRbqo\a1Xi_'N,84dUI>eJnOkef.?=)B&)X<4f4S6,K#"doCX]EX%2lX#Gf+$`6/jQB!;GM<bW8A6r/3;(>5[F2dr[+XDaBdaG8S
+%e3.HC2\pK@Jl*.uFZYX7oOBAZ56V:d$Im-M<qZ"SCU`oD=MCmK]i'riDlIObjU3aH,Q"N?L5TMSk@iS3DOAu^;Nmcm.J+,2OgQ1q
+%dMh,)n%l'!g)>ei1;5tdh@W!:ncld<U9Err0'sFDqhi/u2kg45]YASE;%<D?AC+dG^HfTCd%tQn$#[L85?KC[48Fs_Cs[gQpoOOs
+%1WPu>CKRQcom<G:ZIc6#r=J?gI``6I2G7_!8!M?H!bHJ]kd9.AXg#0:%Ga(E1e8&7>#j!?U`inLk4QDO@(e.tW7HYrE<ED!lR/uh
+%o`:K8Ro2/fY.`m'BKrdmBM'r^(4:d?B>9;2)c/C3<@L'L:mG7L?->,Eo/;+@;&I(]N%4-hZ9,_NOI5;^:I/P<XZ8Y<NWHH@hj?(?
+%<_T>Y[C0\[D0?H;!&sp\?eu42VKq8K"^'SL[<iFpIib88CCR&ea;]KTB(Vtg2naaM6Jpb1i`7n;hS)omEK7AIY5pE7R2uFYArIA#
+%W7ki_`]E0Zg5:i3`si5T31`c<;DXB>1G24%hs2'1Gl$h5#EUY<0()lgWJJ*<<3l3ugni"B(Z2mg01.JOs)_a4]-GIRe]`f%!.re+
+%U0$LL4uk?'<<:FJduL4nFt;8#U7F4KDmP7&^NF=n0qu:8I:P^GNd0NRb&SnTeICkfd%c71RKL8o"H6,d[Q&p.\du4m<>ElFi,9PL
+%4!Om4c'uihj5*e6I]>=:YrHo0c8?2QA\'&p*b):l<#BZ=K"+`tkTP)I[GFrXa5Q3`#,kZ1$88H<6D:9+*QhVB[m2ZZp?7OF><".1
+%g7/"^YhdI2^#/[;3:Z#rk"l'hXL]:E=%i0+h,:NTFR`"JgW_ukhE%CdN1nbd`c(&;12+`.n5h)hRNBB[jMq5dK4ZQLe[ll$SasAA
+%A^U]5R"q]N:s@-@649)n9T\6Po(tDKmrq#e,->&lA1j,7X9BfjAW1aFL#1<gP2E&rQCPT>Rc]ZSd1P'[iGZL)4mjM"+pp=2$+DY,
+%Ri$]U2][u^V1"8Sm#B8PTAMVY3+k&<=_U@aeP[VpP$'7"lW[*(AsuO-Xe)J$Y\U!l.AWbsLbarthTT4&4H0=@%\PEC@p:=ZN%k5f
+%#Q#7di.3n`:[^i[5Wh:g`DT3082&&so<[j8Hp<\:2j/AKQ[5]!8dMMG`>2nGLJ-q3[00BZKH6EWmoq>BDi];K@(^2PB>H6M\cDgG
+%YK6%&V&Ji[]DE/)BYV/>#LMc<.bp!Ief)L0VUMc>I4P74[Gu;kcNh_HO?*&.7JTg1[Rr5Q-YH(QE48mt%(Q91`8N;A$/s<VQe9P3
+%#1ssfhJ_b-gbDWTd$S]"mT:aL.qJ<XH?sSsoBun'M[kRY;:RAW`f2pg8?f>1#Q`e4&TkJDoMLg(KD->6*?/"!.8<%7Y?M%4#&u6k
+%9\\)@"d"udHlmun>?^7!&>uC8(QR.b,C%U=h0e!pqL0JR\%Vp\FQ"bJ[F(Vk57OnGL4-n/K_4!51bn!3;oi$<"=n"LEmP`^#MBJR
+%T@h*CBqal-\pK&1(g5:U>%@o(h2'B8!SMo?QCh("[gjCL`VlHTA1c"DWdrV3'3QjOAhG5-l`$HDkHX]A1\s]paD?>SMj_Of'<U%,
+%qZKd`AiXEOXdAIX8C%C^i;`.5T'plrq'bs)-l\b"CM&U:2B(H-A^S.Y6=XECh/-'[5RKe_C*>M!:h8>HV</CTh7t,GZP;rhmEX5U
+%U@2,aDi+IlMd2BWY#1I'oM#KOVlsIB[?j7d2D2W31oso4[t@6dSR>Ksa`5Ytp+Z&oM1N'N=[[6S'Hg*tJFCd<X\.T0M6hc"XsbEL
+%3u<-t,i0133M*a8E13JW=r8@PRmYSs_D)"pLsbNH2F0QCLa1['#%g#ENO\j#0k^-9qIs\'L-k9@-L)ft9Q)dH5*u@)2G&G#Q?s3t
+%,iW[g1cG1Z9$-Y\2`IuV!W'#UWH$>'Ld&f#YIP9*4+mc-^TolY%,C"B'Bmj#7fK&`D0BP'e(S\PF6e@(Z,NCUGN722WpFV(C?6X!
+%"HB51p[mrkq?RB0ErtSSH[BGc,PoCn-%aM"nOE0.c\$V+GIlGEB&5^kUX:H3i"gpJAI;/A0e6V1hRq_ENK7p[E;K/s)AMV4hB\Ol
+%`V89i&T;37`2Y0eogU-Z(\/@]8ed-sRkE'*J2Y#_"MTcMQG6sEYr_"Dq"$T/H?4L/ek%;l7FJZja]0n9CXWX8(l_"/qnI;m5pc%B
+%CXu\=G$+]khX<_=AkYp5\o*=&M@HD-"T4fkFg>k_RX[O3nNG_5;s:Zk/1n!55qLq0UhV@2iR_rNHUVOq+e8KHG>T*fA2YUE"Kb>/
+%mt0p37=kS$g:P9.$A)a;DcPare8=:F!VW>f1pCR$:%4fM(Rn;0,`G@i/ncGXFp`P;9BofPU1JCb!Rhd`_5@P87qRO0:)UiMIOOI1
+%Q$W&AgGB+n6IYFk65IaY6sdZf6$'.(0&CJ2G?/TWllh&U%-:LR2LXc=Hg<*pFn/;8Egt3herFqD&CUs!QB25Ed/p8G<>cJm;M_&@
+%l%&GW_7ngpVD#bOo"Ai&3Vr/K3cE8PltT%HRFtRrAM.b<1Cnm:jCclT0^(bdrReThMg^!L,p0o$F"L[;FcaGh@!r7IoR0uX^(thi
+%!A)D!c%6-0i)F-L^Gqt0Rq3fh"E7e8W#>j)gURReZ-S]*iuMec1-++G6ci_MU@pma"MGn`aKCpikN8_+^CR(5D99rsG1J[O-1MH4
+%^r&\h6RS(!H\02^(7u8%SF>XGoqTp$3`/CSO!O,9'H!:1KIq4)JO(59l@k,:2bcl"Q-P28m+7!Q#uuf=bfI.['C?!%HpOG6pO9`%
+%Nj2-.6m&JHm:\%c(OHZTVUibuoima+^fX8rqeM&V<+]J%(e=qO=A^-sn^GZ`U6F1ErZ.2e&F\;`oU<cF+5W1iXH`MlP:'ufj(0c5
+%*I=&CiB>1kDc7on^pt?Ser*1<@`AgkiruNf"qZ5mX&Frp<%0"'@74*+;kWiH@hLNU:WCs5A$A_iYG'-o)NWVsa#5J%WX6uc$QF_5
+%FDN28B_:'pf!NlYAdqfZdPGD&bJ3qlAn2_1M=e.R4GB-&S<=b2Q=&<&kf),Wo-OPuKJ/$^*m,$0eG%]0Z[uEn5%/h!G5oj+$7@[-
+%-$=(W/3JnX%ZqVDY1OXrH8$/*d/_P#_=h3B\oG15[@*EPZ#6%_]?+7Id%/T1I+JVCi+P/].BFbSQQAe#DW/6X?^gAOcG3nqW&Ood
+%`d'd9Uq]#FK)5E.j7&Rqol2flQEI'PB2`n@GBYAp$uk]e&2dt!/I/Ukge=Z:RjX^g1U81o%$L'Y6VZ?e":aO)2.(n>mV>X```FoG
+%luU)L^K[V^ESG\81r,L]65dB?WYmm>:sl0X7dpA1Y;U?+F%"3R/(@P\\7J"g&_LsVg+S@e@ceQ-7nO0B!7;ra9dJkWg9,Xif)Rs%
+%!@WU(@uU]>K/M<7(`N/r.@"#AG'0_ugL@T&$J85rZNV?-\hQii$c4t'0YEm$CQ"_)1S*+>8Z`$4bFS=W%rU_3b`/i!:g2;WBrYrJ
+%LOV;,Xa>#b6MW/Fn$:[WG`\?bVtS$c[6ffFHK!bY[1?6j;6;ll$8V<tCE$a?8;j@^JV':=+LNP8#U%Dd!G/_O2<iTC#E*?MArPT3
+%nKP-7S#=VVYhL)D_(Y6t6"'eZn?pTlB\]Y258O,*7=Xd$,=(GZr>ba^G1i,3<L1gg0h*m!T[Li9Wps@\dB?Pk4s<CCe9(_qLQhKT
+%\QOGkMK:<>efOMrPGZlr4/ha6-U0jTZ3/\TYaPpB/p'-#hCf78d;R'i@"4rVUGTD1J;.FNhIiWfZo<rh[N*pBV7(.$WQee8n'T88
+%7Ks@[`TX,:qMcq0o7";lqE!`,rD]aH*^fAj$n0fm>_7d#!+1"4g7KHs<?5j[D<aaW^I>*]gMM@sgXXTWd!&.WX(J>qoaO\@[*E\_
+%2STd.4l@o%l1>g<^f%5#+NMr.']=Zh=2S?TO$CtFs.u$PpXu5*&h<!D74,#,rV-&A2aZodpX$E),i;=s/%/kBG=`6i1&Uoo&3ff.
+%p$t@@W,T1C0NekO!:OqS&T,1q-Qp0>'+HT+lb7?=je]-$gT;_m2]lFAJ=l7;J(E4L[:a8sbf/WEc8m?hbsA`X5Ac;g:piCZ5EKB;
+%);m*>NO12Y<K9!&-*2101[sIdbcWOX4d+po3SB#0NGXAh.JLO8Mk'*6,F)Z`<#]*RX'!?.MsqU6MBEE_b<[N^hL/GU758`<J`\@h
+%p+eGJACRb4*9AK8LtSeGQYA94(U?gjB1eSn$@ElSG/+5]TdCU[`5@jCoj1bFMK2d\L7=ZP$Wd'r>RcT`XD<%U\<*W(he/b)5K."\
+%qKuOLYZ+^'eDjY_bI0s>)Rhe?oK1(scba&8&.R'jFtlst#*`&&b%!"o_fN?m2(*3!kZug-%F7$l5[/goM*g7[KWl(.Lqcilc`TMV
+%Y2(&Z$Jaq2UZ1)VQ!78CRk':L(W]%cO)H7!;?YKt5SaXfVL[CJ!8h?/!b3C:J2-m/U\j"a>]'Y8:QVK_M`:>>=Ji_tRbWZ1^s<Q5
+%lZOB5gJ^2=gL@E0N6n.Y1jb?f/ksU-NkaJAp=2_kZnDGA5sAsgoFYQ)Ec3*d0Ec!jHRIg4Fg@nT</VYjf`7?sCFNH`=g*kO4""qK
+%/9MPKJ!iMj_4N5[W1NM.QT0^d]CuQZ'-!uW$&qr\DR:=g771iVRtnN?f+$C)50+fDVdVEnKXUU?L,g@n9M:g+#C)%S.B<WEoH*%_
+%DAp"3R9.<)/c&-o1WU0;1tV$Zgkc<"+)<7Uh2PDee,-BHZ,KqXDEcB]2m<+9L/OpX?q(EU4W47=bG_";=/\s1s4k)nO.YQ;pAr:1
+%0*Y&#QuOUY:aEQ@7](Sh]`4l73P<pmA:-eV9L@X(%gI*e6d'WRbm\KIbP8+5Wf7TJ)$f_^57Xff/8E#aP-a_oB"]?W)ETLp&9bYX
+%<j2if8nO["<kPIK2D39;(rT;uhPFY3FFV%-Gt:n9Gl8]f0UWH?-"*@?%QZ,#;`>>KCq5')b?";'9seJ1eR["$Qa'"iSA(;J="$d]
+%4X2a]W]<RZ2B)YX,9)nV]X9qp]R_!g(&UfG0>.Q#W@Dm>P5nT`X/_q+EbUIJ"70c1K\KLX\a/1No]r]8nj7'ZZ8O@NLr,p2hIUe-
+%#l2aeU<k?^qNeU!O/hOQ5hR7n?*K[\mreX6q-^pP/sd2#kjJmE/#0+TR+VC7Mmd7l64NHA9>%LH'UaQAY">D?MdgG35)Xn9*0f94
+%l@.W/2kW6:;;\hOZ#6bZ-$<qOTfXiI-@1=8#h+tP&oA(Yr*7'*A[g"S2".T5K!!`i,cR,AG(tI\Z++<#JE_3*r;(?.&<IRkG-8XC
+%Dt;)L+`A%#[MY#iL1[%:a[cDXY$:KgYL,Kq!6mX]8*I.eZ#u%`h>dE`[/1Mh%>WT1fFOApRjrs:bG^s'MDVSLfU6)Lkk"\2"$d1X
+%e+#/12(&Ptmromu[&_$/GprpTad7;.>g12u,0X+rOI]J:`dJI\]^[g0IkU3gOOh^U':GB!!9F1uM+45!#:X@@P%$:+a`#c@gmO3A
+%;FmBV3o.W5I;>HFeuc4-RAD$HN4`U#+V]2>\!dp5Tl=e5?]<K(!Z'D42t6lh8nAc4@\V<rmt'.mnRg'&nW.&VlHB%cci3j/^\PVc
+%romef`W&"!h>d&X^]2L7s7?9f+9%>9qnjNTiV1*>nLsq$huD0o5+2H;YC?5X^\de]^]1/1q3UE6^Nf_ODuS4PIt%@ZqBc)\q1&D+
+%5JR3ZIs_.3s78#EVdJ^Bs8+JLpA_jUq0TaIhgG5\k0&VNo?L63hHfY/WA""b[&%,"?Wb'm[Z6<&q"s4t*m?@Yn,2&AobUOP?GF!S
+%;#PlMTt&W%o.RlOhsh%gZN8b!ie(i-/RW`jnM)&goNEkboSaB@[8('(\fhS\h<[[X%++"[4+@U*=T>(+8JF+l%*uc70$rtI?L6<d
+%A%-QI)r1NZ5(L?CJ+<",j^7rb&-)5crV48prQ!goh=(C80E9MEoOf3e^J<0@s5dVeT7?Y75Q1$-s70fPq3QU$j2XB6r1!`]LVL/g
+%s885`nTEg*HMuG;_RniN5$J%ab0@+#B[U^D1Mf\pkAiIu]1ia\A=*h1!HU,,GrP038-W+fd@;XJ)r`LJrTcne?!:Qs!KA[Fd%Bb+
+%:H19[iM@8e7d&:^gE!'Ikf32arckE7]l*K5.?"gUL3_Z3.VK[L"B0#.)YN\2r(5eXVbaPnbjX/1+.(h=_EJeGg54QTqeboi[Ellq
+%P<U"7p#6FAqJJC.F[puQK?CiI)UTTaLH.OoXBg0q]nG0`o.LW=:ZPX8e'n?kQs"Vsh)q\af"2=%D=1DAa+N-4@mK_SBc:TgRQS?j
+%_<45p[K"7-AqfO/qm\*KjnKr\(Ze[.5AA?UOQM7[15tYr\?U.sg6hjE&qk.O=YVj)h=TO?I]HOt;&)nB)A,<Gfk%8@N7@"5fJJ`^
+%gA?4a+$_d9P-gKu]nf8DYo+"X1+#IrMkf!TQ91'0^#XQGs'"4E`-oBNQXt;D/,]9\JH2<-oNAi7<[M_"jcarWd+#4po-(k,)GY'<
+%&G\*-QWoU\c'G;_O^!\\=/n)hMqg!:%E]N*hS9*]^iaU%X82<ki:Q"[R\dj_P9+?[L,HVAMZ`#!gG425WX8I5LAk`,di=6*o_m)M
+%#JG[@-hh4G>/B>1d9\^58%kMlDuESW13DpNh@88"A+n6@fs%iC<SK4kbW=6*no'NJH:?PI/dLLXf=*hU9L_6hA*oUhKQ.sh!147H
+%3Vb@LFp[9i!109XmE5@\bl,h%O(n*'X1?o$lkaRj,N?M(Uh@3JdflIJ&WK4@eZ,JFEh)S_l+?S!Lj:*Nf?GsuR.KW#<#Ao.(WI=O
+%p[E9A'i$it%:J7:ADbUiko&,ZGHXsCR$FU1^sX7a(:T""ipP]!OJk!d^8dO1=R=>R/K2E=<i7tQ'5lnY=`eY"hZpBPgB-bi]"IsF
+%<'r)eLuFhm-*%HHN$Se_.a4`3/fp7Uh,o#akoH>7hR-*oD0l8#qt=Nc@>&X>!9fsH1)<E7_g#b\UmB`.Qg3i>]!bgL)FatS\T,%"
+%B,.60AZdGCn650^aZHa\rRfY7bcU*;104b*/^/:T[:AJ8^:&%#/sI^nPF)+,#&+Q^efDE_5Mg6[q[Q(H>cIqcDS('80]VY-?.TR2
+%=#L5pV`A'BWh7$ujdQ;!"[e<H*Mi.Z3raT@R^P+iciR]mSHGPWkJm%LHF4+-=PV/:C4OoULY('ohjBTO@.`@<HBfkF]TF%\/Bt3:
+%g@+oNI(4eEPN?hfHEK,S>)(@]i/2*UVLFJqdX<"agH&p[7,4-[$QjHq?d$X-04VI2Q]?Shr`&0-]R;QNk_2S<^mEKS"79%R#7#2K
+%3':.!I@<PujjQSU_i:5E`<\mt2gaG#R(]i9)dOWj7aHInd;/)jMrX>5L*tluV6S.-pXknR]Z/2PNWFCc3uQdH'B4\XWRYNq3nQPk
+%^n9A-f$'/4ZXqsb$G?NXQ%dVV1]#j3".1QsVH`e`GBRD(-lD9sp6rS\+F>8q5;oQ(%;'^Z*e)=JoRG,$QW;E._QgX^913(>hBkRD
+%m+AoGp1"D1m%Xo_cFA$O::8i^S;\DRg_M^/FjVdg]uA-ng$onH2kM^N0"tkGI!N6o39Ki$+7Ags<0&i.RC+C/\27EnMKZTG`pNE.
+%1bntnj0Wj51GCiQL_S0#Wo3[W%^53n@c%s;Y:c37(>%GmH!6$E-2XpZD;7&F/Le,R4[Mk9hK-=&,Ru+23dP/Hb_@+UERrNbl")]j
+%o$hBD*G8@E^6:Cf<WQ,.Q'-*(G.+%]/N&E&]7I-^14#F-4BKH"lN<Na&YbIdM>i"8q8UCjG$o')GRNOu=7U&C8_:oP!Cf@*75nTC
+%)Q029NQ.;(iPt,8^]l$1l^56Ba1Z]]=&3hunGTm%]dg)3Tln>4e&d=c>%QJDIbOr2"E?t^f^KP??k,Z_b=lb.6t$BSfuS/N/8V=E
+%,@9Nj0:@9u5J)&u9^X1b#u/79qgt9f%2LB:=33i-B5G"Gs2+SLptH_TNAnXZ2!TYYc/Hb6dc9Dt<XU<u06>#IC27H1b*uE96kUYI
+%oC0asP<?K?Pbg5fU?1"LfD.C3BG`g%;7-4Hpd$5-eo\K:DKHK^"bCbhJSE3co3$kbgfWWH=gGfc>e3]%M=mZL2]\EWpeuHs'$&a\
+%>j=-H@_)[(7!?<1OY5J+7.C"-^0V+Q@.rH\"m0B''b@g;#?F:>Q%S4!RDj-SCELoeGmoG'B(S8.\Cldm)BWP[8r)*A8Z=EETPsh:
+%Z[/-V.?fLQO=\c/>4oiS*`Cc1qA-]jV4@$\PjkpR-q`P3=,<LlDJ[\=b:(U[5;]B,Pujof4@Y`b!qp8Lo:4HP]f5WDDd>GViot'=
+%70RQfo.6Blc,/\%)DK>*\W?lFOZNBCB[)'ISHD,]gl:)lI9r:`=k["1^U3'660k(R\N/MS'bbp_$tmR$Hc)4&#,k0nF",.@T[9R[
+%>HQ&F9gj_J[+"-WQcEk`7X_e!j4tcKlSo,;+QJ_;TAP4ii`90G4S1^WUS!G$R/9fiZ@ILm&cVZb&(J"Toa$hbQi4rWjs66m*ujZV
+%0o."oiN$T52$XeV?jtuXDVc4V+hLUc4`RDSWhQ^?'s@Z!DD0(`@:HB1ogK(.,*b_!Xd9lt2?d>:B%\DR;]VB@QL<kPVSo+<>442&
+%NrA('?(17`P`6OA27%eWCWe$%7W-(<pH#7"r7ZPebh5mSD7]L]9\2O[HgPX>_*5ol",*i^iQkFlj_t00fpYm6:sIXNR8)SkMGb2b
+%MEneZgc2'PB%[:_5bHI^<Cb=tcnjmX??'e_L6>H)llMo'm@@@YldD2d;tr(12W:8LiQ%R&HN&SOn+g<fpbpW)05u_0<LG)aT,e+(
+%D(u(ahGr6h5CG6_huA^\oWQ$fNa,,kleArP>PC26iT,C-3]o4HKMun9.kN*<;32%.Ph1+hUQ]7i<WpY3TUD.o^`T/1Cb@2#C#l73
+%`fcbQ1g.HYN^ok#NYsG(G'C<u-SUK12OgR^7XK28G>)(Z%9M?O;KBo*),QO<VX*M[Ll%<FKjs1AHjahFhRnfd%LG?TgOMnQ)3]qX
+%Am@Ul^Wb8-)b.Ws?D[d;cHAb0DAYHY$'XUbT"):@PtcD1@t&YpfG3h%PB#:/#pW(PDA95_k.WeT*!s*j)=Q1k-USVn8DV`H;/JH"
+%VU*$)juHFq[*b3pX&_0lUO]P*DD"ZG!7iFrgNU-t61Z2)*Yt*7JM1M;)9*(R-TCaBE=&&[cK-[(0+'+_93_4,nReCAE4E9?]<`9'
+%OaZJ+eo'kYSAN1tR8eCbCfK<ic,Sh=h:7m__J5T7gcu%T%G/=gG2'[AAI6%LAQQHMp+j3!GPo.<]DPR!(c,(Jb)M\TTXne_Y=sQr
+%NL=(d`c&X;7i8e>XYD3T;"aO#*Cfci1k=Vcr4rAk`W2?P2r8-!I4"unm,?"Nc1Wmc!-Ct^L1WFe_>4$._KgV+F"R,U?cLgsN&g+!
+%!9.V;r7tJ4]*:FW&;SY7M(d/Z1l%sC5.'B&C>s.T;DFHs'MhOYlo<iRW5fQ2ak+e@YYF`6r1"';UL<CWjEjQ3\Y^8IGQHOC%=sr'
+%_+<2u-MsRJO^X["+h.CMh'"DZ3P[GUB4XfUKSttp_/dNHh*^5MboL581G)60:m>?G6"Cb\b_VM%bNN8s#4N8%S*T'M=eS4cP_Q<q
+%3bVJu)7_%L]0`Zi_811;/(lOkZ5,[n21<rYT.71d!<2e%gNG%b"rNPF!)3XreDag&FTN$1LhJ_/^\cKgiHoR&Gq%O+'3UK9pA=R8
+%ol<A\YFPraCkm,(Y.lT5\$7bkI#/%mY?]lcq)S@TicZ6tJ[Hn%]J?m$p(QAKZZ2,>pZZEcq_>l4B(VLD;&+7iW3[gpq1Zo<N>$)C
+%O^8D?E!*Q,@kT+D$eE-ic3V=AT7J5iYamHF^(!,V2m[rm[H^-O*h52#p^S+s&<%)kFQ56!M$&So[Upr/3..(rC[>I3,Q6YGX,6W9
+%LQKM>"E"C>6B;1@bPMG<aif+]N*6%'0p.s^[,Q=PHR@TD[:!1?T-S0d^'JkO?QeQA:kT;?,^=_;$_BkIFUmi!^<bYpbGCt,$>1@/
+%(nL0&p_B#$Y6`.Kkl+M.**!T94VT,K;`Nel>@J25KXkq\E[kDPLWg$%h#5=HhhnW_AmA>si5nP!;"9_<A0(G3CG3>B\!iZsToZR>
+%oF>5jSD6Hl2b/]ic](AO^m!5d92iF(,.^%Cm;ah]\6"@;@>rs0_WnXu<NMpgbZ2i;dI>GtmO;6^Z!QC+-1#RgiM5Oc6&u??+lN+j
+%\o>e+!Zq:dTX=?sq+K9g9K4HfdY3b=qP>OP7:ohA)>"4G2PV)]%m$T3&Y$-MO4697.e,8@pA&j+Y9$qO[VJ'gLTo\,hP>&=<`0Y*
+%NSJE8?()bfgu>dMGr#^CGkdZ,!FOq?[eL7lroXPV?LHil^RRL$O"ZQ$l/?E,q!O2i`,R_]fQeN]WPa2YYkK14alAD-hL1GHom'=t
+%DuWT\`T^&V+$YOEl?K0hS:AScnp%/uSA<1oqVb[Dq>_meiPD^Bn3N*6b/(E0n:Hg\BkD7'R'*K1BmN)bn(!PtDFD@tf1";Y9_+UV
+%`F$*S]o_.WZZS^SB!.?\9[DMjfouQiQDSot\FCV!l/QsdYk:4#'8H\OiUD+PW")>O_sqq5.Z]AM_ZB[S=MGsD%kbZF>rXk\#9W$>
+%F2![?hgRT"[Z<)&YP>UE*Z!%8NL^jFC"8fAp\?mq#TO=?`^;`V&@rjuS7=hV(d&f@X^anF%,[)=hD$E@L6'A?o,*WSL9JWopD=Sd
+%"6a7!I14<F&c>##In0r0U_&RNL1=]P0o9mDGT9X,a#(pQlI/W`NCg#OEg7T#)Jth`m@Cmps*I<c_q_J?\rJFUbEUS?hJ/B`U)R&/
+%rET?9/a)2h6n`&ek3>EfH<Uq*H@rdErgpDMa<MkQ5$A^+T^N?GHKJXgZBSM%N3/a]#'5&_f/iI(pNdQ:J>MpXUpjX1*%eC5SL%;m
+%2PIj3%CaWs&qe.Ikr+k4R*'H\`[E`p47qM+gF>OLC08(<;NA$k@GH22!liKO,7K=/P2bR.o04#),C@9Xe(@W.)VnR\/il'M"!__?
+%:Le!<T9lejpX@C#huiVmIG8U!$.+[,,'B>Sl?LRAiD_jtH3J`^S?i"s8&1(:6eUMi473<mQWqJt#\IE;L[B?Dh5\/Pfha&_]o42g
+%"?ke8oZc0!._YE[P^IruGuAenP+%>na_M![1iC=n[6pgjcZ;":X\mK-*WlDn2[hi*_`07i-c8(><qTttk+$-e2(IW8#?,@LFBc<n
+%?tqK@1H5gRR@_!U0@B'H'j9*-Ea(2<J=Pu^E5bs/1Ha5B/mst'n4qs.k9]l8M\Q%D-64,8GY&Kt=C]14Sd<@:Hua&D);kD"_eX3U
+%B<fJ'0ij0SRsN`%bj7L7^W2KlC-,0N];pXBF_89.hYfcp"ToTI\aWd9)S4=c+i6d1_AkgQct,uQl]"JN"3cB^B$4EMP$+oTH[/s;
+%?#+%u;&3WN2UKW\1/Afro)"k+NfImfE_HY8lI+;S!XsMZ-5V0(a]ktcK8n?e=qgt+$s-Bc2#5fWMrl\;i?U,7C-.8RHA$nO/9B]j
+%r_Clu)PR["-@R!_Cr1^C69bPSYbpL5[O]EV$n+hrG[_i.FH>itVR[R'A/D`\0L[C:\P?FKZ&;dfJ@i437+"gY=I#6UQ#;Sf2!$5!
+%]jd9"T(u$>@8[]-OA!2bm%,=t[80VRf5)o^DI\;/p:/?"3'\X)ef?,g%LT/Gp&p;CJO<%U;bTm_b[n9g7I$'rEs'RlXuU#';MWf\
+%r4c2>2>iJiOc5l9$=hZiFR^)?E2-Za!!/Mj7-@>l!egH,qapJT?9uKg'[45jWp3&dGS-soh=(KKd3g%O;2EIQRk"FWSVsqVik<7b
+%n>$*=YW@2[0n'P2qQJcmM:0QE70@c]"i&rS]ZJo;<lBs.JP05b#EQ@:/"=s:NY?%_0i>p7&SES@VN#>XH3O"KL0u6?++G_)GM*]t
+%Z+6YGW8F9h4rItL+!>2>62[X2cS^7Ai84nMP:]Qg37E.m0/rL\&L2%)^3^Q9Wb,ijE,K1^lOM<?=:*lj')SM")dS<U88sJ)K4Nn7
+%io\[bG][Q;fsSArn8E:#"Jgk*LkV#<'DY/D5B)G?ME=@*G]4Tfb;RZrd@8h4]eCZE3A'ejcEIsp"f!.sbWdhlR3fQ_q^iLlc'V`%
+%j>[Ii3-40o>^Cs5h9,j24A-`S89JoP>2^N1-8St[i*)&G9.ubP3&fuEKlHD7fYU9Q@h18kB;<`/L'qfWAeNNQ+2s0J/1(.B(Qn0P
+%JSFt8[Gd>cT0TiVSXIJ=\)j+V2\)K'->N\Wf9V"<ZSS)AH#<Ji2jBQ;i=dcf@T.BhF/3b>Kj2]PCt:,r\3bI%UO'Y_l&3##9V!I;
+%a5Z9FFSh@U6k7`/Q,FlRLgk0JVN(>KlM;fXH)l-qMsh*:5UF"YK,C^5lcDGr\D^21!%UEU'<;.;[1$,84eI\Kl&ZV`>l,YO'EZ$o
+%*aW1o&A:mNYYc'ok?DIQJ1gKqClXsb-+qH^?8,kd2Q'aa#tM094Im05$U!L0(`L#+AhA')qQW>n"4D^Bl&u/2G;nS<DQ=97hB>N$
+%,BGDbYLm'*^HKAe:j2/aj[m8%BaT:,VnM<th)H(#UH3&m!t:;mm/a^1Fp#S@*EWLThm(-i8WQKWLTc_9T?L.@,W<BjoL.',!8fKu
+%g.&)N*k@/e!W\>aM[1]-i"b\0iS:6Cq&^C*+H^T+V6F?2AA`C7&1fNLp=`7dENDpc_V,tg'WG#4Z0V*[O:WHI`o\>=@K6#/gQ$*?
+%A.Y^J;:\-J`tWJ?E"mA'...VH!OUhpW9,V]iPn;XQ3CO.WHQTmocZ**5/i]JVM,b#XFl=?F[?r/]e(:\l6#6A.YkOl.`82YgO^&!
+%N+<<`Vk$5'Eu]C9ok1rr"5PQeN8=XW%ZPPUOZt'Z;,cDDT.p=oQ[)$iBIVX"":V)M/[@rOL\ATXo$B:4fKl73kVQ18SZg]0kiNW'
+%@)0NE?7o;2RFciW%SFDd/rf.1lWAtaJ6?oHT\GfQ_q)2TN$;1Jb:Ls5_Z1/?Lp@kTD.]m2,&D.YP;n0O@0!oI10HqoZ0Vl0aAN6K
+%&,e)!H'\O&bo=?*jBKJVnOOO`1f!\ZgKL.Tp]QT66L7Tl#79W(qQNu3!Jt%C6f[blgJVW=X&s#s.k*%R'#0QZ(iT'],j)g+hEeqX
+%]@\i5m$7lF4UTpIOU/DUP:srMG%PL_?5e)dM66Pr*I1LQ3V[4A(/oW_YZkF@s-c<S(TN(/(KQmk5Y/':f>,)dH'`73OR_(p[mZW%
+%=WHpa:9-FN:dMKB51G)K>1D@KV9%\iJEqj`@qb+%?dnpcZ'3Dr(ime7R.M*GX+X.INnH_%IM4LUH]$7PkD?p[\\NorNP$f<A;pK]
+%3KaU+[^6o$f]tI)8o3t++uJbGC2>Wr)n(3Tn/Xt40,M,p0U=o4rq?ZI\e'lC=lX(=5s,Iu8qanPMbj8I;"F\)Wc/mj]*l=6q6`Nk
+%+'6`;URb4GkS%[N)SaZ&(*2s`__,QS@_<C2ZGj;B]toSq]uqOWK%!JDPD3FHM^=Ds\IAX&YZO(44&5OPW.pAIe]n_I`%5MsBb.O,
+%HKcE9;H;RmZZ8m@NP\4?akApmo+6JbGV0ONB\0BIU/.`!m]LL0`mTB9\j.tKPT-U!:9Gj10G[aJ![]]"(gr4fDe:9jbge#SEj)Ot
+%+W#^s53Q-MM<ToA#N_arI)Bg$qWY/+;2VMg;&g!A4*82nIUWCiD7>b40OsO57]B!4(ehD]cJd;+r>97$p5P$4!FF6SPoYfe_[F8^
+%[KVl!j4*!l[LnP5+VmllnE$86#_on3S?=nljI!3q)d&&DbrCuOp%'+)Ui>4ofL`3G13U_#bW$G<*02m2rY?CYWMFu3DQI+s!PJOs
+%Zs#T`pGQ3@</l9BiVmcGg_K!cYmj>dVn.N8H!>uZTp>:gjo?(J"'eDkF<c98"47#%BQoL^0DQ4hY(p!B*+#CWg^j__d^Eb=`MQc<
+%Ido8<:6H7TYL*"9iW[/"-Gdj_(FN&I=D;baH_X:u5`IhnMHlB3(3j$sS=cu+a0/hE#[Y+;_=4$!co-IglNmd?(/s%$,jNA2C,X=&
+%L@u<^4I$J8SZBn\k,PN%Pr_.)5`kl>8U1^6b"K=2-?MFTL?2%M]6/g.QAs"?aV;"Eb8$lAV0]'X]mtdJg)1sP,/D94c'F'K5H=*&
+%YGg`i%6q'2'1n3r-IpY^D@cm@j>BZKJ_ZZ-\Qc(@am6#BgDDtEk64p@2poS2UlWkZ=!di.T+#)TdWQr7Bm`;$@M1if7;[*BI?@+j
+%4ZA;Nn+?^oe/9^TldE(rEfK[/Vma7g.2js--fD(hq=t@&]7Lr^FHe!bZ>]ut4q7=:DHpZ);Rsf+28i;qZM&NHmPnf0$</90?q)hA
+%gtTr?Wp:WsC`2;GS"9m!oeW!+-:e3T7AE\E'$[LmgK-cd#"qR4O`'e,SL%;CU$uk2"sAVV7g.p"$;NLt,^d#!LneZRgPUJ7eP=8s
+%R;8.D;9r\3H0?a5g9baT-JlV*:Zafl^O#jo`Fnr*_UsTLGR::pqS6,P;P=H)Tgo2/8@W]d5mj7HU4WJ&904Xp?D`oXmckLWVg2W.
+%rB7\g3"G7P]nX2E[P_3hi03g:!J59U]h?c,72<lN<t%k.@51=IXg5VneXIJDiBWV:,;Bbl$R\@:=,@+X$BHAj^N):E*PGE[9LMVJ
+%i:=KfV3r5g0)U!PEiLc_^X1ZM67jqfkur8$(V1;..X"Gc!4p(Bkd\JUCOt44<f!=@'O/]KVG37d+^RjBH"Is,fpb\e]8kHlq"l,#
+%O<1XbeaHgiC7W@f>8F[K1'@Ls:qP6l(>Go_&?VqIC:@BHeEuO:#6U7u^LM1hfI@q[<\YU+6u"i`n[Cr`*]I"Ac,qM;(g4p3&s">H
+%9n-NQV+L&R-nLOEYa]!i^8tS4:!'><GE)Dp2hu@AlWqCfV8YocK%U4?C,KLe.sh8td6ECF+:-5LqLq)JIfC:D!K0YjH7:Q19e8MI
+%SJ05hg/Kh>EsJ(p%lGU'b^QkuE12_IB:u$$L9eF&.gk16ODNC8Fn2]&^NX2=48`'en";X%E3H81:\_qY!c',?';*ES)ufgMQI47.
+%JPol\Aeela(UGQoUTYSc+$-$R.;M0r</9o4ZA3'%os1=QCcIEb&nb699ugT(@HjYXZ!8@#[(>R_2D1[M(-*TYBh"EI%$h6VU8'gt
+%q#hpa2JlRE:CFd5]9-jKL.WbLaX'k@;5k&1eJ*6MN!Y^sT>4p<Mq?CtF81QaZ7YG]e0\;Uk0gbB"t5o:QpaS[;#^+fjFJ6s9dgHD
+%m_OR9eL^:fDM]C+C4\1(c7=DB2E54ub7^<+X^5\ig.>[I,-3lQL3W565oG%"e3mt!>/%V:[2-AWe6;cRSno?iiK>+0GbhIL@/(g\
+%NB'6FVAsRb%NmU)6&c-X:5E)%!1.b/S1_Xf`X]d>'$J-LM:CP\PTO7_Q]a_'!t8il@T402&PtbJ\.p/Ap/?kN49j*ZSrj#>KTVPl
+%)umk)^/_Aa;h<gc!-RI2AoW'N+d"W:3f.+tBTVMbU&:587HN8O*1tG/A<ibP,1>.BWLO`2mJ[)K^e28<9+/o5;%p0O96h$GFIbJ1
+%%$V%:5asocJ^/Tp<UU(;+,:Fc0ku:GiNSK'\#E0U.H9jb18%'C*=4aA^pXIT<jHSVN2gr\^jVgp]U%8l#.c'F`;)c?#L60*9K+HT
+%qKGuZ24@*U<YZJb8s;G(h9>X6-V4anQBmdmGMk#:=<=(O?m5[Yo*Sg1F9&U'q]+kECdCN'"p6]5]pbDX3$u0Yf!SA;Tl[g>W)P/6
+%Zl94J88Q-Oa3c=_KJZ\o^`;[bChiWL3r&RbY"K3q?-<<ND.Z7d6rqL.$pf$NgR"R9PI=^1bKNGe\_24l)Qs#g@;MCKFCSo7jO_W>
+%GZ>_%_Dru02d3`ufm7\<b"SA`)F@qG]]&^t3L-'t6bS)b<'lAkE__-@f_L&DT,HH>JC,i54pAndZ0V8uim0AO5qPIEk%?$uOnEqZ
+%#9G9FB/YH30j4`qe>o[b1Od\%4<\2ZIX?TX=WJFB)D_^P0Q-'/q'3]MH-L[+4/WLF%14GO3Sm/.E4VL5o0%BQ2hlZp!H]K0bc"-6
+%#>YFd4X$PZl92HL[Ms?C$*52>Lap,jX4:#\`n';aatR1ff;^CP%-&TXM[aQg#AQ[[B_HVto=d6iRpo)=SH.nm_dJfdG["$J1%W-6
+%/-p;+]T@Ag<gP.:W$;>H]pl1!h%g@gAo&l((p!hFH"Ni[m=3T<+`A!IG'X-hSA?GUa8rC@%tD3Z3.W(QfZB<[(25#q=<4$lJZ\Li
+%R8O$Z+SC]qB,'^_2lsF$"ZWN4J9DnfTk,U>5_E[O_F3m\0SquhYPSe<q\8,=.Z2&01k8%.dXi&a;'I5)_G7cYTID#Mc+bQ10^oYI
+%47o*1W!89i:O-Yt(KVaKQP'RpJ53TUPMhWNr/W)Q;&Ad0f=<b2TJVCf[`l^01_ku1"']Jc/K1goof&>&N'6_`B(U$P:Q*)k)[XKS
+%a?<s^Wm#+JgNg-s3"tEdhHs,T]W\H;@t2hh?<@L./aZOG4$7mLiRc[Vk74m`EH@<+1h(ulIT#YV7:hnD$=85.FJM3#:^%hk^^/.L
+%+bY=pM9p0T.!K$^Y-")m!.,$^Omi?lTEUIFW:NLfehj^CdY1I>[JFCp$d6tM/M]L*khV*sGf94n!.NBq=#^mHqRALfg\p[)E.rMO
+%!e=WN-n%<BYDf0.Tt3PZX3PhaLe-[!g^r7C3/OskdAuXP"*EVS0RtKi`8c"dKt_kT4coKHZQOL8e&ChO`gpQ4'mU$Ph0'$6\6+If
+%=_1gY)o,dEpbO_s*]:Gt+^&ZM+R4a9.T/%L;G!$":XWD<ecXRE#5a4fNSi-n#D2YR$_jda`1a8X![[;5pjWLJ?P6<IUlOWO:ntL%
+%!f,'1dr;e<!OW>AK>;TC"d7_c=uWZV]sd?%aKUUCHtqur6oD<0e+e^HJLCr:)(6:'jeLI;7c8C$@k2)K.0>$AUc&!<989b2o1<_2
+%Pe]7\^ED`]N<3)=&#M^jUg-<(1a?u][Ond;E(.I_@;aJgWJJZ*itCQs'fd.T#HS;<("0@)F9`?Z1k<\f#LjX+bW!(GoPt(Tc`HTG
+%Jo99kBsNC]g)8_D7/=&NBN;]uQg;sJDlSA>C$5s)`&U*82)_Pmg5`DV_fa-o-h%>EnS&?18qDE6mr)Z'BBZ'MeE9[2f&;%&-CohR
+%-BiOQiaca@Ye]J,@VR/pb.SW)%h3Nk`sY`rA`&',#F2b4Z)fDRG2HaGAo+2JGm-*<?iu&8;H@./Iq"I2W&\I0S@ik`MdTf$f28?Y
+%.5I!;HFX6u]W*)o6s0R@W]!u_(7G(I&'q6Xc'9NoL2M_GW&G$Ks/@<jp1sZ=<46l<bJADTG9=:b@+kTZ17)k!fCn8+N9cX.3Wh<T
+%iiG]FRj/1[VJEdV!Big^Z6GIY?D#1(K3lumQqLaA96+%$jFjQN`g/0\l9D:Q7G4GuOJ0\p'[<lNW*cJXg;-^%$ja613!]dq1#5lj
+%Ud"Ju?eNt[.>W6M)2\H,lrt:jCKC4@<$aLEN%AhuSYgd5lc7CcLcg-A7em$:`-+ZQ;Q\mXL_un';P!Ot5[sJrEEY@9p^I>mWo_/u
+%!ml>"WB,I%Aid<BYH<?$r`hVILi\1=+d=Z4hY=oR0e6CZoj\c+LEu5W.tgOfQLnLW8no?.Rai73J/OP4XO6NP'bN"pAXb'D&o1(5
+%ER)e7f57S:2Qe03E.=HjHR*Ls&<neE7l/g6.O5hGCggkikf.Bo3LILL)ol;j[>)[N!(YFN1@I;%.HkaR7;DD@9JQ\6,KhKB=]c,(
+%NE8fac[VoDKmGO\JET]e#+,Zt$GXO)@(8*Rc@i0'CBdM/:^NA;GDIS#U+:_3`^!1b/gK#rhWUDaOAMQ,kEN2Xe(-c9h.EJ/%91I5
+%']:b(pk"H/dR*#ccj?<kM+/$?]7?ISl0T05kKT$T+o5Y;ZAU<"/MVSsi\Y?\$hS-_)H2u;D_@A9gEs9H;R1S)2a0POa,EEqNHs\2
+%mJ[86p5g9U;%ru-W,>r#BD+<V9Uc.Zo3iTiNCu[<NV+QI1o8*19&o*;k&dGSd!\FH9$9J*/":!VHaO5q)bZZ!/@Z7:KM<^o#_p4u
+%I,$h61-mI<L'k+mT[i;B=MC!4:H,8Z?I=t$d-.Zn3+E;<KO3`@71%J[r2.4u"66Xb=:q7OjRNm9%I8ZITLE^kc('kN`sk"6L0gtu
+%R_ChMOS'@SBcnCb'pFi!Ff>%1*RX;KY_0<X)0rrTXLast)(@A3+?cJ#oX"pL7/RmcE?bYb]Qu&fTg_hE_@_oH_03d]iWGj%;5gag
+%E?U;4Gbss_egUg&k@K1824u<e9u8']h<uO*1dUWg,Y4g2('U)-!l2/+&lmC9V!MZ5_/mHMmmFu&;noW3mjuc4.R7r#T5<K]a'X&T
+%W7XHLZtR%\i=\*/H)Fh2\=5&9He[^n$K@3l=g4%@r8TU,$SO,tEWpbOKo9CL'!VRF[A*73&.QV#7[$cV.@m&A>4a+CaKTGePKm_c
+%'H=>SN8Y`qm,('8noTjI5k!5C/qAX,_8,aS$8CtHK2,ui?sdb_5`g17",JPqDoU?'C#qKC'#2EK&>-U0#NmT@G]mV;ip9r@ql*H\
+%;aXfO`P3PWH,KtIE>ZElo%OSgQ#.3pcs4\D1mG#iO%"&Q=LSVZ4YNk2$SuCJOYuo<nt3$_bD:t<\2eK8\eK,gG'5jh;irUaA<hH,
+%Sep7=6kQmQ1%a'#)LEfmpHJdn[EktUh9#o1`F_.J!+Un=m&qUk$["2e@&73iA!:@*pfOkKTNORICk7:,5)b,10PZS@n,.,Zn[7KJ
+%m0kU>-D@o^)l]+Z7l6b+p+;+U`SNu+1Etf0,eL[e:f9;k!U=hX<%uq`"e'@aVAWtmO2rg<6i$UGaIO(7R5J`g(2@G&WXB+0lc..G
+%jlF_>Y<2ihD9U3HA+_=gKf_U;D&FgHITP%mM-R=CJ$(&D;Ig@KF8F_n[RBsBbVW,V#QIb6FmHe!FQ[c$S4<WNnsP7[d[SWV/knMq
+%C!LVVHmEjiZ+Je00*Qd5"Gb$VA.t9e6p+E4%^`h]5OX`WGGP0X$%aN[iK8A0VC4XT)3<:f,>%HW:jF<n*bh&RPg0C.o10OCU6H_`
+%VamKH,H:?$J3?eA+)/,Q$LWJHq`sL2;Lf9Wi<NQVOb.s+.mFT7:F,-K?2BC]IAC9n$/9*5pQ5`1VMq/#j[UNk"(hGLDEecm:R(Z2
+%]DbLBJ"Z-Ml2=+$J:hCJUU\*:Lu9[aE0N:@8g,0C'-7;mc=.20fnQ9?_bgp'X;c.[QoKt#*+UQ@,VG*t(e<PD8!/ci4cZ:Va-4Tb
+%;%VeS3oiS=j<.$7'JDK4S/`hP%ald:+tH/LQBQ@4K?26J*6_8<k"0%E-qA=mY'CSh3==acV/m\gFrhoSNoE2lTq@Mqcq-=_;.f#7
+%8TYY"H5&D$Bd+S9P9,CCNhT59i_9q=:M37tUNk:@d*tpWl6p$4+E_gk`B"?>4c!sGFLdD5?4ULP7q&WSK\1q4fRl$6;8hfenE_Q`
+%G*GjNOBaliZQ4bT*_"rr!c]S:\[1SV=eP12AbRU"GEg01M!7&.mlcL!*T[,>V#QH1JO`#B#P#Wo:>o'sn3R!A.$St><.'d7I$/5,
+%ME2d^+<SNGO0Xp=$-K#Jj\a\$5m6d-R!FqII$!<7OR,)cH_,pVO.r=\H-ljGdKeIRUVQ+c$hYp;H5'IECU"pl>E8ih%q;b5iRj@2
+%lrf;@-sV+b\:'IV4\FlY7<TaUH&E4j(<uGLoQC_%Qc^B-f!%c'io.E-8b7NA@s>_qSHY2)1k*?j5+un%0C$%%-@TEBI*d7OH5npg
+%&,_Q6U<.tIo"\OVi45?q0dlD5O_&UpiuGTk8"S%h&bNj[3YRJ_N2-^PdZNd9j?u0#ViG#_,:i)2_0$rK*Ece]%'gQ"m)VeG@'Deu
+%h2].X'8Q"s[lZD;*a!e;_V^InprFXA0Fj_bM'jA)RIYU`7NQi>OdU@;-,E.V.eL5$/rV/)k`Ib!1UZk+JU1k-*dOlK*7uKCp;!bX
+%@,[[_]16K%!t4mT1&T$CIc)A6E0a;\js(91aHo(GWukHr%ufm#\,/Pq5;L5SeFEh[qN8%3jL.;Bi/aE(1V*M'_gg\4+5-T?-%N=:
+%^enIs6&XYe\)<oun=YMT<),Df/3N,N*46`G.M!&I&.e%<#G$\V9o:=sMPJV==V]tqTQ/K839kN(2*=WK*tQL:B,-Q(hT1=-a[sM5
+%W-@g*NH3NG3=2iNBX8[X>`NPP&'?RR'q(iRb`ag,6,Vi`G4VYkF&^OIkj:KJo,M:g%XL@#g->l`TqgVoK0%CWalo[KoUq7U71VP`
+%nt9TR4Gi@Q#%h@*pl8@Zq>e'[)td4`W!IH@Y`fc6D"1rI,d.70\SOPb6ePb/]+1>04DI8IkXce[ViE6,#<f*mh5d;?eq9RF;0hK+
+%de09sFk$D:<s^tRM4KpPc6?g1H=f\/Z_L.HPG6c.HgRWXG1:UqWkU\F`BC0B*VJS:[-E[_G"2_K#IV3sZJJH2mm4/G,jfg*!.<-$
+%I*`WkWXta9$]jS-B-"psA7?%HI]B7*FQ1!*T[E=oLa2o1W%GQn_+W4>f4\;?)h-AEhW.P'nm03)61=A9)tU/*Gu39YWcK5(4<HCE
+%O8>Ls+jig)d<BlaUQ4T6k35GYoj()\W470)ApmKq4Y"/eeR9PAA=k\kht:]E9"#81[grhV#;+a:h;&<qhP6P.c_A0ED;_1Hn6'c+
+%W(q`)0n*(a5)LR,<Kp::b=?^;UQ4r@k4?d6d4*<6BDHJcMBd:@j7[VL,e8efAFRW!0Sid=c<"M5#nQM4:q<]5K"m?H[<i*c"^5T>
+%@;+iue#/k?(B5baSf,u<*O327at"dDe''cceOOZ-bkY.?6-/N/'fEQ6?ac\*3;+u%>;]S_h:.82=(G4$7]%KU./B:B\_Y!JWRtF-
+%.U\l@;@_Y#l>NoRUsXgrr;e8-24,5M:;^F4::=,5]ErU`MPk7jaN&WS[:fqE[\-7L^l3r"TIDTMS$k-B@&e2N)T$*eG>od#8t;st
+%W"s5:XAud[#f0fjb0F4H<&`sUHgRTQ\-!bG%95P0RFqqp!]NlO]68@43Wua.)3kojTG156A25iC8Sdoq:h91Jj\+jZ0piL5?H1hl
+%WrSkHLE$]Tig7uoR+:)s3878SSViFS;F]UL9N<CO;_nGY*OlE#mZ@(.hG5tsL^%V?Z[GIQ?H*JHJR)N$68#_F+Z,DrFc]p'Dap&L
+%8*pp(iHqhP%VCM)N<FRB74K`9H$1d%[k;1/P;N'_<fZAETJ,9_AX-(sqjP'oCTCfHRB0'*Wej=/I3#SZ?@b7W!C(Euj`MeYrQVC$
+%Lna\_11:r&_M!nFr%MIiiZIU3iRFq;hrG2h"Q=Ks<_4*K`W2qXRub\qCHnX^[CNVMY&lH-=ml+fd:l&_4+^dFf8WR+j5d\(S3klq
+%DrsC1neD-dJ6K)HB"R$i=LPOr,eBbJkWs0=Kaa^i_u(g*QMUo^11f?a"Msb_cfkN;r`h@CjP%R"k7'-I\cSF"7_"[aUjQLbW`"=\
+%T1B0V@mmPLQVp)#Eat3i8:!45]<7->CSgX-'[g+',?I#Bhs8HV>_QIoRZ^$Bh']2`WM@Ir7]#O:V3.^KiZ1aI)Tq`MnO899:K`Cu
+%QKRqTHHth6Q[Dqef.]!=Qn(qmS0RiVD2t"8q"SP_)IIus]V"=9VheuoS!l]j_CLFo;!7.''"DC:`.;IhoRe-HQSI)X6+Io8ABPGm
+%.<#$fq?kSNP9-4E7,"nUEWHpQI8t>k]DF,CdattHM-:XLoZNWQigedp`C7/t('mD4E\W91TYpC:M;oaJ]No,'Hkuc&B')Zo"D45d
+%8H9G\2DuA^.IDDLRkE*bcTPRCpW%I(Si]FDTe^tp4FO8)juSa)pB.$lgJWA`EnT`[n$/:-^:9"RH8/_bpM9ol?mNh%Z2]_3%E)>u
+%(!tL3`CU[_n%C'bpNl58`FbFIBaP4APm&4H8b`s#-R`-ZmOA4F<H*[fR)7>%1a5EOaq-6'8l=nI&-L>\UtWE,>::*II*%L*]7S,P
+%#ROA5ajI(I,cPisQ)tqsnJ(g$q3p9m-%W3g9Xof*e0Gn5#MB*XU"n:qOBmAcM2EAg$Y@pj)mEBB#c*0cVFV])9t:9\.l?,hX_$=Z
+%[19&<BV5rHEQk]RPnhR-D0[_-goM.VMp#-K;-,8Cq0Kq#\k4Oec$%/cBuJ/n]#9X'dVRH>3V6Yn>NuULY_usD8_J/HNnYj;=b9!+
+%/]DC8.Lt1?'MH!tRb'fF)&TOBlWUD`X_%k?CR7Y#F/mSp5!g==I3jm+JbNYUr>G7^"#Ob)p&Jf3b'P%CT]>qC]j,fW)*@oVba,VY
+%LsPYJE(\@I9fM^'<I)9Uhl<?@KVnL7qLaKN00slJ^[ui^c^=;dMi<j]kHa>N?;W(^-3l/776\pmcUi9YT76h)NaEighm&G[#\*"b
+%(Vf"C]0t>""&bAcE*.hHTL,q_XeX`'TXgJo<p>bT6=p=9(^$%Lnd\@Z9i<\6P'MaP!q)?k1c':T<:Y5(lW2'K4mH9(&2q(uV7Qm<
+%5l-pHTHW/A#&&R!ksU7&:\?'U!&gnP)>nd*^J[%sO;d3tY7I'J<RnI)\o_Ks=iaAe(`0^n*MML(+2Enu/-ZXX5:bDg^fY_O5;oKu
+%]&K\G^l3Tq7Fr]9`0/AJN'h^"0cMD_/`RNhG]cDXE'ma_A!_on;nZdR;S^910)bd.WmM*VLN0u=Pj(NH1/cbZitI*_rk=3*'U(DM
+%Vduc_6LE&1nA>G683K8>dPl!2JYDXh]e6$EN/g()Ll9EHcdmihFiZO'pO,VP&*LVD;c'Eq]%';R$Z[^;G#ZpI7B,%'I`T@YQ/ZTq
+%d%rQ!;o@ER@P!'3(ccc0b_9UpMOA!&Vp'SL,%MJATnYqdMR6ILnf8M9O8"q-1;Ja:EPps,.l.R'D0SqI-k-PTk@'J7%O:!@'3>OF
+%QR>H^8[R2IbXgs]6EU;Xj^]/E%N7STi[?ArDQs7,@GoXnEgopEZ:%k?:;P-`huP&7`heO\IS)8,[&Crfp8n/2M%Ln@.P!`r\Ps(!
+%P5K2,D8\sP].,I5&hKM63JSB2k[m<oq-IqGbl@"t?_<Kn$_1eCX"8f&60[:`iF,54+:eY,$<B,moT7ed./TQqS*JYVX-?1%fO`3'
+%K'(gq'Rn5?c/f;29*u>aPrk/QGBapP#V9^$b.\T"n<=q%:K"fg,aGif:m@Z/QX=iO"mf\X&uooMl3Ohg-);%<<^YTh';Ugf.qF(_
+%,'QIB!f&cu:%XP6FXIGd'.nZ-e;=\m9I,O+V)rN8ZX_eqJ@.fLflT)!=3_/0_>QN!H7hjAdgm3YH7Y=_)pKU9!3`mXrg7?Z^H+V@
+%XiX$"L^4EN&I%)r?<SUL@5]kXCg4NI00"Vi2noYq9tr9[NE-&mD,ts2^_4q'ZXTO,IX`/Pjqa&<7FgR%ms`_>`;o@)V^FXWZZbV*
+%BD%q<qOlVi<-^Xm_*2PQ53U33'kr`o[7@(JUF,D]IdVj>mST8D6,E:ilh@=ar1G-Ze/CNN&jIc]5H#SEFcfH<b"'/,ZSM-)MXuJ[
+%o2-HQ91\Ae;lnn:O_p_U,cs.O`sq7:9D+*R9Q._tl%dJbIF\H#FVHWp6u#&!,'RPt;G<K$*mfl8_b=9eN%4^GaoX;be<nUtR6,KO
+%0=_SXUH,?*q[q!%-M[[N,(K3NN4sdOJ/#kd$Xl5XoXKi3FBt(`Gp1:E3XA.TYLg3+EH]<cG.'I$)%cH8I0pMV4I<e:g&NBpKLmW_
+%g7YGPUCujqAQL,--\9Yh!cbisb`#,16+gBeC<BttKFdfV'9&W_lt3'c)l+'W]P(j'eW"O$.`I9&!(@5HW"C8XJ-#K:E@3$`g^%)?
+%6Z%Q7<"jpm?KS!Q\kCcZ/SIWA#L:"M1@V[T79[Q"cM/^N2S66bkJ^,@IfY>6[$j1f7KgP_nkTQg1,b]#YpIt]R^-*[P&8\b_]3g-
+%4fnbiRqYq]R0A)aIiWTAa/mu^#4@ST46H2WF+D;YiBq5IR"`32]Hb$;Tj0mN2Z`feK[[:jXBK'p3.<>S6n"G?kh2upU:Q+E.HFaf
+%-f4"p^f#uDR8LB$9Bs&OX[psLCTCD1M^:G/!WL6n`L>j&BBe\p>_3Andk]f?gC(Ds(n#.qUBHAp16BOmjY<t7Qie'E18t?AP`(Zh
+%6tIG!r@<-m<05g0r#-Rnnj2jMCssZmUj7:*c;?n]`9I=nJlg*0.-7YG,7!M]@/04:D#h_ZRM9Ph*CO*D]9]ff1Qr'*/s2iBh*RuW
+%O)TEj&O5+@7=DDKUXWpDZ2#o7:$\]_%k7[>H]]DL?5Q>o#J->7VCQDi<QPJ%0(=;F(ifgeI>*eooGgbN#)6ZJ5#YW(`fPL'1c_nY
+%eG4f\b(DTD6p"QYO!do?$02to*)<#t1dPP),I(9u/]uq\Mqi.;0%='G<UIP5g^C05TFef>c+-G_Prjk)F9B(&`PIg,$8#U7]N]Q4
+%O-#[uYeGF<6lhR9&_0mcJ&,nHk14F#KRS:">`o9G`ueP(<&Cr`F@fp[&3=/ecgqON43)e@h<56b]_X>tIpM7J>SNZU?\)"piRcla
+%QA[Odl_/KgpXG@;l+7.>cR/atIPY$(p'rdMlRau1F3A$-m0^,2oEjnAb;A4[ocbj2FRqdE@$$TI?']il$^;*.bW%RId)g&n$^u!;
+%[7f,70Pa/;"T3.g)KX;3cWo,$"sf(P1q\3_KT[ie/Nq1t6nhXnYr24:\QeTnT"EeZ<@IDPCSpgP=Yh984>nZI(RPNB1c)2)GtAk$
+%N5Qa*lm\0G.n-%/P@p&X%QrcQLpWn&C!rDT2>uiU]J.&<UG5$`cUBaqOPKs0er<#uWB$$H`sbK?<!gbu0d's3@1`oFZ(5cO@4`"C
+%&/`2!G*\Our?e'f1[]_;KK6V`P6G^Ml^"cd&IUi1XUGqQAEpk:)pGm8jTAf&Zj;o4P`RoGXK!4eUZ`0::cg=/S^6)]\+ER];)5`s
+%S22(qoT5po%UVWRoNeprW6"ltYWo:4bVu1PQZ>W/L,3;YrRE[tm3D\W6-"P1!KpE*C^ub-1o(YnW+lp!T28AuJ5q`P?oY?nRTn32
+%Q`rJDelaQ11&TOcEjn-73<_H`30k-5@/ts?<FmL9JjEMlQJ`^SJ8SO:?4M%T"0;V3^g7gF\Wg@>9,NQRCC+7F@<95jpE.Sqk0Tak
+%T*jRP1o9\W6Yr32ZPb%r<KrpD&1>&HPD*77d*.AKZ?^aUW<OI8rr!fm@.I/FN\BApo+EacQE?E77H-2bP,"7/0>27gef9Q*2<pZl
+%8,2Va5<8uZ:;kQ=34^FIDTpMi3B9T"2sSND3kAo6DVU`!GB=6(8,-.XhG4=OM>/"L+r,R4f*LF"'E+!ALC]=*j3-Ha4"eLE(@=%5
+%g'MaQqfAa^Z#^3+,D+cXT=rU2pFNHO+S`&ScinMi>+^gbH<BiYcM@@8q=3S:1Hp9WDk"X'D%8\(Eki+,&E(Jk36LHQ.s5i^9kJBd
+%UE:@d7*s?3O7;oMLZ`JiGQP(s6JW0@fgVQOZnn.9dbE"$QQ3b?ZG&.m/m;;5YXSrH-)mBJ21:"@@fVh!3olQU+/iYqV^=(I3P]5l
+%0Zk]CE8iQ:\bXUNJ_EgqiPJR?8a<Z#!(3pOgP^(T@Fik@/Zp[_5pc+!5)"KfI@s0_%C$3ZOTL>-Q`oD=Ua7^G^oAV?>FuH2?Q[&h
+%-d]^T^-V\X(>5f0:!Kb#`ak00IYW1ITmi4n8DIV56k.he''_KOWUBWlS0/G_!!PV5@U32`"#7RBo"41iRO1B2A<i!658slZ-8^C=
+%Lu*6\nAdT]dSCF.#<9U%q!\9H39)IEE>Jk9`d`!&]gs[2oNkM+W_.)QK8?N?))WtCiQq+]6)*/,pJ6F1M'3L.9=5jOQ)TV-@"QpW
+%mW'<#8M7i5jJ7tV13;GMYkjVYs03niX<.;e2#5n*oC:qiWB.UtLX#JC2W!I0rHUL)_#X]=93]0;.A^a]o=/ta&>8J))TR6S,8>o@
+%eKbub)(?9X<7sKZE#oPCo5X^(i-q0WGGk@kjoqDDD5#?kWA2J7e4g9j[]L%2/X'lP!(-^o416:iG"+1>Z/'uAKSg*B#3Z-]GkNCB
+%!t?`BG2J:@I4MV*n7g)E%^%.^!LR_BLk0?NU\ba,4N&A_B]UhOH(Sg2:2'>`a,P`K](riMCbfM\YuO/SpiL?Ng(ANk$r7,kc5:(X
+%_e\mD1$=LQqi:$mTFQ>JV?\Vlo*PA;,L]^?JC3ganAgd2hTr<b0>DPI*DaR#ADfP,n;'#NJgLhE>X/0MV.==SYaH(h&D1^ojBgi3
+%V$_4Q>_<Dd7<:2YJG3llLB0;%]#cb7CF/jF@*HO9s*f"'222%&q:It/ct`EN/bMI=lU/#ELW7sW9sd^P[a0B4%kYGTc+]hHJfe0P
+%+.J6S2C:XF0gE*.IqXgjCnlGq\GjjFrRf3ieFNR34hMN:d##tl/pQ9^BbUm@8c$]@Xitfa#qrbc4ElO++7>Eq[tQG2#k7$"M^?+Q
+%"YV[,Y&&cKXM;M&O^AHLZYBcB3auAED)J!5F\,tgG_3A[PX_@Yg0u]\b=$92GQltU\Vt=j!LIn&Hu3k5\U`D`3[@>FbY=^gaH</!
+%DBII_j'@tfp:iPg%fi._d)5$a_XW"XClEH!c2N]Prnb]of^\pi*WCJrG]V=uBP,RL2i!mJ,MS/n?<O1lT*$f<X:mnWQ_GXmD`[M(
+%%"POrL5n@t.8PcC,<F:[NHuI@1]TI2)*1U2aR4-NPN&a[;#\a!)?TN3\<_T>@DWdh/:1?JMqK+Q"2#grR4EKY)$oi:%)ardqM;^H
+%i3ON1gkVQf+oHWoeW*2[Xu6^&&IV3)^9f'CW-i:\+$ch3@J0<F`(H*-VFLsBUKhP'4qG^lasMGC@hE_*mL48MTq_/'lPe'k<JLpI
+%U&Au1\ktD(.n(QA[S)X@g0N\IW6ol`+gKDr'DObJVjVG-8>qI?6*l3d!1>1&Zq&T.WP-C%%t\4OSdIDjFVQ'!g#C*sY?`RA3J:L]
+%".4Lb#,@_tCHnNI3\%*;\b4Fi83*IX?[)rUj0AE7DJ%An&\G(]"3+M9<I:@L;p<O'!0SPg:a9Qo$Af2#9B?(Q/oETR/iu;.d=Z3;
+%buT[d[M5.f_fn^aMaT:@BW>Sp>nZWGn":oh\'._oKJ=%jp9M3o]g'Bu3EIX!2/m_&BU4!H"6&=p'p<6<6Q-3Q?;&R@\Ph30PO?`6
+%%ln?YB]a7i1"9^BZ+$96J9c4s7ITe/.!4LWA%t7FiAlZ<HKZ)j%dns]VEc'#+(&;3>COsf:U@5WYUu-mYsmVAoV!rI-PtD_/J@Vj
+%bp\)7s'tM'Qg6]8F3uA^45c1#S/d1LHhWKar35EFQ!O$Y,0/H;?+X&I#['\(5QOI"b1#f#QZ(*)[<`IP-&IiHWcO?*$r6H[H]Q?/
+%^7i3'dK!ECi"LYTLh\sh+02!mRVY&b6"J0r-Y']WKN.8:R)c$Q>]'f]P7T3t;AZX9;9Lc"R^&>K6o.1VE-YEH/V1KIXor+4&\'EA
+%WhC%gD/uHU-8_V'Xbb4-7DMKrYtIEslQoeKA[*0'\a"a.[@/Q'-e"'U]a[r1<";+J<3!tPp/GG.bjl'JG+C/d\r+ILb,"Z5k*NCn
+%<9RnGMU9k'2Wm[Oq[3@j;Ml5h9qbU]m4HHpOVjn8C4#P[7:F885``rg@BCkp]f4RNm=$@&Y71LCc@XC`fW8IKSh"d/$>Q\Z8rca)
+%oP,,qF0ZUOlDgkmSg8ga\aH,E-)BcIICE3*HVZa[b3>N6ll^,`@gdo4V:\A;K-ar<e:nk_imC>iD!&C'Cp#J4Wp"3.:olD\1SiIG
+%.SC>+?K,MNe)%8,\HE*OE6H$T_UU4aGZ?`<:sDrF<`0$e[e8<W./K\i<rKIWJg8P<h7>2*CI?dUSZSl\X#uSj:/k;u2L0Qoa,X_2
+%A^2hAO0WjaZ[`oe!;KQYqc+"Rj.n[aN(GKS&1Fi`)oT6gRK7l=\dE@`;2gi%rDJh&WEH&?.Gh*+Ca$#uW(_gK^ls[0@'>.bd:bQ$
+%$3VkJ:e#3VeM+J6cn`'\FfoBoW.Ueh]WkML=t36+-&l?&k$3ZA*_F6/'YBctQ"_kbYeQ;jYiT03l'4lID7(fBbBH682bpMV*:"[.
+%Q$YO2`t"6=X/Oc&;+IK!'THX<<^+I#72`QS_>h:ejn$"f!TLZLN)3&cf"20'(Vkf?#u7\`QP-QATH6r$OI_jYcte'ukZksmcBW4!
+%/":^jCZ#O)0>'+4G&Is^mbg7;pQ^Wd2b#FjU5nu*]8@R?9)LplZ;O@ZAX$U_AI9K^=HI?p*b9q^(QF)?5=-D.hr(mp@<Ui![7'co
+%`BBBtC7s6^.YN0:gip;XLJHik6b*L*ZT.TBLcAC:-k'aFW&d(`rNCn]L&m"ai5=1lS])g:+Bc:-GY#n4Ui%*u4:Na5L?)2^6rQHN
+%WYPB1+k>,!'l/LeCIkk@6H_5/n6.4:g*[(D;2D@$NK'pZ"r(Z"A7mF2BL<-7'tUdR2;=52D3aU-9Fa"WO^"NL)q*1EM<r6XG=-tp
+%!L;LKmG81=hiQ'#L%oRW&ic[#*)[:WBaTWKL+D>?.n#4]9#VD>ieXLP8EdQUr\u6^*)]B=fI'0WPs\0e(&#fo;<Es:F+np]8CKRA
+%oNWR>N(2%Bk/,!WFG4<=kt:7DF+%ZHV(1VI/dbHQg70`:\HsOrNeB:+MDc]Dl^\9BJ6T_I@]oZAXK5[Z(sLct.*/38R=(ih[4Et2
+%/@Qg<!/HbTCeVSE=\^4H>O_iSNQX#&<&mcI#cV;D@d;mfGLi;3BMVMu>(foH^mQfYJ.?*E\=tcpL*YB;[L*Ygo4jSP85"tPg<+F^
+%pU7a?9hE=bP&<V3e[RdlG-#5'P#/Kf8a+#roc,-H@]BhCgS@mrC5WW37X9TMJK>8NMCr,`kn[+(SkN:B6KG;bP%C6drZ9@q#gP1\
+%mT#O4V?p+VE67l$L#4Q_*otOOP,kqjAWujlE/.tO:.:(7893Wt:9[InJ"s8L1XJb##rI6%HVUNX]O'"2FtCO]@'O7s!"Hc[L3`u5
+%pSuh:Mb8g;>X:0J0kJ-]6ke675QbsZ7(^M'k>h1?NIs-%'WU%2)\Ahn,#[*>[l<f+Yu=?B77C*"0[8.R4?4N8cTp%G+=u$j8po2:
+%4;b0fi!>X!#-'ihlngFl,DBo0%e>:g5I7BJ'%"i9&gotG<(kRcTu)<E*;`IR>GRnp1$q3q;=KR?j%&oJ^6p<J'?t&30j$(2P(uWm
+%Q*EFg!/g3VKWNa63b^1c6PflqWBq+3LJj[#Fs_eGDa&\/>>5clC1^`0?*\sJMc(VkROuJDV7`ldON\^`%"hlM.CJ$T[M(#Y1b)(t
+%H!UTIDiBklFA2A+FU(U"#_Bte>]`Nn679\u9u>EV&icP?81;Ni(u1_Y/Q$5i9Qi3OO@51L:A+g_.FC^4"K<nR#E&`mRF=C\n("%&
+%(6i9Na[Il'Q+]J)fm4qb,SLZXk7'k%#TTMYVG\5F5F5lIPp&F:'r,;4bn*jMapDcq;?nk^d9>HNE`)qC0``1$H%ishXrIq8RgfR9
+%^rmmdhLc)^cIK9OZ)q-a$ar[^C_:@2.-BX?iB+[(B&6SN06c]>YfJirj/\)>"2Q/i.KYZ@D@84&j+h$II]4K:&qPhdRqfb#%r`sV
+%gu$IMjA=e'/*Q_LT8H;s@.`bck*L?=^slFB_2>?Gcj-:A&Z^tV/g)rP_'2h<LYN5?n"*P8U-^gQ85l(@[Pc;V*H@f6I&g2:XWS&N
+%R"M*4VA%(Q[M@]4=a(h-MJ"/$V(JXbapC[>J_XXR9UOAOEZhiE<sp#D<>1biL?-JF`24"9VCNCZi(\P-GiG_jSWCl!h/WmhL-:An
+%,k#'Hpd;Bp[MD/R_4*bkJS8#lFY;Xiki&7nRhD8E1l29/VcC-?77A.DF"<.*MNTqq-O6[7Gg^qg(_F3<]T>,I#c08qF0%-<%9^>u
+%Hs\DZ@+EW^#b01LNg$1oQmh*=*7$iTO8TSd!\9'.p"qI`*FN&S2hs(!d3($`PX44439,8knP]q*?6(5s,h0%M`t5'-ELohn<Mo9r
+%g+97Jo>Tb_>EHb*UL/aHR3AG>%tF1G\(q$e#07G&MRThHglLf7::_MR*(Q@*ADr^.TE*%!XZG#A%3lleC'6?_706QD>ccD,gRMF:
+%VJoVW')oNLTi$]O5LCMtL%jYrpq[mY',Tj80C__,bLROP0<9P,b[9;Ia!\`=FNL'7#+13&->cbI"]Ae:SO+k%nUp?f(SGA\-,bAa
+%d7Q5hZg(Pt(,#onN?CD6Wh69?bkm:']6Q.Ng^-hLjZ679[umMn=&q,G?T]AR1dYFn5:+QAAsM60"JSjn1*T[Aclpf+d(g^(.%<]/
+%5/^+2K^#i6@cTPQ'$&2(M+K"W<-J7hM3lW0%tIT@f]/C/,SPsSQG(]l6T/5VY,`Kr#n0/t,@73'1TO(n:JECL?i_pZ+?8Rh%9IS(
+%dB)5?1*ge:%&%7[1Td8R(/QNGFu1&O<LJpnJ`MG1OVR53cn71IAeC^LPLG+_Sc+4o"r&L)R%^'WF/\Yg`$TS@71U^iWC[5rQNkOG
+%$YFL@o?+%e'&Y&0?%b"@\dO&/&k&j)eHLr"dVY[o%$P[?P7]*_AYbD,+3aYUUrg,VkgXn)<#aYe6g6qO_`cq[G0A?Hf,_rO+=q-*
+%bY`-]h'&52"noQd&:V+.YWlj;+:]`C\.gI:2I,7,c*4Wr7[n4u*ET[eZs0H%":$.jjk<Ba3cAT_=161h1[T%lI0eihm<&$SauqYo
+%moJkrnLZf7D21'V?gJq1Q=>`pQLD?1Qr,Krn$s[UZY0-GljSq@6'?%/PrjaF'G2rW/he]gT7FSO1SP5Hi)=bc+<?RY]EC%rRpaZq
+%!p:ET2*sIOb`)TtJ1R6n-mq\2]@!F*L>5;MCF!,X3ah#.R]^n*YXE2u4>9-@-:;LGJjJ>qLK<*/X[::hSg6Bn0G;dW:bmJ6<#=qa
+%BL^$Ga\N+^OWB`Q"@]qF'W48QALEiJ^oYD1%a<Q+MB.AMSQ.b=KN]48B#3pk/SLd+m[(]7;Hd7j7aY]L()\,BeX+D>-70`t`Hd2+
+%Yua=?7WI+7;mAtO@9OT)g\atXTF3/Y-Kt.+..J.i''V7Xap^Qn"8L+J<+cBcZO[%>!=Q$fMFRB9'rY#2ZC8mk&=Zo%^/cn"!0eh[
+%22RirJSru;K0]l-1]C-bH8N.A\Q.loC('`Ll<&^t,QWNW+W$#hb%f./)Q,g=ag3mZ!k;c8`>L4'@XZ2R"2*fM0JJS1=@B96aBV=H
+%MjU:U0L8348@l2U/`]kHPdBG4DW#YO@'$KG=]5E#Z^27t$:Cf!9:W8<U(O`Ai5`Xq=QON6@?;+lWQo<7N'pZi9Elk)+^&qo%-UuV
+%l9!NVS#]`3fU87cd(*>"+jF`VjL,fU_1M35Un!aFGE-^u:3a41EWh:3"BSTtB=LTu_!.8.IKF/$dp'#EV*fF*?L_$CR.;4JfnkeH
+%7(<>Ua<[hV9Fjp"3f5C^mW3g&'VN,:f'<-qE7WojFS-B.I]WAVb_2Z]0fD3"L<;[jC5'^"c5A4m'uUCf6E=f)BP1,H+N;pSM[W7@
+%N/Eq&'K?u]65e<I=Y6hO;;.gsHkCBA>"5?7`8jek;edG*ShV'(?3?LLKLdh9aIT2+1:Sa$&55UsK[PB,'e"/JLt!6QM<9-,r/Rbl
+%I,eC*dQg9QnRS%e`&t%F@L^OlX&->MXDS2l[fY,"!;hK^^f@o&XC<AfMQhpLO/#XjFeTAR7519bfLLA.K+g+]j!_eR>8D`Ak67]0
+%pW99V:/H\6=?7YmLEkeh8`\!UD\q"<kO*E\_aQ7KdsIe@/!iN3c`0fAfqe8.D147>2APYqL-W'qa?8QBV$sf5+J)u!b6GbI[WN6s
+%mOU)0K'&n\0$H1tX/Q%ScR[r^nIU>dZN18nN3JkRGY&5Mhb2n*,Gn6C^!2ToZZk\EdmQP:iT0L:>EUpF+q(W8'F[IMaeU[H*>lac
+%H,#_[o?:(R1QC6i"%bMDJe9lmiT<IAhEi\,!G!:+T2r\V;Wp:fDiT$l6pJ8e"RHkM/c$RDOYn/G\KV\$?^-<=D:*tC+H:;??JATu
+%IrO&,A15]5R=9mR(Fts;:l'[d&GaL5!QkR*JP_f')bi7HI_Ob,dq[hpU@=CL28.4l;L/G28>`B),7:FZ,/r"$=&mV*1+D^#e-0!1
+%Y:*hDk!J"?)!\I.!9+CERqVo!o%APlUdjSM19<B"?'4'I:FIh]cb7RFm/V9[<!sH;Lo<?@-'sM_(%ub^ep90GR:$C\6Q]1],[&\3
+%oq:TVR>(<*)OR'(M%OJPMdZMc$A^2@2K4@P0ZdN^8Zko8I#bnH33^ML'DEqtAI1hJ]0g&aI1kFY]gdCMMFRkP.:$'tX;P#H&?].2
+%dNifKBqV-C+c2E>Gst[B'hT1k'k?]+F7qQKY9ec+7*?Rsm@9=G,n*GrfE.hXK;^,?mHR[knmj`U#o)Ys+3H6A!Ac`#H[*aK=\Ckr
+%EbgjMN,_:t,-=2H0$BE!#0K`l$mgMd4".H)qpS??X\Sk#j1MPaCScpak/UiuQcrBrJUQ.?W&-jcRBg#(fjnfW<%H3Qs6?\!X\m:-
+%%7*:9$6K""ds;qkr=1je\c09/nu5h+<+SKo.EAA(X[G`-$Jsk*TbjhO1)#+3b\I@L"(eXs!7>k[o[#CA'PcmlNY>Y\$2ME'L!fOT
+%2H'`Z@E*YsMXepWML\6uJD2D:E/I=l]oqLsipVN%GBKcL$QtNOWtMDc=3UDs6kM@&.#Sh5GbsDR'2%NN6P9i#hFGNsKs^?+3(%M8
+%]MJfO>)@[O6Z(eDZNtV,?]1Cc.S@rB@E<s6V4A5A"3g[`.U88@"6Z#XU&h\>Tsth'Xb9h#D%aoR'fJcbnX?9r0Zb[.'&:f$a/MP"
+%-"[d0Vq*D0h]*>skSHFt6MJ6BMts)e#m)5qUPNYoF[uT;P(Xo.W1(hU^B"<XnBtM9.sRr<5V^`"6!bHVKF*OQL14?IS!@Fl,YR0>
+%<a.Lp;8kD=Q]/W$Te\2)cD?(#l;#c50OK+an52(Y&iRZ&fY^-7^(/kl3f09b;6[>GkU9hm`AP$((E4_IENp`>Jsob^VPjSsYS"t`
+%4Agd=1>G-`[F,@i0I!Pt9HLgI*/[MSfsELW47Rq@p'^X]k2o+^5Vk.*m'Wo=7k-ef8aJAG[a?Ap>@TR4=LVH8P%h&"]'^!A@JZH#
+%Z19iN[-0deB-mr^AHil/!'NfA?lA*464^A-HB[lHYEf).<='b5'Ak<'/q7dNHTn0EDUS_l!`D^uV)TnX1Y%mmK[ZWbZ!=?@a4>Eb
+%-SDH5-I.Vm&70$kEgJ9BSuJ1;?0]aY;.4G=I30CT+><Y>fS258!Q!7h[i([21+Fe;bm["e=)jq^_G9]LY-#]4/2eFKOBKC2G[9Yq
+%E5=D1j/Jca'I9Hi(0^m9CLQs:2NDN.%Pgr1)ur\i#:T)_e^pYA(hqTqJZj4=E)Be1o0&OZBjcXXHU-H$6M*Dd"Wu0JY>C4^d#nnG
+%bf<uO6X'+*JbkIEI7VSr6K(+;HQNm<%k6S[D"@a8qB:Fg3naI^(k5)M^Ikt"T]R>Zpob8.%uUMub6[I"*-eWt&QAaA)-)C425l4t
+%=%#@cpU,!hE.*@jV7!T:ZhLDMUP5gl4.^M2<L?M,-F=p?KO/=EV1%`K/^.P%k!aSP^,/dl?=J0B)uS6>[=jOd"=5>1H#QfKMK,&9
+%$qNj%e/082/pjF.=LO[;+a1!t..E>%;DCEcS[-,8"thm]K:Y)g8;[IN<fi>pcl(&tBK7YZ;OH=sUaD:'HQ,7\6;^"nhA&asKir[l
+%_E=W0?D2Nh9Q8?jiNp[]GG\[q0V3oTfZag:`uCr[#-"9*&\jYBZdfQm)Yc$.d:V3LnhfX((\=iq\uo`J?-d2'DeVmrVo9Tg-$r>E
+%c8NBA?h051huUoDKLT8O0(1dSQQ)W$l3P<-E/.2S]gZBd/2aHJ]ACFG"u,c9Yo=\1iF*eOR#(Q,P:9R%GD<ge(8RZ0pE6Y87f`34
+%'bA+H6eM8s7"0Z`+2I<b#lPJlrrD[U9Fhsc&r[G5<g"-I&fHEQ%kHlV50_P(7M]!cPscHmAZr^f!Y$tm%NE085<VRu3gr8E+.M;_
+%+FOj<mlir54V^qM%Bn&C8m8XdA+5e+Ya;#e[n69kBWb>"5j"c;E-2P1/&/9cS,e3_iW[HJ>pOCl)AjF(q?7go'(tX)&E3'_a[X1T
+%Um2Xk@CjoA0kr"kC*hhRR$om+iu4eBXX/a^'?Pu#B>aAKPuKXF0ek\g-n3)-<KO[,V1p@odNKnraMLLN'f>-U44pIR:#JlgPD'$f
+%Y@^cSWpthi3&45XQ9sbN?Pd7N_;.4FOXmN-Q<7[m="^<f/]^-W3DDh/b0[I4O]>_?Br)J<'j%\9f^MG>[]0kf<G,7o:oZEJk16PM
+%&_:R?_rqpHN`n<d($S51@9oilc\]"GO>e:?nV!Rq)15>b/C',nRdfnrh'&I^b+i:jebibGVSP\niZ+)9Ms>mn6X8sq/gl4,6c*aQ
+%/Hg-j2]'A!"#B%*Etb[ac2RK.PI-YmHDTV0%d>\%FI8IWb[Ol"GMUT(*Tk_/ZY`c!F,)cg_d)*,]\lWsnM&^B,r9g2KmB'M]TO"h
+%gkbdVAD/RG*9!3\r$F;4VhH9b;^KJ5Acn?Hq["\jlJs(<Rj^SUMi.W%#PM`GMWcsfm,HDu//pjZBI(gk"q\r',7t"qE-5bk$pnd.
+%>;0Fkk."lk$)Af_pa"<EZ,egEUc.+oBi?<u,q2J]X(7AqX#j6(:is].WsMfq1AFZ&6#A\k_&`+.Y%AIZ1QhBPQIbYsoH#/PY7Yd;
+%#pn*O.F1?rU'NBF%Vj$@QhjHd)i.<jnjO.714C_:D1+jE%K!\4fc9ZF33\@Yj;DN"p=<W)f+&'2'0-B0S-6#9&aCl&HYGB#?83i1
+%"5!de=/H-tOpG*Ye3KFPXsS`9n](1XB<\Z/&[.e/PI-A7>fY?tMBXA]T%&/I?AW`ek[X^[:H7:/c5^#Q[sHK.oGOWI&UGGaT?.<Q
+%Y4*)8\;Z3Ea6UitUVsuWMW$60dGd24<k'ZnFTK_"T[_fP"X@(#4`L:`MJGY/@]fUL`F\C?2.-]ZN_2l<fSm>,6seW@W_CQC85F$+
+%TU:o*H,0uhC2E6`>,bU\36`Kg-"''qBVhnX#;gk;4Z0%Scub$CLZjWa5aII.kTdV6#h^7&,qbgA50sZ$,dk3Y8)Sc/?j,O46N5Tb
+%"'/;+#"]%M#n"R\L1/fR+@Tb3Xtp/]_6uh\8e_EEGHdgKQ66Jk1;V)=jdef!/#81-qSs>Na<@\HOFV?dK0R<?O+@2H*.VMfmqJXB
+%/rN[fo`MoQ$Xo.%0[+B9c%G4pL!C+p74)URTVKsbgfq]/rcaFRoLd(oW$&B)R!]^%rRhQ_Z3V=;g8qH1i#IoF7IYVE[[AR<Ze@r`
+%9GYj%M-SIuqZlfUE?MhhWLHFgaOtMF,Q.'M<dBL9^'h<0#("=c#:,U7GoD8jZpU'-Vnt9Lj@Ag.;@5g!INU9k9pV.Y1sHm'f97Kb
+%M%qNi(rLHT+Ud\!YBI]u]?b41&=s*Lk*:h?pI?&$A`SfKG=,!7Ub,>]Yp9]Z<2@6:<<9I%<o@aKo(=F>8$Et^.nh_["d)Fj#65(2
+%E)pKsnEeUI-0XSSHg$Q(F9Q>@!+h5<gFGPX+Xh^D+('Sf%q4]i!;d,UI0CHPK[?p<m8<h!Z5SHr0TbLOYlA)INOIO^J*iMYP9kdS
+%6Sm&[',SV:KDhP3a_H3@cIqOB-2gu"3dGguM9%1%ZgZSOe/n.[lt7$/(Nbf9Y7r*#bUl>ddO<`$`CVcCUbHQYf0tc'dFF4O`C3[*
+%0rru=@gD\HIn1t[c(CHcY>,t>3SW/EE0^^^,3^j3K8H)rk71`CY1]#I`8e?6*,cfY&DrS=(:]X,ITSNHOE;,B2E0Q\.td]l%fA0M
+%LD:YYT=ka"WK=mhi`8of;uAo;UNYFoJMPAQkl[4?qck)-PVpr`=&'W+$aP"qr1\X8:A3\6QQAQ)(:,qd4E").\j3[N"?%<)!^h,+
+%"OnuNW[J'iCc_2mc5R[(Ji^9r&B==\[YBRK`$"FS@LUTa"XeXm^,.AJiOk06!U1*t109g3iP@Z.6dd'F@/rEXaQghNW%8(IC/P!C
+%r<=p8P<:Moo48\YWucNZC8ZJHM^Y^3TWmSJI5^hILd3[16'eadTt%mS]S!5"o(n-Q(qiu;,$Y5MXa2\&&;7nr#[4Hl/Jnh5N[Gk>
+%.:Y&P7&u&p1"\BeSS8/(:+LlKk)(9(*[68q@^0HW5P'J)/`d?4O5b=1,#nGZ<hUC/=#0OZ-dZTT-R6:aH&Il'WW3ZNJda@XH/;NU
+%!s0<B(l`$IVh0`R3.aMH1*beknU0CdZ$Gj,3[5?6@/9.:<'%HF4PC@Y2FP*X,2rgj\KT79'pCSlmgYD.X/Nf7JoHN'>fA!!0T8B+
+%itrXo6rB!7Q7LV3+c^W"p`+oR=)as&`9@UiFb"!C@U<.*YsU)0&9YUBclJj+#IrY+N:71GG_eI'Tp1=gjtZRT"XcIO<"IC..nK%N
+%Wd=pL]n-t@ilVK3oG+b0&D97c^^guVVlSaV!D7,2dDbWT,j?ba2Ec-qE1#SA?HLS5VK33p^/bocp63UQBkJq6C;XSj@G9I.MVKnV
+%DO>[XP,($1kSpDuXeZ9+U_N6n*j-b;NY37cWK1h/P/EO,EUMp\Rc]&gk:lRM,u&KK;EDr`>tIs8A[DqG?WYZdLFKXKjP,qfh-j4M
+%+T6L1<HoglGaO#oR]JWQK/0Bm18q@](O"q'3:Ou_js96YMT(a:WNU@a*=3HMk[pFW/ELYXSuQd4k1Ks@`]fa-gf7cP/`.,UX7*(=
+%cm!Hr&&:)kliuRRL9eM4"[lg]:sRk<XoM#<]V#l$I>A]8B;gpNMKpMS!K0JsNfgFB^sNRNAskId<)m<B_j-*`7)]SuGFnF[&%I6Y
+%5eY'\js\Z2?;=PjU5Pcm9R=BM,Ff`_49L3i=`g8%B4WPdL+&?l!Ya#+HJTOV@%;[41kKGl*"oqsmZr,W:r]\>J'0hF_&Eu7T&JbH
+%)\6;a)hq(tW]LV89^(:^<EF&5DP`;p=3Ep*=s>-K-49hT(8c&3p=E&ff'sVsk8rD*,a/X(*fq'!PSW%<a0TF/fW+d"_TZt_XOPAk
+%lj]gO=LaGR8XBm,l)J^$d/"r9RZ_G`ZU3t)PKGW_6MM*X]cgq(h-joj^UGDb/2S;^!l5`P(*c\FJ3#0e)bk9ZA@7dC1]dp3<AO\t
+%&dR>b3"unr#+1X6XRs1T(tD:ep/)S>itVuk>'5jVL.K-''$66'>kbsA6DS"ZLqWB3dQGA<aZ,g[m?*C''sloJ*a5.Q$n)u4/);`@
+%(t]qGBTrg+1j#E+*&t5dQ#phSP>?7FH`Kq;6I]dEZ6c?:`TH!VNjItb<QS&fKM,*LS6RiaVJ?tH%2<Uj+UZUEiIr<_@0Gifa>9NN
+%SAp&I:u:IsP>m<U9UT&uYG,%D)0q`k.C)I+]?)\/$%#MVHT)G'-JS6/[nlS!b-c%t7@IUidOM4hMG1Sf+?%JOfcS$9Pa^qCC($gW
+%77]:X4dk'%A/)2h((MZ7C=#ac:3/&p(snd2?r_U\n:2E'5U95j>+m\/dOAW(HhEJ"o;<?uVdQ4K&'>8Hl++G-JP\t>BL#_aPLY>'
+%ikl[0_*-Hs"9'U2U#"mH)R;E+'0oPCOs/ILN@G*0"k7tIJ[I+S$^J?::YKrfib#`M;0hSuOU3hn#K17G\mh70`6k6u=7H_j*).4u
+%<LCk.Ttk*hE#;tf#tEK7m[Z+VE@*[YbS;Z'Ni_hLK).0bI3n3m1o0tI\R/H@OaE6h7bTuOHH"go'Y2a-OYd1f'9J3P!OUM(0%cEO
+%\-3$aokc"[1']XS8Tn7"CJM:%UJpFY-J:cA5A4).2D/SGlW"LC.!0'\[V\S*2C*no&BDK]T^?gN@Fsr=g'nqhf%KVKb^'@$^6K9%
+%9"90YfO!8,_c&<Q:W&AT324<s]LLJ]7dN(.!8O=W*0I)bS.5Qm%/D,KQmRQh'LN(_&_Fu/0?0AHA&u*`a39)=OKrGT&d^jVRfUd3
+%DCNGjkZ*T9SjjKQSm/T0R0:gqKS+8cjb?mL9LdXZhA%oJ^j;=I"Vk,E>U`$@PnaLh+^<-Of4BX<B#kdp_CRKRTrI/gbJr0q($)&b
+%"(KrD3+2I)b!!V:.h-J.aH;368h6-!6[GUQOjf]hBuCK=UleiSS/TgSNJOZ:8?^+=/soK9ab)Bl`(hT2QAAuaW@@OG%JEV;U_2du
+%r%jKbM3;e3gnU;ZWYa(`>f;r,`ik*@PC_.)+c\pUr#YWT;?&KmPb&l.lMg2i,".lt6C^:Ej[VEXg6;dKPo;+BD!Y1.3VdKe[TRXD
+%c?0A*^'9EOZpNM6:J/WR]?6O!jOY;*E=H$^p9"5*FRgrAILK-#LIpbq7RHuY2tr^NY#P>UR1G%E%N?F3@+a/kYQj/!UVb8;4<5j*
+%4QQ,OY^``"3EK,]._JjTpI`G#=+jbZ"/:m$RO3Y,@AG;I;Cn,?)Iu9,^h9W6>,XGc[9;(Ci2U=g\\UhbZp+27";hPNSnkI@e$p%?
+%TOcPEH)[',<5YG1.g<)1\Yc-te7&>k[:I#Z$LPj`8F-Z2r2Rt\(qisC>U0lU<-8coAeBW`]P-7+P$qOOUisr='B$Yl<E&oZV$e[7
+%A6,JM&88/X=Nt;f4RC&"66n,G!8^AKY$B>+CjCkk&5[U)K).eAl.JlV:i/-n@WE6[#l_OE-=p%XS:55T4WiNB.Ktq,]BJA`_!+Tl
+%T2d4r3IY*J:jBUGr!h9SNo5\k(@4_XCnp<rYf:5<[9N^C5rdOEY4B`>=<WbWFQfh>Y&b)!JP`VS]&.TGB<-j/-+T[cnLYnNi#_Ft
+%6ffPfaU&hs"UR%k6Tkuo-Qfhug'C_8cp//T'uNsl&r?^qB`haKT[Oo91!FflRfHG5Oo\[je^I97A7gPU@Z:k-8=VCYfbb?BXAF,"
+%=?_Im+=kqb6^j,P8s04#aXZ>fLn%npiipJuE"=nNhR3H1_JkDB2WMs"?.n;Vj"NSV`@dc.DPk%Ze_o=H2stXK&!"Qck_rUjG&I++
+%*N,bL-S&Rjf82tia?cN8]eu73&Z*@+HsrSE@8QQ9=<2IZP30"6k-.&4?7jLdlE<t&d]_5/A*/*9TR7MCfPMAR^KD_D#,3i_AV3ZR
+%\"lV5fbO?a^Z2$?HW,Z[ccSV_nu*"i^Qk^;s&g@+^h]#(pg"sk!(1=+W)sI.OFb"6DB3_HeI\SpY4-B`%/8#N?L2Q,fp19t_`G3C
+%MRMR)\'"_(J)@>P/eChM=la[RoTB6gHtnJ_TE.N6'1UN%XgCGpc@i41/@&`\>bD=jF\8ihK$fGgieUDgN\Xb_<Y>3/;h4KGZ3:Am
+%a-iAek/_kb(!BB_'t^G_:hIVW$M$oEW!uUcj$JY*7iW?;Zh4D7V]^,>UHAnAbXS6b3qr)lQhJ%=p"AX"L(ggQBh=+H8<!DfeGqT5
+%F[F[!4Ii".M;4Tm#L_$/WAhgB*@lda6h69M9?8TV#ajeD`K'3Oc23;J%E^gc\G-n'Je$]W.*-G+&SNU_&h8!@j`ISpUu@^\S^67t
+%?9@i?$Y!4/HWY=cISQ-@.dg@f*`dY1e:q>0,JQ^l0Oeu<OZcYdjHop9c;QUW!$]_i;p,MncB)^PKp$)&^1U9KISedJD[,ZW[eBIh
+%Q&7HLQkhT2?4$P.P<f1`>3*VBcqc:n,[Lg<S6i*P#oZeRVoR[*fm_0&_1Z)TA!WHO?in:^:]dgfnj,(`$;J(.\i:q(XJCi+G_F>4
+%driO%20,H($dtCrBt-A34)'shA4T3G,VE4C3Do+%Zf;sa#Z>'CAW(MX'Xbn>2[p3Q"6h2D`@F$jEL3]:<@=ORV:;f=V.HYt['5G<
+%<#60n1aqkeH")"3NB(QNfOoq422"W.RVBpn',E%_?=E_*Yra.'E%+]9[,rFVodIQs%>*;-A#:O,3@l'\9;+u;p(2:I7L.kQfTc%n
+%A@$=dnCa=""@\7cC''KO+4lAbX;:GA>'Z4*-ja$-Cr3$j&G9^/7S0LkC8Rj0)dW'P/$NDF6Y*W-nHl'f6O-_=^ce>.n+?28UJIZt
+%$0jq`9@_0(\al=%?J`AbCmT9o=+/de2cmS/#=Lm'b+TPrU,=Eq+mIA]6.5`U)'5^+P;bIsUXQl%n;!@Kn2f77HJ\VY&Dg,h;re9/
+%K[l?F;%L"-Qn*OK4`j`?\OQ#adkt5,-ml1@Oh/T13b2N%AS<*i\INml7i\d$51q[^lj?Cf?\AO7=X6=PZcu)%,37LcEW)?7kWt6u
+%=$!7$R^8<N:pI70CF*[*X;3[SbY$F$'2=[h1p]b-3AT:42]r^V6,:$":!Fl8,A=cf$DAg6P2.ZWGO4e*"r'A?5GkF[ZnlZ?P'@I*
+%Qo-"f'n`?6Ch\:'o8S?kb#=ER*G'^BYO27``*V+.1!G\=JM5/M=o&,_1(bXSA[;c]`cEV`js;e$UdJ]ZfAs`nV[6R4;a-TF;+q6X
+%1Z\tEVEm)XRK$>&OK:=T-daD4rQpGij;A;-J\F;e%?Y".p&a\Lk,e'++\m4'A2gn_fBM`TauU=/8LPWbdIfnFPb9o*s%SiFr2'-J
+%BLti%:Cdm`ArmbP8]AmWEQUBoHC7S3`h,M-Ci-&?='hB/TJGVs4roimS?DFl%#J;FUbLgi]#0-33tt:B"!b7N+YD.aKp2H58gWJ*
+%c/N/[@qQ@p8H:]TGg&k&Z_B/N!K.[O5cELn,WHJk-gE[H9Ok73_6kK7UO(A+_UC#(W^l``LP;r+MIc>9k6ZT+53$s:PVIlHWk4o$
+%Q]i^qVh.-O`p`/f15?iAo`NRiXL(gJ[Z'sL*A9Cf_-:N"[0E.4bH$?@2h8/00FgMi-j&0=77KqSB(kHP[q``5k?NQ=U)Y:"SdBs*
+%;T/<01NI,^>VQmu"IUkk8('XZ[GEld.n=?3.UC\\`0RIuV%Y2VkB`,&Fri)<+Lq$AYJ@M8>,7bH3W,-'+]`3O!lpEiHq:43Q.uIK
+%:PK\]4WNX;qX7JsMfR"oT+*&e?ncS$,Bn"O/)Lh@]r(r1/e@&-Y#Gsr5<p7Q"-BY^:8;+CkUVo.q5&j?e3>p.ot)BbqtNKLI.NLm
+%h]ui6ZBZhN1W.`PR#Ob9V"@mBE+=pT>"R7E,_!6@WEh)Hk-CcgM%2Uu*e_]1=b$`&#[OBAO97TKWN6(+P"Ljg2))"D>JM4,q1Tke
+%BVG#9PSupl#F6:PTEnssgP!LJjV+I3BWi%(M&8pUciLHI&`oOI);*2m=;g4o.74k)SLcIckIQOeYVcG^"dH]#7`>Q-cP_FW;W:Pf
+%J1+ad+&eiu"TJ[/f<2:9<;44MHQYl\c`L.Y*Rl%a9m^NbIP!p9QqP1l8S(_@AYhT68hHB<h3VQ(R$DDAalZRe"?DIeck15A&B.@s
+%_kZ\NR6%"UMMO_OPmL=S'UYu+'h1aEIJi#0l(omF&'?_g$9G:'Ii9,\)O?Uk.6f[@<Ac=B[8I!?==e5i<bnN7f<AN3Ycu`ZF(!os
+%(qL[kAf\U>`=#Ko=jIEL%j`\NTe^>[]ZBY>d/Z?JW=L9@S&#_D*%HTK#pE)f)IaG51+3o(?ce1J,u`t,rXEKgc6@ttc`mofm&]9g
+%,h*69G#0HGc2d-2,`S<5LslD\$8`C_:AYh#nu.AsKAj,RU1,Y7a+!e]Ac%:L($OhbPg$Ambcj'dEJBTc=l&ks>7]/<U7666pc/J6
+%%cO36d*j.3FU2Zo(G9hk_INZjqfGN_42-,>'qTdA)S6#Ee2hl$5k?"g%NF45W%L10n"4T4Zh4+T0Al@$rpoWdZM`X`i+Kh$fCn;j
+%?bcO3mG$7Mr:0-uRu?$:&cVXdYF!jb`'=:rlg(mXMjGeB4]1`6oL=>\s5u&mobi,"Zf[T;pg<tarj.Ns4%Ug748D,@f:BRMYQ'TQ
+%f!Kaf(t`FEg,t:"/4El3>;,-RgR$jEY.5L$cis&VS7k8e5[sLOIHQFgQ^m=89hiX%s.];KMa7_(qWshp\u."s'K\(EeD?TIYsZ/-
+%#mS+?Z'/E/qF+t<mm<jWCT>$?]1a,7QB1fATBjflJKReH"@:*LQ>@RV<<@Y$e1\qKZ/Fp7g7\.@h^*.tZ.2JVUhDms=o2rEAgHd[
+%0\Q].C]^S6$cZ5nRBZTs;o2pG2BWns8)'82QicqeKo4.5\WpP8L"iW-gk.&r>0oVSFE3`o&o5lZRWO"l:(JpQ7$!URQ+h?8a&^$.
+%_W$ff+-S$ld<;Rl:::EDa$C6->LuL?'4r(aT.T*3VsgO<ZrdL?;C3sYN3`WnG*fO+W?p9@Y1Y/Vq(9f$WOQBRY:5#0MldZ7#A!6W
+%^TRp^2Ip5ffY1X,d8$(hLsANnIrj6"nFnN2P@4\M4Vd3jq"dV%b"tUg99oo:I^1kYIc&O-.E94\0d5r;8T$YOC]^rMo!n30AGc6H
+%<8Fp&e>5[-8d1*L?=Ok@&n',4Bu\:hL-eeC'Q.?I(tcK@oW4-4<qX0\###Yr'_PRI0_:"lbDZ+a`0pa"H/Adp+lLE7-MI7`H\':,
+%6nF:f1:X25>J=_^%YIo?*\/0?pEJAY#`]#-iglR4f\OZnjOUZ?qW`fEn)Ok4j]1BZmA#O,[XfZ22%43nO:?uHhDB5*N0hj8,F++m
+%jj&&bX03CWF>sAIW@9E$e2n9NIhoLsE@YcTS+C/<XI\JBOgsX%'ppoLKh=3eSbA+*H<ZR]^'n.mPktR#Cm*N2ouUag_A1!hNffrt
+%lq,rnrU'^=ARS1B(/"_#OK_#[AFu'tP#PO14`Ga2d&mro[?DrSX92?ME[aa"K-P4d<31=4g@T\cOjH$KN!Y?iMTD[F"?;#)WMehI
+%`],fJ%]#uL%M<IHBB'UKeV;k=)kCI\jrO['=;&lKKQnd&S?tTA&1_o1R._mq-C_jl6s+ie3Nuam&o3@f^B+m["YjlRp6fQp9rJ7b
+%E#4Kj;9KCN<n8Q0<[#t,6.0uHF%m`?%rIaSd-&CBJ"DO7P"C.<0&b0a+JL]C,](@FEX=3/138ChG/j:E;4E+%>tGn6b%oW+-j\Ai
+%E&0(h=i)V@^R(b+Y_cYts5=?5>UiJr7K$R%gX,8>q!]4T-!-dBG&^3#+uhIMKo/7@!O"cjFh?e)d]Sh1;AT,-\%uVD)2Vj[McWB$
+%9S"Qq78%A,*P7)q([%%TJEeS*'K,I9Kqp>9Di:3\BMW:0CBI-1&bt,%`!OJV7LT[P\1*#`KRO4YX<cA%*YN7MNeAIe_N(@i'nd8-
+%/Jpa,"XN_/Rg08p`&-&L-#p5Spp=SV!1P,$r-Z+J'C_>l1"["_X-61+%*=6cK`+9!-EIF:KB0Mi<m\)?']mo3)e34ESP:p/eB-2\
+%:'AUTnksU?H0kb0mdVm;NPi3(.#p^QAo"'l%ag^mXPQTiV#;@-CLeS&<Iqu*aAO,H=CdspkY+8L%DHm8JtI"s9JN2k,+>Dg$YAf$
+%kC0st;pSiHF=_^-=$A#c5.fRV=op#de/];m>7PgX#OBCTcUg?g))*rh$0U#I60t=?:c5i`K#8V9:iR<FM`WSpnE8MUQ6KlZ.\_Ks
+%AP\4)-pgY:=WUZX/)5]a7&]g]+Ah5A`I4l8`scZ*Co&^MZ1)-ZFU@>uJgd"'Z9m0M82#$_3n"@u[r8/IRpup@C"=+!PelLQ`g1_E
+%2T0iF^lrDYUUe.T:sMBb)GFTJO&1GY.Fa'^=LUPJ8arUQRdOE,P=dqoBZ1`#EsNN0?B@K?P7k1DLS<\XUu6pT:[t5/f80>b$Ag00
+%N.*/fXb+beg/i&e1XYEiQ%EcqDCB.pGu`PqgiFkNJ$7r8=LXR<A<Z-Bo+S,?9a1\2XX[F7\@bFOG23=@PPC@t?AF8-0'mM@m>aS$
+%DI>Y83-<)XL8RG_>EBE*=qk?L/e@'[>F;Nk(-AWM/L1,?]%'NNC^p"KkV9p[12(WO"K:`$9IFeP8Kb;#2f^LoWkVL`<_F*c=K))-
+%(ZHD34i`(TSFDgWV0^X^P+ie[`,(o^L+E&[KZ)I0&Xk9(=;+:EclUX)NH5KRL9Zk%H#;Zkb-p'4LkrFm`'s,WLdkO(TBi2L%B+T5
+%Ket$U<b469RI,U%M'FX'!KE'[+Q6U.FI!Aj(Fnj"""FVg&;63RAfS)0@!ad_ZBU0Tf[OHg#BJm2JG*Jh`Y%DKhOItGEG>_n"%n?<
+%m+WYQ$$s3S"IQ&E+>QFG!3L=jHM#KTJ$;@TXj.Fu@kuD]`a@q6:%k8]eJ/gjc&F>&X'&/a"9s*e,nXklM;KAd+(;K/oImdbnXdr.
+%74<sUTsHW:/tNFJKZTo1"sF:h%6/XmL#2>m(L&Sf@673WcIIWN1C%RgPpm"XL>j6]nrf=qX'&?3lTn]@5F0R<NKP>M:X<#/g9Z`L
+%W)6RACfSB@ff;?,eRC=&iTr9,`dli46'Q@``ENF%_G3RP%Ohc7hpm\kg'6&g]rkX,lnGm/D.on^_dJ?JTas3@`<0:[/JiPjWamK7
+%&1@p,No<UhE%Qh,p#((O&E6nrQWfqr34\ct=LOYu8rnjKJoN_*Zkl$Jn,ah?PB7s\ILIO2Tl1mo:?D"OTCaZQ$ssc44')su37U=d
+%SgEMJ1,)/#BJ!@2icgZJ]^Y*`H]<`BFjdX]eFR[p?>,+Xh8N^;p/`_E:a/]K^(JKB)]gp'4)R!k<V8f!h1W8h>G[Ya%U^b8-NL<#
+%DWWfD3jJFfR0uX%F`9@*q3aedf2K-@W8snlQ5$1To_-_I3]qFE5<kbj9sr"?`TDeajs;AN!\/91/^M'#`OHLc%poH>.*>Z=6u\c\
+%akR/Y0B\7l[Nsd'nK"I!njtfn=Z?R5hGf]]_'OoK*+$HWErTm?RSVkBjg`@*HBkcmPP^nM(`nG[cS59klM2Z6Xq7gAnZmG8P[k`U
+%C/B.c.<3-r46B8b,p0DQ%8[/Kiamf17K`VRJuPKc!m_,e(mBhRn]i$YdOH/c`>9eZk#;^U=D1A?7XjUDS$S&9iGO:>/^e??W-%_7
+%1\-?fI57ppllY`4S*;XN)hNaLG>Rfuo[c2$L63dgIYY:[DUNV]fP-Op$%h9KOKb2(D1t,b)LT%V7+_PTE`X7C`0n?%N!7NNV2[\K
+%keO9<=9UT1OIBd18Mn6N/*R&i\sUu^:+p+DF(2II'1s-2MdjsXIOf9;$>aCNa)`#gdN?qT;5&hd]`d\f=edma!H2He)f"ngFe$X9
+%JPM=[.)]SS8qj:o3=LjEiR+[21XY:3D'`Ygg4tFj#<sal1!SCEj/I="1^b^pb,9FVjauSI0&fePnaTKOQfk>6",s%=%ArbJ,kTFr
+%6%@,o?LUk`i]Pg9-q=N7`<e\`%JLHt'<)o-"RD9m0'GS.Qpu3t$<8C(O&""@&IR6.c.P;!@-J5ff1\l4,]l6.ge8hD<9t;nJXoUM
+%lND1Pk6i"oLNp8`W0t.+l=)9d4[8fp1e&_IcH^!EXeT1Ii+u&OQn%c&k0?i5#ITKJV)DIA+%1OGUg2N?cj-Mj1I46^oo=ht#t.1D
+%ju0LK//BId930DK-:'I`9FAr$hU>*5gae.L/YL*(:_bT$b8:O+67#VCJ:!?T52"eFb(Nfg6'YP:bNoJ_@iKA-n<G@fe4SG1(I-Q6
+%^]L.'r87]O3ZDP&("'M9Sg>(UC+.\T`s#$#U3<;^7T?EodR#F`gc%L*&Keu!C[)rG-M>k`$PWp<Bg&^F6Oh9DC++LG&Rd$A&7MjM
+%)iC,*"#pQ(Cr%BgA(W3BjsSNF/gc,6GpF691Rurj@ctkO.W9cTk!0?pr^[L^QVheF"F$mqg9O.)0g7R*g6I)]-1M8f4AV[h]d/X-
+%Q$ZLHWI]pu"?-koGKg@rk.a]DnYRa#m1nXJY`O@@&PO'\<=2Ra"(f1Hd\161)1('L#=e*I@/b^64!:AEMem;`[Oac?RM+W$>ffnh
+%(0qd>^W.6^]/o^cN"r/sW6e1k%l\g0:A*aa,2a,rc\"OZKsno0Du;a7(_lY+gn6<B@]SdAajBp6!Zr<e6!\8":=MOL\9f/%;NP!H
+%"XK(^=+K-r1qar2<c5oKbk,Gj^a*UE2n75e)38s3SWJ_5[4WNu!rh8ln6@e;OS`cVqO%hF=Fn`gO/-3!^u/QhmFnC.Yi0Z=7@8ZS
+%4E_'t-3iT6/V4jccp5"sN5fbG=-BE#9&>4O:6REcB![8(n!8V=<'eg\,dMZkdQ,0D.B`;0`QgU%\X9D,gW&#lo%<qXl(E#EE"W"[
+%r.>07Wl\:%#))NV8>E<,XR<.39gTB_@"hXkf)^:VJmY0:pqMo-d<mZC_<_)o_dR^,3FkgP&.V#1W&Zo#2!D:G;s4=[M97uE"Rp3G
+%OBU$qF3IX;F,1%Z,g+b9^gpW?H)d&9KH)CGkgD4k))c79MlUeDYbP*U#`pGV$>4o4)Gpi6+_`q<[Y\E("^3CfEh!kclMjk'hPWr!
+%0`e]64;;*741)%NEsil5.a"@9T0UUOESs==eH+/'JJ(-8,,4@9+MN0.Q1^g\I7'?8(Db$ML_Hi_1]>"<N>->%_ASXt=0eN<K5'_P
+%J]M"Ns7oC@3`jjZ8;e<EM/bi,-U(LNHd"*kqD-A>:qP&CWN>/$(4@]4O>\j,7V(SO"6,"HOSJ]braK9u"/2QaY?>`,Amh:AW9bP%
+%-/pGM1,KXZc^0UsZ+5"Uq"p?W&HY=KTR?*?k=(udp00QhU,,c6"n5W-0Lk+);/'d'7Bj6h)R+TVIQb)iV.0W7-<,3?1is2lMg/[!
+%CH8.\?5WHrYeQs"Eja>GBndlC#ce9O:8EF5c":Dn'&euUXrAu+_?5!D4'AB4YQ.XBn6=V+$NjL,I\_UOirK[2b_pu].sB?W[R7Vk
+%A.r$iYS[II`DiSdILDT=Ul8mK5j%_^$?[LUk%4ubeN2(L#,og@-,'fr_@H>'g&]2N[A?k=Zfnd%%'"hSAS'VQEu$-cYZD4Z.eb"_
+%=>[?&_^\PP7TR@J(K(dlA.O;p.'Y?$,;!]IAg6\2,W$W-+0-9Z;522d<"(>"Cqk!#%a[t>FA9V3+d0IiTQPf(Ke"IXjeG^B"/;E>
+%UXU]"@pQl^E#VUoC6&IKqSR`l&W.sn,o.g6BO-@Hg<e4IRF14"UEpo.b*p?s7`f^M/Q15o88)*=X(*0p1Ml?-Lu&!5iJr^%9tI9-
+%Ql9X_f'`/1cBTfsnO,?@6e-Ojl79G'kL!.Tm($Uc#gmJM`U44D+.sZS(p>YrUd,Z:>S>?[\u^n7:$HJ.,E.RAWYT.fiW2AJN3(j4
+%%bOTSN1i\hV8MjT!,iPAZ@VgTcbr&/dob/>6WL1^+`8#J'Cs#g_*ZN+=.j-eH),?dZqA]hKOe+0F;)/;,GG_F[gpD*Dke,KSQ,1r
+%S+T6m(P[c3P&(a6TW0qbeun.F$cY<oK;n%_gd&?UE#gQHGpDrnk^!gV"CS)8h$,!+of^T8#bDCQZ4=iO-j!MKp@Tg^=;_j:q<4UE
+%/r;I,Oc1'3KUO3N/4."`?;X4_AG0$%L)LZ-"t]OE&%$-LQQ"9ePGoc6O5ikbhu[':FE@H+9`,s$^pWi=dKc]+JR7TK2Rld^iP2G^
+%?4Fi].<d\rTC(B<#N++DBNKoMT=_./&&2EJfL!*CSU[a\Qp%+eN+!-)esRE8L%E1"B!R3U?@FVH6u>E9FIcgho'X1hna%l?!6#=n
+%D#hVN6j=p,XnCn?D7e9"%YlL9TtiGk$tW2&K2TiWO;AIt!fUe%=0%2Lq[DJaSTaZ2M7D=AA):$AMoiate@K?H-.+J#0X$n=L%Nb"
+%]Uf^<Q3cbXFoc"P8mEpM-CG0o1#+p:c:]ufO)?b\Rp&QHC2huENSs&J-@Rr>K?(k5/[Wl^iN-'17pb?)AJ/#mSK-URDf[=fBR_QY
+%hb8_K:@o*kBn0lfnEL#\I!Q#0J\5`*8W4s0?k,XPH-J`:#<"hR>+>c0UI9ma!,VOK>_,l%eFk/(F^dR2kS>!7i<H6(BXA^WCW[:u
+%^\[G`4e0G'A6?p@Ho+o'A$oF[.?gK9+m7B%7Np"k9_(YE"(d>0/65jQEL8"2GS+\)m^<7uAg<%A+/ROcd,GgXl#,Ege_$Nge:7af
+%gNqPgYZ7t>m+!dY>3aUHDDa+C$/HB?!d^,Hl:1+m6ZnRE.Bk`[/JXW%#aX+qME;DTZg^-$hp[:7;p+p#,-7*K#%p0j!"$+mSY`V_
+%T:U846@,qEjCs1TJJaFp>D!2cKW&f_NJs7,YZS*%AS[,a-X-MG0juidTSHJ%.:^,"A="K.8*ik`^=6hL0ML,9(R<UX,$koLRKXJf
+%94U_M"`XY;+P7[RK&K2j*^a#'_:f"9V1l#PKk3_aQI:i=Gh]6c8kSM((7/,76NY+C/]u1gj)4,A&n*8(\RD=cB$!.AeL2A8-_URj
+%HQaSm.5!J;1]Y$fP_q<gjA`COoNkU2a+>3AC_0ac/7i!m.gq[P'APjCe9E1[LbP=;BU$\pac<X[:T;F1-3I3;MnHj7QTA3cSoYR7
+%Oa8:rPGU.0?d9N&auIE5,DNbk=M+KV>eJip5Fc!oYd.DV-V"P/*YX!-PEo;fVB("0V1goi_g.&Fdc9>pU??N)"\c1p>?VoH.DH5d
+%T*$:>N2W(S%H_o*YPr'[J/i%Jg?6;f<L2IB@a1s3MdT'GQKGS/<%#RG,_4mAYf>Vs#4h$<AhYISSY<fR2S&>P9T)'L\N/)'s/cEZ
+%VInt1l1g-K7WIage<u@/a_1(hor>\=:/)]HD*T3Lm+mMs_P3HS?m;=`bq,KO1PhsPDS?sH@)p*m@sQ>Ci_gBDJSQKU:`Vm=<M@B7
+%%=gml[V/;%e83)r[DSY$T1"7)N4ZFLBNkQCBi4@`/C7F:=:dWTU:Ir_(S<2I%h=FT[r.)%Dq#IRoYSOiaORqs>ol-+I#@&]WY*HJ
+%Ak1H\rB\95Br6@caFL!`VECk1/?2uq4Y>T:=g&KI[T##Y66P5Dg$qj_'hE-f/6C2\bA0!IC^<ZnaIImGQG@2W\%19((32$9QlCQ`
+%`L_7],:rNo8u-256"1n%+?0b&2mSb=>d+/f,7si`:`@XfFum&k[,#P+Zttd1P_1)l6PUs?^^'e#p[EX;DN@8^h<B)"a_?Dn!;iBV
+%Qjq:pLGDDjXT>iCR3W.JZOeaph(5EqO(\M_*!M<ugea7D4lS7u3@nj[ke/mYd?4gi81kGu\t^1JD%DU,j;F9@7mbs5`_KflKq2$l
+%S]!>_"#.imY;j12^]H;&Ajo)tfPY<O\+"Apm4;I:BQ[^;p6Lm"X],H[]@M4NreRqe_7VAbe7MTTbPS\,"S$u1$'/b4Sfu!;J<?k>
+%3d@8+gd$2@A6C;fXWsrlFuef,+i7T=8C$FBk!leqHHc_,MP4E\^ck%'T0YZ`*l7,hK7:rl,VTI<QufaBhM,"/_gn&%62P2J(0<0>
+%E&2iK2UI;D<LCI'[%tRO`)\$+O+f8OfV3r!`Y$@*k(g=D2+q+0W$k`%F3)LY-(bP^eX)S9^UG]\1<j<picm/A][]Rr,IBe.[O%\Z
+%%H'b0D(T+LLaA[o+4`jf/qTp10C*I;@nQ><P\;fSL'4;jkD=aif>+Z!1t@fl:P9c4=JG<Xd+n^e+tMHb+@)<Q^7<oKCS!#IH1N\V
+%`BR-kf!J,Nf/Z.%W"o@ZEQ%IjPOUt&#opOA9273[`Ig=8I2Np:N#hYTqNZkCgfMrFQ,&$jZYPt+=>(f*>G2u#QOD@'Y-CTS1\s8%
+%X(VIqk'l[(N.09,f84>\h5:b>_5=kg/"8JM'>4PopZ/W9G@#^bJ3@E6I5r/6f5QgGk'3rr3-#m$4PZ.k3L5Kt,Lj(EJ#U$;KU7/i
+%;_ii<eem\1F/r,_&RjJ`_/nq2Q;tpfJ?E=2Og?@mkYjsh()J6%qebQ,CGLSk$@.jinh-L.N0\mcihY.WAt#?42%hlm.B-6f9WJ)%
+%TURqo=GnJV-RBMe3^4OB:SrM<M%b$%j@.IJ3\,GH]Jufo?j)ft#5J`Ff$](LP1&::!)[#I[=QuYPPLV?5te)s&8@X=;6uo<:V#0t
+%?iio=B!T^H^tj+L-H(a5ZP7r6Dr)oZ;6(S#+G.5%)U:/k5Y`Sr0K#YA^/1d^hTo)bl0UoN'@[UUP=m4DiBsZM0Bqr17>g0HaqR5q
+%(g/D&C>h]8Q;Ek_)"fX/Tp&`i,1O1p/Kl.B.&Eb^/"%Ke(q2kqXN=Bna9Oe)Vd"gNh6gRo1m"Qp!<&(,'?Zj.Rg^T4AIVnaA0\jr
+%:a2dc^P>6Ukc^Lo!C2iAZp$&^LigWNGoq`p72f9?V$L1Y^<Ch:/-VfE7E>b',kWYT3Z^mOlRPT*0n(_T2iD%A3,>TP4[XKZWX@ee
+%G#>maY:JDL*d%"Z"O7uZeWukYf+#f9qPAdEB9sAcCboQu%lb<CS@h"#H8/GT]&^:VO?SLQB9W:ZFq+p>%M19.0(_sM_"p=8.4X-K
+%Mopm_V%L\!TP&-PbpjoiIOYHTbRPFG&<34'<i6;'8k,\h(^W"8+#=Oe$83Y9QU'"OeY8#EPd)io.m#?R%-`LdGQeWd>e=J-pVI8@
+%8@t2&#,Apl)eV*s5,g(i/JURI[`Bg(MsG=ol;EB3e\@a*e7L>\/oKf@6Zrp(%k0c/!#e8\mfir_1TKZ5[t=dR]M`0H`"#\QQXYE<
+%N@L(/Z_o5uX_$T1W>PjMQks@fAcZ[]^`-A(>cYOB9>d,=RMls&YS#NM(hcs$K>17Iqui<WT0P.dk2ZpgCpKSDZq07$EGDA_7ZGAf
+%I5^3m>D1)S9]dn$E[_mncJW/XR[%S<R>[dd99Mm_PM"JI<7@OmLbWQbp]eE0V.%q$(cD<p?Y;XKXjA8_1Q9WEXj',RAc3dP"fUpq
+%/C6Q17MN\)iTI'JfTa_Wot#N@2-.o+W3RlUK7e1.JD5+&bh>+1[N1S=oke^.Zjf@XeXSOgP_#)OD=/9AD9tp0K--;XO(i8e92uK7
+%L*Xf($_C.Kf")IUoijLlc"JMg5[-[EZ9>)<k,+itU1ukF</Lr[Z:IT[*<6DP"at-N8A74AA[,dU0=<:9#b(o#bmL[,mn;,,88>ba
+%U"B!(3(0j9q[I!s"cC0O\7IcW!#/;H2<@0Kk/jS9WX#sY5C&gDQZ?_+G9tbuJr%9%-]<Cc`)N<\S%8s-Pb\Jo(,BsA.\T!fFLV0N
+%^R_&SW%1RWng;iDoQ&s^G,DR7&PhFOUtuN^R_hLlJXA-q8URO;=X7!'"`V(Nemub!7QNsG$glZ*nL7&2NXM^a>@*?t@%oSen"soH
+%q^pMOA-o*Uha`Sjc7JMP;8E-h*,jJ'G83S8=_.R?8`JpYl\]a+8;)4r.!QcpJsH7`aDVC`+b(Fn%]$hp99*T]WE5PBJpC;'_.6.6
+%qmXarmIZ`O:E8Oei7^J!31C,s)(<U%Vt9AgFso+CD>"@KL)e)^+\33^KZFNP`dYs7m-nhPrbIKb4-T0Whqq]=nb2PMc/nV*:JXF'
+%"P_+Lq!@b4d_C#Ss7F:&s5g_VYBi!srR1]:jI\X5j^3K2iqGAb0D^1tr+d)I_oXRHGgkFBlcIKQIeE!;s4]"$0B29rLQc(m2ZD=C
+%S\9?ms6NO1q6/Cgmf)79n%[t6qrP#!DpQ/TrR$Nf]tOC0mAl02o8B7!Va$gRrVW/.="eJFY5-t)F*[cIo&ff8G.2tL_E7Yfo/HE'
+%_"nmsYWa['lFZ*MnuK6</md">r?&,[`Ah`g?GCp]jrku&`Yd([];,/dm.J>9D_M+eD4g1`mi)[tY&7`'45IV4VX(]mIlMq!p,DjE
+%h#e#=(sTA(GDGbcc/kGdDuOkSlMe%nhgE6^Ddu=^3rY%]IJSkmg["[[e[IK@0AgU:o")KJD]-:!H$amenLq@ahgTWl^5]P1]\_IF
+%Qe-"7ItJORGP5qSDn`op4aV6khp]0N>X.`ik5O4Y'HXq2n%Z2Y[Z)`g];>Q,U%J9O]062^o&Z@KCY!h#h,aBUh7Yn)D_<[BqTZ_-
+%bB=)@rpJQO0CKjrYQ"4<?bQ=0S$OdH2TA$Grl)ZDq"O*t2toN+2dcOH`VH!1hn6XOfg#?+c.Wd+M8s^N"Rj"]IefIkY>7>H)GEB*
+%_=[Ef=]Z_QrVksMp!I=(QH?LrMrt>NR*ml^F0q<p(=S??8foX^UW)l>Vr25C]s%DW/LIcj2Y,?>/Z&t\9`K/,p@[apZg1u5HM^Y=
+%pnKM<LKPO&XnR8XQGu:7-U+`g(s'GRo_QhUhd$*Hnr3SI"0jKHG55"Hp`I6LqXqgU)fNVaieI@1Nar$=*/s8)mJR^gnm3&Q,Nn"H
+%SdP>b?6+,<?2sdH&+17k?C\cYFa!Y6[&2^WTDV:Zj3?]YRhlU^1#L1AEUT2Vm@(5"gK=Bo>>D)A1S*DZT)Rp0cA1d\rVufb#5c:Z
+%Y1NXMro*7uB?+*>#LMMFIs#ZLig&AlVrp"BDJoL=]5Q96P!?KPa5,Vje(`W\cd"2X3'Y$)BH'6$h<jdYE:aV:kJ)LnF+&',!,'8?
+%`jF@dn[P1J>eb`/p4.."CKPYe59@<5-ZgeUC(O0u9Pi'KnEC'(5.X,[lLN1AcRr:;i=G!KIk4I;NSR?*51aGVQZ'UK\p1QH`E8`#
+%j`pc?c+u,)iO1H@lKD!pfCYf^FkuM/4anM7+*D\'lh;IZX`Q]gnh'ap`U.#^MK`n+X7UmZnHHW+h:\6LrUR3*NXpO:\#$c#@.k-0
+%N?86HEuMK=Ed32:G;FYs,"s>#V>l=dA2Z6""(3n!^A-I%X"V1IH[55=[aGOI4?UaSDJm5fk2t4=?gkUQ2Ja1J`4,:L6V/>69>8&d
+%FgdRF_jVTkrsc<"A_=oXh4D<mI![O=c9L&SFu?l.3%akL\<&V#7Xs]W[$CUiM-iUhfgVOq2>!T[$,>2M?Mn>!`\tCmL^`'gDDs?D
+%qZlkEr8[$B:k[^jo"6#"M78^@r7+iNrZ<>FGU$_oJb"UUJu8D>o8"LahJMB%GfkZJOV;c=%rV-hps%pdDdT'+?X-lA^\Q^=[p+5?
+%*dHSF7;4]#hgWqas*c*3B"%_'#35etG9]1^?Wm@,q);s<f,(X)\9N.9rW&_n=5+S5I^aO<A<._]^MRI_qq^+S[3("]hT0#M%1)\Q
+%Sr2\6X8h!Ys6.0Vk@P0^X*=79__E`$@\H!]WS>K;G`nf1Oh'A!/@YfVg'd<Os51rTJ,28,\W(T<<0+ViIU\%^jc?$>?XBirhV[W&
+%q=WjM=8.&L/h[-9,JFuYn(kCZO+,D<^'C6WJ+in<4J\P9n*Jf`S#[&&XsmYig\j&i+,Jg.3kF>c^A")kH!\*cIql1VgHE6VX)dC<
+%]=A^kq=@[Sf,&'=6%7+-hDsKVkARQ\^*@a1E-tr0jITQKH"Sre?XCIWr7enp\\2AmbXR=sS_hgihjiNZO$n<eh:_NA3@rbC*ToAH
+%d(!.Sg;k,<ZgT9HrMto_fh]%5[\Blg`R<D[h!\GcO'u&BLr/]hZRVMaA-kFc(rTIPr^ef"[Z/!C@1XA[KW"\scSlIS3`_ml]ZhDc
+%nK!/l)gsW9o&OZK]RRLXM"?To=.ZG\D0Yg4%trTZp4!D\@OjP'#_Z:tf#IoHfSFfm"@Bcq,ri]MfSFnCa\U_n0&3?QH5i:L*t/G6
+%O$JN'C:"p7]:XJp[rPH>Em-HtpRcaGilH?:"MU_WCu-PAp4k`uRgEAL@e7;_eq1g0$9p*$i;neM>N(9^8e$W:FT%'/@X]h+s/GUI
+%4hnOQp$3'<J<(H?Nf7[:pcJ:;n8EeM9Ks&_bLq\1m"&\-O5H97\UT+HX81jHVW(/2GeB]0(R0oTCh"#\\=b`8'up^IGX3?t6!`:&
+%XEo7XW;C9R>/P^#TDk5oo;FkoYG^FR['f46,<E^HY,@9'`.rY%D&q3sR*bIpYQ9dl:&d1CA%AUHDIcq2-fk5uOLgFRYdG.MO_OVF
+%:WNc9drTkUFgF[jYlU;bLI!WmM>o]J';,1%Fsm6<54AO-s520"5FcP"E&6eMaXfic^]/.n3jqFBoDg'T^D14:".4%6InO$+gDIqm
+%$0U`qG%AHM1?"24?q`P(fAbPCZT#Y0s5(?"IX1JVjn3rmo:LD!XQ,oqV#RL?e=cbr9@c7V@q[[AE#?<=,IYr"q#9G8=5VlI?GE$p
+%J2;V6+oL<d7OfBBR;ut&a5SO>kaRN[m,b!,2#OVi>jjE@n`_+]NFYpM3>HIRGLQX@HrJ2.PL'!VmH'gUXtJRIjf2LBEW4Qn87FKA
+%[P7dIkYBa]:@72Tme=<,L?-ujDC9RKVsF'uj/mDd4Ru3.-DNaN)0L;0kVa+I*Y\tYj5o/O?N'EEg%SikAM-4H7&BjuX[b6\id>s5
+%2tFO2qL"6(rd]4MV\?>rbtKk8i'-&F`]cj@pGAqQ">,Z,3f[([+*fid.-8Q*9)56aa>$;tNHI3M.C[\$:HV8FS'/"MIf'!$"jr8#
+%@2quaS!m-m"T&,WeZ52.56's9`PqN5rFB5^hVYEX^YXA;\'(7B(N2LP]m0AKc0a3WWe9fYZ]/;UG!A,;innS]lX0hZ=O?PN+<:oe
+%UOdMDOPYnHoUF%<P1OVY4FgQ%]dP]RYPKn77&_aWnUW;R]Q7`acfN^3#>bu?N=<c%qa79K4j<&:.4Y<Tk2N-=nD.mKDJBI^-L]^D
+%YP[AZ`C$YQCkN)hDO5R3AXVrK2qNF%Iit,<]jC0l2Z;PrBSeW&TK><N4.$9+?TSJW2?pSDo1,bc?[R3?hR2k-UUT@6osUf;7D(5;
+%H=<_pdG&^6[N)t4HQ2A9D0bTf3I4n)No$(s\)gHoc2BQZX*8[a]j$.[B@2(<D;VP'kd?j-S&qQ((`c),n[J9(^u9l>o?Vpd[OYbs
+%n@3:G9RH^ZO6aWRUlF.Qqu&^srR*:GD%,_QhoeNO[JSA,c'oZn-_I\k9Z_eAL\oW`Rm3KMY.cV4aN<9a;8j3op9k$Ga&N!(jKh&o
+%'n7Iu\>Q.^De7LlOG^f<Y!4fZs!)j52R;kFqNu-c8Uf)L[R!Xbpm,dZC-'ecHm!@\<k<aUQ2(`"AN'7.IMA#%CFAJ^#MP3&1+,Ra
+%R31qd4/Q_1_fj\*F*Mm?O%FHMaSgBLU@TJ@rqc<,-D;Uo3taL-Ilc/i(G@_SY<Ku$r6+tpA8\6`)g-8#lYB\?k.:QdUFl#rgCd`(
+%2'-.)HrTF9fsoZ>C"Ie'c.U:0muBN(5MhcNN4Pc)FL6[\G0kC>?6AR-c"T#,VB+0pdIjEi6!NUMd1/4k5t="MdnB0Om%A]DhG^%r
+%[Z(UK]6j"[HFMAt^[Lmp]??NO8/=j9,Q66^hAsKm(D"TEr4.km)$Kg5M^NiQ2A2T@H3-"g$2E!(gTTJJ]!u'@Va&V3%/8f5kuJio
+%61WRZl\jZW?MsQP^(8edeh&V<I!p?_FY=HtfgaC<V6b@NnE/m4mVdbAS%?1@4PnDZE28!Z6&0HUJ%9q!*pI$\6Md$EJ3;r@)M3))
+%h:(oemFh<)ZWFoV\_KfSS@/-*\+9>a9Sfqmq'#%Hp@Ns-?JcdOp"QN3o\K,Jqn\t1@9$G'GW14rq<%UE5@)"7Ik]J5?gu+j(t+t8
+%5;mP%^6SKjIU^g?Y(NhrGOZM4_Z.74m(`kmRB=^1Omlcu6[1<D_rE]9KD^LCc8Lk^Gk<&+lJBE#78&,OhZuC_*M#[*NA:>R>.XU@
+%eF\aY.6`24rR9.0[r^JgqVk#K0A_1gs(iWQn9DUb<dOa5["[7,rsqD"Ch=4`TIjbeprbP'NMFa?[$a+*S*=F?ChuUuqE_3[NMNcW
+%5Xs3l7WUDTN^hLFBNc@od:bQZ9h1uCBJ^`G1i:1iHSh0LBJ^_Cepe$:irdS'HecTHSV7oFRsmcBrC.3kA&A3,;J/56K_tYmp!(*l
+%dsF=48)glb&dJ:-e]l?eqeF%Cc\@<HY?X*^UJ83RK[FT5rV]_%^SX.>Fk?WWX&irss7Q2ELi0pi42617rBG/=0rr4fGW^GIjt"-A
+%,P)U.k#U*o,P,M2mN-i%C]Vj@['^q_s8S).-$u>N0Rn*r`CEgLHRi5)a1C"hDT""#T'L94Wo2g5Bj,Fi#mP_P,Dq4oj@m7fB"6.[
+%K1fuu@mk[W*[,PF<nDa="1ltA]7YB6Q147Vfh>TI6$:&Zd#**=($dOgCE$L:W*p](//Wk@.u!dRC0;XHP(Gjgc[Yugk5+'<>09>&
+%N;\3da7Y!t?i/YCC+LH\p\LYqRl<9f,6i@E?L(DQE,Ve9qT"R']Dl\cbKG%0#/?^ll;+>_^Ce0K.Fm@c1@&q`lh;IZX`XNHe_lL,
+%fgai(D2mOHce&F:mGh-RR@EFI:YAd[re.1c/$JFUT!GJ?rNT/OYmAqp16]2*M0mD1J%4gK`TR9jLsRBtmmp9\-%_;,=(;nIoqQ1m
+%4uR<!Xi.V2I\)_#3$gfMVj,$M^H:a'h3WW!ft7%E?+p8GDW-*04a?pcYl,n$iVQEhefL$'k6?.grYtUMl2N^=09^3^O;QE@:B&:"
+%Gd'>Hk-+j;L'BCu(EJ>75+n\@LQ.c":H]iT)p/'c\N^,pF<d*n;_mi<2fbi=SV$kR7)!=?F9;HK)1',sT&YfE\k`Z_D=qfFFFdU;
+%LH<%0jVpdSIHiQEhM$*>6L2*Yf'ra*QJXt0V#T]Qm/$D,mt#*>[r8Irs)!\Wo-'^&2eQK7jjb80R^d]oIZSn$S8?-=I&G;OUK-S@
+%l!KH4l$`#rBD'36Ch+drmA4/3pX4EG9E%;kQ@;5%n1X`srpAh77TT8Y1AF$rmt!Hc5Q'oU]n:;iP1R\d>!>sT_%BK<"<?/309mUd
+%c1^o_Q5B-oY?l'U*p1Z=LRjA#iu<Ft2'X/LEb%7[Iq$ff]TrI<;KQG*K/fOfaT&ubH26(HZ`Ulta,2)hT7?R@?i@$L?iKZi9<10A
+%U.g_'It)P<a$(^0J2e;6Y:om$H+j-2c[Pnr[_`"9`V3G@h7W$RI=(\<`U!Ql6iYB$r2TeC?bZF(D?#+bn<nWhU/*0)=n]8qs/5Pi
+%M7)E.s8$O9'E.%irdXjLrZD0n7GjZ3PM_r/TE"4P?;a/jp=X.s;gF[-S5*7-oO"_k>]oStH<\j_83B%N0qOKN5AR55ObK/8$fa&3
+%@O>N1k,4SASnkZ]b)sX<=e4i"6GiN!(29Fc\$pMN+8fu(eg3o%FYO+!Z'oHlI^S7*r`JcG^T>b%%?Z-Vl@7qDBqY)IW;LAu5Y,#r
+%/L>[Z1mT+P(nR#Rb/q2;2W`N)c-u;9pQ9H.q\QrT,jZO"26bFlb>VeWI9(B\IVGH.JnloTI8t%5#$`[Br0WB8-N!_IYGm*(s3/*J
+%Zfk'?<M4Mfp[l-0cU,_WI7SK^(nOGRdM-pZP:Xo8T1un)/b-buS$$>e6`?99[^G@&$B@1`T/iM[J)6\JDMh#7.eOP>RI*3R;fD]^
+%r,&'<l?F,WB=1JH"0U140_d>9""o<N4n*@+,l0]n:eC$NiWT7c4u"A&+uAO4m;;6]#qF.tY0oT$isEGW\8P]',/Se$ZA^>*YP)TJ
+%b7Lq@I$!`>V;`&%>_lD4gqGHHhI$mY7fs4Li3KZn+to?WI?iq!En'NSOQQgO%:3)@c]?:E?\jlOr`CXV(8Bp))7/alP%E\IBh/OT
+%F0T+jHq[7pdmVB+XprlEKsG^qTuE(h'Tu.-haHR:3F=?(l_4j\D%l"n/\ZAR9&IiSXnH$d*T-*ImG#$00>3okO`0LR:4@,uG?.D(
+%ZA*#69gNr:ErDg);V'LTo2R-#Y:C7:B>12d/!312@C(kDaBce9;6sP[I2BH<)lgB9VPl`1>[LiEM4.tJH;Znu^KPUU]$T']Zj0NP
+%p!/S^l#EPs]:7D8o<bH?G'WQCPZl^&&\Zl?)g?RRq?ZqgipWJF5$_$@[60XaH<.qJA`H7NXaYK[*q0-ZYIKeTF?c+7.")V$.EW!a
+%f!jt1MQ8@VR3pdb,RQDeYklil9K]X,Uos2:Ph`n:ol]Km]_3l:XS6T3ae\n#;judh8c=b7htQBV;4jc;[h\pDJ"F;83DH(G?H#73
+%-o]5smuk]XQ=:YB^H-WIas8Pj06c(P^"`5h"C6U3cZe9)rZU+_G@-ZMZ`;4JmOQe:C#U4A^/o_TqRo^KhmUtBM_"Y6o!'NM^M5R]
+%Td7+hr^,"(qT$)$rr3EbeA$+4Z1pg>?0/_\IB#UC=a!`5A9N?^A'b#f>K#]Rhj#T1jAX&=oW95$(/u`UX1A[+s+7CF(:qV/YC.M$
+%Y<$I<<"1lmI;eEcom_J-df)k%.`'r3b/@r=(HF3*EDEZuhQL+hDNU*OSitt<.>N&(dIB5lVbKr^QggWZ-9IULjBMUgV^jV"rSFS;
+%n\"K?8CPL%kVn7qIF4bN7ZVZ<D+!'8TAE8.5b7]56iYIt?-W<`R;s'O^W:/l,0X?CO_G,D?8=[,FL`)G:*KB3,__s'ZhLYr!S?3N
+%q'j%k\-LFUVlFb>F<0rQ;HIs,iXW?P.ot3sc2!<!9S@eMEsHaSNK;krn*c3K+8q:eaIV]WG>07Ec;0YU#-ncL^&!b)oErs\@a8,;
+%NZ?L&O+o02=4:C,W7?@$.qtljX/EhtK^Pp5[MJP@o&E+IcnUfp`I#0,EpnpU)IC;[_T'Y]efWEX<;?e\g*3jL8lb.<7OG`S,l1W)
+%U>f9K[rugm?d^Bep-DWmYFiI;H@\"ieM#d-^3`PT_Sf&[(Y2/10:L0U\%2mlnQZeNmsa$[O2AA5-H/tkOG0dnXo2h\MfL8lWF$`p
+%\k4'@j0b_e$eko.J!T:uA'RN?488WG\175VN0A.^9M\G_bopc8EdpJfGLB?/T'&2ag5;'A2e8O>Cp'Mt]i4%("RJiDnP*r@hGMk%
+%pfaLum5^a[-Q6AWaeA5=jKuE_?(Wg]s1<L_6$;3e$ElbqI4,M<P$Qirec)$'rPgeA\P?.S.$OR.TSl:"6"Sl5]%'tt3#erRd/6=1
+%pLG*7HSq-8ids[j?KmDgkmL+1TWca0.(d"Hf2L>tQ>Efc71m+[&m<it=)`JNQL&3nY&?JR[mQ;D]MGiBEQ.4^^e0#X;r3ppM&oE?
+%)H38GrirH[d&p&>k-ahG?stbD+NP!D(*5V;<SIu]#14L9<`brlm6B)=Pk.=JUYdKTZ$p]e+4R>Q"P+tK<gtIb]Ace$F-*mr$<XPg
+%Ac9'p'"SOcBMBbj:\DPc):$.mr@n+\qcI[\rgqX+1Nn-ZK=:(h+o%VW6$@.68sFJVN@H9cS+nb5AV,K`mrgl8Hp26^T7=:"k0s6;
+%8)-%2o2/6&(`ZlpWX%i9<N=n1oSu(9$VPUBZ;[4).=HPsRe2bQ`BtOqH."46GI?(JFRJ5\mG_Bt!St10N,fcHORG7C3ZQqhD+fAu
+%7GQCem7M`arS8PFNt1f[2XqK)@AGtaB!sXfq;1@;Ib1l_DN7]lWU.N#j/=V=<tXQ^me9%ED5/U(GZ2\ZMSA;`rR'SLl+K]jdncRb
+%JJ;Y#)nkt#K@%)'&M9k1QC3(]"k$k\SoHr\>o7:Ri\W^boe8gTW8pP%QERiu^WWJ2^%,BUVhhSWI:R2Gf!,1/r&on7U>f/)-7<4\
+%PBg8PHlrfNFjD[5?;F)VG=\\/V5b(??(G+FJ1a7CnTgiF^5B5TkTKHbpUdp'HW<#9$Gh.eG:%Sg05X7cj1@q<-\XL6(PPX'TGJd8
+%Zej"GT?k@q-!Kco</u"a1Mn-rLgB5;Ed#F$pQd?I;AVZAgd(S=9tIQ9ao/\EA?andoHLAYP%=sra;d8a\laA/Zs::39n[gg:EaoK
+%Njg`W-IdS4U'Y&4W%UJU'@Ca_a!/84Hm-qfF^\W/;I&:?ENgRsH.(Rq?8,0A"n)Ljk"/pB$aF0eGB(db*p]<%n6:NWs/+'+I8ib&
+%@teLZ$?CXJR`o5SPLnVRM9i8b+e>>:X>R^8b2V]U7'RQ%O-9piZ=>'6a>,H^$FI<'aP-:@[GQg<2aV[ZO1dXjZt1#e\0t^g\B/\]
+%(i!$hg#[fIWj.VKKV=l<HGuh06H"-9!li3r\Uce9&E[Hj/PdD]+KF1u+-n;n;n_5>8=Ak-5$6D!T<$[K`5M,^Xf6Ws47a^6,/(H[
+%[(aQZ4l44kH;*B)jqC?FTfdl'qaksDQFW+SgaDH6[J<5Gm3c0m(9;Jl^.A,!+E%n);f^7@a`#UKGZdGRKm6s,9dk<@$ZiTX9''9C
+%[V)%:p@cf'546%u<LCJ6n._$_S%QI7rQcg1=*65K>k46&@I?$6q251F)0@UiEW(sj.$;s>S_"P#\tBB\bR@SF9d+Mt:!\SF@KLbI
+%)HFKLk[_BK73Tfms(?N'SZ=]DGeUfd\BW)jnD3_BjC%&d"]';62\2s(_\:lKni!GAM)9.kCI>G-j!)/sB&/2`I\3ZuRhIF.i1"KW
+%Ung(RA7/8OfR>,-2sH;+FYj8);7Yfjg1@P4&GNYagPt$jlGl?3I=A\_f^'@AB;(qI?CV.r+87^OqkUuMH6L[hP+BC.";9<s=-?A5
+%1OUhL$%Ps07o?L&;7_i09hEbl`/1t7cOKo-*(G8$cZRB@DS&`(o00S<hH%hLa1co2=1R$26+]m.RbiGSK3RSO%3G41Q=he-@dmXY
+%:XGoYR6I%Hf&eJP/ihWaH6EK4TOE1*-U1(hT%NE.5K*ZC"/&.OKJ@dX7s'ID0P9Lu@YP=pPPUQs33P)jrpQ5+ITqr4i`o9H\A252
+%&lYQ%gr_tlcmp<(h)21T+dh!:f-Q8/8kP_e@T(YT&IDs5,G#6)cfF_SqHD;oaDBP7h^"*JRFEb\4k%'>8T*3Hr]!sq6>dp-"2^=o
+%Du7\'fs05CqRqIB/"Rh<4eJdA/'-2`:PBW>Np[kC7HEKKigY""aGW+9(YO!Q?2R"bU5S=cLd0)1b!\,^]GH!Fhbcn(4==IJ.E_k"
+%p;og#!_n)YW\p0fG=n!l+Ps-t^eWnS?J(VpKVph(EOu$aNO%HK<P@q9`%&,!!Dc/r?*oOg1H:<h)Tm?l0.e.NUlEPZ#U(6PY9q`r
+%m?D0_Zr+nfAjAK/UdObD;HHF)#:G@6''m)X5RoNsok9AdY(jNm8-/($i$9npAdX#B[j=2X-)b/6SbPDn>_uu07-Rl^HM3n$"3qm#
+%<Sg7YHF_,=-kcb>374m2$YRABFY`fq.B"Ok]EE;tii$Z#G$u&,@Nnl_(@PKDkF+4];,g3-`D&q=m;8hV#`C`)4I`IoFY<MG/IoKH
+%6%1@GEPHLo)Bu%ZV]^E4&dWcc%HnHui`N3=ct?OojYasqq;r#6CbU0EOqYuI]eHA:D/P^5gJl*:Vesf5@miXOi7Pn=<Q2*04h_X(
+%$R17K1>GA4P+o53MT+g]hj"P,Y!^efA(EAR:k8"-%Iqg5l8'N$M<_=d:G+u^QITls:lN"?W\k^:Y2o2j^<R%N9U"io2OaVC?\?J"
+%Q-ZqDN(O/-eGWS$`CeD?k,)u`&O6su][-5P7-\HYc-,6EoUa^dWZ2m&C$b<<#pq-8UH5@0ajW7E'H#*kk-KD&%W0)57B1m]@a$-E
+%hBrS?)lI5(@M`Lkdc1tR8n$Z>+GQ_k`HmR>eW4I(`bpC-M5aoCEBWWt84/Z0!'Sl(PtJ>o]j0p"2E3NYlCW;3a?*^2V'D[%LZoQD
+%KcaT8+@PH[Q,Sslm!5A.OndJp4mKdDl-=$$X6m'L2@34%%+%;a9fBi;`(Egn[[Sn%?F&W=n23mAD*'@%nhWfh'ceclbu(!'I5@e"
+%B@(p$Y9qhri8\cs#g$@*:6rWGqn%sN9.sp0;ET[K%Z2NqWd1bZ.bCV3`R-P2_Yu<'eo"ZAmtl^G!9WC2U,G9r**'((6kU7D1dmC?
+%Yi!1K5Y<)!Aq(??Ug$sOs$!($;QG*r]U5sG43RVa@M[,T#:RLNm+9u=O<p)j=G(Dr](;t(@EtS3n+S[m?5M=EMDWN]4\?,]qL&eZ
+%;*6)8@PaZ8HOVZRB`Xc02fo,Nl`bjAog/9L:+Tko3go([*Llo3.:OdqBqN@^J&#oomN6ac;aeNXp5':1Br,d9qH:,gW4ffhNH?2m
+%5sJ$'O?JAW6LF[(`KPNk)IaMiOd\DrUpMG/8.@_%cdbUM`?dm,8FJYWi?Rg'1MLN_I'ReQ&B)@Si0Am2cslHhH-fhQY<fDECjudP
+%./WJ*rVL4lqsp)g\p\W)ch=[us763as7MFkqu8\tTq/@]*tH4N8J;=OStpF_!6d-SLI'/Fl[qH7dcEi(Aj?1`li'*_9BYa06^Vt4
+%%K\@nBat-&8J;?E`iO^r!QX9eK:l`L_#qJ_Z8ea,5SKIF+@m/)E>YV\h)bUmAkbB.MM<H!#"Ff[%t^RMM$!`l[^c2W.:(`H?rGdu
+%5sQm``'MI$C#Yi=2#6tjFIFc)+o&Ei?$:`o=#M3,5bDRe%KSdc$O>V>Uk(mpC=9sdZ"ik&!GF?l``)DBZD%hI*4b2Z$-B.uE]*ka
+%/bT_7Okb0As2X-b\X?i4\+sgYYjD>HF7%H2jkDj`ZH5<NKOs0j%R[Qo'Dm#4OWT6iP9pdTZsi6kNbXan%`5Vn'8Iac\;>jBD;<!:
+%kVbG8#N=EViu`ejP<8[RN19(;:Ihs`9(@"nRlu3r7_7Ofho!%I59,?"PO3Arh@1FlabVm&arZ4]PFjo:onH%"!;@g5H4]XA2V(1H
+%2qXN'T\m\.4:(s69fs*j#?19q$lh3G(^a$,3!]a:"$$Vn#KqT-$b-!DO%7+(=?ccr-_34&&LU9mJr,[o4pVlNCOHaHNgi!:)95Gk
+%KT5"-%RJ-,!sdfF\;A*7Emhll(ccKn0U/(Ya$D[FfiJD%jeR`g@ccZ%4:j*"V@UJc@=SS*k+mid0QVDm4<6;7S*\8,\``Zi++Tl6
+%3r<IS*8IFsT]beq*.XY;DpZrFFD.CJM.)R^h\h0O8Y<][YH)iQr'PtoS,S&SO9CB'aeU88aS)9Ld)lk#f0Kd,!+#mHaoMK(d>&6`
+%fKl:h"50)Zn8t$<2_bBfM4sf3W1C<d:p?L<rD:"pI!l"QDP"WK5jm^^6U5kbUE'?H1\9_m^cS(F"/'itJPQO.a^cFq^Vg%5!.ZG'
+%T7\82E6]I(_@u[o5qoql#O)MQ-i\,s*"Oc`!s!Vp`$(4)]VSC/jWQfA"QnYb%Y3\uc#F:S:RX6GSgQ*0"ON>Z%YEo$Z@3?U%o"#D
+%duu*g!pX2u*!"NqD7:&-KD;Er4W30DO?I=;&C@#UE!U:+B'5#d^%l%H^jGV_LVWY[KnBAQ@fIJPi=da>+:t/%E<(qnB&We5+-+g6
+%TmUh%4;l@u]ljCG:RX6KcmMO-!9o[O%Kc=V>Our=+(jL4@%X"G&\&@HHoenNYK5/nIcaRS3lDQ#SHD-+n>[N0o95RhSDSGZo7&aq
+%bQ%#1ooCW-5Gs`j6m$Vn:41K.Y@!m6roWS%Mj#Y<JGhq:lLY!>rVuo@s4@8eJ*[,Zp?'W=mI_RX^3OjHIIZ']gFp:S4o>6<G4E9E
+%\C'%;1#7A[manZ!?C^r]k4[PJDXNV:.>J=QegW3,UF>F(]u64I.t.<DKdJf18KC#H0)YpCaL=0mE`pJQ/2%62+(@m,0M]]j+u.,F
+%8^)`g&UFr:Og'WK6c.b!5=&qA$jSVN,KJ+,:?2LD_C-32J(lW9W^73bc<j0GR<6t/io"qbI;?A-(I,>YjAqmgL0fg=4-kfJC>DlJ
+%T_ieG<bd+S`&gRXQU*<'1_eUBUPLGcPXCqfdHa%a0:Lfs8.IY8#(hNd=^6$f[rR7eOAT3XV4`W,4k_$FTQUJ]e&<WU,a/&9#6!+3
+%Yo!5(jZ2f5%BB-rnfj8S2mH-"V^nf=TX3jZI:8S-NM%uN5e]*<O!#QIkV_EoaIf2_.Fnre9OoV<\ETT[&]CD/Whu^#MAZYLjOfL2
+%&@r(?+M`a,11>@QXZfnFCK`7cAOP23Qg!"O9_BSBE`>p;Frk`X<A6^jq$K0d<Gju47LLG2J\=m\o[87$N2$]<-M&.YWWX,T$J\jq
+%7:r7^b-g>V"ZjMZ46!K0)N\]F9\'1m+VNk0Lg%\-=CDsC]88UKKp@9-?-#j*;g-l8l7a/hPAu'a+E:jT#CS,V6t8l@Dr<8/0^,Yn
+%AIu.D%*1MdUP"nZ;A5]0Z<;n7KJP2VOX8BZ-Manj-s%HBRkl84Wf0X2bsm;n?n,;QG0;BNZhoj'PKkAo,_ka*<ne>nbIXR,QVW&R
+%<acC0Xb-HZhD=D#.fF*9m0WG!oZ*E=fVPp-D>?!%ST7ufdiqc8?^hIQa=pror6Rp#^dXur.GZ$O^XZ?A[+I/Ylm>E_gIOslT:ig5
+%hNXC)GD4#F71UYU_V:hh?aDZUW\p4JUr?Qhder:E2MkOoE,%r`<P0G3eKgqm`FnsN;]_L1H4mOY`<f1LW)^cfS*2=KPJ:ErWu$bQ
+%TNlg-3!K=VI!cB!mZ!Bb>c`N*NtP_YjbU\CE]l6VBhg\Jc^o6-HD[bmqQ,agM&VfnE[%]B9+2df"h%,Z%(`%!jcrK[9,;Gu=0[r0
+%7!bS\1Dq#iAI.u)FW0k<*#J2C#8O9O'A2r:MUtfD7Ng<r=-Pp>T&oF)AKXCRI3K@RW<ZIe4Zr)?+[!dBqa$NR^j@b-aQ`(B^k*0D
+%-[(XYSqE\-c]q-moMH:j$@0=.Kl0X!l8hZT,XoImgJh.SNe,#ddtI3!#q&#g9c?/[DJ=1ma#Gq%Bs\KiS#Vk7dQkoO;b8tBN]@AS
+%W"YoP<W#rK<KUBq.J7RQ=^?0tj_>6\<kod0Uip,W-&I&/HG_ATe^XLe"&:D*q9GXi&U:B_%Y)t'lMCj;L?PmO$LjhNWUPF'0ci&]
+%kp8b>C2h`V+\<qu4Y=Hf)JUCg02^PIZ!k#R$+PT+M@q<'KmG]2fdIj`2,BajoSd?moMeaV]lB"d3gFs$?961Z85BhOTQ^?''._+h
+%N8(6/"GQ,<a?(jIK@YJaFbRed>9pK3=BOc7I&h]9dOD)o(9a3,];4<CM@1><jN,$\l4tl_G9W_a[>e!X_:rYbOs4md&IktT+O2lf
+%m*KkIN@Um^"<oHok$q7*9qD6mm"f*!\jS\<rJiX;PTq/MDuN'se-l=NE`MKn<eNmi#s'=go!bGT^sbY1!:Nn,WBTT&E*d%Hm&`Sq
+%TNoPbQ;M@LP!C!Qd:!196+D06$lSP?<QR`\#'6RZI4>lRMt/]^OOGIW3%)"p!\_j(6@*I:o\7*8f_0LjBU,.=)^QXN@m[tsn,#qQ
+%a\;0-4:.Oj_Y4Q;n)WW+`!Ns]EgCoM35><Rl6'u[l8@qr9Lp>sG]]Wp]SMt\eN*a5e$1WjF0p.G5]IF5bRq[RM;0'c58:rM3&UJN
+%1S+=MoRSFSjSe$!:BdZ3"ss'GC@U4\mOrO!l?$Q,YiqC!%VZ_-esLP`KbOcK8j[#&1Q`oE)ZQ[5m0\He/chZ8.1.72f`FpE7eW4]
+%lbMJ\U#Iq=59^%rN*hTK)r2^1l);F7f#1,srZ>WgXt*/N.uA^@rkjjOYRY+`jE8ku<r2ku:8!kR-$B=^pFf+,O[dZ%[9KY2[QPKL
+%*^7q2(thuK^c:BBlH=Q%3+EjG$s!9a@m,;=b;2lP:@)s`9AKHhTm9/8^_X*/&E(S]@Xp?@O\F^;oGNS#nFD;$e'5%7':$8[JqJK$
+%37\Gf51j)/Z,iq$nFE,s2^LEi/e2cG0,SCNAcU[tAlo&PSB2PUYG9oQ["C2sHN_/HC]Q6HG)FAg(Uunk@"@h\:P-R[q_>rA8(E%5
+%5^,m,LiE:j[HT6<@Bn;p:M\b1,92`lrMI2=h]ai@bJPO$F2BtWocT2.7r1'nT:qVhk\>`'NX\?`s*jc,@Ri7\#hYiV>$D41$[B2e
+%+><p-mWKeXa`;L)IN$mQ,9$I`cJ]SFA0G4M/I)*tm#mQ+__sp'_;H29oQT"MCk$MIjHobl4a\]1aQt_h!=J:>"MS^7YE+lWM`@jm
+%GH]nD'sfo@OnX16A#Vst6:?.1j*mDa;A%)[?hB:M,+[gQ91&fM)!er?kr1<X-LP=8;Ql?eCp7Mh6?)90aViKU5OVjP\.9F]/0s_>
+%::&aRJef?:1.lXScL,iYRodOXLT/h>-.Xf9:g2(^d4a>*6$LSBEgo5EYn9C2F&E&+&Q'Ft*^k%:3s6@N2'N5+h!PG`hBI`?!nR68
+%(,-p_?b01Sa8)jT"&cnh4Et":"O`^9+sZ["Bntr+?Z.8qRV?L,J3St@5p">\ouRB=B7qP?EGS(4dL3_NYW!SE!1Ns8HY29os0D9:
+%$UHI0aU<mV;P))V@DtW>BDhe&]HIlGf=!mEcb9u0bgZ4_MYHj4<<@e]0+Wbe!YSbU?;Mc0c.=n%Dd2.??16]FXoKE6aQ3UeFt/!U
+%7DOA':V?%N!L1$a!.DhbJt1-YUa:%\B4::R"`g"iJ]G2?Qkj)>&JCl>`96m'"\K:4FIN]Bfuk:P-9\RRH9VY6Q8H1G>JC..b41qS
+%\%n\i^:lO<er<n#7<U>J8f`8/ajJ/%NU6!4$Xo#Yo+KuND+s?drlq=uc0*E??Uo>GE&XB+DL:_X9oQuQi9.ts%o=inUeYYGqY#/.
+%h>l,Z6VY$gh<4/\&-4tDlb12RJ&fFhrA;BZ%*m30"l6rl+'cjkl)@nq.QPKiR"').A7[n/!O^i$\&L*">NI.q5oKkSp\8s#?c&Ae
+%K^KVpG)MRCqpF0XC]+:dO4!Y5bpO@rPO_Xc9-hR*<l75-]5$->jDB*qf9N2M5X2CG@N5OG5Pf$FnhM`ti$da7Ekk^*_$7nZbWt'O
+%rdJr$9-j-%*l*9!"rK/;^GLg*Hcn?Pb#)ukTKA,,]Lfe%2f2&OqK9L[Ql3Q8h+I!_R8qICGi)nB07-L3ICuH$K91YP_AgJaigWX[
+%-W+aJn;Jb\kn_*DiUjQ\A0&T=&EG?hD#7)p`ua:l36B;5p'/RB^\rPeX;MdWSU<]7l5j%,IV/'pVeCk;oq6/B\_eNe"ShrBQ7&5)
+%ZEhZs,P0M\W'sjU;jD<OUBY`ui$K?X97PT4^jVs=VSQ#D1\O)LlDoQpI0iehS(&I;bk2)fT]#1=K)W>dn!noYqt(!cf440"Zn3uP
+%[_O-)g7Q9i4sDPeG:`]5AHbftHg!'Bre"0&(/pOnIG>d=,=@?;!\%.51f`sZO1pW_IoHG+6.(kEUYs`G)7P5K_bMkZ9&6N4N4(TU
+%Nm(r^E/pSq"YK(R>K;A:g;4l_=5t4m)dSA;'m5VuPI*a*niZAVpk[Jk$D6%YT;]&^=@P@G2XX:OPNFdi>B]r"N;26]*ZG,df0NJ!
+%:T2ILW&WefUtE"5b+LYTj)CR+(5H:J$m9u3[RM=JJCU514hs?*@"`fo8oWVqrk6YN&8a"Js-iIq%T'Q(g6Q%q+>bcqJBn;p#N43n
+%fqV9=$sp$Db=#j,Jb-UNV-B!0\)7pf[gfuO$s/"$Q*$/L>@s$]F`=oFK!->f74JJfi?f)),":N>E9KU(dK;\7JV.koAk,T7gB!W=
+%l;OtID+(X=\BLW7;=4^9&,pljbFtm;["Ig#>Dor!/<DO>5^D%GlMBjcTaX5MMZfs)=1`G%NT'gsn$KkG(-,S2d4)-s`bZl#!4."V
+%PF(#pmD]oaoWGEXL=PTtDLcYYc'2gf((n^$>G*>ZT>?H7"uL,XC\nG`XX.$(AC!LZ"gG4B.LMrC3E*dP#,C(3\KN]!^.*?71F.:X
+%6U:/<7L"p/adPNQred>oTOTeQ..3.3EG)FW+)0XbRk);%'YDbB@c2FMgM[Zl&E(-;],5dbNtHR4j[Zq$J3j!o/R<nGApVsl)NHEC
+%oCO_2ks5D7S<^9C\ZcZqH-d,>MUe/C0S4R?TPdkq&+J0s*2$r;r!^.p&-<D]k4$%@aU8g9%16t]g?o$NFP#GZ;;5j)\^:2Wd#2K/
+%d^V>D#JptnU)n>f'%cV7"IoC+a<S;l5*)NTL-=#PfOk=tfh>b^9r;2u?PU<$9L0).j8cd[VEbL`fTsPRReX):El[_tkd+kc)(WHD
+%8\&MaL)8tEccDJ4$U!FNRg&e!6Er]3pfBEIX8/>ON]$iaN%!LFc2*JQULAH))narVG+o)$:d4b(R/\&[,iE)0LR4P##Vq^hVF0"X
+%kpUd?7ehYW90i"h.(EeJhqti4,6fa8@m:['!'3$(bgEj:*I\mr8dMprW\"BR>9pk^?XsI%f\c0V>iBhT[KV94BE\9qTt:A$%#^4S
+%oD[A"7G/mLYrP,6pZnJ47cuef(g"Yt=b?6m<jdhk..\Gem\-$tK9fdP0C*L)%l4j5pQGVh]C?<>+2aV5'DI]=MY'+Y2W)`+?'ZcS
+%SK`?&2`eVY&b51X?6b0[P;.ZJ@bgD0A13OGU]'\)Du9T^7MO=:P`YtR+q!9h\=MuhK#HSf;41oJ'#D$rmM4'04ZG:HK0=Jg)gF&f
+%=@%j8aWBBbKIa)-nN;GKV@E9F#0Z5:IiMBcK&X`?O2H<YP[B4HQ^1]hjNg?nk_)G["Vc2N?s>\<&EJ=0aE*hm7Lk1>e!cnp*+Q6t
+%cc6=/INsd0][LlM5YpQf@c:;?mu2CQ$bBd=r_;@W*B"GF*Ln@M\S[5Ddr7)OTlqp/W<aCffk`m*G4;g4EYEE4V,P2V3%]Hc!)`g*
+%`G8&b//\Kl09'?g?M1uo\`_cFWj2IrOR6j"PBi<&a)oO-#n!R8<'eGo)7Ui0$QoU@c@Ea@p:=Tg>c8Ei(6g'/K1.=AIBWm%2!YEb
+%a9*!Q)ZRI@EDd!Z&m_F>g3Kr.",N1g$AaL\K,9G\p5O)S&02k">X8tkC?p>-mdOd\k<cMfM'iEWl13XTeB#GH@Wpb4WB6H;[s2J?
+%`<KVgRlXX>06hjt=:NmC&<jOV$Um]$JAJ"N0&r?P@i2)eAUMD/S45=;O)@Pu!SbB`ArLkfF/61ilMK[G-:%cGT\%Ma_g+CZ2+C..
+%2C#_<bkm]''1"D<1l,S.&/K0Q#0#-`9c$8&'=<GZM_*<uO66RJ>;lrg!Y"d>)MS<`iTsc):hMZbST$<"6+0=pe^dGc+nl%2L:DOn
+%\AETB@I8@"Kd-lGma',?It?c@WHTu1f/HspqX),5'MpJ731!Q=:#/M$q+;5YTV9V9!,O6ZHQ[rSj>lu3OJa>M^^(u%5Ro!REGX+i
+%CP0.aiLrrSn])c)0+UT]<_OeO=m3`6>]3u9Y@,0nBD%p*\?HC#Utc"3HO]S4T.s')neK:LAROS`PlJ_/_m\SX>Nd`5a95/:WMG)*
+%cQAQY/l9>j&dm9!?_J^3CK\LGb=Eg[?hY;lSi]>W"op(p;MR,2kI$d%NN?@l#.h4P)um;tp8q]57A]BYpTh6n&VN0966e<<c2?@B
+%OmuEUH#9%*F5:;639SRkN/YKGpU52ge/j[G@m!Vc?p<)BhjHWnq&I1#ZGcU%&hN/1nKpNH[#Y5`FXS:Kk*]jcY`N\f(0aORDN=k[
+%Zp'/s_b'Y+"L[MX=8=7)XY#%cN$ue_g[t`Y4Nd?RPnU#t(3W)@k?j8^hI)^d@&cm(,3nOl9gEGk57%$-6LA8>>Cd`lQUMM@j%t%g
+%5@Y&K(-LG\H7]c;Z#1YMq>QFQ0l^!^k4thl]s1=_f)%U&O(JT$a1IY][W@V@2UFgM.:CO&^P9qLIIHdS/V(LDIr&=4M''Ql^Ae[)
+%HfGB89I$YJT;!D8j/&Vj>.>siUTO9g]_)s9CUcak?M;q;RrX.f`.FX0CNmk2Yf[tADt:OnI^T&*/sa.?'E6XmY-ne@CN/DJl]q9U
+%<9\`4.]55..XGgT3U]p^)8aO^Rr6?YCn.&BBK7kYaZ;jOa#j(1#?-9m6gCc`gL]tWL,J/lPq5BRL6FD1'&3/dACq>ga9<W*HYMtu
+%*q*sp:6Z-Vi+OM7BP?,E$hB$(qiWb$W%k#OUS[:!-siYhJ[RJ>:3X[<-Fa,@hl\MI0EQ9;<Z&.[p>0;KhrCAb%Aql75=S]bOk:i8
+%A(:4mq!QJ%i1GYA5=V">&;a`Um12*n&V)ncAMSbP&rn6uf3b?02d,_UZb>,l%=AP\J&7]E+n4?/(J[BiD\kb<NFhj=9>lmD-bL.s
+%]AW[lm_E7g]R_3*p/Lb,p7Y:D$27#E+n)kI*hX!&15!T,R@nuS"EO\6Rlc0I+'m>Y4=j,9./9*i5UY.'jFr#*g1'a)PS4E,1O?lP
+%]Yq/,_"+UmJ-OKroJ+bQh)Rt+*tgPF6qHXQ4_LWnd:X9tQquVpN`K3A?M['q+p.(i9FE4OTJ,r)<e\;Whc(SkT_>Id9OI/K=%us.
+%-eQp`h0]Z,ht65:@be<jomE+0T<_aOaG`.###,nTJ4S*%DpN\SUCFYkkeZR5N3k*T!Z?Pq,^?:I42Lk*g=>XEJFH(.J"s+fRgsAk
+%::]II^Hn5q8,U)26eq6Img=UnEJVZ7Jb2YoE6]DRkoRYW/oE)H8ajRjD/)gb,8-dP:Le2;^U1s_&`C5g3n[.%Y:i\ao!m=q!h$'s
+%Of$f'7)/^MSVmR7$u@'4_"[VX#^^g`,.hAK(l.+(LkkglGe60@_qhCI%@&SO;/6Xf_0fdK/\)F@Sro[R]"j8np2)(fg_!%nhrr=R
+%i5Ta\j;FA*Al]d7BJ(H9L8Dmg4=AYT:]XOD9LFkghWEd3Y`n7)J-]m-5X#P5pX"P^@GI1(\&;""XL9-;+sLCQ9E?EO.I`"Bh#n8t
+%!L_"-'!Tn+\X?erO1tu1gU2#1n#5C8Df@DVQ?puE)n(sHJhoFm<\nd0P2&Wl@R$7-fkgi%D,N[L)mgYOPA8gW,u[.2DICsg9CVg5
+%_FZ#AYmeVW$E'ma?_Z*UZB*Z>p1pquNrSC8b+.PL;],U72,F.A*3*)3A&b7dENPi+kOU%0jCW+u$Ui47`0F]11Xkd76!8/-AJ9E<
+%XR<DEpW0"F607bZ`im%K2QrEh"BQ;U9TW2'0<jUOi7[aB2e5C9$H:7B3j@$gjI9%I5iFSbonY`L2f<tD&3[u'2sOmBO*5@Zg+n(>
+%QN/2B!8?Xll>;CG:ld^Z0RC*=GoIX8SOKhRGias^T^ufTTO03jrhB::dVbH^Ag49bEis>VN$-495Jg1Wgs0-#:>a[MKB+.!pk/VY
+%_Ka/U6ig,4?XWS8#IRLE63u6&P%bHU[WI[:&W(e\qtBboKJ/G%1oUPB<!Ok&n5311P8EFF_:5D#4R_eE#H9o#7c=qtHUdR99Irs*
+%!XAb)>\<gO>a>l*gm6[t\q!GD@LYe-P%Vbse@pOs<Ht&#Cqo1E0c9!!=7or;?>C7bE3S)Lp_=*>^stW/pRO$:"i<gLBgd]V1fG.&
+%PuT.U=[5\K(nN^JpRQDZZq!!8;$%4!(SH9b_%n5&KpsOT,ca6[7VYY)K'fAcFUF([,jq_rS2KG$UTqnZMq4h)c6P)4F@J[7N*o)_
+%]Um=!RYl^%*B_t1rB;oAIW0GfjTef5#lbh27#Y&#TohCl"'0[l6DW9nIdXVGqLrHQEXL=GqeF`Y+Zd&>HMU#_STED3=&pojpU=#5
+%B!`(H0A<X8a#*pg3(,;OC-iAC]DhTj&RF.>#rC(G&'a[*h_U7=EXAu(_\_@K:+8`(TUUJG+![:E6knFl*e2MC3OTWKX#rMnMKDL"
+%C=j0BZt,E^-fa>=b3r)*bc"*0AA]mj/5ZDEmUokqjM5W\GInEjVL`^o$d#Tm."_38HY#7MI;&E<)`[#^1?NVqNu$]BdA9?18-t0d
+%[nuCFaaTHAWb/YY_]r,<A#>fTh%)g[pUl^/j<1)AI\o?].Z)1mcF*b*,G2sX$7In"FdIU_Jnht:)QYbtm+5]&Z\lH>(dMl%B+`gt
+%[M!*'K$c00/QPQ(7^qAI[R+R33F9n8ihS5`^eKHF(D2FF/+#c3aum+%[\No3Ke;_Z_b8_N(4'eUCt9!+G&S\t+2RD9^hXjor,KIO
+%Hh<ZY_@/i7QEjX2a,Q:WO"Y>A`n*6Wd'h&3]9<Ya+9d#6G].qZ8ot&IAS_G+*kWaFh72WC`:%@:]JKC(@JI`6LnQh]l`9BM!P[ui
+%b95a1;<'1JXP$1eUL8M(-D3P5RcqEF>4DPk%Y;nDJDZD"c<$CT-EU2/N:<-@I@[iA5_7U@M8^V6+ANdb%KV'l_:]&.+lIgWhEE(_
+%f.QHX[Zul<D;8XQ.0-1l]Ja?N3].s*k?_0[Vj/AmloB5"mKj&TJDYlp./el#E*eG#<&UBk^iBT8R'p#rA[ed3!?>I?[4MVNDQI4p
+%)L(=qRt(Q]CVRulVe:X2Z$Z_G#K<Je'3%jKF>C>6S=mFMGL/P`-YPXogJ3pN+Pl$FOtk=?P[gA'lZgo&3-h35UI?E;Hik5%s*F>%
+%WD`P+dig%)eD,HsR.HK*#JieeW1sqIIpXn;;ZY'cAd'rp,m/PS*;5i:A(u4jRt.Nq2E6&ai"djeqC$mD"?`u!Cg/$An1Rdnko"7+
+%03pu2YuEeao<T>Ef39juBgX_Zs7'd6'B'P!D8(RM20lpX9heVR2q\.iLTTOf;cPcA4L*pn4jCUr&t8A>ApC@>Pl,0,0^FQfb*7hI
+%@taGgYjtgclZLgEG:0PB6J"D20uLi`e`Y927P@(qiA,<a4l`;QqU(B8VkRO9pfiYId^_%*&(Css!>_-7_f!.U'hYZm*DU"Q]fI2*
+%%Kj,rF2&gqAq^eO&`f3XY$4F5T`>3R*G'cr$"UM1:]:6**Ku6r"`a#Pp/b@+-1V79!=36]*!0dpqZ6=DGiC(8ThjK`IARn'be!+'
+%J1r_,$rl_=dLHGX3Ah&68V4GZMfOFddND^5%-t&j=mZejgLa/\G[HO+T*kp25_9\hD2a7\Nf+%ri)/hBpo%e!efM&i>SE3,fteeR
+%1^1=r"N?t7i-HA301e6m$t1"u/&+W$0Lb1N%;?!p%O?d!n`o2VRd^6INgp6V"\MaUZ"ZtVYRk,K"JBB%%g?@\0R#&0-;6<feHp^a
+%SV0@M[RjR2`V"@-_kCakmRPGkqK%2+@\%:1nsj6M1_]:G2EhH%P.%T;[[1kL8HOg#>#/Ur^;Sq];m.7NOfh$ZR\.A.;#;.Y<!OqB
+%XL7\:ZVeNY[e1!8/J9&3;"7#>),$eAfQo6L1T%R6'hWh7B8\bUD?f)W36*/D>I+/Fkl*"(TK4EPLr2dfeA18`,]IXpo)!IkeNq9)
+%R9%(SpC5`Nl4psuJ+l=ZX(o>FiZH'N!$'o0_,hZ<9EN:!JBO3>9C%5#A9)Jg*!S])o?nV=-l+V='-8CoY09]_q4saL+V6+1[@)WU
+%R0AtW9'n2(nZH3sK.<066]$U1:nn(2]Ygcs>&"6+23mr!Vc$fU:qZjsS.&okf-dDb3d&7I_tcIZZ[qk.W85o:ppVclQX=qd(L6AC
+%H8Uko+2GH+!?A:4X_lm1(lHgHqVCPlH_;/g(3O:kij'-NP24aJ]EP-c5R1.P)8s1El6'[LoNm`J:>T"'"2n(%'h6q5BW4Rg]9Tgi
+%LTt^^(*<^A?\.k1o!&$!H<[D+V"(Dnc:aCR$igo:,@o!#Y*Z(M6Ytk%P.#\V#`i&n;E\QI+t@5AkmG\FS.U9=0*GR(V4-!g-2O)N
+%2K1d>H[Wk_bN=.>XffEoUX<i'NE7!S<gW1qT#Bf%KFa<"W=+kM3(oZS*n%WEM(c2WX:"bV&0>")37V!,gC%QBDpaY'j]XJd#l+&s
+%Ih\%%fMje60"C+o1'jk_WmnTfrR`h:5S1j+f40JpWli5><Si@MCN.g^>G#b*q\6"5h@YK(C9$hFhZWlUkbHKc<hN6m^Y[["+f"^2
+%5Ro$S;$RmRGR[AAEV[2m_4SUK\ekQ\MPDbGVcl.2m=2UdE4=bOU-^.5ruJPi-GWNm,/:169^#J'D\icClb6YNIM[2W)$l$nr"H<$
+%6jjap8:GU-O9jT2ELsOZ#DK/01lrZ`0W?lIP#_5Nba2ErS-G.BJ9/V`?2.qU2'T@AIKCg&@[",K8S0_86%%,C0hGB=!gHnn="A_#
+%B#[.d((I'^<mhi7P%uE:R!]OYD:N?qY_0lC$hoao*paL12Y_3D.B.QL?6)OUZUUd&C1RM]MZ6aU*oI8"C2?U:AC]E1$4RcL3K'"6
+%7@15D$#A,/0VV%ajlHu]@q]*%;T/[e_"<"hg4^en(k^U+^OaVI&Eg09@7bd`*lY_?ql<j=9u%?@0eVu])gL=/at"n1QS;hs/8_/f
+%TOp-MOqQ;=#Y#?--lLLg?<.&L+/E5AN&^<s.@aa26'9=.'62kIlqu<"pn*$9.nQQDW$IYZ(.B$]G%jS`%Na`oAC_e]pn,%PVVE8"
+%iT'6):6)]`:G.9%Zu0_D(9Lg&UBi9OTO7q;Lg9a8G1"%EGu+W_9n9\FL])OXXg8PG)B.g:a]J(6G;sf8H<<54ohfDu/qC<[Z:G/S
+%,#eARc>MaKWrO!;.2jKiFL/'n8,:p+:q9\b-jA+t<k`>%rcGc\Ej=BW-10VRm^:Z]8boAjGQfT<'8p;aEDs5h\2',C7;L(?3.R-m
+%HY(QWZrN4^Esq29kW"f^.@c0gK"PDKW=H5CeZirf"'G"<VfpJ_[2pI);Cj;?jRUG54]"*UlP*$(_Q"Sl$;pjdkh<Ikcp7Bf>I)[Q
+%D%"Q]:BfRSo_fUgQ>JET;Chr>:=r/4cEM[R':-!?jf?0dH)C^Ke,.Zq+4U^^$W2&kf1*5)[5P']?:BUI.D)QlBl^DcFHbVV@r+e.
+%X(Zf'+LOP9b>^"N0rH2$KB3CO`>3nh$7Im%kt3b7'HL&QeSeB$pc0W6L*Qhe>I7:_focCDVN[s01ibFWI'?%&W,7`45Rbt-C+p"1
+%[=rel029J&#H!#*WJ?"uFXp+sYSI'9-K0V3(mO\_KU2F@ILcqn"mk^n(6P4["o&nfOr9t+*C>!P5*Q7Pidu+t+N`RQ^h;dc0__8l
+%Zo'_F#QdFI9Mk[6)TZ!q-(#\t2ab93YUG`W<X9Wgs62QArq05e`COWQH<1$[`j,uQ,Snk4rcsPS/1k+lQ#l\KJ[R*'QX1aeP\^3'
+%07QVC\n57k@2W/?Oc@@qdcPsF5h(6)"Mc@b!ceD.<%#44$<Kij3S,%3ZJ+hXIcY9,a5_km(XPF;,6Wc8ZF;EIF>"*)n@q!g#e-@-
+%"k:?S0q?Q[+7LJEOc_68)Yo<l\HS/rYUFFC"3.XgOsGWq/O@=m%?+s4$8t_0NsS;Fff(U%S"#:-/bVR_"B6<_Rg.R^kmuF_%!nVj
+%0j\pg+EH:`(%$j)+r4:U1DCb!i^4C\<Cjcg\66;(0!<%2]Y:kg_6m=:=nnk@)n2E"D2!/4[N:%WKAoK8!O[-^a)bc`n\W?d=f.?4
+%jYkq/5)-L=&_9t*75DI9@8!K:2GaMfS:agUm(l$&INa?WQWRk5jVmAB@h7/?L.&hs''V9.A=qpa"G7)m.f0H4+sj.r">b>95n`;k
+%mUM'Yg$NjC5]$4Q0:5pu]E,g_gMf`HmqS?!QlV\AB9;-o*D?0#aE;q7rDpqp(7\p).TO:LJV2jt.tE<E9:1C.Jk@bk%^_Z3-T`=4
+%KsE<<M8b)69Bs2)Xd<"L;%U*Wcc6=;Lt7]D2%Z&?[,t)<P9[8;5tF8AV3FBrLC&$oJol0,?W#3aHj/I=,ep>l)Nr.#e;*Sc,[FuL
+%XtQKS1XMO`^6Ec$A\pdL*_M%%#85(8ifEcU^6IW<jJ!e?)$u![Eb!5Mj9GQ\RRSf/R9V,/7A!)jZJM'iD.Y4_CH*?9)sQ,ZnI;NJ
+%.`qSi9VTYK/]tN@Q.[QJh9Grt-:$:N!0PEiVdpbS74\63%j3l=;$M[T$NAZnFo+4ePqkE`073lMX!T13UfCr&\N[E4@Ee1W@+GYO
+%9X"bD`hLi0q,ZjENL7&>-F5V!P!TMZAl200FacPE3*3#0\N3`*Q4$VX@G)!2O@:u9c!inTgEA!`gD6](F,qkK8m81o`/FYAo\De-
+%2QaLL3Y.^([1$NhDu;diTFK.2"PJmuU``NE42@#mOXD9j<nh=1BI2E<=HAo(#,@"<malYBnjia2j@`pkkJ!W#.SoVV1JHb#WU.j6
+%4-*)2WqM`n!-P_[6LLu6_+L,i)3@2V=')3il;2dOmN,)`i@SV?kI7H(;YLKuBmC6G9&;)5?Ph#fqS/*e?iLRJ650a3Dd4@>(Hf=q
+%_-i=P"rPS";t5oNm)uYRP%6Fro1/RueD#Rta.dRW"`7,IX*b>GO`YV_Q6ZL4)<['R!+&buWS@R[HK6mLn/ajUPCJ9d^g+m.O-A"/
+%AXr3>/IhMR4K^dI:$Rb7``>4)>R@r?j'h\2%Vsn#eU+H1DAM,K/l'k%h<A*T(:f8PY%oYW]LS8ZZ^,n.[e/oDas3@m#4umkVO<"6
+%kuJkZ<e\oYaGQ3cFWI9@eA-4!b&Iga[CpVhat'LdJ0rMB_(PY%(Z-4$0/<Fi/t05d<%8b&&;rkinGNWqa`#r;X@[!IcR:r\(p7Ej
+%H@X,bXd;(]IKCt+$*](nY6np3o=`LM]'$t5%R"ap^1tugJde-G0?#rTq6>Q/:g;L67(uB$3RZDli+r&C_].MT63.8]+DCl[jS.5P
+%8;!bJ^B$!B!1@*t]>7HNj%D]2[HNCh`lgI1I]j^QIW@A%ZUVI=m64^M?sm"jE"]4k!H=X.1*:a5:rp>M7#a:Rn!t.YAO#-bQ;aI7
+%V5R$qs6(8+=A%5/cQDSmUK!9ukYb::@BdPGJ@_U"ajV_`s$MAYV$C!\U<Gcd)*#<Pl_W$@*`O#>mOO<frk5JE2tU1eKmr@hkeBWL
+%lu6E3^nV)QO??3C[fhM\""gha_0'9/>LJ<aYAQkC.rNWR'dSO)Bq3]LNKsF];<PX+%Ora.38S:A4^%t"!7%k:D;-SVmF)8:i9Gm,
+%!nK<U?u=R-At(U.Nh)4FHTN7lIPC4\g:$DYqJ0,3NA4P?9AVVM@ba8Y&iL'GPhU'Y_5EuY!X`87.+3$!f)]n#TEe%?R6*`f*Mc:S
+%YFsJI)m>6)^d3%GJtt>@!pWn[Z1WIA+6")\s0?afOg%+4_>T0/g:#fc>qj/C@-_E^*aE[r@,ZHAX+P[4ZF7rq[Wg/1h^OhjrB;H2
+%^/mn1jc#2Q/A2_+^B3R[SO#PJ)EkU5']93aFY(>$\;43WhcDMT]%#i_hn)$#RcY/N9XnS'E_D=84Qr$mn&m.6:Z-;B"8)gc^k(8$
+%R1*ZH^,o]s?F`Yd:?18<[t#qHj4-Q^@A:$Jenn=6o;ooj3Y-E+i/Rf$Xr6#3>dJ7+lQD]eLGS)h_q$BPG,uYJhQVNbW$VL)NF()'
+%]qp0:kq&K-jc6/Q@o.<*D@j&Kr$Dq<MU;Z2I_LWgErl#4Xp'#W3LlSJo6nV>8p`8$!n\"Xp^*ug9FB=Y-GajK9d`Rro7jk/ld]V+
+%$]E`8hYfIFhY@KJ,i3KIp[t)pZI)!#0.T)fTnJ`fV(l?Gpkp/[ERD@L4tFEV+*7OV9!Cg2']r6[jJ'?3Amm_(,)Ed0E6/^=.b1iD
+%d1V9l/bX7bIJ!A8#HC(b=Np7<B2D[M__;D[-0sd9USQ,AS5`DI-kF9=_0Oes>kda9B(XT]G86OE*]V4qjNr^"/B:ruS6VUj5f$o<
+%r@R5<]P2(_iY;H'DM7$L'BgbL$J7KEdN=3bh<"nK$uP7'X#2]&c^I@e^$\Y+(S&qI0\EOf7rl1qJ_B)O?5#'5G#-E5m0:&4J_)_n
+%(+`*bMqRPuo9#/J[Qr%.4J+1D()]Ep;QH`!=1Q0!H=[\Pn=e'=l"h`3fk+]1.*\a+#Kt+:+'71IV_-qSmO#8C$.$(p=9dd]>%1mR
+%6,PFE\@$0WW!ejG]Ujenmd'r!hl?FR+O&dh.+\D?g@AgEeEVVN6Fe+CXJnW%Q&N-WGhneMm?74<Kf3fo.6#&P3=K<VH)4#^h_8NC
+%]a*dgg,t&=YT908*Ab$u$(c)#m<g4bK&%e@K;`hNq@s%.L)pSR3C)k=*'D(:0W'(gLec(/B$\13/lUF#gNN?*\5`i?;ab8!;<,W;
+%7aUZ*7_hJHmUddZS3KHfBUVd8!>`k_S>[;o1gmN3[]bKCbcqWH6k=$Mlp`IRXQ*Bh-u:OoY3mKlk*["kTF68,BZ[MtHWAkH'K*\m
+%/$f)l9%U1&XYcH%II-Q%i*$Erj8tTje\u>o1=Uk:,7G`MlON=1^j2gEm_f[,0i+cS_O!8a`A6nuNfnJ8fe\>lmI9p6Q-ZHV]r#*Y
+%DoLM&^6B)P<Qi=")t!9Ah$j0h-r2LW\&1TQUBO_S`<*T$a1HJ)"V[,eF/_84/Df0GA:3:mU=he8mLR47/DY%fM[e24%^RAI::m`H
+%-IT"S#0'!E@?6hW+?+C^lP<RBDDj10*KR%sW#Rf*DA3J`!*3'r]HW.O+P*'//[L=l*_@4hbi?_tL6(Ga)S`c!I`7_tdBX^dHaX=b
+%K<RjTc]IC\*If.^bhi'9.P@p07GAe`7ZSF3hUVWDMWC10Y9d:r[\`:>[/V2XQ/G@ci.1S"$n>VC8mG[a(nl,*J/tUVeut#G`B82V
+%L/bPuN8@k*(<IY"-c,lD7V;c>rd',A`]u2'^bMWs[07j#`W51\;-4mT?pUH#(Va&H@/]rZJu)^a[[Cm9RAuq6WH]C*Q&^[d9pa/$
+%#Ql_,L<Q=I9N@UsPT\IT'gM$UfHl/^R*=+E"]ikcZO7&,="(OX0[B5RnGG_"?lWK$Fli':<Q$WII64BgLOi-k[=LZp01i)RBJ-<S
+%'kZ8Uo7T'f6<qNn`_Q]g*E?U;]MLep<pI"2C(`t`5l1M_[`EV9hPBRbR6mgZ65q<S$G>N5"@UDXd'c3%$L_El6$iCgW`fnR%c1%7
+%RK+])[>4\\;VN&l'MQ3Y>d2lAVqBZ)j:sj.$Ic*q3ID_f<+*Z]AQBnXDu>!OGF/An21%o%nX<TCms\gq]agsHR$\GQnE1`a>&l>;
+%D4/'`i$q_Kg`pmW;oT_sV@0+^kZ1/*bAoeRcP-B@h;tB.i@N=NC'Mp_."3)YlIlG;2r*%gkAa61p_$9kBbA&CZE@h+'/ohu=BF@7
+%n,"uN&A69WXSVAak8VWS=#O(s/B>ODHiN>$OIM<=S[/h"S5,6GdUJl:0;SpN=^r]GEP+46\%qk[4Rm1!;e1R'T7l17\5Ss*b*/FN
+%k?&K1gup^H+8nu0K>uc?PfA!u!4n:3oDQ4$^[b#_pS9V@cSq5EXYr[W0&0U!fEZUEeilJA%Sgo3GpKO-K]h<sH+1V2EMYmKT;`6%
+%dk)$C.mEf&>6G2cq[:IbK;X20B2m0]LrNA[`gjJ+,?r9IM);a1iRlF)P!Pd3RJu#O'&[r/T;2/=)`\Vpl^4r-4:L5q2u#LU#?`er
+%`&XM\cok.W[CA(sgU!dWb"rXM7'cJa-'"%minpYn[I!YcC8dI_XXnK<K0DE4i#9S%\^@<sF:89@SZ@N`dQ94_\9\XW,mL[gi1>V5
+%"tm<\B"!*#iDDQ4aNQF7cFnAVfet_2o!@1=U,BNI!KXqm#_Lipn&CDH8%Ff<)<+OR/aCPh@;IG75.@*qbDsPaaA?3NVhj_\E5!*2
+%m'pr?F;lS2Cj1UkV->sTlssLYmaldh`CU7gk%sbX<ek*YF2-B;E*746jg;98`j8p"$Y$]nLqMa4UB'T-mldU4!*;<E("p!&luh2c
+%eb%Z\c1iF)41f[^m+P_m+Kcg;M`e^l3(V=G"_E67(Hj#bd`gV?r'/X@h)\1=a7hNSPqn'`$gN5EPje^f?l$F1&2D[MeS?KRP5>\<
+%!bKO/Z,N3WH.qWjDC%gKh\P"`E%B&4J%bA+:\BLmKtX<X>oqaGdhi]1J:$$2*UgA%Xq=\0E=BSC&70@k1a<1EB#21TF]O&^FK\g,
+%]r($.k(^AeDRZ.10ZEGlEK0W)hgOA1ZhDrNmegXP4@0EccOb]k2s8uRgk"]FmPT2)cR3h]Y>R5i4)W_phojuHd'If<-k;\oeYV2r
+%4mk7!"h76O75O8I6C/QA>=Xo\X&+@_P;cFJ@fV9=W7B&$)s4P5XS3%-`6@Ok"7*Ur2>2u2J^c!9H,Qh697D&un!P_MdPJ<"eW?Eb
+%.\EXCR!J2Hd#&e1)Uf`X!eIll8$%=+'WrJJ;*edR!5&id'\*Be*8nET2)$&6WJGbRUr(_Te`%k]QXYe&=>7%(oZ2"_#JaRNXVkt0
+%c`/$Tb3%IM\_"4&igeE*RaU[30__#hVqUOrBfBumnp<kJbWM5t"Ik#@f$\CO>W[.o1k-Trh.G[1^*?+B:@nX>#oRP5Tn9%jRDq6U
+%4CGO\gL6dRs1<`0c=^kgXTRdTj?p`er[6VHF>Wd,:MpjCbp\=r0M>QY-#^j_7\j#>Br^mR#(#F8b')oeC7_)8PFs<fCu7!Wiac`=
+%%P-rD)p#i#46uIchrZupY!(!^93'B2:up4n(?_a!gMGsV-#rLEBfBMK8/hcc%P9Od04*"m**c,:>WcV/UK0(F-Y1?(O_mri?bY>k
+%fs-JJ$t;8IY>Te(0sJLiYQ(0"-\;]7R+L+E&9Milr^bZsJ&4)gV(j2NGF1rQq=2&Iat7cH+,BSRmF,M'pB6'C-?041%1LIL[:XWt
+%,A$Si@bPGgO4qe^*pJ.EQZ@&g.c]ZSW?d1T%q^^9)0U;U-o2=AhsN;`2H2O,<YB"#4.5m]$tKG*Ju$4T)!DY\])EF`_p,Lj[u36R
+%TB_PTi)s(c8k$I0^LCnlX$ikoWQQ>*hf\9OV8:=A7\jeBrK^!Kb)K^#g5++!duCk&qslbjK+b>m@T!jJD!Y+#FeP(R>L-IG>l)>n
+%J-pIg`Ss3T@bI?3S0Rs)P!WP6AODgWi:Tpgc\8rch.Y9uB^euFEn')TiY2]\2;N,%$HQ!JrgY+Klij+TcQ9C]+_=HV1:LSs\@&_b
+%U),Fu<&([pH4PDL,(U(##]=?cCB>2^ke0+&DQ,%GbS';+K.;edHfY(3Z0f(UgZg$IhG+DC6$LFq2WFV4SnRe<&?f:qhAKZ@!YhNl
+%TLuslcLm%]B8E"ZMXXn:[Co[n1<[3Ar!*7*c<\</X*-VsbsHrteD`n^"&\Bh$cpKX&o$fnW&*K6;;C6FE<uDdP/ZanZmO-Q/a!$E
+%MoGXBN9H*)b90;-q#<WQ'`58T#^f-Bhu,1FG#\i]_OYnX$>Pbb+@&mJQ]8M_o^IG["JG1dm,[`A+$`$t."H9--1\8EnkfCZO+1j?
+%;/1YpEaq$/gGW^3lR5acVjZ'QpLoG5**,Z"/tdM`VgV.u+j1olY4,>Re./3J35P((#W$A%8j+-*1*X0-r,kpEjC-J;H^d1F6(B_:
+%8LC!eJR'P!o*n+D>(2q/@4Gd&Im*Y@8*aMLCJ:U4=LT^LH8"MC\'6SK!nnjWhR/IW]rg%K</n1QCHnnrRG<1FI7)s,Gt/<S%YoSe
+%cCU(/AnjgW'a#;.8qR!AC)]$k^pa&VLiVr"h?K1VX+>PF-s2]Q%F,&(X87!Yb3YM<6;CXhO;mE(ASclIC=i7.$DW8qG0N""H$?a/
+%p(>J*bn5X*KE+';jp:D`E/nnb(J*-H/9dTjFPdXK_Cn`2F]n(@ko:',@5r!a]HiDQ<]Q,Yd5H[`!Ld0$G]1U+C<i`/RIdDNkBoGu
+%!G;TA-(1dQaX<LV(h(InoLp<Mk&>\N26l.7:'39Sj%=GhN2s1#+m.uoC&N2Zm+]*g[_LG5BsL":K+-C%nE#Qm[A6"f,<FffZdcS!
+%aHVON74ZQ\s3*[UBu9bb3KrUY92XV9(<#;PkXA=HX'XtH?%I0BUK!.L[&0sHhAiVeD>T[!d8)/Ni<&LYr^?GGUkFb3"4S@Df3&SY
+%X/1ihr.XeUXj[!Yi3G^OcMMV,;bPD<Mk5a\rBPP]>SZ<-e1L\U;Zj4cYbkV0YU@Z:]_-`BO/di_SV+M'J`=SeQ(^_:H6S-K<5RFY
+%<@Rm>BF_%["L^0^FT]Uhmkiu"4Z?tT=AnXSe_6A&05MN.IEn7PGH`!^bY9XZkHOZ?1oK"`N*mFm"XEKm^k4gFpSd736pAn3f7^;>
+%]gCI"h1W!!M[i^&?dH4[:Mr\XXlUIsTPU9*]!LS,aIJ&jMtOVV4>ReLDVi6qB&%u`\KT/GM'.YB#0>..:1Ec6g6q3!(%rA$.#[7<
+%M3A?1[5)kd\M--C.DI(*".%_:cLO:T]ZeRd)@;;V9`.rS0[5Hoo]\Jcb#;al!d[+boKE_sm4Z9!X#e+>nKfa:^5!mO;F'>68lkD6
+%qj,sO+:ujtj;S/F]Uij3F+2*L1qablOhBnriq\?HC.Vud'UR8`q90uq7elra'e1Mb)[X(0O]cUV,P1de_L?1lQYdiiYSs@TKrf?"
+%N;"%[&?@c.N]!M%ODZpZM)4B!p?Jc*I2Ct)-H1+]O>RL+YV\$*p4a?3m)f!AA.7-,0gsF9G*!QY/HR>K$l@P8NAM`6S!f4Rd=hg<
+%9AX9?('AWVN9s,ik$&JP`lA;pIj?epq=Dai>V#%/_Lf<CJj!;#'CD(e*>UKBB4,#.JMZ5'MTO@5o0QC^@YWV(*$k#H'LM'tr>f-N
+%p/%b%aY72?I&%*&g(>J4':+kJ!t,J.T<KkKA\X6*6Z\D5f_>VjKp]lhnEK"#\`;^H^bLt<N:GK>Jbn`Y9?)r9f54.nP^(>C.$VeG
+%3041E7EZN-3CgN]#$J)H>AtB#bpig?AW_Se+hj@4AR*^)JfmjmD&GPCR0t5j3UK'p,:%)Bg'Cd]WU@I[$m;V'S2@VY]OrbXi>P=W
+%K-#usLGK-aarl.[q9XQQ3C=]g4Dq\8C+0Ue\"=as1dR2-Aac$Z0c(R!1@LV)nP0)g*_G17Yl9mqJ48H$P!Vo1MHT6i_%8lCIJ<-Q
+%kJ4aZ5pQe9^c-Q>Or]97O&@pf\M,tkKim[3KJf.(2't1IMVPt$btt6/"SECm)nfbR<?C9_?6Oicdh\>=h>5,:VB^N2r1On0INg14
+%_VJE1q4&mLCUb;lS0BR%;(Q,(+^KOdZ%T#F@E.8=-%Q)-5)L\uHJ65q"G,VS3-0;rr_;s.dLa-9c7'dg-PsFl(Yh^JTkD%E#:4-h
+%@/U!Hp#TEu%K!u7=\hPY8M>I':s<O9_9YW,O6"SK=C'F/MkI?/B?A5b$3RTB3sV8Q!<-9g:1]H#94Z\T<68?n_['j$6qrWk")XO,
+%'\.BMHUARIkc)Q'[p0=G/cAV"7aAl(8]PX).aAJdi*A?Y>kD"UpEYk2<gJ]0@R<?(*lYP%+b8$dcX^YjK>YuTQ)R8gP)<Uu-t'/6
+%m[GMfQjAM2ScLSiAf!7e<Pc0Nmh6@TR&Yk8\M#1UJc/2ua$!no!^s9(B2J!>MQ0XXP9_[gFX'XTDDF>G72<Nm,hDOa9Q:F@)eu'm
+%DB4"H[bP>/SP5U*Nk&V@=r3W=%2RI4oVR#:$8ZCI<CprEJ?8f;<2EtcWpKs]iPcQ2-!p'<>iVS/?ess.(c%BX201/IZ'F^#7WK]@
+%FD&Dh=+of\11HI*pNpMP<YB.\8>.[h%KSR&AD^ZjWE`r6rFup=+@G'+0H4TJGg.PuTcD7G`u6HR8js!IbXu3)'s#VD1YCb9+I@[$
+%ad*B^1+5a%]M/d?LG$S6XMQ>^>"'4Id#=Wi5j"H6?IRh[R"?3@\Rc=WH\G0R/OTR`$sO5l-qf0*:ff)RL37AOZ8Yk5N'9jc]f+RU
+%9K>3jb8$Aifj\DKApBVVlSPC\?r,p?W<-o-RUlj'GnL6%[9Wk]=c-(\`s".KHJtFIg>3^T?Qiq6]iE9ZKpVU-#nRu;]S_).S4A1K
+%9'C-J<Z`,Pf"J*m+n4-'-BfZ&m[@uGW3e&5rR:Y+%Eq7!kD]"7\WS:("?;J.V.q/j1'!`i]:m#NhCNGS4-E5Z@L0;?E^8@gq,eM2
+%7'`Q,+S>O(Of!"^DYq^W2VUug#0SR"ONc9O#[lTdQ(\Jk>+M[+)cFHJaQM+sXMC)_Xu&hkqUfJKb46ZlQ[&+6PENR/[0c4NG?;,=
+%hKpU"Y7h=Eb7KD#MbkH_#Eu3cNS@Hdj*7.,A"V=/q/3HFEpcCLZ6b[`0'q8B@>=0G(!,pgV,Nna.u7L`*pXqEl]oL==,q;o.Oq]5
+%^B'&AnHU+-Y+4]j]KOq*Q.Ssu*bd3lm(c3WT=Aht5"8"Q;Tc;++@#H?T\u?U$L[B94THoR6=JY43UmYKq*["S_]Ineo*P/'q1q0M
+%il(<-#[>8LDpV[H+Aulp?%e,[l4_6kH+(q"6>[;1I@omGB&HHc`UST"jkcCr7h3MX+%RGEofX\OT6n.i%JaK+TURP).1q4%!mBZ1
+%e#;Gip.BEmh=2:@_rrB7Fi7k\3P<.C]h]L\k7Ooc;KHH%!#ZN,_A:HfLKh@G%3J@RoOFts(<j!(S93;pf8Y',kFa)5p`[,DfZILd
+%QL#(>NA`Jke*V+8qNFN;3`u3t>^`jLg?sXPXed52bJ/U98bSgo,r:9rMd%[J.Zsi89[u9]Zf&Al*Z*n.CFp5,/d9lBr?d%OHS&V^
+%Mqej`VtV0g*Mp&0MD&c$[sI-Olg;f=Sf:]Dq_V^?SC8LBa1DSYbY&t>.0!sh50GiZ"/EK_44^IiX:,*X!8Te"42n+Ud9[[`A)TAG
+%,"2B&,>>9uK0U?Yl,,;$;M#@!"d*-l@655tI,/k90D9_sbSGF34=V.?/^aF,T<-1P23g-+/js81M0e`()Z><#k7-8[ODT_=[rIf9
+%hS6(l-X#*Nk7KQtNJF(eM%_]o>$%^R`0.Br5n/s)V<+RLMg/]qp-'K2!)I)<E)%:6[B!s6EfJk$$T5VKF4R"j@+Ha[9)'n<"E$Ei
+%KR^^F.p;G$T%O:O=_$lA+JLWTfrj714#23>baW6*I\tY*Ub$7sVVrr5$Of,Ufelu/D#Dlt).cS\/]&T?n8&'60b$tSrgG'&1:AbM
+%/Ha)Mm(djA76.Xukhj1_,\/&P$Q*+B;KpaVJH_"[^gL+j&cOsoQ<BI]Rp>bbX%*k<UY(XR)StIDKT6:+g+6ru0,q>l`NgU50Ub5D
+%b@e_U],o8akWZ.%<AA>?f3+g1X_^C6;`8T!%UL7)9oD0B9,-"JH28^=QutT:`lM;]"g]V`_"e:7AA3N/cM#_Aq@lu3!q1pHaIRF0
+%&qkJ*CO?8k]Gj-X7te(g[b-sa@BWN)1K]pg.nmM/M^)6Ri,-cO%1?NLkt)N7&m)!YneH#JS0h!po*hO4gJ&!'kE-_dDEBd19^>EH
+%b;S.cndX%0&Sf_ZpIS)F-aLc)>s+6HU$`&IC?k`%nX`1RlIssFRZXT&<KU(AZKud!KBITcO(?Y[5%0JEQcsa9#'9+4f,)>"&gc8>
+%P[t.$pjA$>QIF'hY$-'+lO:'i-[QEu&VK7.'e@eE\%iPYE,-@Cjc>XE)^s"r..q=>-hC\^3@I%Z+42aOpA<@_C2,>_8(k^=4qY90
+%TRu]#VfN_p6a]&>\iA5q!Vh&$n55[km&X1C"#=oH\=s3J_LcJbg_'JE:!%rlHg)Lk[/>=lp!tcCc.D-IMsEYpY91sZ#\D@Y;.C,7
+%,%t]H.dd]6q&&($>0NCS^s^Z>W*\8gi2^)e8$$)'ZWfEoX@C>e#VT+,;S'aHC'*s$Sf)+['sZBgMG%dM`u0oG[Q57X14oKR*\--J
+%CHXZ8p$dR5>[@Z=DYC#LWECVihb<00KEPGKeTB<k(]YPj6>Kf`?7C7*DTP0roph'm93@IO)osMV9n:+&&l_l=IfNaSB4=]M[YJ.e
+%QPH-)/XF$Uhod$P'S(;?(VJYi%q<*<1P:8^ZtQGoOql8/$l>18CCBjm.aN!@:DU_A:!YNMXATP0FSHKHplt5Y.UuG'[FKM7Z'kh;
+%-/VMDFDg[M=ct;_@MIDKjsi]*6P,O7%%]51#KdeUShCD*kZabb2S%Ym"CuK(`i*#&a]]Q6Ks4\F5un@P^"I0Mq5-i/Y=p:NRauR2
+%1.EZ"?.UU.BZmXTN&&fGf?(:`V3&G6%6j3#X_sf3nZRI:Vi9*gH_S=a^Oh[+`)kTb+&*J!_Jk=i'kTiVq+c_?GB9+jBm#qW&%cnH
+%^lCq:-o^'/*PjCj("86'!bF&PK(P$`GF4_%:Z>;6>TLJok&IVAKn2n.2G$s%C;)LDJPH%5;=ZlBmm.`CZkeYBbi%i[I_TI<[QNHM
+%pr>76@#[;Jn)4EMpNNa6oiX5R=1qC2]"\7jr0[?K,8dG-qWA<WY)9V:oUZpnJ1P>^ln8Z6aNa&j4+YGb`3t:r1DVJTPP?QLU!:EX
+%CtQII0q8/5j,SgN_PV[Ad:>3388XQa!_@Z*cqkSGVO-N69..@Sj=S1lFlMt*!qNL2iD*fmZs\[\jp59*QtukPc'0-?5.aP:jK>n_
+%FVsQ^qj,KhV2C%^EQKP1(5o9!,s6e?jDEh`dlVCi6npNA%%q(V$hW]C5<g#t),C3rq9=n0p*FWUQP#9_(i"F$(j9<Y0p3M_T_jB%
+%"a9Z`G)rge(`g]*Z/dr,Np)GJGA"o%!EXqt`&,C[?kB_?/LF##(.mr*:KVEk>V`=`Hs(ZR3seY;O/5pIcf"/C8!)kj#-OBhCB"tA
+%,h"EmZY/+(!9BA%YS:%Ej1a*>/$jE7j/+`2$,6TSU]?d>V/9fcfbq'6^^;uRDh;J$nBTOahh%F_`Z`-B'5lk/'3Npt-K)to'3`4D
+%*^)aP;/annd]h\7DF?Md9H2+Ndn<\)co-d-jQd"0n&tPc"q#Dm2)#7n_*_?49hEGW$0RhlK)=PE-Mp4_"u2iJqD;k>/"J]1bS5"o
+%^q+EqbYAM$Y\1^5J@=3r$tekI9Xh9pm_K%*GB4ha.o8a^KS6if>2\t>U&2&>*5rmDT]HjXX?9=)-]Z08e>7NApblqWNCN%4jS?pT
+%,AY`%7N$c'd%]Y`.<^3*9oC6)iXIN@?Q-QsR;$Z6[*Kf`SWLY;4BF[:'#GRN1"Oi"WQ37$PA0o!."W4Oa7)k/>T:1!!WE,gQuAu]
+%8nMnIn$LQNF`>+5ai3W`-R7S'<LiGM_!t:SBee&8al9P3CCEa<r6tIYF[*4&CT4f<4V_+o=7Af^N9deBM2Ehdk,m`c=8**q6Yutt
+%pg_Bl*gGQ7J30`NPNoUtWqcrq+1kF/adGG>"@Xe+9=C^SVe-q'rkao=?.$m4UnYj9N7U3K5bG_QK<=bP!INU"#id3tQ#nX+PZD?&
+%bAIO[$@Xf8gF'JNdr%9N,F6Nfc&&6q4@5)X/k"JiT\L@m#NV;EAHR4Vb[-m`kNg,Ak`b'n5364)4XV.%%rh5O9:r_WVol33H%@fS
+%P$*nT]nZiEO=fiYP2MBLn/+CH_"Erdhlk*]>P%J*-o,JGMk>VA^Ygb>7.W4s(p_WW2E=c\)n'VL0Fpt!5fYa-AY5&2IX7f!VPI_B
+%1X_LNe(::r13MtW;oebC'V(K4Es'`pa,p%TmXO9K3(XNi7f4SLHEPGe=m=c"(_knGZ7nl&-V:#5L0*'h2Gfh!\0<fV8#e=b%k;n$
+%3jLaIV/R1p6TO>TA0A:*JueO,?B%VhDe@mJ!JP2/-oa.;a,hPM9V^r=B?oW,H0YG+!NJ([PAtBK<8[MA+$_bQF6lQf%S)q7ju(i[
+%MI=4`9i>fN1te+SLB;o)f7P'12CGs.d"'0!B#\RoCN,GWr.;Q5h_r5J:1nlQ8LHobh[\MPerm)E^*d'=`\0Q%H&Jn%*E9M6SXT2V
+%k00T8k[0QY-MC[\%uk]EC\\/BTkMYbgbL`#c_!"^k![-"/7*8[^!YW\G:M%>N-d1G+qN6SCCAmtga-M+Na%6,L^@gn9frZ*m;e"e
+%rfL]rP&Y62S\\KmKd+j%5'JBOmG$F@dg;@,?[+MZJ&+4$8R<lgCqEmuIb64pW(Ur=_dR(g:/EOk\O@ec=ioiu4Lcck'HK:k0mc"B
+%rSd=iN<fE^3bGg)HbiI$qb?7(SO7"72K^Z6(1`q\k,)EZDS-5]3%^#@Y1N7VO"?jjk6[`#G;LBH1Zgut7.5,S^mT)X.pWVH^C/m5
+%GJ2"MhDu-*4hSg2#_3NV]TTRihH^AM0]T!$#/,h<5.=5P4r@R7I=Z\:"M+)gDVAdGYGJtf"t(M1(@g=LqAkLPV"l$J?].`!Rft`H
+%0CEuEMj1mj+FfH6(&LU.YT(K'?Mu*+BG-)Cc`-_@Tr8s=OEPS*[PoW-TtS:)LY\(q1-R".bW/,u'q7P]*o"_pE3-C991>=]T,*br
+%`S@%,*Op/@W-ZY+s!&Ze`@PQt>8d$K1_Xl"-B*`)oI/1F<4#qZ(=^7)aCP-FDBnO71/_5mL#kfn&*Bh^lnCCV-H8;CCdsO8[3-),
+%W1"pQC'sFLQSUNCeBfC/&4nD=:3/*oLObX(7eWlE[W8'hRa^[WTXn<[$#7R1MW2mlQ6c.(&MR'8I5Sb?hFn+6pCa\o2o4rH$`l"K
+%"=L2:%%HFlcU)-lb)Fsd=\Ao'#X-\oQ@!^7_$nOjGYpW:Q=RokU9lV.?<6qN<!4'>dlrF-$gr)QD%`7e)A\k6f,@-eLCie8Z@pgc
+%BAmhbS-p(SMf.WC4D?DnB0%sg3G^U]0`l-HO*<b#^g&uN22[T@@t3(T]g!,:>UXl:IL&Kf9BustWT./e(HBE)co!eC+bsi+;@f1!
+%!nKjAaHa-N($jS:qV6:K1"8u_!^QI0n.F14fLlcF=i#j,iEWuS^?okJ_hl;bqMDa-<&44=,QK[`fK5L!0'!]C_bgi`^.Ope(2JcJ
+%nN'LM6^^heD-1]6lT"bF(lUD,q_r=62\LYuNtFRkDr/9h#0R*Z$jlKh3Y3ulrk!9KFjFI=OoN?e;t&/Bi+BLA=(H@X$gu;5U<FaT
+%(-g^=eZ%joWr<k!'iFk"Vn]FgAu-$Y7>TUMhXHE;pgG$nCD7!%S3o_#>$a&TW@a3Z:IS":D,&1(W!/kllZLNf;<rBa$:d/=#$@s*
+%A<@SG2FJ_YVR_:pa%DHT:!$O*]_gWW:(j;f^gQXiL+=N8Sue7G+:\->UkE&GGY%r!`jabsZ&W)ILmu0&$9l.aiKSFMCZ\ugAo9`$
+%Zs=BEW<7$"RLatsgBb6upJ;++J3@ApW:.'%bE;3Gl0YX?30Jq8E<f,e=a3dMJ%=gh$&sQ,M#9>9&gAh"@'\K3)]%h%YbVXM?rD7u
+%UL96^oR%DJ5Mm`YAXLG&SoW#KfeO$tGQF=30PPqE``+^qNPEM?B\6&g=*m-'5DR3_b1##76'PE/L1Y0`8F#=[%C>P8hc65u3Y5B'
+%]2B3@gfqr^1)M=^VAOXOFuk`X`'E+b!G?RRpH!!9;L@%dn:r&=WT)QaH#':&5+,V%p^CgW#A&JVkb1h+3?9I/BI1KKp:qR?BV7#h
+%9_&hmRNbNA7NAdG%mUgRWFNeP;s@u7aJ'E$KViDP]CR\KQ">^i[Jg):/Ko#P_G15qILd+poR_'E8OAe>2O>LE\P(##7_^s`2c"Ka
+%YF)Zn->.J8<YCkZ[2=/h:6fNg6]j5hR:`oa<FWp%mfSs/,7F2Ge^0iFnC@VfXehE&P,W!oo*?QO80oPr(JD%tbo(q</Y`dVHU%U*
+%Pf0[P5i;3>.O1`@8cfE"WtsH[F4IA2G;QY5M,t*I)5,!$CoH"**e<+`MA@Bgo;G8PCMF#CelOQ>cD!8-K@&g[)EeHd=]s6+3Vek$
+%jTTrG)[2mDl@^Y,nM%1M-r!g07^Z-844=Nm[)_*`Ub/R_+d^+bS`q]K!]_phabMGqgTh0rFK:PN9h6',!jqcJlTsYU,Y:I*%34?Y
+%IeGCE?j8P9p^I6c./-J\i'c$OPCW6-<7"prHioCfYb(goEjSWApF#H1__ihARQ0f"';b<Nc+.eI>>N(o;_1b#^c@0NE2f!l_"QV:
+%1;qf&0\9eh2mi%o#h-0@Nni9M[u?q-mO<bD':ZUeSubi2m@B]r99,G_q"g>,i6D8m;GBI>H7q0i(O27Y+S;:VO(/@6:8hL.Pp>!Y
+%:^gb;<=f:Gf&I5b.NuS8C`b&eF^*t&TGo6Q%0=M_XoH``(UMuH62'5Z?lX*%fr]mRMREZ_r>8rgfDQI)?GYqZoN-8hfl\4j9>Qg.
+%Yl2h.!cR#(%<&XIi@WY&q"%(nYtH0(`7^1>^JRGK7lBe+(P(qs#Q]:JGWUjN=LZmP3u2NlJd2V/4"Lmm&F$_';=Y&Ur8I$cpS<i_
+%W>eHj,fh$+>OU2dO(ced4%:6q`_3C)N3rl/Aq8?YO@mOZ]@!lP.c_bWiLZGPm4;eQ9c+-fF2m&K!i@)mEZu/*m?@k<4L6<emF7ai
+%pu*!W(N-/75gcT^%BOm>%:$7%PmB?hQ#sm+8B\_agIr)KPYf#`UN6MLL&60_^ld/F03/`FOH^>AJ=^TMI#K`d[<8GT<Y*J0Jjg2n
+%dL"V^(,^XXPTK0'H!aGu@)3_6_u2J'=qL6_E!+ARlNGp%3sEprL(;(JWD\d,k2"c9ICXu70L?]!8uhra&-0/=hR5\3>+kLqNKBAW
+%TYN]_9F&W_@n<qU6GS3D1-=f-)]6OLZL%q/+-A_]:"toD=Jh^BmfG]H!-^L.UW@EP^;OonZP`rcZA.m]\7GiYNp[`K`R]i,1QWo8
+%!P\S?g(js/[LQ()UYJmioo*\69"'3Q70'[M';U0J,,F#N2RT:iqMjG/(h#AY#.UN#0-E6i#dO\gQcN\)!l.><+N^+>;DE+@3@Hl&
+%LoYX''c>?#W5>,p#g??.$D)6Mh_U'ki7D$2'.Z0_32((#EWITH8t(,_N\upoO_.#gC+lnijAj1#1Ec"OP$#&AoOKe_p#'=a^/pM%
+%4n*5%"d&NXc6?7p')@:XLc5KI4^%MJ>)%PXg&(7!>`uP:I#jTV`/5UKL;k(L8qbn1mVVD<=>a^dUc3LZ!g&6,O'S*G/XX.sb:Af)
+%f@/Qs2]^??O$W1O*:2&gnRBM1+6pI<7Z&ljqcAM8#^VSiW+"`q+NI,o\88NAR.1h01.To#2WJEQES[Kg`>.ar)=h:gfnHm0HY85W
+%]g_A)++mhYl&0mcCWhZ7Oh4)Uei2[<8A:oBr$QHD9F+6"!EO2PVr\fD%+9;nc`DXiR,IaO"Z)$6Ub388'&X@n-F:`gb[J4Ahi7+2
+%MUV^(#6h;6)F5Fq^j9,gfn2';9A=c[]E5q[``FQjg/;Yf#H8Ck%*]&1./27W09J<0_AoiE]itQ@$m"[9empV+1G#C0p^"I\k@915
+%>%K=HM#Y3P9Ei2_oYJa;=j%jc>?25rhL5U*#c2f17ed*\OZ]^r;;sAtp7Pf(<o$@9E_idM<7l>?'N[D';24\V5^IF.'#&oiB&)2M
+%acik76Fn!0>-9BMM7S3fbbPr'#ZAMa-isaWN'!L@iPX'OF#(l8!;`I"$l%RVGAg@_X<&p\1t^`ID<8Hc0mLDAU9lLKU__U/J2f$,
+%h4,AZD0*G]gC?m(lBCU?M:d%UX'L%/pi5`cgutXE/%<rUOWC+$\.0$BjJ/^@"g:5B?j'Mmk@;JYZMk;"Ko@;E,YutVP0?qu)PIEc
+%nblnUBtkak@EKJh0+dPkgWO3K;jb.X>[=kj3Z'<b[\%Vb0R\TW?60XNKGkO?"5f,I*d/X[QM^KCaq[M]^9lQ$4YR>-DmkC%1I1K,
+%cFAqZ=hA7'o"NVO&X-Z-f>>Dl8iD!bnJ$-m5`4\5>86O:e4bn8PAF*VfJO>P<"'20qd>aXE=9Ao#9A0T/'El%FHF-s=I3l89UHU%
+%kKf:hCm-"^#Hsu>7p2(piPYLqqQJ"%-V2G<@a(ps,&i(*?Ee[/nE?@,o;1^qaM=?Qh_9LslOFb*!!^`tGn6Q?FY]c]7u&`5gA1h$
+%WNqOGN&BKYljd<9m\\QY3L@?p`sUZ/i&0k-%QP$=T5.)Y8ff<7J6_P=r;8\.V60N>=^q!%'d)B"cU5JZ@#5&bSoK5gE#tq^hU?ba
+%4cCLe;Js=,TJ-q1&uB=+UI<Sp0[uO$635Ln'4j`WQAUrN$fKo0Dc[-eh9/EVM:/t8.ahG=L[C3_h7l<`#P<op&NfJFHq4iG++4Y9
+%p"t2G;oC(#?;hSXrgVjf3ks\Fo1,F05Y(0XDVo?"bl64XJgXI.oNI%94\eaWd5ZZ05IS8B.Ga.e^ut1j>$HGW!KA[T^#&r@S6*ic
+%!dEJW#7(9XZmB$;oD2X">c8+^rRT.SNhTT^]9ZqDKtQ,DDqCIHXD&V-pg!N<Gh<?A(9r-5fQpA7BDOo0Ct7h!^l+o`$84^!Ue>D%
+%A&&cUIM4scd:+Yt'L3n,N7Jn:p2LYeU6V@JJL+=@>WL_V4rZd+g'!(#meI^YI9MBa>04-NPH.paA@Te1-_L`An0%Ir%]si]4tXSM
+%r);?9m`-A2s/EJT=9CSHe2#b3d^7`^EXW[m_5NC2#2DT^`YTB%E;Kdi\dY4-N7.9<R'3,LkL'!aTi5Y'a07a3CWd%>f5;LF,%tq6
+%!m3L[H>s&m8/LdeCQ)2poq4S76%Q-C+56!FVUScUBZUbsa1+/dAD,+P'mKkPaR_.'+Qh:PfYH.R'E!:m5`\b,\E]lP4oL>NDI&Z0
+%T9O.^-YpN^UX%eLi>?N$C'*D)r_]\2q4iK2b/q_2jA=?%UWu2o*`pj;k_!!o7ZiQHP?i*"\9I6P3)@An47'[fBPtEX(UI9R>gV.+
+%H:EZ2Lr8j4YTC4:Q;AUFLZK?L$'ZLla0@B;a)V\R.&V'5"h)WVQk$uA&+\Cr?LU!O_8tZco/p-jbq>U#RA'VWeQ[sQ-!*-(6"Pn1
+%YQ:oI"LkjqT2WOKSU_:m)*Kqb_J`c0P@2.n$uJ!YXP0_MXa^!K^M*^iVI&RY"?>Tg]e*m@$oV"#3%(PTChMl'YPiR?ai(FL@\&]-
+%Y62=.\!G[@J&"TFTkHnMWCV<,>ch&lAq/]r$',04+9r&-F'(c2/\s<eG`8<9=,[1lNR9-N8n+(rH3i_R)A)=7.iLgi5D!7^q1F3\
+%Yq8=HjA?iF,7giB+;',HX:_P,,'gMP@$8hai0H7b1bPf8!f<USX<M>B[1TWTi=Q*kS-K3BpTB-T+7AT+d[ar+WAu1)C1,=8WAL-:
+%PhSr$G-%7+Hk^EX`uP!28]DV'?*7S'mX*+lN.urd0OH@dWUg+,7rVl\7>LJC^B$VK5Fu0&1Z-7=,C#M7l8NS-gHKBRNg&lVSR2?)
+%!cf?h=/bp@Y?O)\FK<28L^N<qf<fH=HZ0]SV$\nlmd^"ZG9)L0#.G9BI6Y`n!Cjpi27Bf$n2+l55Qf%\jf5FRXd200^>B'0UY01>
+%b2iYcLG'I"ZrJfVVKU[+J\iU]TZdICF:RI'^W430D$`,""h#J:J1\k.Du6-hH?90@O9NkTdKN1r-K(?&lop$/+3g,HIkH.:'<)4p
+%\7lJXF&B`cAM$0U[8bk&PD9>*f7a9S&Eet*TmGGpZWdUm;;[Ee\$jfDK>(2IhZRoqD%@<,;m(lhjB_150EM_/qu!@q^b=9Q6@nMS
+%grHi4^%FsRG[9$Zjtd9W!]2""Kk158s*`,kqX91mT(u_ljCL##4,a^lSo#!$anb0]66;_87hJ97%u/&J\F;t:<g6K?E*dJ0_dugf
+%&"&>M84tpG(<2epo\)hnY-@$3=arq%C'Q_=lN.Jmi/-N*"1TO>e_upL\-L4X(1N^h]/4:A30@8sBalWsFp@oW`Oa+WNFi'?%MdQ7
+%e*=d9GXd9e]Rn#D(5e`7Y=S^Q7fuPa#9"Rn(57k#6[M+0R5DM[7N(tDIQd;s6o301@Z-co2-B_7<0`3=CkiH(]<uit%6E(2]W2WJ
+%9]F`:Ti'9<rfo=P.-0Hq!/+j/UnS"%7m8^8Fe]0\Z3PteXC@da")N5??1ia..i?`gUX`a+aqdF;KcD=MnX)(N]R^f.DO'iH17qlM
+%KZHE'Z(5hL&4mW"E:Lro:N?M>+r*KFc6U_AaLc103)2"HKSbX/ndG`CXSclUe/c2+'6t_UgC!)-3?ePm^qt#/B#^LalR&ek$CZ5S
+%n.pAek-\]jkWi\5fa..DD+uZ]hh#U`ICM(9qW^\A+h18g(n"_)PkCK8^cWiT6!9?/]*mm@4(DM"]'br91FX_7q@pTUF&;&kjl+$u
+%pgX0e&hHW"$k*BLJp08#/1`[lOq5(e!$3DM"@]JGl[nT7VJ0ds-,\]:6=$?qYZ"`n45K9;fIOF-'.@5m5O=]iK-f=oUtXTO9Yi/9
+%Pg7&.El$RIBf-h5OFV[&_i)R7JkLQn4DBM%5oSD""eX7a$NBcBj(#+%_^cP9(T.9NnUUq^2ZV.VOumqZfi-7u(^F[".Km6n4K!Kf
+%#LF;Pfi-C'Z<\:NE@es`Gj)\FF8S9:AAm]A4^7b]`2o&,.mc/`,YN%<->)co,^!=SK[kZLXs=BZ1(o<-8]hCl@FT+2TV$</O(<s6
+%9)ptiek"P)JER0J/>k(Up_]<F;,T>g)ppK/l=Q('M"s"hVK5-Z9l)a\/(\3al^b+SB-<(?>I8.@Sf=&%TB9L?/_A(W5YYi8$\`&J
+%R$&&G=1B(iEc0!"C./@nOT,mqYLE7]WZmIR9gJBElHr`':s;_qD7Y=?_Yh+[pgOY-i9$6,E5Xu]7+t5O@)S=S#/k!&G,gWQ@l]/O
+%`lPQb=lNRo41)RgbK5jb.iFSm,&:R@5\77^co)'3,(_h[&VdeA(#9VtaXH(4R?oF<NigGK\?.<sn,VT/^qai5"#,t0<Qk)BP7?p%
+%Z4n(>(,Y(T6bk0^B&jd":oY8K:tpZRS9,_T->Tg$#J_"rG)=kAU6%^[,K`.uYEVP(po:Am@/#W(0#PIaAmm"[M)o*pg;M;blKd%A
+%!G9`&6Rf8a8eRgias>:<>MU^cUXUKb\lm;/@FP[qR<S&;i/Wd[fYOP>$?6cqN`@qsMfsq:#(;1,Q'f^Gj?e,H[\ji@fINq8%0ZX;
+%7;[DAEsJZZG\gjQ<*++4fYi`S8hP5Jg&d<gWO9IF%cc.($qu''/Ja"l#:_^a,U>$B/7bPQ(Q>=67<XWUkutPTd#7BVq$(^t9mD&Q
+%ZQ!=f7kkp_-oeR$CFpD=Yd']`#MFa]5>Sa>`.[5pfr_9(.,?ZLMY2A_!T5%'(uI^-VJ3HX#*Y7Y#nRY6QNY&Fs3UHAq"CYk#91<%
+%*d9ZI2mM`k5l@5&!#=UK`QCLfUE\Jd^jXMG@Ga.c,R;e\[;.@WC;$h0%;I5b-"f!fK!hVL5-3(e_g\J5@Y(P#?"g%0D/q-u=&6SS
+%ILdZBi\K5m,tGAIH)VY]Y&U*s]VhMtXHsIaa^8\#dq_")r6cB0TVcel2?L=5"-[6WcLO*kphSt(30kT2>)s*Wk60;$0,2W.I19Lk
+%U[0XAEN4:$ln#bq<BV_Y#I"qE+^3'XM&Kn?@XVRJq(mdX_$#:p`4f3TZPj/%1`\TXXqS4C[l%<j5V<nelgn?--41YqfNSPd4!,p7
+%:M!S2>c&rB;+.L<-k'\maH7R\#)$iaps-Z:4EUqI>V]A3kiu=K3*tQU@5,P!i[S>K&5)[7P7Z`t(U:L$oq]_`b@StnXI"o,K.'ng
+%+tMM)E>u8ElPWdB24:[lQ;9=K#8[]E6GUUeBE==$'3XgHC`0*IT4.YcP"!lDP\F8N,W_s+fk3X5eWe&69Li[RjT.i@,b1Tk!1#dr
+%;[!GlSL);Y`1le+q5(C)9)o63oO/3I![l&D5a>WeWs%U3gr\SbHe]odpI"j;4q2G@'N".3(0J>W%_.%Z0q_\09]Q=.rZ.Ea1:q:P
+%BFS`[9JZ!rL`i_+=LV]SYoKD/g1r\jfDa>:]=HG](/PBiq_dh3Q4_9*hIhT?0+eEi0Ir8I1I@Z;;/";XPqUo]:.]``f"A\:3rheP
+%"m6_/=WkECBZe+#++\9e!`-OhI)QIu6_2i3I;onca`_'HY;CFHA=C-nZ56MY!lM4dg'0=<ZZm#SYY'7ilRL!_^A]*@4ec$`,ZBoW
+%`>'WAD$>9>llH0D\Iq($G(U7gKXE/;a=&/d+U.tk`(91$h?,->)jg,d-M"UZpNj$s$Y1]Y60ID4:cbQ!ZU-b9N"j_Deh@lp1rF_R
+%fB`dCT'hET+$oHM!;qT!Qn10(F-Wk/.$f!W0NWit&GCe)37<s'VC@rG^0V15c.7lKXS3K`49c;^5Ol$c"3@69e)$fDZVh60!EKG5
+%>DIb1]b^"lUj61dfkk-e"Q^btW9NLXd<&p5cik[($h)bd,X9B*QF$m/S0I?f#D>2],J7qs1ae/\$H\a^=L@-ON7l`nb`Rj%8SM8(
+%@^6nL5V9VF3pHi284'iF<8<X1;cjJ$>YZ'PgV:eA%Yrc\C488p^E6ri<;cC\W@7;^,FJ1HnjA:b;CtYl@>_&=9n:lk8iHd?'TJa!
+%=pp'RFPSimEXP0J493-OA(?rBJt#A3Ys%\JCZdT;G8cFCI+Cb&._C0T%t.3!YI_MJ_+ZF&0TO9U@GOg8Q0`su^39F>\OIbC2a97B
+%XLr<.l=_'@k?c^DSpu8\0Qgn0O6I@"7EUl:i1?T)a@ge[Z5$-RU0^.$H5+0`a#LLOJ-.#WEXcJ>f6<OL1<#slgiFA8]N8E^E)WG7
+%5gsA^B0?Z)SIVChHfM^Q!MT\WoiJuX\=aoR=64e0/D!eQW#2IN[7^P[#.#@s"/e!T;J'<N_M8W+QPrrkkUZg^JP$YmHe?2o*mhZZ
+%CWDTS\4^lh2_r_5$?DK_D53YD$ModS\e/U38LWaS^Zc`al8?Zjf:]V6DHJTmcu^rP3X,KOU&^6Nn>(hnN[PYiZ<2HNc9.?N8nLP-
+%B9E0Dgl0t<3#&97n0hr9JR[UK,:m:bEk%,<4-c#TPj7;O;fMu),[b;+o7==mj)f5Ln-Z?4cXe0VB1BHO#k$+sN-.s+-MCin4<p$o
+%qGuj3K%DoATNr\dlV4uHGMoq"@Jb_/8KT+HpXt2edhcmjeIRjb;Y<,FbuBr5E7Z!I8F9"Q=GZt$UlC"S4Oo'po@1MBP-?8R_bnpq
+%"e*iAa8m:R4$*]`WcHVX[dqSAIcj>\3!N4V7]hfG%#cZl1C;k8@0g!-n<aYJ^dY43Q4LeFA*=_cJce,V0a\aTGs.kaT!nP&"bUNs
+%5KqlBO7JSN:_-2"oi_f`#baNaK3!(48DDiC17BZV="3&/.8k"')>2H*+sVb]cA)B6[^_"SeDb!#F$`&##Y>K,-!mY*@VL#VaX%+d
+%Jk9aV!k\ca7u%V@N9Xf2_2<7Q_\d2LDM,hbJmgd=IE-NH^t4p'E'D#/TO<l,lbd$jbILqH\#uZBbV:6&es/6J2?r=OSj);saN.g\
+%@h/p$0>rL@nB%l<`8Q(%!b?HY7[[A]#VK=^><$Yo/-k.ToHW]7nu1.Ac<l>MgX:'g>Y-KQ_HgO"d&C)+%:e^PrL3A^0kGtSEZtOd
+%Xc>*f)gLpYbT5gLhSo)QRu&`>,pT_"a3@P;$eB`m+EsT4ms>rVR%nUHa@DZ!;RSB)CbAo/gs4Pq"Lh$_#2&2'L!FsHbP![+Pu3Ij
+%OuujE`4c:?8aS8La-o_Sq#V'S\H=UgcI+HFL<3RT"\Y@[?;?kFkr#ro6*#9)O=TQ$$:!Qg4[MH@pro/bU%\Rc>uLf:7$jb[eq-)h
+%SbX,tiYKGD#Ee23q-*neBF&SBN-T[!&bhd9*E`EWrdCD)SEd.*"<_NZhuKMR`W/J*^O0)in7lWb#S`f\FTf10Wh=lui^u07edXef
+%GYS)2-GZYEh"WcU_.I)>$hOk!p#M-l/W(\6&SK-&*3AO$YRP!pLSJTB%tE$u(2TmgP/gnX6Cq;LC:S>),!YT%]<fV)DGsetS>b!j
+%TK]tr%[)mW<P]^UMFCLf<F`E>8:We(gG2G)%+Z*`k]KfA56:nclXA0r6E>idFG@?F@1j^,Y1eJsR/*D\&hlD>_buRfqZD(\pF[S8
+%E6T?Vh?[A7Jbt,bI3-KjNH;tHO."g@k](!]*)W3Y6eE4G0Q3a6^7l6/KVc")]YiKXaEIQO\W$hWAHok*UKbNPr;(O@"h[@M5`^%P
+%FpK4OM+,"J!?,<)o?]&!i9#gJp<6nKafB8?BCao4cQIEPmsfsGDm[=6?lF:HLSU^+W^k$1"/k`Q37qd=E##5CN9Ge'M!jH1Q'ffL
+%Bub-[Ya`mUe`iMiO>)</k8P_9#4M]G0gH)uNg3l%$b3\u5j?-@fVe%@lHF:?T(tFlB0T6/UM2rRh?/%+/AuH4!'dAtArEpR`ft18
+%.0-sq"mg#p#]!C.K[_6,0,+P@e7HJ\kN?dW@)&'k$,s]dF>((.ci'sN^:YnF]r`O7-K;EUs)U[%l8$9Md^N/uH(3r%i";cnd(mQA
+%`OuZ#LV74MkL&sf`N)./UM@*%&oeCrN+KY-o/6kV;4Z#HI2T6<iK%h7YX:@KXU!B\C1=L:jtr.Ba<FQ7MfCco[*=QP.<A`4aR995
+%3L)D.f\KS12qn\9mrbej_chRC8cdCe,ATIVC@5W%T8KfO7YmaR_[EH7)Ou'`#u4W#8/Aq=hRTDN1[Ke_I2q%*UTCi'pc,6o8"OT/
+%H09oekbj`=YW[L5g8qLJaif"&,;u+)?p'9PlGl2ImDtLS.Q0$R\kZ>",K;+ofe0tpZ2hn4@K';J?p8P-5VZjk=kr]F_(ZJ>-<49E
+%g^@tc>-:M%IeON6Z[a,_[u'2QYU9MV=?,XY^V`@l5^j3Np;rfGp"h%_2OM6oVf)4J`R@1fa,J`-#0pGYVLVgeniIYV/[@X#cK-fr
+%eIf[,@h8K&bnFKYObG]V3c]]OPBg=i"N(0=Z3Q!^O3r'=<3b.ok6h)j;H?d&Us+n_^nRi+R?VGb(B^7?/DoN]01/`VlWlc,q$%1l
+%SZ*)!Yt<JHX^H&357@8]0\Y7A("D#PYIiWZA!kj>A9b)=!,H(^hs6<F:eB,J[^mF/7WL]88&RjV3D?3RrCbmcLeCD6l-%,,:k=YO
+%+MQF1%1i()@ta*+DBPJl%<T'8"lQa%mto8_E`"K/NF1N?dU3Y`+9O\D=FhJN>*6R7/8Lp,0L^KN&E^Nl\#L4.:tL&R5>[FOS-E#!
+%7d]cJgSUl73V;FSObeUDIVeimXFL:2hs,:)JQX'q2FDUpa^urr?(59AbN-mi&=0IpCHt."rrX+!C1Ri9bg;a./bVFd'7_Oi@/RpT
+%n-8a#O)+B>N_9msQs#[#]SN5%Z#@.u#]j+W9T2Fm>.P[MU$Qb+.#sJrD,Ab9",;?"kG&Q(77<s6hE^L>$20(SOc"FSA6<CB/uS)C
+%>E0i`TV<gp],[(bbKF@UL_.+"oM`R5iQTQRH'2rue'Lo/R#JA-i`jGP/LfV#j>!1,Qo(-U)#q'%qWCo-.]<-\DGoC?U!.9`:I`W8
+%A3I!P`a+W,fWh_:jVB;MHhqTuSZf6/'K&C?=%3_O6KeIZ?5^RMAddAgOscMG`jm%sLkOLB,dLA'B!>k6E@n,`bXnogFnL^Od#G)[
+%55X^J;+D9kFQ5iC=:q@+e>97#`qU@B%RuB'<-amC$=qrVNo<-t7=WL^[n(Me*T]eiTQC@6LpHdK35FF#8%n/ke(p09d&+HDn:r#l
+%7f<9EQZ4.R9g&J@TC9ra5gt?a2*@9l^u,4qkBn%:=6]r=JmVPqFgY7u-9oQkPS2W/U1V#;bKVOd_FcC1iQ.Rc$@CZ#=t+CEN7WS]
+%q"!gtYcn<jBli>;+qujui,U&FJcqnZ,R(FYO:P0CKY/h=1--aBJL,_3IsmQnTRNIM.D9;)YET?";M`KnmD\<m,E1"aR8ai+UGLA+
+%[^>6n(THRLK*Q#6N-ri>L#X[T"/H1d[ur#6nlrL1Sdm!sVLpg$O%no1*fl9/P\cs!h.Qj,n!fBt(iX/a#7S>2bbP_\,+"'V@M/!r
+%s+%>ef-'L"Lc\1<"=FtRWB;qmXk)R=$t(8mO&pS("$3IQXH:"IME<&sRE>/M[-7!pM],^2XVj,pVP$nGT7cJ2nj8^Q(U&@"Hp6mi
+%UFDV)(F(mEnQ3M:`1L2Uj=2CPJOm[]j7YnBb_TNQ\2DOI-Sl*;DV#9Of&B8Gh5MMU_m<dSN7S7#O:s3>\%F6q'R[,;Sq9L(P`XBY
+%"rY3[.?P8.W[""$0tdhG<WjPJ<dV%T*H\[t!?&#?YHS1E6Pltjs.R1/Qk17/2[&ea]#qE7X&B)W$$%JLgWJH4@/t))2I)Z))^&lW
+%&EJCe,<+5;Mpj]%Pj'dm1'*B.CFXC$Gk;E9VP:*%,&_nTOQSZf9Yc%A`<lc0c8eerE2%87l&IiJ;tJCR.i8sI^LR8Ha7QS8I^JlT
+%js0m4QjZV\VU=_sRDV_rh'0SN7l%tn4D8n&OV9lp8C$#3"`Yj-LI]BS=a:,<UQSZk'SjR^UG,PF3ndmKj^lkU93kj9T&fC'7>KIP
+%LiICY.QgSphSH75#%o4P/QloB<8biKF7:H"@_WqHVe78kg>.'F;s"?YqKGqiR:@qCpjLZ'oX6<gp?M"Y6@df(H?pg3nf)QDP1%<6
+%=!ja[2Tu2k+NUbiEs@dCs!/$(L:^o'=!fSk2e**jHQ=U>jSFogcXWZ!9M!/UCuCb#2Y>r)nUDV[otPJf:X]C<_m:3[`&Z/Nc7Nbs
+%bX&N(6t=c4ie#U+CP+Xc3.$*;@O$]%&NRK<XIUnp7f&u.4%X:.%28gHf"RWY%D(k:(e#+Rk`3CCAUK:$O;V5`;ZGq-jgMVVkr%t_
+%kBAUYpO<`NHDJ3j7fG)nc_"RR5Qq"Di3CIU8(^>t/OM6*r6Jl+V75en"05XKVTHa0f;6t=5'`V=.lP%$<FmXO%ht8[9b&srbCE8,
+%YG1=IVeW3`EWTUB1$)Q_GiRaf04e5gA<*'m(<g<(qOM/GPqL]T&Pul@2>f\GFfGE4pt1A,[gCW4@HiiV]B0"GG,:Zi%7iQECfRp'
+%rDPHF>!5=\B;lJm!d:o)_`K9XCKV`pd6JJW`**'K>=o$t-3%5#:,O"2=4bu4E1CTZ?h,7qqrJ41%aYR<f^nZ[fpVP+!8p_i8'j-k
+%-]C(Es"on;'E//\fG,1?0>0rl5YoMeY!.J:pIf95gOABupcs]b`uo3L#-W5S'.C9:8PAe>mKe+YX>qrdbD^nL2<14T2Ol+4Vk:Tp
+%$9'.+;BGT.qUZ!*?rSekaU;?,EO`m,6?m<>VR"e$_8/$F9O%*N(hCnq)NS@IPI8Wp&/_%h\dtZ@,L9gVSMX-Kj^=Z,qph$:rJNY8
+%K=1hOg[;UBK0LFUEI^RKg92)&lDP2VZ;)Il5^!RofWd5)%/5g0Wo]jS$W'>&'AQ]ak.s^LFACRQ?<G"ue,qCp\S7PuDR*Se+MTPE
+%n"BtXe"ik;l/,@$=#Lrc0b*j1+'O8gYfser#'7&VA8&&QA?j=F8-A=-T2T_Q4S.\Xqdp'XHEo7q<FDg<57*aV.O07#Ms?N`WJ&=P
+%h/=0:.`e-ONtHPprf9@aBGXo'/pSc-YHVVPO/QtP$DmbKbET#q(5'UF=JD/amUP!:NboGk7ob^uQ++(qQ^SgkqGe1ln$"_JdH;J-
+%G5V7@mTGUMcD27=URG&7DDs9*('KCQgY3LRJh*XJ8TlEo>ZY0jTn5;<q^^`odFZXT_+,&(b>hJ80@X,#l1^Pu"PEfh4PH+ki'2fr
+%Y>[(odB?o<elX9CB8fd$^K'r,5!]Wn^8cXKC"d?7?uDQ;V9G_F<%N@$4`]-q%0,,C8+=$O3?0LW5mi-WeD#ETfe%`,oADaj2VsM[
+%G"<'4+&Bg9JG1?WS9].^URJ+9-6Xi/YiN`%%0YTrDi-u<cW=<Y^ps\G1;WMQ"JoWNK<9aLCCnm6g^N7dCY^q2McRkkk*P20mJF,(
+%97s0K[L9$Ff@gug;@@S=bAl5XA@h[NjJj4''J'bF0Y:>C\\1<^a56M7#cm#7!%1le>@;VI6$\0sr9N\J!5]p6$=IdFBp<JCbl`Fa
+%2XP:+aAgFeY_1_YRXj+>8k51WWK_3Z!A,(GUsQCl5^Dhq%&e7E!X[DL>6f%<YGTd'*BC<7`lC.M?IRAo(;otWN6AQq(tFfH6bA;A
+%g"\55r-cEE]T*ep#4hQi8*.6u8HPd"]7\tBEBf_s2:?Vi.W$I9C:HO$(@cO]%A+'E&,e/K+Xq7.GbJqll6%GX^V@.X9s8H<ZKX6X
+%s-f7`eGacQXiZYI1V83C"*uIM4gOe_Ms.B)Y+9PVk^g99Na/jB"2_/FHJ@&;Ej8]V%_'dZ'.B`3&n&%VhtlZ=BqYqq9gBa5g/c&V
+%JV*l-hu>>2>.6Js0UZkkg"S%*PhN"`6!BXZ0aEE=QpY#)RY?QMG_ARq*5nTZ>1@2LC(LQW*n6Y[*^T8GJ,3U0gO9;$`BY+3r?d']
+%JIP9tQ\$:T`\3&k7GI)D>OV2!cmFRp32d4$ql;4JC*tODUeHh3K)9<(K2nh?Jg(38.N^N-4EThaq7M?ig!ZVg`.]"nnoG.i1qI_S
+%RW*drjX?L=3=+&6s.QPe?'aUMkDg:I]97afhol=FE$k7d\B=OHY<eD4ibcc+b+_q`qRW"_B@]ai1Q58sXQW?KTFQude]2t4_ohMG
+%pO$1*\P^!ke%^X>]e+^@BH%*Y*+?W)DWkiqY-"^T[4?OUQuQ2b_D2"+UC'@qG*"`>DV;-Uh""Jli!cXb6),d^=/-1Jbo#e<K0N,G
+%Q\,%L$bS;p[H=Ora<dib0%Up&(-PnRa<Q%%\ncF?cG?,NC[h_K)C!a7!QdTiP;HK'WE9A\VdN@l'Vs5(5Np(P.^i$8Vt.)i:\ms2
+%>7:<VVj"&t'f.3uWIReP7ffT'<kt0fO2XKn75KCaoTH&a(OKtsq-P2:F(]cW\kl@bNa+d%cQ2r0cY\kH[t=qk+rCj6i$#Z1=B8-!
+%>DOl)=9Wu"$3sqX[d_lJ$S]Ga`#)=(_&YrA'9*urMt0#?q[a>,K\cgd+eK<r==Lda2NXMg#5Wc>qb=k][]Kc<f(E39XDZIg[j%(h
+%gFLe#e4j+9ep+om`XuW1FFAO(!!:HI)TS@b&Xk&t1(g1F[A&&U\f&SOrs@b]!(IJSOA:bC(A<Mm(hF[<`^Y)l1_b-!L7.YmDmX%C
+%B=]oF_XTFJ<c?0_\Z`h->YW2.,;%k"@Rn7:WIsboJ8/3sV<"CMO&V6Ol3FCFKjBg.NNgUTWcVh%,iTbm!ftR.CiC/QWehl4^;.0d
+%C1>8IX,56"%PsRU\3[LP`<fo6T_D`Eo9FC/%$U6gZK,a1[TBE2+:kNVcp38JZ7ZXmZ/FEH'Qc.rhiG$P1qCbAC`ksQRSb#o)leM(
+%;?-SQ1eFBF?`\hV@VR?-]/SQnZLt=N(t?AQ*2U[_cFZ&dJsoLfA]\bE_idMiSR?_pek,Vp:mG[C3.C2[e5Nr_[&4X]I$p0Jr*7d/
+%%%!ZV'YhuP)QG7$hUE7eEtCVj&IK7qe.j9`C!7.i%4pm<kda\YP%4NbBmo>6eiE(-q]IcVWS/r/_7U=;:m=C`KgQB&C9&5Z;VT^Z
+%&X)[\jbi><_0J[Q0Q2dTat5=_B%>2U4fu_o.P'1)%9c+TY:Xmp7J49rG%n12qs/XAF\$IMJP4O;XkW<="_,U6ec\s]/8G8P!`^1=
+%Mt//%R2"b`qZVmk#)GUG%&9OU^Y4-](?2t&P;!."[:daqjT7&;ePG&PLk;gSCP0T(-RTY`U($'`]6FA;=(H5<5kT;/NAR1FCIE5b
+%,$l)'g%$@uoKrjD&_e.9>9AK)O0Ng;%12/$ONRhNQPcl>&e?@_'S=QJaNmBXa<4q@a:[M*W;VCuA(]ujpo]0Q+TfYO*.K&MHMp]u
+%@H.C^r>8aVj*oW&NidMM3%h1A^o4AB7-5rG*j.(tmP9"ML/j#/AF98Ep>=K=P*Q*gDqE\YaOqd[J!C)jXf]qC[[@g,ld5sAAp`@]
+%[0IS%b*g8sWj]VsqO?"ZPYXGt0n/KV*4[<mc/tZFrD,Yi%M)KDLG^oV7;hK#[Zprt"hRuZlIK*V'eH=biAQVIeg`"/9)S`nM5%+%
+%45`3e<Yo`tL9'/r"r?\(I#RQ?SnuRV5:;A)"+=RV)F7l=6H/+)N6Ek75aHK1=/:@,"+,*8AO_kYK@Jn,7GH<#FX'OB:mXnVQ@4Ud
+%#&?*:kH&lLXii=erKgi[RanZ"F0RbaOB0C+Q@#DAG(!KH8id7D6Po5Z>MQh9?<CCJl8[Q.`;*DW1pMKgYUno,$M#kS76lFcTP8GQ
+%[`!)M\*=L$%abAi^rls+2lWZJf549)iO[9j3a_VQ24VhFZOE`UTLks[.+@Vd;XpoJ/jPjuBZ?-hAbp21GpT;p75n:KX;Y6j1o"-@
+%![k*?;AH'%8XJ_b1>iM*In(tSQ]b[Y5UHBthV4Klnn."@Oci?u4f"*(g"!KI3l@d:(LJ<gA@cZlY%7G/s4"aLXsM82-2%K)*Vtft
+%8p4-5=d<>Pr'NNN#I9CFL?3-U@2K+BLt9YY9bJH:%f#b#Lfc/OZM$JKRbN>3TQkUiG+PY6WiXG>>S1m*24VjMq:(QQXJ4K?G`)d3
+%!@G:#C1l'q]j\97/ma)F/Vi:8I`:3N]<HXtf3,pn9_HOgfX\lu%-+nn8%u\?%rUHpi/s83;)U>9-f)-)(AYrp(_f\Qnl?\;B%\VC
+%bsa`HXlMo#qk*$gf`ErLQ58ihnkoJPBS<!6+#bp,cmNl>G?%N9p[Ca,rR6&jW*!1TFLjNrqo3Y&Cbb7J#O&QM$d,N^6Zg/q=l,[M
+%fk(MP@65eI9&o6\IB4Oa^26c`br_9bc5<$-<8W]PX#dnBaT>79!IjjDYrB3DR'"CS+K7JPGi[PtRC;>DTq!ZD"*Eo[^u]`,DHPZP
+%N6JkW9WK!r^s2nLXR/FVc0@+fBT;ajJ<'HCm:9!RI:rX'J@^S9/l`DGR5Cla+_Gepfk=?V6)`JdY@9%_o$G@Skl5AiP#?ttR.,N)
+%fgEg)FUI7/rV$!aQSDQTUC.8Rm=h)tm=1%?/OQ3<Ep+P1bR@f!^ffEo;.uQ75?-M=I2+'o,8SM2I@fQ_Q00?a)A]Qlf_B9H8J7N/
+%DB)UL9dU1&bqRg"Ynq"RdK1fq$Z9Vca@e*,6;225)k\-=):YkMrX@5Q(q6`"SEl<LaQBbAoAnT%);K+q`uIm>FKmgQddA'PDt5;'
+%)O!-ZZ>/LaA6'%8%:iKtg]O%QSZIBq?Bk*XX;SS2STUS/6jM9/RSKuk,%ENR7J5Hke;uc4k#Zdan&ND^?U-FS,=hj.=,DaX.KK:e
+%WM=T279Eu/'!,K0!C9uUp#YGVI^n4%B-$&iH0fF6l[c84cI,fOoj4Kc-/9g_nC+X<5u!*D^KchiA]8oq\N3VJ/Sk1H@_S.L1sB/,
+%,>`O[_BR)`)0IAu,n*$UCA183jDutaT7Y/bN&W`8^:i=b^sqa^!_*=;2;o'aMlAYLDkop0`hMuq(o>FI_[aT:?SW.4PV?r8r&3D<
+%Q>IuW+I#'lYi_7t0]$pJMXp('N_O75bVaB!gsT*B?s7=HC-\-f\8.qejlp6&pokf(QR;hs;Op=T^jMI6@Ia88HX&^P)(D_[GDATe
+%a*RZ1h+,mLn;`A$(;(/fQKgUP3J1B=5^u;@G6*.#H))c,fF49;-Lu^cj3(!?87XTgat35'b[\=*jslW=VSsDUS8J@%1=oa_5q94R
+%Km^L.">!?7!g[+F"=tom*(en5'r9!:]OK[\["@ePjTPlb'GiONLu^52T_gDuq".Bi'EERg*lUks*BmFQ6<Wf*lh$$gq_<NEff.o[
+%"B._!bJ<?U:5H:#KX2eJ>f&8BC)#]:=l7@=>r1eRe)-<Y#.BM;_f"0LKt>#^ccF"YH1K(8T5W6>EVY`m]8pTnr%dNEKG-PaPb^\C
+%_H;4b)28AXXhsG/b$]OH^9Y$d.o-QPVECsp8'&iTf70lpX3C)Bn6kZW.-]Nlgu9pJVsTV.(&#*RHFUS"dRfk_1\m#WUcH20[mfjK
+%9%5G<_7Ja8NeIiaK/ng]XH@%-L<hL*Uorn-VSB[nE_OeZV%nYeFVhiuao9VZ>L47(*Y]%%Y)7/+XL</7fD0.N[T$[.mF2(Rrg)9O
+%do#m/WW^`Gh#SWA1f&c5A%t$^DRa)!YuN9$"nY']NeQ"bP(\Rf!u#')%OoZ1)S>8TA5g>*<<;lTL`h;!(OUf@2aWD03B_?b+"?+_
+%0hLG\AH<jeX?qp3=_%ef&u:&.r>%NV?!HGl79F\\"s2aL!^&moha0_]!A`g=Z0c[MJ-VN#/`8)VVXBT.1g?$DY99S*"<#s+aEnfJ
+%i:o'[!;@`"dni:lK+p$N!@^-l>BkS,O4>-Gn8]W<1sqltQ=_(m55^^_@\*[%Kn$YXRt1"5/HXoN>m,8q/OK`mJg($4^A?HJqnU=,
+%,ikdj(-idM]80bG$!*490/B0JjqP@-"CE=f>/^:*Fs@L@8IqD@[=Y?2\\K9bN4a%_)&@-$Y`<$Xj:i'$Td+50**IAtCt+/Ep?#Ka
+%Z31RR'!Dk^lCg16db&Ln/mpZH(YEfUU/5P)5ncMF1Z6oMK,.?0>`e@]]%-]$qIibV@Q[%XE%Q!PjYMfW]MqoH@oHrB##kJuf.Z7^
+%cUbSC!-I%3KtRWTc[\jfmK+#H>"gH3pVe^l,Te4/$.E_^6hH8laO*](=^FWr)],\9V-#q.ik5_^hC&-FY0;/Y\B"oCGssC]"r%F.
+%KnA[h16JZ!8h.UfN-s2R6BTXQJJk5NB4.P3%fqaF:dX+U&-CIh=+a'aRfmt=7(s@)EX%nHn951`JG?q5AHXP<YVCd^T+V\Oo,5KR
+%:djpOEhBHAO<TUXh<mp.2tkHQB"--h&(iqt!5Y.7i,SCWSh(%Ej3Gp\qua0+2[tAB06au+)Y7'qa/kqt'FCl-@B&JQdW<fm4`M/B
+%W6G[i6IW<YW"'Heg'%X#O^Ldg\PSb%3d^,Wjeq>H+(DL2*R,DHT[,fSc4MAl!=rF]I++,Jp$lUt3N)G0K5.P(;e'^%3B2T]=B;k5
+%@2X7fjT(jqkdh+H3*A+N!\t2@+p%#nE(QbiC^"r,"^!F\<4=3Ip#/Vf5QY+2hPK^YL#"%$I+SO]62/nE1MXr^5&cUq4?Q6p;bN](
+%nYas^F86/-)>K>8R)kh2cbUo3.)YI4E;s;+R:Hm%eT<^dVoFqZm:GgfAWMRm2RD*)5./qgikD^7U'I(0mVk[l,kDcEZ/OtO5e8Q`
+%)a>;Tb?0'I>THs5O%lbYFR7c,H/T@UParL3bNt?^WP@,1i%a6X-?)s<AJ%e?]_N$ipoO?E\L9fE=TF[rc6-L*SpO!QV<A*f]AOJ'
+%8=&l=5=[sflh1^TY)Y3Z$6hr,OC;o-H'722L*jf&>UPHq+oE5$=SbsZ59`@[@(3p5mC:J&Pe@F^<#5T'kfI^s!0_pA(2rf7DE#f_
+%*&:*#G^gL@4-+NrgN.^BOT(_cogYrLPm/`$/Rp1**[1VpnU?-mk1XWHCBTpN3YmgV,,_!Mn*o3gg#NQjl1!4K0UsnrV,k@FXDSp'
+%H'&[#2>&JUnp=-tojo/U3.$b#^!6V3L7H)T$crRjmA;6M2[b^2XJ]Rm`55_d@4!",a]B-/-[@qn2n,mBGi`XfI/q9U;*Q**`;4NK
+%?FUD.!1+RVHdP'?%+<D*GTG7W'48ZJl16,o=]=iN_^WA3O8IG4pG.NQo<rZHBW>TF@8o!mE+]uu(%`cVeY0(Bb3I>s4$A3FD($K!
+%aj1t[Fg&0o7pRUN>.se)eAo\tApOqP//^5U_+=DokQXZ_K??W_!m#r.'H;st,D5`i*sk<AN,Jpe&a9^Mn2p9S,u?4RC)V\a*`PAV
+%:F$1%"&-Y!=[7j_L5q\]gr1>^4i3Xre=$bIqt:;i,>+igIPUVPQW<kSb4n(Wl.Hs(+S#>'^g\%W:,<MIJJ]Nrhic6aN5?):J%f<p
+%<.NduMD2iQrSV\%WfiX/D9?B#Hn^juEI(d@W_KrEB%\A.NP.Qi//)6*$hdNg0+4^1%9@N9r!8hI3^9[^#3,2MFgDIiC-HE8L-]<$
+%!qs<o'hiNlEEd(d:1Bb'j!5c6C.sODGed_=cM$r5L/b)6rc%4&n9-7LnaHU]@h82>F+Wn(Upfa%qZ4>eb5,Yrl6AO3e-RH>ii<&C
+%=`<2[V5?^$.h%C^$]+e"ku(/-\9R,l[4O&-O?2LI;V,(>^6(WADbQ=\G7rik;Jp]A%/b4Z@GXKjQ?Au^W(EU`1gETo@i!uak;i_F
+%T(<ArJ2Aia$K0/HZ/.+RVCm5c$rTm:/0MA#bFi%<5<b&!2tglMS\a?&^!kjDD_0bINoZYfo'hBtH)u3ibRY:k(%8?]><(d4%kTG9
+%WM4@(_f(+4[J$?\b@MX<F9Gt'XIaLu#uU6s=.K#VP/W`jM\a/MpZB-1A#'(V#W"U#Q+$V'n)#kQ(lHG<GFJBLk2uej(%;6Kf()Lb
+%_COj;D=_e1N!f#g(+XYJ)dr-pVVB1#f'@TG/dX0Qbt"Fi!ktiod!Hc*Ftmn_S<eobb],Pm=.mQ$5N;;N3VEqtk8t$:3*e)24omB>
+%C88kYP:9BOpVf"dFV,<":MQBYQ.mM7%=U=ZGODTg`d5DePV>Xi^,DcYZXpUsaGc&>hAJ`)E!ck1jWk"cQJqXD!dMJ670'79=]N(+
+%*FTSjq*=]b-3:>7V!WKo%r##cNI;-d1Ou_D/_6+g["<7!MVIXQWgd"-6aHI`>q2;U-f8V*'#.ah6u!gVQn&FMDU,3H9ds3(UFbT1
+%k[4QSf4bEg'YoXOn9sJXH.HK>PR;YhD/*Zr'/(M-/8;<q320U/]VnQ[H2Bs\?P<t%\U$OF"4a50+e(MHcD[0go=epe:ugG;[^M7A
+%r`1-:."K"=h2*MPZX;+rd%o7knA7s^,91"n80>s"go0E>Y,*p]be0DQ89`s6&7/t>(UMS5,-^bHbt_%VRiNk?nkhXkNR_lH=s`*g
+%_"A%,<-AX&TQpqLY'XppA's(V*BDCWe:Re"Z'GT;"3oBXi9H)>\LZ=cE&8PJ!Zp4Xan*RVAm5lA_$Sb?,A>rFVG6:NE$l^I!r`MQ
+%gnPA9B<[=(E(=E%"]Y)X!^^d7j[5V*h<KBt"Vn8Q;Ob&k7,fCHg"J'e34eQ5AZb@OaZ;Ia4VQTjc<f*5_3V(L!Zq5d*';Q[Bt;`h
+%*OniqNO<$&&&CP1p-Si`d8p)R*d`r;b2sq7k;A.'Tc+Gr4BO@3d^OL+L\.`1]RHMfFiSC(HjL3s#d!""FmBY>P6Z9@b9<t.c'KBG
+%e>4:.b-]m"DWQkWiT=;8h4*06L!^lHc\)hEdC]FlV>Cn=A*M;AXAV1Qrc!9[grSZFJ4C\3SUli,%mY]TZZE4=TZd/M'3)bncA5ZX
+%)=I!?Yg6QJ@%)WgQ.0<Bo;(D-1o[9>\?/-[L(RkZLe6b9D=Rd*2(@g2!NV6*^K:OLAL;X0C<Ol+_B9QPb&5qe]XXDF+g$Es#J&;a
+%3\5VjlG-"Do*-6rG3oL/`:Bu+ql&XM\'IXpQ5Vp%]1l-T\b0P=B/Mot(\-6%@@[YY>J"&/fdLiUD)Fr&@jje+a5-b0VIB%\R1W&h
+%(*-eg>r%V"q)2V?qODVJBX!t%b7fFZfMfFFj(AOXF$u)kSrS4KoeqHsQPI5NV,kX7Ihenh3bL.cUUg.TdW5_m`<*&lj8KH5\9IS#
+%M`h):Mp1!q+^?S_/URPul\Nh`A4,I`iPq)b5%KM('6BR-j=Zu3)6TW*c!^=R(:eNY,u6(>>3jX0%D^T#ac6,7\!d3!iR^`g43\n>
+%CcDWca.6h(a1?IPT'TAVE;JDpKPN=pjlH&n7?<T)&=YUP:G-D.D59[N*U2D?f5JmF6>"U!E9:jXr,D\+NAGpPCa<h/RHGP#o1rHY
+%,YZ3753K:BJgMW'JNas@@Lk1+i%&DYl"RUt8HMhd,Tc:2jNk'F_^lp]S6#>Z0<d*s%mWb3mc?9XE3VpQB3n$sA3UbnO)K>N.8Jhn
+%X6V?JfOl.;]4kFl(#\E$IB7oiSi42UMjMR]lNR!A,;-ETUG8L*[\J**C%$rtV#;hsKoqnAG%uL6DY:&\F=>)P!ou.^3]95fQEgJo
+%mgh-8jF84E-Yltgjm6d>mK[.ph%p+Wc!K:Z46+d^2C7A^/`r1#S!'(W?cIij%<BG"c[<Pq@UT#ccUP(h=a-rpD,7!',@ed;(jF!$
+%;Iu*Erc;2c4AP[]msOM8=IqP#E:bL]-\7s3+=cr24,1Z#T>3kqcW`dEhI#\)$=kp%8.AC\fXi=-Gb+4,TZ1OkJGR*&0kq_)5s0es
+%.nF11E*o1f?Qg-Nqt`n\G:^K7(o;@9,4T`.)6ukM21bR$kn]kNrBMhuh!BFnl%*K/JZs6qjXiS#pu-BU/TUZ#V@g5m6&dL:@Xobl
+%^!6FeS?/B.1]VHTL&ugKJ/O7P&WB.1h\\lSV,MMoBNSF\bJ[k<2-,I6YWpqpi$kVnluCkXfY$_Pg%p`EB5k1Eo'JVh0`DuW.,P*(
+%QP6RXT>AG"]q61c$4?n64iYP_W*I%lL$oE,^YSgEUi/30kqe</97sX%HF^q&U-FTrK.Du!3%4>p)@'0qQ>[e;jQ*9-!iN"qo1=#G
+%=3B-mh@MJkN_p<hs-cPI*Z5g`-t><3a$457qpN[!2*]>=l8$d7A(p1C3e(:mLEdu-d*`[G;DF=9W^Oen!hN!n:flc=%/c$-0Rk_<
+%0=Nh>C+=`?\.moh7%Cc^5i;^OC?#eq424IK-rU-)Ld#1=7Ie6?PTYs5gE.64Q<8N1""X]B]E2fBJEh,PYg,i]=fP(AS78Dd=UJ94
+%n"A`I$n.LpS]h-/?)J?Z6,fh4@b1ZAZ2QNr$l`Z9DOQ)=Ka6LEJ<G.i-)\k_\:EGS;rD_3<q\S??pq=Ia3Q59$/Ph:@fp7tHN>@_
+%^<"j0Dh*&41/:To"f,qB,AJ:YBrsVTi<!U:R_rB2%*BVsalFFg]3QTge0t#2<(A_JBOFMBND:C:=?k+GR80*#qjIRE.s>L6=MShE
+%br^/eH0&!"b"Y-fDY=>eC[f6WUXcY2gKf>[IBTl$K_.gIApD6Z^h^!A"d*6L+:TmE1Z6Ye'2U8>,6rci5:qrV%X)DE&5\;F9gFFN
+%>tH0U`IGbWZg9ION!2>jGB4@8>T\60Br##c`erfin7's,dmM;c?LDbN>A>5j?qfm*f!"1E#[(e:b4)LBmK0eT4i5P[&28]8!k.K@
+%"F7TZ*sEbuT#'abgo[O@!jt-TK%hWFTWbAN[ganB#p=qqY<eN&4@TZ0gB5bUU3?ZR;+HWjYMeo-hC_+F3HGIL[#&O<M+R-coVU3U
+%/)`3SrHkODZXp`b1S>.->%cpD<WTBOB;lE#FM:)WAjO6=f+-n+g2aFI^gVf6*!"6f7o7gjlIZhF0jK9fV*50+756#cVuW'Rj#2O)
+%=Va"+/RrSH8"4EU_!>N^qbl)&&)0,jV&Q&*'PpCYKVH_]@7%;#D&H)L'OOsH_sji_G8Lqd'gukE^p++1mq^k8;NZCAJ<VO;'8Jc:
+%S-U7A&I"u+JTWNl$Wa6uMBMD3:Kr&R0"9c\&5VAi!n)9(e*<n`3Sf:b@seQjAt(HL;Ll?7mh[dcKFbn1"p+V!S3^\MXHuiSog(h]
+%)rS.HG;(>^a;/3#,0SUI]%#P@\W=@bd<=:JE9sm$BpIJBf96B6]sE5D+se)e9bJE1qo_#9R72%EV^5\<_NF3,W_u>J_R`V)@(Yn"
+%l!+Sbl,e03L3^#",<HAc:D&eQercDHBD5o+fk=LtG`Jb@nTn+Y@VBEpc`scu=$cuM1pb,fH<f6>9@I6$3`%L$Q8=X;,A:+WU:/bU
+%+2^bSW@:_7U.#H*QE(VN%29AXX)S8`HA(U"%_b9F:o!]\#F]].Td&aW7+SWeYAgHNI^tG4)K+,0fnr/<''=Wi"dp/7Qmn^:aCGc^
+%AK?/P!%IZTC&O`!0<.6:oYhRQ312N>FAjO@%aIQhn?@@cMqR_"In)hEqD1h.LDM$<9k?VX[_2NH!]`2iY7DFh6SC\M=mK)CaNBq&
+%a\H'[&r^r!`MSU<CT0'Fg8@rd*0u'eW@eRW(,0A4n=s-UZ+/.=iptDb5*L6'q!3R/NM06oG:FOMD#3hN/Ks:@oab:/%dq1^O:uYZ
+%H&dlK*/XPnqeW*m"@?Od"f_X"Vk>'nGShBm9>0tQY.gWkAe9e_Nu.\@F,K2W6!oJ[4p,--,W14fmJT<NHnam*(9m276NDL^\W>R*
+%[4Ak9Oq/rnPuE[*JE0kUT_atg4H+F'<60b0m.94@>.j+fSB?lMlS4HTE/Qf%h-[Sn_QL@lDIrK9L;,@[1YjoYnE-1_@mfG]o(k9G
+%E6YLp#tD@'`erA@_IJqLL!L;oNqG&^VX1FpbC&9Y`E#H%4RU6WbeBqk+o\!;IB*AJ<ar)6/#>hVArTCP5_-<lrOJP<nM]DMbi.%'
+%eFVMnp;Mk@X-&N`/j-5U*$G"%,X2t<\s=8EqoVXtAFWP5YgeFmO6)Jo#3&XZFG:WhFGBO$jeNk$fj0VXqst52K%fP6^LD"O%uVB4
+%;T[p$V6TQpPLN]6Mgu5B4E:H[q;\p0jID=A=NWIWO[jAKA@X-hjT?(W%Dgf-RPT"oBr$EUG_f!u1>c05ToMo&AMIam1S4$,CXeKE
+%lUT)u4I&T9k'*)I`;CIt<W)i!Zek_)4^'WX>m?k-/q^0)hDD"G!u;u+ih-g9RVWHmbr(V!KQ`OBal6U2^7Qp!h^YZ"SRKcEGNNc6
+%:QFB#*NW`QoI$-EnA]DVA2ZV<M7(YgOd2`hf+j\UQPDb4[e3,[W*e..0>2r3N60$3VqZM(5)\'#;t#UjNmUXT\fgY2eFG87AodLH
+%Ih-.?>"[H@'5?1niep8#U>^Bb]1[)6Y]s)NZEVktTUGI'?!&!a]O:0scFdQQ6#`E7]%l&[[U^Y,EQ:D?FU`hUF3)^>1=<Y`qZLQ2
+%5qM0t%O\@:%!M9\FV<CR25kB0h<d$YSADb!LPL@-&UT3ZC#Kd7DcZ@bKo7MP'o1tt_:ALPW.`%fRV7c#I7r/M`$m>.!.DB+C4-*1
+%e*FY<Nrm`<37_5j<WUKbZq_#D>QSYmRnOJ1DJA:0U)ST4Rg_thT9C3YnT'=&h]Ig56=k*%HnkK@DrC"\Wu#+#G1nuP\$1DF6skb`
+%_V:PmlOLnPFHr2$,/.Al0LCJc0u&DG9FH^C30n!#"\p&&^;JHh/q$tM^<Qi07mR+66E?`mq"tk<!=_%0ksDB$G5C23'4AD=o2asG
+%/RL6mH-=hK]$p_H)>FE&Do&p-<<+r%gi%Ro_8s<ABj)Z[6#O]pG?4g8ecNj>H$d@"H26+j]Ti?k%S!VX+r>)8o?JFG@HflTaBJr&
+%2sq+N(*A;?Ne>s<M&)mrfBK1S^\*\^$hnfed>>K*B^SsH7j;6KM$hsE3+eqlBa02-1n:[Y)Pd0B%b+l)$["*`^dQa=C*C3`j==NO
+%CHWQ-b(>fF1ec10KN^t:VJR[ZZNYIL,D3#hh->en'J4mmGrhon9@MqjjfN$d7AnG[$`N;0'G)s&=/Us.+K#D4p#Q[iMpS($]fGsN
+%K9RSOFBZ?1gF^4;R!N*e2)GSaPLY6PEAo8!pQ*K73I\lb_>\:qWsRSk5;-&9BYd8*DYBDJOm$bL^nb1icCP?%PCB-_T!2@\dN=4^
+%k"_4Qa<[f<7_6j19b%?k@tGpV>:cADQOTNJ0t^E)?i+Bi5Ag+BCsi?Yb5[[?;*+MO&t1Y%;m+jk2+dW)c\>Ra/Dpi7.fnsEJW!G6
+%@Q"M=C`0qR$asfQb65?s]=jrFTV[:%2=OF,P)SbQ#C,ZK@9r@LFI8[/ZPF<nT<(JqYe"%&`jKVGWcc-mbUQl"S%X?aL3WnaAD)EW
+%(jfXJ0Apse4G$e6-g-(=FrTpk!uWXZC_rbhet9c>Q=)YKLca6PR4HAo*S,JMdgRM4UU8eI!m"Rgh!F**"]T,b\LpkkdGj!6g\_)U
+%F/kQ%Fru!I7kC!M>"6VJI:d</(#:1=&+l3#I\)o"\i$:oeA3\s"[8b[Ne++>@;_b'!s-,F^$ELMaX`/XS/p_1P,31?(7[UE72RoV
+%Up/Ci$L^dm/l4XPC#VQOL?\j*"=ZU2[gJH=CW4pb!QKksM(6fAQ,[9BbNGG44E<K";o$h1#@WP#057BfKdEPc_/KUGfEEcgN.BNj
+%UoDi6ACWZN^j;OnRelE4gB:dEdQGftlie0LW7Jn_@W'oc;V1Z8hsL@X0&pF("?+N2:9,f*,k3:in&k5dN!jsF=7"uPen/VrQPS^t
+%ZDXW=]'2f,%n,lLJ4k6B((tQ_!rG7eFW%6aJR*mWo#YRN^cJcu[*nTXdMEi=><q'3V-UJEX,(6dY8:D.5(i1]EIAunKBD^soHf?F
+%Heq'T6kg3:De7@0`cBq?mB)_l8.+:nd^Br&;/GLn#V&%>+!SGG]GJS?8Q'%9@Ks;;1#G=1)I2VmKB3mD^sh[_!SoOU(>+\)!7U1t
+%_8Gk'Q8uI*GRI)."2CLiI&F9CDUIS<b+K+:Enb7^p'5El9%@ksJL&lq/n[ukG0YY;RoW=r/s%>$QH,^R`$8%Zih^"o&DDZ40*gG4
+%bIZ#I0X`3iB,TBnkToOfb?/Y=dgSPF7@h+"W1r2:F]FKMpUo!(o[XG=7C%R>qd5,qF^\:NZ8g::Td<S%?XKh$en!m))$>H`JiPtb
+%h(9"6dEQ^N/o5In2P3)a?b8VUN5(\&eu^S!I:5hV'faM<qDp(Zr>!lKW0hssI$kcVL7@;Df1Sj&jgK1^YUdJ!ej$"-TTYbICU[>+
+%K^N=V``FTq73u2De].jUa1?epln0+72t8j^"%t3V+%h.6m=p.*PXu'oX[oPLqeTb6f4LFC++o>m&q7JL)[eP]c;q_ulpC5MFN5%2
+%k'i?Fm9\P?p65:`]Ss,S!j:'T+"e=:&eHiiY<:,hNSSPiUdZ(EQY17d(e9!Vhtq+pbYFlpq:M`KWOX0A<@cu;CA%h4YcD8<,"Mai
+%=HY9!gKg-1Vr;A6``SUqDlWr&/PeTn1\b@hMT,J]?N.!Ts&X^Kq`k#G5JR6WT7?a-J,&u755hr,oW/#kqSutBnbS%=p\O49ZGuDh
+%GGD25(-e$(kNS[6H\S(JRUGP6aM\$k\t?Kc??,m%9*%'6%VU$JYj+L4Trruqf*4R+?sXB>iR.o&i>s[(Cseqa/qMKQ$&Y+IRE#gB
+%:+I)__/@r8qm88X+_$`H?i#GZm?AU:ZZ@r3oBj,!0%/E0nQ\M]`Qk5JP=49u%l=1R3*L'*HuSDe#8d)V54$Fd<n,<4&@B[\,-nYG
+%-F+GZ-50NW,$0,[Wn_LKb_JbdK'&^,DquE8eS#\U3.r5fgeHUeqAic6E"c*mO(k4!P(U\H2L;Y:C^<h-'!g?g+Z4C!:k\N=e;jo1
+%,qeM/oC(6>YCjOrNhhIuni,de!BmV'i+>8*#\./bTE]AmHuWHW)N"d&+4/D(<A5g/5Q-_5Lo6m;#9Wt_UNgnn[uKK$IMaFj_MJ9U
+%"h*I$5GSZ,K-RL#cpUFkUuMUeUfCbEoLT4%IfNJdLo>a>1=4Sd:u+%[_$)B\.b441Z"isQKSWgY%7ca$Sqf`2[Xj,<!lQJ,"@Yj0
+%PR8\hYlsD4<6`,/QS$8(<cD"e^E>sele,m*@'^]Y*,OX8fF`>,>2ff"D2scIBZd'/#$7=F`rn@uL\0rOV24miY1FTb(0YGS@V;%7
+%[kf:'l0(g+$3b"(")sb1pL]k0gQN)Xe_NYN=$UsQ_R'R"XtS&"a"G_kd/d9`.nC8k@ak/UWUSV-[923na@VJURN\`'K/5\UO_o5)
+%dL-hYCQa"k$V'U&1?4k9@E#(Jod$6\$3pbK6sDAN^Ok'r#=*7cmLlcs,-K=i^m!@.QI,=aG0F57P"t*#g&^]s]j%'sf0_elQq8jR
+%Eq\H.6up+$b>Kd``kmnd=@:'`qlO#8^4I<H+!b/lc9]gl0aS`N(,#A9c1;"k\[.stfI<NG*Fa6YqFD4S(dW<:_9m,PC5^[9.X0m4
+%[iYF+"TCKTd=r3=lW.R!YQ?nnOd'=pEGQ9!e_\phE4cHYMi79!^U%mfU-+)39r#0>:uU,;=")(HBX=8k`3hjp8J+SBBg9Ca-+D8@
+%8&P'FZe.3#SmJaZ@Sm>pNNq+*2EA%a,/d^1AI,5]k7^2;n,feS:.8F"oK3Fd=q9>LRWj>#8J5:dV%/3S95!(<C='8I%k:((Mi[-s
+%T2qcEW`LY/Bs$^MWn8[6ZmJ+KBamM@XT+M1LGD.XmGVM/DDr8b.9gMBW;B/pg0:#!@!Y/q5njr1_UGgN-O%XgMO@2W#GoaBMkk7p
+%eKJBP%2E`-o[b@g=0<"Y/5]-W^n]uFYet^LoQHksob$2(kcSQ>(q@%J2je:hf.I<VEOr\+!PpU-&]$#eLEc@%nWP9bW2ogTURr7<
+%5:r@S.'_q=T,-KP/_tnSk&2G-+9d!^+7MNQ5S6eJ$(b$34J=hj&Kd)Z4Jbob;(fMmLo1@b5=stp/J1[pa8?L0,SKCDpHO$t9(AFc
+%i^S&&,&YmIDbkh,8u1u34idF5&PiZnI[VI6+s%%ZSl1V3dZd#8T-H4=`dVAS<>=qe<95S-aobWO7=7Aenq7),7M\>l:MFC3da-^I
+%C-o^7@[e_Z3"L*k'QH0p[.nMtncS,bY9<Kf!K2-%'Q0LQW_/gION'^$:ob<V=jFVN5T:C]SrsMU\]Y/NR=^M?)2#Sb*;)*/An>mN
+%)%EueiH%%lIg!Ud6kOL0j@Y$I6bpTW4-FOcX:<[%l4Q]5WfIo/$=BBd8F;Ci=^5-s)0,50DZ(]ceoBF9-@&]B,"T=.6)?T*eFY=o
+%5jQH=TGTX3inVWYk[cj#b/"KskP5Lm<ikl#X[e2*(_(%e]qFjdR+(k?qr*KGM7tQiHAt'g"d_X7\+IS+J+1jM1AqE\OT7m,]&_/e
+%H)&SseXo<-W$1j');U`WU)`t6"-M[mTX0fL$)CqRQG*U[mDad3@JsC67-9/QNSj1g>("tsN&r=-;LYGjX)/;Q,teoT,Ia26TB`!n
+%PVIQ)kMT"&-W(sh1d7)kKnpalYM6oSId@P*T<W^%lr!+R^5oU_]'Cbu<-_uSrB]k25E@"CkZFM9@kt!eZg@ohFqj,22"-;Rff#"L
+%I<'nf*@L38elH**n@I)2CO).]:uQt'I,>$M/<0Uka!U^9iT5oTdN5[Rq&EuegcS@B<\MWgY4dMQPTkR>2"W61W,hu;"PGdc=-`Q7
+%$H@DBY=u#<*4b7!d4=JVR/<R"3<h.=^u\bJ1,&?mSg;EVgYj>[iM51C&@PA4N%0C.R`.`[J*%orQk9ek8Gp43;T^KL+!jT:hsgg@
+%'`mKB"R"p?[QC4>I1DcYWVPVcD`l(UJ1#p'7LiTN^V_>X"2]p>$hrH/]idNZR'_pV%Og7f`X#@E.,<N.:rLiF$m2ir\@$\i&Pj<5
+%4DcD7cut!br_/N5gs'<qHU.[.Rq+WuVt&,[K-EKmeFBoBa$]_7MKmi+jCqh\LDD-^ib?;n%pGGbZp?DY:Re5/csGh-'amGmD;=]h
+%`QPA(9SbsJMDUA[iJ]TX;g$="c'rS9AtraY7DsH:%2,g<VdQa.#Qco-=W[9_($oeE,f1V/[D4eJ]lNP3T_HENkfZ=*:V-<`l1aeF
+%2irmkTTdaOSjO%eM(%A9DFRG!*o2,f;2!HuH:+ML%GJ`S4-2S(mgG,L:-)uE'pg,C;^;mGK'dYU+BiH$cRN4*O7L3P*SGd!5c-NH
+%4Zcc`fE.X@1rR!jXh[@om)*n1-DM:,-=n02i`nCJ8jE](*fSF9^3@mjU@BVj4'GHn+?X-HpTlYH^t'@)fDY6i7>ru6,t,nPJ9>@4
+%r@+ZdVjIX;fIXp]^#/t_@K9mRf5'SAp)Wd.#RONPBd?-c&*\Z`lqKi*/(h:.PDH*%OJY$?ri1M#WJ8gA[7qmLGLo/YPTOL%>5I4F
+%iJ572n3"X?cbtbtXKQ"Mfr\6?@="(c3'$c^7ZlX<3f<RfenC0CE#e#,4rO<ae^_Zr5g6T=qcP3<Ai[2Qm@b(g,b[KPRNse#Fn#O!
+%UVPd37W1_qA!kK@q`[G*DKD!&]4pE.JEl7)1uSWEJ`^fHV<&pfB"oT@>AI1=ccq9bL'@):3E]J\qI!1P6kS$D^%M<8^rmuKBpuT4
+%Y<NZOEPYu4dVYKi`A]-M?3`r\A&m`RIYpQlbEKOp"<\jTJ#EUm>*M:g*oJp^\tq&Em)K7R(EA==M!K<F(hqXZA34M:N9)IX/RIXL
+%rZjQf9aMQ=NK/X42eu[6@s2m:'t;TO#C:GMMr,@bWi;!7m7A!bShRCFATaOEPC?Klnk@a(p)P@N'+a^2H:N6Cm,a#)e&;^F5f&X&
+%!%PJm/-F3b^[i"VDB03qUmpR![!SeKI0\h*Gj5FAV\;gCj;bZAPgB]7qi!OfNJTnc.<@7@Hdmh,lU9hFV;l8nreV8E=XJkdG:H`d
+%QAQKq+#J!&c%"AY+6a#\f:mQoXWJ7nf-Ffj%n':0^2.F-CDMBK]<4Y9)1.EWe0hfC.N^)'hOKGB<lG3TeXSEYU$En!P>N&B?q8]0
+%)W*jcCFq^*`We4!I,T>@>6df#2>;>"@62=X-lYAf=NAu*pr,bP,V%Y<<kuDtCp?7!JEO!:6hA^A)^\Ia.T\q.9dl<;#4O%F['It#
+%;sp3`:@gSc2g?b[kWZS.C0JU"it%V*#31E]!lkr%?0mS5_/R*N7raC<r@uoV4W2]6$U:"ZOs^ioDCA46I>]0cSQ=;#YpOhmkgLW%
+%@!O+\nb$a"aU7O1Om<t([5ps9Z*,_r63J9@i=D&f7)/Y=Hi3)sc?1Qq.F]"9E$pI%`KK,d9f0UV;'+Q%G'X1:'jVGE-+F1>f`j]A
+%WXr#SH)QbpnBKE?3>mgrbG&;<`ABQiKcsT9"gZ\)&+EtJT$:r@"MAhhod!f"s(nsLCm&\`m0EZo2mJeWmY)dl$h9+3+,X7poVOU-
+%"kEalgfDI8-b)*u591@7'?,?bM$k@odj&8XbY-et);PP)0*O_BQ8Dh@O;l@s'g+I4]rD+8?mD]gg+Sm#aVHS5U/:2%5A2:t&m1gh
+%mNa6u/CjZ`?Flb3,>&)M/UbT)0bt#U?n)VYj]F%:P')(*$'P+*Jf6(SS9#b8d`9lfBg!4K'Q?]d=FV1TalrO'%.C=sE'=qDc8PcN
+%JA]2Z?AA[Dg%YutPQIH:!2ulM#*P'AEZ*0p/GHu8BRH-6&<RN-ZTUU[XMCA2L8^3\ZtjZUNY:h<VEpA=IJ)"1Ch#[H0q!XjjCmkr
+%,+s[T'N>Sb0A)53=YFIQ$A.raU?.teO;^*;b=.3tXh9T*L885@&"q-CE3%on3j"[>Jn8De)SWJ6[r$b635bs42NVVq=s@>+=nXYU
+%G8C7nKOnt-`e(U-8L[?j=,[mGC^8].$CZ*qYeu@R=L"P>iu%"c"7aWa"?(8^^Uo<s!@?BD(9$.t7tU=]G/iq5TP["j\F,;eTIsLB
+%0C5CP0&)kXa/@24RVq[$Lp6';?up9gNE<oe%'PYGWt5:N+bP@p=g,9'j'nnUp<(+Z5)[Z<==pgN&\9h,\G;+4>C_;Dpe!Js4%/?2
+%gQN_&C,`cP=)1BVTk,Cj<22[ZktfX9D'0$JX37LA)>+CGLcMMahZ-9OAm-mrlFnBD:=s#'[5?!0Z4uH6j?Q%n,iApteT!9F2hGFQ
+%C,Lb29I/8JgXuC.RC<k]`mM1M"'0@8e1\2t()P%BY)oQ^q6@PSV&U*PW8T6EjN.NH([Z+sZTG["0hMX/P!.\E`Q"FIoLT6[7/D!r
+%T+N::T`qdTA-T5hLSa10c%70-,<.XB9H!JNB=Ud^+X=DS1e+@%W#oEkE#"&nb*=WtdS0l"2c[(c\!'$7doh['XN-/dIuJnc@+:<5
+%56T*!4A&gGkW'tS=I$IL7g8*8dOhb5@%YUnc2u\Tlnk[PZhTboKc3lMAkuftYT#/gbBJB6=5[fof1XiJ5nt%\;`"!'TV)nd;YNFm
+%UZjGTYtGFoL\"X=K$2Hgq`$FL.[e#Io:4Dq:r/B<.E[6+>8r"MI*@Oj8k`jTV8H^%IVp`oYaeO\?@c.V.4;$Ea&]1-b[sXl\)9W0
+%5TlO\i.;`mr<VaZ-9r15KDLV%+*CK*J[d=n"FX.kiW,U/P8sscfR;,oM3^%b*<VD0&A<"Ba3jd[#jOMROqKF%l/d]d*J;m;M.?T-
+%]#.P4=E./sKs"O?5SCDR\g]l1ViOl>Z%=[M'\&1;aJ>n%JW$b6,Pe$AFh3#P+MZA/N05aj_)Q)g#K`rp$^H+snH72ukDmb>V<cj;
+%lcIq+AkGYbKWJq2hSlQ"8RH1%k@eKp6T2B))i;r6@Nf3idp4Fh2Mg#(&F0>dqDK8bUsl(A#uV1&5Vg'(7b"*$I'@KHkPT(QZX*iO
+%7^fZ"^%i2Mr<G3QJ_!49OU+_P1iF<]r7'K?kYD,.*\d]?M@e-la:u#R41SHSqkS_#AiQi-GYg>2H4-[>=9bK7\P0,+f>"f2*'.NP
+%Z[sn4@B9cthdHmX4Pljkme5ecf%)E/<r)QmMFFbtaR3]g\n7WJ78iQ5r.#K:H<M`A5]dX?QVhG.m++un,hU`c$!*DP5CD$ih6a8d
+%'l;DA3C)Fg[@EfbkS$@J#EoYKOU?+EVs1&S6\FJPrqWG3C_h#bej[Bt;T^2F/g_=gEdYWI3"d8^rpX'CQZ*^NE(=c'K9X'ER`[;[
+%k!/>gK_Gb]^0B`#N&GY@bH:C#D((\#[tU\UilAJY`HlhTE"<LAQX`FD/YjqUlg+j$i"fHk+.7fQO$f2qokR?Ss2:p_JQc:L0rU@1
+%O!9/g19q<$-)A&(%m<EB1,:)9ee#3MdeBCKCiPc'+6aR%HApnnX51l;NfgT/GR!?IUf"EA7Y42/^bhr[&4rt*Oa+1'[$%;\iL;f@
+%hct>\+k*N;MTnXcC;D2"VTH7gA\=-oPK3pHKl$"BThD1LS;%/WMV(4SiBQ*`ZKNn`8.-M.OL?j+LSV]na]Y':]L1B#W!Gi5KC!/H
+%&1)n,=IP\?$uVX#<lc3i2Eqp2#.J.m1LbBj\)L+-J'hS('_[c#*j(&.o3Lu0:,IIJhNeod7<jQc'Eg/<eT6L!YbJ@3!INKE'=9MB
+%9rtR4%BiC4K$7+?=bAIkVkT-j+5Zo#1b9EN^",bgDM/=2!\sYtPJjXDXDQ/6j(QX[O5o"D!Xd0u_WgL8s&Kt[8'M+BhUohkB=Z$@
+%`N\W&UN\.k"B02sjNrO'\Jr<=B?f,=8m>Fbr7WBXrrP&jK-I*`]5dI2Me*2GB_Y1be347RSpab1gCZHjS(NFVm@<p?Z.^+@:0&g6
+%Vh;uZjWZ6mn+m&B6fRhY#Hi98@.p`[TLtRQb-+!PY\:B(FD1[P_9^?Z,RCO4,WD[ADXf.9#LaSn3GRK_+0^8,SJQ77R`=*>"j99O
+%^AAGk.li^`.j-@/]Hj=F?,Xgjct`1I!>hh!LqDt\6-YpqrRNhu#m80-\s(Z:nkU]J2Ge0f5-q6nS"Z.<Ka;X12l%rB=@S(R`RM*Z
+%$-(4Mas_kuJEquFG'`?[Xe9mU)r`<dY$P$EZ,dt+XVESkc$-*&*%Zo7]jkUDj6@/PDoiN&pX,1KQ_"@I'QUY+aMegJAih/f$1M61
+%V+T^7Kjq`5WK247L!?c[ZaLN;+1a,t:9UNc+RNofb0eJ@Srdo^8JGHR0*="i8l!l5.JGkHaRhRcPLp7[cXZQIA%Pm-!hurP<gV3a
+%5'!o?8"uZ6*^4moRWi[CerB:@1kV)?Co7g#U'DU/>%,C9J-.huWVJ/)Md<\L<dOA(]NMrg^fCb2qMY>\;/5oXSL-F3SaPG#Ea-j&
+%S/QkZ$]fC=;p#/!iVCSPUaW2K?W*_4Z[Dp?J5!HrH,[S54#dNfgV/L5+4)$-_;Z769s_<uIl<3p:Hpsn8VG7r4oH`tT?lSIoIN%K
+%rXi-hn:9\2Cu/>K3Br[u/tB85SCc#hGFH:M#)c+b9ja-bF/Ji].MVa\8ZC.X_6OP=*<th\JCQe#qqRA@XasP2Rm\qCDqGG?ml=K=
+%$@_<1VCk(IC?i2`11qP9P(:qjEJK609WOrl8]s;*DR=9PAe=)/<^)D`K%b0?/.XO]`F6n+88e1aA.".uhKoj%L`ig,3:f^e?_[ld
+%f_&>3c'sI1%jXqBm2*V>9[+B6FjnQ!^]Ik/f[MFM4)'N'[XP"o5,3Z[SHB2ZRU8K?d3*W1J1k3^,B&cHq)eqg0gi3W5RGi,U%g7r
+%3_Q2JO<"mU9.-Bgk)L3;8r^2VPWR>pKH%'S9a=rJ65U7=LaXpBet+NCaW[LX3Ib)8OC?9(X2A>D'=-6__:8iUYPb,+<L]i*[LX&q
+%M9QtT;+$1QD+:mKmO@?nl5Dao^/JU/r(n;;Gd(`_gm]8U40`XokmMc\#oidRNF>$Rh2R6h=MR5C=c1MY%jsN&Vl?O#*Y+dt62+MO
+%BN9O1%C0UQm^k4CWGa1F=8uO#5I?4>041WVMR"sEUD=F/W+^Q&/9PG-LrLkXTfV>A>9m$%^'`)?_!&b1J.iY+hTEZ"e931jJh.g]
+%V;0:EE@<\JqDA4&a^X%!s(m@Dk,H%^s6C3?WT#I']df#"ICo&]FTtJ1bGGPZBP#o)r%L+_S,6#d]g+/F#V[M4b:d\'g7dFaDao\G
+%lk#jjVb+hPn.8eg<QVs6Q05f?,BHQ"2r>"%]Fk6Eq8!>eeBi9"9&m/iN)Ul*bYbMX5:k>SM(2!rkb%Zg#t53P`4dN^^uVWC$R2[>
+%(2_Z(1#5.?I25YS,SYfGH?G>9Q80^n5<D2dA.TCQ:>:?NJ=dH.,=^qV_%fA7_[;utMirROo$O#'kp(i@jg/u6=i!jJ9qW]#3\.[;
+%&7WJ^g_r!TALcJCe"UlMKi3>e^V^0-8p$!h#IYF>j3Z1)"LM[V%m2<EX9<gk$Y\4-U5D>GVu<9'KofuT@q?Dhd('hqQ`DB.[&?mS
+%+!sHuk8)Fu#5)Y@-t(ekgQD//q-d$/CeU`S52!MtUdF7K*ZOiiPk<m4UP!e[OjKgJB'/Snl:Zqh+0O`*31=.%&r9e^=IE8WBlo&#
+%ZntX9"W2+I.)H8ME_A?bXgNRGr",f=O7/K^8+DicE8<s<"kctA2qPmL^;[t/ns$'fgWW_F"LPk:771OM=`AO">X1GpIsa#?p9eqq
+%Z4A,S%;S8cR"C0\YtEHLg4(=edrDGt0A"==nF:D$($6U&NaOlMU^*V_=n9XsK0VJ1<)o90aMj'E9CU(qfS+U(WPh?bPA+`o"h=AC
+%dD?M"OaNY,6HM2$$fg'p/9[r@_br]^"2j^HgBq/#EnPYk*/0-A:%Cs_GV+%n;YRT^Bo#U^NKK^(/g-XW-4k4Ts0X'':3HZ'I.L3g
+%2m5BVj[Kc!YDZD12RER+^5R4,Zo,:N]TjA,@LH6_^U$G(JEA^&XqT["KUT#.@5e]jLsQX(<Y!=U5Xr)>3I.0KH5r/&kRns]=BH1&
+%itE8G5mrL?nokZjQpg%XhG@IX)/fY[RJ4o8Usjr"&dr6Z$rL+W$Y-Z_()H'&f"tO)<^[O*h3_C6$BKmkI7I_IYK[E#!3Jc6.ljW9
+%5]:/jV(8/Bc>DaoNnp^/=2(X)6pSb[X)'V;#e0)h/SX:g>'?JChe4$sGa$u*IVA7>:MiWH;/hHN$XuC5YA"H^`bFC3YT]B`!=lQa
+%8q2_i.#G'#Lf1A,bDl!Cpf@4.$4[GFIo['2!BR;jX[srcs6t,Ple<XD<Y=8Fe]\5@fE%E,2L.Ck's4n\'<JUcP<7-GjB@:pX]O2Y
+%U2]V.'&m'p.?t`^g>S<^muXomHDVbmCmCNL8<Zn7igl$\_87F[-Y`P;@l^DH[&rs4k)iIaUP,s)9%G_"N[A"ni'e3]YY,Bqo+).I
+%%9+RI6&J6qX^IgAR,+,4ZuT+HND8=r],&A-&#07N3H:?[E8_+*#>7O[2*V^QMhqB\/EE'6rS*MXS4EN,j8&j>He?$FY`cF90__Wt
+%HVsu1?i`47aJuh<XRAK=BX^"&.4,7:PMV.u:#8F#+JRZtC9\<=h!+#g&DQR3ZZqH7-./Ec-^n)K?$k24LaAU&<7m[q@"tNG:G4ZW
+%E7EQ<1oDh-#IK$'e_aEOSb7VIZ<Y.h]]h>R4QFYRV@*..O+)=aDu8/aJEnb^B'M&J(-e#c>T1n]-8r834!)ZY-_TRpBVn.MKg`k!
+%ieIu/Uib7t/.ge>34r,\[(rZ&I>F$t,*:;(UT6>:5E'"Q;gs$7l!XpK_b%!:M7J'C>hqAsUB-m8c2]SN!$VWe6+Q"9&/em";Xd(P
+%`I/(J4Y=\;qa&,n@sV=>0i-`9V+f\KbV5L0nqn=p_.9+M\pu3cfV0-WKle)K(gjgZX`G7/6+Tj/S[KkClXdI(53<;C:Fmd@`(E5#
+%QFJGY/c6<i5_1K7E,F>?*M^rkZ^/OS/dsik!_LS9nTOe<<1a:TJ"qVinM\fYVYkWt%)0[kHfYcTpFQ6UTR*;lc?b.(fo]+cgiJ'F
+%:VY?r;8(=e(;!)9K:8lt6h7fdUUFD0K8dM3#0N,iIpHA!Q3>rV`_3r3*M+L[(Fs0%C'$/#[^4#]J>mEm<fl\Y,.m^3h2iXRg%7l%
+%P.Gr/:_K9dlt(<jjU5+<VGD(TIIQ2s@)9W;rrGQOWLLGKLj)Tef)p7-p,u2&Gp;"q#fSUM62%K*5CdW#$B#:?==q([Q2\JUK!()/
+%@j?b6GJ)^KKQejc0'9'=r5GR@r?'Y+m@XCO`<42Zk@ONsEfX=LA9s+4Ia)@C:U/mnnc&CWH8.>(iCc5`*eNi8_;eo5!HWZ7/YI-+
+%gVGrJ'57_#O(oUu58CG!-4s>ir<FbOTe)jKT'^s@4o9e@c2sR;bBa#RA;faYX-qLcNSR%1L=$7;%/a)aajqdO7+Cu5Gd><%LNahX
+%jRr3jG!r0LV8nMH2hmF-^N*tU[\O%ffCf-7;]`nTOi4Jr8,KYu:F+G,I!Ri11rDhueMmNeZl"o&J>FH_V1o@kooCQe61@$*R.G\G
+%blUMW/>)gb\B@!Z,JM,-HUGofS&uW8olMiW+i.o*?<r$,>]Bkr-XcWCked5P-c.<aBdi2!^A/;tf[^CN2F=ZPF6tb\]fXAl]i<>u
+%91C/&7)Wi7Rl3F_?1)PBBnhc5.GT*@2gt9>OI7NpFX)//G&iqD/^FNqibJgu4,=oF&[Yfg]C%l,+\bdKY6IZfjad4$j9P)NA`0D[
+%_!GSojC=p3U%k]/]oc;:]g9RT*eRodDE9JLMf*>l0[Nq.Ge;8AqoE^7JYVh+s'Udo`aamrcc3Wr)7`d4a`oir-q+#rbMH)D_35;'
+%:RFJZ@6IH9Iu>DK'A:8D,dj8Vl.aL?(;8lON0KE>:W!^7M0I;uTjT20r=ad1RGqS&cuWt!oN-P:Rm2;s`F&Z$^3t>-mC2!Op5cua
+%a%ua*5Q&FfIf8NcDu]@ZJ+;d<\OQOAf71"(qpg1ErBnWns6DoIi=E^&rGV]&+91iJ5QBlts5S$Is7a;*rBL5Ef=t,ArVRJbs8INC
+%bs24+T>(9]^\n35qepr^:]L>3+MW1"LMss)Vr,[os5IVeo[h]EJ+]F?rqNdKqWm$Es8KLZJ,ep/?hr%Il!IcXTD$$Kor%,*r(kqZ
+%r4a'?T0Ag<rg-F\kPqr<qF;.e^S-k(q)H;kYADSCDXbZ9IPl@#P^;MahU%;260ibYR:/HbqgsZWfJ5"@#g&nrgrrnc&/_:@@KVq_
+%q:!<K6l]?k)BIEBdR]J:a1M\l^+=Ioq!DY'j!5fi9tFF.0sT?n:\RT[H.uQ0s(DLQe^8$7qR1<eJ1ud*r#l-L`MOVG4'<Mo_Vi'%
+%!H$`aom[*W+_i3=jT3YJqa%.+FnSsZ]TGn*5I0OG+J_ol'A<=Yetk'"P!`o;bn&-Sr:"?f^cd*Yh")TD0e58UXbc.Uk@'q/A+6]T
+%h]@6&7Jpu05COKRp\TeC-G3^[n*]EFqQS[?UV!YR[tc'R>(3pF+.kGMcMqAJb^]52\_cW_J,G@oct1u09A)>?B@Au]n$.N,:+VZK
+%J58<Weal!g$.4"GVNk4.8D;K_$I&B?#-2BmC@0OXa6Z:ig[l8P<<Kf*[9_\]=@\5]_:Dr:LJrMFV6J_/07?n:<N9l.@Q]ZB5$taX
+%4'8P_UpANsZ2p3U9:;;)BW&+6cY3)p62'?cBeC\.@tHe3cmT^pDW)IGXd4k^/\F4<@f=iY-L`iNs43,=hZT%nY8YC=.eTUh!]?&%
+%iLP=S2XS*DAbgi`O]5L^[sQ\l5eR2,KE:IG)EZEe8=Q#4&FZ"e_W"-VV`U_@kf*u]oH,#XB`0bCYLAAMobNG'F*@&R.EBkL,8<5@
+%$VR2<-cCa1petbY\p,^:U,f/A@R3#rF?ceWjVFh<nX[7a(TT5P?<>PArcI=5OehXW;C&j&arnM;6(Pi381%AE`uafC)u%kLL.Qt*
+%3jE;(TR$&"baH@$GtF<HUE$-"EHS<0deTfGc.U?.W"e$;>qeN8gMUTZ-Qr5:TL+O*P%9m3D@_8j]n/U\pua[r(.OIU^c[7"dqlFs
+%j12Af<?qgUbkj1E-c>^r3$ghP/T%4kXBVT`6n,$Z>UM]\\_,"b5c!pED10"3h1<I3M$>M8PG%:G;R`GKHl@?[T#J4)/udog:#IiE
+%1q++569fOsY^=u^OdaOJc`"'=7u;jZ<q.6,4VNYc<a&66-SK*RhY^h1Pr$V#ea]NNCt*FIe"33RU,RK^ghGSnBcXLlF;jsbW7fAg
+%,di*_\:M9RU>50D9NLKtb*q.JMoeB9CEp#hHA3V@do^qNNcj^8<:4giR_V%<$s,)qdcM:ao.roQ.V6#80@Mrm;Sra'VPG]XALO@3
+%VfC`?^9iK+-cp?%W23Png04]@h.Nie^/R!9[".o>ZdgMnA7u+jKRe$aceV5`UlS>bo,oUtE[.EOBL1,+((bLQ94j=7;^B(LSS'0#
+%hr1Sc.*o6/gK:-TWCT'JC2a9uBGd^[N-:jQ<aSLh*VB1J<%!p?Cl>_H!5[a3f*GJZ,!/SnUQMbmJU(SYB04BA;O9]"Af<1HL$`hN
+%Aq8(t'7<t]aWa`VC\7#2$jaSbEZ<"(OiL4li_km:mZ[t`J):TZMi.pYkNkH!gV@[1c'%f1lf?k7D;Vi15?hF<fcV%XZKd5-b?!oL
+%BjP*p3o+BLm0Qa:0Ci6,QXNrE3c5S_X?hOH+KWN"kkJ99-$"<dZ;88%^;FaJgrD=c(Ze)gFI&8qJ=1Upr!i++OCPfYPEiV_Z%ZGq
+%JA#jA@a\d[rHfunh(,J.OWQ#$BNe93m-r6S&:T-3o_Bo_&QgB)+FQfSI;;NjUT.JhCfX2$&V-2&C,8r`qKgZ]?e+lK>M/VtfGZhR
+%8B_(dS^8pRGV@q#jKN0SY?9e]ZccKo^_s3X?3,2:9`")HX,.Y/*YRA7C>CoWD5h7>r+Re92pC[Ce^1_.Tk$H0KL$(u+V.n_#bbBg
+%jqU2spM52b.7ddPemb]=Eh)bDa]DR6S<Zb,%>I'XHBosRPV]*'+A,_+;J.-[VR@;(`mAZ)5$SN&Qtj+#:r.L&+3Gun'?-&B0.,%[
+%%-8k'nBajSOFu/+cn<aIWdn6OX=%7ChaR7;crMu>pn/V/1p$CSn-s@Z[T73h\d)!O*>L8sUh2^m"s8!.)Is?rM&htk-AcB_(hS0r
+%YPMWpdBKR'(jr@Dl][Gp+e/-[W6tBLpO9(io)=O<d"m%fOAlV4Hu@PKYL-57VuYDUa3/nM4K?/R_[b480;_:b^>iYe$2X@)qO+`'
+%;U0Q0CJb#=_fHsnjdRmUVV/\QD$3WfLO#hLgSg!co).m/1%u\kkf'=jh0@MX<d^eKGAbpm[%,4%DqX2GTBd*`ej^A#4<n(hd_Dc@
+%mQ3;P6%WE#qIr5:Vs7_p=1XN(Eul:KqmTGmkMfE<(VS>t3q_BJ>i$L7NLnujek&a(,q+W(p/Ra.Yp"Tie:/J!o+2Pb$LM-@FS/'B
+%63sPf"Y#)Bo+G)F99^1J"%i%]qYYAPpN_j6i&6X,?cG48YNS+:o<;hRI@Z..Rp3SPK9sJ<[L#0VE]T)4ch6",,JU(no6%`=MjB!m
+%dfpnIj:Sg-2MoOm9dH'&;>1/eo#^!t??LB4kR48--(RP:HX'q@TYW6L?u2")Q1nWm\-t=WWM+O%RQ@=/:P@955//)07n:k#W_&@1
+%_WOe??D,'e^er/Qm[tiqS5<L[V3IER7.Ne:[he,son(7cki,AlJfS[X.#dcI'*LLX9NShkR>!.cDTj+El/ZMR,-4Sp"t.N1[,P\>
+%?2G+6iFuffH#^VVd#.h#cbM^cmGR*kY1B:r_kGSqq&rmRC]\\eo06Iu6H>PF2G&nXNV]%sY(:JQ;FX0ArS_Ls<rV[IXV$9-?2NC"
+%dlm]tU\!EcB)^neNW7,^^-Fo-:^"Kq<u^![3:e6"K.e<]&s!k+Jo0W.e+i\oHMdu]]KH.%hELkK*\W:o4J$cSStD$]+!,9[a5E9p
+%O3GYf@31J6kJu?Diu\$Xjlqg%p>PH:Ge&TTn0n,-fQfS8DY)cmF.5Z\N?0a.<ViXMIs\&"^O<%$5:Fre51I+bYJj<!_,0n5UZ0*8
+%YRB=TLUW==NJFQC)NT6-XjMoplg9=!m`>t3jhop@nS2G/jLZG)h`a/;+-5M:cO]QT%o;-(bC01B+iqFrUF.-G"G?KecO:'Kc[T7d
+%aJ+OK&JAOeofIalRLT,b_a=([h[p\\!T+V1iZ,ZW3+P%Sh\@4'4Q2nS+C`4ZcOUVUK^T6\R>C;='<-fV#o&eXmg0_sK^T6`h'VZ5
+%_F=/L^FN]6>?3s9AAgq,*C1n`nQfQJqb"URE5W:cB8;N6@=D#AaJSGii?OQU>lgbUF8.a=,c97B7hCMkMr,+9@RA@a"Hn!Sh[rI9
+%&`4<so$!i#+&8Ocn/VNUAq>D$8BI&pIr8*)1IZeB=NU,N^FQPL22=CT[,h$f5<lYg,/,S?A5D3s!_as#HU:E/49+(Y';+C4%l;m5
+%Hrlt476Cl60ua,RJk],6Fnb]\$iFXaIA8pmkIS?D%c?=AVM(T/qY!GObWTZ)I$]JKZG4:GBd1:78]db+45?&n\],PdMPSpt+0+=7
+%q=B5=SAW[6fC=[mNelNk*sr&Jc0p/\led*dleh[/LL2\`Xc^f<rTE:J$B;U$#`:_/J.#,DO-TF=Rh6Bt'0Y%ATfH\t\6:7SjHD#4
+%dTE/aFJD$=dU&U;IMj.-Ls;ct]apA,CYb-[OF@9n4M9-Hh["IAY9rY\:9ErgC8r-H:4JIP(smFGeaC[5;K[2Je!MJ9$-4#l9<2sr
+%Wb/gKT#&,G<I"W"V;L\JT#QBZrj'D[93[W5h+GRSeC-Om"i_>-V6+>N3]59FIr-=$+'$06o>VffUroPUa%$)&JV_d#5N[T'B(C!/
+%n/?.`Jo'N,L/dPAd]AoNg4m?eTED_V"GlsO@*?+:kh.^NdL61XWe$-m@_hjem/nIR/i@6'FP/)DbC0mQ3,+1b[kOj[m$\t:T\k@&
+%)a%>IXPeA@]\N^J"gF#77m%'dON1B<E;C!_BmWX+>W7^R[8>\p(1?)/QS66hd/>-51K12l[[U&c)Fr^/VRJ7JhsQ;)&1UW]V:6Pa
+%`M[*A[02l++C(pk]4\hp`_'#-d_$X8@_06+-9uF^^3I8lF10=0LZnA8ZST:KSsM4a61:$f%:/`?IBH1dHcB:Ja&Mt[j#%/K.)G%D
+%cRcjr&YW+]/+3uA&Ff0HC9l5?a!]W`rricLN01]e[L/)jDDYt:hK?U0Ci4BjD\kV\GO"2S<8ur@aRkWkb.>=/)VS!4BK$PYD9juJ
+%pM!EHqhi=7_.:0`X!o4XI7)-Hc@0<P2B3ZQ"-oM(<VKq9CEo+l0,_f^G\rHB",0X,+S7?tpp<XX'2Zb!13TPqd),+*(l<E5ZdhP)
+%LWsZ(G=6c(=#6te0&CK@F2!r`Vk&Qh'gcSG*m9aU]:-Y6_qN]OY2WE'4[^r9mJ<[Hi$F2R[#qV#+0Fp6U`M`ODJ"G:oZNDlqGMb!
+%7FsAAn8)hCqHs1,^!Te,<H\W)cT=Mif$d6ioo.Tr4^`Faa]bR1qlgP^1N(ZS,fS0'Uq6ir_bTGX#p-TU+*OkB>?#2-XUnhU*Vkn`
+%kS8eOk!!FTZ4LWT6L(W>(@\/P2Ua\9JAW/%e\M`9HVcV]AZRipKqQ;Y*oL2R5R]8$ckaOS@u\d\#f'P`W`-9ndh?9U-S'D+9<E2`
+%W[:E)"&N,k+e3NkMiS-Dp-OY81h"qO0=u!ITMsg5[I'rdYZCpF:Z$]i/XM>Jn#RU;KLkR*R*BCD1Q0NaKiJeFhE4hX.$Hls>J2p3
+%g1U^-nb^$F'gW/=oV"<?:B`DSg;\Bc&r"qI?=Qk0n@rnjb-/GA;tft:ZU2Q.kG3R<SNDF39c=c:gH)rd@1=I]^clQh-UcO.(I)_)
+%'^OlC`Dp<Cnm9N1n;RKI?M#u>F&buX!h3YD2RKQ.iQ=)2Yb3GlJK7B)2G9>Xhn\PF]k&Pnb(M:k%KXt"&!00gp/XE!pb1oAZ/CmH
+%O!")kO%B#1nC9K;gDloXYF<07I65h\E>-n\det\-kW?(:cCNbTD8Z?qH5Edu]!@jGecMLJVS_X,T;_0X6EY-")^/*J/'&?sn"?.o
+%W[KsI_$qrBjYWPnmBAANa27?q>U3:3M^LVo-V(R>8/6!)n3LqR^qGEPAt1iTHuhf@:XA66Pehc%[h[^dlEI4B4TTC#A=V^IS)Hk&
+%CZnAUEncHDBe9Lg1$6U;a)f)<G=:lHP$(o@bVcLCp5[.a2YLD:`U8Kn!cLP(bQ=<m;OT]%.,s^90N)8!BV6N"33.$$E\c25*Y!3U
+%M7\pRj$OWSL,j#NR;c@8'k]Rk$YiPB/S.0A:iG4kN$ULG"s#C$.;NW;6NScJSV$^seA!O5*`<;g:Q!du,;Wo>)df_dY!C,Z\u9UR
+%eX<`n7U]eWl!K50mRB7<>!m@tYGi_?MphE,fa4c]gTA/`_H:u8oKMp;f`ol886.1.qekpuDs1bOT>kDHh.,58UYFC5J3_q`JdB4\
+%S%X)7<H"tq3TTDR)O7_skmMb/"Du=MP07Y$eSifr%jMWapKZf<\lhg"3DfF%?h0^.WqJak@HK?M/TH\;<r6=,95;U,[Nml8I@Blt
+%o2Ac.!$05_4ieAVDRr?,7V/?k#o<PbloUl7dG2<m<l-R0@Q">/U\NN?D@dFGO5jYhD<RJZ=I8Qi#Y=@YnKH=P:s"5>%JjV+YQu==
+%jn!ST>_ffGZ6e^ak.RaO@ha%7^!*$*S4M4?&*.<`=r,0QaeQUs;00'c"[+42ouK=+A@>"rDhZ+t3@(TUb7`ZUE:J3L06&*NGZAE/
+%U^<P,qP99sc;AKn37%st*W^;;<-O#5$gu2^,\7E1J6]P+abgRD0<XrIkOc\69;1.gjb`;==)X.rpJ=N4K3/"Dn0j2kZO:@&/B;]e
+%of@=Fe5UDbbGK\EW[*h?)4@A$=euj7;`?+9dp6k>Z=U)H"+%d/;=5_(D(FFd*qbp2,@,kh=i`Nf6gumq2t>_lV\_W%*)4'ks20d,
+%Ie[9B0B>'!iQ@=cr\4l>0I^iKH^!uG-i:G5D-]?]!MjA2k_gpY?HU"0T?%S'ls7T9@>g8%B3du0O9Wr84,]bP(2fhp3[Pac/VBn=
+%R[IBe9H9e6*;M!qkX^j@3ftZ.?"pMhXtiAVH9A!/m6Fcg!s/;G/128if@0=lQDZc323kUo\,WjOV`lbSS;XLG-gln"\S0u;P065b
+%@Q?T>-eNC[.Ou,$dt2/[G2pp6J7qDA-1M,s@]&-pc#$uY5SB2o:)[bHJo!H]o.j.EH-fQm+_fABGH0lTWmS2,iM"*.FnGO69_3U1
+%%7k.*9TaS"E]cE(/W-Oj%8saD5Dj;`4'Xbm:.2n6%o8/oMPt?W,X:W7ZVn7nG$<SL;cTrtJUgtNb]K109G-1ne"s]cC(5NT1^h*e
+%-iWlmpNEos(X$2*gt<T$QCIKe51sa'*;dRtoXKZ>g[Aqk:NsjWqrj5,f/!knhT*#kDkg/[Y_GWYQ/e?sTR/b_UV4&#4OFU-Ib<:G
+%nq;Us2psp4E:B,.is+8R;i_"i7'oSp2I0g9:*7m28q+"'d;=,8XU[C8PC""$GgHG\+`aVC/7BC<![q\OVP6-j%U41h.eXJ!M^87s
+%(RP3f^>kPn?cXZF:'XI3Qs0X;kftrR8Q%G^g&]+e`iAbcOJ&NE(VY;@@U,.K+8R_Va#H#!NjN1^IUZY<U%CFJC^YH:O.C--f'foO
+%m887lXmJ,"HT>/;=ho'^Q!?DA-<k7@%%K>#j8.-Y\_0Mh</co0RcU5kM6omV405@Oggf5XTRBo%(u<WPB33VuI+b-agL[hN4L=%=
+%g3_.^6]2dCHg<I>Kg0B]I['f51"T%^V%k7a]Sn[2dL!qcpkT:0\7`$$#u0:@@7*hi3]b`G2^X_b;p`193N[_+koZ^OP'\c&W@IVW
+%T.2bF<1mmhOtGRhb10EJm"rks,+^3-cW.g%(W(Ci?[@rD0DkV#++O7dJ,[\W/Wp#s#2u135SX6r3-*b$a`Y3*^Ak;0s&:mWNP.m&
+%V";nIfOGOkd;AOCKaY]e"*\[GY2&j_/E>Ghk/S;8QI5"sZ<sk=,YdJ^&DgFAn1-(b&Asc?DGK,GVVm'J#4WohZK"%QPDN>K3_bYI
+%dp(>HYHU5aB=ctOhDY&.#KCKtO<63cfflR<NsBM?S5L71*ACD!%I;D4MQMb`WJFX?rpV/_o8T_q(&dQ[fWWu=pQ`HK"L^YCRbiKe
+%49e\uoG.5.[0"bB5GXs0\dN!Hbr[iKrij9c;efd1%,)Ku8(O>UTP<KP^"Z.LBqb`#Mk.KnW9r(A[8VSrS+,1R40TAd)Bq-eN$o74
+%;@eNr6(VjL$IWh+p93u%G3ct*;h')]BIFtm[8_Xo42Bf5B=n?:SkXb#0I)j5p$f=`3@?c"G+,R;b\p+ab583C`ddC7T)4(Xa'#hg
+%En.eV1i7QCMGZ3(Z[J:?/;_MOO<p[4p-7PkXhgBZ]F$2+Ar*D.<W(gGE4Tf"WAEC@NRfYqC2hR#CK1\]%=HhR2<</HnQ0=i+HG!2
+%_Yg`$V&HMeP[<iL/3NNo.se_%#:3Q3$jZPZ6r,lop1(N6QNU2+/CdLg+(7H-N=b$"PRSl?R7BgER@;of03oS]VPhMeK1sGtm"@SI
+%1qjuB"eXj8emrq`H;M/d_4.<GJ=a@c4/H,0(b_bC7&s=Gg4<./I-c[YCpmJq78-`46AKc;q>hd>7lNZS%YB_?APW0'Nt09p%R?$F
+%g@Z<!V<\l@]KCd]SY**(8jf34^(6]3?O3^Zq4[J[_j]Abjm*R9qF>)WfMb`[Km?$S_,VsuSO8HIo)mfo<.2$]Qtj]E9Ug/Ep^q"o
+%2F2/Fj<HOoBY>TM,mST_CJ3%AYP"15j(bI]=]dEdRa_A30-!H8PbV=`6U@S48Ei`0.m/R5AY^1-Z6+:(4sJm/!iC*%ZAZ-..V5K\
+%>+o;oG[/8nIX;O`JURU<DYCRlj]ecj[iM["*C9gsP=2O6MTXIbmi@%a`p=cr7++T,;O'i2"G@-8aY5@L:`;*i\ba'MXSQALKL,nN
+%!O7QSehm=qNnl:!J&5r^k@KXp1gk_A!sa1t$`g4i%!mPZ=jXWXlAA>PFt[0@$)Q=V$@L?LCfS4PqCVEnlEhJ1d",Pcb^4mZ33XS9
+%3Qk-7Z[9&U33)D,lQL*K,oXA]9WiIAp,Q7+n'Td%6M"/OXO%XK!/4:;16kI[U5Wt'9hE<qP!448SCXRB!Z]9/=.MU#KWgbpI3>6t
+%kS",%:IGDI9DS;GZ8r(?4F)fT8!]@6A&"@gm;6RTLo4nr7u_b2_]S=70Ii`QplA+H3\4RX5*<[Impi]H&`)f,Fl'\m$s:PgJ>!0>
+%gt'(08VVHV7cD,:8b+)a!-<GL,`4`?BjnHL/L-=-pI66`U"4-S_6H@_6RJgbqOoEQ/L1H_*A6\>,Iam[q/g8cLK.\bML)]!obG):
+%DZa!pR[3FIYtV</'L9.X<Y1DB&,$BSESf>V?5*M-R*^-/YK#B6*JVN&L>,_+c9t!j>$a=MTUonH"oSqpR]VUENZCeUEX0ded:$5h
+%8[q]GZSGPpHa:VLjM$S4M=B6Ec:ZA-D91dq%mff\1g&1n#*5(jdPTS+i;s0Pdg)R/9In*/'W8KA[X02YZ@G*d&YO4Y2S2gbcrFcL
+%TS"5Ck'[h;Aas#/mkN46lc&hU9#BqI+@sHWWKhb1Hq=Pm)t_O*7D,g,.sJ7//BVju+4e>1SB*&e%G@eaS*se]0'"<[%:;Qj&P\jJ
+%27LD^1S[e'd4b6uB%^]4gVs_jXtXi2A!nF93R_$Gg/W(75nt2e*XTX)*b+lJft/8<[,/d*0a`\5n(+KeQ?N`q-'0`F.T/?6FhY,5
+%g5C3MCEmKdc&`ZHPc%"M0E1)e55j$hs$9?E:VZ[OZ0hSRLL:)D+"nT45Q'?pR`58as7sPUs8/F;Qe_Y2-s6?oGbZqB?eQB5_lmg#
+%Rn$%1$u!"Z0KZ6k.pN%T7E7O8:/BnS_,^q7CNiQ"(O4sh\X2<P-A@g52bNJHW0=)+*.6`:?icqem`4R)\+Q>S;dO;t41[L?Mn8#&
+%*e*k?:dqb^JKqj1\Y=WYbs7M+S<U@V+3<C&??^p+71Iq1)'$7G)`2MHf$a4"[5"c"LqW$Dm`Z':*j":[J>4RpYC&9g\Vs]FDl;H(
+%.28!$l@O/Ne(.gRdT/jBU[D6l1+ET#k?f=^FD;qKnVZ?AMS)sk6I-5YFOI`bnI!ZR'X`V<F[(9J';?@[YUAn)DkNQ\%']?1d0@^r
+%=9JD_!EZ0j3B&45Z\V;c;j`]?b,df/**6dsG-c&e$DOM_JgX4fK>1XKiuEa>:cJffql0iUc,_tcoU4\_#5^JH"1)r9@IR(7$LG-_
+%W+e1,@I[S59g;Xu-t(MT#O5O[4.r$bmHpVDTXhXc'lTeQ`;Mp&4gS/O;/7V[5//qEj4`bOq:g(m=be;<-t@lE"HUf'bC*L%3qL+s
+%DS8"'9hYLb;LBLU/Z*5)mI8%3G`qr,96@[):@%2Di(7ek</<#[P4iX_j=?0jbsTshk`HI&@?h1uo;l>Ld^3&PN_(tNYq^fVn'hTq
+%/9.nZNg:d?&TNQNFdZFX?u:<^SVmjMAnfTr,%@2pAnYZ)pJ3WN0sE8ei<*h4K48nMDcU2D/okW6`=M4t?1tYFd*rt9o3WY^[tQEF
+%AD<N3a#8Im[LoNJL_#;b2@Bm'a4[+b"SnWk[cSs!#]VM>943+0!-:A0$e%jQMS^Mc@,3d&b3QV0'k?"".)aVSk%AhF>S_97SH(6L
+%eH:H\M..4dbl+*fq"isW"le+'%;Mfl"+6p]aNRDU?iYK"oJ$9@_6=ll-ibZ:/S=2G#eaV%dmRRheS<OL5XDFt[bK>UIeDu=L:2(B
+%4O@ZIgBAU.8)'^qp?G>KYbEsoW6nOX$.'1]#_*tDB-*0d>V'EBQU>E@B%E'CW/+;g4MIWoj[lH*mW,&#MK)drLf=i<H7h`Wa[<O.
+%2"Paf\HrPj>A`\)fKXPFI8n??T'e)rHb7nt"bNK'Q45HrFpB)P,&/6I"rLtS6OD!u<bg:NCto?+lDZ`)J.b]V&[-H6'@)6i'o%#A
+%=Y)lRs,E.!FoE>)SF$)nH@S?9U3*9s+RU`PB?Zn!OhrcEmokABlYMKQlZBJHaYnVEYW$Z_2K0_oG6gBV4X?C$=&"h/(sHA,7.YRN
+%aNP\#-o[TK?F_<&<uj@Z,FS[[HpeM3f,):Kn)h'_kXe$U6'b^A$r4kRa4/.<NBKf'f'<07djUlY%sYAgjPq&<8'(nIL1GhbJLF3q
+%NG1U21,Wj>l.4BINM?9>>Wp-gK_Ra,!"'X%J<e'8id37:#oOBfa(*`(a[0$Z'Gq!d,tO3ll+N(s@)7fW;b,l@NMjL@Hf'ncVagpZ
+%!$@,DXr&"<UgR5mZN6VI(>UA5MERp*"$*W](U)5d/8Fg9p"e>dX0&)m!nV?F09#82A,$EO)pFRap[3!U\[W=nknT4E\8;'G&RX"e
+%bMf9,p:.LeD$8C;n!b-2Fp9G)C)Ic(dZ=d,S`%=iCj9<]@6k@(%F^Is2Dc7#g#i>c6oel%*CJiN7SQ`eA++C(C@$N0bTNND#;*l+
+%7:_cOkm/__n*FdDH@Y>uT^YO=`dp'lR%INpe*!tlgg::lf%8JS4Ig&^TiN2-+0F>dBitGdF!DA]*'CjZ?q2tQoj)dgc_kk$;)Mjd
+%@0M_3f8*L;_&ffNf8!nGKt-<cWZB((M,.ilU^4d0eHgCpq!r4,!2$c7[2ZH(ZiQ+hE.C^Nm"N8&bPB3sKW\i6aPJ3M+.d>jemQ`T
+%@<&".,[k,t%9-+jQ])&HXrZr)'U8s/\W'2=#+c<Nl];Q=A/0hN^X5D^798Q\gurKNE2+-n`"@ecHI#.PU7$_=Tnif>BeeLuJaW>5
+%\4shQVm_H12(@^iVWp`i<lMCC;qGV(cLHLnP=^I2NnBoUXmehsIdUr)&)$(L1X;JI]_>:mI5CAdi9=Vg?3:LXW5&S>dqcCeUZr_:
+%8.2KkrDOR$DT,_0N9GZIJ^[G.@u3(E4/$@KQu8lA"[d7L?Ep1JGcW'ug5shHqD'+IJJ'cCB.uKKII]eX@%B;+2;4''S8"Cc\tLTL
+%$VP`;lH#EieQ4m3.(/.PE#o=5Kf-40K6=f1;"e?)Ts=F1mP/L%%^T-k+TRhS6qdj*Qj#E;^tAf@%LsDP-W2E72Brb..+;u,%."J8
+%3F/c68S:9nM"JePab<@q8Q^^!F]lN9*Erag>=K*#S:>]H(nS,4&-_qrCc(h&C@:Y^f)=:7BLo,Z4<mgRBK-g+m2U5Mom&7S!L:D'
+%$()JG/ERZr_h3*^Fq+jES4Qa5<oUC%M%s"/O3YjkXUZrB2&8uXP_i^bp\Mo_lfqh">k;rWQ)XoT%BsH0>;2.\P+<c1$*Oe(>@`NC
+%0)!f-5\@V'-:/XkR`4Kf%(t_\RWnGho;4%(oPURj^!*fa"T;0@,<d3H_X4e))&!4`fA(t9E^uX$1O'B[WtXtZKm[!ejV;d;Yqt.t
+%1pp:`_eHgJ7skn;FNK-'G8@hnr0^DLZo_&L<g`rfYRC5l$nSV2'Xm'(JN&WhgIYos;*1Al"IY0j9qHIjD+nS:_9=[jV97:$`@?:s
+%LS&)YlR/M_pcAtU*X]b:<I^SVq!4a?doFGQ_Doa#bp)*p\Ko`*bkS.5.:28)DP#`C2pSkD;j:$c!KkDKb$g?%Fgh@-fKc=Lb"K*h
+%m](sEr;*hGVI?2UoBW<fHF!4O0(.*uf2KWmMnh/o3go2.6li/75F_1(>t_5Y#+)45C58C[i,LS\L8S%p$-^)_Gl?=`/@#=\,*m`]
+%APWY;5YL_=bcr_\f=c_Z5i]0N$U(WKqF"b5>%k4pM4kRp)KCuMmbsIIW\-1'l:Nf;*1_k3WPnUGq:DW&(P5]QU7gj6FD6KI]@KQG
+%.,Fiel&,mP=AhC6V#m]HArFR:C+f`VkFul18Z%sB%GUk=V=kqM(ufpXnt/%a#!DmSPEP@.?gGETSU!X5j=th1fc6j)PV8.3jJb3C
+%Bg)qP,83GA#.LTXp_P\K-niSA-pR2/MH>Cd<KfEmg)W/`0l`^VH=5*r*f\Q\<BYfLfRf2E&d4n-fnQ6sKc?LkL]dB^W1AmL7]tq0
+%nKtY!FJ>oMVgO2B=.Yf70(Z]Z+UHO.dQSqkhTT6H#IWo6AW4',/-W_kH2!oDc1aWJ"@D1]>L!Bc3Obb;N[_e*DjRg%Eo[:ic39s#
+%;;fIdEe#271R\k8O_!e2**R`$>F7D:/<N85\o"cH0m+dtEfZbTSN#2=9Z<)9/UWSrMC8oJJ%g1`HOA>>S[+6_e4.(1K$+U!gZVBR
+%-Uh<Al`/XHP<"uShf4QJpuu\p&UpfQYE-?=bo>M6%o\O.KO#sf<B4`/][=4(e-%e)>B&L?<^EV=O$D%*fWd6L^FC(0$G4u2YB[UR
+%bhg6-%;1f?CabfQ?+i%\-$g'<>H9HWL86@1;7,?.3?c4mgT-_AQ56i=\6<9L3l`6r$B(ari>!R!>&54aNmXppFaNOIVeoHLARVD9
+%7uWO(<lCG=\.Y:A>7F>L,U^m2:ZcIBS]B7re-UnY_@#acU&TPEf^!&C^lgI6TX+j<]r&Ur\4S5cI!,0II-Ngn:`K%eWIrbmrloU7
+%nMG'Z@S62k1G>%@CiWF+#JS%\C5&]V*IoJ8UG)lqMQON&X?dY.o3c!OnhXqoYmRGb"M1#5#0pbk@uDA+mBZ[^%jU[m3`S@bNgf49
+%FN$&E.pL[PdA,f$VEhlOl,JCi\HdJD#3?Rh"B9Of6pm2u`_/S=!4>8e=g1#_idPgk6,`s1WP\?dTWSh`*E3a1@66@Y?6Rj#)mE,M
+%R'Ula:Si?="g#-/4(O625p]eS.Euc_4<-FrST'Jo7`.Xi">SZrY$]G?kQ$$F'l%ajdf6$1S;hL*MJ;Lg<S''n&P@eI-0KUmXi9D?
+%mlCq2A(=N%kQ<Q)Jtilf6qC^]4EbHI3Wfb^M2b6%3dl&RcI7!2Am:kBXYTg\2&7%F[0=-=peo'dGfM^[RF1:l4e)jF?!$03/On5H
+%)4NOg+$P7NDX]rs*bp9X)NLf5`MnNi#!1(b<%&iP:+WUn9.#Y[0P[<4`eliG[039-8#)&eC+7@4"OlKlpOlRGljX=mB!lpnF'YGH
+%;cB[KrkWA;-;"opU$gO)r06GYs,<InesNe@6-?kJh/-o']L.076(A^`5qgs&k=Z<@0P,RbIBMDsLDX+o4d`%=dg*=F[-W)iQ&6uM
+%5R!]N8CI_#BGnAP#:u=#Xj]PH1V=a@6o>?!L$BfP=>I.0&+\KV?X:.[8ge(6j`WS#=jnMJ*:UW-aP%BR'Z@f31?r2>D0F+q<1".g
+%ob\.=\XrF:+p'<'&@!C(hd@9])et(CK7uZal3f.DUfku+/0C>Gm'.]mAHq6Y83s*J"\?]u/G_^U-F`!`o?t"`_@GQhH4Ug]8./?t
+%U&-N@Q<SsnGg]EJjRLJN+_;mp'5)CPH`"06h;*R9GNd[FK)j9i6$C6_kJ=5eXh-G?4F*rJd[Ys!7:%M;!O[UM@N&B>/D$3,`iV)<
+%kSi$5bpFRdXaICuF:U56$]Bm"4V=?t5SP3^VE*H?gte+$%hBJ.\*pZ"9RCW27cDU>NtZ!6`D^`3g9H4Wj!"Mj",j\"04&&QDU$i7
+%V)+&VM9*'^J@N$R;`mLI]AcJ[nggk8QtPNfbRdu]Q=6d6A1ZD-hH$c/"i)c7Ad_mFh%-j@HhTW`,N6HQg&ai;4iM\,RV$-R^@Eq=
+%Y@j!?05S'CSeo-&_QuSlJg0aEpKa>7[9*S&Q.#r6Cr'.j.?t&?if!sG\.=fUB["b#a\[&OKi7WuOOPJ.I:`^uU!'+(1(;]HL8N].
+%MIJIX]'55?#O#b&Gm;F&HH!`%$b@`n-e%4>#d)$VQ'E:2Bc:s(o<g;m0:EnQgE0NV,Q,F/rF*Sn8,NBkU&Ptd%Akso`JE%'NtmUM
+%@_n'\4K.F?0XdUF\-L?jOF]@bk\6p%J_%sIY[uPrN2d9Ua2;j.0*GOiiaf8_%R'RseH6/^U)ZI<?rerB6uX%eHtP>5%bj@P*(td"
+%o>6W).4>0T-8FjWnfMU*6Zr8KLIKc`pk%#5C*5'G"_W5^cj_h!?apTCQ$`lm[WN20#!a,K.[:<lNc_.<*+ZdlPfOMe;/bb^aUb;>
+%5jnQ5n5`'@0(s61SRM44Mj7hl_Bi9jIi12\$GTRI:LQ'.fY">*is=,pn3"IsEslkTC]_p6ib7bXd.FN*ASY=:Ane68LWJ`Za!57@
+%2F^p3bmmdK'W]h&3%`p8H-h*'H*_e=<$`]uJicViS+ecTRZm-77hAhId\I:XnC.#QS:Zr=RYQC8dV[+u,IR,_?raBDg>c^)R?KV=
+%U^65F(O@pcm-)#kC/XS<@jM<O8fl+KV!BcO$`S%lfb?=*U$_9YXGsq%XcpS'X)Y#;L7ZS#Cro"gd2O%9?$7>'Gd[13T$,RiO8F#`
+%roOpE"'.!:QXIrIf->\'_K%IC1lKch5LtpZ7sdW5Bk<VGRDYE0I@%i,Ca9>1Z:d$.F"eo$M>*b?RPq&$30Q6pQg1A-%XlT"<b5Y7
+%$Ip.g3l2%G)?4VsBu4Z;NN:@KLLu,5%Ti[kYWn4GhVD40!Uu.e(8^d5[i)l]h6n*o,#%s"INYPLXk"N@]ZBXJhdEa)1-9lPNC>n$
+%f^:n&G)L",;Y!;4>bQ9i:[RXVe;_&&\<i>`.=R`.-`ip^MgnQ,5S5[qbu5nRJaT#EdoF3*/?3Y%BSY,)8',0_1KOD2G2;W$ZOB*;
+%fX;o6,OFd)YTm>X1R3&?#59F)Z&e-=,KhB]?dm/t^!J-PT_m9$N[#"+]5Qj$'>E,%!AAPCE,$0W3`W8sQB)%$5m!7qGP@Pc$afI1
+%o8%L57<Rd;k=7pE`c-D+^>m-uI>PLQ2XK$afFd=6SlU"iNa+>H/JCi`PiT"5(.B<9k,&)l*iuC6IMlA\+Wa\/@r>SDfk4_;S&!ZZ
+%/!"=aP;)O40ZdB[0rD"L<&ubcm0O'c(K+lV$_a#%Z?5f`5k^*k_JPgZ_>63H+e[2"d_sG%M]5e^"1;>$&:h>0eV?o>/Jr);N+hN4
+%Jr\B1a]][@aEZjG/j7sP`kdm7h^`nm**$qlIRi39@?6B,_dCUn0;RZM%JVijm@8V-;5T#hBqqjaX<l_kBZeSGRUa6`LiYrWVg#c+
+%Sc<0.mO)u4J^X\r^jLnc>ES*/7Vu#i`f;AM,55,'M.lB!1ARel9!12j$]K:3&Gj@Ka"jXn$F4M%B$e^B\6GEDLNBR*3"L6E<4/S&
+%M[<`\OEHJ2^Vc&bLYi+^K9baQY"tr`[BJ&4ne"pgV[^uSnd:Dp-P5)BQkt]7g5K!Ag'VLCrBt*BT4!58:.AL5oVK0agj86NS8^],
+%SMfS+C6`3W0L(NA,ZT!goO7uH8fdF:C0aI*<Tt\3fD>hD2A/@d'PHSjhZ,Ws#5n\Y8YFG,0qoVJnWbWGW\fEl6/:,@=g8WXA6*>4
+%S5KEV>f6.$`jmmP`/u?2Yi-%cBsrTu#mZ7UX9$?<__.bO33_q*dQiC%i!DjYR))s<&Tob>;Pr)=(@(#jCP-ISeBR%.&/KF8[p=k,
+%bEG3L?[S$uK^V8acDYaAe.EP*B>R=$4YdLfCC=8Omo@[HS&%Yu;E\FEbFo@XDB'+3>k^,*Ct[9kLar,r%%F("g.-t99E@j^R:f-F
+%'\Fp2d2YGn*rU`IRo@p=XS5YG(7[XI`lt!'cX>Z>a(?^6q#D!l=?l/d\/B@!p5E<>)@UCqG7V-?@\u<%Qkc7KOo11Es2c(:.Q7Ao
+%>/&a89IFH=g<?5C-4;'+4'Q8CVe$2#N^m\aKoq%5U./AT$8jUp=7h+[&G^%]SE(=h_JA;>mCRG.$JgoJ$mCWk/%oE[L(LBkOgaQ3
+%[[kW[.\M%gMoNR5Z8u"D7_TCH04G[5EgWaX/HnWh3;F2jn)N>,XR)aT2$jP$XDFd4AB-rI_[=R.P?C&/!BWWhiJa-h^)(SfL#F&c
+%:U*&F"Ua"WPa(CQ_F,L-13HFJ`XWO6d?A_r^%ShGArJm@bK,!@l"sc)rCQ!*"n6p4Xq0e(1IYN4X^e7Vm,j0^#Nd0kSo/r8\Q#<4
+%?#jQV`G^gR<HTsB"3c1>$h)\bkDOr[!8O-^Iku*a4uQ@C$&mWq]qa/ursd.:l#q'aaK?MK:M=*oct&f:aghG[S#"_c>2d\i<UDoj
+%D]WMfY)Grm)u[R`>Ui"#Xo_)<=nb$mBb(:67e^SLG`qpee.cPs)(+co9/*cYe+4/qUp:;_>NjJQ6Jqn@&2u=$7h8U'SZ)Vc%,FLR
+%%SJuR=S?cJ9HDpE4DQc-FTJ.7$!i")$fD/NU`/<d(9b@d%p7dg[\H@bHJ^V,7^+[7J:T=u=s3.6<j6Kb-WR9JRSU_FXXJR;W\!bF
+%XO0nlU1`L[U]g4ECLPM!/Tn>*,AkFukr<5@g8VeCq@.Fb$&W3[I2\*-q3"QB+JG"@.n'fL'HJ"`W:qRX#3n&<LE_F:AM/k(1oc[6
+%0I36U(i1=YA&QH'b^?c%LC0VM$/NdU>T!2#&6^!I&fKPK9Ke@6"I5nBK1AIqq>Zh/HQC@s,Y@>/qAi&!6D,5ErZ_OQ];_)a?lLYR
+%+HdZ+JdSE+H$cFCO2o@hHN=J5"dPZ@Su:R0^C_OLk%<Fu2&tO/o]`[hr^/VanKO=m7=U":U)%:I^0acT.,F(['XA!N]$u>??gS%n
+%G41K.dmpX1eiWGp\)X,b7KUi9VYW3V&.Z(8h*;6tUsIq'iN)fUXscV0npOcBF@8GX`#S'*97eTj(2,5K52hRDUJ\.`rX?Z'pE*T:
+%X(KFj3!7!2T'-pOM+\M-Ve*R:,YthR-t_ts-'-4>NIou>/i:rp]JQWmnjA<.o3n!i"'?LU(Upl2JFq"C6=_C@#jt=R_IX,&@V'Q=
+%Jld-PG[+ZZke#)oS?I%U9s[T*7qu$emp^[1fFcsu[-pT'S#M_HoH[-I5+\Ch`cj.U;D8ljdT&%N=W@/.l?q.BcCgEN^pdTu(0.M:
+%3*%%O6!I3!q]QG]:?W8so<:,i:2&B\.'/XjdIMmUIo.BEN6ogP*RS^T:4Q,ZB]h-K\m--^0Mm#5EohGcYp,%%gjfR<]Z!nXL#O:1
+%]M"FY>TiCLCS%b;[n&tIm;#pi,q`4l_K.a5cc\HpY"OWlc\6`f<nR30k)GW2RVV!3rAMns+8.n4m2+<G.9ba[Jf7XEQ>fdu]AP_o
+%aeE9[)(loLPe/5qP]i7#KSr\q<S5\f\BKZqC7[m2@1Fug07Dt.fe0rj)@B_B>3[+uC[KW6Gc<lcLpMkK[u9O1S5@rdiq7\O4)<@N
+%$LRtQVkY=Q,:D1J$=kjtL1RtkPIJr6b;WmTPIOshX!+^Xc.bJFS3i"eFO'NK<pLfnK`37mH+:kZ9G;H@c1+S7B,S;<hjDtq!17"U
+%GQu#2kNJclh$.og)In+ORo?&&]+rSL+'\k,=7cVbd?1H%)T@tV)<R=0Vf_@IitY,qT)'XbD6(JAl10\bMK[FjN[;u&d;7QsP?Q8;
+%qX?!d`ZlDS;^9Pgjmts&p2d<^R(f1Y8^'?=f/Mb\--G:48UsHg3)K;o/apo@:?jL&bjA8/Bbj#n.I1E9gioDh^CEHfGmhW^i_/>k
+%PjWL(_=,)A-OD(p$GE4SYlk`5,-7cH=?84Cc-Mor];Q_oUk!=6RY+Y_4X:k!fUmKlhJPc#?N3rd,s^0gNj4+I]kA-,U:nfN?A;6`
+%e_I';DHZ,)#9:>hn6O.JD3nnJD>JGMWNXtr6+=%i/=qH(43]b7^@.NFPFM>\!'HZFh1I"rZ'HDZd0@kl5:R6@P+GXsYA?GmQ_Xi!
+%Mjg7cgNT<.p6`.!J"_$;\?H['V4.N<phV%Q.qD.m9?nSPTTXELAWfsE<j-&.R>+a9b&3MGN1aIN!#`)Y"C^g.HP.#k$3J'#oi%4k
+%4WEcCII*JY(U)h5G&NEUD6*SHS7rGKcLN)hd'UjY<Kd:"WG4ak^-[L,NR[=K7Bq7+a[eN6)5Pu8lfF3Qhiq#Y,o)-UU,XOjIB;Di
+%+nP:l00CCN[4`]5be#^=;Vo+A1(un6`L2(=;p];A#DGk%Ng=e2O=XH<GO[b6V/Oeb(h9TAom%qOQIpQZ()sNC"CtJj8o?;`&c<o4
+%j#L7;Gj&t.O<rQl;13bJ0i(I:I2c13mLcYNOCd/nWd./=]nCFEc_ZR_.:K?k4Af;iet0q\,+t^nbdlrTK])L7%K,lt"/os`b?#gg
+%E;(IP\[i5r.O.3ZYA4@TQC^Xh">F$5*uE9r]>7rN6b#d6!*+eO+KJNP6aIn!c_HfU,3L`dZ\(1f.@ps[!In6;#@QKN:#$@KcPJcB
+%XC7kjF=8lBh8ZEp8-cXOmcDVd)o0I0qN)t3"'@o+=bSjYK<!9?WEkuU-$(uShC&"HLPAaa+O6TU83rTSL(ksa"0qSd'6u0:5Oa0e
+%*Z=(&-N_*,Z3[ro:D$EXNle,-<D[20>5Y;JPLtf(A=FN^NQR"]^S#0QqJgX$TA9!M'kp\d7W(i(!F:1-1Qe"mR]7HXh,@7&VV?-4
+%h!*67=B(O[7dfN\j`5Wre(Y,mS9H!S-8#M/.\FZJq83+^l5me@.*jKh.'IkVEob0aY.W`+,(0!IdTXS--6mX'jsK`./Rtnh'AaG4
+%kN:ql?UQg)>C$:<,uSA*It+u;C><UQ(3A7X50?/.&$eAc\`D52S?r!6=jDr`kfHrM!I>N0b&E]amM6JqW's3omjB;1VXX"+++rXf
+%c*(?4nMmRNFXfiu]5u:u^J`OsFnQOeSLN6)!h?Un(3Bp>fs^_^YV4n:DG3%ZY\'+2io;ZEPSE@=E)kU"B[!XDQ@t_eJX?3<*J+L?
+%XH2OJl7tVFc/a;rB<hC'l$'%=AYQ@SS#1OqMU@=KN@(<A=1nsqQ*C;D#r<q(G%K@o=Z0MNT=(#i8''%Jl7@P557('eRP42nbB<]*
+%CggHNe='VZ/ZLMo=E4]f=/#4&rk)c4e'\=XV"VlAqh0IVM?'2/MP%n!osiFg*BD;C8r,FLkbZ&SEEf26nmi!Y'K2,IMuBlAerP$G
+%1gYd*OP)?#*q.K5.b^o;"FSD-I;JEY<mT%mY/#mS\KFbsC@0E3N)!sa!;E+LTIAVXJ:uP`4,@cEUB2D(YZ+SJj62W;AZ)PT945>4
+%hZ/WL3Wnn(f97Uab>,ZVQQ>.Te9g_q57P&AEu++WAM/P6P#]*J)n\id",@bq#u_i`f:_k0i,D>O%S2LqJ^-DQ'>Ql@oH4pBTA":`
+%1GM^.dj-spl#-""Ng9:opLF.&(M60lEQ*de`NIi*/4ho-#4$8%r`hLU]ROb.Ijt&Gp1qhoaub2m.XHD9QK<9Not7bff$L&grSi03
+%7?+5Fq)7NXW2s!+,jhfF8j1iZ!U)%p"lCN#m$D_C/mF,EYAU9S=F6VRp4h)<A["jpTE#*37U=+ALOq%/TY0m^l-0=[r-!rRp8@&s
+%el0os>%0\&\bo=2q7>%4gF"-C7XWZ\@W''1]soaUfW'UI[$TR\>B'.6$o)MJMt@GCCC11XnKY6QC=d4*7DGRm8cm`5[OOP;$<*(T
+%kWrc_R'Wa!G@MXMN1$8(N?X2fDV)#XS&DObI]FXl=>Kepem&FaYqs9&g>GBY,us"#O<.3cl<6Vq*hC-XpL(WPlb1/!4f_:525hQV
+%GlB/bM_AK\Q]o,WCt[Z#F!#sRMN_:MXRC`<CElWhE2is7R'9VShZ\@!?IAq#*Jr5An;eI_>\:1fL8$,QYK&T,>Y]gX=?q.[XM?Cj
+%]0TV:?P3qtn/,Sj8&5P-kd8p)IB/hQ#\Yr5iAIe)=UHO0d&fM0Vk>@cfm;^q+MEMP8P@l/2QohPSEk/b<Gf9Wouqln=k*5O'Q;-j
+%\6F8rCJ".9aP7rUp6E4ClKu#t"B26+ic6*UQ-X<.8j7q\XfLNhp"+*Og,e1AG]*oX`M3pPYjKB\/4QlnooWm[*hAM,(sK<jrO7i[
+%D/,MWdJ81pQS9sHbP)g]^L;+u)VODXcW*7\&,V5MNa*Arp'-6Yc>^O*l=g7B;[s'OgV7aMQT-1n/A$h^0apmEN?od=2eMqsT#nf.
+%GG:`*\6o1?&b_g^,ZaE1]Jgm@cermaiWYJhX;#=%s-uYR<Fl37.2/6+"-$=,@%J6&LYXdZL/]>QBs*$8Fal>*IV=83KP\E^]Nn`J
+%Y05n(g=cR\A1)kim"PDeFrRk+gXgeb?BT;Qg-1(YNXr:Em[$-!P,)%[e],++oY9RTbkA[J0-YL3&8L;0*n^^YJ5MeTio=/oIt*:4
+%^TYr(Ag7S2s'5Qb77lmLp7a$QM\@3mIK&1(I5n9o](]fHZHh_0]u[*l;F`>NcuT$)/IQW59uUM4<m>\AD$80`4mKP5Xpi?5_(b*P
+%Z#`5,PF\M)6J"C'ZPUnU[''YOEK^NWig?9<=lCklr9mol!$5pTQ)#U0]'T7i27%TakrhF;IUIeU0u"MV'Ld9OX(f43"0-q7ZJESS
+%*c[.=2Y,VY%UGHCnVl3M0ig.U,KXP"+XKgW;Vllg@$[lDi6F7HV4DGm4lSs6;L7sNY?]HV5%:d*n*CJlr)&h^m/7q#%S7;Tm"&Yq
+%:#YVlC(ku_rV_8'<YKkKZ2n@$l+%_COF5u9lJ!@p*3Os+s5!#@nD5iHpe/4cro">Rl28<FXY"6q,Wi.q*Qs(%.D)`N),q.&ZB4V*
+%g2>#]$sjg!>1Z%UcWa!4,klsX(V5D!7/k<QqY]g91B!PhTe4`CP6l97$1c^Jq*4m;jh^j:1f+ZSmD'lpnkB#`aaG[r'Xk$j(jT[5
+%p>KdX0$j.Wdc]nMefWEO6KL\4)[e7XotQYT[nHn.JR"da]er=uR87:7M*h#%F*V#"-q&H.!cjk<%Z$TSd8;13Ekb=,m6qIS"+r`o
+%[)@U";(ZiBOh2`1DgT4d>YB\f6D?3!`TZT2PaG\HD2Yj9kbZ@IY&kUTa&]@4-b8$']:q9nU`JPB6Tk=)V4>0H`u]3*Ks4p!@&*ol
+%D9)\sp!&@/_Bg-B?h?_Sgj1gkDsJd(K'T`33?)?m%/hJW^84XifgYb:Qf/W_rCWn!G8L,a*kSQc$/9=2*U>h?VSFd+qNsChkM4(t
+%Xp$Ni790#IY8<bt1Jl);Fl#tkT$_TJUekE/!g-GM=?BOHf2F[les:>HSHZi)X\Xf`*`;FE\m:g@AB>DF0Cuad`g%Rs0$IuH-nR#S
+%^p'7rXhFGMPC.^Vg?*MZJS/aq#6BVIU0'iDQ1Bh![Gl!'6J@Hgr$!!&pM,0gFC+GLm'quan]2(LAVG&XI3Kub6R/u71C5!<lu?Vg
+%KlUL&c#39P'2.>p:"1\HWEHHlVAS*.A2,(uOe^\?AhR6?pia0H6nk+(kGHTF_K*#C+PS)M>gG\l+Ioue&V03m(ebCQ+-df`Np=`8
+%U5k*U"fgK\"S[\H)TeA$CB%QAE:4Lu,cF=[D8nL+F0Z,h`r[oW__c_gAlWL.`9)e]fqe$n>cYt"q>,$OVb`d@o<b+e`hLe;ZdO4(
+%BApbo9oim+ha.SPO=E,R,cG2QPU/$OY``H84#cshj-gGtdZ8nD=;lEZa@5#X6\>*rn_J37.UN""7+UARC8,R`!)'>7I7XWi6CEFr
+%S_X^WBnoUAY:e$,@B7uP8g#.L,+$,+F?/7J`s@l!cu3bHNkDN,BsNT,_pX+#'ZU+>>VZ)mru]>BVuCDZKb!M_+ui#s`ab.a;&cNn
+%9t5,B-h$@Z/%rjh84'F];a*Z>'?;aH9D?$nkX/?HP@oE[njGr,Q/Y5`lp61dMV5eCLBC3:>X4%^)/u5/E=j]YfoeKFbcV`0m<Z]g
+%9B#t/)/#-t*0%'LIj_d=F^4.g9jR0X-\QQC^c-Y+D*?kWj=oLbZP5)(3,X#p@r%YF)bGmh+(E&'2Cu1mbo!f^fHJToNPnOR%`?l@
+%KNP4G)W&@\\:pp?QVKj?[U3Ir(F(@!;("BLVn7]>WN46r^@(#;/Kb@F3BqXDR\+>O45@kg"\QH!^:aU@^bt,LFCjSbd:n%N[oNCr
+%`%fU2SMgq2qmi=+.h1:></AlraYqV'X2o4-r8uh#e6EjDe,n(%QM>ITmXFeG.p/nEVCDUuP(6O##<70BA3Zt@fsh1TO&pZ-N$gK7
+%3bQJDbt(<13f3Mo2(U-fS'>PMggXGu_g\s5`\us$R_u>i^QgKc8O]mN8Dgc@IYOP$?10?/VEL??Gp-(3$7\Ho,#Y`kGl3lQC45Cj
+%B5=B64Z/'CXj]8p80+hPX=Jmh0-*/DIB.F$S[#KH,(_="lEDOU*k[XWhJEQ:X1gaHMhU7:3Nc9[.9G1d_Ue-,jr*T+4l4b4)HP!H
+%QBET,a?4ot>;WI3ZRW)#6D7O1[t7A4N&&/.>o(\kE3Gi$>h.%:iC<?L=ZFD>gW7BgJQ2%]/-b-XUuJ*XReNEnS0`AfF*nAq@-4U)
+%=(@$WY>!Bn"^SZE9HJN//(8*KQ`^fh.Y^@+ZO8m*^I2ZdKfjKb*e&;qp:S=Zmb=4?egVRPkfE;fDC%FP9qZf,rj&*n+(UEPHgI-k
+%\]a+<]X4"D]NK_4>dR!oh9-hQ[p$kYkF=j#Gb$NA-CI)PMq<3^AAhqnO0kd!&q\Z^E=q>SN\u.2D`$U!WZbd/QE3]^C/r6aSUQ)D
+%fb\PG8oD9;E;Kr@EgZ5=\0TK&Wn3"=06Lhq=HcuOE\i>IXNmJ-MsRce-=]Mm>Lq1^-U%.^L24E91BBu7kbl52rp[g&YO?Z144ZKV
+%4RcjFnnpfN'[Q'tR:qRpdjs+b0Ib`pe4Mt<Pkq<3%mIA/g?a.C1oFN#3]?Y*B2FaF]=;GPe=s.GO.B*ni9FE6O8-hi"E4U4h%.1&
+%^&u8PC0VONT8pK_'jMMBR!'!,37m(Nfjg*ajE\Gp6-=<42hE-sG"H13R,;gdr5)#KAb@:"He9/Hg[n9k$,m>"V_^-s_rNid,q,._
+%"suVZ3\5NdfnCCfJoe#Kjo>_u2eK"4?/aldN2j=@&atPi(-S%@a_e&^gQhTOj3GqX,!X<Gqo.S+"cVH^no>,qFomPS_]#cDH]Qt%
+%Id,])NPtFLq?K6T0rYC'`A.u=`7Ft&S?*P:m*'K7ZsQh8/"3Q\3K:-a=ui!qC+DO29CW8Hffjo_,!ORRNOrZBc(]Rsdm,Q1PJn,H
+%>V51B-ji&rEWRjj2[1S&L'3]U<hs0YK"Y58/2FBh8$`jJR?]%m[>SH/[W7WC*G6BA,m(DeIqd9SGP`k%+u(=:]&u`*D5P'ZjCV:M
+%T5!J![*`%/o1TbAqGbHm1dbj/S's&WR_ccP*]YVBjim-J+deHGM7C+]dLW!>+*74=CVqt"/irbVUum!@a?KiYAi=q0m/"m2cn^;*
+%m'rF;NL(D-/BG3fT=l7%TFdt=gmU4H!SfoM#aFl2Y-c'hN3Xcb=[n=(a(,;^:e_5QZA$l4WOEU"Pum%UTYQ^S2XXi(dbN^Ao)7"1
+%/hAi%KL76T=GI?qP/[3p!)MGo&"T[k0[j"sb'rWQIJiKY@6"<#Wh.A^<&]QFaiod^P#`?bh_u325]5mSS40]k!&![JMu<=2FtXXE
+%NnSF'+A;N*P7!JL"[.@i,/Y,)lYH.,/p7i,7*#^96*4LJ/b:%c;cTKHYkjM-=!tg3#$B=Y,8/e9o)GU/QY9.!XV4kOO'>f@`<*OX
+%g@jLZT`e!cjQ393L2IfD$F]=:B)_\[mX@2%QZQ!EYA6d^;l,T=]"qp*,[cXn^H"D3SB`XZI)iOq_?,)jW[\Ygl9FY0g=6/jG1N6g
+%;kp3KmIG!6"c1[tf,J#0G:M4[-C<.PkRa&^E;(D0[*#PFXscPtrK':(al8_SM<\ml%e"P:.?jJ/*s.2Y3Yb_lEko9_>EdmI%[Q(H
+%]m.D18'AOl(1'p>6?'U2a#kk&f&u`,D-NtO]5j;apio46[i5r)\Fsmgl'%B2OKhG0"4P\@Lp]&7<aTWY3U07jO8XmM+I?n7RbGAe
+%OZVsN$]J3(F9HLGpE2n/IT7r&@FVXN#ct$l['."d1C2P5&6IRnCl?Y/cu&RacK8O//7rc__t%s<b*6!Ag4$<2dL\^Y[pVb%@7$N/
+%gK^>@fa-;n.=u-EK"_Cnq\dZ\PY(sR%[keccs;?]HFopi*r?]77*N*h-sF^8'iR#<\:A#^1e"!.8g4[\&map5JO<]V%aGK[ZZK9[
+%`piJ5?ke$bbtP3GMm]_((7S)_"a2,abbGpL808n>eJr(2c^=Jd%/12%Rua5hp-rGP?QA<2#hfnNG5U()>-prU"MgTok/XSeWA<[L
+%]an`s?sPS4GCG6pN3>M#_Z:nmBLQmm(4!I2%UhYfOV4WGpXffg_8^ik>Urp2]8@!QdSBsu-ph["Rtd@UR-c:VS%7BXEq_b!mdj4,
+%,m\D%ne_*iR$F#%F*XRN:Xp=R#7fjo4`n/2#sH/thF/l(-j'W!NJ4,[bgEIDK%;)XG\!2*frSqKB'"["X/T=)TUj=ON*I*+2Lsdl
+%Mp#q>5baj948Rt8E9q/7mZ%0e*_VqKC*Y%M5bBgQMSjW\n@Yo,ej\Ve--W:CD#%L\bRO+a6sXjSLUj!HV=&F?Dk'VI=F"3;95A8V
+%nCCIuga2p(d][ta:s%Y%*4.M"KW@b*Eg;Jhdj6Ot\dXaF(XEIHYYP].cXE)#3HrJTb`fD%Rj6F+ER:_c#gWp[HtXiaIS+YnK!#eo
+%<RK4EQo<>'I#R!qRU:,_e:XM%fCT><`l/ts1pe"(dEmpOlZ)9j+#>jOCMIH8o@i%6oo!d5WGICTE71OG:c'b]qmOsAR&D@!%MIBQ
+%>2)&`0]J87Ofm4DEr/#8UD:<%He>bTY]sY'R/9s<&nJ5>JG$*+4-@`n7.Q+!Ht3S6-p/9YfGf0jFfA.Q\;4D+_5UD13eKb@46l[*
+%V&q''.6*O`_Yu)s5QLe2V-S"ZER/8[6+CRdo2[)H+?fY4;/`YA!jFMM_R#.,8Db26$,R/e!YCUBMe$0Z<6):1qmm<M=[VE>e=c1d
+%,onUb'Xd)AqZ'RoGh#f6!mPqsZ?R"e@M.K':V/mf#!Q`XZcR8u:l]o8CsIOa0gYh>]^/G2W(Ab$Qp@pq<1^l)kTcf0(O+7YM7O7q
+%9`T+/':W]sW:^X)\U!H--$P([K*:7_"Od>\q(NH;P0>6L_>[Q%bkfisMR1iO2[%"<"#sTRd@am8$JtkA^GE<7M&9Z<:7I_^n7&:r
+%lY6/seR&MK.02j0WBfaVq$j]j=%bFC^9*$4Pb7d]j>Var6s0<.?u\g]K&-=cR]7VFB'frT4/QA[g48sSd%fO)-:f*$>p=ZtB0jFK
+%J9<?Y>eQPF2+7lH,G1F1,tJQZ[V+!RUAhu^]25%:(aE\u3Ps>!A?Ip?dI!O6!YNp`KIV6GHYhR7B(-f\1/5`)[8ZDCioXNk]5eOh
+%BW7_M9(Ln09+ektp:e&d;XCUthO,1^5D=T%/T'4KQco7\7jh%IHW=.,8\;d;C"kO=1(ro23B22F)B\\iW1?0JLC$u[WOW0-9cIO_
+%,J3`Q,HXH`-X>b-dO%(M]RD;$ZuEkX]+^^+%2Y5c3/?lSl$R307SjAn]5^O#EY#uqQT6j*>BgWe*Xpb-I*c6:l16]9N6EhiB5K_n
+%S`OWHkoW'F+VL_A^Eo"?/VU6;DoH*UrO6qX/iXBIU@liJ=agYJJtd$cY6(#Xek4I]ABe6d*JqkrhYbmkbZ'M:/kuW&FP@pWHU="j
+%<K1'M:E40=G"K7Cd]rM/Z-rEU;(c>BN/^PP52i4`&Qk`WqfQnYkLJ3BX[.]GC=)8J>u/W,/djMqA48X`9Zk":S^%*I7XG.YAqpAK
+%Ou9Qg,6bsq4^@kNQA\(2RS%N_A"*mY;H5A'a3\DVD=).+2Gn%kOtYTOBc^EeRILL7.o5+WnqtX*/89>0;9Dl1RVDVgFoB*4jguJ9
+%pTfE<dD?&<Hrr\sie1[&fjfT0g>mP7ZQrR?hi!Pn]#p?;+n2R-;&;s20Ntn#pO.I;;kh?DI%n>i9F6H,^n9qWM%[4$8YfqrWO$g6
+%0QMaPlZU"BB;>akg3HSK8:cmef<-_C')_&pqR?B+W(nDG"JSW^;bp6G3+ot1"GtBWGeHd]@r;iV8F>WtSSO6K.II4OX/lD9ZAKhS
+%<m`1Rd:g-b\;LIt?C.Wr[pkDV4_EfPI+gV1B7@/7q)&c+?mViBMd&7GMiL1tAuq"q0f!^1<ku4"';66DXK"i]E2@&6</&94]1h(X
+%Zk^X887YjRDVAjEO3nrkRX)cabf!I3No6[LB]i^EpV:Fr%IPicM2A_<j]Y:7k0r4DnM2L.@<$8gkt5bm%Dd:M"HpuqC[R@j0Z'*'
+%ESr)g[T\r3+]uZAD.u3K@GSi.X2Gn".Z1OT(`.]id)fUIqr;P.(hYP7l2jY=?L9+kk``$mR'ahZ5'5?:T^GuCl,gYEKP#2Y':=)P
+%'"c_YI:cqa`''D7Q4,ZEZ%gTT1b;^62DAQ`gVj1Zo#[Ypn1d\GA72,#oDj=C+[O4'\]aVt>CL4sbFQZR-tEo'AQ&*HdJKp0iH`*=
+%f6B<m_K_qpH9d9FVWJp!H;*Ub?qg'^8m`@5lOc&)\.a:[l$O.1Sa(S_hb4nf0Pm+lCGcFV#+aV@[F>tBL/>Ve5m5sIGtbo>1U-r)
+%S.6lZ&]D9l%7#LuZ&C&-]d0f)a=r37OIR5#N>9n>#PVHHjl$0>6nk^XO6#qp5!NBOV$LS"B%X%)';G95-"MO6hqLGb-6QPuV=F7+
+%&6.?.Shsl:rde?S:o]hsMEQm^$+e6iXEcqsW?)^8Jt1aqjY9m%l1jgk^,?e_pB#[R</@3(@DE!ZXPB>TWZ-F4fFoYG9miE!Lrn/*
+%nEG?[JCUAW(HEgU1-,IY\#e-u9Up%%G)313V/Ye^Sp-crJm$Gm!s3:joO(.WV2q$eZ>NB<`+WORN\#ZE.Zo1_Y$R147NWD<7r[nm
+%HEE-J)XEs)@2OQD*M]MC;qdm5BDViXR^m@O9>jRdHXGcfi2R85?2Kl9++f?Z7p$G[aSKHio&%H$M+3:ZM+=0G)Q.ib?26.8C$j:D
+%OA?AC.re,W:pu+V(!k,,(_s.hWN%tFG5g-TIg/.b:`6=l"Y)kBaY+ssl9Bs-ppns\+6(mJ(O2=6.N'!+]:B>ELRX.i?D'pAGIl",
+%Ol]u/Pru>2>-D^H?Or':'f>5j#8HPU`GY?mK,UudE*_/<IQqRR_^(npS-X!K`^(OCd-Dl1q2dt@UCJ?r1^R%qk]*`Uo%[b@pgKSW
+%[rW5Q'm'Me/csfAr=X_Pna1&>`_$B_e;QR?=r9QI@%9sFSAA)0e/]\L4I3eXYbEq+f)8iI.ui*LqZI2(QAU4I[:bo<M[KrYHmi*$
+%RIM,5BD-c-,VX+0WIKMl+t0OoF+sG2RqQQ.U"u#/+e<\FJnO9GjuN5YM%g_=V:[5F^9A\q',\*DBHuI$O'YH<&amp)89_L!H/V.b
+%jqL<XG6Z8cd*VLJLBrr.(oZcVj%4CW`]&\E?G,Q'0IGRpoZjU-\jSuH2c^JpTq"NrHf"GdoRSMV3[aBm7sdP+=,/iRZpp([p-GIe
+%KNGiEM+Wr08G0QsTp7uQ@q-l(=(?Le_a6$X886$9QZXLh\OS76>J:)UpA#r3%9M^nec/sU/V3r$j([kU??^/tA)Vc._n9j$@qNiW
+%AfJ_Qg&L[!eS$5]n@We60p7@'H&>'Abr\O/k#g_<Z;)R0@'oL=0\T&dRPB_nLN@'!Yd1`PhWm4jP*C=)fo/gll?ClL_4Wf2o"$Ym
+%C%I%L\31J'DGBl57\Z2L&`&:uc^*'M=]r6je=$i?4Q8,BQ-6[DFJG-<p,.%>ka@S?>=krXK_J&RVJT?,9V`9O^*PgTR[*D/T)GLe
+%S]`KNRj(Z,BeWJAh./D6#BgTZ(ja/XrRT7]OSVtV_>lpBT'M1FJ=1E.Q*(Vu6B#]BC8a/$7!Zm^nbgmCe]KYN^$8AEqt]O/[WSfF
+%MToAse+-O?htD"'*kl1V1"TEGPh;9@Hdk19+ZOAo`kagoX^&?EHpMer?S0IKoShBo)3rH<;O8oL]dLib/pGr6bU%eiXNhJY4i%]S
+%C+I+sS6g-.B.C/VcYP,Vd0#K+'+[XEasG1<[94dlpe'.aSq#91S9SWss!HPh&`8p.rN:53S[GdK,8J]7K:'0*.Sq<1\$dL2I[HI+
+%D;F"m&aTpckMjK>6EKVsGhG[@]D@;ED]ah&_O/e.h07e2C#q8UkVBDIf6=&:@^s8qPWdX\D>FK1OiJT%9g\`8,52qa%OXN,m/uUV
+%[dl4J^J]t>Jf"3Om[?MQ)&dM70[`3G1b!)PEn#C-W<"8lMH"9!>2aMmY^S63Tk,1]A[EQ`WhPJ1$S+,f)"+!Qg_VZO>hrXBRoSVt
+%$.!uI/&BRY*XktMf=0@Z[3)q"HArV]&,ts>X?,aOp[RWPRun_2"$/'3@m4K!V&7`7;%P#Ho4'Q`!7'k.Fmm"kSJWop/.9E?r:no8
+%J?W]i^_)pAl/"D<VcLBX$+qn.>p^u.,j10B&m&,;'dSM<8OoO=lZ0KbF(1`kb`+LnFM0(hd5iWlT7HHeN\?TK=q.9kXJ)<&LJDD+
+%T)^0B&N8#qV#t0s.e$m";%CF1OQF^"f1^trjanRN[--tlB(G?#l;.aZ.-2pmjC^cgaW^'7('/1M53mo@?n1$l;\deO+Ge1'<*4f3
+%5Q(^gYD1V_l&B;s9IlGR3".#I9+<)8Ot?;k6?%h3jZ^kh9Hn/KB%^f,;:g`P$Q,(3,_A@,#N#.bjVXj9h'jbJDO)B1^W^CD1^Lso
+%J(!+*Cs_EUD!ZmbRH-G-p_:!DDt1baG3@ZOj&I*(qOmuje-q*T.RD@d\DA>jPK.>NZY(@u"GOBY2OJ,2Zu6*"j]Sh0_?cAY"0j`@
+%TlH&rW:k5ToP2k5k!&dM?K=SAYRi>i0I!%cV)%B?O&98#ZYg_6HJ9Co*dn*nileM(pT=Magl4`VVqdgKb.-Rm8elf&K0du*+u444
+%=B+_P%9Re%E:jAd*`9TYl.HD5&uhPgS_,_,+"O)0'_@oK5/T-(@fFB3f8SZV=Ob32GDR[t75_.3&JP=A;S9^I:X\(C<XU%V<o$k6
+%W'U]#j?lW9+ne7$XJM6+&+$pLWke[]NJ>[c)0F3h&D*(RAM.=/_Q(/RkN@\p92uco),l%t4s`pm_bV7nWO?*-,fOo?DW3(E\[0_H
+%$4FrMpsj%1kZQAkM]FG0"lDnX@Gj^:Ef&<KfN1(V?TAkolXSJC]Q^SLWDUFbe.F?bk(c-!go=]4e-LDd/IA]VT(Ro.26">WObPDk
+%I(pK'gdudVio(sd[j3NAXB.?\]&&m+hp)r->e+L%].t9>ocUl_^&LsO^@0hc*!fPmqU\A`8*aXkbmSY@mEEP)X&SFfQI/WaCOY^.
+%=2m=q*.Q]'LbDA%0X[Ve(9;7`G>(6hcO0_KbC6p4%WfR0?PF1FVYph\fI-KLN?/lAl4PH<F%/i]Zp87"48,5am?puS\;)?o7'P7-
+%2pmZQo25[7m`9#..,u>h[Nfmpq@_k;&RhM"I:Y'SPRs;@@%ho,eXtDo>%$0D<nsk<No+8omE)[I9']\(OQ>3P/(iA%"1[TmVk;l2
+%0;X6tZ2mY`C<)O\S1TR.j2k?/"piIeTl_S*WWpt'&D&gd,X%s%P%[eFfHK>ME9=DsA8G.0!sj2R6aIFF`<[,2Phoi\n*HMSo:e1t
+%BKUGi\&$`,@5VE0OI8t,@*</;5Sd/LcB[ZDGNAMGj9pT-T0tei;UbW)V>u'[c8WSIj_d:`A$+OQ2EOZO9?4*[2t"ubeN\#Y+b+%c
+%4bC"%GWX."PLia#,#Cu'L-%Q1\\+?-e6`ES@jO1idX3q;DoHC`$2&;;O*`gPSO*mZW<a-<-u5s@GH4<WEaHYe%e]%8B^&lm,^[BF
+%o5<4894oV)9iR[PV;XhfJ9[$2=$B4)`RLpG<=c%63<m=k0a#[-;Y60rpeConlGjb=PB<SDi91S0C:9N@6*ZS$;[t1`[k-N$Y&LG:
+%U5:WuICQK3V4QC>cb&W5C-'5S5A#DQl9gih4mciN5C>RXQ&?H8pmc`&"!=X,K@Zuho-IHhM_aq32bPb';R>GG>M[hQo`LZtGH)bQ
+%+j9p$rY04ph9r7&W(W:GcIH<l^'Op4;F!*j+M&#uRA;5[m9_o_9?V"l<[hLZZ;Np1H<me*P9Tn$ZmgbfdIPq:(][=?T_\/+^EaE0
+%W(C=7(e@o6$@d%uc/PmnJ\5!ibf98K.h)IqRW%WdN>7]qV"<B>=e\6>_@H]8[p7n:j%W_BX.^L07"]_iFd2+7>Ge]QP7q0Sr#fp,
+%%)T/Z<E7PD2_`cM;!hXeh=F-A[81YHYANHIlWn\9/!'P9,+)niI+KH0_B6,0MtWD$>$eY\]GibVLrh/qIKM.CYSWW#Z/0Q-XU-2p
+%9=-Kf0ijt1Wqh]'?oui/>EmZF%H0kI9Q+s+3H@"`DY)"n6+Le7<CqSA2W-k_B1ZX3)R;Tbf[]ET+'_22$JJ'lfGfEoT0<?q*d=%n
+%%\g0O(\tP0kDLKcFC^U+S>f)XKZcoA7&WK(pO5>[qiIG-YZ5!uHHbNDY*u;1BI/`+Z"dFKfLTXa4Z4+5i(:#OB%Ot1(H$iB.;r+G
+%oNE==S&!t\#29[_Up9YD6L]et:=!]bKh!g]_$DPI3iT*_DMip!jbsG8KMkdjI1+]f!E+RV!E$iJ_=5"md$#_JM<h\4@K&g)9'fd<
+%+BnH6flkS_!ZE,US=_g":XM5I57)qtbb.sS+#d=m0\c/b1KfBXs'B#gi44Q/f"@Eh`nC+UmP19&`@"L<(7-FYPlVLOhk^$93'dl2
+%<D1?9h_qGoiA8!e>mIr04L\P#TB$Bfqdj(lU1Ul1h1I35Ya/"2o-c0k@ncNQ.E:SDY`a8_XEnmXkrp-1Q9AOrQ?Zs5h2T(2Q?u&%
+%ii<gXqJ)1baj?deLLu+@&)gC'+aW78:PbZEWO/CI6Jt9Y17"<dYW,"U#tNDUYI_WY#ShsEMAtOB[fDVOK.$-=DusT.[`VCca]95G
+%>cHf,TLk.iQcKu4Z*7L/iG<B+7IEp-C(bc,.Y1)&WG^S`if$CM.ICQ#R5/,sKQ7n*#Uu,O!W<m*/_R,An90rN^rl7daY&`DITXM^
+%)))T?-gm5Yf(ug\UmNrV#F@kkK"STeRrWj`N;@LY4n$&>qK]@h1i1j`o6Ziur_Uj'k!Btf!h3/KmI5HpaAS7YP:@(68P-YJJ.d#q
+%E7WbR:?>Dr_J1M&YCpifF1ELX,tD6]4W>cl/C3^r4umHqY.tB&^Y'`<Htn0Y2#<NAJup4c]i[[_+]"s;Cur>nq5YFl[@[>!=X>KL
+%q[pY]V*[!HH%<rAY)p=OZqlE)U3]R)Vqa%[rOKQ7I5:/DqPr&#(gt3_Ou<!GShO2(aY:-TMY7rJ/IS@;QDaJ>"u+C[cg-`<c#?Z"
+%msmJ@+hPO$cT\=Zi#"pFG-tpH4HFmK2h+.;'<OB(T3\sY4B8i0EEA_Wp]97QA3"D=Xt-c^EV&?t4M/k#&U\T)bSZ7)=l/Ki<+FUV
+%PJ:Z%Eu'*IWip(^=(/Jkj\PJf6?MX_`Wt<r5AXJQ"QUu,jlWm*/"OMB'&oi(PNRG;I8LqUEgi\nOaUC=B)R//M_uC@)d+#<i,GZ$
+%Pf"2!7m<GNg!qL`dQN.gD>,ZZ(gfqmkMY4n@U5$ITO(aD9t0/3mO^/]_-Fk[fQ"X32bBbk^[ZGJ<*/PWQbC(3#-Dq8F^#S8X))l^
+%cpt>7P5#"UCNl`e>8%"JOW)Re&nVB@qU_MF8(_D4+E%VmD_UY1r))9UrhP?DKU9AA;C6_B.6I#lG6,=0KV52,eGobE#6QOR(t?/V
+%aq4'0VPtThgUT;MViN]-"erS.^p=P4D9$T"qhfS[eN6KT.i&K.9mp9Q1.7s2^ZSd'L^/BAXEE^(hNKjVmV;2=OWq<LFn_]_WsMV-
+%,gs2^<1<22f[Jd?MNpD\VjAo@^n64$^4J@1n`KFcXE@rhq&2EZ_ct)lZ9t^;h3+_^GXf:?6CiOO!:!/7)5dDTaX2L_0E*d2X61e`
+%%](M_<QD^_XO821J#gq`%GNlNgBE2?7>0hufsE"l:`5H!q4o?NZ_\ViNbT\"53(Na<Z6:QI?_q]KkRDh,Qt,Ar,!9"foP%cSeqL9
+%+&L.0hZsQ[D?Ku&/EMs!RQ%"<DF;*#,LO1gpD\s/g3->;Y9d&6VLr*C6(6h%55Fto1%%g^X4g4uj=UUh.P]kjReFDjIPo+.,1Y8X
+%XX0C67Y,>A0s`5V]F\_ioMTH/@cdEbI77)hBum&?K6/Acl=$FZ>K?G;QGYkF:A"'?"<!0Mao^rmDa)*7?895rO1Y#Hd])=,=DXmj
+%=VaA+L7PKV7YXK,2@@]k1M+,19B2k<pt?Vqoe*rN1$89&D:FPB!NWk8fX"dIrC(.b=&6-YK#/h"<@Y]D,tK/R-7Crg(-j@KX$7AV
+%0)co_.Ek`k3%`;qTl&0S/bG>kQ^(nef)JMTi(:&I4@O"8iF?WC"1Y<kZ4;eS7sKAl>`oO&P-GA,>#uR-_ZN0L`B/2-7,H?77Qn9`
+%poNoELY[JV^pT5pIC%=UW8$%nM2aekp0sh2>7>I%qf+0UH^DNsdDIDgVI@M!@g()$UPMrF^Fkqljh&'D"W526N"MT@AiB6n7_W%N
+%'hfjNU67>Hr>L!J)S*@E$ol^$kspGHL7H6>)..as`F*EJ0PC*^I/S=AhZEu+j/'L(iU)6n$SjU#/lq"n(E`cqoP0uB>XBcY/Hr&9
+%G4SYk+0gKoU0Gi#ESp?%'&;`#*ar,kfO6Oee%,_qDU.Zo6G"l1:A,hZfF5tfQ^DA#+8-k\G7:MU^EJ4k4"[n#j>=*r5?70BZW3u/
+%XB4[df`D^hVX!/SKU),0jCH2iV#XGs^Z2.7O)@+Q_9=G$Sn$VToWf\iJuLVMG<L1.LJI2@m:e*"?A<e0V[W^1$.J2`m-KOWNOi&-
+%@pXG;3-*j:^tgq2[k4ci(3U"UbU*''A:.Gek2c\`&o573>!"aqdjh'tg;4T*JOCIN]*.ElE+d@$LtZr0d/fA)W,DFJg<-uV$^*cS
+%ZKYmG7[7(iHek".+)sr:`P*"5bD6&a1AD3Gj<'6SD4RODp\PQZ/UC[d^1U9jih0Q2ZBAf*0&!tlRH$p2%-m.r\!94N>G_%q(>mR4
+%>PBef:EFk&\tX5dc<djCK6*iNi.UPMj+"0Q2cSD9[)dSjZQcBHm5'jp%*mGGV,pfFQ7?!b!gh\$D`qpO$iDo6>1oPTUiAA=XJ6[?
+%p9@$?j+Off,*K5T,nn'',9[$a`BWr7/oQU,EdUV[r]]$TIQ3N-.(Y4Fl(!nlQB1-QM9`Ni3Cd2jZV<-9_',q\SJ>#gAfcGk2^Nb1
+%&XN"rKB`aNdb=)0DtsZhqtUY8>&#BjI@V=#p-1rap`?:F>"#t3c!3)Mp$qG!fRC)6pJnd2;_*F7O5)G/cITr*VL6OX3eAZG5#_,&
+%KV*+g@LHuXEqPX#L0"*J&i1Rf=4L(D#B5fh*P,VXhEcc\Ds>ElP6eY$eQ/"j/0;u5$ijEiE&6N0!$hZ?5Sho;(N?-!YdWlr-P3*D
+%b2.qTG%$YRe0cZON)a13[]c=Q,;i:@YCll)B.[bL:gP6L0ZM8mc$.(N6rSQ?WfVP:,uCoF8?tjnSCQ4NDh7/8TI9$>h/cMf!l\)r
+%+cqi]5th>lO;Vo(muG_&WrV3o.lCHC_f64.?Z4Nq^H@H*Om(6mC1DXc`'M+M<5FX?Wh7dY>1,Qn?#]R*/&PWFT,@"S&!c,d*8IZN
+%Za2R\95PiX([#$(WLZ>4'TOcTXXdu__Co*k>"^ak**7LArCHhcTKr_H9uQ&i_Or%p_[/,`G"CqmRlsIp$:M:8QlWg?MV])#M!'os
+%+3o"4_(EN%<En'54j#_KrKP^SDr"]])"oPS6_4rigDV&^G$i4lAeb4jDA'(/%C:CPg4`G)NLuIeYC.F[?"].TOK*"cmr,e*<;)pB
+%h*1NjL5e\D[OadSERSo;$#;m->*1l%fKN9"KP69D[6LOARD$Ft2iN=UA3]^L@,4Cpf&Y]>7NO'AF14tmd'p$D3Elh2L=0A4F1HMC
+%+cXf+n*fCYZ5+f(X'0@H^D39>T!lM8T6Qs/VSl2,#OWaaA5Bc_\4i@'58BcNl+cK?.lF1uQ=_5l.JpJ_FP:_QV`/473AF#+>S;RR
+%lmfob5s1M-(/#X87D=)uVI:dTcYOO+9+ecj8\SbY#u[O$p1`,rfG0L'WsauRR8QQo(=O]uP'A6Ul&tFsLGTs?99'rJjQ_3Zb>^6V
+%0WG--(,Sg9X!8GYRD:Qt,SU)<.;!iE(XRlHjfUDC-f_RQ_QJ+<l1.;;(X"]lZ)JdH>@VD>2(>M0K^N;fpN/7r6j%Ad3Z,%+.p:7r
+%(8=<JF0pc68sEY:DC0Hf5.+.e7]9,!j:N/[+DY;h9%LIPkH6YtTNS"MAk@8]603tO)dNWb/D=rs/>dHQ."dIL)jAg_`;;HYLGSjM
+%jWcHGU-%Qg9_^Ng0I%BoC9:C@fO/l]*:nd$fW6].P5SAR/:!O`VB-VL<c9qe`Cq(9bJ5&4AA@cs)9$4!CS[EDE&1V?`%_4rST5kb
+%*aqe*=7R0EA"H.Z265LR"j/Y\E0%QY(FlMYfg?=<@o>W`[M9$(2S5f=fnY3QArGjt@SnlLT9M-m]>1ch:S^&M_$BfO*:+C;V$'c>
+%p3bP]7B-HG+%2GrdsbKnPLsXEja)L]C@Pj\BTLgW5F0NB#]&D,$#n.LW[t8BBU2_^6T*dE[-T<D7:%C2qc]:\.TIe"T6s<aOgN.+
+%p)(9rnQBmJ1U^0I.;Qr\H4'NHkE@r`pp$S:O;Ie^dDL<!SZ_2L=9`^'^W+E)&!;KaXf2EDV`I><bdL_gHmH)HM-!#:D32NCQ&4;&
+%p0/Y9HB54`oYXc?[kY2_X!rGGQP[[\kua"S2'Nl.[&7OT8hf&,pUaf_Nt#@`JN0haB5Jg1*''g-4HY#>K/qsLG2.NeI97Hb6/bh<
+%XtYMJ4(WSt/b+7nacC:SnG/#h=*t=f1$h76U-u*;gdUW1Lq+iRjt<Goi8'_nm-kWO6GS2C$BVlh*mYSF3@Xf`U@$UtIeI`U2I!nn
+%gF_K+%bUcS+rQ7RPU)g/CMP"Vpc8.Ig+$-77X4$WflHLLZkkG\E^+H9"'*cr)UoG#!X&D+6T1=47H=*e7SeOi7H5HTOdmd"SseU$
+%&X3ZF"Cp+s?JO>ajtLjiWSX"FkAd12J=fc0A#/Y@K6GqX#Sq8$Loq+*M<*YpqZ)%15jX`>a.<a.@XNCGCta\-oE[cC^4`-4SuDRC
+%NtddtCeo^hc#Keo&QXf!qO^'b4eY_F\ZMj^LL3)ckUMm,R]gPE%U2frZ)M,IHb_JW&0kA@EGDm:/^[aU2#(i)E\1eC%h>L<USs)d
+%NZA<c5#9GV/FooF(k:YWpo^>QJnoE1,rc&Po[&W"<qk"Dk-g5P4OSAoT`%Z_ihn?<n07HQg?Ac52mgaoJ*_(o>DW9^DDGmAeas0M
+%`_Z2mpT^76Jr*0&Y(*afrU63os*1c,Nq:tQs4@;I?Tp^Sj,a65s8INIO#U2;o7+1HEN?H2jp#*A0.Wd%R`<YK%u"$TM/V;-V4/ZT
+%Hjf\YWu5dZJnAR`R$NW.3ZkEo97\JAj"i@e"F5'iaA74=:"TS*PLT`M*B\W2.NJWZdb[G"BdI*cS?i*5D=aMKh\g!WOWpq09;f_e
+%bRpb-.`0m]iWQj,qR;&*pVN<pg.O\1;aI@1,j$`_3$ut:TTj7*V_"?DZZsV1%O[#H\1'mq/icq>a$?DT\QY+NFT5J38H]67$VRI!
+%)63(;'f0)i_Bktp?:UHUcldQgaL<Ieg@"_0OY:Z^]%'l1PX2l8Wg4hs#b!=Z@FFhc!5eVfkr/tqVs9EfFFp_R^-l5&L;Dq`80"QF
+%6]Q?0OW@POZQ_=)Ms(,ijm[G+LtlBJd$>[h=qqW+@1hm!lSs8CNDeFK3j82\JkS'EDAk^O&SKX)b#J-@2XN>k_N"5&D9g63VB"OJ
+%Gm6?5mbp,j(cbnS-!:N9qj)8Qhnk]<#epAr_g'9mMS"MV_'=jU]!*/nDCn[4S/%*/(L-53"SondMG-)t!\6Ura)6Gp`\>2%=$KC_
+%H4)jNf2npPSsuFQfGZQ9kT,eDFfpLP.gE1bQspQ,H)>F/$`K__/V?b.`=(^[W@fA:X$>YC%SAo`[)r;<c5\;t78R-!o>VcAWC'a6
+%V5ndJYKs7%LV?)=>NnjBD::NdhmL1p!-_O!7buH/ek,hU.HioEs-i^4D\7'!AN0:-PmRW3,G-iNVU)EUC=8+NBbZt-=>a/,LrMP$
+%4e'J@U012<>IS))BRKB$bPu7M<]e`\OKe=RJVFDe1#*F$k3pOI-<!GDn8O/)T$F^4ldt1@.,\Ha!0NgpB1BkW,6N$7<0/<fj@]9f
+%bVT[-WpccAP#O*PLT1&%*@jB%kX>2>,<99&;<2Pd%._c4X\iO;0qVQeH"Ph&&iNeg[1Z<d;0%E>#g_k)g`5o,$&"FF8Lu2"T1:iR
+%C]dKa/\pj[>R6\mCjt\P9(kYT'1eq0g,'u9'4UtnfOWqUWN0c7X1GtZ.5=mOoR@2VM6J=>jG-F$6]m-Hk=SM+GnRQE@!=h&W/,FF
+%Mfh@tBd`k;<mB&CJr_\$CIN6kF^bYJdM@A^pe'B,"3l#Odt9,3+*o$Z+rFb"F2`U'$Ku4-gL@?0$`OC=o8'kNU]sdsqU2'Rp'UGm
+%Xc*k3KERs64G:8qNprH(YHkYZ;+dO$HG#b_V@II`R,1%",5+D!m)Wumm^8ub0J1opI'sD;;oH?Os'&0j%eH9Jhh=D<;\`9fG<a^;
+%&.b)JAs?uM;T(sjH;R3pmZOme>HAF<IK7KBrI1h+EN%6'%>^%(dWAZZF9J_BWbR^N'S8Zl4?:p.e63*'HQTGaQO?(@ggHB=G?10C
+%RQ]ENA'[6U5#_^5%WJ8V>I5nCpfmkTp5D&<.DN)Do;V!3*^_*8Vt3[pYt,/M,_4goTTfC(U,$d!1gS?Zn3jUVO]tLHEJ%ij4g,#X
+%oOa:0*H6J@#2S'_`%nO9<s7oqIKa[8/0Cs3`sS":FN'Wi:6F5OI.gLsM1hu)9\7'CbQ3UTO#e:*aF0\5++J@!Fi'7nQ[uj^`ni4m
+%^LM-LXs7B0rMcS]]Ss)cHC@R>4!>(NH+@`,iJe8h@HMD>N'SVdQ40)Y$9H4k!5S>=Q)UC=m%AcRSI=U^Asp]\Efb6G"$.k^=g!n,
+%H#\'^6S-+>?nR:fKo4kJ\_+T,&F8Z1;$E3^WC5Dpj\OS^KJ$Z4o%Gd@/TUB"nDeEsQhdOhdqfA67eK1\QRLk@[&f(*k;)QMm1qNp
+%2\_m9eU)pIk`R?G4G1JRmJF05I+bHC<B&ZjK<[:hHF*.#Y.+D#'LEAGH<3!a4%LBNqJs-)0Y7DC`tm!UYkKU"(TlA`&KUa*GY9q0
+%*.he6-qtJ"M\eba-+]f.a57kcVSgl;8_OtK(%c)9VMFXP3)%W'=9Bq!a<6OG<(?W;'u;["/*JdfCb^8Y)lZUH^YmY4N`>HO>o<15
+%^67C_<e(hh@>G3[9m6"nn?kI"a9?p:h8ikY?:jO1UN4M*4+aGdg"\Am*EF5n<'W6d01(9-'`@`q_lSa/N_Q5hXE^1X_BS%lFkQRB
+%5_Cb>he'UD1lk7]WA@dqB"$P7G0W^p*=J#j.qO>ANZZpJ+3o7,3Hh]W[j`WZXLMtsXjHC<pW>>+f0OJLS[6%jm>32s@<VjpGQl@$
+%UhF/+QmGmi/T,P7/dDhA(gTZk;/>6pZ)C(_RM#FQ>GT!s#Z:gX.c0@BTD/O1cHZ8=_>bpD&+e,](0_g4SB$2E,i&<nna/<EBT8)D
+%RXS_T^ti_3lR"!:r2J>]kYho&;3@%6[m)$ts*[Acs(C9^!hPl6aU*3d*GK9c"mFtWKuLO=Y5)W\I^GB+l28387jtko:VBo$.)MGK
+%TYB*d>9&Bt;Q;o_c,3R6W<ruK<$'h.%EXg!:[us"EfgaUI"i$LjZlf>i<5gI!O)m1_IhPfPc3HK`/1%%$'ksO-N/A'iY6WLl*k.k
+%"P%c\"1A=:!-+6?.;;WA'RY`>8[Wt];;mjtF9"TdB`D1N(20_lT%c#a'Ro7R-+:ngCt*t4.5,=N;q;Nb*4;^fr:g\RklcRG:JW;`
+%_,8GISp2M4(0&nWi]89"6/aY#Vj_A_%u[uT33qn%n?L]^.uY#9@C=[L%5;=hi8mJGiLmT]PQE&J1f-U5Md4Z&#em3dF=&`TLK>B#
+%1:Z"9$O(a.&WFldkMO!*<TqUgFp2ggle3(DE,@gnR2SjuP<OG)4!!Ni7!g?G`1Z<1J=tY>6BlCu4<.jX8KX!h=P5*S$+@g#k'Zq=
+%<\*:W/nmjZ(^Fp%-0)dX':=;?R;bPg@h1qmEhPd+;_qs`h<pLDJg!e%11G2Q85<.fokm0ZCW]m8`%gsK!aT_Cr_>,>H)37)jS]Y&
+%He?u:grcZCDRR6Vi_u5-rn/(E:@?$?hu7?BR&<To4gX4j=2hP.8'*tP6s2qnF6a1Q\>3*Cih,!R;"qOu4A!8ZZsZ>+L\i^_8W]!'
+%o0bFm&I\pbEE`YXmC^URWQ=&GB/b!^9rfmjX7&.t9ANs2)Yh5^1j#bbg&'DffLp:1]sL>F%FTqX+OR,EMjBVc'NF)n%$u_mc;ZFt
+%D.=M\p!(n8pQr*cJJZD%%\Hr*U<#$61s\+4ifOA=mD??ggj/OPl2H/!n;_3Tal,5QJ\s8Z;2JtQdgR'\r\@AE]Bq$gk"h\H8qZ:M
+%&W&g*KHHerd8r?QY/gBGJU&-fH&*4TIFZ@YI(O:C9A5&]JOOJD@4Q\h4b3tl(AYDKWuODhp[s,3rZ#65[m?!-R+4j]!%K//_.Dg:
+%0,Ic#(W[sDO&ELq#!JhI<-#L7[e1_g+4[R+Y5d1;NQA[l5j3eMqWErpnNS\^B#[VHU&-a*"/C+$%-e-UQ8NpiWlnHomG-$OMQ`.I
+%;\P_K4OLR^XNIc>lu+,]ooZlf2Apcb8DYq'5umBl)ns"Tl$<qsa^2eg]Yt&^#JnbkLeYOQW!FLsOmVbq*KKIl'MRR'Fn!<i$-j[+
+%Fgl`"bH"\AH\i=>"%rMXn^#aZ[;KVH<+rf0JcMAN*9D)KqAISk0<\jhOKEeZ_mD9.nn47mTn2",,;.E'`FNc>dK32UH7[l<Q^me)
+%#.$ooJHTj\Z<NP.7PU:.N5i[Ec0V<IN'%lherOa.]"S9,gjFqTQ%fNr>drk<IR^q1aZa\@@0.62d5_pupduR=^a2[e%'5Dk@G%+-
+%;3BXi0CLg&PFLj9Vogr-Vu619;D0YS,a:=QWaO^gaG;h\Yro09]Oa`:46hUfOU?0#in\[C[IZfo#C.&dGP3s#=Eq*o`F?ZLH',p=
+%@ntpAKq92+,M?5dMa5H<,7CYZg\+X`O&Ut+]\S`2Ye)ta*H_-&bJ<kWp66#6ba(6#HEBN<C-(.\F`UYN&fUIDqi4n$m5%Y0j-jt]
+%W#`b,fB>f]:6P^2mWl<ZgHaiCpjVQjW?+-a&d#u6/QhlC6A,S=1Z%!LTF58*/VqfQ1)uh(Ej/nA<`23nF&ZoE7F8`dOg)0V[Y5iQ
+%$;hOA&HMKFm)#Sj/o[tV51$%m1M/mQrE"fHF;A=e=#?LN!B(mp%=72,KH4k0-?fE9Wh9CL'.sfWaIj\s)fmZs6Tb5+h<b1Mnm^Uk
+%g:?5M,lqXMqZpX%#%DHb(qDFYO.`@q"cWfR,slj&:G;DHr7>+10F4.O04m*h8!gohAB<@nfM9/e$EBPmT[2QEl1<R,.U79l?V7.0
+%/GC40`!EJ^\r/]mfB!J.bE&i;SGPZ%XBYoHEM]"kMdbKoLO<V./LE&Rj"d(,!@@d^c??I*P+PEp<O3mNIXlSRiCItA7Fj7RJn?\Q
+%RXU6!U->]GUSf^TP+8L&aOI(h$YePaTOE+)aM!Tc=Y%7Y+H`RBQB)]h*2&(.+O<<=T^-kT_'p<$Gk6u(ZB-+7p4#.^Ec<qN/r9Qg
+%ps`Bld#JA_EOI6CD!3^-HY=R_ka6X;=odC',nhGJ[0.PG;e%hUGAA%a^R)6LFSbJ8ZM?TQ>B/VZGqK]X]/bd^R+P.*=8082_g,L=
+%#=VFM^h28M_*TamGi#<L7<gD$e5_bCcM?u_4e#aVJl)Fs!R\)@hS0/eh66!@gA6TA:gW3(:3]Dg=0RoFY9in-$C\9Ur=Bf9Z`l_Y
+%G9&0>7'pYRQH+2"p:U8`d*(egC.NY-a&<E7b][r@;`J,)\a/4h(%i9$N(:WFn+W\;MYQGSmT7^n@*n%pT)^VlDRZb6FE7!,g$?bD
+%O.GqX%Zgj]a)/tMNh5n5<!NLJe#Z!<^PCdU>m>A28K\VaZIu62JoG%7),0Gh!4u!t/QGH:nM'>C"pA!nk<BOo;=u]KYj6J!bGi[:
+%5)14r?p]^d`?nr>o5Y4.c'u?pP^u-noL5ue/-5`a9B2Ik)pgGWZY&W]\#X-CBV!/_O0N7/)@+e#Xc_Y,]YOmAlCW)$(/^c:-+f4I
+%&Yjq"8?p.JHJ8>DkN0XP[WXX61ng03rbT'EnK^*JM!nqMS2E5RI40qH\V5;dYgA<p#6SB&;jBc;O2'N=..%?qD#"hhk^J>g(5Xg9
+%1]8MUTI=:"c<_"cnYHd[Ms8PQW2a?hE#C!PIO4^i6G[eD:etl3O!>>6l(/iI4htbAhX(>FIn3OMqTu),)dsQM5UgP^KW6^.RV:<+
+%FgK0F9c$(4>-^>fXtZmqZa"GKDEn6EbPSQBqk_?p)@4mY(UIRD3*=1s5]a!]9nJ%mHS@i.MB?&7`>5q#nAiQ=fkS.u,[#;0R`[8P
+%`tb@1LUZTj.>]0:WSk6DembifWRDgPR`h$Y7bf^^P%JV7OOIPjkXin3:i\P`I^4DoZm(^W&J1`kc!El0_SmU#3?sM?0h0Vg<Ns/-
+%=[MQ=87h7"lV!K@h"H)X`>`_^b`4oIc\VKZfrle`m;\*s,XF4gATSMW'kqd[COkQ/0')slO<\qTQu))=Tp!G4\^Rg06&6N4WfA)R
+%g4(#)e9c8l2&AQ$raJ/K!B$N:p?>(U[tsK6F10U7d<o"uUcX?2YdiU"UHjkj:cuB$b40',UV]nV11SWOhhO/=!$%#,=JX@mq[B`[
+%:(O!,,?V(JR0-+5-E*`+:!eX*7`T5"gCus):a9PS<lfi2g<si^hR7,&%PE<5W,^ng)2uKSTJkSJ$%`W%Hkq(7\d]C]A^]7`XqC8X
+%0gJ;s7[Q1jnA<l7oMgMsa8336Wm>DoZFZ<EA\A.ml=.gKSbm_%=a6"#=\&gBn"M'b"X/b;Oodb\))Qb>ifp']7Fb'K]3<>UKeeXr
+%.jKB^TOD?;me/bn4uo[]_e`QM"0F(`GERuj6r<WU%b`61>#"I1N(mN<V4BiPN6c_Po.a#7Z+l<aart/&<hk6s.H#];C&P$A8hs^\
+%`is3+)`<sc;&L'PhE`B[W^\R;LOQnJ$eA>OO'lu%giH&[,tZSa:3Y5'6l8nh<PH0/+gKX^KDEa3aFUcX@3D2d;Y*[.\1PFHTV5Ju
+%gomb8F<4'Y#>cVLooOT`nA.J`0[JZsm]`=JWsUq3Q3;h[l]lfYWH->nYAsP[a*t.#_IS\n(%t7AoV$PqJP[Y#OBL4RTiH(MjBcI$
+%a+9/"8ced/J9U8gmRm]8_b"#S*U3.s!pL9'lF/?C'M8GG!,?2.+?,u2[G8LU$Q8,]g/AiEmns[<o4GhT&*Ij$gX8:?61Yt`J`uBb
+%r%23?:M#UPQej<2+L^Va3'b_D]P502.`4n\i-jtP*^!ETVl=dO-O_!e*@JY"DcZ_PB`QtAidMC@M(^j`nMgJMc!uMp<0?tYjH\86
+%TWj$Lb=hd<..#HgcJb+l;t+MR*W2_?d=/WB7T]f$SYEepp*lsKA7T`6G:h[]eLrZ.UbhW4j&"u"`.'4/>g#;!%N:(%:&99Sa?MM0
+%ghHL>F!B6njtm(9*@C![!^)gO4(H]`'%GA[`L)-^R_=M8,ET<5Q-/6si=]-=<eEekdfsT91Er`ZpNnoXTVbcoNW3-dlJ&RY1'gFQ
+%q>*A_bF%bu_qFDu))$.hO)Kpc'7`!M71T/=E/jg$:2N[A`EH!U0:2V>&U_7l-4RE]#i]!!.lO!&Js'Yip"obihdcTKfP1B$Fg\qb
+%MGur0WgnG>#$.oqrYeoEY#<k<N1V%uG9_!mYI]8rS,9'oZhFU=V\Y&".Nu^nXl.P&,HgJ!MaZm1)=n<M04;2Ylg)X4.Sm*OCuD!=
+%i=-^L!G]hW4_/(,Ob4c"E"5f<SJLgP#c+iO7HthJ/'74\g4)j@RA`o/#fJfgXPN&_$b'3#S+=*QGGBrIZN`!'MPWVqaO7ciK:"=B
+%cfsP'^=gl"8/q2]X0J[#)GmB"L4@#_s.us_U8)eHT'LCL%J&=^&*ja[<<e;dOI-M/e!>06bMHnJE=luOcaqc\F3\lZHkL"\/6_Y\
+%aoXuXBtf_M+"QS<h>#W%gV$c4IL+89!\8e6)Y6#3n?Qq.b_Fh]MrEc#D&<58=^*E2rT6Z)E,5Z;@9Xsr?2is<Go-?6T]FYAN5De-
+%Wdk-K`TemWU;F7O8-mjTC]R,<h"4[/ISP)']a[i;hXVFQ0RG-Z">^V^If\'-4KV#\n8A(8+M,n'ZAr$U\0m]m=P#^'9*!eh?C7>1
+%YYi<*F/X)[Fr_W*,+la%4Pu#5&7O`1e!mHUI1^$E\%,fpnB/IjVu^O_@KKWCSIpX'9ap_sl.:loQ<Uj9?lHfb#KUUTo4cI>Ef]rZ
+%E=]u(N>.6f%^_Rg;a::]Iu2eGFI;RP_;O!PG;f'UYM_,TM2J[(:ZKb%k<&QhfO-L*E\e9.HBHUWi9XOiK`MuM95N1uSNZf?Ok^;'
+%Hke>cOr>nB`4*?o;ZZ/g=Wp#J9c#ePmukXW3#S5ubjKS3q_m`K!Mfo)^1fL^qtjXO=pVS$G+3L:K'dG$!(?GC-FbQ-il-"8B5S:(
+%3+fEj95WYrSSie85.X7\,r=)(Ag&A"KUDe5A(:bgg:R%to0o+ejS-hG.6Dhu#/@h.X%B#*/7tDOI;JMt=%1kO4u602Iqp\iR5j]]
+%PCOpi)7[&NTghhHBW*^k*(&t1qS[n^rq7,@\l8WOCf?PoA?d^dQVrpa*iEF?0g)UCZU0>MGZ9c:9l(H/n:I""@HH;s?b*:fX:\W(
+%pmIUWmK%(tg/]tmcCN_A<?p<X,3QP@UA'd*%\>DJ--Hab$G3Gt_'/m"#N)V8)%c(Tp\U^A48'ZU^qF%+NC`c_lti(h,GdJMc(jN-
+%n*_SCBPE%67OD*K1oU*R;>5rl_4ul6(O=FRjjJ!Yq^@3`4\,!=U4j<.R+G"l7T"O6RaLI^#1tk:Ht:JQ5<q">pTB/7&KutNAgagk
+%5&N#0Df+]Ea[HRL(W(#A$01nQf/1-;#C"nW?3tENL.8s#@-mBDDsieUH#:4=I);%q$?hosI`RJtBrjFKl&-99rc$L9,m[@ijl=.U
+%($oP#@'d^+R)r7-FubG(:%Wt)`a$?0V&TgBg3$1VWPE7<=Rj3QTqlJ7M!E&<rtTbF_aTc(@4N&nn.hp:mad=m.XT2gVk6?s`B,o7
+%6k_uVo"<;-Y>AHT\"bKj[S-YdZ&^hc<X+>SpTo7LG*7M)\<5qt;:Daa(P=ZsN^<7NTg_9-F[KBULW7Z/^BHVeDQQrsS\)X'Y.d2#
+%n'ik5BUh*-@$6kG:+L>A-au0W@S&.ps%iF!=8)bC=_VN0I=IHG:?)9uV)7-GInZ2L1:0tJCf7(u;tj\)dH1U<UXjXPR9[)P-qsjO
+%`I/#uCaoggIb[E)\`G3ESRf"@5[Yl9-t<u<FV9k7_d^YQpqTjML_W41N-\*il[@Pi2XN#XC",nt?D%t:n/1ef.HkNSUY?pkI/s,h
+%%`:+!rDuCTNS_d"He>OGm<UMFOW(@mf4.=6mF24TeAlDd$uiD?o(gRJo*nOsIgge:<8BMS.@@O2B"?C`WccpXmsT<[<LH1+d@=H'
+%:f/7)dt`r/TF].M7BejaT:)7%AI'qFod&l@)\DgD"RMP)a-Rtb5kQg4ciVZm&U8u#Gm9+5^8)#qkndbAiF]UNpg&+bB``Mlru1N\
+%n@$74n_k*+##MP%,57;!$5)\6pU[usg)J%<AiC1qdb'l@!&h;2J%qp.]I,]ASD2K,cQAKYl_$1Crhs/DDEI?iIM's*=rL_QbWA\_
+%p:c,Ohs3%^Zhh@erSl)]'f`;\;C//O>nhY+k2l.*HOj@6Xgo#1Ra7WPm:E3Zp6&";ha:A*QqW<S)+_K-a-p7e^q!ggfB1QLj7RG?
+%O#cIj)e_IffWUt:J`ut!@j>9$`rUkC)0@c5g%OD7\Cl`s!L%B#61jQCN>+A?(pDjf5/h17l.B]Q>6mA;O=elY3.\kWNVRnU\FVfP
+%q37.ilctVjm\"PBb@J>I9cZ%u+t0BIZZ(D%'LfZ\^oo1(T]@&l&s!25pW0re38:?m3&M"L[8AE1Rt\D35s/aN>HZJclYK>2h)uUZ
+%T4#ee8s&DJPWQWB#YupCmL)IKA2N]N']Q]%mPdnaBV,)%f<tK;XpE"l8=AIEdE$e`pc4cOU<Bc,oX^T`MeVl,/lkYEZ`JTZcMUMc
+%qn<=W!ss/nK=*YGp.f'uH:d)EG=tKTrL>DHA[uQc.rgEVLuliB:IA3AX+<1OitgFA`&6_K6!p(*epMl6p/*"-a)>it+9Un48Di1S
+%Wo(Ms=Z*]f1+RP$=".-U9WOZq^l.%%\KU,%+@>)hA-E@53WFHqK,NF)kB3VOi*Uag#*#aahob6BZ!s3IfX0G<dg*I,RDiL'e8_O)
+%@GP/3=0l+"-J+FgqC]D&P'^fm*>\D&QN-pDC9VDBK6kXBo=DkFK1q[i][8eU>8b'_6snE?";=9L,J1ZHBeAJ"cDT]<^&3fbG;I=9
+%!/?RPdGq6)`QlmJ!*I4.R!'\3Wk!WW^)-4s#L%Dnqjj.JDsL*A!q_poD.'ttIiE@3"*Q#+_V]aaEuG.QG?o&7a"L&m:LJ%+(QRIZ
+%bBCXmAd#["j3udB(REpHobVkS15:X.ci8Gg9sR$LSW#)^EEGLZm!fK`&H^m3#:P1GOs\P4_sdfYLDN5_n*cU#%\VArOO5/oc4XF,
+%Nrm=R+ZeE2?ggbRTuL"6j'M`7W+NYk)g+;MBJ@%8qii[6S?;>*ObKR'H4%n:\L=SlCE2cLK%Bg?;:;2qolY?:l!j"DI-khmHY)OQ
+%9#Rukpd)(;j.;Fsi6NVk'F/KREsmMDm**RB7"ZI\SH.qkiW)X#iCY:maDTgl80R+$hj^s#?<0g.04BCE;\jheWqXuXKO1p+3S0`[
+%/;''rr\h!N/KLg,]C#=ogqT;ZHe`9@kCE!/:j$DFH.a#7G)i<;p/@oLCKN*0CB=Q4=;PY;3P8^3Q6T1X3VPm8JV6KU8d>=?&aSiD
+%%K#MpF\6]4NY=HrIXf$T\:(R-.;-^nN4K;``2q6>gY%Jq:-G6$1dMKrbg*&F7,J'$l5irRfFa?Rc(t*oLEJ,%+meh4LQStlP_9K=
+%:>Yjo1jDo!1/^NnAB/W97;>G8O?k6`>)@Y3rk_DgLRh\`Q@S@@US:4@DnE7$W@*Vok>FC6Pl8E9*"?j+UJ>f)%LBKn=c(>/?)Wl8
+%38H1j;(S>jRLc&Job_h`H3WNgJNg#/>(oIC3i(@Wr&h/W7ChKqU2ELZIsbu2FiqQO-d+=Bimq,7M=5;OmbkZ^kMGkrWOit_a2U6m
+%'8ZdQe8u(@OUTrH>kI:q!i'!]K:rdkQsce02M)/#/G].((WE&0C2JYAP[CAA*oJMMpbdqc:\"l^lG9"cN1?X+QR=K#Za8^ffOcEZ
+%haVVCJbh27Ca01H>M&O9!.Rn.gpIKG\R1#ui2^Inb+rqs_O2E=_A1j1HF]TlGn:t)fP&0Y@^-4ZbOk:((YJ1.n$P5I&^re[[\jA<
+%dh3Se\;jt6cRE:RnDfDHlWBDKF^:'_7tsj/qKe>k"W[s%QLLg:7kqf`&<B+3"apRfHUi>V=J]j87]7=PK%Xtpl`4r1FuTs^fW?`7
+%m_\D6a0(r0SMdrAP?o<ORdtK)]Sp74#;`df5]JCQ0?:Ntp^G@dkUGFl\X`I(%#e21*$CYBn0VA=Y2Dfu)&5YdN^"W?gh"!1U(IBQ
+%'E-%]mi]FRY=f%49"2D&[5(^-L0i)VQ<aou4knbUL_i'[i'V37HscjCDQRnW;Des))M-(jWP/]o#^Z*;K_G;JZhh"td_Llk:@ZPP
+%Z(&P,o+N/)GlKUY_4TMte\"rj?7^D+UuiR0.(-kGFc7u3,7K^*Fg:.7B[!2FI=YQNX\moij/'b.:_F[o*NP-Hh<mMcQ)hQL4p0oa
+%#Zkq1DrXGbWAWA%c[/9DK%pqJlIIABl=3oPQ^Ou#lfq8JI-=.'Wfl)uO/_HaZLJ?Kqe[MOf5Y0(JJqao@'Y\r4ONPZ*HTgSk@$AA
+%_0p[<:Bn4G.VSb='OT5QfUg-XAAk,ajQFKCgfH$'E<e1.@\#_p+ll5?[":IBYOg*-eNJc(`nK6IJZc.\d'I0[A0p9H.+Ifo4-#SX
+%.<HGt<2$C^0UO-P:7AAf/:L)Lh\MDiIMAXUT'5?289-(t"q9T`5skXNr]Su*bj:[KTW7fX9n%32PY\\Ib<a@]ro^-6:,;4DVlXM*
+%g4SAD!e1@us/"qWLnBUHB7,<a>_oTN&'asN&"no0)7"7_ga3g3T?]EcgYh$8o^BpIXkn4R4\\h&$I7F/bCSXND7>0^%r[89(Z?3?
+%lhV'WMJ-f<*c&+G)guQd"-',@4+mT.:IF#)f<-$?;>d#Dpc5gss0)1_?gr%6#C9>K[srk0s4dSEofrKJIsh2j=BEQCIXb9?o!5Iu
+%TDnSg>>YJ-^uTj<@/>ZXE7.1!Va>NAk"CI$?1:dBn`X"AeX6q1Y&SF2l\F,D[k82OQMGb/it"d.]G<Z?Zl;6?`GNL\`_cAEfV3DB
+%mX9RAd7HtSJg_e_\E;j2/,phRSleZH`"5k4J)KY@K#\Zh2\*Z]=:8eblGl`jrl?8BeV[j2q/4T.f6%SeJrAQO)]\8K;[O#=KYlXX
+%8oB!bBM8u1#!ad\h1P=40Qs->C]oY9MWQ-.T7:NjpieCj_/`=gC9<KR;)6q$STj$DRd!ln@]E3dra=FGB(.:%QGRP'@o8=-WdBMU
+%ii\o_cKu<thGbWmi&Pp85!SX9;u^i(K9;Fb2H;)kd7bL9nuqq"D#WA"h'!luK;Z:/g@@<YO:$R/#;]hY`)&-Gm)!`13@*%Mc[6eh
+%io7GSNG5Xj0,X8IYgDLnn[7rsac4oe-dWT:F3&].(Jt=?M#$:>BOlinN0;^4Hq:p+i@%X_ouWuH2$$K;rii2`h3ajDD"l8ll#q3?
+%0`;Y=`,I1IIi-W2)Xp44%,(\5Jt$-I+dpA<FCdW,g#RPYe/p"d%_O$rn?DY(I<ah:dma08^r_8mM_6=46G=0r(P]/=mB\U)BB\qh
+%nk$eB$K$^QjN^pHFQ6a3@HeIl<@p@%HY2B?@L[_[cgq%F@b,%gAI%Z3P&H?l!uAR&l4+/lA'hu1@VQ#Q6WcmUi2u?"iku,OB%V@e
+%9"._?%9qtip.2kN0[A^`L@O2Z\+Ff.k`\Nf*9+8_6Ns2YIg/CmeJ@&^G8JU',DVr(#la=ls.p>>_PtWq*@'(QQt-iu#^,nQb=;XZ
+%@8JpaBQVb(WT'FG?UK2e*]aUcS&]u>YLOaVU]WL!%oPk\mg-NFs5E%dkBI9[5G71&pZonI&lcO'@m7U?C_GkuZYtqH<<U]fEhCB3
+%Y<V5%C@T\7jkRDOO5SXanNI>dp@*JuhP2`BR[P=*'BXE:+kk\jjrY]H`*e4<DLA@Rlm[Xk.7uQk%KWE-pqt9aT^8GKf9BNdF?ieG
+%M1tEYSfSfm-]Gp&gUf^.r<cl7Wq\;FhBLU_8+dFqEE\?+[Op`2a=5,ODdSU)JLTX"..bY+2KqnYqFQNf<!4$hW>P@%+o99+=$BHc
+%nJW*u_#9pX&1WSO^0iar)CTGj&2af#88L0<g%rUdVH'jr']T7FeE7mdp0)#'Q"4gmWZi;+:S7R5>5IoI(B^bfAd3I^;9XY_+0",B
+%1.aB$^5b??K"HBnfN1H&,N9#V((gT-6i^_4BN/C81>UP#n/S(Oi[XB$LDPgB_fXjq-u$UB7cL,N(pWT9p\P3P%5j#&]1J2D*dr\C
+%j)V`C10C<>n/C0XXN0YO=iK8p5g`h"_Fa)nfC6jei6-4Sro+W4K&sLS5C?<L,dkg&3Au/)nU6!pb=a+9%-tsV2)B@V-<-4`/dA#=
+%CZ`26e.c5Dgk^u-H$6f8)*?qA^D?-@BtjT]>JNjp.mi%TkL!a]CjmB)W)qA]c&<h\!]/suq#Q/[`:D!HHpqnLoW#mq1^CQGO4dWI
+%V];Ff2229&q`j]\Ch9Hq.-M]o.6:lSnD&MD7o-?,$XnR`]#j+^-K?\qi`+rR5s$IO`q[G^lJ8SgLb=b+oBn0oF)212De6UImAOOS
+%/PELf-\@hsZs'M^6PQrPi=@egRVD)Di"achC5ZK,R,&of&B5fnPquBA5u)@a]h,@LJuI@NC5Ajp>7;[`4QN@ek1?Mu64@;fJXd;'
+%3I@@:;#=c#Ti3oR56r.!$0gZo6)pMc#g0XO/D.EEIm=O5L=fcN</FH1a'/)CE.bmG+dST,@kSb2cHdL-O@p?nkQ76rr"fb)g53]"
+%Z-q!#&u#go1A2.Qa>3MU7oaHD+&[#_S<L;-\hME]jL$f"0pcPC!:Yh0fDluMHL]BY#&,oN,KIm;[j$m`&<@QeK(&b.2*,-roLZ7e
+%Eb$nN:SK`]2NI&j;KuYlq+:H."PFKH@%XVG,]e=V5>o_?8*q%O!-mco`8l%JF6Jd<,C[DBe$a];'_UNX+P-9qgG/n4#EhD7DH6>q
+%nOlB-"@)YNb>#GX'Fp(G+rB>0UI7ZhYEq;N+RMAoR7<5IjeoaJo9A!X6/b_PFKi0M_F+"C=tV)6LPK:2"b`R^`dpA$co,(5A/SaK
+%;[>h13&<_r8?G@QmVCB&mJWH;6H@Vg:W#FoW&fR(k)kE=o?SC#5A_B"Zlb0T%C3,(E3\(M7]?.A7Jt[#Onkq#3LKfM0g:4sgF0lq
+%aC[VV#^3-KCZ4(J2.Z&ZW\tp04]S%=%+\j;l"`Tbb%HI;.5GNuFhN;\ls"TaJ[Z**.YW4q#/.lEW(h2'HW4LlH#j=qLMn'f2j-;_
+%5d?T7G,V#n!\+]TK??*M8PMS$%8W^pdnWH_72=NDUlJUU+LbB+KH,'\!Oo_M`mKCfUH)4aaUt>'Bf',8NrA]8\cPil/i"&di_2bW
+%%,j<\2.(E2@)r\(I@bn>^a^E8%=of00sMmXQc_VD#",5J`Ub'Yo?(R>j74!FXq?k6Cm^$*+"$NVY!g.Ch?Q9r;$g4Q[(3;)%&L\L
+%)B4*cWkFcq8Q4<ngr+6ODt#ms@pmY<:<@W$mL_n]T]U`I5!i5Wcgu![DL`.UrZDm.5homTq4u&"PM%!Dc[*>.IJMMjPE-!4YT,]+
+%Kl_AZF-RF96Vbfp%P_u0B`jl[<"^"@0#Q/(PuNc'pHFB"b!Xqh/oZA>Z8RXG\4!>mIo70`\FJqXiqnbU[Ut%DrZH&XOPooQ\&$<@
+%FRVS#qNWGFM$mM\gbp?IQ?"Z!Jqrpo*fWI3>&1LHIW%e.hiC:X5D]>X58#\UU>-[5s1T=W8bV9g`%Cbq)t?DnBJNZKob;0rppkP1
+%;HMoU0<(1c1j@J+XBkMG9Y2W5IS1U=,=d8uS<V#gp$>qAH*C0ANJDl\Y[m!G;N.n$X0(#h^^K;PoSPlGNd`a^FlmYSTjAH;^cd;%
+%cVSH9K!;A$%Y9&BcXHQBQ<96QlcD)h"E9aVrTl+l2+@2R\3:ZB,:M`j?#<-J+XBj656uVR=p8.C6(>(('Lf'@S07e2r.BLOoB>BB
+%n,VnW8TYRB8g7i0$=NicGG6YWjLE.>];LqEf'ur1]ABK]j-'ajD<g42>K^g?F+.sPXVO2/Bg>j=h3/+T^p^=ib2$TO.'>T(p!\6M
+%2Ap#M*);NeB$1H4g7k5YWOsYO!,O4`m5g[>*e6q'#qW)u0W<MMJsnOmp\-.LnZ!a%G:"]7,4ohs-Q_I;+[ON0]oI'Sn=8J04G'@@
+%"k2]MRl=I[DNMEuR6qOrM]\1+%aJN?fnE*aU_N&#%H5rGh6W1XGl48]9M%_YbP&GMVV.O(g.`tI2qZAMa8HlCO7,Wn+B$PN+Gtbp
+%#YYkY>m>KZOZV,T4mPd+;gF8>S40Q`bQl8HJ:+^NY"57@/9L1*=WFd4UY@QpUH?Cd;,$0_s314Dg$uXV5)V/$fmoR15P"3IVps>Z
+%PG[s6j2inDf6nC'HXFbdO5&W2a@2EZn,'oNcb.JtLc9-\UG4T:IV98O?IqVaOPGJiAW]j'\3\_Peg%#%6&[MGmA\op.1.oNG#,D3
+%N*VW!+Q`hk!d[!j&n\CmS$oBpBRpuTh6]S3U-Fr3&*W_Y$l4VAnKSHmn*XXd[>:k%T!6g.mY%_@DP\FtL9$;u,BSh__)uc"ap!aD
+%`Y3sY68\CO)#(-^H]3hpZR6U"YWf[2AW>5V0GHfo`Z"18$o[7:BTp.$:@&RiV%Jfjr4ILjHRYAafY946K*TIIq2VU7SEa]^A!mtU
+%XAKu;G91U!EEm)2\ZN.MYaQa)'b8D\]PhT=0:dkai^W:BWh-;_=!M<@XKlYT.occH(I^,Dn<ur]&8^o<X5uiKlrk8m)jh@ls1_oN
+%G>\!#PJgPK9t:'VJ*")J/RWW/qg%Yq2Qcu3gZs_"O!i]Js,hBZC2U1&^8WD?W73uTn&R(1gZ3'E#<$j$*tGBVAC.#3mrS^beLqKq
+%/qpW**A-*$Qk,:kD]1QH?6.\eET8*fI=C=K+>,bB*2ZMY:q7Dm?S+4Fi=@>bIro\oKa2Tb,7JquFf#pO1($I;Mcj6&XcpWm6We#e
+%g)>rG&SjnBn@6SaKL6[rLm@4GM3K8KGFQ8?WY]UZrA=iR98ZZ]'-VH"-A+("Jtu2Of%9kfU#.(*e!<$R?S>Kk*ZE)Y3UT-GU":OU
+%Zuq\2.u4'q/EL=1P)NK%*L8JH(;8%:2N?.b3\bq=+3?(M#WFk:I5e7Z!kDI5W?E2r56VDndgsf2*eClUh)'KF5jXZb*d!T`M#g<m
+%pk)3JZ%K)p9.coAgLM@L?U?Nk6gRkZk+&D&@eYjJSe6Tr=NhAb3tIJIOjS:JD_.I#9F?r>O)%>\eQo$U]?p+2_]<I_\C5;2#H_jN
+%e*A"@DjOY3F"X*Ph(^-km]j<ZrfsreOsEE+Q9Xt7k!5q([N."ED5L@u+R6O/[CO,4HTWt?,Q:N:Aq?9!(10Xe@W%94@eC0cDsoo_
+%_k!jN$pgNC2Dh?Ff`#O/(*6pa/%iR*ngG)(kf/l_Hu`/(1A;rrdV)[oh#,[<f:Q+BI)\\is.<<R4@C];'%BsMat6-^DDmGCd*8GI
+%!jNf`k">5C-X/Jo:*qS%ReSj5[.=jrFm#YN-f9t;is*7+rcnW+b4'\Z,]u^Z)+I)p3U"dVg:$`$VS&\DD>A!C^>mC"ff\bhn(L9W
+%gpo-<nCWT:L%)3.]q0nKIqI>rs*j[3,.#NR2&=g2BP;2H5Y0ei1\a"Pcb.jPk3FUbH=V=^rtG9G&(*J\a7VJ>`g2;o9_EO?;C2DT
+%Uq^gM1l^u0CS!q5=05-poOA1#-/b8@hKQgTYJlt[%Uli@2N(/<?Yd'07.JE4EEb%'S!+ko%R/Q7T['$G2Hkrro.87:1Cd7adL!i\
+%O/&JaD=YNKU"!3%(b:`RCY=U)ak*HW5D8MM5528NkNGr)rL+N:XL;8j]d@'R+\=5+0-\rb*"[2P/88t?`,X!O&H,]Z'#C,sB66a$
+%lQ.k6?YFg\r?1$$ZaCE>+'6-1?M?2i7/sJ/>MVkNE8GCE2r(,?<3tdOe_"BBd<8c`@g(J7)ZOq?On&HKW$%B8Xnabol1hG1Rbj`L
+%F:^Pk;<m3)o.@kTo[oj@3:r!_`!D80B^!:1IS''!Gnpe@o#dSpOeN[DmH>)al#MIZ\AY%E$]5rU4iBBc?\b+2VX+[-Ch]b*Ra%^9
+%F*!;U?ASC?b4IjnqKDd^MHpN]/UNUW=,nMim&=kT7)4aTEuNbir+Z@K_@j!8&XRo-;\&-naE.7$la2D0P7Y3O'MXP;B8MBhZ'%lH
+%LsLH>%t,GX%qO),9@4iX@&P)$\@HgT.c-QW3:1?44(Xj)3%1Q%'V)5h(q+SoF2"29681n]im9,]aeOE!F-ScmO-@Ir*JksXN3Alj
+%]#cT%hg+kLDT=@R--(5:/\l+h]3q&(N9>Mhmr='Hq:OBq2<mgidR)]`>#!WZGb96sp*_AhCH\,e'2+9@?f?,?*E9An&>KTt!"s7S
+%0IXa:7W_(0ebNaNf$%\ehHq&:@Q(@O'(M^$N,;,GqEW'%B^]rMTET?,TprnAg3:)T&t*$);RmK0\3IZh.`fB&.k=d+J*4c&'<Mml
+%#D^98]f/#K:)iFdqp0=b/0s2nIi/%=B>R6('l+"^+,;Y,7(kh:jdpX?h*.\H,'h_pd$0N<S!;1Ib+$QTpH*@^`V,<8erW+Lm@@^G
+%G\feYRt;G":h!GrmBEUZrDNUIlXoDa7-@QEL%2(okT0"g'*?Y'&:[M,=A-W6R;MtCT@adVK;7Er0"X93,2F:G6i1ca,>DJuefAJ+
+%46LC88[8)X:XZf`\:\Y1?K8ZS!)14QLd<4Rr8H_rn#![a[*l^VCYTNW,X+$KNSq(%A$5cEd'o7"H\e+=k$k(o+3;qJ^JY%O_,F^W
+%O8J^NT^r%pfl]ZCX]i77CO+C=aS%ggIBe%VI^'SS'S6.'q"Up`!C#28Hq4J@+YN,Il]8Op#Z<J`4btc^/Y(PV0@WOkJ^*@/$9AWZ
+%-165`;WiO:j[];(+k)d+Lu4OU#);JE=/A[3_#E-dZ'UFf`"Ft<5u#M^E>!Dnkk--Li$+K1<r%*cJC?)]Cm[AqM@8^f7nsnDG#_]s
+%q[!;/V.p8O6Nme*7W:TT28lhu8lR]jL3'KaIk2ueMk8/0X'AgjFcuVs$_ci2nJ#'B7,a*HG9*7Af`*UOn,B@jEa=GL5lq/jqNh<c
+%@_iOl!Y?6l\hj#.a@P6Weg"-H-%V"&1E[N\Gc*ujfQWctp'a)<!lofn,7am:U*,O1a%kPW1hZ9jeuh'kpGGCWi4qRq1<GraF6flJ
+%:7\E`=F70pg6.UK-DXe0V'e#EgM9E7Gupb#P^(3bD4,S:5a%%ZVbP,j3=CG`S[V4?/?[5VOlor'`WD*jC2\:>o:R((YBg%52f?EX
+%/[MZ:RAt?Ffo)Z%"!UCepd_HK.IH@A=e1dO')7&H0:r%Pc(:I=KEPW;Mu\?R[;PYH>N'65SnF5sWM$O,R^CT[lmHUF42S<A<e;[O
+%4CiG^MLk\g&Y3D;TZ<5M,L,=qL$3-ED1l`_kfgst8E4,s.5V,._DWr%@>(:VVSi;0AE+;+'B!;7Aop^u4*fdnCG9uhQI^0HX\>Dd
+%jjfOf>=sid`eta3];Ta4l4tgmS^ugto?;)!H0pJmGSO$p/U=WkD!Sqb0.n!a1C^rblVN!1=M3=+Cod8($u'+,Z7uA36Q-5d.3XGk
+%Mh1NE(3HrRnARrYAi#5JVH$BK9EILc*PUI_7T>pF?!4L<fd6_&Mfd<D*=O/AO=G6u6;:9f8UK?-dJ/>tE.5P`I^3;Dpc1M56l9IJ
+%OG`_!/PTr=`O%:o&W`[6L6f9pg1G=T>1O6cW%+a*>GO([6[.-S8I]CX/'t<^1Lb/Cr5A]A5h&K1aB([tLQtd'2Su_Y(9B%;E/DhK
+%:H3Xt[MDaPad9TrLZTM\FWcSeX*YbcVDK3);Ap&n'8os[g71SYMo(EgcB?\_mojIG3C5HtE[<JJ^j7Hs"&r7J-l;tV$%T0t+,Q[I
+%]s@"TJ_8ORQI0S;XHSCr$OL$GUh$&H,s$9?3eH#rJeA0tFU]`-eD1fL6FNs&OP4S`*?E1b)ER'r$)rM8(>Hp+d5^Ee;*qIR6lF3f
+%$p\7'd;Yq.D\@&%%;$lhWtr]:eGIm[A38_dkhB^8`/;J/WZVg8L-bT"<fE<VPX%k&C&GQ0?krfrLhhRBd=PCDC6KB_,>fSI`jm8Y
+%AT!dYc>+Y?&Vk3M*7hR(<KNChl.RNWX3kVFhhg@K0A"a!?^8D`q*D5g$.Mo%i>=Wco(L;q;G>[gkVDk(GdL=R3Q;!_B92n2/P0E"
+%qBjdj*54JJ$@8+cS5#YtT&]ac@pt7EEta:ck3*b5<W&a*h4u^/!SC#mI2->"`?no%VmOp?Ol6'f4/1$G6jJWj`SG9FACdh4GoiXR
+%AJIcD'eDVPC?=;T>945E?H@/E]l1RNWYeUB^F.mena8F<$kn^>=sIL$'08p26J!qQS;LL\0jE_hD:N#_#JgqJTp>/elt]0_NkAAP
+%9k+6gQQ;aD%cfVZMX)#IHn?/j8L@gP)F\oANo#S!cp5L^A]Pd4'\&:SDUN/Lo]4,0N3"9pq9`W&n=rt?'ZBS_Jt@BF1qGP6qj<^`
+%nVoPI2`+W"WCEXFJgZ%K'h;+X]j<&UZGXVXd1JV<:fdLp>:\BE$Y;pUoieeE3(`WLi+/+rkIqnS<l"])obPeE)@gYT.Ug<QcNAME
+%,OS1_Bh&)@&Z`p?%k2NLA'\p[;[O?\j6<45TTE9=#AB2kE1dJl\V<[F/="^*<9m)M2Z@*[J;-Oc[B].bE0El<Z$$lP!bu0hQkT\=
+%Cb!\5PdihJGt4a6+[=%'1ajF"S3_\,ng&Cs$mQM>1=[uJ]f,%I1ZXMm1?j:lQH]>ZLmr#G`b$JE:YsJlKL:GMY6`o&&43B"O_pVO
+%`A;/>)%-uD;'Kua%;eki+JgJBi9JI)nM74deXNOm3S_J@V/MR32THbJ"s<^Q%^Y=&-oc'ia-ubqV+kDP[E\re_Y@TN[_cfWUH;a&
+%6^@b3R-Vf$J"nKcLE/s#`1HlGi\!?akX;*&.!_3@Y[*k/4(sL"0XRJS7!H6Rf@\(?d3X&eJV'2m@4jV%MqMrG(M</%)EYq2XQ0!C
+%Gt@]7.mP"Y[kf0bE(dHd6NFuB^7'AFahMM#mW!Qa[KWmgTY$CeYYccXES8_Y;:;Mb8bBIbTYU2uAG!1.=+G6F3A[H22=7K-K>,:0
+%c/C@$fE#>NSqI3k8-e!OOD=?qlJ.+R/2LTQ>^MR4h8r8IDSD21AIU]?'#d"/U*jkL]L!?m>hT4XJa?J@YmME"=LId=R0AA66Cf@r
+%+7aK*HF+e4<`>\*mC+C_`E_V+E,*MJRfY>Ifr5N.E1&Ja"MGW]$_pk/fhMHR15eoqXlBRk5)ASL8[&J*,h^&L:YoM>.IDZNOu0&U
+%7Y^CGQkd#KK0r5[.WXl0R/K#<Lh?=^Y%=XDgLT,VgmK2T,M"=tHHhVE*(Fr\<fenZ=]ljf-8UF4p!DBC+,h<de4)3<JCMpaNF$fT
+%+-#P/\9*SO,*8UV2G\CK?J/o\66&Q`eB%Z$VZ@aMJ.3FkYE`J;1uTQ"lq\f`eEE$^9A`U`9m=TpPLm)F4'/j612ja*BA,VYI/n\I
+%2:doT<_'WR+R)GhU3^N)Cb1NiCP6D*@p]BZg4@i/q.g.]+jmi7jKb-dhgF1V?m/)&BnDVG!'2kg3Dfo..(/T`S5Ng6Cc>_VZ>unl
+%0#Jd-L>[g62!qcF\PFe8YKbOB[@l07?aN"cJLc)LVn5d3:-'/CN#;c@o+[aIk2Q8C+0VED>8Zuqn`adWn#Rr-@l]LPTT"UB()"(,
+%3$oU=io0$BIpPn-=UcN,Yf0-*[k-Vk%XU4dIoh^0Ycq+H,@#"abJOl\pT:UrWqDL73m`H@]N7CO$l"\`NN.92h+1s:#':^iNAk'I
+%Ji"6odRN8%SahYJ(Ie["2[YK3V.chOS>.'B*&fZ?,Mk#-:t*+`_b*dZ0PN6'm9oTqBl(+P9AG:&^0=hu,G:CC*#Lu]Q_TOZ:P5@D
+%++4DU^0qaple.BQ3&iPMs4XtTNl(:aiX$JU.=<`KW+:(F$po&)Vm[Wo4l"8@9OAHLn;R.W%Em]"=?n$V;iI0jOSnCsd0RuGSO<g=
+%=4Y(+s4EP)KiE(UF;!B0k[NS#0IA3:-$?t`;HT[^OC_RM!TU1(c&JoKqg\jsDFTV]s.oW"T5[J_5m`OQZ$E)a$+4'?'@h\u`/:F_
+%!+6F\5Hsla,8?7Sc3Xs]Z-F!1=_Y%moY<dj0oCsp9rh^(/7E(XWB0BVd8=Rk09H:1p&O+f0_%We/D8!nC*_=V6>bX_?AEX`C__G^
+%BIn!oOX\Qn3,Y6,H.,nY6`iRd=c3l.ojNYgQ*#UR`mRtR&kc0,gX?jg)O#[j@9%SD>^R`t$[gNbGIlP)b524L6VZ*Z+&uL'PoZ'n
+%/lZ(J@j+ohnlSOjjF\r0e2T]:>:aK>=5H7nS,C.*p0'P.js\6n?reUR&,IKiPK#VVSYskf2$DoMWh)`JW+\i,(Lf:fKsp'm[Vc/h
+%,j/qd^/s*jeg`)jltL?L`=*RR,a7k$l-t50!Qh"/,W^&t2`"%@.<uP\_at+V\0Gmf;2C\pPAg:Vha0=Amb[ilkATeFH2h)'gc`At
+%qWY%656(9CB0pH]p[mb"S^R-L5PXG\*ri(g`]sI`c'oNQ5Q@K3hRrdQo,#19lLf@NqYHDZ?G,-tT--5oL5c(`hu3K%msas%_cJM]
+%miT4;d:])HjdlGBZQK/@kF[.pc"H#'rSp*arVY=bc\)?WJF)nUa$4uB)-)CioY5]qU-T64IrP>'T,p]k^FONc^AHd]_qh4Gb'1oJ
+%&#TQ#8P^J@7Hdk=N.Ipll>n1L=17;M@O.7b5Tr"]D.,@/]UmNeikU91;>loq\6&Ag=/HGf6Cu<l>?'[p,(h8Dodd%N,dRulQ&*/M
+%^4HMsk*#IE[lXV=qj>f/SI>fWn0ZOAb=l=!0?MXY-m24C,mD'm7C(1IG:HD[hS'+e1EXng%U5^h3>a&tT`+k+`QQ7")N5'HU**ih
+%hHnk-bC0BVLVJpVQYYe4m]r#-,Zt'9aZGM)VSSD*aUF@k;q[>m12r&pUj&$o.S+okd$r[b.?TlVc@P^/+U5%&8Y]u]2].`XYR[IG
+%eJEJ_3kBMp%6!^O'(lnGJM=AqS>*68Lf<m&*OR`pK$4BC&nsBPgU`Y@ZX^9\Ho>&&QhQ&B<*^0l:c^:"VP$d(cHQi+BS<a+feSa%
+%K^1%J-'10#gC@5dWo8EF!bHVh;N"6J5bL6?",cZt!M3,ik"1^,W%8NAY0Jt<4W)5nmW%[E/:$L@!:.L7[j&me.%d-?VKQaiIQq9c
+%=r@_*-p'hCUAFa_F8LlH9GpURXWtc3??h>a)=>()2;;EbeTr!d#Lk>@nLKDAd^%20Lm(pA4t-M%4o272=-oug<LB!n)E%&D)(D#I
+%JPnd8igN8XjpC.Z\*')]#<`2&frF1/X%?g.lU;^RY82:K%_+O9GFCc8(/<$V!,eI^iKOWEi@\*2E<XSR031F&0R<`7;l#7u25=\]
+%Qod%7#<N/-[ibR,KOD4Cj2;bk*W$P1+pAaJ<AMb(Mi4Z=9b'g5<)?F$2'&(7!4CI=4n0+R`4rSN_mc4dqYJ1WIWis$Z_'Bd=:p>E
+%TW:EGki40,kiB!?kad]_2,ch)q$sh_c$qq9,Y+]KKVTt2TS_XKp<j>,,Cp+H9SfPGYK`l`dqb(laH!]9-'tW&2Q@9!;^X8VdYuXW
+%KC)hYRqfGe)e>LC;,Gu1PW=i*6Yf[6+JcT',bu!6N)m"@RUqYrZ"C1G>\sma9ics]A#;5`Z9K]84TH5.c_P[5fR*b>'j;p@gDTNS
+%OF`Y96Fq;h#?NSKnb0SCq<Vb@b=1[o7%&dddO%I[[2#:Z*areVe%-B/W&?86F>;.if":2/og4Z]`;rAFKbBc9g!("RXAZK/:-jDr
+%`5_mrA$1')"mq7Gqt$Yb/[G/o-7@32O;';tRdk4U$#fr82Q5S'K]AmM^JBrR.Z*,t6%Xk\_Q+,[;T?]J=Y(8tR"@n=*1ZY-)@,X3
+%a??&_S'O>Lq2@7)Nc:fERd9]>bX?Kb2Lt,ckc*3Bl8IjPBlds?JTOEb/&tb%]UXPiCsZo92u$7BD9_:S;M4"2PFK-alK-=8\>sYW
+%-Nl_nlY?d?$aHkoDmtnV>E&c]Z)'_*$6(gk3nN8uMFW:cI`#_,Z8+>YU?+],:%#t!^)E<[@S)J/4o(lZ>FS=UbOI1qOH1>gJ;LZ-
+%".g883@=#a+)l?,"LQnRi605eB6=CEhq!T2M_Fi#`S57<SF;S^)#/.Keqa?%b:]JF=LT$0k"%M6,mUHN^f$S(M/Eq"Zu<nLAYK#J
+%4B>nn+O=t!hRrrNX/RPK,I%>s0rO;,p@=q<X<!uRj1])'P5?f=dHF*_DHCm<F4s!/H/77=%^[.&fMc8h:p!VI+589cJh/e:e[dCq
+%fr;.Ja^\&0M!]83UU'dlrX0WL2/t`8WZ3D;aBbO'5gf:?@d9tE7:':Z(N/QV=4b\T(JX7,^=6b4^kqoBgNTP>H\C%jokorqm&C4=
+%Z)a=<[PX_c9lP!!?]'9klJa-ff,:sHI!#J%l][;1>VtId<(aeoY>FppMA/>Z6hl35X&JbRm.E!\eA2m!4PI@@C<!*taal<'?tog2
+%Y/KU2<AN.&C#pNUZl3(mncZ0Vjk7R.+HUH"<9m*;Io%"Yf?[99MW.kOi"?hp'au35-\-UAB"XY&dh6qZfTs%S0]/+30^Xja=G3"!
+%IdR-AIFP<!n9FiTd!.iNKJ>WJkOCqd0\sf]ZXJ*U6^:Pl1P5'f,i9Y43CqnYXJWlL/0F@U>5<q3O-\UP0s%qr,#F2aBK#67C$neN
+%ln"c.NcYO1#b&O6d,H6u_7Y\C`Zd4_gE6TQI"3>M=62>hBdPs?^J@:E?9.tpA<[Yknd&4C;uWKq9p<"4C@O[MKD-5uf<2rTI"k[i
+%f9Bl,qa4La.87Qr%rf,8:1q,62B#oIRb%Q):VT:gD3<7Fk[#6)W#@PF@MS*Wd?\Ed<[d>M+<)LE&!_+%l)SU;cu`fWF7DsE_DKi&
+%@]DWj[;KrGWtkMVHQdH/C'Nn.1H*/dhDLX+8augU+,p(IG<PFh"3BG0;B9J"P5)`)=`C-6NBs";pCYQ`Dn3755/94%V#I@IAqT4@
+%&e::Xi[PYYf02Lr@9O>#/ePmqi^1Mg,f;*1=WD[MTfYCM$DQ_U>`2(*l(Vi.e_HeZ0rX@YUj+'&Uo99:"+Z\6mH`_\%tS]q-g6c:
+%59c39*!7@6D`!Ye[(A7`gHm7qC.*VOoF?1r&.U4EdR[m&Y3k[Ll)Hg/@B$QL<"0rg2:K6npe1]_G6@@gq-l1QW:-cemTn8r>3--Q
+%h4)#sBW3gTKhJ;E6+.R+Jk@u^l*?RV"uR@pj`U/gW=$tTX;QR$)?XOjO>YQc)hf#+V4;bWYlhJ38_XfCd`1DSgr4L/Gl)QFn*IKe
+%?;bLYR!pL36[Nm3s3fLJ+jqaF67tnVIfNcBh,;JZ>=,u+OJl@YX<<j'-Vh5*'6Yq/aaAs-"S`Fk\L&eOD%deLpf:<cogUQI:=cXj
+%2J@7KK&l#u![R2UKLnS,`@ll0.2P_poe3a*n=pJXit5At*!.]RjJ`m&0LYu?Cj<`j!hcN%:^T-r;%M5pTEhCRS!rSuB;1bf,$OZ;
+%q""[C;oLX74qu1DqNVS)euB.2%Trf/r4&d>C\#HG(TruqBFIk4!Wl88)(>EY/)rWsX=kgE]QJ_ZK$GraUjc@c2"tNp@C[M.CPu#I
+%[d59`f`$WO^Y/'?EZ*1]Bftq6N:g@KEUVJ)J%YRlfKgkFMRr<[-Q1--RjqVu6.CaT5qi>TL5Mq7SXc^,@FD#^hI47Fi5E*6'5pip
+%T'V2tXW/.u#)El@@@ld6im!AAI//_#PmL8i(SuZ-]/GBPYXr5&RP[Wb+uanL3GTE%-$Jh4ZogW2Ek@ZTO9T.B9-79X8sQqTSt47s
+%ROJNu)*IA%Q[B%KLmW4jj>?pX!Vp$P'hI`f"Lsb\KOYS^d6T2BOj"lZ9EcMO0eF'0!4@GZJR\*YN4I[a(RqbiWuo\^HpY7nhuRa$
+%*+L#)^R*Qs8K!l]5TP^B\A[mX.BCd,d'0!JTbF:@niAYEVq;=qRB1YU&8fCT]rqUn8ZTiYAcm,k(O*SF^".G]aC&uu[aO;oBNX*5
+%_.g:llfflNWT!=@-?"?.O12kZfT?fZRcLTtiqOlZ"63[X+\\.2aP%9oS'hae3fAb8,@5no:m&P9^,L7R\GW14b5m6!MI/PH`mJ<W
+%FY]14)dg`^#3fm7dGnuXc`"p/_5/$pBHp[S<#DMNPjogF%1VjlH:.?aUbl*?4s7hO\O=R'UpX@?reG,f=3LJP1Je9R@:jH;?DA$g
+%_US8BSjHsJVfJUf?=kY5e#oEm+'/%G$&VXD#CO%$H()W!I;RMV=.#;/5_e"'#,ld&`O@-2'a%DJ(uBH=_3:ohpWEf#>9Ge0D'+5B
+%eH<9X\+LoS$;gUXDPX/Ph9%X]h=18$4bNML('@96Rb4K_V@5V8%dV8T42#EX@it'/g[<m9\XQR#2<)$eQ-I:<YF=i-+AgI::AGIX
+%?"g&)J]so0@TK'H1GiMl1f']uRj39d&Z&aN?+D>@8%ZLA9j9d8`lK7^@Rtt=#S71B`)DpgV2B\B>@Dlg@4fMlY4Wi\`:W=f2!g-7
+%&b6(6.sg,t.UN9U,W\m-;iCo%)9gRX>-en['99`[&cFhVS!hbKnDd'.6,p6Q"glZLO+j_^:;VIS<KrG:T].P_K!KLlGDR=7j0Bk?
+%EM$0;e8R`i"[J&#q*B.4Xk^hg.d+'f3jK(Bl&QS*pdnmp+$a$Gb+0(C*X0*==l2ei@ABX"*VJ>XP@-4V]i3_rm-GF]QRn/Hr;,Mq
+%+2;Kt`WWmV-cUqfDDn,J&KFueQD[4FGGYO_/T-PTngm?X>MlShNSBMZ'!V<;&#0G#9J(I,`XI1-DHo]u$79)O]JgeE6:>naHl0)D
+%T$WE,:$@Pe((^76H,JBCU#(er/G9&W"V?3tIEC:hP0M)8ahVbT6Wdjh)6>JnV_^oB<$IJTWgdB,F,@5a[5$`d'?d[YY19Cd9H9>B
+%W,]jTSW'5SfH+T#!quQC[W>?)Sr<\npa.>e4H!>q\H4);YirORX$!+(A:TDg+4[ht@Ip_G55BXfC,6bWCSW\ae1WEE;[(XSMF))(
+%>b2,m`nE>5%5h""!"j*C,gF3\<O#rl3hC5hX"Qcijn8GKSMia9Mo+&Q\I7R?*j"'IG.[r6![!R".#gZ3%YdW**\W*Jjk[4:i=l?b
+%HoD/dieR,'PeUGMp$%5bRMjetc,h(^7cg.oKfF:/V;mN'AqJChBjkCie^%s$44E)i(hBkQk&M%+k_!"nrU:kG@0R7<?[]JG[m0)A
+%DPH7GD%CoDPmcVRJ62r5"l?GENcDt:KR1`pk7R:<.:Yhoo\KWLK/@!6c920#p!=bs)>(%A?@s!<\h:)$RIT#tO$Lm[rV*3cX0:FT
+%>1*Gq3u['r[;FS&*%0)YDfe4pO/:quGLl0f_ch-JEci1>jV%bB<5QU8R_af\%<gm%(Fe+JY@K26<^Mt'ChK9h..kP+$Fun5`><Aq
+%gM5]p3SLLt0331.&&rO=A7k^3O96Mh7ec8modY:#]t!82-FX>^%J"VQfc!`J2*b@AiNo#uejq"g3ubB:BXUBrP(;4`O(n]6g&91R
+%Lr"qMIMd9oC>8#o\?cl+UcUmu2M9s<Ju8;C`jZ7@3-Xs+Thd#JAE?$T,FYcY-9=E:b%?B.ak?`OmZP5)MCh8(bgce)&R<f=(e4'&
+%YgfU*)5/dgigNO]:ii2o#gdOb.%sm-abEkFi"`[rI)X/&]0-?XXh@OQ=)fC0V)m%3,'m-W^c..W6/u_r.a]YC@XKbsoeMVsA1VUU
+%;hT9";^!mi,qc<em''jq"c_!`RE!lg2%hjOHs`+]'H,(^_PZ_@RdXq=CYaATN9NZ6$=aAZeA(-eZWD?/L*Oas-DR?-mskLj5#%K*
+%'2dTfJl#sY+=2u+osef<M$=(oEEJIbFrPTOI9WYm]\/7!AK50,M'"pnfkcWr+lmh;jg1H$BJeIG73@P&r#os/S;!42lmd9b86Is3
+%=U@NX3B8B-K"Aj"l\^t.=W&2Jj=6!(ls$EFL)M`b<a<]?O5_`U`3g';<AbOfCZJ2T@H:(1q,fLpjS>.CZ@][Ql?YG=fNa/.+en>/
+%dArb>p+7@-Qu*"%-=.]'@^<gM$ZatXfq!uGF,&O"S!QK4[cT/+R2I]Bh4']qAd!A.h3?Q]4bnO;C-OR,!^,DTIJN7-A(:Z2Ec!6b
+%CO@l$Ccche2ggeK_Ma$`'\>S(FqXCiZd6H./]m#.(a)0'%mS#6DB=BGN?;@k,:q8TGf!6iAkent(>u<YlXD;/L8C0@\NUY[`aVaG
+%BMV6)&l5nu9Rob,#%gZ<YsnFeIQg'Uan&;j.Um6k_+H49bkb1CpU'qVSo/V+AW6lGOko.,q^4"LUN,mm/MehSobb>[JEKD_eG0*T
+%=gH_I]afR-_R,!G9CsS1.CS.43khH>BG[l?nb*oMH0(8d)oS9;m'3>EI^8OKe+Cg;e]$2Ca(X*@S8dS%08RR`hS=Pgo'4c9D=H#T
+%j)F<"'qe,Jbk%dhARn-H<@.cVb>N7b#Y,!RDMk-gl&8?7#N22j$8J=KjFj*(Ho2\SrDPNB"K+QGEm64C^nkt'B"Y@6h^/"Xk`5(j
+%8iP-^jHh/l\oD+6ULthHB"7*`ag^FJ*T!(u/UX7hSJT_t)AqU.$Ga52rr$5$@MZ^9r>o,'8?5f1c#XZ$QNib=YucfBP>m!5gsaCg
+%\6K5DKpfAGPcP[2Nm_c!OT^;iVMTW:$6mKAh-RTfo7F!DY,*!9!9)A5k>.edmWPe^lJ%q(n.Ed>;^3<pmI,8F:rI?'.JSbJC/-[5
+%DEKM$a'5TrNk"TDg.#=`G;_rRRS]aCmh"k!!0#TBFsL=#\9!qXi8%#Prm&GT+uLi>p4*Rh7gX](bH%InKnoS\lruHH(#[BQ-_Gl_
+%:)6j=^p_T.6X7u6l0>[5dK\5*+`$aX;Q_g1T/bNl:://@QulV!"Aa%bL4sPkgKPrb@?n/NYGAVM4LW*,i"F$X>Ia7r:>CEG`[5LO
+%92":NpjA4pnE6]K#oO'lN`Fd<E"Dg1oj?$1S%2cL@T:JCQ3$U)K"M(UmS4tA:9-q.Da4U[5%F5b7#r.aNilAbXYP3fA83M>V)EmX
+%.`*I<I)WXn'->9I*uGZDba0Md!>bo2T[ibS`^!T]iH.FfPInV;Y=.TrOk*6]&VV99+e<b9g)N8qXPlfY*M@9#(X[!kEb@m^g0Q\G
+%Es;f^E7e<uSP\a:h?ErSE35nG.,>*t8+p..,7.=1Q0G$/B=J/&gtG$?1H8<-[eIiDH7)WOCFt1*8/4@=7sLB.l-oB^NhaR^9gW0M
+%HGp804D((2T#sULVfM.,4Cf]]_F1K`Pk]#SYP]qJmg(SZoOb;6#'s&`1CLY)r-C=1OGbgQS_&O@K'k&n`-8T@,k9,%a=OR=`9=3-
+%l=&@m]!D32G.JgXaik(*Q^5EMikrZ',>k_adQe@G85P;qK@=@nbqJ``JU%#\.^&2SUdS]CUrd.5_UXGAG]Ps.D;l@3kl9c]a+&N2
+%V58Yes8DZNc(B7ZF99Ea2GhbaGJl1;(>/qN[\:11%,d\1R>djde&>_B[W5L1C6i[M\Ri^7V8;Bm;o**%XRb@(AX.Bn+=8.QV"<>6
+%O8`;q<d]_FCTj"DF;:HF&/.[\>(P.I+3KtJPsLkof]Ysq7ZiGH<j14uiXqATj0/0>6h5Ce$8'E&NNnUtf4Z2+ED:aW(IdMmpiC;M
+%:_GVuOt($(Y#K6fc5Is4g-P.DfspUg4jno.7MJ7-3d&n*W[N]RM/J_9!,;+)!eN'l+%mO&Lg+p+R;@;/[!hG?d=X$1iV^8#<-X.M
+%Na@Ku@s-e4?Z.6nh/)_r4oWsAV=cZ*`P_9nUBJr[f8H9?g,>GIK,5<D^6'k"iBoo3:<W;Z+Mi`@1hN=^C-J^P,@Y0*[WS=leDdm`
+%5;$NT^_#7q%0kb1%='E.ZpU<LK/SmeX7R\sU`G(P87t'+d=u;.PY&MCiKe9$k=OS9[?,1;?g(feLR^44r]ulC4.nm3BWJ3U$UG]H
+%b1S0U]Ej@(:Uo-/7Al9^RtW(!TUW-HmoT3Z09Q9#]_e7:]hT8)Wtk34F[UU&^?jt1,L[fsU0mOU)BGc!0]6Q#$:^]P<SCAsrO&nI
+%n*=_3&%J/`m"26oBq1O$iBF@Rds@1T%O@JK[TR?InGb2Z`=&V<JBU_j[Us8,b/]?`7*T'8h@,$HNO99E#Or$qX0_Y&j.sFk\##&)
+%o"NIUMkdUPU:*d@DG!_RZD17qcr`ul8r2mpp/H%nVT5\lE2<8+n+gDX?p1lcjQq]Jp=JZ3[79F`8FX]9B&OJ]l"ai\:0Qqi/I_h,
+%;EnGXX?m>UW\9N8-D*aEJ]4]_=)a4@mg(WB.'DoK.1NDS(hM<rRQ7*g#&M-h0q=A+@*et>csk-G6dL\j<@b%Npr9XBQ-m[#WCTpn
+%gJTnr2RI'3YKq4@U'-##_IE#tM/Q#p#FG's?_t?gl#H,&j8->3M!,VfN#ilEG*U@k)NT@OfBOtC+;C7^(Mc>))Oap1_&O;81ob"U
+%V3&J/<_#)k/:hS(2,Y?.^qht'G!sS>D*0P>1b&A)NR)FdK1$fbRr\D>iSl>&Lm6n<nK?(MWZFl./0:V@=k9Uu_FBWOZ@=(goG=C,
+%.Gki_"09NdfE]'f'P??+Xgj/LCCPQO1%fcPN3aXSUO;gh9:UpfniU0"J@]T?:`5rXn;($SdpniOY^2\J6>%3<6,U:GK(Z7</k./<
+%W&rOt;G/X:HN=A'k@Z;G(/g-FI<OUT(M$mKCkWXNXZ7A=.SIET@HIj8:YM*gT^iS$Y6\$Ap?59RO_X.EJR<OqFR1HIQd)hF[_Cs^
+%"hkp&8Y>9Wj,o@i8@Oi8>7o,ULln4c9U!V`2BhV"9:*g,d'h3\Gf!i\DNLe1OD,p_Ej!C)C6cEWa@>`Wktg?&hLXcKH0VCNPr0Jn
+%Qs.=O(Je#.<pQ&B!\Fp375/RT&Qk>q2C<3-clRT=cr[.m3cqRQ\rfO&^`"GSXd6b#*#^4!)RMV3+;>/[dop6b)$(RU1NTNbGoLVf
+%)d>gBoqN.KYTT(_TS1i6%ocO5j>iVWF/_f[&0M1=gdJAgC%Q9e?rTU$[IAG^f$OaAL8Pk)V036Ro@6cCkATaO+g!f7"2!.(G]bH1
+%n0NZlPN#N""BS;0_Sb`CO?4?t_GoBOL.WY+7QNp>iP@T(QW9@0Q6]i?67$O#G\0bs,)^hRKVLj93siIEWmIR=>9K!KPqbcib!:#J
+%+j:gn^6\[]D&mG1`P6o3Dq\)K9e!>eA##BhFI?><^BB^LOP3.tO?U,q>=/hGTV1=kY7TH&]hqd`W?`:JBkrK3]!TAjPF]btj^eN?
+%kJu*TfuR?4-6&qS"e.k,*J8WYc#Ppk#A?[D/A07H;*m'E%p_4=PEBdf;\KXuZQ^q[(^&6JkL#W7XsELKXaQ,1R9*Xo8uYp;'WOa1
+%5+.R*HX%>-IVBg$.s&*-Dk$V(K:Fb`4"3gK+CII&9Kr/%+d`UmR((_nO2eTV0MJi2p9Ppd-Z*9$kdI8-dE''[]p'j9"H2g=fH7HB
+%R<?EUh5XMFQ/&7T6iVBkA8'%'WGV_=T'k<Cndq597/ls]m9tlab3tRb-e^P))t#u/gWS;,JQ*);bhYCWC-o/"HWa9(e:Ro82u>+h
+%LMF7kHnr)5-[0ZH1BKTDU0*N^7lYZgO4IrE:6:d?]/Hc(.I`nr]`))<`G\N%MV#lSF`Z7aCYHfF#89@*+1@3op1e:<'0%Nu107(G
+%@5B`gW/ZYWf_b'5-A`]b`[[$W'0_S>*bg"cY7Hn2]87\1!sMPVE#`uSMZsAncEhetLhkWb\rgn(IL3XbZ$01FL'i."YrWI05SMjR
+%Z0Xg5glc93%X"<,3pYk#'\40)#HjS0(<<MW`$JP8\:%A"3Ha?TZIBd24\aJ/:_N/9)VqH9S&$8WD`SAQJ5h%6-ojgVLB5cL\5>RE
+%PtpRWN9Mk3[5I)46[0:;R$EG9gVl_o#8r,<e[TeM)!P>U<*[qjJ,s,Sf9j#&:n7XQ&5nBsJZ(=ES<Q.F%Z3=L%_osk+J/uPj;)<?
+%F?O_`4Aht3)BjgONg3Bj47CjBQK(s'<\1.K@!kD2JQM'tGX:[MB``/<b`,HC9H+'SS)%o&0Y4A20]U@*WY0SfNN)GVc*7dfo^gKC
+%X'_Fr#E]JD7[dJK@<oSA!1d+E-4We1C9BDjYKqM5!cNqnM*L,tYJuj"[LSW[/C)bs,&%?4a80tG/lL1m=)r9#&ckYA,Sdc\_-o9<
+%r-EN&OhZkqW>X5-7CXh'HG%-6JH?H^!b<+U7dqN`pE;;6)mKW!c;mSj.kqLDM^=*65S9`>msR,a.ZLGrE.b=oa)NGWW_1GOEQ1aJ
+%PmG<R#t6aXCslEagI^O-H-k3H(<'H5&Yk^U\>B9E,m+aJ'A3K=&2SP"T9MeD(@@oYaiX"`=X;S,j[pege0[4)@jANuFjTMja"W(\
+%61LNs4tQI0Y^;74=s?s<02C=*VbQ`BMb:$d7*DW@H`t[S%_!0l[9a[f?d?W0_D&B=2W_nW8FmO#8+COu&;eWl:k`,c/>#?4I!Ak7
+%LK/-4`\hG!d7:a#enGVD`CE%hm]FDRlPkrJ%fRc0:BX<)>9i&Ug6f[kUl71W[iq7S"mUOpKO<PRN%<PBkI2g_q#t.(oJZS4h4kAl
+%<taA"+SA95QPQCD85Kh_X)fI_U`rHAnEQ)^K,qk7E&7gjY'FMr\d26J1N&Zp=dl:N-:VADnOi5]N^G5M'f7&CR?MK<E_O[I@!m^E
+%7\DEQGd!'+kM=i,qGG"rMA!__T[A2<_rN-rN4c"3=)I(SJELgh]@r2d+O[a03Z(0rb+n7k`^YQK`aG!T,9=^*]$NG*`#VS:CiJ^_
+%8\uq-5Rt`MG!kIWa"<mS?pQ:P)jiR<C1JT+,Y8UOpbBjGc.rQQ!,4_\\#9GL7-2N7DBiA.Ji7A4@uE7BJA"+`"4S\=&f^?u(Z]ma
+%LbLbp_q\'-3q!*#>'Ok^*oQ=fd#AOmglr=L"*OI0FHJ-EV'CpNe0bD0H?R93TL[-r6`rDbk:@?uedA$*(rQSD>6B,O+Kfs9"1\io
+%1_?-O/+d%3Rq!gX`sU3pT2L8lhXPGtUXh<*Ffb/gG'1["+S>>%_D`[*l:aA2a%g%^c#6bj=(QP66g!1Ph9?nL]fgkMDp`#\"P+SM
+%amhTtN_8SF&TrBgp,H<^Bcu0ep,#)`N1K7cJoOG4.S9uRO=ZWVYO\AfVC`-1n<3>nYXX1eZluFqZ%lmZ)m;.K6;s:A/`NM"Ca[t;
+%=csC\,"#9W1!T%fKp\8PNML/;"KKQTg6"p*kN*T1A)sAC@$lf0A7&6dZ9frHR2Yig>(cru#,k$D/$Qi>cp,CIdNfK]#]MrVPfq')
+%V3OQ-Rfc)'3epP>ZfML,8&s5G&L1A-;oW]7'4=r`/rabIU7D)8LG4+,FnB7/MM5*H8>u7KlJMu_aL.iVMLYbZm/58Kj,2Cnia<iI
+%4*bn[KZo*U0rTK-Wm\Ua+iG;2IF\UHN'K3uK7&t?AJ#O%>XGc"bj)_LU!/5AO]UghE:"PK12]O73,l8DP1HQW?Zsn8BhV(:NNEZs
+%Y`XjYdZP*<_U.!T;T/DUQEO+Pj5ZJ5fjmK_`$nfsE/K4[q'J&VLC+r=?.XUj94RL53k.`MEG'tUB>s-?,i5V4o33^8;VH"fX$6F;
+%3phshSP'3n_Saff>K=slCD=,Hi:!Y(KX4ETY'hXoqPOf/NXSq4c=#3,R@ntB)U&Bd@tdI=Wgn1B%m@2KfpH4/a#$uA*CIf,YRsQ$
+%,78\'iq<J=,6?KL4_LkkOEADVJN6#0`\sQJ,^+.@\;Q@FlJtn56QeSPn>1R%D`G0F1]4J"ODpCF`FK8*)C(Y)$2&r_p[dcB8V)k)
+%c5SS8pt6:e<ZVElOBNCsZoZbc"rN,Cm+>CXD9^l4XE[=O]+fHCi\:W'/H`>A/L2[%]5N*_hb!Y(^&]Y%dOl#&V+*O%6fA.a2q0>2
+%\*f_Y"Y-_/bC9H!4+C@n7H2VTqoWnCqpHi$DRU%cF'<:D8<4/89PrQ[2F!P8,6W`[M3nthmtj"`/2X3.m#36OV;\MWlPUL+:#;8m
+%m-=cSMDNF`CfF9PD%`-/QH&e-DPRdF,2R\][rGtlb9n5':4H@<`"nrKKL'gL'Vdtr?h+'DR^'lCGVSMhYldi1k8(#\`W`h-3Xjas
+%iVH;BMjf]h-c),XirXkB*Vd=1rAY7!h$g`pjQLMM#o\AV2D,5/@$W*KBP1t9:ts@S>L5<dNW@2-^n,X4qguQP0;_qZmF2_n&i$[;
+%d(30o"\0hE.qnaWJ`+!\P!MRWSt=@sXGXB5LsENZ6&/aI*e?Zm_Z2;nc>5o6Xjg?ig"a*9mr!t!1"d0?"cB?bHXe]0Io+nB3(Y;(
+%jJUNDOaT1i-^YUL7rl1E-FU2=O[%QN>?<>--=KCU;SNa.Be$GBN/=tD+V_01YtsU'1W)%QA5>/-8cFc5.^#jo@7%nkD6\*sO^&oD
+%%U*,f.7c<E@s>E.6I<[hO'4?LBT.p%U2+L,"al"8kMZu,Lm/COW-h^rS#"Qi`[8R)=H3L0!c78W_B%r&cWo/^]H\FeEAkV`a6TQ9
+%C0K(NS?R$hl+5cFjjhBDHSN&.[$\:;c'W13#D9IF@Bhk,SLbX9di$Z&;J;:O4-!=$mhkeWIIAZ8-lYZN0IPTjI)"lY:@;=Zq1Xf$
+%0O?i@HO>&n:;pL+-/NoY?t0]0+\pM@O2Yk@ja)9rKDW#unC-!mHp'Kjc&md'*$4F.<ql'Y7$0ZF*0Es-)I3='0B%.+Ns!@22)"R^
+%*@A4t*AnF(D/hi&oS^9V,"r&e"E+r1Ep\lXT#kZX`hihu@WrFQJ>*&*2_>O*<!M,35hN's`9`<0$LF[4RaUUB,-a5p>8e#bS;_OO
+%jJmbMabZn4JBPa9*P,/6d<Isa#Y;"AMc3EM>@jY[_=neGm*;II.'`:DTkQp`[#pU>1t,1qfF<n/&a%M6CNE4(D"TcU5sh!!PZ]D>
+%Od0"J`Nf&o4"5ThetH9rQt/720V:1&"&O2tSZMp%D]mOUMb%Z?"W>L$7GD6*U2@(*WHMB!<'!E/j^E;-N1oG$rq<&hlnZ`HK2niu
+%$V%@X;bC9s0.>ptno4BVLP_=#`H<%tN_aNM`M)M7MZ*_A*OXOQ6V%utJhQdV*q>]B%&aY:W^uWt1mYDH3#"jo&6n@'ZCT8T0]k\j
+%2[XD/i1qWe3ul3a*@TH:>\YnGiWd%cKu*?2IN68Cg9IF;-^#fY+I$=9+&k))k@jX^oa-4i5s'%M9QGLQBS+Y0joqVN@VOD=9#ZbJ
+%o`R\NZ?m-=V2u2CSk1)J<T?Y]U#tXgMMI!W9->W?G'*'*b4Z1.(THgKIUbt!%PB/F/0KmEX?$!IOTDaFlFm*H4ADet%Wpt9fp+Ku
+%dQWSZ'4.f)GBG;[.&Ub;,S5s"06PRGNGtuh`dO69BRgObgMDhJ?#80&cHX7'_8B1'--mVAerr`H\XhtI)*L%-8I3kJ_GHh3gd6_D
+%3O=opD05I5jJ+;[CMQEeUH#87XYGmk<u^X!4.;5dHu)]!8Y&uFPt#rT6Wgm+7iE-A*Z?j!<0i$U02eR5qmSDeTdjO0_2ec5%e"=t
+%9*b7<mM;F2!=Bmu%0Ip5g`)@K=+02O;hS*!N7o<)M],.i>H?Mp6<;dT4S[Fq)3sORXJ@M$gtR?O+[>VeB9Q85.c3g#I%Qc-A2n/X
+%lmZjWA=,5on#X$/n4<3cD-+pb1r="*D?juQTNnGu]6^bFQ9NF.Qfl1jo-?8um$hdK"LMN"7gV+,Mntna-`:;lh7r5=e(/sfh>C_K
+%h#@?s9Bk(Z't_pr-OT2lF1ce=M?umFkkGq/+&Be8-ZZNK)W%CNkqr("l(M>(7dj!#<6N[e-'V(_B</(+"-hX`k`Hthc^^$>ch41*
+%9*?oT\0Af0)&pp^+n-WAMBcM`%V;]PDMSa!P4Rh5jrd"JEX2F@l41rB-D2S&&0Vc$9VV3b30(h&@O14X-3Na.fcj%.6KC`hL%p&#
+%r%+QjeKo?,r+5;mOP6/r7)H</Br7'2>/Cn_'@ug>F.Ym:AC=LFa]2/Jkqf_Qa+jU.c'&@<W2+V5$Z*-#*?gNUA!mmtaDlDb6PY$e
+%ii9&r7*mQ0%TFpgE/:`34](Co<L3sJoZ1@lA5H08-lsn6W-YN^=rB&s0jATmV,T6*Ol-]`o]:h1;:lT:H#RP/"'OspTL8fsL[a%&
+%TJS,!=V`E$Q'p1V:E,_YRkZn&AGlQjp<IDN=[]gt_lUDSZ*=nBrAqk(hTBaU(8kNt%#,^PSU.Tu!Q",?F^=at8/qJ;.?d.SlaR6O
+%`ZPC>`i%3-J\1R<_=t(@]G:$3fmR9148a8"0i8l]\H2c(I`-Aab9Z@:7']c3V_jE/kA8/+Un?8o&-7*7Fa$'j9#RBSc]3f5%QJu%
+%YcTNDZr"Ef$FY4]kZ3_LACdj%W#*AUor1(k%!'%6XAKGoW:O!IVu!(';<B0;P&iG)(^\eH=:FHHoFk?RLKVht$TfU<eE?rf5%.3n
+%l:sEseHf,0ehbbt?i%YX7YVt`KX`'DTtoW$$bNP.e_<r-.R@WeHA30'&e-"=7g%e<66I>^UDpn:Z3-:X)gH@&c2_r/88as9poEsT
+%>_uuJI;i!6E>"/?+OWQk8*!S`iooA=8g>_q_YP;"/u<j5eHaal)B,WN".G%H,A4D]U]XkGDegVFDmgCcIMAS8da:#CJ#)GR!'5`Q
+%EeG=j7p36HRaKZ4OuP&fR+W[^i7,8CB,:-#[DOn=eLE7::t1rj/)h*il1.V]Te[ppM;ZAC7b`%AP;o7YiOLqM@Y+'M"99t7J#lX*
+%jqk<j`\blI?!&>=YiO^Ss.3)sb_;gtN0.4rj"mVn2Th[Z:`(J8;D\r?-t4cKG%&q8T'5r&3fZQfDB7:fa(^of$eCT'-rVT'=X5#I
+%nfsT&?/`IW(kT?_d,I4C0C+3M.:.^EKdne!7\8*DN`=F/aslOU[UrHCjZq_W_c94[:$6SQ-4b)pM/eQoOElC`\I'X:FlHW-/M&/^
+%Z;.7HJos:(,5gtW)3_<pL%T8#.9#bMDJ"mVf1q]E&]?q$_&6MnJ:PonA^fF2g+oIhRu!$GMFPS1CIWnH#>f<ude(4BF@khXKQ8!I
+%I.E:sC!X:]lB6>m)@)7Sg+K9a*'N5*8@N1"o-:W&526kG6i$pndk]d=N`l'RH5%j/Ak1TKku4BBLH(Zhg8!M<N/X-X%@AStDDebq
+%3p2i=?u.0,=eFd>;l[0@LuqdfdZJ:<_<7BfedZu*NN&P*TV\W"%UWA610drAT&1c"[4RbUXlF$c"*n&j#Ttd"Q5lZPO4C3W&`[R@
+%o2mLTE!G]K6ED*8E[o6,qB1Pf7fmQ;Oc=rXYAUu61(5NXhNZ[mRop&oW+t:jm4TC0RrU-S0f;'1`1h04OSrl^91eD=PN)(JKBho!
+%I&1thSeA<!!Ie#JNT+82F;!*"W[39(Ku1]KP1VKKN^>rcgUr//)<Hfn"!LWdlBeaqN"eR<DO.A"(9GYb&A+FdKmFuASRiEL-sIu<
+%VC?>[&3/.3Qo1VX=uMsh'(U&Ep?]$Ze<?t6>!hPNDRiV:caT+[HL-)-_pT[Q5\r7Z&"r5<,F!P&(&SoK59_cf]$UnWaQRBH>$De^
+%2&0Y-AQbePXm\^L`<50IAQlB?/KlVhJRV.9Um;U"d-YNV5n/J1<d%p\>SYa-/+l9-gk)CF(\7CSf$TWOp6`P_=p,a%mNUmLg.1D[
+%b\':JZU<)cX2FM%C5gU,bbX#5MZlondDV;u_a[:M^(HQAF6t^KTU)7JEFCk2TpSs">Nqe'\-?h@@90o66H+l:UFX<+?<Q<gIQ2Pe
+%!9t,Y7q5_>e@+$0]OeSVAZN#cNl6t#\gYH=Bq&M05@,-2C16MZ'+kOW<R(uJgpkmXYpGrbG7\d5JoPTs\,lNW:0;lq#lP(O36Nqj
+%CT3W3!gV@LY,<IgapWd[aLV^g4XdMpTk4'QD(K]1-$E$9(rT-/<-$jIi9Z=;p[Pb2;L%d[:E&'0<XSW+eTpY,,0+pF%OW&j70q]U
+%7l^=LJgkP1R(Aqm\+<EZL?R9bM`KS<?,t4"RYbam]&g%U@)D-#:R!4tQo/Z87Upe-`kCT2>Q3&3U=5HHNMI%aph7(T,'n"Mh_r$'
+%Wh-A(cPd4j2C$FPC.^cd4.HFOA=[+nF?b2,\\dc5<f/"snDgpfQqqiaZ<j*+!#Y:/'dZ8JM3=%B2ll^c&HX\gJe6<Zj*2/S'C!6b
+%8FrT+f4,9;>gbp"b,>a9<iW0ZZm(b"X5d.,p_[p[\npJ[oJAf59T4kj*.bahXe2AQQ#T#s32]>-6)5]+CQ6KMGm&\-J]b&fVcS+/
+%GRE^^pZ`q-KWVP,@'Yh'H=/,#a^iasR%"#,>(Wq";G#/Cg4Q5QV?%?rp!@0bMFsb6mUh/MOfI*=SP$q.p4Vn-R,SiB5ZE')"(=.)
+%8p2+50bpe[S>k(QEpl&W\_/@A+_\2\Dht,)'t0LI>f<lEc"2Ya+ZGb$+CJZ9@?E2@(Oa"%m8?A)%O!\@Ct+>Y>`%rD0HT<:)U(J/
+%I#h"t/<"J5p3;2;NKiJbm85:S5hl$ZDR&09nfEdC@Qf+>;UUR7:o0u=VIh(oe_`us%%"!gIdC-gfj!'0fH[36Qo2:h7JBE`N*gZn
+%A;R-dMK;lZE=9KmhQ*J$X_f6s8Lm`W[oC'+Bq[EG*#nll##9e[jjUfO\N68=,7+D([hUJUB'+din$+,WUK(FN-e_;WV9M0nW5QhM
+%%<7LY#a*f;(3F<.]UbMWJ"ClKX&St86C\OMert;Wj!rO\XZCBFWGqQu1`;b)6ai]TdI'\\;jei.]3/acOh?Nj.KgiW-u8:7=<Y$$
+%fqP5[M@9W;J@]'q/e`Gl:j1TN&Z7WZ\q./i5Qa]+Wjc^_U@tf$K='9r>3_%iKWF"C:t`)SmZ^Fq;?N)f\[BhsQ'3`%Ki8qiS&UVh
+%Qc;XgX1^5h^N-S=84P-dfO/PfUT61LX@=+fj@j>`2OXY<h[Gl9#tb8U@Pblr3:3c.'>ukq)CE1YULNlKXkIEG0@OH]j:Tj1P/t%"
+%hBeSQf.5++^l(r6-PcB@M==c?V#Fh;rXoNC"nVS.Z^144Cb/<pHETZ''tFRMFMn'3MUXSs&P\-nQ-#k"S/SgY'#iO+BCA^ZA-R+E
+%itQqp$+@*jr2l)&M^p6uo/Kbs`83>&o\;ZePWRCpW!t#3L<5QELKaLE@3fM4=$BW`gUX>oTiG`&*0gPD`TiORAK?aFAei9Cg;rY`
+%*cf(.41il/;FOIQ1VZ8]8--1dp(!@HUKb$:X<kJs_)U+6#T,^0^mX\t'm4G5HKA<e'_(<ZKCXK5-($_hG:eM`KTETG0XJJ>>G]6a
+%,k?ba]I_-;'@p/QmR`\b@<a9@GE%kPODI;%e)tEg#W9NH%BC5M2K/gKmVAja:uMgFGn"(aUW.%b#t.fj*ig*8W,8UTWrQ_<4kZcF
+%S&d<!QX15pTeYaAk<T[Gq(oY&E/?;,YUJi2+\Fh=%$`U:@I)i'BGJt5NKHbQTF\R'*nk?3.]DSNIe445&kB#tOs]3d)Ok3cn4/DV
+%kA,T504>uZ2dKNTIZ9dnd[7Of2?R&XorsJm08$"SCZ:YcEY=ceQ3M;Q)\+ZdSLIT+^/85g+b;r7*T.M3<4WHL"%-DgkN!j-p,"!c
+%W2l9=Q4u&0.9g,"3;s#=PtQa$jK`7<V!+r1#obnZLrK_1h?I&.2ET\p=Vt+W<K4duCZr3&]cR6K*XQ1PX=>[bH!25F!g4LE9%p')
+%8JSBRBghAYe^>cX%]WXa)`iKmO@Be1NP^*0)C`?rlsq633:LSqe$1OTQUkAiN(?THTHb3&b6)`=9eer:Y;3&.]""_U!.f';G_TH\
+%s,>?/Zbb>AC/W@/Z$%&TDM>7.ge/%`[3p4.$26GFX##Q:_SgU5.6<h%<#8Bpb\8!t]WAEbRr!a96@j$*Q'3`:%Z@_Y?R'ecQiKW(
+%l@S=-J@2#Pm%/\i?QBFn9W0O@?-!"Sb*=+h`eD5P,Qhu0>1WB)bq[q/2Kkui@J9t+&NS.$-k^j4;3M7&'KVf!5d?/+;n@#r\n3(g
+%J]i^`*LSrq?ilG!Rt;$5c&pA?c%)/O\%LZ52&rg-YAkqoQr_@0m4X^uBQZ->b"DJJJA>c<#/+D7)6+)06t9QXK*oai,P_^?o27%t
+%#H!;,G?MWuVq7Ec047;*:-:'2!'K'%aFhCkZ[h;\lY6h,/%bi:7rd3dkW)b?iBbJD83KX]1iCEW'gadJW30V`^/EKK6R1euNcFBX
+%7V^So:b=4HN<CV1f<4LRQ3C^@Z=W?lgXAd0TOp^@X[KEBR62;I[c2SW)j?9r3.eCBW24!l(R8.JDU9A]D]=9hIGKPcf"t9s!9[se
+%jBue\U#6O]6+_5dhQ%\%,J,H%%)l?uX/drD1)4FJOqV88C7O>3G=f#99&LL)H#W"jg%[TrM?>RT@\K^2D=5I1K<Z"Yn6NSJfK:)M
+%i`848\!'m^9VkUGKmNfs[Z1C2mPT&#[Z3bf#9Kn:-?6g6+jrGuRSk`i<A#PpQ,t/Ir`8"j6htZ.T^6+2DYaHs_H;jOV[;$/!$??O
+%2_s6$8m"^"C/S&gZ$`kY\9SeO3`H`98o_5+Ll@1SdQBT[\1fZWkZ1,g@%h3K#cKl/34CL4=,t'+OH<W*EPD%d,;L[^'kfq&G-oSh
+%E4*JdQ=*>#.\+S'l!+HoGMfbI[%kHg='tUY<X7/9Z5]+[CApEjX,D8W'G"Nf'L8`b235bmF+99G-JLIh[S^@1BC_:5a42(6>%9pa
+%7<'iU\b!<]-fS.nYZ,;@)C./Vi!*7D)_L1r!a(?r>Q@k13>SBkB"jju"0AKW)?oM`YrSc>GM#nhW(9pIq=)3^9_:k;UlK>8*,]BK
+%:kbo5qPi//!ZnKjiA=,k8qB2F4UEKmo(AK7psB,Rb,o//jegL>,?#hU!;t3I*kkQ&U1k&=,c3%S8(OX-NF@.nnA[;nWEZL%m?Cg\
+%6"I6q/G1pp_K@&dRUQ6@+]5N]rEb$T'R3S&rGu5/EU"d98FLB\Ls<k&8p,+:XGlK'&Zs4TqWJm[Lt!$j.e?-2YXCfFQ!kl1WE>"8
+%1.d?AobtH%3d<MQYOsW<)&sk9.Q$ADp:Zbip6A/NBnVMLpast=Sni!$&u;?=/g]KS<W:]"mg,+X\ADo;j)+?(pJ"f3;EGDDm)&#g
+%q6ds$$/G=#<B.'\=eUVHf^q$E@p1ZY/(37p`LZ3rWNr,OO4TW?qI)E9h$S#-Hck-O2pd0q]^U0XQDL^,c,=;->(YKN6n5HWA_u];
+%Ks93MA*cEW98+7ln\2%S2(+?k&L*i]9XO_Bd"^i"gb?:1A[E<mJp%Qe8l]?`V/.LS;4EO;?Q(6?\P,`;)!3TEV7,"<4P`]Y`W:EF
+%M6-Ij!glf(5/Nsm+3VG2H-'!Sn<9<b!oVpQ`0:\,_o`Sa[c>;cd$`J(`GmgO'7$*iga8FBoW8s@;Tg]KLGc@=BiG_q2$BtH#?_JB
+%#e%@-NW=SdL;r\3cEoT@b>X@Bcr3'P)d)Lq&`hb"SZA\l4!m\og&,Sq^&,FZ9CS%)PXSd!?Co=WFZ6$1qMl4.Cbp6VIDdEFdP3Z^
+%U^f"L_h@.Vl])=l`V^;"^K*=g-[2(b9Yo@-on*aDRmk1hlUW#887"u(5-0j'kftJtTH$epkfg:4):6AY0p?TkF]Udu6Zf@j:Mucd
+%;M]=`>fFF&Z:[.p>cSR*0Z,qlVm^os(eC/ZO?D5d(l[NG&(1IBXH1+LG@5%^PT,)*OkkXmN:Q[uW`s;]rK9PNB.VZSoUj?:bI`0D
+%"2eIG#&AX`.:3K+SSrE($YuM5\p%=#@OOICGFf)p3L)-j:EP,%nDS4OmIV%um)Sso_uWttFf9c<XQ]cr91S+(+Ed&Cb19FG!"r3`
+%FKQf2=*X_Qh`O]5S,/j3hc[Dpkqk"e<IKAl!j^RafO'Q9G&PBu5B56$=n`&!)4BbJs5`dT\U($k:PH#k)nRD`W>Z@Zii@$E2,UaL
+%iXR&+\"Be`?JM8u;@lMR@fm2lIRrlp%<<<PN>F5!W<5st(%7(e"$%H#@c;qrjpMd<MK;9JifP;QUGd_IpA.7MDl_WH6f^Lq&u?=*
+%*X6E.Qldogj)jJ`DE'.`$k0(Jotthm!I7HimN4:S-BLTcBPhTSgjIa?^<FTb):;uN)5W11f4tR,p[D6Sc.+cqXSC4a]Hro&=rK[M
+%5]]GfFsJo<(Hu[Q#r9Gr?T"#TL`8eO.`d,XgkL*-Z<Kj\.AF'O58kbl)E.Eq$UZ9%P#;1QiN&E099(=H^g_#%YnZF<'hbSA`=L5H
+%=i-'6eR^P<Ba$#B(TlW<DU.s$`79)rG/C7*W!4q\5t9r>:dfA71ol1K\LLd6P=9$t?QJ=l^uGXVc($</Y%Y,to3N#&G7$R(24kjf
+%NHDUH=JY'&+\jU0Z0Yegl4[k:'9OJ(Cr6deoooiL_,#UeH0kC:`on`C6[an""\!8RK^*m2?=kABi?5ZR5l9fr%;H]ICSQT+rn_.G
+%^sIB"^?k-Mjc_""c'[j+eQ"Nu+M]ar.a.m!aT??;D9RF;MN:I?-jfW]-&1hdUP3u9,MTXA*(J\;4WT!be$`e6)n$M>0kW@i8)jRQ
+%hpfsR6gX@Z6H;!+J![3Gp[km/2+SrTS#]]i&pOjS@jG1RR_F$Xl530!AiSjr1%#>bY;)0f(*SlnfMZ,VAn*TX1;+MZ9Le9*9R8PV
+%\"Fr&3p8pG#.H<Z8k67Z4.HY'V#u:LY[n]K*F(ab^,)RRBUVD2?>*?J2)Z*d&QIYb;^r&L-c634YA9,)M`+aeE-"Gj)'Z1Dm09Ep
+%lMt=e<L.q]GT/?e$5._2f[qJE>kLX\df+SiNYVm]28AD\cIg+H.LV[j]fkp!`2hX,W8,Gf<YCL^44:>:hKUU\6EeJ2/rq\fqrIl(
+%IH^@(]>?3X+l"Rr`)&8iBlt*p,-E?,Fs)GT:Q-4?@CRiP5hY)+&LB\'7)KS)*a.qq,5i<0,062IeJ>[C``<A%>dQ*2OfXR>3fHTs
+%gTF_aI][JeCY#=uf33lqrY1%7)?h.4%!h7CN'YLB5cHY#j:^iV.<Mae].,m+LQH^KKG(#'qRL-s43SGRna_,8)bB%`^jDY)FT(8@
+%0tXGGlE=/\b+aWY3]D)B-+cu/h+Jea^a=5AZIrDk[F/t"0gj6k8HbbTj&*uPeqVY+aX&6o2RdQj?.p,UDK?QFA2t[U6F&0FYu]L]
+%Wf#C[Yo90R61cki*XHS/@?3h=W>)q6E'6Trb%bT[TYVj;7aeDfP)+$S-Y>f`h#aWnlp-8&b=..VX@1>QJ[?P)@mC4*Mf=NQHh,1p
+%7cWCVdc@Z!+X`'YCNfjEA,_eUf8rPB?;mcfB*YJo=jI0BO\.HK<_W\:k+;(*f*']M,!E3E<+s\rKD7Y*JjCuq'Q3Y5@F`7SRb"Er
+%.lS:3ohO(@jeR4!Mr[>gMTI,U@jG?8eZlIP06YV0ik!CffELX?.moi/DXagM9$%O9]s3e7j`.HY'<:gHR=b*&Lur73,-7SS3(og3
+%(52gJTV<W>kqsU1dPp.U_Ed?FMlLpK:BNhkh&E@*ocrk<S)N=@Jpm$@M"f$3O,CU$XZX`I%]DE,"Bi*O=,_%7^YS76dF)_'>%rX<
+%=rTT`-YbNi[R,8ilkE)jG2nan/tP(j$]mhL0'kq.C>!34H\qu/1$<;5ZKjr$HUhARWDKu+Z3!^tE7=MCfRCjff#]1j.,Ogb2U<13
+%#;d<od0qmHKT;0OB(@<cOh0kh>uWa_fb?M?TCqkoMQ2YY`u3YA<H-*%Cd0/(L#Fq0%-Ksl<I)PuAr:mi1=Tde73/+>[2FrmLE^^h
+%1$<-1-n86%r_NpK8dKiMnr85S="?WW4@&ktL]^=?Ipj@=PF2uK\Y(0u5ZW%q,M-bN[G?Tf#Yf*i));>>Ai5H,]8hf#7;Bdljt\B(
+%>..;[!2'cYBkP^7G;^)&.^QNL%GC],8_a4.RA1c0F5[!WZ"dLM_IBKK.(gjmhiknXdnFJ;R,fVNH/-s<-)S'hD1LJNn+P"*.J38l
+%kcOV[3`*Os'R0<0mDu>"0EB'!U6f,0g,0S`?E_`;%]WprLkmMH2'(C:l4M2&BOaYNXK-=Md6*e+*I[7`*b''CYC,,[\9[blEDJN6
+%RJt]/HGFa%$[0/6*k`dF%bMF5266?-2Q)Q_+#i!jl*.gcb-9K'^TuN6+tatO6F#c+qB9>([?9#)E18X!j$r&Qri,!kFAGP9PA*4S
+%kRs(&6(mOKN#K!.hAB.La2+du*]>lTVhsMm"'P(HqZAHhH_\QP]Z#IU)VZCr>?op>?CaY##=uEao'r&kGOoDE&n\\A"E!D`/qSu>
+%*48,T$it]H-&dH"5JLcPkU-isq04gG;UdDG<E5]43!kS#^C1;.=.%\[?fquQV4/Bu6G*]7YBZBZ,Sa*;+[`B4RdmPo6PUX`<_"D&
+%N1_=KA:W*A/j?JL<eAV4>b@HYY-SVhmnZ@\2O$>X:nc_4d!Y7+!)OufW[pIGeK$D`,-YZFo*,Y%<V0u_dQdu"h11eh^Zb6^Uc"NE
+%8eYnaqbZE#S3mmWlQdH>(,N!me*6B^ckrd(6(j$,,+ru<F.\.XR]$\0'eSQ>794R,[W5C>4g`+:%*6M'UU+@D`R)WD5cYWi&QXC<
+%P=:D'EuN#67gTN*cr8XVl8o<o9^b5_9ZnUn)Hl[5'a+sr?R]QXYHOtQG2*tWUr0]"B/[)CFaspGY$/IdbUmdM?(3-*,>Sd5dW_NY
+%`![ns7dQ/?iG,M5j\SPDg32(D6[G1f@iiZ/Oo,fh=^7*.%b-%d9U6$j7_Yrl#deSd-Jli'%p,W"_cfT$hC*'Kd3_sclXp9o#$Y;G
+%g)$e2.ekp@A$I6d("bY4eU90.41nW2,<R7J6n%u!ccBJuF0&!8X%i3./Q?B=VUI-5[ZjTcJ34VujiB&thOJU_$dWXGj7@Wc>B@s:
+%2^4TGOI+/m#rr0AfT.201I65rm1-R]c;f#<23(<E\e:MR_,sdKO0%q1oSMs+YC>,qUWMj[&"<4NB0dd4\!D)6P"C!Z'ASJZ7$WFo
+%L/[AlVbK1gCVP>B>?4`O1@_WKec)pu%.?a4B+l/<;SGj^@^jNnH4E4i<CX*ZX7R_`2c=a2@XWP4K77@!qt@UE%qgQ\SWn3HrFqO7
+%=1G#^YSQ']N!OGV0#J8<UJr5t7^iuNi2j*L7KY3+Q414#&%jq[aCuZW47BQ::tqj''4_;/0",7!>+iblmpc30g?@:=NpC\<SQuQa
+%R<GC>p)V)T'=t2Z"h#1#m61(c)k?B&]&2pdSU:Kr_V$u/b?$XhZk!l[_P@FRgptfDB\/9M1\>F)O`_)!_^4<S\-B7E1fEd*D^K<K
+%<L$m\:VYS-A8)Lmerb6Nk+/cX'/-//H-p>"N'(Dbqr0Mj!M\fC4g3Oh]kK+&Cf)YJk!:BC8p7KL5+u$og*7j0gr+sm3GIf$DFLG[
+%WmK;hfj9'e\#nNEP^e,MrRYt:kHi2fT=t+!PLj0trO2.HmsXNn2g=`'s/d.+*a_)/o[ObMIsUjq++Nk1(O&ZY5(2tG]AGZPqHM!i
+%NrT.,h`Um2YDn&0adY4B?@VrE?bC[[g#k#;n($amrq,k2?bL]t?11!1A,kJ25QCAf?TnAWeP#i;#;:Pug#m$ok79fSd?!2?IJ:u6
+%YJ9lagqA48kG+Y6qr7CC5<AdRs7_^ikq3r6Pl9?,?QC/:E;[VGhSm+!hj(flhgOtjiU0Y?bO7PL;a!C'ZPj4je$FB4%hp;P8ler\
+%H`_&O-=*@gF:ldPe^aZ`iA@u&@et<"goN(&I'm@.PLn#pA$;s-R9\)8iRshC[iX.\A$\_]%J>)0h*FcroMb'j3Or-'j)c)8ae.'5
+%29,\8!N1hp#ocVaYDYE%bFs^Q"<VO->41e?Z@(hAb2[9/j-t8]IJ;"PcT_BVh)c^+nG_J.(Jiq6p#ZpuG$A_Omerb!YPpW0Nq75H
+%rVl=Oi@s!RIP/AbN4^b0ci<7bgrE0"Xi8+GB*3"MFZ4,ae9fNM@I;[89M^_I;7B$?5R,l0F^%D<Pd""bg_MZnCJh<5BAg,PY?gn1
+%NI(O3*hRlM6iXSYq!mkWht]@+J,[R=Mbiejo_ObI5C7Bd$8HoA(IY>hqsP&EoLr4t%MN4Loq)2X1W=8<VoK$<c[L*ih%)\op6Ntd
+%U]4SBVD!$13aUb75P"Z"V#S.\Gk'C8NaTZQLUtoIW^EL$43+aP6pRnX)LZK+=0FM/2U99u+s""qClZs#_*Ck`jq!_V9<;g,>B[@Y
+%L\20Z@$SabiQ+r5:V\$>hYgItWu[`WR]9k7N@]FE/lX6Y7\qUqV7P*f7gJ*",_>>Ne%$9Z<3lL0"`#S+'f3Hk?ns&iD2Y&im,g,o
+%;4[/$%sVT2:-_*G@F@k#*'un=ei8)2d67Ffk5HWVFdpL4Z:LPpHA0q+_Au@<DOg@H"GXrtW*p[r%-(1T<*2PIJPn9@D'&ht;IUH)
+%j<YFC,>#M-/L;&)W2K>9P7S&3;;9$3n!0/F)^uT%;AfRr)V*aWcE/MG#!a-E;)p)Rc0/>T@&ksrV`_C2)Q`$-d$G=u<^]>To#M_^
+%nOSS^OX"C;I#(f5.A]uE#h:b\F4k3W$m;s4W5dgR_22T[h)LhP*?15==$C!_K$sM4$<\o-KGppH,*L?5-cm:7?HZTgZ8)MKgh]t3
+%F((2aG9;+BmK\=TNuC<ppqLBeV1Q4c<;]idTi+QQh-]<g"MJHr"l`VPlrpCkN"0JbY$P6f#W>b`&#1Zl+BI5t73h(nfJN`<-aFJg
+%X'jIs,mV(C.@\Ci)kib`P>k8r:8s+24,2rO$j)6=d!fe9V%VlH93q6d?JCXEpD/>_<Lf+D)Ds@]]L*nXP7Hm(X#jK=6tsq%<cm)^
+%`Y2eG5gbd;0[D>u5)>U2K1VP@&g>jICjg/fTBiP#gs0p"2N)j%('_@[R'Z=Ng"j3-Lq*ic/ERuaBOfsD*=`Y6C9<q,1o:T5&boG5
+%VS(`>.M`1ml\]%i3m<E"39Z(eI7.SEgDsGs3=$[`6.ZJk2L04ZI@+r`H6:bLKD/NMgq(_?Z%H1u]fT/#5AiQ9ZZLp[Y1KB&qu_/f
+%$=)\:is6p<Pjfo.Fed%\EsNsW<Sa-9a=)X7"cX4lO![l+NG<fZ#XJXt]I?=lKo215"4`s*99&kOd<FG9e(0_+e_;tQIuQL7Dj&1t
+%D![XkG)"Y"G"g58RUN!=-'P;3S2&`bf##q;8%uJON63!(U'\h4Bp2)c8I/Q/(R*_$\4q(p5f0L1=(b`2M`'sX^VgUleZlm1]9)u7
+%M\s1=MY3EmW.;?tA'PO?_u0eo5%d'9CAFOgkLN<mqKt.Gf['#]iFKTIHa6*;K.F+k(MXp+X$R<7E+92OMX.Y+`:E"8<r+/-)f'[@
+%"aaGC!t_<X[imbqRpXT3D#O"^9q_U#r'KLq])J'cV'jTI07SSuA)ALVh:5$,hGI6B]_1mq,AsW`,jd[Y!6n`XZ*1k.l@%H0CDL]0
+%<TVloHh!o%CknDV[VJYMWEnr^nq3p$o6DI_4,&4R-\n!]bfOp<RJ1<@=.W$H9#MG(?K[XtoM`GCg;sk[hTfc/KC8J4o^.]<XtH&B
+%T?#c"d;GKP(N[m7qSq>s4UWT3P6KX+@D^$QfiV9bmqb*$?E%J7)*H<)UFK.^PFI?u"t0iXCdfd*ClFRs2*nHg1<hWg9f$TEj<Q&h
+%j#ENVQBR4SqbYdMXL.]<QrGgL79"-$V`66),.e_l&g"Ffd0l.=_P8IAYo1?WIba8B<0gp)/2muQnRNs[3AeXmPA*1P%<h8NXJkO'
+%]N>&EVL7S99Wc9jB=C140ptUuc,UCiAsR^c848"MB^t2q87KgNoI_+(\YbC,G)Kn<5gP;tPiQo$20*lLVUkAJ3bO:CK87,sl,?L4
+%]c^Kb:OJ"Fs1pc>1Xoh[\:_lBjGaOW,gR5b\?J/k_2]e^nj[7>jmIik3qk`;4^E@#VN8@b`6*X5ijB"C/&tq=qV/<qN;.Mdb`s9R
+%p1lmAm\uA^1\G_nZ8,'Q8p-*4OqH+8<nNH/UN9r#)OUfd"mlP<s2nNiH`O:uaho)D@RLgD78-*5jEM$(.'_cjk;^Xafo'hjQ'#q$
+%Lgdb0NfZZG_-GA/AWA<#@RIFA+aq!I8^`FiY_Sb2Upe?5HqHF.]!Xu5A4JHkPqDF#KTq1<AQtC8C2tr!@qsGZ)6%-<9c@1%\4,\Y
+%Gq`-OW1F3.6Qm21`W*;"OtC.$(0Urqn;&Z"j5AH'KtOp96(Vtk$nfS<`g*cPON\7afDS4/j`/W<hMHs[S#iYcG!1k#)K#AHX-Q-.
+%*ZZ;C?&.Hd+iV[noBRph26A%sZATCCDTeb6(2b]JnNgd@=#/5@fkMkCPpuO!;!*$DMq><jg94L0W.a4r8)iUjW6t8q$$U*Cqa/<3
+%-R>tX"N;b"Lc!`8XAJN$Y@;nUWXm9IOCW9LB8=Ga,P[cMFr&<>!X/*S1m`'_Me(F5^0P2\eC(V-%m^9]i9At'j/OKpgElQ+n_<AD
+%J#:rq1nqG-^97\:l/IqhV"P#UZnhk+!EuSjoF\SuXFAsX!N)[hbK8,;Yp%N4im(;V07uF[o9$)*+PYJuXdfi%-h@$^q7R6\l:6sU
+%2%&q`3n*s;&X-$:$4_Lj]Q]#,_01W64&sl!c#tet&J`+c(%>pnlkI?U\Il;-oP.PO0M-B=FCDt`JEknoJ@/m[;9f2c;$ZLFabWjB
+%ZP5>[$mq<u9K=UTN&+I%FQ-AhEZ2V"D&WP2T5"GeCig=f'u_sJ@8Nt5f4N4:q'cSqP&n7/g8i]50=+]%=m+RpJ.X=E?BPH'\L`PC
+%^^c]N/bRd[n$>hG]?@79EV%_jd,DO,"U-k\F1uX<eGs+2cU+4.]RFl[T.rd#nOB,I&/Q?[NK@:DToNrrrDT`76dt\NY$5"%&nUZC
+%Cmu,$3uIP=LM;"/>fgo4bjOumZG&,=NF^]#FE_]"3f9of&9,6L74^K\*;m.W&1u(nPOq4842LLH:nWGU5O'Io8>SS69-$WF$n.?W
+%o?S@%ePteS)LKRC_&!)7@oZp!qW6NtVcnJ&,cl=I]G_3Ak+<G\Uaa:"MH->==cuD+MY`PAf+pVlOLBasW<0grQ(pA&66`>1"g9=[
+%cMW3uaA\+(iR4(?/+"Ic4el(>$S^3VI&0PYqstb.^1BtGT@jX=R$n97Zifa0LZRmJRR[u`pZE+^kE(',/c`lKTJg,2'"(Rd]_>5H
+%7IM\3V`%rI=6"lAn&?p&h9i82U$cud_T'O6mLpQ,.L*ND@B?5cOB#<C_Tr!">\0L1@&p_KT1:4;_r[u+SK?s@P^mip(Jf\Bl`4[=
+%@/&nWB@l')ND&<kC).S*5J:t>k>*U\Oo28&`45h]eYR+f?_:">>cd&J1:,`CD]*\i_tGr6ise"uHVTd8J#.b`XF*/-2]YKQ.^NLg
+%;ZHn[EN^2nJYW9lhY7a9fuAH$gQ3c:![V]^@Ek%ojn@gC_L45q'U%%U\HsFM2d&pTDEID]B5UrJb'dT4oIEeM*=FBo\fDnD!IJhA
+%XE<iQ33Bj]G)WOSnAV*!8u/6Y$-=:5IGfpWTY-^u1\9[e]4`M@m'\(;<B-Lb(/8Gf9(QTLLLLTmPJb=fV3&PX_HZKHF5Q0<6^E,+
+%O]G6U_F@]Hpru93\baQ?>+,<s)en722B-?R"u[E7i<q9>eqHTGCts_KfW=$8Ek&?E(F3IrZkmsrZcO$5ibZC`>fLCC0*K=9$PqOX
+%_M;7OONhoO.$E\%/]c%f6actES,9Xe/=WEDJ1h^ViI]0f:?2K+D!pG;hcr.=$`p\FZ4#6i3P>e'FQ"DsaO''G06#>$H7p\pKqlA4
+%9:K/#&5LFK?Z;s%@)9]TXiS?\=`"1q"j+=]="F@'(>N"gY:U0gJ706[P6E2c67`L_k+S/r9tL\cCe1uLjOl5*.ibo>jNbT:%8XH"
+%9cNY@"f338G7J"tLqXVjg9?&W/@H]*:ZU:MXO%&eBE[A,(SL4uk-/[$>=`;.kcir5>Ynpj:KKc.JS0qSqBkcQ/$m_E*?L0pMUIac
+%LQ)1qY81ZjRK\`)+"J4kP[80UYf'?";#5LB,e,@jh7UJ<a*%+mj)9hF<up&F6,c'jOol*531Vq$S@^GuL-W/8htt9,J65]IklQg3
+%\hD9^nFZs,1JD$F-_MiIT*n3Rq*psJDBCaVas8"mG5I@XQ,n=B06K`<YA?bSAtP*:s#8b!h#T;#Q`N]>&R+3#Z24a@+TDU#1j;8U
+%CPi&h>=($2(O,I'pkBT#=!1"u\?TI>jiFkg#X=kJd`H)mPc*-n5j8iZQCLbJXk2a$fR/L/..u8S^2bgc]\t2h<=*.BXt'Prd*3Ng
+%]m?6>::)f),V84Vcdpe/$m'CMT#`VB$ZW5?Bp<:/4.U<02^?F!Q\gHLHhr(EqHQ<kZY=-q%$IYs6hFJP841#$Gn^'VHd'g#-m\.(
+%fhL=3ZA!!!5iMg.0u$g#0tD=K9a04p''mZ$LoA:8"Ik@cS0a^e2'aN+GV0Q7aIC6r@WatS;nLS#=]ak%\<$S87D,^1->JUCRiJ-[
+%Ib\P]cAU+%d6igDUZeoT&Pj`XF=;"?0\LWrD=V_WFr%;`7J4Z''Pb9>A'UTedG8*aaF9K/kb+'hG1ICJX1S_m9qL??[QAf3/*AQ(
+%Q)eXUNm1dr+ASbQ>is!:C)eIZ^E\7b#npk_PZH*?dp>@Y=1>HlU'+g:ErX:kqrAd9Xii.1k_=Tg;*bW<TtSIN+M!atG#.8iK`I5(
+%o#U)2iklp5lA!pn]`8lc3q/S-R=*H\Wkej]o1&Gc'^8AE03Tu$*kYB28FfJ8YUB^/2O;7dV@"fHBdeVYE?,qLj'3RON;UefUoh:_
+%0;fgY%;D4j>Xkkt5IuTG")m&9IZNcc")&nkUnrS_6H3P^V=UZ;i7\D1KG<$kM><Fm<:(W(VUn9I%3q9URR_K(oT9Cf;n;`V`h4MH
+%L(%h=LZgu(H%kSG?#4^5hFJf9:*=DS`*2DMJ>sPVZP#OTVu\HiQQuAc]WkjI'@E7J^=30'i!Pa<$]JoX0sYC6Sre@$^6g)@L-q8&
+%GHp&a)?%/-K-e#r>j[&\q&lTA5o3CZ,Z)Y9M-b![!nYdR3^cOj+u_P@_b[Qr]bFd4[oeh#&G'?dBI!hN7H\O"\rHY();r6A`K#B*
+%1f+:RL&Ih=O(co&H@jteX4,mp5bG]+dYM0l,cNaTrSir_(a5f4IsE"1/Y:pna!,g"NePmS,pc"@KR!CR)cfXZ]i55'0W0UVYgR^j
+%!Q[al..I`N43cYF0?OS2lI5=;\rZ5*2/+lE>@0cRQM0Ru)9U)AQ&@dn=kQ:'NjGF#nlB>L]M@s2)nWltXpj#%F4aRVC%r`+SCIIa
+%(],dVZ$O=EXt%1^hEe:Z*Y=4YRZj69k\,X:e/YC8?W*IYHI9p[4p6*(8XS3LVmoK]o,J%1bN,dt)mT"bD=%#\8Q).m:HlbXKCdN_
+%aOri,<DW80><eVa>cG^B>L"+Pp8StZjD,mDd?Jo5SSFDBqr)B4"alHuW0\Y3)eg!khoL85NVXHqTpC`3m$'T+_'LF<U_QAJ9P3L)
+%'W5$sH)#eD#5%n4+=bC(>aSso^_i.t_o6g7@o1J%h:6B/[s5ngDN"07g/<BV(--5JS_tWJF0ir)Ledj'nK>p7/+n9V>B*knma+JT
+%6!%QGj57mK)ng6AMn:t+iW,DX:<euHW%KB$TL+GDTtlp3XZAbP8ld`U2V_#8=WeAl[_,_4(pfue,)IH%m(4lj%%.e;Tk5C@'Fk`.
+%G]=u*>n3kNd6Co?cc8'IFL,&h-P_ec9[JqN5)EN9$L3)q7];Fo1g[kQ3&AAP+uI]h]t6X/#'6*q%m,ZVe_W<>$T_YMa*s4b@-8kM
+%/PrY[f:&k@@_jOpm^(dsoR1;.2=,k%i8-Jh)nJlo`%1aO9db[TQeI;W4c9]S,Pu;\=$p6JaS@GAYbUM:Q*jkP$=RtROu^6Li!JO`
+%Ks8];[Pn2'e_G[4[R;!87)n;t9Z$s/Bh-u:bB=32)L(sJ?"Y0$h;,`'o0$![#Z8B[O-Hl:cEF"q`f-9n?dRW#Zg3]h@--Xan#%=@
+%(b?o8$f+u8%d&>\RiN$?_r*Hi+P@=BAA5lo0CEf851$,3?Z-Nk^e4^0A[lqF%H\EC^6i@k@rj`=9,Md%`W6f)Mb`#FGp0qUZCc'A
+%3rs6&iNj?i>fZ4!5i0s!hS+?[$Tq](s#)"f/]d@G(U/7\*iRX_CbKZ7aM/?FYs#*U=FA!QSq,RC$.WkXoBWEB!4d6!kB5+[<_\0_
+%Xa@&tPZ><"<q:5g/?j-?<;4muo9s)0'Tu)&#k9beo?PZ4o*SQHXQ+mmYkDS<i_;:7pZ?=_mh*3;"8)la*a>B&r&,MM6]j\+O!eFp
+%P(]>%i^RHa]L>?5Dbsu,)a3RPf>(tYg3"%BIJ!U][Vb'=\;g)CjuSV5<7^P]O!tjg4:L(U-j.<e$mFn%'TphV.+ai0ge'+@34_0g
+%+7DD300i!*5[^2efMsf^=o::PDrYY3OQJ;:'PEgJa4V"!M,(r`XFuO#EU"M*\N8kuQL-#!i6p&r+Rm([;S,Xh=iMuQFfQa,(7iKm
+%2nDIi5jXO252XFUo8q)cAKK.E*.a)9\7+M-P38h?>oJfLT&2nJ<`Fin$aUcq\tni%gNLUE!V!YeKpQ80(-o)oNmWW<pd#/B?erdt
+%=,'h6A`m8;6*V&4ck.^\!9f(uWS7.KT]Su/aG-XI6dW"<DmfX(dekVXas.H+ZJh8FX#j`RY4(E;H06m_#HDA,]5]/'cj1%jlKh<^
+%OpJ0gA#ob!UoAkZ)T]oU05)`!pBf;tj:Ek_gek2!4elgm9)q%bU3"Ge^(Mi\2mM6^b=N/h23u1B7XH-1)@9K9Q#e8k\JB2u[^D=n
+%-pBNj5irtpOedYn$imX(>7n'JnZc^PD-=C'duE]+Bi7?(hPFZ93eqa7gC6!pgS&\gKSfS?jJb\i_le2i8Kp)#Vqk,g'*3tunk_]g
+%*he>uI.t'roQW7FaU5XI!F44jKA.uTHsV1U5n!_Y;I(ZGNmKNtG%&`[G[p#04Z09)[?\0Jo,AQqAR1%9@gK0olhe1e;gX[^=L",Z
+%$*?1m%-[o2TJ_8K.e=.8o&'CtQ)@f'gkNTsUQE0HXXB4(;rM?cf(7[pGL>s=*U8)[U=OXLP@H\gmG\VZo@KRn]@_T06MPH6[^SN[
+%h?oVX7KU8?[@65n^9)%T'm!;+2K2g,Q"W*opH$1(3#Jgej.+po?BnX&Q1tKrA?3G,cS\KT[Mfo&cd.u\W^hd\e$4+ZM;2Mj^P]9`
+%'2nl/**)?udPL)-Ca'm-q>cqoh2C#Ih]jo;(Y43#e(9`;R$$Q<5!2rDBmQC\hEYt8<7?9`8c92&XUmmV29DG(E0O?eV:`KdgOd'N
+%L>&L>OrT@(E?f*M!l,;Q\JEtp(8CNN,joU(@:W>64CQ/rPaV>e)hC=gKR#-``u-&1PdOuTmkItt:6C0s$tQo%Ho8d[D;53?!5:c5
+%H@]aQE$<8+G.cr[3)(#OC-g#&2F<ED_%DH'T:gpa,_W&JX&($gmNZ,K;3S[,/^pg1klbP0\;TYna<=.ILXqIA6nhZrRhb6Kf/sL&
+%R*IC%Ks,\/&KR[D;EH7=:LQt>eTUcA*Xk+4&'S[KHZN8J#bm7Sf[oN-QGKn52];.tjYRi_eqtTBfk.NBi`q8f]-&*]1d[Q^A3J@m
+%9iA1KI:IB+jrhj$]S)O,o!tsmA%Thlr3o0lG,1eO,'HYR7kN$%c4`/h`!dPc7RMK@Nm\Y$d@XV8eOu=k)R$^#90*dZK^Rollo<Aj
+%p3>p'AlJ=#n`s7P0AcX%`>:a#;=fs@2u\tn]HU:31>I8i*<FLm%I::U.-4IAW+!\U-!&L=.9?'0jYIPl<m^^T`mrJ:aW.?)>clD\
+%bG.V]n?>^n)<G(^K)oc40c-$ipI6I=Y,9E<l6f<b'fCB?=dbR4`gj.P6KU=deZ<snd':,.3lAkk0Mt5n@YS&CK1bGl9-Ze1O?Bus
+%>_G3Kr-UUa,JR(je7#Tl;(r3r[/b'<R_-q9SI+e$0RB+<Zm@Jfm5Bak%%KB"#&'/fQ6`u=5,Z]iX9u]aNJVWV#n.`aI7q\>@Z;NI
+%Rbc#lc%:I)#LMW[a`jl"Ca'f__Sg8-@r=#?Dpj>="+YD][;Jo..@n-,3Z0aT5"h]>:oYq[R*M]@I0lG15ZIklK8g69R)f?'"Nnkg
+%p!!c_=LZ$e0IBf*8**LInM!EN)Q-60,98G60#EWfITgb!Tn60/"Wi[t?D<n!?qlXB?@CES77Ck_VZ;PT"\1i58c3!NXpm_epL3/h
+%WU.X<"sq%h(56A5Su1"825A@o*lU.[6;8*4/a!E[hgFmNI]=nM;?>ATT-%b"Ec;%GrQZ+[P%9b?*pT)^/EW%"#Z7n-7DUH.>@dIL
+%A7A/f(R#<t8:p,@f1&C7h&CO8(rE8e]2@Gh&p*lH+b*i;eInhdBek3l_30d/DgFA]@5I32cA\3ZY(ZNPQh3=d7&7Z-7butgpUtQ`
+%%Os7I.*8#G3[;?moU[4f@_WF_f3qZZ/qD=WX7auK^UK:lC\pTp#VL$f#ul`s/V$o5b*N<XV%Ap1!`R-k&N-q)Uk6QWDo<mLEXd;L
+%WMYT^C#B#T?e\Z7i_hCmH/#"IZ?3d9"FRPZ_r%Q\B%k:&ge2Q9Ml7i6po3K8<'MU^9!)0j_>(>6pWj@CNrClnH*L\KXg5RadmPKc
+%X]/$eBItEI)PBP!0u&?ERtkfk4d_[81WCI4qdql@-AMiX6?U-(q(P[ZAsD%Y<]34PG_p<+fH%F-L_Nege[Q-omn`8tFma(4WdrUh
+%gqUeMkVLQ67T_#QQ?59aQ6dC:TWW,8J(\as%%iB6YOYm0p+n#P3g[j+,k4c,^`M46cuCSdj,6p%g[pCSh6R(jg.OqG0ZVbqbJ<OD
+%dptl2LAg_o013Q>^Nh1o+$6fB0HQ9R`GgjpPf#:U(I/I+=Z+7>IAbV'+8k?U^$*<Ts!l`WLS7rf9fMJc"@gPVXr^eb-?&^re$D8!
+%k4?Co\'<=pp4'i(mgid=q9Fo==0FhOVYaT_H/>(4Hf',=aieUPo&fUXInpO'kO3odpMk9Soq/mCrFB1f9b7-odoSb]nUpSN21KR=
+%i4EpAHMQP*lXr-Y<Xd<85.u2kl!NHOP1X+0^VN$]MdcVA[m0]A:\::=h0U6VHM-jsSVPNTs2g0pD1]oF0;S;s2-k_$H_8!!n_<sX
+%[B..7aj1Ior+J-?jLC-*5Q9no,&JK"-bU<F),PB-:*^"'R9Hl6p[@,3p>XJCf[W4c=8PY(:]**MGAR"\NrKJBdr4G,J*3"STD\Cg
+%4I0`3p<g?urR_&Ks!Rj8htfB`lg+JRJ,=$ZXag*&q>,R+f>#%bqs2#efD`IelaQkgGJ<ShHqciun%UsT?iQRDlPk?N>CZMh?dDOH
+%NV>[8hB.gYnE]kK^\2#^r7OkpnGE7-fC<)6IJE*rJ+`Anht\1>l>QU:bCB:OrXWrHS)=&\I]NJ(J+-86r."Nh++4U5ocO4mRt(!q
+%J,)lirce@J?i=o.a+*^ts5K[LPLk<R)o(s9qWeZ1rmuYi0E:Sb^Z`H'TDGs>^]+iEia;[LJ,]2WNhnK1oRH^Ms6p!\O8nkJYPo.5
+%`j`_XZ[_u#s6Ronr(hh(5P8g\I.Z=pq>^C0s60?pq5aOpj)t=ps82ilB4(Z+fC2_Rp>1;r&,s'<j+%(+DuE:X"GYD(p\mDNhE+9/
+%.U<kjlHVP*k1k$jF(V9h`u+u>MB!Ad3M;'kP;>Fr,mPAAZ,th;-0Isa,_J?R&1"8X+AjCf8<tAh+d-mp1>T_DVR?.7)B."EkMA8s
+%%rKn,pY'Ddpoa9Rn+6/g2/Z76?amrQju<(Mf4nk+);23morGgmTDf/spMAO6I0TF^@fECrqAn<G<l6P<\i+lU]7'c2or11T(B7a?
+%>3df3)VVsg]Dgoqci$Z;j"J@jA@?>SigDptr65nE`6Z*m$6*]5.Pu%j\D58QhYH'$e0=ma"nahM;kE\t1hp.'E1XQ<k-n.]Z59X;
+%qQp+oF77\]=6&,Oja$;Zs2u(hlkuQd#tn"ZYE_hc;q]=BAGbiqqBY4t1O<7#;MOHHJ+fnmX]%.Hg%T^jp<Pu'<CZ5qPtSdcH^.F3
+%Cq[i2dU(/`rdXeC++EXErP^<lX[Y`DP4^VLV`/I!Y@N3sT(od-rqrramo<E!)X5f#$ND94p3N!9mFsKNQe-QZgHWIJi\UW.F'_k\
+%B'gLJoXM'nQ]gfMp[6V4EksjZqUZP@GdH=<Djl8ZeZ)QKS=)',B_AqH*BC&sXh6^9ZYpS,]?$UocE#)lIn<1\Th<o"kqg?RWqTQZ
+%kC3G3aU4m3a"i/DCmM,il;b)kZ1d3A?G:O4d$DXL2qi%Ydd'm*+6-p^eB6kBWgM1Cr3D;d2CtDdSc2*Y7pdk*W(#1(IYoNE\6^dj
+%*FADTMP"3i4RS,uLC`iW4fdIeWHuYC.l?R^eZsM8%G#0M<iqQl_+n:EWh[9jGkU.]6XS+&=Zsa,mk:MAp$CSL=fHdtf[Elt3jgJ"
+%WP0jl.Z@JVm+U:M(D!^=db[diHa,I27h*S?REl=NTlP8pep8^Iq7QXH%6r[jc+SIAc]UROT25GLXlIJoj8(UTT+U^3nN%PI/*/e/
+%<Z&77o_mS#h!7I2O)'p6/2,N<20%cC+g"B70gG+V;R9qHj&10P?n>>ubbh]WJp6&IEW*h7jHWZe)"QXuR3OI[k3$$rQ#"bnX,32+
+%n!1q3]o[m8=uWlrJY\q:[U\JQS3<TXhAJ^6ZXNTZ]cXPRX#=\4V;P@a2i`8?\6SUNV7TH)\7jI?N;ONUcW06eI/L4W7J"0ccE+_2
+%i*D]DIF9_CY#cMMq.Rn0)?&m_B7L_73+1J,8R5!Op&"'GQQ3ON]^"@A/Q4H38c&8=%MKU1><&l\V%c'Ll*=NS?*J_5O=GPS??5Ph
+%PP:^W^L,AQH%T(p_4]ISQd$Dq,0r0'>-(.S:]FnAaq*5EH/)V>au:,hY&XL>NgVJ_`^PHYh'OfOFRdje2%&F7pj`08j<*i6T=8h'
+%2_2m+:48!s\C9G)2hKAeH#2#mnk$U1SN2#qVk;6ReLJmOa?(!F9(ZH&j2d?'9*Q[)"BVF^?U5Fh>hV'5:!u0(7cV<,/RPb.poHT=
+%a*nu8ZqC%!^@1^ij4i^>9%@_7CccS(Q/K":Sldp&WA'$@p\f(,WmBikA8qLr;c,n4D8>=i0&=0dm-?+&;S9+/n22S2#Of7th1E(l
+%F%4"?HHfR+B(`GY?*!%#ec!Z5UNT\[rgt:Hp>Gr#,ASVOcTlDZcJ<mtkSZAs[XCt0iO>/RGG"TnL5i7s%t2N%_,J\XHfSPQH7_2q
+%N7Ifl%t$++6/oaX@G%%/n6,K]YNqr2r:Y$Kae*GLB(LnZ*T%/:'DH%PJ,ZX68p!,?hfB[TlM3S9qNjqSX?!mF_Rt6aVp@.45<35t
+%nu[95Cg&rsDKm<%h\*D/IsgLWaG7IaABL4EY\)ZS]mXdRpa.LUD"Ve81NMrT>1G_6]3_R!@,[E(8+pkgebS#T2/2s^oW&.j#$mY5
+%X+%hmD]\pn@[$"(HbIZo4"nB^jZYZ5Gte.Kla3.qiS_fkqcAc8%*[TSm?.BQkfr<0*-CL0d/LR9<t9X:0\WeT8L\\$YO;@f62W)@
+%=MFP%`RB1#ogoN)is%,Bcb*u)p-0f%Xu:I@aZEU'kB>'`)qpec>C?4jq>9fegHVk/)`9N[IXfecj&^/h%7YSQK)b#0/^i*d\jgd,
+%]\R)^!F.L&D]N%DWh,[&MtR)An9'%W0Q6<KgEA>e#!H_qq)`fHn!I-'P1./km?!ocj.51A`5HtufsE?/mp`V.gp<ZC3e=:lG2oR6
+%r3"g:V`)k7'D@r?qg<_R>#*A^*E-]B53ia,lJ`.q[mF4Z@UGAf]DTGZqQM'nNN'psYI0sSj-[$>a#6\,X6--SK2s!##2YX$e'l3^
+%rl8CGp/L%`ra)<gH6k4$_$`/m\FCq_Ym6Whb]!BiWl"4CW)r*C>l.siXR$;Ll,jE=qc!"/f+6)@*9R.1k6q8P3_dE_6AbH*1oftt
+%*T-)QnX`AaW5Veq;,MW"q@e(jGND#uIXKnj!uk.q.6D"VWI*!'^5-s#k;<'qK`0<I7;KAGP>O?gJLUi3/b\T;kBD=+!mUGR^X$CP
+%r3DfiFtO`!JM/N4nuL6U],k500roRZ)a<_fPqWi0m34DlGOF+Z>e&u3DY)89F0O*U?9c*82bjKFgK?V`5KJhrDP,Uk@U)ikhZX1o
+%ou!5,Q,<rUVb2r+DZ'LteLI]4p$CJ0Gh>7'%LcrraR8K<YK!7&iO#5JoWHt2kP'H\k5A[J-pQuIW5G9ZpFY[mW:,&A<o\qbrOAuo
+%?dbBc+5!c<mEijtmJTU`j+,FcZu]8h(h-[ll!)Hg96aP+h=LM.)c?Xc=G;n'dGi9]F(X1.9X3^ZjO\;&[TW8IE?AdMlonrJs)sOr
+%E%>__hTO9`Y9-l:%>4AnqIA+u^QnSsgcK.m0'l^ffI3jbEJK=k=-Hk2]_kfVgTK5SbJu3*YLi&%FR5s?/P:_>>B.SBI/;EVc[-I`
+%KT\J7mCelhM8AZ$2braBXiUj:.W]!_D9=ZhCXq/4manj<aln-Lf<T5tN12N,>?srL^!U9)ri=EFa&WYbl*Oj<`:_/g,eY^q>F#\3
+%<3=d3n#g]Jjb#'R2(ZiE[dH4n:f\iGBT;jOa%W'Y\4ueGa]`u6f?fNGr4%%afpp$ncN!&!mA-(Ss8Ipb<FW?`D3Y]Qn%uf8rHOTM
+%1AZqJ4Wq(9ZnFUEZ,?(Q;oeO/(Rc1ZAM*l[-G4-=@!^GJFbVO+Hi@pB]5AWr4hQ0DjFEN$hW3NR]mY&NeRIK`4i^55h4m`8F`0/*
+%4+?J55qO=nJb3[6?Gc0jGK#Fr*jt">Mhs+!I:DU5ZEZ@B"Qk9ZQ8al-)-%b1J`j%DO.JCPE:^S6`XA%n%A,ao<*&+b&k`bm&<+r.
+%]`se^PTiiBY<$VWU#Y#jZ"@[;=KK[/FYnjXfDQ)h(Nd\-'e@jYjL"/]ZDti'^s0lI5F=LG:]7L1$[5`nr(c[^UFZ2,O<gUS\5`be
+%`P:d5nPo[D>tr^!MkkR4,-Z5q".Y,4(.5"GRa`^6MtDC^c6F]4*8D_nF_30gH7S0uTk3&s1p-S,eV>ct9oHK@IbHTVU;&XWYj&NZ
+%ir6K,5&,it\k&TI;eJlHoR=G!A7tQ7@+(uK<Pj_oo-HWVH>n$,a)*")NnO>_eVC=r?ZtJf_G%JUb$&gV%>cV4(Ni)$nV%lE-dJ/=
+%Ufk>rp0uS=;3T&pBrELYn+Gd<G9:)CrF'eN&*Bl`l],3Xf?E$NHY1dI?`HiUVL$;U6d'gRK9bX_G/i#Tbn?$ZSE<2:9HD\f=V912
+%CqK0ZkOQote`1PR>#*djlt6$qbMQ'p`arA&;EjlqiD4f!.i3%aEpBHO)%#'.Qg,$Mrm=-AHe#Hh*khYX9hqqJNA_kr3tp3)V&^4o
+%'A@j0O*B,u/aGtdWRlIK`:86pC%6Je.eK4DGi!Bo:23S]"uF)\SPp/F$#[ce#HgS3Mf38H^?b(`KiqA@DTflV7s0;7ET^G4cmNVC
+%SC[kte>tH@%5,n,G>G92E*qu!&XtGP(;%.jH7_fJqlW*,T*m.]/a"jljhT82gK-oKR+*%`lJ(-a4s&.RDOi,&Vm!!>E+Aq7pCc?u
+%CV/l=Rdk;9?I4WPTDIqd:4$qtbCgdUCU#c"8+^_kGW>5*qmkIBSN=JtrSfgZ/R6!\`-!X-mA#RqP2Gro)>1.ZV`"r6%NjGDjY<0k
+%n"*cCS7^[AX)o78]Q]RXPHaVq^-$H3f$2C9NugE&jQ'mDE:0@tC/D0g44D2fQS6.'n6,5.Yg;0U=Xs-r&"iTj:FT2Va7/%Nl6g\5
+%?uraI4:M/b[r:-9*R7%(%P5b_mXO+FdpUh.A!+1\rhT]I-hR>po6hG)6e;jmDaWZOhdXCbiEanGG+'/#Y!//a`l"Zla1Ntg^TSG(
+%>GY*GnCbWcNo"dUlLE\7Fre17QLDu!Bf*PrYEh=lr:!IHik#DB<f/1e(RCh7(CeK2Y=?dJmJ@;2s5DB8H[`Pt'6cslSSORph2\::
+%qIUq4mj>lh2_=Qkps0:N.u!5>fBr/72Ct:[IJW;!?``.rkK'VQG>d<7?5L)#5i]IEa"]BI%W,W%Ib(Y0.6e3?n_34PqtKI1GPKgi
+%o2fiV)/dPtn6J#f?`?8/qV2s@S&@Au.L\o)>(#/@FoCUUlSn:fbK9XQa;)&u:-U&1-8/UdZ[_fZd9"$<HM4gnIb*Od_1&3mjI.h"
+%PEhcbl4JLe=(]h%+)X8'O8N=n:TWn!N0B,$(9HE#H?Rp"d8q'!2IlWpqiB#I^K8^W4`d(q_u&IgHhM:N-n>cInP7DALTWj&Mu6q+
+%c[7g`hk\SArp\C!c*KLMFi-hH2OmGrr1<,`F7.sF]8iJtG4jq)&"?(OIBU#Fq<c0!orrgNpMX<MG5Ha6h/h>K`iTnlQUM.^4o4]@
+%F6-['G&!$#]8H@[r9,fd$feCj]4]WN^8obV097K!$@\E/`clLi8)I<maQaih3QM*Blh8`fSYHG-V$I$Hn%*^`h4U]V+`6/[A%u%b
+%k$7[n@cT'F:6WEl[JEA\on//`7h1RHc3sCH8pqcIS.25CL$s>uq1h$ar5)rH>re8GIbZj04"?:pJ)])F*4`P.>W]<%AFAiioYB!a
+%lbacKgblQ.\Gn%G0kJhU?gYaK*a:e)IV@*+oj4rmi\.fl`Ei5`IP\H;7<P3mC;Y%,NrE3fn\KpmbD%n\:Sm],ZaQBOLiN#3fA1M[
+%Q]9)U_Sb8/]g(1qk#Zi]K58Lccg+Y6&)[%P^#@.Yru*Q&J*k17AReoA7Et0CNCPPWH0WC&h",T)?Tbo:adC9T3)JQ\,8P4tn_,YM
+%)t.)n\SqGZ+\dk@3YdS&lT8b>pD8=iEH_*1W<8WU:?YTR81a"O[="mO?g^!ur>5::#C!>B5.G2"Zp*rF9H>9b2'9MBlhBR[4R(U@
+%mbPBtik*I-:@6NC<1Y/M[i4o;E93*%0&1i;\(qQQ_FJcd=>H^kdkVHO3PSap`PC0-^--N1lKt58\t&YAD?N&hh&ASN1TGdkg7o50
+%L!$e@3r=hP#C\dZou?C2p[18eh_<,sE;0'cWu'*RpjVt7cf^>Sf=FSZ]T?gSl](J;qG1>$B'\<k5Fa]YqX"#N=)Qg)Hgee'S<Rs:
+%aa%jocHY9!592hupR=lmQHpH']61O@q2SE&<2OC(@?]h+rF5H2Y;U7r2V:mD4"jjKR!`2LE:3(l+2?_-c),V6Qd)!\G"Bq[<Sr5;
+%Y``)F/mGY^f=lllNYjp.b1pR/ens3LH-=d@gCg]l>ISG*\:3!!3KqGk)pk^0HDOMXkGRU.hrg7Q<OQ.d.d<?a#7Vb4B'd%t.B[Z#
+%a,CopYZo:SQ-,s=r<5MM$5H8c;ndX5MQ*`c(!;jn?./[I#UK5$]c`oRFPEZ(9a\/1jWkNu85k)D<DpljWp&.Ljo#6lZMsUumT'<3
+%DrZ(\+@K;9fdIW+Nh,D]9l_Z4Z;Zt]gIR"#8ks0NZ@2V9D4;muQZ&ALXCGnRqe[lLUP)]IbUg[C5FhQSa`3cLOQ)MK3JEm$%bX'?
+%Ls*5TUrS%rG>]dhH5mZCDAR:5,S5O2Gi21+Q33=[j;j#s*%CHNH"2K)ChC7t/<P2Z_La0^!u"c:FW/"fV#c&\CGu8EO/oNZ,EhcK
+%o4AT\nsD/U[>5R8!NHPOJ43LtCaK;34:qTpKE@%>)ZFb/iD"?KJ-%r.$RlZa?](TU7D?ti)F!4B&Af7Ep-[+Ei)K1SM:+<siJV![
+%KH$jlY2M.p(_]`!"TYD)ch/#'K]lLITh^k'XB0jAM#]XoTZcX])TCJ>9)tsC3LZZ:+-N8B(:k"#Af3VY/;^DZ+5,sH2.2X$]H*\Q
+%#d\ZAEB[P+AD6[DJ\s"43S63b#p]VM#*DBJmii2ek_IqPJO%L+)B>=?=Ga9#!F]Dp>"_t"JUr?-*eHd-e4F:Im%?StUt-So=AUpI
+%6scC:IXoS]1RTpc(R?Bj;UZ*6QO1CRZe\/&'"s3?)GGp^H(jXd&NBjDNMB&L\fr]QM49T?:e]He16p:j.TZ$i.JF*^MaK$e\fJF7
+%T`gDD&m$M<d=@Hk0`$<n68qji&of%uUZdHR;iu/L]ZU<VP&)QuE^BfeM/CmGI(#.jn:90.&QLl$^*G`\bOh1E72XsUOpk4VYX7%_
+%i@Tos&"ram*+l&]((L1?=O)=1l\*;PMb0=R`E<8:5T\<:"/Vb;XLg[@-B>"bGU&&-a&*%LE]?DdH';![=t$]i9H2WA5kF'Zj0nHd
+%"+:SSC_H?$Ja>r^%TqoD#7<9)M+hLQ4S3?]UI5%!_T8[og?6jOQg'IY5Sc[7?*b1k(f2#X771Dg7]Sr<ZLO:_$os`'l*6--3%7qf
+%hdT%3Y\>9.Z$hp$Z&-jI33c.T-P)YJf4?uF,'W#[M(B@VC<]\T(@l=C&k)$neHKXK&pd1t4<nHdi(#&T&L\DnW<b"U63]?H4#gRE
+%-eKcl;37bKZRMh)"'64#D^[L\TZp!4/mqP?rh<F-?sF?L0.p6/f-(J@0R&PS`tokgH6X:qkGZJ8CA!Ft$^m,/DQf^WR[tQZ+8QmH
+%;Y\HN`?au88E=S@3]%t!(3VX63jLn\f`@*O<`$8B();K!F:W`-XV%Hp4miZ8RUq?P$h1Q,UpFGhWr//:?!/'X3"+U\gEi^<E\\sZ
+%6,*[q:14Um4$4jgd=M;<0RNsJ!eQK`2'(BiphEG[IgVuFN<2Ct%dIe_9j$%i[f?t3dU36M2kn;K?/coP1>\OK([f&*FRmJJ,K534
+%W%f0U@p$Ziet@Pq(%CmX4m*E$_iOEmrV)G%3E@i[qub=-r9J8CpPEEOl_CW'%]+OOYt6Cg[)^u`Q`+-N0qYDsZ1VT2Lt<V+\B^l<
+%MI(GG:@FT#2Cn6shSbIFf6m4-OfRWS"V^2dqR4IF[+DC9N?@JC=G&?gRm,[B`HmR0nsK+)BQ1-h_+G6MCA#k)'oW%6@m!Vj;_p6'
+%oV98?UR:U%/ZZm#00Op_iK"S8EKQ"#dpfS6O6FF+7F'^^2J\u)@W1BD*lQ\%&_M3Ek2:u8b!'oXr@Lo\ZWR\*I_J`Bceth]HI7`e
+%\p=Sa\/!2#oT6S1X([=>/`!6^HJdUpgobXgO_$sRLX;u?rMBuH$sEB9SLWgmJ6f4eqT.+&Q7a+KYTgc#f2ek\de(Or_k=/-/,-.6
+%_1*8<dkq`C7otC^IFO@*Ds=M74626#V2h*FQKu5X_dt/C1\oDRqqq'EDpRXu4>D-dXsP6<d#e9D]';n*m\)i0VmkEf9/1W*BK'G4
+%%(UPNn)WV[h`(Hf]gIe?-XnZ>c"kXT[b>sf2tokXn@+kBg8,XGc0'L5MLhgnQX%\X4k`-uXnIhW.>$S8k,k'-M#SNB1cP1(i:+3&
+%+,iiI&_3MeDJ:Kt]CX>F\S&p;^NH&*$c.#V,Ik\5eZ1'!TYIN[^RBN@F+nA10Q$d:2Xnaoj'r?u0AcV@48sTfM;4V>3m'*YlOU/9
+%J,HuFg_8eII(ae\,Gr*>$`\CRs%mjcnVc:HJ\PM#r@KuPFBu6=1O_pl\i[H(53;Y*\a/t&4l,&"f>?S65=%8Ve"tr=T>k;$o<.95
+%gX-'%XL@b1DXJQn8"jn?r;l&BZ6()H\uI(U]Cs6k6*^:5/+u0J]se_dV;@1+0lSQ_]_;j/fHK/8k2r6R"+O?XH6G6AaqAgIRir4,
+%00!56m^mXa,lH'Z9CU86?OiX>droul&4h8`I+VNaFo;e5\Ft3UTQ91d6jM#g[R&oW+*)GkCrXUL;m3\n:oG(gn3P*8F*;.#n(L.=
+%[Cn_r0nZ'IDBZBae[1<&EL!Vb+NOkeF)t,NMm_?]&F%)"A$Pa^n)rj"_QU#sXb4i'`qq@HiUec(<:T"H]*2,]Eb;RYmt80](RG2.
+%`m5Qj.8s=@/fas$hZ"/D(IF[AReBKmb_b8iLV[9hLQ.D0m<0HPJEco;-9ABGlPHV7luMO-mEhcgmPTDd4as-Fi"8\8HCoO.iIT`j
+%[u7ZjqKD;gAMD`d*^<H&mnH"`f,tjp^*D#SH$2K==GO#&EfZ95]39YCIfP*hhs!(H6G6L?"m6L>\@3^HIEgAM]tLU^E*';1$YHg/
+%=4A-IIseA#k,(3HhgOeM?ihdln>Gkb6UR_Hpgg[X7fA0bqS+':\ef;^@DuRPr``U3&VfZKrY+Ko%4BID-o#f9a%m%'Cp*q[gURi)
+%R=".S+(sW4mJcdf38b`ORbU4J]^D^Q5s=tY`],#u];=`J^:ocIfXcIDD],3\RSFc">FnA-3kV%Hn\^GjqH)=K%M#.=HYbp[#A1-!
+%1P[FsI\hK\lGg%e"MJP<X="ePhM/W6CVKsqY-)ORCV9.p6)pipSHf9rFSC3&j+Wo+BirQf52fkhSBB*i](;,fa,V\V&MO[kB,?Q8
+%qZ_V3Vq+bhkBt_oJ#g6mH=tO*#=70g:f#R]*\;Te<tMT3&=qF^NpRala2f?%qp7<ul5_r0kZ8GC-M4=1p8scIpL&d`^$r")&fOH3
+%P8+f,F@%Y&c+/8aC?2#]GB]?#C/8%i[qT[@jhrMZY9.>=N0TpAlc@Xg5<e@`ghTR5!]oE#h0\te^YdqM6:(p)s6/4rg>,alE?p$0
+%m-cB!$pL8t-P#d7-RL*=C`ZCEi<Q0hoDaiP?29.]Hm_^KaQI3smc,t(nTd<l3B915n0m%\cWAou$CBsYfm3CpWSB<$WL#GEE@HAJ
+%gtU'h=+d?+P@5Na\O@Ks=n746nca0L\OH1kpLYGe#6<r4^58PgQp,TcPt*uVpV71p_*L$E^#BV([lXh,e;_FQ%Hm)loFP]SSaSbD
+%(JD9<oNqH4Eg.AG3EPrKX./lLE)l;=B\VL08PktiQ]LT>4YA`O"0]l7qi"jqH2%:?#7f1)i5#?JS!K*$g&,9J]ZQXJHhHeO=7;_d
+%1D;!:r\L_WEaHdHYA5Ek^8,jfo+A`OZQohs"D>#u5keO7MY(0D-Kr1`g5:nM6pQ?'B1Wf%:_OXtKd%=Pm-_-b%>7SMceAIt@9[j@
+%g"GO:PqMU@pu5Xmmjs9"kTl(`(X\V?*ul(j/[(A5.ZH5l7:,I\Y\XDtI+$3nLd8$nK_LKKqA:?C`TP%KaZ_t/1Qn%*d-QZQ0aM)&
+%lu>Hsp,'mA`CCnGF<^aGk+`-?A!+Nf:=st6CYJki-I#S/.9jJZH'JdM8;<REmje+DHkE\q0fDWnN@],-Yfm8#ISqs_Tbooe=[XR]
+%EG\MIj]mu(5uh'R,lnH-PP&c]R*,`F-s\ZbJ^Y_,^k9W_=oQWT^!,EkTVM=IaNbU3PA:P:"$fC*K/5asIO^^TDCJ,`4Ea(!H3*Y*
+%I$^Z5K5P(q%!:p1%S=EUZ,hpfJjtVJ*`HfB!#[3:@SfD^!kP7,)?GNpV6HuK7sV94c[a$m%/msOX+2,Jk^l3$-a?hqB]-k?)`iW\
+%mR$-01IU)bjnMX`h.5l-`aAiY7#.a:_'LK*##Nj1`d6FgKg6'<JKhOS1O.j)<N>Mr^_&j"_%=k;8!T_>1dL]PUE0Pi?R2!AOt*+7
+%Q,_.>#0Maq\uXWO=bn#Ig1:^Tc^$9c%B7>I."7;?'\9i?>!82?Z"mB.3`+?s]\"Xo+;q\l_qI_aZ&8bsT:X,!JBXEu0mj2q!VAL%
+%NAsQOmJm7+0t79Jp?[A4L8T^h`AJ^4Z:b]h\4-8*SjBrL<%0^aJ0@O35'XO&0E[mP_9:*WGk`nU)Y@/EJq*tTY6EY(\k"oV$6p$t
+%cuTie(<\QIc_?,F/2!\X!$?dWOD-9&iYj-o:5Nm2SYh]I)(8?R:F8c*kRCV,T*=;(ODcunG$tr*#:+#Z!Am]M_[<W4g^tmfU'T)t
+%)k17sk_A7$%%no8gjP*p.ZNC8.%Q7KHBp2A+."a:6kS>Xd2Tr(!0kV9omaKQL8o$f!#m406&M%V5id2bjOC#8WOIGS%!<_\jBRbR
+%a;CHJ3l6O__@A'%37P!%P)gf"6XjC^ebVmCemTSB!!P?@.r^b9)^&$P6\0eZ7Mc8aXpH/m,*+^^Ee0$d)J?k716g6$/R0%tL"Sb6
+%#_O'JdD,7:^'\Q+=KJggnq)cLaYYI"8k:!K:K9su^`^uWd?jSokZ1M\JoLof@dtZ-U9(^SmHcq4!MJ.]EV%;0NRFI<2kLS#1kf'J
+%e7Do@a0qcH+?S\+X&pS(Uate40Pj2K3U!o_Jl%!E]sN?h#C4IAmV-FH5hE(oN8ZdupoFQ/7kub-PfJGqe9pKaP,k]a]O7#O/7&F2
+%cfQ_(A\eSgc1e'J%,I3AL0#^a0LhNZnc^]Pi",ql-WIbh=paXTe]\5,_))IN@#lYs+S6M>Y8iOJ-US/Q`IUG)YR8+[Tj/2T(j9DR
+%S-,h6Z?/`^H(V>fW#\Es3eV\[+XMhd"9bELd"]?#'(?\_R\Bms0np;:$hXRO/O=GN*K#^9dJ?Il]'aUA4LIJ!E=%(!;Y+W=#2N>V
+%/h;VJ"j<eoM'aZ$&m3Oi!@WW+W.A@85]Ch!a+A3M&3uU[23E^f$1D;TiMu.!);)*TpqqRCEM@>4C4)2p@6:h/aB1>s%M0a1C^P_U
+%.S2)kAk*N=,9(+#'sT$9.UlPX+PCmB6B$4GD:u(*8jW`\i/6_>PkJ'1;Gn0M5jOKL;B;Ad^Tgs]dGkkd4oqJ&'J'e'VK6lA\q5kr
+%PR.,oc>m"#!2n37(?IY,/HKZqYJRsYAA$"%"nX7)/c_e1#4GMXTGdABlGkS[n6?#eB!0,8Ub%7VW3f[g)i'q_,0Gbk>[ilgDU;0]
+%1+Y*[1ha)0.#l28.]a8oan'dS+XRX$cm.,P'u5d)/V0h\,@OQX^p?aXON*Gf2O?[Z7mUHjd".2DdNf829#tSJns)?Q,g50JK#.XD
+%Kg]Z0=M9rX(Y0pIaXZ[H4#GD+AU;uUM2C7B-/_T2$Ia)T*RRR"&$Tp(l?M7t%!o9.$Hb,ng.F:6n6E^(!YAb;-7%B4#D-6Q&iO=k
+%6lR7RW8$LF&SS02W_K%\@"jWD3Yno)gk'(56N)Lq+e!$P-O[6.GSgPc`RZodaiU-id9)D>7N=&[P(?%J#\jVS:$NOLK0&-QCmSig
+%K1$*4HS+*Y$i$6CG*YY6@ER+C'ibWpn]7GUnOjOc(#@@ChrEp6("aYr9:aF1;J^O/MkOY-Xscj5FP.D]N`]KS$#ICDL%D[F`3+`Q
+%iG0jV*Mg6=Q'oWdkib"?D+uV>[NgF]%[AAL#,M4/`C!r=^nQc'bd!IU=<$./"i!+0oE#Q"/lA=f#g:PPY@T3\,H(T+aKQ(a-U?=7
+%js#%G-hBd\OO#I/9t"V!-fXsT$tToWYooOa$js#(&P5Kup.UekVD.$0[1Le73f@C*iR/_l7KNiX7T2[[jXZm6RMnjiD6$p%00h6T
+%!u)Va0d24XD-Ab@Ymnf^!*_.cWZ?p&O@7b<EGJ)4L!ahs?Gf_dX9PeBp`_!q%&Y6'"bU>?55_Vd9UbMZdm9.Vo0mUG)TDjS"iWAl
+%Fp5%K#nYdsE!O3]<B@@81?kAQ:b>^VKk*XX6R!H[VOU9ZI$C`le"N4&!/6l%LtG$<j-tZhO/7+Z=1Vedep%Ni)0c5:%XJ=0Z\#nF
+%RpV7*d^lZfU,sT(F%GH2$'8-Y8<2@;"4Aqr!L+3;"?3)p[#?/%[]s7nTtu(0e7b_=RH;S##`68KF,S`jK6XckBfn;%3oU8'BAINP
+%Fq\OD->GT0.;1h@#,(SQ.>pYOpg0Gf&R/!O;5]j=nAn4p$nRh=@%<?b$fFFEoO)^6m1&>Pqq/3jgnS=)+B^'TH^Hr5#OSM-\t\X$
+%%3sM3O5S\j!0+r"_,TFM3FI2V$b&77]kh81au,fD_.j%ZXm2!S#-3I?HMk1%[EaPlJlpT4DkZ[mO[_2'<`_T'+m+=ogeeEK:]M(s
+%%2r(WF>?B[P6D5Lo;#->M67iTZDe)$AWs(+CX@WK)J?kK4t-DFgBF<le-PrK76Vnf%MkqfMQPN;I/^2/6:c4NXoss3F#X7c$\Gl@
+%>m.:'cOrbh<^p;JN)'I\+SY6li8er@^qs<eRKmY4p)I.'OTm_C`>^uu#QRIM@9D/6U]E$)Cc=T2el-dHf=SD*2@90)?&/u>4dV8s
+%BekVRp$F2N?CW!Kb6`r4ZouAlba\F$,((/GKm`!<5a1T7O"0($3kumbSXuTQ3mF)?,?dY#i1sb`k>P-#R97$M,QoJX=,\f?)C!%)
+%[lEA<>$H'5"F]bpMea*?/llF8aun-MPGtCBoWf9&:Y;uFK2jH[CQ&-"a%^"U5qBNo!:Qt.CeFa8KEtC!6CJP27<)T.!,c!H[NW&)
+%Hp+$J=u9RHH*i@fkZ5BgNo%Q"f(iMn$;0=l*LRl)]M=Y%+AL-@+@(XH#WONhfIHuo)3^,,H#JJp,&A"`/V'Ocp/HE[0H)r`%"_OD
+%6mm4ce!/.i9/@o.E6E!NDBt[-iJ^H2ZX>oE"s4Q":#G)$3W0<=P!:$L3Q8NoP_k4J4/Q\uo8s.:B_)O)V"o.992R4oianTlAf+T[
+%$U>o>mh-cmi@(G?m=f>d&_T=gnnQ<M-MUos3i#&<T?BT+7BS$XeV1-5cZr\V0a,s[BUiRsNJeMd4KiJc=S%fI^`gO=9%6gr$8)cs
+%bcmBjS3bRS%Z)O?5Fa::IOO#ILRA>P#dZPT]4q]lbZK6fkW@c,KJ5LEWB_Y%+qS8ela-B`Ggus^%kYbf.ij<HV3ShQhj(u6Qd'=q
+%JZ#L`*Kf+\4\:lj_Bb1T7Qr"t%.-8%3(7n@/e=j[(jlm:otV1?)^&7NFg0^K3!?(C*@L(G#2C[pcer:>VRN4"UPD*iTL0*=]n0GN
+%brdt+9S3di%AF9';!e!T`VMe>XHJX5rPsgsnKe):@]h-Y,Zp-OhBl708rC7>7s]ddqoEFc44l4c"%93fS1BH9ro[NN:Zs;-qY+>`
+%6MB+1CE2G]4^I!f'nQDYg63?6,q#OVe)TOeZLj>RL[(/I4Ln:d;rsRjmq[ajpsn8Yr=6[2NtI]n%6jSnOCPQL-)el`qd\iI7=.!"
+%$'`T2(5i2=rOG%58Wp5@6tMFN$T_GPY.Ya<!j9'Mho]1!0E1h>$P?OO^V(Ap4FP`';(*ga=!Lkb-e7nFX04uW]EfpW2>V:2r%:#5
+%%_VUn3#emB=,S!E'#.T_JDi'qD-kp[(452?R%6q1o_YRLh:!L-:o$_Z\,sF7%^>:pCVF#B'oTb+Z.aP]nL2_u*#0p=Ln?Wl[]C7X
+%jfKkH!DP[epY"@i@^/6oZ9'=F%DCiWEBLb7]G._ap40(o7]^FPTp`/fo@4X!S6sl1(2G_+GK'>NSFTGIT78X(`a[JQ9H>0#Q)luh
+%g#B7M2ZT<;i`G/qc(-Z#6<kQ8X/<p+ZG#B)RFE:e@!W&0(6c=%T>(8Zj/7^unG84C[k6tbpYo<&L@sRPGi#fZO/k3Rna*Et@Xfst
+%1'n+6:YZ\9.::pn]:lh9:S8M-Wd2;A7.W>>H9fBi$R[d_@YK3r%^-_S%Vm7bd^*`c(?aFZ0(KoSQaJlm0l"G(6S6&;H$[eEXD&uR
+%Nu+s%^J'8_7hlU0qR4cQn$Hkp!Ih:_h1mkEB(@GD,,aVRd=Ad79#<ts3@h.NXT#-\3KMq,5@B`L>ID%ca$3eRra]u4I^nn%_&0.4
+%Hq(lDEtp6+X?_kWf!o/QYuiXhUrY^qTl<ZU*P5]kd,;/io60Jf'*W^IATWTVG7Hg6E`iZ?WBTI.)*q]3/LON_oe.9(rdZ6"fSF\I
+%[g\;Im'YioPr#IF7l.+a'VWdG<<Ha->%D%62>V"(1'"eE4\<%B3U!(pS^^kgoZ!^jo2kCqR$2lD>B[AKWi!NO)t_D&9p93bm"Ebf
+%/O&""*J0#8&:",ioN9>U3PXh$$b<hBY22R[S*qP@7Bos_[QOh3]QEV^WUEka?r,q=dq?E:Ql__hkhj"!L1e5]m(#hk7[j;Jr.sjh
+%o0ll3YSmPaf67jP\F!ALEj$Nf]C73^'jo_'TI5J]Parls'jk)a7Qs$7>cd#%%2UbtVt%Uo*K)dZG9)e<Tch;,<P<'bN]n=mEarUX
+%Es/b$<Ta3I*Fd(QcAer.`MEmNkHi@$e'/P%Ko+F4LWra#\nJRDe0T!]^NNN%SYmf"ToVsDc`b#;!qea`>XD\)YEgUTZsNE:r9jH[
+%^2+I`RK*`1\ZnNg:Vg\0S8^H@UgO.FPS-Y>RZ>6:,6`RGB2?iUVf1UX_EZ>K*.-Lg1%tV0(W23HS#0f7Ji2hY!KGn6$L`Ib@Vg(4
+%+O-JE?%XT8WYK<Y8R\lB*gdhbb'J2Fi@H#S%GX&Aq2opMm*!SP`JW/`>!/+Y6V;Uhi62I,C[jk.gbIrhaID4*2>>T*5nE4M>p7cf
+%;#5AHc]69tjk:i3qYg*/.O"(<2^oTX6O2-I1H@0C$3lRA(c\[Ff3T]:3hLU;\[OK(MKS`.@_Gn;:?o^J=2c[U241ZFX"A[Y5<Sl%
+%o!Z(J[OcYfeo<dF_N0\6b9PSInZJX"*_B^ckOR^V5AqHUc6%J-DgWm7.sC>Ar('5'E1L@`3*'H2IJ(;qEHtNT[-lDjj47Oa6k7%U
+%G&E^MD"oa_HZ/Xl*q/b$@f<gpRl3L"qtK=DYY4DD.nQ:mp)Nk%E@a$H@?&0m5TnCGU\OT_!RXT0I=Cb`:Q$.3Aj8'9-MLKd=^mT@
+%i87$O7$mlgX+R<GD>j+Z,P0!iI;o%]&,4Ot3&it1/iQo>7C\sCL>r*n:S+CFDK"eOrL>WacK+0aK^7W,=AqQsK#.8ApkcUXN"2G,
+%eU$<p[[attqAF+356e6,f.:9"9[/kB*\r'5]$=*0<QrSm/\DG^:HeQJ`9Y6jO-VDf&fNp<^AEB!pH5s5pA<1i7XE4GT1?kIH1QP?
+%BY)FS`9>5=>urrXMaW5BhO'pl+Rsbs@WA_FIk*Htn'>[?F'fH=B]92Rhi.J$p;C=9erH^DMn@DM++?m5nP^sL--9,`cT^o%oX#Fc
+%F\Bq&\E\N`4TA+S&'f#4QVtH%c&s1>q*fK[+'LZc[>M!Ap>c+<*`\R42pNH"\,D6,WFFfMWqjIIhk%K,-Z:l!];PCP[:![/Nf>,M
+%!E-4;hmmO3n(PBlhnK&:I<XoMKc>7(5Bq/IcF#I?((SEeoT87t.bhU'G1UVPFmn1^c`iI3DuO@h\)2"-[q'_)Yu(8<[qY`bg"BLK
+%1E/N:U#@*RqQKCeK^bq)T3A2CIh[..7d#dt=UGkCd@s50AgQ1gCYQ4"PKkc&Q_Lr)WgMs$27p87Q;k4]"^lnRLSI./X,(\_%RsiW
+%s3kE3MFW[^ET3bjdPAoDPKcjMQY6p^8)UYdmL!h70Lu>K6ru8)Q>E09YMt4JG"+t*7">B)*DcaAKS+OC!BWXHAf-OAqTq6Oa:o=7
+%]So!MSu,b+_5g7ji-.)uj%'J%=^r6hABO[)QOt_#b\-'A]"ssZEJupkjT$ninj%f9<+d&!6%DaN\%.sH!FLjsak'-qQW_6L3&BW1
+%\-CtT&=9;Bp&k[gj>$c"_-KN1$^"_R-M@J-U,0C1o-3gJ*1Z/9MWtZO+M,q<ft,P^ED^"#lL<Ai(KCjC5WQh$HOXst/eL\O+m#Ij
+%EEV9QA#`ULjbNAOm$\%S3eX>?9.V/R]7=\B2oRpp\\=W]#eH[+3,29;].Up;!H$%8#S>-K_&a.T71=X-0*#f;["3HL`F\6;h2L?i
+%_@H`f-3M?+2NXY*#*Ks_g'`a<*Q2,mF3ksQ-dZXD9$eW3N5<7YN_E[8kOMbRZ]ZmNOLT0./A@'MLDW[Yo)oabE'>Ur/R\(E)-(fJ
+%6NMfP1'autHD;Y:+N,;98dUL#4jKci*J,6o<AjqI!B+>>FIN,=[Lm!/%#La`+V7C8#oO*ZJ4rK/EpX-]gQfQE>;0<4He"MB;DAYB
+%J?'6?0*FHoFOj;_X5LAG!(!.Udr_M*_4TL<'"=eQiNE[f\3u+)$FAd]N<D1JMsG]+?oA/8*)$rJPe>M?aL>j5.QFM>KTUVQ5QR]j
+%#g+!+HQ+]2!"NV6"NE%)>i.%#d8b.65SlKp,%XF.PdEedMB-diD?U(%H3un^I7&T3RBed*3+9dZI4kF#=VOi"SOR%VRc5t(-iadI
+%0_WhEfL,AR]?r#iNOl$c/+.1<F1M^3`'IQ<:e4CtJ;*<\HCfCK+X`*PFB"bB`!G\GA8G)0*BYQ&6s,(<n%(+pSYiQ29U3j^B>E=7
+%Fgl":#TTd[P9:i[rPF(Im[T;pq#JuW-M4_PX$P(t$H<fU)dume'c79c\M!VX"[^,r7AbJCl,OrB:e(qO@k!qTVh03q8fi."<SD+6
+%EWkqJNr&6>Q6.3IaRD;BN(Lt,(r+Y-'W_C5?I[j5(%.M'+p0[8LnT_"GYJO'+F(lZbU>(LO\q70L`Z'G-VhV5&<>(8_%dO08)["A
+%6'9h5W977a_]dAJ`9B"W4.u!e_T!DYY00,1M9d\?/JN`1&6t5JcVD"%Ko(q1%B>s24,>^/7WF1c[OjoZ%6ukmjd7Y,S:P?8l5HtP
+%#hI`#I#a;T_1B-84HLkP,V1JH2cUDA/>eB*%<4A1$3UBc,L]CX_OT89P3=8?mfngJ0`Hu5Qc1j4N)<1Oc!&P%PQ@F*Khjtr(Pq5t
+%e/OX+:jY_6:Y8U>!t`,V)htupp^6JL>7lJB*/[^I0HOFb[5_V8!luWn:Eu'\fW5f.[c7[1$"@Qba<*P,5u7X1Wj<-8e-$[e*da"T
+%'A&CT1YW[[qljdbn<`s=!?&m#=hIX*F`VMq$o%N[%OAKaBV6$ZLB=bbd5M%h<eZ>8G;nZ!E`e^Eqk5nbm*'5]AIsenf@T&<Xf[Q-
+%a>sQG,8Au!TS]D7(T;6(@3?nSTX$=q;?=Xra"ZE^*XcI43Q0Xf\.B^S.eq-D!9\S7)$4e;mb:a+rIF@5qM$+oWC,TPE&j.!_35L@
+%_*Qq.ab4&1.Y1B;#!aXJL'^F&kUIc@=@WY+&"t't#F'"UV+6dW?g`U38-3Ng9f?"q]o=a41_q7/+5!CR:*QCP0RL5,g0dW"N#SL@
+%R8F!YmQSYtgR@I6_?_Jj$+MA"R_aiCLn$.$rW3C4d4%lrAlesV(WI:KhGXGP5L0O/aF=cW&3snW73/rD!P,0>3DLhT)q`<QNgnD4
+%dKXXZfuf'b:-n5(aWO\M0N:6mic6/XLr,uB5e-l;3L8C'J\f0f0An/3$K_ss.+f\DLSE]NK+X&]gY`g2f:T:Qj4;AWAg(F&<"X14
+%m=?F$NB'ph5:qnGK'8Xo%<.t0A?iPmk!sI:k(l#lGG=C\eJ9SJ7$md)<sp@!2safi/T'_dM\nC=,d*stBqUR0"sHC^q1u-Q"@[@l
+%-:Akh*!%9-8<sDURq<pX%QF_B9#1W\LTPQXR?53*h%94T"RAIJ&%<E'"Loj22")ng,:&sY3mGb_]%"qO#*KOfSe2Yu`0:HAN);jL
+%JDD@c2F1u-g'BkI%V=:U%2Lu,[kh-dT\5nJ<1:BTs2Uh/q5qYd6msKLk64KC('l7ULI+QWG9`=dT:l3JReU-sh>^-AU^>ZA*du3V
+%Y!5(5cPuHW(B4;oYN6G.pq&X\qj6JUYJhY5o>WKH6(@h3rd)d>&_0\$)_IOLX8hi5034r>8G!o!pUi$=hss;k?GB8$V@d4cF)_rd
+%mnmKKds9kYbI$`kX$m/up9OLAjOXH1_=Bf*N)uL8X'DR:g$_AVB$^9V,X45JIf"7PV*8D"eno0Bd:'XuV1B!LA^^uVIk"?i']<A.
+%Iu]!*lU@l+8rEp&^/M3fT`D1dqN^D,@DeE^eGp`A92:;$/5iWGXg\t3_V](`UGZ#SnUBXJHL/U`UV@PI?bKk6Dsp_'/QefWG#g@/
+%?]c*Ka7Lo)Mq&e$XDofbXS-8%%c)I(^"DpfC+2?tdbVqRWKi]:XOcT24rIKJep6[g5SFh`)u7e2dMiAo/6X]4lG(K'RH%3W9Y]D5
+%fs\)N:]L"?/^nISbhD;VA11NX)cT;#pYIRBs/n=lme#Y`=i?cQhgP(>nWP>]Cms'9ZW1k#+eQUDHEB5YQ)N30&\#F-IJ2HF.B(;E
+%*P1@fm2J8134*J_Uoo]7#6X0ML7B$[>889*'g&k-`l"h%\<"Zh9[4h_j5]S]rig"SBBqc$<?!Ig7I$[eV:S1Y>G\FHl-M_F)q7O\
+%q=FJ"99Da%YP50c*c!KM3`BE&-ib-LD:GKsG(CQ7D#n,BB>AjQS$?N#q^Ji7qY?Qd'k9Zo%e!$Iq=gQ7:.A:]pTP!`k1NI\5@/RB
+%19NWTfofd?PB&'3lEc2[7K.1[*_ip2(OS6?[2:Zn!tE;n=WPWg3>D.ZLAWYGXdIl/h8Ck5cM:orU7&$(mgad7"oHhPq0k,e7JQ81
+%I9Qk4<&fjSSkBN"^2diFVj&7;HHk[5n<]=r]TX.ifl'(sX#BO4q,fFrLG:$H%18H\=XIY0l4kNW]]&6Bhn=cXm-U[/DA;\W"Sl%9
+%Z0[ATi%(rjB#3QJ_>dlB=H/&WnKFO,?ed"9kDZ7`5BLoZ0rS+i[q+G&=hVBM?fPbE>Q=MdlEOI7"mZu_(R8`3Kr0oce(:aj(&aA;
+%PP/@u[2Xs//!!fHk-MV)k"Gn'7-QFAG&3Q<?>SQ^"(1%(Q#>0'?p-r*0A>pkO@\QUhK1>.pXnP/XD6pZeneYVU!KNG9?0Dr[TL':
+%kfspL[[k%9B/mVu<?m57PoIAPmE?.;ptcX6pY7harI\\9%NSk7Wd:c.]FCo2<=G=BpnjZ9S2l$Y2ttJKT\08@X_Pp^;ec+)Q,BF8
+%<G-`@0)YV0:LChaqnslHcp/QEXrU_,B]>'_?FY7VjR(aXF'nQXhl1,AE0fnkeQ.70VN'CH"`+$l7-@_=NZJ.G=O8N\efWPNihLq<
+%*G7:T);6Vc=tj^c_9\Nr]%Il9U<%ma859'^B;][<>TT+mF2?"5oj`XKhp&i[?r:!C`pt^eqMa0SiTrT0e+DE9LFKn0.F_klq587O
+%D\&;Ip%1gAgXK>Qo$4*!UO_R8B`7Z'kHEW[i2>>?=#L\<I-J0hUH.DlhhbaOiQ$"\J!_(R3bh9jip`Pa-P"E*Lp5cHr`A!J+Yhr^
+%N6ogOPlRMgZjNJI6[o5>fi\[u9u>S[ab"A:,&j[@h!_BWIcA1tDs('^C9oW,n9+G_Idb6>";'h21P[mt_\)_4i$IuVc*t+=WNREB
+%Ce3I;(bUu^0aWGQjl#u2NmOgZI*%c-7MD]Y?_+VK^*Vt7Q>(JO'kkBA=a;kZMqhQkVEMDMOmL'`:E'L*ZcauBqn\E6h9*cE@@$c<
+%+.l9Q6<ttZ8iLEHqr9k+BC(X8`lI8YggX8l3;S_liQf_BPUouigA#Ya)nit<H<Au?P28ss%c1d[6VprFf*F(:rL32!c`.s(!0BGG
+%:r<ONc]#@ceu#ASFWFi-aPEFLY?p'C0K'#&jLH_,<4d2b=s_A:IMaGVcH-g7&Y8V]E7^'OT,r\1hu3s>(b51rhMt[F:1$4"$@$"J
+%ZI&aZ:#,o2RDUGHZQ$pq(d)[7Up`C)bKi9GYUjh`>s<8hLXYd4VjfmkhQp_B"GMHPqDg77S?%E/l_SF3T*H"@]PVb$)5oat]6kbH
+%UXu%=e)JTJoN?qj'5$srVhK,0i4r6ZH18*0G]78;LKMFdhX&93a6aP@LEo6eC<\l&chb_nI=C(om8JSAhOAX1+74+7gl["h=,]d\
+%28W@7g<T<a*r>g%oD?:+34)22pIh=-+_]VMX7i*uG3AjWS5cfKpTFM*rR%RJZke)PI(AL2Dg1WdCNjabh1,4T[6&SN?i+ipR[IIP
+%;RVFob%.mJSDC"l?er;9mkoLO\uj_rXIRtA<D%pN^92M$gNRJcpb>4&rj/g.6Bh@!Z>Dj&0i+4Z";mQNiPD>:Q=>`uPn^M-KRp;O
+%:bPIt9n6i62(F_Fa5`@r:NI5*MJ)HnYic;e8_8jP#5VP?jjf,SA9T@J$kj0PZO#S0Cgq,m[LS;la3_fGntVeL6f;KZB:Wi!i#qS=
+%)fT;Yn7"()"?;&c;kR=<?OZili0k7RPu#mPQ4["[KY1p*d]V*MiO]co&g2X\gpc2J#['Q#<e_&IOfJI11mD7Hnd-NK#?;SsCXTn8
+%A?IZGMt5jM22*KT08aZ%'D>McpC\5F_"aS_&Y+-('FSRkI$5*&)=W0`lbo"kZt-nF?"\$Z$QO+/-P_hK_=>.TR^\SZTNR"YXp!eq
+%6$+ZI#Wq+;RfQd0^;O=Y+;[OD*`HKG'(b^FJ'^$+<6J0U7)7"43IIXJ/07\lF<Jj#@;t3Jl7RDj&#:!ReRNP@q?!)t"a*Wc-D(E_
+%@tEQPi^4'1,r?t<.\a5RJOru-h*"1c#6TfK9&L=i%udX#!C=2_\b3<81G/CZLdMrV0:>0;#]WT2MJuu31G^r#OH=TZ3&cB!RUgdj
+%o^KX'6_8I?XG/\QQ9Rm5DrH3KiFj:)0&\e"<9,cT)"j<Ak`DJ!);q:>ZN85.=n.1T3hD>FC[&"m/s@Uf4(QqCj8occoNsA1ZEO%%
+%:#b:NE!A,%!-OH$[Y+&#@4qG=RFu4\")t[U,V8N!8)-Ib9@1eQlS+l%2?QO(dg@)Z[a'+&iM<cDmh\5#/33(GA=*t$JK5n)f2^'`
+%3]F9-S)!$j2A:V8R)2PZ\K]YNMS3&h5OL"IFj#Y5H397]4QVl'T%CgbNF8Bi`Fus%bbHP]Kb;UE9DGV6Ka#^'a5\maC5d^_"]'h9
+%?th:Pfd4F&A1drq"euXH/did/R\'R=+b8FjbCDP&p&tTX1ZB$=I^5T'cTi"L!M2D+I@fkLKSg8<<-`uqUTPd2#q#D+OOFm`r'HbT
+%r`J<Z!\ZB,o98@'d3V&\`i`rYLs>8lE?i?!4<F,5d($?YT+gn%>''d*!BI+l;[-;O6!PX?b>EL25ZV!QSWH-:CE4a!_KLG?g?/,c
+%NEron1uX4U78=iS%"UYDT]5BM$8k)&")]Mk:^'7G#5k1E?%BJKqiF0mP3b,>Q#86A;@-]$>mk&g!aos^hl[]qG(cmr&$nQX)4n7S
+%8M(4dE6LXi==/*cJh'lLeBA(%2uk:9%r#IG1)VhSrbbGB3:'!(/lOmY+^?(YkCR4J$:7+i@U8+T#5"<K?>ST=LT*Nm*.VNRXm#7b
+%p]Ai#=YPD\PakFB-;-*O!CI\K'*2Q%#g)*r:d<%ek;$"%#bQXu=_WKB+fKs+Li)KG;LXDsTf$CoJ;$Jl7a!$BbA?jRNZT\N2`Dm!
+%/Vi!KktZj2lrHZ'LN!pV)?>C+5mc=VBmqj*W#dL,9M"D9&S]'R8dZ\++"GHbX4T??Po*98VAVZ*L[,q)oYCO$eQXC-HU%_$T$drh
+%:n8K_NW^$:,I8T<!)`8k/5q)Y.?+9(5QY22AQp'fG^I7le%nG+aT:=6^`Jag,bQi7>H<8T6Th;gh1e5]'sK-SJF+$U%Ci((,cL_B
+%+s8#cQ2$CC#]R`$n+mA&i"QIn;G'2>MRsH3J5=OA*si3,%J0U'5eui[QsD0pGBU^(a!(7MIJl%2/,R`Gs,aF6+o`NJEE?99!\Z_'
+%^:^YRm!g\`Yl""$IN'm9/+1TAS\adp'\3&/iS@t(r>gB72ARe[3q_;9hEu0U@"lJoJ+f/*@kjac!ZbCNWY^[A?ID`.,\-o*GkMRp
+%ZsU#&`,37mX`5'Z9b>qO;pUYOqJX^#AIs4N%mf"f!J0le>'=X'8;27,f+Zkh5:S3S_0:c'.17E:*aT-+n23TUBW_/S(=2jsl1Nrr
+%0.rpOje_5[[>P.kFQ-.NYIkkPRn9Q5VSi81o@()@JfK4M?X1ZMrM3VXmPTW@^@Q6,#O2K%;!dWl(B3]m'3Sj.\4T!rfZ+?4UK"hj
+%N1SV0==e&b.Mi+`kf)G8rRJ`AY;^@M#c4Y,^0WP^@kX&r/Z!>?Hf_o+Z.R62C0+G6bHI36NhA>i/SP;NRPRbMESkW\m%*(PZ*`t#
+%'jsS%ch;7G=?<CWWf:dc(<H@fH`N)@/)BO/Ki:#fAOD/hK3N+Wjgt\JJ!@)\8;-?SB2>W62m?>t<B<-J[3i#+!2e\$/R+:']l8:9
+%qM<SeV_"7l$9k+Nco&M69oF'&K+HeMGN;-\j]CirJt-"E]620JY;p:9U8?=cVPA@5b.-"!&$8:ffMYH/2=/hf21*-qqr1Lkm\MSQ
+%2dJGE".oBoS];2YoD=uOQ`QS1SbQkJ:Yp*McHQGYZ2&\T+#U?B6gF&MV]Nq\VAK#dWnk#Ngq)d,3>7KLV=M\r$\o9@<J_=B_,5C;
+%$ZHM5(bomuYa4'+4+@]E-TV'So:nUdD!ZOlV_"In)#eK$baQZ_3fTF;>K%*\)obKm)*>9V/+sjGrpUd(n9t>0H$YG7J.:"Ap?Dh"
+%4co3M3-N0HA`)\L+.)Zb25#0*)WG_]=@IlaV^KJnR3,0KZq9;'?[k]Ij+cU6Z7E0N%X)47qgRM^p=2K5%q2uYHXOk3<L]>^_Sj$,
+%[suq`?8-MB#2RpS[s0Kbc-$B=p:pS_kC?amR.^:((JfNL8<C3X]+-I5dW]!.LcLoMlka<T@IX:]XbKiRD^)o\4+!@oAFTSVa&_i6
+%(2LQnhlbY^(4?^o*!QWIHqfSD'WkHgZ/Lp.l<)>aMn<':gN`#GV6)#I3_jZe*<./Vk<#MOH>'l:l41M?'NkX?I0S5kF6bT+*m]3B
+%h6V)lD/jW,ZWN(HNFgBe4"%$nHgb22ZhN2fER`k@G#2#1M^(&!(Y=_=0WJ&kq2Bd[76O#)<X2X^FB';bdu@Y^VlW*'^$Ft"%3K^j
+%R'/Ceig;YWCm[>%@fgYoh=KeBr,NUgN<leTT,k-'HgCU?8%[^)XQgflJ@&\XBUY?Blgg>R;'*9r'DFY]+#N0?eo>\?GHk?#+3P[O
+%j7o&TnJT8SeN_j`0HYSqFmGqW+13a@9>#"fYl7%>^?!-'P?[0kWL3<?e4%s$D*M=<qbWF;S/\C#J+ZZ>T&.ABfsAEJZMW"jCT3^R
+%mb^"9Do;L%D3E'a/P"9Mh$8A@If&QHMUV]@/Uf[+n\WC84#bCLf-Y)!PD[ei@m$YXn"Ffg0:P*Y]B'^9%SJZmn1[%dIt6k"*060>
+%Gg'[tMAt'sZ`o6cn\<>$s3fk@W7@k_)DG%0&$-*>9^j$)$0V(1kuBJh3M2a<aK/0XWG,cN2TAAa@/t]GqpL,/rtfUGo`CuRfjl*N
+%/ll`;Vj.$S.C>m!Mc@PlGplW<WEE(.E4Y(K9Gr.?k^:QqF;DgcaQ3WH[>LUs]j+GoR`(m"3rpiH6R]KZ0[i-#b[G'a$BY\\3Kf#/
+%\u\(<C^t^0-K/GOK2agQ6l(2?b4r*'O^:UV@?O&#0k:U\Ap)VZ.AP?i`j$hE]L`UTnSp!&l&qh03"$G11,tZV1Wb:2E(h-<LhjSZ
+%/gD/o8G^3^A=CYmj\7mU<]]p`q?5]XFP]mu)G1e3[e3JeR;Z\P#)qM!`6hss2FkkVaC/0Tf,+5g#s<s;BA6ep"?`oc7+38U$'Rm\
+%,R\Q(pai+hEMA]]l5nQ1$DOoGdiOH/Pdcc+J3#r1JsCL&br<0<+eMK?\f"XSYi`pd@Kk#TU+>=]e;SulQ?_%6;[QF+?j@$N'V2-9
+%gEt&CT=h<Uk8>_R.o'X=K;Kk@cE*5nfqFiU_@q1Xl/6Lg-T6-r5g6])j:;e[Ch_*fJt^fWd:22?n:!Y.P:Si\a"Al"O]0K0I$U!.
+%NE=K.n:b?P*57R<a<ZWkKBQ?eT@EMDnPm^P&DfB/*)T(YCD69id0U&8\iL4fJp5"@Q!>$D/ke"CjI>eDi/>HY#^<nT<6TAV'I$9:
+%__,Xp;CP^d_tR;b6/$r2:(EfBM?''b;=T\/.bRCGnIpqcP@1)3L;P8[Nc%@PN<q6NN*D`!GRfW/&.DZ63il%*aL2FCKlCPm9L-go
+%'=L+"O"J-oTTHJ$9"GLdfEI+dP.:f%#ZN?u&:G2Rhu`?R^J@rm>g_O8.;!\OVQ7=GLifF74QS<,*>2id/KdE.o1<]BP!o`Fk@BS9
+%<,0jK6#,fO4B/>E'Wi[>Pkru\Q*M&l[3Z(,&t;-UY(ucfRBB4H,U"<U_'\V+=+nVOlD-fm!cjU:Kg=8C;j[j.<#qIh6n&L?fYMG2
+%clXEY&82H[OffNOLg\C,aUc8#:_js2^S/QN:(ieCkRnlk<W"d0Zn^Jsp_q#HaG2b9aMqPfF*j:em)&X]#UrtXS7WWsN@'EjH#\D>
+%I-RsHe%^,e"F]PK84=1m*4hoEZWL+7EqMc&1-J+p=H#\"lJ^B0.>/611chF@Z:-kc$u&RG"IfF<6BGm-*6(#6Jm*\CQ2kfa%7cE_
+%a"Z%!#SQgoWcSXs/dp#?nc6lFN*GD""oskqGROh=GgJ6lWphm;!eOSb7P]+*he!o@a#'#q..e*(Kh\X];J(\AU&rNB8-l"X:Ml3U
+%Lt8&NK>POOifVhQ,I%fKY/[Ute/53OU\Tcf/ieI7+q8Wg/Q_EZ7!8]8/`G]pBgQ>#*7L)5#M(>n\As,.NohJA'hM6[cOl0jQeMVo
+%'J!G"6%MP4H#?Jq<Yj"ud&gD<.87Yp_$eL??f4'9eH1t-cBii?@-Ci#V\(#V@=9e7p#BHREZDq.C;S0RENFLjQj#2ai>8d@P9smm
+%LQ!)S;CcQT#!kKDW0Tk&:t'Y7@%q$PF]$la=@Q'.!/r7<6%U9?3V5Lg(pL`fOrLbr.iB[J2.M?OGRb(f)1nD)3.QXMOID>n_XMpi
+%HE<SbNCUp&ct-?M3WplmL-a"[N16VZ#_5Jb?>B9_>U_B--Hm6%k$Y-o\/6t6'!db24<_0IJ2MVC#.PL`4A!NF1o69rS&O0/[Sf9^
+%M'jtfI5f7lKc42gh7+.;F-M@\MI8b<VjVQaYHqV1Ga;;?U\Kr6`t!Hi/$rcg,<SsSeu-&p5dHfDJilo1'.+<D3V'D<8><"TU*gk.
+%bQ<F*X_CBV:j(2rVmFY(hPVObOg)4OEljIY"6ho<ckfBL7$p<KOKnkOE/h?pLo6r0"V&>7Yf!JT3hWclA#dod3_f8u>=/ZD$>6\K
+%BumETPF3TtR>0/WF&WXrgC^:L!G%8f:bp"$*Ha;nYAbRuMCtc!*0[V23j-GYJSDps-4O]g?3lW;S]r%g,D-E(/)*d/F^e0,OefcT
+%9uoTB_I9La`jLrY#!qpH&6JoVL2e\Sp0c4k.g_jH6kWq/n$>3UXb>AZ61:8.H6HBo7-eNCa?4jDmJ)Y3Zo+O9FU`r@ZJK\*c*.AL
+%*tZN9F_"Y!:T>;@<*YU/W)R"/:"#9kV9)'%nekhO'gRkL9XJ38q*"mrZ'Wk/^+JDq/=eDYWEC:+Z1t3YEn+C.c:DIm(I93Mf%<HO
+%fgniqX&3sTjV^u@N9Z)FKkE-2MAb]@C-!N)'U'4[8338S5e)@R1J8L'dh]PH"j9Ish6S+%!%<R,K$iQ9=dB@fA@+W/ljm0AKi/'Y
+%J=)[bKuJ8JAGRd]1c)uW#=@T7-b>$KAe=;HLkNc)M(Z%eU2O<HS&EgUP8-j;(.4Q:39)\0*@AC:e55<0q[BZ\SKZ8NO9f%mfk),O
+%&6M<04l]6p5n?9Q=X]to(sE`;S$3qFq52o0mKqX5_4T[74"D%[N]Q#hU=`%/`fl:iLCW"eBb)?Gq'6=L8hB?$^`$h]$C>K'U8dR9
+%)_D&6Rb5"jJAERWC64-@]&nO2jn#TRC@+n+S(9-PG,GY,i2$X9_"6n%+2S/&2Ts*4(<BXu8F=1o<.mcUODNprNtR(ZNU`R\dM[K>
+%dL,!t'i%Po'fRkpO>Bd-Nc\+b3DpZZn0-M5*`b6878k4L2]dS!%t$>:=]cHSct+OcaGhDt/D=j^$__(r$tYd-*IJZ_4TP"5.PV5G
+%RrHRm7FA!NgEo7._o(T#38Oe^D]NsZJuJ2EHjM)'4br"n&k.C3<a4]h-tCo^@>'^%-mU@707]uY8Xn`H[qfuBP6N=kjIf^^3Y[b=
+%mU@$W95F$Z.e82UZEQa*p<ZeG((QR]]OcaSA,Tk&kZSRh=QTUJm`*UZ@-lt1-$4Gs+h(F(9!X3tN?'Gd4&J?1)@?T$+EjL+&%H#a
+%%k`^;a5?:;Tn,s>T2$OiTd@\lDX`:anR4dqE$CGb(/E*q0(ts=W#Rgt%2dH[&6i(&#2Da23BYI6N+aAVK4@J@7i[bi?'VOpe?osi
+%,(j[3E!gU;b])1o\]i<TCEFp-)I)6B*!]\Dhr#LDPZ"rk_%3]g]]GI#'F0J\BO@6VX8n_kLO!CSaNb`"/1gK;l)lW.AU(5+M$R.C
+%gB\%R$MB70-,PTY[[E:!UX>GNe1ST<@B]gdR'TW93_a0N-_;S@lq/-83]qRo:(@B`BJTi3)oms!^nF:q2Fit"1d$O(a3fg0W\'t4
+%ABJS/%5OBJTtk^"3?6!nGVb6_>S^Ir\u!Mg&M)1[G7n@FdT#'5Xo8kK@VHH0LTdE9atn_OgNCF[7(UGn$f<Y+^Ck8\a:;Z<.`OaL
+%SAqY]O;:TZ5rrq1@K$j!A!l@@6RF*REaTeJLUX3r.LXhr7XJ-U#Za`bdk"iP3pL!gGbP^:hS.*1)m\Mq2k*.5W4;#SRNjD#.i1lF
+%Rh)&H,8`,&b"2(CO3^de24YAJnfCQ$,h,L_-ug%/95A3REGQUk(&PEnbMldPq]Qkl^s_YlSS!,H!^E%dBo@-]ZeGZlQtNWZ'E'=.
+%5:#fbi&2orFpPt8_lpFIU`nATliOFlW$Xo:aHG`pR48b"7LmXZ`SVIK>]O3V+`"I.YW+890Y)dXK+jCC4S04A\M3*hX")++iPGV8
+%C>sOHG(mY`N&[s]RS^^2O3eW:.7B!UfN`Sj[13R.D;)h/MKl.0)+W!W#*.,b$+-&+;74:A<EQ@\16clA(e[fXXLgO63[7]Nf=gEi
+%'mhPX!Kn?H14RpneUb^5.8hBheIrk?'J[i%\r^SE*%*/T[)l0D)(LPP3Q>J0Nd1qKOa&om;0bO'8+bS_SB6_6],[Z$%&f[J\Ml35
+%gWYR>=2*"VT`oZ(MG_sQ1_0:Kl%#!U&KSGt?1pG82J&m1kb&njCMf8o_SC\A*ChJ1!1kPQk,98XI:RN>CC,c(L26;7RO?B3;o>%.
+%fa7'TY0p;=]f>ckTIX9K<M*+pP\?7j#<Z(B/i;@.>_\+!VNt,1_[G(8R-cju$52U9_%1t0/eeRqbO[1*/^/g!'#Bdm]0]b?OH-p`
+%@G=HsY6iH9*7.2Np>H5`@>&]GTdf^>=ob90bak?T+CV2AdJ$!!WCO,NbfC=S/([5[6j"*e%rlhk`'d+,&V3RLU$('g;P74-ai@aJ
+%T95O.Vn6?G>$f-rnO1e*=P\D11N5J8Tom[(E\p>*gQ'XG0F(f<q/2m[L.!4%a(A7B+M?+m\1:%S0Pp_S2r2g^dO!:b<@Qqh:dX>D
+%$Ls?+Tp7\(KcDoWkRR=(K>loPo0b<(@&9!CF!JC/?VZ6IQKd$D&j;cq^]BoI/a?1!2)r(8aB>K3U'_<NnE"Q2FnA4'VsH`*)oQ7H
+%'KR`^(mCqJY_a>?`$+oo"kXuCEJL5<93)+DG+-PS-&TdclP]io8U-kX`a6snn"phEX*i[I!5$^f!ZCA\gUG@@gU'3nODZP0frf%q
+%3!>m^rlXPQ[3hG+2s],)C0'LU/_`06e#m2?p)TWECXt4\^T%gc)aK3:\n/V5XptCM,HNl$:pmBbmFsHJ:npV&VEo,"nW[(I"@2gp
+%+?;tA,RBN?[ap;6^-(A)6%bR:4mfPKinDU)@`"N_c%0gT5UY<`7N<E/'\)>oh$Ab+k-/nG6$11p@<a%)J9-c[Ogdq&RY9E<3JbJp
+%<Hib2B:;Yf+IEDhi1bX.Y`8^6+HS#r8-Gdre)K'0;%2'R7?%0>]E+qPPp"cLq:#qf6oYb%^^Ql'&tI+d;DV=Hi,fjN$4>l\]Ih$`
+%*!-[N@`!RXfQ#UCa$Z)j(bFbu1Vd#Qn[8`!8FU,_@VeuMRk/Sn)87Rf0EATiTads3K/"FuQ>%d<,+Q*gE&M,Hkd!FkU2tVoOFJm4
+%!Ue1rGu+2Q!%5Sm:(rS$QcCk:i$\8c1l2#;IYJ,"S,49bMeeeEQXK<+-5/\<$3p@u==")GrbZ\qJhu,40e&\'4D"X6)I-+(;Wh<L
+%WW2Y06W`:Za4B$kaN'"*#AP+aDee&O:epH.crCKl-<lofYPr&,_XQP&8gXa4&?Z\\)<RqjXtkG]\-+]+9FpUB<G;mGS4`b`BIN/`
+%S23"0qDMQk&ATr\>`":[d#iqC,soM")HA,j-nq"h)Nfj[5\@s!SuGr114UE'oHWYNi#qK=(a*eT=Wq.6Y/N%7PftM\Off!C10==Q
+%.I)(;UHM.&5naSH=!cV^:Z]QRa,qT]Ba@Fh:S^g(9l1rhHN=FEk?bCX(mZ$"[]RY;RYV'^JL&,U?$95aOdiO\-+tY9C!rBU,##G!
+%I)V?qD(jD5!%BAB(!^/S?-0QU%<ti,jS).ZXRKQe;MTIr%++ScT.bOU\HKVZS--6j8dmKU?Q43:?hoYrV.McIFPnQrFK#i[!?_fe
+%2($!:).LZV2B?/mFn"b?=8R^H6rQLq0UZN4hZsr$9u?KFbQ25Fg$rbh*_mr%5oLDDTg&O4*ll)aI5)?X(j\ercVT8D#YA1GLp@.0
+%-/9`Z_/1,3]:Q"a)4_[.K8"]3V!5p#WrsE[E!DUEkm(=B1nH]Rfr)6H-<*Jm\f^W7e[f]8-2D:*0s]GY_3uLg:,jbTAZkXm6e&G9
+%=3f%JgsM2q@QG]8"#_^*EPT2")RAlX.iI,rRM2eUr%QT"P?g."!q.#Y9]QS/26UbWM&DU*gLnSA)^`B!"Xe5E1?8'pWD$L1?s5E-
+%l(6lmJn1$SJi#S_8*gh/kWkk!/L-+NGC$:4fRcO^Z@;dTMpT-'!`nnR-;jkr[GJ:$!:15K`"89uO];FfT!mpSXs(J_4S"SMR*&-a
+%<(g>q!]e\WeI-Nb/K&BABV*IQC%QFrZ![XoRQIF`A&a2pcLql3-^pRJ](@QE9H0:T#>nDA!Y>d,bt*MI8fR9nd$LMHBJ.;cM3&mY
+%5YkIGG+98PaTX+!d@m+qYiP>J\L6[,A@aM#$b9X.#Q_Yn,qIB29S@_;R9kV]P5pot0uQu@/5`^KfGK9DBYnRSB>p,#d(r,kIY>Cn
+%%\!Ju/Z8`+N$qB\o4lQO="7=Z97fQTU:Z;G#\q=+o,V@_/?/^*c-iEI0V"9L#+)d[!-%+R'h_77J5h@DeWO`=B;KPnd6bH;XcT\)
+%c87:*J6+:lm7a"\&Oj)]'\ef@LX@K^QDRi0TA60j$^><HfotrN<%h=M=#?<U=eQ)9:;X?sbY%)8$+;1?4dR.]EVCqm24A;+d>;BF
+%-MrP_`*og_S"^%K80q*/NSGJ%=!ZDY3ljSG(faYKWiOJf`CA+2Rj_8l:L8dr&1DNWl4==K5n.KhcsZSS01Mipj;!C.9+Q'[h5V@G
+%Ii74C=oqZ]hTK;Vg8cq4a)L5BR.,E^n#FVRRMm0Ljm_m*Uqnn:jXq*TlM.q9aqk2-8Fb>$[apnq/$fpAVkF_!S'F(9fh!&8E)i'H
+%B56aK,pQ<R&eTqRFul5I;[EkDOrGBg"1?)j3C#sSiB[/AS4Lsf$:5T?f-0Q:"pNFSDa:[\_m7R$[A@kukG)j,7%U"[=6;&0$gYbH
+%@%nphC5%dqnb7X.PK+82*/"ktZt]P,)2-,'_PDmrqO0*O77n\ZE^8WG'R01ULbI-nc79G\fF$&h/OiV-WhGPHiK<%H*PTAMe-XJR
+%)"p:VbcsLJ:M<+JRML&OI&ksb^m<#5lpD3J9B-'!gH+hIR]6mC"Ouu_V=Y2@6A*arl"EE.=W0?BA9UA*_LY6kbW;8K)Mjc8N,d8L
+%4?AW0^cY!Q%#BkZPB8qWG/]2TPIJso&W"j"MKoJkL=C_p-AGG2S'>Y^L-f73mg*kR7h!/V<uDii""-TDM6j?gMng;<%9+oQeC5*K
+%mO5rI.gTG.2<b8A?*9peN6Z!N$YP:G84O2`";sthRTcR7KB2:lQWPFR(1Ea(&0t3Qn-$cSP_I4`%er=0C&m:H9cPL;9*rma,T7&6
+%OHBq_)hRgQaqQ!e+QgfY(<K(/Op+*iBJX(Y]i6HY+XmO&&e,0V1'D<TE^N5t4OKINS4ZS_.2&TKcefKEiq3U97[1lUClRF/bWfla
+%KNZ*bm<Ta1a'n'`.N'4_@1KGD7*,=\hD'`>"VZIF9S.e'>Ctcti4u]/40Rn'Z=&AbT(3l+nd*)<0i?o"b>Hk>*,d@+(9C]8i<hA'
+%0oaTimE7V(dh/52OhlR)<Z"G;l@b`Sc[nlB(FC-4d)$(iA7Q80=b3Z9Gd\f!^hGXM`ba3nP-7O2%AGQaV`^uVkC)GH:r!<0UhC6/
+%,_n<("s$[o@mD;-ZLE![LpFBH,^SO\LI=iW\0pZe,n$&:rZ96Y@^Zup!BH6`0G_NkCnm(L31nfF3AC,?(mpmM"C32S/Y%.Q.9S@8
+%2OK*!,F'\f=GPsc.?OZud0e89U<<d19b-_Q.?^bdD>X^9Kc=]GI[J9kLn<j%fCgM*&fpOt=Di]C,3p(aCf@HGP_DEn+o$]1"589e
+%:n7[n:_/qq?OFc&fU*6B$"FdF+..a,@0W=eY6&8`7k:FgM9C#8"FG.1iofdMQ$<&en&I/@<',-siJI9hC2#K&qFq;7iC&],&#u5W
+%foSc&jC"M1Q607T':^RX]I.d(O;I[6ecG^K[ENO>Ys=_#D-Ai3T'63V$6H^m=paoK_<_tX!?:iR!@'$N@5:PB06lO[L+%D/o<EFl
+%:'LP?iO/d]UPH51!i5NVVIklI]m)$ChHn,>R6h2m18Y.dL8N.o?n)M#"2u)'h5_.?&-5L]&V<7u9dH9lD&reT_,;Rq#RE2\%Qagh
+%MJ(NBFG]<^^iW*Q$p>QiU*(p_pj=6LL"HB5hP$VNAgR[iW5OXmipYFYr"G#Cad#J`c,\p0:6'>U!e@Q#1!LP#6`3q?8ONpp$$V)=
+%RQh4TZ['&GHVdPG%RKQt@(nb@2!@\^WQ7SN-#0,D8[SSj[keY!AH:I9#/S^132-U+0oV4^`F3#07,S-.N9gNE,Psr4!aQTr\Dga(
+%]+KSKoRoW%,?ck^]3M^eRY!#Ac%)_XnQcVu:B2ak-?knb$ofjTp4e6_OH&+6a2an8Jh1m12iKA>P_T?7Cj*^ipj*_rJskEH)R1gV
+%iR!+_+,()q\)EVj4,0RDWXep'acljm+d'q*$"a#F:jcI]$Z;nqD!]n?]h:B;TiF2\eAb19'LcNb!$"D8l;mtinsRfji,B78JhTa:
+%e:RrN$?(Ql3hl'Eibf1J`#sFoJjVd7MBPe)^<\tf$U"Br*WK9>bO#'ZL]kDX>d50r.+BSenoRqM!HAf4*8&3G"Rf9!^]oRo9lh$!
+%JOB86peK_U7.J.Tcs-k/LI0uU.`SNA6"c(BKb-[Jd&\4k:U:iAKa3l].km_MZ',Zj:T;fH&Bfr@'_/j\joXL,/e1D(TEuVOUY@M%
+%'[I=SFcT'#/;'=i.+,7Q?dk]<VEo)59nLIhQO<%6+$,PpYiGsi"ULScL',GGL5B<'Qr;Wl)7E)1An!PO(H5;374TODO3@N*4J<KV
+%Fc1B(Hkk!3Ip.X[2(TJL'da,#S#.W(p;@_bPOG1Qd:,Yni;a2dhOVcrC(T?UjXFdE@+7]L,]!KHn7;-DB],F.liCXrUC^,>A2#dh
+%5<@_T7$]/4>mR&l^1dl3(E?Z.^bp6ph8.g_&1L_0/>\j=HlZnM6Mp:b'U_?o*28!9m>B<m/B/GTRg57Abcq07'eTk_+_F@P1_%kh
+%;):.O]tbIm@$]%HJO9D\hc,$J9ju_lH;g1u"`^5heW':-YbIOVH2sM,er?I`+[86uE=5C-391AJ$QjqY1Y@QrDGS^dK%_&umg+g\
+%`-=<ukQ/5GRQC4\*2TF)/tpB,M4*uAE/fLnf0)!MGlBIdVM,Y*L[$&$C4bRR'$!!L0I`_]5W**lI'9M(TKZ'!kVO\Lra&OjGp=su
+%>rC[cPaPVm+M^nh>YEk-\Vs,c+p'VfLu:X@eRfA[#U5d]1hC3XalKuC_^=B$(4NPaR%8&"LL'2+Q76JB0ZkBt;#qIdgD:&GMV'6E
+%FBm`]\>@/Qb$tZIk%q]\EbWp`;9J$_AZIg+KM9`,M&$([?gpTZ)GQ.p?ULCl=MK6W*A`-/9<O/q9!4P?`9A\hWWec4MWHW&12\o$
+%`Ca_bQo.Q2KPFp`R:PkV9HmrSaD_+]%A,(`.VoJ\\<rig%e,:%_Vrli=<CQp_l0R0a5J;`Ps$RkVL>T\nW(/UC'FK2M6mN3O2Grj
+%N;5i%Qd3;X-:OZh+e+(3I9e8]I#P5Zfe"=C8iW[:kpX]I3*+.O<kW/I%$0Y:&;pUlR@R/V8,/FlM';'a('0%T"'4^fs/,-$U)sS^
+%7K*MI(%irMHO9sM\#6/;)<Hoq2KUnY9I:Gd"&Nt+/l<hp?)#/^HUS^F)?r5=6/KK0L:A!D<5%>4!@oVA,!&B/Bd$?4-BrPJ)c;Xt
+%Lq@;?:qA#_M;\>!Ya26pm73'5RafOP>'-H1*K&-pC4_j'PPnCqIc$eJ`>Bq:'Bt$$Z`q4V[%F4R%uF*:Z"%JdG8B:FFG]I@4Cb&m
+%c?3^IM-CYYCL#$os2G;O&H6Q]I"m1;)tc(PQVtKJVdT`lR!;%FOie$OI@;%'DbpL=p7ipam0IEXa]F>>O_'0<^0G,AM:;MF]pds#
+%9;pN6/=l9Y3e\J>N$1GJ1\po-%*K/!/&2uFq*f7L!ME/8+.ipFb[Y+8XDg:)n5(D+8"[]_`$NV4L,b>U"&"mIi#%oZ,%5lQ!]<7"
+%/b*Hd3u0)gVC):XNo("iTZMXlfJGSSV8P>AJM>IAKZSW4#.Om*2\)h7E?YQ:b'1s<_!uNnF2]FEXBC;&duhH`8&GlI.tAXtKG8eO
+%8%c^t3a#=%_XI"!SDgdY*"0ibggL5^B[,8j1r?"f8"b,/IKaeaV_.+)Of;8,<CS'd4^>SMVC5Ob:)s+oggA,DJ0*`i=I2U.@gONe
+%%#;)nXS7D9:L`%3#or)9ksu^IeG)Ms<csY9>S$?:l@9G9[;rbXe]?/)^_Q4:?6b;m(fiVsP73`&F=JaBf3l$?JV4'nKa:Fm$?09'
+%Xj)6<n?Rkbf5ug&e5.DP&P%`k8liglZG%#`i)'`qqQdW<!`DUm>FK@;_nt(b)!@l7$J1Kp!,-hsB$"R^QRlND#1JjST0l4i(mZ&2
+%mKLU^6)T((&*JY%=F>d!(t#E3muLc.LXLc`EU,V%bK@)+3^`caTUar5$!3X%%SB@9koN+1Bo?h`FrS@kOeiD"S^=!Cj6j55$2;]Y
+%-'WZ(Mo"nH\97;Qd&,E:8G8AC;SaA+S`G&OA3Ah,U8&U`PINrF@1?C.c".IKbM50V3aGA_U&tGJT%\CNgBtANNZ?ARn1_![+E,8h
+%Bo4;sBWX^'gm!dkIDV_r&RQ^-Ci[`'`O?,lOi]+:Yr75Y<B:/fQ6T4Ah!\eFfnmcIe#"<&J`0D*29\W9UM<]Z?;N&2_K;^m3&1eB
+%QFKi.XC*q(kQP?PANpo2#,jI]du,a/s3KPK0.)i4IDaqOE"BrH(i4ih-A)uZ3+IS^,TE4`_X<iTO8%?mQ))^jDDgA.flQinZSSto
+%8sNAjP+;4VY.d:2M3L@giV&OIk"3^6RmQ*=A/S>F7Pg+blu9m*KUdi$1E@T`TST=<m_5NBF+K]9Jj<R0jG&KOC4W5#c5A(FKn0**
+%lShF/'!rn1:fL%HA_7lL'ac-_Yq$!*BFu'lM33^X]ElG98=u1Ma9@=f60:?N;"Fp_V\m=l)"^`U/7,,jY_(b%;P?EKaiqW;:WZdr
+%91c+&Aqub:_D"Yb5;)+$6lV:cW@n]qn\hD=(RHi7TWHS.!&7k[Pa,^8gk19S"P=7`94gRib%?9iI#t.T+c;g:A#4HSM*$UK+ZPqr
+%?@U%%.V6Ok;QN(`T1,U.TG*KT/>V@4&jeFI3=]>Ndf<irC*tH.9bC+X.O@)B6ZU$Fr$44@l+ieE;6nme3C,b>!kf1]\;Cn\a&u\W
+%i(*mu)8T=0,],$nVNUfbS4-s,;,LXim-qs'e/1rf'W1ej!1(H-Q;c\`/3X,MOQ8;"#\\fDq1tPC9'H]B0PL/t#T=s>*rO,XYWkB_
+%W*:_u^GC^4/D/e`%hqUK8VTL=(]';XFCXYnp+h818]it0UAPb=!9&0)mYdm,!T,A%5tE73;:Ik"7$9B>Z=.&+P\+kN'@$W=o`S%B
+%5g;N0J&$W$R7*:R'7cJR,_@2;0.b4&?nDZl+,S280F:;G)4$9s^7<1g/\NM>-\^363*@q,8d#BQHK3qWnZ\gh5ebBo'X0uQcX9\7
+%"ElcLZfDiDSk-(;UBsdEII^i+g_`VNE.E.qKbPZaZ^c\%659S'dR5Blr!gs26a!=4bZKP2r'6R%J=%2>8tAZf*'eBX^qGqj74IIo
+%W=eXFd9AXcVm-sIH]7!>,d0Cg1k;3t@1>UoKLJS"?jqBC,#jP`_EJV>R0c=d)OHL,*QLt%_^WJ[,TS[emf>GUkX,tBI55sb7KGk(
+%8Bsc^]VlC^&qGDFJUP/_)?eh9*"epqM3>]-+]VC]@8<s5Ymh>0>h7i(-g)%#.s5"t,9XOa5[9'n71+'m8_PZI;F,c\,"up%E4cr@
+%80S"I<"A:)73mRXP[8?`h3X:L`X%rl&/r5>L2^-q:1<99A]9t&%aG_`fQ<>h3oNJ+8->:#,1;t9d`UJU$CW)'P[<g/_,;ie-We19
+%*S_lio$q,$GgDC77#4ToB8o>iTDC^H<>24AdD.T7A=F0OeLg:r1`i)B6,KONFJOpBjXKgIcB:KP2c30-JO1EqnNFZGUjJYCLmmur
+%;D'#Q'O:2K4Vj(K/Jb.^Le+S'iHU"V'>G.9%$6m,:cG3fOd7sR8pj:)Hm9oMnW"3L<+uV23Y,4fBTc>Vl4LlWP#ClC"FVGa\[2kE
+%:*:XR1h[Zfk3,b0Sba1C8p0-'Kie?O]F0/;6eW;rN<k25;_m9qZm:G6!i2dP0LU%(*28/IHjDY?90Oh5..eg.0OdI"@6/hb!c/Ic
+%9LBuFPs^FdEKOSX9BeWZ)K%!N2-/k9?'25AW+8S0\NuBP@q\gs:'V`4^e;Wq!IGQJ6K"Z,EZeH3-@R#(3`un"$_(W&LerU:PG,Y9
+%@uT>RKmKtt6:_RlAdeu%g4U'+,3<0h;S5Ft$Hg8q]AY$[#aV9Z?FWG#H!<YsRSV'o!=:O@1bij'2M#AV@Phs0qh(hM:/Gp)\H+!r
+%)I2$Z<35#5OWS9C-)4?NS[`]A'9Z+aTYrBjfoluH?:"0j'7i\2O9fi1#O!ZB,Rtq_U?n-lE&K%jG8R19.n2*AI.s"acmRcipWRZH
+%/&SJGqu5;gf<+*J2;X92DpahlOG590k1r/c*hP!s5^=k.Ti0<caS8FMa9Y9BgEO\',\Vq/#cZZo!O*HOm.%qaKUe-1I#$HGM6L)W
+%#nkk1FCDDD*Ce)*1_H#m`TV?)?8m_'%+nZ6OWFK(;C.GM;(3h3?cXUO;AI6"?g9781Ut6hdBJ!I*KLeDLO)b;O3&YEe)M]YW$/>`
+%I0'JuA4D_[VLN@S7^7)Jk'<,UN@K-krC^'D!S8W;raJi%URK!m705>T&k_FjS9H(i->*HO*n$;a'88P?W0@.8rO,h)_Tt\"q>@%q
+%,Ke1d=<!/r"\d(N%Z3G1O<NoO;,Xk:T.:cJ!\q'Ac3#BY[aEX@G"EO@(Sh)/X+TXN@5q(S'-R\/"^/;;aYHX!nuFIo`>jb,YH*5@
+%4rTH^VMl68E`WgL=(^A\Q*/`7jREGN;9B7rV_LieWX_ep*f<c!Yp`<j8i-(d$q!oT0(>;4ou'Hu%2a$YUh+2p#9*%@l)PH`RmuP2
+%UuD<Y+\1!#D``q;UNCbIHW8RU/*h@Z5==N^Q[.c;\0%#;P_M@L'q6#@_f/RqqM2"I%)LIL0LZ/bOHS-`Uk?^l0^+`%^.'1k8<OdR
+%kcou_kW<H[C.P-EctI+ZSlAQ1akIk48CsR1ig*it6"X5FF2tjhQdX><mbaEkonH\!-#&_i#(U^n.O>O6hUXIMFd[HhAB`7:A&cd!
+%nHt`7B3eT.ghZ6D^`*X$'4NdERWJoM_G=9*60f4q&V;r1@a^/@#uQG75d'ro9M,U)Qe`m\5]q+t\f4=J.J4R$])sCC>i=R7CC*R\
+%N[n7P,gZt5cVbCT`oP@;nOQbSk"9].a67XHdi0q,51=^nn?Y@#*AY:u-N8@_YJ24o:e5p&N]o<7,oQ=DoV0a#PVG[SfeZ<dAnfPb
+%)ZE++)2r6&W#pj=16YmiaWu]O<-0I%q8'HQNOpr6q+8_d+XlhRs$7Ada:'t;"X]C`7&`Ze?cYkM:I*/o.9FR^92!8mR_TQJ(8SK3
+%):Pi.9Jbpc2GN#gb'c`',ah]TKZ8asN.pmqVMK7AP`RZN!d2qAZa_P^J_lVRJ2il/G%&0j'D-u8UL-B6gl>u#([6iGdY_LG"p9FG
+%^K<hF/#g.:P+#fc>Hofj=I3I7HBN<W6%W/FPJ[EG,RYH"UK;o?aEIK?X-cj(?q<eEe+4df3#\O)l'Rm4iJ&b$V(a.VS/ImCLh%l-
+%0]V"m&b<#:HHE6t`nhZ0oN;e)A/*8_IjS'DJLZbfiYjKV9XFj/fg'oc/0"d+0jt&`ckb8)$j18)_,+=OGVIMf/EDVWkgns?m)pIp
+%E<?-!&.]?J&aO#h8*RS%#`\,b5K6+aK6\__!4t6)U?&LFH;0p2;^<e_dD8?]Lm+[T;)/LY8LC65`Fk,,-q6XOq^Wua:>d6tHD?!B
+%#Gh_63<0Jl.)-FOr[D-;O[kY'*`s^5YWfujalONL-`,9fYGE?\,0<"b&Z"/Q0N]"L3S(F5I`42dOn2>#RmLR@Yo(b&$DG$$6S)-d
+%rIbCK(<86uF59^c!^)G\Qh)iYbcZ[\8Fu_l;Ma=Fc/1..KCZN6R!&_*5_/ckEFnDGY)<m>8WYUeh@0@.=oW:qVCl5Q3NT\jZK'X!
+%A*(?]W-);(Q-4.\%Dqtr$Mg'iom5H>\2O3I2JC4tE7ioJ$*T;b/(_!:3u19`.fktIQ]FH.@]q[qYptfmU.&\$NLM]&&;:IXJ(/eQ
+%D2Zb!D@-oo[X:'1D]4bYjT+]7#;1e$Op^A9C;$g98n6YYf6])m"fZ;ZdFRjG92u6V`@-QYU@SD&NuLHm@7Xt1B`)3fA_^7#d-00t
+%^T/OSC^b[.nOd@R*e#i`N13_s.F+Ba*WJ`n:`LZV%D=?]DGBg.dAMjmi*S`+q#AG8P>"C>^K*^mY@j9W8B4U&^K=&&5Nl;GJW;JP
+%@^<rnUOS/3VFY".\Qab0R;Z3:cmqt=R1ndK,.X9?Oe+q/Pt(c^j#P.IFOc'eR^0f3E5tLK;#1O7F9A%S?KOO]SR433/]Y\[h-%9+
+%$u5`AF!\K*,5j1A`m+ot04Eh7@58V@d<(!P@d6g@j:-b)lDFjh>Y6r<fO)61>.1P?Q+qQ^W*I+^5rTKUNiFRYmALHQ7lRf.Q?4=l
+%JjYiYZV`_HKLt_<%Cn7meS@la4/[_iT*,!%U^d1k_c\!8\P$RQA`j+((27kP)5K+gd?4k)jJ\eTm.Sd_Tdh7@mU1__+M[dC"EnI@
+%D-!LU["c$7Z;S+hkr.$K?nEt2M"pGPb:tT,)H#h5BMQJ0FfR5bb$YlHP%&NJ/%k]BEJZ#W]%(+YYIIV\Wb+L$:9WS^=447:ST8R0
+%A]uGZ*&M<aWQ@!H($Ab<?#QqoeeK`;$*#LkKX3_@i;[/(P1:YsBi[rG(=inR-AtXFMXP0*.f@[4>W/(A91b.QF^,kZg;@pfO,'K(
+%bpS!D.F]7XLp"is63UPW_L8H,44Wc+B1k5TBW"a&b%N+UkWiTgkIOY\TDQMj>,A_!'`Y91oiCoh1;X7%IVq.1[d]=iqVqkOSKU&6
+%RMA.p2M_8!s%2NG)BB?dM!_k:>Ffc72.:pEXu3gK1.";'1hkHcBS=?.@lhR%)lQ!TDe6l1>.Pm8:M7cDA$gDpdFp1Y[;i8'6Yu.]
+%p#CZL.Zh.VOEo/;#qFeDU]K"9/eWt4'<@(,%E)lKFMmZk1P6/\Cb_lQ`,+G9gRN_+p8?:(ZnDAlNI/&Fr]M)rWfU)o8l+Y062.L(
+%>8qd%0MYM25;;J;7\?+NN2?O@\PX%BX2<hFq2lOZ$8_KTpg8LB00f;go:mC>/Ls`akJ*Ib=NiMSCCQ^?9G5s$Wq%VQ;Q?2rh6g2V
+%:TH4&+lEm@Y//s3%n@j$U<5uA>]3><WkV$<UX<LYkin-a.\uma37Ms\eZ!_*Z\01YggJ0-]-L>GPYJ`./.J("f[r'-gOBD'7712I
+%jh$^RYP*nP'9D>_RB"l;S^`OjQK=S'W"!#h$6NP+bgis,b(4!WrBH];W;'/j-S[gLAu#/^RnW\dK;U<F#%4/!L5iB$]9AQWgWaE[
+%D79"k;De]fN2UkY`gbER/PS?u]Km`eV>=i*p172faKI.sK7;bl2hJCl?*Xbl=age"s+c)dq**g';[oq6eL/8kCtb&*Ltl$Jd.kuc
+%0V%*jE`9@V,0/`$<2og^/tP%GAEhOYO\EjId8BX05+p1<Bg7t;,p=M3]_g@lWg1g]?TB]>1<nMYrSqaJp]'WZhRb\maAHe4R3:=%
+%-/4oKRC&\AiJ_A06`c,8>%P#uX];>!\<H;PPr"]\nSobA7h%;KD3#Y7cYE=OoAf0:15X#qC:'G3qqt!=s4^&-a6diK_if^%_*]eW
+%N;a>:"/T1F]TTCJNr7XG!<8O+a.Kfn,N0n-&S$qW)".bj61Et5Dl%1JjYgA2U"b92"qsaNCqs3+Du*75o1cGEhLp0U2teGJ21SAO
+%>''J:@>Ql!(osb:cF)#n?<\$7b)2u\epE%HVEc.04J\1^PAf$l?XtbKnmW*VEbR@u&`RbY.iX]#Hu8ib0PU1!lCg-`j2Tt$%f\.9
+%Enk@,2Kn0PP^7.1[0DA,+ofhI'?W7?c&?tfoPQe)Xq%E3_D7`u:5M!,Ep]PLb@Td):pZ27_*?9&VRUklM`X%V]o?t-3N[*qp4(#h
+%rXF;BZC'5<fJUGClXO;)O+$7^>V&L$nP<8,^Oq%"[h9ur82!F8VAKp-&0jiW=(3[P8r\>h(U^o:c2%MAo"KS\mh:0&Jb@pYiKd2"
+%ftf7Yoaa$lQ,`hns)p*d[kYSr.IZGFmFQ%HH\>WVj.QAT%TD?q[CG+)m$jQR`@ZBbmR`<'e[(mkG'hZ+6KBk*q!+pOE?jWi-\""+
+%N#4OMBXe*XbW'.SN^H8E/5i#$$?5h85/4edr2Yif0H#R4BCKY6f_f-sr]QWuot_?[#1Y$)]S!2j0'b-Hhr.t_Ie$bCXeu#'F.d54
+%D(ojIR/`GWruU=;j=nW(<6G39))^U-ro.P=J#TPld6_2iQTMprLG=Q,QQt]s63R8i:Hf^W[".j<pb<9WQVA1>I8G`-J4E.$`loe[
+%rhCiu<G'=?LF7tWD)Td%mLarDM%\5G_t-i>Q@^s@a?P!FA4Ikd7kH)L7jReH2pn!L;2FKmS*82NI_Xi0j8\>"'!<1OB,&\DCncc9
+%oL-f]6Gc1G*DQO.-]04J[=:YH(d^GBe))D>oX@];AJ5mYo;FT<bbMa!GK?O+TMbES8capQn3t?f&CEE[1H^-:JEEn77bm#':7NLX
+%h=r+T;h)Ooo8eb]&VCDC+^l<t,03'^ec@,_7NI76rdC@\gDK)Kn"W=hA]sO]*?>3$/V*\_<'Ml.GDG/t%gMX2EHP8V,)GOZ34r;1
+%@-'ri<ZVpKEA195O+&JoKl".Vc"VQfV=!K@co]]`UVFuh(^Vjf_>g(Kh!^"3qX9d$LqhQ=NK<q?2K&L(iqd#^>E[:;D"4n'HNf6)
+%L8d\eE,/([/7[fS=gg%?O!Jl**+^0gPf*Nq<(R&;TE[IAJ-9$)^d3SB77]-1hb&HL8&cN,"VtbNpOBqYc>+)g<JE^Qg?hpNb+ug^
+%X#BoiE@3],G8e?DB9Ri*>1"3/r>H2\,3%KGF]tB7UHBKC@=pf!)qLkjdONQ]?g)F.!Y"q"KtMF</i&("'gn[Nm+?PubM\$1`Smnk
+%$'q!,kT>Y?OTggN)5I"-#0$oV,%D<G!!=,QN5D'+s$QRKIl8l08.#t-<bk5,Sgs\W-AA&m*rX:Q(QB4/R1Pp=p-J_FkqD@us-=JH
+%J#>m;heuk$]9C>FETYs\NB&raokL&tdBLuI?*p+Mr^8:gLVO%V1p@[c^\dmK(5C=t\_ai,&8*sib=\bbCJT]f[d2.6KM/0g(<FL_
+%lgBIH,"@&um;06^s*HU(s8H!s4b/#4j]B.bn"*GW_Jpbij/S(d7dV`cr\^+\ZUk+/Z=KEmF!\.$c*Mf&LZ.j014A-McXSCVT9oT7
+%4Mf^MB.%\)&Yji"*nPn0`P9XVYE,m^?Xjkf:c+?RM5"t?;AorBYQ"#E9DC)@6L+#P#sSa.r[[/o=T1GXCg-<VonT)X\)##iO8jj`
+%m'RPn)5aC,6\:D-!>_KDRaKLADT.)61*8`('akTT2-H1=Or!.$STO5-oEbG.&<u(oDpD*&aS))n(A4.e''>5G=>1F"a3>XfLag;;
+%IHQ>\*3Sn+EkB6YT'O/i,>nmJI9tk[oP8<pS%bhSB;O?)ojm$\pWHpe@7sAdS.I9dN+Bk+2&Q8>DILo9aRAKL51Wq-]8B>a*^mP6
+%?Z$KWHr&AXlNA4CR-tFL`Vm_dppJmRc,Fo$d@I^F5=-V2>$3-3l&UEqo"<O>6r]A"(<FhRXX<im.)rNM<;Jt8`u0u5g[.cZ30!PA
+%N(WaqdIHMKSr)qP@i.pj0r.X?gqnGl<YR6TQG>J-\J`hea%^j7[*=A,%jN<<S*CANo^/a7Q[0$,8'k$WNm[If3BurKgL<$c8-u-G
+%,BV5q%"_'NA\`d!^chIM_f6&8!;%/4(&f21i[&@tdHZb>9NsBRJV]I+es@D$4!.CG&uVSU-_JPfEGHlpMcNbE+8U)QXb8b]eo_fn
+%=*c`<7kpSY-mn"E>N>.Dh8*/gqApq=TjN/Q55eae-&R]seuja\7MCe@h$d.%9X\"%[8KJ28imp2GmRjrPf:mj-f=K.Tl)Oc:uOrs
+%^iNmNCMbn6F@sk_NK9B?#D3V%.ggb38OA0FWHr_bOm7>Q"TCN"I+6Y6*lNt7mWMb@'b\A+_k/,-2#6?qn2K@/_e3G*Kq8>r2k@+M
+%gd5T+CA#sIot"\e/DJMfQ<UmhXJ-3sCft$rV=`U_9P0+\j.g>E[CW/=s1I*&epa`#^4+a7<u7*:k?F,c@_X51$P,mJfn-plBgq#W
+%fan%)XC/$]F0I08%9CpoXZmE:e_2qK.E,DKgpT7$H5nM@;3bWK;]`E0*BkIH'Rn`CUb.HBo4>qDg<0)ij4@6Ts8/U,j(2et/dta$
+%[F)JlBs5)mcn7<ClY>?I5!V%ml64UL3#g8rJ4<:KSQTgR<Egp[eIY77E`F:eTuuJ1g-rU#9'%#"_Du!k*GDB,lAd02[&G\nKkf/k
+%GhQqQ<Ki<?,dd$=2lrd:W#4#ILagTP.OcrtOnjR.Zn/q&fdqQ6"LP=`>&Mf?8tRC!X/fYYQ)+OM2!\nUjE3f@&!b2H$>M"A$X%%<
+%B#ZIQEgMYbknBAfL'mQSK4pOaX6$CbWeKZ%MdZ@]Y9s]h7I81SYh7K-:h4QJN(0)&1)-l?,\%/b&Rh\T5p]sW,Qe2>*['hXhgu5m
+%"L+rN7J65GY`aeM.lh;'5;)nQFOWlUKg@Gp<"]g76.4AJI\[nq_35%&6nT&])>g/C8Qm=[(.9u5\P+!BVYYW22d.jKV3P&GU7msZ
+%(B"hF.q`Ef>uJ`Y'j[rR].QQ@bK!s84oYrTjD*Ge,W`p&i);!*cpc//M4mp&)jrgYX%nVN_^qN#_\muDA4V^V]fh"aJgY#CZS3._
+%#a%oJ?iBi*#L30r+Id-=(=j8;$pi'V4rfVIL454FrD<g;nGT#CUK(L>ooL2Ef*!2pQ-<op7sfoITf)bCKjVP[j$tKkce:$SR/RA2
+%mg6:R\s'j8d\\P9S:IFV&,WKn7r($Q@hj@oX+8b(M(8/8FVhHp;B5DAG\>)3d%o2*0OG*ss7p)5#+Ls_9kuB-gQ(oEA7i]n<;&*F
+%qu6N[!rVf^&)UQSQ;p*<o:LJMJ-lG;&%H*R;qU]]rr,Cs1H[(IUlGuYk:'/h#@D[1aC\k?!%gs*>S\kO!+ESBquLIY7$<fN\97fM
+%62^+[pa]DhXd!OIFF28PCI$),aAu:PfiNudbbi<u"eW5_F%K)@i,4)jnJ?*ppQW$0L-#%GoQ^\*[g$;=_g^=8Y\MDA?b6cq*/rX'
+%5G\;:Ri\<AamV8NR):fm3R12"B^U[]0CXSGX]6AZpZT6Yq^n(Z(.Mb`BA('gYaaO#h#.1aF-B)nP>pIj(];R6Kl`B`F.]i>r7`LT
+%Ut9J]=,9('OihW$DR?^B\,M\7dLQ)>m1@10J1T!EN&LK+8Gs?'i7ZCFLrY+hGV],bc/q6lg&+E>'\LW#N(/DU=T!BtT0K1M$MmnR
+%[#"1iDPJD4@/RL/3be*'C"7u;U`H&7g=+5b[f^p0lm=.:ec$mo1JZjeOgR_:rPM(ko&S&Y#-[S^^b8SR7HR\`<b+,ndNrP$Q*]2;
+%1TPY%/*5`'2U[^?Y#$1We^#>>Q"oVLe!38+40@&F^$_,*kZANj&%R>R8o6]0hPlbE%Q5&&`faY@>I$U9_d$d=11`kmLmTkL.OkP)
+%/ZBY=D:uKdL)Z%b8Jf,$n<d&^m;(_ulE8lHO`FaeD3C2J\MD%I`C[O'lcD_.OK_acQVcmd2BC&>/(ZXtY0k:\=0>ae-)=d9Lhc4F
+%[jE1T2+!c1QY:*0Mb;Ns/N!&72N]NuIgqK/5=C,+:EZJah\4eOchaXO?W8DF7@qI>KFpL"78/Hb'p\Ti3t`1:TTuD_+.$$B3U-fk
+%UTO4#'AZH4S4a&>ZQ-2+W\kNl,]gV]R8&J-lHt1$'g`X%.rBRM@pCSS7gfBI<pI)!D9stS[AM*.^25Yp8'Q8o=X>FTe8Jf%\C'W&
+%&4M3:k!/&hFO7&@e/1c4*^$bRE0&ES&J[%Lc%4-ORalp7XIQ]tB_?&f$E\bgNm"gbg,ZM]PKKte2R5;19jRr#S[Nu]fp&@UTjM^q
+%bN!$CgM9rY]_gnN54g/_q.Y_Po0iol7D5`^)7qF6Ujctj_5EDYPub(fRj'=G)`DFoT[jGKcB;+Hfjf8/rA^u5WW$-+ruq"aIG.O%
+%BB]VrO57,?XIR$G7?["rS)[)%Gf96?N1j?j0Gl:h8p8ud80Y1X7(\/mK!Rb\V?kTmd"4*bR#8KGImu^mpL(Ch$4KGLR8&6h>mlXc
+%<\W_E^hL/.0H<?Ph[+_hb+^Om;T18_-7+dfdkZ2"8m!C[qN<U`dhUAO2!3)EaM(mI3\#gXJ[V(@cKU79e=*LZbIYBYd(m]VZ4L2$
+%JqC6YUHAB#jT_h^%>+B"[hTXXA&nnGTZOtap;uU!4dZF$Lj`H#%#QlgUN(W/ZY\338?kA,+/uun>jbAe/(h%b^F$jA4%Kbcmc%`q
+%P2[lQ*KIYQp5f_.07ZW&`#i/WrMV`6X%(?2=roOk=j<n)HOj\mc<.90Xb[q=NE'tm2FU,,[I4UZ6bAr1WgU)Li/,f9603f$6b-g0
+%%>p"b5JUmN\FA[c54)*l#&foLJ63M:BX\lA6jb`Y.&2nHXAY$t1H7glJY_>3:(WYX1`?Is_aqq/H4<H`@'_^gXO_.js55I&@6o'5
+%C,kWPD-<0umB@Ei'H%?-?#(X:;J<g8;Pnd3;St6IWGQ=Wd2N=%NO)C>UTDU1P&`CL=r\G/WN\EAPp&c,;%B6e]fYW57X>)L<Z9;Y
+%2Be>FM@QcQ>:s!Tc=a20c.8]F);$P8BJ^3.PLPIjT[:^j^WL7llqb?)C,_VNA%!ok'iO`V*_iS>HdJ,Fp(8\%8:tS2@U3(^$_f*j
+%#J72k$3ZhA-upH%'[;N8(FUVt(/q=H;s-D7RNu^kJg7!Vp58i[g7tK6US`<t:lP)rQSWOk'nKlJA)3Igao^P2`Z"lWAbW"5A0\%7
+%,HMrJj97XT3\6/<+YET+!!e[L$Ekk4R#PZgFu5mK*;OMQBT+danY?>jNQigZ,q!'U&Rq#X00Ak3\c@]r29tZ$=?f9$JnfId>72/q
+%PUe8N3`gjO)+D^KnnBC+Sru$2^gUp@NhWqAUhguHM`@ZZC_4,eEPh(t'(8HDbe$2s:;%rRVI)brVIJ[b+iSK[9?C%<b-fri_W0L)
+%(+ai:K%^Af(b4C/Q0nW6E'PPPr*MqYo0",g+R3j'j3Qn]IhlV4*6S*:S)b7.+N:TlS"A/Z[3VkS[&Cuf]%H_NRL$EqdHGYZ&TL-]
+%>8B\geBSXW2EGj.O'04]W-*G&Z;[cEgMQnGr`caoaAUt@U;a`F*U;:<"t*j#&-!W2=K9j<TW'si][cWZ6kicrS4VgPO@5N5n.3M7
+%Z`^<KJgo`fhJ$gYl5uf:UUD0EfUsF8==lIU>l3W1279i^/Z,tZPI6(4NgEXFah^S9:&]i/*tF$b%u@8t/LT:YA5u^GW"I2^JJQHG
+%28[m&F(qb;,,pYA>:<$?iTdr-56i9`I8M7*3(m^icWZe81,hToEboI4.sr#r4tqYiHpqd^[-OW6f<TDO8/3b^WaA.%O-]7\iV;_4
+%engo-bM"tB9P[t\44L:,j$p&7"dd8t[C8_+p=dNfd1gaX#5&=+d5)YZG@4i:91ABab&K%(02*W?C3dseRi?`p@m;#;A)n2p6n,.9
+%mROgp.Z:a^GG8Io3fSu'frX1Ym6;BO.p!,7JZ1-B;kL"t=e2I]]/h@@<*(BGWq.R9>$S>CN3K:a.,N&35iq5!A@7UoV.K*V@'q?1
+%+Snkn#`^%h!XV[I%E.*LUn)@FN<@83am,V.hR(ZL7i[d(4";gC.P7$+NOj(Qdcg`-Op&(-e'd8;LqhZ(UHNLCc]iK$"QOY_R]XCo
+%<b:VeNqE@6'(Ee:#kXrn[PR6\78mG'P;X_da-!R0MYGd9T4g^+&h)5;4u`"hNegbY7(f6=iYA!qYNUde746#(lA7G6'UT5]\r$UT
+%'m8#A9obs>H<JgMVDosrMGC*OF@*Zm)>2._88K7'-==S$q$N/'=)^RAJeR\i*0IG_KR<qJq8R9m=)^L?JrY5\ku#fk02('H'^$`K
+%_$ToE:<5A)7_U.OMf!<Kg'p':h2il8%6:0=O;$=W3MP>k'A<m5BfF%j,uI``5eA0[m910585Hk+NH<Nca9h6ge?k]!0A78gGUYai
+%TPuJ4hmU+R`.RD,/p1kU<$'ReH-hScU09mmTpDVj6B=/OoV`EiNuA^C]CHH14K>/sQ<-mi>".Q(g2rRKb+i,i[m"S)-QG0V7__hR
+%$JYDl!Z&])CELq:Yg#p3oE:]FXMDlU,>JM(ieW+0:'`i=OFSQN#WSP'@$ZjA?^dI7,MWDAEC.I'T[pS`[2:Xc-JFStb`(=k1)/L.
+%C2+:4:dIdqXs#A)<s>#M"jS/WSiqli,2nn&&rnstiKt8kNp0(oc;C%"KO`d_*-4H`0df(CDFTjIMi_duXU^J$L:*u'lc9]O2<(V[
+%'.2"[`)T6jX$A!XXt!Zb3UV]lj%cO5mZ<mt:8g1UULjlk<%cEic#IW9N]Wrs\=/k_n<W+Nf*Z'd=j[3toWDaO]rO'Y%l?T#!J(J[
+%qW>Z_DY5[,7/gEfZ,$4p`.,Oj5<W_fMuG4]F82;SogK?ChtQ/TiD;>d8pLX9TBYCXY[)W@Rr&kq>>HEuDd*IUopq2sRmo3ceRJ2*
+%20qj6*b5.=QY/8H?6%tE:k._$VD>dRAHqhQK\"iVmUo;`$>\\lJU:G-bFY?e]H<3fr5%N0ZuD@9^#(8M2UhKB@c]Wq,jm.l]rh7H
+%OXDmjY?u,eHq_F1&+=c<8$fs3cYSXp:(C'`PPmm`pFb\#'Sha3gVWa]0ndR<:bD*Hp):%&/2A-NWU00)#"QA]c[,<`r$mo`*XFF`
+%"5u/#?Ydpoq-<1[Kf+tjOahS.g+EPLiqhMY4ubX:ai'h/*aG;h_al0l]iXqkg/TBXc*p2l+]COlcLelBhYX4LSWd2?GknU+*_5eW
+%O;M1B*St[5ek'9n<3?u7;fAeBrGo0,NGXTSLrMtIn&*'53'F78V;"0D$%^EeC7VZ^\^i$'SDK.,__5rpWjTAPFm&[hOkm';F_gG,
+%p+_"&9m20JZ_Y+=J)p;m-K=)+NTN,2gmKFJd-`9qe">h/^H^6?530,B5*''rT<Hn<*lVK]WT2SQZd[P!M_h2.e;Lci=SMI/_sVWu
+%m2Jh(c^<O&=a5t.MQ'<NV_6;+A,AAr1=t`FYI<st@!<OZ5B#qH*VN0.Mm&8NRo/V_GO"b_\d]C\VhZUi`n&]GA,i,lV[ou)@f)n:
+%l4hKSouOi4'i*VcXLX(G8n-=m=2i5Yl9"E5fZ_hQg-*+g5L9&LT[PaER!r+b&)jFXi('=B[LK$S(<Y'#b8VD3:8?59gPFCZb6-S7
+%NF+jR<SX^]e&,???<e;6S\?/X?^l1A=qCMYcaZo?a"Z+NpWI+7UNOiLoIB%]s'G/dYr^]5pJUmi:0eo78t-'HLR7?2N]]FWMTO3K
+%Zd[H6-bb&c(GAp^L5IW;7GK?5(]@TKCS%`GH-WM?>3KYsrKc:(;(/cuo#2\mSYBH[!`.FV&*R7?!^>EA+'_5-a8ua'kHCVWe&U:k
+%=ZdflVn7[Y9<DXh\e[PP6/@7sqRN1\4k<:fNNL17R`/@7:@k1Nc'P6/;jW8_Hi0Eqr#B'K1HV_72o;G_T!g--O@c?GJPbIQO*EF,
+%Y,A,I`RCU>a6`GAA'cst[.850?Is=WHBGd%$Jh;6G1iFXKfqB6_qdJ!Vk]GUdnXi=N`N&1O4dbk6[&d5H$6+Kqh;N2X-XW7V_=BD
+%a1>#c0=9K[LM4#-dckfsoJ5Y7fUZ>rNr#*a7$uZlgMpVO:8QWKa.CG>gSE;RRo#g55@J`(\-T1I%poAAe7gmu4%3%@iC^Gcp`&V-
+%*qnn0NW8OM[Y['\2thYGm7bhmn!g9bFLn[A'K,a_mIEeA5IR>"Kp/3SO*3QIf[A$orEO^?P>8Fp_QfC=DN?/(qekWi:o!\\Y&kYF
+%k.3&[=CGo$7QN[D:'3PF\ikpU&4mOA:ZY?ZSZW(XYLNm)D,rmQEMbUXkVjI3FZPA.VPp:N86lCAbI]fO]iU%aD:RKP3pe+p](*KE
+%;p'=?f7tlMIr"cN,?0!`bZJ4$k=;U4mkq)(p;";*UO#Z#ZPD)?N?s6:C#"oUK`:;qA+e^?1&W.H+/b])^F$nDlZ_s(+19]0jf<:<
+%@VZk/qq*U)IC;!m&C%u@0AC3l=1i"I[EI)i]jt#&;=^#rD^OO\HfI2eC\q_E.k.B5@5Xn]>!JtpU_RBe^Wg\FND71EH0RJ/o<6L9
+%e=Q6]Y[['mfD)pkmE]Kl<&4FKFXq(-=C:<MotQC]Y@b2iFKa+ie#t-.AH1NYCL^2ES=-RJfBk_MhDG17aILjdVI*-;K2oa8`A2=N
+%h4HI%*A)sPH^iHR;nfX,lW3[nE^7D%K"LkX=fT1XD._;T,MUhc;Qbg9QO@Wl@ai`j9<Rk`Ki#q9hL;c;%[;,!UUL%c,@t?X:!fk%
+%]PZP*1=`Df%Pt(Xot2.keAb:UXmC"IU&"(q"*;#;ODnQ7B'.r49agCVr:QV-qt@GWhL96@h7b9:%/s9s,l!XG#>X0N+SYP@iBnu6
+%'s8h/\8tlq4ro*kf&OmGDI?Cb96TDiUA-WpXrXB0_J9'\CFq#1c.gPQo<3s@f932o`a3pThqBW+n;8Ma@*h#-lc:]8bCR'dj=%L0
+%auqm9jcCe6/r@fVqYKlOD2Us*p?]AGf&c+@iL:4\`T#MK(S5Z"E;GQ(/k@;'m%2fg=p0uEi0qj/EBVs:9!7iF\b8U(kPV+j8,q@L
+%bJYKL@1]Pi,TPRNKM"QEZ'VG%#0"q\1pT]/#5fO`>)nJtfT!!s7$'T5G\hc:GIi-DJ*\n5<[-OH,OQSq+uko,Ic'p'>N5At4SA%F
+%(\,7JIEZkZX2S7=2a#[L6H.F012Ch]O+'#3(\r:0iB=hn%IRmmVUh!ULNdjJp1V']M3<Tm%"go(-4TF4CMPRuDgBp::q.ssK?L#r
+%.be=rW/7R1SaKZr>LUF>Y*R(*WdtEpdFWcXRLd;t,;?N2AZ!?<N=\oI79\S"S-pe%nootuA)9tC]s$gH.lEh4T[OKZR#j9hr5a:S
+%hXDADU:EM2(E2CM9_'TTAqe5ll^n#$EUhNUEH;Y)9#XpdT"_ce_hu]V7/?^;r!aP&?cce7md72emN>NG)_\8+8=S9cCnT0V2IV8)
+%4Ql[*Y;r;Z)QeXS>'rZWe'$OJm=ART>0U#mmW#Ln\DEq(?8TC*p<2;9'kKSfLb@)$1JcM41p62j7k=$OIipe^6VWhUeEk#9/8kid
+%7NS'.7I;r&g1be2ImD>Zp[<,p-!3$Wqo2'd]g(ED%"kU99;[>_H*kKDZle.XBC.C$@]C\p5qSZRbZ^NVmfrXKRS9&mDD]gbH,tZ$
+%H$-R&h:Pi[%1[&fOkhuHpOS,^E0/WVf86&+2>/r5T00\6,Kn2eU_s)l\8`'@L7oU1NEo,gY8fpKTCQA4h9J#dQ\Vgb6X_eJ=UYVY
+%kiZCLn.Bb%YE'TlePHqHWlH@_&_Wrb&j$LY<tD;)nYD2R.33AQ(--6O"ap;]/Kj_J-qhXpJ4NIbjBTJp(WZ=lMV6&2aW_,VngHUp
+%k%N?^*:70]UgN0/kV["d`ea5UXE"?]F(EC[V):7oog7!VbhXp7?VY#^Rb`j]G*6Fm?<K(/9oHJu<dX2h&!^o(H!$f(amQnZ_X$I8
+%1X07.D(t^a<=X?:I:95060d`_)(V$117f;G^%;qdBJq_e'ASuc8^$qs"r3YL8;d'i%1:di%ng''O>8*GN__m<iRXTp7*)If`-fOc
+%dJII\@U=ahe`R`109$m,I!R:YVme:-gWtSG7i(LB.M%r*U0Tq@(?s?fUW!=BiKS-0<'o_08Mh_<O$jX.]4#^IHjR7HVcd\ZB0g4*
+%[X'R[Of='ZP_l0Hdj'.t,Gjcqe[ogM<.4a^K&"[9GOiT9Rr'JL!;DEj],>YqFUg#okCQmMT3/S$+[`8B=_LrFM5cWWlnp`F(2`\%
+%QcEfu8N2uR\Q@Zf9//6&4Tb*OM5=bG0e[YGo!,XYI7^RpHXDpoqNg`$8W8KO[8UeT#fV^Zc8Kq+/fI5,]XE+(WOLTc-utY"D>2HF
+%E&ks8g?dQ*T.T29.>?LP7Z"O;E;++QQo7UZVnnOm,ker0^PAYeg[H<NV5+\8$pf,J+UG"C>fNTk#-l`l/dP)Y2:c$?2cVb@*\i$A
+%TiX<YbFt:Cm+n9TkcIEfI`-PT8l*ogFm]tHbtM:qLA=MDb^o;#]j_MQhIWe@rkt&okg#*&:U)d!6juSNJb($>Ch,@NLGlI6O<-l9
+%81r6*lX\.>PTdRs#PH*3c"QM1'2tI:;du]UejKZU?V,#dT!"nZGC>nSX#l,Nlt')@k!%e$;?$4[4"FUgi(cLt6d:To_4_I$@tg:j
+%s(*s)`W3*AcHg"V?K"gCcg[aH9l6+-l;Q].HnSEZhJ>-AY0P+SFahSgNFqkce"(An(q^36lioj#gp$"+6kGb`k]r>:((YfgW?_+%
+%k$km9*sTW;_hFuLnL@8tf[Pa9mfLW=Ls+i:Lg)F'[0o^f@hocrcopg@FcQX`6uUAD?KO2`:O$/Y/fRk^GWk.m?eC'%Dr7?+K6l4p
+%C6?hrej!$W2NhPC:,FcCF2I60ZX9uuGKA&A@-^-HV\1=hm6p"-=2C!8X<C0?E;Y/J1aL*o1m]7"+:fseghj.cQ)OBemu,"u0Vp>/
+%5E5r<>cKCg%oVL<^-on@Lb9uQ"F#2"P[<;?:"`fj+UVI1>(#qO?Uq$&*\OIRn_/8e`Ksa$PfHi7IjckqAG6UP;Ehh.np<)-0O$:3
+%Z;uo-LY7,L]@1qBj'eN;hB>`HM%$DtnU8/3"$f6%T/C]c@^f*%Hf(@QPoD657]k?0[o(qL;AS$Ic+L:_!a86dB^#1*k6Dg\,F_uO
+%*L6LgiFR&JH^S@jLN<1X258]`(:gjT_VT:*?!(ESj"[:rpSJoTFP33l=LR_8D=r:=AKs;T#3GS2j6d9'L;B43/.:Y=$0LF7#a=ks
+%4N+I`I\W;o2i[V8bEKYbnb'A5HlB*Bh8eijL!/li,)80HSHD0%?Y*M%WGm7I(JZ;&:`8c.9UE1V':)3n[(7bE)'NimP/n'@#3_P*
+%7GH2n9HekHdN8iq"j:I!rG[7mn4c.?OMJC!/<3;LgoaAi!#1.-f!<Z&4RCNYq6IOQFEokAe'0)grG#OF#.8%7E6c@!+P(.oq]=F.
+%I^3U,@JOq*>klTO7:TOk?DDSDBJ5B_q'IX3a"7fl-iq5-JQ:3*)f'U=$)[)MA:TN_+br6$Nt)*L\YSB*B\E+&rU#cC#gaD/7IQV9
+%SAOmh)HWFAa0Jhe1&Om-Qo9nP7'?@M,?/`BK^e1a;>)"_J]9Ze/mSnOh,GpmMf[]3BP<>NQ4XMZ1)J-AeMA7nJN'V#rb`=QXQ;.Q
+%Wj#a5r;;Pn1;q'iogH%K>ZcuQN_jdIC.k(@F,FNdIU=-q?qFh<[X'!"Ne[bY_H&5"4FDqQq0N^YXJ`>=d`!t0F4j%ncRY==`emlA
+%H$&R]^m0/T-').tK6snbK5F>$Fr95g/6_TCSe9XoY`cXGiCKgcoPM6_\UVA1\c4SMQMY:n.WqfoCj0]PQ8lelkq.6d9AFoYNK+QK
+%b&MEY8OWNcBAYhseR_;>U\4J?g&$P`RFgnYfB]?(MlG=35-aeW=bMsDIH-tg/16Z]iu^Vro<l/'[iu`&PhY3XE@[aq:2Tcj,%&Qs
+%E7FOW^b:hpoeGiWF5.CIKIF[jm6Ifn)[4uifKou@VPbERg#j/UMGB:.F^MWH1R7A)@HMl45KsBF_b4R+ABo+^02%gWgk!;l)ka):
+%mQ`,sl40=0$PYRKP'h4eIsb;UO!+@$"K6GQj/jJW`,;ICeSi&^KuVq7"6NJ]9]e^V<nT\fqSsn$Yc_mYo3[&K^emVk.M@8S\Pt-s
+%[O,Fd,%kD4TCq524`JJ-A0,!VoeDAfjdcra\Z8\t<R0^RPoS-,K)puJ;7Vq,e+7>E28D/;eRETTYM:M3B>[tNa\eG+`?TSkY?W3L
+%R>Vq`G!&?5:#oem%ciW)J"4XV$.M4HI/Bf!B30L$5[LfD!Y5Q_CH((a<lMtD%55/up)TVcgOl/kX9[qZ8A!:$6cdptm:!D;]6:G:
+%moetOW=092DV2jBnU[@:mPtK,BWQ1CFMtGl)W8C+g0Ls;at=201jV:=gf(NT2ulG:]$n/f3RZab*ZO8]En%(?7e`7k>cDMtm/A\=
+%o[N(A5l/D'UWVP5GBsd:h\<LWS&*=FE,^S]S#tri/DYH-bk\Ms/C)6nRYtV`R-X31UC$*]oCgFV+F/]Ja)\h/>&/6`21T,"#"0[@
+%.bG^uWc=quZTlM"jM;_bQn^Re*i`[(49JuL)[erWZG&c&a^pM?2S21(Dn,Ts]Y)]Nl@eMK9A\JAo"e69e'l6>>(DpJ(+)4F]OdZN
+%RA*[dXWYg8Ksj^g-2.IE#EPqG`]6oRL:]\l,aT82RgY9dZ%*HW,PrZFJf_?*AfRqgBrNl>R"60#fX>;6S@DnE6"><nb3P]d/Qr@E
+%l(W%^*4fes+*aklSVNB9@Y(pu+e^3G;0?4-KH9[&Cq-tZ[:is9KR6.?ijsEu)3Q^H_V1buk?W_Vg"nq9CKQQdk',k:`M(uL/[A,)
+%1PURD8(L*2g=>O.7IlJm>bole"u)DXc].paYK4TJ/EgTHJR)t/kJH=jB&'A:[XEu1KJ&>5;qO4l6h'T_,[&tF?&N`5>d3uJ(;>l%
+%@h)\Lb1<>pkOS,OaJE*U:B@:p##G4jRR7qfbmW@A)!0(qqnbTQ0"<QH.dI05_NtRbjU>aJXl8-QE,Du_=rDQ?i0CjW9MWsW)S'Ku
+%M`EaR[W!SY[<;WMk(6huaE*'$OtSPOSRJ\\r/r1mmXL]4_U=s/\X<\O]$HYE92Y*0FO2IFP=$-T?t$HGi)OV3*76CIM0ADA^:mh"
+%;e]"eflY1C*#d.8.u*)kQa1)/X@J:MOn:@a@[QXVC%dWf2KHpMNGLX$h1_LN\s?is\6tIVYCcG?C]bq"p9eV;)n9K8"O1n1AF)Xr
+%7r94]Jb1ZtR[]X87uo[72o<g:UL<QVDf4so`#L'"Xg^@EH/X"'a1#KA=fZ#6bp4BGd8%rk1U>P.2r`$1a-0q_GIe+e7.D`XZ5XlD
+%*[$f)8YIIie&V'jcq5eVW"HCQYeTSe,25Nn]`@?P4p-G$"k4W5PK]6g$cqErF'2?K$_8`:9[%U>'2o_$>b58teao6R?7FV8Hh[Cb
+%98'BCV!so<9G>XZYd"W/'3[,'J1QTnj,^gV6UETgqW@<L!>=,/KuP3M%>-Es6+%bs0&$[@aoOQP%\"o;bcoL1)f<chO77UVJa&>8
+%hZ+;3jmD'=ml=t9^<HnW'tCT,\i^sU*bmF45A6'T+m=*!FLi/S_Pti:YfM]I\AH"3Y[&;3GkNmj+h0WgW-M1.!=<TU`lQ6V@^f*R
+%KRb6Ueg(gnFGZt.Zo;$9B/N=MM#jVt*aIhj18%6lS:Esg'X!Z8E+q#RMJ6<M1N/=;9XNS^;Dqob[_pd=Q4;)M.>!n:Qd*AfNOdOi
+%5n,Mc_\K`\&SC-Z_H:`/R6<LW)p)E&nL[-)Oqpcp5HJong"h'Ap.M#,Sg`+\md]92pbNJ/[`igPkYX6C)$l[;OWPjBc95iu?q2g>
+%?=^'+W-)jR@h`JWqj=5IVuWh%*u=1pWsq"TMb3OCLe1o\^C:MdHf49h3BM5G"5<EAc^7BX$]aRLJ:oi9[EOoD$'oG%Ub.HUL>g;[
+%&*I1K"jmNAlS6RO?oPhP7gVd=j9nB./-jLXC!>PTYs$tIbdW=F12hI#9Vl&bqTAe$$Xc;Es)sO?*>YN:j\MH]B7.gb["[Cd!<^si
+%W8]([+?*s*%MPAWn0lSmCj@(5K-TXcdtTHGb&VrOKIR0F0-`Ci6$b=BK$Lu1]ZKVUKW6%*P81sPOa^2GO3e^oZ-:]i/3eVG'$GGq
+%SR<p"*[X<8bh^^dEc(JDFm>otIfZg%a!$bZEiHm\nKnRLaeaaNbKCL@Lc2VLH#=-!"u#S*AJYU&HV'VQnR=(S/-G$='$KF"_t/as
+%-([aAbGsC5?`mL[)_8O4.UVrm&WqY%k3b"X8ofI[PQ8OBk,UoYaSh?af7h3lpX'hmGgafVi]ch9#BP`fptOHN%:X43S"08<0BaDM
+%BkP+Ga:M.CX*'p_plh*P$gJCHY9-#4*I7U"hG!taCX^RWAKOOEo8NkEgR,3QN_iV2=k"flcT_*-m-Jfd$*RR\`KRM+[QD2o\cUpF
+%cecDsb]dL,G-ZF2jgfC[[LhhIq"aa)QGOO5@oqX5p$f2OmDVlu]3D!,/)sGKc>W\1[I8E)%[cJf@&D9*JOJFUq,$`r2&"G%<3:ME
+%)LUR0n5-O\R;*?D[If6SFlcl"+*jegpIr!f>ipL6g2nr?IAg?D9Js*MQMs^g%`jQSq2'm,Fb>><ncKD&ldjACq2pH4Fb:nso$SV[
+%eicq`kO)I?6e+5V11[-SJVU7JcVuuO*S\CteV;\\J)m;<h/s.Ngp6:%WccWe_hp&8:c0We(*g>Us%p+@E5i\'\3\JHckg.4o";k%
+%a$\Cgn9lmoIVB<m;\6=sTNMbZfC2To?bGKp%oqp,\#/\*M`k%a5c/Kb<6YkTB&r;^"Q[iG4KaaS>kk"-?9C";6e0s"-ofHa?l`Bb
+%#0nPXGp.Dj#<7(Uf,<*-C^tNN,Au9HT'\4LHs%7J7WA(V/*87q`?IN200G_68:Z%m`ncY4387;R;`6b-_fZ@BE^=rY[F<8,Q0&dP
+%c#J'S?^0]-B6,7=(PHF:V#_7"D2c)G%+"&9B<,D<RhMC<!R<UB=RkE<3Pa=n?7fg,ZT2pf/74Y(K4f7aOIZ9'i7T+.CnhL#(nStQ
+%c??cPI#lK4fb[D.[Zc--+.g^Xc<ep,lo*d<-$.8bn8+,]UpgYg^p>&q?oTMrRff2*JZa-_2iS!df&9r%O>i.&cF0N'5'Su@D'7_=
+%bR`$S5A\-gRMB%=DDM_]Ha+;A5,1"(ME*Q-c#f<ViRsYCZ-emRkZTbLA`RX8)\NgRi!c4%!R>k?XLGd6ZNb&Xhg)\]B5;/6Ee_68
+%Hd?.=DeH+!f`oUAoldbmlr81iCj8+4CThR3cF/(NI5u4Yj4GDCTj56KBBu>AX^9=[%W!-2`T$Q,k;[5-gY);R)j^#;[P:j]"ch:[
+%f23<FrAOLWIQ`SmFF!$=lWGd3!?#P5kI4KJS05hrj8,'u)!?\p?34TkJ/%tp`;"qf13"MX\Q3NTi#9j`Jhc:MLDZWgc/BWsDM>0!
+%*b$+8OYGf[LDY5\oN.;BJJdR/*aB72mP$HLS;;16h-VX@HoW]hLD]3&-$(fZ\D#g>3Q1\ZaEhaB3"O;DEQ#A$m-%=Zj*%]&b<_(s
+%<#W`7ru>M'EqboT(jBtiho-2f$8)X%pQ$K;kJef.6B#,]U0&1?SC6%Fo<g7`j#/a&,fD\9NUPQ:72A=N0DK-B-XtkBB^mG]j!oo0
+%Ju1++0s:22r"NUFKsJ8b3Q*n4A[)BV\:YT<(I3rFYmEXI(geiK4>1069>2s9(t[3'nMXV?".9ZSY1I'2"u-UZ/+oZj5D'g9bLs9O
+%@bd[U1+-NNEi5D2od(g%+ZGYb%V>HlEG'1sc\iWQ7,7_@@XL0mAjhTa@n4cT7>r#F5`G$8C&JHLggtSUrW$D4040/41!]Z.rF1S&
+%LUkps7#WpC6S0<5^'"rQ#@^s0@a:#X`YgVAFKtcAc$TP&l%j?1$R!V_N3b970-;odpYP4V&EAf4r`k8!$b=#?`&Pk`E'NMi_5>th
+%F+`saieo&$j`jG$GJ`MP^=E(DIgRpUrIWupLiHANpeh^aMLV_QaMknF`43M"[g^3bmR=Q+6B%CH2dIb>*.-Z>T=F&GqZatuoB\+<
+%1!W,:=3V?;o:a&:Cq.[[F6IS>*:1jETu.UqZ-2`[k]#ju/.3K$_'Ass3daST&<ljNIg-pr@)H!/]QA8*1,p`C_,$`A'l:B+Z@5)]
+%\,fb4,Ns)XE$i[&V4b_kfh3t8rWG8el',d@q@RhZJdnX3`K-\0'l:C>?+CM-h!Cm+jeBX-Cq'oqGp.:>dAQUMk\tm]fJ:h4g7-$Q
+%6AO=.@(7J(\?Zp>=G8&r_bGOq91=UdfPnkCh%%fjHkG1mU;PLnh*6Z)B37_iJ.B'-=\*>;&3=(4L@b3:k!b'ONT$GWoJEt<Q[fQI
+%[L'^ar^5o=q,,K0"gb0!^b6WIY2&"frgl*I+6LVjiJP=l>d5TK_j/^:o)'Ig>bOTgVR0TM\:P06H%$5DY+.NZ1\)4CE.oKXYEggV
+%*Nk2.h)ciS7>EC(8:7X+K+:u:e)sS5-9>DJL>,*a/;+Kll7bGR%X5K;o:a((p18O5E!71u\9hL*3aC>X#0LOlk]#Vpb4toW5_gj_
+%a[C,$#p$2"@=A\,^=7NHU%VXMflAOlYK9F9=5P5Y![RUodn:c;HiM69!7^.b>VhS=;fW$%21NlHjOgnR.T:#0?cIm-VG["=^4pjC
+%ja4i+<+bU6of&E-(#t4Wk`d&Q3NZ>@O/(C3fNW<GS6_S_=W?k1W(r@=fn:T<%S>h`5_F+R`inWg6sJuBGF^_\F;Ngl2h9NCYgZ<h
+%I[I/ZH=mgOrP4aA]0'\orpa7X0.^F</f7u0$b_sEA5!tL3)aX2_-dtHM'\]NDBbHEMd313bRDm79#mI5([lH)N)nA903DF<*S&5W
+%hD`aupb\K)![?/-]Y9UHm4%H<Yh+U0pVdnED.Z\!h'.p"gP:N/>YZ[o5IImHkh>:lQ'f9?2!LAW7,dh"L^.t>l\"Ss3-sH+9Xp]G
+%rRJZHjh>DYGf7UBOBhaJV8R_Q:aFZPIS7IO0BnJG'--JSN4<ji-pu.@H.GPq!*iVI>8Ir<f<&:O=tG^:YZpmq3mF.=QU[mSgk0b\
+%G+)`3KF_t/ei:+[AP5+a/$<OPq(kd@(3pE/LR7OqR;mO:kjtBq8LrpM7ahEl9fuLT$bu#*%#MsBWN:1Ga`i\A27]iD61NbMEJ4LX
+%(YBOM6H0G*1"rqS&V7d'NaLMJ5Y]hd[Z&f'>d'f$X<k$,O)Y7Yd&s7UiV[fl/HHb)hNrDf:G6uhh"Fp,GM,[.0$?UkqfoU1C_<tS
+%1_>Ck.B44SX`#kR`cuBH*'CN-ELnq;d$XXrS.n(l)-E\nph\X%rlVK/]FIulTCZi7M_&Kp`_?[h;na)-Z:o"kOV[cAlEFK'@T,3A
+%d63i:7,,OcgLYqDBWUlIc3>22O\'qTZd57a@.M:[Qolu2Pm><2k';67,HJiOE(S^3btNGI40O7\j5#a&*ganO\%WPm.``FAXY7S"
+%_2Dk1O>,OLEPs!`Qd*<)=[5!6EhgOEVZX'\VJ395:jC:MNC%+rGlC>QJ0u;=Z'i5dikQ7L+V>a-R"Gh*,t98u#fGG;(Nu`pH`S+J
+%qoB`6gPZn'Wm&JnV1g=+e@OB2@/Zh,*A67Aq8G@-CtgA(=Y<S[91GHiN3pZK!TGZb>oBE0NXj:Oo%e?)Z6EYI^R$43CTI2UY9oaV
+%n3]^"<Lu<'`k4I3@_&pNkOH*e85mQ;T"gU;Q><PagVu=h\IRL;Y?87+OH:j%(DP&U#)dKeb7Vp2Yo'EPrRHQgZ$aS8Q9i-eLB96M
+%Eltk..[JHfDi?V"$]*nkHa1fj15hS<hT!#$B>C^_bY9#ogru#p`eiK#)_Y4ZVgM>HnWmG$l[a?HN&`HZHO'9UZ6aD"anC`+*os?p
+%liVjq)=;BirSH>^i\O<P;J/*Y0TXg]SkC^"/1R&8iBm8;_sQgHCAS9A^os6;(%jRe\D<%DQm>TsF)g8hH/NlsR]p#Pfrn2],r-Qa
+%I7NjgEjo^+[[<aW7aI>eZ1YomkLU%mjn2MuZ#pfgRZ";78]NqV)!,7L)N6U/R/Pj:G"hdCh3].'9=t2%^CaN:XBMRk2#<V+,;@>0
+%Ha@da%)?.[H`^BU:?C*hF)fZU.5@/Y`g^n-r'KQ<mdX!-Bbg'-SfrO@pBt#1N7=$J()5(IZb;#raBdS,[>MSMk9-5NSZh7l&i5=#
+%fiOeV%*61(1lBXhq(Q*fRK5I\PR+e4Zbg#AcE0678;G;G;RL,1nQmW)a5SB)hX$3)Fon8"2gffjbsZ&GPE4apiN0IbC*f%4#>aZH
+%X7##Ihjl3&n#S^c`_u,f]=#<7CJ[%GBRPg@Z-(bo>PtOIeiEYS^\Bd*<K]q?kMj&EI9R:QVsVXI<O[0nZu\FCI67#shVN9Wrm-A`
+%k@ME@Q#;Yk*Y5/Y:W9dt*f&A'X2EM-`tMYV8GaLT)RiqmX`ND!pNlij-,*aTAO=#@X5i_9WpJSi3BDA0gg]u_\!:i!%R\4^_1&=b
+%]dnhteqP!7UW\RVn[NoW(sbD>2^TKu(\M22/=FX[eiF`e5`Y"$>R89o]Ut&U61-SaMdL=0n2?_L[>MuNC2Q>S"d_`GEe2%J/J9]2
+%]=k"eWu&<um_]CrVSq3.e_tD='VW&Cr#=>XC\B7PKLk4bB)R((3/CkMmk.AECmJc.*aIUpHLAuBM0(E:.9DO)2Vot)HUtV>HI$)7
+%?<MKL\l1fnLjX>\D^TK/_i#V6?XA*T';#e!4C!RI\+-rtUiWgW'!InY1@^^K<rTUYE.=5n^$P%^pkV;/Ii#O,PG$*_/>$0ijn#N:
+%(8^bGc?LmHc5#jj&pr*`gdg`%!U\Fu21tV^:=I?!^3$4?=BVK3GU^qngE3'^OQrRuhEJ]dGP_HL<QK3#!e7$%JP<T?%d\FI@@QuH
+%J\fmCH`I`P_I>nhf@B$nQ`!XjV;o)Qpg#l/"E\)ps"3&Q/UnoBHfmc&>2)3q/[\sVXmpWtdiY/Ud&cZLiO<DRQZ]JQI]d7.\Sc7S
+%#_aVohL,:mm37bH*Y#Rc\+_1:A#FPFX/O(@G?FiSnZC<r%LK=SSo"Gt,uMltB!oP(7&UbdCHpD&/i4J^Rtp6l06HPV:T)iY$Al+R
+%g>R:Y3R.gA]o.uViU:;,NK%*'C,9jfH5R3FB:u3+`u[t\Vh_7pgh5S/d$YsC*^i-dm+H4Xjq9>]^KljTebl1uLjaV'h[Ve7;NIW(
+%B+"Zd5MV7/a)EI)no+J4s5@,"jiR3#)ZaX=#50g@rVB97Z<*Ie=>hqjH7JcGmm=`/Ge-;lG`NuAC/1InLOB!\/tVGNp;50#^(#,G
+%5+W\!eG3/?$0^:]%il6`humqBcYjIcp\&a7pu[&eND2pHA[GMDgLr!QhpM(5<(F:+O(>7<Z`V.;R2`HsDQ`(s:J5\,G:eX*O]q9l
+%8=Peb_o*qA>V#;sjq<L\r0RV_?+p!n4p&dLdTY!2=*D/OHTth*KC91Pq/+HZkURYqV_59]Vu6)TTi_%Ah%:aCZDF&,2sF,.4Ts^B
+%jf,ej'T,&n5+aU^mER]KhH>=Y1tKANjR2uc_Y8,O\EVo-MQN`C.tu":DEp#"$P@NM*FQpM1.!gaYOh'#6j_1La@23.gb%F/hBe'T
+%kbEr)l/A^G&H/)ujUg&#^(/'6SPSfPTbANBZ0'V:'0:P()CkbT<mk=E]7fnfD9:8WiHSDY5fE/2)[a2Y'D^SJ7ilSY]%p/cB<L##
+%*AicN8cIe!i^M:5mj05s[sH`[iS?GYXs%6KcpNcVI[[e]!Yr@.&4=kc?'5(3KsLC&iGJJS%^FNCZg?5[;+OlN2VPq3I\lgE3br:Z
+%F4l?Hl*:-:n=^LV_-(XKI"C\ZfYcCe+mS0s[Jl7PmVQ7jgV`PF@9hc5`LH6W?JVL5ZZ6OHpR*'scquM*PDef'B&`^8m`8H[^ACiS
+%\8JpS,CJ5C.Vs5LVeF'#EgL^!6,f9kZnD[MW9rUGS/:tsr3H';>1gr@!krt-&W6mPq1n5n>.43)8=ZP5ag.gcT0C@TmYV75UN5o'
+%p*#'QWG2Q_He,Kj8mqT[GJ6#W;1?nPRq/_*/oS%T_<_p*94H7n%N"D3pRmqF#%InCqkIET3\mNWE;Ir)2=J!Bo'NL")mJ7i@R1j7
+%kI56a\(DIC%-2VI]A?M"Y]5:b(A6cnPCj-H4*Ms,eY#`@4I[,D[Vo*;`a5X>&Qlb+na$aJAi]ti#<E9gmq)6pjFfWGk!%e&e40ld
+%%Ir[l'kC]-G-dOXAT#0FG?b8+M;1CVPAJQDXl_[8M&VHO49:(-'H5ACJ,Ha!G,.;Tn_:+B.f,oI/++HA*FWQ7InO'hdbRms2:4l8
+%"<TdgW;CtC4+'*[*'JcelIA4#Baf!glqQi\2S-ks%A[.K\*j3'])2!7HhL+fF%]u<ZiS9URb;$:H4/Cl07NOt_2B^*;CMBF#;;M(
+%a5nYU^m#ASc_j+3(/=3EO2W8Fg%3YZ(XeMf7t%0tpg:5q_<Zi3^M@u]*:W3Z>j%mYL32b**^c8gWSHKh7BIcbHF&'f*qg\]QdZj6
+%qrq/(1E[IcnRU9)^7WY.PW/^*2nEGphgM#n"t>T&NKeW87Z_*WI=&I[h99d`UQJjS\)!7cS]U'qI5jI5cYDQ77*3R7hE`m,Ibi5]
+%S?/![MA<l8XI^6ccb4>`YTIG.g-Z369q2q:O*atg?6^o-4,3@[KcN-B\j/66I2?kZX2Jee*`"`_"1jYLXj's0[eEoh0%9uYa-:/$
+%G,gtRd-)GTNVjQ]ottpZkMK:0.0etr6<rG4LD=!7as0*SpU@mV=P_U=]GH>qp9$f(\C8`&VP@;Vo[0;H`2EJ!HLUT4W-^J\8penC
+%4"N'@Qf%d3p2[V#"(kTV[pN4O8o*$K8F&WJrqR$:"+:u6-_ET00Z+H=Cj(MdH5Xiem2Z4Eq*&OE.3\uK=[QGAirnc<[hgJK&&-81
+%DmWY\I!mB)rf[XR='[AMcr&GEKH*DU_c9AX35Nt5s)+lq(C!YP>Cl9/;@oI2iTN-)J=",fZ&n_#Fli8b.A>JgTco,O2NCb3eW4Mh
+%Q!Ynt;Z6cdKe55uid*J'Fj^'06oqZ/Q38=;5[p*FfmHsn%CASSXfmjU;B$B9)0pS?G'S8?+7mgtr,umL-2\:VGOLDQmn:,dYFNlF
+%>A$7kj^p[Oe*MFkptT-Ci8'1G"N1;g;ksJ%\s'g:j#Pr,nTV=!n's/S(@/"D/,eRIC26%_>KXX/AN04_pXs'HD>MXA9GK]Jq84[k
+%.51ROLHNR;cU]-><G=81p5-bHq;+"AK5douZ0CLpYP?]'EPmYKdcF.XI2\4@GC,.QO3Xhol)1tdlpmU>;mX<[BTQ]+`3Xeu\4smW
+%g1+cs5hLmQZX;tQ!&55"3H'Or$q5Y>HolKnM>m9^eE%!`2\2"UfhNOn7q\m]:cgVXM>@.eZ1p*I`PqSr^gT3$fIc;:E`Z3%;Go&4
+%j_3X:86t;"SrjMl]-HX[]6MWCcZ,VDmAK5ub/LcT0`,Vhs%^&[3C0R9'o%Z.d9L#1md.UeRh_"XY)m)n)8D!V$6@`,nSP_g6ot?P
+%Wpn[5FDt=7hK(HKdcJt>)YQ^Tf0BD7Yn1os[R1q5Q)hn%f#EF)FYN0m/6GR@Q@#tJ$;0@J[X)1G]5cAQh(Qnm&@(,p#B;LbH8C^T
+%Lc7c@T2mIumhD7!H0ga\)FY[\ls.4>[Q\">J^)&_Cko=0r[:%AWabk<<MqL(X\%.qe(k,SPKWdfeY<);N&8gb?luHCE9&e40KB9j
+%0U1mP`cdH0I5b(^p=O&4`oFae=7IO'q0M9XU?%@3n2mt"GdtBACsl"'fM;U+ii^ek2Y;3o8jX:gJ#oF!(QlVb`E+gA=WV^JHCaU>
+%He1FR:"8l0ZZ?;A/#c%o?g.914".Yq9\'>B@ob74gWjoNWP0$)SLa,RF`m`BaE".:eh[Ks6CM\gY^9O"buI!WenT;^B;X_U%ShY3
+%>%sT9Y[U-Cl.=Kjns7cXM?BZk"bX'MYf1)9<qZE[lJV<P*K9+_c#9tdrn:^Jk%ObC"($]HBq0J\OP(3=VOrN`a6i[R1`kMmD!tot
+%;e6K37"]2u7cLNEg+KVq,$X."E84!0Mj^XF"In?A<$E44#pI:X'q'KVj5YakjqoYda%(B0pDSnRA./<3Xl?s[M(/^P]"L7U04pdY
+%2_p)nYNi/'NI;#b7HniY04sbaYe[D\4!YEpY1U9O*2YhLqMo@cB^e*iFQfCb-MlB]I89ue21uH\nJMYW`^KDU(dMI,1UIW>*UkP/
+%bUrQ>SRSaASHI3gK8O-fK6fPe(fGf\0ccG#K=X2S>7F11.YDaq,\2,?6UEW,*E8u)NEqt_C9h%0KG9`8]Y*W:(13\h6_&l\FV3oP
+%`Fd`\]A,pC(idH:3D))Z6B9HOfYcq;204%DH8K`Dc=M9P/F5=6d3jJgKUs=Zo3tfj7dn<nG(-X1'Z=7#0=up""lG$6>@"8YquebB
+%c*_BK:<_*SSI?u;3l"B`(A49Hkqh=blt,QicahN'e!-M0<3Z+*=TLBrZE.Scn"u#S[@?U5+WX;;X_]g9\5drO2_NErhGG->8[?>]
+%0@in9ZaJp_H5\"A5W^5J(Yq]N&#shp1!bqZjf-G`BM`a[$1Tb,6/bYgq:H9CqtplE#s3H7BHLp3+nak?[gr_L@F?SfO@UX5^Z')1
+%%uIY*RRF]d"*n:"cC]7B>edn+GFLJ$qb"??G=\h59QpGN1]>PO?P_tDJMK9L;U8q5_e2U)GkXphW]liCc)AU<#pmnd<%V%'W^njc
+%U3\PX;t%AH)YSkV2U#cKF0^9P(TYqA9UeIKZajSR":n:#UY%r.C::g+Y^/#eY%00/")EBk%fquB@<,TpqF[M8%ndiAG5TTu2?Us*
+%_5pd\0&Y/']#JpkNG"WX4M%FnnbrA!b@^)cf\O,1O&K];)s9baDT!iV?R_(n^KdrTb86$I7GHE&"f6"F%A[:FF^3V5RMft[m9G9k
+%g:i!K6ba)FiHh]m%O;)d;#J;G/J`9Of9[\?q`q!1T0@^dY2F4YD4]i=aNBM-NI4<Hbu3Eg>`r[eAu1mh2t%GM!A,'epUZn]p*q$Q
+%'N_UWhT?;A[\?e8Gi;-F=M,X]YGZE=dP^6tTSa!eYC'9e$?&,D&+pDkTNdRZ?%A19)h&2t11$<=[IW!lY7H!<mh5Gj2uS38gRYIP
+%HVn.TDWrcKV6q7:Lt*]>T"iWfZHW_I^p"V]bW0iJn_`r9-g`SV%p"CdYP<kOH;ipqQCO,Ds3HHORI2^&3&]3eNE@(Ng(P$.!oGV>
+%ScA="RH)"=aToMn;9XNuh[>E<V>FAk&9%kl2)-k!&47*&AkUZ37EMZHp\>"tDr=D<RuH/A-Sr9,g-sM`n)E0=f-f2sJhMcdf>2gO
+%0D0I,\JpX6:qrh7>sI$ZkrPiKHC2;<FgHY;X@"UF'&AJTdXLdJVn^L,?Jhb8Dm>KbnfE$QDPOHE(rsFm"0&h%c7(KhGHVW>r!5%8
+%4)m,<r!5$Ud-*D,@t(Dq!$"Hq%R38g,SR\F*))2TI$pj,js1/t;mP<jb97)V+gKr7b97)_RjfoFYT.*P%V*HsQ9u)Q0$0>:QkMj\
+%5re!Q#,LiP&JPX_W/18be!;jG@*[(C-r,kg/e.#E=7'ilEEK!<leT\7BrZt)\@1,3&M:e^+f7[Ac_\_XZDie\TaR?HCH4FIM7rd5
+%Q^7;@5enWF2nZ_+_pbfgZsr6;RGM<dPg6.@s5Xh:LOCSe5pp1D[D>.B0'_pKDn"pl%=.Nb^"QEY.piVqB0TPkikm:[We9^M6ROg+
+%_h9Df7BK28^bLu$B:j<l0P+Cf;jr?g\^Y:FXf:!)]0&d%L<$jUao2tI>Fmd4H4S@Ud9o8X3?2(rJD?o6rj8-e;6jOjf[>nl-5r)2
+%3/np/meN^DSgQb;8$D+n<_e1_>XGgi/r-#aU=</+K;g`INI>/jB57.hOR8Cu=24P,idW4^>NdcZ37T/=i#^ULSO+tj"u1%o>-cN&
+%R,K*a)sC_lQ:&(1*FY]8W*dndKJM(dr/p>=$"'Vc0+@UL7NQ$kLlI?4U=B%-8EfY5+usuj45cSP*C^Aq]$]hR#<-:.VA7@V1"80C
+%#2Z@(j:I+tX,L/JB:(dX^'[F9fjgaQhg$3*&6JDEmmd#oaTFr)Pm`S=+)uc&bt2t.Nn3W>)kN,EVVRSV^"K>KVR]p/+["H1rjTM*
+%8a^t#p%c>_UgLB^1Z9=U=S+RY5Q&g@H0'D!,SKak!Fi%_,'1-.l1?bR]Xi#+0sS=pil7&4Yp:J$_aO'L%^c6](,fYKd=3/rJ_Sti
+%:d7%eL>'AbD(,NtA$u+"HP[P[O(>bos#]!,m+rKrd?;-*T6Xq6^LBuW^6SR$?;:%EMr9mH4?Qu+l,pAl"T@Lq^9_t4b-gu%j6YBA
+%&gFX<,-f0j1IAEV+:5?c4[Vot=$7,d)o?h%8,-Z1c3%!>^'bemLm3PW.]V;?%7(IrU]VZ>i:&>UEZ_G"ID[RdKTEniA<Qr%>NY)o
+%`!Z$F)Is"QaFR<]'%#PpP<N9UQh%8`qi+#6Rk6Z+D<Q%al)@$?)^*;P2RJ#G`RX,B(Kk'@S.LZgeHtZZ85u*cZt?=BREACu'1qH+
+%&J<4D\c,&V1<YE*D;SZ'I)"tJ0(RD^qhT19?o6E.0@=m:)Ssb(VpQ"T\*OiB1lO4MWCYpMa.^thqZ?[UQ,V%qg-JQCqn\haG!$l?
+%N]1/h,l)Cp:QT8LdEaK(+I2$Nf_pK2&1LhY_>mmqlYS'B6:pV;@9hUCBY;HrYVf+hM5o``2]Fmj;hYJ9POk^*6Ej:YNF%.JY0`RG
+%Xl7[;1oNP1iEI&*8,\(BrJ-`ad)j[9FR((:%>MRbm5n5rJIpt.67%.U@IXmIqpUaRa@dMp`P=%^Y!/b?*H[FuH-Q&WSuJ#40k@$b
+%!MVk28ODL7n"'':e1T&*ZdV&u4q)eq-3ot[MQK8$e1Q3'J`cpKA,*PrabBJhq_\<^;5FSR@k>U(q!W7DGAD,I:$<&84!2B82K9%3
+%_/pC%I7-cD'-qLL8RoD%@X5WpW0\0/ZsiFcmPu3EFTGr>&tub\4:IeC54`I@NeFVq]U<bb&@k$&:s&&Ql7,4m)\uXD&H5ak)IkZO
+%FM*(L`_Z%b1_Lgk_n:tc]utjOd<PT--="rF*15,b91D-C0B#TQU;7C)]r=tO3.YJic#ClE%G!j\-&p34<#$s4WLgBn[L8e)3H[ef
+%j2pR]F._,g<8j=4Cd!R7cr3C^`HRNCkCK.OF<XW'LQH_/#B?qZ<nMlUN/MVNrfL#<$q109oSIq74,!7W;-;J"rBu,sl_D5NDT(dX
+%pn-aP"\_Oqkjn4@,GE*E>4+pm;X2#7kDgrIT0^R1P9csJC@CS4bL\$IUGRA;nP&ghr[PB)^M_^f*3YZ(Nh1[p+FK0\4MjrCZ:ho)
+%+Kl[29RAXuMN[ScoEk]^%noqjB0)Wsh]behTWd@n87tI!>@2`5XDXMA9VdK*8Rr_LSYi!!BSS4HUu[Z"6RC&chlnS6g_>JDlc)Vf
+%K"7fug[uS4f#$a@Gk-0JD[2jser9u+\RGo.MYk=OY/fqIe9uWP>Ib;`Gug-ZDsbP;kpeNe4qM^;nB$KLRuk/R29D24K/F8H+lp*1
+%LoZPgLUZ[9$lc_7lam[i"P$n(>n@+tl6s>8&>BL5GX&VpbF_Jr2Tbcjd6aH];"lX$4G8^h6H\Lt*`J=h;@"0m$8KqTUiu/>n]'6R
+%p8WLb7D)biiZO/>lde++$?mFUj1%npY:%)f5eEtUg3@kIp%?L<=I:Tg[aYZ%?)Dpsd)SIPQ4%\J>n7/&_`E[u<^MC[E\&2QU/>7%
+%??(W9!4K9CgFj@)fg'T0NV*]_j?HM'KQ%j&1%5`@W!]sHJrc=hok#f38ld%<pC&Q<0$hCL&7-3L&.!8S9aLFO:`"/lZ.4+j9GI$+
+%YnsHqU%V3%*t@]#9XdCZEOaLEAAA.%QmfU/[T\'j.W1u5MGZO"5),%d8Q!g/<VC"1rOq\MH1]X:\8c&qjUdcfA8<nFpXPt>fb5@Z
+%MC_RI&b]Pt*XdtcAdOaX(;lQbojTm:mN"Q;oQmst.W"79(Z%)bp3JM&(fU>D!5F>NL"a$%3UqOhi!`qBMhKffT8,tC2fA/S+=[9[
+%Pl#\TFNB;o>f+(n>0mE__O88T&r)6bL@S&FbWd-rKPdEN$+8)<0-K^3!5gCRK8!;-Q\Rpg=BIFGF$Wc)J5G6]S[(pgK>Bb"UPcUd
+%pUgSPpc')8jR6H`3[e1:fi(ko+2j9_;;)C$q9h5^%ZC<a;1r;/.LJ<HK^obakXK)7?u3$6foP#sDa%\u];9jNcZ1MmKi*J>qtA8[
+%]=HK8BcMmg$]SY5mf64jr7tUR7L&@4rW1?m'*!gTr!?0:G7$?c]nKQ#d;2BCc9TL-TS;e%5[Gjag]cQ@_.q3$.CAuZZ">Y=qGQls
+%^P)J-B')"2*T^W%;;F^,0eR\DZ<Z`;m<<JlOFVXn^l=V'[t\CtYnL*"$kcTJ_M.EA!.oN>dp(%-PFE0j-L39@[QZhS?N@#k-s5-)
+%2YIF95]ZSUS">tmA*(A=9UkjAcYT-:'LW[M$Q*]1%fdiDW#h4Y_+V1rADP?;o$?b\,0shV$o0GjfSbkeIO)KJ@e:bu>c0je\X*-p
+%Hi9LQo^"Q-h$M#^4DWa3puLF(^?FCf`j/;o!8!62$GlA9GX`rcB%)aJl(WT6D%u%+M/Rh:^'Z`j[l1(cY`C.FV#COf#fEX:7tp!p
+%987dm4A:fh<Uc)XO)[GlO,cBC2s[D5Wpd_8OIBSS)D&Vu/So.H45^AUU8ATJGoTOa@Z&-C^qttJos2]5T"$`oPRZ$l\OW`F>`C8G
+%YIDhMl\@.a(uA4/:OknGYI4'hWf8!CS30C\,tjNC=lV'd)OAg->>dJ@\-.sO7Edq^m5K59S@L^E".>WD7GK@A]j$!!SK=Y(&uW#@
+%dRi[+d<_aU/t;tuV>cA'\8e,F$^A_H\p5="hqB$",^Tui1WR;mP3<0YkCc;e%(a4TnHOf'FMC*i=_5t4RkpB@bScTA@jFM!0HDf=
+%N[5-VPXs5\NR\&Pr*"(@Zp7FafFQH@YWWc9(d'Ph5qB]Q68Wk@ZqT@r-g][&3\tH;j`Ue+#fGcr%fRi9,&#$ULCjA8#_*NGDk`J>
+%OA28=UmWA"?;ed$^%K*`+OinJRUs1uC)cL8p43knF`gt2anFWG;fj[PDK>E#1u/k,9)tN`e.DR11=Wi;0IBZ#4_mVEXQ[qYdGGJ0
+%Zf/M\JeJne9]7=6UE=#!_T1;Q1!uUciTN@"5\D<h"DoN/Vin/DCX03]<:4(_@(]Sk'@(n_%eQ[IU$hjTDQ5c#NTmf_#aX-12S+T3
+%rS=%ALqKpTYR!V9Y?Hoe-(!V"\=.9cq)*TF=9/G2hJB+[s7^]5CMb<4p'LX,+peAbA#/OYe7/*rAk31=Q9^6\#+WU9Cq):mk<Ac+
+%<@rK[4@&8DhgCj1AZ8[8?#-M;p^`-#)DjMP((U65l4nH`91@4/P>tA0gOWf%YD3=Y*KorJV&re82dXC.Ki\b25'?`Paekq*%f:jk
+%`PE#'n3F)2fkM8*Y=ge:oO6>\!D1f4)uEFo+bWVbM#77WeU?cl;;!VIVls_FS)&5:O=P60r=&QqU.mSl]X[9>m9rjs/i9NcW(ImS
+%kK1D3Ih%&4HPm!>1I2Qlb/Qrei(O[bLO.oK^u.lt"GcMUP$r;V#_I\dD\NW*"@7"rPYj+o'*Q/1Hn6->B7_6cGfhEOS-af*E$&mO
+%%*euAE3Lsi?uRFuJj[-W,@GI;#_GG=@j>B#-4#2*WuM:qo5SeI1kWQ40E?_]_'c.XPFar4jRGNT9J)P9K/5e)*(HPnL;B9##S-[8
+%&MQ2>5]H;Qp-rDF^"i%-gJipeXM.Jg%UjMqhr",BT4WRaG-1iu$:fmk-f#!j;bb<BcNeH#QAV0>Q*5hlnY(9"gJ@iqa#u*\*@O=G
+%H#o^'\gS,J=K>I[lB4m-J]?g)NJ5BAcSOC$AJZa%=-gFkZcT."N#^3^\3'!JW&[YF20/,M\-W]:m[_$#iF:MJ$1_WQ/q8-'IU\BU
+%c8[3tr'3gJ24&61S2i;kD6Mdaj5R[>g<68)Mm,9$JrV9bh/&??G"OQEgG>8CfrIpJ&BkT;gKFn6E_#T69OEm+^[h1nnbOA0-aETF
+%l*a06o;je2[g'_,GnTB8'IhD4_(19[R)40!k1<2uiVKFj3s8hKpR.tD%+\'!"<#`:29e`ITE;U[D!-3/Q?JnSIGopLL6peAl@QsH
+%,EU)e`HpeD4[^E>WE?M)UN.`gMk)f9q8RTddlkJGmS/I&@OP>#dH[?S[[oe514N5o^"2'I1ZgI-2gt_"Y>a1]#VM&.T3KLIHb$i0
+%B=\H0h9(dfk,EFG06a0Elnm86V3qN*?_r#GIRBE6[r]6)i^7moZiFI%^K`#NhdLI8BP=hSBJb`%ZNjho2g"JAWuL,K+K[2*9`3[0
+%SpLmH,ic&qrc^6]C[G<Ze\8H\jlq!&rMeV_Bsas`C+6QPgN8t'f%"':?*>@"s*cNUeXi6&et]Wd/`cU5S!t>qV07&_\'jWMk20`3
+%F2r3VgKV)O*Y)s=++>L[eY)Y!opRR#/h+Zug0<jhMj;t#lggnd6a9gs[aoqXrHXh2Z*Te?V-D7@d[Kc-(Z/O^Q&:9TZYmm+5Ptn#
+%WTb5'nd7ie/p$:Sh6$$ecrnm<b=@ukh5R+bXmNGn]6ILC3@M)l<bb5(7'E[e2<Boa);4=U;C&[KG@W@L\WAJ$N@]^.AZlUTG&nVZ
+%O51W2H:8QV<"OgJqWAY!YNt\)\a$<RJ(s@K?prHKBDJ>#Y8R9Uj^!6`V,7[4Ft>3sZL@&D01b!UXKmkG53,O+ZI_cKHM)QVr&ON9
+%NGk@McMHarJ&a15F(.lk=SPqc]qpRV(F_TImQW?;SR:V-ZT[%%[^31l:rQ8S^qhdhic6c%mZoM,F4JZoSrH),[T?B\YQ%ol.:(eI
+%bi_0^hX+\hl_a!)=uDc)![\1M_1J3_.dq*iDIIc@>qN3;j!Dh[njWF4Z[R?]]3)$#Im/f-66YJ!+hm=+IoUs+N=,<S&rSj%]f"[7
+%l<EMJSbl,n^;!.ipc?Bf]q<lGI:&SJSRnPYSKh)3I(I[[$:\E;.4eVCL$GPm./se&K>+@;gfsc%4mupNTC2HjV#P`gkga*@q955X
+%Yl36SjVS$Crl#$Z$,=^O%sOHLAe3jEm4`bR[?JnE)n!54]j/1Z=[%6II9b(E(Ar=TKPD%HlhBk^c\K_gbN_k<Di[OK3YXdXN>dCF
+%Y?sD`WGi`eB2m&1F*i3,leZ-9lM$i<VEUL"#=Qt7L[sfonX&\'m"DpsI$S+c^*BkenoQ`=;%>4jig>e,MQ%!9Jb(0oDX\Gm)l7cM
+%[mpa)bZ8`BGgGOt?Yl!)-#tV2^H&KV9Tr?WF,6T<a\d"_]_T'C2.[CH/DVLb\PucrIuE!XO,$h(MRReUhk3j_nTOV!MsZ4kH1nnG
+%Agub'I0o3;m2tJu"DXU9h82cE=1bG/mBYJ^dL.5::]Yi[*W'MYBE+;T0.>9@/p"5"no=(=2P>)_=[e4elIONpG%p?Clb14M5mA>E
+%)CqkH8\Mu3R;Y:M51cqfgb>7eVU"j5,S420.<N9B^&>&VEUPG?h4/,VKmr5%D>8(e;k\7+lVl5q+gH]5:ZfdUlClqVfum0^W*&<M
+%&70V9iKNQh,6.RUQL>,q(TM,B9rtn09)H>.l8Nm@:2Qn)#t]SuSJfHa;!W>*<k>fUqMDbqE?k"/[8M#S`.pMHc#O=L:>]oRc?gYN
+%/]34MhbA]0+:P>.^03UQIM\I/C1o!,m!Uk=[5L32FR+\<(L,_U?$DEAX3KYd[t=nm?mjX(K.e8EQB%[:3OBkQndchTci(")LX<me
+%MJYL?`A#4Z"me=G.3<-!k*C3+i<"BQYj^T$]:rX"@XkT/(L'i&L\jm>`>Sab>YV&=N]3h!4M5P&\dY-A>dK3E["jiX`8?:A%(CD/
+%YMYSN2q^!no3d/irphrOru&\"#+[X(@SoTIoB%M!ODQZFA+^"bWRC[pbT<D.)r<kL<\XEUGD]Atb]Elsba%Ed1G"Atqhr>tRt^];
+%Q0Xugo@']io#E,CdUhR@hQ+@=BQjXf1tkLEkGM/DX_-grP<fDDSREODS_7@dFF,H;HZ^EA(L+No]Wq&+Wu^0Zp<Z'%kcCCe06=8'
+%WB2MspX]7+Md2iRF?Jc%rNKKljVJiUNu;HLNV)4#g2k"R`4un[+5VFJn%./>Sa\4\J'l8M<O]W11%3IVN/hgXV9A,(b@*UE3>Edg
+%r8("Ob5-R`f2n!8$X%d_HsN3<?G/YC4m8,*l]3i<_Yac5H9/\)rbPCZ3:GGE\`ic08hG3B9LE\A:qK^XXo.RIS[3\gGP7eR\TcKH
+%/g>tqUE?NAq;6*oAVL=^9aBPO>`I)l.;U"@q($sjaLe,4i<F-Fm?Q*)f*aaeD"3b'L&O8XN:*1\Ni;*7TpEP)P]1a]l'78Xed``]
+%k6S,u.,BrQY0s7):YNH9h't(EYFL`qmZK7J#rq<TPfU*a,*=<;NtOH27V(^7?\"Y+%Rq^Qjmsm_@q.pT/"L<M,0.]Z,l!mB;'O'#
+%LlANd!_VP+(m2n'T1=_X)^DWr4Rd8;O^hlhU>gM@-$!g\8FeGJ"_C?FLkJdB)V"*GOBs0j%/WmGa2Wpoi!fW#-$!g\a@$lL@?ej<
+%0d9s+Bf6<Fm,](H8`4tNPfU*a,,&LV!7eas,;KbQ3B9@E*_X/Fru=YlfGKatYmCJ5Nl$V=gA]#UCL:ZMk:]<]HN?S]f&_1AaK[HD
+%GqRF:7#m6=BprA#6&?R#,;NI$5;^(j@RSX[_uCjP%&jrH^?8?;a2Wq2M#9bV^9>D0m!4s_jn9u;OVGd+7>W!',Efj^SjeJU)^CM$
+%fOn&*a2Wr%c/i;/,%$3>)1OF`2P8CeTGQOfNVON0Yl+m;T-Z@e@4i425>,`T92/3nr@FrDN12@Fg4#@;Hq$.Tg%MbJjth=I38+#3
+%UujJ^r\2IfZ_Z`iYeBHhrXCc'Gb8[H=]4i/!=hi4r@FrDN4e7_gWu%OcV2OR,hpY.Ra6:&4oaV^YSg9<8[b8)V"*ieq$jdZ?N0!B
+%@&"r[PANNWC-KPH9Xt$PWVHr8RrJ7-;Y-<%@l;C%Z_Z_>I[`%=p9URW1\*5`D*L[.4u<)%PAEHVC-JD:(6`T"956ZNQF)LWT-Z@e
+%@J)#'Ib&9u>Jf<fNcS'4?1mrYV5C.VfrmV(h9uPq7D=6"BN;)4eCuFm1B6&&O8eSQQ6Wa_>SeJeU/imFZ[An:bZU33CAMB_f7#8/
+%C6+@d<jhme[7I+RS]]o'd9<p$[26>radNAlp'%V==*)m@Fo`(+;RVk.TB![a:O%9T*rl4m5Bb&d1G]M(GkQ2rpYaM<amr`lZO1ar
+%rLL5]2KA%IpooI%qul7;93F@-[r^<8U/A\$KQJt1^]^Hp)-a\hC8MtXB9XM1d4.;JnoVn'^&qR5hBZ:^^";3@_\:;U*ciahO.B.d
+%3@:DGlq?)i\9Bb6PY,(NGaZAA?/eH])'OD7RZm7CWJIT?Apch=.:EHT;jkGp,i@qI6DjPrWI1=Pg(CLL"@:%/[K+:m\?><Q@=rVB
+%9&gOT[ZD-1$PII<Aft;Po<Z8e+.15VJ]il3AX'PV\eLRJ'*6R0ge&i2K<'[-q/7SXN$FQUj/=*9BDelrUo-5_<"TA."eOd`*&f)F
+%%BU=H#`$FOJHY;]c$7BR6Q5"c<gCt_5*gdK[VoY4Q_]V/1.q[!U0Nh#nK`R\PB!CRnQdg.g!CfZ97o[R_6QDPCtCc_Ju2\_4r1t7
+%9S0on7CPTk!fnUp]#qpd>];)SOtpY8.5R3HKFa,c!^+S[0U2n:IAqL?"PD'bdfSX!201NrG\]RmXfu!=6/XKBo>%)q]aTf(:P?5d
+%O'6+25sb]UY&Bo1m;O=ilq&(pF(!K8UC3B'O64"k-a6aiHn:=!ON\hskX.lSXpg[EH/bKY;A$`r>cbZ5,_h(\(A`c@juA_K:C-Pm
+%O?1krs59`L)'FG$pc8qc6?ABKB$I@@qGuB6$8=6)9FEfV6(iL_Fb!>JiFjf"0:iT*a33JQ4=f2?'O7"77QfZH,#ZdCRaGm*$^L9k
+%aT8B*#ERm_"a'sTQZRaWMmQ`)QYrS[27I!ddT=YoE.,t6g^1+0:aSV4^oR['[Us'-otePMZAp/4VEXEZNL%ZEXn^[dR.Z5%nh&p'
+%n2QdsS;QrTNP@U?8p2pmoUH>8WR/c*QuAjbAf-k$9N6"W-HJ<#qh-uLjcCUd\3u++T!0oBK&B8GSl#5P=.p`;'TFs[%`OS*Oskl+
+%M%*-Z4!$W&'>cG8/&?t!)*)lU50`h<\dc[?&7<e'588aPrIF>Laq;i\*XomTfMYAR$8U%%)i&%L)P0?1a]uCur+:reJ`f*O(2VE?
+%E?BIP7:K>L&P.:mK.?G>jFJh3ET0XUM2WHg1*@auecUR2-l*eY+9s)=#WY)r,kMSd0,uO?$_rC8K:.$,-pCZ8WWED5rij]/E7lgQ
+%Hlqm@KN2I$03n8fl+7htR$clpf7U`4NtiC%KT=aZL]l&&"0u*60.7-(">'d+-[_c$bnnggFUFcT=@3ujcru/i;?l(9='`QSJ8Ga&
+%,SA:TmmZcsYot.PO^M1r`/:]Ac&u[unQ:huVC;;'a+[=kkTaBpfUBk/%]qh4K!,sD1]@pYk/552\D4k-N0AJEEj<nD?V$"/*J0r-
+%nH=M#`tJq]^nItDe4j=0?61SWYn/CMmE3ejiZkV$0J!&LLd9sA*LW;:DD2;`;I$(n3+QU,8c7!o6('!QHj39[U]g=U,tf0C@<f:s
+%-)DET)K>J9!$O1]ERVd%o^h<RXHU$I0VX<'fuC8<eJL.dZW>L"#rWb2;Z`\T!^SIs,Ut5l;4M\ncWDh'fo[<:%Bq8??U>Te<Ru_b
+%;2C#b"-$<iOBGrs\-oMND8E68We6Xg"_RXJk<b9aOV5ITQ/I1P8O,dRE=t_Lm:>km6On-)cmUR;h2mBd6o8`^.8^Ldn=RQd*^CF,
+%5PRS?Zmj6LnG%S#5XF?n@?+st@FM<2:5rj$BP!dZ/u?Z&n9c.>es'DVaZ%!BnGM5s9b&Rs>/'LY+_*fD8WQl9Hq7:UWM)tH#ojP2
+%1L,O-&mW6(Ze$uf%uHHYB+WFa#b07r5dT^]!DoZT6bIdU#D*lcm8EKu3M.Hl34PTF#=65#F=]V`TqH%\4]8SHFmF<0(k^RcBsB$a
+%TH!#H5)7(E-H]gpA21('"J;nV$.DQ``h9sWKGpin3C;ea(_?m:\Yt@+dNM'!6UX2m+sr:Cc?L+,<PX_-AV"H)FJN\-+UFFJNN5e;
+%,0+JoC1(Ba+N\+lFkC-\)KsC`2HA!+#6D\o$D+aPD8fG*J"rqc6[,5OXu/mJ*cTaSenM_81O,'o$q<?05.scE%T@p94(fQUU#lsh
+%MsS@2^]St,?t*80P?9.kEi:J#L:/NT;2>a]2M%4c.0+H=QjZM*8!%`b?_thT'?(3'9[Pc/3MQ;+-POlAAn=&o`cpl^R]G\uE-.r[
+%<)Z:LF=F!s+fE#SH8EK@Seb@ScF$WP`s&HSVF7J!>Sq/pO^)7I*l\jGLJsQ!6,br"`=gY0C_?1&#eHHR@)D)>63eq&@T?7nYgX:_
+%80/h@NC&aJ0L\TEAJCZNN<j5^.2(&0?e^^8AsZ$(=\6%3W$qcR7rYIT8<7Qs=?`+WPoBo37G/4]("U6tQ'BVBI;ZjZ:U&&'!R\Si
+%Q1@aE;Oq?57i27eD1l^b$-f<AFN?HbTR)VI=!:s^7=oI,Sh%[HcrWo)7a;`l23O70Oj`<2-MVT?.M7VVWXDCl=nIsSdJD6eE'Bp;
+%'I3CAGcOP^/<PXrSuK^@DoqCf5adSeKNg>n4<_l!a=D657FhR)#E)"?>[O]]#Zh2,I\ijn-<9_5mR6T'$=?E(WV/*(P0Y'Zn,c/.
+%U>Zj_!MZhd0Jo-Y7*6C5a4c9V/#rP^p;A@KPH<-DjJG&j<8:tDr?r'FTgCAR)L;D>EC*6<WiRVs)^a2dE#hQ-V^_G<EGLH[:7;g!
+%Rc`%\dNpj1Pmius_&Y9f\k4J`W`<`"fkhlkUre*:1,;@HiB@M.BXC4&4ko$K.!9s@<frPCj?ksA&Gnd55o2MGosrA!A\*?KKUV.P
+%j=67tn:lNdNB%`Jl\$:I&Oc!4eCeV6O[es8\.V*)::hr%c)//aN9*V`^r`aDEYR+U&h\sa)l\Lm:!)DC^&cW[ihHAQl#r\Ukp\6@
+%5kE%te*J@1/<h8<j9.<^3_c@oOSTHVLnKIq>qRN'+PIlHG6j'A4R_+oT&+O>4SFSC.Y3WtVo-t4,YpKn4>ARZCi`_2nHBe:[R0QU
+%-E=nd\ekZ0Uf;?I)ck8$#UN5Hp-GH-ZshF?S(FkV((uTa_5?7iD]HciK1L#+K5RP?_Asr5XWd.F89#G*kU,?8[#j?iP?`1aKc;*k
+%jQGQs?oVO.7Kf$Q!&P[oN04W=Z_;=S$]0SuaI*TI@tC"\Z"P-gkX/4^OIR:9,n[CmK4se>,bDFQjYhh2$n.Dip!ZH>g4UR%MPS4S
+%5&GDh,R*Q\po[a/nn_923g/b5X;T/A:*["ZT$(nBRlJ,?Q'.jN/m;"OF1?br$T9L0/=//,QaSb62Hg,?_hG*#Cu-K*-(a0=4PKKX
+%,^S/IIiNO/>Z8@[-S`V]=CDZ_.mEVO!@<OV-L068oM)faHhZXTI2R?/(*C`mitXjHeI^'5PHs^\`h&FH-YECr'uFo1dD*WIZ5]"l
+%ks\io&sV^nY@n8MZ$h01"Jc%Fru>f9-*=r]?XB(AqY4J9%!k'N/V:).!lH-W$nH0Y<L`[+elDZeo6LB+Y5M/gGq"Hhr0?8#J6+0Q
+%*7+&d64@oElPIn!Z.;M6iAP\>UtA2lYI$_&UEP'2j(i5^i;X9IR,j1JU$O%ck0Q"dnqHtbK_,+dQ+VAM>A@I6]@-NNeF`Crl:q5M
+%?#BMB[o55VlMoA9C9)LO=FI:.iu@<]?11#mFfTS1pD6\G96C"%FQl^aomb.>&V'~>
+%AI9_PrivateDataEnd
diff --git a/contrib/bind9/doc/arm/isc-logo.pdf b/contrib/bind9/doc/arm/isc-logo.pdf
new file mode 100644
index 0000000..71d3fdd
--- /dev/null
+++ b/contrib/bind9/doc/arm/isc-logo.pdf
diff --git a/contrib/bind9/doc/arm/man.dig.html b/contrib/bind9/doc/arm/man.dig.html
new file mode 100644
index 0000000..942b7fe
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.dig.html
@@ -0,0 +1,665 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.dig.html,v 1.2.2.37 2007/01/30 00:23:46 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dig</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="next" href="man.host.html" title="host">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center">dig</th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="Bv9ARM.ch10.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.dig"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p>dig &#8212; DNS lookup utility</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dig</code>  [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dig</code>  [<code class="option">-h</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2564009"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dig</strong></span>
+      (domain information groper) is a flexible tool
+      for interrogating DNS name servers.  It performs DNS lookups and
+      displays the answers that are returned from the name server(s) that
+      were queried.  Most DNS administrators use <span><strong class="command">dig</strong></span> to
+      troubleshoot DNS problems because of its flexibility, ease of use and
+      clarity of output.  Other lookup tools tend to have less functionality
+      than <span><strong class="command">dig</strong></span>.
+    </p>
+<p>
+      Although <span><strong class="command">dig</strong></span> is normally used with
+      command-line
+      arguments, it also has a batch mode of operation for reading lookup
+      requests from a file.  A brief summary of its command-line arguments
+      and options is printed when the <code class="option">-h</code> option is given.
+      Unlike earlier versions, the BIND9 implementation of
+      <span><strong class="command">dig</strong></span> allows multiple lookups to be issued
+      from the
+      command line.
+    </p>
+<p>
+      Unless it is told to query a specific name server,
+      <span><strong class="command">dig</strong></span> will try each of the servers listed
+      in
+      <code class="filename">/etc/resolv.conf</code>.
+    </p>
+<p>
+      When no command line arguments or options are given, will perform an
+      NS query for "." (the root).
+    </p>
+<p>
+      It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via
+      <code class="filename">${HOME}/.digrc</code>.  This file is read and
+      any options in it
+      are applied before the command line arguments.
+    </p>
+<p>
+      The IN and CH class names overlap with the IN and CH top level
+      domains names.  Either use the <code class="option">-t</code> and
+      <code class="option">-c</code> options to specify the type and class or
+      use the <code class="option">-q</code> the specify the domain name or
+      use "IN." and "CH." when looking up these top level domains.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2572153"></a><h2>SIMPLE USAGE</h2>
+<p>
+      A typical invocation of <span><strong class="command">dig</strong></span> looks like:
+      </p>
+<pre class="programlisting"> dig @server name type </pre>
+<p>
+      where:
+
+      </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><code class="constant">server</code></span></dt>
+<dd><p>
+              is the name or IP address of the name server to query.  This can
+              be an IPv4
+              address in dotted-decimal notation or an IPv6
+              address in colon-delimited notation.  When the supplied
+              <em class="parameter"><code>server</code></em> argument is a
+              hostname,
+              <span><strong class="command">dig</strong></span> resolves that name before
+              querying that name
+              server.  If no <em class="parameter"><code>server</code></em>
+              argument is provided,
+              <span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code>
+              and queries the name servers listed there.  The reply from the
+              name
+              server that responds is displayed.
+            </p></dd>
+<dt><span class="term"><code class="constant">name</code></span></dt>
+<dd><p>
+              is the name of the resource record that is to be looked up.
+            </p></dd>
+<dt><span class="term"><code class="constant">type</code></span></dt>
+<dd><p>
+              indicates what type of query is required &#8212;
+              ANY, A, MX, SIG, etc.
+              <em class="parameter"><code>type</code></em> can be any valid query
+              type.  If no
+              <em class="parameter"><code>type</code></em> argument is supplied,
+              <span><strong class="command">dig</strong></span> will perform a lookup for an
+              A record.
+            </p></dd>
+</dl></div>
+<p>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2572264"></a><h2>OPTIONS</h2>
+<p>
+      The <code class="option">-b</code> option sets the source IP address of the query
+      to <em class="parameter"><code>address</code></em>.  This must be a valid
+      address on
+      one of the host's network interfaces or "0.0.0.0" or "::".  An optional
+      port
+      may be specified by appending "#&lt;port&gt;"
+    </p>
+<p>
+      The default query class (IN for internet) is overridden by the
+      <code class="option">-c</code> option.  <em class="parameter"><code>class</code></em> is
+      any valid
+      class, such as HS for Hesiod records or CH for CHAOSNET records.
+    </p>
+<p>
+      The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span>
+      operate
+      in batch mode by reading a list of lookup requests to process from the
+      file <em class="parameter"><code>filename</code></em>.  The file contains a
+      number of
+      queries, one per line.  Each entry in the file should be organised in
+      the same way they would be presented as queries to
+      <span><strong class="command">dig</strong></span> using the command-line interface.
+    </p>
+<p>
+      If a non-standard port number is to be queried, the
+      <code class="option">-p</code> option is used.  <em class="parameter"><code>port#</code></em> is
+      the port number that <span><strong class="command">dig</strong></span> will send its
+      queries
+      instead of the standard DNS port number 53.  This option would be used
+      to test a name server that has been configured to listen for queries
+      on a non-standard port number.
+    </p>
+<p>
+      The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span>
+      to only
+      use IPv4 query transport.  The <code class="option">-6</code> option forces
+      <span><strong class="command">dig</strong></span> to only use IPv6 query transport.
+    </p>
+<p>
+      The <code class="option">-t</code> option sets the query type to
+      <em class="parameter"><code>type</code></em>.  It can be any valid query type
+      which is
+      supported in BIND9.  The default query type "A", unless the
+      <code class="option">-x</code> option is supplied to indicate a reverse lookup.
+      A zone transfer can be requested by specifying a type of AXFR.  When
+      an incremental zone transfer (IXFR) is required,
+      <em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>.
+      The incremental zone transfer will contain the changes made to the zone
+      since the serial number in the zone's SOA record was
+      <em class="parameter"><code>N</code></em>.
+    </p>
+<p>
+      The <code class="option">-q</code> option sets the query name to 
+      <em class="parameter"><code>name</code></em>.  This useful do distingish the
+      <em class="parameter"><code>name</code></em> from other arguments.
+    </p>
+<p>
+      Reverse lookups - mapping addresses to names - are simplified by the
+      <code class="option">-x</code> option.  <em class="parameter"><code>addr</code></em> is
+      an IPv4
+      address in dotted-decimal notation, or a colon-delimited IPv6 address.
+      When this option is used, there is no need to provide the
+      <em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and
+      <em class="parameter"><code>type</code></em> arguments.  <span><strong class="command">dig</strong></span>
+      automatically performs a lookup for a name like
+      <code class="literal">11.12.13.10.in-addr.arpa</code> and sets the
+      query type and
+      class to PTR and IN respectively.  By default, IPv6 addresses are
+      looked up using nibble format under the IP6.ARPA domain.
+      To use the older RFC1886 method using the IP6.INT domain
+      specify the <code class="option">-i</code> option.  Bit string labels (RFC2874)
+      are now experimental and are not attempted.
+    </p>
+<p>
+      To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and
+      their
+      responses using transaction signatures (TSIG), specify a TSIG key file
+      using the <code class="option">-k</code> option.  You can also specify the TSIG
+      key itself on the command line using the <code class="option">-y</code> option;
+      <em class="parameter"><code>hmac</code></em> is the type of the TSIG, default HMAC-MD5,
+      <em class="parameter"><code>name</code></em> is the name of the TSIG key and
+      <em class="parameter"><code>key</code></em> is the actual key.  The key is a
+      base-64
+      encoded string, typically generated by
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+
+      Caution should be taken when using the <code class="option">-y</code> option on
+      multi-user systems as the key can be visible in the output from
+      <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
+      or in the shell's history file.  When
+      using TSIG authentication with <span><strong class="command">dig</strong></span>, the name
+      server that is queried needs to know the key and algorithm that is
+      being used.  In BIND, this is done by providing appropriate
+      <span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in
+      <code class="filename">named.conf</code>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2649124"></a><h2>QUERY OPTIONS</h2>
+<p><span><strong class="command">dig</strong></span>
+      provides a number of query options which affect
+      the way in which lookups are made and the results displayed.  Some of
+      these set or reset flag bits in the query header, some determine which
+      sections of the answer get printed, and others determine the timeout
+      and retry strategies.
+    </p>
+<p>
+      Each query option is identified by a keyword preceded by a plus sign
+      (<code class="literal">+</code>).  Some keywords set or reset an
+      option.  These may be preceded
+      by the string <code class="literal">no</code> to negate the meaning of
+      that keyword.  Other
+      keywords assign values to options like the timeout interval.  They
+      have the form <code class="option">+keyword=value</code>.
+      The query options are:
+
+      </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
+<dd><p>
+              Use [do not use] TCP when querying name servers.  The default
+              behaviour is to use UDP unless an AXFR or IXFR query is
+              requested, in
+              which case a TCP connection is used.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]vc</code></span></dt>
+<dd><p>
+              Use [do not use] TCP when querying name servers.  This alternate
+              syntax to <em class="parameter"><code>+[no]tcp</code></em> is
+              provided for backwards
+              compatibility.  The "vc" stands for "virtual circuit".
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
+<dd><p>
+              Ignore truncation in UDP responses instead of retrying with TCP.
+               By
+              default, TCP retries are performed.
+            </p></dd>
+<dt><span class="term"><code class="option">+domain=somename</code></span></dt>
+<dd><p>
+              Set the search list to contain the single domain
+              <em class="parameter"><code>somename</code></em>, as if specified in
+              a
+              <span><strong class="command">domain</strong></span> directive in
+              <code class="filename">/etc/resolv.conf</code>, and enable
+              search list
+              processing as if the <em class="parameter"><code>+search</code></em>
+              option were given.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]search</code></span></dt>
+<dd><p>
+              Use [do not use] the search list defined by the searchlist or
+              domain
+              directive in <code class="filename">resolv.conf</code> (if
+              any).
+              The search list is not used by default.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
+<dd><p>
+              Perform [do not perform] a search showing intermediate
+	      results.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]defname</code></span></dt>
+<dd><p>
+              Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em>
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
+<dd><p>
+              Sets the "aa" flag in the query.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
+<dd><p>
+              A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
+<dd><p>
+              Set [do not set] the AD (authentic data) bit in the query.  The
+              AD bit
+              currently has a standard meaning only in responses, not in
+              queries,
+              but the ability to set the bit in the query is provided for
+              completeness.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
+<dd><p>
+              Set [do not set] the CD (checking disabled) bit in the query.
+              This
+              requests the server to not perform DNSSEC validation of
+              responses.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]cl</code></span></dt>
+<dd><p>
+              Display [do not display] the CLASS when printing the record.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
+<dd><p>
+              Display [do not display] the TTL when printing the record.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
+<dd><p>
+              Toggle the setting of the RD (recursion desired) bit in the
+              query.
+              This bit is set by default, which means <span><strong class="command">dig</strong></span>
+              normally sends recursive queries.  Recursion is automatically
+              disabled
+              when the <em class="parameter"><code>+nssearch</code></em> or
+              <em class="parameter"><code>+trace</code></em> query options are
+              used.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
+<dd><p>
+              When this option is set, <span><strong class="command">dig</strong></span>
+              attempts to find the
+              authoritative name servers for the zone containing the name
+              being
+              looked up and display the SOA record that each name server has
+              for the
+              zone.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]trace</code></span></dt>
+<dd><p>
+              Toggle tracing of the delegation path from the root name servers
+              for
+              the name being looked up.  Tracing is disabled by default.  When
+              tracing is enabled, <span><strong class="command">dig</strong></span> makes
+              iterative queries to
+              resolve the name being looked up.  It will follow referrals from
+              the
+              root servers, showing the answer from each server that was used
+              to
+              resolve the lookup.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
+<dd><p>
+              toggles the printing of the initial comment in the output
+              identifying
+              the version of <span><strong class="command">dig</strong></span> and the query
+              options that have
+              been applied.  This comment is printed by default.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]short</code></span></dt>
+<dd><p>
+              Provide a terse answer.  The default is to print the answer in a
+              verbose form.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]identify</code></span></dt>
+<dd><p>
+              Show [or do not show] the IP address and port number that
+              supplied the
+              answer when the <em class="parameter"><code>+short</code></em> option
+              is enabled.  If
+              short form answers are requested, the default is not to show the
+              source address and port number of the server that provided the
+              answer.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
+<dd><p>
+              Toggle the display of comment lines in the output.  The default
+              is to
+              print comments.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]stats</code></span></dt>
+<dd><p>
+              This query option toggles the printing of statistics: when the
+              query
+              was made, the size of the reply and so on.  The default
+              behaviour is
+              to print the query statistics.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
+<dd><p>
+              Print [do not print] the query as it is sent.
+              By default, the query is not printed.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]question</code></span></dt>
+<dd><p>
+              Print [do not print] the question section of a query when an
+              answer is
+              returned.  The default is to print the question section as a
+              comment.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]answer</code></span></dt>
+<dd><p>
+              Display [do not display] the answer section of a reply.  The
+              default
+              is to display it.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]authority</code></span></dt>
+<dd><p>
+              Display [do not display] the authority section of a reply.  The
+              default is to display it.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]additional</code></span></dt>
+<dd><p>
+              Display [do not display] the additional section of a reply.
+              The default is to display it.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]all</code></span></dt>
+<dd><p>
+              Set or clear all display flags.
+            </p></dd>
+<dt><span class="term"><code class="option">+time=T</code></span></dt>
+<dd><p>
+
+              Sets the timeout for a query to
+              <em class="parameter"><code>T</code></em> seconds.  The default time
+              out is 5 seconds.
+              An attempt to set <em class="parameter"><code>T</code></em> to less
+              than 1 will result
+              in a query timeout of 1 second being applied.
+            </p></dd>
+<dt><span class="term"><code class="option">+tries=T</code></span></dt>
+<dd><p>
+              Sets the number of times to try UDP queries to server to
+              <em class="parameter"><code>T</code></em> instead of the default, 3.
+              If
+              <em class="parameter"><code>T</code></em> is less than or equal to
+              zero, the number of
+              tries is silently rounded up to 1.
+            </p></dd>
+<dt><span class="term"><code class="option">+retry=T</code></span></dt>
+<dd><p>
+              Sets the number of times to retry UDP queries to server to
+              <em class="parameter"><code>T</code></em> instead of the default, 2.
+              Unlike
+              <em class="parameter"><code>+tries</code></em>, this does not include
+              the initial
+              query.
+            </p></dd>
+<dt><span class="term"><code class="option">+ndots=D</code></span></dt>
+<dd><p>
+              Set the number of dots that have to appear in
+              <em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be
+              considered absolute.  The default value is that defined using
+              the
+              ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no
+              ndots statement is present.  Names with fewer dots are
+              interpreted as
+              relative names and will be searched for in the domains listed in
+              the
+              <code class="option">search</code> or <code class="option">domain</code> directive in
+              <code class="filename">/etc/resolv.conf</code>.
+            </p></dd>
+<dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
+<dd><p>
+              Set the UDP message buffer size advertised using EDNS0 to
+              <em class="parameter"><code>B</code></em> bytes.  The maximum and minimum sizes
+	      of this buffer are 65535 and 0 respectively.  Values outside
+	      this range are rounded up or down appropriately.  
+	      Values other than zero will cause a EDNS query to be sent.
+            </p></dd>
+<dt><span class="term"><code class="option">+edns=#</code></span></dt>
+<dd><p>
+	       Specify the EDNS version to query with.  Valid values
+	       are 0 to 255.  Setting the EDNS version will cause a
+	       EDNS query to be sent.  <code class="option">+noedns</code> clears the
+	       remembered EDNS version.
+	    </p></dd>
+<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
+<dd><p>
+              Print records like the SOA records in a verbose multi-line
+              format with human-readable comments.  The default is to print
+              each record on a single line, to facilitate machine parsing
+              of the <span><strong class="command">dig</strong></span> output.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
+<dd><p>
+              Do not try the next server if you receive a SERVFAIL.  The
+              default is
+              to not try the next server which is the reverse of normal stub
+              resolver
+              behaviour.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
+<dd><p>
+              Attempt to display the contents of messages which are malformed.
+              The default is to not display malformed answers.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
+<dd><p>
+              Requests DNSSEC records be sent by setting the DNSSEC OK bit
+              (DO)
+              in the OPT record in the additional section of the query.
+            </p></dd>
+<dt><span class="term"><code class="option">+[no]sigchase</code></span></dt>
+<dd><p>
+              Chase DNSSEC signature chains.  Requires dig be compiled with
+              -DDIG_SIGCHASE.
+            </p></dd>
+<dt><span class="term"><code class="option">+trusted-key=####</code></span></dt>
+<dd>
+<p>
+              Specifies a file containing trusted keys to be used with
+	      <code class="option">+sigchase</code>.  Each DNSKEY record must be
+	      on its own line.
+            </p>
+<p>
+	      If not specified <span><strong class="command">dig</strong></span> will look for
+	      <code class="filename">/etc/trusted-key.key</code> then
+	      <code class="filename">trusted-key.key</code> in the current directory.
+	    </p>
+<p>
+              Requires dig be compiled with -DDIG_SIGCHASE.
+	    </p>
+</dd>
+<dt><span class="term"><code class="option">+[no]topdown</code></span></dt>
+<dd><p>
+              When chasing DNSSEC signature chains perform a top down
+              validation.
+              Requires dig be compiled with -DDIG_SIGCHASE.
+            </p></dd>
+</dl></div>
+<p>
+
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2650042"></a><h2>MULTIPLE QUERIES</h2>
+<p>
+      The BIND 9 implementation of <span><strong class="command">dig </strong></span>
+      supports
+      specifying multiple queries on the command line (in addition to
+      supporting the <code class="option">-f</code> batch file option).  Each of those
+      queries can be supplied with its own set of flags, options and query
+      options.
+    </p>
+<p>
+      In this case, each <em class="parameter"><code>query</code></em> argument
+      represent an
+      individual query in the command-line syntax described above.  Each
+      consists of any of the standard options and flags, the name to be
+      looked up, an optional query type and class and any query options that
+      should be applied to that query.
+    </p>
+<p>
+      A global set of query options, which should be applied to all queries,
+      can also be supplied.  These global query options must precede the
+      first tuple of name, class, type, options, flags, and query options
+      supplied on the command line.  Any global query options (except
+      the <code class="option">+[no]cmd</code> option) can be
+      overridden by a query-specific set of query options.  For example:
+      </p>
+<pre class="programlisting">
+dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
+</pre>
+<p>
+      shows how <span><strong class="command">dig</strong></span> could be used from the
+      command line
+      to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a
+      reverse lookup of 127.0.0.1 and a query for the NS records of
+      <code class="literal">isc.org</code>.
+
+      A global query option of <em class="parameter"><code>+qr</code></em> is
+      applied, so
+      that <span><strong class="command">dig</strong></span> shows the initial query it made
+      for each
+      lookup.  The final query has a local query option of
+      <em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span>
+      will not print the initial query when it looks up the NS records for
+      <code class="literal">isc.org</code>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2650196"></a><h2>IDN SUPPORT</h2>
+<p>
+      If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
+      domain name) support, it can accept and display non-ASCII domain names.
+      <span><strong class="command">dig</strong></span> appropriately converts character encoding of
+      domain name before sending a request to DNS server or displaying a
+      reply from the server.
+      If you'd like to turn off the IDN support for some reason, defines
+      the <code class="envar">IDN_DISABLE</code> environment variable.
+      The IDN support is disabled if the variable is set when 
+      <span><strong class="command">dig</strong></span> runs.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2650225"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
+    </p>
+<p><code class="filename">${HOME}/.digrc</code>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2650246"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <em class="citetitle">RFC1035</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2650352"></a><h2>BUGS</h2>
+<p>
+      There are probably too many query options.
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="Bv9ARM.ch10.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">Manual pages </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> host</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.dnssec-keygen.html b/contrib/bind9/doc/arm/man.dnssec-keygen.html
new file mode 100644
index 0000000..4836f04
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.dnssec-keygen.html
@@ -0,0 +1,269 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.dnssec-keygen.html,v 1.2.2.37 2007/01/30 00:23:46 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-keygen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.host.html" title="host">
+<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.host.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2597473"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-keygen</strong></span>
+      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
+      and RFC &lt;TBA\&gt;.  It can also generate keys for use with
+      TSIG (Transaction Signatures), as defined in RFC 2845.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2597555"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+<p>
+            Selects the cryptographic algorithm.  The value of
+            <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
+            	      DSA, DH (Diffie Hellman), or HMAC-MD5.  These values
+            are case insensitive.
+          </p>
+<p>
+            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+            algorithm,
+            and DSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
+          </p>
+<p>
+            Note 2: HMAC-MD5 and DH automatically set the -k flag.
+          </p>
+</dd>
+<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
+<dd><p>
+            Specifies the number of bits in the key.  The choice of key
+            size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be
+            between
+            512 and 2048 bits.  Diffie Hellman keys must be between
+            128 and 4096 bits.  DSA keys must be between 512 and 1024
+            bits and an exact multiple of 64.  HMAC-MD5 keys must be
+            between 1 and 512 bits.
+          </p></dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd><p>
+            Specifies the owner type of the key.  The value of
+            <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+            a host (KEY)),
+            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+            These values are
+            case insensitive.
+          </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+            Indicates that the DNS record containing the key should have
+            the specified class.  If not specified, class IN is used.
+          </p></dd>
+<dt><span class="term">-e</span></dt>
+<dd><p>
+            If generating an RSAMD5/RSASHA1 key, use a large exponent.
+          </p></dd>
+<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
+<dd><p>
+            Set the specified flag in the flag field of the KEY/DNSKEY record.
+            		The only recognized flag is KSK (Key Signing Key) DNSKEY.
+          </p></dd>
+<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
+<dd><p>
+            If generating a Diffie Hellman key, use this generator.
+            Allowed values are 2 and 5.  If no generator
+            is specified, a known prime from RFC 2539 will be used
+            if possible; otherwise the default is 2.
+          </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+            Prints a short summary of the options and arguments to
+            <span><strong class="command">dnssec-keygen</strong></span>.
+          </p></dd>
+<dt><span class="term">-k</span></dt>
+<dd><p>
+            Generate KEY records rather than DNSKEY records.
+          </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
+<dd><p>
+            Sets the protocol value for the generated key.  The protocol
+            is a number between 0 and 255.  The default is 3 (DNSSEC).
+            Other possible values for this argument are listed in
+            RFC 2535 and its successors.
+          </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
+<dd><p>
+            Specifies the source of randomness.  If the operating
+            system does not provide a <code class="filename">/dev/random</code>
+            or equivalent device, the default source of randomness
+            is keyboard input.  <code class="filename">randomdev</code>
+            specifies
+            the name of a character device or file containing random
+            data to be used instead of the default.  The special value
+            <code class="filename">keyboard</code> indicates that keyboard
+            input should be used.
+          </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
+<dd><p>
+            Specifies the strength value of the key.  The strength is
+            a number between 0 and 15, and currently has no defined
+            purpose in DNSSEC.
+          </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
+<dd><p>
+            Indicates the use of the key.  <code class="option">type</code> must be
+            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+            is AUTHCONF.  AUTH refers to the ability to authenticate
+            data, and CONF the ability to encrypt data.
+          </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+            Sets the debugging level.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2597966"></a><h2>GENERATED KEYS</h2>
+<p>
+      When <span><strong class="command">dnssec-keygen</strong></span> completes
+      successfully,
+      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
+      to the standard output.  This is an identification string for
+      the key it has generated.
+    </p>
+<div class="itemizedlist"><ul type="disc">
+<li><p><code class="filename">nnnn</code> is the key name.
+        </p></li>
+<li><p><code class="filename">aaa</code> is the numeric representation
+          of the
+          algorithm.
+        </p></li>
+<li><p><code class="filename">iiiii</code> is the key identifier (or
+          footprint).
+        </p></li>
+</ul></div>
+<p><span><strong class="command">dnssec-keygen</strong></span> 
+      creates two file, with names based
+      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
+      contains the public key, and
+      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
+      private
+      key.
+    </p>
+<p>
+      The <code class="filename">.key</code> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
+    </p>
+<p>
+      The <code class="filename">.private</code> file contains algorithm
+      specific
+      fields.  For obvious security reasons, this file does not have
+      general read permission.
+    </p>
+<p>
+      Both <code class="filename">.key</code> and <code class="filename">.private</code>
+      files are generated for symmetric encryption algorithm such as
+      HMAC-MD5, even though the public and private key are equivalent.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2598074"></a><h2>EXAMPLE</h2>
+<p>
+      To generate a 768-bit DSA key for the domain
+      <strong class="userinput"><code>example.com</code></strong>, the following command would be
+      issued:
+    </p>
+<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
+    </p>
+<p>
+      The command would print a string of the form:
+    </p>
+<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
+    </p>
+<p>
+      In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
+      the files <code class="filename">Kexample.com.+003+26160.key</code>
+      and
+      <code class="filename">Kexample.com.+003+26160.private</code>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2598131"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 2535</em>,
+      <em class="citetitle">RFC 2845</em>,
+      <em class="citetitle">RFC 2539</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2600824"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.host.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">host </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">dnssec-signzone</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.dnssec-signzone.html b/contrib/bind9/doc/arm/man.dnssec-signzone.html
new file mode 100644
index 0000000..84a7979
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.dnssec-signzone.html
@@ -0,0 +1,318 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.dnssec-signzone.html,v 1.2.2.35 2007/01/30 00:23:46 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-signzone</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
+<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2598526"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-signzone</strong></span>
+      signs a zone.  It generates
+      NSEC and RRSIG records and produces a signed version of the
+      zone. The security status of delegations from the signed zone
+      (that is, whether the child zones are secure or not) is
+      determined by the presence or absence of a
+      <code class="filename">keyset</code> file for each child zone.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2598546"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a</span></dt>
+<dd><p>
+            Verify all generated signatures.
+          </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+            Specifies the DNS class of the zone.
+          </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
+<dd><p>
+            Treat specified key as a key signing key ignoring any
+            key flags.  This option may be specified multiple times.
+          </p></dd>
+<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
+<dd><p>
+            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+            The domain is appended to the name of the records.
+          </p></dd>
+<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+            Look for <code class="filename">keyset</code> files in
+            <code class="option">directory</code> as the directory
+          </p></dd>
+<dt><span class="term">-g</span></dt>
+<dd><p>
+            Generate DS records for child zones from keyset files.
+            Existing DS records will be removed.
+          </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
+<dd><p>
+            Specify the date and time when the generated RRSIG records
+            become valid.  This can be either an absolute or relative
+            time.  An absolute start time is indicated by a number
+            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+            14:45:00 UTC on May 30th, 2000.  A relative start time is
+            indicated by +N, which is N seconds from the current time.
+            If no <code class="option">start-time</code> is specified, the current
+            time minus 1 hour (to allow for clock skew) is used.
+          </p></dd>
+<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
+<dd><p>
+            Specify the date and time when the generated RRSIG records
+            expire.  As with <code class="option">start-time</code>, an absolute
+            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
+            to the start time is indicated with +N, which is N seconds from
+            the start time.  A time relative to the current time is
+            indicated with now+N.  If no <code class="option">end-time</code> is
+            specified, 30 days from the start time is used as a default.
+          </p></dd>
+<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
+<dd><p>
+            The name of the output file containing the signed zone.  The
+            default is to append <code class="filename">.signed</code> to
+            the
+            input file.
+          </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+            Prints a short summary of the options and arguments to
+            <span><strong class="command">dnssec-signzone</strong></span>.
+          </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
+<dd>
+<p>
+            When a previously signed zone is passed as input, records
+            may be resigned.  The <code class="option">interval</code> option
+            specifies the cycle interval as an offset from the current
+            time (in seconds).  If a RRSIG record expires after the
+            cycle interval, it is retained.  Otherwise, it is considered
+            to be expiring soon, and it will be replaced.
+          </p>
+<p>
+            The default cycle interval is one quarter of the difference
+            between the signature end and start times.  So if neither
+            <code class="option">end-time</code> or <code class="option">start-time</code>
+            are specified, <span><strong class="command">dnssec-signzone</strong></span>
+            generates
+            signatures that are valid for 30 days, with a cycle
+            interval of 7.5 days.  Therefore, if any existing RRSIG records
+            are due to expire in less than 7.5 days, they would be
+            replaced.
+          </p>
+</dd>
+<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
+<dd><p>
+            The format of the input zone file.
+	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
+	    and <span><strong class="command">"raw"</strong></span>.
+	    This option is primarily intended to be used for dynamic
+            signed zones so that the dumped zone file in a non-text
+            format containing updates can be signed directly.
+	    The use of this option does not make much sense for
+	    non-dynamic zones.
+          </p></dd>
+<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
+<dd>
+<p>
+            When signing a zone with a fixed signature lifetime, all
+            RRSIG records issued at the time of signing expires
+            simultaneously.  If the zone is incrementally signed, i.e.
+            a previously signed zone is passed as input to the signer,
+            all expired signatures has to be regenerated at about the
+            same time.  The <code class="option">jitter</code> option specifies a
+            jitter window that will be used to randomize the signature
+            expire time, thus spreading incremental signature
+            regeneration over time.
+          </p>
+<p>
+            Signature lifetime jitter also to some extent benefits
+            validators and servers by spreading out cache expiration,
+            i.e. if large numbers of RRSIGs don't expire at the same time
+            from all caches there will be less congestion than if all
+            validators need to refetch at mostly the same time.
+          </p>
+</dd>
+<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
+<dd><p>
+            Specifies the number of threads to use.  By default, one
+            thread is started for each detected CPU.
+          </p></dd>
+<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
+<dd>
+<p>
+            The SOA serial number format of the signed zone.
+	    Possible formats are <span><strong class="command">"keep"</strong></span> (default),
+            <span><strong class="command">"increment"</strong></span> and
+	    <span><strong class="command">"unixtime"</strong></span>.
+          </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
+<dd><p>Do not modify the SOA serial number.</p></dd>
+<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
+<dd><p>Increment the SOA serial number using RFC 1982
+                      arithmetics.</p></dd>
+<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
+<dd><p>Set the SOA serial number to the number of seconds
+	        since epoch.</p></dd>
+</dl></div>
+</dd>
+<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
+<dd><p>
+            The zone origin.  If not specified, the name of the zone file
+            is assumed to be the origin.
+          </p></dd>
+<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
+<dd><p>
+            The format of the output file containing the signed zone.
+	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
+	    and <span><strong class="command">"raw"</strong></span>.
+          </p></dd>
+<dt><span class="term">-p</span></dt>
+<dd><p>
+            Use pseudo-random data when signing the zone.  This is faster,
+            but less secure, than using real random data.  This option
+            may be useful when signing large zones or when the entropy
+            source is limited.
+          </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
+<dd><p>
+            Specifies the source of randomness.  If the operating
+            system does not provide a <code class="filename">/dev/random</code>
+            or equivalent device, the default source of randomness
+            is keyboard input.  <code class="filename">randomdev</code>
+            specifies
+            the name of a character device or file containing random
+            data to be used instead of the default.  The special value
+            <code class="filename">keyboard</code> indicates that keyboard
+            input should be used.
+          </p></dd>
+<dt><span class="term">-t</span></dt>
+<dd><p>
+            Print statistics at completion.
+          </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+            Sets the debugging level.
+          </p></dd>
+<dt><span class="term">-z</span></dt>
+<dd><p>
+            Ignore KSK flag on key when determining what to sign.
+          </p></dd>
+<dt><span class="term">zonefile</span></dt>
+<dd><p>
+            The file containing the zone to be signed.
+          </p></dd>
+<dt><span class="term">key</span></dt>
+<dd><p>
+            The keys used to sign the zone.  If no keys are specified, the
+            default all zone keys that have private key files in the
+            current directory.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2623261"></a><h2>EXAMPLE</h2>
+<p>
+      The following command signs the <strong class="userinput"><code>example.com</code></strong>
+      zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
+      man page.  The zone's keys must be in the zone.  If there are
+      <code class="filename">keyset</code> files associated with child
+      zones,
+      they must be in the current directory.
+      <strong class="userinput"><code>example.com</code></strong>, the following command would be
+      issued:
+    </p>
+<p><strong class="userinput"><code>dnssec-signzone -o example.com db.example.com
+        Kexample.com.+003+26160</code></strong>
+    </p>
+<p>
+      The command would print a string of the form:
+    </p>
+<p>
+      In this example, <span><strong class="command">dnssec-signzone</strong></span> creates
+      the file <code class="filename">db.example.com.signed</code>.  This
+      file
+      should be referenced in a zone statement in a
+      <code class="filename">named.conf</code> file.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2641212"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 2535</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2652706"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">dnssec-keygen</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">named-checkconf</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.host.html b/contrib/bind9/doc/arm/man.host.html
new file mode 100644
index 0000000..4d3e6f3
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.host.html
@@ -0,0 +1,249 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.host.html,v 1.2.2.36 2007/01/30 00:23:46 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>host</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.dig.html" title="dig">
+<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center">host</th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.dig.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.host"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p>host &#8212; DNS lookup utility</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2596643"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">host</strong></span>
+      is a simple utility for performing DNS lookups.
+      It is normally used to convert names to IP addresses and vice versa.
+      When no arguments or options are given,
+      <span><strong class="command">host</strong></span>
+      prints a short summary of its command line arguments and options.
+    </p>
+<p><em class="parameter"><code>name</code></em> is the domain name that is to be
+      looked
+      up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
+      IPv6 address, in which case <span><strong class="command">host</strong></span> will by
+      default
+      perform a reverse lookup for that address.
+      <em class="parameter"><code>server</code></em> is an optional argument which
+      is either
+      the name or IP address of the name server that <span><strong class="command">host</strong></span>
+      should query instead of the server or servers listed in
+      <code class="filename">/etc/resolv.conf</code>.
+    </p>
+<p>
+      The <code class="option">-a</code> (all) option is equivalent to setting the
+      <code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make
+      a query of type ANY.
+    </p>
+<p>
+      When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span>
+      will attempt to display the SOA records for zone
+      <em class="parameter"><code>name</code></em> from all the listed
+      authoritative name
+      servers for that zone.  The list of name servers is defined by the NS
+      records that are found for the zone.
+    </p>
+<p>
+      The <code class="option">-c</code> option instructs to make a DNS query of class
+      <em class="parameter"><code>class</code></em>.  This can be used to lookup
+      Hesiod or
+      Chaosnet class resource records.  The default class is IN (Internet).
+    </p>
+<p>
+      Verbose output is generated by <span><strong class="command">host</strong></span> when
+      the
+      <code class="option">-d</code> or <code class="option">-v</code> option is used.  The two
+      options are equivalent.  They have been provided for backwards
+      compatibility.  In previous versions, the <code class="option">-d</code> option
+      switched on debugging traces and <code class="option">-v</code> enabled verbose
+      output.
+    </p>
+<p>
+      List mode is selected by the <code class="option">-l</code> option.  This makes
+      <span><strong class="command">host</strong></span> perform a zone transfer for zone
+      <em class="parameter"><code>name</code></em>.  Transfer the zone printing out
+      the NS, PTR
+      and address records (A/AAAA).  If combined with <code class="option">-a</code>
+      all records will be printed.
+    </p>
+<p>
+      The <code class="option">-i</code>
+      option specifies that reverse lookups of IPv6 addresses should
+      use the IP6.INT domain as defined in RFC1886.
+      The default is to use IP6.ARPA.
+    </p>
+<p>
+      The <code class="option">-N</code> option sets the number of dots that have to be
+      in <em class="parameter"><code>name</code></em> for it to be considered
+      absolute.  The
+      default value is that defined using the ndots statement in
+      <code class="filename">/etc/resolv.conf</code>, or 1 if no ndots
+      statement is
+      present.  Names with fewer dots are interpreted as relative names and
+      will be searched for in the domains listed in the <span class="type">search</span>
+      or <span class="type">domain</span> directive in
+      <code class="filename">/etc/resolv.conf</code>.
+    </p>
+<p>
+      The number of UDP retries for a lookup can be changed with the
+      <code class="option">-R</code> option.  <em class="parameter"><code>number</code></em>
+      indicates
+      how many times <span><strong class="command">host</strong></span> will repeat a query
+      that does
+      not get answered.  The default number of retries is 1.  If
+      <em class="parameter"><code>number</code></em> is negative or zero, the
+      number of
+      retries will default to 1.
+    </p>
+<p>
+      Non-recursive queries can be made via the <code class="option">-r</code> option.
+      Setting this option clears the <span class="type">RD</span> &#8212; recursion
+      desired &#8212; bit in the query which <span><strong class="command">host</strong></span> makes.
+      This should mean that the name server receiving the query will not
+      attempt to resolve <em class="parameter"><code>name</code></em>.  The
+      <code class="option">-r</code> option enables <span><strong class="command">host</strong></span>
+      to mimic
+      the behaviour of a name server by making non-recursive queries and
+      expecting to receive answers to those queries that are usually
+      referrals to other name servers.
+    </p>
+<p>
+      By default <span><strong class="command">host</strong></span> uses UDP when making
+      queries.  The
+      <code class="option">-T</code> option makes it use a TCP connection when querying
+      the name server.  TCP will be automatically selected for queries that
+      require it, such as zone transfer (AXFR) requests.
+    </p>
+<p>
+      The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only
+      use IPv4 query transport.  The <code class="option">-6</code> option forces
+      <span><strong class="command">host</strong></span> to only use IPv6 query transport.
+    </p>
+<p>
+      The <code class="option">-t</code> option is used to select the query type.
+      <em class="parameter"><code>type</code></em> can be any recognised query
+      type: CNAME,
+      NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
+      <span><strong class="command">host</strong></span> automatically selects an appropriate
+      query
+      type.  By default it looks for A records, but if the
+      <code class="option">-C</code> option was given, queries will be made for SOA
+      records, and if <em class="parameter"><code>name</code></em> is a
+      dotted-decimal IPv4
+      address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will
+      query for PTR records.  If a query type of IXFR is chosen the starting
+      serial number can be specified by appending an equal followed by the
+      starting serial number (e.g. -t IXFR=12345678).
+    </p>
+<p>
+      The time to wait for a reply can be controlled through the
+      <code class="option">-W</code> and <code class="option">-w</code> options.  The
+      <code class="option">-W</code> option makes <span><strong class="command">host</strong></span>
+      wait for
+      <em class="parameter"><code>wait</code></em> seconds.  If <em class="parameter"><code>wait</code></em>
+      is less than one, the wait interval is set to one second.  When the
+      <code class="option">-w</code> option is used, <span><strong class="command">host</strong></span>
+      will
+      effectively wait forever for a reply.  The time to wait for a response
+      will be set to the number of seconds given by the hardware's maximum
+      value for an integer quantity.
+    </p>
+<p>
+      The <code class="option">-s</code> option tells <span><strong class="command">host</strong></span> 
+      <span class="emphasis"><em>not</em></span> to send the query to the next nameserver
+      if any server responds with a SERVFAIL response, which is the
+      reverse of normal stub resolver behaviour.
+    </p>
+<p>
+      The <code class="option">-m</code> can be used to set the memory usage debugging
+      flags
+      <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em> and
+      <em class="parameter"><code>trace</code></em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2597157"></a><h2>IDN SUPPORT</h2>
+<p>
+      If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
+      domain name) support, it can accept and display non-ASCII domain names. 
+      <span><strong class="command">host</strong></span> appropriately converts character encoding of
+      domain name before sending a request to DNS server or displaying a
+      reply from the server.
+      If you'd like to turn off the IDN support for some reason, defines
+      the <code class="envar">IDN_DISABLE</code> environment variable.
+      The IDN support is disabled if the variable is set when
+      <span><strong class="command">host</strong></span> runs.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2597186"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2597200"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.dig.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">dig </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">dnssec-keygen</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.named-checkconf.html b/contrib/bind9/doc/arm/man.named-checkconf.html
new file mode 100644
index 0000000..d71bb2e
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.named-checkconf.html
@@ -0,0 +1,129 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.named-checkconf.html,v 1.2.2.38 2007/01/30 00:23:46 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named-checkconf</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
+<link rel="next" href="man.named-checkzone.html" title="named-checkzone">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">named-checkconf</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.named-checkzone.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.named-checkconf"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2600049"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">named-checkconf</strong></span>
+      checks the syntax, but not the semantics, of a named
+      configuration file.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2600062"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+            chroot to <code class="filename">directory</code> so that
+            include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted named.
+          </p></dd>
+<dt><span class="term">-v</span></dt>
+<dd><p>
+            Print the version of the <span><strong class="command">named-checkconf</strong></span>
+            program and exit.
+          </p></dd>
+<dt><span class="term">-z</span></dt>
+<dd><p>
+            Perform a check load the master zonefiles found in
+            <code class="filename">named.conf</code>.
+          </p></dd>
+<dt><span class="term">-j</span></dt>
+<dd><p>
+            When loading a zonefile read the journal if it exists.
+          </p></dd>
+<dt><span class="term">filename</span></dt>
+<dd><p>
+            The name of the configuration file to be checked.  If not
+            specified, it defaults to <code class="filename">/etc/named.conf</code>.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2600164"></a><h2>RETURN VALUES</h2>
+<p><span><strong class="command">named-checkconf</strong></span>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2600178"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2600199"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.named-checkzone.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">dnssec-signzone</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">named-checkzone</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.named-checkzone.html b/contrib/bind9/doc/arm/man.named-checkzone.html
new file mode 100644
index 0000000..5f0b066
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.named-checkzone.html
@@ -0,0 +1,293 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.named-checkzone.html,v 1.2.2.40 2007/01/30 00:23:46 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named-checkzone</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.named-checkconf.html" title="named-checkconf">
+<link rel="next" href="man.named.html" title="named">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">named-checkzone</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.named-checkconf.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.named-checkzone"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> &#8212; zone file validity checking or converting tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2602354"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">named-checkzone</strong></span>
+      checks the syntax and integrity of a zone file.  It performs the
+      same checks as <span><strong class="command">named</strong></span> does when loading a
+      zone.  This makes <span><strong class="command">named-checkzone</strong></span> useful for
+      checking zone files before configuring them into a name server.
+    </p>
+<p>
+        <span><strong class="command">named-compilezone</strong></span> is similar to
+	<span><strong class="command">named-checkzone</strong></span>, but it always dumps the
+        zone contents to a specified file in a specified format.
+	Additionally, it applies stricter check levels by default,
+        since the dump output will be used as an actual zone file
+	loaded by <span><strong class="command">named</strong></span>.
+	When manaully specified otherwise, the check levels must at
+        least be as strict as those specified in the
+	<span><strong class="command">named</strong></span> configuration file.
+     </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2602404"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-d</span></dt>
+<dd><p>
+            Enable debugging.
+          </p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+            Quiet mode - exit code only.
+          </p></dd>
+<dt><span class="term">-v</span></dt>
+<dd><p>
+            Print the version of the <span><strong class="command">named-checkzone</strong></span>
+            program and exit.
+          </p></dd>
+<dt><span class="term">-j</span></dt>
+<dd><p>
+            When loading the zone file read the journal if it exists.
+          </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+            Specify the class of the zone.  If not specified "IN" is assumed.
+          </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
+<dd>
+<p>
+	      Perform post load zone integrity checks.  Possible modes are
+	      <span><strong class="command">"full"</strong></span> (default),
+	      <span><strong class="command">"full-sibling"</strong></span>,
+	      <span><strong class="command">"local"</strong></span>,
+	      <span><strong class="command">"local-sibling"</strong></span> and
+	      <span><strong class="command">"none"</strong></span>.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"full"</strong></span> checks that MX records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <span><strong class="command">"local"</strong></span> only
+	      checks MX records which refer to in-zone hostnames.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"full"</strong></span> checks that SRV records
+	      refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  Mode <span><strong class="command">"local"</strong></span> only
+	      checks SRV records which refer to in-zone hostnames.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"full"</strong></span> checks that delegation NS
+	      records refer to A or AAAA record (both in-zone and out-of-zone
+	      hostnames).  It also checks that glue addresses records
+	      in the zone match those advertised by the child.
+	      Mode <span><strong class="command">"local"</strong></span> only checks NS records which
+	      refer to in-zone hostnames or that some required glue exists,
+	      that is when the nameserver is in a child zone.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"full-sibling"</strong></span> and
+	      <span><strong class="command">"local-sibling"</strong></span> disable sibling glue
+	      checks but are otherwise the same as <span><strong class="command">"full"</strong></span>
+	      and <span><strong class="command">"local"</strong></span> respectively.
+	  </p>
+<p>
+	      Mode <span><strong class="command">"none"</strong></span> disables the checks.
+	  </p>
+</dd>
+<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
+<dd><p>
+	    Specify the format of the zone file.
+	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
+	    and <span><strong class="command">"raw"</strong></span>.
+	  </p></dd>
+<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
+<dd><p>
+	    Specify the format of the output file specified.
+	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
+	    and <span><strong class="command">"raw"</strong></span>.
+	    For <span><strong class="command">named-checkzone</strong></span>,
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	  </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+            Perform <span><strong class="command">"check-names"</strong></span> checks with the
+	    specified failure mode.
+            Possible modes are <span><strong class="command">"fail"</strong></span>
+	    (default for <span><strong class="command">named-compilezone</strong></span>),
+            <span><strong class="command">"warn"</strong></span>
+	    (default for <span><strong class="command">named-checkzone</strong></span>) and
+            <span><strong class="command">"ignore"</strong></span>.
+          </p></dd>
+<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+            Specify whether MX records should be checked to see if they
+            are addresses.  Possible modes are <span><strong class="command">"fail"</strong></span>,
+            <span><strong class="command">"warn"</strong></span> (default) and
+            <span><strong class="command">"ignore"</strong></span>.
+          </p></dd>
+<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+	    Check if a MX record refers to a CNAME.
+            Possible modes are <span><strong class="command">"fail"</strong></span>,
+            <span><strong class="command">"warn"</strong></span> (default) and
+            <span><strong class="command">"ignore"</strong></span>.
+	  </p></dd>
+<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+            Specify whether NS records should be checked to see if they
+            are addresses.
+	    Possible modes are <span><strong class="command">"fail"</strong></span>
+	    (default for <span><strong class="command">named-compilezone</strong></span>),
+            <span><strong class="command">"warn"</strong></span>
+	    (default for <span><strong class="command">named-checkzone</strong></span>) and
+            <span><strong class="command">"ignore"</strong></span>.
+          </p></dd>
+<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
+<dd><p>
+            Write zone output to <code class="filename">filename</code>.
+	    This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
+          </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
+<dd><p>
+	    Specify the style of the dumped zone file.
+	    Possible styles are <span><strong class="command">"full"</strong></span> (default)
+	    and <span><strong class="command">"relative"</strong></span>.
+	    The full format is most suitable for processing
+	    automatically by a separate script.
+	    On the other hand, the relative format is more
+	    human-readable and is thus suitable for editing by hand.
+	    For <span><strong class="command">named-checkzone</strong></span>
+	    this does not cause any effects unless it dumps the zone
+	    contents.
+	    It also does not have any meaning if the output format
+	    is not text.
+	  </p></dd>
+<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+	    Check if a SRV record refers to a CNAME.
+            Possible modes are <span><strong class="command">"fail"</strong></span>,
+            <span><strong class="command">"warn"</strong></span> (default) and
+            <span><strong class="command">"ignore"</strong></span>.
+	  </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+            chroot to <code class="filename">directory</code> so that
+            include
+            directives in the configuration file are processed as if
+            run by a similarly chrooted named.
+          </p></dd>
+<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+            chdir to <code class="filename">directory</code> so that
+            relative
+            filenames in master file $INCLUDE directives work.  This
+            is similar to the directory clause in
+            <code class="filename">named.conf</code>.
+          </p></dd>
+<dt><span class="term">-D</span></dt>
+<dd><p>
+            Dump zone file in canonical format.
+	    This is always enabled for <span><strong class="command">named-compilezone</strong></span>.
+          </p></dd>
+<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+            Specify whether to check for non-terminal wildcards.
+            Non-terminal wildcards are almost always the result of a
+            failure to understand the wildcard matching algorithm (RFC 1034).
+            Possible modes are <span><strong class="command">"warn"</strong></span> (default)
+            and
+            <span><strong class="command">"ignore"</strong></span>.
+          </p></dd>
+<dt><span class="term">zonename</span></dt>
+<dd><p>
+            The domain name of the zone being checked.
+          </p></dd>
+<dt><span class="term">filename</span></dt>
+<dd><p>
+            The name of the zone file.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2654862"></a><h2>RETURN VALUES</h2>
+<p><span><strong class="command">named-checkzone</strong></span>
+      returns an exit status of 1 if
+      errors were detected and 0 otherwise.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2654876"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <em class="citetitle">RFC 1035</em>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2654901"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.named-checkconf.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">named-checkconf</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">named</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.named.html b/contrib/bind9/doc/arm/man.named.html
new file mode 100644
index 0000000..4b44640
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.named.html
@@ -0,0 +1,280 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.named.html,v 1.2.2.43 2007/02/02 04:33:09 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.named-checkzone.html" title="named-checkzone">
+<link rel="next" href="man.rndc.html" title="rndc">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">named</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.named"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">named</span> &#8212; Internet domain name server</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2602900"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">named</strong></span>
+      is a Domain Name System (DNS) server,
+      part of the BIND 9 distribution from ISC.  For more
+      information on the DNS, see RFCs 1033, 1034, and 1035.
+    </p>
+<p>
+      When invoked without arguments, <span><strong class="command">named</strong></span>
+      will
+      read the default configuration file
+      <code class="filename">/etc/named.conf</code>, read any initial
+      data, and listen for queries.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2602931"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-4</span></dt>
+<dd><p>
+            Use IPv4 only even if the host machine is capable of IPv6.
+            <code class="option">-4</code> and <code class="option">-6</code> are mutually
+            exclusive.
+          </p></dd>
+<dt><span class="term">-6</span></dt>
+<dd><p>
+            Use IPv6 only even if the host machine is capable of IPv4.
+            <code class="option">-4</code> and <code class="option">-6</code> are mutually
+            exclusive.
+          </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
+<dd><p>
+            Use <em class="replaceable"><code>config-file</code></em> as the
+            configuration file instead of the default,
+            <code class="filename">/etc/named.conf</code>.  To
+            ensure that reloading the configuration file continues
+            to work after the server has changed its working
+            directory due to to a possible
+            <code class="option">directory</code> option in the configuration
+            file, <em class="replaceable"><code>config-file</code></em> should be
+            an absolute pathname.
+          </p></dd>
+<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
+<dd><p>
+            Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
+            Debugging traces from <span><strong class="command">named</strong></span> become
+            more verbose as the debug level increases.
+          </p></dd>
+<dt><span class="term">-f</span></dt>
+<dd><p>
+            Run the server in the foreground (i.e. do not daemonize).
+          </p></dd>
+<dt><span class="term">-g</span></dt>
+<dd><p>
+            Run the server in the foreground and force all logging
+            to <code class="filename">stderr</code>.
+          </p></dd>
+<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
+<dd><p>
+            Create <em class="replaceable"><code>#cpus</code></em> worker threads
+            to take advantage of multiple CPUs.  If not specified,
+            <span><strong class="command">named</strong></span> will try to determine the
+            number of CPUs present and create one thread per CPU.
+            If it is unable to determine the number of CPUs, a
+            single worker thread will be created.
+          </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
+<dd><p>
+            Listen for queries on port <em class="replaceable"><code>port</code></em>.  If not
+            specified, the default is port 53.
+          </p></dd>
+<dt><span class="term">-s</span></dt>
+<dd>
+<p>
+            Write memory usage statistics to <code class="filename">stdout</code> on exit.
+          </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+              This option is mainly of interest to BIND 9 developers
+              and may be removed or changed in a future release.
+            </p>
+</div>
+</dd>
+<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
+<dd>
+<p><code class="function">chroot()</code>
+	    to <em class="replaceable"><code>directory</code></em> after
+            processing the command line arguments, but before
+            reading the configuration file.
+          </p>
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Warning</h3>
+<p>
+              This option should be used in conjunction with the
+              <code class="option">-u</code> option, as chrooting a process
+              running as root doesn't enhance security on most
+              systems; the way <code class="function">chroot()</code> is
+              defined allows a process with root privileges to
+              escape a chroot jail.
+            </p>
+</div>
+</dd>
+<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
+<dd>
+<p><code class="function">setuid()</code>
+	    to <em class="replaceable"><code>user</code></em> after completing
+            privileged operations, such as creating sockets that
+            listen on privileged ports.
+          </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+              On Linux, <span><strong class="command">named</strong></span> uses the kernel's
+              		capability mechanism to drop all root privileges
+              except the ability to <code class="function">bind()</code> to
+              a
+              privileged port and set process resource limits.
+              Unfortunately, this means that the <code class="option">-u</code>
+              option only works when <span><strong class="command">named</strong></span> is
+              run
+              on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
+              later, since previous kernels did not allow privileges
+              to be retained after <code class="function">setuid()</code>.
+            </p>
+</div>
+</dd>
+<dt><span class="term">-v</span></dt>
+<dd><p>
+            Report the version number and exit.
+          </p></dd>
+<dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
+<dd>
+<p>
+            Load data from <em class="replaceable"><code>cache-file</code></em> into the
+            cache of the default view.
+          </p>
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Warning</h3>
+<p>
+              This option must not be used.  It is only of interest
+              to BIND 9 developers and may be removed or changed in a
+              future release.
+            </p>
+</div>
+</dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604871"></a><h2>SIGNALS</h2>
+<p>
+      In routine operation, signals should not be used to control
+      the nameserver; <span><strong class="command">rndc</strong></span> should be used
+      instead.
+    </p>
+<div class="variablelist"><dl>
+<dt><span class="term">SIGHUP</span></dt>
+<dd><p>
+            Force a reload of the server.
+          </p></dd>
+<dt><span class="term">SIGINT, SIGTERM</span></dt>
+<dd><p>
+            Shut down the server.
+          </p></dd>
+</dl></div>
+<p>
+      The result of sending any other signals to the server is undefined.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604921"></a><h2>CONFIGURATION</h2>
+<p>
+      The <span><strong class="command">named</strong></span> configuration file is too complex
+      to describe in detail here.  A complete description is provided
+      in the
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604940"></a><h2>FILES</h2>
+<div class="variablelist"><dl>
+<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
+<dd><p>
+            The default configuration file.
+          </p></dd>
+<dt><span class="term"><code class="filename">/var/run/named.pid</code></span></dt>
+<dd><p>
+            The default process-id file.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604984"></a><h2>SEE ALSO</h2>
+<p><em class="citetitle">RFC 1033</em>,
+      <em class="citetitle">RFC 1034</em>,
+      <em class="citetitle">RFC 1035</em>,
+      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605035"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">named-checkzone</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">rndc</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.rndc-confgen.html b/contrib/bind9/doc/arm/man.rndc-confgen.html
new file mode 100644
index 0000000..25186f2
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.rndc-confgen.html
@@ -0,0 +1,222 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.rndc-confgen.html,v 1.2.2.44 2007/02/02 04:33:09 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>rndc-confgen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.rndc.conf.html" title="rndc.conf">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">rndc-confgen</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> </td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.rndc-confgen"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605267"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">rndc-confgen</strong></span>
+      generates configuration files
+      for <span><strong class="command">rndc</strong></span>.  It can be used as a
+      convenient alternative to writing the
+      <code class="filename">rndc.conf</code> file
+      and the corresponding <span><strong class="command">controls</strong></span>
+      and <span><strong class="command">key</strong></span>
+      statements in <code class="filename">named.conf</code> by hand.
+      Alternatively, it can be run with the <span><strong class="command">-a</strong></span>
+      option to set up a <code class="filename">rndc.key</code> file and
+      avoid the need for a <code class="filename">rndc.conf</code> file
+      and a <span><strong class="command">controls</strong></span> statement altogether.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605469"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a</span></dt>
+<dd>
+<p>
+            Do automatic <span><strong class="command">rndc</strong></span> configuration.
+            This creates a file <code class="filename">rndc.key</code>
+            in <code class="filename">/etc</code> (or whatever
+            <code class="varname">sysconfdir</code>
+            was specified as when <acronym class="acronym">BIND</acronym> was
+            built)
+            that is read by both <span><strong class="command">rndc</strong></span>
+            and <span><strong class="command">named</strong></span> on startup.  The
+            <code class="filename">rndc.key</code> file defines a default
+            command channel and authentication key allowing
+            <span><strong class="command">rndc</strong></span> to communicate with
+            <span><strong class="command">named</strong></span> on the local host
+            with no further configuration.
+          </p>
+<p>
+            Running <span><strong class="command">rndc-confgen -a</strong></span> allows
+            BIND 9 and <span><strong class="command">rndc</strong></span> to be used as
+            drop-in
+            replacements for BIND 8 and <span><strong class="command">ndc</strong></span>,
+            with no changes to the existing BIND 8
+            <code class="filename">named.conf</code> file.
+          </p>
+<p>
+            If a more elaborate configuration than that
+            generated by <span><strong class="command">rndc-confgen -a</strong></span>
+            is required, for example if rndc is to be used remotely,
+            you should run <span><strong class="command">rndc-confgen</strong></span> without
+            the
+            <span><strong class="command">-a</strong></span> option and set up a
+            <code class="filename">rndc.conf</code> and
+            <code class="filename">named.conf</code>
+            as directed.
+          </p>
+</dd>
+<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
+<dd><p>
+            Specifies the size of the authentication key in bits.
+            Must be between 1 and 512 bits; the default is 128.
+          </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
+<dd><p>
+            Used with the <span><strong class="command">-a</strong></span> option to specify
+            an alternate location for <code class="filename">rndc.key</code>.
+          </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+            Prints a short summary of the options and arguments to
+            <span><strong class="command">rndc-confgen</strong></span>.
+          </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
+<dd><p>
+            Specifies the key name of the rndc authentication key.
+            This must be a valid domain name.
+            The default is <code class="constant">rndc-key</code>.
+          </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
+<dd><p>
+            Specifies the command channel port where <span><strong class="command">named</strong></span>
+            listens for connections from <span><strong class="command">rndc</strong></span>.
+            The default is 953.
+          </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
+<dd><p>
+            Specifies a source of random data for generating the
+            authorization.  If the operating
+            system does not provide a <code class="filename">/dev/random</code>
+            or equivalent device, the default source of randomness
+            is keyboard input.  <code class="filename">randomdev</code>
+            specifies
+            the name of a character device or file containing random
+            data to be used instead of the default.  The special value
+            <code class="filename">keyboard</code> indicates that keyboard
+            input should be used.
+          </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
+<dd><p>
+            Specifies the IP address where <span><strong class="command">named</strong></span>
+            listens for command channel connections from
+            <span><strong class="command">rndc</strong></span>.  The default is the loopback
+            address 127.0.0.1.
+          </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
+<dd><p>
+            Used with the <span><strong class="command">-a</strong></span> option to specify
+            a directory where <span><strong class="command">named</strong></span> will run
+            chrooted.  An additional copy of the <code class="filename">rndc.key</code>
+            will be written relative to this directory so that
+            it will be found by the chrooted <span><strong class="command">named</strong></span>.
+          </p></dd>
+<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
+<dd><p>
+            Used with the <span><strong class="command">-a</strong></span> option to set the
+            owner
+            of the <code class="filename">rndc.key</code> file generated.
+            If
+            <span><strong class="command">-t</strong></span> is also specified only the file
+            in
+            the chroot area has its owner changed.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605856"></a><h2>EXAMPLES</h2>
+<p>
+      To allow <span><strong class="command">rndc</strong></span> to be used with
+      no manual configuration, run
+    </p>
+<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
+    </p>
+<p>
+      To print a sample <code class="filename">rndc.conf</code> file and
+      corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span>
+      statements to be manually inserted into <code class="filename">named.conf</code>,
+      run
+    </p>
+<p><strong class="userinput"><code>rndc-confgen</code></strong>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605912"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2608476"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> </td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<code class="filename">rndc.conf</code> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> </td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.rndc.conf.html b/contrib/bind9/doc/arm/man.rndc.conf.html
new file mode 100644
index 0000000..7e873ba
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.rndc.conf.html
@@ -0,0 +1,255 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.rndc.conf.html,v 1.2.2.43 2007/02/02 04:33:09 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>rndc.conf</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.rndc.html" title="rndc">
+<link rel="next" href="man.rndc-confgen.html" title="rndc-confgen">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><code class="filename">rndc.conf</code></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.rndc.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.rndc-confgen.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.rndc.conf"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><code class="filename">rndc.conf</code> &#8212; rndc configuration file</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604307"></a><h2>DESCRIPTION</h2>
+<p><code class="filename">rndc.conf</code> is the configuration file
+      for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
+      utility.  This file has a similar structure and syntax to
+      <code class="filename">named.conf</code>.  Statements are enclosed
+      in braces and terminated with a semi-colon.  Clauses in
+      the statements are also semi-colon terminated.  The usual
+      comment styles are supported:
+    </p>
+<p>
+      C style: /* */
+    </p>
+<p>
+      C++ style: // to end of line
+    </p>
+<p>
+      Unix style: # to end of line
+    </p>
+<p><code class="filename">rndc.conf</code> is much simpler than
+      <code class="filename">named.conf</code>.  The file uses three
+      statements: an options statement, a server statement
+      and a key statement.
+    </p>
+<p>
+      The <code class="option">options</code> statement contains five clauses.
+      The <code class="option">default-server</code> clause is followed by the
+      name or address of a name server.  This host will be used when
+      no name server is given as an argument to
+      <span><strong class="command">rndc</strong></span>.  The <code class="option">default-key</code>
+      clause is followed by the name of a key which is identified by
+      a <code class="option">key</code> statement.  If no
+      <code class="option">keyid</code> is provided on the rndc command line,
+      and no <code class="option">key</code> clause is found in a matching
+      <code class="option">server</code> statement, this default key will be
+      used to authenticate the server's commands and responses.  The
+      <code class="option">default-port</code> clause is followed by the port
+      to connect to on the remote name server.  If no
+      <code class="option">port</code> option is provided on the rndc command
+      line, and no <code class="option">port</code> clause is found in a
+      matching <code class="option">server</code> statement, this default port
+      will be used to connect.
+      The <code class="option">default-source-address</code> and
+      <code class="option">default-source-address-v6</code> clauses which
+      can be used to set the IPv4 and IPv6 source addresses
+      respectively.
+    </p>
+<p>
+      After the <code class="option">server</code> keyword, the server
+      statement includes a string which is the hostname or address
+      for a name server.  The statement has three possible clauses:
+      <code class="option">key</code>, <code class="option">port</code> and
+      <code class="option">addresses</code>. The key name must match the
+      name of a key statement in the file.  The port number
+      specifies the port to connect to.  If an <code class="option">addresses</code>
+      clause is supplied these addresses will be used instead of
+      the server name.  Each address can take a optional port.
+      If an <code class="option">source-address</code> or <code class="option">source-address-v6</code>
+      of supplied then these will be used to specify the IPv4 and IPv6
+      source addresses respectively.
+    </p>
+<p>
+      The <code class="option">key</code> statement begins with an identifying
+      string, the name of the key.  The statement has two clauses.
+      <code class="option">algorithm</code> identifies the encryption algorithm
+      for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5
+      is
+      supported.  This is followed by a secret clause which contains
+      the base-64 encoding of the algorithm's encryption key.  The
+      base-64 string is enclosed in double quotes.
+    </p>
+<p>
+      There are two common ways to generate the base-64 string for the
+      secret.  The BIND 9 program <span><strong class="command">rndc-confgen</strong></span>
+      can
+      be used to generate a random key, or the
+      <span><strong class="command">mmencode</strong></span> program, also known as
+      <span><strong class="command">mimencode</strong></span>, can be used to generate a
+      base-64
+      string from known input.  <span><strong class="command">mmencode</strong></span> does
+      not
+      ship with BIND 9 but is available on many systems.  See the
+      EXAMPLE section for sample command lines for each.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604478"></a><h2>EXAMPLE</h2>
+<pre class="programlisting">
+      options {
+        default-server  localhost;
+        default-key     samplekey;
+      };
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
+      server localhost {
+        key             samplekey;
+      };
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
+      server testserver {
+        key		testkey;
+        addresses	{ localhost port 5353; };
+      };
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
+      key samplekey {
+        algorithm       hmac-md5;
+        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
+      };
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
+      key testkey {
+        algorithm	hmac-md5;
+        secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
+      }
+    </pre>
+<p>
+    </p>
+<p>
+      In the above example, <span><strong class="command">rndc</strong></span> will by
+      default use
+      the server at localhost (127.0.0.1) and the key called samplekey.
+      Commands to the localhost server will use the samplekey key, which
+      must also be defined in the server's configuration file with the
+      same name and secret.  The key statement indicates that samplekey
+      uses the HMAC-MD5 algorithm and its secret clause contains the
+      base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
+    </p>
+<p>
+      If <span><strong class="command">rndc -s testserver</strong></span> is used then <span><strong class="command">rndc</strong></span> will
+      connect to server on localhost port 5353 using the key testkey.
+    </p>
+<p>
+      To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>:
+    </p>
+<p><strong class="userinput"><code>rndc-confgen</code></strong>
+    </p>
+<p>
+      A complete <code class="filename">rndc.conf</code> file, including
+      the
+      randomly generated key, will be written to the standard
+      output.  Commented out <code class="option">key</code> and
+      <code class="option">controls</code> statements for
+      <code class="filename">named.conf</code> are also printed.
+    </p>
+<p>
+      To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>:
+    </p>
+<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605078"></a><h2>NAME SERVER CONFIGURATION</h2>
+<p>
+      The name server must be configured to accept rndc connections and
+      to recognize the key specified in the <code class="filename">rndc.conf</code>
+      file, using the controls statement in <code class="filename">named.conf</code>.
+      See the sections on the <code class="option">controls</code> statement in the
+      BIND 9 Administrator Reference Manual for details.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605104"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605142"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.rndc.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.rndc-confgen.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">rndc</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">rndc-confgen</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.rndc.html b/contrib/bind9/doc/arm/man.rndc.html
new file mode 100644
index 0000000..efe4bd0
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.rndc.html
@@ -0,0 +1,203 @@
+<!--
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.rndc.html,v 1.2.2.42 2007/02/02 04:33:09 marka Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>rndc</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.named.html" title="named">
+<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.named.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.rndc"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">rndc</span> &#8212; name server control utility</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2603458"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">rndc</strong></span>
+      controls the operation of a name
+      server.  It supersedes the <span><strong class="command">ndc</strong></span> utility
+      that was provided in old BIND releases.  If
+      <span><strong class="command">rndc</strong></span> is invoked with no command line
+      options or arguments, it prints a short summary of the
+      supported commands and the available options and their
+      arguments.
+    </p>
+<p><span><strong class="command">rndc</strong></span>
+      communicates with the name server
+      over a TCP connection, sending commands authenticated with
+      digital signatures.  In the current versions of
+      <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span> named
+      the only supported authentication algorithm is HMAC-MD5,
+      which uses a shared secret on each end of the connection.
+      This provides TSIG-style authentication for the command
+      request and the name server's response.  All commands sent
+      over the channel must be signed by a key_id known to the
+      server.
+    </p>
+<p><span><strong class="command">rndc</strong></span>
+      reads a configuration file to
+      determine how to contact the name server and decide what
+      algorithm and key it should use.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2603508"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
+<dd><p>
+            Use <em class="replaceable"><code>source-address</code></em>
+            as the source address for the connection to the server.
+            Multiple instances are permitted to allow setting of both
+            the IPv4 and IPv6 source addresses.
+          </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
+<dd><p>
+            Use <em class="replaceable"><code>config-file</code></em>
+            as the configuration file instead of the default,
+            <code class="filename">/etc/rndc.conf</code>.
+          </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
+<dd><p>
+            Use <em class="replaceable"><code>key-file</code></em>
+            as the key file instead of the default,
+            <code class="filename">/etc/rndc.key</code>.  The key in
+            <code class="filename">/etc/rndc.key</code> will be used to
+            authenticate
+            commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
+            does not exist.
+          </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
+<dd><p><em class="replaceable"><code>server</code></em> is
+            	       the name or address of the server which matches a
+            server statement in the configuration file for
+            <span><strong class="command">rndc</strong></span>.  If no server is supplied on
+            the
+            command line, the host named by the default-server clause
+            in the option statement of the configuration file will be
+            used.
+          </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
+<dd><p>
+            Send commands to TCP port
+            <em class="replaceable"><code>port</code></em>
+            instead
+            of BIND 9's default control channel port, 953.
+          </p></dd>
+<dt><span class="term">-V</span></dt>
+<dd><p>
+            Enable verbose logging.
+          </p></dd>
+<dt><span class="term">-y <em class="replaceable"><code>keyid</code></em></span></dt>
+<dd><p>
+            Use the key <em class="replaceable"><code>keyid</code></em>
+            from the configuration file.
+            <em class="replaceable"><code>keyid</code></em>
+            must be
+            known by named with the same algorithm and secret string
+            in order for control message validation to succeed.
+            If no <em class="replaceable"><code>keyid</code></em>
+            is specified, <span><strong class="command">rndc</strong></span> will first look
+            for a key clause in the server statement of the server
+            being used, or if no server statement is present for that
+            host, then the default-key clause of the options statement.
+            Note that the configuration file contains shared secrets
+            which are used to send authenticated control commands
+            to name servers.  It should therefore not have general read
+            or write access.
+          </p></dd>
+</dl></div>
+<p>
+      For the complete set of commands supported by <span><strong class="command">rndc</strong></span>,
+      see the BIND 9 Administrator Reference Manual or run
+      <span><strong class="command">rndc</strong></span> without arguments to see its help
+      message.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604136"></a><h2>LIMITATIONS</h2>
+<p><span><strong class="command">rndc</strong></span>
+      does not yet support all the commands of
+      the BIND 8 <span><strong class="command">ndc</strong></span> utility.
+    </p>
+<p>
+      There is currently no way to provide the shared secret for a
+      <code class="option">key_id</code> without using the configuration file.
+    </p>
+<p>
+      Several error messages could be clearer.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604167"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>
+      <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604282"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.named.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">named</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <code class="filename">rndc.conf</code>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-12.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-12.txt
new file mode 100644
index 0000000..07749d9
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-12.txt
@@ -0,0 +1,674 @@
+
+
+
+
+DNSEXT                                                          M. Stapp
+Internet-Draft                                       Cisco Systems, Inc.
+Expires: September 1, 2006                                      T. Lemon
+                                                           Nominum, Inc.
+                                                           A. Gustafsson
+                                          Araneus Information Systems Oy
+                                                       February 28, 2006
+
+
+           A DNS RR for Encoding DHCP Information (DHCID RR)
+                  <draft-ietf-dnsext-dhcid-rr-12.txt>
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on September 1, 2006.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   It is possible for DHCP clients to attempt to update the same DNS
+   FQDN or attempt to update a DNS FQDN that has been added to the DNS
+   for another purpose as they obtain DHCP leases.  Whether the DHCP
+   server or the clients themselves perform the DNS updates, conflicts
+   can arise.  To resolve such conflicts, "Resolution of DNS Name
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 1]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+   Conflicts" [1] proposes storing client identifiers in the DNS to
+   unambiguously associate domain names with the DHCP clients to which
+   they refer.  This memo defines a distinct RR type for this purpose
+   for use by DHCP clients and servers, the "DHCID" RR.
+
+
+Table of Contents
+
+   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
+   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
+   3.  The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . .  3
+     3.1.  DHCID RDATA format . . . . . . . . . . . . . . . . . . . .  3
+     3.2.  DHCID Presentation Format  . . . . . . . . . . . . . . . .  4
+     3.3.  The DHCID RR Identifier Type Codes . . . . . . . . . . . .  4
+     3.4.  The DHCID RR Digest Type Code  . . . . . . . . . . . . . .  4
+     3.5.  Computation of the RDATA . . . . . . . . . . . . . . . . .  5
+       3.5.1.  Using the Client's DUID  . . . . . . . . . . . . . . .  5
+       3.5.2.  Using the Client Identifier Option . . . . . . . . . .  5
+       3.5.3.  Using the Client's htype and chaddr  . . . . . . . . .  6
+     3.6.  Examples . . . . . . . . . . . . . . . . . . . . . . . . .  6
+       3.6.1.  Example 1  . . . . . . . . . . . . . . . . . . . . . .  6
+       3.6.2.  Example 2  . . . . . . . . . . . . . . . . . . . . . .  6
+       3.6.3.  Example 3  . . . . . . . . . . . . . . . . . . . . . .  7
+   4.  Use of the DHCID RR  . . . . . . . . . . . . . . . . . . . . .  7
+   5.  Updater Behavior . . . . . . . . . . . . . . . . . . . . . . .  8
+   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
+   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  8
+   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  9
+   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  9
+     9.1.  Normative References . . . . . . . . . . . . . . . . . . .  9
+     9.2.  Informative References . . . . . . . . . . . . . . . . . . 10
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
+   Intellectual Property and Copyright Statements . . . . . . . . . . 12
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 2]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+1.  Terminology
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119 [2].
+
+
+2.  Introduction
+
+   A set of procedures to allow DHCP [6] [10] clients and servers to
+   automatically update the DNS (RFC 1034 [3], RFC 1035 [4]) is proposed
+   in "Resolution of DNS Name Conflicts" [1].
+
+   Conflicts can arise if multiple DHCP clients wish to use the same DNS
+   name or a DHCP client attempts to use a name added for another
+   purpose.  To resolve such conflicts, "Resolution of DNS Name
+   Conflicts" [1] proposes storing client identifiers in the DNS to
+   unambiguously associate domain names with the DHCP clients using
+   them.  In the interest of clarity, it is preferable for this DHCP
+   information to use a distinct RR type.  This memo defines a distinct
+   RR for this purpose for use by DHCP clients or servers, the "DHCID"
+   RR.
+
+   In order to obscure potentially sensitive client identifying
+   information, the data stored is the result of a one-way SHA-256 hash
+   computation.  The hash includes information from the DHCP client's
+   message as well as the domain name itself, so that the data stored in
+   the DHCID RR will be dependent on both the client identification used
+   in the DHCP protocol interaction and the domain name.  This means
+   that the DHCID RDATA will vary if a single client is associated over
+   time with more than one name.  This makes it difficult to 'track' a
+   client as it is associated with various domain names.
+
+
+3.  The DHCID RR
+
+   The DHCID RR is defined with mnemonic DHCID and type code [TBD].  The
+   DHCID RR is only defined in the IN class.  DHCID RRs cause no
+   additional section processing.  The DHCID RR is not a singleton type.
+
+3.1.  DHCID RDATA format
+
+   The RDATA section of a DHCID RR in transmission contains RDLENGTH
+   octets of binary data.  The format of this data and its
+   interpretation by DHCP servers and clients are described below.
+
+   DNS software should consider the RDATA section to be opaque.  DHCP
+   clients or servers use the DHCID RR to associate a DHCP client's
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 3]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+   identity with a DNS name, so that multiple DHCP clients and servers
+   may deterministically perform dynamic DNS updates to the same zone.
+   From the updater's perspective, the DHCID resource record RDATA
+   consists of a 2-octet identifier type, in network byte order,
+   followed by a 1-octet digest type, followed by one or more octets
+   representing the actual identifier:
+
+           < 2 octets >    Identifier type code
+           < 1 octet >     Digest type code
+           < n octets >    Digest (length depends on digest type)
+
+3.2.  DHCID Presentation Format
+
+   In DNS master files, the RDATA is represented as a single block in
+   base 64 encoding identical to that used for representing binary data
+   in RFC 3548 [7].  The data may be divided up into any number of white
+   space separated substrings, down to single base 64 digits, which are
+   concatenated to form the complete RDATA.  These substrings can span
+   lines using the standard parentheses.
+
+3.3.  The DHCID RR Identifier Type Codes
+
+   The DHCID RR Identifier Type Code specifies what data from the DHCP
+   client's request was used as input into the hash function.  The
+   identifier type codes are defined in a registry maintained by IANA,
+   as specified in Section 7.  The initial list of assigned values for
+   the identifier type code is:
+
+   0x0000 = htype, chaddr from a DHCPv4 client's DHCPREQUEST [6].
+   0x0001 = The data octets (i.e., the Type and Client-Identifier
+      fields) from a DHCPv4 client's Client Identifier option [9].
+   0x0002 = The client's DUID (i.e., the data octets of a DHCPv6
+      client's Client Identifier option [10] or the DUID field from a
+      DHCPv4 client's Client Identifier option [12]).
+
+   0x0003 - 0xfffe = Available to be assigned by IANA.
+
+   0xffff = RESERVED
+
+3.4.  The DHCID RR Digest Type Code
+
+   The DHCID RR Digest Type Code is an identifier for the digest
+   algorithm used.  The digest is calculated over an identifier and the
+   canonical FQDN as described in the next section.
+
+   The digest type codes are defined in a registry maintained by IANA,
+   as specified in Section 7.  The initial list of assigned values for
+   the digest type codes is: value 0 is reserved and value 1 is SHA-256.
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 4]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+   Reserving other types requires IETF standards action.  Defining new
+   values will also require IETF standards action to document how DNS
+   updaters are to deal with multiple digest types.
+
+3.5.  Computation of the RDATA
+
+   The DHCID RDATA is formed by concatenating the 2-octet identifier
+   type code with variable-length data.
+
+   The RDATA for all type codes other than 0xffff, which is reserved for
+   future expansion, is formed by concatenating the 2-octet identifier
+   type code, the 1-octet digest type code, and the digest value (32
+   octets for SHA-256).
+
+       < identifier-type > < digest-type > < digest >
+
+   The input to the digest hash function is defined to be:
+
+       digest = SHA-256(< identifier > < FQDN >)
+
+   The FQDN is represented in the buffer in unambiguous canonical form
+   as described in RFC 4034 [8], section 6.1.  The identifier type code
+   and the identifier are related as specified in Section 3.3: the
+   identifier type code describes the source of the identifier.
+
+   A DHCPv4 updater uses the 0x0002 type code if a Client Identifier
+   option is present in the DHCPv4 messages and it is encoded as
+   specified in [12].  Otherwise, the updater uses 0x0001 if a Client
+   Identifier option is present and 0x0000 if not.
+
+   A DHCPv6 updater always uses the 0x0002 type code.
+
+3.5.1.  Using the Client's DUID
+
+   When the updater is using the Client's DUID (either from a DHCPv6
+   Client Identifier option or from a portion of the DHCPv4 Client
+   Identifier option encoded as specified in [12]), the first two octets
+   of the DHCID RR MUST be 0x0002, in network byte order.  The third
+   octet is the digest type code (1 for SHA-256).  The rest of the DHCID
+   RR MUST contain the results of computing the SHA-256 hash across the
+   octets of the DUID followed by the FQDN.
+
+3.5.2.  Using the Client Identifier Option
+
+   When the updater is using the DHCPv4 Client Identifier option sent by
+   the client in its DHCPREQUEST message, the first two octets of the
+   DHCID RR MUST be 0x0001, in network byte order.  The third octet is
+   the digest type code (1 for SHA-256).  The rest of the DHCID RR MUST
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 5]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+   contain the results of computing the SHA-256 hash across the data
+   octets (i.e., the Type and Client-Identifier fields) of the option,
+   followed by the FQDN.
+
+3.5.3.  Using the Client's htype and chaddr
+
+   When the updater is using the client's link-layer address as the
+   identifier, the first two octets of the DHCID RDATA MUST be zero.
+   The third octet is the digest type code (1 for SHA-256).  To generate
+   the rest of the resource record, the updater computes a one-way hash
+   using the SHA-256 algorithm across a buffer containing the client's
+   network hardware type, link-layer address, and the FQDN data.
+   Specifically, the first octet of the buffer contains the network
+   hardware type as it appeared in the DHCP 'htype' field of the
+   client's DHCPREQUEST message.  All of the significant octets of the
+   'chaddr' field in the client's DHCPREQUEST message follow, in the
+   same order in which the octets appear in the DHCPREQUEST message.
+   The number of significant octets in the 'chaddr' field is specified
+   in the 'hlen' field of the DHCPREQUEST message.  The FQDN data, as
+   specified above, follows.
+
+3.6.  Examples
+
+3.6.1.  Example 1
+
+   A DHCP server allocating the IPv4 address 10.0.0.1 to a client with
+   Ethernet MAC address 01:02:03:04:05:06 using domain name
+   "client.example.com" uses the client's link-layer address to identify
+   the client.  The DHCID RDATA is composed by setting the two type
+   octets to zero, the 1-octet digest type to 1 for SHA-256, and
+   performing an SHA-256 hash computation across a buffer containing the
+   Ethernet MAC type octet, 0x01, the six octets of MAC address, and the
+   domain name (represented as specified in Section 3.5).
+
+     client.example.com.   A       10.0.0.1
+     client.example.com.   DHCID   ( AAABxLmlskllE0MVjd57zHcWmEH3pCQ6V
+                                     ytcKD//7es/deY= )
+
+   If the DHCID RR type is not supported, the RDATA would be encoded
+   [13] as:
+
+     \# 35 ( 000001c4b9a5b249651343158dde7bcc77169841f7a4243a572b5c283
+             fffedeb3f75e6 )
+
+3.6.2.  Example 2
+
+   A DHCP server allocates the IPv4 address 10.0.12.99 to a client which
+   included the DHCP client-identifier option data 01:07:08:09:0a:0b:0c
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 6]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+   in its DHCP request.  The server updates the name "chi.example.com"
+   on the client's behalf, and uses the DHCP client identifier option
+   data as input in forming a DHCID RR.  The DHCID RDATA is formed by
+   setting the two type octets to the value 0x0001, the 1-octet digest
+   type to 1 for SHA-256, and performing a SHA-256 hash computation
+   across a buffer containing the seven octets from the client-id option
+   and the FQDN (represented as specified in Section 3.5).
+
+     chi.example.com.      A       10.0.12.99
+     chi.example.com.      DHCID   ( AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQdW
+                                     L3b/NaiUDlW2No= )
+
+   If the DHCID RR type is not supported, the RDATA would be encoded
+   [13] as:
+
+     \# 35 ( 0001013920fe5d1dceb3fd0ba3379756a70d73b17009f41d58bddbfcd
+             6a2503956d8da )
+
+3.6.3.  Example 3
+
+   A DHCP server allocates the IPv6 address 2000::1234:5678 to a client
+   which included the DHCPv6 client-identifier option data 00:01:00:06:
+   41:2d:f1:66:01:02:03:04:05:06 in its DHCPv6 request.  The server
+   updates the name "chi6.example.com" on the client's behalf, and uses
+   the DHCP client identifier option data as input in forming a DHCID
+   RR.  The DHCID RDATA is formed by setting the two type octets to the
+   value 0x0002, the 1-octet digest type to 1 for SHA-256, and
+   performing a SHA-256 hash computation across a buffer containing the
+   14 octets from the client-id option and the FQDN (represented as
+   specified in Section 3.5).
+
+     chi6.example.com.     AAAA    2000::1234:5678
+     chi6.example.com.     DHCID   ( AAIBY2/AuCccgoJbsaxcQc9TUapptP69l
+                                     OjxfNuVAA2kjEA= )
+
+   If the DHCID RR type is not supported, the RDATA would be encoded
+   [13] as:
+
+     \# 35 ( 000201636fc0b8271c82825bb1ac5c41cf5351aa69b4febd94e8f17cd
+             b95000da48c40 )
+
+
+4.  Use of the DHCID RR
+
+   This RR MUST NOT be used for any purpose other than that detailed in
+   "Resolution of DNS Name Conflicts" [1].  Although this RR contains
+   data that is opaque to DNS servers, the data must be consistent
+   across all entities that update and interpret this record.
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 7]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+   Therefore, new data formats may only be defined through actions of
+   the DHC Working Group, as a result of revising [1].
+
+
+5.  Updater Behavior
+
+   The data in the DHCID RR allows updaters to determine whether more
+   than one DHCP client desires to use a particular FQDN.  This allows
+   site administrators to establish policy about DNS updates.  The DHCID
+   RR does not establish any policy itself.
+
+   Updaters use data from a DHCP client's request and the domain name
+   that the client desires to use to compute a client identity hash, and
+   then compare that hash to the data in any DHCID RRs on the name that
+   they wish to associate with the client's IP address.  If an updater
+   discovers DHCID RRs whose RDATA does not match the client identity
+   that they have computed, the updater SHOULD conclude that a different
+   client is currently associated with the name in question.  The
+   updater SHOULD then proceed according to the site's administrative
+   policy.  That policy might dictate that a different name be selected,
+   or it might permit the updater to continue.
+
+
+6.  Security Considerations
+
+   The DHCID record as such does not introduce any new security problems
+   into the DNS.  In order to obscure the client's identity information,
+   a one-way hash is used.  And, in order to make it difficult to
+   'track' a client by examining the names associated with a particular
+   hash value, the FQDN is included in the hash computation.  Thus, the
+   RDATA is dependent on both the DHCP client identification data and on
+   each FQDN associated with the client.
+
+   However, it should be noted that an attacker that has some knowledge,
+   such as of MAC addresses commonly used in DHCP client identification
+   data, may be able to discover the client's DHCP identify by using a
+   brute-force attack.  Even without any additional knowledge, the
+   number of unknown bits used in computing the hash is typically only
+   48 to 80.
+
+   Administrators should be wary of permitting unsecured DNS updates to
+   zones, whether or not they are exposed to the global Internet.  Both
+   DHCP clients and servers SHOULD use some form of update
+   authentication (e.g., TSIG [11]) when performing DNS updates.
+
+
+7.  IANA Considerations
+
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 8]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+   IANA is requested to allocate a DNS RR type number for the DHCID
+   record type.
+
+   This specification defines a new number-space for the 2-octet
+   identifier type codes associated with the DHCID RR.  IANA is
+   requested to establish a registry of the values for this number-
+   space.  Three initial values are assigned in Section 3.3, and the
+   value 0xFFFF is reserved for future use.  New DHCID RR identifier
+   type codes are assigned through Standards Action, as defined in RFC
+   2434 [5].
+
+   This specification defines a new number-space for the 1-octet digest
+   type codes associated with the DHCID RR.  IANA is requested to
+   establish a registry of the values for this number-space.  Two
+   initial values are assigned in Section 3.4.  New DHCID RR digest type
+   codes are assigned through Standards Action, as defined in RFC 2434
+   [5].
+
+
+8.  Acknowledgements
+
+   Many thanks to Harald Alvestrand, Ralph Droms, Olafur Gudmundsson,
+   Sam Hartman, Josh Littlefield, Pekka Savola, and especially Bernie
+   Volz for their review and suggestions.
+
+
+9.  References
+
+9.1.  Normative References
+
+   [1]  Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
+        DHCP Clients (draft-ietf-dhc-dns-resolution-*)", February 2006.
+
+   [2]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
+        Levels", BCP 14, RFC 2119, March 1997.
+
+   [3]  Mockapetris, P., "Domain names - concepts and facilities",
+        STD 13, RFC 1034, November 1987.
+
+   [4]  Mockapetris, P., "Domain names - implementation and
+        specification", STD 13, RFC 1035, November 1987.
+
+   [5]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+        Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
+
+
+
+
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 9]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+9.2.  Informative References
+
+   [6]   Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
+         March 1997.
+
+   [7]   Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
+         RFC 3548, July 2003.
+
+   [8]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Resource Records for the DNS Security Extensions", RFC 4034,
+         March 2005.
+
+   [9]   Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
+         Extensions", RFC 2132, March 1997.
+
+   [10]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M.
+         Carney, "Dynamic Host Configuration Protocol for IPv6
+         (DHCPv6)", RFC 3315, July 2003.
+
+   [11]  Vixie, P., Gudmundsson, O., Eastlake, D., and B. Wellington,
+         "Secret Key Transaction Authentication for DNS (TSIG)",
+         RFC 2845, May 2000.
+
+   [12]  Lemon, T. and B. Sommerfeld, "Node-specific Client Identifiers
+         for Dynamic Host Configuration Protocol Version Four (DHCPv4)",
+         RFC 4361, February 2006.
+
+   [13]  Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
+         Types", RFC 3597, September 2003.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stapp, et al.           Expires September 1, 2006              [Page 10]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+Authors' Addresses
+
+   Mark Stapp
+   Cisco Systems, Inc.
+   1414 Massachusetts Ave.
+   Boxborough, MA  01719
+   USA
+
+   Phone: 978.936.1535
+   Email: mjs@cisco.com
+
+
+   Ted Lemon
+   Nominum, Inc.
+   950 Charter St.
+   Redwood City, CA  94063
+   USA
+
+   Email: mellon@nominum.com
+
+
+   Andreas Gustafsson
+   Araneus Information Systems Oy
+   Ulappakatu 1
+   02320 Espoo
+   Finland
+
+   Email: gson@araneus.fi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stapp, et al.           Expires September 1, 2006              [Page 11]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+   Copyright (C) The Internet Society (2006).  This document is subject
+   to the rights, licenses and restrictions contained in BCP 78, and
+   except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+Stapp, et al.           Expires September 1, 2006              [Page 12]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-online-signing-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-online-signing-02.txt
new file mode 100644
index 0000000..7503c66
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-online-signing-02.txt
@@ -0,0 +1,616 @@
+
+
+
+Network Working Group                                          S. Weiler
+Internet-Draft                                               SPARTA, Inc
+Updates: 4034, 4035 (if approved)                               J. Ihren
+Expires: July 24, 2006                                     Autonomica AB
+                                                        January 20, 2006
+
+
+       Minimally Covering NSEC Records and DNSSEC On-line Signing
+               draft-ietf-dnsext-dnssec-online-signing-02
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on July 24, 2006.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   This document describes how to construct DNSSEC NSEC resource records
+   that cover a smaller range of names than called for by RFC4034.  By
+   generating and signing these records on demand, authoritative name
+   servers can effectively stop the disclosure of zone contents
+   otherwise made possible by walking the chain of NSEC records in a
+   signed zone.
+
+
+
+
+Weiler & Ihren            Expires July 24, 2006                 [Page 1]
+
+Internet-Draft                NSEC Epsilon                  January 2006
+
+
+Changes from ietf-01 to ietf-02
+
+   Clarified that a generated NSEC RR's type bitmap MUST have the RRSIG
+   and NSEC bits set, to be consistent with DNSSECbis -- previous text
+   said SHOULD.
+
+   Made the applicability statement a little less oppressive.
+
+Changes from ietf-00 to ietf-01
+
+   Added an applicability statement, making reference to ongoing work on
+   NSEC3.
+
+   Added the phrase "epsilon functions", which has been commonly used to
+   describe the technique and already appeared in the header of each
+   page, in place of "increment and decrement functions".  Also added an
+   explanatory sentence.
+
+   Corrected references from 4034 section 6.2 to section 6.1.
+
+   Fixed an out-of-date reference to [-bis] and other typos.
+
+   Replaced IANA Considerations text.
+
+   Escaped close parentheses in examples.
+
+   Added some more acknowledgements.
+
+Changes from weiler-01 to ietf-00
+
+   Inserted RFC numbers for 4033, 4034, and 4035.
+
+   Specified contents of bitmap field in synthesized NSEC RR's, pointing
+   out that this relaxes a constraint in 4035.  Added 4035 to the
+   Updates header.
+
+Changes from weiler-00 to weiler-01
+
+   Clarified that this updates RFC4034 by relaxing requirements on the
+   next name field.
+
+   Added examples covering wildcard names.
+
+   In the 'better functions' section, reiterated that perfect functions
+   aren't needed.
+
+   Added a reference to RFC 2119.
+
+
+
+
+Weiler & Ihren            Expires July 24, 2006                 [Page 2]
+
+Internet-Draft                NSEC Epsilon                  January 2006
+
+
+Table of Contents
+
+   1.  Introduction and Terminology . . . . . . . . . . . . . . . . .  4
+   2.  Applicability of This Technique  . . . . . . . . . . . . . . .  4
+   3.  Minimally Covering NSEC Records  . . . . . . . . . . . . . . .  5
+   4.  Better Epsilon Functions . . . . . . . . . . . . . . . . . . .  6
+   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  7
+   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
+   7.  Normative References . . . . . . . . . . . . . . . . . . . . .  8
+   Appendix A.  Acknowledgments . . . . . . . . . . . . . . . . . . .  8
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
+   Intellectual Property and Copyright Statements . . . . . . . . . . 11
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Weiler & Ihren            Expires July 24, 2006                 [Page 3]
+
+Internet-Draft                NSEC Epsilon                  January 2006
+
+
+1.  Introduction and Terminology
+
+   With DNSSEC [1], an NSEC record lists the next instantiated name in
+   its zone, proving that no names exist in the "span" between the
+   NSEC's owner name and the name in the "next name" field.  In this
+   document, an NSEC record is said to "cover" the names between its
+   owner name and next name.
+
+   Through repeated queries that return NSEC records, it is possible to
+   retrieve all of the names in the zone, a process commonly called
+   "walking" the zone.  Some zone owners have policies forbidding zone
+   transfers by arbitrary clients; this side-effect of the NSEC
+   architecture subverts those policies.
+
+   This document presents a way to prevent zone walking by constructing
+   NSEC records that cover fewer names.  These records can make zone
+   walking take approximately as many queries as simply asking for all
+   possible names in a zone, making zone walking impractical.  Some of
+   these records must be created and signed on demand, which requires
+   on-line private keys.  Anyone contemplating use of this technique is
+   strongly encouraged to review the discussion of the risks of on-line
+   signing in Section 6.
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119 [4].
+
+
+2.  Applicability of This Technique
+
+   The technique presented here may be useful to a zone owner that wants
+   to use DNSSEC, is concerned about exposure of its zone contents via
+   zone walking, and is willing to bear the costs of on-line signing.
+
+   As discussed in Section 6, on-line signing has several security
+   risks, including an increased likelihood of private keys being
+   disclosed and an increased risk of denial of service attack.  Anyone
+   contemplating use of this technique is strongly encouraged to review
+   the discussion of the risks of on-line signing in Section 6.
+
+   Furthermore, at the time this document was published, the DNSEXT
+   working group was actively working on a mechanism to prevent zone
+   walking that does not require on-line signing (tentatively called
+   NSEC3).  The new mechanism is likely to expose slightly more
+   information about the zone than this technique (e.g. the number of
+   instantiated names), but it may be preferable to this technique.
+
+
+
+
+
+Weiler & Ihren            Expires July 24, 2006                 [Page 4]
+
+Internet-Draft                NSEC Epsilon                  January 2006
+
+
+3.  Minimally Covering NSEC Records
+
+   This mechanism involves changes to NSEC records for instantiated
+   names, which can still be generated and signed in advance, as well as
+   the on-demand generation and signing of new NSEC records whenever a
+   name must be proven not to exist.
+
+   In the 'next name' field of instantiated names' NSEC records, rather
+   than list the next instantiated name in the zone, list any name that
+   falls lexically after the NSEC's owner name and before the next
+   instantiated name in the zone, according to the ordering function in
+   RFC4034 [2] section 6.1.  This relaxes the requirement in section
+   4.1.1 of RFC4034 that the 'next name' field contains the next owner
+   name in the zone.  This change is expected to be fully compatible
+   with all existing DNSSEC validators.  These NSEC records are returned
+   whenever proving something specifically about the owner name (e.g.
+   that no resource records of a given type appear at that name).
+
+   Whenever an NSEC record is needed to prove the non-existence of a
+   name, a new NSEC record is dynamically produced and signed.  The new
+   NSEC record has an owner name lexically before the QNAME but
+   lexically following any existing name and a 'next name' lexically
+   following the QNAME but before any existing name.
+
+   The generated NSEC record's type bitmap MUST have the RRSIG and NSEC
+   bits set and SHOULD NOT have any other bits set.  This relaxes the
+   requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at
+   names that did not exist before the zone was signed.
+
+   The functions to generate the lexically following and proceeding
+   names need not be perfect nor consistent, but the generated NSEC
+   records must not cover any existing names.  Furthermore, this
+   technique works best when the generated NSEC records cover as few
+   names as possible.  In this document, the functions that generate the
+   nearby names are called 'epsilon' functions, a reference to the
+   mathematical convention of using the greek letter epsilon to
+   represent small deviations.
+
+   An NSEC record denying the existence of a wildcard may be generated
+   in the same way.  Since the NSEC record covering a non-existent
+   wildcard is likely to be used in response to many queries,
+   authoritative name servers using the techniques described here may
+   want to pregenerate or cache that record and its corresponding RRSIG.
+
+   For example, a query for an A record at the non-instantiated name
+   example.com might produce the following two NSEC records, the first
+   denying the existence of the name example.com and the second denying
+   the existence of a wildcard:
+
+
+
+Weiler & Ihren            Expires July 24, 2006                 [Page 5]
+
+Internet-Draft                NSEC Epsilon                  January 2006
+
+
+             exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC )
+
+             \).com 3600 IN NSEC +.com ( RRSIG NSEC )
+
+   Before answering a query with these records, an authoritative server
+   must test for the existence of names between these endpoints.  If the
+   generated NSEC would cover existing names (e.g. exampldd.com or
+   *bizarre.example.com), a better epsilon function may be used or the
+   covered name closest to the QNAME could be used as the NSEC owner
+   name or next name, as appropriate.  If an existing name is used as
+   the NSEC owner name, that name's real NSEC record MUST be returned.
+   Using the same example, assuming an exampldd.com delegation exists,
+   this record might be returned from the parent:
+
+             exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC )
+
+   Like every authoritative record in the zone, each generated NSEC
+   record MUST have corresponding RRSIGs generated using each algorithm
+   (but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as
+   described in RFC4035 [3] section 2.2.  To minimize the number of
+   signatures that must be generated, a zone may wish to limit the
+   number of algorithms in its DNSKEY RRset.
+
+
+4.  Better Epsilon Functions
+
+   Section 6.1 of RFC4034 defines a strict ordering of DNS names.
+   Working backwards from that definition, it should be possible to
+   define epsilon functions that generate the immediately following and
+   preceding names, respectively.  This document does not define such
+   functions.  Instead, this section presents functions that come
+   reasonably close to the perfect ones.  As described above, an
+   authoritative server should still ensure than no generated NSEC
+   covers any existing name.
+
+   To increment a name, add a leading label with a single null (zero-
+   value) octet.
+
+   To decrement a name, decrement the last character of the leftmost
+   label, then fill that label to a length of 63 octets with octets of
+   value 255.  To decrement a null (zero-value) octet, remove the octet
+   -- if an empty label is left, remove the label.  Defining this
+   function numerically: fill the left-most label to its maximum length
+   with zeros (numeric, not ASCII zeros) and subtract one.
+
+   In response to a query for the non-existent name foo.example.com,
+   these functions produce NSEC records of:
+
+
+
+
+Weiler & Ihren            Expires July 24, 2006                 [Page 6]
+
+Internet-Draft                NSEC Epsilon                  January 2006
+
+
+     fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+     \255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG )
+
+     \)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
+     \255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG )
+
+   The first of these NSEC RRs proves that no exact match for
+   foo.example.com exists, and the second proves that there is no
+   wildcard in example.com.
+
+   Both of these functions are imperfect: they don't take into account
+   constraints on number of labels in a name nor total length of a name.
+   As noted in the previous section, though, this technique does not
+   depend on the use of perfect epsilon functions: it is sufficient to
+   test whether any instantiated names fall into the span covered by the
+   generated NSEC and, if so, substitute those instantiated owner names
+   for the NSEC owner name or next name, as appropriate.
+
+
+5.  IANA Considerations
+
+   This document specifies no IANA Actions.
+
+
+6.  Security Considerations
+
+   This approach requires on-demand generation of RRSIG records.  This
+   creates several new vulnerabilities.
+
+   First, on-demand signing requires that a zone's authoritative servers
+   have access to its private keys.  Storing private keys on well-known
+   internet-accessible servers may make them more vulnerable to
+   unintended disclosure.
+
+   Second, since generation of digital signatures tends to be
+   computationally demanding, the requirement for on-demand signing
+   makes authoritative servers vulnerable to a denial of service attack.
+
+   Lastly, if the epsilon functions are predictable, on-demand signing
+   may enable a chosen-plaintext attack on a zone's private keys.  Zones
+   using this approach should attempt to use cryptographic algorithms
+   that are resistant to chosen-plaintext attacks.  It's worth noting
+
+
+
+Weiler & Ihren            Expires July 24, 2006                 [Page 7]
+
+Internet-Draft                NSEC Epsilon                  January 2006
+
+
+   that while DNSSEC has a "mandatory to implement" algorithm, that is a
+   requirement on resolvers and validators -- there is no requirement
+   that a zone be signed with any given algorithm.
+
+   The success of using minimally covering NSEC record to prevent zone
+   walking depends greatly on the quality of the epsilon functions
+   chosen.  An increment function that chooses a name obviously derived
+   from the next instantiated name may be easily reverse engineered,
+   destroying the value of this technique.  An increment function that
+   always returns a name close to the next instantiated name is likewise
+   a poor choice.  Good choices of epsilon functions are the ones that
+   produce the immediately following and preceding names, respectively,
+   though zone administrators may wish to use less perfect functions
+   that return more human-friendly names than the functions described in
+   Section 4 above.
+
+   Another obvious but misguided concern is the danger from synthesized
+   NSEC records being replayed.  It's possible for an attacker to replay
+   an old but still validly signed NSEC record after a new name has been
+   added in the span covered by that NSEC, incorrectly proving that
+   there is no record at that name.  This danger exists with DNSSEC as
+   defined in [3].  The techniques described here actually decrease the
+   danger, since the span covered by any NSEC record is smaller than
+   before.  Choosing better epsilon functions will further reduce this
+   danger.
+
+7.  Normative References
+
+   [1]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "DNS Security Introduction and Requirements", RFC 4033,
+        March 2005.
+
+   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Resource Records for the DNS Security Extensions", RFC 4034,
+        March 2005.
+
+   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Protocol Modifications for the DNS Security Extensions",
+        RFC 4035, March 2005.
+
+   [4]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
+        Levels", BCP 14, RFC 2119, March 1997.
+
+
+Appendix A.  Acknowledgments
+
+   Many individuals contributed to this design.  They include, in
+   addition to the authors of this document, Olaf Kolkman, Ed Lewis,
+
+
+
+Weiler & Ihren            Expires July 24, 2006                 [Page 8]
+
+Internet-Draft                NSEC Epsilon                  January 2006
+
+
+   Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
+   Jakob Schlyter, Bill Manning, and Joao Damas.
+
+   In addition, the editors would like to thank Ed Lewis, Scott Rose,
+   and David Blacka for their careful review of the document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Weiler & Ihren            Expires July 24, 2006                 [Page 9]
+
+Internet-Draft                NSEC Epsilon                  January 2006
+
+
+Authors' Addresses
+
+   Samuel Weiler
+   SPARTA, Inc
+   7075 Samuel Morse Drive
+   Columbia, Maryland  21046
+   US
+
+   Email: weiler@tislabs.com
+
+
+   Johan Ihren
+   Autonomica AB
+   Bellmansgatan 30
+   Stockholm  SE-118 47
+   Sweden
+
+   Email: johani@autonomica.se
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Weiler & Ihren            Expires July 24, 2006                [Page 10]
+
+Internet-Draft                NSEC Epsilon                  January 2006
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+   Copyright (C) The Internet Society (2006).  This document is subject
+   to the rights, licenses and restrictions contained in BCP 78, and
+   except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+Weiler & Ihren            Expires July 24, 2006                [Page 11]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-00.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-00.txt
new file mode 100644
index 0000000..390420a
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-00.txt
@@ -0,0 +1,392 @@
+
+
+
+DNS Extensions working group                                   J. Jansen
+Internet-Draft                                                NLnet Labs
+Expires: July 5, 2006                                       January 2006
+
+
+     Use of RSA/SHA-256 DNSKEY and RRSIG Resource Records in DNSSEC
+                 draft-ietf-dnsext-dnssec-rsasha256-00
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on July 5, 2006.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   This document describes how to produce RSA/SHA-256 DNSKEY and RRSIG
+   resource records for use in the Domain Name System Security
+   Extensions (DNSSEC, RFC4033, RFC4034, and RFC4035).
+
+
+
+
+
+
+
+
+
+Jansen                    Expires July 5, 2006                  [Page 1]
+
+Internet-Draft       RSA/SHA-256 DNSKEYs and RRSIGS         January 2006
+
+
+Table of Contents
+
+   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
+   2.  RSA/SHA-256 DNSKEY Resource Records . . . . . . . . . . . . . . 3
+   3.  RSA/SHA-256 RRSIG Resource Records  . . . . . . . . . . . . . . 3
+   4.  Implementation Considerations . . . . . . . . . . . . . . . . . 4
+   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4
+   6.  Security Considerations . . . . . . . . . . . . . . . . . . . . 4
+   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 5
+   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 5
+     8.1.  Normative References  . . . . . . . . . . . . . . . . . . . 5
+     8.2.  Informative References  . . . . . . . . . . . . . . . . . . 5
+   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 6
+   Intellectual Property and Copyright Statements  . . . . . . . . . . 7
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jansen                    Expires July 5, 2006                  [Page 2]
+
+Internet-Draft       RSA/SHA-256 DNSKEYs and RRSIGS         January 2006
+
+
+1.  Introduction
+
+   The Domain Name System (DNS) is the global hierarchical distributed
+   database for Internet Addressing.  The DNS has been extended to use
+   digital signatures and cryptographic keys for the verification of
+   data.  RFC4033 [1], RFC4034 [2], and RFC4035 [3] describe these DNS
+   Security Extensions.
+
+   RFC4034 describes how to store DNSKEY and RRSIG resource records, and
+   specifies a list of cryptographic algorithms to use.  This document
+   extends that list with the algorithm RSA/SHA-256, and specifies how
+   to store RSA/SHA-256 DNSKEY data and how to produce RSA/SHA-256 RRSIG
+   resource records.
+
+   Familiarity with the RSA [7] and SHA-256 [5] algorithms is assumed in
+   this document.
+
+
+2.  RSA/SHA-256 DNSKEY Resource Records
+
+   RSA public keys for use with RSA/SHA-256 are stored in DNSKEY
+   resource records (RRs) with the algorithm number [TBA].
+
+   The format of the DNSKEY RR can be found in RFC4034 [2] and RFC3110
+   [6].
+
+
+3.  RSA/SHA-256 RRSIG Resource Records
+
+   RSA/SHA-256 signatures are stored in the DNS using RRSIG resource
+   records (RRs) with algorithm number [TBA].
+
+   The value of the signature field in the RRSIG RR is calculated as
+   follows.  The values for the fields that precede the signature data
+   are specified in RFC4034 [2].
+
+   hash = SHA-256(data)
+
+   signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n)
+
+   Where SHA-256 is the message digest algorithm as specified in FIPS
+   180 [5], | is concatenation, 00, 01, FF and 00 are fixed octets of
+   corresponding hexadecimal value, "e" is the private exponent of the
+   signing RSA key, and "n" is the public modulus of the signing key.
+   The FF octet MUST be repeated the maximum number of times so that the
+   total length of the signature equals the length of the modulus of the
+   signer's public key ("n"). "data" is the data of the resource record
+   set that is signed, as specified in RFC4034 [2].
+
+
+
+Jansen                    Expires July 5, 2006                  [Page 3]
+
+Internet-Draft       RSA/SHA-256 DNSKEYs and RRSIGS         January 2006
+
+
+   The prefix is the ASN.1 BER SHA-256 algorithm designator prefix as
+   specified in PKCS 2.1 [4]:
+
+   hex 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
+
+   This prefix should make the use of standard cryptographic libraries
+   easier.  These specifications are taken directly from PKCS #1 v2.1
+   section 9.2 [4].
+
+
+4.  Implementation Considerations
+
+   DNSSEC aware implementations MUST be able to support RRSIG resource
+   records with the RSA/SHA-256 algorithm.
+
+   If both RSA/SHA-256 and RSA/SHA-1 RRSIG resource records are
+   available for a certain rrset, with a secure path to their keys, the
+   validator SHOULD ignore the SHA-1 signature.  If the RSA/SHA-256
+   signature does not verify the data, and the RSA/SHA-1 does, the
+   validator SHOULD mark the data with the security status from the RSA/
+   SHA-256 signature.
+
+
+5.  IANA Considerations
+
+   IANA has not yet assigned an algorithm number for RSA/SHA-256.
+
+   The algorithm list from RFC4034 Appendix A.1 [2] is extended with the
+   following entry:
+
+                                   Zone
+   Value Algorithm    [Mnemonic] Signing  References   Status
+   ----- ----------- ----------- -------- ----------  ---------
+   [tba] RSA/SHA-256 [RSASHA256]      y        [TBA]  MANDATORY
+
+
+6.  Security Considerations
+
+   Recently, weaknesses have been discovered in the SHA-1 hashing
+   algorithm.  It is therefore strongly encouraged to deploy SHA-256
+   where SHA-1 is used now, as soon as the DNS software supports it.
+
+   SHA-256 is considered sufficiently strong for the immediate future,
+   but predictions about future development in cryptography and
+   cryptanalysis are beyond the scope of this document.
+
+
+
+
+
+
+Jansen                    Expires July 5, 2006                  [Page 4]
+
+Internet-Draft       RSA/SHA-256 DNSKEYs and RRSIGS         January 2006
+
+
+7.  Acknowledgments
+
+   This document is a minor extension to RFC4034 [2].  Also, we try to
+   follow the documents RFC3110 [6] and draft-ietf-dnsext-ds-sha256.txt
+   [8] for consistency.  The authors of and contributors to these
+   documents are gratefully acknowledged for their hard work.
+
+   The following people provided additional feedback and text: Jaap
+   Akkerhuis, Miek Gieben and Wouter Wijngaards.
+
+
+8.  References
+
+8.1.  Normative References
+
+   [1]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "DNS Security Introduction and Requirements", RFC 4033,
+        March 2005.
+
+   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Resource Records for the DNS Security Extensions", RFC 4034,
+        March 2005.
+
+   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Protocol Modifications for the DNS Security Extensions",
+        RFC 4035, March 2005.
+
+   [4]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards
+        (PKCS) #1: RSA Cryptography Specifications Version 2.1",
+        RFC 3447, February 2003.
+
+   [5]  National Institute of Standards and Technology, "Secure Hash
+        Standard", FIPS PUB 180-2, August 2002.
+
+   [6]  Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
+        System (DNS)", RFC 3110, May 2001.
+
+8.2.  Informative References
+
+   [7]  Schneier, B., "Applied Cryptography Second Edition: protocols,
+        algorithms, and source code in C", Wiley and Sons , ISBN 0-471-
+        11709-9, 1996.
+
+   [8]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
+        Resource Records (RRs)", Work in Progress Feb 2006.
+
+
+
+
+
+
+Jansen                    Expires July 5, 2006                  [Page 5]
+
+Internet-Draft       RSA/SHA-256 DNSKEYs and RRSIGS         January 2006
+
+
+Author's Address
+
+   Jelte Jansen
+   NLnet Labs
+   Kruislaan 419
+   Amsterdam  1098VA
+   NL
+
+   Email: jelte@NLnetLabs.nl
+   URI:   http://www.nlnetlabs.nl/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jansen                    Expires July 5, 2006                  [Page 6]
+
+Internet-Draft       RSA/SHA-256 DNSKEYs and RRSIGS         January 2006
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+   Copyright (C) The Internet Society (2006).  This document is subject
+   to the rights, licenses and restrictions contained in BCP 78, and
+   except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+Jansen                    Expires July 5, 2006                  [Page 7]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-ds-sha256-05.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-ds-sha256-05.txt
new file mode 100644
index 0000000..2460cb6
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-ds-sha256-05.txt
@@ -0,0 +1,504 @@
+
+
+
+Network Working Group                                        W. Hardaker
+Internet-Draft                                                    Sparta
+Expires: August 25, 2006                               February 21, 2006
+
+
+ Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
+                   draft-ietf-dnsext-ds-sha256-05.txt
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on August 25, 2006.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   This document specifies how to use the SHA-256 digest type in DNS
+   Delegation Signer (DS) Resource Records (RRs).  DS records, when
+   stored in a parent zone, point to key signing DNSKEY key(s) in a
+   child zone.
+
+
+
+
+
+
+
+
+Hardaker                 Expires August 25, 2006                [Page 1]
+
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
+
+
+Table of Contents
+
+   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
+   2.  Implementing the SHA-256 algorithm for DS record support  . . . 3
+     2.1.  DS record field values  . . . . . . . . . . . . . . . . . . 3
+     2.2.  DS Record with SHA-256 Wire Format  . . . . . . . . . . . . 3
+     2.3.  Example DS Record Using SHA-256 . . . . . . . . . . . . . . 4
+   3.  Implementation Requirements . . . . . . . . . . . . . . . . . . 4
+   4.  Deployment Considerations . . . . . . . . . . . . . . . . . . . 4
+   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
+   6.  Security Considerations . . . . . . . . . . . . . . . . . . . . 5
+     6.1.  Potential Digest Type Downgrade Attacks . . . . . . . . . . 5
+     6.2.  SHA-1 vs SHA-256 Considerations for DS Records  . . . . . . 6
+   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
+   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
+     8.1.  Normative References  . . . . . . . . . . . . . . . . . . . 7
+     8.2.  Informative References  . . . . . . . . . . . . . . . . . . 7
+   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 8
+   Intellectual Property and Copyright Statements  . . . . . . . . . . 9
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hardaker                 Expires August 25, 2006                [Page 2]
+
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
+
+
+1.  Introduction
+
+   The DNSSEC [RFC4033] [RFC4034] [RFC4035] DS RR is published in parent
+   zones to distribute a cryptographic digest of a child's Key Signing
+   Key (KSK) DNSKEY RR.  The DS RRset is signed by at least one of the
+   parent zone's private zone data signing keys for each algorithm in
+   use by the parent.  Each signature is published in an RRSIG resource
+   record, owned by the same domain as the DS RRset and with a type
+   covered of DS.
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+
+2.  Implementing the SHA-256 algorithm for DS record support
+
+   This document specifies that the digest type code [XXX: To be
+   assigned by IANA; likely 2] is to be assigned to SHA-256 [SHA256]
+   [SHA256CODE] for use within DS records.  The results of the digest
+   algorithm MUST NOT be truncated and the entire 32 byte digest result
+   is to be published in the DS record.
+
+2.1.  DS record field values
+
+   Using the SHA-256 digest algorithm within a DS record will make use
+   of the following DS-record fields:
+
+   Digest type: [XXX: To be assigned by IANA; likely 2]
+
+   Digest: A SHA-256 bit digest value calculated by using the following
+      formula ("|" denotes concatenation).  The resulting value is not
+      truncated and the entire 32 byte result is to used in the
+      resulting DS record and related calculations.
+
+        digest = SHA_256(DNSKEY owner name | DNSKEY RDATA)
+
+      where DNSKEY RDATA is defined by [RFC4034] as:
+
+        DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key
+
+   The Key Tag field and Algorithm fields remain unchanged by this
+   document and are specified in the [RFC4034] specification.
+
+2.2.  DS Record with SHA-256 Wire Format
+
+   The resulting on-the-wire format for the resulting DS record will be
+   [XXX: IANA assignment should replace the 2 below]:
+
+
+
+Hardaker                 Expires August 25, 2006                [Page 3]
+
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
+
+
+                           1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |           Key Tag             |  Algorithm    | DigestType=2  |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                                                               /
+      /            Digest  (length for SHA-256 is 32 bytes)           /
+      /                                                               /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+
+2.3.  Example DS Record Using SHA-256
+
+   The following is an example DNSKEY and matching DS record.  This
+   DNSKEY record comes from the example DNSKEY/DS records found in
+   section 5.4 of [RFC4034].
+
+   The DNSKEY record:
+
+   dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz
+                                                fwJr1AYtsmx3TGkJaNXVbfi/
+                                                2pHm822aJ5iI9BMzNXxeYCmZ
+                                                DRD99WYwYqUSdjMmmAphXdvx
+                                                egXd/M5+X7OrzKBaMbCVdFLU
+                                                Uh6DhweJBjEVv5f2wwjM9Xzc
+                                                nOf+EPbtG9DMBmADjFDc2w/r
+                                                ljwvFw==
+                                                ) ;  key id = 60485
+
+   The resulting DS record covering the above DNSKEY record using a SHA-
+   256 digest: [RFC Editor: please replace XXX with the assigned digest
+   type (likely 2):]
+
+   dskey.example.com. 86400 IN DS 60485 5 XXX ( D4B7D520E7BB5F0F67674A0C
+                                                CEB1E3E0614B93C4F9E99B83
+                                                83F6A1E4469DA50A )
+
+
+3.  Implementation Requirements
+
+   Implementations MUST support the use of the SHA-256 algorithm in DS
+   RRs.  Validator implementations SHOULD ignore DS RRs containing SHA-1
+   digests if DS RRs with SHA-256 digests are present in the DS RRset.
+
+
+4.  Deployment Considerations
+
+   If a validator does not support the SHA-256 digest type and no other
+   DS RR exists in a zone's DS RRset with a supported digest type, then
+
+
+
+Hardaker                 Expires August 25, 2006                [Page 4]
+
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
+
+
+   the validator has no supported authentication path leading from the
+   parent to the child.  The resolver should treat this case as it would
+   the case of an authenticated NSEC RRset proving that no DS RRset
+   exists, as described in [RFC4035], section 5.2.
+
+   Because zone administrators can not control the deployment speed of
+   support for SHA-256 in validators that may be referencing any of
+   their zones, zone operators should consider deploying both SHA-1 and
+   SHA-256 based DS records.  This should be done for every DNSKEY for
+   which DS records are being generated.  Whether to make use of both
+   digest types and for how long is a policy decision that extends
+   beyond the scope of this document.
+
+
+5.  IANA Considerations
+
+   Only one IANA action is required by this document:
+
+   The Digest Type to be used for supporting SHA-256 within DS records
+   needs to be assigned by IANA.  This document requests that the Digest
+   Type value of 2 be assigned to the SHA-256 digest algorithm.
+
+   At the time of this writing, the current digest types assigned for
+   use in DS records are as follows:
+
+      VALUE     Digest Type          Status
+        0       Reserved                -
+        1       SHA-1                MANDATORY
+        2       SHA-256              MANDATORY
+      3-255    Unassigned               -
+
+
+6.  Security Considerations
+
+6.1.  Potential Digest Type Downgrade Attacks
+
+   A downgrade attack from a stronger digest type to a weaker one is
+   possible if all of the following are true:
+
+   o  A zone includes multiple DS records for a given child's DNSKEY,
+      each of which use a different digest type.
+
+   o  A validator accepts a weaker digest even if a stronger one is
+      present but invalid.
+
+   For example, if the following conditions are all true:
+
+
+
+
+
+Hardaker                 Expires August 25, 2006                [Page 5]
+
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
+
+
+   o  Both SHA-1 and SHA-256 based digests are published in DS records
+      within a parent zone for a given child zone's DNSKEY.
+
+   o  The DS record with the SHA-1 digest matches the digest computed
+      using the child zone's DNSKEY.
+
+   o  The DS record with the SHA-256 digest fails to match the digest
+      computed using the child zone's DNSKEY.
+
+   Then if the validator accepts the above situation as secure then this
+   can be used as a downgrade attack since the stronger SHA-256 digest
+   is ignored.
+
+6.2.  SHA-1 vs SHA-256 Considerations for DS Records
+
+   Users of DNSSEC are encouraged to deploy SHA-256 as soon as software
+   implementations allow for it.  SHA-256 is widely believed to be more
+   resilient to attack than SHA-1, and confidence in SHA-1's strength is
+   being eroded by recently-announced attacks.  Regardless of whether or
+   not the attacks on SHA-1 will affect DNSSEC, it is believed (at the
+   time of this writing) that SHA-256 is the better choice for use in DS
+   records.
+
+   At the time of this publication, the SHA-256 digest algorithm is
+   considered sufficiently strong for the immediate future.  It is also
+   considered sufficient for use in DNSSEC DS RRs for the immediate
+   future.  However, future published attacks may weaken the usability
+   of this algorithm within the DS RRs.  It is beyond the scope of this
+   document to speculate extensively on the cryptographic strength of
+   the SHA-256 digest algorithm.
+
+   Likewise, it is also beyond the scope of this document to specify
+   whether or for how long SHA-1 based DS records should be
+   simultaneously published alongside SHA-256 based DS records.
+
+
+7.  Acknowledgments
+
+   This document is a minor extension to the existing DNSSEC documents
+   and those authors are gratefully appreciated for the hard work that
+   went into the base documents.
+
+   The following people contributed to portions of this document in some
+   fashion: Mark Andrews, Roy Arends, Olafur Gudmundsson, Paul Hoffman,
+   Olaf M. Kolkman, Edward Lewis, Scott Rose, Stuart E. Schechter, Sam
+   Weiler.
+
+
+
+
+
+Hardaker                 Expires August 25, 2006                [Page 6]
+
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
+
+
+8.  References
+
+8.1.  Normative References
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "DNS Security Introduction and Requirements",
+              RFC 4033, March 2005.
+
+   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Resource Records for the DNS Security Extensions",
+              RFC 4034, March 2005.
+
+   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Protocol Modifications for the DNS Security
+              Extensions", RFC 4035, March 2005.
+
+   [SHA256]   National Institute of Standards and Technology, "Secure
+              Hash Algorithm. NIST FIPS 180-2", August 2002.
+
+8.2.  Informative References
+
+   [SHA256CODE]
+              Eastlake, D., "US Secure Hash Algorithms (SHA)",
+              June 2005.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hardaker                 Expires August 25, 2006                [Page 7]
+
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
+
+
+Author's Address
+
+   Wes Hardaker
+   Sparta
+   P.O. Box 382
+   Davis, CA  95617
+   US
+
+   Email: hardaker@tislabs.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hardaker                 Expires August 25, 2006                [Page 8]
+
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+   Copyright (C) The Internet Society (2006).  This document is subject
+   to the rights, licenses and restrictions contained in BCP 78, and
+   except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+Hardaker                 Expires August 25, 2006                [Page 9]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-nsec3-04.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-nsec3-04.txt
new file mode 100644
index 0000000..8c6c5b1
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-nsec3-04.txt
@@ -0,0 +1,2352 @@
+
+
+
+Network Working Group                                          B. Laurie
+Internet-Draft                                                 G. Sisson
+Expires: August 5, 2006                                        R. Arends
+                                                                 Nominet
+                                                           February 2006
+
+
+             DNSSEC Hash Authenticated Denial of Existence
+                       draft-ietf-dnsext-nsec3-04
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on August 5, 2006.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   The DNS Security Extensions introduces the NSEC resource record for
+   authenticated denial of existence.  This document introduces a new
+   resource record as an alternative to NSEC that provides measures
+   against zone enumeration and allows for gradual expansion of
+   delegation-centric zones.
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 1]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
+     1.1.  Rationale  . . . . . . . . . . . . . . . . . . . . . . . .  4
+     1.2.  Reserved Words . . . . . . . . . . . . . . . . . . . . . .  4
+     1.3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  4
+   2.  NSEC versus NSEC3  . . . . . . . . . . . . . . . . . . . . . .  5
+   3.  The NSEC3 Resource Record  . . . . . . . . . . . . . . . . . .  5
+     3.1.  NSEC3 RDATA Wire Format  . . . . . . . . . . . . . . . . .  6
+       3.1.1.  The Hash Function Field  . . . . . . . . . . . . . . .  6
+       3.1.2.  The Opt-In Flag Field  . . . . . . . . . . . . . . . .  7
+       3.1.3.  The Iterations Field . . . . . . . . . . . . . . . . .  8
+       3.1.4.  The Salt Length Field  . . . . . . . . . . . . . . . .  8
+       3.1.5.  The Salt Field . . . . . . . . . . . . . . . . . . . .  8
+       3.1.6.  The Next Hashed Ownername Field  . . . . . . . . . . .  9
+       3.1.7.  The Type Bit Maps Field  . . . . . . . . . . . . . . .  9
+     3.2.  The NSEC3 RR Presentation Format . . . . . . . . . . . . . 10
+   4.  Creating Additional NSEC3 RRs for Empty Non-Terminals  . . . . 11
+   5.  Calculation of the Hash  . . . . . . . . . . . . . . . . . . . 11
+   6.  Including NSEC3 RRs in a Zone  . . . . . . . . . . . . . . . . 11
+   7.  Responding to NSEC3 Queries  . . . . . . . . . . . . . . . . . 12
+   8.  Special Considerations . . . . . . . . . . . . . . . . . . . . 13
+     8.1.  Proving Nonexistence . . . . . . . . . . . . . . . . . . . 13
+     8.2.  Salting  . . . . . . . . . . . . . . . . . . . . . . . . . 14
+     8.3.  Iterations . . . . . . . . . . . . . . . . . . . . . . . . 15
+     8.4.  Hash Collision . . . . . . . . . . . . . . . . . . . . . . 16
+       8.4.1.  Avoiding Hash Collisions during generation . . . . . . 16
+       8.4.2.  Second Preimage Requirement Analysis . . . . . . . . . 16
+       8.4.3.  Possible Hash Value Truncation Method  . . . . . . . . 17
+       8.4.4.  Server Response to a Run-time Collision  . . . . . . . 17
+       8.4.5.  Parameters that Cover the Zone . . . . . . . . . . . . 18
+   9.  Performance Considerations . . . . . . . . . . . . . . . . . . 18
+   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 18
+   11. Security Considerations  . . . . . . . . . . . . . . . . . . . 18
+   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
+     12.1. Normative References . . . . . . . . . . . . . . . . . . . 21
+     12.2. Informative References . . . . . . . . . . . . . . . . . . 22
+   Editorial Comments . . . . . . . . . . . . . . . . . . . . . . . .
+   Appendix A.  Example Zone  . . . . . . . . . . . . . . . . . . . . 22
+   Appendix B.  Example Responses . . . . . . . . . . . . . . . . . . 27
+     B.1.  answer . . . . . . . . . . . . . . . . . . . . . . . . . . 27
+       B.1.1.  Authenticating the Example DNSKEY RRset  . . . . . . . 29
+     B.2.  Name Error . . . . . . . . . . . . . . . . . . . . . . . . 30
+     B.3.  No Data Error  . . . . . . . . . . . . . . . . . . . . . . 32
+       B.3.1.  No Data Error, Empty Non-Terminal  . . . . . . . . . . 33
+     B.4.  Referral to Signed Zone  . . . . . . . . . . . . . . . . . 34
+     B.5.  Referral to Unsigned Zone using the Opt-In Flag  . . . . . 35
+     B.6.  Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 36
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 2]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+     B.7.  Wildcard No Data Error . . . . . . . . . . . . . . . . . . 38
+     B.8.  DS Child Zone No Data Error  . . . . . . . . . . . . . . . 39
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41
+   Intellectual Property and Copyright Statements . . . . . . . . . . 42
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 3]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+1.  Introduction
+
+1.1.  Rationale
+
+   The DNS Security Extensions included the NSEC RR to provide
+   authenticated denial of existence.  Though the NSEC RR meets the
+   requirements for authenticated denial of existence, it introduced a
+   side-effect in that the contents of a zone can be enumerated.  This
+   property introduces undesired policy issues.
+
+   An enumerated zone can be used either directly as a source of
+   probable e-mail addresses for spam, or indirectly as a key for
+   multiple WHOIS queries to reveal registrant data which many
+   registries may be under strict legal obligations to protect.  Many
+   registries therefore prohibit copying of their zone file; however the
+   use of NSEC RRs renders these policies unenforceable.
+
+   A second problem was the requirement that the existence of all record
+   types in a zone - including unsigned delegation points - must be
+   accounted for, despite the fact that unsigned delegation point
+   records are not signed.  This requirement has a side-effect that the
+   overhead of signed zones is not related to the increase in security
+   of subzones.  This requirement does not allow the zones' size to grow
+   in relation to the growth of signed subzones.
+
+   In the past, solutions (draft-ietf-dnsext-dnssec-opt-in) have been
+   proposed as a measure against these side effects but at the time were
+   regarded as secondary over the need to have a stable DNSSEC
+   specification.  With (draft-vixie-dnssec-ter) [14] a graceful
+   transition path to future enhancements is introduced, while current
+   DNSSEC deployment can continue.  This document presents the NSEC3
+   Resource Record which mitigates these issues with the NSEC RR.
+
+   The reader is assumed to be familiar with the basic DNS and DNSSEC
+   concepts described in RFC 1034 [1], RFC 1035 [2], RFC 4033 [3], RFC
+   4034 [4], RFC 4035 [5] and subsequent RFCs that update them: RFC 2136
+   [6], RFC2181 [7] and RFC2308 [8].
+
+1.2.  Reserved Words
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119 [9].
+
+1.3.  Terminology
+
+   The practice of discovering the contents of a zone, i.e. enumerating
+   the domains within a zone, is known as "zone enumeration".  Zone
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 4]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   enumeration was not practical prior to the introduction of DNSSEC.
+
+   In this document the term "original ownername" refers to a standard
+   ownername.  Because this proposal uses the result of a hash function
+   over the original (unmodified) ownername, this result is referred to
+   as "hashed ownername".
+
+   "Hash order" means the order in which hashed ownernames are arranged
+   according to their numerical value, treating the leftmost (lowest
+   numbered) octet as the most significant octet.  Note that this is the
+   same as the canonical ordering specified in RFC 4034 [4].
+
+   An "empty non-terminal" is a domain name that owns no resource
+   records but has subdomains that do.
+
+   The "closest encloser" of a (nonexistent) domain name is the longest
+   domain name, including empty non-terminals, that matches the
+   rightmost part of the nonexistent domain name.
+
+   "Base32 encoding" is "Base 32 Encoding with Extended Hex Alphabet" as
+   specified in RFC 3548bis [15].
+
+
+2.  NSEC versus NSEC3
+
+   This document does NOT obsolete the NSEC record, but gives an
+   alternative for authenticated denial of existence.  NSEC and NSEC3
+   RRs can not co-exist in a zone.  See draft-vixie-dnssec-ter [14] for
+   a signaling mechanism to allow for graceful transition towards NSEC3.
+
+
+3.  The NSEC3 Resource Record
+
+   The NSEC3 RR provides Authenticated Denial of Existence for DNS
+   Resource Record Sets.
+
+   The NSEC3 Resource Record (RR) lists RR types present at the NSEC3
+   RR's original ownername.  It includes the next hashed ownername in
+   the hash order of the zone.  The complete set of NSEC3 RRs in a zone
+   indicates which RRsets exist for the original ownername of the RRset
+   and form a chain of hashed ownernames in the zone.  This information
+   is used to provide authenticated denial of existence for DNS data, as
+   described in RFC 4035 [5].  To provide protection against zone
+   enumeration, the ownernames used in the NSEC3 RR are cryptographic
+   hashes of the original ownername prepended to the name of the zone.
+   The NSEC3 RR indicates which hash function is used to construct the
+   hash, which salt is used, and how many iterations of the hash
+   function are performed over the original ownername.  The hashing
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 5]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   technique is described fully in Section 5.
+
+   Hashed ownernames of unsigned delegations may be excluded from the
+   chain.  An NSEC3 record which span covers the hash of an unsigned
+   delegation's ownername is referred to as an Opt-In NSEC3 record and
+   is indicated by the presence of a flag.
+
+   The ownername for the NSEC3 RR is the base32 encoding of the hashed
+   ownername prepended to the name of the zone..
+
+   The type value for the NSEC3 RR is XX.
+
+   The NSEC3 RR RDATA format is class independent and is described
+   below.
+
+   The class MUST be the same as the original ownername's class.
+
+   The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL
+   field.  This is in the spirit of negative caching [8].
+
+3.1.  NSEC3 RDATA Wire Format
+
+   The RDATA of the NSEC3 RR is as shown below:
+
+                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   | Hash Function |O|                Iterations                   |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |  Salt Length  |                     Salt                      /
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   /                     Next Hashed Ownername                     /
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   /                         Type Bit Maps                         /
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   "O" is the Opt-In Flag field.
+
+3.1.1.  The Hash Function Field
+
+   The Hash Function field identifies the cryptographic hash function
+   used to construct the hash-value.
+
+   The values are as defined for the DS record (see RFC 3658 [10]).
+
+   On reception, a resolver MUST ignore an NSEC3 RR with an unknown hash
+   function value.
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 6]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+3.1.2.  The Opt-In Flag Field
+
+   The Opt-In Flag field indicates whether this NSEC3 RR covers unsigned
+   delegations.
+
+   In DNSSEC, NS RRsets at delegation points are not signed, and may be
+   accompanied by a DS record.  The security status of the subzone is
+   determined by the presence or absence of the DS RRset,
+   cryptographically proven by the NSEC record or the signed DS RRset.
+   The presence of the Opt-In flag expands this definition by allowing
+   insecure delegations to exist within an otherwise signed zone without
+   the corresponding NSEC3 record at the delegation's (hashed) owner
+   name.  These delegations are proven insecure by using a covering
+   NSEC3 record.
+
+   Resolvers must be able to distinguish between NSEC3 records and
+   Opt-In NSEC3 records.  This is accomplished by setting the Opt-In
+   flag of the NSEC3 records that cover (or potentially cover) insecure
+   delegation nodes.
+
+   An Opt-In NSEC3 record does not assert the existence or non-existence
+   of the insecure delegations that it covers.  This allows for the
+   addition or removal of these delegations without recalculating or
+   resigning records in the NSEC3 chain.  However, Opt-In NSEC3 records
+   do assert the (non)existence of other, authoritative RRsets.
+
+   An Opt-In NSEC3 record MAY have the same original owner name as an
+   insecure delegation.  In this case, the delegation is proven insecure
+   by the lack of a DS bit in type map and the signed NSEC3 record does
+   assert the existence of the delegation.
+
+   Zones using Opt-In MAY contain a mixture of Opt-In NSEC3 records and
+   non-Opt-In NSEC3 records.  If an NSEC3 record is not Opt-In, there
+   MUST NOT be any hashed ownernames of insecure delegations (nor any
+   other records) between it and the RRsets indicated by the 'Next
+   Hashed Ownername' in the NSEC3 RDATA.  If it is Opt-In, there MUST
+   only be hashed ownernames of insecure delegations between it and the
+   next node indicated by the 'Next Hashed Ownername' in the NSEC3
+   RDATA.
+
+   In summary,
+   o  An Opt-In NSEC3 type is identified by an Opt-In Flag field value
+      of 1.
+   o  A non Opt-In NSEC3 type is identified by an Opt-In Flag field
+      value of 0.
+   and,
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 7]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   o  An Opt-In NSEC3 record does not assert the non-existence of a hash
+      ownername between its ownername and next hashed ownername,
+      although it does assert that any hashed name in this span MUST be
+      of an insecure delegation.
+   o  An Opt-In NSEC3 record does assert the (non)existence of RRsets
+      with the same hashed owner name.
+
+3.1.3.  The Iterations Field
+
+   The Iterations field defines the number of times the hash has been
+   iterated.  More iterations results in greater resiliency of the hash
+   value against dictionary attacks, but at a higher cost for both the
+   server and resolver.  See Section 5 for details of this field's use.
+
+   Iterations make an attack more costly by making the hash computation
+   more computationally intensive, e.g. by iterating the hash function a
+   number of times.
+
+   When generating a few hashes this performance loss will not be a
+   problem, as a validator can handle a delay of a few milliseconds.
+   But when doing a dictionary attack it will also multiply the attack
+   workload by a factor, which is a problem for the attacker.
+
+3.1.4.  The Salt Length Field
+
+   The salt length field defines the length of the salt in octets.
+
+3.1.5.  The Salt Field
+
+   The Salt field is not present when the Salt Length Field has a value
+   of 0.
+
+   The Salt field is appended to the original ownername before hashing
+   in order to defend against precalculated dictionary attacks.  See
+   Section 5 for details on how the salt is used.
+
+   Salt is used to make dictionary attacks using precomputation more
+   costly.  A dictionary can only be computed after the attacker has the
+   salt, hence a new salt means that the dictionary has to be
+   regenerated with the new salt.
+
+   There MUST be a complete set of NSEC3 records covering the entire
+   zone that use the same salt value.  The requirement exists so that,
+   given any qname within a zone, at least one covering NSEC3 RRset may
+   be found.  While it may be theoretically possible to produce a set of
+   NSEC3s that use different salts that cover the entire zone, it is
+   computationally infeasible to generate such a set.  See Section 8.2
+   for further discussion.
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 8]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   The salt value SHOULD be changed from time to time - this is to
+   prevent the use of a precomputed dictionary to reduce the cost of
+   enumeration.
+
+3.1.6.  The Next Hashed Ownername Field
+
+   The Next Hashed Ownername field contains the next hashed ownername in
+   hash order.  That is, given the set of all hashed owernames, the Next
+   Hashed Ownername contains the hash value that immediately follows the
+   owner hash value for the given NSEC3 record.  The value of the Next
+   Hashed Ownername Field in the last NSEC3 record in the zone is the
+   same as the ownername of the first NSEC3 RR in the zone in hash
+   order.
+
+   Hashed ownernames of glue RRsets MUST NOT be listed in the Next
+   Hashed Ownername unless at least one authoritative RRset exists at
+   the same ownername.  Hashed ownernames of delegation NS RRsets MUST
+   be listed if the Opt-In bit is clear.
+
+   Note that the Next Hashed Ownername field is not encoded, unlike the
+   NSEC3 RR's ownername.  It is the unmodified binary hash value.  It
+   does not include the name of the containing zone.
+
+   The length of this field is the length of the hash value produced by
+   the hash function selected by the Hash Function field.
+
+3.1.7.  The Type Bit Maps Field
+
+   The Type Bit Maps field identifies the RRset types which exist at the
+   NSEC3 RR's original ownername.
+
+   The Type bits for the NSEC3 RR and RRSIG RR MUST be set during
+   generation, and MUST be ignored during processing.
+
+   The RR type space is split into 256 window blocks, each representing
+   the low-order 8 bits of the 16-bit RR type space.  Each block that
+   has at least one active RR type is encoded using a single octet
+   window number (from 0 to 255), a single octet bitmap length (from 1
+   to 32) indicating the number of octets used for the window block's
+   bitmap, and up to 32 octets (256 bits) of bitmap.
+
+   Blocks are present in the NSEC3 RR RDATA in increasing numerical
+   order.
+
+   "|" denotes concatenation
+
+   Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 9]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   Each bitmap encodes the low-order 8 bits of RR types within the
+   window block, in network bit order.  The first bit is bit 0.  For
+   window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
+   to RR type 2 (NS), and so forth.  For window block 1, bit 1
+   corresponds to RR type 257, bit 2 to RR type 258.  If a bit is set to
+   1, it indicates that an RRset of that type is present for the NSEC3
+   RR's ownername.  If a bit is set to 0, it indicates that no RRset of
+   that type is present for the NSEC3 RR's ownername.
+
+   Since bit 0 in window block 0 refers to the non-existing RR type 0,
+   it MUST be set to 0.  After verification, the validator MUST ignore
+   the value of bit 0 in window block 0.
+
+   Bits representing Meta-TYPEs or QTYPEs as specified in RFC 2929 [11]
+   (section 3.1) or within the range reserved for assignment only to
+   QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in
+   zone data.  If encountered, they must be ignored upon reading.
+
+   Blocks with no types present MUST NOT be included.  Trailing zero
+   octets in the bitmap MUST be omitted.  The length of each block's
+   bitmap is determined by the type code with the largest numerical
+   value, within that block, among the set of RR types present at the
+   NSEC3 RR's actual ownername.  Trailing zero octets not specified MUST
+   be interpreted as zero octets.
+
+3.2.  The NSEC3 RR Presentation Format
+
+   The presentation format of the RDATA portion is as follows:
+
+   The Opt-In Flag Field is represented as an unsigned decimal integer.
+   The value is either 0 or 1.
+
+   The Hash field is presented as a mnemonic of the hash or as an
+   unsigned decimal integer.  The value has a maximum of 127.
+
+   The Iterations field is presented as an unsigned decimal integer.
+
+   The Salt Length field is not presented.
+
+   The Salt field is represented as a sequence of case-insensitive
+   hexadecimal digits.  Whitespace is not allowed within the sequence.
+   The Salt Field is represented as "-" (without the quotes) when the
+   Salt Length field has value 0.
+
+   The Next Hashed Ownername field is represented as a sequence of case-
+   insensitive base32 digits, without whitespace.
+
+   The Type Bit Maps Field is represented as a sequence of RR type
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 10]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   mnemonics.  When the mnemonic is not known, the TYPE representation
+   as described in RFC 3597 [12] (section 5) MUST be used.
+
+
+4.  Creating Additional NSEC3 RRs for Empty Non-Terminals
+
+   In order to prove the non-existence of a record that might be covered
+   by a wildcard, it is necessary to prove the existence of its closest
+   encloser.  A closest encloser might be an empty non-terminal.
+
+   Additional NSEC3 RRs are generated for empty non-terminals.  These
+   additional NSEC3 RRs are identical in format to NSEC3 RRs that cover
+   existing RRs in the zone except that their type-maps only indicated
+   the existence of an NSEC3 RRset and an RRSIG RRset.
+
+   This relaxes the requirement in Section 2.3 of RFC4035 that NSEC RRs
+   not appear at names that did not exist before the zone was signed.
+   [Comment.1]
+
+
+5.  Calculation of the Hash
+
+   Define H(x) to be the hash of x using the hash function selected by
+   the NSEC3 record and || to indicate concatenation.  Then define:
+
+   IH(salt,x,0)=H(x || salt)
+
+   IH(salt,x,k)=H(IH(salt,x,k-1) || salt) if k > 0
+
+   Then the calculated hash of an ownername is
+   IH(salt,ownername,iterations-1), where the ownername is the canonical
+   form.
+
+   The canonical form of the ownername is the wire format of the
+   ownername where:
+   1.  The ownername is fully expanded (no DNS name compression) and
+       fully qualified;
+   2.  All uppercase US-ASCII letters are replaced by the corresponding
+       lowercase US-ASCII letters;
+   3.  If the ownername is a wildcard name, the ownername is in its
+       original unexpanded form, including the "*" label (no wildcard
+       substitution);
+   This form is as defined in section 6.2 of RFC 4034 ([4]).
+
+
+6.  Including NSEC3 RRs in a Zone
+
+   Each ownername within the zone that owns authoritative RRsets MUST
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 11]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   have a corresponding NSEC3 RR.  Ownernames that correspond to
+   unsigned delegations MAY have a corresponding NSEC3 RR, however, if
+   there is not, there MUST be a covering NSEC3 RR with the Opt-In flag
+   set to 1.  Other non-authoritative RRs are not included in the set of
+   NSEC3 RRs.
+
+   Each empty non-terminal MUST have an NSEC3 record.
+
+   The TTL value for any NSEC3 RR SHOULD be the same as the minimum TTL
+   value field in the zone SOA RR.
+
+   The type bitmap of every NSEC3 resource record in a signed zone MUST
+   indicate the presence of both the NSEC3 RR type itself and its
+   corresponding RRSIG RR type.
+
+   The following steps describe the proper construction of NSEC3
+   records.  [Comment.2]
+   1.  For each unique original ownername in the zone, add an NSEC3
+       RRset.  If Opt-In is being used, ownernames of unsigned
+       delegations may be excluded, but must be considered for empty-
+       non-terminals.  The ownername of the NSEC3 RR is the hashed
+       equivalent of the original owner name, prepended to the zone
+       name.  The Next Hashed Ownername field is left blank for the
+       moment.  If Opt-In is being used, set the Opt-In bit to one.
+   2.  For each RRset at the original owner name, set the corresponding
+       bit in the type bit map.
+   3.  If the difference in number of labels between the apex and the
+       original ownername is greater then 1, additional NSEC3s need to
+       be added for every empty non-terminal between the apex and the
+       original ownername.  This process may generate NSEC3 RRs with
+       duplicate hashed ownernames.
+   4.  Sort the set of NSEC3 RRs into hash order.  Hash order is the
+       ascending numerical order of the non-encoded hash values.
+   5.  Combine NSEC3 RRs with identical hashed ownernames by replacing
+       with a single NSEC3 RR with the type map consisting of the union
+       of the types represented by the set of NSEC3 RRs.
+   6.  In each NSEC3 RR, insert the Next Hashed Ownername by using the
+       value of the next NSEC3 RR in hash order.  The Next Hashed
+       Ownername of the last NSEC3 in the zone contains the value of the
+       hashed ownername of the first NSEC3 in the hash order.
+
+
+7.  Responding to NSEC3 Queries
+
+   Since NSEC3 ownernames are not represented in the NSEC3 chain like
+   other zone ownernames, direct queries for NSEC3 ownernames present a
+   special case.
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 12]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   The special case arises when the following are all true:
+   o  The QNAME equals an existing NSEC3 ownername, and
+   o  There are no other record types that exist at QNAME, and
+   o  The QTYPE does not equal NSEC3.
+   These conditions describe a particular case: the answer should be a
+   NOERROR/NODATA response, but there is no NSEC3 RRset for H(QNAME) to
+   include in the authority section.
+
+   However, the NSEC3 RRset with ownername equal to QNAME is able to
+   prove its own existence.  Thus, when answering this query, the
+   authoritative server MUST include the NSEC3 RRset whose ownername
+   equals QNAME.  This RRset proves that QNAME is an existing name with
+   types NSEC3 and RRSIG.  The authoritative server MUST also include
+   the NSEC3 RRset that covers the hash of QNAME.  This RRset proves
+   that no other types exist.
+
+   When validating a NOERROR/NODATA response, validators MUST check for
+   a NSEC3 RRset with ownername equals to QNAME, and MUST accept that
+   (validated) NSEC3 RRset as proof that QNAME exists.  The validator
+   MUST also check for an NSEC3 RRset that covers the hash of QNAME as
+   proof that QTYPE doesn't exist.
+
+   Other cases where the QNAME equals an existing NSEC3 ownername may be
+   answered normally.
+
+
+8.  Special Considerations
+
+   The following paragraphs clarify specific behaviour explain special
+   considerations for implementations.
+
+8.1.  Proving Nonexistence
+
+   If a wildcard resource record appears in a zone, its asterisk label
+   is treated as a literal symbol and is treated in the same way as any
+   other ownername for purposes of generating NSEC3 RRs.  RFC 4035 [5]
+   describes the impact of wildcards on authenticated denial of
+   existence.
+
+   In order to prove there exist no RRs for a domain, as well as no
+   source of synthesis, an RR must be shown for the closest encloser,
+   and non-existence must be shown for all closer labels and for the
+   wildcard at the closest encloser.
+
+   This can be done as follows.  If the QNAME in the query is
+   omega.alfa.beta.example, and the closest encloser is beta.example
+   (the nearest ancestor to omega.alfa.beta.example), then the server
+   should return an NSEC3 that demonstrates the nonexistence of
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 13]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   alfa.beta.example, an NSEC3 that demonstrates the nonexistence of
+   *.beta.example, and an NSEC3 that demonstrates the existence of
+   beta.example.  This takes between one and three NSEC3 records, since
+   a single record can, by chance, prove more than one of these facts.
+
+   When a verifier checks this response, then the existence of
+   beta.example together with the non-existence of alfa.beta.example
+   proves that the closest encloser is indeed beta.example.  The non-
+   existence of *.beta.example shows that there is no wildcard at the
+   closest encloser, and so no source of synthesis for
+   omega.alfa.beta.example.  These two facts are sufficient to satisfy
+   the resolver that the QNAME cannot be resolved.
+
+   In practice, since the NSEC3 owner and next names are hashed, if the
+   server responds with an NSEC3 for beta.example, the resolver will
+   have to try successively longer names, starting with example, moving
+   to beta.example, alfa.beta.example, and so on, until one of them
+   hashes to a value that matches the interval (but not the ownername
+   nor next owner name) of one of the returned NSEC3s (this name will be
+   alfa.beta.example).  Once it has done this, it knows the closest
+   encloser (i.e. beta.example), and can then easily check the other two
+   required proofs.
+
+   Note that it is not possible for one of the shorter names tried by
+   the resolver to be denied by one of the returned NSEC3s, since, by
+   definition, all these names exist and so cannot appear within the
+   range covered by an NSEC3.  Note, however, that the first name that
+   the resolver tries MUST be the apex of the zone, since names above
+   the apex could be denied by one of the returned NSEC3s.
+
+8.2.  Salting
+
+   Augmenting original ownernames with salt before hashing increases the
+   cost of a dictionary of pre-generated hash-values.  For every bit of
+   salt, the cost of a precomputed dictionary doubles (because there
+   must be an entry for each word combined with each possible salt
+   value).  The NSEC3 RR can use a maximum of 2040 bits (255 octets) of
+   salt, multiplying the cost by 2^2040.  This means that an attacker
+   must, in practice, recompute the dictionary each time the salt is
+   changed.
+
+   There MUST be at least one complete set of NSEC3s for the zone using
+   the same salt value.
+
+   The salt SHOULD be changed periodically to prevent precomputation
+   using a single salt.  It is RECOMMENDED that the salt be changed for
+   every resigning.
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 14]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   Note that this could cause a resolver to see records with different
+   salt values for the same zone.  This is harmless, since each record
+   stands alone (that is, it denies the set of ownernames whose hashes,
+   using the salt in the NSEC3 record, fall between the two hashes in
+   the NSEC3 record) - it is only the server that needs a complete set
+   of NSEC3 records with the same salt in order to be able to answer
+   every possible query.
+
+   There is no prohibition with having NSEC3 with different salts within
+   the same zone.  However, in order for authoritative servers to be
+   able to consistently find covering NSEC3 RRs, the authoritative
+   server MUST choose a single set of parameters (algorithm, salt, and
+   iterations) to use when selecting NSEC3s.  In the absence of any
+   other metadata, the server does this by using the parameters from the
+   zone apex NSEC3, recognizable by the presence of the SOA bit in the
+   type map.  If there is more than one NSEC3 record that meets this
+   description, then the server may arbitrarily choose one.  Because of
+   this, if there is a zone apex NSEC3 RR within a zone, it MUST be part
+   of a complete NSEC3 set.  Conversely, if there exists an incomplete
+   set of NSEC3 RRs using the same parameters within a zone, there MUST
+   NOT be an NSEC3 RR using those parameters with the SOA bit set.
+
+8.3.  Iterations
+
+   Setting the number of iterations used allows the zone owner to choose
+   the cost of computing a hash, and so the cost of generating a
+   dictionary.  Note that this is distinct from the effect of salt,
+   which prevents the use of a single precomputed dictionary for all
+   time.
+
+   Obviously the number of iterations also affects the zone owner's cost
+   of signing the zone as well as the verifiers cost of verifying the
+   zone.  We therefore impose an upper limit on the number of
+   iterations.  We base this on the number of iterations that
+   approximately doubles the cost of signing the zone.
+
+   A zone owner MUST NOT use a value higher than shown in the table
+   below for iterations.  A resolver MAY treat a response with a higher
+   value as bogus.
+
+                       +--------------+------------+
+                       | RSA Key Size | Iterations |
+                       +--------------+------------+
+                       | 1024         | 3,000      |
+                       | 2048         | 20,000     |
+                       | 4096         | 150,000    |
+                       +--------------+------------+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 15]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+                       +--------------+------------+
+                       | DSA Key Size | Iterations |
+                       +--------------+------------+
+                       | 1024         | 1,500      |
+                       | 2048         | 5,000      |
+                       +--------------+------------+
+
+   This table is based on 150,000 SHA-1's per second, 50 RSA signs per
+   second for 1024 bit keys, 7 signs per second for 2048 bit keys, 1
+   sign per second for 4096 bit keys, 100 DSA signs per second for 1024
+   bit keys and 30 signs per second for 2048 bit keys.
+
+   Note that since RSA verifications are 10-100 times faster than
+   signatures (depending on key size), in the case of RSA the legal
+   values of iterations can substantially increase the cost of
+   verification.
+
+8.4.  Hash Collision
+
+   Hash collisions occur when different messages have the same hash
+   value.  The expected number of domain names needed to give a 1 in 2
+   chance of a single collision is about 2^(n/2) for a hash of length n
+   bits (i.e. 2^80 for SHA-1).  Though this probability is extremely
+   low, the following paragraphs deal with avoiding collisions and
+   assessing possible damage in the event of an attack using hash
+   collisions.
+
+8.4.1.  Avoiding Hash Collisions during generation
+
+   During generation of NSEC3 RRs, hash values are supposedly unique.
+   In the (academic) case of a collision occurring, an alternative salt
+   MUST be chosen and all hash values MUST be regenerated.
+
+8.4.2.  Second Preimage Requirement Analysis
+
+   A cryptographic hash function has a second-preimage resistance
+   property.  The second-preimage resistance property means that it is
+   computationally infeasible to find another message with the same hash
+   value as a given message, i.e. given preimage X, to find a second
+   preimage X' != X such that hash(X) = hash(X').  The work factor for
+   finding a second preimage is of the order of 2^160 for SHA-1.  To
+   mount an attack using an existing NSEC3 RR, an adversary needs to
+   find a second preimage.
+
+   Assuming an adversary is capable of mounting such an extreme attack,
+   the actual damage is that a response message can be generated which
+   claims that a certain QNAME (i.e. the second pre-image) does exist,
+   while in reality QNAME does not exist (a false positive), which will
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 16]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   either cause a security aware resolver to re-query for the non-
+   existent name, or to fail the initial query.  Note that the adversary
+   can't mount this attack on an existing name but only on a name that
+   the adversary can't choose and does not yet exist.
+
+8.4.3.  Possible Hash Value Truncation Method
+
+   The previous sections outlined the low probability and low impact of
+   a second-preimage attack.  When impact and probability are low, while
+   space in a DNS message is costly, truncation is tempting.  Truncation
+   might be considered to allow for shorter ownernames and rdata for
+   hashed labels.  In general, if a cryptographic hash is truncated to n
+   bits, then the expected number of domains required to give a 1 in 2
+   probability of a single collision is approximately 2^(n/2) and the
+   work factor to produce a second preimage is 2^n.
+
+   An extreme hash value truncation would be truncating to the shortest
+   possible unique label value.  This would be unwise, since the work
+   factor to produce second preimages would then approximate the size of
+   the zone (sketch of proof: if the zone has k entries, then the length
+   of the names when truncated down to uniqueness should be proportional
+   to log_2(k).  Since the work factor to produce a second pre-image is
+   2^n for an n-bit hash, then in this case it is 2^(C log_2(k)) (where
+   C is some constant), i.e.  C'k - a work factor of k).
+
+   Though the mentioned truncation can be maximized to a certain
+   extreme, the probability of collision increases exponentially for
+   every truncated bit.  Given the low impact of hash value collisions
+   and limited space in DNS messages, the balance between truncation
+   profit and collision damage may be determined by local policy.  Of
+   course, the size of the corresponding RRSIG RR is not reduced, so
+   truncation is of limited benefit.
+
+   Truncation could be signaled simply by reducing the length of the
+   first label in the ownername.  Note that there would have to be a
+   corresponding reduction in the length of the Next Hashed Ownername
+   field.
+
+8.4.4.  Server Response to a Run-time Collision
+
+   In the astronomically unlikely event that a server is unable to prove
+   nonexistence because the hash of the name that does not exist
+   collides with a name that does exist, the server is obviously broken,
+   and should, therefore, return a response with an RCODE of 2 (server
+   failure).
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 17]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+8.4.5.  Parameters that Cover the Zone
+
+   Secondary servers (and perhaps other entities) need to reliably
+   determine which NSEC3 parameters (that is, hash, salt and iterations)
+   are present at every hashed ownername, in order to be able to choose
+   an appropriate set of NSEC3 records for negative responses.  This is
+   indicated by the parameters at the apex: any set of parameters that
+   is used in an NSEC3 record whose original ownername is the apex of
+   the zone MUST be present throughout the zone.
+
+   A method to determine which NSEC3 in a complete chain corresponds to
+   the apex is to look for a NSEC3 RRset which has the SOA bit set in
+   the RDATA bit type maps field.
+
+
+9.  Performance Considerations
+
+   Iterated hashes impose a performance penalty on both authoritative
+   servers and resolvers.  Therefore, the number of iterations should be
+   carefully chosen.  In particular it should be noted that a high value
+   for iterations gives an attacker a very good denial of service
+   attack, since the attacker need not bother to verify the results of
+   their queries, and hence has no performance penalty of his own.
+
+   On the other hand, nameservers with low query rates and limited
+   bandwidth are already subject to a bandwidth based denial of service
+   attack, since responses are typically an order of magnitude larger
+   than queries, and hence these servers may choose a high value of
+   iterations in order to increase the difficulty of offline attempts to
+   enumerate their namespace without significantly increasing their
+   vulnerability to denial of service attacks.
+
+
+10.  IANA Considerations
+
+   IANA needs to allocate a RR type code for NSEC3 from the standard RR
+   type space (type XXX requested).  IANA needs to open a new registry
+   for the NSEC3 Hash Functions.  The range for this registry is 0-127.
+   Defined types are:
+
+      0 is reserved.
+      1 is SHA-1 ([13]).
+      127 is experimental.
+
+
+11.  Security Considerations
+
+   The NSEC3 records are still susceptible to dictionary attacks (i.e.
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 18]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   the attacker retrieves all the NSEC3 records, then calculates the
+   hashes of all likely domain names, comparing against the hashes found
+   in the NSEC3 records, and thus enumerating the zone).  These are
+   substantially more expensive than enumerating the original NSEC
+   records would have been, and in any case, such an attack could also
+   be used directly against the name server itself by performing queries
+   for all likely names, though this would obviously be more detectable.
+   The expense of this off-line attack can be chosen by setting the
+   number of iterations in the NSEC3 RR.
+
+   Domains are also susceptible to a precalculated dictionary attack -
+   that is, a list of hashes for all likely names is computed once, then
+   NSEC3 is scanned periodically and compared against the precomputed
+   hashes.  This attack is prevented by changing the salt on a regular
+   basis.
+
+   Walking the NSEC3 RRs will reveal the total number of records in the
+   zone, and also what types they are.  This could be mitigated by
+   adding dummy entries, but certainly an upper limit can always be
+   found.
+
+   Hash collisions may occur.  If they do, it will be impossible to
+   prove the non-existence of the colliding domain - however, this is
+   fantastically unlikely, and, in any case, DNSSEC already relies on
+   SHA-1 to not collide.
+
+   Responses to queries where QNAME equals an NSEC3 ownername that has
+   no other types may be undetectably changed from a NOERROR/NODATA
+   response to a NAME ERROR response.
+
+   The Opt-In Flag (O) allows for unsigned names, in the form of
+   delegations to unsigned subzones, to exist within an otherwise signed
+   zone.  All unsigned names are, by definition, insecure, and their
+   validity or existence cannot by cryptographically proven.
+
+   In general:
+      Records with unsigned names (whether existing or not) suffer from
+      the same vulnerabilities as records in an unsigned zone.  These
+      vulnerabilities are described in more detail in [16] (note in
+      particular sections 2.3, "Name Games" and 2.6, "Authenticated
+      Denial").
+      Records with signed names have the same security whether or not
+      Opt-In is used.
+
+   Note that with or without Opt-In, an insecure delegation may be
+   undetectably altered by an attacker.  Because of this, the primary
+   difference in security when using Opt-In is the loss of the ability
+   to prove the existence or nonexistence of an insecure delegation
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 19]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   within the span of an Opt-In NSEC3 record.
+
+   In particular, this means that a malicious entity may be able to
+   insert or delete records with unsigned names.  These records are
+   normally NS records, but this also includes signed wildcard
+   expansions (while the wildcard record itself is signed, its expanded
+   name is an unsigned name).
+
+   For example, if a resolver received the following response from the
+   example zone above:
+
+   Example S.1: Response to query for WWW.DOES-NOT-EXIST.EXAMPLE.  A
+
+           RCODE=NOERROR
+
+           Answer Section:
+
+           Authority Section:
+           DOES-NOT-EXIST.EXAMPLE. NS     NS.FORGED.
+           EXAMPLE.                NSEC   FIRST-SECURE.EXAMPLE. SOA NS \
+                                          RRSIG DNSKEY
+           abcd...                 RRSIG  NSEC3 ...
+
+           Additional Section:
+
+   The resolver would have no choice but to accept that the referral to
+   NS.FORGED. is valid.  If a wildcard existed that would have been
+   expanded to cover "WWW.DOES-NOT-EXIST.EXAMPLE.", an attacker could
+   have undetectably removed it and replaced it with the forged
+   delegation.
+
+   Note that being able to add a delegation is functionally equivalent
+   to being able to add any record type: an attacker merely has to forge
+   a delegation to nameserver under his/her control and place whatever
+   records needed at the subzone apex.
+
+   While in particular cases, this issue may not present a significant
+   security problem, in general it should not be lightly dismissed.
+   Therefore, it is strongly RECOMMENDED that Opt-In be used sparingly.
+   In particular, zone signing tools SHOULD NOT default to using Opt-In,
+   and MAY choose to not support Opt-In at all.
+
+
+12.  References
+
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 20]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+12.1.  Normative References
+
+   [1]   Mockapetris, P., "Domain names - concepts and facilities",
+         STD 13, RFC 1034, November 1987.
+
+   [2]   Mockapetris, P., "Domain names - implementation and
+         specification", STD 13, RFC 1035, November 1987.
+
+   [3]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "DNS Security Introduction and Requirements", RFC 4033,
+         March 2005.
+
+   [4]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Resource Records for the DNS Security Extensions", RFC 4034,
+         March 2005.
+
+   [5]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Protocol Modifications for the DNS Security Extensions",
+         RFC 4035, March 2005.
+
+   [6]   Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic
+         Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+         April 1997.
+
+   [7]   Elz, R. and R. Bush, "Clarifications to the DNS Specification",
+         RFC 2181, July 1997.
+
+   [8]   Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+         RFC 2308, March 1998.
+
+   [9]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
+         Levels", BCP 14, RFC 2119, March 1997.
+
+   [10]  Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
+         RFC 3658, December 2003.
+
+   [11]  Eastlake, D., Brunner-Williams, E., and B. Manning, "Domain
+         Name System (DNS) IANA Considerations", BCP 42, RFC 2929,
+         September 2000.
+
+   [12]  Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
+         Types", RFC 3597, September 2003.
+
+   [13]  Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1 (SHA1)",
+         RFC 3174, September 2001.
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 21]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+12.2.  Informative References
+
+   [14]  Vixie, P., "Extending DNSSEC-BIS (DNSSEC-TER)",
+         draft-vixie-dnssec-ter-01 (work in progress), June 2004.
+
+   [15]  Josefsson, Ed., S,., "The Base16, Base32, and Base64 Data
+         Encodings.", draft-josefsson-rfc3548bis-00 (work in progress),
+         October 2005.
+
+   [16]  Atkins, D. and R. Austein, "Threat Analysis of the Domain Name
+         System (DNS)", RFC 3833, August 2004.
+
+Editorial Comments
+
+   [Comment.1]  Although, strictly speaking, the names *did* exist.
+
+   [Comment.2]  Note that this method makes it impossible to detect
+                (extremely unlikely) hash collisions.
+
+
+Appendix A.  Example Zone
+
+   This is a zone showing its NSEC3 records.  They can also be used as
+   test vectors for the hash algorithm.
+
+   The data in the example zone is currently broken, as it uses a
+   different base32 alphabet.  This shall be fixed in the next release.
+
+
+   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
+                              1
+                              3600
+                              300
+                              3600000
+                              3600 )
+                  3600 RRSIG  SOA 5 1 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
+                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
+                              qYIt90txzE/4+g== )
+                  3600 NS     ns1.example.
+                  3600 NS     ns2.example.
+                  3600 RRSIG  NS 5 1 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
+                              m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
+                              1SH5r/wfjuCg+g== )
+                  3600 MX     1 xx.example.
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 22]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+                  3600 RRSIG  MX 5 1 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              L/ZDLMSZJKITmSxmM9Kni37/wKQsdSg6FT0l
+                              NMm14jy2Stp91Pwp1HQ1hAMkGWAqCMEKPMtU
+                              S/o/g5C8VM6ftQ== )
+                  3600 DNSKEY 257 3 5 (
+                              AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX
+                              cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1
+                              zsYKWJ7BvR2894hX
+                              ) ; Key ID = 21960
+                  3600 DNSKEY 256 3 5 (
+                              AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU
+                              5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL
+                              ExXT48OGGdbfIme5
+                              ) ; Key ID = 62699
+                  3600 RRSIG  DNSKEY 5 1 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              e6EB+K21HbyZzoLUeRDb6+g0+n8XASYe6h+Z
+                              xtnB31sQXZgq8MBHeNFDQW9eZw2hjT9zMClx
+                              mTkunTYzqWJrmQ== )
+                  3600 RRSIG  DNSKEY 5 1 3600 20050712112304 (
+                              20050612112304 21960 example.
+                              SnWLiNWLbOuiKU/F/wVMokvcg6JVzGpQ2VUk
+                              ZbKjB9ON0t3cdc+FZbOCMnEHRJiwgqlnncik
+                              3w7ZY2UWyYIvpw== )
+   5pe7ctl7pfs2cilroy5dcofx4rcnlypd.example. 3600 NSEC3  0 1 1 (
+                              deadbeaf
+                              7nomf47k3vlidh4vxahhpp47l3tgv7a2
+                              NSEC3 RRSIG )
+                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              PTWYq4WZmmtgh9UQif342HWf9DD9RuuM4ii5
+                              Z1oZQgRi5zrsoKHAgl2YXprF2Rfk1TLgsiFQ
+                              sb7KfbaUo/vzAg== )
+   7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 NSEC3  0 1 1 (
+                              deadbeaf
+                              dw4o7j64wnel3j4jh7fb3c5n7w3js2yb
+                              MX NSEC3 RRSIG )
+                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              YTcqole3h8EOsTT3HKnwhR1QS8borR0XtZaA
+                              ZrLsx6n0RDC1AAdZONYOvdqvcal9PmwtWjlo
+                              MEFQmc/gEuxojA== )
+   a.example.     3600 IN NS  ns1.a.example.
+                  3600 IN NS  ns2.a.example.
+                  3600 DS     58470 5 1 3079F1593EBAD6DC121E202A8B
+                              766A6A4837206C )
+                  3600 RRSIG  DS 5 2 3600 20050712112304 (
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 23]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+                              20050612112304 62699 example.
+                              QavhbsSmEvJLSUzGoTpsV3SKXCpaL1UO3Ehn
+                              cB0ObBIlex/Zs9kJyG/9uW1cYYt/1wvgzmX2
+                              0kx7rGKTc3RQDA== )
+   ns1.a.example. 3600 IN A   192.0.2.5
+   ns2.a.example. 3600 IN A   192.0.2.6
+   ai.example.    3600 IN A   192.0.2.9
+                  3600 RRSIG  A 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              plY5M26ED3Owe3YX0pBIhgg44j89NxUaoBrU
+                              6bLRr99HpKfFl1sIy18JiRS7evlxCETZgubq
+                              ZXW5S+1VjMZYzQ== )
+                  3600 HINFO  "KLH-10" "ITS"
+                  3600 RRSIG  HINFO 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              AR0hG/Z/e+vlRhxRQSVIFORzrJTBpdNHhwUk
+                              tiuqg+zGqKK84eIqtrqXelcE2szKnF3YPneg
+                              VGNmbgPnqDVPiA== )
+                  3600 AAAA   2001:db8:0:0:0:0:f00:baa9
+                  3600 RRSIG  AAAA 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              PNF/t7+DeosEjhfuL0kmsNJvn16qhYyLI9FV
+                              ypSCorFx/PKIlEL3syomkYM2zcXVSRwUXMns
+                              l5/UqLCJJ9BDMg== )
+   b.example.     3600 IN NS  ns1.b.example.
+                  3600 IN NS  ns2.b.example.
+   ns1.b.example. 3600 IN A   192.0.2.7
+   ns2.b.example. 3600 IN A   192.0.2.8
+   dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 NSEC3  0 1 1 (
+                              deadbeaf
+                              gmnfcccja7wkax3iv26bs75myptje3qk
+                              MX DNSKEY NS SOA NSEC3 RRSIG )
+                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              VqEbXiZLJVYmo25fmO3IuHkAX155y8NuA50D
+                              C0NmJV/D4R3rLm6tsL6HB3a3f6IBw6kKEa2R
+                              MOiKMSHozVebqw== )
+   gmnfcccja7wkax3iv26bs75myptje3qk.example. 3600 NSEC3  0 1 1 (
+                              deadbeaf
+                              jt4bbfokgbmr57qx4nqucvvn7fmo6ab6
+                              DS NS NSEC3 RRSIG )
+                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              ZqkdmF6eICpHyn1Cj7Yvw+nLcbji46Qpe76/
+                              ZetqdZV7K5sO3ol5dOc0dZyXDqsJp1is5StW
+                              OwQBGbOegrW/Zw== )
+   jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 NSEC3  0 1 1 (
+                              deadbeaf
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 24]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+                              kcll7fqfnisuhfekckeeqnmbbd4maanu
+                              NSEC3 RRSIG )
+                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              FXyCVQUdFF1EW1NcgD2V724/It0rn3lr+30V
+                              IyjmqwOMvQ4G599InTpiH46xhX3U/FmUzHOK
+                              94Zbq3k8lgdpZA== )
+   kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 NSEC3  1 1 1 (
+                              deadbeaf
+                              n42hbhnjj333xdxeybycax5ufvntux5d
+                              MX NSEC3 RRSIG )
+                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              d0g8MTOvVwByOAIwvYV9JrTHwJof1VhnMKuA
+                              IBj6Xaeney86RBZYgg7Qyt9WnQSK3uCEeNpx
+                              TOLtc5jPrkL4zQ== )
+   n42hbhnjj333xdxeybycax5ufvntux5d.example. 3600 NSEC3  0 1 1 (
+                              deadbeaf
+                              nimwfwcnbeoodmsc6npv3vuaagaevxxu
+                              A NSEC3 RRSIG )
+                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              MZGzllh+YFqZbY8SkHxARhXFiMDPS0tvQYyy
+                              91tj+lbl45L/BElD3xxB/LZMO8vQejYtMLHj
+                              xFPFGRIW3wKnrA== )
+   nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 NSEC3  0 1 1 (
+                              deadbeaf
+                              vhgwr2qgykdkf4m6iv6vkagbxozphazr
+                              HINFO A AAAA NSEC3 RRSIG )
+                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              c3zQdK68cYTHTjh1cD6pi0vblXwzyoU/m7Qx
+                              z8kaPYikbJ9vgSl9YegjZukgQSwybHUC0SYG
+                              jL33Wm1p07TBdw== )
+   ns1.example.   3600 A      192.0.2.1
+                  3600 RRSIG  A 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              QLGkaqWXxRuE+MHKkMvVlswg65HcyjvD1fyb
+                              BDZpcfiMHH9w4x1eRqRamtSDTcqLfUrcYkrr
+                              nWWLepz1PjjShQ== )
+   ns2.example.   3600 A      192.0.2.2
+                  3600 RRSIG  A 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              UoIZaC1O6XHRWGHBOl8XFQKPdYTkRCz6SYh3
+                              P2mZ3xfY22fLBCBDrEnOc8pGDGijJaLl26Cz
+                              AkeTJu3J3auUiA== )
+   vhgwr2qgykdkf4m6iv6vkagbxozphazr.example. 3600 NSEC3  0 1 1 (
+                              deadbeaf
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 25]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+                              wbyijvpnyj33pcpi3i44ecnibnaj7eiw
+                              HINFO A AAAA NSEC3 RRSIG )
+                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              leFhoF5FXZAiNOxK4OBOOA0WKdbaD5lLDT/W
+                              kLoyWnQ6WGBwsUOdsEcVmqz+1n7q9bDf8G8M
+                              5SNSHIyfpfsi6A== )
+   *.w.example.   3600 MX     1 ai.example.
+                  3600 RRSIG  MX 5 3 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              sYNUPHn1/gJ87wTHNksGdRm3vfnSFa2BbofF
+                              xGfJLF5A4deRu5f0hvxhAFDCcXfIASj7z0wQ
+                              gQlgxEwhvQDEaQ== )
+   x.w.example.   3600 MX     1 xx.example.
+                  3600 RRSIG  MX 5 3 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              s1XQ/8SlViiEDik9edYs1Ooe3XiXo453Dg7w
+                              lqQoewuDzmtd6RaLNu52W44zTM1EHJES8ujP
+                              U9VazOa1KEIq1w== )
+   x.y.w.example. 3600 MX     1 xx.example.
+                  3600 RRSIG  MX 5 4 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              aKVCGO/Fx9rm04UUsHRTTYaDA8o8dGfyq6t7
+                              uqAcYxU9xiXP+xNtLHBv7er6Q6f2JbOs6SGF
+                              9VrQvJjwbllAfA== )
+   wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 NSEC3  0 1 1 (
+                              deadbeaf
+                              zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui
+                              A NSEC3 RRSIG )
+                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              ledFAaDCqDxapQ1FvBAjjK2DP06iQj8AN6gN
+                              ZycTeSmobKLTpzbgQp8uKYYe/DPHjXYmuEhd
+                              oorBv4xkb0flXw== )
+   xx.example.    3600 A      192.0.2.10
+                  3600 RRSIG  A 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              XSuMVjNxovbZUsnKU6oQDygaK+WB+O5HYQG9
+                              tJgphHIX7TM4uZggfR3pNM+4jeC8nt2OxZZj
+                              cxwCXWj82GVGdw== )
+                  3600 HINFO  "KLH-10" "TOPS-20"
+                  3600 RRSIG  HINFO 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              ghS2DimOqPSacG9j6KMgXSfTMSjLxvoxvx3q
+                              OKzzPst4tEbAmocF2QX8IrSHr67m4ZLmd2Fk
+                              KMf4DgNBDj+dIQ== )
+                  3600 AAAA   2001:db8:0:0:0:0:f00:baaa
+                  3600 RRSIG  AAAA 5 2 3600 20050712112304 (
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 26]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+                              20050612112304 62699 example.
+                              rto7afZkXYB17IfmQCT5QoEMMrlkeOoAGXzo
+                              w8Wmcg86Fc+MQP0hyXFScI1gYNSgSSoDMXIy
+                              rzKKwb8J04/ILw== )
+   zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 NSEC3  0 1 1 (
+                              deadbeaf
+                              5pe7ctl7pfs2cilroy5dcofx4rcnlypd
+                              MX NSEC3 RRSIG )
+                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
+                              7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
+                              OcFlrPGPMm48/A== )
+
+
+Appendix B.  Example Responses
+
+   The examples in this section show response messages using the signed
+   zone example in Appendix A.
+
+B.1.  answer
+
+   A successful query to an authoritative server.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 27]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   ;; Header: QR AA DO RCODE=0
+   ;;
+   ;; Question
+   x.w.example.        IN MX
+
+   ;; Answer
+   x.w.example.   3600 IN MX  1 xx.example.
+   x.w.example.   3600 IN RRSIG  MX 5 3 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              s1XQ/8SlViiEDik9edYs1Ooe3XiXo453Dg7w
+                              lqQoewuDzmtd6RaLNu52W44zTM1EHJES8ujP
+                              U9VazOa1KEIq1w== )
+
+   ;; Authority
+   example.       3600 IN NS  ns1.example.
+   example.       3600 IN NS  ns2.example.
+   example.       3600 IN RRSIG  NS 5 1 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
+                              m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
+                              1SH5r/wfjuCg+g== )
+
+   ;; Additional
+   xx.example.    3600 IN A   192.0.2.10
+   xx.example.    3600 IN RRSIG  A 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              XSuMVjNxovbZUsnKU6oQDygaK+WB+O5HYQG9
+                              tJgphHIX7TM4uZggfR3pNM+4jeC8nt2OxZZj
+                              cxwCXWj82GVGdw== )
+   xx.example.    3600 IN AAAA   2001:db8::f00:baaa
+   xx.example.    3600 IN RRSIG  AAAA 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              rto7afZkXYB17IfmQCT5QoEMMrlkeOoAGXzo
+                              w8Wmcg86Fc+MQP0hyXFScI1gYNSgSSoDMXIy
+                              rzKKwb8J04/ILw== )
+   ns1.example.   3600 IN A   192.0.2.1
+   ns1.example.   3600 IN RRSIG  A 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              QLGkaqWXxRuE+MHKkMvVlswg65HcyjvD1fyb
+                              BDZpcfiMHH9w4x1eRqRamtSDTcqLfUrcYkrr
+                              nWWLepz1PjjShQ== )
+   ns2.example.   3600 IN A   192.0.2.2
+   ns2.example.   3600 IN RRSIG  A 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              UoIZaC1O6XHRWGHBOl8XFQKPdYTkRCz6SYh3
+                              P2mZ3xfY22fLBCBDrEnOc8pGDGijJaLl26Cz
+                              AkeTJu3J3auUiA== )
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 28]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   The query returned an MX RRset for "x.w.example".  The corresponding
+   RRSIG RR indicates that the MX RRset was signed by an "example"
+   DNSKEY with algorithm 5 and key tag 62699.  The resolver needs the
+   corresponding DNSKEY RR in order to authenticate this answer.  The
+   discussion below describes how a resolver might obtain this DNSKEY
+   RR.
+
+   The RRSIG RR indicates the original TTL of the MX RRset was 3600,
+   and, for the purpose of authentication, the current TTL is replaced
+   by 3600.  The RRSIG RR's labels field value of 3 indicates that the
+   answer was not the result of wildcard expansion.  The "x.w.example"
+   MX RRset is placed in canonical form, and, assuming the current time
+   falls between the signature inception and expiration dates, the
+   signature is authenticated.
+
+B.1.1.  Authenticating the Example DNSKEY RRset
+
+   This example shows the logical authentication process that starts
+   from a configured root DNSKEY RRset (or DS RRset) and moves down the
+   tree to authenticate the desired "example" DNSKEY RRset.  Note that
+   the logical order is presented for clarity.  An implementation may
+   choose to construct the authentication as referrals are received or
+   to construct the authentication chain only after all RRsets have been
+   obtained, or in any other combination it sees fit.  The example here
+   demonstrates only the logical process and does not dictate any
+   implementation rules.
+
+   We assume the resolver starts with a configured DNSKEY RRset for the
+   root zone (or a configured DS RRset for the root zone).  The resolver
+   checks whether this configured DNSKEY RRset is present in the root
+   DNSKEY RRset (or whether a DS RR in the DS RRset matches some DNSKEY
+   RR in the root DNSKEY RRset), whether this DNSKEY RR has signed the
+   root DNSKEY RRset, and whether the signature lifetime is valid.  If
+   all these conditions are met, all keys in the DNSKEY RRset are
+   considered authenticated.  The resolver then uses one (or more) of
+   the root DNSKEY RRs to authenticate the "example" DS RRset.  Note
+   that the resolver may have to query the root zone to obtain the root
+   DNSKEY RRset or "example" DS RRset.
+
+   Once the DS RRset has been authenticated using the root DNSKEY, the
+   resolver checks the "example" DNSKEY RRset for some "example" DNSKEY
+   RR that matches one of the authenticated "example" DS RRs.  If such a
+   matching "example" DNSKEY is found, the resolver checks whether this
+   DNSKEY RR has signed the "example" DNSKEY RRset and the signature
+   lifetime is valid.  If these conditions are met, all keys in the
+   "example" DNSKEY RRset are considered authenticated.
+
+   Finally, the resolver checks that some DNSKEY RR in the "example"
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 29]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   DNSKEY RRset uses algorithm 5 and has a key tag of 62699.  This
+   DNSKEY is used to authenticate the RRSIG included in the response.
+   If multiple "example" DNSKEY RRs match this algorithm and key tag,
+   then each DNSKEY RR is tried, and the answer is authenticated if any
+   of the matching DNSKEY RRs validate the signature as described above.
+
+B.2.  Name Error
+
+   An authoritative name error.  The NSEC3 RRs prove that the name does
+   not exist and that no covering wildcard exists.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 30]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   ;; Header: QR AA DO RCODE=3
+   ;;
+   ;; Question
+   a.c.x.w.example.         IN A
+
+   ;; Answer
+   ;; (empty)
+
+   ;; Authority
+   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
+                              1
+                              3600
+                              300
+                              3600000
+                              3600
+                              )
+   example.       3600 IN RRSIG  SOA 5 1 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
+                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
+                              qYIt90txzE/4+g== )
+   7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 IN NSEC3  0 1 1 (
+                              deadbeaf
+                              dw4o7j64wnel3j4jh7fb3c5n7w3js2yb
+                              MX NSEC3 RRSIG )
+   7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 IN RRSIG  NSEC3 (
+                              5 2 3600 20050712112304
+                              20050612112304 62699 example.
+                              YTcqole3h8EOsTT3HKnwhR1QS8borR0XtZaA
+                              ZrLsx6n0RDC1AAdZONYOvdqvcal9PmwtWjlo
+                              MEFQmc/gEuxojA== )
+   nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 IN NSEC3  0 1 1 (
+                              deadbeaf
+                              vhgwr2qgykdkf4m6iv6vkagbxozphazr
+                              HINFO A AAAA NSEC3 RRSIG )
+   nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 IN RRSIG  NSEC3 (
+                              5 2 3600 20050712112304
+                              20050612112304 62699 example.
+                              c3zQdK68cYTHTjh1cD6pi0vblXwzyoU/m7Qx
+                              z8kaPYikbJ9vgSl9YegjZukgQSwybHUC0SYG
+                              jL33Wm1p07TBdw== )
+   ;; Additional
+   ;; (empty)
+
+   The query returned two NSEC3 RRs that prove that the requested data
+   does not exist and no wildcard applies.  The negative reply is
+   authenticated by verifying both NSEC3 RRs.  The NSEC3 RRs are
+   authenticated in a manner identical to that of the MX RRset discussed
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 31]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   above.  At least one of the owner names of the NSEC3 RRs will match
+   the closest encloser.  At least one of the NSEC3 RRs prove that there
+   exists no longer name.  At least one of the NSEC3 RRs prove that
+   there exists no wildcard RRsets that should have been expanded.  The
+   closest encloser can be found by hashing the apex ownername (The SOA
+   RR's ownername, or the ownername of the DNSKEY RRset referred by an
+   RRSIG RR), matching it to the ownername of one of the NSEC3 RRs, and
+   if that fails, continue by adding labels.  In other words, the
+   resolver first hashes example, checks for a matching NSEC3 ownername,
+   then hashes w.example, checks, and finally hashes w.x.example and
+   checks.
+
+   In the above example, the name 'x.w.example' hashes to
+   '7nomf47k3vlidh4vxahhpp47l3tgv7a2'.  This indicates that this might
+   be the closest encloser.  To prove that 'c.x.w.example' and
+   '*.x.w.example' do not exists, these names are hashed to respectively
+   'qsgoxsf2lanysajhtmaylde4tqwnqppl' and
+   'cvljzyf6nsckjowghch4tt3nohocpdka'.  The two NSEC3 records prove that
+   these hashed ownernames do not exists, since the names are within the
+   given intervals.
+
+B.3.  No Data Error
+
+   A "no data" response.  The NSEC3 RR proves that the name exists and
+   that the requested RR type does not.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 32]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   ;; Header: QR AA DO RCODE=0
+   ;;
+   ;; Question
+   ns1.example.        IN MX
+
+   ;; Answer
+   ;; (empty)
+
+   ;; Authority
+   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
+                              1
+                              3600
+                              300
+                              3600000
+                              3600
+                              )
+   example.       3600 IN RRSIG  SOA 5 1 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
+                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
+                              qYIt90txzE/4+g== )
+   wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 IN NSEC3  0 1 1 (
+                              deadbeaf
+                              zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui
+                              A NSEC3 RRSIG )
+   wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 IN RRSIG  NSEC3 (
+                              5 2 3600 20050712112304
+                              20050612112304 62699 example.
+                              ledFAaDCqDxapQ1FvBAjjK2DP06iQj8AN6gN
+                              ZycTeSmobKLTpzbgQp8uKYYe/DPHjXYmuEhd
+                              oorBv4xkb0flXw== )
+   ;; Additional
+   ;; (empty)
+
+   The query returned an NSEC3 RR that proves that the requested name
+   exists ("ns1.example." hashes to "wbyijvpnyj33pcpi3i44ecnibnaj7eiw"),
+   but the requested RR type does not exist (type MX is absent in the
+   type code list of the NSEC RR).  The negative reply is authenticated
+   by verifying the NSEC3 RR.  The NSEC3 RR is authenticated in a manner
+   identical to that of the MX RRset discussed above.
+
+B.3.1.  No Data Error, Empty Non-Terminal
+
+   A "no data" response because of an empty non-terminal.  The NSEC3 RR
+   proves that the name exists and that the requested RR type does not.
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 33]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   ;; Header: QR AA DO RCODE=0
+   ;;
+   ;; Question
+   y.w.example.        IN A
+
+   ;; Answer
+   ;; (empty)
+
+   ;; Authority
+   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
+                              1
+                              3600
+                              300
+                              3600000
+                              3600
+                              )
+   example.       3600 IN RRSIG  SOA 5 1 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
+                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
+                              qYIt90txzE/4+g== )
+   jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 IN NSEC3  0 1 1 (
+                              deadbeaf
+                              kcll7fqfnisuhfekckeeqnmbbd4maanu
+                              NSEC3 RRSIG )
+   jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 IN RRSIG  NSEC3 (
+                              5 2 3600 20050712112304
+                              20050612112304 62699 example.
+                              FXyCVQUdFF1EW1NcgD2V724/It0rn3lr+30V
+                              IyjmqwOMvQ4G599InTpiH46xhX3U/FmUzHOK
+                              94Zbq3k8lgdpZA== )
+
+   The query returned an NSEC3 RR that proves that the requested name
+   exists ("y.w.example." hashes to "jt4bbfokgbmr57qx4nqucvvn7fmo6ab6"),
+   but the requested RR type does not exist (Type A is absent in the
+   type-bit-maps of the NSEC3 RR).  The negative reply is authenticated
+   by verifying the NSEC3 RR.  The NSEC3 RR is authenticated in a manner
+   identical to that of the MX RRset discussed above.  Note that, unlike
+   generic empty non terminal proof using NSECs, this is identical to
+   proving a No Data Error.  This example is solely mentioned to be
+   complete.
+
+B.4.  Referral to Signed Zone
+
+   Referral to a signed zone.  The DS RR contains the data which the
+   resolver will need to validate the corresponding DNSKEY RR in the
+   child zone's apex.
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 34]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   ;; Header: QR DO RCODE=0
+   ;;
+
+   ;; Question
+   mc.a.example.       IN MX
+
+   ;; Answer
+   ;; (empty)
+
+   ;; Authority
+   a.example.     3600 IN NS  ns1.a.example.
+   a.example.     3600 IN NS  ns2.a.example.
+   a.example.     3600 IN DS  58470 5 1 (
+                              3079F1593EBAD6DC121E202A8B766A6A4837
+                              206C )
+   a.example.     3600 IN RRSIG  DS 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              QavhbsSmEvJLSUzGoTpsV3SKXCpaL1UO3Ehn
+                              cB0ObBIlex/Zs9kJyG/9uW1cYYt/1wvgzmX2
+                              0kx7rGKTc3RQDA== )
+
+   ;; Additional
+   ns1.a.example. 3600 IN A   192.0.2.5
+   ns2.a.example. 3600 IN A   192.0.2.6
+
+   The query returned a referral to the signed "a.example." zone.  The
+   DS RR is authenticated in a manner identical to that of the MX RRset
+   discussed above.  This DS RR is used to authenticate the "a.example"
+   DNSKEY RRset.
+
+   Once the "a.example" DS RRset has been authenticated using the
+   "example" DNSKEY, the resolver checks the "a.example" DNSKEY RRset
+   for some "a.example" DNSKEY RR that matches the DS RR.  If such a
+   matching "a.example" DNSKEY is found, the resolver checks whether
+   this DNSKEY RR has signed the "a.example" DNSKEY RRset and whether
+   the signature lifetime is valid.  If all these conditions are met,
+   all keys in the "a.example" DNSKEY RRset are considered
+   authenticated.
+
+B.5.  Referral to Unsigned Zone using the Opt-In Flag
+
+   The NSEC3 RR proves that nothing for this delegation was signed in
+   the parent zone.  There is no proof that the delegation exists
+
+
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 35]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   ;; Header: QR DO RCODE=0
+   ;;
+   ;; Question
+   mc.b.example.       IN MX
+
+   ;; Answer
+   ;; (empty)
+
+   ;; Authority
+   b.example.     3600 IN NS  ns1.b.example.
+   b.example.     3600 IN NS  ns2.b.example.
+   kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 IN NSEC3  1 1 1 (
+                              deadbeaf
+                              n42hbhnjj333xdxeybycax5ufvntux5d
+                              MX NSEC3 RRSIG )
+   kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 IN RRSIG  NSEC3 (
+                              5 2 3600 20050712112304
+                              20050612112304 62699 example.
+                              d0g8MTOvVwByOAIwvYV9JrTHwJof1VhnMKuA
+                              IBj6Xaeney86RBZYgg7Qyt9WnQSK3uCEeNpx
+                              TOLtc5jPrkL4zQ== )
+
+   ;; Additional
+   ns1.b.example. 3600 IN A   192.0.2.7
+   ns2.b.example. 3600 IN A   192.0.2.8
+
+   The query returned a referral to the unsigned "b.example." zone.  The
+   NSEC3 proves that no authentication leads from "example" to
+   "b.example", since the hash of "b.example"
+   ("ldjpfcucebeks5azmzpty4qlel4cftzo") is within the NSEC3 interval and
+   the NSEC3 opt-in bit is set.  The NSEC3 RR is authenticated in a
+   manner identical to that of the MX RRset discussed above.
+
+B.6.  Wildcard Expansion
+
+   A successful query that was answered via wildcard expansion.  The
+   label count in the answer's RRSIG RR indicates that a wildcard RRset
+   was expanded to produce this response, and the NSEC3 RR proves that
+   no closer match exists in the zone.
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 36]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   ;; Header: QR AA DO RCODE=0
+   ;;
+   ;; Question
+   a.z.w.example.      IN MX
+
+   ;; Answer
+   a.z.w.example. 3600 IN MX  1 ai.example.
+   a.z.w.example. 3600 IN RRSIG  MX 5 3 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              sYNUPHn1/gJ87wTHNksGdRm3vfnSFa2BbofF
+                              xGfJLF5A4deRu5f0hvxhAFDCcXfIASj7z0wQ
+                              gQlgxEwhvQDEaQ== )
+   ;; Authority
+   example.       3600 NS     ns1.example.
+   example.       3600 NS     ns2.example.
+   example.       3600 IN RRSIG  NS 5 1 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
+                              m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
+                              1SH5r/wfjuCg+g== )
+   zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN NSEC3  0 1 1 (
+                              deadbeaf
+                              5pe7ctl7pfs2cilroy5dcofx4rcnlypd
+                              MX NSEC3 RRSIG )
+   zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN RRSIG  NSEC3 (
+                              5 2 3600 20050712112304
+                              20050612112304 62699 example.
+                              eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
+                              7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
+                              OcFlrPGPMm48/A== )
+   ;; Additional
+   ai.example.    3600 IN A   192.0.2.9
+   ai.example.    3600 IN RRSIG  A 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              plY5M26ED3Owe3YX0pBIhgg44j89NxUaoBrU
+                              6bLRr99HpKfFl1sIy18JiRS7evlxCETZgubq
+                              ZXW5S+1VjMZYzQ== )
+   ai.example.    3600 AAAA   2001:db8::f00:baa9
+   ai.example.    3600 IN RRSIG  AAAA 5 2 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              PNF/t7+DeosEjhfuL0kmsNJvn16qhYyLI9FV
+                              ypSCorFx/PKIlEL3syomkYM2zcXVSRwUXMns
+                              l5/UqLCJJ9BDMg== )
+
+   The query returned an answer that was produced as a result of
+   wildcard expansion.  The answer section contains a wildcard RRset
+   expanded as it would be in a traditional DNS response, and the
+   corresponding RRSIG indicates that the expanded wildcard MX RRset was
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 37]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   signed by an "example" DNSKEY with algorithm 5 and key tag 62699.
+   The RRSIG indicates that the original TTL of the MX RRset was 3600,
+   and, for the purpose of authentication, the current TTL is replaced
+   by 3600.  The RRSIG labels field value of 2 indicates that the answer
+   is the result of wildcard expansion, as the "a.z.w.example" name
+   contains 4 labels.  The name "a.z.w.example" is replaced by
+   "*.w.example", the MX RRset is placed in canonical form, and,
+   assuming that the current time falls between the signature inception
+   and expiration dates, the signature is authenticated.
+
+   The NSEC3 proves that no closer match (exact or closer wildcard)
+   could have been used to answer this query, and the NSEC3 RR must also
+   be authenticated before the answer is considered valid.
+
+B.7.  Wildcard No Data Error
+
+   A "no data" response for a name covered by a wildcard.  The NSEC3 RRs
+   prove that the matching wildcard name does not have any RRs of the
+   requested type and that no closer match exists in the zone.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 38]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   ;; Header: QR AA DO RCODE=0
+   ;;
+   ;; Question
+   a.z.w.example.      IN AAAA
+
+   ;; Answer
+   ;; (empty)
+
+   ;; Authority
+   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
+                              1
+                              3600
+                              300
+                              3600000
+                              3600
+                              )
+   example.       3600 IN RRSIG  SOA 5 1 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
+                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
+                              qYIt90txzE/4+g== )
+   zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN NSEC3  0 1 1 (
+                              deadbeaf
+                              5pe7ctl7pfs2cilroy5dcofx4rcnlypd
+                              MX NSEC3 RRSIG )
+   zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN RRSIG  NSEC3 (
+                              5 2 3600 20050712112304
+                              20050612112304 62699 example.
+                              eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
+                              7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
+                              OcFlrPGPMm48/A== )
+   ;; Additional
+   ;; (empty)
+
+   The query returned NSEC3 RRs that prove that the requested data does
+   not exist and no wildcard applies.  The negative reply is
+   authenticated by verifying both NSEC3 RRs.
+
+B.8.  DS Child Zone No Data Error
+
+   A "no data" response for a QTYPE=DS query that was mistakenly sent to
+   a name server for the child zone.
+
+
+
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 39]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   ;; Header: QR AA DO RCODE=0
+   ;;
+   ;; Question
+   example.            IN DS
+
+   ;; Answer
+   ;; (empty)
+
+   ;; Authority
+   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
+                              1
+                              3600
+                              300
+                              3600000
+                              3600
+                              )
+   example.       3600 IN RRSIG  SOA 5 1 3600 20050712112304 (
+                              20050612112304 62699 example.
+                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
+                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
+                              qYIt90txzE/4+g== )
+   dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 IN NSEC3  0 1 1 (
+                              deadbeaf
+                              gmnfcccja7wkax3iv26bs75myptje3qk
+                              MX DNSKEY NS SOA NSEC3 RRSIG )
+   dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 IN RRSIG  NSEC3 (
+                              5 2 3600 20050712112304
+                              20050612112304 62699 example.
+                              VqEbXiZLJVYmo25fmO3IuHkAX155y8NuA50D
+                              C0NmJV/D4R3rLm6tsL6HB3a3f6IBw6kKEa2R
+                              MOiKMSHozVebqw== )
+
+   ;; Additional
+   ;; (empty)
+
+   The query returned NSEC RRs that shows the requested was answered by
+   a child server ("example" server).  The NSEC RR indicates the
+   presence of an SOA RR, showing that the answer is from the child .
+   Queries for the "example" DS RRset should be sent to the parent
+   servers ("root" servers).
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 40]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+Authors' Addresses
+
+   Ben Laurie
+   Nominet
+   17 Perryn Road
+   London  W3 7LR
+   England
+
+   Phone: +44 (20) 8735 0686
+   Email: ben@algroup.co.uk
+
+
+   Geoffrey Sisson
+   Nominet
+
+
+   Roy Arends
+   Nominet
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 41]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+   Copyright (C) The Internet Society (2006).  This document is subject
+   to the rights, licenses and restrictions contained in BCP 78, and
+   except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 42]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-nsid-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-nsid-01.txt
new file mode 100644
index 0000000..90d1a06
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-nsid-01.txt
@@ -0,0 +1,840 @@
+
+
+
+Network Working Group                                         R. Austein
+Internet-Draft                                                       ISC
+Expires: July 15, 2006                                  January 11, 2006
+
+
+                DNS Name Server Identifier Option (NSID)
+                       draft-ietf-dnsext-nsid-01
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on July 15, 2006.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   With the increased use of DNS anycast, load balancing, and other
+   mechanisms allowing more than one DNS name server to share a single
+   IP address, it is sometimes difficult to tell which of a pool of name
+   servers has answered a particular query.  While existing ad-hoc
+   mechanism allow an operator to send follow-up queries when it is
+   necessary to debug such a configuration, the only completely reliable
+   way to obtain the identity of the name server which responded is to
+   have the name server include this information in the response itself.
+   This note defines a protocol extension to support this functionality.
+
+
+
+Austein                   Expires July 15, 2006                 [Page 1]
+
+Internet-Draft                  DNS NSID                    January 2006
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
+     1.1.  Reserved Words . . . . . . . . . . . . . . . . . . . . . .  3
+   2.  Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
+     2.1.  Resolver Behavior  . . . . . . . . . . . . . . . . . . . .  4
+     2.2.  Name Server Behavior . . . . . . . . . . . . . . . . . . .  4
+     2.3.  The NSID Option  . . . . . . . . . . . . . . . . . . . . .  4
+     2.4.  Presentation Format  . . . . . . . . . . . . . . . . . . .  5
+   3.  Discussion . . . . . . . . . . . . . . . . . . . . . . . . . .  6
+     3.1.  The NSID Payload . . . . . . . . . . . . . . . . . . . . .  6
+     3.2.  NSID Is Not Transitive . . . . . . . . . . . . . . . . . .  8
+     3.3.  User Interface Issues  . . . . . . . . . . . . . . . . . .  8
+     3.4.  Truncation . . . . . . . . . . . . . . . . . . . . . . . .  9
+   4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10
+   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
+   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
+   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
+     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 13
+     7.2.  Informative References . . . . . . . . . . . . . . . . . . 13
+   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14
+   Intellectual Property and Copyright Statements . . . . . . . . . . 15
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein                   Expires July 15, 2006                 [Page 2]
+
+Internet-Draft                  DNS NSID                    January 2006
+
+
+1.  Introduction
+
+   With the increased use of DNS anycast, load balancing, and other
+   mechanisms allowing more than one DNS name server to share a single
+   IP address, it is sometimes difficult to tell which of a pool of name
+   servers has answered a particular query.
+
+   Existing ad-hoc mechanisms allow an operator to send follow-up
+   queries when it is necessary to debug such a configuration, but there
+   are situations in which this is not a totally satisfactory solution,
+   since anycast routing may have changed, or the server pool in
+   question may be behind some kind of extremely dynamic load balancing
+   hardware.  Thus, while these ad-hoc mechanisms are certainly better
+   than nothing (and have the advantage of already being deployed), a
+   better solution seems desirable.
+
+   Given that a DNS query is an idempotent operation with no retained
+   state, it would appear that the only completely reliable way to
+   obtain the identity of the name server which responded to a
+   particular query is to have that name server include identifying
+   information in the response itself.  This note defines a protocol
+   enhancement to achieve this.
+
+1.1.  Reserved Words
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein                   Expires July 15, 2006                 [Page 3]
+
+Internet-Draft                  DNS NSID                    January 2006
+
+
+2.  Protocol
+
+   This note uses an EDNS [RFC2671] option to signal the resolver's
+   desire for information identifying the name server and to hold the
+   name server's response, if any.
+
+2.1.  Resolver Behavior
+
+   A resolver signals its desire for information identifying a name
+   server by sending an empty NSID option (Section 2.3) in an EDNS OPT
+   pseudo-RR in the query message.
+
+   The resolver MUST NOT include any NSID payload data in the query
+   message.
+
+   The semantics of an NSID request are not transitive.  That is: the
+   presence of an NSID option in a query is a request that the name
+   server which receives the query identify itself.  If the name server
+   side of a recursive name server receives an NSID request, the client
+   is asking the recursive name server to identify itself; if the
+   resolver side of the recursive name server wishes to receive
+   identifying information, it is free to add NSID requests in its own
+   queries, but that is a separate matter.
+
+2.2.  Name Server Behavior
+
+   A name server which understands the NSID option and chooses to honor
+   a particular NSID request responds by including identifying
+   information in a NSID option (Section 2.3) in an EDNS OPT pseudo-RR
+   in the response message.
+
+   The name server MUST ignore any NSID payload data that might be
+   present in the query message.
+
+   The NSID option is not transitive.  A name server MUST NOT send an
+   NSID option back to a resolver which did not request it.  In
+   particular, while a recursive name server may choose to add an NSID
+   option when sending a query, this has no effect on the presence or
+   absence of the NSID option in the recursive name server's response to
+   the original client.
+
+   As stated in Section 2.1, this mechanism is not restricted to
+   authoritative name servers; the semantics are intended to be equally
+   applicable to recursive name servers.
+
+2.3.  The NSID Option
+
+   The OPTION-CODE for the NSID option is [TBD].
+
+
+
+Austein                   Expires July 15, 2006                 [Page 4]
+
+Internet-Draft                  DNS NSID                    January 2006
+
+
+   The OPTION-DATA for the NSID option is an opaque byte string the
+   semantics of which are deliberately left outside the protocol.  See
+   Section 3.1 for discussion.
+
+2.4.  Presentation Format
+
+   User interfaces MUST read and write the content of the NSID option as
+   a sequence of hexadecimal digits, two digits per payload octet.
+
+   The NSID payload is binary data.  Any comparison between NSID
+   payloads MUST be a comparison of the raw binary data.  Copy
+   operations MUST NOT assume that the raw NSID payload is null-
+   terminated.  Any resemblance between raw NSID payload data and any
+   form of text is purely a convenience, and does not change the
+   underlying nature of the payload data.
+
+   See Section 3.3 for discussion.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein                   Expires July 15, 2006                 [Page 5]
+
+Internet-Draft                  DNS NSID                    January 2006
+
+
+3.  Discussion
+
+   This section discusses certain aspects of the protocol and explains
+   considerations that led to the chosen design.
+
+3.1.  The NSID Payload
+
+   The syntax and semantics of the content of the NSID option is
+   deliberately left outside the scope of this specification.  This
+   section describe some of the kinds of data that server administrators
+   might choose to provide as the content of the NSID option, and
+   explains the reasoning behind choosing a simple opaque byte string.
+
+   There are several possibilities for the payload of the NSID option:
+
+   o  It could be the "real" name of the specific name server within the
+      name server pool.
+
+   o  It could be the "real" IP address (IPv4 or IPv6) of the name
+      server within the name server pool.
+
+   o  It could be some sort of pseudo-random number generated in a
+      predictable fashion somehow using the server's IP address or name
+      as a seed value.
+
+   o  It could be some sort of probabilisticly unique identifier
+      initially derived from some sort of random number generator then
+      preserved across reboots of the name server.
+
+   o  It could be some sort of dynamicly generated identifier so that
+      only the name server operator could tell whether or not any two
+      queries had been answered by the same server.
+
+   o  It could be a blob of signed data, with a corresponding key which
+      might (or might not) be available via DNS lookups.
+
+   o  It could be a blob of encrypted data, the key for which could be
+      restricted to parties with a need to know (in the opinion of the
+      server operator).
+
+   o  It could be an arbitrary string of octets chosen at the discretion
+      of the name server operator.
+
+   Each of these options has advantages and disadvantages:
+
+   o  Using the "real" name is simple, but the name server may not have
+      a "real" name.
+
+
+
+
+Austein                   Expires July 15, 2006                 [Page 6]
+
+Internet-Draft                  DNS NSID                    January 2006
+
+
+   o  Using the "real" address is also simple, and the name server
+      almost certainly does have at least one non-anycast IP address for
+      maintenance operations, but the operator of the name server may
+      not be willing to divulge its non-anycast address.
+
+   o  Given that one common reason for using anycast DNS techniques is
+      an attempt to harden a critical name server against denial of
+      service attacks, some name server operators are likely to want an
+      identifier other than the "real" name or "real" address of the
+      name server instance.
+
+   o  Using a hash or pseudo-random number can provide a fixed length
+      value that the resolver can use to tell two name servers apart
+      without necessarily being able to tell where either one of them
+      "really" is, but makes debugging more difficult if one happens to
+      be in a friendly open environment.  Furthermore, hashing might not
+      add much value, since a hash based on an IPv4 address still only
+      involves a 32-bit search space, and DNS names used for servers
+      that operators might have to debug at 4am tend not to be very
+      random.
+
+   o  Probabilisticly unique identifiers have similar properties to
+      hashed identifiers, but (given a sufficiently good random number
+      generator) are immune to the search space issues.  However, the
+      strength of this approach is also its weakness: there is no
+      algorithmic transformation by which even the server operator can
+      associate name server instances with identifiers while debugging,
+      which might be annoying.  This approach also requires the name
+      server instance to preserve the probabilisticly unique identifier
+      across reboots, but this does not appear to be a serious
+      restriction, since authoritative nameservers almost always have
+      some form of nonvolatile storage in any case, and in the rare case
+      of a name server that does not have any way to store such an
+      identifier, nothing terrible will happen if the name server just
+      generates a new identifier every time it reboots.
+
+   o  Using an arbitrary octet string gives name server operators yet
+      another thing to configure, or mis-configure, or forget to
+      configure.  Having all the nodes in an anycast name server
+      constellation identify themselves as "My Name Server" would not be
+      particularly useful.
+
+   Given all of the issues listed above, there does not appear to be a
+   single solution that will meet all needs.  Section 2.3 therefore
+   defines the NSID payload to be an opaque byte string and leaves the
+   choice up to the implementor and name server operator.  The following
+   guidelines may be useful to implementors and server operators:
+
+
+
+
+Austein                   Expires July 15, 2006                 [Page 7]
+
+Internet-Draft                  DNS NSID                    January 2006
+
+
+   o  Operators for whom divulging the unicast address is an issue could
+      use the raw binary representation of a probabilisticly unique
+      random number.  This should probably be the default implementation
+      behavior.
+
+   o  Operators for whom divulging the unicast address is not an issue
+      could just use the raw binary representation of a unicast address
+      for simplicity.  This should only be done via an explicit
+      configuration choice by the operator.
+
+   o  Operators who really need or want the ability to set the NSID
+      payload to an arbitrary value could do so, but this should only be
+      done via an explicit configuration choice by the operator.
+
+   This approach appears to provide enough information for useful
+   debugging without unintentionally leaking the maintenance addresses
+   of anycast name servers to nogoodniks, while also allowing name
+   server operators who do not find such leakage threatening to provide
+   more information at their own discretion.
+
+3.2.  NSID Is Not Transitive
+
+   As specified in Section 2.1 and Section 2.2, the NSID option is not
+   transitive.  This is strictly a hop-by-hop mechanism.
+
+   Most of the discussion of name server identification to date has
+   focused on identifying authoritative name servers, since the best
+   known cases of anycast name servers are a subset of the name servers
+   for the root zone.  However, given that anycast DNS techniques are
+   also applicable to recursive name servers, the mechanism may also be
+   useful with recursive name servers.  The hop-by-hop semantics support
+   this.
+
+   While there might be some utility in having a transitive variant of
+   this mechanism (so that, for example, a stub resolver could ask a
+   recursive server to tell it which authoritative name server provided
+   a particular answer to the recursive name server), the semantics of
+   such a variant would be more complicated, and are left for future
+   work.
+
+3.3.  User Interface Issues
+
+   Given the range of possible payload contents described in
+   Section 3.1, it is not possible to define a single presentation
+   format for the NSID payload that is efficient, convenient,
+   unambiguous, and aesthetically pleasing.  In particular, while it is
+   tempting to use a presentation format that uses some form of textual
+   strings, attempting to support this would significantly complicate
+
+
+
+Austein                   Expires July 15, 2006                 [Page 8]
+
+Internet-Draft                  DNS NSID                    January 2006
+
+
+   what's intended to be a very simple debugging mechanism.
+
+   In some cases the content of the NSID payload may be binary data
+   meaningful only to the name server operator, and may not be
+   meaningful to the user or application, but the user or application
+   must be able to capture the entire content anyway in order for it to
+   be useful.  Thus, the presentation format must support arbitrary
+   binary data.
+
+   In cases where the name server operator derives the NSID payload from
+   textual data, a textual form such as US-ASCII or UTF-8 strings might
+   at first glance seem easier for a user to deal with.  There are,
+   however, a number of complex issues involving internationalized text
+   which, if fully addressed here, would require a set of rules
+   significantly longer than the rest of this specification.  See
+   [RFC2277] for an overview of some of these issues.
+
+   It is much more important for the NSID payload data to be passed
+   unambiguously from server administrator to user and back again than
+   it is for the payload data data to be pretty while in transit.  In
+   particular, it's critical that it be straightforward for a user to
+   cut and paste an exact copy of the NSID payload output by a debugging
+   tool into other formats such as email messages or web forms without
+   distortion.  Hexadecimal strings, while ugly, are also robust.
+
+3.4.  Truncation
+
+   In some cases, adding the NSID option to a response message may
+   trigger message truncation.  This specification does not change the
+   rules for DNS message truncation in any way, but implementors will
+   need to pay attention to this issue.
+
+   Including the NSID option in a response is always optional, so this
+   specification never requires name servers to truncate response
+   messages.
+
+   By definition, a resolver that requests NSID responses also supports
+   EDNS, so a resolver that requests NSID responses can also use the
+   "sender's UDP payload size" field of the OPT pseudo-RR to signal a
+   receive buffer size large enough to make truncation unlikely.
+
+
+
+
+
+
+
+
+
+
+
+Austein                   Expires July 15, 2006                 [Page 9]
+
+Internet-Draft                  DNS NSID                    January 2006
+
+
+4.  IANA Considerations
+
+   This mechanism requires allocation of one ENDS option code for the
+   NSID option (Section 2.3).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein                   Expires July 15, 2006                [Page 10]
+
+Internet-Draft                  DNS NSID                    January 2006
+
+
+5.  Security Considerations
+
+   This document describes a channel signaling mechanism, intended
+   primarily for debugging.  Channel signaling mechanisms are outside
+   the scope of DNSSEC per se.  Applications that require integrity
+   protection for the data being signaled will need to use a channel
+   security mechanism such as TSIG [RFC2845].
+
+   Section 3.1 discusses a number of different kinds of information that
+   a name server operator might choose to provide as the value of the
+   NSID option.  Some of these kinds of information are security
+   sensitive in some environments.  This specification deliberately
+   leaves the syntax and semantics of the NSID option content up to the
+   implementation and the name server operator.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein                   Expires July 15, 2006                [Page 11]
+
+Internet-Draft                  DNS NSID                    January 2006
+
+
+6.  Acknowledgements
+
+   Joe Abley, Harald Alvestrand, Mark Andrews, Roy Arends, Steve
+   Bellovin, Randy Bush, David Conrad, Johan Ihren, Daniel Karrenberg,
+   Peter Koch, Mike Patton, Mike StJohns, Paul Vixie, Sam Weiler, and
+   Suzanne Woolf.  Apologies to anyone inadvertently omitted from the
+   above list.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein                   Expires July 15, 2006                [Page 12]
+
+Internet-Draft                  DNS NSID                    January 2006
+
+
+7.  References
+
+7.1.  Normative References
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", RFC 2119, BCP 14, March 1997.
+
+   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
+              RFC 2671, August 1999.
+
+   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
+              Wellington, "Secret Key Transaction Authentication for DNS
+              (TSIG)", RFC 2845, May 2000.
+
+7.2.  Informative References
+
+   [RFC2277]  Alvestrand, H., "IETF Policy on Character Sets and
+              Languages", RFC 2277, BCP 18, January 1998.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein                   Expires July 15, 2006                [Page 13]
+
+Internet-Draft                  DNS NSID                    January 2006
+
+
+Author's Address
+
+   Rob Austein
+   ISC
+   950 Charter Street
+   Redwood City, CA  94063
+   USA
+
+   Email: sra@isc.org
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein                   Expires July 15, 2006                [Page 14]
+
+Internet-Draft                  DNS NSID                    January 2006
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+   Copyright (C) The Internet Society (2006).  This document is subject
+   to the rights, licenses and restrictions contained in BCP 78, and
+   except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+Austein                   Expires July 15, 2006                [Page 15]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt
index b5aaad2..a598826 100644
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt
@@ -1380,7 +1380,7 @@ Appendix B.  Document History
    to the RFC editor.
 
 
-   The version you are reading is tagged as $Revision: 1.1.232.1 $.
+   The version you are reading is tagged as $Revision: 1.1.230.1 $.
 
 
    Text between square brackets, other than references, are editorial
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-timers-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-timers-02.txt
new file mode 100644
index 0000000..7cb9063
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-timers-02.txt
@@ -0,0 +1,730 @@
+
+
+
+
+Network Working Group                                         M. StJohns
+Internet-Draft                                             Nominum, Inc.
+Expires: July 14, 2006                                  January 10, 2006
+
+
+               Automated Updates of DNSSEC Trust Anchors
+                draft-ietf-dnsext-trustupdate-timers-02
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on July 14, 2006.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   This document describes a means for automated, authenticated and
+   authorized updating of DNSSEC "trust anchors".  The method provides
+   protection against single key compromise of a key in the trust point
+   key set.  Based on the trust established by the presence of a current
+   anchor, other anchors may be added at the same place in the
+   hierarchy, and, ultimately, supplant the existing anchor.
+
+   This mechanism, if adopted, will require changes to resolver
+   management behavior (but not resolver resolution behavior), and the
+
+
+
+StJohns                   Expires July 14, 2006                 [Page 1]
+
+Internet-Draft             trustanchor-update               January 2006
+
+
+   addition of a single flag bit to the DNSKEY record.
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
+     1.1.  Compliance Nomenclature  . . . . . . . . . . . . . . . . .  3
+     1.2.  Changes since -00  . . . . . . . . . . . . . . . . . . . .  3
+   2.  Theory of Operation  . . . . . . . . . . . . . . . . . . . . .  4
+     2.1.  Revocation . . . . . . . . . . . . . . . . . . . . . . . .  4
+     2.2.  Add Hold-Down  . . . . . . . . . . . . . . . . . . . . . .  5
+     2.3.  Remove Hold-down . . . . . . . . . . . . . . . . . . . . .  5
+     2.4.  Active Refresh . . . . . . . . . . . . . . . . . . . . . .  6
+     2.5.  Resolver Parameters  . . . . . . . . . . . . . . . . . . .  6
+       2.5.1.  Add Hold-Down Time . . . . . . . . . . . . . . . . . .  6
+       2.5.2.  Remove Hold-Down Time  . . . . . . . . . . . . . . . .  6
+       2.5.3.  Minimum Trust Anchors per Trust Point  . . . . . . . .  6
+   3.  Changes to DNSKEY RDATA Wire Format  . . . . . . . . . . . . .  6
+   4.  State Table  . . . . . . . . . . . . . . . . . . . . . . . . .  7
+     4.1.  Events . . . . . . . . . . . . . . . . . . . . . . . . . .  7
+     4.2.  States . . . . . . . . . . . . . . . . . . . . . . . . . .  8
+     4.3.  Trust Point Deletion . . . . . . . . . . . . . . . . . . .  8
+   5.  Scenarios  . . . . . . . . . . . . . . . . . . . . . . . . . .  8
+     5.1.  Adding A Trust Anchor  . . . . . . . . . . . . . . . . . .  9
+     5.2.  Deleting a Trust Anchor  . . . . . . . . . . . . . . . . .  9
+     5.3.  Key Roll-Over  . . . . . . . . . . . . . . . . . . . . . .  9
+     5.4.  Active Key Compromised . . . . . . . . . . . . . . . . . .  9
+     5.5.  Stand-by Key Compromised . . . . . . . . . . . . . . . . . 10
+   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10
+   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
+     7.1.  Key Ownership vs Acceptance Policy . . . . . . . . . . . . 10
+     7.2.  Multiple Key Compromise  . . . . . . . . . . . . . . . . . 10
+     7.3.  Dynamic Updates  . . . . . . . . . . . . . . . . . . . . . 11
+   8.  Normative References . . . . . . . . . . . . . . . . . . . . . 11
+   Editorial Comments . . . . . . . . . . . . . . . . . . . . . . . .
+   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12
+   Intellectual Property and Copyright Statements . . . . . . . . . . 13
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+StJohns                   Expires July 14, 2006                 [Page 2]
+
+Internet-Draft             trustanchor-update               January 2006
+
+
+1.  Introduction
+
+   As part of the reality of fielding DNSSEC (Domain Name System
+   Security Extensions) [RFC2535] [RFC4033][RFC4034][RFC4035], the
+   community has come to the realization that there will not be one
+   signed name space, but rather islands of signed name space each
+   originating from specific points (i.e. 'trust points') in the DNS
+   tree.  Each of those islands will be identified by the trust point
+   name, and validated by at least one associated public key.  For the
+   purpose of this document we'll call the association of that name and
+   a particular key a 'trust anchor'.  A particular trust point can have
+   more than one key designated as a trust anchor.
+
+   For a DNSSEC-aware resolver to validate information in a DNSSEC
+   protected branch of the hierarchy, it must have knowledge of a trust
+   anchor applicable to that branch.  It may also have more than one
+   trust anchor for any given trust point.  Under current rules, a chain
+   of trust for DNSSEC-protected data that chains its way back to ANY
+   known trust anchor is considered 'secure'.
+
+   Because of the probable balkanization of the DNSSEC tree due to
+   signing voids at key locations, a resolver may need to know literally
+   thousands of trust anchors to perform its duties. (e.g.  Consider an
+   unsigned ".COM".)  Requiring the owner of the resolver to manually
+   manage this many relationships is problematic.  It's even more
+   problematic when considering the eventual requirement for key
+   replacement/update for a given trust anchor.  The mechanism described
+   herein won't help with the initial configuration of the trust anchors
+   in the resolvers, but should make trust point key replacement/
+   rollover more viable.
+
+   As mentioned above, this document describes a mechanism whereby a
+   resolver can update the trust anchors for a given trust point, mainly
+   without human intervention at the resolver.  There are some corner
+   cases discussed (e.g. multiple key compromise) that may require
+   manual intervention, but they should be few and far between.  This
+   document DOES NOT discuss the general problem of the initial
+   configuration of trust anchors for the resolver.
+
+1.1.  Compliance Nomenclature
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in BCP 14, [RFC2119].
+
+1.2.  Changes since -00
+
+   Added the concept of timer triggered resolver queries to refresh the
+
+
+
+StJohns                   Expires July 14, 2006                 [Page 3]
+
+Internet-Draft             trustanchor-update               January 2006
+
+
+   resolvers view of the trust anchor key RRSet.
+
+   Re-submitted expired draft as -01.  Updated DNSSEC RFC References.
+
+   Draft -02.  Added the IANA Considerations section.  Added text to
+   describe what happens if all trust anchors at a trust point are
+   deleted.
+
+
+2.  Theory of Operation
+
+   The general concept of this mechanism is that existing trust anchors
+   can be used to authenticate new trust anchors at the same point in
+   the DNS hierarchy.  When a new SEP key is added to a trust point
+   DNSKEY RRSet, and when that RRSet is validated by an existing trust
+   anchor, then the new key can be added to the set of trust anchors.
+
+   There are some issues with this approach which need to be mitigated.
+   For example, a compromise of one of the existing keys could allow an
+   attacker to add their own 'valid' data.  This implies a need for a
+   method to revoke an existing key regardless of whether or not that
+   key is compromised.  As another example assuming a single key
+   compromise, an attacker could add a new key and revoke all the other
+   old keys.
+
+2.1.  Revocation
+
+   Assume two trust anchor keys A and B. Assume that B has been
+   compromised.  Without a specific revocation bit, B could invalidate A
+   simply by sending out a signed trust point key set which didn't
+   contain A. To fix this, we add a mechanism which requires knowledge
+   of the private key of a DNSKEY to revoke that DNSKEY.
+
+   A key is considered revoked when the resolver sees the key in a self-
+   signed RRSet and the key has the REVOKE bit (see Section 6 below) set
+   to '1'.  Once the resolver sees the REVOKE bit, it MUST NOT use this
+   key as a trust anchor or for any other purposes except validating the
+   RRSIG over the DNSKEY RRSet specifically for the purpose of
+   validating the revocation.  Unlike the 'Add' operation below,
+   revocation is immediate and permanent upon receipt of a valid
+   revocation at the resolver.
+
+   N.B. A DNSKEY with the REVOKE bit set has a different fingerprint
+   than one without the bit set.  This affects the matching of a DNSKEY
+   to DS records in the parent, or the fingerprint stored at a resolver
+   used to configure a trust point. [msj3]
+
+   In the given example, the attacker could revoke B because it has
+
+
+
+StJohns                   Expires July 14, 2006                 [Page 4]
+
+Internet-Draft             trustanchor-update               January 2006
+
+
+   knowledge of B's private key, but could not revoke A.
+
+2.2.  Add Hold-Down
+
+   Assume two trust point keys A and B. Assume that B has been
+   compromised.  An attacker could generate and add a new trust anchor
+   key - C (by adding C to the DNSKEY RRSet and signing it with B), and
+   then invalidate the compromised key.  This would result in the both
+   the attacker and owner being able to sign data in the zone and have
+   it accepted as valid by resolvers.
+
+   To mitigate, but not completely solve, this problem, we add a hold-
+   down time to the addition of the trust anchor.  When the resolver
+   sees a new SEP key in a validated trust point DNSKEY RRSet, the
+   resolver starts an acceptance timer, and remembers all the keys that
+   validated the RRSet.  If the resolver ever sees the DNSKEY RRSet
+   without the new key but validly signed, it stops the acceptance
+   process and resets the acceptance timer.  If all of the keys which
+   were originally used to validate this key are revoked prior to the
+   timer expiring, the resolver stops the acceptance process and resets
+   the timer.
+
+   Once the timer expires, the new key will be added as a trust anchor
+   the next time the validated RRSet with the new key is seen at the
+   resolver.  The resolver MUST NOT treat the new key as a trust anchor
+   until the hold down time expires AND it has retrieved and validated a
+   DNSKEY RRSet after the hold down time which contains the new key.
+
+   N.B.: Once the resolver has accepted a key as a trust anchor, the key
+   MUST be considered a valid trust anchor by that resolver until
+   explictly revoked as described above.
+
+   In the given example, the zone owner can recover from a compromise by
+   revoking B and adding a new key D and signing the DNSKEY RRSet with
+   both A and B.
+
+   The reason this does not completely solve the problem has to do with
+   the distributed nature of DNS.  The resolver only knows what it sees.
+   A determined attacker who holds one compromised key could keep a
+   single resolver from realizing that key had been compromised by
+   intercepting 'real' data from the originating zone and substituting
+   their own (e.g. using the example, signed only by B).  This is no
+   worse than the current situation assuming a compromised key.
+
+2.3.  Remove Hold-down
+
+   A new key which has been seen by the resolver, but hasn't reached
+   it's add hold-down time, MAY be removed from the DNSKEY RRSet by the
+
+
+
+StJohns                   Expires July 14, 2006                 [Page 5]
+
+Internet-Draft             trustanchor-update               January 2006
+
+
+   zone owner.  If the resolver sees a validated DNSKEY RRSet without
+   this key, it waits for the remove hold-down time and then, if the key
+   hasn't reappeared, SHOULD discard any information about the key.
+
+2.4.  Active Refresh
+
+   A resolver which has been configured for automatic update of keys
+   from a particular trust point MUST query that trust point (e.g. do a
+   lookup for the DNSKEY RRSet and related RRSIG records) no less often
+   than the lesser of 15 days or half the original TTL for the DNSKEY
+   RRSet or half the RRSIG expiration interval.  The expiration interval
+   is the amount of time from when the RRSIG was last retrieved until
+   the expiration time in the RRSIG.
+
+   If the query fails, the resolver MUST repeat the query until
+   satisfied no more often than once an hour and no less often than the
+   lesser of 1 day or 10% of the original TTL or 10% of the original
+   expiration interval.
+
+2.5.  Resolver Parameters
+
+2.5.1.  Add Hold-Down Time
+
+   The add hold-down time is 30 days or the expiration time of the TTL
+   of the first trust point DNSKEY RRSet which contained the key,
+   whichever is greater.  This ensures that at least two validated
+   DNSKEY RRSets which contain the new key MUST be seen by the resolver
+   prior to the key's acceptance.
+
+2.5.2.  Remove Hold-Down Time
+
+   The remove hold-down time is 30 days.
+
+2.5.3.  Minimum Trust Anchors per Trust Point
+
+   A compliant resolver MUST be able to manage at least five SEP keys
+   per trust point.
+
+
+3.  Changes to DNSKEY RDATA Wire Format
+
+   Bit n [msj2] of the DNSKEY Flags field is designated as the 'REVOKE'
+   flag.  If this bit is set to '1', AND the resolver sees an
+   RRSIG(DNSKEY) signed by the associated key, then the resolver MUST
+   consider this key permanently invalid for all purposes except for
+   validing the revocation.
+
+
+
+
+
+StJohns                   Expires July 14, 2006                 [Page 6]
+
+Internet-Draft             trustanchor-update               January 2006
+
+
+4.  State Table
+
+   The most important thing to understand is the resolver's view of any
+   key at a trust point.  The following state table describes that view
+   at various points in the key's lifetime.  The table is a normative
+   part of this specification.  The initial state of the key is 'Start'.
+   The resolver's view of the state of the key changes as various events
+   occur.
+
+   [msj1] This is the state of a trust point key as seen from the
+   resolver.  The column on the left indicates the current state.  The
+   header at the top shows the next state.  The intersection of the two
+   shows the event that will cause the state to transition from the
+   current state to the next.
+
+                             NEXT STATE
+           --------------------------------------------------
+    FROM   |Start  |AddPend |Valid  |Missing|Revoked|Removed|
+   ----------------------------------------------------------
+   Start   |       |NewKey  |       |       |       |       |
+   ----------------------------------------------------------
+   AddPend |KeyRem |        |AddTime|       |       |
+   ----------------------------------------------------------
+   Valid   |       |        |       |KeyRem |Revbit |       |
+   ----------------------------------------------------------
+   Missing |       |        |KeyPres|       |Revbit |       |
+   ----------------------------------------------------------
+   Revoked |       |        |       |       |       |RemTime|
+   ----------------------------------------------------------
+   Removed |       |        |       |       |       |       |
+   ----------------------------------------------------------
+
+4.1.  Events
+   NewKey The resolver sees a valid DNSKEY RRSet with a new SEP key.
+      That key will become a new trust anchor for the named trust point
+      after its been present in the RRSet for at least 'add time'.
+   KeyPres The key has returned to the valid DNSKEY RRSet.
+   KeyRem The resolver sees a valid DNSKEY RRSet that does not contain
+      this key.
+   AddTime The key has been in every valid DNSKEY RRSet seen for at
+      least the 'add time'.
+   RemTime A revoked key has been missing from the trust point DNSKEY
+      RRSet for sufficient time to be removed from the trust set.
+   RevBit The key has appeared in the trust anchor DNSKEY RRSet with its
+      "REVOKED" bit set, and there is an RRSig over the DNSKEY RRSet
+      signed by this key.
+
+
+
+
+
+StJohns                   Expires July 14, 2006                 [Page 7]
+
+Internet-Draft             trustanchor-update               January 2006
+
+
+4.2.  States
+   Start The key doesn't yet exist as a trust anchor at the resolver.
+      It may or may not exist at the zone server, but hasn't yet been
+      seen at the resolver.
+   AddPend The key has been seen at the resolver, has its 'SEP' bit set,
+      and has been included in a validated DNSKEY RRSet.  There is a
+      hold-down time for the key before it can be used as a trust
+      anchor.
+   Valid The key has been seen at the resolver and has been included in
+      all validated DNSKEY RRSets from the time it was first seen up
+      through the hold-down time.  It is now valid for verifying RRSets
+      that arrive after the hold down time.  Clarification: The DNSKEY
+      RRSet does not need to be continuously present at the resolver
+      (e.g. its TTL might expire).  If the RRSet is seen, and is
+      validated (i.e. verifies against an existing trust anchor), this
+      key MUST be in the RRSet otherwise a 'KeyRem' event is triggered.
+   Missing This is an abnormal state.  The key remains as a valid trust
+      point key, but was not seen at the resolver in the last validated
+      DNSKEY RRSet.  This is an abnormal state because the zone operator
+      should be using the REVOKE bit prior to removal.  [Discussion
+      item: Should a missing key be considered revoked after some period
+      of time?]
+   Revoked This is the state a key moves to once the resolver sees an
+      RRSIG(DNSKEY) signed by this key where that DNSKEY RRSet contains
+      this key with its REVOKE bit set to '1'.  Once in this state, this
+      key MUST permanently be considered invalid as a trust anchor.
+   Removed After a fairly long hold-down time, information about this
+      key may be purged from the resolver.  A key in the removed state
+      MUST NOT be considered a valid trust anchor.
+
+4.3.  Trust Point Deletion
+
+   A trust point which has all of its trust anchors revoked is
+   considered deleted and is treated as if the trust point was never
+   configured.  If there are no superior trust points, data at and below
+   the deleted trust point are considered insecure.  If there there ARE
+   superior trust points, data at and below the deleted trust point are
+   evaluated with respect to the superior trust point.
+
+
+5.  Scenarios
+
+   The suggested model for operation is to have one active key and one
+   stand-by key at each trust point.  The active key will be used to
+   sign the DNSKEY RRSet.  The stand-by key will not normally sign this
+   RRSet, but the resolver will accept it as a trust anchor if/when it
+   sees the signature on the trust point DNSKEY RRSet.
+
+
+
+
+StJohns                   Expires July 14, 2006                 [Page 8]
+
+Internet-Draft             trustanchor-update               January 2006
+
+
+   Since the stand-by key is not in active signing use, the associated
+   private key may (and SHOULD) be provided with additional protections
+   not normally available to a key that must be used frequently.  E.g.
+   locked in a safe, split among many parties, etc.  Notionally, the
+   stand-by key should be less subject to compromise than an active key,
+   but that will be dependent on operational concerns not addressed
+   here.
+
+5.1.  Adding A Trust Anchor
+
+   Assume an existing trust anchor key 'A'.
+   1.  Generate a new key pair.
+   2.  Create a DNSKEY record from the key pair and set the SEP and Zone
+       Key bits.
+   3.  Add the DNSKEY to the RRSet.
+   4.  Sign the DNSKEY RRSet ONLY with the existing trust anchor key -
+       'A'.
+   5.  Wait a while.
+
+5.2.  Deleting a Trust Anchor
+
+   Assume existing trust anchors 'A' and 'B' and that you want to revoke
+   and delete 'A'.
+   1.  Set the revolcation bit on key 'A'.
+   2.  Sign the DNSKEY RRSet with both 'A' and 'B'.
+   'A' is now revoked.  The operator SHOULD include the revoked 'A' in
+   the RRSet for at least the remove hold-down time, but then may remove
+   it from the DNSKEY RRSet.
+
+5.3.  Key Roll-Over
+
+   Assume existing keys A and B. 'A' is actively in use (i.e. has been
+   signing the DNSKEY RRSet.)  'B' was the stand-by key. (i.e. has been
+   in the DNSKEY RRSet and is a valid trust anchor, but wasn't being
+   used to sign the RRSet.)
+   1.  Generate a new key pair 'C'.
+   2.  Add 'C' to the DNSKEY RRSet.
+   3.  Set the revocation bit on key 'A'.
+   4.  Sign the RRSet with 'A' and 'B'.
+   'A' is now revoked, 'B' is now the active key, and 'C' will be the
+   stand-by key once the hold-down expires.  The operator SHOULD include
+   the revoked 'A' in the RRSet for at least the remove hold-down time,
+   but may then remove it from the DNSKEY RRSet.
+
+5.4.  Active Key Compromised
+
+   This is the same as the mechanism for Key Roll-Over (Section 5.3)
+   above assuming 'A' is the active key.
+
+
+
+StJohns                   Expires July 14, 2006                 [Page 9]
+
+Internet-Draft             trustanchor-update               January 2006
+
+
+5.5.  Stand-by Key Compromised
+
+   Using the same assumptions and naming conventions as Key Roll-Over
+   (Section 5.3) above:
+   1.  Generate a new key pair 'C'.
+   2.  Add 'C' to the DNSKEY RRSet.
+   3.  Set the revocation bit on key 'B'.
+   4.  Sign the RRSet with 'A' and 'B'.
+   'B' is now revoked, 'A' remains the active key, and 'C' will be the
+   stand-by key once the hold-down expires.  'B' SHOULD continue to be
+   included in the RRSet for the remove hold-down time.
+
+
+6.  IANA Considerations
+
+   The IANA will need to assign a bit in the DNSKEY flags field (see
+   section 4.3 of [RFC3755]) for the REVOKE bit.  There are no other
+   IANA actions required.
+
+
+7.  Security Considerations
+
+7.1.  Key Ownership vs Acceptance Policy
+
+   The reader should note that, while the zone owner is responsible
+   creating and distributing keys, it's wholly the decision of the
+   resolver owner as to whether to accept such keys for the
+   authentication of the zone information.  This implies the decision
+   update trust anchor keys based on trust for a current trust anchor
+   key is also the resolver owner's decision.
+
+   The resolver owner (and resolver implementers) MAY choose to permit
+   or prevent key status updates based on this mechanism for specific
+   trust points.  If they choose to prevent the automated updates, they
+   will need to establish a mechanism for manual or other out-of-band
+   updates outside the scope of this document.
+
+7.2.  Multiple Key Compromise
+
+   This scheme permits recovery as long as at least one valid trust
+   anchor key remains uncompromised.  E.g. if there are three keys, you
+   can recover if two of them are compromised.  The zone owner should
+   determine their own level of comfort with respect to the number of
+   active valid trust anchors in a zone and should be prepared to
+   implement recovery procedures once they detect a compromise.  A
+   manual or other out-of-band update of all resolvers will be required
+   if all trust anchor keys at a trust point are compromised.
+
+
+
+
+StJohns                   Expires July 14, 2006                [Page 10]
+
+Internet-Draft             trustanchor-update               January 2006
+
+
+7.3.  Dynamic Updates
+
+   Allowing a resolver to update its trust anchor set based in-band key
+   information is potentially less secure than a manual process.
+   However, given the nature of the DNS, the number of resolvers that
+   would require update if a trust anchor key were compromised, and the
+   lack of a standard management framework for DNS, this approach is no
+   worse than the existing situation.
+
+8.  Normative References
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC2535]  Eastlake, D., "Domain Name System Security Extensions",
+              RFC 2535, March 1999.
+
+   [RFC3755]  Weiler, S., "Legacy Resolver Compatibility for Delegation
+              Signer (DS)", RFC 3755, May 2004.
+
+   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "DNS Security Introduction and Requirements",
+              RFC 4033, March 2005.
+
+   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Resource Records for the DNS Security Extensions",
+              RFC 4034, March 2005.
+
+   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Protocol Modifications for the DNS Security
+              Extensions", RFC 4035, March 2005.
+
+Editorial Comments
+
+   [msj1]  msj: N.B. This table is preliminary and will be revised to
+           match implementation experience.  For example, should there
+           be a state for "Add hold-down expired, but haven't seen the
+           new RRSet"?
+
+   [msj2]  msj: To be assigned.
+
+   [msj3]  msj: For discussion: What's the implementation guidance for
+           resolvers currently with respect to the non-assigned flag
+           bits?  If they consider the flag bit when doing key matching
+           at the trust anchor, they won't be able to match.
+
+
+
+
+
+
+StJohns                   Expires July 14, 2006                [Page 11]
+
+Internet-Draft             trustanchor-update               January 2006
+
+
+Author's Address
+
+   Michael StJohns
+   Nominum, Inc.
+   2385 Bay Road
+   Redwood City, CA  94063
+   USA
+
+   Phone: +1-301-528-4729
+   Email: Mike.StJohns@nominum.com
+   URI:   www.nominum.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+StJohns                   Expires July 14, 2006                [Page 12]
+
+Internet-Draft             trustanchor-update               January 2006
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+   Copyright (C) The Internet Society (2006).  This document is subject
+   to the rights, licenses and restrictions contained in BCP 78, and
+   except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+StJohns                   Expires July 14, 2006                [Page 13]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-06.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-06.txt
new file mode 100644
index 0000000..00476ae
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-06.txt
@@ -0,0 +1,522 @@
+
+INTERNET-DRAFT                                    Donald E. Eastlake 3rd
+UPDATES RFC 2845                                   Motorola Laboratories
+Expires: July 2006                                          January 2006
+
+                  HMAC SHA TSIG Algorithm Identifiers
+                  ---- --- ---- --------- -----------
+                  <draft-ietf-dnsext-tsig-sha-06.txt>
+
+
+Status of This Document
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   This draft is intended to be become a Proposed Standard RFC.
+   Distribution of this document is unlimited. Comments should be sent
+   to the DNSEXT working group mailing list <namedroppers@ops.ietf.org>.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/1id-abstracts.html
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html
+
+
+Abstract
+
+   Use of the Domain Name System TSIG resource record requires
+   specification of a cryptographic message authentication code.
+   Currently identifiers have been specified only for the HMAC MD5
+   (Message Digest) and GSS (Generic Security Service) TSIG algorithms.
+   This document standardizes identifiers and implementation
+   requirements for additional HMAC SHA (Secure Hash Algorithm) TSIG
+   algorithms and standardizes how to specify and handle the truncation
+   of HMAC values in TSIG.
+
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+
+
+D. Eastlake 3rd                                                 [Page 1]
+
+
+INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
+
+
+Table of Contents
+
+      Status of This Document....................................1
+      Abstract...................................................1
+      Copyright Notice...........................................1
+
+      Table of Contents..........................................2
+
+      1. Introduction............................................3
+
+      2. Algorithms and Identifiers..............................4
+
+      3. Specifying Truncation...................................5
+      3.1 Truncation Specification...............................5
+
+      4. TSIG Truncation Policy and Error Provisions.............6
+
+      5. IANA Considerations.....................................7
+      6. Security Considerations.................................7
+      7. Copyright and Disclaimer................................7
+
+      8. Normative References....................................8
+      9. Informative References..................................8
+
+      Author's Address...........................................9
+      Additional IPR Provisions..................................9
+      Expiration and File Name...................................9
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd                                                 [Page 2]
+
+
+INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
+
+
+1. Introduction
+
+   [RFC 2845] specifies a TSIG Resource Record (RR) that can be used to
+   authenticate DNS (Domain Name System [STD 13]) queries and responses.
+   This RR contains a domain name syntax data item which names the
+   authentication algorithm used. [RFC 2845] defines the HMAC-MD5.SIG-
+   ALG.REG.INT name for authentication codes using the HMAC [RFC 2104]
+   algorithm with the MD5 [RFC 1321] hash algorithm. IANA has also
+   registered "gss-tsig" as an identifier for TSIG authentication where
+   the cryptographic operations are delegated to the Generic Security
+   Service (GSS) [RFC 3645].
+
+   It should be noted that use of TSIG presumes prior agreement, between
+   the resolver and server involved, as to the algorithm and key to be
+   used.
+
+   In Section 2, this document specifies additional names for TSIG
+   authentication algorithms based on US NIST SHA (United States,
+   National Institute of Science and Technology, Secure Hash Algorithm)
+   algorithms and HMAC and specifies the implementation requirements for
+   those algorithms.
+
+   In Section 3, this document specifies the effect of inequality
+   between the normal output size of the specified hash function and the
+   length of MAC (message authentication code) data given in the TSIG
+   RR. In particular, it specifies that a shorter length field value
+   specifies truncation and a longer length field is an error.
+
+   In Section 4, policy restrictions and implications related to
+   truncation and a new error code to indicate truncation shorter than
+   permitted by policy are described and specified.
+
+   The use herein of MUST, SHOULD, MAY, MUST NOT, and SHOULD NOT is as
+   defined in [RFC 2119].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd                                                 [Page 3]
+
+
+INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
+
+
+2. Algorithms and Identifiers
+
+   TSIG Resource Records (RRs) [RFC 2845] are used to authenticate DNS
+   queries and responses.  They are intended to be efficient symmetric
+   authentication codes based on a shared secret. (Asymmetric signatures
+   can be provided using the SIG RR [RFC 2931]. In particular, SIG(0)
+   can be used for transaction signatures.) Used with a strong hash
+   function, HMAC [RFC 2104] provides a way to calculate such symmetric
+   authentication codes. The only specified HMAC based TSIG algorithm
+   identifier has been HMAC-MD5.SIG-ALG.REG.INT based on MD5 [RFC 1321].
+
+   The use of SHA-1 [FIPS 180-2, RFC 3174], which is a 160 bit hash, as
+   compared with the 128 bits for MD5, and additional hash algorithms in
+   the SHA family [FIPS 180-2, RFC 3874, SHA2draft] with 224, 256, 384,
+   and 512 bits, may be preferred in some cases particularly since
+   increasingly successful cryptanalytic attacks are being made on the
+   shorter hashes.
+
+   Use of TSIG between a DNS resolver and server is by mutual agreement.
+   That agreement can include the support of additional algorithms and
+   criteria as to which algorithms and truncations are acceptable,
+   subject to the restriction and guidelines in Section 3 and 4 below.
+   Key agreement can be by the TKEY mechanism [RFC 2930] or other
+   mutually agreeable method.
+
+   The current HMAC-MD5.SIG-ALG.REG.INT and gss-tsig identifiers are
+   included in the table below for convenience.  Implementations which
+   support TSIG MUST also implement HMAC SHA1 and HMAC SHA256 and MAY
+   implement gss-tsig and the other algorithms listed below.
+
+         Mandatory      HMAC-MD5.SIG-ALG.REG.INT
+         Optional       gss-tsig
+         Mandatory      hmac-sha1
+         Optional       hmac-sha224
+         Mandatory      hmac-sha256
+         Optional       hamc-sha384
+         Optional       hmac-sha512
+
+   SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented.
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd                                                 [Page 4]
+
+
+INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
+
+
+3. Specifying Truncation
+
+   When space is at a premium and the strength of the full length of an
+   HMAC is not needed, it is reasonable to truncate the HMAC output and
+   use the truncated value for authentication. HMAC SHA-1 truncated to
+   96 bits is an option available in several IETF protocols including
+   IPSEC and TLS.
+
+   The TSIG RR [RFC 2845] includes a "MAC size" field, which gives the
+   size of the MAC field in octets. But [RFC 2845] does not specify what
+   to do if this MAC size differs from the length of the output of HMAC
+   for a particular hash function. Truncation is indicated by a MAC size
+   less than the HMAC size as specified below.
+
+
+
+3.1 Truncation Specification
+
+   The specification for TSIG handling is changed as follows:
+
+   1. If "MAC size" field is greater than HMAC output length:
+         This case MUST NOT be generated and if received MUST cause the
+      packet to be dropped and RCODE 1 (FORMERR) to be returned.
+
+   2. If "MAC size" field equals HMAC output length:
+         Operation is as described in [RFC 2845] with the entire output
+      HMAC output present.
+
+   3. "MAC size" field is less than HMAC output length but greater than
+      that specified in case 4 below:
+         This is sent when the signer has truncated the HMAC output to
+      an allowable length, as described in RFC 2104, taking initial
+      octets and discarding trailing octets. TSIG truncation can only be
+      to an integral number of octets. On receipt of a packet with
+      truncation thus indicated, the locally calculated MAC is similarly
+      truncated and only the truncated values compared for
+      authentication. The request MAC used when calculating the TSIG MAC
+      for a reply is the truncated request MAC.
+
+   4. "MAC size" field is less than the larger of 10 (octets) and half
+      the length of the hash function in use:
+         With the exception of certain TSIG error messages described in
+      RFC 2845 section 3.2 where it is permitted that the MAC size be
+      zero, this case MUST NOT be generated and if received MUST cause
+      the packet to be dropped and RCODE 1 (FORMERR) to be returned. The
+      size limit for this case can also, for the hash functions
+      mentioned in this document, be stated as less than half the hash
+      function length for hash functions other than MD5 and less than 10
+      octets for MD5.
+
+
+
+D. Eastlake 3rd                                                 [Page 5]
+
+
+INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
+
+
+4. TSIG Truncation Policy and Error Provisions
+
+   Use of TSIG is by mutual agreement between a resolver and server.
+   Implicit in such "agreement" are criterion as to acceptable keys and
+   algorithms and, with the extensions in this document, truncations.
+   Note that it is common for implementations to bind the TSIG secret
+   key or keys that may be in place at a resolver and server to
+   particular algorithms. Thus such implementations only permit the use
+   of an algorithm if there is an associated key in place. Receipt of an
+   unknown, unimplemented, or disabled algorithm typically results in a
+   BADKEY error.
+
+      Local policies MAY require the rejection of TSIGs even though they
+   use an algorithm for which implementation is mandatory.
+
+      When a local policy permits acceptance of a TSIG with a particular
+   algorithm and a particular non-zero amount of truncation it SHOULD
+   also permit the use of that algorithm with lesser truncation (a
+   longer MAC) up to the full HMAC output.
+
+      Regardless of a lower acceptable truncated MAC length specified by
+   local policy, a reply SHOULD be sent with a MAC at least as long as
+   that in the corresponding request unless the request specified a MAC
+   length longer than the HMAC output.
+
+      Implementations permitting multiple acceptable algorithms and/or
+   truncations SHOULD permit this list to be ordered by presumed
+   strength and SHOULD allow different truncations for the same
+   algorithm to be treated as separate entities in this list. When so
+   implemented, policies SHOULD accept a presumed stronger algorithm and
+   truncation than the minimum strength required by the policy.
+
+      If a TSIG is received with truncation which is permitted under
+   Section 3 above but the MAC is too short for the local policy in
+   force, an RCODE of TBA [22 suggested](BADTRUNC) MUST be returned.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd                                                 [Page 6]
+
+
+INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
+
+
+5. IANA Considerations
+
+   This document, on approval for publication as a standards track RFC,
+   (1) registers the new TSIG algorithm identifiers listed in Section 2
+   with IANA and (2) allocates the BADTRUNC RCODE TBA [22 suggested] in
+   Section 4. [RFC 2845]
+
+
+
+6. Security Considerations
+
+   For all of the message authentication code algorithms listed herein,
+   those producing longer values are believed to be stronger; however,
+   while there have been some arguments that mild truncation can
+   strengthen a MAC by reducing the information available to an
+   attacker, excessive truncation clearly weakens authentication by
+   reducing the number of bits an attacker has to try to break the
+   authentication by brute force [RFC 2104].
+
+   Significant progress has been made recently in cryptanalysis of hash
+   function of the type used herein, all of which ultimately derive from
+   the design of MD4. While the results so far should not effect HMAC,
+   the stronger SHA-1 and SHA-256 algorithms are being made mandatory
+   due to caution.
+
+   See the Security Considerations section of [RFC 2845].  See also the
+   Security Considerations section of [RFC 2104] from which the limits
+   on truncation in this RFC were taken.
+
+
+
+7. Copyright and Disclaimer
+
+   Copyright (C) The Internet Society (2006).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+D. Eastlake 3rd                                                 [Page 7]
+
+
+INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
+
+
+8. Normative References
+
+   [FIPS 180-2] - "Secure Hash Standard", (SHA-1/224/256/384/512) US
+   Federal Information Processing Standard, with Change Notice 1,
+   February 2004.
+
+   [RFC 1321] - Rivest, R., "The MD5 Message-Digest Algorithm ", RFC
+   1321, April 1992.
+
+   [RFC 2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
+   Hashing for Message Authentication", RFC 2104, February 1997.
+
+   [RFC 2119] - Bradner, S., "Key words for use in RFCs to Indicate
+   Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC 2845] - Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
+   Wellington, "Secret Key Transaction Authentication for DNS (TSIG)",
+   RFC 2845, May 2000.
+
+   [RFC 3174] - Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm
+   1 (SHA1)", RFC 3174, September 2001.
+
+   [RFC 3874] - R. Housely, "A 224-bit One-way Hash Function: SHA-224",
+   September 2004,
+
+   [SHA2draft] - Eastlake, D., T. Hansen, "US Secure Hash Algorithms
+   (SHA)", draft-eastlake-sha2-*.txt, work in progress.
+
+   [STD 13]
+         Mockapetris, P., "Domain names - concepts and facilities", STD
+         13, RFC 1034, November 1987.
+
+         Mockapetris, P., "Domain names - implementation and
+         specification", STD 13, RFC 1035, November 1987.
+
+
+
+9. Informative References.
+
+   [RFC 2930] - Eastlake 3rd, D., "Secret Key Establishment for DNS
+   (TKEY RR)", RFC 2930, September 2000.
+
+   [RFC 2931] - Eastlake 3rd, D., "DNS Request and Transaction
+   Signatures ( SIG(0)s )", RFC 2931, September 2000.
+
+   [RFC 3645] - Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead,
+   J., and R. Hall, "Generic Security Service Algorithm for Secret Key
+   Transaction Authentication for DNS (GSS-TSIG)", RFC 3645, October
+   2003.
+
+
+
+D. Eastlake 3rd                                                 [Page 8]
+
+
+INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
+
+
+Author's Address
+
+   Donald E. Eastlake 3rd
+   Motorola Laboratories
+   155 Beaver Street
+   Milford, MA 01757 USA
+
+   Telephone:   +1-508-786-7554 (w)
+
+   EMail:       Donald.Eastlake@motorola.com
+
+
+
+Additional IPR Provisions
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed
+   to pertain to the implementation or use of the technology
+   described in this document or the extent to which any license
+   under such rights might or might not be available; nor does it
+   represent that it has made any independent effort to identify any
+   such rights.  Information on the procedures with respect to
+   rights in RFC documents can be found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use
+   of such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository
+   at http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention
+   any copyrights, patents or patent applications, or other
+   proprietary rights that may cover technology that may be required
+   to implement this standard.  Please address the information to the
+   IETF at ietf-ipr@ietf.org.
+
+
+
+Expiration and File Name
+
+   This draft expires in July 2006.
+
+   Its file name is draft-ietf-dnsext-tsig-sha-06.txt
+
+
+
+
+
+
+
+
+D. Eastlake 3rd                                                 [Page 9]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-10.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-10.txt
new file mode 100644
index 0000000..9cf88a5
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-10.txt
@@ -0,0 +1,1063 @@
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+DNSEXT Working Group                                          E. Lewis
+INTERNET DRAFT                                                 NeuStar
+Expiration Date: July 9, 2006                          January 9, 2006
+Updates RFC 1034, RFC 2672
+
+                              The Role of Wildcards
+                            in the Domain Name System
+                      draft-ietf-dnsext-wcard-clarify-10.txt
+
+Status of this Memo
+
+      By submitting this Internet-Draft, each author represents that
+      any applicable patent or other IPR claims of which he or she is
+      aware have been or will be disclosed, and any of which he or she
+      becomes aware will be disclosed, in accordance with Section 6 of
+      BCP 79.
+
+      Internet-Drafts are working documents of the Internet Engineering
+      Task Force (IETF), its areas, and its working groups.  Note that
+      other groups may also distribute working documents as Internet-
+      Drafts.
+
+      Internet-Drafts are draft documents valid for a maximum of six
+      months and may be updated, replaced, or obsoleted by other
+      documents at any time.  It is inappropriate to use Internet-Drafts
+      as reference material or to cite them other than as "work in
+      progress."
+
+      The list of current Internet-Drafts can be accessed at
+        http://www.ietf.org/ietf/1id-abstracts.txt
+
+      The list of Internet-Draft Shadow Directories can be accessed at
+        http://www.ietf.org/shadow.html
+
+      This Internet-Draft will expire on July 9, 2006.
+
+Copyright Notice
+
+      Copyright (C) The Internet Society (2006).
+
+Abstract
+
+      This is an update to the wildcard definition of RFC 1034.  The
+      interaction with wildcards and CNAME is changed, an error
+      condition removed, and the words defining some concepts central
+      to wildcards are changed.  The overall goal is not to change
+      wildcards, but to refine the definition of RFC 1034.
+
+
+
+
+DNSEXT Working Group        Expires July 9, 2006             [Page  1]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+Table of Contents
+
+1.    Introduction   .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  3
+1 1   Motivation                                                     3
+1 2   The Original Definition                                        3
+1 3   Roadmap to This Document                                       4
+1 3 1 New Terms                                                      4
+1.3.2 Changed Text                                                   5
+1.3.3 Considerations with Special Types                              5
+1.4   Standards Terminology                                          5
+2.    Wildcard Syntax   .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  6
+2.1   Identifying a Wildcard                                         6
+2.1.1 Wild Card Domain Name and Asterisk Label                       6
+2.1.2 Asterisks and Other Characters                                 6
+2.1.3 Non-terminal Wild Card Domain Names                            6
+2.2   Existence Rules                                                7
+2.2.1 An Example                                                     7
+2.2.2 Empty Non-terminals                                            9
+2.2.3 Yet Another Definition of Existence                           10
+2.3   When is a Wild Card Domain Name Not Special                   10
+3.    Impact of a Wild Card Domain Name On a Response .  .  .  .  . 10
+3.1   Step 2                                                        10
+3.2   Step 3                                                        11
+3.3   Part 'c'                                                      11
+3.3.1 Closest Encloser and the Source of Synthesis                  12
+3.3.2 Closest Encloser and Source of Synthesis Examples             12
+3.3.3 Type Matching                                                 13
+4.    Considerations with Special Types   .  .  .  .  .  .  .  .  . 13
+4.1   SOA RRSet at a Wild Card Domain Name                          13
+4.2   NS RRSet at a Wild Card Domain Name                           14
+4.2.1 Discarded Notions                                             14
+4.3   CNAME RRSet at a Wild Card Domain Name                        15
+4.4   DNAME RRSet at a Wild Card Domain Name                        15
+4.5   SRV RRSet at a Wild Card Domain Name                          16
+4.6   DS RRSet at a Wild Card Domain Name                           16
+4.7   NSEC RRSet at a Wild Card Domain Name                         17
+4.8   RRSIG at a Wild Card Domain Name                              17
+4.9   Empty Non-terminal Wild Card Domain Name                      17
+5.    Security Considerations .  .  .  .  .  .  .  .  .  .  .  .  . 17
+6.    IANA Considerations     .  .  .  .  .  .  .  .  .  .  .  .  . 17
+7.    References              .  .  .  .  .  .  .  .  .  .  .  .  . 17
+8.    Editor                  .  .  .  .  .  .  .  .  .  .  .  .  . 18
+9.    Others Contributing to the Document    .  .  .  .  .  .  .  . 18
+10.   Trailing Boilerplate    .  .  .  .  .  .  .  .  .  .  .  .  . 19
+
+
+
+
+
+
+
+
+DNSEXT Working Group        Expires July 9, 2006             [Page  2]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+1. Introduction
+
+      In RFC 1034 [RFC1034], sections 4.3.2 and 4.3.3 describe the
+      synthesis of answers from special resource records called
+      wildcards.  The definition in RFC 1034 is incomplete and has
+      proven to be confusing.  This document describes the wildcard
+      synthesis by adding to the discussion and making limited
+      modifications.  Modifications are made to close inconsistencies
+      that have led to interoperability issues.  This description
+      does not expand the service intended by the original definition.
+
+      Staying within the spirit and style of the original documents,
+      this document avoids specifying rules for DNS implementations
+      regarding wildcards.  The intention is to only describe what is
+      needed for interoperability, not restrict implementation choices.
+      In addition, consideration is given to minimize any backwards
+      compatibility issues with implementations that comply with RFC
+      1034's definition.
+
+      This document is focused on the concept of wildcards as defined
+      in RFC 1034.  Nothing is implied regarding alternative means of
+      synthesizing resource record sets, nor are alternatives discussed.
+
+1.1 Motivation
+
+      Many DNS implementations diverge, in different ways, from the
+      original definition of wildcards.  Although there is clearly a
+      need to clarify the original documents in light of this alone,
+      the impetus for this document lay in the engineering of the DNS
+      security extensions [RFC4033].  With an unclear definition of
+      wildcards the design of authenticated denial became entangled.
+
+      This document is intended to limit its changes, documenting only
+      those based on implementation experience, and to remain as close
+      to the original document as possible.  To reinforce that this
+      document is meant to clarify and adjust and not redefine wildcards,
+      relevant sections of RFC 1034 are repeated verbatim to facilitate
+      comparison of the old and new text.
+
+1.2 The Original Definition
+
+      The definition of the wildcard concept is comprised by the
+      documentation of the algorithm by which a name server prepares
+      a response (in RFC 1034's section 4.3.2) and the way in which
+      a resource record (set) is identified as being a source of
+      synthetic data (section 4.3.3).
+
+      This is the definition of the term "wildcard" as it appears in
+      RFC 1034, section 4.3.3.
+
+
+
+DNSEXT Working Group        Expires July 9, 2006             [Page  3]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+# In the previous algorithm, special treatment was given to RRs with
+# owner names starting with the label "*".  Such RRs are called
+# wildcards. Wildcard RRs can be thought of as instructions for
+# synthesizing RRs.  When the appropriate conditions are met, the name
+# server creates RRs with an owner name equal to the query name and
+# contents taken from the wildcard RRs.
+
+      This passage follows the algorithm in which the term wildcard
+      is first used.   In this definition, wildcard refers to resource
+      records.  In other usage, wildcard has referred to domain names,
+      and it has been used to describe the operational practice of
+      relying on wildcards to generate answers.  It is clear from this
+      that there is a need to define clear and unambiguous terminology
+      in the process of discussing wildcards.
+
+      The mention of the use of wildcards in the preparation of a
+      response is contained in step 3c of RFC 1034's section 4.3.2
+      entitled "Algorithm."  Note that "wildcard" does not appear in
+      the algorithm, instead references are made to the "*" label.
+      The portion of the algorithm relating to wildcards is
+      deconstructed in detail in section 3 of this document, this is
+      the beginning of the relevant portion of the "Algorithm."
+
+#    c. If at some label, a match is impossible (i.e., the
+#       corresponding label does not exist), look to see if [...]
+#       the "*" label exists.
+
+      The scope of this document is the RFC 1034 definition of
+      wildcards and the implications of updates to those documents,
+      such as DNSSEC.  Alternate schemes for synthesizing answers are
+      not considered.  (Note that there is no reference listed.  No
+      document is known to describe any alternate schemes, although
+      there has been some mention of them in mailing lists.)
+
+1.3 Roadmap to This Document
+
+      This document accomplishes these three items.
+      o Defines new terms
+      o Makes minor changes to avoid conflicting concepts
+      o Describes the actions of certain resource records as wildcards
+
+1.3.1 New Terms
+
+      To help in discussing what resource records are wildcards, two
+      terms will be defined - "asterisk label" and "wild card domain
+      name".  These are defined in section 2.1.1.
+
+      To assist in clarifying the role of wildcards in the name server
+      algorithm in RFC 1034, 4.3.2, "source of synthesis" and "closest
+      encloser" are defined.  These definitions are in section 3.3.2.
+      "Label match" is defined in section 3.2.
+
+DNSEXT Working Group        Expires July 9, 2006             [Page  4]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+      The new terms are used to make discussions of wildcards clearer.
+      Terminology doesn't directly have an impact on implementations.
+
+1.3.2 Changed Text
+
+      The definition of "existence" is changed superficially.  This
+      change will not be apparent to implementations; it is needed to
+      make descriptions more precise.  The change appears in section
+      2.2.3.
+
+      RFC 1034, section 4.3.3., seems to prohibit having two asterisk
+      labels in a wildcard owner name.  With this document the
+      restriction is removed entirely.  This change and its implications
+      are in section 2.1.3.
+
+      The actions when a source of synthesis owns a CNAME RR are
+      changed to mirror the actions if an exact match name owns a
+      CNAME RR.  This is an addition to the words in RFC 1034,
+      section 4.3.2, step 3, part c.  The discussion of this is in
+      section 3.3.3.
+
+      Only the latter change represents an impact to implementations.
+      The definition of existence is not a protocol impact.  The change
+      to the restriction on names is unlikely to have an impact, as
+      RFC 1034 contained no specification on when and how to enforce the
+      restriction.
+
+1.3.3 Considerations with Special Types
+
+      This document describes semantics of wildcard RRSets for
+      "interesting" types as well as empty non-terminal wildcards.
+      Understanding these situations in the context of wildcards has
+      been clouded because these types incur special processing if
+      they are the result of an exact match.  This discussion is in
+      section 4.
+
+      These discussions do not have an implementation impact, they cover
+      existing knowledge of the types, but to a greater level of detail.
+
+1.4 Standards Terminology
+
+      This document does not use terms as defined in "Key words for use
+      in RFCs to Indicate Requirement Levels." [RFC2119]
+
+      Quotations of RFC 1034 are denoted by a '#' in the leftmost
+      column.  References to section "4.3.2" are assumed to refer
+      to RFC 1034's section 4.3.2, simply titled "Algorithm."
+
+
+
+
+
+DNSEXT Working Group        Expires July 9, 2006             [Page  5]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+2. Wildcard Syntax
+
+      The syntax of a wildcard is the same as any other DNS resource
+      record, across all classes and types.  The only significant
+      feature is the owner name.
+
+      Because wildcards are encoded as resource records with special
+      names, they are included in zone transfers and incremental zone
+      transfers[RFC1995] just as non-wildcard resource records are.
+      This feature has been under appreciated until discussions on
+      alternative approaches to wildcards appeared on mailing lists.
+
+2.1 Identifying a Wildcard
+
+      To provide a more accurate description of wildcards, the
+      definition has to start with a discussion of the domain names
+      that appear as owners.  Two new terms are needed, "Asterisk
+      Label" and "Wild Card Domain Name."
+
+2.1.1 Wild Card Domain Name and Asterisk Label
+
+      A "wild card domain name" is defined by having its initial
+      (i.e., left-most or least significant) label be, in binary format:
+
+           0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
+
+      The first octet is the normal label type and length for a 1 octet
+      long label, the second octet is the ASCII representation [RFC20]
+      for the '*' character.
+
+      A descriptive name of a label equaling that value is an "asterisk
+      label."
+
+      RFC 1034's definition of wildcard would be "a resource record
+      owned by a wild card domain name."
+
+2.1.2 Asterisks and Other Characters
+
+      No label values other than that in section 2.1.1 are asterisk
+      labels, hence names beginning with other labels are never wild
+      card domain names.  Labels such as 'the*' and '**' are not
+      asterisk labels so these labels do not start wild card domain
+      names.
+
+2.1.3 Non-terminal Wild Card Domain Names
+
+      In section 4.3.3, the following is stated:
+
+# ..........................  The owner name of the wildcard RRs is of
+# the form "*.<anydomain>", where <anydomain> is any domain name.
+# <anydomain> should not contain other * labels......................
+
+DNSEXT Working Group        Expires July 9, 2006             [Page  6]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+      The restriction is now removed.  The original documentation of it
+      is incomplete and the restriction does not serve any purpose
+      given years of operational experience.
+
+      There are three possible reasons for putting the restriction in
+      place, but none of the three has held up over time.  One is
+      that the restriction meant that there would never be subdomains
+      of wild card domain names, but the restriciton as stated still
+      permits "example.*.example." for instance.  Another is that
+      wild card domain names are not intended to be empty non-terminals,
+      but this situation does not disrupt the algorithm in 4.3.2.
+      Finally, "nested" wild card domain names are not ambiguous once
+      the concept of the closest encloser had been documented.
+
+      A wild card domain name can have subdomains.  There is no need
+      to inspect the subdomains to see if there is another asterisk
+      label in any subdomain.
+
+      A wild card domain name can be an empty non-terminal.  (See the
+      upcoming sections on empty non-terminals.)  In this case, any
+      lookup encountering it will terminate as would any empty
+      non-terminal match.
+
+2.2 Existence Rules
+
+      The notion that a domain name 'exists' is mentioned in the
+      definition of wildcards.  In section 4.3.3 of RFC 1034:
+
+# Wildcard RRs do not apply:
+#
+...
+#   - When the query name or a name between the wildcard domain and
+#     the query name is know[n] to exist.  For example, if a wildcard
+
+      "Existence" is therefore an important concept in the understanding
+      of wildcards.  Unfortunately, the definition of what exists, in RFC
+      1034, is unclear.  So, in sections 2.2.2. and 2.2.3, another look is
+      taken at the definition of existence.
+
+2.2.1 An Example
+
+      To illustrate what is meant by existence consider this complete
+      zone:
+
+
+
+
+
+
+
+
+
+DNSEXT Working Group        Expires July 9, 2006             [Page  7]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+        $ORIGIN example.
+        example.                 3600 IN  SOA   <SOA RDATA>
+        example.                 3600     NS    ns.example.com.
+        example.                 3600     NS    ns.example.net.
+        *.example.               3600     TXT   "this is a wild card"
+        *.example.               3600     MX    10 host1.example.
+        sub.*.example.           3600     TXT   "this is not a wild card"
+        host1.example.           3600     A     192.0.4.1
+        _ssh._tcp.host1.example. 3600     SRV  <SRV RDATA>
+        _ssh._tcp.host2.example. 3600     SRV  <SRV RDATA>
+        subdel.example.          3600     NS   ns.example.com.
+        subdel.example.          3600     NS   ns.example.net.
+
+      A look at the domain names in a tree structure is helpful:
+
+                                    |
+                    -------------example------------
+                   /           /         \          \
+                  /           /           \          \
+                 /           /             \          \
+                *          host1          host2      subdel
+                |            |             |
+                |            |             |
+               sub         _tcp          _tcp
+                             |             |
+                             |             |
+                           _ssh          _ssh
+
+      The following responses would be synthesized from one of the
+      wildcards in the zone:
+
+          QNAME=host3.example. QTYPE=MX, QCLASS=IN
+               the answer will be a "host3.example. IN MX ..."
+
+          QNAME=host3.example. QTYPE=A, QCLASS=IN
+               the answer will reflect "no error, but no data"
+               because there is no A RR set at '*.example.'
+
+          QNAME=foo.bar.example. QTYPE=TXT, QCLASS=IN
+               the answer will be "foo.bar.example. IN TXT ..."
+               because bar.example. does not exist, but the wildcard
+               does.
+
+      The following responses would not be synthesized from any of the
+      wildcards in the zone:
+
+          QNAME=host1.example., QTYPE=MX, QCLASS=IN
+               because host1.example. exists
+
+          QNAME=sub.*.example., QTYPE=MX, QCLASS=IN
+               because sub.*.example. exists
+
+DNSEXT Working Group        Expires July 9, 2006             [Page  8]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+          QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
+               because _tcp.host1.example. exists (without data)
+
+          QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
+               because subdel.example. exists (and is a zone cut)
+
+          QNAME=ghost.*.example., QTYPE=MX, QCLASS=IN
+               because *.example. exists
+
+      The final example highlights one common misconception about
+      wildcards.  A wildcard "blocks itself" in the sense that a
+      wildcard does not match its own subdomains.  I.e. "*.example."
+      does not match all names in the "example." zone, it fails to
+      match the names below "*.example." To cover names under
+      "*.example.", another wild card domain name is needed -
+      "*.*.example." - which covers all but it's own subdomains.
+
+2.2.2 Empty Non-terminals
+
+      Empty non-terminals [RFC2136, Section 7.16] are domain names
+      that own no resource records but have subdomains that do.  In
+      section 2.2.1, "_tcp.host1.example." is an example of a empty
+      non-terminal name.  Empty non-terminals are introduced by this
+      text in section 3.1 of RFC 1034:
+
+# The domain name space is a tree structure.  Each node and leaf on
+# the tree corresponds to a resource set (which may be empty).  The
+# domain system makes no distinctions between the uses of the
+# interior nodes and leaves, and this memo uses the term "node" to
+# refer to both.
+
+      The parenthesized "which may be empty" specifies that empty non-
+      terminals are explicitly recognized, and that empty non-terminals
+      "exist."
+
+      Pedantically reading the above paragraph can lead to an
+      interpretation that all possible domains exist - up to the
+      suggested limit of 255 octets for a domain name [RFC1035].
+      For example, www.example. may have an A RR, and as far as is
+      practically concerned, is a leaf of the domain tree.  But the
+      definition can be taken to mean that sub.www.example. also
+      exists, albeit with no data.  By extension, all possible domains
+      exist, from the root on down.
+
+      As RFC 1034 also defines "an authoritative name error indicating
+      that the name does not exist" in section 4.3.1, so this apparently
+      is not the intent of the original definition, justifying the
+      need for an updated definition in the next section.
+
+
+
+
+DNSEXT Working Group        Expires July 9, 2006             [Page  9]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+2.2.3 Yet Another Definition of Existence
+
+      RFC1034's wording is fixed by the following paragraph:
+
+      The domain name space is a tree structure.  Nodes in the tree
+      either own at least one RRSet and/or have descendants that
+      collectively own at least one RRSet.  A node may exist with no
+      RRSets only if it has descendents that do, this node is an empty
+      non-terminal.
+
+      A node with no descendants is a leaf node.  Empty leaf nodes do
+      not exist.
+
+      Note that at a zone boundary, the domain name owns data,
+      including the NS RR set.  In the delegating zone, the NS RR
+      set is not authoritative, but that is of no consequence here.
+      The domain name owns data, therefore, it exists.
+
+2.3 When is a Wild Card Domain Name Not Special
+
+      When a wild card domain name appears in a message's query section,
+      no special processing occurs.  An asterisk label in a query name
+      only matches a single, corresponding asterisk label in the
+      existing zone tree when the 4.3.2 algorithm is being followed.
+
+      When a wild card domain name appears in the resource data of a
+      record, no special processing occurs.  An asterisk label in that
+      context literally means just an asterisk.
+
+3. Impact of a Wild Card Domain Name On a Response
+
+      RFC 1034's description of how wildcards impact response
+      generation is in its section 4.3.2.  That passage contains the
+      algorithm followed by a server in constructing a response.
+      Within that algorithm, step 3, part 'c' defines the behavior of
+      the wildcard.
+
+      The algorithm in section 4.3.2. is not intended to be pseudo-code,
+      i.e., its steps are not intended to be followed in strict order.
+      The "algorithm" is a suggested means of implementing the
+      requirements.  As such, in step 3, parts a, b, and c, do not have
+      to be implemented in that order, provided that the result of the
+      implemented code is compliant with the protocol's specification.
+
+3.1 Step 2
+
+      Step 2 of section 4.3.2 reads:
+
+#   2. Search the available zones for the zone which is the nearest
+#      ancestor to QNAME.  If such a zone is found, go to step 3,
+#      otherwise step 4.
+
+DNSEXT Working Group        Expires July 9, 2006             [Page 10]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+      In this step, the most appropriate zone for the response is
+      chosen.  The significance of this step is that it means all of
+      step 3 is being performed within one zone.  This has significance
+      when considering whether or not an SOA RR can be ever be used for
+      synthesis.
+
+3.2 Step 3
+
+      Step 3 is dominated by three parts, labelled 'a', 'b', and 'c'.
+      But the beginning of the step is important and needs explanation.
+
+#   3. Start matching down, label by label, in the zone.  The
+#      matching process can terminate several ways:
+
+      The word 'matching' refers to label matching.  The concept
+      is based in the view of the zone as the tree of existing names.
+      The query name is considered to be an ordered sequence of
+      labels - as if the name were a path from the root to the owner
+      of the desired data.  (Which it is - 3rd paragraph of RFC 1034,
+      section 3.1.)
+
+      The process of label matching a query name ends in exactly one of
+      three choices, the parts 'a', 'b', and 'c'.  Either the name is
+      found, the name is below a cut point, or the name is not found.
+
+      Once one of the parts is chosen, the other parts are not
+      considered.  (E.g., do not execute part 'c' and then change
+      the execution path to finish in part 'b'.)  The process of label
+      matching is also done independent of the query type (QTYPE).
+
+      Parts 'a' and 'b' are not an issue for this clarification as they
+      do not relate to record synthesis.  Part 'a' is an exact match
+      that results in an answer, part 'b' is a referral.
+
+3.3 Part 'c'
+
+      The context of part 'c' is that the process of label matching the
+      labels of the query name has resulted in a situation in which
+      there is no corresponding label in the tree.  It is as if the
+      lookup has "fallen off the tree."
+
+#     c. If at some label, a match is impossible (i.e., the
+#        corresponding label does not exist), look to see if [...]
+#        the "*" label exists.
+
+      To help describe the process of looking 'to see if [...] the "*"
+      label exists' a term has been coined to describe the last domain
+      (node) matched.  The term is "closest encloser."
+
+
+
+
+DNSEXT Working Group        Expires July 9, 2006             [Page 11]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+3.3.1 Closest Encloser and the Source of Synthesis
+
+      The closest encloser is the node in the zone's tree of existing
+      domain names that has the most labels matching the query name
+      (consecutively, counting from the root label downward). Each match
+      is a "label match" and the order of the labels is the same.
+
+      The closest encloser is, by definition, an existing name in the
+      zone.  The closest encloser might be an empty non-terminal or even
+      be a wild card domain name itself.  In no circumstances is the
+      closest encloser to be used to synthesize records for the current
+      query.
+
+      The source of synthesis is defined in the context of a query
+      process as that wild card domain name immediately descending
+      from the closest encloser, provided that this wild card domain
+      name exists.  "Immediately descending" means that the source
+      of synthesis has a name of the form:
+            <asterisk label>.<closest encloser>.
+      A source of synthesis does not guarantee having a RRSet to use
+      for synthesis.  The source of synthesis could be an empty
+      non-terminal.
+
+      If the source of synthesis does not exist (not on the domain
+      tree), there will be no wildcard synthesis.  There is no search
+      for an alternate.
+
+      The important concept is that for any given lookup process, there
+      is at most one place at which wildcard synthetic records can be
+      obtained.  If the source of synthesis does not exist, the lookup
+      terminates, the lookup does not look for other wildcard records.
+
+3.3.2 Closest Encloser and Source of Synthesis Examples
+
+      To illustrate, using the example zone in section 2.2.1 of this
+      document, the following chart shows QNAMEs and the closest
+      enclosers.
+
+      QNAME                       Closest Encloser    Source of Synthesis
+      host3.example.              example.            *.example.
+      _telnet._tcp.host1.example. _tcp.host1.example. no source
+      _telnet._tcp.host2.example. host2.example.      no source
+      _telnet._tcp.host3.example. example.            *.example.
+      _chat._udp.host3.example.   example.            *.example.
+      foobar.*.example.           *.example.          no source
+
+
+
+
+
+
+
+DNSEXT Working Group        Expires July 9, 2006             [Page 12]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+3.3.3 Type Matching
+
+       RFC 1034 concludes part 'c' with this:
+
+#            If the "*" label does not exist, check whether the name
+#            we are looking for is the original QNAME in the query
+#            or a name we have followed due to a CNAME.  If the name
+#            is original, set an authoritative name error in the
+#            response and exit.  Otherwise just exit.
+#
+#            If the "*" label does exist, match RRs at that node
+#            against QTYPE.  If any match, copy them into the answer
+#            section, but set the owner of the RR to be QNAME, and
+#            not the node with the "*" label.  Go to step 6.
+
+      The final paragraph covers the role of the QTYPE in the lookup
+      process.
+
+      Based on implementation feedback and similarities between step
+      'a' and step 'c' a change to this passage has been made.
+
+      The change is to add the following text to step 'c' prior to the
+      instructions to "go to step 6":
+
+               If the data at the source of synthesis is a CNAME, and
+               QTYPE doesn't match CNAME, copy the CNAME RR into the
+               answer section of the response changing the owner name
+               to the QNAME, change QNAME to the canonical name in the
+               CNAME RR, and go back to step 1.
+
+      This is essentially the same text in step a covering the
+      processing of CNAME RRSets.
+
+4. Considerations with Special Types
+
+      Sections 2 and 3 of this document discuss wildcard synthesis
+      with respect to names in the domain tree and ignore the impact
+      of types.  In this section, the implication of wildcards of
+      specific types are discussed.  The types covered are those
+      that have proven to be the most difficult to understand.  The
+      types are SOA, NS, CNAME, DNAME, SRV, DS, NSEC, RRSIG and
+      "none," i.e., empty non-terminal wild card domain names.
+
+4.1 SOA RRSet at a Wild Card Domain Name
+
+      A wild card domain name owning an SOA RRSet means that the
+      domain is at the root of the zone (apex).  The domain can not
+      be a source of synthesis because that is, by definition, a
+      descendent node (of the closest encloser) and a zone apex is
+      at the top of the zone.
+
+
+DNSEXT Working Group        Expires July 9, 2006             [Page 13]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+      Although a wild card domain name owning an SOA RRSet can never
+      be a source of synthesis, there is no reason to forbid the
+      ownership of an SOA RRSet.
+
+      E.g., given this zone:
+             $ORIGIN *.example.
+             @                 3600 IN  SOA   <SOA RDATA>
+                               3600     NS    ns1.example.com.
+                               3600     NS    ns1.example.net.
+             www               3600     TXT   "the www txt record"
+
+      A query for www.*.example.'s TXT record would still find the
+      "the www txt record" answer.  The asterisk label only becomes
+      significant when section 4.3.2, step 3 part 'c' is in effect.
+
+      Of course, there would need to be a delegation in the parent
+      zone, "example." for this to work too.  This is covered in the
+      next section.
+
+4.2 NS RRSet at a Wild Card Domain Name
+
+      With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now
+      in place, the semantics of a wild card domain name owning an
+      NS RRSet has come to be poorly defined.  The dilemma relates to
+      a conflict between the rules for synthesis in part 'c' and the
+      fact that the resulting synthesis generates a record for which
+      the zone is not authoritative.  In a DNSSEC signed zone, the
+      mechanics of signature management (generation and inclusion
+      in a message) have become unclear.
+
+      Salient points of the working group discussion on this topic is
+      summarized in section 4.2.1.
+
+      As a result of these discussion, there is no definition given for
+      wild card domain names owning an NS RRSet.  The semantics are
+      left undefined until there is a clear need to have a set defined,
+      and until there is a clear direction to proceed.  Operationally,
+      inclusion of wild card NS RRSets in a zone is discouraged, but
+      not barred.
+
+4.2.1 Discarded Notions
+
+      Prior to DNSSEC, a wild card domain name owning a NS RRSet
+      appeared to be workable, and there are some instances in which
+      it is found in deployments using implementations that support
+      this.  Continuing to allow this in the specification is not
+      tenable with DNSSEC.  The reason is that the synthesis of the
+      NS RRSet is being done in a zone that has delegated away the
+      responsibility for the name.  This "unauthorized" synthesis is
+      not a problem for the base DNS protocol, but DNSSEC, in affirming
+      the authorization model for DNS exposes the problem.
+
+DNSEXT Working Group        Expires July 9, 2006             [Page 14]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+      Outright banning of wildcards of type NS is also untenable as
+      the DNS protocol does not define how to handle "illegal" data.
+      Implementations may choose not to load a zone, but there is no
+      protocol definition.  The lack of the definition is complicated
+      by having to cover dynamic update [RFC 2136], zone transfers,
+      as well as loading at the master server.  The case of a client
+      (resolver, caching server) getting a wildcard of type NS in
+      a reply would also have to be considered.
+
+      Given the daunting challenge of a complete definition of how to
+      ban such records, dealing with existing implementations that
+      permit the records today is a further complication.  There are
+      uses of wild card domain name owning NS RRSets.
+
+      One compromise proposed would have redefined wildcards of type
+      NS to not be used in synthesis, this compromise fell apart
+      because it would have required significant edits to the DNSSEC
+      signing and validation work.  (Again, DNSSEC catches
+      unauthorized data.)
+
+      With no clear consensus forming on the solution to this dilemma,
+      and the realization that wildcards of type NS are a rarity in
+      operations, the best course of action is to leave this open-ended
+      until "it matters."
+
+4.3 CNAME RRSet at a Wild Card Domain Name
+
+      The issue of a CNAME RRSet owned by a wild card domain name has
+      prompted a suggested change to the last paragraph of step 3c of
+      the algorithm in 4.3.2.  The changed text appears in section
+      3.3.3 of this document.
+
+4.4 DNAME RRSet at a Wild Card Domain Name
+
+      Ownership of a DNAME [RFC2672] RRSet by a wild card domain name
+      represents a threat to the coherency of the DNS and is to be
+      avoided or outright rejected.  Such a DNAME RRSet represents
+      non-deterministic synthesis of rules fed to different caches.
+      As caches are fed the different rules (in an unpredictable
+      manner) the caches will cease to be coherent.  ("As caches
+      are fed" refers to the storage in a cache of records obtained
+      in responses by recursive or iterative servers.)
+
+      For example, assume one cache, responding to a recursive
+      request, obtains the record:
+         "a.b.example. DNAME foo.bar.example.net."
+      and another cache obtains:
+         "b.example.  DNAME foo.bar.example.net."
+      both generated from the record:
+         "*.example. DNAME foo.bar.example.net."
+      by an authoritative server.
+
+DNSEXT Working Group        Expires July 9, 2006             [Page 15]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+      The DNAME specification is not clear on whether DNAME records
+      in a cache are used to rewrite queries.  In some interpretations,
+      the rewrite occurs, in some, it is not.  Allowing for the
+      occurrence of rewriting, queries for "sub.a.b.example. A" may
+      be rewritten as "sub.foo.bar.tld. A" by the former caching
+      server and may be rewritten as "sub.a.foo.bar.tld. A" by the
+      latter.  Coherency is lost, an operational nightmare ensues.
+
+      Another justification for banning or avoiding wildcard DNAME
+      records is the observation that such a record could synthesize
+      a DNAME owned by "sub.foo.bar.example." and "foo.bar.example."
+      There is a restriction in the DNAME definition that no domain
+      exist below a DNAME-owning domain, hence, the wildcard DNAME
+      is not to be permitted.
+
+4.5 SRV RRSet at a Wild Card Domain Name
+
+      The definition of the SRV RRset is RFC 2782 [RFC2782].  In the
+      definition of the record, there is some confusion over the term
+      "Name."  The definition reads as follows:
+
+# The format of the SRV RR
+...
+#    _Service._Proto.Name TTL Class SRV Priority Weight Port Target
+...
+#  Name
+#   The domain this RR refers to.  The SRV RR is unique in that the
+#   name one searches for is not this name; the example near the end
+#   shows this clearly.
+
+      Do not confuse the definition "Name" with the owner name.  I.e.,
+      once removing the _Service and _Proto labels from the owner name
+      of the SRV RRSet, what remains could be a wild card domain name
+      but this is immaterial to the SRV RRSet.
+
+      E.g.,  If an SRV record is:
+         _foo._udp.*.example. 10800 IN SRV 0 1 9 old-slow-box.example.
+
+      *.example is a wild card domain name and although it is the Name
+      of the SRV RR, it is not the owner (domain name).  The owner
+      domain name is "_foo._udp.*.example." which is not a wild card
+      domain name.
+
+      The confusion is likely based on the mixture of the specification
+      of the SRV RR and the description of a "use case."
+
+4.6 DS RRSet at a Wild Card Domain Name
+
+      A DS RRSet owned by a wild card domain name is meaningless and
+      harmless.  This statement is made in the context that an NS RRSet
+      at a wild card domain name is undefined.  At a non-delegation
+
+DNSEXT Working Group        Expires July 9, 2006             [Page 16]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+      point, a DS RRSet has no value (no corresponding DNSKEY RRSet
+      will be used in DNSSEC validation).  If there is a synthesized
+      DS RRSet, it alone will not be very useful as it exists in the
+      context of a delegation point.
+
+4.7 NSEC RRSet at a Wild Card Domain Name
+
+      Wild card domain names in DNSSEC signed zones will have an NSEC
+      RRSet.  Synthesis of these records will only occur when the
+      query exactly matches the record.  Synthesized NSEC RR's will not
+      be harmful as they will never be used in negative caching or to
+      generate a negative response.  [RFC2308]
+
+4.8 RRSIG at a Wild Card Domain Name
+
+      RRSIG records will be present at a wild card domain name in a
+      signed zone, and will be synthesized along with data sought in a
+      query.  The fact that the owner name is synthesized is not a
+      problem as the label count in the RRSIG will instruct the
+      verifying code to ignore it.
+
+4.9 Empty Non-terminal Wild Card Domain Name
+
+      If a source of synthesis is an empty non-terminal, then the
+      response will be one of no error in the return code and no RRSet
+      in the answer section.
+
+5. Security Considerations
+
+      This document is refining the specifications to make it more
+      likely that security can be added to DNS.  No functional
+      additions are being made, just refining what is considered
+      proper to allow the DNS, security of the DNS, and extending
+      the DNS to be more predictable.
+
+6. IANA Considerations
+
+       None.
+
+7. References
+
+      Normative References
+
+      [RFC20]   ASCII Format for Network Interchange, V.G. Cerf,
+                Oct-16-1969
+
+      [RFC1034] Domain Names - Concepts and Facilities,
+                P.V. Mockapetris, Nov-01-1987
+
+      [RFC1035] Domain Names - Implementation and Specification, P.V
+                Mockapetris, Nov-01-1987
+
+DNSEXT Working Group        Expires July 9, 2006             [Page 17]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+      [RFC1995] Incremental Zone Transfer in DNS, M. Ohta, August 1996
+
+      [RFC2119] Key Words for Use in RFCs to Indicate Requirement
+                Levels, S Bradner, March 1997
+
+      [RFC2308] Negative Caching of DNS Queries (DNS NCACHE),
+                M. Andrews, March 1998
+
+      [RFC2672] Non-Terminal DNS Name Redirection, M. Crawford,
+                August 1999.
+
+      [RFC2782] A DNS RR for specifying the location of services (DNS
+                SRV), A. Gulbrandsen, et.al., February 2000
+
+      [RFC4033] DNS Security Introduction and Requirements, R. Arends,
+                et.al., March 2005
+
+      [RFC4034] Resource Records for the DNS Security Extensions,
+                R. Arends, et.al., March 2005
+
+      [RFC4035] Protocol Modifications for the DNS Security Extensions,
+                R. Arends, et.al., March 2005
+
+      Informative References
+
+      [RFC2136] Dynamic Updates in the Domain Name System (DNS UPDATE),
+                P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound,
+                April 1997
+
+8. Editor
+
+           Name:         Edward Lewis
+           Affiliation:  NeuStar
+           Address:      46000 Center Oak Plaza, Sterling, VA, 20166, US
+           Phone:        +1-571-434-5468
+           Email:        ed.lewis@neustar.biz
+
+      Comments on this document can be sent to the editor or the mailing
+      list for the DNSEXT WG, namedroppers@ops.ietf.org.
+
+9. Others Contributing to the Document
+
+      This document represents the work of a large working group.  The
+      editor merely recorded the collective wisdom of the working group.
+
+
+
+
+
+
+
+
+
+DNSEXT Working Group        Expires July 9, 2006             [Page 17]
+
+Internet-Draft                  dnsext-wcard           January 9, 2006
+
+10. Trailing Boilerplate
+
+      Copyright (C) The Internet Society (2006).
+
+      This document is subject to the rights, licenses and restrictions
+      contained in BCP 78, and except as set forth therein, the authors
+      retain all their rights.
+
+      This document and the information contained herein are provided
+      on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION
+      HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET
+      SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL
+      WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
+      ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
+      INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+      MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+      The IETF takes no position regarding the validity or scope of
+      any Intellectual Property Rights or other rights that might
+      be claimed to pertain to the implementation or use of the
+      technology described in this document or the extent to which
+      any license under such rights might or might not be available;
+      nor does it represent that it has made any independent effort
+      to identify any such rights.  Information on the procedures
+      with respect to rights in RFC documents can be found in BCP 78
+      and BCP 79.
+
+      Copies of IPR disclosures made to the IETF Secretariat and any
+      assurances of licenses to be made available, or the result of an
+      attempt made to obtain a general license or permission for the
+      use of such proprietary rights by implementers or users of this
+      specification can be obtained from the IETF on-line IPR
+      repository at http://www.ietf.org/ipr.  The IETF invites any
+      interested party to bring to its attention any copyrights,
+      patents or patent applications, or other proprietary rights
+      that may cover technology that may be required to implement
+      this standard.  Please address the information to the IETF at
+      ietf-ipr@ietf.org.
+
+Acknowledgement
+
+      Funding for the RFC Editor function is currently provided by the
+      Internet Society.
+
+Expiration
+
+      This document expires on or about July 9, 2006.
+
+
+
+DNSEXT Working Group        Expires July 9, 2006             [Page 19]
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-05.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-05.txt
new file mode 100644
index 0000000..0855ba3
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-05.txt
@@ -0,0 +1,1232 @@
+
+
+
+DNS Operations                                                 M. Larson
+Internet-Draft                                                 P. Barber
+Expires: August 14, 2006                                        VeriSign
+                                                       February 10, 2006
+
+
+                  Observed DNS Resolution Misbehavior
+                    draft-ietf-dnsop-bad-dns-res-05
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on August 14, 2006.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   This memo describes DNS iterative resolver behavior that results in a
+   significant query volume sent to the root and top-level domain (TLD)
+   name servers.  We offer implementation advice to iterative resolver
+   developers to alleviate these unnecessary queries.  The
+   recommendations made in this document are a direct byproduct of
+   observation and analysis of abnormal query traffic patterns seen at
+   two of the thirteen root name servers and all thirteen com/net TLD
+   name servers.
+
+
+
+Larson & Barber          Expires August 14, 2006                [Page 1]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119 [1].
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
+     1.1.  A note about terminology in this memo  . . . . . . . . . .  3
+   2.  Observed iterative resolver misbehavior  . . . . . . . . . . .  5
+     2.1.  Aggressive requerying for delegation information . . . . .  5
+       2.1.1.  Recommendation . . . . . . . . . . . . . . . . . . . .  6
+     2.2.  Repeated queries to lame servers . . . . . . . . . . . . .  7
+       2.2.1.  Recommendation . . . . . . . . . . . . . . . . . . . .  7
+     2.3.  Inability to follow multiple levels of indirection . . . .  8
+       2.3.1.  Recommendation . . . . . . . . . . . . . . . . . . . .  9
+     2.4.  Aggressive retransmission when fetching glue . . . . . . .  9
+       2.4.1.  Recommendation . . . . . . . . . . . . . . . . . . . . 10
+     2.5.  Aggressive retransmission behind firewalls . . . . . . . . 10
+       2.5.1.  Recommendation . . . . . . . . . . . . . . . . . . . . 11
+     2.6.  Misconfigured NS records . . . . . . . . . . . . . . . . . 11
+       2.6.1.  Recommendation . . . . . . . . . . . . . . . . . . . . 12
+     2.7.  Name server records with zero TTL  . . . . . . . . . . . . 12
+       2.7.1.  Recommendation . . . . . . . . . . . . . . . . . . . . 13
+     2.8.  Unnecessary dynamic update messages  . . . . . . . . . . . 13
+       2.8.1.  Recommendation . . . . . . . . . . . . . . . . . . . . 14
+     2.9.  Queries for domain names resembling IPv4 addresses . . . . 14
+       2.9.1.  Recommendation . . . . . . . . . . . . . . . . . . . . 14
+     2.10. Misdirected recursive queries  . . . . . . . . . . . . . . 15
+       2.10.1. Recommendation . . . . . . . . . . . . . . . . . . . . 15
+     2.11. Suboptimal name server selection algorithm . . . . . . . . 15
+       2.11.1. Recommendation . . . . . . . . . . . . . . . . . . . . 16
+   3.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 17
+   4.  IANA considerations  . . . . . . . . . . . . . . . . . . . . . 18
+   5.  Security considerations  . . . . . . . . . . . . . . . . . . . 19
+   6.  Internationalization considerations  . . . . . . . . . . . . . 20
+   7.  Informative References . . . . . . . . . . . . . . . . . . . . 20
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21
+   Intellectual Property and Copyright Statements . . . . . . . . . . 22
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber          Expires August 14, 2006                [Page 2]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+1.  Introduction
+
+   Observation of query traffic received by two root name servers and
+   the thirteen com/net TLD name servers has revealed that a large
+   proportion of the total traffic often consists of "requeries".  A
+   requery is the same question (<QNAME, QTYPE, QCLASS>) asked
+   repeatedly at an unexpectedly high rate.  We have observed requeries
+   from both a single IP address and multiple IP addresses (i.e., the
+   same query received simultaneously from multiple IP addresses).
+
+   By analyzing requery events we have found that the cause of the
+   duplicate traffic is almost always a deficient iterative resolver,
+   stub resolver or application implementation combined with an
+   operational anomaly.  The implementation deficiencies we have
+   identified to date include well-intentioned recovery attempts gone
+   awry, insufficient caching of failures, early abort when multiple
+   levels of indirection must be followed, and aggressive retry by stub
+   resolvers or applications.  Anomalies that we have seen trigger
+   requery events include lame delegations, unusual glue records, and
+   anything that makes all authoritative name servers for a zone
+   unreachable (DoS attacks, crashes, maintenance, routing failures,
+   congestion, etc.).
+
+   In the following sections, we provide a detailed explanation of the
+   observed behavior and recommend changes that will reduce the requery
+   rate.  None of the changes recommended affects the core DNS protocol
+   specification; instead, this document consists of guidelines to
+   implementors of iterative resolvers.
+
+1.1.  A note about terminology in this memo
+
+   To recast an old saying about standards, the nice thing about DNS
+   terms is that there are so many of them to choose from.  Writing or
+   talking about DNS can be difficult and cause confusion resulting from
+   a lack of agreed-upon terms for its various components.  Further
+   complicating matters are implementations that combine multiple roles
+   into one piece of software, which makes naming the result
+   problematic.  An example is the entity that accepts recursive
+   queries, issues iterative queries as necessary to resolve the initial
+   recursive query, caches responses it receives, and which is also able
+   to answer questions about certain zones authoritatively.  This entity
+   is an iterative resolver combined with an authoritative name server
+   and is often called a "recursive name server" or a "caching name
+   server".
+
+   This memo is concerned principally with the behavior of iterative
+   resolvers, which are typically found as part of a recursive name
+   server.  This memo uses the more precise term "iterative resolver",
+
+
+
+Larson & Barber          Expires August 14, 2006                [Page 3]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+   because the focus is usually on that component.  In instances where
+   the name server role of this entity requires mentioning, this memo
+   uses the term "recursive name server".  As an example of the
+   difference, the name server component of a recursive name server
+   receives DNS queries and the iterative resolver component sends
+   queries.
+
+   The advent of IPv6 requires mentioning AAAA records as well as A
+   records when discussing glue.  To avoid continuous repetition and
+   qualification, this memo uses the general term "address record" to
+   encompass both A and AAAA records when a particular situation is
+   relevant to both types.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber          Expires August 14, 2006                [Page 4]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+2.  Observed iterative resolver misbehavior
+
+2.1.  Aggressive requerying for delegation information
+
+   There can be times when every name server in a zone's NS RRset is
+   unreachable (e.g., during a network outage), unavailable (e.g., the
+   name server process is not running on the server host) or
+   misconfigured (e.g., the name server is not authoritative for the
+   given zone, also known as "lame").  Consider an iterative resolver
+   that attempts to resolve a query for a domain name in such a zone and
+   discovers that none of the zone's name servers can provide an answer.
+   We have observed a recursive name server implementation whose
+   iterative resolver then verifies the zone's NS RRset in its cache by
+   querying for the zone's delegation information: it sends a query for
+   the zone's NS RRset to one of the parent zone's name servers.  (Note
+   that queries with QTYPE=NS are not required by the standard
+   resolution algorithm described in section 4.3.2 of RFC 1034 [2].
+   These NS queries represent this implementation's addition to that
+   algorithm.)
+
+   For example, suppose that "example.com" has the following NS RRset:
+
+     example.com.   IN   NS   ns1.example.com.
+     example.com.   IN   NS   ns2.example.com.
+
+   Upon receipt of a query for "www.example.com" and assuming that
+   neither "ns1.example.com" nor "ns2.example.com" can provide an
+   answer, this iterative resolver implementation immediately queries a
+   "com" zone name server for the "example.com" NS RRset to verify it
+   has the proper delegation information.  This implementation performs
+   this query to a zone's parent zone for each recursive query it
+   receives that fails because of a completely unresponsive set of name
+   servers for the target zone.  Consider the effect when a popular zone
+   experiences a catastrophic failure of all its name servers: now every
+   recursive query for domain names in that zone sent to this recursive
+   name server implementation results in a query to the failed zone's
+   parent name servers.  On one occasion when several dozen popular
+   zones became unreachable, the query load on the com/net name servers
+   increased by 50%.
+
+   We believe this verification query is not reasonable.  Consider the
+   circumstances: When an iterative resolver is resolving a query for a
+   domain name in a zone it has not previously searched, it uses the
+   list of name servers in the referral from the target zone's parent.
+   If on its first attempt to search the target zone, none of the name
+   servers in the referral is reachable, a verification query to the
+   parent would be pointless: this query to the parent would come so
+   quickly on the heels of the referral that it would be almost certain
+
+
+
+Larson & Barber          Expires August 14, 2006                [Page 5]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+   to contain the same list of name servers.  The chance of discovering
+   any new information is slim.
+
+   The other possibility is that the iterative resolver successfully
+   contacts one of the target zone's name servers and then caches the NS
+   RRset from the authority section of a response, the proper behavior
+   according to section 5.4.1 of RFC 2181 [3], because the NS RRset from
+   the target zone is more trustworthy than delegation information from
+   the parent zone.  If, while processing a subsequent recursive query,
+   the iterative resolver discovers that none of the name servers
+   specified in the cached NS RRset is available or authoritative,
+   querying the parent would be wrong.  An NS RRset from the parent zone
+   would now be less trustworthy than data already in the cache.
+
+   For this query of the parent zone to be useful, the target zone's
+   entire set of name servers would have to change AND the former set of
+   name servers would have to be deconfigured or decommissioned AND the
+   delegation information in the parent zone would have to be updated
+   with the new set of name servers, all within the TTL of the target
+   zone's NS RRset.  We believe this scenario is uncommon:
+   administrative best practices dictate that changes to a zone's set of
+   name servers happen gradually when at all possible, with servers
+   removed from the NS RRset left authoritative for the zone as long as
+   possible.  The scenarios that we can envision that would benefit from
+   the parent requery behavior do not outweigh its damaging effects.
+
+   This section should not be understood to claim that all queries to a
+   zone's parent are bad.  In some cases, such queries are not only
+   reasonable but required.  Consider the situation when required
+   information, such as the address of a name server (i.e., the address
+   record corresponding to the RDATA of an NS record), has timed out of
+   an iterative resolver's cache before the corresponding NS record.  If
+   the name of the name server is below the apex of the zone, then the
+   name server's address record is only available as glue in the parent
+   zone.  For example, consider this NS record:
+
+     example.com.        IN   NS   ns.example.com.
+
+   If a cache has this NS record but not the address record for
+   "ns.example.com", it is unable to contact the "example.com" zone
+   directly and must query the "com" zone to obtain the address record.
+   Note, however, that such a query would not have QTYPE=NS according to
+   the standard resolution algorithm.
+
+2.1.1.  Recommendation
+
+   An iterative resolver MUST NOT send a query for the NS RRset of a
+   non-responsive zone to any of the name servers for that zone's parent
+
+
+
+Larson & Barber          Expires August 14, 2006                [Page 6]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+   zone.  For the purposes of this injunction, a non-responsive zone is
+   defined as a zone for which every name server listed in the zone's NS
+   RRset:
+
+   1.  is not authoritative for the zone (i.e., lame), or,
+
+   2.  returns a server failure response (RCODE=2), or,
+
+   3.  is dead or unreachable according to section 7.2 of RFC 2308 [4].
+
+2.2.  Repeated queries to lame servers
+
+   Section 2.1 describes a catastrophic failure: when every name server
+   for a zone is unable to provide an answer for one reason or another.
+   A more common occurrence is when a subset of a zone's name servers
+   are unavailable or misconfigured.  Different failure modes have
+   different expected durations.  Some symptoms indicate problems that
+   are potentially transient; for example, various types of ICMP
+   unreachable messages because a name server process is not running or
+   a host or network is unreachable, or a complete lack of a response to
+   a query.  Such responses could be the result of a host rebooting or
+   temporary outages; these events don't necessarily require any human
+   intervention and can be reasonably expected to be temporary.
+
+   Other symptoms clearly indicate a condition requiring human
+   intervention, such as lame server: if a name server is misconfigured
+   and not authoritative for a zone delegated to it, it is reasonable to
+   assume that this condition has potential to last longer than
+   unreachability or unresponsiveness.  Consequently, repeated queries
+   to known lame servers are not useful.  In this case of a condition
+   with potential to persist for a long time, a better practice would be
+   to maintain a list of known lame servers and avoid querying them
+   repeatedly in a short interval.
+
+   It should also be noted, however, that some authoritative name server
+   implementations appear to be lame only for queries of certain types
+   as described in RFC 4074 [5].  In this case, it makes sense to retry
+   the "lame" servers for other types of queries, particularly when all
+   known authoritative name servers appear to be "lame".
+
+2.2.1.  Recommendation
+
+   Iterative resolvers SHOULD cache name servers that they discover are
+   not authoritative for zones delegated to them (i.e. lame servers).
+   If this caching is performed, lame servers MUST be cached against the
+   specific query tuple <zone name, class, server IP address>.  Zone
+   name can be derived from the owner name of the NS record that was
+   referenced to query the name server that was discovered to be lame.
+
+
+
+Larson & Barber          Expires August 14, 2006                [Page 7]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+   Implementations that perform lame server caching MUST refrain from
+   sending queries to known lame servers based on a time interval from
+   when the server is discovered to be lame.  A minimum interval of
+   thirty minutes is RECOMMENDED.
+
+   An exception to this recommendation occurs if all name servers for a
+   zone are marked lame.  In that case, the iterative resolver SHOULD
+   temporarily ignore the servers' lameness status and query one or more
+   servers.  This behavior is a workaround for the type-specific
+   lameness issue described in the previous section.
+
+   Implementors should take care not to make lame server avoidance logic
+   overly broad: note that a name server could be lame for a parent zone
+   but not a child zone, e.g., lame for "example.com" but properly
+   authoritative for "sub.example.com".  Therefore a name server should
+   not be automatically considered lame for subzones.  In the case
+   above, even if a name server is known to be lame for "example.com",
+   it should be queried for QNAMEs at or below "sub.example.com" if an
+   NS record indicates it should be authoritative for that zone.
+
+2.3.  Inability to follow multiple levels of indirection
+
+   Some iterative resolver implementations are unable to follow
+   sufficient levels of indirection.  For example, consider the
+   following delegations:
+
+     foo.example.        IN   NS   ns1.example.com.
+     foo.example.        IN   NS   ns2.example.com.
+
+     example.com.        IN   NS   ns1.test.example.net.
+     example.com.        IN   NS   ns2.test.example.net.
+
+     test.example.net.   IN   NS   ns1.test.example.net.
+     test.example.net.   IN   NS   ns2.test.example.net.
+
+   An iterative resolver resolving the name "www.foo.example" must
+   follow two levels of indirection, first obtaining address records for
+   "ns1.test.example.net" or "ns2.test.example.net" in order to obtain
+   address records for "ns1.example.com" or "ns2.example.com" in order
+   to query those name servers for the address records of
+   "www.foo.example".  While this situation may appear contrived, we
+   have seen multiple similar occurrences and expect more as new generic
+   top-level domains (gTLDs) become active.  We anticipate many zones in
+   new gTLDs will use name servers in existing gTLDs, increasing the
+   number of delegations using out-of-zone name servers.
+
+
+
+
+
+
+Larson & Barber          Expires August 14, 2006                [Page 8]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+2.3.1.  Recommendation
+
+   Clearly constructing a delegation that relies on multiple levels of
+   indirection is not a good administrative practice.  However, the
+   practice is widespread enough to require that iterative resolvers be
+   able to cope with it.  Iterative resolvers SHOULD be able to handle
+   arbitrary levels of indirection resulting from out-of-zone name
+   servers.  Iterative resolvers SHOULD implement a level-of-effort
+   counter to avoid loops or otherwise performing too much work in
+   resolving pathological cases.
+
+   A best practice that avoids this entire issue of indirection is to
+   name one or more of a zone's name servers in the zone itself.  For
+   example, if the zone is named "example.com", consider naming some of
+   the name servers "ns{1,2,...}.example.com" (or similar).
+
+2.4.  Aggressive retransmission when fetching glue
+
+   When an authoritative name server responds with a referral, it
+   includes NS records in the authority section of the response.
+   According to the algorithm in section 4.3.2 of RFC 1034 [2], the name
+   server should also "put whatever addresses are available into the
+   additional section, using glue RRs if the addresses are not available
+   from authoritative data or the cache."  Some name server
+   implementations take this address inclusion a step further with a
+   feature called "glue fetching".  A name server that implements glue
+   fetching attempts to include address records for every NS record in
+   the authority section.  If necessary, the name server issues multiple
+   queries of its own to obtain any missing address records.
+
+   Problems with glue fetching can arise in the context of
+   "authoritative-only" name servers, which only serve authoritative
+   data and ignore requests for recursion.  Such an entity will not
+   normally generate any queries of its own.  Instead it answers non-
+   recursive queries from iterative resolvers looking for information in
+   zones it serves.  With glue fetching enabled, however, an
+   authoritative server invokes an iterative resolver to look up an
+   unknown address record to complete the additional section of a
+   response.
+
+   We have observed situations where the iterative resolver of a glue-
+   fetching name server can send queries that reach other name servers,
+   but is apparently prevented from receiving the responses.  For
+   example, perhaps the name server is authoritative-only and therefore
+   its administrators expect it to receive only queries and not
+   responses.  Perhaps unaware of glue fetching and presuming that the
+   name server's iterative resolver will generate no queries, its
+   administrators place the name server behind a network device that
+
+
+
+Larson & Barber          Expires August 14, 2006                [Page 9]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+   prevents it from receiving responses.  If this is the case, all glue-
+   fetching queries will go answered.
+
+   We have observed name server implementations whose iterative
+   resolvers retry excessively when glue-fetching queries are
+   unanswered.  A single com/net name server has received hundreds of
+   queries per second from a single such source.  Judging from the
+   specific queries received and based on additional analysis, we
+   believe these queries result from overly aggressive glue fetching.
+
+2.4.1.  Recommendation
+
+   Implementers whose name servers support glue fetching SHOULD take
+   care to avoid sending queries at excessive rates.  Implementations
+   SHOULD support throttling logic to detect when queries are sent but
+   no responses are received.
+
+2.5.  Aggressive retransmission behind firewalls
+
+   A common occurrence and one of the largest sources of repeated
+   queries at the com/net and root name servers appears to result from
+   resolvers behind misconfigured firewalls.  In this situation, an
+   iterative resolver is apparently allowed to send queries through a
+   firewall to other name servers, but not receive the responses.  The
+   result is more queries than necessary because of retransmission, all
+   of which are useless because the responses are never received.  Just
+   as with the glue-fetching scenario described in Section 2.4, the
+   queries are sometimes sent at excessive rates.  To make matters
+   worse, sometimes the responses, sent in reply to legitimate queries,
+   trigger an alarm on the originator's intrusion detection system.  We
+   are frequently contacted by administrators responding to such alarms
+   who believe our name servers are attacking their systems.
+
+   Not only do some resolvers in this situation retransmit queries at an
+   excessive rate, but they continue to do so for days or even weeks.
+   This scenario could result from an organization with multiple
+   recursive name servers, only a subset of whose iterative resolvers'
+   traffic is improperly filtered in this manner.  Stub resolvers in the
+   organization could be configured to query multiple recursive name
+   servers.  Consider the case where a stub resolver queries a filtered
+   recursive name server first.  The iterative resolver of this
+   recursive name server sends one or more queries whose replies are
+   filtered, so it can't respond to the stub resolver, which times out.
+   Then the stub resolver retransmits to a recursive name server that is
+   able to provide an answer.  Since resolution ultimately succeeds the
+   underlying problem might not be recognized or corrected.  A popular
+   stub resolver implementation has a very aggressive retransmission
+   schedule, including simultaneous queries to multiple recursive name
+
+
+
+Larson & Barber          Expires August 14, 2006               [Page 10]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+   servers, which could explain how such a situation could persist
+   without being detected.
+
+2.5.1.  Recommendation
+
+   The most obvious recommendation is that administrators SHOULD take
+   care not to place iterative resolvers behind a firewall that allows
+   queries to pass through but not the resulting replies.
+
+   Iterative resolvers SHOULD take care to avoid sending queries at
+   excessive rates.  Implementations SHOULD support throttling logic to
+   detect when queries are sent but no responses are received.
+
+2.6.  Misconfigured NS records
+
+   Sometimes a zone administrator forgets to add the trailing dot on the
+   domain names in the RDATA of a zone's NS records.  Consider this
+   fragment of the zone file for "example.com":
+
+     $ORIGIN example.com.
+     example.com.      3600   IN   NS   ns1.example.com  ; Note missing
+     example.com.      3600   IN   NS   ns2.example.com  ; trailing dots
+
+   The zone's authoritative servers will parse the NS RDATA as
+   "ns1.example.com.example.com" and "ns2.example.com.example.com" and
+   return NS records with this incorrect RDATA in responses, including
+   typically the authority section of every response containing records
+   from the "example.com" zone.
+
+   Now consider a typical sequence of queries.  An iterative resolver
+   attempting to resolve address records for "www.example.com" with no
+   cached information for this zone will query a "com" authoritative
+   server.  The "com" server responds with a referral to the
+   "example.com" zone, consisting of NS records with valid RDATA and
+   associated glue records.  (This example assumes that the
+   "example.com" zone delegation information is correct in the "com"
+   zone.)  The iterative resolver caches the NS RRset from the "com"
+   server and follows the referral by querying one of the "example.com"
+   authoritative servers.  This server responds with the
+   "www.example.com" address record in the answer section and,
+   typically, the "example.com" NS records in the authority section and,
+   if space in the message remains, glue address records in the
+   additional section.  According to Section 5.4 of RFC 2181 [3], NS
+   records in the authority section of an authoritative answer are more
+   trustworthy than NS records from the authority section of a non-
+   authoritative answer.  Thus the "example.com" NS RRset just received
+   from the "example.com" authoritative server overrides the
+   "example.com" NS RRset received moments ago from the "com"
+
+
+
+Larson & Barber          Expires August 14, 2006               [Page 11]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+   authoritative server.
+
+   But the "example.com" zone contains the erroneous NS RRset as shown
+   in the example above.  Subsequent queries for names in "example.com"
+   will cause the iterative resolver to attempt to use the incorrect NS
+   records and so it will try to resolve the nonexistent names
+   "ns1.example.com.example.com" and "ns2.example.com.example.com".  In
+   this example, since all of the zone's name servers are named in the
+   zone itself (i.e., "ns1.example.com.example.com" and
+   "ns2.example.com.example.com" both end in "example.com") and all are
+   bogus, the iterative resolver cannot reach any "example.com" name
+   servers.  Therefore attempts to resolve these names result in address
+   record queries to the "com" authoritative servers.  Queries for such
+   obviously bogus glue address records occur frequently at the com/net
+   name servers.
+
+2.6.1.  Recommendation
+
+   An authoritative server can detect this situation.  A trailing dot
+   missing from an NS record's RDATA always results by definition in a
+   name server name that exists somewhere under the apex of the zone the
+   NS record appears in.  Note that further levels of delegation are
+   possible, so a missing trailing dot could inadvertently create a name
+   server name that actually exists in a subzone.
+
+   An authoritative name server SHOULD issue a warning when one of a
+   zone's NS records references a name server below the zone's apex when
+   a corresponding address record does not exist in the zone AND there
+   are no delegated subzones where the address record could exist.
+
+2.7.  Name server records with zero TTL
+
+   Sometimes a popular com/net subdomain's zone is configured with a TTL
+   of zero on the zone's NS records, which prohibits these records from
+   being cached and will result in a higher query volume to the zone's
+   authoritative servers.  The zone's administrator should understand
+   the consequences of such a configuration and provision resources
+   accordingly.  A zero TTL on the zone's NS RRset, however, carries
+   additional consequences beyond the zone itself: if an iterative
+   resolver cannot cache a zone's NS records because of a zero TTL, it
+   will be forced to query that zone's parent's name servers each time
+   it resolves a name in the zone.  The com/net authoritative servers do
+   see an increased query load when a popular com/net subdomain's zone
+   is configured with a TTL of zero on the zone's NS records.
+
+   A zero TTL on an RRset expected to change frequently is extreme but
+   permissible.  A zone's NS RRset is a special case, however, because
+   changes to it must be coordinated with the zone's parent.  In most
+
+
+
+Larson & Barber          Expires August 14, 2006               [Page 12]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+   zone parent/child relationships we are aware of, there is typically
+   some delay involved in effecting changes.  Further, changes to the
+   set of a zone's authoritative name servers (and therefore to the
+   zone's NS RRset) are typically relatively rare: providing reliable
+   authoritative service requires a reasonably stable set of servers.
+   Therefore an extremely low or zero TTL on a zone's NS RRset rarely
+   makes sense, except in anticipation of an upcoming change.  In this
+   case, when the zone's administrator has planned a change and does not
+   want iterative resolvers throughout the Internet to cache the NS
+   RRset for a long period of time, a low TTL is reasonable.
+
+2.7.1.  Recommendation
+
+   Because of the additional load placed on a zone's parent's
+   authoritative servers resulting from a zero TTL on a zone's NS RRset,
+   under such circumstances authoritative name servers SHOULD issue a
+   warning when loading a zone.
+
+2.8.  Unnecessary dynamic update messages
+
+   The UPDATE message specified in RFC 2136 [6] allows an authorized
+   agent to update a zone's data on an authoritative name server using a
+   DNS message sent over the network.  Consider the case of an agent
+   desiring to add a particular resource record.  Because of zone cuts,
+   the agent does not necessarily know the proper zone to which the
+   record should be added.  The dynamic update process requires that the
+   agent determine the appropriate zone so the UPDATE message can be
+   sent to one of the zone's authoritative servers (typically the
+   primary master as specified in the zone's SOA MNAME field).
+
+   The appropriate zone to update is the closest enclosing zone, which
+   cannot be determined only by inspecting the domain name of the record
+   to be updated, since zone cuts can occur anywhere.  One way to
+   determine the closest enclosing zone entails walking up the name
+   space tree by sending repeated UPDATE messages until success.  For
+   example, consider an agent attempting to add an address record with
+   the name "foo.bar.example.com".  The agent could first attempt to
+   update the "foo.bar.example.com" zone.  If the attempt failed, the
+   update could be directed to the "bar.example.com" zone, then the
+   "example.com" zone, then the "com" zone, and finally the root zone.
+
+   A popular dynamic agent follows this algorithm.  The result is many
+   UPDATE messages received by the root name servers, the com/net
+   authoritative servers, and presumably other TLD authoritative
+   servers.  A valid question is why the algorithm proceeds to send
+   updates all the way to TLD and root name servers.  This behavior is
+   not entirely unreasonable: in enterprise DNS architectures with an
+   "internal root" design, there could conceivably be private, non-
+
+
+
+Larson & Barber          Expires August 14, 2006               [Page 13]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+   public TLD or root zones that would be the appropriate targets for a
+   dynamic update.
+
+   A significant deficiency with this algorithm is that knowledge of a
+   given UPDATE message's failure is not helpful in directing future
+   UPDATE messages to the appropriate servers.  A better algorithm would
+   be to find the closest enclosing zone by walking up the name space
+   with queries for SOA or NS rather than "probing" with UPDATE
+   messages.  Once the appropriate zone is found, an UPDATE message can
+   be sent.  In addition, the results of these queries can be cached to
+   aid in determining closest enclosing zones for future updates.  Once
+   the closest enclosing zone is determined with this method, the update
+   will either succeed or fail and there is no need to send further
+   updates to higher-level zones.  The important point is that walking
+   up the tree with queries yields cacheable information, whereas
+   walking up the tree by sending UPDATE messages does not.
+
+2.8.1.  Recommendation
+
+   Dynamic update agents SHOULD send SOA or NS queries to progressively
+   higher-level names to find the closest enclosing zone for a given
+   name to update.  Only after the appropriate zone is found should the
+   client send an UPDATE message to one of the zone's authoritative
+   servers.  Update clients SHOULD NOT "probe" using UPDATE messages by
+   walking up the tree to progressively higher-level zones.
+
+2.9.  Queries for domain names resembling IPv4 addresses
+
+   The root name servers receive a significant number of A record
+   queries where the QNAME looks like an IPv4 address.  The source of
+   these queries is unknown.  It could be attributed to situations where
+   a user believes an application will accept either a domain name or an
+   IP address in a given configuration option.  The user enters an IP
+   address, but the application assumes any input is a domain name and
+   attempts to resolve it, resulting in an A record lookup.  There could
+   also be applications that produce such queries in a misguided attempt
+   to reverse map IP addresses.
+
+   These queries result in Name Error (RCODE=3) responses.  An iterative
+   resolver can negatively cache such responses, but each response
+   requires a separate cache entry, i.e., a negative cache entry for the
+   domain name "192.0.2.1" does not prevent a subsequent query for the
+   domain name "192.0.2.2".
+
+2.9.1.  Recommendation
+
+   It would be desirable for the root name servers not to have to answer
+   these queries: they unnecessarily consume CPU resources and network
+
+
+
+Larson & Barber          Expires August 14, 2006               [Page 14]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+   bandwidth.  A possible solution is to delegate these numeric TLDs
+   from the root zone to a separate set of servers to absorb the
+   traffic.  The "black hole servers" used by the AS 112 Project [8],
+   which are currently delegated the in-addr.arpa zones corresponding to
+   RFC 1918 [7] private use address space, would be a possible choice to
+   receive these delegations.  Of course, the proper and usual root zone
+   change procedures would have to be followed to make such a change to
+   the root zone.
+
+2.10.  Misdirected recursive queries
+
+   The root name servers receive a significant number of recursive
+   queries (i.e., queries with the RD bit set in the header).  Since
+   none of the root servers offers recursion, the servers' response in
+   such a situation ignores the request for recursion and the response
+   probably does not contain the data the querier anticipated.  Some of
+   these queries result from users configuring stub resolvers to query a
+   root server.  (This situation is not hypothetical: we have received
+   complaints from users when this configuration does not work as
+   hoped.)  Of course, users should not direct stub resolvers to use
+   name servers that do not offer recursion, but we are not aware of any
+   stub resolver implementation that offers any feedback to the user
+   when so configured, aside from simply "not working".
+
+2.10.1.  Recommendation
+
+   When the IP address of a name server that supposedly offers recursion
+   is configured in a stub resolver using an interactive user interface,
+   the resolver could send a test query to verify that the server indeed
+   supports recursion (i.e., verify that the response has the RA bit set
+   in the header).  The user could be immediately notified if the server
+   is non-recursive.
+
+   The stub resolver could also report an error, either through a user
+   interface or in a log file, if the queried server does not support
+   recursion.  Error reporting SHOULD be throttled to avoid a
+   notification or log message for every response from a non-recursive
+   server.
+
+2.11.  Suboptimal name server selection algorithm
+
+   An entire document could be devoted to the topic of problems with
+   different implementations of the recursive resolution algorithm.  The
+   entire process of recursion is woefully under specified, requiring
+   each implementor to design an algorithm.  Sometimes implementors make
+   poor design choices that could be avoided if a suggested algorithm
+   and best practices were documented, but that is a topic for another
+   document.
+
+
+
+Larson & Barber          Expires August 14, 2006               [Page 15]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+   Some deficiencies cause significant operational impact and are
+   therefore worth mentioning here.  One of these is name server
+   selection by an iterative resolver.  When an iterative resolver wants
+   to contact one of a zone's authoritative name servers, how does it
+   choose from the NS records listed in the zone's NS RRset?  If the
+   selection mechanism is suboptimal, queries are not spread evenly
+   among a zone's authoritative servers.  The details of the selection
+   mechanism are up to the implementor, but we offer some suggestions.
+
+2.11.1.  Recommendation
+
+   This list is not conclusive, but reflects the changes that would
+   produce the most impact in terms of reducing disproportionate query
+   load among a zone's authoritative servers.  I.e., these changes would
+   help spread the query load evenly.
+
+   o  Do not make assumptions based on NS RRset order: all NS RRs SHOULD
+      be treated equally.  (In the case of the "com" zone, for example,
+      most of the root servers return the NS record for "a.gtld-
+      servers.net" first in the authority section of referrals.
+      Apparently as a result, this server receives disproportionately
+      more traffic than the other 12 authoritative servers for "com".)
+
+   o  Use all NS records in an RRset.  (For example, we are aware of
+      implementations that hard-coded information for a subset of the
+      root servers.)
+
+   o  Maintain state and favor the best-performing of a zone's
+      authoritative servers.  A good definition of performance is
+      response time.  Non-responsive servers can be penalized with an
+      extremely high response time.
+
+   o  Do not lock onto the best-performing of a zone's name servers.  An
+      iterative resolver SHOULD periodically check the performance of
+      all of a zone's name servers to adjust its determination of the
+      best-performing one.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber          Expires August 14, 2006               [Page 16]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+3.  Acknowledgments
+
+   The authors would like to thank the following people for their
+   comments that improved this document: Andras Salamon, Dave Meyer,
+   Doug Barton, Jaap Akkerhuis, Jinmei Tatuya, John Brady, Kevin Darcy,
+   Olafur Gudmundsson, Pekka Savola, Peter Koch and Rob Austein.  We
+   apologize if we have omitted anyone; any oversight was unintentional.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber          Expires August 14, 2006               [Page 17]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+4.  IANA considerations
+
+   There are no new IANA considerations introduced by this memo.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber          Expires August 14, 2006               [Page 18]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+5.  Security considerations
+
+   The iterative resolver misbehavior discussed in this document exposes
+   the root and TLD name servers to increased risk of both intentional
+   and unintentional denial of service attacks.
+
+   We believe that implementation of the recommendations offered in this
+   document will reduce the amount of unnecessary traffic seen at root
+   and TLD name servers, thus reducing the opportunity for an attacker
+   to use such queries to his or her advantage.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber          Expires August 14, 2006               [Page 19]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+6.  Internationalization considerations
+
+   There are no new internationalization considerations introduced by
+   this memo.
+
+7.  Informative References
+
+   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
+        Levels", BCP 14, RFC 2119, March 1997.
+
+   [2]  Mockapetris, P., "Domain names - concepts and facilities",
+        STD 13, RFC 1034, November 1987.
+
+   [3]  Elz, R. and R. Bush, "Clarifications to the DNS Specification",
+        RFC 2181, July 1997.
+
+   [4]  Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+        RFC 2308, March 1998.
+
+   [5]  Morishita, Y. and T. Jinmei, "Common Misbehavior Against DNS
+        Queries for IPv6 Addresses", RFC 4074, May 2005.
+
+   [6]  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic
+        Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+        April 1997.
+
+   [7]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E.
+        Lear, "Address Allocation for Private Internets", BCP 5,
+        RFC 1918, February 1996.
+
+   [8]  <http://www.as112.net>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber          Expires August 14, 2006               [Page 20]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+Authors' Addresses
+
+   Matt Larson
+   VeriSign, Inc.
+   21345 Ridgetop Circle
+   Dulles, VA  20166-6503
+   USA
+
+   Email: mlarson@verisign.com
+
+
+   Piet Barber
+   VeriSign, Inc.
+   21345 Ridgetop Circle
+   Dulles, VA  20166-6503
+   USA
+
+   Email: pbarber@verisign.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber          Expires August 14, 2006               [Page 21]
+
+Internet-Draft     Observed DNS Resolution Misbehavior     February 2006
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+   Copyright (C) The Internet Society (2006).  This document is subject
+   to the rights, licenses and restrictions contained in BCP 78, and
+   except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+Larson & Barber          Expires August 14, 2006               [Page 22]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt
new file mode 100644
index 0000000..8ca68a8
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt
@@ -0,0 +1,2016 @@
+
+
+
+DNSOP                                                         O. Kolkman
+Internet-Draft                                                 R. Gieben
+Obsoletes: 2541 (if approved)                                 NLnet Labs
+Expires: September 7, 2006                                 March 6, 2006
+
+
+                      DNSSEC Operational Practices
+          draft-ietf-dnsop-dnssec-operational-practices-08.txt
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on September 7, 2006.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   This document describes a set of practices for operating the DNS with
+   security extensions (DNSSEC).  The target audience is zone
+   administrators deploying DNSSEC.
+
+   The document discusses operational aspects of using keys and
+   signatures in the DNS.  It discusses issues as key generation, key
+   storage, signature generation, key rollover and related policies.
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 1]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   This document obsoletes RFC 2541, as it covers more operational
+   ground and gives more up to date requirements with respect to key
+   sizes and the new DNSSEC specification.
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
+     1.1.  The Use of the Term 'key'  . . . . . . . . . . . . . . . .  4
+     1.2.  Time Definitions . . . . . . . . . . . . . . . . . . . . .  5
+   2.  Keeping the Chain of Trust Intact  . . . . . . . . . . . . . .  5
+   3.  Keys Generation and Storage  . . . . . . . . . . . . . . . . .  6
+     3.1.  Zone and Key Signing Keys  . . . . . . . . . . . . . . . .  6
+       3.1.1.  Motivations for the KSK and ZSK Separation . . . . . .  7
+       3.1.2.  KSKs for High Level Zones  . . . . . . . . . . . . . .  8
+     3.2.  Key Generation . . . . . . . . . . . . . . . . . . . . . .  8
+     3.3.  Key Effectivity Period . . . . . . . . . . . . . . . . . .  9
+     3.4.  Key Algorithm  . . . . . . . . . . . . . . . . . . . . . .  9
+     3.5.  Key Sizes  . . . . . . . . . . . . . . . . . . . . . . . . 10
+     3.6.  Private Key Storage  . . . . . . . . . . . . . . . . . . . 12
+   4.  Signature generation, Key Rollover and Related Policies  . . . 12
+     4.1.  Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 12
+       4.1.1.  Time Considerations  . . . . . . . . . . . . . . . . . 13
+     4.2.  Key Rollovers  . . . . . . . . . . . . . . . . . . . . . . 14
+       4.2.1.  Zone Signing Key Rollovers . . . . . . . . . . . . . . 15
+       4.2.2.  Key Signing Key Rollovers  . . . . . . . . . . . . . . 19
+       4.2.3.  Difference Between ZSK and KSK Rollovers . . . . . . . 20
+       4.2.4.  Automated Key Rollovers  . . . . . . . . . . . . . . . 21
+     4.3.  Planning for Emergency Key Rollover  . . . . . . . . . . . 22
+       4.3.1.  KSK Compromise . . . . . . . . . . . . . . . . . . . . 22
+       4.3.2.  ZSK Compromise . . . . . . . . . . . . . . . . . . . . 24
+       4.3.3.  Compromises of Keys Anchored in Resolvers  . . . . . . 24
+     4.4.  Parental Policies  . . . . . . . . . . . . . . . . . . . . 24
+       4.4.1.  Initial Key Exchanges and Parental Policies
+               Considerations . . . . . . . . . . . . . . . . . . . . 24
+       4.4.2.  Storing Keys or Hashes?  . . . . . . . . . . . . . . . 25
+       4.4.3.  Security Lameness  . . . . . . . . . . . . . . . . . . 25
+       4.4.4.  DS Signature Validity Period . . . . . . . . . . . . . 26
+   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 26
+   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 27
+   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 27
+   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 27
+     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 27
+     8.2.  Informative References . . . . . . . . . . . . . . . . . . 28
+   Appendix A.  Terminology . . . . . . . . . . . . . . . . . . . . . 29
+   Appendix B.  Zone Signing Key Rollover Howto . . . . . . . . . . . 30
+   Appendix C.  Typographic Conventions . . . . . . . . . . . . . . . 31
+   Appendix D.  Document Details and Changes  . . . . . . . . . . . . 33
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 2]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+     D.1.  draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . 33
+     D.2.  draft-ietf-dnsop-dnssec-operational-practices-01 . . . . . 33
+     D.3.  draft-ietf-dnsop-dnssec-operational-practices-02 . . . . . 33
+     D.4.  draft-ietf-dnsop-dnssec-operational-practices-03 . . . . . 33
+     D.5.  draft-ietf-dnsop-dnssec-operational-practices-04 . . . . . 34
+     D.6.  draft-ietf-dnsop-dnssec-operational-practices-05 . . . . . 34
+     D.7.  draft-ietf-dnsop-dnssec-operational-practices-06 . . . . . 34
+     D.8.  draft-ietf-dnsop-dnssec-operational-practices-07 . . . . . 34
+     D.9.  draft-ietf-dnsop-dnssec-operational-practices-08 . . . . . 34
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35
+   Intellectual Property and Copyright Statements . . . . . . . . . . 36
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 3]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+1.  Introduction
+
+   This document describes how to run a DNSSEC (DNS SECure) enabled
+   environment.  It is intended for operators who have knowledge of the
+   DNS (see RFC 1034 [1] and RFC 1035 [2]) and want deploy DNSSEC.  See
+   RFC 4033 [4] for an introduction into DNSSEC and RFC 4034 [5] for the
+   newly introduced Resource Records and finally RFC 4035 [6] for the
+   protocol changes.
+
+   During workshops and early operational deployment tests, operators
+   and system administrators have gained experience about operating the
+   DNS with security extensions (DNSSEC).  This document translates
+   these experiences into a set of practices for zone administrators.
+   At the time of writing, there exists very little experience with
+   DNSSEC in production environments; this document should therefore
+   explicitly not be seen as representing 'Best Current Practices'.
+
+   The procedures herein are focused on the maintenance of signed zones
+   (i.e. signing and publishing zones on authoritative servers).  It is
+   intended that maintenance of zones such as re-signing or key
+   rollovers be transparent to any verifying clients on the Internet.
+
+   The structure of this document is as follows.  In Section 2 we
+   discuss the importance of keeping the "chain of trust" intact.
+   Aspects of key generation and storage of private keys are discussed
+   in Section 3; the focus in this section is mainly on the private part
+   of the key(s).  Section 4 describes considerations concerning the
+   public part of the keys.  Since these public keys appear in the DNS
+   one has to take into account all kinds of timing issues, which are
+   discussed in Section 4.1.  Section 4.2 and Section 4.3 deal with the
+   rollover, or supercession, of keys.  Finally Section 4.4 discusses
+   considerations on how parents deal with their children's public keys
+   in order to maintain chains of trust.
+
+   The typographic conventions used in this document are explained in
+   Appendix C.
+
+   Since this is a document with operational suggestions and there are
+   no protocol specifications, the RFC 2119 [9] language does not apply.
+
+   This document obsoletes RFC 2541 [12].
+
+1.1.  The Use of the Term 'key'
+
+   It is assumed that the reader is familiar with the concept of
+   asymmetric keys on which DNSSEC is based (Public Key Cryptography
+   [18]).  Therefore, this document will use the term 'key' rather
+   loosely.  Where it is written that 'a key is used to sign data' it is
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 4]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   assumed that the reader understands that it is the private part of
+   the key pair that is used for signing.  It is also assumed that the
+   reader understands that the public part of the key pair is published
+   in the DNSKEY resource record and that it is the public part that is
+   used in key exchanges.
+
+1.2.  Time Definitions
+
+   In this document we will be using a number of time related terms.
+   The following definitions apply:
+   o  "Signature validity period"
+         The period that a signature is valid.  It starts at the time
+         specified in the signature inception field of the RRSIG RR and
+         ends at the time specified in the expiration field of the RRSIG
+         RR.
+   o  "Signature publication period"
+         Time after which a signature (made with a specific key) is
+         replaced with a new signature (made with the same key).  This
+         replacement takes place by publishing the relevant RRSIG in the
+         master zone file.
+         After one stops publishing an RRSIG in a zone it may take a
+         while before the RRSIG has expired from caches and has actually
+         been removed from the DNS.
+   o  "Key effectivity period"
+         The period during which a key pair is expected to be effective.
+         This period is defined as the time between the first inception
+         time stamp and the last expiration date of any signature made
+         with this key, regardless of any discontinuity in the use of
+         the key.
+         The key effectivity period can span multiple signature validity
+         periods.
+   o  "Maximum/Minimum Zone Time to Live (TTL)"
+         The maximum or minimum value of the TTLs from the complete set
+         of RRs in a zone.  Note that the minimum TTL is not the same as
+         the MINIMUM field in the SOA RR.  See [11] for more
+         information.
+
+
+2.  Keeping the Chain of Trust Intact
+
+   Maintaining a valid chain of trust is important because broken chains
+   of trust will result in data being marked as Bogus (as defined in [4]
+   section 5), which may cause entire (sub)domains to become invisible
+   to verifying clients.  The administrators of secured zones have to
+   realize that their zone is, to verifying clients, part of a chain of
+   trust.
+
+   As mentioned in the introduction, the procedures herein are intended
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 5]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   to ensure that maintenance of zones, such as re-signing or key
+   rollovers, will be transparent to the verifying clients on the
+   Internet.
+
+   Administrators of secured zones will have to keep in mind that data
+   published on an authoritative primary server will not be immediately
+   seen by verifying clients; it may take some time for the data to be
+   transferred to other secondary authoritative nameservers and clients
+   may be fetching data from caching non-authoritative servers.  In this
+   light it is good to note that the time for a zone transfer from
+   master to slave is negligible when using NOTIFY [8] and IXFR [7],
+   increasing by reliance on AXFR, and more if you rely on the SOA
+   timing parameters for zone refresh.
+
+   For the verifying clients it is important that data from secured
+   zones can be used to build chains of trust regardless of whether the
+   data came directly from an authoritative server, a caching nameserver
+   or some middle box.  Only by carefully using the available timing
+   parameters can a zone administrator assure that the data necessary
+   for verification can be obtained.
+
+   The responsibility for maintaining the chain of trust is shared by
+   administrators of secured zones in the chain of trust.  This is most
+   obvious in the case of a 'key compromise' when a trade off between
+   maintaining a valid chain of trust and replacing the compromised keys
+   as soon as possible must be made.  Then zone administrators will have
+   to make a trade off, between keeping the chain of trust intact -
+   thereby allowing for attacks with the compromised key - or to
+   deliberately break the chain of trust and making secured sub domains
+   invisible to security aware resolvers.  Also see Section 4.3.
+
+
+3.  Keys Generation and Storage
+
+   This section describes a number of considerations with respect to the
+   security of keys.  It deals with the generation, effectivity period,
+   size and storage of private keys.
+
+3.1.  Zone and Key Signing Keys
+
+   The DNSSEC validation protocol does not distinguish between different
+   types of DNSKEYs.  All DNSKEYs can be used during the validation.  In
+   practice operators use Key Signing and Zone Signing Keys and use the
+   so-called (Secure Entry Point) SEP [3] flag to distinguish between
+   them during operations.  The dynamics and considerations are
+   discussed below.
+
+   To make zone re-signing and key rollover procedures easier to
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 6]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   implement, it is possible to use one or more keys as Key Signing Keys
+   (KSK).  These keys will only sign the apex DNSKEY RRSet in a zone.
+   Other keys can be used to sign all the RRSets in a zone and are
+   referred to as Zone Signing Keys (ZSK).  In this document we assume
+   that KSKs are the subset of keys that are used for key exchanges with
+   the parent and potentially for configuration as trusted anchors - the
+   SEP keys.  In this document we assume a one-to-one mapping between
+   KSK and SEP keys and we assume the SEP flag to be set on all KSKs.
+
+3.1.1.  Motivations for the KSK and ZSK Separation
+
+   Differentiating between the KSK and ZSK functions has several
+   advantages:
+
+   o  No parent/child interaction is required when ZSKs are updated.
+   o  The KSK can be made stronger (i.e. using more bits in the key
+      material).  This has little operational impact since it is only
+      used to sign a small fraction of the zone data.  Also the KSK is
+      only used to verify the zone's key set, not for other RRSets in
+      the zone.
+   o  As the KSK is only used to sign a key set, which is most probably
+      updated less frequently than other data in the zone, it can be
+      stored separately from and in a safer location than the ZSK.
+   o  A KSK can have a longer key effectivity period.
+
+   For almost any method of key management and zone signing the KSK is
+   used less frequently than the ZSK.  Once a key set is signed with the
+   KSK all the keys in the key set can be used as ZSK.  If a ZSK is
+   compromised, it can be simply dropped from the key set.  The new key
+   set is then re-signed with the KSK.
+
+   Given the assumption that for KSKs the SEP flag is set, the KSK can
+   be distinguished from a ZSK by examining the flag field in the DNSKEY
+   RR.  If the flag field is an odd number it is a KSK.  If it is an
+   even number it is a ZSK.
+
+   The zone signing key can be used to sign all the data in a zone on a
+   regular basis.  When a zone signing key is to be rolled, no
+   interaction with the parent is needed.  This allows for "Signature
+   Validity Periods" on the order of days.
+
+   The key signing key is only to be used to sign the DNSKEY RRs in a
+   zone.  If a key signing key is to be rolled over, there will be
+   interactions with parties other than the zone administrator.  These
+   can include the registry of the parent zone or administrators of
+   verifying resolvers that have the particular key configured as secure
+   entry points.  Hence, the key effectivity period of these keys can
+   and should be made much longer.  Although, given a long enough key,
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 7]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   the Key Effectivity Period can be on the order of years we suggest
+   planning for a key effectivity of the order of a few months so that a
+   key rollover remains an operational routine.
+
+3.1.2.  KSKs for High Level Zones
+
+   Higher level zones are generally more sensitive than lower level
+   zones.  Anyone controlling or breaking the security of a zone thereby
+   obtains authority over all of its sub domains (except in the case of
+   resolvers that have locally configured the public key of a sub
+   domain, in which case this, and only this, sub domain wouldn't be
+   affected by the compromise of the parent zone).  Therefore, extra
+   care should be taken with high level zones and strong keys should
+   used.
+
+   The root zone is the most critical of all zones.  Someone controlling
+   or compromising the security of the root zone would control the
+   entire DNS name space of all resolvers using that root zone (except
+   in the case of resolvers that have locally configured the public key
+   of a sub domain).  Therefore, the utmost care must be taken in the
+   securing of the root zone.  The strongest and most carefully handled
+   keys should be used.  The root zone private key should always be kept
+   off line.
+
+   Many resolvers will start at a root server for their access to and
+   authentication of DNS data.  Securely updating the trust anchors in
+   an enormous population of resolvers around the world will be
+   extremely difficult.
+
+3.2.  Key Generation
+
+   Careful generation of all keys is a sometimes overlooked but
+   absolutely essential element in any cryptographically secure system.
+   The strongest algorithms used with the longest keys are still of no
+   use if an adversary can guess enough to lower the size of the likely
+   key space so that it can be exhaustively searched.  Technical
+   suggestions for the generation of random keys will be found in RFC
+   4086 [15].  One should carefully assess if the random number
+   generator used during key generation adheres to these suggestions.
+
+   Keys with a long effectivity period are particularly sensitive as
+   they will represent a more valuable target and be subject to attack
+   for a longer time than short period keys.  It is strongly recommended
+   that long term key generation occur off-line in a manner isolated
+   from the network via an air gap or, at a minimum, high level secure
+   hardware.
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 8]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+3.3.  Key Effectivity Period
+
+   For various reasons keys in DNSSEC need to be changed once in a
+   while.  The longer a key is in use, the greater the probability that
+   it will have been compromised through carelessness, accident,
+   espionage, or cryptanalysis.  Furthermore when key rollovers are too
+   rare an event, they will not become part of the operational habit and
+   there is risk that nobody on-site will remember the procedure for
+   rollover when the need is there.
+
+   From a purely operational perspective a reasonable key effectivity
+   period for Key Signing Keys is 13 months, with the intent to replace
+   them after 12 months.  An intended key effectivity period of a month
+   is reasonable for Zone Signing Keys.
+
+   For key sizes that matches these effectivity periods see Section 3.5.
+
+   As argued in Section 3.1.2 securely updating trust anchors will be
+   extremely difficult.  On the other hand the "operational habit"
+   argument does also apply to trust anchor reconfiguration.  If a short
+   key-effectivity period is used and the trust anchor configuration has
+   to be revisited on a regular basis the odds that the configuration
+   tends to be forgotten is smaller.  The trade-off is against a system
+   that is so dynamic that administrators of the validating clients will
+   not be able to follow the modifications.
+
+   Key effectivity periods can be made very short, as in the order of a
+   few minutes.  But when replacing keys one has to take the
+   considerations from Section 4.1 and Section 4.2 into account.
+
+3.4.  Key Algorithm
+
+   There are currently three different types of algorithms that can be
+   used in DNSSEC: RSA, DSA and elliptic curve cryptography.  The latter
+   is fairly new and has yet to be standardized for usage in DNSSEC.
+
+   RSA has been developed in an open and transparent manner.  As the
+   patent on RSA expired in 2000, its use is now also free.
+
+   DSA has been developed by NIST.  The creation of signatures takes
+   roughly the same time as with RSA, but is 10 to 40 times as slow for
+   verification [18].
+
+   We suggest the use of RSA/SHA-1 as the preferred algorithm for the
+   key.  The current known attacks on RSA can be defeated by making your
+   key longer.  As the MD5 hashing algorithm is showing (theoretical)
+   cracks, we recommend the usage of SHA-1.
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 9]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   At the time of publication it is known that the SHA-1 hash has
+   cryptanalysis issues.  There is work in progress on addressing these
+   issues.  We recommend the use of public key algorithms based on
+   hashes stronger than SHA-1, e.g.  SHA-256, as soon as these
+   algorithms are available in protocol specifications (See [20] and
+   [21] ) and implementations.
+
+3.5.  Key Sizes
+
+   When choosing key sizes, zone administrators will need to take into
+   account how long a key will be used, how much data will be signed
+   during the key publication period (See Section 8.10 of [18]) and,
+   optionally, how large the key size of the parent is.  As the chain of
+   trust really is "a chain", there is not much sense in making one of
+   the keys in the chain several times larger then the others.  As
+   always, it's the weakest link that defines the strength of the entire
+   chain.  Also see Section 3.1.1 for a discussion of how keys serving
+   different roles (ZSK v.  KSK) may need different key sizes.
+
+   Generating a key of the correct size is a difficult problem, RFC 3766
+   [14] tries to deal with that problem.  The first part of the
+   selection procedure in Section 1 of the RFC states:
+
+      1. Determine the attack resistance necessary to satisfy the
+         security requirements of the application.  Do this by
+         estimating the minimum number of computer operations that
+         the attacker will be forced to do in order to compromise
+         the security of the system and then take the logarithm base
+         two of that number.  Call that logarithm value "n".
+
+         A 1996 report recommended 90 bits as a good all-around choice
+         for system security.  The 90 bit number should be increased
+         by about 2/3 bit/year, or about 96 bits in 2005.
+
+   [14] goes on to explain how this number "n" can be used to calculate
+   the key sizes in public key cryptography.  This culminated in the
+   table given below (slightly modified for our purpose):
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 10]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+      +-------------+-----------+--------------+
+      | System      |           |              |
+      | requirement | Symmetric | RSA or DSA   |
+      | for attack  | key size  | modulus size |
+      | resistance  | (bits)    | (bits)       |
+      | (bits)      |           |              |
+      +-------------+-----------+--------------+
+      |     70      |     70    |      947     |
+      |     80      |     80    |     1228     |
+      |     90      |     90    |     1553     |
+      |    100      |    100    |     1926     |
+      |    150      |    150    |     4575     |
+      |    200      |    200    |     8719     |
+      |    250      |    250    |    14596     |
+      +-------------+-----------+--------------+
+
+   The key sizes given are rather large.  This is because these keys are
+   resilient against a trillionaire attacker.  Assuming this rich
+   attacker will not attack your key and that the key is rolled over
+   once a year, we come to the following recommendations about KSK
+   sizes; 1024 bits low value domains, 1300 for medium value and 2048
+   for the high value domains.
+
+   Whether a domain is of low, medium, high value depends solely on the
+   views of the zone owner.  One could for instance view leaf nodes in
+   the DNS as of low value and TLDs or the root zone of high value.  The
+   suggested key sizes should be safe for the next 5 years.
+
+   As ZSKs can be rolled over more easily (and thus more often) the key
+   sizes can be made smaller.  But as said in the introduction of this
+   paragraph, making the ZSKs' key sizes too small (in relation to the
+   KSKs' sizes) doesn't make much sense.  Try to limit the difference in
+   size to about 100 bits.
+
+   Note that nobody can see into the future, and that these key sizes
+   are only provided here as a guide.  Further information can be found
+   in [17] and Section 7.5 of [18].  It should be noted though that [17]
+   is already considered overly optimistic about what key sizes are
+   considered safe.
+
+   One final note concerning key sizes.  Larger keys will increase the
+   sizes of the RRSIG and DNSKEY records and will therefore increase the
+   chance of DNS UDP packet overflow.  Also the time it takes to
+   validate and create RRSIGs increases with larger keys, so don't
+   needlessly double your key sizes.
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 11]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+3.6.  Private Key Storage
+
+   It is recommended that, where possible, zone private keys and the
+   zone file master copy that is to be signed, be kept and used in off-
+   line, non-network connected, physically secure machines only.
+   Periodically an application can be run to add authentication to a
+   zone by adding RRSIG and NSEC RRs.  Then the augmented file can be
+   transferred.
+
+   When relying on dynamic update to manage a signed zone [10], be aware
+   that at least one private key of the zone will have to reside on the
+   master server.  This key is only as secure as the amount of exposure
+   the server receives to unknown clients and the security of the host.
+   Although not mandatory one could administer the DNS in the following
+   way.  The master that processes the dynamic updates is unavailable
+   from generic hosts on the Internet, it is not listed in the NS RR
+   set, although its name appears in the SOA RRs MNAME field.  The
+   nameservers in the NS RR set are able to receive zone updates through
+   NOTIFY, IXFR, AXFR or an out-of-band distribution mechanism.  This
+   approach is known as the "hidden master" setup.
+
+   The ideal situation is to have a one way information flow to the
+   network to avoid the possibility of tampering from the network.
+   Keeping the zone master file on-line on the network and simply
+   cycling it through an off-line signer does not do this.  The on-line
+   version could still be tampered with if the host it resides on is
+   compromised.  For maximum security, the master copy of the zone file
+   should be off net and should not be updated based on an unsecured
+   network mediated communication.
+
+   In general keeping a zone-file off-line will not be practical and the
+   machines on which zone files are maintained will be connected to a
+   network.  Operators are advised to take security measures to shield
+   unauthorized access to the master copy.
+
+   For dynamically updated secured zones [10] both the master copy and
+   the private key that is used to update signatures on updated RRs will
+   need to be on-line.
+
+
+4.  Signature generation, Key Rollover and Related Policies
+
+4.1.  Time in DNSSEC
+
+   Without DNSSEC all times in DNS are relative.  The SOA fields
+   REFRESH, RETRY and EXPIRATION are timers used to determine the time
+   elapsed after a slave server synchronized with a master server.  The
+   Time to Live (TTL) value and the SOA RR minimum TTL parameter [11]
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 12]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   are used to determine how long a forwarder should cache data after it
+   has been fetched from an authoritative server.  By using a signature
+   validity period, DNSSEC introduces the notion of an absolute time in
+   the DNS.  Signatures in DNSSEC have an expiration date after which
+   the signature is marked as invalid and the signed data is to be
+   considered Bogus.
+
+4.1.1.  Time Considerations
+
+   Because of the expiration of signatures, one should consider the
+   following:
+   o  We suggest the Maximum Zone TTL of your zone data to be a fraction
+      of your signature validity period.
+         If the TTL would be of similar order as the signature validity
+         period, then all RRSets fetched during the validity period
+         would be cached until the signature expiration time.  Section
+         7.1 of [4] suggests that "the resolver may use the time
+         remaining before expiration of the signature validity period of
+         a signed RRSet as an upper bound for the TTL".  As a result
+         query load on authoritative servers would peak at signature
+         expiration time, as this is also the time at which records
+         simultaneously expire from caches.
+         To avoid query load peaks we suggest the TTL on all the RRs in
+         your zone to be at least a few times smaller than your
+         signature validity period.
+   o  We suggest the Signature Publication Period to end at least one
+      Maximum Zone TTL duration before the end of the Signature Validity
+      Period.
+         Re-signing a zone shortly before the end of the signature
+         validity period may cause simultaneous expiration of data from
+         caches.  This in turn may lead to peaks in the load on
+         authoritative servers.
+   o  We suggest the minimum zone TTL to be long enough to both fetch
+      and verify all the RRs in the trust chain.  In workshop
+      environments it has been demonstrated [19] that a low TTL (under 5
+      to 10 minutes) caused disruptions because of the following two
+      problems:
+         1.  During validation, some data may expire before the
+         validation is complete.  The validator should be able to keep
+         all data, until is completed.  This applies to all RRs needed
+         to complete the chain of trust: DSs, DNSKEYs, RRSIGs, and the
+         final answers i.e. the RRSet that is returned for the initial
+         query.
+         2.  Frequent verification causes load on recursive nameservers.
+         Data at delegation points, DSs, DNSKEYs and RRSIGs benefit from
+         caching.  The TTL on those should be relatively long.
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 13]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   o  Slave servers will need to be able to fetch newly signed zones
+      well before the RRSIGs in the zone served by the slave server pass
+      their signature expiration time.
+         When a slave server is out of sync with its master and data in
+         a zone is signed by expired signatures it may be better for the
+         slave server not to give out any answer.
+         Normally a slave server that is not able to contact a master
+         server for an extended period will expire a zone.  When that
+         happens the server will respond differently to queries for that
+         zone.  Some servers issue SERVFAIL while others turn off the
+         'AA' bit in the answers.  The time of expiration is set in the
+         SOA record and is relative to the last successful refresh
+         between the master and the slave server.  There exists no
+         coupling between the signature expiration of RRSIGs in the zone
+         and the expire parameter in the SOA.
+         If the server serves a DNSSEC zone then it may well happen that
+         the signatures expire well before the SOA expiration timer
+         counts down to zero.  It is not possible to completely prevent
+         this from happening by tweaking the SOA parameters.
+         However, the effects can be minimized where the SOA expiration
+         time is equal or shorter than the signature validity period.
+         The consequence of an authoritative server not being able to
+         update a zone, whilst that zone includes expired signatures, is
+         that non-secure resolvers will continue to be able to resolve
+         data served by the particular slave servers while security
+         aware resolvers will experience problems because of answers
+         being marked as Bogus.
+         We suggest the SOA expiration timer being approximately one
+         third or one fourth of the signature validity period.  It will
+         allow problems with transfers from the master server to be
+         noticed before the actual signature times out.
+         We also suggest that operators of nameservers that supply
+         secondary services develop 'watch dogs' to spot upcoming
+         signature expirations in zones they slave, and take appropriate
+         action.
+         When determining the value for the expiration parameter one has
+         to take the following into account: What are the chances that
+         all my secondaries expire the zone; How quickly can I reach an
+         administrator of secondary servers to load a valid zone?  All
+         these arguments are not DNSSEC specific but may influence the
+         choice of your signature validity intervals.
+
+4.2.  Key Rollovers
+
+   A DNSSEC key cannot be used forever (see Section 3.3).  So key
+   rollovers -- or supercessions, as they are sometimes called -- are a
+   fact of life when using DNSSEC.  Zone administrators who are in the
+   process of rolling their keys have to take into account that data
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 14]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   published in previous versions of their zone still lives in caches.
+   When deploying DNSSEC, this becomes an important consideration;
+   ignoring data that may be in caches may lead to loss of service for
+   clients.
+
+   The most pressing example of this occurs when zone material signed
+   with an old key is being validated by a resolver which does not have
+   the old zone key cached.  If the old key is no longer present in the
+   current zone, this validation fails, marking the data Bogus.
+   Alternatively, an attempt could be made to validate data which is
+   signed with a new key against an old key that lives in a local cache,
+   also resulting in data being marked Bogus.
+
+4.2.1.  Zone Signing Key Rollovers
+
+   For zone signing key rollovers there are two ways to make sure that
+   during the rollover data still cached can be verified with the new
+   key sets or newly generated signatures can be verified with the keys
+   still in caches.  One schema, described in Section 4.2.1.2, uses
+   double signatures; the other uses key pre-publication
+   (Section 4.2.1.1).  The pros, cons and recommendations are described
+   in Section 4.2.1.3.
+
+4.2.1.1.  Pre-publish Key Rollover
+
+   This section shows how to perform a ZSK rollover without the need to
+   sign all the data in a zone twice - the so-called "pre-publish
+   rollover".This method has advantages in the case of a key compromise.
+   If the old key is compromised, the new key has already been
+   distributed in the DNS.  The zone administrator is then able to
+   quickly switch to the new key and remove the compromised key from the
+   zone.  Another major advantage is that the zone size does not double,
+   as is the case with the double signature ZSK rollover.  A small
+   "HOWTO" for this kind of rollover can be found in Appendix B.
+
+   Pre-publish Key Rollover involves four stages as follows:
+
+    initial         new DNSKEY       new RRSIGs      DNSKEY removal
+
+    SOA0            SOA1             SOA2            SOA3
+    RRSIG10(SOA0)   RRSIG10(SOA1)    RRSIG11(SOA2)   RRSIG11(SOA3)
+
+    DNSKEY1         DNSKEY1          DNSKEY1         DNSKEY1
+    DNSKEY10        DNSKEY10         DNSKEY10        DNSKEY11
+                    DNSKEY11         DNSKEY11
+    RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  RRSIG1(DNSKEY)  RRSIG1 (DNSKEY)
+    RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 15]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   initial: Initial version of the zone: DNSKEY 1 is the key signing
+      key.  DNSKEY 10 is used to sign all the data of the zone, the zone
+      signing key.
+   new DNSKEY: DNSKEY 11 is introduced into the key set.  Note that no
+      signatures are generated with this key yet, but this does not
+      secure against brute force attacks on the public key.  The minimum
+      duration of this pre-roll phase is the time it takes for the data
+      to propagate to the authoritative servers plus TTL value of the
+      key set.
+   new RRSIGs: At the "new RRSIGs" stage (SOA serial 2) DNSKEY 11 is
+      used to sign the data in the zone exclusively (i.e. all the
+      signatures from DNSKEY 10 are removed from the zone).  DNSKEY 10
+      remains published in the key set.  This way data that was loaded
+      into caches from version 1 of the zone can still be verified with
+      key sets fetched from version 2 of the zone.
+      The minimum time that the key set including DNSKEY 10 is to be
+      published is the time that it takes for zone data from the
+      previous version of the zone to expire from old caches i.e. the
+      time it takes for this zone to propagate to all authoritative
+      servers plus the Maximum Zone TTL value of any of the data in the
+      previous version of the zone.
+   DNSKEY removal: DNSKEY 10 is removed from the zone.  The key set, now
+      only containing DNSKEY 1 and DNSKEY 11 is re-signed with the
+      DNSKEY 1.
+
+   The above scheme can be simplified by always publishing the "future"
+   key immediately after the rollover.  The scheme would look as follows
+   (we show two rollovers); the future key is introduced in "new DNSKEY"
+   as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
+   (II)":
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 16]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+       initial             new RRSIGs          new DNSKEY
+
+       SOA0                SOA1                SOA2
+       RRSIG10(SOA0)       RRSIG11(SOA1)       RRSIG11(SOA2)
+
+       DNSKEY1             DNSKEY1             DNSKEY1
+       DNSKEY10            DNSKEY10            DNSKEY11
+       DNSKEY11            DNSKEY11            DNSKEY12
+       RRSIG1(DNSKEY)      RRSIG1 (DNSKEY)     RRSIG1(DNSKEY)
+       RRSIG10(DNSKEY)     RRSIG11(DNSKEY)     RRSIG11(DNSKEY)
+
+
+       new RRSIGs (II)     new DNSKEY (II)
+
+       SOA3                SOA4
+       RRSIG12(SOA3)       RRSIG12(SOA4)
+
+       DNSKEY1             DNSKEY1
+       DNSKEY11            DNSKEY12
+       DNSKEY12            DNSKEY13
+       RRSIG1(DNSKEY)      RRSIG1(DNSKEY)
+       RRSIG12(DNSKEY)     RRSIG12(DNSKEY)
+
+
+   Pre-Publish Key Rollover, showing two rollovers.
+
+   Note that the key introduced in the "new DNSKEY" phase is not used
+   for production yet; the private key can thus be stored in a
+   physically secure manner and does not need to be 'fetched' every time
+   a zone needs to be signed.
+
+4.2.1.2.  Double Signature Zone Signing Key Rollover
+
+   This section shows how to perform a ZSK key rollover using the double
+   zone data signature scheme, aptly named "double sig rollover".
+
+   During the "new DNSKEY" stage the new version of the zone file will
+   need to propagate to all authoritative servers and the data that
+   exists in (distant) caches will need to expire, requiring at least
+   the maximum Zone TTL.
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 17]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   Double Signature Zone Signing Key Rollover involves three stages as
+   follows:
+
+       initial             new DNSKEY         DNSKEY removal
+
+       SOA0                SOA1               SOA2
+       RRSIG10(SOA0)       RRSIG10(SOA1)      RRSIG11(SOA2)
+                           RRSIG11(SOA1)
+
+       DNSKEY1             DNSKEY1            DNSKEY1
+       DNSKEY10            DNSKEY10           DNSKEY11
+                           DNSKEY11
+       RRSIG1(DNSKEY)      RRSIG1(DNSKEY)     RRSIG1(DNSKEY)
+       RRSIG10(DNSKEY)     RRSIG10(DNSKEY)    RRSIG11(DNSKEY)
+                           RRSIG11(DNSKEY)
+
+   initial: Initial Version of the zone: DNSKEY 1 is the key signing
+      key.  DNSKEY 10 is used to sign all the data of the zone, the zone
+      signing key.
+   new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
+      introduced into the key set and all the data in the zone is signed
+      with DNSKEY 10 and DNSKEY 11.  The rollover period will need to
+      continue until all data from version 0 of the zone has expired
+      from remote caches.  This will take at least the maximum Zone TTL
+      of version 0 of the zone.
+   DNSKEY removal: DNSKEY 10 is removed from the zone.  All the
+      signatures from DNSKEY 10 are removed from the zone.  The key set,
+      now only containing DNSKEY 11, is re-signed with DNSKEY 1.
+
+   At every instance, RRSIGs from the previous version of the zone can
+   be verified with the DNSKEY RRSet from the current version and the
+   other way around.  The data from the current version can be verified
+   with the data from the previous version of the zone.  The duration of
+   the "new DNSKEY" phase and the period between rollovers should be at
+   least the Maximum Zone TTL.
+
+   Making sure that the "new DNSKEY" phase lasts until the signature
+   expiration time of the data in initial version of the zone is
+   recommended.  This way all caches are cleared of the old signatures.
+   However, this duration could be considerably longer than the Maximum
+   Zone TTL, making the rollover a lengthy procedure.
+
+   Note that in this example we assumed that the zone was not modified
+   during the rollover.  New data can be introduced in the zone as long
+   as it is signed with both keys.
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 18]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+4.2.1.3.  Pros and Cons of the Schemes
+
+   Pre-publish Key Rollover: This rollover does not involve signing the
+      zone data twice.  Instead, before the actual rollover, the new key
+      is published in the key set and thus available for cryptanalysis
+      attacks.  A small disadvantage is that this process requires four
+      steps.  Also the pre-publish scheme involves more parental work
+      when used for KSK rollovers as explained in Section 4.2.3.
+   Double Signature Zone-signing Key Rollover: The drawback of this
+      signing scheme is that during the rollover the number of
+      signatures in your zone doubles, this may be prohibitive if you
+      have very big zones.  An advantage is that it only requires three
+      steps.
+
+4.2.2.  Key Signing Key Rollovers
+
+   For the rollover of a key signing key the same considerations as for
+   the rollover of a zone signing key apply.  However we can use a
+   double signature scheme to guarantee that old data (only the apex key
+   set) in caches can be verified with a new key set and vice versa.
+   Since only the key set is signed with a KSK, zone size considerations
+   do not apply.
+
+
+       initial        new DNSKEY        DS change       DNSKEY removal
+     Parent:
+       SOA0           -------->         SOA1            -------->
+       RRSIGpar(SOA0) -------->         RRSIGpar(SOA1)  -------->
+       DS1            -------->         DS2             -------->
+       RRSIGpar(DS)   -------->         RRSIGpar(DS)    -------->
+
+
+     Child:
+       SOA0            SOA1             -------->       SOA2
+       RRSIG10(SOA0)   RRSIG10(SOA1)    -------->       RRSIG10(SOA2)
+                                        -------->
+       DNSKEY1         DNSKEY1          -------->       DNSKEY2
+                       DNSKEY2          -------->
+       DNSKEY10        DNSKEY10         -------->       DNSKEY10
+       RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  -------->       RRSIG2 (DNSKEY)
+                       RRSIG2 (DNSKEY)  -------->
+       RRSIG10(DNSKEY) RRSIG10(DNSKEY)  -------->       RRSIG10(DNSKEY)
+
+   Stages of Deployment for Key Signing Key Rollover.
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 19]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   initial: Initial version of the zone.  The parental DS points to
+      DNSKEY1.  Before the rollover starts the child will have to verify
+      what the TTL is of the DS RR that points to DNSKEY1 - it is needed
+      during the rollover and we refer to the value as TTL_DS.
+   new DNSKEY: During the "new DNSKEY" phase the zone administrator
+      generates a second KSK, DNSKEY2.  The key is provided to the
+      parent and the child will have to wait until a new DS RR has been
+      generated that points to DNSKEY2.  After that DS RR has been
+      published on all servers authoritative for the parent's zone, the
+      zone administrator has to wait at least TTL_DS to make sure that
+      the old DS RR has expired from caches.
+   DS change: The parent replaces DS1 with DS2.
+   DNSKEY removal: DNSKEY1 has been removed.
+
+   The scenario above puts the responsibility for maintaining a valid
+   chain of trust with the child.  It also is based on the premises that
+   the parent only has one DS RR (per algorithm) per zone.  An
+   alternative mechanism has been considered.  Using an established
+   trust relation, the interaction can be performed in-band, and the
+   removal of the keys by the child can possibly be signaled by the
+   parent.  In this mechanism there are periods where there are two DS
+   RRs at the parent.  Since at the moment of writing the protocol for
+   this interaction has not been developed, further discussion is out of
+   scope for this document.
+
+4.2.3.  Difference Between ZSK and KSK Rollovers
+
+   Note that KSK rollovers and ZSK rollovers are different in the sense
+   that a KSK rollover requires interaction with the parent (and
+   possibly replacing of trust anchors) and the ensuing delay while
+   waiting for it.
+
+   A zone key rollover can be handled in two different ways: pre-publish
+   (Section Section 4.2.1.1) and double signature (Section
+   Section 4.2.1.2).
+
+   As the KSK is used to validate the key set and because the KSK is not
+   changed during a ZSK rollover, a cache is able to validate the new
+   key set of the zone.  The pre-publish method would also work for a
+   KSK rollover.  The records that are to be pre-published are the
+   parental DS RRs.  The pre-publish method has some drawbacks for KSKs.
+   We first describe the rollover scheme and then indicate these
+   drawbacks.
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 20]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+     initial         new DS           new DNSKEY      DS/DNSKEY removal
+   Parent:
+     SOA0            SOA1             -------->       SOA2
+     RRSIGpar(SOA0)  RRSIGpar(SOA1)   -------->       RRSIGpar(SOA2)
+     DS1             DS1              -------->       DS2
+                     DS2              -------->
+     RRSIGpar(DS)    RRSIGpar(DS)     -------->       RRSIGpar(DS)
+
+
+
+   Child:
+     SOA0            -------->        SOA1            SOA1
+     RRSIG10(SOA0)   -------->        RRSIG10(SOA1)   RRSIG10(SOA1)
+                     -------->
+     DNSKEY1         -------->        DNSKEY2         DNSKEY2
+                     -------->
+     DNSKEY10        -------->        DNSKEY10        DNSKEY10
+     RRSIG1 (DNSKEY) -------->        RRSIG2(DNSKEY)  RRSIG2 (DNSKEY)
+     RRSIG10(DNSKEY) -------->        RRSIG10(DNSKEY) RRSIG10(DNSKEY)
+
+   Stages of Deployment for a Pre-publish Key Signing Key rollover.
+
+   When the child zone wants to roll it notifies the parent during the
+   "new DS" phase and submits the new key (or the corresponding DS) to
+   the parent.  The parent publishes DS1 and DS2, pointing to DNSKEY1
+   and DNSKEY2 respectively.  During the rollover ("new DNSKEY" phase),
+   which can take place as soon as the new DS set propagated through the
+   DNS, the child replaces DNSKEY1 with DNSKEY2.  Immediately after that
+   ("DS/DNSKEY removal" phase) it can notify the parent that the old DS
+   record can be deleted.
+
+   The drawbacks of this scheme are that during the "new DS" phase the
+   parent cannot verify the match between the DS2 RR and DNSKEY2 using
+   the DNS -- as DNSKEY2 is not yet published.  Besides, we introduce a
+   "security lame" key (See Section 4.4.3).  Finally the child-parent
+   interaction consists of two steps.  The "double signature" method
+   only needs one interaction.
+
+4.2.4.  Automated Key Rollovers
+
+   As keys must be renewed periodically, there is some motivation to
+   automate the rollover process.  Consider that:
+
+   o  ZSK rollovers are easy to automate as only the child zone is
+      involved.
+   o  A KSK rollover needs interaction between parent and child.  Data
+      exchange is needed to provide the new keys to the parent,
+      consequently, this data must be authenticated and integrity must
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 21]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+      be guaranteed in order to avoid attacks on the rollover.
+
+4.3.  Planning for Emergency Key Rollover
+
+   This section deals with preparation for a possible key compromise.
+   Our advice is to have a documented procedure ready for when a key
+   compromise is suspected or confirmed.
+
+   When the private material of one of your keys is compromised it can
+   be used for as long as a valid trust chain exists.  A trust chain
+   remains intact for:
+   o  as long as a signature over the compromised key in the trust chain
+      is valid,
+   o  as long as a parental DS RR (and signature) points to the
+      compromised key,
+   o  as long as the key is anchored in a resolver and is used as a
+      starting point for validation (this is generally the hardest to
+      update).
+
+   While a trust chain to your compromised key exists, your name-space
+   is vulnerable to abuse by anyone who has obtained illegitimate
+   possession of the key.  Zone operators have to make a trade off if
+   the abuse of the compromised key is worse than having data in caches
+   that cannot be validated.  If the zone operator chooses to break the
+   trust chain to the compromised key, data in caches signed with this
+   key cannot be validated.  However, if the zone administrator chooses
+   to take the path of a regular roll-over, the malicious key holder can
+   spoof data so that it appears to be valid.
+
+4.3.1.  KSK Compromise
+
+   A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
+   as long as the compromised KSK is configured as trust anchor or a
+   parental DS points to it.
+
+   A compromised KSK can be used to sign the key set of an attacker's
+   zone.  That zone could be used to poison the DNS.
+
+   Therefore when the KSK has been compromised, the trust anchor or the
+   parental DS, should be replaced as soon as possible.  It is local
+   policy whether to break the trust chain during the emergency
+   rollover.  The trust chain would be broken when the compromised KSK
+   is removed from the child's zone while the parent still has a DS
+   pointing to the compromised KSK (the assumption is that there is only
+   one DS at the parent.  If there are multiple DSs this does not apply
+   -- however the chain of trust of this particular key is broken).
+
+   Note that an attacker's zone still uses the compromised KSK and the
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 22]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   presence of a parental DS would cause the data in this zone to appear
+   as valid.  Removing the compromised key would cause the attacker's
+   zone to appear as valid and the child's zone as Bogus.  Therefore we
+   advise not to remove the KSK before the parent has a DS to a new KSK
+   in place.
+
+4.3.1.1.  Keeping the Chain of Trust Intact
+
+   If we follow this advice the timing of the replacement of the KSK is
+   somewhat critical.  The goal is to remove the compromised KSK as soon
+   as the new DS RR is available at the parent.  And also make sure that
+   the signature made with a new KSK over the key set with the
+   compromised KSK in it expires just after the new DS appears at the
+   parent.  Thus removing the old cruft in one swoop.
+
+   The procedure is as follows:
+   1.  Introduce a new KSK into the key set, keep the compromised KSK in
+       the key set.
+   2.  Sign the key set, with a short validity period.  The validity
+       period should expire shortly after the DS is expected to appear
+       in the parent and the old DSs have expired from caches.
+   3.  Upload the DS for this new key to the parent.
+   4.  Follow the procedure of the regular KSK rollover: Wait for the DS
+       to appear in the authoritative servers and then wait as long as
+       the TTL of the old DS RRs.  If necessary re-sign the DNSKEY RRSet
+       and modify/extend the expiration time.
+   5.  Remove the compromised DNSKEY RR from the zone and re-sign the
+       key set using your "normal" validity interval.
+
+   An additional danger of a key compromise is that the compromised key
+   could be used to facilitate a legitimate DNSKEY/DS rollover and/or
+   nameserver changes at the parent.  When that happens the domain may
+   be in dispute.  An authenticated out-of-band and secure notify
+   mechanism to contact a parent is needed in this case.
+
+   Note that this is only a problem when the DNSKEY and or DS records
+   are used for authentication at the parent.
+
+4.3.1.2.  Breaking the Chain of Trust
+
+   There are two methods to break the chain of trust.  The first method
+   causes the child zone to appear as 'Bogus' to validating resolvers.
+   The other causes the the child zone to appear as 'insecure'.  These
+   are described below.
+
+   In the method that causes the child zone to appear as 'Bogus' to
+   validating resolvers, the child zone replaces the current KSK with a
+   new one and resigns the key set.  Next it sends the DS of the new key
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 23]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   to the parent.  Only after the parent has placed the new DS in the
+   zone, the child's chain of trust is repaired.
+
+   An alternative method of breaking the chain of trust is by removing
+   the DS RRs from the parent zone altogether.  As a result the child
+   zone would become insecure.
+
+4.3.2.  ZSK Compromise
+
+   Primarily because there is no parental interaction required when a
+   ZSK is compromised, the situation is less severe than with a KSK
+   compromise.  The zone must still be re-signed with a new ZSK as soon
+   as possible.  As this is a local operation and requires no
+   communication between the parent and child this can be achieved
+   fairly quickly.  However, one has to take into account that just as
+   with a normal rollover the immediate disappearance of the old
+   compromised key may lead to verification problems.  Also note that as
+   long as the RRSIG over the compromised ZSK is not expired the zone
+   may be still at risk.
+
+4.3.3.  Compromises of Keys Anchored in Resolvers
+
+   A key can also be pre-configured in resolvers.  For instance, if
+   DNSSEC is successfully deployed the root key may be pre-configured in
+   most security aware resolvers.
+
+   If trust-anchor keys are compromised, the resolvers using these keys
+   should be notified of this fact.  Zone administrators may consider
+   setting up a mailing list to communicate the fact that a SEP key is
+   about to be rolled over.  This communication will of course need to
+   be authenticated e.g. by using digital signatures.
+
+   End-users faced with the task of updating an anchored key should
+   always validate the new key.  New keys should be authenticated out-
+   of-band, for example, looking them up on an SSL secured announcement
+   website.
+
+4.4.  Parental Policies
+
+4.4.1.  Initial Key Exchanges and Parental Policies Considerations
+
+   The initial key exchange is always subject to the policies set by the
+   parent.  When designing a key exchange policy one should take into
+   account that the authentication and authorization mechanisms used
+   during a key exchange should be as strong as the authentication and
+   authorization mechanisms used for the exchange of delegation
+   information between parent and child.  I.e. there is no implicit need
+   in DNSSEC to make the authentication process stronger than it was in
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 24]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   DNS.
+
+   Using the DNS itself as the source for the actual DNSKEY material,
+   with an out-of-band check on the validity of the DNSKEY, has the
+   benefit that it reduces the chances of user error.  A DNSKEY query
+   tool can make use of the SEP bit [3] to select the proper key from a
+   DNSSEC key set; thereby reducing the chance that the wrong DNSKEY is
+   sent.  It can validate the self-signature over a key; thereby
+   verifying the ownership of the private key material.  Fetching the
+   DNSKEY from the DNS ensures that the chain of trust remains intact
+   once the parent publishes the DS RR indicating the child is secure.
+
+   Note: the out-of-band verification is still needed when the key-
+   material is fetched via the DNS.  The parent can never be sure
+   whether the DNSKEY RRs have been spoofed or not.
+
+4.4.2.  Storing Keys or Hashes?
+
+   When designing a registry system one should consider which of the
+   DNSKEYs and/or the corresponding DSs to store.  Since a child zone
+   might wish to have a DS published using a message digest algorithm
+   not yet understood by the registry, the registry can't count on being
+   able to generate the DS record from a raw DNSKEY.  Thus, we recommend
+   that registry systems at least support storing DS records.
+
+   It may also be useful to store DNSKEYs, since having them may help
+   during troubleshooting and, as long as the child's chosen message
+   digest is supported, the overhead of generating DS records from them
+   is minimal.  Having an out-of-band mechanism, such as a registry
+   directory (e.g.  Whois), to find out which keys are used to generate
+   DS Resource Records for specific owners and/or zones may also help
+   with troubleshooting.
+
+   The storage considerations also relate to the design of the customer
+   interface and the method by which data is transferred between
+   registrant and registry; Will the child zone administrator be able to
+   upload DS RRs with unknown hash algorithms or does the interface only
+   allow DNSKEYs?  In the registry-registrar model one can use the
+   DNSSEC EPP protocol extension [16] which allows transfer of DS RRs
+   and optionally DNSKEY RRs.
+
+4.4.3.  Security Lameness
+
+   Security Lameness is defined as what happens when a parent has a DS
+   RR pointing to a non-existing DNSKEY RR.  When this happens the
+   child's zone may be marked as "Bogus" by verifying DNS clients.
+
+   As part of a comprehensive delegation check the parent could, at key
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 25]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   exchange time, verify that the child's key is actually configured in
+   the DNS.  However if a parent does not understand the hashing
+   algorithm used by child the parental checks are limited to only
+   comparing the key id.
+
+   Child zones should be very careful removing DNSKEY material,
+   specifically SEP keys, for which a DS RR exists.
+
+   Once a zone is "security lame", a fix (e.g. removing a DS RR) will
+   take time to propagate through the DNS.
+
+4.4.4.  DS Signature Validity Period
+
+   Since the DS can be replayed as long as it has a valid signature, a
+   short signature validity period over the DS minimizes the time a
+   child is vulnerable in the case of a compromise of the child's
+   KSK(s).  A signature validity period that is too short introduces the
+   possibility that a zone is marked Bogus in case of a configuration
+   error in the signer.  There may not be enough time to fix the
+   problems before signatures expire.  Something as mundane as operator
+   unavailability during weekends shows the need for DS signature
+   validity periods longer than 2 days.  We recommend an absolute
+   minimum for a DS signature validity period of a few days.
+
+   The maximum signature validity period of the DS record depends on how
+   long child zones are willing to be vulnerable after a key compromise.
+   On the other hand shortening the DS signature validity interval
+   increases the operational risk for the parent.  Therefore the parent
+   may have policy to use a signature validity interval that is
+   considerably longer than the child would hope for.
+
+   A compromise between the operational constraints of the parent and
+   minimizing damage for the child may result in a DS signature validity
+   period somewhere between the order of a week to order of months.
+
+   In addition to the signature validity period, which sets a lower
+   bound on the number of times the zone owner will need to sign the
+   zone data and which sets an upper bound to the time a child is
+   vulnerable after key compromise, there is the TTL value on the DS
+   RRs.  Shortening the TTL means that the authoritative servers will
+   see more queries.  But on the other hand, a short TTL lowers the
+   persistence of DS RRSets in caches thereby increases the speed with
+   which updated DS RRSets propagate through the DNS.
+
+
+5.  IANA Considerations
+
+   This overview document introduces no new IANA considerations.
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 26]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+6.  Security Considerations
+
+   DNSSEC adds data integrity to the DNS.  This document tries to assess
+   the operational considerations to maintain a stable and secure DNSSEC
+   service.  Not taking into account the 'data propagation' properties
+   in the DNS will cause validation failures and may make secured zones
+   unavailable to security aware resolvers.
+
+
+7.  Acknowledgments
+
+   Most of the ideas in this draft were the result of collective efforts
+   during workshops, discussions and try outs.
+
+   At the risk of forgetting individuals who were the original
+   contributors of the ideas we would like to acknowledge people who
+   were actively involved in the compilation of this document.  In
+   random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
+   Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
+   Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger
+   Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz and Peter Koch.
+
+   Some material in this document has been copied from RFC 2541 [12].
+
+   Mike StJohns designed the key exchange between parent and child
+   mentioned in the last paragraph of Section 4.2.2
+
+   Section 4.2.4 was supplied by G. Guette and O. Courtay.
+
+   Emma Bretherick, Adrian Bedford and Lindy Foster corrected many of
+   the spelling and style issues.
+
+   Kolkman and Gieben take the blame for introducing all miscakes(SIC).
+
+   Kolkman was employed by the RIPE NCC while working on this document.
+
+
+8.  References
+
+8.1.  Normative References
+
+   [1]  Mockapetris, P., "Domain names - concepts and facilities",
+        STD 13, RFC 1034, November 1987.
+
+   [2]  Mockapetris, P., "Domain names - implementation and
+        specification", STD 13, RFC 1035, November 1987.
+
+   [3]  Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System KEY
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 27]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+        (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
+        RFC 3757, May 2004.
+
+   [4]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "DNS Security Introduction and Requirements", RFC 4033,
+        March 2005.
+
+   [5]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Resource Records for the DNS Security Extensions", RFC 4034,
+        March 2005.
+
+   [6]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Protocol Modifications for the DNS Security Extensions",
+        RFC 4035, March 2005.
+
+8.2.  Informative References
+
+   [7]   Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
+         August 1996.
+
+   [8]   Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
+         (DNS NOTIFY)", RFC 1996, August 1996.
+
+   [9]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
+         Levels", BCP 14, RFC 2119, March 1997.
+
+   [10]  Eastlake, D., "Secure Domain Name System Dynamic Update",
+         RFC 2137, April 1997.
+
+   [11]  Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+         RFC 2308, March 1998.
+
+   [12]  Eastlake, D., "DNS Security Operational Considerations",
+         RFC 2541, March 1999.
+
+   [13]  Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
+         RFC 3658, December 2003.
+
+   [14]  Orman, H. and P. Hoffman, "Determining Strengths For Public
+         Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
+         April 2004.
+
+   [15]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
+         Requirements for Security", BCP 106, RFC 4086, June 2005.
+
+   [16]  Hollenbeck, S., "Domain Name System (DNS) Security Extensions
+         Mapping for the Extensible Provisioning Protocol (EPP)",
+         RFC 4310, December 2005.
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 28]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   [17]  Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
+         Sizes", The Journal of Cryptology 14 (255-293), 2001.
+
+   [18]  Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
+         Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN
+         (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc.,
+         1996.
+
+   [19]  Rose, S., "NIST DNSSEC workshop notes", June 2001.
+
+   [20]  Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
+         Records in DNSSEC", draft-ietf-dnsext-dnssec-rsasha256-00.txt
+         (work in progress), January 2006.
+
+   [21]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
+         Resource Records (RRs)", draft-ietf-dnsext-ds-sha256-04.txt
+         (work in progress), January 2006.
+
+
+Appendix A.  Terminology
+
+   In this document there is some jargon used that is defined in other
+   documents.  In most cases we have not copied the text from the
+   documents defining the terms but given a more elaborate explanation
+   of the meaning.  Note that these explanations should not be seen as
+   authoritative.
+
+   Anchored Key: A DNSKEY configured in resolvers around the globe.
+      This key is hard to update, hence the term anchored.
+   Bogus: Also see Section 5 of [4].  An RRSet in DNSSEC is marked
+      "Bogus" when a signature of a RRSet does not validate against a
+      DNSKEY.
+   Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used
+      exclusively for signing the apex key set.  The fact that a key is
+      a KSK is only relevant to the signing tool.
+   Key size: The term 'key size' can be substituted by 'modulus size'
+      throughout the document.  It is mathematically more correct to use
+      modulus size, but as this is a document directed at operators we
+      feel more at ease with the term key size.
+   Private and Public Keys: DNSSEC secures the DNS through the use of
+      public key cryptography.  Public key cryptography is based on the
+      existence of two (mathematically related) keys, a public key and a
+      private key.  The public keys are published in the DNS by use of
+      the DNSKEY Resource Record (DNSKEY RR).  Private keys should
+      remain private.
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 29]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   Key Rollover: A key rollover (also called key supercession in some
+      environments) is the act of replacing one key pair by another at
+      the end of a key effectivity period.
+   Secure Entry Point key or SEP Key: A KSK that has a parental DS
+      record pointing to it or is configured as a trust anchor.
+      Although not required by the protocol we recommend that the SEP
+      flag [3] is set on these keys.
+   Self-signature: This is only applies to signatures over DNSKEYs; a
+      signature made with DNSKEY x, over DNSKEY x is called a self-
+      signature.  Note: without further information self-signatures
+      convey no trust, they are useful to check the authenticity of the
+      DNSKEY, i.e. they can be used as a hash.
+   Singing the Zone File: The term used for the event where an
+      administrator joyfully signs its zone file while producing melodic
+      sound patterns.
+   Signer: The system that has access to the private key material and
+      signs the Resource Record sets in a zone.  A signer may be
+      configured to sign only parts of the zone e.g. only those RRSets
+      for which existing signatures are about to expire.
+   Zone Signing Key or ZSK: A Zone Signing Key (ZSK) is a key that is
+      used for signing all data in a zone.  The fact that a key is a ZSK
+      is only relevant to the signing tool.
+   Zone Administrator: The 'role' that is responsible for signing a zone
+      and publishing it on the primary authoritative server.
+
+
+Appendix B.  Zone Signing Key Rollover Howto
+
+   Using the pre-published signature scheme and the most conservative
+   method to assure oneself that data does not live in caches, here
+   follows the "HOWTO".
+   Step 0: The preparation: Create two keys and publish both in your key
+      set.  Mark one of the keys as "active" and the other as
+      "published".  Use the "active" key for signing your zone data.
+      Store the private part of the "published" key, preferably off-
+      line.
+      The protocol does not provide for attributes to mark a key as
+      active or published.  This is something you have to do on your
+      own, through the use of a notebook or key management tool.
+   Step 1: Determine expiration: At the beginning of the rollover make a
+      note of the highest expiration time of signatures in your zone
+      file created with the current key marked as "active".
+      Wait until the expiration time marked in Step 1 has passed
+   Step 2: Then start using the key that was marked as "published" to
+      sign your data i.e. mark it as "active".  Stop using the key that
+      was marked as "active", mark it as "rolled".
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 30]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   Step 3: It is safe to engage in a new rollover (Step 1) after at
+      least one "signature validity period".
+
+
+Appendix C.  Typographic Conventions
+
+   The following typographic conventions are used in this document:
+   Key notation: A key is denoted by DNSKEYx, where x is a number or an
+      identifier, x could be thought of as the key id.
+   RRSet notations: RRs are only denoted by the type.  All other
+      information - owner, class, rdata and TTL - is left out.  Thus:
+      "example.com 3600 IN A 192.0.2.1" is reduced to "A".  RRSets are a
+      list of RRs.  A example of this would be: "A1, A2", specifying the
+      RRSet containing two "A" records.  This could again be abbreviated
+      to just "A".
+   Signature notation: Signatures are denoted as RRSIGx(RRSet), which
+      means that RRSet is signed with DNSKEYx.
+   Zone representation: Using the above notation we have simplified the
+      representation of a signed zone by leaving out all unnecessary
+      details such as the names and by representing all data by "SOAx"
+   SOA representation: SOAs are represented as SOAx, where x is the
+      serial number.
+   Using this notation the following signed zone:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 31]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   example.net.      86400  IN SOA  ns.example.net. bert.example.net. (
+                            2006022100   ; serial
+                            86400        ; refresh (  24 hours)
+                            7200         ; retry   (   2 hours)
+                            3600000      ; expire  (1000 hours)
+                            28800 )      ; minimum (   8 hours)
+                     86400  RRSIG   SOA 5 2 86400 20130522213204 (
+                                  20130422213204 14 example.net.
+                                  cmL62SI6iAX46xGNQAdQ... )
+                     86400  NS      a.iana-servers.net.
+                     86400  NS      b.iana-servers.net.
+                     86400  RRSIG   NS 5 2 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  SO5epiJei19AjXoUpFnQ ... )
+                     86400  DNSKEY  256 3 5 (
+                                  EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
+                     86400  DNSKEY  257 3 5 (
+                                  gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
+                     86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
+                                  20130422213204 14 example.net.
+                                  J4zCe8QX4tXVGjV4e1r9... )
+                     86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
+                                  20130422213204 15 example.net.
+                                  keVDCOpsSeDReyV6O... )
+                     86400  RRSIG   NSEC 5 2 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  obj3HEp1GjnmhRjX... )
+   a.example.net.    86400  IN TXT  "A label"
+                     86400  RRSIG   TXT 5 3 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  IkDMlRdYLmXH7QJnuF3v... )
+                     86400  NSEC    b.example.com. TXT RRSIG NSEC
+                     86400  RRSIG   NSEC 5 3 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  bZMjoZ3bHjnEz0nIsPMM... )
+                     ...
+
+   is reduced to the following representation:
+
+       SOA2006022100
+       RRSIG14(SOA2006022100)
+       DNSKEY14
+       DNSKEY15
+
+       RRSIG14(KEY)
+       RRSIG15(KEY)
+
+   The rest of the zone data has the same signature as the SOA record,
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 32]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   i.e a RRSIG created with DNSKEY 14.
+
+
+Appendix D.  Document Details and Changes
+
+   This section is to be removed by the RFC editor if and when the
+   document is published.
+
+   $Id: draft-ietf-dnsop-dnssec-operational-practices.xml,v 1.31.2.14
+   2005/03/21 15:51:41 dnssec Exp $
+
+D.1.  draft-ietf-dnsop-dnssec-operational-practices-00
+
+   Submission as working group document.  This document is a modified
+   and updated version of draft-kolkman-dnssec-operational-practices-00.
+
+D.2.  draft-ietf-dnsop-dnssec-operational-practices-01
+
+   changed the definition of "Bogus" to reflect the one in the protocol
+   draft.
+
+   Bad to Bogus
+
+   Style and spelling corrections
+
+   KSK - SEP mapping made explicit.
+
+   Updates from Sam Weiler added
+
+D.3.  draft-ietf-dnsop-dnssec-operational-practices-02
+
+   Style and errors corrected.
+
+   Added Automatic rollover requirements from I-D.ietf-dnsop-key-
+   rollover-requirements.
+
+D.4.  draft-ietf-dnsop-dnssec-operational-practices-03
+
+   Added the definition of Key effectivity period and used that term
+   instead of Key validity period.
+
+   Modified the order of the sections, based on a suggestion by Rip
+   Loomis.
+
+   Included parts from RFC 2541 [12].  Most of its ground was already
+   covered.  This document obsoletes RFC 2541 [12].  Section 3.1.2
+   deserves some review as it in contrast to RFC 2541 does _not_ give
+   recomendations about root-zone keys.
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 33]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   added a paragraph to Section 4.4.4
+
+D.5.  draft-ietf-dnsop-dnssec-operational-practices-04
+
+   Somewhat more details added about the pre-publish KSK rollover.  Also
+   moved that subsection down a bit.
+
+   Editorial and content nits that came in during wg last call were
+   fixed.
+
+D.6.  draft-ietf-dnsop-dnssec-operational-practices-05
+
+   Applied some another set of comments that came in _after_ the the
+   WGLC.
+
+   Applied comments from Hilarie Orman and made a referece to RFC 3766.
+   Deleted of a lot of key length discussion and took over the
+   recommendations from RFC 3766.
+
+   Reworked all the heading of the rollover figures
+
+D.7.  draft-ietf-dnsop-dnssec-operational-practices-06
+
+   One comment from Scott Rose applied.
+
+   Marcos Sanz gave a lots of editorial nits.  Almost all are
+   incorporated.
+
+D.8.  draft-ietf-dnsop-dnssec-operational-practices-07
+
+   Peter Koch's comments applied.
+
+   SHA-1/SHA-256 remarks added
+
+D.9.  draft-ietf-dnsop-dnssec-operational-practices-08
+
+   IESG comments applied.  Added headers and some captions to the tables
+   and applied all the nits.
+
+   IESG DISCUSS comments applied
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 34]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+Authors' Addresses
+
+   Olaf M. Kolkman
+   NLnet Labs
+   Kruislaan 419
+   Amsterdam  1098 VA
+   The Netherlands
+
+   Email: olaf@nlnetlabs.nl
+   URI:   http://www.nlnetlabs.nl
+
+
+   Miek Gieben
+   NLnet Labs
+   Kruislaan 419
+   Amsterdam  1098 VA
+   The Netherlands
+
+   Email: miek@nlnetlabs.nl
+   URI:   http://www.nlnetlabs.nl
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 35]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+   Copyright (C) The Internet Society (2006).  This document is subject
+   to the rights, licenses and restrictions contained in BCP 78, and
+   except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 36]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-06.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-06.txt
new file mode 100644
index 0000000..c6ec7e4
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-06.txt
@@ -0,0 +1,618 @@
+
+
+
+
+Network Working Group                                           S. Woolf
+Internet-Draft                         Internet Systems Consortium, Inc.
+Expires: September 6, 2006                                     D. Conrad
+                                                           Nominum, Inc.
+                                                           March 5, 2006
+
+
+    Requirements for a Mechanism Identifying a Name Server Instance
+                      draft-ietf-dnsop-serverid-06
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on September 6, 2006.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   With the increased use of DNS anycast, load balancing, and other
+   mechanisms allowing more than one DNS name server to share a single
+   IP address, it is sometimes difficult to tell which of a pool of name
+   servers has answered a particular query.  A standardized mechanism to
+   determine the identity of a name server responding to a particular
+   query would be useful, particularly as a diagnostic aid for
+   administrators.  Existing ad hoc mechanisms for addressing this need
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 1]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+   have some shortcomings, not the least of which is the lack of prior
+   analysis of exactly how such a mechanism should be designed and
+   deployed.  This document describes the existing convention used in
+   some widely deployed implementations of the DNS protocol, including
+   advantages and disadvantages, and discusses some attributes of an
+   improved mechanism.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 2]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+1.  Introduction and Rationale
+
+   Identifying which name server is responding to queries is often
+   useful, particularly in attempting to diagnose name server
+   difficulties.  This is most obviously useful for authoritative
+   nameservers in the attempt to diagnose the source or prevalence of
+   inaccurate data, but can also conceivably be useful for caching
+   resolvers in similar and other situations.  Furthermore, the ability
+   to identify which server is responding to a query has become more
+   useful as DNS has become more critical to more Internet users, and as
+   network and server deployment topologies have become more complex.
+
+   The traditional means for determining which of several possible
+   servers is answering a query has traditionally been based on the use
+   of the server's IP address as a unique identifier.  However, the
+   modern Internet has seen the deployment of various load balancing,
+   fault-tolerance, or attack-resistance schemes such as shared use of
+   unicast IP addresses as documented in [RFC3258].  An unfortunate side
+   effect of these schemes has been to make the use of IP addresses as
+   identifiers somewhat problematic.  Specifically, a dedicated DNS
+   query may not go to the same server as answered a previous query,
+   even though sent to the same IP address.  Non-DNS methods such as
+   ICMP ping, TCP connections, or non-DNS UDP packets (such as those
+   generated by tools like "traceroute"), etc., may well be even less
+   certain to reach the same server as the one which receives the DNS
+   queries.
+
+   There is a well-known and frequently-used technique for determining
+   an identity for a nameserver more specific than the possibly-non-
+   unique "server that answered the query I sent to IP address XXX".
+   The widespread use of the existing convention suggests a need for a
+   documented, interoperable means of querying the identity of a
+   nameserver that may be part of an anycast or load-balancing cluster.
+   At the same time, however, it also has some drawbacks that argue
+   against standardizing it as it's been practiced so far.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 3]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+2.  Existing Conventions
+
+   For some time, the commonly deployed Berkeley Internet Name Domain
+   implementation of the DNS protocol suite from the Internet Systems
+   Consortium [BIND] has supported a way of identifying a particular
+   server via the use of a standards-compliant, if somewhat unusual, DNS
+   query.  Specifically, a query to a recent BIND server for a TXT
+   resource record in class 3 (CHAOS) for the domain name
+   "HOSTNAME.BIND." will return a string that can be configured by the
+   name server administrator to provide a unique identifier for the
+   responding server.  (The value defaults to the result of a
+   gethostname() call).  This mechanism, which is an extension of the
+   BIND convention of using CHAOS class TXT RR queries to sub-domains of
+   the "BIND." domain for version information, has been copied by
+   several name server vendors.
+
+   A refinement to the BIND-based mechanism, which dropped the
+   implementation-specific string, replaces ".BIND" with ".SERVER".
+   Thus the query string to learn the unique name of a server may be
+   queried as "ID.SERVER".
+
+   (For reference, the other well-known name used by recent versions of
+   BIND within the CHAOS class "BIND." domain is "VERSION.BIND."  A
+   query for a CHAOS TXT RR for this name will return an
+   administratively defined string which defaults to the version of the
+   server responding.  This is, however, not generally implemented by
+   other vendors.)
+
+2.1.  Advantages
+
+   There are several valuable attributes to this mechanism, which
+   account for its usefulness.
+
+   1.  The "HOSTNAME.BIND" or "ID.SERVER" query response mechanism is
+       within the DNS protocol itself.  An identification mechanism that
+       relies on the DNS protocol is more likely to be successful
+       (although not guaranteed) in going to the same system as a
+       "normal" DNS query.
+
+   2.  Since the identity information is requested and returned within
+       the DNS protocol, it doesn't require allowing any other query
+       mechanism to the server, such as holes in firewalls for
+       otherwise-unallowed ICMP Echo requests.  Thus it is likely to
+       reach the same server over a path subject to the same routing,
+       resource, and security policy as the query, without any special
+       exceptions to site security policy.
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 4]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+   3.  It is simple to configure.  An administrator can easily turn on
+       this feature and control the results of the relevant query.
+
+   4.  It allows the administrator complete control of what information
+       is given out in the response, minimizing passive leakage of
+       implementation or configuration details.  Such details are often
+       considered sensitive by infrastructure operators.
+
+   5.  Hypothetically, since it's an ordinary DNS record and the
+       relevant DNSSEC RRs are class independent, the id.server response
+       RR could be signed, which has the advantages described in
+       [RFC4033].
+
+2.2.  Disadvantages
+
+   At the same time, there are some serious drawbacks to the CHAOS/TXT
+   query mechanism that argue against standardizing it as it currently
+   operates.
+
+   1.  It requires an additional query to correlate between the answer
+       to a DNS query under normal conditions and the supposed identity
+       of the server receiving the query.  There are a number of
+       situations in which this simply isn't reliable.
+
+   2.  It reserves an entire class in the DNS (CHAOS) for what amounts
+       to one zone.  While CHAOS class is defined in [RFC1034] and
+       [RFC1035], it's not clear that supporting it solely for this
+       purpose is a good use of the namespace or of implementation
+       effort.
+
+   3.  The initial and still common form, using .BIND, is implementation
+       specific.  BIND is one DNS implementation.  At the time of this
+       writing, it is probably the most prevalent for authoritative
+       servers.  This does not justify standardizing on its ad hoc
+       solution to a problem shared across many operators and
+       implementors.  Meanwhile, the proposed refinement changes the
+       string but preserves the ad hoc CHAOS/TXT mechanism.
+
+   4.  There is no convention or shared understanding of what
+       information an answer to such a query for a server identity could
+       or should include, including a possible encoding or
+       authentication mechanism.
+
+   The first of the listed disadvantages may be technically the most
+   serious.  It argues for an attempt to design a good answer to the
+   problem that "I need to know what nameserver is answering my
+   queries", not simply a convenient one.
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 5]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+2.3.  Characteristics of an Implementation Neutral Convention
+
+   The discussion above of advantages and disadvantages to the
+   HOSTNAME.BIND mechanism suggest some requirements for a better
+   solution to the server identification problem.  These are summarized
+   here as guidelines for any effort to provide appropriate protocol
+   extensions:
+
+   1.  The mechanism adopted must be in-band for the DNS protocol.  That
+       is, it needs to allow the query for the server's identifying
+       information to be part of a normal, operational query.  It should
+       also permit a separate, dedicated query for the server's
+       identifying information.  But it should preserve the ability of
+       the CHAOS/TXT query-based mechanism to work through firewalls and
+       in other situations where only DNS can be relied upon to reach
+       the server of interest.
+
+   2.  The new mechanism should not require dedicated namespaces or
+       other reserved values outside of the existing protocol mechanisms
+       for these, i.e. the OPT pseudo-RR.  In particular, it should not
+       propagate the existing drawback of requiring support for a CLASS
+       and top level domain in the authoritative server (or the querying
+       tool) to be useful.
+
+   3.  Support for the identification functionality should be easy to
+       implement and easy to enable.  It must be easy to disable and
+       should lend itself to access controls on who can query for it.
+
+   4.  It should be possible to return a unique identifier for a server
+       without requiring the exposure of information that may be non-
+       public and considered sensitive by the operator, such as a
+       hostname or unicast IP address maintained for administrative
+       purposes.
+
+   5.  It should be possible to authenticate the received data by some
+       mechanism analogous to those provided by DNSSEC.  In this
+       context, the need could be met by including encryption options in
+       the specification of a new mechanism.
+
+   6.  The identification mechanism should not be implementation-
+       specific.
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 6]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+3.  IANA Considerations
+
+   This document proposes no specific IANA action.  Protocol extensions,
+   if any, to meet the requirements described are out of scope for this
+   document.  A proposed extension, specified and adopted by normal IETF
+   process, is described in [NSID], including relevant IANA action.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 7]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+4.  Security Considerations
+
+   Providing identifying information as to which server is responding to
+   a particular query from a particular location in the Internet can be
+   seen as information leakage and thus a security risk.  This motivates
+   the suggestion above that a new mechanism for server identification
+   allow the administrator to disable the functionality altogether or
+   partially restrict availability of the data.  It also suggests that
+   the serverid data should not be readily correlated with a hostname or
+   unicast IP address that may be considered private to the nameserver
+   operator's management infrastructure.
+
+   Propagation of protocol or service meta-data can sometimes expose the
+   application to denial of service or other attack.  As DNS is a
+   critically important infrastructure service for the production
+   Internet, extra care needs to be taken against this risk for
+   designers, implementors, and operators of a new mechanism for server
+   identification.
+
+   Both authentication and confidentiality of serverid data are
+   potentially of interest to administrators-- that is, operators may
+   wish to make serverid data available and reliable to themselves and
+   their chosen associates only.  This would imply both an ability to
+   authenticate it to themselves and keep it private from arbitrary
+   other parties.  This led to Characteristics 4 and 5 of an improved
+   solution.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 8]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+5.  Acknowledgements
+
+   The technique for host identification documented here was initially
+   implemented by Paul Vixie of the Internet Software Consortium in the
+   Berkeley Internet Name Daemon package.  Comments and questions on
+   earlier drafts were provided by Bob Halley, Brian Wellington, Andreas
+   Gustafsson, Ted Hardie, Chris Yarnell, Randy Bush, and members of the
+   ICANN Root Server System Advisory Committee.  The newest version
+   takes a significantly different direction from previous versions,
+   owing to discussion among contributors to the DNSOP working group and
+   others, particularly Olafur Gudmundsson, Ed Lewis, Bill Manning, Sam
+   Weiler, and Rob Austein.
+
+6.  References
+
+   [1]  Mockapetris, P., "Domain Names - Concepts and Facilities",
+        RFC 1034, STD 0013, November 1987.
+
+   [2]  Mockapetris, P., "Domain Names - Implementation and
+        Specification", RFC 1035, STD 0013, November 1987.
+
+   [3]  Hardie, T., "Distributing Authoritative Name Servers via Shared
+        Unicast Addresses", RFC 3258, April 2002.
+
+   [4]  ISC, "BIND 9 Configuration Reference".
+
+   [5]  Austein, S., "DNS Name Server Identifier Option (NSID)",
+        Internet Drafts http://www.ietf.org/internet-drafts/
+        draft-ietf-dnsext-nsid-01.txt, January 2006.
+
+   [6]  Arends, R., Austein, S., Larson, M., Massey, D., and S. Rose,
+        "DNS Security Introduction and Requirements", RFC 4033,
+        March 2005.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 9]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+Authors' Addresses
+
+   Suzanne Woolf
+   Internet Systems Consortium, Inc.
+   950 Charter Street
+   Redwood City, CA  94063
+   US
+
+   Phone: +1 650 423-1333
+   Email: woolf@isc.org
+   URI:   http://www.isc.org/
+
+
+   David Conrad
+   Nominum, Inc.
+   2385 Bay Road
+   Redwood City, CA  94063
+   US
+
+   Phone: +1 1 650 381 6003
+   Email: david.conrad@nominum.com
+   URI:   http://www.nominum.com/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006              [Page 10]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+   Copyright (C) The Internet Society (2006).  This document is subject
+   to the rights, licenses and restrictions contained in BCP 78, and
+   except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006              [Page 11]
+
+
diff --git a/contrib/bind9/doc/draft/draft-schlitt-spf-classic-02.txt b/contrib/bind9/doc/draft/draft-schlitt-spf-classic-02.txt
new file mode 100644
index 0000000..3bd9594
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-schlitt-spf-classic-02.txt
@@ -0,0 +1,3136 @@
+
+
+
+Network Working Group                                            M. Wong
+Internet-Draft                                                W. Schlitt
+Expires: December 8, 2005                                   June 6, 2005
+
+
+Sender Policy Framework (SPF) for Authorizing Use of Domains in E-MAIL,
+                               version 1
+                      draft-schlitt-spf-classic-02
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on December 8, 2005.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2005).
+
+Abstract
+
+   E-mail on the Internet can be forged in a number of ways.  In
+   particular, existing protocols place no restriction on what a sending
+   host can use as the reverse-path of a message or the domain given on
+   the SMTP HELO/EHLO commands.  This document describes version 1 of
+   the SPF protocol, whereby a domain may explicitly authorize the hosts
+   that are allowed to use its domain name, and a receiving host may
+   check such authorization.
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005                [Page 1]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
+     1.1.  State of this draft  . . . . . . . . . . . . . . . . . . .  4
+     1.2.  Protocol Status  . . . . . . . . . . . . . . . . . . . . .  5
+     1.3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  5
+   2.  Operation  . . . . . . . . . . . . . . . . . . . . . . . . . .  6
+     2.1.  The HELO Identity  . . . . . . . . . . . . . . . . . . . .  6
+     2.2.  The MAIL FROM Identity . . . . . . . . . . . . . . . . . .  6
+     2.3.  Publishing Authorization . . . . . . . . . . . . . . . . .  6
+     2.4.  Checking Authorization . . . . . . . . . . . . . . . . . .  7
+     2.5.  Interpreting the Result  . . . . . . . . . . . . . . . . .  8
+       2.5.1.  None . . . . . . . . . . . . . . . . . . . . . . . . .  8
+       2.5.2.  Neutral  . . . . . . . . . . . . . . . . . . . . . . .  9
+       2.5.3.  Pass . . . . . . . . . . . . . . . . . . . . . . . . .  9
+       2.5.4.  Fail . . . . . . . . . . . . . . . . . . . . . . . . .  9
+       2.5.5.  SoftFail . . . . . . . . . . . . . . . . . . . . . . .  9
+       2.5.6.  TempError  . . . . . . . . . . . . . . . . . . . . . . 10
+       2.5.7.  PermError  . . . . . . . . . . . . . . . . . . . . . . 10
+   3.  SPF Records  . . . . . . . . . . . . . . . . . . . . . . . . . 11
+     3.1.  Publishing . . . . . . . . . . . . . . . . . . . . . . . . 11
+       3.1.1.  DNS Resource Record Types  . . . . . . . . . . . . . . 11
+       3.1.2.  Multiple DNS Records . . . . . . . . . . . . . . . . . 12
+       3.1.3.  Multiple Strings in a Single DNS record  . . . . . . . 12
+       3.1.4.  Record Size  . . . . . . . . . . . . . . . . . . . . . 12
+       3.1.5.  Wildcard Records . . . . . . . . . . . . . . . . . . . 13
+   4.  The check_host() Function  . . . . . . . . . . . . . . . . . . 14
+     4.1.  Arguments  . . . . . . . . . . . . . . . . . . . . . . . . 14
+     4.2.  Results  . . . . . . . . . . . . . . . . . . . . . . . . . 14
+     4.3.  Initial Processing . . . . . . . . . . . . . . . . . . . . 14
+     4.4.  Record Lookup  . . . . . . . . . . . . . . . . . . . . . . 15
+     4.5.  Selecting Records  . . . . . . . . . . . . . . . . . . . . 15
+     4.6.  Record Evaluation  . . . . . . . . . . . . . . . . . . . . 15
+       4.6.1.  Term Evaluation  . . . . . . . . . . . . . . . . . . . 16
+       4.6.2.  Mechanisms . . . . . . . . . . . . . . . . . . . . . . 16
+       4.6.3.  Modifiers  . . . . . . . . . . . . . . . . . . . . . . 17
+     4.7.  Default Result . . . . . . . . . . . . . . . . . . . . . . 17
+     4.8.  Domain Specification . . . . . . . . . . . . . . . . . . . 17
+   5.  Mechanism Definitions  . . . . . . . . . . . . . . . . . . . . 19
+     5.1.  "all"  . . . . . . . . . . . . . . . . . . . . . . . . . . 19
+     5.2.  "include"  . . . . . . . . . . . . . . . . . . . . . . . . 20
+     5.3.  "a"  . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
+     5.4.  "mx" . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
+     5.5.  "ptr"  . . . . . . . . . . . . . . . . . . . . . . . . . . 22
+     5.6.  "ip4" and "ip6"  . . . . . . . . . . . . . . . . . . . . . 23
+     5.7.  "exists" . . . . . . . . . . . . . . . . . . . . . . . . . 24
+   6.  Modifier Definitions . . . . . . . . . . . . . . . . . . . . . 25
+     6.1.  redirect: Redirected Query . . . . . . . . . . . . . . . . 25
+
+
+
+Wong & Schlitt          Expires December 8, 2005                [Page 2]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+     6.2.  exp: Explanation . . . . . . . . . . . . . . . . . . . . . 26
+   7.  The Received-SPF header field  . . . . . . . . . . . . . . . . 28
+   8.  Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
+     8.1.  Macro definitions  . . . . . . . . . . . . . . . . . . . . 30
+     8.2.  Expansion Examples . . . . . . . . . . . . . . . . . . . . 33
+   9.  Implications . . . . . . . . . . . . . . . . . . . . . . . . . 34
+     9.1.  Sending Domains  . . . . . . . . . . . . . . . . . . . . . 34
+     9.2.  Mailing Lists  . . . . . . . . . . . . . . . . . . . . . . 34
+     9.3.  Forwarding Services and Aliases  . . . . . . . . . . . . . 34
+     9.4.  Mail Services  . . . . . . . . . . . . . . . . . . . . . . 36
+     9.5.  MTA Relays . . . . . . . . . . . . . . . . . . . . . . . . 37
+   10. Security Considerations  . . . . . . . . . . . . . . . . . . . 38
+     10.1. Processing Limits  . . . . . . . . . . . . . . . . . . . . 38
+     10.2. SPF-Authorized E-Mail May Be UBE . . . . . . . . . . . . . 39
+     10.3. Spoofed DNS and IP Data  . . . . . . . . . . . . . . . . . 40
+     10.4. Cross-User Forgery . . . . . . . . . . . . . . . . . . . . 40
+     10.5. Untrusted Information Sources  . . . . . . . . . . . . . . 40
+     10.6. Privacy Exposure . . . . . . . . . . . . . . . . . . . . . 41
+   11. Contributors and Acknowledgements  . . . . . . . . . . . . . . 42
+   12. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 43
+     12.1. The SPF DNS Record Type  . . . . . . . . . . . . . . . . . 43
+     12.2. The Received-SPF mail header . . . . . . . . . . . . . . . 43
+   13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 44
+     13.1. Normative References . . . . . . . . . . . . . . . . . . . 44
+     13.2. Informative References . . . . . . . . . . . . . . . . . . 44
+   Appendix A.  Collected ABNF  . . . . . . . . . . . . . . . . . . . 46
+   Appendix B.  Extended Examples . . . . . . . . . . . . . . . . . . 48
+     B.1.  Simple Examples  . . . . . . . . . . . . . . . . . . . . . 48
+     B.2.  Multiple Domain Example  . . . . . . . . . . . . . . . . . 49
+     B.3.  DNSBL Style Example  . . . . . . . . . . . . . . . . . . . 50
+     B.4.  Multiple Requirements Example  . . . . . . . . . . . . . . 50
+   Appendix C.  Change Log  . . . . . . . . . . . . . . . . . . . . . 51
+     C.1.  Changes in Version -02 . . . . . . . . . . . . . . . . . . 51
+     C.2.  Changes in Version -01 . . . . . . . . . . . . . . . . . . 52
+   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 55
+   Intellectual Property and Copyright Statements . . . . . . . . . . 56
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005                [Page 3]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+1.  Introduction
+
+   The current e-mail infrastructure has the property that any host
+   injecting mail into the mail system can identify itself as any domain
+   name it wants.  Hosts can do this at a variety of levels: in
+   particular, the session, the envelope, and the mail headers.  While
+   this feature is desirable in some circumstances, it is a major
+   obstacle to reducing Unsolicited Bulk E-mail (UBE, aka "spam").
+   Furthermore, many domain name holders are understandably concerned
+   about the ease with which other entities may make use of their domain
+   names, often with malicious intent.
+
+   This document defines a protocol by which domain owners may authorize
+   hosts to use their domain name in the "MAIL FROM" or "HELO" identity.
+   Compliant domain holders publish SPF records specifying which hosts
+   are permitted to use their names, and compliant mail receivers use
+   the published SPF records to test the authorization of sending MTAs
+   using a given "HELO" or "MAIL FROM" identity during a mail
+   transaction.
+
+   An additional benefit to mail receivers is that after the use of an
+   identity is verified, local policy decisions about the mail can be
+   made based on the sender's domain, rather than the host's IP address.
+   This is advantageous because reputation of domain names is likely to
+   be more accurate than reputation of host IP addresses.  Furthermore,
+   if a claimed identity fails verification, local policy can take
+   stronger action against such e-mail, such as rejecting it.
+
+1.1.  State of this draft
+
+   This draft version attempts to resolve all known issues and address
+   all comments received from the IESG review of 2005/02/17, as well
+   reviews from the namedroppers, ietf-smtp, ietf-822 and spf-discuss
+   mailing lists both in January and in May.
+
+   Please check the Change log in Appendix C before proposing changes,
+   as it is possible that your idea has already been discussed.  Please
+   post comments on the spf-discuss@v2.listbox.com mailing list or
+   e-mail them directly to the author.
+
+   I am sorry for the length of this I-D; I have not had time to make it
+   shorter.
+
+   RFC Editor Note: Please remove this section for the final publication
+   of the document.  It has been inspired by
+   draft-ietf-tools-draft-submission-09.txt.
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005                [Page 4]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+1.2.  Protocol Status
+
+   SPF has been in development since the Summer of 2003, and has seen
+   deployment beyond the developers beginning in December, 2003.  The
+   design of SPF slowly evolved until the spring of 2004 and has since
+   stabilized.  There have been quite a number of forms of SPF, some
+   written up as documents, some submitted as Internet Drafts, and many
+   discussed and debated in development forums.
+
+   The goal of this document is to clearly document the protocol defined
+   by earlier draft specifications of SPF as used in existing
+   implementations.  This conception of SPF is sometimes called "SPF
+   Classic".  It is understood that particular implementations and
+   deployments may differ from, and build upon, this work.  It is hoped
+   that we have nonetheless captured the common understanding of SPF
+   version 1.
+
+1.3.  Terminology
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+   This document is concerned with the portion of a mail message
+   commonly called "envelope sender", "return path", "reverse path",
+   "bounce address", "2821 FROM", or "MAIL FROM".  Since these terms are
+   either not well defined, or often used casually, this document
+   defines the "MAIL FROM" identity in Section 2.2.  Note that other
+   terms that may superficially look like the common terms, such as
+   "reverse-path", are used only with the defined meanings from
+   normative documents.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005                [Page 5]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+2.  Operation
+
+2.1.  The HELO Identity
+
+   The "HELO" identity derives from either the SMTP HELO or EHLO command
+   (see [RFC2821]).  These commands supply the SMTP client (sending
+   host) for the SMTP session.  Note that requirements for the domain
+   presented in the EHLO or HELO command are not always clear to the
+   sending party, and SPF clients must be prepared for the "HELO"
+   identity to be malformed or an IP address literal.  At the time of
+   this writing, many legitimate e-mails are delivered with invalid HELO
+   domains.
+
+   It is RECOMMENDED that SPF clients check not only the "MAIL FROM"
+   identity, but also separately check the "HELO" identity by applying
+   the check_host() function (Section 4) to the "HELO" identity as the
+   <sender>.
+
+2.2.  The MAIL FROM Identity
+
+   The "MAIL FROM" identity derives from the SMTP MAIL command (see
+   [RFC2821]).  This command supplies the "reverse-path" for a message,
+   which generally consists of the sender mailbox, and is the mailbox to
+   which notification messages are to be sent if there are problems
+   delivering the message.
+
+   [RFC2821] allows the reverse-path to be null (see Section 4.5.5).  In
+   this case, there is no explicit sender mailbox, and such a message
+   can be assumed to be a notification message from the mail system
+   itself.  When the reverse-path is null, this document defines the
+   "MAIL FROM" identity to be the mailbox composed of the localpart
+   "postmaster" and the "HELO" identity (which may or may not have been
+   checked separately before).
+
+   SPF clients MUST check the "MAIL FROM" identity.  SPF clients check
+   the "MAIL FROM" identity by applying the check_host() function to the
+   "MAIL FROM" identity as the <sender>.
+
+2.3.  Publishing Authorization
+
+   An SPF-compliant domain MUST publish a valid SPF record as described
+   in Section 3.  This record authorizes the use of the domain name in
+   the "HELO" and "MAIL FROM" identities by the MTAs it specifies.
+
+   If domain owners choose to publish SPF records, it is RECOMMENDED
+   that they end in "-all", or redirect to other records that do, so
+   that a definitive determination of authorization can be made.
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005                [Page 6]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   Domain holders may publish SPF records that explicitly authorize no
+   hosts if mail should never originate using that domain.
+
+   When changing SPF records, care must be taken to ensure that there is
+   a transition period so that the old policy remains valid until all
+   legitimate e-mail has been checked.
+
+2.4.  Checking Authorization
+
+   A mail receiver can perform a set of SPF checks for each mail message
+   it receives.  An SPF check tests the authorization of a client host
+   to emit mail with a given identity.  Typically, such checks are done
+   by a receiving MTA, but can be performed elsewhere in the mail
+   processing chain so long as the required information is available and
+   reliable.  At least the "MAIL FROM" identity MUST be checked, but it
+   is RECOMMENDED that the "HELO" identity also be checked beforehand.
+
+   Without explicit approval of the domain owner, checking other
+   identities against SPF version 1 records is NOT RECOMMENDED because
+   there are cases that are known to give incorrect results.  For
+   example, almost all mailing lists rewrite the "MAIL FROM" identity
+   (see Section 9.2), but some do not change any other identities in the
+   message.  The scenario described in Section 9.3.1.2 is another
+   example.  Documents that define other identities should define the
+   method for explicit approval.
+
+   It is possible that mail receivers will use the SPF check as part of
+   a larger set of tests on incoming mail.  The results of other tests
+   may influence whether or not a particular SPF check is performed.
+   For example, finding the sending host's IP address on a local white
+   list may cause all other tests to be skipped and all mail from that
+   host to be accepted.
+
+   When a mail receiver decides to perform an SPF check, it MUST use a
+   correctly-implemented check_host() function (Section 4) evaluated
+   with the correct parameters.  While the test as a whole is optional,
+   once it has been decided to perform a test it must be performed as
+   specified so that the correct semantics are preserved between
+   publisher and receiver.
+
+   To make the test, the mail receiver MUST evaluate the check_host()
+   function with the arguments set as follows:
+
+   <ip>     - the IP address of the SMTP client that is emitting the
+            mail, either IPv4 or IPv6.
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005                [Page 7]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   <domain> - the domain portion of the "MAIL FROM" or "HELO" identity.
+
+   <sender> - the "MAIL FROM" or "HELO" identity.
+
+   Note that the <domain> argument may not be a well-formed domain name.
+   For example, if the reverse-path was null, then the EHLO/HELO domain
+   is used, with its associated problems (see Section 2.1).  In these
+   cases, check_host() is defined in Section 4.3 to return a "None"
+   result.
+
+   While invalid, malformed, or non-existent domains cause SPF checks to
+   return "None" because no SPF record can be found, it has long been
+   the policy of many MTAs to reject e-mail from such domains,
+   especially in the case of invalid "MAIL FROM".  In order to prevent
+   the circumvention of SPF records, rejecting e-mail from invalid
+   domains should be considered.
+
+   Implementations must take care to correctly extract the <domain> from
+   the data given with the SMTP MAIL FROM command as many MTAs will
+   still accept such things as source routes (see [RFC2821] appendix C),
+   the %-hack (see [RFC1123]), and bang paths (see [RFC1983]).  These
+   archaic features have been maliciously used to bypass security
+   systems.
+
+2.5.  Interpreting the Result
+
+   This section describes how software that performs the authorization
+   should interpret the results of the check_host() function.  The
+   authorization check SHOULD be performed during the processing of the
+   SMTP transaction that sends the mail.  This allows errors to be
+   returned directly to the sending server by way of SMTP replies.
+
+   Performing the authorization after the SMTP transaction has finished
+   may cause problems, such as: 1) It may be difficult to accurately
+   extract the required information from potentially deceptive headers.
+   2) Legitimate e-mail may fail because the sender's policy may have
+   since changed.
+
+   Generating non-delivery notifications to forged identities that have
+   failed the authorization check is generally abusive and against the
+   explicit wishes of the identity owner.
+
+2.5.1.  None
+
+   A result of "None" means that no records were published by the
+   domain, or that no checkable sender domain could be determined from
+   the given identity.  The checking software cannot ascertain whether
+   the client host is authorized or not.
+
+
+
+Wong & Schlitt          Expires December 8, 2005                [Page 8]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+2.5.2.  Neutral
+
+   The domain owner has explicitly stated that they cannot or do not
+   want to assert whether the IP address is authorized or not.  A
+   "Neutral" result MUST be treated exactly like the "None" result; the
+   distinction exists only for informational purposes.  Treating
+   "Neutral" more harshly than "None" will discourage domain owners from
+   testing the use of SPF records (see Section 9.1).
+
+2.5.3.  Pass
+
+   A "Pass" result means that the client is authorized to inject mail
+   with the given identity.  The domain can now, in the sense of
+   reputation, be considered responsible for sending the message.
+   Further policy checks can now proceed with confidence in the
+   legitimate use of the identity.
+
+2.5.4.  Fail
+
+   A "Fail" result is an explicit statement that the client is not
+   authorized to use the domain in the given identity.  The checking
+   software can choose to mark the mail based on this, or to reject the
+   mail outright.
+
+   If the checking software chooses to reject the mail during the SMTP
+   transaction, then it SHOULD use an SMTP reply code of 550 (see
+   [RFC2821]) and, if supported, the 5.7.1 Delivery Status Notification
+   (DSN) code (see [RFC3464]), in addition to an appropriate reply text.
+   The check_host() function may return either a default explanation
+   string, or one from the domain that published the SPF records (see
+   Section 6.2).  If the information doesn't originate with the checking
+   software, it should be made clear that the text is provided by the
+   sender's domain.  For example:
+
+       550-5.7.1 SPF MAIL FROM check failed:
+       550-5.7.1 The domain example.com explains:
+       550 5.7.1 Please see http://www.example.com/mailpolicy.html
+
+2.5.5.  SoftFail
+
+   A "SoftFail" result should be treated as somewhere between a "Fail"
+   and a "Neutral".  The domain believes the host isn't authorized but
+   isn't willing to make that strong of a statement.  Receiving software
+   SHOULD NOT reject the message based solely on this result, but MAY
+   subject the message to closer scrutiny than normal.
+
+   The domain owner wants to discourage the use of this host and so they
+   desire limited feedback when a "SoftFail" result occurs.  For
+
+
+
+Wong & Schlitt          Expires December 8, 2005                [Page 9]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   example, the recipient's MUA could highlight the "SoftFail" status,
+   or the receiving MTA could give the sender a message using a
+   technique called "greylisting" whereby the MTA can issue an SMTP
+   reply code of 451 (4.3.0 DSN code) with a note the first time the
+   message is received, but accept it the second time.
+
+2.5.6.  TempError
+
+   A "TempError" result means that the SPF client encountered a
+   transient error while performing the check.  Checking software can
+   choose to accept or temporarily reject the message.  If the message
+   is rejected during the SMTP transaction for this reason, the software
+   SHOULD use an SMTP reply code of 451 and, if supported, the 4.4.3 DSN
+   code.
+
+2.5.7.  PermError
+
+   A "PermError" result means that the domain's published records
+   couldn't be correctly interpreted.  This signals an error condition
+   that requires manual intervention to be resolved, as opposed to the
+   TempError result.  Be aware that if the domain owner uses macros
+   (Section 8), it is possible that this result is due to the checked
+   identities having an unexpected format.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 10]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+3.  SPF Records
+
+   An SPF record is a DNS Resource Record (RR) that declares which hosts
+   are, and are not, authorized to use a domain name for the "HELO" and
+   "MAIL FROM" identities.  Loosely, the record partitions all hosts
+   into permitted and not-permitted sets.  (Though some hosts might fall
+   into neither category.)
+
+   The SPF record is a single string of text.  An example record is:
+
+      v=spf1 +mx a:colo.example.com/28 -all
+
+   This record has a version of "spf1" and three directives: "+mx",
+   "a:colo.example.com/28" (the + is implied), and "-all".
+
+3.1.  Publishing
+
+   Domain owners wishing to be SPF compliant must publish SPF records
+   for the hosts that are used in the "MAIL FROM" and "HELO" identities.
+   The SPF records are placed in the DNS tree at the host name it
+   pertains to, not a subdomain under it, such as is done with SRV
+   records.  This is the same whether the TXT or SPF RR type is used.
+
+   The example above in Section 3 might be published via this lines in a
+   domain zone file:
+
+      example.com.          TXT "v=spf1 +mx a:colo.example.com/28 -all"
+      smtp-out.example.com. TXT "v=spf1 a -all"
+
+   When publishing via TXT records, beware of other TXT records
+   published there for other purposes.  They may cause problems with
+   size limits (see Section 3.1.4).
+
+3.1.1.  DNS Resource Record Types
+
+   This document defines a new DNS RR of type SPF, type code to be
+   determined.  The format of this type is identical to the TXT RR
+   [RFC1035].  For either type, the character content of the record is
+   encoded as [US-ASCII].
+
+   RFC Editor Note: Please add the DNS RR type code once it has been
+   allocated by the IANA.
+
+   It is recognized that the current practice (using a TXT record) is
+   not optimal, but it is necessary because there are a number of DNS
+   server and resolver implementations in common use that cannot handle
+   the new RR type.  The two-record-type scheme provides a forward path
+   to the better solution of using an RR type reserved for this purpose.
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 11]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   An SPF-compliant domain name SHOULD have SPF records of both RR
+   types.  A compliant domain name MUST have a record of at least one
+   type.  If a domain has records of both types, they MUST have
+   identical content.  For example, instead of just publishing one
+   record as in Section 3.1 above, it is better to publish:
+
+      example.com. IN TXT "v=spf1 +mx a:colo.example.com/28 -all"
+      example.com. IN SPF "v=spf1 +mx a:colo.example.com/28 -all"
+
+   Example RRs in this document are shown with the TXT record type,
+   however they could be published with the SPF type or with both types.
+
+3.1.2.  Multiple DNS Records
+
+   A domain name MUST NOT have multiple records that would cause an
+   authorization check to select more than one record.  See Section 4.5
+   for the selection rules.
+
+3.1.3.  Multiple Strings in a Single DNS record
+
+   As defined in [RFC1035] sections 3.3.14 and 3.3, a single text DNS
+   record (either TXT and SPF RR types) can be composed of more than one
+   string.  If a published record contains multiple strings, then the
+   record MUST be treated as if those strings are concatenated together
+   without adding spaces.  For example:
+
+      IN TXT "v=spf1 .... first" "second string..."
+
+   MUST be treated as equivalent to
+
+      IN TXT "v=spf1 .... firstsecond string..."
+
+   SPF or TXT records containing multiple strings are useful in order to
+   construct records which would exceed the 255 byte maximum length of a
+   string within a single TXT or SPF RR record.
+
+3.1.4.  Record Size
+
+   The published SPF record for a given domain name SHOULD remain small
+   enough that the results of a query for it will fit within 512 octets.
+   This will keep even older DNS implementations from falling over to
+   TCP.  Since the answer size is dependent on many things outside the
+   scope of this document, it is only possible to give this guideline:
+   If the combined length of the DNS name and the text of all the
+   records of a given type (TXT or SPF) is under 450 characters, then
+   DNS answers should fit in UDP packets.  Note that when computing the
+   sizes for queries of the TXT format, one must take into account any
+   other TXT records published at the domain name.  Records that are too
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 12]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   long to fit in a single UDP packet MAY be silently ignored by SPF
+   clients.
+
+3.1.5.  Wildcard Records
+
+   Use of wildcard records for publishing is not recommended.  Care must
+   be taken if wildcard records are used.  If a domain publishes
+   wildcard MX records, it may want to publish wildcard declarations,
+   subject to the same requirements and problems.  In particular, the
+   declaration must be repeated for any host that has any RR records at
+   all, and for subdomains thereof.  For example, the example given in
+   [RFC1034], Section 4.3.3, could be extended with:
+
+       X.COM.          MX      10      A.X.COM
+       X.COM.          TXT     "v=spf1 a:A.X.COM -all"
+
+       *.X.COM.        MX      10      A.X.COM
+       *.X.COM.        TXT     "v=spf1 a:A.X.COM -all"
+
+       A.X.COM.        A       1.2.3.4
+       A.X.COM.        MX      10      A.X.COM
+       A.X.COM.        TXT     "v=spf1 a:A.X.COM -all"
+
+       *.A.X.COM.      MX      10      A.X.COM
+       *.A.X.COM.      TXT     "v=spf1 a:A.X.COM -all"
+
+   Notice that SPF records must be repeated twice for every name within
+   the domain: once for the name, and once with a wildcard to cover the
+   tree under the name.
+
+   Use of wildcards is discouraged in general as they cause every name
+   under the domain to exist and queries against arbitrary names will
+   never return RCODE 3 (Name Error).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 13]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+4.  The check_host() Function
+
+   The check_host() function fetches SPF records, parses them, and
+   interprets them to determine whether a particular host is or is not
+   permitted to send mail with a given identity.  Mail receivers that
+   perform this check MUST correctly evaluate the check_host() function
+   as described here.
+
+   Implementations MAY use a different algorithm than the canonical
+   algorithm defined here, so long as the results are the same in all
+   cases.
+
+4.1.  Arguments
+
+   The function check_host() takes these arguments:
+
+   <ip>     - the IP address of the SMTP client that is emitting the
+            mail, either IPv4 or IPv6.
+
+   <domain> - the domain that provides the sought-after authorization
+            information; initially the domain portion of the "MAIL FROM"
+            or "HELO" identity.
+
+   <sender> - the "MAIL FROM" or "HELO" identity.
+
+   The domain portion of <sender> will usually be the same as the
+   <domain> argument when check_host() is initially evaluated.  However,
+   this will generally not be true for recursive evaluations (see
+   Section 5.2 below).
+
+   Actual implementations of the check_host() function may need
+   additional arguments.
+
+4.2.  Results
+
+   The function check_host() can return one of several results described
+   in Section 2.5.  Based on the result, the action to be taken is
+   determined by the local policies of the receiver.
+
+4.3.  Initial Processing
+
+   If the <domain> is malformed (label longer than 63 characters, zero
+   length label not at the end, etc.), is not a fully qualified domain
+   name, or if the DNS lookup returns "domain does not exist" (RCODE 3),
+   check_host() immediately returns the result "None".
+
+   If the <sender> has no localpart, substitute the string "postmaster"
+   for the localpart.
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 14]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+4.4.  Record Lookup
+
+   In accordance with how the records are published, see Section 3.1
+   above, a DNS query needs to be made for the <domain> name, querying
+   for either RR type TXT, SPF, or both.  If both SPF and TXT RRs are
+   looked up, the queries MAY be done in parallel.
+
+   If the DNS lookup returns a server failure (RCODE 2), or other error
+   (RCODE other than 0 or 3), or the query times out, check_host() exits
+   immediately with the result "TempError".
+
+4.5.  Selecting Records
+
+   Records begin with a version section:
+
+   record           = version terms *SP
+   version          = "v=spf1"
+
+   Starting with the set of records that were returned by the lookup,
+   record selection proceeds in three steps:
+
+   1.  Records that do not begin with a version section of exactly
+       "v=spf1" are discarded.  Note that the version section is
+       terminated either by a SP character or the end of the record.  A
+       record with a version section of "v=spf10" does not match and
+       must be discarded.
+
+   2.  If there are both SPF and TXT records in the set and if they are
+       not all identical, return a "PermError".
+
+   3.  If any records of type SPF are in the set, then all records of
+       type TXT are discarded.
+
+   After the above steps, there should be exactly one record remaining
+   and evaluation can proceed.  If there are two or more records
+   remaining, then check_host() exits immediately with the result of
+   "PermError".
+
+   If no matching records are returned, an SPF client MUST assume that
+   the domain makes no SPF declarations.  SPF processing MUST stop and
+   return "None".
+
+4.6.  Record Evaluation
+
+   After one SPF record has been selected, the check_host() function
+   parses and interprets it to find a result for the current test.  If
+   there are any syntax errors, check_host() returns immediately with
+   the result "PermError".
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 15]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   Implementations MAY choose to parse the entire record first and
+   return "PermError" if the record is not syntactically well formed.
+   However, in all cases, any syntax errors anywhere in the record MUST
+   be detected.
+
+4.6.1.  Term Evaluation
+
+   There are two types of terms: mechanisms and modifiers.  A record
+   contains an ordered list of these as specified in the following ABNF.
+
+   terms            = *( 1*SP ( directive / modifier ) )
+
+   directive        = [ qualifier ] mechanism
+   qualifier        = "+" / "-" / "?" / "~"
+   mechanism        = ( all / include
+                      / A / MX / PTR / IP4 / IP6 / exists )
+   modifier         = redirect / explanation / unknown-modifier
+   unknown-modifier = name "=" macro-string
+
+   name             = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
+
+   Most mechanisms allow a ":" or "/" character after the name.
+
+   Modifiers always contain an equals ('=') character immediately after
+   the name, and before any ":" or "/" characters that may be part of
+   the macro-string.
+
+   Terms that do not contain any of "=", ":" or "/" are mechanisms, as
+   defined in Section 5.
+
+   As per the definition of the ABNF notation in [I-D.crocker-abnf-
+   rfc2234bis], mechanism and modifier names are case-insensitive.
+
+4.6.2.  Mechanisms
+
+   Each mechanism is considered in turn from left to right.  If there
+   are no more mechanisms, the result is specified in Section 4.7.
+
+   When a mechanism is evaluated, one of three things can happen: it can
+   match, it can not match, or it can throw an exception.
+
+   If it matches, processing ends and the qualifier value is returned as
+   the result of that record.  If it does not match, processing
+   continues with the next mechanism.  If it throws an exception,
+   mechanism processing ends and the exception value is returned.
+
+   The possible qualifiers, and the results they return are:
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 16]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+      "+" Pass
+      "-" Fail
+      "~" SoftFail
+      "?" Neutral
+
+   The qualifier is optional and defaults to "+".
+
+   When a mechanism matches and the qualifier is "-", then a "Fail"
+   result is returned and the explanation string is computed as
+   described in Section 6.2.
+
+   The specific mechanisms are described in Section 5.
+
+4.6.3.  Modifiers
+
+   Modifiers are not mechanisms: they do not return match or not-match.
+   Instead they provide additional information.  While modifiers do not
+   directly affect the evaluation of the record, the "redirect" modifier
+   has an effect after all the mechanisms have been evaluated.
+
+4.7.  Default Result
+
+   If none of the mechanisms match and there is no "redirect" modifier,
+   then the check_host() returns a result of "Neutral", just as if
+   "?all" were specified as the last directive.  If there is a
+   "redirect" modifier, check_host() proceeds as defined in Section 6.1.
+
+   Note that records SHOULD always either use a "redirect" modifier or
+   an "all" mechanism to explicitly terminate processing.
+
+   For example:
+
+      v=spf1 +mx -all
+   or
+      v=spf1 +mx redirect=_spf.example.com
+
+4.8.  Domain Specification
+
+   Several of these mechanisms and modifiers have a <domain-spec>
+   section.  The <domain-spec> string is macro expanded (see Section 8).
+   The resulting string is the common presentation form of a fully-
+   qualified DNS name: a series of labels separated by periods.  This
+   domain is called the <target-name> in the rest of this document.
+
+   Note: The result of the macro expansion is not subject to any further
+   escaping.  Hence, this facility cannot produce all characters that
+   are legal in a DNS label (e.g. the control characters).  However,
+   this facility is powerful enough to express legal host names, and
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 17]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   common utility labels (such as "_spf") that are used in DNS.
+
+   For several mechanisms, the <domain-spec> is optional.  If it is not
+   provided, the <domain> is used as the <target-name>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 18]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+5.  Mechanism Definitions
+
+   This section defines two types of mechanisms.
+
+   Basic mechanisms contribute to the language framework.  They do not
+   specify a particular type of authorization scheme.
+
+      all
+      include
+
+   Designated sender mechanisms are used to designate a set of <ip>
+   addresses as being permitted or not permitted to use the <domain> for
+   sending mail.
+
+      a
+      mx
+      ptr
+      ip4
+      ip6
+      exists
+
+   The following conventions apply to all mechanisms that perform a
+   comparison between <ip> and an IP address at any point:
+
+   If no CIDR-length is given in the directive, then <ip> and the IP
+   address are compared for equality.
+
+   If a CIDR-length is specified, then only the specified number of
+   high-order bits of <ip> and the IP address are compared for equality.
+
+   When any mechanism fetches host addresses to compare with <ip>, when
+   <ip> is an IPv4 address, A records are fetched, when <ip> is an IPv6
+   address, AAAA records are fetched.  Even if the SMTP connection is
+   via IPv6, an IPv4-mapped IPv6 IP address (see [RFC3513] section
+   2.5.5) MUST still be considered an IPv4 address.
+
+   Several mechanisms rely on information fetched from DNS.  For these
+   DNS queries, except where noted, if the DNS server returns an error
+   (RCODE other than 0 or 3) or the query times out, the mechanism
+   throws the exception "TempError".  If the server returns "domain does
+   not exist" (RCODE 3), then evaluation of the mechanism continues as
+   if the server returned no error (RCODE 0) and zero answer records.
+
+5.1.  "all"
+
+   all              = "all"
+
+   The "all" mechanism is a test that always matches.  It is used as the
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 19]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   rightmost mechanism in a record to provide an explicit default.
+
+   For example:
+
+      v=spf1 a mx -all
+
+   Mechanisms after "all" will never be tested.  Any "redirect" modifier
+   (Section 6.1) has no effect when there is an "all" mechanism.
+
+5.2.  "include"
+
+   include          = "include"  ":" domain-spec
+
+   The "include" mechanism triggers a recursive evaluation of
+   check_host().  The domain-spec is expanded as per Section 8.  Then
+   check_host() is evaluated with the resulting string as the <domain>.
+   The <ip> and <sender> arguments remain the same as in the current
+   evaluation of check_host().
+
+   In hindsight, the name "include" was poorly chosen.  Only the
+   evaluated result of the referenced SPF record is used, rather than
+   acting as if the referenced SPF record was literally included in the
+   first.  For example, evaluating a "-all" directive in the referenced
+   record does not terminate the overall processing and does not
+   necessarily result in an overall "Fail".  (Better names for this
+   mechanism would have been "if-pass", "on-pass", etc.)
+
+   The "include" mechanism makes it possible for one domain to designate
+   multiple administratively-independent domains.  For example, a vanity
+   domain "example.net" might send mail using the servers of
+   administratively-independent domains example.com and example.org.
+
+   Example.net could say
+
+      IN TXT "v=spf1 include:example.com include:example.org -all"
+
+   This would direct check_host() to, in effect, check the records of
+   example.com and example.org for a "Pass" result.  Only if the host
+   were not permitted for either of those domains would the result be
+   "Fail".
+
+   Whether this mechanism matches, does not match, or throws an error,
+   depends on the result of the recursive evaluation of check_host():
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 20]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   +---------------------------------+---------------------------------+
+   | A recursive check_host() result | Causes the "include" mechanism  |
+   | of:                             | to:                             |
+   +---------------------------------+---------------------------------+
+   | Pass                            | match                           |
+   |                                 |                                 |
+   | Fail                            | not match                       |
+   |                                 |                                 |
+   | SoftFail                        | not match                       |
+   |                                 |                                 |
+   | Neutral                         | not match                       |
+   |                                 |                                 |
+   | TempError                       | throw TempError                 |
+   |                                 |                                 |
+   | PermError                       | throw PermError                 |
+   |                                 |                                 |
+   | None                            | throw PermError                 |
+   +---------------------------------+---------------------------------+
+
+   The "include" mechanism is intended for crossing administrative
+   boundaries.  While it is possible to use includes to consolidate
+   multiple domains that share the same set of designated hosts, domains
+   are encouraged to use redirects where possible, and to minimize the
+   number of includes within a single administrative domain.  For
+   example, if example.com and example.org were managed by the same
+   entity, and if the permitted set of hosts for both domains were
+   "mx:example.com", it would be possible for example.org to specify
+   "include:example.com", but it would be preferable to specify
+   "redirect=example.com" or even "mx:example.com".
+
+5.3.  "a"
+
+   This mechanism matches if <ip> is one of the <target-name>'s IP
+   addresses.
+
+   A                = "a"      [ ":" domain-spec ] [ dual-cidr-length ]
+
+   An address lookup is done on the <target-name>.  The <ip> is compared
+   to the returned address(es).  If any address matches, the mechanism
+   matches.
+
+5.4.  "mx"
+
+   This mechanism matches if <ip> is one of the MX hosts for a domain
+   name.
+
+   MX               = "mx"     [ ":" domain-spec ] [ dual-cidr-length ]
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 21]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   check_host() first performs an MX lookup on the <target-name>.  Then
+   it performs an address lookup on each MX name returned.  The <ip> is
+   compared to each returned IP address.  To prevent DoS attacks, more
+   than 10 MX names MUST NOT be looked up during the evaluation of an
+   "mx" mechanism (see Section 10).  If any address matches, the
+   mechanism matches.
+
+   Note regarding implicit MXes: If the <target-name> has no MX records,
+   check_host() MUST NOT pretend the target is its single MX, and MUST
+   NOT default to an A lookup on the <target-name> directly.  This
+   behavior breaks with the legacy "implicit MX" rule.  See [RFC2821]
+   Section 5.  If such behavior is desired, the publisher should specify
+   an "a" directive.
+
+5.5.  "ptr"
+
+   This mechanism tests whether the DNS reverse mapping for <ip> exists
+   and correctly points to a domain name within a particular domain.
+
+   PTR              = "ptr"    [ ":" domain-spec ]
+
+   First the <ip>'s name is looked up using this procedure: perform a
+   DNS reverse-mapping for <ip>, looking up the corresponding PTR record
+   in "in-addr.arpa." if the address is an IPv4 one and in "ip6.arpa."
+   if it is an IPv6 address.  For each record returned, validate the
+   domain name by looking up its IP address.  To prevent DoS attacks,
+   more than 10 PTR names MUST NOT be looked up during the evaluation of
+   a "ptr" mechanism (see Section 10).  If <ip> is among the returned IP
+   addresses, then that domain name is validated.  In pseudocode:
+
+   sending-domain_names := ptr_lookup(sending-host_IP);
+   if more than 10 sending-domain_names are found, use at most 10.
+   for each name in (sending-domain_names) {
+     IP_addresses := a_lookup(name);
+     if the sending-domain_IP is one of the IP_addresses {
+       validated-sending-domain_names += name;
+     }
+   }
+
+   Check all validated domain names to see if they end in the
+   <target-name> domain.  If any do, this mechanism matches.  If no
+   validated domain name can be found, or if none of the validated
+   domain names end in the <target-name>, this mechanism fails to match.
+   If a DNS error occurs while doing the PTR RR lookup, then this
+   mechanism fails to match.  If a DNS error occurs while doing an A RR
+   lookup, then that domain name is skipped and the search continues.
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 22]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   Pseudocode:
+
+   for each name in (validated-sending-domain_names) {
+     if name ends in <domain-spec>, return match.
+     if name is <domain-spec>, return match.
+   }
+   return no-match.
+
+   This mechanism matches if the <target-name> is either an ancestor of
+   a validated domain name, or if the <target-name> and a validated
+   domain name are the same.  For example: "mail.example.com" is within
+   the domain "example.com", but "mail.bad-example.com" is not.
+
+   Note: Use of this mechanism is discouraged because it is slow, is not
+   as reliable as other mechanisms in cases of DNS errors and it places
+   a large burden on the arpa name servers.  If used, proper PTR records
+   must be in place for the domain's hosts and the "ptr" mechanism
+   should be one of the last mechanisms checked.
+
+5.6.  "ip4" and "ip6"
+
+   These mechanisms test whether <ip> is contained within a given IP
+   network.
+
+   IP4              = "ip4"      ":" ip4-network   [ ip4-cidr-length ]
+   IP6              = "ip6"      ":" ip6-network   [ ip6-cidr-length ]
+
+   ip4-cidr-length  = "/" 1*DIGIT
+   ip6-cidr-length  = "/" 1*DIGIT
+   dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
+
+   ip4-network      = qnum "." qnum "." qnum "." qnum
+   qnum             = DIGIT                 ; 0-9
+                      / %x31-39 DIGIT       ; 10-99
+                      / "1" 2DIGIT          ; 100-199
+                      / "2" %x30-34 DIGIT   ; 200-249
+                      / "25" %x30-35        ; 250-255
+             ; as per conventional dotted quad notation.  e.g. 192.0.2.0
+   ip6-network      = <as per [RFC 3513], section 2.2>
+             ; e.g. 2001:DB8::CD30
+
+   The <ip> is compared to the given network.  If CIDR-length high-order
+   bits match, the mechanism matches.
+
+   If ip4-cidr-length is omitted it is taken to be "/32".  If
+   ip6-cidr-length is omitted it is taken to be "/128".  It is not
+   permitted to omit parts of the IP address instead of using CIDR
+   notations.  That is, use 192.0.2.0/24 instead of 192.0.2.
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 23]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+5.7.  "exists"
+
+   This mechanism is used to construct an arbitrary domain name that is
+   used for a DNS A record query.  It allows for complicated schemes
+   involving arbitrary parts of the mail envelope to determine what is
+   permitted.
+
+   exists           = "exists"   ":" domain-spec
+
+   The domain-spec is expanded as per Section 8.  The resulting domain
+   name is used for a DNS A RR lookup.  If any A record is returned,
+   this mechanism matches.  The lookup type is 'A' even when the
+   connection type is IPv6.
+
+   Domains can use this mechanism to specify arbitrarily complex
+   queries.  For example, suppose example.com publishes the record:
+
+      v=spf1 exists:%{ir}.%{l1r+-}._spf.%{d} -all
+
+   The <target-name> might expand to
+   "1.2.0.192.someuser._spf.example.com".  This makes fine-grained
+   decisions possible at the level of the user and client IP address.
+
+   This mechanism enables queries that mimic the style of tests that
+   existing anti-spam DNS blacklists (DNSBL) use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 24]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+6.  Modifier Definitions
+
+   Modifiers are name/value pairs that provide additional information.
+   Modifiers always have an "=" separating the name and the value.
+
+   The modifiers defined in this document ("redirect" and "exp") MAY
+   appear anywhere in the record, but SHOULD appear at the end, after
+   all mechanisms.  Ordering of these two modifiers does not matter.
+   These two modifiers MUST NOT appear in a record more than once each.
+   If they do, then check_host() exits with a result of "PermError".
+
+   Unrecognized modifiers MUST be ignored no matter where in a record,
+   or how often.  This allows implementations of this document to
+   gracefully handle records with modifiers that are defined in other
+   specifications.
+
+6.1.  redirect: Redirected Query
+
+   If all mechanisms fail to match, and a "redirect" modifier is
+   present, then processing proceeds as follows:
+
+   redirect         = "redirect" "=" domain-spec
+
+   The domain-spec portion of the redirect section is expanded as per
+   the macro rules in Section 8.  Then check_host() is evaluated with
+   the resulting string as the <domain>.  The <ip> and <sender>
+   arguments remain the same as current evaluation of check_host().
+
+   The result of this new evaluation of check_host() is then considered
+   the result of the current evaluation with the exception that if no
+   SPF record is found, or if the target-name is malformed, the result
+   is a "PermError" rather than "None".
+
+   Note that the newly-queried domain may itself specify redirect
+   processing.
+
+   This facility is intended for use by organizations that wish to apply
+   the same record to multiple domains.  For example:
+
+     la.example.com. TXT "v=spf1 redirect=_spf.example.com"
+     ny.example.com. TXT "v=spf1 redirect=_spf.example.com"
+     sf.example.com. TXT "v=spf1 redirect=_spf.example.com"
+   _spf.example.com. TXT "v=spf1 mx:example.com -all"
+
+   In this example, mail from any of the three domains is described by
+   the same record.  This can be an administrative advantage.
+
+   Note: In general, the domain "A" cannot reliably use a redirect to
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 25]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   another domain "B" not under the same administrative control.  Since
+   the <sender> stays the same, there is no guarantee that the record at
+   domain "B" will correctly work for mailboxes in domain "A",
+   especially if domain "B" uses mechanisms involving localparts.  An
+   "include" directive may be more appropriate.
+
+   For clarity it is RECOMMENDED that any "redirect" modifier appear as
+   the very last term in a record.
+
+6.2.  exp: Explanation
+
+   explanation      = "exp" "=" domain-spec
+
+   If check_host() results in a "Fail" due to a mechanism match (such as
+   "-all"), and the "exp" modifier is present, then the explanation
+   string returned is computed as described below.  If no "exp" modifier
+   is present, then either a default explanation string or an empty
+   explanation string may be returned.
+
+   The <domain-spec> is macro expanded (see Section 8) and becomes the
+   <target-name>.  The DNS TXT record for the <target-name> is fetched.
+
+   If <domain-spec> is empty, or there are any DNS processing errors
+   (any RCODE other than 0), or if no records are returned, or if more
+   than one record is returned, or if there are syntax errors in the
+   explanation string, then proceed as if no exp modifier was given.
+
+   The fetched TXT record's strings are concatenated with no spaces, and
+   then treated as an <explain-string> which is macro-expanded.  This
+   final result is the explanation string.  Implementations MAY limit
+   the length of the resulting explanation string to allow for other
+   protocol constraints and/or reasonable processing limits.  Since the
+   explanation string is intended for an SMTP response and [RFC2821]
+   section 2.4 says that responses are in [US-ASCII], the explanation
+   string is also limited to US-ASCII.
+
+   Software evaluating check_host() can use this string to communicate
+   information from the publishing domain in the form of a short message
+   or URL.  Software SHOULD make it clear that the explanation string
+   comes from a third party.  For example, it can prepend the macro
+   string "%{o} explains: " to the explanation, such as shown in
+   Section 2.5.4.
+
+   Suppose example.com has this record:
+
+      v=spf1 mx -all exp=explain._spf.%{d}
+
+   Here are some examples of possible explanation TXT records at
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 26]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   explain._spf.example.com:
+      "Mail from example.com should only be sent by its own servers."
+         -- a simple, constant message
+
+      "%{i} is not one of %{d}'s designated mail servers."
+         -- a message with a little more info, including the IP address
+            that failed the check
+
+      "See http://%{d}/why.html?s=%{S}&i=%{I}"
+         -- a complicated example that constructs a URL with the
+            arguments to check_host() so that a web page can be
+            generated with detailed, custom instructions
+
+   Note: During recursion into an "include" mechanism, an exp= modifier
+   from the <target-name> MUST NOT be used.  In contrast, when executing
+   a "redirect" modifier, an exp= modifier from the original domain MUST
+   NOT be used.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 27]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+7.  The Received-SPF header field
+
+   It is RECOMMENDED that SMTP receivers record the result of SPF
+   processing in the message headers.  If an SMTP receiver chooses to do
+   so, it SHOULD use the "Received-SPF" header defined here for each
+   identity that was checked.  This information is intended for the
+   recipient.  (Information intended for the sender is described in
+   Section 6.2, Explanation.)
+
+   The Received-SPF header is a trace field (see [RFC2822] section
+   3.6.7) and SHOULD be prepended to existing headers, above the
+   Received: header that is generated by the SMTP receiver.  It MUST
+   appear above any other Received-SPF headers in the message.  The
+   header has the format:
+
+   header           = "Received-SPF:" [CFWS] result FWS [comment FWS]
+                      [ key-value-list ] CRLF
+
+   result           = "Pass" / "Fail" / "SoftFail" / "Neutral" /
+                      "None" / "TempError" / "PermError"
+
+   key-value-list   = key-value-pair *( ";" [CFWS] key-value-pair )
+                      [";"]
+
+   key-value-pair   = key [CFWS] "=" ( dot-atom / quoted-string )
+
+   key              = "client-ip" / "envelope-from" / "helo" /
+                      "problem" / "receiver" / "identity" /
+                       mechanism / "x-" name / name
+
+   identity         = "mailfrom"   ; for the "MAIL FROM" identity
+                      / "helo"     ; for the "HELO" identity
+                      / name       ; other identities
+
+   dot-atom         = <unquoted word as per [RFC2822]>
+   quoted-string    = <quoted string as per [RFC2822]>
+   comment          = <comment string as per [RFC2822]>
+   CFWS             = <comment or folding white space as per [RFC2822]>
+   FWS              = <folding white space as per [RFC2822]>
+   CRLF             = <standard end-of-line token as per [RFC2822]>
+
+   The header SHOULD include a "(...)" style <comment> after the result,
+   conveying supporting information for the result, such as <ip>,
+   <sender> and <domain>.
+
+   The following key-value pairs are designed for later machine parsing.
+   SPF clients SHOULD give enough information so that the SPF results
+   can be verified.  That is, at least the "client-ip", "helo", and, if
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 28]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   the "MAIL FROM" identity was checked, the "envelope-from".
+
+   client-ip      the IP address of the SMTP client
+
+   envelope-from  the envelope sender mailbox
+
+   helo           the host name given in the HELO or EHLO command
+
+   mechanism      the mechanism that matched (if no mechanisms matched,
+                  substitute the word "default".)
+
+   problem        if an error was returned, details about the error
+
+   receiver       the host name of the SPF client
+
+   identity       the identity that was checked, see the <identity> ABNF
+                  rule.
+
+   Other keys may be defined by SPF clients.  Until a new key name
+   becomes widely accepted, new key names should start with "x-".
+
+   SPF clients MUST make sure that the Received-SPF header does not
+   contain invalid characters, is not excessively long, and does not
+   contain malicious data that has been provided by the sender.
+
+   Examples of various header styles that could be generated:
+
+   Received-SPF: Pass (mybox.example.org: domain of
+    myname@example.com designates 192.0.2.1 as permitted sender)
+       receiver=mybox.example.org; client-ip=192.0.2.1;
+       envelope-from=<myname@example.com>; helo=foo.example.com;
+
+
+   Received-SPF: Fail (mybox.example.org: domain of
+                     myname@example.com does not designate
+                     192.0.2.1 as permitted sender)
+                     identity=mailfrom; client-ip=192.0.2.1;
+                     envelope-from=<myname@example.com>;
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 29]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+8.  Macros
+
+8.1.  Macro definitions
+
+   Many mechanisms and modifiers perform macro expansion on part of the
+   term.
+
+   domain-spec      = macro-string domain-end
+   domain-end       = ( "." toplabel ) / macro-expand
+
+   toplabel         = ALPHA / ALPHA *[ alphanum / "-" ] alphanum
+                      ; LDH rule (See [RFC3696])
+   alphanum         = ALPHA / DIGIT
+
+   explain-string   = *( macro-string / SP )
+
+   macro-string     = *( macro-expand / macro-literal )
+   macro-expand     = ( "%{" macro-letter transformers *delimiter "}" )
+                      / "%%" / "%_" / "%-"
+   macro-literal    = %x21-24 / %x26-7E
+                      ; visible characters except "%"
+   macro-letter     = "s" / "l" / "o" / "d" / "i" / "p" / "h" /
+                      "c" / "r" / "t"
+   transformers     = *DIGIT [ "r" ]
+   delimiter        = "." / "-" / "+" / "," / "/" / "_" / "="
+
+   A literal "%" is expressed by "%%".
+
+      "%_" expands to a single " " space.
+      "%-" expands to a URL-encoded space, viz. "%20".
+
+   The following macro letters are expanded in term arguments:
+
+      s = <sender>
+      l = local-part of <sender>
+      o = domain of <sender>
+      d = <domain>
+      i = <ip>
+      p = the validated domain name of <ip>
+      v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6
+      h = HELO/EHLO domain
+
+   The following macro letters are only allowed in "exp" text:
+
+      c = SMTP client IP (easily readable format)
+      r = domain name of host performing the check
+      t = current timestamp
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 30]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   A '%' character not followed by a '{', '%', '-', or '_' character is
+   a syntax error.  So,
+
+      -exists:%(ir).sbl.spamhaus.example.org
+
+   is incorrect and will cause check_host() to return a "PermError".
+   Instead, say
+
+      -exists:%{ir}.sbl.spamhaus.example.org
+
+   Optional transformers are:
+
+      *DIGIT = zero or more digits
+      'r'    = reverse value, splitting on dots by default
+
+   If transformers or delimiters are provided, the replacement value for
+   a macro letter is split into parts.  After performing any reversal
+   operation and/or removal of left-hand parts, the parts are rejoined
+   using "." and not the original splitting characters.
+
+   By default, strings are split on "." (dots).  Note that no special
+   treatment is given to leading, trailing or consecutive delimiters,
+   and so the list of parts may contain empty strings.  Macros may
+   specify delimiter characters which are used instead of ".".
+
+   The 'r' transformer indicates a reversal operation: if the client IP
+   address were 192.0.2.1, the macro %{i} would expand to "192.0.2.1"
+   and the macro %{ir} would expand to "1.2.0.192".
+
+   The DIGIT transformer indicates the number of right-hand parts to
+   use, after optional reversal.  If a DIGIT is specified, the value
+   MUST be nonzero.  If no DIGITs are specified, or if the value
+   specifies more parts than are available, all the available parts are
+   used.  If the DIGIT was 5, and only 3 parts were available, the macro
+   interpreter would pretend the DIGIT was 3.  Implementations MUST
+   support at least a value of 128, as that is the maximum number of
+   labels in a domain name.
+
+   The "s" macro expands to the <sender> argument.  It is an e-mail
+   address with a localpart, an "@" character, and a domain.  The "l"
+   macro expands to just the localpart.  The "o" macro expands to just
+   the domain part.  Note that these values remain the same during
+   recursive and chained evaluations due to "include" and/or "redirect".
+   Note also that if the original <sender> had no localpart, the
+   localpart was set to "postmaster" in initial processing (see
+   Section 4.3).
+
+   For IPv4 addresses, both the "i" and "c" macros expand to the
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 31]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   standard dotted-quad format.
+
+   For IPv6 addresses, the "i" macro expands to a dot-format address; it
+   is intended for use in %{ir}.  The "c" macro may expand to any of the
+   hexadecimal colon-format addresses specified in [RFC3513] section
+   2.2.  It is intended for humans to read.
+
+   The "p" macro expands to the validated domain name of <ip>.  The
+   procedure for finding the validated domain name is defined in
+   Section 5.5.  If the <domain> is present in the list of validated
+   domains, it SHOULD be used.  Otherwise, if a subdomain of the
+   <domain> is present, it SHOULD be used.  Otherwise, any name from the
+   list may be used.  If there are no validated domain names or if a DNS
+   error occurs, the string "unknown" is used.
+
+   The "r" macro expands to the name of the receiving MTA.  This SHOULD
+   be a fully qualified domain name, but if one does not exist (as when
+   the checking is done by a MUA) or if policy restrictions dictate
+   otherwise, the word "unknown" SHOULD be substituted.  The domain name
+   may be different than the name found in the MX record that the client
+   MTA used to locate the receiving MTA.
+
+   The "t" macro expands to the decimal representation of the
+   approximate number of seconds since the Epoch (Midnight, January 1st,
+   1970, UTC).  This is the same value as is returned by the POSIX
+   time() function in most standards-compliant libraries.
+
+   When the result of macro expansion is used in a domain name query, if
+   the expanded domain name exceeds 253 characters (the maximum length
+   of a domain name), the left side is truncated to fit, by removing
+   successive domain labels until the total length does not exceed 253
+   characters.
+
+   Uppercased macros expand exactly as their lower case equivalents, and
+   are then URL escaped.  URL escaping must be performed for characters
+   not in the "uric" set, which is defined in [RFC3986].
+
+   Note: Care must be taken so that macro expansion for legitimate
+   e-mail does not exceed the 63 character limit on DNS labels.  The
+   localpart of e-mail addresses, in particular, can have more than 63
+   characters between dots.
+
+   Note: Domains should avoid using the "s", "l", "o", or "h" macros in
+   conjunction with any mechanism directive.  While these macros are
+   powerful and allow per-user records to be published, they severely
+   limit the ability of implementations to cache results of check_host()
+   and they reduce the effectiveness of DNS caches.
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 32]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   Implementations should be aware that if no directive processed during
+   the evaluation of check_host() contains an "s", "l", "o" or "h"
+   macro, then the results of the evaluation can be cached on the basis
+   of <domain> and <ip> alone for as long as the shortest TTL of all the
+   DNS records involved.
+
+8.2.  Expansion Examples
+
+      The <sender> is strong-bad@email.example.com.
+      The IPv4 SMTP client IP is 192.0.2.3.
+      The IPv6 SMTP client IP is 2001:DB8::CB01.
+      The PTR domain name of the client IP is mx.example.org.
+
+
+   macro                       expansion
+   -------  ----------------------------
+   %{s}     strong-bad@email.example.com
+   %{o}                email.example.com
+   %{d}                email.example.com
+   %{d4}               email.example.com
+   %{d3}               email.example.com
+   %{d2}                     example.com
+   %{d1}                             com
+   %{dr}               com.example.email
+   %{d2r}                  example.email
+   %{l}                       strong-bad
+   %{l-}                      strong.bad
+   %{lr}                      strong-bad
+   %{lr-}                     bad.strong
+   %{l1r-}                        strong
+
+   macro-string                                               expansion
+   --------------------------------------------------------------------
+   %{ir}.%{v}._spf.%{d2}             3.2.0.192.in-addr._spf.example.com
+   %{lr-}.lp._spf.%{d2}                  bad.strong.lp._spf.example.com
+
+   %{lr-}.lp.%{ir}.%{v}._spf.%{d2}
+                       bad.strong.lp.3.2.0.192.in-addr._spf.example.com
+
+   %{ir}.%{v}.%{l1r-}.lp._spf.%{d2}
+                           3.2.0.192.in-addr.strong.lp._spf.example.com
+
+   %{d2}.trusted-domains.example.net
+                                example.com.trusted-domains.example.net
+
+   IPv6:
+   %{ir}.%{v}._spf.%{d2}                               1.0.B.C.0.0.0.0.
+   0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6._spf.example.com
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 33]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+9.  Implications
+
+   This section outlines the major implications that adoption of this
+   document will have on various entities involved in Internet e-mail.
+   It is intended to make clear to the reader where this document
+   knowingly affects the operation of such entities.  This section is
+   not a "how-to" manual, nor a "best practices" document, and is not a
+   comprehensive list of what such entities should do in light of this
+   document.
+
+   This section is non-normative.
+
+9.1.  Sending Domains
+
+   Domains that wish to be compliant with this specification will need
+   to determine the list of hosts that they allow to use their domain
+   name in the "HELO" and "MAIL FROM" identities.  It is recognized that
+   forming such a list is not just a simple technical exercise, but
+   involves policy decisions with both technical and administrative
+   considerations.
+
+   It can be helpful to publish records that include a "tracking
+   exists:" mechanism.  By looking at the name server logs, a rough list
+   may then be generated.  For example:
+
+      v=spf1 exists:_h.%{h}._l.%{l}._o.%{o}._i.%{i}._spf.%{d} ?all
+
+9.2.  Mailing Lists
+
+   Mailing lists must be aware of how they re-inject mail that is sent
+   to the list.  Mailing lists MUST comply with the requirements in
+   [RFC2821] Section 3.10 and [RFC1123] Section 5.3.6 that say that the
+   reverse-path MUST be changed to be the mailbox of a person or other
+   entity who administers the list.  While the reasons for changing the
+   reverse-path are many and long standing, SPF adds enforcement to this
+   requirement.
+
+   In practice, almost all mailing list software in use already complies
+   with this requirement.  Mailing lists that do not comply may or may
+   not encounter problems depending on how access to the list is
+   restricted.  Such lists that are entirely internal to a domain (only
+   people in the domain can send to or receive from the list) are not
+   affected.
+
+9.3.  Forwarding Services and Aliases
+
+   Forwarding services take mail that is received at a mailbox and
+   direct it to some external mailbox.  At the time of this writing, the
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 34]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   near-universal practice of such services is to use the original "MAIL
+   FROM" of a message when re-injecting it for delivery to the external
+   mailbox.  [RFC1123] and [RFC2821] describe this action as an "alias"
+   rather than a "mail list".  This means the external mailbox's MTA
+   sees all such mail in a connection from a host of the forwarding
+   service, and so the "MAIL FROM" identity will not, in general, pass
+   authorization.
+
+   There are three places that techniques can be used to ameliorate this
+   problem.
+
+   1.  The beginning, when e-mail is first sent.
+
+       1.  "Neutral" results could be given for IP addresses that may be
+           forwarders, instead of "Fail" results.  For example:
+
+              "v=spf1 mx -exists:%{ir}.sbl.spamhaus.example.org ?all"
+
+           This would cause a lookup on an anti-spam DNS blocklist
+           (DNSBL) and cause a result of "Fail" only for e-mail coming
+           from listed sources.  All other e-mail, including e-mail sent
+           through forwarders, would receive a "Neutral" result.  By
+           checking the DNSBL after the known good sources, problems
+           with incorrect listing on the DNSBL are greatly reduced.
+
+       2.  The "MAIL FROM" identity could have additional information in
+           the localpart that cryptographically identifies the mail as
+           coming from an authorized source.  In this case, such an SPF
+           record could be used:
+
+              "v=spf1 mx exists:%{l}._spf_verify.%{d} -all"
+
+           Then, a specialized DNS server can be set up to serve the
+           _spf_verify subdomain which validates the localpart.  While
+           this requires an extra DNS lookup, this only happens when the
+           e-mail would otherwise be rejected as not coming from a known
+           good source.
+
+           Note that due to the 63 character limit for domain labels,
+           this approach only works reliably if the localpart signature
+           scheme is guaranteed either to only produce localparts with a
+           maximum of 63 characters or to gracefully handle truncated
+           localparts.
+
+       3.  Similarly, a specialized DNS server could be set up that will
+           rate-limit the e-mail coming from unexpected IP addresses.
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 35]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+              "v=spf1 mx exists:%{ir}._spf_rate.%{d} -all"
+
+       4.  SPF allows the creation of per-user policies for special
+           cases.  For example, the following SPF record and appropriate
+           wildcard DNS records can be used:
+
+              "v=spf1 mx redirect=%{l1r+}._at_.%{o}._spf.%{d}"
+
+   2.  The middle, when e-mail is forwarded.
+
+       1.  Forwarding services can solve the problem by rewriting the
+           "MAIL FROM" to be in their own domain.  This means that mail
+           bounced from the external mailbox will have to be re-bounced
+           by the forwarding service.  Various schemes to do this exist
+           though they vary widely in complexity and resource
+           requirements on the part of the forwarding service.
+
+       2.  Several popular MTAs can be forced from "alias" semantics to
+           "mailing list" semantics by configuring an additional alias
+           with "owner-" prepended to the original alias name (e.g. an
+           alias of "friends: george@example.com, fred@example.org"
+           would need another alias of the form "owner-friends:
+           localowner").
+
+   3.  The end, when e-mail is received.
+
+       1.  If the owner of the external mailbox wishes to trust the
+           forwarding service, they can direct the external mailbox's
+           MTA to skip SPF tests when the client host belongs to the
+           forwarding service.
+
+       2.  Tests against other identities, such as the "HELO" identity,
+           may be used to override a failed test against the "MAIL FROM"
+           identity.
+
+       3.  For larger domains, it may not be possible to have a complete
+           or accurate list of forwarding services used by the owners of
+           the domain's mailboxes.  In such cases, whitelists of
+           generally-recognized forwarding services could be employed.
+
+9.4.  Mail Services
+
+   Service providers that offer mail services to third-party domains,
+   such as sending of bulk mail, may have to adjust their setup in light
+   of the authorization check described in this document.  If the "MAIL
+   FROM" identity used for such e-mail uses the domain of the service
+   provider, then the provider needs only to ensure that their sending
+   host is authorized by their own SPF record, if any.
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 36]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   If the "MAIL FROM" identity does not use the mail service provider's
+   domain, then extra care must be taken.  The SPF record format has
+   several options for the third party domain to authorize the service
+   provider's MTAs to send mail on its behalf.  For mail service
+   providers, such as ISPs, that have a wide variety of customers using
+   the same MTA, steps should be taken to prevent cross-customer forgery
+   (see Section 10.4).
+
+9.5.  MTA Relays
+
+   The authorization check generally precludes the use of arbitrary MTA
+   relays between sender and receiver of an e-mail message.
+
+   Within an organization, MTA relays can be effectively deployed.
+   However, for purposes of this document, such relays are effectively
+   transparent.  The SPF authorization check is a check between border
+   MTAs of different domains.
+
+   For mail senders, this means that published SPF records must
+   authorize any MTAs that actually send across the Internet.  Usually,
+   these are just the border MTAs as internal MTAs simply forward mail
+   to these MTAs for delivery.
+
+   Mail receivers will generally want to perform the authorization check
+   at the border MTAs, specifically including all secondary MXes.  This
+   allows mail that fails to be rejected during the SMTP session rather
+   than bounced.  Internal MTAs then do not perform the authorization
+   test.  To perform the authorization test other than at the border,
+   the host that first transferred the message to the organization must
+   be determined, which can be difficult to extract from headers.
+   Testing other than at the border is not recommended.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 37]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+10.  Security Considerations
+
+10.1.  Processing Limits
+
+   As with most aspects of e-mail, there are a number of ways that
+   malicious parties could use the protocol as an avenue for a Denial-
+   of-Service (DoS) attack.  The processing limits outlined here are
+   designed to prevent attacks such as:
+
+   o  A malicious party could create an SPF record with many references
+      to a victim's domain and send many e-mails to different SPF
+      clients; those SPF clients would then create a DoS attack.  In
+      effect, the SPF clients are being used to amplify the attacker's
+      bandwidth by using fewer bytes in the SMTP session than are used
+      by the DNS queries.  Using SPF clients also allows the attacker to
+      hide the true source of the attack.
+
+   o  While implementations of check_host() are supposed to limit the
+      number of DNS lookups, malicious domains could publish records
+      that exceed these limits in an attempt to waste computation effort
+      at their targets when they send them mail.  Malicious domains
+      could also design SPF records that cause particular
+      implementations to use excessive memory or CPU usage, or to
+      trigger bugs.
+
+   o  Malicious parties could send a large volume of mail purporting to
+      come from the intended target to a wide variety of legitimate mail
+      hosts.  These legitimate machines would then present a DNS load on
+      the target as they fetched the relevant records.
+
+   Of these, the case of a third party referenced in the SPF record is
+   the easiest for a DoS attack to effectively exploit.  As a result,
+   limits that may seem reasonable for an individual mail server can
+   still allow an unreasonable amount of bandwidth amplification.
+   Therefore the processing limits need to be quite low.
+
+   SPF implementations MUST limit the number of mechanisms and modifiers
+   that do DNS lookups to at most 10 per SPF check, including any
+   lookups caused by the use of the "include" mechanism or the
+   "redirect" modifier.  If this number is exceeded during a check, a
+   PermError MUST be returned.  The "include", "a", "mx", "ptr", and
+   "exists" mechanisms as well as the "redirect" modifier do count
+   against this limit.  The "all", "ip4" and "ip6" mechanisms do not
+   require DNS lookups and therefore do not count against this limit.
+   The "exp" modifier does not count against this limit because the DNS
+   lookup to fetch the explanation string occurs after the SPF record
+   has been evaluated.
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 38]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   When evaluating the "mx" and "ptr" mechanisms, or the %{p} macro,
+   there MUST be a limit of no more than 10 MX or PTR RRs looked up and
+   checked.
+
+   SPF implementations SHOULD limit the total amount of data obtained
+   from the DNS queries.  For example, when DNS over TCP or EDNS0 are
+   available, there may need to be an explicit limit to how much data
+   will be accepted to prevent excessive bandwidth usage or memory
+   usage, and DoS attacks.
+
+   MTAs or other processors MAY also impose a limit on the maximum
+   amount of elapsed time to evaluate check_host().  Such a limit SHOULD
+   allow at least 20 seconds.  If such a limit is exceeded, the result
+   of authorization SHOULD be "TempError".
+
+   Domains publishing records SHOULD try to keep the number of "include"
+   mechanisms and chained "redirect" modifiers to a minimum.  Domains
+   SHOULD also try to minimize the amount of other DNS information
+   needed to evaluate a record.  This can be done by choosing directives
+   that require less DNS information and placing lower-cost mechanisms
+   earlier in the SPF record.
+
+   For example, consider a domain set up as:
+
+   example.com.      IN MX   10 mx.example.com.
+   mx.example.com.   IN A    192.0.2.1
+   a.example.com.    IN TXT  "v=spf1 mx:example.com -all"
+   b.example.com.    IN TXT  "v=spf1 a:mx.example.com -all"
+   c.example.com.    IN TXT  "v=spf1 ip4:192.0.2.1 -all"
+
+   Evaluating check_host() for the domain "a.example.com" requires the
+   MX records for "example.com", and then the A records for the listed
+   hosts.  Evaluating for "b.example.com" only requires the A records.
+   Evaluating for "c.example.com" requires none.
+
+   However, there may be administrative considerations: using "a" over
+   "ip4" allows hosts to be renumbered easily.  Using "mx" over "a"
+   allows the set of mail hosts to be changed easily.
+
+10.2.  SPF-Authorized E-Mail May Be UBE
+
+   The "MAIL FROM" and "HELO" identity authorizations must not be
+   construed to provide more assurance than they do.  It is entirely
+   possible for a malicious sender to inject a message using their own
+   domain in the identities used by SPF, to have that domain's SPF
+   record authorize the sending host, and yet the message content can
+   easily claim other identities in the headers.  Unless the user or the
+   MUA takes care to note that the authorized identity does not match
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 39]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   the other more commonly-presented identities (such as the From:
+   header), the user may be lulled into a false sense of security.
+
+10.3.  Spoofed DNS and IP Data
+
+   There are two aspects of this protocol that malicious parties could
+   exploit to undermine the validity of the check_host() function:
+
+   o  The evaluation of check_host() relies heavily on DNS.  A malicious
+      attacker could attack the DNS infrastructure and cause
+      check_host() to see spoofed DNS data, and then return incorrect
+      results.  This could include returning "Pass" for an <ip> value
+      where the actual domain's record would evaluate to "Fail".  See
+      [RFC3833] for a description of the DNS weaknesses.
+
+   o  The client IP address, <ip>, is assumed to be correct.  A
+      malicious attacker could spoof TCP sequence numbers to make mail
+      appear to come from a permitted host for a domain that the
+      attacker is impersonating.
+
+10.4.  Cross-User Forgery
+
+   By definition, SPF policies just map domain names to sets of
+   authorized MTAs, not whole e-mail addresses to sets of authorized
+   users.  Although the "l" macro (Section 8) provides a limited way to
+   define individual sets of authorized MTAs for specific e-mail
+   addresses, it is generally impossible to verify, through SPF, the use
+   of specific e-mail addresses by individual users of the same MTA.
+
+   It is up to mail services and their MTAs to directly prevent cross-
+   user forgery: based on SMTP AUTH ([RFC2554]), users should be
+   restricted to using only those e-mail addresses that are actually
+   under their control (see [I-D.gellens-submit-bis] section 6.1).
+   Another means to verify the identity of individual users is message
+   cryptography such as PGP ([RFC2440]) or S/MIME ([RFC3851]).
+
+10.5.  Untrusted Information Sources
+
+   SPF uses information supplied by third parties, such as the "HELO"
+   domain name, the "MAIL FROM" address, and SPF records.  This
+   information is then passed to the receiver in the Received-SPF: mail
+   headers and possibly returned to the client MTA in the form of an
+   SMTP rejection message.  This information must be checked for invalid
+   characters and excessively long lines.
+
+   When the authorization check fails, an explanation string may be
+   included in the reject response.  Both the sender and the rejecting
+   receiver need to be aware that the explanation was determined by the
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 40]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   publisher of the SPF record checked and, in general, not the
+   receiver.  The explanation may contain malicious URLs, or it may be
+   offensive or misleading.
+
+   This is probably less of a concern than it may initially seem since
+   such messages are returned to the sender, and the explanation strings
+   come from the sender policy published by the domain in the identity
+   claimed by that very sender.  As long as the DSN is not redirected to
+   someone other than the actual sender, the only people who see
+   malicious explanation strings are people whose messages claim to be
+   from domains that publish such strings in their SPF records.  In
+   practice DSNs can be misdirected, such as when an MTA accepts an
+   e-mail and then later generates a DSN to a forged address, or when an
+   e-mail forwarder does not direct the DSN back to the original sender.
+
+10.6.  Privacy Exposure
+
+   Checking SPF records causes DNS queries to be sent to the domain
+   owner.  These DNS queries, especially if they are caused by the
+   "exists" mechanism, can contain information about who is sending
+   e-mail and likely to which MTA the e-mail is being sent to.  This can
+   introduce some privacy concerns, which may be more or less of an
+   issue depending on local laws and the relationship between the domain
+   owner and the person sending the e-mail.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 41]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+11.  Contributors and Acknowledgements
+
+   This document is largely based on the work of Meng Weng Wong and Mark
+   Lentczner.  While, as this section acknowledges, many people have
+   contributed to this document, a very large portion of the writing and
+   editing are due to Meng and Mark.
+
+   This design owes a debt of parentage to [RMX] by Hadmut Danisch and
+   to [DMP] by Gordon Fecyk.  The idea of using a DNS record to check
+   the legitimacy of an e-mail address traces its ancestry farther back
+   through messages on the namedroppers mailing list by Paul Vixie
+   [Vixie] (based on suggestion by Jim Miller) and by David Green
+   [Green].
+
+   Philip Gladstone contributed the concept of macros to the
+   specification, multiplying the expressiveness of the language and
+   making per-user and per-IP lookups possible.
+
+   The authors would also like to thank the literally hundreds of
+   individuals who have participated in the development of this design.
+   They are far too numerous to name, but they include:
+
+      The folks on the spf-discuss mailing list.
+      The folks on the SPAM-L mailing list.
+      The folks on the IRTF ASRG mailing list.
+      The folks on the IETF MARID mailing list.
+      The folks on #perl.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 42]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+12.  IANA Considerations
+
+12.1.  The SPF DNS Record Type
+
+   The IANA needs to assign a new Resource Record Type and Qtype from
+   the DNS Parameters Registry for the SPF RR type.
+
+12.2.  The Received-SPF mail header
+
+   Per [RFC3864], the "Received-SPF:" header field is added to the IANA
+   Permanent Message Header Field Registry.  The following is the
+   registration template:
+
+      Header field name: Received-SPF
+      Applicable protocol: mail ([RFC2822])
+      Status: standard
+      (Note to RFC Editor: Replace the status with the final
+      determination by the IESG)
+      Author/Change controller: IETF
+      Specification document(s): this Internet Draft
+      (Note to RFC Editor: Replace this with RFC YYYY (RFC number of
+      this spec))
+      Related information:
+      Requesting SPF Council review of any proposed changes and
+      additions to this field is recommended.  For information about SPF
+      Council see http://spf.mehnle.net/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 43]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+13.  References
+
+13.1  Normative References
+
+   [RFC1035]  Mockapetris, P., "Domain names - implementation and
+              specification", STD 13, RFC 1035, November 1987.
+
+   [RFC1123]  Braden, R., "Requirements for Internet Hosts - Application
+              and Support", STD 3, RFC 1123, October 1989.
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [I-D.crocker-abnf-rfc2234bis]
+              Crocker, D. and P. Overell, "Augmented BNF for Syntax
+              Specifications: ABNF", draft-crocker-abnf-rfc2234bis-00
+              (work in progress), March 2005.
+
+   [RFC2821]  Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
+              April 2001.
+
+   [RFC2822]  Resnick, P., "Internet Message Format", RFC 2822,
+              April 2001.
+
+   [RFC3464]  Moore, K. and G. Vaudreuil, "An Extensible Message Format
+              for Delivery Status Notifications", RFC 3464,
+              January 2003.
+
+   [RFC3513]  Hinden, R. and S. Deering, "Internet Protocol Version 6
+              (IPv6) Addressing Architecture", RFC 3513, April 2003.
+
+   [RFC3864]  Klyne, G., Nottingham, M., and J. Mogul, "Registration
+              Procedures for Message Header Fields", BCP 90, RFC 3864,
+              September 2004.
+
+   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
+              Resource Identifier (URI): Generic Syntax", STD 66,
+              RFC 3986, January 2005.
+
+   [US-ASCII]
+              American National Standards Institute (formerly United
+              States of America Standards Institute), "USA Code for
+              Information Interchange, X3.4", 1968.
+
+              ANSI X3.4-1968 has been replaced by newer versions with
+              slight modifications, but the 1968 version remains
+              definitive for the Internet.
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 44]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+13.2  Informative References
+
+   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
+              STD 13, RFC 1034, November 1987.
+
+   [RFC1983]  Malkin, G., "Internet Users' Glossary", RFC 1983,
+              August 1996.
+
+   [RFC2440]  Callas, J., Donnerhacke, L., Finney, H., and R. Thayer,
+              "OpenPGP Message Format", RFC 2440, November 1998.
+
+   [I-D.gellens-submit-bis]
+              Gellens, R. and J. Klensin, "Message Submission for Mail",
+              draft-gellens-submit-bis-02 (work in progress),
+              April 2005.
+
+   [RFC2554]  Myers, J., "SMTP Service Extension for Authentication",
+              RFC 2554, March 1999.
+
+   [RFC3696]  Klensin, J., "Application Techniques for Checking and
+              Transformation of Names", RFC 3696, February 2004.
+
+   [RFC3833]  Atkins, D. and R. Austein, "Threat Analysis of the Domain
+              Name System (DNS)", RFC 3833, August 2004.
+
+   [RFC3851]  Ramsdell, B., "Secure/Multipurpose Internet Mail
+              Extensions (S/MIME) Version 3.1 Message Specification",
+              RFC 3851, July 2004.
+
+   [RMX]      Danish, H., "The RMX DNS RR Type for light weight sender
+              authentication", October 2003.
+
+              Work In Progress
+
+   [DMP]      Fecyk, G., "Designated Mailers Protocol", December 2003.
+
+              Work In Progress
+
+   [Vixie]    Vixie, P., "Repudiating MAIL FROM", 2002.
+
+   [Green]    Green, D., "Domain-Authorized SMTP Mail", 2002.
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 45]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+Appendix A.  Collected ABNF
+
+   This section is normative and any discrepancies with the ABNF
+   fragments in the preceding text are to be resolved in favor of this
+   grammar.
+
+   See [I-D.crocker-abnf-rfc2234bis] for ABNF notation.  Please note
+   that as per this ABNF definition, literal text strings (those in
+   quotes) are case-insensitive.  Hence, "mx" matches "mx", "MX", "mX"
+   and "Mx".
+
+   record           = version terms *SP
+   version          = "v=spf1"
+
+   terms            = *( 1*SP ( directive / modifier ) )
+
+   directive        = [ qualifier ] mechanism
+   qualifier        = "+" / "-" / "?" / "~"
+   mechanism        = ( all / include
+                      / A / MX / PTR / IP4 / IP6 / exists )
+
+   all              = "all"
+   include          = "include"  ":" domain-spec
+   A                = "a"      [ ":" domain-spec ] [ dual-cidr-length ]
+   MX               = "mx"     [ ":" domain-spec ] [ dual-cidr-length ]
+   PTR              = "ptr"    [ ":" domain-spec ]
+   IP4              = "ip4"      ":" ip4-network   [ ip4-cidr-length ]
+   IP6              = "ip6"      ":" ip6-network   [ ip6-cidr-length ]
+   exists           = "exists"   ":" domain-spec
+
+   modifier         = redirect / explanation / unknown-modifier
+   redirect         = "redirect" "=" domain-spec
+   explanation      = "exp" "=" domain-spec
+   unknown-modifier = name "=" macro-string
+
+   ip4-cidr-length  = "/" 1*DIGIT
+   ip6-cidr-length  = "/" 1*DIGIT
+   dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
+
+   ip4-network      = qnum "." qnum "." qnum "." qnum
+   qnum             = DIGIT                 ; 0-9
+                      / %x31-39 DIGIT       ; 10-99
+                      / "1" 2DIGIT          ; 100-199
+                      / "2" %x30-34 DIGIT   ; 200-249
+                      / "25" %x30-35        ; 250-255
+             ; conventional dotted quad notation.  e.g. 192.0.2.0
+   ip6-network      = <as per [RFC 3513], section 2.2>
+             ; e.g. 2001:DB8::CD30
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 46]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   domain-spec      = macro-string domain-end
+   domain-end       = ( "." toplabel ) / macro-expand
+   toplabel         = ALPHA / ALPHA *[ alphanum / "-" ] alphanum
+                      ; LDH rule (See [RFC3696])
+   alphanum         = ALPHA / DIGIT
+
+   explain-string   = *( macro-string / SP )
+
+   macro-string     = *( macro-expand / macro-literal )
+   macro-expand     = ( "%{" macro-letter transformers *delimiter "}" )
+                      / "%%" / "%_" / "%-"
+   macro-literal    = %x21-24 / %x26-7E
+                      ; visible characters except "%"
+   macro-letter     = "s" / "l" / "o" / "d" / "i" / "p" / "h" /
+                      "c" / "r" / "t"
+   transformers     = *DIGIT [ "r" ]
+   delimiter        = "." / "-" / "+" / "," / "/" / "_" / "="
+
+   name             = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
+
+   header           = "Received-SPF:" [CFWS] result FWS [comment FWS]
+                      [ key-value-list ] CRLF
+
+   result           = "Pass" / "Fail" / "SoftFail" / "Neutral" /
+                      "None" / "TempError" / "PermError"
+
+   key-value-list   = key-value-pair *( ";" [CFWS] key-value-pair )
+                      [";"]
+
+   key-value-pair   = key [CFWS] "=" ( dot-atom / quoted-string )
+
+   key              = "client-ip" / "envelope-from" / "helo" /
+                      "problem" / "receiver" / "identity" /
+                       mechanism / "x-" name / name
+
+   identity         = "mailfrom"   ; for the "MAIL FROM" identity
+                      / "helo"     ; for the "HELO" identity
+                      / name       ; other identities
+
+   dot-atom         = <unquoted word as per [RFC2822]>
+   quoted-string    = <quoted string as per [RFC2822]>
+   comment          = <comment string as per [RFC2822]>
+   CFWS             = <comment or folding white space as per [RFC2822]>
+   FWS              = <folding white space as per [RFC2822]>
+   CRLF             = <standard end-of-line token as per [RFC2822]>
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 47]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+Appendix B.  Extended Examples
+
+   These examples are based on the following DNS setup:
+
+   ; A domain with two mail servers, two hosts
+   ; and two servers at the domain name
+   $ORIGIN example.com.
+   @           MX  10 mail-a
+               MX  20 mail-b
+               A   192.0.2.10
+               A   192.0.2.11
+   amy         A   192.0.2.65
+   bob         A   192.0.2.66
+   mail-a      A   192.0.2.129
+   mail-b      A   192.0.2.130
+   www         CNAME example.com.
+
+   ; A related domain
+   $ORIGIN example.org.
+   @           MX  10 mail-c
+   mail-c      A   192.0.2.140
+
+   ; The reverse IP for those addresses
+   $ORIGIN 2.0.192.in-addr.arpa.
+   10          PTR example.com.
+   11          PTR example.com.
+   65          PTR amy.example.com.
+   66          PTR bob.example.com.
+   129         PTR mail-a.example.com.
+   130         PTR mail-b.example.com.
+   140         PTR mail-c.example.org.
+
+   ; A rogue reverse IP domain that claims to be
+   ; something it's not
+   $ORIGIN 0.0.10.in-addr.arpa.
+   4           PTR bob.example.com.
+
+B.1.  Simple Examples
+
+   These examples show various possible published records for
+   example.com and which values if <ip> would cause check_host() to
+   return "Pass".  Note that <domain> is "example.com".
+
+   v=spf1 +all
+      -- any <ip> passes
+
+   v=spf1 a -all
+      -- hosts 192.0.2.10 and 192.0.2.11 pass
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 48]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   v=spf1 a:example.org -all
+      -- no sending hosts pass since example.org has no A records
+
+   v=spf1 mx -all
+      -- sending hosts 192.0.2.129 and 192.0.2.130 pass
+
+   v=spf1 mx:example.org -all
+      -- sending host 192.0.2.140 passes
+
+   v=spf1 mx mx:example.org -all
+      -- sending hosts 192.0.2.129, 192.0.2.130, and 192.0.2.140 pass
+
+   v=spf1 mx/30 mx:example.org/30 -all
+      -- any sending host in 192.0.2.128/30 or 192.0.2.140/30 passes
+
+   v=spf1 ptr -all
+      -- sending host 192.0.2.65 passes (reverse DNS is valid and is in
+         example.com)
+      -- sending host 192.0.2.140 fails (reverse DNS is valid, but not
+         in example.com)
+      -- sending host 10.0.0.4 fails (reverse IP is not valid)
+
+   v=spf1 ip4:192.0.2.128/28 -all
+      -- sending host 192.0.2.65 fails
+      -- sending host 192.0.2.129 passes
+
+B.2.  Multiple Domain Example
+
+   These examples show the effect of related records:
+
+      example.org: "v=spf1 include:example.com include:example.net -all"
+
+   This record would be used if mail from example.org actually came
+   through servers at example.com and example.net.  Example.org's
+   designated servers are the union of example.com's and example.net's
+   designated servers.
+
+      la.example.org: "v=spf1 redirect=example.org"
+      ny.example.org: "v=spf1 redirect=example.org"
+      sf.example.org: "v=spf1 redirect=example.org"
+
+   These records allow a set of domains that all use the same mail
+   system to make use of that mail system's record.  In this way, only
+   the mail system's record needs to be updated when the mail setup
+   changes.  These domains' records never have to change.
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 49]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+B.3.  DNSBL Style Example
+
+   Imagine that, in addition to the domain records listed above, there
+   are these:
+
+   $ORIGIN _spf.example.com.
+   mary.mobile-users                   A 127.0.0.2
+   fred.mobile-users                   A 127.0.0.2
+   15.15.168.192.joel.remote-users     A 127.0.0.2
+   16.15.168.192.joel.remote-users     A 127.0.0.2
+
+   The following records describe users at example.com who mail from
+   arbitrary servers, or who mail from personal servers.
+
+   example.com:
+
+   v=spf1 mx
+          include:mobile-users._spf.%{d}
+          include:remote-users._spf.%{d}
+          -all
+
+   mobile-users._spf.example.com:
+
+   v=spf1 exists:%{l1r+}.%{d}
+
+   remote-users._spf.example.com:
+
+   v=spf1 exists:%{ir}.%{l1r+}.%{d}
+
+B.4.  Multiple Requirements Example
+
+   Say that your sender policy requires that both the IP address is
+   within a certain range and that the reverse DNS for the IP matches.
+   This can be done several ways, including:
+
+   example.com.           SPF  ( "v=spf1 "
+                                 "-include:ip4._spf.%{d} "
+                                 "-include:ptr._spf.%{d} "
+                                 "+all" )
+   ip4._spf.example.com.  SPF  "v=spf1 -ip4:192.0.2.0/24 +all"
+   ptr._spf.example.com.  SPF  "v=spf1 -ptr +all"
+
+   This example shows how the "-include" mechanism can be useful, how an
+   SPF record that ends in "+all" can be very restrictive and the use of
+   De Morgan's Law.
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 50]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+Appendix C.  Change Log
+
+   RFC Editor Note: This section is to be removed during the final
+   publication of the document.
+
+C.1.  Changes in Version -02
+
+   o  The abstract notes that SPF-classic covers both the HELO and MAIL
+      FROM identities. (ietf-822 review)
+
+   o  In section 2.3 "Publishing Authorization", it now makes it clear
+      that publishing is optional. (ietf-smtp review)
+
+   o  The definition of the "SoftFail" result have been recast from
+      Receiver Policy to Sender Policy.
+
+   o  The definitions of Neutral, Pass and PermError have been updated/
+      clarified to more correctly reflect the semantics of
+      draft-mengwong-spf-01.
+
+   o  A note to the RFC editor was made indicating that the SPF DNS RR
+      type number should be added to the draft once the IANA has made an
+      allocation.
+
+   o  The ip4-network ABNF has been fixed to give the ABNF of the
+      dotted-quad format, rather than just using words to explain it.
+
+   o  The ABNF for the Received-SPF header now shows that it ends with a
+      CRLF. (ietf-822 review)
+
+   o  The new, optional, "scope" keyword-value pair has been renamed to
+      "identity".
+
+   o  The "exp=" modifier no longer counts toward the DoS DNS lookup
+      limits.
+
+   o  In section 10.5 "Untrusted Information Sources", the explanation
+      about explanation strings going to only the sender has been fixed
+      to note that, in some cases, it can go to other people. (ietf-822
+      review)
+
+   o  Sections 3.1.2 and 3.1.3 were updated to make the distinction
+      between "multiple TXT RRs" and "multiple strings within a TXT"
+      clearer. (ietf-822 review)
+
+   o  A normative reference to US-ASCII has been added.
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 51]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   o  Text describing how to lookup and process the SPF records has been
+      removed from section 3.1.1 "DNS Resource Record Types" and merged
+      into similar text in sections 4.4 "Record Lookup" and 4.5
+      "Selecting Records"
+
+   o  Section 4.5 "Selecting Records" has been updated to give an
+      algorithm that says to return a PermError when it discovers that
+      SPF and TXT records don't match.
+
+   o  In section 6.1 "redirect: Redirected Query", the semantics have
+      been changed to specify a result of PermError instead of None in
+      cases where the target domain does not have any SPF records.  It
+      makes no sense to return None, that is "no SPF records found",
+      when SPF records were found.
+
+   o  In section 6.2 "exp: Explanation", it is explained that the record
+      must be in US-ASCII due to requirements of RFC2821.
+
+   o  In section 6.2 "exp: Explanation", the duplicate warning about
+      source being from a third party was deleted.
+
+   o  A note has been added to section 9.3.1.2 warning about domain
+      labels being over 63 characters.
+
+   o  The "prefix" ABNF rule was renamed to "qualifier" to reflect the
+      semantics of the rule, rather than the syntax.
+
+C.2.  Changes in Version -01
+
+   o  IETF boilerplate was updated to BCP 79.
+
+   o  A version number was added to the title.  (IESG review)
+
+   o  Many grammatical, typographical and spelling errors were
+      corrected, along with rephrasing sentences to make the intent and
+      meaning clearer.
+
+   o  Sections have been re-ordered in so that they conform to the
+      instructions2authors.txt document.  All required sections and
+      arrangements are included, and only the "Security Considerations"
+      section is not in the suggested order.  Since the Security
+      Considerations is such an important part of the spec, it has been
+      moved before the Acknowledgement section.
+
+   o  The HELO identity checking has been changed from "MAY" to
+      "RECOMMENDED".
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 52]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   o  The e-mail receiver policy definition on how to handle HELO
+      checking was removed.  It was copied incorrectly from
+      draft-mengwong-spf-01, changing its meaning.
+
+   o  A note was added that when changing SPF records, there needs to be
+      a transitional period to prevent incorrect results.
+
+   o  The RECOMMENDATION not to use other identities with version 1 SPF
+      records has been clarified.  Example cases where checking other
+      identities will cause incorrect results have been cited.  (IESG
+      review)
+
+   o  The "zone cut" method of determining if there is an SPF record at
+      the top of the zone has been removed.  It wasn't implemented very
+      often and could not always be easily done.  (IESG/namedroppers'
+      review)
+
+   o  A note was added that receivers should consider rejecting e-mail
+      for non-existent domains in order to prevent circumvention of SPF
+      policies.  This is due to the remove of "zone cuts".
+      (namedroppers' review)
+
+   o  The RECOMMENDATION to perform SPF checks during the SMTP session
+      has been clarified and strengthened.
+
+   o  Note added about the consequences of treating "Neutral" results
+      worse than "None".
+
+   o  The suggested e-mail receiver policy when a "PermError" is
+      encountered has been changed to be, effectively, the same
+      semantics as were in draft-mengwong-spf-01.  (MAAWG review)
+
+   o  ABNF cleaned up to pass Bill Fenner's checker and not just the one
+      at http://www.apps.ietf.org/abnf.html
+
+   o  A few host names/IP addresses were fixed to use appropriate ones
+      for I-Ds.
+
+   o  A definition of what to should be done if there are syntax errors
+      in the explanation string was added.  (E.g. use the default.)
+
+   o  Section 10 "Security Considerations" has been broken up into
+      subsections and reorganized.
+
+   o  Section 7.1 "Process Limits" has been merged into the similar
+      language in the "Security Considerations" section.
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 53]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+   o  The ABNF for the Received-SPF e-mail header has been made to be
+      more compatible with draft-mengwong-spf-01.  It was fixed to
+      require whitespace when needed and to show where the suggested
+      comment should be added to the header.
+
+   o  The IANA Considerations section now has the required information
+      to document the Received-SPF header.
+
+   o  A new, optional, "scope" keyword has added to the Received-SPF
+      header.
+
+   o  The non-normative Section 9.3 "Forwarding Services and Aliases"
+      has been expanded to more thoroughly cover the subject.
+
+   o  New Security Considerations sections on "Privacy Exposure" and
+      "Cross-User Forgery" have been added.
+
+   o  A new example of an SPF policy with a non-obvious implementation
+      has been added.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 54]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+Authors' Addresses
+
+   Meng Weng Wong
+   Singapore
+
+   Email: mengwong+spf@pobox.com
+   URI:   http://spf.pobox.com/
+
+
+   Wayne Schlitt
+   4615 Meredeth #9
+   Lincoln Nebraska, NE  68506
+   United States of America
+
+   Email: wayne@schlitt.net
+   URI:   http://www.schlitt.net/spf/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 55]
+
+Internet-Draft        Sender Policy Framework (SPF)            June 2005
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+   Copyright (C) The Internet Society (2005).  This document is subject
+   to the rights, licenses and restrictions contained in BCP 78, and
+   except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+Wong & Schlitt          Expires December 8, 2005               [Page 56]
+
diff --git a/contrib/bind9/doc/misc/Makefile.in b/contrib/bind9/doc/misc/Makefile.in
index 81f13be..4251994 100644
--- a/contrib/bind9/doc/misc/Makefile.in
+++ b/contrib/bind9/doc/misc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.12.3 2004/03/08 09:04:25 marka Exp $
+# $Id: Makefile.in,v 1.3.18.2 2007/01/30 23:52:53 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -30,7 +30,18 @@ doc man:: ${MANOBJS}
 docclean manclean maintainer-clean::
 	rm -f options
 
-options: ../../bin/tests/cfg_test
-	../../bin/tests/cfg_test --named --grammar | \
-		${PERL} ${srcdir}/format-options.pl >options || \
-		rm -f options
+# Do not make options depend on ../../bin/tests/cfg_test, doing so
+# will cause excessively clever versions of make to attempt to build
+# that program right here, right now, if it is missing, which will
+# cause make doc to bomb.
+
+CFG_TEST = ../../bin/tests/cfg_test
+
+options: FORCE
+	if test -x ${CFG_TEST} && \
+	   ${CFG_TEST} --named --grammar | \
+	   ${PERL} ${srcdir}/format-options.pl >$@.new ; then \
+		mv -f $@.new $@ ; \
+	else \
+		rm -f $@.new ; \
+	fi
diff --git a/contrib/bind9/doc/misc/dnssec b/contrib/bind9/doc/misc/dnssec
index 79d91cf..4451e6c 100644
--- a/contrib/bind9/doc/misc/dnssec
+++ b/contrib/bind9/doc/misc/dnssec
@@ -81,4 +81,4 @@ future as we consider them inferior to the use of TSIG or SIG(0) to
 ensure the integrity of zone transfers.
 
 
-$Id: dnssec,v 1.14.2.6.4.4 2004/03/08 09:04:25 marka Exp $
+$Id: dnssec,v 1.19 2004/03/05 05:04:53 marka Exp $
diff --git a/contrib/bind9/doc/misc/format-options.pl b/contrib/bind9/doc/misc/format-options.pl
index 5f0975a..70b334e 100644
--- a/contrib/bind9/doc/misc/format-options.pl
+++ b/contrib/bind9/doc/misc/format-options.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: format-options.pl,v 1.1.206.1 2004/03/06 13:16:19 marka Exp $
+# $Id: format-options.pl,v 1.2 2004/03/05 05:04:53 marka Exp $
 
 print <<END;
 
diff --git a/contrib/bind9/doc/misc/ipv6 b/contrib/bind9/doc/misc/ipv6
index dd96cd2..aeba275 100644
--- a/contrib/bind9/doc/misc/ipv6
+++ b/contrib/bind9/doc/misc/ipv6
@@ -110,4 +110,4 @@ RELEVANT RFCs
 3542:  Advanced Sockets Application Program Interface (API) for IPv6
 
 
-$Id: ipv6,v 1.5.206.4 2004/08/10 04:28:15 jinmei Exp $
+$Id: ipv6,v 1.6.18.3 2004/08/10 04:28:41 jinmei Exp $
diff --git a/contrib/bind9/doc/misc/migration b/contrib/bind9/doc/misc/migration
index af9fccb..6660e8f 100644
--- a/contrib/bind9/doc/misc/migration
+++ b/contrib/bind9/doc/misc/migration
@@ -252,4 +252,4 @@ necessary, the umask should be set explicitly in the script used to
 start the named process.
 
 
-$Id: migration,v 1.37.2.3.2.3 2004/11/22 22:33:09 marka Exp $
+$Id: migration,v 1.45.18.1 2004/11/22 22:32:19 marka Exp $
diff --git a/contrib/bind9/doc/misc/migration-4to9 b/contrib/bind9/doc/misc/migration-4to9
index fa75bac..008cbed 100644
--- a/contrib/bind9/doc/misc/migration-4to9
+++ b/contrib/bind9/doc/misc/migration-4to9
@@ -2,7 +2,7 @@ Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 2001  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-$Id: migration-4to9,v 1.3.206.1 2004/03/06 13:16:19 marka Exp $
+$Id: migration-4to9,v 1.4 2004/03/05 05:04:53 marka Exp $
 
 		   BIND 4 to BIND 9 Migration Notes
 
diff --git a/contrib/bind9/doc/misc/options b/contrib/bind9/doc/misc/options
index 01546b7..a17c522 100644
--- a/contrib/bind9/doc/misc/options
+++ b/contrib/bind9/doc/misc/options
@@ -50,6 +50,7 @@ options {
         use-ixfr <boolean>;
         version ( <quoted_string> | none );
         flush-zones-on-shutdown <boolean>;
+        allow-query-cache { <address_match_element>; ... };
         allow-recursion { <address_match_element>; ... };
         allow-v6-synthesis { <address_match_element>; ... }; // obsolete
         sortlist { <address_match_element>; ... };
@@ -81,25 +82,41 @@ options {
         dual-stack-servers [ port <integer> ] { ( <quoted_string> [port
             <integer>] | <ipv4_address> [port <integer>] | <ipv6_address> [port <integer>] ); ... };
         edns-udp-size <integer>;
+        max-udp-size <integer>;
         root-delegation-only [ exclude { <quoted_string>; ... } ];
         disable-algorithms <string> { <string>; ... };
         dnssec-enable <boolean>;
+        dnssec-validation <boolean>;
         dnssec-lookaside <string> trust-anchor <string>;
         dnssec-must-be-secure <string> <boolean>;
+        dnssec-accept-expired <boolean>;
+        ixfr-from-differences <ixfrdiff>;
+        acache-enable <boolean>;
+        acache-cleaning-interval <integer>;
+        max-acache-size <size_no_default>;
+        clients-per-query <integer>;
+        max-clients-per-query <integer>;
+        empty-server <string>;
+        empty-contact <string>;
+        empty-zones-enable <boolean>;
+        disable-empty-zone <string>;
+        zero-no-soa-ttl-cache <boolean>;
         allow-query { <address_match_element>; ... };
         allow-transfer { <address_match_element>; ... };
+        allow-update { <address_match_element>; ... };
         allow-update-forwarding { <address_match_element>; ... };
         allow-notify { <address_match_element>; ... };
+        masterfile-format ( text | raw );
         notify <notifytype>;
         notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
         notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
         also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
             ) [ port <integer> ]; ... };
+        notify-delay <integer>;
         dialup <dialuptype>;
         forward ( first | only );
         forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
             [ port <integer> ]; ... };
-        ixfr-from-differences <boolean>;
         maintain-ixfr-base <boolean>; // obsolete
         max-ixfr-log-size <size>; // obsolete
         max-journal-size <size_no_default>;
@@ -122,12 +139,21 @@ options {
         use-alt-transfer-source <boolean>;
         zone-statistics <boolean>;
         key-directory <quoted_string>;
+        check-wildcard <boolean>;
+        check-integrity <boolean>;
+        check-mx ( fail | warn | ignore );
+        check-mx-cname ( fail | warn | ignore );
+        check-srv-cname ( fail | warn | ignore );
+        check-sibling <boolean>;
+        zero-no-soa-ttl <boolean>;
+        update-check-ksk <boolean>;
 };
 
 controls {
         inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | *
             ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ];
-        unix <unsupported>; // not implemented
+        unix <quoted_string> perm <integer> owner <integer> group <integer>
+            [ keys { <string>; ... } ];
 };
 
 acl <string> { <address_match_element>; ... };
@@ -160,8 +186,8 @@ view <string> <optional_class> {
         zone <string> <optional_class> {
                 type ( master | slave | stub | hint | forward |
                     delegation-only );
-                allow-update { <address_match_element>; ... };
                 file <quoted_string>;
+                journal <quoted_string>;
                 ixfr-base <quoted_string>; // obsolete
                 ixfr-tmp-file <quoted_string>; // obsolete
                 masters [ port <integer> ] { ( <masters> | <ipv4_address>
@@ -169,14 +195,17 @@ view <string> <optional_class> {
                 pubkey <integer> <integer> <integer> <quoted_string>; //
                     obsolete
                 update-policy { ( grant | deny ) <string> ( name |
-                    subdomain | wildcard | self ) <string> <rrtypelist>; ... };
+                    subdomain | wildcard | self | selfsub | selfwild ) <string> <rrtypelist>; ... };
                 database <string>;
                 delegation-only <boolean>;
                 check-names ( fail | warn | ignore );
+                ixfr-from-differences <boolean>;
                 allow-query { <address_match_element>; ... };
                 allow-transfer { <address_match_element>; ... };
+                allow-update { <address_match_element>; ... };
                 allow-update-forwarding { <address_match_element>; ... };
                 allow-notify { <address_match_element>; ... };
+                masterfile-format ( text | raw );
                 notify <notifytype>;
                 notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
                     ) ];
@@ -184,11 +213,11 @@ view <string> <optional_class> {
                     | * ) ];
                 also-notify [ port <integer> ] { ( <ipv4_address> |
                     <ipv6_address> ) [ port <integer> ]; ... };
+                notify-delay <integer>;
                 dialup <dialuptype>;
                 forward ( first | only );
                 forwarders [ port <integer> ] { ( <ipv4_address> |
                     <ipv6_address> ) [ port <integer> ]; ... };
-                ixfr-from-differences <boolean>;
                 maintain-ixfr-base <boolean>; // obsolete
                 max-ixfr-log-size <size>; // obsolete
                 max-journal-size <size_no_default>;
@@ -213,8 +242,19 @@ view <string> <optional_class> {
                 use-alt-transfer-source <boolean>;
                 zone-statistics <boolean>;
                 key-directory <quoted_string>;
+                check-wildcard <boolean>;
+                check-integrity <boolean>;
+                check-mx ( fail | warn | ignore );
+                check-mx-cname ( fail | warn | ignore );
+                check-srv-cname ( fail | warn | ignore );
+                check-sibling <boolean>;
+                zero-no-soa-ttl <boolean>;
+                update-check-ksk <boolean>;
+        };
+        dlz <string> {
+                database <string>;
         };
-        server <netaddr> {
+        server <netprefix> {
                 bogus <boolean>;
                 provide-ixfr <boolean>;
                 request-ixfr <boolean>;
@@ -223,6 +263,14 @@ view <string> <optional_class> {
                 transfer-format ( many-answers | one-answer );
                 keys <server_key>;
                 edns <boolean>;
+                edns-udp-size <integer>;
+                max-udp-size <integer>;
+                notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
+                    ) ];
+                notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
+                    | * ) ];
+                query-source <querysource4>;
+                query-source-v6 <querysource6>;
                 transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
                     * ) ];
                 transfer-source-v6 ( <ipv6_address> | * ) [ port (
@@ -230,6 +278,7 @@ view <string> <optional_class> {
         };
         trusted-keys { <string> <integer> <integer> <integer>
             <quoted_string>; ... };
+        allow-query-cache { <address_match_element>; ... };
         allow-recursion { <address_match_element>; ... };
         allow-v6-synthesis { <address_match_element>; ... }; // obsolete
         sortlist { <address_match_element>; ... };
@@ -261,25 +310,41 @@ view <string> <optional_class> {
         dual-stack-servers [ port <integer> ] { ( <quoted_string> [port
             <integer>] | <ipv4_address> [port <integer>] | <ipv6_address> [port <integer>] ); ... };
         edns-udp-size <integer>;
+        max-udp-size <integer>;
         root-delegation-only [ exclude { <quoted_string>; ... } ];
         disable-algorithms <string> { <string>; ... };
         dnssec-enable <boolean>;
+        dnssec-validation <boolean>;
         dnssec-lookaside <string> trust-anchor <string>;
         dnssec-must-be-secure <string> <boolean>;
+        dnssec-accept-expired <boolean>;
+        ixfr-from-differences <ixfrdiff>;
+        acache-enable <boolean>;
+        acache-cleaning-interval <integer>;
+        max-acache-size <size_no_default>;
+        clients-per-query <integer>;
+        max-clients-per-query <integer>;
+        empty-server <string>;
+        empty-contact <string>;
+        empty-zones-enable <boolean>;
+        disable-empty-zone <string>;
+        zero-no-soa-ttl-cache <boolean>;
         allow-query { <address_match_element>; ... };
         allow-transfer { <address_match_element>; ... };
+        allow-update { <address_match_element>; ... };
         allow-update-forwarding { <address_match_element>; ... };
         allow-notify { <address_match_element>; ... };
+        masterfile-format ( text | raw );
         notify <notifytype>;
         notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
         notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
         also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
             ) [ port <integer> ]; ... };
+        notify-delay <integer>;
         dialup <dialuptype>;
         forward ( first | only );
         forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
             [ port <integer> ]; ... };
-        ixfr-from-differences <boolean>;
         maintain-ixfr-base <boolean>; // obsolete
         max-ixfr-log-size <size>; // obsolete
         max-journal-size <size_no_default>;
@@ -302,6 +367,15 @@ view <string> <optional_class> {
         use-alt-transfer-source <boolean>;
         zone-statistics <boolean>;
         key-directory <quoted_string>;
+        check-wildcard <boolean>;
+        check-integrity <boolean>;
+        check-mx ( fail | warn | ignore );
+        check-mx-cname ( fail | warn | ignore );
+        check-srv-cname ( fail | warn | ignore );
+        check-sibling <boolean>;
+        zero-no-soa-ttl <boolean>;
+        update-check-ksk <boolean>;
+        database <string>;
 };
 
 lwres {
@@ -319,32 +393,35 @@ key <string> {
 
 zone <string> <optional_class> {
         type ( master | slave | stub | hint | forward | delegation-only );
-        allow-update { <address_match_element>; ... };
         file <quoted_string>;
+        journal <quoted_string>;
         ixfr-base <quoted_string>; // obsolete
         ixfr-tmp-file <quoted_string>; // obsolete
         masters [ port <integer> ] { ( <masters> | <ipv4_address> [port
             <integer>] | <ipv6_address> [port <integer>] ) [ key <string> ]; ... };
         pubkey <integer> <integer> <integer> <quoted_string>; // obsolete
         update-policy { ( grant | deny ) <string> ( name | subdomain |
-            wildcard | self ) <string> <rrtypelist>; ... };
+            wildcard | self | selfsub | selfwild ) <string> <rrtypelist>; ... };
         database <string>;
         delegation-only <boolean>;
         check-names ( fail | warn | ignore );
+        ixfr-from-differences <boolean>;
         allow-query { <address_match_element>; ... };
         allow-transfer { <address_match_element>; ... };
+        allow-update { <address_match_element>; ... };
         allow-update-forwarding { <address_match_element>; ... };
         allow-notify { <address_match_element>; ... };
+        masterfile-format ( text | raw );
         notify <notifytype>;
         notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
         notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
         also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
             ) [ port <integer> ]; ... };
+        notify-delay <integer>;
         dialup <dialuptype>;
         forward ( first | only );
         forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
             [ port <integer> ]; ... };
-        ixfr-from-differences <boolean>;
         maintain-ixfr-base <boolean>; // obsolete
         max-ixfr-log-size <size>; // obsolete
         max-journal-size <size_no_default>;
@@ -367,9 +444,21 @@ zone <string> <optional_class> {
         use-alt-transfer-source <boolean>;
         zone-statistics <boolean>;
         key-directory <quoted_string>;
+        check-wildcard <boolean>;
+        check-integrity <boolean>;
+        check-mx ( fail | warn | ignore );
+        check-mx-cname ( fail | warn | ignore );
+        check-srv-cname ( fail | warn | ignore );
+        check-sibling <boolean>;
+        zero-no-soa-ttl <boolean>;
+        update-check-ksk <boolean>;
 };
 
-server <netaddr> {
+dlz <string> {
+        database <string>;
+};
+
+server <netprefix> {
         bogus <boolean>;
         provide-ixfr <boolean>;
         request-ixfr <boolean>;
@@ -378,6 +467,12 @@ server <netaddr> {
         transfer-format ( many-answers | one-answer );
         keys <server_key>;
         edns <boolean>;
+        edns-udp-size <integer>;
+        max-udp-size <integer>;
+        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
+        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+        query-source <querysource4>;
+        query-source-v6 <querysource6>;
         transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
         transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
 };
diff --git a/contrib/bind9/doc/misc/rfc-compliance b/contrib/bind9/doc/misc/rfc-compliance
index 6a3fac1..4c87c66 100644
--- a/contrib/bind9/doc/misc/rfc-compliance
+++ b/contrib/bind9/doc/misc/rfc-compliance
@@ -2,7 +2,7 @@ Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 2001  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-$Id: rfc-compliance,v 1.3.206.1 2004/03/06 13:16:20 marka Exp $
+$Id: rfc-compliance,v 1.4 2004/03/05 05:04:53 marka Exp $
 
 BIND 9 is striving for strict compliance with IETF standards.  We
 believe this release of BIND 9 complies with the following RFCs, with
diff --git a/contrib/bind9/doc/misc/roadmap b/contrib/bind9/doc/misc/roadmap
index 72021b8..f63a469 100644
--- a/contrib/bind9/doc/misc/roadmap
+++ b/contrib/bind9/doc/misc/roadmap
@@ -2,7 +2,7 @@ Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 2000, 2001  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-$Id: roadmap,v 1.1.206.1 2004/03/06 13:16:20 marka Exp $
+$Id: roadmap,v 1.2 2004/03/05 05:04:54 marka Exp $
 
 Road Map to the BIND 9 Source Tree
 
diff --git a/contrib/bind9/doc/misc/sdb b/contrib/bind9/doc/misc/sdb
index 0de0ab8..552028a 100644
--- a/contrib/bind9/doc/misc/sdb
+++ b/contrib/bind9/doc/misc/sdb
@@ -166,4 +166,4 @@ Future Directions
 A future release may support dynamic loading of sdb drivers.
 
 
-$Id: sdb,v 1.5.206.1 2004/03/06 13:16:20 marka Exp $
+$Id: sdb,v 1.6 2004/03/05 05:04:54 marka Exp $
diff --git a/contrib/bind9/doc/rfc/index b/contrib/bind9/doc/rfc/index
index 5c588db..947827e 100644
--- a/contrib/bind9/doc/rfc/index
+++ b/contrib/bind9/doc/rfc/index
@@ -101,3 +101,8 @@
 4035:	Protocol Modifications for the DNS Security Extensions
 4074:	Common Misbehavior Against DNS Queries for IPv6 Addresses
 4159:	Deprecation of "ip6.int"
+4193:	Unique Local IPv6 Unicast Addresses
+4255:	Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
+4343:	Domain Name System (DNS) Case Insensitivity Clarification
+4367:	What's in a Name: False Assumptions about DNS Names
+4431:	The DNSSEC Lookaside Validation (DLV) DNS Resource Record
diff --git a/contrib/bind9/doc/rfc/rfc4193.txt b/contrib/bind9/doc/rfc/rfc4193.txt
new file mode 100644
index 0000000..17e2c0b
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc4193.txt
@@ -0,0 +1,899 @@
+
+
+
+
+
+
+Network Working Group                                          R. Hinden
+Request for Comments: 4193                                         Nokia
+Category: Standards Track                                    B. Haberman
+                                                                 JHU-APL
+                                                            October 2005
+
+
+                  Unique Local IPv6 Unicast Addresses
+
+Status of This Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2005).
+
+Abstract
+
+   This document defines an IPv6 unicast address format that is globally
+   unique and is intended for local communications, usually inside of a
+   site.  These addresses are not expected to be routable on the global
+   Internet.
+
+Table of Contents
+
+   1. Introduction ....................................................2
+   2. Acknowledgements ................................................3
+   3. Local IPv6 Unicast Addresses ....................................3
+      3.1. Format .....................................................3
+           3.1.1. Background ..........................................4
+      3.2. Global ID ..................................................4
+           3.2.1. Locally Assigned Global IDs .........................5
+           3.2.2. Sample Code for Pseudo-Random Global ID Algorithm ...5
+           3.2.3. Analysis of the Uniqueness of Global IDs ............6
+      3.3. Scope Definition ...........................................6
+   4. Operational Guidelines ..........................................7
+      4.1. Routing ....................................................7
+      4.2. Renumbering and Site Merging ...............................7
+      4.3. Site Border Router and Firewall Packet Filtering ...........8
+      4.4. DNS Issues .................................................8
+      4.5. Application and Higher Level Protocol Issues ...............9
+      4.6. Use of Local IPv6 Addresses for Local Communication ........9
+      4.7. Use of Local IPv6 Addresses with VPNs .....................10
+
+
+
+Hinden & Haberman           Standards Track                     [Page 1]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+   5. Global Routing Considerations ..................................11
+      5.1. From the Standpoint of the Internet .......................11
+      5.2. From the Standpoint of a Site .............................11
+   6. Advantages and Disadvantages ...................................12
+      6.1. Advantages ................................................12
+      6.2. Disadvantages .............................................13
+   7. Security Considerations ........................................13
+   8. IANA Considerations ............................................13
+   9. References .....................................................13
+      9.1. Normative References ......................................13
+      9.2. Informative References ....................................14
+
+1.  Introduction
+
+   This document defines an IPv6 unicast address format that is globally
+   unique and is intended for local communications [IPV6].  These
+   addresses are called Unique Local IPv6 Unicast Addresses and are
+   abbreviated in this document as Local IPv6 addresses.  They are not
+   expected to be routable on the global Internet.  They are routable
+   inside of a more limited area such as a site.  They may also be
+   routed between a limited set of sites.
+
+   Local IPv6 unicast addresses have the following characteristics:
+
+      - Globally unique prefix (with high probability of uniqueness).
+
+      - Well-known prefix to allow for easy filtering at site
+        boundaries.
+
+      - Allow sites to be combined or privately interconnected without
+        creating any address conflicts or requiring renumbering of
+        interfaces that use these prefixes.
+
+      - Internet Service Provider independent and can be used for
+        communications inside of a site without having any permanent or
+        intermittent Internet connectivity.
+
+      - If accidentally leaked outside of a site via routing or DNS,
+        there is no conflict with any other addresses.
+
+      - In practice, applications may treat these addresses like global
+        scoped addresses.
+
+   This document defines the format of Local IPv6 addresses, how to
+   allocate them, and usage considerations including routing, site
+   border routers, DNS, application support, VPN usage, and guidelines
+   for how to use for local communication inside a site.
+
+
+
+
+Hinden & Haberman           Standards Track                     [Page 2]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+2.  Acknowledgements
+
+   The underlying idea of creating Local IPv6 addresses described in
+   this document has been proposed a number of times by a variety of
+   people.  The authors of this document do not claim exclusive credit.
+   Credit goes to Brian Carpenter, Christian Huitema, Aidan Williams,
+   Andrew White, Charlie Perkins, and many others.  The authors would
+   also like to thank Brian Carpenter, Charlie Perkins, Harald
+   Alvestrand, Keith Moore, Margaret Wasserman, Shannon Behrens, Alan
+   Beard, Hans Kruse, Geoff Huston, Pekka Savola, Christian Huitema, Tim
+   Chown, Steve Bellovin, Alex Zinin, Tony Hain, Bill Fenner, Sam
+   Hartman, and Elwyn Davies for their comments and suggestions on this
+   document.
+
+3.  Local IPv6 Unicast Addresses
+
+3.1.  Format
+
+   The Local IPv6 addresses are created using a pseudo-randomly
+   allocated global ID.  They have the following format:
+
+      | 7 bits |1|  40 bits   |  16 bits  |          64 bits           |
+      +--------+-+------------+-----------+----------------------------+
+      | Prefix |L| Global ID  | Subnet ID |        Interface ID        |
+      +--------+-+------------+-----------+----------------------------+
+
+   Where:
+
+      Prefix            FC00::/7 prefix to identify Local IPv6 unicast
+                        addresses.
+
+      L                 Set to 1 if the prefix is locally assigned.
+                        Set to 0 may be defined in the future.  See
+                        Section 3.2 for additional information.
+
+      Global ID         40-bit global identifier used to create a
+                        globally unique prefix.  See Section 3.2 for
+                        additional information.
+
+      Subnet ID         16-bit Subnet ID is an identifier of a subnet
+                        within the site.
+
+      Interface ID      64-bit Interface ID as defined in [ADDARCH].
+
+
+
+
+Hinden & Haberman           Standards Track                     [Page 3]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+3.1.1.  Background
+
+   There were a range of choices available when choosing the size of the
+   prefix and Global ID field length.  There is a direct tradeoff
+   between having a Global ID field large enough to support foreseeable
+   future growth and not using too much of the IPv6 address space
+   needlessly.  A reasonable way of evaluating a specific field length
+   is to compare it to a projected 2050 world population of 9.3 billion
+   [POPUL] and the number of resulting /48 prefixes per person.  A range
+   of prefix choices is shown in the following table:
+
+    Prefix  Global ID     Number of          Prefixes    % of IPv6
+            Length        /48 Prefixes       per Person  Address Space
+
+    /11       37           137,438,953,472     15         0.049%
+    /10       38           274,877,906,944     30         0.098%
+    /9        39           549,755,813,888     59         0.195%
+    /8        40         1,099,511,627,776    118         0.391%
+    /7        41         2,199,023,255,552    236         0.781%
+    /6        42         4,398,046,511,104    473         1.563%
+
+   A very high utilization ratio of these allocations can be assumed
+   because the Global ID field does not require internal structure, and
+   there is no reason to be able to aggregate the prefixes.
+
+   The authors believe that a /7 prefix resulting in a 41-bit Global ID
+   space (including the L bit) is a good choice.  It provides for a
+   large number of assignments (i.e., 2.2 trillion) and at the same time
+   uses less than .8% of the total IPv6 address space.  It is unlikely
+   that this space will be exhausted.  If more than this were to be
+   needed, then additional IPv6 address space could be allocated for
+   this purpose.
+
+3.2.  Global ID
+
+   The allocation of Global IDs is pseudo-random [RANDOM].  They MUST
+   NOT be assigned sequentially or with well-known numbers.  This is to
+   ensure that there is not any relationship between allocations and to
+   help clarify that these prefixes are not intended to be routed
+   globally.  Specifically, these prefixes are not designed to
+   aggregate.
+
+   This document defines a specific local method to allocate Global IDs,
+   indicated by setting the L bit to 1.  Another method, indicated by
+   clearing the L bit, may be defined later.  Apart from the allocation
+   method, all Local IPv6 addresses behave and are treated identically.
+
+
+
+
+
+Hinden & Haberman           Standards Track                     [Page 4]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+   The local assignments are self-generated and do not need any central
+   coordination or assignment, but have an extremely high probability of
+   being unique.
+
+3.2.1.  Locally Assigned Global IDs
+
+   Locally assigned Global IDs MUST be generated with a pseudo-random
+   algorithm consistent with [RANDOM].  Section 3.2.2 describes a
+   suggested algorithm.  It is important that all sites generating
+   Global IDs use a functionally similar algorithm to ensure there is a
+   high probability of uniqueness.
+
+   The use of a pseudo-random algorithm to generate Global IDs in the
+   locally assigned prefix gives an assurance that any network numbered
+   using such a prefix is highly unlikely to have that address space
+   clash with any other network that has another locally assigned prefix
+   allocated to it.  This is a particularly useful property when
+   considering a number of scenarios including networks that merge,
+   overlapping VPN address space, or hosts mobile between such networks.
+
+3.2.2.  Sample Code for Pseudo-Random Global ID Algorithm
+
+   The algorithm described below is intended to be used for locally
+   assigned Global IDs.  In each case the resulting global ID will be
+   used in the appropriate prefix as defined in Section 3.2.
+
+     1) Obtain the current time of day in 64-bit NTP format [NTP].
+
+     2) Obtain an EUI-64 identifier from the system running this
+        algorithm.  If an EUI-64 does not exist, one can be created from
+        a 48-bit MAC address as specified in [ADDARCH].  If an EUI-64
+        cannot be obtained or created, a suitably unique identifier,
+        local to the node, should be used (e.g., system serial number).
+
+     3) Concatenate the time of day with the system-specific identifier
+        in order to create a key.
+
+     4) Compute an SHA-1 digest on the key as specified in [FIPS, SHA1];
+        the resulting value is 160 bits.
+
+     5) Use the least significant 40 bits as the Global ID.
+
+     6) Concatenate FC00::/7, the L bit set to 1, and the 40-bit Global
+        ID to create a Local IPv6 address prefix.
+
+   This algorithm will result in a Global ID that is reasonably unique
+   and can be used to create a locally assigned Local IPv6 address
+   prefix.
+
+
+
+Hinden & Haberman           Standards Track                     [Page 5]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+3.2.3.  Analysis of the Uniqueness of Global IDs
+
+   The selection of a pseudo random Global ID is similar to the
+   selection of an SSRC identifier in RTP/RTCP defined in Section 8.1 of
+   [RTP].  This analysis is adapted from that document.
+
+   Since Global IDs are chosen randomly (and independently), it is
+   possible that separate networks have chosen the same Global ID.  For
+   any given network, with one or more random Global IDs, that has
+   inter-connections to other such networks, having a total of N such
+   IDs, the probability that two or more of these IDs will collide can
+   be approximated using the formula:
+
+      P = 1 - exp(-N**2 / 2**(L+1))
+
+   where P is the probability of collision, N is the number of
+   interconnected Global IDs, and L is the length of the Global ID.
+
+   The following table shows the probability of a collision for a range
+   of connections using a 40-bit Global ID field.
+
+      Connections      Probability of Collision
+
+          2                1.81*10^-12
+         10                4.54*10^-11
+        100                4.54*10^-09
+       1000                4.54*10^-07
+      10000                4.54*10^-05
+
+   Based on this analysis, the uniqueness of locally generated Global
+   IDs is adequate for sites planning a small to moderate amount of
+   inter-site communication using locally generated Global IDs.
+
+3.3.  Scope Definition
+
+   By default, the scope of these addresses is global.  That is, they
+   are not limited by ambiguity like the site-local addresses defined in
+   [ADDARCH].  Rather, these prefixes are globally unique, and as such,
+   their applicability is greater than site-local addresses.  Their
+   limitation is in the routability of the prefixes, which is limited to
+   a site and any explicit routing agreements with other sites to
+   propagate them (also see Section 4.1).  Also, unlike site-locals, a
+   site may have more than one of these prefixes and use them at the
+   same time.
+
+
+
+
+
+
+
+Hinden & Haberman           Standards Track                     [Page 6]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+4.  Operational Guidelines
+
+   The guidelines in this section do not require any change to the
+   normal routing and forwarding functionality in an IPv6 host or
+   router.  These are configuration and operational usage guidelines.
+
+4.1.  Routing
+
+   Local IPv6 addresses are designed to be routed inside of a site in
+   the same manner as other types of unicast addresses.  They can be
+   carried in any IPv6 routing protocol without any change.
+
+   It is expected that they would share the same Subnet IDs with
+   provider-based global unicast addresses, if they were being used
+   concurrently [GLOBAL].
+
+   The default behavior of exterior routing protocol sessions between
+   administrative routing regions must be to ignore receipt of and not
+   advertise prefixes in the FC00::/7 block.  A network operator may
+   specifically configure prefixes longer than FC00::/7 for inter-site
+   communication.
+
+   If BGP is being used at the site border with an ISP, the default BGP
+   configuration must filter out any Local IPv6 address prefixes, both
+   incoming and outgoing.  It must be set both to keep any Local IPv6
+   address prefixes from being advertised outside of the site as well as
+   to keep these prefixes from being learned from another site.  The
+   exception to this is if there are specific /48 or longer routes
+   created for one or more Local IPv6 prefixes.
+
+   For link-state IGPs, it is suggested that a site utilizing IPv6 local
+   address prefixes be contained within one IGP domain or area.  By
+   containing an IPv6 local address prefix to a single link-state area
+   or domain, the distribution of prefixes can be controlled.
+
+4.2.  Renumbering and Site Merging
+
+   The use of Local IPv6 addresses in a site results in making
+   communication that uses these addresses independent of renumbering a
+   site's provider-based global addresses.
+
+   When merging multiple sites, the addresses created with these
+   prefixes are unlikely to need to be renumbered because all of the
+   addresses have a high probability of being unique.  Routes for each
+   specific prefix would have to be configured to allow routing to work
+   correctly between the formerly separate sites.
+
+
+
+
+
+Hinden & Haberman           Standards Track                     [Page 7]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+4.3.  Site Border Router and Firewall Packet Filtering
+
+   While no serious harm will be done if packets with these addresses
+   are sent outside of a site via a default route, it is recommended
+   that routers be configured by default to keep any packets with Local
+   IPv6 addresses from leaking outside of the site and to keep any site
+   prefixes from being advertised outside of their site.
+
+   Site border routers and firewalls should be configured to not forward
+   any packets with Local IPv6 source or destination addresses outside
+   of the site, unless they have been explicitly configured with routing
+   information about specific /48 or longer Local IPv6 prefixes.  This
+   will ensure that packets with Local IPv6 destination addresses will
+   not be forwarded outside of the site via a default route.  The
+   default behavior of these devices should be to install a "reject"
+   route for these prefixes.  Site border routers should respond with
+   the appropriate ICMPv6 Destination Unreachable message to inform the
+   source that the packet was not forwarded. [ICMPV6].  This feedback is
+   important to avoid transport protocol timeouts.
+
+   Routers that maintain peering arrangements between Autonomous Systems
+   throughout the Internet should obey the recommendations for site
+   border routers, unless configured otherwise.
+
+4.4.  DNS Issues
+
+   At the present time, AAAA and PTR records for locally assigned local
+   IPv6 addresses are not recommended to be installed in the global DNS.
+
+   For background on this recommendation, one of the concerns about
+   adding AAAA and PTR records to the global DNS for locally assigned
+   Local IPv6 addresses stems from the lack of complete assurance that
+   the prefixes are unique.  There is a small possibility that the same
+   locally assigned IPv6 Local addresses will be used by two different
+   organizations both claiming to be authoritative with different
+   contents.  In this scenario, it is likely there will be a connection
+   attempt to the closest host with the corresponding locally assigned
+   IPv6 Local address.  This may result in connection timeouts,
+   connection failures indicated by ICMP Destination Unreachable
+   messages, or successful connections to the wrong host.  Due to this
+   concern, adding AAAA records for these addresses to the global DNS is
+   thought to be unwise.
+
+   Reverse (address-to-name) queries for locally assigned IPv6 Local
+   addresses MUST NOT be sent to name servers for the global DNS, due to
+   the load that such queries would create for the authoritative name
+   servers for the ip6.arpa zone.  This form of query load is not
+   specific to locally assigned Local IPv6 addresses; any current form
+
+
+
+Hinden & Haberman           Standards Track                     [Page 8]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+   of local addressing creates additional load of this kind, due to
+   reverse queries leaking out of the site.  However, since allowing
+   such queries to escape from the site serves no useful purpose, there
+   is no good reason to make the existing load problems worse.
+
+   The recommended way to avoid sending such queries to nameservers for
+   the global DNS is for recursive name server implementations to act as
+   if they were authoritative for an empty d.f.ip6.arpa zone and return
+   RCODE 3 for any such query.  Implementations that choose this
+   strategy should allow it to be overridden, but returning an RCODE 3
+   response for such queries should be the default, both because this
+   will reduce the query load problem and also because, if the site
+   administrator has not set up the reverse tree corresponding to the
+   locally assigned IPv6 Local addresses in use, returning RCODE 3 is in
+   fact the correct answer.
+
+4.5.  Application and Higher Level Protocol Issues
+
+   Application and other higher level protocols can treat Local IPv6
+   addresses in the same manner as other types of global unicast
+   addresses.  No special handling is required.  This type of address
+   may not be reachable, but that is no different from other types of
+   IPv6 global unicast address.  Applications need to be able to handle
+   multiple addresses that may or may not be reachable at any point in
+   time.  In most cases, this complexity should be hidden in APIs.
+
+   From a host's perspective, the difference between Local IPv6 and
+   other types of global unicast addresses shows up as different
+   reachability and could be handled by default in that way.  In some
+   cases, it is better for nodes and applications to treat them
+   differently from global unicast addresses.  A starting point might be
+   to give them preference over global unicast, but fall back to global
+   unicast if a particular destination is found to be unreachable.  Much
+   of this behavior can be controlled by how they are allocated to nodes
+   and put into the DNS.  However, it is useful if a host can have both
+   types of addresses and use them appropriately.
+
+   Note that the address selection mechanisms of [ADDSEL], and in
+   particular the policy override mechanism replacing default address
+   selection, are expected to be used on a site where Local IPv6
+   addresses are configured.
+
+4.6.  Use of Local IPv6 Addresses for Local Communication
+
+   Local IPv6 addresses, like global scope unicast addresses, are only
+   assigned to nodes if their use has been enabled (via IPv6 address
+   autoconfiguration [ADDAUTO], DHCPv6 [DHCP6], or manually).  They are
+
+
+
+
+Hinden & Haberman           Standards Track                     [Page 9]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+   not created automatically in the way that IPv6 link-local addresses
+   are and will not appear or be used unless they are purposely
+   configured.
+
+   In order for hosts to autoconfigure Local IPv6 addresses, routers
+   have to be configured to advertise Local IPv6 /64 prefixes in router
+   advertisements, or a DHCPv6 server must have been configured to
+   assign them.  In order for a node to learn the Local IPv6 address of
+   another node, the Local IPv6 address must have been installed in a
+   naming system (e.g., DNS, proprietary naming system, etc.)  For these
+   reasons, controlling their usage in a site is straightforward.
+
+   To limit the use of Local IPv6 addresses the following guidelines
+   apply:
+
+      - Nodes that are to only be reachable inside of a site:  The local
+        DNS should be configured to only include the Local IPv6
+        addresses of these nodes.  Nodes with only Local IPv6 addresses
+        must not be installed in the global DNS.
+
+      - Nodes that are to be limited to only communicate with other
+        nodes in the site:  These nodes should be set to only
+        autoconfigure Local IPv6 addresses via [ADDAUTO] or to only
+        receive Local IPv6 addresses via [DHCP6].  Note: For the case
+        where both global and Local IPv6 prefixes are being advertised
+        on a subnet, this will require a switch in the devices to only
+        autoconfigure Local IPv6 addresses.
+
+      - Nodes that are to be reachable from inside of the site and from
+        outside of the site:  The DNS should be configured to include
+        the global addresses of these nodes.  The local DNS may be
+        configured to also include the Local IPv6 addresses of these
+        nodes.
+
+      - Nodes that can communicate with other nodes inside of the site
+        and outside of the site: These nodes should autoconfigure global
+        addresses via [ADDAUTO] or receive global address via [DHCP6].
+        They may also obtain Local IPv6 addresses via the same
+        mechanisms.
+
+4.7.  Use of Local IPv6 Addresses with VPNs
+
+   Local IPv6 addresses can be used for inter-site Virtual Private
+   Networks (VPN) if appropriate routes are set up.  Because the
+   addresses are unique, these VPNs will work reliably and without the
+   need for translation.  They have the additional property that they
+   will continue to work if the individual sites are renumbered or
+   merged.
+
+
+
+Hinden & Haberman           Standards Track                    [Page 10]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+5.  Global Routing Considerations
+
+   Section 4.1 provides operational guidelines that forbid default
+   routing of local addresses between sites.  Concerns were raised to
+   the IPv6 working group and to the IETF as a whole that sites may
+   attempt to use local addresses as globally routed provider-
+   independent addresses.  This section describes why using local
+   addresses as globally-routed provider-independent addresses is
+   unadvisable.
+
+5.1.  From the Standpoint of the Internet
+
+   There is a mismatch between the structure of IPv6 local addresses and
+   the normal IPv6 wide area routing model.  The /48 prefix of an IPv6
+   local addresses fits nowhere in the normal hierarchy of IPv6 unicast
+   addresses.  Normal IPv6 unicast addresses can be routed
+   hierarchically down to physical subnet (link) level and only have to
+   be flat-routed on the physical subnet.  IPv6 local addresses would
+   have to be flat-routed even over the wide area Internet.
+
+   Thus, packets whose destination address is an IPv6 local address
+   could be routed over the wide area only if the corresponding /48
+   prefix were carried by the wide area routing protocol in use, such as
+   BGP.  This contravenes the operational assumption that long prefixes
+   will be aggregated into many fewer short prefixes, to limit the table
+   size and convergence time of the routing protocol.  If a network uses
+   both normal IPv6 addresses [ADDARCH] and IPv6 local addresses, these
+   types of addresses will certainly not aggregate with each other,
+   since they differ from the most significant bit onwards.  Neither
+   will IPv6 local addresses aggregate with each other, due to their
+   random bit patterns.  This means that there would be a very
+   significant operational penalty for attempting to use IPv6 local
+   address prefixes generically with currently known wide area routing
+   technology.
+
+5.2.  From the Standpoint of a Site
+
+   There are a number of design factors in IPv6 local addresses that
+   reduce the likelihood that IPv6 local addresses will be used as
+   arbitrary global unicast addresses.  These include:
+
+      - The default rules to filter packets and routes make it very
+        difficult to use IPv6 local addresses for arbitrary use across
+        the Internet.  For a site to use them as general purpose unicast
+        addresses, it would have to make sure that the default rules
+        were not being used by all other sites and intermediate ISPs
+        used for their current and future communication.
+
+
+
+
+Hinden & Haberman           Standards Track                    [Page 11]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+      - They are not mathematically guaranteed to be unique and are not
+        registered in public databases.  Collisions, while highly
+        unlikely, are possible and a collision can compromise the
+        integrity of the communications.  The lack of public
+        registration creates operational problems.
+
+      - The addresses are allocated randomly.  If a site had multiple
+        prefixes that it wanted to be used globally, the cost of
+        advertising them would be very high because they could not be
+        aggregated.
+
+      - They have a long prefix (i.e., /48) so a single local address
+        prefix doesn't provide enough address space to be used
+        exclusively by the largest organizations.
+
+6.  Advantages and Disadvantages
+
+6.1.  Advantages
+
+   This approach has the following advantages:
+
+      - Provides Local IPv6 prefixes that can be used independently of
+        any provider-based IPv6 unicast address allocations.  This is
+        useful for sites not always connected to the Internet or sites
+        that wish to have a distinct prefix that can be used to localize
+        traffic inside of the site.
+
+      - Applications can treat these addresses in an identical manner as
+        any other type of global IPv6 unicast addresses.
+
+      - Sites can be merged without any renumbering of the Local IPv6
+        addresses.
+
+      - Sites can change their provider-based IPv6 unicast address
+        without disrupting any communication that uses Local IPv6
+        addresses.
+
+      - Well-known prefix that allows for easy filtering at site
+        boundary.
+
+      - Can be used for inter-site VPNs.
+
+      - If accidently leaked outside of a site via routing or DNS, there
+        is no conflict with any other addresses.
+
+
+
+
+
+
+
+Hinden & Haberman           Standards Track                    [Page 12]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+6.2.  Disadvantages
+
+   This approach has the following disadvantages:
+
+      - Not possible to route Local IPv6 prefixes on the global Internet
+        with current routing technology.  Consequentially, it is
+        necessary to have the default behavior of site border routers to
+        filter these addresses.
+
+      - There is a very low probability of non-unique locally assigned
+        Global IDs being generated by the algorithm in Section 3.2.3.
+        This risk can be ignored for all practical purposes, but it
+        leads to a theoretical risk of clashing address prefixes.
+
+7.  Security Considerations
+
+   Local IPv6 addresses do not provide any inherent security to the
+   nodes that use them.  They may be used with filters at site
+   boundaries to keep Local IPv6 traffic inside of the site, but this is
+   no more or less secure than filtering any other type of global IPv6
+   unicast addresses.
+
+   Local IPv6 addresses do allow for address-based security mechanisms,
+   including IPsec, across end to end VPN connections.
+
+8.  IANA Considerations
+
+   The IANA has assigned the FC00::/7 prefix to "Unique Local Unicast".
+
+9.  References
+
+9.1.  Normative References
+
+   [ADDARCH]  Hinden, R. and S. Deering, "Internet Protocol Version 6
+             (IPv6) Addressing Architecture", RFC 3513, April 2003.
+
+   [FIPS]    "Federal Information Processing Standards Publication",
+             (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995.
+
+   [GLOBAL]  Hinden, R., Deering, S., and E. Nordmark, "IPv6 Global
+             Unicast Address Format", RFC 3587, August 2003.
+
+   [ICMPV6]  Conta, A. and S. Deering, "Internet Control Message
+             Protocol (ICMPv6) for the Internet Protocol Version 6
+             (IPv6) Specification", RFC 2463, December 1998.
+
+
+
+
+
+
+Hinden & Haberman           Standards Track                    [Page 13]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+   [IPV6]    Deering, S. and R. Hinden, "Internet Protocol, Version 6
+             (IPv6) Specification", RFC 2460, December 1998.
+
+   [NTP]     Mills, D., "Network Time Protocol (Version 3)
+             Specification, Implementation and Analysis", RFC 1305,
+             March 1992.
+
+   [RANDOM]  Eastlake, D., 3rd, Schiller, J., and S. Crocker,
+             "Randomness Requirements for Security", BCP 106, RFC 4086,
+             June 2005.
+
+   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+             Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [SHA1]    Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1
+             (SHA1)", RFC 3174, September 2001.
+
+9.2.  Informative References
+
+   [ADDAUTO] Thomson, S. and T. Narten, "IPv6 Stateless Address
+             Autoconfiguration", RFC 2462, December 1998.
+
+   [ADDSEL]  Draves, R., "Default Address Selection for Internet
+             Protocol version 6 (IPv6)", RFC 3484, February 2003.
+
+   [DHCP6]   Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and
+             M. Carney, "Dynamic Host Configuration Protocol for IPv6
+             (DHCPv6)", RFC 3315, July 2003.
+
+   [POPUL]   Population Reference Bureau, "World Population Data Sheet
+             of the Population Reference Bureau 2002",  August 2002.
+
+   [RTP]     Schulzrinne, H.,  Casner, S., Frederick, R., and V.
+             Jacobson, "RTP: A Transport Protocol for Real-Time
+             Applications", STD 64, RFC 3550, July 2003.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Haberman           Standards Track                    [Page 14]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+Authors' Addresses
+
+   Robert M. Hinden
+   Nokia
+   313 Fairchild Drive
+   Mountain View, CA 94043
+   USA
+
+   Phone: +1 650 625-2004
+   EMail: bob.hinden@nokia.com
+
+
+   Brian Haberman
+   Johns Hopkins University
+   Applied Physics Lab
+   11100 Johns Hopkins Road
+   Laurel, MD 20723
+   USA
+
+   Phone: +1 443 778 1319
+   EMail: brian@innovationslab.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Haberman           Standards Track                    [Page 15]
+
+RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2005).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at ietf-
+   ipr@ietf.org.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+Hinden & Haberman           Standards Track                    [Page 16]
+
diff --git a/contrib/bind9/doc/rfc/rfc4255.txt b/contrib/bind9/doc/rfc/rfc4255.txt
new file mode 100644
index 0000000..f350b7a
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc4255.txt
@@ -0,0 +1,507 @@
+
+
+
+
+
+
+Network Working Group                                        J. Schlyter
+Request for Comments: 4255                                       OpenSSH
+Category: Standards Track                                     W. Griffin
+                                                                  SPARTA
+                                                            January 2006
+
+
+   Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
+
+Status of This Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   This document describes a method of verifying Secure Shell (SSH) host
+   keys using Domain Name System Security (DNSSEC).  The document
+   defines a new DNS resource record that contains a standard SSH key
+   fingerprint.
+
+Table of Contents
+
+   1. Introduction ....................................................2
+   2. SSH Host Key Verification .......................................2
+      2.1. Method .....................................................2
+      2.2. Implementation Notes .......................................2
+      2.3. Fingerprint Matching .......................................3
+      2.4. Authentication .............................................3
+   3. The SSHFP Resource Record .......................................3
+      3.1. The SSHFP RDATA Format .....................................4
+           3.1.1. Algorithm Number Specification ......................4
+           3.1.2. Fingerprint Type Specification ......................4
+           3.1.3. Fingerprint .........................................5
+      3.2. Presentation Format of the SSHFP RR ........................5
+   4. Security Considerations .........................................5
+   5. IANA Considerations .............................................6
+   6. Normative References ............................................7
+   7. Informational References ........................................7
+   8. Acknowledgements ................................................8
+
+
+
+
+Schlyter & Griffin          Standards Track                     [Page 1]
+
+RFC 4255                DNS and SSH Fingerprints            January 2006
+
+
+1.  Introduction
+
+   The SSH [6] protocol provides secure remote login and other secure
+   network services over an insecure network.  The security of the
+   connection relies on the server authenticating itself to the client
+   as well as the user authenticating itself to the server.
+
+   If a connection is established to a server whose public key is not
+   already known to the client, a fingerprint of the key is presented to
+   the user for verification.  If the user decides that the fingerprint
+   is correct and accepts the key, the key is saved locally and used for
+   verification for all following connections.  While some security-
+   conscious users verify the fingerprint out-of-band before accepting
+   the key, many users blindly accept the presented key.
+
+   The method described here can provide out-of-band verification by
+   looking up a fingerprint of the server public key in the DNS [1][2]
+   and using DNSSEC [5] to verify the lookup.
+
+   In order to distribute the fingerprint using DNS, this document
+   defines a new DNS resource record, "SSHFP", to carry the fingerprint.
+
+   Basic understanding of the DNS system [1][2] and the DNS security
+   extensions [5] is assumed by this document.
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119 [3].
+
+2.  SSH Host Key Verification
+
+2.1.  Method
+
+   Upon connection to an SSH server, the SSH client MAY look up the
+   SSHFP resource record(s) for the host it is connecting to.  If the
+   algorithm and fingerprint of the key received from the SSH server
+   match the algorithm and fingerprint of one of the SSHFP resource
+   record(s) returned from DNS, the client MAY accept the identity of
+   the server.
+
+2.2.  Implementation Notes
+
+   Client implementors SHOULD provide a configurable policy used to
+   select the order of methods used to verify a host key.  This document
+   defines one method: Fingerprint storage in DNS.  Another method
+   defined in the SSH Architecture [6] uses local files to store keys
+   for comparison.  Other methods that could be defined in the future
+   might include storing fingerprints in LDAP or other databases.  A
+
+
+
+Schlyter & Griffin          Standards Track                     [Page 2]
+
+RFC 4255                DNS and SSH Fingerprints            January 2006
+
+
+   configurable policy will allow administrators to determine which
+   methods they want to use and in what order the methods should be
+   prioritized.  This will allow administrators to determine how much
+   trust they want to place in the different methods.
+
+   One specific scenario for having a configurable policy is where
+   clients do not use fully qualified host names to connect to servers.
+   In this scenario, the implementation SHOULD verify the host key
+   against a local database before verifying the key via the fingerprint
+   returned from DNS.  This would help prevent an attacker from
+   injecting a DNS search path into the local resolver and forcing the
+   client to connect to a different host.
+
+2.3.  Fingerprint Matching
+
+   The public key and the SSHFP resource record are matched together by
+   comparing algorithm number and fingerprint.
+
+      The public key algorithm and the SSHFP algorithm number MUST
+      match.
+
+      A message digest of the public key, using the message digest
+      algorithm specified in the SSHFP fingerprint type, MUST match the
+      SSHFP fingerprint.
+
+2.4.  Authentication
+
+   A public key verified using this method MUST NOT be trusted if the
+   SSHFP resource record (RR) used for verification was not
+   authenticated by a trusted SIG RR.
+
+   Clients that do validate the DNSSEC signatures themselves SHOULD use
+   standard DNSSEC validation procedures.
+
+   Clients that do not validate the DNSSEC signatures themselves MUST
+   use a secure transport (e.g., TSIG [9], SIG(0) [10], or IPsec [8])
+   between themselves and the entity performing the signature
+   validation.
+
+3.  The SSHFP Resource Record
+
+   The SSHFP resource record (RR) is used to store a fingerprint of an
+   SSH public host key that is associated with a Domain Name System
+   (DNS) name.
+
+   The RR type code for the SSHFP RR is 44.
+
+
+
+
+
+Schlyter & Griffin          Standards Track                     [Page 3]
+
+RFC 4255                DNS and SSH Fingerprints            January 2006
+
+
+3.1.  The SSHFP RDATA Format
+
+   The RDATA for a SSHFP RR consists of an algorithm number, fingerprint
+   type and the fingerprint of the public host key.
+
+       1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       |   algorithm   |    fp type    |                               /
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               /
+       /                                                               /
+       /                          fingerprint                          /
+       /                                                               /
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+3.1.1.  Algorithm Number Specification
+
+   This algorithm number octet describes the algorithm of the public
+   key.  The following values are assigned:
+
+          Value    Algorithm name
+          -----    --------------
+          0        reserved
+          1        RSA
+          2        DSS
+
+   Reserving other types requires IETF consensus [4].
+
+3.1.2.  Fingerprint Type Specification
+
+   The fingerprint type octet describes the message-digest algorithm
+   used to calculate the fingerprint of the public key.  The following
+   values are assigned:
+
+          Value    Fingerprint type
+          -----    ----------------
+          0        reserved
+          1        SHA-1
+
+   Reserving other types requires IETF consensus [4].
+
+   For interoperability reasons, as few fingerprint types as possible
+   should be reserved.  The only reason to reserve additional types is
+   to increase security.
+
+
+
+
+
+
+
+Schlyter & Griffin          Standards Track                     [Page 4]
+
+RFC 4255                DNS and SSH Fingerprints            January 2006
+
+
+3.1.3.  Fingerprint
+
+   The fingerprint is calculated over the public key blob as described
+   in [7].
+
+   The message-digest algorithm is presumed to produce an opaque octet
+   string output, which is placed as-is in the RDATA fingerprint field.
+
+3.2.  Presentation Format of the SSHFP RR
+
+   The RDATA of the presentation format of the SSHFP resource record
+   consists of two numbers (algorithm and fingerprint type) followed by
+   the fingerprint itself, presented in hex, e.g.:
+
+       host.example.  SSHFP 2 1 123456789abcdef67890123456789abcdef67890
+
+   The use of mnemonics instead of numbers is not allowed.
+
+4.  Security Considerations
+
+   Currently, the amount of trust a user can realistically place in a
+   server key is proportional to the amount of attention paid to
+   verifying that the public key presented actually corresponds to the
+   private key of the server.  If a user accepts a key without verifying
+   the fingerprint with something learned through a secured channel, the
+   connection is vulnerable to a man-in-the-middle attack.
+
+   The overall security of using SSHFP for SSH host key verification is
+   dependent on the security policies of the SSH host administrator and
+   DNS zone administrator (in transferring the fingerprint), detailed
+   aspects of how verification is done in the SSH implementation, and in
+   the client's diligence in accessing the DNS in a secure manner.
+
+   One such aspect is in which order fingerprints are looked up (e.g.,
+   first checking local file and then SSHFP).  We note that, in addition
+   to protecting the first-time transfer of host keys, SSHFP can
+   optionally be used for stronger host key protection.
+
+      If SSHFP is checked first, new SSH host keys may be distributed by
+      replacing the corresponding SSHFP in DNS.
+
+      If SSH host key verification can be configured to require SSHFP,
+      SSH host key revocation can be implemented by removing the
+      corresponding SSHFP from DNS.
+
+
+
+
+
+
+
+Schlyter & Griffin          Standards Track                     [Page 5]
+
+RFC 4255                DNS and SSH Fingerprints            January 2006
+
+
+   As stated in Section 2.2, we recommend that SSH implementors provide
+   a policy mechanism to control the order of methods used for host key
+   verification.  One specific scenario for having a configurable policy
+   is where clients use unqualified host names to connect to servers.
+   In this case, we recommend that SSH implementations check the host
+   key against a local database before verifying the key via the
+   fingerprint returned from DNS.  This would help prevent an attacker
+   from injecting a DNS search path into the local resolver and forcing
+   the client to connect to a different host.
+
+   A different approach to solve the DNS search path issue would be for
+   clients to use a trusted DNS search path, i.e., one not acquired
+   through DHCP or other autoconfiguration mechanisms.  Since there is
+   no way with current DNS lookup APIs to tell whether a search path is
+   from a trusted source, the entire client system would need to be
+   configured with this trusted DNS search path.
+
+   Another dependency is on the implementation of DNSSEC itself.  As
+   stated in Section 2.4, we mandate the use of secure methods for
+   lookup and that SSHFP RRs are authenticated by trusted SIG RRs.  This
+   is especially important if SSHFP is to be used as a basis for host
+   key rollover and/or revocation, as described above.
+
+   Since DNSSEC only protects the integrity of the host key fingerprint
+   after it is signed by the DNS zone administrator, the fingerprint
+   must be transferred securely from the SSH host administrator to the
+   DNS zone administrator.  This could be done manually between the
+   administrators or automatically using secure DNS dynamic update [11]
+   between the SSH server and the nameserver.  We note that this is no
+   different from other key enrollment situations, e.g., a client
+   sending a certificate request to a certificate authority for signing.
+
+5.  IANA Considerations
+
+   IANA has allocated the RR type code 44 for SSHFP from the standard RR
+   type space.
+
+   IANA has opened a new registry for the SSHFP RR type for public key
+   algorithms.  The defined types are:
+
+      0 is reserved
+      1 is RSA
+      2 is DSA
+
+   Adding new reservations requires IETF consensus [4].
+
+
+
+
+
+
+Schlyter & Griffin          Standards Track                     [Page 6]
+
+RFC 4255                DNS and SSH Fingerprints            January 2006
+
+
+   IANA has opened a new registry for the SSHFP RR type for fingerprint
+   types.  The defined types are:
+
+      0 is reserved
+      1 is SHA-1
+
+   Adding new reservations requires IETF consensus [4].
+
+6.  Normative References
+
+   [1]   Mockapetris, P., "Domain names - concepts and facilities", STD
+         13, RFC 1034, November 1987.
+
+   [2]   Mockapetris, P., "Domain names - implementation and
+         specification", STD 13, RFC 1035, November 1987.
+
+   [3]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
+         Levels", BCP 14, RFC 2119, March 1997.
+
+   [4]   Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+         Considerations Section in RFCs", BCP 26, RFC 2434, October
+         1998.
+
+   [5]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "DNS Security Introduction and Requirements", RFC 4033, March
+         2005.
+
+         Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Resource Records for the DNS Security Extensions", RFC 4034,
+         March 2005.
+
+         Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Protocol Modifications for the DNS Security Extensions", RFC
+         4035, March 2005.
+
+   [6]   Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
+         Protocol Architecture", RFC 4251, January 2006.
+
+   [7]   Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
+         Transport Layer Protocol", RFC 4253, January 2006.
+
+7.  Informational References
+
+   [8]   Thayer, R., Doraswamy, N., and R. Glenn, "IP Security Document
+         Roadmap", RFC 2411, November 1998.
+
+
+
+
+
+
+Schlyter & Griffin          Standards Track                     [Page 7]
+
+RFC 4255                DNS and SSH Fingerprints            January 2006
+
+
+   [9]   Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
+         Wellington, "Secret Key Transaction Authentication for DNS
+         (TSIG)", RFC 2845, May 2000.
+
+   [10]  Eastlake 3rd, D., "DNS Request and Transaction Signatures
+         ( SIG(0)s )", RFC 2931, September 2000.
+
+   [11]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
+         Update", RFC 3007, November 2000.
+
+8.  Acknowledgements
+
+   The authors gratefully acknowledge, in no particular order, the
+   contributions of the following persons:
+
+      Martin Fredriksson
+
+      Olafur Gudmundsson
+
+      Edward Lewis
+
+      Bill Sommerfeld
+
+Authors' Addresses
+
+   Jakob Schlyter
+   OpenSSH
+   812 23rd Avenue SE
+   Calgary, Alberta  T2G 1N8
+   Canada
+
+   EMail: jakob@openssh.com
+   URI:   http://www.openssh.com/
+
+
+   Wesley Griffin
+   SPARTA
+   7075 Samuel Morse Drive
+   Columbia, MD  21046
+   USA
+
+   EMail: wgriffin@sparta.com
+   URI:   http://www.sparta.com/
+
+
+
+
+
+
+
+
+Schlyter & Griffin          Standards Track                     [Page 8]
+
+RFC 4255                DNS and SSH Fingerprints            January 2006
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2006).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is provided by the IETF
+   Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Schlyter & Griffin          Standards Track                     [Page 9]
+
diff --git a/contrib/bind9/doc/rfc/rfc4343.txt b/contrib/bind9/doc/rfc/rfc4343.txt
new file mode 100644
index 0000000..621420a
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc4343.txt
@@ -0,0 +1,563 @@
+
+
+
+
+
+
+Network Working Group                                    D. Eastlake 3rd
+Request for Comments: 4343                         Motorola Laboratories
+Updates: 1034, 1035, 2181                                   January 2006
+Category: Standards Track
+
+
+       Domain Name System (DNS) Case Insensitivity Clarification
+
+Status of This Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   Domain Name System (DNS) names are "case insensitive".  This document
+   explains exactly what that means and provides a clear specification
+   of the rules.  This clarification updates RFCs 1034, 1035, and 2181.
+
+Table of Contents
+
+   1. Introduction ....................................................2
+   2. Case Insensitivity of DNS Labels ................................2
+      2.1. Escaping Unusual DNS Label Octets ..........................2
+      2.2. Example Labels with Escapes ................................3
+   3. Name Lookup, Label Types, and CLASS .............................3
+      3.1. Original DNS Label Types ...................................4
+      3.2. Extended Label Type Case Insensitivity Considerations ......4
+      3.3. CLASS Case Insensitivity Considerations ....................4
+   4. Case on Input and Output ........................................5
+      4.1. DNS Output Case Preservation ...............................5
+      4.2. DNS Input Case Preservation ................................5
+   5. Internationalized Domain Names ..................................6
+   6. Security Considerations .........................................6
+   7. Acknowledgements ................................................7
+   Normative References................................................7
+   Informative References..............................................8
+
+
+
+
+
+
+
+Eastlake 3rd                Standards Track                     [Page 1]
+
+RFC 4343          DNS Case Insensitivity Clarification      January 2006
+
+
+1.  Introduction
+
+   The Domain Name System (DNS) is the global hierarchical replicated
+   distributed database system for Internet addressing, mail proxy, and
+   other information.  Each node in the DNS tree has a name consisting
+   of zero or more labels [STD13, RFC1591, RFC2606] that are treated in
+   a case insensitive fashion.  This document clarifies the meaning of
+   "case insensitive" for the DNS.  This clarification updates RFCs
+   1034, 1035 [STD13], and [RFC2181].
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+2.  Case Insensitivity of DNS Labels
+
+   DNS was specified in the era of [ASCII].  DNS names were expected to
+   look like most host names or Internet email address right halves (the
+   part after the at-sign, "@") or to be numeric, as in the in-addr.arpa
+   part of the DNS name space.  For example,
+
+       foo.example.net.
+       aol.com.
+       www.gnu.ai.mit.edu.
+   or  69.2.0.192.in-addr.arpa.
+
+   Case-varied alternatives to the above [RFC3092] would be DNS names
+   like
+
+       Foo.ExamplE.net.
+       AOL.COM.
+       WWW.gnu.AI.mit.EDU.
+   or  69.2.0.192.in-ADDR.ARPA.
+
+   However, the individual octets of which DNS names consist are not
+   limited to valid ASCII character codes.  They are 8-bit bytes, and
+   all values are allowed.  Many applications, however, interpret them
+   as ASCII characters.
+
+2.1.  Escaping Unusual DNS Label Octets
+
+   In Master Files [STD13] and other human-readable and -writable ASCII
+   contexts, an escape is needed for the byte value for period (0x2E,
+   ".") and all octet values outside of the inclusive range from 0x21
+   ("!") to 0x7E ("~").  That is to say, 0x2E and all octet values in
+   the two inclusive ranges from 0x00 to 0x20 and from 0x7F to 0xFF.
+
+
+
+
+
+Eastlake 3rd                Standards Track                     [Page 2]
+
+RFC 4343          DNS Case Insensitivity Clarification      January 2006
+
+
+   One typographic convention for octets that do not correspond to an
+   ASCII printing graphic is to use a back-slash followed by the value
+   of the octet as an unsigned integer represented by exactly three
+   decimal digits.
+
+   The same convention can be used for printing ASCII characters so that
+   they will be treated as a normal label character.  This includes the
+   back-slash character used in this convention itself, which can be
+   expressed as \092 or \\, and the special label separator period
+   ("."), which can be expressed as and \046 or \.  It is advisable to
+   avoid using a backslash to quote an immediately following non-
+   printing ASCII character code to avoid implementation difficulties.
+
+   A back-slash followed by only one or two decimal digits is undefined.
+   A back-slash followed by four decimal digits produces two octets, the
+   first octet having the value of the first three digits considered as
+   a decimal number, and the second octet being the character code for
+   the fourth decimal digit.
+
+2.2.  Example Labels with Escapes
+
+   The first example below shows embedded spaces and a period (".")
+   within a label.  The second one shows a 5-octet label where the
+   second octet has all bits zero, the third is a backslash, and the
+   fourth octet has all bits one.
+
+         Donald\032E\.\032Eastlake\0323rd.example.
+   and   a\000\\\255z.example.
+
+3.  Name Lookup, Label Types, and CLASS
+
+   According to the original DNS design decision, comparisons on name
+   lookup for DNS queries should be case insensitive [STD13].  That is
+   to say, a lookup string octet with a value in the inclusive range
+   from 0x41 to 0x5A, the uppercase ASCII letters, MUST match the
+   identical value and also match the corresponding value in the
+   inclusive range from 0x61 to 0x7A, the lowercase ASCII letters.  A
+   lookup string octet with a lowercase ASCII letter value MUST
+   similarly match the identical value and also match the corresponding
+   value in the uppercase ASCII letter range.
+
+   (Historical note: The terms "uppercase" and "lowercase" were invented
+   after movable type.  The terms originally referred to the two font
+   trays for storing, in partitioned areas, the different physical type
+   elements.  Before movable type, the nearest equivalent terms were
+   "majuscule" and "minuscule".)
+
+
+
+
+
+Eastlake 3rd                Standards Track                     [Page 3]
+
+RFC 4343          DNS Case Insensitivity Clarification      January 2006
+
+
+   One way to implement this rule would be to subtract 0x20 from all
+   octets in the inclusive range from 0x61 to 0x7A before comparing
+   octets.  Such an operation is commonly known as "case folding", but
+   implementation via case folding is not required.  Note that the DNS
+   case insensitivity does NOT correspond to the case folding specified
+   in [ISO-8859-1] or [ISO-8859-2].  For example, the octets 0xDD (\221)
+   and 0xFD (\253) do NOT match, although in other contexts, where they
+   are interpreted as the upper- and lower-case version of "Y" with an
+   acute accent, they might.
+
+3.1.  Original DNS Label Types
+
+   DNS labels in wire-encoded names have a type associated with them.
+   The original DNS standard [STD13] had only two types: ASCII labels,
+   with a length from zero to 63 octets, and indirect (or compression)
+   labels, which consist of an offset pointer to a name location
+   elsewhere in the wire encoding on a DNS message.  (The ASCII label of
+   length zero is reserved for use as the name of the root node of the
+   name tree.)  ASCII labels follow the ASCII case conventions described
+   herein and, as stated above, can actually contain arbitrary byte
+   values.  Indirect labels are, in effect, replaced by the name to
+   which they point, which is then treated with the case insensitivity
+   rules in this document.
+
+3.2.  Extended Label Type Case Insensitivity Considerations
+
+   DNS was extended by [RFC2671] so that additional label type numbers
+   would be available.  (The only such type defined so far is the BINARY
+   type [RFC2673], which is now Experimental [RFC3363].)
+
+   The ASCII case insensitivity conventions only apply to ASCII labels;
+   that is to say, label type 0x0, whether appearing directly or invoked
+   by indirect labels.
+
+3.3.  CLASS Case Insensitivity Considerations
+
+   As described in [STD13] and [RFC2929], DNS has an additional axis for
+   data location called CLASS.  The only CLASS in global use at this
+   time is the "IN" (Internet) CLASS.
+
+   The handling of DNS label case is not CLASS dependent.  With the
+   original design of DNS, it was intended that a recursive DNS resolver
+   be able to handle new CLASSes that were unknown at the time of its
+   implementation.  This requires uniform handling of label case
+   insensitivity.  Should it become desirable, for example, to allocate
+   a CLASS with "case sensitive ASCII labels", it would be necessary to
+   allocate a new label type for these labels.
+
+
+
+
+Eastlake 3rd                Standards Track                     [Page 4]
+
+RFC 4343          DNS Case Insensitivity Clarification      January 2006
+
+
+4.  Case on Input and Output
+
+   While ASCII label comparisons are case insensitive, [STD13] says case
+   MUST be preserved on output and preserved when convenient on input.
+   However, this means less than it would appear, since the preservation
+   of case on output is NOT required when output is optimized by the use
+   of indirect labels, as explained below.
+
+4.1.  DNS Output Case Preservation
+
+   [STD13] views the DNS namespace as a node tree.  ASCII output is as
+   if a name were marshaled by taking the label on the node whose name
+   is to be output, converting it to a typographically encoded ASCII
+   string, walking up the tree outputting each label encountered, and
+   preceding all labels but the first with a period (".").  Wire output
+   follows the same sequence, but each label is wire encoded, and no
+   periods are inserted.  No "case conversion" or "case folding" is done
+   during such output operations, thus "preserving" case.  However, to
+   optimize output, indirect labels may be used to point to names
+   elsewhere in the DNS answer.  In determining whether the name to be
+   pointed to (for example, the QNAME) is the "same" as the remainder of
+   the name being optimized, the case insensitive comparison specified
+   above is done.  Thus, such optimization may easily destroy the output
+   preservation of case.  This type of optimization is commonly called
+   "name compression".
+
+4.2.  DNS Input Case Preservation
+
+   Originally, DNS data came from an ASCII Master File as defined in
+   [STD13] or a zone transfer.  DNS Dynamic update and incremental zone
+   transfers [RFC1995] have been added as a source of DNS data [RFC2136,
+   RFC3007].  When a node in the DNS name tree is created by any of such
+   inputs, no case conversion is done.  Thus, the case of ASCII labels
+   is preserved if they are for nodes being created.  However, when a
+   name label is input for a node that already exists in DNS data being
+   held, the situation is more complex.  Implementations are free to
+   retain the case first loaded for such a label, to allow new input to
+   override the old case, or even to maintain separate copies preserving
+   the input case.
+
+   For example, if data with owner name "foo.bar.example" [RFC3092] is
+   loaded and then later data with owner name "xyz.BAR.example" is
+   input, the name of the label on the "bar.example" node (i.e., "bar")
+   might or might not be changed to "BAR" in the DNS stored data.  Thus,
+   later retrieval of data stored under "xyz.bar.example" in this case
+   can use "xyz.BAR.example" in all returned data, use "xyz.bar.example"
+   in all returned data, or even, when more than one RR is being
+   returned, use a mixture of these two capitalizations.  This last case
+
+
+
+Eastlake 3rd                Standards Track                     [Page 5]
+
+RFC 4343          DNS Case Insensitivity Clarification      January 2006
+
+
+   is unlikely, as optimization of answer length through indirect labels
+   tends to cause only one copy of the name tail ("bar.example" or
+   "BAR.example") to be used for all returned RRs.  Note that none of
+   this has any effect on the number or completeness of the RR set
+   returned, only on the case of the names in the RR set returned.
+
+   The same considerations apply when inputting multiple data records
+   with owner names differing only in case.  For example, if an "A"
+   record is the first resource record stored under owner name
+   "xyz.BAR.example" and then a second "A" record is stored under
+   "XYZ.BAR.example", the second MAY be stored with the first (lower
+   case initial label) name, the second MAY override the first so that
+   only an uppercase initial label is retained, or both capitalizations
+   MAY be kept in the DNS stored data.  In any case, a retrieval with
+   either capitalization will retrieve all RRs with either
+   capitalization.
+
+   Note that the order of insertion into a server database of the DNS
+   name tree nodes that appear in a Master File is not defined so that
+   the results of inconsistent capitalization in a Master File are
+   unpredictable output capitalization.
+
+5.  Internationalized Domain Names
+
+   A scheme has been adopted for "internationalized domain names" and
+   "internationalized labels" as described in [RFC3490, RFC3454,
+   RFC3491, and RFC3492].  It makes most of [UNICODE] available through
+   a separate application level transformation from internationalized
+   domain name to DNS domain name and from DNS domain name to
+   internationalized domain name.  Any case insensitivity that
+   internationalized domain names and labels have varies depending on
+   the script and is handled entirely as part of the transformation
+   described in [RFC3454] and [RFC3491], which should be seen for
+   further details.  This is not a part of the DNS as standardized in
+   STD 13.
+
+6.  Security Considerations
+
+   The equivalence of certain DNS label types with case differences, as
+   clarified in this document, can lead to security problems.  For
+   example, a user could be confused by believing that two domain names
+   differing only in case were actually different names.
+
+   Furthermore, a domain name may be used in contexts other than the
+   DNS.  It could be used as a case sensitive index into some database
+   or file system.  Or it could be interpreted as binary data by some
+   integrity or authentication code system.  These problems can usually
+   be handled by using a standardized or "canonical" form of the DNS
+
+
+
+Eastlake 3rd                Standards Track                     [Page 6]
+
+RFC 4343          DNS Case Insensitivity Clarification      January 2006
+
+
+   ASCII type labels; that is, always mapping the ASCII letter value
+   octets in ASCII labels to some specific pre-chosen case, either
+   uppercase or lower case.  An example of a canonical form for domain
+   names (and also a canonical ordering for them) appears in Section 6
+   of [RFC4034].  See also [RFC3597].
+
+   Finally, a non-DNS name may be stored into DNS with the false
+   expectation that case will always be preserved.  For example,
+   although this would be quite rare, on a system with case sensitive
+   email address local parts, an attempt to store two Responsible Person
+   (RP) [RFC1183] records that differed only in case would probably
+   produce unexpected results that might have security implications.
+   That is because the entire email address, including the possibly case
+   sensitive local or left-hand part, is encoded into a DNS name in a
+   readable fashion where the case of some letters might be changed on
+   output as described above.
+
+7.  Acknowledgements
+
+   The contributions to this document by Rob Austein, Olafur
+   Gudmundsson, Daniel J. Anderson, Alan Barrett, Marc Blanchet, Dana,
+   Andreas Gustafsson, Andrew Main, Thomas Narten, and Scott Seligman
+   are gratefully acknowledged.
+
+Normative References
+
+   [ASCII]      ANSI, "USA Standard Code for Information Interchange",
+                X3.4, American National Standards Institute: New York,
+                1968.
+
+   [RFC1995]    Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
+                August 1996.
+
+   [RFC2119]    Bradner, S., "Key words for use in RFCs to Indicate
+                Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC2136]    Vixie, P., Thomson,  S., Rekhter, Y., and J. Bound,
+                "Dynamic Updates in the Domain Name System (DNS
+                UPDATE)", RFC 2136, April 1997.
+
+   [RFC2181]     Elz, R. and R. Bush, "Clarifications to the DNS
+                Specification", RFC 2181, July 1997.
+
+   [RFC3007]    Wellington, B., "Secure Domain Name System (DNS) Dynamic
+                Update", RFC 3007, November 2000.
+
+
+
+
+
+
+Eastlake 3rd                Standards Track                     [Page 7]
+
+RFC 4343          DNS Case Insensitivity Clarification      January 2006
+
+
+   [RFC3597]    Gustafsson, A., "Handling of Unknown DNS Resource Record
+                (RR) Types", RFC 3597, September 2003.
+
+   [RFC4034]    Arends, R., Austein, R., Larson, M., Massey, D., and S.
+                Rose, "Resource Records for the DNS Security
+                Extensions", RFC 4034, March 2005.
+
+   [STD13]      Mockapetris, P., "Domain names - concepts and
+                facilities", STD 13, RFC 1034, November 1987.
+
+                Mockapetris, P., "Domain names - implementation and
+                specification", STD 13, RFC 1035, November 1987.
+
+Informative References
+
+   [ISO-8859-1] International Standards Organization, Standard for
+                Character Encodings, Latin-1.
+
+   [ISO-8859-2] International Standards Organization, Standard for
+                Character Encodings, Latin-2.
+
+   [RFC1183]    Everhart, C., Mamakos, L., Ullmann, R., and P.
+                Mockapetris, "New DNS RR Definitions", RFC 1183, October
+                1990.
+
+   [RFC1591]    Postel, J., "Domain Name System Structure and
+                Delegation", RFC 1591, March 1994.
+
+   [RFC2606]    Eastlake 3rd, D. and A. Panitz, "Reserved Top Level DNS
+                Names", BCP 32, RFC 2606, June 1999.
+
+   [RFC2929]    Eastlake 3rd, D., Brunner-Williams, E., and B. Manning,
+                "Domain Name System (DNS) IANA Considerations", BCP 42,
+                RFC 2929, September 2000.
+
+   [RFC2671]    Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+                2671, August 1999.
+
+   [RFC2673]    Crawford, M., "Binary Labels in the Domain Name System",
+                RFC 2673, August 1999.
+
+   [RFC3092]    Eastlake 3rd, D., Manros, C., and E. Raymond, "Etymology
+                of "Foo"", RFC 3092, 1 April 2001.
+
+   [RFC3363]    Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T.
+                Hain, "Representing Internet Protocol version 6 (IPv6)
+                Addresses in the Domain Name System (DNS)", RFC 3363,
+                August 2002.
+
+
+
+Eastlake 3rd                Standards Track                     [Page 8]
+
+RFC 4343          DNS Case Insensitivity Clarification      January 2006
+
+
+   [RFC3454]    Hoffman, P. and M. Blanchet, "Preparation of
+                Internationalized Strings ("stringprep")", RFC 3454,
+                December 2002.
+
+   [RFC3490]    Faltstrom, P., Hoffman, P., and A. Costello,
+                "Internationalizing Domain Names in Applications
+                (IDNA)", RFC 3490, March 2003.
+
+   [RFC3491]    Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
+                Profile for Internationalized Domain Names (IDN)", RFC
+                3491, March 2003.
+
+   [RFC3492]    Costello, A., "Punycode: A Bootstring encoding of
+                Unicode for Internationalized Domain Names in
+                Applications (IDNA)", RFC 3492, March 2003.
+
+   [UNICODE]    The Unicode Consortium, "The Unicode Standard",
+                <http://www.unicode.org/unicode/standard/standard.html>.
+
+Author's Address
+
+   Donald E. Eastlake 3rd
+   Motorola Laboratories
+   155 Beaver Street
+   Milford, MA 01757 USA
+
+   Phone: +1 508-786-7554 (w)
+   EMail: Donald.Eastlake@motorola.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake 3rd                Standards Track                     [Page 9]
+
+RFC 4343          DNS Case Insensitivity Clarification      January 2006
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2006).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is provided by the IETF
+   Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Eastlake 3rd                Standards Track                    [Page 10]
+
diff --git a/contrib/bind9/doc/rfc/rfc4367.txt b/contrib/bind9/doc/rfc/rfc4367.txt
new file mode 100644
index 0000000..f066b64
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc4367.txt
@@ -0,0 +1,955 @@
+
+
+
+
+
+
+Network Working Group                                  J. Rosenberg, Ed.
+Request for Comments: 4367                                           IAB
+Category: Informational                                    February 2006
+
+
+          What's in a Name: False Assumptions about DNS Names
+
+Status of This Memo
+
+   This memo provides information for the Internet community.  It does
+   not specify an Internet standard of any kind.  Distribution of this
+   memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   The Domain Name System (DNS) provides an essential service on the
+   Internet, mapping structured names to a variety of data, usually IP
+   addresses.  These names appear in email addresses, Uniform Resource
+   Identifiers (URIs), and other application-layer identifiers that are
+   often rendered to human users.  Because of this, there has been a
+   strong demand to acquire names that have significance to people,
+   through equivalence to registered trademarks, company names, types of
+   services, and so on.  There is a danger in this trend; the humans and
+   automata that consume and use such names will associate specific
+   semantics with some names and thereby make assumptions about the
+   services that are, or should be, provided by the hosts associated
+   with the names.  Those assumptions can often be false, resulting in a
+   variety of failure conditions.  This document discusses this problem
+   in more detail and makes recommendations on how it can be avoided.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rosenberg                    Informational                      [Page 1]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+Table of Contents
+
+   1. Introduction ....................................................2
+   2. Target Audience .................................................4
+   3. Modeling Usage of the DNS .......................................4
+   4. Possible Assumptions ............................................5
+      4.1. By the User ................................................5
+      4.2. By the Client ..............................................6
+      4.3. By the Server ..............................................7
+   5. Consequences of False Assumptions ...............................8
+   6. Reasons Why the Assumptions Can Be False ........................9
+      6.1. Evolution ..................................................9
+      6.2. Leakage ...................................................10
+      6.3. Sub-Delegation ............................................10
+      6.4. Mobility ..................................................12
+      6.5. Human Error ...............................................12
+   7. Recommendations ................................................12
+   8. A Note on RFC 2219 and RFC 2782 ................................13
+   9. Security Considerations ........................................14
+   10. Acknowledgements ..............................................14
+   11. IAB Members ...................................................14
+   12. Informative References ........................................15
+
+1.  Introduction
+
+   The Domain Name System (DNS) [1] provides an essential service on the
+   Internet, mapping structured names to a variety of different types of
+   data.  Most often it is used to obtain the IP address of a host
+   associated with that name [2] [1] [3].  However, it can be used to
+   obtain other information, and proposals have been made for nearly
+   everything, including geographic information [4].
+
+   Domain names are most often used in identifiers used by application
+   protocols.  The most well known include email addresses and URIs,
+   such as the HTTP URL [5], Real Time Streaming Protocol (RTSP) URL
+   [6], and SIP URI [7].  These identifiers are ubiquitous, appearing on
+   business cards, web pages, street signs, and so on.  Because of this,
+   there has been a strong demand to acquire domain names that have
+   significance to people through equivalence to registered trademarks,
+   company names, types of services, and so on.  Such identifiers serve
+   many business purposes, including extension of brand, advertising,
+   and so on.
+
+   People often make assumptions about the type of service that is or
+   should be provided by a host associated with that name, based on
+   their expectations and understanding of what the name implies.  This,
+   in turn, triggers attempts by organizations to register domain names
+   based on that presumed user expectation.  Examples of this are the
+
+
+
+Rosenberg                    Informational                      [Page 2]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+   various proposals for a Top-Level Domain (TLD) that could be
+   associated with adult content [8], the requests for creation of TLDs
+   associated with mobile devices and services, and even phishing
+   attacks.
+
+   When these assumptions are codified into the behavior of an
+   automaton, such as an application client or server, as a result of
+   implementor choice, management directive, or domain owner policy, the
+   overall system can fail in various ways.  This document describes a
+   number of typical ways in which these assumptions can be codified,
+   how they can be wrong, the consequences of those mistakes, and the
+   recommended ways in which they can be avoided.
+
+   Section 4 describes some of the possible assumptions that clients,
+   servers, and people can make about a domain name.  In this context,
+   an "assumption" is defined as any behavior that is expected when
+   accessing a service at a domain name, even though the behavior is not
+   explicitly codified in protocol specifications.  Frequently, these
+   assumptions involve ignoring parts of a specification based on an
+   assumption that the client or server is deployed in an environment
+   that is more rigid than the specification allows.  Section 5
+   overviews some of the consequences of these false assumptions.
+   Generally speaking, these consequences can include a variety of
+   different interoperability failures, user experience failures, and
+   system failures.  Section 6 discusses why these assumptions can be
+   false from the very beginning or become false at some point in the
+   future.  Most commonly, they become false because the environment
+   changes in unexpected ways over time, and what was a valid assumption
+   before, no longer is.  Other times, the assumptions prove wrong
+   because they were based on the belief that a specific community of
+   clients and servers was participating, and an element outside of that
+   community began participating.
+
+   Section 7 then provides some recommendations.  These recommendations
+   encapsulate some of the engineering mantras that have been at the
+   root of Internet protocol design for decades.  These include:
+
+      Follow the specifications.
+
+      Use the capability negotiation techniques provided in the
+      protocols.
+
+      Be liberal in what you accept, and conservative in what you send.
+      [18]
+
+   Overall, automata should not change their behavior within a protocol
+   based on the domain name, or some component of the domain name, of
+   the host they are communicating with.
+
+
+
+Rosenberg                    Informational                      [Page 3]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+2.  Target Audience
+
+   This document has several audiences.  Firstly, it is aimed at
+   implementors who ultimately develop the software that make the false
+   assumptions that are the subject of this document.  The
+   recommendations described here are meant to reinforce the engineering
+   guidelines that are often understood by implementors, but frequently
+   forgotten as deadlines near and pressures mount.
+
+   The document is also aimed at technology managers, who often develop
+   the requirements that lead to these false assumptions.  For them,
+   this document serves as a vehicle for emphasizing the importance of
+   not taking shortcuts in the scope of applicability of a project.
+
+   Finally, this document is aimed at domain name policy makers and
+   administrators.  For them, it points out the perils in establishing
+   domain policies that get codified into the operation of applications
+   running within that domain.
+
+3.  Modeling Usage of the DNS
+
+
+                       +--------+
+                       |        |
+                       |        |
+                       |  DNS   |
+                       |Service |
+                       |        |
+                       +--------+
+                         ^   |
+                         |   |
+                         |   |
+                         |   |
+          /--\           |   |
+         |    |          |   V
+         |    |        +--------+                     +--------+
+          \--/         |        |                     |        |
+            |          |        |                     |        |
+         ---+---       | Client |-------------------->| Server |
+            |          |        |                     |        |
+            |          |        |                     |        |
+           /\          +--------+                     +--------+
+          /  \
+         /    \
+
+         User
+                                 Figure 1
+
+
+
+
+Rosenberg                    Informational                      [Page 4]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+   Figure 1 shows a simple conceptual model of how the DNS is used by
+   applications.  A user of the application obtains an identifier for
+   particular content or service it wishes to obtain.  This identifier
+   is often a URL or URI that contains a domain name.  The user enters
+   this identifier into its client application (for example, by typing
+   in the URL in a web browser window).  The client is the automaton (a
+   software and/or hardware system) that contacts a server for that
+   application in order to provide service to the user.  To do that, it
+   contacts a DNS server to resolve the domain name in the identifier to
+   an IP address.  It then contacts the server at that IP address.  This
+   simple model applies to application protocols such as HTTP [5], SIP
+   [7], RTSP [6], and SMTP [9].
+
+   >From this model, it is clear that three entities in the system can
+   potentially make false assumptions about the service provided by the
+   server.  The human user may form expectations relating to the content
+   of the service based on a parsing of the host name from which the
+   content originated.  The server might assume that the client
+   connecting to it supports protocols that it does not, can process
+   content that it cannot, or has capabilities that it does not.
+   Similarly, the client might assume that the server supports
+   protocols, content, or capabilities that it does not.  Furthermore,
+   applications can potentially contain a multiplicity of humans,
+   clients, and servers, all of which can independently make these false
+   assumptions.
+
+4.  Possible Assumptions
+
+   For each of the three elements, there are many types of false
+   assumptions that can be made.
+
+4.1.  By the User
+
+   The set of possible assumptions here is nearly boundless.  Users
+   might assume that an HTTP URL that looks like a company name maps to
+   a server run by that company.  They might assume that an email from a
+   email address in the .gov TLD is actually from a government employee.
+   They might assume that the content obtained from a web server within
+   a TLD labeled as containing adult materials (for example, .sex)
+   actually contains adult content [8].  These assumptions are
+   unavoidable, may all be false, and are not the focus of this
+   document.
+
+
+
+
+
+
+
+
+
+Rosenberg                    Informational                      [Page 5]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+4.2.  By the Client
+
+   Even though the client is an automaton, it can make some of the same
+   assumptions that a human user might make.  For example, many clients
+   assume that any host with a hostname that begins with "www" is a web
+   server, even though this assumption may be false.
+
+   In addition, the client concerns itself with the protocols needed to
+   communicate with the server.  As a result, it might make assumptions
+   about the operation of the protocols for communicating with the
+   server.  These assumptions manifest themselves in an implementation
+   when a standardized protocol negotiation technique defined by the
+   protocol is ignored, and instead, some kind of rule is coded into the
+   software that comes to its own conclusion about what the negotiation
+   would have determined.  The result is often a loss of
+   interoperability, degradation in reliability, and worsening of user
+   experience.
+
+   Authentication Algorithm: Though a protocol might support a
+      multiplicity of authentication techniques, a client might assume
+      that a server always supports one that is only optional according
+      to the protocol.  For example, a SIP client contacting a SIP
+      server in a domain that is apparently used to identify mobile
+      devices (for example, www.example.cellular) might assume that the
+      server supports the optional Authentication and Key Agreement
+      (AKA) digest technique [10], just because of the domain name that
+      was used to access the server.  As another example, a web client
+      might assume that a server with the name https.example.com
+      supports HTTP over Transport Layer Security (TLS) [16].
+
+   Data Formats: Though a protocol might allow a multiplicity of data
+      formats to be sent from the server to the client, the client might
+      assume a specific one, rather than using the content labeling and
+      negotiation capabilities of the underlying protocol.  For example,
+      an RTSP client might assume that all audio content delivered to it
+      from media.example.cellular uses a low-bandwidth codec.  As
+      another example, a mail client might assume that the contents of
+      messages it retrieves from a mail server at mail.example.cellular
+      are always text, instead of checking the MIME headers [11] in the
+      message in order to determine the actual content type.
+
+   Protocol Extensions: A client may attempt an operation on the server
+      that requires the server to support an optional protocol
+      extension.  However, rather than implementing the necessary
+      fallback logic, the client may falsely assume that the extension
+      is supported.  As an example, a SIP client that requires reliable
+      provisional responses to its request (RFC 3262 [17]) might assume
+      that this extension is supported on servers in the domain
+
+
+
+Rosenberg                    Informational                      [Page 6]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+      sip.example.telecom.  Furthermore, the client would not implement
+      the fallback behavior defined in RFC 3262, since it would assume
+      that all servers it will communicate with are in this domain and
+      that all therefore support this extension.  However, if the
+      assumptions prove wrong, the client is unable to make any phone
+      calls.
+
+   Languages: A client may support facilities for processing text
+      content differently depending on the language of the text.  Rather
+      than determining the language from markers in the message from the
+      server, the client might assume a language based on the domain
+      name.  This assumption can easily be wrong.  For example, a client
+      might assume that any text in a web page retrieved from a server
+      within the .de country code TLD (ccTLD) is in German, and attempt
+      a translation to Finnish.  This would fail dramatically if the
+      text was actually in French.  Unfortunately, this client behavior
+      is sometimes exhibited because the server has not properly labeled
+      the language of the content in the first place, often because the
+      server assumed such a labeling was not needed.  This is an example
+      of how these false assumptions can create vicious cycles.
+
+4.3.  By the Server
+
+   The server, like the client, is an automaton.  Let us consider one
+   servicing a particular domain -- www.company.cellular, for example.
+   It might assume that all clients connecting to this domain support
+   particular capabilities, rather than using the underlying protocol to
+   make this determination.  Some examples include:
+
+   Authentication Algorithm: The server can assume that a client
+      supports a particular, optional, authentication technique, and it
+      therefore does not support the mandatory one.
+
+   Language: The server can serve content in a particular language,
+      based on an assumption that clients accessing the domain speak a
+      particular language, or based on an assumption that clients coming
+      from a particular IP address speak a certain language.
+
+   Data Formats: The server can assume that the client supports a
+      particular set of MIME types and is only capable of sending ones
+      within that set.  When it generates content in a protocol
+      response, it ignores any content negotiation headers that were
+      present in the request.  For example, a web server might ignore
+      the Accept HTTP header field and send a specific image format.
+
+
+
+
+
+
+
+Rosenberg                    Informational                      [Page 7]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+   Protocol Extensions: The server might assume that the client supports
+      a particular optional protocol extension, and so it does not
+      support the fallback behavior necessary in the case where the
+      client does not.
+
+   Client Characteristics: The server might assume certain things about
+      the physical characteristics of its clients, such as memory
+      footprint, processing power, screen sizes, screen colors, pointing
+      devices, and so on.  Based on these assumptions, it might choose
+      specific behaviors when processing a request.  For example, a web
+      server might always assume that clients connect through cell
+      phones, and therefore return content that lacks images and is
+      tuned for such devices.
+
+5.  Consequences of False Assumptions
+
+   There are numerous negative outcomes that can arise from the various
+   false assumptions that users, servers, and clients can make.  These
+   include:
+
+   Interoperability Failure: In these cases, the client or server
+      assumed some kind of protocol operation, and this assumption was
+      wrong.  The result is that the two are unable to communicate, and
+      the user receives some kind of an error.  This represents a total
+      interoperability failure, manifesting itself as a lack of service
+      to users of the system.  Unfortunately, this kind of failure
+      persists.  Repeated attempts over time by the client to access the
+      service will fail.  Only a change in the server or client software
+      can fix this problem.
+
+   System Failure: In these cases, the client or server misinterpreted a
+      protocol operation, and this misinterpretation was serious enough
+      to uncover a bug in the implementation.  The bug causes a system
+      crash or some kind of outage, either transient or permanent (until
+      user reset).  If this failure occurs in a server, not only will
+      the connecting client lose service, but other clients attempting
+      to connect will not get service.  As an example, if a web server
+      assumes that content passed to it from a client (created, for
+      example, by a digital camera) is of a particular content type, and
+      it always passes image content to a codec for decompression prior
+      to storage, the codec might crash when it unexpectedly receives an
+      image compressed in a different format.  Of course, it might crash
+      even if the Content-Type was correct, but the compressed bitstream
+      was invalid.  False assumptions merely introduce additional
+      failure cases.
+
+
+
+
+
+
+Rosenberg                    Informational                      [Page 8]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+   Poor User Experience: In these cases, the client and server
+      communicate, but the user receives a diminished user experience.
+      For example, if a client on a PC connects to a web site that
+      provides content for mobile devices, the content may be
+      underwhelming when viewed on the PC.  Or, a client accessing a
+      streaming media service may receive content of very low bitrate,
+      even though the client supported better codecs.  Indeed, if a user
+      wishes to access content from both a cellular device and a PC
+      using a shared address book (that is, an address book shared
+      across multiple devices), the user would need two entries in that
+      address book, and would need to use the right one from the right
+      device.  This is a poor user experience.
+
+   Degraded Security: In these cases, a weaker security mechanism is
+      used than the one that ought to have been used.  As an example, a
+      server in a domain might assume that it is only contacted by
+      clients with a limited set of authentication algorithms, even
+      though the clients have been recently upgraded to support a
+      stronger set.
+
+6.  Reasons Why the Assumptions Can Be False
+
+   Assumptions made by clients and servers about the operation of
+   protocols when contacting a particular domain are brittle, and can be
+   wrong for many reasons.  On the server side, many of the assumptions
+   are based on the notion that a domain name will only be given to, or
+   used by, a restricted set of clients.  If the holder of the domain
+   name assumes something about those clients, and can assume that only
+   those clients use the domain name, then it can configure or program
+   the server to operate specifically for those clients.  Both parts of
+   this assumption can be wrong, as discussed in more detail below.
+
+   On the client side, the notion is similar, being based on the
+   assumption that a server within a particular domain will provide a
+   specific type of service.  Sub-delegation and evolution, both
+   discussed below, can make these assumptions wrong.
+
+6.1.  Evolution
+
+   The Internet and the devices that access it are constantly evolving,
+   often at a rapid pace.  Unfortunately, there is a tendency to build
+   for the here and now, and then worry about the future at a later
+   time.  Many of the assumptions above are predicated on
+   characteristics of today's clients and servers.  Support for specific
+   protocols, authentication techniques, or content are based on today's
+   standards and today's devices.  Even though they may, for the most
+   part, be true, they won't always be.  An excellent example is mobile
+   devices.  A server servicing a domain accessed by mobile devices
+
+
+
+Rosenberg                    Informational                      [Page 9]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+   might try to make assumptions about the protocols, protocol
+   extensions, security mechanisms, screen sizes, or processor power of
+   such devices.  However, all of these characteristics can and will
+   change over time.
+
+   When they do change, the change is usually evolutionary.  The result
+   is that the assumptions remain valid in some cases, but not in
+   others.  It is difficult to fix such systems, since it requires the
+   server to detect what type of client is connecting, and what its
+   capabilities are.  Unless the system is built and deployed with these
+   capability negotiation techniques built in to begin with, such
+   detection can be extremely difficult.  In fact, fixing it will often
+   require the addition of such capability negotiation features that, if
+   they had been in place and used to begin with, would have avoided the
+   problem altogether.
+
+6.2.  Leakage
+
+   Servers also make assumptions because of the belief that they will
+   only be accessed by specific clients, and in particular, those that
+   are configured or provisioned to use the domain name.  In essence,
+   there is an assumption of community -- that a specific community
+   knows and uses the domain name, while others outside of the community
+   do not.
+
+   The problem is that this notion of community is a false one.  The
+   Internet is global.  The DNS is global.  There is no technical
+   barrier that separates those inside of the community from those
+   outside.  The ease with which information propagates across the
+   Internet makes it extremely likely that such domain names will
+   eventually find their way into clients outside of the presumed
+   community.  The ubiquitous presence of domain names in various URI
+   formats, coupled with the ease of conveyance of URIs, makes such
+   leakage merely a matter of time.  Furthermore, since the DNS is
+   global, and since it can only have one root [12], it becomes possible
+   for clients outside of the community to search and find and use such
+   "special" domain names.
+
+   Indeed, this leakage is a strength of the Internet architecture, not
+   a weakness.  It enables global access to services from any client
+   with a connection to the Internet.  That, in turn, allows for rapid
+   growth in the number of customers for any particular service.
+
+6.3.  Sub-Delegation
+
+   Clients and users make assumptions about domains because of the
+   notion that there is some kind of centralized control that can
+   enforce those assumptions.  However, the DNS is not centralized; it
+
+
+
+Rosenberg                    Informational                     [Page 10]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+   is distributed.  If a domain doesn't delegate its sub-domains and has
+   its records within a single zone, it is possible to maintain a
+   centralized policy about operation of its domain.  However, once a
+   domain gets sufficiently large that the domain administrators begin
+   to delegate sub-domains to other authorities, it becomes increasingly
+   difficult to maintain any kind of central control on the nature of
+   the service provided in each sub-domain.
+
+   Similarly, the usage of domain names with human semantic connotation
+   tends to lead to a registration of multiple domains in which a
+   particular service is to run.  As an example, a service provider with
+   the name "example" might register and set up its services in
+   "example.com", "example.net", and generally example.foo for each foo
+   that is a valid TLD.  This, like sub-delegation, results in a growth
+   in the number of domains over which it is difficult to maintain
+   centralized control.
+
+   Not that it is not possible, since there are many examples of
+   successful administration of policies across sub-domains many levels
+   deep.  However, it takes an increasing amount of effort to ensure
+   this result, as it requires human intervention and the creation of
+   process and procedure.  Automated validation of adherence to policies
+   is very difficult to do, as there is no way to automatically verify
+   many policies that might be put into place.
+
+   A less costly process for providing centralized management of
+   policies is to just hope that any centralized policies are being
+   followed, and then wait for complaints or perform random audits.
+   Those approaches have many problems.
+
+   The invalidation of assumptions due to sub-delegation is discussed in
+   further detail in Section 4.1.3 of [8] and in Section 3.3 of [20].
+
+   As a result of the fragility of policy continuity across sub-
+   delegations, if a client or user assumes some kind of property
+   associated with a TLD (such as ".wifi"), it becomes increasingly more
+   likely with the number of sub-domains that this property will not
+   exist in a server identified by a particular name.  For example, in
+   "store.chain.company.provider.wifi", there may be four levels of
+   delegation from ".wifi", making it quite likely that, unless the
+   holder of ".wifi" is working diligently, the properties that the
+   holder of ".wifi" wishes to enforce are not present.  These
+   properties may not be present due to human error or due to a willful
+   decision not to adhere to them.
+
+
+
+
+
+
+
+Rosenberg                    Informational                     [Page 11]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+6.4.  Mobility
+
+   One of the primary value propositions of a hostname as an identifier
+   is its persistence.  A client can change IP addresses, yet still
+   retain a persistent identifier used by other hosts to reach it.
+   Because their value derives from their persistence, hostnames tend to
+   move with a host not just as it changes IP addresses, but as it
+   changes access network providers and technologies.  For this reason,
+   assumptions made about a host based on the presumed access network
+   corresponding to that hostname tend to be wrong over time.  As an
+   example, a PC might normally be connected to its broadband provider,
+   and through dynamic DNS have a hostname within the domain of that
+   provider.  However, one cannot assume that any host within that
+   network has access over a broadband link; the user could connect
+   their PC over a low-bandwidth wireless access network and still
+   retain its domain name.
+
+6.5.  Human Error
+
+   Of course, human error can be the source of errors in any system, and
+   the same is true here.  There are many examples relevant to the
+   problem under discussion.
+
+   A client implementation may make the assumption that, just because a
+   DNS SRV record exists for a particular protocol in a particular
+   domain, indicating that the service is available on some port, that
+   the service is, in fact, running there.  This assumption could be
+   wrong because the SRV records haven't been updated by the system
+   administrators to reflect the services currently running.  As another
+   example, a client might assume that a particular domain policy
+   applies to all sub-domains.  However, a system administrator might
+   have omitted to apply the policy to servers running in one of those
+   sub-domains.
+
+7.  Recommendations
+
+   Based on these problems, the clear conclusion is that clients,
+   servers, and users should not make assumptions on the nature of the
+   service provided to, or by, a domain.  More specifically, however,
+   the following can be said:
+
+   Follow the specifications: When specifications define mandatory
+      baseline procedures and formats, those should be implemented and
+      supported, even if the expectation is that optional procedures
+      will most often be used.  For example, if a specification mandates
+      a particular baseline authentication technique, but allows others
+      to be negotiated and used, implementations need to implement the
+      baseline authentication algorithm even if the other ones are used
+
+
+
+Rosenberg                    Informational                     [Page 12]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+      most of the time.  Put more simply, the behavior of the protocol
+      machinery should never change based on the domain name of the
+      host.
+
+   Use capability negotiation: Many protocols are engineered with
+      capability negotiation mechanisms.  For example, a content
+      negotiation framework has been defined for protocols using MIME
+      content [13] [14] [15].  SIP allows for clients to negotiate the
+      media types used in the multimedia session, as well as protocol
+      parameters.  HTTP allows for clients to negotiate the media types
+      returned in requests for content.  When such features are
+      available in a protocol, client and servers should make use of
+      them rather than making assumptions about supported capabilities.
+      A corollary is that protocol designers should include such
+      mechanisms when evolution is expected in the usage of the
+      protocol.
+
+   "Be liberal in what you accept, and conservative in what you send"
+      [18]:  This axiom of Internet protocol design is applicable here
+      as well.  Implementations should be prepared for the full breadth
+      of what a protocol allows another entity to send, rather than be
+      limiting in what it is willing to receive.
+
+   To summarize -- there is never a need to make assumptions.  Rather
+   than doing so, utilize the specifications and the negotiation
+   capabilities they provide, and the overall system will be robust and
+   interoperable.
+
+8.  A Note on RFC 2219 and RFC 2782
+
+   Based on the definition of an assumption given here, the behavior
+   hinted at by records in the DNS also represents an assumption.  RFC
+   2219 [19] defines well-known aliases that can be used to construct
+   domain names for reaching various well-known services in a domain.
+   This approach was later followed by the definition of a new resource
+   record, the SRV record [2], which specifies that a particular service
+   is running on a server in a domain.  Although both of these
+   mechanisms are useful as a hint that a particular service is running
+   in a domain, both of them represent assumptions that may be false.
+   However, they differ in the set of reasons why those assumptions
+   might be false.
+
+   A client that assumes that "ftp.example.com" is an FTP server may be
+   wrong because the presumed naming convention in RFC 2219 was not
+   known by, or not followed by, the owner of domain.com.  With RFC
+   2782, an SRV record for a particular service would be present only by
+   explicit choice of the domain administrator, and thus a client that
+
+
+
+
+Rosenberg                    Informational                     [Page 13]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+   assumes that the corresponding host provides this service would be
+   wrong only because of human error in configuration.  In this case,
+   the assumption is less likely to be wrong, but it certainly can be.
+
+   The only way to determine with certainty that a service is running on
+   a host is to initiate a connection to the port for that service, and
+   check.  Implementations need to be careful not to codify any
+   behaviors that cause failures should the information provided in the
+   record actually be false.  This borders on common sense for robust
+   implementations, but it is valuable to raise this point explicitly.
+
+9.  Security Considerations
+
+   One of the assumptions that can be made by clients or servers is the
+   availability and usage (or lack thereof) of certain security
+   protocols and algorithms.  For example, a client accessing a service
+   in a particular domain might assume a specific authentication
+   algorithm or hash function in the application protocol.  It is
+   possible that, over time, weaknesses are found in such a technique,
+   requiring usage of a different mechanism.  Similarly, a system might
+   start with an insecure mechanism, and then decide later on to use a
+   secure one.  In either case, assumptions made on security properties
+   can result in interoperability failures, or worse yet, providing
+   service in an insecure way, even though the client asked for, and
+   thought it would get, secure service.  These kinds of assumptions are
+   fundamentally unsound even if the records themselves are secured with
+   DNSSEC.
+
+10.  Acknowledgements
+
+   The IAB would like to thank John Klensin, Keith Moore and Peter Koch
+   for their comments.
+
+11.  IAB Members
+
+   Internet Architecture Board members at the time of writing of this
+   document are:
+
+      Bernard Aboba
+
+      Loa Andersson
+
+      Brian Carpenter
+
+      Leslie Daigle
+
+      Patrik Faltstrom
+
+
+
+
+Rosenberg                    Informational                     [Page 14]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+      Bob Hinden
+
+      Kurtis Lindqvist
+
+      David Meyer
+
+      Pekka Nikander
+
+      Eric Rescorla
+
+      Pete Resnick
+
+      Jonathan Rosenberg
+
+12.  Informative References
+
+   [1]   Mockapetris, P., "Domain names - concepts and facilities",
+         STD 13, RFC 1034, November 1987.
+
+   [2]   Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
+         specifying the location of services (DNS SRV)", RFC 2782,
+         February 2000.
+
+   [3]   Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
+         Three: The Domain Name System (DNS) Database", RFC 3403,
+         October 2002.
+
+   [4]   Davis, C., Vixie, P., Goodwin, T., and I. Dickinson, "A Means
+         for Expressing Location Information in the Domain Name System",
+         RFC 1876, January 1996.
+
+   [5]   Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
+         Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol --
+         HTTP/1.1", RFC 2616, June 1999.
+
+   [6]   Schulzrinne, H., Rao, A., and R. Lanphier, "Real Time Streaming
+         Protocol (RTSP)", RFC 2326, April 1998.
+
+   [7]   Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
+         Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
+         Session Initiation Protocol", RFC 3261, June 2002.
+
+   [8]   Eastlake, D., ".sex Considered Dangerous", RFC 3675,
+         February 2004.
+
+   [9]   Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
+         April 2001.
+
+
+
+
+Rosenberg                    Informational                     [Page 15]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+   [10]  Niemi, A., Arkko, J., and V. Torvinen, "Hypertext Transfer
+         Protocol (HTTP) Digest Authentication Using Authentication and
+         Key Agreement (AKA)", RFC 3310, September 2002.
+
+   [11]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
+         Extensions (MIME) Part One: Format of Internet Message Bodies",
+         RFC 2045, November 1996.
+
+   [12]  Internet Architecture Board, "IAB Technical Comment on the
+         Unique DNS Root", RFC 2826, May 2000.
+
+   [13]  Klyne, G., "Indicating Media Features for MIME Content",
+         RFC 2912, September 2000.
+
+   [14]  Klyne, G., "A Syntax for Describing Media Feature Sets",
+         RFC 2533, March 1999.
+
+   [15]  Klyne, G., "Protocol-independent Content Negotiation
+         Framework", RFC 2703, September 1999.
+
+   [16]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
+
+   [17]  Rosenberg, J. and H. Schulzrinne, "Reliability of Provisional
+         Responses in Session Initiation Protocol (SIP)", RFC 3262,
+         June 2002.
+
+   [18]  Braden, R., "Requirements for Internet Hosts - Communication
+         Layers", STD 3, RFC 1122, October 1989.
+
+   [19]  Hamilton, M. and R. Wright, "Use of DNS Aliases for Network
+         Services", BCP 17, RFC 2219, October 1997.
+
+   [20]  Faltstrom, P., "Design Choices When Expanding DNS", Work in
+         Progress, June 2005.
+
+Author's Address
+
+   Jonathan Rosenberg, Editor
+   IAB
+   600 Lanidex Plaza
+   Parsippany, NJ  07054
+   US
+
+   Phone: +1 973 952-5000
+   EMail: jdrosen@cisco.com
+   URI:   http://www.jdrosen.net
+
+
+
+
+
+Rosenberg                    Informational                     [Page 16]
+
+RFC 4367                    Name Assumptions               February 2006
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2006).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is provided by the IETF
+   Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Rosenberg                    Informational                     [Page 17]
+
diff --git a/contrib/bind9/doc/rfc/rfc4431.txt b/contrib/bind9/doc/rfc/rfc4431.txt
new file mode 100644
index 0000000..8b38872
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc4431.txt
@@ -0,0 +1,227 @@
+
+
+
+
+
+
+Network Working Group                                         M. Andrews
+Request for Comments: 4431                   Internet Systems Consortium
+Category: Informational                                        S. Weiler
+                                                            SPARTA, Inc.
+                                                           February 2006
+
+
+       The DNSSEC Lookaside Validation (DLV) DNS Resource Record
+
+Status of This Memo
+
+   This memo provides information for the Internet community.  It does
+   not specify an Internet standard of any kind.  Distribution of this
+   memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   This document defines a new DNS resource record, called the DNSSEC
+   Lookaside Validation (DLV) RR, for publishing DNSSEC trust anchors
+   outside of the DNS delegation chain.
+
+1.  Introduction
+
+   DNSSEC [1] [2] [3] authenticates DNS data by building public-key
+   signature chains along the DNS delegation chain from a trust anchor,
+   ideally a trust anchor for the DNS root.
+
+   This document defines a new resource record for publishing such trust
+   anchors outside of the DNS's normal delegation chain.  Use of these
+   records by DNSSEC validators is outside the scope of this document,
+   but it is expected that these records will help resolvers validate
+   DNSSEC-signed data from zones whose ancestors either aren't signed or
+   refuse to publish delegation signer (DS) records for their children.
+
+2.  DLV Resource Record
+
+   The DLV resource record has exactly the same wire and presentation
+   formats as the DS resource record, defined in RFC 4034, Section 5.
+   It uses the same IANA-assigned values in the algorithm and digest
+   type fields as the DS record.  (Those IANA registries are known as
+   the "DNS Security Algorithm Numbers" and "DS RR Type Algorithm
+   Numbers" registries.)
+
+
+
+
+
+Andrews & Weiler             Informational                      [Page 1]
+
+RFC 4431                  DLV Resource Record              February 2006
+
+
+   The DLV record is a normal DNS record type without any special
+   processing requirements.  In particular, the DLV record does not
+   inherit any of the special processing or handling requirements of the
+   DS record type (described in Section 3.1.4.1 of RFC 4035).  Unlike
+   the DS record, the DLV record may not appear on the parent's side of
+   a zone cut.  A DLV record may, however, appear at the apex of a zone.
+
+3.  Security Considerations
+
+   For authoritative servers and resolvers that do not attempt to use
+   DLV RRs as part of DNSSEC validation, there are no particular
+   security concerns -- DLV RRs are just like any other DNS data.
+
+   Software using DLV RRs as part of DNSSEC validation will almost
+   certainly want to impose constraints on their use, but those
+   constraints are best left to be described by the documents that more
+   fully describe the particulars of how the records are used.  At a
+   minimum, it would be unwise to use the records without some sort of
+   cryptographic authentication.  More likely than not, DNSSEC itself
+   will be used to authenticate the DLV RRs.  Depending on how a DLV RR
+   is used, failure to properly authenticate it could lead to
+   significant additional security problems including failure to detect
+   spoofed DNS data.
+
+   RFC 4034, Section 8, describes security considerations specific to
+   the DS RR.  Those considerations are equally applicable to DLV RRs.
+   Of particular note, the key tag field is used to help select DNSKEY
+   RRs efficiently, but it does not uniquely identify a single DNSKEY
+   RR.  It is possible for two distinct DNSKEY RRs to have the same
+   owner name, the same algorithm type, and the same key tag.  An
+   implementation that uses only the key tag to select a DNSKEY RR might
+   select the wrong public key in some circumstances.
+
+   For further discussion of the security implications of DNSSEC, see
+   RFC 4033, RFC 4034, and RFC 4035.
+
+4.  IANA Considerations
+
+   IANA has assigned DNS type code 32769 to the DLV resource record from
+   the Specification Required portion of the DNS Resource Record Type
+   registry, as defined in [4].
+
+   The DLV resource record reuses the same algorithm and digest type
+   registries already used for the DS resource record, currently known
+   as the "DNS Security Algorithm Numbers" and "DS RR Type Algorithm
+   Numbers" registries.
+
+
+
+
+
+Andrews & Weiler             Informational                      [Page 2]
+
+RFC 4431                  DLV Resource Record              February 2006
+
+
+5.  Normative References
+
+   [1]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "DNS Security Introduction and Requirements", RFC 4033,
+        March 2005.
+
+   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Resource Records for the DNS Security Extensions", RFC 4034,
+        March 2005.
+
+   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Protocol Modifications for the DNS Security Extensions",
+        RFC 4035, March 2005.
+
+   [4]  Eastlake, D., Brunner-Williams, E., and B. Manning, "Domain Name
+        System (DNS) IANA Considerations", BCP 42, RFC 2929,
+        September 2000.
+
+Authors' Addresses
+
+   Mark Andrews
+   Internet Systems Consortium
+   950 Charter St.
+   Redwood City, CA  94063
+   US
+
+   EMail: Mark_Andrews@isc.org
+
+
+   Samuel Weiler
+   SPARTA, Inc.
+   7075 Samuel Morse Drive
+   Columbia, Maryland  21046
+   US
+
+   EMail: weiler@tislabs.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Andrews & Weiler             Informational                      [Page 3]
+
+RFC 4431                  DLV Resource Record              February 2006
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2006).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is provided by the IETF
+   Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Andrews & Weiler             Informational                      [Page 4]
+
diff --git a/contrib/bind9/isc-config.sh.in b/contrib/bind9/isc-config.sh.in
index 737e31d..45aab66 100644
--- a/contrib/bind9/isc-config.sh.in
+++ b/contrib/bind9/isc-config.sh.in
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: isc-config.sh.in,v 1.10.12.3 2004/03/08 04:04:12 marka Exp $
+# $Id: isc-config.sh.in,v 1.15 2004/03/05 04:56:57 marka Exp $
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
diff --git a/contrib/bind9/lib/Makefile.in b/contrib/bind9/lib/Makefile.in
index c72b3e7..e8be294 100644
--- a/contrib/bind9/lib/Makefile.in
+++ b/contrib/bind9/lib/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.15.2.2.8.4 2004/03/08 09:04:25 marka Exp $
+# $Id: Makefile.in,v 1.19 2004/03/05 05:05:00 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/bind/Makefile.in b/contrib/bind9/lib/bind/Makefile.in
index 61424e7..fd9a16f 100644
--- a/contrib/bind9/lib/bind/Makefile.in
+++ b/contrib/bind9/lib/bind/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.12.2.5.2.11 2006/06/24 00:25:38 marka Exp $
+# $Id: Makefile.in,v 1.22.18.7 2006/06/24 00:25:39 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/contrib/bind9/lib/bind/api b/contrib/bind9/lib/bind/api
index 8632b12..8701441 100644
--- a/contrib/bind9/lib/bind/api
+++ b/contrib/bind9/lib/bind/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 4
-LIBREVISION = 7
+LIBREVISION = 6
 LIBAGE = 0
diff --git a/contrib/bind9/lib/bind/bsd/Makefile.in b/contrib/bind9/lib/bind/bsd/Makefile.in
index dd7b616..cf70c10 100644
--- a/contrib/bind9/lib/bind/bsd/Makefile.in
+++ b/contrib/bind9/lib/bind/bsd/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6.206.1 2004/03/06 08:13:22 marka Exp $
+# $Id: Makefile.in,v 1.7 2004/03/05 05:05:07 marka Exp $
 
 srcdir=         @srcdir@
 VPATH =         @srcdir@
diff --git a/contrib/bind9/lib/bind/bsd/daemon.c b/contrib/bind9/lib/bind/bsd/daemon.c
index a1472f9..a7d2ded 100644
--- a/contrib/bind9/lib/bind/bsd/daemon.c
+++ b/contrib/bind9/lib/bind/bsd/daemon.c
@@ -1,6 +1,6 @@
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)daemon.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: daemon.c,v 1.1 2001/03/29 06:30:31 marka Exp $";
+static const char rcsid[] = "$Id: daemon.c,v 1.1.352.1 2005/04/27 05:00:42 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*
@@ -77,3 +77,5 @@ daemon(int nochdir, int noclose) {
 	return (0);
 }
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/bsd/ftruncate.c b/contrib/bind9/lib/bind/bsd/ftruncate.c
index 56ce8d3..b222c8b 100644
--- a/contrib/bind9/lib/bind/bsd/ftruncate.c
+++ b/contrib/bind9/lib/bind/bsd/ftruncate.c
@@ -1,8 +1,9 @@
 #ifndef LINT
-static const char rcsid[] = "$Id: ftruncate.c,v 1.1 2001/03/29 06:30:32 marka Exp $";
+static const char rcsid[] = "$Id: ftruncate.c,v 1.1.352.3 2005/06/22 22:05:45 marka Exp $";
 #endif
 
-/*
+/*! \file
+ * \brief
  * ftruncate - set file size, BSD Style
  *
  * shortens or enlarges the file as neeeded
diff --git a/contrib/bind9/lib/bind/bsd/gettimeofday.c b/contrib/bind9/lib/bind/bsd/gettimeofday.c
index ffde020..0c88e00 100644
--- a/contrib/bind9/lib/bind/bsd/gettimeofday.c
+++ b/contrib/bind9/lib/bind/bsd/gettimeofday.c
@@ -1,5 +1,5 @@
 #ifndef LINT
-static const char rcsid[] = "$Id: gettimeofday.c,v 1.1.2.2 2002/07/12 00:49:51 marka Exp $";
+static const char rcsid[] = "$Id: gettimeofday.c,v 1.3.332.1 2005/04/27 05:00:43 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -9,7 +9,7 @@ static const char rcsid[] = "$Id: gettimeofday.c,v 1.1.2.2 2002/07/12 00:49:51 m
 #include "port_after.h"
 
 #if !defined(NEED_GETTIMEOFDAY)
-/*
+/*%
  * gettimeofday() occasionally returns invalid tv_usec on some platforms.
  */
 #define MILLION 1000000
@@ -60,3 +60,5 @@ gettimeofday(struct timeval *tvp, struct _TIMEZONE *tzp) {
 	return (0);
 }
 #endif /*NEED_GETTIMEOFDAY*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/bsd/mktemp.c b/contrib/bind9/lib/bind/bsd/mktemp.c
index 9852a35..f201c2d 100644
--- a/contrib/bind9/lib/bind/bsd/mktemp.c
+++ b/contrib/bind9/lib/bind/bsd/mktemp.c
@@ -1,6 +1,6 @@
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)mktemp.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: mktemp.c,v 1.1 2001/03/29 06:30:33 marka Exp $";
+static const char rcsid[] = "$Id: mktemp.c,v 1.1.352.1 2005/04/27 05:00:43 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*
@@ -96,7 +96,7 @@ gettemp(char *path, int *doopen) {
 	u_int pid;
 
 	pid = getpid();
-	for (trv = path; *trv; ++trv);		/* extra X's get set to 0's */
+	for (trv = path; *trv; ++trv);		/*%< extra X's get set to 0's */
 	while (*--trv == 'X') {
 		*trv = (pid % 10) + '0';
 		pid /= 10;
@@ -152,3 +152,5 @@ gettemp(char *path, int *doopen) {
 }
 
 #endif /*NEED_MKTEMP*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/bsd/putenv.c b/contrib/bind9/lib/bind/bsd/putenv.c
index abaa525..dca02c10 100644
--- a/contrib/bind9/lib/bind/bsd/putenv.c
+++ b/contrib/bind9/lib/bind/bsd/putenv.c
@@ -1,11 +1,11 @@
 #ifndef LINT
-static const char rcsid[] = "$Id: putenv.c,v 1.1 2001/03/29 06:30:33 marka Exp $";
+static const char rcsid[] = "$Id: putenv.c,v 1.1.352.1 2005/04/27 05:00:43 sra Exp $";
 #endif
 
 #include "port_before.h"
 #include "port_after.h"
 
-/*
+/*%
  * To give a little credit to Sun, SGI,
  * and many vendors in the SysV world.
  */
@@ -23,3 +23,5 @@ putenv(char *str) {
 	return (setenv(str, tmp, 1));
 }
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/bsd/readv.c b/contrib/bind9/lib/bind/bsd/readv.c
index ccfcb5a..eb13bcc 100644
--- a/contrib/bind9/lib/bind/bsd/readv.c
+++ b/contrib/bind9/lib/bind/bsd/readv.c
@@ -1,5 +1,5 @@
 #ifndef LINT
-static const char rcsid[] = "$Id: readv.c,v 1.1 2001/03/29 06:30:35 marka Exp $";
+static const char rcsid[] = "$Id: readv.c,v 1.1.352.1 2005/04/27 05:00:43 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -36,3 +36,4 @@ __readv(fd, vp, vpcount)
 	return (count);
 }
 #endif /* NEED_READV */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/bsd/setenv.c b/contrib/bind9/lib/bind/bsd/setenv.c
index 6a11c9d..ce2f063 100644
--- a/contrib/bind9/lib/bind/bsd/setenv.c
+++ b/contrib/bind9/lib/bind/bsd/setenv.c
@@ -1,6 +1,6 @@
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)setenv.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: setenv.c,v 1.1 2001/03/29 06:30:35 marka Exp $";
+static const char rcsid[] = "$Id: setenv.c,v 1.1.352.1 2005/04/27 05:00:44 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*
@@ -52,40 +52,40 @@ extern char **environ;
 
 static char *findenv(const char *name, int *offset);
 
-/*
+/*%
  * setenv --
  *	Set the value of the environmental variable "name" to be
  *	"value".  If rewrite is set, replace any current value.
  */
 setenv(const char *name, const char *value, int rewrite) {
 	extern char **environ;
-	static int alloced;			/* if allocated space before */
+	static int alloced;			/*%< if allocated space before */
 	char *c;
 	int l_value, offset;
 
-	if (*value == '=')			/* no `=' in value */
+	if (*value == '=')			/*%< no `=' in value */
 		++value;
 	l_value = strlen(value);
-	if ((c = findenv(name, &offset))) {	/* find if already exists */
+	if ((c = findenv(name, &offset))) {	/*%< find if already exists */
 		if (!rewrite)
 			return (0);
-		if (strlen(c) >= l_value) {	/* old larger; copy over */
+		if (strlen(c) >= l_value) {	/*%< old larger; copy over */
 			while (*c++ = *value++);
 			return (0);
 		}
-	} else {					/* create new slot */
+	} else {					/*%< create new slot */
 		int cnt;
 		char **p;
 
 		for (p = environ, cnt = 0; *p; ++p, ++cnt);
-		if (alloced) {			/* just increase size */
+		if (alloced) {			/*%< just increase size */
 			environ = (char **)realloc((char *)environ,
 			    (size_t)(sizeof(char *) * (cnt + 2)));
 			if (!environ)
 				return (-1);
 		}
-		else {				/* get new space */
-			alloced = 1;		/* copy old entries into it */
+		else {				/*%< get new space */
+			alloced = 1;		/*%< copy old entries into it */
 			p = malloc((size_t)(sizeof(char *) * (cnt + 2)));
 			if (!p)
 				return (-1);
@@ -95,8 +95,8 @@ setenv(const char *name, const char *value, int rewrite) {
 		environ[cnt + 1] = NULL;
 		offset = cnt;
 	}
-	for (c = (char *)name; *c && *c != '='; ++c);	/* no `=' in name */
-	if (!(environ[offset] =			/* name + `=' + value */
+	for (c = (char *)name; *c && *c != '='; ++c);	/*%< no `=' in name */
+	if (!(environ[offset] =			/*%< name + `=' + value */
 	    malloc((size_t)((int)(c - name) + l_value + 2))))
 		return (-1);
 	for (c = environ[offset]; (*c = *name++) && *c != '='; ++c);
@@ -104,7 +104,7 @@ setenv(const char *name, const char *value, int rewrite) {
 	return (0);
 }
 
-/*
+/*%
  * unsetenv(name) --
  *	Delete environmental variable "name".
  */
@@ -113,13 +113,13 @@ unsetenv(const char *name) {
 	char **p;
 	int offset;
 
-	while (findenv(name, &offset))	/* if set multiple times */
+	while (findenv(name, &offset))	/*%< if set multiple times */
 		for (p = &environ[offset];; ++p)
 			if (!(*p = *(p + 1)))
 				break;
 }
 
-/*
+/*%
  * findenv --
  *	Returns pointer to value associated with name, if any, else NULL.
  *	Sets offset to be the offset of the name/value combination in the
@@ -147,3 +147,5 @@ findenv(const char *name, int *offset) {
 	return (NULL);
 }
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/bsd/setitimer.c b/contrib/bind9/lib/bind/bsd/setitimer.c
index 791846a..2d5a4e4 100644
--- a/contrib/bind9/lib/bind/bsd/setitimer.c
+++ b/contrib/bind9/lib/bind/bsd/setitimer.c
@@ -1,5 +1,5 @@
 #ifndef LINT
-static const char rcsid[] = "$Id: setitimer.c,v 1.1 2001/03/29 06:30:35 marka Exp $";
+static const char rcsid[] = "$Id: setitimer.c,v 1.1.352.1 2005/04/27 05:00:44 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -8,7 +8,7 @@ static const char rcsid[] = "$Id: setitimer.c,v 1.1 2001/03/29 06:30:35 marka Ex
 
 #include "port_after.h"
 
-/*
+/*%
  * Setitimer emulation routine.
  */
 #ifndef NEED_SETITIMER
@@ -25,3 +25,5 @@ __setitimer(int which, const struct itimerval *value,
 		return (-1);
 }
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/bsd/strcasecmp.c b/contrib/bind9/lib/bind/bsd/strcasecmp.c
index c8c9d05..fd76837 100644
--- a/contrib/bind9/lib/bind/bsd/strcasecmp.c
+++ b/contrib/bind9/lib/bind/bsd/strcasecmp.c
@@ -1,6 +1,6 @@
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)strcasecmp.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strcasecmp.c,v 1.1 2001/03/29 06:30:35 marka Exp $";
+static const char rcsid[] = "$Id: strcasecmp.c,v 1.1.352.1 2005/04/27 05:00:45 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*
@@ -50,7 +50,7 @@ static const char rcsid[] = "$Id: strcasecmp.c,v 1.1 2001/03/29 06:30:35 marka E
 int __strcasecmp_unneeded__;
 #else
 
-/*
+/*%
  * This array is designed for mapping upper and lower case letter
  * together for a case independent comparison.  The mappings are
  * based upon ascii character sequences.
@@ -120,3 +120,5 @@ strncasecmp(const char *s1, const char *s2, size_t n) {
 }
 
 #endif /*NEED_STRCASECMP*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/bsd/strdup.c b/contrib/bind9/lib/bind/bsd/strdup.c
index 246bc1f..a8d31e9 100644
--- a/contrib/bind9/lib/bind/bsd/strdup.c
+++ b/contrib/bind9/lib/bind/bsd/strdup.c
@@ -16,3 +16,5 @@ strdup(const char *src) {
 	return (dst);
 }
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/bsd/strerror.c b/contrib/bind9/lib/bind/bsd/strerror.c
index d13adbb..5743398 100644
--- a/contrib/bind9/lib/bind/bsd/strerror.c
+++ b/contrib/bind9/lib/bind/bsd/strerror.c
@@ -1,6 +1,6 @@
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)strerror.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strerror.c,v 1.3.2.1 2001/11/02 17:45:31 gson Exp $";
+static const char rcsid[] = "$Id: strerror.c,v 1.4.332.1 2005/04/27 05:00:46 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*
@@ -57,19 +57,19 @@ extern char *sys_errlist[];
 const char *
 isc_strerror(int num) {
 #define	UPREFIX	"Unknown error: "
-	static char ebuf[40] = UPREFIX;		/* 64-bit number + slop */
+	static char ebuf[40] = UPREFIX;		/*%< 64-bit number + slop */
 	u_int errnum;
 	char *p, *t;
 	const char *ret;
 	char tmp[40];
 
-	errnum = num;				/* convert to unsigned */
+	errnum = num;				/*%< convert to unsigned */
 #ifdef USE_SYSERROR_LIST
 	if (errnum < sys_nerr)
 		return (sys_errlist[errnum]);
 #else
 #undef strerror
-	ret = strerror(num);			/* call strerror() in libc */
+	ret = strerror(num);			/*%< call strerror() in libc */
 	if (ret != NULL)
 		return(ret);
 #endif
@@ -88,3 +88,5 @@ isc_strerror(int num) {
 }
 
 #endif /*NEED_STRERROR*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/bsd/strpbrk.c b/contrib/bind9/lib/bind/bsd/strpbrk.c
index ff039e1..4502572 100644
--- a/contrib/bind9/lib/bind/bsd/strpbrk.c
+++ b/contrib/bind9/lib/bind/bsd/strpbrk.c
@@ -1,6 +1,6 @@
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)strpbrk.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strpbrk.c,v 1.1 2001/03/29 06:30:36 marka Exp $";
+static const char rcsid[] = "$Id: strpbrk.c,v 1.1.352.1 2005/04/27 05:00:46 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*
@@ -49,7 +49,7 @@ static const char rcsid[] = "$Id: strpbrk.c,v 1.1 2001/03/29 06:30:36 marka Exp
 int __strpbrk_unneeded__;
 #else
 
-/*
+/*%
  * Find the first occurrence in s1 of a character in s2 (excluding NUL).
  */
 char *
@@ -66,3 +66,5 @@ strpbrk(const char *s1, const char *s2) {
 }
 
 #endif /*NEED_STRPBRK*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/bsd/strsep.c b/contrib/bind9/lib/bind/bsd/strsep.c
index 3dcee4a..1214f80 100644
--- a/contrib/bind9/lib/bind/bsd/strsep.c
+++ b/contrib/bind9/lib/bind/bsd/strsep.c
@@ -1,6 +1,6 @@
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "strsep.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strsep.c,v 1.1 2001/03/29 06:30:36 marka Exp $";
+static const char rcsid[] = "$Id: strsep.c,v 1.1.352.1 2005/04/27 05:00:47 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*
@@ -46,7 +46,7 @@ static const char rcsid[] = "$Id: strsep.c,v 1.1 2001/03/29 06:30:36 marka Exp $
 int __strsep_unneeded__;
 #else
 
-/*
+/*%
  * Get next token from string *stringp, where tokens are possibly-empty
  * strings separated by characters from delim.  
  *
@@ -84,3 +84,5 @@ strsep(char **stringp, const char *delim) {
 }
 
 #endif /*NEED_STRSEP*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/bsd/strtoul.c b/contrib/bind9/lib/bind/bsd/strtoul.c
index d110f30..f419227 100644
--- a/contrib/bind9/lib/bind/bsd/strtoul.c
+++ b/contrib/bind9/lib/bind/bsd/strtoul.c
@@ -1,6 +1,6 @@
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)strtoul.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strtoul.c,v 1.1.2.1 2003/06/27 03:51:35 marka Exp $";
+static const char rcsid[] = "$Id: strtoul.c,v 1.2.164.1 2005/04/27 05:00:47 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*
@@ -52,7 +52,7 @@ static const char rcsid[] = "$Id: strtoul.c,v 1.1.2.1 2003/06/27 03:51:35 marka
 int __strtoul_unneeded__;
 #else
 
-/*
+/*%
  * Convert a string to an unsigned long integer.
  *
  * Ignores `locale' stuff.  Assumes that the upper and lower case
@@ -115,3 +115,5 @@ strtoul(const char *nptr, char **endptr, int base) {
 }
 
 #endif /*NEED_STRTOUL*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/bsd/utimes.c b/contrib/bind9/lib/bind/bsd/utimes.c
index 6a288f4..2f65cff 100644
--- a/contrib/bind9/lib/bind/bsd/utimes.c
+++ b/contrib/bind9/lib/bind/bsd/utimes.c
@@ -37,3 +37,4 @@ __utimes(char *filename, struct timeval *tvp) {
 }
 
 #endif /* NEED_UTIMES */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/bsd/writev.c b/contrib/bind9/lib/bind/bsd/writev.c
index fe204a9..0e81c26 100644
--- a/contrib/bind9/lib/bind/bsd/writev.c
+++ b/contrib/bind9/lib/bind/bsd/writev.c
@@ -1,5 +1,5 @@
 #ifndef LINT
-static const char rcsid[] = "$Id: writev.c,v 1.1.2.1 2003/06/27 03:51:35 marka Exp $";
+static const char rcsid[] = "$Id: writev.c,v 1.2.164.1 2005/04/27 05:00:47 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -85,3 +85,5 @@ __writev(fd, vp, vpcount)
 #endif /*_CRAY*/
 
 #endif /*NEED_WRITEV*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/configure b/contrib/bind9/lib/bind/configure
index 1fba616..d6171dc 100755
--- a/contrib/bind9/lib/bind/configure
+++ b/contrib/bind9/lib/bind/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in Revision: 1.83.2.5.2.31 .
+# From configure.in Revision: 1.90.18.29 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
diff --git a/contrib/bind9/lib/bind/configure.in b/contrib/bind9/lib/bind/configure.in
index 9c2877c..3431818 100644
--- a/contrib/bind9/lib/bind/configure.in
+++ b/contrib/bind9/lib/bind/configure.in
@@ -1,5 +1,5 @@
-# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001, 2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.83.2.5.2.31 $)
+AC_REVISION($Revision: 1.90.18.31 $)
 
 AC_INIT(resolv/herror.c)
 AC_PREREQ(2.13)
diff --git a/contrib/bind9/lib/bind/dst/Makefile.in b/contrib/bind9/lib/bind/dst/Makefile.in
index 8b30659..c802840 100644
--- a/contrib/bind9/lib/bind/dst/Makefile.in
+++ b/contrib/bind9/lib/bind/dst/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5.206.1 2004/03/06 08:13:22 marka Exp $
+# $Id: Makefile.in,v 1.6 2004/03/05 05:05:09 marka Exp $
  
 srcdir=		@srcdir@
 VPATH =         @srcdir@
diff --git a/contrib/bind9/lib/bind/dst/dst_api.c b/contrib/bind9/lib/bind/dst/dst_api.c
index 417c31f..bc730dc 100644
--- a/contrib/bind9/lib/bind/dst/dst_api.c
+++ b/contrib/bind9/lib/bind/dst/dst_api.c
@@ -1,5 +1,5 @@
 #ifndef LINT
-static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/dst_api.c,v 1.4.2.6.8.4 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/dst_api.c,v 1.10.332.5 2006/03/10 00:20:08 marka Exp $";
 #endif
 
 /*
@@ -78,7 +78,7 @@ static DST_KEY *dst_s_get_key_struct(const char *name, const int alg,
 				     const int flags, const int protocol,
 				     const int bits);
 
-/*
+/*%
  *  dst_init
  *	This function initializes the Digital Signature Toolkit.
  *	Right now, it just checks the DSTKEYPATH environment variable.
@@ -124,7 +124,7 @@ dst_init()
 	dst_hmac_md5_init();
 }
 
-/*
+/*%
  *  dst_check_algorithm
  *	This function determines if the crypto system for the specified
  *	algorithm is present.
@@ -143,7 +143,7 @@ dst_check_algorithm(const int alg)
 	return (dst_t_func[alg] != NULL);
 }
 
-/* 
+/*%
  * dst_s_get_key_struct 
  *	This function allocates key structure and fills in some of the 
  *	fields of the structure. 
@@ -163,7 +163,7 @@ dst_s_get_key_struct(const char *name, const int alg, const int flags,
 {
 	DST_KEY *new_key = NULL; 
 
-	if (dst_check_algorithm(alg)) /* make sure alg is available */
+	if (dst_check_algorithm(alg)) /*%< make sure alg is available */
 		new_key = (DST_KEY *) malloc(sizeof(*new_key));
 	if (new_key == NULL)
 		return (NULL);
@@ -183,7 +183,7 @@ dst_s_get_key_struct(const char *name, const int alg, const int flags,
 	return (new_key);
 }
 
-/*
+/*%
  *  dst_compare_keys
  *	Compares two keys for equality.
  *  Parameters
@@ -209,8 +209,7 @@ dst_compare_keys(const DST_KEY *key1, const DST_KEY *key2)
 	return (key1->dk_func->compare(key1, key2));
 }
 
-
-/*
+/*%
  * dst_sign_data
  *	An incremental signing function.  Data is signed in steps.
  *	First the context must be initialized (SIG_MODE_INIT).
@@ -236,8 +235,8 @@ dst_compare_keys(const DST_KEY *key1, const DST_KEY *key2)
  *	sig_len Length of the signature field in bytes.
  * Return
  *	 0      Successfull INIT or Update operation
- *	>0      success FINAL (sign) operation
- *	<0      failure
+ *	&gt;0      success FINAL (sign) operation
+ *	&lt;0      failure
  */
 
 int
@@ -257,8 +256,7 @@ dst_sign_data(const int mode, DST_KEY *in_key, void **context,
 	return (UNKNOWN_KEYALG);
 }
 
-
-/*
+/*%
  *  dst_verify_data
  *	An incremental verify function.  Data is verified in steps.
  *	First the context must be initialized (SIG_MODE_INIT).
@@ -300,8 +298,7 @@ dst_verify_data(const int mode, DST_KEY *in_key, void **context,
 					signature, sig_len));
 }
 
-
-/*
+/*%
  *  dst_read_private_key
  *	Access a private key.  First the list of private keys that have
  *	already been read in is searched, then the key accessed on disk.
@@ -330,7 +327,7 @@ dst_read_key(const char *in_keyname, const u_int16_t in_id,
 	char keyname[PATH_MAX];
 	DST_KEY *dg_key = NULL, *pubkey = NULL;
 
-	if (!dst_check_algorithm(in_alg)) { /* make sure alg is available */
+	if (!dst_check_algorithm(in_alg)) { /*%< make sure alg is available */
 		EREPORT(("dst_read_private_key(): Algorithm %d not suppored\n",
 			 in_alg));
 		return (NULL);
@@ -373,7 +370,7 @@ dst_write_key(const DST_KEY *key, const int type)
 
 	if (key == NULL) 
 		return (0);
-	if (!dst_check_algorithm(key->dk_alg)) { /* make sure alg is available */
+	if (!dst_check_algorithm(key->dk_alg)) { /*%< make sure alg is available */
 		EREPORT(("dst_write_key(): Algorithm %d not suppored\n", 
 			 key->dk_alg));
 		return (UNSUPPORTED_KEYALG);
@@ -390,19 +387,19 @@ dst_write_key(const DST_KEY *key, const int type)
 	return (priv+pub);
 }
 
-/*
+/*%
  *  dst_write_private_key
  *	Write a private key to disk.  The filename will be of the form:
- *	K<key->dk_name>+<key->dk_alg>+<key->dk_id>.<private key suffix>.
+ *	K&lt;key-&gt;dk_name&gt;+&lt;key-&gt;dk_alg+&gt;&lt;key-d&gt;k_id.&gt;&lt;private key suffix&gt;.
  *	If there is already a file with this name, an error is returned.
  *
  *  Parameters
  *	key     A DST managed key structure that contains
  *	      all information needed about a key.
  *  Return
- *	>= 0    Correct behavior.  Returns length of encoded key value
+ *	&gt;= 0    Correct behavior.  Returns length of encoded key value
  *		  written to disk.
- *	<  0    error.
+ *	&lt;  0    error.
  */
 
 static int
@@ -417,8 +414,7 @@ dst_s_write_private_key(const DST_KEY *key)
 	if (key == NULL)
 		return (-1);
 	if (key->dk_KEY_struct == NULL)
-		return (0);	/* null key has no private key */
-
+		return (0);	/*%< null key has no private key */
 	if (key->dk_func == NULL || key->dk_func->to_file_fmt == NULL) {
 		EREPORT(("dst_write_private_key(): Unsupported operation %d\n",
 			 key->dk_alg));
@@ -450,12 +446,12 @@ dst_s_write_private_key(const DST_KEY *key)
 	return (len);
 }
 
-/*
+/*%
 *
  *  dst_read_public_key
  *	Read a public key from disk and store in a DST key structure.
  *  Parameters
- *	in_name	 K<in_name><in_id>.<public key suffix> is the
+ *	in_name	 K&lt;in_name&gt;&lt;in_id&gt;.&lt;public key suffix&gt; is the
  *		      filename of the key file to be read.
  *  Returns
  *	NULL	    If the key does not exist or no name is supplied.
@@ -484,7 +480,7 @@ dst_s_read_public_key(const char *in_name, const u_int16_t in_id, int in_alg)
 	/*
 	 * Open the file and read it's formatted contents up to key
 	 * File format:
-	 *    domain.name [ttl] [IN] KEY  <flags> <protocol> <algorithm> <key>
+	 *    domain.name [ttl] [IN] KEY  &lt;flags&gt; &lt;protocol&gt; &lt;algorithm&gt; &lt;key&gt;
 	 * flags, proto, alg stored as decimal (or hex numbers FIXME).
 	 * (FIXME: handle parentheses for line continuation.)
 	 */
@@ -531,7 +527,7 @@ dst_s_read_public_key(const char *in_name, const u_int16_t in_id, int in_alg)
 	while ((c = getc(fp)) != EOF)
 		if (!isspace(c))
 			break;
-	ungetc(c, fp);		/* return the charcter to the input field */
+	ungetc(c, fp);		/*%< return the charcter to the input field */
 	/* Handle hex!! FIXME.  */
 
 	if (fscanf(fp, "%d %d %d", &flags, &proto, &alg) != 3) {
@@ -574,8 +570,7 @@ dst_s_read_public_key(const char *in_name, const u_int16_t in_id, int in_alg)
 	return dst_buffer_to_key(in_name, alg, flags, proto, deckey, dlen);
 }
 
-
-/*
+/*%
  *  dst_write_public_key
  *	Write a key to disk in DNS format.
  *  Parameters
@@ -629,8 +624,7 @@ dst_s_write_public_key(const DST_KEY *key)
 	return (1);
 }
 
-
-/*
+/*%
  *  dst_dnskey_to_public_key
  *	This function converts the contents of a DNS KEY RR into a DST
  *	key structure.
@@ -651,10 +645,10 @@ dst_dnskey_to_key(const char *in_name, const u_char *rdata, const int len)
 	int alg ;
 	int start = DST_KEY_START;
 
-	if (rdata == NULL || len <= DST_KEY_ALG) /* no data */
+	if (rdata == NULL || len <= DST_KEY_ALG) /*%< no data */
 		return (NULL);
 	alg = (u_int8_t) rdata[DST_KEY_ALG];
-	if (!dst_check_algorithm(alg)) { /* make sure alg is available */
+	if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */
 		EREPORT(("dst_dnskey_to_key(): Algorithm %d not suppored\n",
 			 alg));
 		return (NULL);
@@ -691,8 +685,7 @@ dst_dnskey_to_key(const char *in_name, const u_char *rdata, const int len)
 	return (key_st);
 }
 
-
-/*
+/*%
  *  dst_public_key_to_dnskey
  *	Function to encode a public key into DNS KEY wire format 
  *  Parameters
@@ -714,7 +707,7 @@ dst_key_to_dnskey(const DST_KEY *key, u_char *out_storage,
 	if (key == NULL)
 		return (-1);
 
-	if (!dst_check_algorithm(key->dk_alg)) { /* make sure alg is available */
+	if (!dst_check_algorithm(key->dk_alg)) { /*%< make sure alg is available */
 		EREPORT(("dst_key_to_dnskey(): Algorithm %d not suppored\n",
 			 key->dk_alg));
 		return (UNSUPPORTED_KEYALG);
@@ -727,7 +720,7 @@ dst_key_to_dnskey(const DST_KEY *key, u_char *out_storage,
 	out_storage[loc++] = (u_char) key->dk_proto;
 	out_storage[loc++] = (u_char) key->dk_alg;
 
-	if (key->dk_flags > 0xffff) {	/* Extended flags */
+	if (key->dk_flags > 0xffff) {	/*%< Extended flags */
 		val = (u_int16_t)((key->dk_flags >> 16) & 0xffff);
 		dst_s_put_int16(&out_storage[loc], val);
 		loc += 2;
@@ -748,8 +741,7 @@ dst_key_to_dnskey(const DST_KEY *key, u_char *out_storage,
 	return (-1);
 }
 
-
-/*
+/*%
  *  dst_buffer_to_key
  *	Function to encode a string of raw data into a DST key
  *  Parameters
@@ -761,19 +753,19 @@ dst_key_to_dnskey(const DST_KEY *key, u_char *out_storage,
  *	NON-NULL	the DST key
  */
 DST_KEY *
-dst_buffer_to_key(const char *key_name,		/* name of the key */
-		  const int alg,		/* algorithm */
-		  const int flags,		/* dns flags */
-		  const int protocol,		/* dns protocol */
-		  const u_char *key_buf,	/* key in dns wire fmt */
-		  const int key_len)		/* size of key */
+dst_buffer_to_key(const char *key_name,		/*!< name of the key  */
+		  const int alg,		/*!< algorithm  */
+		  const int flags,		/*!< dns flags  */
+		  const int protocol,		/*!< dns protocol  */
+		  const u_char *key_buf,	/*!< key in dns wire fmt  */
+		  const int key_len)		/*!< size of key  */
 {
 	
 	DST_KEY *dkey = NULL; 
 	int dnslen;
 	u_char dns[2048];
 
-	if (!dst_check_algorithm(alg)) { /* make sure alg is available */
+	if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */
 		EREPORT(("dst_buffer_to_key(): Algorithm %d not suppored\n", alg));
 		return (NULL);
 	}
@@ -810,8 +802,7 @@ dst_key_to_buffer(DST_KEY *key, u_char *out_buff, int buf_len)
 	return (0);
 }
 
-
-/*
+/*%
  * dst_s_read_private_key_file
  *     Function reads in private key from a file.
  *     Fills out the KEY structure.
@@ -885,14 +876,14 @@ dst_s_read_private_key_file(char *name, DST_KEY *pk_key, u_int16_t in_id,
 				"dst_s_read_private_key_file(): Keyfile %s version higher than mine %d.%d MAY FAIL\n",
 				name, file_major, file_minor));
 
-	while (*p++ != '\n') ;	/* skip to end of line */
+	while (*p++ != '\n') ;	/*%< skip to end of line */
 
 	if (!dst_s_verify_str((const char **) (void *)&p, "Algorithm: "))
 		goto fail;
 
 	if (sscanf((char *)p, "%d", &alg) != 1)
 		goto fail;
-	while (*p++ != '\n') ;	/* skip to end of line */
+	while (*p++ != '\n') ;	/*%< skip to end of line */
 
 	if (pk_key->dk_key_name && !strcmp(pk_key->dk_key_name, name))
 		SAFE_FREE2(pk_key->dk_key_name, strlen(pk_key->dk_key_name));
@@ -925,34 +916,34 @@ dst_s_read_private_key_file(char *name, DST_KEY *pk_key, u_int16_t in_id,
 	return (0);
 }
 
-
-/*
- *  dst_generate_key
+/*%
  *	Generate and store a public/private keypair.
  *	Keys will be stored in formatted files.
+ *
  *  Parameters
- *	name    Name of the new key.  Used to create key files
- *		  K<name>+<alg>+<id>.public and K<name>+<alg>+<id>.private.
- *	bits    Size of the new key in bits.
- *	exp     What exponent to use:
- *		  0	   use exponent 3
- *		  non-zero    use Fermant4
- *	flags   The default value of the DNS Key flags.
- *		  The DNS Key RR Flag field is defined in RFC 2065,
+ &
+ *\par	name    Name of the new key.  Used to create key files
+ *\li		  K&lt;name&gt;+&lt;alg&gt;+&lt;id&gt;.public and K&lt;name&gt;+&lt;alg&gt;+&lt;id&gt;.private.
+ *\par	bits    Size of the new key in bits.
+ *\par	exp     What exponent to use:
+ *\li		  0	   use exponent 3
+ *\li		  non-zero    use Fermant4
+ *\par	flags   The default value of the DNS Key flags.
+ *\li		  The DNS Key RR Flag field is defined in RFC2065,
  *		  section 3.3.  The field has 16 bits.
- *	protocol
- *	      Default value of the DNS Key protocol field.
- *		  The DNS Key protocol field is defined in RFC 2065,
+ *\par	protocol
+ *\li	      Default value of the DNS Key protocol field.
+ *\li		  The DNS Key protocol field is defined in RFC2065,
  *		  section 3.4.  The field has 8 bits.
- *	alg     What algorithm to use.  Currently defined:
- *		  KEY_RSA       1
- *		  KEY_DSA       3
- *		  KEY_HMAC    157
- *	out_id The key tag is returned.
+ *\par	alg     What algorithm to use.  Currently defined:
+ *\li		  KEY_RSA       1
+ *\li		  KEY_DSA       3
+ *\li		  KEY_HMAC    157
+ *\par	out_id The key tag is returned.
  *
  *  Return
- *	NULL		Failure
- *	non-NULL 	the generated key pair
+ *\li	NULL		Failure
+ *\li	non-NULL 	the generated key pair
  *			Caller frees the result, and its dk_name pointer.
  */
 DST_KEY *
@@ -966,7 +957,7 @@ dst_generate_key(const char *name, const int bits, const int exp,
 	if (name == NULL)
 		return (NULL);
 
-	if (!dst_check_algorithm(alg)) { /* make sure alg is available */
+	if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */
 		EREPORT(("dst_generate_key(): Algorithm %d not suppored\n", alg));
 		return (NULL);
 	}
@@ -974,7 +965,7 @@ dst_generate_key(const char *name, const int bits, const int exp,
 	new_key = dst_s_get_key_struct(name, alg, flags, protocol, bits);
 	if (new_key == NULL)
 		return (NULL);
-	if (bits == 0) /* null key we are done */
+	if (bits == 0) /*%< null key we are done */
 		return (new_key);
 	if (new_key->dk_func == NULL || new_key->dk_func->generate == NULL) {
 		EREPORT(("dst_generate_key_pair():Unsupported algorithm %d\n",
@@ -997,12 +988,11 @@ dst_generate_key(const char *name, const int bits, const int exp,
 	return (new_key);
 }
 
-
-/*
- *  dst_free_key
+/*%
  *	Release all data structures pointed to by a key structure.
+ *
  *  Parameters
- *	f_key   Key structure to be freed.
+ *\li	f_key   Key structure to be freed.
  */
 
 DST_KEY *
@@ -1028,13 +1018,14 @@ dst_free_key(DST_KEY *f_key)
 	return (NULL);
 }
 
-/*
- * dst_sig_size
+/*%
  *	Return the maximim size of signature from the key specified in bytes
+ *
  * Parameters
- *      key 
+ *\li      key 
+ *
  * Returns
- *     bytes
+ *  \li   bytes
  */
 int
 dst_sig_size(DST_KEY *key) {
@@ -1052,3 +1043,5 @@ dst_sig_size(DST_KEY *key) {
 		return -1;
 	}
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/dst/dst_internal.h b/contrib/bind9/lib/bind/dst/dst_internal.h
index 928650a..e9bc6fc 100644
--- a/contrib/bind9/lib/bind/dst/dst_internal.h
+++ b/contrib/bind9/lib/bind/dst/dst_internal.h
@@ -29,19 +29,19 @@
 # ifdef POSIX_PATH_MAX
 #  define PATH_MAX POSIX_PATH_MAX
 # else
-#  define PATH_MAX 255 /* this is the value of POSIX_PATH_MAX */
+#  define PATH_MAX 255 /*%< this is the value of POSIX_PATH_MAX */
 # endif
 #endif 
 
 typedef struct dst_key {
-	char	*dk_key_name;   /* name of the key */
-	int	dk_key_size;    /* this is the size of the key in bits */
-	int	dk_proto;       /* what protocols this key can be used for */
-	int	dk_alg;         /* algorithm number from key record */
-	u_int32_t dk_flags;     /* and the flags of the public key */
-	u_int16_t dk_id;        /* identifier of the key */
-	void	*dk_KEY_struct; /* pointer to key in crypto pkg fmt */
-	struct dst_func *dk_func; /* point to cryptto pgk specific function table */
+	char	*dk_key_name;   /*%< name of the key */
+	int	dk_key_size;    /*%< this is the size of the key in bits */
+	int	dk_proto;       /*%< what protocols this key can be used for */
+	int	dk_alg;         /*%< algorithm number from key record */
+	u_int32_t dk_flags;     /*%< and the flags of the public key */
+	u_int16_t dk_id;        /*%< identifier of the key */
+	void	*dk_KEY_struct; /*%< pointer to key in crypto pkg fmt */
+	struct dst_func *dk_func; /*%< point to cryptto pgk specific function table */
 } DST_KEY;
 #define HAS_DST_KEY 
 
@@ -103,7 +103,7 @@ extern const char *key_file_fmt_str;
 extern const char *dst_path;
 
 #ifndef DST_HASH_SIZE
-#define DST_HASH_SIZE 20	/* RIPEMD160 and SHA-1 are 20 bytes MD5 is 16 */
+#define DST_HASH_SIZE 20	/*%< RIPEMD160 and SHA-1 are 20 bytes MD5 is 16 */
 #endif
 
 int dst_bsafe_init(void);
@@ -129,7 +129,7 @@ int       dst_s_build_filename(  char *filename, const char *name,
 
 FILE      *dst_s_fopen (const char *filename, const char *mode, int perm);
 
-/* 
+/*%
  * read and write network byte order into u_int?_t  
  *  all of these should be retired
  */
@@ -152,3 +152,4 @@ dst_s_dump(const int mode, const u_char *data, const int size,
 
 
 #endif /* DST_INTERNAL_H */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/dst/hmac_link.c b/contrib/bind9/lib/bind/dst/hmac_link.c
index 028f02e..d4f0a2a 100644
--- a/contrib/bind9/lib/bind/dst/hmac_link.c
+++ b/contrib/bind9/lib/bind/dst/hmac_link.c
@@ -1,6 +1,6 @@
 #ifdef HMAC_MD5
 #ifndef LINT
-static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_link.c,v 1.2.2.1.4.2 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_link.c,v 1.3.164.3 2006/03/10 00:20:08 marka Exp $";
 #endif
 /*
  * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
@@ -19,7 +19,7 @@ static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_lin
  * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
  */
 
-/* 
+/*%
  * This file contains an implementation of the HMAC-MD5 algorithm.
  */
 #include "port_before.h"
@@ -46,7 +46,7 @@ static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_lin
 #  endif
 # endif
 # ifndef _MD5_H_
-#  define _MD5_H_ 1	/* make sure we do not include rsaref md5.h file */
+#  define _MD5_H_ 1	/*%< make sure we do not include rsaref md5.h file */
 # endif
 #endif
 
@@ -283,10 +283,9 @@ dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
 	if (dkey == NULL || dkey->dk_KEY_struct == NULL) 
 		return (0);
 	if (buff == NULL || buff_len <= (int) strlen(key_file_fmt_str))
-		return (-1);	/* no OR not enough space in output area */
-
+		return (-1);	/*%< no OR not enough space in output area */
 	hkey = (HMAC_Key *) dkey->dk_KEY_struct;
-	memset(buff, 0, buff_len);	/* just in case */
+	memset(buff, 0, buff_len);	/*%< just in case */
 	/* write file header */
 	sprintf(buff, key_file_fmt_str, KEY_FILE_FORMAT, KEY_HMAC_MD5, "HMAC");
 
@@ -360,7 +359,7 @@ dst_hmac_md5_key_from_file_format(DST_KEY *dkey, const char *buff,
 		return (-5);
 	memcpy(tmp, p, len);
 	*(tmp + len) = 0x0;
-	key_len = b64_pton((char *)tmp, key, HMAC_LEN+1);	/* see above */
+	key_len = b64_pton((char *)tmp, key, HMAC_LEN+1);	/*%< see above */
 	SAFE_FREE2(tmp, len + 2);
 
 	if (dst_buffer_to_hmac_md5(dkey, key, key_len) < 0) {
@@ -369,7 +368,7 @@ dst_hmac_md5_key_from_file_format(DST_KEY *dkey, const char *buff,
 	return (0);
 }
 
-/*
+/*%
  * dst_hmac_md5_to_dns_key() 
  *         function to extract hmac key from DST_KEY structure 
  * intput: 
@@ -443,7 +442,7 @@ dst_hmac_md5_generate_key(DST_KEY *key, const int nothing)
 	return (-1);
 }
 
-/*
+/*%
  * dst_hmac_md5_init()  Function to answer set up function pointers for HMAC
  *	   related functions 
  */
@@ -480,3 +479,5 @@ dst_hmac_md5_init(){
 	return (0);
 }
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/dst/md5.h b/contrib/bind9/lib/bind/dst/md5.h
index 6525662..b1ed9e1 100644
--- a/contrib/bind9/lib/bind/dst/md5.h
+++ b/contrib/bind9/lib/bind/dst/md5.h
@@ -104,3 +104,5 @@ unsigned char *MD5();
 #else 
 #include <sys/md5.h>
 #endif /* HAVE_MD5 */
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/dst/md5_dgst.c b/contrib/bind9/lib/bind/dst/md5_dgst.c
index ba0a5a1..76b0505 100644
--- a/contrib/bind9/lib/bind/dst/md5_dgst.c
+++ b/contrib/bind9/lib/bind/dst/md5_dgst.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-#ifdef USE_MD5 /* Added by ogud@tis.com 1998/1/26 */
+#ifdef USE_MD5 /*%< Added by ogud@tis.com 1998/1/26 */
 #include <port_before.h>
 #ifndef HAVE_MD5
 #include <stdio.h>
@@ -65,7 +65,9 @@
 
 const char *MD5_version="MD5 part of SSLeay 0.8.1 19-Jul-1997";
 
-/* Implemented from RFC1321 The MD5 Message-Digest Algorithm
+/*! \file
+ * \brief
+ *  Implemented from RFC1321 The MD5 Message-Digest Algorithm
  */
 
 #define INIT_DATA_A (unsigned long)0x67452301L
@@ -105,7 +107,7 @@ unsigned long len;
 	l=(c->Nl+(len<<3))&0xffffffffL;
 	/* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
 	 * Wei Dai <weidai@eskimo.com> for pointing it out. */
-	if (l < c->Nl) /* overflow */
+	if (l < c->Nl) /*%< overflow */
 		c->Nh++;
 	c->Nh+=(len>>29);
 	c->Nl=l;
@@ -137,7 +139,7 @@ unsigned long len;
 			int ew,ec;
 
 			c->num+=(int)len;
-			if ((sc+len) < 4U) /* ugly, add char's to a word */
+			if ((sc+len) < 4U) /*%< ugly, add char's to a word */
 				{
 				l= p[sw];
 				p_c2l_p(data,l,sc,len);
@@ -196,7 +198,7 @@ unsigned long len;
 	c->num=sc;
 	if (sc)
 		{
-		sw=sc>>2;	/* words to copy */
+		sw=sc>>2;	/*%< words to copy */
 #ifdef L_ENDIAN
 		p[sw]=0;
 		memcpy(p,data,sc);
diff --git a/contrib/bind9/lib/bind/dst/md5_locl.h b/contrib/bind9/lib/bind/dst/md5_locl.h
index ce4c765..657fe8c 100644
--- a/contrib/bind9/lib/bind/dst/md5_locl.h
+++ b/contrib/bind9/lib/bind/dst/md5_locl.h
@@ -147,7 +147,8 @@
 	(a)=ROTATE(l,16L); \
 	}
 #endif
-/*
+
+/*%
 #define	F(x,y,z)	(((x) & (y))  |  ((~(x)) & (z)))
 #define	G(x,y,z)	(((x) & (z))  |  ((y) & (~(z))))
 */
@@ -188,3 +189,5 @@
 	a+=((k)+(t)+I((b),(c),(d))); \
 	a=ROTATE(a,s); \
 	a+=b; };
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/dst/support.c b/contrib/bind9/lib/bind/dst/support.c
index 8fe3cdb..ec228d0 100644
--- a/contrib/bind9/lib/bind/dst/support.c
+++ b/contrib/bind9/lib/bind/dst/support.c
@@ -1,4 +1,4 @@
-static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/support.c,v 1.2.2.1.10.2 2005/10/11 00:48:14 marka Exp $";
+static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/support.c,v 1.3.332.3 2005/10/11 00:25:09 marka Exp $";
 
 
 /*
@@ -34,7 +34,7 @@ static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/support.
 
 #include "port_after.h"
 
-/*
+/*%
  * dst_s_verify_str()
  *     Validate that the input string(*str) is at the head of the input
  *     buffer(**buf).  If so, move the buffer head pointer (*buf) to
@@ -52,20 +52,20 @@ int
 dst_s_verify_str(const char **buf, const char *str)
 {
 	int b, s;
-	if (*buf == NULL)	/* error checks */
+	if (*buf == NULL)	/*%< error checks */
 		return (0);
 	if (str == NULL || *str == '\0')
 		return (1);
 
-	b = strlen(*buf);	/* get length of strings */
+	b = strlen(*buf);	/*%< get length of strings */
 	s = strlen(str);
-	if (s > b || strncmp(*buf, str, s))	/* check if same */
-		return (0);	/* not a match */
-	(*buf) += s;		/* advance pointer */
+	if (s > b || strncmp(*buf, str, s))	/*%< check if same */
+		return (0);	/*%< not a match */
+	(*buf) += s;		/*%< advance pointer */
 	return (1);
 }
 
-/*
+/*%
  * dst_s_calculate_bits
  *     Given a binary number represented in a u_char[], determine
  *     the number of significant bits used.
@@ -89,8 +89,7 @@ dst_s_calculate_bits(const u_char *str, const int max_bits)
 	return (bits);
 }
 
-
-/*
+/*%
  * calculates a checksum used in dst for an id.
  * takes an array of bytes and a length.
  * returns a 16  bit checksum.
@@ -115,7 +114,7 @@ dst_s_id_calc(const u_char *key, const int keysize)
 	return (ac & 0xffff);
 }
 
-/* 
+/*%
  * dst_s_dns_key_id() Function to calculate DNSSEC footprint from KEY record
  *   rdata
  * Input:
@@ -131,7 +130,7 @@ dst_s_dns_key_id(const u_char *dns_key_rdata, const int rdata_len)
 		return 0;
 
 	/* compute id */
-	if (dns_key_rdata[3] == KEY_RSA)	/* Algorithm RSA */
+	if (dns_key_rdata[3] == KEY_RSA)	/*%< Algorithm RSA */
 		return dst_s_get_int16((const u_char *)
 				       &dns_key_rdata[rdata_len - 3]);
 	else if (dns_key_rdata[3] == KEY_HMAC_MD5)
@@ -142,7 +141,7 @@ dst_s_dns_key_id(const u_char *dns_key_rdata, const int rdata_len)
 		return dst_s_id_calc(dns_key_rdata, rdata_len);
 }
 
-/*
+/*%
  * dst_s_get_int16
  *     This routine extracts a 16 bit integer from a two byte character
  *     string.  The character string is assumed to be in network byte
@@ -161,8 +160,7 @@ dst_s_get_int16(const u_char *buf)
 	return (a);
 }
 
-
-/*
+/*%
  * dst_s_get_int32
  *     This routine extracts a 32 bit integer from a four byte character
  *     string.  The character string is assumed to be in network byte
@@ -182,8 +180,7 @@ dst_s_get_int32(const u_char *buf)
 	return (a);
 }
 
-
-/*
+/*%
  * dst_s_put_int16
  *     Take a 16 bit integer and store the value in a two byte
  *     character string.  The integer is assumed to be in network
@@ -201,8 +198,7 @@ dst_s_put_int16(u_int8_t *buf, const u_int16_t val)
 	buf[1] = (u_int8_t)(val);
 }
 
-
-/*
+/*%
  * dst_s_put_int32
  *     Take a 32 bit integer and store the value in a four byte
  *     character string.  The integer is assumed to be in network
@@ -222,13 +218,12 @@ dst_s_put_int32(u_int8_t *buf, const u_int32_t val)
 	buf[3] = (u_int8_t)(val);
 }
 
-
-/*
+/*%
  *  dst_s_filename_length
  *
  *	This function returns the number of bytes needed to hold the
  *	filename for a key file.  '/', '\' and ':' are not allowed.
- *	form:  K<keyname>+<alg>+<id>.<suffix>
+ *	form:  K&lt;keyname&gt;+&lt;alg&gt;+&lt;id&gt;.&lt;suffix&gt;
  *
  *	Returns 0 if the filename would contain either '\', '/' or ':'
  */
@@ -254,13 +249,12 @@ dst_s_filename_length(const char *name, const char *suffix)
 	return (1 + strlen(name) + 6 + strlen(suffix));
 }
 
-
-/*
+/*%
  *  dst_s_build_filename ()
  *	Builds a key filename from the key name, it's id, and a
  *	suffix.  '\', '/' and ':' are not allowed. fA filename is of the
- *	form:  K<keyname><id>.<suffix>
- *	form: K<keyname>+<alg>+<id>.<suffix>
+ *	form:  K&lt;keyname&gt;&lt;id&gt;.&lt;suffix&gt;
+ *	form: K&lt;keyname&gt;+&lt;alg&gt;+&lt;id&gt;.&lt;suffix&gt;
  *
  *	Returns -1 if the conversion fails:
  *	  if the filename would be too long for space allotted
@@ -294,7 +288,7 @@ dst_s_build_filename(char *filename, const char *name, u_int16_t id,
 	return (0);
 }
 
-/*
+/*%
  *  dst_s_fopen ()
  *     Open a file in the dst_path directory.  If perm is specified, the
  *     file is checked for existence first, and not opened if it exists.
@@ -344,3 +338,5 @@ dst_s_dump(const int mode, const u_char *data, const int size,
 #endif
 	}
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/Makefile.in b/contrib/bind9/lib/bind/include/Makefile.in
index a6e5553..d07ea7a 100644
--- a/contrib/bind9/lib/bind/include/Makefile.in
+++ b/contrib/bind9/lib/bind/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3.206.1 2004/03/06 08:13:22 marka Exp $
+# $Id: Makefile.in,v 1.4 2004/03/05 05:05:11 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/contrib/bind9/lib/bind/include/arpa/inet.h b/contrib/bind9/lib/bind/include/arpa/inet.h
index 46caa49..d84987b 100644
--- a/contrib/bind9/lib/bind/include/arpa/inet.h
+++ b/contrib/bind9/lib/bind/include/arpa/inet.h
@@ -53,9 +53,9 @@
  * --Copyright--
  */
 
-/*
+/*%
  *	@(#)inet.h	8.1 (Berkeley) 6/2/93
- *	$Id: inet.h,v 1.1.206.1 2004/03/09 08:33:30 marka Exp $
+ *	$Id: inet.h,v 1.2.18.1 2005/04/27 05:00:50 sra Exp $
  */
 
 #ifndef _INET_H_
@@ -122,3 +122,5 @@ __END_DECLS
 #endif
 
 #endif /* !_INET_H_ */
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/arpa/nameser.h b/contrib/bind9/lib/bind/include/arpa/nameser.h
index 23db498..b3a7849 100644
--- a/contrib/bind9/lib/bind/include/arpa/nameser.h
+++ b/contrib/bind9/lib/bind/include/arpa/nameser.h
@@ -49,12 +49,14 @@
  */
 
 /*
- *	$Id: nameser.h,v 1.2.2.4.4.1 2004/03/09 08:33:30 marka Exp $
+ *	$Id: nameser.h,v 1.7.18.1 2005/04/27 05:00:50 sra Exp $
  */
 
 #ifndef _ARPA_NAMESER_H_
 #define _ARPA_NAMESER_H_
 
+/*! \file */
+
 #define BIND_4_COMPAT
 
 #include <sys/param.h>
@@ -65,7 +67,7 @@
 #endif
 #include <sys/cdefs.h>
 
-/*
+/*%
  * Revision information.  This is the release date in YYYYMMDD format.
  * It can change every day so the right thing to do with it is use it
  * in preprocessor commands such as "#if (__NAMESER > 19931104)".  Do not
@@ -73,43 +75,41 @@
  * contains a new enough lib/nameser/ to support the feature you need.
  */
 
-#define __NAMESER	19991006	/* New interface version stamp. */
-
+#define __NAMESER	19991006	/*%< New interface version stamp. */
 /*
- * Define constants based on RFC 883, RFC 1034, RFC 1035
+ * Define constants based on RFC0883, RFC1034, RFC 1035
  */
-#define NS_PACKETSZ	512	/* default UDP packet size */
-#define NS_MAXDNAME	1025	/* maximum domain name */
-#define NS_MAXMSG	65535	/* maximum message size */
-#define NS_MAXCDNAME	255	/* maximum compressed domain name */
-#define NS_MAXLABEL	63	/* maximum length of domain label */
-#define NS_HFIXEDSZ	12	/* #/bytes of fixed data in header */
-#define NS_QFIXEDSZ	4	/* #/bytes of fixed data in query */
-#define NS_RRFIXEDSZ	10	/* #/bytes of fixed data in r record */
-#define NS_INT32SZ	4	/* #/bytes of data in a u_int32_t */
-#define NS_INT16SZ	2	/* #/bytes of data in a u_int16_t */
-#define NS_INT8SZ	1	/* #/bytes of data in a u_int8_t */
-#define NS_INADDRSZ	4	/* IPv4 T_A */
-#define NS_IN6ADDRSZ	16	/* IPv6 T_AAAA */
-#define NS_CMPRSFLGS	0xc0	/* Flag bits indicating name compression. */
-#define NS_DEFAULTPORT	53	/* For both TCP and UDP. */
-
+#define NS_PACKETSZ	512	/*%< default UDP packet size */
+#define NS_MAXDNAME	1025	/*%< maximum domain name */
+#define NS_MAXMSG	65535	/*%< maximum message size */
+#define NS_MAXCDNAME	255	/*%< maximum compressed domain name */
+#define NS_MAXLABEL	63	/*%< maximum length of domain label */
+#define NS_HFIXEDSZ	12	/*%< #/bytes of fixed data in header */
+#define NS_QFIXEDSZ	4	/*%< #/bytes of fixed data in query */
+#define NS_RRFIXEDSZ	10	/*%< #/bytes of fixed data in r record */
+#define NS_INT32SZ	4	/*%< #/bytes of data in a u_int32_t */
+#define NS_INT16SZ	2	/*%< #/bytes of data in a u_int16_t */
+#define NS_INT8SZ	1	/*%< #/bytes of data in a u_int8_t */
+#define NS_INADDRSZ	4	/*%< IPv4 T_A */
+#define NS_IN6ADDRSZ	16	/*%< IPv6 T_AAAA */
+#define NS_CMPRSFLGS	0xc0	/*%< Flag bits indicating name compression. */
+#define NS_DEFAULTPORT	53	/*%< For both TCP and UDP. */
 /*
  * These can be expanded with synonyms, just keep ns_parse.c:ns_parserecord()
  * in synch with it.
  */
 typedef enum __ns_sect {
-	ns_s_qd = 0,		/* Query: Question. */
-	ns_s_zn = 0,		/* Update: Zone. */
-	ns_s_an = 1,		/* Query: Answer. */
-	ns_s_pr = 1,		/* Update: Prerequisites. */
-	ns_s_ns = 2,		/* Query: Name servers. */
-	ns_s_ud = 2,		/* Update: Update. */
-	ns_s_ar = 3,		/* Query|Update: Additional records. */
+	ns_s_qd = 0,		/*%< Query: Question. */
+	ns_s_zn = 0,		/*%< Update: Zone. */
+	ns_s_an = 1,		/*%< Query: Answer. */
+	ns_s_pr = 1,		/*%< Update: Prerequisites. */
+	ns_s_ns = 2,		/*%< Query: Name servers. */
+	ns_s_ud = 2,		/*%< Update: Update. */
+	ns_s_ar = 3,		/*%< Query|Update: Additional records. */
 	ns_s_max = 4
 } ns_sect;
 
-/*
+/*%
  * This is a message handle.  It is caller allocated and has no dynamic data.
  * This structure is intended to be opaque to all but ns_parse.c, thus the
  * leading _'s on the member names.  Use the accessor functions, not the _'s.
@@ -135,7 +135,7 @@ extern struct _ns_flagdata _ns_flagdata[];
 #define ns_msg_size(handle) ((handle)._eom - (handle)._msg)
 #define ns_msg_count(handle, section) ((handle)._counts[section] + 0)
 
-/*
+/*%
  * This is a parsed record.  It is caller allocated and has no dynamic data.
  */
 typedef	struct __ns_rr {
@@ -155,54 +155,54 @@ typedef	struct __ns_rr {
 #define ns_rr_rdlen(rr)	((rr).rdlength + 0)
 #define ns_rr_rdata(rr)	((rr).rdata + 0)
 
-/*
+/*%
  * These don't have to be in the same order as in the packet flags word,
  * and they can even overlap in some cases, but they will need to be kept
  * in synch with ns_parse.c:ns_flagdata[].
  */
 typedef enum __ns_flag {
-	ns_f_qr,		/* Question/Response. */
-	ns_f_opcode,		/* Operation code. */
-	ns_f_aa,		/* Authoritative Answer. */
-	ns_f_tc,		/* Truncation occurred. */
-	ns_f_rd,		/* Recursion Desired. */
-	ns_f_ra,		/* Recursion Available. */
-	ns_f_z,			/* MBZ. */
-	ns_f_ad,		/* Authentic Data (DNSSEC). */
-	ns_f_cd,		/* Checking Disabled (DNSSEC). */
-	ns_f_rcode,		/* Response code. */
+	ns_f_qr,		/*%< Question/Response. */
+	ns_f_opcode,		/*%< Operation code. */
+	ns_f_aa,		/*%< Authoritative Answer. */
+	ns_f_tc,		/*%< Truncation occurred. */
+	ns_f_rd,		/*%< Recursion Desired. */
+	ns_f_ra,		/*%< Recursion Available. */
+	ns_f_z,			/*%< MBZ. */
+	ns_f_ad,		/*%< Authentic Data (DNSSEC). */
+	ns_f_cd,		/*%< Checking Disabled (DNSSEC). */
+	ns_f_rcode,		/*%< Response code. */
 	ns_f_max
 } ns_flag;
 
-/*
+/*%
  * Currently defined opcodes.
  */
 typedef enum __ns_opcode {
-	ns_o_query = 0,		/* Standard query. */
-	ns_o_iquery = 1,	/* Inverse query (deprecated/unsupported). */
-	ns_o_status = 2,	/* Name server status query (unsupported). */
+	ns_o_query = 0,		/*%< Standard query. */
+	ns_o_iquery = 1,	/*%< Inverse query (deprecated/unsupported). */
+	ns_o_status = 2,	/*%< Name server status query (unsupported). */
 				/* Opcode 3 is undefined/reserved. */
-	ns_o_notify = 4,	/* Zone change notification. */
-	ns_o_update = 5,	/* Zone update message. */
+	ns_o_notify = 4,	/*%< Zone change notification. */
+	ns_o_update = 5,	/*%< Zone update message. */
 	ns_o_max = 6
 } ns_opcode;
 
-/*
+/*%
  * Currently defined response codes.
  */
 typedef	enum __ns_rcode {
-	ns_r_noerror = 0,	/* No error occurred. */
-	ns_r_formerr = 1,	/* Format error. */
-	ns_r_servfail = 2,	/* Server failure. */
-	ns_r_nxdomain = 3,	/* Name error. */
-	ns_r_notimpl = 4,	/* Unimplemented. */
-	ns_r_refused = 5,	/* Operation refused. */
+	ns_r_noerror = 0,	/*%< No error occurred. */
+	ns_r_formerr = 1,	/*%< Format error. */
+	ns_r_servfail = 2,	/*%< Server failure. */
+	ns_r_nxdomain = 3,	/*%< Name error. */
+	ns_r_notimpl = 4,	/*%< Unimplemented. */
+	ns_r_refused = 5,	/*%< Operation refused. */
 	/* these are for BIND_UPDATE */
-	ns_r_yxdomain = 6,	/* Name exists */
-	ns_r_yxrrset = 7,	/* RRset exists */
-	ns_r_nxrrset = 8,	/* RRset does not exist */
-	ns_r_notauth = 9,	/* Not authoritative for zone */
-	ns_r_notzone = 10,	/* Zone of record different from zone section */
+	ns_r_yxdomain = 6,	/*%< Name exists */
+	ns_r_yxrrset = 7,	/*%< RRset exists */
+	ns_r_nxrrset = 8,	/*%< RRset does not exist */
+	ns_r_notauth = 9,	/*%< Not authoritative for zone */
+	ns_r_notzone = 10,	/*%< Zone of record different from zone section */
 	ns_r_max = 11,
 	/* The following are EDNS extended rcodes */
 	ns_r_badvers = 16,
@@ -219,7 +219,7 @@ typedef enum __ns_update_operation {
 	ns_uop_max = 2
 } ns_update_operation;
 
-/*
+/*%
  * This structure is used for TSIG authenticated messages
  */
 struct ns_tsig_key {
@@ -229,7 +229,7 @@ struct ns_tsig_key {
 };
 typedef struct ns_tsig_key ns_tsig_key;
 
-/*
+/*%
  * This structure is used for TSIG authenticated TCP messages
  */
 struct ns_tcp_tsig_state {
@@ -249,61 +249,61 @@ typedef struct ns_tcp_tsig_state ns_tcp_tsig_state;
 #define NS_TSIG_ERROR_NO_SPACE -11
 #define NS_TSIG_ERROR_FORMERR -12
 
-/*
+/*%
  * Currently defined type values for resources and queries.
  */
 typedef enum __ns_type {
-	ns_t_invalid = 0,	/* Cookie. */
-	ns_t_a = 1,		/* Host address. */
-	ns_t_ns = 2,		/* Authoritative server. */
-	ns_t_md = 3,		/* Mail destination. */
-	ns_t_mf = 4,		/* Mail forwarder. */
-	ns_t_cname = 5,		/* Canonical name. */
-	ns_t_soa = 6,		/* Start of authority zone. */
-	ns_t_mb = 7,		/* Mailbox domain name. */
-	ns_t_mg = 8,		/* Mail group member. */
-	ns_t_mr = 9,		/* Mail rename name. */
-	ns_t_null = 10,		/* Null resource record. */
-	ns_t_wks = 11,		/* Well known service. */
-	ns_t_ptr = 12,		/* Domain name pointer. */
-	ns_t_hinfo = 13,	/* Host information. */
-	ns_t_minfo = 14,	/* Mailbox information. */
-	ns_t_mx = 15,		/* Mail routing information. */
-	ns_t_txt = 16,		/* Text strings. */
-	ns_t_rp = 17,		/* Responsible person. */
-	ns_t_afsdb = 18,	/* AFS cell database. */
-	ns_t_x25 = 19,		/* X_25 calling address. */
-	ns_t_isdn = 20,		/* ISDN calling address. */
-	ns_t_rt = 21,		/* Router. */
-	ns_t_nsap = 22,		/* NSAP address. */
-	ns_t_nsap_ptr = 23,	/* Reverse NSAP lookup (deprecated). */
-	ns_t_sig = 24,		/* Security signature. */
-	ns_t_key = 25,		/* Security key. */
-	ns_t_px = 26,		/* X.400 mail mapping. */
-	ns_t_gpos = 27,		/* Geographical position (withdrawn). */
-	ns_t_aaaa = 28,		/* Ip6 Address. */
-	ns_t_loc = 29,		/* Location Information. */
-	ns_t_nxt = 30,		/* Next domain (security). */
-	ns_t_eid = 31,		/* Endpoint identifier. */
-	ns_t_nimloc = 32,	/* Nimrod Locator. */
-	ns_t_srv = 33,		/* Server Selection. */
-	ns_t_atma = 34,		/* ATM Address */
-	ns_t_naptr = 35,	/* Naming Authority PoinTeR */
-	ns_t_kx = 36,		/* Key Exchange */
-	ns_t_cert = 37,		/* Certification record */
-	ns_t_a6 = 38,		/* IPv6 address (deprecates AAAA) */
-	ns_t_dname = 39,	/* Non-terminal DNAME (for IPv6) */
-	ns_t_sink = 40,		/* Kitchen sink (experimentatl) */
-	ns_t_opt = 41,		/* EDNS0 option (meta-RR) */
-	ns_t_apl = 42,		/* Address prefix list (RFC 3123) */
-	ns_t_tkey = 249,	/* Transaction key */
-	ns_t_tsig = 250,	/* Transaction signature. */
-	ns_t_ixfr = 251,	/* Incremental zone transfer. */
-	ns_t_axfr = 252,	/* Transfer zone of authority. */
-	ns_t_mailb = 253,	/* Transfer mailbox records. */
-	ns_t_maila = 254,	/* Transfer mail agent records. */
-	ns_t_any = 255,		/* Wildcard match. */
-	ns_t_zxfr = 256,	/* BIND-specific, nonstandard. */
+	ns_t_invalid = 0,	/*%< Cookie. */
+	ns_t_a = 1,		/*%< Host address. */
+	ns_t_ns = 2,		/*%< Authoritative server. */
+	ns_t_md = 3,		/*%< Mail destination. */
+	ns_t_mf = 4,		/*%< Mail forwarder. */
+	ns_t_cname = 5,		/*%< Canonical name. */
+	ns_t_soa = 6,		/*%< Start of authority zone. */
+	ns_t_mb = 7,		/*%< Mailbox domain name. */
+	ns_t_mg = 8,		/*%< Mail group member. */
+	ns_t_mr = 9,		/*%< Mail rename name. */
+	ns_t_null = 10,		/*%< Null resource record. */
+	ns_t_wks = 11,		/*%< Well known service. */
+	ns_t_ptr = 12,		/*%< Domain name pointer. */
+	ns_t_hinfo = 13,	/*%< Host information. */
+	ns_t_minfo = 14,	/*%< Mailbox information. */
+	ns_t_mx = 15,		/*%< Mail routing information. */
+	ns_t_txt = 16,		/*%< Text strings. */
+	ns_t_rp = 17,		/*%< Responsible person. */
+	ns_t_afsdb = 18,	/*%< AFS cell database. */
+	ns_t_x25 = 19,		/*%< X_25 calling address. */
+	ns_t_isdn = 20,		/*%< ISDN calling address. */
+	ns_t_rt = 21,		/*%< Router. */
+	ns_t_nsap = 22,		/*%< NSAP address. */
+	ns_t_nsap_ptr = 23,	/*%< Reverse NSAP lookup (deprecated). */
+	ns_t_sig = 24,		/*%< Security signature. */
+	ns_t_key = 25,		/*%< Security key. */
+	ns_t_px = 26,		/*%< X.400 mail mapping. */
+	ns_t_gpos = 27,		/*%< Geographical position (withdrawn). */
+	ns_t_aaaa = 28,		/*%< Ip6 Address. */
+	ns_t_loc = 29,		/*%< Location Information. */
+	ns_t_nxt = 30,		/*%< Next domain (security). */
+	ns_t_eid = 31,		/*%< Endpoint identifier. */
+	ns_t_nimloc = 32,	/*%< Nimrod Locator. */
+	ns_t_srv = 33,		/*%< Server Selection. */
+	ns_t_atma = 34,		/*%< ATM Address */
+	ns_t_naptr = 35,	/*%< Naming Authority PoinTeR */
+	ns_t_kx = 36,		/*%< Key Exchange */
+	ns_t_cert = 37,		/*%< Certification record */
+	ns_t_a6 = 38,		/*%< IPv6 address (deprecates AAAA) */
+	ns_t_dname = 39,	/*%< Non-terminal DNAME (for IPv6) */
+	ns_t_sink = 40,		/*%< Kitchen sink (experimentatl) */
+	ns_t_opt = 41,		/*%< EDNS0 option (meta-RR) */
+	ns_t_apl = 42,		/*%< Address prefix list (RFC3123) */
+	ns_t_tkey = 249,	/*%< Transaction key */
+	ns_t_tsig = 250,	/*%< Transaction signature. */
+	ns_t_ixfr = 251,	/*%< Incremental zone transfer. */
+	ns_t_axfr = 252,	/*%< Transfer zone of authority. */
+	ns_t_mailb = 253,	/*%< Transfer mailbox records. */
+	ns_t_maila = 254,	/*%< Transfer mail agent records. */
+	ns_t_any = 255,		/*%< Wildcard match. */
+	ns_t_zxfr = 256,	/*%< BIND-specific, nonstandard. */
 	ns_t_max = 65536
 } ns_type;
 
@@ -318,61 +318,61 @@ typedef enum __ns_type {
 #define ns_t_xfr_p(t) ((t) == ns_t_axfr || (t) == ns_t_ixfr || \
 		       (t) == ns_t_zxfr)
 
-/*
+/*%
  * Values for class field
  */
 typedef enum __ns_class {
-	ns_c_invalid = 0,	/* Cookie. */
-	ns_c_in = 1,		/* Internet. */
-	ns_c_2 = 2,		/* unallocated/unsupported. */
-	ns_c_chaos = 3,		/* MIT Chaos-net. */
-	ns_c_hs = 4,		/* MIT Hesiod. */
+	ns_c_invalid = 0,	/*%< Cookie. */
+	ns_c_in = 1,		/*%< Internet. */
+	ns_c_2 = 2,		/*%< unallocated/unsupported. */
+	ns_c_chaos = 3,		/*%< MIT Chaos-net. */
+	ns_c_hs = 4,		/*%< MIT Hesiod. */
 	/* Query class values which do not appear in resource records */
-	ns_c_none = 254,	/* for prereq. sections in update requests */
-	ns_c_any = 255,		/* Wildcard match. */
+	ns_c_none = 254,	/*%< for prereq. sections in update requests */
+	ns_c_any = 255,		/*%< Wildcard match. */
 	ns_c_max = 65536
 } ns_class;
 
 /* DNSSEC constants. */
 
 typedef enum __ns_key_types {
-	ns_kt_rsa = 1,		/* key type RSA/MD5 */
-	ns_kt_dh  = 2,		/* Diffie Hellman */
-	ns_kt_dsa = 3,		/* Digital Signature Standard (MANDATORY) */
-	ns_kt_private = 254	/* Private key type starts with OID */
+	ns_kt_rsa = 1,		/*%< key type RSA/MD5 */
+	ns_kt_dh  = 2,		/*%< Diffie Hellman */
+	ns_kt_dsa = 3,		/*%< Digital Signature Standard (MANDATORY) */
+	ns_kt_private = 254	/*%< Private key type starts with OID */
 } ns_key_types;
 
 typedef enum __ns_cert_types {
-	cert_t_pkix = 1,	/* PKIX (X.509v3) */
-	cert_t_spki = 2,	/* SPKI */
-	cert_t_pgp  = 3,	/* PGP */
-	cert_t_url  = 253,	/* URL private type */
-	cert_t_oid  = 254	/* OID private type */
+	cert_t_pkix = 1,	/*%< PKIX (X.509v3) */
+	cert_t_spki = 2,	/*%< SPKI */
+	cert_t_pgp  = 3,	/*%< PGP */
+	cert_t_url  = 253,	/*%< URL private type */
+	cert_t_oid  = 254	/*%< OID private type */
 } ns_cert_types;
 
 /* Flags field of the KEY RR rdata. */
-#define	NS_KEY_TYPEMASK		0xC000	/* Mask for "type" bits */
-#define	NS_KEY_TYPE_AUTH_CONF	0x0000	/* Key usable for both */
-#define	NS_KEY_TYPE_CONF_ONLY	0x8000	/* Key usable for confidentiality */
-#define	NS_KEY_TYPE_AUTH_ONLY	0x4000	/* Key usable for authentication */
-#define	NS_KEY_TYPE_NO_KEY	0xC000	/* No key usable for either; no key */
+#define	NS_KEY_TYPEMASK		0xC000	/*%< Mask for "type" bits */
+#define	NS_KEY_TYPE_AUTH_CONF	0x0000	/*%< Key usable for both */
+#define	NS_KEY_TYPE_CONF_ONLY	0x8000	/*%< Key usable for confidentiality */
+#define	NS_KEY_TYPE_AUTH_ONLY	0x4000	/*%< Key usable for authentication */
+#define	NS_KEY_TYPE_NO_KEY	0xC000	/*%< No key usable for either; no key */
 /* The type bits can also be interpreted independently, as single bits: */
-#define	NS_KEY_NO_AUTH		0x8000	/* Key unusable for authentication */
-#define	NS_KEY_NO_CONF		0x4000	/* Key unusable for confidentiality */
+#define	NS_KEY_NO_AUTH		0x8000	/*%< Key unusable for authentication */
+#define	NS_KEY_NO_CONF		0x4000	/*%< Key unusable for confidentiality */
 #define	NS_KEY_RESERVED2	0x2000	/* Security is *mandatory* if bit=0 */
-#define	NS_KEY_EXTENDED_FLAGS	0x1000	/* reserved - must be zero */
-#define	NS_KEY_RESERVED4	0x0800  /* reserved - must be zero */
-#define	NS_KEY_RESERVED5	0x0400  /* reserved - must be zero */
-#define	NS_KEY_NAME_TYPE	0x0300	/* these bits determine the type */
-#define	NS_KEY_NAME_USER	0x0000	/* key is assoc. with user */
-#define	NS_KEY_NAME_ENTITY	0x0200	/* key is assoc. with entity eg host */
-#define	NS_KEY_NAME_ZONE	0x0100	/* key is zone key */
-#define	NS_KEY_NAME_RESERVED	0x0300	/* reserved meaning */
-#define	NS_KEY_RESERVED8	0x0080  /* reserved - must be zero */
-#define	NS_KEY_RESERVED9	0x0040  /* reserved - must be zero */
-#define	NS_KEY_RESERVED10	0x0020  /* reserved - must be zero */
-#define	NS_KEY_RESERVED11	0x0010  /* reserved - must be zero */
-#define	NS_KEY_SIGNATORYMASK	0x000F	/* key can sign RR's of same name */
+#define	NS_KEY_EXTENDED_FLAGS	0x1000	/*%< reserved - must be zero */
+#define	NS_KEY_RESERVED4	0x0800  /*%< reserved - must be zero */
+#define	NS_KEY_RESERVED5	0x0400  /*%< reserved - must be zero */
+#define	NS_KEY_NAME_TYPE	0x0300	/*%< these bits determine the type */
+#define	NS_KEY_NAME_USER	0x0000	/*%< key is assoc. with user */
+#define	NS_KEY_NAME_ENTITY	0x0200	/*%< key is assoc. with entity eg host */
+#define	NS_KEY_NAME_ZONE	0x0100	/*%< key is zone key */
+#define	NS_KEY_NAME_RESERVED	0x0300	/*%< reserved meaning */
+#define	NS_KEY_RESERVED8	0x0080  /*%< reserved - must be zero */
+#define	NS_KEY_RESERVED9	0x0040  /*%< reserved - must be zero */
+#define	NS_KEY_RESERVED10	0x0020  /*%< reserved - must be zero */
+#define	NS_KEY_RESERVED11	0x0010  /*%< reserved - must be zero */
+#define	NS_KEY_SIGNATORYMASK	0x000F	/*%< key can sign RR's of same name */
 #define	NS_KEY_RESERVED_BITMASK ( NS_KEY_RESERVED2 | \
 				  NS_KEY_RESERVED4 | \
 				  NS_KEY_RESERVED5 | \
@@ -380,16 +380,14 @@ typedef enum __ns_cert_types {
 				  NS_KEY_RESERVED9 | \
 				  NS_KEY_RESERVED10 | \
 				  NS_KEY_RESERVED11 )
-#define NS_KEY_RESERVED_BITMASK2 0xFFFF /* no bits defined here */
-
+#define NS_KEY_RESERVED_BITMASK2 0xFFFF /*%< no bits defined here */
 /* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
-#define	NS_ALG_MD5RSA		1	/* MD5 with RSA */
-#define	NS_ALG_DH               2	/* Diffie Hellman KEY */
-#define	NS_ALG_DSA              3	/* DSA KEY */
+#define	NS_ALG_MD5RSA		1	/*%< MD5 with RSA */
+#define	NS_ALG_DH               2	/*%< Diffie Hellman KEY */
+#define	NS_ALG_DSA              3	/*%< DSA KEY */
 #define	NS_ALG_DSS              NS_ALG_DSA
-#define	NS_ALG_EXPIRE_ONLY	253	/* No alg, no security */
-#define	NS_ALG_PRIVATE_OID	254	/* Key begins with OID giving alg */
-
+#define	NS_ALG_EXPIRE_ONLY	253	/*%< No alg, no security */
+#define	NS_ALG_PRIVATE_OID	254	/*%< Key begins with OID giving alg */
 /* Protocol values  */
 /* value 0 is reserved */
 #define NS_KEY_PROT_TLS         1
@@ -399,7 +397,7 @@ typedef enum __ns_cert_types {
 #define NS_KEY_PROT_ANY		255
 
 /* Signatures */
-#define	NS_MD5RSA_MIN_BITS	 512	/* Size of a mod or exp in bits */
+#define	NS_MD5RSA_MIN_BITS	 512	/*%< Size of a mod or exp in bits */
 #define	NS_MD5RSA_MAX_BITS	4096
 	/* Total of binary mod and exp */
 #define	NS_MD5RSA_MAX_BYTES	((NS_MD5RSA_MAX_BITS+7/8)*2+3)
@@ -413,15 +411,14 @@ typedef enum __ns_cert_types {
 #define NS_DSA_MAX_BYTES        405
 
 /* Offsets into SIG record rdata to find various values */
-#define	NS_SIG_TYPE	0	/* Type flags */
-#define	NS_SIG_ALG	2	/* Algorithm */
-#define	NS_SIG_LABELS	3	/* How many labels in name */
-#define	NS_SIG_OTTL	4	/* Original TTL */
-#define	NS_SIG_EXPIR	8	/* Expiration time */
-#define	NS_SIG_SIGNED	12	/* Signature time */
-#define	NS_SIG_FOOT	16	/* Key footprint */
-#define	NS_SIG_SIGNER	18	/* Domain name of who signed it */
-
+#define	NS_SIG_TYPE	0	/*%< Type flags */
+#define	NS_SIG_ALG	2	/*%< Algorithm */
+#define	NS_SIG_LABELS	3	/*%< How many labels in name */
+#define	NS_SIG_OTTL	4	/*%< Original TTL */
+#define	NS_SIG_EXPIR	8	/*%< Expiration time */
+#define	NS_SIG_SIGNED	12	/*%< Signature time */
+#define	NS_SIG_FOOT	16	/*%< Key footprint */
+#define	NS_SIG_SIGNER	18	/*%< Domain name of who signed it */
 /* How RR types are represented as bit-flags in NXT records */
 #define	NS_NXT_BITS 8
 #define	NS_NXT_BIT_SET(  n,p) (p[(n)/NS_NXT_BITS] |=  (0x80>>((n)%NS_NXT_BITS)))
@@ -429,12 +426,12 @@ typedef enum __ns_cert_types {
 #define	NS_NXT_BIT_ISSET(n,p) (p[(n)/NS_NXT_BITS] &   (0x80>>((n)%NS_NXT_BITS)))
 #define NS_NXT_MAX 127
 
-/*
+/*%
  * EDNS0 extended flags, host order.
  */
 #define NS_OPT_DNSSEC_OK	0x8000U
 
-/*
+/*%
  * Inline versions of get/put short/long.  Pointer is advanced.
  */
 #define NS_GET16(s, cp) do { \
@@ -473,7 +470,7 @@ typedef enum __ns_cert_types {
 	(cp) += NS_INT32SZ; \
 } while (0)
 
-/*
+/*%
  * ANSI C identifier hiding for bind's lib/nameser.
  */
 #define	ns_msg_getflag		__ns_msg_getflag
@@ -574,3 +571,4 @@ __END_DECLS
 #endif
 
 #endif /* !_ARPA_NAMESER_H_ */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/arpa/nameser_compat.h b/contrib/bind9/lib/bind/include/arpa/nameser_compat.h
index 4460261..3713293 100644
--- a/contrib/bind9/lib/bind/include/arpa/nameser_compat.h
+++ b/contrib/bind9/lib/bind/include/arpa/nameser_compat.h
@@ -30,16 +30,15 @@
  * SUCH DAMAGE.
  */
 
-/*
+/*%
  *      from nameser.h	8.1 (Berkeley) 6/2/93
- *	$Id: nameser_compat.h,v 1.1.2.3.4.3 2006/05/19 02:38:15 marka Exp $
+ *	$Id: nameser_compat.h,v 1.5.18.3 2006/05/19 02:36:00 marka Exp $
  */
 
 #ifndef _ARPA_NAMESER_COMPAT_
 #define	_ARPA_NAMESER_COMPAT_
 
-#define	__BIND		19950621	/* (DEAD) interface version stamp. */
-
+#define	__BIND		19950621	/*%< (DEAD) interface version stamp. */
 #ifndef BYTE_ORDER
 #if (BSD >= 199103)
 # include <machine/endian.h>
@@ -47,10 +46,9 @@
 #ifdef __linux
 # include <endian.h>
 #else
-#define	LITTLE_ENDIAN	1234	/* least-significant byte first (vax, pc) */
-#define	BIG_ENDIAN	4321	/* most-significant byte first (IBM, net) */
-#define	PDP_ENDIAN	3412	/* LSB first in word, MSW first in long (pdp)*/
-
+#define	LITTLE_ENDIAN	1234	/*%< least-significant byte first (vax, pc) */
+#define	BIG_ENDIAN	4321	/*%< most-significant byte first (IBM, net) */
+#define	PDP_ENDIAN	3412	/*%< LSB first in word, MSW first in long (pdp) */
 #if defined(vax) || defined(ns32000) || defined(sun386) || defined(i386) || \
     defined(__i386__) || defined(__i386) || defined(__amd64__) || \
     defined(__x86_64__) || defined(MIPSEL) || defined(_MIPSEL) || \
@@ -86,7 +84,7 @@
   error "Undefined or invalid BYTE_ORDER";
 #endif
 
-/*
+/*%
  * Structure for query header.  The order of the fields is machine- and
  * compiler-dependent, depending on the byte/bit order and the layout
  * of bit fields.  We use bit fields only in int variables, as this
@@ -94,40 +92,40 @@
  */
 
 typedef struct {
-	unsigned	id :16;		/* query identification number */
+	unsigned	id :16;		/*%< query identification number */
 #if BYTE_ORDER == BIG_ENDIAN
 			/* fields in third byte */
-	unsigned	qr: 1;		/* response flag */
-	unsigned	opcode: 4;	/* purpose of message */
-	unsigned	aa: 1;		/* authoritive answer */
-	unsigned	tc: 1;		/* truncated message */
-	unsigned	rd: 1;		/* recursion desired */
+	unsigned	qr: 1;		/*%< response flag */
+	unsigned	opcode: 4;	/*%< purpose of message */
+	unsigned	aa: 1;		/*%< authoritive answer */
+	unsigned	tc: 1;		/*%< truncated message */
+	unsigned	rd: 1;		/*%< recursion desired */
 			/* fields in fourth byte */
-	unsigned	ra: 1;		/* recursion available */
-	unsigned	unused :1;	/* unused bits (MBZ as of 4.9.3a3) */
-	unsigned	ad: 1;		/* authentic data from named */
-	unsigned	cd: 1;		/* checking disabled by resolver */
-	unsigned	rcode :4;	/* response code */
+	unsigned	ra: 1;		/*%< recursion available */
+	unsigned	unused :1;	/*%< unused bits (MBZ as of 4.9.3a3) */
+	unsigned	ad: 1;		/*%< authentic data from named */
+	unsigned	cd: 1;		/*%< checking disabled by resolver */
+	unsigned	rcode :4;	/*%< response code */
 #endif
 #if BYTE_ORDER == LITTLE_ENDIAN || BYTE_ORDER == PDP_ENDIAN
 			/* fields in third byte */
-	unsigned	rd :1;		/* recursion desired */
-	unsigned	tc :1;		/* truncated message */
-	unsigned	aa :1;		/* authoritive answer */
-	unsigned	opcode :4;	/* purpose of message */
-	unsigned	qr :1;		/* response flag */
+	unsigned	rd :1;		/*%< recursion desired */
+	unsigned	tc :1;		/*%< truncated message */
+	unsigned	aa :1;		/*%< authoritive answer */
+	unsigned	opcode :4;	/*%< purpose of message */
+	unsigned	qr :1;		/*%< response flag */
 			/* fields in fourth byte */
-	unsigned	rcode :4;	/* response code */
-	unsigned	cd: 1;		/* checking disabled by resolver */
-	unsigned	ad: 1;		/* authentic data from named */
-	unsigned	unused :1;	/* unused bits (MBZ as of 4.9.3a3) */
-	unsigned	ra :1;		/* recursion available */
+	unsigned	rcode :4;	/*%< response code */
+	unsigned	cd: 1;		/*%< checking disabled by resolver */
+	unsigned	ad: 1;		/*%< authentic data from named */
+	unsigned	unused :1;	/*%< unused bits (MBZ as of 4.9.3a3) */
+	unsigned	ra :1;		/*%< recursion available */
 #endif
 			/* remaining bytes */
-	unsigned	qdcount :16;	/* number of question entries */
-	unsigned	ancount :16;	/* number of answer entries */
-	unsigned	nscount :16;	/* number of authority entries */
-	unsigned	arcount :16;	/* number of resource entries */
+	unsigned	qdcount :16;	/*%< number of question entries */
+	unsigned	ancount :16;	/*%< number of answer entries */
+	unsigned	nscount :16;	/*%< number of authority entries */
+	unsigned	arcount :16;	/*%< number of resource entries */
 } HEADER;
 
 #define PACKETSZ	NS_PACKETSZ
@@ -231,3 +229,4 @@ typedef struct {
 #define	PUTLONG			NS_PUT32
 
 #endif /* _ARPA_NAMESER_COMPAT_ */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/fd_setsize.h b/contrib/bind9/lib/bind/include/fd_setsize.h
index 235b1ad..0e21049 100644
--- a/contrib/bind9/lib/bind/include/fd_setsize.h
+++ b/contrib/bind9/lib/bind/include/fd_setsize.h
@@ -1,9 +1,10 @@
 #ifndef _FD_SETSIZE_H
 #define _FD_SETSIZE_H
 
-/*
+/*%
  * If you need a bigger FD_SETSIZE, this is NOT the place to set it.
  * This file is a fallback for BIND ports which don't specify their own.
  */
 
 #endif /* _FD_SETSIZE_H */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/hesiod.h b/contrib/bind9/lib/bind/include/hesiod.h
index 7165d48..30c08d0 100644
--- a/contrib/bind9/lib/bind/include/hesiod.h
+++ b/contrib/bind9/lib/bind/include/hesiod.h
@@ -15,12 +15,13 @@
  * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/*
+/*! \file 
+ * \brief
  * This file is primarily maintained by <tytso@mit.edu> and <ghudson@mit.edu>.
  */
 
 /*
- * $Id: hesiod.h,v 1.1.2.1.4.1 2004/03/09 08:33:29 marka Exp $
+ * $Id: hesiod.h,v 1.3.18.1 2005/04/27 05:00:49 sra Exp $
  */
 
 #ifndef _HESIOD_H_INCLUDED
diff --git a/contrib/bind9/lib/bind/include/irp.h b/contrib/bind9/lib/bind/include/irp.h
index 4462f20..21d8f48 100644
--- a/contrib/bind9/lib/bind/include/irp.h
+++ b/contrib/bind9/lib/bind/include/irp.h
@@ -16,16 +16,18 @@
  */
 
 /*
- * $Id: irp.h,v 1.1.2.1.4.1 2004/03/09 08:33:29 marka Exp $
+ * $Id: irp.h,v 1.3.18.1 2005/04/27 05:00:49 sra Exp $
  */
 
 #ifndef _IRP_H_INCLUDED
 #define _IRP_H_INCLUDED
 
-#define IRPD_TIMEOUT 30			/* seconds */
-#define IRPD_MAXSESS 50			/* number of simultaneous sessions. */
-#define IRPD_PORT 6660			/* 10 times the number of the beast. */
-#define IRPD_PATH "/var/run/irpd"	/* af_unix socket path */
+/*! \file */
+
+#define IRPD_TIMEOUT 30			/*%< seconds */
+#define IRPD_MAXSESS 50			/*%< number of simultaneous sessions. */
+#define IRPD_PORT 6660			/*%< 10 times the number of the beast. */
+#define IRPD_PATH "/var/run/irpd"	/*%< af_unix socket path */
 
 /* If sets the environment variable IRPDSERVER to an IP address
    (e.g. "192.5.5.1"), then that's the host the client expects irpd to be
@@ -101,3 +103,5 @@ int	irs_irp_get_full_response(struct irp_p *, int *, char *, size_t,
 int	irs_irp_read_line(struct irp_p *, char *, int);
 
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/irs.h b/contrib/bind9/lib/bind/include/irs.h
index a3b7903..582ba5b 100644
--- a/contrib/bind9/lib/bind/include/irs.h
+++ b/contrib/bind9/lib/bind/include/irs.h
@@ -16,12 +16,14 @@
  */
 
 /*
- * $Id: irs.h,v 1.2.2.1.4.1 2004/03/09 08:33:29 marka Exp $
+ * $Id: irs.h,v 1.4.18.1 2005/04/27 05:00:49 sra Exp $
  */
 
 #ifndef _IRS_H_INCLUDED
 #define _IRS_H_INCLUDED
 
+/*! \file */
+
 #include <sys/types.h>
 
 #include <arpa/nameser.h>
@@ -31,7 +33,7 @@
 #include <resolv.h>
 #include <pwd.h>
 
-/*
+/*%
  * This is the group map class.
  */
 struct irs_gr {
@@ -49,7 +51,7 @@ struct irs_gr {
 					void (*)(void *)));
 };
 
-/*
+/*%
  * This is the password map class.
  */
 struct irs_pw {
@@ -65,7 +67,7 @@ struct irs_pw {
 					void (*)(void *)));
 };
 
-/*
+/*%
  * This is the service map class.
  */
 struct irs_sv {
@@ -82,7 +84,7 @@ struct irs_sv {
 					void (*)(void *)));
 };
 
-/*
+/*%
  * This is the protocols map class.
  */
 struct irs_pr {
@@ -98,7 +100,7 @@ struct irs_pr {
 					void (*)(void *)));
 };
 
-/*
+/*%
  * This is the hosts map class.
  */
 struct irs_ho {
@@ -118,7 +120,7 @@ struct irs_ho {
 					  const struct addrinfo *));
 };
 
-/*
+/*%
  * This is the networks map class.
  */
 struct irs_nw {
@@ -134,7 +136,7 @@ struct irs_nw {
 					void (*)(void *)));
 };
 
-/*
+/*%
  * This is the netgroups map class.
  */
 struct irs_ng {
@@ -149,7 +151,7 @@ struct irs_ng {
 	void		(*minimize) __P((struct irs_ng *));
 };
 
-/*
+/*%
  * This is the generic map class, which copies the front of all others.
  */
 struct irs_map {
@@ -157,7 +159,7 @@ struct irs_map {
 	void		(*close) __P((void *));
 };
 
-/*
+/*%
  * This is the accessor class.  It contains pointers to all of the
  * initializers for the map classes for a particular accessor.
  */
@@ -176,21 +178,21 @@ struct irs_acc {
 					void (*)(void *)));
 };
 
-/*
+/*%
  * This is because the official definition of "struct netent" has no
  * concept of CIDR even though it allows variant address families (on
  * output but not input).  The compatibility stubs convert the structs
  * below into "struct netent"'s.
  */
 struct nwent {
-	char		*n_name;	/* official name of net */
-	char		**n_aliases;	/* alias list */
-	int		n_addrtype;	/* net address type */
-	void		*n_addr;	/* network address */
-	int		n_length;	/* address length, in bits */
+	char		*n_name;	/*%< official name of net */
+	char		**n_aliases;	/*%< alias list */
+	int		n_addrtype;	/*%< net address type */
+	void		*n_addr;	/*%< network address */
+	int		n_length;	/*%< address length, in bits */
 };
 
-/*
+/*%
  * Hide external function names from POSIX.
  */
 #define	irs_gen_acc	__irs_gen_acc
@@ -240,7 +242,7 @@ struct nwent {
 #define	net_data_destroy	__net_data_destroy
 #define	net_data_minimize	__net_data_minimize
 
-/*
+/*%
  * Externs.
  */
 extern struct irs_acc *	irs_gen_acc __P((const char *, const char *));
@@ -251,7 +253,7 @@ extern struct irs_acc *	irs_irp_acc __P((const char *));
 
 extern void		irs_destroy __P((void));
 
-/*
+/*%
  * These forward declarations are for the semi-private functions in
  * the get*.c files. Each of these funcs implements the real get*
  * functionality and the standard versions are just wrappers that
@@ -260,8 +262,7 @@ extern void		irs_destroy __P((void));
  * the /usr/include replacements.
  */
 
-struct net_data;			/* forward */
-
+struct net_data;			/*%< forward */
 /*
  * net_data_create gets a singleton net_data object.  net_data_init
  * creates as many net_data objects as times it is called.  Clients using
@@ -343,3 +344,5 @@ extern void		setservent_p __P((int, struct net_data *));
 extern void		endservent_p __P((struct net_data *));
 
 #endif /*_IRS_H_INCLUDED*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/isc/assertions.h b/contrib/bind9/lib/bind/include/isc/assertions.h
index 9a9b9de..2ed768d 100644
--- a/contrib/bind9/lib/bind/include/isc/assertions.h
+++ b/contrib/bind9/lib/bind/include/isc/assertions.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: assertions.h,v 1.1.206.1 2004/03/09 08:33:30 marka Exp $
+ * $Id: assertions.h,v 1.2.18.1 2005/04/27 05:00:50 sra Exp $
  */
 
 #ifndef ASSERTIONS_H
@@ -118,5 +118,5 @@ const char *assertion_type_to_text(assertion_type type);
 #define INVARIANT(cond)		((void) (cond))
 #define INVARIANT_ERR(cond)	((void) (cond))
 #endif /* CHECK_INVARIANT */
-
 #endif /* ASSERTIONS_H */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/isc/ctl.h b/contrib/bind9/lib/bind/include/isc/ctl.h
index 74957bc..0f6fe94 100644
--- a/contrib/bind9/lib/bind/include/isc/ctl.h
+++ b/contrib/bind9/lib/bind/include/isc/ctl.h
@@ -19,9 +19,11 @@
  */
 
 /*
- * $Id: ctl.h,v 1.1.2.2.4.1 2004/03/09 08:33:30 marka Exp $
+ * $Id: ctl.h,v 1.4.18.1 2005/04/27 05:00:51 sra Exp $
  */
 
+/*! \file */
+
 #include <sys/types.h>
 #include <sys/socket.h>
 
@@ -29,10 +31,9 @@
 
 /* Macros. */
 
-#define	CTL_MORE	0x0001	/* More will be / should be sent. */
-#define	CTL_EXIT	0x0002	/* Close connection after this. */
-#define	CTL_DATA	0x0004	/* Go into / this is DATA mode. */
-
+#define	CTL_MORE	0x0001	/*%< More will be / should be sent. */
+#define	CTL_EXIT	0x0002	/*%< Close connection after this. */
+#define	CTL_DATA	0x0004	/*%< Go into / this is DATA mode. */
 /* Types. */
 
 struct ctl_cctx;
@@ -107,3 +108,5 @@ void *			ctl_getcsctx(struct ctl_sess *);
 void *			ctl_setcsctx(struct ctl_sess *, void *);
 
 #endif /*ISC_CTL_H*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/isc/dst.h b/contrib/bind9/lib/bind/include/isc/dst.h
index fe92297..90a9e67 100644
--- a/contrib/bind9/lib/bind/include/isc/dst.h
+++ b/contrib/bind9/lib/bind/include/isc/dst.h
@@ -3,15 +3,14 @@
 
 #ifndef HAS_DST_KEY
 typedef struct dst_key {
-	char	*dk_key_name;   /* name of the key */
-	int	dk_key_size;    /* this is the size of the key in bits */
-	int	dk_proto;       /* what protocols this key can be used for */
-	int	dk_alg;         /* algorithm number from key record */
-	u_int32_t dk_flags;     /* and the flags of the public key */
-	u_int16_t dk_id;        /* identifier of the key */
+	char	*dk_key_name;   /*%< name of the key */
+	int	dk_key_size;    /*%< this is the size of the key in bits */
+	int	dk_proto;       /*%< what protocols this key can be used for */
+	int	dk_alg;         /*%< algorithm number from key record */
+	u_int32_t dk_flags;     /*%< and the flags of the public key */
+	u_int16_t dk_id;        /*%< identifier of the key */
 } DST_KEY;
 #endif /* HAS_DST_KEY */
-
 /*
  * do not taint namespace
  */
@@ -59,58 +58,47 @@ typedef struct dst_key {
 void     dst_init(void);
 int      dst_check_algorithm(const int);
 
-int dst_sign_data(const int,	 	/* specifies INIT/UPDATE/FINAL/ALL */
-		  DST_KEY *,	 	/* the key to use */
-		  void **,	 	/* pointer to state structure */
-		  const u_char *,	/* data to be signed */
-		  const int,	 	/* length of input data */
-		  u_char *,	 	/* buffer to write signature to */
-		  const int);	 	/* size of output buffer */
-
-int dst_verify_data(const int,	 	/* specifies INIT/UPDATE/FINAL/ALL */
-		    DST_KEY *,	 	/* the key to use */
-		    void **,	 	/* pointer to state structure */
-		    const u_char *,	/* data to be verified */
-		    const int,	 	/* length of input data */
-		    const u_char *,	/* buffer containing signature */
-		    const int);	 	/* length of signature */
-
-
-DST_KEY *dst_read_key(const char *,	/* name of key */
-		      const u_int16_t,	/* key tag identifier */
-		      const int,	/* key algorithm */
-		      const int);	/* Private/PublicKey wanted*/
-
-int      dst_write_key(const DST_KEY *,	/* key to write out */
-		       const int); 	/* Public/Private */
-
-DST_KEY *dst_dnskey_to_key(const char *,	/* KEY record name */
-			   const u_char *,	/* KEY RDATA */
-			   const int);		/* size of input buffer*/
-
-
-int      dst_key_to_dnskey(const DST_KEY *,	/* key to translate */
-			   u_char *,		/* output buffer */
-			   const int);		/* size of out_storage*/
-
-
-DST_KEY *dst_buffer_to_key(const char *,  	/* name of the key */
-			   const int,	  	/* algorithm */
-			   const int,	  	/* dns flags */
-			   const int,	  	/* dns protocol */
-			   const u_char *, 	/* key in dns wire fmt */
-			   const int);	  	/* size of key */
-
 
+int dst_sign_data(const int,	 	/*!<   specifies INIT/UPDATE/FINAL/ALL  */
+		  DST_KEY *,	 	/*!<   the key to use  */
+		  void **,	 	/*!<   pointer to state structure  */
+		  const u_char *,	/*!<   data to be signed  */
+		  const int,	 	/*!<   length of input data  */
+		  u_char *,	 	/*!<   buffer to write signature to  */
+		  const int);	 	/*!<   size of output buffer  */
+int dst_verify_data(const int,	 	/*!<   specifies INIT/UPDATE/FINAL/ALL  */
+		    DST_KEY *,	 	/*!<   the key to use  */
+		    void **,	 	/*!<   pointer to state structure  */
+		    const u_char *,	/*!<   data to be verified  */
+		    const int,	 	/*!<   length of input data  */
+		    const u_char *,	/*!<   buffer containing signature  */
+		    const int);	 	/*!<   length of signature  */
+DST_KEY *dst_read_key(const char *,	/*!<   name of key  */
+		      const u_int16_t,	/*!<   key tag identifier  */
+		      const int,	/*!<   key algorithm  */
+		      const int);	/*!<   Private/PublicKey wanted */
+int      dst_write_key(const DST_KEY *,	/*!<   key to write out  */
+		       const int); 	/*!<   Public/Private  */
+DST_KEY *dst_dnskey_to_key(const char *,	/*!<   KEY record name  */
+			   const u_char *,	/*!<   KEY RDATA  */
+			   const int);		/*!<   size of input buffer */
+int      dst_key_to_dnskey(const DST_KEY *,	/*!<   key to translate  */
+			   u_char *,		/*!<   output buffer  */
+			   const int);		/*!<   size of out_storage */
+DST_KEY *dst_buffer_to_key(const char *,  	/*!<   name of the key  */
+			   const int,	  	/*!<   algorithm  */
+			   const int,	  	/*!<   dns flags  */
+			   const int,	  	/*!<   dns protocol  */
+			   const u_char *, 	/*!<   key in dns wire fmt  */
+			   const int);	  	/*!<   size of key  */
 int     dst_key_to_buffer(DST_KEY *, u_char *, int);
 
-DST_KEY *dst_generate_key(const char *,    	/* name of new key */
-			  const int,       	/* key algorithm to generate */
-			  const int,      	/* size of new key */
-			  const int,       	/* alg dependent parameter*/
-			  const int,     	/* key DNS flags */
-			  const int);		/* key DNS protocol */
-
+DST_KEY *dst_generate_key(const char *,    	/*!<   name of new key  */
+			  const int,       	/*!<   key algorithm to generate  */
+			  const int,      	/*!<   size of new key  */
+			  const int,       	/*!<   alg dependent parameter */
+			  const int,     	/*!<   key DNS flags  */
+			  const int);		/*!<   key DNS protocol  */
 DST_KEY *dst_free_key(DST_KEY *);
 int      dst_compare_keys(const DST_KEY *, const DST_KEY *);
 
@@ -122,13 +110,12 @@ u_int16_t dst_s_dns_key_id(const u_char *, const int);
 u_int16_t dst_s_id_calc(const u_char *, const int);
 
 /* Used by callers as well as by the library.  */
-#define RAW_KEY_SIZE    8192        /* large enough to store any key */
-
+#define RAW_KEY_SIZE    8192        /*%< large enough to store any key */
 /* DST_API control flags */
 /* These are used used in functions dst_sign_data and dst_verify_data */
-#define SIG_MODE_INIT		1  /* initialize digest */
-#define SIG_MODE_UPDATE		2  /* add data to digest */
-#define SIG_MODE_FINAL		4  /* generate/verify signature */
+#define SIG_MODE_INIT		1  /*%< initialize digest */
+#define SIG_MODE_UPDATE		2  /*%< add data to digest */
+#define SIG_MODE_FINAL		4  /*%< generate/verify signature */
 #define SIG_MODE_ALL		(SIG_MODE_INIT|SIG_MODE_UPDATE|SIG_MODE_FINAL)
 
 /* Flags for dst_read_private_key()  */
@@ -178,3 +165,4 @@ u_int16_t dst_s_id_calc(const u_char *, const int);
 #define UNSUPPORTED_KEYALG	(-31)
 
 #endif /* DST_H */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/isc/eventlib.h b/contrib/bind9/lib/bind/include/isc/eventlib.h
index 033b312..598c71c 100644
--- a/contrib/bind9/lib/bind/include/isc/eventlib.h
+++ b/contrib/bind9/lib/bind/include/isc/eventlib.h
@@ -18,7 +18,7 @@
 /* eventlib.h - exported interfaces for eventlib
  * vix 09sep95 [initial]
  *
- * $Id: eventlib.h,v 1.1.2.1.4.2 2005/07/28 07:43:18 marka Exp $
+ * $Id: eventlib.h,v 1.3.18.2 2005/07/28 07:38:07 marka Exp $
  */
 
 #ifndef _EVENTLIB_H
@@ -200,3 +200,5 @@ int evDefer __P((evContext, evWaitFunc, void *));
 #endif
 
 #endif /*_EVENTLIB_H*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/isc/heap.h b/contrib/bind9/lib/bind/include/isc/heap.h
index 691c821..384d507 100644
--- a/contrib/bind9/lib/bind/include/isc/heap.h
+++ b/contrib/bind9/lib/bind/include/isc/heap.h
@@ -45,3 +45,5 @@ int		heap_increased(heap_context, int);
 int		heap_decreased(heap_context, int);
 void *		heap_element(heap_context, int);
 int		heap_for_each(heap_context, heap_for_each_func, void *);
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/isc/irpmarshall.h b/contrib/bind9/lib/bind/include/isc/irpmarshall.h
index e672f97..ef57701 100644
--- a/contrib/bind9/lib/bind/include/isc/irpmarshall.h
+++ b/contrib/bind9/lib/bind/include/isc/irpmarshall.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: irpmarshall.h,v 1.1.2.1.4.1 2004/03/09 08:33:31 marka Exp $
+ * $Id: irpmarshall.h,v 1.3.18.1 2005/04/27 05:00:51 sra Exp $
  */
 
 #ifndef _IRPMARSHALL_H_INCLUDED
@@ -63,7 +63,8 @@ int irp_unmarshall_nw(struct nwent *, char *);
 int irp_marshall_ne(struct netent *, char **, size_t *);
 int irp_unmarshall_ne(struct netent *, char *);
 
-/*
+/*! \file
+ * \brief
  * Functions to marshall and unmarshall various system data structures. We
  * use a printable ascii format that is as close to various system config
  * files as reasonable (e.g. /etc/passwd format).
@@ -79,9 +80,7 @@ int irp_unmarshall_ne(struct netent *, char *);
  *
  * The following description is true for all the marshalling functions:
  *
- */
-
-/* int irp_marshall_XX(struct yyyy *XX, char **buffer, size_t *len);
+ * int irp_marshall_XX(struct yyyy *XX, char **buffer, size_t *len);
  *
  * The argument XX (of type struct passwd for example) is marshalled in the
  * buffer pointed at by *BUFFER, which is of length *LEN. Returns 0
@@ -101,9 +100,7 @@ int irp_unmarshall_ne(struct netent *, char *);
  * to separate fields). Fields that have multiple subfields (like the
  * gr_mem field in struct group) have their subparts separated by
  * commas.
- */
-
-/*
+ *
  * int irp_unmarshall_XX(struct YYYYY *XX, char *buffer);
  *
  * The unmashalling functions break apart the buffer and store the
diff --git a/contrib/bind9/lib/bind/include/isc/list.h b/contrib/bind9/lib/bind/include/isc/list.h
index 4e27eb1..c85c667 100644
--- a/contrib/bind9/lib/bind/include/isc/list.h
+++ b/contrib/bind9/lib/bind/include/isc/list.h
@@ -114,3 +114,4 @@
 #define DEQUEUE(list, elt, link) UNLINK(list, elt, link)
 
 #endif /* LIST_H */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/isc/logging.h b/contrib/bind9/lib/bind/include/isc/logging.h
index 574fd8a..c539443 100644
--- a/contrib/bind9/lib/bind/include/isc/logging.h
+++ b/contrib/bind9/lib/bind/include/isc/logging.h
@@ -110,3 +110,4 @@ int			log_free_channel(log_channel);
 void			log_close_debug_channels(log_context);
 
 #endif /* !LOGGING_H */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/isc/memcluster.h b/contrib/bind9/lib/bind/include/isc/memcluster.h
index 11e1fa3..0923deb 100644
--- a/contrib/bind9/lib/bind/include/isc/memcluster.h
+++ b/contrib/bind9/lib/bind/include/isc/memcluster.h
@@ -47,3 +47,4 @@ void 	memstats(FILE *);
 int	memactive(void);
 
 #endif /* MEMCLUSTER_H */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/isc/misc.h b/contrib/bind9/lib/bind/include/isc/misc.h
index b08b02d..d2e98ac 100644
--- a/contrib/bind9/lib/bind/include/isc/misc.h
+++ b/contrib/bind9/lib/bind/include/isc/misc.h
@@ -16,12 +16,14 @@
  */
 
 /*
- * $Id: misc.h,v 1.2.2.1.4.1 2004/03/09 08:33:31 marka Exp $
+ * $Id: misc.h,v 1.4.18.1 2005/04/27 05:00:52 sra Exp $
  */
 
 #ifndef _ISC_MISC_H
 #define _ISC_MISC_H
 
+/*! \file */
+
 #include <stdio.h>
 
 #define	bitncmp		__bitncmp
@@ -37,3 +39,5 @@ extern void		isc_puthexstring(FILE *, const unsigned char *, size_t,
 extern void		isc_tohex(const unsigned char *, size_t, char *);
 
 #endif /*_ISC_MISC_H*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/isc/tree.h b/contrib/bind9/lib/bind/include/isc/tree.h
index 0572c40..8096a8d 100644
--- a/contrib/bind9/lib/bind/include/isc/tree.h
+++ b/contrib/bind9/lib/bind/include/isc/tree.h
@@ -3,7 +3,7 @@
  * vix 22jan93 [revisited; uses RCS, ANSI, POSIX; has bug fixes]
  * vix 27jun86 [broken out of tree.c]
  *
- * $Id: tree.h,v 1.1.2.1 2003/06/27 03:51:39 marka Exp $
+ * $Id: tree.h,v 1.2.164.1 2005/04/27 05:00:52 sra Exp $
  */
 
 
@@ -19,7 +19,7 @@
 # endif
 #endif
 
-/*
+/*%
  * tree_t is our package-specific anonymous pointer.
  */
 #if defined(__STDC__) || defined(__GNUC__)
@@ -28,7 +28,7 @@ typedef	void *tree_t;
 typedef	char *tree_t;
 #endif
 
-/*
+/*%
  * Do not taint namespace
  */
 #define	tree_add	__tree_add
@@ -56,3 +56,4 @@ void	tree_mung	__P((tree **, void (*)()));
 
 
 #endif	/* _TREE_H_INCLUDED */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/netdb.h b/contrib/bind9/lib/bind/include/netdb.h
index 11ee8a5..66dd13d 100644
--- a/contrib/bind9/lib/bind/include/netdb.h
+++ b/contrib/bind9/lib/bind/include/netdb.h
@@ -86,7 +86,7 @@
 
 /*
  *      @(#)netdb.h	8.1 (Berkeley) 6/2/93
- *	$Id: netdb.h,v 1.12.2.1.4.9 2006/10/02 01:20:30 marka Exp $
+ *	$Id: netdb.h,v 1.15.18.6 2006/10/02 01:23:09 marka Exp $
  */
 
 #ifndef _NETDB_H_
@@ -131,99 +131,98 @@ __END_DECLS
 extern int h_errno;
 #endif
 
-/*
+/*%
  * Structures returned by network data base library.  All addresses are
  * supplied in host order, and returned in network order (suitable for
  * use in system calls).
  */
 struct	hostent {
-	char	*h_name;	/* official name of host */
-	char	**h_aliases;	/* alias list */
-	int	h_addrtype;	/* host address type */
-	int	h_length;	/* length of address */
-	char	**h_addr_list;	/* list of addresses from name server */
-#define	h_addr	h_addr_list[0]	/* address, for backward compatiblity */
+	char	*h_name;	/*%< official name of host */
+	char	**h_aliases;	/*%< alias list */
+	int	h_addrtype;	/*%< host address type */
+	int	h_length;	/*%< length of address */
+	char	**h_addr_list;	/*%< list of addresses from name server */
+#define	h_addr	h_addr_list[0]	/*%< address, for backward compatiblity */
 };
 
-/*
+/*%
  * Assumption here is that a network number
  * fits in an unsigned long -- probably a poor one.
  */
 struct	netent {
-	char		*n_name;	/* official name of net */
-	char		**n_aliases;	/* alias list */
-	int		n_addrtype;	/* net address type */
-	unsigned long	n_net;		/* network # */
+	char		*n_name;	/*%< official name of net */
+	char		**n_aliases;	/*%< alias list */
+	int		n_addrtype;	/*%< net address type */
+	unsigned long	n_net;		/*%< network # */
 };
 
 struct	servent {
-	char	*s_name;	/* official service name */
-	char	**s_aliases;	/* alias list */
-	int	s_port;		/* port # */
-	char	*s_proto;	/* protocol to use */
+	char	*s_name;	/*%< official service name */
+	char	**s_aliases;	/*%< alias list */
+	int	s_port;		/*%< port # */
+	char	*s_proto;	/*%< protocol to use */
 };
 
 struct	protoent {
-	char	*p_name;	/* official protocol name */
-	char	**p_aliases;	/* alias list */
-	int	p_proto;	/* protocol # */
+	char	*p_name;	/*%< official protocol name */
+	char	**p_aliases;	/*%< alias list */
+	int	p_proto;	/*%< protocol # */
 };
 
 struct	addrinfo {
-	int		ai_flags;	/* AI_PASSIVE, AI_CANONNAME */
-	int		ai_family;	/* PF_xxx */
-	int		ai_socktype;	/* SOCK_xxx */
-	int		ai_protocol;	/* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+	int		ai_flags;	/*%< AI_PASSIVE, AI_CANONNAME */
+	int		ai_family;	/*%< PF_xxx */
+	int		ai_socktype;	/*%< SOCK_xxx */
+	int		ai_protocol;	/*%< 0 or IPPROTO_xxx for IPv4 and IPv6 */
 #if defined(sun) && defined(_SOCKLEN_T)
 #ifdef __sparcv9
 	int		_ai_pad;
 #endif
 	socklen_t	ai_addrlen;
 #else
-	size_t		ai_addrlen;	/* length of ai_addr */
+	size_t		ai_addrlen;	/*%< length of ai_addr */
 #endif
 #ifdef __linux
-	struct sockaddr	*ai_addr; 	/* binary address */
-	char		*ai_canonname;	/* canonical name for hostname */
+	struct sockaddr	*ai_addr; 	/*%< binary address */
+	char		*ai_canonname;	/*%< canonical name for hostname */
 #else
-	char		*ai_canonname;	/* canonical name for hostname */
-	struct sockaddr	*ai_addr; 	/* binary address */
+	char		*ai_canonname;	/*%< canonical name for hostname */
+	struct sockaddr	*ai_addr; 	/*%< binary address */
 #endif
-	struct addrinfo	*ai_next; 	/* next structure in linked list */
+	struct addrinfo	*ai_next; 	/*%< next structure in linked list */
 };
 
-/*
+/*%
  * Error return codes from gethostbyname() and gethostbyaddr()
  * (left in extern int h_errno).
  */
 
-#define	NETDB_INTERNAL	-1	/* see errno */
-#define	NETDB_SUCCESS	0	/* no problem */
-#define	HOST_NOT_FOUND	1 /* Authoritative Answer Host not found */
-#define	TRY_AGAIN	2 /* Non-Authoritive Host not found, or SERVERFAIL */
-#define	NO_RECOVERY	3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
-#define	NO_DATA		4 /* Valid name, no data record of requested type */
-#define	NO_ADDRESS	NO_DATA		/* no address, look for MX record */
-
+#define	NETDB_INTERNAL	-1	/*%< see errno */
+#define	NETDB_SUCCESS	0	/*%< no problem */
+#define	HOST_NOT_FOUND	1 /*%< Authoritative Answer Host not found */
+#define	TRY_AGAIN	2 /*%< Non-Authoritive Host not found, or SERVERFAIL */
+#define	NO_RECOVERY	3 /*%< Non recoverable errors, FORMERR, REFUSED, NOTIMP */
+#define	NO_DATA		4 /*%< Valid name, no data record of requested type */
+#define	NO_ADDRESS	NO_DATA		/*%< no address, look for MX record */
 /*
  * Error return codes from getaddrinfo()
  */
-#define	EAI_ADDRFAMILY	 1	/* address family for hostname not supported */
-#define	EAI_AGAIN	 2	/* temporary failure in name resolution */
-#define	EAI_BADFLAGS	 3	/* invalid value for ai_flags */
-#define	EAI_FAIL	 4	/* non-recoverable failure in name resolution */
-#define	EAI_FAMILY	 5	/* ai_family not supported */
-#define	EAI_MEMORY	 6	/* memory allocation failure */
-#define	EAI_NODATA	 7	/* no address associated with hostname */
-#define	EAI_NONAME	 8	/* hostname nor servname provided, or not known */
-#define	EAI_SERVICE	 9	/* servname not supported for ai_socktype */
-#define	EAI_SOCKTYPE	10	/* ai_socktype not supported */
-#define	EAI_SYSTEM	11	/* system error returned in errno */
+#define	EAI_ADDRFAMILY	 1	/*%< address family for hostname not supported */
+#define	EAI_AGAIN	 2	/*%< temporary failure in name resolution */
+#define	EAI_BADFLAGS	 3	/*%< invalid value for ai_flags */
+#define	EAI_FAIL	 4	/*%< non-recoverable failure in name resolution */
+#define	EAI_FAMILY	 5	/*%< ai_family not supported */
+#define	EAI_MEMORY	 6	/*%< memory allocation failure */
+#define	EAI_NODATA	 7	/*%< no address associated with hostname */
+#define	EAI_NONAME	 8	/*%< hostname nor servname provided, or not known */
+#define	EAI_SERVICE	 9	/*%< servname not supported for ai_socktype */
+#define	EAI_SOCKTYPE	10	/*%< ai_socktype not supported */
+#define	EAI_SYSTEM	11	/*%< system error returned in errno */
 #define EAI_BADHINTS	12
 #define EAI_PROTOCOL	13
 #define EAI_MAX		14
 
-/*
+/*%
  * Flag values for getaddrinfo()
  */
 #define	AI_PASSIVE	0x00000001
@@ -231,7 +230,7 @@ struct	addrinfo {
 #define AI_NUMERICHOST	0x00000004
 #define	AI_MASK		0x00000007
 
-/*
+/*%
  * Flag values for getipnodebyname()
  */
 #define AI_V4MAPPED	0x00000008
@@ -239,13 +238,13 @@ struct	addrinfo {
 #define AI_ADDRCONFIG	0x00000020
 #define AI_DEFAULT	(AI_V4MAPPED|AI_ADDRCONFIG)
 
-/*
+/*%
  * Constants for getnameinfo()
  */
 #define	NI_MAXHOST	1025
 #define	NI_MAXSERV	32
 
-/*
+/*%
  * Flag values for getnameinfo()
  */
 #define	NI_NOFQDN	0x00000001
@@ -256,7 +255,7 @@ struct	addrinfo {
 #define	NI_WITHSCOPEID	0x00000020
 #define NI_NUMERICSCOPE	0x00000040
 
-/*
+/*%
  * Scope delimit character
  */
 #define SCOPE_DELIMITER	'%'
@@ -572,12 +571,12 @@ __END_DECLS
 #include <rpc/netdb.h>
 #else
 struct rpcent {
-	char	*r_name;	/* name of server for this rpc program */
-	char	**r_aliases;	/* alias list */
-	int	r_number;	/* rpc program number */
+	char	*r_name;	/*%< name of server for this rpc program */
+	char	**r_aliases;	/*%< alias list */
+	int	r_number;	/*%< rpc program number */
 };
 struct rpcent	*getrpcbyname(), *getrpcbynumber(), *getrpcent();
 #endif /* __GNU_LIBRARY__ */
 #endif /* sun */
-
 #endif /* !_NETDB_H_ */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/netgroup.h b/contrib/bind9/lib/bind/include/netgroup.h
index 2296208..e4be459 100644
--- a/contrib/bind9/lib/bind/include/netgroup.h
+++ b/contrib/bind9/lib/bind/include/netgroup.h
@@ -22,3 +22,5 @@ int innetgr __P((const char *, const char *, const char *, const char *));
 #endif
 #endif
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/res_update.h b/contrib/bind9/lib/bind/include/res_update.h
index 07a37f3..2e6f171 100644
--- a/contrib/bind9/lib/bind/include/res_update.h
+++ b/contrib/bind9/lib/bind/include/res_update.h
@@ -16,34 +16,36 @@
  */
 
 /*
- *	$Id: res_update.h,v 1.1.206.1 2004/03/09 08:33:29 marka Exp $
+ *	$Id: res_update.h,v 1.2.18.1 2005/04/27 05:00:49 sra Exp $
  */
 
 #ifndef __RES_UPDATE_H
 #define __RES_UPDATE_H
 
+/*! \file */
+
 #include <sys/types.h>
 #include <arpa/nameser.h>
 #include <isc/list.h>
 #include <resolv.h>
 
-/*
+/*%
  * This RR-like structure is particular to UPDATE.
  */
 struct ns_updrec {
 	LINK(struct ns_updrec) r_link, r_glink;
-	ns_sect		r_section;	/* ZONE/PREREQUISITE/UPDATE */
-	char *		r_dname;	/* owner of the RR */
-	ns_class	r_class;	/* class number */
-	ns_type		r_type;		/* type number */
-	u_int32_t	r_ttl;		/* time to live */
-	u_char *	r_data;		/* rdata fields as text string */
-	u_int		r_size;		/* size of r_data field */
-	int		r_opcode;	/* type of operation */
+	ns_sect		r_section;	/*%< ZONE/PREREQUISITE/UPDATE */
+	char *		r_dname;	/*%< owner of the RR */
+	ns_class	r_class;	/*%< class number */
+	ns_type		r_type;		/*%< type number */
+	u_int32_t	r_ttl;		/*%< time to live */
+	u_char *	r_data;		/*%< rdata fields as text string */
+	u_int		r_size;		/*%< size of r_data field */
+	int		r_opcode;	/*%< type of operation */
 	/* following fields for private use by the resolver/server routines */
-	struct databuf *r_dp;		/* databuf to process */
-	struct databuf *r_deldp;	/* databuf's deleted/overwritten */
-	u_int		r_zone;		/* zone number on server */
+	struct databuf *r_dp;		/*%< databuf to process */
+	struct databuf *r_deldp;	/*%< databuf's deleted/overwritten */
+	u_int		r_zone;		/*%< zone number on server */
 };
 typedef struct ns_updrec ns_updrec;
 typedef	LIST(ns_updrec)	ns_updque;
@@ -63,3 +65,5 @@ int		res_nmkupdate __P((res_state, ns_updrec *, u_char *, int));
 int		res_nupdate __P((res_state, ns_updrec *, ns_tsig_key *));
 
 #endif /*__RES_UPDATE_H*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/include/resolv.h b/contrib/bind9/lib/bind/include/resolv.h
index 87a9520..66d84fc 100644
--- a/contrib/bind9/lib/bind/include/resolv.h
+++ b/contrib/bind9/lib/bind/include/resolv.h
@@ -48,9 +48,9 @@
  * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/*
+/*%
  *	@(#)resolv.h	8.1 (Berkeley) 6/2/93
- *	$Id: resolv.h,v 1.7.2.11.4.3 2005/08/25 04:44:13 marka Exp $
+ *	$Id: resolv.h,v 1.19.18.3 2005/08/25 04:43:51 marka Exp $
  */
 
 #ifndef _RESOLV_H_
@@ -67,7 +67,7 @@
 #include <stdio.h>
 #include <arpa/nameser.h>
 
-/*
+/*%
  * Revision information.  This is the release date in YYYYMMDD format.
  * It can change every day so the right thing to do with it is use it
  * in preprocessor commands such as "#if (__RES > 19931104)".  Do not
@@ -77,7 +77,7 @@
 
 #define	__RES	20030124
 
-/*
+/*%
  * This used to be defined in res_query.c, now it's in herror.c.
  * [XXX no it's not.  It's in irs/irs_data.c]
  * It was
@@ -97,12 +97,12 @@
  */
 
 #define RES_SET_H_ERRNO(r,x) __h_errno_set(r,x)
-struct __res_state; /* forward */
+struct __res_state; /*%< forward */
 __BEGIN_DECLS
 void __h_errno_set(struct __res_state *res, int err);
 __END_DECLS
 
-/*
+/*%
  * Resolver configuration file.
  * Normally not present, but may contain the address of the
  * initial name server(s) to query and the domain search list.
@@ -132,70 +132,68 @@ typedef res_sendhookact (*res_send_rhook)__PMT((const struct sockaddr *,
 						int, int *));
 
 struct res_sym {
-	int		number;	   /* Identifying number, like T_MX */
-	const char *	name;	   /* Its symbolic name, like "MX" */
-	const char *	humanname; /* Its fun name, like "mail exchanger" */
+	int		number;	   /*%< Identifying number, like T_MX */
+	const char *	name;	   /*%< Its symbolic name, like "MX" */
+	const char *	humanname; /*%< Its fun name, like "mail exchanger" */
 };
 
-/*
+/*%
  * Global defines and variables for resolver stub.
  */
-#define	MAXNS			3	/* max # name servers we'll track */
-#define	MAXDFLSRCH		3	/* # default domain levels to try */
-#define	MAXDNSRCH		6	/* max # domains in search path */
-#define	LOCALDOMAINPARTS	2	/* min levels in name that is "local" */
-
-#define	RES_TIMEOUT		5	/* min. seconds between retries */
-#define	MAXRESOLVSORT		10	/* number of net to sort on */
-#define	RES_MAXNDOTS		15	/* should reflect bit field size */
-#define	RES_MAXRETRANS		30	/* only for resolv.conf/RES_OPTIONS */
-#define	RES_MAXRETRY		5	/* only for resolv.conf/RES_OPTIONS */
-#define	RES_DFLRETRY		2	/* Default #/tries. */
-#define	RES_MAXTIME		65535	/* Infinity, in milliseconds. */
-
+#define	MAXNS			3	/*%< max # name servers we'll track */
+#define	MAXDFLSRCH		3	/*%< # default domain levels to try */
+#define	MAXDNSRCH		6	/*%< max # domains in search path */
+#define	LOCALDOMAINPARTS	2	/*%< min levels in name that is "local" */
+#define	RES_TIMEOUT		5	/*%< min. seconds between retries */
+#define	MAXRESOLVSORT		10	/*%< number of net to sort on */
+#define	RES_MAXNDOTS		15	/*%< should reflect bit field size */
+#define	RES_MAXRETRANS		30	/*%< only for resolv.conf/RES_OPTIONS */
+#define	RES_MAXRETRY		5	/*%< only for resolv.conf/RES_OPTIONS */
+#define	RES_DFLRETRY		2	/*%< Default #/tries. */
+#define	RES_MAXTIME		65535	/*%< Infinity, in milliseconds. */
 struct __res_state_ext;
 
 struct __res_state {
-	int	retrans;	 	/* retransmission time interval */
-	int	retry;			/* number of times to retransmit */
+	int	retrans;	 	/*%< retransmission time interval */
+	int	retry;			/*%< number of times to retransmit */
 #ifdef sun
-	u_int	options;		/* option flags - see below. */
+	u_int	options;		/*%< option flags - see below. */
 #else
-	u_long	options;		/* option flags - see below. */
+	u_long	options;		/*%< option flags - see below. */
 #endif
-	int	nscount;		/* number of name servers */
+	int	nscount;		/*%< number of name servers */
 	struct sockaddr_in
-		nsaddr_list[MAXNS];	/* address of name server */
-#define	nsaddr	nsaddr_list[0]		/* for backward compatibility */
-	u_short	id;			/* current message id */
-	char	*dnsrch[MAXDNSRCH+1];	/* components of domain to search */
-	char	defdname[256];		/* default domain (deprecated) */
+		nsaddr_list[MAXNS];	/*%< address of name server */
+#define	nsaddr	nsaddr_list[0]		/*%< for backward compatibility */
+	u_short	id;			/*%< current message id */
+	char	*dnsrch[MAXDNSRCH+1];	/*%< components of domain to search */
+	char	defdname[256];		/*%< default domain (deprecated) */
 #ifdef sun
-	u_int	pfcode;			/* RES_PRF_ flags - see below. */
+	u_int	pfcode;			/*%< RES_PRF_ flags - see below. */
 #else
-	u_long	pfcode;			/* RES_PRF_ flags - see below. */
+	u_long	pfcode;			/*%< RES_PRF_ flags - see below. */
 #endif
-	unsigned ndots:4;		/* threshold for initial abs. query */
-	unsigned nsort:4;		/* number of elements in sort_list[] */
+	unsigned ndots:4;		/*%< threshold for initial abs. query */
+	unsigned nsort:4;		/*%< number of elements in sort_list[] */
 	char	unused[3];
 	struct {
 		struct in_addr	addr;
 		u_int32_t	mask;
 	} sort_list[MAXRESOLVSORT];
-	res_send_qhook qhook;		/* query hook */
-	res_send_rhook rhook;		/* response hook */
-	int	res_h_errno;		/* last one set for this context */
-	int	_vcsock;		/* PRIVATE: for res_send VC i/o */
-	u_int	_flags;			/* PRIVATE: see below */
-	u_int	_pad;			/* make _u 64 bit aligned */
+	res_send_qhook qhook;		/*%< query hook */
+	res_send_rhook rhook;		/*%< response hook */
+	int	res_h_errno;		/*%< last one set for this context */
+	int	_vcsock;		/*%< PRIVATE: for res_send VC i/o */
+	u_int	_flags;			/*%< PRIVATE: see below */
+	u_int	_pad;			/*%< make _u 64 bit aligned */
 	union {
 		/* On an 32-bit arch this means 512b total. */
 		char	pad[72 - 4*sizeof (int) - 2*sizeof (void *)];
 		struct {
 			u_int16_t		nscount;
-			u_int16_t		nstimes[MAXNS];	/* ms. */
+			u_int16_t		nstimes[MAXNS];	/*%< ms. */
 			int			nssocks[MAXNS];
-			struct __res_state_ext *ext;	/* extention for IPv6 */
+			struct __res_state_ext *ext;	/*%< extention for IPv6 */
 		} _ext;
 	} _u;
 };
@@ -208,62 +206,62 @@ union res_sockaddr_union {
 	struct sockaddr_in6	sin6;
 #endif
 #ifdef ISC_ALIGN64
-	int64_t			__align64;	/* 64bit alignment */
+	int64_t			__align64;	/*%< 64bit alignment */
 #else
-	int32_t			__align32;	/* 32bit alignment */
+	int32_t			__align32;	/*%< 32bit alignment */
 #endif
-	char			__space[128];   /* max size */
+	char			__space[128];   /*%< max size */
 };
 
-/*
+/*%
  * Resolver flags (used to be discrete per-module statics ints).
  */
-#define	RES_F_VC	0x00000001	/* socket is TCP */
-#define	RES_F_CONN	0x00000002	/* socket is connected */
-#define	RES_F_EDNS0ERR	0x00000004	/* EDNS0 caused errors */
-#define	RES_F__UNUSED	0x00000008	/* (unused) */
-#define	RES_F_LASTMASK	0x000000F0	/* ordinal server of last res_nsend */
-#define	RES_F_LASTSHIFT	4		/* bit position of LASTMASK "flag" */
+#define	RES_F_VC	0x00000001	/*%< socket is TCP */
+#define	RES_F_CONN	0x00000002	/*%< socket is connected */
+#define	RES_F_EDNS0ERR	0x00000004	/*%< EDNS0 caused errors */
+#define	RES_F__UNUSED	0x00000008	/*%< (unused) */
+#define	RES_F_LASTMASK	0x000000F0	/*%< ordinal server of last res_nsend */
+#define	RES_F_LASTSHIFT	4		/*%< bit position of LASTMASK "flag" */
 #define	RES_GETLAST(res) (((res)._flags & RES_F_LASTMASK) >> RES_F_LASTSHIFT)
 
 /* res_findzonecut2() options */
-#define	RES_EXHAUSTIVE	0x00000001	/* always do all queries */
-#define	RES_IPV4ONLY	0x00000002	/* IPv4 only */
-#define	RES_IPV6ONLY	0x00000004	/* IPv6 only */
+#define	RES_EXHAUSTIVE	0x00000001	/*%< always do all queries */
+#define	RES_IPV4ONLY	0x00000002	/*%< IPv4 only */
+#define	RES_IPV6ONLY	0x00000004	/*%< IPv6 only */
 
-/*
+/*%
  * Resolver options (keep these in synch with res_debug.c, please)
  */
-#define RES_INIT	0x00000001	/* address initialized */
-#define RES_DEBUG	0x00000002	/* print debug messages */
-#define RES_AAONLY	0x00000004	/* authoritative answers only (!IMPL)*/
-#define RES_USEVC	0x00000008	/* use virtual circuit */
-#define RES_PRIMARY	0x00000010	/* query primary server only (!IMPL) */
-#define RES_IGNTC	0x00000020	/* ignore trucation errors */
-#define RES_RECURSE	0x00000040	/* recursion desired */
-#define RES_DEFNAMES	0x00000080	/* use default domain name */
-#define RES_STAYOPEN	0x00000100	/* Keep TCP socket open */
-#define RES_DNSRCH	0x00000200	/* search up local domain tree */
-#define	RES_INSECURE1	0x00000400	/* type 1 security disabled */
-#define	RES_INSECURE2	0x00000800	/* type 2 security disabled */
-#define	RES_NOALIASES	0x00001000	/* shuts off HOSTALIASES feature */
-#define	RES_USE_INET6	0x00002000	/* use/map IPv6 in gethostbyname() */
-#define RES_ROTATE	0x00004000	/* rotate ns list after each query */
-#define	RES_NOCHECKNAME	0x00008000	/* do not check names for sanity. */
-#define	RES_KEEPTSIG	0x00010000	/* do not strip TSIG records */
-#define	RES_BLAST	0x00020000	/* blast all recursive servers */
-#define RES_NOTLDQUERY	0x00100000	/* don't unqualified name as a tld */
-#define RES_USE_DNSSEC	0x00200000	/* use DNSSEC using OK bit in OPT */
+#define RES_INIT	0x00000001	/*%< address initialized */
+#define RES_DEBUG	0x00000002	/*%< print debug messages */
+#define RES_AAONLY	0x00000004	/*%< authoritative answers only (!IMPL)*/
+#define RES_USEVC	0x00000008	/*%< use virtual circuit */
+#define RES_PRIMARY	0x00000010	/*%< query primary server only (!IMPL) */
+#define RES_IGNTC	0x00000020	/*%< ignore trucation errors */
+#define RES_RECURSE	0x00000040	/*%< recursion desired */
+#define RES_DEFNAMES	0x00000080	/*%< use default domain name */
+#define RES_STAYOPEN	0x00000100	/*%< Keep TCP socket open */
+#define RES_DNSRCH	0x00000200	/*%< search up local domain tree */
+#define	RES_INSECURE1	0x00000400	/*%< type 1 security disabled */
+#define	RES_INSECURE2	0x00000800	/*%< type 2 security disabled */
+#define	RES_NOALIASES	0x00001000	/*%< shuts off HOSTALIASES feature */
+#define	RES_USE_INET6	0x00002000	/*%< use/map IPv6 in gethostbyname() */
+#define RES_ROTATE	0x00004000	/*%< rotate ns list after each query */
+#define	RES_NOCHECKNAME	0x00008000	/*%< do not check names for sanity. */
+#define	RES_KEEPTSIG	0x00010000	/*%< do not strip TSIG records */
+#define	RES_BLAST	0x00020000	/*%< blast all recursive servers */
+#define RES_NOTLDQUERY	0x00100000	/*%< don't unqualified name as a tld */
+#define RES_USE_DNSSEC	0x00200000	/*%< use DNSSEC using OK bit in OPT */
 /* #define RES_DEBUG2	0x00400000 */	/* nslookup internal */
 /* KAME extensions: use higher bit to avoid conflict with ISC use */
-#define RES_USE_DNAME	0x10000000	/* use DNAME */
-#define RES_USE_EDNS0	0x40000000	/* use EDNS0 if configured */
-#define RES_NO_NIBBLE2	0x80000000	/* disable alternate nibble lookup */
+#define RES_USE_DNAME	0x10000000	/*%< use DNAME */
+#define RES_USE_EDNS0	0x40000000	/*%< use EDNS0 if configured */
+#define RES_NO_NIBBLE2	0x80000000	/*%< disable alternate nibble lookup */
 
 #define RES_DEFAULT	(RES_RECURSE | RES_DEFNAMES | \
 			 RES_DNSRCH | RES_NO_NIBBLE2)
 
-/*
+/*%
  * Resolver "pfcode" values.  Used by dig.
  */
 #define RES_PRF_STATS	0x00000001
@@ -504,3 +502,4 @@ int		res_getservers __P((res_state,
 __END_DECLS
 
 #endif /* !_RESOLV_H_ */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/Makefile.in b/contrib/bind9/lib/bind/inet/Makefile.in
index 96698fd..7eb297c 100644
--- a/contrib/bind9/lib/bind/inet/Makefile.in
+++ b/contrib/bind9/lib/bind/inet/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:13:23 marka Exp $
+# $Id: Makefile.in,v 1.5 2004/03/05 05:05:13 marka Exp $
 
 srcdir=		@srcdir@
 VPATH =         @srcdir@
diff --git a/contrib/bind9/lib/bind/inet/inet_addr.c b/contrib/bind9/lib/bind/inet/inet_addr.c
index b967dc2..c95622d 100644
--- a/contrib/bind9/lib/bind/inet/inet_addr.c
+++ b/contrib/bind9/lib/bind/inet/inet_addr.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static const char rcsid[] = "$Id: inet_addr.c,v 1.2.206.2 2004/03/17 00:29:45 marka Exp $";
+static const char rcsid[] = "$Id: inet_addr.c,v 1.4.18.1 2005/04/27 05:00:52 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -85,7 +85,7 @@ static const char rcsid[] = "$Id: inet_addr.c,v 1.2.206.2 2004/03/17 00:29:45 ma
 
 #include "port_after.h"
 
-/*
+/*%
  * Ascii internet address interpretation routine.
  * The value returned is in network order.
  */
@@ -98,7 +98,7 @@ inet_addr(const char *cp) {
 	return (INADDR_NONE);
 }
 
-/* 
+/*%
  * Check whether "cp" is a valid ascii representation
  * of an Internet address and convert to a binary address.
  * Returns 1 if the address is valid, 0 if not.
@@ -179,22 +179,22 @@ inet_aton(const char *cp, struct in_addr *addr) {
 	 */
 	n = pp - parts + 1;
 	switch (n) {
-	case 1:				/* a -- 32 bits */
+	case 1:				/*%< a -- 32 bits */
 		break;
 
-	case 2:				/* a.b -- 8.24 bits */
+	case 2:				/*%< a.b -- 8.24 bits */
 		if (val > 0xffffffU)
 			return (0);
 		val |= parts[0] << 24;
 		break;
 
-	case 3:				/* a.b.c -- 8.8.16 bits */
+	case 3:				/*%< a.b.c -- 8.8.16 bits */
 		if (val > 0xffffU)
 			return (0);
 		val |= (parts[0] << 24) | (parts[1] << 16);
 		break;
 
-	case 4:				/* a.b.c.d -- 8.8.8.8 bits */
+	case 4:				/*%< a.b.c.d -- 8.8.8.8 bits */
 		if (val > 0xffU)
 			return (0);
 		val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
@@ -204,3 +204,5 @@ inet_aton(const char *cp, struct in_addr *addr) {
 		addr->s_addr = htonl(val);
 	return (1);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/inet_cidr_ntop.c b/contrib/bind9/lib/bind/inet/inet_cidr_ntop.c
index b25dc82..645b3cd 100644
--- a/contrib/bind9/lib/bind/inet/inet_cidr_ntop.c
+++ b/contrib/bind9/lib/bind/inet/inet_cidr_ntop.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_cidr_ntop.c,v 1.1.2.1.8.4 2006/10/11 02:32:50 marka Exp $";
+static const char rcsid[] = "$Id: inet_cidr_ntop.c,v 1.4.18.3 2006/10/11 02:32:47 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -45,7 +45,7 @@ inet_cidr_ntop_ipv4(const u_char *src, int bits, char *dst, size_t size);
 static char *
 inet_cidr_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size);
 
-/*
+/*%
  * char *
  * inet_cidr_ntop(af, src, bits, dst, size)
  *	convert network address from network to presentation format.
@@ -92,7 +92,7 @@ decoct(const u_char *src, int bytes, char *dst, size_t size) {
 	return (dst - odst);
 }
 
-/*
+/*%
  * static char *
  * inet_cidr_ntop_ipv4(src, bits, dst, size)
  *	convert IPv4 network address from network to presentation format.
@@ -259,3 +259,5 @@ inet_cidr_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size) {
 	strcpy(dst, tmp);
 	return (dst);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/inet_cidr_pton.c b/contrib/bind9/lib/bind/inet/inet_cidr_pton.c
index 5bfef71..b55e3ea 100644
--- a/contrib/bind9/lib/bind/inet/inet_cidr_pton.c
+++ b/contrib/bind9/lib/bind/inet/inet_cidr_pton.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_cidr_pton.c,v 1.2.2.1.8.2 2004/03/17 00:29:46 marka Exp $";
+static const char rcsid[] = "$Id: inet_cidr_pton.c,v 1.5.18.1 2005/04/27 05:00:53 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -49,7 +49,7 @@ static int	inet_cidr_pton_ipv6 __P((const char *src, u_char *dst,
 
 static int	getbits(const char *, int ipv6);
 
-/*
+/*%
  * int
  * inet_cidr_pton(af, src, dst, *bits)
  *	convert network address from presentation to network format.
@@ -204,7 +204,7 @@ inet_cidr_pton_ipv6(const char *src, u_char *dst, int *pbits) {
 		    inet_cidr_pton_ipv4(curtok, tp, &bits, 1) == 0) {
 			tp += NS_INADDRSZ;
 			saw_xdigit = 0;
-			break;	/* '\0' was seen by inet_pton4(). */
+			break;	/*%< '\\0' was seen by inet_pton4(). */
 		}
 		if (ch == '/') {
 			bits = getbits(src, 1);
@@ -256,20 +256,22 @@ getbits(const char *src, int ipv6) {
 	int bits = 0;
 	char *cp, ch;
 	
-	if (*src == '\0')			/* syntax */
+	if (*src == '\0')			/*%< syntax */
 		return (-2);
 	do {
 		ch = *src++;
 		cp = strchr(digits, ch);
-		if (cp == NULL)			/* syntax */
+		if (cp == NULL)			/*%< syntax */
 			return (-2);
 		bits *= 10;
 		bits += cp - digits;
-		if (bits == 0 && *src != '\0')	/* no leading zeros */
+		if (bits == 0 && *src != '\0')	/*%< no leading zeros */
 			return (-2);
-		if (bits > (ipv6 ? 128 : 32))	/* range error */
+		if (bits > (ipv6 ? 128 : 32))	/*%< range error */
 			return (-2);
 	} while (*src != '\0');
 
 	return (bits);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/inet_data.c b/contrib/bind9/lib/bind/inet/inet_data.c
index e586297..f3fa25b 100644
--- a/contrib/bind9/lib/bind/inet/inet_data.c
+++ b/contrib/bind9/lib/bind/inet/inet_data.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$Id: inet_data.c,v 1.2.206.1 2004/03/09 08:33:32 marka Exp $";
+static char rcsid[] = "$Id: inet_data.c,v 1.3.18.1 2005/04/27 05:00:53 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -42,3 +42,5 @@ static char rcsid[] = "$Id: inet_data.c,v 1.2.206.1 2004/03/09 08:33:32 marka Ex
 
 const struct in6_addr isc_in6addr_any = IN6ADDR_ANY_INIT;
 const struct in6_addr isc_in6addr_loopback = IN6ADDR_LOOPBACK_INIT;
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/inet_lnaof.c b/contrib/bind9/lib/bind/inet/inet_lnaof.c
index 97b80cf..70ac409 100644
--- a/contrib/bind9/lib/bind/inet/inet_lnaof.c
+++ b/contrib/bind9/lib/bind/inet/inet_lnaof.c
@@ -43,7 +43,7 @@ static const char sccsid[] = "@(#)inet_lnaof.c	8.1 (Berkeley) 6/4/93";
 
 #include "port_after.h"
 
-/*
+/*%
  * Return the local network address portion of an
  * internet address; handles class a/b/c network
  * number formats.
@@ -61,3 +61,5 @@ inet_lnaof(in)
 	else
 		return ((i)&IN_CLASSC_HOST);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/inet_makeaddr.c b/contrib/bind9/lib/bind/inet/inet_makeaddr.c
index 6e4ecc3..c56cb3e 100644
--- a/contrib/bind9/lib/bind/inet/inet_makeaddr.c
+++ b/contrib/bind9/lib/bind/inet/inet_makeaddr.c
@@ -43,7 +43,7 @@ static const char sccsid[] = "@(#)inet_makeaddr.c	8.1 (Berkeley) 6/4/93";
 
 #include "port_after.h"
 
-/*
+/*%
  * Formulate an Internet address from network + host.  Used in
  * building addresses stored in the ifnet structure.
  */
@@ -64,3 +64,5 @@ inet_makeaddr(net, host)
 	a.s_addr = htonl(a.s_addr);
 	return (a);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/inet_net_ntop.c b/contrib/bind9/lib/bind/inet/inet_net_ntop.c
index 47af6284e..a1ac243 100644
--- a/contrib/bind9/lib/bind/inet/inet_net_ntop.c
+++ b/contrib/bind9/lib/bind/inet/inet_net_ntop.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_net_ntop.c,v 1.1.2.1.8.2 2006/06/20 02:53:07 marka Exp $";
+static const char rcsid[] = "$Id: inet_net_ntop.c,v 1.3.18.2 2006/06/20 02:51:32 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -44,7 +44,7 @@ static char *	inet_net_ntop_ipv4 __P((const u_char *src, int bits,
 static char *	inet_net_ntop_ipv6 __P((const u_char *src, int bits,
 					char *dst, size_t size));
 
-/*
+/*%
  * char *
  * inet_net_ntop(af, src, bits, dst, size)
  *	convert network number from network to presentation format.
@@ -73,7 +73,7 @@ inet_net_ntop(af, src, bits, dst, size)
 	}
 }
 
-/*
+/*%
  * static char *
  * inet_net_ntop_ipv4(src, bits, dst, size)
  *	convert IPv4 network number from network to presentation format.
@@ -148,7 +148,7 @@ inet_net_ntop_ipv4(src, bits, dst, size)
 	return (NULL);
 }
 
-/*
+/*%
  * static char *
  * inet_net_ntop_ipv6(src, bits, fakebits, dst, size)
  *	convert IPv6 network number from network to presentation format.
@@ -275,3 +275,5 @@ emsgsize:
 	errno = EMSGSIZE;
 	return (NULL);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/inet_net_pton.c b/contrib/bind9/lib/bind/inet/inet_net_pton.c
index abecfc7..d3de33b 100644
--- a/contrib/bind9/lib/bind/inet/inet_net_pton.c
+++ b/contrib/bind9/lib/bind/inet/inet_net_pton.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_net_pton.c,v 1.4.2.1.8.2 2004/03/17 00:29:47 marka Exp $";
+static const char rcsid[] = "$Id: inet_net_pton.c,v 1.7.18.1 2005/04/27 05:00:53 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -42,7 +42,7 @@ static const char rcsid[] = "$Id: inet_net_pton.c,v 1.4.2.1.8.2 2004/03/17 00:29
 # define SPRINTF(x) ((size_t)sprintf x)
 #endif
 
-/*
+/*%
  * static int
  * inet_net_pton_ipv4(src, dst, size)
  *	convert IPv4 network number from presentation to network format.
@@ -73,7 +73,7 @@ inet_net_pton_ipv4(const char *src, u_char *dst, size_t size) {
 		if (size <= 0U)
 			goto emsgsize;
 		dirty = 0;
-		src++;	/* skip x or X. */
+		src++;	/*%< skip x or X. */
 		while ((ch = *src++) != '\0' && isascii(ch) && isxdigit(ch)) {
 			if (isupper(ch))
 				ch = tolower(ch);
@@ -90,7 +90,7 @@ inet_net_pton_ipv4(const char *src, u_char *dst, size_t size) {
 				dirty = 0;
 			}
 		}
-		if (dirty) {  /* Odd trailing nybble? */
+		if (dirty) {  /*%< Odd trailing nybble? */
 			if (size-- <= 0U)
 				goto emsgsize;
 			*dst++ = (u_char) (tmp << 4);
@@ -126,7 +126,7 @@ inet_net_pton_ipv4(const char *src, u_char *dst, size_t size) {
 	if (ch == '/' && isascii((unsigned char)(src[0])) &&
 	    isdigit((unsigned char)(src[0])) && dst > odst) {
 		/* CIDR width specifier.  Nothing can follow it. */
-		ch = *src++;	/* Skip over the /. */
+		ch = *src++;	/*%< Skip over the /. */
 		bits = 0;
 		do {
 			n = strchr(digits, ch) - digits;
@@ -149,15 +149,15 @@ inet_net_pton_ipv4(const char *src, u_char *dst, size_t size) {
 		goto enoent;
 	/* If no CIDR spec was given, infer width from net class. */
 	if (bits == -1) {
-		if (*odst >= 240)	/* Class E */
+		if (*odst >= 240)	/*%< Class E */
 			bits = 32;
-		else if (*odst >= 224)	/* Class D */
+		else if (*odst >= 224)	/*%< Class D */
 			bits = 8;
-		else if (*odst >= 192)	/* Class C */
+		else if (*odst >= 192)	/*%< Class C */
 			bits = 24;
-		else if (*odst >= 128)	/* Class B */
+		else if (*odst >= 128)	/*%< Class B */
 			bits = 16;
-		else			/* Class A */
+		else			/*%< Class A */
 			bits = 8;
 		/* If imputed mask is narrower than specified octets, widen. */
 		if (bits < ((dst - odst) * 8))
@@ -200,11 +200,11 @@ getbits(const char *src, int *bitsp) {
 
 		pch = strchr(digits, ch);
 		if (pch != NULL) {
-			if (n++ != 0 && val == 0)	/* no leading zeros */
+			if (n++ != 0 && val == 0)	/*%< no leading zeros */
 				return (0);
 			val *= 10;
 			val += (pch - digits);
-			if (val > 128)			/* range */
+			if (val > 128)			/*%< range */
 				return (0);
 			continue;
 		}
@@ -231,16 +231,16 @@ getv4(const char *src, u_char *dst, int *bitsp) {
 
 		pch = strchr(digits, ch);
 		if (pch != NULL) {
-			if (n++ != 0 && val == 0)	/* no leading zeros */
+			if (n++ != 0 && val == 0)	/*%< no leading zeros */
 				return (0);
 			val *= 10;
 			val += (pch - digits);
-			if (val > 255)			/* range */
+			if (val > 255)			/*%< range */
 				return (0);
 			continue;
 		}
 		if (ch == '.' || ch == '/') {
-			if (dst - odst > 3)		/* too many octets? */
+			if (dst - odst > 3)		/*%< too many octets? */
 				return (0);
 			*dst++ = val;
 			if (ch == '/')
@@ -253,7 +253,7 @@ getv4(const char *src, u_char *dst, int *bitsp) {
 	}
 	if (n == 0)
 		return (0);
-	if (dst - odst > 3)		/* too many octets? */
+	if (dst - odst > 3)		/*%< too many octets? */
 		return (0);
 	*dst++ = val;
 	return (1);
@@ -322,7 +322,7 @@ inet_net_pton_ipv6(const char *src, u_char *dst, size_t size) {
 			tp += NS_INADDRSZ;
 			saw_xdigit = 0;
 			ipv4 = 1;
-			break;	/* '\0' was seen by inet_pton4(). */
+			break;	/*%< '\\0' was seen by inet_pton4(). */
 		}
 		if (ch == '/' && getbits(src, &bits) > 0)
 			break;
@@ -378,7 +378,7 @@ inet_net_pton_ipv6(const char *src, u_char *dst, size_t size) {
 	return (-1);
 }
 
-/*
+/*%
  * int
  * inet_net_pton(af, src, dst, size)
  *	convert network number from presentation to network format.
@@ -403,3 +403,5 @@ inet_net_pton(int af, const char *src, void *dst, size_t size) {
 		return (-1);
 	}
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/inet_neta.c b/contrib/bind9/lib/bind/inet/inet_neta.c
index 325b7ce..bc3b601 100644
--- a/contrib/bind9/lib/bind/inet/inet_neta.c
+++ b/contrib/bind9/lib/bind/inet/inet_neta.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_neta.c,v 1.1.206.1 2004/03/09 08:33:33 marka Exp $";
+static const char rcsid[] = "$Id: inet_neta.c,v 1.2.18.1 2005/04/27 05:00:53 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -38,7 +38,7 @@ static const char rcsid[] = "$Id: inet_neta.c,v 1.1.206.1 2004/03/09 08:33:33 ma
 # define SPRINTF(x) ((size_t)sprintf x)
 #endif
 
-/*
+/*%
  * char *
  * inet_neta(src, dst, size)
  *	format a u_long network number into presentation format.
@@ -85,3 +85,5 @@ inet_neta(src, dst, size)
 	errno = EMSGSIZE;
 	return (NULL);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/inet_netof.c b/contrib/bind9/lib/bind/inet/inet_netof.c
index e887530..c228e3d 100644
--- a/contrib/bind9/lib/bind/inet/inet_netof.c
+++ b/contrib/bind9/lib/bind/inet/inet_netof.c
@@ -43,7 +43,7 @@ static const char sccsid[] = "@(#)inet_netof.c	8.1 (Berkeley) 6/4/93";
 
 #include "port_after.h"
 
-/*
+/*%
  * Return the network number from an internet
  * address; handles class a/b/c network #'s.
  */
@@ -60,3 +60,5 @@ inet_netof(in)
 	else
 		return (((i)&IN_CLASSC_NET) >> IN_CLASSC_NSHIFT);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/inet_network.c b/contrib/bind9/lib/bind/inet/inet_network.c
index aaa50c8..4758a00 100644
--- a/contrib/bind9/lib/bind/inet/inet_network.c
+++ b/contrib/bind9/lib/bind/inet/inet_network.c
@@ -44,7 +44,7 @@ static const char sccsid[] = "@(#)inet_network.c	8.1 (Berkeley) 6/4/93";
 
 #include "port_after.h"
 
-/*
+/*%
  * Internet network address interpretation routine.
  * The library routines call this routine to interpret
  * network numbers.
@@ -102,3 +102,5 @@ again:
 	}
 	return (val);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/inet_ntoa.c b/contrib/bind9/lib/bind/inet/inet_ntoa.c
index 7fad4b8..1d566be 100644
--- a/contrib/bind9/lib/bind/inet/inet_ntoa.c
+++ b/contrib/bind9/lib/bind/inet/inet_ntoa.c
@@ -33,7 +33,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)inet_ntoa.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: inet_ntoa.c,v 1.1 2001/03/29 06:31:38 marka Exp $";
+static const char rcsid[] = "$Id: inet_ntoa.c,v 1.1.352.1 2005/04/27 05:00:54 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -48,7 +48,7 @@ static const char rcsid[] = "$Id: inet_ntoa.c,v 1.1 2001/03/29 06:31:38 marka Ex
 
 #include "port_after.h"
 
-/*
+/*%
  * Convert network-format internet address
  * to base 256 d.d.d.d representation.
  */
@@ -60,3 +60,5 @@ inet_ntoa(struct in_addr in) {
 	(void) inet_ntop(AF_INET, &in, ret, sizeof ret);
 	return (ret);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/inet_ntop.c b/contrib/bind9/lib/bind/inet/inet_ntop.c
index cd502ab..9ab38bc 100644
--- a/contrib/bind9/lib/bind/inet/inet_ntop.c
+++ b/contrib/bind9/lib/bind/inet/inet_ntop.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_ntop.c,v 1.1.2.1.8.2 2005/11/03 23:08:40 marka Exp $";
+static const char rcsid[] = "$Id: inet_ntop.c,v 1.3.18.2 2005/11/03 23:02:22 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -41,7 +41,7 @@ static const char rcsid[] = "$Id: inet_ntop.c,v 1.1.2.1.8.2 2005/11/03 23:08:40
 # define SPRINTF(x) ((size_t)sprintf x)
 #endif
 
-/*
+/*%
  * WARNING: Don't even consider trying to compile this on a system where
  * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
  */
@@ -203,3 +203,5 @@ inet_ntop6(src, dst, size)
 	strcpy(dst, tmp);
 	return (dst);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/inet_pton.c b/contrib/bind9/lib/bind/inet/inet_pton.c
index f18a7b6..66b4c6a 100644
--- a/contrib/bind9/lib/bind/inet/inet_pton.c
+++ b/contrib/bind9/lib/bind/inet/inet_pton.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_pton.c,v 1.2.206.2 2005/07/28 07:43:18 marka Exp $";
+static const char rcsid[] = "$Id: inet_pton.c,v 1.3.18.2 2005/07/28 07:38:07 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -30,7 +30,7 @@ static const char rcsid[] = "$Id: inet_pton.c,v 1.2.206.2 2005/07/28 07:43:18 ma
 #include <errno.h>
 #include "port_after.h"
 
-/*
+/*%
  * WARNING: Don't even consider trying to compile this on a system where
  * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
  */
@@ -188,7 +188,7 @@ inet_pton6(src, dst)
 		    inet_pton4(curtok, tp) > 0) {
 			tp += NS_INADDRSZ;
 			seen_xdigits = 0;
-			break;	/* '\0' was seen by inet_pton4(). */
+			break;	/*%< '\\0' was seen by inet_pton4(). */
 		}
 		return (0);
 	}
@@ -219,3 +219,5 @@ inet_pton6(src, dst)
 	memcpy(dst, tmp, NS_IN6ADDRSZ);
 	return (1);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/inet/nsap_addr.c b/contrib/bind9/lib/bind/inet/nsap_addr.c
index a4b98e7..d8fe87c 100644
--- a/contrib/bind9/lib/bind/inet/nsap_addr.c
+++ b/contrib/bind9/lib/bind/inet/nsap_addr.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nsap_addr.c,v 1.2.206.2 2005/07/28 07:43:18 marka Exp $";
+static const char rcsid[] = "$Id: nsap_addr.c,v 1.3.18.2 2005/07/28 07:38:08 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -107,3 +107,5 @@ inet_nsap_ntoa(int binlen, const u_char *binary, char *ascii) {
 	*ascii = '\0';
 	return (start);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/Makefile.in b/contrib/bind9/lib/bind/irs/Makefile.in
index 9695435..ce6f5f2 100644
--- a/contrib/bind9/lib/bind/irs/Makefile.in
+++ b/contrib/bind9/lib/bind/irs/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.7.206.3 2004/12/07 00:38:35 marka Exp $
+# $Id: Makefile.in,v 1.8.18.2 2004/12/07 00:53:48 marka Exp $
 
 srcdir=		@srcdir@
 VPATH =         @srcdir@
diff --git a/contrib/bind9/lib/bind/irs/dns.c b/contrib/bind9/lib/bind/irs/dns.c
index 27529b5..b78a1d6 100644
--- a/contrib/bind9/lib/bind/irs/dns.c
+++ b/contrib/bind9/lib/bind/irs/dns.c
@@ -16,10 +16,11 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns.c,v 1.1.206.3 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Id: dns.c,v 1.3.18.2 2006/03/10 00:20:08 marka Exp $";
 #endif
 
-/*
+/*! \file
+ * \brief
  * dns.c --- this is the top-level accessor function for the dns
  */
 
diff --git a/contrib/bind9/lib/bind/irs/dns_gr.c b/contrib/bind9/lib/bind/irs/dns_gr.c
index a35b10c..358e5a7 100644
--- a/contrib/bind9/lib/bind/irs/dns_gr.c
+++ b/contrib/bind9/lib/bind/irs/dns_gr.c
@@ -16,10 +16,11 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_gr.c,v 1.1.2.1.4.1 2004/03/09 08:33:34 marka Exp $";
+static const char rcsid[] = "$Id: dns_gr.c,v 1.3.18.1 2005/04/27 05:00:54 sra Exp $";
 #endif
 
-/*
+/*! \file
+ * \brief
  * dns_gr.c --- this file contains the functions for accessing
  * 	group information from Hesiod.
  */
@@ -69,7 +70,7 @@ struct pvt {
 	 * we keep one buffer and resize it as needed.
 	 */
 	struct group	group;
-	size_t		nmemb;		/* Malloc'd max index of gr_mem[]. */
+	size_t		nmemb;		/*%< Malloc'd max index of gr_mem[]. */
 	char *		membuf;
 	size_t		membufsize;
 };
diff --git a/contrib/bind9/lib/bind/irs/dns_ho.c b/contrib/bind9/lib/bind/irs/dns_ho.c
index 192be04..d1d6f5a 100644
--- a/contrib/bind9/lib/bind/irs/dns_ho.c
+++ b/contrib/bind9/lib/bind/irs/dns_ho.c
@@ -52,7 +52,7 @@
 /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.7.4.8 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Id: dns_ho.c,v 1.14.18.7 2006/12/07 03:54:24 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -95,8 +95,7 @@ static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.7.4.8 2006/03/10 00:17:21 mar
 #define	MAXALIASES	35
 #define	MAXADDRS	35
 
-#define MAXPACKET (65535)	/* Maximum TCP message size */
-
+#define MAXPACKET (65535)	/*%< Maximum TCP message size */
 #define BOUNDS_CHECK(ptr, count) \
 	if ((ptr) + (count) > eom) { \
 		had_error++; \
@@ -110,14 +109,14 @@ typedef union {
 
 struct dns_res_target {
 	struct dns_res_target *next;
-	querybuf qbuf;		/* query buffer */
-	u_char *answer;		/* buffer to put answer */
-	int anslen;		/* size of answer buffer */
-	int qclass, qtype;	/* class and type of query */
-	int action;		/* condition whether query is really issued */
-	char qname[MAXDNAME +1]; /* domain name */
+	querybuf qbuf;		/*%< query buffer */
+	u_char *answer;		/*%< buffer to put answer */
+	int anslen;		/*%< size of answer buffer */
+	int qclass, qtype;	/*%< class and type of query */
+	int action;		/*%< condition whether query is really issued */
+	char qname[MAXDNAME +1]; /*%< domain name */
 #if 0
-	int n;			/* result length */
+	int n;			/*%< result length */
 #endif
 };
 enum {RESTGT_DOALWAYS, RESTGT_AFTERFAILURE, RESTGT_IGNORE};
@@ -128,7 +127,7 @@ struct pvt {
 	char *		h_addr_ptrs[MAXADDRS + 1];
 	char *		host_aliases[MAXALIASES];
 	char		hostbuf[8*1024];
-	u_char		host_addr[16];	/* IPv4 or IPv6 */
+	u_char		host_addr[16];	/*%< IPv4 or IPv6 */
 	struct __res_state  *res;
 	void		(*free_res)(void *);
 };
@@ -141,8 +140,7 @@ typedef union {
 static const u_char mapped[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0xff,0xff };
 static const u_char tunnelled[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0,0 };
 /* Note: the IPv6 loopback address is in the "tunnel" space */
-static const u_char v6local[] = { 0,0, 0,1 }; /* last 4 bytes of IPv6 addr */
-
+static const u_char v6local[] = { 0,0, 0,1 }; /*%< last 4 bytes of IPv6 addr */
 /* Forwards. */
 
 static void		ho_close(struct irs_ho *this);
@@ -317,8 +315,7 @@ ho_byname2(struct irs_ho *this, const char *name, int af)
 		if ((hp = gethostans(this, p->answer, n, name, p->qtype,
 				     af, size, NULL,
 				     (const struct addrinfo *)&ai)) != NULL)
-			goto cleanup;	/* no more loop is necessary */
-
+			goto cleanup;	/*%< no more loop is necessary */
 		querystate = RESQRY_FAIL;
 		continue;
 	}
@@ -495,10 +492,9 @@ ho_byaddr(struct irs_ho *this, const void *addr, int len, int af)
 		}
 
 		RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
-		goto cleanup;	/* no more loop is necessary. */
+		goto cleanup;	/*%< no more loop is necessary. */
 	}
-	hp = NULL; /* H_ERRNO was set by subroutines */
-
+	hp = NULL; /*%< H_ERRNO was set by subroutines */
  cleanup:
 	if (q != NULL)
 		memput(q, sizeof(*q));
@@ -610,7 +606,7 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		q->action = RESTGT_DOALWAYS;
 		break;
 	default:
-		RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); /* better error? */
+		RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); /*%< better error? */
 		goto cleanup;
 	}
 
@@ -643,7 +639,7 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 			continue;
 		}
 		(void)gethostans(this, p->answer, n, name, p->qtype,
-				 pai->ai_family, /* XXX: meaningless */
+				 pai->ai_family, /*%< XXX: meaningless */
 				 0, &ai, pai);
 		if (ai) {
 			querystate = RESQRY_SUCCESS;
@@ -681,7 +677,7 @@ ho_res_set(struct irs_ho *this, struct __res_state *res,
 static struct hostent *
 gethostans(struct irs_ho *this,
 	   const u_char *ansbuf, int anslen, const char *qname, int qtype,
-	   int af, int size,	/* meaningless for addrinfo cases */
+	   int af, int size,	/*!< meaningless for addrinfo cases  */
 	   struct addrinfo **ret_aip, const struct addrinfo *pai)
 {
 	struct pvt *pvt = (struct pvt *)this->private;
@@ -709,7 +705,7 @@ gethostans(struct irs_ho *this,
 	switch (qtype) {
 	case T_A:
 	case T_AAAA:
-	case T_ANY:	/* use T_ANY only for T_A/T_AAAA lookup */
+	case T_ANY:	/*%< use T_ANY only for T_A/T_AAAA lookup */
 		name_ok = res_hnok;
 		break;
 	case T_PTR:
@@ -755,7 +751,7 @@ gethostans(struct irs_ho *this,
 		 * same as the one we sent; this just gets the expanded name
 		 * (i.e., with the succeeding search-domain tacked on).
 		 */
-		n = strlen(bp) + 1;		/* for the \0 */
+		n = strlen(bp) + 1;		/*%< for the \\0 */
 		if (n > MAXHOSTNAMELEN) {
 			RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
 			return (NULL);
@@ -780,14 +776,14 @@ gethostans(struct irs_ho *this,
 			had_error++;
 			continue;
 		}
-		cp += n;			/* name */
+		cp += n;			/*%< name */
 		BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ);
 		type = ns_get16(cp);
- 		cp += INT16SZ;			/* type */
+ 		cp += INT16SZ;			/*%< type */
 		class = ns_get16(cp);
- 		cp += INT16SZ + INT32SZ;	/* class, TTL */
+ 		cp += INT16SZ + INT32SZ;	/*%< class, TTL */
 		n = ns_get16(cp);
-		cp += INT16SZ;			/* len */
+		cp += INT16SZ;			/*%< len */
 		BOUNDS_CHECK(cp, n);
 		if (class != C_IN) {
 			cp += n;
@@ -815,10 +811,10 @@ gethostans(struct irs_ho *this,
 			if (ap >= &pvt->host_aliases[MAXALIASES-1])
 				continue;
 			*ap++ = bp;
-			n = strlen(bp) + 1;	/* for the \0 */
+			n = strlen(bp) + 1;	/*%< for the \\0 */
 			bp += n;
 			/* Get canonical name. */
-			n = strlen(tbuf) + 1;	/* for the \0 */
+			n = strlen(tbuf) + 1;	/*%< for the \\0 */
 			if (n > (ep - bp) || n > MAXHOSTNAMELEN) {
 				had_error++;
 				continue;
@@ -850,7 +846,7 @@ gethostans(struct irs_ho *this,
 					continue;
 			}
 			/* Get canonical name. */
-			n = strlen(tbuf) + 1;	/* for the \0 */
+			n = strlen(tbuf) + 1;	/*%< for the \\0 */
 			if (n > (ep - bp)) {
 				had_error++;
 				continue;
@@ -896,7 +892,7 @@ gethostans(struct irs_ho *this,
 			else
 				n = -1;
 			if (n != -1) {
-				n = strlen(bp) + 1;	/* for the \0 */
+				n = strlen(bp) + 1;	/*%< for the \\0 */
 				bp += n;
 			}
 			break;
@@ -927,7 +923,7 @@ gethostans(struct irs_ho *this,
 			if (!haveanswer) {
 				int nn;
 
-				nn = strlen(bp) + 1;	/* for the \0 */
+				nn = strlen(bp) + 1;	/*%< for the \\0 */
 				if (nn >= MAXHOSTNAMELEN) {
 					cp += n;
 					had_error++;
@@ -941,14 +937,14 @@ gethostans(struct irs_ho *this,
 			bp = (char *)(((u_long)bp + (sizeof(align) - 1)) &
 				      ~(sizeof(align) - 1));
 			/* Avoid overflows. */
-			if (bp + n >= &pvt->hostbuf[sizeof pvt->hostbuf]) {
+			if (bp + n > &pvt->hostbuf[sizeof(pvt->hostbuf) - 1]) {
 				had_error++;
 				continue;
 			}
-			if (ret_aip) { /* need addrinfo. keep it. */
+			if (ret_aip) { /*%< need addrinfo. keep it. */
 				while (cur->ai_next)
 					cur = cur->ai_next;
-			} else if (cur->ai_next) { /* need hostent */
+			} else if (cur->ai_next) { /*%< need hostent */
 				struct addrinfo *aip = cur->ai_next;
 
 				for (aip = cur->ai_next; aip;
@@ -988,7 +984,7 @@ gethostans(struct irs_ho *this,
 				addrsort(pvt->res, pvt->h_addr_ptrs,
 					 haveanswer);
 			if (pvt->host.h_name == NULL) {
-				n = strlen(qname) + 1;	/* for the \0 */
+				n = strlen(qname) + 1;	/*%< for the \\0 */
 				if (n > (ep - bp) || n >= MAXHOSTNAMELEN)
 					goto no_recovery;
 				strcpy(bp, qname);	/* (checked) */
@@ -1044,18 +1040,17 @@ add_hostent(struct pvt *pvt, char *bp, char **hap, struct addrinfo *ai)
 		addrp = (char *)&((struct sockaddr_in *)ai->ai_addr)->sin_addr;
 		break;
 	default:
-		return(-1);	/* abort? */
+		return(-1);	/*%< abort? */
 	}
 
 	/* Ensure alignment. */
 	bp = (char *)(((u_long)bp + (sizeof(align) - 1)) &
 		      ~(sizeof(align) - 1));
 	/* Avoid overflows. */
-	if (bp + addrlen >= &pvt->hostbuf[sizeof pvt->hostbuf])
+	if (bp + addrlen > &pvt->hostbuf[sizeof(pvt->hostbuf) - 1])
 		return(-1);
 	if (hap >= &pvt->h_addr_ptrs[MAXADDRS-1])
-		return(0); /* fail, but not treat it as an error. */
-
+		return(0); /*%< fail, but not treat it as an error. */
 	/* Suppress duplicates. */
 	for (tap = (const char **)pvt->h_addr_ptrs;
 	     *tap != NULL;
diff --git a/contrib/bind9/lib/bind/irs/dns_nw.c b/contrib/bind9/lib/bind/irs/dns_nw.c
index 8a5937d..1d03a52 100644
--- a/contrib/bind9/lib/bind/irs/dns_nw.c
+++ b/contrib/bind9/lib/bind/irs/dns_nw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_nw.c,v 1.3.2.4.4.4 2004/09/16 00:57:34 marka Exp $";
+static const char rcsid[] = "$Id: dns_nw.c,v 1.9.18.3 2005/04/27 05:00:55 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -377,16 +377,16 @@ get1101answer(struct irs_nw *this,
 	while (--ancount >= 0 && cp < eom) {
 		int n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
 
-		cp += n;		/* Owner */
+		cp += n;		/*%< Owner */
 		if (n < 0 || !maybe_dnok(pvt->res, bp) ||
 		    cp + 3 * INT16SZ + INT32SZ > eom) {
 			RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
 			return (NULL);
 		}
-		GETSHORT(type, cp);	/* Type */
-		GETSHORT(class, cp);	/* Class */
-		cp += INT32SZ;		/* TTL */
-		GETSHORT(n, cp);	/* RDLENGTH */
+		GETSHORT(type, cp);	/*%< Type */
+		GETSHORT(class, cp);	/*%< Class */
+		cp += INT32SZ;		/*%< TTL */
+		GETSHORT(n, cp);	/*%< RDLENGTH */
 		if (class == C_IN && type == T_PTR) {
 			int nn;
 
@@ -430,7 +430,7 @@ get1101answer(struct irs_nw *this,
 			    }
 			}
 		}
-		cp += n;		/* RDATA */
+		cp += n;		/*%< RDATA */
 	}
 	if (!haveanswer) {
 		RES_SET_H_ERRNO(pvt->res, TRY_AGAIN);
@@ -491,13 +491,13 @@ get1101mask(struct irs_nw *this, struct nwent *nwent) {
 
 		if (n < 0 || !maybe_dnok(pvt->res, owner))
 			break;
-		cp += n;		/* Owner */
+		cp += n;		/*%< Owner */
 		if (cp + 3 * INT16SZ + INT32SZ > eom)
 			break;
-		GETSHORT(type, cp);	/* Type */
-		GETSHORT(class, cp);	/* Class */
-		cp += INT32SZ;		/* TTL */
-		GETSHORT(n, cp);	/* RDLENGTH */
+		GETSHORT(type, cp);	/*%< Type */
+		GETSHORT(class, cp);	/*%< Class */
+		cp += INT32SZ;		/*%< TTL */
+		GETSHORT(n, cp);	/*%< RDLENGTH */
 		if (cp + n > eom)
 			break;
 		if (n == INADDRSZ && class == C_IN && type == T_A &&
@@ -513,7 +513,7 @@ get1101mask(struct irs_nw *this, struct nwent *nwent) {
 					else
 						break;
 		}
-		cp += n;		/* RDATA */
+		cp += n;		/*%< RDATA */
 	}
 	memput(ansbuf, MAXPACKET);
 	return (nwent);
@@ -587,3 +587,5 @@ init(struct irs_nw *this) {
 		return (-1);
 	return (0);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/dns_p.h b/contrib/bind9/lib/bind/irs/dns_p.h
index f984c1c..a19ff2d 100644
--- a/contrib/bind9/lib/bind/irs/dns_p.h
+++ b/contrib/bind9/lib/bind/irs/dns_p.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dns_p.h,v 1.1.206.2 2004/03/17 00:29:48 marka Exp $
+ * $Id: dns_p.h,v 1.3.18.1 2005/04/27 05:00:55 sra Exp $
  */
 
 #ifndef _DNS_P_H_INCLUDED
@@ -27,7 +27,7 @@
 #define maybe_hnok(res, hn) maybe_ok((res), (hn), res_hnok)
 #define maybe_dnok(res, dn) maybe_ok((res), (dn), res_dnok)
 
-/*
+/*%
  * Object state.
  */
 struct dns_p {
@@ -48,3 +48,5 @@ extern struct irs_ho *	irs_dns_ho __P((struct irs_acc *));
 extern struct irs_nw *	irs_dns_nw __P((struct irs_acc *));
 
 #endif /*_DNS_P_H_INCLUDED*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/dns_pr.c b/contrib/bind9/lib/bind/irs/dns_pr.c
index ffcca15..7582f85 100644
--- a/contrib/bind9/lib/bind/irs/dns_pr.c
+++ b/contrib/bind9/lib/bind/irs/dns_pr.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_pr.c,v 1.3.206.1 2004/03/09 08:33:34 marka Exp $";
+static const char rcsid[] = "$Id: dns_pr.c,v 1.4.18.1 2005/04/27 05:00:55 sra Exp $";
 #endif
 
 /* Imports */
@@ -264,3 +264,5 @@ parse_hes_list(struct irs_pr *this, char **hes_list) {
 	}
 	return (NULL);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/dns_pw.c b/contrib/bind9/lib/bind/irs/dns_pw.c
index 41b3795..62c61d5 100644
--- a/contrib/bind9/lib/bind/irs/dns_pw.c
+++ b/contrib/bind9/lib/bind/irs/dns_pw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_pw.c,v 1.1.206.1 2004/03/09 08:33:34 marka Exp $";
+static const char rcsid[] = "$Id: dns_pw.c,v 1.2.18.1 2005/04/27 05:00:55 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -229,3 +229,4 @@ getpwcommon(struct irs_pw *this, const char *arg, const char *type) {
 }
 
 #endif /* WANT_IRS_PW */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/dns_sv.c b/contrib/bind9/lib/bind/irs/dns_sv.c
index a2aafde..fcb25ac 100644
--- a/contrib/bind9/lib/bind/irs/dns_sv.c
+++ b/contrib/bind9/lib/bind/irs/dns_sv.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_sv.c,v 1.3.206.1 2004/03/09 08:33:34 marka Exp $";
+static const char rcsid[] = "$Id: dns_sv.c,v 1.4.18.1 2005/04/27 05:00:55 sra Exp $";
 #endif
 
 /* Imports */
@@ -111,8 +111,8 @@ irs_dns_sv(struct irs_acc *this) {
 	sv->res_get = sv_res_get;
 	sv->res_set = sv_res_set;
 #else
-	sv->res_get = NULL; /* sv_res_get; */
-	sv->res_set = NULL; /* sv_res_set; */
+	sv->res_get = NULL; /*%< sv_res_get; */
+	sv->res_set = NULL; /*%< sv_res_set; */
 #endif
 	return (sv);
 }
@@ -296,3 +296,5 @@ sv_res_set(struct irs_sv *this, struct __res_state * res,
 	__hesiod_res_set(dns->hes_ctx, res, free_res);
 }
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/gai_strerror.c b/contrib/bind9/lib/bind/irs/gai_strerror.c
index 0492f8f..29196a0 100644
--- a/contrib/bind9/lib/bind/irs/gai_strerror.c
+++ b/contrib/bind9/lib/bind/irs/gai_strerror.c
@@ -26,21 +26,20 @@
 
 static const char *gai_errlist[] = {
 	"no error",
-	"address family not supported for name",/* EAI_ADDRFAMILY */
-	"temporary failure",			/* EAI_AGAIN */
-	"invalid flags",			/* EAI_BADFLAGS */
-	"permanent failure",			/* EAI_FAIL */
-	"address family not supported",		/* EAI_FAMILY */
-	"memory failure",			/* EAI_MEMORY */
-	"no address",				/* EAI_NODATA */
-	"unknown name or service",		/* EAI_NONAME */
-	"service not supported for socktype",	/* EAI_SERVICE */
-	"socktype not supported",		/* EAI_SOCKTYPE */
-	"system failure",			/* EAI_SYSTEM */
-	"bad hints",				/* EAI_BADHINTS */
-	"bad protocol",				/* EAI_PROTOCOL */
-
-	"unknown error"				/* Must be last. */
+	"address family not supported for name",/*%< EAI_ADDRFAMILY */
+	"temporary failure",			/*%< EAI_AGAIN */
+	"invalid flags",			/*%< EAI_BADFLAGS */
+	"permanent failure",			/*%< EAI_FAIL */
+	"address family not supported",		/*%< EAI_FAMILY */
+	"memory failure",			/*%< EAI_MEMORY */
+	"no address",				/*%< EAI_NODATA */
+	"unknown name or service",		/*%< EAI_NONAME */
+	"service not supported for socktype",	/*%< EAI_SERVICE */
+	"socktype not supported",		/*%< EAI_SOCKTYPE */
+	"system failure",			/*%< EAI_SYSTEM */
+	"bad hints",				/*%< EAI_BADHINTS */
+	"bad protocol",				/*%< EAI_PROTOCOL */
+	"unknown error"				/*%< Must be last. */
 };
 
 static const int gai_nerr = (sizeof(gai_errlist)/sizeof(*gai_errlist));
@@ -100,3 +99,5 @@ gai_strerror(int ecode) {
 	return ("unknown error");
 #endif
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/gen.c b/contrib/bind9/lib/bind/irs/gen.c
index e093db3..8e9146e 100644
--- a/contrib/bind9/lib/bind/irs/gen.c
+++ b/contrib/bind9/lib/bind/irs/gen.c
@@ -16,10 +16,11 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen.c,v 1.3.206.3 2004/09/16 00:57:34 marka Exp $";
+static const char rcsid[] = "$Id: gen.c,v 1.5.18.2 2005/04/27 05:00:56 sra Exp $";
 #endif
 
-/*
+/*! \file
+ * \brief
  * this is the top level dispatcher
  *
  * The dispatcher is implemented as an accessor class; it is an
diff --git a/contrib/bind9/lib/bind/irs/gen_gr.c b/contrib/bind9/lib/bind/irs/gen_gr.c
index e0c6dba..0829ed8 100644
--- a/contrib/bind9/lib/bind/irs/gen_gr.c
+++ b/contrib/bind9/lib/bind/irs/gen_gr.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_gr.c,v 1.4.2.1.4.2 2004/05/17 07:48:56 marka Exp $";
+static const char rcsid[] = "$Id: gen_gr.c,v 1.6.18.2 2005/04/27 05:00:56 sra Exp $";
 #endif
 
 /* Imports */
@@ -61,7 +61,7 @@ struct pvt {
 	 * we keep one buffer and resize it as needed.
 	 */
 	struct group		group;
-	size_t			nmemb;    /* Malloc'd max index of gr_mem[]. */
+	size_t			nmemb;    /*%< Malloc'd max index of gr_mem[]. */
 	char *			membuf;
 	size_t			membufsize;
 	struct __res_state *	res;
@@ -490,3 +490,4 @@ newgid(int ngroups, gid_t *groups, gid_t group) {
 }
 
 #endif /* WANT_IRS_GR */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/gen_ho.c b/contrib/bind9/lib/bind/irs/gen_ho.c
index f17aa22..c5e09da 100644
--- a/contrib/bind9/lib/bind/irs/gen_ho.c
+++ b/contrib/bind9/lib/bind/irs/gen_ho.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: gen_ho.c,v 1.1.206.3 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Id: gen_ho.c,v 1.3.18.2 2006/03/10 00:20:08 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
@@ -348,7 +348,7 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		ho = rule->inst->ho;
 		RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
 		errno = 0;
-		if (ho->addrinfo == NULL) /* for safety */
+		if (ho->addrinfo == NULL) /*%< for safety */
 			continue;
 		rval = (*ho->addrinfo)(ho, name, pai);
 		if (rval != NULL)
@@ -387,3 +387,5 @@ init(struct irs_ho *this) {
 
         return (0);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/gen_ng.c b/contrib/bind9/lib/bind/irs/gen_ng.c
index 9f3ecad..67f4edd 100644
--- a/contrib/bind9/lib/bind/irs/gen_ng.c
+++ b/contrib/bind9/lib/bind/irs/gen_ng.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_ng.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
+static const char rcsid[] = "$Id: gen_ng.c,v 1.2.18.1 2005/04/27 05:00:56 sra Exp $";
 #endif
 
 /* Imports */
@@ -170,3 +170,5 @@ ng_minimize(struct irs_ng *this) {
 		(*ng->minimize)(ng);
 	}
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/gen_nw.c b/contrib/bind9/lib/bind/irs/gen_nw.c
index cb41f5d..8452f3f 100644
--- a/contrib/bind9/lib/bind/irs/gen_nw.c
+++ b/contrib/bind9/lib/bind/irs/gen_nw.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_nw.c,v 1.1.206.2 2004/03/17 01:49:40 marka Exp $";
+static const char rcsid[] = "$Id: gen_nw.c,v 1.3.18.1 2005/04/27 05:00:56 sra Exp $";
 #endif
 
 /* Imports */
@@ -260,3 +260,5 @@ init(struct irs_nw *this) {
 		return (-1);
 	return (0);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/gen_p.h b/contrib/bind9/lib/bind/irs/gen_p.h
index 0a7ea2b..a0a312d 100644
--- a/contrib/bind9/lib/bind/irs/gen_p.h
+++ b/contrib/bind9/lib/bind/irs/gen_p.h
@@ -16,10 +16,11 @@
  */
 
 /*
- * $Id: gen_p.h,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $
+ * $Id: gen_p.h,v 1.2.18.1 2005/04/27 05:00:56 sra Exp $
  */
 
-/* Notes:
+/*! \file
+ *  Notes:
  *	We hope to create a complete set of thread-safe entry points someday,
  *	which will mean a set of getXbyY() functions that take as an argument
  *	a pointer to the map class, which will have a pointer to the private
@@ -36,32 +37,32 @@
 #ifndef _GEN_P_H_INCLUDED
 #define _GEN_P_H_INCLUDED
 
-/*
+/*%
  * These are the access methods.
  */
 enum irs_acc_id {
-	irs_lcl,	/* Local. */
-	irs_dns,	/* DNS or Hesiod. */
-	irs_nis,	/* Sun NIS ("YP"). */
-	irs_irp,	/* IR protocol.  */
+	irs_lcl,	/*%< Local. */
+	irs_dns,	/*%< DNS or Hesiod. */
+	irs_nis,	/*%< Sun NIS ("YP"). */
+	irs_irp,	/*%< IR protocol. */
 	irs_nacc
 };
 
-/*
+/*%
  * These are the map types.
  */
 enum irs_map_id {
-	irs_gr,		/* "group" */
-	irs_pw,		/* "passwd" */
-	irs_sv,		/* "services" */
-	irs_pr,		/* "protocols" */
-	irs_ho,		/* "hosts" */
-	irs_nw,		/* "networks" */
-	irs_ng,		/* "netgroup" */
+	irs_gr,		/*%< "group" */
+	irs_pw,		/*%< "passwd" */
+	irs_sv,		/*%< "services" */
+	irs_pr,		/*%< "protocols" */
+	irs_ho,		/*%< "hosts" */
+	irs_nw,		/*%< "networks" */
+	irs_ng,		/*%< "netgroup" */
 	irs_nmap
 };
 
-/*
+/*%
  * This is an accessor instance.
  */
 struct irs_inst {
@@ -75,7 +76,7 @@ struct irs_inst {
 	struct irs_ng *	ng;
 };
 
-/*
+/*%
  * This is a search rule for some map type.
  */
 struct irs_rule {
@@ -83,9 +84,8 @@ struct irs_rule {
 	struct irs_inst *	inst;
 	int			flags;
 };
-#define IRS_MERGE		0x0001	/* Don't stop if acc. has data? */
-#define	IRS_CONTINUE		0x0002	/* Don't stop if acc. has no data? */
-
+#define IRS_MERGE		0x0001	/*%< Don't stop if acc. has data? */
+#define	IRS_CONTINUE		0x0002	/*%< Don't stop if acc. has no data? */
 /*
  * This is the private data for a search access class.
  */
diff --git a/contrib/bind9/lib/bind/irs/gen_pr.c b/contrib/bind9/lib/bind/irs/gen_pr.c
index 465fee3..5c9d69c 100644
--- a/contrib/bind9/lib/bind/irs/gen_pr.c
+++ b/contrib/bind9/lib/bind/irs/gen_pr.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_pr.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
+static const char rcsid[] = "$Id: gen_pr.c,v 1.2.18.1 2005/04/27 05:00:56 sra Exp $";
 #endif
 
 /* Imports */
@@ -224,3 +224,5 @@ pr_res_set(struct irs_pr *this, struct __res_state *res,
 			(*pr->res_set)(pr, pvt->res, NULL);
 	}
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/gen_pw.c b/contrib/bind9/lib/bind/irs/gen_pw.c
index ca31302..80d9b5d 100644
--- a/contrib/bind9/lib/bind/irs/gen_pw.c
+++ b/contrib/bind9/lib/bind/irs/gen_pw.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_pw.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
+static const char rcsid[] = "$Id: gen_pw.c,v 1.2.18.1 2005/04/27 05:00:57 sra Exp $";
 #endif
 
 /* Imports */
@@ -231,3 +231,4 @@ pw_res_set(struct irs_pw *this, struct __res_state *res,
 }
 
 #endif /* WANT_IRS_PW */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/gen_sv.c b/contrib/bind9/lib/bind/irs/gen_sv.c
index e8f6114..66f0ab7 100644
--- a/contrib/bind9/lib/bind/irs/gen_sv.c
+++ b/contrib/bind9/lib/bind/irs/gen_sv.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_sv.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
+static const char rcsid[] = "$Id: gen_sv.c,v 1.2.18.1 2005/04/27 05:00:57 sra Exp $";
 #endif
 
 /* Imports */
@@ -225,3 +225,5 @@ sv_res_set(struct irs_sv *this, struct __res_state *res,
 			(*sv->res_set)(sv, pvt->res, NULL);
 	}
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/getaddrinfo.c b/contrib/bind9/lib/bind/irs/getaddrinfo.c
index c8d1ab3..1839ba4 100644
--- a/contrib/bind9/lib/bind/irs/getaddrinfo.c
+++ b/contrib/bind9/lib/bind/irs/getaddrinfo.c
@@ -29,48 +29,52 @@
  * SUCH DAMAGE.
  */
 
-/*
+/*! \file
  * Issues to be discussed:
- * - Thread safe-ness must be checked.
- * - Return values.  There are nonstandard return values defined and used
+ *\li  Thread safe-ness must be checked.
+ *\li  Return values.  There are nonstandard return values defined and used
  *   in the source code.  This is because RFC2553 is silent about which error
  *   code must be returned for which situation.
- * - IPv4 classful (shortened) form.  RFC2553 is silent about it.  XNET 5.2
+ *\li  IPv4 classful (shortened) form.  RFC2553 is silent about it.  XNET 5.2
  *   says to use inet_aton() to convert IPv4 numeric to binary (allows
  *   classful form as a result).
  *   current code - disallow classful form for IPv4 (due to use of inet_pton).
- * - freeaddrinfo(NULL).  RFC2553 is silent about it.  XNET 5.2 says it is
+ *\li  freeaddrinfo(NULL).  RFC2553 is silent about it.  XNET 5.2 says it is
  *   invalid.
  *   current code - SEGV on freeaddrinfo(NULL)
  * Note:
- * - We use getipnodebyname() just for thread-safeness.  There's no intent
+ *\li  We use getipnodebyname() just for thread-safeness.  There's no intent
  *   to let it do PF_UNSPEC (actually we never pass PF_UNSPEC to
  *   getipnodebyname().
- * - The code filters out AFs that are not supported by the kernel,
+ *\li  The code filters out AFs that are not supported by the kernel,
  *   when globbing NULL hostname (to loopback, or wildcard).  Is it the right
  *   thing to do?  What is the relationship with post-RFC2553 AI_ADDRCONFIG
  *   in ai_flags?
- * - (post-2553) semantics of AI_ADDRCONFIG itself is too vague.
+ *\li  (post-2553) semantics of AI_ADDRCONFIG itself is too vague.
  *   (1) what should we do against numeric hostname (2) what should we do
  *   against NULL hostname (3) what is AI_ADDRCONFIG itself.  AF not ready?
  *   non-loopback address configured?  global address configured?
- * - To avoid search order issue, we have a big amount of code duplicate
+ * \par Additional Issue:
+ *  To avoid search order issue, we have a big amount of code duplicate
  *   from gethnamaddr.c and some other places.  The issues that there's no
  *   lower layer function to lookup "IPv4 or IPv6" record.  Calling
  *   gethostbyname2 from getaddrinfo will end up in wrong search order, as
  *   follows:
- *	- The code makes use of following calls when asked to resolver with
+ *	\li The code makes use of following calls when asked to resolver with
  *	  ai_family  = PF_UNSPEC:
- *		getipnodebyname(host, AF_INET6);
+ *\code		getipnodebyname(host, AF_INET6);
  *		getipnodebyname(host, AF_INET);
- *	  This will result in the following queries if the node is configure to
+ *\endcode
+ *	\li  This will result in the following queries if the node is configure to
  *	  prefer /etc/hosts than DNS:
+ *\code
  *		lookup /etc/hosts for IPv6 address
  *		lookup DNS for IPv6 address
  *		lookup /etc/hosts for IPv4 address
  *		lookup DNS for IPv4 address
+ *\endcode
  *	  which may not meet people's requirement.
- *	  The right thing to happen is to have underlying layer which does
+ *	 \li The right thing to happen is to have underlying layer which does
  *	  PF_UNSPEC lookup (lookup both) and return chain of addrinfos.
  *	  This would result in a bit of code duplicate with _dns_ghbyname() and
  *	  friends.
@@ -199,20 +203,20 @@ struct addrinfo *addr2addrinfo __P((const struct addrinfo *,
 #if 0
 static const char *ai_errlist[] = {
 	"Success",
-	"Address family for hostname not supported",	/* EAI_ADDRFAMILY */
-	"Temporary failure in name resolution",		/* EAI_AGAIN      */
-	"Invalid value for ai_flags",		       	/* EAI_BADFLAGS   */
-	"Non-recoverable failure in name resolution", 	/* EAI_FAIL       */
-	"ai_family not supported",			/* EAI_FAMILY     */
-	"Memory allocation failure", 			/* EAI_MEMORY     */
-	"No address associated with hostname", 		/* EAI_NODATA     */
-	"hostname nor servname provided, or not known",	/* EAI_NONAME     */
-	"servname not supported for ai_socktype",	/* EAI_SERVICE    */
-	"ai_socktype not supported", 			/* EAI_SOCKTYPE   */
-	"System error returned in errno", 		/* EAI_SYSTEM     */
-	"Invalid value for hints",			/* EAI_BADHINTS	  */
-	"Resolved protocol is unknown",			/* EAI_PROTOCOL   */
-	"Unknown error", 				/* EAI_MAX        */
+	"Address family for hostname not supported",	/*%< EAI_ADDRFAMILY */
+	"Temporary failure in name resolution",		/*%< EAI_AGAIN */
+	"Invalid value for ai_flags",		       	/*%< EAI_BADFLAGS */
+	"Non-recoverable failure in name resolution", 	/*%< EAI_FAIL */
+	"ai_family not supported",			/*%< EAI_FAMILY */
+	"Memory allocation failure", 			/*%< EAI_MEMORY */
+	"No address associated with hostname", 		/*%< EAI_NODATA */
+	"hostname nor servname provided, or not known",	/*%< EAI_NONAME */
+	"servname not supported for ai_socktype",	/*%< EAI_SERVICE */
+	"ai_socktype not supported", 			/*%< EAI_SOCKTYPE */
+	"System error returned in errno", 		/*%< EAI_SYSTEM */
+	"Invalid value for hints",			/*%< EAI_BADHINTS */
+	"Resolved protocol is unknown",			/*%< EAI_PROTOCOL */
+	"Unknown error", 				/*%< EAI_MAX */
 };
 #endif
 
@@ -268,7 +272,7 @@ do { \
 #define MATCH(x, y, w) \
 	((x) == (y) || (/*CONSTCOND*/(w) && ((x) == ANY || (y) == ANY)))
 
-#if 0				/* bind8 has its own version */
+#if 0				/*%< bind8 has its own version */
 char *
 gai_strerror(ecode)
 	int ecode;
@@ -352,7 +356,7 @@ getaddrinfo(hostname, servname, hints, res)
 		/* error check for hints */
 		if (hints->ai_addrlen || hints->ai_canonname ||
 		    hints->ai_addr || hints->ai_next)
-			SETERROR(EAI_BADHINTS); /* xxx */
+			SETERROR(EAI_BADHINTS); /*%< xxx */
 		if (hints->ai_flags & ~AI_MASK)
 			SETERROR(EAI_BADFLAGS);
 		switch (hints->ai_family) {
@@ -517,7 +521,7 @@ getaddrinfo(hostname, servname, hints, res)
 		goto free;
 	}
 	if (afai == NULL) {
-		error = EAI_NONAME; /* we've had no errors. */
+		error = EAI_NONAME; /*%< we've had no errors. */
 		goto free;
 	}
 
@@ -574,7 +578,7 @@ getaddrinfo(hostname, servname, hints, res)
 			cur = cur->ai_next;
 	}
 
-	freeaddrinfo(afai);	/* afai must not be NULL at this point. */
+	freeaddrinfo(afai);	/*%< afai must not be NULL at this point. */
 
 	if (sentinel.ai_next) {
 good:
@@ -597,7 +601,7 @@ bad:
 	return(error);
 }
 
-/*
+/*%
  * FQDN hostname, DNS lookup
  */
 static int
@@ -625,7 +629,7 @@ explore_fqdn(pai, hostname, servname, res)
 
 	if (!net_data || !(ho = net_data->ho))
 		return(0);
-#if 0				/* XXX (notyet) */
+#if 0				/*%< XXX (notyet) */
 	if (net_data->ho_stayopen && net_data->ho_last &&
 	    net_data->ho_last->h_addrtype == af) {
 		if (ns_samename(name, net_data->ho_last->h_name) == 1)
@@ -661,7 +665,7 @@ explore_fqdn(pai, hostname, servname, res)
 			error = EAI_NONAME;
 			break;
 		default:
-		case NETDB_SUCCESS: /* should be impossible... */
+		case NETDB_SUCCESS: /*%< should be impossible... */
 			error = EAI_NONAME;
 			break;
 		}
@@ -669,7 +673,7 @@ explore_fqdn(pai, hostname, servname, res)
 	}
 
 	for (cur = result; cur; cur = cur->ai_next) {
-		GET_PORT(cur, servname); /* XXX: redundant lookups... */
+		GET_PORT(cur, servname); /*%< XXX: redundant lookups... */
 		/* canonname should already be filled. */
 	}
 
@@ -685,8 +689,8 @@ free:
 
 static int
 explore_copy(pai, src0, res)
-	const struct addrinfo *pai;	/* seed */
-	const struct addrinfo *src0;	/* source */
+	const struct addrinfo *pai;	/*%< seed */
+	const struct addrinfo *src0;	/*%< source */
 	struct addrinfo **res;
 {
 	int error;
@@ -720,7 +724,7 @@ fail:
 	return error;
 }
 
-/*
+/*%
  * hostname == NULL.
  * passive socket -> anyaddr (0.0.0.0 or ::)
  * non-passive socket -> localhost (127.0.0.1 or ::1)
@@ -768,7 +772,7 @@ free:
 	return error;
 }
 
-/*
+/*%
  * numeric hostname
  */
 static int
@@ -831,7 +835,7 @@ bad:
 	return error;
 }
 
-/*
+/*%
  * numeric hostname with scope
  */
 static int
@@ -882,7 +886,7 @@ explore_numeric_scope(pai, hostname, servname, res)
 			sin6 = (struct sockaddr_in6 *)(void *)cur->ai_addr;
 			if (!ip6_str2scopeid(scope, sin6, &scopeid)) {
 				free(hostname2);
-				return(EAI_NONAME); /* XXX: is return OK? */
+				return(EAI_NONAME); /*%< XXX: is return OK? */
 			}
 #ifdef HAVE_SIN6_SCOPE_ID
 			sin6->sin6_scope_id = scopeid;
@@ -1078,7 +1082,7 @@ find_afd(af)
 	return NULL;
 }
 
-/*
+/*%
  * post-2553: AI_ADDRCONFIG check.  if we use getipnodeby* as backend, backend
  * will take care of it.
  * the semantics of AI_ADDRCONFIG is not defined well.  we are not sure
@@ -1136,8 +1140,7 @@ ip6_str2scopeid(char *scope, struct sockaddr_in6 *sin6,
 	if (IN6_IS_ADDR_MC_ORGLOCAL(a6))
 		goto trynumeric;
 	else
-		goto trynumeric;	/* global */
-
+		goto trynumeric;	/*%< global */
 	/* try to convert to a numeric id as a last resort */
 trynumeric:
 	errno = 0;
@@ -1174,7 +1177,7 @@ hostent2addrinfo(hp, pai)
 	cur = &sentinel;
 
 	for (i = 0; (ap = aplist[i]) != NULL; i++) {
-#if 0				/* the trick seems too much */
+#if 0				/*%< the trick seems too much */
 		af = hp->h_addr_list;
 		if (af == AF_INET6 &&
 		    IN6_IS_ADDR_V4MAPPED((struct in6_addr *)ap)) {
@@ -1198,7 +1201,7 @@ hostent2addrinfo(hp, pai)
 			 */
 			GET_CANONNAME(cur->ai_next, hp->h_name);
 		}
-		while (cur->ai_next) /* no need to loop, actually. */
+		while (cur->ai_next) /*%< no need to loop, actually. */
 			cur = cur->ai_next;
 		continue;
 
diff --git a/contrib/bind9/lib/bind/irs/getgrent.c b/contrib/bind9/lib/bind/irs/getgrent.c
index 7c394f2..fe91ab3 100644
--- a/contrib/bind9/lib/bind/irs/getgrent.c
+++ b/contrib/bind9/lib/bind/irs/getgrent.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getgrent.c,v 1.3.206.1 2004/03/09 08:33:35 marka Exp $";
+static const char rcsid[] = "$Id: getgrent.c,v 1.4.18.1 2005/04/27 05:00:57 sra Exp $";
 #endif
 
 /* Imports */
@@ -221,3 +221,4 @@ init() {
 }
 
 #endif /* WANT_IRS_GR */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/getgrent_r.c b/contrib/bind9/lib/bind/irs/getgrent_r.c
index 1e8b1a6..1f7d94d 100644
--- a/contrib/bind9/lib/bind/irs/getgrent_r.c
+++ b/contrib/bind9/lib/bind/irs/getgrent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getgrent_r.c,v 1.5.206.1 2004/03/09 08:33:35 marka Exp $";
+static const char rcsid[] = "$Id: getgrent_r.c,v 1.6.18.1 2005/04/27 05:00:57 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -120,7 +120,7 @@ getgrgid_r(gid_t gid, struct group *gptr,
 }
 #endif
 
-/*
+/*%
  *	These assume a single context is in operation per thread.
  *	If this is not the case we will need to call irs directly
  *	rather than through the base functions.
@@ -180,7 +180,7 @@ copy_group(struct group *ge, struct group *gptr, char *buf, int buflen) {
 	int numptr, len;
 
 	/* Find out the amount of space required to store the answer. */
-	numptr = 1; /* NULL ptr */
+	numptr = 1; /*%< NULL ptr */
 	len = (char *)ALIGN(buf) - buf;
 	for (i = 0; ge->gr_mem[i]; i++, numptr++) {
 		len += strlen(ge->gr_mem[i]) + 1;
@@ -227,3 +227,4 @@ copy_group(struct group *ge, struct group *gptr, char *buf, int buflen) {
 	static int getgrent_r_unknown_system = 0;
 #endif /* GROUP_R_RETURN */
 #endif /* !def(_REENTRANT) || !def(DO_PTHREADS) || !def(WANT_IRS_PW) */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/gethostent.c b/contrib/bind9/lib/bind/irs/gethostent.c
index cfea501..23aaa30 100644
--- a/contrib/bind9/lib/bind/irs/gethostent.c
+++ b/contrib/bind9/lib/bind/irs/gethostent.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gethostent.c,v 1.1.2.2.4.3 2006/01/10 05:09:16 marka Exp $";
+static const char rcsid[] = "$Id: gethostent.c,v 1.6.18.2 2006/01/10 05:09:08 marka Exp $";
 #endif
 
 /* Imports */
@@ -235,11 +235,11 @@ static const unsigned char in6addr_mapped[12] = {
 static int scan_interfaces(int *, int *);
 static struct hostent *copyandmerge(struct hostent *, struct hostent *, int, int *);
 
-/*
+/*%
  *	Public functions
  */
 
-/*
+/*%
  *	AI_V4MAPPED + AF_INET6
  *	If no IPv6 address then a query for IPv4 and map returned values.
  *
@@ -445,11 +445,11 @@ freehostent(struct hostent *he) {
 	memput(he, sizeof *he);
 }
 
-/*
+/*%
  * Private
  */
 
-/*
+/*%
  * Scan the interface table and set have_v4 and have_v6 depending
  * upon whether there are IPv4 and IPv6 interface addresses.
  *
@@ -505,7 +505,7 @@ scan_interfaces6(int *have_v4, int *have_v6) {
 		if (buf == NULL)
 			goto cleanup;
 #ifdef SETFAMILYFLAGS
-		lifc.lifc_family = AF_UNSPEC;	/* request all families */
+		lifc.lifc_family = AF_UNSPEC;	/*%< request all families */
 		lifc.lifc_flags = 0;
 #endif
 		lifc.lifc_len = bufsiz;
@@ -533,7 +533,7 @@ scan_interfaces6(int *have_v4, int *have_v6) {
 	}
 
 	/* Parse system's interface list. */
-	cplim = buf + lifc.lifc_len;    /* skip over if's with big ifr_addr's */
+	cplim = buf + lifc.lifc_len;    /*%< skip over if's with big ifr_addr's */
 	for (cp = buf;
 	     (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
 	     cp += cpsize) {
@@ -639,7 +639,7 @@ static int
 scan_interfaces(int *have_v4, int *have_v6) {
 	struct ifconf ifc;
 	union {
-		char _pad[256];		/* leave space for IPv6 addresses */
+		char _pad[256];		/*%< leave space for IPv6 addresses */
 		struct ifreq ifreq;
 	} u;
 	struct in_addr in4;
@@ -712,7 +712,7 @@ scan_interfaces(int *have_v4, int *have_v6) {
 	}
 
 	/* Parse system's interface list. */
-	cplim = buf + ifc.ifc_len;    /* skip over if's with big ifr_addr's */
+	cplim = buf + ifc.ifc_len;    /*%< skip over if's with big ifr_addr's */
 	for (cp = buf;
 	     (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
 	     cp += cpsize) {
@@ -792,8 +792,8 @@ scan_interfaces(int *have_v4, int *have_v6) {
 static struct hostent *
 copyandmerge(struct hostent *he1, struct hostent *he2, int af, int *error_num) {
 	struct hostent *he = NULL;
-	int addresses = 1;	/* NULL terminator */
-	int names = 1;		/* NULL terminator */
+	int addresses = 1;	/*%< NULL terminator */
+	int names = 1;		/*%< NULL terminator */
 	int len = 0;
 	char **cpp, **npp;
 
@@ -1034,7 +1034,7 @@ fakeaddr(const char *name, int af, struct net_data *net_data) {
 	return (&pvt->host);
 }
 
-#ifdef grot	/* for future use in gethostbyaddr(), for "SUNSECURITY" */
+#ifdef grot	/*%< for future use in gethostbyaddr(), for "SUNSECURITY" */
 	struct hostent *rhp;
 	char **haddr;
 	u_long old_options;
@@ -1065,5 +1065,6 @@ fakeaddr(const char *name, int af, struct net_data *net_data) {
 	    }
 	}
 #endif /* grot */
-
 #endif /*__BIND_NOSTATIC*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/gethostent_r.c b/contrib/bind9/lib/bind/irs/gethostent_r.c
index 8a7cff0..96d2a57 100644
--- a/contrib/bind9/lib/bind/irs/gethostent_r.c
+++ b/contrib/bind9/lib/bind/irs/gethostent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: gethostent_r.c,v 1.4.206.4 2005/09/03 12:47:38 marka Exp $";
+static const char rcsid[] = "$Id: gethostent_r.c,v 1.5.18.4 2005/09/03 12:45:14 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -90,7 +90,7 @@ gethostbyaddr_r(const char *addr, int len, int type,
 #endif
 }
 
-/*
+/*%
  *	These assume a single context is in operation per thread.
  *	If this is not the case we will need to call irs directly
  *	rather than through the base functions.
@@ -163,7 +163,7 @@ copy_hostent(struct hostent *he, struct hostent *hptr, HOST_R_COPY_ARGS) {
 	int nptr, len;
 
 	/* Find out the amount of space required to store the answer. */
-	nptr = 2; /* NULL ptrs */
+	nptr = 2; /*%< NULL ptrs */
 	len = (char *)ALIGN(buf) - buf;
 	for (i = 0; he->h_addr_list[i]; i++, nptr++) {
 		len += he->h_length;
@@ -272,3 +272,4 @@ copy_hostent(struct hostent *he, struct hostent *hptr, HOST_R_COPY_ARGS) {
 	static int gethostent_r_unknown_system = 0;
 #endif /* HOST_R_RETURN */
 #endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/getnameinfo.c b/contrib/bind9/lib/bind/irs/getnameinfo.c
index d6d89f3..89c8230 100644
--- a/contrib/bind9/lib/bind/irs/getnameinfo.c
+++ b/contrib/bind9/lib/bind/irs/getnameinfo.c
@@ -63,7 +63,7 @@
 
 #include <port_after.h>
 
-/*
+/*%
  * Note that a_off will be dynamically adjusted so that to be consistent
  * with the definition of sockaddr_in{,6}.
  * The value presented below is just a guess.
@@ -139,7 +139,7 @@ getnameinfo(sa, salen, host, hostlen, serv, servlen, flags)
  found:
 	if (salen != afd->a_socklen) return EAI_FAIL;
 
-	port = ((const struct sockinet *)sa)->si_port; /* network byte order */
+	port = ((const struct sockinet *)sa)->si_port; /*%< network byte order */
 	addr = (const char *)sa + afd->a_off;
 
 	if (serv == NULL || servlen == 0U) {
@@ -251,13 +251,13 @@ ip6_parsenumeric(const struct sockaddr *sa, const char *addr, char *host,
 		return EAI_SYSTEM;
 
 	numaddrlen = strlen(numaddr);
-	if (numaddrlen + 1 > hostlen) /* don't forget terminator */
+	if (numaddrlen + 1 > hostlen) /*%< don't forget terminator */
 		return EAI_MEMORY;
 	strcpy(host, numaddr);
 
 #ifdef HAVE_SIN6_SCOPE_ID
 	if (((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
-		char scopebuf[MAXHOSTNAMELEN]; /* XXX */
+		char scopebuf[MAXHOSTNAMELEN]; /*%< XXX */
 		int scopelen;
 
 		/* ip6_sa2str never fails */
@@ -330,3 +330,5 @@ ip6_sa2str(const struct sockaddr_in6 *sa6, char *buf,
 	return(strlen(tmp));
 }
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/getnetent.c b/contrib/bind9/lib/bind/irs/getnetent.c
index 4d1cd1e..5f7d233 100644
--- a/contrib/bind9/lib/bind/irs/getnetent.c
+++ b/contrib/bind9/lib/bind/irs/getnetent.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getnetent.c,v 1.4.206.2 2004/03/17 01:49:40 marka Exp $";
+static const char rcsid[] = "$Id: getnetent.c,v 1.6.18.1 2005/04/27 05:00:58 sra Exp $";
 #endif
 
 /* Imports */
@@ -321,7 +321,7 @@ nw_to_net(struct nwent *nwent, struct net_data *net_data) {
 	pvt->netent.n_aliases = nwent->n_aliases;
 	pvt->netent.n_addrtype = nwent->n_addrtype;
 
-/*
+/*%
  * What this code does: Converts net addresses from network to host form.
  *
  * msbyte: the index of the most significant byte in the n_addr array.
@@ -341,3 +341,5 @@ nw_to_net(struct nwent *nwent, struct net_data *net_data) {
 }
 
 #endif /*__BIND_NOSTATIC*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/getnetent_r.c b/contrib/bind9/lib/bind/irs/getnetent_r.c
index 1f8290d..7e56ddc 100644
--- a/contrib/bind9/lib/bind/irs/getnetent_r.c
+++ b/contrib/bind9/lib/bind/irs/getnetent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getnetent_r.c,v 1.3.206.2 2005/09/03 12:47:38 marka Exp $";
+static const char rcsid[] = "$Id: getnetent_r.c,v 1.4.18.2 2005/09/03 12:45:14 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -83,7 +83,7 @@ getnetbyaddr_r(GETNETBYADDR_ADDR_T addr, int type, struct netent *nptr, NET_R_AR
 #endif
 }
 
-/*
+/*%
  *	These assume a single context is in operation per thread.
  *	If this is not the case we will need to call irs directly
  *	rather than through the base functions.
@@ -151,7 +151,7 @@ copy_netent(struct netent *ne, struct netent *nptr, NET_R_COPY_ARGS) {
 	int numptr, len;
 
 	/* Find out the amount of space required to store the answer. */
-	numptr = 1; /* NULL ptr */
+	numptr = 1; /*%< NULL ptr */
 	len = (char *)ALIGN(buf) - buf;
 	for (i = 0; ne->n_aliases[i]; i++, numptr++) {
 		len += strlen(ne->n_aliases[i]) + 1;
@@ -231,3 +231,4 @@ copy_netent(struct netent *ne, struct netent *nptr, NET_R_COPY_ARGS) {
 	static int getnetent_r_unknown_system = 0;
 #endif /* NET_R_RETURN */
 #endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/getnetgrent.c b/contrib/bind9/lib/bind/irs/getnetgrent.c
index b275153..a11fa08 100644
--- a/contrib/bind9/lib/bind/irs/getnetgrent.c
+++ b/contrib/bind9/lib/bind/irs/getnetgrent.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getnetgrent.c,v 1.1.2.1.4.1 2004/03/09 08:33:36 marka Exp $";
+static const char rcsid[] = "$Id: getnetgrent.c,v 1.3.18.1 2005/04/27 05:00:58 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
@@ -154,3 +154,5 @@ init(void) {
 }
 
 #endif /*__BIND_NOSTATIC*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/getnetgrent_r.c b/contrib/bind9/lib/bind/irs/getnetgrent_r.c
index b5d9bb1..261d9b7 100644
--- a/contrib/bind9/lib/bind/irs/getnetgrent_r.c
+++ b/contrib/bind9/lib/bind/irs/getnetgrent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getnetgrent_r.c,v 1.5.2.1.4.4 2005/09/03 12:47:38 marka Exp $";
+static const char rcsid[] = "$Id: getnetgrent_r.c,v 1.7.18.4 2005/09/03 12:45:15 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -51,7 +51,7 @@ innetgr_r(const char *netgroup, const char *host, const char *user,
 	return (innetgr(ng, ho, us, dom));
 }
 
-/*
+/*%
  *	These assume a single context is in operation per thread.
  *	If this is not the case we will need to call irs directly
  *	rather than through the base functions.
@@ -175,3 +175,4 @@ copy_protoent(char **machinep, char **userp, char **domainp,
 	static int getnetgrent_r_unknown_system = 0;
 #endif /* NGR_R_RETURN */
 #endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/getprotoent.c b/contrib/bind9/lib/bind/irs/getprotoent.c
index 145062f..9e3d775 100644
--- a/contrib/bind9/lib/bind/irs/getprotoent.c
+++ b/contrib/bind9/lib/bind/irs/getprotoent.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getprotoent.c,v 1.2.206.1 2004/03/09 08:33:36 marka Exp $";
+static const char rcsid[] = "$Id: getprotoent.c,v 1.3.18.1 2005/04/27 05:00:58 sra Exp $";
 #endif
 
 /* Imports */
@@ -172,3 +172,5 @@ init() {
 }
 
 #endif /*__BIND_NOSTATIC*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/getprotoent_r.c b/contrib/bind9/lib/bind/irs/getprotoent_r.c
index 58d0ec9..00b1572 100644
--- a/contrib/bind9/lib/bind/irs/getprotoent_r.c
+++ b/contrib/bind9/lib/bind/irs/getprotoent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getprotoent_r.c,v 1.3.206.2 2006/08/01 01:19:28 marka Exp $";
+static const char rcsid[] = "$Id: getprotoent_r.c,v 1.4.18.2 2006/08/01 01:19:12 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -76,7 +76,7 @@ getprotobynumber_r(int proto, struct protoent *pptr, PROTO_R_ARGS) {
 #endif
 }
 
-/*
+/*%
  *	These assume a single context is in operation per thread.
  *	If this is not the case we will need to call irs directly
  *	rather than through the base functions.
@@ -142,7 +142,7 @@ copy_protoent(struct protoent *pe, struct protoent *pptr, PROTO_R_COPY_ARGS) {
 	int numptr, len;
 
 	/* Find out the amount of space required to store the answer. */
-	numptr = 1; /* NULL ptr */
+	numptr = 1; /*%< NULL ptr */
 	len = (char *)ALIGN(buf) - buf;
 	for (i = 0; pe->p_aliases[i]; i++, numptr++) {
 		len += strlen(pe->p_aliases[i]) + 1;
@@ -220,3 +220,4 @@ copy_protoent(struct protoent *pe, struct protoent *pptr, PROTO_R_COPY_ARGS) {
 	static int getprotoent_r_unknown_system = 0;
 #endif /* PROTO_R_RETURN */
 #endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/getpwent.c b/contrib/bind9/lib/bind/irs/getpwent.c
index 10c237e..86f1d03 100644
--- a/contrib/bind9/lib/bind/irs/getpwent.c
+++ b/contrib/bind9/lib/bind/irs/getpwent.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getpwent.c,v 1.1.206.1 2004/03/09 08:33:36 marka Exp $";
+static const char rcsid[] = "$Id: getpwent.c,v 1.2.18.1 2005/04/27 05:00:59 sra Exp $";
 #endif
 
 /* Imports */
@@ -198,3 +198,4 @@ init() {
 }
 
 #endif /* WANT_IRS_PW */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/getpwent_r.c b/contrib/bind9/lib/bind/irs/getpwent_r.c
index d28f184..212d016 100644
--- a/contrib/bind9/lib/bind/irs/getpwent_r.c
+++ b/contrib/bind9/lib/bind/irs/getpwent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getpwent_r.c,v 1.5.206.2 2004/09/17 13:32:37 marka Exp $";
+static const char rcsid[] = "$Id: getpwent_r.c,v 1.6.18.2 2005/04/27 05:00:59 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -121,7 +121,7 @@ getpwuid_r(uid_t uid,  struct passwd *pwptr, char *buf, int buflen) {
 }
 #endif
 
-/*
+/*%
  *	These assume a single context is in operation per thread.
  *	If this is not the case we will need to call irs directly
  *	rather than through the base functions.
@@ -273,3 +273,4 @@ copy_passwd(struct passwd *pw, struct passwd *pwptr, char *buf, int buflen) {
 	static int getpwent_r_unknown_system = 0;
 #endif /* PASS_R_RETURN */
 #endif /* !def(_REENTRANT) || !def(DO_PTHREADS) || !def(WANT_IRS_PW) */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/getservent.c b/contrib/bind9/lib/bind/irs/getservent.c
index a13e36f..92ed18b 100644
--- a/contrib/bind9/lib/bind/irs/getservent.c
+++ b/contrib/bind9/lib/bind/irs/getservent.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getservent.c,v 1.2.206.1 2004/03/09 08:33:36 marka Exp $";
+static const char rcsid[] = "$Id: getservent.c,v 1.3.18.1 2005/04/27 05:00:59 sra Exp $";
 #endif
 
 /* Imports */
@@ -175,3 +175,5 @@ init() {
 }
 
 #endif /*__BIND_NOSTATIC*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/getservent_r.c b/contrib/bind9/lib/bind/irs/getservent_r.c
index 6dd7034..12c2b9b 100644
--- a/contrib/bind9/lib/bind/irs/getservent_r.c
+++ b/contrib/bind9/lib/bind/irs/getservent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getservent_r.c,v 1.3.206.2 2006/08/01 01:19:28 marka Exp $";
+static const char rcsid[] = "$Id: getservent_r.c,v 1.4.18.2 2006/08/01 01:19:12 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -79,7 +79,7 @@ getservbyport_r(int port, const char *proto,
 #endif
 }
 
-/*
+/*%
  *	These assume a single context is in operation per thread.
  *	If this is not the case we will need to call irs directly
  *	rather than through the base functions.
@@ -145,7 +145,7 @@ copy_servent(struct servent *se, struct servent *sptr, SERV_R_COPY_ARGS) {
 	int numptr, len;
 
 	/* Find out the amount of space required to store the answer. */
-	numptr = 1; /* NULL ptr */
+	numptr = 1; /*%< NULL ptr */
 	len = (char *)ALIGN(buf) - buf;
 	for (i = 0; se->s_aliases[i]; i++, numptr++) {
 		len += strlen(se->s_aliases[i]) + 1;
@@ -239,3 +239,4 @@ copy_servent(struct servent *se, struct servent *sptr, SERV_R_COPY_ARGS) {
 	static int getservent_r_unknown_system = 0;
 #endif /*SERV_R_RETURN */
 #endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/hesiod.c b/contrib/bind9/lib/bind/irs/hesiod.c
index 618c592..5abb57c 100644
--- a/contrib/bind9/lib/bind/irs/hesiod.c
+++ b/contrib/bind9/lib/bind/irs/hesiod.c
@@ -1,5 +1,5 @@
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: hesiod.c,v 1.1.2.1.4.4 2005/07/28 07:43:19 marka Exp $";
+static const char rcsid[] = "$Id: hesiod.c,v 1.4.18.3 2005/07/28 07:38:08 marka Exp $";
 #endif
 
 /*
@@ -19,16 +19,16 @@ static const char rcsid[] = "$Id: hesiod.c,v 1.1.2.1.4.4 2005/07/28 07:43:19 mar
  * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/*
- * This file is primarily maintained by <tytso@mit.edu> and <ghudson@mit.edu>.
- */
 
-/*
+/*! \file
+ * \brief
  * hesiod.c --- the core portion of the hesiod resolver.
  *
  * This file is derived from the hesiod library from Project Athena;
  * It has been extensively rewritten by Theodore Ts'o to have a more
  * thread-safe interface.
+ * \author
+ * This file is primarily maintained by &lt;tytso@mit.edu&gt; and &lt;ghudson@mit.edu&gt;.
  */
 
 /* Imports */
@@ -69,7 +69,7 @@ static int	init(struct hesiod_p *ctx);
 
 /* Public */
 
-/*
+/*%
  * This function is called to initialize a hesiod_p.
  */
 int
@@ -145,7 +145,7 @@ hesiod_init(void **context) {
 	return (-1);
 }
 
-/*
+/*%
  * This function deallocates the hesiod_p
  */
 void
@@ -165,7 +165,7 @@ hesiod_end(void *context) {
 	errno = save_errno;
 }
 
-/*
+/*%
  * This function takes a hesiod (name, type) and returns a DNS
  * name which is to be resolved.
  */
@@ -224,7 +224,7 @@ hesiod_to_bind(void *context, const char *name, const char *type) {
 	return (bindname);
 }
 
-/*
+/*%
  * This is the core function.  Given a hesiod (name, type), it
  * returns an array of strings returned by the resolver.
  */
@@ -265,7 +265,7 @@ hesiod_free_list(void *context, char **list) {
 	free(list);
 }
 
-/*
+/*%
  * This function parses the /etc/hesiod.conf file
  */
 static int
@@ -335,17 +335,17 @@ parse_config_file(struct hesiod_p *ctx, const char *filename) {
 	return (-1);
 }
 
-/*
+/*%
  * Given a DNS class and a DNS name, do a lookup for TXT records, and
  * return a list of them.
  */
 static char **
 get_txt_records(struct hesiod_p *ctx, int class, const char *name) {
 	struct {
-		int type;		/* RR type */
-		int class;		/* RR class */
-		int dlen;		/* len of data section */
-		u_char *data;		/* pointer to data */
+		int type;		/*%< RR type */
+		int class;		/*%< RR class */
+		int dlen;		/*%< len of data section */
+		u_char *data;		/*%< pointer to data */
 	} rr;
 	HEADER *hp;
 	u_char qbuf[MAX_HESRESP], abuf[MAX_HESRESP];
@@ -412,7 +412,7 @@ get_txt_records(struct hesiod_p *ctx, int class, const char *name) {
 		rr.type = ns_get16(cp);
 		cp += INT16SZ;
 		rr.class = ns_get16(cp);
-		cp += INT16SZ + INT32SZ;	/* skip the ttl, too */
+		cp += INT16SZ + INT32SZ;	/*%< skip the ttl, too */
 		rr.dlen = ns_get16(cp);
 		cp += INT16SZ;
 		if (cp + rr.dlen > eom) {
diff --git a/contrib/bind9/lib/bind/irs/hesiod_p.h b/contrib/bind9/lib/bind/irs/hesiod_p.h
index 5af70a7..f42f84a 100644
--- a/contrib/bind9/lib/bind/irs/hesiod_p.h
+++ b/contrib/bind9/lib/bind/irs/hesiod_p.h
@@ -16,27 +16,27 @@
  */
 
 /*
- * This file is primarily maintained by <tytso@mit.edu> and <ghudson@mit.edu>.
- */
-
-/*
- * $Id: hesiod_p.h,v 1.1.206.1 2004/03/09 08:33:36 marka Exp $
- */
-
-/*
- * hesiod_p.h -- private definitions for the hesiod library
+ * $Id: hesiod_p.h,v 1.2.18.1 2005/04/27 05:00:59 sra Exp $
  */
 
 #ifndef _HESIOD_P_H_INCLUDED
 #define _HESIOD_P_H_INCLUDED
 
-#define DEF_RHS		".Athena.MIT.EDU"	/* Defaults if HESIOD_CONF */
-#define DEF_LHS		".ns"			/*    file is not */
-						/*    present. */
+/** \file
+ * \brief
+ * hesiod_p.h -- private definitions for the hesiod library.
+ *
+ * \author
+ * This file is primarily maintained by tytso@mit.edu and ghudson@mit.edu.
+ */
+
+#define DEF_RHS		".Athena.MIT.EDU"	/*%< Defaults if HESIOD_CONF */
+#define DEF_LHS		".ns"			/*%<    file is not */
+						/*%<    present. */
 struct hesiod_p {
-	char *		LHS;		/* normally ".ns" */
-	char *		RHS;		/* AKA the default hesiod domain */
-	struct __res_state * res;	/* resolver context */
+	char *		LHS;		/*%< normally ".ns" */
+	char *		RHS;		/*%< AKA the default hesiod domain */
+	struct __res_state * res;	/*%< resolver context */
 	void		(*free_res)(void *);
 	void		(*res_set)(struct hesiod_p *, struct __res_state *,
 				   void (*)(void *));
diff --git a/contrib/bind9/lib/bind/irs/irp.c b/contrib/bind9/lib/bind/irs/irp.c
index 649079c..85a053d 100644
--- a/contrib/bind9/lib/bind/irs/irp.c
+++ b/contrib/bind9/lib/bind/irs/irp.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irp.c,v 1.3.2.1.10.4 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Id: irp.c,v 1.6.18.3 2006/03/10 00:20:08 marka Exp $";
 #endif
 
 /* Imports */
@@ -66,7 +66,7 @@ static void		irp_close(struct irs_acc *);
 /* send errors to syslog if true. */
 int irp_log_errors = 1;
 
-/*
+/*%
  * This module handles the irp module connection to irpd.
  *
  * The client expects a synchronous interface to functions like
@@ -74,7 +74,7 @@ int irp_log_errors = 1;
  * the wire (it's used in the server).
  */
 
-/*
+/*%
  * irs_acc *irs_irp_acc(const char *options);
  *
  *	Initialize the irp module.
@@ -137,8 +137,7 @@ irs_irp_connection_setup(struct irp_p *cxndata, int *warned) {
 	return (0);
 }
 
-
-/*
+/*%
  * int irs_irp_connect(void);
  *
  *	Sets up the connection to the remote irpd server.
@@ -245,9 +244,7 @@ irs_irp_connect(struct irp_p *pvt) {
 	return (0);
 }
 
-
-
-/*
+/*%
  * int	irs_irp_is_connected(struct irp_p *pvt);
  *
  * Returns:
@@ -261,9 +258,7 @@ irs_irp_is_connected(struct irp_p *pvt) {
 	return (pvt->fdCxn >= 0);
 }
 
-
-
-/*
+/*%
  * void
  * irs_irp_disconnect(struct irp_p *pvt);
  *
@@ -355,11 +350,7 @@ irs_irp_read_line(struct irp_p *pvt, char *buffer, int len) {
 	return (buffpos);
 }
 
-
-
-
-
-/*
+/*%
  * int irp_read_response(struct irp_p *pvt);
  *
  * Returns:
@@ -399,9 +390,7 @@ irs_irp_read_response(struct irp_p *pvt, char *text, size_t textlen) {
 	return (code);
 }
 
-
-
-/*
+/*%
  * char *irp_read_body(struct irp_p *pvt, size_t *size);
  *
  *	Read in the body of a response. Terminated by a line with
@@ -471,8 +460,7 @@ irs_irp_read_body(struct irp_p *pvt, size_t *size) {
 	return (NULL);
 }
 
-
-/*
+/*%
  * int irs_irp_get_full_response(struct irp_p *pvt, int *code,
  *			char **body, size_t *bodylen);
  *
@@ -515,8 +503,7 @@ irs_irp_get_full_response(struct irp_p *pvt, int *code, char *text,
 	return (0);
 }
 
-
-/*
+/*%
  * int irs_irp_send_command(struct irp_p *pvt, const char *fmt, ...);
  *
  *	Sends command to remote connected via the PVT
@@ -572,9 +559,7 @@ irs_irp_send_command(struct irp_p *pvt, const char *fmt, ...) {
 
 /* Methods */
 
-
-
-/*
+/*%
  * void irp_close(struct irs_acc *this)
  *
  */
@@ -593,3 +578,5 @@ irp_close(struct irs_acc *this) {
 
 
 
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/irp_gr.c b/contrib/bind9/lib/bind/irs/irp_gr.c
index f7e3a2f..bdab3da 100644
--- a/contrib/bind9/lib/bind/irs/irp_gr.c
+++ b/contrib/bind9/lib/bind/irs/irp_gr.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_gr.c,v 1.2.206.1 2004/03/09 08:33:36 marka Exp $";
+static const char rcsid[] = "$Id: irp_gr.c,v 1.3.18.1 2005/04/27 05:01:00 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* extern */
@@ -54,16 +54,17 @@ static int __bind_irs_gr_unneeded;
 
 /* Types. */
 
-/*
+/*! \file 
+ * \brief
  * Module for the getnetgrent(3) family to use when connected to a
  * remote irp daemon.
- *
+ * \brief
  * See irpd.c for justification of caching done here.
  *
  */
 
 struct pvt {
-	struct irp_p   *girpdata;	/* global IRP data */
+	struct irp_p   *girpdata;	/*%< global IRP data */
 	int		warned;
 	struct group	group;
 };
@@ -83,21 +84,9 @@ static void		free_group(struct group *gr);
 
 /* Public. */
 
-
-
-
-
-/*
- * struct irs_gr * irs_irp_gr(struct irs_acc *this)
- *
- * Notes:
- *
+/*%
  *	Initialize the group sub-module.
  *
- * Notes:
- *
- *	Module data.
- *
  */
 
 struct irs_gr *
@@ -132,13 +121,7 @@ irs_irp_gr(struct irs_acc *this) {
 
 /* Methods. */
 
-
-
-/*
- * void gr_close(struct irs_gr *this)
- *
- * Notes:
- *
+/*%
  *	Close the sub-module.
  *
  */
@@ -153,14 +136,7 @@ gr_close(struct irs_gr *this) {
 	memput(this, sizeof *this);
 }
 
-
-
-
-/*
- * struct group * gr_next(struct irs_gr *this)
- *
- * Notes:
- *
+/*%
  *	Gets the next group out of the cached data and returns it.
  *
  */
@@ -207,15 +183,7 @@ gr_next(struct irs_gr *this) {
 	return (gr);
 }
 
-
-
-
-
-/*
- * struct group * gr_byname(struct irs_gr *this, const char *name)
- *
- * Notes:
- *
+/*%
  *	Gets a group by name from irpd and returns it.
  *
  */
@@ -263,15 +231,7 @@ gr_byname(struct irs_gr *this, const char *name) {
 	return (gr);
 }
 
-
-
-
-
-/*
- * struct group * gr_bygid(struct irs_gr *this, gid_t gid)
- *
- * Notes:
- *
+/*%
  *	Gets a group by gid from irpd and returns it.
  *
  */
@@ -318,10 +278,7 @@ gr_bygid(struct irs_gr *this, gid_t gid) {
 	return (gr);
 }
 
-
-
-
-/*
+/*%
  * void gr_rewind(struct irs_gr *this)
  *
  */
@@ -350,14 +307,7 @@ gr_rewind(struct irs_gr *this) {
 	return;
 }
 
-
-
-
-/*
- * void gr_minimize(struct irs_gr *this)
- *
- * Notes:
- *
+/*%
  *	Frees up cached data and disconnects(if necessary) from the remote.
  *
  */
@@ -372,9 +322,7 @@ gr_minimize(struct irs_gr *this) {
 
 /* Private. */
 
-
-
-/*
+/*%
  * static void free_group(struct group *gr);
  *
  *	Deallocate all the memory irp_unmarshall_gr allocated.
@@ -406,3 +354,4 @@ free_group(struct group *gr) {
 
 
 #endif /* WANT_IRS_GR */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/irp_ho.c b/contrib/bind9/lib/bind/irs/irp_ho.c
index 9056612..d71285e 100644
--- a/contrib/bind9/lib/bind/irs/irp_ho.c
+++ b/contrib/bind9/lib/bind/irs/irp_ho.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_ho.c,v 1.1.206.1 2004/03/09 08:33:36 marka Exp $";
+static const char rcsid[] = "$Id: irp_ho.c,v 1.2.18.1 2005/04/27 05:01:00 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -84,9 +84,7 @@ static struct addrinfo * ho_addrinfo(struct irs_ho *this, const char *name,
 
 /* Public. */
 
-
-
-/*
+/*%
  * struct irs_ho * irs_irp_ho(struct irs_acc *this)
  *
  * Notes:
@@ -129,13 +127,7 @@ irs_irp_ho(struct irs_acc *this) {
 
 /* Methods. */
 
-
-
-/*
- * void ho_close(struct irs_ho *this)
- *
- * Notes:
- *
+/*%
  *	Closes down the module.
  *
  */
@@ -281,15 +273,7 @@ ho_byaddr(struct irs_ho *this, const void *addr, int len, int af) {
 	return (ho);
 }
 
-
-
-
-
-/*
- * struct hostent * ho_next(struct irs_ho *this)
- *
- * Notes:
- *
+/*%
  *	The implementation for gethostent(3). The first time it's
  *	called all the data is pulled from the remote(i.e. what
  *	the maximum number of gethostent(3) calls would return)
@@ -336,11 +320,7 @@ ho_next(struct irs_ho *this) {
 	return (ho);
 }
 
-
-
-
-
-/*
+/*%
  * void ho_rewind(struct irs_ho *this)
  *
  */
@@ -369,10 +349,7 @@ ho_rewind(struct irs_ho *this) {
 	return;
 }
 
-
-
-
-/*
+/*%
  * void ho_minimize(struct irs_ho *this)
  *
  */
@@ -386,10 +363,7 @@ ho_minimize(struct irs_ho *this) {
 	irs_irp_disconnect(pvt->girpdata);
 }
 
-
-
-
-/*
+/*%
  * void free_host(struct hostent *ho)
  *
  */
@@ -427,3 +401,5 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 	UNUSED(pai);
 	return(NULL);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/irp_ng.c b/contrib/bind9/lib/bind/irs/irp_ng.c
index cf7bc7c..e0aa468 100644
--- a/contrib/bind9/lib/bind/irs/irp_ng.c
+++ b/contrib/bind9/lib/bind/irs/irp_ng.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irp_ng.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
+static const char rcsid[] = "$Id: irp_ng.c,v 1.2.18.2 2006/12/07 04:53:02 marka Exp $";
 #endif
 
 /* Imports */
@@ -62,13 +62,7 @@ static void		ng_minimize(struct irs_ng *);
 
 /* Public */
 
-
-
-/*
- * struct irs_ng * irs_irp_ng(struct irs_acc *this)
- *
- * Notes:
- *
+/*%
  *	Intialize the irp netgroup module.
  *
  */
@@ -155,15 +149,7 @@ ng_rewind(struct irs_ng *this, const char *group) {
 	return;
 }
 
-
-
-
 /*
- * int ng_next(struct irs_ng *this, const char **host, const char **user,
- *	       const char **domain)
- *
- * Notes:
- *
  *	Get the next netgroup item from the cache.
  *
  */
@@ -205,14 +191,7 @@ ng_next(struct irs_ng *this, const char **host, const char **user,
 	return (rval);
 }
 
-
-
 /*
- * int ng_test(struct irs_ng *this, const char *name, const char *host,
- *		const char *user, const char *domain)
- *
- * Notes:
- *
  *	Search for a match in a netgroup.
  *
  */
@@ -239,14 +218,14 @@ ng_test(struct irs_ng *this, const char *name,
 	}
 
 	if (irs_irp_send_command(pvt->girpdata, "innetgr %s", body) == 0) {
-		memput(body, bodylen);
-
 		code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
 		if (code == IRPD_GETNETGR_MATCHES) {
 			rval = 1;
 		}
 	}
 
+	memput(body, bodylen);
+
 	return (rval);
 }
 
@@ -270,3 +249,5 @@ ng_minimize(struct irs_ng *this) {
 
 /* Private */
 
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/irp_nw.c b/contrib/bind9/lib/bind/irs/irp_nw.c
index ea68612..b285120 100644
--- a/contrib/bind9/lib/bind/irs/irp_nw.c
+++ b/contrib/bind9/lib/bind/irs/irp_nw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_nw.c,v 1.1.206.2 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Id: irp_nw.c,v 1.2.18.2 2006/03/10 00:20:08 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #if 0
@@ -79,9 +79,7 @@ static void		free_nw(struct nwent *nw);
 
 /* Public */
 
-
-
-/*
+/*%
  * struct irs_nw * irs_irp_nw(struct irs_acc *this) 
  *
  */
@@ -117,9 +115,7 @@ irs_irp_nw(struct irs_acc *this) {
 
 /* Methods */
 
-
-
-/*
+/*%
  * void nw_close(struct irs_nw *this) 
  *
  */
@@ -136,10 +132,7 @@ nw_close(struct irs_nw *this) {
 	memput(this, sizeof *this);
 }
 
-
-
-
-/*
+/*%
  * struct nwent * nw_byaddr(struct irs_nw *this, void *net, 
  * 				int length, int type) 
  *
@@ -152,7 +145,7 @@ nw_byaddr(struct irs_nw *this, void *net, int length, int type) {
 	char *body = NULL;
 	size_t bodylen;
 	int code;
-	char paddr[24];			/* bigenough for ip4 w/ cidr spec. */
+	char paddr[24];			/*%< bigenough for ip4 w/ cidr spec. */
 	char text[256];
 
 	if (inet_net_ntop(type, net, length, paddr, sizeof paddr) == NULL) {
@@ -189,10 +182,7 @@ nw_byaddr(struct irs_nw *this, void *net, int length, int type) {
 	return (nw);
 }
 
-
-
-
-/*
+/*%
  * struct nwent * nw_byname(struct irs_nw *this, const char *name, int type) 
  *
  */
@@ -241,10 +231,7 @@ nw_byname(struct irs_nw *this, const char *name, int type) {
 	return (nw);
 }
 
-
-
-
-/*
+/*%
  * void nw_rewind(struct irs_nw *this) 
  *
  */
@@ -273,16 +260,7 @@ nw_rewind(struct irs_nw *this) {
 	return;
 }
 
-
-
-
-
-
-/*
- * struct nwent * nw_next(struct irs_nw *this) 
- *
- * Notes:
- * 	
+/*%
  * 	Prepares the cache if necessary and returns the first, or 
  * 	next item from it.
  */
@@ -324,12 +302,7 @@ nw_next(struct irs_nw *this) {
 	return (nw);
 }
 
-
-
-
-
-
-/*
+/*%
  * void nw_minimize(struct irs_nw *this) 
  *
  */
@@ -346,11 +319,7 @@ nw_minimize(struct irs_nw *this) {
 
 /* private. */
 
-
-
-/*
- * static void free_passwd(struct passwd *pw);
- *
+/*%
  *	deallocate all the memory irp_unmarshall_pw allocated.
  *
  */
@@ -375,3 +344,5 @@ free_nw(struct nwent *nw) {
 	if (nw->n_addr != NULL)
 		free(nw->n_addr);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/irp_p.h b/contrib/bind9/lib/bind/irs/irp_p.h
index fa2858d..21d31cc 100644
--- a/contrib/bind9/lib/bind/irs/irp_p.h
+++ b/contrib/bind9/lib/bind/irs/irp_p.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: irp_p.h,v 1.1.2.2.4.1 2004/03/09 08:33:37 marka Exp $
+ * $Id: irp_p.h,v 1.4.18.1 2005/04/27 05:01:00 sra Exp $
  */
 
 #ifndef _IRP_P_H_INCLUDED
@@ -26,9 +26,8 @@
 
 struct irp_p {
 	char inbuffer[1024];
-	int inlast; /* index of one past the last char in buffer */
-	int incurr; /* index of the next char to be read from buffer */
-
+	int inlast; /*%< index of one past the last char in buffer */
+	int incurr; /*%< index of the next char to be read from buffer */
 	int fdCxn;
 };
 
@@ -57,3 +56,5 @@ int irs_irp_get_full_response(struct irp_p *pvt, int *code,
 extern int irp_log_errors;
 
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/irp_pr.c b/contrib/bind9/lib/bind/irs/irp_pr.c
index 07d739d..00e69ab 100644
--- a/contrib/bind9/lib/bind/irs/irp_pr.c
+++ b/contrib/bind9/lib/bind/irs/irp_pr.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_pr.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
+static const char rcsid[] = "$Id: irp_pr.c,v 1.2.18.1 2005/04/27 05:01:01 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* extern */
@@ -69,9 +69,7 @@ static void			free_proto(struct protoent *pr);
 
 /* Public */
 
-
-
-/*
+/*%
  * struct irs_pr * irs_irp_pr(struct irs_acc *this)
  *
  */
@@ -107,9 +105,7 @@ irs_irp_pr(struct irs_acc *this) {
 
 /* Methods */
 
-
-
-/*
+/*%
  * void pr_close(struct irs_pr *this)
  *
  */
@@ -126,9 +122,7 @@ pr_close(struct irs_pr *this) {
 	memput(this, sizeof *this);
 }
 
-
-
-/*
+/*%
  * struct protoent * pr_byname(struct irs_pr *this, const char *name)
  *
  */
@@ -177,9 +171,7 @@ pr_byname(struct irs_pr *this, const char *name) {
 	return (pr);
 }
 
-
-
-/*
+/*%
  * struct protoent * pr_bynumber(struct irs_pr *this, int proto)
  *
  */
@@ -228,10 +220,7 @@ pr_bynumber(struct irs_pr *this, int proto) {
 	return (pr);
 }
 
-
-
-
-/*
+/*%
  * void pr_rewind(struct irs_pr *this)
  *
  */
@@ -260,14 +249,7 @@ pr_rewind(struct irs_pr *this) {
 	return;
 }
 
-
-
-
-/*
- * struct protoent * pr_next(struct irs_pr *this)
- *
- * Notes:
- *
+/*%
  *	Prepares the cache if necessary and returns the next item in it.
  *
  */
@@ -311,10 +293,7 @@ pr_next(struct irs_pr *this) {
 	return (pr);
 }
 
-
-
-
-/*
+/*%
  * void pr_minimize(struct irs_pr *this)
  *
  */
@@ -326,14 +305,7 @@ pr_minimize(struct irs_pr *this) {
 	irs_irp_disconnect(pvt->girpdata);
 }
 
-
-
-
-
-
-/*
- * static void free_proto(struct protoent *pw);
- *
+/*%
  *	Deallocate all the memory irp_unmarshall_pr allocated.
  *
  */
@@ -351,3 +323,5 @@ free_proto(struct protoent *pr) {
 	for (p = pr->p_aliases ; p != NULL && *p != NULL ; p++)
 		free(*p);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/irp_pw.c b/contrib/bind9/lib/bind/irs/irp_pw.c
index 069f588..a326375 100644
--- a/contrib/bind9/lib/bind/irs/irp_pw.c
+++ b/contrib/bind9/lib/bind/irs/irp_pw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_pw.c,v 1.2.206.1 2004/03/09 08:33:37 marka Exp $";
+static const char rcsid[] = "$Id: irp_pw.c,v 1.3.18.1 2005/04/27 05:01:01 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Extern */
@@ -55,9 +55,9 @@ static int __bind_irs_pw_unneeded;
 /* Types */
 
 struct	pvt {
-	struct irp_p   *girpdata; /* global IRP data */
+	struct irp_p   *girpdata; /*%< global IRP data */
 	int		warned;
-	struct passwd	passwd;		/* password structure */
+	struct passwd	passwd;		/*%< password structure */
 };
 
 /* Forward */
@@ -104,9 +104,7 @@ irs_irp_pw(struct irs_acc *this) {
 
 /* Methods */
 
-
-
-/*
+/*%
  * void pw_close(struct irs_pw *this)
  *
  */
@@ -123,10 +121,7 @@ pw_close(struct irs_pw *this) {
 	memput(this, sizeof *this);
 }
 
-
-
-
-/*
+/*%
  * struct passwd * pw_next(struct irs_pw *this)
  *
  */
@@ -170,10 +165,7 @@ pw_next(struct irs_pw *this) {
 	return (pw);
 }
 
-
-
-
-/*
+/*%
  * struct passwd * pw_byname(struct irs_pw *this, const char *name)
  *
  */
@@ -221,10 +213,7 @@ pw_byname(struct irs_pw *this, const char *name) {
 	return (pw);
 }
 
-
-
-
-/*
+/*%
  * struct passwd * pw_byuid(struct irs_pw *this, uid_t uid)
  *
  */
@@ -272,10 +261,7 @@ pw_byuid(struct irs_pw *this, uid_t uid) {
 	return (pw);
 }
 
-
-
-
-/*
+/*%
  * void pw_rewind(struct irs_pw *this)
  *
  */
@@ -304,8 +290,7 @@ pw_rewind(struct irs_pw *this) {
 	return;
 }
 
-
-/*
+/*%
  * void pw_minimize(struct irs_pw *this)
  *
  */
@@ -320,11 +305,7 @@ pw_minimize(struct irs_pw *this) {
 
 /* Private. */
 
-
-
-/*
- * static void free_passwd(struct passwd *pw);
- *
+/*%
  *	Deallocate all the memory irp_unmarshall_pw allocated.
  *
  */
@@ -356,3 +337,4 @@ free_passwd(struct passwd *pw) {
 }
 
 #endif /* WANT_IRS_PW */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/irp_sv.c b/contrib/bind9/lib/bind/irs/irp_sv.c
index 0c4d6a1..22ea980 100644
--- a/contrib/bind9/lib/bind/irs/irp_sv.c
+++ b/contrib/bind9/lib/bind/irs/irp_sv.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_sv.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
+static const char rcsid[] = "$Id: irp_sv.c,v 1.2.18.1 2005/04/27 05:01:01 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* extern */
@@ -73,9 +73,7 @@ static void			free_service(struct servent *sv);
 
 /* Public */
 
-
-
-/*
+/*%
  * struct irs_sv * irs_irp_sv(struct irs_acc *this)
  *
  */
@@ -112,9 +110,7 @@ irs_irp_sv(struct irs_acc *this) {
 
 /* Methods */
 
-
-
-/*
+/*%
  * void sv_close(struct irs_sv *this)
  *
  */
@@ -131,14 +127,7 @@ sv_close(struct irs_sv *this) {
 	memput(this, sizeof *this);
 }
 
-
-
-
-/*
- * struct servent * sv_next(struct irs_sv *this)
- *
- * Notes:
- *
+/*%
  *	Fills the cache if necessary and returns the next item from it.
  *
  */
@@ -182,10 +171,7 @@ sv_next(struct irs_sv *this) {
 	return (sv);
 }
 
-
-
-
-/*
+/*%
  * struct servent * sv_byname(struct irs_sv *this, const char *name,
  *				const char *proto)
  *
@@ -236,10 +222,7 @@ sv_byname(struct irs_sv *this, const char *name, const char *proto) {
 	return (sv);
 }
 
-
-
-
-/*
+/*%
  * struct servent * sv_byport(struct irs_sv *this, int port,
  *				const char *proto)
  *
@@ -291,11 +274,7 @@ sv_byport(struct irs_sv *this, int port, const char *proto) {
 	return (sv);
 }
 
-
-
-
-
-/*
+/*%
  * void sv_rewind(struct irs_sv *this)
  *
  */
@@ -324,11 +303,7 @@ sv_rewind(struct irs_sv *this) {
 	return;
 }
 
-
-
-
-
-/*
+/*%
  * void sv_minimize(struct irs_sv *this)
  *
  */
@@ -367,3 +342,5 @@ free_service(struct servent *sv) {
 }
 
 
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/irpmarshall.c b/contrib/bind9/lib/bind/irs/irpmarshall.c
index 198e349..8c34fa2 100644
--- a/contrib/bind9/lib/bind/irs/irpmarshall.c
+++ b/contrib/bind9/lib/bind/irs/irpmarshall.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irpmarshall.c,v 1.3.206.4 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Id: irpmarshall.c,v 1.5.18.2 2006/03/10 00:20:08 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #if 0
@@ -118,15 +118,14 @@ static const char *COLONSTR = ":";
 #ifdef WANT_IRS_PW
 /* +++++++++++++++++++++++++ struct passwd +++++++++++++++++++++++++ */
 
-
-/*
+/*%
  * int irp_marshall_pw(const struct passwd *pw, char **buffer, size_t *len)
  *
- * notes:
+ * notes: \li
  *
- *	See above
+ *	See irpmarshall.h
  *
- * return:
+ * return: \li
  *
  *	0 on sucess, -1 on failure.
  *
@@ -134,7 +133,7 @@ static const char *COLONSTR = ":";
 
 int
 irp_marshall_pw(const struct passwd *pw, char **buffer, size_t *len) {
-	size_t need = 1 ;		/* for null byte */
+	size_t need = 1 ;		/*%< for null byte */
 	char pwUid[24];
 	char pwGid[24];
 	char pwChange[24];
@@ -170,7 +169,7 @@ irp_marshall_pw(const struct passwd *pw, char **buffer, size_t *len) {
 	pwClass = "";
 #endif
 
-	need += strlen(pw->pw_name)	+ 1; /* one for fieldsep */
+	need += strlen(pw->pw_name)	+ 1; /*%< one for fieldsep */
 	need += strlen(pw->pw_passwd)	+ 1;
 	need += strlen(pwUid)		+ 1;
 	need += strlen(pwGid)		+ 1;
@@ -192,7 +191,7 @@ irp_marshall_pw(const struct passwd *pw, char **buffer, size_t *len) {
 	}
 
 	if (*buffer == NULL) {
-		need += 2;		/* for CRLF */
+		need += 2;		/*%< for CRLF */
 		*buffer = memget(need);
 		if (*buffer == NULL) {
 			errno = ENOMEM;
@@ -216,18 +215,14 @@ irp_marshall_pw(const struct passwd *pw, char **buffer, size_t *len) {
 	return (0);
 }
 
-
-
-
-
-/*
+/*%
  * int irp_unmarshall_pw(struct passwd *pw, char *buffer)
  *
- * notes:
+ * notes: \li
  *
- *	see above
+ *	See irpmarshall.h
  *
- * return:
+ * return: \li
  *
  *	0 on success, -1 on failure
  *
@@ -258,7 +253,7 @@ irp_unmarshall_pw(struct passwd *pw, char *buffer) {
 
 	/* pw_passwd field */
 	pass = NULL;
-	if (getfield(&pass, 0, &p, fieldsep) == NULL) { /* field can be empty */
+	if (getfield(&pass, 0, &p, fieldsep) == NULL) { /*%< field can be empty */
 		goto error;
 	}
 
@@ -271,10 +266,10 @@ irp_unmarshall_pw(struct passwd *pw, char *buffer) {
 	}
 	t = strtol(tmpbuf, &tb, 10);
 	if (*tb) {
-		goto error;	/* junk in value */
+		goto error;	/*%< junk in value */
 	}
 	pwuid = (uid_t)t;
-	if ((long) pwuid != t) {	/* value must have been too big. */
+	if ((long) pwuid != t) {	/*%< value must have been too big. */
 		goto error;
 	}
 
@@ -288,10 +283,10 @@ irp_unmarshall_pw(struct passwd *pw, char *buffer) {
 	}
 	t = strtol(tmpbuf, &tb, 10);
 	if (*tb) {
-		goto error;	/* junk in value */
+		goto error;	/*%< junk in value */
 	}
 	pwgid = (gid_t)t;
-	if ((long)pwgid != t) {	/* value must have been too big. */
+	if ((long)pwgid != t) {	/*%< value must have been too big. */
 		goto error;
 	}
 
@@ -313,10 +308,10 @@ irp_unmarshall_pw(struct passwd *pw, char *buffer) {
 	}
 	t = strtol(tmpbuf, &tb, 10);
 	if (*tb) {
-		goto error;	/* junk in value */
+		goto error;	/*%< junk in value */
 	}
 	pwchange = (time_t)t;
-	if ((long)pwchange != t) {	/* value must have been too big. */
+	if ((long)pwchange != t) {	/*%< value must have been too big. */
 		goto error;
 	}
 
@@ -330,10 +325,10 @@ irp_unmarshall_pw(struct passwd *pw, char *buffer) {
 	}
 	t = strtol(tmpbuf, &tb, 10);
 	if (*tb) {
-		goto error;	/* junk in value */
+		goto error;	/*%< junk in value */
 	}
 	pwexpire = (time_t)t;
-	if ((long) pwexpire != t) {	/* value must have been too big. */
+	if ((long) pwexpire != t) {	/*%< value must have been too big. */
 		goto error;
 	}
 
@@ -397,28 +392,23 @@ irp_unmarshall_pw(struct passwd *pw, char *buffer) {
 
 /* ------------------------- struct passwd ------------------------- */
 #endif /* WANT_IRS_PW */
-
-
-
 /* +++++++++++++++++++++++++ struct group +++++++++++++++++++++++++ */
 
-
-
-/*
+/*%
  * int irp_marshall_gr(const struct group *gr, char **buffer, size_t *len)
  *
- * notes:
+ * notes: \li
  *
- *	see above.
+ *	See irpmarshall.h.
  *
- * return:
+ * return: \li
  *
  *	0 on success, -1 on failure
  */
 
 int
 irp_marshall_gr(const struct group *gr, char **buffer, size_t *len) {
-	size_t need = 1;	/* for null byte */
+	size_t need = 1;	/*%< for null byte */
 	char grGid[24];
 	const char *fieldsep = COLONSTR;
 
@@ -449,7 +439,7 @@ irp_marshall_gr(const struct group *gr, char **buffer, size_t *len) {
 	}
 
 	if (*buffer == NULL) {
-		need += 2;		/* for CRLF */
+		need += 2;		/*%< for CRLF */
 		*buffer = memget(need);
 		if (*buffer == NULL) {
 			errno = ENOMEM;
@@ -470,17 +460,14 @@ irp_marshall_gr(const struct group *gr, char **buffer, size_t *len) {
 	return (0);
 }
 
-
-
-
-/*
+/*%
  * int irp_unmarshall_gr(struct group *gr, char *buffer)
  *
- * notes:
+ * notes: \li
  *
- *	see above
+ *	See irpmarshall.h
  *
- * return:
+ * return: \li
  *
  *	0 on success and -1 on failure.
  *
@@ -528,10 +515,10 @@ irp_unmarshall_gr(struct group *gr, char *buffer) {
 	}
 	t = strtol(tmpbuf, &tb, 10);
 	if (*tb) {
-		goto error;	/* junk in value */
+		goto error;	/*%< junk in value */
 	}
 	grgid = (gid_t)t;
-	if ((long) grgid != t) {	/* value must have been too big. */
+	if ((long) grgid != t) {	/*%< value must have been too big. */
 		goto error;
 	}
 
@@ -575,16 +562,14 @@ irp_unmarshall_gr(struct group *gr, char *buffer) {
 
 /* +++++++++++++++++++++++++ struct servent +++++++++++++++++++++++++ */
 
-
-
-/*
+/*%
  * int irp_marshall_sv(const struct servent *sv, char **buffer, size_t *len)
  *
- * notes:
+ * notes: \li
  *
- *	see above
+ *	See irpmarshall.h
  *
- * return:
+ * return: \li
  *
  *	0 on success, -1 on failure.
  *
@@ -592,7 +577,7 @@ irp_unmarshall_gr(struct group *gr, char *buffer) {
 
 int
 irp_marshall_sv(const struct servent *sv, char **buffer, size_t *len) {
-	size_t need = 1;	/* for null byte */
+	size_t need = 1;	/*%< for null byte */
 	char svPort[24];
 	const char *fieldsep = COLONSTR;
 	short realport;
@@ -623,7 +608,7 @@ irp_marshall_sv(const struct servent *sv, char **buffer, size_t *len) {
 	}
 
 	if (*buffer == NULL) {
-		need += 2;		/* for CRLF */
+		need += 2;		/*%< for CRLF */
 		*buffer = memget(need);
 		if (*buffer == NULL) {
 			errno = ENOMEM;
@@ -641,18 +626,14 @@ irp_marshall_sv(const struct servent *sv, char **buffer, size_t *len) {
 	return (0);
 }
 
-
-
-
-
-/*
+/*%
  * int irp_unmarshall_sv(struct servent *sv, char *buffer)
  *
- * notes:
+ * notes: \li
  *
- *	see above
+ *	See irpmarshall.h
  *
- * return:
+ * return: \li
  *
  *	0 on success, -1 on failure.
  *
@@ -705,10 +686,10 @@ irp_unmarshall_sv(struct servent *sv, char *buffer) {
 	}
 	t = strtol(tmpbuf, &tb, 10);
 	if (*tb) {
-		goto error;	/* junk in value */
+		goto error;	/*%< junk in value */
 	}
 	svport = (short)t;
-	if ((long) svport != t) {	/* value must have been too big. */
+	if ((long) svport != t) {	/*%< value must have been too big. */
 		goto error;
 	}
 	svport = htons(svport);
@@ -741,16 +722,14 @@ irp_unmarshall_sv(struct servent *sv, char *buffer) {
 
 /* +++++++++++++++++++++++++ struct protoent +++++++++++++++++++++++++ */
 
-
-
-/*
+/*%
  * int irp_marshall_pr(struct protoent *pr, char **buffer, size_t *len)
  *
- * notes:
+ * notes: \li
  *
- *	see above
+ *	See irpmarshall.h
  *
- * return:
+ * return: \li
  *
  *	0 on success and -1 on failure.
  *
@@ -758,7 +737,7 @@ irp_unmarshall_sv(struct servent *sv, char *buffer) {
 
 int
 irp_marshall_pr(struct protoent *pr, char **buffer, size_t *len) {
-	size_t need = 1;	/* for null byte */
+	size_t need = 1;	/*%< for null byte */
 	char prProto[24];
 	const char *fieldsep = COLONSTR;
 
@@ -784,7 +763,7 @@ irp_marshall_pr(struct protoent *pr, char **buffer, size_t *len) {
 	}
 
 	if (*buffer == NULL) {
-		need += 2;		/* for CRLF */
+		need += 2;		/*%< for CRLF */
 		*buffer = memget(need);
 		if (*buffer == NULL) {
 			errno = ENOMEM;
@@ -802,16 +781,14 @@ irp_marshall_pr(struct protoent *pr, char **buffer, size_t *len) {
 
 }
 
-
-
-/*
+/*%
  * int irp_unmarshall_pr(struct protoent *pr, char *buffer)
  *
- * notes:
+ * notes: \li
  *
- *	See above
+ *	See irpmarshall.h
  *
- * return:
+ * return: \li
  *
  *	0 on success, -1 on failure
  *
@@ -863,10 +840,10 @@ int irp_unmarshall_pr(struct protoent *pr, char *buffer) {
 	}
 	t = strtol(tmpbuf, &tb, 10);
 	if (*tb) {
-		goto error;	/* junk in value */
+		goto error;	/*%< junk in value */
 	}
 	prproto = (int)t;
-	if ((long) prproto != t) {	/* value must have been too big. */
+	if ((long) prproto != t) {	/*%< value must have been too big. */
 		goto error;
 	}
 
@@ -891,15 +868,14 @@ int irp_unmarshall_pr(struct protoent *pr, char *buffer) {
 
 /* +++++++++++++++++++++++++ struct hostent +++++++++++++++++++++++++ */
 
-
-/*
+/*%
  * int irp_marshall_ho(struct hostent *ho, char **buffer, size_t *len)
  *
- * notes:
+ * notes: \li
  *
- *	see above.
+ *	See irpmarshall.h.
  *
- * return:
+ * return: \li
  *
  *	0 on success, -1 on failure.
  *
@@ -907,7 +883,7 @@ int irp_unmarshall_pr(struct protoent *pr, char *buffer) {
 
 int
 irp_marshall_ho(struct hostent *ho, char **buffer, size_t *len) {
-	size_t need = 1;	/* for null byte */
+	size_t need = 1;	/*%< for null byte */
 	char hoaddrtype[24];
 	char holength[24];
 	char **av;
@@ -945,7 +921,7 @@ irp_marshall_ho(struct hostent *ho, char **buffer, size_t *len) {
 
 	/* we determine an upper bound on the string length needed, not an
 	   exact length. */
-	addrlen = (ho->h_addrtype == AF_INET ? 16 : 46) ; /* XX other AF's?? */
+	addrlen = (ho->h_addrtype == AF_INET ? 16 : 46) ; /*%< XX other AF's?? */
 	for (av = ho->h_addr_list; av != NULL && *av != NULL ; av++)
 		need += addrlen;
 
@@ -960,7 +936,7 @@ irp_marshall_ho(struct hostent *ho, char **buffer, size_t *len) {
 	}
 
 	if (*buffer == NULL) {
-		need += 2;		/* for CRLF */
+		need += 2;		/*%< for CRLF */
 		*buffer = memget(need);
 		if (*buffer == NULL) {
 			errno = ENOMEM;
@@ -999,16 +975,14 @@ irp_marshall_ho(struct hostent *ho, char **buffer, size_t *len) {
 	return (-1);
 }
 
-
-
-/*
+/*%
  * int irp_unmarshall_ho(struct hostent *ho, char *buffer)
  *
- * notes:
+ * notes: \li
  *
- *	See above.
+ *	See irpmarshall.h.
  *
- * return:
+ * return: \li
  *
  *	0 on success, -1 on failure.
  *
@@ -1080,10 +1054,10 @@ irp_unmarshall_ho(struct hostent *ho, char *buffer) {
 	}
 	t = strtol(tmpbuf, &tb, 10);
 	if (*tb) {
-		goto error;	/* junk in value */
+		goto error;	/*%< junk in value */
 	}
 	holength = (int)t;
-	if ((long) holength != t) {	/* value must have been too big. */
+	if ((long) holength != t) {	/*%< value must have been too big. */
 		goto error;
 	}
 
@@ -1155,16 +1129,15 @@ irp_unmarshall_ho(struct hostent *ho, char *buffer) {
 
 /* +++++++++++++++++++++++++ struct netgrp +++++++++++++++++++++++++ */
 
-
-/*
+/*%
  * int irp_marshall_ng(const char *host, const char *user,
  *		       const char *domain, char *buffer, size_t *len)
  *
- * notes:
+ * notes: \li
  *
  *	See note for irp_marshall_ng_start
  *
- * return:
+ * return: \li
  *
  *	0 on success, 0 on failure.
  *
@@ -1173,7 +1146,7 @@ irp_unmarshall_ho(struct hostent *ho, char *buffer) {
 int
 irp_marshall_ng(const char *host, const char *user, const char *domain,
 		char **buffer, size_t *len) {
-	size_t need = 1; /* for nul byte */
+	size_t need = 1; /*%< for nul byte */
 	const char *fieldsep = ",";
 
 	if (len == NULL) {
@@ -1181,7 +1154,7 @@ irp_marshall_ng(const char *host, const char *user, const char *domain,
 		return (-1);
 	}
 
-	need += 4;		       /* two parens and two commas */
+	need += 4;		       /*%< two parens and two commas */
 	need += (host == NULL ? 0 : strlen(host));
 	need += (user == NULL ? 0 : strlen(user));
 	need += (domain == NULL ? 0 : strlen(domain));
@@ -1195,7 +1168,7 @@ irp_marshall_ng(const char *host, const char *user, const char *domain,
 	}
 
 	if (*buffer == NULL) {
-		need += 2;		/* for CRLF */
+		need += 2;		/*%< for CRLF */
 		*buffer = memget(need);
 		if (*buffer == NULL) {
 			errno = ENOMEM;
@@ -1227,18 +1200,17 @@ irp_marshall_ng(const char *host, const char *user, const char *domain,
 
 /* ---------- */
 
-
-/*
+/*%
  * int irp_unmarshall_ng(const char **host, const char **user,
  *			 const char **domain, char *buffer)
  *
- * notes:
+ * notes: \li
  *
  *	Unpacks the BUFFER into 3 character arrays it allocates and assigns
  *	to *HOST, *USER and *DOMAIN. If any field of the value is empty,
  *	then the corresponding paramater value will be set to NULL.
  *
- * return:
+ * return: \li
  *
  *	0 on success and -1 on failure.
  */
@@ -1325,15 +1297,14 @@ irp_unmarshall_ng(const char **hostp, const char **userp, const char **domainp,
 
 /* +++++++++++++++++++++++++ struct nwent +++++++++++++++++++++++++ */
 
-
-/*
+/*%
  * int irp_marshall_nw(struct nwent *ne, char **buffer, size_t *len)
  *
- * notes:
+ * notes: \li
  *
  *	See at top.
  *
- * return:
+ * return: \li
  *
  *	0 on success and -1 on failure.
  *
@@ -1341,7 +1312,7 @@ irp_unmarshall_ng(const char **hostp, const char **userp, const char **domainp,
 
 int
 irp_marshall_nw(struct nwent *ne, char **buffer, size_t *len) {
-	size_t need = 1;	/* for null byte */
+	size_t need = 1;	/*%< for null byte */
 	char nAddrType[24];
 	char nNet[MAXPADDRSIZE];
 	const char *fieldsep = COLONSTR;
@@ -1374,7 +1345,7 @@ irp_marshall_nw(struct nwent *ne, char **buffer, size_t *len) {
 	}
 
 	if (*buffer == NULL) {
-		need += 2;		/* for CRLF */
+		need += 2;		/*%< for CRLF */
 		*buffer = memget(need);
 		if (*buffer == NULL) {
 			errno = ENOMEM;
@@ -1392,16 +1363,14 @@ irp_marshall_nw(struct nwent *ne, char **buffer, size_t *len) {
 	return (0);
 }
 
-
-
-/*
+/*%
  * int irp_unmarshall_nw(struct nwent *ne, char *buffer)
  *
- * notes:
+ * notes: \li
  *
  *	See note up top.
  *
- * return:
+ * return: \li
  *
  *	0 on success and -1 on failure.
  *
@@ -1502,15 +1471,14 @@ irp_unmarshall_nw(struct nwent *ne, char *buffer) {
 
 /* +++++++++++++++++++++++++ struct netent +++++++++++++++++++++++++ */
 
-
-/*
+/*%
  * int irp_marshall_ne(struct netent *ne, char **buffer, size_t *len)
  *
- * notes:
+ * notes: \li
  *
  *	See at top.
  *
- * return:
+ * return: \li
  *
  *	0 on success and -1 on failure.
  *
@@ -1518,7 +1486,7 @@ irp_unmarshall_nw(struct nwent *ne, char *buffer) {
 
 int
 irp_marshall_ne(struct netent *ne, char **buffer, size_t *len) {
-	size_t need = 1;	/* for null byte */
+	size_t need = 1;	/*%< for null byte */
 	char nAddrType[24];
 	char nNet[MAXPADDRSIZE];
 	const char *fieldsep = COLONSTR;
@@ -1551,7 +1519,7 @@ irp_marshall_ne(struct netent *ne, char **buffer, size_t *len) {
 	}
 
 	if (*buffer == NULL) {
-		need += 2;		/* for CRLF */
+		need += 2;		/*%< for CRLF */
 		*buffer = memget(need);
 		if (*buffer == NULL) {
 			errno = ENOMEM;
@@ -1569,16 +1537,14 @@ irp_marshall_ne(struct netent *ne, char **buffer, size_t *len) {
 	return (0);
 }
 
-
-
-/*
+/*%
  * int irp_unmarshall_ne(struct netent *ne, char *buffer)
  *
- * notes:
+ * notes: \li
  *
  *	See note up top.
  *
- * return:
+ * return: \li
  *
  *	0 on success and -1 on failure.
  *
@@ -1671,11 +1637,10 @@ irp_unmarshall_ne(struct netent *ne, char *buffer) {
 
 /* =========================================================================== */
 
-
-/*
+/*%
  * static char ** splitarray(const char *buffer, const char *buffend, char delim)
  *
- * notes:
+ * notes: \li
  *
  *	Split a delim separated astring. Not allowed
  *	to have two delims next to each other. BUFFER points to begining of
@@ -1683,7 +1648,7 @@ irp_unmarshall_ne(struct netent *ne, char *buffer) {
  *	(i.e. points at where the null byte would be if null
  *	terminated).
  *
- * return:
+ * return: \li
  *
  *	Returns a malloced array of pointers, each pointer pointing to a
  *	malloced string. If BUFEER is an empty string, then return values is
@@ -1719,7 +1684,7 @@ splitarray(const char *buffer, const char *buffend, char delim) {
 	}
 
 	if (count > 0) {
-		count++ ;		/* for NULL at end */
+		count++ ;		/*%< for NULL at end */
 		aptr = arr = malloc(count * sizeof (char *));
 		if (aptr == NULL) {
 			 errno = ENOMEM;
@@ -1749,13 +1714,10 @@ splitarray(const char *buffer, const char *buffend, char delim) {
 	return (arr);
 }
 
-
-
-
-/*
+/*%
  * static size_t joinlength(char * const *argv)
  *
- * return:
+ * return: \li
  *
  *	the number of bytes in all the arrays pointed at
  *	by argv, including their null bytes(which will usually be turned
@@ -1776,18 +1738,16 @@ joinlength(char * const *argv) {
 	return (len);
 }
 
-
-
-/*
+/*%
  * int joinarray(char * const *argv, char *buffer, char delim)
  *
- * notes:
+ * notes: \li
  *
  *	Copy all the ARGV strings into the end of BUFFER
  *	separating them with DELIM.  BUFFER is assumed to have
  *	enough space to hold everything and to be already null-terminated.
  *
- * return:
+ * return: \li
  *
  *	0 unless argv or buffer is NULL.
  *
@@ -1817,11 +1777,10 @@ joinarray(char * const *argv, char *buffer, char delim) {
 	return (0);
 }
 
-
-/*
+/*%
  * static char * getfield(char **res, size_t reslen, char **ptr, char delim)
  *
- * notes:
+ * notes: \li
  *
  *	Stores in *RES, which is a buffer of length RESLEN, a
  *	copy of the bytes from *PTR up to and including the first
@@ -1829,7 +1788,7 @@ joinarray(char * const *argv, char *buffer, char delim) {
  *	assigned a malloced buffer to hold the copy. *PTR is
  *	modified to point at the found delimiter.
  *
- * return:
+ * return: \li
  *
  *	If there was no delimiter, then NULL is returned,
  *	otherewise *RES is returned.
@@ -1854,7 +1813,7 @@ getfield(char **res, size_t reslen, char **ptr, char delim) {
 		if (*res == NULL) {
 			*res = strndup(*ptr, q - *ptr);
 		} else {
-			if ((size_t)(q - *ptr + 1) > reslen) { /* to big for res */
+			if ((size_t)(q - *ptr + 1) > reslen) { /*%< to big for res */
 				errno = EINVAL;
 				return (NULL);
 			} else {
@@ -1876,12 +1835,12 @@ getfield(char **res, size_t reslen, char **ptr, char delim) {
 /*
  * static char * strndup(const char *str, size_t len)
  *
- * notes:
+ * notes: \li
  *
  *	like strdup, except do len bytes instead of the whole string. Always
  *	null-terminates.
  *
- * return:
+ * return: \li
  *
  *	The newly malloced string.
  *
@@ -1901,14 +1860,14 @@ strndup(const char *str, size_t len) {
 
 #if WANT_MAIN
 
-/*
+/*%
  * static int strcmp_nws(const char *a, const char *b)
  *
- * notes:
+ * notes: \li
  *
  *	do a strcmp, except uneven lengths of whitespace compare the same
  *
- * return:
+ * return: \li
  *
  */
 
@@ -1942,14 +1901,10 @@ strcmp_nws(const char *a, const char *b) {
 
 #endif
 
-
-
-
-
-/*
+/*%
  * static void free_array(char **argv, size_t entries)
  *
- * notes:
+ * notes: \li
  *
  *	Free argv and each of the pointers inside it. The end of
  *	the array is when a NULL pointer is found inside. If
@@ -1984,7 +1939,7 @@ free_array(char **argv, size_t entries) {
 
 #if WANT_MAIN
 
-/* takes an option to indicate what sort of marshalling(read the code) and
+/*% takes an option to indicate what sort of marshalling(read the code) and
    an argument. If the argument looks like a marshalled buffer(has a ':'
    embedded) then it's unmarshalled and the remarshalled and the new string
    is compared to the old one.
@@ -2342,3 +2297,5 @@ main(int argc, char **argv) {
 }
 
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/irs_data.c b/contrib/bind9/lib/bind/irs/irs_data.c
index 7904286..b71bc33 100644
--- a/contrib/bind9/lib/bind/irs/irs_data.c
+++ b/contrib/bind9/lib/bind/irs/irs_data.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irs_data.c,v 1.3.2.2.4.4 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Id: irs_data.c,v 1.7.18.3 2006/03/10 00:20:08 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -113,7 +113,8 @@ net_data_destroy(void *p) {
 	memput(net_data, sizeof *net_data);
 }
 
-/* applications that need a specific config file other than
+/*%
+ *  applications that need a specific config file other than
  * _PATH_IRS_CONF should call net_data_init directly rather than letting
  *   the various wrapper functions make the first call. - brister
  */
@@ -239,3 +240,5 @@ __h_errno_set(struct __res_state *res, int err) {
 }
 
 #endif /*__BIND_NOSTATIC*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/irs_data.h b/contrib/bind9/lib/bind/irs/irs_data.h
index 90eb78c..c1ee3dd 100644
--- a/contrib/bind9/lib/bind/irs/irs_data.h
+++ b/contrib/bind9/lib/bind/irs/irs_data.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: irs_data.h,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $
+ * $Id: irs_data.h,v 1.2.18.1 2005/04/27 05:01:01 sra Exp $
  */
 
 #ifndef __BIND_NOSTATIC
@@ -38,7 +38,7 @@ struct net_data {
 	struct passwd *		pw_last;
 	struct servent *	sv_last;
 	struct protoent *	pr_last;
-	struct netent *		nw_last; /* should have been ne_last */
+	struct netent *		nw_last; /*%< should have been ne_last */
 	struct nwent *		nww_last;
 	struct hostent *	ho_last;
 
@@ -52,11 +52,12 @@ struct net_data {
 	void *			nw_data;
 	void *			ho_data;
 
-	struct __res_state *	res;	/* for gethostent.c */
-
+	struct __res_state *	res;	/*%< for gethostent.c */
 };
 
 extern struct net_data *	net_data_init(const char *conf_file);
 extern void			net_data_minimize(struct net_data *);
 
 #endif /*__BIND_NOSTATIC*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/irs_p.h b/contrib/bind9/lib/bind/irs/irs_p.h
index 6d340f2..bc1817b 100644
--- a/contrib/bind9/lib/bind/irs/irs_p.h
+++ b/contrib/bind9/lib/bind/irs/irs_p.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: irs_p.h,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $
+ * $Id: irs_p.h,v 1.2.18.1 2005/04/27 05:01:01 sra Exp $
  */
 
 #ifndef _IRS_P_H_INCLUDED
@@ -47,3 +47,5 @@ extern struct irs_ng *	irs_nul_ng(struct irs_acc *);
 extern struct servent * irs_lclsv_fnxt(struct lcl_sv *);
 
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/lcl.c b/contrib/bind9/lib/bind/irs/lcl.c
index e02c90d..930c87e 100644
--- a/contrib/bind9/lib/bind/irs/lcl.c
+++ b/contrib/bind9/lib/bind/irs/lcl.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: lcl.c,v 1.1.206.2 2004/03/17 00:29:49 marka Exp $";
+static const char rcsid[] = "$Id: lcl.c,v 1.3.18.1 2005/04/27 05:01:02 sra Exp $";
 #endif
 
 /* Imports */
@@ -138,3 +138,5 @@ lcl_close(struct irs_acc *this) {
 	}
 	memput(this, sizeof *this);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/lcl_gr.c b/contrib/bind9/lib/bind/irs/lcl_gr.c
index ccf7b79..f17410c 100644
--- a/contrib/bind9/lib/bind/irs/lcl_gr.c
+++ b/contrib/bind9/lib/bind/irs/lcl_gr.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_gr.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
+static const char rcsid[] = "$Id: lcl_gr.c,v 1.2.18.1 2005/04/27 05:01:02 sra Exp $";
 /* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
 /* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $	*/
 #endif /* LIBC_SCCS and not lint */
@@ -90,7 +90,7 @@ static int __bind_irs_gr_unneeded;
 
 struct pvt {
 	FILE *		fp;
-	/*
+	/*%<
 	 * Need space to store the entries read from the group file.
 	 * The members list also needs space per member, and the
 	 * strings making up the user names must be allocated
@@ -98,7 +98,7 @@ struct pvt {
 	 * we keep one buffer and resize it as needed.
 	 */
 	struct group	group;
-	size_t		nmemb;		/* Malloc'd max index of gr_mem[]. */
+	size_t		nmemb;		/*%< Malloc'd max index of gr_mem[]. */
 	char *		membuf;
 	size_t		membufsize;
 };
@@ -227,9 +227,8 @@ grstart(struct pvt *pvt) {
 	return (1);
 }
 
-#define	INITIAL_NMEMB	30			/* about 120 bytes */
-#define	INITIAL_BUFSIZ	(INITIAL_NMEMB * 8)	/* about 240 bytes */
-
+#define	INITIAL_NMEMB	30			/*%< about 120 bytes */
+#define	INITIAL_BUFSIZ	(INITIAL_NMEMB * 8)	/*%< about 240 bytes */
 static char *
 grnext(struct pvt *pvt) {
 	char *w, *e;
@@ -352,3 +351,4 @@ grscan(struct irs_gr *this, int search, gid_t gid, const char *name) {
 }
 
 #endif /* WANT_IRS_GR */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/lcl_ho.c b/contrib/bind9/lib/bind/irs/lcl_ho.c
index b59a104..9534ee6 100644
--- a/contrib/bind9/lib/bind/irs/lcl_ho.c
+++ b/contrib/bind9/lib/bind/irs/lcl_ho.c
@@ -52,7 +52,7 @@
 /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_ho.c,v 1.1.206.3 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Id: lcl_ho.c,v 1.3.18.2 2006/03/10 00:20:08 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -109,7 +109,7 @@ struct pvt {
 	char *		h_addr_ptrs[MAXADDRS + 1];
 	char *		host_aliases[MAXALIASES];
 	char		hostbuf[8*1024];
-	u_char		host_addr[16];	/* IPv4 or IPv6 */
+	u_char		host_addr[16];	/*%< IPv4 or IPv6 */
 	struct __res_state  *res;
 	void		(*free_res)(void *);
 };
@@ -508,7 +508,7 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 	cur = &sentinel;
 
 	switch(pai->ai_family) {
-	case AF_UNSPEC:		/* INET6 then INET4 */
+	case AF_UNSPEC:		/*%< INET6 then INET4 */
 		q.family = AF_INET6;
 		q.next = &q2;
 		q2.family = AF_INET;
@@ -520,7 +520,7 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		q.family = AF_INET;
 		break;
 	default:
-		RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); /* ??? */
+		RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); /*%< ??? */
 		return(NULL);
 	}
 
@@ -574,3 +574,5 @@ init(struct irs_ho *this) {
 		return (-1);
 	return (0);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/lcl_ng.c b/contrib/bind9/lib/bind/irs/lcl_ng.c
index 3c678f2..3a9f3fa 100644
--- a/contrib/bind9/lib/bind/irs/lcl_ng.c
+++ b/contrib/bind9/lib/bind/irs/lcl_ng.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: lcl_ng.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
+static const char rcsid[] = "$Id: lcl_ng.c,v 1.2.18.1 2005/04/27 05:01:02 sra Exp $";
 #endif
 
 /* Imports */
@@ -43,11 +43,10 @@ static const char rcsid[] = "$Id: lcl_ng.c,v 1.1.206.1 2004/03/09 08:33:38 marka
 
 /* Definitions */
 
-#define NG_HOST         0       /* Host name */
-#define NG_USER         1       /* User name */
-#define NG_DOM          2       /* and Domain name */
-#define LINSIZ		1024    /* Length of netgroup file line */
-
+#define NG_HOST         0       /*%< Host name */
+#define NG_USER         1       /*%< User name */
+#define NG_DOM          2       /*%< and Domain name */
+#define LINSIZ		1024    /*%< Length of netgroup file line */
 /*
  * XXX Warning XXX
  * This code is a hack-and-slash special.  It realy needs to be
@@ -55,24 +54,25 @@ static const char rcsid[] = "$Id: lcl_ng.c,v 1.1.206.1 2004/03/09 08:33:38 marka
  * More reasonable data structures would not be a bad thing.
  */
 
-/*
+/*%
  * Static Variables and functions used by setnetgrent(), getnetgrent() and
  * endnetgrent().
+ *
  * There are two linked lists:
- * - linelist is just used by setnetgrent() to parse the net group file via.
+ * \li linelist is just used by setnetgrent() to parse the net group file via.
  *   parse_netgrp()
- * - netgrp is the list of entries for the current netgroup
+ * \li netgrp is the list of entries for the current netgroup
  */
 struct linelist {
-	struct linelist *l_next;	/* Chain ptr. */
-	int		l_parsed;	/* Flag for cycles */
-	char *		l_groupname;	/* Name of netgroup */
-	char *		l_line;		/* Netgroup entrie(s) to be parsed */
+	struct linelist *l_next;	/*%< Chain ptr. */
+	int		l_parsed;	/*%< Flag for cycles */
+	char *		l_groupname;	/*%< Name of netgroup */
+	char *		l_line;		/*%< Netgroup entrie(s) to be parsed */
 };
 
 struct ng_old_struct {
-	struct ng_old_struct *ng_next;	/* Chain ptr */
-	char *		ng_str[3];	/* Field pointers, see below */
+	struct ng_old_struct *ng_next;	/*%< Chain ptr */
+	char *		ng_str[3];	/*%< Field pointers, see below */
 };
 
 struct pvt {
@@ -142,7 +142,7 @@ ng_close(struct irs_ng *this) {
 	memput(this, sizeof *this);
 }
 	
-/*
+/*%
  * Parse the netgroup file looking for the netgroup and build the list
  * of netgrp structures. Let parse_netgrp() and read_for_group() do
  * most of the work.
@@ -174,7 +174,7 @@ ng_rewind(struct irs_ng *this, const char *group) {
 	pvt->nextgrp = pvt->grouphead.gr;
 }
 
-/*
+/*%
  * Get the next netgroup off the list.
  */
 static int
@@ -193,7 +193,7 @@ ng_next(struct irs_ng *this, const char **host, const char **user,
 	return (0);
 }
 
-/*
+/*%
  * Search for a match in a netgroup.
  */
 static int
@@ -229,7 +229,7 @@ ng_minimize(struct irs_ng *this) {
 
 /* Private */
 
-/*
+/*%
  * endnetgrent() - cleanup
  */
 static void
@@ -266,7 +266,7 @@ freelists(struct irs_ng *this) {
 	pvt->grouphead.gr = NULL;
 }
 
-/*
+/*%
  * Parse the netgroup file setting up the linked lists.
  */
 static int
@@ -349,7 +349,7 @@ parse_netgrp(struct irs_ng *this, const char *group) {
 	return (1);
 }
 
-/*
+/*%
  * Read the netgroup file and save lines until the line for the netgroup
  * is found. Return 1 if eof is encountered.
  */
@@ -442,3 +442,5 @@ read_for_group(struct irs_ng *this, const char *group) {
 	}
 	return (NULL);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/lcl_nw.c b/contrib/bind9/lib/bind/irs/lcl_nw.c
index 7d04672..2804946 100644
--- a/contrib/bind9/lib/bind/irs/lcl_nw.c
+++ b/contrib/bind9/lib/bind/irs/lcl_nw.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_nw.c,v 1.1.206.2 2004/03/17 00:29:50 marka Exp $";
+static const char rcsid[] = "$Id: lcl_nw.c,v 1.3.18.1 2005/04/27 05:01:02 sra Exp $";
 /* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
 /* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $	*/
 #endif /* LIBC_SCCS and not lint */
@@ -369,3 +369,5 @@ init(struct irs_nw *this) {
 		return (-1);
 	return (0);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/lcl_p.h b/contrib/bind9/lib/bind/irs/lcl_p.h
index 44dd621..4e6bdc3 100644
--- a/contrib/bind9/lib/bind/irs/lcl_p.h
+++ b/contrib/bind9/lib/bind/irs/lcl_p.h
@@ -16,17 +16,18 @@
  */
 
 /*
- * $Id: lcl_p.h,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $
+ * $Id: lcl_p.h,v 1.2.18.1 2005/04/27 05:01:02 sra Exp $
  */
 
-/*
+/*! \file
+ * \brief
  * lcl_p.h - private include file for the local accessor functions.
  */
 
 #ifndef _LCL_P_H_INCLUDED
 #define _LCL_P_H_INCLUDED
 
-/*
+/*%
  * Object state.
  */
 struct lcl_p {
diff --git a/contrib/bind9/lib/bind/irs/lcl_pr.c b/contrib/bind9/lib/bind/irs/lcl_pr.c
index ddc92c8..08c6da9 100644
--- a/contrib/bind9/lib/bind/irs/lcl_pr.c
+++ b/contrib/bind9/lib/bind/irs/lcl_pr.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_pr.c,v 1.1.206.2 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Id: lcl_pr.c,v 1.2.18.2 2006/03/10 00:20:08 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* extern */
@@ -290,3 +290,5 @@ pr_minimize(struct irs_pr *this) {
 		pvt->fp = NULL;
 	}
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/lcl_pw.c b/contrib/bind9/lib/bind/irs/lcl_pw.c
index dc31dd2..316057b 100644
--- a/contrib/bind9/lib/bind/irs/lcl_pw.c
+++ b/contrib/bind9/lib/bind/irs/lcl_pw.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_pw.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
+static const char rcsid[] = "$Id: lcl_pw.c,v 1.2.18.1 2005/04/27 05:01:03 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Extern */
@@ -85,7 +85,8 @@ static int __bind_irs_pw_unneeded;
 #include "irs_p.h"
 #include "lcl_p.h"
 
-/*
+/*! \file
+ * \brief
  * The lookup techniques and data extraction code here must be kept
  * in sync with that in `pwd_mkdb'.
  */
@@ -94,9 +95,9 @@ static int __bind_irs_pw_unneeded;
 /* Types */
 
 struct  pvt {
-	struct passwd	passwd;		/* password structure */
-	DB 		*pw_db;		/* password database */
-	int		pw_keynum;	/* key counter */
+	struct passwd	passwd;		/*%< password structure */
+	DB 		*pw_db;		/*%< password database */
+	int		pw_keynum;	/*%< key counter */
 	int		warned;
 	u_int		max;
 	char *		line;
diff --git a/contrib/bind9/lib/bind/irs/lcl_sv.c b/contrib/bind9/lib/bind/irs/lcl_sv.c
index b407d7f..7675834 100644
--- a/contrib/bind9/lib/bind/irs/lcl_sv.c
+++ b/contrib/bind9/lib/bind/irs/lcl_sv.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_sv.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
+static const char rcsid[] = "$Id: lcl_sv.c,v 1.3.18.1 2005/04/27 05:01:03 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* extern */
@@ -387,8 +387,7 @@ sv_db_rec(struct lcl_sv *sv, DBT *key, DBT *data) {
 	int n;
 
 	p = data->data;
-	p[data->size - 1] = '\0';	/* should be, but we depend on it */
-
+	p[data->size - 1] = '\0';	/*%< should be, but we depend on it */
 	if (((char *)key->data)[0] == '\0') {
 		if (key->size < sizeof(u_short)*2 || data->size < 2)
 			return (NULL);
@@ -429,3 +428,5 @@ sv_db_rec(struct lcl_sv *sv, DBT *key, DBT *data) {
 	return (&sv->serv);
 }
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/nis.c b/contrib/bind9/lib/bind/irs/nis.c
index 70eaaed..62cc267 100644
--- a/contrib/bind9/lib/bind/irs/nis.c
+++ b/contrib/bind9/lib/bind/irs/nis.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
+static const char rcsid[] = "$Id: nis.c,v 1.2.18.1 2005/04/27 05:01:03 sra Exp $";
 #endif
 
 /* Imports */
@@ -152,3 +152,5 @@ nis_close(struct irs_acc *this) {
 }
 
 #endif /*WANT_IRS_NIS*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/nis_gr.c b/contrib/bind9/lib/bind/irs/nis_gr.c
index e06861f..9d4f15d 100644
--- a/contrib/bind9/lib/bind/irs/nis_gr.c
+++ b/contrib/bind9/lib/bind/irs/nis_gr.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_gr.c,v 1.1.2.1.4.1 2004/03/09 08:33:38 marka Exp $";
+static const char rcsid[] = "$Id: nis_gr.c,v 1.3.18.1 2005/04/27 05:01:03 sra Exp $";
 /* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
 /* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $	*/
 #endif /* LIBC_SCCS and not lint */
@@ -99,7 +99,7 @@ struct pvt {
 	int		curkey_len;
 	char *		curval_data;
 	int		curval_len;
-	/*
+	/*%<
 	 * Need space to store the entries read from the group file.
 	 * The members list also needs space per member, and the
 	 * strings making up the user names must be allocated
@@ -107,7 +107,7 @@ struct pvt {
 	 * we keep one buffer and resize it as needed.
 	 */
 	struct group	group;
-	size_t		nmemb;		/* Malloc'd max index of gr_mem[]. */
+	size_t		nmemb;		/*%< Malloc'd max index of gr_mem[]. */
 	char *		membuf;
 	size_t		membufsize;
 };
@@ -351,3 +351,4 @@ nisfree(struct pvt *pvt, enum do_what do_what) {
 }
 
 #endif /* WANT_IRS_GR && WANT_IRS_NIS */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/nis_ho.c b/contrib/bind9/lib/bind/irs/nis_ho.c
index 7f0b125..7524279 100644
--- a/contrib/bind9/lib/bind/irs/nis_ho.c
+++ b/contrib/bind9/lib/bind/irs/nis_ho.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_ho.c,v 1.2.2.1.4.1 2004/03/09 08:33:38 marka Exp $";
+static const char rcsid[] = "$Id: nis_ho.c,v 1.4.18.1 2005/04/27 05:01:03 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
@@ -79,7 +79,7 @@ struct pvt {
 	char *		h_addr_ptrs[MAXADDRS + 1];
 	char *		host_aliases[MAXALIASES + 1];
 	char		hostbuf[8*1024];
-	u_char		host_addr[16];	/* IPv4 or IPv6 */
+	u_char		host_addr[16];	/*%< IPv4 or IPv6 */
 	struct __res_state  *res;
 	void		(*free_res)(void *);
 };
@@ -369,7 +369,7 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 	cur = &sentinel;
 
 	switch(pai->ai_family) {
-	case AF_UNSPEC:		/* INET6 then INET4 */
+	case AF_UNSPEC:		/*%< INET6 then INET4 */
 		q.family = AF_INET6;
 		q.next = &q2;
 		q2.family = AF_INET;
@@ -381,7 +381,7 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		q.family = AF_INET;
 		break;
 	default:
-		RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); /* ??? */
+		RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); /*%< ??? */
 		return(NULL);
 	}
 
@@ -414,7 +414,7 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 
 /* Private */
 
-/*
+/*%
 ipnodes:
 ::1             localhost
 127.0.0.1       localhost
@@ -531,3 +531,5 @@ init(struct irs_ho *this) {
 	return (0);
 }
 #endif /*WANT_IRS_NIS*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/nis_ng.c b/contrib/bind9/lib/bind/irs/nis_ng.c
index 4ee700c..f2298b2 100644
--- a/contrib/bind9/lib/bind/irs/nis_ng.c
+++ b/contrib/bind9/lib/bind/irs/nis_ng.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_ng.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
+static const char rcsid[] = "$Id: nis_ng.c,v 1.3.18.1 2005/04/27 05:01:03 sra Exp $";
 #endif
 
 /* Imports */
@@ -300,3 +300,5 @@ tmpfree(struct pvt *pvt) {
 }
 
 #endif /*WANT_IRS_NIS*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/nis_nw.c b/contrib/bind9/lib/bind/irs/nis_nw.c
index 669b29d..2fb50dc 100644
--- a/contrib/bind9/lib/bind/irs/nis_nw.c
+++ b/contrib/bind9/lib/bind/irs/nis_nw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_nw.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
+static const char rcsid[] = "$Id: nis_nw.c,v 1.3.18.1 2005/04/27 05:01:03 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
@@ -381,3 +381,5 @@ init(struct irs_nw *this) {
 }
 
 #endif /*WANT_IRS_NIS*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/nis_p.h b/contrib/bind9/lib/bind/irs/nis_p.h
index 95f5851..9e7f26c 100644
--- a/contrib/bind9/lib/bind/irs/nis_p.h
+++ b/contrib/bind9/lib/bind/irs/nis_p.h
@@ -16,14 +16,15 @@
  */
 
 /*
- * $Id: nis_p.h,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $
+ * $Id: nis_p.h,v 1.2.18.1 2005/04/27 05:01:04 sra Exp $
  */
 
-/*
+/*! \file
+ * \brief
  * nis_p.h - private include file for the NIS functions.
  */
 
-/*
+/*%
  * Object state.
  */
 struct nis_p {
diff --git a/contrib/bind9/lib/bind/irs/nis_pr.c b/contrib/bind9/lib/bind/irs/nis_pr.c
index 8173f3e..58ff84d 100644
--- a/contrib/bind9/lib/bind/irs/nis_pr.c
+++ b/contrib/bind9/lib/bind/irs/nis_pr.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_pr.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
+static const char rcsid[] = "$Id: nis_pr.c,v 1.3.18.1 2005/04/27 05:01:04 sra Exp $";
 #endif
 
 /* Imports */
@@ -298,3 +298,5 @@ nisfree(struct pvt *pvt, enum do_what do_what) {
 }
 
 #endif /*WANT_IRS_NIS*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/nis_pw.c b/contrib/bind9/lib/bind/irs/nis_pw.c
index 889d97f..02c6b42 100644
--- a/contrib/bind9/lib/bind/irs/nis_pw.c
+++ b/contrib/bind9/lib/bind/irs/nis_pw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_pw.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
+static const char rcsid[] = "$Id: nis_pw.c,v 1.3.18.1 2005/04/27 05:01:04 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
@@ -230,7 +230,7 @@ makepasswdent(struct irs_pw *this) {
 	if (!(cp = strchr(cp, ':')))
 		goto cleanup;
 #ifdef HAS_PW_CLASS
-	pvt->passwd.pw_class = cp;	/* Needs to point at a \0. */
+	pvt->passwd.pw_class = cp;	/*%< Needs to point at a \0. */
 #endif
 	*cp++ = '\0';
 
@@ -285,3 +285,4 @@ nisfree(struct pvt *pvt, enum do_what do_what) {
 }
 
 #endif /* WANT_IRS_PW && WANT_IRS_NIS */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/nis_sv.c b/contrib/bind9/lib/bind/irs/nis_sv.c
index b8c1c6b..dd307f0 100644
--- a/contrib/bind9/lib/bind/irs/nis_sv.c
+++ b/contrib/bind9/lib/bind/irs/nis_sv.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_sv.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
+static const char rcsid[] = "$Id: nis_sv.c,v 1.3.18.1 2005/04/27 05:01:04 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
@@ -306,3 +306,5 @@ nisfree(struct pvt *pvt, enum do_what do_what) {
 }
 
 #endif /*WANT_IRS_NIS*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/nul_ng.c b/contrib/bind9/lib/bind/irs/nul_ng.c
index 828bebe..fa9ec46 100644
--- a/contrib/bind9/lib/bind/irs/nul_ng.c
+++ b/contrib/bind9/lib/bind/irs/nul_ng.c
@@ -16,10 +16,11 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nul_ng.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
+static const char rcsid[] = "$Id: nul_ng.c,v 1.2.18.1 2005/04/27 05:01:04 sra Exp $";
 #endif
 
-/*
+/*! \file
+ * \brief
  * nul_ng.c - the netgroup accessor null map
  */
 
diff --git a/contrib/bind9/lib/bind/irs/pathnames.h b/contrib/bind9/lib/bind/irs/pathnames.h
index 412dc76..c775de2 100644
--- a/contrib/bind9/lib/bind/irs/pathnames.h
+++ b/contrib/bind9/lib/bind/irs/pathnames.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: pathnames.h,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $
+ * $Id: pathnames.h,v 1.2.18.1 2005/04/27 05:01:04 sra Exp $
  */
 
 #ifndef _PATH_IRS_CONF
@@ -48,3 +48,5 @@
 #ifndef _PATH_HESIOD_CONF
 #define _PATH_HESIOD_CONF "/etc/hesiod.conf"
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/irs/util.c b/contrib/bind9/lib/bind/irs/util.c
index 095e7ad..5c4cc28 100644
--- a/contrib/bind9/lib/bind/irs/util.c
+++ b/contrib/bind9/lib/bind/irs/util.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: util.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
+static const char rcsid[] = "$Id: util.c,v 1.2.18.1 2005/04/27 05:01:05 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -105,3 +105,5 @@ make_group_list(struct irs_gr *this, const char *name,
 	*ngroups = ng;
 	return (ret);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/Makefile.in b/contrib/bind9/lib/bind/isc/Makefile.in
index d8e8889..3cbb640 100644
--- a/contrib/bind9/lib/bind/isc/Makefile.in
+++ b/contrib/bind9/lib/bind/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6.206.1 2004/03/06 08:13:23 marka Exp $
+# $Id: Makefile.in,v 1.7 2004/03/05 05:05:38 marka Exp $
 
 srcdir=		@srcdir@
 VPATH =         @srcdir@
diff --git a/contrib/bind9/lib/bind/isc/assertions.c b/contrib/bind9/lib/bind/isc/assertions.c
index f1fb2ef..c03464d 100644
--- a/contrib/bind9/lib/bind/isc/assertions.c
+++ b/contrib/bind9/lib/bind/isc/assertions.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: assertions.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
+static const char rcsid[] = "$Id: assertions.c,v 1.2.18.1 2005/04/27 05:01:05 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -89,3 +89,5 @@ default_assertion_failed(const char *file, int line, assertion_type type,
 	abort();
 	/* NOTREACHED */
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/assertions.mdoc b/contrib/bind9/lib/bind/isc/assertions.mdoc
index c214453..4b77e56 100644
--- a/contrib/bind9/lib/bind/isc/assertions.mdoc
+++ b/contrib/bind9/lib/bind/isc/assertions.mdoc
@@ -1,4 +1,4 @@
-.\" $Id: assertions.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:39 marka Exp $
+.\" $Id: assertions.mdoc,v 1.3 2004/03/09 06:30:06 marka Exp $
 .\"
 .\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 1997,1999 by Internet Software Consortium.
diff --git a/contrib/bind9/lib/bind/isc/base64.c b/contrib/bind9/lib/bind/isc/base64.c
index 51676f3..d4bc2ea 100644
--- a/contrib/bind9/lib/bind/isc/base64.c
+++ b/contrib/bind9/lib/bind/isc/base64.c
@@ -41,7 +41,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: base64.c,v 1.1.206.2 2004/03/17 00:29:50 marka Exp $";
+static const char rcsid[] = "$Id: base64.c,v 1.3.18.1 2005/04/27 05:01:05 sra Exp $";
 #endif /* not lint */
 
 #include "port_before.h"
@@ -69,7 +69,7 @@ static const char Base64[] =
 static const char Pad64 = '=';
 
 /* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
-   The following encoding technique is taken from RFC 1521 by Borenstein
+   The following encoding technique is taken from RFC1521 by Borenstein
    and Freed.  It is reproduced here in a slightly edited form for
    convenience.
 
@@ -187,7 +187,7 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) {
 	}
 	if (datalength >= targsize)
 		return (-1);
-	target[datalength] = '\0';	/* Returned value doesn't count \0. */
+	target[datalength] = '\0';	/*%< Returned value doesn't count \\0. */
 	return (datalength);
 }
 
@@ -210,14 +210,14 @@ b64_pton(src, target, targsize)
 	tarindex = 0;
 
 	while ((ch = *src++) != '\0') {
-		if (isspace(ch))	/* Skip whitespace anywhere. */
+		if (isspace(ch))	/*%< Skip whitespace anywhere. */
 			continue;
 
 		if (ch == Pad64)
 			break;
 
 		pos = strchr(Base64, ch);
-		if (pos == 0) 		/* A non-base64 character. */
+		if (pos == 0) 		/*%< A non-base64 character. */
 			return (-1);
 
 		switch (state) {
@@ -270,14 +270,14 @@ b64_pton(src, target, targsize)
 	 * on a byte boundary, and/or with erroneous trailing characters.
 	 */
 
-	if (ch == Pad64) {		/* We got a pad char. */
-		ch = *src++;		/* Skip it, get next. */
+	if (ch == Pad64) {		/*%< We got a pad char. */
+		ch = *src++;		/*%< Skip it, get next. */
 		switch (state) {
-		case 0:		/* Invalid = in first position */
-		case 1:		/* Invalid = in second position */
+		case 0:		/*%< Invalid = in first position */
+		case 1:		/*%< Invalid = in second position */
 			return (-1);
 
-		case 2:		/* Valid, means one byte of info */
+		case 2:		/*%< Valid, means one byte of info */
 			/* Skip any number of spaces. */
 			for ((void)NULL; ch != '\0'; ch = *src++)
 				if (!isspace(ch))
@@ -285,11 +285,11 @@ b64_pton(src, target, targsize)
 			/* Make sure there is another trailing = sign. */
 			if (ch != Pad64)
 				return (-1);
-			ch = *src++;		/* Skip the = */
+			ch = *src++;		/*%< Skip the = */
 			/* Fall through to "single trailing =" case. */
 			/* FALLTHROUGH */
 
-		case 3:		/* Valid, means two bytes of info */
+		case 3:		/*%< Valid, means two bytes of info */
 			/*
 			 * We know this char is an =.  Is there anything but
 			 * whitespace after it?
@@ -318,3 +318,5 @@ b64_pton(src, target, targsize)
 
 	return (tarindex);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/bitncmp.c b/contrib/bind9/lib/bind/isc/bitncmp.c
index fcff9f7..8764db1 100644
--- a/contrib/bind9/lib/bind/isc/bitncmp.c
+++ b/contrib/bind9/lib/bind/isc/bitncmp.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: bitncmp.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
+static const char rcsid[] = "$Id: bitncmp.c,v 1.2.18.1 2005/04/27 05:01:05 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -29,7 +29,7 @@ static const char rcsid[] = "$Id: bitncmp.c,v 1.1.206.1 2004/03/09 08:33:39 mark
 
 #include <isc/misc.h>
 
-/*
+/*%
  * int
  * bitncmp(l, r, n)
  *	compare bit masks l and r, for n bits.
@@ -64,3 +64,5 @@ bitncmp(const void *l, const void *r, int n) {
 	}
 	return (0);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/bitncmp.mdoc b/contrib/bind9/lib/bind/isc/bitncmp.mdoc
index 5462c2f..7d4646c 100644
--- a/contrib/bind9/lib/bind/isc/bitncmp.mdoc
+++ b/contrib/bind9/lib/bind/isc/bitncmp.mdoc
@@ -1,4 +1,4 @@
-.\" $Id: bitncmp.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:39 marka Exp $
+.\" $Id: bitncmp.mdoc,v 1.3 2004/03/09 06:30:07 marka Exp $
 .\"
 .\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 1996,1999 by Internet Software Consortium.
diff --git a/contrib/bind9/lib/bind/isc/ctl_clnt.c b/contrib/bind9/lib/bind/isc/ctl_clnt.c
index e1fa7e7..7dcf1be 100644
--- a/contrib/bind9/lib/bind/isc/ctl_clnt.c
+++ b/contrib/bind9/lib/bind/isc/ctl_clnt.c
@@ -1,5 +1,5 @@
 #if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: ctl_clnt.c,v 1.4.2.1.4.3 2004/03/17 01:13:35 marka Exp $";
+static const char rcsid[] = "$Id: ctl_clnt.c,v 1.7.18.1 2005/04/27 05:01:05 sra Exp $";
 #endif /* not lint */
 
 /*
@@ -122,7 +122,7 @@ static const char * const state_names[] = {
 
 /* Public. */
 
-/*
+/*%
  * void
  * ctl_client()
  *	create, condition, and connect to a listener on the control port.
@@ -198,7 +198,7 @@ ctl_client(evContext lev, const struct sockaddr *cap, size_t cap_len,
 	return (ctx);
 }
 
-/*
+/*%
  * void
  * ctl_endclient(ctx)
  *	close a client and release all of its resources.
@@ -210,7 +210,7 @@ ctl_endclient(struct ctl_cctx *ctx) {
 	memput(ctx, sizeof *ctx);
 }
 
-/*
+/*%
  * int
  * ctl_command(ctx, cmd, len, donefunc, uap)
  *	Queue a transaction, which will begin with sending cmd
@@ -600,3 +600,5 @@ timer(evContext ev, void *uap, struct timespec due, struct timespec itv) {
 		       ctx->timeout.tv_sec, state_names[ctx->state]);
 	error(ctx);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/ctl_p.c b/contrib/bind9/lib/bind/isc/ctl_p.c
index bc45004..35c2398 100644
--- a/contrib/bind9/lib/bind/isc/ctl_p.c
+++ b/contrib/bind9/lib/bind/isc/ctl_p.c
@@ -1,5 +1,5 @@
 #if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: ctl_p.c,v 1.1.206.2 2004/03/17 00:29:51 marka Exp $";
+static const char rcsid[] = "$Id: ctl_p.c,v 1.3.18.1 2005/04/27 05:01:05 sra Exp $";
 #endif /* not lint */
 
 /*
@@ -56,7 +56,7 @@ const char * const ctl_sevnames[] = {
 
 /* Public. */
 
-/*
+/*%
  * ctl_logger()
  *	if ctl_startup()'s caller didn't specify a logger, this one
  *	is used.  this pollutes stderr with all kinds of trash so it will
@@ -184,3 +184,5 @@ ctl_sa_copy(const struct sockaddr *src, struct sockaddr *dst) {
 		break;
 	}
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/ctl_p.h b/contrib/bind9/lib/bind/isc/ctl_p.h
index 42aade7..18a52ae 100644
--- a/contrib/bind9/lib/bind/isc/ctl_p.h
+++ b/contrib/bind9/lib/bind/isc/ctl_p.h
@@ -3,7 +3,7 @@ struct ctl_buf {
 	size_t			used;
 };
 
-#define	MAX_LINELEN		990	/* Like SMTP. */
+#define	MAX_LINELEN		990	/*%< Like SMTP. */
 #ifndef NO_SOCKADDR_UN
 #define MAX_NTOP			PATH_MAX
 #else
@@ -24,3 +24,5 @@ const char *		ctl_sa_ntop(const struct sockaddr *, char *, size_t,
 				    ctl_logfunc);
 void			ctl_sa_copy(const struct sockaddr *,
 				    struct sockaddr *);
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/ctl_srvr.c b/contrib/bind9/lib/bind/isc/ctl_srvr.c
index 56c7684..52137c0 100644
--- a/contrib/bind9/lib/bind/isc/ctl_srvr.c
+++ b/contrib/bind9/lib/bind/isc/ctl_srvr.c
@@ -1,5 +1,5 @@
 #if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: ctl_srvr.c,v 1.3.2.1.4.3 2004/03/17 01:13:35 marka Exp $";
+static const char rcsid[] = "$Id: ctl_srvr.c,v 1.6.18.2 2006/12/07 04:53:02 marka Exp $";
 #endif /* not lint */
 
 /*
@@ -158,7 +158,7 @@ static const struct ctl_verb	fakehelpverb = {
 
 /* Public. */
 
-/*
+/*%
  * void
  * ctl_server()
  *	create, condition, and start a listener on the control port.
@@ -263,7 +263,7 @@ ctl_server(evContext lev, const struct sockaddr *sap, size_t sap_len,
 	return (ctx);
 }
 
-/*
+/*%
  * void
  * ctl_endserver(ctx)
  *	if the control listener is open, close it.  clean out all eventlib
@@ -291,7 +291,7 @@ ctl_endserver(struct ctl_sctx *ctx) {
 	memput(ctx, sizeof *ctx);
 }
 
-/*
+/*%
  * If body is non-NULL then it we add a "." line after it.
  * Caller must have  escaped lines with leading ".".
  */
@@ -564,7 +564,7 @@ static void
 ctl_readable(evContext lev, void *uap, int fd, int evmask) {
 	static const char me[] = "ctl_readable";
 	struct ctl_sess *sess = uap;
-	struct ctl_sctx *ctx = sess->ctx;
+	struct ctl_sctx *ctx;
 	char *eos, tmp[MAX_NTOP];
 	ssize_t n;
 
@@ -572,6 +572,8 @@ ctl_readable(evContext lev, void *uap, int fd, int evmask) {
 	REQUIRE(fd >= 0);
 	REQUIRE(evmask == EV_READ);
 	REQUIRE(sess->state == reading || sess->state == reading_data);
+
+	ctx = sess->ctx;
 	evTouchIdleTimer(lev, sess->rdtiID);
 	if (!allocated_p(sess->inbuf) &&
 	    ctl_bufget(&sess->inbuf, ctx->logger) < 0) {
@@ -778,3 +780,5 @@ ctl_signal_done(struct ctl_sctx *ctx, struct ctl_sess *sess) {
 		sess->donefunc = NULL;
 	}
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/ev_connects.c b/contrib/bind9/lib/bind/isc/ev_connects.c
index b3873b7..64e918d 100644
--- a/contrib/bind9/lib/bind/isc/ev_connects.c
+++ b/contrib/bind9/lib/bind/isc/ev_connects.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_connects.c,v 1.4.206.3 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Id: ev_connects.c,v 1.5.18.3 2006/03/10 00:20:08 marka Exp $";
 #endif
 
 /* Import. */
@@ -69,7 +69,7 @@ evListen(evContext opaqueCtx, int fd, int maxconn,
 
 	OKNEW(new);
 	new->flags = EV_CONN_LISTEN;
-	OKFREE(mode = fcntl(fd, F_GETFL, NULL), new);	/* side effect: validate fd. */
+	OKFREE(mode = fcntl(fd, F_GETFL, NULL), new);	/*%< side effect: validate fd. */
 	/*
 	 * Remember the nonblocking status.  We assume that either evSelectFD
 	 * has not been done to this fd, or that if it has then the caller
@@ -359,9 +359,11 @@ connector(evContext opaqueCtx, void *uap, int fd, int evmask) {
 	    GETXXXNAME(getpeername, fd, ra.sa, ralen) < 0) {
 		int save = errno;
 
-		(void) close(fd);	/* XXX closing caller's fd */
+		(void) close(fd);	/*%< XXX closing caller's fd */
 		errno = save;
 		fd = -1;
 	}
 	(*conn_func)(opaqueCtx, conn_uap, fd, &la.sa, lalen, &ra.sa, ralen);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/ev_files.c b/contrib/bind9/lib/bind/isc/ev_files.c
index 1f95ed0..71de091 100644
--- a/contrib/bind9/lib/bind/isc/ev_files.c
+++ b/contrib/bind9/lib/bind/isc/ev_files.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_files.c,v 1.3.2.1.4.3 2005/07/28 07:43:19 marka Exp $";
+static const char rcsid[] = "$Id: ev_files.c,v 1.5.18.3 2005/07/28 07:38:09 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -62,8 +62,7 @@ evSelectFD(evContext opaqueCtx,
 	if (fd > ctx->highestFD)
 		EV_ERR(EINVAL);
 #endif
-	OK(mode = fcntl(fd, F_GETFL, NULL));	/* side effect: validate fd. */
-
+	OK(mode = fcntl(fd, F_GETFL, NULL));	/*%< side effect: validate fd. */
 	/*
 	 * The first time we touch a file descriptor, we need to check to see
 	 * if the application already had it in O_NONBLOCK mode and if so, all
@@ -274,3 +273,5 @@ FindFD(const evContext_p *ctx, int fd, int eventmask) {
 			break;
 	return (id);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/ev_streams.c b/contrib/bind9/lib/bind/isc/ev_streams.c
index 64e88b0..ab61246 100644
--- a/contrib/bind9/lib/bind/isc/ev_streams.c
+++ b/contrib/bind9/lib/bind/isc/ev_streams.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_streams.c,v 1.2.206.2 2004/03/17 00:29:51 marka Exp $";
+static const char rcsid[] = "$Id: ev_streams.c,v 1.4.18.1 2005/04/27 05:01:06 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -304,3 +304,5 @@ readable(evContext opaqueCtx, void *uap, int fd, int evmask) {
 	if (str->ioDone <= 0 || str->ioDone == str->ioTotal)
 		done(opaqueCtx, str);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/ev_timers.c b/contrib/bind9/lib/bind/isc/ev_timers.c
index 11433fb..cead2aa 100644
--- a/contrib/bind9/lib/bind/isc/ev_timers.c
+++ b/contrib/bind9/lib/bind/isc/ev_timers.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_timers.c,v 1.2.2.1.4.5 2004/03/17 02:39:13 marka Exp $";
+static const char rcsid[] = "$Id: ev_timers.c,v 1.5.18.1 2005/04/27 05:01:06 sra Exp $";
 #endif
 
 /* Import. */
@@ -495,3 +495,5 @@ idle_timeout(evContext opaqueCtx,
 		this->timer->inter = evSubTime(this->max_idle, idle);
 	}
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/ev_waits.c b/contrib/bind9/lib/bind/isc/ev_waits.c
index f30280d..d33b061 100644
--- a/contrib/bind9/lib/bind/isc/ev_waits.c
+++ b/contrib/bind9/lib/bind/isc/ev_waits.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_waits.c,v 1.1.2.1.4.1 2004/03/09 08:33:43 marka Exp $";
+static const char rcsid[] = "$Id: ev_waits.c,v 1.3.18.1 2005/04/27 05:01:06 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -44,7 +44,7 @@ static evWaitList *	evGetWaitList(evContext_p *, const void *, int);
 
 /* Public. */
 
-/*
+/*%
  * Enter a new wait function on the queue.
  */
 int
@@ -72,7 +72,7 @@ evWaitFor(evContext opaqueCtx, const void *tag,
 	return (0);
 }
 
-/*
+/*%
  * Mark runnable all waiting functions having a certain tag.
  */
 int
@@ -99,7 +99,7 @@ evDo(evContext opaqueCtx, const void *tag) {
 	return (0);
 }
 
-/*
+/*%
  * Remove a waiting (or ready to run) function from the queue.
  */
 int
@@ -243,3 +243,5 @@ evGetWaitList(evContext_p *ctx, const void *tag, int should_create) {
 		this = evNewWaitList(ctx);
 	return (this);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/eventlib.c b/contrib/bind9/lib/bind/isc/eventlib.c
index 11120ec..20624d0 100644
--- a/contrib/bind9/lib/bind/isc/eventlib.c
+++ b/contrib/bind9/lib/bind/isc/eventlib.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: eventlib.c,v 1.2.2.1.4.6 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Id: eventlib.c,v 1.5.18.5 2006/03/10 00:20:08 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -29,9 +29,9 @@ static const char rcsid[] = "$Id: eventlib.c,v 1.2.2.1.4.6 2006/03/10 00:17:21 m
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/stat.h>
-#ifdef SOLARIS2
+#ifdef	SOLARIS2
 #include <limits.h>
-#endif /* SOLARIS2 */
+#endif	/* SOLARIS2 */
 
 #include <errno.h>
 #include <signal.h>
@@ -48,7 +48,7 @@ static const char rcsid[] = "$Id: eventlib.c,v 1.2.2.1.4.6 2006/03/10 00:17:21 m
 int      __evOptMonoTime;
 
 #ifdef USE_POLL
-#define pselect Pselect
+#define	pselect Pselect
 #endif /* USE_POLL */
 
 /* Forward. */
@@ -85,8 +85,9 @@ evCreate(evContext *opaqueCtx) {
 	INIT_LIST(ctx->accepts);
 
 	/* Files. */
+	ctx->files = NULL;
 #ifdef USE_POLL
-	ctx->pollfds = NULL;
+        ctx->pollfds = NULL;
 	ctx->maxnfds = 0;
 	ctx->firstfd = 0;
 	emulMaskInit(ctx, rdLast, EV_READ, 1);
@@ -97,21 +98,20 @@ evCreate(evContext *opaqueCtx) {
 	emulMaskInit(ctx, exNext, EV_EXCEPT, 0);
 	emulMaskInit(ctx, nonblockBefore, EV_WASNONBLOCKING, 0);
 #endif /* USE_POLL */
-	ctx->files = NULL;
 	FD_ZERO(&ctx->rdNext);
 	FD_ZERO(&ctx->wrNext);
 	FD_ZERO(&ctx->exNext);
 	FD_ZERO(&ctx->nonblockBefore);
 	ctx->fdMax = -1;
 	ctx->fdNext = NULL;
-	ctx->fdCount = 0;	/* Invalidate {rd,wr,ex}Last. */
+	ctx->fdCount = 0;	/*%< Invalidate {rd,wr,ex}Last. */
 #ifndef USE_POLL
 	ctx->highestFD = FD_SETSIZE - 1;
 	memset(ctx->fdTable, 0, sizeof ctx->fdTable);
-#else
+#else   
 	ctx->highestFD = INT_MAX / sizeof(struct pollfd);
 	ctx->fdTable = NULL;
-#endif
+#endif /* USE_POLL */
 #ifdef EVENTLIB_TIME_CHECKS
 	ctx->lastFdCount = 0;
 #endif
@@ -150,7 +150,7 @@ evSetDebug(evContext opaqueCtx, int level, FILE *output) {
 int
 evDestroy(evContext opaqueCtx) {
 	evContext_p *ctx = opaqueCtx.opaque;
-	int revs = 424242;	/* Doug Adams. */
+	int revs = 424242;	/*%< Doug Adams. */
 	evWaitList *this_wl, *next_wl;
 	evWait *this_wait, *next_wait;
 
@@ -266,8 +266,7 @@ evGetNext(evContext opaqueCtx, evEvent *opaqueEv, int options) {
 		nextTime = nextTimer->due;
 		timerPast = (evCmpTime(nextTime, ctx->lastEventTime) <= 0);
 	} else
-		timerPast = 0;	/* Make gcc happy. */
-
+		timerPast = 0;	/*%< Make gcc happy. */
 	evPrintf(ctx, 9, "evGetNext: fdCount %d\n", ctx->fdCount);
 	if (ctx->fdCount == 0) {
 		static const struct timespec NoTime = {0, 0L};
@@ -309,10 +308,10 @@ evGetNext(evContext opaqueCtx, evEvent *opaqueEv, int options) {
 #endif
 		do {
 #ifndef USE_POLL
-			/* XXX need to copy only the bits we are using. */
-			ctx->rdLast = ctx->rdNext;
-			ctx->wrLast = ctx->wrNext;
-			ctx->exLast = ctx->exNext;
+			 /* XXX need to copy only the bits we are using. */
+			 ctx->rdLast = ctx->rdNext;
+			 ctx->wrLast = ctx->wrNext;
+			 ctx->exLast = ctx->exNext;
 #else
 			/*
 			 * The pollfd structure uses separate fields for
@@ -742,10 +741,10 @@ pselect(int nfds, void *rfds, void *wfds, void *efds,
 	sigset_t sigs;
 	int n;
 #ifdef USE_POLL
-	int polltimeout = INFTIM;
-	evContext_p *ctx;
-	struct pollfd *fds;
-	nfds_t pnfds;
+	int	polltimeout = INFTIM;
+	evContext_p	*ctx;
+	struct pollfd	*fds;
+	nfds_t		pnfds;
 
 	UNUSED(nfds);
 #endif /* USE_POLL */
@@ -761,9 +760,9 @@ pselect(int nfds, void *rfds, void *wfds, void *efds,
 	if (sigmask)
 		sigprocmask(SIG_SETMASK, sigmask, &sigs);
 #ifndef USE_POLL
-	n = select(nfds, rfds, wfds, efds, tvp);
+	 n = select(nfds, rfds, wfds, efds, tvp);
 #else
-	/*
+        /*
 	 * rfds, wfds, and efds should all be from the same evContext_p,
 	 * so any of them will do. If they're all NULL, the caller is
 	 * presumably calling us to block.
@@ -797,7 +796,7 @@ pselect(int nfds, void *rfds, void *wfds, void *efds,
 				e++;
 			if (FD_ISSET(i, &ctx->exLast))
 				e++;
-			}
+		}
 		n = e;
 	}
 #endif /* USE_POLL */
diff --git a/contrib/bind9/lib/bind/isc/eventlib.mdoc b/contrib/bind9/lib/bind/isc/eventlib.mdoc
index 3bf6ffb..5e9cd85 100644
--- a/contrib/bind9/lib/bind/isc/eventlib.mdoc
+++ b/contrib/bind9/lib/bind/isc/eventlib.mdoc
@@ -1,4 +1,4 @@
-.\" $Id: eventlib.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
+.\" $Id: eventlib.mdoc,v 1.3 2004/03/09 06:30:08 marka Exp $
 .\"
 .\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 1995-1999 by Internet Software Consortium
diff --git a/contrib/bind9/lib/bind/isc/eventlib_p.h b/contrib/bind9/lib/bind/isc/eventlib_p.h
index 5c45ab8..5896553 100644
--- a/contrib/bind9/lib/bind/isc/eventlib_p.h
+++ b/contrib/bind9/lib/bind/isc/eventlib_p.h
@@ -15,10 +15,11 @@
  * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* eventlib_p.h - private interfaces for eventlib
- * vix 09sep95 [initial]
+/*! \file 
+ * \brief private interfaces for eventlib
+ * \author vix 09sep95 [initial]
  *
- * $Id: eventlib_p.h,v 1.3.2.1.4.4 2006/03/10 00:17:21 marka Exp $
+ * $Id: eventlib_p.h,v 1.5.18.4 2006/03/10 00:20:08 marka Exp $
  */
 
 #ifndef _EVENTLIB_P_H
@@ -77,9 +78,9 @@ typedef struct evConn {
 	void *		uap;
 	int		fd;
 	int		flags;
-#define EV_CONN_LISTEN		0x0001		/* Connection is a listener. */
-#define EV_CONN_SELECTED	0x0002		/* evSelectFD(conn->file). */
-#define EV_CONN_BLOCK		0x0004		/* Listener fd was blocking. */
+#define EV_CONN_LISTEN		0x0001		/*%< Connection is a listener. */
+#define EV_CONN_SELECTED	0x0002		/*%< evSelectFD(conn->file). */
+#define EV_CONN_BLOCK		0x0004		/*%< Listener fd was blocking. */
 	evFileID	file;
 	struct evConn *	prev;
 	struct evConn *	next;
@@ -126,7 +127,7 @@ typedef struct evStream {
 	evFileID	file;
 	evTimerID	timer;
 	int		flags;
-#define EV_STR_TIMEROK	0x0001	/* IFF timer valid. */
+#define EV_STR_TIMEROK	0x0001	/*%< IFF timer valid. */
 	int		fd;
 	struct iovec *	iovOrig;
 	int		iovOrigCount;
diff --git a/contrib/bind9/lib/bind/isc/heap.c b/contrib/bind9/lib/bind/isc/heap.c
index 2faf6f5..bea7678 100644
--- a/contrib/bind9/lib/bind/isc/heap.c
+++ b/contrib/bind9/lib/bind/isc/heap.c
@@ -15,7 +15,7 @@
  * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/*
+/*%
  * Heap implementation of priority queues adapted from the following:
  *
  *	_Introduction to Algorithms_, Cormen, Leiserson, and Rivest,
@@ -26,7 +26,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: heap.c,v 1.1.206.2 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Id: heap.c,v 1.2.18.2 2006/03/10 00:20:08 marka Exp $";
 #endif /* not lint */
 
 #include "port_before.h"
@@ -39,7 +39,7 @@ static const char rcsid[] = "$Id: heap.c,v 1.1.206.2 2006/03/10 00:17:21 marka E
 
 #include <isc/heap.h>
 
-/*
+/*%
  * Note: to make heap_parent and heap_left easy to compute, the first
  * element of the heap array is not used; i.e. heap subscripts are 1-based,
  * not 0-based.
@@ -232,3 +232,5 @@ heap_for_each(heap_context ctx, heap_for_each_func action, void *uap) {
 		(action)(ctx->heap[i], uap);
 	return (0);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/heap.mdoc b/contrib/bind9/lib/bind/isc/heap.mdoc
index 95c9444..332a6ec 100644
--- a/contrib/bind9/lib/bind/isc/heap.mdoc
+++ b/contrib/bind9/lib/bind/isc/heap.mdoc
@@ -1,4 +1,4 @@
-.\" $Id: heap.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
+.\" $Id: heap.mdoc,v 1.3 2004/03/09 06:30:08 marka Exp $
 .\"
 .\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 1997,1999 by Internet Software Consortium.
diff --git a/contrib/bind9/lib/bind/isc/hex.c b/contrib/bind9/lib/bind/isc/hex.c
index 7031259..e43be4f 100644
--- a/contrib/bind9/lib/bind/isc/hex.c
+++ b/contrib/bind9/lib/bind/isc/hex.c
@@ -33,7 +33,7 @@ isc_gethexstring(unsigned char *buf, size_t len, int count, FILE *fp,
 	char *s;
 	int result = count;
 	
-	x = 0; /* silence compiler */
+	x = 0; /*%< silence compiler */
 	n = 0;
 	while (count > 0) {
 		c = fgetc(fp);
@@ -115,3 +115,5 @@ isc_tohex(const unsigned char *buf, size_t buflen, char *t) {
 	}
 	*t = '\0';
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/logging.c b/contrib/bind9/lib/bind/isc/logging.c
index d4c7be2..ca7049c 100644
--- a/contrib/bind9/lib/bind/isc/logging.c
+++ b/contrib/bind9/lib/bind/isc/logging.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: logging.c,v 1.3.2.1.4.2 2004/03/17 01:49:42 marka Exp $";
+static const char rcsid[] = "$Id: logging.c,v 1.6.18.1 2005/04/27 05:01:07 sra Exp $";
 #endif /* not lint */
 
 #include "port_before.h"
@@ -258,7 +258,7 @@ log_check(log_context lc, int category, int level) {
 		return (0);
 
 	if (category < 0 || category > lc->num_categories)
-		category = 0;		/* use default */
+		category = 0;		/*%< use default */
 	lcl = lc->categories[category];
 	if (lcl == NULL) {
 		category = 0;
@@ -302,7 +302,7 @@ log_vwrite(log_context lc, int category, int level, const char *format,
 		return;
 
 	if (category < 0 || category > lc->num_categories)
-		category = 0;		/* use default */
+		category = 0;		/*%< use default */
 	original_category = category;
 	lcl = lc->categories[category];
 	if (lcl == NULL) {
@@ -441,7 +441,7 @@ log_write(log_context lc, int category, int level, const char *format, ...) {
 	va_end(args);
 }
 
-/*
+/*%
  * Functions to create, set, or destroy contexts
  */
 
@@ -718,3 +718,5 @@ log_free_channel(log_channel chan) {
 	}
 	return (0);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/logging.mdoc b/contrib/bind9/lib/bind/isc/logging.mdoc
index fc6351f..98b2aed 100644
--- a/contrib/bind9/lib/bind/isc/logging.mdoc
+++ b/contrib/bind9/lib/bind/isc/logging.mdoc
@@ -1,4 +1,4 @@
-.\" $Id: logging.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
+.\" $Id: logging.mdoc,v 1.3 2004/03/09 06:30:08 marka Exp $
 .\"
 .\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 1995-1999 by Internet Software Consortium
diff --git a/contrib/bind9/lib/bind/isc/logging_p.h b/contrib/bind9/lib/bind/isc/logging_p.h
index 99f6976..5e6314f 100644
--- a/contrib/bind9/lib/bind/isc/logging_p.h
+++ b/contrib/bind9/lib/bind/isc/logging_p.h
@@ -34,7 +34,7 @@ typedef union log_output {
 } log_output;
 
 struct log_channel {
-	int level;			/* don't log messages > level */
+	int level;			/*%< don't log messages > level */
 	log_channel_type type;
 	log_output out;
 	unsigned int flags;
@@ -58,3 +58,4 @@ struct log_context {
 };
 
 #endif /* !LOGGING_P_H */
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/memcluster.c b/contrib/bind9/lib/bind/isc/memcluster.c
index 886f516..a58a2fe 100644
--- a/contrib/bind9/lib/bind/isc/memcluster.c
+++ b/contrib/bind9/lib/bind/isc/memcluster.c
@@ -24,7 +24,7 @@
 
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: memcluster.c,v 1.3.206.8 2006/08/30 23:35:06 marka Exp $";
+static const char rcsid[] = "$Id: memcluster.c,v 1.5.18.6 2006/08/30 23:30:35 marka Exp $";
 #endif /* not lint */
 
 #include "port_before.h"
@@ -355,7 +355,7 @@ __memget_record(size_t size, const char *file, int line) {
 #endif
 }
 
-/* 
+/*%
  * This is a call from an external caller, 
  * so we want to count this as a user "put". 
  */
@@ -410,7 +410,7 @@ __memput_record(void *mem, size_t size, const char *file, int line) {
 		prev = el;
 		el = el->next;
 	}
-	INSIST(el != NULL);	/* double free */
+	INSIST(el != NULL);	/*%< double free */
 	if (prev == NULL) {
 		if (size == max_size || new_size >= max_size)
 			activelists[max_size] = el->next;
@@ -437,8 +437,8 @@ __memput_record(void *mem, size_t size, const char *file, int line) {
 
 	/* The free list uses the "rounded-up" size "new_size": */
 #if defined(DEBUGGING_MEMCLUSTER)
-	memset(mem, 0xa5, new_size - sizeof *e); /* catch write after free */
-	e->size = 0;	/* catch double memput() */
+	memset(mem, 0xa5, new_size - sizeof *e); /*%< catch write after free */
+	e->size = 0;	/*%< catch double memput() */
 #ifdef MEMCLUSTER_RECORD
 	e->file = file;
 	e->line = line;
@@ -489,7 +489,7 @@ __memput_debug(void *ptr, size_t size, const char *file, int line) {
 	__memput_record(ptr, size, file, line);
 }
 
-/*
+/*%
  * Print the stats[] on the stream "out" with suitable formatting.
  */
 void
@@ -549,7 +549,7 @@ memactive(void) {
 
 /* Private. */
 
-/* 
+/*%
  * Round up size to a multiple of sizeof(void *).  This guarantees that a
  * block is at least sizeof void *, and that we won't violate alignment
  * restrictions, both of which are needed to make lists of blocks.
@@ -584,3 +584,5 @@ check(unsigned char *a, int value, size_t len) {
 		INSIST(a[i] == value);
 }
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/memcluster.mdoc b/contrib/bind9/lib/bind/isc/memcluster.mdoc
index cd4e6fb..20b39d0 100644
--- a/contrib/bind9/lib/bind/isc/memcluster.mdoc
+++ b/contrib/bind9/lib/bind/isc/memcluster.mdoc
@@ -1,4 +1,4 @@
-.\" $Id: memcluster.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
+.\" $Id: memcluster.mdoc,v 1.3 2004/03/09 06:30:08 marka Exp $
 .\"
 .\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 1995-1999 by Internet Software Consortium
diff --git a/contrib/bind9/lib/bind/isc/movefile.c b/contrib/bind9/lib/bind/isc/movefile.c
index 8582aa7..191c46e 100644
--- a/contrib/bind9/lib/bind/isc/movefile.c
+++ b/contrib/bind9/lib/bind/isc/movefile.c
@@ -33,3 +33,5 @@ isc_movefile(const char *oldname, const char *newname) {
 #else
 	static int os_port_has_isc_movefile = 1;
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/tree.c b/contrib/bind9/lib/bind/isc/tree.c
index 9bdf6d6..5553636 100644
--- a/contrib/bind9/lib/bind/isc/tree.c
+++ b/contrib/bind9/lib/bind/isc/tree.c
@@ -1,8 +1,8 @@
 #ifndef LINT
-static const char rcsid[] = "$Id: tree.c,v 1.2.206.1 2004/03/09 08:33:43 marka Exp $";
+static const char rcsid[] = "$Id: tree.c,v 1.3.18.1 2005/04/27 05:01:08 sra Exp $";
 #endif
 
-/*
+/*%
  * tree - balanced binary tree library
  *
  * vix 05apr94 [removed vixie.h dependencies; cleaned up formatting, names]
@@ -14,7 +14,7 @@ static const char rcsid[] = "$Id: tree.c,v 1.2.206.1 2004/03/09 08:33:43 marka E
  * vix 14dec85 [written]
  */
 
-/*
+/*%
  * This program text was created by Paul Vixie using examples from the book:
  * "Algorithms & Data Structures," Niklaus Wirth, Prentice-Hall, 1986, ISBN
  * 0-13-022005-1.  Any errors in the conversion from Modula-2 to C are Paul
@@ -215,7 +215,7 @@ sprout(tree **ppr, tree_t p_data, int *pi_balance,
 		MSG("LESS. sprouting left.")
 		sub = sprout(&(*ppr)->left, p_data, pi_balance,
 			     pfi_compare, pfv_delete);
-		if (sub && *pi_balance) {	/* left branch has grown */
+		if (sub && *pi_balance) {	/*%< left branch has grown */
 			MSG("LESS: left branch has grown")
 			switch ((*ppr)->bal) {
 			case 1:
@@ -233,13 +233,13 @@ sprout(tree **ppr, tree_t p_data, int *pi_balance,
 				/* left branch was already too long. rebal */
 				MSG("LESS: case -1: rebalancing")
 				p1 = (*ppr)->left;
-				if (p1->bal == -1) {		/* LL */
+				if (p1->bal == -1) {		/*%< LL */
 					MSG("LESS: single LL")
 					(*ppr)->left = p1->right;
 					p1->right = *ppr;
 					(*ppr)->bal = 0;
 					*ppr = p1;
-				} else {			/* double LR */
+				} else {			/*%< double LR */
 					MSG("LESS: double LR")
 
 					p2 = p1->right;
@@ -289,13 +289,13 @@ sprout(tree **ppr, tree_t p_data, int *pi_balance,
 			case 1:
 				MSG("MORE: balance was off, need to rebalance")
 				p1 = (*ppr)->right;
-				if (p1->bal == 1) {		/* RR */
+				if (p1->bal == 1) {		/*%< RR */
 					MSG("MORE: single RR")
 					(*ppr)->right = p1->left;
 					p1->left = *ppr;
 					(*ppr)->bal = 0;
 					*ppr = p1;
-				} else {			/* double RL */
+				} else {			/*%< double RL */
 					MSG("MORE: double RL")
 
 					p2 = p1->left;
@@ -530,3 +530,5 @@ bal_R(tree **ppr_p, int *pi_balance) {
 	}
 	RETV
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/tree.mdoc b/contrib/bind9/lib/bind/isc/tree.mdoc
index c46fa7d..2c24e1f 100644
--- a/contrib/bind9/lib/bind/isc/tree.mdoc
+++ b/contrib/bind9/lib/bind/isc/tree.mdoc
@@ -1,4 +1,4 @@
-.\" $Id: tree.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:44 marka Exp $
+.\" $Id: tree.mdoc,v 1.3 2004/03/09 06:30:09 marka Exp $
 .\"
 .\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 1995-1999 by Internet Software Consortium
diff --git a/contrib/bind9/lib/bind/make/includes.in b/contrib/bind9/lib/bind/make/includes.in
index f080202..d7e21cb 100644
--- a/contrib/bind9/lib/bind/make/includes.in
+++ b/contrib/bind9/lib/bind/make/includes.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: includes.in,v 1.1.206.1 2004/03/15 01:02:44 marka Exp $
+# $Id: includes.in,v 1.2 2004/03/16 05:22:19 marka Exp $
 
 # Search for machine-generated header files in the build tree,
 # and for normal headers in the source tree (${top_srcdir}).
diff --git a/contrib/bind9/lib/bind/make/rules.in b/contrib/bind9/lib/bind/make/rules.in
index 1a4e81d..888e6ad 100644
--- a/contrib/bind9/lib/bind/make/rules.in
+++ b/contrib/bind9/lib/bind/make/rules.in
@@ -1,5 +1,5 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001, 2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: rules.in,v 1.3.2.3.4.4 2004/10/20 00:14:47 marka Exp $
+# $Id: rules.in,v 1.9.18.3 2007/01/18 00:06:11 marka Exp $
 
 ###
 ### Common Makefile rules for BIND 9.
diff --git a/contrib/bind9/lib/bind/nameser/Makefile.in b/contrib/bind9/lib/bind/nameser/Makefile.in
index aa4bc6c..d033eee 100644
--- a/contrib/bind9/lib/bind/nameser/Makefile.in
+++ b/contrib/bind9/lib/bind/nameser/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.206.1 2004/03/15 01:02:45 marka Exp $
+# $Id: Makefile.in,v 1.5 2004/03/16 05:22:19 marka Exp $
 
 srcdir=		@srcdir@
 VPATH =         @srcdir@
diff --git a/contrib/bind9/lib/bind/nameser/ns_date.c b/contrib/bind9/lib/bind/nameser/ns_date.c
index d6b347a..af1455c 100644
--- a/contrib/bind9/lib/bind/nameser/ns_date.c
+++ b/contrib/bind9/lib/bind/nameser/ns_date.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_date.c,v 1.3.206.2 2004/03/16 12:34:16 marka Exp $";
+static const char rcsid[] = "$Id: ns_date.c,v 1.5.18.1 2005/04/27 05:01:08 sra Exp $";
 #endif
 
 /* Import. */
@@ -45,9 +45,11 @@ static int	datepart(const char *, int, int, int, int *);
 
 /* Public. */
 
-/* Convert a date in ASCII into the number of seconds since
-   1 January 1970 (GMT assumed).  Format is yyyymmddhhmmss, all
-   digits required, no spaces allowed.  */
+/*%
+ * Convert a date in ASCII into the number of seconds since
+ * 1 January 1970 (GMT assumed).  Format is yyyymmddhhmmss, all
+ * digits required, no spaces allowed.
+ */
 
 u_int32_t
 ns_datetosecs(const char *cp, int *errp) {
@@ -70,7 +72,7 @@ ns_datetosecs(const char *cp, int *errp) {
 	time.tm_hour  = datepart(cp +  8, 2,   00,   23, errp);
 	time.tm_min   = datepart(cp + 10, 2,   00,   59, errp);
 	time.tm_sec   = datepart(cp + 12, 2,   00,   59, errp);
-	if (*errp)		/* Any parse errors? */
+	if (*errp)		/*%< Any parse errors? */
 		return (0);
 
 	/* 
@@ -81,32 +83,29 @@ ns_datetosecs(const char *cp, int *errp) {
 #define SECS_PER_DAY    ((u_int32_t)24*60*60)
 #define isleap(y) ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0)
 
-	result  = time.tm_sec;				/* Seconds */
-	result += time.tm_min * 60;			/* Minutes */
-	result += time.tm_hour * (60*60);		/* Hours */
-	result += (time.tm_mday - 1) * SECS_PER_DAY;	/* Days */
-
+	result  = time.tm_sec;				/*%< Seconds */
+	result += time.tm_min * 60;			/*%< Minutes */
+	result += time.tm_hour * (60*60);		/*%< Hours */
+	result += (time.tm_mday - 1) * SECS_PER_DAY;	/*%< Days */
 	/* Months are trickier.  Look without leaping, then leap */
 	mdays = 0;
 	for (i = 0; i < time.tm_mon; i++)
 		mdays += days_per_month[i];
-	result += mdays * SECS_PER_DAY;			/* Months */
+	result += mdays * SECS_PER_DAY;			/*%< Months */
 	if (time.tm_mon > 1 && isleap(1900+time.tm_year))
-		result += SECS_PER_DAY;		/* Add leapday for this year */
-
+		result += SECS_PER_DAY;		/*%< Add leapday for this year */
 	/* First figure years without leapdays, then add them in.  */
 	/* The loop is slow, FIXME, but simple and accurate.  */
-	result += (time.tm_year - 70) * (SECS_PER_DAY*365); /* Years */
+	result += (time.tm_year - 70) * (SECS_PER_DAY*365); /*%< Years */
 	for (i = 70; i < time.tm_year; i++)
 		if (isleap(1900+i))
-			result += SECS_PER_DAY; /* Add leapday for prev year */
-
+			result += SECS_PER_DAY; /*%< Add leapday for prev year */
 	return (result);
 }
 
 /* Private. */
 
-/*
+/*%
  * Parse part of a date.  Set error flag if any error.
  * Don't reset the flag if there is no error.
  */
@@ -126,3 +125,5 @@ datepart(const char *buf, int size, int min, int max, int *errp) {
 		*errp = 1;
 	return (result);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/nameser/ns_name.c b/contrib/bind9/lib/bind/nameser/ns_name.c
index 5ac91e3..31dee36 100644
--- a/contrib/bind9/lib/bind/nameser/ns_name.c
+++ b/contrib/bind9/lib/bind/nameser/ns_name.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_name.c,v 1.3.2.4.4.2 2004/05/04 03:27:47 marka Exp $";
+static const char rcsid[] = "$Id: ns_name.c,v 1.8.18.2 2005/04/27 05:01:08 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -41,7 +41,7 @@ static const char rcsid[] = "$Id: ns_name.c,v 1.3.2.4.4.2 2004/05/04 03:27:47 ma
 # define SPRINTF(x) ((size_t)sprintf x)
 #endif
 
-#define NS_TYPE_ELT			0x40 /* EDNS0 extended label type */
+#define NS_TYPE_ELT			0x40 /*%< EDNS0 extended label type */
 #define DNS_LABELTYPE_BITSTRING		0x41
 
 /* Data. */
@@ -83,14 +83,15 @@ static int		decode_bitstring(const unsigned char **,
 
 /* Public. */
 
-/*
- * ns_name_ntop(src, dst, dstsiz)
+/*%
  *	Convert an encoded domain name to printable ascii as per RFC1035.
+
  * return:
- *	Number of bytes written to buffer, or -1 (with errno set)
+ *\li	Number of bytes written to buffer, or -1 (with errno set)
+ *
  * notes:
- *	The root is returned as "."
- *	All other domains are returned in non absolute form
+ *\li	The root is returned as "."
+ *\li	All other domains are returned in non absolute form
  */
 int
 ns_name_ntop(const u_char *src, char *dst, size_t dstsiz)
@@ -119,7 +120,7 @@ ns_name_ntop(const u_char *src, char *dst, size_t dstsiz)
 			*dn++ = '.';
 		}
 		if ((l = labellen(cp - 1)) < 0) {
-			errno = EMSGSIZE; /* XXX */
+			errno = EMSGSIZE; /*%< XXX */
 			return(-1);
 		}
 		if (dn + l >= eom) {
@@ -184,15 +185,17 @@ ns_name_ntop(const u_char *src, char *dst, size_t dstsiz)
 	return (dn - dst);
 }
 
-/*
- * ns_name_pton(src, dst, dstsiz)
+/*%
  *	Convert a ascii string into an encoded domain name as per RFC1035.
+ *
  * return:
- *	-1 if it fails
- *	1 if string was fully qualified
- *	0 is string was not fully qualified
+ *
+ *\li	-1 if it fails
+ *\li	1 if string was fully qualified
+ *\li	0 is string was not fully qualified
+ *
  * notes:
- *	Enforces label and domain length limits.
+ *\li	Enforces label and domain length limits.
  */
 
 int
@@ -209,9 +212,9 @@ ns_name_pton(const char *src, u_char *dst, size_t dstsiz)
 
 	while ((c = *src++) != 0) {
 		if (escaped) {
-			if (c == '[') { /* start a bit string label */
+			if (c == '[') { /*%< start a bit string label */
 				if ((cp = strchr(src, ']')) == NULL) {
-					errno = EINVAL; /* ??? */
+					errno = EINVAL; /*%< ??? */
 					return(-1);
 				}
 				if ((e = encode_bitsring(&src, cp + 2,
@@ -256,7 +259,7 @@ ns_name_pton(const char *src, u_char *dst, size_t dstsiz)
 			continue;
 		} else if (c == '.') {
 			c = (bp - label - 1);
-			if ((c & NS_CMPRSFLGS) != 0) {	/* Label too big. */
+			if ((c & NS_CMPRSFLGS) != 0) {	/*%< Label too big. */
 				errno = EMSGSIZE;
 				return (-1);
 			}
@@ -294,7 +297,7 @@ ns_name_pton(const char *src, u_char *dst, size_t dstsiz)
 		*bp++ = (u_char)c;
 	}
 	c = (bp - label - 1);
-	if ((c & NS_CMPRSFLGS) != 0) {		/* Label too big. */
+	if ((c & NS_CMPRSFLGS) != 0) {		/*%< Label too big. */
 		errno = EMSGSIZE;
 		return (-1);
 	}
@@ -311,20 +314,21 @@ ns_name_pton(const char *src, u_char *dst, size_t dstsiz)
 		}
 		*bp++ = 0;
 	}
-	if ((bp - dst) > MAXCDNAME) {	/* src too big */
+	if ((bp - dst) > MAXCDNAME) {	/*%< src too big */
 		errno = EMSGSIZE;
 		return (-1);
 	}
 	return (0);
 }
 
-/*
- * ns_name_ntol(src, dst, dstsiz)
+/*%
  *	Convert a network strings labels into all lowercase.
+ *
  * return:
- *	Number of bytes written to buffer, or -1 (with errno set)
+ *\li	Number of bytes written to buffer, or -1 (with errno set)
+ *
  * notes:
- *	Enforces label and domain length limits.
+ *\li	Enforces label and domain length limits.
  */
 
 int
@@ -371,11 +375,11 @@ ns_name_ntol(const u_char *src, u_char *dst, size_t dstsiz)
 	return (dn - dst);
 }
 
-/*
- * ns_name_unpack(msg, eom, src, dst, dstsiz)
+/*%
  *	Unpack a domain name from a message, source may be compressed.
+ *
  * return:
- *	-1 if it fails, or consumed octets if it succeeds.
+ *\li	-1 if it fails, or consumed octets if it succeeds.
  */
 int
 ns_name_unpack(const u_char *msg, const u_char *eom, const u_char *src,
@@ -424,7 +428,7 @@ ns_name_unpack(const u_char *msg, const u_char *eom, const u_char *src,
 			if (len < 0)
 				len = srcp - src + 1;
 			srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
-			if (srcp < msg || srcp >= eom) {  /* Out of range. */
+			if (srcp < msg || srcp >= eom) {  /*%< Out of range. */
 				errno = EMSGSIZE;
 				return (-1);
 			}
@@ -442,7 +446,7 @@ ns_name_unpack(const u_char *msg, const u_char *eom, const u_char *src,
 
 		default:
 			errno = EMSGSIZE;
-			return (-1);			/* flag error */
+			return (-1);			/*%< flag error */
 		}
 	}
 	*dstp = '\0';
@@ -451,19 +455,21 @@ ns_name_unpack(const u_char *msg, const u_char *eom, const u_char *src,
 	return (len);
 }
 
-/*
- * ns_name_pack(src, dst, dstsiz, dnptrs, lastdnptr)
+/*%
  *	Pack domain name 'domain' into 'comp_dn'.
+ *
  * return:
- *	Size of the compressed name, or -1.
+ *\li	Size of the compressed name, or -1.
+ *
  * notes:
- *	'dnptrs' is an array of pointers to previous compressed names.
- *	dnptrs[0] is a pointer to the beginning of the message. The array
+ *\li	'dnptrs' is an array of pointers to previous compressed names.
+ *\li	dnptrs[0] is a pointer to the beginning of the message. The array
  *	ends with NULL.
- *	'lastdnptr' is a pointer to the end of the array pointed to
+ *\li	'lastdnptr' is a pointer to the end of the array pointed to
  *	by 'dnptrs'.
+ *
  * Side effects:
- *	The list of pointers in dnptrs is updated for labels inserted into
+ *\li	The list of pointers in dnptrs is updated for labels inserted into
  *	the message as we compress the name.  If 'dnptr' is NULL, we don't
  *	try to compress names. If 'lastdnptr' is NULL, we don't update the
  *	list.
@@ -485,7 +491,7 @@ ns_name_pack(const u_char *src, u_char *dst, int dstsiz,
 		if ((msg = *dnptrs++) != NULL) {
 			for (cpp = dnptrs; *cpp != NULL; cpp++)
 				(void)NULL;
-			lpp = cpp;	/* end of list to search */
+			lpp = cpp;	/*%< end of list to search */
 		}
 	} else
 		msg = NULL;
@@ -560,13 +566,14 @@ cleanup:
 	return (dstp - dst);
 }
 
-/*
- * ns_name_uncompress(msg, eom, src, dst, dstsiz)
+/*%
  *	Expand compressed domain name to presentation format.
+ *
  * return:
- *	Number of bytes read out of `src', or -1 (with errno set).
+ *\li	Number of bytes read out of `src', or -1 (with errno set).
+ *
  * note:
- *	Root domain returns as "." not "".
+ *\li	Root domain returns as "." not "".
  */
 int
 ns_name_uncompress(const u_char *msg, const u_char *eom, const u_char *src,
@@ -582,18 +589,19 @@ ns_name_uncompress(const u_char *msg, const u_char *eom, const u_char *src,
 	return (n);
 }
 
-/*
- * ns_name_compress(src, dst, dstsiz, dnptrs, lastdnptr)
+/*%
  *	Compress a domain name into wire format, using compression pointers.
+ *
  * return:
- *	Number of bytes consumed in `dst' or -1 (with errno set).
+ *\li	Number of bytes consumed in `dst' or -1 (with errno set).
+ *
  * notes:
- *	'dnptrs' is an array of pointers to previous compressed names.
- *	dnptrs[0] is a pointer to the beginning of the message.
- *	The list ends with NULL.  'lastdnptr' is a pointer to the end of the
+ *\li	'dnptrs' is an array of pointers to previous compressed names.
+ *\li	dnptrs[0] is a pointer to the beginning of the message.
+ *\li	The list ends with NULL.  'lastdnptr' is a pointer to the end of the
  *	array pointed to by 'dnptrs'. Side effect is to update the list of
  *	pointers for labels inserted into the message as we compress the name.
- *	If 'dnptr' is NULL, we don't try to compress names. If 'lastdnptr'
+ *\li	If 'dnptr' is NULL, we don't try to compress names. If 'lastdnptr'
  *	is NULL, we don't update the list.
  */
 int
@@ -607,7 +615,7 @@ ns_name_compress(const char *src, u_char *dst, size_t dstsiz,
 	return (ns_name_pack(tmp, dst, dstsiz, dnptrs, lastdnptr));
 }
 
-/*
+/*%
  * Reset dnptrs so that there are no active references to pointers at or
  * after src.
  */
@@ -624,11 +632,11 @@ ns_name_rollback(const u_char *src, const u_char **dnptrs,
 	}
 }
 
-/*
- * ns_name_skip(ptrptr, eom)
+/*%
  *	Advance *ptrptr to skip over the compressed name it points at.
+ *
  * return:
- *	0 on success, -1 (with errno set) on failure.
+ *\li	0 on success, -1 (with errno set) on failure.
  */
 int
 ns_name_skip(const u_char **ptrptr, const u_char *eom)
@@ -641,20 +649,20 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom)
 	while (cp < eom && (n = *cp++) != 0) {
 		/* Check for indirection. */
 		switch (n & NS_CMPRSFLGS) {
-		case 0:			/* normal case, n == len */
+		case 0:			/*%< normal case, n == len */
 			cp += n;
 			continue;
-		case NS_TYPE_ELT: /* EDNS0 extended label */
+		case NS_TYPE_ELT: /*%< EDNS0 extended label */
 			if ((l = labellen(cp - 1)) < 0) {
-				errno = EMSGSIZE; /* XXX */
+				errno = EMSGSIZE; /*%< XXX */
 				return(-1);
 			}
 			cp += l;
 			continue;
-		case NS_CMPRSFLGS:	/* indirection */
+		case NS_CMPRSFLGS:	/*%< indirection */
 			cp++;
 			break;
-		default:		/* illegal type */
+		default:		/*%< illegal type */
 			errno = EMSGSIZE;
 			return (-1);
 		}
@@ -670,44 +678,44 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom)
 
 /* Private. */
 
-/*
- * special(ch)
+/*%
  *	Thinking in noninternationalized USASCII (per the DNS spec),
  *	is this characted special ("in need of quoting") ?
+ *
  * return:
- *	boolean.
+ *\li	boolean.
  */
 static int
 special(int ch) {
 	switch (ch) {
-	case 0x22: /* '"' */
-	case 0x2E: /* '.' */
-	case 0x3B: /* ';' */
-	case 0x5C: /* '\\' */
-	case 0x28: /* '(' */
-	case 0x29: /* ')' */
+	case 0x22: /*%< '"' */
+	case 0x2E: /*%< '.' */
+	case 0x3B: /*%< ';' */
+	case 0x5C: /*%< '\\' */
+	case 0x28: /*%< '(' */
+	case 0x29: /*%< ')' */
 	/* Special modifiers in zone files. */
-	case 0x40: /* '@' */
-	case 0x24: /* '$' */
+	case 0x40: /*%< '@' */
+	case 0x24: /*%< '$' */
 		return (1);
 	default:
 		return (0);
 	}
 }
 
-/*
- * printable(ch)
+/*%
  *	Thinking in noninternationalized USASCII (per the DNS spec),
  *	is this character visible and not a space when printed ?
+ *
  * return:
- *	boolean.
+ *\li	boolean.
  */
 static int
 printable(int ch) {
 	return (ch > 0x20 && ch < 0x7f);
 }
 
-/*
+/*%
  *	Thinking in noninternationalized USASCII (per the DNS spec),
  *	convert this character to lower case if it's upper case.
  */
@@ -718,14 +726,15 @@ mklower(int ch) {
 	return (ch);
 }
 
-/*
- * dn_find(domain, msg, dnptrs, lastdnptr)
+/*%
  *	Search for the counted-label name in an array of compressed names.
+ *
  * return:
- *	offset from msg if found, or -1.
+ *\li	offset from msg if found, or -1.
+ *
  * notes:
- *	dnptrs is the pointer to the first name on the list,
- *	not the pointer to the start of the message.
+ *\li	dnptrs is the pointer to the first name on the list,
+ *\li	not the pointer to the start of the message.
  */
 static int
 dn_find(const u_char *domain, const u_char *msg,
@@ -753,9 +762,8 @@ dn_find(const u_char *domain, const u_char *msg,
 				 * check for indirection
 				 */
 				switch (n & NS_CMPRSFLGS) {
-				case 0:		/* normal case, n == len */
-					n = labellen(cp - 1); /* XXX */
-
+				case 0:		/*%< normal case, n == len */
+					n = labellen(cp - 1); /*%< XXX */
 					if (n != *dn++)
 						goto next;
 
@@ -769,11 +777,11 @@ dn_find(const u_char *domain, const u_char *msg,
 					if (*dn)
 						continue;
 					goto next;
-				case NS_CMPRSFLGS:	/* indirection */
+				case NS_CMPRSFLGS:	/*%< indirection */
 					cp = msg + (((n & 0x3f) << 8) | *cp);
 					break;
 
-				default:	/* illegal type */
+				default:	/*%< illegal type */
 					errno = EMSGSIZE;
 					return (-1);
 				}
@@ -855,12 +863,12 @@ encode_bitsring(const char **bp, const char *end, unsigned char **labelp,
 	/* XXX: currently, only hex strings are supported */
 	if (*cp++ != 'x')
 		return(EINVAL);
-	if (!isxdigit((*cp) & 0xff)) /* reject '\[x/BLEN]' */
+	if (!isxdigit((*cp) & 0xff)) /*%< reject '\[x/BLEN]' */
 		return(EINVAL);
 
 	for (tp = *dst + 1; cp < end && tp < eom; cp++) {
 		switch((c = *cp)) {
-		case ']':	/* end of the bitstring */
+		case ']':	/*%< end of the bitstring */
 			if (afterslash) {
 				if (beg_blen == NULL)
 					return(EINVAL);
@@ -870,7 +878,7 @@ encode_bitsring(const char **bp, const char *end, unsigned char **labelp,
 			}
 			if (count)
 				*tp++ = ((value << 4) & 0xff);
-			cp++;	/* skip ']' */
+			cp++;	/*%< skip ']' */
 			goto done;
 		case '/':
 			afterslash = 1;
@@ -914,14 +922,14 @@ encode_bitsring(const char **bp, const char *end, unsigned char **labelp,
 	 * MUST be just sufficient to contain the number of bits specified
 	 * by the <length>. If there are insignificant bits in a final
 	 * hexadecimal or octal digit, they MUST be zero.
-	 * RFC 2673, Section 3.2.
+	 * RFC2673, Section 3.2.
 	 */
 	if (blen > 0) {
 		int traillen;
 
 		if (((blen + 3) & ~3) != tbcount)
 			return(EINVAL);
-		traillen = tbcount - blen; /* between 0 and 3 */
+		traillen = tbcount - blen; /*%< between 0 and 3 */
 		if (((value << (8 - traillen)) & 0xff) != 0)
 			return(EINVAL);
 	}
@@ -957,7 +965,9 @@ labellen(const u_char *lp)
 				bitlen = 256;
 			return((bitlen + 7 ) / 8 + 1);
 		}
-		return(-1);	/* unknwon ELT */
+		return(-1);	/*%< unknwon ELT */
 	}
 	return(l);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/nameser/ns_netint.c b/contrib/bind9/lib/bind/nameser/ns_netint.c
index 15fc93e..b08c58b 100644
--- a/contrib/bind9/lib/bind/nameser/ns_netint.c
+++ b/contrib/bind9/lib/bind/nameser/ns_netint.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_netint.c,v 1.1.206.1 2004/03/09 08:33:44 marka Exp $";
+static const char rcsid[] = "$Id: ns_netint.c,v 1.2.18.1 2005/04/27 05:01:08 sra Exp $";
 #endif
 
 /* Import. */
@@ -54,3 +54,5 @@ void
 ns_put32(u_long src, u_char *dst) {
 	NS_PUT32(src, dst);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/nameser/ns_parse.c b/contrib/bind9/lib/bind/nameser/ns_parse.c
index 19a6f51..5e7998d 100644
--- a/contrib/bind9/lib/bind/nameser/ns_parse.c
+++ b/contrib/bind9/lib/bind/nameser/ns_parse.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_parse.c,v 1.3.2.1.4.3 2005/10/11 00:48:16 marka Exp $";
+static const char rcsid[] = "$Id: ns_parse.c,v 1.5.18.3 2005/10/11 00:25:10 marka Exp $";
 #endif
 
 /* Import. */
@@ -51,22 +51,22 @@ static void	setsection(ns_msg *msg, ns_sect sect);
 
 /* These need to be in the same order as the nres.h:ns_flag enum. */
 struct _ns_flagdata _ns_flagdata[16] = {
-	{ 0x8000, 15 },		/* qr. */
-	{ 0x7800, 11 },		/* opcode. */
-	{ 0x0400, 10 },		/* aa. */
-	{ 0x0200, 9 },		/* tc. */
-	{ 0x0100, 8 },		/* rd. */
-	{ 0x0080, 7 },		/* ra. */
-	{ 0x0040, 6 },		/* z. */
-	{ 0x0020, 5 },		/* ad. */
-	{ 0x0010, 4 },		/* cd. */
-	{ 0x000f, 0 },		/* rcode. */
-	{ 0x0000, 0 },		/* expansion (1/6). */
-	{ 0x0000, 0 },		/* expansion (2/6). */
-	{ 0x0000, 0 },		/* expansion (3/6). */
-	{ 0x0000, 0 },		/* expansion (4/6). */
-	{ 0x0000, 0 },		/* expansion (5/6). */
-	{ 0x0000, 0 },		/* expansion (6/6). */
+	{ 0x8000, 15 },		/*%< qr. */
+	{ 0x7800, 11 },		/*%< opcode. */
+	{ 0x0400, 10 },		/*%< aa. */
+	{ 0x0200, 9 },		/*%< tc. */
+	{ 0x0100, 8 },		/*%< rd. */
+	{ 0x0080, 7 },		/*%< ra. */
+	{ 0x0040, 6 },		/*%< z. */
+	{ 0x0020, 5 },		/*%< ad. */
+	{ 0x0010, 4 },		/*%< cd. */
+	{ 0x000f, 0 },		/*%< rcode. */
+	{ 0x0000, 0 },		/*%< expansion (1/6). */
+	{ 0x0000, 0 },		/*%< expansion (2/6). */
+	{ 0x0000, 0 },		/*%< expansion (3/6). */
+	{ 0x0000, 0 },		/*%< expansion (4/6). */
+	{ 0x0000, 0 },		/*%< expansion (5/6). */
+	{ 0x0000, 0 },		/*%< expansion (6/6). */
 };
 
 int ns_msg_getflag(ns_msg handle, int flag) {
@@ -207,3 +207,5 @@ setsection(ns_msg *msg, ns_sect sect) {
 		msg->_msg_ptr = msg->_sections[(int)sect];
 	}
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/nameser/ns_print.c b/contrib/bind9/lib/bind/nameser/ns_print.c
index cb61cb1..0679ba4 100644
--- a/contrib/bind9/lib/bind/nameser/ns_print.c
+++ b/contrib/bind9/lib/bind/nameser/ns_print.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_print.c,v 1.3.2.1.4.7 2004/09/16 07:01:12 marka Exp $";
+static const char rcsid[] = "$Id: ns_print.c,v 1.6.18.4 2005/04/27 05:01:09 sra Exp $";
 #endif
 
 /* Import. */
@@ -69,12 +69,11 @@ static int	addtab(size_t len, size_t target, int spaced,
 
 /* Public. */
 
-/*
- * int
- * ns_sprintrr(handle, rr, name_ctx, origin, buf, buflen)
+/*%
  *	Convert an RR to presentation format.
+ *
  * return:
- *	Number of characters written to buf, or -1 (check errno).
+ *\li	Number of characters written to buf, or -1 (check errno).
  */
 int
 ns_sprintrr(const ns_msg *handle, const ns_rr *rr,
@@ -90,13 +89,11 @@ ns_sprintrr(const ns_msg *handle, const ns_rr *rr,
 	return (n);
 }
 
-/*
- * int
- * ns_sprintrrf(msg, msglen, name, class, type, ttl, rdata, rdlen,
- *	       name_ctx, origin, buf, buflen)
+/*%
  *	Convert the fields of an RR into presentation format.
+ *
  * return:
- *	Number of characters written to buf, or -1 (check errno).
+ *\li	Number of characters written to buf, or -1 (check errno).
  */
 int
 ns_sprintrrf(const u_char *msg, size_t msglen,
@@ -645,10 +642,10 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 
 		T(len = addname(msg, msglen, &rdata, origin, &buf, &buflen));
 		T(addstr(" ", 1, &buf, &buflen));
-		rdata += 8; /* time */
+		rdata += 8; /*%< time */
 		n = ns_get16(rdata); rdata += INT16SZ;
-		rdata += n; /* sig */
-		n = ns_get16(rdata); rdata += INT16SZ; /* original id */
+		rdata += n; /*%< sig */
+		n = ns_get16(rdata); rdata += INT16SZ; /*%< original id */
 		sprintf(buf, "%d", ns_get16(rdata));
 		rdata += INT16SZ;
 		addlen(strlen(buf), &buf, &buflen);
@@ -735,7 +732,7 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 
 /* Private. */
 
-/*
+/*%
  * size_t
  * prune_origin(name, origin)
  *	Find out if the name is at or under the current origin.
@@ -768,7 +765,7 @@ prune_origin(const char *name, const char *origin) {
 	return (name - oname);
 }
 
-/*
+/*%
  * int
  * charstr(rdata, edata, buf, buflen)
  *	Format a <character-string> into the presentation buffer.
@@ -824,7 +821,7 @@ addname(const u_char *msg, size_t msglen,
 
 	n = dn_expand(msg, msg + msglen, *pp, *buf, *buflen);
 	if (n < 0)
-		goto enospc;	/* Guess. */
+		goto enospc;	/*%< Guess. */
 	newlen = prune_origin(*buf, origin);
 	if (**buf == '\0') {
 		goto root;
@@ -896,3 +893,5 @@ addtab(size_t len, size_t target, int spaced, char **buf, size_t *buflen) {
 	}
 	return (spaced);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/nameser/ns_samedomain.c b/contrib/bind9/lib/bind/nameser/ns_samedomain.c
index d4ca550..a720f6a 100644
--- a/contrib/bind9/lib/bind/nameser/ns_samedomain.c
+++ b/contrib/bind9/lib/bind/nameser/ns_samedomain.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_samedomain.c,v 1.1.2.2.4.2 2004/03/16 12:34:17 marka Exp $";
+static const char rcsid[] = "$Id: ns_samedomain.c,v 1.5.18.1 2005/04/27 05:01:09 sra Exp $";
 #endif
 
 #include "port_before.h"
@@ -28,21 +28,22 @@ static const char rcsid[] = "$Id: ns_samedomain.c,v 1.1.2.2.4.2 2004/03/16 12:34
 
 #include "port_after.h"
 
-/*
- * int
- * ns_samedomain(a, b)
+/*%
  *	Check whether a name belongs to a domain.
+ *
  * Inputs:
- *	a - the domain whose ancestory is being verified
- *	b - the potential ancestor we're checking against
+ *\li	a - the domain whose ancestory is being verified
+ *\li	b - the potential ancestor we're checking against
+ *
  * Return:
- *	boolean - is a at or below b?
+ *\li	boolean - is a at or below b?
+ *
  * Notes:
- *	Trailing dots are first removed from name and domain.
+ *\li	Trailing dots are first removed from name and domain.
  *	Always compare complete subdomains, not only whether the
  *	domain name is the trailing string of the given name.
  *
- *	"host.foobar.top" lies in "foobar.top" and in "top" and in ""
+ *\li	"host.foobar.top" lies in "foobar.top" and in "top" and in ""
  *	but NOT in "bar.top"
  */
 
@@ -140,9 +141,7 @@ ns_samedomain(const char *a, const char *b) {
 	return (strncasecmp(cp, b, lb) == 0);
 }
 
-/*
- * int
- * ns_subdomain(a, b)
+/*%
  *	is "a" a subdomain of "b"?
  */
 int
@@ -150,30 +149,31 @@ ns_subdomain(const char *a, const char *b) {
 	return (ns_samename(a, b) != 1 && ns_samedomain(a, b));
 }
 
-/*
- * int
- * ns_makecanon(src, dst, dstsize)
+/*%
  *	make a canonical copy of domain name "src"
+ *
  * notes:
+ * \code
  *	foo -> foo.
  *	foo. -> foo.
  *	foo.. -> foo.
  *	foo\. -> foo\..
  *	foo\\. -> foo\\.
+ * \endcode
  */
 
 int
 ns_makecanon(const char *src, char *dst, size_t dstsize) {
 	size_t n = strlen(src);
 
-	if (n + sizeof "." > dstsize) {			/* Note: sizeof == 2 */
+	if (n + sizeof "." > dstsize) {			/*%< Note: sizeof == 2 */
 		errno = EMSGSIZE;
 		return (-1);
 	}
 	strcpy(dst, src);
-	while (n >= 1U && dst[n - 1] == '.')		/* Ends in "." */
-		if (n >= 2U && dst[n - 2] == '\\' &&	/* Ends in "\." */
-		    (n < 3U || dst[n - 3] != '\\'))	/* But not "\\." */
+	while (n >= 1U && dst[n - 1] == '.')		/*%< Ends in "." */
+		if (n >= 2U && dst[n - 2] == '\\' &&	/*%< Ends in "\." */
+		    (n < 3U || dst[n - 3] != '\\'))	/*%< But not "\\." */
 			break;
 		else
 			dst[--n] = '\0';
@@ -182,14 +182,13 @@ ns_makecanon(const char *src, char *dst, size_t dstsize) {
 	return (0);
 }
 
-/*
- * int
- * ns_samename(a, b)
+/*%
  *	determine whether domain name "a" is the same as domain name "b"
+ *
  * return:
- *	-1 on error
- *	0 if names differ
- *	1 if names are the same
+ *\li	-1 on error
+ *\li	0 if names differ
+ *\li	1 if names are the same
  */
 
 int
@@ -204,3 +203,5 @@ ns_samename(const char *a, const char *b) {
 	else
 		return (0);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/nameser/ns_sign.c b/contrib/bind9/lib/bind/nameser/ns_sign.c
index 7b742f1..ab4b0ef 100644
--- a/contrib/bind9/lib/bind/nameser/ns_sign.c
+++ b/contrib/bind9/lib/bind/nameser/ns_sign.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_sign.c,v 1.1.2.2.4.2 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Id: ns_sign.c,v 1.4.18.2 2006/03/10 00:20:08 marka Exp $";
 #endif
 
 /* Import. */
@@ -53,24 +53,26 @@ static const char rcsid[] = "$Id: ns_sign.c,v 1.1.2.2.4.2 2006/03/10 00:17:21 ma
 		} \
 	} while (0)
 
-/* ns_sign
+/*%
+ *  ns_sign
+ *
  * Parameters:
- *	msg		message to be sent
- *	msglen		input - length of message
+ *\li	msg		message to be sent
+ *\li	msglen		input - length of message
  *			output - length of signed message
- *	msgsize		length of buffer containing message
- *	error		value to put in the error field
- *	key		tsig key used for signing
- *	querysig	(response), the signature in the query
- *	querysiglen	(response), the length of the signature in the query
- *	sig		a buffer to hold the generated signature
- *	siglen		input - length of signature buffer
+ *\li	msgsize		length of buffer containing message
+ *\li	error		value to put in the error field
+ *\li	key		tsig key used for signing
+ *\li	querysig	(response), the signature in the query
+ *\li	querysiglen	(response), the length of the signature in the query
+ *\li	sig		a buffer to hold the generated signature
+ *\li	siglen		input - length of signature buffer
  *			output - length of signature
  *
  * Errors:
- *	- bad input data (-1)
- *	- bad key / sign failed (-BADKEY)
- *	- not enough space (NS_TSIG_ERROR_NO_SPACE)
+ *\li	- bad input data (-1)
+ *\li	- bad key / sign failed (-BADKEY)
+ *\li	- not enough space (NS_TSIG_ERROR_NO_SPACE)
  */
 int
 ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
@@ -124,7 +126,7 @@ ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
 	BOUNDS_CHECK(cp, INT16SZ + INT16SZ + INT32SZ + INT16SZ);
 	PUTSHORT(ns_t_tsig, cp);
 	PUTSHORT(ns_c_any, cp);
-	PUTLONG(0, cp);		/* TTL */
+	PUTLONG(0, cp);		/*%< TTL */
 	lenp = cp;
 	cp += 2;
 
@@ -191,18 +193,18 @@ ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
 
 		/* Digest the time signed, fudge, error, and other data */
 		cp2 = buf;
-		PUTSHORT(0, cp2);	/* Top 16 bits of time */
+		PUTSHORT(0, cp2);	/*%< Top 16 bits of time */
 		if (error != ns_r_badtime)
 			PUTLONG(timesigned, cp2);
 		else
 			PUTLONG(in_timesigned, cp2);
 		PUTSHORT(NS_TSIG_FUDGE, cp2);
-		PUTSHORT(error, cp2);	/* Error */
+		PUTSHORT(error, cp2);	/*%< Error */
 		if (error != ns_r_badtime)
-			PUTSHORT(0, cp2);	/* Other data length */
+			PUTSHORT(0, cp2);	/*%< Other data length */
 		else {
-			PUTSHORT(INT16SZ+INT32SZ, cp2);	/* Other data length */
-			PUTSHORT(0, cp2);	/* Top 16 bits of time */
+			PUTSHORT(INT16SZ+INT32SZ, cp2);	/*%< Other data length */
+			PUTSHORT(0, cp2);	/*%< Top 16 bits of time */
 			PUTLONG(timesigned, cp2);
 		}
 		dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, cp2-buf,
@@ -224,17 +226,17 @@ ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
 
 	/* The original message ID & error. */
 	BOUNDS_CHECK(cp, INT16SZ + INT16SZ);
-	PUTSHORT(ntohs(hp->id), cp);	/* already in network order */
+	PUTSHORT(ntohs(hp->id), cp);	/*%< already in network order */
 	PUTSHORT(error, cp);
 
 	/* Other data. */
 	BOUNDS_CHECK(cp, INT16SZ);
 	if (error != ns_r_badtime)
-		PUTSHORT(0, cp);	/* Other data length */
+		PUTSHORT(0, cp);	/*%< Other data length */
 	else {
-		PUTSHORT(INT16SZ+INT32SZ, cp);	/* Other data length */
+		PUTSHORT(INT16SZ+INT32SZ, cp);	/*%< Other data length */
 		BOUNDS_CHECK(cp, INT32SZ+INT16SZ);
-		PUTSHORT(0, cp);	/* Top 16 bits of time */
+		PUTSHORT(0, cp);	/*%< Top 16 bits of time */
 		PUTLONG(timesigned, cp);
 	}
 
@@ -323,7 +325,7 @@ ns_sign_tcp2(u_char *msg, int *msglen, int msgsize, int error,
 	BOUNDS_CHECK(cp, INT16SZ + INT16SZ + INT32SZ + INT16SZ);
 	PUTSHORT(ns_t_tsig, cp);
 	PUTSHORT(ns_c_any, cp);
-	PUTLONG(0, cp);		/* TTL */
+	PUTLONG(0, cp);		/*%< TTL */
 	lenp = cp;
 	cp += 2;
 
@@ -346,7 +348,7 @@ ns_sign_tcp2(u_char *msg, int *msglen, int msgsize, int error,
 
 	/* Digest the time signed and fudge. */
 	cp2 = buf;
-	PUTSHORT(0, cp2);	/* Top 16 bits of time */
+	PUTSHORT(0, cp2);	/*%< Top 16 bits of time */
 	PUTLONG(timesigned, cp2);
 	PUTSHORT(NS_TSIG_FUDGE, cp2);
 
@@ -367,7 +369,7 @@ ns_sign_tcp2(u_char *msg, int *msglen, int msgsize, int error,
 
 	/* The original message ID & error. */
 	BOUNDS_CHECK(cp, INT16SZ + INT16SZ);
-	PUTSHORT(ntohs(hp->id), cp);	/* already in network order */
+	PUTSHORT(ntohs(hp->id), cp);	/*%< already in network order */
 	PUTSHORT(error, cp);
 
 	/* Other data. */
@@ -381,3 +383,5 @@ ns_sign_tcp2(u_char *msg, int *msglen, int msgsize, int error,
 	*msglen = (cp - msg);
 	return (0);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/nameser/ns_ttl.c b/contrib/bind9/lib/bind/nameser/ns_ttl.c
index 4d18d3f..627ddf1 100644
--- a/contrib/bind9/lib/bind/nameser/ns_ttl.c
+++ b/contrib/bind9/lib/bind/nameser/ns_ttl.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_ttl.c,v 1.1.206.2 2005/07/28 07:43:21 marka Exp $";
+static const char rcsid[] = "$Id: ns_ttl.c,v 1.2.18.2 2005/07/28 07:38:10 marka Exp $";
 #endif
 
 /* Import. */
@@ -158,3 +158,5 @@ fmt1(int t, char s, char **buf, size_t *buflen) {
 	*buflen -= len;
 	return (0);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/nameser/ns_verify.c b/contrib/bind9/lib/bind/nameser/ns_verify.c
index c74a0a3..b80b588 100644
--- a/contrib/bind9/lib/bind/nameser/ns_verify.c
+++ b/contrib/bind9/lib/bind/nameser/ns_verify.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_verify.c,v 1.1.206.3 2006/03/10 00:17:21 marka Exp $";
+static const char rcsid[] = "$Id: ns_verify.c,v 1.2.18.3 2006/03/10 00:20:08 marka Exp $";
 #endif
 
 /* Import. */
@@ -107,28 +107,29 @@ ns_find_tsig(u_char *msg, u_char *eom) {
 }
 
 /* ns_verify
+ *
  * Parameters:
- *	statp		res stuff
- *	msg		received message
- *	msglen		length of message
- *	key		tsig key used for verifying.
- *	querysig	(response), the signature in the query
- *	querysiglen	(response), the length of the signature in the query
- *	sig		(query), a buffer to hold the signature
- *	siglen		(query), input - length of signature buffer
+ *\li	statp		res stuff
+ *\li	msg		received message
+ *\li	msglen		length of message
+ *\li	key		tsig key used for verifying.
+ *\li	querysig	(response), the signature in the query
+ *\li	querysiglen	(response), the length of the signature in the query
+ *\li	sig		(query), a buffer to hold the signature
+ *\li	siglen		(query), input - length of signature buffer
  *				 output - length of signature
  *
  * Errors:
- *	- bad input (-1)
- *	- invalid dns message (NS_TSIG_ERROR_FORMERR)
- *	- TSIG is not present (NS_TSIG_ERROR_NO_TSIG)
- *	- key doesn't match (-ns_r_badkey)
- *	- TSIG verification fails with BADKEY (-ns_r_badkey)
- *	- TSIG verification fails with BADSIG (-ns_r_badsig)
- *	- TSIG verification fails with BADTIME (-ns_r_badtime)
- *	- TSIG verification succeeds, error set to BAKEY (ns_r_badkey)
- *	- TSIG verification succeeds, error set to BADSIG (ns_r_badsig)
- *	- TSIG verification succeeds, error set to BADTIME (ns_r_badtime)
+ *\li	- bad input (-1)
+ *\li	- invalid dns message (NS_TSIG_ERROR_FORMERR)
+ *\li	- TSIG is not present (NS_TSIG_ERROR_NO_TSIG)
+ *\li	- key doesn't match (-ns_r_badkey)
+ *\li	- TSIG verification fails with BADKEY (-ns_r_badkey)
+ *\li	- TSIG verification fails with BADSIG (-ns_r_badsig)
+ *\li	- TSIG verification fails with BADTIME (-ns_r_badtime)
+ *\li	- TSIG verification succeeds, error set to BAKEY (ns_r_badkey)
+ *\li	- TSIG verification succeeds, error set to BADSIG (ns_r_badsig)
+ *\li	- TSIG verification succeeds, error set to BADTIME (ns_r_badtime)
  */
 int
 ns_verify(u_char *msg, int *msglen, void *k,
@@ -450,7 +451,7 @@ ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
 
 	/* Digest the time signed and fudge. */
 	cp2 = buf;
-	PUTSHORT(0, cp2);       /* Top 16 bits of time. */
+	PUTSHORT(0, cp2);       /*%< Top 16 bits of time. */
 	PUTLONG(timesigned, cp2);
 	PUTSHORT(NS_TSIG_FUDGE, cp2);
 
@@ -479,3 +480,5 @@ ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
 
 	return (0);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/port/freebsd/include/Makefile.in b/contrib/bind9/lib/bind/port/freebsd/include/Makefile.in
index c18acf2..68bef09 100644
--- a/contrib/bind9/lib/bind/port/freebsd/include/Makefile.in
+++ b/contrib/bind9/lib/bind/port/freebsd/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:47 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/16 05:22:22 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/contrib/bind9/lib/bind/port_before.h.in b/contrib/bind9/lib/bind/port_before.h.in
index 320fff1..79cf277 100644
--- a/contrib/bind9/lib/bind/port_before.h.in
+++ b/contrib/bind9/lib/bind/port_before.h.in
@@ -148,3 +148,5 @@ struct timezone;        /* silence warning */
 #endif
 
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/resolv/Makefile.in b/contrib/bind9/lib/bind/resolv/Makefile.in
index a235fbc..cc661b6 100644
--- a/contrib/bind9/lib/bind/resolv/Makefile.in
+++ b/contrib/bind9/lib/bind/resolv/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3.206.3 2005/07/29 00:13:09 marka Exp $
+# $Id: Makefile.in,v 1.4.18.2 2005/07/29 00:12:55 marka Exp $
 
 srcdir=		@srcdir@
 VPATH =         @srcdir@
diff --git a/contrib/bind9/lib/bind/resolv/herror.c b/contrib/bind9/lib/bind/resolv/herror.c
index 58807e9..9232426 100644
--- a/contrib/bind9/lib/bind/resolv/herror.c
+++ b/contrib/bind9/lib/bind/resolv/herror.c
@@ -50,7 +50,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)herror.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: herror.c,v 1.2.206.1 2004/03/09 08:33:54 marka Exp $";
+static const char rcsid[] = "$Id: herror.c,v 1.3.18.1 2005/04/27 05:01:09 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -72,10 +72,10 @@ static const char rcsid[] = "$Id: herror.c,v 1.2.206.1 2004/03/09 08:33:54 marka
 
 const char *h_errlist[] = {
 	"Resolver Error 0 (no error)",
-	"Unknown host",				/* 1 HOST_NOT_FOUND */
-	"Host name lookup failure",		/* 2 TRY_AGAIN */
-	"Unknown server error",			/* 3 NO_RECOVERY */
-	"No address associated with name",	/* 4 NO_ADDRESS */
+	"Unknown host",				/*%< 1 HOST_NOT_FOUND */
+	"Host name lookup failure",		/*%< 2 TRY_AGAIN */
+	"Unknown server error",			/*%< 3 NO_RECOVERY */
+	"No address associated with name",	/*%< 4 NO_ADDRESS */
 };
 int	h_nerr = { sizeof h_errlist / sizeof h_errlist[0] };
 
@@ -84,7 +84,7 @@ int	h_nerr = { sizeof h_errlist / sizeof h_errlist[0] };
 int	h_errno;
 #endif
 
-/*
+/*%
  * herror --
  *	print the error indicated by the h_errno value.
  */
@@ -113,7 +113,7 @@ herror(const char *s) {
 	writev(STDERR_FILENO, iov, (v - iov) + 1);
 }
 
-/*
+/*%
  * hstrerror --
  *	return the string associated with a given "host" errno value.
  */
@@ -125,3 +125,5 @@ hstrerror(int err) {
 		return (h_errlist[err]);
 	return ("Unknown resolver error");
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/resolv/res_comp.c b/contrib/bind9/lib/bind/resolv/res_comp.c
index 8cc99a7..4dc3c2a 100644
--- a/contrib/bind9/lib/bind/resolv/res_comp.c
+++ b/contrib/bind9/lib/bind/resolv/res_comp.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_comp.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_comp.c,v 1.1.2.1.4.2 2005/07/28 07:43:22 marka Exp $";
+static const char rcsid[] = "$Id: res_comp.c,v 1.3.18.2 2005/07/28 07:38:11 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -85,12 +85,13 @@ static const char rcsid[] = "$Id: res_comp.c,v 1.1.2.1.4.2 2005/07/28 07:43:22 m
 #include <unistd.h>
 #include "port_after.h"
 
-/*
+/*%
  * Expand compressed domain name 'src' to full domain name.
- * 'msg' is a pointer to the begining of the message,
- * 'eom' points to the first location after the message,
- * 'dst' is a pointer to a buffer of size 'dstsiz' for the result.
- * Return size of compressed name or -1 if there was an error.
+ *
+ * \li 'msg' is a pointer to the begining of the message,
+ * \li 'eom' points to the first location after the message,
+ * \li 'dst' is a pointer to a buffer of size 'dstsiz' for the result.
+ * \li Return size of compressed name or -1 if there was an error.
  */
 int
 dn_expand(const u_char *msg, const u_char *eom, const u_char *src,
@@ -103,10 +104,11 @@ dn_expand(const u_char *msg, const u_char *eom, const u_char *src,
 	return (n);
 }
 
-/*
+/*%
  * Pack domain name 'exp_dn' in presentation form into 'comp_dn'.
- * Return the size of the compressed name or -1.
- * 'length' is the size of the array pointed to by 'comp_dn'.
+ *
+ * \li Return the size of the compressed name or -1.
+ * \li 'length' is the size of the array pointed to by 'comp_dn'.
  */
 int
 dn_comp(const char *src, u_char *dst, int dstsiz,
@@ -117,7 +119,7 @@ dn_comp(const char *src, u_char *dst, int dstsiz,
 				 (const u_char **)lastdnptr));
 }
 
-/*
+/*%
  * Skip over a compressed domain name. Return the size or -1.
  */
 int
@@ -129,11 +131,9 @@ dn_skipname(const u_char *ptr, const u_char *eom) {
 	return (ptr - saveptr);
 }
 
-/*
+/*%
  * Verify that a domain name uses an acceptable character set.
- */
-
-/*
+ *
  * Note the conspicuous absence of ctype macros in these definitions.  On
  * non-ASCII hosts, we can't depend on string literals or ctype macros to
  * tell us anything about network-format data.  The rest of the BIND system
@@ -176,7 +176,7 @@ res_hnok(const char *dn) {
 	return (1);
 }
 
-/*
+/*%
  * hostname-like (A, MX, WKS) owners can have "*" as their first label
  * but must otherwise be as a host name.
  */
@@ -191,7 +191,7 @@ res_ownok(const char *dn) {
 	return (res_hnok(dn));
 }
 
-/*
+/*%
  * SOA RNAMEs and RP RNAMEs can have any printable character in their first
  * label, but the rest of the name has to look like a host name.
  */
@@ -219,8 +219,8 @@ res_mailok(const char *dn) {
 	return (0);
 }
 
-/*
- * This function is quite liberal, since RFC 1034's character sets are only
+/*%
+ * This function is quite liberal, since RFC1034's character sets are only
  * recommendations.
  */
 int
@@ -234,7 +234,7 @@ res_dnok(const char *dn) {
 }
 
 #ifdef BIND_4_COMPAT
-/*
+/*%
  * This module must export the following externally-visible symbols:
  *	___putlong
  *	___putshort
@@ -261,3 +261,5 @@ u_int32_t _getlong(const u_char *src) { return (ns_get32(src)); }
 u_int16_t _getshort(const u_char *src) { return (ns_get16(src)); }
 #endif /*__ultrix__*/
 #endif /*BIND_4_COMPAT*/
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/resolv/res_data.c b/contrib/bind9/lib/bind/resolv/res_data.c
index 204e03d..e3dcbf0 100644
--- a/contrib/bind9/lib/bind/resolv/res_data.c
+++ b/contrib/bind9/lib/bind/resolv/res_data.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: res_data.c,v 1.1.206.2 2004/03/16 12:34:18 marka Exp $";
+static const char rcsid[] = "$Id: res_data.c,v 1.3.18.1 2005/04/27 05:01:10 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -46,8 +46,8 @@ const char *_res_opcodes[] = {
 	"QUERY",
 	"IQUERY",
 	"CQUERYM",
-	"CQUERYU",	/* experimental */
-	"NOTIFY",	/* experimental */
+	"CQUERYU",	/*%< experimental */
+	"NOTIFY",	/*%< experimental */
 	"UPDATE",
 	"6",
 	"7",
@@ -73,7 +73,7 @@ const char *_res_sectioncodes[] = {
 #ifndef __BIND_NOSTATIC
 struct __res_state _res
 # if defined(__BIND_RES_TEXT)
-	= { RES_TIMEOUT, }	/* Motorola, et al. */
+	= { RES_TIMEOUT, }	/*%< Motorola, et al. */
 # endif
         ;
 
@@ -140,14 +140,14 @@ fp_nquery(const u_char *msg, int len, FILE *file) {
 }
 
 int
-res_mkquery(int op,			/* opcode of query */
-	    const char *dname,		/* domain name */
-	    int class, int type,	/* class and type of query */
-	    const u_char *data,		/* resource record data */
-	    int datalen,		/* length of data */
-	    const u_char *newrr_in,	/* new rr for modify or append */
-	    u_char *buf,		/* buffer to put query */
-	    int buflen)			/* size of buffer */
+res_mkquery(int op,			/*!< opcode of query  */
+	    const char *dname,		/*!< domain name  */
+	    int class, int type,	/*!< class and type of query  */
+	    const u_char *data,		/*!< resource record data  */
+	    int datalen,		/*!< length of data  */
+	    const u_char *newrr_in,	/*!< new rr for modify or append  */
+	    u_char *buf,		/*!< buffer to put query  */
+	    int buflen)			/*!< size of buffer  */
 {
 	if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
 		RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
@@ -169,10 +169,10 @@ res_mkupdate(ns_updrec *rrecp_in, u_char *buf, int buflen) {
 }
 
 int
-res_query(const char *name,	/* domain name */
-	  int class, int type,	/* class and type of query */
-	  u_char *answer,	/* buffer to put answer */
-	  int anslen)		/* size of answer buffer */
+res_query(const char *name,	/*!< domain name  */
+	  int class, int type,	/*!< class and type of query  */
+	  u_char *answer,	/*!< buffer to put answer  */
+	  int anslen)		/*!< size of answer buffer  */
 {
 	if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
 		RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
@@ -234,10 +234,10 @@ res_update(ns_updrec *rrecp_in) {
 }
 
 int
-res_search(const char *name,	/* domain name */
-	   int class, int type,	/* class and type of query */
-	   u_char *answer,	/* buffer to put answer */
-	   int anslen)		/* size of answer */
+res_search(const char *name,	/*!< domain name  */
+	   int class, int type,	/*!< class and type of query  */
+	   u_char *answer,	/*!< buffer to put answer  */
+	   int anslen)		/*!< size of answer  */
 {
 	if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
 		RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
@@ -250,9 +250,9 @@ res_search(const char *name,	/* domain name */
 int
 res_querydomain(const char *name,
 		const char *domain,
-		int class, int type,	/* class and type of query */
-		u_char *answer,		/* buffer to put answer */
-		int anslen)		/* size of answer */
+		int class, int type,	/*!< class and type of query  */
+		u_char *answer,		/*!< buffer to put answer  */
+		int anslen)		/*!< size of answer  */
 {
 	if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
 		RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
@@ -289,3 +289,5 @@ local_hostname_length(const char *hostname) {
 #endif /*ultrix*/
 
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/resolv/res_debug.c b/contrib/bind9/lib/bind/resolv/res_debug.c
index 8dda12c..2ed234e 100644
--- a/contrib/bind9/lib/bind/resolv/res_debug.c
+++ b/contrib/bind9/lib/bind/resolv/res_debug.c
@@ -95,7 +95,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_debug.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_debug.c,v 1.3.2.5.4.6 2005/07/28 07:43:22 marka Exp $";
+static const char rcsid[] = "$Id: res_debug.c,v 1.10.18.5 2005/07/28 07:38:11 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -130,7 +130,7 @@ static const char rcsid[] = "$Id: res_debug.c,v 1.3.2.5.4.6 2005/07/28 07:43:22
 extern const char *_res_opcodes[];
 extern const char *_res_sectioncodes[];
 
-/*
+/*%
  * Print the current options.
  */
 void
@@ -223,7 +223,7 @@ do_section(const res_state statp,
 		free(buf);
 }
 
-/*
+/*%
  * Print the contents of a query.
  * This is intended to be primarily a debugging routine.
  */
@@ -318,7 +318,8 @@ p_cdname(const u_char *cp, const u_char *msg, FILE *file) {
 	return (p_cdnname(cp, msg, PACKETSZ, file));
 }
 
-/* Return a fully-qualified domain name from a compressed name (with
+/*%
+ * Return a fully-qualified domain name from a compressed name (with
    length supplied).  */
 
 const u_char *
@@ -334,7 +335,7 @@ p_fqnname(cp, msg, msglen, name, namelen)
 		return (NULL);
 	newlen = strlen(name);
 	if (newlen == 0 || name[newlen - 1] != '.') {
-		if (newlen + 1 >= namelen)	/* Lack space for final dot */
+		if (newlen + 1 >= namelen)	/*%< Lack space for final dot */
 			return (NULL);
 		else
 			strcpy(name + newlen, ".");
@@ -356,7 +357,7 @@ p_fqname(const u_char *cp, const u_char *msg, FILE *file) {
 	return (n);
 }
 
-/*
+/*%
  * Names of RR classes and qclasses.  Classes and qclasses are the same, except
  * that C_ANY is a qclass but not a class.  (You can ask for records of class
  * C_ANY, but you can't have any records of that class in the database.)
@@ -372,7 +373,7 @@ const struct res_sym __p_class_syms[] = {
 	{C_IN, 		(char *)0,	(char *)0}
 };
 
-/*
+/*%
  * Names of message sections.
  */
 const struct res_sym __p_default_section_syms[] = {
@@ -409,7 +410,7 @@ const struct res_sym __p_cert_syms[] = {
 	{0,		NULL,		NULL}
 };
 
-/*
+/*%
  * Names of RR types and qtypes.  Types and qtypes are the same, except
  * that T_ANY is a qtype but not a type.  (You can ask for records of type
  * T_ANY, but you can't have any records of that type in the database.)
@@ -467,7 +468,7 @@ const struct res_sym __p_type_syms[] = {
 	{0, 		NULL,		NULL}
 };
 
-/*
+/*%
  * Names of DNS rcodes.
  */
 const struct res_sym __p_rcode_syms[] = {
@@ -500,7 +501,7 @@ sym_ston(const struct res_sym *syms, const char *name, int *success) {
 	}
 	if (success)
 		*success = 0;
-	return (syms->number);		/* The default value. */
+	return (syms->number);		/*%< The default value. */
 }
 
 const char *
@@ -515,7 +516,7 @@ sym_ntos(const struct res_sym *syms, int number, int *success) {
 		}
 	}
 
-	sprintf(unname, "%d", number);		/* XXX nonreentrant */
+	sprintf(unname, "%d", number);		/*%< XXX nonreentrant */
 	if (success)
 		*success = 0;
 	return (unname);
@@ -532,13 +533,13 @@ sym_ntop(const struct res_sym *syms, int number, int *success) {
 			return (syms->humanname);
 		}
 	}
-	sprintf(unname, "%d", number);		/* XXX nonreentrant */
+	sprintf(unname, "%d", number);		/*%< XXX nonreentrant */
 	if (success)
 		*success = 0;
 	return (unname);
 }
 
-/*
+/*%
  * Return a string for the type.
  */
 const char *
@@ -556,7 +557,7 @@ p_type(int type) {
 	return (typebuf);
 }
 
-/*
+/*%
  * Return a string for the type.
  */
 const char *
@@ -574,7 +575,7 @@ p_section(int section, int opcode) {
 	return (sym_ntos(symbols, section, (int *)0));
 }
 
-/*
+/*%
  * Return a mnemonic for class.
  */
 const char *
@@ -592,7 +593,7 @@ p_class(int class) {
 	return (classbuf);
 }
 
-/*
+/*%
  * Return a mnemonic for an option
  */
 const char *
@@ -614,7 +615,7 @@ p_option(u_long option) {
 	case RES_INSECURE2:	return "insecure2";
 	case RES_NOALIASES:	return "noaliases";
 	case RES_USE_INET6:	return "inet6";
-#ifdef RES_USE_EDNS0	/* KAME extension */
+#ifdef RES_USE_EDNS0	/*%< KAME extension */
 	case RES_USE_EDNS0:	return "edns0";
 #endif
 #ifdef RES_USE_DNAME
@@ -635,7 +636,7 @@ p_option(u_long option) {
 	}
 }
 
-/*
+/*%
  * Return a mnemonic for a time to live.
  */
 const char *
@@ -647,7 +648,7 @@ p_time(u_int32_t value) {
 	return (nbuf);
 }
 
-/*
+/*%
  * Return a string for the rcode.
  */
 const char *
@@ -655,7 +656,7 @@ p_rcode(int rcode) {
 	return (sym_ntos(__p_rcode_syms, rcode, (int *)0));
 }
 
-/*
+/*%
  * Return a string for a res_sockaddr_union.
  */
 const char *
@@ -682,7 +683,7 @@ p_sockun(union res_sockaddr_union u, char *buf, size_t size) {
 	return (buf);
 }
 
-/*
+/*%
  * routines to convert between on-the-wire RR format and zone file format.
  * Does not contain conversion to/from decimal degrees; divide or multiply
  * by 60*60*1000 for that.
@@ -691,7 +692,7 @@ p_sockun(union res_sockaddr_union u, char *buf, size_t size) {
 static unsigned int poweroften[10] = {1, 10, 100, 1000, 10000, 100000,
 				      1000000,10000000,100000000,1000000000};
 
-/* takes an XeY precision/size value, returns a string representation. */
+/*% takes an XeY precision/size value, returns a string representation. */
 static const char *
 precsize_ntoa(prec)
 	u_int8_t prec;
@@ -709,7 +710,7 @@ precsize_ntoa(prec)
 	return (retbuf);
 }
 
-/* converts ascii size/precision X * 10**Y(cm) to 0xXY.  moves pointer. */
+/*% converts ascii size/precision X * 10**Y(cm) to 0xXY.  moves pointer.  */
 static u_int8_t
 precsize_aton(const char **strptr) {
 	unsigned int mval = 0, cmval = 0;
@@ -723,7 +724,7 @@ precsize_aton(const char **strptr) {
 	while (isdigit((unsigned char)*cp))
 		mval = mval * 10 + (*cp++ - '0');
 
-	if (*cp == '.') {		/* centimeters */
+	if (*cp == '.') {		/*%< centimeters */
 		cp++;
 		if (isdigit((unsigned char)*cp)) {
 			cmval = (*cp++ - '0') * 10;
@@ -749,7 +750,7 @@ precsize_aton(const char **strptr) {
 	return (retval);
 }
 
-/* converts ascii lat/lon to unsigned encoded 32-bit number.  moves pointer. */
+/*% converts ascii lat/lon to unsigned encoded 32-bit number.  moves pointer. */
 static u_int32_t
 latlon2ul(const char **latlonstrptr, int *which) {
 	const char *cp;
@@ -779,7 +780,7 @@ latlon2ul(const char **latlonstrptr, int *which) {
 	while (isdigit((unsigned char)*cp))
 		secs = secs * 10 + (*cp++ - '0');
 
-	if (*cp == '.') {		/* decimal seconds */
+	if (*cp == '.') {		/*%< decimal seconds */
 		cp++;
 		if (isdigit((unsigned char)*cp)) {
 			secsfrac = (*cp++ - '0') * 100;
@@ -792,7 +793,7 @@ latlon2ul(const char **latlonstrptr, int *which) {
 		}
 	}
 
-	while (!isspace((unsigned char)*cp))	/* if any trailing garbage */
+	while (!isspace((unsigned char)*cp))	/*%< if any trailing garbage */
 		cp++;
 
 	while (isspace((unsigned char)*cp))
@@ -813,30 +814,29 @@ latlon2ul(const char **latlonstrptr, int *which) {
 			- secsfrac;
 		break;
 	default:
-		retval = 0;	/* invalid value -- indicates error */
+		retval = 0;	/*%< invalid value -- indicates error */
 		break;
 	}
 
 	switch (*cp) {
 	case 'N': case 'n':
 	case 'S': case 's':
-		*which = 1;	/* latitude */
+		*which = 1;	/*%< latitude */
 		break;
 	case 'E': case 'e':
 	case 'W': case 'w':
-		*which = 2;	/* longitude */
+		*which = 2;	/*%< longitude */
 		break;
 	default:
-		*which = 0;	/* error */
+		*which = 0;	/*%< error */
 		break;
 	}
 
-	cp++;			/* skip the hemisphere */
-
-	while (!isspace((unsigned char)*cp))	/* if any trailing garbage */
+	cp++;			/*%< skip the hemisphere */
+	while (!isspace((unsigned char)*cp))	/*%< if any trailing garbage */
 		cp++;
 
-	while (isspace((unsigned char)*cp))	/* move to next field */
+	while (isspace((unsigned char)*cp))	/*%< move to next field */
 		cp++;
 
 	*latlonstrptr = cp;
@@ -844,7 +844,8 @@ latlon2ul(const char **latlonstrptr, int *which) {
 	return (retval);
 }
 
-/* converts a zone file representation in a string to an RDATA on-the-wire
+/*%
+ * converts a zone file representation in a string to an RDATA on-the-wire
  * representation. */
 int
 loc_aton(ascii, binary)
@@ -857,9 +858,9 @@ loc_aton(ascii, binary)
 	u_int32_t latit = 0, longit = 0, alt = 0;
 	u_int32_t lltemp1 = 0, lltemp2 = 0;
 	int altmeters = 0, altfrac = 0, altsign = 1;
-	u_int8_t hp = 0x16;	/* default = 1e6 cm = 10000.00m = 10km */
-	u_int8_t vp = 0x13;	/* default = 1e3 cm = 10.00m */
-	u_int8_t siz = 0x12;	/* default = 1e2 cm = 1.00m */
+	u_int8_t hp = 0x16;	/*%< default = 1e6 cm = 10000.00m = 10km */
+	u_int8_t vp = 0x13;	/*%< default = 1e3 cm = 10.00m */
+	u_int8_t siz = 0x12;	/*%< default = 1e2 cm = 1.00m */
 	int which1 = 0, which2 = 0;
 
 	cp = ascii;
@@ -870,18 +871,18 @@ loc_aton(ascii, binary)
 	lltemp2 = latlon2ul(&cp, &which2);
 
 	switch (which1 + which2) {
-	case 3:			/* 1 + 2, the only valid combination */
-		if ((which1 == 1) && (which2 == 2)) { /* normal case */
+	case 3:			/*%< 1 + 2, the only valid combination */
+		if ((which1 == 1) && (which2 == 2)) { /*%< normal case */
 			latit = lltemp1;
 			longit = lltemp2;
-		} else if ((which1 == 2) && (which2 == 1)) { /* reversed */
+		} else if ((which1 == 2) && (which2 == 1)) { /*%< reversed */
 			longit = lltemp1;
 			latit = lltemp2;
-		} else {	/* some kind of brokenness */
+		} else {	/*%< some kind of brokenness */
 			return (0);
 		}
 		break;
-	default:		/* we didn't get one of each */
+	default:		/*%< we didn't get one of each */
 		return (0);
 	}
 
@@ -897,7 +898,7 @@ loc_aton(ascii, binary)
 	while (isdigit((unsigned char)*cp))
 		altmeters = altmeters * 10 + (*cp++ - '0');
 
-	if (*cp == '.') {		/* decimal meters */
+	if (*cp == '.') {		/*%< decimal meters */
 		cp++;
 		if (isdigit((unsigned char)*cp)) {
 			altfrac = (*cp++ - '0') * 10;
@@ -909,7 +910,7 @@ loc_aton(ascii, binary)
 
 	alt = (10000000 + (altsign * (altmeters * 100 + altfrac)));
 
-	while (!isspace((unsigned char)*cp) && (cp < maxcp)) /* if trailing garbage or m */
+	while (!isspace((unsigned char)*cp) && (cp < maxcp)) /*%< if trailing garbage or m */
 		cp++;
 
 	while (isspace((unsigned char)*cp) && (cp < maxcp))
@@ -920,7 +921,7 @@ loc_aton(ascii, binary)
 
 	siz = precsize_aton(&cp);
 	
-	while (!isspace((unsigned char)*cp) && (cp < maxcp))	/* if trailing garbage or m */
+	while (!isspace((unsigned char)*cp) && (cp < maxcp))	/*%< if trailing garbage or m */
 		cp++;
 
 	while (isspace((unsigned char)*cp) && (cp < maxcp))
@@ -931,7 +932,7 @@ loc_aton(ascii, binary)
 
 	hp = precsize_aton(&cp);
 
-	while (!isspace((unsigned char)*cp) && (cp < maxcp))	/* if trailing garbage or m */
+	while (!isspace((unsigned char)*cp) && (cp < maxcp))	/*%< if trailing garbage or m */
 		cp++;
 
 	while (isspace((unsigned char)*cp) && (cp < maxcp))
@@ -945,7 +946,7 @@ loc_aton(ascii, binary)
  defaults:
 
 	bcp = binary;
-	*bcp++ = (u_int8_t) 0;	/* version byte */
+	*bcp++ = (u_int8_t) 0;	/*%< version byte */
 	*bcp++ = siz;
 	*bcp++ = hp;
 	*bcp++ = vp;
@@ -953,10 +954,10 @@ loc_aton(ascii, binary)
 	PUTLONG(longit,bcp);
 	PUTLONG(alt,bcp);
     
-	return (16);		/* size of RR in octets */
+	return (16);		/*%< size of RR in octets */
 }
 
-/* takes an on-the-wire LOC RR and formats it in a human readable format. */
+/*% takes an on-the-wire LOC RR and formats it in a human readable format. */
 const char *
 loc_ntoa(binary, ascii)
 	const u_char *binary;
@@ -1003,7 +1004,7 @@ loc_ntoa(binary, ascii)
 	longval = (templ - ((unsigned)1<<31));
 
 	GETLONG(templ, cp);
-	if (templ < referencealt) { /* below WGS 84 spheroid */
+	if (templ < referencealt) { /*%< below WGS 84 spheroid */
 		altval = referencealt - templ;
 		altsign = "-";
 	} else {
@@ -1066,7 +1067,7 @@ loc_ntoa(binary, ascii)
 }
 
 
-/* Return the number of DNS hierarchy levels in the name. */
+/*% Return the number of DNS hierarchy levels in the name. */
 int
 dn_count_labels(const char *name) {
 	int i, len, count;
@@ -1091,8 +1092,7 @@ dn_count_labels(const char *name) {
 	return (count);
 }
 
-
-/* 
+/*%
  * Make dates expressed in seconds-since-Jan-1-1970 easy to read.  
  * SIG records are required to be printed like this, by the Secure DNS RFC.
  */
@@ -1161,3 +1161,5 @@ res_nametotype(const char *buf, int *successp) {
 		*successp = success;
 	return (result);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/resolv/res_debug.h b/contrib/bind9/lib/bind/resolv/res_debug.h
index 2a9c0ae..c28171d 100644
--- a/contrib/bind9/lib/bind/resolv/res_debug.h
+++ b/contrib/bind9/lib/bind/resolv/res_debug.h
@@ -32,3 +32,4 @@
 #endif
 
 #endif /* _RES_DEBUG_H_ */ 
+/*! \file */
diff --git a/contrib/bind9/lib/bind/resolv/res_findzonecut.c b/contrib/bind9/lib/bind/resolv/res_findzonecut.c
index 804beb6..207d66c 100644
--- a/contrib/bind9/lib/bind/resolv/res_findzonecut.c
+++ b/contrib/bind9/lib/bind/resolv/res_findzonecut.c
@@ -1,5 +1,5 @@
 #if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: res_findzonecut.c,v 1.2.2.3.4.4 2005/10/11 00:48:16 marka Exp $";
+static const char rcsid[] = "$Id: res_findzonecut.c,v 1.7.18.3 2005/10/11 00:25:11 marka Exp $";
 #endif /* not lint */
 
 /*
@@ -96,55 +96,56 @@ static void	res_dprintf(const char *, ...) ISC_FORMAT_PRINTF(1, 2);
 
 /* Public. */
 
-/*
- * int
- * res_findzonecut(res, dname, class, zname, zsize, addrs, naddrs)
+/*%
  *	find enclosing zone for a <dname,class>, and some server addresses
+ *
  * parameters:
- *	res - resolver context to work within (is modified)
- *	dname - domain name whose enclosing zone is desired
- *	class - class of dname (and its enclosing zone)
- *	zname - found zone name
- *	zsize - allocated size of zname
- *	addrs - found server addresses
- *	naddrs - max number of addrs
+ *\li	res - resolver context to work within (is modified)
+ *\li	dname - domain name whose enclosing zone is desired
+ *\li	class - class of dname (and its enclosing zone)
+ *\li	zname - found zone name
+ *\li	zsize - allocated size of zname
+ *\li	addrs - found server addresses
+ *\li	naddrs - max number of addrs
+ *
  * return values:
- *	< 0 - an error occurred (check errno)
- *	= 0 - zname is now valid, but addrs[] wasn't changed
- *	> 0 - zname is now valid, and return value is number of addrs[] found
+ *\li	< 0 - an error occurred (check errno)
+ *\li	= 0 - zname is now valid, but addrs[] wasn't changed
+ *\li	> 0 - zname is now valid, and return value is number of addrs[] found
+ *
  * notes:
- *	this function calls res_nsend() which means it depends on correctly
+ *\li	this function calls res_nsend() which means it depends on correctly
  *	functioning recursive nameservers (usually defined in /etc/resolv.conf
  *	or its local equivilent).
  *
- *	we start by asking for an SOA<dname,class>.  if we get one as an
+ *\li	we start by asking for an SOA<dname,class>.  if we get one as an
  *	answer, that just means <dname,class> is a zone top, which is fine.
  *	more than likely we'll be told to go pound sand, in the form of a
  *	negative answer.
  *
- *	note that we are not prepared to deal with referrals since that would
+ *\li	note that we are not prepared to deal with referrals since that would
  *	only come from authority servers and our correctly functioning local
  *	recursive server would have followed the referral and got us something
  *	more definite.
  *
- *	if the authority section contains an SOA, this SOA should also be the
+ *\li	if the authority section contains an SOA, this SOA should also be the
  *	closest enclosing zone, since any intermediary zone cuts would've been
  *	returned as referrals and dealt with by our correctly functioning local
  *	recursive name server.  but an SOA in the authority section should NOT
  *	match our dname (since that would have been returned in the answer
  *	section).  an authority section SOA has to be "above" our dname.
  *
- *	however, since authority section SOA's were once optional, it's
+ *\li	however, since authority section SOA's were once optional, it's
  *	possible that we'll have to go hunting for the enclosing SOA by
  *	ripping labels off the front of our dname -- this is known as "doing
  *	it the hard way."
  *
- *	ultimately we want some server addresses, which are ideally the ones
+ *\li	ultimately we want some server addresses, which are ideally the ones
  *	pertaining to the SOA.MNAME, but only if there is a matching NS RR.
  *	so the second phase (after we find an SOA) is to go looking for the
  *	NS RRset for that SOA's zone.
  *
- *	no answer section processed by this code is allowed to contain CNAME
+ *\li	no answer section processed by this code is allowed to contain CNAME
  *	or DNAME RR's.  for the SOA query this means we strip a label and
  *	keep going.  for the NS and A queries this means we just give up.
  */
@@ -717,3 +718,5 @@ res_dprintf(const char *fmt, ...) {
 	fputc('\n', stderr);
 	va_end(ap);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/resolv/res_init.c b/contrib/bind9/lib/bind/resolv/res_init.c
index fd82e872..013a3ca 100644
--- a/contrib/bind9/lib/bind/resolv/res_init.c
+++ b/contrib/bind9/lib/bind/resolv/res_init.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_init.c	8.1 (Berkeley) 6/7/93";
-static const char rcsid[] = "$Id: res_init.c,v 1.9.2.5.4.6 2006/08/30 23:23:01 marka Exp $";
+static const char rcsid[] = "$Id: res_init.c,v 1.16.18.5 2006/08/30 23:23:13 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -98,7 +98,7 @@ static const char rcsid[] = "$Id: res_init.c,v 1.9.2.5.4.6 2006/08/30 23:23:01 m
 
 #include "res_private.h"
 
-/* Options.  Should all be left alone. */
+/*% Options.  Should all be left alone. */
 #define RESOLVSORT
 #define DEBUG
 
@@ -114,7 +114,7 @@ static const char sort_mask[] = "/&";
 static u_int32_t net_mask __P((struct in_addr));
 #endif
 
-#if !defined(isascii)	/* XXX - could be a function */
+#if !defined(isascii)	/*%< XXX - could be a function */
 # define isascii(c) (!(c & 0200))
 #endif
 
@@ -122,7 +122,7 @@ static u_int32_t net_mask __P((struct in_addr));
  * Resolver state default settings.
  */
 
-/*
+/*%
  * Set up default settings.  If the configuration file exist, the values
  * there will have precedence.  Otherwise, the server address is set to
  * INADDR_ANY and the default domain name comes from the gethostname().
@@ -150,14 +150,14 @@ res_ninit(res_state statp) {
 	return (__res_vinit(statp, 0));
 }
 
-/* This function has to be reachable by res_data.c but not publically. */
+/*% This function has to be reachable by res_data.c but not publically. */
 int
 __res_vinit(res_state statp, int preinit) {
 	register FILE *fp;
 	register char *cp, **pp;
 	register int n;
 	char buf[BUFSIZ];
-	int nserv = 0;    /* number of nameserver records read from file */
+	int nserv = 0;    /*%< number of nameserver records read from file */
 	int haveenv = 0;
 	int havesearch = 0;
 #ifdef RESOLVSORT
@@ -262,7 +262,7 @@ __res_vinit(res_state statp, int preinit) {
 		pp = statp->dnsrch;
 		*pp++ = cp;
 		for (n = 0; *cp && pp < statp->dnsrch + MAXDNSRCH; cp++) {
-			if (*cp == '\n')	/* silly backwards compat */
+			if (*cp == '\n')	/*%< silly backwards compat */
 				break;
 			else if (*cp == ' ' || *cp == '\t') {
 				*cp = 0;
@@ -294,7 +294,7 @@ __res_vinit(res_state statp, int preinit) {
 			continue;
 		/* read default domain name */
 		if (MATCH(buf, "domain")) {
-		    if (haveenv)	/* skip if have from environ */
+		    if (haveenv)	/*%< skip if have from environ */
 			    continue;
 		    cp = buf + sizeof("domain") - 1;
 		    while (*cp == ' ' || *cp == '\t')
@@ -310,7 +310,7 @@ __res_vinit(res_state statp, int preinit) {
 		}
 		/* set search list */
 		if (MATCH(buf, "search")) {
-		    if (haveenv)	/* skip if have from environ */
+		    if (haveenv)	/*%< skip if have from environ */
 			    continue;
 		    cp = buf + sizeof("search") - 1;
 		    while (*cp == ' ' || *cp == '\t')
@@ -464,7 +464,7 @@ __res_vinit(res_state statp, int preinit) {
 		while (pp < statp->dnsrch + MAXDFLSRCH) {
 			if (dots < LOCALDOMAINPARTS)
 				break;
-			cp = strchr(cp, '.') + 1;    /* we know there is one */
+			cp = strchr(cp, '.') + 1;    /*%< we know there is one */
 			*pp++ = cp;
 			dots--;
 		}
@@ -626,7 +626,7 @@ res_setoptions(res_state statp, const char *options, const char *source)
 #ifdef RESOLVSORT
 /* XXX - should really support CIDR which means explicit masks always. */
 static u_int32_t
-net_mask(in)		/* XXX - should really use system's version of this */
+net_mask(in)		/*!< XXX - should really use system's version of this  */
 	struct in_addr in;
 {
 	register u_int32_t i = ntohl(in.s_addr);
@@ -647,7 +647,7 @@ res_randomid(void) {
 	return (0xffff & (now.tv_sec ^ now.tv_usec ^ getpid()));
 }
 
-/*
+/*%
  * This routine is for closing the socket if a virtual circuit is used and
  * the program wants to close it.  This provides support for endhostent()
  * which expects to close the socket.
@@ -790,3 +790,5 @@ res_getservers(res_state statp, union res_sockaddr_union *set, int cnt) {
 	}
 	return (statp->nscount);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/resolv/res_mkquery.c b/contrib/bind9/lib/bind/resolv/res_mkquery.c
index 89000ed..50e4a9e 100644
--- a/contrib/bind9/lib/bind/resolv/res_mkquery.c
+++ b/contrib/bind9/lib/bind/resolv/res_mkquery.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_mkquery.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_mkquery.c,v 1.1.2.2.4.2 2004/03/16 12:34:18 marka Exp $";
+static const char rcsid[] = "$Id: res_mkquery.c,v 1.5.18.1 2005/04/27 05:01:11 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -89,20 +89,20 @@ static const char rcsid[] = "$Id: res_mkquery.c,v 1.1.2.2.4.2 2004/03/16 12:34:1
 
 extern const char *_res_opcodes[];
 
-/*
+/*%
  * Form all types of queries.
  * Returns the size of the result or -1.
  */
 int
 res_nmkquery(res_state statp,
-	     int op,			/* opcode of query */
-	     const char *dname,		/* domain name */
-	     int class, int type,	/* class and type of query */
-	     const u_char *data,	/* resource record data */
-	     int datalen,		/* length of data */
-	     const u_char *newrr_in,	/* new rr for modify or append */
-	     u_char *buf,		/* buffer to put query */
-	     int buflen)		/* size of buffer */
+	     int op,			/*!< opcode of query  */
+	     const char *dname,		/*!< domain name  */
+	     int class, int type,	/*!< class and type of query  */
+	     const u_char *data,	/*!< resource record data  */
+	     int datalen,		/*!< length of data  */
+	     const u_char *newrr_in,	/*!< new rr for modify or append  */
+	     u_char *buf,		/*!< buffer to put query  */
+	     int buflen)		/*!< size of buffer  */
 {
 	register HEADER *hp;
 	register u_char *cp, *ep;
@@ -179,7 +179,7 @@ res_nmkquery(res_state statp,
 		 */
 		if (ep - cp < 1 + RRFIXEDSZ + datalen)
 			return (-1);
-		*cp++ = '\0';	/* no domain name */
+		*cp++ = '\0';	/*%< no domain name */
 		ns_put16(type, cp);
 		cp += INT16SZ;
 		ns_put16(class, cp);
@@ -209,10 +209,10 @@ res_nmkquery(res_state statp,
 
 int
 res_nopt(res_state statp,
-	 int n0,		/* current offset in buffer */
-	 u_char *buf,		/* buffer to put query */
-	 int buflen,		/* size of buffer */
-	 int anslen)		/* UDP answer buffer size */
+	 int n0,		/*%< current offset in buffer */
+	 u_char *buf,		/*%< buffer to put query */
+	 int buflen,		/*%< size of buffer */
+	 int anslen)		/*%< UDP answer buffer size */
 {
 	register HEADER *hp;
 	register u_char *cp, *ep;
@@ -230,14 +230,13 @@ res_nopt(res_state statp,
 	if ((ep - cp) < 1 + RRFIXEDSZ)
 		return (-1);
 
-	*cp++ = 0;	/* "." */
-
-	ns_put16(T_OPT, cp);	/* TYPE */
+	*cp++ = 0;	/*%< "." */
+	ns_put16(T_OPT, cp);	/*%< TYPE */
 	cp += INT16SZ;
-	ns_put16(anslen & 0xffff, cp);	/* CLASS = UDP payload size */
+	ns_put16(anslen & 0xffff, cp);	/*%< CLASS = UDP payload size */
 	cp += INT16SZ;
-	*cp++ = NOERROR;	/* extended RCODE */
-	*cp++ = 0;		/* EDNS version */
+	*cp++ = NOERROR;	/*%< extended RCODE */
+	*cp++ = 0;		/*%< EDNS version */
 	if (statp->options & RES_USE_DNSSEC) {
 #ifdef DEBUG
 		if (statp->options & RES_DEBUG)
@@ -247,10 +246,12 @@ res_nopt(res_state statp,
 	}
 	ns_put16(flags, cp);
 	cp += INT16SZ;
-	ns_put16(0, cp);	/* RDLEN */
+	ns_put16(0, cp);	/*%< RDLEN */
 	cp += INT16SZ;
 	hp->arcount = htons(ntohs(hp->arcount) + 1);
 
 	return (cp - buf);
 }
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/resolv/res_mkupdate.c b/contrib/bind9/lib/bind/resolv/res_mkupdate.c
index 01078f1..4299275 100644
--- a/contrib/bind9/lib/bind/resolv/res_mkupdate.c
+++ b/contrib/bind9/lib/bind/resolv/res_mkupdate.c
@@ -15,13 +15,14 @@
  * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/*
+/*! \file
+ * \brief
  * Based on the Dynamic DNS reference implementation by Viraj Bais
- * <viraj_bais@ccm.fm.intel.com>
+ * &lt;viraj_bais@ccm.fm.intel.com>
  */
 
 #if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: res_mkupdate.c,v 1.1.2.1.4.5 2005/10/14 05:43:47 marka Exp $";
+static const char rcsid[] = "$Id: res_mkupdate.c,v 1.4.18.4 2005/10/14 05:44:12 marka Exp $";
 #endif /* not lint */
 
 #include "port_before.h"
@@ -62,17 +63,19 @@ static int getstr_str(char *, int, u_char **, u_char *);
 int res_protocolnumber(const char *);
 int res_servicenumber(const char *);
 
-/*
+/*%
  * Form update packets.
  * Returns the size of the resulting packet if no error
+ *
  * On error,
- *	returns -1 if error in reading a word/number in rdata
+ *	returns 
+ *\li              -1 if error in reading a word/number in rdata
  *		   portion for update packets
- *		-2 if length of buffer passed is insufficient
- *		-3 if zone section is not the first section in
+ *\li		-2 if length of buffer passed is insufficient
+ *\li		-3 if zone section is not the first section in
  *		   the linked list, or section order has a problem
- *		-4 on a number overflow
- *		-5 unknown operation or no records
+ *\li		-4 on a number overflow
+ *\li		-5 unknown operation or no records
  */
 int
 res_nmkupdate(res_state statp, ns_updrec *rrecp_in, u_char *buf, int buflen) {
@@ -189,7 +192,7 @@ res_nmkupdate(res_state statp, ns_updrec *rrecp_in, u_char *buf, int buflen) {
 		}
 		ShrinkBuffer(INT32SZ + INT16SZ);
 		PUTLONG(rttl, cp);
-		sp2 = cp;  /* save pointer to length byte */
+		sp2 = cp;  /*%< save pointer to length byte */
 		cp += INT16SZ;
 		if (rrecp->r_size == 0) {
 			if (section == S_UPDATE && rclass != C_ANY)
@@ -395,7 +398,7 @@ res_nmkupdate(res_state statp, ns_updrec *rrecp_in, u_char *buf, int buflen) {
 			}
 			break;
 		case T_X25:
-			/* RFC 1183 */
+			/* RFC1183 */
 			if ((n = getstr_str(buf2, sizeof buf2, &startp,
 					 endp)) < 0)
 				return (-1);
@@ -407,7 +410,7 @@ res_nmkupdate(res_state statp, ns_updrec *rrecp_in, u_char *buf, int buflen) {
 			cp += n;
 			break;
 		case T_ISDN:
-			/* RFC 1183 */
+			/* RFC1183 */
 			if ((n = getstr_str(buf2, sizeof buf2, &startp,
 					 endp)) < 0)
 				return (-1);
@@ -708,7 +711,7 @@ res_nmkupdate(res_state statp, ns_updrec *rrecp_in, u_char *buf, int buflen) {
 	return (cp - buf);
 }
 
-/*
+/*%
  * Get a whitespace delimited word from a string (not file)
  * into buf. modify the start pointer to point after the
  * word in the string.
@@ -721,9 +724,9 @@ getword_str(char *buf, int size, u_char **startpp, u_char *endp) {
         for (cp = buf; *startpp <= endp; ) {
                 c = **startpp;
                 if (isspace(c) || c == '\0') {
-                        if (cp != buf) /* trailing whitespace */
+                        if (cp != buf) /*%< trailing whitespace */
                                 break;
-                        else { /* leading whitespace */
+                        else { /*%< leading whitespace */
                                 (*startpp)++;
                                 continue;
                         }
@@ -737,9 +740,9 @@ getword_str(char *buf, int size, u_char **startpp, u_char *endp) {
         return (cp != buf);
 }
 
-/*
+/*%
  * get a white spae delimited string from memory.  Process quoted strings
- * and \DDD escapes.  Return length or -1 on error.  Returned string may
+ * and \\DDD escapes.  Return length or -1 on error.  Returned string may
  * contain nulls.
  */
 static char digits[] = "0123456789";
@@ -816,7 +819,8 @@ getstr_str(char *buf, int size, u_char **startpp, u_char *endp) {
 	*cp = '\0';
 	return ((cp == buf)?  (seen_quote? 0: -1): (cp - buf));
 }
-/*
+
+/*%
  * Get a whitespace delimited base 16 number from a string (not file) into buf
  * update the start pointer to point after the number in the string.
  */
@@ -832,9 +836,9 @@ gethexnum_str(u_char **startpp, u_char *endp) {
         for (n = 0; *startpp <= endp; ) {
                 c = **startpp;
                 if (isspace(c) || c == '\0') {
-                        if (seendigit) /* trailing whitespace */
+                        if (seendigit) /*%< trailing whitespace */
                                 break;
-                        else { /* leading whitespace */
+                        else { /*%< leading whitespace */
                                 (*startpp)++;
                                 continue;
                         }
@@ -864,7 +868,7 @@ gethexnum_str(u_char **startpp, u_char *endp) {
         return (n + m);
 }
 
-/*
+/*%
  * Get a whitespace delimited base 10 number from a string (not file) into buf
  * update the start pointer to point after the number in the string.
  */
@@ -877,9 +881,9 @@ getnum_str(u_char **startpp, u_char *endp) {
         for (n = 0; *startpp <= endp; ) {
                 c = **startpp;
                 if (isspace(c) || c == '\0') {
-                        if (seendigit) /* trailing whitespace */
+                        if (seendigit) /*%< trailing whitespace */
                                 break;
-                        else { /* leading whitespace */
+                        else { /*%< leading whitespace */
                                 (*startpp)++;
                                 continue;
                         }
@@ -906,7 +910,7 @@ getnum_str(u_char **startpp, u_char *endp) {
         return (n + m);
 }
 
-/*
+/*%
  * Allocate a resource record buffer & save rr info.
  */
 ns_updrec *
@@ -928,7 +932,7 @@ res_mkupdrec(int section, const char *dname,
 	return (rrecp);
 }
 
-/*
+/*%
  * Free a resource record buffer created by res_mkupdrec.
  */
 void
@@ -970,7 +974,7 @@ res_buildservicelist() {
 			free(slp);
 			break;
 		}
-		slp->port = ntohs((u_int16_t)sp->s_port);  /* host byt order */
+		slp->port = ntohs((u_int16_t)sp->s_port);  /*%< host byt order */
 		slp->next = servicelist;
 		slp->prev = NULL;
 		if (servicelist)
@@ -1012,7 +1016,7 @@ res_buildprotolist(void) {
 			free(slp);
 			break;
 		}
-		slp->port = pp->p_proto;	/* host byte order */
+		slp->port = pp->p_proto;	/*%< host byte order */
 		slp->next = protolist;
 		slp->prev = NULL;
 		if (protolist)
@@ -1049,14 +1053,14 @@ findservice(const char *s, struct valuelist **list) {
 				lp->next = *list;
 				*list = lp;
 			}
-			return (lp->port);	/* host byte order */
+			return (lp->port);	/*%< host byte order */
 		}
 	if (sscanf(s, "%d", &n) != 1 || n <= 0)
 		n = -1;
 	return (n);
 }
 
-/*
+/*%
  * Convert service name or (ascii) number to int.
  */
 int
@@ -1066,7 +1070,7 @@ res_servicenumber(const char *p) {
 	return (findservice(p, &servicelist));
 }
 
-/*
+/*%
  * Convert protocol name or (ascii) number to int.
  */
 int
@@ -1077,14 +1081,14 @@ res_protocolnumber(const char *p) {
 }
 
 static struct servent *
-cgetservbyport(u_int16_t port, const char *proto) {	/* Host byte order. */
+cgetservbyport(u_int16_t port, const char *proto) {	/*%< Host byte order. */
 	struct valuelist **list = &servicelist;
 	struct valuelist *lp = *list;
 	static struct servent serv;
 
 	port = ntohs(port);
 	for (; lp != NULL; lp = lp->next) {
-		if (port != (u_int16_t)lp->port)	/* Host byte order. */
+		if (port != (u_int16_t)lp->port)	/*%< Host byte order. */
 			continue;
 		if (strcasecmp(lp->proto, proto) == 0) {
 			if (lp != *list) {
@@ -1105,13 +1109,13 @@ cgetservbyport(u_int16_t port, const char *proto) {	/* Host byte order. */
 }
 
 static struct protoent *
-cgetprotobynumber(int proto) {				/* Host byte order. */
+cgetprotobynumber(int proto) {				/*%< Host byte order. */
 	struct valuelist **list = &protolist;
 	struct valuelist *lp = *list;
 	static struct protoent prot;
 
 	for (; lp != NULL; lp = lp->next)
-		if (lp->port == proto) {		/* Host byte order. */
+		if (lp->port == proto) {		/*%< Host byte order. */
 			if (lp != *list) {
 				lp->prev->next = lp->next;
 				if (lp->next)
@@ -1121,7 +1125,7 @@ cgetprotobynumber(int proto) {				/* Host byte order. */
 				*list = lp;
 			}
 			prot.p_name = lp->name;
-			prot.p_proto = lp->port;	/* Host byte order. */
+			prot.p_proto = lp->port;	/*%< Host byte order. */
 			return (&prot);
 		}
 	return (0);
@@ -1143,7 +1147,7 @@ res_protocolname(int num) {
 }
 
 const char *
-res_servicename(u_int16_t port, const char *proto) {	/* Host byte order. */
+res_servicename(u_int16_t port, const char *proto) {	/*%< Host byte order. */
 	static char number[8];
 	struct servent *ss;
 
diff --git a/contrib/bind9/lib/bind/resolv/res_mkupdate.h b/contrib/bind9/lib/bind/resolv/res_mkupdate.h
index a8f1e7c..96c452d 100644
--- a/contrib/bind9/lib/bind/resolv/res_mkupdate.h
+++ b/contrib/bind9/lib/bind/resolv/res_mkupdate.h
@@ -22,3 +22,4 @@ __BEGIN_DECLS
 __END_DECLS
 
 #endif /* _RES_MKUPDATE_H_ */ 
+/*! \file */
diff --git a/contrib/bind9/lib/bind/resolv/res_private.h b/contrib/bind9/lib/bind/resolv/res_private.h
index d7b66cd..4e98157 100644
--- a/contrib/bind9/lib/bind/resolv/res_private.h
+++ b/contrib/bind9/lib/bind/resolv/res_private.h
@@ -18,3 +18,5 @@ extern int
 res_ourserver_p(const res_state statp, const struct sockaddr *sa);
 
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/resolv/res_query.c b/contrib/bind9/lib/bind/resolv/res_query.c
index 5156ce8..c160e93 100644
--- a/contrib/bind9/lib/bind/resolv/res_query.c
+++ b/contrib/bind9/lib/bind/resolv/res_query.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_query.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_query.c,v 1.2.2.3.4.2 2004/03/16 12:34:19 marka Exp $";
+static const char rcsid[] = "$Id: res_query.c,v 1.7.18.1 2005/04/27 05:01:11 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -97,7 +97,7 @@ static const char rcsid[] = "$Id: res_query.c,v 1.2.2.3.4.2 2004/03/16 12:34:19
 #define MAXPACKET	1024
 #endif
 
-/*
+/*%
  * Formulate a normal query, send, and await answer.
  * Returned answer is placed in supplied buffer "answer".
  * Perform preliminary check of answer, returning success only
@@ -109,10 +109,10 @@ static const char rcsid[] = "$Id: res_query.c,v 1.2.2.3.4.2 2004/03/16 12:34:19
  */
 int
 res_nquery(res_state statp,
-	   const char *name,	/* domain name */
-	   int class, int type,	/* class and type of query */
-	   u_char *answer,	/* buffer to put answer */
-	   int anslen)		/* size of answer buffer */
+	   const char *name,	/*%< domain name */
+	   int class, int type,	/*%< class and type of query */
+	   u_char *answer,	/*%< buffer to put answer */
+	   int anslen)		/*%< size of answer buffer */
 {
 	u_char buf[MAXPACKET];
 	HEADER *hp = (HEADER *) answer;
@@ -122,8 +122,7 @@ res_nquery(res_state statp,
 	oflags = statp->_flags;
 
 again:
-	hp->rcode = NOERROR;	/* default */
-
+	hp->rcode = NOERROR;	/*%< default */
 #ifdef DEBUG
 	if (statp->options & RES_DEBUG)
 		printf(";; res_query(%s, %d, %d)\n", name, class, type);
@@ -195,7 +194,7 @@ again:
 	return (n);
 }
 
-/*
+/*%
  * Formulate a normal query, send, and retrieve answer in supplied buffer.
  * Return the size of the response on success, -1 on error.
  * If enabled, implement search rules until answer or unrecoverable failure
@@ -203,10 +202,10 @@ again:
  */
 int
 res_nsearch(res_state statp,
-	    const char *name,	/* domain name */
-	    int class, int type,	/* class and type of query */
-	    u_char *answer,	/* buffer to put answer */
-	    int anslen)		/* size of answer */
+	    const char *name,	/*%< domain name */
+	    int class, int type,	/*%< class and type of query */
+	    u_char *answer,	/*%< buffer to put answer */
+	    int anslen)		/*%< size of answer */
 {
 	const char *cp, * const *domain;
 	HEADER *hp = (HEADER *) answer;
@@ -218,8 +217,7 @@ res_nsearch(res_state statp,
 	int searched = 0;
 
 	errno = 0;
-	RES_SET_H_ERRNO(statp, HOST_NOT_FOUND);  /* True if we never query. */
-
+	RES_SET_H_ERRNO(statp, HOST_NOT_FOUND);  /*%< True if we never query. */
 	dots = 0;
 	for (cp = name; *cp != '\0'; cp++)
 		dots += (*cp == '.');
@@ -344,7 +342,7 @@ res_nsearch(res_state statp,
 	return (-1);
 }
 
-/*
+/*%
  * Perform a call on res_query on the concatenation of name and domain,
  * removing a trailing dot from name if domain is NULL.
  */
@@ -352,9 +350,9 @@ int
 res_nquerydomain(res_state statp,
 	    const char *name,
 	    const char *domain,
-	    int class, int type,	/* class and type of query */
-	    u_char *answer,		/* buffer to put answer */
-	    int anslen)		/* size of answer */
+	    int class, int type,	/*%< class and type of query */
+	    u_char *answer,		/*%< buffer to put answer */
+	    int anslen)		/*%< size of answer */
 {
 	char nbuf[MAXDNAME];
 	const char *longname = nbuf;
@@ -430,3 +428,5 @@ res_hostalias(const res_state statp, const char *name, char *dst, size_t siz) {
 	fclose(fp);
 	return (NULL);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/resolv/res_send.c b/contrib/bind9/lib/bind/resolv/res_send.c
index c47dd49..39dc998 100644
--- a/contrib/bind9/lib/bind/resolv/res_send.c
+++ b/contrib/bind9/lib/bind/resolv/res_send.c
@@ -70,10 +70,11 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_send.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_send.c,v 1.5.2.2.4.9 2006/10/16 23:00:50 marka Exp $";
+static const char rcsid[] = "$Id: res_send.c,v 1.9.18.8 2006/10/16 23:00:58 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
-/*
+/*! \file
+ * \brief
  * Send query to name server and wait for reply.
  */
 
@@ -147,14 +148,15 @@ static const int niflags = NI_NUMERICHOST | NI_NUMERICSERV;
 
 /* Public. */
 
-/* int
- * res_isourserver(ina)
+/*%
  *	looks up "ina" in _res.ns_addr_list[]
+ *
  * returns:
- *	0  : not found
- *	>0 : found
+ *\li	0  : not found
+ *\li	>0 : found
+ *
  * author:
- *	paul vixie, 29may94
+ *\li	paul vixie, 29may94
  */
 int
 res_ourserver_p(const res_state statp, const struct sockaddr *sa) {
@@ -197,17 +199,19 @@ res_ourserver_p(const res_state statp, const struct sockaddr *sa) {
 	return (0);
 }
 
-/* int
- * res_nameinquery(name, type, class, buf, eom)
+/*%
  *	look for (name,type,class) in the query section of packet (buf,eom)
+ *
  * requires:
- *	buf + HFIXEDSZ <= eom
+ *\li	buf + HFIXEDSZ <= eom
+ *
  * returns:
- *	-1 : format error
- *	0  : not found
- *	>0 : found
+ *\li	-1 : format error
+ *\li	0  : not found
+ *\li	>0 : found
+ *
  * author:
- *	paul vixie, 29may94
+ *\li	paul vixie, 29may94
  */
 int
 res_nameinquery(const char *name, int type, int class,
@@ -235,16 +239,17 @@ res_nameinquery(const char *name, int type, int class,
 	return (0);
 }
 
-/* int
- * res_queriesmatch(buf1, eom1, buf2, eom2)
+/*%
  *	is there a 1:1 mapping of (name,type,class)
  *	in (buf1,eom1) and (buf2,eom2)?
+ *
  * returns:
- *	-1 : format error
- *	0  : not a 1:1 mapping
- *	>0 : is a 1:1 mapping
+ *\li	-1 : format error
+ *\li	0  : not a 1:1 mapping
+ *\li	>0 : is a 1:1 mapping
+ *
  * author:
- *	paul vixie, 29may94
+ *\li	paul vixie, 29may94
  */
 int
 res_queriesmatch(const u_char *buf1, const u_char *eom1,
@@ -524,9 +529,9 @@ res_nsend(res_state statp,
 	res_nclose(statp);
 	if (!v_circuit) {
 		if (!gotsomewhere)
-			errno = ECONNREFUSED;	/* no nameservers found */
+			errno = ECONNREFUSED;	/*%< no nameservers found */
 		else
-			errno = ETIMEDOUT;	/* no answer obtained */
+			errno = ETIMEDOUT;	/*%< no answer obtained */
 	} else
 		errno = terrno;
 	return (-1);
@@ -553,10 +558,10 @@ get_salen(sa)
 	else if (sa->sa_family == AF_INET6)
 		return (sizeof(struct sockaddr_in6));
 	else
-		return (0);	/* unknown, die on connect */
+		return (0);	/*%< unknown, die on connect */
 }
 
-/*
+/*%
  * pick appropriate nsaddr_list for use.  see res_init() for initialization.
  */
 static struct sockaddr *
diff --git a/contrib/bind9/lib/bind/resolv/res_sendsigned.c b/contrib/bind9/lib/bind/resolv/res_sendsigned.c
index 93ad5c9..63ae07c 100644
--- a/contrib/bind9/lib/bind/resolv/res_sendsigned.c
+++ b/contrib/bind9/lib/bind/resolv/res_sendsigned.c
@@ -24,7 +24,7 @@
 #include "res_debug.h"
 
 
-/* res_nsendsigned */
+/*% res_nsendsigned */
 int
 res_nsendsigned(res_state statp, const u_char *msg, int msglen,
 		ns_tsig_key *key, u_char *answer, int anslen)
@@ -166,3 +166,5 @@ retry:
 	dst_free_key(dstkey);
 	return (len);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/bind/resolv/res_update.c b/contrib/bind9/lib/bind/resolv/res_update.c
index 8783d8a..483e19d 100644
--- a/contrib/bind9/lib/bind/resolv/res_update.c
+++ b/contrib/bind9/lib/bind/resolv/res_update.c
@@ -1,5 +1,5 @@
 #if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: res_update.c,v 1.6.2.4.4.2 2004/03/16 12:34:20 marka Exp $";
+static const char rcsid[] = "$Id: res_update.c,v 1.12.18.1 2005/04/27 05:01:12 sra Exp $";
 #endif /* not lint */
 
 /*
@@ -19,9 +19,10 @@ static const char rcsid[] = "$Id: res_update.c,v 1.6.2.4.4.2 2004/03/16 12:34:20
  * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/*
+/*! \file
+ * \brief
  * Based on the Dynamic DNS reference implementation by Viraj Bais
- * <viraj_bais@ccm.fm.intel.com>
+ * &lt;viraj_bais@ccm.fm.intel.com>
  */
 
 #include "port_before.h"
@@ -49,7 +50,7 @@ static const char rcsid[] = "$Id: res_update.c,v 1.6.2.4.4.2 2004/03/16 12:34:20
 #include "port_after.h"
 #include "res_private.h"
 
-/*
+/*%
  * Separate a linked list of records into groups so that all records
  * in a group will belong to a single zone on the nameserver.
  * Create a dynamic update packet for each zone and send it to the
diff --git a/contrib/bind9/lib/bind9/Makefile.in b/contrib/bind9/lib/bind9/Makefile.in
index cd822f3..270e9ae 100644
--- a/contrib/bind9/lib/bind9/Makefile.in
+++ b/contrib/bind9/lib/bind9/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.200.10 2004/12/10 00:05:48 marka Exp $
+# $Id: Makefile.in,v 1.4.18.5 2004/12/10 00:11:50 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/bind9/api b/contrib/bind9/lib/bind9/api
index be7faa6..aba393a 100644
--- a/contrib/bind9/lib/bind9/api
+++ b/contrib/bind9/lib/bind9/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 0
-LIBREVISION = 8
+LIBINTERFACE = 30
+LIBREVISION = 3
 LIBAGE = 0
diff --git a/contrib/bind9/lib/bind9/check.c b/contrib/bind9/lib/bind9/check.c
index 2079a84..3144e65 100644
--- a/contrib/bind9/lib/bind9/check.c
+++ b/contrib/bind9/lib/bind9/check.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.37.6.34 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: check.c,v 1.44.18.31 2006/08/21 00:09:52 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -33,11 +35,13 @@
 #include <isc/symtab.h>
 #include <isc/util.h>
 
+#include <dns/acl.h>
 #include <dns/fixedname.h>
 #include <dns/rdataclass.h>
 #include <dns/rdatatype.h>
 #include <dns/secalg.h>
 
+#include <isccfg/aclconf.h>
 #include <isccfg/cfg.h>
 
 #include <bind9/check.h>
@@ -117,10 +121,7 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
 	    cfg_obj_log(ent, logctx, ISC_LOG_ERROR,
 			"rrset-order: missing ordering");
 		result = ISC_R_FAILURE;
-	} else if (strcasecmp(cfg_obj_asstring(obj), "fixed") == 0) {
-		cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
-			    "rrset-order: order 'fixed' not fully implemented");
-	} else if (/* strcasecmp(cfg_obj_asstring(obj), "fixed") != 0 && */
+	} else if (strcasecmp(cfg_obj_asstring(obj), "fixed") != 0 &&
 		   strcasecmp(cfg_obj_asstring(obj), "random") != 0 &&
 		   strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0) {
 		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
@@ -272,7 +273,8 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
 		}
 		if (tresult != ISC_R_SUCCESS) {
 			cfg_obj_log(cfg_listelt_value(element), logctx,
-				    ISC_LOG_ERROR, "invalid algorithm");
+				    ISC_LOG_ERROR, "invalid algorithm '%s'",
+				    r.base);
 			result = tresult;
 		}
 	}
@@ -345,6 +347,56 @@ mustbesecure(const cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
 	return (result);
 }
 
+static isc_result_t
+checkacl(const char *aclname, cfg_aclconfctx_t *actx, const cfg_obj_t *zconfig,
+	 const cfg_obj_t *voptions, const cfg_obj_t *config,
+	 isc_log_t *logctx, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	const cfg_obj_t *aclobj = NULL;
+	const cfg_obj_t *options;
+	dns_acl_t *acl = NULL;
+
+	if (zconfig != NULL) {
+		options = cfg_tuple_get(zconfig, "options");
+		cfg_map_get(options, aclname, &aclobj);
+	}
+	if (voptions != NULL && aclobj == NULL)
+		cfg_map_get(voptions, aclname, &aclobj);
+	if (config != NULL && aclobj == NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			cfg_map_get(options, aclname, &aclobj);
+	}
+	if (aclobj == NULL)
+		return (ISC_R_SUCCESS);
+	result = cfg_acl_fromconfig(aclobj, config, logctx, actx, mctx, &acl);
+	if (acl != NULL)
+		dns_acl_detach(&acl);
+	return (result);
+}
+
+static isc_result_t
+check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+	       const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx)
+{
+	isc_result_t result = ISC_R_SUCCESS, tresult;
+	int i = 0;
+	
+	static const char *acls[] = { "allow-query", "allow-query-cache",
+		"allow-recursion", "blackhole", "match-clients",
+		"match-destinations", "sortlist", NULL };
+
+	while (acls[i] != NULL) {
+		tresult = checkacl(acls[i++], actx, NULL, voptions, config,
+				   logctx, mctx);
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;  
+	}
+	return (result);
+}
+
 typedef struct {
 	const char *name;
 	unsigned int scale;
@@ -359,6 +411,10 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 	const cfg_obj_t *obj = NULL;
 	const cfg_listelt_t *element;
 	isc_symtab_t *symtab = NULL;
+	dns_fixedname_t fixed;
+	const char *str;
+	dns_name_t *name;
+	isc_buffer_t b;
 
 	static intervaltable intervals[] = {
 	{ "cleaning-interval", 60, 28 * 24 * 60 },	/* 28 days */
@@ -458,6 +514,9 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 		}
 	}
 
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+
 	/*
 	 * Check the DLV zone name.
 	 */
@@ -472,16 +531,11 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 		     element != NULL;
 		     element = cfg_list_next(element))
 		{
-			dns_fixedname_t fixedname;
-			dns_name_t *name;
 			const char *dlv;
-			isc_buffer_t b;
 
 			obj = cfg_listelt_value(element);
 
 			dlv = cfg_obj_asstring(cfg_tuple_get(obj, "domain"));
-			dns_fixedname_init(&fixedname);
-			name = dns_fixedname_name(&fixedname);
 			isc_buffer_init(&b, dlv, strlen(dlv));
 			isc_buffer_add(&b, strlen(dlv));
 			tresult = dns_name_fromtext(name, &b, dns_rootname,
@@ -514,7 +568,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 			}
 			dlv = cfg_obj_asstring(cfg_tuple_get(obj,
 					       "trust-anchor"));
-			dns_fixedname_init(&fixedname);
 			isc_buffer_init(&b, dlv, strlen(dlv));
 			isc_buffer_add(&b, strlen(dlv));
 			tresult = dns_name_fromtext(name, &b, dns_rootname,
@@ -554,6 +607,59 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 			isc_symtab_destroy(&symtab);
 	}
 
+	/*
+	 * Check empty zone configuration.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "empty-server", &obj);
+	if (obj != NULL) {
+		str = cfg_obj_asstring(obj);
+		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
+					    dns_rootname, ISC_FALSE, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "empty-server: invalid name '%s'", str);
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "empty-contact", &obj);
+	if (obj != NULL) {
+		str = cfg_obj_asstring(obj);
+		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
+					    dns_rootname, ISC_FALSE, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "empty-contact: invalid name '%s'", str);
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "disable-empty-zone", &obj);
+	for (element = cfg_list_first(obj);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		obj = cfg_listelt_value(element);
+		str = cfg_obj_asstring(obj);
+		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
+					    dns_rootname, ISC_FALSE, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "disable-empty-zone: invalid name '%s'",
+				    str);
+			result = ISC_R_FAILURE;
+		}
+	}
+
 	return (result);
 }
 
@@ -679,12 +785,87 @@ validate_masters(const cfg_obj_t *obj, const cfg_obj_t *config,
 	return (result);
 }
 
+static isc_result_t
+check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	const cfg_listelt_t *element;
+	const cfg_listelt_t *element2;
+	dns_fixedname_t fixed;
+	const char *str;
+	isc_buffer_t b;
+
+	for (element = cfg_list_first(policy);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *stmt = cfg_listelt_value(element);
+		const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
+		const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
+		const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
+		const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
+
+		dns_fixedname_init(&fixed);
+		str = cfg_obj_asstring(identity);
+		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
+                                            dns_rootname, ISC_FALSE, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+				    "'%s' is not a valid name", str);
+			result = tresult;
+		}
+
+		dns_fixedname_init(&fixed);
+		str = cfg_obj_asstring(dname);
+		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
+					    dns_rootname, ISC_FALSE, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
+				    "'%s' is not a valid name", str);
+			result = tresult;
+		}
+		if (tresult == ISC_R_SUCCESS &&
+		    strcasecmp(cfg_obj_asstring(matchtype), "wildcard") == 0 &&
+		    !dns_name_iswildcard(dns_fixedname_name(&fixed))) {
+			cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+				    "'%s' is not a wildcard", str);
+			result = ISC_R_FAILURE;
+		}
+
+		for (element2 = cfg_list_first(typelist);
+		     element2 != NULL;
+		     element2 = cfg_list_next(element2))
+		{
+			const cfg_obj_t *typeobj;
+			isc_textregion_t r;
+			dns_rdatatype_t type;
+			
+			typeobj = cfg_listelt_value(element2);
+			DE_CONST(cfg_obj_asstring(typeobj), r.base);
+			r.length = strlen(r.base);
+
+			tresult = dns_rdatatype_fromtext(&type, &r);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(typeobj, logctx, ISC_LOG_ERROR,
+                                            "'%s' is not a valid type", r.base);
+				result = tresult;
+			}
+		}
+	}
+	return (result);
+}
+
 #define MASTERZONE	1
 #define SLAVEZONE	2
 #define STUBZONE	4
 #define HINTZONE	8
 #define FORWARDZONE	16
 #define DELEGATIONZONE	32
+#define CHECKACL	64
 
 typedef struct {
 	const char *name;
@@ -692,8 +873,9 @@ typedef struct {
 } optionstable;
 
 static isc_result_t
-check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *config,
-	       isc_symtab_t *symtab, dns_rdataclass_t defclass,
+check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
+	       const cfg_obj_t *config, isc_symtab_t *symtab,
+	       dns_rdataclass_t defclass, cfg_aclconfctx_t *actx,
 	       isc_log_t *logctx, isc_mem_t *mctx)
 {
 	const char *zname;
@@ -709,9 +891,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *config,
 	isc_buffer_t b;
 
 	static optionstable options[] = {
-	{ "allow-query", MASTERZONE | SLAVEZONE | STUBZONE },
-	{ "allow-notify", SLAVEZONE },
-	{ "allow-transfer", MASTERZONE | SLAVEZONE },
+	{ "allow-query", MASTERZONE | SLAVEZONE | STUBZONE | CHECKACL },
+	{ "allow-notify", SLAVEZONE | CHECKACL },
+	{ "allow-transfer", MASTERZONE | SLAVEZONE | CHECKACL },
 	{ "notify", MASTERZONE | SLAVEZONE },
 	{ "also-notify", MASTERZONE | SLAVEZONE },
 	{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE },
@@ -734,9 +916,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *config,
 	{ "min-refresh-time", SLAVEZONE | STUBZONE },
 	{ "sig-validity-interval", MASTERZONE },
 	{ "zone-statistics", MASTERZONE | SLAVEZONE | STUBZONE },
-	{ "allow-update", MASTERZONE },
-	{ "allow-update-forwarding", SLAVEZONE },
+	{ "allow-update", MASTERZONE | CHECKACL },
+	{ "allow-update-forwarding", SLAVEZONE | CHECKACL },
 	{ "file", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
+	{ "journal", MASTERZONE | SLAVEZONE },
 	{ "ixfr-base", MASTERZONE | SLAVEZONE },
 	{ "ixfr-tmp-file", MASTERZONE | SLAVEZONE },
 	{ "masters", SLAVEZONE | STUBZONE },
@@ -744,6 +927,13 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *config,
 	{ "update-policy", MASTERZONE },
 	{ "database", MASTERZONE | SLAVEZONE | STUBZONE },
 	{ "key-directory", MASTERZONE },
+	{ "check-wildcard", MASTERZONE },
+	{ "check-mx", MASTERZONE },
+	{ "integrity-check", MASTERZONE },
+	{ "check-mx-cname", MASTERZONE },
+	{ "check-srv-cname", MASTERZONE },
+	{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
+	{ "update-check-ksk", MASTERZONE },
 	};
 
 	static optionstable dialups[] = {
@@ -835,6 +1025,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *config,
 
 	/*
 	 * Look for inappropriate options for the given zone type.
+	 * Check that ACLs expand correctly.
 	 */
 	for (i = 0; i < sizeof(options) / sizeof(options[0]); i++) {
 		obj = NULL;
@@ -855,6 +1046,16 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *config,
 					    "in '%s' zone '%s'",
 					    options[i].name, typestr, zname);
 		}
+		obj = NULL;
+		if ((options[i].allowed & ztype) != 0 &&
+		    (options[i].allowed & CHECKACL) != 0) {
+
+			tresult = checkacl(options[i].name, actx, zconfig,
+				           voptions, config, logctx, mctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+
 	}
 
 	/*
@@ -897,7 +1098,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *config,
 				    "when 'update-policy' is present",
 				    zname);
 			result = ISC_R_FAILURE;
-		}
+		} else if (res2 == ISC_R_SUCCESS &&
+			   check_update_policy(obj, logctx) != ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
 	}
 
 	/*
@@ -971,11 +1174,31 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *config,
 	return (result);
 }
 
+
+typedef struct keyalgorithms {
+	const char *name;
+	isc_uint16_t size;
+} algorithmtable;
+
 isc_result_t
 bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
 	const cfg_obj_t *algobj = NULL;
 	const cfg_obj_t *secretobj = NULL;
 	const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
+	const char *algorithm;
+	int i;
+	size_t len = 0;
+	static const algorithmtable algorithms[] = {
+		{ "hmac-md5", 128 },
+		{ "hmac-md5.sig-alg.reg.int", 0 },
+		{ "hmac-md5.sig-alg.reg.int.", 0 },
+		{ "hmac-sha1", 160 },
+		{ "hmac-sha224", 224 },
+		{ "hmac-sha256", 256 },
+		{ "hmac-sha384", 384 },
+		{ "hmac-sha512", 512 },
+		{  NULL, 0 }
+	};
 	
 	(void)cfg_map_get(key, "algorithm", &algobj);
 	(void)cfg_map_get(key, "secret", &secretobj);
@@ -986,6 +1209,56 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
 			    keyname);
 		return (ISC_R_FAILURE);
 	}
+
+	algorithm = cfg_obj_asstring(algobj);
+	for (i = 0; algorithms[i].name != NULL; i++) {
+		len = strlen(algorithms[i].name);
+		if (strncasecmp(algorithms[i].name, algorithm, len) == 0 &&
+		    (algorithm[len] == '\0' ||
+		     (algorithms[i].size != 0 && algorithm[len] == '-')))
+			break;
+	}
+	if (algorithms[i].name == NULL) {
+		cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
+			    "unknown algorithm '%s'", algorithm);
+		return (ISC_R_NOTFOUND);
+	}
+	if (algorithm[len] == '-') {
+		isc_uint16_t digestbits;
+		isc_result_t result;
+		result = isc_parse_uint16(&digestbits, algorithm + len + 1, 10);
+		if (result == ISC_R_SUCCESS || result == ISC_R_RANGE) {
+			if (result == ISC_R_RANGE ||
+			    digestbits > algorithms[i].size) {
+				cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
+					    "key '%s' digest-bits too large "
+					    "[%u..%u]", keyname,
+					    algorithms[i].size / 2,
+					    algorithms[i].size);
+				return (ISC_R_RANGE);
+			}
+			if ((digestbits % 8) != 0) {
+				cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
+					    "key '%s' digest-bits not multiple"
+					    " of 8", keyname);
+				return (ISC_R_RANGE);
+			}
+			/*
+			 * Recommended minima for hmac algorithms.
+			 */
+			if ((digestbits < (algorithms[i].size / 2U) ||
+			     (digestbits < 80U)))
+				cfg_obj_log(algobj, logctx, ISC_LOG_WARNING,
+					    "key '%s' digest-bits too small "
+					    "[<%u]", keyname, 
+					    algorithms[i].size/2);
+		} else {
+			cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
+				    "key '%s': unable to parse digest-bits",
+				    keyname);
+			return (result);
+		}
+	}
 	return (ISC_R_SUCCESS);
 }
 
@@ -1003,6 +1276,10 @@ check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
 		const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
 		isc_symvalue_t symvalue;
 
+		tresult = bind9_check_key(key, logctx);
+		if (tresult != ISC_R_SUCCESS)
+			return (tresult);
+
 		symvalue.as_cpointer = key;
 		tresult = isc_symtab_define(symtab, keyname, 1,
 					    symvalue, isc_symexists_reject);
@@ -1024,69 +1301,80 @@ check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
 			result = tresult;
 		} else if (tresult != ISC_R_SUCCESS)
 			return (tresult);
-
-		tresult = bind9_check_key(key, logctx);
-		if (tresult != ISC_R_SUCCESS)
-			return (tresult);
 	}
 	return (result);
 }
 
+static struct {
+	const char *v4;
+	const char *v6;
+} sources[] = {
+	{ "transfer-source", "transfer-source-v6" },
+	{ "notify-source", "notify-source-v6" },
+	{ "query-source", "query-source-v6" },
+	{ NULL, NULL }
+};
+
 static isc_result_t
 check_servers(const cfg_obj_t *servers, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
-	const cfg_listelt_t *e1;
-	const cfg_listelt_t *e2;
-	const cfg_obj_t *v1;
-	const cfg_obj_t *v2;
-	const isc_sockaddr_t *s1;
-	const isc_sockaddr_t *s2;
-	isc_netaddr_t na;
-	const cfg_obj_t *ts;
-	char buf[128];
+	isc_result_t tresult;
+	const cfg_listelt_t *e1, *e2;
+	const cfg_obj_t *v1, *v2;
+	isc_netaddr_t n1, n2;
+	unsigned int p1, p2;
+	const cfg_obj_t *obj;
+	char buf[ISC_NETADDR_FORMATSIZE];
 	const char *xfr;
-	isc_buffer_t target;
+	int source;
 
 	for (e1 = cfg_list_first(servers); e1 != NULL; e1 = cfg_list_next(e1)) {
 		v1 = cfg_listelt_value(e1);
-		s1 = cfg_obj_assockaddr(cfg_map_getname(v1));
-		ts = NULL;
-		if (isc_sockaddr_pf(s1) == AF_INET)
-			xfr = "transfer-source-v6";
-		else
-			xfr = "transfer-source";
-		(void)cfg_map_get(v1, xfr, &ts);
-		if (ts != NULL) {
-			isc_netaddr_fromsockaddr(&na, s1);
-			isc_buffer_init(&target, buf, sizeof(buf) - 1);
-			RUNTIME_CHECK(isc_netaddr_totext(&na, &target)
-				      == ISC_R_SUCCESS);
-			buf[isc_buffer_usedlength(&target)] = '\0';
+		cfg_obj_asnetprefix(cfg_map_getname(v1), &n1, &p1);
+		/*
+		 * Check that unused bits are zero.
+		 */
+		tresult = isc_netaddr_prefixok(&n1, p1);
+		if (tresult != ISC_R_SUCCESS) {
+			INSIST(tresult == ISC_R_FAILURE);
+			isc_netaddr_format(&n1, buf, sizeof(buf));
 			cfg_obj_log(v1, logctx, ISC_LOG_ERROR,
-				    "server '%s': %s not valid", buf, xfr);
-			result = ISC_R_FAILURE;
+				    "server '%s/%u': invalid prefix "
+				    "(extra bits specified)", buf, p1);
+			result = tresult;
 		}
+		source = 0;
+		do {
+			obj = NULL;
+			if (n1.family == AF_INET)
+				xfr = sources[source].v6;
+			else
+				xfr = sources[source].v4;
+			(void)cfg_map_get(v1, xfr, &obj);
+			if (obj != NULL) {
+				isc_netaddr_format(&n1, buf, sizeof(buf));
+				cfg_obj_log(v1, logctx, ISC_LOG_ERROR,
+					    "server '%s': %s not legal",
+					    buf, xfr);
+				result = ISC_R_FAILURE;
+			}
+		} while (sources[++source].v4 != NULL);
 		e2 = e1;
 		while ((e2 = cfg_list_next(e2)) != NULL) {
 			v2 = cfg_listelt_value(e2);
-			s2 = cfg_obj_assockaddr(cfg_map_getname(v2));
-			if (isc_sockaddr_eqaddr(s1, s2)) {
+			cfg_obj_asnetprefix(cfg_map_getname(v2), &n2, &p2);
+			if (p1 == p2 && isc_netaddr_equal(&n1, &n2)) {
 				const char *file = cfg_obj_file(v1);
 				unsigned int line = cfg_obj_line(v1);
 
 				if (file == NULL)
 					file = "<unknown file>";
 
-				isc_netaddr_fromsockaddr(&na, s2);
-				isc_buffer_init(&target, buf, sizeof(buf) - 1);
-				RUNTIME_CHECK(isc_netaddr_totext(&na, &target)
-					      == ISC_R_SUCCESS);
-				buf[isc_buffer_usedlength(&target)] = '\0';
-
+				isc_netaddr_format(&n2, buf, sizeof(buf));
 				cfg_obj_log(v2, logctx, ISC_LOG_ERROR,
-					    "server '%s': already exists "
+					    "server '%s/%u': already exists "
 					    "previous definition: %s:%u",
-					    buf, file, line);
+					    buf, p2, file, line);
 				result = ISC_R_FAILURE;
 			}
 		}
@@ -1095,7 +1383,7 @@ check_servers(const cfg_obj_t *servers, isc_log_t *logctx) {
 }
 		
 static isc_result_t
-check_viewconf(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	       dns_rdataclass_t vclass, isc_log_t *logctx, isc_mem_t *mctx)
 {
 	const cfg_obj_t *servers = NULL;
@@ -1105,6 +1393,9 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	isc_symtab_t *symtab = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult = ISC_R_SUCCESS;
+	cfg_aclconfctx_t actx;
+	const cfg_obj_t *obj;
+	isc_boolean_t enablednssec, enablevalidation;
 
 	/*
 	 * Check that all zone statements are syntactically correct and
@@ -1115,8 +1406,10 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	if (tresult != ISC_R_SUCCESS)
 		return (ISC_R_NOMEMORY);
 
-	if (vconfig != NULL)
-		(void)cfg_map_get(vconfig, "zone", &zones);
+	cfg_aclconfctx_init(&actx);
+
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "zone", &zones);
 	else
 		(void)cfg_map_get(config, "zone", &zones);
 
@@ -1127,8 +1420,8 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		isc_result_t tresult;
 		const cfg_obj_t *zone = cfg_listelt_value(element);
 
-		tresult = check_zoneconf(zone, config, symtab, vclass,
-					 logctx, mctx);
+		tresult = check_zoneconf(zone, voptions, config, symtab,
+					 vclass, &actx, logctx, mctx);
 		if (tresult != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
 	}
@@ -1152,9 +1445,9 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		return (tresult);
 	}
 	
-	if (vconfig != NULL) {
+	if (voptions != NULL) {
 		keys = NULL;
-		(void)cfg_map_get(vconfig, "key", &keys);
+		(void)cfg_map_get(voptions, "key", &keys);
 		tresult = check_keylist(keys, symtab, logctx);
 		if (tresult == ISC_R_EXISTS)
 			result = ISC_R_FAILURE;
@@ -1169,55 +1462,349 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	/*
 	 * Check that forwarding is reasonable.
 	 */
-	if (vconfig == NULL) {
+	if (voptions == NULL) {
 		const cfg_obj_t *options = NULL;
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			if (check_forward(options, logctx) != ISC_R_SUCCESS)
 				result = ISC_R_FAILURE;
 	} else {
-		if (check_forward(vconfig, logctx) != ISC_R_SUCCESS)
+		if (check_forward(voptions, logctx) != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
 	}
 	/*
 	 * Check that dual-stack-servers is reasonable.
 	 */
-	if (vconfig == NULL) {
+	if (voptions == NULL) {
 		const cfg_obj_t *options = NULL;
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
 				result = ISC_R_FAILURE;
 	} else {
-		if (check_dual_stack(vconfig, logctx) != ISC_R_SUCCESS)
+		if (check_dual_stack(voptions, logctx) != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
 	}
 
 	/*
 	 * Check that rrset-order is reasonable.
 	 */
-	if (vconfig != NULL) {
-		if (check_order(vconfig, logctx) != ISC_R_SUCCESS)
+	if (voptions != NULL) {
+		if (check_order(voptions, logctx) != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
 	}
 
-	if (vconfig != NULL) {
-		(void)cfg_map_get(vconfig, "server", &servers);
+	if (voptions != NULL) {
+		(void)cfg_map_get(voptions, "server", &servers);
 		if (servers != NULL &&
 		    check_servers(servers, logctx) != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
 	}
 
-	if (vconfig != NULL)
-		tresult = check_options(vconfig, logctx, mctx);
+	/*
+	 * Check that dnssec-enable/dnssec-validation are sensible.
+	 */
+	obj = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "dnssec-enable", &obj);
+	if (obj == NULL)
+		(void)cfg_map_get(config, "dnssec-enable", &obj);
+	if (obj == NULL)
+		enablednssec = ISC_TRUE;
+	else
+		enablednssec = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "dnssec-validation", &obj);
+	if (obj == NULL)
+		(void)cfg_map_get(config, "dnssec-validation", &obj);
+	if (obj == NULL)
+		enablevalidation = ISC_FALSE;	/* XXXMPA Change for 9.5. */
+	else
+		enablevalidation = cfg_obj_asboolean(obj);
+
+	if (enablevalidation && !enablednssec)
+		cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+			    "'dnssec-validation yes;' and 'dnssec-enable no;'");
+
+	if (voptions != NULL)
+		tresult = check_options(voptions, logctx, mctx);
 	else
 		tresult = check_options(config, logctx, mctx);
 	if (tresult != ISC_R_SUCCESS)
 		result = tresult;
 
+	tresult = check_viewacls(&actx, voptions, config, logctx, mctx);
+	if (tresult != ISC_R_SUCCESS)
+		result = tresult;
+
+	cfg_aclconfctx_destroy(&actx);
+
 	return (result);
 }
 
+static const char *
+default_channels[] = {
+	"default_syslog",
+	"default_stderr",
+	"default_debug",
+	"null",
+	NULL
+};
+
+static isc_result_t
+bind9_check_logging(const cfg_obj_t *config, isc_log_t *logctx,
+		    isc_mem_t *mctx)
+{
+	const cfg_obj_t *categories = NULL;
+	const cfg_obj_t *category;
+	const cfg_obj_t *channels = NULL;
+	const cfg_obj_t *channel;
+	const cfg_listelt_t *element;
+	const cfg_listelt_t *delement;
+	const char *channelname;
+	const char *catname;
+	const cfg_obj_t *fileobj = NULL;
+        const cfg_obj_t *syslogobj = NULL;
+        const cfg_obj_t *nullobj = NULL;
+        const cfg_obj_t *stderrobj = NULL;
+        const cfg_obj_t *logobj = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	isc_symtab_t *symtab = NULL;
+	isc_symvalue_t symvalue;
+	int i;
+
+	(void)cfg_map_get(config, "logging", &logobj);
+	if (logobj == NULL)
+		return (ISC_R_SUCCESS);
+
+	result = isc_symtab_create(mctx, 100, NULL, NULL, ISC_FALSE, &symtab);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	symvalue.as_cpointer = NULL;
+	for (i = 0; default_channels[i] != NULL; i++) {
+		tresult = isc_symtab_define(symtab, default_channels[i], 1,
+					    symvalue, isc_symexists_replace);
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+	}
+
+	cfg_map_get(logobj, "channel", &channels);
+
+	for (element = cfg_list_first(channels);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		channel = cfg_listelt_value(element);
+		channelname = cfg_obj_asstring(cfg_map_getname(channel));
+		fileobj = syslogobj = nullobj = stderrobj = NULL;
+		(void)cfg_map_get(channel, "file", &fileobj);
+		(void)cfg_map_get(channel, "syslog", &syslogobj);
+		(void)cfg_map_get(channel, "null", &nullobj);
+		(void)cfg_map_get(channel, "stderr", &stderrobj);
+		i = 0;
+		if (fileobj != NULL)
+			i++;
+		if (syslogobj != NULL)
+			i++;
+		if (nullobj != NULL)
+			i++;
+		if (stderrobj != NULL)
+			i++;
+		if (i != 1) {
+			cfg_obj_log(channel, logctx, ISC_LOG_ERROR,
+				    "channel '%s': exactly one of file, syslog, "
+				    "null, and stderr must be present",
+				     channelname);
+			result = ISC_R_FAILURE;
+		}
+		tresult = isc_symtab_define(symtab, channelname, 1,
+					    symvalue, isc_symexists_replace);
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+	}
+
+	cfg_map_get(logobj, "category", &categories);
+
+	for (element = cfg_list_first(categories);
+             element != NULL;
+             element = cfg_list_next(element))
+        {
+		category = cfg_listelt_value(element);
+		catname = cfg_obj_asstring(cfg_tuple_get(category, "name"));
+		if (isc_log_categorybyname(logctx, catname) == NULL) {
+			cfg_obj_log(category, logctx, ISC_LOG_ERROR,
+				    "undefined category: '%s'", catname);
+			result = ISC_R_FAILURE;
+		}
+		channels = cfg_tuple_get(category, "destinations");
+		for (delement = cfg_list_first(channels);
+		     delement != NULL;
+		     delement = cfg_list_next(delement))
+		{
+			channel = cfg_listelt_value(delement);
+			channelname = cfg_obj_asstring(channel);
+			tresult = isc_symtab_lookup(symtab, channelname, 1,
+                                          	    &symvalue);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(channel, logctx, ISC_LOG_ERROR,
+					    "undefined channel: '%s'",
+					    channelname);
+				result = tresult;
+			}
+		}
+	}
+	isc_symtab_destroy(&symtab);
+	return (result);
+}
+
+static isc_result_t
+key_exists(const cfg_obj_t *keylist, const char *keyname) {
+	const cfg_listelt_t *element;
+	const char *str;
+	const cfg_obj_t *obj;
+	
+	if (keylist == NULL)
+		return (ISC_R_NOTFOUND);
+	for (element = cfg_list_first(keylist);
+	     element != NULL;   
+	     element = cfg_list_next(element)) 
+	{
+		obj = cfg_listelt_value(element);
+		str = cfg_obj_asstring(cfg_map_getname(obj));
+		if (strcasecmp(str, keyname) == 0)
+			return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+bind9_check_controlskeys(const cfg_obj_t *control, const cfg_obj_t *keylist,
+			 isc_log_t *logctx)
+{
+	isc_result_t result = ISC_R_SUCCESS, tresult;
+	const cfg_obj_t *control_keylist;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *key;
+	
+	control_keylist = cfg_tuple_get(control, "keys");
+	if (cfg_obj_isvoid(control_keylist))
+		return (ISC_R_SUCCESS);
+
+	for (element = cfg_list_first(control_keylist);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		key = cfg_listelt_value(element);
+		tresult = key_exists(keylist, cfg_obj_asstring(key));
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "unknown key '%s'", cfg_obj_asstring(key));
+			result = tresult;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+bind9_check_controls(const cfg_obj_t *config, isc_log_t *logctx,
+		     isc_mem_t *mctx)
+{
+	isc_result_t result = ISC_R_SUCCESS, tresult;
+	cfg_aclconfctx_t actx;
+	const cfg_listelt_t *element, *element2;
+	const cfg_obj_t *allow;
+	const cfg_obj_t *control;
+	const cfg_obj_t *controls;
+	const cfg_obj_t *controlslist = NULL;
+	const cfg_obj_t *inetcontrols;
+	const cfg_obj_t *unixcontrols;
+	const cfg_obj_t *keylist = NULL;
+	const char *path;
+	isc_uint32_t perm, mask;
+	dns_acl_t *acl = NULL;
+	isc_sockaddr_t addr;
+	int i;
+
+	(void)cfg_map_get(config, "controls", &controlslist);
+	if (controlslist == NULL)
+		return (ISC_R_SUCCESS);
+
+	(void)cfg_map_get(config, "key", &keylist);
+
+	cfg_aclconfctx_init(&actx);
+
+	/*
+	 * INET: Check allow clause.
+	 * UNIX: Check "perm" for sanity, check path length.
+	 */
+	for (element = cfg_list_first(controlslist);
+	     element != NULL;
+	     element = cfg_list_next(element)) {
+		controls = cfg_listelt_value(element);
+		unixcontrols = NULL;
+		inetcontrols = NULL;
+		(void)cfg_map_get(controls, "unix", &unixcontrols);
+		(void)cfg_map_get(controls, "inet", &inetcontrols);
+		for (element2 = cfg_list_first(inetcontrols);
+		     element2 != NULL;
+		     element2 = cfg_list_next(element2)) {
+			control = cfg_listelt_value(element2);
+			allow = cfg_tuple_get(control, "allow");
+			tresult = cfg_acl_fromconfig(allow, config, logctx,
+						     &actx, mctx, &acl);
+			if (acl != NULL)
+				dns_acl_detach(&acl);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			tresult = bind9_check_controlskeys(control, keylist,
+							   logctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+		for (element2 = cfg_list_first(unixcontrols);
+		     element2 != NULL;
+		     element2 = cfg_list_next(element2)) {
+			control = cfg_listelt_value(element2);
+			path = cfg_obj_asstring(cfg_tuple_get(control, "path"));
+			tresult = isc_sockaddr_frompath(&addr, path);
+			if (tresult == ISC_R_NOSPACE) {
+				cfg_obj_log(control, logctx, ISC_LOG_ERROR,
+					    "unix control '%s': path too long",
+					    path);
+				result = ISC_R_NOSPACE;
+			}
+			perm = cfg_obj_asuint32(cfg_tuple_get(control, "perm"));
+			for (i = 0; i < 3; i++) {
+#ifdef NEED_SECURE_DIRECTORY
+				mask = (0x1 << (i*3));	/* SEARCH */
+#else
+				mask = (0x6 << (i*3)); 	/* READ + WRITE */
+#endif
+				if ((perm & mask) == mask)
+					break;
+			}
+			if (i == 0) {
+				cfg_obj_log(control, logctx, ISC_LOG_WARNING,
+					    "unix control '%s' allows access "
+					    "to everyone", path);
+			} else if (i == 3) {
+				cfg_obj_log(control, logctx, ISC_LOG_WARNING,
+					    "unix control '%s' allows access "
+					    "to nobody", path);
+			}
+			tresult = bind9_check_controlskeys(control, keylist,
+							   logctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+	}
+	cfg_aclconfctx_destroy(&actx);
+	return (result);
+}
 
 isc_result_t
 bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
@@ -1248,6 +1835,12 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 	    check_servers(servers, logctx) != ISC_R_SUCCESS)
 		result = ISC_R_FAILURE;
 
+	if (bind9_check_logging(config, logctx, mctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	if (bind9_check_controls(config, logctx, mctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
 	if (options != NULL && 
 	    check_order(options, logctx) != ISC_R_SUCCESS)
 		result = ISC_R_FAILURE;
diff --git a/contrib/bind9/lib/bind9/getaddresses.c b/contrib/bind9/lib/bind9/getaddresses.c
index 02d1104..b6edce0 100644
--- a/contrib/bind9/lib/bind9/getaddresses.c
+++ b/contrib/bind9/lib/bind9/getaddresses.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddresses.c,v 1.13.126.8 2005/10/14 02:13:06 marka Exp $ */
+/* $Id: getaddresses.c,v 1.15.18.5 2005/10/14 01:28:24 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 #include <string.h>
diff --git a/contrib/bind9/lib/bind9/include/Makefile.in b/contrib/bind9/lib/bind9/include/Makefile.in
index 9081d9e..6c6611e 100644
--- a/contrib/bind9/lib/bind9/include/Makefile.in
+++ b/contrib/bind9/lib/bind9/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.200.3 2004/03/08 09:04:27 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/05 05:09:08 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/bind9/include/bind9/Makefile.in b/contrib/bind9/lib/bind9/include/bind9/Makefile.in
index dec2982..8ef5c32 100644
--- a/contrib/bind9/lib/bind9/include/bind9/Makefile.in
+++ b/contrib/bind9/lib/bind9/include/bind9/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5.200.4 2004/03/08 09:04:28 marka Exp $
+# $Id: Makefile.in,v 1.6 2004/03/05 05:09:10 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/bind9/include/bind9/check.h b/contrib/bind9/lib/bind9/include/bind9/check.h
index 09e8b2e..25a8e0c 100644
--- a/contrib/bind9/lib/bind9/include/bind9/check.h
+++ b/contrib/bind9/lib/bind9/include/bind9/check.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.h,v 1.1.200.6 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: check.h,v 1.2.18.4 2006/03/02 00:37:21 marka Exp $ */
 
 #ifndef BIND9_CHECK_H
 #define BIND9_CHECK_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/types.h>
 
@@ -30,24 +32,24 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 		      isc_mem_t *mctx);
-/*
+/*%<
  * Check the syntactic validity of a configuration parse tree generated from
  * a named.conf file.
  *
  * Requires:
- *	config is a valid parse tree
+ *\li	config is a valid parse tree
  *
- *	logctx is a valid logging context.
+ *\li	logctx is a valid logging context.
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	ISC_R_FAILURE
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_FAILURE
  */
 
 isc_result_t
 bind9_check_key(const cfg_obj_t *config, isc_log_t *logctx);
-/*
- * As above, but for a single 'key' statement.
+/*%<
+ * Same as bind9_check_namedconf(), but for a single 'key' statement.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/bind9/include/bind9/getaddresses.h b/contrib/bind9/lib/bind9/include/bind9/getaddresses.h
index 4a3a546..e6d030d 100644
--- a/contrib/bind9/lib/bind9/include/bind9/getaddresses.h
+++ b/contrib/bind9/lib/bind9/include/bind9/getaddresses.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddresses.h,v 1.2.200.3 2004/03/08 09:04:28 marka Exp $ */
+/* $Id: getaddresses.h,v 1.3.18.2 2005/04/29 00:15:48 marka Exp $ */
 
 #ifndef BIND9_GETADDRESSES_H
 #define BIND9_GETADDRESSES_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/types.h>
 
@@ -30,7 +32,7 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 bind9_getaddresses(const char *hostname, in_port_t port,
 		   isc_sockaddr_t *addrs, int addrsize, int *addrcount);
-/*
+/*%<
  * Use the system resolver to get the addresses associated with a hostname.
  * If successful, the number of addresses found is returned in 'addrcount'.
  * If a hostname lookup is performed and addresses of an unknown family is
@@ -41,16 +43,16 @@ bind9_getaddresses(const char *hostname, in_port_t port,
  * framework, it should be surounded by isc_app_block()/isc_app_unblock().
  *
  *  Requires:
- *	'hostname' is not NULL.
- *	'addrs' is not NULL.
- *	'addrsize' > 0
- *	'addrcount' is not NULL.
+ *\li	'hostname' is not NULL.
+ *\li	'addrs' is not NULL.
+ *\li	'addrsize' > 0
+ *\li	'addrcount' is not NULL.
  *
  * 
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOTFOUND
- *	ISC_R_NOFAMILYSUPPORT - 'hostname' is an IPv6 address, and IPv6 is
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOTFOUND
+ *\li	#ISC_R_NOFAMILYSUPPORT - 'hostname' is an IPv6 address, and IPv6 is
  *		not supported.
  */
 
diff --git a/contrib/bind9/lib/bind9/include/bind9/version.h b/contrib/bind9/lib/bind9/include/bind9/version.h
index a3b812e..154e240d 100644
--- a/contrib/bind9/lib/bind9/include/bind9/version.h
+++ b/contrib/bind9/lib/bind9/include/bind9/version.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.2.208.3 2004/03/08 09:04:28 marka Exp $ */
+/* $Id: version.h,v 1.3.18.2 2005/04/29 00:15:48 marka Exp $ */
+
+/*! \file */
 
 #include <isc/platform.h>
 
diff --git a/contrib/bind9/lib/bind9/version.c b/contrib/bind9/lib/bind9/version.c
index 5fee2cf..2cc17da 100644
--- a/contrib/bind9/lib/bind9/version.c
+++ b/contrib/bind9/lib/bind9/version.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.3.200.4 2004/03/08 09:04:27 marka Exp $ */
+/* $Id: version.c,v 1.4.18.2 2005/04/29 00:15:47 marka Exp $ */
+
+/*! \file */
 
 #include <bind9/version.h>
 
diff --git a/contrib/bind9/lib/dns/Makefile.in b/contrib/bind9/lib/dns/Makefile.in
index 9c368d1..286a5f9 100644
--- a/contrib/bind9/lib/dns/Makefile.in
+++ b/contrib/bind9/lib/dns/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.126.2.3.2.19 2006/01/06 00:01:42 marka Exp $
+# $Id: Makefile.in,v 1.144.18.10 2006/01/06 00:01:43 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -49,17 +49,18 @@ DSTOBJS =	dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
 		opensslrsa_link.@O@
 
 # Alphabetically
-DNSOBJS =	acl.@O@ adb.@O@ byaddr.@O@ \
+DNSOBJS =	acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
 		cache.@O@ callbacks.@O@ compress.@O@ \
 		db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \
-		dnssec.@O@ ds.@O@ forward.@O@ journal.@O@ keytable.@O@ \
+		dlz.@O@ dnssec.@O@ ds.@O@ forward.@O@ journal.@O@ keytable.@O@ \
 		lib.@O@ log.@O@ lookup.@O@ \
 		master.@O@ masterdump.@O@ message.@O@ \
 		name.@O@ ncache.@O@ nsec.@O@ order.@O@ peer.@O@ portlist.@O@ \
 		rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
 		rdatalist.@O@ \
 		rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ request.@O@ \
-		resolver.@O@ result.@O@ rootns.@O@ sdb.@O@ soa.@O@ ssu.@O@ \
+		resolver.@O@ result.@O@ rootns.@O@ sdb.@O@ sdlz.@O@ \
+		soa.@O@ ssu.@O@ \
 		stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
 		tsig.@O@ ttl.@O@ validator.@O@ \
 		version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ zt.@O@
@@ -73,17 +74,18 @@ DSTSRCS =	dst_api.c dst_lib.c dst_parse.c \
 		openssl_link.c openssldh_link.c \
 		openssldsa_link.c opensslrsa_link.c
 
-SRCS =		acl.c adb.c byaddr.c \
+DNSSRCS =	acache.c acl.c adb.c byaddr.c \
 		cache.c callbacks.c compress.c \
 		db.c dbiterator.c dbtable.c diff.c dispatch.c \
-		dnssec.c ds.c forward.c journal.c keytable.c \
+		dlz.c dnssec.c ds.c forward.c journal.c keytable.c \
 		lib.c log.c lookup.c \
 		master.c masterdump.c message.c \
 		name.c ncache.c nsec.c order.c peer.c portlist.c \
 		rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c \
 		rdatalist.c \
 		rdataset.c rdatasetiter.c rdataslab.c request.c \
-		resolver.c result.c rootns.c sdb.c soa.c ssu.c \
+		resolver.c result.c rootns.c sdb.c sdlz.c \
+		soa.c ssu.c \
 		stats.c tcpmsg.c time.c timer.c tkey.c \
 		tsig.c ttl.c validator.c \
 		version.c view.c xfrin.c zone.c zonekey.c zt.c ${OTHERSRCS}
diff --git a/contrib/bind9/lib/dns/acache.c b/contrib/bind9/lib/dns/acache.c
new file mode 100644
index 0000000..5787a5a
--- /dev/null
+++ b/contrib/bind9/lib/dns/acache.c
@@ -0,0 +1,1778 @@
+/*
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: acache.c,v 1.3.2.16 2006/07/19 00:34:56 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/atomic.h>
+#include <isc/event.h>
+#include <isc/hash.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+
+#include <dns/acache.h>
+#include <dns/db.h>
+#include <dns/events.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/zone.h>
+
+#define ACACHE_MAGIC			ISC_MAGIC('A', 'C', 'H', 'E')
+#define DNS_ACACHE_VALID(acache)	ISC_MAGIC_VALID(acache, ACACHE_MAGIC)
+
+#define ACACHEENTRY_MAGIC		ISC_MAGIC('A', 'C', 'E', 'T')
+#define DNS_ACACHEENTRY_VALID(entry)	ISC_MAGIC_VALID(entry, ACACHEENTRY_MAGIC)
+
+#define DBBUCKETS	67
+
+#if 0
+#define ATRACE(m)       isc_log_write(dns_lctx, \
+				      DNS_LOGCATEGORY_DATABASE, \
+				      DNS_LOGMODULE_ACACHE, \
+				      ISC_LOG_DEBUG(3), \
+				      "acache %p: %s", acache, (m))
+#define AATRACE(a,m)    isc_log_write(dns_lctx, \
+				      DNS_LOGCATEGORY_DATABASE, \
+				      DNS_LOGMODULE_ACACHE, \
+				      ISC_LOG_DEBUG(3), \
+				      "acache %p: %s", (a), (m))
+#else
+#define ATRACE(m)
+#define AATRACE(a, m)
+#endif
+
+/*
+ * The following variables control incremental cleaning.
+ * MINSIZE is how many bytes is the floor for dns_acache_setcachesize().
+ * CLEANERINCREMENT is how many entries are examined in one pass.
+ * (XXX simply derived from definitions in cache.c  There may be better
+ *  constants here.)
+ */
+#define DNS_ACACHE_MINSIZE 		2097152	/* Bytes.  2097152 = 2 MB */
+#define DNS_ACACHE_CLEANERINCREMENT	1000	/* Number of entries. */
+
+#define DEFAULT_ACACHE_ENTRY_LOCK_COUNT	1009	/*%< Should be prime. */
+
+#if defined(ISC_RWLOCK_USEATOMIC) && defined(ISC_PLATFORM_HAVEATOMICSTORE)
+#define ACACHE_USE_RWLOCK 1
+#endif
+
+#ifdef ACACHE_USE_RWLOCK
+#define ACACHE_INITLOCK(l)	isc_rwlock_init((l), 0, 0)
+#define ACACHE_DESTROYLOCK(l)	isc_rwlock_destroy(l)
+#define ACACHE_LOCK(l, t)	RWLOCK((l), (t))
+#define ACACHE_UNLOCK(l, t)	RWUNLOCK((l), (t))
+
+#define acache_storetime(entry, t) \
+	(isc_atomic_store((isc_int32_t *)&(entry)->lastused, (t)))
+#else
+#define ACACHE_INITLOCK(l)	isc_mutex_init(l)
+#define ACACHE_DESTROYLOCK(l)	DESTROYLOCK(l)
+#define ACACHE_LOCK(l, t)	LOCK(l)
+#define ACACHE_UNLOCK(l, t)	UNLOCK(l)
+
+#define acache_storetime(entry, t) ((entry)->lastused = (t))
+#endif
+
+/* Locked by acache lock */
+typedef struct dbentry {
+	ISC_LINK(struct dbentry)	link;
+
+	dns_db_t			*db;
+	ISC_LIST(dns_acacheentry_t)	originlist;
+	ISC_LIST(dns_acacheentry_t)	referlist;
+} dbentry_t;
+
+typedef ISC_LIST(dbentry_t) dbentrylist_t;
+
+typedef struct acache_cleaner acache_cleaner_t;
+
+typedef enum {
+	cleaner_s_idle,	/* Waiting for cleaning-interval to expire. */
+	cleaner_s_busy,	/* Currently cleaning. */
+	cleaner_s_done  /* Freed enough memory after being overmem. */
+} cleaner_state_t;
+
+/*
+ * Convenience macros for comprehensive assertion checking.
+ */
+#define CLEANER_IDLE(c) ((c)->state == cleaner_s_idle && \
+			 (c)->resched_event != NULL)
+#define CLEANER_BUSY(c) ((c)->state == cleaner_s_busy && \
+			 (c)->resched_event == NULL)
+
+struct acache_cleaner {
+	isc_mutex_t		lock;
+	/*
+	 * Locks overmem_event, overmem.  (See cache.c)
+	 */
+
+	dns_acache_t		*acache;
+	unsigned int		cleaning_interval; /* The cleaning-interval
+						      from named.conf,
+						      in seconds. */
+
+	isc_stdtime_t		last_cleanup_time; /* The time when the last
+      						      cleanup task completed */
+
+	isc_timer_t 		*cleaning_timer;
+	isc_event_t		*resched_event;	/* Sent by cleaner task to
+						   itself to reschedule */
+	isc_event_t		*overmem_event;
+
+	dns_acacheentry_t	*current_entry;	/* The bookmark entry to
+						   restart the cleaning.
+						   Locked by acache lock. */
+	int 		 	increment;	/* Number of entries to
+						   clean in one increment */
+
+	unsigned long		ncleaned;	/* Number of entries cleaned
+						   up (for logging purposes) */
+	cleaner_state_t  	state;		/* Idle/Busy/Done. */
+	isc_boolean_t	 	overmem;	/* The acache is in an overmem
+						   state. */
+};
+
+struct dns_acachestats {
+	unsigned int			hits;
+	unsigned int			queries;
+	unsigned int			misses;
+	unsigned int			adds;
+	unsigned int			deleted;
+	unsigned int			cleaned;
+	unsigned int			cleaner_runs;
+	unsigned int			overmem;
+	unsigned int			overmem_nocreates;
+	unsigned int			nomem;
+};
+
+/*
+ * The actual acache object.
+ */
+
+struct dns_acache {
+	unsigned int			magic;
+
+	isc_mem_t			*mctx;
+	isc_refcount_t			refs;
+
+#ifdef ACACHE_USE_RWLOCK
+	isc_rwlock_t 			*entrylocks;
+#else
+	isc_mutex_t 			*entrylocks;
+#endif
+
+	isc_mutex_t			lock;
+
+	int				live_cleaners;
+	acache_cleaner_t		cleaner;
+	ISC_LIST(dns_acacheentry_t)	entries;
+	unsigned int			dbentries;
+	dbentrylist_t			dbbucket[DBBUCKETS];
+
+	isc_boolean_t			shutting_down;
+
+	isc_task_t 			*task;
+	isc_event_t			cevent;
+	isc_boolean_t			cevent_sent;
+
+	dns_acachestats_t		stats;
+};
+
+struct dns_acacheentry {
+	unsigned int 		magic;
+
+	unsigned int		locknum;
+	isc_refcount_t 		references;
+
+	dns_acache_t 		*acache;
+
+	/* Data for Management of cache entries */
+	ISC_LINK(dns_acacheentry_t) link;
+	ISC_LINK(dns_acacheentry_t) olink;
+	ISC_LINK(dns_acacheentry_t) rlink;
+
+	dns_db_t 		*origdb; /* reference to the DB
+					    holding this entry */
+
+	/* Cache data */
+	dns_zone_t 		*zone;		/* zone this entry
+						   belongs to */
+	dns_db_t		*db;   		/* DB this entry belongs to */
+	dns_dbversion_t		*version;	/* the version of the DB */
+	dns_dbnode_t 		*node;		/* node this entry
+						   belongs to */
+	dns_name_t 		*foundname;	/* corresponding DNS name
+						   and rdataset */
+
+	/* Callback function and its argument */
+	void 			(*callback)(dns_acacheentry_t *, void **);
+	void 			*cbarg;
+
+	/* Timestamp of the last time this entry is referred to */
+	isc_stdtime32_t		lastused;
+};
+
+/*
+ *	Internal functions (and prototypes).
+ */
+static inline isc_boolean_t check_noentry(dns_acache_t *acache);
+static void destroy(dns_acache_t *acache);
+static void shutdown_entries(dns_acache_t *acache);
+static void shutdown_buckets(dns_acache_t *acache);
+static void destroy_entry(dns_acacheentry_t *ent);
+static inline void unlink_dbentries(dns_acache_t *acache,
+				    dns_acacheentry_t *ent);
+static inline isc_result_t finddbent(dns_acache_t *acache,
+				     dns_db_t *db, dbentry_t **dbentryp);
+static inline void clear_entry(dns_acache_t *acache, dns_acacheentry_t *entry);
+static isc_result_t acache_cleaner_init(dns_acache_t *acache,
+					isc_timermgr_t *timermgr,
+					acache_cleaner_t *cleaner);
+static void acache_cleaning_timer_action(isc_task_t *task, isc_event_t *event);
+static void acache_incremental_cleaning_action(isc_task_t *task,
+					       isc_event_t *event);
+static void acache_overmem_cleaning_action(isc_task_t *task,
+					   isc_event_t *event);
+static void acache_cleaner_shutdown_action(isc_task_t *task,
+					   isc_event_t *event);
+
+/*
+ * acache should be locked.  If it is not, the stats can get out of whack,
+ * which is not a big deal for us since this is for debugging / stats
+ */
+static void
+reset_stats(dns_acache_t *acache) {
+	acache->stats.hits = 0;
+	acache->stats.queries = 0;
+	acache->stats.misses = 0;
+	acache->stats.adds = 0;
+	acache->stats.deleted = 0;
+	acache->stats.cleaned = 0;
+	acache->stats.overmem = 0;
+	acache->stats.overmem_nocreates = 0;
+	acache->stats.nomem = 0;
+}
+
+/*
+ * The acache must be locked before calling.
+ */
+static inline isc_boolean_t
+check_noentry(dns_acache_t *acache) {
+	if (ISC_LIST_EMPTY(acache->entries) && acache->dbentries == 0) {
+		return (ISC_TRUE);
+	}
+
+	return (ISC_FALSE);
+}
+
+/*
+ * The acache must be locked before calling.
+ */
+static void
+shutdown_entries(dns_acache_t *acache) {
+	dns_acacheentry_t *entry, *entry_next;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	INSIST(acache->shutting_down);
+
+	/*
+	 * Release the dependency of all entries, and detach them.
+	 */
+	for (entry = ISC_LIST_HEAD(acache->entries);
+	     entry != NULL;
+	     entry = entry_next) {
+		entry_next = ISC_LIST_NEXT(entry, link);
+
+		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
+			    isc_rwlocktype_write);
+
+		/*
+		 * If the cleaner holds this entry, it will be unlinked and
+		 * freed in the cleaner later.
+		 */
+		if (acache->cleaner.current_entry != entry)
+			ISC_LIST_UNLINK(acache->entries, entry, link);
+		unlink_dbentries(acache, entry);
+		if (entry->callback != NULL) {
+			(entry->callback)(entry, &entry->cbarg);
+			entry->callback = NULL;
+		}
+
+		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+			      isc_rwlocktype_write);
+
+		if (acache->cleaner.current_entry != entry)
+			dns_acache_detachentry(&entry);
+	}
+}
+
+/*
+ * The acache must be locked before calling.
+ */
+static void
+shutdown_buckets(dns_acache_t *acache) {
+	int i;
+	dbentry_t *dbent;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	INSIST(acache->shutting_down);
+
+	for (i = 0; i < DBBUCKETS; i++) {
+		while ((dbent = ISC_LIST_HEAD(acache->dbbucket[i])) != NULL) {
+			INSIST(ISC_LIST_EMPTY(dbent->originlist) &&
+			       ISC_LIST_EMPTY(dbent->referlist));
+			ISC_LIST_UNLINK(acache->dbbucket[i], dbent, link);
+						
+			dns_db_detach(&dbent->db);
+
+			isc_mem_put(acache->mctx, dbent, sizeof(*dbent));
+				    
+			acache->dbentries--;
+		}
+	}
+
+	INSIST(acache->dbentries == 0);
+}
+
+static void
+shutdown_task(isc_task_t *task, isc_event_t *ev) {
+	dns_acache_t *acache;
+
+	UNUSED(task);
+
+	acache = ev->ev_arg;
+	INSIST(DNS_ACACHE_VALID(acache));
+
+	isc_event_free(&ev);
+
+	LOCK(&acache->lock);
+
+	shutdown_entries(acache);
+	shutdown_buckets(acache);
+
+	UNLOCK(&acache->lock);
+
+	dns_acache_detach(&acache);
+}
+
+/* The acache and the entry must be locked before calling. */
+static inline void
+unlink_dbentries(dns_acache_t *acache, dns_acacheentry_t *ent) {
+	isc_result_t result;
+	dbentry_t *dbent;
+
+	if (ISC_LINK_LINKED(ent, olink)) {
+		INSIST(ent->origdb != NULL);
+		dbent = NULL;
+		result = finddbent(acache, ent->origdb, &dbent);
+		INSIST(result == ISC_R_SUCCESS);
+
+		ISC_LIST_UNLINK(dbent->originlist, ent, olink);
+	}
+	if (ISC_LINK_LINKED(ent, rlink)) {
+		INSIST(ent->db != NULL);
+		dbent = NULL;
+		result = finddbent(acache, ent->db, &dbent);
+		INSIST(result == ISC_R_SUCCESS);
+
+		ISC_LIST_UNLINK(dbent->referlist, ent, rlink);
+	}
+}
+
+/* There must not be a reference to this entry. */
+static void
+destroy_entry(dns_acacheentry_t *entry) {
+	dns_acache_t *acache;
+
+	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
+
+	acache = entry->acache;
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	/*
+	 * Since there is no reference to this entry, it is safe to call
+	 * clear_entry() here.
+	 */
+	clear_entry(acache, entry);
+
+	isc_mem_put(acache->mctx, entry, sizeof(*entry));
+
+	dns_acache_detach(&acache);
+}
+
+static void
+destroy(dns_acache_t *acache) {
+	int i;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	ATRACE("destroy");
+
+	isc_mem_setwater(acache->mctx, NULL, NULL, 0, 0);
+
+	if (acache->cleaner.overmem_event != NULL)
+		isc_event_free(&acache->cleaner.overmem_event);
+
+	if (acache->cleaner.resched_event != NULL)
+		isc_event_free(&acache->cleaner.resched_event);
+
+	if (acache->task != NULL)
+		isc_task_detach(&acache->task);
+
+	for (i = 0; i < DEFAULT_ACACHE_ENTRY_LOCK_COUNT; i++)
+		ACACHE_DESTROYLOCK(&acache->entrylocks[i]);
+	isc_mem_put(acache->mctx, acache->entrylocks,
+		    sizeof(*acache->entrylocks) *
+		    DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
+
+	DESTROYLOCK(&acache->cleaner.lock);
+
+	DESTROYLOCK(&acache->lock);
+	acache->magic = 0;
+
+	isc_mem_putanddetach(&acache->mctx, acache, sizeof(*acache));
+}
+
+static inline isc_result_t
+finddbent(dns_acache_t *acache, dns_db_t *db, dbentry_t **dbentryp) {
+	int bucket;
+	dbentry_t *dbentry;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	REQUIRE(db != NULL);
+	REQUIRE(dbentryp != NULL && *dbentryp == NULL);
+
+	/*
+	 * The caller must be holding the acache lock.
+	 */
+
+	bucket = isc_hash_calc((const unsigned char *)&db,
+			       sizeof(db), ISC_TRUE) % DBBUCKETS;
+
+	for (dbentry = ISC_LIST_HEAD(acache->dbbucket[bucket]);
+	     dbentry != NULL;
+	     dbentry = ISC_LIST_NEXT(dbentry, link)) {
+		if (dbentry->db == db)
+			break;
+	}
+
+	*dbentryp = dbentry;
+
+	if (dbentry == NULL)
+		return (ISC_R_NOTFOUND);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static inline void
+clear_entry(dns_acache_t *acache, dns_acacheentry_t *entry) {
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
+
+	/*
+	 * The caller must be holing the entry lock.
+	 */
+
+	if (entry->foundname) {
+		dns_rdataset_t *rdataset, *rdataset_next;
+
+		for (rdataset = ISC_LIST_HEAD(entry->foundname->list);
+		     rdataset != NULL;
+		     rdataset = rdataset_next) {
+			rdataset_next = ISC_LIST_NEXT(rdataset, link);
+			ISC_LIST_UNLINK(entry->foundname->list,
+					rdataset, link);
+			dns_rdataset_disassociate(rdataset);
+			isc_mem_put(acache->mctx, rdataset, sizeof(*rdataset));
+		}
+		if (dns_name_dynamic(entry->foundname))
+			dns_name_free(entry->foundname, acache->mctx);
+		isc_mem_put(acache->mctx, entry->foundname,
+			    sizeof(*entry->foundname)); 
+		entry->foundname = NULL;
+	}
+
+	if (entry->node != NULL) {
+		INSIST(entry->db != NULL);
+		dns_db_detachnode(entry->db, &entry->node);
+	}
+	if (entry->version != NULL) {
+		INSIST(entry->db != NULL);
+		dns_db_closeversion(entry->db, &entry->version, ISC_FALSE);
+	}
+	if (entry->db != NULL)
+		dns_db_detach(&entry->db);
+	if (entry->zone != NULL)
+		dns_zone_detach(&entry->zone);
+
+	if (entry->origdb != NULL)
+		dns_db_detach(&entry->origdb);
+}
+
+static isc_result_t
+acache_cleaner_init(dns_acache_t *acache, isc_timermgr_t *timermgr,
+		    acache_cleaner_t *cleaner)
+{
+	int result;
+
+	ATRACE("acache cleaner init");
+
+	result = isc_mutex_init(&cleaner->lock);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	cleaner->increment = DNS_ACACHE_CLEANERINCREMENT;
+	cleaner->state = cleaner_s_idle;
+	cleaner->acache = acache;
+	cleaner->overmem = ISC_FALSE;
+
+	cleaner->cleaning_timer = NULL;
+	cleaner->resched_event = NULL;
+	cleaner->overmem_event = NULL;
+	cleaner->current_entry = NULL;
+
+	if (timermgr != NULL) {
+		cleaner->acache->live_cleaners++;
+		
+		result = isc_task_onshutdown(acache->task,
+					     acache_cleaner_shutdown_action,
+					     acache);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "acache cleaner: "
+					 "isc_task_onshutdown() failed: %s",
+					 dns_result_totext(result));
+			goto cleanup;
+		}
+
+		cleaner->cleaning_interval = 0; /* Initially turned off. */
+		isc_stdtime_get(&cleaner->last_cleanup_time);
+		result = isc_timer_create(timermgr, isc_timertype_inactive,
+					  NULL, NULL,
+					  acache->task,
+					  acache_cleaning_timer_action,
+					  cleaner, &cleaner->cleaning_timer);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_timer_create() failed: %s",
+					 dns_result_totext(result));
+			result = ISC_R_UNEXPECTED;
+			goto cleanup;
+		}
+
+		cleaner->resched_event =
+			isc_event_allocate(acache->mctx, cleaner,
+					   DNS_EVENT_ACACHECLEAN,
+					   acache_incremental_cleaning_action,
+					   cleaner, sizeof(isc_event_t));
+		if (cleaner->resched_event == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+
+		cleaner->overmem_event =
+			isc_event_allocate(acache->mctx, cleaner,
+					   DNS_EVENT_ACACHEOVERMEM,
+					   acache_overmem_cleaning_action,
+					   cleaner, sizeof(isc_event_t));
+		if (cleaner->overmem_event == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (cleaner->overmem_event != NULL)
+		isc_event_free(&cleaner->overmem_event);
+	if (cleaner->resched_event != NULL)
+		isc_event_free(&cleaner->resched_event);
+	if (cleaner->cleaning_timer != NULL)
+		isc_timer_detach(&cleaner->cleaning_timer);
+	cleaner->acache->live_cleaners--;
+	DESTROYLOCK(&cleaner->lock);
+ fail:
+	return (result);
+}
+
+static void
+begin_cleaning(acache_cleaner_t *cleaner) {
+	dns_acacheentry_t *head;
+	dns_acache_t *acache = cleaner->acache;
+
+	/*
+	 * This function does not have to lock the cleaner, since critical
+	 * parameters (except current_entry, which is locked by acache lock,)
+	 * are only used in a single task context.
+	 */
+
+	REQUIRE(CLEANER_IDLE(cleaner));
+	INSIST(DNS_ACACHE_VALID(acache));
+	INSIST(cleaner->current_entry == NULL);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_ACACHE, ISC_LOG_DEBUG(1),
+		      "begin acache cleaning, mem inuse %lu",
+		      (unsigned long)isc_mem_inuse(cleaner->acache->mctx));
+
+	LOCK(&acache->lock);
+
+	head = ISC_LIST_HEAD(acache->entries);
+	if (head != NULL)
+		dns_acache_attachentry(head, &cleaner->current_entry);
+
+	UNLOCK(&acache->lock);
+
+	if (cleaner->current_entry != NULL) {
+		cleaner->ncleaned = 0;
+		cleaner->state = cleaner_s_busy;
+		isc_task_send(acache->task, &cleaner->resched_event);
+	}
+
+	return;
+}
+
+static void
+end_cleaning(acache_cleaner_t *cleaner, isc_event_t *event) {
+	dns_acache_t *acache = cleaner->acache;
+
+	REQUIRE(CLEANER_BUSY(cleaner));
+	REQUIRE(event != NULL);
+	REQUIRE(DNS_ACACHEENTRY_VALID(cleaner->current_entry));
+
+	/* No need to lock the cleaner (see begin_cleaning()). */
+
+	LOCK(&acache->lock);
+
+	/*
+	 * Even if the cleaner has the last reference to the entry, which means
+	 * the entry has been unused, it may still be linked if unlinking the
+	 * entry has been delayed due to the reference.
+	 */
+	if (isc_refcount_current(&cleaner->current_entry->references) == 1) {
+		INSIST(cleaner->current_entry->callback == NULL);
+		
+		if (ISC_LINK_LINKED(cleaner->current_entry, link)) {
+			ISC_LIST_UNLINK(acache->entries,
+					cleaner->current_entry, link);
+		}
+	}
+	dns_acache_detachentry(&cleaner->current_entry);
+
+	if (cleaner->overmem)
+		acache->stats.overmem++;
+	acache->stats.cleaned += cleaner->ncleaned;
+	acache->stats.cleaner_runs++;
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
+		      ISC_LOG_NOTICE,
+		      "acache %p stats: hits=%d misses=%d queries=%d "
+		      "adds=%d deleted=%d "
+		      "cleaned=%d cleaner_runs=%d overmem=%d "
+		      "overmem_nocreates=%d nomem=%d",
+		      acache,
+		      acache->stats.hits, acache->stats.misses,
+		      acache->stats.queries,
+		      acache->stats.adds, acache->stats.deleted,
+		      acache->stats.cleaned, acache->stats.cleaner_runs,
+		      acache->stats.overmem, acache->stats.overmem_nocreates, 
+		      acache->stats.nomem);
+	reset_stats(acache);
+
+	isc_stdtime_get(&cleaner->last_cleanup_time);
+
+	UNLOCK(&acache->lock);
+
+	dns_acache_setcleaninginterval(cleaner->acache,
+				       cleaner->cleaning_interval);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
+		      ISC_LOG_DEBUG(1), "end acache cleaning, "
+		      "%lu entries cleaned, mem inuse %lu",
+		      cleaner->ncleaned,
+		      (unsigned long)isc_mem_inuse(cleaner->acache->mctx));
+
+	if (cleaner->overmem) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_ACACHE, ISC_LOG_NOTICE,
+			      "acache is still in overmem state "
+			      "after cleaning");
+	}
+
+	cleaner->ncleaned = 0;
+	cleaner->state = cleaner_s_idle;
+	cleaner->resched_event = event;
+}
+
+/*
+ * This is run once for every acache-cleaning-interval as defined
+ * in named.conf.
+ */
+static void
+acache_cleaning_timer_action(isc_task_t *task, isc_event_t *event) {
+	acache_cleaner_t *cleaner = event->ev_arg;
+
+	UNUSED(task);
+
+	INSIST(event->ev_type == ISC_TIMEREVENT_TICK);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
+		      ISC_LOG_DEBUG(1), "acache cleaning timer fired, "
+		      "cleaner state = %d", cleaner->state);
+
+	if (cleaner->state == cleaner_s_idle)
+		begin_cleaning(cleaner);
+
+	isc_event_free(&event);
+}
+
+/* The caller must hold entry lock. */
+static inline isc_boolean_t
+entry_stale(acache_cleaner_t *cleaner, dns_acacheentry_t *entry,
+	    isc_stdtime32_t now32, unsigned int interval)
+{
+	/*
+	 * If the callback has been canceled, we definitely do not need the
+	 * entry.
+	 */
+	if (entry->callback == NULL)
+		return (ISC_TRUE);
+
+	if (interval > cleaner->cleaning_interval)
+		interval = cleaner->cleaning_interval;
+
+	if (entry->lastused + interval < now32)
+		return (ISC_TRUE);
+
+	/*
+	 * If the acache is in the overmem state, probabilistically decide if
+	 * the entry should be purged, based on the time passed from its last
+	 * use and the cleaning interval.
+	 */
+	if (cleaner->overmem) {
+		unsigned int passed =
+			now32 - entry->lastused; /* <= interval */
+		isc_uint32_t val;
+
+		if (passed > interval / 2)
+			return (ISC_TRUE);
+		isc_random_get(&val);
+		if (passed > interval / 4)
+			return (ISC_TF(val % 4 == 0));
+		return (ISC_TF(val % 8 == 0));
+	}
+
+	return (ISC_FALSE);
+}
+
+/*
+ * Do incremental cleaning.
+ */
+static void
+acache_incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
+	acache_cleaner_t *cleaner = event->ev_arg;
+	dns_acache_t *acache = cleaner->acache;
+	dns_acacheentry_t *entry, *next = NULL;
+	int n_entries;
+	isc_stdtime32_t now32, last32;
+	isc_stdtime_t now;
+	unsigned int interval;
+
+	INSIST(DNS_ACACHE_VALID(acache));
+	INSIST(task == acache->task);
+	INSIST(event->ev_type == DNS_EVENT_ACACHECLEAN);
+
+	if (cleaner->state == cleaner_s_done) {
+		cleaner->state = cleaner_s_busy;
+		end_cleaning(cleaner, event);
+		return;
+	}
+
+	INSIST(CLEANER_BUSY(cleaner));
+
+	n_entries = cleaner->increment;
+
+	isc_stdtime_get(&now);
+	isc_stdtime_convert32(now, &now32);
+
+	LOCK(&acache->lock);
+
+	entry = cleaner->current_entry;
+	isc_stdtime_convert32(cleaner->last_cleanup_time, &last32);
+	INSIST(now32 > last32);
+	interval = now32 - last32;
+
+	while (n_entries-- > 0) {
+		isc_boolean_t is_stale = ISC_FALSE;
+
+		INSIST(entry != NULL);
+
+		next = ISC_LIST_NEXT(entry, link);
+
+		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
+			    isc_rwlocktype_write);
+
+		is_stale = entry_stale(cleaner, entry, now32, interval);
+		if (is_stale) {
+			ISC_LIST_UNLINK(acache->entries, entry, link);
+			unlink_dbentries(acache, entry);
+			if (entry->callback != NULL)
+				(entry->callback)(entry, &entry->cbarg);
+			entry->callback = NULL;
+
+			cleaner->ncleaned++;
+		}
+
+		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+			      isc_rwlocktype_write);
+
+		if (is_stale)
+			dns_acache_detachentry(&entry);
+
+		if (next == NULL) {
+			if (cleaner->overmem) {
+				entry = ISC_LIST_HEAD(acache->entries);
+				if (entry != NULL) {
+					/*
+					 * If we are still in the overmem
+					 * state, keep cleaning.
+					 */
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_DATABASE,
+						      DNS_LOGMODULE_ACACHE,
+						      ISC_LOG_DEBUG(1),
+						      "acache cleaner: "
+						      "still overmem, "
+						      "reset and try again");
+					continue;
+				}
+			}
+
+			UNLOCK(&acache->lock);
+			end_cleaning(cleaner, event);
+			return;
+		}
+
+		entry = next;
+	}
+
+	/*
+	 * We have successfully performed a cleaning increment but have
+	 * not gone through the entire cache.  Remember the entry that will
+	 * be the starting point in the next clean-up, and reschedule another
+	 * batch.  If it fails, just try to continue anyway.
+	 */
+	INSIST(next != NULL && next != cleaner->current_entry);
+	dns_acache_detachentry(&cleaner->current_entry);
+	dns_acache_attachentry(next, &cleaner->current_entry);
+
+	UNLOCK(&acache->lock);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
+		      ISC_LOG_DEBUG(1), "acache cleaner: checked %d entries, "
+		      "mem inuse %lu, sleeping", cleaner->increment,
+		      (unsigned long)isc_mem_inuse(cleaner->acache->mctx));
+
+	isc_task_send(task, &event);
+	INSIST(CLEANER_BUSY(cleaner));
+
+	return;
+}
+
+/*
+ * This is called when the acache either surpasses its upper limit
+ * or shrinks beyond its lower limit.
+ */
+static void
+acache_overmem_cleaning_action(isc_task_t *task, isc_event_t *event) {
+	acache_cleaner_t *cleaner = event->ev_arg;
+	isc_boolean_t want_cleaning = ISC_FALSE;
+	
+	UNUSED(task);
+
+	INSIST(event->ev_type == DNS_EVENT_ACACHEOVERMEM);
+	INSIST(cleaner->overmem_event == NULL);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
+		      ISC_LOG_DEBUG(1), "overmem_cleaning_action called, "
+		      "overmem = %d, state = %d", cleaner->overmem,
+		      cleaner->state);
+
+	LOCK(&cleaner->lock);
+
+	if (cleaner->overmem) {
+		if (cleaner->state == cleaner_s_idle)
+			want_cleaning = ISC_TRUE;
+	} else {
+		if (cleaner->state == cleaner_s_busy)
+			/*
+			 * end_cleaning() can't be called here because
+			 * then both cleaner->overmem_event and
+			 * cleaner->resched_event will point to this
+			 * event.  Set the state to done, and then
+			 * when the acache_incremental_cleaning_action() event
+			 * is posted, it will handle the end_cleaning.
+			 */
+			cleaner->state = cleaner_s_done;
+	}
+
+	cleaner->overmem_event = event;
+
+	UNLOCK(&cleaner->lock);
+
+	if (want_cleaning)
+		begin_cleaning(cleaner);
+}
+
+static void
+water(void *arg, int mark) {
+	dns_acache_t *acache = arg;
+	isc_boolean_t overmem = ISC_TF(mark == ISC_MEM_HIWATER);
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_ACACHE, ISC_LOG_DEBUG(1),
+		      "acache memory reaches %s watermark, mem inuse %lu",
+		      overmem ? "high" : "low",
+		      (unsigned long)isc_mem_inuse(acache->mctx));
+
+	LOCK(&acache->cleaner.lock);
+
+	acache->cleaner.overmem = overmem;
+
+	if (acache->cleaner.overmem_event != NULL)
+		isc_task_send(acache->task, &acache->cleaner.overmem_event);
+
+	UNLOCK(&acache->cleaner.lock);
+}
+
+/*
+ * The cleaner task is shutting down; do the necessary cleanup.
+ */
+static void
+acache_cleaner_shutdown_action(isc_task_t *task, isc_event_t *event) {
+	dns_acache_t *acache = event->ev_arg;
+	isc_boolean_t should_free = ISC_FALSE;
+
+	INSIST(task == acache->task);
+	INSIST(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
+	INSIST(DNS_ACACHE_VALID(acache));
+
+	ATRACE("acache cleaner shutdown");
+
+	if (CLEANER_BUSY(&acache->cleaner))
+		end_cleaning(&acache->cleaner, event);
+	else
+		isc_event_free(&event);
+
+	LOCK(&acache->lock);
+
+	acache->live_cleaners--;
+	INSIST(acache->live_cleaners == 0);
+
+	if (isc_refcount_current(&acache->refs) == 0) {
+		INSIST(check_noentry(acache) == ISC_TRUE);
+		should_free = ISC_TRUE;
+	}
+
+	/*
+	 * By detaching the timer in the context of its task,
+	 * we are guaranteed that there will be no further timer
+	 * events.
+	 */
+	if (acache->cleaner.cleaning_timer != NULL)
+		isc_timer_detach(&acache->cleaner.cleaning_timer);
+
+	/* Make sure we don't reschedule anymore. */
+	(void)isc_task_purge(task, NULL, DNS_EVENT_ACACHECLEAN, NULL);
+
+	UNLOCK(&acache->lock);
+
+	if (should_free)
+		destroy(acache);
+}
+
+/*
+ *	Public functions.
+ */
+
+isc_result_t
+dns_acache_create(dns_acache_t **acachep, isc_mem_t *mctx,
+		  isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr)
+{
+	int i;
+	isc_result_t result;
+	dns_acache_t *acache;
+
+	REQUIRE(acachep != NULL && *acachep == NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(taskmgr != NULL);
+
+	acache = isc_mem_get(mctx, sizeof(*acache));
+	if (acache == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ATRACE("create");
+
+	result = isc_refcount_init(&acache->refs, 1);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, acache, sizeof(*acache));
+		return (result);
+	}
+
+	result = isc_mutex_init(&acache->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_decrement(&acache->refs, NULL);
+		isc_refcount_destroy(&acache->refs);
+		isc_mem_put(mctx, acache, sizeof(*acache));
+		return (result);
+	}
+
+	acache->mctx = NULL;
+	isc_mem_attach(mctx, &acache->mctx);
+	ISC_LIST_INIT(acache->entries);
+
+	acache->shutting_down = ISC_FALSE;
+
+	acache->task = NULL;
+	acache->entrylocks = NULL;
+
+	result = isc_task_create(taskmgr, 1, &acache->task);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_task_create() failed(): %s",
+				 dns_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+	isc_task_setname(acache->task, "acachetask", acache);
+	ISC_EVENT_INIT(&acache->cevent, sizeof(acache->cevent), 0, NULL,
+		       DNS_EVENT_ACACHECONTROL, shutdown_task, NULL,
+		       NULL, NULL, NULL);
+	acache->cevent_sent = ISC_FALSE;
+
+	acache->dbentries = 0;
+	for (i = 0; i < DBBUCKETS; i++)
+		ISC_LIST_INIT(acache->dbbucket[i]);
+
+	acache->entrylocks = isc_mem_get(mctx, sizeof(*acache->entrylocks) *
+					 DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
+	if (acache->entrylocks == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	for (i = 0; i < DEFAULT_ACACHE_ENTRY_LOCK_COUNT; i++) {
+		result = ACACHE_INITLOCK(&acache->entrylocks[i]);
+		if (result != ISC_R_SUCCESS) {
+			while (i-- > 0)
+				ACACHE_DESTROYLOCK(&acache->entrylocks[i]);
+			isc_mem_put(mctx, acache->entrylocks,
+				    sizeof(*acache->entrylocks) *
+				    DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
+			acache->entrylocks = NULL;
+			goto cleanup;
+		}
+	}
+
+	acache->live_cleaners = 0;
+	result = acache_cleaner_init(acache, timermgr, &acache->cleaner); 
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	acache->stats.cleaner_runs = 0;
+	reset_stats(acache);
+
+	acache->magic = ACACHE_MAGIC;
+
+	*acachep = acache;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (acache->task != NULL)
+		isc_task_detach(&acache->task);
+	DESTROYLOCK(&acache->lock);
+	isc_refcount_decrement(&acache->refs, NULL);
+	isc_refcount_destroy(&acache->refs);
+	if (acache->entrylocks != NULL) {
+		for (i = 0; i < DEFAULT_ACACHE_ENTRY_LOCK_COUNT; i++)
+			ACACHE_DESTROYLOCK(&acache->entrylocks[i]);
+		isc_mem_put(mctx, acache->entrylocks,
+			    sizeof(*acache->entrylocks) *
+			    DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
+	}
+	isc_mem_put(mctx, acache, sizeof(*acache));
+	isc_mem_detach(&mctx);
+
+	return (result);
+}
+
+void
+dns_acache_attach(dns_acache_t *source, dns_acache_t **targetp) {
+	REQUIRE(DNS_ACACHE_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	AATRACE(source, "attach");
+
+	isc_refcount_increment(&source->refs, NULL);
+
+	*targetp = source;
+}
+
+void
+dns_acache_countquerymiss(dns_acache_t *acache) {
+	acache->stats.misses++; 	/* XXXSK danger: unlocked! */
+	acache->stats.queries++;	/* XXXSK danger: unlocked! */
+}
+
+void
+dns_acache_detach(dns_acache_t **acachep) {
+	dns_acache_t *acache;
+	unsigned int refs;
+	isc_boolean_t should_free = ISC_FALSE;
+
+	REQUIRE(acachep != NULL && DNS_ACACHE_VALID(*acachep));
+	acache = *acachep;
+
+	ATRACE("detach");
+
+	isc_refcount_decrement(&acache->refs, &refs);
+	if (refs == 0) {
+		INSIST(check_noentry(acache) == ISC_TRUE);
+		should_free = ISC_TRUE;
+	}
+
+	*acachep = NULL;
+
+	/*
+	 * If we're exiting and the cleaner task exists, let it free the cache.
+	 */
+	if (should_free && acache->live_cleaners > 0) {
+		isc_task_shutdown(acache->task);
+		should_free = ISC_FALSE;
+	}
+	
+	if (should_free)
+		destroy(acache);
+}
+
+void
+dns_acache_shutdown(dns_acache_t *acache) {
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	LOCK(&acache->lock);
+
+	ATRACE("shutdown");
+
+	if (!acache->shutting_down) {
+		isc_event_t *event;
+		dns_acache_t *acache_evarg = NULL;
+
+		INSIST(!acache->cevent_sent);
+
+		acache->shutting_down = ISC_TRUE;
+
+		isc_mem_setwater(acache->mctx, NULL, NULL, 0, 0);
+
+		/*
+		 * Self attach the object in order to prevent it from being
+		 * destroyed while waiting for the event.
+		 */
+		dns_acache_attach(acache, &acache_evarg);
+		event = &acache->cevent;
+		event->ev_arg = acache_evarg;
+		isc_task_send(acache->task, &event);
+		acache->cevent_sent = ISC_TRUE;
+	}
+
+	UNLOCK(&acache->lock);
+}
+
+isc_result_t
+dns_acache_setdb(dns_acache_t *acache, dns_db_t *db) {
+	int bucket;
+	dbentry_t *dbentry;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	REQUIRE(db != NULL);
+
+	ATRACE("setdb");
+
+	LOCK(&acache->lock);
+
+	dbentry = NULL;
+	result = finddbent(acache, db, &dbentry);
+	if (result == ISC_R_SUCCESS) {
+		result = ISC_R_EXISTS;
+		goto end;
+	}
+	result = ISC_R_SUCCESS;
+
+	dbentry = isc_mem_get(acache->mctx, sizeof(*dbentry));
+	if (dbentry == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto end;
+	}
+
+	ISC_LINK_INIT(dbentry, link);
+	ISC_LIST_INIT(dbentry->originlist);
+	ISC_LIST_INIT(dbentry->referlist);
+
+	dbentry->db = NULL;
+	dns_db_attach(db, &dbentry->db);
+
+	bucket = isc_hash_calc((const unsigned char *)&db,
+			       sizeof(db), ISC_TRUE) % DBBUCKETS;
+
+	ISC_LIST_APPEND(acache->dbbucket[bucket], dbentry, link);
+
+	acache->dbentries++;
+
+ end:
+	UNLOCK(&acache->lock);
+
+	return (result);
+}
+
+isc_result_t
+dns_acache_putdb(dns_acache_t *acache, dns_db_t *db) {
+	int bucket;
+	isc_result_t result;
+	dbentry_t *dbentry;
+	dns_acacheentry_t *entry;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	REQUIRE(db != NULL);
+
+	ATRACE("putdb");
+
+	LOCK(&acache->lock);
+
+	dbentry = NULL;
+	result = finddbent(acache, db, &dbentry);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * The entry may have not been created due to memory shortage.
+		 */
+		UNLOCK(&acache->lock);
+		return (ISC_R_NOTFOUND);
+	}
+
+	/*
+	 * Release corresponding cache entries: for each entry, release all
+	 * links the entry has, and then callback to the entry holder (if any).
+	 * If no other external references exist (this can happen if the
+	 * original holder has canceled callback,) destroy it here.
+	 */
+	while ((entry = ISC_LIST_HEAD(dbentry->originlist)) != NULL) {
+		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
+			    isc_rwlocktype_write);
+
+		/*
+		 * Releasing olink first would avoid finddbent() in
+		 * unlink_dbentries().
+		 */
+		ISC_LIST_UNLINK(dbentry->originlist, entry, olink);
+		if (acache->cleaner.current_entry != entry)
+			ISC_LIST_UNLINK(acache->entries, entry, link);
+		unlink_dbentries(acache, entry);
+
+		if (entry->callback != NULL)
+			(entry->callback)(entry, &entry->cbarg);
+		entry->callback = NULL;
+
+		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+			      isc_rwlocktype_write);
+
+		if (acache->cleaner.current_entry != entry)
+			dns_acache_detachentry(&entry);
+	}
+	while ((entry = ISC_LIST_HEAD(dbentry->referlist)) != NULL) {
+		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
+			    isc_rwlocktype_write);
+
+		ISC_LIST_UNLINK(dbentry->referlist, entry, rlink);
+		if (acache->cleaner.current_entry != entry)
+			ISC_LIST_UNLINK(acache->entries, entry, link);
+		unlink_dbentries(acache, entry);
+
+		if (entry->callback != NULL)
+			(entry->callback)(entry, &entry->cbarg);
+		entry->callback = NULL;
+
+		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+			      isc_rwlocktype_write);
+
+		if (acache->cleaner.current_entry != entry)
+			dns_acache_detachentry(&entry);
+	}
+
+	INSIST(ISC_LIST_EMPTY(dbentry->originlist) &&
+	       ISC_LIST_EMPTY(dbentry->referlist));
+
+	bucket = isc_hash_calc((const unsigned char *)&db,
+			       sizeof(db), ISC_TRUE) % DBBUCKETS;
+	ISC_LIST_UNLINK(acache->dbbucket[bucket], dbentry, link);
+	dns_db_detach(&dbentry->db);
+
+	isc_mem_put(acache->mctx, dbentry, sizeof(*dbentry));
+
+	acache->dbentries--;
+
+	acache->stats.deleted++;
+
+	UNLOCK(&acache->lock);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_acache_createentry(dns_acache_t *acache, dns_db_t *origdb,
+		       void (*callback)(dns_acacheentry_t *, void **),
+		       void *cbarg, dns_acacheentry_t **entryp)
+{
+	dns_acacheentry_t *newentry;
+	isc_result_t result;
+	isc_uint32_t r;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	REQUIRE(entryp != NULL && *entryp == NULL);
+	REQUIRE(origdb != NULL);
+
+	/* 
+	 * Should we exceed our memory limit for some reason (for 
+	 * example, if the cleaner does not run aggressively enough), 
+	 * then we will not create additional entries.
+	 *
+	 * XXXSK: It might be better to lock the acache->cleaner->lock,
+	 * but locking may be an expensive bottleneck. If we misread 
+	 * the value, we will occasionally refuse to create a few 
+	 * cache entries, or create a few that we should not. I do not
+	 * expect this to happen often, and it will not have very bad
+	 * effects when it does. So no lock for now.
+	 */
+	if (acache->cleaner.overmem) {
+		acache->stats.overmem_nocreates++; /* XXXSK danger: unlocked! */
+		return (ISC_R_NORESOURCES);
+	}
+
+	newentry = isc_mem_get(acache->mctx, sizeof(*newentry));
+	if (newentry == NULL) {
+		acache->stats.nomem++;  /* XXXMLG danger: unlocked! */
+		return (ISC_R_NOMEMORY);
+	}
+
+	isc_random_get(&r);
+	newentry->locknum = r % DEFAULT_ACACHE_ENTRY_LOCK_COUNT;
+	
+	result = isc_refcount_init(&newentry->references, 1);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(acache->mctx, newentry, sizeof(*newentry));
+		return (result);
+	};
+
+	ISC_LINK_INIT(newentry, link);
+	ISC_LINK_INIT(newentry, olink);
+	ISC_LINK_INIT(newentry, rlink);
+
+	newentry->acache = NULL;
+	dns_acache_attach(acache, &newentry->acache);
+
+	newentry->zone = NULL;
+	newentry->db = NULL;
+	newentry->version = NULL;
+	newentry->node = NULL;
+	newentry->foundname = NULL;
+
+	newentry->callback = callback;
+	newentry->cbarg = cbarg;
+	newentry->origdb = NULL;
+	dns_db_attach(origdb, &newentry->origdb);
+
+	isc_stdtime_get(&newentry->lastused);
+
+	newentry->magic = ACACHEENTRY_MAGIC;
+
+	*entryp = newentry;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_acache_getentry(dns_acacheentry_t *entry, dns_zone_t **zonep,
+		    dns_db_t **dbp, dns_dbversion_t **versionp,
+		    dns_dbnode_t **nodep, dns_name_t *fname,
+		    dns_message_t *msg, isc_stdtime_t now)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdataset_t *erdataset;
+	isc_stdtime32_t	now32;
+	dns_acache_t *acache;
+	int locknum;
+
+	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
+	REQUIRE(zonep == NULL || *zonep == NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+	REQUIRE(versionp != NULL && *versionp == NULL);
+	REQUIRE(nodep != NULL && *nodep == NULL);
+	REQUIRE(fname != NULL);
+	REQUIRE(msg != NULL);
+	acache = entry->acache;
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	locknum = entry->locknum;
+	ACACHE_LOCK(&acache->entrylocks[locknum], isc_rwlocktype_read);
+
+	isc_stdtime_convert32(now, &now32);
+	acache_storetime(entry, now32);
+
+	if (entry->zone != NULL && zonep != NULL)
+		dns_zone_attach(entry->zone, zonep);
+
+	if (entry->db == NULL) {
+		*dbp = NULL;
+		*versionp = NULL;
+	} else {
+		dns_db_attach(entry->db, dbp);
+		dns_db_attachversion(entry->db, entry->version, versionp);
+	}
+	if (entry->node == NULL)
+		*nodep = NULL;
+	else {
+		dns_db_attachnode(entry->db, entry->node, nodep);
+
+		INSIST(entry->foundname != NULL);
+		dns_name_copy(entry->foundname, fname, NULL);
+		for (erdataset = ISC_LIST_HEAD(entry->foundname->list);
+		     erdataset != NULL;
+		     erdataset = ISC_LIST_NEXT(erdataset, link)) {
+			dns_rdataset_t *ardataset;
+
+			ardataset = NULL;
+			result = dns_message_gettemprdataset(msg, &ardataset);
+			if (result != ISC_R_SUCCESS) {
+				ACACHE_UNLOCK(&acache->entrylocks[locknum],
+					      isc_rwlocktype_read);
+				goto fail;
+			}
+
+			/*
+			 * XXXJT: if we simply clone the rdataset, we'll get
+			 * lost wrt cyclic ordering.  We'll need an additional
+			 * trick to get the latest counter from the original
+			 * header.
+			 */
+			dns_rdataset_init(ardataset);
+			dns_rdataset_clone(erdataset, ardataset);
+			ISC_LIST_APPEND(fname->list, ardataset, link);
+		}
+	}
+
+	entry->acache->stats.hits++; /* XXXMLG danger: unlocked! */
+	entry->acache->stats.queries++;
+
+	ACACHE_UNLOCK(&acache->entrylocks[locknum], isc_rwlocktype_read);
+
+	return (result);
+
+  fail:
+	while ((erdataset = ISC_LIST_HEAD(fname->list)) != NULL) {
+		ISC_LIST_UNLINK(fname->list, erdataset, link);
+		dns_rdataset_disassociate(erdataset);
+		dns_message_puttemprdataset(msg, &erdataset);
+	}
+	if (*nodep != NULL)
+		dns_db_detachnode(*dbp, nodep);
+	if (*versionp != NULL)
+		dns_db_closeversion(*dbp, versionp, ISC_FALSE);
+	if (*dbp != NULL)
+		dns_db_detach(dbp);
+	if (zonep != NULL && *zonep != NULL)
+		dns_zone_detach(zonep);
+
+	return (result);
+}
+
+isc_result_t
+dns_acache_setentry(dns_acache_t *acache, dns_acacheentry_t *entry,
+		    dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+		    dns_dbnode_t *node, dns_name_t *fname)
+{
+	isc_result_t result;
+	dbentry_t *odbent;
+	dbentry_t *rdbent = NULL;
+	isc_boolean_t close_version = ISC_FALSE;
+	dns_acacheentry_t *dummy_entry = NULL;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
+
+	LOCK(&acache->lock);	/* XXX: need to lock it here for ordering */
+	ACACHE_LOCK(&acache->entrylocks[entry->locknum], isc_rwlocktype_write);
+
+	/* Set zone */
+	if (zone != NULL)
+		dns_zone_attach(zone, &entry->zone);
+	/* Set DB */
+	if (db != NULL)
+		dns_db_attach(db, &entry->db);
+	/*
+	 * Set DB version.  If the version is not given by the caller,
+	 * which is the case for glue or cache DBs, use the current version.
+	 */
+	if (version == NULL) {
+		if (db != NULL) {
+			dns_db_currentversion(db, &version);
+			close_version = ISC_TRUE;
+		}
+	}
+	if (version != NULL) {
+		INSIST(db != NULL);
+		dns_db_attachversion(db, version, &entry->version);
+	}
+	if (close_version)
+		dns_db_closeversion(db, &version, ISC_FALSE);
+	/* Set DB node. */
+	if (node != NULL) {
+		INSIST(db != NULL);
+		dns_db_attachnode(db, node, &entry->node);
+	}
+
+	/*
+	 * Set list of the corresponding rdatasets, if given.
+	 * To minimize the overhead and memory consumption, we'll do this for
+	 * positive cache only, in which case the DB node is non NULL.
+	 * We do not want to cache incomplete information, so give up the
+	 * entire entry when a memory shortage happen during the process.
+	 */
+	if (node != NULL) {
+		dns_rdataset_t *ardataset, *crdataset;
+
+		entry->foundname = isc_mem_get(acache->mctx,
+					       sizeof(*entry->foundname));
+
+		if (entry->foundname == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto fail;
+		}
+		dns_name_init(entry->foundname, NULL);
+		result = dns_name_dup(fname, acache->mctx,
+				      entry->foundname);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+
+		for (ardataset = ISC_LIST_HEAD(fname->list);
+		     ardataset != NULL;
+		     ardataset = ISC_LIST_NEXT(ardataset, link)) {
+			crdataset = isc_mem_get(acache->mctx,
+						sizeof(*crdataset));
+			if (crdataset == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto fail;
+			}
+
+			dns_rdataset_init(crdataset);
+			dns_rdataset_clone(ardataset, crdataset);
+			ISC_LIST_APPEND(entry->foundname->list, crdataset,
+					link);
+		}
+	}
+
+	odbent = NULL;
+	result = finddbent(acache, entry->origdb, &odbent);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	if (db != NULL) {
+		rdbent = NULL;
+		result = finddbent(acache, db, &rdbent);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+	}
+
+	ISC_LIST_APPEND(acache->entries, entry, link);
+	ISC_LIST_APPEND(odbent->originlist, entry, olink);
+	if (rdbent != NULL)
+		ISC_LIST_APPEND(rdbent->referlist, entry, rlink);
+
+	/*
+	 * The additional cache needs an implicit reference to entries in its
+	 * link.
+	 */
+	dns_acache_attachentry(entry, &dummy_entry);
+
+	ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+		      isc_rwlocktype_write);
+
+	acache->stats.adds++;
+	UNLOCK(&acache->lock);
+
+	return (ISC_R_SUCCESS);
+
+ fail:
+	clear_entry(acache, entry);
+
+	ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+		      isc_rwlocktype_write);
+	UNLOCK(&acache->lock);
+
+	return (result);
+}
+
+void
+dns_acache_cancelentry(dns_acacheentry_t *entry) {
+	dns_acache_t *acache = entry->acache;
+
+	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
+	INSIST(DNS_ACACHE_VALID(acache));
+
+	LOCK(&acache->lock);
+	ACACHE_LOCK(&acache->entrylocks[entry->locknum], isc_rwlocktype_write);
+
+	/*
+	 * Release dependencies stored in this entry as much as possible.
+	 * The main link cannot be released, since the acache object has
+	 * a reference to this entry; the empty entry will be released in
+	 * the next cleaning action.
+	 */
+	unlink_dbentries(acache, entry);
+	clear_entry(entry->acache, entry);
+
+	entry->callback = NULL;
+	entry->cbarg = NULL;
+
+	ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+		      isc_rwlocktype_write);
+	UNLOCK(&acache->lock);
+}
+
+void
+dns_acache_attachentry(dns_acacheentry_t *source,
+		       dns_acacheentry_t **targetp)
+{
+	REQUIRE(DNS_ACACHEENTRY_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->references, NULL);
+
+	*targetp = source;
+}
+
+void
+dns_acache_detachentry(dns_acacheentry_t **entryp) {
+	dns_acacheentry_t *entry;
+	unsigned int refs;
+
+	REQUIRE(entryp != NULL && DNS_ACACHEENTRY_VALID(*entryp));
+	entry = *entryp;
+
+	isc_refcount_decrement(&entry->references, &refs);
+
+	/*
+	 * If there are no references to the entry, the entry must have been
+	 * unlinked and can be destroyed safely.
+	 */
+	if (refs == 0) {
+		INSIST(!ISC_LINK_LINKED(entry, link));
+		(*entryp)->acache->stats.deleted++;
+		destroy_entry(entry);
+	}
+
+	*entryp = NULL;
+}
+
+void
+dns_acache_setcleaninginterval(dns_acache_t *acache, unsigned int t) {
+	isc_interval_t interval;
+	isc_result_t result;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	ATRACE("dns_acache_setcleaninginterval");
+
+	LOCK(&acache->lock);
+
+	/*
+	 * It may be the case that the acache has already shut down.
+	 * If so, it has no timer.  (Not sure if this can really happen.)
+	 */
+	if (acache->cleaner.cleaning_timer == NULL)
+		goto unlock;
+
+	acache->cleaner.cleaning_interval = t;
+
+	if (t == 0) {
+		result = isc_timer_reset(acache->cleaner.cleaning_timer,
+					 isc_timertype_inactive,
+					 NULL, NULL, ISC_TRUE);
+	} else {
+		isc_interval_set(&interval, acache->cleaner.cleaning_interval,
+				 0);
+		result = isc_timer_reset(acache->cleaner.cleaning_timer,
+					 isc_timertype_ticker,
+					 NULL, &interval, ISC_FALSE);
+	}
+	if (result != ISC_R_SUCCESS)	
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_ACACHE, ISC_LOG_WARNING,
+			      "could not set acache cleaning interval: %s",
+			      isc_result_totext(result));
+	else
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_ACACHE, ISC_LOG_NOTICE,
+			      "acache %p cleaning interval set to %d.",
+			      acache, t);
+
+ unlock:
+	UNLOCK(&acache->lock);
+}
+
+/*
+ * This function was derived from cache.c:dns_cache_setcachesize().  See the
+ * function for more details about the logic.
+ */
+void
+dns_acache_setcachesize(dns_acache_t *acache, isc_uint32_t size) {
+	isc_uint32_t lowater;
+	isc_uint32_t hiwater;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	if (size != 0 && size < DNS_ACACHE_MINSIZE)
+		size = DNS_ACACHE_MINSIZE;
+
+	hiwater = size - (size >> 3);
+	lowater = size - (size >> 2);
+
+	if (size == 0 || hiwater == 0 || lowater == 0)
+		isc_mem_setwater(acache->mctx, water, acache, 0, 0);
+	else
+		isc_mem_setwater(acache->mctx, water, acache,
+				 hiwater, lowater);
+}
diff --git a/contrib/bind9/lib/dns/acl.c b/contrib/bind9/lib/dns/acl.c
index e81d5ef..844c132 100644
--- a/contrib/bind9/lib/dns/acl.c
+++ b/contrib/bind9/lib/dns/acl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.c,v 1.23.52.6 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: acl.c,v 1.25.18.5 2006/03/02 00:37:21 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -41,7 +43,11 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
 		return (ISC_R_NOMEMORY);
 	acl->mctx = mctx;
 	acl->name = NULL;
-	isc_refcount_init(&acl->refcount, 1);
+	result = isc_refcount_init(&acl->refcount, 1);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, acl, sizeof(*acl));
+		return (result);
+	}
 	acl->elements = NULL;
 	acl->alloc = 0;
 	acl->length = 0;
diff --git a/contrib/bind9/lib/dns/adb.c b/contrib/bind9/lib/dns/adb.c
index 3fe436a..714df96 100644
--- a/contrib/bind9/lib/dns/adb.c
+++ b/contrib/bind9/lib/dns/adb.c
@@ -15,19 +15,18 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: adb.c,v 1.181.2.11.2.26 2006/01/04 23:50:20 marka Exp $ */
+/* $Id: adb.c,v 1.215.18.13 2006/08/30 23:49:57 marka Exp $ */
 
-/*
- * Implementation notes
- * --------------------
+/*! \file 
  *
+ * \note
  * In finds, if task == NULL, no events will be generated, and no events
  * have been sent.  If task != NULL but taskaction == NULL, an event has been
  * posted but not yet freed.  If neither are NULL, no event was posted.
  *
  */
 
-/*
+/*%
  * After we have cleaned all buckets, dump the database contents.
  */
 #if 0
@@ -53,6 +52,7 @@
 #include <dns/rdata.h>
 #include <dns/rdataset.h>
 #include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
 #include <dns/resolver.h>
 #include <dns/result.h>
 
@@ -62,8 +62,8 @@
 #define DNS_ADBNAME_VALID(x)	  ISC_MAGIC_VALID(x, DNS_ADBNAME_MAGIC)
 #define DNS_ADBNAMEHOOK_MAGIC	  ISC_MAGIC('a', 'd', 'N', 'H')
 #define DNS_ADBNAMEHOOK_VALID(x)  ISC_MAGIC_VALID(x, DNS_ADBNAMEHOOK_MAGIC)
-#define DNS_ADBZONEINFO_MAGIC	  ISC_MAGIC('a', 'd', 'b', 'Z')
-#define DNS_ADBZONEINFO_VALID(x)  ISC_MAGIC_VALID(x, DNS_ADBZONEINFO_MAGIC)
+#define DNS_ADBLAMEINFO_MAGIC	  ISC_MAGIC('a', 'd', 'b', 'Z')
+#define DNS_ADBLAMEINFO_VALID(x)  ISC_MAGIC_VALID(x, DNS_ADBLAMEINFO_MAGIC)
 #define DNS_ADBENTRY_MAGIC	  ISC_MAGIC('a', 'd', 'b', 'E')
 #define DNS_ADBENTRY_VALID(x)	  ISC_MAGIC_VALID(x, DNS_ADBENTRY_MAGIC)
 #define DNS_ADBFETCH_MAGIC	  ISC_MAGIC('a', 'd', 'F', '4')
@@ -71,51 +71,54 @@
 #define DNS_ADBFETCH6_MAGIC	  ISC_MAGIC('a', 'd', 'F', '6')
 #define DNS_ADBFETCH6_VALID(x)	  ISC_MAGIC_VALID(x, DNS_ADBFETCH6_MAGIC)
 
-/*
+/*! 
  * The number of buckets needs to be a prime (for good hashing).
  *
  * XXXRTH  How many buckets do we need?
  */
-#define NBUCKETS	       1009	/* how many buckets for names/addrs */
+#define NBUCKETS	       1009	/*%< how many buckets for names/addrs */
 
-/*
+/*!
  * For type 3 negative cache entries, we will remember that the address is
  * broken for this long.  XXXMLG This is also used for actual addresses, too.
  * The intent is to keep us from constantly asking about A/AAAA records
  * if the zone has extremely low TTLs.
  */
-#define ADB_CACHE_MINIMUM	10	/* seconds */
-#define ADB_CACHE_MAXIMUM	86400	/* seconds (86400 = 24 hours) */
-#define ADB_ENTRY_WINDOW	1800	/* seconds */
+#define ADB_CACHE_MINIMUM	10	/*%< seconds */
+#define ADB_CACHE_MAXIMUM	86400	/*%< seconds (86400 = 24 hours) */
+#define ADB_ENTRY_WINDOW	1800	/*%< seconds */
 
-/*
+/*%
  * Wake up every CLEAN_SECONDS and clean CLEAN_BUCKETS buckets, so that all
  * buckets are cleaned in CLEAN_PERIOD seconds.
  */
 #define CLEAN_PERIOD		3600
+/*% See #CLEAN_PERIOD */
 #define CLEAN_SECONDS		30
+/*% See #CLEAN_PERIOD */
 #define CLEAN_BUCKETS		((NBUCKETS * CLEAN_SECONDS) / CLEAN_PERIOD)
 
-#define FREE_ITEMS		64	/* free count for memory pools */
-#define FILL_COUNT		16	/* fill count for memory pools */
+#define FREE_ITEMS		64	/*%< free count for memory pools */
+#define FILL_COUNT		16	/*%< fill count for memory pools */
 
-#define DNS_ADB_INVALIDBUCKET (-1)	/* invalid bucket address */
+#define DNS_ADB_INVALIDBUCKET (-1)	/*%< invalid bucket address */
 
-#define DNS_ADB_MINADBSIZE	(1024*1024)	/* 1 Megabyte */
+#define DNS_ADB_MINADBSIZE	(1024*1024)	/*%< 1 Megabyte */
 
 typedef ISC_LIST(dns_adbname_t) dns_adbnamelist_t;
 typedef struct dns_adbnamehook dns_adbnamehook_t;
 typedef ISC_LIST(dns_adbnamehook_t) dns_adbnamehooklist_t;
-typedef struct dns_adbzoneinfo dns_adbzoneinfo_t;
+typedef struct dns_adblameinfo dns_adblameinfo_t;
 typedef ISC_LIST(dns_adbentry_t) dns_adbentrylist_t;
 typedef struct dns_adbfetch dns_adbfetch_t;
 typedef struct dns_adbfetch6 dns_adbfetch6_t;
 
+/*% dns adb structure */
 struct dns_adb {
 	unsigned int			magic;
 
 	isc_mutex_t			lock;
-	isc_mutex_t			reflock; /* Covers irefcnt, erefcnt */
+	isc_mutex_t			reflock; /*%< Covers irefcnt, erefcnt */
 	isc_mem_t		       *mctx;
 	dns_view_t		       *view;
 	isc_timermgr_t		       *timermgr;
@@ -131,32 +134,35 @@ struct dns_adb {
 	unsigned int			erefcnt;
 
 	isc_mutex_t			mplock;
-	isc_mempool_t		       *nmp;	/* dns_adbname_t */
-	isc_mempool_t		       *nhmp;	/* dns_adbnamehook_t */
-	isc_mempool_t		       *zimp;	/* dns_adbzoneinfo_t */
-	isc_mempool_t		       *emp;	/* dns_adbentry_t */
-	isc_mempool_t		       *ahmp;	/* dns_adbfind_t */
-	isc_mempool_t		       *aimp;	/* dns_adbaddrinfo_t */
-	isc_mempool_t		       *afmp;	/* dns_adbfetch_t */
-
-	/*
+	isc_mempool_t		       *nmp;	/*%< dns_adbname_t */
+	isc_mempool_t		       *nhmp;	/*%< dns_adbnamehook_t */
+	isc_mempool_t		       *limp;	/*%< dns_adblameinfo_t */
+	isc_mempool_t		       *emp;	/*%< dns_adbentry_t */
+	isc_mempool_t		       *ahmp;	/*%< dns_adbfind_t */
+	isc_mempool_t		       *aimp;	/*%< dns_adbaddrinfo_t */
+	isc_mempool_t		       *afmp;	/*%< dns_adbfetch_t */
+
+	/*!
 	 * Bucketized locks and lists for names.
 	 *
 	 * XXXRTH  Have a per-bucket structure that contains all of these?
 	 */
 	dns_adbnamelist_t		names[NBUCKETS];
+	/*% See dns_adbnamelist_t */
 	isc_mutex_t			namelocks[NBUCKETS];
+	/*% See dns_adbnamelist_t */
 	isc_boolean_t			name_sd[NBUCKETS];
+	/*% See dns_adbnamelist_t */
 	unsigned int			name_refcnt[NBUCKETS];
 
-	/*
+	/*!
 	 * Bucketized locks for entries.
 	 *
 	 * XXXRTH  Have a per-bucket structure that contains all of these?
 	 */
 	dns_adbentrylist_t		entries[NBUCKETS];
 	isc_mutex_t			entrylocks[NBUCKETS];
-	isc_boolean_t			entry_sd[NBUCKETS]; /* shutting down */
+	isc_boolean_t			entry_sd[NBUCKETS]; /*%< shutting down */
 	unsigned int			entry_refcnt[NBUCKETS];
 
 	isc_event_t			cevent;
@@ -169,6 +175,7 @@ struct dns_adb {
  * XXXMLG  Document these structures.
  */
 
+/*% dns_adbname structure */
 struct dns_adbname {
 	unsigned int			magic;
 	dns_name_t			name;
@@ -191,6 +198,7 @@ struct dns_adbname {
 	ISC_LINK(dns_adbname_t)		plink;
 };
 
+/*% The adbfetch structure */
 struct dns_adbfetch {
 	unsigned int			magic;
 	dns_adbnamehook_t	       *namehook;
@@ -199,9 +207,7 @@ struct dns_adbfetch {
 	dns_rdataset_t			rdataset;
 };
 
-/*
- * dns_adbnamehook_t
- *
+/*%
  * This is a small widget that dangles off a dns_adbname_t.  It contains a
  * pointer to the address information about this host, and a link to the next
  * namehook that will contain the next address this host has.
@@ -212,23 +218,22 @@ struct dns_adbnamehook {
 	ISC_LINK(dns_adbnamehook_t)	plink;
 };
 
-/*
- * dns_adbzoneinfo_t
- *
- * This is a small widget that holds zone-specific information about an
+/*%
+ * This is a small widget that holds qname-specific information about an
  * address.  Currently limited to lameness, but could just as easily be
  * extended to other types of information about zones.
  */
-struct dns_adbzoneinfo {
+struct dns_adblameinfo {
 	unsigned int			magic;
 
-	dns_name_t			zone;
+	dns_name_t			qname;
+	dns_rdatatype_t			qtype;
 	isc_stdtime_t			lame_timer;
 
-	ISC_LINK(dns_adbzoneinfo_t)	plink;
+	ISC_LINK(dns_adblameinfo_t)	plink;
 };
 
-/*
+/*%
  * An address entry.  It holds quite a bit of information about addresses,
  * including edns state (in "flags"), rtt, and of course the address of
  * the host.
@@ -244,7 +249,7 @@ struct dns_adbentry {
 	isc_sockaddr_t			sockaddr;
 
 	isc_stdtime_t			expires;
-	/*
+	/*%<
 	 * A nonzero 'expires' field indicates that the entry should
 	 * persist until that time.  This allows entries found
 	 * using dns_adb_findaddrinfo() to persist for a limited time
@@ -252,7 +257,7 @@ struct dns_adbentry {
 	 * name.
 	 */
 
-	ISC_LIST(dns_adbzoneinfo_t)	zoneinfo;
+	ISC_LIST(dns_adblameinfo_t)	lameinfo;
 	ISC_LINK(dns_adbentry_t)	plink;
 };
 
@@ -264,8 +269,9 @@ static inline void free_adbname(dns_adb_t *, dns_adbname_t **);
 static inline dns_adbnamehook_t *new_adbnamehook(dns_adb_t *,
 						 dns_adbentry_t *);
 static inline void free_adbnamehook(dns_adb_t *, dns_adbnamehook_t **);
-static inline dns_adbzoneinfo_t *new_adbzoneinfo(dns_adb_t *, dns_name_t *);
-static inline void free_adbzoneinfo(dns_adb_t *, dns_adbzoneinfo_t **);
+static inline dns_adblameinfo_t *new_adblameinfo(dns_adb_t *, dns_name_t *,
+						 dns_rdatatype_t);
+static inline void free_adblameinfo(dns_adb_t *, dns_adblameinfo_t **);
 static inline dns_adbentry_t *new_adbentry(dns_adb_t *);
 static inline void free_adbentry(dns_adb_t *, dns_adbentry_t **);
 static inline dns_adbfind_t *new_adbfind(dns_adb_t *);
@@ -1321,42 +1327,42 @@ free_adbnamehook(dns_adb_t *adb, dns_adbnamehook_t **namehook) {
 	isc_mempool_put(adb->nhmp, nh);
 }
 
-static inline dns_adbzoneinfo_t *
-new_adbzoneinfo(dns_adb_t *adb, dns_name_t *zone) {
-	dns_adbzoneinfo_t *zi;
+static inline dns_adblameinfo_t *
+new_adblameinfo(dns_adb_t *adb, dns_name_t *qname, dns_rdatatype_t qtype) {
+	dns_adblameinfo_t *li;
 
-	zi = isc_mempool_get(adb->zimp);
-	if (zi == NULL)
+	li = isc_mempool_get(adb->limp);
+	if (li == NULL)
 		return (NULL);
 
-	dns_name_init(&zi->zone, NULL);
-	if (dns_name_dup(zone, adb->mctx, &zi->zone) != ISC_R_SUCCESS) {
-		isc_mempool_put(adb->zimp, zi);
+	dns_name_init(&li->qname, NULL);
+	if (dns_name_dup(qname, adb->mctx, &li->qname) != ISC_R_SUCCESS) {
+		isc_mempool_put(adb->limp, li);
 		return (NULL);
 	}
+	li->magic = DNS_ADBLAMEINFO_MAGIC;
+	li->lame_timer = 0;
+	li->qtype = qtype;
+	ISC_LINK_INIT(li, plink);
 
-	zi->magic = DNS_ADBZONEINFO_MAGIC;
-	zi->lame_timer = 0;
-	ISC_LINK_INIT(zi, plink);
-
-	return (zi);
+	return (li);
 }
 
 static inline void
-free_adbzoneinfo(dns_adb_t *adb, dns_adbzoneinfo_t **zoneinfo) {
-	dns_adbzoneinfo_t *zi;
+free_adblameinfo(dns_adb_t *adb, dns_adblameinfo_t **lameinfo) {
+	dns_adblameinfo_t *li;
 
-	INSIST(zoneinfo != NULL && DNS_ADBZONEINFO_VALID(*zoneinfo));
-	zi = *zoneinfo;
-	*zoneinfo = NULL;
+	INSIST(lameinfo != NULL && DNS_ADBLAMEINFO_VALID(*lameinfo));
+	li = *lameinfo;
+	*lameinfo = NULL;
 
-	INSIST(!ISC_LINK_LINKED(zi, plink));
+	INSIST(!ISC_LINK_LINKED(li, plink));
 
-	dns_name_free(&zi->zone, adb->mctx);
+	dns_name_free(&li->qname, adb->mctx);
 
-	zi->magic = 0;
+	li->magic = 0;
 
-	isc_mempool_put(adb->zimp, zi);
+	isc_mempool_put(adb->limp, li);
 }
 
 static inline dns_adbentry_t *
@@ -1375,7 +1381,7 @@ new_adbentry(dns_adb_t *adb) {
 	isc_random_get(&r);
 	e->srtt = (r & 0x1f) + 1;
 	e->expires = 0;
-	ISC_LIST_INIT(e->zoneinfo);
+	ISC_LIST_INIT(e->lameinfo);
 	ISC_LINK_INIT(e, plink);
 
 	return (e);
@@ -1384,7 +1390,7 @@ new_adbentry(dns_adb_t *adb) {
 static inline void
 free_adbentry(dns_adb_t *adb, dns_adbentry_t **entry) {
 	dns_adbentry_t *e;
-	dns_adbzoneinfo_t *zi;
+	dns_adblameinfo_t *li;
 
 	INSIST(entry != NULL && DNS_ADBENTRY_VALID(*entry));
 	e = *entry;
@@ -1396,11 +1402,11 @@ free_adbentry(dns_adb_t *adb, dns_adbentry_t **entry) {
 
 	e->magic = 0;
 
-	zi = ISC_LIST_HEAD(e->zoneinfo);
-	while (zi != NULL) {
-		ISC_LIST_UNLINK(e->zoneinfo, zi, plink);
-		free_adbzoneinfo(adb, &zi);
-		zi = ISC_LIST_HEAD(e->zoneinfo);
+	li = ISC_LIST_HEAD(e->lameinfo);
+	while (li != NULL) {
+		ISC_LIST_UNLINK(e->lameinfo, li, plink);
+		free_adblameinfo(adb, &li);
+		li = ISC_LIST_HEAD(e->lameinfo);
 	}
 
 	isc_mempool_put(adb->emp, e);
@@ -1436,8 +1442,6 @@ new_adbfind(dns_adb_t *adb) {
 	 */
 	result = isc_mutex_init(&h->lock);
 	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init failed in new_adbfind()");
 		isc_mempool_put(adb->ahmp, h);
 		return (NULL);
 	}
@@ -1647,45 +1651,48 @@ find_entry_and_lock(dns_adb_t *adb, isc_sockaddr_t *addr, int *bucketp) {
  * Entry bucket MUST be locked!
  */
 static isc_boolean_t
-entry_is_bad_for_zone(dns_adb_t *adb, dns_adbentry_t *entry, dns_name_t *zone,
-		      isc_stdtime_t now)
+entry_is_lame(dns_adb_t *adb, dns_adbentry_t *entry, dns_name_t *qname,
+	      dns_rdatatype_t qtype, isc_stdtime_t now)
 {
-	dns_adbzoneinfo_t *zi, *next_zi;
+	dns_adblameinfo_t *li, *next_li;
 	isc_boolean_t is_bad;
 
 	is_bad = ISC_FALSE;
 
-	zi = ISC_LIST_HEAD(entry->zoneinfo);
-	if (zi == NULL)
+	li = ISC_LIST_HEAD(entry->lameinfo);
+	if (li == NULL)
 		return (ISC_FALSE);
-	while (zi != NULL) {
-		next_zi = ISC_LIST_NEXT(zi, plink);
+	while (li != NULL) {
+		next_li = ISC_LIST_NEXT(li, plink);
 
 		/*
 		 * Has the entry expired?
 		 */
-		if (zi->lame_timer < now) {
-			ISC_LIST_UNLINK(entry->zoneinfo, zi, plink);
-			free_adbzoneinfo(adb, &zi);
+		if (li->lame_timer < now) {
+			ISC_LIST_UNLINK(entry->lameinfo, li, plink);
+			free_adblameinfo(adb, &li);
 		}
 
 		/*
 		 * Order tests from least to most expensive.
+		 *
+		 * We do not break out of the main loop here as
+		 * we use the loop for house keeping.
 		 */
-		if (zi != NULL && !is_bad) {
-			if (dns_name_equal(zone, &zi->zone))
-				is_bad = ISC_TRUE;
-		}
+		if (li != NULL && !is_bad && li->qtype == qtype &&
+		    dns_name_equal(qname, &li->qname))
+			is_bad = ISC_TRUE;
 
-		zi = next_zi;
+		li = next_li;
 	}
 
 	return (is_bad);
 }
 
 static void
-copy_namehook_lists(dns_adb_t *adb, dns_adbfind_t *find, dns_name_t *zone,
-		    dns_adbname_t *name, isc_stdtime_t now)
+copy_namehook_lists(dns_adb_t *adb, dns_adbfind_t *find, dns_name_t *qname,
+		    dns_rdatatype_t qtype, dns_adbname_t *name,
+		    isc_stdtime_t now)
 {
 	dns_adbnamehook_t *namehook;
 	dns_adbaddrinfo_t *addrinfo;
@@ -1702,7 +1709,7 @@ copy_namehook_lists(dns_adb_t *adb, dns_adbfind_t *find, dns_name_t *zone,
 			LOCK(&adb->entrylocks[bucket]);
 
 			if (!FIND_RETURNLAME(find)
-			    && entry_is_bad_for_zone(adb, entry, zone, now)) {
+			    && entry_is_lame(adb, entry, qname, qtype, now)) {
 				find->options |= DNS_ADBFIND_LAMEPRUNED;
 				goto nextv4;
 			}
@@ -1731,7 +1738,7 @@ copy_namehook_lists(dns_adb_t *adb, dns_adbfind_t *find, dns_name_t *zone,
 			bucket = entry->lock_bucket;
 			LOCK(&adb->entrylocks[bucket]);
 
-			if (entry_is_bad_for_zone(adb, entry, zone, now))
+			if (entry_is_lame(adb, entry, qname, qtype, now))
 				goto nextv6;
 			addrinfo = new_adbaddrinfo(adb, entry, find->port);
 			if (addrinfo == NULL) {
@@ -1971,7 +1978,7 @@ destroy(dns_adb_t *adb) {
 
 	isc_mempool_destroy(&adb->nmp);
 	isc_mempool_destroy(&adb->nhmp);
-	isc_mempool_destroy(&adb->zimp);
+	isc_mempool_destroy(&adb->limp);
 	isc_mempool_destroy(&adb->emp);
 	isc_mempool_destroy(&adb->ahmp);
 	isc_mempool_destroy(&adb->aimp);
@@ -2019,7 +2026,7 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 	adb->irefcnt = 0;
 	adb->nmp = NULL;
 	adb->nhmp = NULL;
-	adb->zimp = NULL;
+	adb->limp = NULL;
 	adb->emp = NULL;
 	adb->ahmp = NULL;
 	adb->aimp = NULL;
@@ -2091,7 +2098,7 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 
 	MPINIT(dns_adbname_t, adb->nmp, "adbname");
 	MPINIT(dns_adbnamehook_t, adb->nhmp, "adbnamehook");
-	MPINIT(dns_adbzoneinfo_t, adb->zimp, "adbzoneinfo");
+	MPINIT(dns_adblameinfo_t, adb->limp, "adblameinfo");
 	MPINIT(dns_adbentry_t, adb->emp, "adbentry");
 	MPINIT(dns_adbfind_t, adb->ahmp, "adbfind");
 	MPINIT(dns_adbaddrinfo_t, adb->aimp, "adbaddrinfo");
@@ -2144,8 +2151,8 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 		isc_mempool_destroy(&adb->nmp);
 	if (adb->nhmp != NULL)
 		isc_mempool_destroy(&adb->nhmp);
-	if (adb->zimp != NULL)
-		isc_mempool_destroy(&adb->zimp);
+	if (adb->limp != NULL)
+		isc_mempool_destroy(&adb->limp);
 	if (adb->emp != NULL)
 		isc_mempool_destroy(&adb->emp);
 	if (adb->ahmp != NULL)
@@ -2265,8 +2272,9 @@ dns_adb_shutdown(dns_adb_t *adb) {
 
 isc_result_t
 dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
-		   void *arg, dns_name_t *name, dns_name_t *zone,
-		   unsigned int options, isc_stdtime_t now, dns_name_t *target,
+		   void *arg, dns_name_t *name, dns_name_t *qname,
+		   dns_rdatatype_t qtype, unsigned int options,
+		   isc_stdtime_t now, dns_name_t *target,
 		   in_port_t port, dns_adbfind_t **findp)
 {
 	dns_adbfind_t *find;
@@ -2283,7 +2291,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 		REQUIRE(action != NULL);
 	}
 	REQUIRE(name != NULL);
-	REQUIRE(zone != NULL);
+	REQUIRE(qname != NULL);
 	REQUIRE(findp != NULL && *findp == NULL);
 	REQUIRE(target == NULL || dns_name_hasbuffer(target));
 
@@ -2511,7 +2519,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 	 * Run through the name and copy out the bits we are
 	 * interested in.
 	 */
-	copy_namehook_lists(adb, find, zone, adbname, now);
+	copy_namehook_lists(adb, find, qname, qtype, adbname, now);
 
  post_copy:
 	if (NAME_FETCH_V4(adbname))
@@ -2826,8 +2834,9 @@ dump_entry(FILE *f, dns_adbentry_t *entry, isc_boolean_t debug,
 	   isc_stdtime_t now)
 {
 	char addrbuf[ISC_NETADDR_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
 	isc_netaddr_t netaddr;
-	dns_adbzoneinfo_t *zi;
+	dns_adblameinfo_t *li;
 
 	isc_netaddr_fromsockaddr(&netaddr, &entry->sockaddr);
 	isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
@@ -2840,12 +2849,14 @@ dump_entry(FILE *f, dns_adbentry_t *entry, isc_boolean_t debug,
 	if (entry->expires != 0)
 		fprintf(f, " [ttl %d]", entry->expires - now);
 	fprintf(f, "\n");
-	for (zi = ISC_LIST_HEAD(entry->zoneinfo);
-	     zi != NULL;
-	     zi = ISC_LIST_NEXT(zi, plink)) {
+	for (li = ISC_LIST_HEAD(entry->lameinfo);
+	     li != NULL;
+	     li = ISC_LIST_NEXT(li, plink)) {
 		fprintf(f, ";\t\t");
-		print_dns_name(f, &zi->zone);
-		fprintf(f, " [lame TTL %d]\n", zi->lame_timer - now);
+		print_dns_name(f, &li->qname);
+		dns_rdatatype_format(li->qtype, typebuf, sizeof(typebuf));
+		fprintf(f, " %s [lame TTL %d]\n", typebuf,
+			li->lame_timer - now);
 	}
 }
 
@@ -3332,36 +3343,37 @@ fetch_name(dns_adbname_t *adbname,
  * since these can be extracted from the find itself.
  */
 isc_result_t
-dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *zone,
-		 isc_stdtime_t expire_time)
+dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *qname,
+		 dns_rdatatype_t qtype, isc_stdtime_t expire_time)
 {
-	dns_adbzoneinfo_t *zi;
+	dns_adblameinfo_t *li;
 	int bucket;
 	isc_result_t result = ISC_R_SUCCESS;
 
 	REQUIRE(DNS_ADB_VALID(adb));
 	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
-	REQUIRE(zone != NULL);
+	REQUIRE(qname != NULL);
 
 	bucket = addr->entry->lock_bucket;
 	LOCK(&adb->entrylocks[bucket]);
-	zi = ISC_LIST_HEAD(addr->entry->zoneinfo);
-	while (zi != NULL && !dns_name_equal(zone, &zi->zone))
-		zi = ISC_LIST_NEXT(zi, plink);
-	if (zi != NULL) {
-		if (expire_time > zi->lame_timer)
-			zi->lame_timer = expire_time;
+	li = ISC_LIST_HEAD(addr->entry->lameinfo);
+	while (li != NULL &&
+	       (li->qtype != qtype || !dns_name_equal(qname, &li->qname)))
+		li = ISC_LIST_NEXT(li, plink);
+	if (li != NULL) {
+		if (expire_time > li->lame_timer)
+			li->lame_timer = expire_time;
 		goto unlock;
 	}
-	zi = new_adbzoneinfo(adb, zone);
-	if (zi == NULL) {
+	li = new_adblameinfo(adb, qname, qtype);
+	if (li == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto unlock;
 	}
 
-	zi->lame_timer = expire_time;
+	li->lame_timer = expire_time;
 
-	ISC_LIST_PREPEND(addr->entry->zoneinfo, zi, plink);
+	ISC_LIST_PREPEND(addr->entry->lameinfo, li, plink);
  unlock:
 	UNLOCK(&adb->entrylocks[bucket]);
 
diff --git a/contrib/bind9/lib/dns/api b/contrib/bind9/lib/dns/api
index 95b29be..5798ebc 100644
--- a/contrib/bind9/lib/dns/api
+++ b/contrib/bind9/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 23
-LIBREVISION = 0
+LIBINTERFACE = 33
+LIBREVISION = 1
 LIBAGE = 1
diff --git a/contrib/bind9/lib/dns/byaddr.c b/contrib/bind9/lib/dns/byaddr.c
index ace4fb0..38d6e8b 100644
--- a/contrib/bind9/lib/dns/byaddr.c
+++ b/contrib/bind9/lib/dns/byaddr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: byaddr.c,v 1.29.2.1.2.8 2004/08/28 06:25:18 marka Exp $ */
+/* $Id: byaddr.c,v 1.34.18.3 2005/04/29 00:15:49 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/dns/cache.c b/contrib/bind9/lib/dns/cache.c
index f45af90..011dbf7 100644
--- a/contrib/bind9/lib/dns/cache.c
+++ b/contrib/bind9/lib/dns/cache.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.c,v 1.45.2.4.8.15 2006/08/01 01:07:05 marka Exp $ */
+/* $Id: cache.c,v 1.57.18.16 2006/08/01 01:06:48 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -29,6 +31,7 @@
 #include <dns/db.h>
 #include <dns/dbiterator.h>
 #include <dns/events.h>
+#include <dns/lib.h>
 #include <dns/log.h>
 #include <dns/masterdump.h>
 #include <dns/rdata.h>
@@ -39,13 +42,18 @@
 #define CACHE_MAGIC		ISC_MAGIC('$', '$', '$', '$')
 #define VALID_CACHE(cache)	ISC_MAGIC_VALID(cache, CACHE_MAGIC)
 
-/*
- * The following two variables control incremental cleaning.
- * MINSIZE is how many bytes is the floor for dns_cache_setcachesize().
+/*! 
+ * Control incremental cleaning.
+ * DNS_CACHE_MINSIZE is how many bytes is the floor for dns_cache_setcachesize().
+ * See also DNS_CACHE_CLEANERINCREMENT
+ */
+#define DNS_CACHE_MINSIZE 		2097152	/*%< Bytes.  2097152 = 2 MB */
+/*! 
+ * Control incremental cleaning.
  * CLEANERINCREMENT is how many nodes are examined in one pass.
+ * See also DNS_CACHE_MINSIZE 
  */
-#define DNS_CACHE_MINSIZE 		2097152	/* Bytes.  2097152 = 2 MB */
-#define DNS_CACHE_CLEANERINCREMENT	1000	/* Number of nodes. */
+#define DNS_CACHE_CLEANERINCREMENT	1000U	/*%< Number of nodes. */
 
 /***
  ***	Types
@@ -59,9 +67,9 @@
 typedef struct cache_cleaner cache_cleaner_t;
 
 typedef enum {
-	cleaner_s_idle,	/* Waiting for cleaning-interval to expire. */
-	cleaner_s_busy,	/* Currently cleaning. */
-	cleaner_s_done  /* Freed enough memory after being overmem. */
+	cleaner_s_idle,	/*%< Waiting for cleaning-interval to expire. */
+	cleaner_s_busy,	/*%< Currently cleaning. */
+	cleaner_s_done  /*%< Freed enough memory after being overmem. */
 } cleaner_state_t;
 
 /*
@@ -73,13 +81,13 @@ typedef enum {
 			 (c)->iterator != NULL && \
 			 (c)->resched_event == NULL)
 
-/*
+/*%
  * Accesses to a cache cleaner object are synchronized through
  * task/event serialization, or locked from the cache object.
  */
 struct cache_cleaner {
 	isc_mutex_t	lock;
-	/*
+	/*%<
 	 * Locks overmem_event, overmem.  Note: never allocate memory
 	 * while holding this lock - that could lead to deadlock since
 	 * the lock is take by water() which is called from the memory
@@ -88,22 +96,22 @@ struct cache_cleaner {
 
 	dns_cache_t	*cache;
 	isc_task_t 	*task;
-	unsigned int	cleaning_interval; /* The cleaning-interval from
+	unsigned int	cleaning_interval; /*% The cleaning-interval from
 					      named.conf, in seconds. */
 	isc_timer_t 	*cleaning_timer;
-	isc_event_t	*resched_event;	/* Sent by cleaner task to
+	isc_event_t	*resched_event;	/*% Sent by cleaner task to
 					   itself to reschedule */
 	isc_event_t	*overmem_event;
 
 	dns_dbiterator_t *iterator;
-	int 		 increment;	/* Number of names to
+	unsigned int 	 increment;	/*% Number of names to
 					   clean in one increment */
-	cleaner_state_t  state;		/* Idle/Busy. */
-	isc_boolean_t	 overmem;	/* The cache is in an overmem state. */
+	cleaner_state_t  state;		/*% Idle/Busy. */
+	isc_boolean_t	 overmem;	/*% The cache is in an overmem state. */
 	isc_boolean_t	 replaceiterator;
 };
 
-/*
+/*%
  * The actual cache object.
  */
 
@@ -149,6 +157,79 @@ cleaner_shutdown_action(isc_task_t *task, isc_event_t *event);
 static void
 overmem_cleaning_action(isc_task_t *task, isc_event_t *event);
 
+/*%
+ * Work out how many nodes can be cleaned in the time between two
+ * requests to the nameserver.  Smooth the resulting number and use
+ * it as a estimate for the number of nodes to be cleaned in the next
+ * iteration.
+ */
+static void
+adjust_increment(cache_cleaner_t *cleaner, unsigned int remaining,
+		 isc_time_t *start)
+{
+	isc_time_t end;
+	isc_uint64_t usecs;
+	isc_uint64_t new;
+	unsigned int pps = dns_pps;
+	unsigned int interval;
+	unsigned int names;
+	
+	/*
+	 * Tune for minumum of 100 packets per second (pps).
+	 */
+	if (pps < 100)
+		pps = 100;
+
+	isc_time_now(&end);
+
+	interval = 1000000 / pps; /* Interval between packets in usecs. */
+	if (interval == 0)
+		interval = 1;
+
+	INSIST(cleaner->increment >= remaining);
+	names = cleaner->increment - remaining;
+	usecs = isc_time_microdiff(&end, start);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+		      ISC_LOG_DEBUG(1), "adjust_increment interval=%u "
+		      "names=%u usec=%" ISC_PLATFORM_QUADFORMAT "u",
+		      interval, names, usecs);
+	
+	if (usecs == 0) {
+		/*
+		 * If we cleaned all the nodes in unmeasurable time
+		 * double the number of nodes to be cleaned next time.
+		 */
+		if (names == cleaner->increment) {
+			cleaner->increment *= 2;
+			if (cleaner->increment > DNS_CACHE_CLEANERINCREMENT)
+				cleaner->increment = DNS_CACHE_CLEANERINCREMENT;
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+				      "%p:new cleaner->increment = %u\n",
+				      cleaner, cleaner->increment);
+		}
+		return;
+	}
+
+	new = (names * interval);
+	new /= (usecs * 2);
+	if (new == 0)
+		new = 1;
+
+	/* Smooth */
+	new = (new + cleaner->increment * 7) / 8;
+
+	if (new > DNS_CACHE_CLEANERINCREMENT)
+		new = DNS_CACHE_CLEANERINCREMENT;
+
+	cleaner->increment = (unsigned int)new;
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+		      ISC_LOG_DEBUG(1), "%p:new cleaner->increment = %u\n",
+		      cleaner, cleaner->increment);
+}
+
 static inline isc_result_t
 cache_create_db(dns_cache_t *cache, dns_db_t **db) {
 	return (dns_db_create(cache->mctx, cache->db_type, dns_rootname,
@@ -178,22 +259,12 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	isc_mem_attach(mctx, &cache->mctx);
 
 	result = isc_mutex_init(&cache->lock);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 dns_result_totext(result));
-		result = ISC_R_UNEXPECTED;
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_mem;
-	}
 
 	result = isc_mutex_init(&cache->filelock);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 dns_result_totext(result));
-		result = ISC_R_UNEXPECTED;
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_lock;
-	}
 
 	cache->references = 1;
 	cache->live_tasks = 0;
@@ -488,13 +559,8 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
 	isc_result_t result;
 
 	result = isc_mutex_init(&cleaner->lock);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 dns_result_totext(result));
-		result = ISC_R_UNEXPECTED;
+	if (result != ISC_R_SUCCESS)
 		goto fail;
-	}
 
 	cleaner->increment = DNS_CACHE_CLEANERINCREMENT;
 	cleaner->state = cleaner_s_idle;
@@ -740,7 +806,8 @@ static void
 incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 	cache_cleaner_t *cleaner = event->ev_arg;
 	isc_result_t result;
-	int n_names;
+	unsigned int n_names;
+	isc_time_t start;
 
 	UNUSED(task);
 
@@ -770,6 +837,7 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 
 	REQUIRE(DNS_DBITERATOR_VALID(cleaner->iterator));
 
+	isc_time_now(&start);
 	while (n_names-- > 0) {
 		dns_dbnode_t *node = NULL;
 
@@ -780,6 +848,7 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 				 "cache cleaner: dns_dbiterator_current() "
 				 "failed: %s", dns_result_totext(result));
 
+			adjust_increment(cleaner, n_names, &start);
 			end_cleaning(cleaner, event);
 			return;
 		}
@@ -823,11 +892,14 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 				}
 			}
 
+			adjust_increment(cleaner, n_names, &start);
 			end_cleaning(cleaner, event);
 			return;
 		}
 	}
 
+	adjust_increment(cleaner, 0U, &start);
+
 	/*
 	 * We have successfully performed a cleaning increment but have
 	 * not gone through the entire cache.  Free the iterator locks
@@ -838,7 +910,7 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
-		      ISC_LOG_DEBUG(1), "cache cleaner: checked %d nodes, "
+		      ISC_LOG_DEBUG(1), "cache cleaner: checked %u nodes, "
 		      "mem inuse %lu, sleeping", cleaner->increment,
 		      (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
 
diff --git a/contrib/bind9/lib/dns/callbacks.c b/contrib/bind9/lib/dns/callbacks.c
index 431c7ef..a487ed0 100644
--- a/contrib/bind9/lib/dns/callbacks.c
+++ b/contrib/bind9/lib/dns/callbacks.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: callbacks.c,v 1.12.206.1 2004/03/06 08:13:36 marka Exp $ */
+/* $Id: callbacks.c,v 1.13.18.2 2005/04/29 00:15:49 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/dns/compress.c b/contrib/bind9/lib/dns/compress.c
index 2122436..2103767 100644
--- a/contrib/bind9/lib/dns/compress.c
+++ b/contrib/bind9/lib/dns/compress.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.c,v 1.50.206.4 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: compress.c,v 1.52.18.5 2006/03/02 00:37:21 marka Exp $ */
+
+/*! \file */
 
 #define DNS_NAME_USEINLINE 1
 
@@ -82,13 +84,31 @@ void
 dns_compress_setmethods(dns_compress_t *cctx, unsigned int allowed) {
 	REQUIRE(VALID_CCTX(cctx));
 
-	cctx->allowed = allowed;
+	cctx->allowed &= ~DNS_COMPRESS_ALL;
+	cctx->allowed |= (allowed & DNS_COMPRESS_ALL);
 }
 
 unsigned int
 dns_compress_getmethods(dns_compress_t *cctx) {
 	REQUIRE(VALID_CCTX(cctx));
-	return (cctx->allowed);
+	return (cctx->allowed & DNS_COMPRESS_ALL);
+}
+
+void
+dns_compress_setsensitive(dns_compress_t *cctx, isc_boolean_t sensitive) {
+	REQUIRE(VALID_CCTX(cctx));
+
+	if (sensitive)
+		cctx->allowed |= DNS_COMPRESS_CASESENSITIVE;
+	else
+		cctx->allowed &= ~DNS_COMPRESS_CASESENSITIVE;
+}
+
+isc_boolean_t
+dns_compress_getsensitive(dns_compress_t *cctx) {
+	REQUIRE(VALID_CCTX(cctx));
+
+	return (ISC_TF((cctx->allowed & DNS_COMPRESS_CASESENSITIVE) != 0));
 }
 
 int
@@ -138,8 +158,13 @@ dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
 		for (node = cctx->table[hash]; node != NULL; node = node->next)
 		{
 			NODENAME(node, &nname);
-			if (dns_name_equal(&nname, &tname))
-				break;
+			if ((cctx->allowed & DNS_COMPRESS_CASESENSITIVE) != 0) {
+				if (dns_name_caseequal(&nname, &tname))
+					break;
+			} else {
+				if (dns_name_equal(&nname, &tname))
+					break;
+			}
 		}
 		if (node != NULL)
 			break;
diff --git a/contrib/bind9/lib/dns/db.c b/contrib/bind9/lib/dns/db.c
index 347ce1e..32ff6ae 100644
--- a/contrib/bind9/lib/dns/db.c
+++ b/contrib/bind9/lib/dns/db.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db.c,v 1.69.2.1.10.4 2004/03/08 02:07:52 marka Exp $ */
+/* $Id: db.c,v 1.74.18.6 2005/10/13 02:12:24 marka Exp $ */
+
+/*! \file */
 
 /***
  *** Imports
@@ -301,6 +303,11 @@ dns_db_endload(dns_db_t *db, dns_dbload_t **dbloadp) {
 
 isc_result_t
 dns_db_load(dns_db_t *db, const char *filename) {
+	return (dns_db_load2(db, filename, dns_masterformat_text));
+}
+
+isc_result_t
+dns_db_load2(dns_db_t *db, const char *filename, dns_masterformat_t format) {
 	isc_result_t result, eresult;
 	dns_rdatacallbacks_t callbacks;
 	unsigned int options = 0;
@@ -319,9 +326,9 @@ dns_db_load(dns_db_t *db, const char *filename) {
 	result = dns_db_beginload(db, &callbacks.add, &callbacks.add_private);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	result = dns_master_loadfile(filename, &db->origin, &db->origin,
-				     db->rdclass, options,
-				     &callbacks, db->mctx);
+	result = dns_master_loadfile2(filename, &db->origin, &db->origin,
+				      db->rdclass, options,
+				      &callbacks, db->mctx, format);
 	eresult = dns_db_endload(db, &callbacks.add_private);
 	/*
 	 * We always call dns_db_endload(), but we only want to return its
@@ -337,13 +344,22 @@ dns_db_load(dns_db_t *db, const char *filename) {
 
 isc_result_t
 dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename) {
+	return ((db->methods->dump)(db, version, filename,
+				    dns_masterformat_text));
+}
+
+isc_result_t
+dns_db_dump2(dns_db_t *db, dns_dbversion_t *version, const char *filename,
+	     dns_masterformat_t masterformat) {
 	/*
-	 * Dump 'db' into master file 'filename'.
+	 * Dump 'db' into master file 'filename' in the 'masterformat' format.
+	 * XXXJT: is it okay to modify the interface to the existing "dump"
+	 * method?
 	 */
 
 	REQUIRE(DNS_DB_VALID(db));
 
-	return ((db->methods->dump)(db, version, filename));
+	return ((db->methods->dump)(db, version, filename, masterformat));
 }
 
 /***
@@ -791,3 +807,15 @@ dns_db_unregister(dns_dbimplementation_t **dbimp) {
 	isc_mem_detach(&mctx);
 	RWUNLOCK(&implock, isc_rwlocktype_write);
 }
+
+isc_result_t
+dns_db_getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(dns_db_iszone(db) == ISC_TRUE);
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	if (db->methods->getoriginnode != NULL)
+		return ((db->methods->getoriginnode)(db, nodep));
+
+	return (ISC_R_NOTFOUND);
+}
diff --git a/contrib/bind9/lib/dns/dbiterator.c b/contrib/bind9/lib/dns/dbiterator.c
index 0bf354b..d462ad5 100644
--- a/contrib/bind9/lib/dns/dbiterator.c
+++ b/contrib/bind9/lib/dns/dbiterator.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dbiterator.c,v 1.13.206.1 2004/03/06 08:13:37 marka Exp $ */
+/* $Id: dbiterator.c,v 1.14.18.2 2005/04/29 00:15:50 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/dns/dbtable.c b/contrib/bind9/lib/dns/dbtable.c
index d027fa3..b091e42 100644
--- a/contrib/bind9/lib/dns/dbtable.c
+++ b/contrib/bind9/lib/dns/dbtable.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,10 +16,11 @@
  */
 
 /*
- * $Id: dbtable.c,v 1.25.12.4 2004/03/09 05:21:08 marka Exp $
+ * $Id: dbtable.c,v 1.28.18.3 2005/07/12 01:22:19 marka Exp $
  */
 
-/*
+/*! \file
+ * \author
  * Principal Author: DCL
  */
 
@@ -86,7 +87,6 @@ dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	result = isc_rwlock_init(&dbtable->tree_lock, 0, 0);
 	if (result != ISC_R_SUCCESS)
 		goto clean3;
-	
 
 	dbtable->default_db = NULL;
 	dbtable->mctx = mctx;
diff --git a/contrib/bind9/lib/dns/diff.c b/contrib/bind9/lib/dns/diff.c
index 8cd5643..22a3938 100644
--- a/contrib/bind9/lib/dns/diff.c
+++ b/contrib/bind9/lib/dns/diff.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: diff.c,v 1.4.2.1.8.4 2004/03/08 02:07:52 marka Exp $ */
+/* $Id: diff.c,v 1.9.18.3 2005/04/27 05:01:15 sra Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -30,8 +32,10 @@
 #include <dns/db.h>
 #include <dns/diff.h>
 #include <dns/log.h>
+#include <dns/rdataclass.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
+#include <dns/rdatatype.h>
 #include <dns/result.h>
 
 #define CHECK(op) \
@@ -195,6 +199,9 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
 	dns_difftuple_t *t;
 	dns_dbnode_t *node = NULL;
 	isc_result_t result;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
 
 	REQUIRE(DNS_DIFF_VALID(diff));
 	REQUIRE(DNS_DB_VALID(db));
@@ -254,11 +261,19 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
 			       t->rdata.type == type &&
 			       rdata_covers(&t->rdata) == covers)
 			{
+				dns_name_format(name, namebuf, sizeof(namebuf));
+				dns_rdatatype_format(t->rdata.type, typebuf,
+						     sizeof(typebuf));
+				dns_rdataclass_format(t->rdata.rdclass,
+						      classbuf,
+						      sizeof(classbuf));
 				if (t->ttl != rdl.ttl && warn)
 					isc_log_write(DIFF_COMMON_LOGARGS,
 					      	ISC_LOG_WARNING,
-						"TTL differs in rdataset, "
-						"adjusting %lu -> %lu",
+						"'%s/%s/%s': TTL differs in "
+						"rdataset, adjusting "
+						"%lu -> %lu",
+						namebuf, typebuf, classbuf,
 						(unsigned long) t->ttl,
 						(unsigned long) rdl.ttl);
 				ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
diff --git a/contrib/bind9/lib/dns/dispatch.c b/contrib/bind9/lib/dns/dispatch.c
index 91ef2c5..02accdf 100644
--- a/contrib/bind9/lib/dns/dispatch.c
+++ b/contrib/bind9/lib/dns/dispatch.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dispatch.c,v 1.101.2.6.2.13 2006/07/19 00:44:04 marka Exp $ */
+/* $Id: dispatch.c,v 1.116.18.13 2007/02/07 23:57:58 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -43,12 +45,12 @@ typedef ISC_LIST(dns_dispentry_t)	dns_displist_t;
 
 typedef struct dns_qid {
 	unsigned int	magic;
-	unsigned int	qid_nbuckets;	/* hash table size */
-	unsigned int	qid_increment;	/* id increment on collision */
+	unsigned int	qid_nbuckets;	/*%< hash table size */
+	unsigned int	qid_increment;	/*%< id increment on collision */
 	isc_mutex_t	lock;
-	isc_lfsr_t	qid_lfsr1;	/* state generator info */
-	isc_lfsr_t	qid_lfsr2;	/* state generator info */
-	dns_displist_t	*qid_table;	/* the table itself */
+	isc_lfsr_t	qid_lfsr1;	/*%< state generator info */
+	isc_lfsr_t	qid_lfsr2;	/*%< state generator info */
+	dns_displist_t	*qid_table;	/*%< the table itself */
 } dns_qid_t;
 
 struct dns_dispatchmgr {
@@ -66,18 +68,18 @@ struct dns_dispatchmgr {
 	/* locked by buffer lock */
 	dns_qid_t			*qid;
 	isc_mutex_t			buffer_lock;
-	unsigned int			buffers;    /* allocated buffers */
-	unsigned int			buffersize; /* size of each buffer */
-	unsigned int			maxbuffers; /* max buffers */
+	unsigned int			buffers;    /*%< allocated buffers */
+	unsigned int			buffersize; /*%< size of each buffer */
+	unsigned int			maxbuffers; /*%< max buffers */
 
 	/* Locked internally. */
 	isc_mutex_t			pool_lock;
-	isc_mempool_t		       *epool;	/* memory pool for events */
-	isc_mempool_t		       *rpool;	/* memory pool for replies */
-	isc_mempool_t		       *dpool;  /* dispatch allocations */
-	isc_mempool_t		       *bpool;	/* memory pool for buffers */
+	isc_mempool_t		       *epool;	/*%< memory pool for events */
+	isc_mempool_t		       *rpool;	/*%< memory pool for replies */
+	isc_mempool_t		       *dpool;  /*%< dispatch allocations */
+	isc_mempool_t		       *bpool;	/*%< memory pool for buffers */
 
-	isc_entropy_t		       *entropy; /* entropy source */
+	isc_entropy_t		       *entropy; /*%< entropy source */
 };
 
 #define MGR_SHUTTINGDOWN		0x00000001U
@@ -103,32 +105,32 @@ struct dns_dispentry {
 
 struct dns_dispatch {
 	/* Unlocked. */
-	unsigned int		magic;		/* magic */
-	dns_dispatchmgr_t      *mgr;		/* dispatch manager */
-	isc_task_t	       *task;		/* internal task */
-	isc_socket_t	       *socket;		/* isc socket attached to */
-	isc_sockaddr_t		local;		/* local address */
-	unsigned int		maxrequests;	/* max requests */
+	unsigned int		magic;		/*%< magic */
+	dns_dispatchmgr_t      *mgr;		/*%< dispatch manager */
+	isc_task_t	       *task;		/*%< internal task */
+	isc_socket_t	       *socket;		/*%< isc socket attached to */
+	isc_sockaddr_t		local;		/*%< local address */
+	unsigned int		maxrequests;	/*%< max requests */
 	isc_event_t	       *ctlevent;
 
-	/* Locked by mgr->lock. */
+	/*% Locked by mgr->lock. */
 	ISC_LINK(dns_dispatch_t) link;
 
 	/* Locked by "lock". */
-	isc_mutex_t		lock;		/* locks all below */
+	isc_mutex_t		lock;		/*%< locks all below */
 	isc_sockettype_t	socktype;
 	unsigned int		attributes;
-	unsigned int		refcount;	/* number of users */
-	dns_dispatchevent_t    *failsafe_ev;	/* failsafe cancel event */
+	unsigned int		refcount;	/*%< number of users */
+	dns_dispatchevent_t    *failsafe_ev;	/*%< failsafe cancel event */
 	unsigned int		shutting_down : 1,
 				shutdown_out : 1,
 				connected : 1,
 				tcpmsg_valid : 1,
-				recv_pending : 1; /* is a recv() pending? */
+				recv_pending : 1; /*%< is a recv() pending? */
 	isc_result_t		shutdown_why;
-	unsigned int		requests;	/* how many requests we have */
-	unsigned int		tcpbuffers;	/* allocated buffers */
-	dns_tcpmsg_t		tcpmsg;		/* for tcp streams */
+	unsigned int		requests;	/*%< how many requests we have */
+	unsigned int		tcpbuffers;	/*%< allocated buffers */
+	dns_tcpmsg_t		tcpmsg;		/*%< for tcp streams */
 	dns_qid_t		*qid;
 };
 
@@ -970,6 +972,9 @@ startrecv(dns_dispatch_t *disp) {
 		INSIST(disp->recv_pending == 0);
 		disp->recv_pending = 1;
 		break;
+	default:
+		INSIST(0);
+		break;
 	}
 }
 
@@ -1239,6 +1244,7 @@ dns_dispatchmgr_setudp(dns_dispatchmgr_t *mgr,
 
 	if (isc_mempool_create(mgr->mctx, buffersize,
 			       &mgr->bpool) != ISC_R_SUCCESS) {
+		UNLOCK(&mgr->buffer_lock);
 		return (ISC_R_NOMEMORY);
 	}
 
@@ -1396,6 +1402,7 @@ qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
 {
 	dns_qid_t *qid;
 	unsigned int i;
+	isc_result_t result;
 
 	REQUIRE(VALID_DISPATCHMGR(mgr));
 	REQUIRE(buckets < 2097169);  /* next prime > 65536 * 32 */
@@ -1413,12 +1420,12 @@ qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
 		return (ISC_R_NOMEMORY);
 	}
 
-	if (isc_mutex_init(&qid->lock) != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_mutex_init failed");
+	result = isc_mutex_init(&qid->lock);
+	if (result != ISC_R_SUCCESS) {
 		isc_mem_put(mgr->mctx, qid->qid_table,
 			    buckets * sizeof(dns_displist_t));
 		isc_mem_put(mgr->mctx, qid, sizeof(*qid));
-		return (ISC_R_UNEXPECTED);
+		return (result);
 	}
 
 	for (i = 0; i < buckets; i++)
@@ -1471,7 +1478,7 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
 		  dns_dispatch_t **dispp)
 {
 	dns_dispatch_t *disp;
-	isc_result_t res;
+	isc_result_t result;
 
 	REQUIRE(VALID_DISPATCHMGR(mgr));
 	REQUIRE(dispp != NULL && *dispp == NULL);
@@ -1502,15 +1509,13 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
 	disp->tcpbuffers = 0;
 	disp->qid = NULL;
 
-	if (isc_mutex_init(&disp->lock) != ISC_R_SUCCESS) {
-		res = ISC_R_UNEXPECTED;
-		UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_mutex_init failed");
+	result = isc_mutex_init(&disp->lock);
+	if (result != ISC_R_SUCCESS)
 		goto deallocate;
-	}
 
 	disp->failsafe_ev = allocate_event(disp);
 	if (disp->failsafe_ev == NULL) {
-		res = ISC_R_NOMEMORY;
+		result = ISC_R_NOMEMORY;
 		goto kill_lock;
 	}
 
@@ -1527,7 +1532,7 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
  deallocate:
 	isc_mempool_put(mgr->dpool, disp);
 
-	return (res);
+	return (result);
 }
 
 
diff --git a/contrib/bind9/lib/dns/dlz.c b/contrib/bind9/lib/dns/dlz.c
new file mode 100644
index 0000000..ee6c03b
--- /dev/null
+++ b/contrib/bind9/lib/dns/dlz.c
@@ -0,0 +1,510 @@
+/*
+ * Portions Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dlz.c,v 1.2.2.2 2005/09/06 03:47:17 marka Exp $ */
+
+/*! \file */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/dlz.h>
+
+
+#include <isc/buffer.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/***
+ *** Supported DLZ DB Implementations Registry
+ ***/
+
+static ISC_LIST(dns_dlzimplementation_t) dlz_implementations;
+static isc_rwlock_t dlz_implock;
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+dlz_initialize(void) {
+	RUNTIME_CHECK(isc_rwlock_init(&dlz_implock, 0, 0) == ISC_R_SUCCESS);
+	ISC_LIST_INIT(dlz_implementations);
+}
+
+/*%
+ * Searches the dlz_implementations list for a driver matching name.
+ */
+static inline dns_dlzimplementation_t *
+dlz_impfind(const char *name) {
+	dns_dlzimplementation_t *imp;
+
+	for (imp = ISC_LIST_HEAD(dlz_implementations);
+	     imp != NULL;
+	     imp = ISC_LIST_NEXT(imp, link))
+		if (strcasecmp(name, imp->name) == 0)
+			return (imp);
+	return (NULL);
+}
+
+/***
+ *** Basic DLZ Methods
+ ***/
+
+isc_result_t
+dns_dlzallowzonexfr(dns_view_t *view, dns_name_t *name,
+		    isc_sockaddr_t *clientaddr, dns_db_t **dbp)
+{
+	isc_result_t result;
+	dns_dlzallowzonexfr_t allowzonexfr;
+	dns_dlzdb_t *dlzdatabase;
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(DNS_DLZ_VALID(view->dlzdatabase));
+	REQUIRE(name != NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	/* ask driver if the zone is supported */
+	dlzdatabase = view->dlzdatabase;
+	allowzonexfr = dlzdatabase->implementation->methods->allowzonexfr;
+	result = (*allowzonexfr)(dlzdatabase->implementation->driverarg,
+			         dlzdatabase->dbdata, dlzdatabase->mctx,
+				 view->rdclass, name, clientaddr, dbp);
+
+	if (result == ISC_R_NOTIMPLEMENTED)
+		return (ISC_R_NOTFOUND);
+	return (result);
+}
+
+isc_result_t
+dns_dlzcreate(isc_mem_t *mctx, const char *dlzname, const char *drivername,
+	      unsigned int argc, char *argv[], dns_dlzdb_t **dbp)
+{
+	dns_dlzimplementation_t *impinfo;
+	isc_result_t result;
+
+	/*
+	 * initialize the dlz_implementations list, this is guaranteed
+	 * to only really happen once.
+	 */
+	RUNTIME_CHECK(isc_once_do(&once, dlz_initialize) == ISC_R_SUCCESS);
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(dbp != NULL && *dbp == NULL);
+	REQUIRE(dlzname != NULL);
+	REQUIRE(drivername != NULL);
+	REQUIRE(mctx != NULL);
+
+	/* write log message */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_INFO,
+		      "Loading '%s' using driver %s", dlzname, drivername);
+
+	/* lock the dlz_implementations list so we can search it. */
+	RWLOCK(&dlz_implock, isc_rwlocktype_read);
+
+	/* search for the driver implementation	 */
+	impinfo = dlz_impfind(drivername);
+	if (impinfo == NULL) {
+		RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
+
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "unsupported DLZ database driver '%s'."
+			      "  %s not loaded.",
+			      drivername, dlzname);
+
+		return (ISC_R_NOTFOUND);
+	}
+
+	/* Allocate memory to hold the DLZ database driver */
+	(*dbp) = isc_mem_get(mctx, sizeof(dns_dlzdb_t));
+	if ((*dbp) == NULL) {
+		RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
+		return (ISC_R_NOMEMORY);
+	}
+
+	/* Make sure memory region is set to all 0's */
+	memset((*dbp), 0, sizeof(dns_dlzdb_t));
+
+	(*dbp)->implementation = impinfo;
+
+	/* Create a new database using implementation 'drivername'. */
+	result = ((impinfo->methods->create)(mctx, dlzname, argc, argv,
+					     impinfo->driverarg,
+					     &(*dbp)->dbdata));
+
+	/* mark the DLZ driver as valid */
+	if (result == ISC_R_SUCCESS) {
+		RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
+		(*dbp)->magic = DNS_DLZ_MAGIC;
+		isc_mem_attach(mctx, &(*dbp)->mctx);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+			      "DLZ driver loaded successfully.");
+		return (ISC_R_SUCCESS);
+	} else {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "DLZ driver failed to load.");
+	}
+
+	/* impinfo->methods->create failed. */
+	RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
+	isc_mem_put(mctx, (*dbp), sizeof(dns_dlzdb_t));
+	return (result);
+}
+
+void
+dns_dlzdestroy(dns_dlzdb_t **dbp) {
+	isc_mem_t *mctx;
+	dns_dlzdestroy_t destroy;
+
+	/* Write debugging message to log */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+		      "Unloading DLZ driver.");
+
+	/*
+	 * Perform checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(dbp != NULL && DNS_DLZ_VALID(*dbp));
+
+	/* call the drivers destroy method */
+	if ((*dbp) != NULL) {
+		mctx = (*dbp)->mctx;
+		destroy = (*dbp)->implementation->methods->destroy;
+		(*destroy)((*dbp)->implementation->driverarg,(*dbp)->dbdata);
+		/* return memory */
+		isc_mem_put(mctx, (*dbp), sizeof(dns_dlzdb_t));
+		isc_mem_detach(&mctx);
+	}
+
+	*dbp = NULL;
+}
+
+
+isc_result_t
+dns_dlzfindzone(dns_view_t *view, dns_name_t *name, unsigned int minlabels,
+		dns_db_t **dbp)
+{
+	dns_fixedname_t fname;
+	dns_name_t *zonename;
+	unsigned int namelabels;
+	unsigned int i;
+	isc_result_t result;
+	dns_dlzfindzone_t findzone;
+	dns_dlzdb_t *dlzdatabase;
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(DNS_DLZ_VALID(view->dlzdatabase));
+	REQUIRE(name != NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	/* setup a "fixed" dns name */
+	dns_fixedname_init(&fname);
+	zonename = dns_fixedname_name(&fname);
+
+	/* count the number of labels in the name */
+	namelabels = dns_name_countlabels(name);
+
+	/*
+	 * loop through starting with the longest domain name and
+	 * trying shorter names portions of the name until we find a
+	 * match, have an error, or are below the 'minlabels'
+	 * threshold.  minlabels is 0, if the standard database didn't
+	 * have a zone name match.  Otherwise minlables is the number
+	 * of labels in that name.  We need to beat that for a
+	 * "better" match for the DLZ database to be authoritative
+	 * instead of the standard database.
+	 */
+	for (i = namelabels; i > minlabels && i > 1; i--) {
+		if (i == namelabels) {
+			result = dns_name_copy(name, zonename, NULL);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+		} else
+			dns_name_split(name, i, NULL, zonename);
+
+		/* ask SDLZ driver if the zone is supported */
+		dlzdatabase = view->dlzdatabase;
+		findzone = dlzdatabase->implementation->methods->findzone;
+		result = (*findzone)(dlzdatabase->implementation->driverarg,
+				     dlzdatabase->dbdata, dlzdatabase->mctx,
+				     view->rdclass, zonename, dbp);
+		if (result != ISC_R_NOTFOUND)
+			return (result);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+/*%
+ * Registers a DLZ driver.  This basically just adds the dlz
+ * driver to the list of available drivers in the dlz_implementations list.
+ */
+isc_result_t
+dns_dlzregister(const char *drivername, const dns_dlzmethods_t *methods,
+		void *driverarg, isc_mem_t *mctx,
+		dns_dlzimplementation_t **dlzimp)
+{
+
+	dns_dlzimplementation_t *dlz_imp;
+
+	/* Write debugging message to log */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+		      "Registering DLZ driver '%s'", drivername);
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(drivername != NULL);
+	REQUIRE(methods != NULL);
+	REQUIRE(methods->create != NULL);
+	REQUIRE(methods->destroy != NULL);
+	REQUIRE(methods->findzone != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(dlzimp != NULL && *dlzimp == NULL);
+
+	/*
+	 * initialize the dlz_implementations list, this is guaranteed
+	 * to only really happen once.
+	 */
+	RUNTIME_CHECK(isc_once_do(&once, dlz_initialize) == ISC_R_SUCCESS);
+
+	/* lock the dlz_implementations list so we can modify it. */
+	RWLOCK(&dlz_implock, isc_rwlocktype_write);
+
+	/*
+	 * check that another already registered driver isn't using
+	 * the same name
+	 */
+	dlz_imp = dlz_impfind(drivername);
+	if (dlz_imp != NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+			      "DLZ Driver '%s' already registered",
+			      drivername);
+		RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
+		return (ISC_R_EXISTS);
+	}
+
+	/*
+	 * Allocate memory for a dlz_implementation object.  Error if
+	 * we cannot.
+	 */
+	dlz_imp = isc_mem_get(mctx, sizeof(dns_dlzimplementation_t));
+	if (dlz_imp == NULL) {
+		RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
+		return (ISC_R_NOMEMORY);
+	}
+
+	/* Make sure memory region is set to all 0's */
+	memset(dlz_imp, 0, sizeof(dns_dlzimplementation_t));
+
+	/* Store the data passed into this method */
+	dlz_imp->name = drivername;
+	dlz_imp->methods = methods;
+	dlz_imp->mctx = NULL;
+	dlz_imp->driverarg = driverarg;
+
+	/* attach the new dlz_implementation object to a memory context */
+	isc_mem_attach(mctx, &dlz_imp->mctx);
+
+	/*
+	 * prepare the dlz_implementation object to be put in a list,
+	 * and append it to the list
+	 */
+	ISC_LINK_INIT(dlz_imp, link);
+	ISC_LIST_APPEND(dlz_implementations, dlz_imp, link);
+
+	/* Unlock the dlz_implementations list.	 */
+	RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
+
+	/* Pass back the dlz_implementation that we created. */
+	*dlzimp = dlz_imp;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Helper function for dns_dlzstrtoargv().
+ * Pardon the gratuitous recursion.
+ */
+static isc_result_t
+dns_dlzstrtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp,
+		    char ***argvp, unsigned int n)
+{
+	isc_result_t result;
+
+ restart:
+	/* Discard leading whitespace. */
+	while (*s == ' ' || *s == '\t')
+		s++;
+
+	if (*s == '\0') {
+		/* We have reached the end of the string. */
+		*argcp = n;
+		*argvp = isc_mem_get(mctx, n * sizeof(char *));
+		if (*argvp == NULL)
+			return (ISC_R_NOMEMORY);
+	} else {
+		char *p = s;
+		while (*p != ' ' && *p != '\t' && *p != '\0' && *p != '{') {
+			if (*p == '\n') {
+				*p = ' ';
+				goto restart;
+			}
+			p++;
+		}
+
+		/* do "grouping", items between { and } are one arg */
+		if (*p == '{') {
+			char *t = p;
+			/*
+			 * shift all characters to left by 1 to get rid of '{'
+			 */
+			while (*t != '\0') {
+				t++;
+				*(t-1) = *t;
+			}
+			while (*p != '\0' && *p != '}') {
+				p++;
+			}
+			/* get rid of '}' character */
+			if (*p == '}') {
+				*p = '\0';
+				p++;
+			}
+			/* normal case, no "grouping" */
+		} else if (*p != '\0')
+			*p++ = '\0';
+
+		result = dns_dlzstrtoargvsub(mctx, p, argcp, argvp, n + 1);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		(*argvp)[n] = s;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Tokenize the string "s" into whitespace-separated words,
+ * return the number of words in '*argcp' and an array
+ * of pointers to the words in '*argvp'.  The caller
+ * must free the array using isc_mem_put().  The string
+ * is modified in-place.
+ */
+isc_result_t
+dns_dlzstrtoargv(isc_mem_t *mctx, char *s,
+		 unsigned int *argcp, char ***argvp)
+{
+	return(dns_dlzstrtoargvsub(mctx, s, argcp, argvp, 0));
+}
+
+/*%
+ * Unregisters a DLZ driver.  This basically just removes the dlz
+ * driver from the list of available drivers in the dlz_implementations list.
+ */
+void
+dns_dlzunregister(dns_dlzimplementation_t **dlzimp) {
+	dns_dlzimplementation_t *dlz_imp;
+	isc_mem_t *mctx;
+
+	/* Write debugging message to log */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+		      "Unregistering DLZ driver.");
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(dlzimp != NULL && *dlzimp != NULL);
+
+	/*
+	 * initialize the dlz_implementations list, this is guaranteed
+	 * to only really happen once.
+	 */
+	RUNTIME_CHECK(isc_once_do(&once, dlz_initialize) == ISC_R_SUCCESS);
+
+	dlz_imp = *dlzimp;
+
+	/* lock the dlz_implementations list so we can modify it. */
+	RWLOCK(&dlz_implock, isc_rwlocktype_write);
+
+	/* remove the dlz_implementation object from the list */
+	ISC_LIST_UNLINK(dlz_implementations, dlz_imp, link);
+	mctx = dlz_imp->mctx;
+
+	/*
+	 * return the memory back to the available memory pool and
+	 * remove it from the memory context.
+	 */
+	isc_mem_put(mctx, dlz_imp, sizeof(dns_dlzimplementation_t));
+	isc_mem_detach(&mctx);
+
+	/* Unlock the dlz_implementations list. */
+	RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
+}
diff --git a/contrib/bind9/lib/dns/dnssec.c b/contrib/bind9/lib/dns/dnssec.c
index 91f7a99..c0339a1 100644
--- a/contrib/bind9/lib/dns/dnssec.c
+++ b/contrib/bind9/lib/dns/dnssec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,9 +16,10 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.69.2.5.2.9 2006/01/04 23:50:20 marka Exp $
+ * $Id: dnssec.c,v 1.81.18.6 2006/03/07 00:34:53 marka Exp $
  */
 
+/*! \file */
 
 #include <config.h>
 
@@ -519,10 +520,10 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 
 isc_result_t
 dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
-			dns_dbnode_t *node, dns_name_t *name,
-			const char *directory, isc_mem_t *mctx,
-			unsigned int maxkeys, dst_key_t **keys,
-			unsigned int *nkeys)
+			 dns_dbnode_t *node, dns_name_t *name,
+			 const char *directory, isc_mem_t *mctx,
+			 unsigned int maxkeys, dst_key_t **keys,
+			 unsigned int *nkeys)
 {
 	dns_rdataset_t rdataset;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
diff --git a/contrib/bind9/lib/dns/ds.c b/contrib/bind9/lib/dns/ds.c
index b0ca523..7cd1609 100644
--- a/contrib/bind9/lib/dns/ds.c
+++ b/contrib/bind9/lib/dns/ds.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds.c,v 1.4.2.1 2004/03/08 02:07:53 marka Exp $ */
+/* $Id: ds.c,v 1.4.20.5 2006/02/22 23:50:09 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -24,6 +26,7 @@
 #include <isc/buffer.h>
 #include <isc/region.h>
 #include <isc/sha1.h>
+#include <isc/sha2.h>
 #include <isc/util.h>
 
 #include <dns/ds.h>
@@ -40,10 +43,9 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
 		  unsigned int digest_type, unsigned char *buffer,
 		  dns_rdata_t *rdata)
 {
-	isc_sha1_t sha1;
 	dns_fixedname_t fname;
 	dns_name_t *name;
-	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+	unsigned char digest[ISC_SHA256_DIGESTLENGTH];
 	isc_region_t r;
 	isc_buffer_t b;
 	dns_rdata_ds_t ds;
@@ -51,7 +53,7 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
 	REQUIRE(key != NULL);
 	REQUIRE(key->type == dns_rdatatype_dnskey);
 
-	if (digest_type != DNS_DSDIGEST_SHA1)
+	if (!dns_ds_digest_supported(digest_type))
 		return (ISC_R_NOTIMPLEMENTED);
 
 	dns_fixedname_init(&fname);
@@ -61,23 +63,42 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
 	memset(buffer, 0, DNS_DS_BUFFERSIZE);
 	isc_buffer_init(&b, buffer, DNS_DS_BUFFERSIZE);
 
-	isc_sha1_init(&sha1);
-	dns_name_toregion(name, &r);
-	isc_sha1_update(&sha1, r.base, r.length);
-	dns_rdata_toregion(key, &r);
-	INSIST(r.length >= 4);
-	isc_sha1_update(&sha1, r.base, r.length);
-	isc_sha1_final(&sha1, digest);
+	if (digest_type == DNS_DSDIGEST_SHA1) {
+		isc_sha1_t sha1;
+		isc_sha1_init(&sha1);
+		dns_name_toregion(name, &r);
+		isc_sha1_update(&sha1, r.base, r.length);
+		dns_rdata_toregion(key, &r);
+		INSIST(r.length >= 4);
+		isc_sha1_update(&sha1, r.base, r.length);
+		isc_sha1_final(&sha1, digest);
+	} else {
+		isc_sha256_t sha256;
+		isc_sha256_init(&sha256);
+		dns_name_toregion(name, &r);
+		isc_sha256_update(&sha256, r.base, r.length);
+		dns_rdata_toregion(key, &r);
+		INSIST(r.length >= 4);
+		isc_sha256_update(&sha256, r.base, r.length);
+		isc_sha256_final(digest, &sha256);
+	}
 
 	ds.mctx = NULL;
 	ds.common.rdclass = key->rdclass;
 	ds.common.rdtype = dns_rdatatype_ds;
 	ds.algorithm = r.base[3];
 	ds.key_tag = dst_region_computeid(&r, ds.algorithm);
-	ds.digest_type = DNS_DSDIGEST_SHA1;
-	ds.length = ISC_SHA1_DIGESTLENGTH;
+	ds.digest_type = digest_type;
+	ds.length = (digest_type == DNS_DSDIGEST_SHA1) ?
+		    ISC_SHA1_DIGESTLENGTH : ISC_SHA256_DIGESTLENGTH;
 	ds.digest = digest;
 
 	return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds,
 				     &ds, &b));
 }
+
+isc_boolean_t
+dns_ds_digest_supported(unsigned int digest_type) {
+	return  (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 ||
+			digest_type == DNS_DSDIGEST_SHA256));
+}
diff --git a/contrib/bind9/lib/dns/dst_api.c b/contrib/bind9/lib/dns/dst_api.c
index b7b03e6..7d98e10 100644
--- a/contrib/bind9/lib/dns/dst_api.c
+++ b/contrib/bind9/lib/dns/dst_api.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -18,9 +18,11 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.1.4.3 2006/01/04 23:50:20 marka Exp $
+ * $Id: dst_api.c,v 1.1.6.7 2006/01/27 23:57:44 marka Exp $
  */
 
+/*! \file */
+
 #include <config.h>
 
 #include <stdlib.h>
@@ -29,6 +31,7 @@
 #include <isc/dir.h>
 #include <isc/entropy.h>
 #include <isc/fsaccess.h>
+#include <isc/hmacsha.h>
 #include <isc/lex.h>
 #include <isc/mem.h>
 #include <isc/once.h>
@@ -69,10 +72,6 @@ static dst_key_t *	get_key_struct(dns_name_t *name,
 				       unsigned int bits,
 				       dns_rdataclass_t rdclass,
 				       isc_mem_t *mctx);
-static isc_result_t	read_public_key(const char *filename,
-					int type,
-					isc_mem_t *mctx,
-					dst_key_t **keyp);
 static isc_result_t	write_public_key(const dst_key_t *key, int type,
 					 const char *directory);
 static isc_result_t	buildfilename(dns_name_t *name,
@@ -111,6 +110,20 @@ static isc_result_t	addsuffix(char *filename, unsigned int len,
 			return (_r);		\
 	} while (0);				\
 
+static void *
+default_memalloc(void *arg, size_t size) {
+        UNUSED(arg);
+        if (size == 0U)
+                size = 1;
+        return (malloc(size));
+}
+
+static void
+default_memfree(void *arg, void *ptr) {
+        UNUSED(arg);
+        free(ptr);
+}
+
 isc_result_t
 dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 	isc_result_t result;
@@ -126,9 +139,12 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 	 * When using --with-openssl, there seems to be no good way of not
 	 * leaking memory due to the openssl error handling mechanism.
 	 * Avoid assertions by using a local memory context and not checking
-	 * for leaks on exit.
+	 * for leaks on exit.  Note: as there are leaks we cannot use
+	 * ISC_MEMFLAG_INTERNAL as it will free up memory still being used
+	 * by libcrypto.
 	 */
-	result = isc_mem_create(0, 0, &dst__memory_pool);
+	result = isc_mem_createx2(0, 0, default_memalloc, default_memfree,
+				  NULL, &dst__memory_pool, 0);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
@@ -142,6 +158,11 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 
 	memset(dst_t_func, 0, sizeof(dst_t_func));
 	RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
+	RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
+	RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
+	RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
+	RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
+	RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
 #ifdef OPENSSL
 	RETERR(dst__openssl_init());
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
@@ -392,7 +413,16 @@ dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
 	REQUIRE(mctx != NULL);
 	REQUIRE(keyp != NULL && *keyp == NULL);
 
-	result = read_public_key(filename, type, mctx, &pubkey);
+	newfilenamelen = strlen(filename) + 5;
+	newfilename = isc_mem_get(mctx, newfilenamelen);
+	if (newfilename == NULL)
+		return (ISC_R_NOMEMORY);
+	result = addsuffix(newfilename, newfilenamelen, filename, ".key");
+	INSIST(result == ISC_R_SUCCESS);
+
+	result = dst_key_read_public(newfilename, type, mctx, &pubkey);
+	isc_mem_put(mctx, newfilename, newfilenamelen);
+	newfilename = NULL;
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -482,7 +512,7 @@ dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
 						    & 0xffff));
 	}
 
-	if (key->opaque == NULL) /* NULL KEY */
+	if (key->opaque == NULL) /*%< NULL KEY */
 		return (ISC_R_SUCCESS);
 
 	return (key->func->todns(key, target));
@@ -629,7 +659,7 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
 	if (key == NULL)
 		return (ISC_R_NOMEMORY);
 
-	if (bits == 0) { /* NULL KEY */
+	if (bits == 0) { /*%< NULL KEY */
 		key->key_flags |= DNS_KEYTYPE_NOKEY;
 		*keyp = key;
 		return (ISC_R_SUCCESS);
@@ -753,8 +783,23 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
 	case DST_ALG_HMACMD5:
 		*n = 16;
 		break;
+	case DST_ALG_HMACSHA1:
+		*n = ISC_SHA1_DIGESTLENGTH;
+		break;
+	case DST_ALG_HMACSHA224:
+		*n = ISC_SHA224_DIGESTLENGTH;
+		break;
+	case DST_ALG_HMACSHA256:
+		*n = ISC_SHA256_DIGESTLENGTH;
+		break;
+	case DST_ALG_HMACSHA384:
+		*n = ISC_SHA384_DIGESTLENGTH;
+		break;
+	case DST_ALG_HMACSHA512:
+		*n = ISC_SHA512_DIGESTLENGTH;
+		break;
 	case DST_ALG_GSSAPI:
-		*n = 128; /* XXX */
+		*n = 128; /*%< XXX */
 		break;
 	case DST_ALG_DH:
 	default:
@@ -780,7 +825,7 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
  *** Static methods
  ***/
 
-/*
+/*%
  * Allocates a key structure and fills in some of the fields.
  */
 static dst_key_t *
@@ -822,12 +867,12 @@ get_key_struct(dns_name_t *name, unsigned int alg,
 	return (key);
 }
 
-/*
+/*%
  * Reads a public key from disk
  */
-static isc_result_t
-read_public_key(const char *filename, int type,
-		isc_mem_t *mctx, dst_key_t **keyp)
+isc_result_t
+dst_key_read_public(const char *filename, int type,
+		    isc_mem_t *mctx, dst_key_t **keyp)
 {
 	u_char rdatabuf[DST_KEY_MAXSIZE];
 	isc_buffer_t b;
@@ -837,25 +882,16 @@ read_public_key(const char *filename, int type,
 	isc_result_t ret;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	unsigned int opt = ISC_LEXOPT_DNSMULTILINE;
-	char *newfilename;
-	unsigned int newfilenamelen;
 	dns_rdataclass_t rdclass = dns_rdataclass_in;
 	isc_lexspecials_t specials;
 	isc_uint32_t ttl;
 	isc_result_t result;
 	dns_rdatatype_t keytype;
 
-	newfilenamelen = strlen(filename) + 5;
-	newfilename = isc_mem_get(mctx, newfilenamelen);
-	if (newfilename == NULL)
-		return (ISC_R_NOMEMORY);
-	ret = addsuffix(newfilename, newfilenamelen, filename, ".key");
-	INSIST(ret == ISC_R_SUCCESS);
-
 	/*
 	 * Open the file and read its formatted contents
 	 * File format:
-	 *    domain.name [ttl] [class] KEY <flags> <protocol> <algorithm> <key>
+	 *    domain.name [ttl] [class] [KEY|DNSKEY] <flags> <protocol> <algorithm> <key>
 	 */
 
 	/* 1500 should be large enough for any key */
@@ -870,7 +906,7 @@ read_public_key(const char *filename, int type,
 	isc_lex_setspecials(lex, specials);
 	isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
 
-	ret = isc_lex_openfile(lex, newfilename);
+	ret = isc_lex_openfile(lex, filename);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -918,7 +954,7 @@ read_public_key(const char *filename, int type,
 	if (strcasecmp(DST_AS_STR(token), "DNSKEY") == 0)
 		keytype = dns_rdatatype_dnskey;
 	else if (strcasecmp(DST_AS_STR(token), "KEY") == 0)
-		keytype = dns_rdatatype_key; /* SIG(0), TKEY */
+		keytype = dns_rdatatype_key; /*%< SIG(0), TKEY */
 	else
 		BADTOKEN();
 
@@ -942,8 +978,6 @@ read_public_key(const char *filename, int type,
  cleanup:
 	if (lex != NULL)
 		isc_lex_destroy(&lex);
-	isc_mem_put(mctx, newfilename, newfilenamelen);
-
 	return (ret);
 }
 
@@ -967,7 +1001,7 @@ issymmetric(const dst_key_t *key) {
 	}
 }
 
-/*
+/*%
  * Writes a public key to disk in DNS format.
  */
 static isc_result_t
diff --git a/contrib/bind9/lib/dns/dst_internal.h b/contrib/bind9/lib/dns/dst_internal.h
index 982eb6d..f2deb72 100644
--- a/contrib/bind9/lib/dns/dst_internal.h
+++ b/contrib/bind9/lib/dns/dst_internal.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2000-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.1.4.1 2004/12/09 04:07:16 marka Exp $ */
+/* $Id: dst_internal.h,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -46,18 +46,20 @@ extern isc_mem_t *dst__memory_pool;
 
 typedef struct dst_func dst_func_t;
 
+/*% DST Key Structure */
 struct dst_key {
 	unsigned int	magic;
-	dns_name_t *	key_name;	/* name of the key */
-	unsigned int	key_size;	/* size of the key in bits */
-	unsigned int	key_proto;	/* protocols this key is used for */
-	unsigned int	key_alg;	/* algorithm of the key */
-	isc_uint32_t	key_flags;	/* flags of the public key */
-	isc_uint16_t	key_id;		/* identifier of the key */
-	dns_rdataclass_t key_class;	/* class of the key record */
-	isc_mem_t	*mctx;		/* memory context */
-	void *		opaque;		/* pointer to key in crypto pkg fmt */
-	dst_func_t *	func;		/* crypto package specific functions */
+	dns_name_t *	key_name;	/*%< name of the key */
+	unsigned int	key_size;	/*%< size of the key in bits */
+	unsigned int	key_proto;	/*%< protocols this key is used for */
+	unsigned int	key_alg;	/*%< algorithm of the key */
+	isc_uint32_t	key_flags;	/*%< flags of the public key */
+	isc_uint16_t	key_id;		/*%< identifier of the key */
+	isc_uint16_t	key_bits;	/*%< hmac digest bits */
+	dns_rdataclass_t key_class;	/*%< class of the key record */
+	isc_mem_t	*mctx;		/*%< memory context */
+	void *		opaque;		/*%< pointer to key in crypto pkg fmt */
+	dst_func_t *	func;		/*%< crypto package specific functions */
 };
 
 struct dst_context {
@@ -100,30 +102,35 @@ struct dst_func {
 	void (*cleanup)(void);
 };
 
-/*
+/*%
  * Initializers
  */
 isc_result_t dst__openssl_init(void);
 
 isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
+isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
+isc_result_t dst__hmacsha224_init(struct dst_func **funcp);
+isc_result_t dst__hmacsha256_init(struct dst_func **funcp);
+isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
+isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
 isc_result_t dst__opensslrsa_init(struct dst_func **funcp);
 isc_result_t dst__openssldsa_init(struct dst_func **funcp);
 isc_result_t dst__openssldh_init(struct dst_func **funcp);
 isc_result_t dst__gssapi_init(struct dst_func **funcp);
 
-/*
+/*%
  * Destructors
  */
 void dst__openssl_destroy(void);
 
-/*
+/*%
  * Memory allocators using the DST memory pool.
  */
 void * dst__mem_alloc(size_t size);
 void   dst__mem_free(void *ptr);
 void * dst__mem_realloc(void *ptr, size_t size);
 
-/*
+/*%
  * Entropy retriever using the DST entropy pool.
  */
 isc_result_t dst__entropy_getdata(void *buf, unsigned int len,
@@ -132,3 +139,4 @@ isc_result_t dst__entropy_getdata(void *buf, unsigned int len,
 ISC_LANG_ENDDECLS
 
 #endif /* DST_DST_INTERNAL_H */
+/*! \file */
diff --git a/contrib/bind9/lib/dns/dst_lib.c b/contrib/bind9/lib/dns/dst_lib.c
index 8046110..305051c 100644
--- a/contrib/bind9/lib/dns/dst_lib.c
+++ b/contrib/bind9/lib/dns/dst_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -17,9 +17,11 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_lib.c,v 1.1.4.1 2004/12/09 04:07:16 marka Exp $
+ * $Id: dst_lib.c,v 1.1.6.3 2005/04/29 00:15:51 marka Exp $
  */
 
+/*! \file */
+
 #include <config.h>
 
 #include <stddef.h>
diff --git a/contrib/bind9/lib/dns/dst_openssl.h b/contrib/bind9/lib/dns/dst_openssl.h
index 8dbc350..79e10b0 100644
--- a/contrib/bind9/lib/dns/dst_openssl.h
+++ b/contrib/bind9/lib/dns/dst_openssl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_openssl.h,v 1.1.2.1 2004/12/09 04:07:17 marka Exp $ */
+/* $Id: dst_openssl.h,v 1.1.4.3 2005/04/29 00:15:52 marka Exp $ */
 
 #ifndef DST_OPENSSL_H
 #define DST_OPENSSL_H 1
@@ -31,3 +31,4 @@ dst__openssl_toresult(isc_result_t fallback);
 ISC_LANG_ENDDECLS
 
 #endif /* DST_OPENSSL_H */
+/*! \file */
diff --git a/contrib/bind9/lib/dns/dst_parse.c b/contrib/bind9/lib/dns/dst_parse.c
index d34aeca..aad7998 100644
--- a/contrib/bind9/lib/dns/dst_parse.c
+++ b/contrib/bind9/lib/dns/dst_parse.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -16,9 +16,9 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/*
+/*%
  * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $
+ * $Id: dst_parse.c,v 1.1.6.7 2006/05/16 03:59:26 marka Exp $
  */
 
 #include <config.h>
@@ -67,6 +67,23 @@ static struct parse_map map[] = {
 	{TAG_DSA_PUBLIC, "Public_value(y):"},
 
 	{TAG_HMACMD5_KEY, "Key:"},
+	{TAG_HMACMD5_BITS, "Bits:"},
+
+	{TAG_HMACSHA1_KEY, "Key:"},
+	{TAG_HMACSHA1_BITS, "Bits:"},
+
+	{TAG_HMACSHA224_KEY, "Key:"},
+	{TAG_HMACSHA224_BITS, "Bits:"},
+
+	{TAG_HMACSHA256_KEY, "Key:"},
+	{TAG_HMACSHA256_BITS, "Bits:"},
+
+	{TAG_HMACSHA384_KEY, "Key:"},
+	{TAG_HMACSHA384_BITS, "Bits:"},
+
+	{TAG_HMACSHA512_KEY, "Key:"},
+	{TAG_HMACSHA512_BITS, "Bits:"},
+
 	{0, NULL}
 };
 
@@ -141,16 +158,53 @@ check_dsa(const dst_private_t *priv) {
 }
 
 static int
-check_hmac_md5(const dst_private_t *priv) {
-	if (priv->nelements != HMACMD5_NTAGS)
+check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
+	int i, j;
+
+	if (priv->nelements != HMACMD5_NTAGS) {
+		/*
+		 * If this is a good old format and we are accepting
+		 * the old format return success.
+		 */
+		if (old && priv->nelements == OLD_HMACMD5_NTAGS &&
+		    priv->elements[0].tag == TAG_HMACMD5_KEY)
+			return (0);
 		return (-1);
-	if (priv->elements[0].tag != TAG_HMACMD5_KEY)
+	}
+	/*
+	 * We must be new format at this point.
+	 */
+	for (i = 0; i < HMACMD5_NTAGS; i++) {
+		for (j = 0; j < priv->nelements; j++)
+			if (priv->elements[j].tag == TAG(DST_ALG_HMACMD5, i))
+				break;
+		if (j == priv->nelements)
+			return (-1);
+	}
+	return (0);
+}
+
+static int
+check_hmac_sha(const dst_private_t *priv, unsigned int ntags,
+	       unsigned int alg)
+{
+	unsigned int i, j;
+	if (priv->nelements != ntags)
 		return (-1);
+	for (i = 0; i < ntags; i++) {
+		for (j = 0; j < priv->nelements; j++)
+			if (priv->elements[j].tag == TAG(alg, i))
+				break;
+		if (j == priv->nelements)
+			return (-1);
+	}
 	return (0);
 }
 
 static int
-check_data(const dst_private_t *priv, const unsigned int alg) {
+check_data(const dst_private_t *priv, const unsigned int alg,
+	   isc_boolean_t old)
+{
 	/* XXXVIX this switch statement is too sparse to gen a jump table. */
 	switch (alg) {
 	case DST_ALG_RSAMD5:
@@ -161,7 +215,17 @@ check_data(const dst_private_t *priv, const unsigned int alg) {
 	case DST_ALG_DSA:
 		return (check_dsa(priv));
 	case DST_ALG_HMACMD5:
-		return (check_hmac_md5(priv));
+		return (check_hmac_md5(priv, old));
+	case DST_ALG_HMACSHA1:
+		return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg));
+	case DST_ALG_HMACSHA224:
+		return (check_hmac_sha(priv, HMACSHA224_NTAGS, alg));
+	case DST_ALG_HMACSHA256:
+		return (check_hmac_sha(priv, HMACSHA256_NTAGS, alg));
+	case DST_ALG_HMACSHA384:
+		return (check_hmac_sha(priv, HMACSHA384_NTAGS, alg));
+	case DST_ALG_HMACSHA512:
+		return (check_hmac_sha(priv, HMACSHA512_NTAGS, alg));
 	default:
 		return (DST_R_UNSUPPORTEDALG);
 	}
@@ -313,7 +377,7 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
  done:
 	priv->nelements = n;
 
-	if (check_data(priv, alg) < 0)
+	if (check_data(priv, alg, ISC_TRUE) < 0)
 		goto fail;
 
 	return (ISC_R_SUCCESS);
@@ -341,7 +405,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 
 	REQUIRE(priv != NULL);
 
-	if (check_data(priv, dst_key_alg(key)) < 0)
+	if (check_data(priv, dst_key_alg(key), ISC_FALSE) < 0)
 		return (DST_R_INVALIDPRIVATEKEY);
 
 	isc_buffer_init(&b, filename, sizeof(filename));
@@ -380,6 +444,21 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 	case DST_ALG_HMACMD5:
 		fprintf(fp, "(HMAC_MD5)\n");
 		break;
+	case DST_ALG_HMACSHA1:
+		fprintf(fp, "(HMAC_SHA1)\n");
+		break;
+	case DST_ALG_HMACSHA224:
+		fprintf(fp, "(HMAC_SHA224)\n");
+		break;
+	case DST_ALG_HMACSHA256:
+		fprintf(fp, "(HMAC_SHA256)\n");
+		break;
+	case DST_ALG_HMACSHA384:
+		fprintf(fp, "(HMAC_SHA384)\n");
+		break;
+	case DST_ALG_HMACSHA512:
+		fprintf(fp, "(HMAC_SHA512)\n");
+		break;
 	default:
 		fprintf(fp, "(?)\n");
 		break;
@@ -410,3 +489,5 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 	fclose(fp);
 	return (ISC_R_SUCCESS);
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/dns/dst_parse.h b/contrib/bind9/lib/dns/dst_parse.h
index 9ecef4f..8656f59 100644
--- a/contrib/bind9/lib/dns/dst_parse.h
+++ b/contrib/bind9/lib/dns/dst_parse.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2000-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -16,8 +16,9 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_parse.h,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $ */
+/* $Id: dst_parse.h,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $ */
 
+/*! \file */
 #ifndef DST_DST_PARSE_H
 #define DST_DST_PARSE_H 1
 
@@ -59,8 +60,30 @@
 #define TAG_DSA_PRIVATE		((DST_ALG_DSA << TAG_SHIFT) + 3)
 #define TAG_DSA_PUBLIC		((DST_ALG_DSA << TAG_SHIFT) + 4)
 
-#define HMACMD5_NTAGS		1
+#define OLD_HMACMD5_NTAGS	1
+#define HMACMD5_NTAGS		2
 #define TAG_HMACMD5_KEY		((DST_ALG_HMACMD5 << TAG_SHIFT) + 0)
+#define TAG_HMACMD5_BITS	((DST_ALG_HMACMD5 << TAG_SHIFT) + 1)
+
+#define HMACSHA1_NTAGS		2
+#define TAG_HMACSHA1_KEY	((DST_ALG_HMACSHA1 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA1_BITS	((DST_ALG_HMACSHA1 << TAG_SHIFT) + 1)
+
+#define HMACSHA224_NTAGS	2
+#define TAG_HMACSHA224_KEY	((DST_ALG_HMACSHA224 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA224_BITS	((DST_ALG_HMACSHA224 << TAG_SHIFT) + 1)
+
+#define HMACSHA256_NTAGS	2
+#define TAG_HMACSHA256_KEY	((DST_ALG_HMACSHA256 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA256_BITS	((DST_ALG_HMACSHA224 << TAG_SHIFT) + 1)
+
+#define HMACSHA384_NTAGS	2
+#define TAG_HMACSHA384_KEY	((DST_ALG_HMACSHA384 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA384_BITS	((DST_ALG_HMACSHA384 << TAG_SHIFT) + 1)
+
+#define HMACSHA512_NTAGS	2
+#define TAG_HMACSHA512_KEY	((DST_ALG_HMACSHA512 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA512_BITS	((DST_ALG_HMACSHA512 << TAG_SHIFT) + 1)
 
 struct dst_private_element {
 	unsigned short tag;
diff --git a/contrib/bind9/lib/dns/dst_result.c b/contrib/bind9/lib/dns/dst_result.c
index 9b1536c..c9bf073 100644
--- a/contrib/bind9/lib/dns/dst_result.c
+++ b/contrib/bind9/lib/dns/dst_result.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/*
+/*%
  * Principal Author: Brian Wellington
- * $Id: dst_result.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $
+ * $Id: dst_result.c,v 1.1.6.3 2005/04/29 00:15:52 marka Exp $
  */
 
 #include <config.h>
@@ -29,27 +29,27 @@
 #include <dst/lib.h>
 
 static const char *text[DST_R_NRESULTS] = {
-	"algorithm is unsupported",		/*  0 */
-	"openssl failure",			/*  1 */
-	"built with no crypto support",		/*  2 */
-	"illegal operation for a null key",	/*  3 */
-	"public key is invalid",		/*  4 */
-	"private key is invalid",		/*  5 */
-	"UNUSED6",				/*  6 */
-	"error occurred writing key to disk",	/*  7 */
-	"invalid algorithm specific parameter",	/*  8 */
-	"UNUSED9",				/*  9 */
-	"UNUSED10",				/* 10 */
-	"sign failure",				/* 11 */
-	"UNUSED12",				/* 12 */
-	"UNUSED13",				/* 13 */
-	"verify failure",			/* 14 */
-	"not a public key",			/* 15 */
-	"not a private key",			/* 16 */
-	"not a key that can compute a secret",	/* 17 */
-	"failure computing a shared secret",	/* 18 */
-	"no randomness available",		/* 19 */
-	"bad key type"				/* 20 */
+	"algorithm is unsupported",		/*%< 0 */
+	"openssl failure",			/*%< 1 */
+	"built with no crypto support",		/*%< 2 */
+	"illegal operation for a null key",	/*%< 3 */
+	"public key is invalid",		/*%< 4 */
+	"private key is invalid",		/*%< 5 */
+	"UNUSED6",				/*%< 6 */
+	"error occurred writing key to disk",	/*%< 7 */
+	"invalid algorithm specific parameter",	/*%< 8 */
+	"UNUSED9",				/*%< 9 */
+	"UNUSED10",				/*%< 10 */
+	"sign failure",				/*%< 11 */
+	"UNUSED12",				/*%< 12 */
+	"UNUSED13",				/*%< 13 */
+	"verify failure",			/*%< 14 */
+	"not a public key",			/*%< 15 */
+	"not a private key",			/*%< 16 */
+	"not a key that can compute a secret",	/*%< 17 */
+	"failure computing a shared secret",	/*%< 18 */
+	"no randomness available",		/*%< 19 */
+	"bad key type"				/*%< 20 */
 };
 
 #define DST_RESULT_RESULTSET			2
@@ -84,3 +84,5 @@ void
 dst_result_register(void) {
 	initialize();
 }
+
+/*! \file */
diff --git a/contrib/bind9/lib/dns/forward.c b/contrib/bind9/lib/dns/forward.c
index 1455fbad..e80a477 100644
--- a/contrib/bind9/lib/dns/forward.c
+++ b/contrib/bind9/lib/dns/forward.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: forward.c,v 1.5.206.3 2005/03/17 03:58:30 marka Exp $ */
+/* $Id: forward.c,v 1.6.18.4 2005/07/12 01:22:20 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -62,13 +64,8 @@ dns_fwdtable_create(isc_mem_t *mctx, dns_fwdtable_t **fwdtablep) {
 		goto cleanup_fwdtable;
 
 	result = isc_rwlock_init(&fwdtable->rwlock, 0, 0);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_rwlock_init() failed: %s",
-				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_rbt;
-	}
 
 	fwdtable->mctx = NULL;
 	isc_mem_attach(mctx, &fwdtable->mctx);
diff --git a/contrib/bind9/lib/dns/gen-unix.h b/contrib/bind9/lib/dns/gen-unix.h
index bd007c4..fc2dbf2 100644
--- a/contrib/bind9/lib/dns/gen-unix.h
+++ b/contrib/bind9/lib/dns/gen-unix.h
@@ -15,9 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gen-unix.h,v 1.12.12.5 2005/06/09 23:54:29 marka Exp $ */
+/* $Id: gen-unix.h,v 1.14.18.3 2005/06/08 02:07:54 marka Exp $ */
 
-/*
+/*! \file
+ * \brief
  * This file is responsible for defining two operations that are not
  * directly portable between Unix-like systems and Windows NT, option
  * parsing and directory scanning.  It is here because it was decided
diff --git a/contrib/bind9/lib/dns/gen.c b/contrib/bind9/lib/dns/gen.c
index 1d83023..1e6212a 100644
--- a/contrib/bind9/lib/dns/gen.c
+++ b/contrib/bind9/lib/dns/gen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gen.c,v 1.65.2.5.2.9 2006/10/02 06:31:26 marka Exp $ */
+/* $Id: gen.c,v 1.73.18.6 2006/10/02 06:36:43 marka Exp $ */
+
+/*! \file */
 
 #ifdef WIN32
 /*
@@ -123,6 +125,8 @@ const char copyright[] =
 " ***************   DO NOT EDIT!\n"
 " ***************\n"
 " ***************/\n"
+"\n"
+"/*! \\file */\n"
 "\n";
 
 #define TYPENAMES 256
@@ -168,7 +172,7 @@ sd(int, const char *, const char *, char);
 void
 insert_into_typenames(int, const char *, const char *);
 
-/*
+/*%
  * If you use more than 10 of these in, say, a printf(), you'll have problems.
  */
 char *
@@ -832,13 +836,10 @@ main(int argc, char **argv) {
 	} while (0)
 
 		for (cc = classes; cc != NULL; cc = cc->next) {
-			if (cc->rdclass == 4) {
-				PRINTCLASS("ch", 3);
+			if (cc->rdclass == 3)
 				PRINTCLASS("chaos", 3);
-
-			} else if (cc->rdclass == 255) {
+			else if (cc->rdclass == 255)
 				PRINTCLASS("none", 254);
-			}
 			PRINTCLASS(cc->classname, cc->rdclass);
 		}
 
diff --git a/contrib/bind9/lib/dns/gssapi_link.c b/contrib/bind9/lib/dns/gssapi_link.c
index 0a2e848..a6a367a 100644
--- a/contrib/bind9/lib/dns/gssapi_link.c
+++ b/contrib/bind9/lib/dns/gssapi_link.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: gssapi_link.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $
+ * $Id: gssapi_link.c,v 1.1.6.3 2005/04/29 00:15:53 marka Exp $
  */
 
 #ifdef GSSAPI
@@ -194,17 +194,17 @@ static dst_func_t gssapi_functions = {
 	gssapi_adddata,
 	gssapi_sign,
 	gssapi_verify,
-	NULL, /* computesecret */
+	NULL, /*%< computesecret */
 	gssapi_compare,
-	NULL, /* paramcompare */
+	NULL, /*%< paramcompare */
 	gssapi_generate,
 	gssapi_isprivate,
 	gssapi_destroy,
-	NULL, /* todns */
-	NULL, /* fromdns */
-	NULL, /* tofile */
-	NULL, /* parse */
-	NULL, /* cleanup */
+	NULL, /*%< todns */
+	NULL, /*%< fromdns */
+	NULL, /*%< tofile */
+	NULL, /*%< parse */
+	NULL, /*%< cleanup */
 };
 
 isc_result_t
@@ -218,3 +218,5 @@ dst__gssapi_init(dst_func_t **funcp) {
 #else
 int  gssapi_link_unneeded = 1;
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/dns/gssapictx.c b/contrib/bind9/lib/dns/gssapictx.c
index 2605a7a..ce5d6fa 100644
--- a/contrib/bind9/lib/dns/gssapictx.c
+++ b/contrib/bind9/lib/dns/gssapictx.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gssapictx.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $ */
+/* $Id: gssapictx.c,v 1.1.6.3 2005/04/29 00:15:54 marka Exp $ */
 
 #include <config.h>
 
@@ -260,3 +260,5 @@ dst_gssapi_acceptctx(dns_name_t *name, void *cred,
 }
 
 #endif
+
+/*! \file */
diff --git a/contrib/bind9/lib/dns/hmac_link.c b/contrib/bind9/lib/dns/hmac_link.c
index 762fcee..9655c89 100644
--- a/contrib/bind9/lib/dns/hmac_link.c
+++ b/contrib/bind9/lib/dns/hmac_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -18,14 +18,16 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $
+ * $Id: hmac_link.c,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $
  */
 
 #include <config.h>
 
 #include <isc/buffer.h>
 #include <isc/hmacmd5.h>
+#include <isc/hmacsha.h>
 #include <isc/md5.h>
+#include <isc/sha1.h>
 #include <isc/mem.h>
 #include <isc/string.h>
 #include <isc/util.h>
@@ -46,6 +48,17 @@ typedef struct hmackey {
 } HMAC_Key;
 
 static isc_result_t
+getkeybits(dst_key_t *key, struct dst_private_element *element) {
+
+	if (element->length != 2)
+		return (DST_R_INVALIDPRIVATEKEY);
+
+	key->key_bits =	(element->data[0] << 8) + element->data[1];
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
 hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
 	isc_hmacmd5_t *hmacmd5ctx;
 	HMAC_Key *hkey = key->opaque;
@@ -95,10 +108,10 @@ static isc_result_t
 hmacmd5_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
 
-	if (sig->length < ISC_MD5_DIGESTLENGTH)
+	if (sig->length > ISC_MD5_DIGESTLENGTH)
 		return (DST_R_VERIFYFAILURE);
 
-	if (isc_hmacmd5_verify(hmacmd5ctx, sig->base))
+	if (isc_hmacmd5_verify2(hmacmd5ctx, sig->base, sig->length))
 		return (ISC_R_SUCCESS);
 	else
 		return (DST_R_VERIFYFAILURE);
@@ -130,9 +143,9 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok) {
 	unsigned char data[HMAC_LEN];
 
 	bytes = (key->key_size + 7) / 8;
-	if (bytes > 64) {
-		bytes = 64;
-		key->key_size = 512;
+	if (bytes > HMAC_LEN) {
+		bytes = HMAC_LEN;
+		key->key_size = HMAC_LEN * 8;
 	}
 
 	memset(data, 0, HMAC_LEN);
@@ -220,6 +233,7 @@ hmacmd5_tofile(const dst_key_t *key, const char *directory) {
 	HMAC_Key *hkey;
 	dst_private_t priv;
 	int bytes = (key->key_size + 7) / 8;
+	unsigned char buf[2];
 
 	if (key->opaque == NULL)
 		return (DST_R_NULLKEY);
@@ -230,6 +244,12 @@ hmacmd5_tofile(const dst_key_t *key, const char *directory) {
 	priv.elements[cnt].length = bytes;
 	priv.elements[cnt++].data = hkey->key;
 
+	buf[0] = (key->key_bits >> 8) & 0xffU;
+	buf[1] = key->key_bits & 0xffU;
+	priv.elements[cnt].tag = TAG_HMACMD5_BITS;
+	priv.elements[cnt].data = buf;
+	priv.elements[cnt++].length = 2;
+
 	priv.nelements = cnt;
 	return (dst__privstruct_writefile(key, &priv, directory));
 }
@@ -237,21 +257,40 @@ hmacmd5_tofile(const dst_key_t *key, const char *directory) {
 static isc_result_t
 hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer) {
 	dst_private_t priv;
-	isc_result_t ret;
+	isc_result_t result, tresult;
 	isc_buffer_t b;
 	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
 
 	/* read private key file */
-	ret = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
+	result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv);
+	if (result != ISC_R_SUCCESS)
+		return (result);
 
-	isc_buffer_init(&b, priv.elements[0].data, priv.elements[0].length);
-	isc_buffer_add(&b, priv.elements[0].length);
-	ret = hmacmd5_fromdns(key, &b);
+	key->key_bits = 0;
+	for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_HMACMD5_KEY:
+			isc_buffer_init(&b, priv.elements[i].data,
+				        priv.elements[i].length);
+			isc_buffer_add(&b, priv.elements[i].length);
+			tresult = hmacmd5_fromdns(key, &b);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		case TAG_HMACMD5_BITS:
+			tresult = getkeybits(key, &priv.elements[i]);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		default:
+			result = DST_R_INVALIDPRIVATEKEY;
+			break;
+		}
+	}
 	dst__privstruct_free(&priv, mctx);
 	memset(&priv, 0, sizeof(priv));
-	return (ret);
+	return (result);
 }
 
 static dst_func_t hmacmd5_functions = {
@@ -260,9 +299,9 @@ static dst_func_t hmacmd5_functions = {
 	hmacmd5_adddata,
 	hmacmd5_sign,
 	hmacmd5_verify,
-	NULL, /* computesecret */
+	NULL, /*%< computesecret */
 	hmacmd5_compare,
-	NULL, /* paramcompare */
+	NULL, /*%< paramcompare */
 	hmacmd5_generate,
 	hmacmd5_isprivate,
 	hmacmd5_destroy,
@@ -270,7 +309,7 @@ static dst_func_t hmacmd5_functions = {
 	hmacmd5_fromdns,
 	hmacmd5_tofile,
 	hmacmd5_parse,
-	NULL, /* cleanup */
+	NULL, /*%< cleanup */
 };
 
 isc_result_t
@@ -280,3 +319,1350 @@ dst__hmacmd5_init(dst_func_t **funcp) {
 		*funcp = &hmacmd5_functions;
 	return (ISC_R_SUCCESS);
 }
+
+static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
+
+typedef struct {
+	unsigned char key[ISC_SHA1_DIGESTLENGTH];
+} HMACSHA1_Key;
+
+static isc_result_t
+hmacsha1_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_hmacsha1_t *hmacsha1ctx;
+	HMACSHA1_Key *hkey = key->opaque;
+
+	hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t));
+	if (hmacsha1ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_DIGESTLENGTH);
+	dctx->opaque = hmacsha1ctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+hmacsha1_destroyctx(dst_context_t *dctx) {
+	isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+
+	if (hmacsha1ctx != NULL) {
+		isc_hmacsha1_invalidate(hmacsha1ctx);
+		isc_mem_put(dctx->mctx, hmacsha1ctx, sizeof(isc_hmacsha1_t));
+		dctx->opaque = NULL;
+	}
+}
+
+static isc_result_t
+hmacsha1_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+
+	isc_hmacsha1_update(hmacsha1ctx, data->base, data->length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha1_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+	unsigned char *digest;
+
+	if (isc_buffer_availablelength(sig) < ISC_SHA1_DIGESTLENGTH)
+		return (ISC_R_NOSPACE);
+	digest = isc_buffer_used(sig);
+	isc_hmacsha1_sign(hmacsha1ctx, digest, ISC_SHA1_DIGESTLENGTH);
+	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha1_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+
+	if (sig->length > ISC_SHA1_DIGESTLENGTH || sig->length == 0)
+		return (DST_R_VERIFYFAILURE);
+
+	if (isc_hmacsha1_verify(hmacsha1ctx, sig->base, sig->length))
+		return (ISC_R_SUCCESS);
+	else
+		return (DST_R_VERIFYFAILURE);
+}
+
+static isc_boolean_t
+hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	HMACSHA1_Key *hkey1, *hkey2;
+
+	hkey1 = (HMACSHA1_Key *)key1->opaque;
+	hkey2 = (HMACSHA1_Key *)key2->opaque;
+
+	if (hkey1 == NULL && hkey2 == NULL)
+		return (ISC_TRUE);
+	else if (hkey1 == NULL || hkey2 == NULL)
+		return (ISC_FALSE);
+
+	if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_DIGESTLENGTH) == 0)
+		return (ISC_TRUE);
+	else
+		return (ISC_FALSE);
+}
+
+static isc_result_t
+hmacsha1_generate(dst_key_t *key, int pseudorandom_ok) {
+	isc_buffer_t b;
+	isc_result_t ret;
+	int bytes;
+	unsigned char data[HMAC_LEN];
+
+	bytes = (key->key_size + 7) / 8;
+	if (bytes > HMAC_LEN) {
+		bytes = HMAC_LEN;
+		key->key_size = HMAC_LEN * 8;
+	}
+
+	memset(data, 0, HMAC_LEN);
+	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_init(&b, data, bytes);
+	isc_buffer_add(&b, bytes);
+	ret = hmacsha1_fromdns(key, &b);
+	memset(data, 0, ISC_SHA1_DIGESTLENGTH);
+
+	return (ret);
+}
+
+static isc_boolean_t
+hmacsha1_isprivate(const dst_key_t *key) {
+	UNUSED(key);
+	return (ISC_TRUE);
+}
+
+static void
+hmacsha1_destroy(dst_key_t *key) {
+	HMACSHA1_Key *hkey = key->opaque;
+	memset(hkey, 0, sizeof(HMACSHA1_Key));
+	isc_mem_put(key->mctx, hkey, sizeof(HMACSHA1_Key));
+	key->opaque = NULL;
+}
+
+static isc_result_t
+hmacsha1_todns(const dst_key_t *key, isc_buffer_t *data) {
+	HMACSHA1_Key *hkey;
+	unsigned int bytes;
+
+	REQUIRE(key->opaque != NULL);
+
+	hkey = (HMACSHA1_Key *) key->opaque;
+
+	bytes = (key->key_size + 7) / 8;
+	if (isc_buffer_availablelength(data) < bytes)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putmem(data, hkey->key, bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	HMACSHA1_Key *hkey;
+	int keylen;
+	isc_region_t r;
+	isc_sha1_t sha1ctx;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	hkey = (HMACSHA1_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA1_Key));
+	if (hkey == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(hkey->key, 0, sizeof(hkey->key));
+
+	if (r.length > ISC_SHA1_DIGESTLENGTH) {
+		isc_sha1_init(&sha1ctx);
+		isc_sha1_update(&sha1ctx, r.base, r.length);
+		isc_sha1_final(&sha1ctx, hkey->key);
+		keylen = ISC_SHA1_DIGESTLENGTH;
+	}
+	else {
+		memcpy(hkey->key, r.base, r.length);
+		keylen = r.length;
+	}
+
+	key->key_size = keylen * 8;
+	key->opaque = hkey;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha1_tofile(const dst_key_t *key, const char *directory) {
+	int cnt = 0;
+	HMACSHA1_Key *hkey;
+	dst_private_t priv;
+	int bytes = (key->key_size + 7) / 8;
+	unsigned char buf[2];
+
+	if (key->opaque == NULL)
+		return (DST_R_NULLKEY);
+
+	hkey = (HMACSHA1_Key *) key->opaque;
+
+	priv.elements[cnt].tag = TAG_HMACSHA1_KEY;
+	priv.elements[cnt].length = bytes;
+	priv.elements[cnt++].data = hkey->key;
+
+	buf[0] = (key->key_bits >> 8) & 0xffU;
+	buf[1] = key->key_bits & 0xffU;
+	priv.elements[cnt].tag = TAG_HMACSHA1_BITS;
+	priv.elements[cnt].data = buf;
+	priv.elements[cnt++].length = 2;
+
+	priv.nelements = cnt;
+	return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+hmacsha1_parse(dst_key_t *key, isc_lex_t *lexer) {
+	dst_private_t priv;
+	isc_result_t result, tresult;
+	isc_buffer_t b;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+
+	/* read private key file */
+	result = dst__privstruct_parse(key, DST_ALG_HMACSHA1, lexer, mctx,
+				       &priv);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	key->key_bits = 0;
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_HMACSHA1_KEY:
+			isc_buffer_init(&b, priv.elements[i].data,
+				        priv.elements[i].length);
+			isc_buffer_add(&b, priv.elements[i].length);
+			tresult = hmacsha1_fromdns(key, &b);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		case TAG_HMACSHA1_BITS:
+			tresult = getkeybits(key, &priv.elements[i]);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		default:
+			result = DST_R_INVALIDPRIVATEKEY;
+			break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	return (result);
+}
+
+static dst_func_t hmacsha1_functions = {
+	hmacsha1_createctx,
+	hmacsha1_destroyctx,
+	hmacsha1_adddata,
+	hmacsha1_sign,
+	hmacsha1_verify,
+	NULL, /* computesecret */
+	hmacsha1_compare,
+	NULL, /* paramcompare */
+	hmacsha1_generate,
+	hmacsha1_isprivate,
+	hmacsha1_destroy,
+	hmacsha1_todns,
+	hmacsha1_fromdns,
+	hmacsha1_tofile,
+	hmacsha1_parse,
+	NULL, /* cleanup */
+};
+
+isc_result_t
+dst__hmacsha1_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &hmacsha1_functions;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data);
+
+typedef struct {
+	unsigned char key[ISC_SHA224_DIGESTLENGTH];
+} HMACSHA224_Key;
+
+static isc_result_t
+hmacsha224_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_hmacsha224_t *hmacsha224ctx;
+	HMACSHA224_Key *hkey = key->opaque;
+
+	hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t));
+	if (hmacsha224ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_DIGESTLENGTH);
+	dctx->opaque = hmacsha224ctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+hmacsha224_destroyctx(dst_context_t *dctx) {
+	isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+
+	if (hmacsha224ctx != NULL) {
+		isc_hmacsha224_invalidate(hmacsha224ctx);
+		isc_mem_put(dctx->mctx, hmacsha224ctx, sizeof(isc_hmacsha224_t));
+		dctx->opaque = NULL;
+	}
+}
+
+static isc_result_t
+hmacsha224_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+
+	isc_hmacsha224_update(hmacsha224ctx, data->base, data->length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha224_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+	unsigned char *digest;
+
+	if (isc_buffer_availablelength(sig) < ISC_SHA224_DIGESTLENGTH)
+		return (ISC_R_NOSPACE);
+	digest = isc_buffer_used(sig);
+	isc_hmacsha224_sign(hmacsha224ctx, digest, ISC_SHA224_DIGESTLENGTH);
+	isc_buffer_add(sig, ISC_SHA224_DIGESTLENGTH);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha224_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+
+	if (sig->length > ISC_SHA224_DIGESTLENGTH || sig->length == 0)
+		return (DST_R_VERIFYFAILURE);
+
+	if (isc_hmacsha224_verify(hmacsha224ctx, sig->base, sig->length))
+		return (ISC_R_SUCCESS);
+	else
+		return (DST_R_VERIFYFAILURE);
+}
+
+static isc_boolean_t
+hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	HMACSHA224_Key *hkey1, *hkey2;
+
+	hkey1 = (HMACSHA224_Key *)key1->opaque;
+	hkey2 = (HMACSHA224_Key *)key2->opaque;
+
+	if (hkey1 == NULL && hkey2 == NULL)
+		return (ISC_TRUE);
+	else if (hkey1 == NULL || hkey2 == NULL)
+		return (ISC_FALSE);
+
+	if (memcmp(hkey1->key, hkey2->key, ISC_SHA224_DIGESTLENGTH) == 0)
+		return (ISC_TRUE);
+	else
+		return (ISC_FALSE);
+}
+
+static isc_result_t
+hmacsha224_generate(dst_key_t *key, int pseudorandom_ok) {
+	isc_buffer_t b;
+	isc_result_t ret;
+	int bytes;
+	unsigned char data[HMAC_LEN];
+
+	bytes = (key->key_size + 7) / 8;
+	if (bytes > HMAC_LEN) {
+		bytes = HMAC_LEN;
+		key->key_size = HMAC_LEN * 8;
+	}
+
+	memset(data, 0, HMAC_LEN);
+	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_init(&b, data, bytes);
+	isc_buffer_add(&b, bytes);
+	ret = hmacsha224_fromdns(key, &b);
+	memset(data, 0, ISC_SHA224_DIGESTLENGTH);
+
+	return (ret);
+}
+
+static isc_boolean_t
+hmacsha224_isprivate(const dst_key_t *key) {
+	UNUSED(key);
+	return (ISC_TRUE);
+}
+
+static void
+hmacsha224_destroy(dst_key_t *key) {
+	HMACSHA224_Key *hkey = key->opaque;
+	memset(hkey, 0, sizeof(HMACSHA224_Key));
+	isc_mem_put(key->mctx, hkey, sizeof(HMACSHA224_Key));
+	key->opaque = NULL;
+}
+
+static isc_result_t
+hmacsha224_todns(const dst_key_t *key, isc_buffer_t *data) {
+	HMACSHA224_Key *hkey;
+	unsigned int bytes;
+
+	REQUIRE(key->opaque != NULL);
+
+	hkey = (HMACSHA224_Key *) key->opaque;
+
+	bytes = (key->key_size + 7) / 8;
+	if (isc_buffer_availablelength(data) < bytes)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putmem(data, hkey->key, bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	HMACSHA224_Key *hkey;
+	int keylen;
+	isc_region_t r;
+	isc_sha224_t sha224ctx;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	hkey = (HMACSHA224_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA224_Key));
+	if (hkey == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(hkey->key, 0, sizeof(hkey->key));
+
+	if (r.length > ISC_SHA224_DIGESTLENGTH) {
+		isc_sha224_init(&sha224ctx);
+		isc_sha224_update(&sha224ctx, r.base, r.length);
+		isc_sha224_final(hkey->key, &sha224ctx);
+		keylen = ISC_SHA224_DIGESTLENGTH;
+	}
+	else {
+		memcpy(hkey->key, r.base, r.length);
+		keylen = r.length;
+	}
+
+	key->key_size = keylen * 8;
+	key->opaque = hkey;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha224_tofile(const dst_key_t *key, const char *directory) {
+	int cnt = 0;
+	HMACSHA224_Key *hkey;
+	dst_private_t priv;
+	int bytes = (key->key_size + 7) / 8;
+	unsigned char buf[2];
+
+	if (key->opaque == NULL)
+		return (DST_R_NULLKEY);
+
+	hkey = (HMACSHA224_Key *) key->opaque;
+
+	priv.elements[cnt].tag = TAG_HMACSHA224_KEY;
+	priv.elements[cnt].length = bytes;
+	priv.elements[cnt++].data = hkey->key;
+
+	buf[0] = (key->key_bits >> 8) & 0xffU;
+	buf[1] = key->key_bits & 0xffU;
+	priv.elements[cnt].tag = TAG_HMACSHA224_BITS;
+	priv.elements[cnt].data = buf;
+	priv.elements[cnt++].length = 2;
+
+	priv.nelements = cnt;
+	return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+hmacsha224_parse(dst_key_t *key, isc_lex_t *lexer) {
+	dst_private_t priv;
+	isc_result_t result, tresult;
+	isc_buffer_t b;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+
+	/* read private key file */
+	result = dst__privstruct_parse(key, DST_ALG_HMACSHA224, lexer, mctx,
+				       &priv);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	key->key_bits = 0;
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_HMACSHA224_KEY:
+			isc_buffer_init(&b, priv.elements[i].data,
+				        priv.elements[i].length);
+			isc_buffer_add(&b, priv.elements[i].length);
+			tresult = hmacsha224_fromdns(key, &b);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		case TAG_HMACSHA224_BITS:
+			tresult = getkeybits(key, &priv.elements[i]);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		default:
+			result = DST_R_INVALIDPRIVATEKEY;
+			break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	return (result);
+}
+
+static dst_func_t hmacsha224_functions = {
+	hmacsha224_createctx,
+	hmacsha224_destroyctx,
+	hmacsha224_adddata,
+	hmacsha224_sign,
+	hmacsha224_verify,
+	NULL, /* computesecret */
+	hmacsha224_compare,
+	NULL, /* paramcompare */
+	hmacsha224_generate,
+	hmacsha224_isprivate,
+	hmacsha224_destroy,
+	hmacsha224_todns,
+	hmacsha224_fromdns,
+	hmacsha224_tofile,
+	hmacsha224_parse,
+	NULL, /* cleanup */
+};
+
+isc_result_t
+dst__hmacsha224_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &hmacsha224_functions;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data);
+
+typedef struct {
+	unsigned char key[ISC_SHA256_DIGESTLENGTH];
+} HMACSHA256_Key;
+
+static isc_result_t
+hmacsha256_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_hmacsha256_t *hmacsha256ctx;
+	HMACSHA256_Key *hkey = key->opaque;
+
+	hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t));
+	if (hmacsha256ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_DIGESTLENGTH);
+	dctx->opaque = hmacsha256ctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+hmacsha256_destroyctx(dst_context_t *dctx) {
+	isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+
+	if (hmacsha256ctx != NULL) {
+		isc_hmacsha256_invalidate(hmacsha256ctx);
+		isc_mem_put(dctx->mctx, hmacsha256ctx, sizeof(isc_hmacsha256_t));
+		dctx->opaque = NULL;
+	}
+}
+
+static isc_result_t
+hmacsha256_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+
+	isc_hmacsha256_update(hmacsha256ctx, data->base, data->length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha256_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+	unsigned char *digest;
+
+	if (isc_buffer_availablelength(sig) < ISC_SHA256_DIGESTLENGTH)
+		return (ISC_R_NOSPACE);
+	digest = isc_buffer_used(sig);
+	isc_hmacsha256_sign(hmacsha256ctx, digest, ISC_SHA256_DIGESTLENGTH);
+	isc_buffer_add(sig, ISC_SHA256_DIGESTLENGTH);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha256_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+
+	if (sig->length > ISC_SHA256_DIGESTLENGTH || sig->length == 0)
+		return (DST_R_VERIFYFAILURE);
+
+	if (isc_hmacsha256_verify(hmacsha256ctx, sig->base, sig->length))
+		return (ISC_R_SUCCESS);
+	else
+		return (DST_R_VERIFYFAILURE);
+}
+
+static isc_boolean_t
+hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	HMACSHA256_Key *hkey1, *hkey2;
+
+	hkey1 = (HMACSHA256_Key *)key1->opaque;
+	hkey2 = (HMACSHA256_Key *)key2->opaque;
+
+	if (hkey1 == NULL && hkey2 == NULL)
+		return (ISC_TRUE);
+	else if (hkey1 == NULL || hkey2 == NULL)
+		return (ISC_FALSE);
+
+	if (memcmp(hkey1->key, hkey2->key, ISC_SHA256_DIGESTLENGTH) == 0)
+		return (ISC_TRUE);
+	else
+		return (ISC_FALSE);
+}
+
+static isc_result_t
+hmacsha256_generate(dst_key_t *key, int pseudorandom_ok) {
+	isc_buffer_t b;
+	isc_result_t ret;
+	int bytes;
+	unsigned char data[HMAC_LEN];
+
+	bytes = (key->key_size + 7) / 8;
+	if (bytes > HMAC_LEN) {
+		bytes = HMAC_LEN;
+		key->key_size = HMAC_LEN * 8;
+	}
+
+	memset(data, 0, HMAC_LEN);
+	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_init(&b, data, bytes);
+	isc_buffer_add(&b, bytes);
+	ret = hmacsha256_fromdns(key, &b);
+	memset(data, 0, ISC_SHA256_DIGESTLENGTH);
+
+	return (ret);
+}
+
+static isc_boolean_t
+hmacsha256_isprivate(const dst_key_t *key) {
+	UNUSED(key);
+	return (ISC_TRUE);
+}
+
+static void
+hmacsha256_destroy(dst_key_t *key) {
+	HMACSHA256_Key *hkey = key->opaque;
+	memset(hkey, 0, sizeof(HMACSHA256_Key));
+	isc_mem_put(key->mctx, hkey, sizeof(HMACSHA256_Key));
+	key->opaque = NULL;
+}
+
+static isc_result_t
+hmacsha256_todns(const dst_key_t *key, isc_buffer_t *data) {
+	HMACSHA256_Key *hkey;
+	unsigned int bytes;
+
+	REQUIRE(key->opaque != NULL);
+
+	hkey = (HMACSHA256_Key *) key->opaque;
+
+	bytes = (key->key_size + 7) / 8;
+	if (isc_buffer_availablelength(data) < bytes)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putmem(data, hkey->key, bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	HMACSHA256_Key *hkey;
+	int keylen;
+	isc_region_t r;
+	isc_sha256_t sha256ctx;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	hkey = (HMACSHA256_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA256_Key));
+	if (hkey == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(hkey->key, 0, sizeof(hkey->key));
+
+	if (r.length > ISC_SHA256_DIGESTLENGTH) {
+		isc_sha256_init(&sha256ctx);
+		isc_sha256_update(&sha256ctx, r.base, r.length);
+		isc_sha256_final(hkey->key, &sha256ctx);
+		keylen = ISC_SHA256_DIGESTLENGTH;
+	}
+	else {
+		memcpy(hkey->key, r.base, r.length);
+		keylen = r.length;
+	}
+
+	key->key_size = keylen * 8;
+	key->opaque = hkey;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha256_tofile(const dst_key_t *key, const char *directory) {
+	int cnt = 0;
+	HMACSHA256_Key *hkey;
+	dst_private_t priv;
+	int bytes = (key->key_size + 7) / 8;
+	unsigned char buf[2];
+
+	if (key->opaque == NULL)
+		return (DST_R_NULLKEY);
+
+	hkey = (HMACSHA256_Key *) key->opaque;
+
+	priv.elements[cnt].tag = TAG_HMACSHA256_KEY;
+	priv.elements[cnt].length = bytes;
+	priv.elements[cnt++].data = hkey->key;
+
+	buf[0] = (key->key_bits >> 8) & 0xffU;
+	buf[1] = key->key_bits & 0xffU;
+	priv.elements[cnt].tag = TAG_HMACSHA256_BITS;
+	priv.elements[cnt].data = buf;
+	priv.elements[cnt++].length = 2;
+
+	priv.nelements = cnt;
+	return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+hmacsha256_parse(dst_key_t *key, isc_lex_t *lexer) {
+	dst_private_t priv;
+	isc_result_t result, tresult;
+	isc_buffer_t b;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+
+	/* read private key file */
+	result = dst__privstruct_parse(key, DST_ALG_HMACSHA256, lexer, mctx,
+				       &priv);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	key->key_bits = 0;
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_HMACSHA256_KEY:
+			isc_buffer_init(&b, priv.elements[i].data,
+				        priv.elements[i].length);
+			isc_buffer_add(&b, priv.elements[i].length);
+			tresult = hmacsha256_fromdns(key, &b);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		case TAG_HMACSHA256_BITS:
+			tresult = getkeybits(key, &priv.elements[i]);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		default:
+			result = DST_R_INVALIDPRIVATEKEY;
+			break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	return (result);
+}
+
+static dst_func_t hmacsha256_functions = {
+	hmacsha256_createctx,
+	hmacsha256_destroyctx,
+	hmacsha256_adddata,
+	hmacsha256_sign,
+	hmacsha256_verify,
+	NULL, /* computesecret */
+	hmacsha256_compare,
+	NULL, /* paramcompare */
+	hmacsha256_generate,
+	hmacsha256_isprivate,
+	hmacsha256_destroy,
+	hmacsha256_todns,
+	hmacsha256_fromdns,
+	hmacsha256_tofile,
+	hmacsha256_parse,
+	NULL, /* cleanup */
+};
+
+isc_result_t
+dst__hmacsha256_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &hmacsha256_functions;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data);
+
+typedef struct {
+	unsigned char key[ISC_SHA384_DIGESTLENGTH];
+} HMACSHA384_Key;
+
+static isc_result_t
+hmacsha384_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_hmacsha384_t *hmacsha384ctx;
+	HMACSHA384_Key *hkey = key->opaque;
+
+	hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t));
+	if (hmacsha384ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_DIGESTLENGTH);
+	dctx->opaque = hmacsha384ctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+hmacsha384_destroyctx(dst_context_t *dctx) {
+	isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+
+	if (hmacsha384ctx != NULL) {
+		isc_hmacsha384_invalidate(hmacsha384ctx);
+		isc_mem_put(dctx->mctx, hmacsha384ctx, sizeof(isc_hmacsha384_t));
+		dctx->opaque = NULL;
+	}
+}
+
+static isc_result_t
+hmacsha384_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+
+	isc_hmacsha384_update(hmacsha384ctx, data->base, data->length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha384_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+	unsigned char *digest;
+
+	if (isc_buffer_availablelength(sig) < ISC_SHA384_DIGESTLENGTH)
+		return (ISC_R_NOSPACE);
+	digest = isc_buffer_used(sig);
+	isc_hmacsha384_sign(hmacsha384ctx, digest, ISC_SHA384_DIGESTLENGTH);
+	isc_buffer_add(sig, ISC_SHA384_DIGESTLENGTH);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha384_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+
+	if (sig->length > ISC_SHA384_DIGESTLENGTH || sig->length == 0)
+		return (DST_R_VERIFYFAILURE);
+
+	if (isc_hmacsha384_verify(hmacsha384ctx, sig->base, sig->length))
+		return (ISC_R_SUCCESS);
+	else
+		return (DST_R_VERIFYFAILURE);
+}
+
+static isc_boolean_t
+hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	HMACSHA384_Key *hkey1, *hkey2;
+
+	hkey1 = (HMACSHA384_Key *)key1->opaque;
+	hkey2 = (HMACSHA384_Key *)key2->opaque;
+
+	if (hkey1 == NULL && hkey2 == NULL)
+		return (ISC_TRUE);
+	else if (hkey1 == NULL || hkey2 == NULL)
+		return (ISC_FALSE);
+
+	if (memcmp(hkey1->key, hkey2->key, ISC_SHA384_DIGESTLENGTH) == 0)
+		return (ISC_TRUE);
+	else
+		return (ISC_FALSE);
+}
+
+static isc_result_t
+hmacsha384_generate(dst_key_t *key, int pseudorandom_ok) {
+	isc_buffer_t b;
+	isc_result_t ret;
+	int bytes;
+	unsigned char data[HMAC_LEN];
+
+	bytes = (key->key_size + 7) / 8;
+	if (bytes > HMAC_LEN) {
+		bytes = HMAC_LEN;
+		key->key_size = HMAC_LEN * 8;
+	}
+
+	memset(data, 0, HMAC_LEN);
+	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_init(&b, data, bytes);
+	isc_buffer_add(&b, bytes);
+	ret = hmacsha384_fromdns(key, &b);
+	memset(data, 0, ISC_SHA384_DIGESTLENGTH);
+
+	return (ret);
+}
+
+static isc_boolean_t
+hmacsha384_isprivate(const dst_key_t *key) {
+	UNUSED(key);
+	return (ISC_TRUE);
+}
+
+static void
+hmacsha384_destroy(dst_key_t *key) {
+	HMACSHA384_Key *hkey = key->opaque;
+	memset(hkey, 0, sizeof(HMACSHA384_Key));
+	isc_mem_put(key->mctx, hkey, sizeof(HMACSHA384_Key));
+	key->opaque = NULL;
+}
+
+static isc_result_t
+hmacsha384_todns(const dst_key_t *key, isc_buffer_t *data) {
+	HMACSHA384_Key *hkey;
+	unsigned int bytes;
+
+	REQUIRE(key->opaque != NULL);
+
+	hkey = (HMACSHA384_Key *) key->opaque;
+
+	bytes = (key->key_size + 7) / 8;
+	if (isc_buffer_availablelength(data) < bytes)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putmem(data, hkey->key, bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	HMACSHA384_Key *hkey;
+	int keylen;
+	isc_region_t r;
+	isc_sha384_t sha384ctx;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	hkey = (HMACSHA384_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA384_Key));
+	if (hkey == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(hkey->key, 0, sizeof(hkey->key));
+
+	if (r.length > ISC_SHA384_DIGESTLENGTH) {
+		isc_sha384_init(&sha384ctx);
+		isc_sha384_update(&sha384ctx, r.base, r.length);
+		isc_sha384_final(hkey->key, &sha384ctx);
+		keylen = ISC_SHA384_DIGESTLENGTH;
+	}
+	else {
+		memcpy(hkey->key, r.base, r.length);
+		keylen = r.length;
+	}
+
+	key->key_size = keylen * 8;
+	key->opaque = hkey;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha384_tofile(const dst_key_t *key, const char *directory) {
+	int cnt = 0;
+	HMACSHA384_Key *hkey;
+	dst_private_t priv;
+	int bytes = (key->key_size + 7) / 8;
+	unsigned char buf[2];
+
+	if (key->opaque == NULL)
+		return (DST_R_NULLKEY);
+
+	hkey = (HMACSHA384_Key *) key->opaque;
+
+	priv.elements[cnt].tag = TAG_HMACSHA384_KEY;
+	priv.elements[cnt].length = bytes;
+	priv.elements[cnt++].data = hkey->key;
+
+	buf[0] = (key->key_bits >> 8) & 0xffU;
+	buf[1] = key->key_bits & 0xffU;
+	priv.elements[cnt].tag = TAG_HMACSHA384_BITS;
+	priv.elements[cnt].data = buf;
+	priv.elements[cnt++].length = 2;
+
+	priv.nelements = cnt;
+	return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+hmacsha384_parse(dst_key_t *key, isc_lex_t *lexer) {
+	dst_private_t priv;
+	isc_result_t result, tresult;
+	isc_buffer_t b;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+
+	/* read private key file */
+	result = dst__privstruct_parse(key, DST_ALG_HMACSHA384, lexer, mctx,
+				       &priv);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	key->key_bits = 0;
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_HMACSHA384_KEY:
+			isc_buffer_init(&b, priv.elements[i].data,
+				        priv.elements[i].length);
+			isc_buffer_add(&b, priv.elements[i].length);
+			tresult = hmacsha384_fromdns(key, &b);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		case TAG_HMACSHA384_BITS:
+			tresult = getkeybits(key, &priv.elements[i]);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		default:
+			result = DST_R_INVALIDPRIVATEKEY;
+			break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	return (result);
+}
+
+static dst_func_t hmacsha384_functions = {
+	hmacsha384_createctx,
+	hmacsha384_destroyctx,
+	hmacsha384_adddata,
+	hmacsha384_sign,
+	hmacsha384_verify,
+	NULL, /* computesecret */
+	hmacsha384_compare,
+	NULL, /* paramcompare */
+	hmacsha384_generate,
+	hmacsha384_isprivate,
+	hmacsha384_destroy,
+	hmacsha384_todns,
+	hmacsha384_fromdns,
+	hmacsha384_tofile,
+	hmacsha384_parse,
+	NULL, /* cleanup */
+};
+
+isc_result_t
+dst__hmacsha384_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &hmacsha384_functions;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data);
+
+typedef struct {
+	unsigned char key[ISC_SHA512_DIGESTLENGTH];
+} HMACSHA512_Key;
+
+static isc_result_t
+hmacsha512_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_hmacsha512_t *hmacsha512ctx;
+	HMACSHA512_Key *hkey = key->opaque;
+
+	hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t));
+	if (hmacsha512ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_DIGESTLENGTH);
+	dctx->opaque = hmacsha512ctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+hmacsha512_destroyctx(dst_context_t *dctx) {
+	isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+
+	if (hmacsha512ctx != NULL) {
+		isc_hmacsha512_invalidate(hmacsha512ctx);
+		isc_mem_put(dctx->mctx, hmacsha512ctx, sizeof(isc_hmacsha512_t));
+		dctx->opaque = NULL;
+	}
+}
+
+static isc_result_t
+hmacsha512_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+
+	isc_hmacsha512_update(hmacsha512ctx, data->base, data->length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha512_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+	unsigned char *digest;
+
+	if (isc_buffer_availablelength(sig) < ISC_SHA512_DIGESTLENGTH)
+		return (ISC_R_NOSPACE);
+	digest = isc_buffer_used(sig);
+	isc_hmacsha512_sign(hmacsha512ctx, digest, ISC_SHA512_DIGESTLENGTH);
+	isc_buffer_add(sig, ISC_SHA512_DIGESTLENGTH);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha512_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+
+	if (sig->length > ISC_SHA512_DIGESTLENGTH || sig->length == 0)
+		return (DST_R_VERIFYFAILURE);
+
+	if (isc_hmacsha512_verify(hmacsha512ctx, sig->base, sig->length))
+		return (ISC_R_SUCCESS);
+	else
+		return (DST_R_VERIFYFAILURE);
+}
+
+static isc_boolean_t
+hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	HMACSHA512_Key *hkey1, *hkey2;
+
+	hkey1 = (HMACSHA512_Key *)key1->opaque;
+	hkey2 = (HMACSHA512_Key *)key2->opaque;
+
+	if (hkey1 == NULL && hkey2 == NULL)
+		return (ISC_TRUE);
+	else if (hkey1 == NULL || hkey2 == NULL)
+		return (ISC_FALSE);
+
+	if (memcmp(hkey1->key, hkey2->key, ISC_SHA512_DIGESTLENGTH) == 0)
+		return (ISC_TRUE);
+	else
+		return (ISC_FALSE);
+}
+
+static isc_result_t
+hmacsha512_generate(dst_key_t *key, int pseudorandom_ok) {
+	isc_buffer_t b;
+	isc_result_t ret;
+	int bytes;
+	unsigned char data[HMAC_LEN];
+
+	bytes = (key->key_size + 7) / 8;
+	if (bytes > HMAC_LEN) {
+		bytes = HMAC_LEN;
+		key->key_size = HMAC_LEN * 8;
+	}
+
+	memset(data, 0, HMAC_LEN);
+	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_init(&b, data, bytes);
+	isc_buffer_add(&b, bytes);
+	ret = hmacsha512_fromdns(key, &b);
+	memset(data, 0, ISC_SHA512_DIGESTLENGTH);
+
+	return (ret);
+}
+
+static isc_boolean_t
+hmacsha512_isprivate(const dst_key_t *key) {
+	UNUSED(key);
+	return (ISC_TRUE);
+}
+
+static void
+hmacsha512_destroy(dst_key_t *key) {
+	HMACSHA512_Key *hkey = key->opaque;
+	memset(hkey, 0, sizeof(HMACSHA512_Key));
+	isc_mem_put(key->mctx, hkey, sizeof(HMACSHA512_Key));
+	key->opaque = NULL;
+}
+
+static isc_result_t
+hmacsha512_todns(const dst_key_t *key, isc_buffer_t *data) {
+	HMACSHA512_Key *hkey;
+	unsigned int bytes;
+
+	REQUIRE(key->opaque != NULL);
+
+	hkey = (HMACSHA512_Key *) key->opaque;
+
+	bytes = (key->key_size + 7) / 8;
+	if (isc_buffer_availablelength(data) < bytes)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putmem(data, hkey->key, bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	HMACSHA512_Key *hkey;
+	int keylen;
+	isc_region_t r;
+	isc_sha512_t sha512ctx;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	hkey = (HMACSHA512_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA512_Key));
+	if (hkey == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(hkey->key, 0, sizeof(hkey->key));
+
+	if (r.length > ISC_SHA512_DIGESTLENGTH) {
+		isc_sha512_init(&sha512ctx);
+		isc_sha512_update(&sha512ctx, r.base, r.length);
+		isc_sha512_final(hkey->key, &sha512ctx);
+		keylen = ISC_SHA512_DIGESTLENGTH;
+	}
+	else {
+		memcpy(hkey->key, r.base, r.length);
+		keylen = r.length;
+	}
+
+	key->key_size = keylen * 8;
+	key->opaque = hkey;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha512_tofile(const dst_key_t *key, const char *directory) {
+	int cnt = 0;
+	HMACSHA512_Key *hkey;
+	dst_private_t priv;
+	int bytes = (key->key_size + 7) / 8;
+	unsigned char buf[2];
+
+	if (key->opaque == NULL)
+		return (DST_R_NULLKEY);
+
+	hkey = (HMACSHA512_Key *) key->opaque;
+
+	priv.elements[cnt].tag = TAG_HMACSHA512_KEY;
+	priv.elements[cnt].length = bytes;
+	priv.elements[cnt++].data = hkey->key;
+
+	buf[0] = (key->key_bits >> 8) & 0xffU;
+	buf[1] = key->key_bits & 0xffU;
+	priv.elements[cnt].tag = TAG_HMACSHA512_BITS;
+	priv.elements[cnt].data = buf;
+	priv.elements[cnt++].length = 2;
+
+	priv.nelements = cnt;
+	return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+hmacsha512_parse(dst_key_t *key, isc_lex_t *lexer) {
+	dst_private_t priv;
+	isc_result_t result, tresult;
+	isc_buffer_t b;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+
+	/* read private key file */
+	result = dst__privstruct_parse(key, DST_ALG_HMACSHA512, lexer, mctx,
+				       &priv);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	key->key_bits = 0;
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_HMACSHA512_KEY:
+			isc_buffer_init(&b, priv.elements[i].data,
+				        priv.elements[i].length);
+			isc_buffer_add(&b, priv.elements[i].length);
+			tresult = hmacsha512_fromdns(key, &b);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		case TAG_HMACSHA512_BITS:
+			tresult = getkeybits(key, &priv.elements[i]);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		default:
+			result = DST_R_INVALIDPRIVATEKEY;
+			break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	return (result);
+}
+
+static dst_func_t hmacsha512_functions = {
+	hmacsha512_createctx,
+	hmacsha512_destroyctx,
+	hmacsha512_adddata,
+	hmacsha512_sign,
+	hmacsha512_verify,
+	NULL, /* computesecret */
+	hmacsha512_compare,
+	NULL, /* paramcompare */
+	hmacsha512_generate,
+	hmacsha512_isprivate,
+	hmacsha512_destroy,
+	hmacsha512_todns,
+	hmacsha512_fromdns,
+	hmacsha512_tofile,
+	hmacsha512_parse,
+	NULL, /* cleanup */
+};
+
+isc_result_t
+dst__hmacsha512_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &hmacsha512_functions;
+	return (ISC_R_SUCCESS);
+}
+
+/*! \file */
diff --git a/contrib/bind9/lib/dns/include/Makefile.in b/contrib/bind9/lib/dns/include/Makefile.in
index 92dfb3b..593ad5a 100644
--- a/contrib/bind9/lib/dns/include/Makefile.in
+++ b/contrib/bind9/lib/dns/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.11.206.2 2004/12/09 04:07:19 marka Exp $
+# $Id: Makefile.in,v 1.12.18.1 2004/12/09 04:41:46 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/dns/include/dns/Makefile.in b/contrib/bind9/lib/dns/include/dns/Makefile.in
index 267bc8d..3f367bc 100644
--- a/contrib/bind9/lib/dns/include/dns/Makefile.in
+++ b/contrib/bind9/lib/dns/include/dns/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.43.2.1.10.6 2004/03/08 09:04:34 marka Exp $
+# $Id: Makefile.in,v 1.50 2004/03/05 05:09:40 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/dns/include/dns/acache.h b/contrib/bind9/lib/dns/include/dns/acache.h
new file mode 100644
index 0000000..50d7fc1
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/acache.h
@@ -0,0 +1,445 @@
+/*
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: acache.h,v 1.3.2.4 2006/05/03 00:07:49 marka Exp $ */
+
+#ifndef DNS_ACACHE_H
+#define DNS_ACACHE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Acache
+ * 
+ * The Additional Cache Object
+ *
+ *	This module manages internal caching entries that correspond to
+ *	the additional section data of a DNS DB node (an RRset header, more
+ *	accurately).  An additional cache entry is expected to be (somehow)
+ *	attached to a particular RR in a particular DB node, and contains a set
+ *	of information of an additional data for the DB node.
+ *
+ *	An additional cache object is intended to be created as a per-view
+ *	object, and manages all cache entries within the view.
+ *
+ *	The intended usage of the additional caching is to provide a short cut
+ *	to additional glue RRs of an NS RR.  For each NS RR, it is often
+ *	necessary to look for glue RRs to make a proper response.  Once the
+ *	glue RRs are known, the additional caching allows the client to
+ *	associate the information to the original NS RR so that further
+ *	expensive lookups can be avoided for the NS RR.
+ *
+ *	Each additional cache entry contains information to identify a
+ *	particular DB node and (optionally) an associated RRset.  The
+ *	information consists of its zone, database, the version of the
+ *	database, database node, and RRset.
+ *
+ *	A "negative" information can also be cached.  For example, if a glue
+ *	RR does not exist as an authoritative data in the same zone as that
+ *	of the NS RR, this fact can be cached by specifying a NULL pointer
+ *	for the database, version, and node.  (See the description for
+ *	dns_acache_getentry() below for more details.)
+ *
+ *	Since each member stored in an additional cache entry holds a reference
+ *	to a corresponding object, a stale cache entry may cause unnecessary
+ *	memory consumption.  For instance, when a zone is reloaded, additional
+ *	cache entries that have a reference to the zone (and its DB and/or
+ *	DB nodes) can delay the cleanup of the referred objects.  In order to
+ *	minimize such a bad effect, this module provides several cleanup
+ *	mechanisms.
+ *
+ *	The first one is a shutdown procedure called when the associated view
+ *	is shut down.  In this case, dns_acache_shutdown() will be called and
+ *	all cache entries will be purged.  This mechanism will help the
+ *	situation when the configuration is reloaded or the main server is
+ *	stopped.
+ *
+ *	Per-DB cleanup mechanism is also provided.  Each additional cache entry
+ *	is associated with related DB, which is expected to have been
+ *	registered when the DB was created by dns_acache_setdb().  If a
+ *	particular DB is going to be destroyed, the primary holder of the DB,
+ *	a typical example of which is a zone, will call dns_acache_putdb().
+ *	Then this module will clean-up all cache entries associated with the
+ *	DB.  This mechanism is effective when a secondary zone DB is going to
+ *	be stale after a zone transfer.
+ *
+ *	Finally, this module supports for periodic clean-up of stale entries.
+ *	Each cache entry has a timestamp field, which is updated every time
+ *	the entry is referred.  A periodically invoked cleaner checks the
+ *	timestamp of each entry, and purge entries that have not been referred
+ *	for a certain period.  The cleaner interval can be specified by
+ *	dns_acache_setcleaninginterval().  If the periodic clean-up is not
+ *	enough, it is also possible to specify the upper limit of entries
+ *	in terms of the memory consumption.  If the maximum value is
+ *	specified, the cleaner is invoked when the memory consumption reaches
+ *	the high watermark inferred from the maximum value.  In this case,
+ *	the cleaner will use more aggressive algorithm to decide the "victim"
+ *	entries.  The maximum value can be specified by
+ *	dns_acache_setcachesize().
+ *
+ *	When a cache entry is going to be purged within this module, the
+ *	callback function specified at the creation time will be called.
+ *	The callback function is expected to release all internal resources
+ *	related to the entry, which will typically be specific to DB
+ *	implementation, and to call dns_acache_detachentry().  The callback
+ *	mechanism is very important, since the holder of an additional cache
+ *	entry may not be able to initiate the clean-up of the entry, due to
+ *	the reference ordering.  For example, as long as an additional cache
+ *	entry has a reference to a DB object, the DB cannot be freed, in which
+ *	a DB node may have a reference to the cache entry.
+ *
+ *	Credits:
+ *	The basic idea of this kind of short-cut for frequently used
+ *	information is similar to the "pre-compiled answer" approach adopted
+ *	in nsd by NLnet LABS with RIPE NCC.  Our work here is an independent
+ *	effort, but the success of nsd encouraged us to pursue this path.
+ *
+ *	The design and implementation of the periodic memory management and
+ *	the upper limitation of memory consumption was derived from the cache
+ *	DB implementation of BIND9.
+ *
+ * MP:
+ *	There are two main locks in this module.  One is for each entry, and
+ *	the other is for the additional cache object.
+ *
+ * Reliability:
+ *	The callback function for a cache entry is called with holding the
+ *	entry lock.  Thus, it implicitly assumes the callback function does not
+ *	call a function that can require the lock.  Typically, the only
+ *	function that can be called from the callback function safely is
+ *	dns_acache_detachentry().  The breakage of this implicit assumption
+ *	may cause a deadlock.
+ *
+ * Resources:
+ *	In a 32-bit architecture (such as i386), the following additional
+ *	memory is required comparing to the case that disables this module.
+ *	- 76 bytes for each additional cache entry
+ *	- if the entry has a DNS name and associated RRset,
+ *	  * 44 bytes + size of the name (1-255 bytes)
+ *	  * 52 bytes x number_of_RRs 
+ *	- 28 bytes for each DB related to this module
+ *
+ *	Using the additional cache also requires extra memory consumption in
+ *	the DB implementation.  In the current implementation for rbtdb, we
+ *	need:
+ *	- two additional pointers for each DB node (8 bytes for a 32-bit
+ *	  architecture
+ *	- for each RR associated to an RR in a DB node, we also need
+ *	  a pointer and management objects to support the additional cache
+ *	  function.  These are allocated on-demand.  The total size is
+ *	  32 bytes for a 32-bit architecture.
+ *
+ * Security:
+ *	Since this module does not handle any low-level data directly,
+ *	no security issue specific to this module is anticipated.
+ *
+ * Standards:
+ *	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/mutex.h>
+#include <isc/lang.h>
+#include <isc/refcount.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+
+/***
+ *** Functions
+ ***/
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_acache_create(dns_acache_t **acachep, isc_mem_t *mctx,
+		  isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr);
+/*
+ * Create a new DNS additional cache object.
+ *
+ * Requires:
+ *
+ *	'mctx' is a valid memory context
+ *
+ *	'taskmgr' is a valid task manager
+ *
+ *	'timermgr' is a valid timer or NULL.  If NULL, no periodic cleaning of
+ *	the cache will take place.
+ *
+ *	'acachep' is a valid pointer, and *acachep == NULL
+ *
+ * Ensures:
+ *
+ *	'*acachep' is attached to the newly created cache
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_UNEXPECTED
+ */
+
+void
+dns_acache_attach(dns_acache_t *source, dns_acache_t **targetp);
+/*
+ * Attach *targetp to cache.
+ *
+ * Requires:
+ *
+ *	'acache' is a valid additional cache.
+ *
+ *	'targetp' points to a NULL dns_acache_t *.
+ *
+ * Ensures:
+ *
+ *	*targetp is attached to the 'source' additional cache.
+ */
+
+void
+dns_acache_detach(dns_acache_t **acachep);
+/*
+ * Detach *acachep from its cache.
+ *
+ * Requires:
+ *
+ *	'*acachep' points to a valid additional cache.
+ *
+ * Ensures:
+ *
+ *	*acachep is NULL.
+ *
+ *	If '*acachep' is the last reference to the cache and the additional
+ *	cache does not have an outstanding task, all resources used by the
+ *	cache will be freed.
+ */
+
+void
+dns_acache_setcleaninginterval(dns_acache_t *acache, unsigned int t);
+/*
+ * Set the periodic cleaning interval of an additional cache to 'interval'
+ * seconds.
+ */
+
+void
+dns_acache_setcachesize(dns_acache_t *acache, isc_uint32_t size);
+/*
+ * Set the maximum additional cache size.  0 means unlimited.
+ */
+
+isc_result_t
+dns_acache_setdb(dns_acache_t *acache, dns_db_t *db);
+/*
+ * Set 'db' in 'acache' when the db can be referred from acache, in order
+ * to provide a hint for resolving the back reference.
+ *
+ * Requires:
+ *	'acache' is a valid acache pointer.
+ *	'db' is a valid DNS DB pointer.
+ *
+ * Ensures:
+ *	'acache' will have a reference to 'db'.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_EXISTS	(which means the specified 'db' is already set)
+ *	ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_acache_putdb(dns_acache_t *acache, dns_db_t *db);
+/*
+ * Release 'db' from 'acache' if it has been set by dns_acache_setdb().
+ *
+ * Requires:
+ *	'acache' is a valid acache pointer.
+ *	'db' is a valid DNS DB pointer.
+ *
+ * Ensures:
+ *	'acache' will release the reference to 'db'.  Additionally, the content
+ *	of each cache entry that is related to the 'db' will be released via
+ *	the callback function.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOTFOUND	(which means the specified 'db' is not set in 'acache')
+ *	ISC_R_NOMEMORY
+ */
+
+void
+dns_acache_shutdown(dns_acache_t *acache);
+/*
+ * Shutdown 'acache'.
+ *
+ * Requires:
+ *
+ * 	'*acache' is a valid additional cache.
+ */
+
+isc_result_t
+dns_acache_createentry(dns_acache_t *acache, dns_db_t *origdb,
+		       void (*callback)(dns_acacheentry_t *, void **),
+		       void *cbarg, dns_acacheentry_t **entryp);
+/*
+ * Create an additional cache entry.  A new entry is created and attached to
+ * the given additional cache object.  A callback function is also associated
+ * with the created entry, which will be called when the cache entry is purged
+ * for some reason.
+ *
+ * Requires:
+ *
+ * 	'acache' is a valid additional cache.
+ *	'entryp' is a valid pointer, and *entryp == NULL
+ *	'origdb' is a valid DNS DB pointer.
+ *	'callback' and 'cbarg' can be NULL.  In this case, however, the entry
+ *	is meaningless (and will be cleaned-up in the next periodical
+ *	cleaning).
+ *
+ * Ensures:
+ *	'*entryp' will point to a new additional cache entry.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_acache_getentry(dns_acacheentry_t *entry, dns_zone_t **zonep,
+		    dns_db_t **dbp, dns_dbversion_t **versionp,
+		    dns_dbnode_t **nodep, dns_name_t *fname,
+		    dns_message_t *msg, isc_stdtime_t now);
+/*
+ * Get content from a particular additional cache entry.
+ *
+ * Requires:
+ *
+ * 	'entry' is a valid additional cache entry.
+ *	'zonep' is a NULL pointer or '*zonep' == NULL (this is the only
+ *	optional parameter.)
+ *	'dbp' is a valid pointer, and '*dbp' == NULL
+ *	'versionp' is a valid pointer, and '*versionp' == NULL
+ *	'nodep' is a valid pointer, and '*nodep' == NULL
+ *	'fname' is a valid DNS name.
+ *	'msg' is a valid DNS message.
+ *
+ * Ensures:
+ *	Several possible cases can happen according to the content.
+ *	1. For a positive cache entry,
+ *	'*zonep' will point to the corresponding zone (if zonep is a valid
+ *	pointer),
+ *	'*dbp' will point to a DB for the zone,
+ *	'*versionp' will point to its version, and
+ *	'*nodep' will point to the corresponding DB node.
+ *	'fname' will have the DNS name of the DB node and contain a list of
+ *	rdataset for the node (which can be an empty list).
+ *
+ * 	2. For a negative cache entry that means no corresponding zone exists,
+ *	'*zonep' == NULL (if zonep is a valid pointer)
+ *	'*dbp', '*versionp', and '*nodep' will be NULL.
+ *
+ *	3. For a negative cache entry that means no corresponding DB node
+ *	exists, '*zonep' will point to the corresponding zone (if zonep is a
+ *	valid pointer),
+ *	'*dbp' will point to a corresponding DB for zone,
+ *	'*versionp' will point to its version.
+ *	'*nodep' will be kept as NULL.
+ *	'fname' will not change.
+ *
+ *	On failure, no new references will be created.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_acache_setentry(dns_acache_t *acache, dns_acacheentry_t *entry,
+		    dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+		    dns_dbnode_t *node, dns_name_t *fname);
+/*
+ * Set content to a particular additional cache entry.
+ *
+ * Requires:
+ *	'acache' is a valid additional cache.
+ *	'entry' is a valid additional cache entry.
+ *	All the others pointers are NULL or a valid pointer of the
+ *	corresponding type.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_NOTFOUND
+ */
+
+void
+dns_acache_cancelentry(dns_acacheentry_t *entry);
+/*
+ * Cancel the use of the cache entry 'entry'.  This function is supposed to
+ * be called when the node that holds the entry finds the content is not
+ * correct any more.  This function will try to release as much dependency as
+ * possible, and will be ready to be cleaned-up.  The registered callback
+ * function will be canceled and will never called.
+ *
+ * Requires:
+ *	'entry' is a valid additional cache entry.
+ */
+
+void
+dns_acache_attachentry(dns_acacheentry_t *source, dns_acacheentry_t **targetp);
+/*
+ * Attach *targetp to the cache entry 'source'.
+ *
+ * Requires:
+ *
+ *	'source' is a valid additional cache entry.
+ *
+ *	'targetp' points to a NULL dns_acacheentry_t *.
+ *
+ * Ensures:
+ *
+ *	*targetp is attached to 'source'.
+ */
+		       
+void
+dns_acache_detachentry(dns_acacheentry_t **entryp);
+/*
+ * Detach *entryp from its cache.
+ *
+ * Requires:
+ *
+ *	'*entryp' points to a valid additional cache entry.
+ *
+ * Ensures:
+ *
+ *	*entryp is NULL.
+ *
+ *	If '*entryp' is the last reference to the entry, 
+ *	cache does not have an outstanding task, all resources used by the
+ *	entry (including the entry object itself) will be freed.
+ */
+
+void
+dns_acache_countquerymiss(dns_acache_t *acache);
+/*
+ * Count up a missed acache query.  XXXMLG need more docs.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ACACHE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/acl.h b/contrib/bind9/lib/dns/include/dns/acl.h
index ce4c8b6..34e394f 100644
--- a/contrib/bind9/lib/dns/include/dns/acl.h
+++ b/contrib/bind9/lib/dns/include/dns/acl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.h,v 1.20.52.5 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: acl.h,v 1.22.18.4 2006/03/02 00:37:21 marka Exp $ */
 
 #ifndef DNS_ACL_H
 #define DNS_ACL_H 1
@@ -24,7 +24,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * Address match list handling.
  */
 
@@ -75,10 +76,10 @@ struct dns_acl {
 	isc_mem_t		*mctx;
 	isc_refcount_t		refcount;
 	dns_aclelement_t	*elements;
-	unsigned int 		alloc;		/* Elements allocated */
-	unsigned int 		length;		/* Elements initialized */
-	char 			*name;		/* Temporary use only */
-	ISC_LINK(dns_acl_t) 	nextincache;	/* Ditto */
+	unsigned int 		alloc;		/*%< Elements allocated */
+	unsigned int 		length;		/*%< Elements initialized */
+	char 			*name;		/*%< Temporary use only */
+	ISC_LINK(dns_acl_t) 	nextincache;	/*%< Ditto */
 };
 
 struct dns_aclenv {
@@ -98,26 +99,26 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
-/*
+/*%<
  * Create a new ACL with room for 'n' elements.
  * The elements are uninitialized and the length is 0.
  */
 
 isc_result_t
 dns_acl_appendelement(dns_acl_t *acl, const dns_aclelement_t *elt);
-/*
+/*%<
  * Append an element to an existing ACL.
  */
 
 isc_result_t
 dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
-/*
+/*%<
  * Create a new ACL that matches everything.
  */
 
 isc_result_t
 dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
-/*
+/*%<
  * Create a new ACL that matches nothing.
  */
 
@@ -135,13 +136,13 @@ dns_acl_equal(const dns_acl_t *a, const dns_acl_t *b);
 
 isc_boolean_t
 dns_acl_isinsecure(const dns_acl_t *a);
-/*
- * Return ISC_TRUE iff the acl 'a' is considered insecure, that is,
+/*%<
+ * Return #ISC_TRUE iff the acl 'a' is considered insecure, that is,
  * if it contains IP addresses other than those of the local host.
  * This is intended for applications such as printing warning 
  * messages for suspect ACLs; it is not intended for making access
  * control decisions.  We make no guarantee that an ACL for which
- * this function returns ISC_FALSE is safe.
+ * this function returns #ISC_FALSE is safe.
  */
 
 isc_result_t
@@ -160,7 +161,7 @@ dns_acl_match(const isc_netaddr_t *reqaddr,
 	      const dns_aclenv_t *env,
 	      int *match,
 	      const dns_aclelement_t **matchelt);
-/*
+/*%<
  * General, low-level ACL matching.  This is expected to
  * be useful even for weird stuff like the topology and sortlist statements.
  *
@@ -181,7 +182,7 @@ dns_acl_match(const isc_netaddr_t *reqaddr,
  * If there is no match, *match will be set to zero.
  *
  * Returns:
- *	ISC_R_SUCCESS		Always succeeds.
+ *\li	#ISC_R_SUCCESS		Always succeeds.
  */
 
 isc_boolean_t
@@ -190,7 +191,7 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr,
 		     const dns_aclelement_t *e,
 		     const dns_aclenv_t *env,		     
 		     const dns_aclelement_t **matchelt);
-/*
+/*%<
  * Like dns_acl_match, but matches against the single ACL element 'e'
  * rather than a complete list and returns ISC_TRUE iff it matched.
  * To determine whether the match was prositive or negative, the 
@@ -203,7 +204,7 @@ isc_result_t
 dns_acl_elementmatch(const dns_acl_t *acl,
 		     const dns_aclelement_t *elt,
 		     const dns_aclelement_t **matchelt);
-/*
+/*%<
  * Search for an ACL element in 'acl' which is exactly the same as 'elt'.
  * If there is one, and 'matchelt' is non NULL, then '*matchelt' will point
  * to the entry.
@@ -212,8 +213,8 @@ dns_acl_elementmatch(const dns_acl_t *acl,
  * before adding an entry.
  *
  * Returns:
- *	ISC_R_SUCCESS		Match succeeds.
- *	ISC_R_NOTFOUND		Match fails.
+ *\li	#ISC_R_SUCCESS		Match succeeds.
+ *\li	#ISC_R_NOTFOUND		Match fails.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/adb.h b/contrib/bind9/lib/dns/include/dns/adb.h
index 7a17eff..1e3cd61 100644
--- a/contrib/bind9/lib/dns/include/dns/adb.h
+++ b/contrib/bind9/lib/dns/include/dns/adb.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: adb.h,v 1.66.2.5.2.4 2004/03/06 08:13:50 marka Exp $ */
+/* $Id: adb.h,v 1.76.18.3 2005/06/23 04:23:16 marka Exp $ */
 
 #ifndef DNS_ADB_H
 #define DNS_ADB_H 1
@@ -24,7 +24,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ *\brief
  * DNS Address Database
  *
  * This module implements an address database (ADB) for mapping a name
@@ -49,21 +50,21 @@
  * Records are stored internally until a timer expires. The timer is the
  * smaller of the TTL or signature validity period.
  *
- * Lameness is stored per-zone, and this data hangs off each address field.
- * When an address is marked lame for a given zone the address will not
- * be returned to a caller.
+ * Lameness is stored per <qname,qtype> tuple, and this data hangs off each
+ * address field.  When an address is marked lame for a given tuple the address
+ * will not be returned to a caller.
  *
  *
  * MP:
  *
- *	The ADB takes care of all necessary locking.
+ *\li	The ADB takes care of all necessary locking.
  *
- *	Only the task which initiated the name lookup can cancel the lookup.
+ *\li	Only the task which initiated the name lookup can cancel the lookup.
  *
  *
  * Security:
  *
- *	None, since all data stored is required to be pre-filtered.
+ *\li	None, since all data stored is required to be pre-filtered.
  *	(Cache needs to be sane, fetches return bounds-checked and sanity-
  *       checked data, caller passes a good dns_name_t for the zone, etc)
  */
@@ -98,8 +99,8 @@ ISC_LANG_BEGINDECLS
 
 typedef struct dns_adbname		dns_adbname_t;
 
-/* dns_adbfind_t
- *
+/*! 
+ *\brief
  * Represents a lookup for a single name.
  *
  * On return, the client can safely use "list", and can reorder the list.
@@ -108,14 +109,14 @@ typedef struct dns_adbname		dns_adbname_t;
  */
 struct dns_adbfind {
 	/* Public */
-	unsigned int			magic;		/* RO: magic */
-	dns_adbaddrinfolist_t		list;		/* RO: list of addrs */
-	unsigned int			query_pending;	/* RO: partial list */
-	unsigned int			partial_result;	/* RO: addrs missing */
-	unsigned int			options;	/* RO: options */
-	isc_result_t			result_v4;	/* RO: v4 result */
-	isc_result_t			result_v6;	/* RO: v6 result */
-	ISC_LINK(dns_adbfind_t)		publink;	/* RW: client use */
+	unsigned int			magic;		/*%< RO: magic */
+	dns_adbaddrinfolist_t		list;		/*%< RO: list of addrs */
+	unsigned int			query_pending;	/*%< RO: partial list */
+	unsigned int			partial_result;	/*%< RO: addrs missing */
+	unsigned int			options;	/*%< RO: options */
+	isc_result_t			result_v4;	/*%< RO: v4 result */
+	isc_result_t			result_v6;	/*%< RO: v6 result */
+	ISC_LINK(dns_adbfind_t)		publink;	/*%< RW: client use */
 
 	/* Private */
 	isc_mutex_t			lock;		/* locks all below */
@@ -161,34 +162,65 @@ struct dns_adbfind {
  *	At least one address was omitted from the list because it was lame.
  *	This bit will NEVER be set if _RETURNLAME is set in the createfind().
  */
+/*% Return addresses of type INET. */
 #define DNS_ADBFIND_INET		0x00000001
+/*% Return addresses of type INET6. */
 #define DNS_ADBFIND_INET6		0x00000002
 #define DNS_ADBFIND_ADDRESSMASK		0x00000003
-
+/*%
+ *      Only schedule an event if no addresses are known.
+ *      Must set _WANTEVENT for this to be meaningful.
+ */
 #define DNS_ADBFIND_EMPTYEVENT		0x00000004
+/*%
+ *	An event is desired.  Check this bit in the returned find to see
+ *	if one will actually be generated.
+ */
 #define DNS_ADBFIND_WANTEVENT		0x00000008
+/*%
+ *	If set, fetches will not be generated unless no addresses are
+ *	available in any of the address families requested.
+ */
 #define DNS_ADBFIND_AVOIDFETCHES	0x00000010
+/*%
+ *	Fetches will start using the closest zone data or use the root servers.
+ *	This is useful for reestablishing glue that has expired.
+ */
 #define DNS_ADBFIND_STARTATZONE		0x00000020
+/*%
+ *	Glue or hints are ok.  These are used when matching names already
+ *	in the adb, and when dns databases are searched.
+ */
 #define DNS_ADBFIND_GLUEOK		0x00000040
+/*%
+ *	Glue or hints are ok.  These are used when matching names already
+ *	in the adb, and when dns databases are searched.
+ */
 #define DNS_ADBFIND_HINTOK		0x00000080
+/*%
+ *	Return lame servers in a find, so that all addresses are returned.
+ */
 #define DNS_ADBFIND_RETURNLAME		0x00000100
+/*%
+ *      Only schedule an event if no addresses are known.
+ *      Must set _WANTEVENT for this to be meaningful.
+ */
 #define DNS_ADBFIND_LAMEPRUNED		0x00000200
 
-/* dns_adbaddrinfo_t
- *
+/*%
  * The answers to queries come back as a list of these.
  */
 struct dns_adbaddrinfo {
-	unsigned int			magic;		/* private */
+	unsigned int			magic;		/*%< private */
 
-	isc_sockaddr_t			sockaddr;	/* [rw] */
-	unsigned int			srtt;		/* [rw] microseconds */
-	unsigned int			flags;		/* [rw] */
-	dns_adbentry_t		       *entry;		/* private */
+	isc_sockaddr_t			sockaddr;	/*%< [rw] */
+	unsigned int			srtt;		/*%< [rw] microseconds */
+	unsigned int			flags;		/*%< [rw] */
+	dns_adbentry_t		       *entry;		/*%< private */
 	ISC_LINK(dns_adbaddrinfo_t)	publink;
 };
 
-/*
+/*!< 
  * The event sent to the caller task is just a plain old isc_event_t.  It
  * contains no data other than a simple status, passed in the "type" field
  * to indicate that another address resolved, or all partially resolved
@@ -198,13 +230,13 @@ struct dns_adbaddrinfo {
  *
  * This is simply a standard event, with the "type" set to:
  *
- *	DNS_EVENT_ADBMOREADDRESSES   -- another address resolved.
- *	DNS_EVENT_ADBNOMOREADDRESSES -- all pending addresses failed,
+ *\li	#DNS_EVENT_ADBMOREADDRESSES   -- another address resolved.
+ *\li	#DNS_EVENT_ADBNOMOREADDRESSES -- all pending addresses failed,
  *					were canceled, or otherwise will
  *					not be usable.
- *	DNS_EVENT_ADBCANCELED	     -- The request was canceled by a
+ *\li	#DNS_EVENT_ADBCANCELED	     -- The request was canceled by a
  *					3rd party.
- *	DNS_EVENT_ADBNAMEDELETED     -- The name was deleted, so this request
+ *\li	#DNS_EVENT_ADBNAMEDELETED     -- The name was deleted, so this request
  *					was canceled.
  *
  * In each of these cases, the addresses returned by the initial call
@@ -219,89 +251,90 @@ struct dns_adbaddrinfo {
 isc_result_t
 dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *tmgr,
 	       isc_taskmgr_t *taskmgr, dns_adb_t **newadb);
-/*
+/*%<
  * Create a new ADB.
  *
  * Notes:
  *
- *	Generally, applications should not create an ADB directly, but
+ *\li	Generally, applications should not create an ADB directly, but
  *	should instead call dns_view_createresolver().
  *
  * Requires:
  *
- *	'mem' must be a valid memory context.
+ *\li	'mem' must be a valid memory context.
  *
- *	'view' be a pointer to a valid view.
+ *\li	'view' be a pointer to a valid view.
  *
- *	'tmgr' be a pointer to a valid timer manager.
+ *\li	'tmgr' be a pointer to a valid timer manager.
  *
- *	'taskmgr' be a pointer to a valid task manager.
+ *\li	'taskmgr' be a pointer to a valid task manager.
  *
- *	'newadb' != NULL && '*newadb' == NULL.
+ *\li	'newadb' != NULL && '*newadb' == NULL.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS	after happiness.
- *	ISC_R_NOMEMORY	after resource allocation failure.
+ *\li	#ISC_R_SUCCESS	after happiness.
+ *\li	#ISC_R_NOMEMORY	after resource allocation failure.
  */
 
 void
 dns_adb_attach(dns_adb_t *adb, dns_adb_t **adbp);
-/*
+/*%
  * Attach to an 'adb' to 'adbp'.
  *
  * Requires:
- *	'adb' to be a valid dns_adb_t, created via dns_adb_create().
- *	'adbp' to be a valid pointer to a *dns_adb_t which is initialized
+ *\li	'adb' to be a valid dns_adb_t, created via dns_adb_create().
+ *\li	'adbp' to be a valid pointer to a *dns_adb_t which is initialized
  *	to NULL.
  */
 
 void
 dns_adb_detach(dns_adb_t **adb);
-/*
+/*%
  * Delete the ADB. Sets *ADB to NULL. Cancels any outstanding requests.
  *
  * Requires:
  *
- *	'adb' be non-NULL and '*adb' be a valid dns_adb_t, created via
+ *\li	'adb' be non-NULL and '*adb' be a valid dns_adb_t, created via
  *	dns_adb_create().
  */
 
 void
 dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp);
-/*
+/*%
  * Send '*eventp' to 'task' when 'adb' has shutdown.
  *
  * Requires:
  *
- *	'*adb' is a valid dns_adb_t.
+ *\li	'*adb' is a valid dns_adb_t.
  *
- *	eventp != NULL && *eventp is a valid event.
+ *\li	eventp != NULL && *eventp is a valid event.
  *
  * Ensures:
  *
- *	*eventp == NULL
+ *\li	*eventp == NULL
  *
- *	The event's sender field is set to the value of adb when the event
+ *\li	The event's sender field is set to the value of adb when the event
  *	is sent.
  */
 
 void
 dns_adb_shutdown(dns_adb_t *adb);
-/*
+/*%<
  * Shutdown 'adb'.
  *
  * Requires:
  *
- * 	'*adb' is a valid dns_adb_t.
+ * \li	'*adb' is a valid dns_adb_t.
  */
 
 isc_result_t
 dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
-		   void *arg, dns_name_t *name, dns_name_t *zone,
-		   unsigned int options, isc_stdtime_t now, dns_name_t *target,
+		   void *arg, dns_name_t *name, dns_name_t *qname,
+		   dns_rdatatype_t qtype, unsigned int options,
+		   isc_stdtime_t now, dns_name_t *target,
 		   in_port_t port, dns_adbfind_t **find);
-/*
+/*%<
  * Main interface for clients. The adb will look up the name given in
  * "name" and will build up a list of found addresses, and perhaps start
  * internal fetches to resolve names that are unknown currently.
@@ -311,9 +344,9 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
  * set to a pointer to the dns_adbfind_t returned by this function.
  *
  * If no events will be generated, the *find->result_v4 and/or result_v6
- * members may be examined for address lookup status.  The usual ISC_R_SUCCESS,
- * ISC_R_FAILURE, and DNS_R_NX{DOMAIN,RRSET} are returned, along with
- * ISC_R_NOTFOUND meaning the ADB has not _yet_ found the values.  In this
+ * members may be examined for address lookup status.  The usual #ISC_R_SUCCESS,
+ * #ISC_R_FAILURE, and #DNS_R_NX{DOMAIN,RRSET} are returned, along with
+ * #ISC_R_NOTFOUND meaning the ADB has not _yet_ found the values.  In this
  * latter case, retrying may produce more addresses.
  *
  * If events will be returned, the result_v[46] members are only valid
@@ -346,42 +379,42 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
  *
  * Requires:
  *
- *	*adb be a valid isc_adb_t object.
+ *\li	*adb be a valid isc_adb_t object.
  *
- *	If events are to be sent, *task be a valid task,
+ *\li	If events are to be sent, *task be a valid task,
  *	and isc_taskaction_t != NULL.
  *
- *	*name is a valid dns_name_t.
+ *\li	*name is a valid dns_name_t.
  *
- *	zone != NULL and *zone be a valid dns_name_t.
+ *\li	qname != NULL and *qname be a valid dns_name_t.
  *
- *	target == NULL or target is a valid name with a buffer.
+ *\li	target == NULL or target is a valid name with a buffer.
  *
- *	find != NULL && *find == NULL.
+ *\li	find != NULL && *find == NULL.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS	Addresses might have been returned, and events will be
+ *\li	#ISC_R_SUCCESS	Addresses might have been returned, and events will be
  *			delivered for unresolved addresses.
- *	ISC_R_NOMORE	Addresses might have been returned, but no events
+ *\li	#ISC_R_NOMORE	Addresses might have been returned, but no events
  *			will ever be posted for this context.  This is only
  *			returned if task != NULL.
- *	ISC_R_NOMEMORY	insufficient resources
- *	DNS_R_ALIAS	'name' is an alias for another name.
+ *\li	#ISC_R_NOMEMORY	insufficient resources
+ *\li	#DNS_R_ALIAS	'name' is an alias for another name.
  *
  * Calls, and returns error codes from:
  *
- *	isc_stdtime_get()
+ *\li	isc_stdtime_get()
  *
  * Notes:
  *
- *	No internal reference to "name" exists after this function
+ *\li	No internal reference to "name" exists after this function
  *	returns.
  */
 
 void
 dns_adb_cancelfind(dns_adbfind_t *find);
-/*
+/*%<
  * Cancels the find, and sends the event off to the caller.
  *
  * It is an error to call dns_adb_cancelfind() on a find where
@@ -389,7 +422,7 @@ dns_adb_cancelfind(dns_adbfind_t *find);
  *
  * Note:
  *
- *	It is possible that the real completion event was posted just
+ *\li	It is possible that the real completion event was posted just
  *	before the dns_adb_cancelfind() call was made.  In this case,
  *	dns_adb_cancelfind() will do nothing.  The event callback needs
  *	to be prepared to find this situation (i.e. result is valid but
@@ -397,101 +430,105 @@ dns_adb_cancelfind(dns_adbfind_t *find);
  *
  * Requires:
  *
- *	'find' be a valid dns_adbfind_t pointer.
+ *\li	'find' be a valid dns_adbfind_t pointer.
  *
- *	events would have been posted to the task.  This can be checked
+ *\li	events would have been posted to the task.  This can be checked
  *	with (find->options & DNS_ADBFIND_WANTEVENT).
  *
  * Ensures:
  *
- *	The event was posted to the task.
+ *\li	The event was posted to the task.
  */
 
 void
 dns_adb_destroyfind(dns_adbfind_t **find);
-/*
+/*%<
  * Destroys the find reference.
  *
  * Note:
  *
- *	This can only be called after the event was delivered for a
+ *\li	This can only be called after the event was delivered for a
  *	find.  Additionally, the event MUST have been freed via
  *	isc_event_free() BEFORE this function is called.
  *
  * Requires:
  *
- *	'find' != NULL and *find be valid dns_adbfind_t pointer.
+ *\li	'find' != NULL and *find be valid dns_adbfind_t pointer.
  *
  * Ensures:
  *
- *	No "address found" events will be posted to the originating task
+ *\li	No "address found" events will be posted to the originating task
  *	after this function returns.
  */
 
 void
 dns_adb_dump(dns_adb_t *adb, FILE *f);
-/*
+/*%<
  * This function is only used for debugging.  It will dump as much of the
  * state of the running system as possible.
  *
  * Requires:
  *
- *	adb be valid.
+ *\li	adb be valid.
  *
- *	f != NULL, and is a file open for writing.
+ *\li	f != NULL, and is a file open for writing.
  */
 
 void
 dns_adb_dumpfind(dns_adbfind_t *find, FILE *f);
-/*
+/*%<
  * This function is only used for debugging.  Dump the data associated
  * with a find.
  *
  * Requires:
  *
- *	find is valid.
+ *\li	find is valid.
  *
- * 	f != NULL, and is a file open for writing.
+ * \li	f != NULL, and is a file open for writing.
  */
 
 isc_result_t
-dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *zone,
-		 isc_stdtime_t expire_time);
-/*
- * Mark the given address as lame for the zone "zone".  expire_time should
+dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *qname,
+		 dns_rdatatype_t type, isc_stdtime_t expire_time);
+/*%<
+ * Mark the given address as lame for the <qname,qtype>.  expire_time should
  * be set to the time when the entry should expire.  That is, if it is to
  * expire 10 minutes in the future, it should set it to (now + 10 * 60).
  *
  * Requires:
  *
- *	adb be valid.
+ *\li	adb be valid.
  *
- *	addr be valid.
+ *\li	addr be valid.
  *
- *	zone be the zone used in the dns_adb_createfind() call.
+ *\li	qname be the qname used in the dns_adb_createfind() call.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		-- all is well.
- *	ISC_R_NOMEMORY		-- could not mark address as lame.
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOMEMORY		-- could not mark address as lame.
  */
 
 /*
  * A reasonable default for RTT adjustments
  */
-#define DNS_ADB_RTTADJDEFAULT		7	/* default scale */
-#define DNS_ADB_RTTADJREPLACE		0	/* replace with our rtt */
-#define DNS_ADB_RTTADJAGE		10	/* age this rtt */
+#define DNS_ADB_RTTADJDEFAULT		7	/*%< default scale */
+#define DNS_ADB_RTTADJREPLACE		0	/*%< replace with our rtt */
+#define DNS_ADB_RTTADJAGE		10	/*%< age this rtt */
 
 void
 dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
 		   unsigned int rtt, unsigned int factor);
-/*
- * Mix the round trip time into the existing smoothed rtt.  The formula used
+/*%<
+ * Mix the round trip time into the existing smoothed rtt.  
+
+ * The formula used
  * (where srtt is the existing rtt value, and rtt and factor are arguments to
  * this function):
  *
+ *\code
  *	new_srtt = (old_srtt / 10 * factor) + (rtt / 10 * (10 - factor));
+ *\endcode
  *
  * XXXRTH  Do we want to publish the formula?  What if we want to change how
  *         this works later on?  Recommend/require that the units are
@@ -499,77 +536,79 @@ dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
  *
  * Requires:
  *
- *	adb be valid.
+ *\li	adb be valid.
  *
- *	addr be valid.
+ *\li	addr be valid.
  *
- *	0 <= factor <= 10
+ *\li	0 <= factor <= 10
  *
  * Note:
  *
- *	The srtt in addr will be updated to reflect the new global
+ *\li	The srtt in addr will be updated to reflect the new global
  *	srtt value.  This may include changes made by others.
  */
 
 void
 dns_adb_changeflags(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
 		    unsigned int bits, unsigned int mask);
-/*
+/*%
+ * Change Flags.
+ *
  * Set the flags as given by:
  *
- *	newflags = (oldflags & ~mask) | (bits & mask);
+ *\li	newflags = (oldflags & ~mask) | (bits & mask);
  *
  * Requires:
  *
- *	adb be valid.
+ *\li	adb be valid.
  *
- *	addr be valid.
+ *\li	addr be valid.
  */
 
 isc_result_t
 dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa,
 		     dns_adbaddrinfo_t **addrp, isc_stdtime_t now);
-/*
+/*%<
  * Return a dns_adbaddrinfo_t that is associated with address 'sa'.
  *
  * Requires:
  *
- *	adb is valid.
+ *\li	adb is valid.
  *
- *	sa is valid.
+ *\li	sa is valid.
  *
- *	addrp != NULL && *addrp == NULL
+ *\li	addrp != NULL && *addrp == NULL
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_SHUTTINGDOWN
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SHUTTINGDOWN
  */
 
 void
 dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp);
-/*
+/*%<
  * Free a dns_adbaddrinfo_t allocated by dns_adb_findaddrinfo().
  *
  * Requires:
  *
- *	adb is valid.
+ *\li	adb is valid.
  *
- *	*addrp is a valid dns_adbaddrinfo_t *.
+ *\li	*addrp is a valid dns_adbaddrinfo_t *.
  */
 
 void
 dns_adb_flush(dns_adb_t *adb);
-/*
+/*%<
  * Flushes all cached data from the adb.
  *
  * Requires:
- * 	adb is valid.
+ *\li 	adb is valid.
  */
 
 void
 dns_adb_setadbsize(dns_adb_t *adb, isc_uint32_t size);
-/*
+/*%<
  * Set a target memory size.  If memory usage exceeds the target
  * size entries will be removed before they would have expired on
  * a random basis.
@@ -577,17 +616,17 @@ dns_adb_setadbsize(dns_adb_t *adb, isc_uint32_t size);
  * If 'size' is 0 then memory usage is unlimited.
  *
  * Requires:
- *	'adb' is valid.
+ *\li	'adb' is valid.
  */
 
 void
 dns_adb_flushname(dns_adb_t *adb, dns_name_t *name);
-/*
+/*%<
  * Flush 'name' from the adb cache.
  * 
  * Requires:
- *	'adb' is valid.
- *	'name' is valid.
+ *\li	'adb' is valid.
+ *\li	'name' is valid.
  */
 
 
diff --git a/contrib/bind9/lib/dns/include/dns/bit.h b/contrib/bind9/lib/dns/include/dns/bit.h
index e4a7d20..770f294 100644
--- a/contrib/bind9/lib/dns/include/dns/bit.h
+++ b/contrib/bind9/lib/dns/include/dns/bit.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bit.h,v 1.7.206.1 2004/03/06 08:13:51 marka Exp $ */
+/* $Id: bit.h,v 1.8.18.2 2005/04/29 00:16:09 marka Exp $ */
 
 #ifndef DNS_BIT_H
 #define DNS_BIT_H 1
 
+/*! \file */
+
 #include <isc/int.h>
 #include <isc/boolean.h>
 
diff --git a/contrib/bind9/lib/dns/include/dns/byaddr.h b/contrib/bind9/lib/dns/include/dns/byaddr.h
index 8f69cd9..1f1e88c 100644
--- a/contrib/bind9/lib/dns/include/dns/byaddr.h
+++ b/contrib/bind9/lib/dns/include/dns/byaddr.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: byaddr.h,v 1.12.2.1.2.4 2004/03/08 09:04:34 marka Exp $ */
+/* $Id: byaddr.h,v 1.16.18.2 2005/04/29 00:16:09 marka Exp $ */
 
 #ifndef DNS_BYADDR_H
 #define DNS_BYADDR_H 1
@@ -24,28 +24,27 @@
  ***** Module Info
  *****/
 
-/*
- * DNS ByAddr
- *
+/*! \file
+ * \brief
  * The byaddr module provides reverse lookup services for IPv4 and IPv6
  * addresses.
  *
  * MP:
- *	The module ensures appropriate synchronization of data structures it
+ *\li	The module ensures appropriate synchronization of data structures it
  *	creates and manipulates.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	<TBS>
+ *\li	TBS
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Standards:
- *	RFCs:	1034, 1035, 2181, <TBS>
- *	Drafts:	<TBS>
+ *\li	RFCs:	1034, 1035, 2181, TBS
+ *\li	Drafts:	TBS
  */
 
 #include <isc/lang.h>
@@ -55,7 +54,7 @@
 
 ISC_LANG_BEGINDECLS
 
-/*
+/*%
  * A 'dns_byaddrevent_t' is returned when a byaddr completes.
  * The sender field will be set to the byaddr that completed.  If 'result'
  * is ISC_R_SUCCESS, then 'names' will contain a list of names associated
@@ -72,76 +71,79 @@ typedef struct dns_byaddrevent {
  * This option is deprecated since we now only consider nibbles.
 #define DNS_BYADDROPT_IPV6NIBBLE	0x0001
  */
+/*% Note DNS_BYADDROPT_IPV6NIBBLE is now deprecated. */
 #define DNS_BYADDROPT_IPV6INT		0x0002
 
 isc_result_t
 dns_byaddr_create(isc_mem_t *mctx, isc_netaddr_t *address, dns_view_t *view,
 		  unsigned int options, isc_task_t *task,
 		  isc_taskaction_t action, void *arg, dns_byaddr_t **byaddrp);
-/*
+/*%<
  * Find the domain name of 'address'.
  *
  * Notes:
  *
- *	There is a reverse lookup format for IPv6 addresses, 'nibble'
+ *\li	There is a reverse lookup format for IPv6 addresses, 'nibble'
  *
- *	The 'nibble' format for that address is
+ *\li	The 'nibble' format for that address is
  *
+ * \code
  *   1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.
+ * \endcode
  *
- *	DNS_BYADDROPT_IPV6INT can be used to get nibble lookups under ip6.int.
+ *\li	#DNS_BYADDROPT_IPV6INT can be used to get nibble lookups under ip6.int.
  *
  * Requires:
  *
- *	'mctx' is a valid mctx.
+ *\li	'mctx' is a valid mctx.
  *
- *	'address' is a valid IPv4 or IPv6 address.
+ *\li	'address' is a valid IPv4 or IPv6 address.
  *
- *	'view' is a valid view which has a resolver.
+ *\li	'view' is a valid view which has a resolver.
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
- *	byaddrp != NULL && *byaddrp == NULL
+ *\li	byaddrp != NULL && *byaddrp == NULL
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
  *
- *	Any resolver-related error (e.g. ISC_R_SHUTTINGDOWN) may also be
+ *\li	Any resolver-related error (e.g. #ISC_R_SHUTTINGDOWN) may also be
  *	returned.
  */
 
 void
 dns_byaddr_cancel(dns_byaddr_t *byaddr);
-/*
+/*%<
  * Cancel 'byaddr'.
  *
  * Notes:
  *
- *	If 'byaddr' has not completed, post its BYADDRDONE event with a
- *	result code of ISC_R_CANCELED.
+ *\li	If 'byaddr' has not completed, post its #BYADDRDONE event with a
+ *	result code of #ISC_R_CANCELED.
  *
  * Requires:
  *
- *	'byaddr' is a valid byaddr.
+ *\li	'byaddr' is a valid byaddr.
  */
 
 void
 dns_byaddr_destroy(dns_byaddr_t **byaddrp);
-/*
+/*%<
  * Destroy 'byaddr'.
  *
  * Requires:
  *
- *	'*byaddrp' is a valid byaddr.
+ *\li	'*byaddrp' is a valid byaddr.
  *
- *	The caller has received the BYADDRDONE event (either because the
+ *\li	The caller has received the BYADDRDONE event (either because the
  *	byaddr completed or because dns_byaddr_cancel() was called).
  *
  * Ensures:
  *
- *	*byaddrp == NULL.
+ *\li	*byaddrp == NULL.
  */
 
 isc_result_t
@@ -151,7 +153,7 @@ dns_byaddr_createptrname(isc_netaddr_t *address, isc_boolean_t nibble,
 isc_result_t
 dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
 			  dns_name_t *name);
-/*
+/*%<
  * Creates a name that would be used in a PTR query for this address.  The
  * nibble flag indicates that the 'nibble' format is to be used if an IPv6
  * address is provided, instead of the 'bitstring' format.  Since we dropped
@@ -160,8 +162,8 @@ dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
  *
  * Requires:
  * 
- * 	'address' is a valid address.
- * 	'name' is a valid name with a dedicated buffer.
+ * \li	'address' is a valid address.
+ * \li	'name' is a valid name with a dedicated buffer.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/cache.h b/contrib/bind9/lib/dns/include/dns/cache.h
index 4b775c9..fc4f78e 100644
--- a/contrib/bind9/lib/dns/include/dns/cache.h
+++ b/contrib/bind9/lib/dns/include/dns/cache.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.h,v 1.17.12.5 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: cache.h,v 1.19.18.3 2005/08/23 02:31:38 marka Exp $ */
 
 #ifndef DNS_CACHE_H
 #define DNS_CACHE_H 1
@@ -24,18 +24,17 @@
  ***** Module Info
  *****/
 
-/*
- * cache
- *
+/*! \file
+ * \brief
  * Defines dns_cache_t, the cache object.
  *
  * Notes:
- * 	A cache object contains DNS data of a single class.
+ *\li 	A cache object contains DNS data of a single class.
  *	Multiple classes will be handled by creating multiple
  *	views, each with a different class and its own cache.
  *
  * MP:
- *	See notes at the individual functions.
+ *\li	See notes at the individual functions.
  *
  * Reliability:
  *
@@ -66,71 +65,70 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 		 isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
 		 const char *db_type, unsigned int db_argc, char **db_argv,
 		 dns_cache_t **cachep);
-/*
+/*%<
  * Create a new DNS cache.
  *
  * Requires:
  *
- *	'mctx' is a valid memory context
+ *\li	'mctx' is a valid memory context
  *
- *	'taskmgr' is a valid task manager and 'timermgr' is a valid timer
+ *\li	'taskmgr' is a valid task manager and 'timermgr' is a valid timer
  * 	manager, or both are NULL.  If NULL, no periodic cleaning of the
  * 	cache will take place.
  *
- *	'cachep' is a valid pointer, and *cachep == NULL
+ *\li	'cachep' is a valid pointer, and *cachep == NULL
  *
  * Ensures:
  *
- *	'*cachep' is attached to the newly created cache
+ *\li	'*cachep' is attached to the newly created cache
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
  */
 
 void
 dns_cache_attach(dns_cache_t *cache, dns_cache_t **targetp);
-/*
+/*%<
  * Attach *targetp to cache.
  *
  * Requires:
  *
- *	'cache' is a valid cache.
+ *\li	'cache' is a valid cache.
  *
- *	'targetp' points to a NULL dns_cache_t *.
+ *\li	'targetp' points to a NULL dns_cache_t *.
  *
  * Ensures:
  *
- *	*targetp is attached to cache.
+ *\li	*targetp is attached to cache.
  */
 
 void
 dns_cache_detach(dns_cache_t **cachep);
-/*
+/*%<
  * Detach *cachep from its cache.
  *
  * Requires:
  *
- *	'cachep' points to a valid cache.
+ *\li	'cachep' points to a valid cache.
  *
  * Ensures:
  *
- *	*cachep is NULL.
- *
- *	If '*cachep' is the last reference to the cache,
+ *\li	*cachep is NULL.
  *
- *		All resources used by the cache will be freed
+ *\li	If '*cachep' is the last reference to the cache,
+ *		all resources used by the cache will be freed
  */
 
 void
 dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp);
-/*
+/*%<
  * Attach *dbp to the cache's database.
  *
  * Notes:
  *
- *	This may be used to get a reference to the database for
+ *\li	This may be used to get a reference to the database for
  *	the purpose of cache lookups (XXX currently it is also
  * 	the way to add data to the cache, but having a
  * 	separate dns_cache_add() interface instead would allow
@@ -140,39 +138,39 @@ dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp);
  *
  * Requires:
  *
- *	'cache' is a valid cache.
+ *\li	'cache' is a valid cache.
  *
- *	'dbp' points to a NULL dns_db *.
+ *\li	'dbp' points to a NULL dns_db *.
  *
  * Ensures:
  *
- *	*dbp is attached to the database.
+ *\li	*dbp is attached to the database.
  */
 
 
 isc_result_t
-dns_cache_setfilename(dns_cache_t *cahce, const char *filename);
-/*
+dns_cache_setfilename(dns_cache_t *cache, const char *filename);
+/*%<
  * If 'filename' is non-NULL, make the cache persistent.
  * The cache's data will be stored in the given file.
  * If 'filename' is NULL, make the cache non-persistent.
  * Files that are no longer used are not unlinked automatically.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	Various file-related failures
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	Various file-related failures
  */
 
 isc_result_t
 dns_cache_load(dns_cache_t *cache);
-/*
+/*%<
  * If the cache has a file name, load the cache contents from the file.
  * Previous cache contents are not discarded.
  * If no file name has been set, do nothing and return success.
  *
  * MT:
- *	Multiple simultaneous attempts to load or dump the cache
+ *\li	Multiple simultaneous attempts to load or dump the cache
  * 	will be serialized with respect to one another, but
  *	the cache may be read and updated while the dump is
  *	in progress.  Updates performed during loading
@@ -181,19 +179,19 @@ dns_cache_load(dns_cache_t *cache);
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *      Various failures depending on the database implementation type
+ *\li	#ISC_R_SUCCESS
+ *  \li    Various failures depending on the database implementation type
  */
 
 isc_result_t
 dns_cache_dump(dns_cache_t *cache);
-/*
+/*%<
  * If the cache has a file name, write the cache contents to disk,
  * overwriting any preexisting file.  If no file name has been set,
  * do nothing and return success.
  *
  * MT:
- *	Multiple simultaneous attempts to load or dump the cache
+ *\li	Multiple simultaneous attempts to load or dump the cache
  * 	will be serialized with respect to one another, but
  *	the cache may be read and updated while the dump is
  *	in progress.  Updates performed during the dump may
@@ -201,13 +199,13 @@ dns_cache_dump(dns_cache_t *cache);
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *      Various failures depending on the database implementation type
+ *\li	#ISC_R_SUCCESS
+ *  \li    Various failures depending on the database implementation type
  */
 
 isc_result_t
 dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now);
-/*
+/*%<
  * Force immediate cleaning of the cache, freeing all rdatasets
  * whose TTL has expired as of 'now' and that have no pending
  * references.
@@ -215,24 +213,24 @@ dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now);
 
 void
 dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int interval);
-/*
+/*%<
  * Set the periodic cache cleaning interval to 'interval' seconds.
  */
 
 void
 dns_cache_setcachesize(dns_cache_t *cache, isc_uint32_t size);
-/*
+/*%<
  * Set the maximum cache size.  0 means unlimited.
  */
 
 isc_result_t
 dns_cache_flush(dns_cache_t *cache);
-/*
+/*%<
  * Flushes all data from the cache.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
  */
 
 isc_result_t
@@ -241,13 +239,13 @@ dns_cache_flushname(dns_cache_t *cache, dns_name_t *name);
  * Flushes a given name from the cache.
  *
  * Requires:
- *	'cache' to be valid.
- *	'name' to be valid.
+ *\li	'cache' to be valid.
+ *\li	'name' to be valid.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	other error returns.
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	other error returns.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/callbacks.h b/contrib/bind9/lib/dns/include/dns/callbacks.h
index 9c2710a..6aee70b 100644
--- a/contrib/bind9/lib/dns/include/dns/callbacks.h
+++ b/contrib/bind9/lib/dns/include/dns/callbacks.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: callbacks.h,v 1.15.2.2.8.1 2004/03/06 08:13:51 marka Exp $ */
+/* $Id: callbacks.h,v 1.18.18.2 2005/04/29 00:16:10 marka Exp $ */
 
 #ifndef DNS_CALLBACKS_H
 #define DNS_CALLBACKS_H 1
 
+/*! \file */
+
 /***
  ***	Imports
  ***/
@@ -35,19 +37,19 @@ ISC_LANG_BEGINDECLS
  ***/
 
 struct dns_rdatacallbacks {
-	/*
+	/*%
 	 * dns_load_master calls this when it has rdatasets to commit.
 	 */
 	dns_addrdatasetfunc_t add;
-	/*
+	/*%
 	 * dns_load_master / dns_rdata_fromtext call this to issue a error.
 	 */
 	void	(*error)(struct dns_rdatacallbacks *, const char *, ...);
-	/*
+	/*%
 	 * dns_load_master / dns_rdata_fromtext call this to issue a warning.
 	 */
 	void	(*warn)(struct dns_rdatacallbacks *, const char *, ...);
-	/*
+	/*%
 	 * Private data handles for use by the above callback functions.
 	 */
 	void	*add_private;
@@ -61,20 +63,22 @@ struct dns_rdatacallbacks {
 
 void
 dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks);
-/*
+/*%<
  * Initialize 'callbacks'.
- * 	'error' and 'warn' are set to default callbacks that print the
+ *
+ *
+ * \li	'error' and 'warn' are set to default callbacks that print the
  *	error message through the DNS library log context.
  *
- *	All other elements are initialized to NULL.
+ *\li	All other elements are initialized to NULL.
  *
  * Requires:
- *      'callbacks' is a valid dns_rdatacallbacks_t,
+ *  \li    'callbacks' is a valid dns_rdatacallbacks_t,
  */
 
 void
 dns_rdatacallbacks_init_stdio(dns_rdatacallbacks_t *callbacks);
-/*
+/*%<
  * Like dns_rdatacallbacks_init, but logs to stdio.
  */
 
diff --git a/contrib/bind9/lib/dns/include/dns/cert.h b/contrib/bind9/lib/dns/include/dns/cert.h
index 28a3d4c..4de1aec 100644
--- a/contrib/bind9/lib/dns/include/dns/cert.h
+++ b/contrib/bind9/lib/dns/include/dns/cert.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cert.h,v 1.12.206.1 2004/03/06 08:13:51 marka Exp $ */
+/* $Id: cert.h,v 1.13.18.2 2005/04/29 00:16:10 marka Exp $ */
 
 #ifndef DNS_CERT_H
 #define DNS_CERT_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -28,38 +30,38 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source);
-/*
+/*%<
  * Convert the text 'source' refers to into a certificate type.
  * The text may contain either a mnemonic type name or a decimal type number.
  *
  * Requires:
- *	'certp' is a valid pointer.
+ *\li	'certp' is a valid pointer.
  *
- *	'source' is a valid text region.
+ *\li	'source' is a valid text region.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	ISC_R_RANGE			numeric type is out of range
- *	DNS_R_UNKNOWN			mnemonic type is unknown
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_RANGE			numeric type is out of range
+ *\li	#DNS_R_UNKNOWN			mnemonic type is unknown
  */
 
 isc_result_t
 dns_cert_totext(dns_cert_t cert, isc_buffer_t *target);
-/*
+/*%<
  * Put a textual representation of certificate type 'cert' into 'target'.
  *
  * Requires:
- *	'cert' is a valid cert.
+ *\li	'cert' is a valid cert.
  *
- *	'target' is a valid text buffer.
+ *\li	'target' is a valid text buffer.
  *
  * Ensures:
- *	If the result is success:
+ *\li	If the result is success:
  *		The used space in 'target' is updated.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	ISC_R_NOSPACE			target buffer is too small
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/compress.h b/contrib/bind9/lib/dns/include/dns/compress.h
index 042a4ea..4d9c011 100644
--- a/contrib/bind9/lib/dns/include/dns/compress.h
+++ b/contrib/bind9/lib/dns/include/dns/compress.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.h,v 1.29.2.2.8.3 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: compress.h,v 1.32.18.6 2006/03/02 00:37:21 marka Exp $ */
 
 #ifndef DNS_COMPRESS_H
 #define DNS_COMPRESS_H 1
@@ -27,11 +27,12 @@
 
 ISC_LANG_BEGINDECLS
 
-#define DNS_COMPRESS_NONE		0x00	/* no compression */
-#define DNS_COMPRESS_GLOBAL14		0x01	/* "normal" compression. */
-#define DNS_COMPRESS_ALL		0x01	/* all compression. */
+#define DNS_COMPRESS_NONE		0x00	/*%< no compression */
+#define DNS_COMPRESS_GLOBAL14		0x01	/*%< "normal" compression. */
+#define DNS_COMPRESS_ALL		0x01	/*%< all compression. */
+#define DNS_COMPRESS_CASESENSITIVE	0x02	/*%< case sensitive compression. */
 
-/*
+/*! \file
  *	Direct manipulation of the structures is strongly discouraged.
  */
 
@@ -49,198 +50,218 @@ struct dns_compressnode {
 };
 
 struct dns_compress {
-	unsigned int		magic;		/* Magic number. */
-	unsigned int		allowed;	/* Allowed methods. */
-	int			edns;		/* Edns version or -1. */
-	/* Global compression table. */
+	unsigned int		magic;		/*%< Magic number. */
+	unsigned int		allowed;	/*%< Allowed methods. */
+	int			edns;		/*%< Edns version or -1. */
+	/*% Global compression table. */
 	dns_compressnode_t	*table[DNS_COMPRESS_TABLESIZE];
-	/* Preallocated nodes for the table. */
+	/*% Preallocated nodes for the table. */
 	dns_compressnode_t	initialnodes[DNS_COMPRESS_INITIALNODES];
-	isc_uint16_t		count;		/* Number of nodes. */
-	isc_mem_t		*mctx;		/* Memory context. */
+	isc_uint16_t		count;		/*%< Number of nodes. */
+	isc_mem_t		*mctx;		/*%< Memory context. */
 };
 
 typedef enum {
-	DNS_DECOMPRESS_ANY,			/* Any compression */
-	DNS_DECOMPRESS_STRICT,			/* Allowed compression */
-	DNS_DECOMPRESS_NONE			/* No compression */
+	DNS_DECOMPRESS_ANY,			/*%< Any compression */
+	DNS_DECOMPRESS_STRICT,			/*%< Allowed compression */
+	DNS_DECOMPRESS_NONE			/*%< No compression */
 } dns_decompresstype_t;
 
 struct dns_decompress {
-	unsigned int		magic;		/* Magic number. */
-	unsigned int		allowed;	/* Allowed methods. */
-	int			edns;		/* Edns version or -1. */
-	dns_decompresstype_t	type;		/* Strict checking */
+	unsigned int		magic;		/*%< Magic number. */
+	unsigned int		allowed;	/*%< Allowed methods. */
+	int			edns;		/*%< Edns version or -1. */
+	dns_decompresstype_t	type;		/*%< Strict checking */
 };
 
 isc_result_t
 dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx);
-/*
+/*%<
  *	Inialise the compression context structure pointed to by 'cctx'.
  *
  *	Requires:
- *		'cctx' is a valid dns_compress_t structure.
- *		'mctx' is an initialized memory context.
+ *	\li	'cctx' is a valid dns_compress_t structure.
+ *	\li	'mctx' is an initialized memory context.
  *	Ensures:
- *		cctx->global is initialized.
+ *	\li	cctx->global is initialized.
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		failures from dns_rbt_create()
+ *	\li	#ISC_R_SUCCESS
+ *	\li	failures from dns_rbt_create()
  */
 
 void
 dns_compress_invalidate(dns_compress_t *cctx);
 
-/*
+/*%<
  *	Invalidate the compression structure pointed to by cctx.
  *
  *	Requires:
- *		'cctx' to be initialized.
+ *\li		'cctx' to be initialized.
  */
 
 void
 dns_compress_setmethods(dns_compress_t *cctx, unsigned int allowed);
 
-/*
+/*%<
  *	Sets allowed compression methods.
  *
  *	Requires:
- *		'cctx' to be initialized.
+ *\li		'cctx' to be initialized.
  */
 
 unsigned int
 dns_compress_getmethods(dns_compress_t *cctx);
 
-/*
+/*%<
  *	Gets allowed compression methods.
  *
  *	Requires:
- *		'cctx' to be initialized.
+ *\li		'cctx' to be initialized.
  *
  *	Returns:
- *		allowed compression bitmap.
+ *\li		allowed compression bitmap.
+ */
+
+void
+dns_compress_setsensitive(dns_compress_t *cctx, isc_boolean_t sensitive);
+
+/*
+ *	Preserve the case of compressed domain names.
+ *
+ *	Requires:
+ *		'cctx' to be initialized.
+ */
+
+isc_boolean_t
+dns_compress_getsensitive(dns_compress_t *cctx);
+/*
+ *	Return whether case is to be preservered when compressing
+ *	domain names.
+ *
+ *	Requires:
+ *		'cctx' to be initialized.
  */
 
 int
 dns_compress_getedns(dns_compress_t *cctx);
 
-/*
+/*%<
  *	Gets edns value.
  *
  *	Requires:
- *		'cctx' to be initialized.
+ *\li		'cctx' to be initialized.
  *
  *	Returns:
- *		-1 .. 255
+ *\li		-1 .. 255
  */
 
 isc_boolean_t
 dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
 			dns_name_t *prefix, isc_uint16_t *offset);
-/*
+/*%<
  *	Finds longest possible match of 'name' in the global compression table.
  *
  *	Requires:
- *		'cctx' to be initialized.
- *		'name' to be a absolute name.
- *		'prefix' to be initialized.
- *		'offset' to point to an isc_uint16_t.
+ *\li		'cctx' to be initialized.
+ *\li		'name' to be a absolute name.
+ *\li		'prefix' to be initialized.
+ *\li		'offset' to point to an isc_uint16_t.
  *
  *	Ensures:
- *		'prefix' and 'offset' are valid if ISC_TRUE is 	returned.
+ *\li		'prefix' and 'offset' are valid if ISC_TRUE is 	returned.
  *
  *	Returns:
- *		ISC_TRUE / ISC_FALSE
+ *\li		#ISC_TRUE / #ISC_FALSE
  */
 
 void
 dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
 		 const dns_name_t *prefix, isc_uint16_t offset);
-/*
+/*%<
  *	Add compression pointers for 'name' to the compression table,
  *	not replacing existing pointers.
  *
  *	Requires:
- *		'cctx' initialized
+ *\li		'cctx' initialized
  *
- *		'name' must be initialized and absolute, and must remain
+ *\li		'name' must be initialized and absolute, and must remain
  *		valid until the message compression is complete.
  *
- *		'prefix' must be a prefix returned by
+ *\li		'prefix' must be a prefix returned by
  *		dns_compress_findglobal(), or the same as 'name'.
  */
 
 void
 dns_compress_rollback(dns_compress_t *cctx, isc_uint16_t offset);
 
-/*
+/*%<
  *	Remove any compression pointers from global table >= offset.
  *
  *	Requires:
- *		'cctx' is initialized.
+ *\li		'cctx' is initialized.
  */
 
 void
 dns_decompress_init(dns_decompress_t *dctx, int edns,
 		    dns_decompresstype_t type);
 
-/*
+/*%<
  *	Initializes 'dctx'.
  *	Records 'edns' and 'type' into the structure.
  *
  *	Requires:
- *		'dctx' to be a valid pointer.
+ *\li		'dctx' to be a valid pointer.
  */
 
 void
 dns_decompress_invalidate(dns_decompress_t *dctx);
 
-/*
+/*%<
  *	Invalidates 'dctx'.
  *
  *	Requires:
- *		'dctx' to be initialized
+ *\li		'dctx' to be initialized
  */
 
 void
 dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed);
 
-/*
+/*%<
  *	Sets 'dctx->allowed' to 'allowed'.
  *
  *	Requires:
- *		'dctx' to be initialized
+ *\li		'dctx' to be initialized
  */
 
 unsigned int
 dns_decompress_getmethods(dns_decompress_t *dctx);
 
-/*
+/*%<
  *	Returns 'dctx->allowed'
  *
  *	Requires:
- *		'dctx' to be initialized
+ *\li		'dctx' to be initialized
  */
 
 int
 dns_decompress_edns(dns_decompress_t *dctx);
 
-/*
+/*%<
  *	Returns 'dctx->edns'
  *
  *	Requires:
- *		'dctx' to be initialized
+ *\li		'dctx' to be initialized
  */
 
 dns_decompresstype_t
 dns_decompress_type(dns_decompress_t *dctx);
 
-/*
+/*%<
  *	Returns 'dctx->type'
  *
  *	Requires:
- *		'dctx' to be initialized
+ *\li		'dctx' to be initialized
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/db.h b/contrib/bind9/lib/dns/include/dns/db.h
index 8e08882..a791a2e 100644
--- a/contrib/bind9/lib/dns/include/dns/db.h
+++ b/contrib/bind9/lib/dns/include/dns/db.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db.h,v 1.67.12.8 2004/05/14 05:06:41 marka Exp $ */
+/* $Id: db.h,v 1.76.18.7 2005/10/13 02:12:25 marka Exp $ */
 
 #ifndef DNS_DB_H
 #define DNS_DB_H 1
@@ -24,31 +24,30 @@
  ***** Module Info
  *****/
 
-/*
- * DNS DB
- *
+/*! \file
+ * \brief
  * The DNS DB interface allows named rdatasets to be stored and retrieved.
  *
  * The dns_db_t type is like a "virtual class".  To actually use
  * DBs, an implementation of the class is required.
  *
- * XXX <more> XXX
+ * XXX more XXX
  *
  * MP:
- *	The module ensures appropriate synchronization of data structures it
+ * \li	The module ensures appropriate synchronization of data structures it
  *	creates and manipulates.
  *
  * Reliability:
- *	No anticipated impact.
+ * \li	No anticipated impact.
  *
  * Resources:
- *	<TBS>
+ * \li	TBS
  *
  * Security:
- *	No anticipated impact.
+ * \li	No anticipated impact.
  *
  * Standards:
- *	None.
+ * \li	None.
  */
 
 /*****
@@ -76,7 +75,8 @@ typedef struct dns_dbmethods {
 				     dns_dbload_t **dbloadp);
 	isc_result_t	(*endload)(dns_db_t *db, dns_dbload_t **dbloadp);
 	isc_result_t	(*dump)(dns_db_t *db, dns_dbversion_t *version,
-				const char *filename);
+				const char *filename,
+				dns_masterformat_t masterformat);
 	void		(*currentversion)(dns_db_t *db,
 					  dns_dbversion_t **versionp);
 	isc_result_t	(*newversion)(dns_db_t *db,
@@ -145,6 +145,7 @@ typedef struct dns_dbmethods {
 	isc_boolean_t	(*ispersistent)(dns_db_t *db);
 	void		(*overmem)(dns_db_t *db, isc_boolean_t overmem);
 	void		(*settask)(dns_db_t *db, isc_task_t *);
+	isc_result_t	(*getoriginnode)(dns_db_t *db, dns_dbnode_t **nodep);
 } dns_dbmethods_t;
 
 typedef isc_result_t
@@ -156,10 +157,10 @@ typedef isc_result_t
 #define DNS_DB_MAGIC		ISC_MAGIC('D','N','S','D')
 #define DNS_DB_VALID(db)	ISC_MAGIC_VALID(db, DNS_DB_MAGIC)
 
-/*
+/*%
  * This structure is actually just the common prefix of a DNS db
  * implementation's version of a dns_db_t.
- *
+ * \brief
  * Direct use of this structure by clients is forbidden.  DB implementations
  * may change the structure.  'magic' must be DNS_DB_MAGIC for any of the
  * dns_db_ routines to work.  DB implementations must maintain all DB
@@ -179,7 +180,8 @@ struct dns_db {
 #define DNS_DBATTR_CACHE		0x01
 #define DNS_DBATTR_STUB			0x02
 
-/*
+/*@{*/
+/*%
  * Options that can be specified for dns_db_find().
  */
 #define DNS_DBFIND_GLUEOK		0x01
@@ -189,16 +191,19 @@ struct dns_db {
 #define DNS_DBFIND_NOEXACT		0x10
 #define DNS_DBFIND_FORCENSEC		0x20
 #define DNS_DBFIND_COVERINGNSEC		0x40
+/*@}*/
 
-/*
+/*@{*/
+/*%
  * Options that can be specified for dns_db_addrdataset().
  */
 #define DNS_DBADD_MERGE			0x01
 #define DNS_DBADD_FORCE			0x02
 #define DNS_DBADD_EXACT			0x04
 #define DNS_DBADD_EXACTTTL		0x08
+/*@}*/
 
-/*
+/*%
  * Options that can be specified for dns_db_subtractrdataset().
  */
 #define DNS_DBSUB_EXACT			0x01
@@ -215,78 +220,77 @@ isc_result_t
 dns_db_create(isc_mem_t *mctx, const char *db_type, dns_name_t *origin,
 	      dns_dbtype_t type, dns_rdataclass_t rdclass,
 	      unsigned int argc, char *argv[], dns_db_t **dbp);
-/*
+/*%<
  * Create a new database using implementation 'db_type'.
  *
  * Notes:
- *	All names in the database must be subdomains of 'origin' and in class
+ * \li	All names in the database must be subdomains of 'origin' and in class
  *	'rdclass'.  The database makes its own copy of the origin, so the
  *	caller may do whatever they like with 'origin' and its storage once the
  *	call returns.
  *
- *	DB implementation-specific parameters are passed using argc and argv.
+ * \li	DB implementation-specific parameters are passed using argc and argv.
  *
  * Requires:
  *
- *	dbp != NULL and *dbp == NULL
+ * \li	dbp != NULL and *dbp == NULL
  *
- *	'origin' is a valid absolute domain name.
+ * \li	'origin' is a valid absolute domain name.
  *
- *	mctx is a valid memory context
+ * \li	mctx is a valid memory context
  *
  * Ensures:
  *
- *	A copy of 'origin' has been made for the databases use, and the
+ * \li	A copy of 'origin' has been made for the databases use, and the
  *	caller is free to do whatever they want with the name and storage
  *	associated with 'origin'.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_NOTFOUND				db_type not found
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ * \li	#ISC_R_NOTFOUND				db_type not found
  *
- *	Many other errors are possible, depending on what db_type was
+ * \li	Many other errors are possible, depending on what db_type was
  *	specified.
  */
 
 void
 dns_db_attach(dns_db_t *source, dns_db_t **targetp);
-/*
+/*%<
  * Attach *targetp to source.
  *
  * Requires:
  *
- *	'source' is a valid database.
+ * \li	'source' is a valid database.
  *
- *	'targetp' points to a NULL dns_db_t *.
+ * \li	'targetp' points to a NULL dns_db_t *.
  *
  * Ensures:
  *
- *	*targetp is attached to source.
+ * \li	*targetp is attached to source.
  */
 
 void
 dns_db_detach(dns_db_t **dbp);
-/*
+/*%<
  * Detach *dbp from its database.
  *
  * Requires:
  *
- *	'dbp' points to a valid database.
+ * \li	'dbp' points to a valid database.
  *
  * Ensures:
  *
- *	*dbp is NULL.
- *
- *	If '*dbp' is the last reference to the database,
+ * \li	*dbp is NULL.
  *
- *		All resources used by the database will be freed
+ * \li	If '*dbp' is the last reference to the database,
+ *		all resources used by the database will be freed
  */
 
 isc_result_t
 dns_db_ondestroy(dns_db_t *db, isc_task_t *task, isc_event_t **eventp);
-/*
+/*%<
  * Causes 'eventp' to be sent to be sent to 'task' when the database is
  * destroyed.
  *
@@ -297,189 +301,198 @@ dns_db_ondestroy(dns_db_t *db, isc_task_t *task, isc_event_t **eventp);
 
 isc_boolean_t
 dns_db_iscache(dns_db_t *db);
-/*
+/*%<
  * Does 'db' have cache semantics?
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
  * Returns:
- *	ISC_TRUE	'db' has cache semantics
- *	ISC_FALSE	otherwise
+ * \li	#ISC_TRUE	'db' has cache semantics
+ * \li	#ISC_FALSE	otherwise
  */
 
 isc_boolean_t
 dns_db_iszone(dns_db_t *db);
-/*
+/*%<
  * Does 'db' have zone semantics?
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
  * Returns:
- *	ISC_TRUE	'db' has zone semantics
- *	ISC_FALSE	otherwise
+ * \li	#ISC_TRUE	'db' has zone semantics
+ * \li	#ISC_FALSE	otherwise
  */
 
 isc_boolean_t
 dns_db_isstub(dns_db_t *db);
-/*
+/*%<
  * Does 'db' have stub semantics?
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
  * Returns:
- *	ISC_TRUE	'db' has zone semantics
- *	ISC_FALSE	otherwise
+ * \li	#ISC_TRUE	'db' has zone semantics
+ * \li	#ISC_FALSE	otherwise
  */
 
 isc_boolean_t
 dns_db_issecure(dns_db_t *db);
-/*
+/*%<
  * Is 'db' secure?
  *
  * Requires:
  *
- *	'db' is a valid database with zone semantics.
+ * \li	'db' is a valid database with zone semantics.
  *
  * Returns:
- *	ISC_TRUE	'db' is secure.
- *	ISC_FALSE	'db' is not secure.
+ * \li	#ISC_TRUE	'db' is secure.
+ * \li	#ISC_FALSE	'db' is not secure.
  */
 
 dns_name_t *
 dns_db_origin(dns_db_t *db);
-/*
+/*%<
  * The origin of the database.
  *
  * Note: caller must not try to change this name.
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
  * Returns:
  *
- *	The origin of the database.
+ * \li	The origin of the database.
  */
 
 dns_rdataclass_t
 dns_db_class(dns_db_t *db);
-/*
+/*%<
  * The class of the database.
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
  * Returns:
  *
- *	The class of the database.
+ * \li	The class of the database.
  */
 
 isc_result_t
 dns_db_beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp,
 		 dns_dbload_t **dbloadp);
-/*
+/*%<
  * Begin loading 'db'.
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
- *	This is the first attempt to load 'db'.
+ * \li	This is the first attempt to load 'db'.
  *
- *	addp != NULL && *addp == NULL
+ * \li	addp != NULL && *addp == NULL
  *
- *	dbloadp != NULL && *dbloadp == NULL
+ * \li	dbloadp != NULL && *dbloadp == NULL
  *
  * Ensures:
  *
- *	On success, *addp will be a valid dns_addrdatasetfunc_t suitable
+ * \li	On success, *addp will be a valid dns_addrdatasetfunc_t suitable
  *	for loading 'db'.  *dbloadp will be a valid DB load context which
  *	should be used as 'arg' when *addp is called.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
  *
- *	Other results are possible, depending upon the database
+ * \li	Other results are possible, depending upon the database
  *	implementation used, syntax errors in the master file, etc.
  */
 
 isc_result_t
 dns_db_endload(dns_db_t *db, dns_dbload_t **dbloadp);
-/*
+/*%<
  * Finish loading 'db'.
  *
  * Requires:
  *
- *	'db' is a valid database that is being loaded.
+ * \li	'db' is a valid database that is being loaded.
  *
- *	dbloadp != NULL and *dbloadp is a valid database load context.
+ * \li	dbloadp != NULL and *dbloadp is a valid database load context.
  *
  * Ensures:
  *
- *	*dbloadp == NULL
+ * \li	*dbloadp == NULL
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
  *
- *	Other results are possible, depending upon the database
+ * \li	Other results are possible, depending upon the database
  *	implementation used, syntax errors in the master file, etc.
  */
 
 isc_result_t
 dns_db_load(dns_db_t *db, const char *filename);
-/*
+
+isc_result_t
+dns_db_load2(dns_db_t *db, const char *filename, dns_masterformat_t format);
+/*%<
  * Load master file 'filename' into 'db'.
  *
  * Notes:
- *	This routine is equivalent to calling
+ * \li	This routine is equivalent to calling
  *
+ *\code
  *		dns_db_beginload();
  *		dns_master_loadfile();
  *		dns_db_endload();
+ *\endcode
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
- *	This is the first attempt to load 'db'.
+ * \li	This is the first attempt to load 'db'.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
  *
- *	Other results are possible, depending upon the database
+ * \li	Other results are possible, depending upon the database
  *	implementation used, syntax errors in the master file, etc.
  */
 
 isc_result_t
 dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename);
-/*
+
+isc_result_t
+dns_db_dump2(dns_db_t *db, dns_dbversion_t *version, const char *filename,
+	     dns_masterformat_t masterformat);
+/*%<
  * Dump version 'version' of 'db' to master file 'filename'.
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
- *	'version' is a valid version.
+ * \li	'version' is a valid version.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
  *
- *	Other results are possible, depending upon the database
+ * \li	Other results are possible, depending upon the database
  *	implementation used, OS file errors, etc.
  */
 
@@ -489,68 +502,68 @@ dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename);
 
 void
 dns_db_currentversion(dns_db_t *db, dns_dbversion_t **versionp);
-/*
+/*%<
  * Open the current version for reading.
  *
  * Requires:
  *
- *	'db' is a valid database with zone semantics.
+ * \li	'db' is a valid database with zone semantics.
  *
- *	versionp != NULL && *verisonp == NULL
+ * \li	versionp != NULL && *verisonp == NULL
  *
  * Ensures:
  *
- *	On success, '*versionp' is attached to the current version.
+ * \li	On success, '*versionp' is attached to the current version.
  *
  */
 
 isc_result_t
 dns_db_newversion(dns_db_t *db, dns_dbversion_t **versionp);
-/*
+/*%<
  * Open a new version for reading and writing.
  *
  * Requires:
  *
- *	'db' is a valid database with zone semantics.
+ * \li	'db' is a valid database with zone semantics.
  *
- *	versionp != NULL && *verisonp == NULL
+ * \li	versionp != NULL && *verisonp == NULL
  *
  * Ensures:
  *
- *	On success, '*versionp' is attached to the current version.
+ * \li	On success, '*versionp' is attached to the current version.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
  *
- *	Other results are possible, depending upon the database
+ * \li	Other results are possible, depending upon the database
  *	implementation used.
  */
 
 void
 dns_db_attachversion(dns_db_t *db, dns_dbversion_t *source,
 		     dns_dbversion_t **targetp);
-/*
+/*%<
  * Attach '*targetp' to 'source'.
  *
  * Requires:
  *
- *	'db' is a valid database with zone semantics.
+ * \li	'db' is a valid database with zone semantics.
  *
- *	source is a valid open version
+ * \li	source is a valid open version
  *
- *	targetp != NULL && *targetp == NULL
+ * \li	targetp != NULL && *targetp == NULL
  *
  * Ensures:
  *
- *	'*targetp' is attached to source.
+ * \li	'*targetp' is attached to source.
  */
 
 void
 dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp,
 		    isc_boolean_t commit);
-/*
+/*%<
  * Close version '*versionp'.
  *
  * Note: if '*versionp' is a read-write version and 'commit' is ISC_TRUE,
@@ -560,19 +573,19 @@ dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp,
  *
  * Requires:
  *
- *	'db' is a valid database with zone semantics.
+ * \li	'db' is a valid database with zone semantics.
  *
- *	'*versionp' refers to a valid version.
+ * \li	'*versionp' refers to a valid version.
  *
- *	If committing a writable version, then there must be no other
+ * \li	If committing a writable version, then there must be no other
  *	outstanding references to the version (e.g. an active rdataset
  *	iterator).
  *
  * Ensures:
  *
- *	*versionp == NULL
+ * \li	*versionp == NULL
  *
- *	If *versionp is a read-write version, and commit is ISC_TRUE, then
+ * \li	If *versionp is a read-write version, and commit is ISC_TRUE, then
  *	the version will become the current version.  If !commit, then all
  *	changes made in the version will be undone, and the version will
  *	not become the current version.
@@ -585,37 +598,37 @@ dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp,
 isc_result_t
 dns_db_findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
 		dns_dbnode_t **nodep);
-/*
+/*%<
  * Find the node with name 'name'.
  *
  * Notes:
- *	If 'create' is ISC_TRUE and no node with name 'name' exists, then
+ * \li	If 'create' is ISC_TRUE and no node with name 'name' exists, then
  *	such a node will be created.
  *
- *	This routine is for finding or creating a node with the specified
+ * \li	This routine is for finding or creating a node with the specified
  *	name.  There are no partial matches.  It is not suitable for use
  *	in building responses to ordinary DNS queries; clients which wish
  *	to do that should use dns_db_find() instead.
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
- *	'name' is a valid, non-empty, absolute name.
+ * \li	'name' is a valid, non-empty, absolute name.
  *
- *	nodep != NULL && *nodep == NULL
+ * \li	nodep != NULL && *nodep == NULL
  *
  * Ensures:
  *
- *	On success, *nodep is attached to the node with name 'name'.
+ * \li	On success, *nodep is attached to the node with name 'name'.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOTFOUND			If !create and name not found.
- *	ISC_R_NOMEMORY		        Can only happen if create is ISC_TRUE.
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND			If !create and name not found.
+ * \li	#ISC_R_NOMEMORY		        Can only happen if create is ISC_TRUE.
  *
- *	Other results are possible, depending upon the database
+ * \li	Other results are possible, depending upon the database
  *	implementation used.
  */
 
@@ -624,44 +637,44 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	    dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
 	    dns_dbnode_t **nodep, dns_name_t *foundname,
 	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*
+/*%<
  * Find the best match for 'name' and 'type' in version 'version' of 'db'.
  *
  * Notes:
  *
- *	If type == dns_rdataset_any, then rdataset will not be bound.
+ * \li	If type == dns_rdataset_any, then rdataset will not be bound.
  *
- *	If 'options' does not have DNS_DBFIND_GLUEOK set, then no glue will
- *	be returned.  For zone databases, glue is as defined in RFC 2181.
+ * \li	If 'options' does not have #DNS_DBFIND_GLUEOK set, then no glue will
+ *	be returned.  For zone databases, glue is as defined in RFC2181.
  *	For cache databases, glue is any rdataset with a trust of
  *	dns_trust_glue.
  *
- *	If 'options' does not have DNS_DBFIND_PENDINGOK set, then no
+ * \li	If 'options' does not have #DNS_DBFIND_PENDINGOK set, then no
  *	pending data will be returned.  This option is only meaningful for
  *	cache databases.
  *
- *	If the DNS_DBFIND_NOWILD option is set, then wildcard matching will
+ * \li	If the #DNS_DBFIND_NOWILD option is set, then wildcard matching will
  *	be disabled.  This option is only meaningful for zone databases.
  *
- *	If the DNS_DBFIND_FORCENSEC option is set, the database is assumed to
+ * \li	If the #DNS_DBFIND_FORCENSEC option is set, the database is assumed to
  *	have NSEC records, and these will be returned when appropriate.  This
  *	is only necessary when querying a database that was not secure
  *	when created.
  *
- *	If the DNS_DBFIND_COVERINGNSEC option is set, then look for a
+ * \li	If the DNS_DBFIND_COVERINGNSEC option is set, then look for a
  *	NSEC record that potentially covers 'name' if a answer cannot
  *	be found.  Note the returned NSEC needs to be checked to ensure
  *	that it is correct.  This only affects answers returned from the
  *	cache.
  *
- *	To respond to a query for SIG records, the caller should create a
+ * \li	To respond to a query for SIG records, the caller should create a
  *	rdataset iterator and extract the signatures from each rdataset.
  *
- *	Making queries of type ANY with DNS_DBFIND_GLUEOK is not recommended,
+ * \li	Making queries of type ANY with #DNS_DBFIND_GLUEOK is not recommended,
  *	because the burden of determining whether a given rdataset is valid
  *	glue or not falls upon the caller.
  *
- *	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
+ * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
  *	cache database, an rdataset will not be found unless it expires after
  *	'now'.  Any ANY query will not match unless at least one rdataset at
  *	the node expires after 'now'.  If 'now' is zero, then the current time
@@ -669,43 +682,41 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
- *	'type' is not SIG, or a meta-RR type other than 'ANY' (e.g. 'OPT').
+ * \li	'type' is not SIG, or a meta-RR type other than 'ANY' (e.g. 'OPT').
  *
- *	'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
+ * \li	'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
  *
- *	'foundname' is a valid name with a dedicated buffer.
+ * \li	'foundname' is a valid name with a dedicated buffer.
  *
- *	'rdataset' is NULL, or is a valid unassociated rdataset.
+ * \li	'rdataset' is NULL, or is a valid unassociated rdataset.
  *
- * Ensures:
- *	On a non-error completion:
+ * Ensures,
+ *	on a non-error completion:
  *
- *		If nodep != NULL, then it is bound to the found node.
+ *	\li	If nodep != NULL, then it is bound to the found node.
  *
- *		If foundname != NULL, then it contains the full name of the
+ *	\li	If foundname != NULL, then it contains the full name of the
  *		found node.
  *
- *		If rdataset != NULL and type != dns_rdatatype_any, then
+ *	\li	If rdataset != NULL and type != dns_rdatatype_any, then
  *		rdataset is bound to the found rdataset.
  *
- * Returns:
- *
  *	Non-error results are:
  *
- *		ISC_R_SUCCESS			The desired node and type were
+ *	\li	#ISC_R_SUCCESS			The desired node and type were
  *						found.
  *
- *		DNS_R_WILDCARD			The desired node and type were
+ *	\li	#DNS_R_WILDCARD			The desired node and type were
  *						found after performing
  *						wildcard matching.  This is
  *						only returned if the
- *						DNS_DBFIND_INDICATEWILD
+ *						#DNS_DBFIND_INDICATEWILD
  *						option is set; otherwise
- *						ISC_R_SUCCESS is returned.
+ *						#ISC_R_SUCCESS is returned.
  *
- *		DNS_R_GLUE			The desired node and type were
+ *	\li	#DNS_R_GLUE			The desired node and type were
  *						found, but are glue.  This
  *						result can only occur if
  *						the DNS_DBFIND_GLUEOK option
@@ -720,7 +731,7 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  *						take care not to return invalid
  *						glue to a client.
  *
- *		DNS_R_DELEGATION		The data requested is beneath
+ *	\li	#DNS_R_DELEGATION		The data requested is beneath
  *						a zone cut.  node, foundname,
  *						and rdataset reference the
  *						NS RRset of the zone cut.
@@ -728,7 +739,7 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  *						then this is the deepest known
  *						delegation.
  *
- *		DNS_R_ZONECUT			type == dns_rdatatype_any, and
+ *	\li	#DNS_R_ZONECUT			type == dns_rdatatype_any, and
  *						the desired node is a zonecut.
  *						The caller must take care not
  *						to return inappropriate glue
@@ -737,24 +748,24 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  *						database and DNS_DBFIND_GLUEOK
  *						is set.
  *
- *		DNS_R_DNAME			The data requested is beneath
+ *	\li	#DNS_R_DNAME			The data requested is beneath
  *						a DNAME.  node, foundname,
  *						and rdataset reference the
  *						DNAME RRset.
  *
- *		DNS_R_CNAME			The rdataset requested was not
+ *	\li	#DNS_R_CNAME			The rdataset requested was not
  *						found, but there is a CNAME
  *						at the desired name.  node,
  *						foundname, and rdataset
  *						reference the CNAME RRset.
  *
- *		DNS_R_NXDOMAIN			The desired name does not
+ *	\li	#DNS_R_NXDOMAIN			The desired name does not
  *						exist.
  *
- *		DNS_R_NXRRSET			The desired name exists, but
+ *	\li	#DNS_R_NXRRSET			The desired name exists, but
  *						the desired type does not.
  *
- *		ISC_R_NOTFOUND			The desired name does not
+ *	\li	#ISC_R_NOTFOUND			The desired name does not
  *						exist, and no delegation could
  *						be found.  This result can only
  *						occur if 'db' is a cache
@@ -762,34 +773,34 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  *						use its nameserver(s) of last
  *						resort (e.g. root hints).
  *
- *		DNS_R_NCACHENXDOMAIN		The desired name does not
+ *	\li	#DNS_R_NCACHENXDOMAIN		The desired name does not
  *						exist.  'node' is bound to the
  *						cache node with the desired
  *						name, and 'rdataset' contains
  *						the negative caching proof.
  *
- *		DNS_R_NCACHENXRRSET		The desired type does not
+ *	\li	#DNS_R_NCACHENXRRSET		The desired type does not
  *						exist.  'node' is bound to the
  *						cache node with the desired
  *						name, and 'rdataset' contains
  *						the negative caching proof.
  *
- *		DNS_R_EMPTYNAME			The name exists but there is
+ *	\li	#DNS_R_EMPTYNAME			The name exists but there is
  *						no data at the name. 
  *
- *		DNS_R_COVERINGNSEC		The returned data is a NSEC
+ *	\li	#DNS_R_COVERINGNSEC		The returned data is a NSEC
  *						that potentially covers 'name'.
  *
  *	Error results:
  *
- *		ISC_R_NOMEMORY
+ *	\li	#ISC_R_NOMEMORY
  *
- *		DNS_R_BADDB			Data that is required to be
+ *	\li	#DNS_R_BADDB			Data that is required to be
  *						present in the DB, e.g. an NSEC
  *						record in a secure zone, is not
  *						present.
  *
- *		Other results are possible, and should all be treated as
+ *	\li	Other results are possible, and should all be treated as
  *		errors.
  */
 
@@ -798,100 +809,97 @@ dns_db_findzonecut(dns_db_t *db, dns_name_t *name,
 		   unsigned int options, isc_stdtime_t now,
 		   dns_dbnode_t **nodep, dns_name_t *foundname,
 		   dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*
+/*%<
  * Find the deepest known zonecut which encloses 'name' in 'db'.
  *
  * Notes:
  *
- *	If the DNS_DBFIND_NOEXACT option is set, then the zonecut returned
+ * \li	If the #DNS_DBFIND_NOEXACT option is set, then the zonecut returned
  *	(if any) will be the deepest known ancestor of 'name'.
  *
- *	If 'now' is zero, then the current time will be used.
+ * \li	If 'now' is zero, then the current time will be used.
  *
  * Requires:
  *
- *	'db' is a valid database with cache semantics.
+ * \li	'db' is a valid database with cache semantics.
  *
- *	'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
+ * \li	'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
  *
- *	'foundname' is a valid name with a dedicated buffer.
+ * \li	'foundname' is a valid name with a dedicated buffer.
  *
- *	'rdataset' is NULL, or is a valid unassociated rdataset.
+ * \li	'rdataset' is NULL, or is a valid unassociated rdataset.
  *
- * Ensures:
- *	On a non-error completion:
+ * Ensures, on a non-error completion:
  *
- *		If nodep != NULL, then it is bound to the found node.
+ * \li	If nodep != NULL, then it is bound to the found node.
  *
- *		If foundname != NULL, then it contains the full name of the
- *		found node.
+ * \li	If foundname != NULL, then it contains the full name of the
+ *	found node.
  *
- *		If rdataset != NULL and type != dns_rdatatype_any, then
- *		rdataset is bound to the found rdataset.
+ * \li	If rdataset != NULL and type != dns_rdatatype_any, then
+ *	rdataset is bound to the found rdataset.
  *
- * Returns:
+ * Non-error results are:
  *
- *	Non-error results are:
- *
- *		ISC_R_SUCCESS
+ * \li	#ISC_R_SUCCESS
  *
- *		ISC_R_NOTFOUND
+ * \li	#ISC_R_NOTFOUND
  *
- *		Other results are possible, and should all be treated as
- *		errors.
+ * \li	Other results are possible, and should all be treated as
+ *	errors.
  */
 
 void
 dns_db_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp);
-/*
+/*%<
  * Attach *targetp to source.
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
- *	'source' is a valid node.
+ * \li	'source' is a valid node.
  *
- *	'targetp' points to a NULL dns_node_t *.
+ * \li	'targetp' points to a NULL dns_node_t *.
  *
  * Ensures:
  *
- *	*targetp is attached to source.
+ * \li	*targetp is attached to source.
  */
 
 void
 dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep);
-/*
+/*%<
  * Detach *nodep from its node.
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
- *	'nodep' points to a valid node.
+ * \li	'nodep' points to a valid node.
  *
  * Ensures:
  *
- *	*nodep is NULL.
+ * \li	*nodep is NULL.
  */
 
 isc_result_t
 dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now);
-/*
+/*%<
  * Mark as stale all records at 'node' which expire at or before 'now'.
  *
  * Note: if 'now' is zero, then the current time will be used.
  *
  * Requires:
  *
- *	'db' is a valid cache database.
+ * \li	'db' is a valid cache database.
  *
- *	'node' is a valid node.
+ * \li	'node' is a valid node.
  */
 
 void
 dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out);
-/*
+/*%<
  * Print a textual representation of the contents of the node to
  * 'out'.
  *
@@ -899,9 +907,9 @@ dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out);
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
- *	'node' is a valid node.
+ * \li	'node' is a valid node.
  */
 
 /***
@@ -911,29 +919,29 @@ dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out);
 isc_result_t
 dns_db_createiterator(dns_db_t *db, isc_boolean_t relative_names,
 		      dns_dbiterator_t **iteratorp);
-/*
+/*%<
  * Create an iterator for version 'version' of 'db'.
  *
  * Notes:
  *
- *	If 'relative_names' is ISC_TRUE, then node names returned by the
+ * \li	If 'relative_names' is ISC_TRUE, then node names returned by the
  *	iterator will be relative to the iterator's current origin.  If
- *	ISC_FALSE, then the node names will be absolute.
+ *	#ISC_FALSE, then the node names will be absolute.
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
- *	iteratorp != NULL && *iteratorp == NULL
+ * \li	iteratorp != NULL && *iteratorp == NULL
  *
  * Ensures:
  *
- *	On success, *iteratorp will be a valid database iterator.
+ * \li	On success, *iteratorp will be a valid database iterator.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
  */
 
 /***
@@ -949,62 +957,62 @@ dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		    dns_rdatatype_t type, dns_rdatatype_t covers,
 		    isc_stdtime_t now, dns_rdataset_t *rdataset,
 		    dns_rdataset_t *sigrdataset);
-/*
+/*%<
  * Search for an rdataset of type 'type' at 'node' that are in version
  * 'version' of 'db'.  If found, make 'rdataset' refer to it.
  *
  * Notes:
  *
- *	If 'version' is NULL, then the current version will be used.
+ * \li	If 'version' is NULL, then the current version will be used.
  *
- *	Care must be used when using this routine to build a DNS response:
+ * \li	Care must be used when using this routine to build a DNS response:
  *	'node' should have been found with dns_db_find(), not
  *	dns_db_findnode().  No glue checking is done.  No checking for
  *	pending data is done.
  *
- *	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
+ * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
  *	cache database, an rdataset will not be found unless it expires after
  *	'now'.  If 'now' is zero, then the current time will be used.
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
- *	'node' is a valid node.
+ * \li	'node' is a valid node.
  *
- *	'rdataset' is a valid, disassociated rdataset.
+ * \li	'rdataset' is a valid, disassociated rdataset.
  *
- *	'sigrdataset' is a valid, disassociated rdataset, or it is NULL.
+ * \li	'sigrdataset' is a valid, disassociated rdataset, or it is NULL.
  *
- *	If 'covers' != 0, 'type' must be SIG.
+ * \li	If 'covers' != 0, 'type' must be SIG.
  *
- *	'type' is not a meta-RR type such as 'ANY' or 'OPT'.
+ * \li	'type' is not a meta-RR type such as 'ANY' or 'OPT'.
  *
  * Ensures:
  *
- *	On success, 'rdataset' is associated with the found rdataset.
+ * \li	On success, 'rdataset' is associated with the found rdataset.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOTFOUND
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
  *
- *	Other results are possible, depending upon the database
+ * \li	Other results are possible, depending upon the database
  *	implementation used.
  */
 
 isc_result_t
 dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		    isc_stdtime_t now, dns_rdatasetiter_t **iteratorp);
-/*
+/*%<
  * Make '*iteratorp' an rdataset iteratator for all rdatasets at 'node' in
  * version 'version' of 'db'.
  *
  * Notes:
  *
- *	If 'version' is NULL, then the current version will be used.
+ * \li	If 'version' is NULL, then the current version will be used.
  *
- *	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
+ * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
  *	cache database, an rdataset will not be found unless it expires after
  *	'now'.  Any ANY query will not match unless at least one rdataset at
  *	the node expires after 'now'.  If 'now' is zero, then the current time
@@ -1012,22 +1020,22 @@ dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
- *	'node' is a valid node.
+ * \li	'node' is a valid node.
  *
- *	iteratorp != NULL && *iteratorp == NULL
+ * \li	iteratorp != NULL && *iteratorp == NULL
  *
  * Ensures:
  *
- *	On success, '*iteratorp' is a valid rdataset iterator.
+ * \li	On success, '*iteratorp' is a valid rdataset iterator.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOTFOUND
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
  *
- *	Other results are possible, depending upon the database
+ * \li	Other results are possible, depending upon the database
  *	implementation used.
  */
 
@@ -1035,58 +1043,58 @@ isc_result_t
 dns_db_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		   isc_stdtime_t now, dns_rdataset_t *rdataset,
 		   unsigned int options, dns_rdataset_t *addedrdataset);
-/*
+/*%<
  * Add 'rdataset' to 'node' in version 'version' of 'db'.
  *
  * Notes:
  *
- *	If the database has zone semantics, the DNS_DBADD_MERGE option is set,
+ * \li	If the database has zone semantics, the #DNS_DBADD_MERGE option is set,
  *	and an rdataset of the same type as 'rdataset' already exists at
  *	'node' then the contents of 'rdataset' will be merged with the existing
  *	rdataset.  If the option is not set, then rdataset will replace any
  *	existing rdataset of the same type.  If not merging and the
- *	DNS_DBADD_FORCE option is set, then the data will update the database
+ *	#DNS_DBADD_FORCE option is set, then the data will update the database
  *	without regard to trust levels.  If not forcing the data, then the
  *	rdataset will only be added if its trust level is >= the trust level of
  *	any existing rdataset.  Forcing is only meaningful for cache databases.
- *	If DNS_DBADD_EXACT is set then there must be no rdata in common between
- *	the old and new rdata sets.  If DNS_DBADD_EXACTTTL is set then both
+ *	If #DNS_DBADD_EXACT is set then there must be no rdata in common between
+ *	the old and new rdata sets.  If #DNS_DBADD_EXACTTTL is set then both
  *	the old and new rdata sets must have the same ttl.
  *
- *	The 'now' field is ignored if 'db' is a zone database.  If 'db' is
+ * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is
  *	a cache database, then the added rdataset will expire no later than
  *	now + rdataset->ttl.
  *
- *	If 'addedrdataset' is not NULL, then it will be attached to the
+ * \li	If 'addedrdataset' is not NULL, then it will be attached to the
  *	resulting new rdataset in the database, or to the existing data if
  *	the existing data was better.
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
- *	'node' is a valid node.
+ * \li	'node' is a valid node.
  *
- *	'rdataset' is a valid, associated rdataset with the same class
+ * \li	'rdataset' is a valid, associated rdataset with the same class
  *	as 'db'.
  *
- *	'addedrdataset' is NULL, or a valid, unassociated rdataset.
+ * \li	'addedrdataset' is NULL, or a valid, unassociated rdataset.
  *
- *	The database has zone semantics and 'version' is a valid
+ * \li	The database has zone semantics and 'version' is a valid
  *	read-write version, or the database has cache semantics
  *	and version is NULL.
  *
- *	If the database has cache semantics, the DNS_DBADD_MERGE option must
+ * \li	If the database has cache semantics, the #DNS_DBADD_MERGE option must
  *	not be set.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	DNS_R_UNCHANGED			The operation did not change anything.
- *	ISC_R_NOMEMORY
- *	DNS_R_NOTEXACT
+ * \li	#ISC_R_SUCCESS
+ * \li	#DNS_R_UNCHANGED			The operation did not change anything.
+ * \li	#ISC_R_NOMEMORY
+ * \li	#DNS_R_NOTEXACT
  *
- *	Other results are possible, depending upon the database
+ * \li	Other results are possible, depending upon the database
  *	implementation used.
  */
 
@@ -1094,41 +1102,41 @@ isc_result_t
 dns_db_subtractrdataset(dns_db_t *db, dns_dbnode_t *node,
 			dns_dbversion_t *version, dns_rdataset_t *rdataset,
 			unsigned int options, dns_rdataset_t *newrdataset);
-/*
+/*%<
  * Remove any rdata in 'rdataset' from 'node' in version 'version' of
  * 'db'.
  *
  * Notes:
  *
- *	If 'newrdataset' is not NULL, then it will be attached to the
+ * \li	If 'newrdataset' is not NULL, then it will be attached to the
  *	resulting new rdataset in the database, unless the rdataset has
  *	become nonexistent.  If DNS_DBSUB_EXACT is set then all elements
  *	of 'rdataset' must exist at 'node'.
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
- *	'node' is a valid node.
+ * \li	'node' is a valid node.
  *
- *	'rdataset' is a valid, associated rdataset with the same class
+ * \li	'rdataset' is a valid, associated rdataset with the same class
  *	as 'db'.
  *
- *	'newrdataset' is NULL, or a valid, unassociated rdataset.
+ * \li	'newrdataset' is NULL, or a valid, unassociated rdataset.
  *
- *	The database has zone semantics and 'version' is a valid
+ * \li	The database has zone semantics and 'version' is a valid
  *	read-write version.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	DNS_R_UNCHANGED			The operation did not change anything.
- *	DNS_R_NXRRSET			All rdata of the same type as those
+ * \li	#ISC_R_SUCCESS
+ * \li	#DNS_R_UNCHANGED			The operation did not change anything.
+ * \li	#DNS_R_NXRRSET			All rdata of the same type as those
  *					in 'rdataset' have been deleted.
- *	DNS_R_NOTEXACT			Some part of 'rdataset' did not
+ * \li	#DNS_R_NOTEXACT			Some part of 'rdataset' did not
  *					exist and DNS_DBSUB_EXACT was set.
  *
- *	Other results are possible, depending upon the database
+ * \li	Other results are possible, depending upon the database
  *	implementation used.
  */
 
@@ -1136,134 +1144,154 @@ isc_result_t
 dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
 		      dns_dbversion_t *version, dns_rdatatype_t type,
 		      dns_rdatatype_t covers);
-/*
+/*%<
  * Make it so that no rdataset of type 'type' exists at 'node' in version
  * version 'version' of 'db'.
  *
  * Notes:
  *
- *	If 'type' is dns_rdatatype_any, then no rdatasets will exist in
+ * \li	If 'type' is dns_rdatatype_any, then no rdatasets will exist in
  *	'version' (provided that the dns_db_deleterdataset() isn't followed
  *	by one or more dns_db_addrdataset() calls).
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
- *	'node' is a valid node.
+ * \li	'node' is a valid node.
  *
- *	The database has zone semantics and 'version' is a valid
+ * \li	The database has zone semantics and 'version' is a valid
  *	read-write version, or the database has cache semantics
  *	and version is NULL.
  *
- *	'type' is not a meta-RR type, except for dns_rdatatype_any, which is
+ * \li	'type' is not a meta-RR type, except for dns_rdatatype_any, which is
  *	allowed.
  *
- *	If 'covers' != 0, 'type' must be SIG.
+ * \li	If 'covers' != 0, 'type' must be SIG.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	DNS_R_UNCHANGED			No rdatasets of 'type' existed before
+ * \li	#ISC_R_SUCCESS
+ * \li	#DNS_R_UNCHANGED			No rdatasets of 'type' existed before
  *					the operation was attempted.
  *
- *	Other results are possible, depending upon the database
+ * \li	Other results are possible, depending upon the database
  *	implementation used.
  */
 
 isc_result_t
 dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp);
-/*
+/*%<
  * Get the current SOA serial number from a zone database.
  *
  * Requires:
- *      'db' is a valid database with zone semantics.
- *      'ver' is a valid version.
+ * \li	'db' is a valid database with zone semantics.
+ * \li	'ver' is a valid version.
  */
 
 void
 dns_db_overmem(dns_db_t *db, isc_boolean_t overmem);
-/*
+/*%<
  * Enable / disable agressive cache cleaning.
  */
 
 unsigned int
 dns_db_nodecount(dns_db_t *db);
-/*
+/*%<
  * Count the number of nodes in 'db'.
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
  * Returns:
- * 	The number of nodes in the database
+ * \li	The number of nodes in the database
  */
 
 void
 dns_db_settask(dns_db_t *db, isc_task_t *task);
-/*
+/*%<
  * If task is set then the final detach maybe performed asynchronously.
  *
  * Requires:
- *	'db' is a valid database.
- *	'task' to be valid or NULL.
+ * \li	'db' is a valid database.
+ * \li	'task' to be valid or NULL.
  */
 
 isc_boolean_t
 dns_db_ispersistent(dns_db_t *db);
-/*
+/*%<
  * Is 'db' persistent?  A persistent database does not need to be loaded
  * from disk or written to disk.
  *
  * Requires:
  *
- *	'db' is a valid database.
+ * \li	'db' is a valid database.
  *
  * Returns:
- *	ISC_TRUE	'db' is persistent.
- *	ISC_FALSE	'db' is not persistent.
+ * \li	#ISC_TRUE	'db' is persistent.
+ * \li	#ISC_FALSE	'db' is not persistent.
  */
 
 isc_result_t
 dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
 		isc_mem_t *mctx, dns_dbimplementation_t **dbimp);
 
-/*
+/*%<
  * Register a new database implementation and add it to the list of
  * supported implementations.
  *
  * Requires:
  *
- * 	'name' is not NULL
- * 	'order' is a valid function pointer
- * 	'mctx' is a valid memory context
- * 	dbimp != NULL && *dbimp == NULL
+ * \li 	'name' is not NULL
+ * \li	'order' is a valid function pointer
+ * \li	'mctx' is a valid memory context
+ * \li	dbimp != NULL && *dbimp == NULL
  *
  * Returns:
- * 	ISC_R_SUCCESS	The registration succeeded
- * 	ISC_R_NOMEMORY	Out of memory
- * 	ISC_R_EXISTS	A database implementation with the same name exists
+ * \li	#ISC_R_SUCCESS	The registration succeeded
+ * \li	#ISC_R_NOMEMORY	Out of memory
+ * \li	#ISC_R_EXISTS	A database implementation with the same name exists
  *
  * Ensures:
  *
- *	*dbimp points to an opaque structure which must be passed to
+ * \li	*dbimp points to an opaque structure which must be passed to
  *	dns_db_unregister().
  */
 
 void
 dns_db_unregister(dns_dbimplementation_t **dbimp);
-/*
+/*%<
  * Remove a database implementation from the the list of supported
  * implementations.  No databases of this type can be active when this
  * is called.
  *
  * Requires:
- * 	dbimp != NULL && *dbimp == NULL
+ * \li 	dbimp != NULL && *dbimp == NULL
  *
  * Ensures:
  *
- * 	Any memory allocated in *dbimp will be freed.
+ * \li	Any memory allocated in *dbimp will be freed.
+ */
+
+isc_result_t
+dns_db_getoriginnode(dns_db_t *db, dns_dbnode_t **nodep);
+/*%<
+ * Get the origin DB node corresponding to the DB's zone.  This function
+ * should typically succeed unless the underlying DB implementation doesn't
+ * support the feature.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid zone database.
+ * \li	'nodep' != NULL && '*nodep' == NULL
+ *
+ * Ensures:
+ * \li	On success, '*nodep' will point to the DB node of the zone's origin.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND - the DB implementation does not support this feature.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/dbiterator.h b/contrib/bind9/lib/dns/include/dns/dbiterator.h
index 8b8cb1b..47ce082 100644
--- a/contrib/bind9/lib/dns/include/dns/dbiterator.h
+++ b/contrib/bind9/lib/dns/include/dns/dbiterator.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dbiterator.h,v 1.18.206.1 2004/03/06 08:13:54 marka Exp $ */
+/* $Id: dbiterator.h,v 1.19.18.2 2005/04/29 00:16:11 marka Exp $ */
 
 #ifndef DNS_DBITERATOR_H
 #define DNS_DBITERATOR_H 1
@@ -24,9 +24,8 @@
  ***** Module Info
  *****/
 
-/*
- * DNS DB Iterator
- *
+/*! \file
+ * \brief
  * The DNS DB Iterator interface allows iteration of all of the nodes in a
  * database.
  *
@@ -37,25 +36,25 @@
  * It is the client's responsibility to call dns_db_detachnode() on all
  * nodes returned.
  *
- * XXX <more> XXX
+ * XXX &lt;more&gt; XXX
  *
  * MP:
- *	The iterator itself is not locked.  The caller must ensure
+ *\li	The iterator itself is not locked.  The caller must ensure
  *	synchronization.
  *
- *	The iterator methods ensure appropriate database locking.
+ *\li	The iterator methods ensure appropriate database locking.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	<TBS>
+ *\li	TBS
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Standards:
- *	None.
+ *\li	None.
  */
 
 /*****
@@ -89,7 +88,7 @@ typedef struct dns_dbiteratormethods {
 
 #define DNS_DBITERATOR_MAGIC	     ISC_MAGIC('D','N','S','I')
 #define DNS_DBITERATOR_VALID(dbi)    ISC_MAGIC_VALID(dbi, DNS_DBITERATOR_MAGIC)
-/*
+/*%
  * This structure is actually just the common prefix of a DNS db
  * implementation's version of a dns_dbiterator_t.
  *
@@ -110,136 +109,136 @@ struct dns_dbiterator {
 
 void
 dns_dbiterator_destroy(dns_dbiterator_t **iteratorp);
-/*
+/*%<
  * Destroy '*iteratorp'.
  *
  * Requires:
  *
- *	'*iteratorp' is a valid iterator.
+ *\li	'*iteratorp' is a valid iterator.
  *
  * Ensures:
  *
- *	All resources used by the iterator are freed.
+ *\li	All resources used by the iterator are freed.
  *
- *	*iteratorp == NULL.
+ *\li	*iteratorp == NULL.
  */
 
 isc_result_t
 dns_dbiterator_first(dns_dbiterator_t *iterator);
-/*
+/*%<
  * Move the node cursor to the first node in the database (if any).
  *
  * Requires:
- *	'iterator' is a valid iterator.
+ *\li	'iterator' is a valid iterator.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMORE			There are no nodes in the database.
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no nodes in the database.
  *
- *	Other results are possible, depending on the DB implementation.
+ *\li	Other results are possible, depending on the DB implementation.
  */
 
 isc_result_t
 dns_dbiterator_last(dns_dbiterator_t *iterator);
-/*
+/*%<
  * Move the node cursor to the last node in the database (if any).
  *
  * Requires:
- *	'iterator' is a valid iterator.
+ *\li	'iterator' is a valid iterator.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMORE			There are no nodes in the database.
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no nodes in the database.
  *
- *	Other results are possible, depending on the DB implementation.
+ *\li	Other results are possible, depending on the DB implementation.
  */
 
 isc_result_t
 dns_dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name);
-/*
+/*%<
  * Move the node cursor to the node with name 'name'.
  *
  * Requires:
- *	'iterator' is a valid iterator.
+ *\li	'iterator' is a valid iterator.
  *
- *	'name' is a valid name.
+ *\li	'name' is a valid name.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOTFOUND
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOTFOUND
  *
- *	Other results are possible, depending on the DB implementation.
+ *\li	Other results are possible, depending on the DB implementation.
  */
 
 isc_result_t
 dns_dbiterator_prev(dns_dbiterator_t *iterator);
-/*
+/*%<
  * Move the node cursor to the previous node in the database (if any).
  *
  * Requires:
- *	'iterator' is a valid iterator.
+ *\li	'iterator' is a valid iterator.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMORE			There are no more nodes in the
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no more nodes in the
  *					database.
  *
- *	Other results are possible, depending on the DB implementation.
+ *\li	Other results are possible, depending on the DB implementation.
  */
 
 isc_result_t
 dns_dbiterator_next(dns_dbiterator_t *iterator);
-/*
+/*%<
  * Move the node cursor to the next node in the database (if any).
  *
  * Requires:
- *	'iterator' is a valid iterator.
+ *\li	'iterator' is a valid iterator.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMORE			There are no more nodes in the
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no more nodes in the
  *					database.
  *
- *	Other results are possible, depending on the DB implementation.
+ *\li	Other results are possible, depending on the DB implementation.
  */
 
 isc_result_t
 dns_dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
 		       dns_name_t *name);
-/*
+/*%<
  * Return the current node.
  *
  * Notes:
- *	If 'name' is not NULL, it will be set to the name of the node.
+ *\li	If 'name' is not NULL, it will be set to the name of the node.
  *
  * Requires:
- *	'iterator' is a valid iterator.
+ *\li	'iterator' is a valid iterator.
  *
- *	nodep != NULL && *nodep == NULL
+ *\li	nodep != NULL && *nodep == NULL
  *
- *	The node cursor of 'iterator' is at a valid location (i.e. the
+ *\li	The node cursor of 'iterator' is at a valid location (i.e. the
  *	result of last call to a cursor movement command was ISC_R_SUCCESS).
  *
- *	'name' is NULL, or is a valid name with a dedicated buffer.
+ *\li	'name' is NULL, or is a valid name with a dedicated buffer.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	DNS_R_NEWORIGIN			If this iterator was created with
+ *\li	#ISC_R_SUCCESS
+ *\li	#DNS_R_NEWORIGIN			If this iterator was created with
  *					'relative_names' set to ISC_TRUE,
- *					then DNS_R_NEWORIGIN will be returned
+ *					then #DNS_R_NEWORIGIN will be returned
  *					when the origin the names are
  *					relative to changes.  This result
  *					can occur only when 'name' is not
  *					NULL.  This is also a successful
  *					result.
  *
- *	Other results are possible, depending on the DB implementation.
+ *\li	Other results are possible, depending on the DB implementation.
  */
 
 isc_result_t
 dns_dbiterator_pause(dns_dbiterator_t *iterator);
-/*
+/*%<
  * Pause iteration.
  *
  * Calling a cursor movement method or dns_dbiterator_current() may cause
@@ -250,47 +249,47 @@ dns_dbiterator_pause(dns_dbiterator_t *iterator);
  * iterator method in the immediate future.
  *
  * Requires:
- *	'iterator' is a valid iterator.
+ *\li	'iterator' is a valid iterator.
  *
  * Ensures:
- *	Any database locks being held for efficiency of iterator access are
+ *\li	Any database locks being held for efficiency of iterator access are
  *	released.
  *
  * Returns:
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_SUCCESS
  *
- *	Other results are possible, depending on the DB implementation.
+ *\li	Other results are possible, depending on the DB implementation.
  */
 
 isc_result_t
 dns_dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name);
-/*
+/*%<
  * Return the origin to which returned node names are relative.
  *
  * Requires:
  *
- *	'iterator' is a valid relative_names iterator.
+ *\li	'iterator' is a valid relative_names iterator.
  *
- *	'name' is a valid name with a dedicated buffer.
+ *\li	'name' is a valid name with a dedicated buffer.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
  *
- *	Other results are possible, depending on the DB implementation.
+ *\li	Other results are possible, depending on the DB implementation.
  */
 
 void
 dns_dbiterator_setcleanmode(dns_dbiterator_t *iterator, isc_boolean_t mode);
-/*
+/*%<
  * Indicate that the given iterator is/is not cleaning the DB.
  *
  * Notes:
- *	When 'mode' is ISC_TRUE, 
+ *\li	When 'mode' is ISC_TRUE, 
  *
  * Requires:
- *	'iterator' is a valid iterator.
+ *\li	'iterator' is a valid iterator.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/dbtable.h b/contrib/bind9/lib/dns/include/dns/dbtable.h
index 3874b46..18d3e50 100644
--- a/contrib/bind9/lib/dns/include/dns/dbtable.h
+++ b/contrib/bind9/lib/dns/include/dns/dbtable.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dbtable.h,v 1.16.206.1 2004/03/06 08:13:55 marka Exp $ */
+/* $Id: dbtable.h,v 1.17.18.2 2005/04/29 00:16:11 marka Exp $ */
 
 #ifndef DNS_DBTABLE_H
 #define DNS_DBTABLE_H 1
@@ -24,26 +24,27 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * DNS DB Tables
  *
- * XXX <TBS> XXX
+ * XXX TBS XXX
  *
  * MP:
- *	The module ensures appropriate synchronization of data structures it
+ *\li	The module ensures appropriate synchronization of data structures it
  *	creates and manipulates.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	None.
+ *\li	None.
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Standards:
- *	None.
+ *\li	None.
  */
 
 #include <isc/lang.h>
@@ -57,106 +58,106 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 		   dns_dbtable_t **dbtablep);
-/*
+/*%<
  * Make a new dbtable of class 'rdclass'
  *
  * Requires:
- *	mctx != NULL
- * 	dbtablep != NULL && *dptablep == NULL
- *	'rdclass' is a valid class
+ *\li	mctx != NULL
+ * \li	dbtablep != NULL && *dptablep == NULL
+ *\li	'rdclass' is a valid class
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
  */
 
 void
 dns_dbtable_attach(dns_dbtable_t *source, dns_dbtable_t **targetp);
-/*
+/*%<
  * Attach '*targetp' to 'source'.
  *
  * Requires:
  *
- *	'source' is a valid dbtable.
+ *\li	'source' is a valid dbtable.
  *
- *	'targetp' points to a NULL dns_dbtable_t *.
+ *\li	'targetp' points to a NULL dns_dbtable_t *.
  *
  * Ensures:
  *
- *	*targetp is attached to source.
+ *\li	*targetp is attached to source.
  */
 
 void
 dns_dbtable_detach(dns_dbtable_t **dbtablep);
-/*
+/*%<
  * Detach *dbtablep from its dbtable.
  *
  * Requires:
  *
- *	'*dbtablep' points to a valid dbtable.
+ *\li	'*dbtablep' points to a valid dbtable.
  *
  * Ensures:
  *
- *	*dbtablep is NULL.
- *
- *	If '*dbtablep' is the last reference to the dbtable,
+ *\li	*dbtablep is NULL.
  *
- *		All resources used by the dbtable will be freed
+ *\li	If '*dbtablep' is the last reference to the dbtable,
+ *		all resources used by the dbtable will be freed
  */
 
 isc_result_t
 dns_dbtable_add(dns_dbtable_t *dbtable, dns_db_t *db);
-/*
+/*%<
  * Add 'db' to 'dbtable'.
  *
  * Requires:
- *	'dbtable' is a valid dbtable.
+ *\li	'dbtable' is a valid dbtable.
  *
- *	'db' is a valid database with the same class as 'dbtable'
+ *\li	'db' is a valid database with the same class as 'dbtable'
  */
 
 void
 dns_dbtable_remove(dns_dbtable_t *dbtable, dns_db_t *db);
-/*
+/*%<
  * Remove 'db' from 'dbtable'.
  *
  * Requires:
- *	'db' was previously added to 'dbtable'.
+ *\li	'db' was previously added to 'dbtable'.
  */
 
 void
 dns_dbtable_adddefault(dns_dbtable_t *dbtable, dns_db_t *db);
-/*
+/*%<
  * Use 'db' as the result of a dns_dbtable_find() if no better match is
  * available.
  */
 
 void
 dns_dbtable_getdefault(dns_dbtable_t *dbtable, dns_db_t **db);
-/*
+/*%<
  * Get the 'db' used as the result of a dns_dbtable_find()
  * if no better match is available.
  */
 
 void
 dns_dbtable_removedefault(dns_dbtable_t *dbtable);
-/*
+/*%<
  * Remove the default db from 'dbtable'.
  */
 
 isc_result_t
 dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name,
 		 unsigned int options, dns_db_t **dbp);
-/*
+/*%<
  * Find the deepest match to 'name' in the dbtable, and return it
  *
  * Notes:
- *	If the DNS_DBTABLEFIND_NOEXACT option is set, the best partial
+ *\li	If the DNS_DBTABLEFIND_NOEXACT option is set, the best partial
  *	match (if any) to 'name' will be returned.
  *
- * Returns:  ISC_R_SUCCESS		on success
- *	     <something else>		no default and match
+ * Returns:  
+ * \li #ISC_R_SUCCESS		on success
+ *\li	     something else:		no default and match
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/diff.h b/contrib/bind9/lib/dns/include/dns/diff.h
index 604f702..cd96a0b 100644
--- a/contrib/bind9/lib/dns/include/dns/diff.h
+++ b/contrib/bind9/lib/dns/include/dns/diff.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: diff.h,v 1.4.12.3 2004/03/08 09:04:35 marka Exp $ */
+/* $Id: diff.h,v 1.6.18.2 2005/04/29 00:16:12 marka Exp $ */
 
 #ifndef DNS_DIFF_H
 #define DNS_DIFF_H 1
@@ -24,7 +24,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * A diff is a convenience type representing a list of changes to be
  * made to a database.
  */
@@ -44,7 +45,7 @@
  *** Types
  ***/
 
-/*
+/*%
  * A dns_difftuple_t represents a single RR being added or deleted.
  * The RR type and class are in the 'rdata' member; the class is always
  * the real one, not a DynDNS meta-class, so that the rdatas can be
@@ -61,9 +62,9 @@
  */
 
 typedef enum {
-	DNS_DIFFOP_ADD,	        /* Add an RR. */
-	DNS_DIFFOP_DEL,		/* Delete an RR. */
-	DNS_DIFFOP_EXISTS	/* Assert RR existence. */
+	DNS_DIFFOP_ADD,	        /*%< Add an RR. */
+	DNS_DIFFOP_DEL,		/*%< Delete an RR. */
+	DNS_DIFFOP_EXISTS	/*%< Assert RR existence. */
 } dns_diffop_t;
 
 typedef struct dns_difftuple dns_difftuple_t;
@@ -82,7 +83,7 @@ struct dns_difftuple {
 	/* Variable-size name data and rdata follows. */
 };
 
-/*
+/*%
  * A dns_diff_t represents a set of changes being applied to
  * a zone.  Diffs are also used to represent "RRset exists
  * (value dependent)" prerequisites.
@@ -116,106 +117,106 @@ isc_result_t
 dns_difftuple_create(isc_mem_t *mctx,
 		     dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
 		     dns_rdata_t *rdata, dns_difftuple_t **tp);
-/*
+/*%<
  * Create a tuple.  Deep copies are made of the name and rdata, so
  * they need not remain valid after the call.
  *
  * Requires:
- *	*tp != NULL && *tp == NULL.
+ *\li	*tp != NULL && *tp == NULL.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *      ISC_R_NOMEMORY
+ *\li	ISC_R_SUCCESS
+ *  \li    ISC_R_NOMEMORY
  */
 
 void
 dns_difftuple_free(dns_difftuple_t **tp);
-/*
+/*%<
  * Free a tuple.
  *
  * Requires:
- *       **tp is a valid tuple.
+ *    \li   **tp is a valid tuple.
  *
  * Ensures:
- *       *tp == NULL
- *       All memory used by the tuple is freed.
+ *     \li  *tp == NULL
+ *      \li All memory used by the tuple is freed.
  */
 
 isc_result_t
 dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp);
-/*
+/*%<
  * Copy a tuple.
  *
  * Requires:
- * 	'orig' points to a valid tuple
- *	copyp != NULL && *copyp == NULL
+ * \li	'orig' points to a valid tuple
+ *\li	copyp != NULL && *copyp == NULL
  */
 
 void
 dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff);
-/*
+/*%<
  * Initialize a diff.
  *
  * Requires:
- *    'diff' points to an uninitialized dns_diff_t
- *    allocated by the caller.
+ * \li   'diff' points to an uninitialized dns_diff_t
+ *  \li  allocated by the caller.
  *
  * Ensures:
- *    '*diff' is a valid, empty diff.
+ * \li   '*diff' is a valid, empty diff.
  */
 
 void
 dns_diff_clear(dns_diff_t *diff);
-/*
+/*%<
  * Clear a diff, destroying all its tuples.
  *
  * Requires:
- *    'diff' points to a valid dns_diff_t.
+ * \li   'diff' points to a valid dns_diff_t.
  *
  * Ensures:
- *     Any tuples in the diff are destroyed.
+ * \li    Any tuples in the diff are destroyed.
  *     The diff now empty, but it is still valid
  *     and may be reused without calling dns_diff_init
  *     again.  The only memory used is that of the
  *     dns_diff_t structure itself.
  *
  * Notes:
- *     Managing the memory of the dns_diff_t structure itself
+ * \li    Managing the memory of the dns_diff_t structure itself
  *     is the caller's responsibility.
  */
 
 void
 dns_diff_append(dns_diff_t *diff, dns_difftuple_t **tuple);
-/*
+/*%<
  * Append a single tuple to a diff.
  *
- *	'diff' is a valid diff.
- * 	'*tuple' is a valid tuple.
+ *\li	'diff' is a valid diff.
+ * \li	'*tuple' is a valid tuple.
  *
  * Ensures:
- *	*tuple is NULL.
- *	The tuple has been freed, or will be freed when the diff is cleared.
+ *\li	*tuple is NULL.
+ *\li	The tuple has been freed, or will be freed when the diff is cleared.
  */
 
 void
 dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuple);
-/*
+/*%<
  * Append 'tuple' to 'diff', removing any duplicate
  * or conflicting updates as needed to create a minimal diff.
  *
  * Requires:
- *	'diff' is a minimal diff.
+ *\li	'diff' is a minimal diff.
  *
  * Ensures:
- *	'diff' is still a minimal diff.
- *   	*tuple is NULL.
- *   	The tuple has been freed, or will be freed when the diff is cleared.
+ *\li	'diff' is still a minimal diff.
+ *  \li 	*tuple is NULL.
+ *   \li	The tuple has been freed, or will be freed when the diff is cleared.
  *
  */
 
 isc_result_t
 dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare);
-/*
+/*%<
  * Sort 'diff' in-place according to the comparison function 'compare'.
  */
 
@@ -223,7 +224,7 @@ isc_result_t
 dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
 isc_result_t
 dns_diff_applysilently(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
-/*
+/*%<
  * Apply 'diff' to the database 'db'.
  *
  * dns_diff_apply() logs warnings about updates with no effect or
@@ -234,44 +235,44 @@ dns_diff_applysilently(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
  * but less efficient.
  *
  * Requires:
- *	*diff is a valid diff (possibly empty), containing
- *   	tuples of type DNS_DIFFOP_ADD and/or
- *   	For DNS_DIFFOP_DEL tuples, the TTL is ignored.
+ *\li	*diff is a valid diff (possibly empty), containing
+ *   	tuples of type #DNS_DIFFOP_ADD and/or
+ *  	For #DNS_DIFFOP_DEL tuples, the TTL is ignored.
  *
  */
 
 isc_result_t
 dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
 	      void *add_private);
-/*
+/*%<
  * Like dns_diff_apply, but for use when loading a new database
  * instead of modifying an existing one.  This bypasses the
  * database transaction mechanisms.
  *
  * Requires:
- * 	'addfunc' is a valid dns_addradatasetfunc_t obtained from
+ *\li 	'addfunc' is a valid dns_addradatasetfunc_t obtained from
  * 	dns_db_beginload()
  *
- *	'add_private' points to a corresponding dns_dbload_t *
+ *\li	'add_private' points to a corresponding dns_dbload_t *
  *      (XXX why is it a void pointer, then?)
  */
 
 isc_result_t
 dns_diff_print(dns_diff_t *diff, FILE *file);
 
-/*
+/*%<
  * Print the differences to 'file' or if 'file' is NULL via the
  * logging system.
  *
  * Require:
- *	'diff' to be valid.
- *	'file' to refer to a open file or NULL.
+ *\li	'diff' to be valid.
+ *\li	'file' to refer to a open file or NULL.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_UNEXPECTED
- *	any error from dns_rdataset_totext()
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ *\li	any error from dns_rdataset_totext()
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/dispatch.h b/contrib/bind9/lib/dns/include/dns/dispatch.h
index 201a65a..47f6b20 100644
--- a/contrib/bind9/lib/dns/include/dns/dispatch.h
+++ b/contrib/bind9/lib/dns/include/dns/dispatch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dispatch.h,v 1.45.2.2.4.2 2004/03/06 08:13:55 marka Exp $ */
+/* $Id: dispatch.h,v 1.48.18.2 2005/04/29 00:16:12 marka Exp $ */
 
 #ifndef DNS_DISPATCH_H
 #define DNS_DISPATCH_H 1
@@ -24,14 +24,14 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * DNS Dispatch Management
- *
  * 	Shared UDP and single-use TCP dispatches for queries and responses.
  *
  * MP:
  *
- *     	All locking is performed internally to each dispatch.
+ *\li     	All locking is performed internally to each dispatch.
  * 	Restrictions apply to dns_dispatch_removeresponse().
  *
  * Reliability:
@@ -40,12 +40,12 @@
  *
  * Security:
  *
- *	Depends on the isc_socket_t and dns_message_t for prevention of
+ *\li	Depends on the isc_socket_t and dns_message_t for prevention of
  *	buffer overruns.
  *
  * Standards:
  *
- *	None.
+ *\li	None.
  */
 
 /***
@@ -61,7 +61,7 @@
 
 ISC_LANG_BEGINDECLS
 
-/*
+/*%
  * This event is sent to a task when a response comes in.
  * No part of this structure should ever be modified by the caller,
  * other than parts of the buffer.  The holy parts of the buffer are
@@ -79,16 +79,17 @@ ISC_LANG_BEGINDECLS
  */
 
 struct dns_dispatchevent {
-	ISC_EVENT_COMMON(dns_dispatchevent_t);	/* standard event common */
-	isc_result_t		result;		/* result code */
-	isc_int32_t		id;		/* message id */
-	isc_sockaddr_t		addr;		/* address recv'd from */
-	struct in6_pktinfo	pktinfo;	/* reply info for v6 */
-	isc_buffer_t	        buffer;		/* data buffer */
-	isc_uint32_t		attributes;	/* mirrored from socket.h */
+	ISC_EVENT_COMMON(dns_dispatchevent_t);	/*%< standard event common */
+	isc_result_t		result;		/*%< result code */
+	isc_int32_t		id;		/*%< message id */
+	isc_sockaddr_t		addr;		/*%< address recv'd from */
+	struct in6_pktinfo	pktinfo;	/*%< reply info for v6 */
+	isc_buffer_t	        buffer;		/*%< data buffer */
+	isc_uint32_t		attributes;	/*%< mirrored from socket.h */
 };
 
-/*
+/*@{*/
+/*%
  * Attributes for added dispatchers.
  *
  * Values with the mask 0xffff0000 are application defined.
@@ -121,83 +122,84 @@ struct dns_dispatchevent {
 #define DNS_DISPATCHATTR_NOLISTEN	0x00000020U
 #define DNS_DISPATCHATTR_MAKEQUERY	0x00000040U
 #define DNS_DISPATCHATTR_CONNECTED	0x00000080U
+/*@}*/
 
 isc_result_t
 dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
 		       dns_dispatchmgr_t **mgrp);
-/*
+/*%<
  * Creates a new dispatchmgr object.
  *
  * Requires:
- *	"mctx" be a valid memory context.
+ *\li	"mctx" be a valid memory context.
  *
- *	mgrp != NULL && *mgrp == NULL
+ *\li	mgrp != NULL && *mgrp == NULL
  *
- *	"entropy" may be NULL, in which case an insecure random generator
+ *\li	"entropy" may be NULL, in which case an insecure random generator
  *	will be used.  If it is non-NULL, it must be a valid entropy
  *	source.
  *
  * Returns:
- *	ISC_R_SUCCESS	-- all ok
+ *\li	ISC_R_SUCCESS	-- all ok
  *
- *	anything else	-- failure
+ *\li	anything else	-- failure
  */
 
 
 void
 dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp);
-/*
+/*%<
  * Destroys the dispatchmgr when it becomes empty.  This could be
  * immediately.
  *
  * Requires:
- *	mgrp != NULL && *mgrp is a valid dispatchmgr.
+ *\li	mgrp != NULL && *mgrp is a valid dispatchmgr.
  */
 
 
 void
 dns_dispatchmgr_setblackhole(dns_dispatchmgr_t *mgr, dns_acl_t *blackhole);
-/*
+/*%<
  * Sets the dispatcher's "blackhole list," a list of addresses that will
  * be ignored by all dispatchers created by the dispatchmgr.
  *
  * Requires:
- * 	mgrp is a valid dispatchmgr
- * 	blackhole is a valid acl
+ * \li	mgrp is a valid dispatchmgr
+ * \li	blackhole is a valid acl
  */
 
 
 dns_acl_t *
 dns_dispatchmgr_getblackhole(dns_dispatchmgr_t *mgr);
-/*
+/*%<
  * Gets a pointer to the dispatcher's current blackhole list,
  * without incrementing its reference count.
  *
  * Requires:
- * 	mgr is a valid dispatchmgr
+ *\li 	mgr is a valid dispatchmgr
  * Returns:
- *	A pointer to the current blackhole list, or NULL.
+ *\li	A pointer to the current blackhole list, or NULL.
  */
 
 void
 dns_dispatchmgr_setblackportlist(dns_dispatchmgr_t *mgr,
                                  dns_portlist_t *portlist);
-/*
+/*%<
  * Sets a list of UDP ports that won't be used when creating a udp
  * dispatch with a wildcard port.
  *
  * Requires:
- *	mgr is a valid dispatchmgr
- *	portlist to be NULL or a valid port list.
+ *\li	mgr is a valid dispatchmgr
+ *\li	portlist to be NULL or a valid port list.
  */
 
 dns_portlist_t *
 dns_dispatchmgr_getblackportlist(dns_dispatchmgr_t *mgr);
-/*
+/*%<
  * Return the current port list.
  *
  * Requires:
- *	mgr is a valid dispatchmgr
+ *\li	mgr is a valid dispatchmgr
  */
 
 
@@ -210,29 +212,29 @@ dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
 		    unsigned int buckets, unsigned int increment,
 		    unsigned int attributes, unsigned int mask,
 		    dns_dispatch_t **dispp);
-/*
+/*%<
  * Attach to existing dns_dispatch_t if one is found with dns_dispatchmgr_find,
  * otherwise create a new UDP dispatch.
  *
  * Requires:
- *	All pointer parameters be valid for their respective types.
+ *\li	All pointer parameters be valid for their respective types.
  *
- *	dispp != NULL && *disp == NULL
+ *\li	dispp != NULL && *disp == NULL
  *
- *	512 <= buffersize <= 64k
+ *\li	512 <= buffersize <= 64k
  *
- *	maxbuffers > 0
+ *\li	maxbuffers > 0
  *
- *	buckets < 2097169
+ *\li	buckets < 2097169
  *
- *	increment > buckets
+ *\li	increment > buckets
  *
- *	(attributes & DNS_DISPATCHATTR_TCP) == 0
+ *\li	(attributes & DNS_DISPATCHATTR_TCP) == 0
  *
  * Returns:
- *	ISC_R_SUCCESS	-- success.
+ *\li	ISC_R_SUCCESS	-- success.
  *
- *	Anything else	-- failure.
+ *\li	Anything else	-- failure.
  */
 
 isc_result_t
@@ -241,7 +243,7 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
 		       unsigned int maxbuffers, unsigned int maxrequests,
 		       unsigned int buckets, unsigned int increment,
 		       unsigned int attributes, dns_dispatch_t **dispp);
-/*
+/*%<
  * Create a new dns_dispatch and attach it to the provided isc_socket_t.
  *
  * For all dispatches, "buffersize" is the maximum packet size we will
@@ -258,65 +260,65 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
  *
  * Requires:
  *
- *	mgr is a valid dispatch manager.
+ *\li	mgr is a valid dispatch manager.
  *
- *	sock is a valid.
+ *\li	sock is a valid.
  *
- *	task is a valid task that can be used internally to this dispatcher.
+ *\li	task is a valid task that can be used internally to this dispatcher.
  *
- * 	512 <= buffersize <= 64k
+ * \li	512 <= buffersize <= 64k
  *
- *	maxbuffers > 0.
+ *\li	maxbuffers > 0.
  *
- *	maxrequests <= maxbuffers.
+ *\li	maxrequests <= maxbuffers.
  *
- *	buckets < 2097169 (the next prime after 65536 * 32)
+ *\li	buckets < 2097169 (the next prime after 65536 * 32)
  *
- *	increment > buckets (and prime).
+ *\li	increment > buckets (and prime).
  *
- *	attributes includes DNS_DISPATCHATTR_TCP and does not include
- *	DNS_DISPATCHATTR_UDP.
+ *\li	attributes includes #DNS_DISPATCHATTR_TCP and does not include
+ *	#DNS_DISPATCHATTR_UDP.
  *
  * Returns:
- *	ISC_R_SUCCESS	-- success.
+ *\li	ISC_R_SUCCESS	-- success.
  *
- *	Anything else	-- failure.
+ *\li	Anything else	-- failure.
  */
 
 void
 dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp);
-/*
+/*%<
  * Attach to a dispatch handle.
  *
  * Requires:
- *	disp is valid.
+ *\li	disp is valid.
  *
- *	dispp != NULL && *dispp == NULL
+ *\li	dispp != NULL && *dispp == NULL
  */
 
 void
 dns_dispatch_detach(dns_dispatch_t **dispp);
-/*
+/*%<
  * Detaches from the dispatch.
  *
  * Requires:
- *	dispp != NULL and *dispp be a valid dispatch.
+ *\li	dispp != NULL and *dispp be a valid dispatch.
  */
 
 void
 dns_dispatch_starttcp(dns_dispatch_t *disp);
-/*
+/*%<
  * Start processing of a TCP dispatch once the socket connects.
  *
  * Requires:
- *	'disp' is valid.
+ *\li	'disp' is valid.
  */
 
 isc_result_t
 dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 			 isc_task_t *task, isc_taskaction_t action, void *arg,
 			 isc_uint16_t *idp, dns_dispentry_t **resp);
-/*
+/*%<
  * Add a response entry for this dispatch.
  *
  * "*idp" is filled in with the assigned message ID, and *resp is filled in
@@ -327,24 +329,24 @@ dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
  * or through dns_dispatch_removeresponse() for another to be delivered.
  *
  * Requires:
- *	"idp" be non-NULL.
+ *\li	"idp" be non-NULL.
  *
- *	"task" "action" and "arg" be set as appropriate.
+ *\li	"task" "action" and "arg" be set as appropriate.
  *
- *	"dest" be non-NULL and valid.
+ *\li	"dest" be non-NULL and valid.
  *
- *	"resp" be non-NULL and *resp be NULL
+ *\li	"resp" be non-NULL and *resp be NULL
  *
  * Ensures:
  *
- *	<id, dest> is a unique tuple.  That means incoming messages
+ *\li	&lt;id, dest> is a unique tuple.  That means incoming messages
  *	are identifiable.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		-- all is well.
- *	ISC_R_NOMEMORY		-- memory could not be allocated.
- *	ISC_R_NOMORE		-- no more message ids can be allocated
+ *\li	ISC_R_SUCCESS		-- all is well.
+ *\li	ISC_R_NOMEMORY		-- memory could not be allocated.
+ *\li	ISC_R_NOMORE		-- no more message ids can be allocated
  *				   for this destination.
  */
 
@@ -352,88 +354,90 @@ dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 void
 dns_dispatch_removeresponse(dns_dispentry_t **resp,
 			    dns_dispatchevent_t **sockevent);
-/*
+/*%<
  * Stops the flow of responses for the provided id and destination.
  * If "sockevent" is non-NULL, the dispatch event and associated buffer is
  * also returned to the system.
  *
  * Requires:
- *	"resp" != NULL and "*resp" contain a value previously allocated
+ *\li	"resp" != NULL and "*resp" contain a value previously allocated
  *	by dns_dispatch_addresponse();
  *
- *	May only be called from within the task given as the 'task' 
+ *\li	May only be called from within the task given as the 'task' 
  * 	argument to dns_dispatch_addresponse() when allocating '*resp'.
  */
 
 
 isc_socket_t *
 dns_dispatch_getsocket(dns_dispatch_t *disp);
-/*
+/*%<
  * Return the socket associated with this dispatcher.
  *
  * Requires:
- *	disp is valid.
+ *\li	disp is valid.
  *
  * Returns:
- *	The socket the dispatcher is using.
+ *\li	The socket the dispatcher is using.
  */
 
 isc_result_t 
 dns_dispatch_getlocaladdress(dns_dispatch_t *disp, isc_sockaddr_t *addrp);
-/*
+/*%<
  * Return the local address for this dispatch.
  * This currently only works for dispatches using UDP sockets.
  *
  * Requires:
- *	disp is valid.
- *	addrp to be non null.
+ *\li	disp is valid.
+ *\li	addrp to be non null.
  *
  * Returns:
- *	ISC_R_SUCCESS	
- *	ISC_R_NOTIMPLEMENTED
+ *\li	ISC_R_SUCCESS	
+ *\li	ISC_R_NOTIMPLEMENTED
  */
 
 void
 dns_dispatch_cancel(dns_dispatch_t *disp);
-/*
+/*%<
  * cancel outstanding clients
  *
  * Requires:
- *	disp is valid.
+ *\li	disp is valid.
  */
 
 void
 dns_dispatch_changeattributes(dns_dispatch_t *disp,
 			      unsigned int attributes, unsigned int mask);
-/*
+/*%<
  * Set the bits described by "mask" to the corresponding values in
  * "attributes".
  *
  * That is:
  *
+ * \code
  *	new = (old & ~mask) | (attributes & mask)
+ * \endcode
  *
- * This function has a side effect when DNS_DISPATCHATTR_NOLISTEN changes. 
+ * This function has a side effect when #DNS_DISPATCHATTR_NOLISTEN changes. 
  * When the flag becomes off, the dispatch will start receiving on the
  * corresponding socket.  When the flag becomes on, receive events on the
  * corresponding socket will be canceled.
  *
  * Requires:
- *	disp is valid.
+ *\li	disp is valid.
  *
- *	attributes are reasonable for the dispatch.  That is, setting the UDP
+ *\li	attributes are reasonable for the dispatch.  That is, setting the UDP
  *	attribute on a TCP socket isn't reasonable.
  */
 
 void
 dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event);
-/*
+/*%<
  * Inform the dispatcher of a socket receive.  This is used for sockets
  * shared between dispatchers and clients.  If the dispatcher fails to copy
  * or send the event, nothing happens.
  *
  * Requires:
- * 	disp is valid, and the attribute DNS_DISPATCHATTR_NOLISTEN is set.
+ *\li 	disp is valid, and the attribute DNS_DISPATCHATTR_NOLISTEN is set.
  * 	event != NULL
  */
 
diff --git a/contrib/bind9/lib/dns/include/dns/dlz.h b/contrib/bind9/lib/dns/include/dns/dlz.h
new file mode 100644
index 0000000..4c61c91
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/dlz.h
@@ -0,0 +1,290 @@
+/*
+ * Portions Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dlz.h,v 1.2.2.2 2005/09/06 03:47:18 marka Exp $ */
+
+/*! \file */
+
+#ifndef DLZ_H
+#define DLZ_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DLZ Interface
+ *
+ * The DLZ interface allows zones to be looked up using a driver instead of
+ * Bind's default in memory zone table.
+ *
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <dns/name.h>
+#include <dns/types.h>
+#include <dns/view.h>
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+#define DNS_DLZ_MAGIC		ISC_MAGIC('D','L','Z','D')
+#define DNS_DLZ_VALID(dlz)	ISC_MAGIC_VALID(dlz, DNS_DLZ_MAGIC)
+
+typedef isc_result_t
+(*dns_dlzallowzonexfr_t)(void *driverarg, void *dbdata, isc_mem_t *mctx,
+			 dns_rdataclass_t rdclass, dns_name_t *name,
+			 isc_sockaddr_t *clientaddr,
+			 dns_db_t **dbp);
+
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface MUST
+ * supply an allow zone transfer method.  This method is called when
+ * the DNS server is performing a zone transfer query.  The driver's
+ * method should return ISC_R_SUCCESS and a database pointer to the
+ * name server if the zone is supported by the database, and zone
+ * transfer is allowed.  Otherwise it will return ISC_R_NOTFOUND if
+ * the zone is not supported by the database, or ISC_R_NOPERM if zone
+ * transfers are not allowed.  If an error occurs it should return a
+ * result code indicating the type of error.
+ */
+
+typedef isc_result_t
+(*dns_dlzcreate_t)(isc_mem_t *mctx, const char *dlzname, unsigned int argc,
+		   char *argv[], void *driverarg, void **dbdata);
+
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface MUST
+ * supply a create method.  This method is called when the DNS server
+ * is starting up and creating drivers for use later.
+ */
+
+typedef void
+(*dns_dlzdestroy_t)(void *driverarg, void **dbdata);
+
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface MUST
+ * supply a destroy method.  This method is called when the DNS server
+ * is shuting down and no longer needs the driver.
+ */
+
+typedef isc_result_t
+(*dns_dlzfindzone_t)(void *driverarg, void *dbdata, isc_mem_t *mctx,
+		     dns_rdataclass_t rdclass, dns_name_t *name,
+		     dns_db_t **dbp);
+
+/*%<
+
+ * Method prototype.  Drivers implementing the DLZ interface MUST
+ * supply a find zone method.  This method is called when the DNS
+ * server is performing a query.  The find zone method will be called
+ * with the longest possible name first, and continue to be called
+ * with successively shorter domain names, until any of the following
+ * occur:
+ *
+ * \li	1) a match is found, and the function returns (ISC_R_SUCCESS)
+ *
+ * \li	2) a problem occurs, and the functions returns anything other
+ *	   than (ISC_R_NOTFOUND)
+ * \li	3) we run out of domain name labels. I.E. we have tried the
+ *	   shortest domain name
+ * \li	4) the number of labels in the domain name is less than
+ *	   min_lables for dns_dlzfindzone
+ *
+ * The driver's find zone method should return ISC_R_SUCCESS and a
+ * database pointer to the name server if the zone is supported by the
+ * database.  Otherwise it will return ISC_R_NOTFOUND, and a null
+ * pointer if the zone is not supported.  If an error occurs it should
+ * return a result code indicating the type of error.
+ */
+
+/*% the methods supplied by a DLZ driver */
+typedef struct dns_dlzmethods {
+	dns_dlzcreate_t		create;
+	dns_dlzdestroy_t	destroy;
+	dns_dlzfindzone_t	findzone;
+	dns_dlzallowzonexfr_t	allowzonexfr;
+} dns_dlzmethods_t;
+
+/*% information about a DLZ driver */
+struct dns_dlzimplementation {
+	const char				*name;
+	const dns_dlzmethods_t			*methods;
+	isc_mem_t				*mctx;
+	void					*driverarg;
+	ISC_LINK(dns_dlzimplementation_t)	link;
+};
+
+/*% an instance of a DLZ driver */
+struct dns_dlzdb {
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	dns_dlzimplementation_t	*implementation;
+	void			*dbdata;
+};
+
+
+/***
+ *** Method declarations
+ ***/
+
+isc_result_t
+dns_dlzallowzonexfr(dns_view_t *view, dns_name_t *name,
+		    isc_sockaddr_t *clientaddr, dns_db_t **dbp);
+
+/*%<
+ * This method is called when the DNS server is performing a zone
+ * transfer query.  It will call the DLZ driver's allow zone tranfer
+ * method.
+ */
+
+isc_result_t
+dns_dlzcreate(isc_mem_t *mctx, const char *dlzname,
+	      const char *drivername, unsigned int argc,
+	      char *argv[], dns_dlzdb_t **dbp);
+
+/*%<
+ * This method is called when the DNS server is starting up and
+ * creating drivers for use later.  It will search the DLZ driver list
+ * for 'drivername' and return a DLZ driver via dbp if a match is
+ * found.  If the DLZ driver supplies a create method, this function
+ * will call it.
+ */
+
+void
+dns_dlzdestroy(dns_dlzdb_t **dbp);
+
+/*%<
+ * This method is called when the DNS server is shuting down and no
+ * longer needs the driver.  If the DLZ driver supplies a destroy
+ * methods, this function will call it.
+ */
+
+isc_result_t
+dns_dlzfindzone(dns_view_t *view, dns_name_t *name,
+		unsigned int minlabels, dns_db_t **dbp);
+
+/*%<
+ * This method is called when the DNS server is performing a query.
+ * It will call the DLZ driver's find zone method.
+ */
+
+isc_result_t
+dns_dlzregister(const char *drivername, const dns_dlzmethods_t *methods,
+		 void *driverarg, isc_mem_t *mctx,
+		dns_dlzimplementation_t **dlzimp);
+
+/*%<
+ * Register a dynamically loadable zones (DLZ) driver for the database
+ * type 'drivername', implemented by the functions in '*methods'.
+ *
+ * dlzimp must point to a NULL dlz_implementation_t pointer.  That is,
+ * dlzimp != NULL && *dlzimp == NULL.  It will be assigned a value that
+ * will later be used to identify the driver when deregistering it.
+ */
+
+isc_result_t
+dns_dlzstrtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp);
+
+/*%<
+ * This method is called when the name server is starting up to parse
+ * the DLZ driver command line from named.conf.  Basically it splits
+ * up a string into and argc / argv.  The primary difference of this
+ * method is items between braces { } are considered only 1 word.  for
+ * example the command line "this is { one grouped phrase } and this
+ * isn't" would be parsed into:
+ *
+ * \li	argv[0]: "this"
+ * \li	argv[1]: "is"
+ * \li	argv{2]: " one grouped phrase "
+ * \li	argv[3]: "and"
+ * \li	argv[4]: "this"
+ * \li	argv{5}: "isn't"
+ *
+ * braces should NOT be nested, more than one grouping in the command
+ * line is allowed.  Notice, argv[2] has an extra space at the
+ * beginning and end.  Extra spaces are not stripped between a
+ * grouping.  You can do so in your driver if needed, or be sure not
+ * to put extra spaces before / after the braces.
+ */
+
+void
+dns_dlzunregister(dns_dlzimplementation_t **dlzimp);
+
+/*%<
+ * Removes the dlz driver from the list of registered dlz drivers.
+ * There must be no active dlz drivers of this type when this function
+ * is called.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DLZ_H */
diff --git a/contrib/bind9/lib/dns/include/dns/dnssec.h b/contrib/bind9/lib/dns/include/dns/dnssec.h
index 5f86178..2804e03 100644
--- a/contrib/bind9/lib/dns/include/dns/dnssec.h
+++ b/contrib/bind9/lib/dns/include/dns/dnssec.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.h,v 1.21.12.5 2004/03/08 09:04:35 marka Exp $ */
+/* $Id: dnssec.h,v 1.26.18.2 2005/04/29 00:16:12 marka Exp $ */
 
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/stdtime.h>
 
@@ -32,51 +34,51 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
 			dst_key_t **key);
-/*
+/*%<
  *	Creates a DST key from a DNS record.  Basically a wrapper around
  *	dst_key_fromdns().
  *
  *	Requires:
- *		'name' is not NULL
- *		'rdata' is not NULL
- *		'mctx' is not NULL
- *		'key' is not NULL
- *		'*key' is NULL
+ *\li		'name' is not NULL
+ *\li		'rdata' is not NULL
+ *\li		'mctx' is not NULL
+ *\li		'key' is not NULL
+ *\li		'*key' is NULL
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		ISC_R_NOMEMORY
- *		DST_R_INVALIDPUBLICKEY
- *		various errors from dns_name_totext
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		DST_R_INVALIDPUBLICKEY
+ *\li		various errors from dns_name_totext
  */
 
 isc_result_t
 dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 		isc_stdtime_t *inception, isc_stdtime_t *expire,
 		isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata);
-/*
+/*%<
  *	Generates a SIG record covering this rdataset.  This has no effect
  *	on existing SIG records.
  *
  *	Requires:
- *		'name' (the owner name of the record) is a valid name
- *		'set' is a valid rdataset
- *		'key' is a valid key
- *		'inception' is not NULL
- *		'expire' is not NULL
- *		'mctx' is not NULL
- *		'buffer' is not NULL
- *		'sigrdata' is not NULL
+ *\li		'name' (the owner name of the record) is a valid name
+ *\li		'set' is a valid rdataset
+ *\li		'key' is a valid key
+ *\li		'inception' is not NULL
+ *\li		'expire' is not NULL
+ *\li		'mctx' is not NULL
+ *\li		'buffer' is not NULL
+ *\li		'sigrdata' is not NULL
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		ISC_R_NOMEMORY
- *		ISC_R_NOSPACE
- *		DNS_R_INVALIDTIME - the expiration is before the inception
- *		DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#ISC_R_NOSPACE
+ *\li		#DNS_R_INVALIDTIME - the expiration is before the inception
+ *\li		#DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
  *			it is not a zone key or its flags prevent
  *			authentication)
- *		DST_R_*
+ *\li		DST_R_*
  */
 
 isc_result_t
@@ -88,35 +90,36 @@ isc_result_t
 dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 		   isc_boolean_t ignoretime, isc_mem_t *mctx,
 		   dns_rdata_t *sigrdata, dns_name_t *wild);
-/*
+/*%<
  *	Verifies the SIG record covering this rdataset signed by a specific
  *	key.  This does not determine if the key's owner is authorized to
  *	sign this record, as this requires a resolver or database.
  *	If 'ignoretime' is ISC_TRUE, temporal validity will not be checked.
  *
  *	Requires:
- *		'name' (the owner name of the record) is a valid name
- *		'set' is a valid rdataset
- *		'key' is a valid key
- *		'mctx' is not NULL
- *		'sigrdata' is a valid rdata containing a SIG record
- *		'wild' if non-NULL then is a valid and has a buffer.
+ *\li		'name' (the owner name of the record) is a valid name
+ *\li		'set' is a valid rdataset
+ *\li		'key' is a valid key
+ *\li		'mctx' is not NULL
+ *\li		'sigrdata' is a valid rdata containing a SIG record
+ *\li		'wild' if non-NULL then is a valid and has a buffer.
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		ISC_R_NOMEMORY
- *		DNS_R_FROMWILDCARD - the signature is valid and is from
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#DNS_R_FROMWILDCARD - the signature is valid and is from
  *			a wildcard expansion.  dns_dnssec_verify2() only.
  *			'wild' contains the name of the wildcard if non-NULL.
- *		DNS_R_SIGINVALID - the signature fails to verify
- *		DNS_R_SIGEXPIRED - the signature has expired
- *		DNS_R_SIGFUTURE - the signature's validity period has not begun
- *		DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
+ *\li		#DNS_R_SIGINVALID - the signature fails to verify
+ *\li		#DNS_R_SIGEXPIRED - the signature has expired
+ *\li		#DNS_R_SIGFUTURE - the signature's validity period has not begun
+ *\li		#DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
  *			it is not a zone key or its flags prevent
  *			authentication)
- *		DST_R_*
+ *\li		DST_R_*
  */
 
+/*@{*/
 isc_result_t
 dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
 			dns_name_t *name, isc_mem_t *mctx,
@@ -128,50 +131,51 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
 			 const char *directory, isc_mem_t *mctx,
 			 unsigned int maxkeys, dst_key_t **keys,
 			 unsigned int *nkeys);
-/*
+/*%<
  * 	Finds a set of zone keys.
  * 	XXX temporary - this should be handled in dns_zone_t.
  */
+/*@}*/
 
 isc_result_t
 dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key);
-/*
+/*%<
  *	Signs a message with a SIG(0) record.  This is implicitly called by
  *	dns_message_renderend() if msg->sig0key is not NULL.
  *
  *	Requires:
- *		'msg' is a valid message
- *		'key' is a valid key that can be used for signing
+ *\li		'msg' is a valid message
+ *\li		'key' is a valid key that can be used for signing
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		ISC_R_NOMEMORY
- *		DST_R_*
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		DST_R_*
  */
 
 isc_result_t
 dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 			 dst_key_t *key);
-/*
+/*%<
  *	Verifies a message signed by a SIG(0) record.  This is not
  *	called implicitly by dns_message_parse().  If dns_message_signer()
  *	is called before dns_dnssec_verifymessage(), it will return
- *	DNS_R_NOTVERIFIEDYET.  dns_dnssec_verifymessage() will set
+ *	#DNS_R_NOTVERIFIEDYET.  dns_dnssec_verifymessage() will set
  *	the verified_sig0 flag in msg if the verify succeeds, and
  *	the sig0status field otherwise.
  *
  *	Requires:
- *		'source' is a valid buffer containing the unparsed message
- *		'msg' is a valid message
- *		'key' is a valid key
+ *\li		'source' is a valid buffer containing the unparsed message
+ *\li		'msg' is a valid message
+ *\li		'key' is a valid key
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		ISC_R_NOMEMORY
- *		ISC_R_NOTFOUND - no SIG(0) was found
- *		DNS_R_SIGINVALID - the SIG record is not well-formed or
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#ISC_R_NOTFOUND - no SIG(0) was found
+ *\li		#DNS_R_SIGINVALID - the SIG record is not well-formed or
  *				   was not generated by the key.
- *		DST_R_*
+ *\li		DST_R_*
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/ds.h b/contrib/bind9/lib/dns/include/dns/ds.h
index 979ac9f..5e4cc40 100644
--- a/contrib/bind9/lib/dns/include/dns/ds.h
+++ b/contrib/bind9/lib/dns/include/dns/ds.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds.h,v 1.3.2.1 2004/03/08 02:08:00 marka Exp $ */
+/* $Id: ds.h,v 1.3.20.5 2006/02/22 23:50:09 marka Exp $ */
 
 #ifndef DNS_DS_H
 #define DNS_DS_H 1
@@ -25,11 +25,12 @@
 #include <dns/types.h>
 
 #define DNS_DSDIGEST_SHA1 (1)
+#define DNS_DSDIGEST_SHA256 (2)
 
 /*
- * Assuming SHA-1 digest type.
+ * Assuming SHA-256 digest type.
  */
-#define DNS_DS_BUFFERSIZE (24)
+#define DNS_DS_BUFFERSIZE (36)
 
 ISC_LANG_BEGINDECLS
 
@@ -37,20 +38,26 @@ isc_result_t
 dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
 		  unsigned int digest_type, unsigned char *buffer,
 		  dns_rdata_t *rdata);
-/*
+/*%<
  * Build the rdata of a DS record.
  *
  * Requires:
- *	key	Points to a valid DNS KEY record.
- *	buffer	Points to a temporary buffer of at least
- * 		DNS_DS_BUFFERSIZE bytes.
- *	rdata	Points to an initialized dns_rdata_t.
+ *\li	key	Points to a valid DNS KEY record.
+ *\li	buffer	Points to a temporary buffer of at least
+ * 		#DNS_DS_BUFFERSIZE bytes.
+ *\li	rdata	Points to an initialized dns_rdata_t.
  *
  * Ensures:
- *      *rdata	Contains a valid DS rdata.  The 'data' member refers
+ *  \li    *rdata	Contains a valid DS rdata.  The 'data' member refers
  *		to 'buffer'.
  */
 
+isc_boolean_t
+dns_ds_digest_supported(unsigned int digest_type);
+/*%<
+ * Is this digest algorithm supported by dns_ds_buildrdata()?
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_DS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/events.h b/contrib/bind9/lib/dns/include/dns/events.h
index 1e66139..d1ebef3 100644
--- a/contrib/bind9/lib/dns/include/dns/events.h
+++ b/contrib/bind9/lib/dns/include/dns/events.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,14 +15,15 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: events.h,v 1.37.2.1.4.4 2004/03/08 09:04:36 marka Exp $ */
+/* $Id: events.h,v 1.42.18.3 2005/04/29 00:16:13 marka Exp $ */
 
 #ifndef DNS_EVENTS_H
 #define DNS_EVENTS_H 1
 
 #include <isc/eventclass.h>
 
-/*
+/*! \file 
+ * \brief
  * Registry of DNS event numbers.
  */
 
@@ -63,6 +64,10 @@
 #define DNS_EVENT_DUMPQUANTUM			(ISC_EVENTCLASS_DNS + 34)
 #define DNS_EVENT_IMPORTRECVDONE		(ISC_EVENTCLASS_DNS + 35)
 #define DNS_EVENT_FREESTORAGE			(ISC_EVENTCLASS_DNS + 36)
+#define DNS_EVENT_VIEWACACHESHUTDOWN		(ISC_EVENTCLASS_DNS + 37)
+#define DNS_EVENT_ACACHECONTROL			(ISC_EVENTCLASS_DNS + 38)
+#define DNS_EVENT_ACACHECLEAN			(ISC_EVENTCLASS_DNS + 39)
+#define DNS_EVENT_ACACHEOVERMEM			(ISC_EVENTCLASS_DNS + 40)
 
 #define DNS_EVENT_FIRSTEVENT			(ISC_EVENTCLASS_DNS + 0)
 #define DNS_EVENT_LASTEVENT			(ISC_EVENTCLASS_DNS + 65535)
diff --git a/contrib/bind9/lib/dns/include/dns/fixedname.h b/contrib/bind9/lib/dns/include/dns/fixedname.h
index 3ee306f..8380de6 100644
--- a/contrib/bind9/lib/dns/include/dns/fixedname.h
+++ b/contrib/bind9/lib/dns/include/dns/fixedname.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fixedname.h,v 1.12.206.1 2004/03/06 08:13:55 marka Exp $ */
+/* $Id: fixedname.h,v 1.13.18.2 2005/04/29 00:16:13 marka Exp $ */
 
 #ifndef DNS_FIXEDNAME_H
 #define DNS_FIXEDNAME_H 1
@@ -24,28 +24,31 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * Fixed-size Names
  *
  * dns_fixedname_t is a convenience type containing a name, an offsets table,
  * and a dedicated buffer big enough for the longest possible name.
  *
  * MP:
- *	The caller must ensure any required synchronization.
+ *\li	The caller must ensure any required synchronization.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	Per dns_fixedname_t:
+ *\li	Per dns_fixedname_t:
+ *\code
  *		sizeof(dns_name_t) + sizeof(dns_offsets_t) +
  *		sizeof(isc_buffer_t) + 255 bytes + structure padding
+ *\endcode
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Standards:
- *	None.
+ *\li	None.
  */
 
 /*****
diff --git a/contrib/bind9/lib/dns/include/dns/forward.h b/contrib/bind9/lib/dns/include/dns/forward.h
index 1eb62d2..ddf6d7f 100644
--- a/contrib/bind9/lib/dns/include/dns/forward.h
+++ b/contrib/bind9/lib/dns/include/dns/forward.h
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: forward.h,v 1.2.206.3 2005/03/17 03:58:31 marka Exp $ */
+/* $Id: forward.h,v 1.3.18.3 2005/04/27 05:01:33 sra Exp $ */
 
 #ifndef DNS_FORWARD_H
 #define DNS_FORWARD_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/result.h>
 
@@ -34,68 +36,81 @@ struct dns_forwarders {
 
 isc_result_t
 dns_fwdtable_create(isc_mem_t *mctx, dns_fwdtable_t **fwdtablep);
-/*
+/*%<
  * Creates a new forwarding table.
  *
  * Requires:
- * 	mctx is a valid memory context.
- * 	fwdtablep != NULL && *fwdtablep == NULL
+ * \li 	mctx is a valid memory context.
+ * \li	fwdtablep != NULL && *fwdtablep == NULL
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
  */
 
 isc_result_t
 dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name,
 		 isc_sockaddrlist_t *addrs, dns_fwdpolicy_t policy);
-/*
+/*%<
  * Adds an entry to the forwarding table.  The entry associates
  * a domain with a list of forwarders and a forwarding policy.  The
  * addrs list is copied if not empty, so the caller should free its copy.
  *
  * Requires:
- * 	fwdtable is a valid forwarding table.
- * 	name is a valid name
- * 	addrs is a valid list of sockaddrs, which may be empty.
+ * \li	fwdtable is a valid forwarding table.
+ * \li	name is a valid name
+ * \li	addrs is a valid list of sockaddrs, which may be empty.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
  */
 
 isc_result_t
 dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
 		  dns_forwarders_t **forwardersp);
+/*%<
+ * Finds a domain in the forwarding table.  The closest matching parent
+ * domain is returned.
+ *
+ * Requires:
+ * \li	fwdtable is a valid forwarding table.
+ * \li	name is a valid name
+ * \li	forwardersp != NULL && *forwardersp == NULL
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ */
 
 isc_result_t
 dns_fwdtable_find2(dns_fwdtable_t *fwdtable, dns_name_t *name,
 		   dns_name_t *foundname, dns_forwarders_t **forwardersp);
-/*
+/*%<
  * Finds a domain in the forwarding table.  The closest matching parent
  * domain is returned.
  *
  * Requires:
- * 	fwdtable is a valid forwarding table.
- * 	name is a valid name
- * 	forwardersp != NULL && *forwardersp == NULL
- *	foundname to be NULL or a valid name with buffer.
+ * \li	fwdtable is a valid forwarding table.
+ * \li	name is a valid name
+ * \li	forwardersp != NULL && *forwardersp == NULL
+ * \li	foundname to be NULL or a valid name with buffer.
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	ISC_R_NOTFOUND
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
  */
 
 void
 dns_fwdtable_destroy(dns_fwdtable_t **fwdtablep);
-/*
+/*%<
  * Destroys a forwarding table.
  *
  * Requires:
- * 	fwtablep != NULL && *fwtablep != NULL
+ * \li	fwtablep != NULL && *fwtablep != NULL
  *
  * Ensures:
- * 	all memory associated with the forwarding table is freed.
+ * \li	all memory associated with the forwarding table is freed.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/journal.h b/contrib/bind9/lib/dns/include/dns/journal.h
index fdf6094..b776a30 100644
--- a/contrib/bind9/lib/dns/include/dns/journal.h
+++ b/contrib/bind9/lib/dns/include/dns/journal.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: journal.h,v 1.23.12.3 2004/03/08 09:04:36 marka Exp $ */
+/* $Id: journal.h,v 1.25.18.2 2005/04/29 00:16:13 marka Exp $ */
 
 #ifndef DNS_JOURNAL_H
 #define DNS_JOURNAL_H 1
@@ -24,7 +24,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * Database journalling.
  */
 
@@ -44,7 +45,7 @@
  *** Types
  ***/
 
-/*
+/*%
  * A dns_journal_t represents an open journal file.  This is an opaque type.
  *
  * A particular dns_journal_t object may be opened for writing, in which case
@@ -67,19 +68,21 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
 		   dns_diffop_t op, dns_difftuple_t **tp);
-/*
+/*!< brief
  * Create a diff tuple for the current database SOA.
  * XXX this probably belongs somewhere else.
  */
 
 
+/*@{*/
 #define DNS_SERIAL_GT(a, b) ((int)(((a) - (b)) & 0xFFFFFFFF) > 0)
 #define DNS_SERIAL_GE(a, b) ((int)(((a) - (b)) & 0xFFFFFFFF) >= 0)
-/*
+/*!< brief
  * Compare SOA serial numbers.  DNS_SERIAL_GT(a, b) returns true iff
  * a is "greater than" b where "greater than" is as defined in RFC1982.
  * DNS_SERIAL_GE(a, b) returns true iff a is "greater than or equal to" b.
  */
+/*@}*/
 
 /**************************************************************************/
 /*
@@ -89,7 +92,7 @@ dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
 isc_result_t
 dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
 		 dns_journal_t **journalp);
-/*
+/*%<
  * Open the journal file 'filename' and create a dns_journal_t object for it.
  *
  * If 'write' is ISC_TRUE, the journal is open for writing.  If it does
@@ -101,7 +104,7 @@ dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
 
 void
 dns_journal_destroy(dns_journal_t **journalp);
-/*
+/*%<
  * Destroy a dns_journal_t, closing any open files and freeing its memory.
  */
 
@@ -112,52 +115,52 @@ dns_journal_destroy(dns_journal_t **journalp);
 
 isc_result_t
 dns_journal_begin_transaction(dns_journal_t *j);
-/*
+/*%<
  * Prepare to write a new transaction to the open journal file 'j'.
  *
  * Requires:
- *      'j' is open for writing.
+ *     \li 'j' is open for writing.
  */
 
 isc_result_t
 dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff);
-/*
+/*%<
  * Write 'diff' to the current transaction of journal file 'j'.
  *
  * Requires:
- *      'j' is open for writing and dns_journal_begin_transaction()
+ * \li     'j' is open for writing and dns_journal_begin_transaction()
  * 	has been called.
  *
- * 	'diff' is a full or partial, correctly ordered IXFR
+ *\li 	'diff' is a full or partial, correctly ordered IXFR
  *      difference sequence.
  */
 
 isc_result_t
 dns_journal_commit(dns_journal_t *j);
-/*
+/*%<
  * Commit the current transaction of journal file 'j'.
  *
  * Requires:
- *      'j' is open for writing and dns_journal_begin_transaction()
+ * \li     'j' is open for writing and dns_journal_begin_transaction()
  * 	has been called.
  *
- *      dns_journal_writediff() has been called one or more times
+ *   \li   dns_journal_writediff() has been called one or more times
  * 	to form a complete, correctly ordered IXFR difference
  *      sequence.
  */
 
 isc_result_t
 dns_journal_write_transaction(dns_journal_t *j, dns_diff_t *diff);
-/*
+/*%
  * Write a complete transaction at once to a journal file,
  * sorting it if necessary, and commit it.  Equivalent to calling
  * dns_diff_sort(), dns_journal_begin_transaction(),
  * dns_journal_writediff(), and dns_journal_commit().
  *
  * Requires:
- *      'j' is open for writing.
+ *\li      'j' is open for writing.
  *
- * 	'diff' contains exactly one SOA deletion, one SOA addition
+ * \li	'diff' contains exactly one SOA deletion, one SOA addition
  *       with a greater serial number, and possibly other changes,
  *       in arbitrary order.
  */
@@ -171,46 +174,48 @@ isc_uint32_t
 dns_journal_first_serial(dns_journal_t *j);
 isc_uint32_t
 dns_journal_last_serial(dns_journal_t *j);
-/*
+/*%<
  * Get the first and last addressable serial number in the journal.
  */
 
 isc_result_t
 dns_journal_iter_init(dns_journal_t *j,
 		      isc_uint32_t begin_serial, isc_uint32_t end_serial);
-/*
+/*%<
  * Prepare to iterate over the transactions that will bring the database
  * from SOA serial number 'begin_serial' to 'end_serial'.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_RANGE	begin_serial is outside the addressable range.
- *	ISC_R_NOTFOUND	begin_serial is within the range of adressable
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_RANGE	begin_serial is outside the addressable range.
+ *\li	ISC_R_NOTFOUND	begin_serial is within the range of adressable
  *			serial numbers covered by the journal, but
  *			this particular serial number does not exist.
  */
 
+/*@{*/
 isc_result_t
 dns_journal_first_rr(dns_journal_t *j);
 isc_result_t
 dns_journal_next_rr(dns_journal_t *j);
-/*
+/*%<
  * Position the iterator at the first/next RR in a journal
  * transaction sequence established using dns_journal_iter_init().
  *
  * Requires:
- *      dns_journal_iter_init() has been called.
+ *    \li  dns_journal_iter_init() has been called.
  *
  */
+/*@}*/
 
 void
 dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, isc_uint32_t *ttl,
 		       dns_rdata_t **rdata);
-/*
+/*%<
  * Get the name, ttl, and rdata of the current journal RR.
  *
  * Requires:
- *      The last call to dns_journal_first_rr() or dns_journal_next_rr()
+ * \li     The last call to dns_journal_first_rr() or dns_journal_next_rr()
  *      returned ISC_R_SUCCESS.
  */
 
@@ -221,22 +226,22 @@ dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, isc_uint32_t *ttl,
 
 isc_result_t
 dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, const char *filename);
-/*
+/*%<
  * Roll forward (play back) the journal file "filename" into the
  * database "db".  This should be called when the server starts
  * after a shutdown or crash.
  *
  * Requires:
- *      'mctx' is a valid memory context.
- *	'db' is a valid database which does not have a version
+ *\li      'mctx' is a valid memory context.
+ *\li	'db' is a valid database which does not have a version
  *           open for writing.
- *      'filename' is the name of the journal file belonging to 'db'.
+ *  \li    'filename' is the name of the journal file belonging to 'db'.
  *
  * Returns:
- *	DNS_R_NOJOURNAL when journal does not exist.
- *	ISC_R_NOTFOUND when current serial in not in journal.
- *	ISC_R_RANGE when current serial in not in journals range.
- *	ISC_R_SUCCESS journal has been applied successfully to database.
+ *\li	DNS_R_NOJOURNAL when journal does not exist.
+ *\li	ISC_R_NOTFOUND when current serial in not in journal.
+ *\li	ISC_R_RANGE when current serial in not in journals range.
+ *\li	ISC_R_SUCCESS journal has been applied successfully to database.
  *	others
  */
 
@@ -249,7 +254,7 @@ dns_db_diff(isc_mem_t *mctx,
 	    dns_db_t *dba, dns_dbversion_t *dbvera,
 	    dns_db_t *dbb, dns_dbversion_t *dbverb,
 	    const char *journal_filename);
-/*
+/*%<
  * Compare the databases 'dba' and 'dbb' and generate a journal
  * entry containing the changes to make 'dba' from 'dbb' (note
  * the order).  This journal entry will consist of a single,
@@ -260,7 +265,7 @@ dns_db_diff(isc_mem_t *mctx,
 isc_result_t
 dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
                     isc_uint32_t target_size);
-/*
+/*%<
  * Attempt to compact the journal if it is greater that 'target_size'.
  * Changes from 'serial' onwards will be preserved.  If the journal
  * exists and is non-empty 'serial' must exist in the journal.
diff --git a/contrib/bind9/lib/dns/include/dns/keyflags.h b/contrib/bind9/lib/dns/include/dns/keyflags.h
index 025b137..665b517 100644
--- a/contrib/bind9/lib/dns/include/dns/keyflags.h
+++ b/contrib/bind9/lib/dns/include/dns/keyflags.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyflags.h,v 1.9.206.1 2004/03/06 08:13:56 marka Exp $ */
+/* $Id: keyflags.h,v 1.10.18.2 2005/04/29 00:16:13 marka Exp $ */
 
 #ifndef DNS_KEYFLAGS_H
 #define DNS_KEYFLAGS_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -28,7 +30,7 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source);
-/*
+/*%<
  * Convert the text 'source' refers to into a DNSSEC KEY flags value.
  * The text may contain either a set of flag mnemonics separated by
  * vertical bars or a decimal flags value.  For compatibility with
@@ -37,14 +39,14 @@ dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source);
  * are also accepted.
  *
  * Requires:
- *	'flagsp' is a valid pointer.
+ *\li	'flagsp' is a valid pointer.
  *
- *	'source' is a valid text region.
+ *\li	'source' is a valid text region.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	ISC_R_RANGE			numeric flag value is out of range
- *	DNS_R_UNKNOWN			mnemonic flag is unknown
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_RANGE			numeric flag value is out of range
+ *\li	DNS_R_UNKNOWN			mnemonic flag is unknown
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/keytable.h b/contrib/bind9/lib/dns/include/dns/keytable.h
index f3a21a6..b8bfcc1 100644
--- a/contrib/bind9/lib/dns/include/dns/keytable.h
+++ b/contrib/bind9/lib/dns/include/dns/keytable.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.h,v 1.10.206.3 2006/01/06 00:01:42 marka Exp $ */
+/* $Id: keytable.h,v 1.11.18.3 2005/12/05 00:00:03 marka Exp $ */
 
 #ifndef DNS_KEYTABLE_H
 #define DNS_KEYTABLE_H 1
@@ -24,22 +24,21 @@
  ***** Module Info
  *****/
 
-/*
- * Key Tables
- *
+/*! \file
+ * \brief
  * The keytable module provides services for storing and retrieving DNSSEC
  * trusted keys, as well as the ability to find the deepest matching key
  * for a given domain name.
  *
  * MP:
- *	The module ensures appropriate synchronization of data structures it
+ *\li	The module ensures appropriate synchronization of data structures it
  *	creates and manipulates.
  *
  * Resources:
- *	<TBS>
+ *\li	TBS
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  */
 
 #include <isc/lang.h>
@@ -52,203 +51,202 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep);
-/*
+/*%<
  * Create a keytable.
  *
  * Requires:
  *
- *	'mctx' is a valid memory context.
+ *\li	'mctx' is a valid memory context.
  *
- *	keytablep != NULL && *keytablep == NULL
+ *\li	keytablep != NULL && *keytablep == NULL
  *
  * Ensures:
  *
- *	On success, *keytablep is a valid, empty key table.
+ *\li	On success, *keytablep is a valid, empty key table.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
+ *\li	ISC_R_SUCCESS
  *
- *	Any other result indicates failure.
+ *\li	Any other result indicates failure.
  */
 
 
 void
 dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp);
-/*
+/*%<
  * Attach *targetp to source.
  *
  * Requires:
  *
- *	'source' is a valid keytable.
+ *\li	'source' is a valid keytable.
  *
- *	'targetp' points to a NULL dns_keytable_t *.
+ *\li	'targetp' points to a NULL dns_keytable_t *.
  *
  * Ensures:
  *
- *	*targetp is attached to source.
+ *\li	*targetp is attached to source.
  */
 
 void
 dns_keytable_detach(dns_keytable_t **keytablep);
-/*
+/*%<
  * Detach *keytablep from its keytable.
  *
  * Requires:
  *
- *	'keytablep' points to a valid keytable.
+ *\li	'keytablep' points to a valid keytable.
  *
  * Ensures:
  *
- *	*keytablep is NULL.
- *
- *	If '*keytablep' is the last reference to the keytable,
+ *\li	*keytablep is NULL.
  *
- *		All resources used by the keytable will be freed
+ *\li	If '*keytablep' is the last reference to the keytable,
+ *		all resources used by the keytable will be freed
  */
 
 isc_result_t
 dns_keytable_add(dns_keytable_t *keytable, dst_key_t **keyp);
-/*
+/*%<
  * Add '*keyp' to 'keytable'.
  *
  * Notes:
  *
- *	Ownership of *keyp is transferred to the keytable.
+ *\li	Ownership of *keyp is transferred to the keytable.
  *
  * Requires:
  *
- *	keyp != NULL && *keyp is a valid dst_key_t *.
+ *\li	keyp != NULL && *keyp is a valid dst_key_t *.
  *
  * Ensures:
  *
- *	On success, *keyp == NULL
+ *\li	On success, *keyp == NULL
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
+ *\li	ISC_R_SUCCESS
  *
- *	Any other result indicates failure.
+ *\li	Any other result indicates failure.
  */
 
 isc_result_t
 dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
 			 dns_secalg_t algorithm, dns_keytag_t tag,
 			 dns_keynode_t **keynodep);
-/*
+/*%<
  * Search for a key named 'name', matching 'algorithm' and 'tag' in
  * 'keytable'.  This finds the first instance which matches.  Use
  * dns_keytable_findnextkeynode() to find other instances.
  *
  * Requires:
  *
- *	'keytable' is a valid keytable.
+ *\li	'keytable' is a valid keytable.
  *
- *	'name' is a valid absolute name.
+ *\li	'name' is a valid absolute name.
  *
- *	keynodep != NULL && *keynodep == NULL
+ *\li	keynodep != NULL && *keynodep == NULL
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	DNS_R_PARTIALMATCH	the name existed in the keytable.
- *	ISC_R_NOTFOUND
+ *\li	ISC_R_SUCCESS
+ *\li	DNS_R_PARTIALMATCH	the name existed in the keytable.
+ *\li	ISC_R_NOTFOUND
  *
- *	Any other result indicates an error.
+ *\li	Any other result indicates an error.
  */
 
 isc_result_t
 dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
 		                             dns_keynode_t **nextnodep);
-/*
+/*%<
  * Search for the next key with the same properties as 'keynode' in
  * 'keytable' as found by dns_keytable_findkeynode().
  *
  * Requires:
  *
- *	'keytable' is a valid keytable.
+ *\li	'keytable' is a valid keytable.
  *
- *	'keynode' is a valid keynode.
+ *\li	'keynode' is a valid keynode.
  *
- *	nextnodep != NULL && *nextnodep == NULL
+ *\li	nextnodep != NULL && *nextnodep == NULL
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOTFOUND
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
  *
- *	Any other result indicates an error.
+ *\li	Any other result indicates an error.
  */
 
 isc_result_t
 dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
 			      dns_name_t *foundname);
-/*
+/*%<
  * Search for the deepest match of 'name' in 'keytable'.
  *
  * Requires:
  *
- *	'keytable' is a valid keytable.
+ *\li	'keytable' is a valid keytable.
  *
- *	'name' is a valid absolute name.
+ *\li	'name' is a valid absolute name.
  *
- *	'foundname' is a name with a dedicated buffer.
+ *\li	'foundname' is a name with a dedicated buffer.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOTFOUND
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
  *
- *	Any other result indicates an error.
+ *\li	Any other result indicates an error.
  */
 
 void
 dns_keytable_detachkeynode(dns_keytable_t *keytable,
 			   dns_keynode_t **keynodep);
-/*
+/*%<
  * Give back a keynode found via dns_keytable_findkeynode().
  *
  * Requires:
  *
- *	'keytable' is a valid keytable.
+ *\li	'keytable' is a valid keytable.
  *
- *	*keynodep is a valid keynode returned by a call to
+ *\li	*keynodep is a valid keynode returned by a call to
  *	dns_keytable_findkeynode().
  *
  * Ensures:
  *
- *	*keynodep == NULL
+ *\li	*keynodep == NULL
  */
 
 isc_result_t
 dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
 			    isc_boolean_t *wantdnssecp);
-/*
+/*%<
  * Is 'name' at or beneath a trusted key?
  *
  * Requires:
  *
- *	'keytable' is a valid keytable.
+ *\li	'keytable' is a valid keytable.
  *
- *	'name' is a valid absolute name.
+ *\li	'name' is a valid absolute name.
  *
- *	'*wantsdnssecp' is a valid isc_boolean_t.
+ *\li	'*wantsdnssecp' is a valid isc_boolean_t.
  *
  * Ensures:
  *
- *	On success, *wantsdnssecp will be ISC_TRUE if and only if 'name'
+ *\li	On success, *wantsdnssecp will be ISC_TRUE if and only if 'name'
  *	is at or beneath a trusted key.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
+ *\li	ISC_R_SUCCESS
  *
- *	Any other result is an error.
+ *\li	Any other result is an error.
  */
 
 dst_key_t *
 dns_keynode_key(dns_keynode_t *keynode);
-/*
+/*%<
  * Get the DST key associated with keynode.
  */
 
diff --git a/contrib/bind9/lib/dns/include/dns/keyvalues.h b/contrib/bind9/lib/dns/include/dns/keyvalues.h
index ef9e821..df17ace 100644
--- a/contrib/bind9/lib/dns/include/dns/keyvalues.h
+++ b/contrib/bind9/lib/dns/include/dns/keyvalues.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,36 +15,38 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyvalues.h,v 1.11.12.3 2004/03/06 08:13:56 marka Exp $ */
+/* $Id: keyvalues.h,v 1.15.18.2 2005/04/29 00:16:14 marka Exp $ */
 
 #ifndef DNS_KEYVALUES_H
 #define DNS_KEYVALUES_H 1
 
+/*! \file */
+
 /*
  * Flags field of the KEY RR rdata
  */
-#define DNS_KEYFLAG_TYPEMASK	0xC000	/* Mask for "type" bits */
-#define DNS_KEYTYPE_AUTHCONF	0x0000	/* Key usable for both */
-#define DNS_KEYTYPE_CONFONLY	0x8000	/* Key usable for confidentiality */
-#define DNS_KEYTYPE_AUTHONLY	0x4000	/* Key usable for authentication */
-#define DNS_KEYTYPE_NOKEY	0xC000	/* No key usable for either; no key */
+#define DNS_KEYFLAG_TYPEMASK	0xC000	/*%< Mask for "type" bits */
+#define DNS_KEYTYPE_AUTHCONF	0x0000	/*%< Key usable for both */
+#define DNS_KEYTYPE_CONFONLY	0x8000	/*%< Key usable for confidentiality */
+#define DNS_KEYTYPE_AUTHONLY	0x4000	/*%< Key usable for authentication */
+#define DNS_KEYTYPE_NOKEY	0xC000	/*%< No key usable for either; no key */
 #define DNS_KEYTYPE_NOAUTH	DNS_KEYTYPE_CONFONLY
 #define DNS_KEYTYPE_NOCONF	DNS_KEYTYPE_AUTHONLY
 
-#define DNS_KEYFLAG_RESERVED2	0x2000	/* reserved - must be zero */
-#define DNS_KEYFLAG_EXTENDED	0x1000	/* key has extended flags */
-#define DNS_KEYFLAG_RESERVED4	0x0800	/* reserved - must be zero */
-#define DNS_KEYFLAG_RESERVED5	0x0400	/* reserved - must be zero */
-#define DNS_KEYFLAG_OWNERMASK	0x0300	/* these bits determine the type */
-#define DNS_KEYOWNER_USER	0x0000	/* key is assoc. with user */
-#define DNS_KEYOWNER_ENTITY	0x0200	/* key is assoc. with entity eg host */
-#define DNS_KEYOWNER_ZONE	0x0100	/* key is zone key */
-#define DNS_KEYOWNER_RESERVED	0x0300	/* reserved meaning */
-#define DNS_KEYFLAG_RESERVED8	0x0080	/* reserved - must be zero */
-#define DNS_KEYFLAG_RESERVED9	0x0040	/* reserved - must be zero */
-#define DNS_KEYFLAG_RESERVED10	0x0020	/* reserved - must be zero */
-#define DNS_KEYFLAG_RESERVED11	0x0010	/* reserved - must be zero */
-#define DNS_KEYFLAG_SIGNATORYMASK 0x000F /* key can sign RR's of same name */
+#define DNS_KEYFLAG_RESERVED2	0x2000	/*%< reserved - must be zero */
+#define DNS_KEYFLAG_EXTENDED	0x1000	/*%< key has extended flags */
+#define DNS_KEYFLAG_RESERVED4	0x0800	/*%< reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED5	0x0400	/*%< reserved - must be zero */
+#define DNS_KEYFLAG_OWNERMASK	0x0300	/*%< these bits determine the type */
+#define DNS_KEYOWNER_USER	0x0000	/*%< key is assoc. with user */
+#define DNS_KEYOWNER_ENTITY	0x0200	/*%< key is assoc. with entity eg host */
+#define DNS_KEYOWNER_ZONE	0x0100	/*%< key is zone key */
+#define DNS_KEYOWNER_RESERVED	0x0300	/*%< reserved meaning */
+#define DNS_KEYFLAG_RESERVED8	0x0080	/*%< reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED9	0x0040	/*%< reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED10	0x0020	/*%< reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED11	0x0010	/*%< reserved - must be zero */
+#define DNS_KEYFLAG_SIGNATORYMASK 0x000F /*%< key can sign RR's of same name */
 
 #define DNS_KEYFLAG_RESERVEDMASK (DNS_KEYFLAG_RESERVED2 | \
 				  DNS_KEYFLAG_RESERVED4 | \
@@ -53,21 +55,21 @@
 				  DNS_KEYFLAG_RESERVED9 | \
 				  DNS_KEYFLAG_RESERVED10 | \
 				  DNS_KEYFLAG_RESERVED11 )
-#define DNS_KEYFLAG_KSK		0x0001	/* key signing key */
+#define DNS_KEYFLAG_KSK		0x0001	/*%< key signing key */
 
-#define DNS_KEYFLAG_RESERVEDMASK2 0xFFFF	/* no bits defined here */
+#define DNS_KEYFLAG_RESERVEDMASK2 0xFFFF	/*%< no bits defined here */
 
 /* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
-#define DNS_KEYALG_RSAMD5	1       /* RSA with MD5 */
+#define DNS_KEYALG_RSAMD5	1       /*%< RSA with MD5 */
 #define DNS_KEYALG_RSA		DNS_KEYALG_RSAMD5
-#define DNS_KEYALG_DH		2       /* Diffie Hellman KEY */
-#define DNS_KEYALG_DSA		3       /* DSA KEY */
+#define DNS_KEYALG_DH		2       /*%< Diffie Hellman KEY */
+#define DNS_KEYALG_DSA		3       /*%< DSA KEY */
 #define DNS_KEYALG_DSS		NS_ALG_DSA
 #define DNS_KEYALG_ECC		4
 #define DNS_KEYALG_RSASHA1	5
 #define DNS_KEYALG_INDIRECT	252
 #define DNS_KEYALG_PRIVATEDNS	253
-#define DNS_KEYALG_PRIVATEOID	254     /* Key begins with OID giving alg */
+#define DNS_KEYALG_PRIVATEOID	254     /*%< Key begins with OID giving alg */
 
 /* Protocol values  */
 #define	DNS_KEYPROTO_RESERVED	0
@@ -78,11 +80,11 @@
 #define DNS_KEYPROTO_ANY	255
 
 /* Signatures */
-#define DNS_SIG_RSAMINBITS	512	/* Size of a mod or exp in bits */
+#define DNS_SIG_RSAMINBITS	512	/*%< Size of a mod or exp in bits */
 #define DNS_SIG_RSAMAXBITS	2552
 	/* Total of binary mod and exp */
 #define DNS_SIG_RSAMAXBYTES	((DNS_SIG_RSAMAXBITS+7/8)*2+3)
-	/* Max length of text sig block */
+	/*%< Max length of text sig block */
 #define DNS_SIG_RSAMAXBASE64	(((DNS_SIG_RSAMAXBYTES+2)/3)*4)
 #define DNS_SIG_RSAMINSIZE	((DNS_SIG_RSAMINBITS+7)/8)
 #define DNS_SIG_RSAMAXSIZE	((DNS_SIG_RSAMAXBITS+7)/8)
diff --git a/contrib/bind9/lib/dns/include/dns/lib.h b/contrib/bind9/lib/dns/include/dns/lib.h
index e53dd2b..d59dde3 100644
--- a/contrib/bind9/lib/dns/include/dns/lib.h
+++ b/contrib/bind9/lib/dns/include/dns/lib.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,21 +15,27 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.6.12.3 2004/03/08 09:04:36 marka Exp $ */
+/* $Id: lib.h,v 1.8.18.4 2005/09/20 04:33:48 marka Exp $ */
 
 #ifndef DNS_LIB_H
 #define DNS_LIB_H 1
 
+/*! \file */
+
 #include <isc/types.h>
 #include <isc/lang.h>
 
 ISC_LANG_BEGINDECLS
 
+/*%
+ * Tuning: external query load in packets per seconds.
+ */
+LIBDNS_EXTERNAL_DATA extern unsigned int dns_pps;
 LIBDNS_EXTERNAL_DATA extern isc_msgcat_t *dns_msgcat;
 
 void
 dns_lib_initmsgcat(void);
-/*
+/*%<
  * Initialize the DNS library's message catalog, dns_msgcat, if it
  * has not already been initialized.
  */
diff --git a/contrib/bind9/lib/dns/include/dns/log.h b/contrib/bind9/lib/dns/include/dns/log.h
index 9901fc9..7bee174 100644
--- a/contrib/bind9/lib/dns/include/dns/log.h
+++ b/contrib/bind9/lib/dns/include/dns/log.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.30.2.1.10.2 2004/03/06 08:13:57 marka Exp $ */
+/* $Id: log.h,v 1.33.18.4 2005/09/05 00:18:27 marka Exp $ */
 
-/* Principal Authors: DCL */
+/*! \file
+ * \author  Principal Authors: DCL */
 
 #ifndef DNS_LOG_H
 #define DNS_LOG_H 1
@@ -69,33 +70,35 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
 #define DNS_LOGMODULE_SDB		(&dns_modules[22])
 #define DNS_LOGMODULE_DIFF		(&dns_modules[23])
 #define DNS_LOGMODULE_HINTS		(&dns_modules[24])
+#define DNS_LOGMODULE_ACACHE		(&dns_modules[25])
+#define DNS_LOGMODULE_DLZ		(&dns_modules[26])
 
 ISC_LANG_BEGINDECLS
 
 void
 dns_log_init(isc_log_t *lctx);
-/*
+/*%
  * Make the libdns categories and modules available for use with the
  * ISC logging library.
  *
  * Requires:
- *	lctx is a valid logging context.
+ *\li	lctx is a valid logging context.
  *
- *	dns_log_init() is called only once.
+ *\li	dns_log_init() is called only once.
  *
  * Ensures:
- * 	The catgories and modules defined above are available for
+ * \li	The catgories and modules defined above are available for
  * 	use by isc_log_usechannnel() and isc_log_write().
  */
 
 void
 dns_log_setcontext(isc_log_t *lctx);
-/*
+/*%
  * Make the libdns library use the provided context for logging internal
  * messages.
  *
  * Requires:
- *	lctx is a valid logging context.
+ *\li	lctx is a valid logging context.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/lookup.h b/contrib/bind9/lib/dns/include/dns/lookup.h
index 2be254c..aea6f84 100644
--- a/contrib/bind9/lib/dns/include/dns/lookup.h
+++ b/contrib/bind9/lib/dns/include/dns/lookup.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lookup.h,v 1.5.206.1 2004/03/06 08:13:57 marka Exp $ */
+/* $Id: lookup.h,v 1.6.18.2 2005/04/29 00:16:15 marka Exp $ */
 
 #ifndef DNS_LOOKUP_H
 #define DNS_LOOKUP_H 1
@@ -24,29 +24,28 @@
  ***** Module Info
  *****/
 
-/*
- * DNS Lookup
- *
+/*! \file
+ * \brief
  * The lookup module performs simple DNS lookups.  It implements
  * the full resolver algorithm, both looking for local data and 
  * resoving external names as necessary.
  *
  * MP:
- *	The module ensures appropriate synchronization of data structures it
+ *\li	The module ensures appropriate synchronization of data structures it
  *	creates and manipulates.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	<TBS>
+ *\li	TBS
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Standards:
- *	RFCs:	1034, 1035, 2181, <TBS>
- *	Drafts:	<TBS>
+ *\li	RFCs:	1034, 1035, 2181, TBS
+ *\li	Drafts:	TBS
  */
 
 #include <isc/lang.h>
@@ -56,7 +55,7 @@
 
 ISC_LANG_BEGINDECLS
 
-/*
+/*%
  * A 'dns_lookupevent_t' is returned when a lookup completes.
  * The sender field will be set to the lookup that completed.  If 'result'
  * is ISC_R_SUCCESS, then 'names' will contain a list of names associated
@@ -77,60 +76,60 @@ isc_result_t
 dns_lookup_create(isc_mem_t *mctx, dns_name_t *name, dns_rdatatype_t type,
 		  dns_view_t *view, unsigned int options, isc_task_t *task,
 		  isc_taskaction_t action, void *arg, dns_lookup_t **lookupp);
-/*
+/*%<
  * Finds the rrsets matching 'name' and 'type'.
  *
  * Requires:
  *
- *	'mctx' is a valid mctx.
+ *\li	'mctx' is a valid mctx.
  *
- *	'name' is a valid name.
+ *\li	'name' is a valid name.
  *
- *	'view' is a valid view which has a resolver.
+ *\li	'view' is a valid view which has a resolver.
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
- *	lookupp != NULL && *lookupp == NULL
+ *\li	lookupp != NULL && *lookupp == NULL
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMEMORY
  *
- *	Any resolver-related error (e.g. ISC_R_SHUTTINGDOWN) may also be
+ *\li	Any resolver-related error (e.g. ISC_R_SHUTTINGDOWN) may also be
  *	returned.
  */
 
 void
 dns_lookup_cancel(dns_lookup_t *lookup);
-/*
+/*%<
  * Cancel 'lookup'.
  *
  * Notes:
  *
- *	If 'lookup' has not completed, post its LOOKUPDONE event with a
+ *\li	If 'lookup' has not completed, post its LOOKUPDONE event with a
  *	result code of ISC_R_CANCELED.
  *
  * Requires:
  *
- *	'lookup' is a valid lookup.
+ *\li	'lookup' is a valid lookup.
  */
 
 void
 dns_lookup_destroy(dns_lookup_t **lookupp);
-/*
+/*%<
  * Destroy 'lookup'.
  *
  * Requires:
  *
- *	'*lookupp' is a valid lookup.
+ *\li	'*lookupp' is a valid lookup.
  *
- *	The caller has received the LOOKUPDONE event (either because the
+ *\li	The caller has received the LOOKUPDONE event (either because the
  *	lookup completed or because dns_lookup_cancel() was called).
  *
  * Ensures:
  *
- *	*lookupp == NULL.
+ *\li	*lookupp == NULL.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/master.h b/contrib/bind9/lib/dns/include/dns/master.h
index 0b861c6..1f94c8c 100644
--- a/contrib/bind9/lib/dns/include/dns/master.h
+++ b/contrib/bind9/lib/dns/include/dns/master.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master.h,v 1.31.2.3.2.7 2004/03/08 09:04:36 marka Exp $ */
+/* $Id: master.h,v 1.38.18.6 2005/06/20 01:19:43 marka Exp $ */
 
 #ifndef DNS_MASTER_H
 #define DNS_MASTER_H 1
 
+/*! \file */
+
 /***
  ***	Imports
  ***/
@@ -33,21 +35,60 @@
 /*
  * Flags to be passed in the 'options' argument in the functions below.
  */
-#define	DNS_MASTER_AGETTL 	0x00000001	/* Age the ttl based on $DATE. */
-#define DNS_MASTER_MANYERRORS 	0x00000002	/* Continue processing on errors. */
-#define DNS_MASTER_NOINCLUDE 	0x00000004	/* Disallow $INCLUDE directives. */
-#define DNS_MASTER_ZONE 	0x00000008	/* Loading a zone master file. */
-#define DNS_MASTER_HINT 	0x00000010	/* Loading a hint master file. */
-#define DNS_MASTER_SLAVE 	0x00000020	/* Loading a slave master file. */
-#define DNS_MASTER_CHECKNS 	0x00000040	/* Check NS records to see if
-						 * they are an address */
-#define DNS_MASTER_FATALNS 	0x00000080	/* Treat DNS_MASTER_CHECKNS
-						 * matches as fatal */
+#define	DNS_MASTER_AGETTL 	0x00000001	/*%< Age the ttl based on $DATE. */
+#define DNS_MASTER_MANYERRORS 	0x00000002	/*%< Continue processing on errors. */
+#define DNS_MASTER_NOINCLUDE 	0x00000004	/*%< Disallow $INCLUDE directives. */
+#define DNS_MASTER_ZONE 	0x00000008	/*%< Loading a zone master file. */
+#define DNS_MASTER_HINT 	0x00000010	/*%< Loading a hint master file. */
+#define DNS_MASTER_SLAVE 	0x00000020	/*%< Loading a slave master file. */
+#define DNS_MASTER_CHECKNS 	0x00000040	/*%<
+						 * Check NS records to see 
+						 * if they are an address
+						 */
+#define DNS_MASTER_FATALNS 	0x00000080	/*%<
+						 * Treat DNS_MASTER_CHECKNS
+						 * matches as fatal
+						 */
 #define DNS_MASTER_CHECKNAMES   0x00000100
 #define DNS_MASTER_CHECKNAMESFAIL 0x00000200
+#define DNS_MASTER_CHECKWILDCARD 0x00000400	/* Check for internal wildcards. */
+#define DNS_MASTER_CHECKMX	0x00000800
+#define DNS_MASTER_CHECKMXFAIL	0x00001000
 
 ISC_LANG_BEGINDECLS
 
+/*
+ * Structures that implement the "raw" format for master dump.
+ * These are provided for a reference purpose only; in the actual
+ * encoding, we directly read/write each field so that the encoded data
+ * is always "packed", regardless of the hardware architecture.
+ */
+#define DNS_RAWFORMAT_VERSION 0
+
+/* Common header */
+typedef struct {
+	isc_uint32_t		format;		/* must be
+						 * dns_masterformat_raw */
+	isc_uint32_t		version;	/* compatibility for future
+						 * extensions */
+	isc_uint32_t		dumptime;	/* timestamp on creation
+						 * (currently unused)
+						 */
+} dns_masterrawheader_t;
+
+/* The structure for each RRset */
+typedef struct {
+	isc_uint32_t		totallen;	/* length of the data for this
+						 * RRset, including the
+						 * "header" part */
+	dns_rdataclass_t	rdclass;	/* 16-bit class */
+	dns_rdatatype_t		type;		/* 16-bit type */
+	dns_rdatatype_t		covers;		/* same as type */
+	dns_ttl_t		ttl;		/* 32-bit TTL */
+	isc_uint32_t		nrdata;		/* number of RRs in this set */
+	/* followed by encoded owner name, and then rdata */
+} dns_masterrawrdataset_t;
+
 /***
  ***	Function
  ***/
@@ -62,6 +103,16 @@ dns_master_loadfile(const char *master_file,
 		    isc_mem_t *mctx);
 
 isc_result_t
+dns_master_loadfile2(const char *master_file,
+		     dns_name_t *top,
+		     dns_name_t *origin,
+		     dns_rdataclass_t zclass,
+		     unsigned int options,
+		     dns_rdatacallbacks_t *callbacks,
+		     isc_mem_t *mctx,
+		     dns_masterformat_t format);
+
+isc_result_t
 dns_master_loadstream(FILE *stream,
 		      dns_name_t *top,
 		      dns_name_t *origin,
@@ -100,6 +151,18 @@ dns_master_loadfileinc(const char *master_file,
 		       dns_loadctx_t **ctxp, isc_mem_t *mctx);
 
 isc_result_t
+dns_master_loadfileinc2(const char *master_file,
+			dns_name_t *top,
+			dns_name_t *origin,
+			dns_rdataclass_t zclass,
+			unsigned int options,
+			dns_rdatacallbacks_t *callbacks,
+			isc_task_t *task,
+			dns_loaddonefunc_t done, void *done_arg,
+			dns_loadctx_t **ctxp, isc_mem_t *mctx,
+			dns_masterformat_t format);
+
+isc_result_t
 dns_master_loadstreaminc(FILE *stream,
 			 dns_name_t *top,
 			 dns_name_t *origin,
@@ -132,8 +195,8 @@ dns_master_loadlexerinc(isc_lex_t *lex,
 			dns_loaddonefunc_t done, void *done_arg,
 			dns_loadctx_t **ctxp, isc_mem_t *mctx);
 
-/*
- * Loads a RFC 1305 master file from a file, stream, buffer, or existing
+/*%<
+ * Loads a RFC1305 master file from a file, stream, buffer, or existing
  * lexer into rdatasets and then calls 'callbacks->commit' to commit the
  * rdatasets.  Rdata memory belongs to dns_master_load and will be
  * reused / released when the callback completes.  dns_load_master will
@@ -150,63 +213,63 @@ dns_master_loadlexerinc(isc_lex_t *lex,
  * not called.
  *
  * Requires:
- *	'master_file' points to a valid string.
- *	'lexer' points to a valid lexer.
- *	'top' points to a valid name.
- *	'origin' points to a valid name.
- *	'callbacks->commit' points to a valid function.
- *	'callbacks->error' points to a valid function.
- *	'callbacks->warn' points to a valid function.
- *	'mctx' points to a valid memory context.
- *	'task' and 'done' to be valid.
- *	'lmgr' to be valid.
- *	'ctxp != NULL && ctxp == NULL'.
+ *\li	'master_file' points to a valid string.
+ *\li	'lexer' points to a valid lexer.
+ *\li	'top' points to a valid name.
+ *\li	'origin' points to a valid name.
+ *\li	'callbacks->commit' points to a valid function.
+ *\li	'callbacks->error' points to a valid function.
+ *\li	'callbacks->warn' points to a valid function.
+ *\li	'mctx' points to a valid memory context.
+ *\li	'task' and 'done' to be valid.
+ *\li	'lmgr' to be valid.
+ *\li	'ctxp != NULL && ctxp == NULL'.
  *
  * Returns:
- *	ISC_R_SUCCESS upon successfully loading the master file.
- *	ISC_R_SEENINCLUDE upon successfully loading the master file with
+ *\li	ISC_R_SUCCESS upon successfully loading the master file.
+ *\li	ISC_R_SEENINCLUDE upon successfully loading the master file with
  *		a $INCLUDE statement.
- *	ISC_R_NOMEMORY out of memory.
- *	ISC_R_UNEXPECTEDEND expected to be able to read a input token and
+ *\li	ISC_R_NOMEMORY out of memory.
+ *\li	ISC_R_UNEXPECTEDEND expected to be able to read a input token and
  *		there was not one.
- *	ISC_R_UNEXPECTED
- *	DNS_R_NOOWNER failed to specify a ownername.
- *	DNS_R_NOTTL failed to specify a ttl.
- *	DNS_R_BADCLASS record class did not match zone class.
- *	DNS_R_CONTINUE load still in progress (dns_master_load*inc() only).
- *	Any dns_rdata_fromtext() error code.
- *	Any error code from callbacks->commit().
+ *\li	ISC_R_UNEXPECTED
+ *\li	DNS_R_NOOWNER failed to specify a ownername.
+ *\li	DNS_R_NOTTL failed to specify a ttl.
+ *\li	DNS_R_BADCLASS record class did not match zone class.
+ *\li	DNS_R_CONTINUE load still in progress (dns_master_load*inc() only).
+ *\li	Any dns_rdata_fromtext() error code.
+ *\li	Any error code from callbacks->commit().
  */
 
 void
 dns_loadctx_detach(dns_loadctx_t **ctxp);
-/*
+/*%<
  * Detach from the load context.
  *
  * Requires:
- *	'*ctxp' to be valid.
+ *\li	'*ctxp' to be valid.
  *
  * Ensures:
- *	'*ctxp == NULL'
+ *\li	'*ctxp == NULL'
  */
 
 void
 dns_loadctx_attach(dns_loadctx_t *source, dns_loadctx_t **target);
-/*
+/*%<
  * Attach to the load context.
  *
  * Requires:
- *	'source' to be valid.
- *	'target != NULL && *target == NULL'.
+ *\li	'source' to be valid.
+ *\li	'target != NULL && *target == NULL'.
  */
 
 void
 dns_loadctx_cancel(dns_loadctx_t *ctx);
-/*
+/*%<
  * Cancel loading the zone file associated with this load context.
  *
  * Requires:
- *	'ctx' to be valid
+ *\li	'ctx' to be valid
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/masterdump.h b/contrib/bind9/lib/dns/include/dns/masterdump.h
index 888c588..8cf5c13 100644
--- a/contrib/bind9/lib/dns/include/dns/masterdump.h
+++ b/contrib/bind9/lib/dns/include/dns/masterdump.h
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.h,v 1.22.12.10 2005/09/06 02:12:41 marka Exp $ */
+/* $Id: masterdump.h,v 1.31.14.4 2005/09/01 03:04:28 marka Exp $ */
 
 #ifndef DNS_MASTERDUMP_H
 #define DNS_MASTERDUMP_H 1
 
+/*! \file */
+
 /***
  ***	Imports
  ***/
@@ -46,10 +48,10 @@ typedef struct dns_master_style dns_master_style_t;
  * rdata.h.
  */
 
-/* Omit the owner name when possible. */
+/*% Omit the owner name when possible. */
 #define	DNS_STYLEFLAG_OMIT_OWNER        0x00010000U
 
-/*
+/*%
  * Omit the TTL when possible.  If DNS_STYLEFLAG_TTL is
  * also set, this means no TTLs are ever printed
  * because $TTL directives are generated before every
@@ -67,32 +69,32 @@ typedef struct dns_master_style dns_master_style_t;
  */
 #define	DNS_STYLEFLAG_OMIT_TTL		0x00020000U
 
-/* Omit the class when possible. */
+/*% Omit the class when possible. */
 #define	DNS_STYLEFLAG_OMIT_CLASS	0x00040000U
 
-/* Output $TTL directives. */
+/*% Output $TTL directives. */
 #define	DNS_STYLEFLAG_TTL		0x00080000U
 
-/*
+/*%
  * Output $ORIGIN directives and print owner names relative to
  * the origin when possible.
  */
 #define	DNS_STYLEFLAG_REL_OWNER		0x00100000U
 
-/* Print domain names in RR data in relative form when possible.
+/*% Print domain names in RR data in relative form when possible.
    For this to take effect, DNS_STYLEFLAG_REL_OWNER must also be set. */
 #define	DNS_STYLEFLAG_REL_DATA		0x00200000U
 
-/* Print the trust level of each rdataset. */
+/*% Print the trust level of each rdataset. */
 #define	DNS_STYLEFLAG_TRUST		0x00400000U
 
-/* Print negative caching entries. */
+/*% Print negative caching entries. */
 #define	DNS_STYLEFLAG_NCACHE		0x00800000U
 
-/* Never print the TTL */
+/*% Never print the TTL */
 #define	DNS_STYLEFLAG_NO_TTL		0x01000000U
                     
-/* Never print the CLASS */
+/*% Never print the CLASS */
 #define	DNS_STYLEFLAG_NO_CLASS		0x02000000U 
 
 ISC_LANG_BEGINDECLS
@@ -101,7 +103,7 @@ ISC_LANG_BEGINDECLS
  ***	Constants
  ***/
 
-/*
+/*%
  * The default master file style.
  *
  * This uses $TTL directives to avoid the need to dedicate a
@@ -110,13 +112,13 @@ ISC_LANG_BEGINDECLS
  */
 LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_default;
 
-/*
+/*%
  * A master file style that dumps zones to a very generic format easily
  * imported/checked with external tools.
  */
 LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_full;
 
-/*
+/*%
  * A master file style that prints explicit TTL values on each 
  * record line, never using $TTL statements.  The TTL has a tab 
  * stop of its own, but the class and type share one.
@@ -124,13 +126,13 @@ LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_full;
 LIBDNS_EXTERNAL_DATA extern const dns_master_style_t
 					dns_master_style_explicitttl;
 
-/*
+/*%
  * A master style format designed for cache files.  It prints explicit TTL
  * values on each record line and never uses $ORIGIN or relative names.
  */
 LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_cache;
 
-/*
+/*%
  * A master style that prints name, ttl, class, type, and value on 
  * every line.  Similar to explicitttl above, but more verbose.  
  * Intended for generating master files which can be easily parsed 
@@ -138,7 +140,7 @@ LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_cache;
  */
 LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_simple;
 
-/*
+/*%
  * The style used for debugging, "dig" output, etc.
  */
 LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_debug;
@@ -149,54 +151,55 @@ LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_debug;
 
 void
 dns_dumpctx_attach(dns_dumpctx_t *source, dns_dumpctx_t **target);
-/*
+/*%<
  * Attach to a dump context.
  *
  * Require:
- *	'source' to be valid.
- *	'target' to be non NULL and '*target' to be NULL.
+ *\li	'source' to be valid.
+ *\li	'target' to be non NULL and '*target' to be NULL.
  */
 
 void
 dns_dumpctx_detach(dns_dumpctx_t **dctxp);
-/*
+/*%<
  * Detach from a dump context.
  *
  * Require:
- *	'dctxp' to point to a valid dump context.
+ *\li	'dctxp' to point to a valid dump context.
  *
  * Ensures:
- *	'*dctxp' is NULL.
+ *\li	'*dctxp' is NULL.
  */
 
 void
 dns_dumpctx_cancel(dns_dumpctx_t *dctx);
-/*
+/*%<
  * Cancel a in progress dump.
  *
  * Require:
- *	'dctx' to be valid.
+ *\li	'dctx' to be valid.
  */
 
 dns_dbversion_t *
 dns_dumpctx_version(dns_dumpctx_t *dctx);
-/*
+/*%<
  * Return the version handle (if any) of the database being dumped.
  *
  * Require:
- *	'dctx' to be valid.
+ *\li	'dctx' to be valid.
  */
 
 dns_db_t *
 dns_dumpctx_db(dns_dumpctx_t *dctx);
-/*
+/*%<
  * Return the database being dumped.
  *
  * Require:
- *	'dctx' to be valid.
+ *\li	'dctx' to be valid.
  */
 
 
+/*@{*/
 isc_result_t
 dns_master_dumptostreaminc(isc_mem_t *mctx, dns_db_t *db,
 			   dns_dbversion_t *version,
@@ -208,26 +211,37 @@ isc_result_t
 dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
 			dns_dbversion_t *version,
 			const dns_master_style_t *style, FILE *f);
-/*
- * Dump the database 'db' to the steam 'f' in RFC1035 master
- * file format, in the style defined by 'style'
- * (e.g., &dns_default_master_style_default)
+
+isc_result_t
+dns_master_dumptostream2(isc_mem_t *mctx, dns_db_t *db,
+			 dns_dbversion_t *version,
+			 const dns_master_style_t *style,
+			 dns_masterformat_t format, FILE *f);
+/*%<
+ * Dump the database 'db' to the steam 'f' in the specified format by
+ * 'format'.  If the format is dns_masterformat_text (the RFC1035 format),
+ * 'style' specifies the file style (e.g., &dns_master_style_default).
+ *
+ * dns_master_dumptostream() is an old form of dns_master_dumptostream2(),
+ * which always specifies the dns_masterformat_text format.
  *
  * Temporary dynamic memory may be allocated from 'mctx'.
  *
  * Require:
- *	'task' to be valid.
- *	'done' to be non NULL.
- *	'dctxp' to be non NULL && '*dctxp' to be NULL.
+ *\li	'task' to be valid.
+ *\li	'done' to be non NULL.
+ *\li	'dctxp' to be non NULL && '*dctxp' to be NULL.
  * 
  * Returns:
- *	ISC_R_SUCCESS
- *	DNS_R_CONTINUE	dns_master_dumptostreaminc() only.
- *	ISC_R_NOMEMORY
- * 	Any database or rrset iterator error.
- *	Any dns_rdata_totext() error code.
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_CONTINUE	dns_master_dumptostreaminc() only.
+ *\li	ISC_R_NOMEMORY
+ *\li	Any database or rrset iterator error.
+ *\li	Any dns_rdata_totext() error code.
  */
+/*@}*/
 
+/*@{*/
 isc_result_t
 dns_master_dumpinc(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 		   const dns_master_style_t *style, const char *filename,
@@ -235,39 +249,56 @@ dns_master_dumpinc(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 		   dns_dumpctx_t **dctxp);
 
 isc_result_t
+dns_master_dumpinc2(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		    const dns_master_style_t *style, const char *filename,
+		    isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,			    dns_dumpctx_t **dctxp, dns_masterformat_t format);
+
+isc_result_t
 dns_master_dump(isc_mem_t *mctx, dns_db_t *db,
 		dns_dbversion_t *version,
 		const dns_master_style_t *style, const char *filename);
-/*
- * Dump the database 'db' to the file 'filename' in RFC1035 master
- * file format, in the style defined by 'style'
- * (e.g., &dns_default_master_style_default)
+
+isc_result_t
+dns_master_dump2(isc_mem_t *mctx, dns_db_t *db,
+		 dns_dbversion_t *version,
+		 const dns_master_style_t *style, const char *filename,
+		 dns_masterformat_t format);
+
+/*%<
+ * Dump the database 'db' to the file 'filename' in the specified format by
+ * 'format'.  If the format is dns_masterformat_text (the RFC1035 format),
+ * 'style' specifies the file style (e.g., &dns_master_style_default).
+ *
+ * dns_master_dumpinc() and dns_master_dump() are old forms of _dumpinc2()
+ * and _dump2(), respectively, which always specify the dns_masterformat_text
+ * format.
  *
  * Temporary dynamic memory may be allocated from 'mctx'.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	DNS_R_CONTINUE	dns_master_dumpinc() only.
- *	ISC_R_NOMEMORY
- * 	Any database or rrset iterator error.
- *	Any dns_rdata_totext() error code.
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_CONTINUE	dns_master_dumpinc() only.
+ *\li	ISC_R_NOMEMORY
+ *\li	Any database or rrset iterator error.
+ *\li	Any dns_rdata_totext() error code.
  */
+/*@}*/
 
 isc_result_t
 dns_master_rdatasettotext(dns_name_t *owner_name,
 			  dns_rdataset_t *rdataset,
 			  const dns_master_style_t *style,
 			  isc_buffer_t *target);
-/*
+/*%<
  * Convert 'rdataset' to text format, storing the result in 'target'.
  *
  * Notes:
- *	The rdata cursor position will be changed.
+ *\li	The rdata cursor position will be changed.
  *
  * Requires:
- *	'rdataset' is a valid non-question rdataset.
+ *\li	'rdataset' is a valid non-question rdataset.
  *
- *	'rdataset' is not empty.
+ *\li	'rdataset' is not empty.
  */
 
 isc_result_t
diff --git a/contrib/bind9/lib/dns/include/dns/message.h b/contrib/bind9/lib/dns/include/dns/message.h
index 960c11a..9002b83 100644
--- a/contrib/bind9/lib/dns/include/dns/message.h
+++ b/contrib/bind9/lib/dns/include/dns/message.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.h,v 1.100.2.3.8.10 2006/02/28 06:32:54 marka Exp $ */
+/* $Id: message.h,v 1.114.18.6 2006/03/02 23:19:20 marka Exp $ */
 
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
@@ -33,7 +33,9 @@
 
 #include <dst/dst.h>
 
-/*
+/*! \file 
+ * \brief Message Handling Module
+ *
  * How this beast works:
  *
  * When a dns message is received in a buffer, dns_message_fromwire() is called
@@ -54,9 +56,9 @@
  * one of two ways.  Assume a name was allocated via
  * dns_message_gettempname():
  *
- *	(1) insert it into a section, using dns_message_addname().
+ *\li	(1) insert it into a section, using dns_message_addname().
  *
- *	(2) return it to the message using dns_message_puttempname().
+ *\li	(2) return it to the message using dns_message_puttempname().
  *
  * The same applies to rdatasets.
  *
@@ -74,6 +76,7 @@
  * Since the buffer itself exists until the message is destroyed, this sort
  * of code can be written:
  *
+ * \code
  *	buffer = isc_buffer_allocate(mctx, 512);
  *	name = NULL;
  *	name = dns_message_gettempname(message, &name);
@@ -81,6 +84,7 @@
  *	result = dns_name_fromtext(name, &source, dns_rootname, ISC_FALSE,
  *				   buffer);
  *	dns_message_takebuffer(message, &buffer);
+ * \endcode
  *
  *
  * TODO:
@@ -102,7 +106,7 @@
 #define DNS_MESSAGE_REPLYPRESERVE	(DNS_MESSAGEFLAG_RD|DNS_MESSAGEFLAG_CD)
 #define DNS_MESSAGEEXTFLAG_REPLYPRESERVE (DNS_MESSAGEEXTFLAG_DO)
 
-#define DNS_MESSAGE_HEADERLEN		12 /* 6 isc_uint16_t's */
+#define DNS_MESSAGE_HEADERLEN		12 /*%< 6 isc_uint16_t's */
 
 #define DNS_MESSAGE_MAGIC		ISC_MAGIC('M','S','G','@')
 #define DNS_MESSAGE_VALID(msg)		ISC_MAGIC_VALID(msg, DNS_MESSAGE_MAGIC)
@@ -140,32 +144,32 @@ typedef int dns_messagetextflag_t;
 /*
  * These tell the message library how the created dns_message_t will be used.
  */
-#define DNS_MESSAGE_INTENTUNKNOWN	0 /* internal use only */
-#define DNS_MESSAGE_INTENTPARSE		1 /* parsing messages */
-#define DNS_MESSAGE_INTENTRENDER	2 /* rendering */
+#define DNS_MESSAGE_INTENTUNKNOWN	0 /*%< internal use only */
+#define DNS_MESSAGE_INTENTPARSE		1 /*%< parsing messages */
+#define DNS_MESSAGE_INTENTRENDER	2 /*%< rendering */
 
 /*
  * Control behavior of parsing
  */
-#define DNS_MESSAGEPARSE_PRESERVEORDER	0x0001	/* preserve rdata order */
-#define DNS_MESSAGEPARSE_BESTEFFORT	0x0002	/* return a message if a
+#define DNS_MESSAGEPARSE_PRESERVEORDER	0x0001	/*%< preserve rdata order */
+#define DNS_MESSAGEPARSE_BESTEFFORT	0x0002	/*%< return a message if a
 						   recoverable parse error
 						   occurs */
-#define DNS_MESSAGEPARSE_CLONEBUFFER	0x0004	/* save a copy of the
+#define DNS_MESSAGEPARSE_CLONEBUFFER	0x0004	/*%< save a copy of the
 						   source buffer */
-#define DNS_MESSAGEPARSE_IGNORETRUNCATION 0x0008 /* trucation errors are
+#define DNS_MESSAGEPARSE_IGNORETRUNCATION 0x0008 /*%< trucation errors are
 						  * not fatal. */
 
 /*
  * Control behavior of rendering
  */
-#define DNS_MESSAGERENDER_ORDERED	0x0001	/* don't change order */
-#define DNS_MESSAGERENDER_PARTIAL	0x0002	/* allow a partial rdataset */
-#define DNS_MESSAGERENDER_OMITDNSSEC	0x0004	/* omit DNSSEC records */
-#define DNS_MESSAGERENDER_PREFER_A	0x0008	/* prefer A records in
-						 * additional section. */
-#define DNS_MESSAGERENDER_PREFER_AAAA	0x0010	/* prefer AAAA records in
-						 * additional section. */
+#define DNS_MESSAGERENDER_ORDERED	0x0001	/*%< don't change order */
+#define DNS_MESSAGERENDER_PARTIAL	0x0002	/*%< allow a partial rdataset */
+#define DNS_MESSAGERENDER_OMITDNSSEC	0x0004	/*%< omit DNSSEC records */
+#define DNS_MESSAGERENDER_PREFER_A	0x0008	/*%< prefer A records in
+						      additional section. */
+#define DNS_MESSAGERENDER_PREFER_AAAA	0x0010	/*%< prefer AAAA records in
+						  additional section. */
 
 typedef struct dns_msgblock dns_msgblock_t;
 
@@ -248,32 +252,32 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp);
 
-/*
+/*%<
  * Create msg structure.
  *
  * This function will allocate some internal blocks of memory that are
  * expected to be needed for parsing or rendering nearly any type of message.
  *
  * Requires:
- *	'mctx' be a valid memory context.
+ *\li	'mctx' be a valid memory context.
  *
- *	'msgp' be non-null and '*msg' be NULL.
+ *\li	'msgp' be non-null and '*msg' be NULL.
  *
- *	'intent' must be one of DNS_MESSAGE_INTENTPARSE or
- *	DNS_MESSAGE_INTENTRENDER.
+ *\li	'intent' must be one of DNS_MESSAGE_INTENTPARSE or
+ *	#DNS_MESSAGE_INTENTRENDER.
  *
  * Ensures:
- *	The data in "*msg" is set to indicate an unused and empty msg
+ *\li	The data in "*msg" is set to indicate an unused and empty msg
  *	structure.
  *
  * Returns:
- *	ISC_R_NOMEMORY		-- out of memory
- *	ISC_R_SUCCESS		-- success
+ *\li	#ISC_R_NOMEMORY		-- out of memory
+ *\li	#ISC_R_SUCCESS		-- success
  */
 
 void
 dns_message_reset(dns_message_t *msg, unsigned int intent);
-/*
+/*%<
  * Reset a message structure to default state.  All internal lists are freed
  * or reset to a default state as well.  This is simply a more efficient
  * way to call dns_message_destroy() followed by dns_message_allocate(),
@@ -286,22 +290,22 @@ dns_message_reset(dns_message_t *msg, unsigned int intent);
  *
  * Requires:
  *
- *	'msg' be valid.
+ *\li	'msg' be valid.
  *
- *	'intent' is DNS_MESSAGE_INTENTPARSE or DNS_MESSAGE_INTENTRENDER
+ *\li	'intent' is DNS_MESSAGE_INTENTPARSE or DNS_MESSAGE_INTENTRENDER
  */
 
 void
 dns_message_destroy(dns_message_t **msgp);
-/*
+/*%<
  * Destroy all state in the message.
  *
  * Requires:
  *
- *	'msgp' be valid.
+ *\li	'msgp' be valid.
  *
  * Ensures:
- *	'*msgp' == NULL
+ *\li	'*msgp' == NULL
  */
 
 isc_result_t
@@ -316,85 +320,83 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
 				const dns_master_style_t *style,
 				dns_messagetextflag_t flags,
 				isc_buffer_t *target);
-/*
+/*%<
  * Convert section 'section' or 'pseudosection' of message 'msg' to
  * a cleartext representation
  *
  * Notes:
- *      See dns_message_totext for meanings of flags.
+ *     \li See dns_message_totext for meanings of flags.
  *
  * Requires:
  *
- *	'msg' is a valid message.
+ *\li	'msg' is a valid message.
  *
- *	'style' is a valid master dump style.
+ *\li	'style' is a valid master dump style.
  *
- *	'target' is a valid buffer.
+ *\li	'target' is a valid buffer.
  *
- *	'section' is a valid section label.
+ *\li	'section' is a valid section label.
  *
  * Ensures:
  *
- *	If the result is success:
- *
+ *\li	If the result is success:
  *		The used space in 'target' is updated.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE
- *	ISC_R_NOMORE
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *\li	#ISC_R_NOMORE
  *
- *	Note: On error return, *target may be partially filled with data.
+ *\li	Note: On error return, *target may be partially filled with data.
 */
 
 isc_result_t
 dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
 		   dns_messagetextflag_t flags, isc_buffer_t *target);
-/*
+/*%<
  * Convert all sections of message 'msg' to a cleartext representation
  *
  * Notes:
- *      In flags, If DNS_MESSAGETEXTFLAG_OMITDOT is set, then the
+ * \li     In flags, If #DNS_MESSAGETEXTFLAG_OMITDOT is set, then the
  *      final '.' in absolute names will not be emitted.  If
- *      DNS_MESSAGETEXTFLAG_NOCOMMENTS is cleared, lines beginning
+ *      #DNS_MESSAGETEXTFLAG_NOCOMMENTS is cleared, lines beginning
  *      with ";;" will be emitted indicating section name.  If
- *      DNS_MESSAGETEXTFLAG_NOHEADERS is cleared, header lines will
+ *      #DNS_MESSAGETEXTFLAG_NOHEADERS is cleared, header lines will
  *      be emitted.
  *
  * Requires:
  *
- *	'msg' is a valid message.
+ *\li	'msg' is a valid message.
  *
- *	'style' is a valid master dump style.
+ *\li	'style' is a valid master dump style.
  *
- *	'target' is a valid buffer.
+ *\li	'target' is a valid buffer.
  *
  * Ensures:
  *
- *	If the result is success:
- *
+ *\li	If the result is success:
  *		The used space in 'target' is updated.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE
- *	ISC_R_NOMORE
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *\li	#ISC_R_NOMORE
  *
- *	Note: On error return, *target may be partially filled with data.
+ *\li	Note: On error return, *target may be partially filled with data.
  */
 
 isc_result_t
 dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
 		  unsigned int options);
-/*
+/*%<
  * Parse raw wire data in 'source' as a DNS message.
  *
  * OPT records are detected and stored in the pseudo-section "opt".
  * TSIGs are detected and stored in the pseudo-section "tsig".
  *
- * If DNS_MESSAGEPARSE_PRESERVEORDER is set, or if the opcode of the message
+ * If #DNS_MESSAGEPARSE_PRESERVEORDER is set, or if the opcode of the message
  * is UPDATE, a separate dns_name_t object will be created for each RR in the
  * message.  Each such dns_name_t will have a single rdataset containing the
  * single RR, and the order of the RRs in the message is preserved.
@@ -403,39 +405,39 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
  * of rdatasets.  To access the names and their data, use
  * dns_message_firstname() and dns_message_nextname().
  *
- * If DNS_MESSAGEPARSE_BESTEFFORT is set, errors in message content will
+ * If #DNS_MESSAGEPARSE_BESTEFFORT is set, errors in message content will
  * not be considered FORMERRs.  If the entire message can be parsed, it
  * will be returned and DNS_R_RECOVERABLE will be returned.
  *
- * If DNS_MESSAGEPARSE_IGNORETRUNCATION is set then return as many complete
+ * If #DNS_MESSAGEPARSE_IGNORETRUNCATION is set then return as many complete
  * RR's as possible, DNS_R_RECOVERABLE will be returned.
  *
  * OPT and TSIG records are always handled specially, regardless of the
  * 'preserve_order' setting.
  *
  * Requires:
- *	"msg" be valid.
+ *\li	"msg" be valid.
  *
- *	"buffer" be a wire format buffer.
+ *\li	"buffer" be a wire format buffer.
  *
  * Ensures:
- *	The buffer's data format is correct.
+ *\li	The buffer's data format is correct.
  *
- *	The buffer's contents verify as correct regarding header bits, buffer
+ *\li	The buffer's contents verify as correct regarding header bits, buffer
  * 	and rdata sizes, etc.
  *
  * Returns:
- *	ISC_R_SUCCESS		-- all is well
- *	ISC_R_NOMEMORY		-- no memory
- *	DNS_R_RECOVERABLE	-- the message parsed properly, but contained
+ *\li	#ISC_R_SUCCESS		-- all is well
+ *\li	#ISC_R_NOMEMORY		-- no memory
+ *\li	#DNS_R_RECOVERABLE	-- the message parsed properly, but contained
  *				   errors.
- *	Many other errors possible XXXMLG
+ *\li	Many other errors possible XXXMLG
  */
 
 isc_result_t
 dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
 			isc_buffer_t *buffer);
-/*
+/*%<
  * Begin rendering on a message.  Only one call can be made to this function
  * per message.
  *
@@ -447,24 +449,24 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
  *
  * Requires:
  *
- *	'msg' be valid.
+ *\li	'msg' be valid.
  *
- *	'cctx' be valid.
+ *\li	'cctx' be valid.
  *
- *	'buffer' is a valid buffer.
+ *\li	'buffer' is a valid buffer.
  *
  * Side Effects:
  *
- *	The buffer is cleared before it is used.
+ *\li	The buffer is cleared before it is used.
  *
  * Returns:
- *	ISC_R_SUCCESS		-- all is well
- *	ISC_R_NOSPACE		-- output buffer is too small
+ *\li	#ISC_R_SUCCESS		-- all is well
+ *\li	#ISC_R_NOSPACE		-- output buffer is too small
  */
 
 isc_result_t
 dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer);
-/*
+/*%<
  * Reset the buffer.  This can be used after growing the old buffer
  * on a ISC_R_NOSPACE return from most of the render functions.
  *
@@ -474,20 +476,20 @@ dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer);
  *
  * Requires:
  *
- *	'msg' be valid.
+ *\li	'msg' be valid.
  *
- *	dns_message_renderbegin() was called.
+ *\li	dns_message_renderbegin() was called.
  *
- *	buffer != NULL.
+ *\li	buffer != NULL.
  *
  * Returns:
- *	ISC_R_NOSPACE		-- new buffer is too small
- *	ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOSPACE		-- new buffer is too small
+ *\li	#ISC_R_SUCCESS		-- all is well.
  */
 
 isc_result_t
 dns_message_renderreserve(dns_message_t *msg, unsigned int space);
-/*
+/*%<
  * XXXMLG should use size_t rather than unsigned int once the buffer
  * API is cleaned up
  *
@@ -495,18 +497,18 @@ dns_message_renderreserve(dns_message_t *msg, unsigned int space);
  *
  * Requires:
  *
- *	'msg' be valid.
+ *\li	'msg' be valid.
  *
- *	dns_message_renderbegin() was called.
+ *\li	dns_message_renderbegin() was called.
  *
  * Returns:
- *	ISC_R_SUCCESS		-- all is well.
- *	ISC_R_NOSPACE		-- not enough free space in the buffer.
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOSPACE		-- not enough free space in the buffer.
  */
 
 void
 dns_message_renderrelease(dns_message_t *msg, unsigned int space);
-/*
+/*%<
  * XXXMLG should use size_t rather than unsigned int once the buffer
  * API is cleaned up
  *
@@ -514,87 +516,87 @@ dns_message_renderrelease(dns_message_t *msg, unsigned int space);
  *
  * Requires:
  *
- *	'msg' be valid.
+ *\li	'msg' be valid.
  *
- *	'space' is less than or equal to the total amount of space reserved
+ *\li	'space' is less than or equal to the total amount of space reserved
  *	via prior calls to dns_message_renderreserve().
  *
- *	dns_message_renderbegin() was called.
+ *\li	dns_message_renderbegin() was called.
  */
 
 isc_result_t
 dns_message_rendersection(dns_message_t *msg, dns_section_t section,
 			  unsigned int options);
-/*
+/*%<
  * Render all names, rdatalists, etc from the given section at the
  * specified priority or higher.
  *
  * Requires:
- *	'msg' be valid.
+ *\li	'msg' be valid.
  *
- *	'section' be a valid section.
+ *\li	'section' be a valid section.
  *
- *	dns_message_renderbegin() was called.
+ *\li	dns_message_renderbegin() was called.
  *
  * Returns:
- *	ISC_R_SUCCESS		-- all records were written, and there are
+ *\li	#ISC_R_SUCCESS		-- all records were written, and there are
  *				   no more records for this section.
- *	ISC_R_NOSPACE		-- Not enough room in the buffer to write
+ *\li	#ISC_R_NOSPACE		-- Not enough room in the buffer to write
  *				   all records requested.
- *	DNS_R_MOREDATA		-- All requested records written, and there
+ *\li	#DNS_R_MOREDATA		-- All requested records written, and there
  *				   are records remaining for this section.
  */
 
 void
 dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target);
-/*
+/*%<
  * Render the message header.  This is implicitly called by
  * dns_message_renderend().
  *
  * Requires:
  *
- *	'msg' be a valid message.
+ *\li	'msg' be a valid message.
  *
- *	dns_message_renderbegin() was called.
+ *\li	dns_message_renderbegin() was called.
  *
- *	'target' is a valid buffer with enough space to hold a message header
+ *\li	'target' is a valid buffer with enough space to hold a message header
  */
 
 isc_result_t
 dns_message_renderend(dns_message_t *msg);
-/*
+/*%<
  * Finish rendering to the buffer.  Note that more data can be in the
  * 'msg' structure.  Destroying the structure will free this, or in a multi-
  * part EDNS1 message this data can be rendered to another buffer later.
  *
  * Requires:
  *
- *	'msg' be a valid message.
+ *\li	'msg' be a valid message.
  *
- *	dns_message_renderbegin() was called.
+ *\li	dns_message_renderbegin() was called.
  *
  * Returns:
- *	ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_SUCCESS		-- all is well.
  */
 
 void
 dns_message_renderreset(dns_message_t *msg);
-/*
+/*%<
  * Reset the message so that it may be rendered again.
  *
  * Notes:
  *
- *	If dns_message_renderbegin() has been called, dns_message_renderend()
+ *\li	If dns_message_renderbegin() has been called, dns_message_renderend()
  *	must be called before calling this function.
  *
  * Requires:
  *
- *	'msg' be a valid message with rendering intent.
+ *\li	'msg' be a valid message with rendering intent.
  */
 
 isc_result_t
 dns_message_firstname(dns_message_t *msg, dns_section_t section);
-/*
+/*%<
  * Set internal per-section name pointer to the beginning of the section.
  *
  * The functions dns_message_firstname() and dns_message_nextname() may
@@ -602,39 +604,39 @@ dns_message_firstname(dns_message_t *msg, dns_section_t section);
  *
  * Requires:
  *
- *   	'msg' be valid.
+ *\li   	'msg' be valid.
  *
- *	'section' be a valid section.
+ *\li	'section' be a valid section.
  *
  * Returns:
- *	ISC_R_SUCCESS		-- All is well.
- *	ISC_R_NOMORE		-- No names on given section.
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMORE		-- No names on given section.
  */
 
 isc_result_t
 dns_message_nextname(dns_message_t *msg, dns_section_t section);
-/*
+/*%<
  * Sets the internal per-section name pointer to point to the next name
  * in that section.
  *
  * Requires:
  *
- *   	'msg' be valid.
+ * \li  	'msg' be valid.
  *
- *	'section' be a valid section.
+ *\li	'section' be a valid section.
  *
- *	dns_message_firstname() must have been called on this section,
+ *\li	dns_message_firstname() must have been called on this section,
  *	and the result was ISC_R_SUCCESS.
  *
  * Returns:
- *	ISC_R_SUCCESS		-- All is well.
- *	ISC_R_NOMORE		-- No more names in given section.
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMORE		-- No more names in given section.
  */
 
 void
 dns_message_currentname(dns_message_t *msg, dns_section_t section,
 			dns_name_t **name);
-/*
+/*%<
  * Sets 'name' to point to the name where the per-section internal name
  * pointer is currently set.
  *
@@ -643,15 +645,15 @@ dns_message_currentname(dns_message_t *msg, dns_section_t section,
  *
  * Requires:
  *
- *	'msg' be valid.
+ *\li	'msg' be valid.
  *
- *	'name' be non-NULL, and *name be NULL.
+ *\li	'name' be non-NULL, and *name be NULL.
  *
- *	'section' be a valid section.
+ *\li	'section' be a valid section.
  *
- *	dns_message_firstname() must have been called on this section,
+ *\li	dns_message_firstname() must have been called on this section,
  *	and the result of it and any dns_message_nextname() calls was
- *	ISC_R_SUCCESS.
+ *	#ISC_R_SUCCESS.
  */
 
 isc_result_t
@@ -659,55 +661,55 @@ dns_message_findname(dns_message_t *msg, dns_section_t section,
 		     dns_name_t *target, dns_rdatatype_t type,
 		     dns_rdatatype_t covers, dns_name_t **foundname,
 		     dns_rdataset_t **rdataset);
-/*
+/*%<
  * Search for a name in the specified section.  If it is found, *name is
  * set to point to the name, and *rdataset is set to point to the found
  * rdataset (if type is specified as other than dns_rdatatype_any).
  *
  * Requires:
- *	'msg' be valid.
+ *\li	'msg' be valid.
  *
- *	'section' be a valid section.
+ *\li	'section' be a valid section.
  *
- *	If a pointer to the name is desired, 'foundname' should be non-NULL.
+ *\li	If a pointer to the name is desired, 'foundname' should be non-NULL.
  *	If it is non-NULL, '*foundname' MUST be NULL.
  *
- *	If a type other than dns_datatype_any is searched for, 'rdataset'
+ *\li	If a type other than dns_datatype_any is searched for, 'rdataset'
  *	may be non-NULL, '*rdataset' be NULL, and will point at the found
  *	rdataset.  If the type is dns_datatype_any, 'rdataset' must be NULL.
  *
- *	'target' be a valid name.
+ *\li	'target' be a valid name.
  *
- *	'type' be a valid type.
+ *\li	'type' be a valid type.
  *
- *	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
+ *\li	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
  *	Otherwise it should be 0.
  *
  * Returns:
- *	ISC_R_SUCCESS		-- all is well.
- *	DNS_R_NXDOMAIN		-- name does not exist in that section.
- *	DNS_R_NXRRSET		-- The name does exist, but the desired
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#DNS_R_NXDOMAIN		-- name does not exist in that section.
+ *\li	#DNS_R_NXRRSET		-- The name does exist, but the desired
  *				   type does not.
  */
 
 isc_result_t
 dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
 		     dns_rdatatype_t covers, dns_rdataset_t **rdataset);
-/*
+/*%<
  * Search the name for the specified type.  If it is found, *rdataset is
  * filled in with a pointer to that rdataset.
  *
  * Requires:
- *	if '**rdataset' is non-NULL, *rdataset needs to be NULL.
+ *\li	if '**rdataset' is non-NULL, *rdataset needs to be NULL.
  *
- *	'type' be a valid type, and NOT dns_rdatatype_any.
+ *\li	'type' be a valid type, and NOT dns_rdatatype_any.
  *
- *	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
+ *\li	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
  *	Otherwise it should be 0.
  *
  * Returns:
- *	ISC_R_SUCCESS		-- all is well.
- *	ISC_R_NOTFOUND		-- the desired type does not exist.
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOTFOUND		-- the desired type does not exist.
  */
 
 isc_result_t
@@ -735,24 +737,24 @@ void
 dns_message_movename(dns_message_t *msg, dns_name_t *name,
 		     dns_section_t fromsection,
 		     dns_section_t tosection);
-/*
+/*%<
  * Move a name from one section to another.
  *
  * Requires:
  *
- *	'msg' be valid.
+ *\li	'msg' be valid.
  *
- *	'name' must be a name already in 'fromsection'.
+ *\li	'name' must be a name already in 'fromsection'.
  *
- *	'fromsection' must be a valid section.
+ *\li	'fromsection' must be a valid section.
  *
- *	'tosection' must be a valid section.
+ *\li	'tosection' must be a valid section.
  */
 
 void
 dns_message_addname(dns_message_t *msg, dns_name_t *name,
 		    dns_section_t section);
-/*
+/*%<
  * Adds the name to the given section.
  *
  * It is the caller's responsibility to enforce any unique name requirements
@@ -760,13 +762,32 @@ dns_message_addname(dns_message_t *msg, dns_name_t *name,
  *
  * Requires:
  *
- *	'msg' be valid, and be a renderable message.
+ *\li	'msg' be valid, and be a renderable message.
+ *
+ *\li	'name' be a valid absolute name.
+ *
+ *\li	'section' be a named section.
+ */
+
+void
+dns_message_removename(dns_message_t *msg, dns_name_t *name,
+                       dns_section_t section);
+/*%<
+ * Remove a existing name from a given section.
+ *
+ * It is the caller's responsibility to ensure the name is part of the
+ * given section.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid, and be a renderable message.
  *
- *	'name' be a valid absolute name.
+ *\li	'name' be a valid absolute name.
  *
- *	'section' be a named section.
+ *\li	'section' be a named section.
  */
 
+
 /*
  * LOANOUT FUNCTIONS
  *
@@ -777,7 +798,7 @@ dns_message_addname(dns_message_t *msg, dns_name_t *name,
 
 isc_result_t
 dns_message_gettempname(dns_message_t *msg, dns_name_t **item);
-/*
+/*%<
  * Return a name that can be used for any temporary purpose, including
  * inserting into the message's linked lists.  The name must be returned
  * to the message code using dns_message_puttempname() or inserted into
@@ -786,180 +807,180 @@ dns_message_gettempname(dns_message_t *msg, dns_name_t **item);
  * It is the caller's responsibility to initialize this name.
  *
  * Requires:
- *	msg be a valid message
+ *\li	msg be a valid message
  *
- *	item != NULL && *item == NULL
+ *\li	item != NULL && *item == NULL
  *
  * Returns:
- *	ISC_R_SUCCESS		-- All is well.
- *	ISC_R_NOMEMORY		-- No item can be allocated.
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
  */
 
 isc_result_t
 dns_message_gettempoffsets(dns_message_t *msg, dns_offsets_t **item);
-/*
+/*%<
  * Return an offsets array that can be used for any temporary purpose,
  * such as attaching to a temporary name.  The offsets will be freed
  * when the message is destroyed or reset.
  *
  * Requires:
- *	msg be a valid message
+ *\li	msg be a valid message
  *
- *	item != NULL && *item == NULL
+ *\li	item != NULL && *item == NULL
  *
  * Returns:
- *	ISC_R_SUCCESS		-- All is well.
- *	ISC_R_NOMEMORY		-- No item can be allocated.
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
  */
 
 isc_result_t
 dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item);
-/*
+/*%<
  * Return a rdata that can be used for any temporary purpose, including
  * inserting into the message's linked lists.  The rdata will be freed
  * when the message is destroyed or reset.
  *
  * Requires:
- *	msg be a valid message
+ *\li	msg be a valid message
  *
- *	item != NULL && *item == NULL
+ *\li	item != NULL && *item == NULL
  *
  * Returns:
- *	ISC_R_SUCCESS		-- All is well.
- *	ISC_R_NOMEMORY		-- No item can be allocated.
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
  */
 
 isc_result_t
 dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item);
-/*
+/*%<
  * Return a rdataset that can be used for any temporary purpose, including
  * inserting into the message's linked lists. The name must be returned
  * to the message code using dns_message_puttempname() or inserted into
  * one of the message's sections before the message is destroyed.
  *
  * Requires:
- *	msg be a valid message
+ *\li	msg be a valid message
  *
- *	item != NULL && *item == NULL
+ *\li	item != NULL && *item == NULL
  *
  * Returns:
- *	ISC_R_SUCCESS		-- All is well.
- *	ISC_R_NOMEMORY		-- No item can be allocated.
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
  */
 
 isc_result_t
 dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
-/*
+/*%<
  * Return a rdatalist that can be used for any temporary purpose, including
  * inserting into the message's linked lists.  The rdatalist will be
  * destroyed when the message is destroyed or reset.
  *
  * Requires:
- *	msg be a valid message
+ *\li	msg be a valid message
  *
- *	item != NULL && *item == NULL
+ *\li	item != NULL && *item == NULL
  *
  * Returns:
- *	ISC_R_SUCCESS		-- All is well.
- *	ISC_R_NOMEMORY		-- No item can be allocated.
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
  */
 
 void
 dns_message_puttempname(dns_message_t *msg, dns_name_t **item);
-/*
+/*%<
  * Return a borrowed name to the message's name free list.
  *
  * Requires:
- *	msg be a valid message
+ *\li	msg be a valid message
  *
- *	item != NULL && *item point to a name returned by
+ *\li	item != NULL && *item point to a name returned by
  *	dns_message_gettempname()
  *
  * Ensures:
- *	*item == NULL
+ *\li	*item == NULL
  */
 
 void
 dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item);
-/*
+/*%<
  * Return a borrowed rdata to the message's rdata free list.
  *
  * Requires:
- *	msg be a valid message
+ *\li	msg be a valid message
  *
- *	item != NULL && *item point to a rdata returned by
+ *\li	item != NULL && *item point to a rdata returned by
  *	dns_message_gettemprdata()
  *
  * Ensures:
- *	*item == NULL
+ *\li	*item == NULL
  */
 
 void
 dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item);
-/*
+/*%<
  * Return a borrowed rdataset to the message's rdataset free list.
  *
  * Requires:
- *	msg be a valid message
+ *\li	msg be a valid message
  *
- *	item != NULL && *item point to a rdataset returned by
+ *\li	item != NULL && *item point to a rdataset returned by
  *	dns_message_gettemprdataset()
  *
  * Ensures:
- *	*item == NULL
+ *\li	*item == NULL
  */
 
 void
 dns_message_puttemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
-/*
+/*%<
  * Return a borrowed rdatalist to the message's rdatalist free list.
  *
  * Requires:
- *	msg be a valid message
+ *\li	msg be a valid message
  *
- *	item != NULL && *item point to a rdatalist returned by
+ *\li	item != NULL && *item point to a rdatalist returned by
  *	dns_message_gettemprdatalist()
  *
  * Ensures:
- *	*item == NULL
+ *\li	*item == NULL
  */
 
 isc_result_t
 dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
 		       unsigned int *flagsp);
-/*
+/*%<
  * Assume the remaining region of "source" is a DNS message.  Peek into
  * it and fill in "*idp" with the message id, and "*flagsp" with the flags.
  *
  * Requires:
  *
- *	source != NULL
+ *\li	source != NULL
  *
  * Ensures:
  *
- *	if (idp != NULL) *idp == message id.
+ *\li	if (idp != NULL) *idp == message id.
  *
- *	if (flagsp != NULL) *flagsp == message flags.
+ *\li	if (flagsp != NULL) *flagsp == message flags.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_SUCCESS		-- all is well.
  *
- *	ISC_R_UNEXPECTEDEND	-- buffer doesn't contain enough for a header.
+ *\li	#ISC_R_UNEXPECTEDEND	-- buffer doesn't contain enough for a header.
  */
 
 isc_result_t
 dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section);
-/*
+/*%<
  * Start formatting a reply to the query in 'msg'.
  *
  * Requires:
  *
- *	'msg' is a valid message with parsing intent, and contains a query.
+ *\li	'msg' is a valid message with parsing intent, and contains a query.
  *
  * Ensures:
  *
- *	The message will have a rendering intent.  If 'want_question_section'
+ *\li	The message will have a rendering intent.  If 'want_question_section'
  *	is true, the message opcode is query or notify, and the question
  *	section is present and properly formatted, then the question section
  *	will be included in the reply.  All other sections will be cleared.
@@ -968,9 +989,9 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section);
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_SUCCESS		-- all is well.
  *
- *	DNS_R_FORMERR		-- the header or question section of the
+ *\li	#DNS_R_FORMERR		-- the header or question section of the
  *				   message is invalid, replying is impossible.
  *				   If DNS_R_FORMERR is returned when
  *				   want_question_section is ISC_FALSE, then
@@ -981,308 +1002,308 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section);
 
 dns_rdataset_t *
 dns_message_getopt(dns_message_t *msg);
-/*
+/*%<
  * Get the OPT record for 'msg'.
  *
  * Requires:
  *
- *	'msg' is a valid message.
+ *\li	'msg' is a valid message.
  *
  * Returns:
  *
- *	The OPT rdataset of 'msg', or NULL if there isn't one.
+ *\li	The OPT rdataset of 'msg', or NULL if there isn't one.
  */
 
 isc_result_t
 dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt);
-/*
+/*%<
  * Set the OPT record for 'msg'.
  *
  * Requires:
  *
- *	'msg' is a valid message with rendering intent
+ *\li	'msg' is a valid message with rendering intent
  *	and no sections have been rendered.
  *
- *	'opt' is a valid OPT record.
+ *\li	'opt' is a valid OPT record.
  *
  * Ensures:
  *
- *	The OPT record has either been freed or ownership of it has
+ *\li	The OPT record has either been freed or ownership of it has
  *	been transferred to the message.
  *
- *	If ISC_R_SUCCESS was returned, the OPT record will be rendered 
+ *\li	If ISC_R_SUCCESS was returned, the OPT record will be rendered 
  *	when dns_message_renderend() is called.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_SUCCESS		-- all is well.
  *
- *	ISC_R_NOSPACE		-- there is no space for the OPT record.
+ *\li	#ISC_R_NOSPACE		-- there is no space for the OPT record.
  */
 
 dns_rdataset_t *
 dns_message_gettsig(dns_message_t *msg, dns_name_t **owner);
-/*
+/*%<
  * Get the TSIG record and owner for 'msg'.
  *
  * Requires:
  *
- *	'msg' is a valid message.
- *	'owner' is NULL or *owner is NULL.
+ *\li	'msg' is a valid message.
+ *\li	'owner' is NULL or *owner is NULL.
  *
  * Returns:
  *
- *	The TSIG rdataset of 'msg', or NULL if there isn't one.
+ *\li	The TSIG rdataset of 'msg', or NULL if there isn't one.
  *
  * Ensures:
  *
- * 	If 'owner' is not NULL, it will point to the owner name.
+ * \li	If 'owner' is not NULL, it will point to the owner name.
  */
 
 isc_result_t
 dns_message_settsigkey(dns_message_t *msg, dns_tsigkey_t *key);
-/*
+/*%<
  * Set the tsig key for 'msg'.  This is only necessary for when rendering a
  * query or parsing a response.  The key (if non-NULL) is attached to, and
  * will be detached when the message is destroyed.
  *
  * Requires:
  *
- *	'msg' is a valid message with rendering intent,
+ *\li	'msg' is a valid message with rendering intent,
  *	dns_message_renderbegin() has been called, and no sections have been
  *	rendered.
- *	'key' is a valid tsig key or NULL.
+ *\li	'key' is a valid tsig key or NULL.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_SUCCESS		-- all is well.
  *
- *	ISC_R_NOSPACE		-- there is no space for the TSIG record.
+ *\li	#ISC_R_NOSPACE		-- there is no space for the TSIG record.
  */
 
 dns_tsigkey_t *
 dns_message_gettsigkey(dns_message_t *msg);
-/*
+/*%<
  * Gets the tsig key for 'msg'.
  *
  * Requires:
  *
- *	'msg' is a valid message
+ *\li	'msg' is a valid message
  */
 
 isc_result_t
 dns_message_setquerytsig(dns_message_t *msg, isc_buffer_t *querytsig);
-/*
+/*%<
  * Indicates that 'querytsig' is the TSIG from the signed query for which
  * 'msg' is the response.  This is also used for chained TSIGs in TCP
  * responses.
  *
  * Requires:
  *
- *	'querytsig' is a valid buffer as returned by dns_message_getquerytsig()
+ *\li	'querytsig' is a valid buffer as returned by dns_message_getquerytsig()
  *	or NULL
  *
- *	'msg' is a valid message
+ *\li	'msg' is a valid message
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
  */
 
 isc_result_t
 dns_message_getquerytsig(dns_message_t *msg, isc_mem_t *mctx,
 			 isc_buffer_t **querytsig);
-/*
+/*%<
  * Gets the tsig from the TSIG from the signed query 'msg'.  This is also used
  * for chained TSIGs in TCP responses.  Unlike dns_message_gettsig, this makes
  * a copy of the data, so can be used if the message is destroyed.
  *
  * Requires:
  *
- *	'msg' is a valid signed message
- *	'mctx' is a valid memory context
- *	querytsig != NULL && *querytsig == NULL
+ *\li	'msg' is a valid signed message
+ *\li	'mctx' is a valid memory context
+ *\li	querytsig != NULL && *querytsig == NULL
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
  *
  * Ensures:
- * 	'tsig' points to NULL or an allocated buffer which must be freed
+ *\li 	'tsig' points to NULL or an allocated buffer which must be freed
  * 	by the caller.
  */
 
 dns_rdataset_t *
 dns_message_getsig0(dns_message_t *msg, dns_name_t **owner);
-/*
+/*%<
  * Get the SIG(0) record and owner for 'msg'.
  *
  * Requires:
  *
- *	'msg' is a valid message.
- *	'owner' is NULL or *owner is NULL.
+ *\li	'msg' is a valid message.
+ *\li	'owner' is NULL or *owner is NULL.
  *
  * Returns:
  *
- *	The SIG(0) rdataset of 'msg', or NULL if there isn't one.
+ *\li	The SIG(0) rdataset of 'msg', or NULL if there isn't one.
  *
  * Ensures:
  *
- * 	If 'owner' is not NULL, it will point to the owner name.
+ * \li	If 'owner' is not NULL, it will point to the owner name.
  */
 
 isc_result_t
 dns_message_setsig0key(dns_message_t *msg, dst_key_t *key);
-/*
+/*%<
  * Set the SIG(0) key for 'msg'.
  *
  * Requires:
  *
- *	'msg' is a valid message with rendering intent,
+ *\li	'msg' is a valid message with rendering intent,
  *	dns_message_renderbegin() has been called, and no sections have been
  *	rendered.
- *	'key' is a valid sig key or NULL.
+ *\li	'key' is a valid sig key or NULL.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_SUCCESS		-- all is well.
  *
- *	ISC_R_NOSPACE		-- there is no space for the SIG(0) record.
+ *\li	#ISC_R_NOSPACE		-- there is no space for the SIG(0) record.
  */
 
 dst_key_t *
 dns_message_getsig0key(dns_message_t *msg);
-/*
+/*%<
  * Gets the SIG(0) key for 'msg'.
  *
  * Requires:
  *
- *	'msg' is a valid message
+ *\li	'msg' is a valid message
  */
 
 void
 dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
-/*
+/*%<
  * Give the *buffer to the message code to clean up when it is no
  * longer needed.  This is usually when the message is reset or
  * destroyed.
  *
  * Requires:
  *
- *	msg be a valid message.
+ *\li	msg be a valid message.
  *
- *	buffer != NULL && *buffer is a valid isc_buffer_t, which was
+ *\li	buffer != NULL && *buffer is a valid isc_buffer_t, which was
  *	dynamincally allocated via isc_buffer_allocate().
  */
 
 isc_result_t
 dns_message_signer(dns_message_t *msg, dns_name_t *signer);
-/*
+/*%<
  * If this message was signed, return the identity of the signer.
  * Unless ISC_R_NOTFOUND is returned, signer will reflect the name of the
  * key that signed the message.
  *
  * Requires:
  *
- *	msg is a valid parsed message.
- *	signer is a valid name
+ *\li	msg is a valid parsed message.
+ *\li	signer is a valid name
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		- the message was signed, and *signer
+ *\li	#ISC_R_SUCCESS		- the message was signed, and *signer
  *				  contains the signing identity
  *
- *	ISC_R_NOTFOUND		- no TSIG or SIG(0) record is present in the
+ *\li	#ISC_R_NOTFOUND		- no TSIG or SIG(0) record is present in the
  *				  message
  *
- *	DNS_R_TSIGVERIFYFAILURE	- the message was signed by a TSIG, but the
+ *\li	#DNS_R_TSIGVERIFYFAILURE	- the message was signed by a TSIG, but the
  *				  signature failed to verify
  *
- *	DNS_R_TSIGERRORSET	- the message was signed by a TSIG and
+ *\li	#DNS_R_TSIGERRORSET	- the message was signed by a TSIG and
  *				  verified, but the query was rejected by
  *				  the server
  *
- *	DNS_R_NOIDENTITY	- the message was signed by a TSIG and
+ *\li	#DNS_R_NOIDENTITY	- the message was signed by a TSIG and
  *				  verified, but the key has no identity since
  *				  it was generated by an unsigned TKEY process
  *
- *	DNS_R_SIGINVALID	- the message was signed by a SIG(0), but
+ *\li	#DNS_R_SIGINVALID	- the message was signed by a SIG(0), but
  *				  the signature failed to verify
  *
- *	DNS_R_NOTVERIFIEDYET	- the message was signed by a TSIG or SIG(0),
+ *\li	#DNS_R_NOTVERIFIEDYET	- the message was signed by a TSIG or SIG(0),
  *				  but the signature has not been verified yet
  */
 
 isc_result_t
 dns_message_checksig(dns_message_t *msg, dns_view_t *view);
-/*
+/*%<
  * If this message was signed, verify the signature.
  *
  * Requires:
  *
- *	msg is a valid parsed message.
- *	view is a valid view or NULL
+ *\li	msg is a valid parsed message.
+ *\li	view is a valid view or NULL
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		- the message was unsigned, or the message
+ *\li	#ISC_R_SUCCESS		- the message was unsigned, or the message
  *				  was signed correctly.
  *
- *	DNS_R_EXPECTEDTSIG	- A TSIG was expected, but not seen
- *	DNS_R_UNEXPECTEDTSIG	- A TSIG was seen but not expected
- *	DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
+ *\li	#DNS_R_EXPECTEDTSIG	- A TSIG was expected, but not seen
+ *\li	#DNS_R_UNEXPECTEDTSIG	- A TSIG was seen but not expected
+ *\li	#DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
  */
 
 isc_result_t
 dns_message_rechecksig(dns_message_t *msg, dns_view_t *view);
-/*
+/*%<
  * Reset the signature state and then if the message was signed,
  * verify the message.
  *
  * Requires:
  *
- *	msg is a valid parsed message.
- *	view is a valid view or NULL
+ *\li	msg is a valid parsed message.
+ *\li	view is a valid view or NULL
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		- the message was unsigned, or the message
+ *\li	#ISC_R_SUCCESS		- the message was unsigned, or the message
  *				  was signed correctly.
  *
- *	DNS_R_EXPECTEDTSIG	- A TSIG was expected, but not seen
- *	DNS_R_UNEXPECTEDTSIG	- A TSIG was seen but not expected
- *	DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
+ *\li	#DNS_R_EXPECTEDTSIG	- A TSIG was expected, but not seen
+ *\li	#DNS_R_UNEXPECTEDTSIG	- A TSIG was seen but not expected
+ *\li	#DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
  */
 
 void
 dns_message_resetsig(dns_message_t *msg);
-/*
+/*%<
  * Reset the signature state.
  *
  * Requires:
- *	'msg' is a valid parsed message.
+ *\li	'msg' is a valid parsed message.
  */
 
 isc_region_t *
 dns_message_getrawmessage(dns_message_t *msg);
-/*
+/*%<
  * Retrieve the raw message in compressed wire format.  The message must
  * have been successfully parsed for it to have been saved.
  *
  * Requires:
- *	msg is a valid parsed message.
+ *\li	msg is a valid parsed message.
  *
  * Returns:
- *	NULL	if there is no saved message.
+ *\li	NULL	if there is no saved message.
  *	a pointer to a region which refers the dns message.
  */
 
 void
 dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
 			 const void *order_arg);
-/*
+/*%<
  * Define the order in which RR sets get rendered by
  * dns_message_rendersection() to be the ascending order
  * defined by the integer value returned by 'order' when
@@ -1290,27 +1311,27 @@ dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
  * 'order_arg' are NULL, a default order is used.
  *
  * Requires:
- *	msg be a valid message.
- *	order_arg is NULL if and only if order is NULL.
+ *\li	msg be a valid message.
+ *\li	order_arg is NULL if and only if order is NULL.
  */
 
 void 
 dns_message_settimeadjust(dns_message_t *msg, int timeadjust);
-/*
+/*%<
  * Adjust the time used to sign/verify a message by timeadjust.
  * Currently only TSIG.
  *
  * Requires:
- *	msg be a valid message.
+ *\li	msg be a valid message.
  */
 
 int 
 dns_message_gettimeadjust(dns_message_t *msg);
-/*
+/*%<
  * Return the current time adjustment.
  *
  * Requires:
- *	msg be a valid message.
+ *\li	msg be a valid message.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/name.h b/contrib/bind9/lib/dns/include/dns/name.h
index ce9e1f1..038ae05 100644
--- a/contrib/bind9/lib/dns/include/dns/name.h
+++ b/contrib/bind9/lib/dns/include/dns/name.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.h,v 1.95.2.3.2.14 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: name.h,v 1.107.18.15 2006/03/02 00:37:21 marka Exp $ */
 
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
@@ -24,9 +24,8 @@
  ***** Module Info
  *****/
 
-/*
- * DNS Names and Labels
- *
+/*! \file
+ * \brief
  * Provides facilities for manipulating DNS names and labels, including
  * conversions to and from wire format and text format.
  *
@@ -45,26 +44,26 @@
  * handles.
  *
  * MP:
- *	Clients of this module must impose any required synchronization.
+ *\li	Clients of this module must impose any required synchronization.
  *
  * Reliability:
- *	This module deals with low-level byte streams.  Errors in any of
+ *\li	This module deals with low-level byte streams.  Errors in any of
  *	the functions are likely to crash the server or corrupt memory.
  *
  * Resources:
- *	None.
+ *\li	None.
  *
  * Security:
  *
- *	*** WARNING ***
+ *\li	*** WARNING ***
  *
- *	dns_name_fromwire() deals with raw network data.  An error in
+ *\li	dns_name_fromwire() deals with raw network data.  An error in
  *	this routine could result in the failure or hijacking of the server.
  *
  * Standards:
- *	RFC 1035
- *	Draft EDNS0 (0)
- *	Draft Binary Labels (2)
+ *\li	RFC1035
+ *\li	Draft EDNS0 (0)
+ *\li	Draft Binary Labels (2)
  *
  */
 
@@ -109,7 +108,7 @@ ISC_LANG_BEGINDECLS
  *** Types
  ***/
 
-/*
+/*%
  * Clients are strongly discouraged from using this type directly,  with
  * the exception of the 'link' and 'list' fields which may be used directly
  * for whatever purpose the client desires.
@@ -135,89 +134,100 @@ struct dns_name {
 /*
  * Attributes below 0x0100 reserved for name.c usage.
  */
-#define DNS_NAMEATTR_CACHE		0x0100		/* Used by resolver. */
-#define DNS_NAMEATTR_ANSWER		0x0200		/* Used by resolver. */
-#define DNS_NAMEATTR_NCACHE		0x0400		/* Used by resolver. */
-#define DNS_NAMEATTR_CHAINING		0x0800		/* Used by resolver. */
-#define DNS_NAMEATTR_CHASE		0x1000		/* Used by resolver. */
-#define DNS_NAMEATTR_WILDCARD		0x2000		/* Used by server. */
+#define DNS_NAMEATTR_CACHE		0x0100		/*%< Used by resolver. */
+#define DNS_NAMEATTR_ANSWER		0x0200		/*%< Used by resolver. */
+#define DNS_NAMEATTR_NCACHE		0x0400		/*%< Used by resolver. */
+#define DNS_NAMEATTR_CHAINING		0x0800		/*%< Used by resolver. */
+#define DNS_NAMEATTR_CHASE		0x1000		/*%< Used by resolver. */
+#define DNS_NAMEATTR_WILDCARD		0x2000		/*%< Used by server. */
 
 #define DNS_NAME_DOWNCASE		0x0001
-#define DNS_NAME_CHECKNAMES		0x0002		/* Used by rdata. */
-#define DNS_NAME_CHECKNAMESFAIL		0x0004		/* Used by rdata. */
-#define DNS_NAME_CHECKREVERSE		0x0008		/* Used by rdata. */
+#define DNS_NAME_CHECKNAMES		0x0002		/*%< Used by rdata. */
+#define DNS_NAME_CHECKNAMESFAIL		0x0004		/*%< Used by rdata. */
+#define DNS_NAME_CHECKREVERSE		0x0008		/*%< Used by rdata. */
+#define DNS_NAME_CHECKMX		0x0010		/*%< Used by rdata. */
+#define DNS_NAME_CHECKMXFAIL		0x0020		/*%< Used by rdata. */
 
 LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_rootname;
 LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_wildcardname;
 
-/*
+/*%
  * Standard size of a wire format name
  */
 #define DNS_NAME_MAXWIRE 255
 
+/*
+ * Text output filter procedure.
+ * 'target' is the buffer to be converted.  The region to be converted
+ * is from 'buffer'->base + 'used_org' to the end of the used region.
+ */
+typedef isc_result_t (*dns_name_totextfilter_t)(isc_buffer_t *target,
+						unsigned int used_org,
+						isc_boolean_t absolute);
+
 /***
  *** Initialization
  ***/
 
 void
 dns_name_init(dns_name_t *name, unsigned char *offsets);
-/*
+/*%<
  * Initialize 'name'.
  *
  * Notes:
- *	'offsets' is never required to be non-NULL, but specifying a
+ * \li	'offsets' is never required to be non-NULL, but specifying a
  *	dns_offsets_t for 'offsets' will improve the performance of most
  *	name operations if the name is used more than once.
  *
  * Requires:
- *	'name' is not NULL and points to a struct dns_name.
+ * \li	'name' is not NULL and points to a struct dns_name.
  *
- *	offsets == NULL or offsets is a dns_offsets_t.
+ * \li	offsets == NULL or offsets is a dns_offsets_t.
  *
  * Ensures:
- *	'name' is a valid name.
- *	dns_name_countlabels(name) == 0
- *	dns_name_isabsolute(name) == ISC_FALSE
+ * \li	'name' is a valid name.
+ * \li	dns_name_countlabels(name) == 0
+ * \li	dns_name_isabsolute(name) == ISC_FALSE
  */
 
 void
 dns_name_reset(dns_name_t *name);
-/*
+/*%<
  * Reinitialize 'name'.
  *
  * Notes:
- *	This function distinguishes itself from dns_name_init() in two
+ * \li	This function distinguishes itself from dns_name_init() in two
  *	key ways:
  *
- *	+ If any buffer is associated with 'name' (via dns_name_setbuffer()
+ * \li	+ If any buffer is associated with 'name' (via dns_name_setbuffer()
  *	  or by being part of a dns_fixedname_t) the link to the buffer
  *	  is retained but the buffer itself is cleared.
  *
- *	+ Of the attributes associated with 'name', all are retained except
+ * \li	+ Of the attributes associated with 'name', all are retained except
  *	  DNS_NAMEATTR_ABSOLUTE.
  *
  * Requires:
- *	'name' is a valid name.
+ * \li	'name' is a valid name.
  *
  * Ensures:
- *	'name' is a valid name.
- *	dns_name_countlabels(name) == 0
- *	dns_name_isabsolute(name) == ISC_FALSE
+ * \li	'name' is a valid name.
+ * \li	dns_name_countlabels(name) == 0
+ * \li	dns_name_isabsolute(name) == ISC_FALSE
  */
 
 void
 dns_name_invalidate(dns_name_t *name);
-/*
+/*%<
  * Make 'name' invalid.
  *
  * Requires:
- *	'name' is a valid name.
+ * \li	'name' is a valid name.
  *
  * Ensures:
- *	If assertion checking is enabled, future attempts to use 'name'
+ * \li	If assertion checking is enabled, future attempts to use 'name'
  *	without initializing it will cause an assertion failure.
  *
- *	If the name had a dedicated buffer, that association is ended.
+ * \li	If the name had a dedicated buffer, that association is ended.
  */
 
 
@@ -227,93 +237,92 @@ dns_name_invalidate(dns_name_t *name);
 
 void
 dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer);
-/*
+/*%<
  * Dedicate a buffer for use with 'name'.
  *
  * Notes:
- *	Specification of a target buffer in dns_name_fromwire(),
+ * \li	Specification of a target buffer in dns_name_fromwire(),
  *	dns_name_fromtext(), and dns_name_concatentate() is optional if
  *	'name' has a dedicated buffer.
  *
- *	The caller must not write to buffer until the name has been
+ * \li	The caller must not write to buffer until the name has been
  *	invalidated or is otherwise known not to be in use.
  *
- *	If buffer is NULL and the name previously had a dedicated buffer,
+ * \li	If buffer is NULL and the name previously had a dedicated buffer,
  *	than that buffer is no longer dedicated to use with this name.
  *	The caller is responsible for ensuring that the storage used by
  *	the name remains valid.
  *
  * Requires:
- *	'name' is a valid name.
+ * \li	'name' is a valid name.
  *
- *	'buffer' is a valid binary buffer and 'name' doesn't have a
+ * \li	'buffer' is a valid binary buffer and 'name' doesn't have a
  *	dedicated buffer already, or 'buffer' is NULL.
  */
 
 isc_boolean_t
 dns_name_hasbuffer(const dns_name_t *name);
-/*
+/*%<
  * Does 'name' have a dedicated buffer?
  *
  * Requires:
- *	'name' is a valid name.
+ * \li	'name' is a valid name.
  *
  * Returns:
- *	ISC_TRUE	'name' has a dedicated buffer.
- *	ISC_FALSE	'name' does not have a dedicated buffer.
+ * \li	ISC_TRUE	'name' has a dedicated buffer.
+ * \li	ISC_FALSE	'name' does not have a dedicated buffer.
  */
 
-
 /***
  *** Properties
  ***/
 
 isc_boolean_t
 dns_name_isabsolute(const dns_name_t *name);
-/*
+/*%<
  * Does 'name' end in the root label?
  *
  * Requires:
- *	'name' is a valid name
+ * \li	'name' is a valid name
  *
  * Returns:
- *	TRUE		The last label in 'name' is the root label.
- *	FALSE		The last label in 'name' is not the root label.
+ * \li	TRUE		The last label in 'name' is the root label.
+ * \li	FALSE		The last label in 'name' is not the root label.
  */
 
 isc_boolean_t
 dns_name_iswildcard(const dns_name_t *name);
-/*
+/*%<
  * Is 'name' a wildcard name?
  *
  * Requires:
- *	'name' is a valid name
+ * \li	'name' is a valid name
  *
- *	dns_name_countlabels(name) > 0
+ * \li	dns_name_countlabels(name) > 0
  *
  * Returns:
- *	TRUE		The least significant label of 'name' is '*'.
- *	FALSE		The least significant label of 'name' is not '*'.
+ * \li	TRUE		The least significant label of 'name' is '*'.
+ * \li	FALSE		The least significant label of 'name' is not '*'.
  */
 
 unsigned int
 dns_name_hash(dns_name_t *name, isc_boolean_t case_sensitive);
-/*
+/*%<
  * Provide a hash value for 'name'.
  *
  * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
  * case will have the same hash value.
  *
  * Requires:
- *	'name' is a valid name
+ * \li	'name' is a valid name
  *
  * Returns:
- *	A hash value
+ * \li	A hash value
  */
 
 unsigned int
 dns_name_fullhash(dns_name_t *name, isc_boolean_t case_sensitive);
-/*
+/*%<
  * Provide a hash value for 'name'.  Unlike dns_name_hash(), this function
  * always takes into account of the entire name to calculate the hash value.
  *
@@ -321,15 +330,15 @@ dns_name_fullhash(dns_name_t *name, isc_boolean_t case_sensitive);
  * case will have the same hash value.
  *
  * Requires:
- *	'name' is a valid name
+ *\li	'name' is a valid name
  *
  * Returns:
- *	A hash value
+ *\li	A hash value
  */
 
 unsigned int
 dns_name_hashbylabel(dns_name_t *name, isc_boolean_t case_sensitive);
-/*
+/*%<
  * Provide a hash value for 'name', where the hash value is the sum
  * of the hash values of each label.
  *
@@ -337,20 +346,20 @@ dns_name_hashbylabel(dns_name_t *name, isc_boolean_t case_sensitive);
  * case will have the same hash value.
  *
  * Requires:
- *	'name' is a valid name
+ *\li	'name' is a valid name
  *
  * Returns:
- *	A hash value
+ *\li	A hash value
  */
 
-/***
+/*
  *** Comparisons
  ***/
 
 dns_namereln_t
 dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
 		     int *orderp, unsigned int *nlabelsp);
-/*
+/*%<
  * Determine the relative ordering under the DNSSEC order relation of
  * 'name1' and 'name2', and also determine the hierarchical
  * relationship of the names.
@@ -361,39 +370,39 @@ dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
  * same domain.
  *
  * Requires:
- *	'name1' is a valid name
+ *\li	'name1' is a valid name
  *
- *	dns_name_countlabels(name1) > 0
+ *\li	dns_name_countlabels(name1) > 0
  *
- *	'name2' is a valid name
+ *\li	'name2' is a valid name
  *
- *	dns_name_countlabels(name2) > 0
+ *\li	dns_name_countlabels(name2) > 0
  *
- *	orderp and nlabelsp are valid pointers.
+ *\li	orderp and nlabelsp are valid pointers.
  *
- *	Either name1 is absolute and name2 is absolute, or neither is.
+ *\li	Either name1 is absolute and name2 is absolute, or neither is.
  *
  * Ensures:
  *
- *	*orderp is < 0 if name1 < name2, 0 if name1 = name2, > 0 if
+ *\li	*orderp is < 0 if name1 < name2, 0 if name1 = name2, > 0 if
  *	name1 > name2.
  *
- *	*nlabelsp is the number of common significant labels.
+ *\li	*nlabelsp is the number of common significant labels.
  *
  * Returns:
- *	dns_namereln_none		There's no hierarchical relationship
+ *\li	dns_namereln_none		There's no hierarchical relationship
  *					between name1 and name2.
- *	dns_namereln_contains		name1 properly contains name2; i.e.
+ *\li	dns_namereln_contains		name1 properly contains name2; i.e.
  *					name2 is a proper subdomain of name1.
- *	dns_namereln_subdomain		name1 is a proper subdomain of name2.
- *	dns_namereln_equal		name1 and name2 are equal.
- *	dns_namereln_commonancestor	name1 and name2 share a common
+ *\li	dns_namereln_subdomain		name1 is a proper subdomain of name2.
+ *\li	dns_namereln_equal		name1 and name2 are equal.
+ *\li	dns_namereln_commonancestor	name1 and name2 share a common
  *					ancestor.
  */
 
 int
 dns_name_compare(const dns_name_t *name1, const dns_name_t *name2);
-/*
+/*%<
  * Determine the relative ordering under the DNSSEC order relation of
  * 'name1' and 'name2'.
  *
@@ -403,124 +412,130 @@ dns_name_compare(const dns_name_t *name1, const dns_name_t *name2);
  * same domain.
  *
  * Requires:
- *	'name1' is a valid name
+ * \li	'name1' is a valid name
  *
- *	'name2' is a valid name
+ * \li	'name2' is a valid name
  *
- *	Either name1 is absolute and name2 is absolute, or neither is.
+ * \li	Either name1 is absolute and name2 is absolute, or neither is.
  *
  * Returns:
- *	< 0		'name1' is less than 'name2'
- *	0		'name1' is equal to 'name2'
- *	> 0		'name1' is greater than 'name2'
+ * \li	< 0		'name1' is less than 'name2'
+ * \li	0		'name1' is equal to 'name2'
+ * \li	> 0		'name1' is greater than 'name2'
  */
 
 isc_boolean_t
 dns_name_equal(const dns_name_t *name1, const dns_name_t *name2);
-/*
+/*%<
  * Are 'name1' and 'name2' equal?
  *
  * Notes:
- *	Because it only needs to test for equality, dns_name_equal() can be
+ * \li	Because it only needs to test for equality, dns_name_equal() can be
  *	significantly faster than dns_name_fullcompare() or dns_name_compare().
  *
- *	Offsets tables are not used in the comparision.
+ * \li	Offsets tables are not used in the comparision.
  *
- * 	It makes no sense for one of the names to be relative and the
+ * \li	It makes no sense for one of the names to be relative and the
  *	other absolute.  If both names are relative, then to be meaningfully
  * 	compared the caller must ensure that they are both relative to the
  * 	same domain.
  *
  * Requires:
- *	'name1' is a valid name
+ * \li	'name1' is a valid name
  *
- *	'name2' is a valid name
+ * \li	'name2' is a valid name
  *
- *	Either name1 is absolute and name2 is absolute, or neither is.
+ * \li	Either name1 is absolute and name2 is absolute, or neither is.
  *
  * Returns:
- *	ISC_TRUE	'name1' and 'name2' are equal
- *	ISC_FALSE	'name1' and 'name2' are not equal
+ * \li	ISC_TRUE	'name1' and 'name2' are equal
+ * \li	ISC_FALSE	'name1' and 'name2' are not equal
+ */
+
+isc_boolean_t
+dns_name_caseequal(const dns_name_t *name1, const dns_name_t *name2);
+/*%<
+ * Case sensitive version of dns_name_equal().
  */
 
 int
 dns_name_rdatacompare(const dns_name_t *name1, const dns_name_t *name2);
-/*
+/*%<
  * Compare two names as if they are part of rdata in DNSSEC canonical
  * form.
  *
  * Requires:
- *	'name1' is a valid absolute name
+ * \li	'name1' is a valid absolute name
  *
- *	dns_name_countlabels(name1) > 0
+ * \li	dns_name_countlabels(name1) > 0
  *
- *	'name2' is a valid absolute name
+ * \li	'name2' is a valid absolute name
  *
- *	dns_name_countlabels(name2) > 0
+ * \li	dns_name_countlabels(name2) > 0
  *
  * Returns:
- *	< 0		'name1' is less than 'name2'
- *	0		'name1' is equal to 'name2'
- *	> 0		'name1' is greater than 'name2'
+ * \li	< 0		'name1' is less than 'name2'
+ * \li	0		'name1' is equal to 'name2'
+ * \li	> 0		'name1' is greater than 'name2'
  */
 
 isc_boolean_t
 dns_name_issubdomain(const dns_name_t *name1, const dns_name_t *name2);
-/*
+/*%<
  * Is 'name1' a subdomain of 'name2'?
  *
  * Notes:
- *	name1 is a subdomain of name2 if name1 is contained in name2, or
+ * \li	name1 is a subdomain of name2 if name1 is contained in name2, or
  *	name1 equals name2.
  *
- *	It makes no sense for one of the names to be relative and the
+ * \li	It makes no sense for one of the names to be relative and the
  *	other absolute.  If both names are relative, then to be meaningfully
  *	compared the caller must ensure that they are both relative to the
  *	same domain.
  *
  * Requires:
- *	'name1' is a valid name
+ * \li	'name1' is a valid name
  *
- *	'name2' is a valid name
+ * \li	'name2' is a valid name
  *
- *	Either name1 is absolute and name2 is absolute, or neither is.
+ * \li	Either name1 is absolute and name2 is absolute, or neither is.
  *
  * Returns:
- *	TRUE		'name1' is a subdomain of 'name2'
- *	FALSE		'name1' is not a subdomain of 'name2'
+ * \li	TRUE		'name1' is a subdomain of 'name2'
+ * \li	FALSE		'name1' is not a subdomain of 'name2'
  */
 
 isc_boolean_t
 dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname);
-/*
+/*%<
  * Does 'name' match the wildcard specified in 'wname'?
  *
  * Notes:
- *	name matches the wildcard specified in wname if all labels
+ * \li	name matches the wildcard specified in wname if all labels
  *	following the wildcard in wname are identical to the same number
  *	of labels at the end of name.
  *
- *	It makes no sense for one of the names to be relative and the
+ * \li	It makes no sense for one of the names to be relative and the
  *	other absolute.  If both names are relative, then to be meaningfully
  *	compared the caller must ensure that they are both relative to the
  *	same domain.
  *
  * Requires:
- *	'name' is a valid name
+ * \li	'name' is a valid name
  *
- *	dns_name_countlabels(name) > 0
+ * \li	dns_name_countlabels(name) > 0
  *
- *	'wname' is a valid name
+ * \li	'wname' is a valid name
  *
- *	dns_name_countlabels(wname) > 0
+ * \li	dns_name_countlabels(wname) > 0
  *
- *	dns_name_iswildcard(wname) is true
+ * \li	dns_name_iswildcard(wname) is true
  *
- *	Either name is absolute and wname is absolute, or neither is.
+ * \li	Either name is absolute and wname is absolute, or neither is.
  *
  * Returns:
- *	TRUE		'name' matches the wildcard specified in 'wname'
- *	FALSE		'name' does not match the wildcard specified in 'wname'
+ * \li	TRUE		'name' matches the wildcard specified in 'wname'
+ * \li	FALSE		'name' does not match the wildcard specified in 'wname'
  */
 
 /***
@@ -529,89 +544,91 @@ dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname);
 
 unsigned int
 dns_name_countlabels(const dns_name_t *name);
-/*
+/*%<
  * How many labels does 'name' have?
  *
  * Notes:
- *	In this case, as in other places, a 'label' is an ordinary label.
+ * \li	In this case, as in other places, a 'label' is an ordinary label.
  *
  * Requires:
- *	'name' is a valid name
+ * \li	'name' is a valid name
  *
  * Ensures:
- *	The result is <= 128.
+ * \li	The result is <= 128.
  *
  * Returns:
- *	The number of labels in 'name'.
+ * \li	The number of labels in 'name'.
  */
 
 void
 dns_name_getlabel(const dns_name_t *name, unsigned int n, dns_label_t *label);
-/*
+/*%<
  * Make 'label' refer to the 'n'th least significant label of 'name'.
  *
  * Notes:
- *	Numbering starts at 0.
+ * \li	Numbering starts at 0.
  *
- *	Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
+ * \li	Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
  *	root label.
  *
- *	'label' refers to the same memory as 'name', so 'name' must not
+ * \li	'label' refers to the same memory as 'name', so 'name' must not
  *	be changed while 'label' is still in use.
  *
  * Requires:
- *	n < dns_name_countlabels(name)
+ * \li	n < dns_name_countlabels(name)
  */
 
 void
 dns_name_getlabelsequence(const dns_name_t *source, unsigned int first,
 			  unsigned int n, dns_name_t *target);
-/*
+/*%<
  * Make 'target' refer to the 'n' labels including and following 'first'
  * in 'source'.
  *
  * Notes:
- *	Numbering starts at 0.
+ * \li	Numbering starts at 0.
  *
- *	Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
+ * \li	Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
  *	root label.
  *
- *	'target' refers to the same memory as 'source', so 'source'
+ * \li	'target' refers to the same memory as 'source', so 'source'
  *	must not be changed while 'target' is still in use.
  *
  * Requires:
- *	'source' and 'target' are valid names.
+ * \li	'source' and 'target' are valid names.
  *
- *	first < dns_name_countlabels(name)
+ * \li	first < dns_name_countlabels(name)
  *
- *	first + n <= dns_name_countlabels(name)
+ * \li	first + n <= dns_name_countlabels(name)
  */
 
 
 void
 dns_name_clone(const dns_name_t *source, dns_name_t *target);
-/*
+/*%<
  * Make 'target' refer to the same name as 'source'.
  *
  * Notes:
  *
- *	'target' refers to the same memory as 'source', so 'source'
+ * \li	'target' refers to the same memory as 'source', so 'source'
  *	must not be changed while 'target' is still in use.
  *
- *	This call is functionally equivalent to:
+ * \li	This call is functionally equivalent to:
  *
+ * \code
  *		dns_name_getlabelsequence(source, 0,
  *					  dns_name_countlabels(source),
  *					  target);
+ * \endcode
  *
  *	but is more efficient.  Also, dns_name_clone() works even if 'source'
  *	is empty.
  *
  * Requires:
  *
- *	'source' is a valid name.
+ * \li	'source' is a valid name.
  *
- *	'target' is a valid name that is not read-only.
+ * \li	'target' is a valid name that is not read-only.
  */
 
 /***
@@ -620,206 +637,205 @@ dns_name_clone(const dns_name_t *source, dns_name_t *target);
 
 void
 dns_name_fromregion(dns_name_t *name, const isc_region_t *r);
-/*
+/*%<
  * Make 'name' refer to region 'r'.
  *
  * Note:
- *	If the conversion encounters a root label before the end of the
+ * \li	If the conversion encounters a root label before the end of the
  *	region the conversion stops and the length is set to the length
  *	so far converted.  A maximum of 255 bytes is converted.
  *
  * Requires:
- *	The data in 'r' is a sequence of one or more type 00 or type 01000001
+ * \li	The data in 'r' is a sequence of one or more type 00 or type 01000001
  *	labels.
  */
 
 void
 dns_name_toregion(dns_name_t *name, isc_region_t *r);
-/*
+/*%<
  * Make 'r' refer to 'name'.
  *
  * Requires:
  *
- *	'name' is a valid name.
+ * \li	'name' is a valid name.
  *
- *	'r' is a valid region.
+ * \li	'r' is a valid region.
  */
 
 isc_result_t
 dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 		  dns_decompress_t *dctx, unsigned int options,
 		  isc_buffer_t *target);
-/*
+/*%<
  * Copy the possibly-compressed name at source (active region) into target,
  * decompressing it.
  *
  * Notes:
- *	Decompression policy is controlled by 'dctx'.
+ * \li	Decompression policy is controlled by 'dctx'.
  *
- *	If DNS_NAME_DOWNCASE is set, any uppercase letters in 'source' will be
+ * \li	If DNS_NAME_DOWNCASE is set, any uppercase letters in 'source' will be
  *	downcased when they are copied into 'target'.
  *
  * Security:
  *
- *	*** WARNING ***
+ * \li	*** WARNING ***
  *
- *	This routine will often be used when 'source' contains raw network
+ * \li	This routine will often be used when 'source' contains raw network
  *	data.  A programming error in this routine could result in a denial
  *	of service, or in the hijacking of the server.
  *
  * Requires:
  *
- *	'name' is a valid name.
+ * \li	'name' is a valid name.
  *
- *	'source' is a valid buffer and the first byte of the active
+ * \li	'source' is a valid buffer and the first byte of the active
  *	region should be the first byte of a DNS wire format domain name.
  *
- *	'target' is a valid buffer or 'target' is NULL and 'name' has
+ * \li	'target' is a valid buffer or 'target' is NULL and 'name' has
  *	a dedicated buffer.
  *
- *	'dctx' is a valid decompression context.
+ * \li	'dctx' is a valid decompression context.
  *
  * Ensures:
  *
  *	If result is success:
- *	 	If 'target' is not NULL, 'name' is attached to it.
+ * \li	 	If 'target' is not NULL, 'name' is attached to it.
  *
- *		Uppercase letters are downcased in the copy iff
+ * \li		Uppercase letters are downcased in the copy iff
  *		DNS_NAME_DOWNCASE is set in options.
  *
- *		The current location in source is advanced, and the used space
+ * \li		The current location in source is advanced, and the used space
  *		in target is updated.
  *
  * Result:
- *	Success
- *	Bad Form: Label Length
- *	Bad Form: Unknown Label Type
- *	Bad Form: Name Length
- *	Bad Form: Compression type not allowed
- *	Bad Form: Bad compression pointer
- *	Bad Form: Input too short
- *	Resource Limit: Too many compression pointers
- *	Resource Limit: Not enough space in buffer
+ * \li	Success
+ * \li	Bad Form: Label Length
+ * \li	Bad Form: Unknown Label Type
+ * \li	Bad Form: Name Length
+ * \li	Bad Form: Compression type not allowed
+ * \li	Bad Form: Bad compression pointer
+ * \li	Bad Form: Input too short
+ * \li	Resource Limit: Too many compression pointers
+ * \li	Resource Limit: Not enough space in buffer
  */
 
 isc_result_t
 dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
-		isc_buffer_t *target);
-/*
+	        isc_buffer_t *target);
+/*%<
  * Convert 'name' into wire format, compressing it as specified by the
  * compression context 'cctx', and storing the result in 'target'.
  *
  * Notes:
- *	If the compression context allows global compression, then the
+ * \li	If the compression context allows global compression, then the
  *	global compression table may be updated.
  *
  * Requires:
- *	'name' is a valid name
+ * \li	'name' is a valid name
  *
- *	dns_name_countlabels(name) > 0
+ * \li	dns_name_countlabels(name) > 0
  *
- *	dns_name_isabsolute(name) == TRUE
+ * \li	dns_name_isabsolute(name) == TRUE
  *
- *	target is a valid buffer.
+ * \li	target is a valid buffer.
  *
- *	Any offsets specified in a global compression table are valid
+ * \li	Any offsets specified in a global compression table are valid
  *	for buffer.
  *
  * Ensures:
  *
  *	If the result is success:
  *
- *		The used space in target is updated.
+ * \li		The used space in target is updated.
  *
  * Returns:
- *	Success
- *	Resource Limit: Not enough space in buffer
+ * \li	Success
+ * \li	Resource Limit: Not enough space in buffer
  */
 
 isc_result_t
 dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 		  dns_name_t *origin, unsigned int options,
 		  isc_buffer_t *target);
-/*
+/*%<
  * Convert the textual representation of a DNS name at source
  * into uncompressed wire form stored in target.
  *
  * Notes:
- *	Relative domain names will have 'origin' appended to them
+ * \li	Relative domain names will have 'origin' appended to them
  *	unless 'origin' is NULL, in which case relative domain names
  *	will remain relative.
  *
- *	If DNS_NAME_DOWNCASE is set in 'options', any uppercase letters
+ * \li	If DNS_NAME_DOWNCASE is set in 'options', any uppercase letters
  *	in 'source' will be downcased when they are copied into 'target'.
  *
  * Requires:
  *
- *	'name' is a valid name.
+ * \li	'name' is a valid name.
  *
- *	'source' is a valid buffer.
+ * \li	'source' is a valid buffer.
  *
- *	'target' is a valid buffer or 'target' is NULL and 'name' has
+ * \li	'target' is a valid buffer or 'target' is NULL and 'name' has
  *	a dedicated buffer.
  *
  * Ensures:
  *
  *	If result is success:
- *	 	If 'target' is not NULL, 'name' is attached to it.
+ * \li	 	If 'target' is not NULL, 'name' is attached to it.
  *
- *		Uppercase letters are downcased in the copy iff
+ * \li		Uppercase letters are downcased in the copy iff
  *		DNS_NAME_DOWNCASE is set in 'options'.
  *
- *		The current location in source is advanced, and the used space
+ * \li		The current location in source is advanced, and the used space
  *		in target is updated.
  *
  * Result:
- *	ISC_R_SUCCESS
- *	DNS_R_EMPTYLABEL
- *	DNS_R_LABELTOOLONG
- *	DNS_R_BADESCAPE
- *	(DNS_R_BADBITSTRING: should not be returned)
- *	(DNS_R_BITSTRINGTOOLONG: should not be returned)
- *	DNS_R_BADDOTTEDQUAD
- *	ISC_R_NOSPACE
- *	ISC_R_UNEXPECTEDEND
+ *\li	#ISC_R_SUCCESS
+ *\li	#DNS_R_EMPTYLABEL
+ *\li	#DNS_R_LABELTOOLONG
+ *\li	#DNS_R_BADESCAPE
+ *\li	(#DNS_R_BADBITSTRING: should not be returned)
+ *\li	(#DNS_R_BITSTRINGTOOLONG: should not be returned)
+ *\li	#DNS_R_BADDOTTEDQUAD
+ *\li	#ISC_R_NOSPACE
+ *\li	#ISC_R_UNEXPECTEDEND
  */
 
 isc_result_t
 dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 		isc_buffer_t *target);
-/*
+/*%<
  * Convert 'name' into text format, storing the result in 'target'.
  *
  * Notes:
- *	If 'omit_final_dot' is true, then the final '.' in absolute
+ *\li	If 'omit_final_dot' is true, then the final '.' in absolute
  *	names other than the root name will be omitted.
  *
- *	If dns_name_countlabels == 0, the name will be "@", representing the
- *	current origin as described by RFC 1035.
+ *\li	If dns_name_countlabels == 0, the name will be "@", representing the
+ *	current origin as described by RFC1035.
  *
- *	The name is not NUL terminated.
+ *\li	The name is not NUL terminated.
  *
  * Requires:
  *
- *	'name' is a valid name
+ *\li	'name' is a valid name
  *
- *	'target' is a valid buffer.
+ *\li	'target' is a valid buffer.
  *
- *	if dns_name_isabsolute == FALSE, then omit_final_dot == FALSE
+ *\li	if dns_name_isabsolute == FALSE, then omit_final_dot == FALSE
  *
  * Ensures:
  *
- *	If the result is success:
- *
- *		The used space in target is updated.
+ *\li	If the result is success:
+ *		the used space in target is updated.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
  */
 
 #define DNS_NAME_MAXTEXT 1023
-/*
+/*%<
  * The maximum length of the text representation of a domain
  * name as generated by dns_name_totext().  This does not
  * include space for a terminating NULL.
@@ -844,56 +860,53 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 isc_result_t
 dns_name_tofilenametext(dns_name_t *name, isc_boolean_t omit_final_dot,
 			isc_buffer_t *target);
-/*
+/*%<
  * Convert 'name' into an alternate text format appropriate for filenames,
  * storing the result in 'target'.  The name data is downcased, guaranteeing
  * that the filename does not depend on the case of the converted name.
  *
  * Notes:
- *	If 'omit_final_dot' is true, then the final '.' in absolute
+ *\li	If 'omit_final_dot' is true, then the final '.' in absolute
  *	names other than the root name will be omitted.
  *
- *	The name is not NUL terminated.
+ *\li	The name is not NUL terminated.
  *
  * Requires:
  *
- *	'name' is a valid absolute name
+ *\li	'name' is a valid absolute name
  *
- *	'target' is a valid buffer.
+ *\li	'target' is a valid buffer.
  *
  * Ensures:
  *
- *	If the result is success:
- *
- *		The used space in target is updated.
+ *\li	If the result is success:
+ *		the used space in target is updated.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
  */
 
 isc_result_t
 dns_name_downcase(dns_name_t *source, dns_name_t *name,
 		  isc_buffer_t *target);
-/*
+/*%<
  * Downcase 'source'.
  *
  * Requires:
  *
- *	'source' and 'name' are valid names.
- *
- *	If source == name, then
+ *\li	'source' and 'name' are valid names.
  *
+ *\li	If source == name, then
  *		'source' must not be read-only
  *
- *	Otherwise,
- *
+ *\li	Otherwise,
  *		'target' is a valid buffer or 'target' is NULL and
  *		'name' has a dedicated buffer.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
  *
  * Note: if source == name, then the result will always be ISC_R_SUCCESS.
  */
@@ -901,199 +914,198 @@ dns_name_downcase(dns_name_t *source, dns_name_t *name,
 isc_result_t
 dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix,
 		     dns_name_t *name, isc_buffer_t *target);
-/*
+/*%<
  *	Concatenate 'prefix' and 'suffix'.
  *
  * Requires:
  *
- *	'prefix' is a valid name or NULL.
+ *\li	'prefix' is a valid name or NULL.
  *
- *	'suffix' is a valid name or NULL.
+ *\li	'suffix' is a valid name or NULL.
  *
- *	'name' is a valid name or NULL.
+ *\li	'name' is a valid name or NULL.
  *
- *	'target' is a valid buffer or 'target' is NULL and 'name' has
+ *\li	'target' is a valid buffer or 'target' is NULL and 'name' has
  *	a dedicated buffer.
  *
- *	If 'prefix' is absolute, 'suffix' must be NULL or the empty name.
+ *\li	If 'prefix' is absolute, 'suffix' must be NULL or the empty name.
  *
  * Ensures:
  *
- *	On success,
+ *\li	On success,
  *	 	If 'target' is not NULL and 'name' is not NULL, then 'name'
  *		is attached to it.
- *
  *		The used space in target is updated.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE
- *	DNS_R_NAMETOOLONG
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *\li	#DNS_R_NAMETOOLONG
  */
 
 void
 dns_name_split(dns_name_t *name, unsigned int suffixlabels,
 	       dns_name_t *prefix, dns_name_t *suffix);
-/*
+/*%<
  *
  * Split 'name' into two pieces on a label boundary.
  *
  * Notes:
- *      'name' is split such that 'suffix' holds the most significant
+ * \li     'name' is split such that 'suffix' holds the most significant
  *      'suffixlabels' labels.  All other labels are stored in 'prefix'. 
  *
- *	Copying name data is avoided as much as possible, so 'prefix'
+ *\li	Copying name data is avoided as much as possible, so 'prefix'
  *	and 'suffix' will end up pointing at the data for 'name'.
  *
- *	It is legitimate to pass a 'prefix' or 'suffix' that has
+ *\li	It is legitimate to pass a 'prefix' or 'suffix' that has
  *	its name data stored someplace other than the dedicated buffer.
  *	This is useful to avoid name copying in the calling function.
  *
- *	It is also legitimate to pass a 'prefix' or 'suffix' that is
+ *\li	It is also legitimate to pass a 'prefix' or 'suffix' that is
  *	the same dns_name_t as 'name'.
  *
  * Requires:
- *	'name' is a valid name.
+ *\li	'name' is a valid name.
  *
- * 	'suffixlabels' cannot exceed the number of labels in 'name'.
+ *\li	'suffixlabels' cannot exceed the number of labels in 'name'.
  *
- *	'prefix' is a valid name or NULL, and cannot be read-only.
+ * \li	'prefix' is a valid name or NULL, and cannot be read-only.
  *
- *	'suffix' is a valid name or NULL, and cannot be read-only.
+ *\li	'suffix' is a valid name or NULL, and cannot be read-only.
  *
- *	If non-NULL, 'prefix' and 'suffix' must have dedicated buffers.
+ *\li	If non-NULL, 'prefix' and 'suffix' must have dedicated buffers.
  *
- *	'prefix' and 'suffix' cannot point to the same buffer.
+ *\li	'prefix' and 'suffix' cannot point to the same buffer.
  *
  * Ensures:
  *
- *	On success:
+ *\li	On success:
  *		If 'prefix' is not NULL it will contain the least significant
  *		labels.
- *
  *		If 'suffix' is not NULL it will contain the most significant
  *		labels.  dns_name_countlabels(suffix) will be equal to
  *		suffixlabels.
  *
- *	On failure:
+ *\li	On failure:
  *		Either 'prefix' or 'suffix' is invalidated (depending
  *		on which one the problem was encountered with).
  *
  * Returns:
- *	ISC_R_SUCCESS	No worries.  (This function should always success).
+ *\li	#ISC_R_SUCCESS	No worries.  (This function should always success).
  */
 
 isc_result_t
-dns_name_dup(const dns_name_t *source, isc_mem_t *mctx, dns_name_t *target);
-/*
+dns_name_dup(const dns_name_t *source, isc_mem_t *mctx,
+	     dns_name_t *target);
+/*%<
  * Make 'target' a dynamically allocated copy of 'source'.
  *
  * Requires:
  *
- *	'source' is a valid non-empty name.
+ *\li	'source' is a valid non-empty name.
  *
- *	'target' is a valid name that is not read-only.
+ *\li	'target' is a valid name that is not read-only.
  *
- *	'mctx' is a valid memory context.
+ *\li	'mctx' is a valid memory context.
  */
 
 isc_result_t
 dns_name_dupwithoffsets(dns_name_t *source, isc_mem_t *mctx,
 			dns_name_t *target);
-/*
+/*%<
  * Make 'target' a read-only dynamically allocated copy of 'source'.
  * 'target' will also have a dynamically allocated offsets table.
  *
  * Requires:
  *
- *	'source' is a valid non-empty name.
+ *\li	'source' is a valid non-empty name.
  *
- *	'target' is a valid name that is not read-only.
+ *\li	'target' is a valid name that is not read-only.
  *
- *	'target' has no offsets table.
+ *\li	'target' has no offsets table.
  *
- *	'mctx' is a valid memory context.
+ *\li	'mctx' is a valid memory context.
  */
 
 void
 dns_name_free(dns_name_t *name, isc_mem_t *mctx);
-/*
+/*%<
  * Free 'name'.
  *
  * Requires:
  *
- *	'name' is a valid name created previously in 'mctx' by dns_name_dup().
+ *\li	'name' is a valid name created previously in 'mctx' by dns_name_dup().
  *
- *	'mctx' is a valid memory context.
+ *\li	'mctx' is a valid memory context.
  *
  * Ensures:
  *
- *	All dynamic resources used by 'name' are freed and the name is
+ *\li	All dynamic resources used by 'name' are freed and the name is
  *	invalidated.
  */
 
 isc_result_t
 dns_name_digest(dns_name_t *name, dns_digestfunc_t digest, void *arg);
-/*
+/*%<
  * Send 'name' in DNSSEC canonical form to 'digest'.
  *
  * Requires:
  *
- *	'name' is a valid name.
+ *\li	'name' is a valid name.
  *
- *	'digest' is a valid dns_digestfunc_t.
+ *\li	'digest' is a valid dns_digestfunc_t.
  *
  * Ensures:
  *
- *	If successful, the DNSSEC canonical form of 'name' will have been
+ *\li	If successful, the DNSSEC canonical form of 'name' will have been
  *	sent to 'digest'.
  *
- *	If digest() returns something other than ISC_R_SUCCESS, that result
+ *\li	If digest() returns something other than ISC_R_SUCCESS, that result
  *	will be returned as the result of dns_name_digest().
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_SUCCESS
  *
- *	Many other results are possible if not successful.
+ *\li	Many other results are possible if not successful.
  *
  */
 
 isc_boolean_t
 dns_name_dynamic(dns_name_t *name);
-/*
+/*%<
  * Returns whether there is dynamic memory associated with this name.
  *
  * Requires:
  *
- *	'name' is a valid name.
+ *\li	'name' is a valid name.
  *
  * Returns:
  *
- *	'ISC_TRUE' if the name is dynamic othewise 'ISC_FALSE'.
+ *\li	'ISC_TRUE' if the name is dynamic othewise 'ISC_FALSE'.
  */
 
 isc_result_t
 dns_name_print(dns_name_t *name, FILE *stream);
-/*
+/*%<
  * Print 'name' on 'stream'.
  *
  * Requires:
  *
- *	'name' is a valid name.
+ *\li	'name' is a valid name.
  *
- *	'stream' is a valid stream.
+ *\li	'stream' is a valid stream.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_SUCCESS
  *
- *	Any error that dns_name_totext() can return.
+ *\li	Any error that dns_name_totext() can return.
  */
 
 void
 dns_name_format(dns_name_t *name, char *cp, unsigned int size);
-/*
+/*%<
  * Format 'name' as text appropriate for use in log messages.
  *
  * Store the formatted name at 'cp', writing no more than
@@ -1108,47 +1120,63 @@ dns_name_format(dns_name_t *name, char *cp, unsigned int size);
  *
  * Requires:
  *
- *	'name' is a valid name.
+ *\li	'name' is a valid name.
  *
- *	'cp' points a valid character array of size 'size'.
+ *\li	'cp' points a valid character array of size 'size'.
  *
- *	'size' > 0.
+ *\li	'size' > 0.
  *
  */
 
+isc_result_t
+dns_name_settotextfilter(dns_name_totextfilter_t proc);
+/*%<
+ * Set / clear a thread specific function 'proc' to be called at the
+ * end of dns_name_totext().
+ *
+ * Note: Under Windows you need to call "dns_name_settotextfilter(NULL);"
+ * prior to exiting the thread otherwise memory will be leaked.
+ * For other platforms, which are pthreads based, this is still a good
+ * idea but not required.
+ *
+ * Returns
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_UNEXPECTED
+ */
+
 #define DNS_NAME_FORMATSIZE (DNS_NAME_MAXTEXT + 1)
-/*
+/*%<
  * Suggested size of buffer passed to dns_name_format().
  * Includes space for the terminating NULL.
  */
 
 isc_result_t
 dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target);
-/*
+/*%<
  * Makes 'dest' refer to a copy of the name in 'source'.  The data are
  * either copied to 'target' or the dedicated buffer in 'dest'.
  *
  * Requires:
- * 	'source' is a valid name.
+ * \li	'source' is a valid name.
  *
- * 	'dest' is an initialized name with a dedicated buffer.
+ * \li	'dest' is an initialized name with a dedicated buffer.
  *
- * 	'target' is NULL or an initialized buffer.
+ * \li	'target' is NULL or an initialized buffer.
  *
- * 	Either dest has a dedicated buffer or target != NULL.
+ * \li	Either dest has a dedicated buffer or target != NULL.
  *
  * Ensures:
  *
- *	On success, the used space in target is updated.
+ *\li	On success, the used space in target is updated.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
  */
 
 isc_boolean_t
 dns_name_ishostname(const dns_name_t *name, isc_boolean_t wildcard);
-/*
+/*%<
  * Return if 'name' is a valid hostname.  RFC 952 / RFC 1123.
  * If 'wildcard' is ISC_TRUE then allow the first label of name to
  * be a wildcard.
@@ -1161,16 +1189,37 @@ dns_name_ishostname(const dns_name_t *name, isc_boolean_t wildcard);
 
 isc_boolean_t
 dns_name_ismailbox(const dns_name_t *name);
-/*
+/*%<
  * Return if 'name' is a valid mailbox.  RFC 821.
  *
  * Requires:
- *	'name' to be valid.
+ * \li	'name' to be valid.
+ */
+
+isc_boolean_t
+dns_name_internalwildcard(const dns_name_t *name);
+/*%<
+ * Return if 'name' contains a internal wildcard name.
+ *
+ * Requires:
+ * \li	'name' to be valid.
+ */
+
+void
+dns_name_destroy(void);
+/*%<
+ * Cleanup dns_name_settotextfilter() / dns_name_totext() state.
+ *
+ * This should be called as part of the final cleanup process.
+ *
+ * Note: dns_name_settotextfilter(NULL); should be called for all
+ * threads which have called dns_name_settotextfilter() with a
+ * non-NULL argument prior to calling dns_name_destroy();
  */
 
 ISC_LANG_ENDDECLS
 
-/***
+/*
  *** High Peformance Macros
  ***/
 
diff --git a/contrib/bind9/lib/dns/include/dns/ncache.h b/contrib/bind9/lib/dns/include/dns/ncache.h
index 6bf6003..459effb 100644
--- a/contrib/bind9/lib/dns/include/dns/ncache.h
+++ b/contrib/bind9/lib/dns/include/dns/ncache.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.h,v 1.12.12.5 2004/03/08 09:04:37 marka Exp $ */
+/* $Id: ncache.h,v 1.17.18.2 2005/04/29 00:16:16 marka Exp $ */
 
 #ifndef DNS_NCACHE_H
 #define DNS_NCACHE_H 1
@@ -24,25 +24,26 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ *\brief
  * DNS Ncache
  *
- * XXX <TBS> XXX
+ * XXX TBS XXX
  *
  * MP:
- *	The caller must ensure any required synchronization.
+ *\li	The caller must ensure any required synchronization.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	<TBS>
+ *\li	TBS
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Standards:
- *	RFC 2308
+ *\li	RFC2308
  */
 
 #include <isc/lang.h>
@@ -52,7 +53,7 @@
 
 ISC_LANG_BEGINDECLS
 
-/*
+/*%
  * _OMITDNSSEC:
  *      Omit DNSSEC records when rendering.
  */
@@ -62,7 +63,7 @@ isc_result_t
 dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 	       dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
 	       dns_rdataset_t *addedrdataset);
-/*
+/*%<
  * Convert the authority data from 'message' into a negative cache
  * rdataset, and store it in 'cache' at 'node' with a TTL limited to
  * 'maxttl'.
@@ -71,21 +72,21 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
  * or dns_rdatatype_any when caching a NXDOMAIN response.
  *
  * Note:
- *	If 'addedrdataset' is not NULL, then it will be attached to the added
+ *\li	If 'addedrdataset' is not NULL, then it will be attached to the added
  *	rdataset.  See dns_db_addrdataset() for more details.
  *
  * Requires:
- *	'message' is a valid message with a properly formatting negative cache
+ *\li	'message' is a valid message with a properly formatting negative cache
  *	authority section.
  *
- *	The requirements of dns_db_addrdataset() apply to 'cache', 'node',
+ *\li	The requirements of dns_db_addrdataset() apply to 'cache', 'node',
  *	'now', and 'addedrdataset'.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
  *
- *	Any result code of dns_db_addrdataset() is a possible result code
+ *\li	Any result code of dns_db_addrdataset() is a possible result code
  *	of dns_ncache_add().
  */
 
@@ -93,63 +94,63 @@ isc_result_t
 dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
 		  isc_buffer_t *target, unsigned int options,
 		  unsigned int *countp);
-/*
+/*%<
  * Convert the negative caching rdataset 'rdataset' to wire format,
  * compressing names as specified in 'cctx', and storing the result in
  * 'target'.  If 'omit_dnssec' is set, DNSSEC records will not
  * be added to 'target'.
  *
  * Notes:
- *	The number of RRs added to target will be added to *countp.
+ *\li	The number of RRs added to target will be added to *countp.
  *
  * Requires:
- *	'rdataset' is a valid negative caching rdataset.
+ *\li	'rdataset' is a valid negative caching rdataset.
  *
- *	'rdataset' is not empty.
+ *\li	'rdataset' is not empty.
  *
- *	'countp' is a valid pointer.
+ *\li	'countp' is a valid pointer.
  *
  * Ensures:
- *	On a return of ISC_R_SUCCESS, 'target' contains a wire format
+ *\li	On a return of ISC_R_SUCCESS, 'target' contains a wire format
  *	for the data contained in 'rdataset'.  Any error return leaves
  *	the buffer unchanged.
  *
- *	*countp has been incremented by the number of RRs added to
+ *\li	*countp has been incremented by the number of RRs added to
  *	target.
  *
  * Returns:
- *	ISC_R_SUCCESS		- all ok
- *	ISC_R_NOSPACE		- 'target' doesn't have enough room
+ *\li	#ISC_R_SUCCESS		- all ok
+ *\li	#ISC_R_NOSPACE		- 'target' doesn't have enough room
  *
- *	Any error returned by dns_rdata_towire(), dns_rdataset_next(),
+ *\li	Any error returned by dns_rdata_towire(), dns_rdataset_next(),
  *	dns_name_towire().
  */
 
 isc_result_t
 dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
 		       dns_rdatatype_t type, dns_rdataset_t *rdataset);
-/*
+/*%<
  * Search the negative caching rdataset for an rdataset with the
  * specified name and type.
  *
  * Requires:
- *	'ncacherdataset' is a valid negative caching rdataset.
+ *\li	'ncacherdataset' is a valid negative caching rdataset.
  *
- *	'ncacherdataset' is not empty.
+ *\li	'ncacherdataset' is not empty.
  *
- *	'name' is a valid name.
+ *\li	'name' is a valid name.
  *
- *	'type' is not SIG, or a meta-RR type.
+ *\li	'type' is not SIG, or a meta-RR type.
  *
- *	'rdataset' is a valid disassociated rdataset.
+ *\li	'rdataset' is a valid disassociated rdataset.
  *
  * Ensures:
- *	On a return of ISC_R_SUCCESS, 'rdataset' is bound to the found
+ *\li	On a return of ISC_R_SUCCESS, 'rdataset' is bound to the found
  *	rdataset.
  *
  * Returns:
- *	ISC_R_SUCCESS		- the rdataset was found.
- *	ISC_R_NOTFOUND		- the rdataset was not found.
+ *\li	#ISC_R_SUCCESS		- the rdataset was found.
+ *\li	#ISC_R_NOTFOUND		- the rdataset was not found.
  *
  */
 
diff --git a/contrib/bind9/lib/dns/include/dns/nsec.h b/contrib/bind9/lib/dns/include/dns/nsec.h
index 68a5833..46b75fa 100644
--- a/contrib/bind9/lib/dns/include/dns/nsec.h
+++ b/contrib/bind9/lib/dns/include/dns/nsec.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec.h,v 1.4.2.1 2004/03/08 02:08:00 marka Exp $ */
+/* $Id: nsec.h,v 1.4.20.2 2005/04/29 00:16:16 marka Exp $ */
 
 #ifndef DNS_NSEC_H
 #define DNS_NSEC_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -33,33 +35,33 @@ isc_result_t
 dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 		    dns_dbnode_t *node, dns_name_t *target,
 		    unsigned char *buffer, dns_rdata_t *rdata);
-/*
+/*%<
  * Build the rdata of a NSEC record.
  *
  * Requires:
- *	buffer	Points to a temporary buffer of at least
+ *\li	buffer	Points to a temporary buffer of at least
  * 		DNS_NSEC_BUFFERSIZE bytes.
- *	rdata	Points to an initialized dns_rdata_t.
+ *\li	rdata	Points to an initialized dns_rdata_t.
  *
  * Ensures:
- *      *rdata	Contains a valid NSEC rdata.  The 'data' member refers
+ *  \li    *rdata	Contains a valid NSEC rdata.  The 'data' member refers
  *		to 'buffer'.
  */
 
 isc_result_t
 dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 	       dns_name_t *target, dns_ttl_t ttl);
-/*
+/*%<
  * Build a NSEC record and add it to a database.
  */
 
 isc_boolean_t
 dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
-/*
+/*%<
  * Determine if a type is marked as present in an NSEC record.
  *
  * Requires:
- *	'nsec' points to a valid rdataset of type NSEC
+ *\li	'nsec' points to a valid rdataset of type NSEC
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/opcode.h b/contrib/bind9/lib/dns/include/dns/opcode.h
index 4d656b8..4796dba 100644
--- a/contrib/bind9/lib/dns/include/dns/opcode.h
+++ b/contrib/bind9/lib/dns/include/dns/opcode.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: opcode.h,v 1.1.200.3 2004/03/08 09:04:37 marka Exp $ */
+/* $Id: opcode.h,v 1.2.18.2 2005/04/29 00:16:16 marka Exp $ */
 
 #ifndef DNS_OPCODE_H
 #define DNS_OPCODE_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -27,21 +29,21 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t dns_opcode_totext(dns_opcode_t opcode, isc_buffer_t *target);
-/*
+/*%<
  * Put a textual representation of error 'opcode' into 'target'.
  *
  * Requires:
- *	'opcode' is a valid opcode.
+ *\li	'opcode' is a valid opcode.
  *
- *	'target' is a valid text buffer.
+ *\li	'target' is a valid text buffer.
  *
  * Ensures:
- *	If the result is success:
+ *\li	If the result is success:
  *		The used space in 'target' is updated.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	ISC_R_NOSPACE			target buffer is too small
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/order.h b/contrib/bind9/lib/dns/include/dns/order.h
index e28e3ca..6458db0 100644
--- a/contrib/bind9/lib/dns/include/dns/order.h
+++ b/contrib/bind9/lib/dns/include/dns/order.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: order.h,v 1.2.202.3 2004/03/08 09:04:37 marka Exp $ */
+/* $Id: order.h,v 1.3.18.2 2005/04/29 00:16:17 marka Exp $ */
 
 #ifndef DNS_ORDER_H
 #define DNS_ORDER_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/types.h>
 
@@ -29,67 +31,67 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_order_create(isc_mem_t *mctx, dns_order_t **orderp);
-/*
+/*%<
  * Create a order object.
  *
  * Requires:
- * 	'orderp' to be non NULL and '*orderp == NULL'.
- *	'mctx' to be valid.
+ * \li	'orderp' to be non NULL and '*orderp == NULL'.
+ *\li	'mctx' to be valid.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMEMORY
  */
 
 isc_result_t
 dns_order_add(dns_order_t *order, dns_name_t *name,
 	      dns_rdatatype_t rdtype, dns_rdataclass_t rdclass,
 	      unsigned int mode);
-/*
+/*%<
  * Add a entry to the end of the order list.
  *
  * Requires:
- * 	'order' to be valid.
- *	'name' to be valid.
- *	'mode' to be one of DNS_RDATASERATTR_RANDOMIZE,
- *		DNS_RDATASERATTR_RANDOMIZE or zero (DNS_RDATASERATTR_CYCLIC).
+ * \li	'order' to be valid.
+ *\li	'name' to be valid.
+ *\li	'mode' to be one of #DNS_RDATASERATTR_RANDOMIZE,
+ *		#DNS_RDATASERATTR_RANDOMIZE or zero (#DNS_RDATASERATTR_CYCLIC).
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
  */
 
 unsigned int
 dns_order_find(dns_order_t *order, dns_name_t *name,
 	       dns_rdatatype_t rdtype, dns_rdataclass_t rdclass);
-/*
+/*%<
  * Find the first matching entry on the list.
  *
  * Requires:
- *	'order' to be valid.
- *	'name' to be valid.
+ *\li	'order' to be valid.
+ *\li	'name' to be valid.
  *
  * Returns the mode set by dns_order_add() or zero.
  */
 
 void
 dns_order_attach(dns_order_t *source, dns_order_t **target);
-/*
+/*%<
  * Attach to the 'source' object.
  *
  * Requires:
- * 	'source' to be valid.
- *	'target' to be non NULL and '*target == NULL'.
+ * \li	'source' to be valid.
+ *\li	'target' to be non NULL and '*target == NULL'.
  */
 
 void
 dns_order_detach(dns_order_t **orderp);
-/*
+/*%<
  * Detach from the object.  Clean up if last this was the last
  * reference.
  *
  * Requires:
- *	'*orderp' to be valid.
+ *\li	'*orderp' to be valid.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/peer.h b/contrib/bind9/lib/dns/include/dns/peer.h
index 9032964..be5a8c3 100644
--- a/contrib/bind9/lib/dns/include/dns/peer.h
+++ b/contrib/bind9/lib/dns/include/dns/peer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.h,v 1.16.2.1.10.5 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: peer.h,v 1.20.18.8 2006/02/28 03:10:48 marka Exp $ */
 
 #ifndef DNS_PEER_H
 #define DNS_PEER_H 1
@@ -24,7 +24,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * Data structures for peers (e.g. a 'server' config file statement)
  */
 
@@ -64,6 +65,7 @@ struct dns_peer {
 	isc_mem_t	       *mem;
 
 	isc_netaddr_t		address;
+	unsigned int		prefixlen;
 	isc_boolean_t		bogus;
 	dns_transfer_format_t	transfer_format;
 	isc_uint32_t		transfers;
@@ -73,6 +75,10 @@ struct dns_peer {
 	isc_boolean_t		support_edns;
 	dns_name_t	       *key;
 	isc_sockaddr_t	       *transfer_source;
+	isc_sockaddr_t	       *notify_source;  
+	isc_sockaddr_t	       *query_source;  
+	isc_uint16_t		udpsize;		/* recieve size */
+	isc_uint16_t		maxudp;			/* transmit size */
 
 	isc_uint32_t		bitflags;
 
@@ -115,6 +121,10 @@ dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval);
 isc_result_t
 dns_peer_new(isc_mem_t *mem, isc_netaddr_t *ipaddr, dns_peer_t **peer);
 
+isc_result_t
+dns_peer_newprefix(isc_mem_t *mem, isc_netaddr_t *ipaddr,
+		   unsigned int prefixlen, dns_peer_t **peer);
+
 void
 dns_peer_attach(dns_peer_t *source, dns_peer_t **target);
 
@@ -173,6 +183,30 @@ dns_peer_settransfersource(dns_peer_t *peer,
 isc_result_t
 dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source);
 
+isc_result_t
+dns_peer_setudpsize(dns_peer_t *peer, isc_uint16_t udpsize);
+
+isc_result_t
+dns_peer_getudpsize(dns_peer_t *peer, isc_uint16_t *udpsize);
+
+isc_result_t
+dns_peer_setmaxudp(dns_peer_t *peer, isc_uint16_t maxudp);
+
+isc_result_t
+dns_peer_getmaxudp(dns_peer_t *peer, isc_uint16_t *maxudp);
+
+isc_result_t
+dns_peer_setnotifysource(dns_peer_t *peer, const isc_sockaddr_t *notify_source);
+
+isc_result_t
+dns_peer_getnotifysource(dns_peer_t *peer, isc_sockaddr_t *notify_source);
+
+isc_result_t
+dns_peer_setquerysource(dns_peer_t *peer, const isc_sockaddr_t *query_source);
+
+isc_result_t
+dns_peer_getquerysource(dns_peer_t *peer, isc_sockaddr_t *query_source);
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_PEER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/portlist.h b/contrib/bind9/lib/dns/include/dns/portlist.h
index ea672a9..2d400d4 100644
--- a/contrib/bind9/lib/dns/include/dns/portlist.h
+++ b/contrib/bind9/lib/dns/include/dns/portlist.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: portlist.h,v 1.2.84.2 2004/03/06 08:13:58 marka Exp $ */
+/* $Id: portlist.h,v 1.3.18.2 2005/04/29 00:16:17 marka Exp $ */
+
+/*! \file */
 
 #include <isc/lang.h>
 #include <isc/net.h>
@@ -27,73 +29,73 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp);
-/*
+/*%<
  * Create a port list.
  * 
  * Requires:
- *	'mctx' to be valid.
- *	'portlistp' to be non NULL and '*portlistp' to be NULL;
+ *\li	'mctx' to be valid.
+ *\li	'portlistp' to be non NULL and '*portlistp' to be NULL;
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
  */
 
 isc_result_t
 dns_portlist_add(dns_portlist_t *portlist, int af, in_port_t port);
-/*
+/*%<
  * Add the given <port,af> tuple to the portlist.
  *
  * Requires:
- *	'portlist' to be valid.
- *	'af' to be AF_INET or AF_INET6
+ *\li	'portlist' to be valid.
+ *\li	'af' to be AF_INET or AF_INET6
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
  */
 
 void
 dns_portlist_remove(dns_portlist_t *portlist, int af, in_port_t port);
-/*
+/*%<
  * Remove the given <port,af> tuple to the portlist.
  *
  * Requires:
- *	'portlist' to be valid.
- *	'af' to be AF_INET or AF_INET6
+ *\li	'portlist' to be valid.
+ *\li	'af' to be AF_INET or AF_INET6
  */
 
 isc_boolean_t
 dns_portlist_match(dns_portlist_t *portlist, int af, in_port_t port);
-/*
+/*%<
  * Find the given <port,af> tuple to the portlist.
  *
  * Requires:
- *	'portlist' to be valid.
- *	'af' to be AF_INET or AF_INET6
+ *\li	'portlist' to be valid.
+ *\li	'af' to be AF_INET or AF_INET6
  *
  * Returns
- * 	ISC_TRUE if the tuple is found, ISC_FALSE otherwise.
+ * \li	#ISC_TRUE if the tuple is found, ISC_FALSE otherwise.
  */
 
 void
 dns_portlist_attach(dns_portlist_t *portlist, dns_portlist_t **portlistp);
-/*
+/*%<
  * Attach to a port list.
  *
  * Requires:
- *	'portlist' to be valid.
- *	'portlistp' to be non NULL and '*portlistp' to be NULL;
+ *\li	'portlist' to be valid.
+ *\li	'portlistp' to be non NULL and '*portlistp' to be NULL;
  */
 
 void
 dns_portlist_detach(dns_portlist_t **portlistp);
-/*
+/*%<
  * Detach from a port list.
  *
  * Requires:
- *	'*portlistp' to be valid.
+ *\li	'*portlistp' to be valid.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/rbt.h b/contrib/bind9/lib/dns/include/dns/rbt.h
index 6f99a7d..a1edf0c 100644
--- a/contrib/bind9/lib/dns/include/dns/rbt.h
+++ b/contrib/bind9/lib/dns/include/dns/rbt.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,16 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt.h,v 1.55.12.6 2004/10/11 05:55:51 marka Exp $ */
+/* $Id: rbt.h,v 1.59.18.5 2005/10/13 01:26:07 marka Exp $ */
 
 #ifndef DNS_RBT_H
 #define DNS_RBT_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/magic.h>
+#include <isc/refcount.h>
 
 #include <dns/types.h>
 
@@ -29,7 +32,8 @@ ISC_LANG_BEGINDECLS
 
 #define DNS_RBT_USEHASH 1
 
-/*
+/*@{*/
+/*%
  * Option values for dns_rbt_findnode() and dns_rbt_findname().
  * These are used to form a bitmask.
  */
@@ -37,6 +41,13 @@ ISC_LANG_BEGINDECLS
 #define DNS_RBTFIND_EMPTYDATA			0x01
 #define DNS_RBTFIND_NOEXACT			0x02
 #define DNS_RBTFIND_NOPREDECESSOR		0x04
+/*@}*/
+
+#ifndef DNS_RBT_USEISCREFCOUNT
+#ifdef ISC_REFCOUNT_HAVEATOMIC
+#define DNS_RBT_USEISCREFCOUNT 1
+#endif
+#endif
 
 /*
  * These should add up to 30.
@@ -51,7 +62,7 @@ ISC_LANG_BEGINDECLS
 #define DNS_RBTNODE_VALID(n)		ISC_TRUE
 #endif
 
-/*
+/*%
  * This is the structure that is used for each node in the red/black
  * tree of trees.  NOTE WELL:  the implementation manages this as a variable
  * length structure, with the actual wire-format name and other data
@@ -69,7 +80,8 @@ typedef struct dns_rbtnode {
 #ifdef DNS_RBT_USEHASH
 	struct dns_rbtnode *hashnext;
 #endif
-	/*
+	/*@{*/
+	/*!
 	 * The following bitfields add up to a total bitwidth of 32.
 	 * The range of values necessary for each item is indicated,
 	 * but in the case of "attributes" the field is wider to accomodate
@@ -81,19 +93,21 @@ typedef struct dns_rbtnode {
 	 * In each case below the "range" indicated is what's _necessary_ for
 	 * the bitfield to hold, not what it actually _can_ hold.
 	 */
-	unsigned int is_root : 1;	/* range is 0..1 */
-	unsigned int color : 1;		/* range is 0..1 */
-	unsigned int find_callback : 1;	/* range is 0..1 */
-	unsigned int attributes : 4;	/* range is 0..2 */
-	unsigned int namelen : 8;	/* range is 1..255 */
-	unsigned int offsetlen : 8;	/* range is 1..128 */
-	unsigned int padbytes : 9;	/* range is 0..380 */
+	unsigned int is_root : 1;	/*%< range is 0..1 */
+	unsigned int color : 1;		/*%< range is 0..1 */
+	unsigned int find_callback : 1;	/*%< range is 0..1 */
+	unsigned int attributes : 4;	/*%< range is 0..2 */
+	unsigned int namelen : 8;	/*%< range is 1..255 */
+	unsigned int offsetlen : 8;	/*%< range is 1..128 */
+	unsigned int padbytes : 9;	/*%< range is 0..380 */
+	/*@}*/
 
 #ifdef DNS_RBT_USEHASH
 	unsigned int hashval;
 #endif
 
-	/*
+	/*@{*/
+	/*!
 	 * These values are used in the RBT DB implementation.  The appropriate
 	 * node lock must be held before accessing them.
 	 */
@@ -101,7 +115,12 @@ typedef struct dns_rbtnode {
 	unsigned int dirty:1;
 	unsigned int wild:1;
 	unsigned int locknum:DNS_RBT_LOCKLENGTH;
+#ifndef DNS_RBT_USEISCREFCOUNT
 	unsigned int references:DNS_RBT_REFLENGTH;
+#else
+	isc_refcount_t references; /* note that this is not in the bitfield */
+#endif
+	/*@}*/
 } dns_rbtnode_t;
 
 typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
@@ -112,7 +131,7 @@ typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
  *****	Chain Info
  *****/
 
-/*
+/*!
  * A chain is used to keep track of the sequence of nodes to reach any given
  * node from the root of the tree.  Originally nodes did not have parent
  * pointers in them (for memory usage reasons) so there was no way to find
@@ -151,7 +170,7 @@ typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
  * functions but additionally can provide the node to which the chain points.
  */
 
-/*
+/*%
  * The number of level blocks to allocate at a time.  Currently the maximum
  * number of levels is allocated directly in the structure, but future
  * revisions of this code might have a static initial block with dynamic
@@ -165,14 +184,14 @@ typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
 typedef struct dns_rbtnodechain {
 	unsigned int		magic;
 	isc_mem_t *		mctx;
-	/*
+	/*%
 	 * The terminal node of the chain.  It is not in levels[].
 	 * This is ostensibly private ... but in a pinch it could be
 	 * used tell that the chain points nowhere without needing to
 	 * call dns_rbtnodechain_current().
 	 */
 	dns_rbtnode_t *		end;
-	/*
+	/*%
 	 * The maximum number of labels in a name is 128; bitstrings mean
 	 * a conceptually very large number (which I have not bothered to
 	 * compute) of logical levels because splitting can potentially occur
@@ -181,7 +200,7 @@ typedef struct dns_rbtnodechain {
 	 * in the worst case.
 	 */
 	dns_rbtnode_t *		levels[DNS_RBT_LEVELBLOCK];
-	/*
+	/*%
 	 * level_count indicates how deep the chain points into the
 	 * tree of trees, and is the index into the levels[] array.
 	 * Thus, levels[level_count - 1] is the last level node stored.
@@ -190,7 +209,7 @@ typedef struct dns_rbtnodechain {
 	 * so on.
 	 */
 	unsigned int		level_count;
-	/*
+	/*%
 	 * level_matches tells how many levels matched above the node
 	 * returned by dns_rbt_findnode().  A match (partial or exact) found
 	 * in the first level thus results in level_matches being set to 1.
@@ -203,44 +222,43 @@ typedef struct dns_rbtnodechain {
 /*****
  ***** Public interfaces.
  *****/
-
 isc_result_t
 dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
 	       void *deleter_arg, dns_rbt_t **rbtp);
-/*
+/*%<
  * Initialize a red-black tree of trees.
  *
  * Notes:
- *	The deleter argument, if non-null, points to a function that is
+ *\li	The deleter argument, if non-null, points to a function that is
  *	responsible for cleaning up any memory associated with the data
  *	pointer of a node when the node is deleted.  It is passed the
  *	deleted node's data pointer as its first argument and deleter_arg
  *	as its second argument.
  *
  * Requires:
- * 	mctx is a pointer to a valid memory context.
- *	rbtp != NULL && *rbtp == NULL
- *	arg == NULL iff deleter == NULL
+ * \li	mctx is a pointer to a valid memory context.
+ *\li	rbtp != NULL && *rbtp == NULL
+ *\li	arg == NULL iff deleter == NULL
  *
  * Ensures:
- *	If result is ISC_R_SUCCESS:
+ *\li	If result is ISC_R_SUCCESS:
  *		*rbtp points to a valid red-black tree manager
  *
- *	If result is failure:
+ *\li	If result is failure:
  *		*rbtp does not point to a valid red-black tree manager.
  *
  * Returns:
- *	ISC_R_SUCCESS	Success
- *	ISC_R_NOMEMORY	Resource limit: Out of Memory
+ *\li	#ISC_R_SUCCESS	Success
+ *\li	#ISC_R_NOMEMORY	Resource limit: Out of Memory
  */
 
 isc_result_t
 dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data);
-/*
+/*%<
  * Add 'name' to the tree of trees, associated with 'data'.
  *
  * Notes:
- *	'data' is never required to be non-NULL, but specifying it
+ *\li	'data' is never required to be non-NULL, but specifying it
  *	when the name is added is faster than searching for 'name'
  *	again and then setting the data pointer.  The lack of a data pointer
  *	for a node also has other ramifications regarding whether
@@ -248,106 +266,103 @@ dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data);
  *	joins nodes.
  *
  * Requires:
- *	rbt is a valid rbt manager.
- *	dns_name_isabsolute(name) == TRUE
+ *\li	rbt is a valid rbt manager.
+ *\li	dns_name_isabsolute(name) == TRUE
  *
  * Ensures:
- *	'name' is not altered in any way.
+ *\li	'name' is not altered in any way.
  *
- *	Any external references to nodes in the tree are unaffected by
+ *\li	Any external references to nodes in the tree are unaffected by
  *	node splits that are necessary to insert the new name.
  *
- *	If result is ISC_R_SUCCESS:
+ *\li	If result is #ISC_R_SUCCESS:
  *		'name' is findable in the red/black tree of trees in O(log N).
- *
  *		The data pointer of the node for 'name' is set to 'data'.
  *
- *	If result is ISC_R_EXISTS or ISC_R_NOSPACE:
+ *\li	If result is #ISC_R_EXISTS or #ISC_R_NOSPACE:
  *		The tree of trees is unaltered.
  *
- *	If result is ISC_R_NOMEMORY:
+ *\li	If result is #ISC_R_NOMEMORY:
  *		No guarantees.
  *
  * Returns:
- *	ISC_R_SUCCESS	Success
- *	ISC_R_EXISTS	The name already exists with associated data.
- *	ISC_R_NOSPACE 	The name had more logical labels than are allowed.
- *	ISC_R_NOMEMORY	Resource Limit: Out of Memory
+ *\li	#ISC_R_SUCCESS	Success
+ *\li	#ISC_R_EXISTS	The name already exists with associated data.
+ *\li	#ISC_R_NOSPACE 	The name had more logical labels than are allowed.
+ *\li	#ISC_R_NOMEMORY	Resource Limit: Out of Memory
  */
 
 isc_result_t
 dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep);
 
-/*
+/*%<
  * Just like dns_rbt_addname, but returns the address of the node.
  *
  * Requires:
- *	rbt is a valid rbt structure.
- *	dns_name_isabsolute(name) == TRUE
- *	nodep != NULL && *nodep == NULL
+ *\li	rbt is a valid rbt structure.
+ *\li	dns_name_isabsolute(name) == TRUE
+ *\li	nodep != NULL && *nodep == NULL
  *
  * Ensures:
- *	'name' is not altered in any way.
+ *\li	'name' is not altered in any way.
  *
- *	Any external references to nodes in the tree are unaffected by
+ *\li	Any external references to nodes in the tree are unaffected by
  *	node splits that are necessary to insert the new name.
  *
- *	If result is ISC_R_SUCCESS:
+ *\li	If result is ISC_R_SUCCESS:
  *		'name' is findable in the red/black tree of trees in O(log N).
- *
  *		*nodep is the node that was added for 'name'.
  *
- *	If result is ISC_R_EXISTS:
+ *\li	If result is ISC_R_EXISTS:
  *		The tree of trees is unaltered.
- *
  *		*nodep is the existing node for 'name'.
  *
- *	If result is ISC_R_NOMEMORY:
+ *\li	If result is ISC_R_NOMEMORY:
  *		No guarantees.
  *
  * Returns:
- *	ISC_R_SUCCESS	Success
- *	ISC_R_EXISTS	The name already exists, possibly without data.
- *	ISC_R_NOMEMORY	Resource Limit: Out of Memory
+ *\li	#ISC_R_SUCCESS	Success
+ *\li	#ISC_R_EXISTS	The name already exists, possibly without data.
+ *\li	#ISC_R_NOMEMORY	Resource Limit: Out of Memory
  */
 
 isc_result_t
 dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name, unsigned int options,
 		 dns_name_t *foundname, void **data);
-/*
+/*%<
  * Get the data pointer associated with 'name'.
  *
  * Notes:
- *	When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
- *      returned (also subject to DNS_RBTFIND_EMPTYDATA), even when there is
+ *\li	When #DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
+ *      returned (also subject to #DNS_RBTFIND_EMPTYDATA), even when there is
  *	an exact match in the tree.
  *
- *      A node that has no data is considered not to exist for this function,
- *      unless the DNS_RBTFIND_EMPTYDATA option is set.
+ *\li   A node that has no data is considered not to exist for this function,
+ *      unless the #DNS_RBTFIND_EMPTYDATA option is set.
  *
  * Requires:
- *	rbt is a valid rbt manager.
- *	dns_name_isabsolute(name) == TRUE
- *	data != NULL && *data == NULL
+ *\li	rbt is a valid rbt manager.
+ *\li	dns_name_isabsolute(name) == TRUE
+ *\li	data != NULL && *data == NULL
  *
  * Ensures:
- *	'name' and the tree are not altered in any way.
+ *\li	'name' and the tree are not altered in any way.
  *
- *	If result is ISC_R_SUCCESS:
+ *\li	If result is ISC_R_SUCCESS:
  *		*data is the data associated with 'name'.
  *
- *	If result is DNS_R_PARTIALMATCH:
+ *\li	If result is DNS_R_PARTIALMATCH:
  *		*data is the data associated with the deepest superdomain
  * 		of 'name' which has data.
  *
- *	If result is ISC_R_NOTFOUND:
+ *\li	If result is ISC_R_NOTFOUND:
  *		Neither the name nor a superdomain was found with data.
  *
  * Returns:
- *	ISC_R_SUCCESS		Success
- *	DNS_R_PARTIALMATCH	Superdomain found with data
- *	ISC_R_NOTFOUND		No match
- *	ISC_R_NOSPACE		Concatenating nodes to form foundname failed
+ *\li	#ISC_R_SUCCESS		Success
+ *\li	#DNS_R_PARTIALMATCH	Superdomain found with data
+ *\li	#ISC_R_NOTFOUND		No match
+ *\li	#ISC_R_NOSPACE		Concatenating nodes to form foundname failed
  */
 
 isc_result_t
@@ -355,20 +370,20 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 		 dns_rbtnode_t **node, dns_rbtnodechain_t *chain,
 		 unsigned int options, dns_rbtfindcallback_t callback,
 		 void *callback_arg);
-/*
+/*%<
  * Find the node for 'name'.
  *
  * Notes:
- *	A node that has no data is considered not to exist for this function,
+ *\li	A node that has no data is considered not to exist for this function,
  *	unless the DNS_RBTFIND_EMPTYDATA option is set.  This applies to both
  *	exact matches and partial matches.
  *
- *	If the chain parameter is non-NULL, then the path through the tree
+ *\li	If the chain parameter is non-NULL, then the path through the tree
  *	to the DNSSEC predecessor of the searched for name is maintained,
  *	unless the DNS_RBTFIND_NOPREDECESSOR or DNS_RBTFIND_NOEXACT option
  *	is used. (For more details on those options, see below.)
  *
- *	If there is no predecessor, then the chain will point to nowhere, as
+ *\li	If there is no predecessor, then the chain will point to nowhere, as
  *	indicated by chain->end being NULL or dns_rbtnodechain_current
  *	returning ISC_R_NOTFOUND.  Note that in a normal Internet DNS RBT
  *	there will always be a predecessor for all names except the root
@@ -376,23 +391,23 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
  *	everything.  But you can certainly construct a trivial tree and a
  *	search for it that has no predecessor.
  *
- *	Within the chain structure, the 'levels' member of the structure holds
+ *\li	Within the chain structure, the 'levels' member of the structure holds
  *	the root node of each level except the first.
  *
- *	The 'level_count' of the chain indicates how deep the chain to the
+ *\li	The 'level_count' of the chain indicates how deep the chain to the
  *	predecessor name is, as an index into the 'levels[]' array.  It does
  *	not count name elements, per se, but only levels of the tree of trees,
  *	the distinction arrising because multiple labels from a name can be
  *	stored on only one level.  It is also does not include the level
  *	that has the node, since that level is not stored in levels[].
  *
- *	The chain's 'level_matches' is not directly related to the predecessor.
+ *\li	The chain's 'level_matches' is not directly related to the predecessor.
  *	It is the number of levels above the level of the found 'node',
  *	regardless of whether it was a partial match or exact match.  When
  *	the node is found in the top level tree, or no node is found at all,
  *	level_matches is 0.
  *
- *	When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
+ *\li	When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
  *      returned (also subject to DNS_RBTFIND_EMPTYDATA), even when
  *      there is an exact match in the tree.  In this case, the chain
  *	will not point to the DNSSEC predecessor, but will instead point
@@ -407,26 +422,29 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
  *	where you want the chain pointed, so this can be made more firm.
  *
  * Requires:
- *	rbt is a valid rbt manager.
- *	dns_name_isabsolute(name) == TRUE.
- *	node != NULL && *node == NULL.
- *	DNS_RBTFIND_NOEXACT and DNS_RBTFIND_NOPREDECESSOR are mutally
+ *\li	rbt is a valid rbt manager.
+ *\li	dns_name_isabsolute(name) == TRUE.
+ *\li	node != NULL && *node == NULL.
+ *\li	#DNS_RBTFIND_NOEXACT and DNS_RBTFIND_NOPREDECESSOR are mutally
  *		exclusive.
  *
  * Ensures:
- *	'name' and the tree are not altered in any way.
+ *\li	'name' and the tree are not altered in any way.
  *
- *	If result is ISC_R_SUCCESS:
+ *\li	If result is ISC_R_SUCCESS:
+ *\verbatim
  *		*node is the terminal node for 'name'.
- *
+
  *		'foundname' and 'name' represent the same name (though not
  *		the same memory).
- *
+
  *		'chain' points to the DNSSEC predecessor, if any, of 'name'.
  *
  *		chain->level_matches and chain->level_count are equal.
+ *\endverbatim
  *
  * 	If result is DNS_R_PARTIALMATCH:
+ *\verbatim
  *		*node is the data associated with the deepest superdomain
  * 		of 'name' which has data.
  *
@@ -434,59 +452,62 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
  *		data, unless the DNS_RBTFIND_EMPTYDATA option is set).
  *
  *		'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *\endverbatim
  *
- *	If result is ISC_R_NOTFOUND:
+ *\li	If result is ISC_R_NOTFOUND:
+ *\verbatim
  *		Neither the name nor a superdomain was found.  *node is NULL.
  *
  *		'chain' points to the DNSSEC predecessor, if any, of 'name'.
  *
  *		chain->level_matches is 0.
+ *\endverbatim
  *
  * Returns:
- *	ISC_R_SUCCESS		Success
- *	DNS_R_PARTIALMATCH	Superdomain found with data
- *	ISC_R_NOTFOUND		No match, or superdomain with no data
- *	ISC_R_NOSPACE Concatenating nodes to form foundname failed
+ *\li	#ISC_R_SUCCESS		Success
+ *\li	#DNS_R_PARTIALMATCH	Superdomain found with data
+ *\li	#ISC_R_NOTFOUND		No match, or superdomain with no data
+ *\li	#ISC_R_NOSPACE Concatenating nodes to form foundname failed
  */
 
 isc_result_t
 dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse);
-/*
+/*%<
  * Delete 'name' from the tree of trees.
  *
  * Notes:
- *	When 'name' is removed, if recurse is ISC_TRUE then all of its
+ *\li	When 'name' is removed, if recurse is ISC_TRUE then all of its
  *      subnames are removed too.
  *
  * Requires:
- *	rbt is a valid rbt manager.
- *	dns_name_isabsolute(name) == TRUE
+ *\li	rbt is a valid rbt manager.
+ *\li	dns_name_isabsolute(name) == TRUE
  *
  * Ensures:
- *	'name' is not altered in any way.
+ *\li	'name' is not altered in any way.
  *
- *	Does NOT ensure that any external references to nodes in the tree
+ *\li	Does NOT ensure that any external references to nodes in the tree
  *	are unaffected by node joins.
  *
- *	If result is ISC_R_SUCCESS:
+ *\li	If result is ISC_R_SUCCESS:
  *		'name' does not appear in the tree with data; however,
  *		the node for the name might still exist which can be
  *		found with dns_rbt_findnode (but not dns_rbt_findname).
  *
- *	If result is ISC_R_NOTFOUND:
+ *\li	If result is ISC_R_NOTFOUND:
  *		'name' does not appear in the tree with data, because
  *		it did not appear in the tree before the function was called.
  *
- *	If result is something else:
+ *\li	If result is something else:
  *		See result codes for dns_rbt_findnode (if it fails, the
  *		node is not deleted) or dns_rbt_deletenode (if it fails,
  *		the node is deleted, but the tree is not optimized when
  *		it could have been).
  *
  * Returns:
- *	ISC_R_SUCCESS	Success
- *	ISC_R_NOTFOUND	No match
- *	something_else	Any return code from dns_rbt_findnode except
+ *\li	#ISC_R_SUCCESS	Success
+ *\li	#ISC_R_NOTFOUND	No match
+ *\li	something_else	Any return code from dns_rbt_findnode except
  *			DNS_R_PARTIALMATCH (which causes ISC_R_NOTFOUND
  *			to be returned instead), and any code from
  *			dns_rbt_deletenode.
@@ -494,115 +515,115 @@ dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse);
 
 isc_result_t
 dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse);
-/*
+/*%<
  * Delete 'node' from the tree of trees.
  *
  * Notes:
- *	When 'node' is removed, if recurse is ISC_TRUE then all nodes
+ *\li	When 'node' is removed, if recurse is ISC_TRUE then all nodes
  *	in levels down from it are removed too.
  *
  * Requires:
- *	rbt is a valid rbt manager.
- *	node != NULL.
+ *\li	rbt is a valid rbt manager.
+ *\li	node != NULL.
  *
  * Ensures:
- *	Does NOT ensure that any external references to nodes in the tree
+ *\li	Does NOT ensure that any external references to nodes in the tree
  *	are unaffected by node joins.
  *
- *	If result is ISC_R_SUCCESS:
+ *\li	If result is ISC_R_SUCCESS:
  *		'node' does not appear in the tree with data; however,
  *		the node might still exist if it serves as a pointer to
  *		a lower tree level as long as 'recurse' was false, hence
  *		the node could can be found with dns_rbt_findnode whem
  *		that function's empty_data_ok parameter is true.
  *
- *	If result is ISC_R_NOMEMORY or ISC_R_NOSPACE:
+ *\li	If result is ISC_R_NOMEMORY or ISC_R_NOSPACE:
  *		The node was deleted, but the tree structure was not
  *		optimized.
  *
  * Returns:
- *	ISC_R_SUCCESS	Success
- *	ISC_R_NOMEMORY	Resource Limit: Out of Memory when joining nodes.
- *	ISC_R_NOSPACE	dns_name_concatenate failed when joining nodes.
+ *\li	#ISC_R_SUCCESS	Success
+ *\li	#ISC_R_NOMEMORY	Resource Limit: Out of Memory when joining nodes.
+ *\li	#ISC_R_NOSPACE	dns_name_concatenate failed when joining nodes.
  */
 
 void
 dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name);
-/*
+/*%<
  * Convert the sequence of labels stored at 'node' into a 'name'.
  *
  * Notes:
- *	This function does not return the full name, from the root, but
+ *\li	This function does not return the full name, from the root, but
  *	just the labels at the indicated node.
  *
- *	The name data pointed to by 'name' is the information stored
+ *\li	The name data pointed to by 'name' is the information stored
  *	in the node, not a copy.  Altering the data at this pointer
  *	will likely cause grief.
  *
  * Requires:
- *	name->offsets == NULL
+ * \li	name->offsets == NULL
  *
  * Ensures:
- *	'name' is DNS_NAMEATTR_READONLY.
+ * \li	'name' is DNS_NAMEATTR_READONLY.
  *
- *	'name' will point directly to the labels stored after the
+ * \li	'name' will point directly to the labels stored after the
  *	dns_rbtnode_t struct.
  *
- *	'name' will have offsets that also point to the information stored
+ * \li	'name' will have offsets that also point to the information stored
  *	as part of the node.
  */
 
 isc_result_t
 dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name);
-/*
+/*%<
  * Like dns_rbt_namefromnode, but returns the full name from the root.
  *
  * Notes:
- *	Unlike dns_rbt_namefromnode, the name will not point directly
+ * \li	Unlike dns_rbt_namefromnode, the name will not point directly
  *	to node data.  Rather, dns_name_concatenate will be used to copy
  *	the name data from each node into the 'name' argument.
  *
  * Requires:
- *	name != NULL
- *	name has a dedicated buffer.
+ * \li	name != NULL
+ * \li	name has a dedicated buffer.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE		(possible via dns_name_concatenate)
- *	DNS_R_NAMETOOLONG	(possible via dns_name_concatenate)
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOSPACE		(possible via dns_name_concatenate)
+ * \li	DNS_R_NAMETOOLONG	(possible via dns_name_concatenate)
  */
 
 char *
 dns_rbt_formatnodename(dns_rbtnode_t *node, char *printname,
 		       unsigned int size);
-/*
+/*%<
  * Format the full name of a node for printing, using dns_name_format().
  *
  * Notes:
- *	'size' is the length of the printname buffer.  This should be
+ * \li	'size' is the length of the printname buffer.  This should be
  *	DNS_NAME_FORMATSIZE or larger.
  *
  * Requires:
- *	node and printname are not NULL.
+ * \li	node and printname are not NULL.
  *
  * Returns:
- *	The 'printname' pointer.
+ * \li	The 'printname' pointer.
  */
 
 unsigned int
 dns_rbt_nodecount(dns_rbt_t *rbt);
-/*
+/*%<
  * Obtain the number of nodes in the tree of trees.
  *
  * Requires:
- *	rbt is a valid rbt manager.
+ * \li	rbt is a valid rbt manager.
  */
 
 void
 dns_rbt_destroy(dns_rbt_t **rbtp);
 isc_result_t
 dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum);
-/*
+/*%<
  * Stop working with a red-black tree of trees. 
  * If 'quantum' is zero then the entire tree will be destroyed.
  * If 'quantum' is non zero then up to 'quantum' nodes will be destroyed
@@ -612,26 +633,26 @@ dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum);
  * performed on the tree of trees.
  * 
  * Requires:
- * 	*rbt is a valid rbt manager.
+ * \li	*rbt is a valid rbt manager.
  *
  * Ensures on ISC_R_SUCCESS:
- *	All space allocated by the RBT library has been returned.
+ * \li	All space allocated by the RBT library has been returned.
  *
- *	*rbt is invalidated as an rbt manager.
+ * \li	*rbt is invalidated as an rbt manager.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_QUOTA if 'quantum' nodes have been destroyed.
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_QUOTA if 'quantum' nodes have been destroyed.
  */
 
 void
 dns_rbt_printall(dns_rbt_t *rbt);
-/*
+/*%<
  * Print an ASCII representation of the internal structure of the red-black
  * tree of trees.
  *
  * Notes:
- *	The name stored at each node, along with the node's color, is printed.
+ * \li	The name stored at each node, along with the node's color, is printed.
  *	Then the down pointer, left and right pointers are displayed
  *	recursively in turn.  NULL down pointers are silently omitted;
  *	NULL left and right pointers are printed.
@@ -643,70 +664,70 @@ dns_rbt_printall(dns_rbt_t *rbt);
 
 void
 dns_rbtnodechain_init(dns_rbtnodechain_t *chain, isc_mem_t *mctx);
-/*
+/*%<
  * Initialize 'chain'.
  *
  * Requires:
- *	'chain' is a valid pointer.
+ *\li	'chain' is a valid pointer.
  *
- *	'mctx' is a valid memory context.
+ *\li	'mctx' is a valid memory context.
  *
  * Ensures:
- *	'chain' is suitable for use.
+ *\li	'chain' is suitable for use.
  */
 
 void
 dns_rbtnodechain_reset(dns_rbtnodechain_t *chain);
-/*
+/*%<
  * Free any dynamic storage associated with 'chain', and then reinitialize
  * 'chain'.
  *
  * Requires:
- *	'chain' is a valid pointer.
+ *\li	'chain' is a valid pointer.
  *
  * Ensures:
- *	'chain' is suitable for use, and uses no dynamic storage.
+ *\li	'chain' is suitable for use, and uses no dynamic storage.
  */
 
 void
 dns_rbtnodechain_invalidate(dns_rbtnodechain_t *chain);
-/*
+/*%<
  * Free any dynamic storage associated with 'chain', and then invalidates it.
  *
  * Notes:
- * 	Future calls to any dns_rbtnodechain_ function will need to call
+ *\li 	Future calls to any dns_rbtnodechain_ function will need to call
  * 	dns_rbtnodechain_init on the chain first (except, of course,
  *	dns_rbtnodechain_init itself).
  *
  * Requires:
- *	'chain' is a valid chain.
+ *\li	'chain' is a valid chain.
  *
  * Ensures:
- *	'chain' is no longer suitable for use, and uses no dynamic storage.
+ *\li	'chain' is no longer suitable for use, and uses no dynamic storage.
  */
 
 isc_result_t
 dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
 			 dns_name_t *origin, dns_rbtnode_t **node);
-/*
+/*%<
  * Provide the name, origin and node to which the chain is currently pointed.
  *
  * Notes:
- *	The tree need not have be locked against additions for the chain
+ *\li	The tree need not have be locked against additions for the chain
  *	to remain valid, however there are no guarantees if any deletion
  *	has been made since the chain was established.
  *
  * Requires:
- *	'chain' is a valid chain.
+ *\li	'chain' is a valid chain.
  *
  * Ensures:
- *	'node', if non-NULL, is the node to which the chain was pointed
+ *\li	'node', if non-NULL, is the node to which the chain was pointed
  *	by dns_rbt_findnode, dns_rbtnodechain_first or dns_rbtnodechain_last.
  *	If none were called for the chain since it was initialized or reset,
  *	or if the was no predecessor to the name searched for with
  *	dns_rbt_findnode, then '*node' is NULL and ISC_R_NOTFOUND is returned.
  *
- *	'name', if non-NULL, is the name stored at the terminal level of
+ *\li	'name', if non-NULL, is the name stored at the terminal level of
  *	the chain.  This is typically a single label, like the "www" of
  *	"www.isc.org", but need not be so.  At the root of the tree of trees,
  *	if the node is "." then 'name' is ".", otherwise it is relative to ".".
@@ -714,124 +735,181 @@ dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
  *	"isc.org." then the root node's stored name is "isc.org." but 'name'
  *	will be "isc.org".)
  *
- *	'origin', if non-NULL, is the sequence of labels in the levels
+ *\li	'origin', if non-NULL, is the sequence of labels in the levels
  *	above the terminal level, such as "isc.org." in the above example.
  *	'origin' is always "." for the root node.
  *
  *
  * Returns:
- *	ISC_R_SUCCESS		name, origin & node were successfully set.
- *	ISC_R_NOTFOUND		The chain does not point to any node.
- *	<something_else>	Any error return from dns_name_concatenate.
+ *\li	#ISC_R_SUCCESS		name, origin & node were successfully set.
+ *\li	#ISC_R_NOTFOUND		The chain does not point to any node.
+ *\li	&lt;something_else>	Any error return from dns_name_concatenate.
  */
 
 isc_result_t
 dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
 		       dns_name_t *name, dns_name_t *origin);
-/*
+/*%<
  * Set the chain to the lexically first node in the tree of trees.
  *
  * Notes:
- *	By the definition of ordering for DNS names, the root of the tree of
+ *\li	By the definition of ordering for DNS names, the root of the tree of
  *	trees is the very first node, since everything else in the megatree
  *	uses it as a common suffix.
  *
  * Requires:
- *	'chain' is a valid chain.
- *	'rbt' is a valid rbt manager.
+ *\li	'chain' is a valid chain.
+ *\li	'rbt' is a valid rbt manager.
  *
  * Ensures:
- *	The chain points to the very first node of the tree.
+ *\li	The chain points to the very first node of the tree.
  *
- *	'name' and 'origin', if non-NULL, are set as described for
+ *\li	'name' and 'origin', if non-NULL, are set as described for
  *	dns_rbtnodechain_current.  Thus 'origin' will always be ".".
  *
  * Returns:
- *	DNS_R_NEWORIGIN		The name & origin were successfully set.
- *	<something_else>	Any error result from dns_rbtnodechain_current.
+ *\li	#DNS_R_NEWORIGIN		The name & origin were successfully set.
+ *\li	&lt;something_else>	Any error result from dns_rbtnodechain_current.
  */
 
 isc_result_t
 dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
 		       dns_name_t *name, dns_name_t *origin);
-/*
+/*%<
  * Set the chain to the lexically last node in the tree of trees.
  *
  * Requires:
- *	'chain' is a valid chain.
- *	'rbt' is a valid rbt manager.
+ *\li	'chain' is a valid chain.
+ *\li	'rbt' is a valid rbt manager.
  *
  * Ensures:
- *	The chain points to the very last node of the tree.
+ *\li	The chain points to the very last node of the tree.
  *
- *	'name' and 'origin', if non-NULL, are set as described for
+ *\li	'name' and 'origin', if non-NULL, are set as described for
  *	dns_rbtnodechain_current.
  *
  * Returns:
- *	DNS_R_NEWORIGIN		The name & origin were successfully set.
- *	ISC_R_NOMEMORY		Resource Limit: Out of Memory building chain.
- *	<something_else>	Any error result from dns_name_concatenate.
+ *\li	#DNS_R_NEWORIGIN		The name & origin were successfully set.
+ *\li	#ISC_R_NOMEMORY		Resource Limit: Out of Memory building chain.
+ *\li	&lt;something_else>	Any error result from dns_name_concatenate.
  */
 
 isc_result_t
 dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
 		      dns_name_t *origin);
-/*
+/*%<
  * Adjusts chain to point the DNSSEC predecessor of the name to which it
  * is currently pointed.
  *
  * Requires:
- *	'chain' is a valid chain.
- *	'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
+ *\li	'chain' is a valid chain.
+ *\li	'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
  *	dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
  *	dns_rbt_findnode is not guaranteed to point the chain somewhere,
  *	since there may have been no predecessor to the searched for name.
  *
  * Ensures:
- *	The chain is pointed to the predecessor of its current target.
+ *\li	The chain is pointed to the predecessor of its current target.
  *
- *	'name' and 'origin', if non-NULL, are set as described for
+ *\li	'name' and 'origin', if non-NULL, are set as described for
  *	dns_rbtnodechain_current.
  *
- *	'origin' is only if a new origin was found.
+ *\li	'origin' is only if a new origin was found.
  *
  * Returns:
- *	ISC_R_SUCCESS		The predecessor was found and 'name' was set.
- *	DNS_R_NEWORIGIN		The predecessor was found with a different
+ *\li	#ISC_R_SUCCESS		The predecessor was found and 'name' was set.
+ *\li	#DNS_R_NEWORIGIN		The predecessor was found with a different
  *				origin and 'name' and 'origin' were set.
- *	ISC_R_NOMORE		There was no predecessor.
- *	<something_else>	Any error result from dns_rbtnodechain_current.
+ *\li	#ISC_R_NOMORE		There was no predecessor.
+ *\li	&lt;something_else>	Any error result from dns_rbtnodechain_current.
  */
 
 isc_result_t
 dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
 		      dns_name_t *origin);
-/*
+/*%<
  * Adjusts chain to point the DNSSEC successor of the name to which it
  * is currently pointed.
  *
  * Requires:
- *	'chain' is a valid chain.
- *	'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
+ *\li	'chain' is a valid chain.
+ *\li	'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
  *	dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
  *	dns_rbt_findnode is not guaranteed to point the chain somewhere,
  *	since there may have been no predecessor to the searched for name.
  *
  * Ensures:
- *	The chain is pointed to the successor of its current target.
+ *\li	The chain is pointed to the successor of its current target.
  *
- *	'name' and 'origin', if non-NULL, are set as described for
+ *\li	'name' and 'origin', if non-NULL, are set as described for
  *	dns_rbtnodechain_current.
  *
- *	'origin' is only if a new origin was found.
+ *\li	'origin' is only if a new origin was found.
  *
  * Returns:
- *	ISC_R_SUCCESS		The successor was found and 'name' was set.
- *	DNS_R_NEWORIGIN		The successor was found with a different
+ *\li	#ISC_R_SUCCESS		The successor was found and 'name' was set.
+ *\li	#DNS_R_NEWORIGIN		The successor was found with a different
  *				origin and 'name' and 'origin' were set.
- *	ISC_R_NOMORE		There was no successor.
- *	<something_else>	Any error result from dns_name_concatenate.
+ *\li	#ISC_R_NOMORE		There was no successor.
+ *\li	&lt;something_else>	Any error result from dns_name_concatenate.
+ */
+
+/*
+ * Wrapper macros for manipulating the rbtnode reference counter:
+ *   Since we selectively use isc_refcount_t for the reference counter of
+ *   a rbtnode, operations on the counter depend on the actual type of it.
+ *   The following macros provide a common interface to these operations,
+ *   hiding the back-end.  The usage is the same as that of isc_refcount_xxx().
  */
+#ifdef DNS_RBT_USEISCREFCOUNT
+#define dns_rbtnode_refinit(node, n)				\
+	do {							\
+ 		isc_refcount_init(&(node)->references, (n));	\
+	} while (0) 
+#define dns_rbtnode_refdestroy(node)				\
+	do {							\
+		isc_refcount_destroy(&(node)->references);	\
+	} while (0) 
+#define dns_rbtnode_refcurrent(node)				\
+	isc_refcount_current(&(node)->references)
+#define dns_rbtnode_refincrement0(node, refs)			\
+	do {							\
+		isc_refcount_increment0(&(node)->references, (refs)); \
+	} while (0) 
+#define dns_rbtnode_refincrement(node, refs)			\
+	do {							\
+		isc_refcount_increment(&(node)->references, (refs)); \
+	} while (0) 
+#define dns_rbtnode_refdecrement(node, refs)			\
+	do {							\
+		isc_refcount_decrement(&(node)->references, (refs)); \
+	} while (0) 
+#else  /* DNS_RBT_USEISCREFCOUNT */
+#define dns_rbtnode_refinit(node, n)	((node)->references = (n))
+#define dns_rbtnode_refdestroy(node)	(REQUIRE((node)->references == 0))
+#define dns_rbtnode_refcurrent(node)	((node)->references)
+#define dns_rbtnode_refincrement0(node, refs)			\
+	do {							\
+		unsigned int *_tmp = (unsigned int *)(refs);	\
+		(node)->references++;				\
+		if ((_tmp) != NULL)				\
+			(*_tmp) = (node)->references;		\
+	} while (0) 
+#define dns_rbtnode_refincrement(node, refs)			\
+	do {							\
+		REQUIRE((node)->references > 0);		\
+		(node)->references++;				\
+		if ((refs) != NULL)				\
+			(*refs) = (node)->references;		\
+	} while (0) 
+#define dns_rbtnode_refdecrement(node, refs)			\
+	do {							\
+		REQUIRE((node)->references > 0);		\
+		(node)->references--;				\
+		if ((refs) != NULL)				\
+			(*refs) = (node)->references;		\
+	} while (0) 
+#endif /* DNS_RBT_USEISCREFCOUNT */
 
 ISC_LANG_ENDDECLS
 
diff --git a/contrib/bind9/lib/dns/include/dns/rcode.h b/contrib/bind9/lib/dns/include/dns/rcode.h
index b2494f7..03c145b 100644
--- a/contrib/bind9/lib/dns/include/dns/rcode.h
+++ b/contrib/bind9/lib/dns/include/dns/rcode.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rcode.h,v 1.12.206.1 2004/03/06 08:13:59 marka Exp $ */
+/* $Id: rcode.h,v 1.13.18.2 2005/04/29 00:16:18 marka Exp $ */
 
 #ifndef DNS_RCODE_H
 #define DNS_RCODE_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -27,68 +29,68 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source);
-/*
+/*%<
  * Convert the text 'source' refers to into a DNS error value.
  *
  * Requires:
- *	'rcodep' is a valid pointer.
+ *\li	'rcodep' is a valid pointer.
  *
- *	'source' is a valid text region.
+ *\li	'source' is a valid text region.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	DNS_R_UNKNOWN			type is unknown
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#DNS_R_UNKNOWN			type is unknown
  */
 
 isc_result_t dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
-/*
+/*%<
  * Put a textual representation of error 'rcode' into 'target'.
  *
  * Requires:
- *	'rcode' is a valid rcode.
+ *\li	'rcode' is a valid rcode.
  *
- *	'target' is a valid text buffer.
+ *\li	'target' is a valid text buffer.
  *
  * Ensures:
- *	If the result is success:
+ *\li	If the result is success:
  *		The used space in 'target' is updated.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	ISC_R_NOSPACE			target buffer is too small
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
  */
 
 isc_result_t dns_tsigrcode_fromtext(dns_rcode_t *rcodep,
 				    isc_textregion_t *source);
-/*
+/*%<
  * Convert the text 'source' refers to into a TSIG/TKEY error value.
  *
  * Requires:
- *	'rcodep' is a valid pointer.
+ *\li	'rcodep' is a valid pointer.
  *
- *	'source' is a valid text region.
+ *\li	'source' is a valid text region.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	DNS_R_UNKNOWN			type is unknown
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#DNS_R_UNKNOWN			type is unknown
  */
 
 isc_result_t dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
-/*
+/*%<
  * Put a textual representation of TSIG/TKEY error 'rcode' into 'target'.
  *
  * Requires:
- *	'rcode' is a valid TSIG/TKEY error code.
+ *\li	'rcode' is a valid TSIG/TKEY error code.
  *
- *	'target' is a valid text buffer.
+ *\li	'target' is a valid text buffer.
  *
  * Ensures:
- *	If the result is success:
+ *\li	If the result is success:
  *		The used space in 'target' is updated.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	ISC_R_NOSPACE			target buffer is too small
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/rdata.h b/contrib/bind9/lib/dns/include/dns/rdata.h
index b006b17..a14bde7 100644
--- a/contrib/bind9/lib/dns/include/dns/rdata.h
+++ b/contrib/bind9/lib/dns/include/dns/rdata.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.h,v 1.51.2.3.2.4 2004/03/08 02:08:01 marka Exp $ */
+/* $Id: rdata.h,v 1.60.18.3 2005/05/19 04:59:56 marka Exp $ */
 
 #ifndef DNS_RDATA_H
 #define DNS_RDATA_H 1
@@ -24,9 +24,8 @@
  ***** Module Info
  *****/
 
-/*
- * DNS Rdata
- *
+/*! \file
+ * \brief
  * Provides facilities for manipulating DNS rdata, including conversions to
  * and from wire format and text format.
  *
@@ -46,7 +45,7 @@
  *
  * Implementation Notes:
  *
- *	The routines in this module are expected to be synthesized by the
+ *\li	The routines in this module are expected to be synthesized by the
  *	build process from a set of source files, one per rdata type.  For
  *	portability, it's probably best that the building be done by a C
  *	program.  Adding a new rdata type will be a simple matter of adding
@@ -54,38 +53,37 @@
  *	the format of a particular rdata type is in this file.
  *
  * MP:
- *	Clients of this module must impose any required synchronization.
+ *\li	Clients of this module must impose any required synchronization.
  *
  * Reliability:
- *	This module deals with low-level byte streams.  Errors in any of
+ *\li	This module deals with low-level byte streams.  Errors in any of
  *	the functions are likely to crash the server or corrupt memory.
  *
- *	Rdata is typed, and the caller must know what type of rdata it has.
+ *\li	Rdata is typed, and the caller must know what type of rdata it has.
  *	A caller that gets this wrong could crash the server.
  *
- *	The fromstruct() and tostruct() routines use a void * pointer to
+ *\li	The fromstruct() and tostruct() routines use a void * pointer to
  *	represent the structure.  The caller must ensure that it passes a
  *	pointer to the appropriate type, or the server could crash or memory
  *	could be corrupted.
  *
  * Resources:
- *	None.
+ *\li	None.
  *
  * Security:
  *
- *	*** WARNING ***
- *
+ *\li	*** WARNING ***
  *	dns_rdata_fromwire() deals with raw network data.  An error in
  *	this routine could result in the failure or hijacking of the server.
  *
  * Standards:
- *	RFC 1035
- *	Draft EDNS0 (0)
- *	Draft EDNS1 (0)
- *	Draft Binary Labels (2)
- *	Draft Local Compression (1)
- *	<Various RFCs for particular types; these will be documented in the
- *	 sources files of the types.>
+ *\li	RFC1035
+ *\li	Draft EDNS0 (0)
+ *\li	Draft EDNS1 (0)
+ *\li	Draft Binary Labels (2)
+ *\li	Draft Local Compression (1)
+ *\li	Various RFCs for particular types; these will be documented in the
+ *	 sources files of the types.
  *
  */
 
@@ -100,19 +98,17 @@
 
 ISC_LANG_BEGINDECLS
 
-/*****
- ***** RData
- *****
- ***** An 'rdata' is a handle to a binary region.  The handle has an RR
- ***** class and type, and the data in the binary region is in the format
- ***** of the given class and type.
- *****/
 
 /***
  *** Types
  ***/
 
-/*
+/*%
+ ***** An 'rdata' is a handle to a binary region.  The handle has an RR
+ ***** class and type, and the data in the binary region is in the format
+ ***** of the given class and type.
+ *****/
+/*%
  * Clients are strongly discouraged from using this type directly, with
  * the exception of the 'link' field which may be used directly for whatever
  * purpose the client desires.
@@ -128,7 +124,7 @@ struct dns_rdata {
 
 #define DNS_RDATA_INIT { NULL, 0, 0, 0, 0, {(void*)(-1), (void *)(-1)}}
 
-#define DNS_RDATA_UPDATE	0x0001		/* update pseudo record */
+#define DNS_RDATA_UPDATE	0x0001		/*%< update pseudo record */
 
 /*
  * Flags affecting rdata formatting style.  Flags 0xFFFF0000
@@ -136,17 +132,19 @@ struct dns_rdata {
  * See additional comments at dns_rdata_tofmttext().
  */
 
-/* Split the rdata into multiple lines to try to keep it
+/*% Split the rdata into multiple lines to try to keep it
  within the "width". */
 #define DNS_STYLEFLAG_MULTILINE		0x00000001U
 
-/* Output explanatory comments. */
+/*% Output explanatory comments. */
 #define DNS_STYLEFLAG_COMMENT		0x00000002U
 
 #define DNS_RDATA_DOWNCASE		DNS_NAME_DOWNCASE
 #define DNS_RDATA_CHECKNAMES		DNS_NAME_CHECKNAMES
 #define DNS_RDATA_CHECKNAMESFAIL	DNS_NAME_CHECKNAMESFAIL
 #define DNS_RDATA_CHECKREVERSE		DNS_NAME_CHECKREVERSE
+#define DNS_RDATA_CHECKMX		DNS_NAME_CHECKMX
+#define DNS_RDATA_CHECKMXFAIL		DNS_NAME_CHECKMXFAIL
 
 /***
  *** Initialization
@@ -154,7 +152,7 @@ struct dns_rdata {
 
 void
 dns_rdata_init(dns_rdata_t *rdata);
-/*
+/*%<
  * Make 'rdata' empty.
  *
  * Requires:
@@ -163,21 +161,21 @@ dns_rdata_init(dns_rdata_t *rdata);
 
 void
 dns_rdata_reset(dns_rdata_t *rdata);
-/*
+/*%<
  * Make 'rdata' empty.
  *
  * Requires:
- *	'rdata' is a previously initialized rdata and is not linked.
+ *\li	'rdata' is a previously initialized rdata and is not linked.
  */
 
 void
 dns_rdata_clone(const dns_rdata_t *src, dns_rdata_t *target);
-/*
+/*%<
  * Clone 'target' from 'src'.
  *
  * Requires:
- *	'src' to be initialized.
- *	'target' to be initialized.
+ *\li	'src' to be initialized.
+ *\li	'target' to be initialized.
  */
 
 /***
@@ -186,20 +184,20 @@ dns_rdata_clone(const dns_rdata_t *src, dns_rdata_t *target);
 
 int
 dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2);
-/*
+/*%<
  * Determine the relative ordering under the DNSSEC order relation of
  * 'rdata1' and 'rdata2'.
  *
  * Requires:
  *
- *	'rdata1' is a valid, non-empty rdata
+ *\li	'rdata1' is a valid, non-empty rdata
  *
- *	'rdata2' is a valid, non-empty rdata
+ *\li	'rdata2' is a valid, non-empty rdata
  *
  * Returns:
- *	< 0		'rdata1' is less than 'rdata2'
- *	0		'rdata1' is equal to 'rdata2'
- *	> 0		'rdata1' is greater than 'rdata2'
+ *\li	< 0		'rdata1' is less than 'rdata2'
+ *\li	0		'rdata1' is equal to 'rdata2'
+ *\li	> 0		'rdata1' is greater than 'rdata2'
  */
 
 /***
@@ -209,17 +207,17 @@ dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2);
 void
 dns_rdata_fromregion(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		     dns_rdatatype_t type, isc_region_t *r);
-/*
+/*%<
  * Make 'rdata' refer to region 'r'.
  *
  * Requires:
  *
- *	The data in 'r' is properly formatted for whatever type it is.
+ *\li	The data in 'r' is properly formatted for whatever type it is.
  */
 
 void
 dns_rdata_toregion(const dns_rdata_t *rdata, isc_region_t *r);
-/*
+/*%<
  * Make 'r' refer to 'rdata'.
  */
 
@@ -228,73 +226,70 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		   dns_rdatatype_t type, isc_buffer_t *source,
 		   dns_decompress_t *dctx, unsigned int options,
 		   isc_buffer_t *target);
-/*
+/*%<
  * Copy the possibly-compressed rdata at source into the target region.
  *
  * Notes:
- *	Name decompression policy is controlled by 'dctx'.
+ *\li	Name decompression policy is controlled by 'dctx'.
  *
  *	'options'
- *	DNS_RDATA_DOWNCASE	downcase domain names when they are copied
+ *\li	DNS_RDATA_DOWNCASE	downcase domain names when they are copied
  *				into target.
  *
  * Requires:
  *
- *	'rdclass' and 'type' are valid.
+ *\li	'rdclass' and 'type' are valid.
  *
- *	'source' is a valid buffer, and the active region of 'source'
+ *\li	'source' is a valid buffer, and the active region of 'source'
  *	references the rdata to be processed.
  *
- *	'target' is a valid buffer.
+ *\li	'target' is a valid buffer.
  *
- *	'dctx' is a valid decompression context.
+ *\li	'dctx' is a valid decompression context.
  *
- * Ensures:
- *
- *	If result is success:
- *	 	If 'rdata' is not NULL, it is attached to the target.
- *
- *		The conditions dns_name_fromwire() ensures for names hold
+ * Ensures,
+ *	if result is success:
+ *	\li 	If 'rdata' is not NULL, it is attached to the target.
+ *	\li	The conditions dns_name_fromwire() ensures for names hold
  *		for all names in the rdata.
- *
- *		The current location in source is advanced, and the used space
+ *	\li	The current location in source is advanced, and the used space
  *		in target is updated.
  *
  * Result:
- *	Success
- *	<Any non-success status from dns_name_fromwire()>
- *	<Various 'Bad Form' class failures depending on class and type>
- *	Bad Form: Input too short
- *	Resource Limit: Not enough space
+ *\li	Success
+ *\li	Any non-success status from dns_name_fromwire()
+ *\li	Various 'Bad Form' class failures depending on class and type
+ *\li	Bad Form: Input too short
+ *\li	Resource Limit: Not enough space
  */
 
 isc_result_t
 dns_rdata_towire(dns_rdata_t *rdata, dns_compress_t *cctx,
 		 isc_buffer_t *target);
-/*
+/*%<
  * Convert 'rdata' into wire format, compressing it as specified by the
  * compression context 'cctx', and storing the result in 'target'.
  *
  * Notes:
- *	If the compression context allows global compression, then the
+ *\li	If the compression context allows global compression, then the
  *	global compression table may be updated.
  *
  * Requires:
- *	'rdata' is a valid, non-empty rdata
+ *\li	'rdata' is a valid, non-empty rdata
  *
- *	target is a valid buffer
+ *\li	target is a valid buffer
  *
- *	Any offsets specified in a global compression table are valid
+ *\li	Any offsets specified in a global compression table are valid
  *	for target.
  *
- * Ensures:
- *	If the result is success:
- *		The used space in target is updated.
+ * Ensures,
+ *	if the result is success:
+ *	\li	The used space in target is updated.
  *
  * Returns:
- *	Success
- *	<Any non-success status from dns_name_towire()>
- *	Resource Limit: Not enough space
+ *\li	Success
+ *\li	Any non-success status from dns_name_towire()
+ *\li	Resource Limit: Not enough space
  */
 
 isc_result_t
@@ -302,100 +297,100 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		   dns_rdatatype_t type, isc_lex_t *lexer, dns_name_t *origin,
 		   unsigned int options, isc_mem_t *mctx,
 		   isc_buffer_t *target, dns_rdatacallbacks_t *callbacks);
-/*
+/*%<
  * Convert the textual representation of a DNS rdata into uncompressed wire
  * form stored in the target region.  Tokens constituting the text of the rdata
  * are taken from 'lexer'.
  *
  * Notes:
- *	Relative domain names in the rdata will have 'origin' appended to them.
+ *\li	Relative domain names in the rdata will have 'origin' appended to them.
  *	A NULL origin implies "origin == dns_rootname".
  *
  *
  *	'options'
- *	DNS_RDATA_DOWNCASE	downcase domain names when they are copied
+ *\li	DNS_RDATA_DOWNCASE	downcase domain names when they are copied
  *				into target.
- *	DNS_RDATA_CHECKNAMES 	perform checknames checks.
- *	DNS_RDATA_CHECKNAMESFAIL fail if the checknames check fail.  If
+ *\li	DNS_RDATA_CHECKNAMES 	perform checknames checks.
+ *\li	DNS_RDATA_CHECKNAMESFAIL fail if the checknames check fail.  If
  *				not set a warning will be issued.
- *	DNS_RDATA_CHECKREVERSE  this should set if the owner name ends
+ *\li	DNS_RDATA_CHECKREVERSE  this should set if the owner name ends
  *				in IP6.ARPA, IP6.INT or IN-ADDR.ARPA.
  *
  * Requires:
  *
- *	'rdclass' and 'type' are valid.
+ *\li	'rdclass' and 'type' are valid.
  *
- *	'lexer' is a valid isc_lex_t.
+ *\li	'lexer' is a valid isc_lex_t.
  *
- *	'mctx' is a valid isc_mem_t.
+ *\li	'mctx' is a valid isc_mem_t.
  *
- *	'target' is a valid region.
+ *\li	'target' is a valid region.
  *
- *	'origin' if non NULL it must be absolute.
+ *\li	'origin' if non NULL it must be absolute.
  *	
- *	'callbacks' to be NULL or callbacks->warn and callbacks->error be
+ *\li	'callbacks' to be NULL or callbacks->warn and callbacks->error be
  *	initialized.
  *
- * Ensures:
- *	If result is success:
- *	 	If 'rdata' is not NULL, it is attached to the target.
- *
- *		The conditions dns_name_fromtext() ensures for names hold
+ * Ensures, 
+ *	if result is success:
+ *\li	 	If 'rdata' is not NULL, it is attached to the target.
+
+ *\li		The conditions dns_name_fromtext() ensures for names hold
  *		for all names in the rdata.
- *
- *		The used space in target is updated.
+
+ *\li		The used space in target is updated.
  *
  * Result:
- *	Success
- *	<Translated result codes from isc_lex_gettoken>
- *	<Various 'Bad Form' class failures depending on class and type>
- *	Bad Form: Input too short
- *	Resource Limit: Not enough space
- *	Resource Limit: Not enough memory
+ *\li	Success
+ *\li	Translated result codes from isc_lex_gettoken
+ *\li	Various 'Bad Form' class failures depending on class and type
+ *\li	Bad Form: Input too short
+ *\li	Resource Limit: Not enough space
+ *\li	Resource Limit: Not enough memory
  */
 
 isc_result_t
 dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin, isc_buffer_t *target);
-/*
+/*%<
  * Convert 'rdata' into text format, storing the result in 'target'.
  * The text will consist of a single line, with fields separated by
  * single spaces.
  *
  * Notes:
- *	If 'origin' is not NULL, then any names in the rdata that are
+ *\li	If 'origin' is not NULL, then any names in the rdata that are
  *	subdomains of 'origin' will be made relative it.
  *
- *	XXX Do we *really* want to support 'origin'?  I'm inclined towards "no"
+ *\li	XXX Do we *really* want to support 'origin'?  I'm inclined towards "no"
  *	at the moment.
  *
  * Requires:
  *
- *	'rdata' is a valid, non-empty rdata
+ *\li	'rdata' is a valid, non-empty rdata
  *
- *	'origin' is NULL, or is a valid name
+ *\li	'origin' is NULL, or is a valid name
  *
- *	'target' is a valid text buffer
+ *\li	'target' is a valid text buffer
  *
- * Ensures:
- *	If the result is success:
+ * Ensures,
+ *	if the result is success:
  *
- *		The used space in target is updated.
+ *	\li	The used space in target is updated.
  *
  * Returns:
- *	Success
- *	<Any non-success status from dns_name_totext()>
- *	Resource Limit: Not enough space
+ *\li	Success
+ *\li	Any non-success status from dns_name_totext()
+ *\li	Resource Limit: Not enough space
  */
 
 isc_result_t
 dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin, unsigned int flags,
 		    unsigned int width, char *linebreak, isc_buffer_t *target);
-/*
+/*%<
  * Like dns_rdata_totext, but do formatted output suitable for
  * database dumps.  This is intended for use by dns_db_dump();
  * library users are discouraged from calling it directly.
  *
- * If (flags & DNS_STYLEFLAG_MULTILINE) != 0, attempt to stay
+ * If (flags & #DNS_STYLEFLAG_MULTILINE) != 0, attempt to stay
  * within 'width' by breaking the text into multiple lines.
  * The string 'linebreak' is inserted between lines, and parentheses
  * are added when necessary.  Because RRs contain unbreakable elements
@@ -403,11 +398,11 @@ dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin, unsigned int flags,
  * potentially large, there is no guarantee that the lines will
  * not exceed 'width' anyway.
  *
- * If (flags & DNS_STYLEFLAG_MULTILINE) == 0, the rdata is always
+ * If (flags & #DNS_STYLEFLAG_MULTILINE) == 0, the rdata is always
  * printed as a single line, and no parentheses are used.
  * The 'width' and 'linebreak' arguments are ignored.
  *
- * If (flags & DNS_STYLEFLAG_COMMENT) != 0, output explanatory
+ * If (flags & #DNS_STYLEFLAG_COMMENT) != 0, output explanatory
  * comments next to things like the SOA timer fields.  Some
  * comments (e.g., the SOA ones) are only printed when multiline
  * output is selected.
@@ -416,7 +411,7 @@ dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin, unsigned int flags,
 isc_result_t
 dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		     dns_rdatatype_t type, void *source, isc_buffer_t *target);
-/*
+/*%<
  * Convert the C structure representation of an rdata into uncompressed wire
  * format in 'target'.
  *
@@ -424,30 +419,30 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
  *
  * Requires:
  *
- *	'rdclass' and 'type' are valid.
+ *\li	'rdclass' and 'type' are valid.
  *
- *	'source' points to a valid C struct for the class and type.
+ *\li	'source' points to a valid C struct for the class and type.
  *
- *	'target' is a valid buffer.
+ *\li	'target' is a valid buffer.
  *
- *	All structure pointers to memory blocks should be NULL if their
+ *\li	All structure pointers to memory blocks should be NULL if their
  *	corresponding length values are zero.
  *
- * Ensures:
- *	If result is success:
- *	 	If 'rdata' is not NULL, it is attached to the target.
+ * Ensures,
+ *	if result is success:
+ *	\li 	If 'rdata' is not NULL, it is attached to the target.
  *
- *		The used space in 'target' is updated.
+ *	\li	The used space in 'target' is updated.
  *
  * Result:
- *	Success
- *	<Various 'Bad Form' class failures depending on class and type>
- *	Resource Limit: Not enough space
+ *\li	Success
+ *\li	Various 'Bad Form' class failures depending on class and type
+ *\li	Resource Limit: Not enough space
  */
 
 isc_result_t
 dns_rdata_tostruct(dns_rdata_t *rdata, void *target, isc_mem_t *mctx);
-/*
+/*%<
  * Convert an rdata into its C structure representation.
  *
  * If 'mctx' is NULL then 'rdata' must persist while 'target' is being used.
@@ -456,80 +451,80 @@ dns_rdata_tostruct(dns_rdata_t *rdata, void *target, isc_mem_t *mctx);
  *
  * Requires:
  *
- *	'rdata' is a valid, non-empty rdata.
+ *\li	'rdata' is a valid, non-empty rdata.
  *
- *	'target' to point to a valid pointer for the type and class.
+ *\li	'target' to point to a valid pointer for the type and class.
  *
  * Result:
- *	Success
- *	Resource Limit: Not enough memory
+ *\li	Success
+ *\li	Resource Limit: Not enough memory
  */
 
 void
 dns_rdata_freestruct(void *source);
-/*
+/*%<
  * Free dynamic memory attached to 'source' (if any).
  *
  * Requires:
  *
- *	'source' to point to the structure previously filled in by
+ *\li	'source' to point to the structure previously filled in by
  *	dns_rdata_tostruct().
  */
 
 isc_boolean_t
 dns_rdatatype_ismeta(dns_rdatatype_t type);
-/*
+/*%<
  * Return true iff the rdata type 'type' is a meta-type
  * like ANY or AXFR.
  */
 
 isc_boolean_t
 dns_rdatatype_issingleton(dns_rdatatype_t type);
-/*
+/*%<
  * Return true iff the rdata type 'type' is a singleton type,
  * like CNAME or SOA.
  *
  * Requires:
- * 	'type' is a valid rdata type.
+ * \li	'type' is a valid rdata type.
  *
  */
 
 isc_boolean_t
 dns_rdataclass_ismeta(dns_rdataclass_t rdclass);
-/*
+/*%<
  * Return true iff the rdata class 'rdclass' is a meta-class
  * like ANY or NONE.
  */
 
 isc_boolean_t
 dns_rdatatype_isdnssec(dns_rdatatype_t type);
-/*
+/*%<
  * Return true iff 'type' is one of the DNSSEC
  * rdata types that may exist alongside a CNAME record.
  *
  * Requires:
- * 	'type' is a valid rdata type.
+ * \li	'type' is a valid rdata type.
  */
 
 isc_boolean_t
 dns_rdatatype_iszonecutauth(dns_rdatatype_t type);
-/*
+/*%<
  * Return true iff rdata of type 'type' is considered authoritative
  * data (not glue) in the NSEC chain when it occurs in the parent zone
  * at a zone cut.
  *
  * Requires:
- * 	'type' is a valid rdata type.
+ * \li	'type' is a valid rdata type.
  *
  */
 
 isc_boolean_t
 dns_rdatatype_isknown(dns_rdatatype_t type);
-/*
+/*%<
  * Return true iff the rdata type 'type' is known.
  *
  * Requires:
- * 	'type' is a valid rdata type.
+ * \li	'type' is a valid rdata type.
  *
  */
 
@@ -537,140 +532,140 @@ dns_rdatatype_isknown(dns_rdatatype_t type);
 isc_result_t
 dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 			 void *arg);
-/*
+/*%<
  * Call 'add' for each name and type from 'rdata' which is subject to
  * additional section processing.
  *
  * Requires:
  *
- *	'rdata' is a valid, non-empty rdata.
+ *\li	'rdata' is a valid, non-empty rdata.
  *
- *	'add' is a valid dns_additionalfunc_t.
+ *\li	'add' is a valid dns_additionalfunc_t.
  *
  * Ensures:
  *
- *	If successful, then add() will have been called for each name
+ *\li	If successful, then add() will have been called for each name
  *	and type subject to additional section processing.
  *
- *	If add() returns something other than ISC_R_SUCCESS, that result
+ *\li	If add() returns something other than #ISC_R_SUCCESS, that result
  *	will be returned as the result of dns_rdata_additionaldata().
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
+ *\li	ISC_R_SUCCESS
  *
- *	Many other results are possible if not successful.
+ *\li	Many other results are possible if not successful.
  */
 
 isc_result_t
 dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg);
-/*
+/*%<
  * Send 'rdata' in DNSSEC canonical form to 'digest'.
  *
  * Note:
- *	'digest' may be called more than once by dns_rdata_digest().  The
+ *\li	'digest' may be called more than once by dns_rdata_digest().  The
  *	concatenation of all the regions, in the order they were given
  *	to 'digest', will be the DNSSEC canonical form of 'rdata'.
  *
  * Requires:
  *
- *	'rdata' is a valid, non-empty rdata.
+ *\li	'rdata' is a valid, non-empty rdata.
  *
- *	'digest' is a valid dns_digestfunc_t.
+ *\li	'digest' is a valid dns_digestfunc_t.
  *
  * Ensures:
  *
- *	If successful, then all of the rdata's data has been sent, in
+ *\li	If successful, then all of the rdata's data has been sent, in
  *	DNSSEC canonical form, to 'digest'.
  *
- *	If digest() returns something other than ISC_R_SUCCESS, that result
+ *\li	If digest() returns something other than ISC_R_SUCCESS, that result
  *	will be returned as the result of dns_rdata_digest().
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
+ *\li	ISC_R_SUCCESS
  *
- *	Many other results are possible if not successful.
+ *\li	Many other results are possible if not successful.
  */
 
 isc_boolean_t
 dns_rdatatype_questiononly(dns_rdatatype_t type);
-/*
+/*%<
  * Return true iff rdata of type 'type' can only appear in the question
  * section of a properly formatted message.
  *
  * Requires:
- * 	'type' is a valid rdata type.
+ * \li	'type' is a valid rdata type.
  *
  */
 
 isc_boolean_t
 dns_rdatatype_notquestion(dns_rdatatype_t type);
-/*
+/*%<
  * Return true iff rdata of type 'type' can not appear in the question
  * section of a properly formatted message.
  *
  * Requires:
- * 	'type' is a valid rdata type.
+ * \li	'type' is a valid rdata type.
  *
  */
 
 isc_boolean_t
 dns_rdatatype_atparent(dns_rdatatype_t type);
-/*
+/*%<
  * Return true iff rdata of type 'type' should appear at the parent of
  * a zone cut.
  *
  * Requires:
- * 	'type' is a valid rdata type.
+ * \li	'type' is a valid rdata type.
  *
  */
 
 unsigned int
 dns_rdatatype_attributes(dns_rdatatype_t rdtype);
-/*
+/*%<
  * Return attributes for the given type.
  *
  * Requires:
- *	'rdtype' are known.
+ *\li	'rdtype' are known.
  *
  * Returns:
- *	a bitmask consisting of the following flags.
+ *\li	a bitmask consisting of the following flags.
  */
 
-/* only one may exist for a name */
+/*% only one may exist for a name */
 #define DNS_RDATATYPEATTR_SINGLETON		0x00000001U
-/* requires no other data be present */
+/*% requires no other data be present */
 #define DNS_RDATATYPEATTR_EXCLUSIVE		0x00000002U
-/* Is a meta type */
+/*% Is a meta type */
 #define DNS_RDATATYPEATTR_META			0x00000004U
-/* Is a DNSSEC type, like RRSIG or NSEC */
+/*% Is a DNSSEC type, like RRSIG or NSEC */
 #define DNS_RDATATYPEATTR_DNSSEC		0x00000008U
-/* Is a zone cut authority type */
+/*% Is a zone cut authority type */
 #define DNS_RDATATYPEATTR_ZONECUTAUTH		0x00000010U
-/* Is reserved (unusable) */
+/*% Is reserved (unusable) */
 #define DNS_RDATATYPEATTR_RESERVED		0x00000020U
-/* Is an unknown type */
+/*% Is an unknown type */
 #define DNS_RDATATYPEATTR_UNKNOWN		0x00000040U
-/* Is META, and can only be in a question section */
+/*% Is META, and can only be in a question section */
 #define DNS_RDATATYPEATTR_QUESTIONONLY		0x00000080U
-/* is META, and can NOT be in a question section */
+/*% is META, and can NOT be in a question section */
 #define DNS_RDATATYPEATTR_NOTQUESTION		0x00000100U
-/* Is present at zone cuts in the parent, not the child */
+/*% Is present at zone cuts in the parent, not the child */
 #define DNS_RDATATYPEATTR_ATPARENT		0x00000200U
 
 dns_rdatatype_t
 dns_rdata_covers(dns_rdata_t *rdata);
-/*
+/*%<
  * Return the rdatatype that this type covers.
  *
  * Requires:
- *	'rdata' is a valid, non-empty rdata.
+ *\li	'rdata' is a valid, non-empty rdata.
  *
- *	'rdata' is a type that covers other rdata types.
+ *\li	'rdata' is a type that covers other rdata types.
  *
  * Returns:
- *	The type covered.
+ *\li	The type covered.
  */
 
 isc_boolean_t
diff --git a/contrib/bind9/lib/dns/include/dns/rdataclass.h b/contrib/bind9/lib/dns/include/dns/rdataclass.h
index 359a2be..fc622bf 100644
--- a/contrib/bind9/lib/dns/include/dns/rdataclass.h
+++ b/contrib/bind9/lib/dns/include/dns/rdataclass.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataclass.h,v 1.17.206.1 2004/03/06 08:13:59 marka Exp $ */
+/* $Id: rdataclass.h,v 1.18.18.2 2005/04/29 00:16:18 marka Exp $ */
 
 #ifndef DNS_RDATACLASS_H
 #define DNS_RDATACLASS_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -28,49 +30,49 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source);
-/*
+/*%<
  * Convert the text 'source' refers to into a DNS class.
  *
  * Requires:
- *	'classp' is a valid pointer.
+ *\li	'classp' is a valid pointer.
  *
- *	'source' is a valid text region.
+ *\li	'source' is a valid text region.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	DNS_R_UNKNOWN			class is unknown
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#DNS_R_UNKNOWN			class is unknown
  */
 
 isc_result_t
 dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target);
-/*
+/*%<
  * Put a textual representation of class 'rdclass' into 'target'.
  *
  * Requires:
- *	'rdclass' is a valid class.
+ *\li	'rdclass' is a valid class.
  *
- *	'target' is a valid text buffer.
+ *\li	'target' is a valid text buffer.
  *
- * Ensures:
- *	If the result is success:
- *		The used space in 'target' is updated.
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	ISC_R_NOSPACE			target buffer is too small
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
  */
 
 void
 dns_rdataclass_format(dns_rdataclass_t rdclass,
 		      char *array, unsigned int size);
-/*
+/*%<
  * Format a human-readable representation of the class 'rdclass'
  * into the character array 'array', which is of size 'size'.
  * The resulting string is guaranteed to be null-terminated.
  */
 
 #define DNS_RDATACLASS_FORMATSIZE sizeof("CLASS65535")
-/*
+/*%<
  * Minimum size of array to pass to dns_rdataclass_format().
  */
 
diff --git a/contrib/bind9/lib/dns/include/dns/rdatalist.h b/contrib/bind9/lib/dns/include/dns/rdatalist.h
index a846c89..697386f 100644
--- a/contrib/bind9/lib/dns/include/dns/rdatalist.h
+++ b/contrib/bind9/lib/dns/include/dns/rdatalist.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatalist.h,v 1.13.206.1 2004/03/06 08:13:59 marka Exp $ */
+/* $Id: rdatalist.h,v 1.14.18.2 2005/04/29 00:16:19 marka Exp $ */
 
 #ifndef DNS_RDATALIST_H
 #define DNS_RDATALIST_H 1
@@ -24,32 +24,31 @@
  ***** Module Info
  *****/
 
-/*
- * DNS Rdatalist
- *
+/*! \file
+ * \brief
  * A DNS rdatalist is a list of rdata of a common type and class.
  *
  * MP:
- *	Clients of this module must impose any required synchronization.
+ *\li	Clients of this module must impose any required synchronization.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	<TBS>
+ *\li	TBS
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Standards:
- *	None.
+ *\li	None.
  */
 
 #include <isc/lang.h>
 
 #include <dns/types.h>
 
-/*
+/*%
  * Clients may use this type directly.
  */
 struct dns_rdatalist {
@@ -65,38 +64,38 @@ ISC_LANG_BEGINDECLS
 
 void
 dns_rdatalist_init(dns_rdatalist_t *rdatalist);
-/*
+/*%<
  * Initialize rdatalist.
  *
  * Ensures:
- *	All fields of rdatalist have been initialized to their default
+ *\li	All fields of rdatalist have been initialized to their default
  *	values.
  */
 
 isc_result_t
 dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
 			 dns_rdataset_t *rdataset);
-/*
+/*%<
  * Make 'rdataset' refer to the rdata in 'rdatalist'.
  *
  * Note:
- *	The caller must ensure that 'rdatalist' remains valid and unchanged
+ *\li	The caller must ensure that 'rdatalist' remains valid and unchanged
  *	while 'rdataset' is associated with it.
  *
  * Requires:
  *
- *	'rdatalist' is a valid rdatalist.
+ *\li	'rdatalist' is a valid rdatalist.
  *
- *	'rdataset' is a valid rdataset that is not currently associated with
+ *\li	'rdataset' is a valid rdataset that is not currently associated with
  *	any rdata.
  *
- * Ensures:
- *	On success,
+ * Ensures,
+ *	on success,
  *
- *		'rdataset' is associated with the rdata in rdatalist.
+ *\li		'rdataset' is associated with the rdata in rdatalist.
  *
  * Returns:
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_SUCCESS
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/rdataset.h b/contrib/bind9/lib/dns/include/dns/rdataset.h
index 12cfbde..5597591 100644
--- a/contrib/bind9/lib/dns/include/dns/rdataset.h
+++ b/contrib/bind9/lib/dns/include/dns/rdataset.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.41.2.5.2.10 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: rdataset.h,v 1.51.18.7 2006/03/03 00:56:53 marka Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
@@ -24,9 +24,8 @@
  ***** Module Info
  *****/
 
-/*
- * DNS Rdataset
- *
+/*! \file
+ * \brief
  * A DNS rdataset is a handle that can be associated with a collection of
  * rdata all having a common owner name, class, and type.
  *
@@ -34,31 +33,38 @@
  * rdatasets, an implementation of the method suite (e.g. "slabbed rdata") is
  * required.
  *
- * XXX <more> XXX
+ * XXX &lt;more&gt; XXX
  *
  * MP:
- *	Clients of this module must impose any required synchronization.
+ *\li	Clients of this module must impose any required synchronization.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	<TBS>
+ *\li	TBS
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Standards:
- *	None.
+ *\li	None.
  */
 
 #include <isc/lang.h>
 #include <isc/magic.h>
+#include <isc/stdtime.h>
 
 #include <dns/types.h>
 
 ISC_LANG_BEGINDECLS
 
+typedef enum {
+	dns_rdatasetadditional_fromauth,
+	dns_rdatasetadditional_fromcache,
+	dns_rdatasetadditional_fromglue
+} dns_rdatasetadditional_t;
+
 typedef struct dns_rdatasetmethods {
 	void			(*disassociate)(dns_rdataset_t *rdataset);
 	isc_result_t		(*first)(dns_rdataset_t *rdataset);
@@ -74,12 +80,36 @@ typedef struct dns_rdatasetmethods {
 					      dns_name_t *name,
 					      dns_rdataset_t *nsec,
 					      dns_rdataset_t *nsecsig);
+	isc_result_t		(*getadditional)(dns_rdataset_t *rdataset,
+						 dns_rdatasetadditional_t type,
+						 dns_rdatatype_t qtype,
+						 dns_acache_t *acache,
+						 dns_zone_t **zonep,
+						 dns_db_t **dbp,
+						 dns_dbversion_t **versionp,
+						 dns_dbnode_t **nodep,
+						 dns_name_t *fname,
+						 dns_message_t *msg,
+						 isc_stdtime_t now);
+	isc_result_t		(*setadditional)(dns_rdataset_t *rdataset,
+						 dns_rdatasetadditional_t type,
+						 dns_rdatatype_t qtype,
+						 dns_acache_t *acache,
+						 dns_zone_t *zone,
+						 dns_db_t *db,
+						 dns_dbversion_t *version,
+						 dns_dbnode_t *node,
+						 dns_name_t *fname);
+	isc_result_t		(*putadditional)(dns_acache_t *acache,
+						 dns_rdataset_t *rdataset,
+						 dns_rdatasetadditional_t type,
+						 dns_rdatatype_t qtype);
 } dns_rdatasetmethods_t;
 
 #define DNS_RDATASET_MAGIC	       ISC_MAGIC('D','N','S','R')
 #define DNS_RDATASET_VALID(set)	       ISC_MAGIC_VALID(set, DNS_RDATASET_MAGIC)
 
-/*
+/*%
  * Direct use of this structure by clients is strongly discouraged, except
  * for the 'link' field which may be used however the client wishes.  The
  * 'private', 'current', and 'index' fields MUST NOT be changed by clients.
@@ -103,14 +133,15 @@ struct dns_rdataset {
 	 * attributes
 	 */
 	unsigned int			attributes;
-	/*
+	/*%
 	 * the counter provides the starting point in the "cyclic" order.
 	 * The value ISC_UINT32_MAX has a special meaning of "picking up a
 	 * random value." in order to take care of databases that do not
 	 * increment the counter.
 	 */
 	isc_uint32_t			count;
-	/*
+	/*@{*/
+	/*%
 	 * These are for use by the rdataset implementation, and MUST NOT
 	 * be changed by clients.
 	 */
@@ -120,35 +151,41 @@ struct dns_rdataset {
 	unsigned int			privateuint4;
 	void *				private5;
 	void *				private6;
+	/*@}*/
 };
 
-/*
- * _RENDERED:
+/*!
+ * \def DNS_RDATASETATTR_RENDERED
  *	Used by message.c to indicate that the rdataset was rendered.
  *
- * _TTLADJUSTED:
+ * \def DNS_RDATASETATTR_TTLADJUSTED
  *	Used by message.c to indicate that the rdataset's rdata had differing
  *	TTL values, and the rdataset->ttl holds the smallest.
+ *
+ * \def DNS_RDATASETATTR_LOADORDER
+ *	Output the RRset in load order.
  */
+
 #define DNS_RDATASETATTR_QUESTION	0x00000001
-#define DNS_RDATASETATTR_RENDERED	0x00000002	/* Used by message.c */
-#define DNS_RDATASETATTR_ANSWERED	0x00000004	/* Used by server. */
-#define DNS_RDATASETATTR_CACHE		0x00000008	/* Used by resolver. */
-#define DNS_RDATASETATTR_ANSWER		0x00000010	/* Used by resolver. */
-#define DNS_RDATASETATTR_ANSWERSIG	0x00000020	/* Used by resolver. */
-#define DNS_RDATASETATTR_EXTERNAL	0x00000040	/* Used by resolver. */
-#define DNS_RDATASETATTR_NCACHE		0x00000080	/* Used by resolver. */
-#define DNS_RDATASETATTR_CHAINING	0x00000100	/* Used by resolver. */
-#define DNS_RDATASETATTR_TTLADJUSTED	0x00000200	/* Used by message.c */
+#define DNS_RDATASETATTR_RENDERED	0x00000002	/*%< Used by message.c */
+#define DNS_RDATASETATTR_ANSWERED	0x00000004	/*%< Used by server. */
+#define DNS_RDATASETATTR_CACHE		0x00000008	/*%< Used by resolver. */
+#define DNS_RDATASETATTR_ANSWER		0x00000010	/*%< Used by resolver. */
+#define DNS_RDATASETATTR_ANSWERSIG	0x00000020	/*%< Used by resolver. */
+#define DNS_RDATASETATTR_EXTERNAL	0x00000040	/*%< Used by resolver. */
+#define DNS_RDATASETATTR_NCACHE		0x00000080	/*%< Used by resolver. */
+#define DNS_RDATASETATTR_CHAINING	0x00000100	/*%< Used by resolver. */
+#define DNS_RDATASETATTR_TTLADJUSTED	0x00000200	/*%< Used by message.c */
 #define DNS_RDATASETATTR_FIXEDORDER	0x00000400
 #define DNS_RDATASETATTR_RANDOMIZE	0x00000800
-#define DNS_RDATASETATTR_CHASE		0x00001000	/* Used by resolver. */
+#define DNS_RDATASETATTR_CHASE		0x00001000	/*%< Used by resolver. */
 #define DNS_RDATASETATTR_NXDOMAIN	0x00002000
 #define DNS_RDATASETATTR_NOQNAME	0x00004000
-#define DNS_RDATASETATTR_CHECKNAMES	0x00008000	/* Used by resolver. */
+#define DNS_RDATASETATTR_CHECKNAMES	0x00008000	/*%< Used by resolver. */
 #define DNS_RDATASETATTR_REQUIREDGLUE	0x00010000
+#define DNS_RDATASETATTR_LOADORDER	0x00020000
 
-/*
+/*%
  * _OMITDNSSEC:
  * 	Omit DNSSEC records when rendering ncache records.
  */
@@ -156,147 +193,147 @@ struct dns_rdataset {
 
 void
 dns_rdataset_init(dns_rdataset_t *rdataset);
-/*
+/*%<
  * Make 'rdataset' a valid, disassociated rdataset.
  *
  * Requires:
- *	'rdataset' is not NULL.
+ *\li	'rdataset' is not NULL.
  *
  * Ensures:
- *	'rdataset' is a valid, disassociated rdataset.
+ *\li	'rdataset' is a valid, disassociated rdataset.
  */
 
 void
 dns_rdataset_invalidate(dns_rdataset_t *rdataset);
-/*
+/*%<
  * Invalidate 'rdataset'.
  *
  * Requires:
- *	'rdataset' is a valid, disassociated rdataset.
+ *\li	'rdataset' is a valid, disassociated rdataset.
  *
  * Ensures:
- *	If assertion checking is enabled, future attempts to use 'rdataset'
+ *\li	If assertion checking is enabled, future attempts to use 'rdataset'
  *	without initializing it will cause an assertion failure.
  */
 
 void
 dns_rdataset_disassociate(dns_rdataset_t *rdataset);
-/*
+/*%<
  * Disassociate 'rdataset' from its rdata, allowing it to be reused.
  *
  * Notes:
- *	The client must ensure it has no references to rdata in the rdataset
+ *\li	The client must ensure it has no references to rdata in the rdataset
  *	before disassociating.
  *
  * Requires:
- *	'rdataset' is a valid, associated rdataset.
+ *\li	'rdataset' is a valid, associated rdataset.
  *
  * Ensures:
- *	'rdataset' is a valid, disassociated rdataset.
+ *\li	'rdataset' is a valid, disassociated rdataset.
  */
 
 isc_boolean_t
 dns_rdataset_isassociated(dns_rdataset_t *rdataset);
-/*
+/*%<
  * Is 'rdataset' associated?
  *
  * Requires:
- *	'rdataset' is a valid rdataset.
+ *\li	'rdataset' is a valid rdataset.
  *
  * Returns:
- *	ISC_TRUE			'rdataset' is associated.
- *	ISC_FALSE			'rdataset' is not associated.
+ *\li	#ISC_TRUE			'rdataset' is associated.
+ *\li	#ISC_FALSE			'rdataset' is not associated.
  */
 
 void
 dns_rdataset_makequestion(dns_rdataset_t *rdataset, dns_rdataclass_t rdclass,
 			  dns_rdatatype_t type);
-/*
+/*%<
  * Make 'rdataset' a valid, associated, question rdataset, with a
  * question class of 'rdclass' and type 'type'.
  *
  * Notes:
- *	Question rdatasets have a class and type, but no rdata.
+ *\li	Question rdatasets have a class and type, but no rdata.
  *
  * Requires:
- *	'rdataset' is a valid, disassociated rdataset.
+ *\li	'rdataset' is a valid, disassociated rdataset.
  *
  * Ensures:
- *	'rdataset' is a valid, associated, question rdataset.
+ *\li	'rdataset' is a valid, associated, question rdataset.
  */
 
 void
 dns_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
-/*
+/*%<
  * Make 'target' refer to the same rdataset as 'source'.
  *
  * Requires:
- *	'source' is a valid, associated rdataset.
+ *\li	'source' is a valid, associated rdataset.
  *
- *	'target' is a valid, dissociated rdataset.
+ *\li	'target' is a valid, dissociated rdataset.
  *
  * Ensures:
- *	'target' references the same rdataset as 'source'.
+ *\li	'target' references the same rdataset as 'source'.
  */
 
 unsigned int
 dns_rdataset_count(dns_rdataset_t *rdataset);
-/*
+/*%<
  * Return the number of records in 'rdataset'.
  *
  * Requires:
- *	'rdataset' is a valid, associated rdataset.
+ *\li	'rdataset' is a valid, associated rdataset.
  *
  * Returns:
- *	The number of records in 'rdataset'.
+ *\li	The number of records in 'rdataset'.
  */
 
 isc_result_t
 dns_rdataset_first(dns_rdataset_t *rdataset);
-/*
+/*%<
  * Move the rdata cursor to the first rdata in the rdataset (if any).
  *
  * Requires:
- *	'rdataset' is a valid, associated rdataset.
+ *\li	'rdataset' is a valid, associated rdataset.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMORE			There are no rdata in the set.
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no rdata in the set.
  */
 
 isc_result_t
 dns_rdataset_next(dns_rdataset_t *rdataset);
-/*
+/*%<
  * Move the rdata cursor to the next rdata in the rdataset (if any).
  *
  * Requires:
- *	'rdataset' is a valid, associated rdataset.
+ *\li	'rdataset' is a valid, associated rdataset.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMORE			There are no more rdata in the set.
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no more rdata in the set.
  */
 
 void
 dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
-/*
+/*%<
  * Make 'rdata' refer to the current rdata.
  *
  * Notes:
  *
- *	The data returned in 'rdata' is valid for the life of the
+ *\li	The data returned in 'rdata' is valid for the life of the
  *	rdataset; in particular, subsequent changes in the cursor position
  *	do not invalidate 'rdata'.
  *
  * Requires:
- *	'rdataset' is a valid, associated rdataset.
+ *\li	'rdataset' is a valid, associated rdataset.
  *
- *	The rdata cursor of 'rdataset' is at a valid location (i.e. the
+ *\li	The rdata cursor of 'rdataset' is at a valid location (i.e. the
  *	result of last call to a cursor movement command was ISC_R_SUCCESS).
  *
  * Ensures:
- *	'rdata' refers to the rdata at the rdata cursor location of
- *	'rdataset'.
+ *\li	'rdata' refers to the rdata at the rdata cursor location of
+ *\li	'rdataset'.
  */
 
 isc_result_t
@@ -305,23 +342,23 @@ dns_rdataset_totext(dns_rdataset_t *rdataset,
 		    isc_boolean_t omit_final_dot,
 		    isc_boolean_t question,
 		    isc_buffer_t *target);
-/*
+/*%<
  * Convert 'rdataset' to text format, storing the result in 'target'.
  *
  * Notes:
- *	The rdata cursor position will be changed.
+ *\li	The rdata cursor position will be changed.
  *
- *	The 'question' flag should normally be ISC_FALSE.  If it is 
- *	ISC_TRUE, the TTL and rdata fields are not printed.  This is 
+ *\li	The 'question' flag should normally be #ISC_FALSE.  If it is 
+ *	#ISC_TRUE, the TTL and rdata fields are not printed.  This is 
  *	for use when printing an rdata representing a question section.
  *
- *	This interface is deprecated; use dns_master_rdatasettottext()
+ *\li	This interface is deprecated; use dns_master_rdatasettottext()
  * 	and/or dns_master_questiontotext() instead.
  *
  * Requires:
- *	'rdataset' is a valid rdataset.
+ *\li	'rdataset' is a valid rdataset.
  *
- *	'rdataset' is not empty.
+ *\li	'rdataset' is not empty.
  */
 
 isc_result_t
@@ -331,35 +368,35 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 		    isc_buffer_t *target,
 		    unsigned int options,
 		    unsigned int *countp);
-/*
+/*%<
  * Convert 'rdataset' to wire format, compressing names as specified
  * in 'cctx', and storing the result in 'target'.
  *
  * Notes:
- *	The rdata cursor position will be changed.
+ *\li	The rdata cursor position will be changed.
  *
- *	The number of RRs added to target will be added to *countp.
+ *\li	The number of RRs added to target will be added to *countp.
  *
  * Requires:
- *	'rdataset' is a valid rdataset.
+ *\li	'rdataset' is a valid rdataset.
  *
- *	'rdataset' is not empty.
+ *\li	'rdataset' is not empty.
  *
- *	'countp' is a valid pointer.
+ *\li	'countp' is a valid pointer.
  *
  * Ensures:
- *	On a return of ISC_R_SUCCESS, 'target' contains a wire format
+ *\li	On a return of ISC_R_SUCCESS, 'target' contains a wire format
  *	for the data contained in 'rdataset'.  Any error return leaves
  *	the buffer unchanged.
  *
- *	*countp has been incremented by the number of RRs added to
+ *\li	*countp has been incremented by the number of RRs added to
  *	target.
  *
  * Returns:
- *	ISC_R_SUCCESS		- all ok
- *	ISC_R_NOSPACE		- 'target' doesn't have enough room
+ *\li	#ISC_R_SUCCESS		- all ok
+ *\li	#ISC_R_NOSPACE		- 'target' doesn't have enough room
  *
- *	Any error returned by dns_rdata_towire(), dns_rdataset_next(),
+ *\li	Any error returned by dns_rdata_towire(), dns_rdataset_next(),
  *	dns_name_towire().
  */
 
@@ -372,13 +409,13 @@ dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
 			  const void *order_arg,
 			  unsigned int options,
 			  unsigned int *countp);
-/*
+/*%<
  * Like dns_rdataset_towire(), but sorting the rdatasets according to
  * the integer value returned by 'order' when called witih the rdataset
  * and 'order_arg' as arguments.
  *
  * Requires:
- *	All the requirements of dns_rdataset_towire(), and
+ *\li	All the requirements of dns_rdataset_towire(), and
  *	that order_arg is NULL if and only if order is NULL.
  */
 
@@ -392,76 +429,167 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
 			   unsigned int options,
 			   unsigned int *countp,
 			   void **state);
-/*
+/*%<
  * Like dns_rdataset_towiresorted() except that a partial rdataset
  * may be written.
  *
  * Requires:
- *	All the requirements of dns_rdataset_towiresorted().
+ *\li	All the requirements of dns_rdataset_towiresorted().
  *	If 'state' is non NULL then the current position in the
  *	rdataset will be remembered if the rdataset in not
  *	completely written and should be passed on on subsequent
  *	calls (NOT CURRENTLY IMPLEMENTED).
  *
  * Returns:
- *	ISC_R_SUCCESS if all of the records were written.
- *	ISC_R_NOSPACE if unable to fit in all of the records. *countp
+ *\li	#ISC_R_SUCCESS if all of the records were written.
+ *\li	#ISC_R_NOSPACE if unable to fit in all of the records. *countp
  *		      will be updated to reflect the number of records
  *		      written.
  */
 
-
 isc_result_t
 dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
 			    dns_additionaldatafunc_t add, void *arg);
-/*
+/*%<
  * For each rdata in rdataset, call 'add' for each name and type in the
  * rdata which is subject to additional section processing.
  *
  * Requires:
  *
- *	'rdataset' is a valid, non-question rdataset.
+ *\li	'rdataset' is a valid, non-question rdataset.
  *
- *	'add' is a valid dns_additionaldatafunc_t
+ *\li	'add' is a valid dns_additionaldatafunc_t
  *
  * Ensures:
  *
- *	If successful, dns_rdata_additionaldata() will have been called for
+ *\li	If successful, dns_rdata_additionaldata() will have been called for
  *	each rdata in 'rdataset'.
  *
- *	If a call to dns_rdata_additionaldata() is not successful, the
+ *\li	If a call to dns_rdata_additionaldata() is not successful, the
  *	result returned will be the result of dns_rdataset_additionaldata().
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_SUCCESS
  *
- *	Any error that dns_rdata_additionaldata() can return.
+ *\li	Any error that dns_rdata_additionaldata() can return.
  */
 
 isc_result_t
 dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
 			dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
-/*
+/*%<
  * Return the noqname proof for this record.
  *
  * Requires:
- *	'rdataset' to be valid and DNS_RDATASETATTR_NOQNAME to be set.
- *	'name' to be valid.
- *	'nsec' and 'nsecsig' to be valid and not associated.
+ *\li	'rdataset' to be valid and #DNS_RDATASETATTR_NOQNAME to be set.
+ *\li	'name' to be valid.
+ *\li	'nsec' and 'nsecsig' to be valid and not associated.
  */
 
 isc_result_t
 dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
-/*
+/*%<
  * Associate a noqname proof with this record.
- * Sets DNS_RDATASETATTR_NOQNAME if successful.
+ * Sets #DNS_RDATASETATTR_NOQNAME if successful.
  * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and
  * the 'nsec' and 'rrsig(nsec)' ttl.
  *
  * Requires:
- *	'rdataset' to be valid and DNS_RDATASETATTR_NOQNAME to be set.
- *	'name' to be valid and have NSEC and RRSIG(NSEC) rdatasets.
+ *\li	'rdataset' to be valid and #DNS_RDATASETATTR_NOQNAME to be set.
+ *\li	'name' to be valid and have NSEC and RRSIG(NSEC) rdatasets.
+ */
+
+isc_result_t
+dns_rdataset_getadditional(dns_rdataset_t *rdataset,
+			   dns_rdatasetadditional_t type,
+			   dns_rdatatype_t qtype,
+			   dns_acache_t *acache,
+			   dns_zone_t **zonep,
+			   dns_db_t **dbp,
+			   dns_dbversion_t **versionp,
+			   dns_dbnode_t **nodep,
+			   dns_name_t *fname,
+			   dns_message_t *msg,
+			   isc_stdtime_t now);
+/*%<
+ * Get cached additional information from the DB node for a particular
+ * 'rdataset.'  'type' is one of dns_rdatasetadditional_fromauth,
+ * dns_rdatasetadditional_fromcache, and dns_rdatasetadditional_fromglue,
+ * which specifies the origin of the information.  'qtype' is intended to
+ * be used for specifying a particular rdata type in the cached information.
+ *
+ * Requires:
+ * \li	'rdataset' is a valid rdataset.
+ * \li	'acache' can be NULL, in which case this function will simply return
+ * 	ISC_R_FAILURE.
+ * \li	For the other pointers, see dns_acache_getentry().
+ *
+ * Ensures:
+ * \li	See dns_acache_getentry().
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_FAILURE	- additional information caching is not supported.
+ * \li	#ISC_R_NOTFOUND	- the corresponding DB node has not cached additional
+ *			  information for 'rdataset.'
+ * \li	Any error that dns_acache_getentry() can return.
+ */
+
+isc_result_t
+dns_rdataset_setadditional(dns_rdataset_t *rdataset,
+			   dns_rdatasetadditional_t type,
+			   dns_rdatatype_t qtype,
+			   dns_acache_t *acache,
+			   dns_zone_t *zone,
+			   dns_db_t *db,
+			   dns_dbversion_t *version,
+			   dns_dbnode_t *node,
+			   dns_name_t *fname);
+/*%<
+ * Set cached additional information to the DB node for a particular
+ * 'rdataset.'  See dns_rdataset_getadditional for the semantics of 'type'
+ * and 'qtype'.
+ *
+ * Requires:
+ * \li	'rdataset' is a valid rdataset.
+ * \li	'acache' can be NULL, in which case this function will simply return
+ *	ISC_R_FAILURE.
+ * \li	For the other pointers, see dns_acache_setentry().
+ *
+ * Ensures:
+ * \li	See dns_acache_setentry().
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_FAILURE	- additional information caching is not supported.
+ * \li	#ISC_R_NOMEMORY
+ * \li	Any error that dns_acache_setentry() can return.
+ */
+
+isc_result_t
+dns_rdataset_putadditional(dns_acache_t *acache,
+			   dns_rdataset_t *rdataset,
+			   dns_rdatasetadditional_t type,
+			   dns_rdatatype_t qtype);
+/*%<
+ * Discard cached additional information stored in the DB node for a particular
+ * 'rdataset.'  See dns_rdataset_getadditional for the semantics of 'type'
+ * and 'qtype'.
+ *
+ * Requires:
+ * \li	'rdataset' is a valid rdataset.
+ * \li	'acache' can be NULL, in which case this function will simply return
+ *	ISC_R_FAILURE.
+ *
+ * Ensures:
+ * \li	See dns_acache_cancelentry().
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_FAILURE	- additional information caching is not supported.
+ * \li	#ISC_R_NOTFOUND	- the corresponding DB node has not cached additional
+ *			  information for 'rdataset.'
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/rdatasetiter.h b/contrib/bind9/lib/dns/include/dns/rdatasetiter.h
index 198aebb..b2e13f8 100644
--- a/contrib/bind9/lib/dns/include/dns/rdatasetiter.h
+++ b/contrib/bind9/lib/dns/include/dns/rdatasetiter.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatasetiter.h,v 1.14.206.1 2004/03/06 08:13:59 marka Exp $ */
+/* $Id: rdatasetiter.h,v 1.15.18.2 2005/04/29 00:16:19 marka Exp $ */
 
 #ifndef DNS_RDATASETITER_H
 #define DNS_RDATASETITER_H 1
@@ -24,9 +24,8 @@
  ***** Module Info
  *****/
 
-/*
- * DNS Rdataset Iterator
- *
+/*! \file
+ * \brief
  * The DNS Rdataset Iterator interface allows iteration of all of the
  * rdatasets at a node.
  *
@@ -37,25 +36,25 @@
  * It is the client's responsibility to call dns_rdataset_disassociate()
  * on all rdatasets returned.
  *
- * XXX <more> XXX
+ * XXX more XXX
  *
  * MP:
- *	The iterator itself is not locked.  The caller must ensure
+ *\li	The iterator itself is not locked.  The caller must ensure
  *	synchronization.
  *
- *	The iterator methods ensure appropriate database locking.
+ *\li	The iterator methods ensure appropriate database locking.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	<TBS>
+ *\li	TBS
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Standards:
- *	None.
+ *\li	None.
  */
 
 /*****
@@ -85,12 +84,12 @@ typedef struct dns_rdatasetitermethods {
 #define DNS_RDATASETITER_MAGIC	     ISC_MAGIC('D','N','S','i')
 #define DNS_RDATASETITER_VALID(i)    ISC_MAGIC_VALID(i, DNS_RDATASETITER_MAGIC)
 
-/*
+/*%
  * This structure is actually just the common prefix of a DNS db
  * implementation's version of a dns_rdatasetiter_t.
- *
+ * \brief
  * Direct use of this structure by clients is forbidden.  DB implementations
- * may change the structure.  'magic' must be DNS_RDATASETITER_MAGIC for
+ * may change the structure.  'magic' must be #DNS_RDATASETITER_MAGIC for
  * any of the dns_rdatasetiter routines to work.  DB implementations must
  * maintain all DB rdataset iterator invariants.
  */
@@ -106,64 +105,64 @@ struct dns_rdatasetiter {
 
 void
 dns_rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
-/*
+/*%<
  * Destroy '*iteratorp'.
  *
  * Requires:
  *
- *	'*iteratorp' is a valid iterator.
+ *\li	'*iteratorp' is a valid iterator.
  *
  * Ensures:
  *
- *	All resources used by the iterator are freed.
+ *\li	All resources used by the iterator are freed.
  *
- *	*iteratorp == NULL.
+ *\li	*iteratorp == NULL.
  */
 
 isc_result_t
 dns_rdatasetiter_first(dns_rdatasetiter_t *iterator);
-/*
+/*%<
  * Move the rdataset cursor to the first rdataset at the node (if any).
  *
  * Requires:
- *	'iterator' is a valid iterator.
+ *\li	'iterator' is a valid iterator.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMORE			There are no rdatasets at the node.
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMORE			There are no rdatasets at the node.
  *
- *	Other results are possible, depending on the DB implementation.
+ *\li	Other results are possible, depending on the DB implementation.
  */
 
 isc_result_t
 dns_rdatasetiter_next(dns_rdatasetiter_t *iterator);
-/*
+/*%<
  * Move the rdataset cursor to the next rdataset at the node (if any).
  *
  * Requires:
- *	'iterator' is a valid iterator.
+ *\li	'iterator' is a valid iterator.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMORE			There are no more rdatasets at the
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMORE			There are no more rdatasets at the
  *					node.
  *
- *	Other results are possible, depending on the DB implementation.
+ *\li	Other results are possible, depending on the DB implementation.
  */
 
 void
 dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
 			 dns_rdataset_t *rdataset);
-/*
+/*%<
  * Return the current rdataset.
  *
  * Requires:
- *	'iterator' is a valid iterator.
+ *\li	'iterator' is a valid iterator.
  *
- *	'rdataset' is a valid, disassociated rdataset.
+ *\li	'rdataset' is a valid, disassociated rdataset.
  *
- *	The rdataset cursor of 'iterator' is at a valid location (i.e. the
- *	result of last call to a cursor movement command was ISC_R_SUCCESS).
+ *\li	The rdataset cursor of 'iterator' is at a valid location (i.e. the
+ *	result of last call to a cursor movement command was #ISC_R_SUCCESS).
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/rdataslab.h b/contrib/bind9/lib/dns/include/dns/rdataslab.h
index a0912db..b693a71 100644
--- a/contrib/bind9/lib/dns/include/dns/rdataslab.h
+++ b/contrib/bind9/lib/dns/include/dns/rdataslab.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,34 +15,33 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataslab.h,v 1.20.2.2.2.4 2004/03/08 09:04:39 marka Exp $ */
+/* $Id: rdataslab.h,v 1.25.18.2 2005/04/29 00:16:19 marka Exp $ */
 
 #ifndef DNS_RDATASLAB_H
 #define DNS_RDATASLAB_H 1
 
-/*
- * DNS Rdata Slab
- *
+/*! \file
+ * \brief
  * Implements storage of rdatasets into slabs of memory.
  *
  * MP:
- *	Clients of this module must impose any required synchronization.
+ *\li	Clients of this module must impose any required synchronization.
  *
  * Reliability:
- *	This module deals with low-level byte streams.  Errors in any of
+ *\li	This module deals with low-level byte streams.  Errors in any of
  *	the functions are likely to crash the server or corrupt memory.
  *
- *	If the caller passes invalid memory references, these functions are
+ *\li	If the caller passes invalid memory references, these functions are
  *	likely to crash the server or corrupt memory.
  *
  * Resources:
- *	None.
+ *\li	None.
  *
  * Security:
- *	None.
+ *\li	None.
  *
  * Standards:
- *	None.
+ *\li	None.
  */
 
 /***
@@ -65,22 +64,22 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 			   isc_region_t *region, unsigned int reservelen);
-/*
+/*%<
  * Slabify a rdataset.  The slab area will be allocated and returned
  * in 'region'.
  *
  * Requires:
- *	'rdataset' is valid.
+ *\li	'rdataset' is valid.
  *
  * Ensures:
- *	'region' will have base pointing to the start of allocated memory,
+ *\li	'region' will have base pointing to the start of allocated memory,
  *	with the slabified region beginning at region->base + reservelen.
  *	region->length contains the total length allocated.
  *
  * Returns:
- *	ISC_R_SUCCESS		- successful completion
- *	ISC_R_NOMEMORY		- no memory.
- *	<XXX others>
+ *\li	ISC_R_SUCCESS		- successful completion
+ *\li	ISC_R_NOMEMORY		- no memory.
+ *\li	XXX others
  */
 
 void
@@ -88,27 +87,26 @@ dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen,
 			 dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
 			 dns_rdatatype_t covers, dns_ttl_t ttl,
 			 dns_rdataset_t *rdataset);
-/*
+/*%<
  * Construct an rdataset from a slab.
  *
  * Requires:
- *	'slab' points to a slab.
- *	'rdataset' is disassociated.
+ *\li	'slab' points to a slab.
+ *\li	'rdataset' is disassociated.
  *
  * Ensures:
- *	'rdataset' is associated and points to a valid rdataest.
+ *\li	'rdataset' is associated and points to a valid rdataest.
  */
-
 unsigned int
 dns_rdataslab_size(unsigned char *slab, unsigned int reservelen);
-/*
+/*%<
  * Return the total size of an rdataslab.
  *
  * Requires:
- *	'slab' points to a slab.
+ *\li	'slab' points to a slab.
  *
  * Returns:
- *	The number of bytes in the slab, including the reservelen.
+ *\li	The number of bytes in the slab, including the reservelen.
  */
 
 isc_result_t
@@ -116,7 +114,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 		    unsigned int reservelen, isc_mem_t *mctx,
 		    dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		    unsigned int flags, unsigned char **tslabp);
-/*
+/*%<
  * Merge 'oslab' and 'nslab'.
  */
 
@@ -125,7 +123,7 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 		       unsigned int reservelen, isc_mem_t *mctx,
 		       dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		       unsigned int flags, unsigned char **tslabp);
-/*
+/*%<
  * Subtract 'sslab' from 'mslab'.  If 'exact' is true then all elements
  * of 'sslab' must exist in 'mslab'.
  *
@@ -136,30 +134,28 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 isc_boolean_t
 dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
 		    unsigned int reservelen);
-
-/*
+/*%<
  * Compare two rdataslabs for equality.  This does _not_ do a full
  * DNSSEC comparison.
  *
  * Requires:
- *	'slab1' and 'slab2' point to slabs.
+ *\li	'slab1' and 'slab2' point to slabs.
  *
  * Returns:
- *	ISC_TRUE if the slabs are equal, ISC_FALSE otherwise.
+ *\li	ISC_TRUE if the slabs are equal, ISC_FALSE otherwise.
  */
-
 isc_boolean_t
 dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
 		     unsigned int reservelen, dns_rdataclass_t rdclass, 
 		     dns_rdatatype_t type);
-/*
+/*%<
  * Compare two rdataslabs for DNSSEC equality. 
  *
  * Requires:
- *	'slab1' and 'slab2' point to slabs.
+ *\li	'slab1' and 'slab2' point to slabs.
  *
  * Returns:
- *	ISC_TRUE if the slabs are equal, ISC_FALSE otherwise.
+ *\li	ISC_TRUE if the slabs are equal, #ISC_FALSE otherwise.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/rdatatype.h b/contrib/bind9/lib/dns/include/dns/rdatatype.h
index 0fa865d..40a884d 100644
--- a/contrib/bind9/lib/dns/include/dns/rdatatype.h
+++ b/contrib/bind9/lib/dns/include/dns/rdatatype.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatatype.h,v 1.17.206.1 2004/03/06 08:13:59 marka Exp $ */
+/* $Id: rdatatype.h,v 1.18.18.2 2005/04/29 00:16:20 marka Exp $ */
 
 #ifndef DNS_RDATATYPE_H
 #define DNS_RDATATYPE_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -28,49 +30,49 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source);
-/*
+/*%<
  * Convert the text 'source' refers to into a DNS rdata type.
  *
  * Requires:
- *	'typep' is a valid pointer.
+ *\li	'typep' is a valid pointer.
  *
- *	'source' is a valid text region.
+ *\li	'source' is a valid text region.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	DNS_R_UNKNOWN			type is unknown
+ *\li	ISC_R_SUCCESS			on success
+ *\li	DNS_R_UNKNOWN			type is unknown
  */
 
 isc_result_t
 dns_rdatatype_totext(dns_rdatatype_t type, isc_buffer_t *target);
-/*
+/*%<
  * Put a textual representation of type 'type' into 'target'.
  *
  * Requires:
- *	'type' is a valid type.
+ *\li	'type' is a valid type.
  *
- *	'target' is a valid text buffer.
+ *\li	'target' is a valid text buffer.
  *
- * Ensures:
- *	If the result is success:
- *		The used space in 'target' is updated.
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	ISC_R_NOSPACE			target buffer is too small
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
  */
 
 void
 dns_rdatatype_format(dns_rdatatype_t rdtype,
 		     char *array, unsigned int size);
-/*
+/*%<
  * Format a human-readable representation of the type 'rdtype'
  * into the character array 'array', which is of size 'size'.
  * The resulting string is guaranteed to be null-terminated.
  */
 
 #define DNS_RDATATYPE_FORMATSIZE sizeof("TYPE65535")
-/*
+/*%<
  * Minimum size of array to pass to dns_rdatatype_format().
  * May need to be adjusted if a new RR type with a very long
  * name is defined.
diff --git a/contrib/bind9/lib/dns/include/dns/request.h b/contrib/bind9/lib/dns/include/dns/request.h
index b3e7bcd..b858a9e 100644
--- a/contrib/bind9/lib/dns/include/dns/request.h
+++ b/contrib/bind9/lib/dns/include/dns/request.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: request.h,v 1.17.12.5 2004/03/08 09:04:39 marka Exp $ */
+/* $Id: request.h,v 1.21.18.2 2005/04/29 00:16:20 marka Exp $ */
 
 #ifndef DNS_REQUEST_H
 #define DNS_REQUEST_H 1
@@ -24,21 +24,21 @@
  ***** Module Info
  *****/
 
-/*
- * DNS Request
+/*! \file
  *
+ * \brief
  * The request module provides simple request/response services useful for
  * sending SOA queries, DNS Notify messages, and dynamic update requests.
  *
  * MP:
- *	The module ensures appropriate synchronization of data structures it
+ *\li	The module ensures appropriate synchronization of data structures it
  *	creates and manipulates.
  *
  * Resources:
- *	<TBS>
+ *\li	TBS
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  */
 
 #include <isc/lang.h>
@@ -62,102 +62,101 @@ dns_requestmgr_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
 		      dns_dispatchmgr_t *dispatchmgr,
 		      dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
 		      dns_requestmgr_t **requestmgrp);
-/*
+/*%<
  * Create a request manager.
  *
  * Requires:
  *
- *	'mctx' is a valid memory context.
+ *\li	'mctx' is a valid memory context.
  *
- *	'timermgr' is a valid timer manager.
+ *\li	'timermgr' is a valid timer manager.
  *
- *	'socketmgr' is a valid socket manager.
+ *\li	'socketmgr' is a valid socket manager.
  *
- *	'taskmgr' is a valid task manager.
+ *\li	'taskmgr' is a valid task manager.
  *
- *	'dispatchv4' is a valid dispatcher with an IPv4 UDP socket, or is NULL.
+ *\li	'dispatchv4' is a valid dispatcher with an IPv4 UDP socket, or is NULL.
  *
- *	'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
+ *\li	'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
  *
- *	requestmgrp != NULL && *requestmgrp == NULL
+ *\li	requestmgrp != NULL && *requestmgrp == NULL
  *
  * Ensures:
  *
- *	On success, *requestmgrp is a valid request manager.
+ *\li	On success, *requestmgrp is a valid request manager.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
+ *\li	ISC_R_SUCCESS
  *
- *	Any other result indicates failure.
+ *\li	Any other result indicates failure.
  */
 
 void
 dns_requestmgr_whenshutdown(dns_requestmgr_t *requestmgr, isc_task_t *task,
 			    isc_event_t **eventp);
-/*
+/*%<
  * Send '*eventp' to 'task' when 'requestmgr' has completed shutdown.
  *
  * Notes:
  *
- *	It is not safe to detach the last reference to 'requestmgr' until
+ *\li	It is not safe to detach the last reference to 'requestmgr' until
  *	shutdown is complete.
  *
  * Requires:
  *
- *	'requestmgr' is a valid request manager.
+ *\li	'requestmgr' is a valid request manager.
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
- *	*eventp is a valid event.
+ *\li	*eventp is a valid event.
  *
  * Ensures:
  *
- *	*eventp == NULL.
+ *\li	*eventp == NULL.
  */
 
 void
 dns_requestmgr_shutdown(dns_requestmgr_t *requestmgr);
-/*
+/*%<
  * Start the shutdown process for 'requestmgr'.
  *
  * Notes:
  *
- *	This call has no effect if the request manager is already shutting
+ *\li	This call has no effect if the request manager is already shutting
  *	down.
  *
  * Requires:
  *
- *	'requestmgr' is a valid requestmgr.
+ *\li	'requestmgr' is a valid requestmgr.
  */
 
 void
 dns_requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp);
-/*
+/*%<
  *	Attach to the request manager.  dns_requestmgr_shutdown() must not
  *	have been called on 'source' prior to calling dns_requestmgr_attach().
  *
  * Requires:
  *
- *	'source' is a valid requestmgr.
+ *\li	'source' is a valid requestmgr.
  *
- *	'targetp' to be non NULL and '*targetp' to be NULL.
+ *\li	'targetp' to be non NULL and '*targetp' to be NULL.
  */
 
 void
 dns_requestmgr_detach(dns_requestmgr_t **requestmgrp);
-/*
- *
+/*%<
  *	Detach from the given requestmgr.  If this is the final detach
  *	requestmgr will be destroyed.  dns_requestmgr_shutdown() must
  *	be called before the final detach.
  *
  * Requires:
  *
- *	'*requestmgrp' is a valid requestmgr.
+ *\li	'*requestmgrp' is a valid requestmgr.
  *
  * Ensures:
- *	'*requestmgrp' is NULL.
+ *\li	'*requestmgrp' is NULL.
  */
 
 isc_result_t
@@ -167,31 +166,32 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
 		   unsigned int timeout, isc_task_t *task,
 		   isc_taskaction_t action, void *arg,
 		   dns_request_t **requestp);
-/*
+/*%<
  * Create and send a request.
  *
  * Notes:
  *
- *	'message' will be rendered and sent to 'address'.  If the
- *	DNS_REQUESTOPT_TCP option is set, TCP will be used.  The request
+ *\li	'message' will be rendered and sent to 'address'.  If the
+ *	#DNS_REQUESTOPT_TCP option is set, TCP will be used.  The request
  *	will timeout after 'timeout' seconds.
  *
- *	When the request completes, successfully, due to a timeout, or
+ *\li	When the request completes, successfully, due to a timeout, or
  *	because it was canceled, a completion event will be sent to 'task'.
  *
  * Requires:
  *
- *	'message' is a valid DNS message.
+ *\li	'message' is a valid DNS message.
  *
- *	'address' is a valid sockaddr.
+ *\li	'address' is a valid sockaddr.
  *
- *	'timeout' > 0
+ *\li	'timeout' > 0
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
- *	requestp != NULL && *requestp == NULL
+ *\li	requestp != NULL && *requestp == NULL
  */
 
+/*% See dns_request_createvia3() */
 isc_result_t
 dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
 		      isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
@@ -200,6 +200,7 @@ dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
 		      isc_taskaction_t action, void *arg,
 		      dns_request_t **requestp);
 
+/*% See dns_request_createvia3() */
 isc_result_t
 dns_request_createvia2(dns_requestmgr_t *requestmgr, dns_message_t *message,
 		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
@@ -216,36 +217,37 @@ dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
 		       unsigned int udpretries, isc_task_t *task,
 		       isc_taskaction_t action, void *arg,
 		       dns_request_t **requestp);
-/*
+/*%< 
  * Create and send a request.
  *
  * Notes:
  *
- *	'message' will be rendered and sent to 'address'.  If the
- *	DNS_REQUESTOPT_TCP option is set, TCP will be used.  The request
+ *\li	'message' will be rendered and sent to 'address'.  If the
+ *	#DNS_REQUESTOPT_TCP option is set, TCP will be used.  The request
  *	will timeout after 'timeout' seconds.  UDP requests will be resent
  *	at 'udptimeout' intervals if non-zero or 'udpretries' is non-zero.
  *
- *	When the request completes, successfully, due to a timeout, or
+ *\li	When the request completes, successfully, due to a timeout, or
  *	because it was canceled, a completion event will be sent to 'task'.
  *
  * Requires:
  *
- *	'message' is a valid DNS message.
+ *\li	'message' is a valid DNS message.
  *
- *	'dstaddr' is a valid sockaddr.
+ *\li	'dstaddr' is a valid sockaddr.
  *
- *	'srcaddr' is a valid sockaddr or NULL.
+ *\li	'srcaddr' is a valid sockaddr or NULL.
  *
- *	'srcaddr' and 'dstaddr' are the same protocol family.
+ *\li	'srcaddr' and 'dstaddr' are the same protocol family.
  *
- *	'timeout' > 0
+ *\li	'timeout' > 0
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
- *	requestp != NULL && *requestp == NULL
+ *\li	requestp != NULL && *requestp == NULL
  */
 
+/*% See dns_request_createraw3() */
 isc_result_t
 dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
 		      isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
@@ -253,6 +255,7 @@ dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
 		      isc_task_t *task, isc_taskaction_t action, void *arg,
 		      dns_request_t **requestp);
 
+/*% See dns_request_createraw3() */
 isc_result_t
 dns_request_createraw2(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
 		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
@@ -268,55 +271,55 @@ dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
 		       unsigned int udptimeout, unsigned int udpretries,
 		       isc_task_t *task, isc_taskaction_t action, void *arg,
 		       dns_request_t **requestp);
-/*
- * Create and send a request.
+/*!< 
+ * \brief Create and send a request.
  *
  * Notes:
  *
- *	'msgbuf' will be sent to 'destaddr' after setting the id.  If the
- *	DNS_REQUESTOPT_TCP option is set, TCP will be used.  The request
+ *\li	'msgbuf' will be sent to 'destaddr' after setting the id.  If the
+ *	#DNS_REQUESTOPT_TCP option is set, TCP will be used.  The request
  *	will timeout after 'timeout' seconds.   UDP requests will be resent
  *	at 'udptimeout' intervals if non-zero or if 'udpretries' is not zero.
  *	
- *	When the request completes, successfully, due to a timeout, or
+ *\li	When the request completes, successfully, due to a timeout, or
  *	because it was canceled, a completion event will be sent to 'task'.
  *
  * Requires:
  *
- *	'msgbuf' is a valid DNS message in compressed wire format.
+ *\li	'msgbuf' is a valid DNS message in compressed wire format.
  *
- *	'destaddr' is a valid sockaddr.
+ *\li	'destaddr' is a valid sockaddr.
  *
- *	'srcaddr' is a valid sockaddr or NULL.
+ *\li	'srcaddr' is a valid sockaddr or NULL.
  *
- *	'srcaddr' and 'dstaddr' are the same protocol family.
+ *\li	'srcaddr' and 'dstaddr' are the same protocol family.
  *
- *	'timeout' > 0
+ *\li	'timeout' > 0
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
- *	requestp != NULL && *requestp == NULL
+ *\li	requestp != NULL && *requestp == NULL
  */
 
 void
 dns_request_cancel(dns_request_t *request);
-/*
+/*%<
  * Cancel 'request'.
  *
  * Requires:
  *
- *	'request' is a valid request.
+ *\li	'request' is a valid request.
  *
  * Ensures:
  *
- *	If the completion event for 'request' has not yet been sent, it
+ *\li	If the completion event for 'request' has not yet been sent, it
  *	will be sent, and the result code will be ISC_R_CANCELED.
  */
 
 isc_result_t
 dns_request_getresponse(dns_request_t *request, dns_message_t *message,
 			unsigned int options);
-/*
+/*%<
  * Get the response to 'request' by filling in 'message'.
  *
  * 'options' is passed to dns_message_parse().  See dns_message_parse()
@@ -324,46 +327,46 @@ dns_request_getresponse(dns_request_t *request, dns_message_t *message,
  *
  * Requires:
  *
- *	'request' is a valid request for which the caller has received the
+ *\li	'request' is a valid request for which the caller has received the
  *	completion event.
  *
- *	The result code of the completion event was ISC_R_SUCCESS.
+ *\li	The result code of the completion event was #ISC_R_SUCCESS.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
+ *\li	ISC_R_SUCCESS
  *
- *	Any result that dns_message_parse() can return.
+ *\li	Any result that dns_message_parse() can return.
  */
 
 isc_boolean_t
 dns_request_usedtcp(dns_request_t *request);
-/*
- * Return whether this query used TCP or not.  Setting DNS_REQUESTOPT_TCP
+/*%<
+ * Return whether this query used TCP or not.  Setting #DNS_REQUESTOPT_TCP
  * in the call to dns_request_create() will cause the function to return
- * ISC_TRUE, othewise the result is based on the query message size.
+ * #ISC_TRUE, othewise the result is based on the query message size.
  *
  * Requires:
- *	'request' is a valid request.
+ *\li	'request' is a valid request.
  *
  * Returns:
- *	ISC_TRUE	if TCP was used.
- *	ISC_FALSE	if UDP was used.
+ *\li	ISC_TRUE	if TCP was used.
+ *\li	ISC_FALSE	if UDP was used.
  */
 
 void
 dns_request_destroy(dns_request_t **requestp);
-/*
+/*%<
  * Destroy 'request'.
  *
  * Requires:
  *
- *	'request' is a valid request for which the caller has received the
+ *\li	'request' is a valid request for which the caller has received the
  *	completion event.
  *
  * Ensures:
  *
- *	*requestp == NULL
+ *\li	*requestp == NULL
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/resolver.h b/contrib/bind9/lib/dns/include/dns/resolver.h
index 8e3e632..4e0e6a0 100644
--- a/contrib/bind9/lib/dns/include/dns/resolver.h
+++ b/contrib/bind9/lib/dns/include/dns/resolver.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.h,v 1.34.12.9 2006/02/01 23:48:51 marka Exp $ */
+/* $Id: resolver.h,v 1.40.18.11 2006/02/01 22:39:17 marka Exp $ */
 
 #ifndef DNS_RESOLVER_H
 #define DNS_RESOLVER_H 1
@@ -24,9 +24,9 @@
  ***** Module Info
  *****/
 
-/*
- * DNS Resolver
+/*! \file
  *
+ * \brief
  * This is the BIND 9 resolver, the module responsible for resolving DNS
  * requests by iteratively querying authoritative servers and following
  * referrals.  This is a "full resolver", not to be confused with
@@ -35,21 +35,21 @@
  * daemon the stub resolver talks to.
  *
  * MP:
- *	The module ensures appropriate synchronization of data structures it
+ *\li	The module ensures appropriate synchronization of data structures it
  *	creates and manipulates.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	<TBS>
+ *\li	TBS
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Standards:
- *	RFCs:	1034, 1035, 2181, <TBS>
- *	Drafts:	<TBS>
+ *\li	RFCs:	1034, 1035, 2181, TBS
+ *\li	Drafts:	TBS
  */
 
 #include <isc/lang.h>
@@ -60,14 +60,14 @@
 
 ISC_LANG_BEGINDECLS
 
-/*
+/*%
  * A dns_fetchevent_t is sent when a 'fetch' completes.  Any of 'db',
  * 'node', 'rdataset', and 'sigrdataset' may be bound.  It is the
  * receiver's responsibility to detach before freeing the event.
- *
- * 'rdataset' and 'sigrdataset' are the values that were supplied when
- * dns_resolver_createfetch() was called.  They are returned to the
- * caller so that they may be freed.
+ * \brief
+ * 'rdataset', 'sigrdataset', 'client' and 'id' are the values that were
+ * supplied when dns_resolver_createfetch() was called.  They are returned
+ *  to the caller so that they may be freed.
  */
 typedef struct dns_fetchevent {
 	ISC_EVENT_COMMON(struct dns_fetchevent);
@@ -79,17 +79,25 @@ typedef struct dns_fetchevent {
 	dns_rdataset_t *		rdataset;
 	dns_rdataset_t *		sigrdataset;
 	dns_fixedname_t			foundname;
+	isc_sockaddr_t *		client;
+	dns_messageid_t			id;
 } dns_fetchevent_t;
 
 /*
  * Options that modify how a 'fetch' is done.
  */
-#define DNS_FETCHOPT_TCP		0x01	     /* Use TCP. */
-#define DNS_FETCHOPT_UNSHARED		0x02	     /* See below. */
-#define DNS_FETCHOPT_RECURSIVE		0x04	     /* Set RD? */
-#define DNS_FETCHOPT_NOEDNS0		0x08	     /* Do not use EDNS. */
-#define DNS_FETCHOPT_FORWARDONLY	0x10	     /* Only use forwarders. */
-#define DNS_FETCHOPT_NOVALIDATE		0x20	     /* Disable validation. */
+#define DNS_FETCHOPT_TCP		0x01	     /*%< Use TCP. */
+#define DNS_FETCHOPT_UNSHARED		0x02	     /*%< See below. */
+#define DNS_FETCHOPT_RECURSIVE		0x04	     /*%< Set RD? */
+#define DNS_FETCHOPT_NOEDNS0		0x08	     /*%< Do not use EDNS. */
+#define DNS_FETCHOPT_FORWARDONLY	0x10	     /*%< Only use forwarders. */
+#define DNS_FETCHOPT_NOVALIDATE		0x20	     /*%< Disable validation. */
+#define DNS_FETCHOPT_EDNS512		0x40	     /*%< Advertise a 512 byte
+						          UDP buffer. */
+
+#define	DNS_FETCHOPT_EDNSVERSIONSET	0x00800000
+#define	DNS_FETCHOPT_EDNSVERSIONMASK	0xff000000
+#define	DNS_FETCHOPT_EDNSVERSIONSHIFT	24
 
 /*
  * XXXRTH  Should this API be made semi-private?  (I.e.
@@ -110,114 +118,114 @@ dns_resolver_create(dns_view_t *view,
 		    dns_dispatch_t *dispatchv6,
 		    dns_resolver_t **resp);
 
-/*
+/*%<
  * Create a resolver.
  *
  * Notes:
  *
- *	Generally, applications should not create a resolver directly, but
+ *\li	Generally, applications should not create a resolver directly, but
  *	should instead call dns_view_createresolver().
  *
- *	No options are currently defined.
+ *\li	No options are currently defined.
  *
  * Requires:
  *
- *	'view' is a valid view.
+ *\li	'view' is a valid view.
  *
- *	'taskmgr' is a valid task manager.
+ *\li	'taskmgr' is a valid task manager.
  *
- *	'ntasks' > 0.
+ *\li	'ntasks' > 0.
  *
- *	'socketmgr' is a valid socket manager.
+ *\li	'socketmgr' is a valid socket manager.
  *
- *	'timermgr' is a valid timer manager.
+ *\li	'timermgr' is a valid timer manager.
  *
- *	'dispatchv4' is a valid dispatcher with an IPv4 UDP socket, or is NULL.
+ *\li	'dispatchv4' is a valid dispatcher with an IPv4 UDP socket, or is NULL.
  *
- *	'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
+ *\li	'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
  *
- *	resp != NULL && *resp == NULL.
+ *\li	resp != NULL && *resp == NULL.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS				On success.
+ *\li	#ISC_R_SUCCESS				On success.
  *
- *	Anything else				Failure.
+ *\li	Anything else				Failure.
  */
 
 void
 dns_resolver_freeze(dns_resolver_t *res);
-/*
+/*%<
  * Freeze resolver.
  *
  * Notes:
  *
- *	Certain configuration changes cannot be made after the resolver
+ *\li	Certain configuration changes cannot be made after the resolver
  *	is frozen.  Fetches cannot be created until the resolver is frozen.
  *
  * Requires:
  *
- *	'res' is a valid, unfrozen resolver.
+ *\li	'res' is a valid, unfrozen resolver.
  *
  * Ensures:
  *
- *	'res' is frozen.
+ *\li	'res' is frozen.
  */
 
 void
 dns_resolver_prime(dns_resolver_t *res);
-/*
+/*%<
  * Prime resolver.
  *
  * Notes:
  *
- *	Resolvers which have a forwarding policy other than dns_fwdpolicy_only
+ *\li	Resolvers which have a forwarding policy other than dns_fwdpolicy_only
  *	need to be primed with the root nameservers, otherwise the root
  *	nameserver hints data may be used indefinitely.  This function requests
  *	that the resolver start a priming fetch, if it isn't already priming.
  *
  * Requires:
  *
- *	'res' is a valid, frozen resolver.
+ *\li	'res' is a valid, frozen resolver.
  */
 
 
 void
 dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
 			  isc_event_t **eventp);
-/*
+/*%<
  * Send '*eventp' to 'task' when 'res' has completed shutdown.
  *
  * Notes:
  *
- *	It is not safe to detach the last reference to 'res' until
+ *\li	It is not safe to detach the last reference to 'res' until
  *	shutdown is complete.
  *
  * Requires:
  *
- *	'res' is a valid resolver.
+ *\li	'res' is a valid resolver.
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
- *	*eventp is a valid event.
+ *\li	*eventp is a valid event.
  *
  * Ensures:
  *
- *	*eventp == NULL.
+ *\li	*eventp == NULL.
  */
 
 void
 dns_resolver_shutdown(dns_resolver_t *res);
-/*
+/*%<
  * Start the shutdown process for 'res'.
  *
  * Notes:
  *
- *	This call has no effect if the resolver is already shutting down.
+ *\li	This call has no effect if the resolver is already shutting down.
  *
  * Requires:
  *
- *	'res' is a valid resolver.
+ *\li	'res' is a valid resolver.
  */
 
 void
@@ -236,88 +244,108 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
 			 dns_rdataset_t *rdataset,
 			 dns_rdataset_t *sigrdataset,
 			 dns_fetch_t **fetchp);
-/*
+
+isc_result_t
+dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
+			  dns_rdatatype_t type,
+			  dns_name_t *domain, dns_rdataset_t *nameservers,
+			  dns_forwarders_t *forwarders,
+			  isc_sockaddr_t *client, isc_uint16_t id,
+			  unsigned int options, isc_task_t *task,
+			  isc_taskaction_t action, void *arg,
+			  dns_rdataset_t *rdataset,
+			  dns_rdataset_t *sigrdataset,
+			  dns_fetch_t **fetchp);
+/*%<
  * Recurse to answer a question.
  *
  * Notes:
  *
- *	This call starts a query for 'name', type 'type'.
+ *\li	This call starts a query for 'name', type 'type'.
  *
- *	The 'domain' is a parent domain of 'name' for which
+ *\li	The 'domain' is a parent domain of 'name' for which
  *	a set of name servers 'nameservers' is known.  If no
  *	such name server information is available, set
  * 	'domain' and 'nameservers' to NULL.
  *
- *	'forwarders' is unimplemented, and subject to change when
+ *\li	'forwarders' is unimplemented, and subject to change when
  *	we figure out how selective forwarding will work.
  *
- *	When the fetch completes (successfully or otherwise), a
- *	DNS_EVENT_FETCHDONE event with action 'action' and arg 'arg' will be
+ *\li	When the fetch completes (successfully or otherwise), a
+ *	#DNS_EVENT_FETCHDONE event with action 'action' and arg 'arg' will be
  *	posted to 'task'.
  *
- *	The values of 'rdataset' and 'sigrdataset' will be returned in
+ *\li	The values of 'rdataset' and 'sigrdataset' will be returned in
  *	the FETCHDONE event.
  *
+ *\li	'client' and 'id' are used for duplicate query detection.  '*client'
+ *	must remain stable until after 'action' has been called or
+ *	dns_resolver_cancelfetch() is called.
+ *
  * Requires:
  *
- *	'res' is a valid resolver that has been frozen.
+ *\li	'res' is a valid resolver that has been frozen.
  *
- *	'name' is a valid name.
+ *\li	'name' is a valid name.
  *
- *	'type' is not a meta type other than ANY.
+ *\li	'type' is not a meta type other than ANY.
  *
- *	'domain' is a valid name or NULL.
+ *\li	'domain' is a valid name or NULL.
  *
- *	'nameservers' is a valid NS rdataset (whose owner name is 'domain')
+ *\li	'nameservers' is a valid NS rdataset (whose owner name is 'domain')
  *	iff. 'domain' is not NULL.
  *
- *	'forwarders' is NULL.
+ *\li	'forwarders' is NULL.
+ *
+ *\li	'client' is a valid sockaddr or NULL.
  *
- *	'options' contains valid options.
+ *\li	'options' contains valid options.
  *
- *	'rdataset' is a valid, disassociated rdataset.
+ *\li	'rdataset' is a valid, disassociated rdataset.
  *
- *	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
  *
- *	fetchp != NULL && *fetchp == NULL.
+ *\li	fetchp != NULL && *fetchp == NULL.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS					Success
+ *\li	#ISC_R_SUCCESS					Success
+ *\li	#DNS_R_DUPLICATE
+ *\li	#DNS_R_DROP
  *
- *	Many other values are possible, all of which indicate failure.
+ *\li	Many other values are possible, all of which indicate failure.
  */
 
 void
 dns_resolver_cancelfetch(dns_fetch_t *fetch);
-/*
+/*%<
  * Cancel 'fetch'.
  *
  * Notes:
  *
- *	If 'fetch' has not completed, post its FETCHDONE event with a
- *	result code of ISC_R_CANCELED.
+ *\li	If 'fetch' has not completed, post its FETCHDONE event with a
+ *	result code of #ISC_R_CANCELED.
  *
  * Requires:
  *
- *	'fetch' is a valid fetch.
+ *\li	'fetch' is a valid fetch.
  */
 
 void
 dns_resolver_destroyfetch(dns_fetch_t **fetchp);
-/*
+/*%<
  * Destroy 'fetch'.
  *
  * Requires:
  *
- *	'*fetchp' is a valid fetch.
+ *\li	'*fetchp' is a valid fetch.
  *
- *	The caller has received the FETCHDONE event (either because the
+ *\li	The caller has received the FETCHDONE event (either because the
  *	fetch completed or because dns_resolver_cancelfetch() was called).
  *
  * Ensures:
  *
- *	*fetchp == NULL.
+ *\li	*fetchp == NULL.
  */
 
 dns_dispatchmgr_t *
@@ -337,25 +365,25 @@ dns_resolver_taskmgr(dns_resolver_t *resolver);
 
 isc_uint32_t
 dns_resolver_getlamettl(dns_resolver_t *resolver);
-/*
+/*%<
  * Get the resolver's lame-ttl.  zero => no lame processing.
  *
  * Requires:
- *	'resolver' to be valid.
+ *\li	'resolver' to be valid.
  */
 
 void
 dns_resolver_setlamettl(dns_resolver_t *resolver, isc_uint32_t lame_ttl);
-/*
+/*%<
  * Set the resolver's lame-ttl.  zero => no lame processing.
  *
  * Requires:
- *	'resolver' to be valid.
+ *\li	'resolver' to be valid.
  */
 
 unsigned int
 dns_resolver_nrunning(dns_resolver_t *resolver);
-/*
+/*%<
  * Return the number of currently running resolutions in this
  * resolver.  This is may be less than the number of outstanding
  * fetches due to multiple identical fetches, or more than the
@@ -366,56 +394,62 @@ dns_resolver_nrunning(dns_resolver_t *resolver);
 isc_result_t
 dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt,
 			  dns_name_t *name, in_port_t port);
-/*
+/*%<
  * Add alternate addresses to be tried in the event that the nameservers
  * for a zone are not available in the address families supported by the
  * operating system.
  *
  * Require:
- * 	only one of 'name' or 'alt' to be valid.
+ * \li	only one of 'name' or 'alt' to be valid.
  */
 
 void
 dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize);
-/*
+/*%<
  * Set the EDNS UDP buffer size advertised by the server.
  */
 
 isc_uint16_t
 dns_resolver_getudpsize(dns_resolver_t *resolver);
-/*
+/*%<
  * Get the current EDNS UDP buffer size.
  */
 
 void
 dns_resolver_reset_algorithms(dns_resolver_t *resolver);
-/*
+/*%<
  * Clear the disabled DNSSEC algorithms.
  */
 
 isc_result_t
 dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
 			       unsigned int alg);
-/*
+/*%<
  * Mark the give DNSSEC algorithm as disabled and below 'name'.
  * Valid algorithms are less than 256.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_RANGE
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_RANGE
+ *\li	#ISC_R_NOMEMORY
  */
 
 isc_boolean_t
 dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
 				 unsigned int alg);
-/*
+/*%<
  * Check if the given algorithm is supported by this resolver.
  * This checks if the algorithm has been disabled via
  * dns_resolver_disable_algorithm() then the underlying
  * crypto libraries if not specifically disabled.
  */
 
+isc_boolean_t
+dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest_type);
+/*%<
+ * Is this digest type supported.
+ */
+
 void
 dns_resolver_resetmustbesecure(dns_resolver_t *resolver);
 
@@ -426,6 +460,20 @@ dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name,
 isc_boolean_t
 dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name);
 
+void
+dns_resolver_setclientsperquery(dns_resolver_t *resolver,
+				isc_uint32_t min, isc_uint32_t max);
+
+void
+dns_resolver_getclientsperquery(dns_resolver_t *resolver, isc_uint32_t *cur,
+				isc_uint32_t *min, isc_uint32_t *max);
+
+isc_boolean_t
+dns_resolver_getzeronosoattl(dns_resolver_t *resolver);
+ 
+void
+dns_resolver_setzeronosoattl(dns_resolver_t *resolver, isc_boolean_t state);
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_RESOLVER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/result.h b/contrib/bind9/lib/dns/include/dns/result.h
index f1a71d9..db5481b 100644
--- a/contrib/bind9/lib/dns/include/dns/result.h
+++ b/contrib/bind9/lib/dns/include/dns/result.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.81.2.7.2.13 2004/05/14 05:06:41 marka Exp $ */
+/* $Id: result.h,v 1.104.10.6 2005/06/17 02:04:32 marka Exp $ */
 
 #ifndef DNS_RESULT_H
 #define DNS_RESULT_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/resultclass.h>
 
@@ -143,8 +145,10 @@
 #define DNS_R_UNKNOWNCOMMAND		(ISC_RESULTCLASS_DNS + 99)
 #define DNS_R_MUSTBESECURE		(ISC_RESULTCLASS_DNS + 100)
 #define DNS_R_COVERINGNSEC		(ISC_RESULTCLASS_DNS + 101)
+#define DNS_R_MXISADDRESS		(ISC_RESULTCLASS_DNS + 102)
+#define DNS_R_DUPLICATE			(ISC_RESULTCLASS_DNS + 103)
 
-#define DNS_R_NRESULTS			102	/* Number of results */
+#define DNS_R_NRESULTS			104	/*%< Number of results */
 
 /*
  * DNS wire format rcodes.
@@ -165,7 +169,7 @@
 #define DNS_R_NOTZONE			(ISC_RESULTCLASS_DNSRCODE + 10)
 #define DNS_R_BADVERS			(ISC_RESULTCLASS_DNSRCODE + 16)
 
-#define DNS_R_NRCODERESULTS		17	/* Number of rcode results */
+#define DNS_R_NRCODERESULTS		17	/*%< Number of rcode results */
 
 #define DNS_RESULT_ISRCODE(result) \
 	(ISC_RESULTCLASS_INCLASS(ISC_RESULTCLASS_DNSRCODE, (result)))
diff --git a/contrib/bind9/lib/dns/include/dns/rootns.h b/contrib/bind9/lib/dns/include/dns/rootns.h
index 02da556..a3ddc48 100644
--- a/contrib/bind9/lib/dns/include/dns/rootns.h
+++ b/contrib/bind9/lib/dns/include/dns/rootns.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rootns.h,v 1.8.206.1 2004/03/06 08:14:00 marka Exp $ */
+/* $Id: rootns.h,v 1.9.18.3 2005/04/27 05:01:38 sra Exp $ */
 
 #ifndef DNS_ROOTNS_H
 #define DNS_ROOTNS_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -30,6 +32,14 @@ isc_result_t
 dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
                   const char *filename, dns_db_t **target);
 
+void
+dns_root_checkhints(dns_view_t *view, dns_db_t *hints, dns_db_t *db);
+/*
+ * Reports differences between hints and the real roots.
+ *
+ * Requires view, hints and (cache) db to be valid.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_ROOTNS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/sdb.h b/contrib/bind9/lib/dns/include/dns/sdb.h
index 5fdeace..de849f9 100644
--- a/contrib/bind9/lib/dns/include/dns/sdb.h
+++ b/contrib/bind9/lib/dns/include/dns/sdb.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdb.h,v 1.12.12.3 2004/03/08 09:04:39 marka Exp $ */
+/* $Id: sdb.h,v 1.15.18.2 2005/04/29 00:16:21 marka Exp $ */
 
 #ifndef DNS_SDB_H
 #define DNS_SDB_H 1
@@ -24,7 +24,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * Simple database API.
  */
 
@@ -40,17 +41,17 @@
  *** Types
  ***/
 
-/*
+/*%
  * A simple database.  This is an opaque type.
  */
 typedef struct dns_sdb dns_sdb_t;
 
-/*
+/*%
  * A simple database lookup in progress.  This is an opaque type.
  */
 typedef struct dns_sdblookup dns_sdblookup_t;
 
-/*
+/*%
  * A simple database traversal in progress.  This is an opaque type.
  */
 typedef struct dns_sdballnodes dns_sdballnodes_t;
@@ -96,7 +97,7 @@ isc_result_t
 dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
 		 void *driverdata, unsigned int flags, isc_mem_t *mctx,
 		 dns_sdbimplementation_t **sdbimp);
-/*
+/*%<
  * Register a simple database driver for the database type 'drivername',
  * implemented by the functions in '*methods'.
  *
@@ -126,7 +127,7 @@ dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
  * The allnodes function, if non-NULL, fills in an opaque structure to be
  * used by a database iterator.  This allows the zone to be transferred.
  * This may use a considerable amount of memory for large zones, and the
- * zone transfer may not be fully RFC 1035 compliant if the zone is 
+ * zone transfer may not be fully RFC1035 compliant if the zone is 
  * frequently changed.
  *
  * The create function will be called for each zone configured
@@ -156,19 +157,20 @@ dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
 
 void
 dns_sdb_unregister(dns_sdbimplementation_t **sdbimp);
-/*
+/*%<
  * Removes the simple database driver from the list of registered database
  * types.  There must be no active databases of this type when this function
  * is called.
  */
 
+/*% See dns_sdb_putradata() */
 isc_result_t
 dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
 	      const char *data);
 isc_result_t
 dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t type, dns_ttl_t ttl,
 		 const unsigned char *rdata, unsigned int rdlen);
-/*
+/*%<
  * Add a single resource record to the lookup structure to be
  * returned in the query response.  dns_sdb_putrr() takes the
  * resource record in master file text format as a null-terminated
@@ -176,6 +178,7 @@ dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t type, dns_ttl_t ttl,
  * uncompressed wire format.
  */
 
+/*% See dns_sdb_putnamerdata() */
 isc_result_t
 dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
 		   const char *type, dns_ttl_t ttl, const char *data);
@@ -183,7 +186,7 @@ isc_result_t
 dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name,
 		      dns_rdatatype_t type, dns_ttl_t ttl,
 		      const void *rdata, unsigned int rdlen);
-/*
+/*%<
  * Add a single resource record to the allnodes structure to be
  * included in a zone transfer response, in text or wire
  * format as above.
@@ -192,7 +195,7 @@ dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name,
 isc_result_t
 dns_sdb_putsoa(dns_sdblookup_t *lookup, const char *mname, const char *rname,
 	       isc_uint32_t serial);
-/*
+/*%<
  * This function may optionally be called from the 'authority' callback
  * to simplify construction of the SOA record for 'zone'.  It will
  * provide a SOA listing 'mname' as as the master server and 'rname' as
diff --git a/contrib/bind9/lib/dns/include/dns/sdlz.h b/contrib/bind9/lib/dns/include/dns/sdlz.h
new file mode 100644
index 0000000..13ba14a
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/sdlz.h
@@ -0,0 +1,266 @@
+/*
+ * Portions Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sdlz.h,v 1.2.2.2 2005/09/06 03:47:19 marka Exp $ */
+
+/*! \file */
+
+#ifndef SDLZ_H
+#define SDLZ_H 1
+
+#include <dns/dlz.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_SDLZFLAG_THREADSAFE		0x00000001U
+#define DNS_SDLZFLAG_RELATIVEOWNER	0x00000002U
+#define DNS_SDLZFLAG_RELATIVERDATA	0x00000004U
+
+ /* A simple DLZ database. */
+typedef struct dns_sdlz_db dns_sdlz_db_t;
+
+ /* A simple DLZ database lookup in progress. */
+typedef struct dns_sdlzlookup dns_sdlzlookup_t;
+
+ /* A simple DLZ database traversal in progress. */
+typedef struct dns_sdlzallnodes dns_sdlzallnodes_t;
+
+
+typedef isc_result_t
+(*dns_sdlzallnodesfunc_t)(const char *zone, void *driverarg, void *dbdata,
+			  dns_sdlzallnodes_t *allnodes);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply an all nodes method.  This method is called when the DNS
+ * server is performing a zone transfer query, after the allow zone
+ * transfer method has been called.  This method is only called if the
+ * allow zone transfer method returned ISC_R_SUCCESS.  This method and
+ * the allow zone transfer method are both required for zone transfers
+ * to be supported.  If the driver generates data dynamically (instead
+ * of searching in a database for it) it should not implement this
+ * function as a zone transfer would be meaningless.  A SDLZ driver
+ * does not have to implement an all nodes method.
+ */
+
+typedef isc_result_t
+(*dns_sdlzallowzonexfr_t)(void *driverarg, void *dbdata, const char *name,
+			  const char *client);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply an allow zone transfer method.  This method is called when
+ * the DNS server is performing a zone transfer query, before the all
+ * nodes method can be called.  This method and the all node method
+ * are both required for zone transfers to be supported.  If the
+ * driver generates data dynamically (instead of searching in a
+ * database for it) it should not implement this function as a zone
+ * transfer would be meaningless.  A SDLZ driver does not have to
+ * implement an allow zone transfer method.
+ *
+ * This method should return ISC_R_SUCCESS if the zone is supported by
+ * the database and a zone transfer is allowed for the specified
+ * client.  If the zone is supported by the database, but zone
+ * transfers are not allowed for the specified client this method
+ * should return ISC_R_NOPERM..  Lastly the method should return
+ * ISC_R_NOTFOUND if the zone is not supported by the database.  If an
+ * error occurs it should return a result code indicating the type of
+ * error.
+ */
+
+typedef isc_result_t
+(*dns_sdlzauthorityfunc_t)(const char *zone, void *driverarg, void *dbdata,
+			   dns_sdlzlookup_t *lookup);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply an authority method.  This method is called when the DNS
+ * server is performing a query, after both the find zone and lookup
+ * methods have been called.  This method is required if the lookup
+ * function does not supply authority information for the dns
+ * record. A SDLZ driver does not have to implement an authority
+ * method.
+ */
+
+typedef isc_result_t
+(*dns_sdlzcreate_t)(const char *dlzname, unsigned int argc, char *argv[],
+		    void *driverarg, void **dbdata);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply a create method.  This method is called when the DNS server
+ * is starting up and creating drivers for use later. A SDLZ driver
+ * does not have to implement a create method.
+ */
+
+typedef void
+(*dns_sdlzdestroy_t)(void *driverarg, void *dbdata);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply a destroy method.  This method is called when the DNS server
+ * is shuting down and no longer needs the driver.  A SDLZ driver does
+ * not have to implement a destroy method.
+ */
+
+typedef isc_result_t
+(*dns_sdlzfindzone_t)(void *driverarg, void *dbdata, const char *name);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface MUST
+ * supply a find zone method.  This method is called when the DNS
+ * server is performing a query to to determine if 'name' is a
+ * supported dns zone.  The find zone method will be called with the
+ * longest possible name first, and continue to be called with
+ * successively shorter domain names, until any of the following
+ * occur:
+ *
+ * \li	1) the function returns (ISC_R_SUCCESS) indicating a zone name
+ *	   match.
+ *
+ * \li	2) a problem occurs, and the functions returns anything other than
+ *	   (ISC_R_NOTFOUND)
+ *
+ * \li	3) we run out of domain name labels. I.E. we have tried the
+ *	   shortest domain name
+ *
+ * \li	4) the number of labels in the domain name is less than min_lables
+ *	   for dns_dlzfindzone
+ *
+ * The driver's find zone method should return ISC_R_SUCCESS if the
+ * zone is supported by the database.  Otherwise it should return
+ * ISC_R_NOTFOUND, if the zone is not supported.  If an error occurs
+ * it should return a result code indicating the type of error.
+ */
+
+typedef isc_result_t
+(*dns_sdlzlookupfunc_t)(const char *zone, const char *name, void *driverarg,
+			void *dbdata, dns_sdlzlookup_t *lookup);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface MUST
+ * supply a lookup method.  This method is called when the DNS server
+ * is performing a query, after the find zone and before any other
+ * methods have been called.  This function returns record DNS record
+ * information using the dns_sdlz_putrr and dns_sdlz_putsoa functions.
+ * If this function supplies authority information for the DNS record
+ * the authority method is not required.  If it does not, the
+ * authority function is required.  A SDLZ driver must implement a
+ * lookup method.
+ */
+
+typedef struct dns_sdlzmethods {
+	dns_sdlzcreate_t	create;
+	dns_sdlzdestroy_t	destroy;
+	dns_sdlzfindzone_t	findzone;
+	dns_sdlzlookupfunc_t	lookup;
+	dns_sdlzauthorityfunc_t	authority;
+	dns_sdlzallnodesfunc_t	allnodes;
+	dns_sdlzallowzonexfr_t	allowzonexfr;
+} dns_sdlzmethods_t;
+
+isc_result_t
+dns_sdlzregister(const char *drivername, const dns_sdlzmethods_t *methods,
+		 void *driverarg, unsigned int flags, isc_mem_t *mctx,
+		 dns_sdlzimplementation_t **sdlzimp);
+/*%<
+ * Register a dynamically loadable zones (dlz) driver for the database
+ * type 'drivername', implemented by the functions in '*methods'.
+ *
+ * sdlzimp must point to a NULL dns_sdlzimplementation_t pointer.
+ * That is, sdlzimp != NULL && *sdlzimp == NULL.  It will be assigned
+ * a value that will later be used to identify the driver when
+ * deregistering it.
+ */
+
+void
+dns_sdlzunregister(dns_sdlzimplementation_t **sdlzimp);
+
+/*%<
+ * Removes the sdlz driver from the list of registered sdlz drivers.
+ * There must be no active sdlz drivers of this type when this
+ * function is called.
+ */
+
+isc_result_t
+dns_sdlz_putnamedrr(dns_sdlzallnodes_t *allnodes, const char *name,
+		   const char *type, dns_ttl_t ttl, const char *data);
+/*%<
+ * Add a single resource record to the allnodes structure to be later
+ * parsed into a zone transfer response.
+ */
+
+isc_result_t
+dns_sdlz_putrr(dns_sdlzlookup_t *lookup, const char *type, dns_ttl_t ttl,
+	      const char *data);
+/*%<
+ * Add a single resource record to the lookup structure to be later
+ * parsed into a query response.
+ */
+
+isc_result_t
+dns_sdlz_putsoa(dns_sdlzlookup_t *lookup, const char *mname, const char *rname,
+	       isc_uint32_t serial);
+/*%<
+ * This function may optionally be called from the 'authority'
+ * callback to simplify construction of the SOA record for 'zone'.  It
+ * will provide a SOA listing 'mname' as as the master server and
+ * 'rname' as the responsible person mailbox.  It is the
+ * responsibility of the driver to increment the serial number between
+ * responses if necessary.  All other SOA fields will have reasonable
+ * default values.
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* SDLZ_H */
diff --git a/contrib/bind9/lib/dns/include/dns/secalg.h b/contrib/bind9/lib/dns/include/dns/secalg.h
index 3f7a16f..0466d91 100644
--- a/contrib/bind9/lib/dns/include/dns/secalg.h
+++ b/contrib/bind9/lib/dns/include/dns/secalg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: secalg.h,v 1.12.206.1 2004/03/06 08:14:00 marka Exp $ */
+/* $Id: secalg.h,v 1.13.18.2 2005/04/29 00:16:21 marka Exp $ */
 
 #ifndef DNS_SECALG_H
 #define DNS_SECALG_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -28,40 +30,40 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source);
-/*
+/*%<
  * Convert the text 'source' refers to into a DNSSEC security algorithm value.
  * The text may contain either a mnemonic algorithm name or a decimal algorithm
  * number.
  *
  * Requires:
- *	'secalgp' is a valid pointer.
+ *\li	'secalgp' is a valid pointer.
  *
- *	'source' is a valid text region.
+ *\li	'source' is a valid text region.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	ISC_R_RANGE			numeric type is out of range
- *	DNS_R_UNKNOWN			mnemonic type is unknown
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_RANGE			numeric type is out of range
+ *\li	DNS_R_UNKNOWN			mnemonic type is unknown
  */
 
 isc_result_t
 dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target);
-/*
+/*%<
  * Put a textual representation of the DNSSEC security algorithm 'secalg'
  * into 'target'.
  *
  * Requires:
- *	'secalg' is a valid secalg.
+ *\li	'secalg' is a valid secalg.
  *
- *	'target' is a valid text buffer.
+ *\li	'target' is a valid text buffer.
  *
- * Ensures:
- *	If the result is success:
- *		The used space in 'target' is updated.
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	ISC_R_NOSPACE			target buffer is too small
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_NOSPACE			target buffer is too small
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/secproto.h b/contrib/bind9/lib/dns/include/dns/secproto.h
index da8c1dd..a6cfd5c 100644
--- a/contrib/bind9/lib/dns/include/dns/secproto.h
+++ b/contrib/bind9/lib/dns/include/dns/secproto.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: secproto.h,v 1.9.206.1 2004/03/06 08:14:00 marka Exp $ */
+/* $Id: secproto.h,v 1.10.18.2 2005/04/29 00:16:21 marka Exp $ */
 
 #ifndef DNS_SECPROTO_H
 #define DNS_SECPROTO_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -28,40 +30,40 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source);
-/*
+/*%<
  * Convert the text 'source' refers to into a DNSSEC security protocol value.
  * The text may contain either a mnemonic protocol name or a decimal protocol
  * number.
  *
  * Requires:
- *	'secprotop' is a valid pointer.
+ *\li	'secprotop' is a valid pointer.
  *
- *	'source' is a valid text region.
+ *\li	'source' is a valid text region.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	ISC_R_RANGE			numeric type is out of range
- *	DNS_R_UNKNOWN			mnemonic type is unknown
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_RANGE			numeric type is out of range
+ *\li	DNS_R_UNKNOWN			mnemonic type is unknown
  */
 
 isc_result_t
 dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target);
-/*
+/*%<
  * Put a textual representation of the DNSSEC security protocol 'secproto'
  * into 'target'.
  *
  * Requires:
- *	'secproto' is a valid secproto.
+ *\li	'secproto' is a valid secproto.
  *
- *	'target' is a valid text buffer.
+ *\li	'target' is a valid text buffer.
  *
- * Ensures:
- *	If the result is success:
- *		The used space in 'target' is updated.
+ * Ensures,
+ *	if the result is success:
+ *	\li	The used space in 'target' is updated.
  *
  * Returns:
- *	ISC_R_SUCCESS			on success
- *	ISC_R_NOSPACE			target buffer is too small
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_NOSPACE			target buffer is too small
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/soa.h b/contrib/bind9/lib/dns/include/dns/soa.h
index 304ae15..70c6725 100644
--- a/contrib/bind9/lib/dns/include/dns/soa.h
+++ b/contrib/bind9/lib/dns/include/dns/soa.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa.h,v 1.2.206.1 2004/03/06 08:14:00 marka Exp $ */
+/* $Id: soa.h,v 1.3.18.2 2005/04/29 00:16:22 marka Exp $ */
 
 #ifndef DNS_SOA_H
 #define DNS_SOA_H 1
@@ -24,7 +24,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * SOA utilities.
  */
 
diff --git a/contrib/bind9/lib/dns/include/dns/ssu.h b/contrib/bind9/lib/dns/include/dns/ssu.h
index f26a039..b709030 100644
--- a/contrib/bind9/lib/dns/include/dns/ssu.h
+++ b/contrib/bind9/lib/dns/include/dns/ssu.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ssu.h,v 1.11.206.3 2004/03/08 09:04:39 marka Exp $ */
+/* $Id: ssu.h,v 1.13.18.4 2006/02/16 23:51:32 marka Exp $ */
 
 #ifndef DNS_SSU_H
 #define DNS_SSU_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -30,46 +32,50 @@ ISC_LANG_BEGINDECLS
 #define DNS_SSUMATCHTYPE_SUBDOMAIN 1
 #define DNS_SSUMATCHTYPE_WILDCARD 2
 #define DNS_SSUMATCHTYPE_SELF 3
+#define DNS_SSUMATCHTYPE_SELFSUB 4
+#define DNS_SSUMATCHTYPE_SELFWILD 5
+#define DNS_SSUMATCHTYPE_MAX 5		/* maximum defined value */
+
 
 isc_result_t
 dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
-/*
+/*%<
  *	Creates a table that will be used to store simple-secure-update rules.
  *	Note: all locking must be provided by the client.
  *
  *	Requires:
- *		'mctx' is a valid memory context
- *		'table' is not NULL, and '*table' is NULL
+ *\li		'mctx' is a valid memory context
+ *\li		'table' is not NULL, and '*table' is NULL
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		ISC_R_NOMEMORY
+ *\li		ISC_R_SUCCESS
+ *\li		ISC_R_NOMEMORY
  */
 
 void
 dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp);
-/*
+/*%<
  *	Attach '*targetp' to 'source'.
  *
  *	Requires:
- *		'source' is a valid SSU table
- *		'targetp' points to a NULL dns_ssutable_t *.
+ *\li		'source' is a valid SSU table
+ *\li		'targetp' points to a NULL dns_ssutable_t *.
  *
  *	Ensures:
- *		*targetp is attached to source.
+ *\li		*targetp is attached to source.
  */
 
 void
 dns_ssutable_detach(dns_ssutable_t **tablep);
-/*
+/*%<
  *	Detach '*tablep' from its simple-secure-update rule table.
  *
  *	Requires:
- *		'tablep' points to a valid dns_ssutable_t
+ *\li		'tablep' points to a valid dns_ssutable_t
  *
  *	Ensures:
- *		*tablep is NULL
- *		If '*tablep' is the last reference to the SSU table, all
+ *\li		*tablep is NULL
+ *\li		If '*tablep' is the last reference to the SSU table, all
  *			resources used by the table will be freed.
  */
 
@@ -78,78 +84,80 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
 		     dns_name_t *identity, unsigned int matchtype,
 		     dns_name_t *name, unsigned int ntypes,
 		     dns_rdatatype_t *types);
-/*
+/*%<
  *	Adds a new rule to a simple-secure-update rule table.  The rule
  *	either grants or denies update privileges of an identity (or set of
  *	identities) to modify a name (or set of names) or certain types present
  *	at that name.
  *
  *	Notes:
- *		If 'matchtype' is SELF, this rule only matches if the name
+ *\li		If 'matchtype' is SELF, this rule only matches if the name
  *		to be updated matches the signing identity.
  *
- *		If 'ntypes' is 0, this rule applies to all types except
+ *\li		If 'ntypes' is 0, this rule applies to all types except
  *		NS, SOA, RRSIG, and NSEC.
  *
- *		If 'types' includes ANY, this rule applies to all types
+ *\li		If 'types' includes ANY, this rule applies to all types
  *		except NSEC.
  *
  *	Requires:
- *		'table' is a valid SSU table
- *		'identity' is a valid absolute name
- *		'matchtype' must be one of the defined constants.
- *		'name' is a valid absolute name
- *		If 'ntypes' > 0, 'types' must not be NULL
+ *\li		'table' is a valid SSU table
+ *\li		'identity' is a valid absolute name
+ *\li		'matchtype' must be one of the defined constants.
+ *\li		'name' is a valid absolute name
+ *\li		If 'ntypes' > 0, 'types' must not be NULL
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		ISC_R_NOMEMORY
+ *\li		ISC_R_SUCCESS
+ *\li		ISC_R_NOMEMORY
  */
 
 isc_boolean_t
 dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
 			dns_name_t *name, dns_rdatatype_t type);
-/*
+/*%<
  *	Checks that the attempted update of (name, type) is allowed according
  *	to the rules specified in the simple-secure-update rule table.  If
  *	no rules are matched, access is denied.  If signer is NULL, access
  *	is denied.
  *
  *	Requires:
- *		'table' is a valid SSU table
- *		'signer' is NULL or a valid absolute name
- *		'name' is a valid absolute name
+ *\li		'table' is a valid SSU table
+ *\li		'signer' is NULL or a valid absolute name
+ *\li		'name' is a valid absolute name
  */
 
 
+/*% Accessor functions to extract rule components */
 isc_boolean_t	dns_ssurule_isgrant(const dns_ssurule_t *rule);
+/*% Accessor functions to extract rule components */
 dns_name_t *	dns_ssurule_identity(const dns_ssurule_t *rule);
+/*% Accessor functions to extract rule components */
 unsigned int	dns_ssurule_matchtype(const dns_ssurule_t *rule);
+/*% Accessor functions to extract rule components */
 dns_name_t *	dns_ssurule_name(const dns_ssurule_t *rule);
+/*% Accessor functions to extract rule components */
 unsigned int	dns_ssurule_types(const dns_ssurule_t *rule,
 				  dns_rdatatype_t **types);
-/*
- * Accessor functions to extract rule components
- */
 
 isc_result_t	dns_ssutable_firstrule(const dns_ssutable_t *table,
 				       dns_ssurule_t **rule);
-/*
+/*%<
  * Initiates a rule iterator.  There is no need to maintain any state.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMORE
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE
  */
 
 isc_result_t	dns_ssutable_nextrule(dns_ssurule_t *rule,
 				      dns_ssurule_t **nextrule);
-/*
+/*%<
  * Returns the next rule in the table.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMORE
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/stats.h b/contrib/bind9/lib/dns/include/dns/stats.h
index db94b52..6cd95ac 100644
--- a/contrib/bind9/lib/dns/include/dns/stats.h
+++ b/contrib/bind9/lib/dns/include/dns/stats.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,39 +15,43 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stats.h,v 1.4.206.1 2004/03/06 08:14:00 marka Exp $ */
+/* $Id: stats.h,v 1.5.18.4 2005/06/27 00:20:03 marka Exp $ */
 
 #ifndef DNS_STATS_H
 #define DNS_STATS_H 1
 
+/*! \file */
+
 #include <dns/types.h>
 
-/*
+/*%
  * Query statistics counter types.
  */
 typedef enum {
-	dns_statscounter_success = 0,    /* Successful lookup */
-	dns_statscounter_referral = 1,   /* Referral result */
-	dns_statscounter_nxrrset = 2,    /* NXRRSET result */
-	dns_statscounter_nxdomain = 3,   /* NXDOMAIN result */
-	dns_statscounter_recursion = 4,  /* Recursion was used */
-	dns_statscounter_failure = 5     /* Some other failure */
+	dns_statscounter_success = 0,    /*%< Successful lookup */
+	dns_statscounter_referral = 1,   /*%< Referral result */
+	dns_statscounter_nxrrset = 2,    /*%< NXRRSET result */
+	dns_statscounter_nxdomain = 3,   /*%< NXDOMAIN result */
+	dns_statscounter_recursion = 4,  /*%< Recursion was used */
+	dns_statscounter_failure = 5,    /*%< Some other failure */
+	dns_statscounter_duplicate = 6,  /*%< Duplicate query */
+	dns_statscounter_dropped = 7     /*%< Duplicate query */
 } dns_statscounter_t;
 
-#define DNS_STATS_NCOUNTERS 6
+#define DNS_STATS_NCOUNTERS 8
 
 LIBDNS_EXTERNAL_DATA extern const char *dns_statscounter_names[];
 
 isc_result_t
 dns_stats_alloccounters(isc_mem_t *mctx, isc_uint64_t **ctrp);
-/*
+/*%<
  * Allocate an array of query statistics counters from the memory
  * context 'mctx'.
  */
 
 void
 dns_stats_freecounters(isc_mem_t *mctx, isc_uint64_t **ctrp);
-/*
+/*%<
  * Free an array of query statistics counters allocated from the memory
  * context 'mctx'.
  */
diff --git a/contrib/bind9/lib/dns/include/dns/tcpmsg.h b/contrib/bind9/lib/dns/include/dns/tcpmsg.h
index ae1d704..075f463 100644
--- a/contrib/bind9/lib/dns/include/dns/tcpmsg.h
+++ b/contrib/bind9/lib/dns/include/dns/tcpmsg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tcpmsg.h,v 1.15.206.1 2004/03/06 08:14:00 marka Exp $ */
+/* $Id: tcpmsg.h,v 1.16.18.2 2005/04/29 00:16:22 marka Exp $ */
 
 #ifndef DNS_TCPMSG_H
 #define DNS_TCPMSG_H 1
 
+/*! \file */
+
 #include <isc/buffer.h>
 #include <isc/lang.h>
 #include <isc/socket.h>
@@ -45,56 +47,56 @@ ISC_LANG_BEGINDECLS
 
 void
 dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg);
-/*
+/*%<
  * Associate a tcp message state with a given memory context and
  * TCP socket.
  *
  * Requires:
  *
- *	"mctx" and "sock" be non-NULL and valid types.
+ *\li	"mctx" and "sock" be non-NULL and valid types.
  *
- *	"sock" be a read/write TCP socket.
+ *\li	"sock" be a read/write TCP socket.
  *
- *	"tcpmsg" be non-NULL and an uninitialized or invalidated structure.
+ *\li	"tcpmsg" be non-NULL and an uninitialized or invalidated structure.
  *
  * Ensures:
  *
- *	"tcpmsg" is a valid structure.
+ *\li	"tcpmsg" is a valid structure.
  */
 
 void
 dns_tcpmsg_setmaxsize(dns_tcpmsg_t *tcpmsg, unsigned int maxsize);
-/*
+/*%<
  * Set the maximum packet size to "maxsize"
  *
  * Requires:
  *
- *	"tcpmsg" be valid.
+ *\li	"tcpmsg" be valid.
  *
- *	512 <= "maxsize" <= 65536
+ *\li	512 <= "maxsize" <= 65536
  */
 
 isc_result_t
 dns_tcpmsg_readmessage(dns_tcpmsg_t *tcpmsg,
 		       isc_task_t *task, isc_taskaction_t action, void *arg);
-/*
+/*%<
  * Schedule an event to be delivered when a DNS message is readable, or
  * when an error occurs on the socket.
  *
  * Requires:
  *
- *	"tcpmsg" be valid.
+ *\li	"tcpmsg" be valid.
  *
- *	"task", "taskaction", and "arg" be valid.
+ *\li	"task", "taskaction", and "arg" be valid.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		-- no error
- *	Anything that the isc_socket_recv() call can return.  XXXMLG
+ *\li	ISC_R_SUCCESS		-- no error
+ *\li	Anything that the isc_socket_recv() call can return.  XXXMLG
  *
  * Notes:
  *
- *	The event delivered is a fully generic event.  It will contain no
+ *\li	The event delivered is a fully generic event.  It will contain no
  *	actual data.  The sender will be a pointer to the dns_tcpmsg_t.
  *	The result code inside that structure should be checked to see
  *	what the final result was.
@@ -102,41 +104,41 @@ dns_tcpmsg_readmessage(dns_tcpmsg_t *tcpmsg,
 
 void
 dns_tcpmsg_cancelread(dns_tcpmsg_t *tcpmsg);
-/*
+/*%<
  * Cancel a readmessage() call.  The event will still be posted with a
  * CANCELED result code.
  *
  * Requires:
  *
- *	"tcpmsg" be valid.
+ *\li	"tcpmsg" be valid.
  */
 
 void
 dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer);
-/*
+/*%<
  * If a dns buffer is to be kept between calls, this function marks the
  * internal state-machine buffer as invalid, and copies all the contents
  * of the state into "buffer".
  *
  * Requires:
  *
- *	"tcpmsg" be valid.
+ *\li	"tcpmsg" be valid.
  *
- *	"buffer" be non-NULL.
+ *\li	"buffer" be non-NULL.
  */
 
 void
 dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg);
-/*
+/*%<
  * Clean up all allocated state, and invalidate the structure.
  *
  * Requires:
  *
- *	"tcpmsg" be valid.
+ *\li	"tcpmsg" be valid.
  *
  * Ensures:
  *
- *	"tcpmsg" is invalidated and disassociated with all memory contexts,
+ *\li	"tcpmsg" is invalidated and disassociated with all memory contexts,
  *	sockets, etc.
  */
 
diff --git a/contrib/bind9/lib/dns/include/dns/time.h b/contrib/bind9/lib/dns/include/dns/time.h
index 0b82443..9e8f5cc 100644
--- a/contrib/bind9/lib/dns/include/dns/time.h
+++ b/contrib/bind9/lib/dns/include/dns/time.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.h,v 1.9.12.3 2004/03/08 09:04:39 marka Exp $ */
+/* $Id: time.h,v 1.11.18.2 2005/04/29 00:16:23 marka Exp $ */
 
 #ifndef DNS_TIME_H
 #define DNS_TIME_H 1
 
+/*! \file */
+
 /***
  ***	Imports
  ***/
@@ -35,7 +37,7 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_time64_fromtext(const char *source, isc_int64_t *target);
-/*
+/*%<
  * Convert a date and time in YYYYMMDDHHMMSS text format at 'source'
  * into to a 64-bit count of seconds since Jan 1 1970 0:00 GMT.
  * Store the count at 'target'.
@@ -43,7 +45,7 @@ dns_time64_fromtext(const char *source, isc_int64_t *target);
 
 isc_result_t
 dns_time32_fromtext(const char *source, isc_uint32_t *target);
-/*
+/*%<
  * Like dns_time64_fromtext, but returns the second count modulo 2^32
  * as per RFC2535.
  */
@@ -51,14 +53,14 @@ dns_time32_fromtext(const char *source, isc_uint32_t *target);
 
 isc_result_t
 dns_time64_totext(isc_int64_t value, isc_buffer_t *target);
-/*
+/*%<
  * Convert a 64-bit count of seconds since Jan 1 1970 0:00 GMT into
  * a YYYYMMDDHHMMSS text representation and append it to 'target'.
  */
 
 isc_result_t
 dns_time32_totext(isc_uint32_t value, isc_buffer_t *target);
-/*
+/*%<
  * Like dns_time64_totext, but for a 32-bit cyclic time value.
  * Of those dates whose counts of seconds since Jan 1 1970 0:00 GMT
  * are congruent with 'value' modulo 2^32, the one closest to the
diff --git a/contrib/bind9/lib/dns/include/dns/timer.h b/contrib/bind9/lib/dns/include/dns/timer.h
index 36e2ac3..cd936a0 100644
--- a/contrib/bind9/lib/dns/include/dns/timer.h
+++ b/contrib/bind9/lib/dns/include/dns/timer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.h,v 1.2.206.1 2004/03/06 08:14:00 marka Exp $ */
+/* $Id: timer.h,v 1.3.18.2 2005/04/29 00:16:23 marka Exp $ */
 
 #ifndef DNS_TIMER_H
 #define DNS_TIMER_H 1
 
+/*! \file */
+
 /***
  ***	Imports
  ***/
@@ -36,10 +38,10 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 dns_timer_setidle(isc_timer_t *timer, unsigned int maxtime,
 		  unsigned int idletime, isc_boolean_t purge);
-/*
+/*%<
  * Convenience function for setting up simple, one-second-granularity
  * idle timers as used by zone transfers.
- *
+ * \brief
  * Set the timer 'timer' to go off after 'idletime' seconds of inactivity,
  * or after 'maxtime' at the very latest.  Events are purged iff
  * 'purge' is ISC_TRUE.
diff --git a/contrib/bind9/lib/dns/include/dns/tkey.h b/contrib/bind9/lib/dns/include/dns/tkey.h
index e5ca3b3..4e3e80a 100644
--- a/contrib/bind9/lib/dns/include/dns/tkey.h
+++ b/contrib/bind9/lib/dns/include/dns/tkey.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkey.h,v 1.18.206.1 2004/03/06 08:14:00 marka Exp $ */
+/* $Id: tkey.h,v 1.19.18.2 2005/04/29 00:16:23 marka Exp $ */
 
 #ifndef DNS_TKEY_H
 #define DNS_TKEY_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -45,55 +47,55 @@ struct dns_tkeyctx {
 
 isc_result_t
 dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp);
-/*
+/*%<
  *	Create an empty TKEY context.
  *
  * 	Requires:
- *		'mctx' is not NULL
- *		'tctx' is not NULL
- *		'*tctx' is NULL
+ *\li		'mctx' is not NULL
+ *\li		'tctx' is not NULL
+ *\li		'*tctx' is NULL
  *
  *	Returns
- *		ISC_R_SUCCESS
- *		ISC_R_NOMEMORY
- *		return codes from dns_name_fromtext()
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		return codes from dns_name_fromtext()
  */
 
 void
 dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp);
-/*
+/*%<
  *      Frees all data associated with the TKEY context
  *
  * 	Requires:
- *		'tctx' is not NULL
- *		'*tctx' is not NULL
+ *\li		'tctx' is not NULL
+ *\li		'*tctx' is not NULL
  */
 
 isc_result_t
 dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 		      dns_tsig_keyring_t *ring);
-/*
+/*%<
  *	Processes a query containing a TKEY record, adding or deleting TSIG
  *	keys if necessary, and modifies the message to contain the response.
  *
  *	Requires:
- *		'msg' is a valid message
- *		'tctx' is a valid TKEY context
- *		'ring' is a valid TSIG keyring
+ *\li		'msg' is a valid message
+ *\li		'tctx' is a valid TKEY context
+ *\li		'ring' is a valid TSIG keyring
  *
  *	Returns
- *		ISC_R_SUCCESS	msg was updated (the TKEY operation succeeded,
+ *\li		#ISC_R_SUCCESS	msg was updated (the TKEY operation succeeded,
  *				or msg now includes a TKEY with an error set)
  *		DNS_R_FORMERR	the packet was malformed (missing a TKEY
  *				or KEY).
- *		other		An error occurred while processing the message
+ *\li		other		An error occurred while processing the message
  */
 
 isc_result_t
 dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
 		      dns_name_t *algorithm, isc_buffer_t *nonce,
 		      isc_uint32_t lifetime);
-/*
+/*%<
  *	Builds a query containing a TKEY that will generate a shared
  *	secret using a Diffie-Hellman key exchange.  The shared key
  *	will be of the specified algorithm (only DNS_TSIG_HMACMD5_NAME
@@ -105,61 +107,61 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
  *
  *
  *	Requires:
- *		'msg' is a valid message
- *		'key' is a valid Diffie Hellman dst key
- *		'name' is a valid name
- *		'algorithm' is a valid name
+ *\li		'msg' is a valid message
+ *\li		'key' is a valid Diffie Hellman dst key
+ *\li		'name' is a valid name
+ *\li		'algorithm' is a valid name
  *
  *	Returns:
- *		ISC_R_SUCCESS	msg was successfully updated to include the
+ *\li		#ISC_R_SUCCESS	msg was successfully updated to include the
  *				query to be sent
- *		other		an error occurred while building the message
+ *\li		other		an error occurred while building the message
  */
 
 isc_result_t
 dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name,
 		       dns_name_t *gname, void *cred,
 		       isc_uint32_t lifetime, void **context);
-/*
+/*%<
  * XXX
  */
 
 isc_result_t
 dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
-/*
+/*%<
  *	Builds a query containing a TKEY record that will delete the
  *	specified shared secret from the server.
  *
  *	Requires:
- *		'msg' is a valid message
- *		'key' is a valid TSIG key
+ *\li		'msg' is a valid message
+ *\li		'key' is a valid TSIG key
  *
  *	Returns:
- *		ISC_R_SUCCESS	msg was successfully updated to include the
+ *\li		#ISC_R_SUCCESS	msg was successfully updated to include the
  *				query to be sent
- *		other		an error occurred while building the message
+ *\li		other		an error occurred while building the message
  */
 
 isc_result_t
 dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
                            dst_key_t *key, isc_buffer_t *nonce,
 			   dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
-/*
+/*%<
  *	Processes a response to a query containing a TKEY that was
  *	designed to generate a shared secret using a Diffie-Hellman key
  *	exchange.  If the query was successful, a new shared key
  *	is created and added to the list of shared keys.
  *
  *	Requires:
- *		'qmsg' is a valid message (the query)
- *		'rmsg' is a valid message (the response)
- *		'key' is a valid Diffie Hellman dst key
- *		'outkey' is either NULL or a pointer to NULL
- *		'ring' is a valid keyring or NULL
+ *\li		'qmsg' is a valid message (the query)
+ *\li		'rmsg' is a valid message (the response)
+ *\li		'key' is a valid Diffie Hellman dst key
+ *\li		'outkey' is either NULL or a pointer to NULL
+ *\li		'ring' is a valid keyring or NULL
  *
  *	Returns:
- *		ISC_R_SUCCESS	the shared key was successfully added
- *		ISC_R_NOTFOUND	an error occurred while looking for a
+ *\li		#ISC_R_SUCCESS	the shared key was successfully added
+ *\li		#ISC_R_NOTFOUND	an error occurred while looking for a
  *				component of the query or response
  */
 
@@ -167,26 +169,26 @@ isc_result_t
 dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 			    dns_name_t *gname, void *cred, void **context,
 			    dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
-/*
+/*%<
  * XXX
  */
 
 isc_result_t
 dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 			       dns_tsig_keyring_t *ring);
-/*
+/*%<
  *	Processes a response to a query containing a TKEY that was
  *	designed to delete a shared secret.  If the query was successful,
  *	the shared key is deleted from the list of shared keys.
  *
  *	Requires:
- *		'qmsg' is a valid message (the query)
- *		'rmsg' is a valid message (the response)
- *		'ring' is not NULL
+ *\li		'qmsg' is a valid message (the query)
+ *\li		'rmsg' is a valid message (the response)
+ *\li		'ring' is not NULL
  *
  *	Returns:
- *		ISC_R_SUCCESS	the shared key was successfully deleted
- *		ISC_R_NOTFOUND	an error occurred while looking for a
+ *\li		#ISC_R_SUCCESS	the shared key was successfully deleted
+ *\li		#ISC_R_NOTFOUND	an error occurred while looking for a
  *				component of the query or response
  */
 
diff --git a/contrib/bind9/lib/dns/include/dns/tsig.h b/contrib/bind9/lib/dns/include/dns/tsig.h
index 7b5b458..b3fd6cc 100644
--- a/contrib/bind9/lib/dns/include/dns/tsig.h
+++ b/contrib/bind9/lib/dns/include/dns/tsig.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig.h,v 1.40.2.2.8.3 2004/03/08 09:04:39 marka Exp $ */
+/* $Id: tsig.h,v 1.43.18.4 2006/01/27 23:57:44 marka Exp $ */
 
 #ifndef DNS_TSIG_H
 #define DNS_TSIG_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/refcount.h>
 #include <isc/rwlock.h>
@@ -39,8 +41,18 @@ LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapi_name;
 #define DNS_TSIG_GSSAPI_NAME		dns_tsig_gssapi_name
 LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapims_name;
 #define DNS_TSIG_GSSAPIMS_NAME		dns_tsig_gssapims_name
-
-/*
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha1_name;
+#define DNS_TSIG_HMACSHA1_NAME		dns_tsig_hmacsha1_name
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha224_name;
+#define DNS_TSIG_HMACSHA224_NAME	dns_tsig_hmacsha224_name
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha256_name;
+#define DNS_TSIG_HMACSHA256_NAME	dns_tsig_hmacsha256_name
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha384_name;
+#define DNS_TSIG_HMACSHA384_NAME	dns_tsig_hmacsha384_name
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha512_name;
+#define DNS_TSIG_HMACSHA512_NAME	dns_tsig_hmacsha512_name
+
+/*%
  * Default fudge value.
  */
 #define DNS_TSIG_FUDGE			300
@@ -53,17 +65,17 @@ struct dns_tsig_keyring {
 
 struct dns_tsigkey {
 	/* Unlocked */
-	unsigned int		magic;		/* Magic number. */
+	unsigned int		magic;		/*%< Magic number. */
 	isc_mem_t		*mctx;
-	dst_key_t		*key;		/* Key */
-	dns_name_t		name;		/* Key name */
-	dns_name_t		*algorithm;	/* Algorithm name */
-	dns_name_t		*creator;	/* name that created secret */
-	isc_boolean_t		generated;	/* was this generated? */
-	isc_stdtime_t		inception;	/* start of validity period */
-	isc_stdtime_t		expire;		/* end of validity period */
-	dns_tsig_keyring_t	*ring;		/* the enclosing keyring */
-	isc_refcount_t		refs;		/* reference counter */
+	dst_key_t		*key;		/*%< Key */
+	dns_name_t		name;		/*%< Key name */
+	dns_name_t		*algorithm;	/*%< Algorithm name */
+	dns_name_t		*creator;	/*%< name that created secret */
+	isc_boolean_t		generated;	/*%< was this generated? */
+	isc_stdtime_t		inception;	/*%< start of validity period */
+	isc_stdtime_t		expire;		/*%< end of validity period */
+	dns_tsig_keyring_t	*ring;		/*%< the enclosing keyring */
+	isc_refcount_t		refs;		/*%< reference counter */
 };
 
 #define dns_tsigkey_identity(tsigkey) \
@@ -84,7 +96,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 			  dns_name_t *creator, isc_stdtime_t inception,
 			  isc_stdtime_t expire, isc_mem_t *mctx,
 			  dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
-/*
+/*%<
  *	Creates a tsig key structure and saves it in the keyring.  If key is
  *	not NULL, *key will contain a copy of the key.  The keys validity
  *	period is specified by (inception, expire), and will not expire if
@@ -95,100 +107,100 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
  *	to generate a BADKEY response.
  *
  *	Requires:
- *		'name' is a valid dns_name_t
- *		'algorithm' is a valid dns_name_t
- *		'secret' is a valid pointer
- *		'length' is an integer >= 0
- *		'key' is a valid dst key or NULL
- *		'creator' points to a valid dns_name_t or is NULL
- *		'mctx' is a valid memory context
- *		'ring' is a valid TSIG keyring or NULL
- *		'key' or '*key' must be NULL
+ *\li		'name' is a valid dns_name_t
+ *\li		'algorithm' is a valid dns_name_t
+ *\li		'secret' is a valid pointer
+ *\li		'length' is an integer >= 0
+ *\li		'key' is a valid dst key or NULL
+ *\li		'creator' points to a valid dns_name_t or is NULL
+ *\li		'mctx' is a valid memory context
+ *\li		'ring' is a valid TSIG keyring or NULL
+ *\li		'key' or '*key' must be NULL
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		ISC_R_EXISTS - a key with this name already exists
- *		ISC_R_NOTIMPLEMENTED - algorithm is not implemented
- *		ISC_R_NOMEMORY
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_EXISTS - a key with this name already exists
+ *\li		#ISC_R_NOTIMPLEMENTED - algorithm is not implemented
+ *\li		#ISC_R_NOMEMORY
  */
 
 void
 dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp);
-/*
+/*%<
  *	Attach '*targetp' to 'source'.
  *
  *	Requires:
- *		'key' is a valid TSIG key
+ *\li		'key' is a valid TSIG key
  *
  *	Ensures:
- *		*targetp is attached to source.
+ *\li		*targetp is attached to source.
  */
 
 void
 dns_tsigkey_detach(dns_tsigkey_t **keyp);
-/*
+/*%<
  *	Detaches from the tsig key structure pointed to by '*key'.
  *
  *	Requires:
- *		'keyp' is not NULL and '*keyp' is a valid TSIG key
+ *\li		'keyp' is not NULL and '*keyp' is a valid TSIG key
  *
  *	Ensures:
- *		'keyp' points to NULL
+ *\li		'keyp' points to NULL
  */
 
 void
 dns_tsigkey_setdeleted(dns_tsigkey_t *key);
-/*
+/*%<
  *	Prevents this key from being used again.  It will be deleted when
  *	no references exist.
  *
  *	Requires:
- *		'key' is a valid TSIG key on a keyring
+ *\li		'key' is a valid TSIG key on a keyring
  */
 
 isc_result_t
 dns_tsig_sign(dns_message_t *msg);
-/*
+/*%<
  *	Generates a TSIG record for this message
  *
  *	Requires:
- *		'msg' is a valid message
- *		'msg->tsigkey' is a valid TSIG key
- *		'msg->tsig' is NULL
+ *\li		'msg' is a valid message
+ *\li		'msg->tsigkey' is a valid TSIG key
+ *\li		'msg->tsig' is NULL
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		ISC_R_NOMEMORY
- *		ISC_R_NOSPACE
- *		DNS_R_EXPECTEDTSIG
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#ISC_R_NOSPACE
+ *\li		#DNS_R_EXPECTEDTSIG
  *			- this is a response & msg->querytsig is NULL
  */
 
 isc_result_t
 dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 		dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2);
-/*
+/*%<
  *	Verifies the TSIG record in this message
  *
  *	Requires:
- *		'source' is a valid buffer containing the unparsed message
- *		'msg' is a valid message
- *		'msg->tsigkey' is a valid TSIG key if this is a response
- *		'msg->tsig' is NULL
- *		'msg->querytsig' is not NULL if this is a response
- *		'ring1' and 'ring2' are each either a valid keyring or NULL
+ *\li		'source' is a valid buffer containing the unparsed message
+ *\li		'msg' is a valid message
+ *\li		'msg->tsigkey' is a valid TSIG key if this is a response
+ *\li		'msg->tsig' is NULL
+ *\li		'msg->querytsig' is not NULL if this is a response
+ *\li		'ring1' and 'ring2' are each either a valid keyring or NULL
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		ISC_R_NOMEMORY
- *		DNS_R_EXPECTEDTSIG - A TSIG was expected but not seen
- *		DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
- *		DNS_R_TSIGERRORSET - the TSIG verified but ->error was set
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#DNS_R_EXPECTEDTSIG - A TSIG was expected but not seen
+ *\li		#DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
+ *\li		#DNS_R_TSIGERRORSET - the TSIG verified but ->error was set
  *				     and this is a query
- *		DNS_R_CLOCKSKEW - the TSIG failed to verify because of
+ *\li		#DNS_R_CLOCKSKEW - the TSIG failed to verify because of
  *				  the time was out of the allowed range.
- *		DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
- *		DNS_R_EXPECTEDRESPONSE - the message was set over TCP and
+ *\li		#DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
+ *\li		#DNS_R_EXPECTEDRESPONSE - the message was set over TCP and
  *					 should have been a response,
  *					 but was not.
  */
@@ -196,45 +208,45 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 isc_result_t
 dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
 		 dns_name_t *algorithm, dns_tsig_keyring_t *ring);
-/*
+/*%<
  *	Returns the TSIG key corresponding to this name and (possibly)
  *	algorithm.  Also increments the key's reference counter.
  *
  *	Requires:
- *		'tsigkey' is not NULL
- *		'*tsigkey' is NULL
- *		'name' is a valid dns_name_t
- *		'algorithm' is a valid dns_name_t or NULL
- *		'ring' is a valid keyring
+ *\li		'tsigkey' is not NULL
+ *\li		'*tsigkey' is NULL
+ *\li		'name' is a valid dns_name_t
+ *\li		'algorithm' is a valid dns_name_t or NULL
+ *\li		'ring' is a valid keyring
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		ISC_R_NOTFOUND
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOTFOUND
  */
 
 
 isc_result_t
 dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
-/*
+/*%<
  *	Create an empty TSIG key ring.
  *
  *	Requires:
- *		'mctx' is not NULL
- *		'ringp' is not NULL, and '*ringp' is NULL
+ *\li		'mctx' is not NULL
+ *\li		'ringp' is not NULL, and '*ringp' is NULL
  *
  *	Returns:
- *		ISC_R_SUCCESS
- *		ISC_R_NOMEMORY
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
  */
 
 
 void
 dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp);
-/*
+/*%<
  *	Destroy a TSIG key ring.
  *
  *	Requires:
- *		'ringp' is not NULL
+ *\li		'ringp' is not NULL
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/ttl.h b/contrib/bind9/lib/dns/include/dns/ttl.h
index dc7167d..ad01578 100644
--- a/contrib/bind9/lib/dns/include/dns/ttl.h
+++ b/contrib/bind9/lib/dns/include/dns/ttl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ttl.h,v 1.12.206.1 2004/03/06 08:14:01 marka Exp $ */
+/* $Id: ttl.h,v 1.13.18.2 2005/04/29 00:16:24 marka Exp $ */
 
 #ifndef DNS_TTL_H
 #define DNS_TTL_H 1
 
+/*! \file */
+
 /***
  ***	Imports
  ***/
@@ -36,7 +38,7 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 dns_ttl_totext(isc_uint32_t src, isc_boolean_t verbose,
 	       isc_buffer_t *target);
-/*
+/*%<
  * Output a TTL or other time interval in a human-readable form.
  * The time interval is given as a count of seconds in 'src'.
  * The text representation is appended to 'target'.
@@ -47,28 +49,28 @@ dns_ttl_totext(isc_uint32_t src, isc_boolean_t verbose,
  * in "dig", like "1 week 2 days 3 hours 4 minutes 5 seconds".
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	ISC_R_NOSPACE
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOSPACE
  */
 
 isc_result_t
 dns_counter_fromtext(isc_textregion_t *source, isc_uint32_t *ttl);
-/*
+/*%<
  * Converts a counter from either a plain number or a BIND 8 style value.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	DNS_R_SYNTAX
+ *\li	ISC_R_SUCCESS
+ *\li	DNS_R_SYNTAX
  */
 
 isc_result_t
 dns_ttl_fromtext(isc_textregion_t *source, isc_uint32_t *ttl);
-/*
+/*%<
  * Converts a ttl from either a plain number or a BIND 8 style value.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	DNS_R_BADTTL
+ *\li	ISC_R_SUCCESS
+ *\li	DNS_R_BADTTL
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/types.h b/contrib/bind9/lib/dns/include/dns/types.h
index 27995de..8dcbe57 100644
--- a/contrib/bind9/lib/dns/include/dns/types.h
+++ b/contrib/bind9/lib/dns/include/dns/types.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,21 +15,25 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.103.12.9 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: types.h,v 1.109.18.12 2006/05/02 12:55:31 shane Exp $ */
 
 #ifndef DNS_TYPES_H
 #define DNS_TYPES_H 1
 
-/*
+/*! \file
+ * \brief
  * Including this file gives you type declarations suitable for use in
  * .h files, which lets us avoid circular type reference problems.
- *
+ * \brief
  * To actually use a type or get declarations of its methods, you must
  * include the appropriate .h file too.
  */
 
 #include <isc/types.h>
 
+typedef struct dns_acache			dns_acache_t;
+typedef struct dns_acacheentry			dns_acacheentry_t;
+typedef struct dns_acachestats			dns_acachestats_t;
 typedef struct dns_acl 				dns_acl_t;
 typedef struct dns_aclelement 			dns_aclelement_t;
 typedef struct dns_aclenv			dns_aclenv_t;
@@ -50,6 +54,9 @@ typedef void					dns_dbload_t;
 typedef void					dns_dbnode_t;
 typedef struct dns_dbtable			dns_dbtable_t;
 typedef void					dns_dbversion_t;
+typedef struct dns_dlzimplementation		dns_dlzimplementation_t;
+typedef struct dns_dlzdb			dns_dlzdb_t;
+typedef struct dns_sdlzimplementation		dns_sdlzimplementation_t;
 typedef struct dns_decompress			dns_decompress_t;
 typedef struct dns_dispatch			dns_dispatch_t;
 typedef struct dns_dispatchevent		dns_dispatchevent_t;
@@ -136,7 +143,8 @@ typedef enum {
 typedef enum {
 	dns_notifytype_no = 0,
 	dns_notifytype_yes = 1,
-	dns_notifytype_explicit = 2
+	dns_notifytype_explicit = 2,
+	dns_notifytype_masteronly = 3
 } dns_notifytype_t;
 
 typedef enum {
@@ -148,13 +156,19 @@ typedef enum {
 	dns_dialuptype_passive = 5
 } dns_dialuptype_t;
 
+typedef enum {
+	dns_masterformat_none = 0,
+	dns_masterformat_text = 1,
+	dns_masterformat_raw = 2
+} dns_masterformat_t;
+
 /*
  * These are generated by gen.c.
  */
 #include <dns/enumtype.h>	/* Provides dns_rdatatype_t. */
 #include <dns/enumclass.h>	/* Provides dns_rdataclass_t. */
 
-/*
+/*%
  * rcodes.
  */
 enum {
@@ -190,7 +204,7 @@ enum {
 #define dns_rcode_badvers		((dns_rcode_t)dns_rcode_badvers)
 };
 
-/*
+/*%
  * TSIG errors.
  */
 enum {
@@ -199,10 +213,11 @@ enum {
 	dns_tsigerror_badtime = 18,
 	dns_tsigerror_badmode = 19,
 	dns_tsigerror_badname = 20,
-	dns_tsigerror_badalg = 21
+	dns_tsigerror_badalg = 21,
+	dns_tsigerror_badtrunc = 22
 };
 
-/*
+/*%
  * Opcodes.
  */
 enum {
@@ -218,7 +233,7 @@ enum {
 #define dns_opcode_update		((dns_opcode_t)dns_opcode_update)
 };
 
-/*
+/*%
  * Trust levels.  Must be kept in sync with trustnames[] in masterdump.c.
  */
 enum {
@@ -226,11 +241,11 @@ enum {
 	dns_trust_none = 0,
 #define dns_trust_none			((dns_trust_t)dns_trust_none)
 
-	/* Subject to DNSSEC validation but has not yet been validated */
+	/*% Subject to DNSSEC validation but has not yet been validated */
 	dns_trust_pending = 1,
 #define dns_trust_pending		((dns_trust_t)dns_trust_pending)
 
-	/* Received in the additional section of a response. */
+	/*% Received in the additional section of a response. */
 	dns_trust_additional = 2,
 #define dns_trust_additional		((dns_trust_t)dns_trust_additional)
 
@@ -260,7 +275,7 @@ enum {
 #define dns_trust_ultimate		((dns_trust_t)dns_trust_ultimate)
 };
 
-/*
+/*%
  * Name checking severites.
  */
 typedef enum {
@@ -294,6 +309,20 @@ typedef void
 (*dns_updatecallback_t)(void *, isc_result_t, dns_message_t *);
 
 typedef int 
-(*dns_rdatasetorderfunc_t)(const dns_rdata_t *rdata, const void *arg);
+(*dns_rdatasetorderfunc_t)(const dns_rdata_t *, const void *);
+
+typedef isc_boolean_t
+(*dns_checkmxfunc_t)(dns_zone_t *, dns_name_t *, dns_name_t *);
+
+typedef isc_boolean_t
+(*dns_checksrvfunc_t)(dns_zone_t *, dns_name_t *, dns_name_t *);
+
+typedef isc_boolean_t
+(*dns_checknsfunc_t)(dns_zone_t *, dns_name_t *, dns_name_t *,
+		     dns_rdataset_t *, dns_rdataset_t *);
+
+typedef isc_boolean_t
+(*dns_isselffunc_t)(dns_view_t *, dns_tsigkey_t *, isc_sockaddr_t *,
+		    isc_sockaddr_t *, dns_rdataclass_t, void *);
 
 #endif /* DNS_TYPES_H */
diff --git a/contrib/bind9/lib/dns/include/dns/validator.h b/contrib/bind9/lib/dns/include/dns/validator.h
index a0d6acb..acce76e 100644
--- a/contrib/bind9/lib/dns/include/dns/validator.h
+++ b/contrib/bind9/lib/dns/include/dns/validator.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.h,v 1.18.12.11.6.1 2007/01/11 04:51:39 marka Exp $ */
+/* $Id: validator.h,v 1.27.18.8 2007/01/08 02:42:00 marka Exp $ */
 
 #ifndef DNS_VALIDATOR_H
 #define DNS_VALIDATOR_H 1
diff --git a/contrib/bind9/lib/dns/include/dns/version.h b/contrib/bind9/lib/dns/include/dns/version.h
index 28c83be..bb254534 100644
--- a/contrib/bind9/lib/dns/include/dns/version.h
+++ b/contrib/bind9/lib/dns/include/dns/version.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.2.224.3 2004/03/08 09:04:40 marka Exp $ */
+/* $Id: version.h,v 1.3.18.2 2005/04/29 00:16:25 marka Exp $ */
+
+/*! \file */
 
 #include <isc/platform.h>
 
diff --git a/contrib/bind9/lib/dns/include/dns/view.h b/contrib/bind9/lib/dns/include/dns/view.h
index a3cd935..ea3d4c7 100644
--- a/contrib/bind9/lib/dns/include/dns/view.h
+++ b/contrib/bind9/lib/dns/include/dns/view.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.73.2.4.2.12 2004/03/10 02:55:58 marka Exp $ */
+/* $Id: view.h,v 1.91.18.9 2006/03/09 23:38:21 marka Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -24,7 +24,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * DNS View
  *
  * A "view" is a DNS namespace, together with an optional resolver and a
@@ -41,22 +42,22 @@
  * to be accessed without locking.
  *
  * MP:
- *	Before the view is frozen, the caller must ensure synchronization.
+ *\li	Before the view is frozen, the caller must ensure synchronization.
  *
- *	After the view is frozen, the module guarantees appropriate
+ *\li	After the view is frozen, the module guarantees appropriate
  *	synchronization of any data structures it creates and manipulates.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	<TBS>
+ *\li	TBS
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Standards:
- *	None.
+ *\li	None.
  */
 
 #include <stdio.h>
@@ -83,9 +84,11 @@ struct dns_view {
 	dns_rdataclass_t		rdclass;
 	char *				name;
 	dns_zt_t *			zonetable;
+	dns_dlzdb_t *			dlzdatabase;
 	dns_resolver_t *		resolver;
 	dns_adb_t *			adb;
 	dns_requestmgr_t *		requestmgr;
+	dns_acache_t *			acache;
 	dns_cache_t *			cache;
 	dns_db_t *			cachedb;
 	dns_db_t *			hints;
@@ -109,6 +112,8 @@ struct dns_view {
 	isc_boolean_t			additionalfromauth;
 	isc_boolean_t			minimalresponses;
 	isc_boolean_t			enablednssec;
+	isc_boolean_t			enablevalidation;
+	isc_boolean_t			acceptexpired;
 	dns_transfer_format_t		transfer_format;
 	dns_acl_t *			queryacl;
 	dns_acl_t *			recursionacl;
@@ -127,6 +132,7 @@ struct dns_view {
 	isc_boolean_t			checknames;
 	dns_name_t *			dlv;
 	dns_fixedname_t			dlv_fixed;
+	isc_uint16_t			maxudp;
 
 	/*
 	 * Configurable data for server use only,
@@ -156,109 +162,109 @@ struct dns_view {
 isc_result_t
 dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 		const char *name, dns_view_t **viewp);
-/*
+/*%<
  * Create a view.
  *
  * Notes:
  *
- *	The newly created view has no cache, no resolver, and an empty
+ *\li	The newly created view has no cache, no resolver, and an empty
  *	zone table.  The view is not frozen.
  *
  * Requires:
  *
- *	'mctx' is a valid memory context.
+ *\li	'mctx' is a valid memory context.
  *
- *	'rdclass' is a valid class.
+ *\li	'rdclass' is a valid class.
  *
- *	'name' is a valid C string.
+ *\li	'name' is a valid C string.
  *
- *	viewp != NULL && *viewp == NULL
+ *\li	viewp != NULL && *viewp == NULL
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
  *
- *	Other errors are possible.
+ *\li	Other errors are possible.
  */
 
 void
 dns_view_attach(dns_view_t *source, dns_view_t **targetp);
-/*
+/*%<
  * Attach '*targetp' to 'source'.
  *
  * Requires:
  *
- *	'source' is a valid, frozen view.
+ *\li	'source' is a valid, frozen view.
  *
- *	'targetp' points to a NULL dns_view_t *.
+ *\li	'targetp' points to a NULL dns_view_t *.
  *
  * Ensures:
  *
- *	*targetp is attached to source.
+ *\li	*targetp is attached to source.
  *
- *	While *targetp is attached, the view will not shut down.
+ *\li	While *targetp is attached, the view will not shut down.
  */
 
 void
 dns_view_detach(dns_view_t **viewp);
-/*
+/*%<
  * Detach '*viewp' from its view.
  *
  * Requires:
  *
- *	'viewp' points to a valid dns_view_t *
+ *\li	'viewp' points to a valid dns_view_t *
  *
  * Ensures:
  *
- *	*viewp is NULL.
+ *\li	*viewp is NULL.
  */
 
 void
 dns_view_flushanddetach(dns_view_t **viewp);
-/*
+/*%<
  * Detach '*viewp' from its view.  If this was the last reference
  * uncommited changed in zones will be flushed to disk.
  *
  * Requires:
  *
- *	'viewp' points to a valid dns_view_t *
+ *\li	'viewp' points to a valid dns_view_t *
  *
  * Ensures:
  *
- *	*viewp is NULL.
+ *\li	*viewp is NULL.
  */
 
 void
 dns_view_weakattach(dns_view_t *source, dns_view_t **targetp);
-/*
+/*%<
  * Weakly attach '*targetp' to 'source'.
  *
  * Requires:
  *
- *	'source' is a valid, frozen view.
+ *\li	'source' is a valid, frozen view.
  *
- *	'targetp' points to a NULL dns_view_t *.
+ *\li	'targetp' points to a NULL dns_view_t *.
  *
  * Ensures:
  *
- *	*targetp is attached to source.
+ *\li	*targetp is attached to source.
  *
- * 	While *targetp is attached, the view will not be freed.
+ * \li	While *targetp is attached, the view will not be freed.
  */
 
 void
 dns_view_weakdetach(dns_view_t **targetp);
-/*
+/*%<
  * Detach '*viewp' from its view.
  *
  * Requires:
  *
- *	'viewp' points to a valid dns_view_t *.
+ *\li	'viewp' points to a valid dns_view_t *.
  *
  * Ensures:
  *
- *	*viewp is NULL.
+ *\li	*viewp is NULL.
  */
 
 isc_result_t
@@ -270,94 +276,94 @@ dns_view_createresolver(dns_view_t *view,
 			dns_dispatchmgr_t *dispatchmgr,
 			dns_dispatch_t *dispatchv4,
 			dns_dispatch_t *dispatchv6);
-/*
+/*%<
  * Create a resolver and address database for the view.
  *
  * Requires:
  *
- *	'view' is a valid, unfrozen view.
+ *\li	'view' is a valid, unfrozen view.
  *
- *	'view' does not have a resolver already.
+ *\li	'view' does not have a resolver already.
  *
- *	The requirements of dns_resolver_create() apply to 'taskmgr',
+ *\li	The requirements of dns_resolver_create() apply to 'taskmgr',
  *	'ntasks', 'socketmgr', 'timermgr', 'options', 'dispatchv4', and
  *	'dispatchv6'.
  *
  * Returns:
  *
- *     	ISC_R_SUCCESS
+ *\li   	#ISC_R_SUCCESS
  *
- *	Any error that dns_resolver_create() can return.
+ *\li	Any error that dns_resolver_create() can return.
  */
 
 void
 dns_view_setcache(dns_view_t *view, dns_cache_t *cache);
-/*
+/*%<
  * Set the view's cache database.
  *
  * Requires:
  *
- *	'view' is a valid, unfrozen view.
+ *\li	'view' is a valid, unfrozen view.
  *
- *	'cache' is a valid cache.
+ *\li	'cache' is a valid cache.
  *
  * Ensures:
  *
- *     	The cache of 'view' is 'cached.
+ * \li    	The cache of 'view' is 'cached.
  *
- *	If this is not the first call to dns_view_setcache() for this
+ *\li	If this is not the first call to dns_view_setcache() for this
  *	view, then previously set cache is detached.
  */
 
 void
 dns_view_sethints(dns_view_t *view, dns_db_t *hints);
-/*
+/*%<
  * Set the view's hints database.
  *
  * Requires:
  *
- *	'view' is a valid, unfrozen view, whose hints database has not been
+ *\li	'view' is a valid, unfrozen view, whose hints database has not been
  *	set.
  *
- *	'hints' is a valid zone database.
+ *\li	'hints' is a valid zone database.
  *
  * Ensures:
  *
- *     	The hints database of 'view' is 'hints'.
+ * \li    	The hints database of 'view' is 'hints'.
  */
 
 void
 dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring);
-/*
+/*%<
  * Set the view's static TSIG keys
  *
  * Requires:
  *
- *      'view' is a valid, unfrozen view, whose static TSIG keyring has not
+ *   \li   'view' is a valid, unfrozen view, whose static TSIG keyring has not
  *	been set.
  *
- *      'ring' is a valid TSIG keyring
+ *\li      'ring' is a valid TSIG keyring
  *
  * Ensures:
  *
- *      The static TSIG keyring of 'view' is 'ring'.
+ *\li      The static TSIG keyring of 'view' is 'ring'.
  */
 
 void
 dns_view_setdstport(dns_view_t *view, in_port_t dstport);
-/*
+/*%<
  * Set the view's destination port.  This is the port to
  * which outgoing queries are sent.  The default is 53,
  * the standard DNS port.
  *
  * Requires:
  *
- *      'view' is a valid view.
+ *\li      'view' is a valid view.
  *
- *      'dstport' is a valid TCP/UDP port number.
+ *\li      'dstport' is a valid TCP/UDP port number.
  *
  * Ensures:
- *	External name servers will be assumed to be listning
+ *\li	External name servers will be assumed to be listning
  *	on 'dstport'.  For servers whose address has already
  *	obtained obtained at the time of the call, the view may
  *	continue to use the previously set port until the address
@@ -367,28 +373,28 @@ dns_view_setdstport(dns_view_t *view, in_port_t dstport);
 
 isc_result_t
 dns_view_addzone(dns_view_t *view, dns_zone_t *zone);
-/*
+/*%<
  * Add zone 'zone' to 'view'.
  *
  * Requires:
  *
- *	'view' is a valid, unfrozen view.
+ *\li	'view' is a valid, unfrozen view.
  *
- *	'zone' is a valid zone.
+ *\li	'zone' is a valid zone.
  */
 
 void
 dns_view_freeze(dns_view_t *view);
-/*
+/*%<
  * Freeze view.
  *
  * Requires:
  *
- *	'view' is a valid, unfrozen view.
+ *\li	'view' is a valid, unfrozen view.
  *
  * Ensures:
  *
- *	'view' is frozen.
+ *\li	'view' is frozen.
  */
 
 isc_result_t
@@ -396,63 +402,63 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	      isc_stdtime_t now, unsigned int options, isc_boolean_t use_hints,
 	      dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
 	      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*
+/*%<
  * Find an rdataset whose owner name is 'name', and whose type is
  * 'type'.
  *
  * Notes:
  *
- *	See the description of dns_db_find() for information about 'options'.
- *	If the caller sets DNS_DBFIND_GLUEOK, it must ensure that 'name'
+ *\li	See the description of dns_db_find() for information about 'options'.
+ *	If the caller sets #DNS_DBFIND_GLUEOK, it must ensure that 'name'
  *	and 'type' are appropriate for glue retrieval.
  *
- *	If 'now' is zero, then the current time will be used.
+ *\li	If 'now' is zero, then the current time will be used.
  *
- *	If 'use_hints' is ISC_TRUE, and the view has a hints database, then
+ *\li	If 'use_hints' is ISC_TRUE, and the view has a hints database, then
  *	it will be searched last.  If the answer is found in the hints
  *	database, the result code will be DNS_R_HINT.  If the name is found
  *	in the hints database but not the type, the result code will be
- *	DNS_R_HINTNXRRSET.
+ *	#DNS_R_HINTNXRRSET.
  *
- *	'foundname' must meet the requirements of dns_db_find().
+ *\li	'foundname' must meet the requirements of dns_db_find().
  *
- *	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ *\li	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
  *	covers 'type', then 'sigrdataset' will be bound to it.
  *
  * Requires:
  *
- *	'view' is a valid, frozen view.
+ *\li	'view' is a valid, frozen view.
  *
- *	'name' is valid name.
+ *\li	'name' is valid name.
  *
- *	'type' is a valid dns_rdatatype_t, and is not a meta query type
+ *\li	'type' is a valid dns_rdatatype_t, and is not a meta query type
  *	except dns_rdatatype_any.
  *
- *	dbp == NULL || *dbp == NULL
+ *\li	dbp == NULL || *dbp == NULL
  *
- *	nodep == NULL || *nodep == NULL.  If nodep != NULL, dbp != NULL.
+ *\li	nodep == NULL || *nodep == NULL.  If nodep != NULL, dbp != NULL.
  *
- *	'foundname' is a valid name with a dedicated buffer or NULL.
+ *\li	'foundname' is a valid name with a dedicated buffer or NULL.
  *
- *	'rdataset' is a valid, disassociated rdataset.
+ *\li	'rdataset' is a valid, disassociated rdataset.
  *
- *	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
  *
  * Ensures:
  *
- *	In successful cases, 'rdataset', and possibly 'sigrdataset', are
+ *\li	In successful cases, 'rdataset', and possibly 'sigrdataset', are
  *	bound to the found data.
  *
- *	If dbp != NULL, it points to the database containing the data.
+ *\li	If dbp != NULL, it points to the database containing the data.
  *
- *	If nodep != NULL, it points to the database node containing the data.
+ *\li	If nodep != NULL, it points to the database node containing the data.
  *
- *	If foundname != NULL, it contains the full name of the found data.
+ *\li	If foundname != NULL, it contains the full name of the found data.
  *
  * Returns:
  *
- *	Any result that dns_db_find() can return, with the exception of
- *	DNS_R_DELEGATION.
+ *\li	Any result that dns_db_find() can return, with the exception of
+ *	#DNS_R_DELEGATION.
  */
 
 isc_result_t
@@ -460,62 +466,63 @@ dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		    isc_stdtime_t now, unsigned int options,
 		    isc_boolean_t use_hints,
 		    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*
+/*%<
  * Find an rdataset whose owner name is 'name', and whose type is
  * 'type'.
  *
  * Notes:
  *
- *	This routine is appropriate for simple, exact-match queries of the
+ *\li	This routine is appropriate for simple, exact-match queries of the
  *	view.  'name' must be a canonical name; there is no DNAME or CNAME
  *	processing.
  *
- *	See the description of dns_db_find() for information about 'options'.
+ *\li	See the description of dns_db_find() for information about 'options'.
  *	If the caller sets DNS_DBFIND_GLUEOK, it must ensure that 'name'
  *	and 'type' are appropriate for glue retrieval.
  *
- *	If 'now' is zero, then the current time will be used.
+ *\li	If 'now' is zero, then the current time will be used.
  *
- *	If 'use_hints' is ISC_TRUE, and the view has a hints database, then
+ *\li	If 'use_hints' is ISC_TRUE, and the view has a hints database, then
  *	it will be searched last.  If the answer is found in the hints
  *	database, the result code will be DNS_R_HINT.  If the name is found
  *	in the hints database but not the type, the result code will be
  *	DNS_R_HINTNXRRSET.
  *
- *	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ *\li	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
  *	covers 'type', then 'sigrdataset' will be bound to it.
  *
  * Requires:
  *
- *	'view' is a valid, frozen view.
+ *\li	'view' is a valid, frozen view.
  *
- *	'name' is valid name.
+ *\li	'name' is valid name.
  *
- *	'type' is a valid dns_rdatatype_t, and is not a meta query type
+ *\li	'type' is a valid dns_rdatatype_t, and is not a meta query type
  *	(e.g. dns_rdatatype_any), or dns_rdatatype_rrsig.
  *
- *	'rdataset' is a valid, disassociated rdataset.
+ *\li	'rdataset' is a valid, disassociated rdataset.
  *
- *	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
  *
  * Ensures:
  *
- *	In successful cases, 'rdataset', and possibly 'sigrdataset', are
+ *\li	In successful cases, 'rdataset', and possibly 'sigrdataset', are
  *	bound to the found data.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS			Success; result is desired type.
- *	DNS_R_GLUE			Success; result is glue.
- *	DNS_R_HINT			Success; result is a hint.
- *	DNS_R_NCACHENXDOMAIN		Success; result is a ncache entry.
- *	DNS_R_NCACHENXRRSET		Success; result is a ncache entry.
- *	DNS_R_NXDOMAIN			The name does not exist.
- *	DNS_R_NXRRSET			The rrset does not exist.
- *	ISC_R_NOTFOUND			No matching data found,
+ *\li	#ISC_R_SUCCESS			Success; result is desired type.
+ *\li	DNS_R_GLUE			Success; result is glue.
+ *\li	DNS_R_HINT			Success; result is a hint.
+ *\li	DNS_R_NCACHENXDOMAIN		Success; result is a ncache entry.
+ *\li	DNS_R_NCACHENXRRSET		Success; result is a ncache entry.
+ *\li	DNS_R_NXDOMAIN			The name does not exist.
+ *\li	DNS_R_NXRRSET			The rrset does not exist.
+ *\li	#ISC_R_NOTFOUND			No matching data found,
  *					or an error occurred.
  */
 
+/*% See dns_view_findzonecut2() */
 isc_result_t
 dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 		     isc_stdtime_t now, unsigned int options,
@@ -527,7 +534,7 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 		      isc_stdtime_t now, unsigned int options,
 		      isc_boolean_t use_hints, isc_boolean_t use_cache,
 		      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*
+/*%<
  * Find the best known zonecut containing 'name'.
  *
  * This uses local authority, cache, and optionally hints data.
@@ -535,69 +542,69 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
  *
  * Notes:
  *
- *	If 'now' is zero, then the current time will be used.
+ *\li	If 'now' is zero, then the current time will be used.
  *
- *	If 'use_hints' is ISC_TRUE, and the view has a hints database, then
+ *\li	If 'use_hints' is ISC_TRUE, and the view has a hints database, then
  *	it will be searched last.
  *
- *	If 'use_cache' is ISC_TRUE, and the view has a cache, then it will be
+ *\li	If 'use_cache' is ISC_TRUE, and the view has a cache, then it will be
  *	searched.
  *
- *	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ *\li	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
  *	covers 'type', then 'sigrdataset' will be bound to it.
  *
- *	If the DNS_DBFIND_NOEXACT option is set, then the zonecut returned
+ *\li	If the DNS_DBFIND_NOEXACT option is set, then the zonecut returned
  *	(if any) will be the deepest known ancestor of 'name'.
  *
  * Requires:
  *
- *	'view' is a valid, frozen view.
+ *\li	'view' is a valid, frozen view.
  *
- *	'name' is valid name.
+ *\li	'name' is valid name.
  *
- *	'rdataset' is a valid, disassociated rdataset.
+ *\li	'rdataset' is a valid, disassociated rdataset.
  *
- *	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS				Success.
+ *\li	#ISC_R_SUCCESS				Success.
  *
- *	Many other results are possible.
+ *\li	Many other results are possible.
  */
 
 isc_result_t
 dns_viewlist_find(dns_viewlist_t *list, const char *name,
 		  dns_rdataclass_t rdclass, dns_view_t **viewp);
-/*
+/*%<
  * Search for a view with name 'name' and class 'rdclass' in 'list'.
  * If found, '*viewp' is (strongly) attached to it.
  *
  * Requires:
  *
- *	'viewp' points to a NULL dns_view_t *.
+ *\li	'viewp' points to a NULL dns_view_t *.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		A matching view was found.
- *	ISC_R_NOTFOUND		No matching view was found.
+ *\li	#ISC_R_SUCCESS		A matching view was found.
+ *\li	#ISC_R_NOTFOUND		No matching view was found.
  */
 
 isc_result_t
 dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep);
-/*
+/*%<
  * Search for the zone 'name' in the zone table of 'view'.
  * If found, 'zonep' is (strongly) attached to it.  There
  * are no partial matches.
  *
  * Requires:
  *
- *	'zonep' points to a NULL dns_zone_t *.
+ *\li	'zonep' points to a NULL dns_zone_t *.
  *
  * Returns:
- *	ISC_R_SUCCESS		A matching zone was found.
- *	ISC_R_NOTFOUND		No matching zone was found.
- *	others			An error occurred.
+ *\li	#ISC_R_SUCCESS		A matching zone was found.
+ *\li	#ISC_R_NOTFOUND		No matching zone was found.
+ *\li	others			An error occurred.
  */
 
 isc_result_t
@@ -605,7 +612,7 @@ dns_view_load(dns_view_t *view, isc_boolean_t stop);
 
 isc_result_t
 dns_view_loadnew(dns_view_t *view, isc_boolean_t stop);
-/*
+/*%<
  * Load zones attached to this view.  dns_view_load() loads
  * all zones whose master file has changed since the last
  * load; dns_view_loadnew() loads only zones that have never 
@@ -616,29 +623,29 @@ dns_view_loadnew(dns_view_t *view, isc_boolean_t stop);
  *
  * Requires:
  *
- *	'view' is valid.
+ *\li	'view' is valid.
  */
 
 isc_result_t
 dns_view_gettsig(dns_view_t *view, dns_name_t *keyname,
 		 dns_tsigkey_t **keyp);
-/*
+/*%<
  * Find the TSIG key configured in 'view' with name 'keyname',
  * if any.
  *
  * Reqires:
- *	keyp points to a NULL dns_tsigkey_t *.
+ *\li	keyp points to a NULL dns_tsigkey_t *.
  *
  * Returns:
- *	ISC_R_SUCCESS	A key was found and '*keyp' now points to it.
- *	ISC_R_NOTFOUND	No key was found.
- *	others		An error occurred.
+ *\li	#ISC_R_SUCCESS	A key was found and '*keyp' now points to it.
+ *\li	#ISC_R_NOTFOUND	No key was found.
+ *\li	others		An error occurred.
  */
 
 isc_result_t
 dns_view_getpeertsig(dns_view_t *view, isc_netaddr_t *peeraddr,
 		     dns_tsigkey_t **keyp);
-/*
+/*%<
  * Find the TSIG key configured in 'view' for the server whose
  * address is 'peeraddr', if any.
  *
@@ -646,35 +653,35 @@ dns_view_getpeertsig(dns_view_t *view, isc_netaddr_t *peeraddr,
  *	keyp points to a NULL dns_tsigkey_t *.
  *
  * Returns:
- *	ISC_R_SUCCESS	A key was found and '*keyp' now points to it.
- *	ISC_R_NOTFOUND	No key was found.
- *	others		An error occurred.
+ *\li	#ISC_R_SUCCESS	A key was found and '*keyp' now points to it.
+ *\li	#ISC_R_NOTFOUND	No key was found.
+ *\li	others		An error occurred.
  */
 
 isc_result_t
 dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg);
-/*
+/*%<
  * Verifies the signature of a message.
  *
  * Requires:
  *
- *	'view' is a valid view.
- *	'source' is a valid buffer containing the message
- *	'msg' is a valid message
+ *\li	'view' is a valid view.
+ *\li	'source' is a valid buffer containing the message
+ *\li	'msg' is a valid message
  *
  * Returns:
- *	see dns_tsig_verify()
+ *\li	see dns_tsig_verify()
  */
 
 void
 dns_view_dialup(dns_view_t *view);
-/*
+/*%<
  * Perform dialup-time maintenance on the zones of 'view'.
  */
 
 isc_result_t
 dns_view_dumpdbtostream(dns_view_t *view, FILE *fp);
-/*
+/*%<
  * Dump the current state of the view 'view' to the stream 'fp'
  * for purposes of analysis or debugging.
  *
@@ -685,18 +692,18 @@ dns_view_dumpdbtostream(dns_view_t *view, FILE *fp);
  *
  * Requires:
  * 	
- *	'view' is valid.
+ *\li	'view' is valid.
  *
- *	'fp' refers to a file open for writing.
+ *\li	'fp' refers to a file open for writing.
  *
  * Returns:
- * 	ISC_R_SUCCESS	The cache was successfully dumped.
- * 	others		An error occurred (see dns_master_dump)
+ * \li	ISC_R_SUCCESS	The cache was successfully dumped.
+ * \li	others		An error occurred (see dns_master_dump)
  */
 
 isc_result_t
 dns_view_flushcache(dns_view_t *view);
-/*
+/*%<
  * Flush the view's cache (and ADB).
  *
  * Requires:
@@ -705,85 +712,93 @@ dns_view_flushcache(dns_view_t *view);
  * 	No other tasks are executing.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
  */
 
 isc_result_t
 dns_view_flushname(dns_view_t *view, dns_name_t *);
-/*
+/*%<
  * Flush the given name from the view's cache (and ADB).
  *
  * Requires:
- *	'view' is valid.
- *	'name' is valid.
+ *\li	'view' is valid.
+ *\li	'name' is valid.
  *
  * Returns:
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_SUCCESS
  *	other returns are failures.
  */
 
 isc_result_t
 dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name);
-/*
+/*%<
  * Add the given name to the delegation only table.
  * 
  *
  * Requires:
- *	'view' is valid.
- *	'name' is valid.
+ *\li	'view' is valid.
+ *\li	'name' is valid.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
  */
 
 isc_result_t
 dns_view_excludedelegationonly(dns_view_t *view, dns_name_t *name);
-/*
+/*%<
  * Add the given name to be excluded from the root-delegation-only.
  * 
  *
  * Requires:
- *	'view' is valid.
- *	'name' is valid.
+ *\li	'view' is valid.
+ *\li	'name' is valid.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
  */
 
 isc_boolean_t
 dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name);
-/*
+/*%<
  * Check if 'name' is in the delegation only table or if
  * rootdelonly is set that name is not being excluded.
  *
  * Requires:
- *	'view' is valid.
- *	'name' is valid.
+ *\li	'view' is valid.
+ *\li	'name' is valid.
  *
  * Returns:
- *	ISC_TRUE if the name is is the table.
- *	ISC_FALSE othewise.
+ *\li	#ISC_TRUE if the name is is the table.
+ *\li	#ISC_FALSE othewise.
  */
 
 void
 dns_view_setrootdelonly(dns_view_t *view, isc_boolean_t value);
-/*
+/*%<
  * Set the root delegation only flag.
  *
  * Requires:
- *	'view' is valid.
+ *\li	'view' is valid.
  */
 
 isc_boolean_t
 dns_view_getrootdelonly(dns_view_t *view);
-/*
+/*%<
  * Get the root delegation only flag.
  *
  * Requires:
- *	'view' is valid.
+ *\li	'view' is valid.
  */
 
+isc_result_t
+dns_view_freezezones(dns_view_t *view, isc_boolean_t freeze);
+/*%<
+ * Freeze/thaw updates to master zones.
+ *
+ * Requires:
+ * \li	'view' is valid.
+ */
 #endif /* DNS_VIEW_H */
diff --git a/contrib/bind9/lib/dns/include/dns/xfrin.h b/contrib/bind9/lib/dns/include/dns/xfrin.h
index 0f5e086..fcd482e 100644
--- a/contrib/bind9/lib/dns/include/dns/xfrin.h
+++ b/contrib/bind9/lib/dns/include/dns/xfrin.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.h,v 1.18.136.4 2006/07/20 01:10:29 marka Exp $ */
+/* $Id: xfrin.h,v 1.20.18.5 2006/07/20 01:10:30 marka Exp $ */
 
 #ifndef DNS_XFRIN_H
 #define DNS_XFRIN_H 1
@@ -24,7 +24,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file 
+ * \brief
  * Incoming zone transfers (AXFR + IXFR).
  */
 
@@ -40,7 +41,7 @@
  *** Types
  ***/
 
-/*
+/*%
  * A transfer in progress.  This is an opaque type.
  */
 typedef struct dns_xfrin_ctx dns_xfrin_ctx_t;
@@ -51,6 +52,7 @@ typedef struct dns_xfrin_ctx dns_xfrin_ctx_t;
 
 ISC_LANG_BEGINDECLS
 
+/*% see dns_xfrin_create2() */
 isc_result_t
 dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
 		 isc_sockaddr_t *masteraddr, dns_tsigkey_t *tsigkey,
@@ -65,7 +67,7 @@ dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
 		  isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
 		  isc_task_t *task, dns_xfrindone_t done,
 		  dns_xfrin_ctx_t **xfrp);
-/*
+/*%<
  * Attempt to start an incoming zone transfer of 'zone'
  * from 'masteraddr', creating a dns_xfrin_ctx_t object to
  * manage it.  Attach '*xfrp' to the newly created object.
@@ -75,17 +77,17 @@ dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
  * code as arguments when the transfer finishes.
  *
  * Requires:
- *	'xfrtype' is dns_rdatatype_axfr, dns_rdatatype_ixfr
+ *\li	'xfrtype' is dns_rdatatype_axfr, dns_rdatatype_ixfr
  *	or dns_rdatatype_soa (soa query followed by axfr if
  *	serial is greater than current serial).
  *
- *	If 'xfrtype' is dns_rdatatype_ixfr or dns_rdatatype_soa,
+ *\li	If 'xfrtype' is dns_rdatatype_ixfr or dns_rdatatype_soa,
  *	the zone has a database.
  */
 
 void
 dns_xfrin_shutdown(dns_xfrin_ctx_t *xfr);
-/*
+/*%<
  * If the zone transfer 'xfr' has already finished,
  * do nothing.  Otherwise, abort it and cause it to call
  * its done callback with a status of ISC_R_CANCELLED.
@@ -93,14 +95,14 @@ dns_xfrin_shutdown(dns_xfrin_ctx_t *xfr);
 
 void
 dns_xfrin_detach(dns_xfrin_ctx_t **xfrp);
-/*
+/*%<
  * Detach a reference to a zone transfer object.
  * Caller to maintain external locking if required.
  */
 
 void
 dns_xfrin_attach(dns_xfrin_ctx_t *source, dns_xfrin_ctx_t **target);
-/*
+/*%<
  * Caller to maintain external locking if required.
  */
 
diff --git a/contrib/bind9/lib/dns/include/dns/zone.h b/contrib/bind9/lib/dns/include/dns/zone.h
index 4baf36a..7cb8272 100644
--- a/contrib/bind9/lib/dns/include/dns/zone.h
+++ b/contrib/bind9/lib/dns/include/dns/zone.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.106.2.7.4.18 2006/08/01 03:44:00 marka Exp $ */
+/* $Id: zone.h,v 1.126.18.19 2006/08/01 03:45:21 marka Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
 
+/*! \file */
+
 /***
  ***	Imports
  ***/
@@ -30,6 +32,7 @@
 #include <isc/lang.h>
 #include <isc/rwlock.h>
 
+#include <dns/masterdump.h>
 #include <dns/types.h>
 
 typedef enum {
@@ -39,19 +42,30 @@ typedef enum {
 	dns_zone_stub
 } dns_zonetype_t;
 
-#define DNS_ZONEOPT_SERVERS	  0x00000001U	/* perform server checks */
-#define DNS_ZONEOPT_PARENTS	  0x00000002U	/* perform parent checks */
-#define DNS_ZONEOPT_CHILDREN	  0x00000004U	/* perform child checks */
-#define DNS_ZONEOPT_NOTIFY	  0x00000008U	/* perform NOTIFY */
-#define DNS_ZONEOPT_MANYERRORS	  0x00000010U	/* return many errors on load */
-#define DNS_ZONEOPT_IXFRFROMDIFFS 0x00000020U	/* calculate differences */
-#define DNS_ZONEOPT_NOMERGE	  0x00000040U	/* don't merge journal */
-#define DNS_ZONEOPT_CHECKNS	  0x00000080U	/* check if NS's are addresses */
-#define DNS_ZONEOPT_FATALNS	  0x00000100U	/* DNS_ZONEOPT_CHECKNS is fatal */
-#define DNS_ZONEOPT_MULTIMASTER	  0x00000200U	/* this zone has multiple masters */
-#define DNS_ZONEOPT_USEALTXFRSRC  0x00000400U	/* use alternate transfer sources */
-#define DNS_ZONEOPT_CHECKNAMES	  0x00000800U	/* check-names */
-#define DNS_ZONEOPT_CHECKNAMESFAIL 0x00001000U	/* fatal check-name failures */
+#define DNS_ZONEOPT_SERVERS	  0x00000001U	/*%< perform server checks */
+#define DNS_ZONEOPT_PARENTS	  0x00000002U	/*%< perform parent checks */
+#define DNS_ZONEOPT_CHILDREN	  0x00000004U	/*%< perform child checks */
+#define DNS_ZONEOPT_NOTIFY	  0x00000008U	/*%< perform NOTIFY */
+#define DNS_ZONEOPT_MANYERRORS	  0x00000010U	/*%< return many errors on load */
+#define DNS_ZONEOPT_IXFRFROMDIFFS 0x00000020U	/*%< calculate differences */
+#define DNS_ZONEOPT_NOMERGE	  0x00000040U	/*%< don't merge journal */
+#define DNS_ZONEOPT_CHECKNS	  0x00000080U	/*%< check if NS's are addresses */
+#define DNS_ZONEOPT_FATALNS	  0x00000100U	/*%< DNS_ZONEOPT_CHECKNS is fatal */
+#define DNS_ZONEOPT_MULTIMASTER	  0x00000200U	/*%< this zone has multiple masters */
+#define DNS_ZONEOPT_USEALTXFRSRC  0x00000400U	/*%< use alternate transfer sources */
+#define DNS_ZONEOPT_CHECKNAMES	  0x00000800U	/*%< check-names */
+#define DNS_ZONEOPT_CHECKNAMESFAIL 0x00001000U	/*%< fatal check-name failures */
+#define DNS_ZONEOPT_CHECKWILDCARD 0x00002000U	/*%< check for internal wildcards */
+#define DNS_ZONEOPT_CHECKMX	  0x00004000U	/*%< check-mx */
+#define DNS_ZONEOPT_CHECKMXFAIL   0x00008000U	/*%< fatal check-mx failures */
+#define DNS_ZONEOPT_CHECKINTEGRITY 0x00010000U	/*%< perform integrity checks */
+#define DNS_ZONEOPT_CHECKSIBLING  0x00020000U	/*%< perform sibling glue checks */
+#define DNS_ZONEOPT_NOCHECKNS	  0x00040000U	/*%< disable IN NS address checks */
+#define DNS_ZONEOPT_WARNMXCNAME	  0x00080000U	/*%< warn on MX CNAME check */
+#define DNS_ZONEOPT_IGNOREMXCNAME 0x00100000U	/*%< ignore MX CNAME check */
+#define DNS_ZONEOPT_WARNSRVCNAME  0x00200000U	/*%< warn on SRV CNAME check */
+#define DNS_ZONEOPT_IGNORESRVCNAME 0x00400000U	/*%< ignore SRV CNAME check */
+#define DNS_ZONEOPT_UPDATECHECKKSK 0x00800000U	/*%< check dnskey KSK flag */
 
 #ifndef NOMINUM_PUBLIC
 /*
@@ -61,22 +75,22 @@ typedef enum {
 #endif /* NOMINUM_PUBLIC */
 
 #ifndef DNS_ZONE_MINREFRESH
-#define DNS_ZONE_MINREFRESH		    300	/* 5 minutes */
+#define DNS_ZONE_MINREFRESH		    300	/*%< 5 minutes */
 #endif
 #ifndef DNS_ZONE_MAXREFRESH
-#define DNS_ZONE_MAXREFRESH		2419200	/* 4 weeks */
+#define DNS_ZONE_MAXREFRESH		2419200	/*%< 4 weeks */
 #endif
 #ifndef DNS_ZONE_DEFAULTREFRESH
-#define DNS_ZONE_DEFAULTREFRESH		   3600	/* 1 hour */
+#define DNS_ZONE_DEFAULTREFRESH		   3600	/*%< 1 hour */
 #endif
 #ifndef DNS_ZONE_MINRETRY
-#define DNS_ZONE_MINRETRY		    300	/* 5 minutes */
+#define DNS_ZONE_MINRETRY		    300	/*%< 5 minutes */
 #endif
 #ifndef DNS_ZONE_MAXRETRY
-#define DNS_ZONE_MAXRETRY		1209600	/* 2 weeks */
+#define DNS_ZONE_MAXRETRY		1209600	/*%< 2 weeks */
 #endif
 #ifndef DNS_ZONE_DEFAULTRETRY
-#define DNS_ZONE_DEFAULTRETRY		     60	/* 1 minute, subject to
+#define DNS_ZONE_DEFAULTRETRY		     60	/*%< 1 minute, subject to
 						   exponential backoff */
 #endif
 
@@ -93,126 +107,135 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx);
-/*
+/*%<
  *	Creates a new empty zone and attach '*zonep' to it.
  *
  * Requires:
- *	'zonep' to point to a NULL pointer.
- *	'mctx' to be a valid memory context.
+ *\li	'zonep' to point to a NULL pointer.
+ *\li	'mctx' to be a valid memory context.
  *
  * Ensures:
- *	'*zonep' refers to a valid zone.
+ *\li	'*zonep' refers to a valid zone.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
  */
 
 void
 dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass);
-/*
+/*%<
  *	Sets the class of a zone.  This operation can only be performed
  *	once on a zone.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	dns_zone_setclass() not to have been called since the zone was
+ *\li	'zone' to be a valid zone.
+ *\li	dns_zone_setclass() not to have been called since the zone was
  *	created.
- *	'rdclass' != dns_rdataclass_none.
+ *\li	'rdclass' != dns_rdataclass_none.
  */
 
 dns_rdataclass_t
 dns_zone_getclass(dns_zone_t *zone);
-/*
+/*%<
  *	Returns the current zone class.
  *
  * Requires:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type);
-/*
+/*%<
  *	Sets the zone type. This operation can only be performed once on
  *	a zone.
  *
  * Requires:
- *	'zone' to be a valid zone.
- *	dns_zone_settype() not to have been called since the zone was
+ *\li	'zone' to be a valid zone.
+ *\li	dns_zone_settype() not to have been called since the zone was
  *	created.
- *	'type' != dns_zone_none
+ *\li	'type' != dns_zone_none
  */
 
 void
 dns_zone_setview(dns_zone_t *zone, dns_view_t *view);
-/*
+/*%<
  *	Associate the zone with a view.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 dns_view_t *
 dns_zone_getview(dns_zone_t *zone);
-/*
+/*%<
  *	Returns the zone's associated view.
  *
  * Requires:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_result_t
 dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin);
-/*
+/*%<
  *	Sets the zones origin to 'origin'.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'origin' to be non NULL.
+ *\li	'zone' to be a valid zone.
+ *\li	'origin' to be non NULL.
  *
  * Returns:
- *	ISC_R_SUCCESS
- * 	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li 	#ISC_R_NOMEMORY
  */
 
 dns_name_t *
 dns_zone_getorigin(dns_zone_t *zone);
-/*
+/*%<
  *	Returns the value of the origin.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_result_t
 dns_zone_setfile(dns_zone_t *zone, const char *file);
-/*
- *	Sets the name of the master file from which the zone
- *	loads its database to 'file'.  For zones that have
- *	no associated master file, 'file' will be NULL.
+
+isc_result_t
+dns_zone_setfile2(dns_zone_t *zone, const char *file,
+		  dns_masterformat_t format);
+/*%<
+ *    Sets the name of the master file in the format of 'format' from which
+ *    the zone loads its database to 'file'.
+ *
+ *    For zones that have no associated master file, 'file' will be NULL.
  *
  *	For zones with persistent databases, the file name
  *	setting is ignored.
  *
+ *    dns_zone_setfile() is a backward-compatible form of
+ *    dns_zone_setfile2(), which always specifies the
+ *    dns_masterformat_text (RFC1035) format.
+ *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  *
  * Returns:
- *	ISC_R_NOMEMORY
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
  */
 
 const char *
 dns_zone_getfile(dns_zone_t *zone);
-/*
+/*%<
  * 	Gets the name of the zone's master file, if any.
  *
  * Requires:
- *	'zone' to be valid initialised zone.
+ *\li	'zone' to be valid initialised zone.
  *
  * Returns:
- *	Pointer to null-terminated file name, or NULL.
+ *\li	Pointer to null-terminated file name, or NULL.
  */
 
 isc_result_t
@@ -220,7 +243,7 @@ dns_zone_load(dns_zone_t *zone);
 
 isc_result_t
 dns_zone_loadnew(dns_zone_t *zone);
-/*
+/*%<
  *	Cause the database to be loaded from its backing store.
  *	Confirm that the minimum requirements for the zone type are
  *	met, otherwise DNS_R_BADZONE is returned.
@@ -230,187 +253,216 @@ dns_zone_loadnew(dns_zone_t *zone);
  *	and whose master file has changed since the last load.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  *
  * Returns:
- *	ISC_R_UNEXPECTED
- *	ISC_R_SUCCESS
- *	DNS_R_CONTINUE	  Incremental load has been queued.
- *	DNS_R_UPTODATE	  The zone has already been loaded based on
+ *\li	#ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS
+ *\li	DNS_R_CONTINUE	  Incremental load has been queued.
+ *\li	DNS_R_UPTODATE	  The zone has already been loaded based on
  *			  file system timestamps.
- *	DNS_R_BADZONE
- *	Any result value from dns_db_load().
+ *\li	DNS_R_BADZONE
+ *\li	Any result value from dns_db_load().
  */
 
 void
 dns_zone_attach(dns_zone_t *source, dns_zone_t **target);
-/*
+/*%<
  *	Attach '*target' to 'source' incrementing its external
  * 	reference count.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'target' to be non NULL and '*target' to be NULL.
+ *\li	'zone' to be a valid zone.
+ *\li	'target' to be non NULL and '*target' to be NULL.
  */
 
 void
 dns_zone_detach(dns_zone_t **zonep);
-/*
+/*%<
  *	Detach from a zone decrementing its external reference count.
  *	If this was the last external reference to the zone it will be
  * 	shut down and eventually freed.
  *
  * Require:
- *	'zonep' to point to a valid zone.
+ *\li	'zonep' to point to a valid zone.
  */
 
 void
 dns_zone_iattach(dns_zone_t *source, dns_zone_t **target);
-/*
+/*%<
  *	Attach '*target' to 'source' incrementing its internal
  * 	reference count.  This is intended for use by operations
  * 	such as zone transfers that need to prevent the zone
  * 	object from being freed but not from shutting down.
  *
  * Require:
- *	The caller is running in the context of the zone's task.
- *	'zone' to be a valid zone.
- *	'target' to be non NULL and '*target' to be NULL.
+ *\li	The caller is running in the context of the zone's task.
+ *\li	'zone' to be a valid zone.
+ *\li	'target' to be non NULL and '*target' to be NULL.
  */
 
 void
 dns_zone_idetach(dns_zone_t **zonep);
-/*
+/*%<
  *	Detach from a zone decrementing its internal reference count.
  *	If there are no more internal or external references to the
  * 	zone, it will be freed.
  *
  * Require:
- *	The caller is running in the context of the zone's task.
- *	'zonep' to point to a valid zone.
+ *\li	The caller is running in the context of the zone's task.
+ *\li	'zonep' to point to a valid zone.
  */
 
 void
 dns_zone_setflag(dns_zone_t *zone, unsigned int flags, isc_boolean_t value);
-/*
+/*%<
  *	Sets ('value' == 'ISC_TRUE') / clears ('value' == 'IS_FALSE')
  *	zone flags.  Valid flag bits are DNS_ZONE_F_*.
  *
  * Requires
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_result_t
 dns_zone_getdb(dns_zone_t *zone, dns_db_t **dbp);
-/*
+/*%<
  * 	Attach '*dbp' to the database to if it exists otherwise
  *	return DNS_R_NOTLOADED.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'dbp' to be != NULL && '*dbp' == NULL.
+ *\li	'zone' to be a valid zone.
+ *\li	'dbp' to be != NULL && '*dbp' == NULL.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	DNS_R_NOTLOADED
+ *\li	#ISC_R_SUCCESS
+ *\li	DNS_R_NOTLOADED
  */
 
 isc_result_t
 dns_zone_setdbtype(dns_zone_t *zone,
 		   unsigned int dbargc, const char * const *dbargv);
-/*
+/*%<
  *	Sets the database type to dbargv[0] and database arguments
  *	to subsequent dbargv elements.
  *	'db_type' is not checked to see if it is a valid database type.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'database' to be non NULL.
- *	'dbargc' to be >= 1
- *	'dbargv' to point to dbargc NULL-terminated strings
+ *\li	'zone' to be a valid zone.
+ *\li	'database' to be non NULL.
+ *\li	'dbargc' to be >= 1
+ *\li	'dbargv' to point to dbargc NULL-terminated strings
  *
  * Returns:
- *	ISC_R_NOMEMORY
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_result_t
+dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx);
+/*%<
+ *	Returns the current dbtype.  isc_mem_free() should be used
+ * 	to free 'argv' after use.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'argv' to be non NULL and *argv to be NULL.
+ *\li	'mctx' to be valid.
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
  */
 
 void
 dns_zone_markdirty(dns_zone_t *zone);
-/*
+/*%<
  *	Mark a zone as 'dirty'.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_expire(dns_zone_t *zone);
-/*
+/*%<
  *	Mark the zone as expired.  If the zone requires dumping cause it to
  *	be initiated.  Set the refresh and retry intervals to there default
  *	values and unload the zone.
  *
  * Require
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_refresh(dns_zone_t *zone);
-/*
+/*%<
  *	Initiate zone up to date checks.  The zone must already be being
  *	managed.
  *
  * Require
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_result_t
 dns_zone_flush(dns_zone_t *zone);
-/*
+/*%<
  *	Write the zone to database if there are uncommited changes.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_result_t
 dns_zone_dump(dns_zone_t *zone);
-/*
+/*%<
  *	Write the zone to database.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_result_t
 dns_zone_dumptostream(dns_zone_t *zone, FILE *fd);
-/*
- *	Write the zone to stream 'fd'.
+
+isc_result_t
+dns_zone_dumptostream2(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
+		       const dns_master_style_t *style);
+/*%<
+ *    Write the zone to stream 'fd' in the specified 'format'.
+ *    If the 'format' is dns_masterformat_text (RFC1035), 'style' also
+ *    specifies the file style (e.g., &dns_master_style_default).
+ *
+ *    dns_zone_dumptostream() is a backward-compatible form of
+ *    dns_zone_dumptostream2(), which always uses the dns_masterformat_text
+ *    format and the dns_master_style_default style.
+ *
+ *    Note that dns_zone_dumptostream2() is the most flexible form.  It
+ *    can also provide the functionality of dns_zone_fulldumptostream().
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'fd' to be a stream open for writing.
+ *\li	'zone' to be a valid zone.
+ *\li	'fd' to be a stream open for writing.
  */
 
 isc_result_t
 dns_zone_fulldumptostream(dns_zone_t *zone, FILE *fd);
-/*
+/*%<
  *	The same as dns_zone_dumptostream, but dumps the zone with
  *	different dump settings (dns_master_style_full).
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'fd' to be a stream open for writing.
+ *\li	'zone' to be a valid zone.
+ *\li	'fd' to be a stream open for writing.
  */
 
 void
 dns_zone_maintenance(dns_zone_t *zone);
-/*
+/*%<
  *	Perform regular maintenace on the zone.  This is called as a
  *	result of a zone being managed.
  *
  * Require
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_result_t
@@ -421,108 +473,108 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone,
 			    const isc_sockaddr_t *masters,
 			    dns_name_t **keynames,
 			    isc_uint32_t count);
-/*
+/*%<
  *	Set the list of master servers for the zone.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'masters' array of isc_sockaddr_t with port set or NULL.
- *	'count' the number of masters.
- *      'keynames' array of dns_name_t's for tsig keys or NULL.
+ *\li	'zone' to be a valid zone.
+ *\li	'masters' array of isc_sockaddr_t with port set or NULL.
+ *\li	'count' the number of masters.
+ *\li      'keynames' array of dns_name_t's for tsig keys or NULL.
  *
- *      dns_zone_setmasters() is just a wrapper to setmasterswithkeys(),
+ *  \li    dns_zone_setmasters() is just a wrapper to setmasterswithkeys(),
  *      passing NULL in the keynames field.
  *
- * 	If 'masters' is NULL then 'count' must be zero.
+ * \li	If 'masters' is NULL then 'count' must be zero.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *      Any result dns_name_dup() can return, if keynames!=NULL
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li      Any result dns_name_dup() can return, if keynames!=NULL
  */
 
 isc_result_t
 dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
 		       isc_uint32_t count);
-/*
+/*%<
  *	Set the list of additional servers to be notified when
  *	a zone changes.	 To clear the list use 'count = 0'.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'notify' to be non-NULL if count != 0.
- *	'count' to be the number of notifyees.
+ *\li	'zone' to be a valid zone.
+ *\li	'notify' to be non-NULL if count != 0.
+ *\li	'count' to be the number of notifyees.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
  */
 
 void
 dns_zone_unload(dns_zone_t *zone);
-/*
+/*%<
  *	detach the database from the zone structure.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_setoption(dns_zone_t *zone, unsigned int option, isc_boolean_t value);
-/*
+/*%<
  *	Set given options on ('value' == ISC_TRUE) or off ('value' ==
- *	ISC_FALSE).
+ *	#ISC_FALSE).
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 unsigned int
 dns_zone_getoptions(dns_zone_t *zone);
-/*
+/*%<
  *	Returns the current zone options.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_setminrefreshtime(dns_zone_t *zone, isc_uint32_t val);
-/*
+/*%<
  *	Set the minimum refresh time.
  *
  * Requires:
- *	'zone' is valid.
- *	val > 0.
+ *\li	'zone' is valid.
+ *\li	val > 0.
  */
 
 void
 dns_zone_setmaxrefreshtime(dns_zone_t *zone, isc_uint32_t val);
-/*
+/*%<
  *	Set the maximum refresh time.
  *
  * Requires:
- *	'zone' is valid.
- *	val > 0.
+ *\li	'zone' is valid.
+ *\li	val > 0.
  */
 
 void
 dns_zone_setminretrytime(dns_zone_t *zone, isc_uint32_t val);
-/*
+/*%<
  *	Set the minimum retry time.
  *
  * Requires:
- *	'zone' is valid.
- *	val > 0.
+ *\li	'zone' is valid.
+ *\li	val > 0.
  */
 
 void
 dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val);
-/*
+/*%<
  *	Set the maximum retry time.
  *
  * Requires:
- *	'zone' is valid.
+ *\li	'zone' is valid.
  *	val > 0.
  */
 
@@ -531,436 +583,454 @@ dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
 isc_result_t
 dns_zone_setaltxfrsource4(dns_zone_t *zone,
 			  const isc_sockaddr_t *xfrsource);
-/*
+/*%<
  * 	Set the source address to be used in IPv4 zone transfers.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'xfrsource' to contain the address.
+ *\li	'zone' to be a valid zone.
+ *\li	'xfrsource' to contain the address.
  *
  * Returns:
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_SUCCESS
  */
 
 isc_sockaddr_t *
 dns_zone_getxfrsource4(dns_zone_t *zone);
 isc_sockaddr_t *
 dns_zone_getaltxfrsource4(dns_zone_t *zone);
-/*
+/*%<
  *	Returns the source address set by a previous dns_zone_setxfrsource4
  *	call, or the default of inaddr_any, port 0.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_result_t
 dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
 isc_result_t
 dns_zone_setaltxfrsource6(dns_zone_t *zone,
-			 const isc_sockaddr_t *xfrsource);
-/*
+			  const isc_sockaddr_t *xfrsource);
+/*%<
  * 	Set the source address to be used in IPv6 zone transfers.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'xfrsource' to contain the address.
+ *\li	'zone' to be a valid zone.
+ *\li	'xfrsource' to contain the address.
  *
  * Returns:
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_SUCCESS
  */
 
 isc_sockaddr_t *
 dns_zone_getxfrsource6(dns_zone_t *zone);
 isc_sockaddr_t *
 dns_zone_getaltxfrsource6(dns_zone_t *zone);
-/*
+/*%<
  *	Returns the source address set by a previous dns_zone_setxfrsource6
  *	call, or the default of in6addr_any, port 0.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_result_t
 dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
-/*
+/*%<
  * 	Set the source address to be used with IPv4 NOTIFY messages.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'notifysrc' to contain the address.
+ *\li	'zone' to be a valid zone.
+ *\li	'notifysrc' to contain the address.
  *
  * Returns:
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_SUCCESS
  */
 
 isc_sockaddr_t *
 dns_zone_getnotifysrc4(dns_zone_t *zone);
-/*
+/*%<
  *	Returns the source address set by a previous dns_zone_setnotifysrc4
  *	call, or the default of inaddr_any, port 0.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_result_t
 dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
-/*
+/*%<
  * 	Set the source address to be used with IPv6 NOTIFY messages.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'notifysrc' to contain the address.
+ *\li	'zone' to be a valid zone.
+ *\li	'notifysrc' to contain the address.
  *
  * Returns:
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_SUCCESS
  */
 
 isc_sockaddr_t *
 dns_zone_getnotifysrc6(dns_zone_t *zone);
-/*
+/*%<
  *	Returns the source address set by a previous dns_zone_setnotifysrc6
  *	call, or the default of in6addr_any, port 0.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl);
-/*
+/*%<
  *	Sets the notify acl list for the zone.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'acl' to be a valid acl.
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be a valid acl.
  */
 
 void
 dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl);
-/*
+/*%<
  *	Sets the query acl list for the zone.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'acl' to be a valid acl.
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be a valid acl.
  */
 
 void
 dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl);
-/*
+/*%<
  *	Sets the update acl list for the zone.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'acl' to be valid acl.
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be valid acl.
  */
 
 void
 dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl);
-/*
+/*%<
  *	Sets the forward unsigned updates acl list for the zone.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'acl' to be valid acl.
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be valid acl.
  */
 
 void
 dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl);
-/*
+/*%<
  *	Sets the transfer acl list for the zone.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'acl' to be valid acl.
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be valid acl.
  */
 
 dns_acl_t *
 dns_zone_getnotifyacl(dns_zone_t *zone);
-/*
+/*%<
  * 	Returns the current notify acl or NULL.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  *
  * Returns:
- *	acl a pointer to the acl.
- *	NULL
+ *\li	acl a pointer to the acl.
+ *\li	NULL
  */
 
 dns_acl_t *
 dns_zone_getqueryacl(dns_zone_t *zone);
-/*
+/*%<
  * 	Returns the current query acl or NULL.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  *
  * Returns:
- *	acl a pointer to the acl.
- *	NULL
+ *\li	acl a pointer to the acl.
+ *\li	NULL
  */
 
 dns_acl_t *
 dns_zone_getupdateacl(dns_zone_t *zone);
-/*
+/*%<
  * 	Returns the current update acl or NULL.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  *
  * Returns:
- *	acl a pointer to the acl.
- *	NULL
+ *\li	acl a pointer to the acl.
+ *\li	NULL
  */
 
 dns_acl_t *
 dns_zone_getforwardacl(dns_zone_t *zone);
-/*
+/*%<
  * 	Returns the current forward unsigned updates acl or NULL.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  *
  * Returns:
- *	acl a pointer to the acl.
- *	NULL
+ *\li	acl a pointer to the acl.
+ *\li	NULL
  */
 
 dns_acl_t *
 dns_zone_getxfracl(dns_zone_t *zone);
-/*
+/*%<
  * 	Returns the current transfer acl or NULL.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  *
  * Returns:
- *	acl a pointer to the acl.
- *	NULL
+ *\li	acl a pointer to the acl.
+ *\li	NULL
  */
 
 void
 dns_zone_clearupdateacl(dns_zone_t *zone);
-/*
+/*%<
  *	Clear the current update acl.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_clearforwardacl(dns_zone_t *zone);
-/*
+/*%<
  *	Clear the current forward unsigned updates acl.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_clearnotifyacl(dns_zone_t *zone);
-/*
+/*%<
  *	Clear the current notify acl.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_clearqueryacl(dns_zone_t *zone);
-/*
+/*%<
  *	Clear the current query acl.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_clearxfracl(dns_zone_t *zone);
-/*
+/*%<
  *	Clear the current transfer acl.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_boolean_t
 dns_zone_getupdatedisabled(dns_zone_t *zone);
+/*%<
+ * Return update disabled.
+ */
 
 void
 dns_zone_setupdatedisabled(dns_zone_t *zone, isc_boolean_t state);
+/*%<
+ * Set update disabled.
+ */
+
+isc_boolean_t
+dns_zone_getzeronosoattl(dns_zone_t *zone);
+/*%<
+ * Return zero-no-soa-ttl status.
+ */
+
+void
+dns_zone_setzeronosoattl(dns_zone_t *zone, isc_boolean_t state);
+/*%<
+ * Set zero-no-soa-ttl status.
+ */
 
 void
 dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity);
-/*
+/*%<
  * 	Set the severity of name checking when loading a zone.
  *
  * Require:
- *      'zone' to be a valid zone.
+ * \li     'zone' to be a valid zone.
  */
 
 dns_severity_t
 dns_zone_getchecknames(dns_zone_t *zone);
-/*
+/*%<
  *	Return the current severity of name checking.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_setjournalsize(dns_zone_t *zone, isc_int32_t size);
-/*
+/*%<
  *	Sets the journal size for the zone.
  *
  * Requires:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_int32_t
 dns_zone_getjournalsize(dns_zone_t *zone);
-/*
+/*%<
  *	Return the journal size as set with a previous call to
  *	dns_zone_setjournalsize().
  *
  * Requires:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_result_t
 dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 		       dns_message_t *msg);
-/*
+/*%<
  *	Tell the zone that it has recieved a NOTIFY message from another
  *	server.  This may cause some zone maintainence activity to occur.
  *
  * Requires:
- *	'zone' to be a valid zone.
- *	'*from' to contain the address of the server from which 'msg'
+ *\li	'zone' to be a valid zone.
+ *\li	'*from' to contain the address of the server from which 'msg'
  *		was recieved.
- *	'msg' a message with opcode NOTIFY and qr clear.
+ *\li	'msg' a message with opcode NOTIFY and qr clear.
  *
  * Returns:
- *	DNS_R_REFUSED
- *	DNS_R_NOTIMP
- *	DNS_R_FORMERR
- *	DNS_R_SUCCESS
+ *\li	DNS_R_REFUSED
+ *\li	DNS_R_NOTIMP
+ *\li	DNS_R_FORMERR
+ *\li	DNS_R_SUCCESS
  */
 
 void
 dns_zone_setmaxxfrin(dns_zone_t *zone, isc_uint32_t maxxfrin);
-/*
+/*%<
  * Set the maximum time (in seconds) that a zone transfer in (AXFR/IXFR)
  * of this zone will use before being aborted.
  *
  * Requires:
- * 	'zone' to be valid initialised zone.
+ * \li	'zone' to be valid initialised zone.
  */
 
 isc_uint32_t
 dns_zone_getmaxxfrin(dns_zone_t *zone);
-/*
+/*%<
  * Returns the maximum transfer time for this zone.  This will be
  * either the value set by the last call to dns_zone_setmaxxfrin() or
  * the default value of 1 hour.
  *
  * Requires:
- *	'zone' to be valid initialised zone.
+ *\li	'zone' to be valid initialised zone.
  */
 
 void
 dns_zone_setmaxxfrout(dns_zone_t *zone, isc_uint32_t maxxfrout);
-/*
+/*%<
  * Set the maximum time (in seconds) that a zone transfer out (AXFR/IXFR)
  * of this zone will use before being aborted.
  *
  * Requires:
- * 	'zone' to be valid initialised zone.
+ * \li	'zone' to be valid initialised zone.
  */
 
 isc_uint32_t
 dns_zone_getmaxxfrout(dns_zone_t *zone);
-/*
+/*%<
  * Returns the maximum transfer time for this zone.  This will be
  * either the value set by the last call to dns_zone_setmaxxfrout() or
  * the default value of 1 hour.
  *
  * Requires:
- *	'zone' to be valid initialised zone.
+ *\li	'zone' to be valid initialised zone.
  */
 
 isc_result_t
 dns_zone_setjournal(dns_zone_t *zone, const char *journal);
-/*
+/*%<
  * Sets the filename used for journaling updates / IXFR transfers.
  * The default journal name is set by dns_zone_setfile() to be
  * "file.jnl".  If 'journal' is NULL, the zone will have no
  * journal name.
  *
  * Requires:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
  */
 
 char *
 dns_zone_getjournal(dns_zone_t *zone);
-/*
+/*%<
  * Returns the journal name associated with this zone.
  * If no journal has been set this will be NULL.
  *
  * Requires:
- *	'zone' to be valid initialised zone.
+ *\li	'zone' to be valid initialised zone.
  */
 
 dns_zonetype_t
 dns_zone_gettype(dns_zone_t *zone);
-/*
+/*%<
  * Returns the type of the zone (master/slave/etc.)
  *
  * Requires:
- *	'zone' to be valid initialised zone.
+ *\li	'zone' to be valid initialised zone.
  */
 
 void
 dns_zone_settask(dns_zone_t *zone, isc_task_t *task);
-/*
+/*%<
  * Give a zone a task to work with.  Any current task will be detached.
  *
  * Requires:
- *	'zone' to be valid.
- *	'task' to be valid.
+ *\li	'zone' to be valid.
+ *\li	'task' to be valid.
  */
 
 void
 dns_zone_gettask(dns_zone_t *zone, isc_task_t **target);
-/*
+/*%<
  * Attach '*target' to the zone's task.
  *
  * Requires:
- *	'zone' to be valid initialised zone.
- *	'zone' to have a task.
- *	'target' to be != NULL && '*target' == NULL.
+ *\li	'zone' to be valid initialised zone.
+ *\li	'zone' to have a task.
+ *\li	'target' to be != NULL && '*target' == NULL.
  */
 
 void
 dns_zone_notify(dns_zone_t *zone);
-/*
+/*%<
  * Generate notify events for this zone.
  *
  * Requires:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_result_t
 dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump);
-/*
+/*%<
  * Replace the database of "zone" with a new database "db".
  *
  * If "dump" is ISC_TRUE, then the new zone contents are dumped
@@ -974,11 +1044,11 @@ dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump);
  * journal file, and the master file dump is postponed.
  *
  * Requires:
- *	'zone' to be a valid zone.
+ * \li	'zone' to be a valid zone.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_BADZONE	zone failed basic consistancy checks:
+ * \li	DNS_R_SUCCESS
+ * \li	DNS_R_BADZONE	zone failed basic consistancy checks:
  *			* a single SOA must exist
  *			* some NS records must exist.
  *	Others
@@ -986,111 +1056,111 @@ dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump);
 
 isc_uint32_t
 dns_zone_getidlein(dns_zone_t *zone);
-/*
+/*%<
  * Requires:
- *	'zone' to be a valid zone.
+ * \li	'zone' to be a valid zone.
  *
  * Returns:
- *	number of seconds of idle time before we abort the transfer in.
+ * \li	number of seconds of idle time before we abort the transfer in.
  */
 
 void
 dns_zone_setidlein(dns_zone_t *zone, isc_uint32_t idlein);
-/*
- *	Set the idle timeout for transfer the.
- *	Zero set the default value, 1 hour.
+/*%<
+ * \li	Set the idle timeout for transfer the.
+ * \li	Zero set the default value, 1 hour.
  *
  * Requires:
- *	'zone' to be a valid zone.
+ * \li	'zone' to be a valid zone.
  */
 
 isc_uint32_t
 dns_zone_getidleout(dns_zone_t *zone);
-/*
+/*%<
  *
  * Requires:
- *	'zone' to be a valid zone.
+ * \li	'zone' to be a valid zone.
  *
  * Returns:
- *	number of seconds of idle time before we abort a transfer out.
+ * \li	number of seconds of idle time before we abort a transfer out.
  */
 
 void
 dns_zone_setidleout(dns_zone_t *zone, isc_uint32_t idleout);
-/*
- *	Set the idle timeout for transfers out.
- *	Zero set the default value, 1 hour.
+/*%<
+ * \li	Set the idle timeout for transfers out.
+ * \li	Zero set the default value, 1 hour.
  *
  * Requires:
- *	'zone' to be a valid zone.
+ * \li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table);
-/*
+/*%<
  * Get the simple-secure-update policy table.
  *
  * Requires:
- *	'zone' to be a valid zone.
+ * \li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table);
-/*
+/*%<
  * Set / clear the simple-secure-update policy table.
  *
  * Requires:
- *	'zone' to be a valid zone.
+ * \li	'zone' to be a valid zone.
  */
 
 isc_mem_t *
 dns_zone_getmctx(dns_zone_t *zone);
-/*
+/*%<
  * Get the memory context of a zone.
  *
  * Requires:
- *	'zone' to be a valid zone.
+ * \li	'zone' to be a valid zone.
  */
 
 dns_zonemgr_t *
 dns_zone_getmgr(dns_zone_t *zone);
-/*
+/*%<
  *	If 'zone' is managed return the zone manager otherwise NULL.
  *
  * Requires:
- *	'zone' to be a valid zone.
+ * \li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval);
-/*
+/*%<
  * Set the zone's SIG validity interval.  This is the length of time
  * for which DNSSEC signatures created as a result of dynamic updates
  * to secure zones will remain valid, in seconds.
  *
  * Requires:
- *	'zone' to be a valid zone.
+ * \li	'zone' to be a valid zone.
  */
 
 isc_uint32_t
 dns_zone_getsigvalidityinterval(dns_zone_t *zone);
-/*
+/*%<
  * Get the zone's SIG validity interval.
  *
  * Requires:
- *	'zone' to be a valid zone.
+ * \li	'zone' to be a valid zone.
  */
 
 void
 dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype);
-/*
+/*%<
  * Sets zone notify method to "notifytype"
  */
 
 isc_result_t
 dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
                        dns_updatecallback_t callback, void *callback_arg);
-/*
+/*%<
  * Forward 'msg' to each master in turn until we get an answer or we
  * have exausted the list of masters. 'callback' will be called with
  * ISC_R_SUCCESS if we get an answer and the returned message will be
@@ -1100,69 +1170,69 @@ dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
  *		(callback)(callback_arg, result, answer_message);
  *
  * Require:
- *	'zone' to be valid
- *	'msg' to be valid.
- *	'callback' to be non NULL.
+ *\li	'zone' to be valid
+ *\li	'msg' to be valid.
+ *\li	'callback' to be non NULL.
  * Returns:
- *	ISC_R_SUCCESS if the message has been forwarded,
- *	ISC_R_NOMEMORY
- *	Others
+ *\li	#ISC_R_SUCCESS if the message has been forwarded,
+ *\li	#ISC_R_NOMEMORY
+ *\li	Others
  */
 
 isc_result_t
 dns_zone_next(dns_zone_t *zone, dns_zone_t **next);
-/*
+/*%<
  * Find the next zone in the list of managed zones.
  *
  * Requires:
- *	'zone' to be valid
- *	The zone manager for the indicated zone MUST be locked
+ *\li	'zone' to be valid
+ *\li	The zone manager for the indicated zone MUST be locked
  *	by the caller.  This is not checked.
- *	'next' be non-NULL, and '*next' be NULL.
+ *\li	'next' be non-NULL, and '*next' be NULL.
  *
  * Ensures:
- *	'next' points to a valid zone (result ISC_R_SUCCESS) or to NULL
+ *\li	'next' points to a valid zone (result ISC_R_SUCCESS) or to NULL
  *	(result ISC_R_NOMORE).
  */
 
 isc_result_t
 dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first);
-/*
+/*%<
  * Find the first zone in the list of managed zones.
  *
  * Requires:
- *	'zonemgr' to be valid
- *	The zone manager for the indicated zone MUST be locked
+ *\li	'zonemgr' to be valid
+ *\li	The zone manager for the indicated zone MUST be locked
  *	by the caller.  This is not checked.
- *	'first' be non-NULL, and '*first' be NULL
+ *\li	'first' be non-NULL, and '*first' be NULL
  *
  * Ensures:
- *	'first' points to a valid zone (result ISC_R_SUCCESS) or to NULL
+ *\li	'first' points to a valid zone (result ISC_R_SUCCESS) or to NULL
  *	(result ISC_R_NOMORE).
  */
 
 isc_result_t
 dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory);
-/*
+/*%<
  *	Sets the name of the directory where private keys used for
  *	online signing of dynamic zones are found.
  *
  * Require:
- *	'zone' to be a valid zone.
+ *\li	'zone' to be a valid zone.
  *
  * Returns:
- *	ISC_R_NOMEMORY
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
  */
 
 const char *
 dns_zone_getkeydirectory(dns_zone_t *zone);
-/*
+/*%<
  * 	Gets the name of the directory where private keys used for
  *	online signing of dynamic zones are found.
  *
  * Requires:
- *	'zone' to be valid initialised zone.
+ *\li	'zone' to be valid initialised zone.
  *
  * Returns:
  *	Pointer to null-terminated file name, or NULL.
@@ -1173,231 +1243,231 @@ isc_result_t
 dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 		   isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
 		   dns_zonemgr_t **zmgrp);
-/*
+/*%<
  * Create a zone manager.
  *
  * Requires:
- *	'mctx' to be a valid memory context.
- *	'taskmgr' to be a valid task manager.
- *	'timermgr' to be a valid timer manager.
- *	'zmgrp'	to point to a NULL pointer.
+ *\li	'mctx' to be a valid memory context.
+ *\li	'taskmgr' to be a valid task manager.
+ *\li	'timermgr' to be a valid timer manager.
+ *\li	'zmgrp'	to point to a NULL pointer.
  */
 
 isc_result_t
 dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
-/*
+/*%<
  *	Bring the zone under control of a zone manager.
  *
  * Require:
- *	'zmgr' to be a valid zone manager.
- *	'zone' to be a valid zone.
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'zone' to be a valid zone.
  */
 
 isc_result_t
 dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr);
-/*
+/*%<
  * Force zone maintenance of all zones managed by 'zmgr' at its
  * earliest conveniene.
  */
 
 void
 dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr);
-/*
+/*%<
  * Attempt to start any stalled zone transfers.
  */
 
 void
 dns_zonemgr_shutdown(dns_zonemgr_t *zmgr);
-/*
+/*%<
  *	Shut down the zone manager.
  *
  * Requires:
- *	'zmgr' to be a valid zone manager.
+ *\li	'zmgr' to be a valid zone manager.
  */
 
 void
 dns_zonemgr_attach(dns_zonemgr_t *source, dns_zonemgr_t **target);
-/*
+/*%<
  *	Attach '*target' to 'source' incrementing its external
  * 	reference count.
  *
  * Require:
- *	'zone' to be a valid zone.
- *	'target' to be non NULL and '*target' to be NULL.
+ *\li	'zone' to be a valid zone.
+ *\li	'target' to be non NULL and '*target' to be NULL.
  */
 
 void
 dns_zonemgr_detach(dns_zonemgr_t **zmgrp);
-/*
+/*%<
  *	 Detach from a zone manager.
  *
  * Requires:
- *	'*zmgrp' is a valid, non-NULL zone manager pointer.
+ *\li	'*zmgrp' is a valid, non-NULL zone manager pointer.
  *
  * Ensures:
- *	'*zmgrp' is NULL.
+ *\li	'*zmgrp' is NULL.
  */
 
 void
 dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
-/*
+/*%<
  *	Release 'zone' from the managed by 'zmgr'.  'zmgr' is implicitly
  *	detached from 'zone'.
  *
  * Requires:
- *	'zmgr' to be a valid zone manager.
- *	'zone' to be a valid zone.
- *	'zmgr' == 'zone->zmgr'
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'zone' to be a valid zone.
+ *\li	'zmgr' == 'zone->zmgr'
  *
  * Ensures:
- *	'zone->zmgr' == NULL;
+ *\li	'zone->zmgr' == NULL;
  */
 
 void
 dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value);
-/*
+/*%<
  *	Set the maximum number of simultaneous transfers in allowed by
  *	the zone manager.
  *
  * Requires:
- *	'zmgr' to be a valid zone manager.
+ *\li	'zmgr' to be a valid zone manager.
  */
 
 isc_uint32_t
 dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr);
-/*
+/*%<
  *	Return the the maximum number of simultaneous transfers in allowed.
  *
  * Requires:
- *	'zmgr' to be a valid zone manager.
+ *\li	'zmgr' to be a valid zone manager.
  */
 
 void
 dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, isc_uint32_t value);
-/*
+/*%<
  *	Set the number of zone transfers allowed per nameserver.
  *
  * Requires:
- *	'zmgr' to be a valid zone manager
+ *\li	'zmgr' to be a valid zone manager
  */
 
 isc_uint32_t
 dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr);
-/*
+/*%<
  *	Return the number of transfers allowed per nameserver.
  *
  * Requires:
- *	'zmgr' to be a valid zone manager.
+ *\li	'zmgr' to be a valid zone manager.
  */
 
 void
 dns_zonemgr_setiolimit(dns_zonemgr_t *zmgr, isc_uint32_t iolimit);
-/*
+/*%<
  *	Set the number of simultaneous file descriptors available for 
  *	reading and writing masterfiles.
  *
  * Requires:
- *	'zmgr' to be a valid zone manager.
- *	'iolimit' to be positive.
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'iolimit' to be positive.
  */
 
 isc_uint32_t
 dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr);
-/*
+/*%<
  *	Get the number of simultaneous file descriptors available for 
  *	reading and writing masterfiles.
  *
  * Requires:
- *	'zmgr' to be a valid zone manager.
+ *\li	'zmgr' to be a valid zone manager.
  */
 
 void
 dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value);
-/*
+/*%<
  *	Set the number of SOA queries sent per second.
  *
  * Requires:
- *	'zmgr' to be a valid zone manager
+ *\li	'zmgr' to be a valid zone manager
  */
 
 unsigned int
 dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr);
-/*
+/*%<
  *	Return the number of SOA queries sent per second.
  *
  * Requires:
- *	'zmgr' to be a valid zone manager.
+ *\li	'zmgr' to be a valid zone manager.
  */
 
 unsigned int
 dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state);
-/*
+/*%<
  *	Returns the number of zones in the specified state.
  *
  * Requires:
- *	'zmgr' to be a valid zone manager.
- *	'state' to be a valid DNS_ZONESTATE_ constant.
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'state' to be a valid DNS_ZONESTATE_ constant.
  */
 
 void
 dns_zone_forcereload(dns_zone_t *zone);
-/*
+/*%<
  *      Force a reload of specified zone.
  *
  * Requires:
- *      'zone' to be a valid zone.
+ *\li      'zone' to be a valid zone.
  */
 
 isc_boolean_t
 dns_zone_isforced(dns_zone_t *zone);
-/*
+/*%<
  *      Check if the zone is waiting a forced reload.
  *
  * Requires:
- *      'zone' to be a valid zone.
+ * \li     'zone' to be a valid zone.
  */
 
 isc_result_t
 dns_zone_setstatistics(dns_zone_t *zone, isc_boolean_t on);
-/*
+/*%<
  *      Make the zone keep or not keep an array of statistics
  * 	counter.
  *
  * Requires:
- *      zone be a valid zone.
+ *   \li   zone be a valid zone.
  */
 
 isc_uint64_t *
 dns_zone_getstatscounters(dns_zone_t *zone);
-/*
+/*%<
  * Requires:
  *      zone be a valid zone.
  *
  * Returns:
- *      A pointer to the zone's array of statistics counters,
+ * \li     A pointer to the zone's array of statistics counters,
  *	or NULL if it has none.
  */
 
 void
 dns_zone_dialup(dns_zone_t *zone);
-/*
+/*%<
  * Perform dialup-time maintenance on 'zone'.
  */
 
 void
 dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup);
-/*
+/*%<
  * Set the dialup type of 'zone' to 'dialup'.
  *
  * Requires:
- * 	'zone' to be valid initialised zone.
- *	'dialup' to be a valid dialup type.
+ * \li	'zone' to be valid initialised zone.
+ *\li	'dialup' to be a valid dialup type.
  */
 
 void
 dns_zone_log(dns_zone_t *zone, int level, const char *msg, ...)
 	ISC_FORMAT_PRINTF(3, 4);
-/*
+/*%<
  * Log the message 'msg...' at 'level', including text that identifies
  * the message as applying to 'zone'.
  */
@@ -1405,19 +1475,19 @@ dns_zone_log(dns_zone_t *zone, int level, const char *msg, ...)
 void
 dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category, int level,
 	      const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
-/*
+/*%<
  * Log the message 'msg...' at 'level', including text that identifies
  * the message as applying to 'zone'.
  */
 
 void
 dns_zone_name(dns_zone_t *zone, char *buf, size_t len);
-/*
+/*%<
  * Return the name of the zone with class and view.
  * 
  * Requires:
- *	'zone' to be valid.
- *	'buf' to be non NULL.
+ *\li	'zone' to be valid.
+ *\li	'buf' to be non NULL.
  */
 
 isc_result_t
@@ -1436,6 +1506,81 @@ dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata);
  *	DNS_R_BADNAME		failed rdata checks.
  */
 
+void
+dns_zone_setacache(dns_zone_t *zone, dns_acache_t *acache);
+/*
+ *	Associate the zone with an additional cache.
+ *
+ * Require:
+ *	'zone' to be a valid zone.
+ *	'acache' to be a non NULL pointer.
+ *
+ * Ensures:
+ *	'zone' will have a reference to 'acache'
+ */
+
+void
+dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx);
+/*
+ *	Set the post load integrity callback function 'checkmx'.
+ *	'checkmx' will be called if the MX is not within the zone.
+ *
+ * Require:
+ *	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setchecksrv(dns_zone_t *zone, dns_checkmxfunc_t checksrv);
+/*
+ *	Set the post load integrity callback function 'checksrv'.
+ *	'checksrv' will be called if the SRV TARGET is not within the zone.
+ *
+ * Require:
+ *	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns);
+/*
+ *	Set the post load integrity callback function 'checkmx'.
+ *	'checkmx' will be called if the MX is not within the zone.
+ *
+ * Require:
+ *	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setnotifydelay(dns_zone_t *zone, isc_uint32_t delay);
+/*
+ * Set the minimum delay between sets of notify messages.
+ *
+ * Requires:
+ *	'zone' to be valid.
+ */
+
+isc_uint32_t
+dns_zone_getnotifydelay(dns_zone_t *zone);
+/*
+ * Get the minimum delay between sets of notify messages.
+ *
+ * Requires:
+ *	'zone' to be valid.
+ */
+
+void
+dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg);
+/*
+ * Set the isself callback function and argument.
+ *
+ * isc_boolean_t
+ * isself(dns_view_t *myview, dns_tsigkey_t *mykey, isc_netaddr_t *srcaddr,
+ *	  isc_netaddr_t *destaddr, dns_rdataclass_t rdclass, void *arg);
+ *
+ * 'isself' returns ISC_TRUE if a non-recursive query from 'srcaddr' to
+ * 'destaddr' with optional key 'mykey' for class 'rdclass' would be
+ * delivered to 'myview'.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_ZONE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/zonekey.h b/contrib/bind9/lib/dns/include/dns/zonekey.h
index 1ac9066..ba4e076 100644
--- a/contrib/bind9/lib/dns/include/dns/zonekey.h
+++ b/contrib/bind9/lib/dns/include/dns/zonekey.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zonekey.h,v 1.3.206.1 2004/03/06 08:14:01 marka Exp $ */
+/* $Id: zonekey.h,v 1.4.18.2 2005/04/29 00:16:26 marka Exp $ */
 
 #ifndef DNS_ZONEKEY_H
 #define DNS_ZONEKEY_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -28,7 +30,7 @@ ISC_LANG_BEGINDECLS
 
 isc_boolean_t
 dns_zonekey_iszonekey(dns_rdata_t *keyrdata);
-/*
+/*%<
  *	Determines if the key record contained in the rdata is a zone key.
  *
  *	Requires:
diff --git a/contrib/bind9/lib/dns/include/dns/zt.h b/contrib/bind9/lib/dns/include/dns/zt.h
index fb43590..436ef4c 100644
--- a/contrib/bind9/lib/dns/include/dns/zt.h
+++ b/contrib/bind9/lib/dns/include/dns/zt.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zt.h,v 1.27.2.2.8.1 2004/03/06 08:14:01 marka Exp $ */
+/* $Id: zt.h,v 1.30.18.3 2005/04/27 05:01:42 sra Exp $ */
 
 #ifndef DNS_ZT_H
 #define DNS_ZT_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -30,101 +32,101 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **zt);
-/*
+/*%<
  * Creates a new zone table.
  *
  * Requires:
- * 	'mctx' to be initialized.
+ * \li	'mctx' to be initialized.
  *
  * Returns:
- *	ISC_R_SUCCESS on success.
- *	ISC_R_NOMEMORY
+ * \li	#ISC_R_SUCCESS on success.
+ * \li	#ISC_R_NOMEMORY
  */
 
 isc_result_t
 dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone);
-/*
+/*%<
  * Mounts the zone on the zone table.
  *
  * Requires:
- *	'zt' to be valid
- *	'zone' to be valid
+ * \li	'zt' to be valid
+ * \li	'zone' to be valid
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_EXISTS
- *	ISC_R_NOSPACE
- *	ISC_R_NOMEMORY
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_EXISTS
+ * \li	#ISC_R_NOSPACE
+ * \li	#ISC_R_NOMEMORY
  */
 
 isc_result_t
 dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone);
-/*
+/*%<
  * Unmount the given zone from the table.
  *
  * Requires:
  * 	'zt' to be valid
- *	'zone' to be valid
+ * \li	'zone' to be valid
  *
  * Returns:
- * 	ISC_R_SUCCESS
- *	ISC_R_NOTFOUND
- *	ISC_R_NOMEMORY
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ * \li	#ISC_R_NOMEMORY
  */
 
 isc_result_t
 dns_zt_find(dns_zt_t *zt, dns_name_t *name, unsigned int options,
 	    dns_name_t *foundname, dns_zone_t **zone);
-/*
+/*%<
  * Find the best match for 'name' in 'zt'.  If foundname is non NULL
  * then the name of the zone found is returned.
  *
  * Notes:
- *	If the DNS_ZTFIND_NOEXACT is set, the best partial match (if any)
+ * \li	If the DNS_ZTFIND_NOEXACT is set, the best partial match (if any)
  *	to 'name' will be returned.
  *
  * Requires:
- *	'zt' to be valid
- *	'name' to be valid
- *	'foundname' to be initialized and associated with a fixedname or NULL
- *	'zone' to be non NULL and '*zone' to be NULL
+ * \li	'zt' to be valid
+ * \li	'name' to be valid
+ * \li	'foundname' to be initialized and associated with a fixedname or NULL
+ * \li	'zone' to be non NULL and '*zone' to be NULL
  *
  * Returns:
- * 	ISC_R_SUCCESS
- *	DNS_R_PARTIALMATCH
- *	ISC_R_NOTFOUND
- *	ISC_R_NOSPACE
+ * \li	#ISC_R_SUCCESS
+ * \li	#DNS_R_PARTIALMATCH
+ * \li	#ISC_R_NOTFOUND
+ * \li	#ISC_R_NOSPACE
  */
 
 void
 dns_zt_detach(dns_zt_t **ztp);
-/*
+/*%<
  * Detach the given zonetable, if the reference count goes to zero the
  * zonetable will be freed.  In either case 'ztp' is set to NULL.
  *
  * Requires:
- *	'*ztp' to be valid
+ * \li	'*ztp' to be valid
  */
 
 void
 dns_zt_flushanddetach(dns_zt_t **ztp);
-/*
+/*%<
  * Detach the given zonetable, if the reference count goes to zero the
  * zonetable will be flushed and then freed.  In either case 'ztp' is
  * set to NULL.
  *
  * Requires:
- *	'*ztp' to be valid
+ * \li	'*ztp' to be valid
  */
 
 void
 dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp);
-/*
+/*%<
  * Attach 'zt' to '*ztp'.
  *
  * Requires:
- *	'zt' to be valid
- *	'*ztp' to be NULL
+ * \li	'zt' to be valid
+ * \li	'*ztp' to be NULL
  */
 
 isc_result_t
@@ -132,7 +134,7 @@ dns_zt_load(dns_zt_t *zt, isc_boolean_t stop);
 
 isc_result_t
 dns_zt_loadnew(dns_zt_t *zt, isc_boolean_t stop);
-/*
+/*%<
  * Load all zones in the table.  If 'stop' is ISC_TRUE,
  * stop on the first error and return it.  If 'stop'
  * is ISC_FALSE, ignore errors.
@@ -142,23 +144,37 @@ dns_zt_loadnew(dns_zt_t *zt, isc_boolean_t stop);
  * and whose master file has changed since the last load.
  *
  * Requires:
- *	'zt' to be valid
+ * \li	'zt' to be valid
+ */
+
+isc_result_t
+dns_zt_freezezones(dns_zt_t *zt, isc_boolean_t freeze);
+/*%<
+ * Freeze/thaw updates to master zones.
+ * Any pending updates will be flushed.
+ * Zones will be reloaded on thaw.
  */
 
 isc_result_t
 dns_zt_apply(dns_zt_t *zt, isc_boolean_t stop,
 	     isc_result_t (*action)(dns_zone_t *, void *), void *uap);
-/*
+
+isc_result_t
+dns_zt_apply2(dns_zt_t *zt, isc_boolean_t stop, isc_result_t *sub,
+	      isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+/*%<
  * Apply a given 'action' to all zone zones in the table.
  * If 'stop' is 'ISC_TRUE' then walking the zone tree will stop if
  * 'action' does not return ISC_R_SUCCESS.
  *
  * Requires:
- *	'zt' to be valid.
- *	'action' to be non NULL.
+ * \li	'zt' to be valid.
+ * \li	'action' to be non NULL.
  *
  * Returns:
- *	ISC_R_SUCCESS if action was applied to all nodes.
+ * \li	ISC_R_SUCCESS if action was applied to all nodes.  If 'stop' is
+ *	ISC_FALSE and 'sub' is non NULL then the first error (if any)
+ *	reported by 'action' is returned in '*sub';
  *	any error code from 'action'.
  */
 
diff --git a/contrib/bind9/lib/dns/include/dst/Makefile.in b/contrib/bind9/lib/dns/include/dst/Makefile.in
index efebfaa..deaa221 100644
--- a/contrib/bind9/lib/dns/include/dst/Makefile.in
+++ b/contrib/bind9/lib/dns/include/dst/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.4.1 2004/12/09 04:07:19 marka Exp $
+# $Id: Makefile.in,v 1.1.6.1 2004/12/09 04:41:47 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/dns/include/dst/dst.h b/contrib/bind9/lib/dns/include/dst/dst.h
index 1629da5..8d99186 100644
--- a/contrib/bind9/lib/dns/include/dst/dst.h
+++ b/contrib/bind9/lib/dns/include/dst/dst.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.1.4.1 2004/12/09 04:07:19 marka Exp $ */
+/* $Id: dst.h,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -30,7 +32,7 @@ ISC_LANG_BEGINDECLS
  *** Types
  ***/
 
-/*
+/*%
  * The dst_key structure is opaque.  Applications should use the accessor
  * functions provided to retrieve key attributes.  If an application needs
  * to set attributes, new accessor functions will be written.
@@ -42,27 +44,32 @@ typedef struct dst_context 	dst_context_t;
 /* DST algorithm codes */
 #define DST_ALG_UNKNOWN		0
 #define DST_ALG_RSAMD5		1
-#define DST_ALG_RSA		DST_ALG_RSAMD5	/* backwards compatibility */
+#define DST_ALG_RSA		DST_ALG_RSAMD5	/*%< backwards compatibility */
 #define DST_ALG_DH		2
 #define DST_ALG_DSA		3
 #define DST_ALG_ECC		4
 #define DST_ALG_RSASHA1		5
 #define DST_ALG_HMACMD5		157
 #define DST_ALG_GSSAPI		160
+#define DST_ALG_HMACSHA1	161	/* XXXMPA */
+#define DST_ALG_HMACSHA224	162	/* XXXMPA */
+#define DST_ALG_HMACSHA256	163	/* XXXMPA */
+#define DST_ALG_HMACSHA384	164	/* XXXMPA */
+#define DST_ALG_HMACSHA512	165	/* XXXMPA */
 #define DST_ALG_PRIVATE		254
 #define DST_ALG_EXPAND		255
 #define DST_MAX_ALGS		255
 
-/* A buffer of this size is large enough to hold any key */
+/*% A buffer of this size is large enough to hold any key */
 #define DST_KEY_MAXSIZE		1280
 
-/*
+/*%
  * A buffer of this size is large enough to hold the textual representation
  * of any key
  */
 #define DST_KEY_MAXTEXTSIZE	2048
 
-/* 'Type' for dst_read_key() */
+/*% 'Type' for dst_read_key() */
 #define DST_TYPE_KEY		0x1000000	/* KEY key */
 #define DST_TYPE_PRIVATE	0x2000000
 #define DST_TYPE_PUBLIC		0x4000000
@@ -73,239 +80,262 @@ typedef struct dst_context 	dst_context_t;
 
 isc_result_t
 dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
-/*
+/*%<
  * Initializes the DST subsystem.
  *
  * Requires:
- * 	"mctx" is a valid memory context
- * 	"ectx" is a valid entropy context
+ * \li 	"mctx" is a valid memory context
+ * \li	"ectx" is a valid entropy context
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	ISC_R_NOMEMORY
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOMEMORY
  *
  * Ensures:
- * 	DST is properly initialized.
+ * \li	DST is properly initialized.
  */
 
 void
 dst_lib_destroy(void);
-/*
+/*%<
  * Releases all resources allocated by DST.
  */
 
 isc_boolean_t
 dst_algorithm_supported(unsigned int alg);
-/*
+/*%<
  * Checks that a given algorithm is supported by DST.
  *
  * Returns:
- * 	ISC_TRUE
- * 	ISC_FALSE
+ * \li	ISC_TRUE
+ * \li	ISC_FALSE
  */
 
 isc_result_t
 dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp);
-/*
+/*%<
  * Creates a context to be used for a sign or verify operation.
  *
  * Requires:
- *	"key" is a valid key.
- * 	"mctx" is a valid memory context.
- * 	dctxp != NULL && *dctxp == NULL
+ * \li	"key" is a valid key.
+ * \li	"mctx" is a valid memory context.
+ * \li	dctxp != NULL && *dctxp == NULL
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	ISC_R_NOMEMORY
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOMEMORY
  *
  * Ensures:
- *	*dctxp will contain a usable context.
+ * \li	*dctxp will contain a usable context.
  */
 
 void
 dst_context_destroy(dst_context_t **dctxp);
-/*
+/*%<
  * Destroys all memory associated with a context.
  *
  * Requires:
- * 	*dctxp != NULL && *dctxp == NULL
+ * \li	*dctxp != NULL && *dctxp == NULL
  *
  * Ensures:
- *	*dctxp == NULL
+ * \li	*dctxp == NULL
  */
 
 isc_result_t
 dst_context_adddata(dst_context_t *dctx, const isc_region_t *data);
-/*
+/*%<
  * Incrementally adds data to the context to be used in a sign or verify
  * operation.
  *
  * Requires:
- * 	"dctx" is a valid context
- * 	"data" is a valid region
+ * \li	"dctx" is a valid context
+ * \li	"data" is a valid region
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	DST_R_SIGNFAILURE
- * 	all other errors indicate failure
+ * \li	ISC_R_SUCCESS
+ * \li	DST_R_SIGNFAILURE
+ * \li	all other errors indicate failure
  */
 
 isc_result_t
 dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig);
-/*
+/*%<
  * Computes a signature using the data and key stored in the context.
  *
  * Requires:
- * 	"dctx" is a valid context.
- *	"sig" is a valid buffer.
+ * \li	"dctx" is a valid context.
+ * \li	"sig" is a valid buffer.
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	DST_R_VERIFYFAILURE
- * 	all other errors indicate failure
+ * \li	ISC_R_SUCCESS
+ * \li	DST_R_VERIFYFAILURE
+ * \li	all other errors indicate failure
  *
  * Ensures:
- *	"sig" will contain the signature
+ * \li	"sig" will contain the signature
  */
 
 isc_result_t
 dst_context_verify(dst_context_t *dctx, isc_region_t *sig);
-/*
+/*%<
  * Verifies the signature using the data and key stored in the context.
  *
  * Requires:
- * 	"dctx" is a valid context.
- *	"sig" is a valid region.
+ * \li	"dctx" is a valid context.
+ * \li	"sig" is a valid region.
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	all other errors indicate failure
+ * \li	ISC_R_SUCCESS
+ * \li	all other errors indicate failure
  *
  * Ensures:
- *	"sig" will contain the signature
+ * \li	"sig" will contain the signature
  */
 
 isc_result_t
 dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 		      isc_buffer_t *secret);
-/*
+/*%<
  * Computes a shared secret from two (Diffie-Hellman) keys.
  *
  * Requires:
- *     "pub" is a valid key that can be used to derive a shared secret
- *     "priv" is a valid private key that can be used to derive a shared secret
- *     "secret" is a valid buffer
+ * \li	"pub" is a valid key that can be used to derive a shared secret
+ * \li	"priv" is a valid private key that can be used to derive a shared secret
+ * \li	"secret" is a valid buffer
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	any other result indicates failure
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
  *
  * Ensures:
- *      If successful, secret will contain the derived shared secret.
+ * \li	If successful, secret will contain the derived shared secret.
  */
 
 isc_result_t
 dst_key_fromfile(dns_name_t *name, dns_keytag_t id, unsigned int alg, int type,
 		 const char *directory, isc_mem_t *mctx, dst_key_t **keyp);
-/*
+/*%<
  * Reads a key from permanent storage.  The key can either be a public or
  * private key, and is specified by name, algorithm, and id.  If a private key
  * is specified, the public key must also be present.  If directory is NULL,
  * the current directory is assumed.
  *
  * Requires:
- *	"name" is a valid absolute dns name.
- *	"id" is a valid key tag identifier.
- *	"alg" is a supported key algorithm.
- *	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union.
+ * \li	"name" is a valid absolute dns name.
+ * \li	"id" is a valid key tag identifier.
+ * \li	"alg" is a supported key algorithm.
+ * \li	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union.
  *		  DST_TYPE_KEY look for a KEY record otherwise DNSKEY
- *	"mctx" is a valid memory context.
- *	"keyp" is not NULL and "*keyp" is NULL.
+ * \li	"mctx" is a valid memory context.
+ * \li	"keyp" is not NULL and "*keyp" is NULL.
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	any other result indicates failure
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
  *
  * Ensures:
- *	If successful, *keyp will contain a valid key.
+ * \li	If successful, *keyp will contain a valid key.
  */
 
 isc_result_t
 dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
 		      dst_key_t **keyp);
-/*
+/*%<
  * Reads a key from permanent storage.  The key can either be a public or
  * key, and is specified by filename.  If a private key is specified, the
  * public key must also be present.
  *
  * Requires:
- * 	"filename" is not NULL
- *	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
+ * \li	"filename" is not NULL
+ * \li	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
  *		  DST_TYPE_KEY look for a KEY record otherwise DNSKEY
- *	"mctx" is a valid memory context
- *	"keyp" is not NULL and "*keyp" is NULL.
+ * \li	"mctx" is a valid memory context
+ * \li	"keyp" is not NULL and "*keyp" is NULL.
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	any other result indicates failure
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
  *
  * Ensures:
- *	If successful, *keyp will contain a valid key.
+ * \li	If successful, *keyp will contain a valid key.
+ */
+
+
+isc_result_t
+dst_key_read_public(const char *filename, int type,
+		    isc_mem_t *mctx, dst_key_t **keyp);
+/*%<
+ * Reads a public key from permanent storage.  The key must be a public key.
+ *
+ * Requires:
+ * \li	"filename" is not NULL
+ * \li	"type" is DST_TYPE_KEY look for a KEY record otherwise DNSKEY
+ * \li	"mctx" is a valid memory context
+ * \li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	DST_R_BADKEYTYPE if the key type is not the expected one
+ * \li	ISC_R_UNEXPECTEDTOKEN if the file can not be parsed as a public key
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ * \li	If successful, *keyp will contain a valid key.
  */
 
 isc_result_t
 dst_key_tofile(const dst_key_t *key, int type, const char *directory);
-/*
+/*%<
  * Writes a key to permanent storage.  The key can either be a public or
  * private key.  Public keys are written in DNS format and private keys
  * are written as a set of base64 encoded values.  If directory is NULL,
  * the current directory is assumed.
  *
  * Requires:
- *	"key" is a valid key.
- *	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
+ * \li	"key" is a valid key.
+ * \li	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	any other result indicates failure
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
  */
 
 isc_result_t
 dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
 		isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
-/*
+/*%<
  * Converts a DNS KEY record into a DST key.
  *
  * Requires:
- *	"name" is a valid absolute dns name.
- *	"source" is a valid buffer.  There must be at least 4 bytes available.
- *	"mctx" is a valid memory context.
- *	"keyp" is not NULL and "*keyp" is NULL.
+ * \li	"name" is a valid absolute dns name.
+ * \li	"source" is a valid buffer.  There must be at least 4 bytes available.
+ * \li	"mctx" is a valid memory context.
+ * \li	"keyp" is not NULL and "*keyp" is NULL.
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	any other result indicates failure
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
  *
  * Ensures:
- *	If successful, *keyp will contain a valid key, and the consumed
+ * \li	If successful, *keyp will contain a valid key, and the consumed
  *	pointer in data will be advanced.
  */
 
 isc_result_t
 dst_key_todns(const dst_key_t *key, isc_buffer_t *target);
-/*
+/*%<
  * Converts a DST key into a DNS KEY record.
  *
  * Requires:
- *	"key" is a valid key.
- *	"target" is a valid buffer.  There must be at least 4 bytes unused.
+ * \li	"key" is a valid key.
+ * \li	"target" is a valid buffer.  There must be at least 4 bytes unused.
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	any other result indicates failure
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
  *
  * Ensures:
- *	If successful, the used pointer in 'target' is advanced by at least 4.
+ * \li	If successful, the used pointer in 'target' is advanced by at least 4.
  */
 
 isc_result_t
@@ -313,80 +343,80 @@ dst_key_frombuffer(dns_name_t *name, unsigned int alg,
 		   unsigned int flags, unsigned int protocol,
 		   dns_rdataclass_t rdclass,
 		   isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
-/*
+/*%<
  * Converts a buffer containing DNS KEY RDATA into a DST key.
  *
  * Requires:
- *	"name" is a valid absolute dns name.
- *	"alg" is a supported key algorithm.
- *	"source" is a valid buffer.
- *	"mctx" is a valid memory context.
- *	"keyp" is not NULL and "*keyp" is NULL.
+ *\li	"name" is a valid absolute dns name.
+ *\li	"alg" is a supported key algorithm.
+ *\li	"source" is a valid buffer.
+ *\li	"mctx" is a valid memory context.
+ *\li	"keyp" is not NULL and "*keyp" is NULL.
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	any other result indicates failure
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
  *
  * Ensures:
- *	If successful, *keyp will contain a valid key, and the consumed
+ *\li	If successful, *keyp will contain a valid key, and the consumed
  *	pointer in source will be advanced.
  */
 
 isc_result_t
 dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target);
-/*
+/*%<
  * Converts a DST key into DNS KEY RDATA format.
  *
  * Requires:
- *	"key" is a valid key.
- *	"target" is a valid buffer.
+ *\li	"key" is a valid key.
+ *\li	"target" is a valid buffer.
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	any other result indicates failure
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
  *
  * Ensures:
- *	If successful, the used pointer in 'target' is advanced.
+ *\li	If successful, the used pointer in 'target' is advanced.
  */
 
 isc_result_t
 dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer);
-/*
+/*%<
  * Converts a public key into a private key, reading the private key
  * information from the buffer.  The buffer should contain the same data
  * as the .private key file would.
  *
  * Requires:
- * 	"key" is a valid public key.
- *	"buffer" is not NULL.
+ *\li	"key" is a valid public key.
+ *\li	"buffer" is not NULL.
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	any other result indicates failure
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
  *
  * Ensures:
- *	If successful, key will contain a valid private key.
+ *\li	If successful, key will contain a valid private key.
  */
 
 
 isc_result_t
 dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
 		                   dst_key_t **keyp);
-/*
+/*%<
  * Converts a GSSAPI opaque context id into a DST key.
  *
  * Requires:
- *	"name" is a valid absolute dns name.
- *	"opaque" is a GSSAPI context id.
- *	"mctx" is a valid memory context.
- *	"keyp" is not NULL and "*keyp" is NULL.
+ *\li	"name" is a valid absolute dns name.
+ *\li	"opaque" is a GSSAPI context id.
+ *\li	"mctx" is a valid memory context.
+ *\li	"keyp" is not NULL and "*keyp" is NULL.
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	any other result indicates failure
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
  *
  * Ensures:
- *	If successful, *keyp will contain a valid key and be responsible for
+ *\li	If successful, *keyp will contain a valid key and be responsible for
  *	the context id.
  */
 
@@ -396,9 +426,10 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
 		 unsigned int flags, unsigned int protocol,
 		 dns_rdataclass_t rdclass,
 		 isc_mem_t *mctx, dst_key_t **keyp);
-/*
+/*%<
  * Generate a DST key (or keypair) with the supplied parameters.  The
  * interpretation of the "param" field depends on the algorithm:
+ * \code
  * 	RSA:	exponent
  * 		0	use exponent 3
  * 		!0	use Fermat4 (2^16 + 1)
@@ -410,66 +441,67 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
  * 	HMACMD5: entropy
  *		0	default - require good entropy
  *		!0	lack of good entropy is ok
+ *\endcode
  *
  * Requires:
- *	"name" is a valid absolute dns name.
- *	"keyp" is not NULL and "*keyp" is NULL.
+ *\li	"name" is a valid absolute dns name.
+ *\li	"keyp" is not NULL and "*keyp" is NULL.
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	any other result indicates failure
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
  *
  * Ensures:
- *	If successful, *keyp will contain a valid key.
+ *\li	If successful, *keyp will contain a valid key.
  */
 
 isc_boolean_t
 dst_key_compare(const dst_key_t *key1, const dst_key_t *key2);
-/*
+/*%<
  * Compares two DST keys.
  *
  * Requires:
- *	"key1" is a valid key.
- *	"key2" is a valid key.
+ *\li	"key1" is a valid key.
+ *\li	"key2" is a valid key.
  *
  * Returns:
- * 	ISC_TRUE
- * 	ISC_FALSE
+ *\li 	ISC_TRUE
+ * \li	ISC_FALSE
  */
 
 isc_boolean_t
 dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
-/*
+/*%<
  * Compares the parameters of two DST keys.  This is used to determine if
  * two (Diffie-Hellman) keys can be used to derive a shared secret.
  *
  * Requires:
- *	"key1" is a valid key.
- *	"key2" is a valid key.
+ *\li	"key1" is a valid key.
+ *\li	"key2" is a valid key.
  *
  * Returns:
- * 	ISC_TRUE
- * 	ISC_FALSE
+ *\li 	ISC_TRUE
+ * \li	ISC_FALSE
  */
 
 void
 dst_key_free(dst_key_t **keyp);
-/*
+/*%<
  * Release all memory associated with the key.
  *
  * Requires:
- *	"keyp" is not NULL and "*keyp" is a valid key.
+ *\li	"keyp" is not NULL and "*keyp" is a valid key.
  *
  * Ensures:
- *	All memory associated with "*keyp" will be freed.
- *	*keyp == NULL
+ *\li	All memory associated with "*keyp" will be freed.
+ *\li	*keyp == NULL
  */
 
-/*
+/*%<
  * Accessor functions to obtain key fields.
  *
  * Require:
- *	"key" is a valid key.
+ *\li	"key" is a valid key.
  */
 dns_name_t *
 dst_key_name(const dst_key_t *key);
@@ -504,65 +536,83 @@ dst_key_isnullkey(const dst_key_t *key);
 isc_result_t
 dst_key_buildfilename(const dst_key_t *key, int type,
 		      const char *directory, isc_buffer_t *out);
-/*
+/*%<
  * Generates the filename used by dst to store the specified key.
  * If directory is NULL, the current directory is assumed.
  *
  * Requires:
- *	"key" is a valid key
- *	"type" is either DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or 0 for no suffix.
- *	"out" is a valid buffer
+ *\li	"key" is a valid key
+ *\li	"type" is either DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or 0 for no suffix.
+ *\li	"out" is a valid buffer
  *
  * Ensures:
- *	the file name will be written to "out", and the used pointer will
+ *\li	the file name will be written to "out", and the used pointer will
  *		be advanced.
  */
 
 isc_result_t
 dst_key_sigsize(const dst_key_t *key, unsigned int *n);
-/*
+/*%<
  * Computes the size of a signature generated by the given key.
  *
  * Requires:
- *	"key" is a valid key.
- *	"n" is not NULL
+ *\li	"key" is a valid key.
+ *\li	"n" is not NULL
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	DST_R_UNSUPPORTEDALG
+ *\li	#ISC_R_SUCCESS
+ *\li	DST_R_UNSUPPORTEDALG
  *
  * Ensures:
- * 	"n" stores the size of a generated signature
+ *\li	"n" stores the size of a generated signature
  */
 
 isc_result_t
 dst_key_secretsize(const dst_key_t *key, unsigned int *n);
-/*
+/*%<
  * Computes the size of a shared secret generated by the given key.
  *
  * Requires:
- *	"key" is a valid key.
- *	"n" is not NULL
+ *\li	"key" is a valid key.
+ *\li	"n" is not NULL
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	DST_R_UNSUPPORTEDALG
+ *\li	#ISC_R_SUCCESS
+ *\li	DST_R_UNSUPPORTEDALG
  *
  * Ensures:
- * 	"n" stores the size of a generated shared secret
+ *\li	"n" stores the size of a generated shared secret
  */
 
 isc_uint16_t
 dst_region_computeid(const isc_region_t *source, unsigned int alg);
-/*
+/*%<
  * Computes the key id of the key stored in the provided region with the
  * given algorithm.
  *
  * Requires:
- * 	"source" contains a valid, non-NULL region.
+ *\li	"source" contains a valid, non-NULL region.
  *
  * Returns:
- * 	the key id
+ *\li 	the key id
+ */
+
+isc_uint16_t
+dst_key_getbits(const dst_key_t *key);
+/*
+ * Get the number of digest bits required (0 == MAX).
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+void
+dst_key_setbits(dst_key_t *key, isc_uint16_t bits);
+/*
+ * Set the number of digest bits required (0 == MAX).
+ *
+ * Requires:
+ *	"key" is a valid key.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dst/gssapi.h b/contrib/bind9/lib/dns/include/dst/gssapi.h
index 1d74656..e30fb0c 100644
--- a/contrib/bind9/lib/dns/include/dst/gssapi.h
+++ b/contrib/bind9/lib/dns/include/dst/gssapi.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gssapi.h,v 1.1.4.1 2004/12/09 04:07:20 marka Exp $ */
+/* $Id: gssapi.h,v 1.1.6.3 2005/04/29 00:16:28 marka Exp $ */
 
 #ifndef DST_GSSAPI_H
 #define DST_GSSAPI_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 #include <isc/types.h>
diff --git a/contrib/bind9/lib/dns/include/dst/lib.h b/contrib/bind9/lib/dns/include/dst/lib.h
index 7a8e73e..bd71261 100644
--- a/contrib/bind9/lib/dns/include/dst/lib.h
+++ b/contrib/bind9/lib/dns/include/dst/lib.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.1.4.1 2004/12/09 04:07:20 marka Exp $ */
+/* $Id: lib.h,v 1.1.6.3 2005/04/29 00:16:29 marka Exp $ */
 
 #ifndef DST_LIB_H
 #define DST_LIB_H 1
 
+/*! \file */
+
 #include <isc/types.h>
 #include <isc/lang.h>
 
diff --git a/contrib/bind9/lib/dns/include/dst/result.h b/contrib/bind9/lib/dns/include/dst/result.h
index 015e086..aa03b73 100644
--- a/contrib/bind9/lib/dns/include/dst/result.h
+++ b/contrib/bind9/lib/dns/include/dst/result.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.1.4.1 2004/12/09 04:07:20 marka Exp $ */
+/* $Id: result.h,v 1.1.6.3 2005/04/29 00:16:29 marka Exp $ */
 
 #ifndef DST_RESULT_H
 #define DST_RESULT_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/resultclass.h>
 
diff --git a/contrib/bind9/lib/dns/journal.c b/contrib/bind9/lib/dns/journal.c
index 536416d..1f208c8 100644
--- a/contrib/bind9/lib/dns/journal.c
+++ b/contrib/bind9/lib/dns/journal.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: journal.c,v 1.77.2.1.10.13 2005/11/03 23:08:41 marka Exp $ */
+/* $Id: journal.c,v 1.86.18.8 2005/11/03 23:02:23 marka Exp $ */
 
 #include <config.h>
 
@@ -40,7 +40,44 @@
 #include <dns/result.h>
 #include <dns/soa.h>
 
-/*
+/*! \file 
+ * \brief Journalling.
+ *
+ * A journal file consists of
+ *
+ *   \li A fixed-size header of type journal_rawheader_t.
+ *
+ *   \li The index.  This is an unordered array of index entries
+ *     of type journal_rawpos_t giving the locations
+ *     of some arbitrary subset of the journal's addressable
+ *     transactions.  The index entries are used as hints to
+ *     speed up the process of locating a transaction with a given
+ *     serial number.  Unused index entries have an "offset"
+ *     field of zero.  The size of the index can vary between
+ *     journal files, but does not change during the lifetime
+ *     of a file.  The size can be zero.
+ *
+ *   \li The journal data.  This  consists of one or more transactions.
+ *     Each transaction begins with a transaction header of type
+ *     journal_rawxhdr_t.  The transaction header is followed by a
+ *     sequence of RRs, similar in structure to an IXFR difference
+ *     sequence (RFC1995).  That is, the pre-transaction SOA,
+ *     zero or more other deleted RRs, the post-transaction SOA,
+ *     and zero or more other added RRs.  Unlike in IXFR, each RR
+ *     is prefixed with a 32-bit length.
+ *
+ *     The journal data part grows as new transactions are
+ *     appended to the file.  Only those transactions
+ *     whose serial number is current-(2^31-1) to current
+ *     are considered "addressable" and may be pointed
+ *     to from the header or index.  They may be preceded
+ *     by old transactions that are no longer addressable,
+ *     and they may be followed by transactions that were
+ *     appended to the journal but never committed by updating
+ *     the "end" position in the header.  The latter will
+ *     be overwritten when new transactions are added.
+ */
+/*%
  * When true, accept IXFR difference sequences where the
  * SOA serial number does not change (BIND 8 sends such
  * sequences).
@@ -58,7 +95,7 @@ static isc_boolean_t bind8_compat = ISC_TRUE; /* XXX config */
 #define JOURNAL_DEBUG_LOGARGS(n) \
 	JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(n)
 
-/*
+/*%
  * It would be non-sensical (or at least obtuse) to use FAIL() with an
  * ISC_R_SUCCESS code, but the test is there to keep the Solaris compiler
  * from complaining about "end-of-loop code not reached".
@@ -134,55 +171,16 @@ dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
 	return (result);
 }
 
-/**************************************************************************/
-/*
- * Journalling.
- */
+/* Journalling */
 
-/*
- * A journal file consists of
- *
- *   - A fixed-size header of type journal_rawheader_t.
- *
- *   - The index.  This is an unordered array of index entries
- *     of type journal_rawpos_t giving the locations
- *     of some arbitrary subset of the journal's addressable
- *     transactions.  The index entries are used as hints to
- *     speed up the process of locating a transaction with a given
- *     serial number.  Unused index entries have an "offset"
- *     field of zero.  The size of the index can vary between
- *     journal files, but does not change during the lifetime
- *     of a file.  The size can be zero.
- *
- *   - The journal data.  This  consists of one or more transactions.
- *     Each transaction begins with a transaction header of type
- *     journal_rawxhdr_t.  The transaction header is followed by a
- *     sequence of RRs, similar in structure to an IXFR difference
- *     sequence (RFC1995).  That is, the pre-transaction SOA,
- *     zero or more other deleted RRs, the post-transaction SOA,
- *     and zero or more other added RRs.  Unlike in IXFR, each RR
- *     is prefixed with a 32-bit length.
- *
- *     The journal data part grows as new transactions are
- *     appended to the file.  Only those transactions
- *     whose serial number is current-(2^31-1) to current
- *     are considered "addressable" and may be pointed
- *     to from the header or index.  They may be preceded
- *     by old transactions that are no longer addressable,
- *     and they may be followed by transactions that were
- *     appended to the journal but never committed by updating
- *     the "end" position in the header.  The latter will
- *     be overwritten when new transactions are added.
- */
-
-/*
+/*%
  * On-disk representation of a "pointer" to a journal entry.
  * These are used in the journal header to locate the beginning
  * and end of the journal, and in the journal index to locate
  * other transactions.
  */
 typedef struct {
-	unsigned char	serial[4];  /* SOA serial before update. */
+	unsigned char	serial[4];  /*%< SOA serial before update. */
 	/*
 	 * XXXRTH  Should offset be 8 bytes?
 	 * XXXDCL ... probably, since isc_offset_t is 8 bytes on many OSs.
@@ -190,54 +188,54 @@ typedef struct {
 	 *            platforms as long as we are using fseek() rather
 	 *            than lseek().
 	 */
-	unsigned char	offset[4];  /* Offset from beginning of file. */
+	unsigned char	offset[4];  /*%< Offset from beginning of file. */
 } journal_rawpos_t;
 
-/*
- * The on-disk representation of the journal header.
- * All numbers are stored in big-endian order.
- */
 
-/*
+/*%
  * The header is of a fixed size, with some spare room for future
  * extensions.
  */
 #define JOURNAL_HEADER_SIZE 64 /* Bytes. */
 
+/*%
+ * The on-disk representation of the journal header.
+ * All numbers are stored in big-endian order.
+ */
 typedef union {
 	struct {
-		/* File format version ID. */
+		/*% File format version ID. */
 		unsigned char 		format[16];
-		/* Position of the first addressable transaction */
+		/*% Position of the first addressable transaction */
 		journal_rawpos_t 	begin;
-		/* Position of the next (yet nonexistent) transaction. */
+		/*% Position of the next (yet nonexistent) transaction. */
 		journal_rawpos_t 	end;
-		/* Number of index entries following the header. */
+		/*% Number of index entries following the header. */
 		unsigned char 		index_size[4];
 	} h;
 	/* Pad the header to a fixed size. */
 	unsigned char pad[JOURNAL_HEADER_SIZE];
 } journal_rawheader_t;
 
-/*
+/*%
  * The on-disk representation of the transaction header.
  * There is one of these at the beginning of each transaction.
  */
 typedef struct {
-	unsigned char	size[4]; 	/* In bytes, excluding header. */
-	unsigned char	serial0[4];	/* SOA serial before update. */
-	unsigned char	serial1[4];	/* SOA serial after update. */
+	unsigned char	size[4]; 	/*%< In bytes, excluding header. */
+	unsigned char	serial0[4];	/*%< SOA serial before update. */
+	unsigned char	serial1[4];	/*%< SOA serial after update. */
 } journal_rawxhdr_t;
 
-/*
+/*%
  * The on-disk representation of the RR header.
  * There is one of these at the beginning of each RR.
  */
 typedef struct {
-	unsigned char	size[4]; 	/* In bytes, excluding header. */
+	unsigned char	size[4]; 	/*%< In bytes, excluding header. */
 } journal_rawrrhdr_t;
 
-/*
+/*%
  * The in-core representation of the journal header.
  */
 typedef struct {
@@ -255,7 +253,7 @@ typedef struct {
 	isc_uint32_t	index_size;
 } journal_header_t;
 
-/*
+/*%
  * The in-core representation of the transaction header.
  */
 
@@ -265,7 +263,7 @@ typedef struct {
 	isc_uint32_t	serial1;
 } journal_xhdr_t;
 
-/*
+/*%
  * The in-core representation of the RR header.
  */
 typedef struct {
@@ -273,7 +271,7 @@ typedef struct {
 } journal_rrhdr_t;
 
 
-/*
+/*%
  * Initial contents to store in the header of a newly created
  * journal file.
  *
@@ -297,40 +295,38 @@ typedef enum {
 } journal_state_t;
 
 struct dns_journal {
-	unsigned int		magic;		/* JOUR */
-	isc_mem_t		*mctx;		/* Memory context */
+	unsigned int		magic;		/*%< JOUR */
+	isc_mem_t		*mctx;		/*%< Memory context */
 	journal_state_t		state;
-	const char 		*filename;	/* Journal file name */
-	FILE *			fp;		/* File handle */
-	isc_offset_t		offset;		/* Current file offset */
-	journal_header_t 	header;		/* In-core journal header */
-	unsigned char		*rawindex;	/* In-core buffer for journal
-						   index in on-disk format */
-	journal_pos_t		*index;		/* In-core journal index */
-
-	/* Current transaction state (when writing). */
+	const char 		*filename;	/*%< Journal file name */
+	FILE *			fp;		/*%< File handle */
+	isc_offset_t		offset;		/*%< Current file offset */
+	journal_header_t 	header;		/*%< In-core journal header */
+	unsigned char		*rawindex;	/*%< In-core buffer for journal index in on-disk format */
+	journal_pos_t		*index;		/*%< In-core journal index */
+
+	/*% Current transaction state (when writing). */
 	struct {
-		unsigned int	n_soa;		/* Number of SOAs seen */
-		journal_pos_t	pos[2];		/* Begin/end position */
+		unsigned int	n_soa;		/*%< Number of SOAs seen */
+		journal_pos_t	pos[2];		/*%< Begin/end position */
 	} x;
 
-	/* Iteration state (when reading). */
+	/*% Iteration state (when reading). */
 	struct {
 		/* These define the part of the journal we iterate over. */
-		journal_pos_t bpos;		/* Position before first, */
-		journal_pos_t epos;		/* and after last
-						   transaction */
+		journal_pos_t bpos;		/*%< Position before first, */
+		journal_pos_t epos;		/*%< and after last transaction */
 		/* The rest is iterator state. */
-		isc_uint32_t current_serial;	/* Current SOA serial */
-		isc_buffer_t source;		/* Data from disk */
-		isc_buffer_t target;		/* Data from _fromwire check */
-		dns_decompress_t dctx;		/* Dummy decompression ctx */
-		dns_name_t name;		/* Current domain name */
-		dns_rdata_t rdata;		/* Current rdata */
-		isc_uint32_t ttl;		/* Current TTL */
-		unsigned int xsize;		/* Size of transaction data */
-		unsigned int xpos;		/* Current position in it */
-		isc_result_t result;		/* Result of last call */
+		isc_uint32_t current_serial;	/*%< Current SOA serial */
+		isc_buffer_t source;		/*%< Data from disk */
+		isc_buffer_t target;		/*%< Data from _fromwire check */
+		dns_decompress_t dctx;		/*%< Dummy decompression ctx */
+		dns_name_t name;		/*%< Current domain name */
+		dns_rdata_t rdata;		/*%< Current rdata */
+		isc_uint32_t ttl;		/*%< Current TTL */
+		unsigned int xsize;		/*%< Size of transaction data */
+		unsigned int xpos;		/*%< Current position in it */
+		isc_result_t result;		/*%< Result of last call */
 	} it;
 };
 
diff --git a/contrib/bind9/lib/dns/key.c b/contrib/bind9/lib/dns/key.c
index 97d970e..b0f2c0a 100644
--- a/contrib/bind9/lib/dns/key.c
+++ b/contrib/bind9/lib/dns/key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: key.c,v 1.1.4.3 2005/06/09 23:54:29 marka Exp $ */
+/* $Id: key.c,v 1.1.6.6 2006/01/27 23:57:44 marka Exp $ */
 
 #include <config.h>
 
@@ -125,3 +125,23 @@ dst_key_isnullkey(const dst_key_t *key) {
 		return (ISC_FALSE);
 	return (ISC_TRUE);
 }
+
+void
+dst_key_setbits(dst_key_t *key, isc_uint16_t bits) {
+	unsigned int maxbits;
+	REQUIRE(VALID_KEY(key));
+	if (bits != 0) {
+		RUNTIME_CHECK(dst_key_sigsize(key, &maxbits) == ISC_R_SUCCESS);
+		maxbits *= 8;
+		REQUIRE(bits <= maxbits);
+	}
+	key->key_bits = bits;
+}
+
+isc_uint16_t
+dst_key_getbits(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_bits);
+}
+
+/*! \file */
diff --git a/contrib/bind9/lib/dns/keytable.c b/contrib/bind9/lib/dns/keytable.c
index 7f3e3cf..ec0f8e4 100644
--- a/contrib/bind9/lib/dns/keytable.c
+++ b/contrib/bind9/lib/dns/keytable.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.c,v 1.26.12.5 2006/01/06 00:01:42 marka Exp $ */
+/* $Id: keytable.c,v 1.28.18.4 2005/12/05 00:00:03 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -87,22 +89,12 @@ dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep) {
 		goto cleanup_keytable;
 
 	result = isc_mutex_init(&keytable->lock);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_rbt;
-	}
 
 	result = isc_rwlock_init(&keytable->rwlock, 0, 0);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_rwlock_init() failed: %s",
-				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_lock;
-	}
 
 	keytable->mctx = mctx;
 	keytable->active_nodes = 0;
diff --git a/contrib/bind9/lib/dns/lib.c b/contrib/bind9/lib/dns/lib.c
index 4449067..423908a 100644
--- a/contrib/bind9/lib/dns/lib.c
+++ b/contrib/bind9/lib/dns/lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.9.12.3 2004/03/08 09:04:30 marka Exp $ */
+/* $Id: lib.c,v 1.11.18.3 2005/08/15 01:46:50 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -31,6 +33,7 @@
  *** Globals
  ***/
 
+LIBDNS_EXTERNAL_DATA unsigned int			dns_pps = 0U;
 LIBDNS_EXTERNAL_DATA isc_msgcat_t *			dns_msgcat = NULL;
 
 
diff --git a/contrib/bind9/lib/dns/log.c b/contrib/bind9/lib/dns/log.c
index d240767..939ea36 100644
--- a/contrib/bind9/lib/dns/log.c
+++ b/contrib/bind9/lib/dns/log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.33.2.2.10.3 2004/03/06 08:13:39 marka Exp $ */
+/* $Id: log.c,v 1.36.18.4 2005/09/05 00:18:24 marka Exp $ */
+
+/*! \file */
 
 /* Principal Authors: DCL */
 
@@ -25,7 +27,7 @@
 
 #include <dns/log.h>
 
-/*
+/*%
  * When adding a new category, be sure to add the appropriate
  * #define to <dns/log.h>.
  */
@@ -44,7 +46,7 @@ LIBDNS_EXTERNAL_DATA isc_logcategory_t dns_categories[] = {
 	{ NULL, 	0 }
 };
 
-/*
+/*%
  * When adding a new module, be sure to add the appropriate
  * #define to <dns/log.h>.
  */
@@ -74,6 +76,8 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
 	{ "dns/sdb",		0 },
 	{ "dns/diff",		0 },
 	{ "dns/hints",		0 },
+	{ "dns/acache",		0 },
+	{ "dns/dlz",		0 },
 	{ NULL, 		0 }
 };
 
diff --git a/contrib/bind9/lib/dns/lookup.c b/contrib/bind9/lib/dns/lookup.c
index 1cf5721..642a434 100644
--- a/contrib/bind9/lib/dns/lookup.c
+++ b/contrib/bind9/lib/dns/lookup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lookup.c,v 1.9.12.7 2006/01/04 23:50:20 marka Exp $ */
+/* $Id: lookup.c,v 1.14.18.4 2005/11/30 03:44:39 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/dns/master.c b/contrib/bind9/lib/dns/master.c
index 7a2dab3..8eb1f2d 100644
--- a/contrib/bind9/lib/dns/master.c
+++ b/contrib/bind9/lib/dns/master.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master.c,v 1.122.2.8.2.14 2004/05/05 01:32:16 marka Exp $ */
+/* $Id: master.c,v 1.148.18.13 2006/12/07 23:57:58 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -25,6 +27,7 @@
 #include <isc/mem.h>
 #include <isc/print.h>
 #include <isc/serial.h>
+#include <isc/stdio.h>
 #include <isc/stdtime.h>
 #include <isc/string.h>
 #include <isc/task.h>
@@ -46,33 +49,34 @@
 #include <dns/time.h>
 #include <dns/ttl.h>
 
-/*
- * Grow the number of dns_rdatalist_t (RDLSZ) and dns_rdata_t (RDSZ) structures
+/*!
+ * Grow the number of dns_rdatalist_t (#RDLSZ) and dns_rdata_t (#RDSZ) structures
  * by these sizes when we need to.
  *
- * RDLSZ reflects the number of different types with the same name expected.
+ */
+/*% RDLSZ reflects the number of different types with the same name expected. */
+#define RDLSZ 32
+/*%
  * RDSZ reflects the number of rdata expected at a give name that can fit into
  * 64k.
  */
-
-#define RDLSZ 32
 #define RDSZ 512
 
 #define NBUFS 4
 #define MAXWIRESZ 255
 
-/*
+/*%
  * Target buffer size and minimum target size.
  * MINTSIZ must be big enough to hold the largest rdata record.
- *
+ * \brief
  * TSIZ >= MINTSIZ
  */
 #define TSIZ (128*1024)
-/*
+/*%
  * max message size - header - root - type - class - ttl - rdlen
  */
 #define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
-/*
+/*%
  * Size for tokens in the presentation format,
  * The largest tokens are the base64 blocks in KEY and CERT records,
  * Largest key allowed is about 1372 bytes but
@@ -87,19 +91,28 @@ typedef ISC_LIST(dns_rdatalist_t) rdatalist_head_t;
 
 typedef struct dns_incctx dns_incctx_t;
 
-/*
+/*%
  * Master file load state.
  */
 
 struct dns_loadctx {
 	unsigned int		magic;
 	isc_mem_t		*mctx;
-	isc_lex_t		*lex;
-	isc_boolean_t		keep_lex;
+	dns_masterformat_t	format;
+
 	dns_rdatacallbacks_t	*callbacks;
 	isc_task_t		*task;
 	dns_loaddonefunc_t	done;
 	void			*done_arg;
+
+	/* Common methods */
+	isc_result_t		(*openfile)(dns_loadctx_t *lctx,
+					    const char *filename);
+	isc_result_t		(*load)(dns_loadctx_t *lctx);
+
+	/* Members specific to the text format: */
+	isc_lex_t		*lex;
+	isc_boolean_t		keep_lex;
 	unsigned int		options;
 	isc_boolean_t		ttl_known;
 	isc_boolean_t		default_ttl_known;
@@ -111,9 +124,14 @@ struct dns_loadctx {
 	isc_uint32_t		default_ttl;
 	dns_rdataclass_t	zclass;
 	dns_fixedname_t		fixed_top;
-	dns_name_t		*top;			/* top of zone */
+	dns_name_t		*top;			/*%< top of zone */
+
+	/* Members specific to the raw format: */
+	FILE			*f;
+	isc_boolean_t		first;
+
 	/* Which fixed buffers we are using? */
-	unsigned int		loop_cnt;		/* records per quantum,
+	unsigned int		loop_cnt;		/*% records per quantum,
 							 * 0 => all. */
 	isc_boolean_t		canceled;
 	isc_mutex_t		lock;
@@ -144,6 +162,18 @@ struct dns_incctx {
 #define DNS_AS_STR(t) ((t).value.as_textregion.base)
 
 static isc_result_t
+openfile_text(dns_loadctx_t *lctx, const char *master_file);
+
+static isc_result_t
+openfile_raw(dns_loadctx_t *lctx, const char *master_file);
+
+static isc_result_t
+load_text(dns_loadctx_t *lctx);
+
+static isc_result_t
+load_raw(dns_loadctx_t *lctx);
+
+static isc_result_t
 pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx);
 
 static isc_result_t
@@ -405,6 +435,7 @@ incctx_destroy(isc_mem_t *mctx, dns_incctx_t *ictx) {
 static void
 loadctx_destroy(dns_loadctx_t *lctx) {
 	isc_mem_t *mctx;
+	isc_result_t result;
 
 	REQUIRE(DNS_LCTX_VALID(lctx));
 
@@ -412,6 +443,15 @@ loadctx_destroy(dns_loadctx_t *lctx) {
 	if (lctx->inc != NULL)
 		incctx_destroy(lctx->mctx, lctx->inc);
 
+	if (lctx->f != NULL) {
+		result = isc_stdio_close(lctx->f);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_stdio_close() failed: %s",
+					 isc_result_totext(result));
+		}
+	}
+
 	/* isc_lex_destroy() will close all open streams */
 	if (lctx->lex != NULL && !lctx->keep_lex)
 		isc_lex_destroy(&lctx->lex);
@@ -461,7 +501,8 @@ incctx_create(isc_mem_t *mctx, dns_name_t *origin, dns_incctx_t **ictxp) {
 }
 
 static isc_result_t
-loadctx_create(isc_mem_t *mctx, unsigned int options, dns_name_t *top,
+loadctx_create(dns_masterformat_t format, isc_mem_t *mctx,
+	       unsigned int options, dns_name_t *top,
 	       dns_rdataclass_t zclass, dns_name_t *origin,
 	       dns_rdatacallbacks_t *callbacks, isc_task_t *task,
 	       dns_loaddonefunc_t done, void *done_arg, isc_lex_t *lex,
@@ -489,10 +530,7 @@ loadctx_create(isc_mem_t *mctx, unsigned int options, dns_name_t *top,
 	result = isc_mutex_init(&lctx->lock);
 	if (result != ISC_R_SUCCESS) {
 		isc_mem_put(mctx, lctx, sizeof(*lctx));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
+		return (result);
 	}
 
 	lctx->inc = NULL;
@@ -500,6 +538,20 @@ loadctx_create(isc_mem_t *mctx, unsigned int options, dns_name_t *top,
 	if (result != ISC_R_SUCCESS) 
 		goto cleanup_ctx;
 
+	lctx->format = format;
+	switch (format) {
+	default:
+		INSIST(0);
+	case dns_masterformat_text:
+		lctx->openfile = openfile_text;
+		lctx->load = load_text;
+		break;
+	case dns_masterformat_raw:
+		lctx->openfile = openfile_raw;
+		lctx->load = load_raw;
+		break;
+	}
+
 	if (lex != NULL) {
 		lctx->lex = lex;
 		lctx->keep_lex = ISC_TRUE;
@@ -534,6 +586,9 @@ loadctx_create(isc_mem_t *mctx, unsigned int options, dns_name_t *top,
 	dns_name_toregion(top, &r);
 	dns_name_fromregion(lctx->top, &r);
 
+	lctx->f = NULL;
+	lctx->first = ISC_TRUE;
+
 	lctx->loop_cnt = (done != NULL) ? 100 : 0;
 	lctx->callbacks = callbacks;
 	lctx->task = NULL;
@@ -640,6 +695,25 @@ genname(char *name, int it, char *buffer, size_t length) {
 }
 
 static isc_result_t
+openfile_text(dns_loadctx_t *lctx, const char *master_file) {
+	return (isc_lex_openfile(lctx->lex, master_file));
+}
+
+static isc_result_t
+openfile_raw(dns_loadctx_t *lctx, const char *master_file) {
+	isc_result_t result;
+
+	result = isc_stdio_open(master_file, "r", &lctx->f);
+	if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_stdio_open() failed: %s",
+				 isc_result_totext(result));		
+	}
+
+	return (result);
+}
+
+static isc_result_t
 generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
 	 const char *source, unsigned int line)
 {
@@ -711,6 +785,7 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
 	case dns_rdatatype_a:
 	case dns_rdatatype_aaaa:
 		if (lctx->zclass == dns_rdataclass_in ||
+		    lctx->zclass == dns_rdataclass_ch ||
 		    lctx->zclass == dns_rdataclass_hs)
 			break;
 		/* FALLTHROUGH */
@@ -862,8 +937,25 @@ check_ns(dns_loadctx_t *lctx, isc_token_t *token, const char *source,
 	return (result);
 }
 
+static void
+check_wildcard(dns_incctx_t *ictx, const char *source, unsigned long line,
+	       dns_rdatacallbacks_t *callbacks)
+{
+	dns_name_t *name;
+
+	name = (ictx->glue != NULL) ? ictx->glue : ictx->current;
+	if (dns_name_internalwildcard(name)) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		(*callbacks->warn)(callbacks, "%s:%lu: warning: ownername "
+				   "'%s' contains an non-terminal wildcard",
+				   source, line, namebuf);
+	}
+}
+
 static isc_result_t
-load(dns_loadctx_t *lctx) {
+load_text(dns_loadctx_t *lctx) {
 	dns_rdataclass_t rdclass;
 	dns_rdatatype_t type, covers;
 	isc_uint32_t ttl_offset = 0;
@@ -939,11 +1031,16 @@ load(dns_loadctx_t *lctx) {
 		options |= DNS_RDATA_CHECKNAMES;
 	if ((lctx->options & DNS_MASTER_CHECKNAMESFAIL) != 0)
 		options |= DNS_RDATA_CHECKNAMESFAIL;
+	if ((lctx->options & DNS_MASTER_CHECKMX) != 0)
+		options |= DNS_RDATA_CHECKMX;
+	if ((lctx->options & DNS_MASTER_CHECKMXFAIL) != 0)
+		options |= DNS_RDATA_CHECKMXFAIL;
 	source = isc_lex_getsourcename(lctx->lex);
 	do {
 		initialws = ISC_FALSE;
 		line = isc_lex_getsourceline(lctx->lex);
-		GETTOKEN(lctx->lex, ISC_LEXOPT_INITIALWS, &token, ISC_TRUE);
+		GETTOKEN(lctx->lex, ISC_LEXOPT_INITIALWS | ISC_LEXOPT_QSTRING,
+			 &token, ISC_TRUE);
 		line = isc_lex_getsourceline(lctx->lex);
 
 		if (token.type == isc_tokentype_eof) {
@@ -979,7 +1076,8 @@ load(dns_loadctx_t *lctx) {
 			 * Still working on the same name.
 			 */
 			initialws = ISC_TRUE;
-		} else if (token.type == isc_tokentype_string) {
+		} else if (token.type == isc_tokentype_string ||
+			   token.type == isc_tokentype_qstring) {
 
 			/*
 			 * "$" Support.
@@ -1117,6 +1215,7 @@ load(dns_loadctx_t *lctx) {
 					isc_mem_free(mctx, gtype);
 				if (rhs != NULL)
 					isc_mem_free(mctx, rhs);
+				range = lhs = gtype = rhs = NULL;
 				/* RANGE */
 				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
 				range = isc_mem_strdup(mctx,
@@ -1346,6 +1445,14 @@ load(dns_loadctx_t *lctx) {
 					isc_buffer_init(&target, target_mem,
 							target_size);
 				}
+				/*
+				 * Check for internal wildcards.
+				 */
+				if ((lctx->options & DNS_MASTER_CHECKWILDCARD)
+						 != 0)
+					check_wildcard(ictx, source, line,
+						       callbacks);
+
 			}
 			if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
 			    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
@@ -1508,7 +1615,7 @@ load(dns_loadctx_t *lctx) {
 			current_has_delegation = ISC_TRUE;
 
 		/*
-		 * RFC 1123: MD and MF are not allowed to be loaded from
+		 * RFC1123: MD and MF are not allowed to be loaded from
 		 * master files.
 		 */
 		if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
@@ -1571,7 +1678,7 @@ load(dns_loadctx_t *lctx) {
 			isc_boolean_t ok;
 			dns_name_t *name;
 
-			name = (ictx->glue != NULL) ? ictx-> glue :
+			name = (ictx->glue != NULL) ? ictx->glue :
 						      ictx->current;
 			ok = dns_rdata_checkowner(name, lctx->zclass, type,
 						  ISC_TRUE);
@@ -1686,7 +1793,7 @@ load(dns_loadctx_t *lctx) {
 		} else if (!explicit_ttl && lctx->warn_1035) {
 			(*callbacks->warn)(callbacks,
 					   "%s:%lu: "
-					   "using RFC 1035 TTL semantics",
+					   "using RFC1035 TTL semantics",
 					   source, line);
 			lctx->warn_1035 = ISC_FALSE;
 		}
@@ -1879,7 +1986,7 @@ pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx) {
 		new->drop = ictx->drop;
 	}
 
-	result = isc_lex_openfile(lctx->lex, master_file);
+	result = (lctx->openfile)(lctx, master_file);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 	new->parent = ictx;
@@ -1892,25 +1999,352 @@ pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx) {
 	return (result);
 }
 
+static inline isc_result_t
+read_and_check(isc_boolean_t do_read, isc_buffer_t *buffer,
+	       size_t len, FILE *f)
+{
+	isc_result_t result;
+
+	if (do_read) {
+		INSIST(isc_buffer_availablelength(buffer) >= len);
+		result = isc_stdio_read(isc_buffer_used(buffer), 1, len,
+					f, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		isc_buffer_add(buffer, len);
+	} else if (isc_buffer_remaininglength(buffer) < len)
+		return (ISC_R_RANGE);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+load_raw(dns_loadctx_t *lctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_boolean_t done = ISC_FALSE;
+	unsigned int loop_cnt = 0;
+	dns_rdatacallbacks_t *callbacks;
+	unsigned char namebuf[DNS_NAME_MAXWIRE];
+	isc_region_t r;
+	dns_name_t name;
+	rdatalist_head_t head, dummy;
+	dns_rdatalist_t rdatalist;
+	isc_mem_t *mctx = lctx->mctx;
+	dns_rdata_t *rdata = NULL;
+	unsigned int rdata_size = 0;
+	int target_size = TSIZ;
+	isc_buffer_t target;
+	unsigned char *target_mem = NULL;
+
+	REQUIRE(DNS_LCTX_VALID(lctx));
+	callbacks = lctx->callbacks;
+
+	if (lctx->first) {
+		dns_masterrawheader_t header;
+		isc_uint32_t format, version, dumptime;
+		size_t hdrlen = sizeof(format) + sizeof(version) +
+			sizeof(dumptime);
+
+		INSIST(hdrlen <= sizeof(header));
+		isc_buffer_init(&target, &header, sizeof(header));
+
+		result = isc_stdio_read(&header, 1, hdrlen, lctx->f, NULL);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_stdio_read failed: %s",
+					 isc_result_totext(result));
+			return (result);
+		}
+		isc_buffer_add(&target, hdrlen);
+		format = isc_buffer_getuint32(&target);
+		if (format != dns_masterformat_raw) {
+			(*callbacks->error)(callbacks,
+					    "dns_master_load: "
+					    "file format mismatch");
+			return (ISC_R_NOTIMPLEMENTED);
+		}
+
+		version = isc_buffer_getuint32(&target);
+		if (version > DNS_RAWFORMAT_VERSION) {
+			(*callbacks->error)(callbacks,
+					    "dns_master_load: "
+					    "unsupported file format version");
+			return (ISC_R_NOTIMPLEMENTED);
+		}
+
+		/* Empty read: currently, we do not use dumptime */
+		dumptime = isc_buffer_getuint32(&target);
+
+		lctx->first = ISC_FALSE;
+	}
+
+	ISC_LIST_INIT(head);
+	ISC_LIST_INIT(dummy);
+	dns_rdatalist_init(&rdatalist);
+
+	/*
+	 * Allocate target_size of buffer space.  This is greater than twice
+	 * the maximum individual RR data size.
+	 */
+	target_mem = isc_mem_get(mctx, target_size);
+	if (target_mem == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	isc_buffer_init(&target, target_mem, target_size);
+
+	/*
+	 * In the following loop, we regard any error fatal regardless of
+	 * whether "MANYERRORS" is set in the context option.  This is because
+	 * normal errors should already have been checked at creation time.
+	 * Besides, it is very unlikely that we can recover from an error
+	 * in this format, and so trying to continue parsing erroneous data
+	 * does not really make sense.
+	 */
+	for (loop_cnt = 0;
+	     (lctx->loop_cnt == 0 || loop_cnt < lctx->loop_cnt);
+	     loop_cnt++) {
+		unsigned int i, rdcount, consumed_name;
+		isc_uint16_t namelen;
+		isc_uint32_t totallen;
+		size_t minlen, readlen;
+		isc_boolean_t sequential_read = ISC_FALSE;
+
+		/* Read the data length */
+		isc_buffer_clear(&target);
+		INSIST(isc_buffer_availablelength(&target) >=
+		       sizeof(totallen));
+		result = isc_stdio_read(target.base, 1, sizeof(totallen),
+					lctx->f, NULL);
+		if (result == ISC_R_EOF) {
+			result = ISC_R_SUCCESS;
+			done = ISC_TRUE;
+			break;
+		}
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		isc_buffer_add(&target, sizeof(totallen));
+		totallen = isc_buffer_getuint32(&target);
+		/*
+		 * Validation: the input data must at least contain the common
+		 * header.
+		 */
+		minlen = sizeof(totallen) + sizeof(isc_uint16_t) +
+			sizeof(isc_uint16_t) + sizeof(isc_uint16_t) +
+			sizeof(isc_uint32_t) + sizeof(isc_uint32_t);
+		if (totallen < minlen) {
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+		totallen -= sizeof(totallen);
+
+		isc_buffer_clear(&target);
+		if (totallen > isc_buffer_availablelength(&target)) {
+			/*
+			 * The default buffer size should typically be large
+			 * enough to store the entire RRset.  We could try to
+			 * allocate enough space if this is not the case, but
+			 * it might cause a hazardous result when "totallen"
+			 * is forged.  Thus, we'd rather take an inefficient
+			 * but robust approach in this atypical case: read
+			 * data step by step, and commit partial data when
+			 * necessary.  Note that the buffer must be large
+			 * enough to store the "header part", owner name, and
+			 * at least one rdata (however large it is).
+			 */
+			sequential_read = ISC_TRUE;
+			readlen = minlen - sizeof(totallen);
+		} else {
+			/*
+			 * Typical case.  We can read the whole RRset at once
+			 * with the default buffer.
+			 */
+			readlen = totallen;
+		}
+		result = isc_stdio_read(target.base, 1, readlen,
+					lctx->f, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		isc_buffer_add(&target, readlen);
+
+		/* Construct RRset headers */
+		rdatalist.rdclass = isc_buffer_getuint16(&target);
+		rdatalist.type = isc_buffer_getuint16(&target);
+		rdatalist.covers = isc_buffer_getuint16(&target);
+		rdatalist.ttl =  isc_buffer_getuint32(&target);
+		rdcount = isc_buffer_getuint32(&target);
+		if (rdcount == 0) {
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+		INSIST(isc_buffer_consumedlength(&target) <= readlen);
+
+		/* Owner name: length followed by name */
+		result = read_and_check(sequential_read, &target,
+					sizeof(namelen), lctx->f);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		namelen = isc_buffer_getuint16(&target);
+		if (namelen > sizeof(namebuf)) {
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+
+		result = read_and_check(sequential_read, &target, namelen,
+					lctx->f);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		isc_buffer_setactive(&target, (unsigned int)namelen);
+		isc_buffer_activeregion(&target, &r);
+		dns_name_init(&name, NULL);
+		dns_name_fromregion(&name, &r);
+		isc_buffer_forward(&target, (unsigned int)namelen);
+		consumed_name = isc_buffer_consumedlength(&target);
+
+		/* Rdata contents. */
+		if (rdcount > rdata_size) {
+			dns_rdata_t *new_rdata = NULL;
+
+			new_rdata = grow_rdata(rdata_size + RDSZ, rdata,
+					       rdata_size, &head,
+					       &dummy, mctx);
+			if (new_rdata == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			rdata_size += RDSZ;
+			rdata = new_rdata;
+		}
+
+	continue_read:
+		for (i = 0; i < rdcount; i++) {
+			isc_uint16_t rdlen;
+
+			dns_rdata_init(&rdata[i]);
+			
+			if (sequential_read &&
+			    isc_buffer_availablelength(&target) < MINTSIZ) {
+				unsigned int j;
+
+				INSIST(i > 0); /* detect an infinite loop */
+
+				/* Partial Commit. */
+				ISC_LIST_APPEND(head, &rdatalist, link);
+				result = commit(callbacks, lctx, &head, &name,
+						NULL, 0);
+				for (j = 0; j < i; j++) {
+					ISC_LIST_UNLINK(rdatalist.rdata,
+							&rdata[j], link);
+					dns_rdata_reset(&rdata[j]);
+				}
+				if (result != ISC_R_SUCCESS)
+					goto cleanup;
+
+				/* Rewind the buffer and continue */
+				isc_buffer_clear(&target);
+				isc_buffer_add(&target, consumed_name);
+				isc_buffer_forward(&target, consumed_name);
+
+				rdcount -= i;
+				i = 0;
+
+				goto continue_read;
+			}
+
+			/* rdata length */
+			result = read_and_check(sequential_read, &target,
+						sizeof(rdlen), lctx->f);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			rdlen = isc_buffer_getuint16(&target);
+
+			/* rdata */
+			result = read_and_check(sequential_read, &target,
+						rdlen, lctx->f);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			isc_buffer_setactive(&target, (unsigned int)rdlen);
+			isc_buffer_activeregion(&target, &r);
+			isc_buffer_forward(&target, (unsigned int)rdlen);
+			dns_rdata_fromregion(&rdata[i], rdatalist.rdclass,
+					     rdatalist.type, &r);
+
+			ISC_LIST_APPEND(rdatalist.rdata, &rdata[i], link);
+		}
+
+		/*
+		 * Sanity check.  Still having remaining space is not
+		 * necessarily critical, but it very likely indicates broken
+		 * or malformed data.
+		 */
+		if (isc_buffer_remaininglength(&target) != 0) {
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+
+		ISC_LIST_APPEND(head, &rdatalist, link);
+
+		/* Commit this RRset.  rdatalist will be unlinked. */
+		result = commit(callbacks, lctx, &head, &name, NULL, 0);
+
+		for (i = 0; i < rdcount; i++) {
+			ISC_LIST_UNLINK(rdatalist.rdata, &rdata[i], link);
+			dns_rdata_reset(&rdata[i]);
+		}
+
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+
+	if (!done) {
+		INSIST(lctx->done != NULL && lctx->task != NULL);
+		result = DNS_R_CONTINUE;
+	} else if (result == ISC_R_SUCCESS && lctx->result != ISC_R_SUCCESS)
+		result = lctx->result;
+
+ cleanup:
+	if (rdata != NULL)
+		isc_mem_put(mctx, rdata, rdata_size * sizeof(*rdata));
+	if (target_mem != NULL)
+		isc_mem_put(mctx, target_mem, target_size);
+	if (result != ISC_R_SUCCESS && result != DNS_R_CONTINUE) {
+		(*callbacks->error)(callbacks, "dns_master_load: %s",
+				    dns_result_totext(result));
+	}
+
+	return (result);
+}
+
 isc_result_t
 dns_master_loadfile(const char *master_file, dns_name_t *top,
 		    dns_name_t *origin,
 		    dns_rdataclass_t zclass, unsigned int options,
 		    dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
 {
+	return (dns_master_loadfile2(master_file, top, origin, zclass, options,
+				     callbacks, mctx, dns_masterformat_text));
+}
+
+isc_result_t
+dns_master_loadfile2(const char *master_file, dns_name_t *top,
+		     dns_name_t *origin,
+		     dns_rdataclass_t zclass, unsigned int options,
+		     dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx,
+		     dns_masterformat_t format)
+{
 	dns_loadctx_t *lctx = NULL;
 	isc_result_t result;
 
-	result = loadctx_create(mctx, options, top, zclass, origin,
+	result = loadctx_create(format, mctx, options, top, zclass, origin,
 				callbacks, NULL, NULL, NULL, NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	result = isc_lex_openfile(lctx->lex, master_file);
+	result = (lctx->openfile)(lctx, master_file);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
-	result = load(lctx);
+	result = (lctx->load)(lctx);
 	INSIST(result != DNS_R_CONTINUE);
 
  cleanup:
@@ -1926,18 +2360,32 @@ dns_master_loadfileinc(const char *master_file, dns_name_t *top,
 		       isc_task_t *task, dns_loaddonefunc_t done,
 		       void *done_arg, dns_loadctx_t **lctxp, isc_mem_t *mctx)
 {
+	return (dns_master_loadfileinc2(master_file, top, origin, zclass,
+					options, callbacks, task, done,
+					done_arg, lctxp, mctx,
+					dns_masterformat_text));
+}
+
+isc_result_t
+dns_master_loadfileinc2(const char *master_file, dns_name_t *top,
+			dns_name_t *origin, dns_rdataclass_t zclass,
+			unsigned int options, dns_rdatacallbacks_t *callbacks,
+			isc_task_t *task, dns_loaddonefunc_t done,
+			void *done_arg, dns_loadctx_t **lctxp, isc_mem_t *mctx,
+			dns_masterformat_t format)
+{
 	dns_loadctx_t *lctx = NULL;
 	isc_result_t result;
-	
+
 	REQUIRE(task != NULL);
 	REQUIRE(done != NULL);
 
-	result = loadctx_create(mctx, options, top, zclass, origin,
+	result = loadctx_create(format, mctx, options, top, zclass, origin,
 				callbacks, task, done, done_arg, NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	result = isc_lex_openfile(lctx->lex, master_file);
+	result = (lctx->openfile)(lctx, master_file);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -1963,8 +2411,9 @@ dns_master_loadstream(FILE *stream, dns_name_t *top, dns_name_t *origin,
 
 	REQUIRE(stream != NULL);
 
-	result = loadctx_create(mctx, options, top, zclass, origin,
-				callbacks, NULL, NULL, NULL, NULL, &lctx);
+	result = loadctx_create(dns_masterformat_text, mctx, options, top,
+				zclass, origin, callbacks, NULL, NULL, NULL,
+				NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -1972,7 +2421,7 @@ dns_master_loadstream(FILE *stream, dns_name_t *top, dns_name_t *origin,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
-	result = load(lctx);
+	result = (lctx->load)(lctx);
 	INSIST(result != DNS_R_CONTINUE);
 
  cleanup:
@@ -1995,8 +2444,9 @@ dns_master_loadstreaminc(FILE *stream, dns_name_t *top, dns_name_t *origin,
 	REQUIRE(task != NULL);
 	REQUIRE(done != NULL);
 
-	result = loadctx_create(mctx, options, top, zclass, origin,
-				callbacks, task, done, done_arg, NULL, &lctx);
+	result = loadctx_create(dns_masterformat_text, mctx, options, top,
+				zclass, origin, callbacks, task, done,
+				done_arg, NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -2027,8 +2477,9 @@ dns_master_loadbuffer(isc_buffer_t *buffer, dns_name_t *top,
 
 	REQUIRE(buffer != NULL);
 
-	result = loadctx_create(mctx, options, top, zclass, origin,
-				callbacks, NULL, NULL, NULL, NULL, &lctx);
+	result = loadctx_create(dns_masterformat_text, mctx, options, top,
+				zclass, origin, callbacks, NULL, NULL, NULL,
+				NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -2036,7 +2487,7 @@ dns_master_loadbuffer(isc_buffer_t *buffer, dns_name_t *top,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
-	result = load(lctx);
+	result = (lctx->load)(lctx);
 	INSIST(result != DNS_R_CONTINUE);
 
  cleanup:
@@ -2060,8 +2511,9 @@ dns_master_loadbufferinc(isc_buffer_t *buffer, dns_name_t *top,
 	REQUIRE(task != NULL);
 	REQUIRE(done != NULL);
 
-	result = loadctx_create(mctx, options, top, zclass, origin,
-				callbacks, task, done, done_arg, NULL, &lctx);
+	result = loadctx_create(dns_masterformat_text, mctx, options, top,
+				zclass, origin, callbacks, task, done,
+				done_arg, NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -2092,12 +2544,13 @@ dns_master_loadlexer(isc_lex_t *lex, dns_name_t *top,
 
 	REQUIRE(lex != NULL);
 
-	result = loadctx_create(mctx, options, top, zclass, origin,
-				callbacks, NULL, NULL, NULL, lex, &lctx);
+	result = loadctx_create(dns_masterformat_text, mctx, options, top,
+				zclass, origin, callbacks, NULL, NULL, NULL,
+				lex, &lctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	result = load(lctx);
+	result = (lctx->load)(lctx);
 	INSIST(result != DNS_R_CONTINUE);
 
 	dns_loadctx_detach(&lctx);
@@ -2119,8 +2572,9 @@ dns_master_loadlexerinc(isc_lex_t *lex, dns_name_t *top,
 	REQUIRE(task != NULL);
 	REQUIRE(done != NULL);
 
-	result = loadctx_create(mctx, options, top, zclass, origin,
-				callbacks, task, done, done_arg, lex, &lctx);
+	result = loadctx_create(dns_masterformat_text, mctx, options, top,
+				zclass, origin, callbacks, task, done,
+				done_arg, lex, &lctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -2281,9 +2735,15 @@ commit(dns_rdatacallbacks_t *callbacks, dns_loadctx_t *lctx,
 		} else if (result != ISC_R_SUCCESS) {
 			dns_name_format(owner, namebuf,
 					sizeof(namebuf));
-			(*error)(callbacks, "%s: %s:%lu: %s: %s",
-				 "dns_master_load", source, line,
-				 namebuf, dns_result_totext(result));
+			if (source != NULL) {
+				(*error)(callbacks, "%s: %s:%lu: %s: %s",
+					 "dns_master_load", source, line,
+					 namebuf, dns_result_totext(result));
+			} else {
+				(*error)(callbacks, "%s: %s: %s",
+					 "dns_master_load", namebuf,
+					 dns_result_totext(result));
+			}
 		}
 		if (MANYERRS(lctx, result))
 			SETRESULT(lctx, result);
@@ -2342,7 +2802,7 @@ load_quantum(isc_task_t *task, isc_event_t *event) {
 	if (lctx->canceled)
 		result = ISC_R_CANCELED;
 	else
-		result = load(lctx);
+		result = (lctx->load)(lctx);
 	if (result == DNS_R_CONTINUE) {
 		event->ev_arg = lctx;
 		isc_task_send(task, &event);
diff --git a/contrib/bind9/lib/dns/masterdump.c b/contrib/bind9/lib/dns/masterdump.c
index 0f4716d..03716e2 100644
--- a/contrib/bind9/lib/dns/masterdump.c
+++ b/contrib/bind9/lib/dns/masterdump.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.c,v 1.56.2.5.2.15 2006/03/10 00:17:21 marka Exp $ */
+/* $Id: masterdump.c,v 1.73.18.14 2006/08/08 06:39:36 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -29,13 +31,16 @@
 #include <isc/stdio.h>
 #include <isc/string.h>
 #include <isc/task.h>
+#include <isc/time.h>
 #include <isc/util.h>
 
 #include <dns/db.h>
 #include <dns/dbiterator.h>
 #include <dns/events.h>
 #include <dns/fixedname.h>
+#include <dns/lib.h>
 #include <dns/log.h>
+#include <dns/master.h>
 #include <dns/masterdump.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
@@ -65,7 +70,7 @@ struct dns_master_style {
 	unsigned int tab_width;
 };
 
-/*
+/*%
  * The maximum length of the newline+indentation that is output
  * when inserting a line break in an RR.  This effectively puts an
  * upper limits on the value of "rdata_column", because if it is
@@ -73,7 +78,7 @@ struct dns_master_style {
  */
 #define DNS_TOTEXT_LINEBREAK_MAXLEN 100
 
-/*
+/*%
  * Context structure for a masterfile dump in progress.
  */
 typedef struct dns_totext_ctx {
@@ -134,7 +139,7 @@ dns_master_style_simple = {
 	24, 32, 32, 40, 80, 8
 };
 
-/*
+/*%
  * A style suitable for dns_rdataset_totext().
  */
 LIBDNS_EXTERNAL_DATA const dns_master_style_t
@@ -171,11 +176,16 @@ struct dns_dumpctx {
 	/* dns_master_dumpinc() */
 	char			*file;
 	char 			*tmpfile;
+	dns_masterformat_t	format;
+	isc_result_t		(*dumpsets)(isc_mem_t *mctx, dns_name_t *name,
+					    dns_rdatasetiter_t *rdsiter,
+					    dns_totext_ctx_t *ctx,
+					    isc_buffer_t *buffer, FILE *f);
 };
 
 #define NXDOMAIN(x) (((x)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0) 
 
-/*
+/*%
  * Output tabs and spaces to go from column '*current' to
  * column 'to', and update '*current' to reflect the new
  * current column.
@@ -348,6 +358,7 @@ rdataset_totext(dns_rdataset_t *rdataset,
 
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
 
+	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
 	result = dns_rdataset_first(rdataset);
 	REQUIRE(result == ISC_R_SUCCESS);
 
@@ -774,9 +785,9 @@ static const char *trustnames[] = {
 };
 
 static isc_result_t
-dump_rdatasets(isc_mem_t *mctx, dns_name_t *name, dns_rdatasetiter_t *rdsiter,
-	       dns_totext_ctx_t *ctx,
-	       isc_buffer_t *buffer, FILE *f)
+dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name,
+		    dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
+		    isc_buffer_t *buffer, FILE *f)
 {
 	isc_result_t itresult, dumpresult;
 	isc_region_t r;
@@ -848,6 +859,146 @@ dump_rdatasets(isc_mem_t *mctx, dns_name_t *name, dns_rdatasetiter_t *rdsiter,
 	return (itresult);
 }
 
+/*
+ * Dump given RRsets in the "raw" format.
+ */
+static isc_result_t
+dump_rdataset_raw(isc_mem_t *mctx, dns_name_t *name, dns_rdataset_t *rdataset,
+		  isc_buffer_t *buffer, FILE *f)
+{
+	isc_result_t result;
+	isc_uint32_t totallen;
+	isc_uint16_t dlen;
+	isc_region_t r, r_hdr;
+
+	REQUIRE(buffer->length > 0);
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+
+ restart:
+	totallen = 0;
+	result = dns_rdataset_first(rdataset);
+	REQUIRE(result == ISC_R_SUCCESS);
+
+	isc_buffer_clear(buffer);
+
+	/*
+	 * Common header and owner name (length followed by name)
+	 * These fields should be in a moderate length, so we assume we
+	 * can store all of them in the initial buffer.
+	 */
+	isc_buffer_availableregion(buffer, &r_hdr);
+	INSIST(r_hdr.length >= sizeof(dns_masterrawrdataset_t));
+	isc_buffer_putuint32(buffer, totallen);	/* XXX: leave space */
+	isc_buffer_putuint16(buffer, rdataset->rdclass); /* 16-bit class */
+	isc_buffer_putuint16(buffer, rdataset->type); /* 16-bit type */
+	isc_buffer_putuint16(buffer, rdataset->covers);	/* same as type */
+	isc_buffer_putuint32(buffer, rdataset->ttl); /* 32-bit TTL */
+	isc_buffer_putuint32(buffer, dns_rdataset_count(rdataset));
+	totallen = isc_buffer_usedlength(buffer);
+	INSIST(totallen <= sizeof(dns_masterrawrdataset_t));
+
+	dns_name_toregion(name, &r);
+	INSIST(isc_buffer_availablelength(buffer) >=
+	       (sizeof(dlen) + r.length));
+	dlen = (isc_uint16_t)r.length;
+	isc_buffer_putuint16(buffer, dlen);
+	isc_buffer_copyregion(buffer, &r);
+	totallen += sizeof(dlen) + r.length;
+
+	do {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		isc_region_t r;
+
+		dns_rdataset_current(rdataset, &rdata);
+		dns_rdata_toregion(&rdata, &r);
+		INSIST(r.length <= 0xffffU);
+		dlen = (isc_uint16_t)r.length;
+
+		/*
+		 * Copy the rdata into the buffer.  If the buffer is too small,
+		 * grow it.  This should be rare, so we'll simply restart the
+		 * entire procedure (or should we copy the old data and
+		 * continue?).
+		 */
+		if (isc_buffer_availablelength(buffer) <
+						 sizeof(dlen) + r.length) {
+			int newlength;
+			void *newmem;
+
+			newlength = buffer->length * 2;
+			newmem = isc_mem_get(mctx, newlength);
+			if (newmem == NULL)
+				return (ISC_R_NOMEMORY);
+			isc_mem_put(mctx, buffer->base, buffer->length);
+			isc_buffer_init(buffer, newmem, newlength);
+			goto restart;
+		}
+		isc_buffer_putuint16(buffer, dlen);
+		isc_buffer_copyregion(buffer, &r);
+		totallen += sizeof(dlen) + r.length;
+
+		result = dns_rdataset_next(rdataset);
+	} while (result == ISC_R_SUCCESS);
+
+	if (result != ISC_R_NOMORE)
+		return (result);
+
+	/*
+	 * Fill in the total length field.
+	 * XXX: this is a bit tricky.  Since we have already "used" the space
+	 * for the total length in the buffer, we first remember the entire
+	 * buffer length in the region, "rewind", and then write the value.
+	 */
+	isc_buffer_usedregion(buffer, &r);
+	isc_buffer_clear(buffer);
+	isc_buffer_putuint32(buffer, totallen);
+	INSIST(isc_buffer_usedlength(buffer) < totallen);
+
+	/*
+	 * Write the buffer contents to the raw master file.
+	 */
+	result = isc_stdio_write(r.base, 1, (size_t)r.length, f, NULL);
+
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "raw master file write failed: %s",
+				 isc_result_totext(result));
+		return (result);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+dump_rdatasets_raw(isc_mem_t *mctx, dns_name_t *name,
+		   dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
+		   isc_buffer_t *buffer, FILE *f)
+{
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+
+	for (result = dns_rdatasetiter_first(rdsiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter)) {
+
+		dns_rdataset_init(&rdataset);
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+
+		if (rdataset.type == 0 &&
+		    (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
+			/* Omit negative cache entries */
+		} else {
+			result = dump_rdataset_raw(mctx, name, &rdataset,
+						   buffer, f);
+		}
+		dns_rdataset_disassociate(&rdataset);
+	}
+
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	return (result);
+}
 
 /*
  * Initial size of text conversion buffer.  The buffer is used
@@ -856,7 +1007,7 @@ dump_rdatasets(isc_mem_t *mctx, dns_name_t *name, dns_rdatasetiter_t *rdsiter,
  *
  * When converting rdatasets, it is dynamically resized, but
  * when converting origins, timestamps, etc it is not.  Therefore,
- * the  initial size must large enough to hold the longest possible
+ * the initial size must large enough to hold the longest possible
  * text representation of any domain name (for $ORIGIN).
  */
 static const int initial_buffer_length = 1200;
@@ -1021,7 +1172,8 @@ task_send(dns_dumpctx_t *dctx) {
 
 static isc_result_t
 dumpctx_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
-	       const dns_master_style_t *style, FILE *f, dns_dumpctx_t **dctxp)
+	       const dns_master_style_t *style, FILE *f, dns_dumpctx_t **dctxp,
+	       dns_masterformat_t format)
 {
 	dns_dumpctx_t *dctx;
 	isc_result_t result;
@@ -1044,6 +1196,19 @@ dumpctx_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 	dctx->canceled = ISC_FALSE;
 	dctx->file = NULL;
 	dctx->tmpfile = NULL;
+	dctx->format = format;
+
+	switch (format) {
+	case dns_masterformat_text:
+		dctx->dumpsets = dump_rdatasets_text;
+		break;
+	case dns_masterformat_raw:
+		dctx->dumpsets = dump_rdatasets_raw;
+		break;
+	default:
+		INSIST(0);
+		break;
+	}
 
 	result = totext_ctx_init(style, &dctx->tctx);
 	if (result != ISC_R_SUCCESS) {
@@ -1057,8 +1222,11 @@ dumpctx_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 
 	dctx->do_date = dns_db_iscache(dctx->db);
 
-	relative = ((dctx->tctx.style.flags & DNS_STYLEFLAG_REL_OWNER) != 0) ?
-			ISC_TRUE : ISC_FALSE;
+	if (dctx->format == dns_masterformat_text &&
+	    (dctx->tctx.style.flags & DNS_STYLEFLAG_REL_OWNER) != 0) {
+		relative = ISC_TRUE;
+	} else
+		relative = ISC_FALSE;
 	result = dns_db_createiterator(dctx->db, relative, &dctx->dbiter);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
@@ -1095,6 +1263,9 @@ dumptostreaminc(dns_dumpctx_t *dctx) {
 	dns_name_t *name;
 	dns_fixedname_t fixname;
 	unsigned int nodes;
+	dns_masterrawheader_t rawheader;
+	isc_uint32_t now32;
+	isc_time_t start;
 
 	bufmem = isc_mem_get(dctx->mctx, initial_buffer_length);
 	if (bufmem == NULL)
@@ -1106,26 +1277,68 @@ dumptostreaminc(dns_dumpctx_t *dctx) {
 	name = dns_fixedname_name(&fixname);
 
 	if (dctx->first) {
-		/*
-		 * If the database has cache semantics, output an RFC2540
-		 * $DATE directive so that the TTLs can be adjusted when
-		 * it is reloaded.  For zones it is not really needed, and
-		 * it would make the file incompatible with pre-RFC2540
-		 * software, so we omit it in the zone case.
-		 */
-		if (dctx->do_date) {
-			result = dns_time32_totext(dctx->now, &buffer);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			isc_buffer_usedregion(&buffer, &r);
-			fprintf(dctx->f, "$DATE %.*s\n",
-				(int) r.length, (char *) r.base);
+		switch (dctx->format) {
+		case dns_masterformat_text:
+			/*
+			 * If the database has cache semantics, output an
+			 * RFC2540 $DATE directive so that the TTLs can be
+			 * adjusted when it is reloaded.  For zones it is not
+			 * really needed, and it would make the file
+			 * incompatible with pre-RFC2540 software, so we omit
+			 * it in the zone case.
+			 */
+			if (dctx->do_date) {
+				result = dns_time32_totext(dctx->now, &buffer);
+				RUNTIME_CHECK(result == ISC_R_SUCCESS);
+				isc_buffer_usedregion(&buffer, &r);
+				fprintf(dctx->f, "$DATE %.*s\n",
+					(int) r.length, (char *) r.base);
+			}
+			break;
+		case dns_masterformat_raw:
+			r.base = (unsigned char *)&rawheader;
+			r.length = sizeof(rawheader);
+			isc_buffer_region(&buffer, &r);
+			isc_buffer_putuint32(&buffer, dns_masterformat_raw);
+			isc_buffer_putuint32(&buffer, DNS_RAWFORMAT_VERSION);
+			if (sizeof(now32) != sizeof(dctx->now)) {
+				/*
+				 * We assume isc_stdtime_t is a 32-bit integer,
+				 * which should be the case on most cases.
+				 * If it turns out to be uncommon, we'll need
+				 * to bump the version number and revise the
+				 * header format.
+				 */
+				isc_log_write(dns_lctx,
+					      ISC_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_MASTERDUMP,
+					      ISC_LOG_INFO,
+					      "dumping master file in raw "
+					      "format: stdtime is not 32bits");
+				now32 = 0;
+			} else
+				now32 = dctx->now;
+			isc_buffer_putuint32(&buffer, now32);
+			INSIST(isc_buffer_usedlength(&buffer) <=
+			       sizeof(rawheader));
+			result = isc_stdio_write(buffer.base, 1,
+						 isc_buffer_usedlength(&buffer),
+						 dctx->f, NULL);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			isc_buffer_clear(&buffer);
+			break;
+		default:
+			INSIST(0);
 		}
+
 		result = dns_dbiterator_first(dctx->dbiter);
 		dctx->first = ISC_FALSE;
 	} else
 		result = ISC_R_SUCCESS;
 
 	nodes = dctx->nodes;
+	isc_time_now(&start);
 	while (result == ISC_R_SUCCESS && (dctx->nodes == 0 || nodes--)) {
 		dns_rdatasetiter_t *rdsiter = NULL;
 		dns_dbnode_t *node = NULL;
@@ -1148,8 +1361,8 @@ dumptostreaminc(dns_dumpctx_t *dctx) {
 			dns_db_detachnode(dctx->db, &node);
 			goto fail;
 		}
-		result = dump_rdatasets(dctx->mctx, name, rdsiter, &dctx->tctx,
-					&buffer, dctx->f);
+		result = (dctx->dumpsets)(dctx->mctx, name, rdsiter,
+					  &dctx->tctx, &buffer, dctx->f);
 		dns_rdatasetiter_destroy(&rdsiter);
 		if (result != ISC_R_SUCCESS) {
 			dns_db_detachnode(dctx->db, &node);
@@ -1159,7 +1372,46 @@ dumptostreaminc(dns_dumpctx_t *dctx) {
 		result = dns_dbiterator_next(dctx->dbiter);
 	}
 
+	/*
+	 * Work out how many nodes can be written in the time between
+	 * two requests to the nameserver.  Smooth the resulting number and
+	 * use it as a estimate for the number of nodes to be written in the
+	 * next iteration.
+	 */
 	if (dctx->nodes != 0 && result == ISC_R_SUCCESS) {
+		unsigned int pps = dns_pps;	/* packets per second */
+		unsigned int interval;
+		isc_uint64_t usecs;
+		isc_time_t end;
+
+		isc_time_now(&end);
+		if (pps < 100)
+			pps = 100;
+		interval = 1000000 / pps;	/* interval in usecs */
+		if (interval == 0)
+			interval = 1;
+		usecs = isc_time_microdiff(&end, &start);
+		if (usecs == 0) {
+			dctx->nodes = dctx->nodes * 2;
+			if (dctx->nodes > 1000)
+				dctx->nodes = 1000;
+		} else {
+			nodes = dctx->nodes * interval;
+			nodes /= (unsigned int)usecs;
+			if (nodes == 0)
+				nodes = 1;
+			else if (nodes > 1000)
+				nodes = 1000;
+
+			/* Smooth and assign. */
+			dctx->nodes = (nodes + dctx->nodes * 7) / 8;
+
+			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTERDUMP,
+				      ISC_LOG_DEBUG(1),
+				      "dumptostreaminc(%p) new nodes -> %d\n",
+				      dctx, dctx->nodes);
+		}
 		result = dns_dbiterator_pause(dctx->dbiter);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		result = DNS_R_CONTINUE;
@@ -1185,7 +1437,8 @@ dns_master_dumptostreaminc(isc_mem_t *mctx, dns_db_t *db,
 	REQUIRE(f != NULL);
 	REQUIRE(done != NULL);
 
-	result = dumpctx_create(mctx, db, version, style, f, &dctx);
+	result = dumpctx_create(mctx, db, version, style, f, &dctx,
+				dns_masterformat_text);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	isc_task_attach(task, &dctx->task);
@@ -1212,10 +1465,20 @@ dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
 			const dns_master_style_t *style,
 			FILE *f)
 {
+	return (dns_master_dumptostream2(mctx, db, version, style,
+					 dns_masterformat_text, f));
+}
+
+isc_result_t
+dns_master_dumptostream2(isc_mem_t *mctx, dns_db_t *db,
+			 dns_dbversion_t *version,
+			 const dns_master_style_t *style,
+			 dns_masterformat_t format, FILE *f)
+{
 	dns_dumpctx_t *dctx = NULL;
 	isc_result_t result;
 
-	result = dumpctx_create(mctx, db, version, style, f, &dctx);
+	result = dumpctx_create(mctx, db, version, style, f, &dctx, format);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -1264,6 +1527,17 @@ dns_master_dumpinc(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 		   isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
 		   dns_dumpctx_t **dctxp)
 {
+	return (dns_master_dumpinc2(mctx, db, version, style, filename, task,
+				    done, done_arg, dctxp,
+				    dns_masterformat_text));
+}
+
+isc_result_t
+dns_master_dumpinc2(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		    const dns_master_style_t *style, const char *filename,
+		    isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
+		    dns_dumpctx_t **dctxp, dns_masterformat_t format)
+{
 	FILE *f = NULL;
 	isc_result_t result;
 	char *tempname = NULL;
@@ -1278,7 +1552,7 @@ dns_master_dumpinc(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
-	result = dumpctx_create(mctx, db, version, style, f, &dctx);
+	result = dumpctx_create(mctx, db, version, style, f, &dctx, format);
 	if (result != ISC_R_SUCCESS) {
 		(void)isc_stdio_close(f);
 		(void)isc_file_remove(tempname);
@@ -1314,6 +1588,15 @@ isc_result_t
 dns_master_dump(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 		const dns_master_style_t *style, const char *filename)
 {
+	return (dns_master_dump2(mctx, db, version, style, filename,
+				 dns_masterformat_text));
+}
+
+isc_result_t
+dns_master_dump2(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		 const dns_master_style_t *style, const char *filename,
+		 dns_masterformat_t format)
+{
 	FILE *f = NULL;
 	isc_result_t result;
 	char *tempname;
@@ -1323,7 +1606,7 @@ dns_master_dump(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	result = dumpctx_create(mctx, db, version, style, f, &dctx);
+	result = dumpctx_create(mctx, db, version, style, f, &dctx, format);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -1340,6 +1623,7 @@ dns_master_dump(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 
 /*
  * Dump a database node into a master file.
+ * XXX: this function assumes the text format.
  */
 isc_result_t
 dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,
@@ -1373,7 +1657,7 @@ dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,
 	result = dns_db_allrdatasets(db, node, version, now, &rdsiter);
 	if (result != ISC_R_SUCCESS)
 		goto failure;
-	result = dump_rdatasets(mctx, name, rdsiter, &ctx, &buffer, f);
+	result = dump_rdatasets_text(mctx, name, rdsiter, &ctx, &buffer, f);
 	if (result != ISC_R_SUCCESS)
 		goto failure;
 	dns_rdatasetiter_destroy(&rdsiter);
@@ -1452,4 +1736,3 @@ dns_master_styledestroy(dns_master_style_t **stylep, isc_mem_t *mctx) {
 	*stylep = NULL;
 	isc_mem_put(mctx, style, sizeof(*style));
 }
-
diff --git a/contrib/bind9/lib/dns/message.c b/contrib/bind9/lib/dns/message.c
index 3387543..a4a1f87 100644
--- a/contrib/bind9/lib/dns/message.c
+++ b/contrib/bind9/lib/dns/message.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.194.2.10.2.24 2006/02/28 06:32:54 marka Exp $ */
+/* $Id: message.c,v 1.222.18.10 2006/03/02 23:19:20 marka Exp $ */
+
+/*! \file */
 
 /***
  *** Imports
@@ -63,7 +65,7 @@
 #define VALID_PSEUDOSECTION(s)	(((s) >= DNS_PSEUDOSECTION_ANY) \
 				 && ((s) < DNS_PSEUDOSECTION_MAX))
 
-/*
+/*%
  * This is the size of each individual scratchpad buffer, and the numbers
  * of various block allocations used within the server.
  * XXXMLG These should come from a config setting.
@@ -75,7 +77,7 @@
 #define RDATALIST_COUNT		  8
 #define RDATASET_COUNT		 RDATALIST_COUNT
 
-/*
+/*%
  * Text representation of the different items, for message_totext
  * functions.
  */
@@ -133,7 +135,7 @@ static const char *rcodetext[] = {
 };
 
 
-/*
+/*%
  * "helper" type, which consists of a block of some type, and is linkable.
  * For it to work, sizeof(dns_msgblock_t) must be a multiple of the pointer
  * size, or the allocated elements will not be alligned correctly.
@@ -1441,7 +1443,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		/*
 		 * Minimize TTLs.
 		 *
-		 * Section 5.2 of RFC 2181 says we should drop
+		 * Section 5.2 of RFC2181 says we should drop
 		 * nonauthoritative rrsets where the TTLs differ, but we
 		 * currently treat them the as if they were authoritative and
 		 * minimize them.
@@ -2282,6 +2284,18 @@ dns_message_addname(dns_message_t *msg, dns_name_t *name,
 	ISC_LIST_APPEND(msg->sections[section], name, link);
 }
 
+void
+dns_message_removename(dns_message_t *msg, dns_name_t *name,
+		       dns_section_t section)
+{
+	REQUIRE(msg != NULL);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+	REQUIRE(name != NULL);
+	REQUIRE(VALID_NAMED_SECTION(section));
+
+	ISC_LIST_UNLINK(msg->sections[section], name, link);
+}
+
 isc_result_t
 dns_message_gettempname(dns_message_t *msg, dns_name_t **item) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
diff --git a/contrib/bind9/lib/dns/name.c b/contrib/bind9/lib/dns/name.c
index 1a257de..7f5d4e9 100644
--- a/contrib/bind9/lib/dns/name.c
+++ b/contrib/bind9/lib/dns/name.c
@@ -15,17 +15,22 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.c,v 1.127.2.7.2.16 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: name.c,v 1.144.18.16 2006/12/07 07:03:10 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
 #include <ctype.h>
+#include <stdlib.h>
 
 #include <isc/buffer.h>
 #include <isc/hash.h>
 #include <isc/mem.h>
+#include <isc/once.h>
 #include <isc/print.h>
 #include <isc/string.h>
+#include <isc/thread.h>
 #include <isc/util.h>
 
 #include <dns/compress.h>
@@ -122,7 +127,7 @@ static unsigned char maptolower[] = {
 		set_offsets(name, var, NULL); \
 	}
 
-/*
+/*%
  * Note:  If additional attributes are added that should not be set for
  *	  empty names, MAKE_EMPTY() must be changed so it clears them.
  */
@@ -134,7 +139,7 @@ do { \
 	name->attributes &= ~DNS_NAMEATTR_ABSOLUTE; \
 } while (0);
 
-/*
+/*%
  * A name is "bindable" if it can be set to point to a new value, i.e.
  * name->ndata and name->length may be changed.
  */
@@ -142,7 +147,7 @@ do { \
 	((name->attributes & (DNS_NAMEATTR_READONLY|DNS_NAMEATTR_DYNAMIC)) \
 	 == 0)
 
-/*
+/*%
  * Note that the name data must be a char array, not a string
  * literal, to avoid compiler warnings about discarding
  * the const attribute of a string.
@@ -182,6 +187,19 @@ LIBDNS_EXTERNAL_DATA dns_name_t *dns_wildcardname = &wild;
 unsigned int
 dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive);
 
+/*
+ * dns_name_t to text post-conversion procedure.
+ */
+#ifdef ISC_PLATFORM_USETHREADS
+static int thread_key_initialized = 0;
+static isc_mutex_t thread_key_mutex;
+static isc_mem_t *thread_key_mctx = NULL;
+static isc_thread_key_t totext_filter_proc_key;
+static isc_once_t once = ISC_ONCE_INIT;
+#else
+static dns_name_totextfilter_t totext_filter_proc = NULL;
+#endif
+
 static void
 set_offsets(const dns_name_t *name, unsigned char *offsets,
 	    dns_name_t *set_name);
@@ -385,6 +403,41 @@ dns_name_iswildcard(const dns_name_t *name) {
 	return (ISC_FALSE);
 }
 
+isc_boolean_t
+dns_name_internalwildcard(const dns_name_t *name) {
+	unsigned char *ndata;
+	unsigned int count;
+	unsigned int label;
+
+	/*
+	 * Does 'name' contain a internal wildcard?
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+
+	/*
+	 * Skip first label.
+	 */
+	ndata = name->ndata;
+	count = *ndata++;
+	INSIST(count <= 63);
+	ndata += count;
+	label = 1;
+	/*
+	 * Check all but the last of the remaining labels.
+	 */
+	while (label + 1 < name->labels) {
+		count = *ndata++;
+		INSIST(count <= 63);
+		if (count == 1 && *ndata == '*')
+			return (ISC_TRUE);
+		ndata += count;
+		label++;
+	}
+	return (ISC_FALSE);
+}
+
 static inline unsigned int
 name_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
 	unsigned int length;
@@ -664,6 +717,35 @@ dns_name_equal(const dns_name_t *name1, const dns_name_t *name2) {
 	return (ISC_TRUE);
 }
 
+isc_boolean_t
+dns_name_caseequal(const dns_name_t *name1, const dns_name_t *name2) {
+
+	/*
+	 * Are 'name1' and 'name2' equal?
+	 *
+	 * Note: It makes no sense for one of the names to be relative and the
+	 * other absolute.  If both names are relative, then to be meaningfully
+	 * compared the caller must ensure that they are both relative to the
+	 * same domain.
+	 */
+
+	REQUIRE(VALID_NAME(name1));
+	REQUIRE(VALID_NAME(name2));
+	/*
+	 * Either name1 is absolute and name2 is absolute, or neither is.
+	 */
+	REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) ==
+		(name2->attributes & DNS_NAMEATTR_ABSOLUTE));
+
+	if (name1->length != name2->length)
+		return (ISC_FALSE);
+
+	if (memcmp(name1->ndata, name2->ndata, name1->length) != 0)
+		return (ISC_FALSE);
+
+	return (ISC_TRUE);
+}
+
 int
 dns_name_rdatacompare(const dns_name_t *name1, const dns_name_t *name2) {
 	unsigned int l1, l2, l, count1, count2, count;
@@ -1189,6 +1271,54 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 	return (ISC_R_SUCCESS);
 }
 
+#ifdef ISC_PLATFORM_USETHREADS
+static void
+free_specific(void *arg) {
+	dns_name_totextfilter_t *mem = arg;
+	isc_mem_put(thread_key_mctx, mem, sizeof(*mem));
+	/* Stop use being called again. */
+	(void)isc_thread_key_setspecific(totext_filter_proc_key, NULL);
+}
+
+static void
+thread_key_mutex_init(void) {
+	RUNTIME_CHECK(isc_mutex_init(&thread_key_mutex) == ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_filter_proc_key_init(void) {
+	isc_result_t result;
+
+	/*
+	 * We need the call to isc_once_do() to support profiled mutex
+	 * otherwise thread_key_mutex could be initialized at compile time.
+	 */
+	result = isc_once_do(&once, thread_key_mutex_init);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+        if (!thread_key_initialized) {
+		LOCK(&thread_key_mutex);
+		if (thread_key_mctx == NULL)
+			result = isc_mem_create2(0, 0, &thread_key_mctx, 0);
+		if (result != ISC_R_SUCCESS)
+			goto unlock;
+		isc_mem_setdestroycheck(thread_key_mctx, ISC_FALSE);
+		
+		if (!thread_key_initialized &&
+		     isc_thread_key_create(&totext_filter_proc_key,
+					    free_specific) != 0) {
+			result = ISC_R_FAILURE;
+			isc_mem_detach(&thread_key_mctx);
+		} else
+			thread_key_initialized = 1;
+ unlock:
+		UNLOCK(&thread_key_mutex);
+        }
+	return (result);
+}
+#endif
+
 isc_result_t
 dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 		isc_buffer_t *target)
@@ -1200,6 +1330,12 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 	unsigned int trem, count;
 	unsigned int labels;
 	isc_boolean_t saw_root = ISC_FALSE;
+	unsigned int oused = target->used;
+#ifdef ISC_PLATFORM_USETHREADS
+	dns_name_totextfilter_t *mem;
+	dns_name_totextfilter_t totext_filter_proc = NULL;
+	isc_result_t result;
+#endif
 
 	/*
 	 * This function assumes the name is in proper uncompressed
@@ -1208,6 +1344,11 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 	REQUIRE(VALID_NAME(name));
 	REQUIRE(ISC_BUFFER_VALID(target));
 
+#ifdef ISC_PLATFORM_USETHREADS
+	result = totext_filter_proc_key_init();
+	if (result != ISC_R_SUCCESS)
+		return (result);
+#endif
 	ndata = name->ndata;
 	nlen = name->length;
 	labels = name->labels;
@@ -1339,6 +1480,14 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 
 	isc_buffer_add(target, tlen - trem);
 
+#ifdef ISC_PLATFORM_USETHREADS
+	mem = isc_thread_key_getspecific(totext_filter_proc_key);
+	if (mem != NULL)
+		totext_filter_proc = *mem;
+#endif
+	if (totext_filter_proc != NULL)
+		return ((*totext_filter_proc)(target, oused, saw_root));
+
 	return (ISC_R_SUCCESS);
 }
 
@@ -1573,7 +1722,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 {
 	unsigned char *cdata, *ndata;
 	unsigned int cused; /* Bytes of compressed name data used */
-	unsigned int hops,  nused, labels, n, nmax;
+	unsigned int nused, labels, n, nmax;
 	unsigned int current, new_current, biggest_pointer;
 	isc_boolean_t done;
 	fw_state state = fw_start;
@@ -1581,10 +1730,12 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 	unsigned char *offsets;
 	dns_offsets_t odata;
 	isc_boolean_t downcase;
+	isc_boolean_t seen_pointer;
 
 	/*
 	 * Copy the possibly-compressed name at source into target,
-	 * decompressing it.
+	 * decompressing it.  Loop prevention is performed by checking
+	 * the new pointer against biggest_pointer.
 	 */
 
 	REQUIRE(VALID_NAME(name));
@@ -1618,11 +1769,11 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 	 * Set up.
 	 */
 	labels = 0;
-	hops = 0;
 	done = ISC_FALSE;
 
 	ndata = isc_buffer_used(target);
 	nused = 0;
+	seen_pointer = ISC_FALSE;
 
 	/*
 	 * Find the maximum number of uncompressed target name
@@ -1648,7 +1799,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 	while (current < source->active && !done) {
 		c = *cdata++;
 		current++;
-		if (hops == 0)
+		if (!seen_pointer)
 			cused++;
 
 		switch (state) {
@@ -1704,11 +1855,8 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 				return (DNS_R_BADPOINTER);
 			biggest_pointer = new_current;
 			current = new_current;
-			cdata = (unsigned char *)source->base +
-				current;
-			hops++;
-			if (hops > DNS_POINTER_MAXHOPS)
-				return (DNS_R_TOOMANYHOPS);
+			cdata = (unsigned char *)source->base + current;
+			seen_pointer = ISC_TRUE;
 			state = fw_start;
 			break;
 		default:
@@ -1744,7 +1892,6 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 		 * big enough buffer.
 		 */
 		return (ISC_R_NOSPACE);
-
 }
 
 isc_result_t
@@ -2124,6 +2271,49 @@ dns_name_print(dns_name_t *name, FILE *stream) {
 	return (ISC_R_SUCCESS);
 }
 
+isc_result_t
+dns_name_settotextfilter(dns_name_totextfilter_t proc) {
+#ifdef ISC_PLATFORM_USETHREADS
+	isc_result_t result;
+	dns_name_totextfilter_t *mem;
+	int res;
+
+	result = totext_filter_proc_key_init();
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * If we already have been here set / clear as appropriate.
+	 * Otherwise allocate memory.
+	 */
+	mem = isc_thread_key_getspecific(totext_filter_proc_key);
+	if (mem != NULL && proc != NULL) {
+		*mem = proc;
+		return (ISC_R_SUCCESS);
+	}
+	if (proc == NULL) {
+		isc_mem_put(thread_key_mctx, mem, sizeof(*mem));
+		res = isc_thread_key_setspecific(totext_filter_proc_key, NULL);
+		if (res != 0)
+			result = ISC_R_UNEXPECTED;
+		return (result);
+	}
+	
+	mem = isc_mem_get(thread_key_mctx, sizeof(*mem));
+	if (mem == NULL)
+		return (ISC_R_NOMEMORY);
+	*mem = proc;
+	if (isc_thread_key_setspecific(totext_filter_proc_key, mem) != 0) {
+		isc_mem_put(thread_key_mctx, mem, sizeof(*mem));
+		result = ISC_R_UNEXPECTED;
+	}
+	return (result);
+#else
+	totext_filter_proc = proc;
+	return (ISC_R_SUCCESS);
+#endif
+}
+
 void
 dns_name_format(dns_name_t *name, char *cp, unsigned int size) {
 	isc_result_t result;
@@ -2198,3 +2388,19 @@ dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target) {
 	return (ISC_R_SUCCESS);
 }
 
+void
+dns_name_destroy(void) {
+#ifdef ISC_PLATFORM_USETHREADS
+	RUNTIME_CHECK(isc_once_do(&once, thread_key_mutex_init)
+				  == ISC_R_SUCCESS);
+
+	LOCK(&thread_key_mutex);
+	if (thread_key_initialized) {
+		isc_mem_detach(&thread_key_mctx);
+		isc_thread_key_delete(totext_filter_proc_key);
+		thread_key_initialized = 0;
+	}
+	UNLOCK(&thread_key_mutex);
+
+#endif
+}
diff --git a/contrib/bind9/lib/dns/ncache.c b/contrib/bind9/lib/dns/ncache.c
index dddde60..1fdc5c8 100644
--- a/contrib/bind9/lib/dns/ncache.c
+++ b/contrib/bind9/lib/dns/ncache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.24.2.4.2.7 2004/03/08 02:07:54 marka Exp $ */
+/* $Id: ncache.c,v 1.36.18.3 2005/04/29 00:15:59 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -184,7 +186,7 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 		 *
 		 * We trust that the caller wants negative caching, so this
 		 * means we have a "type 3 nxdomain" or "type 3 nodata"
-		 * response (see RFC 2308 for details).
+		 * response (see RFC2308 for details).
 		 *
 		 * We will now build a suitable negative cache rdataset that
 		 * will cause zero bytes to be emitted when converted to
@@ -208,7 +210,7 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 		isc_buffer_putuint16(&buffer, 0);
 		isc_buffer_putuint16(&buffer, 0);
 		/*
-		 * RFC 2308, section 5, says that negative answers without
+		 * RFC2308, section 5, says that negative answers without
 		 * SOAs should not be cached.
 		 */
 		ttl = 0;
@@ -473,6 +475,9 @@ static dns_rdatasetmethods_t rdataset_methods = {
 	rdataset_clone,
 	rdataset_count,
 	NULL,
+	NULL,
+	NULL,
+	NULL,
 	NULL
 };
 
diff --git a/contrib/bind9/lib/dns/nsec.c b/contrib/bind9/lib/dns/nsec.c
index c259706..c1de67e 100644
--- a/contrib/bind9/lib/dns/nsec.c
+++ b/contrib/bind9/lib/dns/nsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec.c,v 1.5.2.1 2004/03/08 02:07:55 marka Exp $ */
+/* $Id: nsec.c,v 1.5.20.2 2005/04/29 00:15:59 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/dns/openssl_link.c b/contrib/bind9/lib/dns/openssl_link.c
index 525905c..fda610a 100644
--- a/contrib/bind9/lib/dns/openssl_link.c
+++ b/contrib/bind9/lib/dns/openssl_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.1.4.3 2006/05/23 23:51:03 marka Exp $
+ * $Id: openssl_link.c,v 1.1.6.9 2006/05/23 23:51:04 marka Exp $
  */
 #ifdef OPENSSL
 
@@ -37,6 +37,8 @@
 
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#include <openssl/evp.h>
+#include <openssl/conf.h>
 #include <openssl/crypto.h>
 
 #if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER != 0x00907000L)
@@ -132,6 +134,11 @@ isc_result_t
 dst__openssl_init() {
 	isc_result_t result;
 
+#ifdef  DNS_CRYPTO_LEAKS
+	CRYPTO_malloc_debug_init();
+	CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+#endif
 	CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
 	nlocks = CRYPTO_num_locks();
 	locks = mem_alloc(sizeof(isc_mutex_t) * nlocks);
@@ -179,6 +186,33 @@ dst__openssl_init() {
 
 void
 dst__openssl_destroy() {
+
+	/*
+	 * Sequence taken from apps_shutdown() in <apps/apps.h>.
+	 */
+#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+	CONF_modules_unload(1);
+#endif
+	EVP_cleanup();
+#if defined(USE_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
+	ENGINE_cleanup();
+#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+	CRYPTO_cleanup_all_ex_data();
+#endif
+	ERR_clear_error();
+	ERR_free_strings();
+	ERR_remove_state(0);
+
+#ifdef  DNS_CRYPTO_LEAKS
+	CRYPTO_mem_leaks_fp(stderr);
+#endif
+
+#if 0
+	/*
+	 * The old error sequence that leaked.  Remove for 9.4.1 if
+	 * there are no issues by then.
+	 */
 	ERR_clear_error();
 #ifdef USE_ENGINE
 	if (e != NULL) {
@@ -186,12 +220,17 @@ dst__openssl_destroy() {
 		e = NULL;
 	}
 #endif
+#endif
 	if (locks != NULL) {
 		DESTROYMUTEXBLOCK(locks, nlocks);
 		mem_free(locks);
 	}
-	if (rm != NULL)
+	if (rm != NULL) {
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+		RAND_cleanup();
+#endif
 		mem_free(rm);
+	}
 }
 
 isc_result_t
@@ -217,3 +256,4 @@ dst__openssl_toresult(isc_result_t fallback) {
 EMPTY_TRANSLATION_UNIT
 
 #endif /* OPENSSL */
+/*! \file */
diff --git a/contrib/bind9/lib/dns/openssldh_link.c b/contrib/bind9/lib/dns/openssldh_link.c
index 74ba39a..6f2e987 100644
--- a/contrib/bind9/lib/dns/openssldh_link.c
+++ b/contrib/bind9/lib/dns/openssldh_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.1.4.3 2006/03/02 00:37:20 marka Exp $
+ * $Id: openssldh_link.c,v 1.1.6.9 2007/01/08 02:52:39 marka Exp $
  */
 
 #ifdef OPENSSL
@@ -138,81 +138,11 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 	return (ISC_TRUE);
 }
 
-#ifndef HAVE_DH_GENERATE_PARAMETERS
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-static DH *
-DH_generate_parameters(int prime_len, int generator,
-		       void (*callback)(int,int,void *), void *cb_arg)
-{
-        BN_GENCB cb;
-        DH *dh = NULL;
-
-	dh = DH_new();
-	if (dh != NULL) {
-		BN_GENCB_set_old(&cb, callback, cb_arg);
-
-		if (DH_generate_parameters_ex(dh, prime_len, generator, &cb))
-			return (dh);
-		DH_free(dh);
-	}
-        return (NULL);
-}
-#endif
-
 static isc_result_t
 openssldh_generate(dst_key_t *key, int generator) {
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+        BN_GENCB cb;
+#endif
 	DH *dh = NULL;
 
 	if (generator == 0) {
@@ -222,7 +152,7 @@ openssldh_generate(dst_key_t *key, int generator) {
 		{
 			dh = DH_new();
 			if (dh == NULL)
-				return (ISC_R_NOMEMORY);
+				return (dst__openssl_toresult(ISC_R_NOMEMORY));
 			if (key->key_size == 768)
 				dh->p = &bn768;
 			else if (key->key_size == 1024)
@@ -230,14 +160,28 @@ openssldh_generate(dst_key_t *key, int generator) {
 			else
 				dh->p = &bn1536;
 			dh->g = &bn2;
-		}
-		else
+		} else
 			generator = 2;
 	}
 
-	if (generator != 0)
+	if (generator != 0) {
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+		dh = DH_new();
+		if (dh == NULL)
+			return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+
+		BN_GENCB_set_old(&cb, NULL, NULL);
+
+		if (!DH_generate_parameters_ex(dh, key->key_size, generator,
+					       &cb)) {
+			DH_free(dh);
+			return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+		}
+#else
 		dh = DH_generate_parameters(key->key_size, generator,
 					    NULL, NULL);
+#endif
+	}
 
 	if (dh == NULL)
 		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -358,7 +302,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	dh = DH_new();
 	if (dh == NULL)
-		return (ISC_R_NOMEMORY);
+		return (dst__openssl_toresult(ISC_R_NOMEMORY));
 	dh->flags &= ~DH_FLAG_CACHE_MONT_P;
 
 	/*
@@ -637,11 +581,11 @@ openssldh_cleanup(void) {
 }
 
 static dst_func_t openssldh_functions = {
-	NULL, /* createctx */
-	NULL, /* destroyctx */
-	NULL, /* adddata */
-	NULL, /* openssldh_sign */
-	NULL, /* openssldh_verify */
+	NULL, /*%< createctx */
+	NULL, /*%< destroyctx */
+	NULL, /*%< adddata */
+	NULL, /*%< openssldh_sign */
+	NULL, /*%< openssldh_verify */
 	openssldh_computesecret,
 	openssldh_compare,
 	openssldh_paramcompare,
@@ -679,3 +623,4 @@ dst__openssldh_init(dst_func_t **funcp) {
 EMPTY_TRANSLATION_UNIT
 
 #endif /* OPENSSL */
+/*! \file */
diff --git a/contrib/bind9/lib/dns/openssldsa_link.c b/contrib/bind9/lib/dns/openssldsa_link.c
index 267bfe8..64e6159 100644
--- a/contrib/bind9/lib/dns/openssldsa_link.c
+++ b/contrib/bind9/lib/dns/openssldsa_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: openssldsa_link.c,v 1.1.4.3 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: openssldsa_link.c,v 1.1.6.8 2007/01/08 03:03:48 marka Exp $ */
 
 #ifdef OPENSSL
 
@@ -124,7 +124,7 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	if (sig->length < 2 * ISC_SHA1_DIGESTLENGTH + 1)
 		return (DST_R_VERIFYFAILURE);
 
-	cp++;	/* Skip T */
+	cp++;	/*%< Skip T */
 	dsasig = DSA_SIG_new();
 	dsasig->r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
 	cp += ISC_SHA1_DIGESTLENGTH;
@@ -169,85 +169,11 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	return (ISC_TRUE);
 }
 
-#ifndef HAVE_DSA_GENERATE_PARAMETERS
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-static DSA *
-DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
-			int *counter_ret, unsigned long *h_ret,
-			void (*callback)(int, int, void *),
-			void *cb_arg)
-{
-        BN_GENCB cb;
-        DSA *dsa;
- 
-        dsa = DSA_new();
-	if (dsa != NULL) {
- 
-		BN_GENCB_set_old(&cb, callback, cb_arg);
-  
-		if (DSA_generate_parameters_ex(dsa, bits, seed_in, seed_len,  
-					       counter_ret, h_ret, &cb))
-			return (dsa);
-		DSA_free(dsa);
-	}
-        return (NULL);
-}
-#endif
-
 static isc_result_t
 openssldsa_generate(dst_key_t *key, int unused) {
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+        BN_GENCB cb;
+#endif
 	DSA *dsa;
 	unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
 	isc_result_t result;
@@ -259,12 +185,27 @@ openssldsa_generate(dst_key_t *key, int unused) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+        dsa = DSA_new();
+	if (dsa == NULL)
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+
+	BN_GENCB_set_old(&cb, NULL, NULL);
+  
+	if (!DSA_generate_parameters_ex(dsa, key->key_size, rand_array,
+					ISC_SHA1_DIGESTLENGTH,  NULL, NULL,
+					&cb))
+	{
+		DSA_free(dsa);
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+#else
 	dsa = DSA_generate_parameters(key->key_size, rand_array,
 				      ISC_SHA1_DIGESTLENGTH, NULL, NULL,
 				      NULL, NULL);
-
 	if (dsa == NULL)
 		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+#endif
 
 	if (DSA_generate_key(dsa) == 0) {
 		DSA_free(dsa);
@@ -490,9 +431,9 @@ static dst_func_t openssldsa_functions = {
 	openssldsa_adddata,
 	openssldsa_sign,
 	openssldsa_verify,
-	NULL, /* computesecret */
+	NULL, /*%< computesecret */
 	openssldsa_compare,
-	NULL, /* paramcompare */
+	NULL, /*%< paramcompare */
 	openssldsa_generate,
 	openssldsa_isprivate,
 	openssldsa_destroy,
@@ -500,7 +441,7 @@ static dst_func_t openssldsa_functions = {
 	openssldsa_fromdns,
 	openssldsa_tofile,
 	openssldsa_parse,
-	NULL, /* cleanup */
+	NULL, /*%< cleanup */
 };
 
 isc_result_t
@@ -518,3 +459,4 @@ dst__openssldsa_init(dst_func_t **funcp) {
 EMPTY_TRANSLATION_UNIT
 
 #endif /* OPENSSL */
+/*! \file */
diff --git a/contrib/bind9/lib/dns/opensslrsa_link.c b/contrib/bind9/lib/dns/opensslrsa_link.c
index c33913c..2609df6 100644
--- a/contrib/bind9/lib/dns/opensslrsa_link.c
+++ b/contrib/bind9/lib/dns/opensslrsa_link.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.1.4.9 2006/11/07 21:28:40 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.1.6.11 2006/11/07 21:28:49 marka Exp $
  */
 #ifdef OPENSSL
 
@@ -50,7 +50,7 @@
 #ifdef WIN32
 #if !((OPENSSL_VERSION_NUMBER >= 0x009070cfL && \
        OPENSSL_VERSION_NUMBER < 0x00908000L) || \
-      OPENSSL_VERSION_NUMBER >= 0x0090804fL) 
+      OPENSSL_VERSION_NUMBER >= 0x0090804fL)
 #error Please upgrade OpenSSL to 0.9.8d/0.9.7l or greater.
 #endif
 #endif
@@ -367,7 +367,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 	e_bytes = BN_num_bytes(rsa->e);
 	mod_bytes = BN_num_bytes(rsa->n);
 
-	if (e_bytes < 256) {	/* key exponent is <= 2040 bits */
+	if (e_bytes < 256) {	/*%< key exponent is <= 2040 bits */
 		if (r.length < 1)
 			return (ISC_R_NOSPACE);
 		isc_buffer_putuint8(data, (isc_uint8_t) e_bytes);
@@ -403,7 +403,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	rsa = RSA_new();
 	if (rsa == NULL)
-		return (ISC_R_NOMEMORY);
+		return (dst__openssl_toresult(ISC_R_NOMEMORY));
 	SET_FLAGS(rsa);
 
 	if (r.length < 1) {
@@ -598,9 +598,9 @@ static dst_func_t opensslrsa_functions = {
 	opensslrsa_adddata,
 	opensslrsa_sign,
 	opensslrsa_verify,
-	NULL, /* computesecret */
+	NULL, /*%< computesecret */
 	opensslrsa_compare,
-	NULL, /* paramcompare */
+	NULL, /*%< paramcompare */
 	opensslrsa_generate,
 	opensslrsa_isprivate,
 	opensslrsa_destroy,
@@ -608,7 +608,7 @@ static dst_func_t opensslrsa_functions = {
 	opensslrsa_fromdns,
 	opensslrsa_tofile,
 	opensslrsa_parse,
-	NULL, /* cleanup */
+	NULL, /*%< cleanup */
 };
 
 isc_result_t
@@ -626,3 +626,4 @@ dst__opensslrsa_init(dst_func_t **funcp) {
 EMPTY_TRANSLATION_UNIT
 
 #endif /* OPENSSL */
+/*! \file */
diff --git a/contrib/bind9/lib/dns/order.c b/contrib/bind9/lib/dns/order.c
index f09afed..1d216b7 100644
--- a/contrib/bind9/lib/dns/order.c
+++ b/contrib/bind9/lib/dns/order.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: order.c,v 1.4.202.4 2004/03/08 09:04:30 marka Exp $ */
+/* $Id: order.c,v 1.5.18.3 2005/07/12 01:22:21 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -53,6 +55,8 @@ struct dns_order {
 isc_result_t
 dns_order_create(isc_mem_t *mctx, dns_order_t **orderp) {
 	dns_order_t *order;
+	isc_result_t result;
+
 	REQUIRE(orderp != NULL && *orderp == NULL);
 
 	order = isc_mem_get(mctx, sizeof(*order));
@@ -60,7 +64,13 @@ dns_order_create(isc_mem_t *mctx, dns_order_t **orderp) {
 		return (ISC_R_NOMEMORY);
 	
 	ISC_LIST_INIT(order->ents);
-	isc_refcount_init(&order->references, 1);     /* Implicit attach. */
+
+	/* Implicit attach. */
+	result = isc_refcount_init(&order->references, 1);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, order, sizeof(*order));
+		return (result);
+	}
 
 	order->mctx = NULL;
 	isc_mem_attach(mctx, &order->mctx);
diff --git a/contrib/bind9/lib/dns/peer.c b/contrib/bind9/lib/dns/peer.c
index 8b6ccdb..7d878b5 100644
--- a/contrib/bind9/lib/dns/peer.c
+++ b/contrib/bind9/lib/dns/peer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.c,v 1.14.2.1.10.6 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: peer.c,v 1.19.18.8 2006/02/28 03:10:48 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -29,7 +31,7 @@
 #include <dns/name.h>
 #include <dns/peer.h>
 
-/*
+/*%
  * Bit positions in the dns_peer_t structure flags field
  */
 #define BOGUS_BIT			0
@@ -38,6 +40,8 @@
 #define PROVIDE_IXFR_BIT		3
 #define REQUEST_IXFR_BIT		4
 #define SUPPORT_EDNS_BIT		5
+#define SERVER_UDPSIZE_BIT		6
+#define SERVER_MAXUDP_BIT		7
 
 static void
 peerlist_delete(dns_peerlist_t **list);
@@ -65,7 +69,6 @@ dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list) {
 	return (ISC_R_SUCCESS);
 }
 
-
 void
 dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target) {
 	REQUIRE(DNS_PEERLIST_VALID(source));
@@ -130,7 +133,20 @@ dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer) {
 
 	dns_peer_attach(peer, &p);
 
-	ISC_LIST_APPEND(peers->elements, peer, next);
+	/*
+	 * More specifics to front of list.
+	 */
+	for (p = ISC_LIST_HEAD(peers->elements);
+	     p != NULL;
+	     p = ISC_LIST_NEXT(p, next))
+		if (p->prefixlen < peer->prefixlen)
+			break;
+
+	if (p != NULL)
+		ISC_LIST_INSERTBEFORE(peers->elements, p, peer, next);
+	else
+		ISC_LIST_APPEND(peers->elements, peer, next);
+		
 }
 
 isc_result_t
@@ -145,7 +161,8 @@ dns_peerlist_peerbyaddr(dns_peerlist_t *servers,
 
 	server = ISC_LIST_HEAD(servers->elements);
 	while (server != NULL) {
-		if (isc_netaddr_equal(addr, &server->address))
+		if (isc_netaddr_eqprefix(addr, &server->address,
+					 server->prefixlen))
 			break;
 
 		server = ISC_LIST_NEXT(server, next);
@@ -176,6 +193,27 @@ dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval) {
 
 isc_result_t
 dns_peer_new(isc_mem_t *mem, isc_netaddr_t *addr, dns_peer_t **peerptr) {
+	unsigned int prefixlen = 0;
+
+	REQUIRE(peerptr != NULL);
+	switch(addr->family) {
+	case AF_INET:
+		prefixlen = 32;
+		break;
+	case AF_INET6:
+		 prefixlen = 128;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	return (dns_peer_newprefix(mem, addr, prefixlen, peerptr));
+}
+
+isc_result_t
+dns_peer_newprefix(isc_mem_t *mem, isc_netaddr_t *addr, unsigned int prefixlen,
+		   dns_peer_t **peerptr)
+{ 
 	dns_peer_t *peer;
 
 	REQUIRE(peerptr != NULL);
@@ -186,6 +224,7 @@ dns_peer_new(isc_mem_t *mem, isc_netaddr_t *addr, dns_peer_t **peerptr) {
 
 	peer->magic = DNS_PEER_MAGIC;
 	peer->address = *addr;
+	peer->prefixlen = prefixlen;
 	peer->mem = mem;
 	peer->bogus = ISC_FALSE;
 	peer->transfer_format = dns_one_answer;
@@ -195,6 +234,8 @@ dns_peer_new(isc_mem_t *mem, isc_netaddr_t *addr, dns_peer_t **peerptr) {
 	peer->key = NULL;
 	peer->refs = 1;
 	peer->transfer_source = NULL;
+	peer->notify_source = NULL;
+	peer->query_source = NULL;
 
 	memset(&peer->bitflags, 0x0, sizeof(peer->bitflags));
 
@@ -522,3 +563,123 @@ dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source) {
 	*transfer_source = *peer->transfer_source;
 	return (ISC_R_SUCCESS);
 }
+
+isc_result_t
+dns_peer_setnotifysource(dns_peer_t *peer,
+			 const isc_sockaddr_t *notify_source)
+{
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	if (peer->notify_source != NULL) {
+		isc_mem_put(peer->mem, peer->notify_source,
+			    sizeof(*peer->notify_source));
+		peer->notify_source = NULL;
+	}
+	if (notify_source != NULL) {
+		peer->notify_source = isc_mem_get(peer->mem,
+					        sizeof(*peer->notify_source));
+		if (peer->notify_source == NULL)
+			return (ISC_R_NOMEMORY);
+
+		*peer->notify_source = *notify_source;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getnotifysource(dns_peer_t *peer, isc_sockaddr_t *notify_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(notify_source != NULL);
+
+	if (peer->notify_source == NULL)
+		return (ISC_R_NOTFOUND);
+	*notify_source = *peer->notify_source;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_setquerysource(dns_peer_t *peer, const isc_sockaddr_t *query_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	if (peer->query_source != NULL) {
+		isc_mem_put(peer->mem, peer->query_source,
+			    sizeof(*peer->query_source));
+		peer->query_source = NULL;
+	}
+	if (query_source != NULL) {
+		peer->query_source = isc_mem_get(peer->mem,
+					        sizeof(*peer->query_source));
+		if (peer->query_source == NULL)
+			return (ISC_R_NOMEMORY);
+
+		*peer->query_source = *query_source;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getquerysource(dns_peer_t *peer, isc_sockaddr_t *query_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(query_source != NULL);
+
+	if (peer->query_source == NULL)
+		return (ISC_R_NOTFOUND);
+	*query_source = *peer->query_source;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_setudpsize(dns_peer_t *peer, isc_uint16_t udpsize) {
+	isc_boolean_t existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(SERVER_UDPSIZE_BIT, &peer->bitflags);
+
+	peer->udpsize = udpsize;
+	DNS_BIT_SET(SERVER_UDPSIZE_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getudpsize(dns_peer_t *peer, isc_uint16_t *udpsize) {
+
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(udpsize != NULL);
+
+	if (DNS_BIT_CHECK(SERVER_UDPSIZE_BIT, &peer->bitflags)) {
+                *udpsize = peer->udpsize;
+                return (ISC_R_SUCCESS);
+        } else {
+                return (ISC_R_NOTFOUND);
+        }
+}
+
+isc_result_t
+dns_peer_setmaxudp(dns_peer_t *peer, isc_uint16_t maxudp) {
+	isc_boolean_t existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(SERVER_MAXUDP_BIT, &peer->bitflags);
+
+	peer->maxudp = maxudp;
+	DNS_BIT_SET(SERVER_MAXUDP_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getmaxudp(dns_peer_t *peer, isc_uint16_t *maxudp) {
+
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(maxudp != NULL);
+
+	if (DNS_BIT_CHECK(SERVER_MAXUDP_BIT, &peer->bitflags)) {
+                *maxudp = peer->maxudp;
+                return (ISC_R_SUCCESS);
+        } else {
+                return (ISC_R_NOTFOUND);
+        }
+}
diff --git a/contrib/bind9/lib/dns/portlist.c b/contrib/bind9/lib/dns/portlist.c
index f65910b..7e76171 100644
--- a/contrib/bind9/lib/dns/portlist.c
+++ b/contrib/bind9/lib/dns/portlist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: portlist.c,v 1.3.72.6 2006/08/25 05:25:50 marka Exp $ */
+/* $Id: portlist.c,v 1.6.18.5 2006/08/25 05:25:51 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -81,12 +83,14 @@ dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp) {
         result = isc_mutex_init(&portlist->lock);
 	if (result != ISC_R_SUCCESS) {
 		isc_mem_put(mctx, portlist, sizeof(*portlist));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
+		return (result);
+	}
+	result = isc_refcount_init(&portlist->refcount, 1);
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&portlist->lock);
+		isc_mem_put(mctx, portlist, sizeof(*portlist));
+		return (result);
 	}
-	isc_refcount_init(&portlist->refcount, 1);
 	portlist->list = NULL;
 	portlist->allocated = 0;
 	portlist->active = 0;
diff --git a/contrib/bind9/lib/dns/rbt.c b/contrib/bind9/lib/dns/rbt.c
index ecff783..b8db99a 100644
--- a/contrib/bind9/lib/dns/rbt.c
+++ b/contrib/bind9/lib/dns/rbt.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt.c,v 1.115.2.2.2.13 2005/06/18 01:03:24 marka Exp $ */
+/* $Id: rbt.c,v 1.128.18.7 2005/10/13 01:26:06 marka Exp $ */
+
+/*! \file */
 
 /* Principal Authors: DCL */
 
@@ -24,10 +26,11 @@
 #include <isc/mem.h>
 #include <isc/platform.h>
 #include <isc/print.h>
+#include <isc/refcount.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
-/*
+/*%
  * This define is so dns/name.h (included by dns/fixedname.h) uses more
  * efficient macro calls instead of functions for a few operations.
  */
@@ -52,7 +55,7 @@
 
 #ifdef RBT_MEM_TEST
 #undef RBT_HASH_SIZE
-#define RBT_HASH_SIZE 2	/* To give the reallocation code a workout. */
+#define RBT_HASH_SIZE 2	/*%< To give the reallocation code a workout. */
 #endif
 
 struct dns_rbt {
@@ -69,7 +72,7 @@ struct dns_rbt {
 #define RED 0
 #define BLACK 1
 
-/*
+/*%
  * Elements of the rbtnode structure.
  */
 #define PARENT(node)		((node)->parent)
@@ -87,16 +90,15 @@ struct dns_rbt {
 #define IS_ROOT(node)		ISC_TF((node)->is_root == 1)
 #define FINDCALLBACK(node)	ISC_TF((node)->find_callback == 1)
 
-/*
+/*%
  * Structure elements from the rbtdb.c, not
  * used as part of the rbt.c algorithms.
  */
 #define DIRTY(node)	((node)->dirty)
 #define WILD(node)	((node)->wild)
 #define LOCKNUM(node)	((node)->locknum)
-#define REFS(node)	((node)->references)
 
-/*
+/*%
  * The variable length stuff stored after the node.
  */
 #define NAME(node)	((unsigned char *)((node) + 1))
@@ -105,7 +107,7 @@ struct dns_rbt {
 #define NODE_SIZE(node)	(sizeof(*node) + \
 			 NAMELEN(node) + OFFSETLEN(node) + PADBYTES(node))
 
-/*
+/*%
  * Color management.
  */
 #define IS_RED(node)		((node) != NULL && (node)->color == RED)
@@ -113,7 +115,7 @@ struct dns_rbt {
 #define MAKE_RED(node)		((node)->color = RED)
 #define MAKE_BLACK(node)	((node)->color = BLACK)
 
-/*
+/*%
  * Chain management.
  *
  * The "ancestors" member of chains were removed, with their job now
@@ -123,7 +125,7 @@ struct dns_rbt {
 #define ADD_LEVEL(chain, node) \
 			(chain)->levels[(chain)->level_count++] = (node)
 
-/*
+/*%
  * The following macros directly access normally private name variables.
  * These macros are used to avoid a lot of function calls in the critical
  * path of the tree traversal code.
@@ -1310,6 +1312,7 @@ dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse)
 #if DNS_RBT_USEMAGIC
 	node->magic = 0;
 #endif
+	dns_rbtnode_refdestroy(node);
 	isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
 	rbt->nodecount--;
 
@@ -1434,9 +1437,9 @@ create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
 #endif
 
 	LOCKNUM(node) = 0;
-	REFS(node) = 0;
 	WILD(node) = 0;
 	DIRTY(node) = 0;
+	dns_rbtnode_refinit(node, 0);
 	node->find_callback = 0;
 
 	MAKE_BLACK(node);
diff --git a/contrib/bind9/lib/dns/rbtdb.c b/contrib/bind9/lib/dns/rbtdb.c
index 8930d35..cd25608 100644
--- a/contrib/bind9/lib/dns/rbtdb.c
+++ b/contrib/bind9/lib/dns/rbtdb.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.168.2.11.2.26 2006/03/02 23:18:20 marka Exp $ */
+/* $Id: rbtdb.c,v 1.196.18.41 2006/10/26 06:04:29 marka Exp $ */
+
+/*! \file */
 
 /*
  * Principal Author: Bob Halley
@@ -32,12 +34,15 @@
 #include <isc/rwlock.h>
 #include <isc/string.h>
 #include <isc/task.h>
+#include <isc/time.h>
 #include <isc/util.h>
 
+#include <dns/acache.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
 #include <dns/events.h>
 #include <dns/fixedname.h>
+#include <dns/lib.h>
 #include <dns/log.h>
 #include <dns/masterdump.h>
 #include <dns/rbt.h>
@@ -46,6 +51,8 @@
 #include <dns/rdatasetiter.h>
 #include <dns/rdataslab.h>
 #include <dns/result.h>
+#include <dns/view.h>
+#include <dns/zone.h>
 #include <dns/zonekey.h>
 
 #ifdef DNS_RBTDB_VERSION64
@@ -60,7 +67,7 @@
 #define RBTDB_MAGIC			ISC_MAGIC('R', 'B', 'D', '4')
 #endif
 
-/*
+/*%
  * Note that "impmagic" is not the first four bytes of the struct, so
  * ISC_MAGIC_VALID cannot be used.
  */
@@ -69,7 +76,7 @@
 
 #ifdef DNS_RBTDB_VERSION64
 typedef isc_uint64_t			rbtdb_serial_t;
-/*
+/*%
  * Make casting easier in symbolic debuggers by using different names
  * for the 64 bit version.
  */
@@ -98,6 +105,81 @@ typedef isc_uint32_t			rbtdb_rdatatype_t;
 		RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_any)
 
 /*
+ * We use rwlock for DB lock only when ISC_RWLOCK_USEATOMIC is non 0.
+ * Using rwlock is effective with regard to lookup performance only when
+ * it is implemented in an efficient way.
+ * Otherwise, it is generally wise to stick to the simple locking since rwlock
+ * would require more memory or can even make lookups slower due to its own
+ * overhead (when it internally calls mutex locks).
+ */
+#ifdef ISC_RWLOCK_USEATOMIC
+#define DNS_RBTDB_USERWLOCK 1
+#else
+#define DNS_RBTDB_USERWLOCK 0
+#endif
+
+#if DNS_RBTDB_USERWLOCK
+#define RBTDB_INITLOCK(l)	isc_rwlock_init((l), 0, 0)
+#define RBTDB_DESTROYLOCK(l)	isc_rwlock_destroy(l)
+#define RBTDB_LOCK(l, t)	RWLOCK((l), (t))
+#define RBTDB_UNLOCK(l, t)	RWUNLOCK((l), (t))
+#else
+#define RBTDB_INITLOCK(l)	isc_mutex_init(l)
+#define RBTDB_DESTROYLOCK(l)	DESTROYLOCK(l)
+#define RBTDB_LOCK(l, t)	LOCK(l)
+#define RBTDB_UNLOCK(l, t)	UNLOCK(l)
+#endif
+
+/*
+ * Since node locking is sensitive to both performance and memory footprint,
+ * we need some trick here.  If we have both high-performance rwlock and
+ * high performance and small-memory reference counters, we use rwlock for
+ * node lock and isc_refcount for node references.  In this case, we don't have
+ * to protect the access to the counters by locks.
+ * Otherwise, we simply use ordinary mutex lock for node locking, and use
+ * simple integers as reference counters which is protected by the lock.
+ * In most cases, we can simply use wrapper macros such as NODE_LOCK and
+ * NODE_UNLOCK.  In some other cases, however, we need to protect reference
+ * counters first and then protect other parts of a node as read-only data.
+ * Special additional macros, NODE_STRONGLOCK(), NODE_WEAKLOCK(), etc, are also
+ * provided for these special cases.  When we can use the efficient backend
+ * routines, we should only protect the "other members" by NODE_WEAKLOCK(read).
+ * Otherwise, we should use NODE_STRONGLOCK() to protect the entire critical
+ * section including the access to the reference counter.
+ * Note that we cannot use NODE_LOCK()/NODE_UNLOCK() wherever the protected
+ * section is also protected by NODE_STRONGLOCK().
+ */
+#if defined(ISC_RWLOCK_USEATOMIC) && defined(DNS_RBT_USEISCREFCOUNT)
+typedef isc_rwlock_t nodelock_t;
+
+#define NODE_INITLOCK(l)	isc_rwlock_init((l), 0, 0)
+#define NODE_DESTROYLOCK(l)	isc_rwlock_destroy(l)
+#define NODE_LOCK(l, t)		RWLOCK((l), (t))
+#define NODE_UNLOCK(l, t)	RWUNLOCK((l), (t))
+#define NODE_TRYUPGRADE(l)	isc_rwlock_tryupgrade(l)
+
+#define NODE_STRONGLOCK(l)	((void)0)
+#define NODE_STRONGUNLOCK(l)	((void)0)
+#define NODE_WEAKLOCK(l, t)	NODE_LOCK(l, t)
+#define NODE_WEAKUNLOCK(l, t)	NODE_UNLOCK(l, t)
+#define NODE_WEAKDOWNGRADE(l)	isc_rwlock_downgrade(l)
+#else
+typedef isc_mutex_t nodelock_t;
+
+#define NODE_INITLOCK(l)	isc_mutex_init(l)
+#define NODE_DESTROYLOCK(l)	DESTROYLOCK(l)
+#define NODE_LOCK(l, t)		LOCK(l)
+#define NODE_UNLOCK(l, t)	UNLOCK(l)
+#define NODE_TRYUPGRADE(l)	ISC_R_SUCCESS
+
+#define NODE_STRONGLOCK(l)	LOCK(l)
+#define NODE_STRONGUNLOCK(l)	UNLOCK(l)
+#define NODE_WEAKLOCK(l, t)	((void)0)
+#define NODE_WEAKUNLOCK(l, t)	((void)0)
+#define NODE_WEAKDOWNGRADE(l)	((void)0)
+#endif
+
+/*
  * Allow clients with a virtual time of upto 5 minutes in the past to see
  * records that would have otherwise have expired.
  */
@@ -109,8 +191,10 @@ struct noqname {
 	void *	   nsecsig;
 };
 
+typedef struct acachectl acachectl_t;  
+
 typedef struct rdatasetheader {
-	/*
+	/*%
 	 * Locked by the owning node's lock.
 	 */
 	rbtdb_serial_t			serial;
@@ -119,13 +203,13 @@ typedef struct rdatasetheader {
 	isc_uint16_t			attributes;
 	dns_trust_t			trust;
 	struct noqname			*noqname;
-	/*
+	/*%<
 	 * We don't use the LIST macros, because the LIST structure has
 	 * both head and tail pointers, and is doubly linked.
 	 */
 
 	struct rdatasetheader		*next;
-	/*
+	/*%<
 	 * If this is the top header for an rdataset, 'next' points
 	 * to the top header for the next rdataset (i.e., the next type).
 	 * Otherwise, it points up to the header whose down pointer points
@@ -133,19 +217,22 @@ typedef struct rdatasetheader {
 	 */
 	  
 	struct rdatasetheader		*down;
-	/*
+	/*%<
 	 * Points to the header for the next older version of
 	 * this rdataset.
 	 */
 
 	isc_uint32_t			count;
-	/*
+	/*%<
 	 * Monotonously increased every time this rdataset is bound so that
 	 * it is used as the base of the starting point in DNS responses
 	 * when the "cyclic" rrset-order is required.  Since the ordering
 	 * should not be so crucial, no lock is set for the counter for
 	 * performance reasons.
 	 */
+
+	acachectl_t			*additional_auth;
+	acachectl_t			*additional_glue;
 } rdatasetheader_t;
 
 #define RDATASET_ATTR_NONEXISTENT	0x0001
@@ -154,6 +241,19 @@ typedef struct rdatasetheader {
 #define RDATASET_ATTR_RETAIN		0x0008
 #define RDATASET_ATTR_NXDOMAIN		0x0010
 
+typedef struct acache_cbarg {
+	dns_rdatasetadditional_t	type;
+	unsigned int			count;
+	dns_db_t			*db;
+	dns_dbnode_t			*node;
+	rdatasetheader_t		*header;
+} acache_cbarg_t;
+
+struct acachectl {
+	dns_acacheentry_t		*entry;
+	acache_cbarg_t			*cbarg;
+};
+
 /*
  * XXX
  * When the cache will pre-expire data (due to memory low or other
@@ -175,12 +275,14 @@ typedef struct rdatasetheader {
 #define NXDOMAIN(header) \
 	(((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0)
 
-#define DEFAULT_NODE_LOCK_COUNT		7		/* Should be prime. */
+#define DEFAULT_NODE_LOCK_COUNT		7	/*%< Should be prime. */
+#define DEFAULT_CACHE_NODE_LOCK_COUNT	1009	/*%< Should be prime. */
 
 typedef struct {
-	isc_mutex_t			lock;
+	nodelock_t			lock;
+	/* Protected in the refcount routines. */
+	isc_refcount_t			references;
 	/* Locked by lock. */
-	unsigned int			references;
 	isc_boolean_t			exiting;
 } rbtdb_nodelock_t;
 
@@ -195,9 +297,14 @@ typedef ISC_LIST(rbtdb_changed_t)	rbtdb_changedlist_t;
 typedef struct rbtdb_version {
 	/* Not locked */
 	rbtdb_serial_t			serial;
+	/*
+	 * Protected in the refcount routines.
+	 * XXXJT: should we change the lock policy based on the refcount
+	 * performance?
+	 */
+	isc_refcount_t			references;
 	/* Locked by database lock. */
 	isc_boolean_t			writer;
-	unsigned int			references;
 	isc_boolean_t			commit_ok;
 	rbtdb_changedlist_t		changed_list;
 	ISC_LINK(struct rbtdb_version)	link;
@@ -208,7 +315,11 @@ typedef ISC_LIST(rbtdb_version_t)	rbtdb_versionlist_t;
 typedef struct {
 	/* Unlocked. */
 	dns_db_t			common;
+#if DNS_RBTDB_USERWLOCK
+	isc_rwlock_t			lock;
+#else
 	isc_mutex_t			lock;
+#endif
 	isc_rwlock_t			tree_lock;
 	unsigned int			node_lock_count;
 	rbtdb_nodelock_t *	       	node_locks;
@@ -225,15 +336,20 @@ typedef struct {
 	rbtdb_versionlist_t		open_versions;
 	isc_boolean_t			overmem;
 	isc_task_t *			task;
+	dns_dbnode_t			*soanode;
+	dns_dbnode_t			*nsnode;
 	/* Locked by tree_lock. */
 	dns_rbt_t *			tree;
 	isc_boolean_t			secure;
+
+	/* Unlocked */
+	unsigned int			quantum;
 } dns_rbtdb_t;
 
 #define RBTDB_ATTR_LOADED		0x01
 #define RBTDB_ATTR_LOADING		0x02
 
-/*
+/*%
  * Search Context
  */
 typedef struct {
@@ -252,7 +368,7 @@ typedef struct {
 	isc_stdtime_t		now;
 } rbtdb_search_t;
 
-/*
+/*%
  * Load Context
  */
 typedef struct {
@@ -270,6 +386,30 @@ static isc_result_t rdataset_getnoqname(dns_rdataset_t *rdataset,
 				        dns_name_t *name,
 					dns_rdataset_t *nsec,
 					dns_rdataset_t *nsecsig);
+static isc_result_t rdataset_getadditional(dns_rdataset_t *rdataset,
+					   dns_rdatasetadditional_t type,
+					   dns_rdatatype_t qtype,
+					   dns_acache_t *acache,
+					   dns_zone_t **zonep,
+					   dns_db_t **dbp,
+					   dns_dbversion_t **versionp,
+					   dns_dbnode_t **nodep,
+					   dns_name_t *fname,
+					   dns_message_t *msg,
+					   isc_stdtime_t now);
+static isc_result_t rdataset_setadditional(dns_rdataset_t *rdataset,
+					   dns_rdatasetadditional_t type,
+					   dns_rdatatype_t qtype,
+					   dns_acache_t *acache,
+					   dns_zone_t *zone,
+					   dns_db_t *db,
+					   dns_dbversion_t *version,
+					   dns_dbnode_t *node,
+					   dns_name_t *fname);
+static isc_result_t rdataset_putadditional(dns_acache_t *acache,
+					   dns_rdataset_t *rdataset,
+					   dns_rdatasetadditional_t type,
+					   dns_rdatatype_t qtype);
 
 static dns_rdatasetmethods_t rdataset_methods = {
 	rdataset_disassociate,
@@ -279,7 +419,10 @@ static dns_rdatasetmethods_t rdataset_methods = {
 	rdataset_clone,
 	rdataset_count,
 	NULL,
-	rdataset_getnoqname
+	rdataset_getnoqname,
+	rdataset_getadditional,
+	rdataset_setadditional,
+	rdataset_putadditional
 };
 
 static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
@@ -403,25 +546,87 @@ free_rbtdb_callback(isc_task_t *task, isc_event_t *event) {
 	free_rbtdb(rbtdb, ISC_TRUE, event);
 }
 
+/*%
+ * Work out how many nodes can be deleted in the time between two
+ * requests to the nameserver.  Smooth the resulting number and use it
+ * as a estimate for the number of nodes to be deleted in the next
+ * iteration.
+ */
+static unsigned int
+adjust_quantum(unsigned int old, isc_time_t *start) {
+	unsigned int pps = dns_pps;	/* packets per second */
+	unsigned int interval;
+	isc_uint64_t usecs;
+	isc_time_t end;
+	unsigned int new;
+
+	if (pps < 100)
+		pps = 100;
+	isc_time_now(&end);
+
+	interval = 1000000 / pps;	/* interval in usec */
+	if (interval == 0)
+		interval = 1;
+	usecs = isc_time_microdiff(&end, start);
+	if (usecs == 0) {
+		/*
+		 * We were unable to measure the amount of time taken.
+		 * Double the nodes deleted next time.
+		 */
+		old *= 2;
+		if (old > 1000)
+			old = 1000;
+		return (old);
+	}
+	new = old * interval;
+	new /= (unsigned int)usecs;
+	if (new == 0)
+		new = 1;
+	else if (new > 1000)
+		new = 1000;
+
+	/* Smooth */
+	new = (new + old * 3) / 4;
+	
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+		      ISC_LOG_DEBUG(1), "adjust_quantum -> %d", new);
+
+	return (new);
+}
+		
 static void
 free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
 	unsigned int i;
 	isc_ondestroy_t ondest;
 	isc_result_t result;
 	char buf[DNS_NAME_FORMATSIZE];
+	isc_time_t start;
 
-	REQUIRE(EMPTY(rbtdb->open_versions));
+	REQUIRE(rbtdb->current_version != NULL || EMPTY(rbtdb->open_versions));
 	REQUIRE(rbtdb->future_version == NULL);
 
-	if (rbtdb->current_version != NULL)
+	if (rbtdb->current_version != NULL) {
+		unsigned int refs;
+
+		isc_refcount_decrement(&rbtdb->current_version->references,
+				       &refs);
+		INSIST(refs == 0);
+		UNLINK(rbtdb->open_versions, rbtdb->current_version, link);
+		isc_refcount_destroy(&rbtdb->current_version->references);
 		isc_mem_put(rbtdb->common.mctx, rbtdb->current_version,
 			    sizeof(rbtdb_version_t));
+	}
+	if (event == NULL)
+		rbtdb->quantum = (rbtdb->task != NULL) ? 100 : 0;
  again:
 	if (rbtdb->tree != NULL) {
-		result = dns_rbt_destroy2(&rbtdb->tree,
-					  (rbtdb->task != NULL) ? 1000 : 0);
+		isc_time_now(&start);
+		result = dns_rbt_destroy2(&rbtdb->tree, rbtdb->quantum);
 		if (result == ISC_R_QUOTA) {
 			INSIST(rbtdb->task != NULL);
+			if (rbtdb->quantum != 0)
+				rbtdb->quantum = adjust_quantum(rbtdb->quantum,
+								&start);
 			if (event == NULL)
 				event = isc_event_allocate(rbtdb->common.mctx,
 							   NULL,
@@ -450,15 +655,17 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
 	}
 	if (dns_name_dynamic(&rbtdb->common.origin))
 		dns_name_free(&rbtdb->common.origin, rbtdb->common.mctx);
-	for (i = 0; i < rbtdb->node_lock_count; i++)
-		DESTROYLOCK(&rbtdb->node_locks[i].lock);
+	for (i = 0; i < rbtdb->node_lock_count; i++) {
+		isc_refcount_destroy(&rbtdb->node_locks[i].references);
+		NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock);
+	}
 	isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks,
 		    rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
 	isc_rwlock_destroy(&rbtdb->tree_lock);
 	isc_refcount_destroy(&rbtdb->references);
 	if (rbtdb->task != NULL)
 		isc_task_detach(&rbtdb->task);
-	DESTROYLOCK(&rbtdb->lock);
+	RBTDB_DESTROYLOCK(&rbtdb->lock);
 	rbtdb->common.magic = 0;
 	rbtdb->common.impmagic = 0;
 	ondest = rbtdb->common.ondest;
@@ -474,24 +681,31 @@ maybe_free_rbtdb(dns_rbtdb_t *rbtdb) {
 
 	/* XXX check for open versions here */
 
+	if (rbtdb->soanode != NULL)
+		dns_db_detachnode((dns_db_t *)rbtdb, &rbtdb->soanode);
+	if (rbtdb->nsnode != NULL)
+		dns_db_detachnode((dns_db_t *)rbtdb, &rbtdb->nsnode);
+
 	/*
 	 * Even though there are no external direct references, there still
 	 * may be nodes in use.
 	 */
 	for (i = 0; i < rbtdb->node_lock_count; i++) {
-		LOCK(&rbtdb->node_locks[i].lock);
+		NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
 		rbtdb->node_locks[i].exiting = ISC_TRUE;
-		if (rbtdb->node_locks[i].references == 0)
+		NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
+		if (isc_refcount_current(&rbtdb->node_locks[i].references)
+		    == 0) {
 			inactive++;
-		UNLOCK(&rbtdb->node_locks[i].lock);
+		}
 	}
 
 	if (inactive != 0) {
-		LOCK(&rbtdb->lock);
+		RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
 		rbtdb->active -= inactive;
 		if (rbtdb->active == 0)
 			want_free = ISC_TRUE;
-		UNLOCK(&rbtdb->lock);
+		RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
 		if (want_free) {
 			char buf[DNS_NAME_FORMATSIZE];
 			if (dns_name_dynamic(&rbtdb->common.origin))
@@ -526,15 +740,14 @@ static void
 currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
 	rbtdb_version_t *version;
+	unsigned int refs;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 
-	LOCK(&rbtdb->lock);
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
 	version = rbtdb->current_version;
-	if (version->references == 0)
-		PREPEND(rbtdb->open_versions, version, link);
-	version->references++;
-	UNLOCK(&rbtdb->lock);
+	isc_refcount_increment(&version->references, &refs);
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
 
 	*versionp = (dns_dbversion_t *)version;
 }
@@ -543,13 +756,18 @@ static inline rbtdb_version_t *
 allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial,
 		 unsigned int references, isc_boolean_t writer)
 {
+	isc_result_t result;
 	rbtdb_version_t *version;
 
 	version = isc_mem_get(mctx, sizeof(*version));
 	if (version == NULL)
 		return (NULL);
 	version->serial = serial;
-	version->references = references;
+	result = isc_refcount_init(&version->references, references);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, version, sizeof(*version));
+		return (NULL);
+	}
 	version->writer = writer;
 	version->commit_ok = ISC_FALSE;
 	ISC_LIST_INIT(version->changed_list);
@@ -567,7 +785,7 @@ newversion(dns_db_t *db, dns_dbversion_t **versionp) {
 	REQUIRE(versionp != NULL && *versionp == NULL);
 	REQUIRE(rbtdb->future_version == NULL);
 
-	LOCK(&rbtdb->lock);
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
 	RUNTIME_CHECK(rbtdb->next_serial != 0);		/* XXX Error? */
 	version = allocate_version(rbtdb->common.mctx, rbtdb->next_serial, 1,
 				   ISC_TRUE);
@@ -576,7 +794,7 @@ newversion(dns_db_t *db, dns_dbversion_t **versionp) {
 		rbtdb->next_serial++;
 		rbtdb->future_version = version;
 	}
-	UNLOCK(&rbtdb->lock);
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
 
 	if (version == NULL)
 		return (ISC_R_NOMEMORY);
@@ -592,16 +810,12 @@ attachversion(dns_db_t *db, dns_dbversion_t *source,
 {
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
 	rbtdb_version_t *rbtversion = source;
+	unsigned int refs;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 
-	LOCK(&rbtdb->lock);
-
-	INSIST(rbtversion->references > 0);
-	rbtversion->references++;
-	INSIST(rbtversion->references != 0);
-
-	UNLOCK(&rbtdb->lock);
+	isc_refcount_increment(&rbtversion->references, &refs);
+	INSIST(refs > 1);
 
 	*targetp = rbtversion;
 }
@@ -611,32 +825,62 @@ add_changed(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
 	    dns_rbtnode_t *node)
 {
 	rbtdb_changed_t *changed;
+	unsigned int refs;
 
 	/*
-	 * Caller must be holding the node lock.
+	 * Caller must be holding the node lock if its reference must be
+	 * protected by the lock.
 	 */
 
 	changed = isc_mem_get(rbtdb->common.mctx, sizeof(*changed));
 
-	LOCK(&rbtdb->lock);
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
 
 	REQUIRE(version->writer);
 
 	if (changed != NULL) {
-		INSIST(node->references > 0);
-		node->references++;
-		INSIST(node->references != 0);
+		dns_rbtnode_refincrement(node, &refs);
+		INSIST(refs != 0);
 		changed->node = node;
 		changed->dirty = ISC_FALSE;
 		ISC_LIST_INITANDAPPEND(version->changed_list, changed, link);
 	} else
 		version->commit_ok = ISC_FALSE;
 
-	UNLOCK(&rbtdb->lock);
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
 
 	return (changed);
 }
 
+static void
+free_acachearray(isc_mem_t *mctx, rdatasetheader_t *header,
+		 acachectl_t *array)
+{
+	unsigned int count;
+	unsigned int i;
+	unsigned char *raw;	/* RDATASLAB */
+
+	/*
+	 * The caller must be holding the corresponding node lock.
+	 */
+
+	if (array == NULL)
+		return;
+
+	raw = (unsigned char *)header + sizeof(*header);
+	count = raw[0] * 256 + raw[1];
+
+	/*
+	 * Sanity check: since an additional cache entry has a reference to
+	 * the original DB node (in the callback arg), there should be no
+	 * acache entries when the node can be freed. 
+	 */
+	for (i = 0; i < count; i++)
+		INSIST(array[i].entry == NULL && array[i].cbarg == NULL);
+
+	isc_mem_put(mctx, array, count * sizeof(acachectl_t));
+}
+
 static inline void
 free_noqname(isc_mem_t *mctx, struct noqname **noqname) {
 
@@ -658,7 +902,10 @@ free_rdataset(isc_mem_t *mctx, rdatasetheader_t *rdataset) {
 
 	if (rdataset->noqname != NULL)
 		free_noqname(mctx, &rdataset->noqname);
-	
+
+	free_acachearray(mctx, rdataset, rdataset->additional_auth);
+	free_acachearray(mctx, rdataset, rdataset->additional_glue);
+
 	if ((rdataset->attributes & RDATASET_ATTR_NONEXISTENT) != 0)
 		size = sizeof(*rdataset);
 	else
@@ -700,8 +947,19 @@ rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) {
 }
 
 static inline void
+clean_stale_headers(isc_mem_t *mctx, rdatasetheader_t *top) {
+	rdatasetheader_t *d, *down_next;
+
+	for (d = top->down; d != NULL; d = down_next) {
+		down_next = d->down;
+		free_rdataset(mctx, d);
+	}
+	top->down = NULL;
+}
+
+static inline void
 clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
-	rdatasetheader_t *current, *dcurrent, *top_prev, *top_next, *down_next;
+	rdatasetheader_t *current, *top_prev, *top_next;
 	isc_mem_t *mctx = rbtdb->common.mctx;
 
 	/*
@@ -711,15 +969,7 @@ clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
 	top_prev = NULL;
 	for (current = node->data; current != NULL; current = top_next) {
 		top_next = current->next;
-		dcurrent = current->down;
-		if (dcurrent != NULL) {
-			do {
-				down_next = dcurrent->down;
-				free_rdataset(mctx, dcurrent);
-				dcurrent = down_next;
-			} while (dcurrent != NULL);
-			current->down = NULL;
-		}
+		clean_stale_headers(mctx, current);
 		/*
 		 * If current is nonexistent or stale, we can clean it up.
 		 */
@@ -862,31 +1112,72 @@ clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 		node->dirty = 0;
 }
 
+/*
+ * Caller must be holding the node lock if its reference must be protected
+ * by the lock.
+ */
 static inline void
 new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
-	if (node->references == 0) {
-		rbtdb->node_locks[node->locknum].references++;
-		INSIST(rbtdb->node_locks[node->locknum].references != 0);
+	unsigned int lockrefs, noderefs;
+	isc_refcount_t *lockref;
+
+	dns_rbtnode_refincrement0(node, &noderefs);
+	if (noderefs == 1) {	/* this is the first reference to the node */
+		lockref = &rbtdb->node_locks[node->locknum].references;
+		isc_refcount_increment0(lockref, &lockrefs);
+		INSIST(lockrefs != 0);
 	}
-	node->references++;
-	INSIST(node->references != 0);
+	INSIST(noderefs != 0);
 }
 
-static void
-no_references(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
-	      rbtdb_serial_t least_serial, isc_rwlocktype_t lock)
+/*
+ * Caller must be holding the node lock; either the "strong", read or write
+ * lock.  Note that the lock must be held even when node references are
+ * atomically modified; in that case the decrement operation itself does not
+ * have to be protected, but we must avoid a race condition where multiple
+ * threads are decreasing the reference to zero simultaneously and at least
+ * one of them is going to free the node.
+ * This function returns ISC_TRUE if and only if the node reference decreases
+ * to zero.
+ */
+static isc_boolean_t
+decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+		    rbtdb_serial_t least_serial,
+		    isc_rwlocktype_t nlock, isc_rwlocktype_t tlock)
 {
 	isc_result_t result;
 	isc_boolean_t write_locked;
-	unsigned int locknum;
-
-	/*
-	 * Caller must be holding the node lock.
-	 */
+	rbtdb_nodelock_t *nodelock;
+	unsigned int refs, nrefs;
+
+	nodelock = &rbtdb->node_locks[node->locknum];
+
+	/* Handle easy and typical case first. */
+	if (!node->dirty && (node->data != NULL || node->down != NULL)) {
+		dns_rbtnode_refdecrement(node, &nrefs);
+		INSIST((int)nrefs >= 0);
+		if (nrefs == 0) {
+			isc_refcount_decrement(&nodelock->references, &refs);
+			INSIST((int)refs >= 0);
+		}
+		return ((nrefs == 0) ? ISC_TRUE : ISC_FALSE);
+	}
 
-	REQUIRE(node->references == 0);
+	/* Upgrade the lock? */
+	if (nlock == isc_rwlocktype_read) {
+		NODE_WEAKUNLOCK(&nodelock->lock, isc_rwlocktype_read);
+		NODE_WEAKLOCK(&nodelock->lock, isc_rwlocktype_write);
+	}
+	dns_rbtnode_refdecrement(node, &nrefs);
+	INSIST((int)nrefs >= 0);
+	if (nrefs > 0) {
+		/* Restore the lock? */
+		if (nlock == isc_rwlocktype_read)
+			NODE_WEAKDOWNGRADE(&nodelock->lock);
+		return (ISC_FALSE);
+	}
 
-	if (node->dirty) {
+	if (node->dirty && dns_rbtnode_refcurrent(node) == 0) {
 		if (IS_CACHE(rbtdb))
 			clean_cache_node(rbtdb, node);
 		else {
@@ -895,35 +1186,38 @@ no_references(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 				 * Caller doesn't know the least serial.
 				 * Get it.
 				 */
-				LOCK(&rbtdb->lock);
+				RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
 				least_serial = rbtdb->least_serial;
-				UNLOCK(&rbtdb->lock);
+				RBTDB_UNLOCK(&rbtdb->lock,
+					     isc_rwlocktype_read);
 			}
 			clean_zone_node(rbtdb, node, least_serial);
 		}
 	}
 
-	locknum = node->locknum;
-
-	INSIST(rbtdb->node_locks[locknum].references > 0);
-	rbtdb->node_locks[locknum].references--;
+	isc_refcount_decrement(&nodelock->references, &refs);
+	INSIST((int)refs >= 0);
 
 	/*
 	 * XXXDCL should this only be done for cache zones?
 	 */
-	if (node->data != NULL || node->down != NULL)
-		return;
+	if (node->data != NULL || node->down != NULL) {
+		/* Restore the lock? */
+		if (nlock == isc_rwlocktype_read)
+			NODE_WEAKDOWNGRADE(&nodelock->lock);
+		return (ISC_TRUE);
+	}
 
 	/*
 	 * XXXDCL need to add a deferred delete method for ISC_R_LOCKBUSY.
 	 */
-	if (lock != isc_rwlocktype_write) {
+	if (tlock != isc_rwlocktype_write) {
 		/*
 		 * Locking hierarchy notwithstanding, we don't need to free
 		 * the node lock before acquiring the tree write lock because
 		 * we only do a trylock.
 		 */
-		if (lock == isc_rwlocktype_read)
+		if (tlock == isc_rwlocktype_read)
 			result = isc_rwlock_tryupgrade(&rbtdb->tree_lock);
 		else
 			result = isc_rwlock_trylock(&rbtdb->tree_lock,
@@ -935,13 +1229,21 @@ no_references(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	} else
 		write_locked = ISC_TRUE;
 
-	if (write_locked) {
+	if (write_locked && dns_rbtnode_refcurrent(node) == 0) {
+		/*
+		 * We can now delete the node if the reference counter is
+		 * zero.  This should be typically the case, but a different
+		 * thread may still gain a (new) reference just before the
+		 * current thread locks the tree (e.g., in findnode()).
+		 */
+
 		if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
 			char printname[DNS_NAME_FORMATSIZE];
 
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 				      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
-				      "no_references: delete from rbt: %p %s",
+				      "decrement_reference: "
+				      "delete from rbt: %p %s",
 				      node,
 				      dns_rbt_formatnodename(node, printname,
 							   sizeof(printname)));
@@ -951,20 +1253,27 @@ no_references(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 		if (result != ISC_R_SUCCESS)
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 				      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
-				      "no_references: dns_rbt_deletenode: %s",
+				      "decrement_reference: "
+				      "dns_rbt_deletenode: %s",
 				      isc_result_totext(result));
 	}
 
+	/* Restore the lock? */
+	if (nlock == isc_rwlocktype_read)
+		NODE_WEAKDOWNGRADE(&nodelock->lock);
+
 	/*
 	 * Relock a read lock, or unlock the write lock if no lock was held.
 	 */
-	if (lock == isc_rwlocktype_none)
+	if (tlock == isc_rwlocktype_none)
 		if (write_locked)
 			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
 
-	if (lock == isc_rwlocktype_read)
+	if (tlock == isc_rwlocktype_read)
 		if (write_locked)
 			isc_rwlock_downgrade(&rbtdb->tree_lock);
+
+	return (ISC_TRUE);
 }
 
 static inline void
@@ -1061,7 +1370,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 	rbtdb_changed_t *changed, *next_changed;
 	rbtdb_serial_t serial, least_serial;
 	dns_rbtnode_t *rbtnode;
-	isc_mutex_t *lock;
+	unsigned int refs;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 	version = (rbtdb_version_t *)*versionp;
@@ -1069,113 +1378,146 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 	cleanup_version = NULL;
 	ISC_LIST_INIT(cleanup_list);
 
-	LOCK(&rbtdb->lock);
-	INSIST(version->references > 0);
-	INSIST(!version->writer || !(commit && version->references > 1));
-	version->references--;
+	isc_refcount_decrement(&version->references, &refs);
+	if (refs > 0) {		/* typical and easy case first */
+		if (commit) {
+			RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+			INSIST(!version->writer);
+			RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
+		}
+		goto end;
+	}
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
 	serial = version->serial;
-	if (version->references == 0) {
-		if (version->writer) {
-			if (commit) {
-				INSIST(version->commit_ok);
-				INSIST(version == rbtdb->future_version);
-				if (EMPTY(rbtdb->open_versions)) {
-					/*
-					 * We're going to become the least open
-					 * version.
-					 */
-					make_least_version(rbtdb, version,
-							   &cleanup_list);
-				} else {
-					/*
-					 * Some other open version is the
-					 * least version.  We can't cleanup
-					 * records that were changed in this
-					 * version because the older versions
-					 * may still be in use by an open
-					 * version.
-					 *
-					 * We can, however, discard the
-					 * changed records for things that
-					 * we've added that didn't exist in
-					 * prior versions.
-					 */
-					cleanup_nondirty(version,
-							 &cleanup_list);
-				}
-				/*
-				 * If the (soon to be former) current version
-				 * isn't being used by anyone, we can clean
-				 * it up.
-				 */
-				if (rbtdb->current_version->references == 0) {
-					cleanup_version =
-						rbtdb->current_version;
-					APPENDLIST(version->changed_list,
-						 cleanup_version->changed_list,
-						   link);
-				}
+	if (version->writer) {
+		if (commit) {
+			unsigned cur_ref;
+			rbtdb_version_t *cur_version;
+
+			INSIST(version->commit_ok);
+			INSIST(version == rbtdb->future_version);
+			/*
+			 * The current version is going to be replaced.
+			 * Release the (likely last) reference to it from the
+			 * DB itself and unlink it from the open list.
+			 */
+			cur_version = rbtdb->current_version;
+			isc_refcount_decrement(&cur_version->references,
+					       &cur_ref);
+			if (cur_ref == 0) {
+				if (cur_version->serial == rbtdb->least_serial)
+					INSIST(EMPTY(cur_version->changed_list));
+				UNLINK(rbtdb->open_versions,
+				       cur_version, link);
+			}
+			if (EMPTY(rbtdb->open_versions)) {
 				/*
-				 * Become the current version.
+				 * We're going to become the least open
+				 * version.
 				 */
-				version->writer = ISC_FALSE;
-				rbtdb->current_version = version;
-				rbtdb->current_serial = version->serial;
-				rbtdb->future_version = NULL;
+				make_least_version(rbtdb, version,
+						   &cleanup_list);
 			} else {
 				/*
-				 * We're rolling back this transaction.
+				 * Some other open version is the
+				 * least version.  We can't cleanup
+				 * records that were changed in this
+				 * version because the older versions
+				 * may still be in use by an open
+				 * version.
+				 *
+				 * We can, however, discard the
+				 * changed records for things that
+				 * we've added that didn't exist in
+				 * prior versions.
 				 */
-				cleanup_list = version->changed_list;
-				ISC_LIST_INIT(version->changed_list);
-				rollback = ISC_TRUE;
-				cleanup_version = version;
-				rbtdb->future_version = NULL;
+				cleanup_nondirty(version, &cleanup_list);
 			}
+			/*
+			 * If the (soon to be former) current version
+			 * isn't being used by anyone, we can clean
+			 * it up.
+			 */
+			if (cur_ref == 0) {
+				cleanup_version = cur_version;
+				APPENDLIST(version->changed_list,
+					   cleanup_version->changed_list,
+					   link);
+			}
+			/*
+			 * Become the current version.
+			 */
+			version->writer = ISC_FALSE;
+			rbtdb->current_version = version;
+			rbtdb->current_serial = version->serial;
+			rbtdb->future_version = NULL;
+
+			/*
+			 * Keep the current version in the open list, and
+			 * gain a reference for the DB itself (see the DB
+			 * creation function below).  This must be the only
+			 * case where we need to increment the counter from
+			 * zero and need to use isc_refcount_increment0().
+			 */
+			isc_refcount_increment0(&version->references,
+						&cur_ref);
+			INSIST(cur_ref == 1);
+			PREPEND(rbtdb->open_versions,
+				rbtdb->current_version, link);
 		} else {
-			if (version != rbtdb->current_version) {
-				/*
-				 * There are no external or internal references
-				 * to this version and it can be cleaned up.
-				 */
-				cleanup_version = version;
+			/*
+			 * We're rolling back this transaction.
+			 */
+			cleanup_list = version->changed_list;
+			ISC_LIST_INIT(version->changed_list);
+			rollback = ISC_TRUE;
+			cleanup_version = version;
+			rbtdb->future_version = NULL;
+		}
+	} else {
+		if (version != rbtdb->current_version) {
+			/*
+			 * There are no external or internal references
+			 * to this version and it can be cleaned up.
+			 */
+			cleanup_version = version;
 
+			/*
+			 * Find the version with the least serial
+			 * number greater than ours.
+			 */
+			least_greater = PREV(version, link);
+			if (least_greater == NULL)
+				least_greater = rbtdb->current_version;
+
+			INSIST(version->serial < least_greater->serial);
+			/*
+			 * Is this the least open version?
+			 */
+			if (version->serial == rbtdb->least_serial) {
 				/*
-				 * Find the version with the least serial
-				 * number greater than ours.
+				 * Yes.  Install the new least open
+				 * version.
 				 */
-				least_greater = PREV(version, link);
-				if (least_greater == NULL)
-					least_greater = rbtdb->current_version;
-
-				INSIST(version->serial < least_greater->serial);
+				make_least_version(rbtdb,
+						   least_greater,
+						   &cleanup_list);
+			} else {
 				/*
-				 * Is this the least open version?
+				 * Add any unexecuted cleanups to
+				 * those of the least greater version.
 				 */
-				if (version->serial == rbtdb->least_serial) {
-					/*
-					 * Yes.  Install the new least open
-					 * version.
-					 */
-					make_least_version(rbtdb,
-							   least_greater,
-							   &cleanup_list);
-				} else {
-					/*
-					 * Add any unexecuted cleanups to
-					 * those of the least greater version.
-					 */
-					APPENDLIST(least_greater->changed_list,
-						   version->changed_list,
-						   link);
-				}
-			} else if (version->serial == rbtdb->least_serial)
-				INSIST(EMPTY(version->changed_list));
-			UNLINK(rbtdb->open_versions, version, link);
-		}
+				APPENDLIST(least_greater->changed_list,
+					   version->changed_list,
+					   link);
+			}
+		} else if (version->serial == rbtdb->least_serial)
+			INSIST(EMPTY(version->changed_list));
+		UNLINK(rbtdb->open_versions, version, link);
 	}
 	least_serial = rbtdb->least_serial;
-	UNLOCK(&rbtdb->lock);
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
 
 	/*
 	 * Update the zone's secure status.
@@ -1193,28 +1535,26 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 		for (changed = HEAD(cleanup_list);
 		     changed != NULL;
 		     changed = next_changed) {
+			nodelock_t *lock;
+
 			next_changed = NEXT(changed, link);
 			rbtnode = changed->node;
 			lock = &rbtdb->node_locks[rbtnode->locknum].lock;
 
-			LOCK(lock);
-
-			INSIST(rbtnode->references > 0);
-			rbtnode->references--;
+			NODE_LOCK(lock, isc_rwlocktype_write);
 			if (rollback)
 				rollback_node(rbtnode, serial);
-
-			if (rbtnode->references == 0)
-				no_references(rbtdb, rbtnode, least_serial,
-					      isc_rwlocktype_none);
-
-			UNLOCK(lock);
+			decrement_reference(rbtdb, rbtnode, least_serial,
+					    isc_rwlocktype_write,
+					    isc_rwlocktype_none);
+			NODE_UNLOCK(lock, isc_rwlocktype_write);
 
 			isc_mem_put(rbtdb->common.mctx, changed,
 				    sizeof(*changed));
 		}
 	}
 
+  end:
 	*versionp = NULL;
 }
 
@@ -1287,7 +1627,6 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
 	dns_rbtnode_t *node = NULL;
 	dns_name_t nodename;
-	unsigned int locknum;
 	isc_result_t result;
 	isc_rwlocktype_t locktype = isc_rwlocktype_read;
 
@@ -1334,10 +1673,9 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
 			return (result);
 		}
 	}
-	locknum = node->locknum;
-	LOCK(&rbtdb->node_locks[locknum].lock);
+	NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
 	new_reference(rbtdb, node);
-	UNLOCK(&rbtdb->node_locks[locknum].lock);
+	NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
 	RWUNLOCK(&rbtdb->tree_lock, locktype);
 
 	*nodep = (dns_dbnode_t *)node;
@@ -1366,7 +1704,8 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 	result = DNS_R_CONTINUE;
 	onode = search->rbtdb->origin_node;
 
-	LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+	NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+		  isc_rwlocktype_read);
 
 	/*
 	 * Look for an NS or DNAME rdataset active in our version.
@@ -1477,7 +1816,8 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 			search->wild = ISC_TRUE;
 	}
 
-	UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+	NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+		    isc_rwlocktype_read);
 
 	return (result);
 }
@@ -1487,10 +1827,14 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	      rdatasetheader_t *header, isc_stdtime_t now,
 	      dns_rdataset_t *rdataset)
 {
-	unsigned char *raw;
+	unsigned char *raw;	/* RDATASLAB */
 
 	/*
-	 * Caller must be holding the node lock.
+	 * Caller must be holding the node reader lock.
+	 * XXXJT: technically, we need a writer lock, since we'll increment
+	 * the header count below.  However, since the actual counter value
+	 * doesn't matter, we prioritize performance here.  (We may want to
+	 * use atomic increment when available).
 	 */
 
 	if (rdataset == NULL)
@@ -1570,14 +1914,16 @@ setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
 		search->need_cleanup = ISC_FALSE;
 	}
 	if (rdataset != NULL) {
-		LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+		NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
 		bind_rdataset(search->rbtdb, node, search->zonecut_rdataset,
 			      search->now, rdataset);
 		if (sigrdataset != NULL && search->zonecut_sigrdataset != NULL)
 			bind_rdataset(search->rbtdb, node,
 				      search->zonecut_sigrdataset,
 				      search->now, sigrdataset);
-		UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+		NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
 	}
 
 	if (type == dns_rdatatype_dname)
@@ -1589,7 +1935,7 @@ static inline isc_boolean_t
 valid_glue(rbtdb_search_t *search, dns_name_t *name, rbtdb_rdatatype_t type,
 	   dns_rbtnode_t *node)
 {
-	unsigned char *raw;
+	unsigned char *raw;	/* RDATASLAB */
 	unsigned int count, size;
 	dns_name_t ns_name;
 	isc_boolean_t valid = ISC_FALSE;
@@ -1618,12 +1964,12 @@ valid_glue(rbtdb_search_t *search, dns_name_t *name, rbtdb_rdatatype_t type,
 	header = search->zonecut_rdataset;
 	raw = (unsigned char *)header + sizeof(*header);
 	count = raw[0] * 256 + raw[1];
-	raw += 2;
+	raw += 2 + (4 * count);
 
 	while (count > 0) {
 		count--;
 		size = raw[0] * 256 + raw[1];
-		raw += 2;
+		raw += 4;
 		region.base = raw;
 		region.length = size;
 		raw += size;
@@ -1672,7 +2018,8 @@ activeempty(rbtdb_search_t *search, dns_rbtnodechain_t *chain,
 						  origin, &node);
 		if (result != ISC_R_SUCCESS)
 			break;
-		LOCK(&(rbtdb->node_locks[node->locknum].lock));
+		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
 		for (header = node->data;
 		     header != NULL;
 		     header = header->next) {
@@ -1680,7 +2027,8 @@ activeempty(rbtdb_search_t *search, dns_rbtnodechain_t *chain,
 			    !IGNORE(header) && EXISTS(header))
 				break;
 		}
-		UNLOCK(&(rbtdb->node_locks[node->locknum].lock));
+		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
 		if (header != NULL)
 			break;
 		result = dns_rbtnodechain_next(chain, NULL, NULL);
@@ -1737,7 +2085,8 @@ activeemtpynode(rbtdb_search_t *search, dns_name_t *qname, dns_name_t *wname) {
 						  origin, &node);
 		if (result != ISC_R_SUCCESS)
 			break;
-		LOCK(&(rbtdb->node_locks[node->locknum].lock));
+		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
 		for (header = node->data;
 		     header != NULL;
 		     header = header->next) {
@@ -1745,7 +2094,8 @@ activeemtpynode(rbtdb_search_t *search, dns_name_t *qname, dns_name_t *wname) {
 			    !IGNORE(header) && EXISTS(header))
 				break;
 		}
-		UNLOCK(&(rbtdb->node_locks[node->locknum].lock));
+		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
 		if (header != NULL)
 			break;
 		result = dns_rbtnodechain_prev(&chain, NULL, NULL);
@@ -1762,7 +2112,8 @@ activeemtpynode(rbtdb_search_t *search, dns_name_t *qname, dns_name_t *wname) {
 						  origin, &node);
 		if (result != ISC_R_SUCCESS)
 			break;
-		LOCK(&(rbtdb->node_locks[node->locknum].lock));
+		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
 		for (header = node->data;
 		     header != NULL;
 		     header = header->next) {
@@ -1770,7 +2121,8 @@ activeemtpynode(rbtdb_search_t *search, dns_name_t *qname, dns_name_t *wname) {
 			    !IGNORE(header) && EXISTS(header))
 				break;
 		}
-		UNLOCK(&(rbtdb->node_locks[node->locknum].lock));
+		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
 		if (header != NULL)
 			break;
 		result = dns_rbtnodechain_next(&chain, NULL, NULL);
@@ -1838,7 +2190,8 @@ find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep,
 	done = ISC_FALSE;
 	node = *nodep;
 	do {
-		LOCK(&(rbtdb->node_locks[node->locknum].lock));
+		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
 
 		/*
 		 * First we try to figure out if this node is active in
@@ -1863,7 +2216,8 @@ find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep,
 		else
 			wild = ISC_FALSE;
 
-		UNLOCK(&(rbtdb->node_locks[node->locknum].lock));
+		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
 
 		if (wild) {
 			/*
@@ -1896,33 +2250,38 @@ find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep,
 						  DNS_RBTFIND_EMPTYDATA,
 						  NULL, NULL);
 			if (result == ISC_R_SUCCESS) {
-			    /*
-			     * We have found the wildcard node.  If it
-			     * is active in the search's version, we're
-			     * done.
-			     */
-			    LOCK(&(rbtdb->node_locks[wnode->locknum].lock));
-			    for (header = wnode->data;
-				 header != NULL;
-				 header = header->next) {
-				    if (header->serial <= search->serial &&
-					!IGNORE(header) && EXISTS(header))
-					    break;
-			    }
-			    UNLOCK(&(rbtdb->node_locks[wnode->locknum].lock));
-			    if (header != NULL ||
-				activeempty(search, &wchain, wname)) {
-				    if (activeemtpynode(search, qname, wname))
+				nodelock_t *lock;
+
+				/*
+				 * We have found the wildcard node.  If it
+				 * is active in the search's version, we're
+				 * done.
+				 */
+				lock = &rbtdb->node_locks[wnode->locknum].lock;
+				NODE_LOCK(lock, isc_rwlocktype_read);
+				for (header = wnode->data;
+				     header != NULL;
+				     header = header->next) {
+					if (header->serial <= search->serial &&
+					    !IGNORE(header) && EXISTS(header))
+						break;
+				}
+				NODE_UNLOCK(lock, isc_rwlocktype_read);
+				if (header != NULL ||
+				    activeempty(search, &wchain, wname)) {
+					if (activeemtpynode(search, qname,
+							    wname)) {
 						return (ISC_R_NOTFOUND);
-				    /*
-				     * The wildcard node is active!
-				     *
-				     * Note: result is still ISC_R_SUCCESS
-				     * so we don't have to set it.
-				     */
-				    *nodep = wnode;
-				    break;
-			    }
+					}
+					/*
+					 * The wildcard node is active!
+					 *
+					 * Note: result is still ISC_R_SUCCESS
+					 * so we don't have to set it.
+					 */
+					*nodep = wnode;
+					break;
+				}
 			} else if (result != ISC_R_NOTFOUND &&
 				   result != DNS_R_PARTIALMATCH) {
 				/*
@@ -1974,7 +2333,8 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 						  origin, &node);
 		if (result != ISC_R_SUCCESS)
 			return (result);
-		LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+		NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
 		found = NULL;
 		foundsig = NULL;
 		empty_node = ISC_TRUE;
@@ -2074,7 +2434,8 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 			result = dns_rbtnodechain_prev(&search->chain, NULL,
 						       NULL);
 		}
-		UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+		NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
 	} while (empty_node && result == ISC_R_SUCCESS);
 
 	/*
@@ -2103,12 +2464,12 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	isc_boolean_t at_zonecut = ISC_FALSE;
 	isc_boolean_t wild;
 	isc_boolean_t empty_node;
-	isc_mutex_t *lock;
 	rdatasetheader_t *header, *header_next, *found, *nsecheader;
 	rdatasetheader_t *foundsig, *cnamesig, *nsecsig;
 	rbtdb_rdatatype_t sigtype;
 	isc_boolean_t active;
 	dns_rbtnodechain_t chain;
+	nodelock_t *lock;
 
 
 	search.rbtdb = (dns_rbtdb_t *)db;
@@ -2243,7 +2604,8 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	 * We now go looking for rdata...
 	 */
 
-	LOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+	NODE_LOCK(&(search.rbtdb->node_locks[node->locknum].lock),
+		  isc_rwlocktype_read);
 
 	found = NULL;
 	foundsig = NULL;
@@ -2391,7 +2753,8 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		 * we really have a partial match.
 		 */
 		if (!wild) {
-			UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+			lock = &search.rbtdb->node_locks[node->locknum].lock;
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
 			goto partial_match;
 		}
 	}
@@ -2401,16 +2764,17 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	 */
 	if (found == NULL) {
 		if (search.zonecut != NULL) {
-		    /*
-		     * We were trying to find glue at a node beneath a
-		     * zone cut, but didn't.
-		     *
-		     * Return the delegation.
-		     */
-		    UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
-		    result = setup_delegation(&search, nodep, foundname,
-					      rdataset, sigrdataset);
-		    goto tree_exit;
+			/*
+			 * We were trying to find glue at a node beneath a
+			 * zone cut, but didn't.
+			 *
+			 * Return the delegation.
+			 */
+			lock = &search.rbtdb->node_locks[node->locknum].lock;
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
+			result = setup_delegation(&search, nodep, foundname,
+						  rdataset, sigrdataset);
+			goto tree_exit;
 		}
 		/*
 		 * The desired type doesn't exist.
@@ -2426,11 +2790,12 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				result = DNS_R_BADDB;
 				goto node_exit;
 			}
-			
-			UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+
+			lock = &search.rbtdb->node_locks[node->locknum].lock;
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
 			result = find_closest_nsec(&search, nodep, foundname,
-						  rdataset, sigrdataset,
-						  search.rbtdb->secure);
+						   rdataset, sigrdataset,
+						   search.rbtdb->secure);
 			if (result == ISC_R_SUCCESS)
 				result = DNS_R_EMPTYWILD;
 			goto tree_exit;
@@ -2508,9 +2873,10 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		if (result == DNS_R_GLUE &&
 		    (search.options & DNS_DBFIND_VALIDATEGLUE) != 0 &&
 		    !valid_glue(&search, foundname, type, node)) {
-		    UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
-		    result = setup_delegation(&search, nodep, foundname,
-					      rdataset, sigrdataset);
+			lock = &search.rbtdb->node_locks[node->locknum].lock;
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
+			result = setup_delegation(&search, nodep, foundname,
+						  rdataset, sigrdataset);
 		    goto tree_exit;
 		}
 	} else {
@@ -2539,7 +2905,8 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		foundname->attributes |= DNS_NAMEATTR_WILDCARD;
 
  node_exit:
-	UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+	NODE_UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock),
+		    isc_rwlocktype_read);
 
  tree_exit:
 	RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
@@ -2552,14 +2919,10 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		node = search.zonecut;
 		lock = &(search.rbtdb->node_locks[node->locknum].lock);
 
-		LOCK(lock);
-		INSIST(node->references > 0);
-		node->references--;
-		if (node->references == 0)
-			no_references(search.rbtdb, node, 0,
-				      isc_rwlocktype_none);
-
-		UNLOCK(lock);
+		NODE_LOCK(lock, isc_rwlocktype_read);
+		decrement_reference(search.rbtdb, node, 0,
+				    isc_rwlocktype_read, isc_rwlocktype_none);
+		NODE_UNLOCK(lock, isc_rwlocktype_read);
 	}
 
 	if (close_version)
@@ -2596,6 +2959,8 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 	rdatasetheader_t *header, *header_prev, *header_next;
 	rdatasetheader_t *dname_header, *sigdname_header;
 	isc_result_t result;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
 
 	/* XXX comment */
 
@@ -2606,7 +2971,9 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 	 */
 	UNUSED(name);
 
-	LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+	lock = &(search->rbtdb->node_locks[node->locknum].lock);
+	locktype = isc_rwlocktype_read; 
+	NODE_LOCK(lock, locktype);
 
 	/*
 	 * Look for a DNAME or RRSIG DNAME rdataset.
@@ -2624,21 +2991,47 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 			 * the node as dirty, so it will get cleaned
 			 * up later.
 			 */
-			if (node->references == 0) {
-				INSIST(header->down == NULL);
-				if (header_prev != NULL)
-					header_prev->next =
-						header->next;
-				else
-					node->data = header->next;
-				free_rdataset(search->rbtdb->common.mctx,
-					      header);
-			} else {
-				header->attributes |=
-					RDATASET_ATTR_STALE;
-				node->dirty = 1;
+			if ((header->ttl <= search->now - RBTDB_VIRTUAL) &&
+			    (locktype == isc_rwlocktype_write ||
+			     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
+				/*
+				 * We update the node's status only when we
+				 * can get write access; otherwise, we leave
+				 * others to this work.  Periodical cleaning
+				 * will eventually take the job as the last
+				 * resort.
+				 * We won't downgrade the lock, since other
+				 * rdatasets are probably stale, too. 
+				 */
+				locktype = isc_rwlocktype_write;
+
+				if (dns_rbtnode_refcurrent(node) == 0) {
+					isc_mem_t *mctx;
+
+					/*
+					 * header->down can be non-NULL if the
+					 * refcount has just decremented to 0
+					 * but decrement_reference() has not
+					 * performed clean_cache_node(), in
+					 * which case we need to purge the
+					 * stale headers first.
+					 */
+					mctx = search->rbtdb->common.mctx;
+					clean_stale_headers(mctx, header);
+					if (header_prev != NULL)
+						header_prev->next =
+							header->next;
+					else
+						node->data = header->next;
+					free_rdataset(mctx, header);
+				} else {
+					header->attributes |=
+						RDATASET_ATTR_STALE;
+					node->dirty = 1;
+					header_prev = header;
+				}
+			} else
 				header_prev = header;
-			}
 		} else if (header->type == dns_rdatatype_dname &&
 			   EXISTS(header)) {
 			dname_header = header;
@@ -2667,7 +3060,7 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 	} else
 		result = DNS_R_CONTINUE;
 
-	UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+	NODE_UNLOCK(lock, locktype);
 
 	return (result);
 }
@@ -2685,6 +3078,8 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
 	dns_name_t name;
 	dns_rbtdb_t *rbtdb;
 	isc_boolean_t done;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
 
 	/*
 	 * Caller must be holding the tree lock.
@@ -2694,7 +3089,9 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
 	i = search->chain.level_matches;
 	done = ISC_FALSE;
 	do {
-		LOCK(&(rbtdb->node_locks[node->locknum].lock));
+		locktype = isc_rwlocktype_read;
+		lock = &rbtdb->node_locks[node->locknum].lock;
+		NODE_LOCK(lock, locktype);
 
 		/*
 		 * Look for NS and RRSIG NS rdatasets.
@@ -2714,21 +3111,37 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
 				 * the node as dirty, so it will get cleaned
 				 * up later.
 				 */
-				if (node->references == 0) {
-					INSIST(header->down == NULL);
-					if (header_prev != NULL)
-						header_prev->next =
-							header->next;
-					else
-						node->data = header->next;
-					free_rdataset(rbtdb->common.mctx,
-						      header);
-				} else {
-					header->attributes |=
-						RDATASET_ATTR_STALE;
-					node->dirty = 1;
+				if ((header->ttl <= search->now -
+						    RBTDB_VIRTUAL) &&
+				    (locktype == isc_rwlocktype_write ||
+				     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
+					/*
+					 * We update the node's status only
+					 * when we can get write access.
+					 */
+					locktype = isc_rwlocktype_write;
+
+					if (dns_rbtnode_refcurrent(node)
+					    == 0) {
+						isc_mem_t *m;
+
+						m = search->rbtdb->common.mctx;
+						clean_stale_headers(m, header);
+						if (header_prev != NULL)
+							header_prev->next =
+								header->next;
+						else
+							node->data =
+								header->next;
+						free_rdataset(m, header);
+					} else {
+						header->attributes |=
+							RDATASET_ATTR_STALE;
+						node->dirty = 1;
+						header_prev = header;
+					}
+				} else
 					header_prev = header;
-				}
 			} else if (EXISTS(header)) {
 				/*
 				 * We've found an extant rdataset.  See if
@@ -2792,7 +3205,7 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
 		}
 
 	node_exit:
-		UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+		NODE_UNLOCK(lock, locktype);
 
 		if (found == NULL && i > 0) {
 			i--;
@@ -2818,6 +3231,8 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 	dns_fixedname_t fname, forigin;
 	dns_name_t *name, *origin;
 	rbtdb_rdatatype_t matchtype, sigmatchtype;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
 
 	matchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_nsec, 0);
 	sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
@@ -2833,7 +3248,9 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 						  origin, &node);
 		if (result != ISC_R_SUCCESS)
 			return (result);
-		LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+		locktype = isc_rwlocktype_read;
+		lock = &(search->rbtdb->node_locks[node->locknum].lock);
+		NODE_LOCK(lock, locktype);
 		found = NULL;
 		foundsig = NULL;
 		empty_node = ISC_TRUE;
@@ -2850,23 +3267,35 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 				 * node as dirty, so it will get cleaned up 
 				 * later.
 				 */
-				if (header->ttl > search->now - RBTDB_VIRTUAL)
-					header_prev = header;
-				else if (node->references == 0) {
-					INSIST(header->down == NULL);
-					if (header_prev != NULL)
-						header_prev->next =
-							header->next;
-					else
-						node->data = header->next;
-					free_rdataset(search->rbtdb->common.mctx,
-						      header);
-				} else {
-					header->attributes |=
-						 RDATASET_ATTR_STALE;
-					node->dirty = 1;
+				if ((header->ttl <= now - RBTDB_VIRTUAL) &&
+				    (locktype == isc_rwlocktype_write ||
+				     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
+					/*
+					 * We update the node's status only
+					 * when we can get write access.
+					 */
+					locktype = isc_rwlocktype_write;
+
+					if (dns_rbtnode_refcurrent(node)
+					    == 0) {
+						isc_mem_t *m;
+
+						m = search->rbtdb->common.mctx;
+						clean_stale_headers(m, header);
+						if (header_prev != NULL)
+							header_prev->next =
+								header->next;
+						else
+							node->data = header->next;
+						free_rdataset(m, header);
+					} else {
+						header->attributes |=
+							RDATASET_ATTR_STALE;
+						node->dirty = 1;
+						header_prev = header;
+					}
+				} else
 					header_prev = header;
-				}
 				continue;
 			}
 			if (NONEXISTENT(header) || NXDOMAIN(header)) {
@@ -2899,7 +3328,7 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 			result = dns_rbtnodechain_prev(&search->chain, NULL,
 						       NULL);
  unlock_node:
-		UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+		NODE_UNLOCK(lock, locktype);
 	} while (empty_node && result == ISC_R_SUCCESS);
 	return (result);
 }
@@ -2915,7 +3344,8 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	rbtdb_search_t search;
 	isc_boolean_t cname_ok = ISC_TRUE;
 	isc_boolean_t empty_node;
-	isc_mutex_t *lock;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
 	rdatasetheader_t *header, *header_prev, *header_next;
 	rdatasetheader_t *found, *nsheader;
 	rdatasetheader_t *foundsig, *nssig, *cnamesig;
@@ -2989,7 +3419,9 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	 * We now go looking for rdata...
 	 */
 
-	LOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+	lock = &(search.rbtdb->node_locks[node->locknum].lock);
+	locktype = isc_rwlocktype_read;
+	NODE_LOCK(lock, locktype);
 
 	found = NULL;
 	foundsig = NULL;
@@ -3009,21 +3441,34 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 			 * mark it as stale, and the node as dirty, so it will
 			 * get cleaned up later.
 			 */
-			if (header->ttl > now - RBTDB_VIRTUAL)
-				header_prev = header;
-			else if (node->references == 0) {
-				INSIST(header->down == NULL);
-				if (header_prev != NULL)
-					header_prev->next = header->next;
-				else
-					node->data = header->next;
-				free_rdataset(search.rbtdb->common.mctx,
-					      header);
-			} else {
-				header->attributes |= RDATASET_ATTR_STALE;
-				node->dirty = 1;
+			if ((header->ttl <= now - RBTDB_VIRTUAL) &&
+			    (locktype == isc_rwlocktype_write ||
+			     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
+				/*
+				 * We update the node's status only when we
+				 * can get write access.
+				 */
+				locktype = isc_rwlocktype_write;
+
+				if (dns_rbtnode_refcurrent(node) == 0) {
+					isc_mem_t *mctx;
+
+					mctx = search.rbtdb->common.mctx;
+					clean_stale_headers(mctx, header);
+					if (header_prev != NULL)
+						header_prev->next =
+							header->next;
+					else
+						node->data = header->next;
+					free_rdataset(mctx, header);
+				} else {
+					header->attributes |=
+						RDATASET_ATTR_STALE;
+					node->dirty = 1;
+					header_prev = header;
+				}
+			} else
 				header_prev = header;
-			}
 		} else if (EXISTS(header)) {
 			/*
 			 * We now know that there is at least one active
@@ -3103,7 +3548,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		 * extant rdatasets.  That means that this node doesn't
 		 * meaningfully exist, and that we really have a partial match.
 		 */
-		UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+		NODE_UNLOCK(lock, locktype);
 		goto find_ns;
 	}
 
@@ -3136,7 +3581,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		/*
 		 * Go find the deepest zone cut.
 		 */
-		UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+		NODE_UNLOCK(lock, locktype);
 		goto find_ns;
 	}
 
@@ -3183,7 +3628,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	}
 
  node_exit:
-	UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+	NODE_UNLOCK(lock, locktype);
 
  tree_exit:
 	RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
@@ -3196,13 +3641,10 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		node = search.zonecut;
 		lock = &(search.rbtdb->node_locks[node->locknum].lock);
 
-		LOCK(lock);
-		INSIST(node->references > 0);
-		node->references--;
-		if (node->references == 0)
-			no_references(search.rbtdb, node, 0,
-				      isc_rwlocktype_none);
-		UNLOCK(lock);
+		NODE_LOCK(lock, isc_rwlocktype_read);
+		decrement_reference(search.rbtdb, node, 0,
+				    isc_rwlocktype_read, isc_rwlocktype_none);
+		NODE_UNLOCK(lock, isc_rwlocktype_read);
 	}
 
 	dns_rbtnodechain_reset(&search.chain);
@@ -3217,11 +3659,13 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 		  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
 {
 	dns_rbtnode_t *node = NULL;
+	nodelock_t *lock;
 	isc_result_t result;
 	rbtdb_search_t search;
 	rdatasetheader_t *header, *header_prev, *header_next;
 	rdatasetheader_t *found, *foundsig;
 	unsigned int rbtoptions = DNS_RBTFIND_EMPTYDATA;
+	isc_rwlocktype_t locktype;
 
 	search.rbtdb = (dns_rbtdb_t *)db;
 
@@ -3264,7 +3708,9 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 	 * We now go looking for an NS rdataset at the node.
 	 */
 
-	LOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+	lock = &(search.rbtdb->node_locks[node->locknum].lock);
+	locktype = isc_rwlocktype_read;
+	NODE_LOCK(lock, locktype);
 
 	found = NULL;
 	foundsig = NULL;
@@ -3278,21 +3724,34 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 			 * mark it as stale, and the node as dirty, so it will
 			 * get cleaned up later.
 			 */
-			if (header->ttl > now - RBTDB_VIRTUAL)
-				header_prev = header;
-			else if (node->references == 0) {
-				INSIST(header->down == NULL);
-				if (header_prev != NULL)
-					header_prev->next = header->next;
-				else
-					node->data = header->next;
-				free_rdataset(search.rbtdb->common.mctx,
-					      header);
-			} else {
-				header->attributes |= RDATASET_ATTR_STALE;
-				node->dirty = 1;
+			if ((header->ttl <= now - RBTDB_VIRTUAL) &&
+			    (locktype == isc_rwlocktype_write ||
+			     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
+				/*
+				 * We update the node's status only when we
+				 * can get write access.
+				 */
+				locktype = isc_rwlocktype_write;
+
+				if (dns_rbtnode_refcurrent(node) == 0) {
+					isc_mem_t *mctx;
+
+					mctx = search.rbtdb->common.mctx;
+					clean_stale_headers(mctx, header);
+					if (header_prev != NULL)
+						header_prev->next =
+							header->next;
+					else
+						node->data = header->next;
+					free_rdataset(mctx, header);
+				} else {
+					header->attributes |=
+						RDATASET_ATTR_STALE;
+					node->dirty = 1;
+					header_prev = header;
+				}
+			} else
 				header_prev = header;
-			}
 		} else if (EXISTS(header)) {
 			/*
 			 * If we found a type we were looking for, remember
@@ -3321,7 +3780,7 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 		/*
 		 * No NS records here.
 		 */
-		UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+		NODE_UNLOCK(lock, locktype);
 		goto find_ns;
 	}
 
@@ -3335,7 +3794,7 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 		bind_rdataset(search.rbtdb, node, foundsig, search.now,
 			      sigrdataset);
 
-	UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+	NODE_UNLOCK(lock, locktype);
 
  tree_exit:
 	RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
@@ -3354,15 +3813,15 @@ static void
 attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
 	dns_rbtnode_t *node = (dns_rbtnode_t *)source;
+	unsigned int refs;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 	REQUIRE(targetp != NULL && *targetp == NULL);
 
-	LOCK(&rbtdb->node_locks[node->locknum].lock);
-	INSIST(node->references > 0);
-	node->references++;
-	INSIST(node->references != 0);			/* Catch overflow. */
-	UNLOCK(&rbtdb->node_locks[node->locknum].lock);
+	NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
+	dns_rbtnode_refincrement(node, &refs);
+	INSIST(refs != 0);
+	NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
 
 	*targetp = source;
 }
@@ -3373,35 +3832,34 @@ detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
 	dns_rbtnode_t *node;
 	isc_boolean_t want_free = ISC_FALSE;
 	isc_boolean_t inactive = ISC_FALSE;
-	unsigned int locknum;
+	rbtdb_nodelock_t *nodelock;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 	REQUIRE(targetp != NULL && *targetp != NULL);
 
 	node = (dns_rbtnode_t *)(*targetp);
-	locknum = node->locknum;
+	nodelock = &rbtdb->node_locks[node->locknum];
 
-	LOCK(&rbtdb->node_locks[locknum].lock);
+	NODE_LOCK(&nodelock->lock, isc_rwlocktype_read);
 
-	INSIST(node->references > 0);
-	node->references--;
-	if (node->references == 0) {
-		no_references(rbtdb, node, 0, isc_rwlocktype_none);
-		if (rbtdb->node_locks[locknum].references == 0 &&
-		    rbtdb->node_locks[locknum].exiting)
+	if (decrement_reference(rbtdb, node, 0, isc_rwlocktype_read,
+				isc_rwlocktype_none)) {
+		if (isc_refcount_current(&nodelock->references) == 0 &&
+		    nodelock->exiting) {
 			inactive = ISC_TRUE;
+		}
 	}
 
-	UNLOCK(&rbtdb->node_locks[locknum].lock);
+	NODE_UNLOCK(&nodelock->lock, isc_rwlocktype_read);
 
 	*targetp = NULL;
 
 	if (inactive) {
-		LOCK(&rbtdb->lock);
+		RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
 		rbtdb->active--;
 		if (rbtdb->active == 0)
 			want_free = ISC_TRUE;
-		UNLOCK(&rbtdb->lock);
+		RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
 		if (want_free) {
 			char buf[DNS_NAME_FORMATSIZE];
 			if (dns_name_dynamic(&rbtdb->common.origin))
@@ -3465,14 +3923,19 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
 							   sizeof(printname)));
 	}
 
-	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	/*
+	 * We may not need write access, but this code path is not performance
+	 * sensitive, so it should be okay to always lock as a writer.
+	 */
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
 
 	for (header = rbtnode->data; header != NULL; header = header->next)
 		if (header->ttl <= now - RBTDB_VIRTUAL) {
 			/*
-			 * We don't check if rbtnode->references == 0 and try
+			 * We don't check if refcurrent(rbtnode) == 0 and try
 			 * to free like we do in cache_find(), because
-			 * rbtnode->references must be non-zero.  This is so
+			 * refcurrent(rbtnode) must be non-zero.  This is so
 			 * because 'node' is an argument to the function.
 			 */
 			header->attributes |= RDATASET_ATTR_STALE;
@@ -3496,7 +3959,8 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
 			isc_log_write(dns_lctx, category, module, level,
 				      "overmem cache: saved %s", printname);
 
-	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
 
 	return (ISC_R_SUCCESS);
 }
@@ -3518,10 +3982,12 @@ printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 
-	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
 
 	fprintf(out, "node %p, %u references, locknum = %u\n",
-		rbtnode, rbtnode->references, rbtnode->locknum);
+		rbtnode, dns_rbtnode_refcurrent(rbtnode),
+		rbtnode->locknum);
 	if (rbtnode->data != NULL) {
 		rdatasetheader_t *current, *top_next;
 
@@ -3547,7 +4013,8 @@ printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
 	} else
 		fprintf(out, "(empty)\n");
 
-	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
 }
 
 static isc_result_t
@@ -3608,7 +4075,8 @@ zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	serial = rbtversion->serial;
 	now = 0;
 
-	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
 
 	found = NULL;
 	foundsig = NULL;
@@ -3656,7 +4124,8 @@ zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 				      sigrdataset);
 	}
 
-	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
 
 	if (close_version)
 		closeversion(db, (dns_dbversion_t **) (void *)(&rbtversion),
@@ -3679,6 +4148,8 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	rdatasetheader_t *header, *header_next, *found, *foundsig;
 	rbtdb_rdatatype_t matchtype, sigmatchtype, negtype;
 	isc_result_t result;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 	REQUIRE(type != dns_rdatatype_any);
@@ -3690,7 +4161,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	if (now == 0)
 		isc_stdtime_get(&now);
 
-	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	lock = &rbtdb->node_locks[rbtnode->locknum].lock;
+	locktype = isc_rwlocktype_read;
+	NODE_LOCK(lock, locktype);
 
 	found = NULL;
 	foundsig = NULL;
@@ -3704,13 +4177,22 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	for (header = rbtnode->data; header != NULL; header = header_next) {
 		header_next = header->next;
 		if (header->ttl <= now) {
-			/*
-			 * We don't check if rbtnode->references == 0 and try
-			 * to free like we do in cache_find(), because
-			 * rbtnode->references must be non-zero.  This is so
-			 * because 'node' is an argument to the function.
-			 */
-			if (header->ttl <= now - RBTDB_VIRTUAL) {
+			if ((header->ttl <= now - RBTDB_VIRTUAL) &&
+			    (locktype == isc_rwlocktype_write ||
+			     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
+				/*
+				 * We update the node's status only when we
+				 * can get write access.
+				 */
+				locktype = isc_rwlocktype_write;
+				
+				/*
+				 * We don't check if refcurrent(rbtnode) == 0
+				 * and try to free like we do in cache_find(),
+				 * because refcurrent(rbtnode) must be
+				 * non-zero.  This is so because 'node' is an
+				 * argument to the function.
+				 */
 				header->attributes |= RDATASET_ATTR_STALE;
 				rbtnode->dirty = 1;
 			}
@@ -3731,7 +4213,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 				      sigrdataset);
 	}
 
-	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_UNLOCK(lock, locktype);
 
 	if (found == NULL)
 		return (ISC_R_NOTFOUND);
@@ -3757,6 +4239,7 @@ allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
 	rbtdb_version_t *rbtversion = version;
 	rbtdb_rdatasetiter_t *iterator;
+	unsigned int refs;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 
@@ -3770,11 +4253,11 @@ allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			currentversion(db,
 				 (dns_dbversion_t **) (void *)(&rbtversion));
 		else {
-			LOCK(&rbtdb->lock);
-			INSIST(rbtversion->references > 0);
-			rbtversion->references++;
-			INSIST(rbtversion->references != 0);
-			UNLOCK(&rbtdb->lock);
+			unsigned int refs;
+
+			isc_refcount_increment(&rbtversion->references,
+					       &refs);
+			INSIST(refs > 1);
 		}
 	} else {
 		if (now == 0)
@@ -3789,14 +4272,14 @@ allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	iterator->common.version = (dns_dbversion_t *)rbtversion;
 	iterator->common.now = now;
 
-	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_STRONGLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+	dns_rbtnode_refincrement(rbtnode, &refs);
+	INSIST(refs != 0);
 
-	INSIST(rbtnode->references > 0);
-	rbtnode->references++;
-	INSIST(rbtnode->references != 0);
 	iterator->current = NULL;
 
-	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_STRONGUNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
 
 	*iteratorp = (dns_rdatasetiter_t *)iterator;
 
@@ -3987,6 +4470,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 					 * The NXDOMAIN/NODATA(QTYPE=ANY)
 					 * is more trusted.
 					 */
+					
 					free_rdataset(rbtdb->common.mctx,
 						      newheader);
 					if (addedrdataset != NULL)
@@ -4343,6 +4827,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	newheader->noqname = NULL;
 	newheader->count = 0;
 	newheader->trust = rdataset->trust;
+	newheader->additional_auth = NULL;
+	newheader->additional_glue = NULL;
 	if (rbtversion != NULL) {
 		newheader->serial = rbtversion->serial;
 		now = 0;
@@ -4371,14 +4857,16 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	} else
 		delegating = ISC_FALSE;
 
-	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
 
 	result = add(rbtdb, rbtnode, rbtversion, newheader, options, ISC_FALSE,
 		     addedrdataset, now);
 	if (result == ISC_R_SUCCESS && delegating)
 		rbtnode->find_callback = 1;
 
-	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
 
 	if (delegating)
 		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
@@ -4423,13 +4911,17 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	newheader->trust = 0;
 	newheader->noqname = NULL;
 	newheader->count = 0;
+	newheader->additional_auth = NULL;
+	newheader->additional_glue = NULL;
 
-	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
 
 	changed = add_changed(rbtdb, rbtversion, rbtnode);
 	if (changed == NULL) {
 		free_rdataset(rbtdb->common.mctx, newheader);
-		UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+		NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+			    isc_rwlocktype_write);
 		return (ISC_R_NOMEMORY);
 	}
 
@@ -4476,6 +4968,13 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			 * header, not newheader.
 			 */
 			newheader->serial = rbtversion->serial;
+			/*
+			 * XXXJT: dns_rdataslab_subtract() copied the pointers
+			 * to additional info.  We need to clear these fields
+			 * to avoid having duplicated references.
+			 */
+			newheader->additional_auth = NULL;
+			newheader->additional_glue = NULL;
 		} else if (result == DNS_R_NXRRSET) {
 			/*
 			 * This subtraction would remove all of the rdata;
@@ -4495,6 +4994,8 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			newheader->serial = rbtversion->serial;
 			newheader->noqname = NULL;
 			newheader->count = 0;
+			newheader->additional_auth = NULL;
+			newheader->additional_glue = NULL;
 		} else {
 			free_rdataset(rbtdb->common.mctx, newheader);
 			goto unlock;
@@ -4530,7 +5031,8 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		bind_rdataset(rbtdb, rbtnode, newheader, 0, newrdataset);
 
  unlock:
-	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
 
 	/*
 	 * Update the zone's secure status.  If version is non-NULL
@@ -4567,18 +5069,22 @@ deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	newheader->attributes = RDATASET_ATTR_NONEXISTENT;
 	newheader->trust = 0;
 	newheader->noqname = NULL;
+	newheader->additional_auth = NULL;
+	newheader->additional_glue = NULL;
 	if (rbtversion != NULL)
 		newheader->serial = rbtversion->serial;
 	else
 		newheader->serial = 0;
 	newheader->count = 0;
 
-	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
 
 	result = add(rbtdb, rbtnode, rbtversion, newheader, DNS_DBADD_FORCE,
 		     ISC_FALSE, NULL, 0);
 
-	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
 
 	/*
 	 * Update the zone's secure status.  If version is non-NULL
@@ -4656,6 +5162,8 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
 	newheader->serial = 1;
 	newheader->noqname = NULL;
 	newheader->count = 0;
+	newheader->additional_auth = NULL;
+	newheader->additional_glue = NULL;
 
 	result = add(rbtdb, node, rbtdb->current_version, newheader,
 		     DNS_DBADD_MERGE, ISC_TRUE, NULL, 0);
@@ -4687,13 +5195,13 @@ beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) {
 	else
 		loadctx->now = 0;
 
-	LOCK(&rbtdb->lock);
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
 
 	REQUIRE((rbtdb->attributes & (RBTDB_ATTR_LOADED|RBTDB_ATTR_LOADING))
 		== 0);
 	rbtdb->attributes |= RBTDB_ATTR_LOADING;
 
-	UNLOCK(&rbtdb->lock);
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
 
 	*addp = loading_addrdataset;
 	*dbloadp = loadctx;
@@ -4711,7 +5219,7 @@ endload(dns_db_t *db, dns_dbload_t **dbloadp) {
 	loadctx = *dbloadp;
 	REQUIRE(loadctx->rbtdb == rbtdb);
 
-	LOCK(&rbtdb->lock);
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
 
 	REQUIRE((rbtdb->attributes & RBTDB_ATTR_LOADING) != 0);
 	REQUIRE((rbtdb->attributes & RBTDB_ATTR_LOADED) == 0);
@@ -4719,7 +5227,7 @@ endload(dns_db_t *db, dns_dbload_t **dbloadp) {
 	rbtdb->attributes &= ~RBTDB_ATTR_LOADING;
 	rbtdb->attributes |= RBTDB_ATTR_LOADED;
 
-	UNLOCK(&rbtdb->lock);
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
 
 	/*
 	 * If there's a KEY rdataset at the zone origin containing a
@@ -4736,16 +5244,17 @@ endload(dns_db_t *db, dns_dbload_t **dbloadp) {
 }
 
 static isc_result_t
-dump(dns_db_t *db, dns_dbversion_t *version, const char *filename) {
+dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
+     dns_masterformat_t masterformat) {
 	dns_rbtdb_t *rbtdb;
 
 	rbtdb = (dns_rbtdb_t *)db;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 
-	return (dns_master_dump(rbtdb->common.mctx, db, version,
-				&dns_master_style_default,
-				filename));
+	return (dns_master_dump2(rbtdb->common.mctx, db, version,
+				 &dns_master_style_default,
+				 filename, masterformat));
 }
 
 static void
@@ -4799,12 +5308,12 @@ settask(dns_db_t *db, isc_task_t *task) {
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 
-	LOCK(&rbtdb->lock);
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
 	if (rbtdb->task != NULL)
 		isc_task_detach(&rbtdb->task);
 	if (task != NULL)
 		isc_task_attach(task, &rbtdb->task);
-	UNLOCK(&rbtdb->lock);
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
 }
 
 static isc_boolean_t
@@ -4813,6 +5322,31 @@ ispersistent(dns_db_t *db) {
 	return (ISC_FALSE);
 }
 
+static isc_result_t
+getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *onode;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	/* Note that the access to origin_node doesn't require a DB lock */
+	onode = (dns_rbtnode_t *)rbtdb->origin_node;
+	if (onode != NULL) {
+		NODE_STRONGLOCK(&rbtdb->node_locks[onode->locknum].lock);
+		new_reference(rbtdb, onode);
+		NODE_STRONGUNLOCK(&rbtdb->node_locks[onode->locknum].lock);
+
+		*nodep = rbtdb->origin_node;
+	} else {
+		INSIST(!IS_CACHE(rbtdb));
+		result = ISC_R_NOTFOUND;
+	}
+
+	return (result);
+}
+
 static dns_dbmethods_t zone_methods = {
 	attach,
 	detach,
@@ -4840,7 +5374,8 @@ static dns_dbmethods_t zone_methods = {
 	nodecount,
 	ispersistent,
 	overmem,
-	settask
+	settask,
+	getoriginnode
 };
 
 static dns_dbmethods_t cache_methods = {
@@ -4870,7 +5405,8 @@ static dns_dbmethods_t cache_methods = {
 	nodecount,
 	ispersistent,
 	overmem,
-	settask
+	settask,
+	getoriginnode
 };
 
 isc_result_t
@@ -4896,6 +5432,7 @@ dns_rbtdb_create
 	rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
 	if (rbtdb == NULL)
 		return (ISC_R_NOMEMORY);
+
 	memset(rbtdb, '\0', sizeof(*rbtdb));
 	dns_name_init(&rbtdb->common.origin, NULL);
 	rbtdb->common.attributes = 0;
@@ -4910,55 +5447,48 @@ dns_rbtdb_create
 	rbtdb->common.rdclass = rdclass;
 	rbtdb->common.mctx = NULL;
 
-	result = isc_mutex_init(&rbtdb->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, rbtdb, sizeof(*rbtdb));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
+	result = RBTDB_INITLOCK(&rbtdb->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_rbtdb;
 
 	result = isc_rwlock_init(&rbtdb->tree_lock, 0, 0);
-	if (result != ISC_R_SUCCESS) {
-		DESTROYLOCK(&rbtdb->lock);
-		isc_mem_put(mctx, rbtdb, sizeof(*rbtdb));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_rwlock_init() failed: %s",
-				 isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_lock;
 
+	if (rbtdb->node_lock_count == 0) {
+		if (IS_CACHE(rbtdb))
+			rbtdb->node_lock_count = DEFAULT_CACHE_NODE_LOCK_COUNT;
+		else
+			rbtdb->node_lock_count = DEFAULT_NODE_LOCK_COUNT;
+	}
 	INSIST(rbtdb->node_lock_count < (1 << DNS_RBT_LOCKLENGTH));
-
-	if (rbtdb->node_lock_count == 0)
-		rbtdb->node_lock_count = DEFAULT_NODE_LOCK_COUNT;
 	rbtdb->node_locks = isc_mem_get(mctx, rbtdb->node_lock_count *
 					sizeof(rbtdb_nodelock_t));
+	if (rbtdb->node_locks == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_tree_lock;
+	}
+
 	rbtdb->active = rbtdb->node_lock_count;
+
 	for (i = 0; i < (int)(rbtdb->node_lock_count); i++) {
-		result = isc_mutex_init(&rbtdb->node_locks[i].lock);
+		result = NODE_INITLOCK(&rbtdb->node_locks[i].lock);
+		if (result == ISC_R_SUCCESS) {
+			result = isc_refcount_init(&rbtdb->node_locks[i].references, 0);
+			if (result != ISC_R_SUCCESS)
+				NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock);
+		}
 		if (result != ISC_R_SUCCESS) {
-			i--;
-			while (i >= 0) {
-				DESTROYLOCK(&rbtdb->node_locks[i].lock);
-				i--;
+			while (i-- > 0) {
+				NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock);
+				isc_refcount_decrement(&rbtdb->node_locks[i].references, NULL);
+				isc_refcount_destroy(&rbtdb->node_locks[i].references);
 			}
-			isc_mem_put(mctx, rbtdb->node_locks,
-				    rbtdb->node_lock_count *
-				    sizeof(rbtdb_nodelock_t));
-			isc_rwlock_destroy(&rbtdb->tree_lock);
-			DESTROYLOCK(&rbtdb->lock);
-			isc_mem_put(mctx, rbtdb, sizeof(*rbtdb));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_mutex_init() failed: %s",
-					 isc_result_totext(result));
-			return (ISC_R_UNEXPECTED);
+			goto cleanup_node_locks;
 		}
-		rbtdb->node_locks[i].references = 0;
 		rbtdb->node_locks[i].exiting = ISC_FALSE;
 	}
-
+	
 	/*
 	 * Attach to the mctx.  The database will persist so long as there
 	 * are references to it, and attaching to the mctx ensures that our
@@ -5001,7 +5531,7 @@ dns_rbtdb_create
 	 * the top-of-zone node can never be deleted, nor can its address
 	 * change.
 	 */
-	if (! IS_CACHE(rbtdb)) {
+	if (!IS_CACHE(rbtdb)) {
 		rbtdb->origin_node = NULL;
 		result = dns_rbt_addnode(rbtdb->tree, &rbtdb->common.origin,
 					 &rbtdb->origin_node);
@@ -5029,7 +5559,11 @@ dns_rbtdb_create
 	/*
 	 * Misc. Initialization.
 	 */
-	isc_refcount_init(&rbtdb->references, 1);
+	result = isc_refcount_init(&rbtdb->references, 1);
+	if (result != ISC_R_SUCCESS) {
+		free_rbtdb(rbtdb, ISC_FALSE, NULL);
+		return (result);
+	}
 	rbtdb->attributes = 0;
 	rbtdb->secure = ISC_FALSE;
 	rbtdb->overmem = ISC_FALSE;
@@ -5041,13 +5575,20 @@ dns_rbtdb_create
 	rbtdb->current_serial = 1;
 	rbtdb->least_serial = 1;
 	rbtdb->next_serial = 2;
-	rbtdb->current_version = allocate_version(mctx, 1, 0, ISC_FALSE);
+	rbtdb->current_version = allocate_version(mctx, 1, 1, ISC_FALSE);
 	if (rbtdb->current_version == NULL) {
+		isc_refcount_decrement(&rbtdb->references, NULL);
+		isc_refcount_destroy(&rbtdb->references);
 		free_rbtdb(rbtdb, ISC_FALSE, NULL);
 		return (ISC_R_NOMEMORY);
 	}
 	rbtdb->future_version = NULL;
 	ISC_LIST_INIT(rbtdb->open_versions);
+	/*
+	 * Keep the current version in the open list so that list operation
+	 * won't happen in normal lookup operations.
+	 */
+	PREPEND(rbtdb->open_versions, rbtdb->current_version, link);
 
 	rbtdb->common.magic = DNS_DB_MAGIC;
 	rbtdb->common.impmagic = RBTDB_MAGIC;
@@ -5055,6 +5596,20 @@ dns_rbtdb_create
 	*dbp = (dns_db_t *)rbtdb;
 
 	return (ISC_R_SUCCESS);
+
+ cleanup_node_locks:
+	isc_mem_put(mctx, rbtdb->node_locks,
+		    rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
+
+ cleanup_tree_lock:
+	isc_rwlock_destroy(&rbtdb->tree_lock);
+
+ cleanup_lock:
+	RBTDB_DESTROYLOCK(&rbtdb->lock);
+
+ cleanup_rbtdb:
+	isc_mem_put(mctx, rbtdb,  sizeof(*rbtdb));
+	return (result);
 }
 
 
@@ -5072,7 +5627,7 @@ rdataset_disassociate(dns_rdataset_t *rdataset) {
 
 static isc_result_t
 rdataset_first(dns_rdataset_t *rdataset) {
-	unsigned char *raw = rdataset->private3;
+	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
 	unsigned int count;
 
 	count = raw[0] * 256 + raw[1];
@@ -5080,11 +5635,20 @@ rdataset_first(dns_rdataset_t *rdataset) {
 		rdataset->private5 = NULL;
 		return (ISC_R_NOMORE);
 	}
-	raw += 2;
+	
+	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) == 0)
+		raw += 2 + (4 * count);
+	else
+		raw += 2;
+
 	/*
-	 * The privateuint4 field is the number of rdata beyond the cursor
-	 * position, so we decrement the total count by one before storing
-	 * it.
+	 * The privateuint4 field is the number of rdata beyond the
+	 * cursor position, so we decrement the total count by one
+	 * before storing it.
+	 *
+	 * If DNS_RDATASETATTR_LOADORDER is not set 'raw' points to the
+	 * first record.  If DNS_RDATASETATTR_LOADORDER is set 'raw' points
+	 * to the first entry in the offset table.
 	 */
 	count--;
 	rdataset->privateuint4 = count;
@@ -5097,30 +5661,47 @@ static isc_result_t
 rdataset_next(dns_rdataset_t *rdataset) {
 	unsigned int count;
 	unsigned int length;
-	unsigned char *raw;
+	unsigned char *raw;	/* RDATASLAB */
 
 	count = rdataset->privateuint4;
 	if (count == 0)
 		return (ISC_R_NOMORE);
 	count--;
 	rdataset->privateuint4 = count;
+
+	/*
+	 * Skip forward one record (length + 4) or one offset (4).
+	 */
 	raw = rdataset->private5;
-	length = raw[0] * 256 + raw[1];
-	raw += length + 2;
-	rdataset->private5 = raw;
+	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) == 0) {
+		length = raw[0] * 256 + raw[1];
+		raw += length;
+	}
+	rdataset->private5 = raw + 4;
 
 	return (ISC_R_SUCCESS);
 }
 
 static void
 rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
-	unsigned char *raw = rdataset->private5;
+	unsigned char *raw = rdataset->private5;	/* RDATASLAB */
+	unsigned int offset;
 	isc_region_t r;
 
 	REQUIRE(raw != NULL);
 
+	/*
+	 * Find the start of the record if not already in private5
+	 * then skip the length and order fields.
+	 */
+	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) != 0) {
+		offset = (raw[0] << 24) + (raw[1] << 16) +
+			 (raw[2] << 8) + raw[3];
+		raw = rdataset->private3;
+		raw += offset;
+	}
 	r.length = raw[0] * 256 + raw[1];
-	raw += 2;
+	raw += 4;
 	r.base = raw;
 	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
 }
@@ -5143,7 +5724,7 @@ rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
 
 static unsigned int
 rdataset_count(dns_rdataset_t *rdataset) {
-	unsigned char *raw = rdataset->private3;
+	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
 	unsigned int count;
 
 	count = raw[0] * 256 + raw[1];
@@ -5233,7 +5814,8 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
 		now = 0;
 	}
 
-	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
 
 	for (header = rbtnode->data; header != NULL; header = top_next) {
 		top_next = header->next;
@@ -5260,7 +5842,8 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
 			break;
 	}
 
-	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
 
 	rbtiterator->current = header;
 
@@ -5294,7 +5877,8 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 		now = 0;
 	}
 
-	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
 
 	type = header->type;
 	rdtype = RBTDB_RDATATYPE_BASE(header->type);
@@ -5335,7 +5919,8 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 		}
 	}
 
-	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
 
 	rbtiterator->current = header;
 
@@ -5355,12 +5940,14 @@ rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
 	header = rbtiterator->current;
 	REQUIRE(header != NULL);
 
-	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
 
 	bind_rdataset(rbtdb, rbtnode, header, rbtiterator->common.now,
 		      rdataset);
 
-	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
 }
 
 
@@ -5377,26 +5964,25 @@ reference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
 		return;
 
 	INSIST(rbtdbiter->tree_locked != isc_rwlocktype_none);
-	LOCK(&rbtdb->node_locks[node->locknum].lock);
+	NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
 	new_reference(rbtdb, node);
-	UNLOCK(&rbtdb->node_locks[node->locknum].lock);
+	NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
 }
 
 static inline void
 dereference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
 	dns_rbtnode_t *node = rbtdbiter->node;
-	isc_mutex_t *lock;
+	nodelock_t *lock;
 
 	if (node == NULL)
 		return;
 
 	lock = &rbtdb->node_locks[node->locknum].lock;
-	LOCK(lock);
-	INSIST(rbtdbiter->node->references > 0);
-	if (--node->references == 0)
-		no_references(rbtdb, node, 0, rbtdbiter->tree_locked);
-	UNLOCK(lock);
+	NODE_LOCK(lock, isc_rwlocktype_read);
+	decrement_reference(rbtdb, node, 0, isc_rwlocktype_read,
+			    rbtdbiter->tree_locked);
+	NODE_UNLOCK(lock, isc_rwlocktype_read);
 
 	rbtdbiter->node = NULL;
 }
@@ -5406,7 +5992,7 @@ flush_deletions(rbtdb_dbiterator_t *rbtdbiter) {
 	dns_rbtnode_t *node;
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
 	isc_boolean_t was_read_locked = ISC_FALSE;
-	isc_mutex_t *lock;
+	nodelock_t *lock;
 	int i;
 
 	if (rbtdbiter->delete != 0) {
@@ -5433,13 +6019,11 @@ flush_deletions(rbtdb_dbiterator_t *rbtdbiter) {
 			node = rbtdbiter->deletions[i];
 			lock = &rbtdb->node_locks[node->locknum].lock;
 
-			LOCK(lock);
-			INSIST(node->references > 0);
-			node->references--;
-			if (node->references == 0)
-				no_references(rbtdb, node, 0,
-					      rbtdbiter->tree_locked);
-			UNLOCK(lock);
+			NODE_LOCK(lock, isc_rwlocktype_read);
+			decrement_reference(rbtdb, node, 0,
+					    isc_rwlocktype_read,
+					    rbtdbiter->tree_locked);
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
 		}
 
 		rbtdbiter->delete = 0;
@@ -5707,9 +6291,9 @@ dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
 	} else
 		result = ISC_R_SUCCESS;
 
-	LOCK(&rbtdb->node_locks[node->locknum].lock);
+	NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
 	new_reference(rbtdb, node);
-	UNLOCK(&rbtdb->node_locks[node->locknum].lock);
+	NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
 
 	*nodep = rbtdbiter->node;
 
@@ -5730,10 +6314,13 @@ dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
 		 * expirenode() currently always returns success.
 		 */
 		if (expire_result == ISC_R_SUCCESS && node->down == NULL) {
+			unsigned int refs;
+
 			rbtdbiter->deletions[rbtdbiter->delete++] = node;
-			LOCK(&rbtdb->node_locks[node->locknum].lock);
-			node->references++;
-			UNLOCK(&rbtdb->node_locks[node->locknum].lock);
+			NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
+			dns_rbtnode_refincrement(node, &refs);
+			INSIST(refs != 0);
+			NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
 		}
 	}
 
@@ -5775,3 +6362,356 @@ dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
 
 	return (dns_name_copy(origin, name, NULL));
 }
+
+/*%
+ * Additional cache routines.
+ */
+static isc_result_t
+rdataset_getadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
+		       dns_rdatatype_t qtype, dns_acache_t *acache,
+		       dns_zone_t **zonep, dns_db_t **dbp,
+		       dns_dbversion_t **versionp, dns_dbnode_t **nodep,
+		       dns_name_t *fname, dns_message_t *msg,
+		       isc_stdtime_t now)
+{
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *rbtnode = rdataset->private2;
+	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
+	unsigned int current_count = rdataset->privateuint4;
+	unsigned int count;
+	rdatasetheader_t *header;
+	nodelock_t *nodelock;
+	unsigned int total_count;
+	acachectl_t *acarray;
+	dns_acacheentry_t *entry;
+	isc_result_t result;
+
+	UNUSED(qtype); /* we do not use this value at least for now */
+	UNUSED(acache);
+
+	header = (struct rdatasetheader *)(raw - sizeof(*header));
+
+	total_count = raw[0] * 256 + raw[1];
+	INSIST(total_count > current_count);
+	count = total_count - current_count - 1;
+
+	acarray = NULL;
+
+	nodelock = &rbtdb->node_locks[rbtnode->locknum].lock;
+	NODE_LOCK(nodelock, isc_rwlocktype_read);
+
+	switch (type) {
+	case dns_rdatasetadditional_fromauth:
+		acarray = header->additional_auth;
+		break;
+	case dns_rdatasetadditional_fromcache:
+		acarray = NULL;
+		break;
+	case dns_rdatasetadditional_fromglue:
+		acarray = header->additional_glue;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	if (acarray == NULL) {
+		if (type != dns_rdatasetadditional_fromcache)
+			dns_acache_countquerymiss(acache);
+		NODE_UNLOCK(nodelock, isc_rwlocktype_read);
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (acarray[count].entry == NULL) {
+		dns_acache_countquerymiss(acache);
+		NODE_UNLOCK(nodelock, isc_rwlocktype_read);
+		return (ISC_R_NOTFOUND);
+	}
+
+	entry = NULL;
+	dns_acache_attachentry(acarray[count].entry, &entry);
+
+	NODE_UNLOCK(nodelock, isc_rwlocktype_read);
+
+	result = dns_acache_getentry(entry, zonep, dbp, versionp,
+				     nodep, fname, msg, now);
+
+	dns_acache_detachentry(&entry);
+
+	return (result);
+}
+
+static void
+acache_callback(dns_acacheentry_t *entry, void **arg) {
+	dns_rbtdb_t *rbtdb;
+	dns_rbtnode_t *rbtnode;
+	nodelock_t *nodelock;
+	acachectl_t *acarray = NULL;
+	acache_cbarg_t *cbarg;
+	unsigned int count;
+
+	REQUIRE(arg != NULL);
+	cbarg = *arg;
+
+	/*
+	 * The caller must hold the entry lock.
+	 */
+
+	rbtdb = (dns_rbtdb_t *)cbarg->db;
+	rbtnode = (dns_rbtnode_t *)cbarg->node;
+
+	nodelock = &rbtdb->node_locks[rbtnode->locknum].lock;
+	NODE_LOCK(nodelock, isc_rwlocktype_write);
+
+	switch (cbarg->type) {
+	case dns_rdatasetadditional_fromauth:
+		acarray = cbarg->header->additional_auth;
+		break;
+	case dns_rdatasetadditional_fromglue:
+		acarray = cbarg->header->additional_glue;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	count = cbarg->count;
+	if (acarray[count].entry == entry)
+		acarray[count].entry = NULL;
+	INSIST(acarray[count].cbarg != NULL);
+	isc_mem_put(rbtdb->common.mctx, acarray[count].cbarg,
+		    sizeof(acache_cbarg_t));
+	acarray[count].cbarg = NULL;
+
+	dns_acache_detachentry(&entry);
+
+	NODE_UNLOCK(nodelock, isc_rwlocktype_write);
+
+	dns_db_detachnode((dns_db_t *)rbtdb, (dns_dbnode_t **)(void*)&rbtnode);
+	dns_db_detach((dns_db_t **)(void*)&rbtdb);
+
+	*arg = NULL;
+}
+
+static void
+acache_cancelentry(isc_mem_t *mctx, dns_acacheentry_t *entry,
+		      acache_cbarg_t **cbargp)
+{
+	acache_cbarg_t *cbarg;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(entry != NULL);
+	REQUIRE(cbargp != NULL && *cbargp != NULL);
+
+	cbarg = *cbargp;
+
+	dns_acache_cancelentry(entry);
+	dns_db_detachnode(cbarg->db, &cbarg->node);
+	dns_db_detach(&cbarg->db);
+
+	isc_mem_put(mctx, cbarg, sizeof(acache_cbarg_t));
+
+	*cbargp = NULL;
+}
+
+static isc_result_t
+rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
+		       dns_rdatatype_t qtype, dns_acache_t *acache,
+		       dns_zone_t *zone, dns_db_t *db,
+		       dns_dbversion_t *version, dns_dbnode_t *node,
+		       dns_name_t *fname)
+{
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *rbtnode = rdataset->private2;
+	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
+	unsigned int current_count = rdataset->privateuint4;
+	rdatasetheader_t *header;
+	unsigned int total_count, count;
+	nodelock_t *nodelock;
+	isc_result_t result;
+	acachectl_t *acarray;
+	dns_acacheentry_t *newentry, *oldentry = NULL;
+	acache_cbarg_t *newcbarg, *oldcbarg = NULL;
+
+	UNUSED(qtype);
+
+	if (type == dns_rdatasetadditional_fromcache)
+		return (ISC_R_SUCCESS);
+
+	header = (struct rdatasetheader *)(raw - sizeof(*header));
+
+	total_count = raw[0] * 256 + raw[1];
+	INSIST(total_count > current_count);
+	count = total_count - current_count - 1; /* should be private data */
+
+	newcbarg = isc_mem_get(rbtdb->common.mctx, sizeof(*newcbarg));
+	if (newcbarg == NULL)
+		return (ISC_R_NOMEMORY);
+	newcbarg->type = type;
+	newcbarg->count = count;
+	newcbarg->header = header;
+	newcbarg->db = NULL;
+	dns_db_attach((dns_db_t *)rbtdb, &newcbarg->db);
+	newcbarg->node = NULL;
+	dns_db_attachnode((dns_db_t *)rbtdb, (dns_dbnode_t *)rbtnode,
+			  &newcbarg->node);
+	newentry = NULL;
+	result = dns_acache_createentry(acache, (dns_db_t *)rbtdb,
+					acache_callback, newcbarg, &newentry);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	/* Set cache data in the new entry. */
+	result = dns_acache_setentry(acache, newentry, zone, db,
+				     version, node, fname);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	nodelock = &rbtdb->node_locks[rbtnode->locknum].lock;
+	NODE_LOCK(nodelock, isc_rwlocktype_write);
+
+	acarray = NULL;
+	switch (type) {
+	case dns_rdatasetadditional_fromauth:
+		acarray = header->additional_auth;
+		break;
+	case dns_rdatasetadditional_fromglue:
+		acarray = header->additional_glue;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	if (acarray == NULL) {
+		unsigned int i;
+
+		acarray = isc_mem_get(rbtdb->common.mctx, total_count *
+				      sizeof(acachectl_t));
+
+		if (acarray == NULL) {
+			NODE_UNLOCK(nodelock, isc_rwlocktype_write);
+			goto fail;
+		}
+
+		for (i = 0; i < total_count; i++) {
+			acarray[i].entry = NULL;
+			acarray[i].cbarg = NULL;
+		}
+	}
+	switch (type) {
+	case dns_rdatasetadditional_fromauth:
+		header->additional_auth = acarray;
+		break;
+	case dns_rdatasetadditional_fromglue:
+		header->additional_glue = acarray;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	if (acarray[count].entry != NULL) {
+		/*
+		 * Swap the entry.  Delay cleaning-up the old entry since
+		 * it would require a node lock.
+		 */
+		oldentry = acarray[count].entry;
+		INSIST(acarray[count].cbarg != NULL);
+		oldcbarg = acarray[count].cbarg;
+	}
+	acarray[count].entry = newentry;
+	acarray[count].cbarg = newcbarg;
+
+	NODE_UNLOCK(nodelock, isc_rwlocktype_write);
+
+	if (oldentry != NULL) {
+		if (oldcbarg != NULL)
+			acache_cancelentry(rbtdb->common.mctx, oldentry,
+					   &oldcbarg); 
+		dns_acache_detachentry(&oldentry);
+	}
+
+	return (ISC_R_SUCCESS);
+
+  fail:
+	if (newcbarg != NULL) {
+		if (newentry != NULL) {
+			acache_cancelentry(rbtdb->common.mctx, newentry,
+					   &newcbarg);
+			dns_acache_detachentry(&newentry);
+		} else {
+			dns_db_detachnode((dns_db_t *)rbtdb, &newcbarg->node);
+			dns_db_detach(&newcbarg->db);
+			isc_mem_put(rbtdb->common.mctx, newcbarg,
+			    sizeof(*newcbarg));
+		}
+	}
+
+	return (result);
+}
+
+static isc_result_t
+rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset,
+		       dns_rdatasetadditional_t type, dns_rdatatype_t qtype)
+{ 
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *rbtnode = rdataset->private2;
+	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
+	unsigned int current_count = rdataset->privateuint4;
+	rdatasetheader_t *header;
+	nodelock_t *nodelock;
+	unsigned int total_count, count;
+	acachectl_t *acarray;
+	dns_acacheentry_t *entry;
+	acache_cbarg_t *cbarg;
+
+	UNUSED(qtype);		/* we do not use this value at least for now */
+	UNUSED(acache);
+
+	if (type == dns_rdatasetadditional_fromcache)
+		return (ISC_R_SUCCESS);
+
+	header = (struct rdatasetheader *)(raw - sizeof(*header));
+
+	total_count = raw[0] * 256 + raw[1];
+	INSIST(total_count > current_count);
+	count = total_count - current_count - 1;
+
+	acarray = NULL;
+	entry = NULL;
+
+	nodelock = &rbtdb->node_locks[rbtnode->locknum].lock;
+	NODE_LOCK(nodelock, isc_rwlocktype_write);
+
+	switch (type) {
+	case dns_rdatasetadditional_fromauth:
+		acarray = header->additional_auth;
+		break;
+	case dns_rdatasetadditional_fromglue:
+		acarray = header->additional_glue;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	if (acarray == NULL) {
+		NODE_UNLOCK(nodelock, isc_rwlocktype_write);
+		return (ISC_R_NOTFOUND);
+	}
+
+	entry = acarray[count].entry;
+	if (entry == NULL) {
+		NODE_UNLOCK(nodelock, isc_rwlocktype_write);
+		return (ISC_R_NOTFOUND);
+	}
+
+	acarray[count].entry = NULL;
+	cbarg = acarray[count].cbarg;
+	acarray[count].cbarg = NULL;
+
+	NODE_UNLOCK(nodelock, isc_rwlocktype_write);
+
+	if (entry != NULL) {
+		if (cbarg != NULL)
+			acache_cancelentry(rbtdb->common.mctx, entry, &cbarg);
+		dns_acache_detachentry(&entry);
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/contrib/bind9/lib/dns/rbtdb.h b/contrib/bind9/lib/dns/rbtdb.h
index 086b75e..f9fb50b 100644
--- a/contrib/bind9/lib/dns/rbtdb.h
+++ b/contrib/bind9/lib/dns/rbtdb.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.h,v 1.13.206.1 2004/03/06 08:13:42 marka Exp $ */
+/* $Id: rbtdb.h,v 1.14.18.2 2005/04/29 00:16:02 marka Exp $ */
 
 #ifndef DNS_RBTDB_H
 #define DNS_RBTDB_H 1
@@ -27,7 +27,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * DNS Red-Black Tree DB Implementation
  */
 
diff --git a/contrib/bind9/lib/dns/rbtdb64.c b/contrib/bind9/lib/dns/rbtdb64.c
index f41ab37..773fe91 100644
--- a/contrib/bind9/lib/dns/rbtdb64.c
+++ b/contrib/bind9/lib/dns/rbtdb64.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb64.c,v 1.6.206.1 2004/03/06 08:13:42 marka Exp $ */
+/* $Id: rbtdb64.c,v 1.7.18.2 2005/04/29 00:16:02 marka Exp $ */
+
+/*! \file */
 
 #define DNS_RBTDB_VERSION64 1
 #include "rbtdb.c"
diff --git a/contrib/bind9/lib/dns/rbtdb64.h b/contrib/bind9/lib/dns/rbtdb64.h
index 5d426b5..e2de45c 100644
--- a/contrib/bind9/lib/dns/rbtdb64.h
+++ b/contrib/bind9/lib/dns/rbtdb64.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb64.h,v 1.12.206.1 2004/03/06 08:13:43 marka Exp $ */
+/* $Id: rbtdb64.h,v 1.13.18.2 2005/04/29 00:16:02 marka Exp $ */
 
 #ifndef DNS_RBTDB64_H
 #define DNS_RBTDB64_H 1
@@ -26,7 +26,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * DNS Red-Black Tree DB Implementation with 64-bit version numbers
  */
 
diff --git a/contrib/bind9/lib/dns/rcode.c b/contrib/bind9/lib/dns/rcode.c
index 337f649..f61aa35 100644
--- a/contrib/bind9/lib/dns/rcode.c
+++ b/contrib/bind9/lib/dns/rcode.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rcode.c,v 1.1.4.1 2004/03/12 10:31:25 marka Exp $ */
+/* $Id: rcode.c,v 1.2.18.2 2006/01/27 23:57:44 marka Exp $ */
 
 #include <config.h>
 #include <ctype.h>
@@ -76,6 +76,7 @@
 	{ dns_tsigerror_badmode, "BADMODE", 0}, \
 	{ dns_tsigerror_badname, "BADNAME", 0}, \
 	{ dns_tsigerror_badalg, "BADALG", 0}, \
+	{ dns_tsigerror_badtrunc, "BADTRUNC", 0}, \
 	{ 0, NULL, 0 }
 
 /* RFC2538 section 2.1 */
diff --git a/contrib/bind9/lib/dns/rdata.c b/contrib/bind9/lib/dns/rdata.c
index bcd0e150..5641777 100644
--- a/contrib/bind9/lib/dns/rdata.c
+++ b/contrib/bind9/lib/dns/rdata.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.c,v 1.147.2.11.2.22 2006/07/21 02:05:56 marka Exp $ */
+/* $Id: rdata.c,v 1.184.18.9 2006/07/21 02:05:57 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 #include <ctype.h>
@@ -100,16 +102,16 @@
 #define ARGS_CHECKNAMES dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad
 
 
-/*
+/*%
  * Context structure for the totext_ functions.
  * Contains formatting options for rdata-to-text
  * conversion.
  */
 typedef struct dns_rdata_textctx {
-	dns_name_t *origin;	/* Current origin, or NULL. */
-	unsigned int flags;	/* DNS_STYLEFLAG_* */
-	unsigned int width;	/* Width of rdata column. */
-  	const char *linebreak;	/* Line break string. */
+	dns_name_t *origin;	/*%< Current origin, or NULL. */
+	unsigned int flags;	/*%< DNS_STYLEFLAG_*  */
+	unsigned int width;	/*%< Width of rdata column. */
+  	const char *linebreak;	/*%< Line break string. */
 } dns_rdata_textctx_t;
 
 static isc_result_t
@@ -195,6 +197,10 @@ static void
 warn_badname(dns_name_t *name, isc_lex_t *lexer,
 	     dns_rdatacallbacks_t *callbacks);
 
+static void
+warn_badmx(isc_token_t *token, isc_lex_t *lexer,
+	   dns_rdatacallbacks_t *callbacks);
+
 static inline int
 getquad(const void *src, struct in_addr *dst,
 	isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks)
@@ -1581,6 +1587,22 @@ fromtext_warneof(isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks) {
 }
 
 static void
+warn_badmx(isc_token_t *token, isc_lex_t *lexer,
+	   dns_rdatacallbacks_t *callbacks)
+{
+	const char *file;
+	unsigned long line;
+
+	if (lexer != NULL) {
+		file = isc_lex_getsourcename(lexer);
+		line = isc_lex_getsourceline(lexer);
+		(*callbacks->warn)(callbacks, "%s:%u: warning: '%s': %s", 
+				   file, line, DNS_AS_STR(*token),
+				   dns_result_totext(DNS_R_MXISADDRESS));
+	}
+}
+
+static void
 warn_badname(dns_name_t *name, isc_lex_t *lexer,
 	     dns_rdatacallbacks_t *callbacks)
 {
diff --git a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c b/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
index c9b52c7..4fdadd3 100644
--- a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
+++ b/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig_250.c,v 1.52.2.1.2.8 2005/03/20 22:34:01 marka Exp $ */
+/* $Id: tsig_250.c,v 1.59.18.2 2005/03/20 22:34:32 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 13:39:43 PST 2000 by gson */
 
diff --git a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.h b/contrib/bind9/lib/dns/rdata/any_255/tsig_250.h
index 7b5ccc2..b84a715 100644
--- a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.h
+++ b/contrib/bind9/lib/dns/rdata/any_255/tsig_250.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig_250.h,v 1.20.206.1 2004/03/06 08:14:02 marka Exp $ */
-
-/* RFC 2845 */
+/* $Id: tsig_250.h,v 1.21.18.2 2005/04/29 00:16:29 marka Exp $ */
 
 #ifndef ANY_255_TSIG_250_H
 #define ANY_255_TSIG_250_H 1
 
+/*% RFC2845 */
 typedef struct dns_rdata_any_tsig {
 	dns_rdatacommon_t	common;
 	isc_mem_t *		mctx;
diff --git a/contrib/bind9/lib/dns/rdata/ch_3/a_1.c b/contrib/bind9/lib/dns/rdata/ch_3/a_1.c
new file mode 100644
index 0000000..6a9b70c
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/ch_3/a_1.c
@@ -0,0 +1,316 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: a_1.c,v 1.2.2.3 2005/08/23 04:10:09 marka Exp $ */
+
+/* by Bjorn.Victor@it.uu.se, 2005-05-07 */
+/* Based on generic/soa_6.c and generic/mx_15.c */
+
+#ifndef RDATA_CH_3_A_1_C
+#define RDATA_CH_3_A_1_C
+
+#include <isc/net.h>
+
+#define RRTYPE_A_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_ch_a(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == 1);
+	REQUIRE(rdclass == dns_rdataclass_ch); /* 3 */
+
+	UNUSED(type);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+
+	/* get domain name */
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	origin = (origin != NULL) ? origin : dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	if ((options & DNS_RDATA_CHECKNAMES) != 0 &&
+	    (options & DNS_RDATA_CHECKREVERSE) != 0) {
+		isc_boolean_t ok;
+		ok = dns_name_ishostname(&name, ISC_FALSE);
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+			RETTOK(DNS_R_BADNAME);
+		if (!ok && callbacks != NULL)
+			warn_badname(&name, lexer, callbacks);
+	}
+
+	/* 16-bit octal address */
+	RETERR(isc_lex_getoctaltoken(lexer, &token, ISC_FALSE));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	return (uint16_tobuffer(token.value.as_ulong, target));
+}
+
+static inline isc_result_t
+totext_ch_a(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	isc_boolean_t sub;
+	char buf[sizeof("0177777")];
+	isc_uint16_t addr;
+
+	REQUIRE(rdata->type == 1);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch); /* 3 */
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	addr = uint16_fromregion(&region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	sprintf(buf, "%o", addr); /* note octal */
+	RETERR(str_totext(" ", target));
+	return (str_totext(buf, target));
+}
+
+static inline isc_result_t
+fromwire_ch_a(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+	isc_region_t tregion;
+	dns_name_t name;
+
+	REQUIRE(type == 1);
+	REQUIRE(rdclass == dns_rdataclass_ch);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+	if (sregion.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	if (tregion.length < 2)
+		return (ISC_R_NOSPACE);
+
+	memcpy(tregion.base, sregion.base, 2);
+	isc_buffer_forward(source, 2);
+	isc_buffer_add(target, 2);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_ch_a(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	REQUIRE(rdata->type == 1);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+
+	dns_rdata_toregion(rdata, &sregion);
+
+	dns_name_fromregion(&name, &sregion);
+	isc_region_consume(&sregion, name_length(&name));
+	RETERR(dns_name_towire(&name, cctx, target));
+
+	isc_buffer_availableregion(target, &tregion);
+	if (tregion.length < 2)
+		return (ISC_R_NOSPACE);
+
+	memcpy(tregion.base, sregion.base, 2);
+	isc_buffer_add(target, 2);
+	return (ISC_R_SUCCESS);
+}
+
+static inline int
+compare_ch_a(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 1);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_ch);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0)
+		return (order);
+
+	order = memcmp(rdata1->data, rdata2->data, 2);
+	if (order != 0)
+		order = (order < 0) ? -1 : 1;
+	return (order);
+}
+
+static inline isc_result_t
+fromstruct_ch_a(ARGS_FROMSTRUCT) {
+	dns_rdata_ch_a_t *a = source;
+	isc_region_t region;
+
+	REQUIRE(type == 1);
+	REQUIRE(source != NULL);
+	REQUIRE(a->common.rdtype == type);
+	REQUIRE(a->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&a->ch_addr_dom, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	
+	return (uint16_tobuffer(ntohs(a->ch_addr), target));
+}
+
+static inline isc_result_t
+tostruct_ch_a(ARGS_TOSTRUCT) {
+	dns_rdata_ch_a_t *a = target;
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == 1);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+	REQUIRE(rdata->length != 0);
+
+	a->common.rdclass = rdata->rdclass;
+	a->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&a->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+
+	dns_name_init(&a->ch_addr_dom, NULL);
+	RETERR(name_duporclone(&name, mctx, &a->ch_addr_dom));
+	a->ch_addr = htons(uint16_fromregion(&region));
+	a->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_ch_a(ARGS_FREESTRUCT) {
+	dns_rdata_ch_a_t *a = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(a->common.rdtype == 1);
+
+	if (a->mctx == NULL)
+		return;
+
+	dns_name_free(&a->ch_addr_dom, a->mctx);
+	a->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_ch_a(ARGS_ADDLDATA) {
+
+	REQUIRE(rdata->type == 1);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_ch_a(ARGS_DIGEST) {
+	isc_region_t r;
+
+	dns_name_t name;
+
+	REQUIRE(rdata->type == 1);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	isc_region_consume(&r, name_length(&name));
+	RETERR(dns_name_digest(&name, digest, arg));
+	return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_ch_a(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 1);
+	REQUIRE(rdclass == dns_rdataclass_ch);
+
+	UNUSED(type);
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static inline isc_boolean_t
+checknames_ch_a(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == 1);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, ISC_FALSE)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (ISC_FALSE);
+	}
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_CH_3_A_1_C */
diff --git a/contrib/bind9/lib/dns/rdata/ch_3/a_1.h b/contrib/bind9/lib/dns/rdata/ch_3/a_1.h
new file mode 100644
index 0000000..9f67977
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/ch_3/a_1.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: a_1.h,v 1.2.2.2 2005/06/05 00:02:22 marka Exp $ */
+
+/* by Bjorn.Victor@it.uu.se, 2005-05-07 */
+/* Based on generic/mx_15.h */
+
+#ifndef CH_3_A_1_H
+#define CH_3_A_1_H 1
+
+typedef isc_uint16_t ch_addr_t;
+
+typedef struct dns_rdata_ch_a {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+  	dns_name_t		ch_addr_dom; /* ch-addr domain for back mapping */
+	ch_addr_t		ch_addr; /* chaos address (16 bit) network order */
+} dns_rdata_ch_a_t;
+
+#endif /* CH_3_A_1_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c b/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c
index f46844a..24a63e6 100644
--- a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c
+++ b/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: afsdb_18.c,v 1.39.2.1.2.3 2004/03/06 08:14:03 marka Exp $ */
+/* $Id: afsdb_18.c,v 1.43.18.2 2005/04/29 00:16:30 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 14:59:00 PST 2000 by explorer */
 
-/* RFC 1183 */
+/* RFC1183 */
 
 #ifndef RDATA_GENERIC_AFSDB_18_C
 #define RDATA_GENERIC_AFSDB_18_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.h b/contrib/bind9/lib/dns/rdata/generic/afsdb_18.h
index 3f89f9d..1532da1 100644
--- a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.h
+++ b/contrib/bind9/lib/dns/rdata/generic/afsdb_18.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_AFSDB_18_H
 #define GENERIC_AFSDB_18_H 1
 
-/* $Id: afsdb_18.h,v 1.15.206.1 2004/03/06 08:14:03 marka Exp $ */
+/* $Id: afsdb_18.h,v 1.16.18.2 2005/04/29 00:16:30 marka Exp $ */
 
-/* RFC 1183 */
+/*!
+ *  \brief Per RFC1183 */
 
 typedef struct dns_rdata_afsdb {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/cert_37.c b/contrib/bind9/lib/dns/rdata/generic/cert_37.c
index 81a1aa7..c6ba3a8 100644
--- a/contrib/bind9/lib/dns/rdata/generic/cert_37.c
+++ b/contrib/bind9/lib/dns/rdata/generic/cert_37.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cert_37.c,v 1.40.2.1.2.5 2004/03/08 09:04:40 marka Exp $ */
+/* $Id: cert_37.c,v 1.46.18.2 2005/04/29 00:16:30 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 21:14:32 EST 2000 by tale */
 
-/* RFC 2538 */
+/* RFC2538 */
 
 #ifndef RDATA_GENERIC_CERT_37_C
 #define RDATA_GENERIC_CERT_37_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/cert_37.h b/contrib/bind9/lib/dns/rdata/generic/cert_37.h
index 01ae265..2af25b7 100644
--- a/contrib/bind9/lib/dns/rdata/generic/cert_37.h
+++ b/contrib/bind9/lib/dns/rdata/generic/cert_37.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cert_37.h,v 1.15.206.1 2004/03/06 08:14:03 marka Exp $ */
+/* $Id: cert_37.h,v 1.16.18.2 2005/04/29 00:16:31 marka Exp $ */
 
-/* RFC 2538 */
 #ifndef GENERIC_CERT_37_H
 #define GENERIC_CERT_37_H 1
 
+/*% RFC2538 */
 typedef struct dns_rdata_cert {
 	dns_rdatacommon_t	common;
 	isc_mem_t		*mctx;
diff --git a/contrib/bind9/lib/dns/rdata/generic/cname_5.c b/contrib/bind9/lib/dns/rdata/generic/cname_5.c
index 0ce7aa2..6ea1db1 100644
--- a/contrib/bind9/lib/dns/rdata/generic/cname_5.c
+++ b/contrib/bind9/lib/dns/rdata/generic/cname_5.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cname_5.c,v 1.43.206.2 2004/03/06 08:14:03 marka Exp $ */
+/* $Id: cname_5.c,v 1.45 2004/03/05 05:10:10 marka Exp $ */
 
 /* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/cname_5.h b/contrib/bind9/lib/dns/rdata/generic/cname_5.h
index 2efee44..dc24383 100644
--- a/contrib/bind9/lib/dns/rdata/generic/cname_5.h
+++ b/contrib/bind9/lib/dns/rdata/generic/cname_5.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cname_5.h,v 1.23.206.1 2004/03/06 08:14:04 marka Exp $ */
+/* $Id: cname_5.h,v 1.24 2004/03/05 05:10:10 marka Exp $ */
 
 #ifndef GENERIC_CNAME_5_H
 #define GENERIC_CNAME_5_H 1
diff --git a/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c b/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c
index b28435c..fa22580 100644
--- a/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c
+++ b/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlv_32769.c,v 1.2.4.2 2006/02/19 06:50:46 marka Exp $ */
+/* $Id: dlv_32769.c,v 1.2.2.2 2006/02/19 06:50:47 marka Exp $ */
 
 /* draft-ietf-dnsext-delegation-signer-05.txt */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/dlv_32769.h b/contrib/bind9/lib/dns/rdata/generic/dlv_32769.h
index 08a9b1d..bd03c73 100644
--- a/contrib/bind9/lib/dns/rdata/generic/dlv_32769.h
+++ b/contrib/bind9/lib/dns/rdata/generic/dlv_32769.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlv_32769.h,v 1.2.4.2 2006/02/19 06:50:46 marka Exp $ */
+/* $Id: dlv_32769.h,v 1.2.2.2 2006/02/19 06:50:47 marka Exp $ */
 
 /* draft-ietf-dnsext-delegation-signer-05.txt */
 #ifndef GENERIC_DLV_32769_H
diff --git a/contrib/bind9/lib/dns/rdata/generic/dname_39.c b/contrib/bind9/lib/dns/rdata/generic/dname_39.c
index b532f2e..ed3133c 100644
--- a/contrib/bind9/lib/dns/rdata/generic/dname_39.c
+++ b/contrib/bind9/lib/dns/rdata/generic/dname_39.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dname_39.c,v 1.34.206.2 2004/03/06 08:14:04 marka Exp $ */
+/* $Id: dname_39.c,v 1.36 2004/03/05 05:10:10 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 16:52:38 PST 2000 by explorer */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/dname_39.h b/contrib/bind9/lib/dns/rdata/generic/dname_39.h
index a1b2192..93ec709 100644
--- a/contrib/bind9/lib/dns/rdata/generic/dname_39.h
+++ b/contrib/bind9/lib/dns/rdata/generic/dname_39.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_DNAME_39_H
 #define GENERIC_DNAME_39_H 1
 
-/* $Id: dname_39.h,v 1.16.206.1 2004/03/06 08:14:04 marka Exp $ */
+/* $Id: dname_39.h,v 1.17.18.2 2005/04/29 00:16:31 marka Exp $ */
 
-/* RFC2672 */
+/*! 
+ *  \brief per RFC2672 */
 
 typedef struct dns_rdata_dname {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c b/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c
index 5cf58d5..5a4e453 100644
--- a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c
+++ b/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnskey_48.c,v 1.4.2.1 2004/03/08 02:08:02 marka Exp $ */
+/* $Id: dnskey_48.c,v 1.4.20.2 2005/04/29 00:16:31 marka Exp $ */
 
 /*
  * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
  */
 
-/* RFC 2535 */
+/* RFC2535 */
 
 #ifndef RDATA_GENERIC_DNSKEY_48_C
 #define RDATA_GENERIC_DNSKEY_48_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.h b/contrib/bind9/lib/dns/rdata/generic/dnskey_48.h
index 4dd71d2..9b3d262 100644
--- a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.h
+++ b/contrib/bind9/lib/dns/rdata/generic/dnskey_48.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_DNSKEY_48_H
 #define GENERIC_DNSKEY_48_H 1
 
-/* $Id: dnskey_48.h,v 1.3.2.1 2004/03/08 02:08:02 marka Exp $ */
+/* $Id: dnskey_48.h,v 1.3.20.2 2005/04/29 00:16:32 marka Exp $ */
 
-/* RFC 2535 */
+/*!
+ *  \brief per RFC2535 */
 
 typedef struct dns_rdata_dnskey {
         dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/ds_43.c b/contrib/bind9/lib/dns/rdata/generic/ds_43.c
index 0206b6f..b9a3a3e 100644
--- a/contrib/bind9/lib/dns/rdata/generic/ds_43.c
+++ b/contrib/bind9/lib/dns/rdata/generic/ds_43.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds_43.c,v 1.6.2.4 2005/09/06 07:29:31 marka Exp $ */
+/* $Id: ds_43.c,v 1.7.18.2 2005/09/06 07:29:32 marka Exp $ */
 
 /* draft-ietf-dnsext-delegation-signer-05.txt */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/ds_43.h b/contrib/bind9/lib/dns/rdata/generic/ds_43.h
index cd4a5ca..dae7bef 100644
--- a/contrib/bind9/lib/dns/rdata/generic/ds_43.h
+++ b/contrib/bind9/lib/dns/rdata/generic/ds_43.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds_43.h,v 1.3.2.1 2004/03/08 02:08:03 marka Exp $ */
+/* $Id: ds_43.h,v 1.3.20.2 2005/04/29 00:16:32 marka Exp $ */
 
-/* draft-ietf-dnsext-delegation-signer-05.txt */
 #ifndef GENERIC_DS_43_H
 #define GENERIC_DS_43_H 1
 
+/*!
+ *  \brief per draft-ietf-dnsext-delegation-signer-05.txt */
 typedef struct dns_rdata_ds {
 	dns_rdatacommon_t	common;
 	isc_mem_t		*mctx;
diff --git a/contrib/bind9/lib/dns/rdata/generic/gpos_27.c b/contrib/bind9/lib/dns/rdata/generic/gpos_27.c
index 1768f17..9b37905 100644
--- a/contrib/bind9/lib/dns/rdata/generic/gpos_27.c
+++ b/contrib/bind9/lib/dns/rdata/generic/gpos_27.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gpos_27.c,v 1.32.12.5 2004/03/08 09:04:40 marka Exp $ */
+/* $Id: gpos_27.c,v 1.37.18.2 2005/04/29 00:16:32 marka Exp $ */
 
 /* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
 
-/* RFC 1712 */
+/* RFC1712 */
 
 #ifndef RDATA_GENERIC_GPOS_27_C
 #define RDATA_GENERIC_GPOS_27_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/gpos_27.h b/contrib/bind9/lib/dns/rdata/generic/gpos_27.h
index 6f9ed37..4949bde 100644
--- a/contrib/bind9/lib/dns/rdata/generic/gpos_27.h
+++ b/contrib/bind9/lib/dns/rdata/generic/gpos_27.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_GPOS_27_H
 #define GENERIC_GPOS_27_H 1
 
-/* $Id: gpos_27.h,v 1.12.206.1 2004/03/06 08:14:04 marka Exp $ */
+/* $Id: gpos_27.h,v 1.13.18.2 2005/04/29 00:16:32 marka Exp $ */
 
-/* RFC 1712 */
+/*!
+ *  \brief per RFC1712 */
 
 typedef struct dns_rdata_gpos {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c b/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c
index e432ce5..70c433c 100644
--- a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c
+++ b/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hinfo_13.c,v 1.37.12.5 2004/03/08 09:04:40 marka Exp $ */
+/* $Id: hinfo_13.c,v 1.42 2004/03/05 05:10:11 marka Exp $ */
 
 /*
  * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
diff --git a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.h b/contrib/bind9/lib/dns/rdata/generic/hinfo_13.h
index 61cbdd7..e542c48 100644
--- a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.h
+++ b/contrib/bind9/lib/dns/rdata/generic/hinfo_13.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_HINFO_13_H
 #define GENERIC_HINFO_13_H 1
 
-/* $Id: hinfo_13.h,v 1.22.206.1 2004/03/06 08:14:05 marka Exp $ */
+/* $Id: hinfo_13.h,v 1.23 2004/03/05 05:10:12 marka Exp $ */
 
 typedef struct dns_rdata_hinfo {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.c b/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.c
new file mode 100644
index 0000000..3c3736e
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.c
@@ -0,0 +1,462 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ipseckey_45.c,v 1.2.2.1 2005/07/07 03:17:36 marka Exp $ */
+
+#ifndef RDATA_GENERIC_IPSECKEY_45_C
+#define RDATA_GENERIC_IPSECKEY_45_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_IPSECKEY_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_ipseckey(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	unsigned int gateway;
+	struct in_addr addr;
+	unsigned char addr6[16];
+	isc_region_t region;
+
+	REQUIRE(type == 45);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Precedence.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Gateway type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0x3U)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+	gateway = token.value.as_ulong;
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Gateway.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+
+	switch (gateway) {
+	case 0:
+		if (strcmp(DNS_AS_STR(token), ".") != 0)
+			RETTOK(DNS_R_SYNTAX);
+		break;
+
+	case 1:
+		if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+			RETTOK(DNS_R_BADDOTTEDQUAD);
+		isc_buffer_availableregion(target, &region);
+		if (region.length < 4)
+			return (ISC_R_NOSPACE);
+		memcpy(region.base, &addr, 4);
+		isc_buffer_add(target, 4);
+		break;
+
+	case 2:
+		if (inet_pton(AF_INET6, DNS_AS_STR(token), addr6) != 1)
+			RETTOK(DNS_R_BADAAAA);
+		isc_buffer_availableregion(target, &region);
+		if (region.length < 16)
+			return (ISC_R_NOSPACE);
+		memcpy(region.base, addr6, 16);
+		isc_buffer_add(target, 16);
+		break;
+
+	case 3:
+		dns_name_init(&name, NULL);
+		buffer_fromregion(&buffer, &token.value.as_region);
+		origin = (origin != NULL) ? origin : dns_rootname;
+		RETTOK(dns_name_fromtext(&name, &buffer, origin,
+					 options, target));
+		break;
+	}
+
+	/*
+	 * Public key.
+	 */
+	return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_ipseckey(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	isc_boolean_t sub;
+	char buf[sizeof("255 ")];
+	unsigned short num;
+	unsigned short gateway;
+
+	REQUIRE(rdata->type == 45);
+	REQUIRE(rdata->length >= 3);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+	
+	if (rdata->data[1] > 3U)
+		return (ISC_R_NOTIMPLEMENTED);
+
+        if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+                RETERR(str_totext("( ", target));
+
+	/*
+	 * Precendence.
+	 */
+	dns_rdata_toregion(rdata, &region);
+	num = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	sprintf(buf, "%u ", num);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Gateway type.
+	 */
+	gateway = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	sprintf(buf, "%u ", gateway);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Algorithm.
+	 */
+	num = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	sprintf(buf, "%u ", num);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Gateway.
+	 */
+	switch (gateway) {
+	case 0:
+		RETERR(str_totext(".", target));
+		break;
+
+	case 1:
+		RETERR(inet_totext(AF_INET, &region, target));
+		isc_region_consume(&region, 4);
+		break;
+
+	case 2:
+		RETERR(inet_totext(AF_INET6, &region, target));
+		isc_region_consume(&region, 16);
+		break;
+
+	case 3:
+		dns_name_fromregion(&name, &region);
+		sub = name_prefix(&name, tctx->origin, &prefix);
+		RETERR(dns_name_totext(&prefix, sub, target));
+		isc_region_consume(&region, name_length(&name));
+		break;
+	}
+
+	/*
+	 * Key.
+	 */
+	if (region.length > 0U) {
+		RETERR(str_totext(tctx->linebreak, target));
+		RETERR(isc_base64_totext(&region, tctx->width - 2,
+					 tctx->linebreak, target));
+	}
+
+        if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+                RETERR(str_totext(" )", target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_ipseckey(ARGS_FROMWIRE) {
+        dns_name_t name;
+	isc_region_t region;
+
+	REQUIRE(type == 45);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+        dns_name_init(&name, NULL);
+
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 3)
+		return (ISC_R_UNEXPECTEDEND);
+
+	switch (region.base[1]) {
+	case 0:
+		isc_buffer_forward(source, region.length);
+		return (mem_tobuffer(target, region.base, region.length));
+
+	case 1:
+		if (region.length < 7)
+			return (ISC_R_UNEXPECTEDEND);
+		isc_buffer_forward(source, region.length);
+		return (mem_tobuffer(target, region.base, region.length));
+
+	case 2:
+		if (region.length < 19)
+			return (ISC_R_UNEXPECTEDEND);
+		isc_buffer_forward(source, region.length);
+		return (mem_tobuffer(target, region.base, region.length));
+
+	case 3:
+		RETERR(mem_tobuffer(target, region.base, 3));
+		isc_buffer_forward(source, 3);
+		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+		isc_buffer_activeregion(source, &region);
+		return(mem_tobuffer(target, region.base, region.length));
+
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+}
+
+static inline isc_result_t
+towire_ipseckey(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == 45);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static inline int
+compare_ipseckey(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 45);
+	REQUIRE(rdata1->length >= 3);
+	REQUIRE(rdata2->length >= 3);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	return (isc_region_compare(&region1, &region2));
+}
+
+static inline isc_result_t
+fromstruct_ipseckey(ARGS_FROMSTRUCT) {
+	dns_rdata_ipseckey_t *ipseckey = source;
+	isc_region_t region;
+	isc_uint32_t n;
+
+	REQUIRE(type == 45);
+	REQUIRE(source != NULL);
+	REQUIRE(ipseckey->common.rdtype == type);
+	REQUIRE(ipseckey->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	if (ipseckey->gateway_type > 3U)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	RETERR(uint8_tobuffer(ipseckey->precedence, target));
+	RETERR(uint8_tobuffer(ipseckey->gateway_type, target));
+	RETERR(uint8_tobuffer(ipseckey->algorithm, target));
+
+	switch  (ipseckey->gateway_type) {
+	case 0:
+		break;
+
+	case 1:
+		n = ntohl(ipseckey->in_addr.s_addr);
+		RETERR(uint32_tobuffer(n, target));
+		break;
+
+	case 2:
+		RETERR(mem_tobuffer(target, ipseckey->in6_addr.s6_addr, 16));
+		break;
+
+	case 3:
+		dns_name_toregion(&ipseckey->gateway, &region);
+		RETERR(isc_buffer_copyregion(target, &region));
+		break;
+	}
+
+	return (mem_tobuffer(target, ipseckey->key, ipseckey->keylength));
+}
+
+static inline isc_result_t
+tostruct_ipseckey(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_ipseckey_t *ipseckey = target;
+	dns_name_t name;
+	isc_uint32_t n;
+
+	REQUIRE(rdata->type == 45);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length >= 3);
+
+	if (rdata->data[1] > 3U)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	ipseckey->common.rdclass = rdata->rdclass;
+	ipseckey->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&ipseckey->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+
+	ipseckey->precedence = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	ipseckey->gateway_type = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	ipseckey->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	switch (ipseckey->gateway_type) {
+	case 0:
+		break;
+
+	case 1:
+		n = uint32_fromregion(&region);
+		ipseckey->in_addr.s_addr = htonl(n);
+		isc_region_consume(&region, 4);
+		break;
+
+	case 2:
+		memcpy(ipseckey->in6_addr.s6_addr, region.base, 16);
+		isc_region_consume(&region, 16);
+		break;
+
+	case 3:
+		dns_name_init(&ipseckey->gateway, NULL);
+		dns_name_fromregion(&name, &region);
+		RETERR(name_duporclone(&name, mctx, &ipseckey->gateway));
+		isc_region_consume(&region, name_length(&name));
+		break;
+	}
+
+	ipseckey->keylength = region.length;
+	if (ipseckey->keylength != 0U) {
+		ipseckey->key = mem_maybedup(mctx, region.base,
+					     ipseckey->keylength);
+		if (ipseckey->key == NULL) {
+			if (ipseckey->gateway_type == 3)
+				dns_name_free(&ipseckey->gateway,
+					      ipseckey->mctx);
+			return (ISC_R_NOMEMORY);
+		}
+	} else
+		ipseckey->key = NULL;
+
+	ipseckey->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_ipseckey(ARGS_FREESTRUCT) {
+	dns_rdata_ipseckey_t *ipseckey = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(ipseckey->common.rdtype == 45);
+
+	if (ipseckey->mctx == NULL)
+		return;
+
+	if (ipseckey->gateway_type == 3)
+		dns_name_free(&ipseckey->gateway, ipseckey->mctx);
+
+	if (ipseckey->key != NULL)
+		isc_mem_free(ipseckey->mctx, ipseckey->key);
+
+	ipseckey->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_ipseckey(ARGS_ADDLDATA) {
+
+	REQUIRE(rdata->type == 45);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_ipseckey(ARGS_DIGEST) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == 45);
+
+	dns_rdata_toregion(rdata, &region);
+	return ((digest)(arg, &region));
+}
+
+static inline isc_boolean_t
+checkowner_ipseckey(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 45);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_ipseckey(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 45);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_GENERIC_IPSECKEY_45_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.h b/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.h
new file mode 100644
index 0000000..b766fa0
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ipseckey_45.h,v 1.2.2.1 2005/07/07 03:17:36 marka Exp $ */
+
+#ifndef GENERIC_IPSECKEY_45_H
+#define GENERIC_IPSECKEY_45_H 1
+
+typedef struct dns_rdata_ipseckey {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	isc_uint8_t		precedence;
+	isc_uint8_t		gateway_type;
+	isc_uint8_t		algorithm;
+	struct in_addr		in_addr;	/* gateway type 1 */
+	struct in6_addr		in6_addr;	/* gateway type 2 */
+	dns_name_t		gateway;	/* gateway type 3 */
+	unsigned char		*key;
+	isc_uint16_t		keylength;
+} dns_rdata_ipseckey_t;
+
+#endif /* GENERIC_IPSECKEY_45_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/isdn_20.c b/contrib/bind9/lib/dns/rdata/generic/isdn_20.c
index cc14157..1813759 100644
--- a/contrib/bind9/lib/dns/rdata/generic/isdn_20.c
+++ b/contrib/bind9/lib/dns/rdata/generic/isdn_20.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: isdn_20.c,v 1.30.12.4 2004/03/08 09:04:41 marka Exp $ */
+/* $Id: isdn_20.c,v 1.34.18.2 2005/04/29 00:16:33 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 16:53:11 PST 2000 by bwelling */
 
-/* RFC 1183 */
+/* RFC1183 */
 
 #ifndef RDATA_GENERIC_ISDN_20_C
 #define RDATA_GENERIC_ISDN_20_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/isdn_20.h b/contrib/bind9/lib/dns/rdata/generic/isdn_20.h
index 3a63971..6a51317 100644
--- a/contrib/bind9/lib/dns/rdata/generic/isdn_20.h
+++ b/contrib/bind9/lib/dns/rdata/generic/isdn_20.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_ISDN_20_H
 #define GENERIC_ISDN_20_H 1
 
-/* $Id: isdn_20.h,v 1.13.206.1 2004/03/06 08:14:05 marka Exp $ */
+/* $Id: isdn_20.h,v 1.14.18.2 2005/04/29 00:16:33 marka Exp $ */
 
-/* RFC 1183 */
+/*!
+ * \brief Per RFC1183 */
 
 typedef struct dns_rdata_isdn {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/key_25.c b/contrib/bind9/lib/dns/rdata/generic/key_25.c
index defbe6d..24dc10f 100644
--- a/contrib/bind9/lib/dns/rdata/generic/key_25.c
+++ b/contrib/bind9/lib/dns/rdata/generic/key_25.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: key_25.c,v 1.41.12.7 2004/03/08 09:04:41 marka Exp $ */
+/* $Id: key_25.c,v 1.47.18.2 2005/04/29 00:16:33 marka Exp $ */
 
 /*
  * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
  */
 
-/* RFC 2535 */
+/* RFC2535 */
 
 #ifndef RDATA_GENERIC_KEY_25_C
 #define RDATA_GENERIC_KEY_25_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/key_25.h b/contrib/bind9/lib/dns/rdata/generic/key_25.h
index e192a1b..03400db 100644
--- a/contrib/bind9/lib/dns/rdata/generic/key_25.h
+++ b/contrib/bind9/lib/dns/rdata/generic/key_25.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_KEY_25_H
 #define GENERIC_KEY_25_H 1
 
-/* $Id: key_25.h,v 1.14.206.1 2004/03/06 08:14:06 marka Exp $ */
+/* $Id: key_25.h,v 1.15.18.2 2005/04/29 00:16:33 marka Exp $ */
 
-/* RFC 2535 */
+/*!
+ * \brief Per RFC2535 */
 
 typedef struct dns_rdata_key_t {
         dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/loc_29.c b/contrib/bind9/lib/dns/rdata/generic/loc_29.c
index 28003ab..c93ac90 100644
--- a/contrib/bind9/lib/dns/rdata/generic/loc_29.c
+++ b/contrib/bind9/lib/dns/rdata/generic/loc_29.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: loc_29.c,v 1.30.2.3.2.6 2004/03/06 08:14:06 marka Exp $ */
+/* $Id: loc_29.c,v 1.41.18.2 2005/04/29 00:16:34 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 18:13:09 PST 2000 by explorer */
 
-/* RFC 1876 */
+/* RFC1876 */
 
 #ifndef RDATA_GENERIC_LOC_29_C
 #define RDATA_GENERIC_LOC_29_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/loc_29.h b/contrib/bind9/lib/dns/rdata/generic/loc_29.h
index cdca67b..d8eae16 100644
--- a/contrib/bind9/lib/dns/rdata/generic/loc_29.h
+++ b/contrib/bind9/lib/dns/rdata/generic/loc_29.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_LOC_29_H
 #define GENERIC_LOC_29_H 1
 
-/* $Id: loc_29.h,v 1.14.206.1 2004/03/06 08:14:06 marka Exp $ */
+/* $Id: loc_29.h,v 1.15.18.2 2005/04/29 00:16:34 marka Exp $ */
 
-/* RFC 1876 */
+/*!
+ * \brief Per RFC1876 */
 
 typedef struct dns_rdata_loc_0 {
 	isc_uint8_t	version;	/* must be first and zero */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mb_7.c b/contrib/bind9/lib/dns/rdata/generic/mb_7.c
index 2562707..94c622d 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mb_7.c
+++ b/contrib/bind9/lib/dns/rdata/generic/mb_7.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mb_7.c,v 1.41.206.2 2004/03/06 08:14:06 marka Exp $ */
+/* $Id: mb_7.c,v 1.43 2004/03/05 05:10:13 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 17:31:26 PST 2000 by bwelling */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/mb_7.h b/contrib/bind9/lib/dns/rdata/generic/mb_7.h
index 115ab49..f6a8b35 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mb_7.h
+++ b/contrib/bind9/lib/dns/rdata/generic/mb_7.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef GENERIC_MB_7_H
 #define GENERIC_MB_7_H 1
 
-/* $Id: mb_7.h,v 1.22.206.1 2004/03/06 08:14:06 marka Exp $ */
+/* $Id: mb_7.h,v 1.23.18.2 2005/04/29 00:16:34 marka Exp $ */
 
 typedef struct dns_rdata_mb {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/md_3.c b/contrib/bind9/lib/dns/rdata/generic/md_3.c
index 7488d84..75e4970 100644
--- a/contrib/bind9/lib/dns/rdata/generic/md_3.c
+++ b/contrib/bind9/lib/dns/rdata/generic/md_3.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: md_3.c,v 1.43.206.2 2004/03/06 08:14:07 marka Exp $ */
+/* $Id: md_3.c,v 1.45 2004/03/05 05:10:13 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 17:48:20 PST 2000 by bwelling */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/md_3.h b/contrib/bind9/lib/dns/rdata/generic/md_3.h
index 8662829..578ce66 100644
--- a/contrib/bind9/lib/dns/rdata/generic/md_3.h
+++ b/contrib/bind9/lib/dns/rdata/generic/md_3.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef GENERIC_MD_3_H
 #define GENERIC_MD_3_H 1
 
-/* $Id: md_3.h,v 1.23.206.1 2004/03/06 08:14:07 marka Exp $ */
+/* $Id: md_3.h,v 1.24.18.2 2005/04/29 00:16:35 marka Exp $ */
 
 typedef struct dns_rdata_md {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/mf_4.c b/contrib/bind9/lib/dns/rdata/generic/mf_4.c
index b6c72d9..362d300 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mf_4.c
+++ b/contrib/bind9/lib/dns/rdata/generic/mf_4.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mf_4.c,v 1.41.206.2 2004/03/06 08:14:07 marka Exp $ */
+/* $Id: mf_4.c,v 1.43 2004/03/05 05:10:14 marka Exp $ */
 
 /* reviewed: Wed Mar 15 17:47:33 PST 2000 by brister */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/mf_4.h b/contrib/bind9/lib/dns/rdata/generic/mf_4.h
index adb8254..2be0eec 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mf_4.h
+++ b/contrib/bind9/lib/dns/rdata/generic/mf_4.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef GENERIC_MF_4_H
 #define GENERIC_MF_4_H 1
 
-/* $Id: mf_4.h,v 1.21.206.1 2004/03/06 08:14:07 marka Exp $ */
+/* $Id: mf_4.h,v 1.22.18.2 2005/04/29 00:16:35 marka Exp $ */
 
 typedef struct dns_rdata_mf {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/mg_8.c b/contrib/bind9/lib/dns/rdata/generic/mg_8.c
index 26eac8dd..602d820 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mg_8.c
+++ b/contrib/bind9/lib/dns/rdata/generic/mg_8.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mg_8.c,v 1.39.206.2 2004/03/06 08:14:07 marka Exp $ */
+/* $Id: mg_8.c,v 1.41 2004/03/05 05:10:14 marka Exp $ */
 
 /* reviewed: Wed Mar 15 17:49:21 PST 2000 by brister */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/mg_8.h b/contrib/bind9/lib/dns/rdata/generic/mg_8.h
index b45c2bf..5679c17 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mg_8.h
+++ b/contrib/bind9/lib/dns/rdata/generic/mg_8.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef GENERIC_MG_8_H
 #define GENERIC_MG_8_H 1
 
-/* $Id: mg_8.h,v 1.21.206.1 2004/03/06 08:14:07 marka Exp $ */
+/* $Id: mg_8.h,v 1.22.18.2 2005/04/29 00:16:35 marka Exp $ */
 
 typedef struct dns_rdata_mg {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/minfo_14.c b/contrib/bind9/lib/dns/rdata/generic/minfo_14.c
index a3c4a9c..b757480 100644
--- a/contrib/bind9/lib/dns/rdata/generic/minfo_14.c
+++ b/contrib/bind9/lib/dns/rdata/generic/minfo_14.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: minfo_14.c,v 1.40.12.4 2004/03/08 09:04:41 marka Exp $ */
+/* $Id: minfo_14.c,v 1.43 2004/03/05 05:10:14 marka Exp $ */
 
 /* reviewed: Wed Mar 15 17:45:32 PST 2000 by brister */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/minfo_14.h b/contrib/bind9/lib/dns/rdata/generic/minfo_14.h
index 84078b9..754fe20 100644
--- a/contrib/bind9/lib/dns/rdata/generic/minfo_14.h
+++ b/contrib/bind9/lib/dns/rdata/generic/minfo_14.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef GENERIC_MINFO_14_H
 #define GENERIC_MINFO_14_H 1
 
-/* $Id: minfo_14.h,v 1.22.206.1 2004/03/06 08:14:08 marka Exp $ */
+/* $Id: minfo_14.h,v 1.23.18.2 2005/04/29 00:16:35 marka Exp $ */
 
 typedef struct dns_rdata_minfo {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/mr_9.c b/contrib/bind9/lib/dns/rdata/generic/mr_9.c
index 30da6cb..ab4c6e0 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mr_9.c
+++ b/contrib/bind9/lib/dns/rdata/generic/mr_9.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mr_9.c,v 1.38.206.2 2004/03/06 08:14:08 marka Exp $ */
+/* $Id: mr_9.c,v 1.40 2004/03/05 05:10:15 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 21:30:35 EST 2000 by tale */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/mr_9.h b/contrib/bind9/lib/dns/rdata/generic/mr_9.h
index ba6e154..e255d70 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mr_9.h
+++ b/contrib/bind9/lib/dns/rdata/generic/mr_9.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef GENERIC_MR_9_H
 #define GENERIC_MR_9_H 1
 
-/* $Id: mr_9.h,v 1.21.206.1 2004/03/06 08:14:08 marka Exp $ */
+/* $Id: mr_9.h,v 1.22.18.2 2005/04/29 00:16:36 marka Exp $ */
 
 typedef struct dns_rdata_mr {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/mx_15.c b/contrib/bind9/lib/dns/rdata/generic/mx_15.c
index 794249c..fd77ec8 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mx_15.c
+++ b/contrib/bind9/lib/dns/rdata/generic/mx_15.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,15 +15,37 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mx_15.c,v 1.48.2.1.2.3 2004/03/06 08:14:08 marka Exp $ */
+/* $Id: mx_15.c,v 1.52.18.2 2005/05/20 01:10:11 marka Exp $ */
 
 /* reviewed: Wed Mar 15 18:05:46 PST 2000 by brister */
 
 #ifndef RDATA_GENERIC_MX_15_C
 #define RDATA_GENERIC_MX_15_C
 
+#include <string.h>
+
+#include <isc/net.h>
+
 #define RRTYPE_MX_ATTRIBUTES (0)
 
+static isc_boolean_t
+check_mx(isc_token_t *token) {
+	char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")];
+	struct in_addr addr;
+	struct in6_addr addr6;
+
+	if (strlcpy(tmp, DNS_AS_STR(*token), sizeof(tmp)) >= sizeof(tmp))
+		return (ISC_TRUE);
+
+	if (tmp[strlen(tmp) - 1] == '.')
+		tmp[strlen(tmp) - 1] = '\0';
+	if (inet_aton(tmp, &addr) == 1 ||
+	    inet_pton(AF_INET6, tmp, &addr6) == 1)
+		return (ISC_FALSE);
+
+	return (ISC_TRUE);
+}
+
 static inline isc_result_t
 fromtext_mx(ARGS_FROMTEXT) {
 	isc_token_t token;
@@ -45,6 +67,15 @@ fromtext_mx(ARGS_FROMTEXT) {
 
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
+
+	ok = ISC_TRUE;
+	if ((options & DNS_RDATA_CHECKMX) != 0)
+		ok = check_mx(&token);
+	if (!ok && (options & DNS_RDATA_CHECKMXFAIL) != 0)
+		RETTOK(DNS_R_MXISADDRESS);
+	if (!ok && callbacks != NULL)
+		warn_badmx(&token, lexer, callbacks);
+
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
diff --git a/contrib/bind9/lib/dns/rdata/generic/mx_15.h b/contrib/bind9/lib/dns/rdata/generic/mx_15.h
index 01225fa..4d81b90 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mx_15.h
+++ b/contrib/bind9/lib/dns/rdata/generic/mx_15.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef GENERIC_MX_15_H
 #define GENERIC_MX_15_H 1
 
-/* $Id: mx_15.h,v 1.24.206.1 2004/03/06 08:14:09 marka Exp $ */
+/* $Id: mx_15.h,v 1.25.18.2 2005/04/29 00:16:36 marka Exp $ */
 
 typedef struct dns_rdata_mx {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/ns_2.c b/contrib/bind9/lib/dns/rdata/generic/ns_2.c
index bf32d63..2379433 100644
--- a/contrib/bind9/lib/dns/rdata/generic/ns_2.c
+++ b/contrib/bind9/lib/dns/rdata/generic/ns_2.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ns_2.c,v 1.42.206.2 2004/03/06 08:14:09 marka Exp $ */
+/* $Id: ns_2.c,v 1.44 2004/03/05 05:10:15 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 18:15:00 PST 2000 by bwelling */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/ns_2.h b/contrib/bind9/lib/dns/rdata/generic/ns_2.h
index 2bef1f8..ec8e771 100644
--- a/contrib/bind9/lib/dns/rdata/generic/ns_2.h
+++ b/contrib/bind9/lib/dns/rdata/generic/ns_2.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef GENERIC_NS_2_H
 #define GENERIC_NS_2_H 1
 
-/* $Id: ns_2.h,v 1.22.206.1 2004/03/06 08:14:09 marka Exp $ */
+/* $Id: ns_2.h,v 1.23.18.2 2005/04/29 00:16:37 marka Exp $ */
 
 typedef struct dns_rdata_ns {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec_47.c b/contrib/bind9/lib/dns/rdata/generic/nsec_47.c
index 74b7806..f3e56ca 100644
--- a/contrib/bind9/lib/dns/rdata/generic/nsec_47.c
+++ b/contrib/bind9/lib/dns/rdata/generic/nsec_47.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec_47.c,v 1.7.2.1 2004/03/08 02:08:03 marka Exp $ */
+/* $Id: nsec_47.c,v 1.7 2004/03/05 05:10:15 marka Exp $ */
 
 /* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec_47.h b/contrib/bind9/lib/dns/rdata/generic/nsec_47.h
index d76a25c..ff03483 100644
--- a/contrib/bind9/lib/dns/rdata/generic/nsec_47.h
+++ b/contrib/bind9/lib/dns/rdata/generic/nsec_47.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_NSEC_47_H
 #define GENERIC_NSEC_47_H 1
 
-/* $Id: nsec_47.h,v 1.4.2.1 2004/03/08 02:08:03 marka Exp $ */
+/* $Id: nsec_47.h,v 1.4.20.2 2005/04/29 00:16:37 marka Exp $ */
 
-/* draft-ietf-dnsext-nsec-rdata-01.txt */
+/*!
+ * \brief Per draft-ietf-dnsext-nsec-rdata-01.txt */
 
 typedef struct dns_rdata_nsec {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/null_10.c b/contrib/bind9/lib/dns/rdata/generic/null_10.c
index 492044d..a6f8f9f4 100644
--- a/contrib/bind9/lib/dns/rdata/generic/null_10.c
+++ b/contrib/bind9/lib/dns/rdata/generic/null_10.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: null_10.c,v 1.35.2.1.10.4 2004/03/08 09:04:41 marka Exp $ */
+/* $Id: null_10.c,v 1.40 2004/03/05 05:10:16 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 13:57:50 PST 2000 by explorer */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/null_10.h b/contrib/bind9/lib/dns/rdata/generic/null_10.h
index 44a9e8f..5afb1ae 100644
--- a/contrib/bind9/lib/dns/rdata/generic/null_10.h
+++ b/contrib/bind9/lib/dns/rdata/generic/null_10.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef GENERIC_NULL_10_H
 #define GENERIC_NULL_10_H 1
 
-/* $Id: null_10.h,v 1.20.206.1 2004/03/06 08:14:09 marka Exp $ */
+/* $Id: null_10.h,v 1.21.18.2 2005/04/29 00:16:37 marka Exp $ */
 
 typedef struct dns_rdata_null {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/nxt_30.c b/contrib/bind9/lib/dns/rdata/generic/nxt_30.c
index e4dba7f..b7358e0 100644
--- a/contrib/bind9/lib/dns/rdata/generic/nxt_30.c
+++ b/contrib/bind9/lib/dns/rdata/generic/nxt_30.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nxt_30.c,v 1.49.2.2.2.9 2004/03/08 09:04:41 marka Exp $ */
+/* $Id: nxt_30.c,v 1.59.18.2 2005/04/29 00:16:38 marka Exp $ */
 
 /* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
 
-/* RFC 2535 */
+/* RFC2535 */
 
 #ifndef RDATA_GENERIC_NXT_30_C
 #define RDATA_GENERIC_NXT_30_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/nxt_30.h b/contrib/bind9/lib/dns/rdata/generic/nxt_30.h
index 540135f..3700fb1 100644
--- a/contrib/bind9/lib/dns/rdata/generic/nxt_30.h
+++ b/contrib/bind9/lib/dns/rdata/generic/nxt_30.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_NXT_30_H
 #define GENERIC_NXT_30_H 1
 
-/* $Id: nxt_30.h,v 1.18.12.3 2004/03/08 09:04:41 marka Exp $ */
+/* $Id: nxt_30.h,v 1.21.18.2 2005/04/29 00:16:38 marka Exp $ */
 
-/* RFC 2535 */
+/*!
+ *  \brief RFC2535 */
 
 typedef struct dns_rdata_nxt {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/opt_41.c b/contrib/bind9/lib/dns/rdata/generic/opt_41.c
index ac74a28..e8f4816 100644
--- a/contrib/bind9/lib/dns/rdata/generic/opt_41.c
+++ b/contrib/bind9/lib/dns/rdata/generic/opt_41.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: opt_41.c,v 1.25.12.4 2004/03/08 09:04:41 marka Exp $ */
+/* $Id: opt_41.c,v 1.29.18.2 2005/04/29 00:16:38 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 14:06:44 PST 2000 by gson */
 
-/* RFC 2671 */
+/* RFC2671 */
 
 #ifndef RDATA_GENERIC_OPT_41_C
 #define RDATA_GENERIC_OPT_41_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/opt_41.h b/contrib/bind9/lib/dns/rdata/generic/opt_41.h
index c70ad90..827936e 100644
--- a/contrib/bind9/lib/dns/rdata/generic/opt_41.h
+++ b/contrib/bind9/lib/dns/rdata/generic/opt_41.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_OPT_41_H
 #define GENERIC_OPT_41_H 1
 
-/* $Id: opt_41.h,v 1.13.206.1 2004/03/06 08:14:10 marka Exp $ */
+/* $Id: opt_41.h,v 1.14.18.2 2005/04/29 00:16:38 marka Exp $ */
 
-/* RFC 2671 */
+/*!
+ *  \brief Per RFC2671 */
 
 typedef struct dns_rdata_opt_opcode {
 		isc_uint16_t	opcode;
diff --git a/contrib/bind9/lib/dns/rdata/generic/proforma.c b/contrib/bind9/lib/dns/rdata/generic/proforma.c
index 21c6577..bf8b2fd 100644
--- a/contrib/bind9/lib/dns/rdata/generic/proforma.c
+++ b/contrib/bind9/lib/dns/rdata/generic/proforma.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: proforma.c,v 1.30.12.4 2004/03/08 09:04:41 marka Exp $ */
+/* $Id: proforma.c,v 1.34 2004/03/05 05:10:17 marka Exp $ */
 
 #ifndef RDATA_GENERIC_#_#_C
 #define RDATA_GENERIC_#_#_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/proforma.h b/contrib/bind9/lib/dns/rdata/generic/proforma.h
index 5d5090e..89d1606 100644
--- a/contrib/bind9/lib/dns/rdata/generic/proforma.h
+++ b/contrib/bind9/lib/dns/rdata/generic/proforma.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef GENERIC_PROFORMA_H
 #define GENERIC_PROFORMA_H 1
 
-/* $Id: proforma.h,v 1.18.206.1 2004/03/06 08:14:11 marka Exp $ */
+/* $Id: proforma.h,v 1.19.18.2 2005/04/29 00:16:39 marka Exp $ */
 
 typedef struct dns_rdata_# {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/ptr_12.c b/contrib/bind9/lib/dns/rdata/generic/ptr_12.c
index 9be93b3..16d5706 100644
--- a/contrib/bind9/lib/dns/rdata/generic/ptr_12.c
+++ b/contrib/bind9/lib/dns/rdata/generic/ptr_12.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ptr_12.c,v 1.39.206.2 2004/03/06 08:14:11 marka Exp $ */
+/* $Id: ptr_12.c,v 1.41 2004/03/05 05:10:17 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 14:05:12 PST 2000 by explorer */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/ptr_12.h b/contrib/bind9/lib/dns/rdata/generic/ptr_12.h
index 53e7920..4eb8fa7 100644
--- a/contrib/bind9/lib/dns/rdata/generic/ptr_12.h
+++ b/contrib/bind9/lib/dns/rdata/generic/ptr_12.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef GENERIC_PTR_12_H
 #define GENERIC_PTR_12_H 1
 
-/* $Id: ptr_12.h,v 1.22.206.1 2004/03/06 08:14:11 marka Exp $ */
+/* $Id: ptr_12.h,v 1.23.18.2 2005/04/29 00:16:39 marka Exp $ */
 
 typedef struct dns_rdata_ptr {
         dns_rdatacommon_t       common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/rp_17.c b/contrib/bind9/lib/dns/rdata/generic/rp_17.c
index 27e02ee..b153643 100644
--- a/contrib/bind9/lib/dns/rdata/generic/rp_17.c
+++ b/contrib/bind9/lib/dns/rdata/generic/rp_17.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rp_17.c,v 1.35.12.4 2004/03/08 09:04:42 marka Exp $ */
+/* $Id: rp_17.c,v 1.38.18.2 2005/04/29 00:16:39 marka Exp $ */
 
-/* RFC 1183 */
+/* RFC1183 */
 
 #ifndef RDATA_GENERIC_RP_17_C
 #define RDATA_GENERIC_RP_17_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/rp_17.h b/contrib/bind9/lib/dns/rdata/generic/rp_17.h
index a88b9c0..533c7e7 100644
--- a/contrib/bind9/lib/dns/rdata/generic/rp_17.h
+++ b/contrib/bind9/lib/dns/rdata/generic/rp_17.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_RP_17_H
 #define GENERIC_RP_17_H 1
 
-/* $Id: rp_17.h,v 1.16.206.1 2004/03/06 08:14:11 marka Exp $ */
+/* $Id: rp_17.h,v 1.17.18.2 2005/04/29 00:16:39 marka Exp $ */
 
-/* RFC 1183 */
+/*!
+ *  \brief Per RFC1183 */
 
 typedef struct dns_rdata_rp {
         dns_rdatacommon_t       common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c b/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
index ad43295..6561f28 100644
--- a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
+++ b/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rrsig_46.c,v 1.4.2.3 2004/06/24 00:58:06 marka Exp $ */
+/* $Id: rrsig_46.c,v 1.5.18.3 2005/04/29 00:16:39 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
 
-/* RFC 2535 */
+/* RFC2535 */
 
 #ifndef RDATA_GENERIC_RRSIG_46_C
 #define RDATA_GENERIC_RRSIG_46_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.h b/contrib/bind9/lib/dns/rdata/generic/rrsig_46.h
index 148604b..b8b35a2 100644
--- a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.h
+++ b/contrib/bind9/lib/dns/rdata/generic/rrsig_46.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_DNSSIG_46_H
 #define GENERIC_DNSSIG_46_H 1
 
-/* $Id: rrsig_46.h,v 1.3.2.1 2004/03/08 02:08:04 marka Exp $ */
+/* $Id: rrsig_46.h,v 1.3.20.2 2005/04/29 00:16:39 marka Exp $ */
 
-/* RFC 2535 */
+/*!
+ *  \brief Per RFC2535 */
 typedef struct dns_rdata_rrsig {
 	dns_rdatacommon_t	common;
 	isc_mem_t *		mctx;
diff --git a/contrib/bind9/lib/dns/rdata/generic/rt_21.c b/contrib/bind9/lib/dns/rdata/generic/rt_21.c
index daf9756..6977e98 100644
--- a/contrib/bind9/lib/dns/rdata/generic/rt_21.c
+++ b/contrib/bind9/lib/dns/rdata/generic/rt_21.c
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rt_21.c,v 1.37.2.1.2.5 2005/03/17 03:58:31 marka Exp $ */
+/* $Id: rt_21.c,v 1.41.18.3 2005/04/27 05:01:52 sra Exp $ */
 
 /* reviewed: Thu Mar 16 15:02:31 PST 2000 by brister */
 
-/* RFC 1183 */
+/* RFC1183 */
 
 #ifndef RDATA_GENERIC_RT_21_C
 #define RDATA_GENERIC_RT_21_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/rt_21.h b/contrib/bind9/lib/dns/rdata/generic/rt_21.h
index 32b0352..b8ec969 100644
--- a/contrib/bind9/lib/dns/rdata/generic/rt_21.h
+++ b/contrib/bind9/lib/dns/rdata/generic/rt_21.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_RT_21_H
 #define GENERIC_RT_21_H 1
 
-/* $Id: rt_21.h,v 1.16.206.1 2004/03/06 08:14:12 marka Exp $ */
+/* $Id: rt_21.h,v 1.17.18.2 2005/04/29 00:16:40 marka Exp $ */
 
-/* RFC 1183 */
+/*!
+ *  \brief Per RFC1183 */
 
 typedef struct dns_rdata_rt {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/sig_24.c b/contrib/bind9/lib/dns/rdata/generic/sig_24.c
index 39cb064..9842953 100644
--- a/contrib/bind9/lib/dns/rdata/generic/sig_24.c
+++ b/contrib/bind9/lib/dns/rdata/generic/sig_24.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sig_24.c,v 1.54.2.1.2.7 2004/03/08 09:04:42 marka Exp $ */
+/* $Id: sig_24.c,v 1.62.18.2 2005/04/29 00:16:40 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
 
-/* RFC 2535 */
+/* RFC2535 */
 
 #ifndef RDATA_GENERIC_SIG_24_C
 #define RDATA_GENERIC_SIG_24_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/sig_24.h b/contrib/bind9/lib/dns/rdata/generic/sig_24.h
index 28bcac2..96ed767 100644
--- a/contrib/bind9/lib/dns/rdata/generic/sig_24.h
+++ b/contrib/bind9/lib/dns/rdata/generic/sig_24.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_SIG_24_H
 #define GENERIC_SIG_24_H 1
 
-/* $Id: sig_24.h,v 1.21.206.1 2004/03/06 08:14:12 marka Exp $ */
+/* $Id: sig_24.h,v 1.22.18.2 2005/04/29 00:16:40 marka Exp $ */
 
-/* RFC 2535 */
+/*!
+ *  \brief Per RFC2535 */
 
 typedef struct dns_rdata_sig_t {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/soa_6.c b/contrib/bind9/lib/dns/rdata/generic/soa_6.c
index 7eeb36e..8de678c 100644
--- a/contrib/bind9/lib/dns/rdata/generic/soa_6.c
+++ b/contrib/bind9/lib/dns/rdata/generic/soa_6.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa_6.c,v 1.53.12.6 2004/03/08 09:04:42 marka Exp $ */
+/* $Id: soa_6.c,v 1.59 2004/03/05 05:10:18 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 15:18:32 PST 2000 by explorer */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/soa_6.h b/contrib/bind9/lib/dns/rdata/generic/soa_6.h
index eca6dfd..4211786 100644
--- a/contrib/bind9/lib/dns/rdata/generic/soa_6.h
+++ b/contrib/bind9/lib/dns/rdata/generic/soa_6.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,21 +15,22 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef GENERIC_SOA_6_H
 #define GENERIC_SOA_6_H 1
 
-/* $Id: soa_6.h,v 1.27.206.1 2004/03/06 08:14:12 marka Exp $ */
+/* $Id: soa_6.h,v 1.28.18.2 2005/04/29 00:16:40 marka Exp $ */
 
 typedef struct dns_rdata_soa {
 	dns_rdatacommon_t	common;
 	isc_mem_t		*mctx;
 	dns_name_t		origin;
 	dns_name_t		contact;
-	isc_uint32_t		serial;		/* host order */
-	isc_uint32_t		refresh;	/* host order */
-	isc_uint32_t		retry;		/* host order */
-	isc_uint32_t		expire;		/* host order */
-	isc_uint32_t		minimum;	/* host order */
+	isc_uint32_t		serial;		/*%< host order */
+	isc_uint32_t		refresh;	/*%< host order */
+	isc_uint32_t		retry;		/*%< host order */
+	isc_uint32_t		expire;		/*%< host order */
+	isc_uint32_t		minimum;	/*%< host order */
 } dns_rdata_soa_t;
 
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/spf_99.c b/contrib/bind9/lib/dns/rdata/generic/spf_99.c
new file mode 100644
index 0000000..b65f580
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/spf_99.c
@@ -0,0 +1,238 @@
+/*
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: spf_99.c,v 1.1.2.2 2005/07/16 00:40:54 marka Exp $ */
+
+/* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */
+
+#ifndef RDATA_GENERIC_SPF_99_C
+#define RDATA_GENERIC_SPF_99_C
+
+#define RRTYPE_SPF_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_spf(ARGS_FROMTEXT) {
+	isc_token_t token;
+	int strings;
+
+	REQUIRE(type == 99);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	strings = 0;
+	for (;;) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_qstring,
+					      ISC_TRUE));
+		if (token.type != isc_tokentype_qstring &&
+		    token.type != isc_tokentype_string)
+			break;
+		RETTOK(txt_fromtext(&token.value.as_textregion, target));
+		strings++;
+	}
+	/* Let upper layer handle eol/eof. */
+	isc_lex_ungettoken(lexer, &token);
+	return (strings == 0 ? ISC_R_UNEXPECTEDEND : ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_spf(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == 99);
+
+	dns_rdata_toregion(rdata, &region);
+
+	while (region.length > 0) {
+		RETERR(txt_totext(&region, target));
+		if (region.length > 0)
+			RETERR(str_totext(" ", target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_spf(ARGS_FROMWIRE) {
+	isc_result_t result;
+
+	REQUIRE(type == 99);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	do {
+		result = txt_fromwire(source, target);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	} while (!buffer_empty(source));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_spf(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == 99);
+
+	UNUSED(cctx);
+
+	isc_buffer_availableregion(target, &region);
+	if (region.length < rdata->length)
+		return (ISC_R_NOSPACE);
+
+	memcpy(region.base, rdata->data, rdata->length);
+	isc_buffer_add(target, rdata->length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline int
+compare_spf(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 99);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_spf(ARGS_FROMSTRUCT) {
+	dns_rdata_spf_t *txt = source;
+	isc_region_t region;
+	isc_uint8_t length;
+
+	REQUIRE(type == 99);
+	REQUIRE(source != NULL);
+	REQUIRE(txt->common.rdtype == type);
+	REQUIRE(txt->common.rdclass == rdclass);
+	REQUIRE(txt->txt != NULL && txt->txt_len != 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	region.base = txt->txt;
+	region.length = txt->txt_len;
+	while (region.length > 0) {
+		length = uint8_fromregion(&region);
+		isc_region_consume(&region, 1);
+		if (region.length <= length)
+			return (ISC_R_UNEXPECTEDEND);
+		isc_region_consume(&region, length);
+	}
+
+	return (mem_tobuffer(target, txt->txt, txt->txt_len));
+}
+
+static inline isc_result_t
+tostruct_spf(ARGS_TOSTRUCT) {
+	dns_rdata_spf_t *txt = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 99);
+	REQUIRE(target != NULL);
+
+	txt->common.rdclass = rdata->rdclass;
+	txt->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&txt->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	txt->txt_len = r.length;
+	txt->txt = mem_maybedup(mctx, r.base, r.length);
+	if (txt->txt == NULL)
+		return (ISC_R_NOMEMORY);
+
+	txt->offset = 0;
+	txt->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_spf(ARGS_FREESTRUCT) {
+	dns_rdata_spf_t *txt = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(txt->common.rdtype == 99);
+
+	if (txt->mctx == NULL)
+		return;
+
+	if (txt->txt != NULL)
+		isc_mem_free(txt->mctx, txt->txt);
+	txt->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_spf(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == 99);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_spf(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 99);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_spf(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 99);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_spf(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 99);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_GENERIC_SPF_99_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/spf_99.h b/contrib/bind9/lib/dns/rdata/generic/spf_99.h
new file mode 100644
index 0000000..afe77ec
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/spf_99.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_SPF_99_H
+#define GENERIC_SPF_99_H 1
+
+/* $Id: spf_99.h,v 1.1.2.2 2005/07/16 00:40:54 marka Exp $ */
+
+typedef struct dns_rdata_spf_string {
+                isc_uint8_t    length;
+                unsigned char   *data;
+} dns_rdata_spf_string_t;
+
+typedef struct dns_rdata_spf {
+        dns_rdatacommon_t       common;
+        isc_mem_t               *mctx;
+        unsigned char           *txt;
+        isc_uint16_t            txt_len;
+        /* private */
+        isc_uint16_t            offset;
+} dns_rdata_spf_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+
+isc_result_t
+dns_rdata_spf_first(dns_rdata_spf_t *);
+
+isc_result_t
+dns_rdata_spf_next(dns_rdata_spf_t *);
+
+isc_result_t
+dns_rdata_spf_current(dns_rdata_spf_t *, dns_rdata_spf_string_t *);
+
+#endif /* GENERIC_SPF_99_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c b/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
index eabf056..64b51c7 100644
--- a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
+++ b/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sshfp_44.c,v 1.1.8.3 2004/03/06 08:14:13 marka Exp $ */
+/* $Id: sshfp_44.c,v 1.3.18.1 2006/03/10 04:04:32 marka Exp $ */
 
-/* draft-ietf-secsh-dns-05.txt */
+/* RFC 4255 */
 
 #ifndef RDATA_GENERIC_SSHFP_44_C
 #define RDATA_GENERIC_SSHFP_44_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.h b/contrib/bind9/lib/dns/rdata/generic/sshfp_44.h
index ccdefd4..513eeac 100644
--- a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.h
+++ b/contrib/bind9/lib/dns/rdata/generic/sshfp_44.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sshfp_44.h,v 1.1.8.2 2004/03/06 08:14:13 marka Exp $ */
+/* $Id: sshfp_44.h,v 1.2.18.3 2006/03/10 04:04:32 marka Exp $ */
 
-/* draft-ietf-secsh-dns-05.txt */
+/*!
+ *  \brief Per RFC 4255 */
 
 #ifndef GENERIC_SSHFP_44_H
 #define GENERIC_SSHFP_44_H 1
diff --git a/contrib/bind9/lib/dns/rdata/generic/tkey_249.c b/contrib/bind9/lib/dns/rdata/generic/tkey_249.c
index da63167..cee16ab 100644
--- a/contrib/bind9/lib/dns/rdata/generic/tkey_249.c
+++ b/contrib/bind9/lib/dns/rdata/generic/tkey_249.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkey_249.c,v 1.48.2.1.2.6 2004/03/08 09:04:42 marka Exp $ */
+/* $Id: tkey_249.c,v 1.55 2004/03/05 05:10:18 marka Exp $ */
 
 /*
  * Reviewed: Thu Mar 16 17:35:30 PST 2000 by halley.
diff --git a/contrib/bind9/lib/dns/rdata/generic/tkey_249.h b/contrib/bind9/lib/dns/rdata/generic/tkey_249.h
index 8e0081c..c1d2f06 100644
--- a/contrib/bind9/lib/dns/rdata/generic/tkey_249.h
+++ b/contrib/bind9/lib/dns/rdata/generic/tkey_249.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_TKEY_249_H
 #define GENERIC_TKEY_249_H 1
 
-/* $Id: tkey_249.h,v 1.18.206.2 2004/03/06 08:14:13 marka Exp $ */
+/* $Id: tkey_249.h,v 1.20.18.2 2005/04/29 00:16:40 marka Exp $ */
 
-/* draft-ietf-dnsind-tkey-00.txt */
+/*!
+ *  \brief Per draft-ietf-dnsind-tkey-00.txt */
 
 typedef struct dns_rdata_tkey {
         dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/txt_16.c b/contrib/bind9/lib/dns/rdata/generic/txt_16.c
index 631d7af..fa3ffef 100644
--- a/contrib/bind9/lib/dns/rdata/generic/txt_16.c
+++ b/contrib/bind9/lib/dns/rdata/generic/txt_16.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: txt_16.c,v 1.37.12.4 2004/03/08 09:04:42 marka Exp $ */
+/* $Id: txt_16.c,v 1.41 2004/03/05 05:10:18 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */
 
diff --git a/contrib/bind9/lib/dns/rdata/generic/txt_16.h b/contrib/bind9/lib/dns/rdata/generic/txt_16.h
index db5019c..57d986a 100644
--- a/contrib/bind9/lib/dns/rdata/generic/txt_16.h
+++ b/contrib/bind9/lib/dns/rdata/generic/txt_16.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef GENERIC_TXT_16_H
 #define GENERIC_TXT_16_H 1
 
-/* $Id: txt_16.h,v 1.23.206.1 2004/03/06 08:14:14 marka Exp $ */
+/* $Id: txt_16.h,v 1.24.18.2 2005/04/29 00:16:40 marka Exp $ */
 
 typedef struct dns_rdata_txt_string {
                 isc_uint8_t    length;
diff --git a/contrib/bind9/lib/dns/rdata/generic/unspec_103.c b/contrib/bind9/lib/dns/rdata/generic/unspec_103.c
index 157e9a1..f316ad9 100644
--- a/contrib/bind9/lib/dns/rdata/generic/unspec_103.c
+++ b/contrib/bind9/lib/dns/rdata/generic/unspec_103.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: unspec_103.c,v 1.28.2.1.10.4 2004/03/08 09:04:43 marka Exp $ */
+/* $Id: unspec_103.c,v 1.33 2004/03/05 05:10:18 marka Exp $ */
 
 #ifndef RDATA_GENERIC_UNSPEC_103_C
 #define RDATA_GENERIC_UNSPEC_103_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/unspec_103.h b/contrib/bind9/lib/dns/rdata/generic/unspec_103.h
index 021e308..6575c1a 100644
--- a/contrib/bind9/lib/dns/rdata/generic/unspec_103.h
+++ b/contrib/bind9/lib/dns/rdata/generic/unspec_103.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef GENERIC_UNSPEC_103_H
 #define GENERIC_UNSPEC_103_H 1
 
-/* $Id: unspec_103.h,v 1.12.206.1 2004/03/06 08:14:14 marka Exp $ */
+/* $Id: unspec_103.h,v 1.13.18.2 2005/04/29 00:16:40 marka Exp $ */
 
 typedef struct dns_rdata_unspec_t {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/generic/x25_19.c b/contrib/bind9/lib/dns/rdata/generic/x25_19.c
index 2f123ad..1199195 100644
--- a/contrib/bind9/lib/dns/rdata/generic/x25_19.c
+++ b/contrib/bind9/lib/dns/rdata/generic/x25_19.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: x25_19.c,v 1.31.12.4 2004/03/08 09:04:43 marka Exp $ */
+/* $Id: x25_19.c,v 1.35.18.2 2005/04/29 00:16:40 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 16:15:57 PST 2000 by bwelling */
 
-/* RFC 1183 */
+/* RFC1183 */
 
 #ifndef RDATA_GENERIC_X25_19_C
 #define RDATA_GENERIC_X25_19_C
diff --git a/contrib/bind9/lib/dns/rdata/generic/x25_19.h b/contrib/bind9/lib/dns/rdata/generic/x25_19.h
index bcb74cf..32320d0 100644
--- a/contrib/bind9/lib/dns/rdata/generic/x25_19.h
+++ b/contrib/bind9/lib/dns/rdata/generic/x25_19.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef GENERIC_X25_19_H
 #define GENERIC_X25_19_H 1
 
-/* $Id: x25_19.h,v 1.13.206.1 2004/03/06 08:14:14 marka Exp $ */
+/* $Id: x25_19.h,v 1.14.18.2 2005/04/29 00:16:40 marka Exp $ */
 
-/* RFC 1183 */
+/*!
+ *  \brief Per RFC1183 */
 
 typedef struct dns_rdata_x25 {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/hs_4/a_1.c b/contrib/bind9/lib/dns/rdata/hs_4/a_1.c
index 07d6adc..5d3ddae 100644
--- a/contrib/bind9/lib/dns/rdata/hs_4/a_1.c
+++ b/contrib/bind9/lib/dns/rdata/hs_4/a_1.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a_1.c,v 1.25.12.4 2004/03/08 09:04:43 marka Exp $ */
+/* $Id: a_1.c,v 1.29 2004/03/05 05:10:20 marka Exp $ */
 
 /* reviewed: Thu Mar 16 15:58:36 PST 2000 by brister */
 
diff --git a/contrib/bind9/lib/dns/rdata/hs_4/a_1.h b/contrib/bind9/lib/dns/rdata/hs_4/a_1.h
index c06c648..59f54b5 100644
--- a/contrib/bind9/lib/dns/rdata/hs_4/a_1.h
+++ b/contrib/bind9/lib/dns/rdata/hs_4/a_1.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef HS_4_A_1_H
 #define HS_4_A_1_H 1
 
-/* $Id: a_1.h,v 1.7.206.1 2004/03/06 08:14:15 marka Exp $ */
+/* $Id: a_1.h,v 1.8.18.2 2005/04/29 00:16:41 marka Exp $ */
 
 typedef struct dns_rdata_hs_a {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a6_38.c b/contrib/bind9/lib/dns/rdata/in_1/a6_38.c
index ded70c1..50017e1 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/a6_38.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/a6_38.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a6_38.c,v 1.46.2.1.2.5 2004/03/08 09:04:43 marka Exp $ */
+/* $Id: a6_38.c,v 1.52 2004/03/05 05:10:23 marka Exp $ */
 
 /* RFC2874 */
 
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a6_38.h b/contrib/bind9/lib/dns/rdata/in_1/a6_38.h
index 9134ced..bb15dad 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/a6_38.h
+++ b/contrib/bind9/lib/dns/rdata/in_1/a6_38.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef IN_1_A6_38_H
 #define IN_1_A6_38_H 1
 
-/* $Id: a6_38.h,v 1.19.206.1 2004/03/06 08:14:15 marka Exp $ */
+/* $Id: a6_38.h,v 1.20.18.2 2005/04/29 00:16:41 marka Exp $ */
 
-/* RFC2874 */
+/*! 
+ *  \brief Per RFC2874 */
 
 typedef struct dns_rdata_in_a6 {
         dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a_1.c b/contrib/bind9/lib/dns/rdata/in_1/a_1.c
index 30165c9..e8cb8ce 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/a_1.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/a_1.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a_1.c,v 1.46.12.5 2004/03/08 09:04:43 marka Exp $ */
+/* $Id: a_1.c,v 1.51 2004/03/05 05:10:23 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a_1.h b/contrib/bind9/lib/dns/rdata/in_1/a_1.h
index 34d7469..d92a973 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/a_1.h
+++ b/contrib/bind9/lib/dns/rdata/in_1/a_1.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef IN_1_A_1_H
 #define IN_1_A_1_H 1
 
-/* $Id: a_1.h,v 1.23.206.1 2004/03/06 08:14:16 marka Exp $ */
+/* $Id: a_1.h,v 1.24.18.2 2005/04/29 00:16:41 marka Exp $ */
 
 typedef struct dns_rdata_in_a {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c b/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c
index 489fe01..1dd32cf 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aaaa_28.c,v 1.36.12.5 2004/03/08 09:04:44 marka Exp $ */
+/* $Id: aaaa_28.c,v 1.41.18.2 2005/04/29 00:16:41 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
-/* RFC 1886 */
+/* RFC1886 */
 
 #ifndef RDATA_IN_1_AAAA_28_C
 #define RDATA_IN_1_AAAA_28_C
diff --git a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h b/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h
index e8a9319..31ad6a6 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h
+++ b/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef IN_1_AAAA_28_H
 #define IN_1_AAAA_28_H 1
 
-/* $Id: aaaa_28.h,v 1.16.206.1 2004/03/06 08:14:16 marka Exp $ */
+/* $Id: aaaa_28.h,v 1.17.18.2 2005/04/29 00:16:42 marka Exp $ */
 
-/* RFC 1886 */
+/*! 
+ *  \brief Per RFC1886 */
 
 typedef struct dns_rdata_in_aaaa {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/in_1/apl_42.c b/contrib/bind9/lib/dns/rdata/in_1/apl_42.c
index ac39569..42b2e7f 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/apl_42.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/apl_42.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: apl_42.c,v 1.4.200.8 2004/03/16 12:38:15 marka Exp $ */
+/* $Id: apl_42.c,v 1.8.18.2 2005/04/29 00:16:42 marka Exp $ */
 
-/* RFC 3123 */
+/* RFC3123 */
 
 #ifndef RDATA_IN_1_APL_42_C
 #define RDATA_IN_1_APL_42_C
diff --git a/contrib/bind9/lib/dns/rdata/in_1/apl_42.h b/contrib/bind9/lib/dns/rdata/in_1/apl_42.h
index 83309a6..d434ace 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/apl_42.h
+++ b/contrib/bind9/lib/dns/rdata/in_1/apl_42.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* */
 #ifndef IN_1_APL_42_H
 #define IN_1_APL_42_H 1
 
-/* $Id: apl_42.h,v 1.1.202.3 2004/03/08 09:04:44 marka Exp $ */
+/* $Id: apl_42.h,v 1.2.18.2 2005/04/29 00:16:42 marka Exp $ */
 
 typedef struct dns_rdata_apl_ent {
 	isc_boolean_t	negative;
diff --git a/contrib/bind9/lib/dns/rdata/in_1/kx_36.c b/contrib/bind9/lib/dns/rdata/in_1/kx_36.c
index fee1e3d..8a64aac 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/kx_36.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/kx_36.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: kx_36.c,v 1.37.2.1.2.3 2004/03/06 08:14:17 marka Exp $ */
+/* $Id: kx_36.c,v 1.41.18.2 2005/04/29 00:16:42 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 17:24:54 PST 2000 by explorer */
 
-/* RFC 2230 */
+/* RFC2230 */
 
 #ifndef RDATA_IN_1_KX_36_C
 #define RDATA_IN_1_KX_36_C
diff --git a/contrib/bind9/lib/dns/rdata/in_1/kx_36.h b/contrib/bind9/lib/dns/rdata/in_1/kx_36.h
index 5ac328d..c44883d 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/kx_36.h
+++ b/contrib/bind9/lib/dns/rdata/in_1/kx_36.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef IN_1_KX_36_H
 #define IN_1_KX_36_H 1
 
-/* $Id: kx_36.h,v 1.15.206.1 2004/03/06 08:14:17 marka Exp $ */
+/* $Id: kx_36.h,v 1.16.18.2 2005/04/29 00:16:42 marka Exp $ */
 
-/* RFC 2230 */
+/*! 
+ *  \brief Per RFC2230 */
 
 typedef struct dns_rdata_in_kx {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c b/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c
index f3c93c7..0e5961a 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: naptr_35.c,v 1.43.2.1.2.3 2004/03/06 08:14:17 marka Exp $ */
+/* $Id: naptr_35.c,v 1.47.18.2 2005/04/29 00:16:42 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
-/* RFC 2915 */
+/* RFC2915 */
 
 #ifndef RDATA_IN_1_NAPTR_35_C
 #define RDATA_IN_1_NAPTR_35_C
diff --git a/contrib/bind9/lib/dns/rdata/in_1/naptr_35.h b/contrib/bind9/lib/dns/rdata/in_1/naptr_35.h
index b1deb2ce..2578b48 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/naptr_35.h
+++ b/contrib/bind9/lib/dns/rdata/in_1/naptr_35.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef IN_1_NAPTR_35_H
 #define IN_1_NAPTR_35_H 1
 
-/* $Id: naptr_35.h,v 1.18.206.1 2004/03/06 08:14:17 marka Exp $ */
+/* $Id: naptr_35.h,v 1.19.18.2 2005/04/29 00:16:42 marka Exp $ */
 
-/* RFC 2915 */
+/*! 
+ *  \brief Per RFC2915 */
 
 typedef struct dns_rdata_in_naptr {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c b/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
index 0fa0fb2..1a65cbe 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsap-ptr_23.c,v 1.32.206.2 2004/03/06 08:14:17 marka Exp $ */
+/* $Id: nsap-ptr_23.c,v 1.34.18.2 2005/04/29 00:16:42 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 10:16:02 PST 2000 by gson */
 
-/* RFC 1348.  Obsoleted in RFC 1706 - use PTR instead. */
+/* RFC1348.  Obsoleted in RFC 1706 - use PTR instead. */
 
 #ifndef RDATA_IN_1_NSAP_PTR_23_C
 #define RDATA_IN_1_NSAP_PTR_23_C
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h b/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h
index 9bf3c65..bd8e025 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h
+++ b/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef IN_1_NSAP_PTR_23_H
 #define IN_1_NSAP_PTR_23_H 1
 
-/* $Id: nsap-ptr_23.h,v 1.14.206.1 2004/03/06 08:14:18 marka Exp $ */
+/* $Id: nsap-ptr_23.h,v 1.15.18.2 2005/04/29 00:16:43 marka Exp $ */
 
-/* RFC 1348.  Obsoleted in RFC 1706 - use PTR instead. */
+/*! 
+ *  \brief Per RFC1348.  Obsoleted in RFC 1706 - use PTR instead. */
 
 typedef struct dns_rdata_in_nsap_ptr {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c b/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c
index 594b97f..a348a30 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsap_22.c,v 1.33.12.5 2004/03/08 09:04:44 marka Exp $ */
+/* $Id: nsap_22.c,v 1.38.18.2 2005/04/29 00:16:43 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 10:41:07 PST 2000 by gson */
 
-/* RFC 1706 */
+/* RFC1706 */
 
 #ifndef RDATA_IN_1_NSAP_22_C
 #define RDATA_IN_1_NSAP_22_C
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.h b/contrib/bind9/lib/dns/rdata/in_1/nsap_22.h
index 6467433..583fbac 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.h
+++ b/contrib/bind9/lib/dns/rdata/in_1/nsap_22.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef IN_1_NSAP_22_H
 #define IN_1_NSAP_22_H 1
 
-/* $Id: nsap_22.h,v 1.13.206.1 2004/03/06 08:14:18 marka Exp $ */
+/* $Id: nsap_22.h,v 1.14.18.2 2005/04/29 00:16:43 marka Exp $ */
 
-/* RFC 1706 */
+/*! 
+ *  \brief Per RFC1706 */
 
 typedef struct dns_rdata_in_nsap {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/in_1/px_26.c b/contrib/bind9/lib/dns/rdata/in_1/px_26.c
index 66214dd..3df9b99 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/px_26.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/px_26.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: px_26.c,v 1.34.2.1.2.4 2004/03/06 08:14:18 marka Exp $ */
+/* $Id: px_26.c,v 1.39.18.2 2005/04/29 00:16:43 marka Exp $ */
 
 /* Reviewed: Mon Mar 20 10:44:27 PST 2000 */
 
-/* RFC 2163 */
+/* RFC2163 */
 
 #ifndef RDATA_IN_1_PX_26_C
 #define RDATA_IN_1_PX_26_C
diff --git a/contrib/bind9/lib/dns/rdata/in_1/px_26.h b/contrib/bind9/lib/dns/rdata/in_1/px_26.h
index 79d4b18..a38d5f81 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/px_26.h
+++ b/contrib/bind9/lib/dns/rdata/in_1/px_26.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,9 +18,10 @@
 #ifndef IN_1_PX_26_H
 #define IN_1_PX_26_H 1
 
-/* $Id: px_26.h,v 1.14.206.1 2004/03/06 08:14:18 marka Exp $ */
+/* $Id: px_26.h,v 1.15.18.2 2005/04/29 00:16:43 marka Exp $ */
 
-/* RFC 2163 */
+/*! 
+ *  \brief Per RFC2163 */
 
 typedef struct dns_rdata_in_px {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/in_1/srv_33.c b/contrib/bind9/lib/dns/rdata/in_1/srv_33.c
index 7bcba1b..2925a77 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/srv_33.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/srv_33.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: srv_33.c,v 1.36.2.1.2.4 2004/03/06 08:14:18 marka Exp $ */
+/* $Id: srv_33.c,v 1.41.18.2 2005/04/29 00:16:43 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
 
-/* RFC 2782 */
+/* RFC2782 */
 
 #ifndef RDATA_IN_1_SRV_33_C
 #define RDATA_IN_1_SRV_33_C
diff --git a/contrib/bind9/lib/dns/rdata/in_1/srv_33.h b/contrib/bind9/lib/dns/rdata/in_1/srv_33.h
index 91dbf37..7d9fef6 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/srv_33.h
+++ b/contrib/bind9/lib/dns/rdata/in_1/srv_33.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,11 +18,12 @@
 #ifndef IN_1_SRV_33_H
 #define IN_1_SRV_33_H 1
 
-/* $Id: srv_33.h,v 1.14.206.1 2004/03/06 08:14:19 marka Exp $ */
+/* $Id: srv_33.h,v 1.15.18.2 2005/04/29 00:16:43 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
 
-/* RFC 2782 */
+/*! 
+ *  \brief Per RFC2782 */
 
 typedef struct dns_rdata_in_srv {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/in_1/wks_11.c b/contrib/bind9/lib/dns/rdata/in_1/wks_11.c
index c278686..749b8fd 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/wks_11.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/wks_11.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: wks_11.c,v 1.44.12.8 2004/09/16 01:00:58 marka Exp $ */
+/* $Id: wks_11.c,v 1.51.18.1 2004/09/16 01:02:19 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 15:01:49 PST 2000 by explorer */
 
diff --git a/contrib/bind9/lib/dns/rdata/in_1/wks_11.h b/contrib/bind9/lib/dns/rdata/in_1/wks_11.h
index e734281..a0093b9 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/wks_11.h
+++ b/contrib/bind9/lib/dns/rdata/in_1/wks_11.h
@@ -18,7 +18,7 @@
 #ifndef IN_1_WKS_11_H
 #define IN_1_WKS_11_H 1
 
-/* $Id: wks_11.h,v 1.19.206.1 2004/03/06 08:14:19 marka Exp $ */
+/* $Id: wks_11.h,v 1.20 2004/03/05 05:10:25 marka Exp $ */
 
 typedef	struct dns_rdata_in_wks {
 	dns_rdatacommon_t	common;
diff --git a/contrib/bind9/lib/dns/rdata/rdatastructpre.h b/contrib/bind9/lib/dns/rdata/rdatastructpre.h
index 19af8b4..d641ef5 100644
--- a/contrib/bind9/lib/dns/rdata/rdatastructpre.h
+++ b/contrib/bind9/lib/dns/rdata/rdatastructpre.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatastructpre.h,v 1.13.206.1 2004/03/06 08:14:02 marka Exp $ */
+/* $Id: rdatastructpre.h,v 1.14 2004/03/05 05:10:04 marka Exp $ */
 
 #ifndef DNS_RDATASTRUCT_H
 #define DNS_RDATASTRUCT_H 1
diff --git a/contrib/bind9/lib/dns/rdata/rdatastructsuf.h b/contrib/bind9/lib/dns/rdata/rdatastructsuf.h
index 3eabff2..1ab1b0a 100644
--- a/contrib/bind9/lib/dns/rdata/rdatastructsuf.h
+++ b/contrib/bind9/lib/dns/rdata/rdatastructsuf.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatastructsuf.h,v 1.7.206.1 2004/03/06 08:14:02 marka Exp $ */
+/* $Id: rdatastructsuf.h,v 1.8 2004/03/05 05:10:04 marka Exp $ */
 
 ISC_LANG_ENDDECLS
 
diff --git a/contrib/bind9/lib/dns/rdatalist.c b/contrib/bind9/lib/dns/rdatalist.c
index baa62e5..7229fa3 100644
--- a/contrib/bind9/lib/dns/rdatalist.c
+++ b/contrib/bind9/lib/dns/rdatalist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatalist.c,v 1.25.2.2.2.2 2004/03/08 02:07:56 marka Exp $ */
+/* $Id: rdatalist.c,v 1.28.18.3 2005/04/29 00:16:02 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -38,7 +40,10 @@ static dns_rdatasetmethods_t methods = {
 	isc__rdatalist_clone,
 	isc__rdatalist_count,
 	isc__rdatalist_addnoqname,
-	isc__rdatalist_getnoqname
+	isc__rdatalist_getnoqname,
+	NULL,
+	NULL,
+	NULL
 };
 
 void
diff --git a/contrib/bind9/lib/dns/rdatalist_p.h b/contrib/bind9/lib/dns/rdatalist_p.h
index 3a7b52c..d697fec 100644
--- a/contrib/bind9/lib/dns/rdatalist_p.h
+++ b/contrib/bind9/lib/dns/rdatalist_p.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatalist_p.h,v 1.3.206.2 2004/03/08 02:07:56 marka Exp $ */
+/* $Id: rdatalist_p.h,v 1.5.18.2 2005/04/29 00:16:03 marka Exp $ */
 
 #ifndef DNS_RDATALIST_P_H
 #define DNS_RDATALIST_P_H
 
+/*! \file */
+
 #include <isc/result.h>
 #include <dns/types.h>
 
diff --git a/contrib/bind9/lib/dns/rdataset.c b/contrib/bind9/lib/dns/rdataset.c
index 8af71c3..c86b3c5 100644
--- a/contrib/bind9/lib/dns/rdataset.c
+++ b/contrib/bind9/lib/dns/rdataset.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.58.2.2.2.12 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: rdataset.c,v 1.72.18.5 2006/03/02 00:37:21 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -174,6 +176,9 @@ static dns_rdatasetmethods_t question_methods = {
 	question_clone,
 	question_count,
 	NULL,
+	NULL,
+	NULL,
+	NULL,
 	NULL
 };
 
@@ -624,3 +629,81 @@ dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
 		return (ISC_R_NOTIMPLEMENTED);
 	return((rdataset->methods->getnoqname)(rdataset, name, nsec, nsecsig));
 }
+
+/*
+ * Additional cache stuff
+ */
+isc_result_t
+dns_rdataset_getadditional(dns_rdataset_t *rdataset,
+			   dns_rdatasetadditional_t type,
+			   dns_rdatatype_t qtype,
+			   dns_acache_t *acache,
+			   dns_zone_t **zonep,
+			   dns_db_t **dbp,
+			   dns_dbversion_t **versionp,
+			   dns_dbnode_t **nodep,
+			   dns_name_t *fname,
+			   dns_message_t *msg,
+			   isc_stdtime_t now)
+{
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+	REQUIRE(zonep == NULL || *zonep == NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+	REQUIRE(versionp != NULL && *versionp == NULL);
+	REQUIRE(nodep != NULL && *nodep == NULL);
+	REQUIRE(fname != NULL);
+	REQUIRE(msg != NULL);
+
+	if (acache != NULL && rdataset->methods->getadditional != NULL) {
+		return ((rdataset->methods->getadditional)(rdataset, type,
+							   qtype, acache,
+							   zonep, dbp,
+							   versionp, nodep,
+							   fname, msg, now));
+	}
+
+	return (ISC_R_FAILURE);
+}
+
+isc_result_t
+dns_rdataset_setadditional(dns_rdataset_t *rdataset,
+			   dns_rdatasetadditional_t type,
+			   dns_rdatatype_t qtype,
+			   dns_acache_t *acache,
+			   dns_zone_t *zone,
+			   dns_db_t *db,
+			   dns_dbversion_t *version,
+			   dns_dbnode_t *node,
+			   dns_name_t *fname)
+{
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (acache != NULL && rdataset->methods->setadditional != NULL) {
+		return ((rdataset->methods->setadditional)(rdataset, type,
+							   qtype, acache, zone,
+							   db, version,
+							   node, fname));
+	}
+
+	return (ISC_R_FAILURE);
+}
+
+isc_result_t
+dns_rdataset_putadditional(dns_acache_t *acache,
+			   dns_rdataset_t *rdataset,
+			   dns_rdatasetadditional_t type,
+			   dns_rdatatype_t qtype)
+{
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (acache != NULL && rdataset->methods->putadditional != NULL) {
+		return ((rdataset->methods->putadditional)(acache, rdataset,
+							   type, qtype));
+	}
+
+	return (ISC_R_FAILURE);
+}
+
diff --git a/contrib/bind9/lib/dns/rdatasetiter.c b/contrib/bind9/lib/dns/rdatasetiter.c
index f3b0f8b..8089e04 100644
--- a/contrib/bind9/lib/dns/rdatasetiter.c
+++ b/contrib/bind9/lib/dns/rdatasetiter.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatasetiter.c,v 1.11.206.1 2004/03/06 08:13:44 marka Exp $ */
+/* $Id: rdatasetiter.c,v 1.12.18.2 2005/04/29 00:16:03 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/dns/rdataslab.c b/contrib/bind9/lib/dns/rdataslab.c
index 0604cd5..3b5ab2d 100644
--- a/contrib/bind9/lib/dns/rdataslab.c
+++ b/contrib/bind9/lib/dns/rdataslab.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataslab.c,v 1.29.2.2.2.6 2004/03/08 09:04:31 marka Exp $ */
+/* $Id: rdataslab.c,v 1.35.18.5 2006/03/05 23:58:51 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -31,25 +33,95 @@
 #include <dns/rdataset.h>
 #include <dns/rdataslab.h>
 
-/* Note: the "const void *" are just to make qsort happy. */
+/*
+ * The rdataslab structure allows iteration to occur in both load order
+ * and DNSSEC order.  The structure is as follows:
+ *
+ *	header		(reservelen bytes)
+ *	record count	(2 bytes)
+ *	offset table	(4 x record count bytes in load order)
+ *	data records
+ *		data length	(2 bytes)
+ *		order		(2 bytes)
+ *		data		(data length bytes)
+ *
+ * Offsets are from the end of the header.
+ *
+ * Load order traversal is performed by walking the offset table to find
+ * the start of the record.
+ *
+ * DNSSEC order traversal is performed by walking the data records.
+ *
+ * The order is stored with record to allow for efficient reconstuction of
+ * of the offset table following a merge or subtraction.
+ *
+ * The iterator methods here currently only support DNSSEC order iteration.
+ *
+ * The iterator methods in rbtdb support both load order and DNSSEC order
+ * iteration.
+ *
+ * WARNING:
+ *	rbtdb.c directly interacts with the slab's raw structures.  If the
+ *	structure changes then rbtdb.c also needs to be updated to reflect
+ *	the changes.  See the areas tagged with "RDATASLAB".
+ */
+
+struct xrdata {
+	dns_rdata_t	rdata;
+	unsigned int	order;
+};
+
+/*% Note: the "const void *" are just to make qsort happy.  */
 static int
 compare_rdata(const void *p1, const void *p2) {
-	const dns_rdata_t *rdata1 = p1;
-	const dns_rdata_t *rdata2 = p2;
-	return (dns_rdata_compare(rdata1, rdata2));
+	const struct xrdata *x1 = p1;
+	const struct xrdata *x2 = p2;
+	return (dns_rdata_compare(&x1->rdata, &x2->rdata));
+}
+
+static void
+fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
+	       unsigned length)
+{
+	unsigned int i, j;
+	unsigned char *raw;
+
+	for (i = 0, j = 0; i < length; i++) {
+
+		if (offsettable[i] == 0)
+			continue;
+
+		/*
+		 * Fill in offset table.
+		 */
+		raw = &offsetbase[j*4 + 2];
+		*raw++ = (offsettable[i] & 0xff000000) >> 24;
+		*raw++ = (offsettable[i] & 0xff0000) >> 16;
+		*raw++ = (offsettable[i] & 0xff00) >> 8;
+		*raw = offsettable[i] & 0xff;
+
+		/*
+		 * Fill in table index.
+		 */
+		raw = offsetbase + offsettable[i] + 2;
+		*raw++ = (j & 0xff00) >> 8;
+		*raw = j++ & 0xff;
+	}
 }
 
 isc_result_t
 dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 			   isc_region_t *region, unsigned int reservelen)
 {
-	dns_rdata_t    *rdatas;
+	struct xrdata  *x;
 	unsigned char  *rawbuf;
+	unsigned char  *offsetbase;
 	unsigned int	buflen;
 	isc_result_t	result;
 	unsigned int	nitems;
 	unsigned int	nalloc;
 	unsigned int	i;
+	unsigned int   *offsettable;
 
 	buflen = reservelen + 2;
 
@@ -58,8 +130,11 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 	if (nitems == 0)
 		return (ISC_R_FAILURE);
 
-	rdatas = isc_mem_get(mctx, nalloc * sizeof(dns_rdata_t));
-	if (rdatas == NULL)
+	if (nalloc > 0xffff)
+		return (ISC_R_NOSPACE);
+
+	x = isc_mem_get(mctx, nalloc * sizeof(struct xrdata));
+	if (x == NULL)
 		return (ISC_R_NOMEMORY);
 
 	/*
@@ -70,8 +145,9 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		goto free_rdatas;
 	for (i = 0; i < nalloc && result == ISC_R_SUCCESS; i++) {
 		INSIST(result == ISC_R_SUCCESS);
-		dns_rdata_init(&rdatas[i]);
-		dns_rdataset_current(rdataset, &rdatas[i]);
+		dns_rdata_init(&x[i].rdata);
+		dns_rdataset_current(rdataset, &x[i].rdata);
+		x[i].order = i;
 		result = dns_rdataset_next(rdataset);
 	}
 	if (result != ISC_R_NOMORE)
@@ -85,7 +161,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		goto free_rdatas;
 	}
 
-	qsort(rdatas, nalloc, sizeof(dns_rdata_t), compare_rdata);
+	/*
+	 * Put into DNSSEC order.
+	 */
+	qsort(x, nalloc, sizeof(struct xrdata), compare_rdata);
 
 	/*
 	 * Remove duplicates and compute the total storage required.
@@ -93,20 +172,27 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 	 * If an rdata is not a duplicate, accumulate the storage size
 	 * required for the rdata.  We do not store the class, type, etc,
 	 * just the rdata, so our overhead is 2 bytes for the number of
-	 * records, and 2 for each rdata length, and then the rdata itself.
+	 * records, and 8 for each rdata, (length(2), offset(4) and order(2))
+	 * and then the rdata itself.
 	 */
 	for (i = 1; i < nalloc; i++) {
-		if (compare_rdata(&rdatas[i-1], &rdatas[i]) == 0) {
-			rdatas[i-1].data = NULL;
-			rdatas[i-1].length = 0;
+		if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) {
+			x[i-1].rdata.data = NULL;
+			x[i-1].rdata.length = 0;
+			/*
+			 * Preserve the least order so A, B, A -> A, B
+			 * after duplicate removal.
+			 */
+			if (x[i-1].order < x[i].order)
+				x[i].order = x[i-1].order;
 			nitems--;
 		} else
-			buflen += (2 + rdatas[i-1].length);
+			buflen += (8 + x[i-1].rdata.length);
 	}
 	/*
 	 * Don't forget the last item!
 	 */
-	buflen += (2 + rdatas[i-1].length);
+	buflen += (8 + x[i-1].rdata.length);
 
 	/*
 	 * Ensure that singleton types are actually singletons.
@@ -129,26 +215,47 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		result = ISC_R_NOMEMORY;
 		goto free_rdatas;
 	}
+	
+	/* Allocate temporary offset table. */
+	offsettable = isc_mem_get(mctx, nalloc * sizeof(unsigned int));
+	if (offsettable == NULL) {
+		isc_mem_put(mctx, rawbuf, buflen);
+		result = ISC_R_NOMEMORY;
+		goto free_rdatas;
+	}
+	memset(offsettable, 0, nalloc * sizeof(unsigned int));
 
 	region->base = rawbuf;
 	region->length = buflen;
 
 	rawbuf += reservelen;
+	offsetbase = rawbuf;
 
 	*rawbuf++ = (nitems & 0xff00) >> 8;
 	*rawbuf++ = (nitems & 0x00ff);
+
+	/* Skip load order table.  Filled in later. */
+	rawbuf += nitems * 4;
+
 	for (i = 0; i < nalloc; i++) {
-		if (rdatas[i].data == NULL)
+		if (x[i].rdata.data == NULL)
 			continue;
-		*rawbuf++ = (rdatas[i].length & 0xff00) >> 8;
-		*rawbuf++ = (rdatas[i].length & 0x00ff);
-		memcpy(rawbuf, rdatas[i].data, rdatas[i].length);
-		rawbuf += rdatas[i].length;
+		offsettable[x[i].order] = rawbuf - offsetbase;
+		*rawbuf++ = (x[i].rdata.length & 0xff00) >> 8;
+		*rawbuf++ = (x[i].rdata.length & 0x00ff);
+		rawbuf += 2;	/* filled in later */
+		memcpy(rawbuf, x[i].rdata.data, x[i].rdata.length);
+		rawbuf += x[i].rdata.length;
 	}
+	
+	fillin_offsets(offsetbase, offsettable, nalloc);
+
+	isc_mem_put(mctx, offsettable, nalloc * sizeof(unsigned int));
+
 	result = ISC_R_SUCCESS;
 
  free_rdatas:
-	isc_mem_put(mctx, rdatas, nalloc * sizeof(dns_rdata_t));
+	isc_mem_put(mctx, x, nalloc * sizeof(struct xrdata));
 	return (result);
 }
 
@@ -167,7 +274,7 @@ rdataset_first(dns_rdataset_t *rdataset) {
 		rdataset->private5 = NULL;
 		return (ISC_R_NOMORE);
 	}
-	raw += 2;
+	raw += 2 + (4 * count);
 	/*
 	 * The privateuint4 field is the number of rdata beyond the cursor
 	 * position, so we decrement the total count by one before storing
@@ -193,7 +300,7 @@ rdataset_next(dns_rdataset_t *rdataset) {
 	rdataset->privateuint4 = count;
 	raw = rdataset->private5;
 	length = raw[0] * 256 + raw[1];
-	raw += length + 2;
+	raw += length + 4;
 	rdataset->private5 = raw;
 
 	return (ISC_R_SUCCESS);
@@ -207,7 +314,7 @@ rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
 	REQUIRE(raw != NULL);
 
 	r.length = raw[0] * 256 + raw[1];
-	raw += 2;
+	raw += 4;
 	r.base = raw;
 	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
 }
@@ -241,6 +348,9 @@ static dns_rdatasetmethods_t rdataset_methods = {
 	rdataset_clone,
 	rdataset_count,
 	NULL,
+	NULL,
+	NULL,
+	NULL,
 	NULL
 };
 
@@ -280,11 +390,12 @@ dns_rdataslab_size(unsigned char *slab, unsigned int reservelen) {
 	current = slab + reservelen;
 	count = *current++ * 256;
 	count += *current++;
+	current += (4 * count);
 	while (count > 0) {
 		count--;
 		length = *current++ * 256;
 		length += *current++;
-		current += length;
+		current += length + 2;
 	}
 
 	return ((unsigned int)(current - slab));
@@ -306,6 +417,7 @@ rdata_from_slab(unsigned char **current,
 
 	region.length = *tcurrent++ * 256;
 	region.length += *tcurrent++;
+	tcurrent += 2;
 	region.base = tcurrent;
 	tcurrent += region.length;
 	dns_rdata_fromregion(rdata, rdclass, type, &region);
@@ -325,15 +437,22 @@ rdata_in_slab(unsigned char *slab, unsigned int reservelen,
 	unsigned int count, i;
 	unsigned char *current;
 	dns_rdata_t trdata = DNS_RDATA_INIT;
+	int n;
 
 	current = slab + reservelen;
 	count = *current++ * 256;
 	count += *current++;
 
+	current += (4 * count);
+
 	for (i = 0; i < count; i++) {
 		rdata_from_slab(&current, rdclass, type, &trdata);
-		if (dns_rdata_compare(&trdata, rdata) == 0)
+		
+		n = dns_rdata_compare(&trdata, rdata);
+		if (n == 0)
 			return (ISC_TRUE);
+		if (n > 0)	/* In DNSSEC order. */
+			break;
 		dns_rdata_reset(&trdata);
 	}
 	return (ISC_FALSE);
@@ -354,6 +473,11 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 	unsigned int oadded = 0;
 	unsigned int nadded = 0;
 	unsigned int nncount = 0;
+	unsigned int oncount;
+	unsigned int norder = 0;
+	unsigned int oorder = 0;
+	unsigned char *offsetbase;
+	unsigned int *offsettable;
 
 	/*
 	 * XXX  Need parameter to allow "delete rdatasets in nslab" merge,
@@ -366,12 +490,16 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 	ocurrent = oslab + reservelen;
 	ocount = *ocurrent++ * 256;
 	ocount += *ocurrent++;
+	ocurrent += (4 * ocount);
 	ostart = ocurrent;
 	ncurrent = nslab + reservelen;
 	ncount = *ncurrent++ * 256;
 	ncount += *ncurrent++;
+	ncurrent += (4 * ncount);
 	INSIST(ocount > 0 && ncount > 0);
 
+	oncount = ncount;
+
 	/*
 	 * Yes, this is inefficient!
 	 */
@@ -383,8 +511,8 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 	for (count = 0; count < ocount; count++) {
 		length = *ocurrent++ * 256;
 		length += *ocurrent++;
-		olength += length + 2;
-		ocurrent += length;
+		olength += length + 8;
+		ocurrent += length + 2;
 	}
 
 	/*
@@ -400,6 +528,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 	do {
 		nregion.length = *ncurrent++ * 256;
 		nregion.length += *ncurrent++;
+		ncurrent += 2;
 		nregion.base = ncurrent;
 		dns_rdata_init(&nrdata);
 		dns_rdata_fromregion(&nrdata, rdclass, type, &nregion);
@@ -408,7 +537,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 			/*
 			 * This rdata isn't in the old slab.
 			 */
-			tlength += nregion.length + 2;
+			tlength += nregion.length + 8;
 			tcount++;
 			nncount++;
 			added_something = ISC_TRUE;
@@ -436,6 +565,9 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 		return (DNS_R_SINGLETON);
 	}
 
+	if (tcount > 0xffff)
+		return (ISC_R_NOSPACE);
+
 	/*
 	 * Copy the reserved area from the new slab.
 	 */
@@ -444,6 +576,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 		return (ISC_R_NOMEMORY);
 	memcpy(tstart, nslab, reservelen);
 	tcurrent = tstart + reservelen;
+	offsetbase = tcurrent;
 
 	/*
 	 * Write the new count.
@@ -452,16 +585,35 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 	*tcurrent++ = (tcount & 0x00ff);
 
 	/*
+	 * Skip offset table.
+	 */
+	tcurrent += (tcount * 4);
+
+	offsettable = isc_mem_get(mctx,
+				  (ocount + oncount) * sizeof(unsigned int));
+	if (offsettable == NULL) {
+		isc_mem_put(mctx, tstart, tlength);
+		return (ISC_R_NOMEMORY);
+	}
+	memset(offsettable, 0, (ocount + oncount) * sizeof(unsigned int));
+
+	/*
 	 * Merge the two slabs.
 	 */
 	ocurrent = ostart;
 	INSIST(ocount != 0);
+	oorder = ocurrent[2] * 256 + ocurrent[3];
+	INSIST(oorder < ocount);
 	rdata_from_slab(&ocurrent, rdclass, type, &ordata);
 
 	ncurrent = nslab + reservelen + 2;
+	ncurrent += (4 * oncount);
+
 	if (ncount > 0) {
 		do {
 			dns_rdata_reset(&nrdata);
+			norder = ncurrent[2] * 256 + ncurrent[3];
+			INSIST(norder < oncount);
        			rdata_from_slab(&ncurrent, rdclass, type, &nrdata);
 		} while (rdata_in_slab(oslab, reservelen, rdclass,
 				       type, &nrdata));
@@ -476,27 +628,35 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 		else
 			fromold = ISC_TF(compare_rdata(&ordata, &nrdata) < 0);
 		if (fromold) {
+			offsettable[oorder] = tcurrent - offsetbase;
 			length = ordata.length;
 			*tcurrent++ = (length & 0xff00) >> 8;
 			*tcurrent++ = (length & 0x00ff);
+			tcurrent += 2;	/* fill in later */
 			memcpy(tcurrent, ordata.data, length);
 			tcurrent += length;
 			oadded++;
 			if (oadded < ocount) {
 				dns_rdata_reset(&ordata);
+				oorder = ocurrent[2] * 256 + ocurrent[3];
+				INSIST(oorder < ocount);
        				rdata_from_slab(&ocurrent, rdclass, type,
 						&ordata);
 			}
 		} else {
+			offsettable[ocount + norder] = tcurrent - offsetbase;
 			length = nrdata.length;
 			*tcurrent++ = (length & 0xff00) >> 8;
 			*tcurrent++ = (length & 0x00ff);
+			tcurrent += 2;	/* fill in later */
 			memcpy(tcurrent, nrdata.data, length);
 			tcurrent += length;
 			nadded++;
 			if (nadded < ncount) {
 				do {
 					dns_rdata_reset(&nrdata);
+					norder = ncurrent[2] * 256 + ncurrent[3];
+					INSIST(norder < oncount);
        					rdata_from_slab(&ncurrent, rdclass,
 							type, &nrdata);
 				} while (rdata_in_slab(oslab, reservelen,
@@ -506,6 +666,11 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 		}
 	}
 
+	fillin_offsets(offsetbase, offsettable, ocount + oncount);
+
+	isc_mem_put(mctx, offsettable,
+		    (ocount + oncount) * sizeof(unsigned int));
+
 	INSIST(tcurrent == tstart + tlength);
 
 	*tslabp = tstart;
@@ -520,9 +685,12 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 		       unsigned int flags, unsigned char **tslabp)
 {
 	unsigned char *mcurrent, *sstart, *scurrent, *tstart, *tcurrent;
-	unsigned int mcount, scount, rcount ,count, tlength, tcount;
+	unsigned int mcount, scount, rcount ,count, tlength, tcount, i;
 	dns_rdata_t srdata = DNS_RDATA_INIT;
 	dns_rdata_t mrdata = DNS_RDATA_INIT;
+	unsigned char *offsetbase;
+	unsigned int *offsettable;
+	unsigned int order;
 
 	REQUIRE(tslabp != NULL && *tslabp == NULL);
 	REQUIRE(mslab != NULL && sslab != NULL);
@@ -533,7 +701,6 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 	scurrent = sslab + reservelen;
 	scount = *scurrent++ * 256;
 	scount += *scurrent++;
-	sstart = scurrent;
 	INSIST(mcount > 0 && scount > 0);
 
 	/*
@@ -547,11 +714,15 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 	tcount = 0;
 	rcount = 0;
 
+	mcurrent += 4 * mcount;
+	scurrent += 4 * scount;
+	sstart = scurrent;
+
 	/*
 	 * Add in the length of rdata in the mslab that aren't in
 	 * the sslab.
 	 */
-	do {
+	for (i = 0; i < mcount; i++) {
 		unsigned char *mrdatabegin = mcurrent;
 		rdata_from_slab(&mcurrent, rdclass, type, &mrdata);
 		scurrent = sstart;
@@ -570,9 +741,10 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 			tcount++;
 		} else
 			rcount++;
-		mcount--;
 		dns_rdata_reset(&mrdata);
-	} while (mcount > 0);
+	}
+
+	tlength += (4 * tcount);
 
 	/*
 	 * Check that all the records originally existed.  The numeric
@@ -601,6 +773,14 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 		return (ISC_R_NOMEMORY);
 	memcpy(tstart, mslab, reservelen);
 	tcurrent = tstart + reservelen;
+	offsetbase = tcurrent;
+
+	offsettable = isc_mem_get(mctx, mcount * sizeof(unsigned int));
+	if (offsettable == NULL) {
+		isc_mem_put(mctx, tstart, tlength);
+		return (ISC_R_NOMEMORY);
+	}
+	memset(offsettable, 0, mcount * sizeof(unsigned int));
 
 	/*
 	 * Write the new count.
@@ -608,14 +788,19 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 	*tcurrent++ = (tcount & 0xff00) >> 8;
 	*tcurrent++ = (tcount & 0x00ff);
 
+	tcurrent += (4 * tcount);
+
 	/*
 	 * Copy the parts of mslab not in sslab.
 	 */
 	mcurrent = mslab + reservelen;
 	mcount = *mcurrent++ * 256;
 	mcount += *mcurrent++;
-	do {
+	mcurrent += (4 * mcount);
+	for (i = 0; i < mcount; i++) {
 		unsigned char *mrdatabegin = mcurrent;
+		order = mcurrent[2] * 256 + mcurrent[3];
+		INSIST(order < mcount);
 		rdata_from_slab(&mcurrent, rdclass, type, &mrdata);
 		scurrent = sstart;
 		for (count = 0; count < scount; count++) {
@@ -630,12 +815,16 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 			 * copied to the tslab.
 			 */
 			unsigned int length = mcurrent - mrdatabegin;
+			offsettable[order] = tcurrent - offsetbase;
 			memcpy(tcurrent, mrdatabegin, length);
 			tcurrent += length;
 		}
 		dns_rdata_reset(&mrdata);
-		mcount--;
-	} while (mcount > 0);
+	}
+
+	fillin_offsets(offsetbase, offsettable, mcount);
+
+	isc_mem_put(mctx, offsettable, mcount * sizeof(unsigned int));
 
 	INSIST(tcurrent == tstart + tlength);
 
@@ -663,6 +852,9 @@ dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
 	if (count1 != count2)
 		return (ISC_FALSE);
 
+	current1 += (4 * count1);
+	current2 += (4 * count2);
+
 	while (count1 > 0) {
 		length1 = *current1++ * 256;
 		length1 += *current1++;
@@ -670,6 +862,9 @@ dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
 		length2 = *current2++ * 256;
 		length2 += *current2++;
 
+		current1 += 2;
+		current2 += 2;
+
 		if (length1 != length2 ||
 		    memcmp(current1, current2, length1) != 0)
 			return (ISC_FALSE);
@@ -703,6 +898,9 @@ dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
 	if (count1 != count2)
 		return (ISC_FALSE);
 
+	current1 += (4 * count1);
+	current2 += (4 * count2);
+
 	while (count1-- > 0) {
 		rdata_from_slab(&current1, rdclass, type, &rdata1);
 		rdata_from_slab(&current2, rdclass, type, &rdata2);
diff --git a/contrib/bind9/lib/dns/request.c b/contrib/bind9/lib/dns/request.c
index c325fd4..be8f93d 100644
--- a/contrib/bind9/lib/dns/request.c
+++ b/contrib/bind9/lib/dns/request.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: request.c,v 1.64.2.1.10.9 2006/08/21 00:50:48 marka Exp $ */
+/* $Id: request.c,v 1.72.18.5 2006/08/21 00:40:53 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -91,10 +93,10 @@ struct dns_request {
 
 #define DNS_REQUEST_F_CONNECTING 0x0001
 #define DNS_REQUEST_F_SENDING 0x0002
-#define DNS_REQUEST_F_CANCELED 0x0004	/* ctlevent received, or otherwise
+#define DNS_REQUEST_F_CANCELED 0x0004	/*%< ctlevent received, or otherwise
 					   synchronously canceled */
-#define DNS_REQUEST_F_TIMEDOUT 0x0008	/* cancelled due to a timeout */
-#define DNS_REQUEST_F_TCP 0x0010	/* This request used TCP */
+#define DNS_REQUEST_F_TIMEDOUT 0x0008	/*%< cancelled due to a timeout */
+#define DNS_REQUEST_F_TCP 0x0010	/*%< This request used TCP */
 #define DNS_REQUEST_CANCELED(r) \
 	(((r)->flags & DNS_REQUEST_F_CANCELED) != 0)
 #define DNS_REQUEST_CONNECTING(r) \
diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c
index a56fecf..7312841 100644
--- a/contrib/bind9/lib/dns/resolver.c
+++ b/contrib/bind9/lib/dns/resolver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.218.2.18.4.64.4.2 2007/01/11 05:05:10 marka Exp $ */
+/* $Id: resolver.c,v 1.284.18.57 2007/02/14 23:41:01 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -99,12 +101,12 @@
 #define QTRACE(m)
 #endif
 
-/*
+/*%
  * Maximum EDNS0 input packet size.
  */
 #define RECV_BUFFER_SIZE		4096		/* XXXRTH  Constant. */
 
-/*
+/*%
  * This defines the maximum number of timeouts we will permit before we
  * disable EDNS0 on the query.
  */
@@ -146,13 +148,13 @@ typedef struct query {
 #define RESQUERY_SENDING(q)		((q)->sends > 0)
 
 typedef enum {
-	fetchstate_init = 0,		/* Start event has not run yet. */
+	fetchstate_init = 0,		/*%< Start event has not run yet. */
 	fetchstate_active,
-	fetchstate_done			/* FETCHDONE events posted. */
+	fetchstate_done			/*%< FETCHDONE events posted. */
 } fetchstate;
 
 struct fetchctx {
-	/* Not locked. */
+	/*% Not locked. */
 	unsigned int			magic;
 	dns_resolver_t *		res;
 	dns_name_t			name;
@@ -160,15 +162,16 @@ struct fetchctx {
 	unsigned int			options;
 	unsigned int			bucketnum;
 	char *				info;
-	/* Locked by appropriate bucket lock. */
+	/*% Locked by appropriate bucket lock. */
 	fetchstate			state;
 	isc_boolean_t			want_shutdown;
 	isc_boolean_t			cloned;
+	isc_boolean_t			spilled;
 	unsigned int			references;
 	isc_event_t			control_event;
 	ISC_LINK(struct fetchctx)	link;
 	ISC_LIST(dns_fetchevent_t)	events;
-	/* Locked by task event serialization. */
+	/*% Locked by task event serialization. */
 	dns_name_t			domain;
 	dns_rdataset_t			nameservers;
 	unsigned int			attributes;
@@ -187,16 +190,18 @@ struct fetchctx {
 	isc_sockaddrlist_t		forwarders;
 	dns_fwdpolicy_t			fwdpolicy;
 	isc_sockaddrlist_t		bad;
+	isc_sockaddrlist_t		edns;
+	isc_sockaddrlist_t		edns512;
 	ISC_LIST(dns_validator_t)	validators;
 	dns_db_t *			cache;
 	dns_adb_t *			adb;
 
-	/*
+	/*%
 	 * The number of events we're waiting for.
 	 */
 	unsigned int			pending;
 
-	/*
+	/*%
 	 * The number of times we've "restarted" the current
 	 * nameserver set.  This acts as a failsafe to prevent
 	 * us from pounding constantly on a particular set of
@@ -206,13 +211,13 @@ struct fetchctx {
 	 */
 	unsigned int			restarts;
 
-	/*
+	/*%
 	 * The number of timeouts that have occurred since we 
 	 * last successfully received a response packet.  This
 	 * is used for EDNS0 black hole detection.
 	 */
 	unsigned int			timeouts;
-	/*
+	/*%
 	 * Look aside state for DS lookups.
 	 */
 	dns_name_t 			nsname; 
@@ -270,6 +275,7 @@ typedef struct fctxbucket {
 	isc_mutex_t			lock;
 	ISC_LIST(fetchctx_t)		fctxs;
 	isc_boolean_t			exiting;
+	isc_mem_t *			mctx;
 } fctxbucket_t;
 
 typedef struct alternate {
@@ -314,12 +320,17 @@ struct dns_resolver {
 	isc_rwlock_t			mbslock;
 #endif
 	dns_rbt_t *			mustbesecure;
+	unsigned int			spillatmax;
+	unsigned int			spillatmin;
+	isc_timer_t *			spillattimer;
+	isc_boolean_t			zero_no_soa_ttl;
 	/* Locked by lock. */
 	unsigned int			references;
 	isc_boolean_t			exiting;
 	isc_eventlist_t			whenshutdown;
 	unsigned int			activebuckets;
 	isc_boolean_t			priming;
+	unsigned int			spillat;
 	/* Locked by primelock. */
 	dns_fetch_t *			primefetch;
 	/* Locked by nlock. */
@@ -329,7 +340,7 @@ struct dns_resolver {
 #define RES_MAGIC			ISC_MAGIC('R', 'e', 's', '!')
 #define VALID_RESOLVER(res)		ISC_MAGIC_VALID(res, RES_MAGIC)
 
-/*
+/*%
  * Private addrinfo flags.  These must not conflict with DNS_FETCHOPT_NOEDNS0,
  * which we also use as an addrinfo flag.
  */
@@ -368,7 +379,8 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
 	dns_valarg_t *valarg;
 	isc_result_t result;
 
-	valarg = isc_mem_get(fctx->res->mctx, sizeof(*valarg));
+	valarg = isc_mem_get(fctx->res->buckets[fctx->bucketnum].mctx,
+			     sizeof(*valarg));
 	if (valarg == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -385,7 +397,8 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
 	if (result == ISC_R_SUCCESS)
 		ISC_LIST_APPEND(fctx->validators, validator, link);
 	else
-		isc_mem_put(fctx->res->mctx, valarg, sizeof(*valarg));
+		isc_mem_put(fctx->res->buckets[fctx->bucketnum].mctx,
+			    valarg, sizeof(*valarg));
 	return (result);
 }
 
@@ -571,8 +584,7 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
 			 * slow.  We don't know.  Increase the RTT.
 			 */
 			INSIST(no_response);
-			rtt = query->addrinfo->srtt +
-				(200000 * fctx->restarts);
+			rtt = query->addrinfo->srtt + 200000;
 			if (rtt > 10000000)
 				rtt = 10000000;
 			/*
@@ -755,6 +767,9 @@ static inline void
 fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
 	dns_fetchevent_t *event, *next_event;
 	isc_task_t *task;
+	unsigned int count = 0;
+	isc_interval_t i;
+	isc_boolean_t logit = ISC_FALSE;
 
 	/*
 	 * Caller must be holding the appropriate bucket lock.
@@ -780,6 +795,31 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
 		       fctx->type == dns_rdatatype_sig);
 
 		isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
+		count++;
+	}
+
+	if ((fctx->attributes & FCTX_ATTR_HAVEANSWER) != 0 &&
+	    fctx->spilled &&
+	    (count < fctx->res->spillatmax || fctx->res->spillatmax == 0)) {
+		LOCK(&fctx->res->lock);
+	    	if (count == fctx->res->spillat && !fctx->res->exiting) {
+			fctx->res->spillat += 5;
+			if (fctx->res->spillat > fctx->res->spillatmax &&
+			    fctx->res->spillatmax != 0)
+				fctx->res->spillat = fctx->res->spillatmax;
+			isc_interval_set(&i, 20 * 60, 0);
+			result = isc_timer_reset(fctx->res->spillattimer,
+						 isc_timertype_ticker, NULL,
+						 &i, ISC_TRUE);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			logit = ISC_TRUE;
+		}
+		UNLOCK(&fctx->res->lock);
+		if (logit)
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+				      "clients-per-query increased to %u",
+				      count + 1);
 	}
 }
 
@@ -884,7 +924,8 @@ resquery_senddone(isc_task_t *task, isc_event_t *event) {
 }
 
 static inline isc_result_t
-fctx_addopt(dns_message_t *message, dns_resolver_t *res) {
+fctx_addopt(dns_message_t *message, unsigned int version, isc_uint16_t udpsize)
+{ 
 	dns_rdataset_t *rdataset;
 	dns_rdatalist_t *rdatalist;
 	dns_rdata_t *rdata;
@@ -910,12 +951,13 @@ fctx_addopt(dns_message_t *message, dns_resolver_t *res) {
 	/*
 	 * Set Maximum UDP buffer size.
 	 */
-	rdatalist->rdclass = res->udpsize;
+	rdatalist->rdclass = udpsize;
 
 	/*
-	 * Set EXTENDED-RCODE, VERSION, and Z to 0, and the DO bit to 1.
+	 * Set EXTENDED-RCODE and Z to 0, DO to 1.
 	 */
-	rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
+	rdatalist->ttl = (version << 16);
+	rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
 
 	/*
 	 * No EDNS options.
@@ -936,34 +978,37 @@ fctx_addopt(dns_message_t *message, dns_resolver_t *res) {
 static inline void
 fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
 	unsigned int seconds;
+	unsigned int us;
 
 	/*
-	 * We retry every 2 seconds the first two times through the address
+	 * We retry every .5 seconds the first two times through the address
 	 * list, and then we do exponential back-off.
 	 */
 	if (fctx->restarts < 3)
-		seconds = 2;
+		us = 500000;
 	else
-		seconds = (2 << (fctx->restarts - 1));
+		us = (500000 << (fctx->restarts - 2));
 
 	/*
-	 * Double the round-trip time and convert to seconds.
+	 * Double the round-trip time.
 	 */
-	rtt /= 500000;
+	rtt *= 2;
 
 	/*
 	 * Always wait for at least the doubled round-trip time.
 	 */
-	if (seconds < rtt)
-		seconds = rtt;
+	if (us < rtt)
+		us = rtt;
 
 	/*
-	 * But don't ever wait for more than 30 seconds.
+	 * But don't ever wait for more than 10 seconds.
 	 */
-	if (seconds > 30)
-		seconds = 30;
+	if (us > 10000000)
+		us = 10000000;
 
-	isc_interval_set(&fctx->interval, seconds, 0);
+	seconds = us / 1000000;
+	us -= seconds * 1000000;
+	isc_interval_set(&fctx->interval, seconds, us * 1000);
 }
 
 static isc_result_t
@@ -974,6 +1019,8 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	isc_task_t *task;
 	isc_result_t result;
 	resquery_t *query;
+	isc_sockaddr_t addr;
+	isc_boolean_t have_addr = ISC_FALSE;
 
 	FCTXTRACE("query");
 
@@ -989,12 +1036,13 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 
 	dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
 
-	query = isc_mem_get(res->mctx, sizeof(*query));
+	query = isc_mem_get(res->buckets[fctx->bucketnum].mctx,
+			    sizeof(*query));
 	if (query == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto stop_idle_timer;
 	}
-	query->mctx = res->mctx;
+	query->mctx = res->buckets[fctx->bucketnum].mctx;
 	query->options = options;
 	query->attributes = 0;
 	query->sends = 0;
@@ -1014,28 +1062,42 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	query->dispatchmgr = res->dispatchmgr;
 	query->dispatch = NULL;
 	query->tcpsocket = NULL;
+	if (res->view->peers != NULL) {
+		dns_peer_t *peer = NULL;
+		isc_netaddr_t dstip;
+		isc_netaddr_fromsockaddr(&dstip, &addrinfo->sockaddr);
+		result = dns_peerlist_peerbyaddr(res->view->peers,
+					         &dstip, &peer);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_peer_getquerysource(peer, &addr);
+			if (result == ISC_R_SUCCESS)
+				have_addr = ISC_TRUE;
+		}
+	}
+
 	if ((query->options & DNS_FETCHOPT_TCP) != 0) {
-		isc_sockaddr_t addr;
 		int pf;
 
 		pf = isc_sockaddr_pf(&addrinfo->sockaddr);
-
-		switch (pf) {
-		case PF_INET:
-			result = dns_dispatch_getlocaladdress(res->dispatchv4,
-							      &addr);
-			break;
-		case PF_INET6:
-			result = dns_dispatch_getlocaladdress(res->dispatchv6,
-							      &addr);
-			break;
-		default:
-			result = ISC_R_NOTIMPLEMENTED;
-			break;
+		if (!have_addr) {
+			switch (pf) {
+			case PF_INET:
+				result =
+				  dns_dispatch_getlocaladdress(res->dispatchv4,
+							       &addr);
+				break;
+			case PF_INET6:
+				result =
+				  dns_dispatch_getlocaladdress(res->dispatchv6,
+							       &addr);
+				break;
+			default:
+				result = ISC_R_NOTIMPLEMENTED;
+				break;
+			}
+			if (result != ISC_R_SUCCESS)
+				goto cleanup_query;
 		}
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_query;
-
 		isc_sockaddr_setport(&addr, 0);
 
 		result = isc_socket_create(res->socketmgr, pf,
@@ -1054,16 +1116,46 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 		 * A dispatch will be created once the connect succeeds.
 		 */
 	} else {
-		switch (isc_sockaddr_pf(&addrinfo->sockaddr)) {
-		case PF_INET:
-			dns_dispatch_attach(res->dispatchv4, &query->dispatch);
-			break;
-		case PF_INET6:
-			dns_dispatch_attach(res->dispatchv6, &query->dispatch);
-			break;
-		default:
-			result = ISC_R_NOTIMPLEMENTED;
-			goto cleanup_query;
+		if (have_addr) {
+			unsigned int attrs, attrmask;
+			attrs = DNS_DISPATCHATTR_UDP;
+			switch (isc_sockaddr_pf(&addr)) {
+			case AF_INET:
+				attrs |= DNS_DISPATCHATTR_IPV4;
+				break;
+			case AF_INET6:
+				attrs |= DNS_DISPATCHATTR_IPV6;
+				break;
+			default:
+				result = ISC_R_NOTIMPLEMENTED;
+				goto cleanup_query;
+			}
+			attrmask = DNS_DISPATCHATTR_UDP;
+			attrmask |= DNS_DISPATCHATTR_TCP;
+			attrmask |= DNS_DISPATCHATTR_IPV4;
+			attrmask |= DNS_DISPATCHATTR_IPV6;
+			result = dns_dispatch_getudp(res->dispatchmgr,
+						     res->socketmgr,
+						     res->taskmgr, &addr,
+						     4096, 1000, 32768, 16411,
+						     16433, attrs, attrmask,
+						     &query->dispatch);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup_query;
+		} else {
+			switch (isc_sockaddr_pf(&addrinfo->sockaddr)) {
+			case PF_INET:
+				dns_dispatch_attach(res->dispatchv4,
+						    &query->dispatch);
+				break;
+			case PF_INET6:
+				dns_dispatch_attach(res->dispatchv6,
+						    &query->dispatch);
+				break;
+			default:
+				result = ISC_R_NOTIMPLEMENTED;
+				goto cleanup_query;
+			}
 		}
 		/*
 		 * We should always have a valid dispatcher here.  If we
@@ -1115,7 +1207,8 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 
  cleanup_query:
 	query->magic = 0;
-	isc_mem_put(res->mctx, query, sizeof(*query));
+	isc_mem_put(res->buckets[fctx->bucketnum].mctx,
+		    query, sizeof(*query));
 
  stop_idle_timer:
 	RUNTIME_CHECK(fctx_stopidletimer(fctx) == ISC_R_SUCCESS);
@@ -1123,6 +1216,66 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	return (result);
 }
 
+static isc_boolean_t
+triededns(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	isc_sockaddr_t *sa;
+
+	for (sa = ISC_LIST_HEAD(fctx->edns);
+	     sa != NULL;
+	     sa = ISC_LIST_NEXT(sa, link)) {
+		if (isc_sockaddr_equal(sa, address))
+			return (ISC_TRUE);
+	}
+
+	return (ISC_FALSE);
+}
+
+static void
+add_triededns(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	isc_sockaddr_t *sa;
+
+	if (triededns(fctx, address))
+		return;
+
+	sa = isc_mem_get(fctx->res->buckets[fctx->bucketnum].mctx,
+			 sizeof(*sa));
+	if (sa == NULL)
+		return;
+
+	*sa = *address;
+	ISC_LIST_INITANDAPPEND(fctx->edns, sa, link);
+}
+
+static isc_boolean_t
+triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	isc_sockaddr_t *sa;
+
+	for (sa = ISC_LIST_HEAD(fctx->edns512);
+	     sa != NULL;
+	     sa = ISC_LIST_NEXT(sa, link)) {
+		if (isc_sockaddr_equal(sa, address))
+			return (ISC_TRUE);
+	}
+
+	return (ISC_FALSE);
+}
+
+static void
+add_triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	isc_sockaddr_t *sa;
+
+	if (triededns512(fctx, address))
+		return;
+
+	sa = isc_mem_get(fctx->res->buckets[fctx->bucketnum].mctx,
+			 sizeof(*sa));
+	if (sa == NULL)
+		return;
+
+	*sa = *address;
+	ISC_LIST_INITANDAPPEND(fctx->edns512, sa, link);
+}
+
 static isc_result_t
 resquery_send(resquery_t *query) {
 	fetchctx_t *fctx;
@@ -1211,7 +1364,9 @@ resquery_send(resquery_t *query) {
 	 * Set CD if the client says don't validate or the question is
 	 * under a secure entry point.
 	 */
-	if ((query->options & DNS_FETCHOPT_NOVALIDATE) == 0) {
+	if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
+		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
+	} else if (res->view->enablevalidation) {
 		result = dns_keytable_issecuredomain(res->view->secroots,
 						     &fctx->name,
 						     &secure_domain);
@@ -1221,8 +1376,7 @@ resquery_send(resquery_t *query) {
 			secure_domain = ISC_TRUE;
 		if (secure_domain)
 			fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
-	} else
-		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
+	}
 
 	/*
 	 * We don't have to set opcode because it defaults to query.
@@ -1271,15 +1425,35 @@ resquery_send(resquery_t *query) {
 	 * Use EDNS0, unless the caller doesn't want it, or we know that
 	 * the remote server doesn't like it.
 	 */
-	if (fctx->timeouts >= MAX_EDNS0_TIMEOUTS &&
+
+	if ((triededns512(fctx, &query->addrinfo->sockaddr) ||
+	     fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) &&
 	    (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
 		query->options |= DNS_FETCHOPT_NOEDNS0;
 		FCTXTRACE("too many timeouts, disabling EDNS0");
+	} else if ((triededns(fctx, &query->addrinfo->sockaddr) ||
+		    fctx->timeouts >= MAX_EDNS0_TIMEOUTS) &&
+	           (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+		query->options |= DNS_FETCHOPT_EDNS512;
+		FCTXTRACE("too many timeouts, setting EDNS size to 512");
 	}
 
 	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
 		if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
-			result = fctx_addopt(fctx->qmessage, res);
+			unsigned int version = 0;	/* Default version. */
+			unsigned int flags;
+			isc_uint16_t udpsize = res->udpsize;
+
+			flags = query->addrinfo->flags;
+			if ((flags & DNS_FETCHOPT_EDNSVERSIONSET) != 0) {
+				version = flags & DNS_FETCHOPT_EDNSVERSIONMASK;
+				version >>= DNS_FETCHOPT_EDNSVERSIONSHIFT;
+			}
+			if ((query->options & DNS_FETCHOPT_EDNS512) != 0)
+				udpsize = 512;
+			else if (peer != NULL)
+				(void)dns_peer_getudpsize(peer, &udpsize);
+			result = fctx_addopt(fctx->qmessage, version, udpsize);
 			if (result != ISC_R_SUCCESS) {
 				/*
 				 * We couldn't add the OPT, but we'll press on.
@@ -1306,6 +1480,12 @@ resquery_send(resquery_t *query) {
 		goto cleanup_message;
 	}
 
+	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0)
+		add_triededns(fctx, &query->addrinfo->sockaddr);
+
+	if ((query->options & DNS_FETCHOPT_EDNS512) != 0)
+		add_triededns512(fctx, &query->addrinfo->sockaddr);
+
 	/*
 	 * Clear CD if EDNS is not in use.
 	 */
@@ -1680,7 +1860,8 @@ add_bad(fetchctx_t *fctx, isc_sockaddr_t *address, isc_result_t reason) {
 
 	FCTXTRACE("add_bad");
 
-	sa = isc_mem_get(fctx->res->mctx, sizeof(*sa));
+	sa = isc_mem_get(fctx->res->buckets[fctx->bucketnum].mctx,
+			 sizeof(*sa));
 	if (sa == NULL)
 		return;
 	*sa = *address;
@@ -1795,7 +1976,7 @@ sort_finds(fetchctx_t *fctx) {
 static void
 findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
 	 unsigned int options, unsigned int flags, isc_stdtime_t now,
-	 isc_boolean_t *pruned, isc_boolean_t *need_alternate)
+	 isc_boolean_t *need_alternate)
 {
 	dns_adbaddrinfo_t *ai;
 	dns_adbfind_t *find;
@@ -1824,7 +2005,8 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
 	result = dns_adb_createfind(fctx->adb,
 				    res->buckets[fctx->bucketnum].task,
 				    fctx_finddone, fctx, name,
-				    &fctx->domain, options, now, NULL,
+				    &fctx->name, fctx->type,
+				    options, now, NULL,
 				    res->view->dstport, &find);
 	if (result != ISC_R_SUCCESS) {
 		if (result == DNS_R_ALIAS) {
@@ -1887,18 +2069,6 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
 			     (res->dispatchv6 == NULL &&
 			      find->result_v4 == DNS_R_NXRRSET)))
 				*need_alternate = ISC_TRUE;
-			/*
-			 * And ADB isn't going to send us any events
-			 * either.  This find loses.
-			 */
-			if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0) {
-				/*
-				 * The ADB pruned lame servers for
-				 * this name.  Remember that in case
-				 * we get desperate later on.
-				 */
-				*pruned = ISC_TRUE;
-			}
 			dns_adb_destroyfind(&find);
 		}
 	}
@@ -1913,7 +2083,7 @@ fctx_getaddresses(fetchctx_t *fctx) {
 	unsigned int stdoptions;
 	isc_sockaddr_t *sa;
 	dns_adbaddrinfo_t *ai;
-	isc_boolean_t pruned, all_bad;
+	isc_boolean_t all_bad;
 	dns_rdata_ns_t ns;
 	isc_boolean_t need_alternate = ISC_FALSE;
 
@@ -1929,7 +2099,6 @@ fctx_getaddresses(fetchctx_t *fctx) {
 	}
 
 	res = fctx->res;
-	pruned = ISC_FALSE;
 	stdoptions = 0;		/* Keep compiler happy. */
 
 	/*
@@ -2021,7 +2190,6 @@ fctx_getaddresses(fetchctx_t *fctx) {
 		stdoptions |= DNS_ADBFIND_INET6;
 	isc_stdtime_get(&now);
 
- restart:
 	INSIST(ISC_LIST_EMPTY(fctx->finds));
 	INSIST(ISC_LIST_EMPTY(fctx->altfinds));
 
@@ -2038,7 +2206,7 @@ fctx_getaddresses(fetchctx_t *fctx) {
 			continue;
 
 		findname(fctx, &ns.name, 0, stdoptions, 0, now,
-			 &pruned, &need_alternate);
+			 &need_alternate);
 		dns_rdata_reset(&rdata);
 		dns_rdata_freestruct(&ns);
 	}
@@ -2058,7 +2226,7 @@ fctx_getaddresses(fetchctx_t *fctx) {
 			if (!a->isaddress) {
 				findname(fctx, &a->_u._n.name, a->_u._n.port,
 					 stdoptions, FCTX_ADDRINFO_FORWARDER,
-					 now, &pruned, NULL);
+					 now, NULL);
 				continue;
 			}
 			if (isc_sockaddr_pf(&a->_u.addr) != family)
@@ -2101,18 +2269,6 @@ fctx_getaddresses(fetchctx_t *fctx) {
 			 * yet.   Tell the caller to wait for an answer.
 			 */
 			result = DNS_R_WAIT;
-		} else if (pruned) {
-			/*
-			 * Some addresses were removed by lame pruning.
-			 * Turn pruning off and try again.
-			 */
-			FCTXTRACE("restarting with returnlame");
-			INSIST((stdoptions & DNS_ADBFIND_RETURNLAME) == 0);
-			stdoptions |= DNS_ADBFIND_RETURNLAME;
-			pruned = ISC_FALSE;
-			fctx_cleanupaltfinds(fctx);
-			fctx_cleanupfinds(fctx);
-			goto restart;
 		} else {
 			/*
 			 * We've lost completely.  We don't know any
@@ -2427,21 +2583,37 @@ fctx_destroy(fetchctx_t *fctx) {
 	     sa = next_sa) {
 		next_sa = ISC_LIST_NEXT(sa, link);
 		ISC_LIST_UNLINK(fctx->bad, sa, link);
-		isc_mem_put(res->mctx, sa, sizeof(*sa));
+		isc_mem_put(res->buckets[bucketnum].mctx, sa, sizeof(*sa));
+	}
+
+	for (sa = ISC_LIST_HEAD(fctx->edns);
+	     sa != NULL;
+	     sa = next_sa) {
+		next_sa = ISC_LIST_NEXT(sa, link);
+		ISC_LIST_UNLINK(fctx->edns, sa, link);
+		isc_mem_put(res->buckets[bucketnum].mctx, sa, sizeof(*sa));
+	}
+
+	for (sa = ISC_LIST_HEAD(fctx->edns512);
+	     sa != NULL;
+	     sa = next_sa) {
+		next_sa = ISC_LIST_NEXT(sa, link);
+		ISC_LIST_UNLINK(fctx->edns512, sa, link);
+		isc_mem_put(res->buckets[bucketnum].mctx, sa, sizeof(*sa));
 	}
 
 	isc_timer_detach(&fctx->timer);
 	dns_message_destroy(&fctx->rmessage);
 	dns_message_destroy(&fctx->qmessage);
 	if (dns_name_countlabels(&fctx->domain) > 0)
-		dns_name_free(&fctx->domain, res->mctx);
+		dns_name_free(&fctx->domain, res->buckets[bucketnum].mctx);
 	if (dns_rdataset_isassociated(&fctx->nameservers))
 		dns_rdataset_disassociate(&fctx->nameservers);
-	dns_name_free(&fctx->name, res->mctx);
+	dns_name_free(&fctx->name, res->buckets[bucketnum].mctx);
 	dns_db_detach(&fctx->cache);
 	dns_adb_detach(&fctx->adb);
-	isc_mem_free(res->mctx, fctx->info);
-	isc_mem_put(res->mctx, fctx, sizeof(*fctx));
+	isc_mem_free(res->buckets[bucketnum].mctx, fctx->info);
+	isc_mem_put(res->buckets[bucketnum].mctx, fctx, sizeof(*fctx));
 
 	LOCK(&res->nlock);
 	res->nfctx--;
@@ -2670,8 +2842,9 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
  */
 
 static inline isc_result_t
-fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_taskaction_t action,
-	  void *arg, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_sockaddr_t *client,
+	  dns_messageid_t id, isc_taskaction_t action, void *arg,
+	  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
 	  dns_fetch_t *fetch)
 {
 	isc_task_t *clone;
@@ -2687,8 +2860,7 @@ fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_taskaction_t action,
 	clone = NULL;
 	isc_task_attach(task, &clone);
 	event = (dns_fetchevent_t *)
-		isc_event_allocate(fctx->res->mctx, clone,
-				   DNS_EVENT_FETCHDONE,
+		isc_event_allocate(fctx->res->mctx, clone, DNS_EVENT_FETCHDONE,
 				   action, arg, sizeof(*event));
 	if (event == NULL) {
 		isc_task_detach(&clone);
@@ -2701,6 +2873,8 @@ fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_taskaction_t action,
 	event->rdataset = rdataset;
 	event->sigrdataset = sigrdataset;
 	event->fetch = fetch;
+	event->client = client;
+	event->id = id;
 	dns_fixedname_init(&event->foundname);
 
 	/*
@@ -2739,21 +2913,21 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	 */
 	REQUIRE(fctxp != NULL && *fctxp == NULL);
 
-	fctx = isc_mem_get(res->mctx, sizeof(*fctx));
+	fctx = isc_mem_get(res->buckets[bucketnum].mctx, sizeof(*fctx));
 	if (fctx == NULL)
 		return (ISC_R_NOMEMORY);
 	dns_name_format(name, buf, sizeof(buf));
 	dns_rdatatype_format(type, typebuf, sizeof(typebuf));
 	strcat(buf, "/");	/* checked */
 	strcat(buf, typebuf);	/* checked */
-	fctx->info = isc_mem_strdup(res->mctx, buf);
+	fctx->info = isc_mem_strdup(res->buckets[bucketnum].mctx, buf);
 	if (fctx->info == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto cleanup_fetch;
 	}
 	FCTXTRACE("create");
 	dns_name_init(&fctx->name, NULL);
-	result = dns_name_dup(name, res->mctx, &fctx->name);
+	result = dns_name_dup(name, res->buckets[bucketnum].mctx, &fctx->name);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_info;
 	dns_name_init(&fctx->domain, NULL);
@@ -2780,6 +2954,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	ISC_LIST_INIT(fctx->forwarders);
 	fctx->fwdpolicy = dns_fwdpolicy_none;
 	ISC_LIST_INIT(fctx->bad);
+	ISC_LIST_INIT(fctx->edns);
+	ISC_LIST_INIT(fctx->edns512);
 	ISC_LIST_INIT(fctx->validators);
 	fctx->find = NULL;
 	fctx->altfind = NULL;
@@ -2787,6 +2963,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	fctx->restarts = 0;
 	fctx->timeouts = 0;
 	fctx->attributes = 0;
+	fctx->spilled = ISC_FALSE;
 	fctx->nqueries = 0;
 
 	dns_name_init(&fctx->nsname, NULL);
@@ -2829,7 +3006,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 						      NULL);
 			if (result != ISC_R_SUCCESS)
 				goto cleanup_name;
-			result = dns_name_dup(domain, res->mctx, &fctx->domain);
+			result = dns_name_dup(domain,
+					      res->buckets[bucketnum].mctx,
+					      &fctx->domain);
 			if (result != ISC_R_SUCCESS) {
 				dns_rdataset_disassociate(&fctx->nameservers);
 				goto cleanup_name;
@@ -2838,12 +3017,16 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 			/*
 			 * We're in forward-only mode.  Set the query domain.
 			 */
-			result = dns_name_dup(domain, res->mctx, &fctx->domain);
+			result = dns_name_dup(domain,
+					      res->buckets[bucketnum].mctx,
+					      &fctx->domain);
 			if (result != ISC_R_SUCCESS)
 				goto cleanup_name;
 		}
 	} else {
-		result = dns_name_dup(domain, res->mctx, &fctx->domain);
+		result = dns_name_dup(domain,
+				      res->buckets[bucketnum].mctx,
+				      &fctx->domain);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup_name;
 		dns_rdataset_clone(nameservers, &fctx->nameservers);
@@ -2852,14 +3035,16 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain));
 
 	fctx->qmessage = NULL;
-	result = dns_message_create(res->mctx, DNS_MESSAGE_INTENTRENDER,
+	result = dns_message_create(res->buckets[bucketnum].mctx,
+				    DNS_MESSAGE_INTENTRENDER,
 				    &fctx->qmessage);
 
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_domain;
 
 	fctx->rmessage = NULL;
-	result = dns_message_create(res->mctx, DNS_MESSAGE_INTENTPARSE,
+	result = dns_message_create(res->buckets[bucketnum].mctx,
+				    DNS_MESSAGE_INTENTPARSE,
 				    &fctx->rmessage);
 
 	if (result != ISC_R_SUCCESS)
@@ -2932,18 +3117,18 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 
  cleanup_domain:
 	if (dns_name_countlabels(&fctx->domain) > 0)
-		dns_name_free(&fctx->domain, res->mctx);
+		dns_name_free(&fctx->domain, res->buckets[bucketnum].mctx);
 	if (dns_rdataset_isassociated(&fctx->nameservers))
 		dns_rdataset_disassociate(&fctx->nameservers);
 
  cleanup_name:
-	dns_name_free(&fctx->name, res->mctx);
+	dns_name_free(&fctx->name, res->buckets[bucketnum].mctx);
 
  cleanup_info:
-	isc_mem_free(res->mctx, fctx->info);
+	isc_mem_free(res->buckets[bucketnum].mctx, fctx->info);
 
  cleanup_fetch:
-	isc_mem_put(res->mctx, fctx, sizeof(*fctx));
+	isc_mem_put(res->buckets[bucketnum].mctx, fctx, sizeof(*fctx));
 
 	return (result);
 }
@@ -3180,7 +3365,8 @@ validated(isc_task_t *task, isc_event_t *event) {
 	 * destroy the fctx if necessary.
 	 */
 	dns_validator_destroy(&vevent->validator);
-	isc_mem_put(fctx->res->mctx, valarg, sizeof(*valarg));
+	isc_mem_put(fctx->res->buckets[fctx->bucketnum].mctx,
+		    valarg, sizeof(*valarg));
 
 	negative = ISC_TF(vevent->rdataset == NULL);
 
@@ -3290,7 +3476,8 @@ validated(isc_task_t *task, isc_event_t *event) {
 		 */
 		ttl = fctx->res->view->maxncachettl;
 		if (fctx->type == dns_rdatatype_soa &&
-		    covers == dns_rdatatype_any)
+		    covers == dns_rdatatype_any &&
+		    fctx->res->zero_no_soa_ttl)
 			ttl = 0;
 
 		result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
@@ -3471,14 +3658,16 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 	/*
 	 * Is DNSSEC validation required for this name?
 	 */
-	result = dns_keytable_issecuredomain(res->view->secroots, name,
-					     &secure_domain);
-	if (result != ISC_R_SUCCESS)
-		return (result);
+	if (res->view->enablevalidation) {
+		result = dns_keytable_issecuredomain(res->view->secroots, name,
+						     &secure_domain);
+		if (result != ISC_R_SUCCESS)
+			return (result);
 
-	if (!secure_domain && res->view->dlv != NULL) {
-		valoptions = DNS_VALIDATOR_DLV;
-		secure_domain = ISC_TRUE;
+		if (!secure_domain && res->view->dlv != NULL) {
+			valoptions = DNS_VALIDATOR_DLV;
+			secure_domain = ISC_TRUE;
+		}
 	}
 
 	if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
@@ -3899,14 +4088,16 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	/*
 	 * Is DNSSEC validation required for this name?
 	 */
-	result = dns_keytable_issecuredomain(res->view->secroots, name,
-					     &secure_domain);
-	if (result != ISC_R_SUCCESS)
-		return (result);
+	if (fctx->res->view->enablevalidation) {
+		result = dns_keytable_issecuredomain(res->view->secroots, name,
+						     &secure_domain);
+		if (result != ISC_R_SUCCESS)
+			return (result);
 
-	if (!secure_domain && res->view->dlv != NULL) {
-		valoptions = DNS_VALIDATOR_DLV;
-		secure_domain = ISC_TRUE;
+		if (!secure_domain && res->view->dlv != NULL) {
+			valoptions = DNS_VALIDATOR_DLV;
+			secure_domain = ISC_TRUE;
+		}
 	}
 
 	if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
@@ -4211,7 +4402,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 	dns_message_t *message;
 	dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name;
 	dns_rdataset_t *rdataset, *ns_rdataset;
-	isc_boolean_t done, aa, negative_response;
+	isc_boolean_t aa, negative_response;
 	dns_rdatatype_t type;
 	dns_section_t section =
 		bind8_ns_resp ? DNS_SECTION_ANSWER : DNS_SECTION_AUTHORITY;
@@ -4270,13 +4461,12 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 	/*
 	 * Process the authority section.
 	 */
-	done = ISC_FALSE;
 	ns_name = NULL;
 	ns_rdataset = NULL;
 	soa_name = NULL;
 	ds_name = NULL;
 	result = dns_message_firstname(message, section);
-	while (!done && result == ISC_R_SUCCESS) {
+	while (result == ISC_R_SUCCESS) {
 		name = NULL;
 		dns_message_currentname(message, section, &name);
 		if (dns_name_issubdomain(name, &fctx->domain)) {
@@ -4338,15 +4528,29 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 							dns_trust_additional;
 				}
 			}
-			/*
-			 * A negative response has a SOA record (Type 2) 
-			 * and a optional NS RRset (Type 1) or it has neither
-			 * a SOA or a NS RRset (Type 3, handled above) or
-			 * rcode is NXDOMAIN (handled above) in which case
-			 * the NS RRset is allowed (Type 4).
-			 */
-			if (soa_name != NULL)
-				negative_response = ISC_TRUE;
+		}
+		result = dns_message_nextname(message, section);
+		if (result == ISC_R_NOMORE)
+			break;
+		else if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	/*
+	 * A negative response has a SOA record (Type 2) 
+	 * and a optional NS RRset (Type 1) or it has neither
+	 * a SOA or a NS RRset (Type 3, handled above) or
+	 * rcode is NXDOMAIN (handled above) in which case
+	 * the NS RRset is allowed (Type 4).
+	 */
+	if (soa_name != NULL)
+		negative_response = ISC_TRUE;
+
+	result = dns_message_firstname(message, section);
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(message, section, &name);
+		if (dns_name_issubdomain(name, &fctx->domain)) {
 			for (rdataset = ISC_LIST_HEAD(name->list);
 			     rdataset != NULL;
 			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
@@ -4501,11 +4705,14 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 		 *	   if so we should bail out.
 		 */
 		INSIST(dns_name_countlabels(&fctx->domain) > 0);
-		dns_name_free(&fctx->domain, fctx->res->mctx);
+		dns_name_free(&fctx->domain,
+			      fctx->res->buckets[fctx->bucketnum].mctx);
 		if (dns_rdataset_isassociated(&fctx->nameservers))
 			dns_rdataset_disassociate(&fctx->nameservers);
 		dns_name_init(&fctx->domain, NULL);
-		result = dns_name_dup(ns_name, fctx->res->mctx, &fctx->domain);
+		result = dns_name_dup(ns_name,
+				      fctx->res->buckets[fctx->bucketnum].mctx,
+				      &fctx->domain);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 		fctx->attributes |= FCTX_ATTR_WANTCACHE;
@@ -4960,9 +5167,11 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 		if (dns_rdataset_isassociated(&fctx->nameservers))
 			dns_rdataset_disassociate(&fctx->nameservers);
 		dns_rdataset_clone(fevent->rdataset, &fctx->nameservers);
-		dns_name_free(&fctx->domain, fctx->res->mctx);
+		dns_name_free(&fctx->domain,
+			      fctx->res->buckets[bucketnum].mctx);
 		dns_name_init(&fctx->domain, NULL);
-		result = dns_name_dup(&fctx->nsname, fctx->res->mctx,
+		result = dns_name_dup(&fctx->nsname,
+				      fctx->res->buckets[bucketnum].mctx,
 				      &fctx->domain);
 		if (result != ISC_R_SUCCESS) {
 			fctx_done(fctx, DNS_R_SERVFAIL);
@@ -5386,6 +5595,28 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			 * for this fetch.
 			 */
 			result = DNS_R_YXDOMAIN;
+		} else if (message->rcode == dns_rcode_badvers) {
+			dns_rdataset_t *opt;
+			unsigned int flags, mask;
+			unsigned int version;
+
+			resend = ISC_TRUE;
+			opt = dns_message_getopt(message);
+			version = (opt->ttl >> 16) & 0xff;
+			flags = (version << DNS_FETCHOPT_EDNSVERSIONSHIFT) |
+				DNS_FETCHOPT_EDNSVERSIONSET;
+			mask = DNS_FETCHOPT_EDNSVERSIONMASK |
+			       DNS_FETCHOPT_EDNSVERSIONSET;
+			switch (version) {
+			case 0:
+				dns_adb_changeflags(fctx->adb, query->addrinfo,
+						    flags, mask);
+				break;
+			default:
+				broken_server = DNS_R_BADVERS;
+				keep_trying = ISC_TRUE;
+				break;
+			}
 		} else {
 			/*
 			 * XXXRTH log.
@@ -5415,7 +5646,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	    is_lame(fctx)) {
 		log_lame(fctx, query->addrinfo);
 		result = dns_adb_marklame(fctx->adb, query->addrinfo,
-					  &fctx->domain,
+					  &fctx->name, fctx->type,
 					  now + fctx->res->lame_ttl);
 		if (result != ISC_R_SUCCESS)
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
@@ -5637,9 +5868,11 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 				fctx_done(fctx, DNS_R_SERVFAIL);
 				return;
 			}
-			dns_name_free(&fctx->domain, fctx->res->mctx);
+			dns_name_free(&fctx->domain,
+				      fctx->res->buckets[fctx->bucketnum].mctx);
 			dns_name_init(&fctx->domain, NULL);
-			result = dns_name_dup(fname, fctx->res->mctx,
+			result = dns_name_dup(fname,
+					      fctx->res->buckets[fctx->bucketnum].mctx,
 					      &fctx->domain);
 			if (result != ISC_R_SUCCESS) {
 				fctx_done(fctx, DNS_R_SERVFAIL);
@@ -5737,6 +5970,7 @@ destroy(dns_resolver_t *res) {
 		isc_task_shutdown(res->buckets[i].task);
 		isc_task_detach(&res->buckets[i].task);
 		DESTROYLOCK(&res->buckets[i].lock);
+		isc_mem_detach(&res->buckets[i].mctx);
 	}
 	isc_mem_put(res->mctx, res->buckets,
 		    res->nbuckets * sizeof(fctxbucket_t));
@@ -5758,6 +5992,7 @@ destroy(dns_resolver_t *res) {
 #if USE_MBSLOCK
 	isc_rwlock_destroy(&res->mbslock);
 #endif
+	isc_timer_detach(&res->spillattimer);
 	res->magic = 0;
 	isc_mem_put(res->mctx, res, sizeof(*res));
 }
@@ -5796,11 +6031,44 @@ empty_bucket(dns_resolver_t *res) {
 	UNLOCK(&res->lock);
 }
 
+static void
+spillattimer_countdown(isc_task_t *task, isc_event_t *event) {
+	dns_resolver_t *res = event->ev_arg;
+	isc_result_t result;
+	unsigned int count;
+	isc_boolean_t logit = ISC_FALSE;
+
+	REQUIRE(VALID_RESOLVER(res));
+
+	UNUSED(task);
+	
+	LOCK(&res->lock);
+	INSIST(!res->exiting);
+	if (res->spillat > res->spillatmin) {
+		res->spillat--;
+		logit = ISC_TRUE;
+	}
+	if (res->spillat <= res->spillatmin) {
+		result = isc_timer_reset(res->spillattimer,
+					 isc_timertype_inactive, NULL,
+					 NULL, ISC_TRUE);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+	count = res->spillat;
+	UNLOCK(&res->lock);
+	if (logit)
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+			      "clients-per-query decreased to %u", count);
+
+	isc_event_free(&event);
+}
+
 isc_result_t
 dns_resolver_create(dns_view_t *view,
 		    isc_taskmgr_t *taskmgr, unsigned int ntasks,
 		    isc_socketmgr_t *socketmgr,
-		    isc_timermgr_t *timermgr,
+		    isc_timermgr_t *timermgr, 
 		    unsigned int options,
 		    dns_dispatchmgr_t *dispatchmgr,
 		    dns_dispatch_t *dispatchv4,
@@ -5810,6 +6078,7 @@ dns_resolver_create(dns_view_t *view,
 	dns_resolver_t *res;
 	isc_result_t result = ISC_R_SUCCESS;
 	unsigned int i, buckets_created = 0;
+	isc_task_t *task = NULL;
 	char name[16];
 
 	/*
@@ -5839,6 +6108,10 @@ dns_resolver_create(dns_view_t *view,
 	res->udpsize = RECV_BUFFER_SIZE;
 	res->algorithms = NULL;
 	res->mustbesecure = NULL;
+	res->spillatmin = res->spillat = 10;
+	res->spillatmax = 100;
+	res->spillattimer = NULL;
+	res->zero_no_soa_ttl = ISC_FALSE;
 
 	res->nbuckets = ntasks;
 	res->activebuckets = ntasks;
@@ -5858,6 +6131,13 @@ dns_resolver_create(dns_view_t *view,
 			DESTROYLOCK(&res->buckets[i].lock);
 			goto cleanup_buckets;
 		}
+		res->buckets[i].mctx = NULL;
+		result = isc_mem_create(0, 0, &res->buckets[i].mctx);
+		if (result != ISC_R_SUCCESS) {
+			isc_task_detach(&res->buckets[i].task);
+			DESTROYLOCK(&res->buckets[i].lock);
+			goto cleanup_buckets;
+		}
 		snprintf(name, sizeof(name), "res%u", i);
 		isc_task_setname(res->buckets[i].task, name, res);
 		ISC_LIST_INIT(res->buckets[i].fctxs);
@@ -5892,10 +6172,22 @@ dns_resolver_create(dns_view_t *view,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_nlock;
 
+	task = NULL;
+	result = isc_task_create(taskmgr, 0, &task);
+	if (result != ISC_R_SUCCESS)
+		 goto cleanup_primelock;
+
+	result = isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
+				  task, spillattimer_countdown, res,
+				  &res->spillattimer);
+	isc_task_detach(&task);
+	if (result != ISC_R_SUCCESS)
+		 goto cleanup_primelock;
+
 #if USE_ALGLOCK
 	result = isc_rwlock_init(&res->alglock, 0, 0);
 	if (result != ISC_R_SUCCESS)
-		goto cleanup_primelock;
+		goto cleanup_spillattimer;
 #endif
 #if USE_MBSLOCK
 	result = isc_rwlock_init(&res->mbslock, 0, 0);
@@ -5916,9 +6208,12 @@ dns_resolver_create(dns_view_t *view,
 #endif
 #endif
 #if USE_ALGLOCK || USE_MBSLOCK
+ cleanup_spillattimer:
+	isc_timer_detach(&res->spillattimer);
+#endif
+
  cleanup_primelock:
 	DESTROYLOCK(&res->primelock);
-#endif
 
  cleanup_nlock:
 	DESTROYLOCK(&res->nlock);
@@ -5934,6 +6229,7 @@ dns_resolver_create(dns_view_t *view,
 
  cleanup_buckets:
 	for (i = 0; i < buckets_created; i++) {
+		isc_mem_detach(&res->buckets[i].mctx);
 		DESTROYLOCK(&res->buckets[i].lock);
 		isc_task_shutdown(res->buckets[i].task);
 		isc_task_detach(&res->buckets[i].task);
@@ -5952,6 +6248,7 @@ prime_done(isc_task_t *task, isc_event_t *event) {
 	dns_resolver_t *res;
 	dns_fetchevent_t *fevent;
 	dns_fetch_t *fetch;
+	dns_db_t *db = NULL;
 
 	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
 	fevent = (dns_fetchevent_t *)event;
@@ -5970,6 +6267,13 @@ prime_done(isc_task_t *task, isc_event_t *event) {
 	UNLOCK(&res->primelock);
 
 	UNLOCK(&res->lock);
+	
+	if (fevent->result == ISC_R_SUCCESS &&
+	    res->view->cache != NULL && res->view->hints != NULL) {
+		dns_cache_attachdb(res->view->cache, &db);
+		dns_root_checkhints(res->view, res->view->hints, db);
+		dns_db_detach(&db);
+	}
 
 	if (fevent->node != NULL)
 		dns_db_detachnode(fevent->db, &fevent->node);
@@ -6111,6 +6415,7 @@ dns_resolver_shutdown(dns_resolver_t *res) {
 	unsigned int i;
 	fetchctx_t *fctx;
 	isc_socket_t *sock;
+	isc_result_t result;
 
 	REQUIRE(VALID_RESOLVER(res));
 
@@ -6147,6 +6452,10 @@ dns_resolver_shutdown(dns_resolver_t *res) {
 		}
 		if (res->activebuckets == 0)
 			send_shutdown_events(res);
+		result = isc_timer_reset(res->spillattimer,
+					 isc_timertype_inactive, NULL,
+					 NULL, ISC_TRUE);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	}
 
 	UNLOCK(&res->lock);
@@ -6217,12 +6526,32 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
 			 dns_rdataset_t *sigrdataset,
 			 dns_fetch_t **fetchp)
 {
+	return (dns_resolver_createfetch2(res, name, type, domain,
+					  nameservers, forwarders, NULL, 0,
+					  options, task, action, arg,
+					  rdataset, sigrdataset, fetchp));
+}
+
+isc_result_t
+dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
+			  dns_rdatatype_t type,
+			  dns_name_t *domain, dns_rdataset_t *nameservers,
+			  dns_forwarders_t *forwarders,
+			  isc_sockaddr_t *client, dns_messageid_t id,
+			  unsigned int options, isc_task_t *task,
+			  isc_taskaction_t action, void *arg,
+			  dns_rdataset_t *rdataset,
+			  dns_rdataset_t *sigrdataset,
+			  dns_fetch_t **fetchp)
+{
 	dns_fetch_t *fetch;
 	fetchctx_t *fctx = NULL;
-	isc_result_t result;
+	isc_result_t result = ISC_R_SUCCESS;
 	unsigned int bucketnum;
 	isc_boolean_t new_fctx = ISC_FALSE;
 	isc_event_t *event;
+	unsigned int count = 0;
+	unsigned int spillat;
 
 	UNUSED(forwarders);
 
@@ -6249,8 +6578,11 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
 	if (fetch == NULL)
 		return (ISC_R_NOMEMORY);
 
-	bucketnum = dns_name_hash(name, ISC_FALSE) % res->nbuckets;
+	bucketnum = dns_name_fullhash(name, ISC_FALSE) % res->nbuckets;
 
+	LOCK(&res->lock);
+	spillat = res->spillat;
+	UNLOCK(&res->lock);
 	LOCK(&res->buckets[bucketnum].lock);
 
 	if (res->buckets[bucketnum].exiting) {
@@ -6266,6 +6598,31 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
 				break;
 		}
 	}
+	
+	/*
+	 * Is this a duplicate?
+	 */
+	if (fctx != NULL && client != NULL) {
+		dns_fetchevent_t *fevent;
+		for (fevent = ISC_LIST_HEAD(fctx->events);
+		     fevent != NULL;
+		     fevent = ISC_LIST_NEXT(fevent, ev_link)) {
+			if (fevent->client != NULL && fevent->id == id &&
+			    isc_sockaddr_equal(fevent->client, client)) {
+				result = DNS_R_DUPLICATE;
+				goto unlock;
+			}
+			count++;
+		}
+	}
+	if (count >= res->spillatmin && res->spillatmin != 0) {
+		if (count >= spillat)
+			fctx->spilled = ISC_TRUE;
+		if (fctx->spilled) {
+			result = DNS_R_DROP;
+			goto unlock;
+		}
+	}
 
 	/*
 	 * If we didn't have a fetch, would attach to a done fetch, this
@@ -6285,7 +6642,7 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
 		new_fctx = ISC_TRUE;
 	}
 
-	result = fctx_join(fctx, task, action, arg,
+	result = fctx_join(fctx, task, client, id, action, arg,
 			   rdataset, sigrdataset, fetch);
 	if (new_fctx) {
 		if (result == ISC_R_SUCCESS) {
@@ -6641,6 +6998,13 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
 	return (dst_algorithm_supported(alg));
 }
 
+isc_boolean_t
+dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest) {
+
+	UNUSED(resolver);
+	return (dns_ds_digest_supported(digest));
+}
+
 void
 dns_resolver_resetmustbesecure(dns_resolver_t *resolver) {
 
@@ -6706,3 +7070,45 @@ dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name) {
 #endif
 	return (value);
 }
+
+void
+dns_resolver_getclientsperquery(dns_resolver_t *resolver, isc_uint32_t *cur,
+				isc_uint32_t *min, isc_uint32_t *max)
+{
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	LOCK(&resolver->lock);
+	if (cur != NULL)
+		*cur = resolver->spillat;
+	if (min != NULL)
+		*min = resolver->spillatmin;
+	if (max != NULL)
+		*max = resolver->spillatmax;
+	UNLOCK(&resolver->lock);
+}
+
+void
+dns_resolver_setclientsperquery(dns_resolver_t *resolver, isc_uint32_t min,
+				isc_uint32_t max)
+{
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	LOCK(&resolver->lock);
+	resolver->spillatmin = resolver->spillat = min;
+	resolver->spillatmax = max;
+	UNLOCK(&resolver->lock);
+}
+
+isc_boolean_t
+dns_resolver_getzeronosoattl(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	return (resolver->zero_no_soa_ttl);
+}
+
+void
+dns_resolver_setzeronosoattl(dns_resolver_t *resolver, isc_boolean_t state) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	resolver->zero_no_soa_ttl = state;
+}
diff --git a/contrib/bind9/lib/dns/result.c b/contrib/bind9/lib/dns/result.c
index eb8308a..fdb58e0 100644
--- a/contrib/bind9/lib/dns/result.c
+++ b/contrib/bind9/lib/dns/result.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.90.2.9.2.13 2004/05/14 05:06:39 marka Exp $ */
+/* $Id: result.c,v 1.115.10.7 2005/06/17 02:04:31 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -26,155 +28,157 @@
 #include <dns/lib.h>
 
 static const char *text[DNS_R_NRESULTS] = {
-	"label too long",		       /*  0 DNS_R_LABELTOOLONG	     */
-	"bad escape",			       /*  1 DNS_R_BADESCAPE	     */
-	/*
+	"label too long",		       /*%< 0 DNS_R_LABELTOOLONG */
+	"bad escape",			       /*%< 1 DNS_R_BADESCAPE */
+	/*!
 	 * Note that DNS_R_BADBITSTRING and DNS_R_BITSTRINGTOOLONG are
 	 * deprecated.
 	 */
-	"bad bitstring",		       /*  2 DNS_R_BADBITSTRING	     */
-	"bitstring too long",		       /*  3 DNS_R_BITSTRINGTOOLONG  */
-	"empty label",			       /*  4 DNS_R_EMPTYLABEL	     */
-
-	"bad dotted quad",		       /*  5 DNS_R_BADDOTTEDQUAD     */
-	"invalid NS owner name (wildcard)",    /*  6 DNS_R_INVALIDNS	     */
-	"unknown class/type",		       /*  7 DNS_R_UNKNOWN	     */
-	"bad label type",		       /*  8 DNS_R_BADLABELTYPE	     */
-	"bad compression pointer",	       /*  9 DNS_R_BADPOINTER	     */
-
-	"too many hops",		       /* 10 DNS_R_TOOMANYHOPS	     */
-	"disallowed (by application policy)",  /* 11 DNS_R_DISALLOWED	     */
-	"extra input text",		       /* 12 DNS_R_EXTRATOKEN	     */
-	"extra input data",		       /* 13 DNS_R_EXTRADATA	     */
-	"text too long",		       /* 14 DNS_R_TEXTTOOLONG	     */
-
-	"not at top of zone",		       /* 15 DNS_R_NOTZONETOP	     */
-	"syntax error",			       /* 16 DNS_R_SYNTAX	     */
-	"bad checksum",			       /* 17 DNS_R_BADCKSUM	     */
-	"bad IPv6 address",		       /* 18 DNS_R_BADAAAA	     */
-	"no owner",			       /* 19 DNS_R_NOOWNER	     */
-
-	"no ttl",			       /* 20 DNS_R_NOTTL	     */
-	"bad class",			       /* 21 DNS_R_BADCLASS	     */
-	"name too long",		       /* 22 DNS_R_NAMETOOLONG	     */
-	"partial match",		       /* 23 DNS_R_PARTIALMATCH	     */
-	"new origin",			       /* 24 DNS_R_NEWORIGIN	     */
-
-	"unchanged",			       /* 25 DNS_R_UNCHANGED	     */
-	"bad ttl",			       /* 26 DNS_R_BADTTL	     */
-	"more data needed/to be rendered",     /* 27 DNS_R_NOREDATA	     */
-	"continue",			       /* 28 DNS_R_CONTINUE	     */
-	"delegation",			       /* 29 DNS_R_DELEGATION	     */
-
-	"glue",				       /* 30 DNS_R_GLUE		     */
-	"dname",			       /* 31 DNS_R_DNAME	     */
-	"cname",			       /* 32 DNS_R_CNAME	     */
-	"bad database",			       /* 33 DNS_R_BADDB	     */
-	"zonecut",			       /* 34 DNS_R_ZONECUT	     */
-
-	"bad zone",			       /* 35 DNS_R_BADZONE	     */
-	"more data",			       /* 36 DNS_R_MOREDATA	     */
-	"up to date",			       /* 37 DNS_R_UPTODATE	     */
-	"tsig verify failure",		       /* 38 DNS_R_TSIGVERIFYFAILURE */
-	"tsig indicates error",		       /* 39 DNS_R_TSIGERRORSET	     */
-
-	"RRSIG failed to verify",	       /* 40 DNS_R_SIGINVALID	     */
-	"RRSIG has expired",		       /* 41 DNS_R_SIGEXPIRED	     */
-	"RRSIG validity period has not begun", /* 42 DNS_R_SIGFUTURE	     */
-	"key is unauthorized to sign data",    /* 43 DNS_R_KEYUNAUTHORIZED   */
-	"invalid time",			       /* 44 DNS_R_INVALIDTIME	     */
-
-	"expected a TSIG or SIG(0)",	       /* 45 DNS_R_EXPECTEDTSIG	     */
-	"did not expect a TSIG or SIG(0)",     /* 46 DNS_R_UNEXPECTEDTSIG    */
-	"TKEY is unacceptable",		       /* 47 DNS_R_INVALIDTKEY	     */
-	"hint",				       /* 48 DNS_R_HINT		     */
-	"drop",				       /* 49 DNS_R_DROP		     */
-
-	"zone not loaded",		       /* 50 DNS_R_NOTLOADED	     */
-	"ncache nxdomain",		       /* 51 DNS_R_NCACHENXDOMAIN    */
-	"ncache nxrrset",		       /* 52 DNS_R_NCACHENXRRSET     */
-	"wait",				       /* 53 DNS_R_WAIT		     */
-	"not verified yet",		       /* 54 DNS_R_NOTVERIFIEDYET    */
-
-	"no identity",			       /* 55 DNS_R_NOIDENTITY	     */
-	"no journal",			       /* 56 DNS_R_NOJOURNAL	     */
-	"alias",			       /* 57 DNS_R_ALIAS	     */
-	"use TCP",			       /* 58 DNS_R_USETCP	     */
-	"no valid RRSIG",		       /* 59 DNS_R_NOVALIDSIG	     */
-
-	"no valid NSEC",		       /* 60 DNS_R_NOVALIDNSEC	     */
-	"not insecure",			       /* 61 DNS_R_NOTINSECURE	     */
-	"unknown service",		       /* 62 DNS_R_UNKNOWNSERVICE    */
-	"recoverable error occurred",	       /* 63 DNS_R_RECOVERABLE       */
-	"unknown opt attribute record",	       /* 64 DNS_R_UNKNOWNOPT	     */
-
-	"unexpected message id",	       /* 65 DNS_R_UNEXPECTEDID      */
-	"seen include file",		       /* 66 DNS_R_SEENINCLUDE       */
-	"not exact",		       	       /* 67 DNS_R_NOTEXACT	     */
-	"address blackholed",	       	       /* 68 DNS_R_BLACKHOLED	     */
-	"bad algorithm",		       /* 69 DNS_R_BADALG	     */
-
-	"invalid use of a meta type",	       /* 70 DNS_R_METATYPE	     */
-	"CNAME and other data",		       /* 71 DNS_R_CNAMEANDOTHER     */
-	"multiple RRs of singleton type",      /* 72 DNS_R_SINGLETON	     */
-	"hint nxrrset",			       /* 73 DNS_R_HINTNXRRSET	     */
-	"no master file configured",	       /* 74 DNS_R_NOMASTERFILE	     */
-
-	"unknown protocol",		       /* 75 DNS_R_UNKNOWNPROTO	     */
-	"clocks are unsynchronized",	       /* 76 DNS_R_CLOCKSKEW	     */
-	"IXFR failed",			       /* 77 DNS_R_BADIXFR	     */
-	"not authoritative",		       /* 78 DNS_R_NOTAUTHORITATIVE  */
-	"no valid KEY",		       	       /* 79 DNS_R_NOVALIDKEY	     */
-
-	"obsolete",			       /* 80 DNS_R_OBSOLETE	     */
-	"already frozen",		       /* 81 DNS_R_FROZEN	     */
-	"unknown flag",			       /* 82 DNS_R_UNKNOWNFLAG	     */
-	"expected a response",		       /* 83 DNS_R_EXPECTEDRESPONSE  */
-	"no valid DS",			       /* 84 DNS_R_NOVALIDDS	     */
-
-	"NS is an address",		       /* 85 DNS_R_NSISADDRESS	     */
-	"received FORMERR",		       /* 86 DNS_R_REMOTEFORMERR     */
-	"truncated TCP response",	       /* 87 DNS_R_TRUNCATEDTCP	     */
-	"lame server detected",		       /* 88 DNS_R_LAME		     */
-	"unexpected RCODE",		       /* 89 DNS_R_UNEXPECTEDRCODE   */
-
-	"unexpected OPCODE",		       /* 90 DNS_R_UNEXPECTEDOPCODE  */
-	"chase DS servers",		       /* 91 DNS_R_CHASEDSSERVERS    */
-	"empty name",			       /* 92 DNS_R_EMPTYNAME	     */
-	"empty wild",			       /* 93 DNS_R_EMPTYWILD	     */
-	"bad bitmap",			       /* 94 DNS_R_BADBITMAP	     */
-
-	"from wildcard",		       /* 95 DNS_R_FROMWILDCARD	     */
-	"bad owner name (check-names)",	       /* 96 DNS_R_BADOWNERNAME	     */
-	"bad name (check-names)",	       /* 97 DNS_R_BADNAME	     */
-	"dynamic zone",			       /* 98 DNS_R_DYNAMIC	     */
-	"unknown command",		       /* 99 DNS_R_UNKNOWNCOMMAND    */
-
-	"must-be-secure",		       /* 100 DNS_R_MUSTBESECURE     */
-	"covering NSEC record returned"	       /* 101 DNS_R_COVERINGNSEC     */
+	"bad bitstring",		       /*%< 2 DNS_R_BADBITSTRING */
+	"bitstring too long",		       /*%< 3 DNS_R_BITSTRINGTOOLONG */
+	"empty label",			       /*%< 4 DNS_R_EMPTYLABEL */
+
+	"bad dotted quad",		       /*%< 5 DNS_R_BADDOTTEDQUAD */
+	"invalid NS owner name (wildcard)",    /*%< 6 DNS_R_INVALIDNS */
+	"unknown class/type",		       /*%< 7 DNS_R_UNKNOWN */
+	"bad label type",		       /*%< 8 DNS_R_BADLABELTYPE */
+	"bad compression pointer",	       /*%< 9 DNS_R_BADPOINTER */
+
+	"too many hops",		       /*%< 10 DNS_R_TOOMANYHOPS */
+	"disallowed (by application policy)",  /*%< 11 DNS_R_DISALLOWED */
+	"extra input text",		       /*%< 12 DNS_R_EXTRATOKEN */
+	"extra input data",		       /*%< 13 DNS_R_EXTRADATA */
+	"text too long",		       /*%< 14 DNS_R_TEXTTOOLONG */
+
+	"not at top of zone",		       /*%< 15 DNS_R_NOTZONETOP */
+	"syntax error",			       /*%< 16 DNS_R_SYNTAX */
+	"bad checksum",			       /*%< 17 DNS_R_BADCKSUM */
+	"bad IPv6 address",		       /*%< 18 DNS_R_BADAAAA */
+	"no owner",			       /*%< 19 DNS_R_NOOWNER */
+
+	"no ttl",			       /*%< 20 DNS_R_NOTTL */
+	"bad class",			       /*%< 21 DNS_R_BADCLASS */
+	"name too long",		       /*%< 22 DNS_R_NAMETOOLONG */
+	"partial match",		       /*%< 23 DNS_R_PARTIALMATCH */
+	"new origin",			       /*%< 24 DNS_R_NEWORIGIN */
+
+	"unchanged",			       /*%< 25 DNS_R_UNCHANGED */
+	"bad ttl",			       /*%< 26 DNS_R_BADTTL */
+	"more data needed/to be rendered",     /*%< 27 DNS_R_NOREDATA */
+	"continue",			       /*%< 28 DNS_R_CONTINUE */
+	"delegation",			       /*%< 29 DNS_R_DELEGATION */
+
+	"glue",				       /*%< 30 DNS_R_GLUE */
+	"dname",			       /*%< 31 DNS_R_DNAME */
+	"cname",			       /*%< 32 DNS_R_CNAME */
+	"bad database",			       /*%< 33 DNS_R_BADDB */
+	"zonecut",			       /*%< 34 DNS_R_ZONECUT */
+
+	"bad zone",			       /*%< 35 DNS_R_BADZONE */
+	"more data",			       /*%< 36 DNS_R_MOREDATA */
+	"up to date",			       /*%< 37 DNS_R_UPTODATE */
+	"tsig verify failure",		       /*%< 38 DNS_R_TSIGVERIFYFAILURE */
+	"tsig indicates error",		       /*%< 39 DNS_R_TSIGERRORSET */
+
+	"RRSIG failed to verify",	       /*%< 40 DNS_R_SIGINVALID */
+	"RRSIG has expired",		       /*%< 41 DNS_R_SIGEXPIRED */
+	"RRSIG validity period has not begun", /*%< 42 DNS_R_SIGFUTURE */
+	"key is unauthorized to sign data",    /*%< 43 DNS_R_KEYUNAUTHORIZED */
+	"invalid time",			       /*%< 44 DNS_R_INVALIDTIME */
+
+	"expected a TSIG or SIG(0)",	       /*%< 45 DNS_R_EXPECTEDTSIG */
+	"did not expect a TSIG or SIG(0)",     /*%< 46 DNS_R_UNEXPECTEDTSIG */
+	"TKEY is unacceptable",		       /*%< 47 DNS_R_INVALIDTKEY */
+	"hint",				       /*%< 48 DNS_R_HINT */
+	"drop",				       /*%< 49 DNS_R_DROP */
+
+	"zone not loaded",		       /*%< 50 DNS_R_NOTLOADED */
+	"ncache nxdomain",		       /*%< 51 DNS_R_NCACHENXDOMAIN */
+	"ncache nxrrset",		       /*%< 52 DNS_R_NCACHENXRRSET */
+	"wait",				       /*%< 53 DNS_R_WAIT */
+	"not verified yet",		       /*%< 54 DNS_R_NOTVERIFIEDYET */
+
+	"no identity",			       /*%< 55 DNS_R_NOIDENTITY */
+	"no journal",			       /*%< 56 DNS_R_NOJOURNAL */
+	"alias",			       /*%< 57 DNS_R_ALIAS */
+	"use TCP",			       /*%< 58 DNS_R_USETCP */
+	"no valid RRSIG",		       /*%< 59 DNS_R_NOVALIDSIG */
+
+	"no valid NSEC",		       /*%< 60 DNS_R_NOVALIDNSEC */
+	"not insecure",			       /*%< 61 DNS_R_NOTINSECURE */
+	"unknown service",		       /*%< 62 DNS_R_UNKNOWNSERVICE */
+	"recoverable error occurred",	       /*%< 63 DNS_R_RECOVERABLE */
+	"unknown opt attribute record",	       /*%< 64 DNS_R_UNKNOWNOPT */
+
+	"unexpected message id",	       /*%< 65 DNS_R_UNEXPECTEDID */
+	"seen include file",		       /*%< 66 DNS_R_SEENINCLUDE */
+	"not exact",		       	       /*%< 67 DNS_R_NOTEXACT */
+	"address blackholed",	       	       /*%< 68 DNS_R_BLACKHOLED */
+	"bad algorithm",		       /*%< 69 DNS_R_BADALG */
+
+	"invalid use of a meta type",	       /*%< 70 DNS_R_METATYPE */
+	"CNAME and other data",		       /*%< 71 DNS_R_CNAMEANDOTHER */
+	"multiple RRs of singleton type",      /*%< 72 DNS_R_SINGLETON */
+	"hint nxrrset",			       /*%< 73 DNS_R_HINTNXRRSET */
+	"no master file configured",	       /*%< 74 DNS_R_NOMASTERFILE */
+
+	"unknown protocol",		       /*%< 75 DNS_R_UNKNOWNPROTO */
+	"clocks are unsynchronized",	       /*%< 76 DNS_R_CLOCKSKEW */
+	"IXFR failed",			       /*%< 77 DNS_R_BADIXFR */
+	"not authoritative",		       /*%< 78 DNS_R_NOTAUTHORITATIVE */
+	"no valid KEY",		       	       /*%< 79 DNS_R_NOVALIDKEY */
+
+	"obsolete",			       /*%< 80 DNS_R_OBSOLETE */
+	"already frozen",		       /*%< 81 DNS_R_FROZEN */
+	"unknown flag",			       /*%< 82 DNS_R_UNKNOWNFLAG */
+	"expected a response",		       /*%< 83 DNS_R_EXPECTEDRESPONSE */
+	"no valid DS",			       /*%< 84 DNS_R_NOVALIDDS */
+
+	"NS is an address",		       /*%< 85 DNS_R_NSISADDRESS */
+	"received FORMERR",		       /*%< 86 DNS_R_REMOTEFORMERR */
+	"truncated TCP response",	       /*%< 87 DNS_R_TRUNCATEDTCP */
+	"lame server detected",		       /*%< 88 DNS_R_LAME */
+	"unexpected RCODE",		       /*%< 89 DNS_R_UNEXPECTEDRCODE */
+
+	"unexpected OPCODE",		       /*%< 90 DNS_R_UNEXPECTEDOPCODE */
+	"chase DS servers",		       /*%< 91 DNS_R_CHASEDSSERVERS */
+	"empty name",			       /*%< 92 DNS_R_EMPTYNAME */
+	"empty wild",			       /*%< 93 DNS_R_EMPTYWILD */
+	"bad bitmap",			       /*%< 94 DNS_R_BADBITMAP */
+
+	"from wildcard",		       /*%< 95 DNS_R_FROMWILDCARD */
+	"bad owner name (check-names)",	       /*%< 96 DNS_R_BADOWNERNAME */
+	"bad name (check-names)",	       /*%< 97 DNS_R_BADNAME */
+	"dynamic zone",			       /*%< 98 DNS_R_DYNAMIC */
+	"unknown command",		       /*%< 99 DNS_R_UNKNOWNCOMMAND */
+
+	"must-be-secure",		       /*%< 100 DNS_R_MUSTBESECURE */
+	"covering NSEC record returned",       /*%< 101 DNS_R_COVERINGNSEC */
+	"MX is an address",		       /*%< 102 DNS_R_MXISADDRESS */
+	"duplicate query"		       /*%< 103 DNS_R_DUPLICATE */
 };
 
 static const char *rcode_text[DNS_R_NRCODERESULTS] = {
-	"NOERROR",				/*  0 DNS_R_NOEROR	     */
-	"FORMERR",				/*  1 DNS_R_FORMERR	     */
-	"SERVFAIL",				/*  2 DNS_R_SERVFAIL	     */
-	"NXDOMAIN",				/*  3 DNS_R_NXDOMAIN	     */
-	"NOTIMP",				/*  4 DNS_R_NOTIMP	     */
-
-	"REFUSED",				/*  5 DNS_R_REFUSED	     */
-	"YXDOMAIN",				/*  6 DNS_R_YXDOMAIN	     */
-	"YXRRSET",				/*  7 DNS_R_YXRRSET	     */
-	"NXRRSET",				/*  8 DNS_R_NXRRSET	     */
-	"NOTAUTH",				/*  9 DNS_R_NOTAUTH	     */
-
-	"NOTZONE",				/* 10 DNS_R_NOTZONE 	     */
-	"<rcode 11>",				/* 11 has no macro	     */
-	"<rcode 12>",				/* 12 has no macro	     */
-	"<rcode 13>",				/* 13 has no macro	     */
-	"<rcode 14>",				/* 14 has no macro	     */
-
-	"<rcode 15>",				/* 15 has no macro	     */
-	"BADVERS",				/* 16 DNS_R_BADVERS	     */
+	"NOERROR",				/*%< 0 DNS_R_NOEROR */
+	"FORMERR",				/*%< 1 DNS_R_FORMERR */
+	"SERVFAIL",				/*%< 2 DNS_R_SERVFAIL */
+	"NXDOMAIN",				/*%< 3 DNS_R_NXDOMAIN */
+	"NOTIMP",				/*%< 4 DNS_R_NOTIMP */
+
+	"REFUSED",				/*%< 5 DNS_R_REFUSED */
+	"YXDOMAIN",				/*%< 6 DNS_R_YXDOMAIN */
+	"YXRRSET",				/*%< 7 DNS_R_YXRRSET */
+	"NXRRSET",				/*%< 8 DNS_R_NXRRSET */
+	"NOTAUTH",				/*%< 9 DNS_R_NOTAUTH */
+
+	"NOTZONE",				/*%< 10 DNS_R_NOTZONE */
+	"<rcode 11>",				/*%< 11 has no macro */
+	"<rcode 12>",				/*%< 12 has no macro */
+	"<rcode 13>",				/*%< 13 has no macro */
+	"<rcode 14>",				/*%< 14 has no macro */
+
+	"<rcode 15>",				/*%< 15 has no macro */
+	"BADVERS",				/*%< 16 DNS_R_BADVERS */
 };
 
 #define DNS_RESULT_RESULTSET			2
diff --git a/contrib/bind9/lib/dns/rootns.c b/contrib/bind9/lib/dns/rootns.c
index 9e9c940..1c038a4 100644
--- a/contrib/bind9/lib/dns/rootns.c
+++ b/contrib/bind9/lib/dns/rootns.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rootns.c,v 1.20.2.3.2.5 2004/03/08 09:04:32 marka Exp $ */
+/* $Id: rootns.c,v 1.26.18.3 2005/04/27 05:01:26 sra Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -26,15 +28,18 @@
 #include <dns/callbacks.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
-#include <dns/log.h>
 #include <dns/fixedname.h>
+#include <dns/log.h>
 #include <dns/master.h>
 #include <dns/rdata.h>
-#include <dns/rdatasetiter.h>
+#include <dns/rdata.h>
 #include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
 #include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
 #include <dns/result.h>
 #include <dns/rootns.h>
+#include <dns/view.h>
 
 static char root_ns[] =
 ";\n"
@@ -245,3 +250,265 @@ dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 
 	return (result);
 }
+
+static void
+report(dns_view_t *view, dns_name_t *name, isc_boolean_t missing,
+       dns_rdata_t *rdata)
+{
+	const char *viewname = "", *sep = "";
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	char databuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")];
+	isc_buffer_t buffer;
+	isc_result_t result;
+
+        if (strcmp(view->name, "_bind") != 0 &&
+            strcmp(view->name, "_default") != 0) {
+                viewname = view->name;
+                sep = ": view ";
+        }
+
+	dns_name_format(name, namebuf, sizeof(namebuf));
+	dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
+	isc_buffer_init(&buffer, databuf, sizeof(databuf) - 1);
+	result = dns_rdata_totext(rdata, NULL, &buffer);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	databuf[isc_buffer_usedlength(&buffer)] = '\0';
+
+	if (missing)
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+			      "checkhints%s%s: %s/%s (%s) missing from hints",
+			      sep, viewname, namebuf, typebuf, databuf);
+	else
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+			      "checkhints%s%s: %s/%s (%s) extra record "
+			      "in hints", sep, viewname, namebuf, typebuf,
+			      databuf);
+}
+
+static isc_boolean_t
+inrrset(dns_rdataset_t *rrset, dns_rdata_t *rdata) {
+	isc_result_t result;
+	dns_rdata_t current = DNS_RDATA_INIT;
+
+	result = dns_rdataset_first(rrset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(rrset, &current);
+		if (dns_rdata_compare(rdata, &current) == 0)
+			return (ISC_TRUE);
+		dns_rdata_reset(&current);
+		result = dns_rdataset_next(rrset);
+	}
+	return (ISC_FALSE);
+}
+
+/*
+ * Check that the address RRsets match.
+ *
+ * Note we don't complain about missing glue records.
+ */
+
+static void
+check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db,
+		      dns_name_t *name, isc_stdtime_t now)
+{
+	isc_result_t hresult, rresult, result;
+	dns_rdataset_t hintrrset, rootrrset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_name_t *foundname;
+	dns_fixedname_t fixed;
+
+	dns_rdataset_init(&hintrrset);
+	dns_rdataset_init(&rootrrset);
+	dns_fixedname_init(&fixed);
+	foundname = dns_fixedname_name(&fixed);
+
+	hresult = dns_db_find(hints, name, NULL, dns_rdatatype_a, 0,
+			      now, NULL, foundname, &hintrrset, NULL);
+	rresult = dns_db_find(db, name, NULL, dns_rdatatype_a,
+			      DNS_DBFIND_GLUEOK, now, NULL, foundname,
+			      &rootrrset, NULL);
+	if (hresult == ISC_R_SUCCESS &&
+	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
+		result = dns_rdataset_first(&rootrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rootrrset, &rdata);
+			if (!inrrset(&hintrrset, &rdata))
+				report(view, name, ISC_TRUE, &rdata);
+			result = dns_rdataset_next(&rootrrset);
+		}
+		result = dns_rdataset_first(&hintrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&hintrrset, &rdata);
+			if (!inrrset(&rootrrset, &rdata))
+				report(view, name, ISC_FALSE, &rdata);
+			result = dns_rdataset_next(&hintrrset);
+		}
+	} 
+	if (hresult == ISC_R_NOTFOUND &&
+	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
+		result = dns_rdataset_first(&rootrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rootrrset, &rdata);
+			report(view, name, ISC_TRUE, &rdata);
+			result = dns_rdataset_next(&rootrrset);
+		}
+	}
+	if (dns_rdataset_isassociated(&rootrrset))
+		dns_rdataset_disassociate(&rootrrset);
+	if (dns_rdataset_isassociated(&hintrrset))
+		dns_rdataset_disassociate(&hintrrset);
+
+	/*
+	 * Check AAAA records.
+	 */
+	hresult = dns_db_find(hints, name, NULL, dns_rdatatype_aaaa, 0,
+			      now, NULL, foundname, &hintrrset, NULL);
+	rresult = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
+			      DNS_DBFIND_GLUEOK, now, NULL, foundname,
+			      &rootrrset, NULL);
+	if (hresult == ISC_R_SUCCESS &&
+	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
+		result = dns_rdataset_first(&rootrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rootrrset, &rdata);
+			if (!inrrset(&hintrrset, &rdata))
+				report(view, name, ISC_TRUE, &rdata);
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rootrrset);
+		}
+		result = dns_rdataset_first(&hintrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&hintrrset, &rdata);
+			if (!inrrset(&rootrrset, &rdata))
+				report(view, name, ISC_FALSE, &rdata);
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&hintrrset);
+		}
+	} 
+	if (hresult == ISC_R_NOTFOUND &&
+	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
+		result = dns_rdataset_first(&rootrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rootrrset, &rdata);
+			report(view, name, ISC_TRUE, &rdata);
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rootrrset);
+		}
+	}
+	if (dns_rdataset_isassociated(&rootrrset))
+		dns_rdataset_disassociate(&rootrrset);
+	if (dns_rdataset_isassociated(&hintrrset))
+		dns_rdataset_disassociate(&hintrrset);
+}
+
+void
+dns_root_checkhints(dns_view_t *view, dns_db_t *hints, dns_db_t *db) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_ns_t ns;
+	dns_rdataset_t hintns, rootns;
+	const char *viewname = "", *sep = "";
+	isc_stdtime_t now;
+	dns_name_t *name;
+	dns_fixedname_t fixed;
+
+	REQUIRE(hints != NULL);
+	REQUIRE(db != NULL);
+	REQUIRE(view != NULL);
+
+	isc_stdtime_get(&now);
+
+        if (strcmp(view->name, "_bind") != 0 &&
+            strcmp(view->name, "_default") != 0) {
+                viewname = view->name;
+                sep = ": view ";
+        }
+
+	dns_rdataset_init(&hintns);
+	dns_rdataset_init(&rootns);
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+
+	result = dns_db_find(hints, dns_rootname, NULL, dns_rdatatype_ns, 0,
+			     now, NULL, name, &hintns, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+			      "checkhints%s%s: unable to get root NS rrset "
+			      "from hints: %s", sep, viewname,
+			      dns_result_totext(result));
+		goto cleanup;
+	}
+
+	result = dns_db_find(db, dns_rootname, NULL, dns_rdatatype_ns, 0,
+			     now, NULL, name, &rootns, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+			      "checkhints%s%s: unable to get root NS rrset "
+			      "from cache: %s", sep, viewname,
+			      dns_result_totext(result));
+		goto cleanup;
+	}
+	
+	/*
+	 * Look for missing root NS names.
+	 */
+	result = dns_rdataset_first(&rootns);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&rootns, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		result = in_rootns(&hintns, &ns.name);
+		if (result != ISC_R_SUCCESS) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			/* missing from hints */
+			dns_name_format(&ns.name, namebuf, sizeof(namebuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+				      "checkhints%s%s: unable to find root "
+				      "NS '%s' in hints", sep, viewname,
+				      namebuf);
+		} else 
+			check_address_records(view, hints, db, &ns.name, now);
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(&rootns);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto cleanup;
+	}
+
+	/*
+	 * Look for extra root NS names.
+	 */
+	result = dns_rdataset_first(&hintns);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&hintns, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		result = in_rootns(&rootns, &ns.name);
+		if (result != ISC_R_SUCCESS) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			/* extra entry in hints */
+			dns_name_format(&ns.name, namebuf, sizeof(namebuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+				      "checkhints%s%s: extra NS '%s' in hints",
+				      sep, viewname, namebuf);
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(&hintns);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto cleanup;
+	}
+
+ cleanup:
+	if (dns_rdataset_isassociated(&rootns))
+		dns_rdataset_disassociate(&rootns);
+	if (dns_rdataset_isassociated(&hintns))
+		dns_rdataset_disassociate(&hintns);
+}
diff --git a/contrib/bind9/lib/dns/sdb.c b/contrib/bind9/lib/dns/sdb.c
index ef22418..79ddef2 100644
--- a/contrib/bind9/lib/dns/sdb.c
+++ b/contrib/bind9/lib/dns/sdb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdb.c,v 1.35.12.8 2004/07/22 04:01:58 marka Exp $ */
+/* $Id: sdb.c,v 1.45.18.10 2006/12/07 23:57:58 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -99,7 +101,7 @@ typedef struct sdb_rdatasetiter {
 
 #define SDB_MAGIC		ISC_MAGIC('S', 'D', 'B', '-')
 
-/*
+/*%
  * Note that "impmagic" is not the first four bytes of the struct, so
  * ISC_MAGIC_VALID cannot be used.
  */
@@ -110,7 +112,7 @@ typedef struct sdb_rdatasetiter {
 #define VALID_SDBLOOKUP(sdbl)	ISC_MAGIC_VALID(sdbl, SDBLOOKUP_MAGIC)
 #define VALID_SDBNODE(sdbn)	VALID_SDBLOOKUP(sdbn)
 
-/* These values are taken from RFC 1537 */
+/* These values are taken from RFC1537 */
 #define SDB_DEFAULT_REFRESH	(60 * 60 * 8)
 #define SDB_DEFAULT_RETRY	(60 * 60 * 2)
 #define SDB_DEFAULT_EXPIRE	(60 * 60 * 24 * 7)
@@ -225,12 +227,8 @@ dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
 	imp->mctx = NULL;
 	isc_mem_attach(mctx, &imp->mctx);
 	result = isc_mutex_init(&imp->driverlock);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 isc_result_totext(result));
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_mctx;
-	}
 
 	imp->dbimp = NULL;
 	result = dns_db_register(drivername, dns_sdb_create, imp, mctx,
@@ -269,10 +267,11 @@ dns_sdb_unregister(dns_sdbimplementation_t **sdbimp) {
 static inline unsigned int
 initial_size(unsigned int len) {
 	unsigned int size;
-	for (size = 64; size < (64 * 1024); size *= 2)
+
+	for (size = 1024; size < (64 * 1024); size *= 2)
 		if (len < size)
 			return (size);
-	return (64 * 1024);
+	return (65535);
 }
 
 isc_result_t
@@ -383,6 +382,8 @@ dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
 		if (result != ISC_R_SUCCESS)
 			goto failure;
 
+		if (size >= 65535)
+			size = 65535;
 		p = isc_mem_get(mctx, size);
 		if (p == NULL) {
 			result = ISC_R_NOMEMORY;
@@ -398,6 +399,11 @@ dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
 		if (result != ISC_R_NOSPACE)
 			break;
 
+		/*
+		 * Is the RR too big?
+		 */
+		if (size >= 65535)
+			break;
 		isc_mem_put(mctx, p, size);
 		p = NULL;
 		size *= 2;
@@ -599,10 +605,12 @@ endload(dns_db_t *db, dns_dbload_t **dbloadp) {
 }
 
 static isc_result_t
-dump(dns_db_t *db, dns_dbversion_t *version, const char *filename) {
+dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
+     dns_masterformat_t masterformat) {
 	UNUSED(db);
 	UNUSED(version);
 	UNUSED(filename);
+	UNUSED(masterformat);
 	return (ISC_R_NOTIMPLEMENTED);
 }
 
@@ -664,11 +672,8 @@ createnode(dns_sdb_t *sdb, dns_sdbnode_t **nodep) {
 	node->name = NULL;
 	result = isc_mutex_init(&node->lock);
 	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 isc_result_totext(result));
 		isc_mem_put(sdb->common.mctx, node, sizeof(dns_sdbnode_t));
-		return (ISC_R_UNEXPECTED);
+		return (result);
 	}
 	dns_rdatacallbacks_init(&node->callbacks);
 	node->references = 1;
@@ -930,7 +935,8 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 
 		xresult = dns_name_copy(xname, foundname, NULL);
 		if (xresult != ISC_R_SUCCESS) {
-			destroynode(node);
+			if (node != NULL)
+				destroynode(node);
 			if (dns_rdataset_isassociated(rdataset))
 				dns_rdataset_disassociate(rdataset);
 			return (DNS_R_BADDB);
@@ -1234,7 +1240,8 @@ static dns_dbmethods_t sdb_methods = {
 	nodecount,
 	ispersistent,
 	overmem,
-	settask
+	settask,
+	NULL
 };
 
 static isc_result_t
@@ -1270,13 +1277,8 @@ dns_sdb_create(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type,
 	isc_mem_attach(mctx, &sdb->common.mctx);
 
 	result = isc_mutex_init(&sdb->lock);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_mctx;
-	}
 
 	result = dns_name_dupwithoffsets(origin, mctx, &sdb->common.origin);
 	if (result != ISC_R_SUCCESS)
@@ -1361,7 +1363,10 @@ static dns_rdatasetmethods_t methods = {
 	rdataset_clone,
 	isc__rdatalist_count,
 	isc__rdatalist_addnoqname,
-	isc__rdatalist_getnoqname
+	isc__rdatalist_getnoqname,
+	NULL,
+	NULL,
+	NULL
 };
 
 static void
diff --git a/contrib/bind9/lib/dns/sdlz.c b/contrib/bind9/lib/dns/sdlz.c
new file mode 100644
index 0000000..2c6ba8d
--- /dev/null
+++ b/contrib/bind9/lib/dns/sdlz.c
@@ -0,0 +1,1781 @@
+/*
+ * Portions Copyright (C) 2005-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sdlz.c,v 1.2.2.9 2007/02/14 23:45:43 marka Exp $ */
+
+/*! \file */
+
+#include <config.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/log.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/util.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/region.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/dlz.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/master.h>
+#include <dns/sdlz.h>
+#include <dns/types.h>
+
+#include "rdatalist_p.h"
+
+/*
+ * Private Types
+ */
+
+struct dns_sdlzimplementation {
+	const dns_sdlzmethods_t		*methods;
+	isc_mem_t			*mctx;
+	void				*driverarg;
+	unsigned int			flags;
+	isc_mutex_t			driverlock;
+	dns_dlzimplementation_t		*dlz_imp;
+};
+
+struct dns_sdlz_db {
+	/* Unlocked */
+	dns_db_t			common;
+	void				*dbdata;
+	dns_sdlzimplementation_t	*dlzimp;
+	isc_mutex_t			refcnt_lock;
+	/* Locked */
+	unsigned int			references;
+};
+
+struct dns_sdlzlookup {
+	/* Unlocked */
+	unsigned int			magic;
+	dns_sdlz_db_t			*sdlz;
+	ISC_LIST(dns_rdatalist_t)	lists;
+	ISC_LIST(isc_buffer_t)		buffers;
+	dns_name_t			*name;
+	ISC_LINK(dns_sdlzlookup_t)	link;
+	isc_mutex_t			lock;
+	dns_rdatacallbacks_t		callbacks;
+	/* Locked */
+	unsigned int			references;
+};
+
+typedef struct dns_sdlzlookup dns_sdlznode_t;
+
+struct dns_sdlzallnodes {
+	dns_dbiterator_t		common;
+	ISC_LIST(dns_sdlznode_t)	nodelist;
+	dns_sdlznode_t			*current;
+	dns_sdlznode_t			*origin;
+};
+
+typedef dns_sdlzallnodes_t sdlz_dbiterator_t;
+
+typedef struct sdlz_rdatasetiter {
+	dns_rdatasetiter_t		common;
+	dns_rdatalist_t			*current;
+} sdlz_rdatasetiter_t;
+
+
+#define SDLZDB_MAGIC		ISC_MAGIC('D', 'L', 'Z', 'S')
+
+/*
+ * Note that "impmagic" is not the first four bytes of the struct, so
+ * ISC_MAGIC_VALID cannot be used.
+ */
+
+#define VALID_SDLZDB(sdlzdb)	((sdlzdb) != NULL && \
+				 (sdlzdb)->common.impmagic == SDLZDB_MAGIC)
+
+#define SDLZLOOKUP_MAGIC	ISC_MAGIC('D','L','Z','L')
+#define VALID_SDLZLOOKUP(sdlzl)	ISC_MAGIC_VALID(sdlzl, SDLZLOOKUP_MAGIC)
+#define VALID_SDLZNODE(sdlzn)	VALID_SDLZLOOKUP(sdlzn)
+
+/* These values are taken from RFC 1537 */
+#define SDLZ_DEFAULT_REFRESH	(60 * 60 * 8)
+#define SDLZ_DEFAULT_RETRY	(60 * 60 * 2)
+#define SDLZ_DEFAULT_EXPIRE	(60 * 60 * 24 * 7)
+#define SDLZ_DEFAULT_MINIMUM	(60 * 60 * 24)
+
+/* This is a reasonable value */
+#define SDLZ_DEFAULT_TTL	(60 * 60 * 24)
+
+static int dummy;
+
+#define MAYBE_LOCK(imp) \
+	do { \
+		unsigned int flags = imp->flags; \
+		if ((flags & DNS_SDLZFLAG_THREADSAFE) == 0) \
+			LOCK(&imp->driverlock); \
+	} while (0)
+
+#define MAYBE_UNLOCK(imp) \
+	do { \
+		unsigned int flags = imp->flags; \
+		if ((flags & DNS_SDLZFLAG_THREADSAFE) == 0) \
+			UNLOCK(&imp->driverlock); \
+	} while (0)
+
+/*
+ * Forward references.  Try to keep these to a minimum.
+ */
+
+static void list_tordataset(dns_rdatalist_t *rdatalist,
+			    dns_db_t *db, dns_dbnode_t *node,
+			    dns_rdataset_t *rdataset);
+
+static void detachnode(dns_db_t *db, dns_dbnode_t **targetp);
+
+static void		dbiterator_destroy(dns_dbiterator_t **iteratorp);
+static isc_result_t	dbiterator_first(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_last(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_seek(dns_dbiterator_t *iterator,
+					dns_name_t *name);
+static isc_result_t	dbiterator_prev(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_next(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_current(dns_dbiterator_t *iterator,
+					   dns_dbnode_t **nodep,
+					   dns_name_t *name);
+static isc_result_t	dbiterator_pause(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_origin(dns_dbiterator_t *iterator,
+					  dns_name_t *name);
+
+static dns_dbiteratormethods_t dbiterator_methods = {
+	dbiterator_destroy,
+	dbiterator_first,
+	dbiterator_last,
+	dbiterator_seek,
+	dbiterator_prev,
+	dbiterator_next,
+	dbiterator_current,
+	dbiterator_pause,
+	dbiterator_origin
+};
+
+/*
+ * Utility functions
+ */
+
+/*% Converts the input string to lowercase, in place. */
+
+static void
+dns_sdlz_tolower(char *str) {
+
+	unsigned int len = strlen(str);
+	unsigned int i;
+
+	for (i = 0; i < len; i++) {
+		if (str[i] >= 'A' && str[i] <= 'Z')
+			str[i] += 32;
+	}
+
+}
+
+static inline unsigned int
+initial_size(const char *data) {
+	unsigned int len = (strlen(data) / 64) + 1;
+	return (len * 64 + 64);
+}
+
+/*
+ * Rdataset Iterator Methods. These methods were "borrowed" from the SDB
+ * driver interface.  See the SDB driver interface documentation for more info.
+ */
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+	sdlz_rdatasetiter_t *sdlziterator =
+		(sdlz_rdatasetiter_t *)(*iteratorp);
+
+	detachnode(sdlziterator->common.db, &sdlziterator->common.node);
+	isc_mem_put(sdlziterator->common.db->mctx, sdlziterator,
+		    sizeof(sdlz_rdatasetiter_t));
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+	sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator;
+	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *)iterator->node;
+
+	if (ISC_LIST_EMPTY(sdlznode->lists))
+		return (ISC_R_NOMORE);
+	sdlziterator->current = ISC_LIST_HEAD(sdlznode->lists);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+	sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator;
+
+	sdlziterator->current = ISC_LIST_NEXT(sdlziterator->current, link);
+	if (sdlziterator->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
+	sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator;
+
+	list_tordataset(sdlziterator->current, iterator->db, iterator->node,
+			rdataset);
+}
+
+static dns_rdatasetitermethods_t rdatasetiter_methods = {
+	rdatasetiter_destroy,
+	rdatasetiter_first,
+	rdatasetiter_next,
+	rdatasetiter_current
+};
+
+/*
+ * DB routines. These methods were "borrowed" from the SDB driver interface.
+ * See the SDB driver interface documentation for more info.
+ */
+
+static void
+attach(dns_db_t *source, dns_db_t **targetp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *) source;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	LOCK(&sdlz->refcnt_lock);
+	REQUIRE(sdlz->references > 0);
+	sdlz->references++;
+	UNLOCK(&sdlz->refcnt_lock);
+
+	*targetp = source;
+}
+
+static void
+destroy(dns_sdlz_db_t *sdlz) {
+	isc_mem_t *mctx;
+	mctx = sdlz->common.mctx;
+
+	sdlz->common.magic = 0;
+	sdlz->common.impmagic = 0;
+
+	isc_mutex_destroy(&sdlz->refcnt_lock);
+
+	dns_name_free(&sdlz->common.origin, mctx);
+
+	isc_mem_put(mctx, sdlz, sizeof(dns_sdlz_db_t));
+	isc_mem_detach(&mctx);
+}
+
+static void
+detach(dns_db_t **dbp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)(*dbp);
+	isc_boolean_t need_destroy = ISC_FALSE;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	LOCK(&sdlz->refcnt_lock);
+	REQUIRE(sdlz->references > 0);
+	sdlz->references--;
+	if (sdlz->references == 0)
+		need_destroy = ISC_TRUE;
+	UNLOCK(&sdlz->refcnt_lock);
+
+	if (need_destroy)
+		destroy(sdlz);
+
+	*dbp = NULL;
+}
+
+static isc_result_t
+beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) {
+	UNUSED(db);
+	UNUSED(addp);
+	UNUSED(dbloadp);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+endload(dns_db_t *db, dns_dbload_t **dbloadp) {
+	UNUSED(db);
+	UNUSED(dbloadp);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
+     dns_masterformat_t masterformat)
+{
+	UNUSED(db);
+	UNUSED(version);
+	UNUSED(filename);
+	UNUSED(masterformat);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	REQUIRE(versionp != NULL && *versionp == NULL);
+
+	UNUSED(db);
+
+	*versionp = (void *) &dummy;
+	return;
+}
+
+static isc_result_t
+newversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	UNUSED(db);
+	UNUSED(versionp);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+attachversion(dns_db_t *db, dns_dbversion_t *source,
+	      dns_dbversion_t **targetp)
+{
+	REQUIRE(source != NULL && source == (void *) &dummy);
+
+	UNUSED(db);
+	UNUSED(source);
+	UNUSED(targetp);
+	*targetp = source;
+}
+
+static void
+closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
+	REQUIRE(versionp != NULL && *versionp == (void *) &dummy);
+	REQUIRE(commit == ISC_FALSE);
+
+	UNUSED(db);
+	UNUSED(commit);
+
+	*versionp = NULL;
+}
+
+static isc_result_t
+createnode(dns_sdlz_db_t *sdlz, dns_sdlznode_t **nodep) {
+	dns_sdlznode_t *node;
+	isc_result_t result;
+
+	node = isc_mem_get(sdlz->common.mctx, sizeof(dns_sdlznode_t));
+	if (node == NULL)
+		return (ISC_R_NOMEMORY);
+
+	node->sdlz = NULL;
+	attach((dns_db_t *)sdlz, (dns_db_t **)&node->sdlz);
+	ISC_LIST_INIT(node->lists);
+	ISC_LIST_INIT(node->buffers);
+	ISC_LINK_INIT(node, link);
+	node->name = NULL;
+	result = isc_mutex_init(&node->lock);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_mutex_init() failed: %s",
+				 isc_result_totext(result));
+		isc_mem_put(sdlz->common.mctx, node, sizeof(dns_sdlznode_t));
+		return (ISC_R_UNEXPECTED);
+	}
+	dns_rdatacallbacks_init(&node->callbacks);
+	node->references = 1;
+	node->magic = SDLZLOOKUP_MAGIC;
+
+	*nodep = node;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+destroynode(dns_sdlznode_t *node) {
+	dns_rdatalist_t *list;
+	dns_rdata_t *rdata;
+	isc_buffer_t *b;
+	dns_sdlz_db_t *sdlz;
+	dns_db_t *db;
+	isc_mem_t *mctx;
+
+	sdlz = node->sdlz;
+	mctx = sdlz->common.mctx;
+
+	while (!ISC_LIST_EMPTY(node->lists)) {
+		list = ISC_LIST_HEAD(node->lists);
+		while (!ISC_LIST_EMPTY(list->rdata)) {
+			rdata = ISC_LIST_HEAD(list->rdata);
+			ISC_LIST_UNLINK(list->rdata, rdata, link);
+			isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
+		}
+		ISC_LIST_UNLINK(node->lists, list, link);
+		isc_mem_put(mctx, list, sizeof(dns_rdatalist_t));
+	}
+
+	while (!ISC_LIST_EMPTY(node->buffers)) {
+		b = ISC_LIST_HEAD(node->buffers);
+		ISC_LIST_UNLINK(node->buffers, b, link);
+		isc_buffer_free(&b);
+	}
+
+	if (node->name != NULL) {
+		dns_name_free(node->name, mctx);
+		isc_mem_put(mctx, node->name, sizeof(dns_name_t));
+	}
+	DESTROYLOCK(&node->lock);
+	node->magic = 0;
+	isc_mem_put(mctx, node, sizeof(dns_sdlznode_t));
+	db = &sdlz->common;
+	detach(&db);
+}
+
+static isc_result_t
+findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
+	 dns_dbnode_t **nodep)
+{
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	dns_sdlznode_t *node = NULL;
+	isc_result_t result;
+	isc_buffer_t b;
+	char namestr[DNS_NAME_MAXTEXT + 1];
+	isc_buffer_t b2;
+	char zonestr[DNS_NAME_MAXTEXT + 1];
+	isc_boolean_t isorigin;
+	dns_sdlzauthorityfunc_t authority;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(create == ISC_FALSE);
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	UNUSED(name);
+	UNUSED(create);
+
+	isc_buffer_init(&b, namestr, sizeof(namestr));
+	if ((sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVEOWNER) != 0) {
+		dns_name_t relname;
+		unsigned int labels;
+
+		labels = dns_name_countlabels(name) -
+			 dns_name_countlabels(&db->origin);
+		dns_name_init(&relname, NULL);
+		dns_name_getlabelsequence(name, 0, labels, &relname);
+		result = dns_name_totext(&relname, ISC_TRUE, &b);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	} else {
+		result = dns_name_totext(name, ISC_TRUE, &b);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	isc_buffer_putuint8(&b, 0);
+
+	isc_buffer_init(&b2, zonestr, sizeof(zonestr));
+	result = dns_name_totext(&sdlz->common.origin, ISC_TRUE, &b2);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_putuint8(&b2, 0);
+
+	result = createnode(sdlz, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	isorigin = dns_name_equal(name, &sdlz->common.origin);
+
+	/* make sure strings are always lowercase */
+	dns_sdlz_tolower(zonestr);
+	dns_sdlz_tolower(namestr);
+
+	MAYBE_LOCK(sdlz->dlzimp);
+
+	/* try to lookup the host (namestr) */
+	result = sdlz->dlzimp->methods->lookup(zonestr, namestr,
+					       sdlz->dlzimp->driverarg,
+					       sdlz->dbdata, node);
+
+	/*
+	 * if the host (namestr) was not found, try to lookup a
+	 * "wildcard" host.
+	 */
+	if (result != ISC_R_SUCCESS) {
+		result = sdlz->dlzimp->methods->lookup(zonestr, "*",
+						       sdlz->dlzimp->driverarg,
+						       sdlz->dbdata, node);
+	}
+
+	MAYBE_UNLOCK(sdlz->dlzimp);
+
+	if (result != ISC_R_SUCCESS && !isorigin) {
+		destroynode(node);
+		return (result);
+	}
+
+	if (isorigin && sdlz->dlzimp->methods->authority != NULL) {
+		MAYBE_LOCK(sdlz->dlzimp);
+		authority = sdlz->dlzimp->methods->authority;
+		result = (*authority)(zonestr, sdlz->dlzimp->driverarg,
+				      sdlz->dbdata, node);
+		MAYBE_UNLOCK(sdlz->dlzimp);
+		if (result != ISC_R_SUCCESS &&
+		    result != ISC_R_NOTIMPLEMENTED) {
+			destroynode(node);
+			return (result);
+		}
+	}
+
+	*nodep = node;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
+	    isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname,
+	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	UNUSED(db);
+	UNUSED(name);
+	UNUSED(options);
+	UNUSED(now);
+	UNUSED(nodep);
+	UNUSED(foundname);
+	UNUSED(rdataset);
+	UNUSED(sigrdataset);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	dns_sdlznode_t *node = (dns_sdlznode_t *)source;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	UNUSED(sdlz);
+
+	LOCK(&node->lock);
+	INSIST(node->references > 0);
+	node->references++;
+	INSIST(node->references != 0);		/* Catch overflow. */
+	UNLOCK(&node->lock);
+
+	*targetp = source;
+}
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	dns_sdlznode_t *node;
+	isc_boolean_t need_destroy = ISC_FALSE;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(targetp != NULL && *targetp != NULL);
+
+	UNUSED(sdlz);
+
+	node = (dns_sdlznode_t *)(*targetp);
+
+	LOCK(&node->lock);
+	INSIST(node->references > 0);
+	node->references--;
+	if (node->references == 0)
+		need_destroy = ISC_TRUE;
+	UNLOCK(&node->lock);
+
+	if (need_destroy)
+		destroynode(node);
+
+	*targetp = NULL;
+}
+
+static isc_result_t
+expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(now);
+	INSIST(0);
+	return (ISC_R_UNEXPECTED);
+}
+
+static void
+printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(out);
+	return;
+}
+
+static isc_result_t
+createiterator(dns_db_t *db, isc_boolean_t relative_names,
+	       dns_dbiterator_t **iteratorp)
+{
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	sdlz_dbiterator_t *sdlziter;
+	isc_result_t result;
+	isc_buffer_t b;
+	char zonestr[DNS_NAME_MAXTEXT + 1];
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	if (sdlz->dlzimp->methods->allnodes == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	isc_buffer_init(&b, zonestr, sizeof(zonestr));
+	result = dns_name_totext(&sdlz->common.origin, ISC_TRUE, &b);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_putuint8(&b, 0);
+
+	sdlziter = isc_mem_get(sdlz->common.mctx, sizeof(sdlz_dbiterator_t));
+	if (sdlziter == NULL)
+		return (ISC_R_NOMEMORY);
+
+	sdlziter->common.methods = &dbiterator_methods;
+	sdlziter->common.db = NULL;
+	dns_db_attach(db, &sdlziter->common.db);
+	sdlziter->common.relative_names = relative_names;
+	sdlziter->common.magic = DNS_DBITERATOR_MAGIC;
+	ISC_LIST_INIT(sdlziter->nodelist);
+	sdlziter->current = NULL;
+	sdlziter->origin = NULL;
+
+	/* make sure strings are always lowercase */
+	dns_sdlz_tolower(zonestr);
+
+	MAYBE_LOCK(sdlz->dlzimp);
+	result = sdlz->dlzimp->methods->allnodes(zonestr,
+						 sdlz->dlzimp->driverarg,
+						 sdlz->dbdata, sdlziter);
+	MAYBE_UNLOCK(sdlz->dlzimp);
+	if (result != ISC_R_SUCCESS) {
+		dns_dbiterator_t *iter = &sdlziter->common;
+		dbiterator_destroy(&iter);
+		return (result);
+	}
+
+	if (sdlziter->origin != NULL) {
+		ISC_LIST_UNLINK(sdlziter->nodelist, sdlziter->origin, link);
+		ISC_LIST_PREPEND(sdlziter->nodelist, sdlziter->origin, link);
+	}
+
+	*iteratorp = (dns_dbiterator_t *)sdlziter;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     dns_rdatatype_t type, dns_rdatatype_t covers,
+	     isc_stdtime_t now, dns_rdataset_t *rdataset,
+	     dns_rdataset_t *sigrdataset)
+{
+	dns_rdatalist_t *list;
+	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *)node;
+
+	REQUIRE(VALID_SDLZNODE(node));
+
+	UNUSED(db);
+	UNUSED(version);
+	UNUSED(covers);
+	UNUSED(now);
+	UNUSED(sigrdataset);
+
+	if (type == dns_rdatatype_sig || type == dns_rdatatype_rrsig)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	list = ISC_LIST_HEAD(sdlznode->lists);
+	while (list != NULL) {
+		if (list->type == type)
+			break;
+		list = ISC_LIST_NEXT(list, link);
+	}
+	if (list == NULL)
+		return (ISC_R_NOTFOUND);
+
+	list_tordataset(list, db, node, rdataset);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+     dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+     dns_dbnode_t **nodep, dns_name_t *foundname,
+     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t fname;
+	dns_rdataset_t xrdataset;
+	dns_name_t *xname;
+	unsigned int nlabels, olabels;
+	isc_result_t result;
+	unsigned int i;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(nodep == NULL || *nodep == NULL);
+	REQUIRE(version == NULL || version == (void *) &dummy);
+
+	UNUSED(options);
+	UNUSED(sdlz);
+
+	if (!dns_name_issubdomain(name, &db->origin))
+		return (DNS_R_NXDOMAIN);
+
+	olabels = dns_name_countlabels(&db->origin);
+	nlabels = dns_name_countlabels(name);
+
+	dns_fixedname_init(&fname);
+	xname = dns_fixedname_name(&fname);
+
+	if (rdataset == NULL) {
+		dns_rdataset_init(&xrdataset);
+		rdataset = &xrdataset;
+	}
+
+	result = DNS_R_NXDOMAIN;
+
+	for (i = olabels; i <= nlabels; i++) {
+		/*
+		 * Unless this is an explicit lookup at the origin, don't
+		 * look at the origin.
+		 */
+		if (i == olabels && i != nlabels)
+			continue;
+
+		/*
+		 * Look up the next label.
+		 */
+		dns_name_getlabelsequence(name, nlabels - i, i, xname);
+		result = findnode(db, xname, ISC_FALSE, &node);
+		if (result != ISC_R_SUCCESS) {
+			result = DNS_R_NXDOMAIN;
+			continue;
+		}
+
+		/*
+		 * Look for a DNAME at the current label, unless this is
+		 * the qname.
+		 */
+		if (i < nlabels) {
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_dname,
+					      0, now, rdataset, sigrdataset);
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_DNAME;
+				break;
+			}
+		}
+
+		/*
+		 * Look for an NS at the current label, unless this is the
+		 * origin or glue is ok.
+		 */
+		if (i != olabels && (options & DNS_DBFIND_GLUEOK) == 0) {
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_ns,
+					      0, now, rdataset, sigrdataset);
+			if (result == ISC_R_SUCCESS) {
+				if (i == nlabels && type == dns_rdatatype_any)
+				{
+					result = DNS_R_ZONECUT;
+					dns_rdataset_disassociate(rdataset);
+					if (sigrdataset != NULL)
+						dns_rdataset_disassociate
+							(sigrdataset);
+				} else
+					result = DNS_R_DELEGATION;
+				break;
+			}
+		}
+
+		/*
+		 * If the current name is not the qname, add another label
+		 * and try again.
+		 */
+		if (i < nlabels) {
+			destroynode(node);
+			node = NULL;
+			continue;
+		}
+
+		/*
+		 * If we're looking for ANY, we're done.
+		 */
+		if (type == dns_rdatatype_any) {
+			result = ISC_R_SUCCESS;
+			break;
+		}
+
+		/*
+		 * Look for the qtype.
+		 */
+		result = findrdataset(db, node, version, type,
+				      0, now, rdataset, sigrdataset);
+		if (result == ISC_R_SUCCESS)
+			break;
+
+		/*
+		 * Look for a CNAME
+		 */
+		if (type != dns_rdatatype_cname) {
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_cname,
+					      0, now, rdataset, sigrdataset);
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_CNAME;
+				break;
+			}
+		}
+
+		result = DNS_R_NXRRSET;
+		break;
+	}
+
+	if (rdataset == &xrdataset && dns_rdataset_isassociated(rdataset))
+		dns_rdataset_disassociate(rdataset);
+
+	if (foundname != NULL) {
+		isc_result_t xresult;
+
+		xresult = dns_name_copy(xname, foundname, NULL);
+		if (xresult != ISC_R_SUCCESS) {
+			if (node != NULL)
+				destroynode(node);
+			if (dns_rdataset_isassociated(rdataset))
+				dns_rdataset_disassociate(rdataset);
+			return (DNS_R_BADDB);
+		}
+	}
+
+	if (nodep != NULL)
+		*nodep = node;
+	else if (node != NULL)
+		detachnode(db, &node);
+
+	return (result);
+}
+
+static isc_result_t
+allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
+{
+	sdlz_rdatasetiter_t *iterator;
+
+	REQUIRE(version == NULL || version == &dummy);
+
+	UNUSED(version);
+	UNUSED(now);
+
+	iterator = isc_mem_get(db->mctx, sizeof(sdlz_rdatasetiter_t));
+	if (iterator == NULL)
+		return (ISC_R_NOMEMORY);
+
+	iterator->common.magic = DNS_RDATASETITER_MAGIC;
+	iterator->common.methods = &rdatasetiter_methods;
+	iterator->common.db = db;
+	iterator->common.node = NULL;
+	attachnode(db, node, &iterator->common.node);
+	iterator->common.version = version;
+	iterator->common.now = now;
+
+	*iteratorp = (dns_rdatasetiter_t *)iterator;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+	    dns_rdataset_t *addedrdataset)
+{
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(version);
+	UNUSED(now);
+	UNUSED(rdataset);
+	UNUSED(options);
+	UNUSED(addedrdataset);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		 dns_rdataset_t *rdataset, unsigned int options,
+		 dns_rdataset_t *newrdataset)
+{
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(version);
+	UNUSED(rdataset);
+	UNUSED(options);
+	UNUSED(newrdataset);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	       dns_rdatatype_t type, dns_rdatatype_t covers)
+{
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(version);
+	UNUSED(type);
+	UNUSED(covers);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_boolean_t
+issecure(dns_db_t *db) {
+	UNUSED(db);
+
+	return (ISC_FALSE);
+}
+
+static unsigned int
+nodecount(dns_db_t *db) {
+	UNUSED(db);
+
+	return (0);
+}
+
+static isc_boolean_t
+ispersistent(dns_db_t *db) {
+	UNUSED(db);
+	return (ISC_TRUE);
+}
+
+static void
+overmem(dns_db_t *db, isc_boolean_t overmem) {
+	UNUSED(db);
+	UNUSED(overmem);
+}
+
+static void
+settask(dns_db_t *db, isc_task_t *task) {
+	UNUSED(db);
+	UNUSED(task);
+}
+
+
+static dns_dbmethods_t sdlzdb_methods = {
+	attach,
+	detach,
+	beginload,
+	endload,
+	dump,
+	currentversion,
+	newversion,
+	attachversion,
+	closeversion,
+	findnode,
+	find,
+	findzonecut,
+	attachnode,
+	detachnode,
+	expirenode,
+	printnode,
+	createiterator,
+	findrdataset,
+	allrdatasets,
+	addrdataset,
+	subtractrdataset,
+	deleterdataset,
+	issecure,
+	nodecount,
+	ispersistent,
+	overmem,
+	settask,
+	NULL,
+};
+
+/*
+ * Database Iterator Methods.  These methods were "borrowed" from the SDB
+ * driver interface.  See the SDB driver interface documentation for more info.
+ */
+
+static void
+dbiterator_destroy(dns_dbiterator_t **iteratorp) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)(*iteratorp);
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)sdlziter->common.db;
+
+	while (!ISC_LIST_EMPTY(sdlziter->nodelist)) {
+		dns_sdlznode_t *node;
+		node = ISC_LIST_HEAD(sdlziter->nodelist);
+		ISC_LIST_UNLINK(sdlziter->nodelist, node, link);
+		destroynode(node);
+	}
+
+	dns_db_detach(&sdlziter->common.db);
+	isc_mem_put(sdlz->common.mctx, sdlziter, sizeof(sdlz_dbiterator_t));
+
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+dbiterator_first(dns_dbiterator_t *iterator) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_HEAD(sdlziter->nodelist);
+	if (sdlziter->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_last(dns_dbiterator_t *iterator) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_TAIL(sdlziter->nodelist);
+	if (sdlziter->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_HEAD(sdlziter->nodelist);
+	while (sdlziter->current != NULL)
+		if (dns_name_equal(sdlziter->current->name, name))
+			return (ISC_R_SUCCESS);
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+dbiterator_prev(dns_dbiterator_t *iterator) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_PREV(sdlziter->current, link);
+	if (sdlziter->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_next(dns_dbiterator_t *iterator) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_NEXT(sdlziter->current, link);
+	if (sdlziter->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		   dns_name_t *name)
+{
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	attachnode(iterator->db, sdlziter->current, nodep);
+	if (name != NULL)
+		return (dns_name_copy(sdlziter->current->name, name, NULL));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_pause(dns_dbiterator_t *iterator) {
+	UNUSED(iterator);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
+	UNUSED(iterator);
+	return (dns_name_copy(dns_rootname, name, NULL));
+}
+
+/*
+ * Rdataset Methods. These methods were "borrowed" from the SDB driver
+ * interface.  See the SDB driver interface documentation for more info.
+ */
+
+static void
+disassociate(dns_rdataset_t *rdataset) {
+	dns_dbnode_t *node = rdataset->private5;
+	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *) node;
+	dns_db_t *db = (dns_db_t *) sdlznode->sdlz;
+
+	detachnode(db, &node);
+	isc__rdatalist_disassociate(rdataset);
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	dns_dbnode_t *node = source->private5;
+	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *) node;
+	dns_db_t *db = (dns_db_t *) sdlznode->sdlz;
+	dns_dbnode_t *tempdb = NULL;
+
+	isc__rdatalist_clone(source, target);
+	attachnode(db, node, &tempdb);
+	source->private5 = tempdb;
+}
+
+static dns_rdatasetmethods_t rdataset_methods = {
+	disassociate,
+	isc__rdatalist_first,
+	isc__rdatalist_next,
+	isc__rdatalist_current,
+	rdataset_clone,
+	isc__rdatalist_count,
+	isc__rdatalist_addnoqname,
+	isc__rdatalist_getnoqname,
+	NULL,
+	NULL,
+	NULL
+};
+
+static void
+list_tordataset(dns_rdatalist_t *rdatalist,
+		dns_db_t *db, dns_dbnode_t *node,
+		dns_rdataset_t *rdataset)
+{
+	/*
+	 * The sdlz rdataset is an rdatalist with some additions.
+	 *	- private1 & private2 are used by the rdatalist.
+	 *	- private3 & private 4 are unused.
+	 *	- private5 is the node.
+	 */
+
+	/* This should never fail. */
+	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) ==
+		      ISC_R_SUCCESS);
+
+	rdataset->methods = &rdataset_methods;
+	dns_db_attachnode(db, node, &rdataset->private5);
+}
+
+/*
+ * SDLZ core methods. This is the core of the new DLZ functionality.
+ */
+
+/*%
+ * Build a 'bind' database driver structure to be returned by
+ * either the find zone or the allow zone transfer method.
+ * This method is only available in this source file, it is
+ * not made available anywhere else.
+ */
+
+static isc_result_t
+dns_sdlzcreateDBP(isc_mem_t *mctx, void *driverarg, void *dbdata,
+		  dns_name_t *name, dns_rdataclass_t rdclass, dns_db_t **dbp)
+{
+	isc_result_t result;
+	dns_sdlz_db_t *sdlzdb;
+	dns_sdlzimplementation_t *imp;
+
+	/* check that things are as we expect */
+	REQUIRE(dbp != NULL && *dbp == NULL);
+	REQUIRE(name != NULL);
+
+	imp = (dns_sdlzimplementation_t *) driverarg;
+
+	/* allocate and zero memory for driver structure */
+	sdlzdb = isc_mem_get(mctx, sizeof(dns_sdlz_db_t));
+	if (sdlzdb == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(sdlzdb, 0, sizeof(dns_sdlz_db_t));
+
+	/* initialize and set origin */
+	dns_name_init(&sdlzdb->common.origin, NULL);
+	result = dns_name_dupwithoffsets(name, mctx, &sdlzdb->common.origin);
+	if (result != ISC_R_SUCCESS)
+		goto mem_cleanup;
+
+	/* initialize the reference count mutex */
+	result = isc_mutex_init(&sdlzdb->refcnt_lock);
+	if (result != ISC_R_SUCCESS)
+		goto name_cleanup;
+
+	/* set the rest of the database structure attributes */
+	sdlzdb->dlzimp = imp;
+	sdlzdb->common.methods = &sdlzdb_methods;
+	sdlzdb->common.attributes = 0;
+	sdlzdb->common.rdclass = rdclass;
+	sdlzdb->common.mctx = NULL;
+	sdlzdb->dbdata = dbdata;
+	sdlzdb->references = 1;
+
+	/* attach to the memory context */
+	isc_mem_attach(mctx, &sdlzdb->common.mctx);
+
+	/* mark structure as valid */
+	sdlzdb->common.magic = DNS_DB_MAGIC;
+	sdlzdb->common.impmagic = SDLZDB_MAGIC;
+	*dbp = (dns_db_t *) sdlzdb;
+
+	return (result);
+
+	/*
+	 * reference count mutex could not be initialized, clean up
+	 * name memory
+	 */
+ name_cleanup:
+	dns_name_free(&sdlzdb->common.origin, mctx);
+ mem_cleanup:
+	isc_mem_put(mctx, sdlzdb, sizeof(dns_sdlz_db_t));
+	return (result);
+}
+
+static isc_result_t
+dns_sdlzallowzonexfr(void *driverarg, void *dbdata, isc_mem_t *mctx,
+		     dns_rdataclass_t rdclass, dns_name_t *name,
+		     isc_sockaddr_t *clientaddr, dns_db_t **dbp)
+{
+	isc_buffer_t b;
+	isc_buffer_t b2;
+	char namestr[DNS_NAME_MAXTEXT + 1];
+	char clientstr[(sizeof "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255")
+		       + 1];
+	isc_netaddr_t netaddr;
+	isc_result_t result;
+	dns_sdlzimplementation_t *imp;
+
+	/*
+	 * Perform checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(driverarg != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(clientaddr != NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	imp = (dns_sdlzimplementation_t *) driverarg;
+
+	/* Convert DNS name to ascii text */
+	isc_buffer_init(&b, namestr, sizeof(namestr));
+	result = dns_name_totext(name, ISC_TRUE, &b);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_putuint8(&b, 0);
+
+	/* convert client address to ascii text */
+	isc_buffer_init(&b2, clientstr, sizeof(clientstr));
+	isc_netaddr_fromsockaddr(&netaddr, clientaddr);
+	result = isc_netaddr_totext(&netaddr, &b2);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_putuint8(&b2, 0);
+
+        /* make sure strings are always lowercase */
+	dns_sdlz_tolower(namestr);
+	dns_sdlz_tolower(clientstr);
+
+	/* Call SDLZ driver's find zone method */
+	if (imp->methods->allowzonexfr != NULL) {
+		MAYBE_LOCK(imp);
+		result = imp->methods->allowzonexfr(imp->driverarg, dbdata,
+						    namestr, clientstr);
+		MAYBE_UNLOCK(imp);
+		/*
+		 * if zone is supported and transfers allowed build a 'bind'
+		 * database driver
+		 */
+		if (result == ISC_R_SUCCESS)
+			result = dns_sdlzcreateDBP(mctx, driverarg, dbdata,
+						   name, rdclass, dbp);
+		return (result);
+	}
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+dns_sdlzcreate(isc_mem_t *mctx, const char *dlzname, unsigned int argc,
+	       char *argv[], void *driverarg, void **dbdata)
+{
+	dns_sdlzimplementation_t *imp;
+	isc_result_t result = ISC_R_NOTFOUND;
+
+	/* Write debugging message to log */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+		      "Loading SDLZ driver.");
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(driverarg != NULL);
+	REQUIRE(dlzname != NULL);
+	REQUIRE(dbdata != NULL);
+	UNUSED(mctx);
+
+	imp = driverarg;
+
+	/* If the create method exists, call it. */
+	if (imp->methods->create != NULL) {
+		MAYBE_LOCK(imp);
+		result = imp->methods->create(dlzname, argc, argv,
+					      imp->driverarg, dbdata);
+		MAYBE_UNLOCK(imp);
+	}
+
+	/* Write debugging message to log */
+	if (result == ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+			      "SDLZ driver loaded successfully.");
+	} else {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "SDLZ driver failed to load.");
+	}
+
+	return (result);
+}
+
+static void
+dns_sdlzdestroy(void *driverdata, void **dbdata)
+{
+
+	dns_sdlzimplementation_t *imp;
+
+	/* Write debugging message to log */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+		      "Unloading SDLZ driver.");
+
+	imp = driverdata;
+
+	/* If the destroy method exists, call it. */
+	if (imp->methods->destroy != NULL) {
+		MAYBE_LOCK(imp);
+		imp->methods->destroy(imp->driverarg, dbdata);
+		MAYBE_UNLOCK(imp);
+	}
+}
+
+static isc_result_t
+dns_sdlzfindzone(void *driverarg, void *dbdata, isc_mem_t *mctx,
+		 dns_rdataclass_t rdclass, dns_name_t *name, dns_db_t **dbp)
+{
+	isc_buffer_t b;
+	char namestr[DNS_NAME_MAXTEXT + 1];
+	isc_result_t result;
+	dns_sdlzimplementation_t *imp;
+
+	/*
+	 * Perform checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(driverarg != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	imp = (dns_sdlzimplementation_t *) driverarg;
+
+	/* Convert DNS name to ascii text */
+	isc_buffer_init(&b, namestr, sizeof(namestr));
+	result = dns_name_totext(name, ISC_TRUE, &b);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_putuint8(&b, 0);
+
+        /* make sure strings are always lowercase */
+	dns_sdlz_tolower(namestr);
+
+	/* Call SDLZ driver's find zone method */
+	MAYBE_LOCK(imp);
+	result = imp->methods->findzone(imp->driverarg, dbdata, namestr);
+	MAYBE_UNLOCK(imp);
+
+	/*
+	 * if zone is supported build a 'bind' database driver
+	 * structure to return
+	 */
+	if (result == ISC_R_SUCCESS)
+		result = dns_sdlzcreateDBP(mctx, driverarg, dbdata, name,
+					   rdclass, dbp);
+
+	return (result);
+}
+
+static dns_dlzmethods_t sdlzmethods = {
+	dns_sdlzcreate,
+	dns_sdlzdestroy,
+	dns_sdlzfindzone,
+	dns_sdlzallowzonexfr
+};
+
+/*
+ * Public functions.
+ */
+
+isc_result_t
+dns_sdlz_putrr(dns_sdlzlookup_t *lookup, const char *type, dns_ttl_t ttl,
+	       const char *data)
+{
+	dns_rdatalist_t *rdatalist;
+	dns_rdata_t *rdata;
+	dns_rdatatype_t typeval;
+	isc_consttextregion_t r;
+	isc_buffer_t b;
+	isc_buffer_t *rdatabuf = NULL;
+	isc_lex_t *lex;
+	isc_result_t result;
+	unsigned int size;
+	isc_mem_t *mctx;
+	dns_name_t *origin;
+
+	REQUIRE(VALID_SDLZLOOKUP(lookup));
+	REQUIRE(type != NULL);
+	REQUIRE(data != NULL);
+
+	mctx = lookup->sdlz->common.mctx;
+
+	r.base = type;
+	r.length = strlen(type);
+	result = dns_rdatatype_fromtext(&typeval, (void *) &r);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	rdatalist = ISC_LIST_HEAD(lookup->lists);
+	while (rdatalist != NULL) {
+		if (rdatalist->type == typeval)
+			break;
+		rdatalist = ISC_LIST_NEXT(rdatalist, link);
+	}
+
+	if (rdatalist == NULL) {
+		rdatalist = isc_mem_get(mctx, sizeof(dns_rdatalist_t));
+		if (rdatalist == NULL)
+			return (ISC_R_NOMEMORY);
+		rdatalist->rdclass = lookup->sdlz->common.rdclass;
+		rdatalist->type = typeval;
+		rdatalist->covers = 0;
+		rdatalist->ttl = ttl;
+		ISC_LIST_INIT(rdatalist->rdata);
+		ISC_LINK_INIT(rdatalist, link);
+		ISC_LIST_APPEND(lookup->lists, rdatalist, link);
+	} else
+		if (rdatalist->ttl != ttl)
+			return (DNS_R_BADTTL);
+
+	rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
+	if (rdata == NULL)
+		return (ISC_R_NOMEMORY);
+	dns_rdata_init(rdata);
+
+	if ((lookup->sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVERDATA) != 0)
+		origin = &lookup->sdlz->common.origin;
+	else
+		origin = dns_rootname;
+
+	lex = NULL;
+	result = isc_lex_create(mctx, 64, &lex);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	size = initial_size(data);
+	do {
+		isc_buffer_init(&b, data, strlen(data));
+		isc_buffer_add(&b, strlen(data));
+
+		result = isc_lex_openbuffer(lex, &b);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		rdatabuf = NULL;
+		result = isc_buffer_allocate(mctx, &rdatabuf, size);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		result = dns_rdata_fromtext(rdata, rdatalist->rdclass,
+					    rdatalist->type, lex,
+					    origin, ISC_FALSE,
+					    mctx, rdatabuf,
+					    &lookup->callbacks);
+		if (result != ISC_R_SUCCESS)
+			isc_buffer_free(&rdatabuf);
+		size *= 2;
+	} while (result == ISC_R_NOSPACE);
+
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	ISC_LIST_APPEND(lookup->buffers, rdatabuf, link);
+
+	if (lex != NULL)
+		isc_lex_destroy(&lex);
+
+	return (ISC_R_SUCCESS);
+
+ failure:
+ 	if (rdatabuf != NULL)
+		isc_buffer_free(&rdatabuf);
+	if (lex != NULL)
+		isc_lex_destroy(&lex);
+	isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
+
+	return (result);
+}
+
+isc_result_t
+dns_sdlz_putnamedrr(dns_sdlzallnodes_t *allnodes, const char *name,
+		    const char *type, dns_ttl_t ttl, const char *data)
+{
+	dns_name_t *newname, *origin;
+	dns_fixedname_t fnewname;
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)allnodes->common.db;
+	dns_sdlznode_t *sdlznode;
+	isc_mem_t *mctx = sdlz->common.mctx;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	dns_fixedname_init(&fnewname);
+	newname = dns_fixedname_name(&fnewname);
+
+	if ((sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVERDATA) != 0)
+		origin = &sdlz->common.origin;
+	else
+		origin = dns_rootname;
+	isc_buffer_init(&b, name, strlen(name));
+	isc_buffer_add(&b, strlen(name));
+
+	result = dns_name_fromtext(newname, &b, origin, ISC_FALSE, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (allnodes->common.relative_names) {
+		/* All names are relative to the root */
+		unsigned int nlabels = dns_name_countlabels(newname);
+		dns_name_getlabelsequence(newname, 0, nlabels - 1, newname);
+	}
+
+	sdlznode = ISC_LIST_HEAD(allnodes->nodelist);
+	if (sdlznode == NULL || !dns_name_equal(sdlznode->name, newname)) {
+		sdlznode = NULL;
+		result = createnode(sdlz, &sdlznode);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		sdlznode->name = isc_mem_get(mctx, sizeof(dns_name_t));
+		if (sdlznode->name == NULL) {
+			destroynode(sdlznode);
+			return (ISC_R_NOMEMORY);
+		}
+		dns_name_init(sdlznode->name, NULL);
+		result = dns_name_dup(newname, mctx, sdlznode->name);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(mctx, sdlznode->name, sizeof(dns_name_t));
+			destroynode(sdlznode);
+			return (result);
+		}
+		ISC_LIST_PREPEND(allnodes->nodelist, sdlznode, link);
+		if (allnodes->origin == NULL &&
+		    dns_name_equal(newname, &sdlz->common.origin))
+			allnodes->origin = sdlznode;
+	}
+	return (dns_sdlz_putrr(sdlznode, type, ttl, data));
+
+}
+
+isc_result_t
+dns_sdlz_putsoa(dns_sdlzlookup_t *lookup, const char *mname, const char *rname,
+		isc_uint32_t serial)
+{
+	char str[2 * DNS_NAME_MAXTEXT + 5 * (sizeof("2147483647")) + 7];
+	int n;
+
+	REQUIRE(mname != NULL);
+	REQUIRE(rname != NULL);
+
+	n = snprintf(str, sizeof str, "%s %s %u %u %u %u %u",
+		     mname, rname, serial,
+		     SDLZ_DEFAULT_REFRESH, SDLZ_DEFAULT_RETRY,
+		     SDLZ_DEFAULT_EXPIRE, SDLZ_DEFAULT_MINIMUM);
+	if (n >= (int)sizeof(str) || n < 0)
+		return (ISC_R_NOSPACE);
+	return (dns_sdlz_putrr(lookup, "SOA", SDLZ_DEFAULT_TTL, str));
+}
+
+isc_result_t
+dns_sdlzregister(const char *drivername, const dns_sdlzmethods_t *methods,
+		 void *driverarg, unsigned int flags, isc_mem_t *mctx,
+		 dns_sdlzimplementation_t **sdlzimp)
+{
+
+	dns_sdlzimplementation_t *imp;
+	isc_result_t result;
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(drivername != NULL);
+	REQUIRE(methods != NULL);
+	REQUIRE(methods->findzone != NULL);
+	REQUIRE(methods->lookup != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(sdlzimp != NULL && *sdlzimp == NULL);
+	REQUIRE((flags & ~(DNS_SDLZFLAG_RELATIVEOWNER |
+			   DNS_SDLZFLAG_RELATIVERDATA |
+			   DNS_SDLZFLAG_THREADSAFE)) == 0);
+
+	/* Write debugging message to log */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+		      "Registering SDLZ driver '%s'", drivername);
+
+	/*
+	 * Allocate memory for a sdlz_implementation object.  Error if
+	 * we cannot.
+	 */
+	imp = isc_mem_get(mctx, sizeof(dns_sdlzimplementation_t));
+	if (imp == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/* Make sure memory region is set to all 0's */
+	memset(imp, 0, sizeof(dns_sdlzimplementation_t));
+
+	/* Store the data passed into this method */
+	imp->methods = methods;
+	imp->driverarg = driverarg;
+	imp->flags = flags;
+	imp->mctx = NULL;
+
+	/* attach the new sdlz_implementation object to a memory context */
+	isc_mem_attach(mctx, &imp->mctx);
+
+	/*
+	 * initialize the driver lock, error if we cannot
+	 * (used if a driver does not support multiple threads)
+	 */
+	result = isc_mutex_init(&imp->driverlock);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_mutex_init() failed: %s",
+				 isc_result_totext(result));
+		goto cleanup_mctx;
+	}
+
+	imp->dlz_imp = NULL;
+
+	/*
+	 * register the DLZ driver.  Pass in our "extra" sdlz information as
+	 * a driverarg.  (that's why we stored the passed in driver arg in our
+	 * sdlz_implementation structure)  Also, store the dlz_implementation
+	 * structure in our sdlz_implementation.
+	 */
+	result = dns_dlzregister(drivername, &sdlzmethods, imp, mctx,
+				 &imp->dlz_imp);
+
+	/* if registration fails, cleanup and get outta here. */
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_mutex;
+
+	*sdlzimp = imp;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_mutex:
+	/* destroy the driver lock, we don't need it anymore */
+	DESTROYLOCK(&imp->driverlock);
+
+ cleanup_mctx:
+	/*
+	 * return the memory back to the available memory pool and
+	 * remove it from the memory context.
+	 */
+	isc_mem_put(mctx, imp, sizeof(dns_sdlzimplementation_t));
+	isc_mem_detach(&mctx);
+	return (result);
+}
+
+void
+dns_sdlzunregister(dns_sdlzimplementation_t **sdlzimp) {
+	dns_sdlzimplementation_t *imp;
+	isc_mem_t *mctx;
+
+	/* Write debugging message to log */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+		      "Unregistering SDLZ driver.");
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(sdlzimp != NULL && *sdlzimp != NULL);
+
+	imp = *sdlzimp;
+
+	/* Unregister the DLZ driver implementation */
+	dns_dlzunregister(&imp->dlz_imp);
+
+	/* destroy the driver lock, we don't need it anymore */
+	DESTROYLOCK(&imp->driverlock);
+
+	mctx = imp->mctx;
+
+	/*
+	 * return the memory back to the available memory pool and
+	 * remove it from the memory context.
+	 */
+	isc_mem_put(mctx, imp, sizeof(dns_sdlzimplementation_t));
+	isc_mem_detach(&mctx);
+
+	*sdlzimp = NULL;
+}
diff --git a/contrib/bind9/lib/dns/soa.c b/contrib/bind9/lib/dns/soa.c
index c0e0518..20198c0 100644
--- a/contrib/bind9/lib/dns/soa.c
+++ b/contrib/bind9/lib/dns/soa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa.c,v 1.3.206.1 2004/03/06 08:13:45 marka Exp $ */
+/* $Id: soa.c,v 1.4.18.2 2005/04/29 00:16:05 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/dns/ssu.c b/contrib/bind9/lib/dns/ssu.c
index a9ecdce..fa3011c 100644
--- a/contrib/bind9/lib/dns/ssu.c
+++ b/contrib/bind9/lib/dns/ssu.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,8 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/*! \file */
 /*
- * $Id: ssu.c,v 1.22.206.3 2004/03/08 09:04:32 marka Exp $
+ * $Id: ssu.c,v 1.24.18.4 2006/02/16 23:51:32 marka Exp $
  * Principal Author: Brian Wellington
  */
 
@@ -24,9 +25,11 @@
 
 #include <isc/magic.h>
 #include <isc/mem.h>
+#include <isc/result.h>
 #include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
 
+#include <dns/fixedname.h>
 #include <dns/name.h>
 #include <dns/ssu.h>
 
@@ -38,13 +41,13 @@
 
 struct dns_ssurule {
 	unsigned int magic;
-	isc_boolean_t grant;	/* is this a grant or a deny? */
-	unsigned int matchtype;	/* which type of pattern match? */
-	dns_name_t *identity;	/* the identity to match */
-	dns_name_t *name;	/* the name being updated */
-	unsigned int ntypes;	/* number of data types covered */
-	dns_rdatatype_t *types;	/* the data types.  Can include ANY, */
-				/* defaults to all but SIG,SOA,NS if NULL*/
+	isc_boolean_t grant;	/*%< is this a grant or a deny? */
+	unsigned int matchtype;	/*%< which type of pattern match? */
+	dns_name_t *identity;	/*%< the identity to match */
+	dns_name_t *name;	/*%< the name being updated */
+	unsigned int ntypes;	/*%< number of data types covered */
+	dns_rdatatype_t *types;	/*%< the data types.  Can include ANY, */
+				/*%< defaults to all but SIG,SOA,NS if NULL */
 	ISC_LINK(dns_ssurule_t) link;
 };
 
@@ -160,7 +163,7 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
 	REQUIRE(VALID_SSUTABLE(table));
 	REQUIRE(dns_name_isabsolute(identity));
 	REQUIRE(dns_name_isabsolute(name));
-	REQUIRE(matchtype <= DNS_SSUMATCHTYPE_SELF);
+	REQUIRE(matchtype <= DNS_SSUMATCHTYPE_MAX);
 	if (matchtype == DNS_SSUMATCHTYPE_WILDCARD)
 		REQUIRE(dns_name_iswildcard(name));
 	if (ntypes > 0)
@@ -208,8 +211,7 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
 			goto failure;
 		}
 		memcpy(rule->types, types, ntypes * sizeof(dns_rdatatype_t));
-	}
-	else
+	} else
 		rule->types = NULL;
 
 	rule->magic = SSURULEMAGIC;
@@ -249,6 +251,9 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
 {
 	dns_ssurule_t *rule;
 	unsigned int i;
+	dns_fixedname_t fixed;
+	dns_name_t *wildcard;
+	isc_result_t result;
 
 	REQUIRE(VALID_SSUTABLE(table));
 	REQUIRE(signer == NULL || dns_name_isabsolute(signer));
@@ -265,35 +270,39 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
 		if (dns_name_iswildcard(rule->identity)) {
 			if (!dns_name_matcheswildcard(signer, rule->identity))
 				continue;
-		}
-		else {
-			if (!dns_name_equal(signer, rule->identity))
+		} else if (!dns_name_equal(signer, rule->identity))
 				continue;
-		}
 
 		if (rule->matchtype == DNS_SSUMATCHTYPE_NAME) {
 			if (!dns_name_equal(name, rule->name))
 				continue;
-		}
-		else if (rule->matchtype == DNS_SSUMATCHTYPE_SUBDOMAIN) {
+		} else if (rule->matchtype == DNS_SSUMATCHTYPE_SUBDOMAIN) {
 			if (!dns_name_issubdomain(name, rule->name))
 				continue;
-		}
-		else if (rule->matchtype == DNS_SSUMATCHTYPE_WILDCARD) {
+		} else if (rule->matchtype == DNS_SSUMATCHTYPE_WILDCARD) {
 			if (!dns_name_matcheswildcard(name, rule->name))
 				continue;
-
-		}
-		else if (rule->matchtype == DNS_SSUMATCHTYPE_SELF) {
+		} else if (rule->matchtype == DNS_SSUMATCHTYPE_SELF) {
 			if (!dns_name_equal(signer, name))
 				continue;
+		} else if (rule->matchtype == DNS_SSUMATCHTYPE_SELFSUB) {
+			if (!dns_name_issubdomain(name, signer))
+				continue;
+		} else if (rule->matchtype == DNS_SSUMATCHTYPE_SELFWILD) {
+			dns_fixedname_init(&fixed);
+			wildcard = dns_fixedname_name(&fixed);
+			result = dns_name_concatenate(dns_wildcardname, signer,
+						      wildcard, NULL);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			if (!dns_name_matcheswildcard(name, wildcard))
+				continue;
 		}
 
 		if (rule->ntypes == 0) {
 			if (!isusertype(type))
 				continue;
-		}
-		else {
+		} else {
 			for (i = 0; i < rule->ntypes; i++) {
 				if (rule->types[i] == dns_rdatatype_any ||
 				    rule->types[i] == type)
diff --git a/contrib/bind9/lib/dns/stats.c b/contrib/bind9/lib/dns/stats.c
index aefcbe0..660046f 100644
--- a/contrib/bind9/lib/dns/stats.c
+++ b/contrib/bind9/lib/dns/stats.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stats.c,v 1.5.206.1 2004/03/06 08:13:46 marka Exp $ */
+/* $Id: stats.c,v 1.6.18.4 2005/06/27 00:20:02 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -30,7 +32,9 @@ LIBDNS_EXTERNAL_DATA const char *dns_statscounter_names[DNS_STATS_NCOUNTERS] =
 	"nxrrset",
 	"nxdomain",
 	"recursion",
-	"failure"
+	"failure",
+	"duplicate",
+	"dropped"
 	};
 
 isc_result_t
diff --git a/contrib/bind9/lib/dns/tcpmsg.c b/contrib/bind9/lib/dns/tcpmsg.c
index a0fddcd..018c4ce 100644
--- a/contrib/bind9/lib/dns/tcpmsg.c
+++ b/contrib/bind9/lib/dns/tcpmsg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tcpmsg.c,v 1.24.206.3 2006/08/10 23:59:28 marka Exp $ */
+/* $Id: tcpmsg.c,v 1.25.18.4 2006/08/10 23:59:29 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/dns/time.c b/contrib/bind9/lib/dns/time.c
index 770f021..b4e7bee 100644
--- a/contrib/bind9/lib/dns/time.c
+++ b/contrib/bind9/lib/dns/time.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.c,v 1.18.2.4.2.8 2004/08/28 06:25:20 marka Exp $ */
+/* $Id: time.c,v 1.26.18.3 2005/04/29 00:16:06 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/dns/timer.c b/contrib/bind9/lib/dns/timer.c
index b364f54..b225722 100644
--- a/contrib/bind9/lib/dns/timer.c
+++ b/contrib/bind9/lib/dns/timer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.2.206.1 2004/03/06 08:13:46 marka Exp $ */
+/* $Id: timer.c,v 1.3.18.2 2005/04/29 00:16:06 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/dns/tkey.c b/contrib/bind9/lib/dns/tkey.c
index ca793d2..e4dbdc7 100644
--- a/contrib/bind9/lib/dns/tkey.c
+++ b/contrib/bind9/lib/dns/tkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,9 +16,9 @@
  */
 
 /*
- * $Id: tkey.c,v 1.71.2.1.10.9 2006/01/04 23:50:20 marka Exp $
+ * $Id: tkey.c,v 1.76.18.5 2005/11/30 03:44:39 marka Exp $
  */
-
+/*! \file */
 #include <config.h>
 
 #include <isc/buffer.h>
diff --git a/contrib/bind9/lib/dns/tsig.c b/contrib/bind9/lib/dns/tsig.c
index 9bdde06..c5107b5 100644
--- a/contrib/bind9/lib/dns/tsig.c
+++ b/contrib/bind9/lib/dns/tsig.c
@@ -16,9 +16,9 @@
  */
 
 /*
- * $Id: tsig.c,v 1.112.2.3.8.10 2006/05/02 04:21:42 marka Exp $
+ * $Id: tsig.c,v 1.117.18.9 2006/05/02 04:23:12 marka Exp $
  */
-
+/*! \file */
 #include <config.h>
 #include <stdlib.h>
 
@@ -48,6 +48,11 @@
 #define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
 #define algname_is_allocated(algname) \
 	((algname) != dns_tsig_hmacmd5_name && \
+	 (algname) != dns_tsig_hmacsha1_name && \
+	 (algname) != dns_tsig_hmacsha224_name && \
+	 (algname) != dns_tsig_hmacsha256_name && \
+	 (algname) != dns_tsig_hmacsha384_name && \
+	 (algname) != dns_tsig_hmacsha512_name && \
 	 (algname) != dns_tsig_gssapi_name && \
 	 (algname) != dns_tsig_gssapims_name)
 
@@ -96,6 +101,76 @@ static dns_name_t gsstsigms = {
 
 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
 
+static unsigned char hmacsha1_ndata[] = "\011hmac-sha1";
+static unsigned char hmacsha1_offsets[] = { 0, 10 };
+
+static dns_name_t  hmacsha1 = {
+        DNS_NAME_MAGIC,
+        hmacsha1_ndata, 11, 2,
+        DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+        hmacsha1_offsets, NULL,
+        {(void *)-1, (void *)-1},
+        {NULL, NULL}
+};
+
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha1_name = &hmacsha1;
+
+static unsigned char hmacsha224_ndata[] = "\013hmac-sha224";
+static unsigned char hmacsha224_offsets[] = { 0, 12 };
+
+static dns_name_t hmacsha224 = {
+        DNS_NAME_MAGIC,
+        hmacsha224_ndata, 13, 2,
+        DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+        hmacsha224_offsets, NULL,
+        {(void *)-1, (void *)-1},
+        {NULL, NULL}
+};
+
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha224_name = &hmacsha224;
+
+static unsigned char hmacsha256_ndata[] = "\013hmac-sha256";
+static unsigned char hmacsha256_offsets[] = { 0, 12 };
+
+static dns_name_t hmacsha256 = {
+        DNS_NAME_MAGIC,
+        hmacsha256_ndata, 13, 2,
+        DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+        hmacsha256_offsets, NULL,
+        {(void *)-1, (void *)-1},
+        {NULL, NULL}
+};
+
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha256_name = &hmacsha256;
+
+static unsigned char hmacsha384_ndata[] = "\013hmac-sha384";
+static unsigned char hmacsha384_offsets[] = { 0, 12 };
+
+static dns_name_t hmacsha384 = {
+        DNS_NAME_MAGIC,
+        hmacsha384_ndata, 13, 2,
+        DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+        hmacsha384_offsets, NULL,
+        {(void *)-1, (void *)-1},
+        {NULL, NULL}
+};
+
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha384_name = &hmacsha384;
+
+static unsigned char hmacsha512_ndata[] = "\013hmac-sha512";
+static unsigned char hmacsha512_offsets[] = { 0, 12 };
+
+static dns_name_t hmacsha512 = {
+        DNS_NAME_MAGIC,
+        hmacsha512_ndata, 13, 2,
+        DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+        hmacsha512_offsets, NULL,
+        {(void *)-1, (void *)-1},
+        {NULL, NULL}
+};
+
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha512_name = &hmacsha512;
+
 static isc_result_t
 tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg);
 
@@ -137,6 +212,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 	REQUIRE(name != NULL);
 	REQUIRE(algorithm != NULL);
 	REQUIRE(mctx != NULL);
+	REQUIRE(key != NULL || ring != NULL);
 
 	tkey = (dns_tsigkey_t *) isc_mem_get(mctx, sizeof(dns_tsigkey_t));
 	if (tkey == NULL)
@@ -154,6 +230,40 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 			ret = DNS_R_BADALG;
 			goto cleanup_name;
 		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
+		tkey->algorithm = DNS_TSIG_HMACSHA1_NAME;
+		if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACSHA1) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
+		tkey->algorithm = DNS_TSIG_HMACSHA224_NAME;
+		if (dstkey != NULL &&
+		    dst_key_alg(dstkey) != DST_ALG_HMACSHA224) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA256_NAME)) {
+		tkey->algorithm = DNS_TSIG_HMACSHA256_NAME;
+		if (dstkey != NULL &&
+		    dst_key_alg(dstkey) != DST_ALG_HMACSHA256) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA384_NAME)) {
+		tkey->algorithm = DNS_TSIG_HMACSHA384_NAME;
+		if (dstkey != NULL &&
+		    dst_key_alg(dstkey) != DST_ALG_HMACSHA384) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA512_NAME)) {
+		tkey->algorithm = DNS_TSIG_HMACSHA512_NAME;
+		if (dstkey != NULL &&
+		    dst_key_alg(dstkey) != DST_ALG_HMACSHA512) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
 	} else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME)) {
 		tkey->algorithm = DNS_TSIG_GSSAPI_NAME;
 		if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_GSSAPI) {
@@ -202,20 +312,14 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 	tkey->key = dstkey;
 	tkey->ring = ring;
 
-	if (ring != NULL) {
-		RWLOCK(&ring->lock, isc_rwlocktype_write);
-		ret = dns_rbt_addname(ring->keys, name, tkey);
-		if (ret != ISC_R_SUCCESS) {
-			RWUNLOCK(&ring->lock, isc_rwlocktype_write);
-			goto cleanup_algorithm;
-		}
-		refs++;
-		RWUNLOCK(&ring->lock, isc_rwlocktype_write);
-	}
-
 	if (key != NULL)
 		refs++;
-	isc_refcount_init(&tkey->refs, refs);
+	if (ring != NULL)
+		refs++;
+	ret = isc_refcount_init(&tkey->refs, refs);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_creator;
+
 	tkey->generated = generated;
 	tkey->inception = inception;
 	tkey->expire = expire;
@@ -223,6 +327,16 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 
 	tkey->magic = TSIG_MAGIC;
 
+	if (ring != NULL) {
+		RWLOCK(&ring->lock, isc_rwlocktype_write);
+		ret = dns_rbt_addname(ring->keys, name, tkey);
+		if (ret != ISC_R_SUCCESS) {
+			RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+			goto cleanup_refs;
+		}
+		RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+	}
+
 	if (dstkey != NULL && dst_key_size(dstkey) < 64) {
 		char namestr[DNS_NAME_FORMATSIZE];
 		dns_name_format(name, namestr, sizeof(namestr));
@@ -236,6 +350,16 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 
 	return (ISC_R_SUCCESS);
 
+ cleanup_refs:
+	tkey->magic = 0;
+	while (refs-- > 0)
+		isc_refcount_decrement(&tkey->refs, NULL);
+	isc_refcount_destroy(&tkey->refs);
+ cleanup_creator:
+	if (tkey->creator != NULL) {
+		dns_name_free(tkey->creator, mctx);
+		isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
+	}
  cleanup_algorithm:
 	if (algname_is_allocated(tkey->algorithm)) {
 		if (dns_name_dynamic(tkey->algorithm))
@@ -264,22 +388,93 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
 	if (length > 0)
 		REQUIRE(secret != NULL);
 
-	if (!dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && length > 0)
+	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
+		if (secret != NULL) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, secret, length);
+			isc_buffer_add(&b, length);
+			result = dst_key_frombuffer(name, DST_ALG_HMACMD5,
+						    DNS_KEYOWNER_ENTITY,
+						    DNS_KEYPROTO_DNSSEC,
+						    dns_rdataclass_in,
+						    &b, mctx, &dstkey);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
+		if (secret != NULL) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, secret, length);
+			isc_buffer_add(&b, length);
+			result = dst_key_frombuffer(name, DST_ALG_HMACSHA1,
+						    DNS_KEYOWNER_ENTITY,
+						    DNS_KEYPROTO_DNSSEC,
+						    dns_rdataclass_in,
+						    &b, mctx, &dstkey);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
+		if (secret != NULL) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, secret, length);
+			isc_buffer_add(&b, length);
+			result = dst_key_frombuffer(name, DST_ALG_HMACSHA224,
+						    DNS_KEYOWNER_ENTITY,
+						    DNS_KEYPROTO_DNSSEC,
+						    dns_rdataclass_in,
+						    &b, mctx, &dstkey);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA256_NAME)) {
+		if (secret != NULL) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, secret, length);
+			isc_buffer_add(&b, length);
+			result = dst_key_frombuffer(name, DST_ALG_HMACSHA256,
+						    DNS_KEYOWNER_ENTITY,
+						    DNS_KEYPROTO_DNSSEC,
+						    dns_rdataclass_in,
+						    &b, mctx, &dstkey);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA384_NAME)) {
+		if (secret != NULL) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, secret, length);
+			isc_buffer_add(&b, length);
+			result = dst_key_frombuffer(name, DST_ALG_HMACSHA384,
+						    DNS_KEYOWNER_ENTITY,
+						    DNS_KEYPROTO_DNSSEC,
+						    dns_rdataclass_in,
+						    &b, mctx, &dstkey);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA512_NAME)) {
+		if (secret != NULL) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, secret, length);
+			isc_buffer_add(&b, length);
+			result = dst_key_frombuffer(name, DST_ALG_HMACSHA512,
+						    DNS_KEYOWNER_ENTITY,
+						    DNS_KEYPROTO_DNSSEC,
+						    dns_rdataclass_in,
+						    &b, mctx, &dstkey);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+		}
+	} else if (length > 0)
 		return (DNS_R_BADALG);
 
-	if (secret != NULL) {
-		isc_buffer_t b;
-
-		isc_buffer_init(&b, secret, length);
-		isc_buffer_add(&b, length);
-		result = dst_key_frombuffer(name, DST_ALG_HMACMD5,
-					    DNS_KEYOWNER_ENTITY,
-					    DNS_KEYPROTO_DNSSEC,
-					    dns_rdataclass_in,
-					    &b, mctx, &dstkey);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
 	result = dns_tsigkey_createfromkey(name, algorithm, dstkey,
 					   generated, creator,
 					   inception, expire, mctx, ring, key);
@@ -423,6 +618,7 @@ dns_tsig_sign(dns_message_t *msg) {
 	if (key->key != NULL && tsig.error != dns_tsigerror_badsig) {
 		unsigned char header[DNS_MESSAGE_HEADERLEN];
 		isc_buffer_t headerbuf;
+		isc_uint16_t digestbits;
 
 		ret = dst_context_create(key->key, mctx, &ctx);
 		if (ret != ISC_R_SUCCESS)
@@ -549,7 +745,16 @@ dns_tsig_sign(dns_message_t *msg) {
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_signature;
 		dst_context_destroy(&ctx);
-		tsig.siglen = isc_buffer_usedlength(&sigbuf);
+		digestbits = dst_key_getbits(key->key);
+		if (digestbits != 0) {
+			unsigned int bytes = (digestbits + 1) / 8;
+			if (is_response(msg) && bytes < querytsig.siglen)
+				bytes = querytsig.siglen;
+			if (bytes > isc_buffer_usedlength(&sigbuf))
+				bytes = isc_buffer_usedlength(&sigbuf);
+			tsig.siglen = bytes;
+		} else
+			tsig.siglen = isc_buffer_usedlength(&sigbuf);
 	} else {
 		tsig.siglen = 0;
 		tsig.signature = NULL;
@@ -640,6 +845,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 	dst_context_t *ctx = NULL;
 	isc_mem_t *mctx;
 	isc_uint16_t addcount, id;
+	unsigned int siglen;
+	unsigned int alg;
 
 	REQUIRE(source != NULL);
 	REQUIRE(DNS_MESSAGE_VALID(msg));
@@ -752,6 +959,42 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 		return (DNS_R_CLOCKSKEW);
 	}
 
+	/*
+	 * Check digest length.
+	 */
+	alg = dst_key_alg(key);
+	ret = dst_key_sigsize(key, &siglen);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+	if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
+	    alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
+	    alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) {
+		isc_uint16_t digestbits = dst_key_getbits(key);
+		if (tsig.siglen > siglen) {
+			tsig_log(msg->tsigkey, 2, "signature length to big");
+			return (DNS_R_FORMERR);
+		}
+		if (tsig.siglen > 0 &&
+		    (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) {
+			tsig_log(msg->tsigkey, 2,
+				 "signature length below minimum");
+			return (DNS_R_FORMERR);
+		}
+		if (tsig.siglen > 0 && digestbits != 0 &&
+		    tsig.siglen < ((digestbits + 1) / 8)) { 
+			msg->tsigstatus = dns_tsigerror_badtrunc;
+			tsig_log(msg->tsigkey, 2,
+				 "truncated signature length too small");
+			return (DNS_R_TSIGVERIFYFAILURE);
+		}
+		if (tsig.siglen > 0 && digestbits == 0 &&
+		    tsig.siglen < siglen) {
+			msg->tsigstatus = dns_tsigerror_badtrunc;
+			tsig_log(msg->tsigkey, 2, "signature length too small");
+			return (DNS_R_TSIGVERIFYFAILURE);
+		}
+	}
+
 	if (tsig.siglen > 0) {
 		sig_r.base = tsig.signature;
 		sig_r.length = tsig.siglen;
@@ -1186,12 +1429,8 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
 		return (ISC_R_NOMEMORY);
 
 	result = isc_rwlock_init(&ring->lock, 0, 0);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_rwlock_init() failed: %s",
-				 isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
+	if (result != ISC_R_SUCCESS)
+		return (result);
 
 	ring->keys = NULL;
 	result = dns_rbt_create(mctx, free_tsignode, NULL, &ring->keys);
diff --git a/contrib/bind9/lib/dns/ttl.c b/contrib/bind9/lib/dns/ttl.c
index 1dad0fb..39d2ac3 100644
--- a/contrib/bind9/lib/dns/ttl.c
+++ b/contrib/bind9/lib/dns/ttl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ttl.c,v 1.21.12.5 2004/03/08 09:04:32 marka Exp $ */
+/* $Id: ttl.c,v 1.25.18.2 2005/04/29 00:16:07 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/dns/validator.c b/contrib/bind9/lib/dns/validator.c
index 571ad79..a92d647 100644
--- a/contrib/bind9/lib/dns/validator.c
+++ b/contrib/bind9/lib/dns/validator.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.91.2.5.8.27.6.1 2007/01/11 04:51:39 marka Exp $ */
+/* $Id: validator.c,v 1.119.18.29 2007/01/08 02:41:59 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -69,9 +71,9 @@
  * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
  *	dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
  *
- * \li When called without a rdataset and with DNS_VALIDATOR_DLV:
- * validator_start -> startfinddlvsep -> dlv_validator_start ->
- *	validator_start -> nsecvalidate -> proveunsecure
+ * Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate()
+ * to always validate the authority section even when it does not contain
+ * signatures.
  *
  * validator_start: determines what type of validation to do.
  * validate: attempts to perform a positive validation.
@@ -90,7 +92,6 @@
 						 * have attempted a verify. */
 #define VALATTR_INSECURITY		0x0010	/*%< Attempting proveunsecure. */
 #define VALATTR_DLVTRIED		0x0020	/*%< Looked for a DLV record. */
-#define VALATTR_AUTHNONPENDING		0x0040	/*%< Tidy up pending auth. */
 
 /*!
  * NSEC proofs to be looked for.
@@ -155,18 +156,11 @@ dlv_validator_start(dns_validator_t *val);
 static isc_result_t
 finddlvsep(dns_validator_t *val, isc_boolean_t resume);
 
-static void
-auth_nonpending(dns_message_t *message);
-
 static isc_result_t
 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
 
 /*%
  * Mark the RRsets as a answer.
- *
- * If VALATTR_AUTHNONPENDING is set then this is a negative answer
- * in a insecure zone.  We need to mark any pending RRsets as
- * dns_trust_authauthority answers (this is deferred from resolver.c).
  */
 static inline void
 markanswer(dns_validator_t *val) {
@@ -175,9 +169,6 @@ markanswer(dns_validator_t *val) {
 		val->event->rdataset->trust = dns_trust_answer;
 	if (val->event->sigrdataset != NULL)
 		val->event->sigrdataset->trust = dns_trust_answer;
-	if (val->event->message != NULL &&
-	    (val->attributes & VALATTR_AUTHNONPENDING) != 0)
-		auth_nonpending(val->event->message);
 }
 
 static void
@@ -217,31 +208,6 @@ exit_check(dns_validator_t *val) {
 }
 
 /*%
- * Mark pending answers in the authority section as dns_trust_authauthority.
- */
-static void
-auth_nonpending(dns_message_t *message) {
-	isc_result_t result;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-
-	for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
-	{
-		name = NULL;
-		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link))
-		{
-			if (rdataset->trust == dns_trust_pending)
-				rdataset->trust = dns_trust_authauthority;
-		}
-	}
-}
-
-/*%
  * Look in the NSEC record returned from a DS query to see if there is
  * a NS RRset at this name.  If it is found we are at a delegation point.
  */
@@ -613,6 +579,8 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
 	unsigned int olabels, nlabels, labels;
 	dns_rdata_nsec_t nsec;
 	isc_boolean_t atparent;
+	isc_boolean_t ns;
+	isc_boolean_t soa;
 
 	REQUIRE(exists != NULL);
 	REQUIRE(data != NULL);
@@ -644,9 +612,9 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
 		 * The names are the same.
 		 */
 		atparent = dns_rdatatype_atparent(val->event->type);
-		if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
-		    !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
-		{
+		ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
+		soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
+		if (ns && !soa) {
 			if (!atparent) {
 				/*
 				 * This NSEC record is from somewhere higher in
@@ -657,7 +625,7 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
 					      "ignoring parent nsec");
 				return (ISC_R_IGNORE);
 			}
-		} else if (atparent) {
+		} else if (atparent && ns && soa) {
 			/*
 			 * This NSEC record is from the child.
 			 * It can not be legitimately used here.
@@ -666,12 +634,20 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
 				      "ignoring child nsec");
 			return (ISC_R_IGNORE);
 		}
-		*exists = ISC_TRUE;
-		*data = dns_nsec_typepresent(&rdata, val->event->type);
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "nsec proves name exists (owner) data=%d",
-			      *data);
-		return (ISC_R_SUCCESS);
+		if (val->event->type == dns_rdatatype_cname ||
+		    val->event->type == dns_rdatatype_nxt ||
+		    val->event->type == dns_rdatatype_nsec ||
+		    val->event->type == dns_rdatatype_key ||
+		    !dns_nsec_typepresent(&rdata, dns_rdatatype_cname)) {
+			*exists = ISC_TRUE;
+			*data = dns_nsec_typepresent(&rdata, val->event->type);
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "nsec proves name exists (owner) data=%d",
+				      *data);
+			return (ISC_R_SUCCESS);
+		}
+		validator_log(val, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
+		return (ISC_R_IGNORE);
 	}
 
 	if (relation == dns_namereln_subdomain &&
@@ -731,6 +707,7 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
 		result = dns_name_concatenate(dns_wildcardname, &common,
 					       wild, NULL);
 		if (result != ISC_R_SUCCESS) {
+			dns_rdata_freestruct(&nsec);
 			validator_log(val, ISC_LOG_DEBUG(3),
 				    "failure generating wildcard name");
 			return (result);
@@ -784,6 +761,7 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
 		}
 	} else {
 		dns_name_t **proofs = val->event->proofs;
+		dns_name_t *wild = dns_fixedname_name(&val->wild);
 		
 		if (rdataset->trust == dns_trust_secure)
 			val->seensig = ISC_TRUE;
@@ -795,10 +773,9 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
 	            (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
 		    (val->attributes & VALATTR_FOUNDNOQNAME) == 0 &&
 		    nsecnoexistnodata(val, val->event->name, devent->name,
-				      rdataset, &exists, &data,
-				      dns_fixedname_name(&val->wild))
+				      rdataset, &exists, &data, wild)
 				      == ISC_R_SUCCESS)
-		 {
+		{
 			if (exists && !data) {
 				val->attributes |= VALATTR_FOUNDNODATA;
 				if (NEEDNODATA(val))
@@ -1285,15 +1262,27 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
 {
 	isc_result_t result;
 	dns_fixedname_t fixed;
+	isc_boolean_t ignore = ISC_FALSE;
 
 	val->attributes |= VALATTR_TRIEDVERIFY;
 	dns_fixedname_init(&fixed);
+ again:
 	result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
-				    key, ISC_FALSE, val->view->mctx, rdata,
+				    key, ignore, val->view->mctx, rdata,
 				    dns_fixedname_name(&fixed));
-	validator_log(val, ISC_LOG_DEBUG(3),
-		      "verify rdataset (keyid=%u): %s",
-		      keyid, isc_result_totext(result));
+	if (result == DNS_R_SIGEXPIRED && val->view->acceptexpired) {
+		ignore = ISC_TRUE;
+		goto again;
+	}
+	if (ignore && (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD))
+		validator_log(val, ISC_LOG_INFO,
+			      "accepted expired %sRRSIG (keyid=%u)",
+			      (result == DNS_R_FROMWILDCARD) ?
+			      "wildcard " : "", keyid);
+	else
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "verify rdataset (keyid=%u): %s",
+			      keyid, isc_result_totext(result));
 	if (result == DNS_R_FROMWILDCARD) {
 		if (!dns_name_equal(val->event->name,
 				    dns_fixedname_name(&fixed)))
@@ -1485,6 +1474,7 @@ dlv_validatezonekey(dns_validator_t *val) {
 	isc_boolean_t supported_algorithm;
 	isc_result_t result;
 	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+	isc_uint8_t digest_type;
 
 	validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
 
@@ -1495,6 +1485,31 @@ dlv_validatezonekey(dns_validator_t *val) {
 	 */
 	supported_algorithm = ISC_FALSE;
 
+	/*
+	 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
+	 * it over DNS_DSDIGEST_SHA1.  This in practice means that we
+	 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
+	 * is present.
+	 */
+	digest_type = DNS_DSDIGEST_SHA1;
+	for (result = dns_rdataset_first(&val->dlv);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&val->dlv)) {
+		dns_rdata_reset(&dlvrdata);
+		dns_rdataset_current(&val->dlv, &dlvrdata);
+		dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      dlv.algorithm))
+			continue;
+
+		if (dlv.digest_type == DNS_DSDIGEST_SHA256) {
+			digest_type = DNS_DSDIGEST_SHA256;
+			break;
+		}
+	}
+
 	for (result = dns_rdataset_first(&val->dlv);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&val->dlv))
@@ -1503,8 +1518,14 @@ dlv_validatezonekey(dns_validator_t *val) {
 		dns_rdataset_current(&val->dlv, &dlvrdata);
 		(void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
 
-		if (dlv.digest_type != DNS_DSDIGEST_SHA1 ||
-		    !dns_resolver_algorithm_supported(val->view->resolver,
+		if (!dns_resolver_digest_supported(val->view->resolver,
+						   dlv.digest_type))
+			continue;
+		
+		if (dlv.digest_type != digest_type)
+			continue;
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
 						      val->event->name,
 						      dlv.algorithm))
 			continue;
@@ -1627,6 +1648,7 @@ validatezonekey(dns_validator_t *val) {
 	dst_key_t *dstkey;
 	isc_boolean_t supported_algorithm;
 	isc_boolean_t atsep = ISC_FALSE;
+	isc_uint8_t digest_type;
 
 	/*
 	 * Caller must be holding the validator lock.
@@ -1796,6 +1818,31 @@ validatezonekey(dns_validator_t *val) {
 
 	supported_algorithm = ISC_FALSE;
 
+	/*
+	 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
+	 * it over DNS_DSDIGEST_SHA1.  This in practice means that we
+	 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
+	 * is present.
+	 */
+	digest_type = DNS_DSDIGEST_SHA1;
+	for (result = dns_rdataset_first(val->dsset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(val->dsset)) {
+		dns_rdata_reset(&dsrdata);
+		dns_rdataset_current(val->dsset, &dsrdata);
+		dns_rdata_tostruct(&dsrdata, &ds, NULL);
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      ds.algorithm))
+			continue;
+
+		if (ds.digest_type == DNS_DSDIGEST_SHA256) {
+			digest_type = DNS_DSDIGEST_SHA256;
+			break;
+		}
+	}
+
 	for (result = dns_rdataset_first(val->dsset);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(val->dsset))
@@ -1804,8 +1851,13 @@ validatezonekey(dns_validator_t *val) {
 		dns_rdataset_current(val->dsset, &dsrdata);
 		(void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
 
-		if (ds.digest_type != DNS_DSDIGEST_SHA1)
+		if (!dns_resolver_digest_supported(val->view->resolver,
+						   ds.digest_type))
 			continue;
+
+		if (ds.digest_type != digest_type)
+			continue;
+
 		if (!dns_resolver_algorithm_supported(val->view->resolver,
 						      val->event->name,
 						      ds.algorithm))
@@ -2044,12 +2096,6 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 			if (rdataset->type == dns_rdatatype_rrsig)
 				continue;
 
-			if (rdataset->type == dns_rdatatype_soa) {
-				val->soaset = rdataset;
-				val->soaname = name;
-			} else if (rdataset->type == dns_rdatatype_nsec)
-				val->nsecset = rdataset;
-
 			for (sigrdataset = ISC_LIST_HEAD(name->list);
 			     sigrdataset != NULL;
 			     sigrdataset = ISC_LIST_NEXT(sigrdataset,
@@ -2059,8 +2105,6 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 				    sigrdataset->covers == rdataset->type)
 					break;
 			}
-			if (sigrdataset == NULL)
-				continue;
 			/*
 			 * If a signed zone is missing the zone key, bad
 			 * things could happen.  A query for data in the zone
@@ -2149,7 +2193,6 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 
 	validator_log(val, ISC_LOG_DEBUG(3),
 		      "nonexistence proof(s) not found");
-	val->attributes |= VALATTR_AUTHNONPENDING;
 	val->attributes |= VALATTR_INSECURITY;
 	return (proveunsecure(val, ISC_FALSE));
 }
@@ -2166,7 +2209,8 @@ check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) {
 		dns_rdataset_current(rdataset, &dsrdata);
 		(void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
 
-		if (ds.digest_type == DNS_DSDIGEST_SHA1 &&
+		if (dns_resolver_digest_supported(val->view->resolver,
+						  ds.digest_type) &&
 		    dns_resolver_algorithm_supported(val->view->resolver,
 						     name, ds.algorithm)) {
 			dns_rdata_reset(&dsrdata);
@@ -2506,11 +2550,21 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 			      namebuf);
 
 		result = view_find(val, tname, dns_rdatatype_ds);
+
 		if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
 			/*
 			 * There is no DS.  If this is a delegation,
 			 * we maybe done.
 			 */
+			if (val->frdataset.trust == dns_trust_pending) {
+				result = create_fetch(val, tname,
+						      dns_rdatatype_ds,
+						      dsfetched2,
+						      "proveunsecure");
+				if (result != ISC_R_SUCCESS)
+					goto out;
+				return (DNS_R_WAIT);
+			}
 			if (val->frdataset.trust < dns_trust_secure) {
 				/*
 				 * This shouldn't happen, since the negative
@@ -2675,7 +2729,8 @@ validator_start(isc_task_t *task, isc_event_t *event) {
 
 	LOCK(&val->lock);
 
-	if ((val->options & DNS_VALIDATOR_DLV) != 0) {
+	if ((val->options & DNS_VALIDATOR_DLV) != 0 &&
+	     val->event->rdataset != NULL) {
 		validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
 		result = startfinddlvsep(val, dns_rootname);
 	} else if (val->event->rdataset != NULL &&
@@ -2812,9 +2867,6 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	val->keyset = NULL;
 	val->dsset = NULL;
 	dns_rdataset_init(&val->dlv);
-	val->soaset = NULL;
-	val->nsecset = NULL;
-	val->soaname = NULL;
 	val->seensig = ISC_FALSE;
 	val->havedlvsep = ISC_FALSE;
 	val->depth = 0;
diff --git a/contrib/bind9/lib/dns/version.c b/contrib/bind9/lib/dns/version.c
index 6b043ab..1c03774 100644
--- a/contrib/bind9/lib/dns/version.c
+++ b/contrib/bind9/lib/dns/version.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.9.12.3 2004/03/08 09:04:33 marka Exp $ */
+/* $Id: version.c,v 1.11.18.2 2005/04/29 00:16:07 marka Exp $ */
+
+/*! \file */
 
 #include <dns/version.h>
 
diff --git a/contrib/bind9/lib/dns/view.c b/contrib/bind9/lib/dns/view.c
index ac7af61..4938597 100644
--- a/contrib/bind9/lib/dns/view.c
+++ b/contrib/bind9/lib/dns/view.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.103.2.5.2.14 2004/03/10 02:55:58 marka Exp $ */
+/* $Id: view.c,v 1.126.18.11 2006/03/09 23:38:21 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -24,10 +26,12 @@
 #include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
 
+#include <dns/acache.h>
 #include <dns/acl.h>
 #include <dns/adb.h>
 #include <dns/cache.h>
 #include <dns/db.h>
+#include <dns/dlz.h>
 #include <dns/events.h>
 #include <dns/forward.h>
 #include <dns/keytable.h>
@@ -76,13 +80,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 		goto cleanup_view;
 	}
 	result = isc_mutex_init(&view->lock);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_name;
-	}
+
 	view->zonetable = NULL;
 	result = dns_zt_create(mctx, rdclass, &view->zonetable);
 	if (result != ISC_R_SUCCESS) {
@@ -120,8 +120,10 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 		goto cleanup_trustedkeys;
 	}
 
+	view->acache = NULL;
 	view->cache = NULL;
 	view->cachedb = NULL;
+	view->dlzdatabase = NULL;
 	view->hints = NULL;
 	view->resolver = NULL;
 	view->adb = NULL;
@@ -130,7 +132,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->rdclass = rdclass;
 	view->frozen = ISC_FALSE;
 	view->task = NULL;
-	isc_refcount_init(&view->references, 1);
+	result = isc_refcount_init(&view->references, 1);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_fwdtable;
 	view->weakrefs = 0;
 	view->attributes = (DNS_VIEWATTR_RESSHUTDOWN|DNS_VIEWATTR_ADBSHUTDOWN|
 			    DNS_VIEWATTR_REQSHUTDOWN);
@@ -141,7 +145,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->matchrecursiveonly = ISC_FALSE;
 	result = dns_tsigkeyring_create(view->mctx, &view->dynamickeys);
 	if (result != ISC_R_SUCCESS)
-		goto cleanup_fwdtable;
+		goto cleanup_references;
 	view->peers = NULL;
 	view->order = NULL;
 	view->delonly = NULL;
@@ -156,6 +160,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->additionalfromcache = ISC_TRUE;
 	view->additionalfromauth = ISC_TRUE;
 	view->enablednssec = ISC_TRUE;
+	view->enablevalidation = ISC_TRUE;
+	view->acceptexpired = ISC_FALSE;
 	view->minimalresponses = ISC_FALSE;
 	view->transfer_format = dns_one_answer;
 	view->queryacl = NULL;
@@ -169,6 +175,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->preferred_glue = 0;
 	view->flush = ISC_FALSE;
 	view->dlv = NULL;
+	view->maxudp = 0;
 	dns_fixedname_init(&view->dlv_fixed);
 
 	result = dns_order_create(view->mctx, &view->order);
@@ -208,6 +215,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
  cleanup_dynkeys:
 	dns_tsigkeyring_destroy(&view->dynamickeys);
 
+ cleanup_references:
+	isc_refcount_destroy(&view->references);
+
  cleanup_fwdtable:
 	dns_fwdtable_destroy(&view->fwdtable);
 
@@ -253,12 +263,19 @@ destroy(dns_view_t *view) {
 		dns_adb_detach(&view->adb);
 	if (view->resolver != NULL)
 		dns_resolver_detach(&view->resolver);
+	if (view->acache != NULL) {
+		if (view->cachedb != NULL)
+			dns_acache_putdb(view->acache, view->cachedb);
+		dns_acache_detach(&view->acache);
+	}
 	if (view->requestmgr != NULL)
 		dns_requestmgr_detach(&view->requestmgr);
 	if (view->task != NULL)
 		isc_task_detach(&view->task);
 	if (view->hints != NULL)
 		dns_db_detach(&view->hints);
+	if (view->dlzdatabase != NULL)
+		dns_dlzdestroy(&view->dlzdatabase);
 	if (view->cachedb != NULL)
 		dns_db_detach(&view->cachedb);
 	if (view->cache != NULL)
@@ -365,6 +382,8 @@ view_flushanddetach(dns_view_t **viewp, isc_boolean_t flush) {
 			dns_adb_shutdown(view->adb);
 		if (!REQSHUTDOWN(view))
 			dns_requestmgr_shutdown(view->requestmgr);
+		if (view->acache != NULL)
+			dns_acache_shutdown(view->acache);
 		if (view->flush)
 			dns_zt_flushanddetach(&view->zonetable);
 		else
@@ -585,12 +604,17 @@ dns_view_setcache(dns_view_t *view, dns_cache_t *cache) {
 	REQUIRE(!view->frozen);
 
 	if (view->cache != NULL) {
+		if (view->acache != NULL)
+			dns_acache_putdb(view->acache, view->cachedb);
 		dns_db_detach(&view->cachedb);
 		dns_cache_detach(&view->cache);
 	}
 	dns_cache_attach(cache, &view->cache);
 	dns_cache_attachdb(cache, &view->cachedb);
 	INSIST(DNS_DB_VALID(view->cachedb));
+
+	if (view->acache != NULL)
+		dns_acache_setdb(view->acache, view->cachedb);
 }
 
 void
@@ -1198,8 +1222,12 @@ dns_view_flushcache(dns_view_t *view) {
 	result = dns_cache_flush(view->cache);
 	if (result != ISC_R_SUCCESS)
 		return (result);
+	if (view->acache != NULL)
+		dns_acache_putdb(view->acache, view->cachedb);
 	dns_db_detach(&view->cachedb);
 	dns_cache_attachdb(view->cache, &view->cachedb);
+	if (view->acache != NULL)
+		dns_acache_setdb(view->acache, view->cachedb);
 
 	dns_adb_flush(view->adb);
 	return (ISC_R_SUCCESS);
@@ -1330,3 +1358,9 @@ dns_view_getrootdelonly(dns_view_t *view) {
 	REQUIRE(DNS_VIEW_VALID(view));
 	return (view->rootdelonly);
 }
+
+isc_result_t
+dns_view_freezezones(dns_view_t *view, isc_boolean_t value) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	return (dns_zt_freezezones(view->zonetable, value));
+}
diff --git a/contrib/bind9/lib/dns/xfrin.c b/contrib/bind9/lib/dns/xfrin.c
index fdeed14..bec8501 100644
--- a/contrib/bind9/lib/dns/xfrin.c
+++ b/contrib/bind9/lib/dns/xfrin.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.c,v 1.124.2.4.2.16 2006/07/19 01:04:24 marka Exp $ */
+/* $Id: xfrin.c,v 1.135.18.11 2006/07/19 00:58:01 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -51,7 +53,7 @@
  * Incoming AXFR and IXFR.
  */
 
-/*
+/*%
  * It would be non-sensical (or at least obtuse) to use FAIL() with an
  * ISC_R_SUCCESS code, but the test is there to keep the Solaris compiler
  * from complaining about "end-of-loop code not reached".
@@ -66,7 +68,7 @@
 		if (result != ISC_R_SUCCESS) goto failure;	\
 	} while (0)
 
-/*
+/*%
  * The states of the *XFR state machine.  We handle both IXFR and AXFR
  * with a single integrated state machine because they cannot be distinguished
  * immediately - an AXFR response to an IXFR request can only be detected
@@ -85,7 +87,7 @@ typedef enum {
 	XFRST_END
 } xfrin_state_t;
 
-/*
+/*%
  * Incoming zone transfer context.
  */
 
@@ -100,18 +102,18 @@ struct dns_xfrin_ctx {
 	isc_timer_t		*timer;
 	isc_socketmgr_t 	*socketmgr;
 
-	int			connects; 	/* Connect in progress */
-	int			sends;		/* Send in progress */
-	int			recvs;	  	/* Receive in progress */
+	int			connects; 	/*%< Connect in progress */
+	int			sends;		/*%< Send in progress */
+	int			recvs;	  	/*%< Receive in progress */
 	isc_boolean_t		shuttingdown;
 
-	dns_name_t 		name; 		/* Name of zone to transfer */
+	dns_name_t 		name; 		/*%< Name of zone to transfer */
 	dns_rdataclass_t 	rdclass;
 
 	isc_boolean_t		checkid;
 	dns_messageid_t		id;
 
-	/*
+	/*%
 	 * Requested transfer type (dns_rdatatype_axfr or
 	 * dns_rdatatype_ixfr).  The actual transfer type
 	 * may differ due to IXFR->AXFR fallback.
@@ -122,32 +124,32 @@ struct dns_xfrin_ctx {
 	isc_sockaddr_t		sourceaddr;
 	isc_socket_t 		*socket;
 
-	/* Buffer for IXFR/AXFR request message */
+	/*% Buffer for IXFR/AXFR request message */
 	isc_buffer_t 		qbuffer;
 	unsigned char 		qbuffer_data[512];
 
-	/* Incoming reply TCP message */
+	/*% Incoming reply TCP message */
 	dns_tcpmsg_t		tcpmsg;
 	isc_boolean_t		tcpmsg_valid;
 
 	dns_db_t 		*db;
 	dns_dbversion_t 	*ver;
-	dns_diff_t 		diff;		/* Pending database changes */
-	int 			difflen;	/* Number of pending tuples */
+	dns_diff_t 		diff;		/*%< Pending database changes */
+	int 			difflen;	/*%< Number of pending tuples */
 
 	xfrin_state_t 		state;
 	isc_uint32_t 		end_serial;
 	isc_boolean_t 		is_ixfr;
 
-	unsigned int		nmsg;		/* Number of messages recvd */
+	unsigned int		nmsg;		/*%< Number of messages recvd */
 
-	dns_tsigkey_t		*tsigkey;	/* Key used to create TSIG */
-	isc_buffer_t		*lasttsig;	/* The last TSIG */
-	dst_context_t		*tsigctx;	/* TSIG verification context */
-	unsigned int		sincetsig;	/* recvd since the last TSIG */
+	dns_tsigkey_t		*tsigkey;	/*%< Key used to create TSIG */
+	isc_buffer_t		*lasttsig;	/*%< The last TSIG */
+	dst_context_t		*tsigctx;	/*%< TSIG verification context */
+	unsigned int		sincetsig;	/*%< recvd since the last TSIG */
 	dns_xfrindone_t		done;
 
-	/*
+	/*%
 	 * AXFR- and IXFR-specific data.  Only one is used at a time
 	 * according to the is_ixfr flag, so this could be a union,
 	 * but keeping them separate makes it a bit simpler to clean
@@ -224,14 +226,14 @@ static isc_result_t
 render(dns_message_t *msg, isc_mem_t *mctx, isc_buffer_t *buf);
 
 static void
-xfrin_logv(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
-	   isc_sockaddr_t *masteraddr, const char *fmt, va_list ap)
-     ISC_FORMAT_PRINTF(5, 0);
+xfrin_logv(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
+	   const char *fmt, va_list ap)
+     ISC_FORMAT_PRINTF(4, 0);
 
 static void
-xfrin_log1(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
-	   isc_sockaddr_t *masteraddr, const char *fmt, ...)
-     ISC_FORMAT_PRINTF(5, 6);
+xfrin_log1(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
+	   const char *fmt, ...)
+     ISC_FORMAT_PRINTF(4, 5);
 
 static void
 xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...)
@@ -457,7 +459,7 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
 			FAIL(DNS_R_FORMERR);
 		}
 		/*
-		 * Remember the serial number in the intial SOA.
+		 * Remember the serial number in the initial SOA.
 		 * We need it to recognize the end of an IXFR.
 		 */
 		xfr->end_serial = dns_soa_getserial(rdata);
@@ -631,9 +633,12 @@ dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
  failure:
 	if (db != NULL)
 		dns_db_detach(&db);
-	if (result != ISC_R_SUCCESS)
-		xfrin_log1(ISC_LOG_ERROR, zonename, dns_zone_getclass(zone),
-			   masteraddr, "zone transfer setup failed");
+	if (result != ISC_R_SUCCESS) {
+		char zonetext[DNS_NAME_MAXTEXT+32];
+		dns_zone_name(zone, zonetext, sizeof(zonetext));
+		xfrin_log1(ISC_LOG_ERROR, zonetext, masteraddr,
+			   "zone transfer setup failed");
+	}
 	return (result);
 }
 
@@ -1400,23 +1405,19 @@ maybe_free(dns_xfrin_ctx_t *xfr) {
  * transfer of <zone> from <address>: <message>
  */
 static void
-xfrin_logv(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
-	   isc_sockaddr_t *masteraddr, const char *fmt, va_list ap)
+xfrin_logv(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
+	   const char *fmt, va_list ap)
 {
-	char zntext[DNS_NAME_FORMATSIZE];
 	char mastertext[ISC_SOCKADDR_FORMATSIZE];
-	char classtext[DNS_RDATACLASS_FORMATSIZE];
 	char msgtext[2048];
 
-	dns_name_format(zonename, zntext, sizeof(zntext));
-	dns_rdataclass_format(rdclass, classtext, sizeof(classtext));
 	isc_sockaddr_format(masteraddr, mastertext, sizeof(mastertext));
 	vsnprintf(msgtext, sizeof(msgtext), fmt, ap);
 
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_XFER_IN,
 		      DNS_LOGMODULE_XFER_IN, level,
-		      "transfer of '%s/%s' from %s: %s",
-		      zntext, classtext, mastertext, msgtext);
+		      "transfer of '%s' from %s: %s",
+		      zonetext, mastertext, msgtext);
 }
 
 /*
@@ -1424,8 +1425,8 @@ xfrin_logv(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
  */
 
 static void
-xfrin_log1(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
-	   isc_sockaddr_t *masteraddr, const char *fmt, ...)
+xfrin_log1(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
+           const char *fmt, ...)
 {
 	va_list ap;
 
@@ -1433,7 +1434,7 @@ xfrin_log1(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
 		return;
 
 	va_start(ap, fmt);
-	xfrin_logv(level, zonename, rdclass, masteraddr, fmt, ap);
+	xfrin_logv(level, zonetext, masteraddr, fmt, ap);
 	va_end(ap);
 }
 
@@ -1445,11 +1446,14 @@ static void
 xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...)
 {
 	va_list ap;
+	char zonetext[DNS_NAME_MAXTEXT+32];
 
 	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
 		return;
 
+	dns_zone_name(xfr->zone, zonetext, sizeof(zonetext));
+
 	va_start(ap, fmt);
-	xfrin_logv(level, &xfr->name, xfr->rdclass, &xfr->masteraddr, fmt, ap);
+	xfrin_logv(level, zonetext, &xfr->masteraddr, fmt, ap);
 	va_end(ap);
 }
diff --git a/contrib/bind9/lib/dns/zone.c b/contrib/bind9/lib/dns/zone.c
index d2a47b0..5a73796 100644
--- a/contrib/bind9/lib/dns/zone.c
+++ b/contrib/bind9/lib/dns/zone.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.333.2.23.2.65 2006/07/19 01:04:24 marka Exp $ */
+/* $Id: zone.c,v 1.410.18.47 2006/12/07 06:21:16 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -25,16 +27,19 @@
 #include <isc/random.h>
 #include <isc/ratelimiter.h>
 #include <isc/refcount.h>
+#include <isc/rwlock.h>
 #include <isc/serial.h>
 #include <isc/string.h>
 #include <isc/taskpool.h>
 #include <isc/timer.h>
 #include <isc/util.h>
 
+#include <dns/acache.h>
 #include <dns/acl.h>
 #include <dns/adb.h>
 #include <dns/callbacks.h>
 #include <dns/db.h>
+#include <dns/dbiterator.h>
 #include <dns/events.h>
 #include <dns/journal.h>
 #include <dns/log.h>
@@ -79,7 +84,7 @@
 #define IO_MAGIC			ISC_MAGIC('Z', 'm', 'I', 'O')
 #define DNS_IO_VALID(load)		ISC_MAGIC_VALID(load, IO_MAGIC)
 
-/*
+/*%
  * Ensure 'a' is at least 'min' but not more than 'max'.
  */
 #define RANGE(a, min, max) \
@@ -88,16 +93,16 @@
 /*
  * Default values.
  */
-#define DNS_DEFAULT_IDLEIN 3600		/* 1 hour */
-#define DNS_DEFAULT_IDLEOUT 3600	/* 1 hour */
-#define MAX_XFER_TIME (2*3600)		/* Documented default is 2 hours */
+#define DNS_DEFAULT_IDLEIN 3600		/*%< 1 hour */
+#define DNS_DEFAULT_IDLEOUT 3600	/*%< 1 hour */
+#define MAX_XFER_TIME (2*3600)		/*%< Documented default is 2 hours */
 
 #ifndef DNS_MAX_EXPIRE
-#define DNS_MAX_EXPIRE	14515200	/* 24 weeks */
+#define DNS_MAX_EXPIRE	14515200	/*%< 24 weeks */
 #endif
 
 #ifndef DNS_DUMP_DELAY
-#define DNS_DUMP_DELAY 900		/* 15 minutes */
+#define DNS_DUMP_DELAY 900		/*%< 15 minutes */
 #endif
 
 typedef struct dns_notify dns_notify_t;
@@ -123,6 +128,18 @@ typedef ISC_LIST(dns_io_t) dns_iolist_t;
 #define LOCKED_ZONE(z) ISC_TRUE
 #endif
 
+#ifdef ISC_RWLOCK_USEATOMIC
+#define ZONEDB_INITLOCK(l)	isc_rwlock_init((l), 0, 0)
+#define ZONEDB_DESTROYLOCK(l)	isc_rwlock_destroy(l)
+#define ZONEDB_LOCK(l, t)	RWLOCK((l), (t))
+#define ZONEDB_UNLOCK(l, t)	RWUNLOCK((l), (t))
+#else
+#define ZONEDB_INITLOCK(l)	isc_mutex_init(l)
+#define ZONEDB_DESTROYLOCK(l)	DESTROYLOCK(l)
+#define ZONEDB_LOCK(l, t)	LOCK(l)
+#define ZONEDB_UNLOCK(l, t)	UNLOCK(l)
+#endif
+
 struct dns_zone {
 	/* Unlocked */
 	unsigned int		magic;
@@ -133,14 +150,21 @@ struct dns_zone {
 	isc_mem_t		*mctx;
 	isc_refcount_t		erefs;
 
+#ifdef ISC_RWLOCK_USEATOMIC
+	isc_rwlock_t		dblock;
+#else
+	isc_mutex_t		dblock;
+#endif
+	dns_db_t		*db;		/* Locked by dblock */
+
 	/* Locked */
-	dns_db_t		*db;
 	dns_zonemgr_t		*zmgr;
 	ISC_LINK(dns_zone_t)	link;		/* Used by zmgr. */
 	isc_timer_t		*timer;
 	unsigned int		irefs;
 	dns_name_t		origin;
 	char			*masterfile;
+	dns_masterformat_t	masterformat;
 	char			*journal;
 	isc_int32_t		journalsize;
 	dns_rdataclass_t	rdclass;
@@ -153,6 +177,7 @@ struct dns_zone {
 	isc_time_t		refreshtime;
 	isc_time_t		dumptime;
 	isc_time_t		loadtime;
+	isc_time_t		notifytime;
 	isc_uint32_t		serial;
 	isc_uint32_t		refresh;
 	isc_uint32_t		retry;
@@ -176,13 +201,13 @@ struct dns_zone {
 	unsigned int		notifycnt;
 	isc_sockaddr_t		notifyfrom;
 	isc_task_t		*task;
-	isc_sockaddr_t	 	notifysrc4;
-	isc_sockaddr_t	 	notifysrc6;
-	isc_sockaddr_t	 	xfrsource4;
-	isc_sockaddr_t	 	xfrsource6;
-	isc_sockaddr_t	 	altxfrsource4;
-	isc_sockaddr_t	 	altxfrsource6;
-	isc_sockaddr_t	 	sourceaddr;
+	isc_sockaddr_t		notifysrc4;
+	isc_sockaddr_t		notifysrc6;
+	isc_sockaddr_t		xfrsource4;
+	isc_sockaddr_t		xfrsource6;
+	isc_sockaddr_t		altxfrsource4;
+	isc_sockaddr_t		altxfrsource6;
+	isc_sockaddr_t		sourceaddr;
 	dns_xfrin_ctx_t		*xfr;		/* task locked */
 	dns_tsigkey_t		*tsigkey;	/* key used for xfr */
 	/* Access Control Lists */
@@ -192,6 +217,7 @@ struct dns_zone {
 	dns_acl_t		*query_acl;
 	dns_acl_t		*xfr_acl;
 	isc_boolean_t		update_disabled;
+	isc_boolean_t		zero_no_soa_ttl;
 	dns_severity_t		check_names;
 	ISC_LIST(dns_notify_t)	notifies;
 	dns_request_t		*request;
@@ -207,7 +233,11 @@ struct dns_zone {
 	dns_ssutable_t		*ssutable;
 	isc_uint32_t		sigvalidityinterval;
 	dns_view_t		*view;
-	/*
+	dns_acache_t		*acache;
+	dns_checkmxfunc_t	checkmx;
+	dns_checksrvfunc_t	checksrv;
+	dns_checknsfunc_t	checkns;
+	/*%
 	 * Zones in certain states such as "waiting for zone transfer"
 	 * or "zone transfer in progress" are kept on per-state linked lists
 	 * in the zone manager using the 'statelink' field.  The 'statelist'
@@ -216,10 +246,13 @@ struct dns_zone {
 	 */
 	ISC_LINK(dns_zone_t)	statelink;
 	dns_zonelist_t		*statelist;
-	/*
+	/*%
 	 * Optional per-zone statistics counters (NULL if not present).
 	 */
-	isc_uint64_t	    *counters;
+	isc_uint64_t	    	*counters;
+	isc_uint32_t		notifydelay;
+	dns_isselffunc_t	isself;
+	void			*isselfarg;
 };
 
 #define DNS_ZONE_FLAG(z,f) (ISC_TF(((z)->flags & (f)) != 0))
@@ -232,35 +265,35 @@ struct dns_zone {
 		(z)->flags &= ~(f); \
 		} while (0)
 	/* XXX MPA these may need to go back into zone.h */
-#define DNS_ZONEFLG_REFRESH	0x00000001U	/* refresh check in progress */
-#define DNS_ZONEFLG_NEEDDUMP	0x00000002U	/* zone need consolidation */
-#define DNS_ZONEFLG_USEVC	0x00000004U	/* use tcp for refresh query */
-#define DNS_ZONEFLG_DUMPING	0x00000008U	/* a dump is in progress */
-#define DNS_ZONEFLG_HASINCLUDE	0x00000010U	/* $INCLUDE in zone file */
-#define DNS_ZONEFLG_LOADED	0x00000020U	/* database has loaded */
-#define DNS_ZONEFLG_EXITING	0x00000040U	/* zone is being destroyed */
-#define DNS_ZONEFLG_EXPIRED	0x00000080U	/* zone has expired */
-#define DNS_ZONEFLG_NEEDREFRESH	0x00000100U	/* refresh check needed */
-#define DNS_ZONEFLG_UPTODATE	0x00000200U	/* zone contents are
+#define DNS_ZONEFLG_REFRESH	0x00000001U	/*%< refresh check in progress */
+#define DNS_ZONEFLG_NEEDDUMP	0x00000002U	/*%< zone need consolidation */
+#define DNS_ZONEFLG_USEVC	0x00000004U	/*%< use tcp for refresh query */
+#define DNS_ZONEFLG_DUMPING	0x00000008U	/*%< a dump is in progress */
+#define DNS_ZONEFLG_HASINCLUDE	0x00000010U	/*%< $INCLUDE in zone file */
+#define DNS_ZONEFLG_LOADED	0x00000020U	/*%< database has loaded */
+#define DNS_ZONEFLG_EXITING	0x00000040U	/*%< zone is being destroyed */
+#define DNS_ZONEFLG_EXPIRED	0x00000080U	/*%< zone has expired */
+#define DNS_ZONEFLG_NEEDREFRESH	0x00000100U	/*%< refresh check needed */
+#define DNS_ZONEFLG_UPTODATE	0x00000200U	/*%< zone contents are
 						 * uptodate */
-#define DNS_ZONEFLG_NEEDNOTIFY	0x00000400U	/* need to send out notify
+#define DNS_ZONEFLG_NEEDNOTIFY	0x00000400U	/*%< need to send out notify
 						 * messages */
-#define DNS_ZONEFLG_DIFFONRELOAD 0x00000800U	/* generate a journal diff on
+#define DNS_ZONEFLG_DIFFONRELOAD 0x00000800U	/*%< generate a journal diff on
 						 * reload */
-#define DNS_ZONEFLG_NOMASTERS	0x00001000U	/* an attempt to refresh a
+#define DNS_ZONEFLG_NOMASTERS	0x00001000U	/*%< an attempt to refresh a
 						 * zone with no masters
 						 * occured */
-#define DNS_ZONEFLG_LOADING	0x00002000U	/* load from disk in progress*/
-#define DNS_ZONEFLG_HAVETIMERS	0x00004000U	/* timer values have been set
+#define DNS_ZONEFLG_LOADING	0x00002000U	/*%< load from disk in progress*/
+#define DNS_ZONEFLG_HAVETIMERS	0x00004000U	/*%< timer values have been set
 						 * from SOA (if not set, we
 						 * are still using
 						 * default timer values) */
-#define DNS_ZONEFLG_FORCEXFER   0x00008000U     /* Force a zone xfer */
+#define DNS_ZONEFLG_FORCEXFER   0x00008000U     /*%< Force a zone xfer */
 #define DNS_ZONEFLG_NOREFRESH	0x00010000U
 #define DNS_ZONEFLG_DIALNOTIFY	0x00020000U
 #define DNS_ZONEFLG_DIALREFRESH	0x00040000U
 #define DNS_ZONEFLG_SHUTDOWN	0x00080000U
-#define DNS_ZONEFLAG_NOIXFR	0x00100000U	/* IXFR failed, force AXFR */
+#define DNS_ZONEFLAG_NOIXFR	0x00100000U	/*%< IXFR failed, force AXFR */
 #define DNS_ZONEFLG_FLUSH	0x00200000U
 #define DNS_ZONEFLG_NOEDNS	0x00400000U
 #define DNS_ZONEFLG_USEALTXFRSRC 0x00800000U
@@ -301,7 +334,7 @@ struct dns_zonemgr {
 	dns_iolist_t		low;
 };
 
-/*
+/*%
  * Hold notify state.
  */
 struct dns_notify {
@@ -318,7 +351,7 @@ struct dns_notify {
 
 #define DNS_NOTIFY_NOSOA	0x0001U
 
-/*
+/*%
  *	dns_stub holds state while performing a 'stub' transfer.
  *	'db' is the zone's 'db' or a new one if this is the initial
  *	transfer.
@@ -332,7 +365,7 @@ struct dns_stub {
 	dns_dbversion_t		*version;
 };
 
-/*
+/*%
  *	Hold load state.
  */
 struct dns_load {
@@ -344,7 +377,7 @@ struct dns_load {
 	dns_rdatacallbacks_t	callbacks;
 };
 
-/*
+/*%
  *	Hold forward state.
  */
 struct dns_forward {
@@ -359,7 +392,7 @@ struct dns_forward {
 	void			*callback_arg;
 };
 
-/*
+/*%
  *	Hold IO request state.
  */
 struct dns_io {
@@ -386,6 +419,8 @@ static void zone_iattach(dns_zone_t *source, dns_zone_t **target);
 static void zone_idetach(dns_zone_t **zonep);
 static isc_result_t zone_replacedb(dns_zone_t *zone, dns_db_t *db,
 				   isc_boolean_t dump);
+static inline void zone_attachdb(dns_zone_t *zone, dns_db_t *db);
+static inline void zone_detachdb(dns_zone_t *zone);
 static isc_result_t default_journal(dns_zone_t *zone);
 static void zone_xfrdone(dns_zone_t *zone, isc_result_t result);
 static isc_result_t zone_postload(dns_zone_t *zone, dns_db_t *db,
@@ -430,17 +465,18 @@ static void zonemgr_putio(dns_io_t **iop);
 static void zonemgr_cancelio(dns_io_t *io);
 
 static isc_result_t
-zone_get_from_db(dns_db_t *db, dns_name_t *origin, unsigned int *nscount,
+zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
 		 unsigned int *soacount, isc_uint32_t *serial,
 		 isc_uint32_t *refresh, isc_uint32_t *retry,
-		 isc_uint32_t *expire, isc_uint32_t *minimum);
+		 isc_uint32_t *expire, isc_uint32_t *minimum,
+		 unsigned int *errors);
 
 static void zone_freedbargs(dns_zone_t *zone);
 static void forward_callback(isc_task_t *task, isc_event_t *event);
 static void zone_saveunique(dns_zone_t *zone, const char *path,
 			    const char *templat);
 static void zone_maintenance(dns_zone_t *zone);
-static void zone_notify(dns_zone_t *zone);
+static void zone_notify(dns_zone_t *zone, isc_time_t *now);
 static void dump_done(void *arg, isc_result_t result);
 
 #define ENTER zone_debuglog(zone, me, 1, "enter")
@@ -484,36 +520,41 @@ isc_result_t
 dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	isc_result_t result;
 	dns_zone_t *zone;
+	isc_time_t now;
 
 	REQUIRE(zonep != NULL && *zonep == NULL);
 	REQUIRE(mctx != NULL);
 
+	TIME_NOW(&now);
 	zone = isc_mem_get(mctx, sizeof(*zone));
 	if (zone == NULL)
 		return (ISC_R_NOMEMORY);
 
+	zone->mctx = NULL;
+	isc_mem_attach(mctx, &zone->mctx);
+
 	result = isc_mutex_init(&zone->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, zone, sizeof(*zone));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
+	if (result != ISC_R_SUCCESS)
+		goto free_zone;
+
+	result = ZONEDB_INITLOCK(&zone->dblock);
+	if (result != ISC_R_SUCCESS)
+		goto free_mutex;
 
 	/* XXX MPA check that all elements are initialised */
-	zone->mctx = NULL;
 #ifdef DNS_ZONE_CHECKLOCK
 	zone->locked = ISC_FALSE;
 #endif
-	isc_mem_attach(mctx, &zone->mctx);
 	zone->db = NULL;
 	zone->zmgr = NULL;
 	ISC_LINK_INIT(zone, link);
-	isc_refcount_init(&zone->erefs, 1);	/* Implicit attach. */
+	result = isc_refcount_init(&zone->erefs, 1);	/* Implicit attach. */
+	if (result != ISC_R_SUCCESS)
+		goto free_dblock;
 	zone->irefs = 0;
 	dns_name_init(&zone->origin, NULL);
 	zone->masterfile = NULL;
+	zone->masterformat =  dns_masterformat_none;
 	zone->keydirectory = NULL;
 	zone->journalsize = -1;
 	zone->journal = NULL;
@@ -527,6 +568,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	isc_time_settoepoch(&zone->refreshtime);
 	isc_time_settoepoch(&zone->dumptime);
 	isc_time_settoepoch(&zone->loadtime);
+	zone->notifytime = now;
 	zone->serial = 0;
 	zone->refresh = DNS_ZONE_DEFAULTREFRESH;
 	zone->retry = DNS_ZONE_DEFAULTRETRY;
@@ -551,6 +593,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->query_acl = NULL;
 	zone->xfr_acl = NULL;
 	zone->update_disabled = ISC_FALSE;
+	zone->zero_no_soa_ttl = ISC_TRUE;
 	zone->check_names = dns_severity_ignore;
 	zone->request = NULL;
 	zone->lctx = NULL;
@@ -574,16 +617,23 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->ssutable = NULL;
 	zone->sigvalidityinterval = 30 * 24 * 3600;
 	zone->view = NULL;
+	zone->acache = NULL;
+	zone->checkmx = NULL;
+	zone->checksrv = NULL;
+	zone->checkns = NULL;
 	ISC_LINK_INIT(zone, statelink);
 	zone->statelist = NULL;
 	zone->counters = NULL;
+	zone->notifydelay = 5;
+	zone->isself = NULL;
+	zone->isselfarg = NULL;
 
 	zone->magic = ZONE_MAGIC;
 
 	/* Must be after magic is set. */
 	result = dns_zone_setdbtype(zone, dbargc_default, dbargv_default);
 	if (result != ISC_R_SUCCESS)
-		goto free_mutex;
+		goto free_erefs;
 
 	ISC_EVENT_INIT(&zone->ctlevent, sizeof(zone->ctlevent), 0, NULL,
 		       DNS_EVENT_ZONECONTROL, zone_shutdown, zone, zone,
@@ -591,8 +641,17 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	*zonep = zone;
 	return (ISC_R_SUCCESS);
 
+ free_erefs:
+	isc_refcount_decrement(&zone->erefs, NULL);
+	isc_refcount_destroy(&zone->erefs);
+
+ free_dblock:
+	ZONEDB_DESTROYLOCK(&zone->dblock);
+
  free_mutex:
 	DESTROYLOCK(&zone->lock);
+
+ free_zone:
 	isc_mem_putanddetach(&zone->mctx, zone, sizeof(*zone));
 	return (result);
 }
@@ -639,7 +698,9 @@ zone_free(dns_zone_t *zone) {
 	if (zone->counters != NULL)
 		dns_stats_freecounters(zone->mctx, &zone->counters);
 	if (zone->db != NULL)
-		dns_db_detach(&zone->db);
+		zone_detachdb(zone);
+	if (zone->acache != NULL)
+		dns_acache_detach(&zone->acache);
 	zone_freedbargs(zone);
 	RUNTIME_CHECK(dns_zone_setmasterswithkeys(zone, NULL, NULL, 0)
 		      == ISC_R_SUCCESS);
@@ -662,6 +723,7 @@ zone_free(dns_zone_t *zone) {
 		dns_ssutable_detach(&zone->ssutable);
 
 	/* last stuff */
+	ZONEDB_DESTROYLOCK(&zone->dblock);
 	DESTROYLOCK(&zone->lock);
 	isc_refcount_destroy(&zone->erefs);
 	zone->magic = 0;
@@ -739,6 +801,39 @@ zone_freedbargs(dns_zone_t *zone) {
 }
 
 isc_result_t
+dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx) {
+	size_t size = 0;
+	unsigned int i;
+	isc_result_t result = ISC_R_SUCCESS;
+	void *mem;
+	char **tmp, *tmp2;
+	
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(argv != NULL && *argv == NULL);
+	
+	LOCK_ZONE(zone);
+	size = (zone->db_argc + 1) * sizeof(char *);
+	for (i = 0; i < zone->db_argc; i++)
+		size += strlen(zone->db_argv[i]) + 1;
+	mem = isc_mem_allocate(mctx, size);
+	if (mem != NULL) {
+		tmp = mem;
+		tmp2 = mem;
+		tmp2 += (zone->db_argc + 1) * sizeof(char *);
+		for (i = 0; i < zone->db_argc; i++) {
+			*tmp++ = tmp2;
+			strcpy(tmp2, zone->db_argv[i]);
+			tmp2 += strlen(tmp2) + 1;
+		}
+		*tmp = NULL;
+	} else
+		result = ISC_R_NOMEMORY;
+	UNLOCK_ZONE(zone);
+	*argv = mem;
+	return (result);
+}
+
+isc_result_t
 dns_zone_setdbtype(dns_zone_t *zone,
 		   unsigned int dbargc, const char * const *dbargv) {
 	isc_result_t result = ISC_R_SUCCESS;
@@ -822,6 +917,35 @@ dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
 	return (result);
 }
 
+void
+dns_zone_setacache(dns_zone_t *zone, dns_acache_t *acache) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(acache != NULL);
+	
+	LOCK_ZONE(zone);
+	if (zone->acache != NULL)
+		dns_acache_detach(&zone->acache);
+	dns_acache_attach(acache, &zone->acache);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		isc_result_t result;
+
+		/*
+		 * If the zone reuses an existing DB, the DB needs to be
+		 * set in the acache explicitly.  We can safely ignore the
+		 * case where the DB is already set.  If other error happens,
+		 * the acache will not work effectively.
+		 */
+		result = dns_acache_setdb(acache, zone->db);
+		if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "dns_acache_setdb() failed: %s",
+					 isc_result_totext(result));
+		}
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	UNLOCK_ZONE(zone);
+}
 
 static isc_result_t
 dns_zone_setstring(dns_zone_t *zone, char **field, const char *value) {
@@ -844,14 +968,22 @@ dns_zone_setstring(dns_zone_t *zone, char **field, const char *value) {
 
 isc_result_t
 dns_zone_setfile(dns_zone_t *zone, const char *file) {
+	return (dns_zone_setfile2(zone, file, dns_masterformat_text));
+}
+
+isc_result_t
+dns_zone_setfile2(dns_zone_t *zone, const char *file,
+		  dns_masterformat_t format) {
 	isc_result_t result = ISC_R_SUCCESS;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
 	result = dns_zone_setstring(zone, &zone->masterfile, file);
-	if (result == ISC_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
+		zone->masterformat = format;
 		result = default_journal(zone);
+	}
 	UNLOCK_ZONE(zone);
 
 	return (result);
@@ -979,31 +1111,42 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
 		goto cleanup;
 	}
 
+
+	/*
+	 * Store the current time before the zone is loaded, so that if the
+	 * file changes between the time of the load and the time that
+	 * zone->loadtime is set, then the file will still be reloaded
+	 * the next time dns_zone_load is called.
+	 */
+	TIME_NOW(&loadtime);
+
 	/*
 	 * Don't do the load if the file that stores the zone is older
 	 * than the last time the zone was loaded.  If the zone has not
 	 * been loaded yet, zone->loadtime will be the epoch.
 	 */
-	if (zone->masterfile != NULL && ! isc_time_isepoch(&zone->loadtime)) {
+	if (zone->masterfile != NULL) {
 		/*
 		 * The file is already loaded.  If we are just doing a
 		 * "rndc reconfig", we are done.
 		 */
-		if ((flags & DNS_ZONELOADFLAG_NOSTAT) != 0) {
+		if (!isc_time_isepoch(&zone->loadtime) &&
+		    (flags & DNS_ZONELOADFLAG_NOSTAT) != 0) {
 			result = ISC_R_SUCCESS;
 			goto cleanup;
 		}
-		if (! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE)) {
-			result = isc_file_getmodtime(zone->masterfile,
-						     &filetime);
-			if (result == ISC_R_SUCCESS &&
+
+		result = isc_file_getmodtime(zone->masterfile, &filetime);
+		if (result == ISC_R_SUCCESS) {
+			if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE) &&
 			    isc_time_compare(&filetime, &zone->loadtime) <= 0) {
 				dns_zone_log(zone, ISC_LOG_DEBUG(1),
-					     "skipping load: master file older "
-					     "than last load");
+					     "skipping load: master file "
+					     "older than last load");
 				result = DNS_R_UPTODATE;
 				goto cleanup;
 			}
+			loadtime = filetime;
 		}
 	}
 
@@ -1024,9 +1167,10 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
 	     strcmp(zone->db_argv[0], "rbt64") == 0)) {
 		if (zone->masterfile == NULL ||
 		    !isc_file_exists(zone->masterfile)) {
-			if (zone->masterfile != NULL)
+			if (zone->masterfile != NULL) {
 				dns_zone_log(zone, ISC_LOG_DEBUG(1),
 					     "no master file");
+			}
 			zone->refreshtime = now;
 			if (zone->task != NULL)
 				zone_settimer(zone, &now);
@@ -1037,14 +1181,6 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
 
 	dns_zone_log(zone, ISC_LOG_DEBUG(1), "starting load");
 
-	/*
-	 * Store the current time before the zone is loaded, so that if the
-	 * file changes between the time of the load and the time that
-	 * zone->loadtime is set, then the file will still be reloaded
-	 * the next time dns_zone_load is called.
-	 */
-	TIME_NOW(&loadtime);
-
 	result = dns_db_create(zone->mctx, zone->db_argv[0],
 			       &zone->origin, (zone->type == dns_zone_stub) ?
 			       dns_dbtype_stub : dns_dbtype_zone,
@@ -1125,14 +1261,21 @@ zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
 		options |= DNS_MASTER_CHECKNAMES;
 	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKNAMESFAIL))
 		options |= DNS_MASTER_CHECKNAMESFAIL;
-	result = dns_master_loadfileinc(load->zone->masterfile,
-					dns_db_origin(load->db),
-					dns_db_origin(load->db),
-					load->zone->rdclass,
-					options,
-					&load->callbacks, task,
-					zone_loaddone, load,
-					&load->zone->lctx, load->zone->mctx);
+	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKMX))
+		options |= DNS_MASTER_CHECKMX;
+	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKMXFAIL))
+		options |= DNS_MASTER_CHECKMXFAIL;
+	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKWILDCARD))
+		options |= DNS_MASTER_CHECKWILDCARD;
+	result = dns_master_loadfileinc2(load->zone->masterfile,
+					 dns_db_origin(load->db),
+					 dns_db_origin(load->db),
+					 load->zone->rdclass,
+					 options,
+					 &load->callbacks, task,
+					 zone_loaddone, load,
+					 &load->zone->lctx, load->zone->mctx,
+					 load->zone->masterformat);
 	if (result != ISC_R_SUCCESS && result != DNS_R_CONTINUE &&
 	    result != DNS_R_SEENINCLUDE)
 		goto fail;
@@ -1160,12 +1303,14 @@ zone_gotwritehandle(isc_task_t *task, isc_event_t *event) {
 		goto fail;
 
 	LOCK_ZONE(zone);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
 	dns_db_currentversion(zone->db, &version);
-	result = dns_master_dumpinc(zone->mctx, zone->db, version,
-				    &dns_master_style_default,
-				    zone->masterfile, zone->task,
-				    dump_done, zone, &zone->dctx);
+	result = dns_master_dumpinc2(zone->mctx, zone->db, version,
+				     &dns_master_style_default,
+				     zone->masterfile, zone->task, dump_done,
+				     zone, &zone->dctx, zone->masterformat);
 	dns_db_closeversion(zone->db, &version, ISC_FALSE);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
 	UNLOCK_ZONE(zone);
 	if (result != DNS_R_CONTINUE)
 		goto fail;
@@ -1195,6 +1340,12 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 		options |= DNS_MASTER_CHECKNAMES;
 	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL))
 		options |= DNS_MASTER_CHECKNAMESFAIL;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMX))
+		options |= DNS_MASTER_CHECKMX;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL))
+		options |= DNS_MASTER_CHECKMXFAIL;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD))
+		options |= DNS_MASTER_CHECKWILDCARD;
 
 	if (zone->zmgr != NULL && zone->db != NULL && zone->task != NULL) {
 		load = isc_mem_get(zone->mctx, sizeof(*load));
@@ -1236,9 +1387,10 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 					  &callbacks.add_private);
 		if (result != ISC_R_SUCCESS)
 			return (result);
-		result = dns_master_loadfile(zone->masterfile, &zone->origin,
-					     &zone->origin, zone->rdclass,
-					     options, &callbacks, zone->mctx);
+		result = dns_master_loadfile2(zone->masterfile, &zone->origin,
+					      &zone->origin, zone->rdclass,
+					      options, &callbacks, zone->mctx,
+					      zone->masterformat);
 		tresult = dns_db_endload(db, &callbacks.add_private);
 		if (result == ISC_R_SUCCESS)
 			result = tresult;
@@ -1255,12 +1407,487 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 	return (result);
 }
 
+static isc_boolean_t
+zone_check_mx(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
+	      dns_name_t *owner)
+{
+	isc_result_t result;
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	int level;
+	
+	/*
+	 * Outside of zone.
+	 */
+	if (!dns_name_issubdomain(name, &zone->origin)) {
+		if (zone->checkmx != NULL)
+			return ((zone->checkmx)(zone, name, owner));
+		return (ISC_TRUE);
+	}
+
+	if (zone->type == dns_zone_master)
+		level = ISC_LOG_ERROR;
+	else
+		level = ISC_LOG_WARNING;
+
+	dns_fixedname_init(&fixed);
+	foundname = dns_fixedname_name(&fixed);
+
+	result = dns_db_find(db, name, NULL, dns_rdatatype_a,
+			     0, 0, NULL, foundname, NULL, NULL);
+	if (result == ISC_R_SUCCESS)
+		return (ISC_TRUE);
+
+	if (result == DNS_R_NXRRSET) {
+		result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
+				     0, 0, NULL, foundname, NULL, NULL);
+		if (result == ISC_R_SUCCESS)
+			return (ISC_TRUE);
+	}
+
+	dns_name_format(owner, ownerbuf, sizeof ownerbuf);
+	dns_name_format(name, namebuf, sizeof namebuf);
+	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
+	    result == DNS_R_EMPTYNAME) {
+		dns_zone_log(zone, level,
+			     "%s/MX '%s' has no address records (A or AAAA)",
+			     ownerbuf, namebuf);
+		/* XXX950 make fatal for 9.5.0. */
+		return (ISC_TRUE);
+	}
+
+	if (result == DNS_R_CNAME) {
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
+			level = ISC_LOG_WARNING;
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
+			dns_zone_log(zone, level,
+				     "%s/MX '%s' is a CNAME (illegal)",
+				     ownerbuf, namebuf);
+		return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
+	}
+
+	if (result == DNS_R_DNAME) {
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
+			level = ISC_LOG_WARNING;
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) {
+			dns_name_format(foundname, altbuf, sizeof altbuf);
+			dns_zone_log(zone, level, "%s/MX '%s' is below a DNAME"
+				     " '%s' (illegal)", ownerbuf, namebuf,
+				     altbuf);
+		}
+		return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
+	}
+
+	if (zone->checkmx != NULL && result == DNS_R_DELEGATION)
+		return ((zone->checkmx)(zone, name, owner));
+
+	return (ISC_TRUE);
+}
+
+static isc_boolean_t
+zone_check_srv(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
+	       dns_name_t *owner)
+{
+	isc_result_t result;
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	int level;
+	
+	/*
+	 * "." means the services does not exist.
+	 */
+	if (dns_name_equal(name, dns_rootname))
+		return (ISC_TRUE);
+
+	/*
+	 * Outside of zone.
+	 */
+	if (!dns_name_issubdomain(name, &zone->origin)) {
+		if (zone->checksrv != NULL)
+			return ((zone->checksrv)(zone, name, owner));
+		return (ISC_TRUE);
+	}
+
+	if (zone->type == dns_zone_master)
+		level = ISC_LOG_ERROR;
+	else
+		level = ISC_LOG_WARNING;
+
+	dns_fixedname_init(&fixed);
+	foundname = dns_fixedname_name(&fixed);
+
+	result = dns_db_find(db, name, NULL, dns_rdatatype_a,
+			     0, 0, NULL, foundname, NULL, NULL);
+	if (result == ISC_R_SUCCESS)
+		return (ISC_TRUE);
+
+	if (result == DNS_R_NXRRSET) {
+		result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
+				     0, 0, NULL, foundname, NULL, NULL);
+		if (result == ISC_R_SUCCESS)
+			return (ISC_TRUE);
+	}
+
+	dns_name_format(owner, ownerbuf, sizeof ownerbuf);
+	dns_name_format(name, namebuf, sizeof namebuf);
+	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
+	    result == DNS_R_EMPTYNAME) {
+		dns_zone_log(zone, level,
+			     "%s/SRV '%s' has no address records (A or AAAA)",
+			     ownerbuf, namebuf);
+		/* XXX950 make fatal for 9.5.0. */
+		return (ISC_TRUE);
+	}
+
+	if (result == DNS_R_CNAME) {
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
+			level = ISC_LOG_WARNING;
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
+			dns_zone_log(zone, level,
+				     "%s/SRV '%s' is a CNAME (illegal)",
+				     ownerbuf, namebuf);
+		return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
+	}
+
+	if (result == DNS_R_DNAME) {
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
+			level = ISC_LOG_WARNING;
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) {
+			dns_name_format(foundname, altbuf, sizeof altbuf);
+			dns_zone_log(zone, level, "%s/SRV '%s' is below a "
+				     "DNAME '%s' (illegal)", ownerbuf, namebuf,
+				     altbuf);
+		}
+		return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
+	}
+
+	if (zone->checksrv != NULL && result == DNS_R_DELEGATION)
+		return ((zone->checksrv)(zone, name, owner));
+
+	return (ISC_TRUE);
+}
+
+static isc_boolean_t
+zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
+		dns_name_t *owner)
+{
+	isc_boolean_t answer = ISC_TRUE;
+	isc_result_t result, tresult;
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	dns_rdataset_t a;
+	dns_rdataset_t aaaa;
+	int level;
+	
+	/*
+	 * Outside of zone.
+	 */
+	if (!dns_name_issubdomain(name, &zone->origin)) {
+		if (zone->checkns != NULL)
+			return ((zone->checkns)(zone, name, owner, NULL, NULL));
+		return (ISC_TRUE);
+	}
+
+	if (zone->type == dns_zone_master)
+		level = ISC_LOG_ERROR;
+	else
+		level = ISC_LOG_WARNING;
+
+	dns_fixedname_init(&fixed);
+	foundname = dns_fixedname_name(&fixed);
+	dns_rdataset_init(&a);
+	dns_rdataset_init(&aaaa);
+
+	result = dns_db_find(db, name, NULL, dns_rdatatype_a,
+			     DNS_DBFIND_GLUEOK, 0, NULL,
+			     foundname, &a, NULL);
+
+	if (result == ISC_R_SUCCESS) {
+		dns_rdataset_disassociate(&a);
+		return (ISC_TRUE);
+	} else if (result == DNS_R_DELEGATION)
+		dns_rdataset_disassociate(&a);
+
+	if (result == DNS_R_NXRRSET || result == DNS_R_DELEGATION ||
+	    result == DNS_R_GLUE) {
+		tresult = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
+				     DNS_DBFIND_GLUEOK, 0, NULL,
+				     foundname, &aaaa, NULL);
+		if (tresult == ISC_R_SUCCESS) {
+			dns_rdataset_disassociate(&aaaa);
+			return (ISC_TRUE);
+		} 
+		if (tresult == DNS_R_DELEGATION)
+			dns_rdataset_disassociate(&aaaa);
+		if (result == DNS_R_GLUE || tresult == DNS_R_GLUE) {
+			/*
+			 * Check glue against child zone.
+			 */
+			if (zone->checkns != NULL)
+				answer = (zone->checkns)(zone, name, owner,
+							 &a, &aaaa);
+			if (dns_rdataset_isassociated(&a))
+				dns_rdataset_disassociate(&a);
+			if (dns_rdataset_isassociated(&aaaa))
+				dns_rdataset_disassociate(&aaaa);
+			return (answer);
+		}
+	} else
+		tresult = result;
+
+	dns_name_format(owner, ownerbuf, sizeof ownerbuf);
+	dns_name_format(name, namebuf, sizeof namebuf);
+	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
+	    result == DNS_R_EMPTYNAME || result == DNS_R_DELEGATION) {
+		const char *what;
+		if (dns_name_issubdomain(name, owner))
+			what = "REQUIRED GLUE ";
+		else if (result == DNS_R_DELEGATION)
+			what = "SIBLING GLUE ";
+		else
+			what = "";
+
+		if (result != DNS_R_DELEGATION ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSIBLING)) {
+			dns_zone_log(zone, level, "%s/NS '%s' has no %s"
+				     "address records (A or AAAA)",
+				     ownerbuf, namebuf, what);
+			/*
+			 * Log missing address record.
+			 */
+			if (result == DNS_R_DELEGATION && zone->checkns != NULL)
+				(void)(zone->checkns)(zone, name, owner,
+						      &a, &aaaa);
+			/* XXX950 make fatal for 9.5.0. */
+			/* answer = ISC_FALSE; */
+		}
+	} else if (result == DNS_R_CNAME) {
+		dns_zone_log(zone, level, "%s/NS '%s' is a CNAME (illegal)",
+			     ownerbuf, namebuf);
+		/* XXX950 make fatal for 9.5.0. */
+		/* answer = ISC_FALSE; */
+	} else if (result == DNS_R_DNAME) {
+		dns_name_format(foundname, altbuf, sizeof altbuf);
+		dns_zone_log(zone, level,
+			     "%s/NS '%s' is below a DNAME '%s' (illegal)",
+			     ownerbuf, namebuf, altbuf);
+		/* XXX950 make fatal for 9.5.0. */
+		/* answer = ISC_FALSE; */
+	}
+
+	if (dns_rdataset_isassociated(&a))
+		dns_rdataset_disassociate(&a);
+	if (dns_rdataset_isassociated(&aaaa))
+		dns_rdataset_disassociate(&aaaa);
+	return (answer);
+}
+
+static isc_boolean_t
+integrity_checks(dns_zone_t *zone, dns_db_t *db) {
+	dns_dbiterator_t *dbiterator = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fixed;
+	dns_fixedname_t fixedbottom;
+	dns_rdata_mx_t mx;
+	dns_rdata_ns_t ns;
+	dns_rdata_in_srv_t srv;
+	dns_rdata_t rdata;
+	dns_name_t *name;
+	dns_name_t *bottom;
+	isc_result_t result;
+	isc_boolean_t ok = ISC_TRUE;
+
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+	dns_fixedname_init(&fixedbottom);
+	bottom = dns_fixedname_name(&fixedbottom);
+	dns_rdataset_init(&rdataset);
+	dns_rdata_init(&rdata);
+
+	result = dns_db_createiterator(db, ISC_FALSE, &dbiterator);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_TRUE);
+
+	result = dns_dbiterator_first(dbiterator);
+	while (result == ISC_R_SUCCESS) {
+		result = dns_dbiterator_current(dbiterator, &node, name);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+
+		/*
+		 * Is this name visible in the zone?
+		 */
+		if (!dns_name_issubdomain(name, &zone->origin) ||
+		    (dns_name_countlabels(bottom) > 0 &&
+		     dns_name_issubdomain(name, bottom)))
+			goto next;
+
+		/*
+		 * Don't check the NS records at the origin.
+		 */
+		if (dns_name_equal(name, &zone->origin))
+			goto checkmx;
+
+		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ns, 
+					     0, 0, &rdataset, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto checkmx;
+		/*
+		 * Remember bottom of zone.
+		 */
+		dns_name_copy(name, bottom, NULL);
+
+		result = dns_rdataset_first(&rdataset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &ns, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (!zone_check_glue(zone, db, &ns.name, name))
+				ok = ISC_FALSE;
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rdataset);
+		}
+		dns_rdataset_disassociate(&rdataset);
+
+ checkmx:
+		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_mx, 
+					     0, 0, &rdataset, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto checksrv;
+		result = dns_rdataset_first(&rdataset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &mx, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (!zone_check_mx(zone, db, &mx.mx, name))
+				ok = ISC_FALSE;
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rdataset);
+		}
+		dns_rdataset_disassociate(&rdataset);
+
+ checksrv:
+		if (zone->rdclass != dns_rdataclass_in)
+			goto next;
+		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_srv, 
+					     0, 0, &rdataset, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto next;
+		result = dns_rdataset_first(&rdataset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &srv, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (!zone_check_srv(zone, db, &srv.target, name))
+				ok = ISC_FALSE;
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rdataset);
+		}
+		dns_rdataset_disassociate(&rdataset);
+
+ next:
+		dns_db_detachnode(db, &node);
+		result = dns_dbiterator_next(dbiterator);
+	}
+
+ cleanup:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	dns_dbiterator_destroy(&dbiterator);
+
+	return (ok);
+}
+
+/*
+ * OpenSSL verification of RSA keys with exponent 3 is known to be
+ * broken prior OpenSSL 0.9.8c/0.9.7k.  Look for such keys and warn
+ * if they are in use.
+ */
+static void
+zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	isc_boolean_t logit, foundrsa = ISC_FALSE, foundmd5 = ISC_FALSE;
+	const char *algorithm;
+
+	result = dns_db_findnode(db, &zone->origin, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dns_db_currentversion(db, &version);
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) 
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
+		INSIST(result == ISC_R_SUCCESS);
+		
+		if ((dnskey.algorithm == DST_ALG_RSASHA1 ||
+		     dnskey.algorithm == DST_ALG_RSAMD5) &&
+		     dnskey.datalen > 1 && dnskey.data[0] == 1 &&
+		     dnskey.data[1] == 3)
+		{
+			if (dnskey.algorithm == DST_ALG_RSASHA1) {
+				logit = !foundrsa;
+				foundrsa = ISC_TRUE;
+				algorithm = "RSASHA1";
+			} else {
+				logit = !foundmd5;
+				foundmd5 = ISC_TRUE;
+				algorithm = "RSAMD5";
+			}
+			if (logit)
+				dns_zone_log(zone, ISC_LOG_WARNING,
+					     "weak %s (%u) key found "
+					     "(exponent=3)", algorithm,
+					     dnskey.algorithm);
+			if (foundrsa && foundmd5)
+				break;
+		}
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rdataset);
+
+ cleanup:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (version != NULL)
+		dns_db_closeversion(db, &version, ISC_FALSE);
+	
+}
+
 static isc_result_t
 zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	      isc_result_t result)
 {
 	unsigned int soacount = 0;
 	unsigned int nscount = 0;
+	unsigned int errors = 0;
 	isc_uint32_t serial, refresh, retry, expire, minimum;
 	isc_time_t now;
 	isc_boolean_t needdump = ISC_FALSE;
@@ -1281,12 +1908,13 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 					     "no master file");
 			else if (result != DNS_R_NOMASTERFILE)
 				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "loading master file %s: %s",
+					     "loading from master file %s "
+					     "failed: %s",
 					     zone->masterfile,
 					     dns_result_totext(result));
 		} else
 			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "loading master file %s: %s",
+				     "loading from master file %s failed: %s",
 				     zone->masterfile,
 				     dns_result_totext(result));
 		goto cleanup;
@@ -1337,14 +1965,12 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	dns_zone_log(zone, ISC_LOG_DEBUG(1), "loaded");
 
 	/*
-	 * Obtain ns and soa counts for top of zone.
+	 * Obtain ns, soa and cname counts for top of zone.
 	 */
-	nscount = 0;
-	soacount = 0;
 	INSIST(db != NULL);
-	result = zone_get_from_db(db, &zone->origin, &nscount,
-				  &soacount, &serial, &refresh, &retry,
-				  &expire, &minimum);
+	result = zone_get_from_db(zone, db, &nscount, &soacount, &serial,
+				  &refresh, &retry, &expire, &minimum,
+				  &errors);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
 			     "could not find NS and/or SOA records");
@@ -1371,6 +1997,17 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 		}
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
+		if (zone->type == dns_zone_master && errors != 0) {
+			result = DNS_R_BADZONE;
+			goto cleanup;
+		}
+		if (zone->type == dns_zone_master &&
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKINTEGRITY) &&
+		    !integrity_checks(zone, db)) {
+			result = DNS_R_BADZONE;
+			goto cleanup;
+		}
+
 		if (zone->db != NULL) {
 			/*
 			 * This is checked in zone_replacedb() for slave zones
@@ -1397,7 +2034,9 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 					     "zone serial has gone backwards");
 			else if (serial == zone->serial && !hasinclude) 
 				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone serial unchanged");
+					     "zone serial unchanged. "
+					     "zone may fail to transfer "
+					     "to slaves.");
 		}
 		zone->serial = serial;
 		zone->refresh = RANGE(refresh,
@@ -1440,6 +2079,11 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 		goto cleanup;
 	}
 
+	/*
+	 * Check for weak DNSKEY's.
+	 */
+	if (zone->type == dns_zone_master)
+		zone_check_dnskeys(zone, db);
 
 #if 0
 	/* destroy notification example. */
@@ -1453,12 +2097,15 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	}
 #endif
 
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
 	if (zone->db != NULL) {
 		result = zone_replacedb(zone, db, ISC_FALSE);
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 	} else {
-		dns_db_attach(db, &zone->db);
+		zone_attachdb(zone, db);
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
 		DNS_ZONE_SETFLAG(zone,
 				 DNS_ZONEFLG_LOADED|DNS_ZONEFLG_NEEDNOTIFY);
 	}
@@ -1509,36 +2156,111 @@ exit_check(dns_zone_t *zone) {
 	return (ISC_FALSE);
 }
 
+static isc_boolean_t
+zone_check_ns(dns_zone_t *zone, dns_db_t *db, dns_name_t *name) {
+	isc_result_t result;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	int level;
+	
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOCHECKNS))
+		return (ISC_TRUE);
+
+	if (zone->type == dns_zone_master)
+		level = ISC_LOG_ERROR;
+	else
+		level = ISC_LOG_WARNING;
+
+	dns_fixedname_init(&fixed);
+	foundname = dns_fixedname_name(&fixed);
+
+	result = dns_db_find(db, name, NULL, dns_rdatatype_a,
+			     0, 0, NULL, foundname, NULL, NULL);
+	if (result == ISC_R_SUCCESS)
+		return (ISC_TRUE);
+
+	if (result == DNS_R_NXRRSET) {
+		result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
+				     0, 0, NULL, foundname, NULL, NULL);
+		if (result == ISC_R_SUCCESS)
+			return (ISC_TRUE);
+	}
+
+	dns_name_format(name, namebuf, sizeof namebuf);
+	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
+	    result == DNS_R_EMPTYNAME) {
+		dns_zone_log(zone, level,
+			     "NS '%s' has no address records (A or AAAA)",
+			     namebuf);
+		/* XXX950 Make fatal ISC_FALSE for 9.5.0. */
+		return (ISC_TRUE);
+	}
+
+	if (result == DNS_R_CNAME) {
+		dns_zone_log(zone, level, "NS '%s' is a CNAME (illegal)",
+			     namebuf);
+		/* XXX950 Make fatal ISC_FALSE for 9.5.0. */
+		return (ISC_TRUE);
+	}
+
+	if (result == DNS_R_DNAME) {
+		dns_name_format(foundname, altbuf, sizeof altbuf);
+		dns_zone_log(zone, level,
+			     "NS '%s' is below a DNAME '%s' (illegal)",
+			     namebuf, altbuf);
+		/* XXX950 Make fatal ISC_FALSE for 9.5.0. */
+		return (ISC_TRUE);
+	}
+
+	return (ISC_TRUE);
+}
+
 static isc_result_t
-zone_count_ns_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-		 unsigned int *nscount)
+zone_count_ns_rr(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
+		 dns_dbversion_t *version, unsigned int *nscount,
+		 unsigned int *errors)
 {
 	isc_result_t result;
-	unsigned int count;
+	unsigned int count = 0;
+	unsigned int ecount = 0;
 	dns_rdataset_t rdataset;
-
-	REQUIRE(nscount != NULL);
+	dns_rdata_t rdata;
+	dns_rdata_ns_t ns;
 
 	dns_rdataset_init(&rdataset);
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns,
 				     dns_rdatatype_none, 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		*nscount = 0;
-		result = ISC_R_SUCCESS;
-		goto invalidate_rdataset;
-	}
+	if (result == ISC_R_NOTFOUND)
+		goto success;
 	if (result != ISC_R_SUCCESS)
 		goto invalidate_rdataset;
 
-	count = 0;
 	result = dns_rdataset_first(&rdataset);
 	while (result == ISC_R_SUCCESS) {
+		if (errors != NULL && zone->rdclass == dns_rdataclass_in &&
+		    (zone->type == dns_zone_master ||
+		     zone->type == dns_zone_slave)) {
+			dns_rdata_init(&rdata);
+			dns_rdataset_current(&rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &ns, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (dns_name_issubdomain(&ns.name, &zone->origin) &&
+			    !zone_check_ns(zone, db, &ns.name))
+				ecount++;
+		}
 		count++;
 		result = dns_rdataset_next(&rdataset);
 	}
 	dns_rdataset_disassociate(&rdataset);
 
-	*nscount = count;
+ success:
+	if (nscount != NULL)
+		*nscount = count;
+	if (errors != NULL)
+		*errors = ecount;
+
 	result = ISC_R_SUCCESS;
 
  invalidate_rdataset:
@@ -1626,10 +2348,11 @@ zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
  * zone must be locked.
  */
 static isc_result_t
-zone_get_from_db(dns_db_t *db, dns_name_t *origin, unsigned int *nscount,
+zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
 		 unsigned int *soacount, isc_uint32_t *serial,
 		 isc_uint32_t *refresh, isc_uint32_t *retry,
-		 isc_uint32_t *expire, isc_uint32_t *minimum)
+		 isc_uint32_t *expire, isc_uint32_t *minimum,
+		 unsigned int *errors)
 {
 	dns_dbversion_t *version;
 	isc_result_t result;
@@ -1637,20 +2360,21 @@ zone_get_from_db(dns_db_t *db, dns_name_t *origin, unsigned int *nscount,
 	dns_dbnode_t *node;
 
 	REQUIRE(db != NULL);
-	REQUIRE(origin != NULL);
+	REQUIRE(zone != NULL);
 
 	version = NULL;
 	dns_db_currentversion(db, &version);
 
 	node = NULL;
-	result = dns_db_findnode(db, origin, ISC_FALSE, &node);
+	result = dns_db_findnode(db, &zone->origin, ISC_FALSE, &node);
 	if (result != ISC_R_SUCCESS) {
 		answer = result;
 		goto closeversion;
 	}
 
-	if (nscount != NULL) {
-		result = zone_count_ns_rr(db, node, version, nscount);
+	if (nscount != NULL || errors != NULL) {
+		result = zone_count_ns_rr(zone, db, node, version,
+					  nscount, errors);
 		if (result != ISC_R_SUCCESS)
 			answer = result;
 	}
@@ -1979,6 +2703,37 @@ dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
 	return (result);
 }
 
+static isc_boolean_t
+same_masters(const isc_sockaddr_t *old, const isc_sockaddr_t *new,
+	     isc_uint32_t count)
+{
+	unsigned int i;
+
+	for (i = 0; i < count; i++)
+		if (!isc_sockaddr_equal(&old[i], &new[i]))
+			return (ISC_FALSE);
+	return (ISC_TRUE);
+}
+
+static isc_boolean_t
+same_keynames(dns_name_t **old, dns_name_t **new, isc_uint32_t count) {
+	unsigned int i;
+
+	if (old == NULL && new == NULL)
+		return (ISC_TRUE);
+	if (old == NULL || new == NULL)
+		return (ISC_FALSE);
+
+	for (i = 0; i < count; i++) {
+		if (old[i] == NULL && new[i] == NULL)
+			continue;
+		if (old[i] == NULL || new[i] == NULL ||
+		     !dns_name_equal(old[i], new[i]))
+			return (ISC_FALSE);
+	}
+	return (ISC_TRUE);
+}
+
 isc_result_t
 dns_zone_setmasterswithkeys(dns_zone_t *zone,
 			    const isc_sockaddr_t *masters,
@@ -1998,6 +2753,19 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone,
 	}
 
 	LOCK_ZONE(zone);
+	/* 
+	 * The refresh code assumes that 'masters' wouldn't change under it.
+	 * If it will change then kill off any current refresh in progress
+	 * and update the masters info.  If it won't change then we can just
+	 * unlock and exit.
+	 */
+	if (count != zone->masterscnt ||
+	    !same_masters(zone->masters, masters, count) ||
+	    !same_keynames(zone->masterkeynames, keynames, count)) {
+		if (zone->request != NULL)
+			dns_request_cancel(zone->request);
+	} else
+		goto unlock;
 	if (zone->masters != NULL) {
 		isc_mem_put(zone->mctx, zone->masters,
 			    zone->masterscnt * sizeof(*new));
@@ -2115,12 +2883,12 @@ dns_zone_getdb(dns_zone_t *zone, dns_db_t **dpb) {
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
-	LOCK_ZONE(zone);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
 	if (zone->db == NULL)
 		result = DNS_R_NOTLOADED;
 	else
 		dns_db_attach(zone->db, dpb);
-	UNLOCK_ZONE(zone);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
 
 	return (result);
 }
@@ -2245,8 +3013,9 @@ zone_maintenance(dns_zone_t *zone) {
 	switch (zone->type) {
 	case dns_zone_master:
 	case dns_zone_slave:
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY))
-			zone_notify(zone);
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) &&
+		    isc_time_compare(&now, &zone->notifytime) >= 0)
+			zone_notify(zone, &now);
 		break;
 	default:
 		break;
@@ -2498,6 +3267,7 @@ zone_dump(dns_zone_t *zone, isc_boolean_t compact) {
 	isc_boolean_t again;
 	dns_db_t *db = NULL;
 	char *masterfile = NULL;
+	dns_masterformat_t masterformat = dns_masterformat_none;
 
 /*
  * 'compact' MUST only be set if we are task locked.
@@ -2507,11 +3277,15 @@ zone_dump(dns_zone_t *zone, isc_boolean_t compact) {
 	ENTER;
 
  redo:
-	LOCK_ZONE(zone);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
 	if (zone->db != NULL)
 		dns_db_attach(zone->db, &db);
-	if (zone->masterfile != NULL)
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	LOCK_ZONE(zone);
+	if (zone->masterfile != NULL) {
 		masterfile = isc_mem_strdup(zone->mctx, zone->masterfile);
+		masterformat = zone->masterformat;
+	}
 	UNLOCK_ZONE(zone);
 	if (db == NULL) {
 		result = DNS_R_NOTLOADED;
@@ -2536,9 +3310,9 @@ zone_dump(dns_zone_t *zone, isc_boolean_t compact) {
 		UNLOCK_ZONE(zone);
 	} else {
 		dns_db_currentversion(db, &version);
-		result = dns_master_dump(zone->mctx, db, version,
-					 &dns_master_style_default,
-					 masterfile);
+		result = dns_master_dump2(zone->mctx, db, version,
+					  &dns_master_style_default,
+					  masterfile, masterformat);
 		dns_db_closeversion(db, &version, ISC_FALSE);
 	}
  fail:
@@ -2576,35 +3350,46 @@ zone_dump(dns_zone_t *zone, isc_boolean_t compact) {
 }
 
 static isc_result_t
-dumptostream(dns_zone_t *zone, FILE *fd, const dns_master_style_t *style) {
+dumptostream(dns_zone_t *zone, FILE *fd, const dns_master_style_t *style,
+	     dns_masterformat_t format)
+{
 	isc_result_t result;
 	dns_dbversion_t *version = NULL;
 	dns_db_t *db = NULL;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
-	LOCK_ZONE(zone);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
 	if (zone->db != NULL)
 		dns_db_attach(zone->db, &db);
-	UNLOCK_ZONE(zone);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
 	if (db == NULL)
 		return (DNS_R_NOTLOADED);
 
 	dns_db_currentversion(db, &version);
-	result = dns_master_dumptostream(zone->mctx, db, version, style, fd);
+	result = dns_master_dumptostream2(zone->mctx, db, version, style,
+					  format, fd);
 	dns_db_closeversion(db, &version, ISC_FALSE);
 	dns_db_detach(&db);
 	return (result);
 }
 
 isc_result_t
+dns_zone_dumptostream2(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
+		       const dns_master_style_t *style) {
+	return dumptostream(zone, fd, style, format);
+}
+
+isc_result_t
 dns_zone_dumptostream(dns_zone_t *zone, FILE *fd) {
-	return dumptostream(zone, fd, &dns_master_style_default);
+	return dumptostream(zone, fd, &dns_master_style_default,
+			    dns_masterformat_text);
 }
 
 isc_result_t
 dns_zone_fulldumptostream(dns_zone_t *zone, FILE *fd) {
-	return dumptostream(zone, fd, &dns_master_style_full);
+	return dumptostream(zone, fd, &dns_master_style_full,
+			    dns_masterformat_text);
 }
 
 void
@@ -2645,7 +3430,9 @@ zone_unload(dns_zone_t *zone) {
 
 	REQUIRE(LOCKED_ZONE(zone));
 
-	dns_db_detach(&zone->db);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+	zone_detachdb(zone);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
 	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADED);
 	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
 }
@@ -2700,6 +3487,46 @@ notify_isqueued(dns_zone_t *zone, dns_name_t *name, isc_sockaddr_t *addr) {
 	return (ISC_FALSE);
 }
 
+static isc_boolean_t
+notify_isself(dns_zone_t *zone, isc_sockaddr_t *dst) {
+	dns_tsigkey_t *key = NULL;
+	isc_sockaddr_t src;
+	isc_sockaddr_t any;
+	isc_boolean_t isself;
+	isc_netaddr_t dstaddr;
+
+	if (zone->view == NULL || zone->isself == NULL)
+		return (ISC_FALSE);
+
+	switch (isc_sockaddr_pf(dst)) {
+	case PF_INET:
+		src = zone->notifysrc4;
+		isc_sockaddr_any(&any);
+		break;
+	case PF_INET6:
+		src = zone->notifysrc6;
+		isc_sockaddr_any6(&any);
+		break;
+	default:
+		return (ISC_FALSE);
+	}
+
+	/*
+	 * When sending from any the kernel will assign a source address
+	 * that matches the destination address.
+	 */
+	if (isc_sockaddr_eqaddr(&any, &src))
+		src = *dst;
+
+	isc_netaddr_fromsockaddr(&dstaddr, dst);
+	(void)dns_view_getpeertsig(zone->view, &dstaddr, &key);
+	isself = (zone->isself)(zone->view, key, &src, dst, zone->rdclass,
+				zone->isselfarg);
+	if (key != NULL)
+		dns_tsigkey_detach(&key);
+	return (isself);
+}
+
 static void
 notify_destroy(dns_notify_t *notify, isc_boolean_t locked) {
 	isc_mem_t *mctx;
@@ -2800,7 +3627,7 @@ notify_find_address(dns_notify_t *notify) {
 	result = dns_adb_createfind(notify->zone->view->adb,
 				    notify->zone->task,
 				    process_adb_event, notify,
-				    &notify->ns, dns_rootname,
+				    &notify->ns, dns_rootname, 0,
 				    options, 0, NULL,
 				    notify->zone->view->dstport,
 				    &notify->find);
@@ -2853,6 +3680,7 @@ notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
 	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
 	isc_sockaddr_t src;
 	int timeout;
+	isc_boolean_t have_notifysource = ISC_FALSE;
 
 	notify = event->ev_arg;
 	REQUIRE(DNS_NOTIFY_VALID(notify));
@@ -2880,7 +3708,7 @@ notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
 	 */
 	if (isc_sockaddr_pf(&notify->dst) == PF_INET6 &&
 	    IN6_IS_ADDR_V4MAPPED(&notify->dst.type.sin6.sin6_addr)) {
-	        isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
+		isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
 		notify_log(notify->zone, ISC_LOG_DEBUG(3),
 			   "notify: ignoring IPv6 mapped IPV4 address: %s",
 			   addrbuf);
@@ -2898,12 +3726,24 @@ notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
 	isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
 	notify_log(notify->zone, ISC_LOG_DEBUG(3), "sending notify to %s",
 		   addrbuf);
+	if (notify->zone->view->peers != NULL) {
+		dns_peer_t *peer = NULL;
+		result = dns_peerlist_peerbyaddr(notify->zone->view->peers,
+						 &dstip, &peer);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_peer_getnotifysource(peer, &src);
+			if (result == ISC_R_SUCCESS)
+				have_notifysource = ISC_TRUE;
+		}
+	}
 	switch (isc_sockaddr_pf(&notify->dst)) {
 	case PF_INET:
-		src = notify->zone->notifysrc4;
+		if (!have_notifysource)
+			src = notify->zone->notifysrc4;
 		break;
 	case PF_INET6:
-		src = notify->zone->notifysrc6;
+		if (!have_notifysource)
+			src = notify->zone->notifysrc6;
 		break;
 	default:
 		result = ISC_R_NOTIMPLEMENTED;
@@ -2947,6 +3787,8 @@ notify_send(dns_notify_t *notify) {
 		dst = ai->sockaddr;
 		if (notify_isqueued(notify->zone, NULL, &dst))
 			continue;
+		if (notify_isself(notify->zone, &dst))
+			continue;
 		new = NULL;
 		result = notify_create(notify->mctx,
 				       (notify->flags & DNS_NOTIFY_NOSOA),
@@ -2982,8 +3824,9 @@ dns_zone_notify(dns_zone_t *zone) {
 }
 
 static void
-zone_notify(dns_zone_t *zone) {
+zone_notify(dns_zone_t *zone, isc_time_t *now) {
 	dns_dbnode_t *node = NULL;
+	dns_db_t *zonedb = NULL;
 	dns_dbversion_t *version = NULL;
 	dns_name_t *origin = NULL;
 	dns_name_t master;
@@ -3001,13 +3844,13 @@ zone_notify(dns_zone_t *zone) {
 	dns_notifytype_t notifytype;
 	unsigned int flags = 0;
 	isc_boolean_t loggednotify = ISC_FALSE;
-	dns_db_t *db = NULL;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
 	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
 	notifytype = zone->notifytype;
+	DNS_ZONE_TIME_ADD(now, zone->notifydelay, &zone->notifytime);
 	UNLOCK_ZONE(zone);
 
 	if (! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
@@ -3016,11 +3859,8 @@ zone_notify(dns_zone_t *zone) {
 	if (notifytype == dns_notifytype_no)
 		return;
 
-	LOCK_ZONE(zone);
-	if (zone->db != NULL)
-		dns_db_attach(zone->db, &db);
-	UNLOCK_ZONE(zone);
-	if (db == NULL)
+	if (notifytype == dns_notifytype_masteronly &&
+	    zone->type != dns_zone_master)
 		return;
 
 	origin = &zone->origin;
@@ -3035,13 +3875,19 @@ zone_notify(dns_zone_t *zone) {
 	/*
 	 * Get SOA RRset.
 	 */
-	dns_db_currentversion(db, &version);
-	result = dns_db_findnode(db, origin, ISC_FALSE, &node);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL)
+		dns_db_attach(zone->db, &zonedb);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zonedb == NULL)
+		return;
+	dns_db_currentversion(zonedb, &version);
+	result = dns_db_findnode(zonedb, origin, ISC_FALSE, &node);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup1;
 
 	dns_rdataset_init(&soardset);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
+	result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_soa,
 				     dns_rdatatype_none, 0, &soardset, NULL);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup2;
@@ -3098,7 +3944,7 @@ zone_notify(dns_zone_t *zone) {
 	 */
 
 	dns_rdataset_init(&nsrdset);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns,
+	result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_ns,
 				     dns_rdatatype_none, 0, &nsrdset, NULL);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup3;
@@ -3155,10 +4001,10 @@ zone_notify(dns_zone_t *zone) {
 	if (dns_name_dynamic(&master))
 		dns_name_free(&master, zone->mctx);
  cleanup2:
-	dns_db_detachnode(db, &node);
+	dns_db_detachnode(zonedb, &node);
  cleanup1:
-	dns_db_closeversion(db, &version, ISC_FALSE);
-	dns_db_detach(&db);
+	dns_db_closeversion(zonedb, &version, ISC_FALSE);
+	dns_db_detach(&zonedb);
 }
 
 /***
@@ -3406,10 +4252,10 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 	 * Tidy up.
 	 */
 	dns_db_closeversion(stub->db, &stub->version, ISC_TRUE);
-	LOCK_ZONE(zone);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
 	if (zone->db == NULL)
-		dns_db_attach(stub->db, &zone->db);
-	UNLOCK_ZONE(zone);
+		zone_attachdb(zone, stub->db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
 	dns_db_detach(&stub->db);
 
 	if (zone->masterfile != NULL) {
@@ -3955,7 +4801,7 @@ create_query(dns_zone_t *zone, dns_rdatatype_t rdtype,
 }
 
 static isc_result_t
-add_opt(dns_message_t *message) {
+add_opt(dns_message_t *message, isc_uint16_t udpsize) {
 	dns_rdataset_t *rdataset = NULL;
 	dns_rdatalist_t *rdatalist = NULL;
 	dns_rdata_t *rdata = NULL;
@@ -3978,7 +4824,7 @@ add_opt(dns_message_t *message) {
 	/*
 	 * Set Maximum UDP buffer size.
 	 */
-	rdatalist->rdclass = SEND_BUFFER_SIZE;
+	rdatalist->rdclass = udpsize;
 
 	/*
 	 * Set EXTENDED-RCODE, VERSION, DO and Z to 0.
@@ -4025,6 +4871,7 @@ soa_query(isc_task_t *task, isc_event_t *event) {
 	isc_boolean_t cancel = ISC_TRUE;
 	int timeout;
 	isc_boolean_t have_xfrsource;
+	isc_uint16_t udpsize = SEND_BUFFER_SIZE;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
@@ -4068,7 +4915,7 @@ soa_query(isc_task_t *task, isc_event_t *event) {
 			char namebuf[DNS_NAME_FORMATSIZE];
 			dns_name_format(keyname, namebuf, sizeof(namebuf));
 			dns_zone_log(zone, ISC_LOG_ERROR,
-			             "unable to find key: %s", namebuf);
+				     "unable to find key: %s", namebuf);
 		}
 	}
 	if (key == NULL)
@@ -4088,6 +4935,10 @@ soa_query(isc_task_t *task, isc_event_t *event) {
 							    &zone->sourceaddr);
 			if (result == ISC_R_SUCCESS)
 				have_xfrsource = ISC_TRUE;
+			if (zone->view->resolver != NULL)
+				udpsize =
+				  dns_resolver_getudpsize(zone->view->resolver);
+			(void)dns_peer_getudpsize(peer, &udpsize);
 		}
 	}
 
@@ -4119,7 +4970,7 @@ soa_query(isc_task_t *task, isc_event_t *event) {
 		  DNS_REQUESTOPT_TCP : 0;
 
 	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
-		result = add_opt(message);
+		result = add_opt(message, udpsize);
 		if (result != ISC_R_SUCCESS)
 			zone_debuglog(zone, me, 1,
 				      "unable to add opt record: %s",
@@ -4184,6 +5035,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 	dns_dbnode_t *node = NULL;
 	int timeout;
 	isc_boolean_t have_xfrsource = ISC_FALSE;
+	isc_uint16_t udpsize = SEND_BUFFER_SIZE;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE((soardataset != NULL && stub == NULL) ||
@@ -4213,9 +5065,13 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 		 * new one and attach it to the zone once we have the NS
 		 * RRset and glue.
 		 */
-		if (zone->db != NULL)
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		if (zone->db != NULL) {
 			dns_db_attach(zone->db, &stub->db);
-		else {
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+		} else {
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
 			INSIST(zone->db_argc >= 1);
 			result = dns_db_create(zone->mctx, zone->db_argv[0],
 					       &zone->origin, dns_dbtype_stub,
@@ -4284,7 +5140,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 			char namebuf[DNS_NAME_FORMATSIZE];
 			dns_name_format(keyname, namebuf, sizeof(namebuf));
 			dns_zone_log(zone, ISC_LOG_ERROR,
-			             "unable to find key: %s", namebuf);
+				     "unable to find key: %s", namebuf);
 		}
 	}
 	if (key == NULL)
@@ -4303,11 +5159,15 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 							    &zone->sourceaddr);
 			if (result == ISC_R_SUCCESS)
 				have_xfrsource = ISC_TRUE;
+			if (zone->view->resolver != NULL)
+				udpsize =
+				  dns_resolver_getudpsize(zone->view->resolver);
+			(void)dns_peer_getudpsize(peer, &udpsize);
 		}
 		
 	}
 	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
-		result = add_opt(message);
+		result = add_opt(message, udpsize);
 		if (result != ISC_R_SUCCESS)
 			zone_debuglog(zone, me, 1,
 				      "unable to add opt record: %s",
@@ -4367,7 +5227,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 	if (message != NULL)
 		dns_message_destroy(&message);
   unlock:
-        if (key != NULL)
+	if (key != NULL)
 		dns_tsigkey_detach(&key);
 	UNLOCK_ZONE(zone);
 	return;
@@ -4495,7 +5355,7 @@ zone_settimer(dns_zone_t *zone, isc_time_t *now) {
 	switch (zone->type) {
 	case dns_zone_master:
 		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY))
-			next = *now;
+			next = zone->notifytime;
 		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
 		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
 			INSIST(!isc_time_isepoch(&zone->dumptime));
@@ -4507,7 +5367,7 @@ zone_settimer(dns_zone_t *zone, isc_time_t *now) {
 
 	case dns_zone_slave:
 		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY))
-			next = *now;
+			next = zone->notifytime;
 		/*FALLTHROUGH*/
 
 	case dns_zone_stub:
@@ -4582,6 +5442,7 @@ static isc_result_t
 notify_createmessage(dns_zone_t *zone, unsigned int flags,
 		     dns_message_t **messagep)
 {
+	dns_db_t *zonedb = NULL;
 	dns_dbnode_t *node = NULL;
 	dns_dbversion_t *version = NULL;
 	dns_message_t *message = NULL;
@@ -4647,15 +5508,20 @@ notify_createmessage(dns_zone_t *zone, unsigned int flags,
 	if (result != ISC_R_SUCCESS)
 		goto soa_cleanup;
 
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	INSIST(zone->db != NULL); /* XXXJT: is this assumption correct? */
+	dns_db_attach(zone->db, &zonedb);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
 	dns_name_init(tempname, NULL);
 	dns_name_clone(&zone->origin, tempname);
-	dns_db_currentversion(zone->db, &version);
-	result = dns_db_findnode(zone->db, tempname, ISC_FALSE, &node);
+	dns_db_currentversion(zonedb, &version);
+	result = dns_db_findnode(zonedb, tempname, ISC_FALSE, &node);
 	if (result != ISC_R_SUCCESS)
 		goto soa_cleanup;
 
 	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(zone->db, node, version,
+	result = dns_db_findrdataset(zonedb, node, version,
 				     dns_rdatatype_soa,
 				     dns_rdatatype_none, 0, &rdataset,
 				     NULL);
@@ -4699,9 +5565,11 @@ notify_createmessage(dns_zone_t *zone, unsigned int flags,
 
  soa_cleanup:
 	if (node != NULL)
-		dns_db_detachnode(zone->db, &node);
+		dns_db_detachnode(zonedb, &node);
 	if (version != NULL)
-		dns_db_closeversion(zone->db, &version, ISC_FALSE);
+		dns_db_closeversion(zonedb, &version, ISC_FALSE);
+	if (zonedb != NULL)
+		dns_db_detach(&zonedb);
 	if (tempname != NULL)
 		dns_message_puttempname(message, &tempname);
 	if (temprdata != NULL)
@@ -4744,7 +5612,7 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 	 * If type != T_SOA return DNS_R_REFUSED.  We don't yet support
 	 * ROLLOVER.
 	 *
-	 * SOA:	RFC 1996
+	 * SOA:	RFC1996
 	 * Check that 'from' is a valid notify source, (zone->masters).
 	 *	Return DNS_R_REFUSED if not.
 	 *
@@ -5046,6 +5914,19 @@ dns_zone_setupdatedisabled(dns_zone_t *zone, isc_boolean_t state) {
 	zone->update_disabled = state;
 }
 
+isc_boolean_t
+dns_zone_getzeronosoattl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->zero_no_soa_ttl);
+
+}
+
+void
+dns_zone_setzeronosoattl(dns_zone_t *zone, isc_boolean_t state) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->zero_no_soa_ttl = state;
+}
+
 void
 dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity) {
 
@@ -5244,7 +6125,8 @@ dns_zone_getmaxxfrout(dns_zone_t *zone) {
 	return (zone->maxxfrout);
 }
 
-dns_zonetype_t dns_zone_gettype(dns_zone_t *zone) {
+dns_zonetype_t
+dns_zone_gettype(dns_zone_t *zone) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	return (zone->type);
@@ -5265,8 +6147,10 @@ dns_zone_settask(dns_zone_t *zone, isc_task_t *task) {
 	if (zone->task != NULL)
 		isc_task_detach(&zone->task);
 	isc_task_attach(task, &zone->task);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
 	if (zone->db != NULL)
 		dns_db_settask(zone->db, zone->task);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
 	UNLOCK_ZONE(zone);
 }
 
@@ -5371,7 +6255,9 @@ dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 	LOCK_ZONE(zone);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
 	result = zone_replacedb(zone, db, dump);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
 	UNLOCK_ZONE(zone);
 	return (result);
 }
@@ -5384,13 +6270,13 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 	unsigned int nscount = 0;
 
 	/*
-	 * 'zone' locked by caller.
+	 * 'zone' and 'zonedb' locked by caller.
 	 */
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE(LOCKED_ZONE(zone));
 
-	result = zone_get_from_db(db, &zone->origin, &nscount, &soacount,
-				  NULL, NULL, NULL, NULL, NULL);
+	result = zone_get_from_db(zone, db, &nscount, &soacount,
+				  NULL, NULL, NULL, NULL, NULL, NULL);
 	if (result == ISC_R_SUCCESS) {
 		if (soacount != 1) {
 			dns_zone_log(zone, ISC_LOG_ERROR,
@@ -5478,7 +6364,8 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
 				      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
 				      "dumping new zone version");
-			result = dns_db_dump(db, ver, zone->masterfile);
+			result = dns_db_dump2(db, ver, zone->masterfile,
+					      zone->masterformat);
 			if (result != ISC_R_SUCCESS)
 				goto fail;
 
@@ -5518,8 +6405,8 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 		      "replacing zone database");
 
 	if (zone->db != NULL)
-		dns_db_detach(&zone->db);
-	dns_db_attach(db, &zone->db);
+		zone_detachdb(zone);
+	zone_attachdb(zone, db);
 	dns_db_settask(zone->db, zone->task);
 	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED|DNS_ZONEFLG_NEEDNOTIFY);
 	return (ISC_R_SUCCESS);
@@ -5529,6 +6416,33 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 	return (result);
 }
 
+/* The caller must hold the dblock as a writer. */
+static inline void
+zone_attachdb(dns_zone_t *zone, dns_db_t *db) {
+	REQUIRE(zone->db == NULL && db != NULL);
+
+	dns_db_attach(db, &zone->db);
+	if (zone->acache != NULL) {
+		isc_result_t result;
+		result = dns_acache_setdb(zone->acache, db);
+		if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "dns_acache_setdb() failed: %s",
+					 isc_result_totext(result));
+		}
+	}
+}
+
+/* The caller must hold the dblock as a writer. */
+static inline void
+zone_detachdb(dns_zone_t *zone) {
+	REQUIRE(zone->db != NULL);
+
+	if (zone->acache != NULL)
+		(void)dns_acache_putdb(zone->acache, zone->db);
+	dns_db_detach(&zone->db);
+}
+
 static void
 zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 	isc_time_t now;
@@ -5559,8 +6473,11 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 		/*
 		 * Has the zone expired underneath us?
 		 */
-		if (zone->db == NULL)
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		if (zone->db == NULL) {
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
 			goto same_master;
+		}
 
 		/*
 		 * Update the zone structure's data from the actual
@@ -5569,9 +6486,10 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 		nscount = 0;
 		soacount = 0;
 		INSIST(zone->db != NULL);
-		result = zone_get_from_db(zone->db, &zone->origin, &nscount,
+		result = zone_get_from_db(zone, zone->db, &nscount,
 					  &soacount, &serial, &refresh,
-					  &retry, &expire, &minimum);
+					  &retry, &expire, &minimum, NULL);
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
 		if (result == ISC_R_SUCCESS) {
 			if (soacount != 1)
 				dns_zone_log(zone, ISC_LOG_ERROR,
@@ -6217,13 +7135,9 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	ISC_LIST_INIT(zmgr->waiting_for_xfrin);
 	ISC_LIST_INIT(zmgr->xfrin_in_progress);
 	result = isc_rwlock_init(&zmgr->rwlock, 0, 0);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_rwlock_init() failed: %s",
-				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
+	if (result != ISC_R_SUCCESS)
 		goto free_mem;
-	}
+
 	zmgr->transfersin = 10;
 	zmgr->transfersperns = 2;
 
@@ -6254,12 +7168,9 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	ISC_LIST_INIT(zmgr->low);
 
 	result = isc_mutex_init(&zmgr->iolock);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 isc_result_totext(result));
+	if (result != ISC_R_SUCCESS)
 		goto free_rl;
-	}
+
 	zmgr->magic = ZONEMGR_MAGIC;
 
 	*zmgrp = zmgr;
@@ -6955,6 +7866,7 @@ dns_zone_getkeydirectory(dns_zone_t *zone) {
 
 	return (zone->keydirectory);
 }
+
 unsigned int
 dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) {
 	dns_zone_t *zone;
@@ -7046,3 +7958,47 @@ dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata) {
 
 	return (ISC_R_SUCCESS);
 }
+
+void
+dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->checkmx = checkmx;
+}
+
+void
+dns_zone_setchecksrv(dns_zone_t *zone, dns_checksrvfunc_t checksrv) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->checksrv = checksrv;
+}
+
+void
+dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->checkns = checkns;
+}
+
+void
+dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->isself = isself;
+	zone->isselfarg = arg;
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setnotifydelay(dns_zone_t *zone, isc_uint32_t delay) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->notifydelay = delay;
+	UNLOCK_ZONE(zone);
+}
+
+isc_uint32_t
+dns_zone_getnotifydelay(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->notifydelay);
+}
diff --git a/contrib/bind9/lib/dns/zonekey.c b/contrib/bind9/lib/dns/zonekey.c
index dc7ae0f..0ed63bb 100644
--- a/contrib/bind9/lib/dns/zonekey.c
+++ b/contrib/bind9/lib/dns/zonekey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zonekey.c,v 1.3.206.3 2004/03/08 09:04:33 marka Exp $ */
+/* $Id: zonekey.c,v 1.5.18.2 2005/04/29 00:16:08 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/dns/zt.c b/contrib/bind9/lib/dns/zt.c
index 7aa6a9f..4cb8f3f 100644
--- a/contrib/bind9/lib/dns/zt.c
+++ b/contrib/bind9/lib/dns/zt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,16 +15,24 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zt.c,v 1.33.12.6 2004/03/08 21:06:28 marka Exp $ */
+/* $Id: zt.c,v 1.38.18.5 2005/11/30 03:44:39 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
+#include <isc/file.h>
 #include <isc/magic.h>
 #include <isc/mem.h>
+#include <isc/string.h>
 #include <isc/util.h>
 
+#include <dns/log.h>
+#include <dns/name.h>
 #include <dns/rbt.h>
+#include <dns/rdataclass.h>
 #include <dns/result.h>
+#include <dns/view.h>
 #include <dns/zone.h>
 #include <dns/zt.h>
 
@@ -51,6 +59,9 @@ load(dns_zone_t *zone, void *uap);
 static isc_result_t
 loadnew(dns_zone_t *zone, void *uap);
 
+static isc_result_t
+freezezones(dns_zone_t *zone, void *uap);
+
 isc_result_t
 dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp) {
 	dns_zt_t *zt;
@@ -68,13 +79,8 @@ dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp) {
 		goto cleanup_zt;
 
 	result = isc_rwlock_init(&zt->rwlock, 0, 0);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_rwlock_init() failed: %s",
-				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_rbt;
-	}
 
 	zt->mctx = mctx;
 	zt->references = 1;
@@ -266,12 +272,90 @@ loadnew(dns_zone_t *zone, void *uap) {
 }
 
 isc_result_t
+dns_zt_freezezones(dns_zt_t *zt, isc_boolean_t freeze) {
+	isc_result_t result, tresult;
+
+	REQUIRE(VALID_ZT(zt));
+
+	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+	result = dns_zt_apply2(zt, ISC_FALSE, &tresult, freezezones, &freeze);
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
+	return ((result == ISC_R_SUCCESS) ? tresult : result);
+}
+
+static isc_result_t
+freezezones(dns_zone_t *zone, void *uap) {
+	isc_boolean_t freeze = *(isc_boolean_t *)uap;
+	isc_boolean_t frozen;
+	isc_result_t result = ISC_R_SUCCESS;
+	char classstr[DNS_RDATACLASS_FORMATSIZE];
+	char zonename[DNS_NAME_FORMATSIZE];
+	dns_view_t *view;
+	char *journal;
+	const char *vname;
+	const char *sep;
+	int level;
+
+	if (dns_zone_gettype(zone) != dns_zone_master)
+		return (ISC_R_SUCCESS);
+
+	frozen = dns_zone_getupdatedisabled(zone);
+	if (freeze) {
+		if (frozen)
+			result = DNS_R_FROZEN;
+		if (result == ISC_R_SUCCESS)
+			result = dns_zone_flush(zone);
+		if (result == ISC_R_SUCCESS) {
+			journal = dns_zone_getjournal(zone);
+			if (journal != NULL)
+				(void)isc_file_remove(journal);
+		}
+	} else {
+		if (frozen) {
+			result = dns_zone_load(zone);
+			if (result == DNS_R_CONTINUE ||
+			    result == DNS_R_UPTODATE)
+				result = ISC_R_SUCCESS;
+		}
+	}
+	if (result == ISC_R_SUCCESS)
+		dns_zone_setupdatedisabled(zone, freeze);
+	view = dns_zone_getview(zone);
+	if (strcmp(view->name, "_bind") == 0 ||
+	    strcmp(view->name, "_default") == 0)
+	{
+		vname = "";
+		sep = "";
+	} else {
+		vname = view->name;
+		sep = " ";
+	}
+	dns_rdataclass_format(dns_zone_getclass(zone), classstr,
+			      sizeof(classstr));
+	dns_name_format(dns_zone_getorigin(zone), zonename, sizeof(zonename));
+	level = (result != ISC_R_SUCCESS) ? ISC_LOG_ERROR : ISC_LOG_DEBUG(1);
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
+		      level, "%s zone '%s/%s'%s%s: %s",
+		      freeze ? "freezing" : "thawing",
+		      zonename, classstr, sep, vname,
+		      isc_result_totext(result));
+	return (result);
+}
+
+isc_result_t
 dns_zt_apply(dns_zt_t *zt, isc_boolean_t stop,
 	     isc_result_t (*action)(dns_zone_t *, void *), void *uap)
 {
+	return (dns_zt_apply2(zt, stop, NULL, action, uap));
+}
+
+isc_result_t
+dns_zt_apply2(dns_zt_t *zt, isc_boolean_t stop, isc_result_t *sub,
+	      isc_result_t (*action)(dns_zone_t *, void *), void *uap)
+{
 	dns_rbtnode_t *node;
 	dns_rbtnodechain_t chain;
-	isc_result_t result;
+	isc_result_t result, tresult = ISC_R_SUCCESS;
 	dns_zone_t *zone;
 
 	REQUIRE(VALID_ZT(zt));
@@ -292,8 +376,12 @@ dns_zt_apply(dns_zt_t *zt, isc_boolean_t stop,
 			zone = node->data;
 			if (zone != NULL)
 				result = (action)(zone, uap);
-			if (result != ISC_R_SUCCESS && stop)
+			if (result != ISC_R_SUCCESS && stop) {
+				tresult = result;
 				goto cleanup;	/* don't break */
+			} else if (result != ISC_R_SUCCESS &&
+				   tresult == ISC_R_SUCCESS)
+				tresult = result;
 		}
 		result = dns_rbtnodechain_next(&chain, NULL, NULL);
 	}
@@ -302,6 +390,8 @@ dns_zt_apply(dns_zt_t *zt, isc_boolean_t stop,
 
  cleanup:
 	dns_rbtnodechain_invalidate(&chain);
+	if (sub != NULL)
+		*sub = tresult;
 
 	return (result);
 }
diff --git a/contrib/bind9/lib/isc/Makefile.in b/contrib/bind9/lib/isc/Makefile.in
index 7e53510..c03a3df 100644
--- a/contrib/bind9/lib/isc/Makefile.in
+++ b/contrib/bind9/lib/isc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.71.2.2.2.8 2004/07/20 07:01:58 marka Exp $
+# $Id: Makefile.in,v 1.81.18.6 2006/01/27 23:57:45 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -25,6 +25,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	-I${srcdir}/unix/include \
 		-I${srcdir}/@ISC_THREAD_DIR@/include \
+		-I${srcdir}/@ISC_ARCH_DIR@/include \
 		-I./include \
 		-I${srcdir}/include
 CDEFINES =
@@ -52,25 +53,25 @@ WIN32OBJS = 	win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
 OBJS =		@ISC_EXTRA_OBJS@ \
 		assertions.@O@ base64.@O@ bitstring.@O@ buffer.@O@ \
 		bufferlist.@O@ commandline.@O@ error.@O@ event.@O@ \
-		hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ \
+		hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@\
 		lex.@O@ lfsr.@O@ lib.@O@ log.@O@ md5.@O@ \
 		mem.@O@ mutexblock.@O@ netaddr.@O@ netscope.@O@ ondestroy.@O@ \
 		parseint.@O@ quota.@O@ random.@O@ \
-		ratelimiter.@O@ region.@O@ result.@O@ rwlock.@O@ \
-		serial.@O@ sha1.@O@ sockaddr.@O@ string.@O@ strtoul.@O@ \
-		symtab.@O@ task.@O@ taskpool.@O@ timer.@O@ version.@O@ \
-		${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
+		ratelimiter.@O@ refcount.@O@ region.@O@ result.@O@ rwlock.@O@ \
+		serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ string.@O@ \
+	        strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ timer.@O@ \
+	        version.@O@ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
 
 # Alphabetically
 SRCS =		@ISC_EXTRA_SRCS@ \
 		assertions.c base64.c bitstring.c buffer.c \
 		bufferlist.c commandline.c error.c event.c \
-		heap.c hex.c hmacmd5.c \
+		heap.c hex.c hmacmd5.c hmacsha.c \
 		lex.c lfsr.c lib.c log.c \
 		md5.c mem.c mutexblock.c netaddr.c netscope.c ondestroy.c \
 		parseint.c quota.c random.c \
-		ratelimiter.c result.c rwlock.c \
-		serial.c sha1.c sockaddr.c string.c strtoul.c symtab.c \
+		ratelimiter.c refcount.c region.c result.c rwlock.c \
+		serial.c sha1.c sha2.c sockaddr.c string.c strtoul.c symtab.c \
 		task.c taskpool.c timer.c version.c
 
 LIBS =		@LIBS@
diff --git a/contrib/bind9/lib/isc/alpha/include/isc/atomic.h b/contrib/bind9/lib/isc/alpha/include/isc/atomic.h
new file mode 100644
index 0000000..a4b9b15
--- /dev/null
+++ b/contrib/bind9/lib/isc/alpha/include/isc/atomic.h
@@ -0,0 +1,170 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: atomic.h,v 1.2.2.2 2005/06/16 22:01:01 jinmei Exp $ */
+
+/*
+ * This code was written based on FreeBSD's kernel source whose copyright
+ * follows:
+ */
+
+/*-
+ * Copyright (c) 1998 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#ifdef ISC_PLATFORM_USEOSFASM
+#include <c_asm.h>
+
+#pragma intrinsic(asm)
+
+/*
+ * This routine atomically increments the value stored in 'p' by 'val', and
+ * returns the previous value.
+ */
+static inline isc_int32_t 
+isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
+	return (asm("1:"
+		    "ldl_l %t0, 0(%a0);"	/* load old value */
+		    "mov %t0, %v0;"		/* copy the old value */
+		    "addl %t0, %a1, %t0;"	/* calculate new value */
+		    "stl_c %t0, 0(%a0);"	/* attempt to store */
+		    "beq %t0, 1b;",		/* spin if failed */
+		    p, val));
+}
+
+/*
+ * This routine atomically stores the value 'val' in 'p'.
+ */
+static inline void
+isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
+	(void)asm("1:"
+		  "ldl_l %t0, 0(%a0);"		/* load old value */
+		  "mov %a1, %t0;"		/* value to store */
+		  "stl_c %t0, 0(%a0);"		/* attempt to store */
+		  "beq %t0, 1b;",		/* spin if failed */
+		  p, val);
+}
+
+/*
+ * This routine atomically replaces the value in 'p' with 'val', if the
+ * original value is equal to 'cmpval'.  The original value is returned in any
+ * case.
+ */
+static inline isc_int32_t
+isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
+
+	return(asm("1:"
+		   "ldl_l %t0, 0(%a0);"		/* load old value */
+		   "mov %t0, %v0;"		/* copy the old value */
+		   "cmpeq %t0, %a1, %t0;"	/* compare */
+		   "beq %t0, 2f;"		/* exit if not equal */
+		   "mov %a2, %t0;"		/* value to store */
+		   "stl_c %t0, 0(%a0);"		/* attempt to store */
+		   "beq %t0, 1b;"		/* if it failed, spin */
+		   "2:",
+		   p, cmpval, val));
+}
+#elif defined (ISC_PLATFORM_USEGCCASM)
+static inline isc_int32_t 
+isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
+	isc_int32_t temp, prev;
+
+	__asm__ volatile(
+		"1:"
+		"ldl_l %0, %1;"			/* load old value */
+		"mov %0, %2;"			/* copy the old value */
+		"addl %0, %3, %0;"		/* calculate new value */
+		"stl_c %0, %1;"			/* attempt to store */
+		"beq %0, 1b;"			/* spin if failed */
+		: "=&r"(temp), "+m"(*p), "=r"(prev)
+		: "r"(val)
+		: "memory");
+
+	return (prev);
+}
+
+static inline void
+isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
+	isc_int32_t temp;
+
+	__asm__ volatile(
+		"1:"
+		"ldl_l %0, %1;"			/* load old value */
+		"mov %2, %0;"			/* value to store */
+		"stl_c %0, %1;"			/* attempt to store */
+		"beq %0, 1b;"			/* if it failed, spin */
+		: "=&r"(temp), "+m"(*p)
+		: "r"(val)
+		: "memory");
+}
+
+static inline isc_int32_t
+isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
+	isc_int32_t temp, prev;
+
+	__asm__ volatile(
+		"1:"
+		"ldl_l %0, %1;"			/* load old value */
+		"mov %0, %2;"			/* copy the old value */
+		"cmpeq %0, %3, %0;"		/* compare */
+		"beq %0, 2f;"			/* exit if not equal */
+		"mov %4, %0;"			/* value to store */
+		"stl_c %0, %1;"			/* attempt to store */
+		"beq %0, 1b;"			/* if it failed, spin */
+		"2:"
+		: "=&r"(temp), "+m"(*p), "=r"(prev)
+		: "r"(cmpval), "r"(val)
+		: "memory");
+
+	return (prev);
+}
+#else
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif
+
+#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/api b/contrib/bind9/lib/isc/api
index b4d0173..759a051 100644
--- a/contrib/bind9/lib/isc/api
+++ b/contrib/bind9/lib/isc/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 12
-LIBREVISION = 1
-LIBAGE = 1
+LIBINTERFACE = 32
+LIBREVISION = 3
+LIBAGE = 0
diff --git a/contrib/bind9/lib/isc/assertions.c b/contrib/bind9/lib/isc/assertions.c
index 94c6732..b3fcf4a 100644
--- a/contrib/bind9/lib/isc/assertions.c
+++ b/contrib/bind9/lib/isc/assertions.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: assertions.c,v 1.16.206.1 2004/03/06 08:14:27 marka Exp $ */
+/* $Id: assertions.c,v 1.17.18.2 2005/04/29 00:16:44 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -25,20 +27,20 @@
 #include <isc/assertions.h>
 #include <isc/msgs.h>
 
-/*
+/*%
  * Forward.
  */
-
 static void
 default_callback(const char *, int, isc_assertiontype_t, const char *);
 
-/*
+/*%
  * Public.
  */
 
 LIBISC_EXTERNAL_DATA isc_assertioncallback_t isc_assertion_failed =
 					     default_callback;
 
+/*% Set callback. */
 void
 isc_assertion_setcallback(isc_assertioncallback_t cb) {
 	if (cb == NULL)
@@ -47,6 +49,7 @@ isc_assertion_setcallback(isc_assertioncallback_t cb) {
 		isc_assertion_failed = cb;
 }
 
+/*% Type to Text */
 const char *
 isc_assertion_typetotext(isc_assertiontype_t type) {
 	const char *result;
diff --git a/contrib/bind9/lib/isc/base64.c b/contrib/bind9/lib/isc/base64.c
index 445f8f5..faeae92 100644
--- a/contrib/bind9/lib/isc/base64.c
+++ b/contrib/bind9/lib/isc/base64.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.c,v 1.23.2.2.2.3 2004/03/06 08:14:27 marka Exp $ */
+/* $Id: base64.c,v 1.28.18.2 2005/04/29 00:16:44 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -32,7 +34,8 @@
 	} while (0)
 
 
-/*
+/*@{*/
+/*!
  * These static functions are also present in lib/dns/rdata.c.  I'm not
  * sure where they should go. -- bwelling
  */
@@ -44,6 +47,7 @@ mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
 
 static const char base64[] =
 	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
+/*@}*/
 
 isc_result_t
 isc_base64_totext(isc_region_t *source, int wordlength,
@@ -90,14 +94,14 @@ isc_base64_totext(isc_region_t *source, int wordlength,
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * State of a base64 decoding process in progress.
  */
 typedef struct {
-	int length;		/* Desired length of binary data or -1 */
-	isc_buffer_t *target;	/* Buffer for resulting binary data */
-	int digits;		/* Number of buffered base64 digits */
-	isc_boolean_t seen_end;	/* True if "=" end marker seen */
+	int length;		/*%< Desired length of binary data or -1 */
+	isc_buffer_t *target;	/*%< Buffer for resulting binary data */
+	int digits;		/*%< Number of buffered base64 digits */
+	isc_boolean_t seen_end;	/*%< True if "=" end marker seen */
 	int val[4];
 } base64_decode_ctx_t;
 
diff --git a/contrib/bind9/lib/isc/bitstring.c b/contrib/bind9/lib/isc/bitstring.c
index e77ed39..105b5aa 100644
--- a/contrib/bind9/lib/isc/bitstring.c
+++ b/contrib/bind9/lib/isc/bitstring.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bitstring.c,v 1.12.206.1 2004/03/06 08:14:27 marka Exp $ */
+/* $Id: bitstring.c,v 1.13.18.2 2005/04/29 00:16:44 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/buffer.c b/contrib/bind9/lib/isc/buffer.c
index 30ce529..fc07c00 100644
--- a/contrib/bind9/lib/isc/buffer.c
+++ b/contrib/bind9/lib/isc/buffer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: buffer.c,v 1.36.12.2 2004/03/08 09:04:48 marka Exp $ */
+/* $Id: buffer.c,v 1.40.18.2 2005/04/29 00:16:44 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/bufferlist.c b/contrib/bind9/lib/isc/bufferlist.c
index 6d64a3f..773d075 100644
--- a/contrib/bind9/lib/isc/bufferlist.c
+++ b/contrib/bind9/lib/isc/bufferlist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bufferlist.c,v 1.12.206.1 2004/03/06 08:14:28 marka Exp $ */
+/* $Id: bufferlist.c,v 1.13.18.2 2005/04/29 00:16:45 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/commandline.c b/contrib/bind9/lib/isc/commandline.c
index 4c8af7f..679ed6d 100644
--- a/contrib/bind9/lib/isc/commandline.c
+++ b/contrib/bind9/lib/isc/commandline.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -48,9 +48,9 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: commandline.c,v 1.15.206.1 2004/03/06 08:14:28 marka Exp $ */
+/* $Id: commandline.c,v 1.16.18.2 2005/04/29 00:16:45 marka Exp $ */
 
-/*
+/*! \file
  * This file was adapted from the NetBSD project's source tree, RCS ID:
  *    NetBSD: getopt.c,v 1.15 1999/09/20 04:39:37 lukem Exp
  *
@@ -59,8 +59,8 @@
  */
 
 /*
- * Principal Authors: Computer Systems Research Group at UC Berkeley
- * Principal ISC caretaker: DCL
+ * \author Principal Authors: Computer Systems Research Group at UC Berkeley
+ * \author Principal ISC caretaker: DCL
  */
 
 #include <config.h>
@@ -72,17 +72,17 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
-/* Index into parent argv vector. */
+/*% Index into parent argv vector. */
 LIBISC_EXTERNAL_DATA int isc_commandline_index = 1;
-/* Character checked for validity. */
+/*% Character checked for validity. */
 LIBISC_EXTERNAL_DATA int isc_commandline_option;
-/* Argument associated with option. */
+/*% Argument associated with option. */
 LIBISC_EXTERNAL_DATA char *isc_commandline_argument;
-/* For printing error messages. */
+/*% For printing error messages. */
 LIBISC_EXTERNAL_DATA char *isc_commandline_progname;
-/* Print error messages. */
+/*% Print error messages. */
 LIBISC_EXTERNAL_DATA isc_boolean_t isc_commandline_errprint = ISC_TRUE;
-/* Reset processing. */
+/*% Reset processing. */
 LIBISC_EXTERNAL_DATA isc_boolean_t isc_commandline_reset = ISC_TRUE;
 
 static char endopt = '\0';
@@ -91,7 +91,7 @@ static char endopt = '\0';
 #define	BADARG	':'
 #define ENDOPT  &endopt
 
-/*
+/*!
  * getopt --
  *	Parse argc/argv argument vector.
  */
diff --git a/contrib/bind9/lib/isc/entropy.c b/contrib/bind9/lib/isc/entropy.c
index 8834eef..3e87d87 100644
--- a/contrib/bind9/lib/isc/entropy.c
+++ b/contrib/bind9/lib/isc/entropy.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,16 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.c,v 1.3.2.2.2.7 2004/03/08 09:04:48 marka Exp $ */
+/* $Id: entropy.c,v 1.11.18.3 2005/07/12 01:22:28 marka Exp $ */
 
-/*
+/*! \file
+ * \brief
  * This is the system independent part of the entropy module.  It is
  * compiled via inclusion from the relevant OS source file, ie,
- * unix/entropy.c or win32/entropy.c.
+ * \link unix/entropy.c unix/entropy.c \endlink or win32/entropy.c.
+ *
+ * \author Much of this code is modeled after the NetBSD /dev/random implementation,
+ * written by Michael Graff <explorer@netbsd.org>.
  */
 
 #include <errno.h>
@@ -42,10 +46,6 @@
 #include <isc/time.h>
 #include <isc/util.h>
 
-/*
- * Much of this code is modeled after the NetBSD /dev/random implementation,
- * written by Michael Graff <explorer@netbsd.org>.
- */
 
 #define ENTROPY_MAGIC		ISC_MAGIC('E', 'n', 't', 'e')
 #define SOURCE_MAGIC		ISC_MAGIC('E', 'n', 't', 's')
@@ -58,26 +58,28 @@
  *** you are doing.
  ***/
 
-/*
- * size of entropy pool in 32-bit words.  This _MUST_ be a power of 2.
+/*%
+ * Size of entropy pool in 32-bit words.  This _MUST_ be a power of 2.
  */
 #define RND_POOLWORDS	128
+/*% Pool in bytes. */
 #define RND_POOLBYTES	(RND_POOLWORDS * 4)
+/*% Pool in bits. */
 #define RND_POOLBITS	(RND_POOLWORDS * 32)
 
-/*
+/*%
  * Number of bytes returned per hash.  This must be true:
  *	threshold * 2 <= digest_size_in_bytes
  */
 #define RND_ENTROPY_THRESHOLD	10
 #define THRESHOLD_BITS		(RND_ENTROPY_THRESHOLD * 8)
 
-/*
+/*%
  * Size of the input event queue in samples.
  */
 #define RND_EVENTQSIZE	32
 
-/*
+/*%
  * The number of times we'll "reseed" for pseudorandom seeds.  This is an
  * extremely weak pseudorandom seed.  If the caller is using lots of
  * pseudorandom data and they cannot provide a stronger random source,
@@ -86,12 +88,13 @@
  */
 #define RND_INITIALIZE	128
 
+/*% Entropy Pool */
 typedef struct {
-	isc_uint32_t	cursor;		/* current add point in the pool */
-	isc_uint32_t	entropy;	/* current entropy estimate in bits */
-	isc_uint32_t	pseudo;		/* bits extracted in pseudorandom */
-	isc_uint32_t	rotate;		/* how many bits to rotate by */
-	isc_uint32_t	pool[RND_POOLWORDS];	/* random pool data */
+	isc_uint32_t	cursor;		/*%< current add point in the pool */
+	isc_uint32_t	entropy;	/*%< current entropy estimate in bits */
+	isc_uint32_t	pseudo;		/*%< bits extracted in pseudorandom */
+	isc_uint32_t	rotate;		/*%< how many bits to rotate by */
+	isc_uint32_t	pool[RND_POOLWORDS];	/*%< random pool data */
 } isc_entropypool_t;
 
 struct isc_entropy {
@@ -107,13 +110,14 @@ struct isc_entropy {
 	ISC_LIST(isc_entropysource_t)	sources;
 };
 
+/*% Sample Queue */
 typedef struct {
-	isc_uint32_t	last_time;	/* last time recorded */
-	isc_uint32_t	last_delta;	/* last delta value */
-	isc_uint32_t	last_delta2;	/* last delta2 value */
-	isc_uint32_t	nsamples;	/* number of samples filled in */
-	isc_uint32_t   *samples;	/* the samples */
-	isc_uint32_t   *extra;		/* extra samples added in */
+	isc_uint32_t	last_time;	/*%< last time recorded */
+	isc_uint32_t	last_delta;	/*%< last delta value */
+	isc_uint32_t	last_delta2;	/*%< last delta2 value */
+	isc_uint32_t	nsamples;	/*%< number of samples filled in */
+	isc_uint32_t   *samples;	/*%< the samples */
+	isc_uint32_t   *extra;		/*%< extra samples added in */
 } sample_queue_t;
 
 typedef struct {
@@ -137,7 +141,7 @@ struct isc_entropysource {
 	unsigned int	magic;
 	unsigned int	type;
 	isc_entropy_t  *ent;
-	isc_uint32_t	total;		/* entropy from this source */
+	isc_uint32_t	total;		/*%< entropy from this source */
 	ISC_LINK(isc_entropysource_t)	link;
 	char		name[32];
 	isc_boolean_t	bad;
@@ -151,12 +155,13 @@ struct isc_entropysource {
 	} sources;
 };
 
-#define ENTROPY_SOURCETYPE_SAMPLE	1	/* Type is a sample source */
-#define ENTROPY_SOURCETYPE_FILE		2	/* Type is a file source */
-#define ENTROPY_SOURCETYPE_CALLBACK	3	/* Type is a callback source */
-#define ENTROPY_SOURCETYPE_USOCKET	4	/* Type is a Unix socket source */
+#define ENTROPY_SOURCETYPE_SAMPLE	1	/*%< Type is a sample source */
+#define ENTROPY_SOURCETYPE_FILE		2	/*%< Type is a file source */
+#define ENTROPY_SOURCETYPE_CALLBACK	3	/*%< Type is a callback source */
+#define ENTROPY_SOURCETYPE_USOCKET	4	/*%< Type is a Unix socket source */
 
-/*
+/*@{*/
+/*%
  * The random pool "taps"
  */
 #define TAP1	99
@@ -164,8 +169,10 @@ struct isc_entropysource {
 #define TAP3	31
 #define TAP4	 9
 #define TAP5	 7
+/*@}*/
 
-/*
+/*@{*/
+/*%
  * Declarations for function provided by the system dependent sources that
  * include this file.
  */
@@ -181,6 +188,7 @@ destroyfilesource(isc_entropyfilesource_t *source);
 static void
 destroyusocketsource(isc_entropyusocketsource_t *source);
 
+/*@}*/
 
 static void
 samplequeue_release(isc_entropy_t *ent, sample_queue_t *sq) {
@@ -211,7 +219,7 @@ samplesource_allocate(isc_entropy_t *ent, sample_queue_t *sq) {
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * Add in entropy, even when the value we're adding in could be
  * very large.
  */
@@ -225,7 +233,7 @@ add_entropy(isc_entropy_t *ent, isc_uint32_t entropy) {
 	ent->pool.entropy = ISC_MIN(entropy, RND_POOLBITS);
 }
 
-/*
+/*%
  * Decrement the amount of entropy the pool has.
  */
 static inline void
@@ -234,7 +242,7 @@ subtract_entropy(isc_entropy_t *ent, isc_uint32_t entropy) {
 	ent->pool.entropy -= entropy;
 }
 
-/*
+/*!
  * Add in entropy, even when the value we're adding in could be
  * very large.
  */
@@ -248,7 +256,7 @@ add_pseudo(isc_entropy_t *ent, isc_uint32_t pseudo) {
 	ent->pool.pseudo = ISC_MIN(pseudo, RND_POOLBITS * 8);
 }
 
-/*
+/*!
  * Decrement the amount of pseudo the pool has.
  */
 static inline void
@@ -257,7 +265,7 @@ subtract_pseudo(isc_entropy_t *ent, isc_uint32_t pseudo) {
 	ent->pool.pseudo -= pseudo;
 }
 
-/*
+/*!
  * Add one word to the pool, rotating the input as needed.
  */
 static inline void
@@ -292,7 +300,7 @@ entropypool_add_word(isc_entropypool_t *rp, isc_uint32_t val) {
 	}
 }
 
-/*
+/*!
  * Add a buffer's worth of data to the pool.
  *
  * Requires that the lock is held on the entropy pool.
@@ -362,7 +370,7 @@ reseed(isc_entropy_t *ent) {
 		entropypool_adddata(ent, &pid, sizeof(pid), 0);
 	}
 
-	/*
+	/*!
 	 * After we've reseeded 100 times, only add new timing info every
 	 * 50 requests.  This will keep us from using lots and lots of
 	 * CPU just to return bad pseudorandom data anyway.
@@ -382,7 +390,7 @@ estimate_entropy(sample_queue_t *sq, isc_uint32_t t) {
 	isc_int32_t		delta2;
 	isc_int32_t		delta3;
 
-	/*
+	/*!
 	 * If the time counter has overflowed, calculate the real difference.
 	 * If it has not, it is simpler.
 	 */
@@ -661,7 +669,7 @@ isc_entropypool_invalidate(isc_entropypool_t *pool) {
 
 isc_result_t
 isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
-	isc_result_t ret;
+	isc_result_t result;
 	isc_entropy_t *ent;
 
 	REQUIRE(mctx != NULL);
@@ -674,10 +682,9 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
 	/*
 	 * We need a lock.
 	 */
-	if (isc_mutex_init(&ent->lock) != ISC_R_SUCCESS) {
-		ret = ISC_R_UNEXPECTED;
+	result = isc_mutex_init(&ent->lock);
+	if (result != ISC_R_SUCCESS)
 		goto errout;
-	}
 
 	/*
 	 * From here down, no failures will/can occur.
@@ -700,10 +707,10 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
  errout:
 	isc_mem_put(mctx, ent, sizeof(isc_entropy_t));
 
-	return (ret);
+	return (result);
 }
 
-/*
+/*!
  * Requires "ent" be locked.
  */
 static void
@@ -851,7 +858,7 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
 				 void *arg,
 				 isc_entropysource_t **sourcep)
 {
-	isc_result_t ret;
+	isc_result_t result;
 	isc_entropysource_t *source;
 	isc_cbsource_t *cbs;
 
@@ -863,15 +870,15 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
 
 	source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
 	if (source == NULL) {
-		ret = ISC_R_NOMEMORY;
+		result = ISC_R_NOMEMORY;
 		goto errout;
 	}
 	source->bad = ISC_FALSE;
 
 	cbs = &source->sources.callback;
 
-	ret = samplesource_allocate(ent, &cbs->samplequeue);
-	if (ret != ISC_R_SUCCESS)
+	result = samplesource_allocate(ent, &cbs->samplequeue);
+	if (result != ISC_R_SUCCESS)
 		goto errout;
 
 	cbs->start_called = ISC_FALSE;
@@ -907,7 +914,7 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
 
 	UNLOCK(&ent->lock);
 
-	return (ret);
+	return (result);
 }
 
 void
@@ -939,7 +946,7 @@ isc_result_t
 isc_entropy_createsamplesource(isc_entropy_t *ent,
 			       isc_entropysource_t **sourcep)
 {
-	isc_result_t ret;
+	isc_result_t result;
 	isc_entropysource_t *source;
 	sample_queue_t *sq;
 
@@ -950,13 +957,13 @@ isc_entropy_createsamplesource(isc_entropy_t *ent,
 
 	source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
 	if (source == NULL) {
-		ret = ISC_R_NOMEMORY;
+		result = ISC_R_NOMEMORY;
 		goto errout;
 	}
 
 	sq = &source->sources.sample.samplequeue;
-	ret = samplesource_allocate(ent, sq);
-	if (ret != ISC_R_SUCCESS)
+	result = samplesource_allocate(ent, sq);
+	if (result != ISC_R_SUCCESS)
 		goto errout;
 
 	/*
@@ -986,10 +993,10 @@ isc_entropy_createsamplesource(isc_entropy_t *ent,
 
 	UNLOCK(&ent->lock);
 
-	return (ret);
+	return (result);
 }
 
-/*
+/*!
  * Add a sample, and return ISC_R_SUCCESS if the queue has become full,
  * ISC_R_NOENTROPY if it has space remaining, and ISC_R_NOMORE if the
  * queue was full when this function was called.
diff --git a/contrib/bind9/lib/isc/error.c b/contrib/bind9/lib/isc/error.c
index ceb7d2a..282986c 100644
--- a/contrib/bind9/lib/isc/error.c
+++ b/contrib/bind9/lib/isc/error.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: error.c,v 1.16.206.1 2004/03/06 08:14:28 marka Exp $ */
+/* $Id: error.c,v 1.17.18.2 2005/04/29 00:16:45 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -25,14 +27,17 @@
 #include <isc/error.h>
 #include <isc/msgs.h>
 
+/*% Default unexpected callback. */
 static void
 default_unexpected_callback(const char *, int, const char *, va_list)
      ISC_FORMAT_PRINTF(3, 0);
 
+/*% Default fatal callback. */
 static void
 default_fatal_callback(const char *, int, const char *, va_list)
      ISC_FORMAT_PRINTF(3, 0);
 
+/*% unexpected_callback */
 static isc_errorcallback_t unexpected_callback = default_unexpected_callback;
 static isc_errorcallback_t fatal_callback = default_fatal_callback;
 
diff --git a/contrib/bind9/lib/isc/event.c b/contrib/bind9/lib/isc/event.c
index f767870..7931061 100644
--- a/contrib/bind9/lib/isc/event.c
+++ b/contrib/bind9/lib/isc/event.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: event.c,v 1.15.12.3 2004/03/08 09:04:48 marka Exp $ */
+/* $Id: event.c,v 1.17.18.2 2005/04/29 00:16:45 marka Exp $ */
 
-/*
- * Principal Author: Bob Halley
+/*!
+ * \file
+ * \author Principal Author: Bob Halley
  */
 
 #include <config.h>
diff --git a/contrib/bind9/lib/isc/fsaccess.c b/contrib/bind9/lib/isc/fsaccess.c
index 1193472..cdab3d8 100644
--- a/contrib/bind9/lib/isc/fsaccess.c
+++ b/contrib/bind9/lib/isc/fsaccess.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,16 +15,17 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.c,v 1.5.206.1 2004/03/06 08:14:29 marka Exp $ */
+/* $Id: fsaccess.c,v 1.6.18.2 2005/04/29 00:16:45 marka Exp $ */
 
-/*
+/*! \file
+ * \brief
  * This file contains the OS-independent functionality of the API.
  */
 #include <isc/fsaccess.h>
 #include <isc/result.h>
 #include <isc/util.h>
 
-/*
+/*!
  * Shorthand.  Maybe ISC__FSACCESS_PERMISSIONBITS should not even be in
  * <isc/fsaccess.h>.  Could check consistency with sizeof(isc_fsaccess_t)
  * and the number of bits in each function.
diff --git a/contrib/bind9/lib/isc/hash.c b/contrib/bind9/lib/isc/hash.c
index 1094206..4b6dc06 100644
--- a/contrib/bind9/lib/isc/hash.c
+++ b/contrib/bind9/lib/isc/hash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,14 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hash.c,v 1.2.2.4.2.3 2006/01/04 00:37:22 marka Exp $ */
+/* $Id: hash.c,v 1.6.18.5 2006/01/04 00:37:23 marka Exp $ */
 
-/*
+/*! \file
  * Some portion of this code was derived from universal hash function
  * libraries of Rice University. 
- */
-
-/*  "UH Universal Hashing Library"
+\section license UH Universal Hashing Library
 
 Copyright ((c)) 2002, Rice University
 All rights reserved.
@@ -74,28 +72,31 @@ if advised of the possibility of such damage.
 #define HASH_MAGIC		ISC_MAGIC('H', 'a', 's', 'h')
 #define VALID_HASH(h)		ISC_MAGIC_VALID((h), HASH_MAGIC)
 
-/*
+/*%
  * A large 32-bit prime number that specifies the range of the hash output.
  */
 #define PRIME32 0xFFFFFFFB              /* 2^32 -  5 */
 
-/*
+/*@{*/
+/*%
  * Types of random seed and hash accumulator.  Perhaps they can be system
  * dependent.
  */
 typedef isc_uint32_t hash_accum_t;
 typedef isc_uint16_t hash_random_t;
+/*@}*/
 
+/*% isc hash structure */
 struct isc_hash {
 	unsigned int	magic;
 	isc_mem_t	*mctx;
 	isc_mutex_t	lock;
 	isc_boolean_t	initialized;
 	isc_refcount_t	refcnt;
-	isc_entropy_t	*entropy; /* entropy source */
-	unsigned int	limit;	/* upper limit of key length */
-	size_t		vectorlen; /* size of the vector below */
-	hash_random_t	*rndvector; /* random vector for universal hashing */
+	isc_entropy_t	*entropy; /*%< entropy source */
+	unsigned int	limit;	/*%< upper limit of key length */
+	size_t		vectorlen; /*%< size of the vector below */
+	hash_random_t	*rndvector; /*%< random vector for universal hashing */
 };
 
 static isc_mutex_t createlock;
@@ -141,7 +142,7 @@ isc_result_t
 isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy,
 		   unsigned int limit, isc_hash_t **hctxp)
 {
-	isc_result_t ret;
+	isc_result_t result;
 	isc_hash_t *hctx;
 	size_t vlen;
 	hash_random_t *rv;
@@ -167,17 +168,16 @@ isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy,
 	vlen = sizeof(hash_random_t) * (limit + 1);
 	rv = isc_mem_get(mctx, vlen);
 	if (rv == NULL) {
-		ret = ISC_R_NOMEMORY;
+		result = ISC_R_NOMEMORY;
 		goto errout;
 	}
 
 	/*
 	 * We need a lock.
 	 */
-	if (isc_mutex_init(&hctx->lock) != ISC_R_SUCCESS) {
-		ret = ISC_R_UNEXPECTED;
+	result = isc_mutex_init(&hctx->lock);
+	if (result != ISC_R_SUCCESS)
 		goto errout;
-	}
 
 	/*
 	 * From here down, no failures will/can occur.
@@ -186,7 +186,9 @@ isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy,
 	hctx->mctx = NULL;
 	isc_mem_attach(mctx, &hctx->mctx);
 	hctx->initialized = ISC_FALSE;
-	isc_refcount_init(&hctx->refcnt, 1);
+	result = isc_refcount_init(&hctx->refcnt, 1);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_lock;
 	hctx->entropy = NULL;
 	hctx->limit = limit;
 	hctx->vectorlen = vlen;
@@ -198,12 +200,14 @@ isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy,
 	*hctxp = hctx;
 	return (ISC_R_SUCCESS);
 
+ cleanup_lock:
+	DESTROYLOCK(&hctx->lock);
  errout:
 	isc_mem_put(mctx, hctx, sizeof(isc_hash_t));
 	if (rv != NULL)
 		isc_mem_put(mctx, rv, vlen);
 
-	return (ret);
+	return (result);
 }
 
 static void
diff --git a/contrib/bind9/lib/isc/heap.c b/contrib/bind9/lib/isc/heap.c
index fd67d7b..9c495a7 100644
--- a/contrib/bind9/lib/isc/heap.c
+++ b/contrib/bind9/lib/isc/heap.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.c,v 1.28.12.4 2006/04/17 18:27:20 explorer Exp $ */
+/* $Id: heap.c,v 1.30.18.3 2006/04/17 18:27:33 explorer Exp $ */
 
 /*! \file
  * Heap implementation of priority queues adapted from the following:
diff --git a/contrib/bind9/lib/isc/hex.c b/contrib/bind9/lib/isc/hex.c
index a90f1ce..8dfec02 100644
--- a/contrib/bind9/lib/isc/hex.c
+++ b/contrib/bind9/lib/isc/hex.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hex.c,v 1.8.2.2.8.3 2004/03/06 08:14:30 marka Exp $ */
+/* $Id: hex.c,v 1.14.18.2 2005/04/29 00:16:46 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -73,13 +75,13 @@ isc_hex_totext(isc_region_t *source, int wordlength,
 	return (ISC_R_SUCCESS);
 }
 
-/*
+/*%
  * State of a hex decoding process in progress.
  */
 typedef struct {
-	int length;		/* Desired length of binary data or -1 */
-	isc_buffer_t *target;	/* Buffer for resulting binary data */
-	int digits;		/* Number of buffered hex digits */
+	int length;		/*%< Desired length of binary data or -1 */
+	isc_buffer_t *target;	/*%< Buffer for resulting binary data */
+	int digits;		/*%< Number of buffered hex digits */
 	int val[2];
 } hex_decode_ctx_t;
 
diff --git a/contrib/bind9/lib/isc/hmacmd5.c b/contrib/bind9/lib/isc/hmacmd5.c
index 5166a98..f832146 100644
--- a/contrib/bind9/lib/isc/hmacmd5.c
+++ b/contrib/bind9/lib/isc/hmacmd5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacmd5.c,v 1.5.12.5 2006/02/26 23:49:48 marka Exp $ */
+/* $Id: hmacmd5.c,v 1.7.18.5 2006/02/26 22:30:56 marka Exp $ */
 
-/*
+/*! \file
  * This code implements the HMAC-MD5 keyed hash algorithm
- * described in RFC 2104.
+ * described in RFC2104.
  */
 
 #include "config.h"
@@ -35,7 +35,7 @@
 #define IPAD 0x36
 #define OPAD 0x5C
 
-/*
+/*!
  * Start HMAC-MD5 process.  Initialize an md5 context and digest the key.
  */
 void
@@ -67,7 +67,7 @@ isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
 	memset(ctx->key, 0, sizeof(ctx->key));
 }
 
-/*
+/*!
  * Update context to reflect the concatenation of another buffer full
  * of bytes.
  */
@@ -78,7 +78,7 @@ isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
 	isc_md5_update(&ctx->md5ctx, buf, len);
 }
 
-/*
+/*!
  * Compute signature - finalize MD5 operation and reapply MD5.
  */
 void
@@ -99,14 +99,20 @@ isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
 	isc_hmacmd5_invalidate(ctx);
 }
 
-/*
+/*!
  * Verify signature - finalize MD5 operation and reapply MD5, then
  * compare to the supplied digest.
  */
 isc_boolean_t
 isc_hmacmd5_verify(isc_hmacmd5_t *ctx, unsigned char *digest) {
+	return (isc_hmacmd5_verify2(ctx, digest, ISC_MD5_DIGESTLENGTH));
+}
+
+isc_boolean_t
+isc_hmacmd5_verify2(isc_hmacmd5_t *ctx, unsigned char *digest, size_t len) {
 	unsigned char newdigest[ISC_MD5_DIGESTLENGTH];
 
+	REQUIRE(len <= ISC_MD5_DIGESTLENGTH);
 	isc_hmacmd5_sign(ctx, newdigest);
-	return (ISC_TF(memcmp(digest, newdigest, ISC_MD5_DIGESTLENGTH) == 0));
+	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
 }
diff --git a/contrib/bind9/lib/isc/hmacsha.c b/contrib/bind9/lib/isc/hmacsha.c
new file mode 100644
index 0000000..8ee16af
--- /dev/null
+++ b/contrib/bind9/lib/isc/hmacsha.c
@@ -0,0 +1,438 @@
+/*
+ * Copyright (C) 2005, 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: hmacsha.c,v 1.2.2.4 2006/08/16 03:18:14 marka Exp $ */
+
+/*
+ * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384
+ * and HMAC-SHA512 keyed hash algorithm described in RFC 2104 and
+ * draft-ietf-dnsext-tsig-sha-01.txt.
+ */
+
+#include "config.h"
+
+#include <isc/assertions.h>
+#include <isc/hmacsha.h>
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#define IPAD 0x36
+#define OPAD 0x5C
+
+/*
+ * Start HMAC-SHA1 process.  Initialize an sha1 context and digest the key.
+ */
+void
+isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
+		  unsigned int len)
+{
+	unsigned char ipad[ISC_SHA1_BLOCK_LENGTH];
+	unsigned int i;
+
+	memset(ctx->key, 0, sizeof(ctx->key));
+	if (len > sizeof(ctx->key)) {
+		isc_sha1_t sha1ctx;
+		isc_sha1_init(&sha1ctx);
+		isc_sha1_update(&sha1ctx, key, len);
+		isc_sha1_final(&sha1ctx, ctx->key);
+	} else
+		memcpy(ctx->key, key, len);
+
+	isc_sha1_init(&ctx->sha1ctx);
+	memset(ipad, IPAD, sizeof(ipad));
+	for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	isc_sha1_update(&ctx->sha1ctx, ipad, sizeof(ipad));
+}
+
+void
+isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
+	isc_sha1_invalidate(&ctx->sha1ctx);
+	memset(ctx->key, 0, sizeof(ctx->key));
+	memset(ctx, 0, sizeof(ctx));
+}
+
+/*
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void
+isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	isc_sha1_update(&ctx->sha1ctx, buf, len);
+}
+
+/*
+ * Compute signature - finalize SHA1 operation and reapply SHA1.
+ */
+void
+isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char opad[ISC_SHA1_BLOCK_LENGTH];
+	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+	isc_sha1_final(&ctx->sha1ctx, newdigest);
+
+	memset(opad, OPAD, sizeof(opad));
+	for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+
+	isc_sha1_init(&ctx->sha1ctx);
+	isc_sha1_update(&ctx->sha1ctx, opad, sizeof(opad));
+	isc_sha1_update(&ctx->sha1ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
+	isc_sha1_final(&ctx->sha1ctx, newdigest);
+	isc_hmacsha1_invalidate(ctx);
+	memcpy(digest, newdigest, len);
+	memset(newdigest, 0, sizeof(newdigest));
+}
+
+/*
+ * Verify signature - finalize SHA1 operation and reapply SHA1, then
+ * compare to the supplied digest.
+ */
+isc_boolean_t
+isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA1_BLOCK_LENGTH);
+	isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
+	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
+}
+
+/*
+ * Start HMAC-SHA224 process.  Initialize an sha224 context and digest the key.
+ */
+void
+isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	unsigned char ipad[ISC_SHA224_BLOCK_LENGTH];
+	unsigned int i;
+
+	memset(ctx->key, 0, sizeof(ctx->key));
+	if (len > sizeof(ctx->key)) {
+		isc_sha224_t sha224ctx;
+		isc_sha224_init(&sha224ctx);
+		isc_sha224_update(&sha224ctx, key, len);
+		isc_sha224_final(ctx->key, &sha224ctx);
+	} else
+		memcpy(ctx->key, key, len);
+
+	isc_sha224_init(&ctx->sha224ctx);
+	memset(ipad, IPAD, sizeof(ipad));
+	for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	isc_sha224_update(&ctx->sha224ctx, ipad, sizeof(ipad));
+}
+
+void
+isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
+	memset(ctx->key, 0, sizeof(ctx->key));
+	memset(ctx, 0, sizeof(ctx));
+}
+
+/*
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void
+isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	isc_sha224_update(&ctx->sha224ctx, buf, len);
+}
+
+/*
+ * Compute signature - finalize SHA224 operation and reapply SHA224.
+ */
+void
+isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char opad[ISC_SHA224_BLOCK_LENGTH];
+	unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+	isc_sha224_final(newdigest, &ctx->sha224ctx);
+
+	memset(opad, OPAD, sizeof(opad));
+	for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+
+	isc_sha224_init(&ctx->sha224ctx);
+	isc_sha224_update(&ctx->sha224ctx, opad, sizeof(opad));
+	isc_sha224_update(&ctx->sha224ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
+	isc_sha224_final(newdigest, &ctx->sha224ctx);
+	memcpy(digest, newdigest, len);
+	memset(newdigest, 0, sizeof(newdigest));
+}
+
+/*
+ * Verify signature - finalize SHA224 operation and reapply SHA224, then
+ * compare to the supplied digest.
+ */
+isc_boolean_t
+isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+	isc_hmacsha224_sign(ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
+	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
+}
+
+/*
+ * Start HMAC-SHA256 process.  Initialize an sha256 context and digest the key.
+ */
+void
+isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	unsigned char ipad[ISC_SHA256_BLOCK_LENGTH];
+	unsigned int i;
+
+	memset(ctx->key, 0, sizeof(ctx->key));
+	if (len > sizeof(ctx->key)) {
+		isc_sha256_t sha256ctx;
+		isc_sha256_init(&sha256ctx);
+		isc_sha256_update(&sha256ctx, key, len);
+		isc_sha256_final(ctx->key, &sha256ctx);
+	} else
+		memcpy(ctx->key, key, len);
+
+	isc_sha256_init(&ctx->sha256ctx);
+	memset(ipad, IPAD, sizeof(ipad));
+	for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	isc_sha256_update(&ctx->sha256ctx, ipad, sizeof(ipad));
+}
+
+void
+isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
+	memset(ctx->key, 0, sizeof(ctx->key));
+	memset(ctx, 0, sizeof(ctx));
+}
+
+/*
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void
+isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	isc_sha256_update(&ctx->sha256ctx, buf, len);
+}
+
+/*
+ * Compute signature - finalize SHA256 operation and reapply SHA256.
+ */
+void
+isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char opad[ISC_SHA256_BLOCK_LENGTH];
+	unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+	isc_sha256_final(newdigest, &ctx->sha256ctx);
+
+	memset(opad, OPAD, sizeof(opad));
+	for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+
+	isc_sha256_init(&ctx->sha256ctx);
+	isc_sha256_update(&ctx->sha256ctx, opad, sizeof(opad));
+	isc_sha256_update(&ctx->sha256ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
+	isc_sha256_final(newdigest, &ctx->sha256ctx);
+	memcpy(digest, newdigest, len);
+	memset(newdigest, 0, sizeof(newdigest));
+}
+
+/*
+ * Verify signature - finalize SHA256 operation and reapply SHA256, then
+ * compare to the supplied digest.
+ */
+isc_boolean_t
+isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+	isc_hmacsha256_sign(ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
+	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
+}
+
+/*
+ * Start HMAC-SHA384 process.  Initialize an sha384 context and digest the key.
+ */
+void
+isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	unsigned char ipad[ISC_SHA384_BLOCK_LENGTH];
+	unsigned int i;
+
+	memset(ctx->key, 0, sizeof(ctx->key));
+	if (len > sizeof(ctx->key)) {
+		isc_sha384_t sha384ctx;
+		isc_sha384_init(&sha384ctx);
+		isc_sha384_update(&sha384ctx, key, len);
+		isc_sha384_final(ctx->key, &sha384ctx);
+	} else
+		memcpy(ctx->key, key, len);
+
+	isc_sha384_init(&ctx->sha384ctx);
+	memset(ipad, IPAD, sizeof(ipad));
+	for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	isc_sha384_update(&ctx->sha384ctx, ipad, sizeof(ipad));
+}
+
+void
+isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
+	memset(ctx->key, 0, sizeof(ctx->key));
+	memset(ctx, 0, sizeof(ctx));
+}
+
+/*
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void
+isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	isc_sha384_update(&ctx->sha384ctx, buf, len);
+}
+
+/*
+ * Compute signature - finalize SHA384 operation and reapply SHA384.
+ */
+void
+isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char opad[ISC_SHA384_BLOCK_LENGTH];
+	unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+	isc_sha384_final(newdigest, &ctx->sha384ctx);
+
+	memset(opad, OPAD, sizeof(opad));
+	for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+
+	isc_sha384_init(&ctx->sha384ctx);
+	isc_sha384_update(&ctx->sha384ctx, opad, sizeof(opad));
+	isc_sha384_update(&ctx->sha384ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
+	isc_sha384_final(newdigest, &ctx->sha384ctx);
+	memcpy(digest, newdigest, len);
+	memset(newdigest, 0, sizeof(newdigest));
+}
+
+/*
+ * Verify signature - finalize SHA384 operation and reapply SHA384, then
+ * compare to the supplied digest.
+ */
+isc_boolean_t
+isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+	isc_hmacsha384_sign(ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
+	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
+}
+
+/*
+ * Start HMAC-SHA512 process.  Initialize an sha512 context and digest the key.
+ */
+void
+isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	unsigned char ipad[ISC_SHA512_BLOCK_LENGTH];
+	unsigned int i;
+
+	memset(ctx->key, 0, sizeof(ctx->key));
+	if (len > sizeof(ctx->key)) {
+		isc_sha512_t sha512ctx;
+		isc_sha512_init(&sha512ctx);
+		isc_sha512_update(&sha512ctx, key, len);
+		isc_sha512_final(ctx->key, &sha512ctx);
+	} else
+		memcpy(ctx->key, key, len);
+
+	isc_sha512_init(&ctx->sha512ctx);
+	memset(ipad, IPAD, sizeof(ipad));
+	for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	isc_sha512_update(&ctx->sha512ctx, ipad, sizeof(ipad));
+}
+
+void
+isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
+	memset(ctx->key, 0, sizeof(ctx->key));
+	memset(ctx, 0, sizeof(ctx));
+}
+
+/*
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void
+isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	isc_sha512_update(&ctx->sha512ctx, buf, len);
+}
+
+/*
+ * Compute signature - finalize SHA512 operation and reapply SHA512.
+ */
+void
+isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char opad[ISC_SHA512_BLOCK_LENGTH];
+	unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
+	isc_sha512_final(newdigest, &ctx->sha512ctx);
+
+	memset(opad, OPAD, sizeof(opad));
+	for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+
+	isc_sha512_init(&ctx->sha512ctx);
+	isc_sha512_update(&ctx->sha512ctx, opad, sizeof(opad));
+	isc_sha512_update(&ctx->sha512ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
+	isc_sha512_final(newdigest, &ctx->sha512ctx);
+	memcpy(digest, newdigest, len);
+	memset(newdigest, 0, sizeof(newdigest));
+}
+
+/*
+ * Verify signature - finalize SHA512 operation and reapply SHA512, then
+ * compare to the supplied digest.
+ */
+isc_boolean_t
+isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
+	isc_hmacsha512_sign(ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
+	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
+}
diff --git a/contrib/bind9/lib/isc/ia64/include/isc/atomic.h b/contrib/bind9/lib/isc/ia64/include/isc/atomic.h
new file mode 100644
index 0000000..20cbabd
--- /dev/null
+++ b/contrib/bind9/lib/isc/ia64/include/isc/atomic.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: atomic.h,v 1.2.2.1 2006/06/21 03:38:32 marka Exp $ */
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#ifdef ISC_PLATFORM_USEGCCASM
+/*
+ * This routine atomically increments the value stored in 'p' by 'val', and
+ * returns the previous value.
+ *
+ * Open issue: can 'fetchadd' make the code faster for some particular values
+ * (e.g., 1 and -1)?
+ */
+static inline isc_int32_t
+isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
+	isc_int32_t prev, swapped;
+
+	for (prev = *(volatile isc_int32_t *)p; ; prev = swapped) {
+		swapped = prev + val;
+		__asm__ volatile(
+			"mov ar.ccv=%2;"
+			"cmpxchg4.acq %0=%4,%3,ar.ccv"
+			: "=r" (swapped), "=m" (*p)
+			: "r" (prev), "r" (swapped), "m" (*p)
+			: "memory");
+		if (swapped == prev)
+			break;
+	}
+
+	return (prev);
+}
+
+/*
+ * This routine atomically stores the value 'val' in 'p'.
+ */
+static inline void
+isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
+	__asm__ volatile(
+		"st4.rel %0=%1"
+		: "=m" (*p)
+		: "r" (val)
+		: "memory"
+		);
+}
+
+/*
+ * This routine atomically replaces the value in 'p' with 'val', if the
+ * original value is equal to 'cmpval'.  The original value is returned in any
+ * case.
+ */
+static inline isc_int32_t
+isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
+	isc_int32_t ret;
+
+	__asm__ volatile(
+		"mov ar.ccv=%2;"
+		"cmpxchg4.acq %0=%4,%3,ar.ccv"
+		: "=r" (ret), "=m" (*p)
+		: "r" (cmpval), "r" (val), "m" (*p)
+		: "memory");
+
+	return (ret);
+}
+#else /* !ISC_PLATFORM_USEGCCASM */
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif
+#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/include/Makefile.in b/contrib/bind9/lib/isc/include/Makefile.in
index 59d66c7..ceb8eb6 100644
--- a/contrib/bind9/lib/isc/include/Makefile.in
+++ b/contrib/bind9/lib/isc/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.10.206.1 2004/03/06 08:14:38 marka Exp $
+# $Id: Makefile.in,v 1.11 2004/03/05 05:10:53 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isc/include/isc/Makefile.in b/contrib/bind9/lib/isc/include/isc/Makefile.in
index f484c0b..0f0e936 100644
--- a/contrib/bind9/lib/isc/include/isc/Makefile.in
+++ b/contrib/bind9/lib/isc/include/isc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001, 2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.50.12.6 2005/03/22 02:32:07 marka Exp $
+# $Id: Makefile.in,v 1.54.18.4 2006/01/27 23:57:45 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -35,9 +35,9 @@ HEADERS =	app.h assertions.h base64.h bitstring.h boolean.h buffer.h \
 		mutexblock.h netaddr.h ondestroy.h os.h parseint.h \
 		print.h quota.h random.h ratelimiter.h \
 		refcount.h region.h resource.h \
-		result.h resultclass.h rwlock.h serial.h sha1.h sockaddr.h \
-		socket.h stdio.h stdlib.h string.h symtab.h task.h taskpool.h \
-		timer.h types.h util.h version.h
+		result.h resultclass.h rwlock.h serial.h sha1.h sha2.h \
+		sockaddr.h socket.h stdio.h stdlib.h string.h symtab.h \
+	        task.h taskpool.h timer.h types.h util.h version.h
 
 SUBDIRS =
 TARGETS =
diff --git a/contrib/bind9/lib/isc/include/isc/app.h b/contrib/bind9/lib/isc/include/isc/app.h
index f77057b..f51aff7 100644
--- a/contrib/bind9/lib/isc/include/isc/app.h
+++ b/contrib/bind9/lib/isc/include/isc/app.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.h,v 1.1.206.1 2004/03/06 08:14:38 marka Exp $ */
+/* $Id: app.h,v 1.2.18.2 2005/04/29 00:16:52 marka Exp $ */
 
 #ifndef ISC_APP_H
 #define ISC_APP_H 1
@@ -24,18 +24,18 @@
  ***** Module Info
  *****/
 
-/*
- * ISC Application Support
+/*! \file
+ * \brief ISC Application Support
  *
  * Dealing with program termination can be difficult, especially in a
  * multithreaded program.  The routines in this module help coordinate
  * the shutdown process.  They are used as follows by the initial (main)
  * thread of the application:
  *
- *		isc_app_start();	Call very early in main(), before
+ *\li		isc_app_start();	Call very early in main(), before
  *					any other threads have been created.
  *
- *		isc_app_run();		This will post any on-run events,
+ *\li		isc_app_run();		This will post any on-run events,
  *					and then block until application
  *					shutdown is requested.  A shutdown
  *					request is made by calling
@@ -44,7 +44,7 @@
  *					After isc_app_run() returns, the
  *					application should shutdown itself.
  *
- *		isc_app_finish();	Call very late in main().
+ *\li		isc_app_finish();	Call very late in main().
  *
  * Applications that want to use SIGHUP/isc_app_reload() to trigger reloading
  * should check the result of isc_app_run() and call the reload routine if
@@ -54,22 +54,22 @@
  * Use of this module is not required.  In particular, isc_app_start() is
  * NOT an ISC library initialization routine.
  *
- * MP:
+ * \li MP:
  *	Clients must ensure that isc_app_start(), isc_app_run(), and
  *	isc_app_finish() are called at most once.  isc_app_shutdown()
  *	is safe to use by any thread (provided isc_app_start() has been
  *	called previously).
  *
- * Reliability:
+ * \li Reliability:
  *	No anticipated impact.
  *
- * Resources:
+ * \li Resources:
  *	None.
  *
- * Security:
+ * \li Security:
  *	No anticipated impact.
  *
- * Standards:
+ * \li Standards:
  *	None.
  */
 
@@ -87,8 +87,8 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 isc_app_start(void);
-/*
- * Start an ISC library application.
+/*!<
+ * \brief Start an ISC library application.
  *
  * Notes:
  *	This call should be made before any other ISC library call, and as
@@ -98,8 +98,8 @@ isc_app_start(void);
 isc_result_t
 isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
 	      void *arg);
-/*
- * Request delivery of an event when the application is run.
+/*!<
+ * \brief Request delivery of an event when the application is run.
  *
  * Requires:
  *	isc_app_start() has been called.
@@ -111,99 +111,99 @@ isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
 
 isc_result_t
 isc_app_run(void);
-/*
- * Run an ISC library application.
+/*!<
+ * \brief Run an ISC library application.
  *
  * Notes:
- *	The caller (typically the initial thread of an application) will
+ *\li	The caller (typically the initial thread of an application) will
  *	block until shutdown is requested.  When the call returns, the
  *	caller should start shutting down the application.
  *
  * Requires:
- *	isc_app_start() has been called.
+ *\li	isc_app_start() has been called.
  *
  * Ensures:
- *	Any events requested via isc_app_onrun() will have been posted (in
+ *\li	Any events requested via isc_app_onrun() will have been posted (in
  *	FIFO order) before isc_app_run() blocks.
  *
  * Returns:
- *	ISC_R_SUCCESS			Shutdown has been requested.
- *	ISC_R_RELOAD			Reload has been requested.
+ *\li	ISC_R_SUCCESS			Shutdown has been requested.
+ *\li	ISC_R_RELOAD			Reload has been requested.
  */
 
 isc_result_t
 isc_app_shutdown(void);
-/*
- * Request application shutdown.
+/*!<
+ * \brief Request application shutdown.
  *
  * Notes:
- *	It is safe to call isc_app_shutdown() multiple times.  Shutdown will
+ *\li	It is safe to call isc_app_shutdown() multiple times.  Shutdown will
  *	only be triggered once.
  *
  * Requires:
- *	isc_app_run() has been called.
+ *\li	isc_app_run() has been called.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_UNEXPECTED
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_UNEXPECTED
  */
 
 isc_result_t
 isc_app_reload(void);
-/*
- * Request application reload.
+/*!<
+ * \brief Request application reload.
  *
  * Requires:
- *	isc_app_run() has been called.
+ *\li	isc_app_run() has been called.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_UNEXPECTED
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_UNEXPECTED
  */
 
 void
 isc_app_finish(void);
-/*
- * Finish an ISC library application.
+/*!<
+ * \brief Finish an ISC library application.
  *
  * Notes:
- *	This call should be made at or near the end of main().
+ *\li	This call should be made at or near the end of main().
  *
  * Requires:
- *	isc_app_start() has been called.
+ *\li	isc_app_start() has been called.
  *
  * Ensures:
- *	Any resources allocated by isc_app_start() have been released.
+ *\li	Any resources allocated by isc_app_start() have been released.
  */
 
 void
 isc_app_block(void);
-/*
- * Indicate that a blocking operation will be performed.
+/*!<
+ * \brief Indicate that a blocking operation will be performed.
  *
  * Notes:
- *	If a blocking operation is in process, a call to isc_app_shutdown()
+ *\li	If a blocking operation is in process, a call to isc_app_shutdown()
  *	or an external signal will abort the program, rather than allowing
  *	clean shutdown.  This is primarily useful for reading user input.
  *
  * Requires:
- * 	isc_app_start() has been called.
- * 	No other blocking operations are in progress.
+ * \li	isc_app_start() has been called.
+ * \li	No other blocking operations are in progress.
  */
 
 void
 isc_app_unblock(void);
-/*
- * Indicate that a blocking operation is complete.
+/*!<
+ * \brief Indicate that a blocking operation is complete.
  *
  * Notes:
- * 	When a blocking operation has completed, return the program to a
+ * \li	When a blocking operation has completed, return the program to a
  * 	state where a call to isc_app_shutdown() or an external signal will
  * 	shutdown normally.
  *
  * Requires:
- * 	isc_app_start() has been called.
- * 	isc_app_block() has been called by the same thread.
+ * \li	isc_app_start() has been called.
+ * \li	isc_app_block() has been called by the same thread.
  */
 
 
diff --git a/contrib/bind9/lib/isc/include/isc/assertions.h b/contrib/bind9/lib/isc/include/isc/assertions.h
index 6091de9..c1e68a1 100644
--- a/contrib/bind9/lib/isc/include/isc/assertions.h
+++ b/contrib/bind9/lib/isc/include/isc/assertions.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,9 @@
  */
 
 /*
- * $Id: assertions.h,v 1.17.206.1 2004/03/06 08:14:38 marka Exp $
+ * $Id: assertions.h,v 1.18.18.2 2005/04/29 00:16:52 marka Exp $
+ */
+/*! \file assertions.h
  */
 
 #ifndef ISC_ASSERTIONS_H
@@ -27,6 +29,7 @@
 
 ISC_LANG_BEGINDECLS
 
+/*% isc assertion type */
 typedef enum {
 	isc_assertiontype_require,
 	isc_assertiontype_ensure,
diff --git a/contrib/bind9/lib/isc/include/isc/base64.h b/contrib/bind9/lib/isc/include/isc/base64.h
index 260dd1d..26ffa48 100644
--- a/contrib/bind9/lib/isc/include/isc/base64.h
+++ b/contrib/bind9/lib/isc/include/isc/base64.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.h,v 1.15.206.1 2004/03/06 08:14:38 marka Exp $ */
+/* $Id: base64.h,v 1.16.18.2 2005/04/29 00:16:53 marka Exp $ */
 
 #ifndef ISC_BASE64_H
 #define ISC_BASE64_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/types.h>
 
@@ -32,59 +34,59 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 isc_base64_totext(isc_region_t *source, int wordlength,
 		  const char *wordbreak, isc_buffer_t *target);
-/*
- * Convert data into base64 encoded text.
+/*!<
+ * \brief Convert data into base64 encoded text.
  *
  * Notes:
- *	The base64 encoded text in 'target' will be divided into
+ *\li	The base64 encoded text in 'target' will be divided into
  *	words of at most 'wordlength' characters, separated by
  * 	the 'wordbreak' string.  No parentheses will surround
  *	the text.
  *
  * Requires:
- *	'source' is a region containing binary data
- *	'target' is a text buffer containing available space
- *	'wordbreak' points to a null-terminated string of
+ *\li	'source' is a region containing binary data
+ *\li	'target' is a text buffer containing available space
+ *\li	'wordbreak' points to a null-terminated string of
  *		zero or more whitespace characters
  *
  * Ensures:
- *	target will contain the base64 encoded version of the data
+ *\li	target will contain the base64 encoded version of the data
  *	in source.  The 'used' pointer in target will be advanced as
  *	necessary.
  */
 
 isc_result_t
 isc_base64_decodestring(const char *cstr, isc_buffer_t *target);
-/*
- * Decode a null-terminated base64 string.
+/*!<
+ * \brief Decode a null-terminated base64 string.
  *
  * Requires:
- *	'cstr' is non-null.
- *	'target' is a valid buffer.
+ *\li	'cstr' is non-null.
+ *\li	'target' is a valid buffer.
  *
  * Returns:
- *	ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
+ *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
  *			   fit in 'target'.
- *	ISC_R_BADBASE64 -- 'cstr' is not a valid base64 encoding.
+ *\li	#ISC_R_BADBASE64 -- 'cstr' is not a valid base64 encoding.
  *
  * 	Other error returns are any possible error code from:
- *		isc_lex_create(),
- *		isc_lex_openbuffer(),
- *		isc_base64_tobuffer().
+ *\li		isc_lex_create(),
+ *\li		isc_lex_openbuffer(),
+ *\li		isc_base64_tobuffer().
  */
 
 isc_result_t
 isc_base64_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
-/*
- * Convert base64 encoded text from a lexer context into data.
+/*!<
+ * \brief Convert base64 encoded text from a lexer context into data.
  *
  * Requires:
- *	'lex' is a valid lexer context
- *	'target' is a buffer containing binary data
- *	'length' is an integer
+ *\li	'lex' is a valid lexer context
+ *\li	'target' is a buffer containing binary data
+ *\li	'length' is an integer
  *
  * Ensures:
- *	target will contain the data represented by the base64 encoded
+ *\li	target will contain the data represented by the base64 encoded
  *	string parsed by the lexer.  No more than length bytes will be read,
  *	if length is positive.  The 'used' pointer in target will be
  *	advanced as necessary.
diff --git a/contrib/bind9/lib/isc/include/isc/bitstring.h b/contrib/bind9/lib/isc/include/isc/bitstring.h
index 6d6a555..3e626b8 100644
--- a/contrib/bind9/lib/isc/include/isc/bitstring.h
+++ b/contrib/bind9/lib/isc/include/isc/bitstring.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bitstring.h,v 1.7.206.1 2004/03/06 08:14:38 marka Exp $ */
+/* $Id: bitstring.h,v 1.8.18.2 2005/04/29 00:16:53 marka Exp $ */
 
 #ifndef ISC_BITSTRING_H
 #define ISC_BITSTRING_H 1
@@ -24,8 +24,9 @@
  ***** Module Info
  *****/
 
-/*
- * Bitstring
+/*! \file bitstring.h
+ *
+ * \brief Bitstring manipulation functions.
  *
  * A bitstring is a packed array of bits, stored in a contiguous
  * sequence of octets.  The "most significant bit" (msb) of a bitstring
@@ -46,21 +47,25 @@
  * long and will take two octets.  Let "p" denote a pad bit.  In the msb0
  * encoding, it would be
  *
+ * \verbatim
  *             Octet 0           Octet 1
  *                         |
  *         1 1 0 1 0 0 0 1 | 1 1 1 p p p p p
  *         ^               |               ^
  *         |                               |
  *         bit 0                           bit 15
+ * \endverbatim
  *
  * In the lsb0 encoding, it would be
  *
+ * \verbatim
  *             Octet 0           Octet 1
  *                         |
  *         p p p p p 1 1 0 | 1 0 0 0 1 1 1 1 
  *         ^               |               ^
  *         |                               |
  *         bit 15                          bit 0
+ * \endverbatim
  */
 
 /***
@@ -91,59 +96,59 @@ struct isc_bitstring {
 void
 isc_bitstring_init(isc_bitstring_t *bitstring, unsigned char *data,
 		   unsigned int length, unsigned int size, isc_boolean_t lsb0);
-/*
- * Make 'bitstring' refer to the bitstring of 'size' bits starting
+/*!<
+ * \brief Make 'bitstring' refer to the bitstring of 'size' bits starting
  * at 'data'.  'length' bits of the bitstring are valid.  If 'lsb0'
  * is set then, bit 0 refers to the least significant bit of the
  * bitstring.  Otherwise bit 0 is the most significant bit.
  *
  * Requires:
  *
- *	'bitstring' points to a isc_bitstring_t.
+ *\li	'bitstring' points to a isc_bitstring_t.
  *
- *	'data' points to an array of unsigned char large enough to hold
+ *\li	'data' points to an array of unsigned char large enough to hold
  *	'size' bits.
  *
- *	'length' <= 'size'.
+ *\li	'length' <= 'size'.
  *
  * Ensures:
  *
- *	'bitstring' is a valid bitstring.
+ *\li	'bitstring' is a valid bitstring.
  */
 
 void
 isc_bitstring_invalidate(isc_bitstring_t *bitstring);
-/*
- * Invalidate 'bitstring'.
+/*!<
+ * \brief Invalidate 'bitstring'.
  *
  * Requires:
  *
- *	'bitstring' is a valid bitstring.
+ *\li	'bitstring' is a valid bitstring.
  *
  * Ensures:
  *
- *	'bitstring' is not a valid bitstring.
+ *\li	'bitstring' is not a valid bitstring.
  */
 
 void
 isc_bitstring_copy(isc_bitstring_t *source, unsigned int sbitpos,
 		   isc_bitstring_t *target, unsigned int tbitpos,
 		   unsigned int n);
-/*
- * Starting at bit 'sbitpos', copy 'n' bits from 'source' to
+/*!<
+ * \brief Starting at bit 'sbitpos', copy 'n' bits from 'source' to
  * the 'n' bits of 'target' starting at 'tbitpos'.
  *
  * Requires:
  *
- *	'source' and target are valid bitstrings with the same lsb0 setting.
+ *\li	'source' and target are valid bitstrings with the same lsb0 setting.
  *
- *	'sbitpos' + 'n' is less than or equal to the length of 'source'.
+ *\li	'sbitpos' + 'n' is less than or equal to the length of 'source'.
  *
- *	'tbitpos' + 'n' is less than or equal to the size of 'target'.
+ *\li	'tbitpos' + 'n' is less than or equal to the size of 'target'.
  *
  * Ensures:
  *
- *	The specified bits have been copied, and the length of 'target'
+ *\li	The specified bits have been copied, and the length of 'target'
  *	adjusted (if required).
  */
 
diff --git a/contrib/bind9/lib/isc/include/isc/boolean.h b/contrib/bind9/lib/isc/include/isc/boolean.h
index 0081447..ad736fe 100644
--- a/contrib/bind9/lib/isc/include/isc/boolean.h
+++ b/contrib/bind9/lib/isc/include/isc/boolean.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: boolean.h,v 1.12.206.1 2004/03/06 08:14:39 marka Exp $ */
+/* $Id: boolean.h,v 1.13.18.2 2005/04/29 00:16:53 marka Exp $ */
 
 #ifndef ISC_BOOLEAN_H
 #define ISC_BOOLEAN_H 1
 
+/*! \file */
+
 typedef enum { isc_boolean_false = 0, isc_boolean_true = 1 } isc_boolean_t;
 
 #define ISC_FALSE isc_boolean_false
diff --git a/contrib/bind9/lib/isc/include/isc/buffer.h b/contrib/bind9/lib/isc/include/isc/buffer.h
index 02b82bc..a285e27 100644
--- a/contrib/bind9/lib/isc/include/isc/buffer.h
+++ b/contrib/bind9/lib/isc/include/isc/buffer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: buffer.h,v 1.39.12.2 2004/03/08 09:04:51 marka Exp $ */
+/* $Id: buffer.h,v 1.43.18.2 2005/04/29 00:16:53 marka Exp $ */
 
 #ifndef ISC_BUFFER_H
 #define ISC_BUFFER_H 1
@@ -24,10 +24,9 @@
  ***** Module Info
  *****/
 
-/*
- * Buffers
+/*! \file buffer.h
  *
- * A buffer is a region of memory, together with a set of related subregions.
+ * \brief A buffer is a region of memory, together with a set of related subregions.
  * Buffers are used for parsing and I/O operations.
  *
  * The 'used region' and the 'available' region are disjoint, and their
@@ -51,6 +50,7 @@
  * is empty.  If the current offset advances beyond the chosen offset, the
  * active region will also be empty.
  *
+ * \verbatim
  *  /------------entire length---------------\
  *  /----- used region -----\/-- available --\
  *  +----------------------------------------+
@@ -69,9 +69,11 @@
  * a-b == consumed region.
  * b-d == remaining region.
  * b-c == optional active region.
+ *\endverbatim
  *
  * The following invariants are maintained by all routines:
  *
+ *\code
  *	length > 0
  *
  *	base is a valid pointer to length bytes of memory
@@ -82,21 +84,22 @@
  *
  *	0 <= active <= used
  *	(although active < current implies empty active region)
+ *\endcode
  *
- * MP:
+ * \li MP:
  *	Buffers have no synchronization.  Clients must ensure exclusive
  *	access.
  *
- * Reliability:
+ * \li Reliability:
  *	No anticipated impact.
  *
- * Resources:
+ * \li Resources:
  *	Memory: 1 pointer + 6 unsigned integers per buffer.
  *
- * Security:
+ * \li Security:
  *	No anticipated impact.
  *
- * Standards:
+ * \li Standards:
  *	None.
  */
 
@@ -108,7 +111,7 @@
 #include <isc/magic.h>
 #include <isc/types.h>
 
-/*
+/*!
  * To make many functions be inline macros (via #define) define this.
  * If it is undefined, a function will be used.
  */
@@ -116,11 +119,13 @@
 
 ISC_LANG_BEGINDECLS
 
-/***
+/*@{*/
+/*!
  *** Magic numbers
  ***/
 #define ISC_BUFFER_MAGIC		0x42756621U	/* Buf!. */
 #define ISC_BUFFER_VALID(b)		ISC_MAGIC_VALID(b, ISC_BUFFER_MAGIC)
+/*@}*/
 
 /*
  * The following macros MUST be used only on valid buffers.  It is the
@@ -129,7 +134,8 @@ ISC_LANG_BEGINDECLS
  * another macro.)
  */
 
-/*
+/*@{*/
+/*!
  * Fundamental buffer elements.  (A through E in the introductory comment.)
  */
 #define isc_buffer_base(b)    ((void *)(b)->base)			  /*a*/
@@ -140,8 +146,10 @@ ISC_LANG_BEGINDECLS
 #define isc_buffer_used(b)    \
 		((void *)((unsigned char *)(b)->base + (b)->used))        /*d*/
 #define isc_buffer_length(b)  ((b)->length)				  /*e*/
+/*@}*/
 
-/*
+/*@{*/
+/*!
  * Derived lengths.  (Described in the introductory comment.)
  */
 #define isc_buffer_usedlength(b)	((b)->used)		      /* d-a */
@@ -149,8 +157,9 @@ ISC_LANG_BEGINDECLS
 #define isc_buffer_remaininglength(b)	((b)->used - (b)->current)    /* d-b */
 #define isc_buffer_activelength(b)	((b)->active - (b)->current)  /* c-b */
 #define isc_buffer_availablelength(b)	((b)->length - (b)->used)     /* e-d */
+/*@}*/
 
-/*
+/*!
  * Note that the buffer structure is public.  This is principally so buffer
  * operations can be implemented using macros.  Applications are strongly
  * discouraged from directly manipulating the structure.
@@ -159,14 +168,16 @@ ISC_LANG_BEGINDECLS
 struct isc_buffer {
 	unsigned int		magic;
 	void		       *base;
-	/* The following integers are byte offsets from 'base'. */
+        /*@{*/
+	/*! The following integers are byte offsets from 'base'. */
 	unsigned int		length;
 	unsigned int		used;
 	unsigned int 		current;
 	unsigned int 		active;
-	/* linkable */
+        /*@}*/
+	/*! linkable */
 	ISC_LINK(isc_buffer_t)	link;
-	/* private internal elements */
+	/*! private internal elements */
 	isc_mem_t	       *mctx;
 };
 
@@ -177,397 +188,397 @@ struct isc_buffer {
 isc_result_t
 isc_buffer_allocate(isc_mem_t *mctx, isc_buffer_t **dynbuffer,
 		    unsigned int length);
-/*
- * Allocate a dynamic linkable buffer which has "length" bytes in the
+/*!<
+ * \brief Allocate a dynamic linkable buffer which has "length" bytes in the
  * data region.
  *
  * Requires:
- *	"mctx" is valid.
+ *\li	"mctx" is valid.
  *
- *	"dynbuffer" is non-NULL, and "*dynbuffer" is NULL.
+ *\li	"dynbuffer" is non-NULL, and "*dynbuffer" is NULL.
  *
  * Returns:
- *	ISC_R_SUCCESS		- success
- *	ISC_R_NOMEMORY		- no memory available
+ *\li	ISC_R_SUCCESS		- success
+ *\li	ISC_R_NOMEMORY		- no memory available
  *
  * Note:
- *	Changing the buffer's length field is not permitted.
+ *\li	Changing the buffer's length field is not permitted.
  */
 
 void
 isc_buffer_free(isc_buffer_t **dynbuffer);
-/*
- * Release resources allocated for a dynamic buffer.
+/*!<
+ * \brief Release resources allocated for a dynamic buffer.
  *
  * Requires:
- *	"dynbuffer" is not NULL.
+ *\li	"dynbuffer" is not NULL.
  *
- *	"*dynbuffer" is a valid dynamic buffer.
+ *\li	"*dynbuffer" is a valid dynamic buffer.
  *
  * Ensures:
- *	"*dynbuffer" will be NULL on return, and all memory associated with
+ *\li	"*dynbuffer" will be NULL on return, and all memory associated with
  *	the dynamic buffer is returned to the memory context used in
  *	isc_buffer_allocate().
  */
 
 void
 isc__buffer_init(isc_buffer_t *b, const void *base, unsigned int length);
-/*
- * Make 'b' refer to the 'length'-byte region starting at base.
+/*!<
+ * \brief Make 'b' refer to the 'length'-byte region starting at base.
  *
  * Requires:
  *
- *	'length' > 0
+ *\li	'length' > 0
  *
- *	'base' is a pointer to a sequence of 'length' bytes.
+ *\li	'base' is a pointer to a sequence of 'length' bytes.
  *
  */
 
 void
 isc__buffer_invalidate(isc_buffer_t *b);
-/*
- * Make 'b' an invalid buffer.
+/*!<
+ * \brief Make 'b' an invalid buffer.
  *
  * Requires:
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
  * Ensures:
- *	If assertion checking is enabled, future attempts to use 'b' without
+ *\li	If assertion checking is enabled, future attempts to use 'b' without
  *	calling isc_buffer_init() on it will cause an assertion failure.
  */
 
 void
 isc__buffer_region(isc_buffer_t *b, isc_region_t *r);
-/*
- * Make 'r' refer to the region of 'b'.
+/*!<
+ * \brief Make 'r' refer to the region of 'b'.
  *
  * Requires:
  *
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	'r' points to a region structure.
+ *\li	'r' points to a region structure.
  */
 
 void
 isc__buffer_usedregion(isc_buffer_t *b, isc_region_t *r);
-/*
- * Make 'r' refer to the used region of 'b'.
+/*!<
+ * \brief Make 'r' refer to the used region of 'b'.
  *
  * Requires:
  *
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	'r' points to a region structure.
+ *\li	'r' points to a region structure.
  */
 
 void
 isc__buffer_availableregion(isc_buffer_t *b, isc_region_t *r);
-/*
- * Make 'r' refer to the available region of 'b'.
+/*!<
+ * \brief Make 'r' refer to the available region of 'b'.
  *
  * Requires:
  *
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	'r' points to a region structure.
+ *\li	'r' points to a region structure.
  */
 
 void
 isc__buffer_add(isc_buffer_t *b, unsigned int n);
-/*
- * Increase the 'used' region of 'b' by 'n' bytes.
+/*!<
+ * \brief Increase the 'used' region of 'b' by 'n' bytes.
  *
  * Requires:
  *
- *	'b' is a valid buffer
+ *\li	'b' is a valid buffer
  *
- *	used + n <= length
+ *\li	used + n <= length
  *
  */
 
 void
 isc__buffer_subtract(isc_buffer_t *b, unsigned int n);
-/*
- * Decrease the 'used' region of 'b' by 'n' bytes.
+/*!<
+ * \brief Decrease the 'used' region of 'b' by 'n' bytes.
  *
  * Requires:
  *
- *	'b' is a valid buffer
+ *\li	'b' is a valid buffer
  *
- *	used >= n
+ *\li	used >= n
  *
  */
 
 void
 isc__buffer_clear(isc_buffer_t *b);
-/*
- * Make the used region empty.
+/*!<
+ * \brief Make the used region empty.
  *
  * Requires:
  *
- *	'b' is a valid buffer
+ *\li	'b' is a valid buffer
  *
  * Ensures:
  *
- *	used = 0
+ *\li	used = 0
  *
  */
 
 void
 isc__buffer_consumedregion(isc_buffer_t *b, isc_region_t *r);
-/*
- * Make 'r' refer to the consumed region of 'b'.
+/*!<
+ * \brief Make 'r' refer to the consumed region of 'b'.
  *
  * Requires:
  *
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	'r' points to a region structure.
+ *\li	'r' points to a region structure.
  */
 
 void
 isc__buffer_remainingregion(isc_buffer_t *b, isc_region_t *r);
-/*
- * Make 'r' refer to the remaining region of 'b'.
+/*!<
+ * \brief Make 'r' refer to the remaining region of 'b'.
  *
  * Requires:
  *
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	'r' points to a region structure.
+ *\li	'r' points to a region structure.
  */
 
 void
 isc__buffer_activeregion(isc_buffer_t *b, isc_region_t *r);
-/*
- * Make 'r' refer to the active region of 'b'.
+/*!<
+ * \brief Make 'r' refer to the active region of 'b'.
  *
  * Requires:
  *
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	'r' points to a region structure.
+ *\li	'r' points to a region structure.
  */
 
 void
 isc__buffer_setactive(isc_buffer_t *b, unsigned int n);
-/*
- * Sets the end of the active region 'n' bytes after current.
+/*!<
+ * \brief Sets the end of the active region 'n' bytes after current.
  *
  * Requires:
  *
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	current + n <= used
+ *\li	current + n <= used
  */
 
 void
 isc__buffer_first(isc_buffer_t *b);
-/*
- * Make the consumed region empty.
+/*!<
+ * \brief Make the consumed region empty.
  *
  * Requires:
  *
- *	'b' is a valid buffer
+ *\li	'b' is a valid buffer
  *
  * Ensures:
  *
- *	current == 0
+ *\li	current == 0
  *
  */
 
 void
 isc__buffer_forward(isc_buffer_t *b, unsigned int n);
-/*
- * Increase the 'consumed' region of 'b' by 'n' bytes.
+/*!<
+ * \brief Increase the 'consumed' region of 'b' by 'n' bytes.
  *
  * Requires:
  *
- *	'b' is a valid buffer
+ *\li	'b' is a valid buffer
  *
- *	current + n <= used
+ *\li	current + n <= used
  *
  */
 
 void
 isc__buffer_back(isc_buffer_t *b, unsigned int n);
-/*
- * Decrease the 'consumed' region of 'b' by 'n' bytes.
+/*!<
+ * \brief Decrease the 'consumed' region of 'b' by 'n' bytes.
  *
  * Requires:
  *
- *	'b' is a valid buffer
+ *\li	'b' is a valid buffer
  *
- *	n <= current
+ *\li	n <= current
  *
  */
 
 void
 isc_buffer_compact(isc_buffer_t *b);
-/*
- * Compact the used region by moving the remaining region so it occurs
+/*!<
+ * \brief Compact the used region by moving the remaining region so it occurs
  * at the start of the buffer.  The used region is shrunk by the size of
  * the consumed region, and the consumed region is then made empty.
  *
  * Requires:
  *
- *	'b' is a valid buffer
+ *\li	'b' is a valid buffer
  *
  * Ensures:
  *
- *	current == 0
+ *\li	current == 0
  *
- *	The size of the used region is now equal to the size of the remaining
+ *\li	The size of the used region is now equal to the size of the remaining
  *	region (as it was before the call).  The contents of the used region
  *	are those of the remaining region (as it was before the call).
  */
 
 isc_uint8_t
 isc_buffer_getuint8(isc_buffer_t *b);
-/*
- * Read an unsigned 8-bit integer from 'b' and return it.
+/*!<
+ * \brief Read an unsigned 8-bit integer from 'b' and return it.
  *
  * Requires:
  *
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	The length of the available region of 'b' is at least 1.
+ *\li	The length of the available region of 'b' is at least 1.
  *
  * Ensures:
  *
- *	The current pointer in 'b' is advanced by 1.
+ *\li	The current pointer in 'b' is advanced by 1.
  *
  * Returns:
  *
- *	A 8-bit unsigned integer.
+ *\li	A 8-bit unsigned integer.
  */
 
 void
 isc__buffer_putuint8(isc_buffer_t *b, isc_uint8_t val);
-/*
- * Store an unsigned 8-bit integer from 'val' into 'b'.
+/*!<
+ * \brief Store an unsigned 8-bit integer from 'val' into 'b'.
  *
  * Requires:
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	The length of the unused region of 'b' is at least 1.
+ *\li	The length of the unused region of 'b' is at least 1.
  *
  * Ensures:
- *	The used pointer in 'b' is advanced by 1.
+ *\li	The used pointer in 'b' is advanced by 1.
  */
 
 isc_uint16_t
 isc_buffer_getuint16(isc_buffer_t *b);
-/*
- * Read an unsigned 16-bit integer in network byte order from 'b', convert
+/*!<
+ * \brief Read an unsigned 16-bit integer in network byte order from 'b', convert
  * it to host byte order, and return it.
  *
  * Requires:
  *
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	The length of the available region of 'b' is at least 2.
+ *\li	The length of the available region of 'b' is at least 2.
  *
  * Ensures:
  *
- *	The current pointer in 'b' is advanced by 2.
+ *\li	The current pointer in 'b' is advanced by 2.
  *
  * Returns:
  *
- *	A 16-bit unsigned integer.
+ *\li	A 16-bit unsigned integer.
  */
 
 void
 isc__buffer_putuint16(isc_buffer_t *b, isc_uint16_t val);
-/*
- * Store an unsigned 16-bit integer in host byte order from 'val'
+/*!<
+ * \brief Store an unsigned 16-bit integer in host byte order from 'val'
  * into 'b' in network byte order.
  *
  * Requires:
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	The length of the unused region of 'b' is at least 2.
+ *\li	The length of the unused region of 'b' is at least 2.
  *
  * Ensures:
- *	The used pointer in 'b' is advanced by 2.
+ *\li	The used pointer in 'b' is advanced by 2.
  */
 
 isc_uint32_t
 isc_buffer_getuint32(isc_buffer_t *b);
-/*
- * Read an unsigned 32-bit integer in network byte order from 'b', convert
+/*!<
+ * \brief Read an unsigned 32-bit integer in network byte order from 'b', convert
  * it to host byte order, and return it.
  *
  * Requires:
  *
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	The length of the available region of 'b' is at least 4.
+ *\li	The length of the available region of 'b' is at least 4.
  *
  * Ensures:
  *
- *	The current pointer in 'b' is advanced by 4.
+ *\li	The current pointer in 'b' is advanced by 4.
  *
  * Returns:
  *
- *	A 32-bit unsigned integer.
+ *\li	A 32-bit unsigned integer.
  */
 
 void
 isc__buffer_putuint32(isc_buffer_t *b, isc_uint32_t val);
-/*
- * Store an unsigned 32-bit integer in host byte order from 'val'
+/*!<
+ * \brief Store an unsigned 32-bit integer in host byte order from 'val'
  * into 'b' in network byte order.
  *
  * Requires:
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	The length of the unused region of 'b' is at least 4.
+ *\li	The length of the unused region of 'b' is at least 4.
  *
  * Ensures:
- *	The used pointer in 'b' is advanced by 4.
+ *\li	The used pointer in 'b' is advanced by 4.
  */
 
 void
 isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
 		   unsigned int length);
-/*
- * Copy 'length' bytes of memory at 'base' into 'b'.
+/*!<
+ * \brief Copy 'length' bytes of memory at 'base' into 'b'.
  *
  * Requires:
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	'base' points to 'length' bytes of valid memory.
+ *\li	'base' points to 'length' bytes of valid memory.
  *
  */
 
 void
 isc__buffer_putstr(isc_buffer_t *b, const char *source);
-/*
- * Copy 'source' into 'b', not including terminating NUL.
+/*!<
+ * \brief Copy 'source' into 'b', not including terminating NUL.
  *
  * Requires:
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	'source' to be a valid NULL terminated string.
+ *\li	'source' to be a valid NULL terminated string.
  *
- *	strlen(source) <= isc_buffer_available(b)
+ *\li	strlen(source) <= isc_buffer_available(b)
  */
 
 isc_result_t
 isc_buffer_copyregion(isc_buffer_t *b, const isc_region_t *r);
-/*
- * Copy the contents of 'r' into 'b'.
+/*!<
+ * \brief Copy the contents of 'r' into 'b'.
  *
  * Requires:
- *	'b' is a valid buffer.
+ *\li	'b' is a valid buffer.
  *
- *	'r' is a valid region.
+ *\li	'r' is a valid region.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE			The available region of 'b' is not
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOSPACE			The available region of 'b' is not
  *					big enough.
  */
 
@@ -580,7 +591,7 @@ ISC_LANG_ENDDECLS
  * ones beginning with "isc__"
  */
 
-/*
+/*! \note
  * XXXDCL Something more could be done with initializing buffers that
  * point to const data.  For example, a new function, isc_buffer_initconst,
  * could be used, and a new boolean flag in the buffer structure could
diff --git a/contrib/bind9/lib/isc/include/isc/bufferlist.h b/contrib/bind9/lib/isc/include/isc/bufferlist.h
index b24cde0..7fc2ecc 100644
--- a/contrib/bind9/lib/isc/include/isc/bufferlist.h
+++ b/contrib/bind9/lib/isc/include/isc/bufferlist.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bufferlist.h,v 1.10.206.1 2004/03/06 08:14:39 marka Exp $ */
+/* $Id: bufferlist.h,v 1.11.18.2 2005/04/29 00:16:53 marka Exp $ */
 
 #ifndef ISC_BUFFERLIST_H
 #define ISC_BUFFERLIST_H 1
@@ -24,19 +24,19 @@
  ***** Module Info
  *****/
 
-/*
- * Buffer Lists
+/*! \file bufferlist.h
+ *
  *
- *	Buffer lists have no synchronization.  Clients must ensure exclusive
+ *\brief	Buffer lists have no synchronization.  Clients must ensure exclusive
  *	access.
  *
- * Reliability:
+ * \li Reliability:
  *	No anticipated impact.
 
- * Security:
+ * \li Security:
  *	No anticipated impact.
  *
- * Standards:
+ * \li Standards:
  *	None.
  */
 
@@ -55,30 +55,30 @@ ISC_LANG_BEGINDECLS
 
 unsigned int
 isc_bufferlist_usedcount(isc_bufferlist_t *bl);
-/*
- * Return the length of the sum of all used regions of all buffers in
+/*!<
+ * \brief Return the length of the sum of all used regions of all buffers in
  * the buffer list 'bl'
  *
  * Requires:
  *
- *	'bl' is not NULL.
+ *\li	'bl' is not NULL.
  *
  * Returns:
- *	sum of all used regions' lengths.
+ *\li	sum of all used regions' lengths.
  */
 
 unsigned int
 isc_bufferlist_availablecount(isc_bufferlist_t *bl);
-/*
- * Return the length of the sum of all available regions of all buffers in
+/*!<
+ * \brief Return the length of the sum of all available regions of all buffers in
  * the buffer list 'bl'
  *
  * Requires:
  *
- *	'bl' is not NULL.
+ *\li	'bl' is not NULL.
  *
  * Returns:
- *	sum of all available regions' lengths.
+ *\li	sum of all available regions' lengths.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/isc/include/isc/commandline.h b/contrib/bind9/lib/isc/include/isc/commandline.h
index 250f7f0..5ece26f 100644
--- a/contrib/bind9/lib/isc/include/isc/commandline.h
+++ b/contrib/bind9/lib/isc/include/isc/commandline.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,30 +15,33 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: commandline.h,v 1.9.206.1 2004/03/06 08:14:39 marka Exp $ */
+/* $Id: commandline.h,v 1.10.18.2 2005/04/29 00:16:53 marka Exp $ */
 
 #ifndef ISC_COMMANDLINE_H
 #define ISC_COMMANDLINE_H 1
 
+/*! \file */
+
 #include <isc/boolean.h>
 #include <isc/lang.h>
 #include <isc/platform.h>
 
-/* Index into parent argv vector. */
+/*% Index into parent argv vector. */
 LIBISC_EXTERNAL_DATA extern int isc_commandline_index;
-/* Character checked for validity. */
+/*% Character checked for validity. */
 LIBISC_EXTERNAL_DATA extern int isc_commandline_option;
-/* Argument associated with option. */
+/*% Argument associated with option. */
 LIBISC_EXTERNAL_DATA extern char *isc_commandline_argument;
-/* For printing error messages. */
+/*% For printing error messages. */
 LIBISC_EXTERNAL_DATA extern char *isc_commandline_progname;
-/* Print error message. */
+/*% Print error message. */
 LIBISC_EXTERNAL_DATA extern isc_boolean_t isc_commandline_errprint;
-/* Reset getopt. */
+/*% Reset getopt. */
 LIBISC_EXTERNAL_DATA extern isc_boolean_t isc_commandline_reset;
 
 ISC_LANG_BEGINDECLS
 
+/*% parse command line */
 int
 isc_commandline_parse(int argc, char * const *argv, const char *options);
 
diff --git a/contrib/bind9/lib/isc/include/isc/entropy.h b/contrib/bind9/lib/isc/include/isc/entropy.h
index 7200a12..2890f6c 100644
--- a/contrib/bind9/lib/isc/include/isc/entropy.h
+++ b/contrib/bind9/lib/isc/include/isc/entropy.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.h,v 1.23.2.1.10.1 2004/03/06 08:14:40 marka Exp $ */
+/* $Id: entropy.h,v 1.25.18.2 2005/04/29 00:16:54 marka Exp $ */
 
 #ifndef ISC_ENTROPY_H
 #define ISC_ENTROPY_H 1
@@ -24,33 +24,30 @@
  ***** Module Info
  *****/
 
-/*
- * Entropy
- *
- * The entropy API
+/*! \file entropy.h
+ * \brief The entropy API
  *
- * MP:
+ * \li MP:
  *	The entropy object is locked internally.  All callbacks into
  *	application-provided functions (for setup, gathering, and
  *	shutdown of sources) are guaranteed to be called with the
  *	entropy API lock held.  This means these functions are
  *	not permitted to call back into the entropy API.
  *
- * Reliability:
+ * \li Reliability:
  *	No anticipated impact.
  *
- * Resources:
+ * \li Resources:
  *	A buffer, used as an entropy pool.
  *
- * Security:
+ * \li Security:
  *	While this code is believed to implement good entropy gathering
  *	and distribution, it has not been reviewed by a cryptographic
  *	expert.
- *
  *	Since the added entropy is only as good as the sources used,
  *	this module could hand out bad data and never know it.
  *
- * Standards:
+ * \li Standards:
  *	None.
  */
 
@@ -63,31 +60,37 @@
 #include <isc/lang.h>
 #include <isc/types.h>
 
-/*
- * Entropy callback function.
- */
+/*@{*/
+/*% Entropy callback function. */
 typedef isc_result_t (*isc_entropystart_t)(isc_entropysource_t *source,
 					   void *arg, isc_boolean_t blocking);
 typedef isc_result_t (*isc_entropyget_t)(isc_entropysource_t *source,
 					 void *arg, isc_boolean_t blocking);
 typedef void (*isc_entropystop_t)(isc_entropysource_t *source, void *arg);
+/*@}*/
 
 /***
  *** Flags.
  ***/
 
-/*
- * _GOODONLY
+/*!
+ * \brief 
  *	Extract only "good" data; return failure if there is not enough
  *	data available and there are no sources which we can poll to get
  *	data, or those sources are empty.
  *
- * _PARTIAL
+ *
+ */
+#define ISC_ENTROPY_GOODONLY	0x00000001U
+/*!
+ * \brief
  *	Extract as much good data as possible, but if there isn't enough
  *	at hand, return what is available.  This flag only makes sense
  *	when used with _GOODONLY.
- *
- * _BLOCKING
+ */
+#define ISC_ENTROPY_PARTIAL	0x00000002U
+/*!
+ * \brief
  *	Block the task until data is available.  This is contrary to the
  *	ISC task system, where tasks should never block.  However, if
  *	this is a special purpose application where blocking a task is
@@ -95,12 +98,10 @@ typedef void (*isc_entropystop_t)(isc_entropysource_t *source, void *arg);
  *	This flag only makes sense when used with _GOODONLY, and will
  *	block regardless of the setting for _PARTIAL.
  */
-#define ISC_ENTROPY_GOODONLY	0x00000001U
-#define ISC_ENTROPY_PARTIAL	0x00000002U
 #define ISC_ENTROPY_BLOCKING	0x00000004U
 
-/*
- * _ESTIMATE
+/*!
+ * \brief
  *	Estimate the amount of entropy contained in the sample pool.
  *	If this is not set, the source will be gathered and perodically
  *	mixed into the entropy pool, but no increment in contained entropy
@@ -110,17 +111,22 @@ typedef void (*isc_entropystop_t)(isc_entropysource_t *source, void *arg);
 
 /*
  * For use with isc_entropy_usebestsource().
- *
- * _KEYBOARDYES
+ */
+/*!
+ * \brief 
  *	Use the keyboard as the only entropy source.
- * _KEYBOARDNO
+ */
+#define ISC_ENTROPY_KEYBOARDYES		1
+/*!
+ * \brief 
  *	Never use the keyboard as an entropy source.
- * _KEYBOARDMAYBE
+ */
+#define ISC_ENTROPY_KEYBOARDNO		2
+/*!
+ * \brief
  *	Use the keyboard as an entropy source only if opening the
  *	random device fails.
  */
-#define ISC_ENTROPY_KEYBOARDYES		1
-#define ISC_ENTROPY_KEYBOARDNO		2
 #define ISC_ENTROPY_KEYBOARDMAYBE	3
 
 ISC_LANG_BEGINDECLS
@@ -131,26 +137,26 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp);
-/*
- * Create a new entropy object.
+/*!<
+ * \brief Create a new entropy object.
  */
 
 void
 isc_entropy_attach(isc_entropy_t *ent, isc_entropy_t **entp);
-/*
+/*!<
  * Attaches to an entropy object.
  */
 
 void
 isc_entropy_detach(isc_entropy_t **entp);
-/*
- * Detaches from an entropy object.
+/*!<
+ * \brief Detaches from an entropy object.
  */
 
 isc_result_t
 isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname);
-/*
- * Create a new entropy source from a file.
+/*!<
+ * \brief Create a new entropy source from a file.
  *
  * The file is assumed to contain good randomness, and will be mixed directly
  * into the pool with every byte adding 8 bits of entropy.
@@ -168,15 +174,15 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname);
 
 void
 isc_entropy_destroysource(isc_entropysource_t **sourcep);
-/*
- * Removes an entropy source from the entropy system.
+/*!<
+ * \brief Removes an entropy source from the entropy system.
  */
 
 isc_result_t
 isc_entropy_createsamplesource(isc_entropy_t *ent,
 			       isc_entropysource_t **sourcep);
-/*
- * Create an entropy source that consists of samples.  Each sample is added
+/*!<
+ * \brief Create an entropy source that consists of samples.  Each sample is added
  * to the source via isc_entropy_addsamples(), below.
  */
 
@@ -187,8 +193,10 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
 				 isc_entropystop_t stop,
 				 void *arg,
 				 isc_entropysource_t **sourcep);
-/*
- * Create an entropy source that is polled via a callback.  This would
+/*!<
+ * \brief Create an entropy source that is polled via a callback.  
+ *
+ * This would
  * be used when keyboard input is used, or a GUI input method.  It can
  * also be used to hook in any external entropy source.
  *
@@ -199,19 +207,22 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
 
 void
 isc_entropy_stopcallbacksources(isc_entropy_t *ent);
-/*
- * Call the stop functions for callback sources that have had their
+/*!<
+ * \brief Call the stop functions for callback sources that have had their
  * start functions called.
  */
 
+/*@{*/
 isc_result_t
 isc_entropy_addcallbacksample(isc_entropysource_t *source, isc_uint32_t sample,
 			      isc_uint32_t extra);
 isc_result_t
 isc_entropy_addsample(isc_entropysource_t *source, isc_uint32_t sample,
 		      isc_uint32_t extra);
-/*
- * Add a sample to the sample source.  The sample MUST be a timestamp
+/*!<
+ * \brief Add a sample to the sample source.  
+ *
+ * The sample MUST be a timestamp
  * that increases over time, with the exception of wrap-around for
  * extremely high resolution timers which will quickly wrap-around
  * a 32-bit integer.
@@ -222,20 +233,28 @@ isc_entropy_addsample(isc_entropysource_t *source, isc_uint32_t sample,
  * When in an entropy API callback function, _addcallbacksource() must be
  * used.  At all other times, _addsample() must be used.
  */
+/*@}*/
 
 isc_result_t
 isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
 		    unsigned int *returned, unsigned int flags);
-/*
- * Extract data from the entropy pool.  This may load the pool from various
+/*!<
+ * \brief Extract data from the entropy pool.  This may load the pool from various
  * sources.
+ *
+ * Do this by stiring the pool and returning a part of hash as randomness.
+ * Note that no secrets are given away here since parts of the hash are
+ * xored together before returned.
+ *
+ * Honor the request from the caller to only return good data, any data,
+ * etc.
  */
 
 void
 isc_entropy_putdata(isc_entropy_t *ent, void *data, unsigned int length,
 		    isc_uint32_t entropy);
-/*
- * Add "length" bytes in "data" to the entropy pool, incrementing the pool's
+/*!<
+ * \brief Add "length" bytes in "data" to the entropy pool, incrementing the pool's
  * entropy count by "entropy."
  *
  * These bytes will prime the pseudorandom portion even no entropy is actually
@@ -244,42 +263,42 @@ isc_entropy_putdata(isc_entropy_t *ent, void *data, unsigned int length,
 
 void
 isc_entropy_stats(isc_entropy_t *ent, FILE *out);
-/*
- * Dump some (trivial) stats to the stdio stream "out".
+/*!<
+ * \brief Dump some (trivial) stats to the stdio stream "out".
  */
 
 isc_result_t
 isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
 			  const char *randomfile, int use_keyboard);
-/*
- * Use whatever source of entropy is best.
+/*!<
+ * \brief Use whatever source of entropy is best.
  *
  * Notes:
- *	If "randomfile" is not NULL, open it with
+ *\li	If "randomfile" is not NULL, open it with
  *	isc_entropy_createfilesource(). 
  *
- *	If "randomfile" is NULL and the system's random device was detected
+ *\li	If "randomfile" is NULL and the system's random device was detected
  *	when the program was configured and built, open that device with
  *	isc_entropy_createfilesource(). 
  *
- *	If "use_keyboard" is ISC_ENTROPY_KEYBOARDYES, then always open
+ *\li	If "use_keyboard" is #ISC_ENTROPY_KEYBOARDYES, then always open
  *	the keyboard as an entropy source (possibly in addition to
  *	"randomfile" or the random device).
  *
- *	If "use_keyboard" is ISC_ENTROPY_KEYBOARDMAYBE, open the keyboard only
+ *\li	If "use_keyboard" is #ISC_ENTROPY_KEYBOARDMAYBE, open the keyboard only
  *	if opening the random file/device fails.  A message will be
  *	printed describing the need for keyboard input.
  *
- *	If "use_keyboard" is ISC_ENTROPY_KEYBOARDNO, the keyboard will
+ *\li	If "use_keyboard" is #ISC_ENTROPY_KEYBOARDNO, the keyboard will
  *	never be opened.
  *
  * Returns:
- *	ISC_R_SUCCESS if at least one source of entropy could be started.
+ *\li	#ISC_R_SUCCESS if at least one source of entropy could be started.
  *
- *	ISC_R_NOENTROPY if use_keyboard is ISC_ENTROPY_KEYBOARDNO and
+ *\li	#ISC_R_NOENTROPY if use_keyboard is #ISC_ENTROPY_KEYBOARDNO and
  *	there is no random device pathname compiled into the program.
  *
- *	A return code from isc_entropy_createfilesource() or
+ *\li	A return code from isc_entropy_createfilesource() or
  *	isc_entropy_createcallbacksource().
  */
 
diff --git a/contrib/bind9/lib/isc/include/isc/error.h b/contrib/bind9/lib/isc/include/isc/error.h
index 6142926..3320ae9 100644
--- a/contrib/bind9/lib/isc/include/isc/error.h
+++ b/contrib/bind9/lib/isc/include/isc/error.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: error.h,v 1.13.206.1 2004/03/06 08:14:40 marka Exp $ */
+/* $Id: error.h,v 1.14.18.2 2005/04/29 00:16:54 marka Exp $ */
 
 #ifndef ISC_ERROR_H
 #define ISC_ERROR_H 1
 
+/*! \file */
+
 #include <stdarg.h>
 
 #include <isc/formatcheck.h>
@@ -29,20 +31,25 @@ ISC_LANG_BEGINDECLS
 
 typedef void (*isc_errorcallback_t)(const char *, int, const char *, va_list);
 
+/*% set unexpected error */
 void
 isc_error_setunexpected(isc_errorcallback_t);
 
+/*% set fatal error */
 void
 isc_error_setfatal(isc_errorcallback_t);
 
+/*% unexpected error */
 void
 isc_error_unexpected(const char *, int, const char *, ...)
      ISC_FORMAT_PRINTF(3, 4);
 
+/*% fatal error */
 void
 isc_error_fatal(const char *, int, const char *, ...)
      ISC_FORMAT_PRINTF(3, 4);
 
+/*% runtimecheck error */
 void
 isc_error_runtimecheck(const char *, int, const char *);
 
diff --git a/contrib/bind9/lib/isc/include/isc/event.h b/contrib/bind9/lib/isc/include/isc/event.h
index 58ef2c3..f1b1d61 100644
--- a/contrib/bind9/lib/isc/include/isc/event.h
+++ b/contrib/bind9/lib/isc/include/isc/event.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: event.h,v 1.24.2.2.8.2 2004/04/15 02:10:41 marka Exp $ */
+/* $Id: event.h,v 1.27.18.3 2005/04/29 00:16:54 marka Exp $ */
 
 #ifndef ISC_EVENT_H
 #define ISC_EVENT_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/types.h>
 
@@ -41,14 +43,14 @@ typedef void (*isc_eventdestructor_t)(isc_event_t *);
 	void *				ev_destroy_arg; \
 	ISC_LINK(ltype)			ev_link
 
-/*
+/*%
  * Attributes matching a mask of 0x000000ff are reserved for the task library's
  * definition.  Attributes of 0xffffff00 may be used by the application
  * or non-ISC libraries.
  */
 #define ISC_EVENTATTR_NOPURGE		0x00000001
 
-/*
+/*%
  * The ISC_EVENTATTR_CANCELED attribute is intended to indicate
  * that an event is delivered as a result of a canceled operation
  * rather than successful completion, by mutual agreement
@@ -71,7 +73,7 @@ do { \
 	ISC_LINK_INIT((event), ev_link); \
 } while (0)
 
-/*
+/*%
  * This structure is public because "subclassing" it may be useful when
  * defining new event types.
  */
@@ -89,22 +91,26 @@ ISC_LANG_BEGINDECLS
 isc_event_t *
 isc_event_allocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
 		   isc_taskaction_t action, const void *arg, size_t size);
-/*
+/*%<
+ * Allocate an event structure. 
+ *
  * Allocate and initialize in a structure with initial elements
  * defined by:
  *
+ * \code
  *	struct {
  *		ISC_EVENT_COMMON(struct isc_event);
  *		...
  *	};
+ * \endcode
  *	
  * Requires:
- *	'size' >= sizeof(struct isc_event)
- *	'action' to be non NULL
+ *\li	'size' >= sizeof(struct isc_event)
+ *\li	'action' to be non NULL
  *
  * Returns:
- *	a pointer to a initialized structure of the requested size.
- *	NULL if unable to allocate memory.
+ *\li	a pointer to a initialized structure of the requested size.
+ *\li	NULL if unable to allocate memory.
  */
 
 void
diff --git a/contrib/bind9/lib/isc/include/isc/eventclass.h b/contrib/bind9/lib/isc/include/isc/eventclass.h
index a783d35..71de715 100644
--- a/contrib/bind9/lib/isc/include/isc/eventclass.h
+++ b/contrib/bind9/lib/isc/include/isc/eventclass.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,25 +15,28 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: eventclass.h,v 1.13.206.1 2004/03/06 08:14:40 marka Exp $ */
+/* $Id: eventclass.h,v 1.14.18.2 2005/04/29 00:16:54 marka Exp $ */
 
 #ifndef ISC_EVENTCLASS_H
 #define ISC_EVENTCLASS_H 1
 
-/*****
+/*! \file isc/eventclass.h
  ***** Registry of Predefined Event Type Classes
  *****/
 
-/*
+/*%
  * An event class is an unsigned 16 bit number.  Each class may contain up
  * to 65536 events.  An event type is formed by adding the event number
  * within the class to the class number.
+ *
  */
 
 #define ISC_EVENTCLASS(eclass)		((eclass) << 16)
 
-/*
+/*@{*/
+/*!
  * Classes < 1024 are reserved for ISC use.
+ * Event classes >= 1024 and <= 65535 are reserved for application use.
  */
 
 #define	ISC_EVENTCLASS_TASK		ISC_EVENTCLASS(0)
@@ -45,9 +48,6 @@
 #define	ISC_EVENTCLASS_OMAPI		ISC_EVENTCLASS(6)
 #define	ISC_EVENTCLASS_RATELIMITER	ISC_EVENTCLASS(7)
 #define	ISC_EVENTCLASS_ISCCC		ISC_EVENTCLASS(8)
-
-/*
- * Event classes >= 1024 and <= 65535 are reserved for application use.
- */
+/*@}*/
 
 #endif /* ISC_EVENTCLASS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/file.h b/contrib/bind9/lib/isc/include/isc/file.h
index 6de6c8a..16b0075 100644
--- a/contrib/bind9/lib/isc/include/isc/file.h
+++ b/contrib/bind9/lib/isc/include/isc/file.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: file.h,v 1.24.12.3 2004/03/08 09:04:51 marka Exp $ */
+/* $Id: file.h,v 1.27.18.2 2005/04/29 00:16:54 marka Exp $ */
 
 #ifndef ISC_FILE_H
 #define ISC_FILE_H 1
 
+/*! \file */
+
 #include <stdio.h>
 
 #include <isc/lang.h>
@@ -32,81 +34,81 @@ isc_file_settime(const char *file, isc_time_t *time);
 
 isc_result_t
 isc_file_getmodtime(const char *file, isc_time_t *time);
-/*
- * Get the time of last modication of a file.
+/*!<
+ * \brief Get the time of last modication of a file.
  *
  * Notes:
- *	The time that is set is relative to the (OS-specific) epoch, as are
+ *\li	The time that is set is relative to the (OS-specific) epoch, as are
  *	all isc_time_t structures.
  *
  * Requires:
- *	file != NULL.
- *	time != NULL.
+ *\li	file != NULL.
+ *\li	time != NULL.
  *
  * Ensures:
- *	If the file could not be accessed, 'time' is unchanged.
+ *\li	If the file could not be accessed, 'time' is unchanged.
  *
  * Returns:
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_SUCCESS
  *		Success.
- *	ISC_R_NOTFOUND
+ *\li	#ISC_R_NOTFOUND
  *		No such file exists.
- *	ISC_R_INVALIDFILE
+ *\li	#ISC_R_INVALIDFILE
  *		The path specified was not usable by the operating system.
- *	ISC_R_NOPERM
+ *\li	#ISC_R_NOPERM
  *		The file's metainformation could not be retrieved because
  *		permission was denied to some part of the file's path.
- *	ISC_R_EIO
+ *\li	#ISC_R_EIO
  *		Hardware error interacting with the filesystem.
- *	ISC_R_UNEXPECTED
+ *\li	#ISC_R_UNEXPECTED
  *		Something totally unexpected happened.
  *
  */
 
 isc_result_t
 isc_file_mktemplate(const char *path, char *buf, size_t buflen);
-/*
- * Generate a template string suitable for use with isc_file_openunique.
+/*!<
+ * \brief Generate a template string suitable for use with isc_file_openunique().
  *
  * Notes:
- *	This function is intended to make creating temporary files
+ *\li	This function is intended to make creating temporary files
  *	portable between different operating systems.
  *
- *	The path is prepended to an implementation-defined string and
+ *\li	The path is prepended to an implementation-defined string and
  *	placed into buf.  The string has no path characters in it,
  *	and its maximum length is 14 characters plus a NUL.  Thus
  *	buflen should be at least strlen(path) + 15 characters or
  *	an error will be returned.
  *
  * Requires:
- *	buf != NULL.
+ *\li	buf != NULL.
  *
  * Ensures:
- *	If result == ISC_R_SUCCESS:
+ *\li	If result == #ISC_R_SUCCESS:
  *		buf contains a string suitable for use as the template argument
- *		to isc_file_openunique.
+ *		to isc_file_openunique().
  *
- *	If result != ISC_R_SUCCESS:
+ *\li	If result != #ISC_R_SUCCESS:
  *		buf is unchanged.
  *
  * Returns:
- *	ISC_R_SUCCESS 	Success.
- *	ISC_R_NOSPACE	buflen indicates buf is too small for the catenation
+ *\li	#ISC_R_SUCCESS 	Success.
+ *\li	#ISC_R_NOSPACE	buflen indicates buf is too small for the catenation
  *				of the path with the internal template string.
  */
 
 
 isc_result_t
 isc_file_openunique(char *templet, FILE **fp);
-/*
- * Create and open a file with a unique name based on 'templet'.
+/*!<
+ * \brief Create and open a file with a unique name based on 'templet'.
  *
  * Notes:
- *	'template' is a reserved work in C++.  If you want to complain
+ *\li	'template' is a reserved work in C++.  If you want to complain
  *	about the spelling of 'templet', first look it up in the
  *	Merriam-Webster English dictionary. (http://www.m-w.com/)
  *
- *	This function works by using the template to generate file names.
+ *\li	This function works by using the template to generate file names.
  *	The template must be a writable string, as it is modified in place.
  *	Trailing X characters in the file name (full file name on Unix,
  *	basename on Win32 -- eg, tmp-XXXXXX vs XXXXXX.tmp, respectively)
@@ -114,95 +116,97 @@ isc_file_openunique(char *templet, FILE **fp);
  *	is found.  If the template does not include pathname information,
  *	the files in the working directory of the program are searched.
  *
- *	isc_file_mktemplate is a good, portable way to get a template.
+ *\li	isc_file_mktemplate is a good, portable way to get a template.
  *
  * Requires:
- *	'fp' is non-NULL and '*fp' is NULL.
+ *\li	'fp' is non-NULL and '*fp' is NULL.
  *
- *	'template' is non-NULL, and of a form suitable for use by
+ *\li	'template' is non-NULL, and of a form suitable for use by
  *	the system as described above.
  *
  * Ensures:
- *	If result is ISC_R_SUCCESS:
+ *\li	If result is #ISC_R_SUCCESS:
  *		*fp points to an stream opening in stdio's "w+" mode.
  *
- *	If result is not ISC_R_SUCCESS:
+ *\li	If result is not #ISC_R_SUCCESS:
  *		*fp is NULL.
  *
  *		No file is open.  Even if one was created (but unable
  *		to be reopened as a stdio FILE pointer) then it has been
  *		removed.
  *
- *	This function does *not* ensure that the template string has not been
+ *\li	This function does *not* ensure that the template string has not been
  *	modified, even if the operation was unsuccessful.
  *
  * Returns:
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_SUCCESS
  *		Success.
- *	ISC_R_EXISTS
+ *\li	#ISC_R_EXISTS
  *		No file with a unique name could be created based on the
  *		template.
- *	ISC_R_INVALIDFILE
+ *\li	#ISC_R_INVALIDFILE
  *		The path specified was not usable by the operating system.
- *	ISC_R_NOPERM
+ *\li	#ISC_R_NOPERM
  *		The file could not be created because permission was denied
  *		to some part of the file's path.
- *	ISC_R_EIO
+ *\li	#ISC_R_IOERROR
  *		Hardware error interacting with the filesystem.
- *	ISC_R_UNEXPECTED
+ *\li	#ISC_R_UNEXPECTED
  *		Something totally unexpected happened.
  */
 
 isc_result_t
 isc_file_remove(const char *filename);
-/*
- * Remove the file named by 'filename'.
+/*!<
+ * \brief Remove the file named by 'filename'.
  */
 
 isc_result_t
 isc_file_rename(const char *oldname, const char *newname);
-/*
- * Rename the file 'oldname' to 'newname'.
+/*!<
+ * \brief Rename the file 'oldname' to 'newname'.
  */
 
 isc_boolean_t
 isc_file_exists(const char *pathname);
-/*
- * Return ISC_TRUE iff the calling process can tell that the given file exists.
+/*!<
+ * \brief Return #ISC_TRUE if the calling process can tell that the given file exists.
  * Will not return true if the calling process has insufficient privileges
  * to search the entire path.
  */
 
 isc_boolean_t
 isc_file_isabsolute(const char *filename);
-/*
- * Return ISC_TRUE iff the given file name is absolute.
+/*!<
+ * \brief Return #ISC_TRUE if the given file name is absolute.
  */
 
 isc_boolean_t
 isc_file_iscurrentdir(const char *filename);
-/*
- * Return ISC_TRUE iff the given file name is the current directory (".").
+/*!<
+ * \brief Return #ISC_TRUE if the given file name is the current directory (".").
  */
 
 isc_boolean_t
 isc_file_ischdiridempotent(const char *filename);
-/*
- * Return ISC_TRUE if calling chdir(filename) multiple times will give
+/*%<
+ * Return #ISC_TRUE if calling chdir(filename) multiple times will give
  * the same result as calling it once.
  */
 
 const char *
 isc_file_basename(const char *filename);
-/*
+/*%<
  * Return the final component of the path in the file name.
  */
 
 isc_result_t
 isc_file_progname(const char *filename, char *buf, size_t buflen);
-/*
- * Given an operating system specific file name "filename"
+/*!<
+ * \brief Given an operating system specific file name "filename"
  * referring to a program, return the canonical program name. 
+ *
+ *
  * Any directory prefix or executable file name extension (if
  * used on the OS in case) is stripped.  On systems where program
  * names are case insensitive, the name is canonicalized to all
@@ -210,14 +214,14 @@ isc_file_progname(const char *filename, char *buf, size_t buflen);
  * chars, and null terminated.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE 	The name did not fit in 'buf'.
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE 	The name did not fit in 'buf'.
  */
 
 isc_result_t
 isc_file_template(const char *path, const char *templet, char *buf,
 		  size_t buflen);
-/*
+/*%<
  * Create an OS specific template using 'path' to define the directory
  * 'templet' to describe the filename and store the result in 'buf'
  * such that path can be renamed to buf atomically.
@@ -225,13 +229,13 @@ isc_file_template(const char *path, const char *templet, char *buf,
 
 isc_result_t
 isc_file_renameunique(const char *file, char *templet);
-/*
+/*%<
  * Rename 'file' using 'templet' as a template for the new file name.
  */
 
 isc_result_t
 isc_file_absolutepath(const char *filename, char *path, size_t pathlen);
-/*
+/*%<
  * Given a file name, return the fully qualified path to the file.
  */
 
@@ -243,7 +247,7 @@ isc_file_absolutepath(const char *filename, char *path, size_t pathlen);
 
 isc_result_t
 isc_file_truncate(const char *filename, isc_offset_t size);
-/*
+/*%<
  * Truncate/extend the file specified to 'size' bytes.
  */
 
diff --git a/contrib/bind9/lib/isc/include/isc/formatcheck.h b/contrib/bind9/lib/isc/include/isc/formatcheck.h
index a7f26c1..93c6232 100644
--- a/contrib/bind9/lib/isc/include/isc/formatcheck.h
+++ b/contrib/bind9/lib/isc/include/isc/formatcheck.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,15 +15,21 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: formatcheck.h,v 1.6.206.1 2004/03/06 08:14:41 marka Exp $ */
+/* $Id: formatcheck.h,v 1.7.18.2 2005/04/29 00:16:54 marka Exp $ */
 
 #ifndef ISC_FORMATCHECK_H
 #define ISC_FORMATCHECK_H 1
 
-/*
- * fmt is the location of the format string parameter.
- * args is the location of the first argument (or 0 for no argument checking).
- * Note: the first parameter is 1, not 0.
+/*! \file */
+
+/*%
+ * ISC_FORMAT_PRINTF().
+ *
+ * \li fmt is the location of the format string parameter.
+ * \li args is the location of the first argument (or 0 for no argument checking).
+ * 
+ * Note:
+ * \li The first parameter is 1, not 0.
  */
 #ifdef __GNUC__
 #define ISC_FORMAT_PRINTF(fmt, args) __attribute__((__format__(__printf__, fmt, args)))
diff --git a/contrib/bind9/lib/isc/include/isc/fsaccess.h b/contrib/bind9/lib/isc/include/isc/fsaccess.h
index 0f0c8ce..70c4d7c 100644
--- a/contrib/bind9/lib/isc/include/isc/fsaccess.h
+++ b/contrib/bind9/lib/isc/include/isc/fsaccess.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.h,v 1.7.206.1 2004/03/06 08:14:41 marka Exp $ */
+/* $Id: fsaccess.h,v 1.8.18.2 2005/04/29 00:16:55 marka Exp $ */
 
 #ifndef ISC_FSACCESS_H
 #define ISC_FSACCESS_H 1
 
-/*
- * The ISC filesystem access module encapsulates the setting of file
+/*! \file
+ * \brief The ISC filesystem access module encapsulates the setting of file
  * and directory access permissions into one API that is meant to be
  * portable to multiple operating systems.
  *
@@ -41,30 +41,30 @@
  *
  * Some of the more notable dumbing down of NT for this API includes:
  *
- *   o Each of FILE_READ_DATA and FILE_READ_EA are set with ISC_FSACCESS_READ.
+ *\li   Each of FILE_READ_DATA and FILE_READ_EA are set with #ISC_FSACCESS_READ.
  *
- *   o All of FILE_WRITE_DATA, FILE_WRITE_EA and FILE_APPEND_DATA are
- *     set with ISC_FSACCESS_WRITE.  FILE_WRITE_ATTRIBUTES is not set
+ * \li  All of FILE_WRITE_DATA, FILE_WRITE_EA and FILE_APPEND_DATA are
+ *     set with #ISC_FSACCESS_WRITE.  FILE_WRITE_ATTRIBUTES is not set
  *     so as to be consistent with Unix, where only the owner of the file
  *     or the superuser can change the attributes/mode of a file.
  *
- *   o Both of FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY are set with
- *     ISC_FSACCESS_CREATECHILD.  This is similar to setting the WRITE
+ * \li  Both of FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY are set with
+ *     #ISC_FSACCESS_CREATECHILD.  This is similar to setting the WRITE
  *     permission on a Unix directory.
  *
- *   o SYNCHRONIZE is always set for files and directories, unless someone
+ * \li  SYNCHRONIZE is always set for files and directories, unless someone
  *     can give me a reason why this is a bad idea.
  *
- *   o READ_CONTROL and FILE_READ_ATTRIBUTES are always set; this is
+ * \li  READ_CONTROL and FILE_READ_ATTRIBUTES are always set; this is
  *     consistent with Unix, where any file or directory can be stat()'d
  *     unless the directory path disallows complete access somewhere along
  *     the way.
  *
- *   o WRITE_DAC is only set for the owner.  This too is consistent with
+ * \li  WRITE_DAC is only set for the owner.  This too is consistent with
  *     Unix, and is tighter security than allowing anyone else to be
  *     able to set permissions.
  *
- *   o DELETE is only set for the owner.  On Unix the ability to delete
+ * \li  DELETE is only set for the owner.  On Unix the ability to delete
  *     a file is controlled by the directory permissions, but it isn't
  *     currently clear to me what happens on NT if the directory has
  *     FILE_DELETE_CHILD set but a file within it does not have DELETE
@@ -72,19 +72,19 @@
  *     gives maximum flexibility to the owner without exposing the
  *     file to deletion by others.
  *
- *   o WRITE_OWNER is never set.  This too is consistent with Unix,
+ * \li  WRITE_OWNER is never set.  This too is consistent with Unix,
  *     and is also tighter security than allowing anyone to change the
  *     ownership of the file apart from the superu..ahem, Administrator.
  *
- *   o Inheritance is set to NO_INHERITANCE.
+ * \li  Inheritance is set to NO_INHERITANCE.
  *
  * Unix's dumbing down includes:
  *
- *   o The sticky bit cannot be set.
+ * \li  The sticky bit cannot be set.
  *
- *   o setuid and setgid cannot be set.
+ * \li  setuid and setgid cannot be set.
  *
- *   o Only regular files and directories can be set.
+ * \li  Only regular files and directories can be set.
  *
  * The rest of this comment discusses a few of the incompatibilities
  * between the two systems that need more thought if this API is to
@@ -103,24 +103,24 @@
  * set on a directory.  You'd need to coordinate something with file creation
  * so that every file created had DELETE set for the owner but noone else.
  *
- * On Unix systems, setting ISC_FSACCESS_LISTDIRECTORY sets READ.
- * ... setting either of ISC_FSACCESS_(CREATE|DELETE)CHILD sets WRITE.
- * ... setting ISC_FSACCESS_ACCESSCHILD sets EXECUTE.
+ * On Unix systems, setting #ISC_FSACCESS_LISTDIRECTORY sets READ.
+ * ... setting either of #ISC_FSACCESS_(CREATE|DELETE)CHILD sets WRITE.
+ * ... setting #ISC_FSACCESS_ACCESSCHILD sets EXECUTE.
  *
- * On NT systems, setting ISC_FSACCESS_LISTDIRECTORY sets FILE_LIST_DIRECTORY.
+ * On NT systems, setting #ISC_FSACCESS_LISTDIRECTORY sets FILE_LIST_DIRECTORY.
  * ... setting ISC_FSACCESS_(CREATE|DELETE)CHILD sets
  *	FILE_(CREATE|DELETE)_CHILD independently.
- * ... setting ISC_FSACCESS_ACCESSCHILD sets FILE_TRAVERSE.
+ * ... setting #ISC_FSACCESS_ACCESSCHILD sets FILE_TRAVERSE.
  *
  * Unresolved:							XXXDCL
- *   What NT access right controls the ability to rename a file?
- *   How does DELETE work?  If a directory has FILE_DELETE_CHILD but a
+ * \li  What NT access right controls the ability to rename a file?
+ * \li  How does DELETE work?  If a directory has FILE_DELETE_CHILD but a
  *      file or directory within it does not have DELETE, is that file
  *	or directory deletable?
- *   To implement isc_fsaccess_get(), mapping an existing Unix permission
+ * \li  To implement isc_fsaccess_get(), mapping an existing Unix permission
  * 	mode_t back to an isc_fsaccess_t is pretty trivial; however, mapping
  *	an NT DACL could be impossible to do in a responsible way.
- *   Similarly, trying to implement the functionality of being able to
+ * \li  Similarly, trying to implement the functionality of being able to
  *	say "add group writability to whatever permissions already exist"
  *	could be tricky on NT because of the order-of-entry issue combined
  *	with possibly having one or more matching ACEs already explicitly
@@ -135,23 +135,23 @@
 /*
  * Trustees.
  */
-#define ISC_FSACCESS_OWNER	0x1 /* User account. */
-#define ISC_FSACCESS_GROUP	0x2 /* Primary group owner. */
-#define ISC_FSACCESS_OTHER	0x4 /* Not the owner or the group owner. */
-#define ISC_FSACCESS_WORLD	0x7 /* User, Group, Other. */
+#define ISC_FSACCESS_OWNER	0x1 /*%< User account. */
+#define ISC_FSACCESS_GROUP	0x2 /*%< Primary group owner. */
+#define ISC_FSACCESS_OTHER	0x4 /*%< Not the owner or the group owner. */
+#define ISC_FSACCESS_WORLD	0x7 /*%< User, Group, Other. */
 
 /*
  * Types of permission.
  */
-#define ISC_FSACCESS_READ		0x00000001 /* File only. */
-#define ISC_FSACCESS_WRITE		0x00000002 /* File only. */
-#define ISC_FSACCESS_EXECUTE		0x00000004 /* File only. */
-#define ISC_FSACCESS_CREATECHILD	0x00000008 /* Dir only. */
-#define ISC_FSACCESS_DELETECHILD	0x00000010 /* Dir only. */
-#define ISC_FSACCESS_LISTDIRECTORY	0x00000020 /* Dir only. */
-#define ISC_FSACCESS_ACCESSCHILD	0x00000040 /* Dir only. */
+#define ISC_FSACCESS_READ		0x00000001 /*%< File only. */
+#define ISC_FSACCESS_WRITE		0x00000002 /*%< File only. */
+#define ISC_FSACCESS_EXECUTE		0x00000004 /*%< File only. */
+#define ISC_FSACCESS_CREATECHILD	0x00000008 /*%< Dir only. */
+#define ISC_FSACCESS_DELETECHILD	0x00000010 /*%< Dir only. */
+#define ISC_FSACCESS_LISTDIRECTORY	0x00000020 /*%< Dir only. */
+#define ISC_FSACCESS_ACCESSCHILD	0x00000040 /*%< Dir only. */
 
-/*
+/*%
  * Adding any permission bits beyond 0x200 would mean typedef'ing
  * isc_fsaccess_t as isc_uint64_t, and redefining this value to
  * reflect the new range of permission types, Probably to 21 for
diff --git a/contrib/bind9/lib/isc/include/isc/hash.h b/contrib/bind9/lib/isc/include/isc/hash.h
index b94142b..cd29cdf 100644
--- a/contrib/bind9/lib/isc/include/isc/hash.h
+++ b/contrib/bind9/lib/isc/include/isc/hash.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hash.h,v 1.2.2.1.2.2 2004/03/06 08:14:41 marka Exp $ */
+/* $Id: hash.h,v 1.4.18.2 2005/04/29 00:16:55 marka Exp $ */
 
 #ifndef ISC_HASH_H
 #define ISC_HASH_H 1
@@ -24,12 +24,10 @@
  ***** Module Info
  *****/
 
-/*
- * Hash
- *
- * The hash API
+/*! \file
  *
- *	Provides an unpredictable hash value for variable length data.
+ * \brief The hash API
+ *	provides an unpredictable hash value for variable length data.
  *	A hash object contains a random vector (which is hidden from clients
  *	of this API) to make the actual hash value unpredictable.
  *
@@ -48,27 +46,27 @@
  *	it should be typical to have a single context for an entire system.
  *	To support such cases, the API also provides a single-context mode.
  *
- * MP:
+ * \li MP:
  *	The hash object is almost read-only.  Once the internal random vector
  *	is initialized, no write operation will occur, and there will be no
  *	need to lock the object to calculate actual hash values.
  *
- * Reliability:
+ * \li Reliability:
  *	In some cases this module uses low-level data copy to initialize the
  *	random vector.  Errors in this part are likely to crash the server or
  *	corrupt memory.
  *
- * Resources:
+ * \li Resources:
  *	A buffer, used as a random vector for calculating hash values.
  *
- * Security:
+ * \li Security:
  *	This module intends to provide unpredictable hash values in
  *	adversarial environments in order to avoid denial of service attacks
  *	to hash buckets.
  *	Its unpredictability relies on the quality of entropy to build the
  *	random vector.
  *
- * Standards:
+ * \li Standards:
  *	None.
  */
 
@@ -88,10 +86,11 @@ isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy, unsigned int limit,
 		   isc_hash_t **hctx);
 isc_result_t
 isc_hash_create(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit);
-/*
- * Create a new hash object.
+/*!<
+ * \brief Create a new hash object.
  *
  * isc_hash_ctxcreate() creates a different object.
+ *
  * isc_hash_create() creates a module-internal object to support the
  * single-context mode.  It should be called only once.
  *
@@ -105,15 +104,16 @@ isc_hash_create(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit);
 
 void
 isc_hash_ctxattach(isc_hash_t *hctx, isc_hash_t **hctxp);
-/*
- * Attach to a hash object.
+/*!<
+ * \brief Attach to a hash object.
+ *
  * This function is only necessary for the multiple-context mode.
  */
 
 void
 isc_hash_ctxdetach(isc_hash_t **hctxp);
-/*
- * Detach from a hash object.
+/*!<
+ * \brief Detach from a hash object.
  *
  * This function  is for the multiple-context mode, and takes a valid
  * hash object as an argument.
@@ -121,19 +121,23 @@ isc_hash_ctxdetach(isc_hash_t **hctxp);
 
 void
 isc_hash_destroy(void);
-/*
- * This function is for the single-context mode, and is expected to be used
+/*!<
+ * \brief This function is for the single-context mode, and is expected to be used
  * as a counterpart of isc_hash_create().
+ *
  * A valid module-internal hash object must have been created, and this
  * function should be called only once.
  */
 
+/*@{*/
 void
 isc_hash_ctxinit(isc_hash_t *hctx);
 void
 isc_hash_init(void);
-/*
- * Initialize a hash object.  It fills in the random vector with a proper
+/*!<
+ * \brief Initialize a hash object.  
+ *
+ * It fills in the random vector with a proper
  * source of entropy, which is typically from the entropy object specified
  * at the creation.  Thus, it is desirable to call these functions after
  * initializing the entropy object with some good entropy sources.
@@ -142,26 +146,31 @@ isc_hash_init(void);
  *
  * isc_hash_ctxinit() is for the multiple-context mode, and takes a valid hash
  * object as an argument.
+ *
  * isc_hash_init() is for the single-context mode.  A valid module-internal
  * hash object must have been created, and this function should be called only
  * once.
  */
+/*@}*/
 
+/*@{*/
 unsigned int
 isc_hash_ctxcalc(isc_hash_t *hctx, const unsigned char *key,
 		 unsigned int keylen, isc_boolean_t case_sensitive);
 unsigned int
 isc_hash_calc(const unsigned char *key, unsigned int keylen,
 	      isc_boolean_t case_sensitive);
-/*
- * Calculate a hash value.
+/*!<
+ * \brief Calculate a hash value.
  *
  * isc_hash_ctxinit() is for the multiple-context mode, and takes a valid hash
  * object as an argument.
+ *
  * isc_hash_init() is for the single-context mode.  A valid module-internal
  * hash object must have been created.
  *
  * 'key' is the hash key, which is a variable length buffer.
+ *
  * 'keylen' specifies the key length, which must not be larger than the limit
  * specified for the corresponding hash object.
  *
@@ -169,6 +178,7 @@ isc_hash_calc(const unsigned char *key, unsigned int keylen,
  * case_sensitive values.  It should typically be ISC_FALSE if the hash key
  * is a DNS name.
  */
+/*@}*/
 
 ISC_LANG_ENDDECLS
 
diff --git a/contrib/bind9/lib/isc/include/isc/heap.h b/contrib/bind9/lib/isc/include/isc/heap.h
index 7c7f3c2..d54a8d5 100644
--- a/contrib/bind9/lib/isc/include/isc/heap.h
+++ b/contrib/bind9/lib/isc/include/isc/heap.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.h,v 1.16.206.2 2006/04/17 18:27:20 explorer Exp $ */
+/* $Id: heap.h,v 1.17.18.3 2006/04/17 18:27:33 explorer Exp $ */
 
 #ifndef ISC_HEAP_H
 #define ISC_HEAP_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/hex.h b/contrib/bind9/lib/isc/include/isc/hex.h
index cf7dfd0..9124a9b 100644
--- a/contrib/bind9/lib/isc/include/isc/hex.h
+++ b/contrib/bind9/lib/isc/include/isc/hex.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hex.h,v 1.4.206.1 2004/03/06 08:14:41 marka Exp $ */
+/* $Id: hex.h,v 1.5.18.2 2005/04/29 00:16:55 marka Exp $ */
 
 #ifndef ISC_HEX_H
 #define ISC_HEX_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/types.h>
 
@@ -32,40 +34,40 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 isc_hex_totext(isc_region_t *source, int wordlength,
 	       const char *wordbreak, isc_buffer_t *target);
-/*
- * Convert data into hex encoded text.
+/*!<
+ * \brief Convert data into hex encoded text.
  *
  * Notes:
- *	The hex encoded text in 'target' will be divided into
+ *\li	The hex encoded text in 'target' will be divided into
  *	words of at most 'wordlength' characters, separated by
  * 	the 'wordbreak' string.  No parentheses will surround
  *	the text.
  *
  * Requires:
- *	'source' is a region containing binary data
- *	'target' is a text buffer containing available space
- *	'wordbreak' points to a null-terminated string of
+ *\li	'source' is a region containing binary data
+ *\li	'target' is a text buffer containing available space
+ *\li	'wordbreak' points to a null-terminated string of
  *		zero or more whitespace characters
  *
  * Ensures:
- *	target will contain the hex encoded version of the data
+ *\li	target will contain the hex encoded version of the data
  *	in source.  The 'used' pointer in target will be advanced as
  *	necessary.
  */
 
 isc_result_t
 isc_hex_decodestring(char *cstr, isc_buffer_t *target);
-/*
- * Decode a null-terminated hex string.
+/*!<
+ * \brief Decode a null-terminated hex string.
  *
  * Requires:
- *	'cstr' is non-null.
- *	'target' is a valid buffer.
+ *\li	'cstr' is non-null.
+ *\li	'target' is a valid buffer.
  *
  * Returns:
- *	ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
+ *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
  *			   fit in 'target'.
- *	ISC_R_BADHEX -- 'cstr' is not a valid hex encoding.
+ *\li	#ISC_R_BADHEX -- 'cstr' is not a valid hex encoding.
  *
  * 	Other error returns are any possible error code from:
  *		isc_lex_create(),
@@ -75,16 +77,16 @@ isc_hex_decodestring(char *cstr, isc_buffer_t *target);
 
 isc_result_t
 isc_hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
-/*
- * Convert hex encoded text from a lexer context into data.
+/*!<
+ * \brief Convert hex encoded text from a lexer context into data.
  *
  * Requires:
- *	'lex' is a valid lexer context
- *	'target' is a buffer containing binary data
- *	'length' is an integer
+ *\li	'lex' is a valid lexer context
+ *\li	'target' is a buffer containing binary data
+ *\li	'length' is an integer
  *
  * Ensures:
- *	target will contain the data represented by the hex encoded
+ *\li	target will contain the data represented by the hex encoded
  *	string parsed by the lexer.  No more than length bytes will be read,
  *	if length is positive.  The 'used' pointer in target will be
  *	advanced as necessary.
diff --git a/contrib/bind9/lib/isc/include/isc/hmacmd5.h b/contrib/bind9/lib/isc/include/isc/hmacmd5.h
index 6e8647f..5c05675 100644
--- a/contrib/bind9/lib/isc/include/isc/hmacmd5.h
+++ b/contrib/bind9/lib/isc/include/isc/hmacmd5.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacmd5.h,v 1.4.206.1 2004/03/06 08:14:42 marka Exp $ */
+/* $Id: hmacmd5.h,v 1.5.18.4 2006/01/27 23:57:45 marka Exp $ */
 
-/*
- * This is the header file for the HMAC-MD5 keyed hash algorithm
- * described in RFC 2104.
+/*! \file
+ * \brief This is the header file for the HMAC-MD5 keyed hash algorithm
+ * described in RFC2104.
  */
 
 #ifndef ISC_HMACMD5_H
@@ -55,6 +55,9 @@ isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest);
 isc_boolean_t
 isc_hmacmd5_verify(isc_hmacmd5_t *ctx, unsigned char *digest);
 
+isc_boolean_t
+isc_hmacmd5_verify2(isc_hmacmd5_t *ctx, unsigned char *digest, size_t len);
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_HMACMD5_H */
diff --git a/contrib/bind9/lib/isc/include/isc/hmacsha.h b/contrib/bind9/lib/isc/include/isc/hmacsha.h
new file mode 100644
index 0000000..fce645c5
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/hmacsha.h
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) 2005, 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: hmacsha.h,v 1.2.2.3 2006/08/16 03:18:14 marka Exp $ */
+
+/*
+ * This is the header file for the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
+ * HMAC-SHA334 and HMAC-SHA512 hash algorithm described in RFC 2104.
+ */
+
+#ifndef ISC_HMACSHA_H
+#define ISC_HMACSHA_H 1
+
+#include <isc/lang.h>
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+#include <isc/types.h>
+
+#define ISC_HMACSHA1_KEYLENGTH ISC_SHA1_BLOCK_LENGTH
+#define ISC_HMACSHA224_KEYLENGTH ISC_SHA224_BLOCK_LENGTH
+#define ISC_HMACSHA256_KEYLENGTH ISC_SHA256_BLOCK_LENGTH
+#define ISC_HMACSHA384_KEYLENGTH ISC_SHA384_BLOCK_LENGTH
+#define ISC_HMACSHA512_KEYLENGTH ISC_SHA512_BLOCK_LENGTH
+
+typedef struct {
+	isc_sha1_t sha1ctx;
+	unsigned char key[ISC_HMACSHA1_KEYLENGTH];
+} isc_hmacsha1_t;
+
+typedef struct {
+	isc_sha224_t sha224ctx;
+	unsigned char key[ISC_HMACSHA224_KEYLENGTH];
+} isc_hmacsha224_t;
+
+typedef struct {
+	isc_sha256_t sha256ctx;
+	unsigned char key[ISC_HMACSHA256_KEYLENGTH];
+} isc_hmacsha256_t;
+
+typedef struct {
+	isc_sha384_t sha384ctx;
+	unsigned char key[ISC_HMACSHA384_KEYLENGTH];
+} isc_hmacsha384_t;
+
+typedef struct {
+	isc_sha512_t sha512ctx;
+	unsigned char key[ISC_HMACSHA512_KEYLENGTH];
+} isc_hmacsha512_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
+		  unsigned int len);
+
+void
+isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx);
+
+void
+isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
+		    unsigned int len);
+
+void
+isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len);
+
+isc_boolean_t
+isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len);
+
+
+void
+isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
+		    unsigned int len);
+
+void
+isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx);
+
+void
+isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
+		      unsigned int len);
+
+void
+isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len);
+
+isc_boolean_t
+isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len);
+
+
+void
+isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
+		    unsigned int len);
+
+void
+isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx);
+
+void
+isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
+		      unsigned int len);
+
+void
+isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len);
+
+isc_boolean_t
+isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len);
+
+
+void
+isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
+		    unsigned int len);
+
+void
+isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx);
+
+void
+isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
+		      unsigned int len);
+
+void
+isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len);
+
+isc_boolean_t
+isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len);
+
+
+void
+isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
+		    unsigned int len);
+
+void
+isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx);
+
+void
+isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
+		      unsigned int len);
+
+void
+isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len);
+
+isc_boolean_t
+isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_HMACSHA_H */
diff --git a/contrib/bind9/lib/isc/include/isc/interfaceiter.h b/contrib/bind9/lib/isc/include/isc/interfaceiter.h
index 3a9b21b..12ec188 100644
--- a/contrib/bind9/lib/isc/include/isc/interfaceiter.h
+++ b/contrib/bind9/lib/isc/include/isc/interfaceiter.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfaceiter.h,v 1.10.206.1 2004/03/06 08:14:42 marka Exp $ */
+/* $Id: interfaceiter.h,v 1.11.18.2 2005/04/29 00:16:55 marka Exp $ */
 
 #ifndef ISC_INTERFACEITER_H
 #define ISC_INTERFACEITER_H 1
@@ -24,10 +24,8 @@
  ***** Module Info
  *****/
 
-/*
- * Interface iterator
- *
- * Iterate over the list of network interfaces.
+/*! \file
+ * \brief Iterates over the list of network interfaces.
  *
  * Interfaces whose address family is not supported are ignored and never
  * returned by the iterator.  Interfaces whose netmask, interface flags,
@@ -46,25 +44,26 @@
 #include <isc/netaddr.h>
 #include <isc/types.h>
 
-/*
- * Public structure describing a network interface.
+/*!
+ * \brief Public structure describing a network interface.
  */
 
 struct isc_interface {
-	char name[32];			/* Interface name, null-terminated. */
-	unsigned int af;		/* Address family. */
-	isc_netaddr_t address;		/* Local address. */
-	isc_netaddr_t netmask;		/* Network mask. */
-	isc_netaddr_t dstaddress; 	/* Destination address
-					   (point-to-point only). */
-	isc_uint32_t flags;		/* Flags; see below. */
+	char name[32];			/*%< Interface name, null-terminated. */
+	unsigned int af;		/*%< Address family. */
+	isc_netaddr_t address;		/*%< Local address. */
+	isc_netaddr_t netmask;		/*%< Network mask. */
+	isc_netaddr_t dstaddress; 	/*%< Destination address (point-to-point only). */
+	isc_uint32_t flags;		/*%< Flags; see INTERFACE flags. */
 };
 
-/* Interface flags. */
+/*@{*/
+/*! Interface flags. */
 
 #define INTERFACE_F_UP			0x00000001U
 #define INTERFACE_F_POINTTOPOINT	0x00000002U
 #define INTERFACE_F_LOOPBACK		0x00000004U
+/*@}*/
 
 /***
  *** Functions
@@ -74,59 +73,59 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp);
-/*
- * Create an iterator for traversing the operating system's list
+/*!<
+ * \brief Create an iterator for traversing the operating system's list
  * of network interfaces.
  *
  * Returns:
- *	ISC_R_SUCCESS
- * 	ISC_R_NOMEMORY
- *	Various network-related errors
+ *\li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *\li	Various network-related errors
  */
 
 isc_result_t
 isc_interfaceiter_first(isc_interfaceiter_t *iter);
-/*
- * Position the iterator on the first interface.
+/*!<
+ * \brief Position the iterator on the first interface.
  *
  * Returns:
- *	ISC_R_SUCCESS		Success.
- *	ISC_R_NOMORE		There are no interfaces.
+ *\li	#ISC_R_SUCCESS		Success.
+ *\li	#ISC_R_NOMORE		There are no interfaces.
  */
 
 isc_result_t
 isc_interfaceiter_current(isc_interfaceiter_t *iter,
 			  isc_interface_t *ifdata);
-/*
- * Get information about the interface the iterator is currently
+/*!<
+ * \brief Get information about the interface the iterator is currently
  * positioned at and store it at *ifdata.
  *
  * Requires:
- * 	The iterator has been successfully positioned using
+ *\li 	The iterator has been successfully positioned using
  * 	isc_interface_iter_first() / isc_interface_iter_next().
  *
  * Returns:
- *	ISC_R_SUCCESS		Success.
+ *\li	#ISC_R_SUCCESS		Success.
  */
 
 isc_result_t
 isc_interfaceiter_next(isc_interfaceiter_t *iter);
-/*
- * Position the iterator on the next interface.
+/*!<
+ * \brief Position the iterator on the next interface.
  *
  * Requires:
- * 	The iterator has been successfully positioned using
+ * \li	The iterator has been successfully positioned using
  * 	isc_interface_iter_first() / isc_interface_iter_next().
  *
  * Returns:
- *	ISC_R_SUCCESS		Success.
- *	ISC_R_NOMORE		There are no more interfaces.
+ *\li	#ISC_R_SUCCESS		Success.
+ *\li	#ISC_R_NOMORE		There are no more interfaces.
  */
 
 void
 isc_interfaceiter_destroy(isc_interfaceiter_t **iterp);
-/*
- * Destroy the iterator.
+/*!<
+ * \brief Destroy the iterator.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/isc/include/isc/ipv6.h b/contrib/bind9/lib/isc/include/isc/ipv6.h
index 8b4b0eb..7c88f2b 100644
--- a/contrib/bind9/lib/isc/include/isc/ipv6.h
+++ b/contrib/bind9/lib/isc/include/isc/ipv6.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.h,v 1.17.12.4 2004/03/09 05:21:09 marka Exp $ */
+/* $Id: ipv6.h,v 1.20.18.2 2005/04/29 00:16:56 marka Exp $ */
 
 #ifndef ISC_IPV6_H
 #define ISC_IPV6_H 1
 
-/*
+/*!
  * Also define LWRES_IPV6_H to keep it from being included if liblwres is
  * being used, or redefinition errors will occur.
  */
@@ -30,23 +30,23 @@
  ***** Module Info
  *****/
 
-/*
- * IPv6 definitions for systems which do not support IPv6.
+/*! \file isc/ipv6.h
+ * \brief IPv6 definitions for systems which do not support IPv6.
  *
- * MP:
+ * \li MP:
  *	No impact.
  *
- * Reliability:
+ * \li Reliability:
  *	No anticipated impact.
  *
- * Resources:
+ * \li Resources:
  *	N/A.
  *
- * Security:
+ * \li Security:
  *	No anticipated impact.
  *
- * Standards:
- *	RFC 2553.
+ * \li Standards:
+ *	RFC2553.
  */
 
 /***
@@ -95,7 +95,7 @@ struct sockaddr_in6 {
 #define SIN6_LEN 1
 #endif
 
-/*
+/*%
  * Unspecified
  */
 #define IN6_IS_ADDR_UNSPECIFIED(a)      \
@@ -104,7 +104,7 @@ struct sockaddr_in6 {
          ((a)->s6_addr32[2] == 0) &&    \
          ((a)->s6_addr32[3] == 0))
 
-/*
+/*%
  * Loopback
  */
 #define IN6_IS_ADDR_LOOPBACK(a)         \
@@ -113,7 +113,7 @@ struct sockaddr_in6 {
          ((a)->s6_addr32[2] == 0) &&    \
          ((a)->s6_addr32[3] == htonl(1)))
 
-/*
+/*%
  * IPv4 compatible
  */
 #define IN6_IS_ADDR_V4COMPAT(a)         \
@@ -123,7 +123,7 @@ struct sockaddr_in6 {
          ((a)->s6_addr32[3] != 0) &&    \
          ((a)->s6_addr32[3] != htonl(1)))
 
-/*
+/*%
  * Mapped
  */
 #define IN6_IS_ADDR_V4MAPPED(a)               \
@@ -131,13 +131,13 @@ struct sockaddr_in6 {
          ((a)->s6_addr32[1] == 0) &&          \
          ((a)->s6_addr32[2] == htonl(0x0000ffff)))
 
-/*
+/*%
  * Multicast
  */
 #define IN6_IS_ADDR_MULTICAST(a)	\
 	((a)->s6_addr8[0] == 0xffU)
 
-/*
+/*%
  * Unicast link / site local.
  */
 #define IN6_IS_ADDR_LINKLOCAL(a)	\
diff --git a/contrib/bind9/lib/isc/include/isc/lang.h b/contrib/bind9/lib/isc/include/isc/lang.h
index f94f123..abe16f5 100644
--- a/contrib/bind9/lib/isc/include/isc/lang.h
+++ b/contrib/bind9/lib/isc/include/isc/lang.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lang.h,v 1.6.206.1 2004/03/06 08:14:42 marka Exp $ */
+/* $Id: lang.h,v 1.7.18.2 2005/04/29 00:16:56 marka Exp $ */
 
 #ifndef ISC_LANG_H
 #define ISC_LANG_H 1
 
+/*! \file */
+
 #ifdef __cplusplus
 #define ISC_LANG_BEGINDECLS	extern "C" {
 #define ISC_LANG_ENDDECLS	}
diff --git a/contrib/bind9/lib/isc/include/isc/lex.h b/contrib/bind9/lib/isc/include/isc/lex.h
index 29bdb2f..8c6624a 100644
--- a/contrib/bind9/lib/isc/include/isc/lex.h
+++ b/contrib/bind9/lib/isc/include/isc/lex.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lex.h,v 1.26.2.2.8.3 2004/03/08 09:04:51 marka Exp $ */
+/* $Id: lex.h,v 1.30.18.3 2005/06/04 00:39:05 marka Exp $ */
 
 #ifndef ISC_LEX_H
 #define ISC_LEX_H 1
@@ -24,28 +24,26 @@
  ***** Module Info
  *****/
 
-/*
- * Lex
- *
- * The "lex" module provides a lightweight tokenizer.  It can operate
+/*! \file isc/lex.h
+ * \brief The "lex" module provides a lightweight tokenizer.  It can operate
  * on files or buffers, and can handle "include".  It is designed for
  * parsing of DNS master files and the BIND configuration file, but
  * should be general enough to tokenize other things, e.g. HTTP.
  *
- * MP:
+ * \li MP:
  *	No synchronization is provided.  Clients must ensure exclusive
  *	access.
  *
- * Reliability:
+ * \li Reliability:
  *	No anticipated impact.
  *
- * Resources:
- *	<TBS>
+ * \li Resources:
+ *	TBS
  *
- * Security:
+ * \li Security:
  *	No anticipated impact.
  *
- * Standards:
+ * \li Standards:
  * 	None.
  */
 
@@ -65,31 +63,36 @@ ISC_LANG_BEGINDECLS
  *** Options
  ***/
 
-/*
+/*@{*/
+/*!
  * Various options for isc_lex_gettoken().
  */
 
-#define ISC_LEXOPT_EOL			0x01	/* Want end-of-line token. */
-#define ISC_LEXOPT_EOF			0x02	/* Want end-of-file token. */
-#define ISC_LEXOPT_INITIALWS		0x04	/* Want initial whitespace. */
-#define ISC_LEXOPT_NUMBER		0x08	/* Recognize numbers. */
-#define ISC_LEXOPT_QSTRING		0x10	/* Recognize qstrings. */
+#define ISC_LEXOPT_EOL			0x01	/*%< Want end-of-line token. */
+#define ISC_LEXOPT_EOF			0x02	/*%< Want end-of-file token. */
+#define ISC_LEXOPT_INITIALWS		0x04	/*%< Want initial whitespace. */
+#define ISC_LEXOPT_NUMBER		0x08	/*%< Recognize numbers. */
+#define ISC_LEXOPT_QSTRING		0x10	/*%< Recognize qstrings. */
+/*@}*/
 
-/*
+/*@{*/
+/*!
  * The ISC_LEXOPT_DNSMULTILINE option handles the processing of '(' and ')' in
  * the DNS master file format.  If this option is set, then the
  * ISC_LEXOPT_INITIALWS and ISC_LEXOPT_EOL options will be ignored when
  * the paren count is > 0.  To use this option, '(' and ')' must be special
  * characters.
  */
-#define ISC_LEXOPT_DNSMULTILINE		0x20	/* Handle '(' and ')'. */
-#define ISC_LEXOPT_NOMORE		0x40	/* Want "no more" token. */
-
-#define ISC_LEXOPT_CNUMBER		0x80    /* Regognise octal and hex */
-#define ISC_LEXOPT_ESCAPE		0x100	/* Recognize escapes. */
-#define ISC_LEXOPT_QSTRINGMULTILINE	0x200	/* Allow multiline "" strings */
-
-/*
+#define ISC_LEXOPT_DNSMULTILINE		0x20	/*%< Handle '(' and ')'. */
+#define ISC_LEXOPT_NOMORE		0x40	/*%< Want "no more" token. */
+
+#define ISC_LEXOPT_CNUMBER		0x80    /*%< Regognize octal and hex. */
+#define ISC_LEXOPT_ESCAPE		0x100	/*%< Recognize escapes. */
+#define ISC_LEXOPT_QSTRINGMULTILINE	0x200	/*%< Allow multiline "" strings */
+#define ISC_LEXOPT_OCTAL		0x400	/*%< Expect a octal number. */
+/*@}*/
+/*@{*/
+/*!
  * Various commenting styles, which may be changed at any time with
  * isc_lex_setcomments().
  */
@@ -98,12 +101,13 @@ ISC_LANG_BEGINDECLS
 #define ISC_LEXCOMMENT_CPLUSPLUS	0x02
 #define ISC_LEXCOMMENT_SHELL		0x04
 #define ISC_LEXCOMMENT_DNSMASTERFILE	0x08
+/*@}*/
 
 /***
  *** Types
  ***/
 
-/* Lex */
+/*! Lex */
 
 typedef char isc_lexspecials_t[256];
 
@@ -140,268 +144,285 @@ typedef struct isc_token {
 
 isc_result_t
 isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp);
-/*
+/*%<
  * Create a lexer.
  *
  * 'max_token' is a hint of the number of bytes in the largest token.
  *
  * Requires:
- *	'*lexp' is a valid lexer.
+ *\li	'*lexp' is a valid lexer.
  *
- *	max_token > 0.
+ *\li	max_token > 0.
  *
  * Ensures:
- *	On success, *lexp is attached to the newly created lexer.
+ *\li	On success, *lexp is attached to the newly created lexer.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
  */
 
 void
 isc_lex_destroy(isc_lex_t **lexp);
-/*
+/*%<
  * Destroy the lexer.
  *
  * Requires:
- *	'*lexp' is a valid lexer.
+ *\li	'*lexp' is a valid lexer.
  *
  * Ensures:
- *	*lexp == NULL
+ *\li	*lexp == NULL
  */
 
 unsigned int
 isc_lex_getcomments(isc_lex_t *lex);
-/*
+/*%<
  * Return the current lexer commenting styles.
  *
  * Requires:
- *	'lex' is a valid lexer.
+ *\li	'lex' is a valid lexer.
  *
  * Returns:
- *	The commenting sytles which are currently allowed.
+ *\li	The commenting sytles which are currently allowed.
  */
 
 void
 isc_lex_setcomments(isc_lex_t *lex, unsigned int comments);
-/*
+/*%<
  * Set allowed lexer commenting styles.
  *
  * Requires:
- *	'lex' is a valid lexer.
+ *\li	'lex' is a valid lexer.
  *
- *	'comments' has meaningful values.
+ *\li	'comments' has meaningful values.
  */
 
 void
 isc_lex_getspecials(isc_lex_t *lex, isc_lexspecials_t specials);
-/*
+/*%<
  * Put the current list of specials into 'specials'.
  *
  * Requires:
- *	'lex' is a valid lexer.
+ *\li	'lex' is a valid lexer.
  */
 
 void
 isc_lex_setspecials(isc_lex_t *lex, isc_lexspecials_t specials);
-/*
+/*!<
  * The characters in 'specials' are returned as tokens.  Along with
  * whitespace, they delimit strings and numbers.
  *
  * Note:
- *	Comment processing takes precedence over special character
+ *\li	Comment processing takes precedence over special character
  *	recognition.
  *
  * Requires:
- *	'lex' is a valid lexer.
+ *\li	'lex' is a valid lexer.
  */
 
 isc_result_t
 isc_lex_openfile(isc_lex_t *lex, const char *filename);
-/*
+/*%<
  * Open 'filename' and make it the current input source for 'lex'.
  *
  * Requires:
- *	'lex' is a valid lexer.
+ *\li	'lex' is a valid lexer.
  *
- *	filename is a valid C string.
+ *\li	filename is a valid C string.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY			Out of memory
- *	ISC_R_NOTFOUND			File not found
- *	ISC_R_NOPERM			No permission to open file
- *	ISC_R_FAILURE			Couldn't open file, not sure why
- *	ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY			Out of memory
+ *\li	#ISC_R_NOTFOUND			File not found
+ *\li	#ISC_R_NOPERM			No permission to open file
+ *\li	#ISC_R_FAILURE			Couldn't open file, not sure why
+ *\li	#ISC_R_UNEXPECTED
  */
 
 isc_result_t
 isc_lex_openstream(isc_lex_t *lex, FILE *stream);
-/*
+/*%<
  * Make 'stream' the current input source for 'lex'.
  *
  * Requires:
- *	'lex' is a valid lexer.
+ *\li	'lex' is a valid lexer.
  *
- *	'stream' is a valid C stream.
+ *\li	'stream' is a valid C stream.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY			Out of memory
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY			Out of memory
  */
 
 isc_result_t
 isc_lex_openbuffer(isc_lex_t *lex, isc_buffer_t *buffer);
-/*
+/*%<
  * Make 'buffer' the current input source for 'lex'.
  *
  * Requires:
- *	'lex' is a valid lexer.
+ *\li	'lex' is a valid lexer.
  *
- *	'buffer' is a valid buffer.
+ *\li	'buffer' is a valid buffer.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY			Out of memory
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY			Out of memory
  */
 
 isc_result_t
 isc_lex_close(isc_lex_t *lex);
-/*
+/*%<
  * Close the most recently opened object (i.e. file or buffer).
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMORE			No more input sources
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			No more input sources
  */
 
 isc_result_t
 isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp);
-/*
+/*%<
  * Get the next token.
  *
  * Requires:
- *	'lex' is a valid lexer.
+ *\li	'lex' is a valid lexer.
  *
- *	'lex' has an input source.
+ *\li	'lex' has an input source.
  *
- *	'options' contains valid options.
+ *\li	'options' contains valid options.
  *
- *	'*tokenp' is a valid pointer.
+ *\li	'*tokenp' is a valid pointer.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_UNEXPECTEDEND
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_UNEXPECTEDEND
+ *\li	#ISC_R_NOMEMORY
  *
  *	These two results are returned only if their corresponding lexer
  *	options are not set.
  *
- *	ISC_R_EOF			End of input source
- *	ISC_R_NOMORE			No more input sources
+ *\li	#ISC_R_EOF			End of input source
+ *\li	#ISC_R_NOMORE			No more input sources
  */
 
 isc_result_t
 isc_lex_getmastertoken(isc_lex_t *lex, isc_token_t *token,
 		       isc_tokentype_t expect, isc_boolean_t eol);
-/*
+/*%<
  * Get the next token from a DNS master file type stream.  This is a
  * convenience function that sets appropriate options and handles quoted
  * strings and end of line correctly for master files.  It also ungets
  * unexpected tokens.
  *
  * Requires:
- *	'lex' is a valid lexer.
+ *\li	'lex' is a valid lexer.
  *
- *	'token' is a valid pointer
+ *\li	'token' is a valid pointer
  *
  * Returns:
  *
- * 	any return code from isc_lex_gettoken.
+ * \li	any return code from isc_lex_gettoken().
+ */
+
+isc_result_t
+isc_lex_getoctaltoken(isc_lex_t *lex, isc_token_t *token, isc_boolean_t eol);
+/*%<
+ * Get the next token from a DNS master file type stream.  This is a
+ * convenience function that sets appropriate options and handles end
+ * of line correctly for master files.  It also ungets unexpected tokens.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'token' is a valid pointer
+ *
+ * Returns:
+ *
+ * \li	any return code from isc_lex_gettoken().
  */
 
 void
 isc_lex_ungettoken(isc_lex_t *lex, isc_token_t *tokenp);
-/*
+/*%<
  * Unget the current token.
  *
  * Requires:
- *	'lex' is a valid lexer.
+ *\li	'lex' is a valid lexer.
  *
- *	'lex' has an input source.
+ *\li	'lex' has an input source.
  *
- *	'tokenp' points to a valid token.
+ *\li	'tokenp' points to a valid token.
  *
- *	There is no ungotten token already.
+ *\li	There is no ungotten token already.
  */
 
 void
 isc_lex_getlasttokentext(isc_lex_t *lex, isc_token_t *tokenp, isc_region_t *r);
-/*
+/*%<
  * Returns a region containing the text of the last token returned.
  *
  * Requires:
- *	'lex' is a valid lexer.
+ *\li	'lex' is a valid lexer.
  *
- *	'lex' has an input source.
+ *\li	'lex' has an input source.
  *
- *	'tokenp' points to a valid token.
+ *\li	'tokenp' points to a valid token.
  *
- *	A token has been gotten and not ungotten.
+ *\li	A token has been gotten and not ungotten.
  */
 
 char *
 isc_lex_getsourcename(isc_lex_t *lex);
-/*
+/*%<
  * Return the input source name.
  *
  * Requires:
- *	'lex' is a valid lexer.
+ *\li	'lex' is a valid lexer.
  *
  * Returns:
- * 	source name or NULL if no current source.
- *	result valid while current input source exists.
+ * \li	source name or NULL if no current source.
+ *\li	result valid while current input source exists.
  */
 
 
 unsigned long
 isc_lex_getsourceline(isc_lex_t *lex);
-/*
+/*%<
  * Return the input source line number.
  *
  * Requires:
- *	'lex' is a valid lexer.
+ *\li	'lex' is a valid lexer.
  *
  * Returns:
- * 	Current line number or 0 if no current source.
+ *\li 	Current line number or 0 if no current source.
  */
 
 isc_result_t
 isc_lex_setsourcename(isc_lex_t *lex, const char *name);
-/*
+/*%<
  * Assigns a new name to the input source.
  *
  * Requires:
  *
- * 	'lex' is a valid lexer.
+ * \li	'lex' is a valid lexer.
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	ISC_R_NOMEMORY
- * 	ISC_R_NOTFOUND - there are no sources.
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ * \li	#ISC_R_NOTFOUND - there are no sources.
  */
 
 isc_boolean_t
 isc_lex_isfile(isc_lex_t *lex);
-/*
+/*%<
  * Return whether the current input source is a file.
  *
  * Requires:
- *	'lex' is a valid lexer.
+ *\li	'lex' is a valid lexer.
  *
  * Returns:
- * 	ISC_TRUE if the current input is a file,
- *	ISC_FALSE otherwise.
+ * \li	#ISC_TRUE if the current input is a file,
+ *\li	#ISC_FALSE otherwise.
  */
 
 
diff --git a/contrib/bind9/lib/isc/include/isc/lfsr.h b/contrib/bind9/lib/isc/include/isc/lfsr.h
index e562380..0c2e845 100644
--- a/contrib/bind9/lib/isc/include/isc/lfsr.h
+++ b/contrib/bind9/lib/isc/include/isc/lfsr.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,17 +15,19 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lfsr.h,v 1.10.206.1 2004/03/06 08:14:43 marka Exp $ */
+/* $Id: lfsr.h,v 1.11.18.2 2005/04/29 00:16:56 marka Exp $ */
 
 #ifndef ISC_LFSR_H
 #define ISC_LFSR_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/types.h>
 
 typedef struct isc_lfsr isc_lfsr_t;
 
-/*
+/*%
  * This function is called when reseeding is needed.  It is allowed to
  * modify any state in the LFSR in any way it sees fit OTHER THAN "bits".
  *
@@ -36,96 +38,91 @@ typedef struct isc_lfsr isc_lfsr_t;
  */
 typedef void (*isc_lfsrreseed_t)(isc_lfsr_t *, void *);
 
-/*
+/*%
  * The members of this structure can be used by the application, but care
  * needs to be taken to not change state once the lfsr is in operation.
  */
 struct isc_lfsr {
-	isc_uint32_t		state;	/* previous state */
-	unsigned int		bits;	/* length */
-	isc_uint32_t		tap;	/* bit taps */
-	unsigned int		count;	/* reseed count (in BITS!) */
-	isc_lfsrreseed_t	reseed;	/* reseed function */
-	void		       *arg;	/* reseed function argument */
+	isc_uint32_t		state;	/*%< previous state */
+	unsigned int		bits;	/*%< length */
+	isc_uint32_t		tap;	/*%< bit taps */
+	unsigned int		count;	/*%< reseed count (in BITS!) */
+	isc_lfsrreseed_t	reseed;	/*%< reseed function */
+	void		       *arg;	/*%< reseed function argument */
 };
 
 ISC_LANG_BEGINDECLS
 
-/*
- * In all these functions it is important that the caller only use as many
- * bits as the LFSR has state.  Also, it isn't guaranteed that an LFSR of
- * bit length 32 will have 2^32 unique states before repeating.
- */
 
 void 
 isc_lfsr_init(isc_lfsr_t *lfsr, isc_uint32_t state, unsigned int bits,
 		   isc_uint32_t tap, unsigned int count,
 		   isc_lfsrreseed_t reseed, void *arg);
-/*
+/*%<
  * Initialize an LFSR.
  *
  * Note:
  *
- *	Putting untrusted values into this function will cause the LFSR to
+ *\li	Putting untrusted values into this function will cause the LFSR to
  *	generate (perhaps) non-maximal length sequences.
  *
  * Requires:
  *
- *	lfsr != NULL
+ *\li	lfsr != NULL
  *
- *	8 <= bits <= 32
+ *\li	8 <= bits <= 32
  *
- *	tap != 0
+ *\li	tap != 0
  */
 
 void 
 isc_lfsr_generate(isc_lfsr_t *lfsr, void *data, unsigned int count);
-/*
+/*%<
  * Returns "count" bytes of data from the LFSR.
  *
  * Requires:
  *
- *	lfsr be valid.
+ *\li	lfsr be valid.
  *
- *	data != NULL.
+ *\li	data != NULL.
  *
- *	count > 0.
+ *\li	count > 0.
  */
 
 void 
 isc_lfsr_skip(isc_lfsr_t *lfsr, unsigned int skip);
-/*
+/*%<
  * Skip "skip" states.
  *
  * Requires:
  *
- *	lfsr be valid.
+ *\li	lfsr be valid.
  */
 
 isc_uint32_t 
 isc_lfsr_generate32(isc_lfsr_t *lfsr1, isc_lfsr_t *lfsr2);
-/*
+/*%<
  * Given two LFSRs, use the current state from each to skip entries in the
  * other.  The next states are then xor'd together and returned.
  *
  * WARNING:
  *
- *	This function is used only for very, very low security data, such
+ *\li	This function is used only for very, very low security data, such
  *	as DNS message IDs where it is desired to have an unpredictable
  *	stream of bytes that are harder to predict than a simple flooding
  *	attack.
  *
  * Notes:
  *
- *	Since the current state from each of the LFSRs is used to skip
+ *\li	Since the current state from each of the LFSRs is used to skip
  *	state in the other, it is important that no state be leaked
  *	from either LFSR.
  *
  * Requires:
  *
- *	lfsr1 and lfsr2 be valid.
+ *\li	lfsr1 and lfsr2 be valid.
  *
- *	1 <= skipbits <= 31
+ *\li	1 <= skipbits <= 31
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/isc/include/isc/lib.h b/contrib/bind9/lib/isc/include/isc/lib.h
index 1ad4493..45c547c 100644
--- a/contrib/bind9/lib/isc/include/isc/lib.h
+++ b/contrib/bind9/lib/isc/include/isc/lib.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.6.12.3 2004/03/08 09:04:51 marka Exp $ */
+/* $Id: lib.h,v 1.8.18.2 2005/04/29 00:16:58 marka Exp $ */
 
 #ifndef ISC_LIB_H
 #define ISC_LIB_H 1
 
+/*! \file */
+
 #include <isc/types.h>
 #include <isc/lang.h>
 
@@ -29,8 +31,8 @@ LIBISC_EXTERNAL_DATA extern isc_msgcat_t *isc_msgcat;
 
 void
 isc_lib_initmsgcat(void);
-/*
- * Initialize the ISC library's message catalog, isc_msgcat, if it
+/*!<
+ * \brief Initialize the ISC library's message catalog, isc_msgcat, if it
  * has not already been initialized.
  */
 
diff --git a/contrib/bind9/lib/isc/include/isc/list.h b/contrib/bind9/lib/isc/include/isc/list.h
index 5fe82e3..2adc33f 100644
--- a/contrib/bind9/lib/isc/include/isc/list.h
+++ b/contrib/bind9/lib/isc/include/isc/list.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: list.h,v 1.18.2.2.8.3 2006/06/06 00:11:40 marka Exp $ */
+/* $Id: list.h,v 1.20.18.2 2006/06/06 00:11:41 marka Exp $ */
 
 #ifndef ISC_LIST_H
 #define ISC_LIST_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/log.h b/contrib/bind9/lib/isc/include/isc/log.h
index 97aeba0..c381775 100644
--- a/contrib/bind9/lib/isc/include/isc/log.h
+++ b/contrib/bind9/lib/isc/include/isc/log.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.39.2.4.2.7 2004/04/10 04:31:40 marka Exp $ */
+/* $Id: log.h,v 1.47.18.3 2005/04/29 00:16:58 marka Exp $ */
 
 #ifndef ISC_LOG_H
 #define ISC_LOG_H 1
 
+/*! \file */
+
 #include <stdio.h>
 #include <stdarg.h>
 #include <syslog.h> /* XXXDCL NT */
@@ -29,29 +31,36 @@
 #include <isc/platform.h>
 #include <isc/types.h>
 
-/*
- * Severity levels, patterned after Unix's syslog levels.
+/*@{*/
+/*!
+ * \brief Severity levels, patterned after Unix's syslog levels.
  *
- * ISC_LOG_DYNAMIC can only be used for defining channels with
- * isc_log_createchannel(), not to specify a level in isc_log_write().
  */
 #define ISC_LOG_DEBUG(level)	(level)
+/*!
+ * #ISC_LOG_DYNAMIC can only be used for defining channels with
+ * isc_log_createchannel(), not to specify a level in isc_log_write().
+ */
 #define ISC_LOG_DYNAMIC	  	  0
 #define ISC_LOG_INFO		(-1)
 #define ISC_LOG_NOTICE		(-2)
 #define ISC_LOG_WARNING 	(-3)
 #define ISC_LOG_ERROR		(-4)
 #define ISC_LOG_CRITICAL	(-5)
+/*@}*/
 
-/*
- * Destinations.
+/*@{*/
+/*!
+ * \brief Destinations.
  */
 #define ISC_LOG_TONULL		1
 #define ISC_LOG_TOSYSLOG	2
 #define ISC_LOG_TOFILE		3
 #define ISC_LOG_TOFILEDESC	4
+/*@}*/
 
-/*
+/*@{*/
+/*%
  * Channel flags.
  */
 #define ISC_LOG_PRINTTIME	0x0001
@@ -62,18 +71,24 @@
 #define ISC_LOG_PRINTALL	0x001F
 #define ISC_LOG_DEBUGONLY	0x1000
 #define ISC_LOG_OPENERR		0x8000		/* internal */
+/*@}*/
 
-/*
- * Other options.
+/*@{*/
+/*!
+ * \brief Other options.
+ *
  * XXXDCL INFINITE doesn't yet work.  Arguably it isn't needed, but
  *   since I am intend to make large number of versions work efficiently,
  *   INFINITE is going to be trivial to add to that.
  */
 #define ISC_LOG_ROLLINFINITE	(-1)
 #define ISC_LOG_ROLLNEVER	(-2)
+/*@}*/
 
-/*
- * Used to name the categories used by a library.  An array of isc_logcategory
+/*!
+ * \brief Used to name the categories used by a library.  
+ *
+ * An array of isc_logcategory
  * structures names each category, and the id value is initialized by calling
  * isc_log_registercategories.
  */
@@ -82,28 +97,30 @@ struct isc_logcategory {
 	unsigned int id;
 };
 
-/*
- * Similar to isc_logcategory above, but for all the modules a library defines.
+/*%
+ * Similar to isc_logcategory, but for all the modules a library defines.
  */
 struct isc_logmodule {
 	const char *name;
 	unsigned int id;
 };
 
-/*
+/*%
  * The isc_logfile structure is initialized as part of an isc_logdestination
- * before calling isc_log_createchannel().  When defining an ISC_LOG_TOFILE
+ * before calling isc_log_createchannel().  
+ *
+ * When defining an #ISC_LOG_TOFILE
  * channel the name, versions and maximum_size should be set before calling
- * isc_log_createchannel().  To define an ISC_LOG_TOFILEDESC channel set only
+ * isc_log_createchannel().  To define an #ISC_LOG_TOFILEDESC channel set only
  * the stream before the call.
  * 
  * Setting maximum_size to zero implies no maximum.
  */
 typedef struct isc_logfile {
-	FILE *stream;		/* Initialized to NULL for ISC_LOG_TOFILE. */
-	const char *name;	/* NULL for ISC_LOG_TOFILEDESC. */
-	int versions;	/* >= 0, ISC_LOG_ROLLNEVER, ISC_LOG_ROLLINFINITE. */
-	/*
+	FILE *stream;		/*%< Initialized to NULL for #ISC_LOG_TOFILE. */
+	const char *name;	/*%< NULL for #ISC_LOG_TOFILEDESC. */
+	int versions;	/* >= 0, #ISC_LOG_ROLLNEVER, #ISC_LOG_ROLLINFINITE. */
+	/*%
 	 * stdio's ftell is standardized to return a long, which may well not
 	 * be big enough for the largest file supportable by the operating
 	 * system (though it is _probably_ big enough for the largest log
@@ -111,10 +128,10 @@ typedef struct isc_logfile {
 	 * to a size large enough for the largest possible file on a system.
 	 */
 	isc_offset_t maximum_size;
-	isc_boolean_t maximum_reached; /* Private. */
+	isc_boolean_t maximum_reached; /*%< Private. */
 } isc_logfile_t;
 
-/*
+/*%
  * Passed to isc_log_createchannel to define the attributes of either
  * a stdio or a syslog log.
  */
@@ -123,7 +140,8 @@ typedef union isc_logdestination {
 	int facility;		/* XXXDCL NT */
 } isc_logdestination_t;
 
-/*
+/*@{*/
+/*%
  * The built-in categories of libisc.
  *
  * Each library registering categories should provide library_LOGCATEGORY_name
@@ -133,13 +151,16 @@ typedef union isc_logdestination {
 LIBISC_EXTERNAL_DATA extern isc_logcategory_t isc_categories[];
 LIBISC_EXTERNAL_DATA extern isc_log_t *isc_lctx;
 LIBISC_EXTERNAL_DATA extern isc_logmodule_t isc_modules[];
+/*@}*/
 
-/*
+/*@{*/
+/*%
  * Do not log directly to DEFAULT.  Use another category.  When in doubt,
  * use GENERAL.
  */
 #define ISC_LOGCATEGORY_DEFAULT	(&isc_categories[0])
 #define ISC_LOGCATEGORY_GENERAL	(&isc_categories[1])
+/*@}*/
 
 #define ISC_LOGMODULE_SOCKET (&isc_modules[0])
 #define ISC_LOGMODULE_TIME (&isc_modules[1])
@@ -150,33 +171,33 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 isc_log_create(isc_mem_t *mctx, isc_log_t **lctxp, isc_logconfig_t **lcfgp);
-/*
+/*%<
  * Establish a new logging context, with default channels.
  *
  * Notes:
- *	isc_log_create calls isc_logconfig_create, so see its comment
+ *\li	isc_log_create() calls isc_logconfig_create(), so see its comment
  *	below for more information.
  *
  * Requires:
- *	mctx is a valid memory context.
- *	lctxp is not null and *lctxp is null.
- *	lcfgp is null or lcfgp is not null and *lcfgp is null.
+ *\li	mctx is a valid memory context.
+ *\li	lctxp is not null and *lctxp is null.
+ *\li	lcfgp is null or lcfgp is not null and *lcfgp is null.
  *
  * Ensures:
- *	*lctxp will point to a valid logging context if all of the necessary
+ *\li	*lctxp will point to a valid logging context if all of the necessary
  *	memory was allocated, or NULL otherwise.
- *	*lcfgp will point to a valid logging configuration if all of the
+ *\li	*lcfgp will point to a valid logging configuration if all of the
  *	necessary memory was allocated, or NULL otherwise.
- *	On failure, no additional memory is allocated.
+ *\li	On failure, no additional memory is allocated.
  *
  * Returns:
- *	ISC_R_SUCCESS		Success
- *	ISC_R_NOMEMORY		Resource limit: Out of memory
+ *\li	#ISC_R_SUCCESS		Success
+ *\li	#ISC_R_NOMEMORY		Resource limit: Out of memory
  */
 
 isc_result_t
 isc_logconfig_create(isc_log_t *lctx, isc_logconfig_t **lcfgp);
-/*
+/*%<
  * Create the data structure that holds all of the configurable information
  * about where messages are actually supposed to be sent -- the information
  * that could changed based on some configuration file, as opposed to the
@@ -184,190 +205,192 @@ isc_logconfig_create(isc_log_t *lctx, isc_logconfig_t **lcfgp);
  * into a program, or the debug_level which is dynamic state information.
  *
  * Notes:
- *	It is necessary to specify the logging context the configuration
+ *\li	It is necessary to specify the logging context the configuration
  * 	will be used with because the number of categories and modules
  *	needs to be known in order to set the configuration.  However,
  *	the configuration is not used by the logging context until the
  *	isc_logconfig_use function is called.
  *
- *	The memory context used for operations that allocate memory for
+ *\li	The memory context used for operations that allocate memory for
  *	the configuration is that of the logging context, as specified
  *	in the isc_log_create call.
  *
- *	Four default channels are established:
+ *\li	Four default channels are established:
+ *\verbatim
  *	    	default_syslog
- *		 - log to syslog's daemon facility ISC_LOG_INFO or higher
+ *		 - log to syslog's daemon facility #ISC_LOG_INFO or higher
  *		default_stderr
- *		 - log to stderr ISC_LOG_INFO or higher
+ *		 - log to stderr #ISC_LOG_INFO or higher
  *		default_debug
- *		 - log to stderr ISC_LOG_DEBUG dynamically
+ *		 - log to stderr #ISC_LOG_DEBUG dynamically
  *		null
  *		 - log nothing
+ *\endverbatim
  *
  * Requires:
- * 	lctx is a valid logging context.
- *	lcftp is not null and *lcfgp is null.
+ *\li 	lctx is a valid logging context.
+ *\li	lcftp is not null and *lcfgp is null.
  *
  * Ensures:
- *	*lcfgp will point to a valid logging context if all of the necessary
+ *\li	*lcfgp will point to a valid logging context if all of the necessary
  *	memory was allocated, or NULL otherwise.
- *	On failure, no additional memory is allocated.
+ *\li	On failure, no additional memory is allocated.
  *
  * Returns:
- *	ISC_R_SUCCESS		Success
- *	ISC_R_NOMEMORY		Resource limit: Out of memory
+ *\li	#ISC_R_SUCCESS		Success
+ *\li	#ISC_R_NOMEMORY		Resource limit: Out of memory
  */
 
 isc_logconfig_t *
 isc_logconfig_get(isc_log_t *lctx);
-/*
+/*%<
  * Returns a pointer to the configuration currently in use by the log context.
  *
  * Requires:
- *	lctx is a valid context.
+ *\li	lctx is a valid context.
  *
  * Ensures:
- *	The configuration pointer is non-null.
+ *\li	The configuration pointer is non-null.
  *
  * Returns:
- *	The configuration pointer.
+ *\li	The configuration pointer.
  */
 
 isc_result_t
 isc_logconfig_use(isc_log_t *lctx, isc_logconfig_t *lcfg);
-/*
+/*%<
  * Associate a new configuration with a logging context.
  *
  * Notes:
- *	This is thread safe.  The logging context will lock a mutex
+ *\li	This is thread safe.  The logging context will lock a mutex
  *	before attempting to swap in the new configuration, and isc_log_doit
  *	(the internal function used by all of isc_log_[v]write[1]) locks
  *	the same lock for the duration of its use of the configuration.
  *
  * Requires:
- *	lctx is a valid logging context.
- *	lcfg is a valid logging configuration.
- *	lctx is the same configuration given to isc_logconfig_create
+ *\li	lctx is a valid logging context.
+ *\li	lcfg is a valid logging configuration.
+ *\li	lctx is the same configuration given to isc_logconfig_create
  *		when the configuration was created.
  *
  * Ensures:
- *	Future calls to isc_log_write will use the new configuration.
+ *\li	Future calls to isc_log_write will use the new configuration.
  *
  * Returns:
- *	ISC_R_SUCCESS		Success
- *	ISC_R_NOMEMORY		Resource limit: Out of memory
+ *\li	#ISC_R_SUCCESS		Success
+ *\li	#ISC_R_NOMEMORY		Resource limit: Out of memory
  */
 
 void
 isc_log_destroy(isc_log_t **lctxp);
-/*
+/*%<
  * Deallocate the memory associated with a logging context.
  *
  * Requires:
- *	*lctx is a valid logging context.
+ *\li	*lctx is a valid logging context.
  *
  * Ensures:
- *	All of the memory associated with the logging context is returned
+ *\li	All of the memory associated with the logging context is returned
  *	to the free memory pool.
  *
- *	Any open files are closed.
+ *\li	Any open files are closed.
  *
- *	The logging context is marked as invalid.
+ *\li	The logging context is marked as invalid.
  */
 
 void
 isc_logconfig_destroy(isc_logconfig_t **lcfgp);
-/*
+/*%<
  * Destroy a logging configuration.
  *
  * Notes:
- *	This function cannot be used directly with the return value of
+ *\li	This function cannot be used directly with the return value of
  *	isc_logconfig_get, because a logging context must always have
  *	a valid configuration associated with it.
  *
  * Requires:
- *	lcfgp is not null and *lcfgp is a valid logging configuration.
- *	The logging configuration is not in use by an existing logging context.
+ *\li	lcfgp is not null and *lcfgp is a valid logging configuration.
+ *\li	The logging configuration is not in use by an existing logging context.
  *
  * Ensures:
- *	All memory allocated for the configuration is freed.
+ *\li	All memory allocated for the configuration is freed.
  *
- *	The configuration is marked as invalid.
+ *\li	The configuration is marked as invalid.
  */
 
 void
 isc_log_registercategories(isc_log_t *lctx, isc_logcategory_t categories[]);
-/*
+/*%<
  * Identify logging categories a library will use.
  *
  * Notes:
- *	A category should only be registered once, but no mechanism enforces
+ *\li	A category should only be registered once, but no mechanism enforces
  *	this rule.
  *
- *	The end of the categories array is identified by a NULL name.
+ *\li	The end of the categories array is identified by a NULL name.
  *
- *	Because the name is used by ISC_LOG_PRINTCATEGORY, it should not
+ *\li	Because the name is used by #ISC_LOG_PRINTCATEGORY, it should not
  *	be altered or destroyed after isc_log_registercategories().
  *
- *	Because each element of the categories array is used by
+ *\li	Because each element of the categories array is used by
  *	isc_log_categorybyname, it should not be altered or destroyed
  *	after registration.
  *
- *	The value of the id integer in each structure is overwritten
+ *\li	The value of the id integer in each structure is overwritten
  *	by this function, and so id need not be initialized to any particular
  *	value prior to the function call.
  *
- *	A subsequent call to isc_log_registercategories with the same
+ *\li	A subsequent call to isc_log_registercategories with the same
  *	logging context (but new categories) will cause the last
  *	element of the categories array from the prior call to have
  *	its "name" member changed from NULL to point to the new
  *	categories array, and its "id" member set to UINT_MAX.
  *
  * Requires:
- *	lctx is a valid logging context.
- *	categories != NULL.
- *	categories[0].name != NULL.
+ *\li	lctx is a valid logging context.
+ *\li	categories != NULL.
+ *\li	categories[0].name != NULL.
  *
  * Ensures:
- * 	There are references to each category in the logging context,
+ * \li	There are references to each category in the logging context,
  * 	so they can be used with isc_log_usechannel() and isc_log_write().
  */
 
 void
 isc_log_registermodules(isc_log_t *lctx, isc_logmodule_t modules[]);
-/*
+/*%<
  * Identify logging categories a library will use.
  *
  * Notes:
- *	A module should only be registered once, but no mechanism enforces
+ *\li	A module should only be registered once, but no mechanism enforces
  *	this rule.
  *
- *	The end of the modules array is identified by a NULL name.
+ *\li	The end of the modules array is identified by a NULL name.
  *
- *	Because the name is used by ISC_LOG_PRINTMODULE, it should not
+ *\li	Because the name is used by #ISC_LOG_PRINTMODULE, it should not
  *	be altered or destroyed after isc_log_registermodules().
  *
- *	Because each element of the modules array is used by
+ *\li	Because each element of the modules array is used by
  *	isc_log_modulebyname, it should not be altered or destroyed
  *	after registration.
  *
- *	The value of the id integer in each structure is overwritten
+ *\li	The value of the id integer in each structure is overwritten
  *	by this function, and so id need not be initialized to any particular
  *	value prior to the function call.
  *
- *	A subsequent call to isc_log_registermodules with the same
+ *\li	A subsequent call to isc_log_registermodules with the same
  *	logging context (but new modules) will cause the last
  *	element of the modules array from the prior call to have
  *	its "name" member changed from NULL to point to the new
  *	modules array, and its "id" member set to UINT_MAX.
  *
  * Requires:
- *	lctx is a valid logging context.
- *	modules != NULL.
- *	modules[0].name != NULL;
+ *\li	lctx is a valid logging context.
+ *\li	modules != NULL.
+ *\li	modules[0].name != NULL;
  *
  * Ensures:
- *	Each module has a reference in the logging context, so they can be
+ *\li	Each module has a reference in the logging context, so they can be
  *	used with isc_log_usechannel() and isc_log_write().
  */
 
@@ -376,68 +399,67 @@ isc_log_createchannel(isc_logconfig_t *lcfg, const char *name,
 		      unsigned int type, int level,
 		      const isc_logdestination_t *destination,
 		      unsigned int flags);
-/*
+/*%<
  * Specify the parameters of a logging channel.
  *
  * Notes:
- *	The name argument is copied to memory in the logging context, so
+ *\li	The name argument is copied to memory in the logging context, so
  *	it can be altered or destroyed after isc_log_createchannel().
  *
- *	Defining a very large number of channels will have a performance
+ *\li	Defining a very large number of channels will have a performance
  *	impact on isc_log_usechannel(), since the names are searched
  *	linearly until a match is made.  This same issue does not affect
  *	isc_log_write, however.
  *
- *	Channel names can be redefined; this is primarily useful for programs
+ *\li	Channel names can be redefined; this is primarily useful for programs
  *	that want their own definition of default_syslog, default_debug
  *	and default_stderr.
  *
- *	Any channel that is redefined will not affect logging that was
+ *\li	Any channel that is redefined will not affect logging that was
  *	already directed to its original definition, _except_ for the
  *	default_stderr channel.  This case is handled specially so that
  *	the default logging category can be changed by redefining
  *	default_stderr.  (XXXDCL Though now that I think of it, the default
  *	logging category can be changed with only one additional function
  *	call by defining a new channel and then calling isc_log_usechannel()
- *	for ISC_LOGCATEGORY_DEFAULT.)
+ *	for #ISC_LOGCATEGORY_DEFAULT.)
  *
- *	Specifying ISC_LOG_PRINTTIME or ISC_LOG_PRINTTAG for syslog is allowed,
+ *\li	Specifying #ISC_LOG_PRINTTIME or #ISC_LOG_PRINTTAG for syslog is allowed,
  *	but probably not what you wanted to do.
  *
- *	ISC_LOG_DEBUGONLY will mark the channel as usable only when the
+ *	#ISC_LOG_DEBUGONLY will mark the channel as usable only when the
  *	debug level of the logging context (see isc_log_setdebuglevel)
  *	is non-zero.
  *
  * Requires:
- *	lcfg is a valid logging configuration.
+ *\li	lcfg is a valid logging configuration.
  *
- *	name is not NULL.
+ *\li	name is not NULL.
  *
- *	type is ISC_LOG_TOSYSLOG, ISC_LOG_TOFILE, ISC_LOG_TOFILEDESC or
- *		ISC_LOG_TONULL.
+ *\li	type is #ISC_LOG_TOSYSLOG, #ISC_LOG_TOFILE, #ISC_LOG_TOFILEDESC or
+ *		#ISC_LOG_TONULL.
  *
- *	destination is not NULL unless type is ISC_LOG_TONULL.
+ *\li	destination is not NULL unless type is #ISC_LOG_TONULL.
  *
- *	level is >= ISC_LOG_CRITICAL (the most negative logging level).
+ *\li	level is >= #ISC_LOG_CRITICAL (the most negative logging level).
  *
- *	flags does not include any bits aside from the ISC_LOG_PRINT* bits
- *	or ISC_LOG_DEBUGONLY.
+ *\li	flags does not include any bits aside from the ISC_LOG_PRINT* bits
+ *	or #ISC_LOG_DEBUGONLY.
  *
  * Ensures:
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_SUCCESS
  *		A channel with the given name is usable with
  *		isc_log_usechannel().
  *
- *	ISC_R_NOMEMORY or ISC_R_UNEXPECTED
+ *\li	#ISC_R_NOMEMORY or #ISC_R_UNEXPECTED
  *		No additional memory is being used by the logging context.
- *
  *		Any channel that previously existed with the given name
  *		is not redefined.
  *
  * Returns:
- *	ISC_R_SUCCESS		Success
- *	ISC_R_NOMEMORY		Resource limit: Out of memory
- *	ISC_R_UNEXPECTED	type was out of range and REQUIRE()
+ *\li	#ISC_R_SUCCESS		Success
+ *\li	#ISC_R_NOMEMORY		Resource limit: Out of memory
+ *\li	#ISC_R_UNEXPECTED	type was out of range and REQUIRE()
  *					was disabled.
  */
 
@@ -445,166 +467,186 @@ isc_result_t
 isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
 		   const isc_logcategory_t *category,
 		   const isc_logmodule_t *module);
-/*
+/*%<
  * Associate a named logging channel with a category and module that
  * will use it.
  *
  * Notes:
- *	The name is searched for linearly in the set of known channel names
+ *\li	The name is searched for linearly in the set of known channel names
  *	until a match is found.  (Note the performance impact of a very large
  *	number of named channels.)  When multiple channels of the same
  *	name are defined, the most recent definition is found.
  *
- *	Specifing a very large number of channels for a category will have
+ *\li	Specifing a very large number of channels for a category will have
  *	a moderate impact on performance in isc_log_write(), as each
  *	call looks up the category for the start of a linked list, which
  *	it follows all the way to the end to find matching modules.  The
  *	test for matching modules is  integral, though.
  *
- *	If category is NULL, then the channel is associated with the indicated
+ *\li	If category is NULL, then the channel is associated with the indicated
  *	module for all known categories (including the "default" category).
  *
- *	If module is NULL, then the channel is associated with every module
+ *\li	If module is NULL, then the channel is associated with every module
  *	that uses that category.
  *
- *	Passing both category and module as NULL would make every log message
+ *\li	Passing both category and module as NULL would make every log message
  *	use the indicated channel.
  *
- * 	Specifying a channel that is ISC_LOG_TONULL for a category/module pair
+ * \li	Specifying a channel that is #ISC_LOG_TONULL for a category/module pair
  *	has no effect on any other channels associated with that pair,
  *	regardless of ordering.  Thus you cannot use it to "mask out" one
  *	category/module pair when you have specified some other channel that
  * 	is also used by that category/module pair.
  *
  * Requires:
- *	lcfg is a valid logging configuration.
+ *\li	lcfg is a valid logging configuration.
  *
- *	category is NULL or has an id that is in the range of known ids.
+ *\li	category is NULL or has an id that is in the range of known ids.
  *
  *	module is NULL or has an id that is in the range of known ids.
  *
  * Ensures:
- *	ISC_R_SUCCESS
+ *\li	#ISC_R_SUCCESS
  *		The channel will be used by the indicated category/module
  *		arguments.
  *
- *	ISC_R_NOMEMORY
+ *\li	#ISC_R_NOMEMORY
  *		If assignment for a specific category has been requested,
  *		the channel has not been associated with the indicated
  *		category/module arguments and no additional memory is
  *		used by the logging context.
- *
  *		If assignment for all categories has been requested
  *		then _some_ may have succeeded (starting with category
  *		"default" and progressing through the order of categories
- *		passed to isc_log_registercategories) and additional memory
+ *		passed to isc_log_registercategories()) and additional memory
  *		is being used by whatever assignments succeeded.
  *
  * Returns:
- *	ISC_R_SUCCESS	Success
- *	ISC_R_NOMEMORY	Resource limit: Out of memory
+ *\li	#ISC_R_SUCCESS	Success
+ *\li	#ISC_R_NOMEMORY	Resource limit: Out of memory
  */
 
-void
-isc_log_write(isc_log_t *lctx, isc_logcategory_t *category,
-	      isc_logmodule_t *module, int level,
-	      const char *format, ...)
-ISC_FORMAT_PRINTF(5, 6);
-/*
+/* Attention: next four comments PRECEED code */
+/*! 
+ *   \brief
  * Write a message to the log channels.
  *
  * Notes:
- *	Log messages containing natural language text should be logged with
+ *\li	Log messages containing natural language text should be logged with
  *	isc_log_iwrite() to allow for localization.
  *
- *	lctx can be NULL; this is allowed so that programs which use
+ *\li	lctx can be NULL; this is allowed so that programs which use
  *	libraries that use the ISC logging system are not required to
  *	also use it.
  *
- *	The format argument is a printf(3) string, with additional arguments
+ *\li	The format argument is a printf(3) string, with additional arguments
  *	as necessary.
  *
  * Requires:
- *	lctx is a valid logging context.
+ *\li	lctx is a valid logging context.
  *
- *	The category and module arguments must have ids that are in the
+ *\li	The category and module arguments must have ids that are in the
  *	range of known ids, as estabished by isc_log_registercategories()
  *	and isc_log_registermodules().
  *
- *	level != ISC_LOG_DYNAMIC.  ISC_LOG_DYNAMIC is used only to define
+ *\li	level != #ISC_LOG_DYNAMIC.  ISC_LOG_DYNAMIC is used only to define
  *	channels, and explicit debugging level must be identified for
  *	isc_log_write() via ISC_LOG_DEBUG(level).
  *
- *	format != NULL.
+ *\li	format != NULL.
  *
  * Ensures:
- *	The log message is written to every channel associated with the
+ *\li	The log message is written to every channel associated with the
  *	indicated category/module pair.
  *
  * Returns:
- *	Nothing.  Failure to log a message is not construed as a
+ *\li	Nothing.  Failure to log a message is not construed as a
  *	meaningful error.
  */
-
 void
-isc_log_vwrite(isc_log_t *lctx, isc_logcategory_t *category,
+isc_log_write(isc_log_t *lctx, isc_logcategory_t *category,
 	       isc_logmodule_t *module, int level,
-	       const char *format, va_list args)
-ISC_FORMAT_PRINTF(5, 0);
-/*
+	      const char *format, ...)
+
+ISC_FORMAT_PRINTF(5, 6);
+
+/*%
  * Write a message to the log channels.
  *
  * Notes:
- *	lctx can be NULL; this is allowed so that programs which use
+ *\li	lctx can be NULL; this is allowed so that programs which use
  *	libraries that use the ISC logging system are not required to
  *	also use it.
  *
- *	The format argument is a printf(3) string, with additional arguments
+ *\li	The format argument is a printf(3) string, with additional arguments
  *	as necessary.
  *
  * Requires:
- *	lctx is a valid logging context.
+ *\li	lctx is a valid logging context.
  *
- *	The category and module arguments must have ids that are in the
+ *\li	The category and module arguments must have ids that are in the
  *	range of known ids, as estabished by isc_log_registercategories()
  *	and isc_log_registermodules().
  *
- *	level != ISC_LOG_DYNAMIC.  ISC_LOG_DYNAMIC is used only to define
+ *\li	level != #ISC_LOG_DYNAMIC.  ISC_LOG_DYNAMIC is used only to define
  *	channels, and explicit debugging level must be identified for
  *	isc_log_write() via ISC_LOG_DEBUG(level).
  *
- *	format != NULL.
+ *\li	format != NULL.
  *
  * Ensures:
- *	The log message is written to every channel associated with the
+ *\li	The log message is written to every channel associated with the
  *	indicated category/module pair.
  *
  * Returns:
- *	Nothing.  Failure to log a message is not construed as a
+ *\li	Nothing.  Failure to log a message is not construed as a
  *	meaningful error.
  */
+void
+isc_log_vwrite(isc_log_t *lctx, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level,
+	       const char *format, va_list args)
+
+ISC_FORMAT_PRINTF(5, 0);
 
+/*%
+ * Write a message to the log channels, pruning duplicates that occur within
+ * a configurable amount of seconds (see isc_log_[sg]etduplicateinterval).
+ * This function is otherwise identical to isc_log_write().
+ */
 void
 isc_log_write1(isc_log_t *lctx, isc_logcategory_t *category,
 	       isc_logmodule_t *module, int level, const char *format, ...)
+
 ISC_FORMAT_PRINTF(5, 6);
-/*
+
+/*%
  * Write a message to the log channels, pruning duplicates that occur within
  * a configurable amount of seconds (see isc_log_[sg]etduplicateinterval).
- * This function is otherwise identical to isc_log_write().
+ * This function is otherwise identical to isc_log_vwrite().
  */
-
 void
 isc_log_vwrite1(isc_log_t *lctx, isc_logcategory_t *category,
 		isc_logmodule_t *module, int level, const char *format,
 		va_list args)
+
 ISC_FORMAT_PRINTF(5, 0);
-/*
- * Write a message to the log channels, pruning duplicates that occur within
- * a configurable amount of seconds (see isc_log_[sg]etduplicateinterval).
- * This function is otherwise identical to isc_log_vwrite().
- */
 
+/*%
+ * These are four internationalized versions of the the isc_log_[v]write[1]
+ * functions.  
+ *
+ * The only difference is that they take arguments for a message
+ * catalog, message set, and message number, all immediately preceding the
+ * format argument.  The format argument becomes the default text, a la
+ * isc_msgcat_get.  If the message catalog is NULL, no lookup is attempted
+ * for a message -- which makes the message set and message number irrelevant,
+ * and the non-internationalized call should have probably been used instead.
+ *
+ * Yes, that means there are now *eight* interfaces to logging a message.
+ * Sheesh.   Make the madness stop!
+ */
+/*@{*/
 void
 isc_log_iwrite(isc_log_t *lctx, isc_logcategory_t *category,
 	      isc_logmodule_t *module, int level,
@@ -632,72 +674,61 @@ isc_log_ivwrite1(isc_log_t *lctx, isc_logcategory_t *category,
 		 isc_msgcat_t *msgcat, int msgset, int message,
 		 const char *format, va_list args)
 ISC_FORMAT_PRINTF(8, 0);
-/*
- * These are four internationalized versions of the the isc_log_[v]write[1]
- * functions.  The only difference is that they take arguments for a message
- * catalog, message set, and message number, all immediately preceding the
- * format argument.  The format argument becomes the default text, a la
- * isc_msgcat_get.  If the message catalog is NULL, no lookup is attempted
- * for a message -- which makes the message set and message number irrelevant,
- * and the non-internationalized call should have probably been used instead.
- *
- * Yes, that means there are now *eight* interfaces to logging a message.
- * Sheesh.   Make the madness stop!
- */
+/*@}*/
 
 void
 isc_log_setdebuglevel(isc_log_t *lctx, unsigned int level);
-/*
+/*%<
  * Set the debugging level used for logging.
  *
  * Notes:
- *	Setting the debugging level to 0 disables debugging log messages.
+ *\li	Setting the debugging level to 0 disables debugging log messages.
  *
  * Requires:
- *	lctx is a valid logging context.
+ *\li	lctx is a valid logging context.
  *
  * Ensures:
- *	The debugging level is set to the requested value.
+ *\li	The debugging level is set to the requested value.
  */
 
 unsigned int
 isc_log_getdebuglevel(isc_log_t *lctx);
-/*
+/*%<
  * Get the current debugging level.
  *
  * Notes:
- *	This is provided so that a program can have a notion of
+ *\li	This is provided so that a program can have a notion of
  *	"increment debugging level" or "decrement debugging level"
  *	without needing to keep track of what the current level is.
  *
- *	A return value of 0 indicates that debugging messages are disabled.
+ *\li	A return value of 0 indicates that debugging messages are disabled.
  *
  * Requires:
- *	lctx is a valid logging context.
+ *\li	lctx is a valid logging context.
  *
  * Ensures:
- *	The current logging debugging level is returned.
+ *\li	The current logging debugging level is returned.
  */
 
 isc_boolean_t
 isc_log_wouldlog(isc_log_t *lctx, int level);
-/*
+/*%<
  * Determine whether logging something to 'lctx' at 'level' would
  * actually cause something to be logged somewhere.
  *
- * If ISC_FALSE is returned, it is guaranteed that nothing would
+ * If #ISC_FALSE is returned, it is guaranteed that nothing would
  * be logged, allowing the caller to omit unnecessary
  * isc_log_write() calls and possible message preformatting.
  */
 
 void
 isc_log_setduplicateinterval(isc_logconfig_t *lcfg, unsigned int interval);
-/*
+/*%<
  * Set the interval over which duplicate log messages will be ignored
  * by isc_log_[v]write1(), in seconds.
  *
  * Notes:
- *	Increasing the duplicate interval from X to Y will not necessarily
+ *\li	Increasing the duplicate interval from X to Y will not necessarily
  *	filter out duplicates of messages logged in Y - X seconds since the
  *	increase.  (Example: Message1 is logged at midnight.  Message2
  *	is logged at 00:01:00, when the interval is only 30 seconds, causing
@@ -707,43 +738,43 @@ isc_log_setduplicateinterval(isc_logconfig_t *lcfg, unsigned int interval);
  *	passed since the first occurrence.
  *
  * Requires:
- *	lctx is a valid logging context.
+ *\li	lctx is a valid logging context.
  */
 
 unsigned int
 isc_log_getduplicateinterval(isc_logconfig_t *lcfg);
-/*
+/*%<
  * Get the current duplicate filtering interval.
  *
  * Requires:
- *	lctx is a valid logging context.
+ *\li	lctx is a valid logging context.
  *
  * Returns:
- *	The current duplicate filtering interval.
+ *\li	The current duplicate filtering interval.
  */
 
 isc_result_t
 isc_log_settag(isc_logconfig_t *lcfg, const char *tag);
-/*
- * Set the program name or other identifier for ISC_LOG_PRINTTAG.
+/*%<
+ * Set the program name or other identifier for #ISC_LOG_PRINTTAG.
  *
  * Requires:
- *	lcfg is a valid logging configuration.
+ *\li	lcfg is a valid logging configuration.
  *
  * Notes:
- *	If this function has not set the tag to a non-NULL, non-empty value,
- *	then the ISC_LOG_PRINTTAG channel flag will not print anything.
+ *\li	If this function has not set the tag to a non-NULL, non-empty value,
+ *	then the #ISC_LOG_PRINTTAG channel flag will not print anything.
  *	Unlike some implementations of syslog on Unix systems, you *must* set
  *	the tag in order to get it logged.  It is not implicitly derived from
  *	the program name (which is pretty impossible to infer portably).
  *
- *	Setting the tag to NULL or the empty string will also cause the
- *	ISC_LOG_PRINTTAG channel flag to not print anything.  If tag equals the
+ *\li	Setting the tag to NULL or the empty string will also cause the
+ *	#ISC_LOG_PRINTTAG channel flag to not print anything.  If tag equals the
  *	empty string, calls to isc_log_gettag will return NULL.
  *
  * Returns:
- *	ISC_R_SUCCESS	Success
- *	ISC_R_NOMEMORY  Resource Limit: Out of memory
+ *\li	#ISC_R_SUCCESS	Success
+ *\li	#ISC_R_NOMEMORY  Resource Limit: Out of memory
  *
  * XXXDCL when creating a new isc_logconfig_t, it might be nice if the tag
  * of the currently active isc_logconfig_t was inherited.  this does not
@@ -752,33 +783,35 @@ isc_log_settag(isc_logconfig_t *lcfg, const char *tag);
 
 char *
 isc_log_gettag(isc_logconfig_t *lcfg);
-/*
- * Get the current identifier printed with ISC_LOG_PRINTTAG.
+/*%<
+ * Get the current identifier printed with #ISC_LOG_PRINTTAG.
  *
  * Requires:
- *	lcfg is a valid logging configuration.
+ *\li	lcfg is a valid logging configuration.
  *
  * Notes:
- *	Since isc_log_settag() will not associate a zero-length string
+ *\li	Since isc_log_settag() will not associate a zero-length string
  *	with the logging configuration, attempts to do so will cause
  *	this function to return NULL.  However, a determined programmer
  *	will observe that (currently) a tag of length greater than zero
  *	could be set, and then modified to be zero length.
  *
  * Returns:
- *	A pointer to the current identifier, or NULL if none has been set.
+ *\li	A pointer to the current identifier, or NULL if none has been set.
  */
 
 void
 isc_log_opensyslog(const char *tag, int options, int facility);
-/*
+/*%<
  * Initialize syslog logging.
  *
  * Notes:
- *	XXXDCL NT
+ *\li	XXXDCL NT
  *	This is currently equivalent to openlog(), but is not going to remain
  *	that way.  In the meantime, the arguments are all identical to
  *	those used by openlog(3), as follows:
+ *
+ * \code
  *		tag: The string to use in the position of the program
  *			name in syslog messages.  Most (all?) syslogs
  *			will use basename(argv[0]) if tag is NULL.
@@ -789,89 +822,90 @@ isc_log_opensyslog(const char *tag, int options, int facility);
  *		facility: The default syslog facility.  This is irrelevant
  *			since isc_log_write will ALWAYS use the channel's
  *			declared facility.
+ * \endcode
  *
- *	Zero effort has been made (yet) to accomodate systems with openlog()
+ *\li	Zero effort has been made (yet) to accomodate systems with openlog()
  *	that only takes two arguments, or to identify valid syslog
  *	facilities or options for any given architecture.
  *
- *	It is necessary to call isc_log_opensyslog() to initialize
+ *\li	It is necessary to call isc_log_opensyslog() to initialize
  *	syslogging on machines which do not support network connections to
  *	syslogd because they require a Unix domain socket to be used.  Since
  *	this is a chore to determine at run-time, it is suggested that it
  *	always be called by programs using the ISC logging system.
  *
  * Requires:
- *	Nothing.
+ *\li	Nothing.
  *
  * Ensures:
- *	openlog() is called to initialize the syslog system.
+ *\li	openlog() is called to initialize the syslog system.
  */
 
 void
 isc_log_closefilelogs(isc_log_t *lctx);
-/*
- * Close all open files used by ISC_LOG_TOFILE channels.
+/*%<
+ * Close all open files used by #ISC_LOG_TOFILE channels.
  *
  * Notes:
- *	This function is provided for programs that want to use their own
+ *\li	This function is provided for programs that want to use their own
  *	log rolling mechanism rather than the one provided internally.
  *	For example, a program that wanted to keep daily logs would define
- *	a channel which used ISC_LOG_ROLLNEVER, then once a day would
+ *	a channel which used #ISC_LOG_ROLLNEVER, then once a day would
  *	rename the log file and call isc_log_closefilelogs().
  *
- *	ISC_LOG_TOFILEDESC channels are unaffected.
+ *\li	#ISC_LOG_TOFILEDESC channels are unaffected.
  *
  * Requires:
- *	lctx is a valid context.
+ *\li	lctx is a valid context.
  *
  * Ensures:
- *	The open files are closed and will be reopened when they are
+ *\li	The open files are closed and will be reopened when they are
  *	next needed.
  */
 
 isc_logcategory_t *
 isc_log_categorybyname(isc_log_t *lctx, const char *name);
-/*
+/*%<
  * Find a category by its name.
  *
  * Notes:
- *	The string name of a category is not required to be unique.
+ *\li	The string name of a category is not required to be unique.
  *
  * Requires:
- *	lctx is a valid context.
- *	name is not NULL.
+ *\li	lctx is a valid context.
+ *\li	name is not NULL.
  *
  * Returns:
- *	A pointer to the _first_ isc_logcategory_t structure used by "name".
+ *\li	A pointer to the _first_ isc_logcategory_t structure used by "name".
  *
- *	NULL if no category exists by that name.
+ *\li	NULL if no category exists by that name.
  */
 
 isc_logmodule_t *
 isc_log_modulebyname(isc_log_t *lctx, const char *name);
-/*
+/*%<
  * Find a module by its name.
  *
  * Notes:
- *	The string name of a module is not required to be unique.
+ *\li	The string name of a module is not required to be unique.
  *
  * Requires:
- *	lctx is a valid context.
- *	name is not NULL.
+ *\li	lctx is a valid context.
+ *\li	name is not NULL.
  *
  * Returns:
- *	A pointer to the _first_ isc_logmodule_t structure used by "name".
+ *\li	A pointer to the _first_ isc_logmodule_t structure used by "name".
  *
- *	NULL if no module exists by that name.
+ *\li	NULL if no module exists by that name.
  */
 
 void
 isc_log_setcontext(isc_log_t *lctx);
-/*
+/*%<
  * Sets the context used by the libisc for logging.
  *
  * Requires:
- *	lctx be a valid context.
+ *\li	lctx be a valid context.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/isc/include/isc/magic.h b/contrib/bind9/lib/isc/include/isc/magic.h
index 729e512..045b54f 100644
--- a/contrib/bind9/lib/isc/include/isc/magic.h
+++ b/contrib/bind9/lib/isc/include/isc/magic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,20 +15,21 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: magic.h,v 1.11.206.1 2004/03/06 08:14:43 marka Exp $ */
+/* $Id: magic.h,v 1.12.18.2 2005/04/29 00:16:59 marka Exp $ */
 
 #ifndef ISC_MAGIC_H
 #define ISC_MAGIC_H 1
 
+/*! \file */
+
 typedef struct {
 	unsigned int magic;
 } isc__magic_t;
 
 
-/*
+/*%
  * To use this macro the magic number MUST be the first thing in the
  * structure, and MUST be of type "unsigned int".
- *
  * The intent of this is to allow magic numbers to be checked even though
  * the object is otherwise opaque.
  */
diff --git a/contrib/bind9/lib/isc/include/isc/md5.h b/contrib/bind9/lib/isc/include/isc/md5.h
index c6c3825..3f9667e 100644
--- a/contrib/bind9/lib/isc/include/isc/md5.h
+++ b/contrib/bind9/lib/isc/include/isc/md5.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: md5.h,v 1.8.206.1 2004/03/06 08:14:43 marka Exp $ */
+/* $Id: md5.h,v 1.9.18.4 2006/02/01 00:10:34 marka Exp $ */
 
-/*
- * This is the header file for the MD5 message-digest algorithm.
+/*! \file 
+ * \brief This is the header file for the MD5 message-digest algorithm.
+ *
  * The algorithm is due to Ron Rivest.  This code was
  * written by Colin Plumb in 1993, no copyright is claimed.
  * This code is in the public domain; do with it what you wish.
@@ -45,7 +46,7 @@
 #include <isc/lang.h>
 #include <isc/types.h>
 
-#define ISC_MD5_DIGESTLENGTH 16
+#define ISC_MD5_DIGESTLENGTH 16U
 
 typedef struct {
 	isc_uint32_t buf[4];
diff --git a/contrib/bind9/lib/isc/include/isc/mem.h b/contrib/bind9/lib/isc/include/isc/mem.h
index 6455924..dc68bcb 100644
--- a/contrib/bind9/lib/isc/include/isc/mem.h
+++ b/contrib/bind9/lib/isc/include/isc/mem.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.h,v 1.54.12.4 2004/10/11 05:55:51 marka Exp $ */
+/* $Id: mem.h,v 1.59.18.9 2006/01/04 23:50:23 marka Exp $ */
 
 #ifndef ISC_MEM_H
 #define ISC_MEM_H 1
 
+/*! \file */
+
 #include <stdio.h>
 
 #include <isc/lang.h>
@@ -36,7 +38,7 @@ typedef void (*isc_mem_water_t)(void *, int);
 typedef void * (*isc_memalloc_t)(void *, size_t);
 typedef void (*isc_memfree_t)(void *, void *);
 
-/*
+/*%
  * Define ISC_MEM_DEBUG=1 to make all functions that free memory
  * set the pointer being freed to NULL after being freed.
  * This is the default; set ISC_MEM_DEBUG=0 to disable it.
@@ -45,7 +47,7 @@ typedef void (*isc_memfree_t)(void *, void *);
 #define ISC_MEM_DEBUG 1
 #endif
 
-/*
+/*%
  * Define ISC_MEM_TRACKLINES=1 to turn on detailed tracing of memory
  * allocation and freeing by file and line number.
  */
@@ -53,7 +55,7 @@ typedef void (*isc_memfree_t)(void *, void *);
 #define ISC_MEM_TRACKLINES 1
 #endif
 
-/*
+/*%
  * Define ISC_MEM_CHECKOVERRUN=1 to turn on checks for using memory outside
  * the requested space.  This will increase the size of each allocation.
  */
@@ -61,7 +63,7 @@ typedef void (*isc_memfree_t)(void *, void *);
 #define ISC_MEM_CHECKOVERRUN 1
 #endif
 
-/*
+/*%
  * Define ISC_MEM_FILL=1 to fill each block of memory returned to the system
  * with the byte string '0xbe'.  This helps track down uninitialized pointers
  * and the like.  On freeing memory, the space is filled with '0xde' for
@@ -71,7 +73,7 @@ typedef void (*isc_memfree_t)(void *, void *);
 #define ISC_MEM_FILL 1
 #endif
 
-/*
+/*%
  * Define ISC_MEMPOOL_NAMES=1 to make memory pools store a symbolic
  * name so that the leaking pool can be more readily identified in
  * case of a memory leak.
@@ -81,27 +83,40 @@ typedef void (*isc_memfree_t)(void *, void *);
 #endif
 
 LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
+/*@{*/
 #define ISC_MEM_DEBUGTRACE		0x00000001U
 #define ISC_MEM_DEBUGRECORD		0x00000002U
 #define ISC_MEM_DEBUGUSAGE		0x00000004U
-/*
+#define ISC_MEM_DEBUGSIZE		0x00000008U
+#define ISC_MEM_DEBUGCTX		0x00000010U
+#define ISC_MEM_DEBUGALL		0x0000001FU
+/*!<
  * The variable isc_mem_debugging holds a set of flags for
  * turning certain memory debugging options on or off at
  * runtime.  Its is intialized to the value ISC_MEM_DEGBUGGING,
  * which is 0 by default but may be overridden at compile time.
  * The following flags can be specified:
  *
- * ISC_MEM_DEBUGTRACE
+ * \li #ISC_MEM_DEBUGTRACE
  *	Log each allocation and free to isc_lctx.
  *
- * ISC_MEM_DEBUGRECORD
+ * \li #ISC_MEM_DEBUGRECORD
  *	Remember each allocation, and match them up on free.
  *	Crash if a free doesn't match an allocation.
  *
- * ISC_MEM_DEBUGUSAGE
+ * \li #ISC_MEM_DEBUGUSAGE
  *	If a hi_water mark is set, print the maximium inuse memory
  *	every time it is raised once it exceeds the hi_water mark.
+ *
+ * \li #ISC_MEM_DEBUGSIZE
+ *	Check the size argument being passed to isc_mem_put() matches
+ *	that passed to isc_mem_get().
+ *
+ * \li #ISC_MEM_DEBUGCTX
+ *	Check the mctx argument being passed to isc_mem_put() matches
+ *	that passed to isc_mem_get().
  */
+/*@}*/
 
 #if ISC_MEM_TRACKLINES
 #define _ISC_MEM_FILELINE	, __FILE__, __LINE__
@@ -111,17 +126,43 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
 #define _ISC_MEM_FLARG
 #endif
 
+/*!
+ * Define ISC_MEM_USE_INTERNAL_MALLOC=1 to use the internal malloc()
+ * implementation in preference to the system one.  The internal malloc()
+ * is very space-efficient, and quite fast on uniprocessor systems.  It
+ * performs poorly on multiprocessor machines.
+ * JT: we can overcome the performance issue on multiprocessor machines
+ * by carefully separating memory contexts.
+ */
+
+#ifndef ISC_MEM_USE_INTERNAL_MALLOC
+#define ISC_MEM_USE_INTERNAL_MALLOC 1
+#endif
+
+/*
+ * Flags for isc_mem_create2()calls.
+ */
+#define ISC_MEMFLAG_NOLOCK	0x00000001	 /* no lock is necessary */
+#define ISC_MEMFLAG_INTERNAL	0x00000002	 /* use internal malloc */
+#if ISC_MEM_USE_INTERNAL_MALLOC
+#define ISC_MEMFLAG_DEFAULT 	ISC_MEMFLAG_INTERNAL
+#else
+#define ISC_MEMFLAG_DEFAULT 	0
+#endif
+
+
 #define isc_mem_get(c, s)	isc__mem_get((c), (s) _ISC_MEM_FILELINE)
 #define isc_mem_allocate(c, s)	isc__mem_allocate((c), (s) _ISC_MEM_FILELINE)
 #define isc_mem_strdup(c, p)	isc__mem_strdup((c), (p) _ISC_MEM_FILELINE)
 #define isc_mempool_get(c)	isc__mempool_get((c) _ISC_MEM_FILELINE)
 
-/*
+/*% 
  * isc_mem_putanddetach() is a convienence function for use where you
  * have a structure with an attached memory context.
  *
  * Given:
  *
+ * \code
  * struct {
  *	...
  *	isc_mem_t *mctx;
@@ -131,14 +172,17 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
  * isc_mem_t *mctx;
  *
  * isc_mem_putanddetach(&ptr->mctx, ptr, sizeof(*ptr));
+ * \endcode
  *
  * is the equivalent of:
  *
+ * \code
  * mctx = NULL;
  * isc_mem_attach(ptr->mctx, &mctx);
  * isc_mem_detach(&ptr->mctx);
  * isc_mem_put(mctx, ptr, sizeof(*ptr));
  * isc_mem_detach(&mctx);
+ * \endcode
  */
 
 #if ISC_MEM_DEBUG
@@ -170,25 +214,35 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
 #define isc_mempool_put(c, p)	isc__mempool_put((c), (p) _ISC_MEM_FILELINE)
 #endif
 
+/*@{*/
 isc_result_t 
 isc_mem_create(size_t max_size, size_t target_size,
 	       isc_mem_t **mctxp);
 
+isc_result_t
+isc_mem_create2(size_t max_size, size_t target_size,
+		isc_mem_t **mctxp, unsigned int flags);
+
 isc_result_t 
 isc_mem_createx(size_t max_size, size_t target_size,
 		isc_memalloc_t memalloc, isc_memfree_t memfree,
 		void *arg, isc_mem_t **mctxp);
-/*
- * Create a memory context.
+
+isc_result_t 
+isc_mem_createx2(size_t max_size, size_t target_size,
+		 isc_memalloc_t memalloc, isc_memfree_t memfree,
+		 void *arg, isc_mem_t **mctxp, unsigned int flags);
+
+/*!<
+ * \brief Create a memory context.
  *
  * 'max_size' and 'target_size' are tuning parameters.  When
- * ISC_MEM_USE_INTERNAL_MALLOC is true, allocations smaller than
- * 'max_size' will be satisfied by getting blocks of size
- * 'target_size' from the system allocator and breaking them up into
- * pieces; larger allocations will use the system allocator directly.
- * If 'max_size' and/or 'target_size' are zero, default values will be
- * used.  When ISC_MEM_USE_INTERNAL_MALLOC is false, 'target_size' is
- * ignored.
+ * ISC_MEMFLAG_INTERNAL is set, allocations smaller than 'max_size'
+ * will be satisfied by getting blocks of size 'target_size' from the
+ * system allocator and breaking them up into pieces; larger allocations
+ * will use the system allocator directly. If 'max_size' and/or
+ * 'target_size' are zero, default values will be * used.  When
+ * ISC_MEMFLAG_INTERNAL is not set, 'target_size' is ignored.
  *
  * 'max_size' is also used to size the statistics arrays and the array
  * used to record active memory when ISC_MEM_DEBUGRECORD is set.  Settin
@@ -200,15 +254,23 @@ isc_mem_createx(size_t max_size, size_t target_size,
  * using isc_mem_create() will use the standard library malloc()
  * and free().
  *
+ * If ISC_MEMFLAG_NOLOCK is set in 'flags', the corresponding memory context
+ * will be accessed without locking.  The user who creates the context must
+ * ensure there be no race.  Since this can be a source of bug, it is generally
+ * inadvisable to use this flag unless the user is very sure about the race
+ * condition and the access to the object is highly performance sensitive.
+ *
  * Requires:
  * mctxp != NULL && *mctxp == NULL */
+/*@}*/
 
+/*@{*/
 void 
 isc_mem_attach(isc_mem_t *, isc_mem_t **);
 void 
 isc_mem_detach(isc_mem_t **);
-/*
- * Attach to / detach from a memory context.
+/*!<
+ * \brief Attach to / detach from a memory context.
  *
  * This is intended for applications that use multiple memory contexts
  * in such a way that it is not obvious when the last allocations from
@@ -219,10 +281,11 @@ isc_mem_detach(isc_mem_t **);
  * and destroy it at the end of main(), thereby guaranteeing that it
  * is not destroyed while there are outstanding allocations.
  */
+/*@}*/
 
 void 
 isc_mem_destroy(isc_mem_t **);
-/*
+/*%<
  * Destroy a memory context.
  */
 
@@ -230,38 +293,40 @@ isc_result_t
 isc_mem_ondestroy(isc_mem_t *ctx,
 		  isc_task_t *task,
 		  isc_event_t **event);
-/*
+/*%<
  * Request to be notified with an event when a memory context has
  * been successfully destroyed.
  */
 
 void 
 isc_mem_stats(isc_mem_t *mctx, FILE *out);
-/*
+/*%<
  * Print memory usage statistics for 'mctx' on the stream 'out'.
  */
 
 void 
 isc_mem_setdestroycheck(isc_mem_t *mctx,
 			isc_boolean_t on);
-/*
- * Iff 'on' is ISC_TRUE, 'mctx' will check for memory leaks when
+/*%<
+ * If 'on' is ISC_TRUE, 'mctx' will check for memory leaks when
  * destroyed and abort the program if any are present.
  */
 
+/*@{*/
 void 
 isc_mem_setquota(isc_mem_t *, size_t);
 size_t 
 isc_mem_getquota(isc_mem_t *);
-/*
+/*%<
  * Set/get the memory quota of 'mctx'.  This is a hard limit
  * on the amount of memory that may be allocated from mctx;
  * if it is exceeded, allocations will fail.
  */
+/*@}*/
 
 size_t 
 isc_mem_inuse(isc_mem_t *mctx);
-/*
+/*%<
  * Get an estimate of the number of memory in use in 'mctx', in bytes.
  * This includes quantization overhead, but does not include memory
  * allocated from the system but not yet used.
@@ -270,11 +335,13 @@ isc_mem_inuse(isc_mem_t *mctx);
 void
 isc_mem_setwater(isc_mem_t *mctx, isc_mem_water_t water, void *water_arg,
 		 size_t hiwater, size_t lowater);
-/*
- * Set high and low water marks for this memory context.  When the memory
- * usage of 'mctx' exceeds 'hiwater', '(water)(water_arg, ISC_MEM_HIWATER)'
+/*%<
+ * Set high and low water marks for this memory context.  
+ * 
+ * When the memory
+ * usage of 'mctx' exceeds 'hiwater', '(water)(water_arg, #ISC_MEM_HIWATER)'
  * will be called.  When the usage drops below 'lowater', 'water' will
- * again be called, this time with ISC_MEM_LOWATER.
+ * again be called, this time with #ISC_MEM_LOWATER.
  *
  * If 'water' is NULL then 'water_arg', 'hi_water' and 'lo_water' are
  * ignored and the state is reset.
@@ -285,53 +352,77 @@ isc_mem_setwater(isc_mem_t *mctx, isc_mem_water_t water, void *water_arg,
  *	hi_water >= lo_water
  */
 
+void
+isc_mem_printactive(isc_mem_t *mctx, FILE *file);
+/*%<
+ * Print to 'file' all active memory in 'mctx'.
+ *
+ * Requires ISC_MEM_DEBUGRECORD to have been set.
+ */
+
+void
+isc_mem_printallactive(FILE *file);
+/*%<
+ * Print to 'file' all active memory in all contexts.
+ *
+ * Requires ISC_MEM_DEBUGRECORD to have been set.
+ */
+
+void
+isc_mem_checkdestroyed(FILE *file);
+/*%<
+ * Check that all memory contexts have been destroyed.
+ * Prints out those that have not been.
+ * Fatally fails if there are still active contexts.
+ */
+
 /*
  * Memory pools
  */
 
 isc_result_t
 isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp);
-/*
+/*%<
  * Create a memory pool.
  *
  * Requires:
- *	mctx is a valid memory context.
- *	size > 0
- *	mpctxp != NULL and *mpctxp == NULL
+ *\li	mctx is a valid memory context.
+ *\li	size > 0
+ *\li	mpctxp != NULL and *mpctxp == NULL
  *
  * Defaults:
- *	maxalloc = UINT_MAX
- *	freemax = 1
- *	fillcount = 1
+ *\li	maxalloc = UINT_MAX
+ *\li	freemax = 1
+ *\li	fillcount = 1
  *
  * Returns:
- *	ISC_R_NOMEMORY		-- not enough memory to create pool
- *	ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOMEMORY		-- not enough memory to create pool
+ *\li	#ISC_R_SUCCESS		-- all is well.
  */
 
 void
 isc_mempool_destroy(isc_mempool_t **mpctxp);
-/*
+/*%<
  * Destroy a memory pool.
  *
  * Requires:
- *	mpctxp != NULL && *mpctxp is a valid pool.
- *	The pool has no un"put" allocations outstanding
+ *\li	mpctxp != NULL && *mpctxp is a valid pool.
+ *\li	The pool has no un"put" allocations outstanding
  */
 
 void
 isc_mempool_setname(isc_mempool_t *mpctx, const char *name);
-/*
+/*%<
  * Associate a name with a memory pool.  At most 15 characters may be used.
  *
  * Requires:
- *	mpctx is a valid pool.
- *	name != NULL;
+ *\li	mpctx is a valid pool.
+ *\li	name != NULL;
  */
 
 void
 isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock);
-/*
+/*%<
  * Associate a lock with this memory pool.
  *
  * This lock is used when getting or putting items using this memory pool,
@@ -346,13 +437,13 @@ isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock);
  *
  * Requires:
  *
- *	mpctpx is a valid pool.
+ *\li	mpctpx is a valid pool.
  *
- *	lock != NULL.
+ *\li	lock != NULL.
  *
- *	No previous lock is assigned to this pool.
+ *\li	No previous lock is assigned to this pool.
  *
- *	The lock is initialized before calling this function via the normal
+ *\li	The lock is initialized before calling this function via the normal
  *	means of doing that.
  */
 
@@ -372,57 +463,57 @@ isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock);
 
 unsigned int
 isc_mempool_getfreemax(isc_mempool_t *mpctx);
-/*
+/*%<
  * Returns the maximum allowed size of the free list.
  */
 
 void
 isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit);
-/*
+/*%<
  * Sets the maximum allowed size of the free list.
  */
 
 unsigned int
 isc_mempool_getfreecount(isc_mempool_t *mpctx);
-/*
+/*%<
  * Returns current size of the free list.
  */
 
 unsigned int
 isc_mempool_getmaxalloc(isc_mempool_t *mpctx);
-/*
+/*!<
  * Returns the maximum allowed number of allocations.
  */
 
 void
 isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit);
-/*
+/*%<
  * Sets the maximum allowed number of allocations.
  *
  * Additional requirements:
- *	limit > 0
+ *\li	limit > 0
  */
 
 unsigned int
 isc_mempool_getallocated(isc_mempool_t *mpctx);
-/*
+/*%<
  * Returns the number of items allocated from this pool.
  */
 
 unsigned int
 isc_mempool_getfillcount(isc_mempool_t *mpctx);
-/*
+/*%<
  * Returns the number of items allocated as a block from the parent memory
  * context when the free list is empty.
  */
 
 void
 isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
-/*
+/*%<
  * Sets the fillcount.
  *
  * Additional requirements:
- *	limit > 0
+ *\li	limit > 0
  */
 
 
diff --git a/contrib/bind9/lib/isc/include/isc/msgcat.h b/contrib/bind9/lib/isc/include/isc/msgcat.h
index 97839fa..813b57c 100644
--- a/contrib/bind9/lib/isc/include/isc/msgcat.h
+++ b/contrib/bind9/lib/isc/include/isc/msgcat.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: msgcat.h,v 1.8.206.1 2004/03/06 08:14:44 marka Exp $ */
+/* $Id: msgcat.h,v 1.9.18.2 2005/04/29 00:16:59 marka Exp $ */
 
 #ifndef ISC_MSGCAT_H
 #define ISC_MSGCAT_H 1
@@ -24,34 +24,33 @@
  ***** Module Info
  *****/
 
-/*
- * ISC Message Catalog
- *
- * Message catalogs aid internationalization of applications by allowing
+/*! \file isc/msgcat.h
+ * \brief The ISC Message Catalog
+ * aids internationalization of applications by allowing
  * messages to be retrieved from locale-specific files instead of
  * hardwiring them into the application.  This allows translations of
  * messages appropriate to the locale to be supplied without recompiling
  * the application.
  *
  * Notes:
- *	It's very important that message catalogs work, even if only the
+ *\li	It's very important that message catalogs work, even if only the
  *	default_text can be used.
  *
  * MP:
- *	The caller must ensure appropriate synchronization of
+ *\li	The caller must ensure appropriate synchronization of
  *	isc_msgcat_open() and isc_msgcat_close().  isc_msgcat_get()
  *	ensures appropriate synchronization.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	<TBS>
+ *\li	TBS
  *
- * Security:
+ * \li Security:
  *	No anticipated impact.
  *
- * Standards:
+ * \li Standards:
  *	None.
  */
 
@@ -70,61 +69,61 @@ ISC_LANG_BEGINDECLS
 
 void
 isc_msgcat_open(const char *name, isc_msgcat_t **msgcatp);
-/*
+/*%<
  * Open a message catalog.
  *
  * Notes:
  *
- *	If memory cannot be allocated or other failures occur, *msgcatp
+ *\li	If memory cannot be allocated or other failures occur, *msgcatp
  *	will be set to NULL.  If a NULL msgcat is given to isc_msgcat_get(),
  *	the default_text will be returned, ensuring that some message text
  *	will be available, no matter what's going wrong.
  *
  * Requires:
  *
- *	'name' is a valid string.
+ *\li	'name' is a valid string.
  *
- *	msgcatp != NULL && *msgcatp == NULL
+ *\li	msgcatp != NULL && *msgcatp == NULL
  */
 
 void
 isc_msgcat_close(isc_msgcat_t **msgcatp);
-/*
+/*%<
  * Close a message catalog.
  *
  * Notes:
  *
- *	Any string pointers returned by prior calls to isc_msgcat_get() are
+ *\li	Any string pointers returned by prior calls to isc_msgcat_get() are
  *	invalid after isc_msgcat_close() has been called and must not be
  *	used.
  *
  * Requires:
  *
- *	*msgcatp is a valid message catalog or is NULL.
+ *\li	*msgcatp is a valid message catalog or is NULL.
  *
  * Ensures:
  *
- *	All resources associated with the message catalog are released.
+ *\li	All resources associated with the message catalog are released.
  *
- *	*msgcatp == NULL
+ *\li	*msgcatp == NULL
  */
 
 const char *
 isc_msgcat_get(isc_msgcat_t *msgcat, int set, int message,
 	       const char *default_text);
-/*
+/*%<
  * Get message 'message' from message set 'set' in 'msgcat'.  If it
  * is not available, use 'default_text'.
  *
  * Requires:
  *
- *	'msgcat' is a valid message catalog or is NULL.
+ *\li	'msgcat' is a valid message catalog or is NULL.
  *
- *	set > 0
+ *\li	set > 0
  *
- *	message > 0
+ *\li	message > 0
  *
- *	'default_text' is a valid string.
+ *\li	'default_text' is a valid string.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/isc/include/isc/msgs.h b/contrib/bind9/lib/isc/include/isc/msgs.h
index 967005b..97b2108 100644
--- a/contrib/bind9/lib/isc/include/isc/msgs.h
+++ b/contrib/bind9/lib/isc/include/isc/msgs.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,16 +15,20 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: msgs.h,v 1.5.2.2.8.3 2004/03/06 08:14:44 marka Exp $ */
+/* $Id: msgs.h,v 1.9.18.2 2005/04/29 00:16:59 marka Exp $ */
 
 #ifndef ISC_MSGS_H
 #define ISC_MSGS_H 1
 
+/*! \file */
+
 #include <isc/lib.h>		/* Provide isc_msgcat global variable. */
 #include <isc/msgcat.h>		/* Provide isc_msgcat_*() functions. */
 
-/*
- * Message sets, named per source file, excepting "GENERAL".
+/*@{*/
+/*!
+ * \brief Message sets, named per source file, excepting "GENERAL".
+ *
  * IMPORTANT: The original list is alphabetical, but any new sets must
  * be added to the end.
  */
@@ -49,135 +53,139 @@
 #define ISC_MSGSET_TIMER	19
 #define ISC_MSGSET_UTIL		20
 #define ISC_MSGSET_IFITERGETIFADDRS 21
+/*@}*/
 
-/*
- * Message numbers.  They are only required to be unique per message set,
+/*@{*/
+/*!
+ * Message numbers  
+ * are only required to be unique per message set,
  * but are unique throughout the entire catalog to not be as confusing when
  * debugging.
  *
  * The initial numbering was done by multiply by 100 the set number the
  * message appears in then adding the incremental message number.
  */
-#define ISC_MSG_FAILED		101 /* "failed" */
-#define ISC_MSG_SUCCEEDED	102 /* Compatible with "failed" */
-#define ISC_MSG_SUCCESS		103 /* More usual way to say "success" */
-#define ISC_MSG_STARTING	104 /* As in "daemon: starting" */
-#define ISC_MSG_STOPING		105 /* As in "daemon: stopping" */
-#define ISC_MSG_ENTERING	106 /* As in "some_subr: entering" */
-#define ISC_MSG_EXITING		107 /* As in "some_subr: exiting" */
-#define ISC_MSG_CALLING		108 /* As in "calling some_subr()" */
-#define ISC_MSG_RETURNED	109 /* As in "some_subr: returned <foo>" */
-#define ISC_MSG_FATALERROR	110 /* "fatal error" */
-#define ISC_MSG_SHUTTINGDOWN	111 /* "shutting down" */
-#define ISC_MSG_RUNNING		112 /* "running" */
-#define ISC_MSG_WAIT		113 /* "wait" */
-#define ISC_MSG_WAITUNTIL	114 /* "waituntil" */
-
-#define ISC_MSG_SIGNALSETUP	201 /* "handle_signal() %d setup: %s" */
-
-#define ISC_MSG_ILLEGALOPT	301 /* "illegal option" */
-#define ISC_MSG_OPTNEEDARG	302 /* "option requires an argument" */
-
-#define ISC_MSG_ENTROPYSTATS	401 /* "Entropy pool %p:  refcnt %u ..." */
-
-#define ISC_MSG_MAKESCANSOCKET	501 /* "making interface scan socket: %s" */
-#define ISC_MSG_GETIFCONFIG	502 /* "get interface configuration: %s" */
-#define ISC_MSG_BUFFERMAX	503 /* "... maximum buffer size exceeded" */
-#define ISC_MSG_GETDESTADDR	504 /* "%s: getting destination address: %s" */
-#define ISC_MSG_GETNETMASK	505 /* "%s: getting netmask: %s" */
-
-#define ISC_MSG_GETIFLISTSIZE	601 /* "getting interface list size: ..." */
-#define ISC_MSG_GETIFLIST	602 /* "getting interface list: ..." */
-#define ISC_MSG_UNEXPECTEDTYPE	603 /* "... unexpected ... message type" */
-
-#define ISC_MSG_UNEXPECTEDSTATE	701 /* "Unexpected state %d" */
-
-#define ISC_MSG_BADTIME		801 /* "Bad 00 99:99:99.999 " */
-#define ISC_MSG_LEVEL		802 /* "level %d: " */
-
-#define ISC_MSG_ADDTRACE	901 /* "add %p size %u " */
-#define ISC_MSG_DELTRACE	902 /* "del %p size %u " */
-#define ISC_MSG_POOLSTATS	903 /* "[Pool statistics]\n" */
-#define ISC_MSG_POOLNAME	904 /* "name" */
-#define ISC_MSG_POOLSIZE	905 /* "size" */
-#define ISC_MSG_POOLMAXALLOC	906 /* "maxalloc" */
-#define ISC_MSG_POOLALLOCATED	907 /* "allocated" */
-#define ISC_MSG_POOLFREECOUNT	908 /* "freecount" */
-#define ISC_MSG_POOLFREEMAX	909 /* "freemax" */
-#define ISC_MSG_POOLFILLCOUNT	910 /* "fillcount" */
-#define ISC_MSG_POOLGETS	911 /* "gets" */
-#define ISC_MSG_DUMPALLOC	912 /* "DUMP OF ALL OUTSTANDING MEMORY ..." */
-#define ISC_MSG_NONE		913 /* "\tNone.\n" */
-#define ISC_MSG_PTRFILELINE	914 /* "\tptr %p file %s line %u\n" */
-
-#define ISC_MSG_UNKNOWNADDR    1001 /* "<unknown address, family %u>" */
-
-#define ISC_MSG_NOLONGDBL      1104 /* "long doubles are not supported" */
-
-#define ISC_MSG_PRINTLOCK      1201 /* "rwlock %p thread %lu ..." */
-#define ISC_MSG_READ	       1202 /* "read" */
-#define ISC_MSG_WRITE	       1203 /* "write" */
-#define ISC_MSG_READING	       1204 /* "reading" */
-#define ISC_MSG_WRITING	       1205 /* "writing" */
-#define ISC_MSG_PRELOCK	       1206 /* "prelock" */
-#define ISC_MSG_POSTLOCK       1207 /* "postlock" */
-#define ISC_MSG_PREUNLOCK      1208 /* "preunlock" */
-#define ISC_MSG_POSTUNLOCK     1209 /* "postunlock" */
-
-#define ISC_MSG_UNKNOWNFAMILY  1301 /* "unknown address family: %d" */
-
-#define ISC_MSG_WRITEFAILED    1401 /* "write() failed during watcher ..." */
-#define ISC_MSG_READFAILED     1402 /* "read() failed during watcher ... " */
-#define ISC_MSG_PROCESSCMSG    1403 /* "processing cmsg %p" */
-#define ISC_MSG_IFRECEIVED     1404 /* "interface received on ifindex %u" */
-#define ISC_MSG_SENDTODATA     1405 /* "sendto pktinfo data, ifindex %u" */
-#define ISC_MSG_DOIORECV       1406 /* "doio_recv: recvmsg(%d) %d bytes ..." */
-#define ISC_MSG_PKTRECV	       1407 /* "packet received correctly" */
-#define ISC_MSG_DESTROYING     1408 /* "destroying" */
-#define ISC_MSG_CREATED	       1409 /* "created" */
-#define ISC_MSG_ACCEPTLOCK     1410 /* "internal_accept called, locked ..." */
-#define ISC_MSG_ACCEPTEDCXN    1411 /* "accepted connection, new socket %p" */
-#define ISC_MSG_INTERNALRECV   1412 /* "internal_recv: task %p got event %p" */
-#define ISC_MSG_INTERNALSEND   1413 /* "internal_send: task %p got event %p" */
-#define ISC_MSG_WATCHERMSG     1414 /* "watcher got message %d" */
-#define ISC_MSG_SOCKETSREMAIN  1415 /* "sockets exist" */
-#define ISC_MSG_PKTINFOPROVIDED	1416 /* "pktinfo structure provided, ..." */
-#define ISC_MSG_BOUND	       1417 /* "bound" */
-#define ISC_MSG_ACCEPTRETURNED 1418 /* accept() returned %d/%s */
-#define ISC_MSG_TOOMANYFDS     1419 /* %s: too many open file descriptors */
-#define ISC_MSG_ZEROPORT       1420 /* dropping source port zero packet */
-#define ISC_MSG_FILTER	       1420 /* setsockopt(SO_ACCEPTFILTER): %s */
-
-#define ISC_MSG_AWAKE	       1502 /* "awake" */
-#define ISC_MSG_WORKING	       1503 /* "working" */
-#define ISC_MSG_EXECUTE	       1504 /* "execute action" */
-#define ISC_MSG_EMPTY	       1505 /* "empty" */
-#define ISC_MSG_DONE	       1506 /* "done" */
-#define ISC_MSG_QUANTUM	       1507 /* "quantum" */
-
-#define ISC_MSG_SCHEDULE       1601 /* "schedule" */
-#define ISC_MSG_SIGNALSCHED    1602 /* "signal (schedule)" */
-#define ISC_MSG_SIGNALDESCHED  1603 /* "signal (deschedule)" */
-#define ISC_MSG_SIGNALDESTROY  1604 /* "signal (destroy)" */
-#define ISC_MSG_IDLERESCHED    1605 /* "idle reschedule" */
-#define ISC_MSG_EVENTNOTALLOC  1606 /* "couldn't allocate event" */
-#define ISC_MSG_SCHEDFAIL      1607 /* "couldn't schedule timer: %u" */
-#define ISC_MSG_POSTING	       1608 /* "posting" */
-#define ISC_MSG_WAKEUP	       1609 /* "wakeup" */
-
-#define ISC_MSG_LOCK	       1701 /* "LOCK" */
-#define ISC_MSG_LOCKING	       1702 /* "LOCKING" */
-#define ISC_MSG_LOCKED	       1703 /* "LOCKED" */
-#define ISC_MSG_UNLOCKED       1704 /* "UNLOCKED" */
-#define ISC_MSG_RWLOCK	       1705 /* "RWLOCK" */
-#define ISC_MSG_RWLOCKED       1706 /* "RWLOCKED" */
-#define ISC_MSG_RWUNLOCK       1707 /* "RWUNLOCK" */
-#define ISC_MSG_BROADCAST      1708 /* "BROADCAST" */
-#define ISC_MSG_SIGNAL	       1709 /* "SIGNAL" */
-#define ISC_MSG_UTILWAIT       1710 /* "WAIT" */
-#define ISC_MSG_WAITED	       1711 /* "WAITED" */
-
-#define ISC_MSG_GETIFADDRS     1801 /* "getting interface addresses: ..." */
-
+#define ISC_MSG_FAILED		101 /*%< "failed" */
+#define ISC_MSG_SUCCEEDED	102 /*%< Compatible with "failed" */
+#define ISC_MSG_SUCCESS		103 /*%< More usual way to say "success" */
+#define ISC_MSG_STARTING	104 /*%< As in "daemon: starting" */
+#define ISC_MSG_STOPING		105 /*%< As in "daemon: stopping" */
+#define ISC_MSG_ENTERING	106 /*%< As in "some_subr: entering" */
+#define ISC_MSG_EXITING		107 /*%< As in "some_subr: exiting" */
+#define ISC_MSG_CALLING		108 /*%< As in "calling some_subr()" */
+#define ISC_MSG_RETURNED	109 /*%< As in "some_subr: returned <foo>" */
+#define ISC_MSG_FATALERROR	110 /*%< "fatal error" */
+#define ISC_MSG_SHUTTINGDOWN	111 /*%< "shutting down" */
+#define ISC_MSG_RUNNING		112 /*%< "running" */
+#define ISC_MSG_WAIT		113 /*%< "wait" */
+#define ISC_MSG_WAITUNTIL	114 /*%< "waituntil" */
+
+#define ISC_MSG_SIGNALSETUP	201 /*%< "handle_signal() %d setup: %s" */
+
+#define ISC_MSG_ILLEGALOPT	301 /*%< "illegal option" */
+#define ISC_MSG_OPTNEEDARG	302 /*%< "option requires an argument" */
+
+#define ISC_MSG_ENTROPYSTATS	401 /*%< "Entropy pool %p:  refcnt %u ..." */
+
+#define ISC_MSG_MAKESCANSOCKET	501 /*%< "making interface scan socket: %s" */
+#define ISC_MSG_GETIFCONFIG	502 /*%< "get interface configuration: %s" */
+#define ISC_MSG_BUFFERMAX	503 /*%< "... maximum buffer size exceeded" */
+#define ISC_MSG_GETDESTADDR	504 /*%< "%s: getting destination address: %s" */
+#define ISC_MSG_GETNETMASK	505 /*%< "%s: getting netmask: %s" */
+
+#define ISC_MSG_GETIFLISTSIZE	601 /*%< "getting interface list size: ..." */
+#define ISC_MSG_GETIFLIST	602 /*%< "getting interface list: ..." */
+#define ISC_MSG_UNEXPECTEDTYPE	603 /*%< "... unexpected ... message type" */
+
+#define ISC_MSG_UNEXPECTEDSTATE	701 /*%< "Unexpected state %d" */
+
+#define ISC_MSG_BADTIME		801 /*%< "Bad 00 99:99:99.999 " */
+#define ISC_MSG_LEVEL		802 /*%< "level %d: " */
+
+#define ISC_MSG_ADDTRACE	901 /*%< "add %p size %u " */
+#define ISC_MSG_DELTRACE	902 /*%< "del %p size %u " */
+#define ISC_MSG_POOLSTATS	903 /*%< "[Pool statistics]\n" */
+#define ISC_MSG_POOLNAME	904 /*%< "name" */
+#define ISC_MSG_POOLSIZE	905 /*%< "size" */
+#define ISC_MSG_POOLMAXALLOC	906 /*%< "maxalloc" */
+#define ISC_MSG_POOLALLOCATED	907 /*%< "allocated" */
+#define ISC_MSG_POOLFREECOUNT	908 /*%< "freecount" */
+#define ISC_MSG_POOLFREEMAX	909 /*%< "freemax" */
+#define ISC_MSG_POOLFILLCOUNT	910 /*%< "fillcount" */
+#define ISC_MSG_POOLGETS	911 /*%< "gets" */
+#define ISC_MSG_DUMPALLOC	912 /*%< "DUMP OF ALL OUTSTANDING MEMORY ..." */
+#define ISC_MSG_NONE		913 /*%< "\tNone.\n" */
+#define ISC_MSG_PTRFILELINE	914 /*%< "\tptr %p file %s line %u\n" */
+
+#define ISC_MSG_UNKNOWNADDR    1001 /*%< "<unknown address, family %u>" */
+
+#define ISC_MSG_NOLONGDBL      1104 /*%< "long doubles are not supported" */
+
+#define ISC_MSG_PRINTLOCK      1201 /*%< "rwlock %p thread %lu ..." */
+#define ISC_MSG_READ	       1202 /*%< "read" */
+#define ISC_MSG_WRITE	       1203 /*%< "write" */
+#define ISC_MSG_READING	       1204 /*%< "reading" */
+#define ISC_MSG_WRITING	       1205 /*%< "writing" */
+#define ISC_MSG_PRELOCK	       1206 /*%< "prelock" */
+#define ISC_MSG_POSTLOCK       1207 /*%< "postlock" */
+#define ISC_MSG_PREUNLOCK      1208 /*%< "preunlock" */
+#define ISC_MSG_POSTUNLOCK     1209 /*%< "postunlock" */
+
+#define ISC_MSG_UNKNOWNFAMILY  1301 /*%< "unknown address family: %d" */
+
+#define ISC_MSG_WRITEFAILED    1401 /*%< "write() failed during watcher ..." */
+#define ISC_MSG_READFAILED     1402 /*%< "read() failed during watcher ... " */
+#define ISC_MSG_PROCESSCMSG    1403 /*%< "processing cmsg %p" */
+#define ISC_MSG_IFRECEIVED     1404 /*%< "interface received on ifindex %u" */
+#define ISC_MSG_SENDTODATA     1405 /*%< "sendto pktinfo data, ifindex %u" */
+#define ISC_MSG_DOIORECV       1406 /*%< "doio_recv: recvmsg(%d) %d bytes ..." */
+#define ISC_MSG_PKTRECV	       1407 /*%< "packet received correctly" */
+#define ISC_MSG_DESTROYING     1408 /*%< "destroying" */
+#define ISC_MSG_CREATED	       1409 /*%< "created" */
+#define ISC_MSG_ACCEPTLOCK     1410 /*%< "internal_accept called, locked ..." */
+#define ISC_MSG_ACCEPTEDCXN    1411 /*%< "accepted connection, new socket %p" */
+#define ISC_MSG_INTERNALRECV   1412 /*%< "internal_recv: task %p got event %p" */
+#define ISC_MSG_INTERNALSEND   1413 /*%< "internal_send: task %p got event %p" */
+#define ISC_MSG_WATCHERMSG     1414 /*%< "watcher got message %d" */
+#define ISC_MSG_SOCKETSREMAIN  1415 /*%< "sockets exist" */
+#define ISC_MSG_PKTINFOPROVIDED	1416 /*%< "pktinfo structure provided, ..." */
+#define ISC_MSG_BOUND	       1417 /*%< "bound" */
+#define ISC_MSG_ACCEPTRETURNED 1418 /*%< accept() returned %d/%s */
+#define ISC_MSG_TOOMANYFDS     1419 /*%< %s: too many open file descriptors */
+#define ISC_MSG_ZEROPORT       1420 /*%< dropping source port zero packet */
+#define ISC_MSG_FILTER	       1420 /*%< setsockopt(SO_ACCEPTFILTER): %s */
+
+#define ISC_MSG_AWAKE	       1502 /*%< "awake" */
+#define ISC_MSG_WORKING	       1503 /*%< "working" */
+#define ISC_MSG_EXECUTE	       1504 /*%< "execute action" */
+#define ISC_MSG_EMPTY	       1505 /*%< "empty" */
+#define ISC_MSG_DONE	       1506 /*%< "done" */
+#define ISC_MSG_QUANTUM	       1507 /*%< "quantum" */
+
+#define ISC_MSG_SCHEDULE       1601 /*%< "schedule" */
+#define ISC_MSG_SIGNALSCHED    1602 /*%< "signal (schedule)" */
+#define ISC_MSG_SIGNALDESCHED  1603 /*%< "signal (deschedule)" */
+#define ISC_MSG_SIGNALDESTROY  1604 /*%< "signal (destroy)" */
+#define ISC_MSG_IDLERESCHED    1605 /*%< "idle reschedule" */
+#define ISC_MSG_EVENTNOTALLOC  1606 /*%< "couldn't allocate event" */
+#define ISC_MSG_SCHEDFAIL      1607 /*%< "couldn't schedule timer: %u" */
+#define ISC_MSG_POSTING	       1608 /*%< "posting" */
+#define ISC_MSG_WAKEUP	       1609 /*%< "wakeup" */
+
+#define ISC_MSG_LOCK	       1701 /*%< "LOCK" */
+#define ISC_MSG_LOCKING	       1702 /*%< "LOCKING" */
+#define ISC_MSG_LOCKED	       1703 /*%< "LOCKED" */
+#define ISC_MSG_UNLOCKED       1704 /*%< "UNLOCKED" */
+#define ISC_MSG_RWLOCK	       1705 /*%< "RWLOCK" */
+#define ISC_MSG_RWLOCKED       1706 /*%< "RWLOCKED" */
+#define ISC_MSG_RWUNLOCK       1707 /*%< "RWUNLOCK" */
+#define ISC_MSG_BROADCAST      1708 /*%< "BROADCAST" */
+#define ISC_MSG_SIGNAL	       1709 /*%< "SIGNAL" */
+#define ISC_MSG_UTILWAIT       1710 /*%< "WAIT" */
+#define ISC_MSG_WAITED	       1711 /*%< "WAITED" */
+
+#define ISC_MSG_GETIFADDRS     1801 /*%< "getting interface addresses: ..." */
+
+/*@}*/
 
 #endif /* ISC_MSGS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/mutexblock.h b/contrib/bind9/lib/isc/include/isc/mutexblock.h
index 9bfd90c..fa244c9 100644
--- a/contrib/bind9/lib/isc/include/isc/mutexblock.h
+++ b/contrib/bind9/lib/isc/include/isc/mutexblock.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutexblock.h,v 1.10.206.1 2004/03/06 08:14:44 marka Exp $ */
+/* $Id: mutexblock.h,v 1.11.18.2 2005/04/29 00:17:00 marka Exp $ */
 
 #ifndef ISC_MUTEXBLOCK_H
 #define ISC_MUTEXBLOCK_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/mutex.h>
 #include <isc/types.h>
@@ -28,39 +30,39 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 isc_mutexblock_init(isc_mutex_t *block, unsigned int count);
-/*
+/*%<
  * Initialize a block of locks.  If an error occurs all initialized locks
  * will be destroyed, if possible.
  *
  * Requires:
  *
- *	block != NULL
+ *\li	block != NULL
  *
- *	count > 0
+ *\li	count > 0
  *
  * Returns:
  *
- *	Any code isc_mutex_init() can return is a valid return for this
+ *\li	Any code isc_mutex_init() can return is a valid return for this
  *	function.
  */
 
 isc_result_t
 isc_mutexblock_destroy(isc_mutex_t *block, unsigned int count);
-/*
+/*%<
  * Destroy a block of locks.
  *
  * Requires:
  *
- *	block != NULL
+ *\li	block != NULL
  *
- *	count > 0
+ *\li	count > 0
  *
- *	Each lock in the block be initialized via isc_mutex_init() or
+ *\li	Each lock in the block be initialized via isc_mutex_init() or
  * 	the whole block was initialized via isc_mutex_initblock().
  *
  * Returns:
  *
- *	Any code isc_mutex_init() can return is a valid return for this
+ *\li	Any code isc_mutex_init() can return is a valid return for this
  *	function.
  */
 
diff --git a/contrib/bind9/lib/isc/include/isc/netaddr.h b/contrib/bind9/lib/isc/include/isc/netaddr.h
index ad3328c..06d063e 100644
--- a/contrib/bind9/lib/isc/include/isc/netaddr.h
+++ b/contrib/bind9/lib/isc/include/isc/netaddr.h
@@ -15,15 +15,22 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netaddr.h,v 1.18.12.9 2005/07/29 00:13:10 marka Exp $ */
+/* $Id: netaddr.h,v 1.25.18.5 2005/07/28 04:58:47 marka Exp $ */
 
 #ifndef ISC_NETADDR_H
 #define ISC_NETADDR_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/net.h>
 #include <isc/types.h>
 
+#ifdef ISC_PLATFORM_HAVESYSUNH
+#include <sys/types.h>
+#include <sys/un.h>
+#endif
+
 ISC_LANG_BEGINDECLS
 
 struct isc_netaddr {
@@ -31,6 +38,9 @@ struct isc_netaddr {
 	union {
     		struct in_addr in;
 		struct in6_addr in6;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		char un[sizeof(((struct sockaddr_un *)0)->sun_path)];
+#endif
 	} type;
 	isc_uint32_t zone;
 };
@@ -41,40 +51,40 @@ isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b);
 isc_boolean_t
 isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
 		     unsigned int prefixlen);
-/*
+/*%<
  * Compare the 'prefixlen' most significant bits of the network
- * addresses 'a' and 'b'.  Return ISC_TRUE if they are equal,
- * ISC_FALSE if not.
+ * addresses 'a' and 'b'.  Return #ISC_TRUE if they are equal,
+ * #ISC_FALSE if not.
  */
 
 isc_result_t
 isc_netaddr_masktoprefixlen(const isc_netaddr_t *s, unsigned int *lenp);
-/*
+/*%<
  * Convert a netmask in 's' into a prefix length in '*lenp'.
  * The mask should consist of zero or more '1' bits in the most
  * most significant part of the address, followed by '0' bits.
- * If this is not the case, ISC_R_MASKNONCONTIG is returned.
+ * If this is not the case, #ISC_R_MASKNONCONTIG is returned.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_MASKNONCONTIG
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_MASKNONCONTIG
  */
 
 isc_result_t
 isc_netaddr_totext(const isc_netaddr_t *netaddr, isc_buffer_t *target);
-/*
+/*%<
  * Append a text representation of 'sockaddr' to the buffer 'target'.
  * The text is NOT null terminated.  Handles IPv4 and IPv6 addresses.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE	The text or the null termination did not fit.
- *	ISC_R_FAILURE	Unspecified failure
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE	The text or the null termination did not fit.
+ *\li	#ISC_R_FAILURE	Unspecified failure
  */
 
 void
 isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size);
-/*
+/*%<
  * Format a human-readable representation of the network address '*na'
  * into the character array 'array', which is of size 'size'.
  * The resulting string is guaranteed to be null-terminated.
@@ -82,7 +92,7 @@ isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size);
 
 #define ISC_NETADDR_FORMATSIZE \
 	sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX%SSSSSSSSSS")
-/*
+/*%<
  * Minimum size of array to pass to isc_netaddr_format().
  */
 
@@ -95,6 +105,9 @@ isc_netaddr_fromin(isc_netaddr_t *netaddr, const struct in_addr *ina);
 void
 isc_netaddr_fromin6(isc_netaddr_t *netaddr, const struct in6_addr *ina6);
 
+isc_result_t
+isc_netaddr_frompath(isc_netaddr_t *netaddr, const char *path);
+
 void
 isc_netaddr_setzone(isc_netaddr_t *netaddr, isc_uint32_t zone);
 
@@ -103,46 +116,59 @@ isc_netaddr_getzone(const isc_netaddr_t *netaddr);
 
 void
 isc_netaddr_any(isc_netaddr_t *netaddr);
-/*
+/*%<
  * Return the IPv4 wildcard address.
  */
 
 void
 isc_netaddr_any6(isc_netaddr_t *netaddr);
-/*
+/*%<
  * Return the IPv6 wildcard address.
  */
 
 isc_boolean_t
 isc_netaddr_ismulticast(isc_netaddr_t *na);
-/*
+/*%<
  * Returns ISC_TRUE if the address is a multicast address.
  */
 
 isc_boolean_t
 isc_netaddr_isexperimental(isc_netaddr_t *na);
-/*
+/*%<
  * Returns ISC_TRUE if the address is a experimental (CLASS E) address.
  */
 
 isc_boolean_t
 isc_netaddr_islinklocal(isc_netaddr_t *na);
-/*
- * Returns ISC_TRUE if the address is a link local address.
+/*%<
+ * Returns #ISC_TRUE if the address is a link local address.
  */
 
 isc_boolean_t
 isc_netaddr_issitelocal(isc_netaddr_t *na);
-/*
- * Returns ISC_TRUE if the address is a site local address.
+/*%<
+ * Returns #ISC_TRUE if the address is a site local address.
  */
 
 void
 isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s);
-/*
+/*%<
  * Convert an IPv6 v4mapped address into an IPv4 address.
  */
 
+isc_result_t
+isc_netaddr_prefixok(const isc_netaddr_t *na, unsigned int prefixlen);
+/*
+ * Test whether the netaddr 'na' and 'prefixlen' are consistant.
+ * e.g. prefixlen within range.
+ *      na does not have bits set which are not covered by the prefixlen.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_RANGE		prefixlen out of range
+ *	ISC_R_NOTIMPLENTED	unsupported family
+ *	ISC_R_FAILURE		extra bits.
+ */
 
 ISC_LANG_ENDDECLS
 
diff --git a/contrib/bind9/lib/isc/include/isc/netscope.h b/contrib/bind9/lib/isc/include/isc/netscope.h
index 7cc0f18..d9bea54 100644
--- a/contrib/bind9/lib/isc/include/isc/netscope.h
+++ b/contrib/bind9/lib/isc/include/isc/netscope.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,22 +15,25 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netscope.h,v 1.4.142.5 2004/03/08 09:04:52 marka Exp $ */
+/* $Id: netscope.h,v 1.5.18.2 2005/04/29 00:17:00 marka Exp $ */
 
 #ifndef ISC_NETSCOPE_H
 #define ISC_NETSCOPE_H 1
 
+/*! \file */
+
 ISC_LANG_BEGINDECLS
 
-/*
+/*%
  * Convert a string of an IPv6 scope zone to zone index.  If the conversion
  * succeeds, 'zoneid' will store the index value.
+ *
  * XXXJT: when a standard interface for this purpose is defined,
  * we should use it.
  *
  * Returns:
- *	ISC_R_SUCCESS: conversion succeeds
- *	ISC_R_FAILURE: conversion fails
+ * \li	ISC_R_SUCCESS: conversion succeeds
+ * \li	ISC_R_FAILURE: conversion fails
  */
 isc_result_t
 isc_netscope_pton(int af, char *scopename, void *addr, isc_uint32_t *zoneid);
diff --git a/contrib/bind9/lib/isc/include/isc/ondestroy.h b/contrib/bind9/lib/isc/include/isc/ondestroy.h
index a2c584a..035873c 100644
--- a/contrib/bind9/lib/isc/include/isc/ondestroy.h
+++ b/contrib/bind9/lib/isc/include/isc/ondestroy.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ondestroy.h,v 1.7.206.1 2004/03/06 08:14:45 marka Exp $ */
+/* $Id: ondestroy.h,v 1.8.18.2 2005/04/29 00:17:00 marka Exp $ */
 
 #ifndef ISC_ONDESTROY_H
 #define ISC_ONDESTROY_H 1
@@ -25,33 +25,39 @@
 
 ISC_LANG_BEGINDECLS
 
-/*
+/*! \file 
  * ondestroy handling.
  *
  * Any class ``X'' of objects that wants to send out notifications
  * on its destruction should declare a field of type isc_ondestroy_t
  * (call it 'ondest').
  *
+ * \code
  * 	typedef struct {
  * 		...
  * 		isc_ondestroy_t	ondest;
  * 		...
  * 	} X;
+ * \endcode
  *
  * When an object ``A'' of type X is created
  * it must initialize the field ondest with a call to
  *
+ * \code
  * 	isc_ondestroy_init(&A->ondest).
+ * \endcode
  *
  * X should also provide a registration function for third-party
  * objects to call to register their interest in being told about
  * the destruction of a particular instance of X.
  *
+ * \code
  *	isc_result_t
  * 	X_ondestroy(X *instance, isc_task_t *task,
  * 		     isc_event_t **eventp) {
  * 		return(isc_ondestroy_register(&instance->ondest, task,eventp));
  * 	}
+ * \endcode
  *
  *	Note: locking of the ondestory structure embedded inside of X, is
  * 	X's responsibility.
@@ -59,15 +65,17 @@ ISC_LANG_BEGINDECLS
  * When an instance of X is destroyed, a call to  isc_ondestroy_notify()
  * sends the notifications:
  *
+ * \code
  *	X *instance;
  *	isc_ondestroy_t ondest = instance->ondest;
  *
  *	... completely cleanup 'instance' here...
  *
  * 	isc_ondestroy_notify(&ondest, instance);
+ * \endcode
  *
  *
- * see dns/zone.c for an ifdef'd-out example.
+ * see lib/dns/zone.c for an ifdef'd-out example.
  */
 
 struct isc_ondestroy {
@@ -77,7 +85,7 @@ struct isc_ondestroy {
 
 void
 isc_ondestroy_init(isc_ondestroy_t *ondest);
-/*
+/*%<
  * Initialize the on ondest structure. *must* be called before first call
  * to isc_ondestroy_register().
  */
@@ -86,7 +94,7 @@ isc_result_t
 isc_ondestroy_register(isc_ondestroy_t *ondest, isc_task_t *task,
 		       isc_event_t **eventp);
 
-/*
+/*%<
  * Stores task and *eventp away inside *ondest.  Ownership of **event is
  * taken from the caller (and *eventp is set to NULL). The task is attached
  * to.
@@ -94,7 +102,7 @@ isc_ondestroy_register(isc_ondestroy_t *ondest, isc_task_t *task,
 
 void
 isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender);
-/*
+/*%<
  * Dispatches the event(s) to the task(s) that were given in
  * isc_ondestroy_register call(s) (done via calls to
  * isc_task_sendanddetach()).  Before dispatch, the sender value of each
diff --git a/contrib/bind9/lib/isc/include/isc/os.h b/contrib/bind9/lib/isc/include/isc/os.h
index 5c3bd62..b2b76d5 100644
--- a/contrib/bind9/lib/isc/include/isc/os.h
+++ b/contrib/bind9/lib/isc/include/isc/os.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,18 +15,20 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.h,v 1.5.206.1 2004/03/06 08:14:45 marka Exp $ */
+/* $Id: os.h,v 1.6.18.2 2005/04/29 00:17:00 marka Exp $ */
 
 #ifndef ISC_OS_H
 #define ISC_OS_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 
 ISC_LANG_BEGINDECLS
 
 unsigned int
 isc_os_ncpus(void);
-/*
+/*%<
  * Return the number of CPUs available on the system, or 1 if this cannot
  * be determined.
  */
diff --git a/contrib/bind9/lib/isc/include/isc/parseint.h b/contrib/bind9/lib/isc/include/isc/parseint.h
index c877131..6940add 100644
--- a/contrib/bind9/lib/isc/include/isc/parseint.h
+++ b/contrib/bind9/lib/isc/include/isc/parseint.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parseint.h,v 1.2.202.4 2004/03/08 09:04:52 marka Exp $ */
+/* $Id: parseint.h,v 1.3.18.2 2005/04/29 00:17:00 marka Exp $ */
 
 #ifndef ISC_PARSEINT_H
 #define ISC_PARSEINT_H 1
@@ -23,8 +23,8 @@
 #include <isc/lang.h>
 #include <isc/types.h>
 
-/*
- * Parse integers, in a saner way than atoi() or strtoul() do.
+/*! \file
+ * \brief Parse integers, in a saner way than atoi() or strtoul() do.
  */
 
 /***
@@ -41,21 +41,22 @@ isc_parse_uint16(isc_uint16_t *uip, const char *string, int base);
 
 isc_result_t
 isc_parse_uint8(isc_uint8_t *uip, const char *string, int base);
-/*
+/*%<
  * Parse the null-terminated string 'string' containing a base 'base'
- * integer, storing the result in '*uip'.  The base is interpreted
+ * integer, storing the result in '*uip'.  
+ * The base is interpreted
  * as in strtoul().  Unlike strtoul(), leading whitespace, minus or
  * plus signs are not accepted, and all errors (including overflow)
  * are reported uniformly through the return value.
  *
  * Requires:
- *	'string' points to a null-terminated string
- *	0 <= 'base' <= 36
+ *\li	'string' points to a null-terminated string
+ *\li	0 <= 'base' <= 36
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_BADNUMBER   The string is not numeric (in the given base)
- *	ISC_R_RANGE	  The number is not representable as the requested type.
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_BADNUMBER   The string is not numeric (in the given base)
+ *\li	#ISC_R_RANGE	  The number is not representable as the requested type.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/isc/include/isc/platform.h.in b/contrib/bind9/lib/isc/include/isc/platform.h.in
index 7a803d7..f74fb19 100644
--- a/contrib/bind9/lib/isc/include/isc/platform.h.in
+++ b/contrib/bind9/lib/isc/include/isc/platform.h.in
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h.in,v 1.24.2.1.10.11 2004/03/08 09:04:52 marka Exp $ */
+/* $Id: platform.h.in,v 1.34.18.7 2007/02/13 00:04:50 marka Exp $ */
 
 #ifndef ISC_PLATFORM_H
 #define ISC_PLATFORM_H 1
 
+/*! \file */
+
 /*****
  ***** Platform-dependent defines.
  *****/
@@ -28,195 +30,239 @@
  *** Network.
  ***/
 
-/*
+/*! \brief
  * Define if this system needs the <netinet/in6.h> header file included
  * for full IPv6 support (pretty much only UnixWare).
  */
 @ISC_PLATFORM_NEEDNETINETIN6H@
 
-/*
+/*! \brief
  * Define if this system needs the <netinet6/in6.h> header file included
  * to support in6_pkinfo (pretty much only BSD/OS).
  */
 @ISC_PLATFORM_NEEDNETINET6IN6H@
 
-/*
+/*! \brief
  * If sockaddrs on this system have an sa_len field, ISC_PLATFORM_HAVESALEN
  * will be defined.
  */
 @ISC_PLATFORM_HAVESALEN@
 
-/*
+/*! \brief
  * If this system has the IPv6 structure definitions, ISC_PLATFORM_HAVEIPV6
  * will be defined.
  */
 @ISC_PLATFORM_HAVEIPV6@
 
-/*
+/*! \brief
  * If this system is missing in6addr_any, ISC_PLATFORM_NEEDIN6ADDRANY will
  * be defined.
  */
 @ISC_PLATFORM_NEEDIN6ADDRANY@
 
-/*
+/*! \brief
  * If this system is missing in6addr_loopback, ISC_PLATFORM_NEEDIN6ADDRLOOPBACK
  * will be defined.
  */
 @ISC_PLATFORM_NEEDIN6ADDRLOOPBACK@
 
-/*
+/*! \brief
  * If this system has in6_pktinfo, ISC_PLATFORM_HAVEIN6PKTINFO will be
  * defined.
  */
 @ISC_PLATFORM_HAVEIN6PKTINFO@
 
-/*
+/*! \brief
  * If this system has in_addr6, rather than in6_addr, ISC_PLATFORM_HAVEINADDR6
  * will be defined.
  */
 @ISC_PLATFORM_HAVEINADDR6@
 
-/*
+/*! \brief
  * If this system has sin6_scope_id, ISC_PLATFORM_HAVESCOPEID will be defined.
  */
 @ISC_PLATFORM_HAVESCOPEID@
 
-/*
+/*! \brief
  * If this system needs inet_ntop(), ISC_PLATFORM_NEEDNTOP will be defined.
  */
 @ISC_PLATFORM_NEEDNTOP@
 
-/*
+/*! \brief
  * If this system needs inet_pton(), ISC_PLATFORM_NEEDPTON will be defined.
  */
 @ISC_PLATFORM_NEEDPTON@
 
-/*
+/*! \brief
  * If this system needs inet_aton(), ISC_PLATFORM_NEEDATON will be defined.
  */
 @ISC_PLATFORM_NEEDATON@
 
-/*
+/*! \brief
  * If this system needs in_port_t, ISC_PLATFORM_NEEDPORTT will be defined.
  */
 @ISC_PLATFORM_NEEDPORTT@
 
-/*
+/*! \brief
  * If the system needs strsep(), ISC_PLATFORM_NEEDSTRSEP will be defined.
  */
 @ISC_PLATFORM_NEEDSTRSEP@
 
-/*
+/*! \brief
  * If the system needs strlcpy(), ISC_PLATFORM_NEEDSTRLCPY will be defined.
  */
 @ISC_PLATFORM_NEEDSTRLCPY@
 
-/*
+/*! \brief
  * If the system needs strlcat(), ISC_PLATFORM_NEEDSTRLCAT will be defined.
  */
 @ISC_PLATFORM_NEEDSTRLCAT@
 
-/*
+/*! \brief
  * Define either ISC_PLATFORM_BSD44MSGHDR or ISC_PLATFORM_BSD43MSGHDR.
  */
 @ISC_PLATFORM_MSGHDRFLAVOR@
 
-/*
+/*! \brief
  * Define if PTHREAD_ONCE_INIT should be surrounded by braces to
  * prevent compiler warnings (such as with gcc on Solaris 2.8).
  */
 @ISC_PLATFORM_BRACEPTHREADONCEINIT@
 
-/*
+/*! \brief
  * Define on some UnixWare systems to fix erroneous definitions of various
  * IN6_IS_ADDR_* macros.
  */
 @ISC_PLATFORM_FIXIN6ISADDR@
 
-/***
+/*
  *** Printing.
  ***/
 
-/*
+/*! \brief
  * If this system needs vsnprintf() and snprintf(), ISC_PLATFORM_NEEDVSNPRINTF
  * will be defined.
  */
 @ISC_PLATFORM_NEEDVSNPRINTF@
 
-/*
+/*! \brief
  * If this system need a modern sprintf() that returns (int) not (char*).
  */
 @ISC_PLATFORM_NEEDSPRINTF@
 
-/*
+/*! \brief
  * The printf format string modifier to use with isc_uint64_t values.
  */
 @ISC_PLATFORM_QUADFORMAT@
 
-/*
+/*! \brief
  * Defined if we are using threads.
  */
 @ISC_PLATFORM_USETHREADS@
 
-/*
+/*! \brief
  * Defined if unistd.h does not cause fd_set to be delared.
  */
 @ISC_PLATFORM_NEEDSYSSELECTH@
 
-/*
+/*! \brief
  * Type used for resource limits.
  */
 @ISC_PLATFORM_RLIMITTYPE@
 
-/*
+/*! \brief
  * Define if your compiler supports "long long int".
  */
 @ISC_PLATFORM_HAVELONGLONG@
 
-/*
+/*! \brief
  * Define if the system has struct lifconf which is a extended struct ifconf
  * for IPv6.
  */
 @ISC_PLATFORM_HAVELIFCONF@
 
-/*
+/*! \brief
  * Define if the system has struct if_laddrconf which is a extended struct
  * ifconf for IPv6.
  */
 @ISC_PLATFORM_HAVEIF_LADDRCONF@
 
-/*
+/*! \brief
  * Define if the system has struct if_laddrreq.
  */
 @ISC_PLATFORM_HAVEIF_LADDRREQ@
 
-/*
+/*! \brief
  * Used to control how extern data is linked; needed for Win32 platforms.
  */
 @ISC_PLATFORM_USEDECLSPEC@
 
-/*
+/*! \brief
  * Define if the system supports if_nametoindex.
  */
 @ISC_PLATFORM_HAVEIFNAMETOINDEX@
 
-/*
+/*! \brief
  * Define if this system needs strtoul.
  */
 @ISC_PLATFORM_NEEDSTRTOUL@
 
-/*
+/*! \brief
  * Define if this system needs memmove.
  */
 @ISC_PLATFORM_NEEDMEMMOVE@
 
+/*
+ * Define if the platform has <sys/un.h>.
+ */
+@ISC_PLATFORM_HAVESYSUNH@
+
+/*
+ * If the "xadd" operation is available on this architecture,
+ * ISC_PLATFORM_HAVEXADD will be defined. 
+ */
+@ISC_PLATFORM_HAVEXADD@
+
+/*
+ * If the "atomic swap" operation is available on this architecture,
+ * ISC_PLATFORM_HAVEATOMICSTORE" will be defined. 
+ */
+@ISC_PLATFORM_HAVEATOMICSTORE@
+
+/*
+ * If the "compare-and-exchange" operation is available on this architecture,
+ * ISC_PLATFORM_HAVECMPXCHG will be defined. 
+ */
+@ISC_PLATFORM_HAVECMPXCHG@
+
+/*
+ * Define if gcc ASM extension is available
+ */
+@ISC_PLATFORM_USEGCCASM@
+
+/*
+ * Define if Tru64 style ASM syntax must be used.
+ */
+@ISC_PLATFORM_USEOSFASM@
+
+/*
+ * Define if the standard __asm function must be used.
+ */
+@ISC_PLATFORM_USESTDASM@
+
+/*
+ * Define if MacOS style of PPC assembly must be used.
+ * e.g. "r6", not "6", for register six.
+ */
+@ISC_PLATFORM_USEMACASM@
+
 #ifndef ISC_PLATFORM_USEDECLSPEC
 #define LIBISC_EXTERNAL_DATA
 #define LIBDNS_EXTERNAL_DATA
 #define LIBISCCC_EXTERNAL_DATA
 #define LIBISCCFG_EXTERNAL_DATA
 #define LIBBIND9_EXTERNAL_DATA
-#else /* ISC_PLATFORM_USEDECLSPEC */
+#else /*! \brief ISC_PLATFORM_USEDECLSPEC */
 #ifdef LIBISC_EXPORTS
 #define LIBISC_EXTERNAL_DATA __declspec(dllexport)
 #else
@@ -242,7 +288,7 @@
 #else
 #define LIBBIND9_EXTERNAL_DATA __declspec(dllimport)
 #endif
-#endif /* ISC_PLATFORM_USEDECLSPEC */
+#endif /*! \brief ISC_PLATFORM_USEDECLSPEC */
 
 /*
  * Tell emacs to use C mode for this file.
diff --git a/contrib/bind9/lib/isc/include/isc/print.h b/contrib/bind9/lib/isc/include/isc/print.h
index 1bf3704..95c6b1c 100644
--- a/contrib/bind9/lib/isc/include/isc/print.h
+++ b/contrib/bind9/lib/isc/include/isc/print.h
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print.h,v 1.17.188.4 2005/06/09 23:54:30 marka Exp $ */
+/* $Id: print.h,v 1.19.18.3 2005/06/08 02:07:56 marka Exp $ */
 
 #ifndef ISC_PRINT_H
 #define ISC_PRINT_H 1
 
+/*! \file */
+
 /***
  *** Imports
  ***/
@@ -28,7 +30,7 @@
 #include <isc/lang.h>
 #include <isc/platform.h>
 
-/*
+/*!
  * This block allows lib/isc/print.c to be cleanly compiled even if
  * the platform does not need it.  The standard Makefile will still
  * not compile print.c or archive print.o, so this is just to make test
diff --git a/contrib/bind9/lib/isc/include/isc/quota.h b/contrib/bind9/lib/isc/include/isc/quota.h
index 4044118..6f95cd5 100644
--- a/contrib/bind9/lib/isc/include/isc/quota.h
+++ b/contrib/bind9/lib/isc/include/isc/quota.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: quota.h,v 1.8.12.6 2005/08/11 15:00:08 marka Exp $ */
+/* $Id: quota.h,v 1.10.18.4 2005/08/11 15:01:54 marka Exp $ */
 
 #ifndef ISC_QUOTA_H
 #define ISC_QUOTA_H 1
@@ -24,10 +24,9 @@
  ***** Module Info
  *****/
 
-/*
- * Quota
+/*! \file isc/quota.h
  *
- * The isc_quota_t object is a simple helper object for implementing
+ * \brief The isc_quota_t object is a simple helper object for implementing
  * quotas on things like the number of simultaneous connections to
  * a server.  It keeps track of the amount of quota in use, and
  * encapsulates the locking necessary to allow multiple tasks to
@@ -48,9 +47,9 @@
 
 ISC_LANG_BEGINDECLS
 
+/*% isc_quota structure */
 struct isc_quota {
-	isc_mutex_t	lock;
-	/* Locked by lock. */
+	isc_mutex_t	lock; /*%< Locked by lock. */
 	int 		max;
 	int 		used;
 	int		soft;
@@ -58,7 +57,7 @@ struct isc_quota {
 
 isc_result_t
 isc_quota_init(isc_quota_t *quota, int max);
-/*
+/*%<
  * Initialize a quota object.
  *
  * Returns:
@@ -68,49 +67,49 @@ isc_quota_init(isc_quota_t *quota, int max);
 
 void
 isc_quota_destroy(isc_quota_t *quota);
-/*
+/*%<
  * Destroy a quota object.
  */
 
 void
 isc_quota_soft(isc_quota_t *quota, int soft);
-/*
- * Turn on/off soft quotas.
+/*%<
+ * Set a soft quota.
  */
 
 void
 isc_quota_max(isc_quota_t *quota, int max);
-/*
+/*%<
  * Re-set a maximum quota.
  */
 
 isc_result_t
 isc_quota_reserve(isc_quota_t *quota);
-/*
+/*%<
  * Attempt to reserve one unit of 'quota'.
  *
  * Returns:
- * 	ISC_R_SUCCESS	Success
- *	ISC_R_SOFTQUOTA	Success soft quota reached
- *	ISC_R_QUOTA	Quota is full
+ * \li 	#ISC_R_SUCCESS		Success
+ * \li	#ISC_R_SOFTQUOTA	Success soft quota reached
+ * \li	#ISC_R_QUOTA		Quota is full
  */
 
 void
 isc_quota_release(isc_quota_t *quota);
-/*
+/*%<
  * Release one unit of quota.
  */
 
 isc_result_t
 isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
-/*
+/*%<
  * Like isc_quota_reserve, and also attaches '*p' to the
  * quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
  */
 
 void
 isc_quota_detach(isc_quota_t **p);
-/*
+/*%<
  * Like isc_quota_release, and also detaches '*p' from the
  * quota.
  */
diff --git a/contrib/bind9/lib/isc/include/isc/random.h b/contrib/bind9/lib/isc/include/isc/random.h
index ee416c5..c5cef8b 100644
--- a/contrib/bind9/lib/isc/include/isc/random.h
+++ b/contrib/bind9/lib/isc/include/isc/random.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: random.h,v 1.11.206.1 2004/03/06 08:14:46 marka Exp $ */
+/* $Id: random.h,v 1.12.18.2 2005/04/29 00:17:01 marka Exp $ */
 
 #ifndef ISC_RANDOM_H
 #define ISC_RANDOM_H 1
@@ -23,9 +23,11 @@
 #include <isc/lang.h>
 #include <isc/types.h>
 
-/*
- * Implements a random state pool which will let the caller return a
- * series of possibly non-reproducable random values.  Note that the
+/*! \file
+ * \brief Implements a random state pool which will let the caller return a
+ * series of possibly non-reproducable random values.  
+ *
+ * Note that the
  * strength of these numbers is not all that high, and should not be
  * used in cryptography functions.  It is useful for jittering values
  * a bit here and there, such as timeouts, etc.
@@ -35,13 +37,13 @@ ISC_LANG_BEGINDECLS
 
 void
 isc_random_seed(isc_uint32_t seed);
-/*
+/*%<
  * Set the initial seed of the random state.
  */
 
 void
 isc_random_get(isc_uint32_t *val);
-/*
+/*%<
  * Get a random value.
  *
  * Requires:
@@ -50,7 +52,7 @@ isc_random_get(isc_uint32_t *val);
 
 isc_uint32_t
 isc_random_jitter(isc_uint32_t max, isc_uint32_t jitter);
-/*
+/*%<
  * Get a random value between (max - jitter) and (max).
  * This is useful for jittering timer values.
  */
diff --git a/contrib/bind9/lib/isc/include/isc/ratelimiter.h b/contrib/bind9/lib/isc/include/isc/ratelimiter.h
index 2acab34..1944754 100644
--- a/contrib/bind9/lib/isc/include/isc/ratelimiter.h
+++ b/contrib/bind9/lib/isc/include/isc/ratelimiter.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ratelimiter.h,v 1.13.14.3 2004/03/08 09:04:53 marka Exp $ */
+/* $Id: ratelimiter.h,v 1.15.18.2 2005/04/29 00:17:01 marka Exp $ */
 
 #ifndef ISC_RATELIMITER_H
 #define ISC_RATELIMITER_H 1
@@ -24,8 +24,8 @@
  ***** Module Info
  *****/
 
-/*
- * A rate limiter is a mechanism for dispatching events at a limited
+/*! \file
+ * \brief A rate limiter is a mechanism for dispatching events at a limited
  * rate.  This is intended to be used when sending zone maintenance
  * SOA queries, NOTIFY messages, etc.
  */
@@ -46,13 +46,13 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
 		       isc_task_t *task, isc_ratelimiter_t **ratelimiterp);
-/*
+/*%<
  * Create a rate limiter.  The execution interval is initially undefined.
  */
 
 isc_result_t
 isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval);
-/*
+/*!<
  * Set the mininum interval between event executions.
  * The interval value is copied, so the caller need not preserve it.
  *
@@ -62,7 +62,7 @@ isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval);
 
 void
 isc_ratelimiter_setpertic(isc_ratelimiter_t *rl, isc_uint32_t perint);
-/*
+/*%<
  * Set the number of events processed per interval timer tick.
  * If 'perint' is zero it is treated as 1.
  */
@@ -70,8 +70,10 @@ isc_ratelimiter_setpertic(isc_ratelimiter_t *rl, isc_uint32_t perint);
 isc_result_t
 isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
 			isc_event_t **eventp);
-/*
- * Queue an event for rate-limited execution.  This is similar
+/*%<
+ * Queue an event for rate-limited execution.  
+ *
+ * This is similar
  * to doing an isc_task_send() to the 'task', except that the
  * execution may be delayed to achieve the desired rate of
  * execution.
@@ -80,50 +82,50 @@ isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
  * must ensure that the task exists until the event is delivered.
  *
  * Requires:
- *	An interval has been set by calling
+ *\li	An interval has been set by calling
  *	isc_ratelimiter_setinterval().
  *
- *	'task' to be non NULL.
- *	'(*eventp)->ev_sender' to be NULL.
+ *\li	'task' to be non NULL.
+ *\li	'(*eventp)->ev_sender' to be NULL.
  */
 
 void
 isc_ratelimiter_shutdown(isc_ratelimiter_t *ratelimiter);
-/*
+/*%<
  * Shut down a rate limiter.
  *
  * Ensures:
- *	All events that have not yet been
+ *\li	All events that have not yet been
  * 	dispatched to the task are dispatched immediately with
- *	the ISC_EVENTATTR_CANCELED bit set in ev_attributes.
+ *	the #ISC_EVENTATTR_CANCELED bit set in ev_attributes.
  *
- *	Further attempts to enqueue events will fail with
- * 	ISC_R_SHUTTINGDOWN.
+ *\li	Further attempts to enqueue events will fail with
+ * 	#ISC_R_SHUTTINGDOWN.
  *
- *	The reatelimiter is no longer attached to its task.
+ *\li	The reatelimiter is no longer attached to its task.
  */
 
 void
 isc_ratelimiter_attach(isc_ratelimiter_t *source, isc_ratelimiter_t **target);
-/*
+/*%<
  * Attach to a rate limiter.
  */
 
 void
 isc_ratelimiter_detach(isc_ratelimiter_t **ratelimiterp);
-/*
+/*%<
  * Detach from a rate limiter.
  */
 
 isc_result_t
 isc_ratelimiter_stall(isc_ratelimiter_t *rl);
-/*
+/*%<
  * Stall event processing.
  */
 
 isc_result_t
 isc_ratelimiter_release(isc_ratelimiter_t *rl);
-/*
+/*%<
  * Release a stalled rate limiter.
  */
 
diff --git a/contrib/bind9/lib/isc/include/isc/refcount.h b/contrib/bind9/lib/isc/include/isc/refcount.h
index d2c7b6f..b930465 100644
--- a/contrib/bind9/lib/isc/include/isc/refcount.h
+++ b/contrib/bind9/lib/isc/include/isc/refcount.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,19 +15,22 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: refcount.h,v 1.3.2.2.2.2 2004/04/14 05:12:25 marka Exp $ */
+/* $Id: refcount.h,v 1.6.18.5 2005/07/12 01:22:31 marka Exp $ */
 
 #ifndef ISC_REFCOUNT_H
 #define ISC_REFCOUNT_H 1
 
+#include <isc/atomic.h>
 #include <isc/lang.h>
 #include <isc/mutex.h>
 #include <isc/platform.h>
 #include <isc/types.h>
 #include <isc/util.h>
 
-/*
- * Implements a locked reference counter.  These functions may actually be
+/*! \file
+ * \brief Implements a locked reference counter.  
+ *
+ * These functions may actually be
  * implemented using macros, and implementations of these macros are below.
  * The isc_refcount_t type should not be accessed directly, as its contents
  * depend on the implementation.
@@ -39,8 +42,8 @@ ISC_LANG_BEGINDECLS
  * Function prototypes
  */
 
-/*
- * void
+/* 
+ * isc_result_t
  * isc_refcount_init(isc_refcount_t *ref, unsigned int n);
  *
  * Initialize the reference counter.  There will be 'n' initial references.
@@ -63,9 +66,14 @@ ISC_LANG_BEGINDECLS
 /*
  * void
  * isc_refcount_increment(isc_refcount_t *ref, unsigned int *targetp);
+ * isc_refcount_increment0(isc_refcount_t *ref, unsigned int *targetp);
  *
  * Increments the reference count, returning the new value in targetp if it's
- * not NULL.
+ * not NULL.  The reference counter typically begins with the initial counter
+ * of 1, and will be destroyed once the counter reaches 0.  Thus,
+ * isc_refcount_increment() additionally requires the previous counter be
+ * larger than 0 so that an error which violates the usage can be easily
+ * caught.  isc_refcount_increment0() does not have this restriction.
  *
  * Requires:
  *	ref != NULL.
@@ -87,20 +95,54 @@ ISC_LANG_BEGINDECLS
  * Sample implementations
  */
 #ifdef ISC_PLATFORM_USETHREADS
+#ifdef ISC_PLATFORM_HAVEXADD
+
+#define ISC_REFCOUNT_HAVEATOMIC 1
 
 typedef struct isc_refcount {
-	int refs;
-	isc_mutex_t lock;
+	isc_int32_t refs;
 } isc_refcount_t;
 
-#define isc_refcount_init(rp, n) 			\
-	do {						\
-		isc_result_t _r;			\
-		(rp)->refs = (n);			\
-		_r = isc_mutex_init(&(rp)->lock);	\
-		RUNTIME_CHECK(_r == ISC_R_SUCCESS);	\
+#define isc_refcount_destroy(rp) (REQUIRE((rp)->refs == 0))
+#define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
+
+#define isc_refcount_increment0(rp, tp)				\
+	do {							\
+		unsigned int *_tmp = (unsigned int *)(tp);	\
+		isc_int32_t prev;				\
+		prev = isc_atomic_xadd(&(rp)->refs, 1);		\
+		if (_tmp != NULL)				\
+			*_tmp = prev + 1;			\
 	} while (0)
 
+#define isc_refcount_increment(rp, tp)				\
+	do {							\
+		unsigned int *_tmp = (unsigned int *)(tp);	\
+		isc_int32_t prev;				\
+		prev = isc_atomic_xadd(&(rp)->refs, 1);		\
+		REQUIRE(prev > 0);				\
+		if (_tmp != NULL)				\
+			*_tmp = prev + 1;			\
+	} while (0)
+
+#define isc_refcount_decrement(rp, tp)				\
+	do {							\
+		unsigned int *_tmp = (unsigned int *)(tp);	\
+		isc_int32_t prev;				\
+		prev = isc_atomic_xadd(&(rp)->refs, -1);	\
+		REQUIRE(prev > 0);				\
+		if (_tmp != NULL)				\
+			*_tmp = prev - 1;			\
+	} while (0)
+
+#else  /* ISC_PLATFORM_HAVEXADD */
+
+typedef struct isc_refcount {
+	int refs;
+	isc_mutex_t lock;
+} isc_refcount_t;
+
+/*% Destroys a reference counter. */
 #define isc_refcount_destroy(rp)			\
 	do {						\
 		REQUIRE((rp)->refs == 0);		\
@@ -109,6 +151,17 @@ typedef struct isc_refcount {
 
 #define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
 
+/*% Increments the reference count, returning the new value in targetp if it's not NULL. */
+#define isc_refcount_increment0(rp, tp)				\
+	do {							\
+		unsigned int *_tmp = (unsigned int *)(tp);	\
+		LOCK(&(rp)->lock);				\
+		++((rp)->refs);					\
+		if (_tmp != NULL)				\
+			*_tmp = ((rp)->refs);			\
+		UNLOCK(&(rp)->lock);				\
+	} while (0)
+
 #define isc_refcount_increment(rp, tp)				\
 	do {							\
 		unsigned int *_tmp = (unsigned int *)(tp);	\
@@ -120,6 +173,7 @@ typedef struct isc_refcount {
 		UNLOCK(&(rp)->lock);				\
 	} while (0)
 
+/*% Decrements the reference count,  returning the new value in targetp if it's not NULL. */
 #define isc_refcount_decrement(rp, tp)				\
 	do {							\
 		unsigned int *_tmp = (unsigned int *)(tp);	\
@@ -131,17 +185,17 @@ typedef struct isc_refcount {
 		UNLOCK(&(rp)->lock);				\
 	} while (0)
 
-#else
+#endif /* ISC_PLATFORM_HAVEXADD */
+#else  /* ISC_PLATFORM_USETHREADS */
 
 typedef struct isc_refcount {
 	int refs;
 } isc_refcount_t;
 
-#define isc_refcount_init(rp, n) ((rp)->refs = (n))
 #define isc_refcount_destroy(rp) (REQUIRE((rp)->refs == 0))
 #define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
 
-#define isc_refcount_increment(rp, tp)					\
+#define isc_refcount_increment0(rp, tp)					\
 	do {								\
 		unsigned int *_tmp = (unsigned int *)(tp);		\
 		int _n = ++(rp)->refs;					\
@@ -149,15 +203,30 @@ typedef struct isc_refcount {
 			*_tmp = _n;					\
 	} while (0)
 
+#define isc_refcount_increment(rp, tp)					\
+	do {								\
+		unsigned int *_tmp = (unsigned int *)(tp);		\
+		int _n;							\
+		REQUIRE((rp)->refs > 0);				\
+		_n = ++(rp)->refs;					\
+		if (_tmp != NULL)					\
+			*_tmp = _n;					\
+	} while (0)
+
 #define isc_refcount_decrement(rp, tp)					\
 	do {								\
 		unsigned int *_tmp = (unsigned int *)(tp);		\
-		int _n = --(rp)->refs;					\
+		int _n;							\
+		REQUIRE((rp)->refs > 0);				\
+		_n = --(rp)->refs;					\
 		if (_tmp != NULL)					\
 			*_tmp = _n;					\
 	} while (0)
 
-#endif
+#endif /* ISC_PLATFORM_USETHREADS */
+
+isc_result_t
+isc_refcount_init(isc_refcount_t *ref, unsigned int n);
 
 ISC_LANG_ENDDECLS
 
diff --git a/contrib/bind9/lib/isc/include/isc/region.h b/contrib/bind9/lib/isc/include/isc/region.h
index 5622394..9b651fe 100644
--- a/contrib/bind9/lib/isc/include/isc/region.h
+++ b/contrib/bind9/lib/isc/include/isc/region.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: region.h,v 1.16.12.3 2004/03/08 09:04:53 marka Exp $ */
+/* $Id: region.h,v 1.19.18.2 2005/04/29 00:17:01 marka Exp $ */
 
 #ifndef ISC_REGION_H
 #define ISC_REGION_H 1
 
+/*! \file */
+
 #include <isc/types.h>
 
 struct isc_region {
@@ -45,7 +47,8 @@ struct isc_consttextregion {
 	unsigned int	length;
 };
 
-/*
+/*@{*/
+/*!
  * The region structure is not opaque, and is usually directly manipulated.
  * Some macros are defined below for convenience.
  */
@@ -76,20 +79,21 @@ struct isc_consttextregion {
 		_r->base += _l; \
 		_r->length -= _l; \
 	} while (0)
+/*@}*/
 
 int
 isc_region_compare(isc_region_t *r1, isc_region_t *r2);
-/*
+/*%<
  * Compares the contents of two regions 
  *
  * Requires: 
- *	'r1' is a valid region
- *	'r2' is a valid region
+ *\li	'r1' is a valid region
+ *\li	'r2' is a valid region
  *
  * Returns:
- *	 < 0 if r1 is lexicographically less than r2
- *	 = 0 if r1 is lexicographically identical to r2
- *	 > 0 if r1 is lexicographically greater than r2
+ *\li	 < 0 if r1 is lexicographically less than r2
+ *\li	 = 0 if r1 is lexicographically identical to r2
+ *\li	 > 0 if r1 is lexicographically greater than r2
  */
 
 #endif /* ISC_REGION_H */
diff --git a/contrib/bind9/lib/isc/include/isc/resource.h b/contrib/bind9/lib/isc/include/isc/resource.h
index 2c2a829..53b2a4e 100644
--- a/contrib/bind9/lib/isc/include/isc/resource.h
+++ b/contrib/bind9/lib/isc/include/isc/resource.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resource.h,v 1.4.206.1 2004/03/06 08:14:47 marka Exp $ */
+/* $Id: resource.h,v 1.5.18.2 2005/04/29 00:17:02 marka Exp $ */
 
 #ifndef ISC_RESOURCE_H
 #define ISC_RESOURCE_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/types.h>
 
@@ -29,40 +31,40 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value);
-/*
+/*%<
  * Set the maximum limit for a system resource.
  *
  * Notes:
- *	If 'value' exceeds the maximum possible on the operating system,
+ *\li	If 'value' exceeds the maximum possible on the operating system,
  *	it is silently limited to that maximum -- or to "infinity", if
- *	the operating system has that concept.  ISC_RESOURCE_UNLIMITED
+ *	the operating system has that concept.  #ISC_RESOURCE_UNLIMITED
  *	can be used to explicitly ask for the maximum.
  *
  * Requires:
- *	'resource' is a valid member of the isc_resource_t enumeration.
+ *\li	'resource' is a valid member of the isc_resource_t enumeration.
  *
  * Returns:
- *	ISC_R_SUCCESS	Success.
- *	ISC_R_NOTIMPLEMENTED	'resource' is not a type known by the OS.
- *	ISC_R_NOPERM	The calling process did not have adequate permission
+ *\li	#ISC_R_SUCCESS	Success.
+ *\li	#ISC_R_NOTIMPLEMENTED	'resource' is not a type known by the OS.
+ *\li	#ISC_R_NOPERM	The calling process did not have adequate permission
  *			to change the resource limit.
  */
 
 isc_result_t
 isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value);
-/*
+/*%<
  * Get the maximum limit for a system resource.
  *
  * Notes:
- *	'value' is set to the maximum limit.
+ *\li	'value' is set to the maximum limit.
  *
- *	ISC_RESOURCE_UNLIMITED is the maximum value of isc_resourcevalue_t.
+ *\li	#ISC_RESOURCE_UNLIMITED is the maximum value of isc_resourcevalue_t.
  *
- *	On many (all?) Unix systems, RLIM_INFINITY is a valid value that is
- *	significantly less than ISC_RESOURCE_UNLIMITED, but which in practice
+ *\li	On many (all?) Unix systems, RLIM_INFINITY is a valid value that is
+ *	significantly less than #ISC_RESOURCE_UNLIMITED, but which in practice
  *	behaves the same.
  *
- *	The current ISC libdns configuration file parser assigns a value
+ *\li	The current ISC libdns configuration file parser assigns a value
  *	of ISC_UINT32_MAX for a size_spec of "unlimited" and ISC_UNIT32_MAX - 1
  *	for "default", the latter of which is supposed to represent "the
  *	limit that was in force when the server started".  Since these are
@@ -72,11 +74,11 @@ isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value);
  *	discrete integral values or generalized concepts.
  *
  * Requires:
- *	'resource' is a valid member of the isc_resource_t enumeration.
+ *\li	'resource' is a valid member of the isc_resource_t enumeration.
  *
  * Returns:
- *	ISC_R_SUCCESS		Success.
- *	ISC_R_NOTIMPLEMENTED	'resource' is not a type known by the OS.
+ *\li	#ISC_R_SUCCESS		Success.
+ *\li	#ISC_R_NOTIMPLEMENTED	'resource' is not a type known by the OS.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/isc/include/isc/result.h b/contrib/bind9/lib/isc/include/isc/result.h
index 93f7cef..0de3493 100644
--- a/contrib/bind9/lib/isc/include/isc/result.h
+++ b/contrib/bind9/lib/isc/include/isc/result.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.57.2.2.8.5 2004/05/15 03:46:13 jinmei Exp $ */
+/* $Id: result.h,v 1.62.18.4 2005/06/22 22:05:49 marka Exp $ */
 
 #ifndef ISC_RESULT_H
 #define ISC_RESULT_H 1
@@ -23,77 +23,75 @@
 #include <isc/lang.h>
 #include <isc/types.h>
 
-#define ISC_R_SUCCESS			0	/* success */
-#define ISC_R_NOMEMORY			1	/* out of memory */
-#define ISC_R_TIMEDOUT			2	/* timed out */
-#define ISC_R_NOTHREADS			3	/* no available threads */
-#define ISC_R_ADDRNOTAVAIL		4	/* address not available */
-#define ISC_R_ADDRINUSE			5	/* address in use */
-#define ISC_R_NOPERM			6	/* permission denied */
-#define ISC_R_NOCONN			7	/* no pending connections */
-#define ISC_R_NETUNREACH		8	/* network unreachable */
-#define ISC_R_HOSTUNREACH		9	/* host unreachable */
-#define ISC_R_NETDOWN			10	/* network down */
-#define ISC_R_HOSTDOWN			11	/* host down */
-#define ISC_R_CONNREFUSED		12	/* connection refused */
-#define ISC_R_NORESOURCES		13	/* not enough free resources */
-#define ISC_R_EOF			14	/* end of file */
-#define ISC_R_BOUND			15	/* socket already bound */
-#define ISC_R_RELOAD			16	/* reload */
-#define ISC_R_LOCKBUSY			17	/* lock busy */
-#define ISC_R_EXISTS			18	/* already exists */
-#define ISC_R_NOSPACE			19	/* ran out of space */
-#define ISC_R_CANCELED			20	/* operation canceled */
-#define ISC_R_NOTBOUND			21	/* socket is not bound */
-#define ISC_R_SHUTTINGDOWN		22	/* shutting down */
-#define ISC_R_NOTFOUND			23	/* not found */
-#define ISC_R_UNEXPECTEDEND		24	/* unexpected end of input */
-#define ISC_R_FAILURE			25	/* generic failure */
-#define ISC_R_IOERROR			26	/* I/O error */
-#define ISC_R_NOTIMPLEMENTED		27	/* not implemented */
-#define ISC_R_UNBALANCED		28	/* unbalanced parentheses */
-#define ISC_R_NOMORE			29	/* no more */
-#define ISC_R_INVALIDFILE		30	/* invalid file */
-#define ISC_R_BADBASE64			31	/* bad base64 encoding */
-#define ISC_R_UNEXPECTEDTOKEN		32	/* unexpected token */
-#define ISC_R_QUOTA			33	/* quota reached */
-#define ISC_R_UNEXPECTED		34	/* unexpected error */
-#define ISC_R_ALREADYRUNNING		35	/* already running */
-#define ISC_R_IGNORE			36	/* ignore */
-#define ISC_R_MASKNONCONTIG             37	/* addr mask not contiguous */
-#define ISC_R_FILENOTFOUND		38	/* file not found */
-#define ISC_R_FILEEXISTS		39	/* file already exists */
-#define ISC_R_NOTCONNECTED		40	/* socket is not connected */
-#define ISC_R_RANGE			41	/* out of range */
-#define ISC_R_NOENTROPY			42	/* out of entropy */
-#define ISC_R_MULTICAST			43	/* invalid use of multicast */
-#define ISC_R_NOTFILE			44	/* not a file */
-#define ISC_R_NOTDIRECTORY		45	/* not a directory */
-#define ISC_R_QUEUEFULL			46	/* queue is full */
-#define ISC_R_FAMILYMISMATCH		47	/* address family mismatch */
-#define ISC_R_FAMILYNOSUPPORT		48	/* AF not supported */
-#define ISC_R_BADHEX			49	/* bad hex encoding */
-#define ISC_R_TOOMANYOPENFILES		50	/* too many open files */
-#define ISC_R_NOTBLOCKING		51	/* not blocking */
-#define ISC_R_UNBALANCEDQUOTES		52	/* unbalanced quotes */
-#define ISC_R_INPROGRESS		53	/* operation in progress */
-#define ISC_R_CONNECTIONRESET		54	/* connection reset */
-#define ISC_R_SOFTQUOTA			55	/* soft quota reached */
-#define ISC_R_BADNUMBER			56	/* not a valid number */
-#define ISC_R_DISABLED			57	/* disabled */
-#define ISC_R_MAXSIZE			58	/* max size */
-#define ISC_R_BADADDRESSFORM		59	/* invalid address format */
+#define ISC_R_SUCCESS			0	/*%< success */
+#define ISC_R_NOMEMORY			1	/*%< out of memory */
+#define ISC_R_TIMEDOUT			2	/*%< timed out */
+#define ISC_R_NOTHREADS			3	/*%< no available threads */
+#define ISC_R_ADDRNOTAVAIL		4	/*%< address not available */
+#define ISC_R_ADDRINUSE			5	/*%< address in use */
+#define ISC_R_NOPERM			6	/*%< permission denied */
+#define ISC_R_NOCONN			7	/*%< no pending connections */
+#define ISC_R_NETUNREACH		8	/*%< network unreachable */
+#define ISC_R_HOSTUNREACH		9	/*%< host unreachable */
+#define ISC_R_NETDOWN			10	/*%< network down */
+#define ISC_R_HOSTDOWN			11	/*%< host down */
+#define ISC_R_CONNREFUSED		12	/*%< connection refused */
+#define ISC_R_NORESOURCES		13	/*%< not enough free resources */
+#define ISC_R_EOF			14	/*%< end of file */
+#define ISC_R_BOUND			15	/*%< socket already bound */
+#define ISC_R_RELOAD			16	/*%< reload */
+#define ISC_R_LOCKBUSY			17	/*%< lock busy */
+#define ISC_R_EXISTS			18	/*%< already exists */
+#define ISC_R_NOSPACE			19	/*%< ran out of space */
+#define ISC_R_CANCELED			20	/*%< operation canceled */
+#define ISC_R_NOTBOUND			21	/*%< socket is not bound */
+#define ISC_R_SHUTTINGDOWN		22	/*%< shutting down */
+#define ISC_R_NOTFOUND			23	/*%< not found */
+#define ISC_R_UNEXPECTEDEND		24	/*%< unexpected end of input */
+#define ISC_R_FAILURE			25	/*%< generic failure */
+#define ISC_R_IOERROR			26	/*%< I/O error */
+#define ISC_R_NOTIMPLEMENTED		27	/*%< not implemented */
+#define ISC_R_UNBALANCED		28	/*%< unbalanced parentheses */
+#define ISC_R_NOMORE			29	/*%< no more */
+#define ISC_R_INVALIDFILE		30	/*%< invalid file */
+#define ISC_R_BADBASE64			31	/*%< bad base64 encoding */
+#define ISC_R_UNEXPECTEDTOKEN		32	/*%< unexpected token */
+#define ISC_R_QUOTA			33	/*%< quota reached */
+#define ISC_R_UNEXPECTED		34	/*%< unexpected error */
+#define ISC_R_ALREADYRUNNING		35	/*%< already running */
+#define ISC_R_IGNORE			36	/*%< ignore */
+#define ISC_R_MASKNONCONTIG             37	/*%< addr mask not contiguous */
+#define ISC_R_FILENOTFOUND		38	/*%< file not found */
+#define ISC_R_FILEEXISTS		39	/*%< file already exists */
+#define ISC_R_NOTCONNECTED		40	/*%< socket is not connected */
+#define ISC_R_RANGE			41	/*%< out of range */
+#define ISC_R_NOENTROPY			42	/*%< out of entropy */
+#define ISC_R_MULTICAST			43	/*%< invalid use of multicast */
+#define ISC_R_NOTFILE			44	/*%< not a file */
+#define ISC_R_NOTDIRECTORY		45	/*%< not a directory */
+#define ISC_R_QUEUEFULL			46	/*%< queue is full */
+#define ISC_R_FAMILYMISMATCH		47	/*%< address family mismatch */
+#define ISC_R_FAMILYNOSUPPORT		48	/*%< AF not supported */
+#define ISC_R_BADHEX			49	/*%< bad hex encoding */
+#define ISC_R_TOOMANYOPENFILES		50	/*%< too many open files */
+#define ISC_R_NOTBLOCKING		51	/*%< not blocking */
+#define ISC_R_UNBALANCEDQUOTES		52	/*%< unbalanced quotes */
+#define ISC_R_INPROGRESS		53	/*%< operation in progress */
+#define ISC_R_CONNECTIONRESET		54	/*%< connection reset */
+#define ISC_R_SOFTQUOTA			55	/*%< soft quota reached */
+#define ISC_R_BADNUMBER			56	/*%< not a valid number */
+#define ISC_R_DISABLED			57	/*%< disabled */
+#define ISC_R_MAXSIZE			58	/*%< max size */
+#define ISC_R_BADADDRESSFORM		59	/*%< invalid address format */
 
-/*
- * Not a result code: the number of results.
- */
+/*% Not a result code: the number of results. */
 #define ISC_R_NRESULTS 			60
 
 ISC_LANG_BEGINDECLS
 
 const char *
 isc_result_totext(isc_result_t);
-/*
+/*%<
  * Convert an isc_result_t into a string message describing the result.
  */
 
diff --git a/contrib/bind9/lib/isc/include/isc/resultclass.h b/contrib/bind9/lib/isc/include/isc/resultclass.h
index adb5338..5e20800 100644
--- a/contrib/bind9/lib/isc/include/isc/resultclass.h
+++ b/contrib/bind9/lib/isc/include/isc/resultclass.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,19 +15,21 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resultclass.h,v 1.11.206.1 2004/03/06 08:14:47 marka Exp $ */
+/* $Id: resultclass.h,v 1.12.18.2 2005/04/29 00:17:02 marka Exp $ */
 
 #ifndef ISC_RESULTCLASS_H
 #define ISC_RESULTCLASS_H 1
 
-/*****
- ***** Registry of Predefined Result Type Classes
- *****/
 
-/*
+/*! \file
+ * \brief Registry of Predefined Result Type Classes
+ *
  * A result class number is an unsigned 16 bit number.  Each class may
  * contain up to 65536 results.  A result code is formed by adding the
  * result number within the class to the class number multiplied by 65536.
+ *
+ * Classes < 1024 are reserved for ISC use.
+ * Result classes >= 1024 and <= 65535 are reserved for application use.
  */
 
 #define ISC_RESULTCLASS_FROMNUM(num)		((num) << 16)
@@ -36,9 +38,6 @@
 #define ISC_RESULTCLASS_INCLASS(rclass, result) \
 	((rclass) == ((result) & 0xFFFF0000))
 
-/*
- * Classes < 1024 are reserved for ISC use.
- */
 
 #define	ISC_RESULTCLASS_ISC		ISC_RESULTCLASS_FROMNUM(0)
 #define	ISC_RESULTCLASS_DNS		ISC_RESULTCLASS_FROMNUM(1)
@@ -47,8 +46,5 @@
 #define	ISC_RESULTCLASS_OMAPI		ISC_RESULTCLASS_FROMNUM(4)
 #define	ISC_RESULTCLASS_ISCCC		ISC_RESULTCLASS_FROMNUM(5)
 
-/*
- * Result classes >= 1024 and <= 65535 are reserved for application use.
- */
 
 #endif /* ISC_RESULTCLASS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/rwlock.h b/contrib/bind9/lib/isc/include/isc/rwlock.h
index 44edfcc..404f93c 100644
--- a/contrib/bind9/lib/isc/include/isc/rwlock.h
+++ b/contrib/bind9/lib/isc/include/isc/rwlock.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rwlock.h,v 1.18.2.3.2.1 2004/03/06 08:14:47 marka Exp $ */
+/* $Id: rwlock.h,v 1.21.18.3 2005/06/04 06:23:44 jinmei Exp $ */
 
 #ifndef ISC_RWLOCK_H
 #define ISC_RWLOCK_H 1
 
+/*! \file */
+
 #include <isc/condition.h>
 #include <isc/lang.h>
 #include <isc/platform.h>
@@ -34,19 +36,56 @@ typedef enum {
 } isc_rwlocktype_t;
 
 #ifdef ISC_PLATFORM_USETHREADS
+#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
+#define ISC_RWLOCK_USEATOMIC 1
+#endif
+
 struct isc_rwlock {
 	/* Unlocked. */
 	unsigned int		magic;
 	isc_mutex_t		lock;
+
+#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
+	/*
+	 * When some atomic instructions with hardware assistance are
+	 * available, rwlock will use those so that concurrent readers do not
+	 * interfere with each other through mutex as long as no writers
+	 * appear, massively reducing the lock overhead in the typical case.
+	 *
+	 * The basic algorithm of this approach is the "simple
+	 * writer-preference lock" shown in the following URL:
+	 * http://www.cs.rochester.edu/u/scott/synchronization/pseudocode/rw.html
+	 * but our implementation does not rely on the spin lock unlike the
+	 * original algorithm to be more portable as a user space application.
+	 */
+
+	/* Read or modified atomically. */
+	isc_int32_t		write_requests;
+	isc_int32_t		write_completions;
+	isc_int32_t		cnt_and_flag;
+
 	/* Locked by lock. */
 	isc_condition_t		readable;
 	isc_condition_t		writeable;
+	unsigned int		readers_waiting;
+
+	/* Locked by rwlock itself. */
+	unsigned int		write_granted;
+
+	/* Unlocked. */
+	unsigned int		write_quota;
+
+#else  /* ISC_PLATFORM_HAVEXADD && ISC_PLATFORM_HAVECMPXCHG */
+
+	/*%< Locked by lock. */
+	isc_condition_t		readable;
+	isc_condition_t		writeable;
 	isc_rwlocktype_t	type;
 
-	/* The number of threads that have the lock. */
+	/*% The number of threads that have the lock. */
 	unsigned int		active;
 
-	/*
+	/*%
 	 * The number of lock grants made since the lock was last switched
 	 * from reading to writing or vice versa; used in determining
 	 * when the quota is reached and it is time to switch.
@@ -58,6 +97,7 @@ struct isc_rwlock {
 	unsigned int		read_quota;
 	unsigned int		write_quota;
 	isc_rwlocktype_t	original;
+#endif  /* ISC_PLATFORM_HAVEXADD && ISC_PLATFORM_HAVECMPXCHG */
 };
 #else /* ISC_PLATFORM_USETHREADS */
 struct isc_rwlock {
diff --git a/contrib/bind9/lib/isc/include/isc/serial.h b/contrib/bind9/lib/isc/include/isc/serial.h
index cb054a6..86d9b2f 100644
--- a/contrib/bind9/lib/isc/include/isc/serial.h
+++ b/contrib/bind9/lib/isc/include/isc/serial.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: serial.h,v 1.9.206.1 2004/03/06 08:14:48 marka Exp $ */
+/* $Id: serial.h,v 1.10.18.2 2005/04/29 00:17:02 marka Exp $ */
 
 #ifndef ISC_SERIAL_H
 #define ISC_SERIAL_H 1
@@ -23,9 +23,8 @@
 #include <isc/lang.h>
 #include <isc/types.h>
 
-/*
- *	Implement 32 bit serial space arithmetic comparision functions.
- *
+/*! \file
+ *	\brief Implement 32 bit serial space arithmetic comparision functions.
  *	Note: Undefined results are returned as ISC_FALSE.
  */
 
@@ -37,37 +36,37 @@ ISC_LANG_BEGINDECLS
 
 isc_boolean_t
 isc_serial_lt(isc_uint32_t a, isc_uint32_t b);
-/*
+/*%<
  *	Return true if 'a' < 'b' otherwise false.
  */
 
 isc_boolean_t
 isc_serial_gt(isc_uint32_t a, isc_uint32_t b);
-/*
+/*%<
  *	Return true if 'a' > 'b' otherwise false.
  */
 
 isc_boolean_t
 isc_serial_le(isc_uint32_t a, isc_uint32_t b);
-/*
+/*%<
  *	Return true if 'a' <= 'b' otherwise false.
  */
 
 isc_boolean_t
 isc_serial_ge(isc_uint32_t a, isc_uint32_t b);
-/*
+/*%<
  *	Return true if 'a' >= 'b' otherwise false.
  */
 
 isc_boolean_t
 isc_serial_eq(isc_uint32_t a, isc_uint32_t b);
-/*
+/*%<
  *	Return true if 'a' == 'b' otherwise false.
  */
 
 isc_boolean_t
 isc_serial_ne(isc_uint32_t a, isc_uint32_t b);
-/*
+/*%<
  *	Return true if 'a' != 'b' otherwise false.
  */
 
diff --git a/contrib/bind9/lib/isc/include/isc/sha1.h b/contrib/bind9/lib/isc/include/isc/sha1.h
index 935578b..bb22f06 100644
--- a/contrib/bind9/lib/isc/include/isc/sha1.h
+++ b/contrib/bind9/lib/isc/include/isc/sha1.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,25 +18,26 @@
 #ifndef ISC_SHA1_H
 #define ISC_SHA1_H 1
 
-/* $Id: sha1.h,v 1.8.206.1 2004/03/06 08:14:48 marka Exp $ */
+/* $Id: sha1.h,v 1.9.18.5 2006/08/16 03:18:14 marka Exp $ */
 
 /*	$NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $	*/
 
-/*
- * SHA-1 in C
- * By Steve Reid <steve@edmweb.com>
- * 100% Public Domain
+/*! \file
+ * \brief SHA-1 in C
+ * \author By Steve Reid <steve@edmweb.com>
+ * \note 100% Public Domain
  */
 
 #include <isc/lang.h>
 #include <isc/types.h>
 
-#define ISC_SHA1_DIGESTLENGTH 20
+#define ISC_SHA1_DIGESTLENGTH 20U
+#define ISC_SHA1_BLOCK_LENGTH 64U
 
 typedef struct {
 	isc_uint32_t state[5];
 	isc_uint32_t count[2];
-	unsigned char buffer[64];
+	unsigned char buffer[ISC_SHA1_BLOCK_LENGTH];
 } isc_sha1_t;
 
 ISC_LANG_BEGINDECLS
diff --git a/contrib/bind9/lib/isc/include/isc/sha2.h b/contrib/bind9/lib/isc/include/isc/sha2.h
new file mode 100644
index 0000000..e54c620
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/sha2.h
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2005, 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sha2.h,v 1.2.2.6 2006/08/16 03:18:14 marka Exp $ */
+
+/*	$FreeBSD$	*/
+/*	$KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $	*/
+
+/*
+ * sha2.h
+ *
+ * Version 1.0.0beta1
+ *
+ * Written by Aaron D. Gifford <me@aarongifford.com>
+ *
+ * Copyright 2000 Aaron D. Gifford.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#ifndef ISC_SHA2_H
+#define ISC_SHA2_H
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*** SHA-224/256/384/512 Various Length Definitions ***********************/
+
+#define ISC_SHA224_BLOCK_LENGTH		64U
+#define ISC_SHA224_DIGESTLENGTH	28U
+#define ISC_SHA224_DIGESTSTRINGLENGTH	(ISC_SHA224_DIGESTLENGTH * 2 + 1)
+#define ISC_SHA256_BLOCK_LENGTH		64U
+#define ISC_SHA256_DIGESTLENGTH	32U
+#define ISC_SHA256_DIGESTSTRINGLENGTH	(ISC_SHA256_DIGESTLENGTH * 2 + 1)
+#define ISC_SHA384_BLOCK_LENGTH		128
+#define ISC_SHA384_DIGESTLENGTH	48U
+#define ISC_SHA384_DIGESTSTRINGLENGTH	(ISC_SHA384_DIGESTLENGTH * 2 + 1)
+#define ISC_SHA512_BLOCK_LENGTH		128U
+#define ISC_SHA512_DIGESTLENGTH	64U
+#define ISC_SHA512_DIGESTSTRINGLENGTH	(ISC_SHA512_DIGESTLENGTH * 2 + 1)
+
+
+ISC_LANG_BEGINDECLS
+
+/*** SHA-256/384/512 Context Structures *******************************/
+
+/*
+ * Keep buffer immediately after bitcount to preserve alignment.
+ */
+typedef struct {
+	isc_uint32_t	state[8];
+	isc_uint64_t	bitcount;
+	isc_uint8_t	buffer[ISC_SHA256_BLOCK_LENGTH];
+} isc_sha256_t;
+
+/*
+ * Keep buffer immediately after bitcount to preserve alignment.
+ */
+typedef struct {
+	isc_uint64_t	state[8];
+	isc_uint64_t	bitcount[2];
+	isc_uint8_t	buffer[ISC_SHA512_BLOCK_LENGTH];
+} isc_sha512_t;
+
+typedef isc_sha256_t isc_sha224_t;
+typedef isc_sha512_t isc_sha384_t;
+
+/*** SHA-224/256/384/512 Function Prototypes ******************************/
+
+void isc_sha224_init (isc_sha224_t *);
+void isc_sha224_update (isc_sha224_t *, const isc_uint8_t *, size_t);
+void isc_sha224_final (isc_uint8_t[ISC_SHA224_DIGESTLENGTH], isc_sha224_t *);
+char *isc_sha224_end (isc_sha224_t *, char[ISC_SHA224_DIGESTSTRINGLENGTH]);
+char *isc_sha224_data (const isc_uint8_t *, size_t, char[ISC_SHA224_DIGESTSTRINGLENGTH]);
+
+void isc_sha256_init (isc_sha256_t *);
+void isc_sha256_update (isc_sha256_t *, const isc_uint8_t *, size_t);
+void isc_sha256_final (isc_uint8_t[ISC_SHA256_DIGESTLENGTH], isc_sha256_t *);
+char *isc_sha256_end (isc_sha256_t *, char[ISC_SHA256_DIGESTSTRINGLENGTH]);
+char *isc_sha256_data (const isc_uint8_t *, size_t, char[ISC_SHA256_DIGESTSTRINGLENGTH]);
+
+void isc_sha384_init (isc_sha384_t *);
+void isc_sha384_update (isc_sha384_t *, const isc_uint8_t *, size_t);
+void isc_sha384_final (isc_uint8_t[ISC_SHA384_DIGESTLENGTH], isc_sha384_t *);
+char *isc_sha384_end (isc_sha384_t *, char[ISC_SHA384_DIGESTSTRINGLENGTH]);
+char *isc_sha384_data (const isc_uint8_t *, size_t, char[ISC_SHA384_DIGESTSTRINGLENGTH]);
+
+void isc_sha512_init (isc_sha512_t *);
+void isc_sha512_update (isc_sha512_t *, const isc_uint8_t *, size_t);
+void isc_sha512_final (isc_uint8_t[ISC_SHA512_DIGESTLENGTH], isc_sha512_t *);
+char *isc_sha512_end (isc_sha512_t *, char[ISC_SHA512_DIGESTSTRINGLENGTH]);
+char *isc_sha512_data (const isc_uint8_t *, size_t, char[ISC_SHA512_DIGESTSTRINGLENGTH]);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SHA2_H */
diff --git a/contrib/bind9/lib/isc/include/isc/sockaddr.h b/contrib/bind9/lib/isc/include/isc/sockaddr.h
index 88e4594..83412d2 100644
--- a/contrib/bind9/lib/isc/include/isc/sockaddr.h
+++ b/contrib/bind9/lib/isc/include/isc/sockaddr.h
@@ -15,20 +15,28 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.h,v 1.35.12.10 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: sockaddr.h,v 1.42.18.8 2006/03/02 00:37:22 marka Exp $ */
 
 #ifndef ISC_SOCKADDR_H
 #define ISC_SOCKADDR_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/net.h>
 #include <isc/types.h>
+#ifdef ISC_PLATFORM_HAVESYSUNH
+#include <sys/un.h>
+#endif
 
 struct isc_sockaddr {
 	union {
 		struct sockaddr		sa;
 		struct sockaddr_in	sin;
 		struct sockaddr_in6	sin6;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		struct sockaddr_un	sunix;
+#endif
 	}				type;
 	unsigned int			length;		/* XXXRTH beginning? */
 	ISC_LINK(struct isc_sockaddr)	link;
@@ -36,17 +44,36 @@ struct isc_sockaddr {
 
 typedef ISC_LIST(struct isc_sockaddr)	isc_sockaddrlist_t;
 
+#define ISC_SOCKADDR_CMPADDR	  0x0001	/*%< compare the address
+						 *   sin_addr/sin6_addr */
+#define ISC_SOCKADDR_CMPPORT 	  0x0002	/*%< compare the port
+						 *   sin_port/sin6_port */
+#define ISC_SOCKADDR_CMPSCOPE     0x0004	/*%< compare the scope
+						 *   sin6_scope */
+#define ISC_SOCKADDR_CMPSCOPEZERO 0x0008	/*%< when comparing scopes
+						 *   zero scopes always match */
+
 ISC_LANG_BEGINDECLS
 
 isc_boolean_t
+isc_sockaddr_compare(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
+		     unsigned int flags);
+/*%<
+ * Compare the elements of the two address ('a' and 'b') as specified
+ * by 'flags' and report if they are equal or not.
+ *
+ * 'flags' is set from ISC_SOCKADDR_CMP*.
+ */
+
+isc_boolean_t
 isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b);
-/*
+/*%<
  * Return ISC_TRUE iff the socket addresses 'a' and 'b' are equal.
  */
 
 isc_boolean_t
 isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b);
-/*
+/*%<
  * Return ISC_TRUE iff the address parts of the socket addresses
  * 'a' and 'b' are equal, ignoring the ports.
  */
@@ -54,14 +81,14 @@ isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b);
 isc_boolean_t
 isc_sockaddr_eqaddrprefix(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
 			  unsigned int prefixlen);
-/*
+/*%<
  * Return ISC_TRUE iff the most significant 'prefixlen' bits of the
  * socket addresses 'a' and 'b' are equal, ignoring the ports.
  */
 
 unsigned int
 isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, isc_boolean_t address_only);
-/*
+/*%<
  * Return a hash value for the socket address 'sockaddr'.  If 'address_only'
  * is ISC_TRUE, the hash value will not depend on the port.
  *
@@ -71,97 +98,97 @@ isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, isc_boolean_t address_only);
 
 void
 isc_sockaddr_any(isc_sockaddr_t *sockaddr);
-/*
+/*%<
  * Return the IPv4 wildcard address.
  */
 
 void
 isc_sockaddr_any6(isc_sockaddr_t *sockaddr);
-/*
+/*%<
  * Return the IPv6 wildcard address.
  */
 
 void
 isc_sockaddr_anyofpf(isc_sockaddr_t *sockaddr, int family);
-/*
+/*%<
  * Set '*sockaddr' to the wildcard address of protocol family
  * 'family'.
  *
  * Requires:
- *	'family' is AF_INET or AF_INET6.
+ * \li	'family' is AF_INET or AF_INET6.
  */
 
 void
 isc_sockaddr_fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
 		    in_port_t port);
-/*
+/*%<
  * Construct an isc_sockaddr_t from an IPv4 address and port.
  */
 
 void
 isc_sockaddr_fromin6(isc_sockaddr_t *sockaddr, const struct in6_addr *ina6,
 		     in_port_t port);
-/*
+/*%<
  * Construct an isc_sockaddr_t from an IPv6 address and port.
  */
 
 void
 isc_sockaddr_v6fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
 		      in_port_t port);
-/*
+/*%<
  * Construct an IPv6 isc_sockaddr_t representing a mapped IPv4 address.
  */
 
 void
 isc_sockaddr_fromnetaddr(isc_sockaddr_t *sockaddr, const isc_netaddr_t *na,
 			 in_port_t port);
-/*
+/*%<
  * Construct an isc_sockaddr_t from an isc_netaddr_t and port.
  */
 
 int
 isc_sockaddr_pf(const isc_sockaddr_t *sockaddr);
-/*
+/*%<
  * Get the protocol family of 'sockaddr'.
  *
  * Requires:
  *
- *	'sockaddr' is a valid sockaddr with an address family of AF_INET
+ *\li	'sockaddr' is a valid sockaddr with an address family of AF_INET
  *	or AF_INET6.
  *
  * Returns:
  *
- *	The protocol family of 'sockaddr', e.g. PF_INET or PF_INET6.
+ *\li	The protocol family of 'sockaddr', e.g. PF_INET or PF_INET6.
  */
 
 void
 isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port);
-/*
+/*%<
  * Set the port of 'sockaddr' to 'port'.
  */
 
 in_port_t
 isc_sockaddr_getport(const isc_sockaddr_t *sockaddr);
-/*
+/*%<
  * Get the port stored in 'sockaddr'.
  */
 
 isc_result_t
 isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target);
-/*
+/*%<
  * Append a text representation of 'sockaddr' to the buffer 'target'.
  * The text will include both the IP address (v4 or v6) and the port.
  * The text is null terminated, but the terminating null is not
  * part of the buffer's used region.
  *
  * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE	The text or the null termination did not fit.
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOSPACE	The text or the null termination did not fit.
  */
 
 void
 isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size);
-/*
+/*%<
  * Format a human-readable representation of the socket address '*sa'
  * into the character array 'array', which is of size 'size'.
  * The resulting string is guaranteed to be null-terminated.
@@ -169,8 +196,8 @@ isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size);
 
 isc_boolean_t
 isc_sockaddr_ismulticast(const isc_sockaddr_t *sa);
-/*
- * Returns ISC_TRUE if the address is a multicast address.
+/*%<
+ * Returns #ISC_TRUE if the address is a multicast address.
  */
 
 isc_boolean_t
@@ -181,19 +208,30 @@ isc_sockaddr_isexperimental(const isc_sockaddr_t *sa);
 
 isc_boolean_t
 isc_sockaddr_islinklocal(const isc_sockaddr_t *sa);
-/*
+/*%<
  * Returns ISC_TRUE if the address is a link local addresss.
  */
 
 isc_boolean_t
 isc_sockaddr_issitelocal(const isc_sockaddr_t *sa);
-/*
+/*%<
  * Returns ISC_TRUE if the address is a sitelocal address.
  */
 
-#define ISC_SOCKADDR_FORMATSIZE \
-	sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX#YYYYY%SSSSSSSSSS")
+isc_result_t
+isc_sockaddr_frompath(isc_sockaddr_t *sockaddr, const char *path);
 /*
+ *  Create a UNIX domain sockaddr that refers to path.
+ *
+ * Returns:
+ * \li	ISC_R_NOSPACE
+ * \li	ISC_R_NOTIMPLEMENTED
+ * \li	ISC_R_SUCCESS
+ */
+
+#define ISC_SOCKADDR_FORMATSIZE \
+	sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX%SSSSSSSSSS#YYYYY")
+/*%<
  * Minimum size of array to pass to isc_sockaddr_format().
  */
 
diff --git a/contrib/bind9/lib/isc/include/isc/socket.h b/contrib/bind9/lib/isc/include/isc/socket.h
index 9dcadb2..ccc49f5 100644
--- a/contrib/bind9/lib/isc/include/isc/socket.h
+++ b/contrib/bind9/lib/isc/include/isc/socket.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.h,v 1.54.12.4 2004/03/08 09:04:53 marka Exp $ */
+/* $Id: socket.h,v 1.57.18.6 2006/06/07 00:29:45 marka Exp $ */
 
 #ifndef ISC_SOCKET_H
 #define ISC_SOCKET_H 1
@@ -24,36 +24,32 @@
  ***** Module Info
  *****/
 
-/*
- * Sockets
- *
- * Provides TCP and UDP sockets for network I/O.  The sockets are event
+/*! \file
+ * \brief Provides TCP and UDP sockets for network I/O.  The sockets are event
  * sources in the task system.
  *
  * When I/O completes, a completion event for the socket is posted to the
  * event queue of the task which requested the I/O.
  *
- * MP:
+ * \li MP:
  *	The module ensures appropriate synchronization of data structures it
  *	creates and manipulates.
- *
  *	Clients of this module must not be holding a socket's task's lock when
  *	making a call that affects that socket.  Failure to follow this rule
  *	can result in deadlock.
- *
  *	The caller must ensure that isc_socketmgr_destroy() is called only
  *	once for a given manager.
  *
- * Reliability:
+ * \li Reliability:
  *	No anticipated impact.
  *
- * Resources:
- *	<TBS>
+ * \li Resources:
+ *	TBS
  *
- * Security:
+ * \li Security:
  *	No anticipated impact.
  *
- * Standards:
+ * \li Standards:
  *	None.
  */
 
@@ -75,7 +71,7 @@ ISC_LANG_BEGINDECLS
  *** Constants
  ***/
 
-/*
+/*%
  * Maximum number of buffers in a scatter/gather read/write.  The operating
  * system in use must support at least this number (plus one on some.)
  */
@@ -87,33 +83,35 @@ ISC_LANG_BEGINDECLS
 
 struct isc_socketevent {
 	ISC_EVENT_COMMON(isc_socketevent_t);
-	isc_result_t		result;		/* OK, EOF, whatever else */
-	unsigned int		minimum;	/* minimum i/o for event */
-	unsigned int		n;		/* bytes read or written */
-	unsigned int		offset;		/* offset into buffer list */
-	isc_region_t		region;		/* for single-buffer i/o */
-	isc_bufferlist_t	bufferlist;	/* list of buffers */
-	isc_sockaddr_t		address;	/* source address */
-	isc_time_t		timestamp;	/* timestamp of packet recv */
-	struct in6_pktinfo	pktinfo;	/* ipv6 pktinfo */
-	isc_uint32_t		attributes;	/* see below */
+	isc_result_t		result;		/*%< OK, EOF, whatever else */
+	unsigned int		minimum;	/*%< minimum i/o for event */
+	unsigned int		n;		/*%< bytes read or written */
+	unsigned int		offset;		/*%< offset into buffer list */
+	isc_region_t		region;		/*%< for single-buffer i/o */
+	isc_bufferlist_t	bufferlist;	/*%< list of buffers */
+	isc_sockaddr_t		address;	/*%< source address */
+	isc_time_t		timestamp;	/*%< timestamp of packet recv */
+	struct in6_pktinfo	pktinfo;	/*%< ipv6 pktinfo */
+	isc_uint32_t		attributes;	/*%< see below */
+	isc_eventdestructor_t   destroy;	/*%< original destructor */
 };
 
 typedef struct isc_socket_newconnev isc_socket_newconnev_t;
 struct isc_socket_newconnev {
 	ISC_EVENT_COMMON(isc_socket_newconnev_t);
 	isc_socket_t *		newsocket;
-	isc_result_t		result;		/* OK, EOF, whatever else */
-	isc_sockaddr_t		address;	/* source address */
+	isc_result_t		result;		/*%< OK, EOF, whatever else */
+	isc_sockaddr_t		address;	/*%< source address */
 };
 
 typedef struct isc_socket_connev isc_socket_connev_t;
 struct isc_socket_connev {
 	ISC_EVENT_COMMON(isc_socket_connev_t);
-	isc_result_t		result;		/* OK, EOF, whatever else */
+	isc_result_t		result;		/*%< OK, EOF, whatever else */
 };
 
-/*
+/*@{*/
+/*!
  * _ATTACHED:	Internal use only.
  * _TRUNC:	Packet was truncated on receive.
  * _CTRUNC:	Packet control information was truncated.  This can
@@ -129,6 +127,7 @@ struct isc_socket_connev {
 #define ISC_SOCKEVENTATTR_TIMESTAMP		0x00200000U /* public */
 #define ISC_SOCKEVENTATTR_PKTINFO		0x00100000U /* public */
 #define ISC_SOCKEVENTATTR_MULTICAST		0x00080000U /* public */
+/*@}*/
 
 #define ISC_SOCKEVENT_ANYEVENT  (0)
 #define ISC_SOCKEVENT_RECVDONE	(ISC_EVENTCLASS_SOCKET + 1)
@@ -144,30 +143,37 @@ struct isc_socket_connev {
 
 typedef enum {
 	isc_sockettype_udp = 1,
-	isc_sockettype_tcp = 2
+	isc_sockettype_tcp = 2,
+	isc_sockettype_unix = 3
 } isc_sockettype_t;
 
-/*
+/*@{*/
+/*!
  * How a socket should be shutdown in isc_socket_shutdown() calls.
  */
-#define ISC_SOCKSHUT_RECV	0x00000001	/* close read side */
-#define ISC_SOCKSHUT_SEND	0x00000002	/* close write side */
-#define ISC_SOCKSHUT_ALL	0x00000003	/* close them all */
+#define ISC_SOCKSHUT_RECV	0x00000001	/*%< close read side */
+#define ISC_SOCKSHUT_SEND	0x00000002	/*%< close write side */
+#define ISC_SOCKSHUT_ALL	0x00000003	/*%< close them all */
+/*@}*/
 
-/*
+/*@{*/
+/*!
  * What I/O events to cancel in isc_socket_cancel() calls.
  */
-#define ISC_SOCKCANCEL_RECV	0x00000001	/* cancel recv */
-#define ISC_SOCKCANCEL_SEND	0x00000002	/* cancel send */
-#define ISC_SOCKCANCEL_ACCEPT	0x00000004	/* cancel accept */
-#define ISC_SOCKCANCEL_CONNECT	0x00000008	/* cancel connect */
-#define ISC_SOCKCANCEL_ALL	0x0000000f	/* cancel everything */
-
-/*
+#define ISC_SOCKCANCEL_RECV	0x00000001	/*%< cancel recv */
+#define ISC_SOCKCANCEL_SEND	0x00000002	/*%< cancel send */
+#define ISC_SOCKCANCEL_ACCEPT	0x00000004	/*%< cancel accept */
+#define ISC_SOCKCANCEL_CONNECT	0x00000008	/*%< cancel connect */
+#define ISC_SOCKCANCEL_ALL	0x0000000f	/*%< cancel everything */
+/*@}*/
+
+/*@{*/
+/*!
  * Flags for isc_socket_send() and isc_socket_recv() calls.
  */
-#define ISC_SOCKFLAG_IMMEDIATE	0x00000001	/* send event only if needed */
-#define ISC_SOCKFLAG_NORETRY	0x00000002	/* drop failed UDP sends */
+#define ISC_SOCKFLAG_IMMEDIATE	0x00000001	/*%< send event only if needed */
+#define ISC_SOCKFLAG_NORETRY	0x00000002	/*%< drop failed UDP sends */
+/*@}*/
 
 /***
  *** Socket and Socket Manager Functions
@@ -181,18 +187,18 @@ isc_socket_create(isc_socketmgr_t *manager,
 		  int pf,
 		  isc_sockettype_t type,
 		  isc_socket_t **socketp);
-/*
+/*%<
  * Create a new 'type' socket managed by 'manager'.
  *
  * Note:
  *
- *	'pf' is the desired protocol family, e.g. PF_INET or PF_INET6.
+ *\li	'pf' is the desired protocol family, e.g. PF_INET or PF_INET6.
  *
  * Requires:
  *
- *	'manager' is a valid manager
+ *\li	'manager' is a valid manager
  *
- *	'socketp' is a valid pointer, and *socketp == NULL
+ *\li	'socketp' is a valid pointer, and *socketp == NULL
  *
  * Ensures:
  *
@@ -200,16 +206,16 @@ isc_socket_create(isc_socketmgr_t *manager,
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_NORESOURCES
- *	ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_NORESOURCES
+ *\li	#ISC_R_UNEXPECTED
  */
 
 void
 isc_socket_cancel(isc_socket_t *sock, isc_task_t *task,
 		  unsigned int how);
-/*
+/*%<
  * Cancel pending I/O of the type specified by "how".
  *
  * Note: if "task" is NULL, then the cancel applies to all tasks using the
@@ -217,45 +223,45 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task,
  *
  * Requires:
  *
- *	"socket" is a valid socket
+ * \li	"socket" is a valid socket
  *
- *	"task" is NULL or a valid task
+ * \li	"task" is NULL or a valid task
  *
  * "how" is a bitmask describing the type of cancelation to perform.
  * The type ISC_SOCKCANCEL_ALL will cancel all pending I/O on this
  * socket.
  *
- * ISC_SOCKCANCEL_RECV:
+ * \li ISC_SOCKCANCEL_RECV:
  *	Cancel pending isc_socket_recv() calls.
  *
- * ISC_SOCKCANCEL_SEND:
+ * \li ISC_SOCKCANCEL_SEND:
  *	Cancel pending isc_socket_send() and isc_socket_sendto() calls.
  *
- * ISC_SOCKCANCEL_ACCEPT:
+ * \li ISC_SOCKCANCEL_ACCEPT:
  *	Cancel pending isc_socket_accept() calls.
  *
- * ISC_SOCKCANCEL_CONNECT:
+ * \li ISC_SOCKCANCEL_CONNECT:
  *	Cancel pending isc_socket_connect() call.
  */
 
 void
 isc_socket_shutdown(isc_socket_t *sock, unsigned int how);
-/*
+/*%<
  * Shutdown 'socket' according to 'how'.
  *
  * Requires:
  *
- *	'socket' is a valid socket.
+ * \li	'socket' is a valid socket.
  *
- *	'task' is NULL or is a valid task.
+ * \li	'task' is NULL or is a valid task.
  *
- *	If 'how' is 'ISC_SOCKSHUT_RECV' or 'ISC_SOCKSHUT_ALL' then
+ * \li	If 'how' is 'ISC_SOCKSHUT_RECV' or 'ISC_SOCKSHUT_ALL' then
  *
  *		The read queue must be empty.
  *
  *		No further read requests may be made.
  *
- *	If 'how' is 'ISC_SOCKSHUT_SEND' or 'ISC_SOCKSHUT_ALL' then
+ * \li	If 'how' is 'ISC_SOCKSHUT_SEND' or 'ISC_SOCKSHUT_ALL' then
  *
  *		The write queue must be empty.
  *
@@ -264,39 +270,39 @@ isc_socket_shutdown(isc_socket_t *sock, unsigned int how);
 
 void
 isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp);
-/*
+/*%<
  * Attach *socketp to socket.
  *
  * Requires:
  *
- *	'socket' is a valid socket.
+ * \li	'socket' is a valid socket.
  *
- *	'socketp' points to a NULL socket.
+ * \li	'socketp' points to a NULL socket.
  *
  * Ensures:
  *
- *	*socketp is attached to socket.
+ * \li	*socketp is attached to socket.
  */
 
 void
 isc_socket_detach(isc_socket_t **socketp);
-/*
+/*%<
  * Detach *socketp from its socket.
  *
  * Requires:
  *
- *	'socketp' points to a valid socket.
+ * \li	'socketp' points to a valid socket.
  *
- *	If '*socketp' is the last reference to the socket,
+ * \li	If '*socketp' is the last reference to the socket,
  *	then:
  *
  *		There must be no pending I/O requests.
  *
  * Ensures:
  *
- *	*socketp is NULL.
+ * \li	*socketp is NULL.
  *
- *	If '*socketp' is the last reference to the socket,
+ * \li	If '*socketp' is the last reference to the socket,
  *	then:
  *
  *		The socket will be shutdown (both reading and writing)
@@ -307,145 +313,146 @@ isc_socket_detach(isc_socket_t **socketp);
 
 isc_result_t
 isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *addressp);
-/*
+/*%<
  * Bind 'socket' to '*addressp'.
  *
  * Requires:
  *
- *	'socket' is a valid socket
+ * \li	'socket' is a valid socket
  *
- *	'addressp' points to a valid isc_sockaddr.
+ * \li	'addressp' points to a valid isc_sockaddr.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOPERM
- *	ISC_R_ADDRNOTAVAIL
- *	ISC_R_ADDRINUSE
- *	ISC_R_BOUND
- *	ISC_R_UNEXPECTED
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOPERM
+ * \li	ISC_R_ADDRNOTAVAIL
+ * \li	ISC_R_ADDRINUSE
+ * \li	ISC_R_BOUND
+ * \li	ISC_R_UNEXPECTED
  */
 
 isc_result_t
 isc_socket_filter(isc_socket_t *sock, const char *filter);
-/*
+/*%<
  * Inform the kernel that it should perform accept filtering.
  * If filter is NULL the current filter will be removed.:w
  */
 
 isc_result_t
 isc_socket_listen(isc_socket_t *sock, unsigned int backlog);
-/*
+/*%<
  * Set listen mode on the socket.  After this call, the only function that
  * can be used (other than attach and detach) is isc_socket_accept().
  *
  * Notes:
  *
- *	'backlog' is as in the UNIX system call listen() and may be
+ * \li	'backlog' is as in the UNIX system call listen() and may be
  *	ignored by non-UNIX implementations.
  *
- *	If 'backlog' is zero, a reasonable system default is used, usually
+ * \li	If 'backlog' is zero, a reasonable system default is used, usually
  *	SOMAXCONN.
  *
  * Requires:
  *
- *	'socket' is a valid, bound TCP socket.
+ * \li	'socket' is a valid, bound TCP socket or a valid, bound UNIX socket.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_UNEXPECTED
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_UNEXPECTED
  */
 
 isc_result_t
 isc_socket_accept(isc_socket_t *sock,
 		  isc_task_t *task, isc_taskaction_t action, const void *arg);
-/*
+/*%<
  * Queue accept event.  When a new connection is received, the task will
  * get an ISC_SOCKEVENT_NEWCONN event with the sender set to the listen
  * socket.  The new socket structure is sent inside the isc_socket_newconnev_t
  * event type, and is attached to the task 'task'.
  *
  * REQUIRES:
- *	'socket' is a valid TCP socket that isc_socket_listen() was called
+ * \li	'socket' is a valid TCP socket that isc_socket_listen() was called
  *	on.
  *
- *	'task' is a valid task
+ * \li	'task' is a valid task
  *
- *	'action' is a valid action
+ * \li	'action' is a valid action
  *
  * RETURNS:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_UNEXPECTED
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOMEMORY
+ * \li	ISC_R_UNEXPECTED
  */
 
 isc_result_t
 isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addressp,
 		   isc_task_t *task, isc_taskaction_t action,
 		   const void *arg);
-/*
+/*%<
  * Connect 'socket' to peer with address *saddr.  When the connection
  * succeeds, or when an error occurs, a CONNECT event with action 'action'
  * and arg 'arg' will be posted to the event queue for 'task'.
  *
  * Requires:
  *
- *	'socket' is a valid TCP socket
+ * \li	'socket' is a valid TCP socket
  *
- *	'addressp' points to a valid isc_sockaddr
+ * \li	'addressp' points to a valid isc_sockaddr
  *
- *	'task' is a valid task
+ * \li	'task' is a valid task
  *
- *	'action' is a valid action
+ * \li	'action' is a valid action
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_UNEXPECTED
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOMEMORY
+ * \li	ISC_R_UNEXPECTED
  *
  * Posted event's result code:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_TIMEDOUT
- *	ISC_R_CONNREFUSED
- *	ISC_R_NETUNREACH
- *	ISC_R_UNEXPECTED
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_TIMEDOUT
+ * \li	ISC_R_CONNREFUSED
+ * \li	ISC_R_NETUNREACH
+ * \li	ISC_R_UNEXPECTED
  */
 
 isc_result_t
 isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp);
-/*
+/*%<
  * Get the name of the peer connected to 'socket'.
  *
  * Requires:
  *
- *	'socket' is a valid TCP socket.
+ * \li	'socket' is a valid TCP socket.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_TOOSMALL
- *	ISC_R_UNEXPECTED
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_TOOSMALL
+ * \li	ISC_R_UNEXPECTED
  */
 
 isc_result_t
 isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp);
-/*
+/*%<
  * Get the name of 'socket'.
  *
  * Requires:
  *
- *	'socket' is a valid socket.
+ * \li	'socket' is a valid socket.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_TOOSMALL
- *	ISC_R_UNEXPECTED
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_TOOSMALL
+ * \li	ISC_R_UNEXPECTED
  */
 
+/*@{*/
 isc_result_t
 isc_socket_recv(isc_socket_t *sock, isc_region_t *region,
 		unsigned int minimum,
@@ -460,39 +467,39 @@ isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
 		 unsigned int minimum, isc_task_t *task,
 		 isc_socketevent_t *event, unsigned int flags);
 
-/*
+/*!
  * Receive from 'socket', storing the results in region.
  *
  * Notes:
  *
- *	Let 'length' refer to the length of 'region' or to the sum of all
+ *\li	Let 'length' refer to the length of 'region' or to the sum of all
  *	available regions in the list of buffers '*buflist'.
  *
- *	If 'minimum' is non-zero and at least that many bytes are read,
+ *\li	If 'minimum' is non-zero and at least that many bytes are read,
  *	the completion event will be posted to the task 'task.'  If minimum
  *	is zero, the exact number of bytes requested in the region must
  * 	be read for an event to be posted.  This only makes sense for TCP
  *	connections, and is always set to 1 byte for UDP.
  *
- *	The read will complete when the desired number of bytes have been
+ *\li	The read will complete when the desired number of bytes have been
  *	read, if end-of-input occurs, or if an error occurs.  A read done
  *	event with the given 'action' and 'arg' will be posted to the
  *	event queue of 'task'.
  *
- *	The caller may not modify 'region', the buffers which are passed
+ *\li	The caller may not modify 'region', the buffers which are passed
  *	into this function, or any data they refer to until the completion
  *	event is received.
  *
- *	For isc_socket_recvv():
+ *\li	For isc_socket_recvv():
  *	On successful completion, '*buflist' will be empty, and the list of
  *	all buffers will be returned in the done event's 'bufferlist'
  *	member.  On error return, '*buflist' will be unchanged.
  *
- *	For isc_socket_recv2():
+ *\li	For isc_socket_recv2():
  *	'event' is not NULL, and the non-socket specific fields are
  *	expected to be initialized.
  *
- *	For isc_socket_recv2():
+ *\li	For isc_socket_recv2():
  *	The only defined value for 'flags' is ISC_SOCKFLAG_IMMEDIATE.  If
  *	set and the operation completes, the return value will be
  *	ISC_R_SUCCESS and the event will be filled in and not sent.  If the
@@ -502,36 +509,38 @@ isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
  *
  * Requires:
  *
- *	'socket' is a valid, bound socket.
+ *\li	'socket' is a valid, bound socket.
  *
- *	For isc_socket_recv():
+ *\li	For isc_socket_recv():
  *	'region' is a valid region
  *
- *	For isc_socket_recvv():
+ *\li	For isc_socket_recvv():
  *	'buflist' is non-NULL, and '*buflist' contain at least one buffer.
  *
- *	'task' is a valid task
+ *\li	'task' is a valid task
  *
- *	For isc_socket_recv() and isc_socket_recvv():
+ *\li	For isc_socket_recv() and isc_socket_recvv():
  *	action != NULL and is a valid action
  *
- *	For isc_socket_recv2():
+ *\li	For isc_socket_recv2():
  *	event != NULL
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_INPROGRESS
- *	ISC_R_NOMEMORY
- *	ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_INPROGRESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
  *
  * Event results:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_UNEXPECTED
- *	XXX needs other net-type errors
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_UNEXPECTED
+ *\li	XXX needs other net-type errors
  */
+/*@}*/
 
+/*@{*/
 isc_result_t
 isc_socket_send(isc_socket_t *sock, isc_region_t *region,
 		isc_task_t *task, isc_taskaction_t action, const void *arg);
@@ -552,41 +561,41 @@ isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
 		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
 		   isc_socketevent_t *event, unsigned int flags);
 
-/*
+/*!
  * Send the contents of 'region' to the socket's peer.
  *
  * Notes:
  *
- *	Shutting down the requestor's task *may* result in any
+ *\li	Shutting down the requestor's task *may* result in any
  *	still pending writes being dropped or completed, depending on the
  *	underlying OS implementation.
  *
- *	If 'action' is NULL, then no completion event will be posted.
+ *\li	If 'action' is NULL, then no completion event will be posted.
  *
- *	The caller may not modify 'region', the buffers which are passed
+ *\li	The caller may not modify 'region', the buffers which are passed
  *	into this function, or any data they refer to until the completion
  *	event is received.
  *
- *	For isc_socket_sendv() and isc_socket_sendtov():
+ *\li	For isc_socket_sendv() and isc_socket_sendtov():
  *	On successful completion, '*buflist' will be empty, and the list of
  *	all buffers will be returned in the done event's 'bufferlist'
  *	member.  On error return, '*buflist' will be unchanged.
  *
- *	For isc_socket_sendto2():
+ *\li	For isc_socket_sendto2():
  *	'event' is not NULL, and the non-socket specific fields are
  *	expected to be initialized.
  *
- *	For isc_socket_sendto2():
+ *\li	For isc_socket_sendto2():
  *	The only defined values for 'flags' are ISC_SOCKFLAG_IMMEDIATE
  *	and ISC_SOCKFLAG_NORETRY.
  *
- *	If ISC_SOCKFLAG_IMMEDIATE is set and the operation completes, the
+ *\li	If ISC_SOCKFLAG_IMMEDIATE is set and the operation completes, the
  *	return value will be ISC_R_SUCCESS and the event will be filled
  *	in and not sent.  If the operation does not complete, the return
  *	value will be ISC_R_INPROGRESS and the event will be sent when
  *	the operation completes.
  *
- *	ISC_SOCKFLAG_NORETRY can only be set for UDP sockets.  If set
+ *\li	ISC_SOCKFLAG_NORETRY can only be set for UDP sockets.  If set
  *	and the send operation fails due to a transient error, the send
  *	will not be retried and the error will be indicated in the event.
  *	Using this option along with ISC_SOCKFLAG_IMMEDIATE allows the caller
@@ -594,109 +603,148 @@ isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
  *
  * Requires:
  *
- *	'socket' is a valid, bound socket.
+ *\li	'socket' is a valid, bound socket.
  *
- *	For isc_socket_send():
+ *\li	For isc_socket_send():
  *	'region' is a valid region
  *
- *	For isc_socket_sendv() and isc_socket_sendtov():
+ *\li	For isc_socket_sendv() and isc_socket_sendtov():
  *	'buflist' is non-NULL, and '*buflist' contain at least one buffer.
  *
- *	'task' is a valid task
+ *\li	'task' is a valid task
  *
- *	For isc_socket_sendv(), isc_socket_sendtov(), isc_socket_send(), and
+ *\li	For isc_socket_sendv(), isc_socket_sendtov(), isc_socket_send(), and
  *	isc_socket_sendto():
  *	action == NULL or is a valid action
  *
- *	For isc_socket_sendto2():
+ *\li	For isc_socket_sendto2():
  *	event != NULL
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_INPROGRESS
- *	ISC_R_NOMEMORY
- *	ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_INPROGRESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
  *
  * Event results:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_UNEXPECTED
- *	XXX needs other net-type errors
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_UNEXPECTED
+ *\li	XXX needs other net-type errors
  */
+/*@}*/
 
 isc_result_t
 isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp);
-/*
+/*%<
  * Create a socket manager.
  *
  * Notes:
  *
- *	All memory will be allocated in memory context 'mctx'.
+ *\li	All memory will be allocated in memory context 'mctx'.
  *
  * Requires:
  *
- *	'mctx' is a valid memory context.
+ *\li	'mctx' is a valid memory context.
  *
- *	'managerp' points to a NULL isc_socketmgr_t.
+ *\li	'managerp' points to a NULL isc_socketmgr_t.
  *
  * Ensures:
  *
- *	'*managerp' is a valid isc_socketmgr_t.
+ *\li	'*managerp' is a valid isc_socketmgr_t.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
  */
 
 void
 isc_socketmgr_destroy(isc_socketmgr_t **managerp);
-/*
+/*%<
  * Destroy a socket manager.
  *
  * Notes:
  *
- *	This routine blocks until there are no sockets left in the manager,
+ *\li	This routine blocks until there are no sockets left in the manager,
  *	so if the caller holds any socket references using the manager, it
  *	must detach them before calling isc_socketmgr_destroy() or it will
  *	block forever.
  *
  * Requires:
  *
- *	'*managerp' is a valid isc_socketmgr_t.
+ *\li	'*managerp' is a valid isc_socketmgr_t.
  *
- *	All sockets managed by this manager are fully detached.
+ *\li	All sockets managed by this manager are fully detached.
  *
  * Ensures:
  *
- *	*managerp == NULL
+ *\li	*managerp == NULL
  *
- *	All resources used by the manager have been freed.
+ *\li	All resources used by the manager have been freed.
  */
 
 isc_sockettype_t
 isc_socket_gettype(isc_socket_t *sock);
-/*
+/*%<
  * Returns the socket type for "sock."
  *
  * Requires:
  *
- *	"sock" is a valid socket.
+ *\li	"sock" is a valid socket.
  */
 
+/*@{*/
 isc_boolean_t
 isc_socket_isbound(isc_socket_t *sock);
 
 void
 isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes);
-/*
+/*%<
  * If the socket is an IPv6 socket set/clear the IPV6_IPV6ONLY socket
  * option if the host OS supports this option.
  *
  * Requires:
- *	'sock' is a valid socket.
+ *\li	'sock' is a valid socket.
+ */
+/*@}*/
+
+void
+isc_socket_cleanunix(isc_sockaddr_t *addr, isc_boolean_t active);
+
+/*%<
+ * Cleanup UNIX domain sockets in the file-system.  If 'active' is true
+ * then just unlink the socket.  If 'active' is false try to determine
+ * if there is a listener of the socket or not.  If no listener is found
+ * then unlink socket.
+ *
+ * Prior to unlinking the path is tested to see if it a socket.
+ *
+ * Note: there are a number of race conditions which cannot be avoided
+ *       both in the filesystem and any application using UNIX domain
+ *	 sockets (e.g. socket is tested between bind() and listen(),
+ *	 the socket is deleted and replaced in the file-system between
+ *	 stat() and unlink()).
+ */
+
+isc_result_t
+isc_socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
+                    isc_uint32_t owner, isc_uint32_t group);
+/*%<
+ * Set ownership and file permissions on the UNIX domain socket.
+ *
+ * Note: On Solaris and SunOS this secures the directory containing
+ *       the socket as Solaris and SunOS do not honour the filesytem
+ *	 permissions on the socket.
+ *
+ * Requires:
+ * \li	'sockaddr' to be a valid UNIX domain sockaddr.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_FAILURE
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/isc/include/isc/stdio.h b/contrib/bind9/lib/isc/include/isc/stdio.h
index 7dad284..e3bf0cd 100644
--- a/contrib/bind9/lib/isc/include/isc/stdio.h
+++ b/contrib/bind9/lib/isc/include/isc/stdio.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,22 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdio.h,v 1.6.206.1 2004/03/06 08:14:48 marka Exp $ */
+/* $Id: stdio.h,v 1.7.18.2 2005/04/29 00:17:03 marka Exp $ */
 
 #ifndef ISC_STDIO_H
 #define ISC_STDIO_H 1
 
+/*! \file */
+
+/*% 
+ * These functions are wrappers around the corresponding stdio functions.
+ *
+ * They return a detailed error code in the form of an an isc_result_t.  ANSI C
+ * does not guarantee that stdio functions set errno, hence these functions
+ * must use platform dependent methods (e.g., the POSIX errno) to construct the
+ * error code.
+ */
+
 #include <stdio.h>
 
 #include <isc/lang.h>
@@ -27,36 +38,35 @@
 
 ISC_LANG_BEGINDECLS
 
+/*% Open */
 isc_result_t
 isc_stdio_open(const char *filename, const char *mode, FILE **fp);
 
+/*% Close */
 isc_result_t
 isc_stdio_close(FILE *f);
 
+/*% Seek */
 isc_result_t
 isc_stdio_seek(FILE *f, long offset, int whence);
 
+/*% Read */
 isc_result_t
 isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f,
 	       size_t *nret);
 
+/*% Write */
 isc_result_t
 isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
 		size_t *nret);
 
+/*% Flush */
 isc_result_t
 isc_stdio_flush(FILE *f);
-/*
- * These functions are wrappers around the corresponding stdio functions,
- * returning a detailed error code in the form of an an isc_result_t.  ANSI C
- * does not guarantee that stdio functions set errno, hence these functions
- * must use platform dependent methods (e.g., the POSIX errno) to construct the
- * error code.
- */
 
 isc_result_t
 isc_stdio_sync(FILE *f);
-/*
+/*%<
  * Invoke fsync() on the file descriptor underlying an stdio stream, or an
  * equivalent system-dependent operation.  Note that this function has no
  * direct counterpart in the stdio library.
diff --git a/contrib/bind9/lib/isc/include/isc/stdlib.h b/contrib/bind9/lib/isc/include/isc/stdlib.h
index 7b75584..0e2c697 100644
--- a/contrib/bind9/lib/isc/include/isc/stdlib.h
+++ b/contrib/bind9/lib/isc/include/isc/stdlib.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdlib.h,v 1.1.32.2 2004/03/06 08:14:48 marka Exp $ */
+/* $Id: stdlib.h,v 1.2.18.2 2005/04/29 00:17:03 marka Exp $ */
 
 #ifndef ISC_STDLIB_H
 #define ISC_STDLIB_H 1
 
+/*! \file */
+
 #include <stdlib.h>
 
 #include <isc/lang.h>
diff --git a/contrib/bind9/lib/isc/include/isc/string.h b/contrib/bind9/lib/isc/include/isc/string.h
index 4fbfe19..1373cf2 100644
--- a/contrib/bind9/lib/isc/include/isc/string.h
+++ b/contrib/bind9/lib/isc/include/isc/string.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,22 +15,28 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: string.h,v 1.9.164.3 2004/03/06 08:14:49 marka Exp $ */
+/* $Id: string.h,v 1.12.18.3 2005/08/16 04:39:05 marka Exp $ */
 
 #ifndef ISC_STRING_H
 #define ISC_STRING_H 1
 
+/*! \file */
+
 #include <string.h>
 
+#include <isc/formatcheck.h>
 #include <isc/int.h>
 #include <isc/lang.h>
 #include <isc/platform.h>
+#include <isc/types.h>
+
+#define ISC_STRING_MAGIC 0x5e
 
 ISC_LANG_BEGINDECLS
 
 isc_uint64_t
 isc_string_touint64(char *source, char **endp, int base);
-/*
+/*%<
  * Convert the string pointed to by 'source' to isc_uint64_t.
  *
  * On successful conversion 'endp' points to the first character
@@ -43,6 +49,150 @@ isc_string_touint64(char *source, char **endp, int base);
  * On error 'endp' points to 'source'.
  */
 
+isc_result_t
+isc_string_copy(char *target, size_t size, const char *source);
+/*
+ * Copy the string pointed to by 'source' to 'target' which is a
+ * pointer to a string of at least 'size' bytes.
+ *
+ * Requires:
+ *	'target' is a pointer to a char[] of at least 'size' bytes.
+ *	'size' an integer > 0.
+ *	'source' == NULL or points to a NUL terminated string.
+ *
+ * Ensures:
+ *	If result == ISC_R_SUCCESS
+ *		'target' will be a NUL terminated string of no more
+ *		than 'size' bytes (including NUL).
+ *
+ *	If result == ISC_R_NOSPACE
+ *		'target' is undefined.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS  -- 'source' was successfully copied to 'target'.
+ *	ISC_R_NOSPACE  -- 'source' could not be copied since 'target'
+ *	                  is too small.
+ */
+
+void
+isc_string_copy_truncate(char *target, size_t size, const char *source);
+/*
+ * Copy the string pointed to by 'source' to 'target' which is a
+ * pointer to a string of at least 'size' bytes.
+ *
+ * Requires:
+ *	'target' is a pointer to a char[] of at least 'size' bytes.
+ *	'size' an integer > 0.
+ *	'source' == NULL or points to a NUL terminated string.
+ *
+ * Ensures:
+ *	'target' will be a NUL terminated string of no more
+ *	than 'size' bytes (including NUL).
+ */
+
+isc_result_t
+isc_string_append(char *target, size_t size, const char *source);
+/*
+ * Append the string pointed to by 'source' to 'target' which is a
+ * pointer to a NUL terminated string of at least 'size' bytes.
+ *
+ * Requires:
+ *	'target' is a pointer to a NUL terminated char[] of at
+ *	least 'size' bytes.
+ *	'size' an integer > 0.
+ *	'source' == NULL or points to a NUL terminated string.
+ *
+ * Ensures:
+ *	If result == ISC_R_SUCCESS
+ *		'target' will be a NUL terminated string of no more
+ *		than 'size' bytes (including NUL).
+ *
+ *	If result == ISC_R_NOSPACE
+ *		'target' is undefined.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS  -- 'source' was successfully appended to 'target'.
+ *	ISC_R_NOSPACE  -- 'source' could not be appended since 'target'
+ *	                  is too small.
+ */
+
+void
+isc_string_append_truncate(char *target, size_t size, const char *source);
+/*
+ * Append the string pointed to by 'source' to 'target' which is a
+ * pointer to a NUL terminated string of at least 'size' bytes.
+ *
+ * Requires:
+ *	'target' is a pointer to a NUL terminated char[] of at
+ *	least 'size' bytes.
+ *	'size' an integer > 0.
+ *	'source' == NULL or points to a NUL terminated string.
+ *
+ * Ensures:
+ *	'target' will be a NUL terminated string of no more
+ *	than 'size' bytes (including NUL).
+ */
+
+isc_result_t
+isc_string_printf(char *target, size_t size, const char *format, ...);
+/*
+ * Print 'format' to 'target' which is a pointer to a string of at least
+ * 'size' bytes.
+ *
+ * Requires:
+ *	'target' is a pointer to a char[] of at least 'size' bytes.
+ *	'size' an integer > 0.
+ *	'format' == NULL or points to a NUL terminated string.
+ *
+ * Ensures:
+ *	If result == ISC_R_SUCCESS
+ *		'target' will be a NUL terminated string of no more
+ *		than 'size' bytes (including NUL).
+ *
+ *	If result == ISC_R_NOSPACE
+ *		'target' is undefined.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS  -- 'format' was successfully printed to 'target'.
+ *	ISC_R_NOSPACE  -- 'format' could not be printed to 'target' since it
+ *	                  is too small.
+ */
+
+void
+isc_string_printf_truncate(char *target, size_t size, const char *format, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+/*
+ * Print 'format' to 'target' which is a pointer to a string of at least
+ * 'size' bytes.
+ *
+ * Requires:
+ *	'target' is a pointer to a char[] of at least 'size' bytes.
+ *	'size' an integer > 0.
+ *	'format' == NULL or points to a NUL terminated string.
+ *
+ * Ensures:
+ *	'target' will be a NUL terminated string of no more
+ *	than 'size' bytes (including NUL).
+ */
+
+
+char *
+isc_string_regiondup(isc_mem_t *mctx, const isc_region_t *source);
+/*
+ * Copy the region pointed to by r to a NUL terminated string
+ * allocated from the memory context pointed to by mctx.
+ *
+ * The result should be deallocated using isc_mem_free()
+ *
+ * Requires:
+ *	'mctx' is a point to a valid memory context.
+ *	'source' is a pointer to a valid region.
+ *
+ * Returns:
+ *	a pointer to a NUL terminated string or
+ *	NULL if memory for the copy could not be allocated
+ *
+ */
 
 char *
 isc_string_separate(char **stringp, const char *delim);
diff --git a/contrib/bind9/lib/isc/include/isc/symtab.h b/contrib/bind9/lib/isc/include/isc/symtab.h
index b22fe81..94ea173 100644
--- a/contrib/bind9/lib/isc/include/isc/symtab.h
+++ b/contrib/bind9/lib/isc/include/isc/symtab.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.h,v 1.16.206.3 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: symtab.h,v 1.17.18.4 2006/03/02 00:37:22 marka Exp $ */
 
 #ifndef ISC_SYMTAB_H
 #define ISC_SYMTAB_H 1
@@ -24,10 +24,8 @@
  ***** Module Info
  *****/
 
-/*
- * Symbol Table
- *
- * Provides a simple memory-based symbol table.
+/*! \file
+ * \brief Provides a simple memory-based symbol table.
  *
  * Keys are C strings, and key comparisons are case-insenstive.  A type may
  * be specified when looking up, defining, or undefining.  A type value of
@@ -38,11 +36,11 @@
  * tuple when a tuple with the given key and type already exists in the table.
  * What to do in this case is specified by the client.  Possible policies are:
  *
- *	isc_symexists_reject	Disallow the define, returning ISC_R_EXISTS
- *	isc_symexists_replace	Replace the old value with the new.  The
+ *\li	#isc_symexists_reject	Disallow the define, returning #ISC_R_EXISTS
+ *\li	#isc_symexists_replace	Replace the old value with the new.  The
  *				undefine action (if provided) will be called
  *				with the old <key, type, value> tuple.
- *	isc_symexists_add	Add the new tuple, leaving the old tuple in
+ *\li	#isc_symexists_add	Add the new tuple, leaving the old tuple in
  *				the table.  Subsequent lookups will retrieve
  *				the most-recently-defined tuple.
  *
@@ -59,19 +57,19 @@
  * undefined.  It can be used to free memory associated with keys and/or
  * values.
  *
- * MP:
+ * \li MP:
  *	The callers of this module must ensure any required synchronization.
  *
- * Reliability:
+ * \li Reliability:
  *	No anticipated impact.
  *
- * Resources:
- *	<TBS>
+ * \li Resources:
+ *	TBS
  *
- * Security:
+ * \li Security:
  *	No anticipated impact.
  *
- * Standards:
+ * \li Standards:
  *	None.
  */
 
@@ -82,10 +80,10 @@
 #include <isc/lang.h>
 #include <isc/types.h>
 
-/***
+/*
  *** Symbol Tables.
  ***/
-
+/*% Symbol table value. */
 typedef union isc_symvalue {
 	void *				as_pointer;
 	const void *			as_cpointer;
@@ -95,31 +93,36 @@ typedef union isc_symvalue {
 
 typedef void (*isc_symtabaction_t)(char *key, unsigned int type,
 				   isc_symvalue_t value, void *userarg);
-
+/*% Symbol table exists. */
 typedef enum {
-	isc_symexists_reject = 0,
-	isc_symexists_replace = 1,
-	isc_symexists_add = 2
+	isc_symexists_reject = 0,	/*%< Disallow the define */
+	isc_symexists_replace = 1,	/*%< Replace the old value with the new */
+	isc_symexists_add = 2		/*%< Add the new tuple */
 } isc_symexists_t;
 
 ISC_LANG_BEGINDECLS
 
+/*% Create a symbol table. */
 isc_result_t
 isc_symtab_create(isc_mem_t *mctx, unsigned int size,
 		  isc_symtabaction_t undefine_action, void *undefine_arg,
 		  isc_boolean_t case_sensitive, isc_symtab_t **symtabp);
 
+/*% Destroy a symbol table. */
 void
 isc_symtab_destroy(isc_symtab_t **symtabp);
 
+/*% Lookup a symbol table. */
 isc_result_t
 isc_symtab_lookup(isc_symtab_t *symtab, const char *key, unsigned int type,
 		  isc_symvalue_t *value);
 
+/*% Define a symbol table. */
 isc_result_t
 isc_symtab_define(isc_symtab_t *symtab, const char *key, unsigned int type,
 		  isc_symvalue_t value, isc_symexists_t exists_policy);
 
+/*% Undefine a symbol table. */
 isc_result_t
 isc_symtab_undefine(isc_symtab_t *symtab, const char *key, unsigned int type);
 
diff --git a/contrib/bind9/lib/isc/include/isc/task.h b/contrib/bind9/lib/isc/include/isc/task.h
index 0e8190a..f7d237c 100644
--- a/contrib/bind9/lib/isc/include/isc/task.h
+++ b/contrib/bind9/lib/isc/include/isc/task.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.h,v 1.49.206.3 2004/03/09 05:21:09 marka Exp $ */
+/* $Id: task.h,v 1.51.18.2 2005/04/29 00:17:03 marka Exp $ */
 
 #ifndef ISC_TASK_H
 #define ISC_TASK_H 1
@@ -24,33 +24,55 @@
  ***** Module Info
  *****/
 
-/*
- * Task System
- *
- * The task system provides a lightweight execution context, which is
- * basically an event queue.  When a task's event queue is non-empty, the
+/*! \file
+ * \brief The task system provides a lightweight execution context, which is
+ * basically an event queue.  
+
+ * When a task's event queue is non-empty, the
  * task is runnable.  A small work crew of threads, typically one per CPU,
  * execute runnable tasks by dispatching the events on the tasks' event
  * queues.  Context switching between tasks is fast.
  *
- * MP:
+ * \li MP:
  *	The module ensures appropriate synchronization of data structures it
  *	creates and manipulates.
- *
  *	The caller must ensure that isc_taskmgr_destroy() is called only
  *	once for a given manager.
  *
- * Reliability:
+ * \li Reliability:
  *	No anticipated impact.
  *
- * Resources:
- *	<TBS>
+ * \li Resources:
+ *	TBS
  *
- * Security:
+ * \li Security:
  *	No anticipated impact.
  *
- * Standards:
+ * \li Standards:
  *	None.
+ *
+ * \section purge Purging and Unsending
+ *
+ * Events which have been queued for a task but not delivered may be removed
+ * from the task's event queue by purging or unsending.
+ *
+ * With both types, the caller specifies a matching pattern that selects
+ * events based upon their sender, type, and tag.
+ *
+ * Purging calls isc_event_free() on the matching events.
+ *
+ * Unsending returns a list of events that matched the pattern.
+ * The caller is then responsible for them.
+ *
+ * Consumers of events should purge, not unsend.
+ *
+ * Producers of events often want to remove events when the caller indicates
+ * it is no longer interested in the object, e.g. by cancelling a timer.
+ * Sometimes this can be done by purging, but for some event types, the
+ * calls to isc_event_free() cause deadlock because the event free routine
+ * wants to acquire a lock the caller is already holding.  Unsending instead
+ * of purging solves this problem.  As a general rule, producers should only
+ * unsend events which they have sent.
  */
 
 
@@ -76,355 +98,335 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
 		isc_task_t **taskp);
-/*
+/*%<
  * Create a task.
  *
  * Notes:
  *
- *	If 'quantum' is non-zero, then only that many events can be dispatched
+ *\li	If 'quantum' is non-zero, then only that many events can be dispatched
  *	before the task must yield to other tasks waiting to execute.  If
  *	quantum is zero, then the default quantum of the task manager will
  *	be used.
  *
- *	The 'quantum' option may be removed from isc_task_create() in the
+ *\li	The 'quantum' option may be removed from isc_task_create() in the
  *	future.  If this happens, isc_task_getquantum() and
  *	isc_task_setquantum() will be provided.
  *
  * Requires:
  *
- *	'manager' is a valid task manager.
+ *\li	'manager' is a valid task manager.
  *
- *	taskp != NULL && *taskp == NULL
+ *\li	taskp != NULL && *taskp == NULL
  *
  * Ensures:
  *
- *	On success, '*taskp' is bound to the new task.
+ *\li	On success, '*taskp' is bound to the new task.
  *
  * Returns:
  *
- *     	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_UNEXPECTED
- *	ISC_R_SHUTTINGDOWN
+ *\li   #ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ *\li	#ISC_R_SHUTTINGDOWN
  */
 
 void
 isc_task_attach(isc_task_t *source, isc_task_t **targetp);
-/*
+/*%<
  * Attach *targetp to source.
  *
  * Requires:
  *
- *	'source' is a valid task.
+ *\li	'source' is a valid task.
  *
- *	'targetp' points to a NULL isc_task_t *.
+ *\li	'targetp' points to a NULL isc_task_t *.
  *
  * Ensures:
  *
- *	*targetp is attached to source.
+ *\li	*targetp is attached to source.
  */
 
 void
 isc_task_detach(isc_task_t **taskp);
-/*
+/*%<
  * Detach *taskp from its task.
  *
  * Requires:
  *
- *	'*taskp' is a valid task.
+ *\li	'*taskp' is a valid task.
  *
  * Ensures:
  *
- *	*taskp is NULL.
+ *\li	*taskp is NULL.
  *
- *	If '*taskp' is the last reference to the task, the task is idle (has
+ *\li	If '*taskp' is the last reference to the task, the task is idle (has
  *	an empty event queue), and has not been shutdown, the task will be
  *	shutdown.
  *
- *	If '*taskp' is the last reference to the task and
+ *\li	If '*taskp' is the last reference to the task and
  *	the task has been shutdown,
- *
- *		All resources used by the task will be freed.
+ *		all resources used by the task will be freed.
  */
 
 void
 isc_task_send(isc_task_t *task, isc_event_t **eventp);
-/*
+/*%<
  * Send '*event' to 'task'.
  *
  * Requires:
  *
- *	'task' is a valid task.
- *	eventp != NULL && *eventp != NULL.
+ *\li	'task' is a valid task.
+ *\li	eventp != NULL && *eventp != NULL.
  *
  * Ensures:
  *
- *	*eventp == NULL.
+ *\li	*eventp == NULL.
  */
 
 void
 isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp);
-/*
+/*%<
  * Send '*event' to '*taskp' and then detach '*taskp' from its
  * task.
  *
  * Requires:
  *
- *	'*taskp' is a valid task.
- *	eventp != NULL && *eventp != NULL.
+ *\li	'*taskp' is a valid task.
+ *\li	eventp != NULL && *eventp != NULL.
  *
  * Ensures:
  *
- *	*eventp == NULL.
+ *\li	*eventp == NULL.
  *
- *	*taskp == NULL.
+ *\li	*taskp == NULL.
  *
- *	If '*taskp' is the last reference to the task, the task is
+ *\li	If '*taskp' is the last reference to the task, the task is
  *	idle (has an empty event queue), and has not been shutdown,
  *	the task will be shutdown.
  *
- *	If '*taskp' is the last reference to the task and
+ *\li	If '*taskp' is the last reference to the task and
  *	the task has been shutdown,
- *
- *		All resources used by the task will be freed.
+ *		all resources used by the task will be freed.
  */
 
-/*
- * Purging and Unsending
- *
- * Events which have been queued for a task but not delivered may be removed
- * from the task's event queue by purging or unsending.
- *
- * With both types, the caller specifies a matching pattern that selects
- * events based upon their sender, type, and tag.
- *
- * Purging calls isc_event_free() on the matching events.
- *
- * Unsending returns a list of events that matched the pattern.
- * The caller is then responsible for them.
- *
- * Consumers of events should purge, not unsend.
- *
- * Producers of events often want to remove events when the caller indicates
- * it is no longer interested in the object, e.g. by cancelling a timer.
- * Sometimes this can be done by purging, but for some event types, the
- * calls to isc_event_free() cause deadlock because the event free routine
- * wants to acquire a lock the caller is already holding.  Unsending instead
- * of purging solves this problem.  As a general rule, producers should only
- * unsend events which they have sent.
- */
 
 unsigned int
 isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
 		    isc_eventtype_t last, void *tag);
-/*
+/*%<
  * Purge events from a task's event queue.
  *
  * Requires:
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
- *	last >= first
+ *\li	last >= first
  *
  * Ensures:
  *
- *	Events in the event queue of 'task' whose sender is 'sender', whose
+ *\li	Events in the event queue of 'task' whose sender is 'sender', whose
  *	type is >= first and <= last, and whose tag is 'tag' will be purged,
  *	unless they are marked as unpurgable.
  *
- *	A sender of NULL will match any sender.  A NULL tag matches any
+ *\li	A sender of NULL will match any sender.  A NULL tag matches any
  *	tag.
  *
  * Returns:
  *
- *	The number of events purged.
+ *\li	The number of events purged.
  */
 
 unsigned int
 isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
 	       void *tag);
-/*
+/*%<
  * Purge events from a task's event queue.
  *
  * Notes:
  *
- *	This function is equivalent to
+ *\li	This function is equivalent to
  *
+ *\code
  *		isc_task_purgerange(task, sender, type, type, tag);
+ *\endcode
  *
  * Requires:
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
  * Ensures:
  *
- *	Events in the event queue of 'task' whose sender is 'sender', whose
+ *\li	Events in the event queue of 'task' whose sender is 'sender', whose
  *	type is 'type', and whose tag is 'tag' will be purged, unless they
  *	are marked as unpurgable.
  *
- *	A sender of NULL will match any sender.  A NULL tag matches any
+ *\li	A sender of NULL will match any sender.  A NULL tag matches any
  *	tag.
  *
  * Returns:
  *
- *	The number of events purged.
+ *\li	The number of events purged.
  */
 
 isc_boolean_t
 isc_task_purgeevent(isc_task_t *task, isc_event_t *event);
-/*
+/*%<
  * Purge 'event' from a task's event queue.
  *
  * XXXRTH:  WARNING:  This method may be removed before beta.
  *
  * Notes:
  *
- *	If 'event' is on the task's event queue, it will be purged,
+ *\li	If 'event' is on the task's event queue, it will be purged,
  * 	unless it is marked as unpurgeable.  'event' does not have to be
  *	on the task's event queue; in fact, it can even be an invalid
  *	pointer.  Purging only occurs if the event is actually on the task's
  *	event queue.
  *
- * 	Purging never changes the state of the task.
+ * \li	Purging never changes the state of the task.
  *
  * Requires:
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
  * Ensures:
  *
- *	'event' is not in the event queue for 'task'.
+ *\li	'event' is not in the event queue for 'task'.
  *
  * Returns:
  *
- *	ISC_TRUE			The event was purged.
- *	ISC_FALSE			The event was not in the event queue,
+ *\li	#ISC_TRUE			The event was purged.
+ *\li	#ISC_FALSE			The event was not in the event queue,
  *					or was marked unpurgeable.
  */
 
 unsigned int
 isc_task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
 		     isc_eventtype_t last, void *tag, isc_eventlist_t *events);
-/*
+/*%<
  * Remove events from a task's event queue.
  *
  * Requires:
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
- *	last >= first.
+ *\li	last >= first.
  *
- *	*events is a valid list.
+ *\li	*events is a valid list.
  *
  * Ensures:
  *
- *	Events in the event queue of 'task' whose sender is 'sender', whose
+ *\li	Events in the event queue of 'task' whose sender is 'sender', whose
  *	type is >= first and <= last, and whose tag is 'tag' will be dequeued
  *	and appended to *events.
  *
- *	A sender of NULL will match any sender.  A NULL tag matches any
+ *\li	A sender of NULL will match any sender.  A NULL tag matches any
  *	tag.
  *
  * Returns:
  *
- *	The number of events unsent.
+ *\li	The number of events unsent.
  */
 
 unsigned int
 isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
 		void *tag, isc_eventlist_t *events);
-/*
+/*%<
  * Remove events from a task's event queue.
  *
  * Notes:
  *
- *	This function is equivalent to
+ *\li	This function is equivalent to
  *
+ *\code
  *		isc_task_unsendrange(task, sender, type, type, tag, events);
+ *\endcode
  *
  * Requires:
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
- *	*events is a valid list.
+ *\li	*events is a valid list.
  *
  * Ensures:
  *
- *	Events in the event queue of 'task' whose sender is 'sender', whose
+ *\li	Events in the event queue of 'task' whose sender is 'sender', whose
  *	type is 'type', and whose tag is 'tag' will be dequeued and appended
  *	to *events.
  *
  * Returns:
  *
- *	The number of events unsent.
+ *\li	The number of events unsent.
  */
 
 isc_result_t
 isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action,
 		    const void *arg);
-/*
+/*%<
  * Send a shutdown event with action 'action' and argument 'arg' when
  * 'task' is shutdown.
  *
  * Notes:
  *
- *	Shutdown events are posted in LIFO order.
+ *\li	Shutdown events are posted in LIFO order.
  *
  * Requires:
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
- *	'action' is a valid task action.
+ *\li	'action' is a valid task action.
  *
  * Ensures:
  *
- *	When the task is shutdown, shutdown events requested with
+ *\li	When the task is shutdown, shutdown events requested with
  *	isc_task_onshutdown() will be appended to the task's event queue.
  *
 
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_TASKSHUTTINGDOWN			Task is shutting down.
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_TASKSHUTTINGDOWN			Task is shutting down.
  */
 
 void
 isc_task_shutdown(isc_task_t *task);
-/*
+/*%<
  * Shutdown 'task'.
  *
  * Notes:
  *
- *	Shutting down a task causes any shutdown events requested with
+ *\li	Shutting down a task causes any shutdown events requested with
  *	isc_task_onshutdown() to be posted (in LIFO order).  The task
  *	moves into a "shutting down" mode which prevents further calls
  *	to isc_task_onshutdown().
  *
- *	Trying to shutdown a task that has already been shutdown has no
+ *\li	Trying to shutdown a task that has already been shutdown has no
  *	effect.
  *
  * Requires:
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
  * Ensures:
  *
- *	Any shutdown events requested with isc_task_onshutdown() have been
+ *\li	Any shutdown events requested with isc_task_onshutdown() have been
  *	posted (in LIFO order).
  */
 
 void
 isc_task_destroy(isc_task_t **taskp);
-/*
+/*%<
  * Destroy '*taskp'.
  *
  * Notes:
  *
- *	This call is equivalent to:
+ *\li	This call is equivalent to:
  *
+ *\code
  *		isc_task_shutdown(*taskp);
  *		isc_task_detach(taskp);
+ *\endcode
  *
  * Requires:
  *
@@ -432,45 +434,44 @@ isc_task_destroy(isc_task_t **taskp);
  *
  * Ensures:
  *
- *	Any shutdown events requested with isc_task_onshutdown() have been
+ *\li	Any shutdown events requested with isc_task_onshutdown() have been
  *	posted (in LIFO order).
  *
- *	*taskp == NULL
+ *\li	*taskp == NULL
  *
- *	If '*taskp' is the last reference to the task,
- *
- *		All resources used by the task will be freed.
+ *\li	If '*taskp' is the last reference to the task,
+ *		all resources used by the task will be freed.
  */
 
 void
 isc_task_setname(isc_task_t *task, const char *name, void *tag);
-/*
+/*%<
  * Name 'task'.
  *
  * Notes:
  *
- *	Only the first 15 characters of 'name' will be copied.
+ *\li	Only the first 15 characters of 'name' will be copied.
  *
- *	Naming a task is currently only useful for debugging purposes.
+ *\li	Naming a task is currently only useful for debugging purposes.
  *
  * Requires:
  *
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  */
 
 const char *
 isc_task_getname(isc_task_t *task);
-/*
+/*%<
  * Get the name of 'task', as previously set using isc_task_setname().
  *
  * Notes:
- *	This function is for debugging purposes only.
+ *\li	This function is for debugging purposes only.
  *
  * Requires:
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  *
  * Returns:
- *	A non-NULL pointer to a null-terminated string.
+ *\li	A non-NULL pointer to a null-terminated string.
  * 	If the task has not been named, the string is
  * 	empty.
  *
@@ -478,19 +479,19 @@ isc_task_getname(isc_task_t *task);
 
 void *
 isc_task_gettag(isc_task_t *task);
-/*
+/*%<
  * Get the tag value for  'task', as previously set using isc_task_settag().
  *
  * Notes:
- *	This function is for debugging purposes only.
+ *\li	This function is for debugging purposes only.
  *
  * Requires:
- *	'task' is a valid task.
+ *\li	'task' is a valid task.
  */
 
 isc_result_t
 isc_task_beginexclusive(isc_task_t *task);
-/*
+/*%<
  * Request exclusive access for 'task', which must be the calling
  * task.  Waits for any other concurrently executing tasks to finish their
  * current event, and prevents any new events from executing in any of the
@@ -500,37 +501,37 @@ isc_task_beginexclusive(isc_task_t *task);
  * isc_task_endexclusive() before returning from the current event handler.
  *
  * Requires:
- *	'task' is the calling task.
+ *\li	'task' is the calling task.
  *
  * Returns:
- *	ISC_R_SUCCESS		The current task now has exclusive access.
- *	ISC_R_LOCKBUSY		Another task has already requested exclusive
+ *\li	#ISC_R_SUCCESS		The current task now has exclusive access.
+ *\li	#ISC_R_LOCKBUSY		Another task has already requested exclusive
  *				access.
  */
 
 void
 isc_task_endexclusive(isc_task_t *task);
-/*
+/*%<
  * Relinquish the exclusive access obtained by isc_task_beginexclusive(), 
  * allowing other tasks to execute.
  *
  * Requires:
- *	'task' is the calling task, and has obtained
+ *\li	'task' is the calling task, and has obtained
  *		exclusive access by calling isc_task_spl().
  */
 
 void
 isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t);
-/*
+/*%<
  * Provide the most recent timestamp on the task.  The timestamp is considered
  * as the "current time" in the second-order granularity.
  *
  * Requires:
- *	'task' is a valid task.
- *	't' is a valid non NULL pointer.
+ *\li	'task' is a valid task.
+ *\li	't' is a valid non NULL pointer.
  *
  * Ensures:
- *	'*t' has the "current time".
+ *\li	'*t' has the "current time".
  */
 
 /*****
@@ -540,73 +541,73 @@ isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t);
 isc_result_t
 isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 		   unsigned int default_quantum, isc_taskmgr_t **managerp);
-/*
+/*%<
  * Create a new task manager.
  *
  * Notes:
  *
- *	'workers' in the number of worker threads to create.  In general,
+ *\li	'workers' in the number of worker threads to create.  In general,
  *	the value should be close to the number of processors in the system.
  *	The 'workers' value is advisory only.  An attempt will be made to
  *	create 'workers' threads, but if at least one thread creation
  *	succeeds, isc_taskmgr_create() may return ISC_R_SUCCESS.
  *
- *	If 'default_quantum' is non-zero, then it will be used as the default
+ *\li	If 'default_quantum' is non-zero, then it will be used as the default
  *	quantum value when tasks are created.  If zero, then an implementation
  *	defined default quantum will be used.
  *
  * Requires:
  *
- *      'mctx' is a valid memory context.
+ *\li      'mctx' is a valid memory context.
  *
- *	workers > 0
+ *\li	workers > 0
  *
- *	managerp != NULL && *managerp == NULL
+ *\li	managerp != NULL && *managerp == NULL
  *
  * Ensures:
  *
- *	On success, '*managerp' will be attached to the newly created task
+ *\li	On success, '*managerp' will be attached to the newly created task
  *	manager.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_NOTHREADS			No threads could be created.
- *	ISC_R_UNEXPECTED		An unexpected error occurred.
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_NOTHREADS			No threads could be created.
+ *\li	#ISC_R_UNEXPECTED		An unexpected error occurred.
  */
 
 void
 isc_taskmgr_destroy(isc_taskmgr_t **managerp);
-/*
+/*%<
  * Destroy '*managerp'.
  *
  * Notes:
  *
- *	Calling isc_taskmgr_destroy() will shutdown all tasks managed by
+ *\li	Calling isc_taskmgr_destroy() will shutdown all tasks managed by
  *	*managerp that haven't already been shutdown.  The call will block
  *	until all tasks have entered the done state.
  *
- *	isc_taskmgr_destroy() must not be called by a task event action,
+ *\li	isc_taskmgr_destroy() must not be called by a task event action,
  *	because it would block forever waiting for the event action to
  *	complete.  An event action that wants to cause task manager shutdown
  *	should request some non-event action thread of execution to do the
  *	shutdown, e.g. by signalling a condition variable or using
  *	isc_app_shutdown().
  *
- *	Task manager references are not reference counted, so the caller
+ *\li	Task manager references are not reference counted, so the caller
  *	must ensure that no attempt will be made to use the manager after
  *	isc_taskmgr_destroy() returns.
  *
  * Requires:
  *
- *	'*managerp' is a valid task manager.
+ *\li	'*managerp' is a valid task manager.
  *
- *	isc_taskmgr_destroy() has not be called previously on '*managerp'.
+ *\li	isc_taskmgr_destroy() has not be called previously on '*managerp'.
  *
  * Ensures:
  *
- *	All resources used by the task manager, and any tasks it managed,
+ *\li	All resources used by the task manager, and any tasks it managed,
  *	have been freed.
  */
 
diff --git a/contrib/bind9/lib/isc/include/isc/taskpool.h b/contrib/bind9/lib/isc/include/isc/taskpool.h
index 42066d2..6c97605 100644
--- a/contrib/bind9/lib/isc/include/isc/taskpool.h
+++ b/contrib/bind9/lib/isc/include/isc/taskpool.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: taskpool.h,v 1.8.206.1 2004/03/06 08:14:49 marka Exp $ */
+/* $Id: taskpool.h,v 1.9.18.2 2005/04/29 00:17:04 marka Exp $ */
 
 #ifndef ISC_TASKPOOL_H
 #define ISC_TASKPOOL_H 1
@@ -24,10 +24,8 @@
  ***** Module Info
  *****/
 
-/*
- * Task Pool
- *
- * A task pool is a mechanism for sharing a small number of tasks
+/*! \file
+ * \brief A task pool is a mechanism for sharing a small number of tasks
  * among a large number of objects such that each object is
  * assigned a unique task, but each task may be shared by several
  * objects.
@@ -62,44 +60,44 @@ isc_result_t
 isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx,
 		    unsigned int ntasks, unsigned int quantum,
 		    isc_taskpool_t **poolp);
-/*
+/*%<
  * Create a task pool of "ntasks" tasks, each with quantum
  * "quantum".
  *
  * Requires:
  *
- *	'tmgr' is a valid task manager.
+ *\li	'tmgr' is a valid task manager.
  *
- *	'mctx' is a valid memory context.
+ *\li	'mctx' is a valid memory context.
  *
- *	poolp != NULL && *poolp == NULL
+ *\li	poolp != NULL && *poolp == NULL
  *
  * Ensures:
  *
- *	On success, '*taskp' points to the new task pool.
+ *\li	On success, '*taskp' points to the new task pool.
  *
  * Returns:
  *
- *     	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
  */
 
 void 
 isc_taskpool_gettask(isc_taskpool_t *pool, unsigned int hash,
 			  isc_task_t **targetp);
-/*
+/*%<
  * Attach to the task corresponding to the hash value "hash".
  */
 
 void
 isc_taskpool_destroy(isc_taskpool_t **poolp);
-/*
+/*%<
  * Destroy a task pool.  The tasks in the pool are detached but not
  * shut down.
  *
  * Requires:
- * 	'*poolp' is a valid task pool.
+ * \li	'*poolp' is a valid task pool.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/isc/include/isc/timer.h b/contrib/bind9/lib/isc/include/isc/timer.h
index 439c943..1e139dd 100644
--- a/contrib/bind9/lib/isc/include/isc/timer.h
+++ b/contrib/bind9/lib/isc/include/isc/timer.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.h,v 1.28.12.6 2005/10/27 00:27:30 marka Exp $ */
+/* $Id: timer.h,v 1.31.18.3 2005/10/26 06:50:50 marka Exp $ */
 
 #ifndef ISC_TIMER_H
 #define ISC_TIMER_H 1
@@ -24,50 +24,46 @@
  ***** Module Info
  *****/
 
-/*
- * Timers
- *
- * Provides timers which are event sources in the task system.
+/*! \file
+ * \brief Provides timers which are event sources in the task system.
  *
  * Three types of timers are supported:
  *
- *	'ticker' timers generate a periodic tick event.
+ *\li	'ticker' timers generate a periodic tick event.
  *
- *	'once' timers generate an idle timeout event if they are idle for too
+ *\li	'once' timers generate an idle timeout event if they are idle for too
  *	long, and generate a life timeout event if their lifetime expires.
  *	They are used to implement both (possibly expiring) idle timers and
  *	'one-shot' timers.
  *
- *	'limited' timers generate a periodic tick event until they reach
+ *\li	'limited' timers generate a periodic tick event until they reach
  *	their lifetime when they generate a life timeout event.
  *
- *	'inactive' timers generate no events.
+ *\li	'inactive' timers generate no events.
  *
  * Timers can change type.  It is typical to create a timer as
  * an 'inactive' timer and then change it into a 'ticker' or
  * 'once' timer.
  *
- * MP:
+ *\li MP:
  *	The module ensures appropriate synchronization of data structures it
  *	creates and manipulates.
- *
  *	Clients of this module must not be holding a timer's task's lock when
  *	making a call that affects that timer.  Failure to follow this rule
  *	can result in deadlock.
- *
  *	The caller must ensure that isc_timermgr_destroy() is called only
  *	once for a given manager.
  *
- * Reliability:
+ * \li Reliability:
  *	No anticipated impact.
  *
- * Resources:
- *	<TBS>
+ * \li Resources:
+ *	TBS
  *
- * Security:
+ * \li Security:
  *	No anticipated impact.
  *
- * Standards:
+ * \li Standards:
  *	None.
  */
 
@@ -87,11 +83,12 @@ ISC_LANG_BEGINDECLS
  *** Types
  ***/
 
+/*% Timer Type */
 typedef enum {
-	isc_timertype_ticker = 0,
-	isc_timertype_once = 1,
-	isc_timertype_limited = 2,
-	isc_timertype_inactive = 3
+	isc_timertype_ticker = 0, 	/*%< Ticker */
+	isc_timertype_once = 1, 	/*%< Once */
+	isc_timertype_limited = 2, 	/*%< Limited */
+	isc_timertype_inactive = 3 	/*%< Inactive */
 } isc_timertype_t;
 
 typedef struct isc_timerevent {
@@ -120,7 +117,7 @@ isc_timer_create(isc_timermgr_t *manager,
 		 isc_taskaction_t action,
 		 const void *arg,
 		 isc_timer_t **timerp);
-/*
+/*%<
  * Create a new 'type' timer managed by 'manager'.  The timers parameters
  * are specified by 'expires' and 'interval'.  Events will be posted to
  * 'task' and when dispatched 'action' will be called with 'arg' as the
@@ -128,51 +125,51 @@ isc_timer_create(isc_timermgr_t *manager,
  *
  * Notes:
  *
- *	For ticker timers, the timer will generate a 'tick' event every
+ *\li	For ticker timers, the timer will generate a 'tick' event every
  *	'interval' seconds.  The value of 'expires' is ignored.
  *
- *	For once timers, 'expires' specifies the time when a life timeout
+ *\li	For once timers, 'expires' specifies the time when a life timeout
  *	event should be generated.  If 'expires' is 0 (the epoch), then no life
  *	timeout will be generated.  'interval' specifies how long the timer
  *	can be idle before it generates an idle timeout.  If 0, then no
  *	idle timeout will be generated.
  *
- *	If 'expires' is NULL, the epoch will be used.
+ *\li	If 'expires' is NULL, the epoch will be used.
  *
  *	If 'interval' is NULL, the zero interval will be used.
  *
  * Requires:
  *
- *	'manager' is a valid manager
+ *\li	'manager' is a valid manager
  *
- *	'task' is a valid task
+ *\li	'task' is a valid task
  *
- *	'action' is a valid action
+ *\li	'action' is a valid action
  *
- *	'expires' points to a valid time, or is NULL.
+ *\li	'expires' points to a valid time, or is NULL.
  *
- *	'interval' points to a valid interval, or is NULL.
+ *\li	'interval' points to a valid interval, or is NULL.
  *
- *	type == isc_timertype_inactive ||
+ *\li	type == isc_timertype_inactive ||
  *	('expires' and 'interval' are not both 0)
  *
- *	'timerp' is a valid pointer, and *timerp == NULL
+ *\li	'timerp' is a valid pointer, and *timerp == NULL
  *
  * Ensures:
  *
- *	'*timerp' is attached to the newly created timer
+ *\li	'*timerp' is attached to the newly created timer
  *
- *	The timer is attached to the task
+ *\li	The timer is attached to the task
  *
- *	An idle timeout will not be generated until at least Now + the
+ *\li	An idle timeout will not be generated until at least Now + the
  *	timer's interval if 'timer' is a once timer with a non-zero
  *	interval.
  *
  * Returns:
  *
- *	Success
- *	No memory
- *	Unexpected error
+ *\li	Success
+ *\li	No memory
+ *\li	Unexpected error
  */
 
 isc_result_t
@@ -181,90 +178,91 @@ isc_timer_reset(isc_timer_t *timer,
 		isc_time_t *expires,
 		isc_interval_t *interval,
 		isc_boolean_t purge);
-/*
+/*%<
  * Change the timer's type, expires, and interval values to the given
  * values.  If 'purge' is TRUE, any pending events from this timer
  * are purged from its task's event queue.
  *
  * Notes:
  *
- *	If 'expires' is NULL, the epoch will be used.
+ *\li	If 'expires' is NULL, the epoch will be used.
  *
- *	If 'interval' is NULL, the zero interval will be used.
+ *\li	If 'interval' is NULL, the zero interval will be used.
  *
  * Requires:
  *
- *	'timer' is a valid timer
+ *\li	'timer' is a valid timer
  *
- *	The same requirements that isc_timer_create() imposes on 'type',
+ *\li	The same requirements that isc_timer_create() imposes on 'type',
  *	'expires' and 'interval' apply.
  *
  * Ensures:
  *
- *	An idle timeout will not be generated until at least Now + the
+ *\li	An idle timeout will not be generated until at least Now + the
  *	timer's interval if 'timer' is a once timer with a non-zero
  *	interval.
  *
  * Returns:
  *
- *	Success
- *	No memory
- *	Unexpected error
+ *\li	Success
+ *\li	No memory
+ *\li	Unexpected error
  */
 
 isc_result_t
 isc_timer_touch(isc_timer_t *timer);
-/*
+/*%<
  * Set the last-touched time of 'timer' to the current time.
  *
  * Requires:
  *
- *	'timer' is a valid once timer.
+ *\li	'timer' is a valid once timer.
  *
  * Ensures:
  *
- *	An idle timeout will not be generated until at least Now + the
+ *\li	An idle timeout will not be generated until at least Now + the
  *	timer's interval if 'timer' is a once timer with a non-zero
  *	interval.
  *
  * Returns:
  *
- *	Success
- *	Unexpected error
+ *\li	Success
+ *\li	Unexpected error
  */
 
 void
 isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp);
-/*
+/*%<
  * Attach *timerp to timer.
  *
  * Requires:
  *
- *	'timer' is a valid timer.
+ *\li	'timer' is a valid timer.
  *
- *	'timerp' points to a NULL timer.
+ *\li	'timerp' points to a NULL timer.
  *
  * Ensures:
  *
- *	*timerp is attached to timer.
+ *\li	*timerp is attached to timer.
  */
 
 void
 isc_timer_detach(isc_timer_t **timerp);
-/*
+/*%<
  * Detach *timerp from its timer.
  *
  * Requires:
  *
- *	'timerp' points to a valid timer.
+ *\li	'timerp' points to a valid timer.
  *
  * Ensures:
  *
- *	*timerp is NULL.
+ *\li	*timerp is NULL.
  *
- *	If '*timerp' is the last reference to the timer,
+ *\li	If '*timerp' is the last reference to the timer,
  *	then:
  *
+ *\code
  *		The timer will be shutdown
  *
  *		The timer will detach from its task
@@ -275,6 +273,7 @@ isc_timer_detach(isc_timer_t **timerp);
  *		Therefore, if isc_timer_detach() is called in the context
  *		of the timer's task, it is guaranteed that no more
  *		timer event callbacks will run after the call.
+ *\endcode
  */
 
 isc_timertype_t
@@ -289,51 +288,51 @@ isc_timer_gettype(isc_timer_t *timer);
 
 isc_result_t
 isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
-/*
+/*%<
  * Create a timer manager.
  *
  * Notes:
  *
- *	All memory will be allocated in memory context 'mctx'.
+ *\li	All memory will be allocated in memory context 'mctx'.
  *
  * Requires:
  *
- *	'mctx' is a valid memory context.
+ *\li	'mctx' is a valid memory context.
  *
- *	'managerp' points to a NULL isc_timermgr_t.
+ *\li	'managerp' points to a NULL isc_timermgr_t.
  *
  * Ensures:
  *
- *	'*managerp' is a valid isc_timermgr_t.
+ *\li	'*managerp' is a valid isc_timermgr_t.
  *
  * Returns:
  *
- *	Success
- *	No memory
- *	Unexpected error
+ *\li	Success
+ *\li	No memory
+ *\li	Unexpected error
  */
 
 void
 isc_timermgr_destroy(isc_timermgr_t **managerp);
-/*
+/*%<
  * Destroy a timer manager.
  *
  * Notes:
  *
- *	This routine blocks until there are no timers left in the manager,
+ *\li	This routine blocks until there are no timers left in the manager,
  *	so if the caller holds any timer references using the manager, it
  *	must detach them before calling isc_timermgr_destroy() or it will
  *	block forever.
  *
  * Requires:
  *
- *	'*managerp' is a valid isc_timermgr_t.
+ *\li	'*managerp' is a valid isc_timermgr_t.
  *
  * Ensures:
  *
- *	*managerp == NULL
+ *\li	*managerp == NULL
  *
- *	All resources used by the manager have been freed.
+ *\li	All resources used by the manager have been freed.
  */
 
 void isc_timermgr_poke(isc_timermgr_t *m);
diff --git a/contrib/bind9/lib/isc/include/isc/types.h b/contrib/bind9/lib/isc/include/isc/types.h
index fad77da..35a0be7 100644
--- a/contrib/bind9/lib/isc/include/isc/types.h
+++ b/contrib/bind9/lib/isc/include/isc/types.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.32.2.3.2.1 2004/03/06 08:14:50 marka Exp $ */
+/* $Id: types.h,v 1.35.18.2 2005/04/29 00:17:04 marka Exp $ */
 
 #ifndef ISC_TYPES_H
 #define ISC_TYPES_H 1
 
-/*
+/*! \file
+ * \brief
  * OS-specific types, from the OS-specific include directories.
  */
 #include <isc/int.h>
@@ -37,57 +38,56 @@
  */
 #include <isc/list.h>
 
-/***
- *** Core Types.  Alphabetized by defined type.
- ***/
+/* Core Types.  Alphabetized by defined type. */
 
-typedef struct isc_bitstring		isc_bitstring_t;
-typedef struct isc_buffer		isc_buffer_t;
-typedef ISC_LIST(isc_buffer_t)		isc_bufferlist_t;
-typedef struct isc_constregion		isc_constregion_t;
-typedef struct isc_consttextregion	isc_consttextregion_t;
-typedef struct isc_entropy		isc_entropy_t;
-typedef struct isc_entropysource	isc_entropysource_t;
-typedef struct isc_event		isc_event_t;
-typedef ISC_LIST(isc_event_t)		isc_eventlist_t;
-typedef unsigned int			isc_eventtype_t;
-typedef isc_uint32_t			isc_fsaccess_t;
-typedef struct isc_hash			isc_hash_t;
-typedef struct isc_interface		isc_interface_t;
-typedef struct isc_interfaceiter	isc_interfaceiter_t;
-typedef struct isc_interval		isc_interval_t;
-typedef struct isc_lex			isc_lex_t;
-typedef struct isc_log 			isc_log_t;
-typedef struct isc_logcategory		isc_logcategory_t;
-typedef struct isc_logconfig		isc_logconfig_t;
-typedef struct isc_logmodule		isc_logmodule_t;
-typedef struct isc_mem			isc_mem_t;
-typedef struct isc_mempool		isc_mempool_t;
-typedef struct isc_msgcat		isc_msgcat_t;
-typedef struct isc_ondestroy		isc_ondestroy_t;
-typedef struct isc_netaddr		isc_netaddr_t;
-typedef struct isc_quota		isc_quota_t;
-typedef struct isc_random		isc_random_t;
-typedef struct isc_ratelimiter		isc_ratelimiter_t;
-typedef struct isc_region		isc_region_t;
-typedef isc_uint64_t			isc_resourcevalue_t;
-typedef unsigned int			isc_result_t;
-typedef struct isc_rwlock		isc_rwlock_t;
-typedef struct isc_sockaddr		isc_sockaddr_t;
-typedef struct isc_socket		isc_socket_t;
-typedef struct isc_socketevent		isc_socketevent_t;
-typedef struct isc_socketmgr		isc_socketmgr_t;
-typedef struct isc_symtab		isc_symtab_t;
-typedef struct isc_task			isc_task_t;
-typedef ISC_LIST(isc_task_t)		isc_tasklist_t;
-typedef struct isc_taskmgr		isc_taskmgr_t;
-typedef struct isc_textregion		isc_textregion_t;
-typedef struct isc_time			isc_time_t;
-typedef struct isc_timer		isc_timer_t;
-typedef struct isc_timermgr		isc_timermgr_t;
+typedef struct isc_bitstring		isc_bitstring_t; 	/*%< Bitstring */
+typedef struct isc_buffer		isc_buffer_t;		/*%< Buffer */
+typedef ISC_LIST(isc_buffer_t)		isc_bufferlist_t;	/*%< Buffer List */
+typedef struct isc_constregion		isc_constregion_t;	/*%< Const region */
+typedef struct isc_consttextregion	isc_consttextregion_t;	/*%< Const Text Region */
+typedef struct isc_entropy		isc_entropy_t;		/*%< Entropy */
+typedef struct isc_entropysource	isc_entropysource_t;	/*%< Entropy Source */
+typedef struct isc_event		isc_event_t;		/*%< Event */
+typedef ISC_LIST(isc_event_t)		isc_eventlist_t;	/*%< Event List */
+typedef unsigned int			isc_eventtype_t;	/*%< Event Type */
+typedef isc_uint32_t			isc_fsaccess_t;		/*%< FS Access */
+typedef struct isc_hash			isc_hash_t;		/*%< Hash */
+typedef struct isc_interface		isc_interface_t;	/*%< Interface */
+typedef struct isc_interfaceiter	isc_interfaceiter_t;	/*%< Interface Iterator */
+typedef struct isc_interval		isc_interval_t;		/*%< Interval */
+typedef struct isc_lex			isc_lex_t;		/*%< Lex */
+typedef struct isc_log 			isc_log_t;		/*%< Log */
+typedef struct isc_logcategory		isc_logcategory_t;	/*%< Log Category */
+typedef struct isc_logconfig		isc_logconfig_t;	/*%< Log Configuration */
+typedef struct isc_logmodule		isc_logmodule_t;	/*%< Log Module */
+typedef struct isc_mem			isc_mem_t;		/*%< Memory */
+typedef struct isc_mempool		isc_mempool_t;		/*%< Memory Pool */
+typedef struct isc_msgcat		isc_msgcat_t;		/*%< Message Catalog */
+typedef struct isc_ondestroy		isc_ondestroy_t;	/*%< On Destroy */
+typedef struct isc_netaddr		isc_netaddr_t;		/*%< Net Address */
+typedef struct isc_quota		isc_quota_t;		/*%< Quota */
+typedef struct isc_random		isc_random_t;		/*%< Random */
+typedef struct isc_ratelimiter		isc_ratelimiter_t;	/*%< Rate Limiter */
+typedef struct isc_region		isc_region_t;		/*%< Region */
+typedef isc_uint64_t			isc_resourcevalue_t;	/*%< Resource Value */
+typedef unsigned int			isc_result_t;		/*%< Result */
+typedef struct isc_rwlock		isc_rwlock_t;		/*%< Read Write Lock */
+typedef struct isc_sockaddr		isc_sockaddr_t;		/*%< Socket Address */
+typedef struct isc_socket		isc_socket_t;		/*%< Socket */
+typedef struct isc_socketevent		isc_socketevent_t;	/*%< Socket Event */
+typedef struct isc_socketmgr		isc_socketmgr_t;	/*%< Socket Manager */
+typedef struct isc_symtab		isc_symtab_t;		/*%< Symbol Table */
+typedef struct isc_task			isc_task_t;		/*%< Task */
+typedef ISC_LIST(isc_task_t)		isc_tasklist_t;		/*%< Task List */
+typedef struct isc_taskmgr		isc_taskmgr_t;		/*%< Task Manager */
+typedef struct isc_textregion		isc_textregion_t;	/*%< Text Region */
+typedef struct isc_time			isc_time_t;		/*%< Time */
+typedef struct isc_timer		isc_timer_t;		/*%< Timer */
+typedef struct isc_timermgr		isc_timermgr_t;		/*%< Timer Manager */
 
 typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
 
+/*% Resource */
 typedef enum {
 	isc_resource_coresize = 1,
 	isc_resource_cputime,
diff --git a/contrib/bind9/lib/isc/include/isc/util.h b/contrib/bind9/lib/isc/include/isc/util.h
index c2798d6..95fe436 100644
--- a/contrib/bind9/lib/isc/include/isc/util.h
+++ b/contrib/bind9/lib/isc/include/isc/util.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,17 +15,18 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: util.h,v 1.21.12.5 2004/03/08 09:04:53 marka Exp $ */
+/* $Id: util.h,v 1.24.18.2 2005/04/29 00:17:04 marka Exp $ */
 
 #ifndef ISC_UTIL_H
 #define ISC_UTIL_H 1
 
-/*
+/*! \file util.h
  * NOTE:
  *
  * This file is not to be included from any <isc/???.h> (or other) library
  * files.
  *
+ * \brief
  * Including this file puts several macros in your name space that are
  * not protected (as all the other ISC functions/macros do) by prepending
  * ISC_ or isc_ to the name.
@@ -35,21 +36,22 @@
  *** General Macros.
  ***/
 
-/*
+/*%
  * Use this to hide unused function arguments.
- *
+ * \code
  * int
  * foo(char *bar)
  * {
  *	UNUSED(bar);
  * }
+ * \endcode
  */
 #define UNUSED(x)      (void)(x)
 
 #define ISC_MAX(a, b)  ((a) > (b) ? (a) : (b))
 #define ISC_MIN(a, b)  ((a) < (b) ? (a) : (b))
 
-/*
+/*%
  * Use this to remove the const qualifier of a variable to assign it to
  * a non-const variable or pass it as a non-const function argument ...
  * but only when you are sure it won't then be changed!
@@ -64,16 +66,15 @@
 		var = _u.v; \
 	} while (0)
 
-/*
+/*%
  * Use this in translation units that would otherwise be empty, to
  * suppress compiler warnings.
  */
 #define EMPTY_TRANSLATION_UNIT static void isc__empty(void) { isc__empty(); }
 
-/*
+/*%
  * We use macros instead of calling the routines directly because
  * the capital letters make the locking stand out.
- *
  * We RUNTIME_CHECK for success since in general there's no way
  * for us to continue if they fail.
  */
@@ -203,9 +204,13 @@
  */
 #include <isc/assertions.h>	/* Contractual promise. */
 
+/*% Require Assertion */
 #define REQUIRE(e)			ISC_REQUIRE(e)
+/*% Ensure Assertion */
 #define ENSURE(e)			ISC_ENSURE(e)
+/*% Insist Assertion */
 #define INSIST(e)			ISC_INSIST(e)
+/*% Invariant Assertion */
 #define INVARIANT(e)			ISC_INVARIANT(e)
 
 /*
@@ -213,11 +218,14 @@
  */
 #include <isc/error.h>		/* Contractual promise. */
 
+/*% Unexpected Error */
 #define UNEXPECTED_ERROR		isc_error_unexpected
+/*% Fatal Error */
 #define FATAL_ERROR			isc_error_fatal
+/*% Runtime Check */
 #define RUNTIME_CHECK(cond)		ISC_ERROR_RUNTIMECHECK(cond)
 
-/*
+/*%
  * Time
  */
 #define TIME_NOW(tp) 	RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
diff --git a/contrib/bind9/lib/isc/include/isc/version.h b/contrib/bind9/lib/isc/include/isc/version.h
index 3da836c..82d4617 100644
--- a/contrib/bind9/lib/isc/include/isc/version.h
+++ b/contrib/bind9/lib/isc/include/isc/version.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.2.220.3 2004/03/08 09:04:54 marka Exp $ */
+/* $Id: version.h,v 1.3.18.2 2005/04/29 00:17:04 marka Exp $ */
+
+/*! \file */
 
 #include <isc/platform.h>
 
diff --git a/contrib/bind9/lib/isc/inet_aton.c b/contrib/bind9/lib/isc/inet_aton.c
index 530b010..1602521 100644
--- a/contrib/bind9/lib/isc/inet_aton.c
+++ b/contrib/bind9/lib/isc/inet_aton.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1996-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -67,10 +67,11 @@
  * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
  * SOFTWARE.
  */
+/*! \file */
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: inet_aton.c,v 1.15.12.3 2004/03/08 09:04:49 marka Exp $";
+static char rcsid[] = "$Id: inet_aton.c,v 1.17.18.2 2005/04/29 00:16:46 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -81,7 +82,7 @@ static char rcsid[] = "$Id: inet_aton.c,v 1.15.12.3 2004/03/08 09:04:49 marka Ex
 #include <isc/types.h>
 #include <isc/net.h>
 
-/*
+/*%
  * Check whether "cp" is a valid ascii representation
  * of an Internet address and convert to a binary address.
  * Returns 1 if the address is valid, 0 if not.
diff --git a/contrib/bind9/lib/isc/inet_ntop.c b/contrib/bind9/lib/isc/inet_ntop.c
index 6dadd73..c0d1161 100644
--- a/contrib/bind9/lib/isc/inet_ntop.c
+++ b/contrib/bind9/lib/isc/inet_ntop.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/*! \file */
+
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: inet_ntop.c,v 1.12.12.4 2004/08/28 06:25:21 marka Exp $";
+	"$Id: inet_ntop.c,v 1.14.18.3 2005/04/29 00:16:46 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -45,12 +47,12 @@ static const char *inet_ntop6(const unsigned char *src, char *dst,
 			      size_t size);
 #endif
 
-/* char *
+/*! char *
  * isc_net_ntop(af, src, dst, size)
  *	convert a network format address to presentation format.
- * return:
+ * \return
  *	pointer to presentation format address (`dst'), or NULL (see errno).
- * author:
+ * \author 
  *	Paul Vixie, 1996.
  */
 const char *
@@ -70,15 +72,16 @@ isc_net_ntop(int af, const void *src, char *dst, size_t size)
 	/* NOTREACHED */
 }
 
-/* const char *
+/*! const char *
  * inet_ntop4(src, dst, size)
  *	format an IPv4 address
- * return:
+ * \return
  *	`dst' (as a const)
- * notes:
+ * \note
  *	(1) uses no statics
+ * \note
  *	(2) takes a unsigned char* not an in_addr as input
- * author:
+ * \author
  *	Paul Vixie, 1996.
  */
 static const char *
@@ -97,10 +100,10 @@ inet_ntop4(const unsigned char *src, char *dst, size_t size)
 	return (dst);
 }
 
-/* const char *
+/*! const char *
  * isc_inet_ntop6(src, dst, size)
  *	convert IPv6 binary address into presentation (printable) format
- * author:
+ * \author
  *	Paul Vixie, 1996.
  */
 #ifdef AF_INET6
diff --git a/contrib/bind9/lib/isc/inet_pton.c b/contrib/bind9/lib/isc/inet_pton.c
index 026fedf..a537e9c 100644
--- a/contrib/bind9/lib/isc/inet_pton.c
+++ b/contrib/bind9/lib/isc/inet_pton.c
@@ -15,9 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/*! \file */
+
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: inet_pton.c,v 1.10.2.4.2.3 2005/03/31 23:56:14 marka Exp $";
+	"$Id: inet_pton.c,v 1.13.18.4 2005/04/29 00:16:46 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -27,8 +29,11 @@ static char rcsid[] =
 
 #include <isc/net.h>
 
+/*% INT16 Size */
 #define NS_INT16SZ	 2
+/*% IPv4 Address Size */
 #define NS_INADDRSZ	 4
+/*% IPv6 Address Size */
 #define NS_IN6ADDRSZ	16
 
 /*
@@ -39,15 +44,14 @@ static char rcsid[] =
 static int inet_pton4(const char *src, unsigned char *dst);
 static int inet_pton6(const char *src, unsigned char *dst);
 
-/* int
- * isc_net_pton(af, src, dst)
+/*% 
  *	convert from presentation format (which usually means ASCII printable)
  *	to network format (which is usually some kind of binary format).
- * return:
+ * \return
  *	1 if the address was valid for the specified address family
  *	0 if the address wasn't valid (`dst' is untouched in this case)
  *	-1 if some other error occurred (`dst' is untouched in this case, too)
- * author:
+ * \author
  *	Paul Vixie, 1996.
  */
 int
@@ -64,14 +68,14 @@ isc_net_pton(int af, const char *src, void *dst) {
 	/* NOTREACHED */
 }
 
-/* int
- * inet_pton4(src, dst)
+/*!\fn static int inet_pton4(const char *src, unsigned char *dst)
+ * \brief
  *	like inet_aton() but without all the hexadecimal and shorthand.
- * return:
+ * \return
  *	1 if `src' is a valid dotted quad, else 0.
- * notice:
+ * \note
  *	does not touch `dst' unless it's returning 1.
- * author:
+ * \author
  *	Paul Vixie, 1996.
  */
 static int
@@ -113,17 +117,17 @@ inet_pton4(const char *src, unsigned char *dst) {
 	return (1);
 }
 
-/* int
- * inet_pton6(src, dst)
+/*%
  *	convert presentation level address to network order binary form.
- * return:
+ * \return
  *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
- * notice:
+ * \note
  *	(1) does not touch `dst' unless it's returning 1.
+ * \note
  *	(2) :: in a full address is silently ignored.
- * credit:
+ * \author
  *	inspired by Mark Andrews.
- * author:
+ * \author
  *	Paul Vixie, 1996.
  */
 static int
diff --git a/contrib/bind9/lib/isc/lex.c b/contrib/bind9/lib/isc/lex.c
index 3511d6b..2e4e48a 100644
--- a/contrib/bind9/lib/isc/lex.c
+++ b/contrib/bind9/lib/isc/lex.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lex.c,v 1.66.2.6.2.10 2006/01/04 23:50:21 marka Exp $ */
+/* $Id: lex.c,v 1.78.18.5 2005/11/30 03:44:39 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -563,7 +565,11 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 			} else if (isdigit((unsigned char)c) &&
 				   (options & ISC_LEXOPT_NUMBER) != 0) {
 				lex->last_was_eol = ISC_FALSE;
-				state = lexstate_number;
+				if ((options & ISC_LEXOPT_OCTAL) != 0 &&
+				    (c == '8' || c == '9'))
+					state = lexstate_string;
+				else
+					state = lexstate_number;
 				goto no_read;
 			} else {
 				lex->last_was_eol = ISC_FALSE;
@@ -584,7 +590,9 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 				    c == '\n' || c == EOF ||
 				    lex->specials[c]) {
 					int base;
-					if ((options & ISC_LEXOPT_CNUMBER) != 0)
+					if ((options & ISC_LEXOPT_OCTAL) != 0)
+						base = 8;
+					else if ((options & ISC_LEXOPT_CNUMBER) != 0)
 						base = 0;
 					else
 						base = 10;
@@ -620,6 +628,9 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 					/* Above test supports hex numbers */
 					state = lexstate_string;
 				}
+			} else if ((options & ISC_LEXOPT_OCTAL) != 0 &&
+				   (c == '8' || c == '9')) {
+				state = lexstate_string;
 			}
 			if (remaining == 0U) {
 				result = grow_data(lex, &remaining,
@@ -821,6 +832,33 @@ isc_lex_getmastertoken(isc_lex_t *lex, isc_token_t *token,
 	return (ISC_R_SUCCESS);
 }
 
+isc_result_t
+isc_lex_getoctaltoken(isc_lex_t *lex, isc_token_t *token, isc_boolean_t eol)
+{
+	unsigned int options = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
+			       ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE|
+			       ISC_LEXOPT_NUMBER | ISC_LEXOPT_OCTAL;
+	isc_result_t result;
+
+	result = isc_lex_gettoken(lex, options, token);
+	if (result == ISC_R_RANGE)
+		isc_lex_ungettoken(lex, token);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (eol && ((token->type == isc_tokentype_eol) ||
+		    (token->type == isc_tokentype_eof)))
+		return (ISC_R_SUCCESS);
+	if (token->type != isc_tokentype_number) {
+		isc_lex_ungettoken(lex, token);
+		if (token->type == isc_tokentype_eol ||
+		    token->type == isc_tokentype_eof)
+			return (ISC_R_UNEXPECTEDEND);
+		return (ISC_R_BADNUMBER);
+	}
+	return (ISC_R_SUCCESS);
+}
+
 void
 isc_lex_ungettoken(isc_lex_t *lex, isc_token_t *tokenp) {
 	inputsource *source;
diff --git a/contrib/bind9/lib/isc/lfsr.c b/contrib/bind9/lib/isc/lfsr.c
index 6d5b7ff..61f9386 100644
--- a/contrib/bind9/lib/isc/lfsr.c
+++ b/contrib/bind9/lib/isc/lfsr.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lfsr.c,v 1.11.2.2.2.6 2005/10/14 01:38:50 marka Exp $ */
+/* $Id: lfsr.c,v 1.14.18.4 2005/10/14 01:28:29 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -50,7 +52,7 @@ isc_lfsr_init(isc_lfsr_t *lfsr, isc_uint32_t state, unsigned int bits,
 		lfsr->state = 0xffffffffU >> (32 - lfsr->bits);
 }
 
-/*
+/*!
  * Return the next state of the lfsr.
  */
 static inline isc_uint32_t
diff --git a/contrib/bind9/lib/isc/lib.c b/contrib/bind9/lib/isc/lib.c
index fa30abf..7a70c12 100644
--- a/contrib/bind9/lib/isc/lib.c
+++ b/contrib/bind9/lib/isc/lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.8.12.3 2004/03/08 09:04:49 marka Exp $ */
+/* $Id: lib.c,v 1.10.18.2 2005/04/29 00:16:47 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -53,7 +55,7 @@ void
 isc_lib_initmsgcat(void) {
 	isc_result_t result;
 
-	/*
+	/*!
 	 * Initialize the ISC library's message catalog, isc_msgcat, if it
 	 * has not already been initialized.
 	 */
diff --git a/contrib/bind9/lib/isc/log.c b/contrib/bind9/lib/isc/log.c
index 511573b..27c01d1 100644
--- a/contrib/bind9/lib/isc/log.c
+++ b/contrib/bind9/lib/isc/log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.70.2.8.2.14 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: log.c,v 1.84.18.8 2006/03/02 00:37:22 marka Exp $ */
 
-/* Principal Authors: DCL */
+/*! \file
+ * \author  Principal Authors: DCL */
 
 #include <config.h>
 
@@ -56,7 +57,7 @@
 #define PATH_MAX 1024	/* AIX and others don't define this. */
 #endif
 
-/*
+/*!
  * This is the structure that holds each named channel.  A simple linked
  * list chains all of the channels together, so an individual channel is
  * found by doing strcmp()s with the names down the list.  Their should
@@ -76,7 +77,7 @@ struct isc_logchannel {
 	ISC_LINK(isc_logchannel_t)	link;
 };
 
-/*
+/*!
  * The logchannellist structure associates categories and modules with
  * channels.  First the appropriate channellist is found based on the
  * category, and then each structure in the linked list is checked for
@@ -92,7 +93,7 @@ struct isc_logchannellist {
 	ISC_LINK(isc_logchannellist_t)	link;
 };
 
-/*
+/*!
  * This structure is used to remember messages for pruning via
  * isc_log_[v]write1().
  */
@@ -104,7 +105,7 @@ struct isc_logmessage {
 	ISC_LINK(isc_logmessage_t)	link;
 };
 
-/*
+/*!
  * The isc_logconfig structure is used to store the configurable information
  * about where messages are actually supposed to be sent -- the information
  * that could changed based on some configuration file, as opposed to the
@@ -123,7 +124,7 @@ struct isc_logconfig {
 	isc_boolean_t			dynamic;
 };
 
-/*
+/*!
  * This isc_log structure provides the context for the isc_log functions.
  * The log context locks itself in isc_log_doit, the internal backend to
  * isc_log_write.  The locking is necessary both to provide exclusive access
@@ -156,7 +157,7 @@ struct isc_log {
 	ISC_LIST(isc_logmessage_t)	messages;
 };
 
-/*
+/*!
  * Used when ISC_LOG_PRINTLEVEL is enabled for a channel.
  */
 static const char *log_level_strings[] = {
@@ -168,7 +169,7 @@ static const char *log_level_strings[] = {
 	"critical"
 };
 
-/*
+/*!
  * Used to convert ISC_LOG_* priorities into syslog priorities.
  * XXXDCL This will need modification for NT.
  */
@@ -181,7 +182,7 @@ static const int syslog_map[] = {
 	LOG_CRIT
 };
 
-/*
+/*!
  * When adding new categories, a corresponding ISC_LOGCATEGORY_foo
  * definition needs to be added to <isc/log.h>.
  *
@@ -195,8 +196,8 @@ LIBISC_EXTERNAL_DATA isc_logcategory_t isc_categories[] = {
 	{ NULL, 0 }
 };
 
-/*
- * See above comment for categories, and apply it to modules.
+/*!
+ * See above comment for categories on LIBISC_EXTERNAL_DATA, and apply it to modules.
  */
 LIBISC_EXTERNAL_DATA isc_logmodule_t isc_modules[] = {
 	{ "socket", 0 },
@@ -206,19 +207,19 @@ LIBISC_EXTERNAL_DATA isc_logmodule_t isc_modules[] = {
 	{ NULL, 0 }
 };
 
-/*
+/*!
  * This essentially constant structure must be filled in at run time,
  * because its channel member is pointed to a channel that is created
  * dynamically with isc_log_createchannel.
  */
 static isc_logchannellist_t default_channel;
 
-/*
+/*!
  * libisc logs to this context.
  */
 LIBISC_EXTERNAL_DATA isc_log_t *isc_lctx = NULL;
 
-/*
+/*!
  * Forward declarations.
  */
 static isc_result_t
@@ -241,7 +242,8 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 	     const char *format, va_list args)
      ISC_FORMAT_PRINTF(9, 0);
 
-/*
+/*@{*/
+/*!
  * Convenience macros.
  */
 
@@ -252,6 +254,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 #define FILE_MAXSIZE(channel)	 (channel->destination.file.maximum_size)
 #define FILE_MAXREACHED(channel) (channel->destination.file.maximum_reached)
 
+/*@}*/
 /****
  **** Public interfaces.
  ****/
@@ -280,7 +283,11 @@ isc_log_create(isc_mem_t *mctx, isc_log_t **lctxp, isc_logconfig_t **lcfgp) {
 
 		ISC_LIST_INIT(lctx->messages);
 
-		RUNTIME_CHECK(isc_mutex_init(&lctx->lock) == ISC_R_SUCCESS);
+		result = isc_mutex_init(&lctx->lock);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(mctx, lctx, sizeof(*lctx));
+			return (result);
+		}
 
 		/*
 		 * Normally setting the magic number is the last step done
diff --git a/contrib/bind9/lib/isc/md5.c b/contrib/bind9/lib/isc/md5.c
index 863612b..07d7546 100644
--- a/contrib/bind9/lib/isc/md5.c
+++ b/contrib/bind9/lib/isc/md5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: md5.c,v 1.9.206.1 2004/03/06 08:14:32 marka Exp $ */
+/* $Id: md5.c,v 1.10.18.2 2005/04/29 00:16:47 marka Exp $ */
 
-/*
+/*! \file
  * This code implements the MD5 message-digest algorithm.
  * The algorithm is due to Ron Rivest.  This code was
  * written by Colin Plumb in 1993, no copyright is claimed.
@@ -54,7 +54,7 @@ byteSwap(isc_uint32_t *buf, unsigned words)
 	} while (--words);
 }
 
-/*
+/*!
  * Start MD5 accumulation.  Set bit count to 0 and buffer to mysterious
  * initialization constants.
  */
@@ -74,19 +74,21 @@ isc_md5_invalidate(isc_md5_t *ctx) {
 	memset(ctx, 0, sizeof(isc_md5_t));
 }
 
-/* The four core functions - F1 is optimized somewhat */
+/*@{*/
+/*! The four core functions - F1 is optimized somewhat */
 
 /* #define F1(x, y, z) (x & y | ~x & z) */
 #define F1(x, y, z) (z ^ (x & (y ^ z)))
 #define F2(x, y, z) F1(z, x, y)
 #define F3(x, y, z) (x ^ y ^ z)
 #define F4(x, y, z) (y ^ (x | ~z))
+/*@}*/
 
-/* This is the central step in the MD5 algorithm. */
+/*! This is the central step in the MD5 algorithm. */
 #define MD5STEP(f,w,x,y,z,in,s) \
 	 (w += f(x,y,z) + in, w = (w<<s | w>>(32-s)) + x)
 
-/*
+/*!
  * The core of the MD5 algorithm, this alters an existing MD5 hash to
  * reflect the addition of 16 longwords of new data.  MD5Update blocks
  * the data and converts bytes into longwords for this routine.
@@ -174,7 +176,7 @@ transform(isc_uint32_t buf[4], isc_uint32_t const in[16]) {
 	buf[3] += d;
 }
 
-/*
+/*!
  * Update context to reflect the concatenation of another buffer full
  * of bytes.
  */
@@ -213,7 +215,7 @@ isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
 	memcpy(ctx->in, buf, len);
 }
 
-/*
+/*!
  * Final wrapup - pad to 64-byte boundary with the bit pattern
  * 1 0* (64-bit count of bits processed, MSB-first)
  */
diff --git a/contrib/bind9/lib/isc/mem.c b/contrib/bind9/lib/isc/mem.c
index f5069fb..35918dc 100644
--- a/contrib/bind9/lib/isc/mem.c
+++ b/contrib/bind9/lib/isc/mem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.c,v 1.98.2.7.2.7 2005/03/17 03:58:32 marka Exp $ */
+/* $Id: mem.c,v 1.116.18.12 2006/12/08 05:07:59 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -28,35 +30,29 @@
 #include <isc/magic.h>
 #include <isc/mem.h>
 #include <isc/msgs.h>
+#include <isc/once.h>
 #include <isc/ondestroy.h>
 #include <isc/string.h>
 
 #include <isc/mutex.h>
 #include <isc/util.h>
 
+#define MCTXLOCK(m, l) if (((m)->flags & ISC_MEMFLAG_NOLOCK) == 0) LOCK(l)
+#define MCTXUNLOCK(m, l) if (((m)->flags & ISC_MEMFLAG_NOLOCK) == 0) UNLOCK(l)
+
 #ifndef ISC_MEM_DEBUGGING
 #define ISC_MEM_DEBUGGING 0
 #endif
 LIBISC_EXTERNAL_DATA unsigned int isc_mem_debugging = ISC_MEM_DEBUGGING;
 
 /*
- * Define ISC_MEM_USE_INTERNAL_MALLOC=1 to use the internal malloc()
- * implementation in preference to the system one.  The internal malloc()
- * is very space-efficient, and quite fast on uniprocessor systems.  It
- * performs poorly on multiprocessor machines.
- */
-#ifndef ISC_MEM_USE_INTERNAL_MALLOC
-#define ISC_MEM_USE_INTERNAL_MALLOC 0
-#endif
-
-/*
  * Constants.
  */
 
 #define DEF_MAX_SIZE		1100
 #define DEF_MEM_TARGET		4096
-#define ALIGNMENT_SIZE		8		/* must be a power of 2 */
-#define NUM_BASIC_BLOCKS	64		/* must be > 1 */
+#define ALIGNMENT_SIZE		8		/*%< must be a power of 2 */
+#define NUM_BASIC_BLOCKS	64		/*%< must be > 1 */
 #define TABLE_INCREMENT		1024
 #define DEBUGLIST_COUNT		1024
 
@@ -87,11 +83,12 @@ struct element {
 };
 
 typedef struct {
-	/*
+	/*!
 	 * This structure must be ALIGNMENT_SIZE bytes.
 	 */
 	union {
 		size_t		size;
+		isc_mem_t	*ctx;
 		char		bytes[ALIGNMENT_SIZE];
 	} u;
 } size_info;
@@ -99,10 +96,8 @@ typedef struct {
 struct stats {
 	unsigned long		gets;
 	unsigned long		totalgets;
-#if ISC_MEM_USE_INTERNAL_MALLOC
 	unsigned long		blocks;
 	unsigned long		freefrags;
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 };
 
 #define MEM_MAGIC		ISC_MAGIC('M', 'e', 'm', 'C')
@@ -112,9 +107,16 @@ struct stats {
 typedef ISC_LIST(debuglink_t)	debuglist_t;
 #endif
 
+/* List of all active memory contexts. */
+
+static ISC_LIST(isc_mem_t)	contexts;
+static isc_once_t		once = ISC_ONCE_INIT;
+static isc_mutex_t		lock;
+
 struct isc_mem {
 	unsigned int		magic;
 	isc_ondestroy_t		ondestroy;
+	unsigned int		flags;
 	isc_mutex_t		lock;
 	isc_memalloc_t		memalloc;
 	isc_memfree_t		memfree;
@@ -134,7 +136,7 @@ struct isc_mem {
 	void *			water_arg;
 	ISC_LIST(isc_mempool_t)	pools;
 
-#if ISC_MEM_USE_INTERNAL_MALLOC
+	/*  ISC_MEMFLAG_INTERNAL */
 	size_t			mem_target;
 	element **		freelists;
 	element *		basic_blocks;
@@ -143,13 +145,13 @@ struct isc_mem {
 	unsigned int		basic_table_size;
 	unsigned char *		lowest;
 	unsigned char *		highest;
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 
 #if ISC_MEM_TRACKLINES
 	debuglist_t *	 	debuglist;
 #endif
 
 	unsigned int		memalloc_failures;
+	ISC_LINK(isc_mem_t)	link;
 };
 
 #define MEMPOOL_MAGIC		ISC_MAGIC('M', 'E', 'M', 'p')
@@ -157,24 +159,24 @@ struct isc_mem {
 
 struct isc_mempool {
 	/* always unlocked */
-	unsigned int	magic;		/* magic number */
-	isc_mutex_t    *lock;		/* optional lock */
-	isc_mem_t      *mctx;		/* our memory context */
-	/* locked via the memory context's lock */
-	ISC_LINK(isc_mempool_t)	link;	/* next pool in this mem context */
-	/* optionally locked from here down */
-	element	       *items;		/* low water item list */
-	size_t		size;		/* size of each item on this pool */
-	unsigned int	maxalloc;	/* max number of items allowed */
-	unsigned int	allocated;	/* # of items currently given out */
-	unsigned int	freecount;	/* # of items on reserved list */
-	unsigned int	freemax;	/* # of items allowed on free list */
-	unsigned int	fillcount;	/* # of items to fetch on each fill */
-	/* Stats only. */
-	unsigned int	gets;		/* # of requests to this pool */
-	/* Debugging only. */
+	unsigned int	magic;		/*%< magic number */
+	isc_mutex_t    *lock;		/*%< optional lock */
+	isc_mem_t      *mctx;		/*%< our memory context */
+	/*%< locked via the memory context's lock */
+	ISC_LINK(isc_mempool_t)	link;	/*%< next pool in this mem context */
+	/*%< optionally locked from here down */
+	element	       *items;		/*%< low water item list */
+	size_t		size;		/*%< size of each item on this pool */
+	unsigned int	maxalloc;	/*%< max number of items allowed */
+	unsigned int	allocated;	/*%< # of items currently given out */
+	unsigned int	freecount;	/*%< # of items on reserved list */
+	unsigned int	freemax;	/*%< # of items allowed on free list */
+	unsigned int	fillcount;	/*%< # of items to fetch on each fill */
+	/*%< Stats only. */
+	unsigned int	gets;		/*%< # of requests to this pool */
+	/*%< Debugging only. */
 #if ISC_MEMPOOL_NAMES
-	char		name[16];	/* printed name in stats reports */
+	char		name[16];	/*%< printed name in stats reports */
 #endif
 };
 
@@ -198,7 +200,7 @@ struct isc_mempool {
 static void
 print_active(isc_mem_t *ctx, FILE *out);
 
-/*
+/*!
  * mctx must be locked.
  */
 static inline void
@@ -309,7 +311,6 @@ delete_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size,
 }
 #endif /* ISC_MEM_TRACKLINES */
 
-#if ISC_MEM_USE_INTERNAL_MALLOC
 static inline size_t
 rmsize(size_t size) {
 	/*
@@ -320,13 +321,13 @@ rmsize(size_t size) {
 
 static inline size_t
 quantize(size_t size) {
-	/*
+	/*!
 	 * Round up the result in order to get a size big
 	 * enough to satisfy the request and be aligned on ALIGNMENT_SIZE
 	 * byte boundaries.
 	 */
 
-	if (size == 0)
+	if (size == 0U)
 		return (ALIGNMENT_SIZE);
 	return ((size + ALIGNMENT_SIZE - 1) & (~(ALIGNMENT_SIZE - 1)));
 }
@@ -347,7 +348,7 @@ more_basic_blocks(isc_mem_t *ctx) {
 	 * Did we hit the quota for this context?
 	 */
 	increment = NUM_BASIC_BLOCKS * ctx->mem_target;
-	if (ctx->quota != 0 && ctx->total + increment > ctx->quota)
+	if (ctx->quota != 0U && ctx->total + increment > ctx->quota)
 		return (ISC_FALSE);
 
 	INSIST(ctx->basic_table_count <= ctx->basic_table_size);
@@ -408,7 +409,7 @@ more_frags(isc_mem_t *ctx, size_t new_size) {
 	void *new;
 	unsigned char *curr, *next;
 
-	/*
+	/*!
 	 * Try to get more fragments by chopping up a basic block.
 	 */
 
@@ -448,7 +449,7 @@ more_frags(isc_mem_t *ctx, size_t new_size) {
 	 * Add the remaining fragment of the basic block to a free list.
 	 */
 	total_size = rmsize(total_size);
-	if (total_size > 0) {
+	if (total_size > 0U) {
 		((element *)next)->next = ctx->freelists[total_size];
 		ctx->freelists[total_size] = (element *)next;
 		ctx->stats[total_size].freefrags++;
@@ -472,7 +473,7 @@ mem_getunlocked(isc_mem_t *ctx, size_t size) {
 		/*
 		 * memget() was called on something beyond our upper limit.
 		 */
-		if (ctx->quota != 0 && ctx->total + size > ctx->quota) {
+		if (ctx->quota != 0U && ctx->total + size > ctx->quota) {
 			ret = NULL;
 			goto done;
 		}
@@ -556,7 +557,7 @@ mem_putunlocked(isc_mem_t *ctx, void *mem, size_t size) {
 		memset(mem, 0xde, size); /* Mnemonic for "dead". */
 #endif
 		(ctx->memfree)(ctx->arg, mem);
-		INSIST(ctx->stats[ctx->max_size].gets != 0);
+		INSIST(ctx->stats[ctx->max_size].gets != 0U);
 		ctx->stats[ctx->max_size].gets--;
 		INSIST(size <= ctx->total);
 		ctx->inuse -= size;
@@ -583,15 +584,13 @@ mem_putunlocked(isc_mem_t *ctx, void *mem, size_t size) {
 	 * max. size (max_size) ends up getting recorded as a call to
 	 * max_size.
 	 */
-	INSIST(ctx->stats[size].gets != 0);
+	INSIST(ctx->stats[size].gets != 0U);
 	ctx->stats[size].gets--;
 	ctx->stats[new_size].freefrags++;
 	ctx->inuse -= new_size;
 }
 
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
-
-/*
+/*!
  * Perform a malloc, doing memory filling and overrun detection as necessary.
  */
 static inline void *
@@ -619,7 +618,7 @@ mem_get(isc_mem_t *ctx, size_t size) {
 	return (ret);
 }
 
-/*
+/*!
  * Perform a free, doing memory filling and overrun detection as necessary.
  */
 static inline void
@@ -635,7 +634,7 @@ mem_put(isc_mem_t *ctx, void *mem, size_t size) {
 	(ctx->memfree)(ctx->arg, mem);
 }
 
-/*
+/*!
  * Update internal counters after a memory get.
  */
 static inline void
@@ -652,7 +651,7 @@ mem_getstats(isc_mem_t *ctx, size_t size) {
 	}
 }
 
-/*
+/*!
  * Update internal counters after a memory put.
  */
 static inline void
@@ -671,8 +670,6 @@ mem_putstats(isc_mem_t *ctx, void *ptr, size_t size) {
 	}
 }
 
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-
 /*
  * Private.
  */
@@ -691,6 +688,11 @@ default_memfree(void *arg, void *ptr) {
 	free(ptr);
 }
 
+static void
+initialize_action(void) {
+        RUNTIME_CHECK(isc_mutex_init(&lock) == ISC_R_SUCCESS);
+}
+
 /*
  * Public.
  */
@@ -700,6 +702,16 @@ isc_mem_createx(size_t init_max_size, size_t target_size,
 		isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
 		isc_mem_t **ctxp)
 {
+	return (isc_mem_createx2(init_max_size, target_size, memalloc, memfree,
+				 arg, ctxp, ISC_MEMFLAG_DEFAULT));
+				 
+}
+
+isc_result_t
+isc_mem_createx2(size_t init_max_size, size_t target_size,
+		 isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
+		 isc_mem_t **ctxp, unsigned int flags)
+{
 	isc_mem_t *ctx;
 	isc_result_t result;
 
@@ -709,27 +721,25 @@ isc_mem_createx(size_t init_max_size, size_t target_size,
 
 	INSIST((ALIGNMENT_SIZE & (ALIGNMENT_SIZE - 1)) == 0);
 
-#if !ISC_MEM_USE_INTERNAL_MALLOC
-	UNUSED(target_size);
-#endif
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
 
 	ctx = (memalloc)(arg, sizeof(*ctx));
 	if (ctx == NULL)
 		return (ISC_R_NOMEMORY);
 
-	if (isc_mutex_init(&ctx->lock) != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		(memfree)(arg, ctx);
-		return (ISC_R_UNEXPECTED);
+	if ((flags & ISC_MEMFLAG_NOLOCK) == 0) {
+		result = isc_mutex_init(&ctx->lock);
+		if (result != ISC_R_SUCCESS) {
+			(memfree)(arg, ctx);
+			return (result);
+		}
 	}
 
 	if (init_max_size == 0U)
 		ctx->max_size = DEF_MAX_SIZE;
 	else
 		ctx->max_size = init_max_size;
+	ctx->flags = flags;
 	ctx->references = 1;
 	ctx->quota = 0;
 	ctx->total = 0;
@@ -751,10 +761,13 @@ isc_mem_createx(size_t init_max_size, size_t target_size,
 	ctx->debuglist = NULL;
 #endif
 	ISC_LIST_INIT(ctx->pools);
-
-#if ISC_MEM_USE_INTERNAL_MALLOC
 	ctx->freelists = NULL;
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+	ctx->basic_blocks = NULL;
+	ctx->basic_table = NULL;
+	ctx->basic_table_count = 0;
+	ctx->basic_table_size = 0;
+	ctx->lowest = NULL;
+	ctx->highest = NULL;
 
 	ctx->stats = (memalloc)(arg,
 				(ctx->max_size+1) * sizeof(struct stats));
@@ -764,25 +777,20 @@ isc_mem_createx(size_t init_max_size, size_t target_size,
 	}
 	memset(ctx->stats, 0, (ctx->max_size + 1) * sizeof(struct stats));
 
-#if ISC_MEM_USE_INTERNAL_MALLOC
-	if (target_size == 0)
-		ctx->mem_target = DEF_MEM_TARGET;
-	else
-		ctx->mem_target = target_size;
-	ctx->freelists = (memalloc)(arg, ctx->max_size * sizeof(element *));
-	if (ctx->freelists == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto error;
+	if ((flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		if (target_size == 0U)
+			ctx->mem_target = DEF_MEM_TARGET;
+		else
+			ctx->mem_target = target_size;
+		ctx->freelists = (memalloc)(arg, ctx->max_size *
+						 sizeof(element *));
+		if (ctx->freelists == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto error;
+		}
+		memset(ctx->freelists, 0,
+		       ctx->max_size * sizeof(element *));
 	}
-	memset(ctx->freelists, 0,
-	       ctx->max_size * sizeof(element *));
-	ctx->basic_blocks = NULL;
-	ctx->basic_table = NULL;
-	ctx->basic_table_count = 0;
-	ctx->basic_table_size = 0;
-	ctx->lowest = NULL;
-	ctx->highest = NULL;
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 
 #if ISC_MEM_TRACKLINES
 	if ((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0) {
@@ -801,6 +809,10 @@ isc_mem_createx(size_t init_max_size, size_t target_size,
 
 	ctx->memalloc_failures = 0;
 
+	LOCK(&lock);
+	ISC_LIST_INITANDAPPEND(contexts, ctx, link);
+	UNLOCK(&lock);
+
 	*ctxp = ctx;
 	return (ISC_R_SUCCESS);
 
@@ -808,15 +820,14 @@ isc_mem_createx(size_t init_max_size, size_t target_size,
 	if (ctx != NULL) {
 		if (ctx->stats != NULL)
 			(memfree)(arg, ctx->stats);
-#if ISC_MEM_USE_INTERNAL_MALLOC
 		if (ctx->freelists != NULL)
 			(memfree)(arg, ctx->freelists);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 #if ISC_MEM_TRACKLINES
 		if (ctx->debuglist != NULL)
 			(ctx->memfree)(ctx->arg, ctx->debuglist);
 #endif /* ISC_MEM_TRACKLINES */
-		DESTROYLOCK(&ctx->lock);
+		if ((ctx->flags & ISC_MEMFLAG_NOLOCK) == 0)
+			DESTROYLOCK(&ctx->lock);
 		(memfree)(arg, ctx);
 	}
 
@@ -827,9 +838,18 @@ isc_result_t
 isc_mem_create(size_t init_max_size, size_t target_size,
 	       isc_mem_t **ctxp)
 {
-	return (isc_mem_createx(init_max_size, target_size,
-				default_memalloc, default_memfree, NULL,
-				ctxp));
+	return (isc_mem_createx2(init_max_size, target_size,
+				 default_memalloc, default_memfree, NULL,
+				 ctxp, ISC_MEMFLAG_DEFAULT));
+}
+
+isc_result_t
+isc_mem_create2(size_t init_max_size, size_t target_size,
+		isc_mem_t **ctxp, unsigned int flags)
+{
+	return (isc_mem_createx2(init_max_size, target_size,
+				 default_memalloc, default_memfree, NULL,
+				 ctxp, flags));
 }
 
 static void
@@ -839,9 +859,11 @@ destroy(isc_mem_t *ctx) {
 
 	ctx->magic = 0;
 
-#if ISC_MEM_USE_INTERNAL_MALLOC
+	LOCK(&lock);
+	ISC_LIST_UNLINK(contexts, ctx, link);
+	UNLOCK(&lock);
+
 	INSIST(ISC_LIST_EMPTY(ctx->pools));
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 
 #if ISC_MEM_TRACKLINES
 	if (ctx->debuglist != NULL) {
@@ -880,16 +902,17 @@ destroy(isc_mem_t *ctx) {
 
 	(ctx->memfree)(ctx->arg, ctx->stats);
 
-#if ISC_MEM_USE_INTERNAL_MALLOC
-	for (i = 0; i < ctx->basic_table_count; i++)
-		(ctx->memfree)(ctx->arg, ctx->basic_table[i]);
-	(ctx->memfree)(ctx->arg, ctx->freelists);
-	(ctx->memfree)(ctx->arg, ctx->basic_table);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		for (i = 0; i < ctx->basic_table_count; i++)
+			(ctx->memfree)(ctx->arg, ctx->basic_table[i]);
+		(ctx->memfree)(ctx->arg, ctx->freelists);
+		(ctx->memfree)(ctx->arg, ctx->basic_table);
+	}
 
 	ondest = ctx->ondestroy;
 
-	DESTROYLOCK(&ctx->lock);
+	if ((ctx->flags & ISC_MEMFLAG_NOLOCK) == 0)
+		DESTROYLOCK(&ctx->lock);
 	(ctx->memfree)(ctx->arg, ctx);
 
 	isc_ondestroy_notify(&ondest, ctx);
@@ -900,9 +923,9 @@ isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) {
 	REQUIRE(VALID_CONTEXT(source));
 	REQUIRE(targetp != NULL && *targetp == NULL);
 
-	LOCK(&source->lock);
+	MCTXLOCK(source, &source->lock);
 	source->references++;
-	UNLOCK(&source->lock);
+	MCTXUNLOCK(source, &source->lock);
 
 	*targetp = source;
 }
@@ -916,12 +939,12 @@ isc_mem_detach(isc_mem_t **ctxp) {
 	ctx = *ctxp;
 	REQUIRE(VALID_CONTEXT(ctx));
 
-	LOCK(&ctx->lock);
+	MCTXLOCK(ctx, &ctx->lock);
 	INSIST(ctx->references > 0);
 	ctx->references--;
 	if (ctx->references == 0)
 		want_destroy = ISC_TRUE;
-	UNLOCK(&ctx->lock);
+	MCTXUNLOCK(ctx, &ctx->lock);
 
 	if (want_destroy)
 		destroy(ctx);
@@ -943,6 +966,8 @@ void
 isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
 	isc_mem_t *ctx;
 	isc_boolean_t want_destroy = ISC_FALSE;
+	size_info *si;
+	size_t oldsize;
 
 	REQUIRE(ctxp != NULL);
 	ctx = *ctxp;
@@ -955,14 +980,35 @@ isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
 	 */
 	*ctxp = NULL;
 
-#if ISC_MEM_USE_INTERNAL_MALLOC
-	LOCK(&ctx->lock);
-	mem_putunlocked(ctx, ptr, size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
-	mem_put(ctx, ptr, size);
-	LOCK(&ctx->lock);
-	mem_putstats(ctx, ptr, size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+	if ((isc_mem_debugging & (ISC_MEM_DEBUGSIZE|ISC_MEM_DEBUGCTX)) != 0) {
+		if ((isc_mem_debugging & ISC_MEM_DEBUGSIZE) != 0) {
+			si = &(((size_info *)ptr)[-1]);
+			oldsize = si->u.size - ALIGNMENT_SIZE;
+			if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0)
+				oldsize -= ALIGNMENT_SIZE;
+			INSIST(oldsize == size);
+		}
+		isc__mem_free(ctx, ptr FLARG_PASS);
+
+		MCTXLOCK(ctx, &ctx->lock);
+		ctx->references--;
+		if (ctx->references == 0)
+			want_destroy = ISC_TRUE;
+		MCTXUNLOCK(ctx, &ctx->lock);
+		if (want_destroy)
+			destroy(ctx);
+
+		return;
+	}
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		MCTXLOCK(ctx, &ctx->lock);
+		mem_putunlocked(ctx, ptr, size);
+	} else {
+		mem_put(ctx, ptr, size);
+		MCTXLOCK(ctx, &ctx->lock);
+		mem_putstats(ctx, ptr, size);
+	}
 
 	DELETE_TRACE(ctx, ptr, size, file, line);
 	INSIST(ctx->references > 0);
@@ -970,7 +1016,7 @@ isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
 	if (ctx->references == 0)
 		want_destroy = ISC_TRUE;
 
-	UNLOCK(&ctx->lock);
+	MCTXUNLOCK(ctx, &ctx->lock);
 
 	if (want_destroy)
 		destroy(ctx);
@@ -989,14 +1035,14 @@ isc_mem_destroy(isc_mem_t **ctxp) {
 	ctx = *ctxp;
 	REQUIRE(VALID_CONTEXT(ctx));
 
-	LOCK(&ctx->lock);
+	MCTXLOCK(ctx, &ctx->lock);
 #if ISC_MEM_TRACKLINES
 	if (ctx->references != 1)
 		print_active(ctx, stderr);
 #endif
 	REQUIRE(ctx->references == 1);
 	ctx->references--;
-	UNLOCK(&ctx->lock);
+	MCTXUNLOCK(ctx, &ctx->lock);
 
 	destroy(ctx);
 
@@ -1007,9 +1053,9 @@ isc_result_t
 isc_mem_ondestroy(isc_mem_t *ctx, isc_task_t *task, isc_event_t **event) {
 	isc_result_t res;
 
-	LOCK(&ctx->lock);
+	MCTXLOCK(ctx, &ctx->lock);
 	res = isc_ondestroy_register(&ctx->ondestroy, task, event);
-	UNLOCK(&ctx->lock);
+	MCTXUNLOCK(ctx, &ctx->lock);
 
 	return (res);
 }
@@ -1022,15 +1068,18 @@ isc__mem_get(isc_mem_t *ctx, size_t size FLARG) {
 
 	REQUIRE(VALID_CONTEXT(ctx));
 
-#if ISC_MEM_USE_INTERNAL_MALLOC
-	LOCK(&ctx->lock);
-	ptr = mem_getunlocked(ctx, size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
-	ptr = mem_get(ctx, size);
-	LOCK(&ctx->lock);
-	if (ptr != NULL)
-		mem_getstats(ctx, size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+	if ((isc_mem_debugging & (ISC_MEM_DEBUGSIZE|ISC_MEM_DEBUGCTX)) != 0)
+		return (isc__mem_allocate(ctx, size FLARG_PASS));
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		MCTXLOCK(ctx, &ctx->lock);
+		ptr = mem_getunlocked(ctx, size);
+	} else {
+		ptr = mem_get(ctx, size);
+		MCTXLOCK(ctx, &ctx->lock);
+		if (ptr != NULL)
+			mem_getstats(ctx, size);
+	}
 
 	ADD_TRACE(ctx, ptr, size, file, line);
 	if (ctx->hi_water != 0U && !ctx->hi_called &&
@@ -1045,7 +1094,7 @@ isc__mem_get(isc_mem_t *ctx, size_t size FLARG) {
 			fprintf(stderr, "maxinuse = %lu\n",
 				(unsigned long)ctx->inuse);
 	}
-	UNLOCK(&ctx->lock);
+	MCTXUNLOCK(ctx, &ctx->lock);
 
 	if (call_water)
 		(ctx->water)(ctx->water_arg, ISC_MEM_HIWATER);
@@ -1057,18 +1106,32 @@ void
 isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG)
 {
 	isc_boolean_t call_water = ISC_FALSE;
+	size_info *si;
+	size_t oldsize;
 
 	REQUIRE(VALID_CONTEXT(ctx));
 	REQUIRE(ptr != NULL);
 
-#if ISC_MEM_USE_INTERNAL_MALLOC
-	LOCK(&ctx->lock);
-	mem_putunlocked(ctx, ptr, size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
-	mem_put(ctx, ptr, size);
-	LOCK(&ctx->lock);
-	mem_putstats(ctx, ptr, size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+	if ((isc_mem_debugging & (ISC_MEM_DEBUGSIZE|ISC_MEM_DEBUGCTX)) != 0) {
+		if ((isc_mem_debugging & ISC_MEM_DEBUGSIZE) != 0) {
+			si = &(((size_info *)ptr)[-1]);
+			oldsize = si->u.size - ALIGNMENT_SIZE;
+			if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0)
+				oldsize -= ALIGNMENT_SIZE;
+			INSIST(oldsize == size);
+		}
+		isc__mem_free(ctx, ptr FLARG_PASS);
+		return;
+	}
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		MCTXLOCK(ctx, &ctx->lock);
+		mem_putunlocked(ctx, ptr, size);
+	} else {
+		mem_put(ctx, ptr, size);
+		MCTXLOCK(ctx, &ctx->lock);
+		mem_putstats(ctx, ptr, size);
+	}
 
 	DELETE_TRACE(ctx, ptr, size, file, line);
 
@@ -1084,7 +1147,7 @@ isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG)
 		if (ctx->water != NULL)
 			call_water = ISC_TRUE;
 	}
-	UNLOCK(&ctx->lock);
+	MCTXUNLOCK(ctx, &ctx->lock);
 
 	if (call_water)
 		(ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
@@ -1141,7 +1204,7 @@ isc_mem_stats(isc_mem_t *ctx, FILE *out) {
 	const isc_mempool_t *pool;
 
 	REQUIRE(VALID_CONTEXT(ctx));
-	LOCK(&ctx->lock);
+	MCTXLOCK(ctx, &ctx->lock);
 
 	for (i = 0; i <= ctx->max_size; i++) {
 		s = &ctx->stats[i];
@@ -1151,11 +1214,10 @@ isc_mem_stats(isc_mem_t *ctx, FILE *out) {
 		fprintf(out, "%s%5lu: %11lu gets, %11lu rem",
 			(i == ctx->max_size) ? ">=" : "  ",
 			(unsigned long) i, s->totalgets, s->gets);
-#if ISC_MEM_USE_INTERNAL_MALLOC
-		if (s->blocks != 0 || s->freefrags != 0)
+		if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0 &&
+		    (s->blocks != 0U || s->freefrags != 0U))
 			fprintf(out, " (%lu bl, %lu ff)",
 				s->blocks, s->freefrags);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 		fputc('\n', out);
 	}
 
@@ -1203,7 +1265,7 @@ isc_mem_stats(isc_mem_t *ctx, FILE *out) {
 	print_active(ctx, out);
 #endif
 
-	UNLOCK(&ctx->lock);
+	MCTXUNLOCK(ctx, &ctx->lock);
 }
 
 /*
@@ -1216,13 +1278,20 @@ isc__mem_allocateunlocked(isc_mem_t *ctx, size_t size) {
 	size_info *si;
 
 	size += ALIGNMENT_SIZE;
-#if ISC_MEM_USE_INTERNAL_MALLOC
-	si = mem_getunlocked(ctx, size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
-	si = mem_get(ctx, size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+	if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0)
+		size += ALIGNMENT_SIZE;
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0)
+		si = mem_getunlocked(ctx, size);
+	else
+		si = mem_get(ctx, size);
+
 	if (si == NULL)
 		return (NULL);
+	if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) {
+		si->u.ctx = ctx;
+		si++;
+	}
 	si->u.size = size;
 	return (&si[1]);
 }
@@ -1230,24 +1299,39 @@ isc__mem_allocateunlocked(isc_mem_t *ctx, size_t size) {
 void *
 isc__mem_allocate(isc_mem_t *ctx, size_t size FLARG) {
 	size_info *si;
+	isc_boolean_t call_water = ISC_FALSE;
 
 	REQUIRE(VALID_CONTEXT(ctx));
 
-#if ISC_MEM_USE_INTERNAL_MALLOC
-	LOCK(&ctx->lock);
-	si = isc__mem_allocateunlocked(ctx, size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
-	si = isc__mem_allocateunlocked(ctx, size);
-	LOCK(&ctx->lock);
-	if (si != NULL)
-		mem_getstats(ctx, si[-1].u.size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		MCTXLOCK(ctx, &ctx->lock);
+		si = isc__mem_allocateunlocked(ctx, size);
+	} else {
+		si = isc__mem_allocateunlocked(ctx, size);
+		MCTXLOCK(ctx, &ctx->lock);
+		if (si != NULL)
+			mem_getstats(ctx, si[-1].u.size);
+	}
 
 #if ISC_MEM_TRACKLINES
 	ADD_TRACE(ctx, si, si[-1].u.size, file, line);
 #endif
+	if (ctx->hi_water != 0U && !ctx->hi_called &&
+	    ctx->inuse > ctx->hi_water) {
+		ctx->hi_called = ISC_TRUE;
+		call_water = ISC_TRUE;
+	}
+	if (ctx->inuse > ctx->maxinuse) {
+		ctx->maxinuse = ctx->inuse;
+		if (ctx->hi_water != 0U && ctx->inuse > ctx->hi_water &&
+		    (isc_mem_debugging & ISC_MEM_DEBUGUSAGE) != 0)
+			fprintf(stderr, "maxinuse = %lu\n",
+				(unsigned long)ctx->inuse);
+	}
+	MCTXUNLOCK(ctx, &ctx->lock);
 
-	UNLOCK(&ctx->lock);
+	if (call_water)
+		(ctx->water)(ctx->water_arg, ISC_MEM_HIWATER);
 
 	return (si);
 }
@@ -1256,25 +1340,47 @@ void
 isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) {
 	size_info *si;
 	size_t size;
+	isc_boolean_t call_water= ISC_FALSE;
 
 	REQUIRE(VALID_CONTEXT(ctx));
 	REQUIRE(ptr != NULL);
 
-	si = &(((size_info *)ptr)[-1]);
-	size = si->u.size;
+	if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) {
+		si = &(((size_info *)ptr)[-2]);
+		REQUIRE(si->u.ctx == ctx);
+		size = si[1].u.size;
+	} else {
+		si = &(((size_info *)ptr)[-1]);
+		size = si->u.size;
+	}
 
-#if ISC_MEM_USE_INTERNAL_MALLOC
-	LOCK(&ctx->lock);
-	mem_putunlocked(ctx, si, size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
-	mem_put(ctx, si, size);
-	LOCK(&ctx->lock);
-	mem_putstats(ctx, si, size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		MCTXLOCK(ctx, &ctx->lock);
+		mem_putunlocked(ctx, si, size);
+	} else {
+		mem_put(ctx, si, size);
+		MCTXLOCK(ctx, &ctx->lock);
+		mem_putstats(ctx, si, size);
+	}
 
 	DELETE_TRACE(ctx, ptr, size, file, line);
 
-	UNLOCK(&ctx->lock);
+	/*
+	 * The check against ctx->lo_water == 0 is for the condition
+	 * when the context was pushed over hi_water but then had
+	 * isc_mem_setwater() called with 0 for hi_water and lo_water.
+	 */
+	if (ctx->hi_called && 
+	    (ctx->inuse < ctx->lo_water || ctx->lo_water == 0U)) {
+		ctx->hi_called = ISC_FALSE;
+
+		if (ctx->water != NULL)
+			call_water = ISC_TRUE;
+	}
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	if (call_water)
+		(ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
 }
 
 
@@ -1303,11 +1409,11 @@ isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
 void
 isc_mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag) {
 	REQUIRE(VALID_CONTEXT(ctx));
-	LOCK(&ctx->lock);
+	MCTXLOCK(ctx, &ctx->lock);
 
 	ctx->checkfree = flag;
 
-	UNLOCK(&ctx->lock);
+	MCTXUNLOCK(ctx, &ctx->lock);
 }
 
 /*
@@ -1317,11 +1423,11 @@ isc_mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag) {
 void
 isc_mem_setquota(isc_mem_t *ctx, size_t quota) {
 	REQUIRE(VALID_CONTEXT(ctx));
-	LOCK(&ctx->lock);
+	MCTXLOCK(ctx, &ctx->lock);
 
 	ctx->quota = quota;
 
-	UNLOCK(&ctx->lock);
+	MCTXUNLOCK(ctx, &ctx->lock);
 }
 
 size_t
@@ -1329,11 +1435,11 @@ isc_mem_getquota(isc_mem_t *ctx) {
 	size_t quota;
 
 	REQUIRE(VALID_CONTEXT(ctx));
-	LOCK(&ctx->lock);
+	MCTXLOCK(ctx, &ctx->lock);
 
 	quota = ctx->quota;
 
-	UNLOCK(&ctx->lock);
+	MCTXUNLOCK(ctx, &ctx->lock);
 
 	return (quota);
 }
@@ -1343,11 +1449,11 @@ isc_mem_inuse(isc_mem_t *ctx) {
 	size_t inuse;
 
 	REQUIRE(VALID_CONTEXT(ctx));
-	LOCK(&ctx->lock);
+	MCTXLOCK(ctx, &ctx->lock);
 
 	inuse = ctx->inuse;
 
-	UNLOCK(&ctx->lock);
+	MCTXUNLOCK(ctx, &ctx->lock);
 
 	return (inuse);
 }
@@ -1356,24 +1462,38 @@ void
 isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
                  size_t hiwater, size_t lowater)
 {
+	isc_boolean_t callwater = ISC_FALSE;
+	isc_mem_water_t oldwater;
+	void *oldwater_arg;
+
 	REQUIRE(VALID_CONTEXT(ctx));
 	REQUIRE(hiwater >= lowater);
 
-	LOCK(&ctx->lock);
+	MCTXLOCK(ctx, &ctx->lock);
+	oldwater = ctx->water;
+	oldwater_arg = ctx->water_arg;
 	if (water == NULL) {
+		callwater = ctx->hi_called;
 		ctx->water = NULL;
 		ctx->water_arg = NULL;
 		ctx->hi_water = 0;
 		ctx->lo_water = 0;
 		ctx->hi_called = ISC_FALSE;
 	} else {
+		if (ctx->hi_called &&
+		    (ctx->water != water || ctx->water_arg != water_arg ||
+		     ctx->inuse < lowater || lowater == 0U))
+			callwater = ISC_TRUE;
 		ctx->water = water;
 		ctx->water_arg = water_arg;
 		ctx->hi_water = hiwater;
 		ctx->lo_water = lowater;
 		ctx->hi_called = ISC_FALSE;
 	}
-	UNLOCK(&ctx->lock);
+	MCTXUNLOCK(ctx, &ctx->lock);
+	
+	if (callwater && oldwater != NULL)
+		(oldwater)(oldwater_arg, ISC_MEM_LOWATER);
 }
 
 /*
@@ -1413,9 +1533,9 @@ isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
 
 	*mpctxp = mpctx;
 
-	LOCK(&mctx->lock);
+	MCTXLOCK(mctx, &mctx->lock);
 	ISC_LIST_INITANDAPPEND(mctx->pools, mpctx, link);
-	UNLOCK(&mctx->lock);
+	MCTXUNLOCK(mctx, &mctx->lock);
 
 	return (ISC_R_SUCCESS);
 }
@@ -1468,28 +1588,28 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) {
 	/*
 	 * Return any items on the free list
 	 */
-	LOCK(&mctx->lock);
+	MCTXLOCK(mctx, &mctx->lock);
 	while (mpctx->items != NULL) {
 		INSIST(mpctx->freecount > 0);
 		mpctx->freecount--;
 		item = mpctx->items;
 		mpctx->items = item->next;
 
-#if ISC_MEM_USE_INTERNAL_MALLOC
-		mem_putunlocked(mctx, item, mpctx->size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
-		mem_put(mctx, item, mpctx->size);
-		mem_putstats(mctx, item, mpctx->size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+		if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+			mem_putunlocked(mctx, item, mpctx->size);
+		} else {
+			mem_put(mctx, item, mpctx->size);
+			mem_putstats(mctx, item, mpctx->size);
+		}
 	}
-	UNLOCK(&mctx->lock);
+	MCTXUNLOCK(mctx, &mctx->lock);
 
 	/*
 	 * Remove our linked list entry from the memory context.
 	 */
-	LOCK(&mctx->lock);
+	MCTXLOCK(mctx, &mctx->lock);
 	ISC_LIST_UNLINK(mctx->pools, mpctx, link);
-	UNLOCK(&mctx->lock);
+	MCTXUNLOCK(mctx, &mctx->lock);
 
 	mpctx->magic = 0;
 
@@ -1548,22 +1668,22 @@ isc__mempool_get(isc_mempool_t *mpctx FLARG) {
 	 * We need to dip into the well.  Lock the memory context here and
 	 * fill up our free list.
 	 */
-	LOCK(&mctx->lock);
+	MCTXLOCK(mctx, &mctx->lock);
 	for (i = 0; i < mpctx->fillcount; i++) {
-#if ISC_MEM_USE_INTERNAL_MALLOC
-		item = mem_getunlocked(mctx, mpctx->size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
-		item = mem_get(mctx, mpctx->size);
-		if (item != NULL)
-			mem_getstats(mctx, mpctx->size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+		if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+			item = mem_getunlocked(mctx, mpctx->size);
+		} else {
+			item = mem_get(mctx, mpctx->size);
+			if (item != NULL)
+				mem_getstats(mctx, mpctx->size);
+		}
 		if (item == NULL)
 			break;
 		item->next = mpctx->items;
 		mpctx->items = item;
 		mpctx->freecount++;
 	}
-	UNLOCK(&mctx->lock);
+	MCTXUNLOCK(mctx, &mctx->lock);
 
 	/*
 	 * If we didn't get any items, return NULL.
@@ -1583,9 +1703,9 @@ isc__mempool_get(isc_mempool_t *mpctx FLARG) {
 
 #if ISC_MEM_TRACKLINES
 	if (item != NULL) {
-		LOCK(&mctx->lock);
+		MCTXLOCK(mctx, &mctx->lock);
 		ADD_TRACE(mctx, item, mpctx->size, file, line);
-		UNLOCK(&mctx->lock);
+		MCTXUNLOCK(mctx, &mctx->lock);
 	}
 #endif /* ISC_MEM_TRACKLINES */
 
@@ -1609,25 +1729,25 @@ isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) {
 	mpctx->allocated--;
 
 #if ISC_MEM_TRACKLINES
-	LOCK(&mctx->lock);
+	MCTXLOCK(mctx, &mctx->lock);
 	DELETE_TRACE(mctx, mem, mpctx->size, file, line);
-	UNLOCK(&mctx->lock);
+	MCTXUNLOCK(mctx, &mctx->lock);
 #endif /* ISC_MEM_TRACKLINES */
 
 	/*
 	 * If our free list is full, return this to the mctx directly.
 	 */
 	if (mpctx->freecount >= mpctx->freemax) {
-#if ISC_MEM_USE_INTERNAL_MALLOC
-		LOCK(&mctx->lock);
-		mem_putunlocked(mctx, mem, mpctx->size);
-		UNLOCK(&mctx->lock);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
-		mem_put(mctx, mem, mpctx->size);
-		LOCK(&mctx->lock);
-		mem_putstats(mctx, mem, mpctx->size);
-		UNLOCK(&mctx->lock);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+		if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+			MCTXLOCK(mctx, &mctx->lock);
+			mem_putunlocked(mctx, mem, mpctx->size);
+			MCTXUNLOCK(mctx, &mctx->lock);
+		} else {
+			mem_put(mctx, mem, mpctx->size);
+			MCTXLOCK(mctx, &mctx->lock);
+			mem_putstats(mctx, mem, mpctx->size);
+			MCTXUNLOCK(mctx, &mctx->lock);
+		}
 		if (mpctx->lock != NULL)
 			UNLOCK(mpctx->lock);
 		return;
@@ -1775,3 +1895,60 @@ isc_mempool_getfillcount(isc_mempool_t *mpctx) {
 
 	return (fillcount);
 }
+
+void
+isc_mem_printactive(isc_mem_t *ctx, FILE *file) {
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	REQUIRE(file != NULL);
+
+#if !ISC_MEM_TRACKLINES
+	UNUSED(ctx);
+	UNUSED(file);
+#else
+	print_active(ctx, file);
+#endif
+}
+
+void
+isc_mem_printallactive(FILE *file) {
+#if !ISC_MEM_TRACKLINES
+	UNUSED(file);
+#else
+	isc_mem_t *ctx;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+
+	LOCK(&lock);
+	for (ctx = ISC_LIST_HEAD(contexts);
+	     ctx != NULL;
+	     ctx = ISC_LIST_NEXT(ctx, link)) {
+		fprintf(file, "context: %p\n", ctx);
+		print_active(ctx, file);
+	}
+	UNLOCK(&lock);
+#endif
+}
+
+void    
+isc_mem_checkdestroyed(FILE *file) {
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+
+	LOCK(&lock);
+	if (!ISC_LIST_EMPTY(contexts))  {
+#if ISC_MEM_TRACKLINES
+		isc_mem_t *ctx;
+
+		for (ctx = ISC_LIST_HEAD(contexts);
+		     ctx != NULL;
+		     ctx = ISC_LIST_NEXT(ctx, link)) {
+			fprintf(file, "context: %p\n", ctx);
+			print_active(ctx, file);
+		}
+		fflush(file);
+#endif
+		INSIST(1);
+	}
+	UNLOCK(&lock);
+}
diff --git a/contrib/bind9/lib/isc/mips/include/isc/atomic.h b/contrib/bind9/lib/isc/mips/include/isc/atomic.h
new file mode 100644
index 0000000..368a6ef
--- /dev/null
+++ b/contrib/bind9/lib/isc/mips/include/isc/atomic.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: atomic.h,v 1.1.2.1 2005/07/09 07:14:00 jinmei Exp $ */
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#ifdef ISC_PLATFORM_USEGCCASM
+/*
+ * This routine atomically increments the value stored in 'p' by 'val', and
+ * returns the previous value.
+ */
+static inline isc_int32_t
+isc_atomic_xadd(isc_int32_t *p, int val) {
+	isc_int32_t orig;
+
+	/* add is a cheat, since MIPS has no mov instruction */
+	__asm__ volatile (
+	    "1:"
+	    "ll $3, %1\n"
+	    "add %0, $0, $3\n"
+	    "add $3, $3, %2\n"
+	    "sc $3, %1\n"
+	    "beq $3, 0, 1b"
+	    : "=&r"(orig)
+	    : "m"(*p), "r"(val)
+	    : "memory", "$3"
+		);
+
+	return (orig);
+}
+
+/*
+ * This routine atomically stores the value 'val' in 'p'.
+ */
+static inline void
+isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
+	__asm__ volatile (
+	    "1:"
+	    "ll $3, %0\n"
+	    "add $3, $0, %1\n"
+	    "sc $3, %0\n"
+	    "beq $3, 0, 1b"
+	    :
+	    : "m"(*p), "r"(val)
+	    : "memory", "$3"
+		);
+}
+
+/*
+ * This routine atomically replaces the value in 'p' with 'val', if the
+ * original value is equal to 'cmpval'.  The original value is returned in any
+ * case.
+ */
+static inline isc_int32_t
+isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) {
+	isc_int32_t orig;
+
+	__asm__ volatile(
+	    "1:"
+	    "ll $3, %1\n"
+	    "add %0, $0, $3\n"
+	    "bne $3, %2, 2f\n"
+	    "add $3, $0, %3\n"
+	    "sc $3, %1\n"
+	    "beq $3, 0, 1b\n"
+	    "2:"
+	    : "=&r"(orig)
+	    : "m"(*p), "r"(cmpval), "r"(val)
+	    : "memory", "$3"
+		);
+
+	return (orig);
+}
+
+#else /* !ISC_PLATFORM_USEGCCASM */
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif
+#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/mutexblock.c b/contrib/bind9/lib/isc/mutexblock.c
index dc7c23d..d8a82cc 100644
--- a/contrib/bind9/lib/isc/mutexblock.c
+++ b/contrib/bind9/lib/isc/mutexblock.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutexblock.c,v 1.14.12.3 2004/03/08 09:04:49 marka Exp $ */
+/* $Id: mutexblock.c,v 1.16.18.2 2005/04/29 00:16:47 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/netaddr.c b/contrib/bind9/lib/isc/netaddr.c
index 712ad2c..e56e05b 100644
--- a/contrib/bind9/lib/isc/netaddr.c
+++ b/contrib/bind9/lib/isc/netaddr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netaddr.c,v 1.18.12.9 2004/05/15 03:46:12 jinmei Exp $ */
+/* $Id: netaddr.c,v 1.27.18.8 2005/04/27 05:02:03 sra Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -51,6 +53,12 @@ isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b) {
 		    a->zone != b->zone)
 			return (ISC_FALSE);
 		break;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	case AF_UNIX:
+		if (strcmp(a->type.un, b->type.un) != 0)
+			return (ISC_FALSE);
+		break;
+#endif
 	default:
 		return (ISC_FALSE);
 	}
@@ -135,6 +143,16 @@ isc_netaddr_totext(const isc_netaddr_t *netaddr, isc_buffer_t *target) {
 	case AF_INET6:
 		type = &netaddr->type.in6;
 		break;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	case AF_UNIX:
+		alen = strlen(netaddr->type.un);
+		if (alen > isc_buffer_availablelength(target))
+			return (ISC_R_NOSPACE);
+		isc_buffer_putmem(target,
+				  (const unsigned char *)(netaddr->type.un),
+				  alen);
+		return (ISC_R_SUCCESS);
+#endif
 	default:
 		return (ISC_R_FAILURE);
 	}
@@ -190,6 +208,42 @@ isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size) {
 	}
 }
 
+
+isc_result_t
+isc_netaddr_prefixok(const isc_netaddr_t *na, unsigned int prefixlen) {
+	static const unsigned char zeros[16];
+	unsigned int nbits, nbytes, ipbytes;
+	const unsigned char *p;
+
+	switch (na->family) {
+	case AF_INET:
+		p = (const unsigned char *) &na->type.in;
+		ipbytes = 4;
+		if (prefixlen > 32)
+			return (ISC_R_RANGE);
+		break;
+	case AF_INET6:
+		p = (const unsigned char *) &na->type.in6;
+		ipbytes = 16;
+		if (prefixlen > 128)
+			return (ISC_R_RANGE);
+		break;
+	default:
+		ipbytes = 0;
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	nbytes = prefixlen / 8;
+	nbits = prefixlen % 8;
+	if (nbits != 0) {
+		if ((p[nbytes] & (0xff>>nbits)) != 0U)
+			return (ISC_R_FAILURE);
+		nbytes++;
+	}
+	if (memcmp(p + nbytes, zeros, ipbytes - nbytes) != 0)
+		return (ISC_R_FAILURE);
+	return (ISC_R_SUCCESS);
+}
+
 isc_result_t
 isc_netaddr_masktoprefixlen(const isc_netaddr_t *s, unsigned int *lenp) {
 	unsigned int nbits, nbytes, ipbytes, i;
@@ -246,6 +300,25 @@ isc_netaddr_fromin6(isc_netaddr_t *netaddr, const struct in6_addr *ina6) {
 	netaddr->type.in6 = *ina6;
 }
 
+isc_result_t
+isc_netaddr_frompath(isc_netaddr_t *netaddr, const char *path) {
+#ifdef ISC_PLATFORM_HAVESYSUNH
+        if (strlen(path) > sizeof(netaddr->type.un) - 1)
+                return (ISC_R_NOSPACE);
+
+        memset(netaddr, 0, sizeof(*netaddr));
+        netaddr->family = AF_UNIX;
+        strcpy(netaddr->type.un, path);
+        netaddr->zone = 0;
+        return (ISC_R_SUCCESS);
+#else 
+	UNUSED(netaddr);
+	UNUSED(path);
+        return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+
 void
 isc_netaddr_setzone(isc_netaddr_t *netaddr, isc_uint32_t zone) {
 	/* we currently only support AF_INET6. */
@@ -276,6 +349,12 @@ isc_netaddr_fromsockaddr(isc_netaddr_t *t, const isc_sockaddr_t *s) {
 		t->zone = 0;
 #endif
 		break;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	case AF_UNIX:
+		memcpy(t->type.un, s->type.sunix.sun_path, sizeof(t->type.un));
+		t->zone = 0;
+		break;
+#endif
 	default:
 		INSIST(0);
 	}
diff --git a/contrib/bind9/lib/isc/netscope.c b/contrib/bind9/lib/isc/netscope.c
index 8df4483..75827d2 100644
--- a/contrib/bind9/lib/isc/netscope.c
+++ b/contrib/bind9/lib/isc/netscope.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/*! \file */
+
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: netscope.c,v 1.5.142.9 2006/08/25 05:25:50 marka Exp $";
+	"$Id: netscope.c,v 1.7.18.4 2006/08/25 05:25:51 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
diff --git a/contrib/bind9/lib/isc/nls/Makefile.in b/contrib/bind9/lib/isc/nls/Makefile.in
index f16b4cb..8211d9b 100644
--- a/contrib/bind9/lib/isc/nls/Makefile.in
+++ b/contrib/bind9/lib/isc/nls/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:14:50 marka Exp $
+# $Id: Makefile.in,v 1.12 2004/03/05 05:11:05 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isc/nls/msgcat.c b/contrib/bind9/lib/isc/nls/msgcat.c
index 906e26e..ae56de7 100644
--- a/contrib/bind9/lib/isc/nls/msgcat.c
+++ b/contrib/bind9/lib/isc/nls/msgcat.c
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: msgcat.c,v 1.10.12.6 2005/06/09 23:54:31 marka Exp $ */
+/* $Id: msgcat.c,v 1.13.18.3 2005/06/08 02:07:57 marka Exp $ */
 
-/*
- * Principal Author: Bob Halley
+/*! \file msgcat.c
+ *
+ * \author Principal Author: Bob Halley
  */
 
 #include <config.h>
diff --git a/contrib/bind9/lib/isc/noatomic/include/isc/atomic.h b/contrib/bind9/lib/isc/noatomic/include/isc/atomic.h
new file mode 100644
index 0000000..1c7035f
--- /dev/null
+++ b/contrib/bind9/lib/isc/noatomic/include/isc/atomic.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: atomic.h,v 1.2.2.1 2005/06/04 06:23:44 jinmei Exp $ */
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+/* This file is inherently empty. */
+
+#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/nothreads/Makefile.in b/contrib/bind9/lib/isc/nothreads/Makefile.in
index 639c9fa..c9e8637 100644
--- a/contrib/bind9/lib/isc/nothreads/Makefile.in
+++ b/contrib/bind9/lib/isc/nothreads/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:14:51 marka Exp $
+# $Id: Makefile.in,v 1.5 2004/03/05 05:11:08 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isc/nothreads/condition.c b/contrib/bind9/lib/isc/nothreads/condition.c
index 395d52f..329fbc8 100644
--- a/contrib/bind9/lib/isc/nothreads/condition.c
+++ b/contrib/bind9/lib/isc/nothreads/condition.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.c,v 1.4.12.5 2006/08/25 05:25:50 marka Exp $ */
+/* $Id: condition.c,v 1.6.18.2 2006/08/25 05:25:51 marka Exp $ */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/nothreads/include/Makefile.in b/contrib/bind9/lib/isc/nothreads/include/Makefile.in
index 4c58269..ecfc329 100644
--- a/contrib/bind9/lib/isc/nothreads/include/Makefile.in
+++ b/contrib/bind9/lib/isc/nothreads/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.206.1 2004/03/06 08:14:52 marka Exp $
+# $Id: Makefile.in,v 1.3 2004/03/05 05:11:11 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in b/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in
index 6717404..f6482fb 100644
--- a/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in
+++ b/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:14:52 marka Exp $
+# $Id: Makefile.in,v 1.5 2004/03/05 05:11:13 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/condition.h b/contrib/bind9/lib/isc/nothreads/include/isc/condition.h
index b899a82..39889b1 100644
--- a/contrib/bind9/lib/isc/nothreads/include/isc/condition.h
+++ b/contrib/bind9/lib/isc/nothreads/include/isc/condition.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.h,v 1.3.206.1 2004/03/06 08:14:52 marka Exp $ */
+/* $Id: condition.h,v 1.4 2004/03/05 05:11:13 marka Exp $ */
 
 /*
  * This provides a limited subset of the isc_condition_t
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/mutex.h b/contrib/bind9/lib/isc/nothreads/include/isc/mutex.h
index c80a945..a586435 100644
--- a/contrib/bind9/lib/isc/nothreads/include/isc/mutex.h
+++ b/contrib/bind9/lib/isc/nothreads/include/isc/mutex.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.h,v 1.3.206.1 2004/03/06 08:14:53 marka Exp $ */
+/* $Id: mutex.h,v 1.4 2004/03/05 05:11:13 marka Exp $ */
 
 #ifndef ISC_MUTEX_H
 #define ISC_MUTEX_H 1
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/once.h b/contrib/bind9/lib/isc/nothreads/include/isc/once.h
index 9f54ac8..470120a 100644
--- a/contrib/bind9/lib/isc/nothreads/include/isc/once.h
+++ b/contrib/bind9/lib/isc/nothreads/include/isc/once.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: once.h,v 1.3.206.1 2004/03/06 08:14:53 marka Exp $ */
+/* $Id: once.h,v 1.4 2004/03/05 05:11:13 marka Exp $ */
 
 #ifndef ISC_ONCE_H
 #define ISC_ONCE_H 1
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/thread.h b/contrib/bind9/lib/isc/nothreads/include/isc/thread.h
index e045b98..6c85913 100644
--- a/contrib/bind9/lib/isc/nothreads/include/isc/thread.h
+++ b/contrib/bind9/lib/isc/nothreads/include/isc/thread.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.h,v 1.3.206.1 2004/03/06 08:14:53 marka Exp $ */
+/* $Id: thread.h,v 1.4 2004/03/05 05:11:13 marka Exp $ */
 
 #ifndef ISC_THREAD_H
 #define ISC_THREAD_H 1
diff --git a/contrib/bind9/lib/isc/nothreads/mutex.c b/contrib/bind9/lib/isc/nothreads/mutex.c
index a707947..0048d87 100644
--- a/contrib/bind9/lib/isc/nothreads/mutex.c
+++ b/contrib/bind9/lib/isc/nothreads/mutex.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.c,v 1.4.12.5 2006/08/25 05:25:50 marka Exp $ */
+/* $Id: mutex.c,v 1.6.18.2 2006/08/25 05:25:51 marka Exp $ */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/nothreads/thread.c b/contrib/bind9/lib/isc/nothreads/thread.c
index 1aea72a..0f20927 100644
--- a/contrib/bind9/lib/isc/nothreads/thread.c
+++ b/contrib/bind9/lib/isc/nothreads/thread.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.c,v 1.2.206.1 2004/03/06 08:14:52 marka Exp $ */
+/* $Id: thread.c,v 1.3 2004/03/05 05:11:09 marka Exp $ */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/ondestroy.c b/contrib/bind9/lib/isc/ondestroy.c
index aacb8f2..2cd9687 100644
--- a/contrib/bind9/lib/isc/ondestroy.c
+++ b/contrib/bind9/lib/isc/ondestroy.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ondestroy.c,v 1.11.206.1 2004/03/06 08:14:33 marka Exp $ */
+/* $Id: ondestroy.c,v 1.12.18.2 2005/04/29 00:16:48 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/parseint.c b/contrib/bind9/lib/isc/parseint.c
index fe74e57..0696344 100644
--- a/contrib/bind9/lib/isc/parseint.c
+++ b/contrib/bind9/lib/isc/parseint.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parseint.c,v 1.3.26.5 2004/03/08 09:04:49 marka Exp $ */
+/* $Id: parseint.c,v 1.4.18.2 2005/04/29 00:16:48 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/powerpc/include/isc/atomic.h b/contrib/bind9/lib/isc/powerpc/include/isc/atomic.h
new file mode 100644
index 0000000..2af9835
--- /dev/null
+++ b/contrib/bind9/lib/isc/powerpc/include/isc/atomic.h
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: atomic.h,v 1.1.6.5 2007/02/13 00:04:50 marka Exp $ */
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+/*!\file
+ * static inline isc_int32_t
+ * isc_atomic_xadd(isc_int32_t *p, isc_int32_t val);
+ *
+ * This routine atomically increments the value stored in 'p' by 'val', and
+ * returns the previous value.
+ *
+ * static inline void
+ * isc_atomic_store(void *p, isc_int32_t val);
+ *
+ * This routine atomically stores the value 'val' in 'p'.
+ *
+ * static inline isc_int32_t
+ * isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val);
+ *
+ * This routine atomically replaces the value in 'p' with 'val', if the
+ * original value is equal to 'cmpval'.  The original value is returned in any
+ * case.
+ */
+
+#if defined(_AIX)
+
+#include <sys/atomic_op.h>
+
+#define isc_atomic_xadd(p, v) fetch_and_add(p, v)
+#define isc_atomic_store(p, v) _clear_lock(p, v)
+
+#ifdef __GNUC__
+static inline int
+#else
+static int
+#endif
+isc_atomic_cmpxchg(atomic_p p, int old, int new) {
+        int orig = old;
+
+#ifdef __GNUC__
+        asm("ics");
+#else
+         __isync();
+#endif
+        if (compare_and_swap(p, &orig, new))
+		return (old);
+        return (orig);
+}
+
+#elif defined(ISC_PLATFORM_USEGCCASM) || defined(ISC_PLATFORM_USEMACASM)
+static inline isc_int32_t
+isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
+	isc_int32_t orig;
+
+	__asm__ volatile (
+#ifdef ISC_PLATFORM_USEMACASM
+		"1:"
+		"lwarx r6, 0, %1\n"
+	    	"mr %0, r6\n"
+		"add r6, r6, %2\n"
+		"stwcx. r6, 0, %1\n"
+		"bne- 1b"
+#else
+		"1:"
+		"lwarx 6, 0, %1\n"
+	    	"mr %0, 6\n"
+		"add 6, 6, %2\n"
+		"stwcx. 6, 0, %1\n"
+		"bne- 1b"
+#endif
+		: "=&r"(orig)
+		: "r"(p), "r"(val)
+		: "r6", "memory"
+		);
+
+	return (orig);
+}
+
+static inline void
+isc_atomic_store(void *p, isc_int32_t val) {
+	__asm__ volatile (
+#ifdef ISC_PLATFORM_USEMACASM
+		"1:"
+		"lwarx r6, 0, %0\n"
+		"lwz r6, %1\n"
+		"stwcx. r6, 0, %0\n"
+		"bne- 1b"
+#else
+		"1:"
+		"lwarx 6, 0, %0\n"
+		"lwz 6, %1\n"
+		"stwcx. 6, 0, %0\n"
+		"bne- 1b"
+#endif
+		:
+		: "r"(p), "m"(val)
+		: "r6", "memory"
+		);
+}
+
+static inline isc_int32_t
+isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
+	isc_int32_t orig;
+
+	__asm__ volatile (
+#ifdef ISC_PLATFORM_USEMACASM
+		"1:"
+		"lwarx r6, 0, %1\n"
+		"mr %0,r6\n"
+		"cmpw r6, %2\n"
+		"bne 2f\n"
+		"mr r6, %3\n"
+		"stwcx. r6, 0, %1\n"
+		"bne- 1b\n"
+		"2:"
+#else
+		"1:"
+		"lwarx 6, 0, %1\n"
+		"mr %0,6\n"
+		"cmpw 6, %2\n"
+		"bne 2f\n"
+		"mr 6, %3\n"
+		"stwcx. 6, 0, %1\n"
+		"bne- 1b\n"
+		"2:"
+#endif
+		: "=&r" (orig)
+		: "r"(p), "r"(cmpval), "r"(val)
+		: "r6", "memory"
+		);
+
+	return (orig);
+}
+
+#else
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif
+#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/print.c b/contrib/bind9/lib/isc/print.c
index ee50b29..59c528b 100644
--- a/contrib/bind9/lib/isc/print.c
+++ b/contrib/bind9/lib/isc/print.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print.c,v 1.22.2.3.2.4 2006/04/17 18:27:20 explorer Exp $ */
+/* $Id: print.c,v 1.27.18.3 2006/04/17 18:27:33 explorer Exp $ */
 
 /*! \file */
 
diff --git a/contrib/bind9/lib/isc/pthreads/Makefile.in b/contrib/bind9/lib/isc/pthreads/Makefile.in
index f245afa..b9cc906 100644
--- a/contrib/bind9/lib/isc/pthreads/Makefile.in
+++ b/contrib/bind9/lib/isc/pthreads/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.16.206.1 2004/03/06 08:14:53 marka Exp $
+# $Id: Makefile.in,v 1.17 2004/03/05 05:11:16 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isc/pthreads/condition.c b/contrib/bind9/lib/isc/pthreads/condition.c
index 489980c..b9c26c6 100644
--- a/contrib/bind9/lib/isc/pthreads/condition.c
+++ b/contrib/bind9/lib/isc/pthreads/condition.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.c,v 1.30.2.1.10.1 2004/03/06 08:14:53 marka Exp $ */
+/* $Id: condition.c,v 1.32.18.2 2005/04/29 00:17:05 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -44,7 +46,7 @@ isc_condition_waituntil(isc_condition_t *c, isc_mutex_t *m, isc_time_t *t) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	/*
+	/*!
 	 * POSIX defines a timespec's tv_nsec as long.  isc_time_nanoseconds
 	 * ensures its return value is < 1 billion, which will fit in a long.
 	 */
diff --git a/contrib/bind9/lib/isc/pthreads/include/Makefile.in b/contrib/bind9/lib/isc/pthreads/include/Makefile.in
index 5fec836..b1164b6 100644
--- a/contrib/bind9/lib/isc/pthreads/include/Makefile.in
+++ b/contrib/bind9/lib/isc/pthreads/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:14:54 marka Exp $
+# $Id: Makefile.in,v 1.12 2004/03/05 05:11:19 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in b/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in
index dd15a11..2e11f6c 100644
--- a/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in
+++ b/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.13.206.1 2004/03/06 08:14:56 marka Exp $
+# $Id: Makefile.in,v 1.14 2004/03/05 05:11:40 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/condition.h b/contrib/bind9/lib/isc/pthreads/include/isc/condition.h
index c33772f..f7cea75 100644
--- a/contrib/bind9/lib/isc/pthreads/include/isc/condition.h
+++ b/contrib/bind9/lib/isc/pthreads/include/isc/condition.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.h,v 1.21.206.1 2004/03/06 08:14:56 marka Exp $ */
+/* $Id: condition.h,v 1.22.18.2 2005/04/29 00:17:05 marka Exp $ */
 
 #ifndef ISC_CONDITION_H
 #define ISC_CONDITION_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/mutex.h>
 #include <isc/result.h>
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/mutex.h b/contrib/bind9/lib/isc/pthreads/include/isc/mutex.h
index f6e526d..edafaf6 100644
--- a/contrib/bind9/lib/isc/pthreads/include/isc/mutex.h
+++ b/contrib/bind9/lib/isc/pthreads/include/isc/mutex.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,17 +15,22 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.h,v 1.23.26.3 2004/03/08 09:04:55 marka Exp $ */
+/* $Id: mutex.h,v 1.25.18.3 2005/07/12 01:22:33 marka Exp $ */
 
 #ifndef ISC_MUTEX_H
 #define ISC_MUTEX_H 1
 
+/*! \file */
+
 #include <pthread.h>
 #include <stdio.h>
 
+#include <isc/lang.h>
 #include <isc/result.h>		/* for ISC_R_ codes */
 
-/*
+ISC_LANG_BEGINDECLS
+
+/*!
  * Supply mutex attributes that enable deadlock detection
  * (helpful when debugging).  This is system dependent and
  * currently only supported on NetBSD.
@@ -39,7 +44,7 @@ extern pthread_mutexattr_t isc__mutex_attrs;
 
 /* XXX We could do fancier error handling... */
 
-/*
+/*!
  * Define ISC_MUTEX_PROFILE to turn on profiling of mutexes by line.  When
  * enabled, isc_mutex_stats() can be used to print a table showing the
  * number of times each type of mutex was locked and the amount of time
@@ -53,8 +58,8 @@ extern pthread_mutexattr_t isc__mutex_attrs;
 typedef struct isc_mutexstats isc_mutexstats_t;
 
 typedef struct {
-	pthread_mutex_t		mutex;	/* The actual mutex. */
-	isc_mutexstats_t *	stats;	/* Mutex statistics. */
+	pthread_mutex_t		mutex;	/*%< The actual mutex. */
+	isc_mutexstats_t *	stats;	/*%< Mutex statistics. */
 } isc_mutex_t;
 #else
 typedef pthread_mutex_t	isc_mutex_t;
@@ -70,8 +75,8 @@ typedef pthread_mutex_t	isc_mutex_t;
         isc_mutex_init_errcheck((mp))
 #else
 #define isc_mutex_init(mp) \
-	((pthread_mutex_init((mp), ISC__MUTEX_ATTRS) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+	isc__mutex_init((mp), __FILE__, __LINE__)
+isc_result_t isc__mutex_init(isc_mutex_t *mp, const char *file, unsigned int line);
 #endif
 #endif
 
@@ -136,4 +141,5 @@ isc_mutex_init_errcheck(isc_mutex_t *mp);
 
 #endif /* ISC_MUTEX_PROFILE */
 
+ISC_LANG_ENDDECLS
 #endif /* ISC_MUTEX_H */
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/once.h b/contrib/bind9/lib/isc/pthreads/include/isc/once.h
index 39b4885..7e9f672 100644
--- a/contrib/bind9/lib/isc/pthreads/include/isc/once.h
+++ b/contrib/bind9/lib/isc/pthreads/include/isc/once.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: once.h,v 1.8.206.1 2004/03/06 08:14:57 marka Exp $ */
+/* $Id: once.h,v 1.9.18.2 2005/04/29 00:17:06 marka Exp $ */
 
 #ifndef ISC_ONCE_H
 #define ISC_ONCE_H 1
 
+/*! \file */
+
 #include <pthread.h>
 
 #include <isc/platform.h>
@@ -28,12 +30,12 @@
 typedef pthread_once_t isc_once_t;
 
 #ifdef ISC_PLATFORM_BRACEPTHREADONCEINIT
-/*
+/*!
  * This accomodates systems that define PTHRAD_ONCE_INIT improperly.
  */
 #define ISC_ONCE_INIT { PTHREAD_ONCE_INIT }
 #else
-/*
+/*!
  * This is the usual case.
  */
 #define ISC_ONCE_INIT PTHREAD_ONCE_INIT
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/thread.h b/contrib/bind9/lib/isc/pthreads/include/isc/thread.h
index 6287dcd..3262607 100644
--- a/contrib/bind9/lib/isc/pthreads/include/isc/thread.h
+++ b/contrib/bind9/lib/isc/pthreads/include/isc/thread.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.h,v 1.19.206.1 2004/03/06 08:14:57 marka Exp $ */
+/* $Id: thread.h,v 1.20.18.4 2005/09/18 07:58:08 marka Exp $ */
 
 #ifndef ISC_THREAD_H
 #define ISC_THREAD_H 1
 
+/*! \file */
+
 #include <pthread.h>
 
 #include <isc/lang.h>
@@ -31,6 +33,7 @@ typedef pthread_t isc_thread_t;
 typedef void * isc_threadresult_t;
 typedef void * isc_threadarg_t;
 typedef isc_threadresult_t (*isc_threadfunc_t)(isc_threadarg_t);
+typedef pthread_key_t isc_thread_key_t;
 
 isc_result_t
 isc_thread_create(isc_threadfunc_t, isc_threadarg_t, isc_thread_t *);
@@ -47,6 +50,11 @@ isc_thread_setconcurrency(unsigned int level);
 #define isc_thread_self \
 	(unsigned long)pthread_self
 
+#define isc_thread_key_create pthread_key_create
+#define isc_thread_key_getspecific pthread_getspecific
+#define isc_thread_key_setspecific pthread_setspecific
+#define isc_thread_key_delete pthread_key_delete
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_THREAD_H */
diff --git a/contrib/bind9/lib/isc/pthreads/mutex.c b/contrib/bind9/lib/isc/pthreads/mutex.c
index 71db669..7716980 100644
--- a/contrib/bind9/lib/isc/pthreads/mutex.c
+++ b/contrib/bind9/lib/isc/pthreads/mutex.c
@@ -15,20 +15,25 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.c,v 1.6.26.5 2005/03/17 03:58:32 marka Exp $ */
+/* $Id: mutex.c,v 1.8.18.4 2005/07/12 01:22:32 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
 #include <stdio.h>
 #include <time.h>
 #include <sys/time.h>
+#include <errno.h>
 
 #include <isc/mutex.h>
 #include <isc/util.h>
+#include <isc/strerror.h>
 
 #if ISC_MUTEX_PROFILE
 
-/* Operations on timevals; adapted from FreeBSD's sys/time.h */
+/*@{*/
+/*% Operations on timevals; adapted from FreeBSD's sys/time.h */
 #define timevalclear(tvp)      ((tvp)->tv_sec = (tvp)->tv_usec = 0)
 #define timevaladd(vvp, uvp)                                            \
         do {                                                            \
@@ -49,6 +54,8 @@
                 }                                                       \
         } while (0)
 
+/*@}*/
+
 #define ISC_MUTEX_MAX_LOCKERS 32
 
 typedef struct {
@@ -60,8 +67,8 @@ typedef struct {
 } isc_mutexlocker_t;
 
 struct isc_mutexstats {
-	const char *		file;	/* File mutex was created in. */
-	int 			line;	/* Line mutex was created on. */
+	const char *		file;	/*%< File mutex was created in. */
+	int 			line;	/*%< Line mutex was created on. */
 	unsigned		count;
 	struct timeval		lock_t;
 	struct timeval		locked_total;
@@ -78,10 +85,13 @@ static pthread_mutex_t statslock = PTHREAD_MUTEX_INITIALIZER;
 
 isc_result_t
 isc_mutex_init_profile(isc_mutex_t *mp, const char *file, int line) {
-	int i;
+	int i, err;
 
-	if (pthread_mutex_init(&mp->mutex, NULL) != 0)
-		return ISC_R_UNEXPECTED;
+	err = pthread_mutex_init(&mp->mutex, NULL);
+	if (err == ENOMEM)
+		return (ISC_R_NOMEMORY);
+	if (err != 0)
+		return (ISC_R_UNEXPECTED);
 
 	RUNTIME_CHECK(pthread_mutex_lock(&statslock) == 0);
 
@@ -116,7 +126,7 @@ isc_mutex_init_profile(isc_mutex_t *mp, const char *file, int line) {
 		timevalclear(&mp->stats->lockers[i].wait_total);
 	}
 
-	return ISC_R_SUCCESS;
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -159,7 +169,7 @@ isc_mutex_lock_profile(isc_mutex_t *mp, const char *file, int line) {
 
 	mp->stats->cur_locker = locker;
 
-	return ISC_R_SUCCESS;
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -219,17 +229,18 @@ isc_result_t
 isc_mutex_init_errcheck(isc_mutex_t *mp)
 {
 	pthread_mutexattr_t attr;
+	int err;
 
 	if (pthread_mutexattr_init(&attr) != 0)
-		return ISC_R_UNEXPECTED;
+		return (ISC_R_UNEXPECTED);
 
 	if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
-		return ISC_R_UNEXPECTED;
+		return (ISC_R_UNEXPECTED);
   
-	if (pthread_mutex_init(mp, &attr) != 0)
-		return ISC_R_UNEXPECTED;
-
-	return ISC_R_SUCCESS;
+	err = pthread_mutex_init(mp, &attr) != 0)
+	if (err == ENOMEM)
+		return (ISC_R_NOMEMORY);
+	return ((err == 0) ? ISC_R_SUCCESS : ISC_R_UNEXPECTED);
 }
 #endif
 
@@ -239,3 +250,21 @@ pthread_mutexattr_t isc__mutex_attrs = {
 	0				/* m_flags, which appears to be unused. */
 };
 #endif
+
+isc_result_t
+isc__mutex_init(isc_mutex_t *mp, const char *file, unsigned int line) {
+	char strbuf[ISC_STRERRORSIZE];
+	isc_result_t result = ISC_R_SUCCESS;
+	int err;
+
+	err = pthread_mutex_init(mp, ISC__MUTEX_ATTRS);
+	if (err == ENOMEM)
+		return (ISC_R_NOMEMORY);
+	if (err != 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(file, line, "isc_mutex_init() failed: %s",
+				 strbuf);
+		result = ISC_R_UNEXPECTED;
+	}
+	return (result);
+}
diff --git a/contrib/bind9/lib/isc/pthreads/thread.c b/contrib/bind9/lib/isc/pthreads/thread.c
index a07daf8..bdbb593 100644
--- a/contrib/bind9/lib/isc/pthreads/thread.c
+++ b/contrib/bind9/lib/isc/pthreads/thread.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.c,v 1.9.2.2.2.2 2004/12/04 06:50:03 marka Exp $ */
+/* $Id: thread.c,v 1.12.18.3 2005/04/29 00:17:05 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/quota.c b/contrib/bind9/lib/isc/quota.c
index 273a1b2..9290167 100644
--- a/contrib/bind9/lib/isc/quota.c
+++ b/contrib/bind9/lib/isc/quota.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: quota.c,v 1.11.12.5 2005/07/29 00:13:09 marka Exp $ */
+/* $Id: quota.c,v 1.13.18.3 2005/07/27 02:44:21 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/random.c b/contrib/bind9/lib/isc/random.c
index e5c4d31..f6c7d6e 100644
--- a/contrib/bind9/lib/isc/random.c
+++ b/contrib/bind9/lib/isc/random.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: random.c,v 1.15.74.5 2004/03/08 09:04:49 marka Exp $ */
+/* $Id: random.c,v 1.21.18.2 2005/04/29 00:16:48 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/ratelimiter.c b/contrib/bind9/lib/isc/ratelimiter.c
index 211363c..3d65139 100644
--- a/contrib/bind9/lib/isc/ratelimiter.c
+++ b/contrib/bind9/lib/isc/ratelimiter.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ratelimiter.c,v 1.18.14.4 2004/03/08 09:04:50 marka Exp $ */
+/* $Id: ratelimiter.c,v 1.21.18.2 2005/04/29 00:16:49 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/refcount.c b/contrib/bind9/lib/isc/refcount.c
new file mode 100644
index 0000000..d5095eb
--- /dev/null
+++ b/contrib/bind9/lib/isc/refcount.c
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: refcount.c,v 1.2.2.2 2005/07/25 00:51:46 marka Exp $ */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/mutex.h>
+#include <isc/refcount.h>
+#include <isc/result.h>
+
+isc_result_t
+isc_refcount_init(isc_refcount_t *ref, unsigned int n) {
+	REQUIRE(ref != NULL);
+
+	ref->refs = n;
+#if defined(ISC_PLATFORM_USETHREADS) && !defined(ISC_PLATFORM_HAVEXADD)
+	return (isc_mutex_init(&ref->lock));
+#else
+	return (ISC_R_SUCCESS);
+#endif
+}
diff --git a/contrib/bind9/lib/isc/region.c b/contrib/bind9/lib/isc/region.c
index 92f4f02..bc32b86 100644
--- a/contrib/bind9/lib/isc/region.c
+++ b/contrib/bind9/lib/isc/region.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: region.c,v 1.2.202.3 2004/03/08 09:04:50 marka Exp $ */
+/* $Id: region.c,v 1.3.18.2 2005/04/29 00:16:49 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/result.c b/contrib/bind9/lib/isc/result.c
index fd4e5c6..e0c8653 100644
--- a/contrib/bind9/lib/isc/result.c
+++ b/contrib/bind9/lib/isc/result.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.56.2.2.8.9 2005/06/09 23:54:30 marka Exp $ */
+/* $Id: result.c,v 1.62.18.6 2005/06/22 22:05:48 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -39,66 +41,66 @@ typedef struct resulttable {
 } resulttable;
 
 static const char *text[ISC_R_NRESULTS] = {
-	"success",				/*  0 */
-	"out of memory",			/*  1 */
-	"timed out",				/*  2 */
-	"no available threads",			/*  3 */
-	"address not available",		/*  4 */
-	"address in use",			/*  5 */
-	"permission denied",			/*  6 */
-	"no pending connections",		/*  7 */
-	"network unreachable",			/*  8 */
-	"host unreachable",			/*  9 */
-	"network down",				/* 10 */
-	"host down",				/* 11 */
-	"connection refused",			/* 12 */
-	"not enough free resources",		/* 13 */
-	"end of file",				/* 14 */
-	"socket already bound",			/* 15 */
-	"reload",				/* 16 */
-	"lock busy",				/* 17 */
-	"already exists",			/* 18 */
-	"ran out of space",			/* 19 */
-	"operation canceled",			/* 20 */
-	"socket is not bound",			/* 21 */
-	"shutting down",			/* 22 */
-	"not found",				/* 23 */
-	"unexpected end of input",		/* 24 */
-	"failure",				/* 25 */
-	"I/O error",				/* 26 */
-	"not implemented",			/* 27 */
-	"unbalanced parentheses",		/* 28 */
-	"no more",				/* 29 */
-	"invalid file",				/* 30 */
-	"bad base64 encoding",			/* 31 */
-	"unexpected token",			/* 32 */
-	"quota reached",			/* 33 */
-	"unexpected error",			/* 34 */
-	"already running",			/* 35 */
-	"ignore",				/* 36 */
-	"address mask not contiguous",		/* 37 */
-	"file not found",			/* 38 */
-	"file already exists",			/* 39 */
-	"socket is not connected",		/* 40 */
-	"out of range",				/* 41 */
-	"out of entropy",			/* 42 */
-	"invalid use of multicast address",	/* 43 */
-	"not a file",				/* 44 */
-	"not a directory",			/* 45 */
-	"queue is full",			/* 46 */
-	"address family mismatch",		/* 47 */
-	"address family not supported",		/* 48 */
-	"bad hex encoding",			/* 49 */
-	"too many open files",			/* 50 */
-	"not blocking",				/* 51 */
-	"unbalanced quotes",			/* 52 */
-	"operation in progress",		/* 53 */
-	"connection reset",			/* 54 */
-	"soft quota reached",			/* 55 */
-	"not a valid number",			/* 56 */
-	"disabled",				/* 57 */
-	"max size",				/* 58 */
-	"invalid address format"		/* 59 */
+	"success",				/*%< 0 */
+	"out of memory",			/*%< 1 */
+	"timed out",				/*%< 2 */
+	"no available threads",			/*%< 3 */
+	"address not available",		/*%< 4 */
+	"address in use",			/*%< 5 */
+	"permission denied",			/*%< 6 */
+	"no pending connections",		/*%< 7 */
+	"network unreachable",			/*%< 8 */
+	"host unreachable",			/*%< 9 */
+	"network down",				/*%< 10 */
+	"host down",				/*%< 11 */
+	"connection refused",			/*%< 12 */
+	"not enough free resources",		/*%< 13 */
+	"end of file",				/*%< 14 */
+	"socket already bound",			/*%< 15 */
+	"reload",				/*%< 16 */
+	"lock busy",				/*%< 17 */
+	"already exists",			/*%< 18 */
+	"ran out of space",			/*%< 19 */
+	"operation canceled",			/*%< 20 */
+	"socket is not bound",			/*%< 21 */
+	"shutting down",			/*%< 22 */
+	"not found",				/*%< 23 */
+	"unexpected end of input",		/*%< 24 */
+	"failure",				/*%< 25 */
+	"I/O error",				/*%< 26 */
+	"not implemented",			/*%< 27 */
+	"unbalanced parentheses",		/*%< 28 */
+	"no more",				/*%< 29 */
+	"invalid file",				/*%< 30 */
+	"bad base64 encoding",			/*%< 31 */
+	"unexpected token",			/*%< 32 */
+	"quota reached",			/*%< 33 */
+	"unexpected error",			/*%< 34 */
+	"already running",			/*%< 35 */
+	"ignore",				/*%< 36 */
+	"address mask not contiguous",		/*%< 37 */
+	"file not found",			/*%< 38 */
+	"file already exists",			/*%< 39 */
+	"socket is not connected",		/*%< 40 */
+	"out of range",				/*%< 41 */
+	"out of entropy",			/*%< 42 */
+	"invalid use of multicast address",	/*%< 43 */
+	"not a file",				/*%< 44 */
+	"not a directory",			/*%< 45 */
+	"queue is full",			/*%< 46 */
+	"address family mismatch",		/*%< 47 */
+	"address family not supported",		/*%< 48 */
+	"bad hex encoding",			/*%< 49 */
+	"too many open files",			/*%< 50 */
+	"not blocking",				/*%< 51 */
+	"unbalanced quotes",			/*%< 52 */
+	"operation in progress",		/*%< 53 */
+	"connection reset",			/*%< 54 */
+	"soft quota reached",			/*%< 55 */
+	"not a valid number",			/*%< 56 */
+	"disabled",				/*%< 57 */
+	"max size",				/*%< 58 */
+	"invalid address format"		/*%< 59 */
 };
 
 #define ISC_RESULT_RESULTSET			2
diff --git a/contrib/bind9/lib/isc/rwlock.c b/contrib/bind9/lib/isc/rwlock.c
index 3e444d8..69b8f56 100644
--- a/contrib/bind9/lib/isc/rwlock.c
+++ b/contrib/bind9/lib/isc/rwlock.c
@@ -15,12 +15,15 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rwlock.c,v 1.33.2.4.2.3 2005/03/17 03:58:32 marka Exp $ */
+/* $Id: rwlock.c,v 1.37.18.5 2005/07/12 01:22:30 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
 #include <stddef.h>
 
+#include <isc/atomic.h>
 #include <isc/magic.h>
 #include <isc/msgs.h>
 #include <isc/platform.h>
@@ -81,6 +84,20 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
 	 */
 	rwl->magic = 0;
 
+#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
+	rwl->write_requests = 0;
+	rwl->write_completions = 0;
+	rwl->cnt_and_flag = 0;
+	rwl->readers_waiting = 0;
+	rwl->write_granted = 0;
+	if (read_quota != 0) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "read quota is not supported");
+	}
+	if (write_quota == 0)
+		write_quota = RWLOCK_DEFAULT_WRITE_QUOTA;
+	rwl->write_quota = write_quota;
+#else
 	rwl->type = isc_rwlocktype_read;
 	rwl->original = isc_rwlocktype_none;
 	rwl->active = 0;
@@ -93,15 +110,12 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
 	if (write_quota == 0)
 		write_quota = RWLOCK_DEFAULT_WRITE_QUOTA;
 	rwl->write_quota = write_quota;
+#endif
+
 	result = isc_mutex_init(&rwl->lock);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() %s: %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"),
-				 isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
 	result = isc_condition_init(&rwl->readable);
 	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -111,7 +125,6 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
 				 isc_result_totext(result));
 		result = ISC_R_UNEXPECTED;
 		goto destroy_lock;
-
 	}
 	result = isc_condition_init(&rwl->writeable);
 	if (result != ISC_R_SUCCESS) {
@@ -136,6 +149,389 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
 	return (result);
 }
 
+void
+isc_rwlock_destroy(isc_rwlock_t *rwl) {
+	REQUIRE(VALID_RWLOCK(rwl));
+
+#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
+	REQUIRE(rwl->write_requests == rwl->write_completions &&
+		rwl->cnt_and_flag == 0 && rwl->readers_waiting == 0);
+#else
+	LOCK(&rwl->lock);
+	REQUIRE(rwl->active == 0 &&
+		rwl->readers_waiting == 0 &&
+		rwl->writers_waiting == 0);
+	UNLOCK(&rwl->lock);
+#endif
+
+	rwl->magic = 0;
+	(void)isc_condition_destroy(&rwl->readable);
+	(void)isc_condition_destroy(&rwl->writeable);
+	DESTROYLOCK(&rwl->lock);
+}
+
+#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
+
+/*
+ * When some architecture-dependent atomic operations are available,
+ * rwlock can be more efficient than the generic algorithm defined below.
+ * The basic algorithm is described in the following URL:
+ *   http://www.cs.rochester.edu/u/scott/synchronization/pseudocode/rw.html
+ *
+ * The key is to use the following integer variables modified atomically:
+ *   write_requests, write_completions, and cnt_and_flag.
+ *
+ * write_requests and write_completions act as a waiting queue for writers
+ * in order to ensure the FIFO order.  Both variables begin with the initial
+ * value of 0.  When a new writer tries to get a write lock, it increments
+ * write_requests and gets the previous value of the variable as a "ticket".
+ * When write_completions reaches the ticket number, the new writer can start
+ * writing.  When the writer completes its work, it increments
+ * write_completions so that another new writer can start working.  If the
+ * write_requests is not equal to write_completions, it means a writer is now
+ * working or waiting.  In this case, a new readers cannot start reading, or
+ * in other words, this algorithm basically prefers writers.
+ *
+ * cnt_and_flag is a "lock" shared by all readers and writers.  This integer
+ * variable is a kind of structure with two members: writer_flag (1 bit) and
+ * reader_count (31 bits).  The writer_flag shows whether a writer is working,
+ * and the reader_count shows the number of readers currently working or almost
+ * ready for working.  A writer who has the current "ticket" tries to get the
+ * lock by exclusively setting the writer_flag to 1, provided that the whole
+ * 32-bit is 0 (meaning no readers or writers working).  On the other hand,
+ * a new reader tries to increment the "reader_count" field provided that
+ * the writer_flag is 0 (meaning there is no writer working).
+ *
+ * If some of the above operations fail, the reader or the writer sleeps
+ * until the related condition changes.  When a working reader or writer
+ * completes its work, some readers or writers are sleeping, and the condition
+ * that suspended the reader or writer has changed, it wakes up the sleeping
+ * readers or writers.
+ *
+ * As already noted, this algorithm basically prefers writers.  In order to
+ * prevent readers from starving, however, the algorithm also introduces the
+ * "writer quota" (Q).  When Q consecutive writers have completed their work,
+ * suspending readers, the last writer will wake up the readers, even if a new
+ * writer is waiting.
+ *
+ * Implementation specific note: due to the combination of atomic operations
+ * and a mutex lock, ordering between the atomic operation and locks can be
+ * very sensitive in some cases.  In particular, it is generally very important
+ * to check the atomic variable that requires a reader or writer to sleep after
+ * locking the mutex and before actually sleeping; otherwise, it could be very
+ * likely to cause a deadlock.  For example, assume "var" is a variable
+ * atomically modified, then the corresponding code would be:
+ *	if (var == need_sleep) {
+ *		LOCK(lock);
+ *		if (var == need_sleep)
+ *			WAIT(cond, lock);
+ *		UNLOCK(lock);
+ *	}
+ * The second check is important, since "var" is protected by the atomic
+ * operation, not by the mutex, and can be changed just before sleeping.
+ * (The first "if" could be omitted, but this is also important in order to
+ * make the code efficient by avoiding the use of the mutex unless it is
+ * really necessary.)
+ */
+
+#define WRITER_ACTIVE	0x1
+#define READER_INCR	0x2
+
+isc_result_t
+isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	isc_int32_t cntflag;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_PRELOCK, "prelock"), rwl, type);
+#endif
+
+	if (type == isc_rwlocktype_read) {
+		if (rwl->write_requests != rwl->write_completions) {
+			/* there is a waiting or active writer */
+			LOCK(&rwl->lock);
+			if (rwl->write_requests != rwl->write_completions) {
+				rwl->readers_waiting++;
+				WAIT(&rwl->readable, &rwl->lock);
+				rwl->readers_waiting--;
+			}
+			UNLOCK(&rwl->lock);
+		}
+
+		cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
+		while (1) {
+			if ((rwl->cnt_and_flag & WRITER_ACTIVE) == 0)
+				break;
+
+			/* A writer is still working */
+			LOCK(&rwl->lock);
+			rwl->readers_waiting++;
+			if ((rwl->cnt_and_flag & WRITER_ACTIVE) != 0)
+				WAIT(&rwl->readable, &rwl->lock);
+			rwl->readers_waiting--;
+			UNLOCK(&rwl->lock);
+
+			/*
+			 * Typically, the reader should be able to get a lock
+			 * at this stage:
+			 *   (1) there should have been no pending writer when
+			 *       the reader was trying to increment the
+			 *       counter; otherwise, the writer should be in
+			 *       the waiting queue, preventing the reader from
+			 *       proceeding to this point.
+			 *   (2) once the reader increments the counter, no
+			 *       more writer can get a lock.
+			 * Still, it is possible another writer can work at
+			 * this point, e.g. in the following scenario:
+			 *   A previous writer unlocks the writer lock.
+			 *   This reader proceeds to point (1).
+			 *   A new writer appears, and gets a new lock before
+			 *   the reader increments the counter.
+			 *   The reader then increments the counter.
+			 *   The previous writer notices there is a waiting
+			 *   reader who is almost ready, and wakes it up.
+			 * So, the reader needs to confirm whether it can now
+			 * read explicitly (thus we loop).  Note that this is
+			 * not an infinite process, since the reader has
+			 * incremented the counter at this point.
+			 */
+		}
+
+		/*
+		 * If we are temporarily preferred to writers due to the writer
+		 * quota, reset the condition (race among readers doesn't
+		 * matter).
+		 */
+		rwl->write_granted = 0;
+	} else {
+		isc_int32_t prev_writer;
+
+		/* enter the waiting queue, and wait for our turn */
+		prev_writer = isc_atomic_xadd(&rwl->write_requests, 1);
+		while (rwl->write_completions != prev_writer) {
+			LOCK(&rwl->lock);
+			if (rwl->write_completions != prev_writer) {
+				WAIT(&rwl->writeable, &rwl->lock);
+				UNLOCK(&rwl->lock);
+				continue;
+			}
+			UNLOCK(&rwl->lock);
+			break;
+		}
+
+		while (1) {
+			cntflag = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
+						     WRITER_ACTIVE);
+			if (cntflag == 0)
+				break;
+
+			/* Another active reader or writer is working. */
+			LOCK(&rwl->lock);
+			if (rwl->cnt_and_flag != 0)
+				WAIT(&rwl->writeable, &rwl->lock);
+			UNLOCK(&rwl->lock);
+		}
+
+		INSIST((rwl->cnt_and_flag & WRITER_ACTIVE) != 0);
+		rwl->write_granted++;
+	}
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_POSTLOCK, "postlock"), rwl, type);
+#endif
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	isc_int32_t cntflag;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_PRELOCK, "prelock"), rwl, type);
+#endif
+
+	if (type == isc_rwlocktype_read) {
+		/* If a writer is waiting or working, we fail. */
+		if (rwl->write_requests != rwl->write_completions)
+			return (ISC_R_LOCKBUSY);
+
+		/* Otherwise, be ready for reading. */
+		cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
+		if ((cntflag & WRITER_ACTIVE) != 0) {
+			/*
+			 * A writer is working.  We lose, and cancel the read
+			 * request.
+			 */
+			cntflag = isc_atomic_xadd(&rwl->cnt_and_flag,
+						  -READER_INCR);
+			/*
+			 * If no other readers are waiting and we've suspended
+			 * new writers in this short period, wake them up.
+			 */
+			if (cntflag == READER_INCR &&
+			    rwl->write_completions != rwl->write_requests) {
+				LOCK(&rwl->lock);
+				BROADCAST(&rwl->writeable);
+				UNLOCK(&rwl->lock);
+			}
+			
+			return (ISC_R_LOCKBUSY);
+		}
+	} else {
+		/* Try locking without entering the waiting queue. */
+		cntflag = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
+					     WRITER_ACTIVE);
+		if (cntflag != 0)
+			return (ISC_R_LOCKBUSY);
+
+		/*
+		 * XXXJT: jump into the queue, possibly breaking the writer
+		 * order.
+		 */
+		(void)isc_atomic_xadd(&rwl->write_completions, -1);
+
+		rwl->write_granted++;
+	}
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_POSTLOCK, "postlock"), rwl, type);
+#endif
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
+	isc_int32_t prevcnt;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+
+	/* Try to acquire write access. */
+	prevcnt = isc_atomic_cmpxchg(&rwl->cnt_and_flag,
+				     READER_INCR, WRITER_ACTIVE);
+	/*
+	 * There must have been no writer, and there must have been at least
+	 * one reader.
+	 */
+	INSIST((prevcnt & WRITER_ACTIVE) == 0 &&
+	       (prevcnt & ~WRITER_ACTIVE) != 0);
+
+	if (prevcnt == READER_INCR) {
+		/*
+		 * We are the only reader and have been upgraded.
+		 * Now jump into the head of the writer waiting queue.
+		 */
+		(void)isc_atomic_xadd(&rwl->write_completions, -1);
+	} else
+		return (ISC_R_LOCKBUSY);
+
+	return (ISC_R_SUCCESS);
+	
+}
+
+void
+isc_rwlock_downgrade(isc_rwlock_t *rwl) {
+	isc_int32_t prev_readers;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+
+	/* Become an active reader. */
+	prev_readers = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
+	/* We must have been a writer. */
+	INSIST((prev_readers & WRITER_ACTIVE) != 0);
+
+	/* Complete write */
+	(void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
+	(void)isc_atomic_xadd(&rwl->write_completions, 1);
+
+	/* Resume other readers */
+	LOCK(&rwl->lock);
+	if (rwl->readers_waiting > 0)
+		BROADCAST(&rwl->readable);
+	UNLOCK(&rwl->lock);
+}
+
+isc_result_t
+isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	isc_int32_t prev_cnt;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_PREUNLOCK, "preunlock"), rwl, type);
+#endif
+
+	if (type == isc_rwlocktype_read) {
+		prev_cnt = isc_atomic_xadd(&rwl->cnt_and_flag, -READER_INCR);
+
+		/*
+		 * If we're the last reader and any writers are waiting, wake
+		 * them up.  We need to wake up all of them to ensure the
+		 * FIFO order.
+		 */
+		if (prev_cnt == READER_INCR &&
+		    rwl->write_completions != rwl->write_requests) {
+			LOCK(&rwl->lock);
+			BROADCAST(&rwl->writeable);
+			UNLOCK(&rwl->lock);
+		}
+	} else {
+		isc_boolean_t wakeup_writers = ISC_TRUE;
+
+		/*
+		 * Reset the flag, and (implicitly) tell other writers
+		 * we are done.
+		 */
+		(void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
+		(void)isc_atomic_xadd(&rwl->write_completions, 1);
+
+		if (rwl->write_granted >= rwl->write_quota ||
+		    rwl->write_requests == rwl->write_completions ||
+		    (rwl->cnt_and_flag & ~WRITER_ACTIVE) != 0) {
+			/*
+			 * We have passed the write quota, no writer is
+			 * waiting, or some readers are almost ready, pending
+			 * possible writers.  Note that the last case can
+			 * happen even if write_requests != write_completions
+			 * (which means a new writer in the queue), so we need
+			 * to catch the case explicitly.
+			 */
+			LOCK(&rwl->lock);
+			if (rwl->readers_waiting > 0) {
+				wakeup_writers = ISC_FALSE;
+				BROADCAST(&rwl->readable);
+			}
+			UNLOCK(&rwl->lock);
+		}
+
+		if (rwl->write_requests != rwl->write_completions &&
+		    wakeup_writers) {
+			LOCK(&rwl->lock);
+			BROADCAST(&rwl->writeable);
+			UNLOCK(&rwl->lock);
+		}
+	}
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_POSTUNLOCK, "postunlock"),
+		   rwl, type);
+#endif
+
+	return (ISC_R_SUCCESS);
+}
+
+#else /* ISC_PLATFORM_HAVEXADD && ISC_PLATFORM_HAVECMPXCHG */
+
 static isc_result_t
 doit(isc_rwlock_t *rwl, isc_rwlocktype_t type, isc_boolean_t nonblock) {
 	isc_boolean_t skip = ISC_FALSE;
@@ -321,22 +717,7 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 	return (ISC_R_SUCCESS);
 }
 
-void
-isc_rwlock_destroy(isc_rwlock_t *rwl) {
-	REQUIRE(VALID_RWLOCK(rwl));
-
-	LOCK(&rwl->lock);
-	REQUIRE(rwl->active == 0 &&
-		rwl->readers_waiting == 0 &&
-		rwl->writers_waiting == 0);
-	UNLOCK(&rwl->lock);
-
-	rwl->magic = 0;
-	(void)isc_condition_destroy(&rwl->readable);
-	(void)isc_condition_destroy(&rwl->writeable);
-	DESTROYLOCK(&rwl->lock);
-}
-
+#endif /* ISC_PLATFORM_HAVEXADD && ISC_PLATFORM_HAVECMPXCHG */
 #else /* ISC_PLATFORM_USETHREADS */
 
 isc_result_t
diff --git a/contrib/bind9/lib/isc/serial.c b/contrib/bind9/lib/isc/serial.c
index 4fe0ee5..5d1bde7 100644
--- a/contrib/bind9/lib/isc/serial.c
+++ b/contrib/bind9/lib/isc/serial.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: serial.c,v 1.7.206.1 2004/03/06 08:14:35 marka Exp $ */
+/* $Id: serial.c,v 1.8.18.2 2005/04/29 00:16:49 marka Exp $ */
+
+/*! \file */
+
 #include <config.h>
 
 #include <isc/serial.h>
diff --git a/contrib/bind9/lib/isc/sha1.c b/contrib/bind9/lib/isc/sha1.c
index 0549e88..6f4af6d 100644
--- a/contrib/bind9/lib/isc/sha1.c
+++ b/contrib/bind9/lib/isc/sha1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,16 +15,16 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha1.c,v 1.10.2.2.2.3 2004/03/06 08:14:35 marka Exp $ */
+/* $Id: sha1.c,v 1.14.18.2 2005/04/29 00:16:49 marka Exp $ */
 
 /*	$NetBSD: sha1.c,v 1.5 2000/01/22 22:19:14 mycroft Exp $	*/
 /*	$OpenBSD: sha1.c,v 1.9 1997/07/23 21:12:32 kstailey Exp $	*/
 
-/*
+/*! \file
  * SHA-1 in C
- * By Steve Reid <steve@edmweb.com>
+ * \author By Steve Reid <steve@edmweb.com>
  * 100% Public Domain
- *
+ * \verbatim
  * Test Vectors (from FIPS PUB 180-1)
  * "abc"
  *   A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
@@ -32,6 +32,7 @@
  *   84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
  * A million repetitions of "a"
  *   34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
+ * \endverbatim
  */
 
 #include "config.h"
@@ -44,7 +45,8 @@
 
 #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
 
-/*
+/*@{*/
+/*!
  * blk0() and blk() perform the initial expand.
  * I got the idea of expanding during the round function from SSLeay
  */
@@ -61,7 +63,9 @@
 				^ block->l[(i + 2) & 15] \
 				^ block->l[i & 15], 1))
 
-/*
+/*@}*/
+/*@{*/
+/*!
  * (R0+R1), R2, R3, R4 are the different operations (rounds) used in SHA1
  */
 #define R0(v,w,x,y,z,i) \
@@ -80,6 +84,8 @@
 	z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \
 	w = rol(w, 30);
 
+/*@}*/
+
 typedef union {
 	unsigned char c[64];
 	unsigned int l[16];
@@ -154,7 +160,7 @@ do_R4(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
 }
 #endif
 
-/*
+/*!
  * Hash a single 512-bit block. This is the core of the algorithm.
  */
 static void
@@ -217,7 +223,7 @@ transform(isc_uint32_t state[5], const unsigned char buffer[64]) {
 }
 
 
-/*
+/*!
  * isc_sha1_init - Initialize new context
  */
 void
@@ -240,7 +246,7 @@ isc_sha1_invalidate(isc_sha1_t *context) {
 	memset(context, 0, sizeof(isc_sha1_t));
 }
 
-/*
+/*!
  * Run your data through this.
  */
 void
@@ -270,7 +276,7 @@ isc_sha1_update(isc_sha1_t *context, const unsigned char *data,
 }
 
 
-/*
+/*!
  * Add padding and return the message digest.
  */
 
diff --git a/contrib/bind9/lib/isc/sha2.c b/contrib/bind9/lib/isc/sha2.c
new file mode 100644
index 0000000..7b41a28
--- /dev/null
+++ b/contrib/bind9/lib/isc/sha2.c
@@ -0,0 +1,1234 @@
+/*
+ * Copyright (C) 2005, 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sha2.c,v 1.2.2.12 2006/08/16 03:18:14 marka Exp $ */
+
+/*	$FreeBSD$	*/
+/*	$KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $	*/
+
+/*
+ * sha2.c
+ *
+ * Version 1.0.0beta1
+ *
+ * Written by Aaron D. Gifford <me@aarongifford.com>
+ *
+ * Copyright 2000 Aaron D. Gifford.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+
+#include <config.h>
+
+#include <isc/assertions.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/*
+ * UNROLLED TRANSFORM LOOP NOTE:
+ * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
+ * loop version for the hash transform rounds (defined using macros
+ * later in this file).  Either define on the command line, for example:
+ *
+ *   cc -DISC_SHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
+ *
+ * or define below:
+ *
+ *   #define ISC_SHA2_UNROLL_TRANSFORM
+ *
+ */
+
+/*** SHA-256/384/512 Machine Architecture Definitions *****************/
+/*
+ * BYTE_ORDER NOTE:
+ *
+ * Please make sure that your system defines BYTE_ORDER.  If your
+ * architecture is little-endian, make sure it also defines
+ * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
+ * equivilent.
+ *
+ * If your system does not define the above, then you can do so by
+ * hand like this:
+ *
+ *   #define LITTLE_ENDIAN 1234
+ *   #define BIG_ENDIAN    4321
+ *
+ * And for little-endian machines, add:
+ *
+ *   #define BYTE_ORDER LITTLE_ENDIAN 
+ *
+ * Or for big-endian machines:
+ *
+ *   #define BYTE_ORDER BIG_ENDIAN
+ *
+ * The FreeBSD machine this was written on defines BYTE_ORDER
+ * appropriately by including <sys/types.h> (which in turn includes
+ * <machine/endian.h> where the appropriate definitions are actually
+ * made).
+ */
+#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
+#ifndef BYTE_ORDER
+#ifndef BIG_ENDIAN
+#define BIG_ENDIAN 4321
+#endif
+#ifndef LITTLE_ENDIAN
+#define LITTLE_ENDIAN 1234
+#endif
+#ifdef WORDS_BIGENDIAN
+#define BYTE_ORDER BIG_ENDIAN
+#else
+#define BYTE_ORDER LITTLE_ENDIAN
+#endif
+#else
+#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
+#endif
+#endif
+
+/*** SHA-256/384/512 Various Length Definitions ***********************/
+/* NOTE: Most of these are in sha2.h */
+#define ISC_SHA256_SHORT_BLOCK_LENGTH	(ISC_SHA256_BLOCK_LENGTH - 8)
+#define ISC_SHA384_SHORT_BLOCK_LENGTH	(ISC_SHA384_BLOCK_LENGTH - 16)
+#define ISC_SHA512_SHORT_BLOCK_LENGTH	(ISC_SHA512_BLOCK_LENGTH - 16)
+
+
+/*** ENDIAN REVERSAL MACROS *******************************************/
+#if BYTE_ORDER == LITTLE_ENDIAN
+#define REVERSE32(w,x)	{ \
+	isc_uint32_t tmp = (w); \
+	tmp = (tmp >> 16) | (tmp << 16); \
+	(x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
+}
+#ifdef WIN32
+#define REVERSE64(w,x)	{ \
+	isc_uint64_t tmp = (w); \
+	tmp = (tmp >> 32) | (tmp << 32); \
+	tmp = ((tmp & 0xff00ff00ff00ff00UL) >> 8) | \
+	      ((tmp & 0x00ff00ff00ff00ffUL) << 8); \
+	(x) = ((tmp & 0xffff0000ffff0000UL) >> 16) | \
+	      ((tmp & 0x0000ffff0000ffffUL) << 16); \
+}
+#else
+#define REVERSE64(w,x)	{ \
+	isc_uint64_t tmp = (w); \
+	tmp = (tmp >> 32) | (tmp << 32); \
+	tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
+	      ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
+	(x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
+	      ((tmp & 0x0000ffff0000ffffULL) << 16); \
+}
+#endif
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+
+/*
+ * Macro for incrementally adding the unsigned 64-bit integer n to the
+ * unsigned 128-bit integer (represented using a two-element array of
+ * 64-bit words):
+ */
+#define ADDINC128(w,n)	{ \
+	(w)[0] += (isc_uint64_t)(n); \
+	if ((w)[0] < (n)) { \
+		(w)[1]++; \
+	} \
+}
+
+/*** THE SIX LOGICAL FUNCTIONS ****************************************/
+/*
+ * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
+ *
+ *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
+ *   S is a ROTATION) because the SHA-256/384/512 description document
+ *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
+ *   same "backwards" definition.
+ */
+/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
+#define R(b,x) 		((x) >> (b))
+/* 32-bit Rotate-right (used in SHA-256): */
+#define S32(b,x)	(((x) >> (b)) | ((x) << (32 - (b))))
+/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
+#define S64(b,x)	(((x) >> (b)) | ((x) << (64 - (b))))
+
+/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
+#define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
+#define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+
+/* Four of six logical functions used in SHA-256: */
+#define Sigma0_256(x)	(S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
+#define Sigma1_256(x)	(S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
+#define sigma0_256(x)	(S32(7,  (x)) ^ S32(18, (x)) ^ R(3 ,   (x)))
+#define sigma1_256(x)	(S32(17, (x)) ^ S32(19, (x)) ^ R(10,   (x)))
+
+/* Four of six logical functions used in SHA-384 and SHA-512: */
+#define Sigma0_512(x)	(S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
+#define Sigma1_512(x)	(S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
+#define sigma0_512(x)	(S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
+#define sigma1_512(x)	(S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))
+
+/*** INTERNAL FUNCTION PROTOTYPES *************************************/
+/* NOTE: These should not be accessed directly from outside this
+ * library -- they are intended for private internal visibility/use
+ * only.
+ */
+void isc_sha512_last(isc_sha512_t *);
+void isc_sha256_transform(isc_sha256_t *, const isc_uint32_t*);
+void isc_sha512_transform(isc_sha512_t *, const isc_uint64_t*);
+
+
+/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
+/* Hash constant words K for SHA-224 and SHA-256: */
+static const isc_uint32_t K256[64] = {
+	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
+	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
+	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
+	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
+	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
+	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
+	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
+	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
+	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
+	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
+	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
+	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
+	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
+	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
+	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
+	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
+};
+
+/* Initial hash value H for SHA-224: */
+static const isc_uint32_t sha224_initial_hash_value[8] = {
+	0xc1059ed8UL,
+	0x367cd507UL,
+	0x3070dd17UL,
+	0xf70e5939UL,
+	0xffc00b31UL,
+	0x68581511UL,
+	0x64f98fa7UL,
+	0xbefa4fa4UL
+};
+
+/* Initial hash value H for SHA-256: */
+static const isc_uint32_t sha256_initial_hash_value[8] = {
+	0x6a09e667UL,
+	0xbb67ae85UL,
+	0x3c6ef372UL,
+	0xa54ff53aUL,
+	0x510e527fUL,
+	0x9b05688cUL,
+	0x1f83d9abUL,
+	0x5be0cd19UL
+};
+
+#ifdef WIN32
+/* Hash constant words K for SHA-384 and SHA-512: */
+static const isc_uint64_t K512[80] = {
+	0x428a2f98d728ae22UL, 0x7137449123ef65cdUL,
+	0xb5c0fbcfec4d3b2fUL, 0xe9b5dba58189dbbcUL,
+	0x3956c25bf348b538UL, 0x59f111f1b605d019UL,
+	0x923f82a4af194f9bUL, 0xab1c5ed5da6d8118UL,
+	0xd807aa98a3030242UL, 0x12835b0145706fbeUL,
+	0x243185be4ee4b28cUL, 0x550c7dc3d5ffb4e2UL,
+	0x72be5d74f27b896fUL, 0x80deb1fe3b1696b1UL,
+	0x9bdc06a725c71235UL, 0xc19bf174cf692694UL,
+	0xe49b69c19ef14ad2UL, 0xefbe4786384f25e3UL,
+	0x0fc19dc68b8cd5b5UL, 0x240ca1cc77ac9c65UL,
+	0x2de92c6f592b0275UL, 0x4a7484aa6ea6e483UL,
+	0x5cb0a9dcbd41fbd4UL, 0x76f988da831153b5UL,
+	0x983e5152ee66dfabUL, 0xa831c66d2db43210UL,
+	0xb00327c898fb213fUL, 0xbf597fc7beef0ee4UL,
+	0xc6e00bf33da88fc2UL, 0xd5a79147930aa725UL,
+	0x06ca6351e003826fUL, 0x142929670a0e6e70UL,
+	0x27b70a8546d22ffcUL, 0x2e1b21385c26c926UL,
+	0x4d2c6dfc5ac42aedUL, 0x53380d139d95b3dfUL,
+	0x650a73548baf63deUL, 0x766a0abb3c77b2a8UL,
+	0x81c2c92e47edaee6UL, 0x92722c851482353bUL,
+	0xa2bfe8a14cf10364UL, 0xa81a664bbc423001UL,
+	0xc24b8b70d0f89791UL, 0xc76c51a30654be30UL,
+	0xd192e819d6ef5218UL, 0xd69906245565a910UL,
+	0xf40e35855771202aUL, 0x106aa07032bbd1b8UL,
+	0x19a4c116b8d2d0c8UL, 0x1e376c085141ab53UL,
+	0x2748774cdf8eeb99UL, 0x34b0bcb5e19b48a8UL,
+	0x391c0cb3c5c95a63UL, 0x4ed8aa4ae3418acbUL,
+	0x5b9cca4f7763e373UL, 0x682e6ff3d6b2b8a3UL,
+	0x748f82ee5defb2fcUL, 0x78a5636f43172f60UL,
+	0x84c87814a1f0ab72UL, 0x8cc702081a6439ecUL,
+	0x90befffa23631e28UL, 0xa4506cebde82bde9UL,
+	0xbef9a3f7b2c67915UL, 0xc67178f2e372532bUL,
+	0xca273eceea26619cUL, 0xd186b8c721c0c207UL,
+	0xeada7dd6cde0eb1eUL, 0xf57d4f7fee6ed178UL,
+	0x06f067aa72176fbaUL, 0x0a637dc5a2c898a6UL,
+	0x113f9804bef90daeUL, 0x1b710b35131c471bUL,
+	0x28db77f523047d84UL, 0x32caab7b40c72493UL,
+	0x3c9ebe0a15c9bebcUL, 0x431d67c49c100d4cUL,
+	0x4cc5d4becb3e42b6UL, 0x597f299cfc657e2aUL,
+	0x5fcb6fab3ad6faecUL, 0x6c44198c4a475817UL
+};
+
+/* Initial hash value H for SHA-384: */
+static const isc_uint64_t sha384_initial_hash_value[8] = {
+	0xcbbb9d5dc1059ed8UL,
+	0x629a292a367cd507UL,
+	0x9159015a3070dd17UL,
+	0x152fecd8f70e5939UL,
+	0x67332667ffc00b31UL,
+	0x8eb44a8768581511UL,
+	0xdb0c2e0d64f98fa7UL,
+	0x47b5481dbefa4fa4UL
+};
+
+/* Initial hash value H for SHA-512: */
+static const isc_uint64_t sha512_initial_hash_value[8] = {
+	0x6a09e667f3bcc908U,
+	0xbb67ae8584caa73bUL,
+	0x3c6ef372fe94f82bUL,
+	0xa54ff53a5f1d36f1UL,
+	0x510e527fade682d1UL,
+	0x9b05688c2b3e6c1fUL,
+	0x1f83d9abfb41bd6bUL,
+	0x5be0cd19137e2179UL
+};
+#else
+/* Hash constant words K for SHA-384 and SHA-512: */
+static const isc_uint64_t K512[80] = {
+	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
+	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
+	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
+	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
+	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
+	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
+	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
+	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
+	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
+	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
+	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
+	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
+	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
+	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
+	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
+	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
+	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
+	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
+	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
+	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
+	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
+	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
+	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
+	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
+	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
+	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
+	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
+	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
+	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
+	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
+	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
+	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
+	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
+	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
+	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
+	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
+	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
+	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
+	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
+	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
+};
+
+/* Initial hash value H for SHA-384: */
+static const isc_uint64_t sha384_initial_hash_value[8] = {
+	0xcbbb9d5dc1059ed8ULL,
+	0x629a292a367cd507ULL,
+	0x9159015a3070dd17ULL,
+	0x152fecd8f70e5939ULL,
+	0x67332667ffc00b31ULL,
+	0x8eb44a8768581511ULL,
+	0xdb0c2e0d64f98fa7ULL,
+	0x47b5481dbefa4fa4ULL
+};
+
+/* Initial hash value H for SHA-512: */
+static const isc_uint64_t sha512_initial_hash_value[8] = {
+	0x6a09e667f3bcc908ULL,
+	0xbb67ae8584caa73bULL,
+	0x3c6ef372fe94f82bULL,
+	0xa54ff53a5f1d36f1ULL,
+	0x510e527fade682d1ULL,
+	0x9b05688c2b3e6c1fULL,
+	0x1f83d9abfb41bd6bULL,
+	0x5be0cd19137e2179ULL
+};
+#endif
+
+/*
+ * Constant used by SHA256/384/512_End() functions for converting the
+ * digest to a readable hexadecimal character string:
+ */
+static const char *sha2_hex_digits = "0123456789abcdef";
+
+
+
+/*** SHA-224: *********************************************************/
+void
+isc_sha224_init(isc_sha224_t *context) {
+	if (context == (isc_sha256_t *)0) {
+		return;
+	}
+	memcpy(context->state, sha224_initial_hash_value,
+	       ISC_SHA256_DIGESTLENGTH);
+	memset(context->buffer, 0, ISC_SHA256_BLOCK_LENGTH);
+	context->bitcount = 0;
+}
+
+void 
+isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
+	isc_sha256_update((isc_sha256_t *)context, data, len);
+}
+
+void 
+isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
+	isc_uint8_t sha256_digest[ISC_SHA256_DIGESTLENGTH];
+	isc_sha256_final(sha256_digest, (isc_sha256_t *)context);
+	memcpy(digest, sha256_digest, ISC_SHA224_DIGESTLENGTH);
+	memset(sha256_digest, 0, ISC_SHA256_DIGESTLENGTH);
+}
+
+char *
+isc_sha224_end(isc_sha224_t *context, char buffer[]) {
+	isc_uint8_t	digest[ISC_SHA224_DIGESTLENGTH], *d = digest;
+	unsigned int	i;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha224_t *)0);
+
+	if (buffer != (char*)0) {
+		isc_sha224_final(digest, context);
+
+		for (i = 0; i < ISC_SHA224_DIGESTLENGTH; i++) {
+			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+			*buffer++ = sha2_hex_digits[*d & 0x0f];
+			d++;
+		}
+		*buffer = (char)0;
+	} else {
+		memset(context, 0, sizeof(context));
+	}
+	memset(digest, 0, ISC_SHA224_DIGESTLENGTH);
+	return buffer;
+}
+
+char*
+isc_sha224_data(const isc_uint8_t *data, size_t len,
+	        char digest[ISC_SHA224_DIGESTSTRINGLENGTH])
+{
+	isc_sha224_t context;
+
+	isc_sha224_init(&context);
+	isc_sha224_update(&context, data, len);
+	return (isc_sha224_end(&context, digest));
+}
+
+/*** SHA-256: *********************************************************/
+void
+isc_sha256_init(isc_sha256_t *context) {
+	if (context == (isc_sha256_t *)0) {
+		return;
+	}
+	memcpy(context->state, sha256_initial_hash_value,
+	       ISC_SHA256_DIGESTLENGTH);
+	memset(context->buffer, 0, ISC_SHA256_BLOCK_LENGTH);
+	context->bitcount = 0;
+}
+
+#ifdef ISC_SHA2_UNROLL_TRANSFORM
+
+/* Unrolled SHA-256 round macros: */
+
+#if BYTE_ORDER == LITTLE_ENDIAN
+
+#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)	\
+	REVERSE32(*data++, W256[j]); \
+	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
+             K256[j] + W256[j]; \
+	(d) += T1; \
+	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
+	j++
+
+
+#else /* BYTE_ORDER == LITTLE_ENDIAN */
+
+#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)	\
+	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
+	     K256[j] + (W256[j] = *data++); \
+	(d) += T1; \
+	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
+	j++
+
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+
+#define ROUND256(a,b,c,d,e,f,g,h)	\
+	s0 = W256[(j+1)&0x0f]; \
+	s0 = sigma0_256(s0); \
+	s1 = W256[(j+14)&0x0f]; \
+	s1 = sigma1_256(s1); \
+	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
+	     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
+	(d) += T1; \
+	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
+	j++
+
+void isc_sha256_transform(isc_sha256_t *context, const isc_uint32_t* data) {
+	isc_uint32_t	a, b, c, d, e, f, g, h, s0, s1;
+	isc_uint32_t	T1, *W256;
+	int		j;
+
+	W256 = (isc_uint32_t*)context->buffer;
+
+	/* Initialize registers with the prev. intermediate value */
+	a = context->state[0];
+	b = context->state[1];
+	c = context->state[2];
+	d = context->state[3];
+	e = context->state[4];
+	f = context->state[5];
+	g = context->state[6];
+	h = context->state[7];
+
+	j = 0;
+	do {
+		/* Rounds 0 to 15 (unrolled): */
+		ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
+		ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
+		ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
+		ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
+		ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
+		ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
+		ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
+		ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
+	} while (j < 16);
+
+	/* Now for the remaining rounds to 64: */
+	do {
+		ROUND256(a,b,c,d,e,f,g,h);
+		ROUND256(h,a,b,c,d,e,f,g);
+		ROUND256(g,h,a,b,c,d,e,f);
+		ROUND256(f,g,h,a,b,c,d,e);
+		ROUND256(e,f,g,h,a,b,c,d);
+		ROUND256(d,e,f,g,h,a,b,c);
+		ROUND256(c,d,e,f,g,h,a,b);
+		ROUND256(b,c,d,e,f,g,h,a);
+	} while (j < 64);
+
+	/* Compute the current intermediate hash value */
+	context->state[0] += a;
+	context->state[1] += b;
+	context->state[2] += c;
+	context->state[3] += d;
+	context->state[4] += e;
+	context->state[5] += f;
+	context->state[6] += g;
+	context->state[7] += h;
+
+	/* Clean up */
+	a = b = c = d = e = f = g = h = T1 = 0;
+}
+
+#else /* ISC_SHA2_UNROLL_TRANSFORM */
+
+void
+isc_sha256_transform(isc_sha256_t *context, const isc_uint32_t* data) {
+	isc_uint32_t	a, b, c, d, e, f, g, h, s0, s1;
+	isc_uint32_t	T1, T2, *W256;
+	int		j;
+
+	W256 = (isc_uint32_t*)context->buffer;
+
+	/* Initialize registers with the prev. intermediate value */
+	a = context->state[0];
+	b = context->state[1];
+	c = context->state[2];
+	d = context->state[3];
+	e = context->state[4];
+	f = context->state[5];
+	g = context->state[6];
+	h = context->state[7];
+
+	j = 0;
+	do {
+#if BYTE_ORDER == LITTLE_ENDIAN
+		/* Copy data while converting to host byte order */
+		REVERSE32(*data++,W256[j]);
+		/* Apply the SHA-256 compression function to update a..h */
+		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
+#else /* BYTE_ORDER == LITTLE_ENDIAN */
+		/* Apply the SHA-256 compression function to update a..h with copy */
+		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+		T2 = Sigma0_256(a) + Maj(a, b, c);
+		h = g;
+		g = f;
+		f = e;
+		e = d + T1;
+		d = c;
+		c = b;
+		b = a;
+		a = T1 + T2;
+
+		j++;
+	} while (j < 16);
+
+	do {
+		/* Part of the message block expansion: */
+		s0 = W256[(j+1)&0x0f];
+		s0 = sigma0_256(s0);
+		s1 = W256[(j+14)&0x0f];	
+		s1 = sigma1_256(s1);
+
+		/* Apply the SHA-256 compression function to update a..h */
+		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 
+		     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
+		T2 = Sigma0_256(a) + Maj(a, b, c);
+		h = g;
+		g = f;
+		f = e;
+		e = d + T1;
+		d = c;
+		c = b;
+		b = a;
+		a = T1 + T2;
+
+		j++;
+	} while (j < 64);
+
+	/* Compute the current intermediate hash value */
+	context->state[0] += a;
+	context->state[1] += b;
+	context->state[2] += c;
+	context->state[3] += d;
+	context->state[4] += e;
+	context->state[5] += f;
+	context->state[6] += g;
+	context->state[7] += h;
+
+	/* Clean up */
+	a = b = c = d = e = f = g = h = T1 = T2 = 0;
+}
+
+#endif /* ISC_SHA2_UNROLL_TRANSFORM */
+
+void
+isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
+	unsigned int	freespace, usedspace;
+
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0);
+
+	usedspace = (unsigned int)((context->bitcount >> 3) %
+				   ISC_SHA256_BLOCK_LENGTH);
+	if (usedspace > 0) {
+		/* Calculate how much free space is available in the buffer */
+		freespace = ISC_SHA256_BLOCK_LENGTH - usedspace;
+
+		if (len >= freespace) {
+			/* Fill the buffer completely and process it */
+			memcpy(&context->buffer[usedspace], data, freespace);
+			context->bitcount += freespace << 3;
+			len -= freespace;
+			data += freespace;
+			isc_sha256_transform(context,
+					     (isc_uint32_t*)context->buffer);
+		} else {
+			/* The buffer is not yet full */
+			memcpy(&context->buffer[usedspace], data, len);
+			context->bitcount += len << 3;
+			/* Clean up: */
+			usedspace = freespace = 0;
+			return;
+		}
+	}
+	while (len >= ISC_SHA256_BLOCK_LENGTH) {
+		/* Process as many complete blocks as we can */
+		memcpy(context->buffer, data, ISC_SHA256_BLOCK_LENGTH);
+		isc_sha256_transform(context, (isc_uint32_t*)context->buffer);
+		context->bitcount += ISC_SHA256_BLOCK_LENGTH << 3;
+		len -= ISC_SHA256_BLOCK_LENGTH;
+		data += ISC_SHA256_BLOCK_LENGTH;
+	}
+	if (len > 0U) {
+		/* There's left-overs, so save 'em */
+		memcpy(context->buffer, data, len);
+		context->bitcount += len << 3;
+	}
+	/* Clean up: */
+	usedspace = freespace = 0;
+}
+
+void
+isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
+	isc_uint32_t	*d = (isc_uint32_t*)digest;
+	unsigned int	usedspace;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha256_t *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (isc_uint8_t*)0) {
+		usedspace = (unsigned int)((context->bitcount >> 3) %
+					   ISC_SHA256_BLOCK_LENGTH);
+#if BYTE_ORDER == LITTLE_ENDIAN
+		/* Convert FROM host byte order */
+		REVERSE64(context->bitcount,context->bitcount);
+#endif
+		if (usedspace > 0) {
+			/* Begin padding with a 1 bit: */
+			context->buffer[usedspace++] = 0x80;
+
+			if (usedspace <= ISC_SHA256_SHORT_BLOCK_LENGTH) {
+				/* Set-up for the last transform: */
+				memset(&context->buffer[usedspace], 0,
+				       ISC_SHA256_SHORT_BLOCK_LENGTH - usedspace);
+			} else {
+				if (usedspace < ISC_SHA256_BLOCK_LENGTH) {
+					memset(&context->buffer[usedspace], 0,
+					       ISC_SHA256_BLOCK_LENGTH -
+					       usedspace);
+				}
+				/* Do second-to-last transform: */
+				isc_sha256_transform(context,
+					       (isc_uint32_t*)context->buffer);
+
+				/* And set-up for the last transform: */
+				memset(context->buffer, 0,
+				       ISC_SHA256_SHORT_BLOCK_LENGTH);
+			}
+		} else {
+			/* Set-up for the last transform: */
+			memset(context->buffer, 0, ISC_SHA256_SHORT_BLOCK_LENGTH);
+
+			/* Begin padding with a 1 bit: */
+			*context->buffer = 0x80;
+		}
+		/* Set the bit count: */
+		*(isc_uint64_t*)&context->buffer[ISC_SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
+
+		/* Final transform: */
+		isc_sha256_transform(context, (isc_uint32_t*)context->buffer);
+
+#if BYTE_ORDER == LITTLE_ENDIAN
+		{
+			/* Convert TO host byte order */
+			int	j;
+			for (j = 0; j < 8; j++) {
+				REVERSE32(context->state[j],context->state[j]);
+				*d++ = context->state[j];
+			}
+		}
+#else
+		memcpy(d, context->state, ISC_SHA256_DIGESTLENGTH);
+#endif
+	}
+
+	/* Clean up state data: */
+	memset(context, 0, sizeof(context));
+	usedspace = 0;
+}
+
+char *
+isc_sha256_end(isc_sha256_t *context, char buffer[]) {
+	isc_uint8_t	digest[ISC_SHA256_DIGESTLENGTH], *d = digest;
+	unsigned int	i;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha256_t *)0);
+
+	if (buffer != (char*)0) {
+		isc_sha256_final(digest, context);
+
+		for (i = 0; i < ISC_SHA256_DIGESTLENGTH; i++) {
+			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+			*buffer++ = sha2_hex_digits[*d & 0x0f];
+			d++;
+		}
+		*buffer = (char)0;
+	} else {
+		memset(context, 0, sizeof(context));
+	}
+	memset(digest, 0, ISC_SHA256_DIGESTLENGTH);
+	return buffer;
+}
+
+char *
+isc_sha256_data(const isc_uint8_t* data, size_t len,
+		char digest[ISC_SHA256_DIGESTSTRINGLENGTH])
+{
+	isc_sha256_t context;
+
+	isc_sha256_init(&context);
+	isc_sha256_update(&context, data, len);
+	return (isc_sha256_end(&context, digest));
+}
+
+
+/*** SHA-512: *********************************************************/
+void
+isc_sha512_init(isc_sha512_t *context) {
+	if (context == (isc_sha512_t *)0) {
+		return;
+	}
+	memcpy(context->state, sha512_initial_hash_value,
+	       ISC_SHA512_DIGESTLENGTH);
+	memset(context->buffer, 0, ISC_SHA512_BLOCK_LENGTH);
+	context->bitcount[0] = context->bitcount[1] =  0;
+}
+
+#ifdef ISC_SHA2_UNROLL_TRANSFORM
+
+/* Unrolled SHA-512 round macros: */
+#if BYTE_ORDER == LITTLE_ENDIAN
+
+#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)	\
+	REVERSE64(*data++, W512[j]); \
+	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
+             K512[j] + W512[j]; \
+	(d) += T1, \
+	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
+	j++
+
+
+#else /* BYTE_ORDER == LITTLE_ENDIAN */
+
+#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)	\
+	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
+             K512[j] + (W512[j] = *data++); \
+	(d) += T1; \
+	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
+	j++
+
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+
+#define ROUND512(a,b,c,d,e,f,g,h)	\
+	s0 = W512[(j+1)&0x0f]; \
+	s0 = sigma0_512(s0); \
+	s1 = W512[(j+14)&0x0f]; \
+	s1 = sigma1_512(s1); \
+	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
+             (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
+	(d) += T1; \
+	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
+	j++
+
+void isc_sha512_transform(isc_sha512_t *context, const isc_uint64_t* data) {
+	isc_uint64_t	a, b, c, d, e, f, g, h, s0, s1;
+	isc_uint64_t	T1, *W512 = (isc_uint64_t*)context->buffer;
+	int		j;
+
+	/* Initialize registers with the prev. intermediate value */
+	a = context->state[0];
+	b = context->state[1];
+	c = context->state[2];
+	d = context->state[3];
+	e = context->state[4];
+	f = context->state[5];
+	g = context->state[6];
+	h = context->state[7];
+
+	j = 0;
+	do {
+		ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
+		ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
+		ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
+		ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
+		ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
+		ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
+		ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
+		ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
+	} while (j < 16);
+
+	/* Now for the remaining rounds up to 79: */
+	do {
+		ROUND512(a,b,c,d,e,f,g,h);
+		ROUND512(h,a,b,c,d,e,f,g);
+		ROUND512(g,h,a,b,c,d,e,f);
+		ROUND512(f,g,h,a,b,c,d,e);
+		ROUND512(e,f,g,h,a,b,c,d);
+		ROUND512(d,e,f,g,h,a,b,c);
+		ROUND512(c,d,e,f,g,h,a,b);
+		ROUND512(b,c,d,e,f,g,h,a);
+	} while (j < 80);
+
+	/* Compute the current intermediate hash value */
+	context->state[0] += a;
+	context->state[1] += b;
+	context->state[2] += c;
+	context->state[3] += d;
+	context->state[4] += e;
+	context->state[5] += f;
+	context->state[6] += g;
+	context->state[7] += h;
+
+	/* Clean up */
+	a = b = c = d = e = f = g = h = T1 = 0;
+}
+
+#else /* ISC_SHA2_UNROLL_TRANSFORM */
+
+void
+isc_sha512_transform(isc_sha512_t *context, const isc_uint64_t* data) {
+	isc_uint64_t	a, b, c, d, e, f, g, h, s0, s1;
+	isc_uint64_t	T1, T2, *W512 = (isc_uint64_t*)context->buffer;
+	int		j;
+
+	/* Initialize registers with the prev. intermediate value */
+	a = context->state[0];
+	b = context->state[1];
+	c = context->state[2];
+	d = context->state[3];
+	e = context->state[4];
+	f = context->state[5];
+	g = context->state[6];
+	h = context->state[7];
+
+	j = 0;
+	do {
+#if BYTE_ORDER == LITTLE_ENDIAN
+		/* Convert TO host byte order */
+		REVERSE64(*data++, W512[j]);
+		/* Apply the SHA-512 compression function to update a..h */
+		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
+#else /* BYTE_ORDER == LITTLE_ENDIAN */
+		/* Apply the SHA-512 compression function to update a..h with copy */
+		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+		T2 = Sigma0_512(a) + Maj(a, b, c);
+		h = g;
+		g = f;
+		f = e;
+		e = d + T1;
+		d = c;
+		c = b;
+		b = a;
+		a = T1 + T2;
+
+		j++;
+	} while (j < 16);
+
+	do {
+		/* Part of the message block expansion: */
+		s0 = W512[(j+1)&0x0f];
+		s0 = sigma0_512(s0);
+		s1 = W512[(j+14)&0x0f];
+		s1 =  sigma1_512(s1);
+
+		/* Apply the SHA-512 compression function to update a..h */
+		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
+		     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
+		T2 = Sigma0_512(a) + Maj(a, b, c);
+		h = g;
+		g = f;
+		f = e;
+		e = d + T1;
+		d = c;
+		c = b;
+		b = a;
+		a = T1 + T2;
+
+		j++;
+	} while (j < 80);
+
+	/* Compute the current intermediate hash value */
+	context->state[0] += a;
+	context->state[1] += b;
+	context->state[2] += c;
+	context->state[3] += d;
+	context->state[4] += e;
+	context->state[5] += f;
+	context->state[6] += g;
+	context->state[7] += h;
+
+	/* Clean up */
+	a = b = c = d = e = f = g = h = T1 = T2 = 0;
+}
+
+#endif /* ISC_SHA2_UNROLL_TRANSFORM */
+
+void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) {
+	unsigned int	freespace, usedspace;
+
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
+
+	usedspace = (unsigned int)((context->bitcount[0] >> 3) %
+				   ISC_SHA512_BLOCK_LENGTH);
+	if (usedspace > 0) {
+		/* Calculate how much free space is available in the buffer */
+		freespace = ISC_SHA512_BLOCK_LENGTH - usedspace;
+
+		if (len >= freespace) {
+			/* Fill the buffer completely and process it */
+			memcpy(&context->buffer[usedspace], data, freespace);
+			ADDINC128(context->bitcount, freespace << 3);
+			len -= freespace;
+			data += freespace;
+			isc_sha512_transform(context,
+					     (isc_uint64_t*)context->buffer);
+		} else {
+			/* The buffer is not yet full */
+			memcpy(&context->buffer[usedspace], data, len);
+			ADDINC128(context->bitcount, len << 3);
+			/* Clean up: */
+			usedspace = freespace = 0;
+			return;
+		}
+	}
+	while (len >= ISC_SHA512_BLOCK_LENGTH) {
+		/* Process as many complete blocks as we can */
+		memcpy(context->buffer, data, ISC_SHA512_BLOCK_LENGTH);
+		isc_sha512_transform(context, (isc_uint64_t*)context->buffer);
+		ADDINC128(context->bitcount, ISC_SHA512_BLOCK_LENGTH << 3);
+		len -= ISC_SHA512_BLOCK_LENGTH;
+		data += ISC_SHA512_BLOCK_LENGTH;
+	}
+	if (len > 0U) {
+		/* There's left-overs, so save 'em */
+		memcpy(context->buffer, data, len);
+		ADDINC128(context->bitcount, len << 3);
+	}
+	/* Clean up: */
+	usedspace = freespace = 0;
+}
+
+void isc_sha512_last(isc_sha512_t *context) {
+	unsigned int	usedspace;
+
+	usedspace = (unsigned int)((context->bitcount[0] >> 3) %
+				    ISC_SHA512_BLOCK_LENGTH);
+#if BYTE_ORDER == LITTLE_ENDIAN
+	/* Convert FROM host byte order */
+	REVERSE64(context->bitcount[0],context->bitcount[0]);
+	REVERSE64(context->bitcount[1],context->bitcount[1]);
+#endif
+	if (usedspace > 0) {
+		/* Begin padding with a 1 bit: */
+		context->buffer[usedspace++] = 0x80;
+
+		if (usedspace <= ISC_SHA512_SHORT_BLOCK_LENGTH) {
+			/* Set-up for the last transform: */
+			memset(&context->buffer[usedspace], 0,
+			       ISC_SHA512_SHORT_BLOCK_LENGTH - usedspace);
+		} else {
+			if (usedspace < ISC_SHA512_BLOCK_LENGTH) {
+				memset(&context->buffer[usedspace], 0,
+				       ISC_SHA512_BLOCK_LENGTH - usedspace);
+			}
+			/* Do second-to-last transform: */
+			isc_sha512_transform(context,
+					    (isc_uint64_t*)context->buffer);
+
+			/* And set-up for the last transform: */
+			memset(context->buffer, 0, ISC_SHA512_BLOCK_LENGTH - 2);
+		}
+	} else {
+		/* Prepare for final transform: */
+		memset(context->buffer, 0, ISC_SHA512_SHORT_BLOCK_LENGTH);
+
+		/* Begin padding with a 1 bit: */
+		*context->buffer = 0x80;
+	}
+	/* Store the length of input data (in bits): */
+	*(isc_uint64_t*)&context->buffer[ISC_SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
+	*(isc_uint64_t*)&context->buffer[ISC_SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
+
+	/* Final transform: */
+	isc_sha512_transform(context, (isc_uint64_t*)context->buffer);
+}
+
+void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
+	isc_uint64_t	*d = (isc_uint64_t*)digest;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (isc_uint8_t*)0) {
+		isc_sha512_last(context);
+
+		/* Save the hash data for output: */
+#if BYTE_ORDER == LITTLE_ENDIAN
+		{
+			/* Convert TO host byte order */
+			int	j;
+			for (j = 0; j < 8; j++) {
+				REVERSE64(context->state[j],context->state[j]);
+				*d++ = context->state[j];
+			}
+		}
+#else
+		memcpy(d, context->state, ISC_SHA512_DIGESTLENGTH);
+#endif
+	}
+
+	/* Zero out state data */
+	memset(context, 0, sizeof(context));
+}
+
+char *
+isc_sha512_end(isc_sha512_t *context, char buffer[]) {
+	isc_uint8_t	digest[ISC_SHA512_DIGESTLENGTH], *d = digest;
+	unsigned int	i;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0);
+
+	if (buffer != (char*)0) {
+		isc_sha512_final(digest, context);
+
+		for (i = 0; i < ISC_SHA512_DIGESTLENGTH; i++) {
+			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+			*buffer++ = sha2_hex_digits[*d & 0x0f];
+			d++;
+		}
+		*buffer = (char)0;
+	} else {
+		memset(context, 0, sizeof(context));
+	}
+	memset(digest, 0, ISC_SHA512_DIGESTLENGTH);
+	return buffer;
+}
+
+char *
+isc_sha512_data(const isc_uint8_t *data, size_t len,
+		char digest[ISC_SHA512_DIGESTSTRINGLENGTH])
+{
+	isc_sha512_t 	context;
+
+	isc_sha512_init(&context);
+	isc_sha512_update(&context, data, len);
+	return (isc_sha512_end(&context, digest));
+}
+
+
+/*** SHA-384: *********************************************************/
+void
+isc_sha384_init(isc_sha384_t *context) {
+	if (context == (isc_sha384_t *)0) {
+		return;
+	}
+	memcpy(context->state, sha384_initial_hash_value,
+	       ISC_SHA512_DIGESTLENGTH);
+	memset(context->buffer, 0, ISC_SHA384_BLOCK_LENGTH);
+	context->bitcount[0] = context->bitcount[1] = 0;
+}
+
+void 
+isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
+	isc_sha512_update((isc_sha512_t *)context, data, len);
+}
+
+void 
+isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
+	isc_uint64_t	*d = (isc_uint64_t*)digest;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha384_t *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (isc_uint8_t*)0) {
+		isc_sha512_last((isc_sha512_t *)context);
+
+		/* Save the hash data for output: */
+#if BYTE_ORDER == LITTLE_ENDIAN
+		{
+			/* Convert TO host byte order */
+			int	j;
+			for (j = 0; j < 6; j++) {
+				REVERSE64(context->state[j],context->state[j]);
+				*d++ = context->state[j];
+			}
+		}
+#else
+		memcpy(d, context->state, ISC_SHA384_DIGESTLENGTH);
+#endif
+	}
+
+	/* Zero out state data */
+	memset(context, 0, sizeof(context));
+}
+
+char *
+isc_sha384_end(isc_sha384_t *context, char buffer[]) {
+	isc_uint8_t	digest[ISC_SHA384_DIGESTLENGTH], *d = digest;
+	unsigned int	i;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha384_t *)0);
+
+	if (buffer != (char*)0) {
+		isc_sha384_final(digest, context);
+
+		for (i = 0; i < ISC_SHA384_DIGESTLENGTH; i++) {
+			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+			*buffer++ = sha2_hex_digits[*d & 0x0f];
+			d++;
+		}
+		*buffer = (char)0;
+	} else {
+		memset(context, 0, sizeof(context));
+	}
+	memset(digest, 0, ISC_SHA384_DIGESTLENGTH);
+	return buffer;
+}
+
+char*
+isc_sha384_data(const isc_uint8_t *data, size_t len,
+	        char digest[ISC_SHA384_DIGESTSTRINGLENGTH])
+{
+	isc_sha384_t context;
+
+	isc_sha384_init(&context);
+	isc_sha384_update(&context, data, len);
+	return (isc_sha384_end(&context, digest));
+}
diff --git a/contrib/bind9/lib/isc/sockaddr.c b/contrib/bind9/lib/isc/sockaddr.c
index a40f0c9..2fd73af 100644
--- a/contrib/bind9/lib/isc/sockaddr.c
+++ b/contrib/bind9/lib/isc/sockaddr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.c,v 1.48.2.1.2.12 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: sockaddr.c,v 1.59.18.9 2006/06/21 01:25:40 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -33,6 +35,21 @@
 
 isc_boolean_t
 isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
+	return (isc_sockaddr_compare(a, b, ISC_SOCKADDR_CMPADDR|
+					   ISC_SOCKADDR_CMPPORT|
+					   ISC_SOCKADDR_CMPSCOPE));
+}
+
+isc_boolean_t
+isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
+	return (isc_sockaddr_compare(a, b, ISC_SOCKADDR_CMPADDR|
+					   ISC_SOCKADDR_CMPSCOPE));
+}
+
+isc_boolean_t
+isc_sockaddr_compare(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
+		     unsigned int flags)
+{
 	REQUIRE(a != NULL && b != NULL);
 
 	if (a->length != b->length)
@@ -47,21 +64,33 @@ isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
 		return (ISC_FALSE);
 	switch (a->type.sa.sa_family) {
 	case AF_INET:
-		if (memcmp(&a->type.sin.sin_addr, &b->type.sin.sin_addr,
+		if ((flags & ISC_SOCKADDR_CMPADDR) != 0 &&
+		    memcmp(&a->type.sin.sin_addr, &b->type.sin.sin_addr,
 			   sizeof(a->type.sin.sin_addr)) != 0)
 			return (ISC_FALSE);
-		if (a->type.sin.sin_port != b->type.sin.sin_port)
+		if ((flags & ISC_SOCKADDR_CMPPORT) != 0 &&
+		    a->type.sin.sin_port != b->type.sin.sin_port)
 			return (ISC_FALSE);
 		break;
 	case AF_INET6:
-		if (memcmp(&a->type.sin6.sin6_addr, &b->type.sin6.sin6_addr,
+		if ((flags & ISC_SOCKADDR_CMPADDR) != 0 &&
+		    memcmp(&a->type.sin6.sin6_addr, &b->type.sin6.sin6_addr,
 			   sizeof(a->type.sin6.sin6_addr)) != 0)
 			return (ISC_FALSE);
 #ifdef ISC_PLATFORM_HAVESCOPEID
-		if (a->type.sin6.sin6_scope_id != b->type.sin6.sin6_scope_id)
+		/*
+		 * If ISC_SOCKADDR_CMPSCOPEZERO is set then don't return
+		 * ISC_FALSE if one of the scopes in zero.
+		 */
+		if ((flags & ISC_SOCKADDR_CMPSCOPE) != 0 &&
+		    a->type.sin6.sin6_scope_id != b->type.sin6.sin6_scope_id &&
+		    ((flags & ISC_SOCKADDR_CMPSCOPEZERO) == 0 ||
+		      (a->type.sin6.sin6_scope_id != 0 &&
+		       b->type.sin6.sin6_scope_id != 0)))
 			return (ISC_FALSE);
 #endif
-		if (a->type.sin6.sin6_port != b->type.sin6.sin6_port)
+		if ((flags & ISC_SOCKADDR_CMPPORT) != 0 &&
+		    a->type.sin6.sin6_port != b->type.sin6.sin6_port)
 			return (ISC_FALSE);
 		break;
 	default:
@@ -72,37 +101,6 @@ isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
 }
 
 isc_boolean_t
-isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
-	REQUIRE(a != NULL && b != NULL);
-
-	if (a->length != b->length)
-		return (ISC_FALSE);
-
-	if (a->type.sa.sa_family != b->type.sa.sa_family)
-		return (ISC_FALSE);
-	switch (a->type.sa.sa_family) {
-	case AF_INET:
-		if (memcmp(&a->type.sin.sin_addr, &b->type.sin.sin_addr,
-			   sizeof(a->type.sin.sin_addr)) != 0)
-			return (ISC_FALSE);
-		break;
-	case AF_INET6:
-		if (memcmp(&a->type.sin6.sin6_addr, &b->type.sin6.sin6_addr,
-			   sizeof(a->type.sin6.sin6_addr)) != 0)
-			return (ISC_FALSE);
-#ifdef ISC_PLATFORM_HAVESCOPEID
-		if (a->type.sin6.sin6_scope_id != b->type.sin6.sin6_scope_id)
-			return (ISC_FALSE);
-#endif
-		break;
-	default:
-		if (memcmp(&a->type, &b->type, a->length) != 0)
-			return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-isc_boolean_t
 isc_sockaddr_eqaddrprefix(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
 			  unsigned int prefixlen)
 {
@@ -134,6 +132,23 @@ isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target) {
 	case AF_INET6:
 		snprintf(pbuf, sizeof(pbuf), "%u", ntohs(sockaddr->type.sin6.sin6_port));
 		break;
+#ifdef ISC_PLAFORM_HAVESYSUNH
+	case AF_UNIX:
+		plen = strlen(sockaddr->type.sunix.sun_path);
+		if (plen >= isc_buffer_availablelength(target))
+			return (ISC_R_NOSPACE);
+
+		isc_buffer_putmem(target, sockaddr->type.sunix.sun_path, plen);
+
+		/*
+		 * Null terminate after used region.
+		 */
+		isc_buffer_availableregion(target, &avail);
+		INSIST(avail.length >= 1);
+		avail.base[0] = '\0';
+
+		return (ISC_R_SUCCESS);
+#endif
 	default:
 		return (ISC_R_FAILURE);
 	}
@@ -425,8 +440,12 @@ isc_boolean_t
 isc_sockaddr_ismulticast(const isc_sockaddr_t *sockaddr) {
 	isc_netaddr_t netaddr;
 
-	isc_netaddr_fromsockaddr(&netaddr, sockaddr);
-	return (isc_netaddr_ismulticast(&netaddr));
+	if (sockaddr->type.sa.sa_family == AF_INET ||
+	    sockaddr->type.sa.sa_family == AF_INET6) {
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+		return (isc_netaddr_ismulticast(&netaddr));
+	}
+	return (ISC_FALSE);
 }
 
 isc_boolean_t
@@ -461,3 +480,24 @@ isc_sockaddr_islinklocal(const isc_sockaddr_t *sockaddr) {
 	}
 	return (ISC_FALSE);
 }
+
+isc_result_t
+isc_sockaddr_frompath(isc_sockaddr_t *sockaddr, const char *path) {
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	if (strlen(path) >= sizeof(sockaddr->type.sunix.sun_path))
+		return (ISC_R_NOSPACE);
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->length = sizeof(sockaddr->type.sunix);
+	sockaddr->type.sunix.sun_family = AF_UNIX;
+#ifdef ISC_PLATFORM_HAVESALEN
+	sockaddr->type.sunix.sun_len =
+			(unsigned char)sizeof(sockaddr->type.sunix);
+#endif
+	strcpy(sockaddr->type.sunix.sun_path, path);
+	return (ISC_R_SUCCESS);
+#else
+	UNUSED(sockaddr);
+	UNUSED(path);
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
diff --git a/contrib/bind9/lib/isc/sparc64/include/isc/atomic.h b/contrib/bind9/lib/isc/sparc64/include/isc/atomic.h
new file mode 100644
index 0000000..5c254cf
--- /dev/null
+++ b/contrib/bind9/lib/isc/sparc64/include/isc/atomic.h
@@ -0,0 +1,127 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: atomic.h,v 1.2.2.2 2005/06/16 22:01:02 jinmei Exp $ */
+
+/*
+ * This code was written based on FreeBSD's kernel source whose copyright
+ * follows:
+ */
+
+/*-
+ * Copyright (c) 1998 Doug Rabson.
+ * Copyright (c) 2001 Jake Burkholder.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	from: FreeBSD: src/sys/i386/include/atomic.h,v 1.20 2001/02/11
+ * $FreeBSD$
+ */
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#define	ASI_P	0x80		/* Primary Address Space Identifier */
+
+#ifdef ISC_PLATFORM_USEGCCASM
+
+/*
+ * This routine atomically increments the value stored in 'p' by 'val', and
+ * returns the previous value.
+ */
+static inline isc_int32_t
+isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
+	isc_int32_t prev, swapped;
+
+	for (prev = *(volatile isc_int32_t *)p; ; prev = swapped) {
+		swapped = prev + val;
+		__asm__ volatile(
+			"casa [%1] %2, %3, %0"
+			: "+r"(swapped)
+			: "r"(p), "n"(ASI_P), "r"(prev));
+		if (swapped == prev)
+			break;
+	}
+
+	return (prev);
+}
+
+/*
+ * This routine atomically stores the value 'val' in 'p'.
+ */
+static inline void
+isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
+	isc_int32_t prev, swapped;
+
+	for (prev = *(volatile isc_int32_t *)p; ; prev = swapped) {
+		swapped = val;
+		__asm__ volatile(
+			"casa [%1] %2, %3, %0"
+			: "+r"(swapped)
+			: "r"(p), "n"(ASI_P), "r"(prev)
+			: "memory");
+		if (swapped == prev)
+			break;
+	}
+}
+
+/*
+ * This routine atomically replaces the value in 'p' with 'val', if the
+ * original value is equal to 'cmpval'.  The original value is returned in any
+ * case.
+ */
+static inline isc_int32_t
+isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
+	isc_int32_t temp = val;
+
+	__asm__ volatile(
+		"casa [%1] %2, %3, %0"
+		: "+r"(temp)
+		: "r"(p), "n"(ASI_P), "r"(cmpval));
+
+	return (temp);
+}
+
+#else  /* ISC_PLATFORM_USEGCCASM */
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif /* ISC_PLATFORM_USEGCCASM */
+
+#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/string.c b/contrib/bind9/lib/isc/string.c
index 2a1e557..c09fa4f 100644
--- a/contrib/bind9/lib/isc/string.c
+++ b/contrib/bind9/lib/isc/string.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,19 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: string.c,v 1.6.164.5 2004/09/16 01:00:58 marka Exp $ */
+/* $Id: string.c,v 1.10.18.7 2006/10/03 23:50:51 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
 #include <ctype.h>
 
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/region.h>
 #include <isc/string.h>
+#include <isc/util.h>
 
 static char digits[] = "0123456789abcdefghijklmnoprstuvwxyz";
 
@@ -89,6 +95,105 @@ isc_string_touint64(char *source, char **end, int base) {
 	return (tmp);
 }
 
+isc_result_t
+isc_string_copy(char *target, size_t size, const char *source) {
+	REQUIRE(size > 0U);
+
+	if (strlcpy(target, source, size) >= size) {
+		memset(target, ISC_STRING_MAGIC, size);
+		return (ISC_R_NOSPACE);
+	}
+
+	ENSURE(strlen(target) < size);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_string_copy_truncate(char *target, size_t size, const char *source) {
+	REQUIRE(size > 0U);
+
+	strlcpy(target, source, size);
+
+	ENSURE(strlen(target) < size);
+}
+
+isc_result_t
+isc_string_append(char *target, size_t size, const char *source) {
+	REQUIRE(size > 0U);
+	REQUIRE(strlen(target) < size);
+
+	if (strlcat(target, source, size) >= size) {
+		memset(target, ISC_STRING_MAGIC, size);
+		return (ISC_R_NOSPACE);
+	}
+
+	ENSURE(strlen(target) < size);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_string_append_truncate(char *target, size_t size, const char *source) {
+	REQUIRE(size > 0U);
+	REQUIRE(strlen(target) < size);
+
+	strlcat(target, source, size);
+
+	ENSURE(strlen(target) < size);
+}
+
+isc_result_t
+isc_string_printf(char *target, size_t size, const char *format, ...) {
+	va_list args;
+	size_t n;
+
+	REQUIRE(size > 0U);
+
+	va_start(args, format);
+	n = vsnprintf(target, size, format, args);
+	va_end(args);
+
+	if (n >= size) {
+		memset(target, ISC_STRING_MAGIC, size);
+		return (ISC_R_NOSPACE);
+	}
+
+	ENSURE(strlen(target) < size);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_string_printf_truncate(char *target, size_t size, const char *format, ...) {
+	va_list args;
+	size_t n;
+
+	REQUIRE(size > 0U);
+
+	va_start(args, format);
+	n = vsnprintf(target, size, format, args);
+	va_end(args);
+
+	ENSURE(strlen(target) < size);
+}
+
+char *
+isc_string_regiondup(isc_mem_t *mctx, const isc_region_t *source) {
+	char *target;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(source != NULL);
+
+	target = (char *) isc_mem_allocate(mctx, source->length + 1);
+	if (target != NULL) {
+		memcpy(source->base, target, source->length);
+		target[source->length] = '\0';
+	}
+
+	return (target);
+}
+
 char *
 isc_string_separate(char **stringp, const char *delim) {
 	char *string = *stringp;
diff --git a/contrib/bind9/lib/isc/strtoul.c b/contrib/bind9/lib/isc/strtoul.c
index b3d7e49..5070c08 100644
--- a/contrib/bind9/lib/isc/strtoul.c
+++ b/contrib/bind9/lib/isc/strtoul.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -48,11 +48,12 @@
  * SUCH DAMAGE.
  */
 
+/*! \file */
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)strtoul.c	8.1 (Berkeley) 6/4/93";
 #endif /* LIBC_SCCS and not lint */
 
-/* $Id: strtoul.c,v 1.2.14.3 2004/03/06 08:14:36 marka Exp $ */
+/* $Id: strtoul.c,v 1.3.18.2 2005/04/29 00:16:50 marka Exp $ */
 
 #include <config.h>
 
@@ -63,7 +64,7 @@ static char sccsid[] = "@(#)strtoul.c	8.1 (Berkeley) 6/4/93";
 #include <isc/stdlib.h>
 #include <isc/util.h>
 
-/*
+/*!
  * Convert a string to an unsigned long integer.
  *
  * Ignores `locale' stuff.  Assumes that the upper and lower case
diff --git a/contrib/bind9/lib/isc/symtab.c b/contrib/bind9/lib/isc/symtab.c
index 8b2b8c4..716ca88 100644
--- a/contrib/bind9/lib/isc/symtab.c
+++ b/contrib/bind9/lib/isc/symtab.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.c,v 1.24.12.3 2004/03/08 09:04:50 marka Exp $ */
+/* $Id: symtab.c,v 1.26.18.2 2005/04/29 00:16:50 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/task.c b/contrib/bind9/lib/isc/task.c
index 9b31523..5c80712 100644
--- a/contrib/bind9/lib/isc/task.c
+++ b/contrib/bind9/lib/isc/task.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.c,v 1.85.2.3.8.5 2004/10/15 00:45:45 marka Exp $ */
+/* $Id: task.c,v 1.91.18.6 2006/01/04 23:50:23 marka Exp $ */
 
-/*
- * Principal Author: Bob Halley
+/*! \file
+ * \author Principal Author: Bob Halley
  */
 
 /*
@@ -174,6 +174,7 @@ isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
 {
 	isc_task_t *task;
 	isc_boolean_t exiting;
+	isc_result_t result;
 
 	REQUIRE(VALID_MANAGER(manager));
 	REQUIRE(taskp != NULL && *taskp == NULL);
@@ -183,13 +184,10 @@ isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
 		return (ISC_R_NOMEMORY);
 	XTRACE("isc_task_create");
 	task->manager = manager;
-	if (isc_mutex_init(&task->lock) != ISC_R_SUCCESS) {
+	result = isc_mutex_init(&task->lock);
+	if (result != ISC_R_SUCCESS) {
 		isc_mem_put(manager->mctx, task, sizeof(*task));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		return (ISC_R_UNEXPECTED);
+		return (result);
 	}
 	task->state = task_state_idle;
 	task->references = 1;
@@ -1066,14 +1064,10 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 		return (ISC_R_NOMEMORY);
 	manager->magic = TASK_MANAGER_MAGIC;
 	manager->mctx = NULL;
-	if (isc_mutex_init(&manager->lock) != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		result = ISC_R_UNEXPECTED;
+	result = isc_mutex_init(&manager->lock);
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_mgr;
-	}
+
 #ifdef ISC_PLATFORM_USETHREADS
 	manager->workers = 0;
 	manager->threads = isc_mem_allocate(mctx,
@@ -1235,6 +1229,8 @@ isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
 	UNLOCK(&manager->lock);
 	while (isc__taskmgr_ready())
 		(void)isc__taskmgr_dispatch();
+	if (!ISC_LIST_EMPTY(manager->tasks))
+		isc_mem_printallactive(stderr);
 	INSIST(ISC_LIST_EMPTY(manager->tasks));
 #endif /* ISC_PLATFORM_USETHREADS */
 
diff --git a/contrib/bind9/lib/isc/task_p.h b/contrib/bind9/lib/isc/task_p.h
index f842c5b..8ada721 100644
--- a/contrib/bind9/lib/isc/task_p.h
+++ b/contrib/bind9/lib/isc/task_p.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task_p.h,v 1.6.206.1 2004/03/06 08:14:36 marka Exp $ */
+/* $Id: task_p.h,v 1.7.18.2 2005/04/29 00:16:50 marka Exp $ */
 
 #ifndef ISC_TASK_P_H
 #define ISC_TASK_P_H
 
+/*! \file */
+
 isc_boolean_t
 isc__taskmgr_ready(void);
 
diff --git a/contrib/bind9/lib/isc/taskpool.c b/contrib/bind9/lib/isc/taskpool.c
index a3931a9..f1f619d 100644
--- a/contrib/bind9/lib/isc/taskpool.c
+++ b/contrib/bind9/lib/isc/taskpool.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: taskpool.c,v 1.10.12.5 2006/01/04 23:50:21 marka Exp $ */
+/* $Id: taskpool.c,v 1.12.18.3 2005/11/30 03:44:39 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/timer.c b/contrib/bind9/lib/isc/timer.c
index 6a6acf6..4b96fa5 100644
--- a/contrib/bind9/lib/isc/timer.c
+++ b/contrib/bind9/lib/isc/timer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.64.12.13 2006/01/04 23:50:21 marka Exp $ */
+/* $Id: timer.c,v 1.73.18.5 2005/11/30 03:44:39 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -57,14 +59,14 @@
 #define VALID_TIMER(t)			ISC_MAGIC_VALID(t, TIMER_MAGIC)
 
 struct isc_timer {
-	/* Not locked. */
+	/*! Not locked. */
 	unsigned int			magic;
 	isc_timermgr_t *		manager;
 	isc_mutex_t			lock;
-	/* Locked by timer lock. */
+	/*! Locked by timer lock. */
 	unsigned int			references;
 	isc_time_t			idle;
-	/* Locked by manager lock. */
+	/*! Locked by manager lock. */
 	isc_timertype_t			type;
 	isc_time_t			expires;
 	isc_interval_t			interval;
@@ -99,7 +101,7 @@ struct isc_timermgr {
 };
 
 #ifndef ISC_PLATFORM_USETHREADS
-/*
+/*!
  * If threads are not in use, there can be only one.
  */
 static isc_timermgr_t *timermgr = NULL;
@@ -115,7 +117,7 @@ schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
 	isc_boolean_t timedwait;
 #endif
 
-	/*
+	/*!
 	 * Note: the caller must ensure locking.
 	 */
 
@@ -128,7 +130,7 @@ schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
 	manager = timer->manager;
 
 #ifdef ISC_PLATFORM_USETHREADS
-	/*
+	/*!
 	 * If the manager was timed wait, we may need to signal the
 	 * manager to force a wakeup.
 	 */
@@ -373,14 +375,11 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
 	 */
 	DE_CONST(arg, timer->arg);
 	timer->index = 0;
-	if (isc_mutex_init(&timer->lock) != ISC_R_SUCCESS) {
+	result = isc_mutex_init(&timer->lock);
+	if (result != ISC_R_SUCCESS) {
 		isc_task_detach(&timer->task);
 		isc_mem_put(manager->mctx, timer, sizeof(*timer));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		return (ISC_R_UNEXPECTED);
+		return (result);
 	}
 	ISC_LINK_INIT(timer, link);
 	timer->magic = TIMER_MAGIC;
@@ -583,7 +582,7 @@ dispatch(isc_timermgr_t *manager, isc_time_t *now) {
 	isc_timer_t *timer;
 	isc_result_t result;
 
-	/*
+	/*!
 	 * The caller must be holding the manager lock.
 	 */
 
@@ -783,14 +782,11 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
 		isc_mem_put(mctx, manager, sizeof(*manager));
 		return (ISC_R_NOMEMORY);
 	}
-	if (isc_mutex_init(&manager->lock) != ISC_R_SUCCESS) {
+	result = isc_mutex_init(&manager->lock);
+	if (result != ISC_R_SUCCESS) {
 		isc_heap_destroy(&manager->heap);
 		isc_mem_put(mctx, manager, sizeof(*manager));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		return (ISC_R_UNEXPECTED);
+		return (result);
 	}
 	isc_mem_attach(mctx, &manager->mctx);
 #ifdef ISC_PLATFORM_USETHREADS
diff --git a/contrib/bind9/lib/isc/timer_p.h b/contrib/bind9/lib/isc/timer_p.h
index ad7a5d0..fcc7b6c 100644
--- a/contrib/bind9/lib/isc/timer_p.h
+++ b/contrib/bind9/lib/isc/timer_p.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer_p.h,v 1.4.12.3 2004/03/08 09:04:50 marka Exp $ */
+/* $Id: timer_p.h,v 1.6.18.2 2005/04/29 00:16:51 marka Exp $ */
 
 #ifndef ISC_TIMER_P_H
 #define ISC_TIMER_P_H
 
+/*! \file */
+
 isc_result_t
 isc__timermgr_nextevent(isc_time_t *when);
 
diff --git a/contrib/bind9/lib/isc/unix/Makefile.in b/contrib/bind9/lib/isc/unix/Makefile.in
index 49845d4..afb77a6 100644
--- a/contrib/bind9/lib/isc/unix/Makefile.in
+++ b/contrib/bind9/lib/isc/unix/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.35.2.1.10.2 2004/06/22 02:48:36 marka Exp $
+# $Id: Makefile.in,v 1.38.18.1 2004/06/22 02:54:06 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isc/unix/app.c b/contrib/bind9/lib/isc/unix/app.c
index 811d67b..59b1f6c 100644
--- a/contrib/bind9/lib/isc/unix/app.c
+++ b/contrib/bind9/lib/isc/unix/app.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.c,v 1.43.2.3.8.5 2004/03/08 02:08:05 marka Exp $ */
+/* $Id: app.c,v 1.50.18.2 2005/04/29 00:17:06 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -54,7 +56,7 @@ static isc_eventlist_t		on_run;
 static isc_mutex_t		lock;
 static isc_boolean_t		shutdown_requested = ISC_FALSE;
 static isc_boolean_t		running = ISC_FALSE;
-/*
+/*!
  * We assume that 'want_shutdown' can be read and written atomically.
  */
 static isc_boolean_t		want_shutdown = ISC_FALSE;
@@ -69,14 +71,14 @@ static pthread_t		blockedthread;
 #endif /* ISC_PLATFORM_USETHREADS */
 
 #ifdef HAVE_LINUXTHREADS
-/*
+/*!
  * Linux has sigwait(), but it appears to prevent signal handlers from
  * running, even if they're not in the set being waited for.  This makes
  * it impossible to get the default actions for SIGILL, SIGSEGV, etc.
  * Instead of messing with it, we just use sigsuspend() instead.
  */
 #undef HAVE_SIGWAIT
-/*
+/*!
  * We need to remember which thread is the main thread...
  */
 static pthread_t		main_thread;
@@ -291,7 +293,7 @@ isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
 }
 
 #ifndef ISC_PLATFORM_USETHREADS
-/*
+/*!
  * Event loop for nonthreaded programs.
  */
 static isc_result_t
@@ -371,14 +373,14 @@ evloop() {
  * is set by isc_condition_signal().
  */
 
-/*
- * True iff we are currently executing in the recursive
+/*!
+ * \brief True if we are currently executing in the recursive
  * event loop.
  */
 static isc_boolean_t in_recursive_evloop = ISC_FALSE;
 
-/*
- * True iff we are exiting the event loop as the result of
+/*!
+ * \brief True if we are exiting the event loop as the result of
  * a call to isc_condition_signal() rather than a shutdown
  * or reload.
  */
diff --git a/contrib/bind9/lib/isc/unix/dir.c b/contrib/bind9/lib/isc/unix/dir.c
index 85a1217..b627c88 100644
--- a/contrib/bind9/lib/isc/unix/dir.c
+++ b/contrib/bind9/lib/isc/unix/dir.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dir.c,v 1.18.2.1.2.3 2004/03/08 09:04:55 marka Exp $ */
+/* $Id: dir.c,v 1.20.18.3 2005/09/05 00:18:30 marka Exp $ */
 
-/* Principal Authors: DCL */
+/*! \file
+ * \author  Principal Authors: DCL */
 
 #include <config.h>
 
@@ -50,18 +51,37 @@ isc_dir_init(isc_dir_t *dir) {
 	dir->magic = ISC_DIR_MAGIC;
 }
 
-/*
- * Allocate workspace and open directory stream. If either one fails,
+/*!
+ * \brief Allocate workspace and open directory stream. If either one fails,
  * NULL will be returned.
  */
 isc_result_t
 isc_dir_open(isc_dir_t *dir, const char *dirname) {
+	char *p;
 	isc_result_t result = ISC_R_SUCCESS;
 
 	REQUIRE(VALID_DIR(dir));
 	REQUIRE(dirname != NULL);
 
 	/*
+	 * Copy directory name.  Need to have enough space for the name,
+	 * a possible path separator, the wildcard, and the final NUL.
+	 */
+	if (strlen(dirname) + 3 > sizeof(dir->dirname))
+		/* XXXDCL ? */
+		return (ISC_R_NOSPACE);
+	strcpy(dir->dirname, dirname);
+
+	/*
+	 * Append path separator, if needed, and "*".
+	 */
+	p = dir->dirname + strlen(dir->dirname);
+	if (dir->dirname < p && *(p - 1) != '/')
+		*p++ = '/';
+	*p++ = '*';
+	*p++ = '\0';
+
+	/*
 	 * Open stream.
 	 */
 	dir->handle = opendir(dirname);
@@ -72,8 +92,10 @@ isc_dir_open(isc_dir_t *dir, const char *dirname) {
 	return (result);
 }
 
-/*
- * Return previously retrieved file or get next one.  Unix's dirent has
+/*!
+ * \brief Return previously retrieved file or get next one.  
+
+ * Unix's dirent has
  * separate open and read functions, but the Win32 and DOS interfaces open
  * the dir stream and reads the first file in one operation.
  */
@@ -107,8 +129,8 @@ isc_dir_read(isc_dir_t *dir) {
 	return (ISC_R_SUCCESS);
 }
 
-/*
- * Close directory stream.
+/*!
+ * \brief Close directory stream.
  */
 void
 isc_dir_close(isc_dir_t *dir) {
@@ -118,8 +140,8 @@ isc_dir_close(isc_dir_t *dir) {
        dir->handle = NULL;
 }
 
-/*
- * Reposition directory stream at start.
+/*!
+ * \brief Reposition directory stream at start.
  */
 isc_result_t
 isc_dir_reset(isc_dir_t *dir) {
@@ -132,8 +154,8 @@ isc_dir_reset(isc_dir_t *dir) {
 
 isc_result_t
 isc_dir_chdir(const char *dirname) {
-	/*
-	 * Change the current directory to 'dirname'.
+	/*!
+	 * \brief Change the current directory to 'dirname'.
 	 */
 
 	REQUIRE(dirname != NULL);
@@ -165,8 +187,8 @@ isc_dir_createunique(char *templet) {
 
 	REQUIRE(templet != NULL);
 
-	/*
-	 * mkdtemp is not portable, so this emulates it.
+	/*!
+	 * \brief mkdtemp is not portable, so this emulates it.
 	 */
 
 	pid = getpid();
diff --git a/contrib/bind9/lib/isc/unix/entropy.c b/contrib/bind9/lib/isc/unix/entropy.c
index d52849a..4c0d0d0 100644
--- a/contrib/bind9/lib/isc/unix/entropy.c
+++ b/contrib/bind9/lib/isc/unix/entropy.c
@@ -15,10 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.c,v 1.60.2.3.8.14 2006/03/02 23:29:17 marka Exp $ */
+/* $Id: entropy.c,v 1.71.18.7 2006/12/07 04:53:03 marka Exp $ */
 
-/*
- * This is the system depenedent part of the ISC entropy API.
+/* \file unix/entropy.c
+ * \brief
+ * This is the system dependent part of the ISC entropy API.
  */
 
 #include <config.h>
@@ -41,7 +42,7 @@
 
 #include "errno2result.h"
 
-/*
+/*%
  * There is only one variable in the entropy data structures that is not
  * system independent, but pulling the structure that uses it into this file
  * ultimately means pulling several other independent structures here also to
@@ -486,8 +487,6 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
 
 	LOCK(&ent->lock);
 
-	source = NULL;
-
 	if (stat(fname, &_stat) < 0) {
 		ret = isc__errno2result(errno);
 		goto errout;
@@ -589,9 +588,6 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
 	(void)close(fd);
 
  errout:
-	if (source != NULL)
-		isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
-
 	UNLOCK(&ent->lock);
 
 	return (ret);
diff --git a/contrib/bind9/lib/isc/unix/errno2result.c b/contrib/bind9/lib/isc/unix/errno2result.c
index 66a4e91..d4b188f 100644
--- a/contrib/bind9/lib/isc/unix/errno2result.c
+++ b/contrib/bind9/lib/isc/unix/errno2result.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: errno2result.c,v 1.8.2.4.8.1 2004/03/06 08:14:59 marka Exp $ */
+/* $Id: errno2result.c,v 1.13.18.2 2005/04/29 00:17:07 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -25,7 +27,7 @@
 
 #include "errno2result.h"
 
-/*
+/*%
  * Convert a POSIX errno value into an isc_result_t.  The
  * list of supported errno values is not complete; new users
  * of this function should add any expected errors that are
diff --git a/contrib/bind9/lib/isc/unix/errno2result.h b/contrib/bind9/lib/isc/unix/errno2result.h
index 9a8d07c..5e36116 100644
--- a/contrib/bind9/lib/isc/unix/errno2result.h
+++ b/contrib/bind9/lib/isc/unix/errno2result.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: errno2result.h,v 1.7.206.1 2004/03/06 08:14:59 marka Exp $ */
+/* $Id: errno2result.h,v 1.8.18.2 2005/04/29 00:17:07 marka Exp $ */
 
 #ifndef UNIX_ERRNO2RESULT_H
 #define UNIX_ERRNO2RESULT_H 1
 
+/*! \file */
+
 /* XXXDCL this should be moved to lib/isc/include/isc/errno2result.h. */
 
 #include <errno.h>		/* Provides errno. */
diff --git a/contrib/bind9/lib/isc/unix/file.c b/contrib/bind9/lib/isc/unix/file.c
index 7ed6272..e45e0fe 100644
--- a/contrib/bind9/lib/isc/unix/file.c
+++ b/contrib/bind9/lib/isc/unix/file.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -48,7 +48,9 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: file.c,v 1.38.12.8 2004/03/16 05:50:25 marka Exp $ */
+/* $Id: file.c,v 1.47.18.2 2005/04/29 00:17:07 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -154,7 +156,7 @@ isc_file_settime(const char *file, isc_time_t *time) {
 }
 
 #undef TEMPLATE
-#define TEMPLATE "tmp-XXXXXXXXXX" /* 14 characters. */
+#define TEMPLATE "tmp-XXXXXXXXXX" /*%< 14 characters. */
 
 isc_result_t
 isc_file_mktemplate(const char *path, char *buf, size_t buflen) {
diff --git a/contrib/bind9/lib/isc/unix/fsaccess.c b/contrib/bind9/lib/isc/unix/fsaccess.c
index 3745ca2..f3ed60f 100644
--- a/contrib/bind9/lib/isc/unix/fsaccess.c
+++ b/contrib/bind9/lib/isc/unix/fsaccess.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.c,v 1.6.206.3 2006/08/25 05:25:50 marka Exp $ */
+/* $Id: fsaccess.c,v 1.7.18.4 2006/08/25 05:25:51 marka Exp $ */
 
 #include <config.h>
 
@@ -26,7 +26,8 @@
 
 #include "errno2result.h"
 
-/*
+/*! \file
+ * \brief
  * The OS-independent part of the API is in lib/isc.
  */
 #include "../fsaccess.c"
diff --git a/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c b/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c
index ad6e1e0..7e359aa 100644
--- a/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c
+++ b/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,28 +15,33 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_getifaddrs.c,v 1.2.68.3 2004/03/06 08:14:59 marka Exp $ */
+/* $Id: ifiter_getifaddrs.c,v 1.4.18.2 2005/04/29 00:17:08 marka Exp $ */
 
-/*
+/*! \file
+ * \brief
  * Obtain the list of network interfaces using the getifaddrs(3) library.
  */
 
 #include <ifaddrs.h>
 
+/*% Iterator Magic */
 #define IFITER_MAGIC		ISC_MAGIC('I', 'F', 'I', 'G')
+/*% Valid Iterator */
 #define VALID_IFITER(t)		ISC_MAGIC_VALID(t, IFITER_MAGIC)
 
+/*% Iterator structure */
 struct isc_interfaceiter {
-	unsigned int		magic;		/* Magic number. */
+	unsigned int		magic;		/*%< Magic number. */
 	isc_mem_t		*mctx;
-	void			*buf;		/* (unused) */
-	unsigned int		bufsize;	/* (always 0) */
-	struct ifaddrs		*ifaddrs;	/* List of ifaddrs */
-	struct ifaddrs		*pos;		/* Ptr to current ifaddr */
-	isc_interface_t		current;	/* Current interface data. */
-	isc_result_t		result;		/* Last result code. */
+	void			*buf;		/*%< (unused) */
+	unsigned int		bufsize;	/*%< (always 0) */
+	struct ifaddrs		*ifaddrs;	/*%< List of ifaddrs */
+	struct ifaddrs		*pos;		/*%< Ptr to current ifaddr */
+	isc_interface_t		current;	/*%< Current interface data. */
+	isc_result_t		result;		/*%< Last result code. */
 };
 
+
 isc_result_t
 isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 	isc_interfaceiter_t *iter;
diff --git a/contrib/bind9/lib/isc/unix/ifiter_ioctl.c b/contrib/bind9/lib/isc/unix/ifiter_ioctl.c
index 68a1365..5ebcef8 100644
--- a/contrib/bind9/lib/isc/unix/ifiter_ioctl.c
+++ b/contrib/bind9/lib/isc/unix/ifiter_ioctl.c
@@ -15,9 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_ioctl.c,v 1.19.2.5.2.19 2006/02/03 23:51:37 marka Exp $ */
+/* $Id: ifiter_ioctl.c,v 1.44.18.11 2006/02/03 23:51:38 marka Exp $ */
 
-/*
+/*! \file
+ * \brief
  * Obtain the list of network interfaces using the SIOCGLIFCONF ioctl.
  * See netintro(4).
  */
@@ -93,7 +94,7 @@ struct isc_interfaceiter {
 #endif
 
 
-/*
+/*%
  * Size of buffer for SIOCGLIFCONF, in bytes.  We assume no sane system
  * will have more than a megabyte of interface configuration data.
  */
diff --git a/contrib/bind9/lib/isc/unix/ifiter_sysctl.c b/contrib/bind9/lib/isc/unix/ifiter_sysctl.c
index b10a2d2..212a478 100644
--- a/contrib/bind9/lib/isc/unix/ifiter_sysctl.c
+++ b/contrib/bind9/lib/isc/unix/ifiter_sysctl.c
@@ -15,9 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_sysctl.c,v 1.14.12.9 2005/03/17 03:58:33 marka Exp $ */
+/* $Id: ifiter_sysctl.c,v 1.20.18.3 2005/04/27 05:02:35 sra Exp $ */
 
-/*
+/*! \file
+ * \brief
  * Obtain the list of network interfaces using sysctl.
  * See TCP/IP Illustrated Volume 2, sections 19.8, 19.14,
  * and 19.16.
diff --git a/contrib/bind9/lib/isc/unix/include/Makefile.in b/contrib/bind9/lib/isc/unix/include/Makefile.in
index 5a06022..78eba44 100644
--- a/contrib/bind9/lib/isc/unix/include/Makefile.in
+++ b/contrib/bind9/lib/isc/unix/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:15:03 marka Exp $
+# $Id: Makefile.in,v 1.12 2004/03/05 05:11:50 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isc/unix/include/isc/Makefile.in b/contrib/bind9/lib/isc/unix/include/isc/Makefile.in
index 4c5bae2..9599f7c 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/Makefile.in
+++ b/contrib/bind9/lib/isc/unix/include/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.27.206.1 2004/03/06 08:15:03 marka Exp $
+# $Id: Makefile.in,v 1.28 2004/03/05 05:11:52 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isc/unix/include/isc/dir.h b/contrib/bind9/lib/isc/unix/include/isc/dir.h
index 53b51df..cc85706 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/dir.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/dir.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,15 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dir.h,v 1.15.12.3 2004/03/08 09:04:57 marka Exp $ */
+/* $Id: dir.h,v 1.17.18.2 2005/04/29 00:17:09 marka Exp $ */
 
 /* Principal Authors: DCL */
 
 #ifndef ISC_DIR_H
 #define ISC_DIR_H 1
 
+/*! \file */
+
 #include <sys/types.h>		/* Required on some systems. */
 #include <dirent.h>
 
@@ -31,8 +33,9 @@
 #define ISC_DIR_NAMEMAX 256
 #define ISC_DIR_PATHMAX 1024
 
+/*% Directory Entry */
 typedef struct isc_direntry {
-	/*
+	/*!
 	 * Ideally, this should be NAME_MAX, but AIX does not define it by
 	 * default and dynamically allocating the space based on pathconf()
 	 * complicates things undesirably, as does adding special conditionals
@@ -42,9 +45,10 @@ typedef struct isc_direntry {
 	unsigned int	length;
 } isc_direntry_t;
 
+/*% Directory */
 typedef struct isc_dir {
 	unsigned int	magic;
-	/*
+	/*!
 	 * As with isc_direntry_t->name, making this "right" for all systems
 	 * is slightly problematic because AIX does not define PATH_MAX.
 	 */
@@ -78,7 +82,7 @@ isc_dir_chroot(const char *dirname);
 
 isc_result_t
 isc_dir_createunique(char *templet);
-/*
+/*!<
  * Use a templet (such as from isc_file_mktemplate()) to create a uniquely
  * named, empty directory.  The templet string is modified in place.
  * If result == ISC_R_SUCCESS, it is the name of the directory that was
diff --git a/contrib/bind9/lib/isc/unix/include/isc/int.h b/contrib/bind9/lib/isc/unix/include/isc/int.h
index be36ccb..1e1de7b 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/int.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/int.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: int.h,v 1.11.206.1 2004/03/06 08:15:04 marka Exp $ */
+/* $Id: int.h,v 1.12.18.2 2005/04/29 00:17:09 marka Exp $ */
 
 #ifndef ISC_INT_H
 #define ISC_INT_H 1
 
+/*! \file */
+
 typedef char				isc_int8_t;
 typedef unsigned char			isc_uint8_t;
 typedef short				isc_int16_t;
@@ -37,7 +39,7 @@ typedef unsigned long long		isc_uint64_t;
 #define ISC_INT16_MAX	32767
 #define ISC_UINT16_MAX	65535
 
-/*
+/*%
  * Note that "int" is 32 bits on all currently supported Unix-like operating
  * systems, but "long" can be either 32 bits or 64 bits, thus the 32 bit
  * constants are not qualified with "L".
diff --git a/contrib/bind9/lib/isc/unix/include/isc/keyboard.h b/contrib/bind9/lib/isc/unix/include/isc/keyboard.h
index 31005b1..4b28cc0 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/keyboard.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/keyboard.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyboard.h,v 1.6.206.1 2004/03/06 08:15:04 marka Exp $ */
+/* $Id: keyboard.h,v 1.7.18.2 2005/04/29 00:17:09 marka Exp $ */
 
 #ifndef ISC_KEYBOARD_H
 #define ISC_KEYBOARD_H 1
 
+/*! \file */
+
 #include <termios.h>
 
 #include <isc/lang.h>
diff --git a/contrib/bind9/lib/isc/unix/include/isc/net.h b/contrib/bind9/lib/isc/unix/include/isc/net.h
index f1a015f..bdd8c14 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/net.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/net.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.h,v 1.31.2.2.10.8 2004/04/29 01:31:23 marka Exp $ */
+/* $Id: net.h,v 1.39.18.4 2005/04/27 05:02:37 sra Exp $ */
 
 #ifndef ISC_NET_H
 #define ISC_NET_H 1
@@ -24,19 +24,20 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * Basic Networking Types
  *
  * This module is responsible for defining the following basic networking
  * types:
  *
- *		struct in_addr
- *		struct in6_addr
- *		struct in6_pktinfo
- *		struct sockaddr
- *		struct sockaddr_in
- *		struct sockaddr_in6
- *		in_port_t
+ *\li		struct in_addr
+ *\li		struct in6_addr
+ *\li		struct in6_pktinfo
+ *\li		struct sockaddr
+ *\li		struct sockaddr_in
+ *\li		struct sockaddr_in6
+ *\li		in_port_t
  *
  * It ensures that the AF_ and PF_ macros are defined.
  *
@@ -44,27 +45,27 @@
  *
  * It declares inet_aton(), inet_ntop(), and inet_pton().
  *
- * It ensures that INADDR_LOOPBACK, INADDR_ANY, IN6ADDR_ANY_INIT,
+ * It ensures that #INADDR_LOOPBACK, #INADDR_ANY, #IN6ADDR_ANY_INIT,
  * in6addr_any, and in6addr_loopback are available.
  *
  * It ensures that IN_MULTICAST() is available to check for multicast
  * addresses.
  *
  * MP:
- *	No impact.
+ *\li	No impact.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	N/A.
+ *\li	N/A.
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Standards:
- *	BSD Socket API
- *	RFC 2553
+ *\li	BSD Socket API
+ *\li	RFC2553
  */
 
 /***
@@ -94,19 +95,19 @@
 #include <isc/types.h>
 
 #ifdef ISC_PLATFORM_HAVEINADDR6
-#define in6_addr in_addr6	/* Required for pre RFC2133 implementations. */
+#define in6_addr in_addr6	/*%< Required for pre RFC2133 implementations. */
 #endif
 
 #ifdef ISC_PLATFORM_HAVEIPV6
-/*
+#ifndef IN6ADDR_ANY_INIT
+#ifdef s6_addr
+/*%
  * Required for some pre RFC2133 implementations.
  * IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT were added in
  * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.  
  * If 's6_addr' is defined then assume that there is a union and three
  * levels otherwise assume two levels required.
  */
-#ifndef IN6ADDR_ANY_INIT
-#ifdef s6_addr
 #define IN6ADDR_ANY_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }
 #else
 #define IN6ADDR_ANY_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } }
@@ -115,6 +116,7 @@
 
 #ifndef IN6ADDR_LOOPBACK_INIT
 #ifdef s6_addr
+/*% IPv6 address loopback init */
 #define IN6ADDR_LOOPBACK_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } } }
 #else
 #define IN6ADDR_LOOPBACK_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } }
@@ -122,12 +124,14 @@
 #endif
 
 #ifndef IN6_IS_ADDR_V4MAPPED
+/*% Is IPv6 address V4 mapped? */
 #define IN6_IS_ADDR_V4MAPPED(x) \
 	 (memcmp((x)->s6_addr, in6addr_any.s6_addr, 10) == 0 && \
 	  (x)->s6_addr[10] == 0xff && (x)->s6_addr[11] == 0xff)
 #endif
 
 #ifndef IN6_IS_ADDR_V4COMPAT
+/*% Is IPv6 address V4 compatible? */
 #define IN6_IS_ADDR_V4COMPAT(x) \
 	 (memcmp((x)->s6_addr, in6addr_any.s6_addr, 12) == 0 && \
 	 ((x)->s6_addr[12] != 0 || (x)->s6_addr[13] != 0 || \
@@ -136,50 +140,58 @@
 #endif
 
 #ifndef IN6_IS_ADDR_MULTICAST
+/*% Is IPv6 address multicast? */
 #define IN6_IS_ADDR_MULTICAST(a)        ((a)->s6_addr[0] == 0xff)
 #endif
 
 #ifndef IN6_IS_ADDR_LINKLOCAL
+/*% Is IPv6 address linklocal? */
 #define IN6_IS_ADDR_LINKLOCAL(a) \
 	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
 #endif
 
 #ifndef IN6_IS_ADDR_SITELOCAL
+/*% is IPv6 address sitelocal? */
 #define IN6_IS_ADDR_SITELOCAL(a) \
 	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
 #endif
 
 
 #ifndef IN6_IS_ADDR_LOOPBACK
+/*% is IPv6 address loopback? */
 #define IN6_IS_ADDR_LOOPBACK(x) \
 	(memcmp((x)->s6_addr, in6addr_loopback.s6_addr, 16) == 0)
 #endif
 #endif
 
 #ifndef AF_INET6
+/*% IPv6 */
 #define AF_INET6 99
 #endif
 
 #ifndef PF_INET6
+/*% IPv6 */
 #define PF_INET6 AF_INET6
 #endif
 
 #ifndef INADDR_LOOPBACK
+/*% inaddr loopback */
 #define INADDR_LOOPBACK 0x7f000001UL
 #endif
 
 #ifndef ISC_PLATFORM_HAVEIN6PKTINFO
+/*% IPv6 packet info */
 struct in6_pktinfo {
-	struct in6_addr ipi6_addr;    /* src/dst IPv6 address */
-	unsigned int    ipi6_ifindex; /* send/recv interface index */
+	struct in6_addr ipi6_addr;    /*%< src/dst IPv6 address */
+	unsigned int    ipi6_ifindex; /*%< send/recv interface index */
 };
 #endif
 
-/*
- * Cope with a missing in6addr_any and in6addr_loopback.
- */
 #if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRANY)
 extern const struct in6_addr isc_net_in6addrany;
+/*%
+ * Cope with a missing in6addr_any and in6addr_loopback.
+ */
 #define in6addr_any isc_net_in6addrany
 #endif
 
@@ -188,11 +200,12 @@ extern const struct in6_addr isc_net_in6addrloop;
 #define in6addr_loopback isc_net_in6addrloop
 #endif
 
-/*
- * Fix UnixWare 7.1.1's broken IN6_IS_ADDR_* definitions.
- */
 #ifdef ISC_PLATFORM_FIXIN6ISADDR
 #undef  IN6_IS_ADDR_GEOGRAPHIC
+/*! 
+ * \brief
+ * Fix UnixWare 7.1.1's broken IN6_IS_ADDR_* definitions.
+ */
 #define IN6_IS_ADDR_GEOGRAPHIC(a) (((a)->S6_un.S6_l[0] & 0xE0) == 0x80)
 #undef  IN6_IS_ADDR_IPX
 #define IN6_IS_ADDR_IPX(a)        (((a)->S6_un.S6_l[0] & 0xFE) == 0x04)
@@ -208,24 +221,26 @@ extern const struct in6_addr isc_net_in6addrloop;
 #define IN6_IS_ADDR_SITELOCAL(a)  (((a)->S6_un.S6_l[0] & 0xC0FF) == 0xC0FE)
 #endif /* ISC_PLATFORM_FIXIN6ISADDR */
 
-/*
+#ifdef ISC_PLATFORM_NEEDPORTT
+/*%
  * Ensure type in_port_t is defined.
  */
-#ifdef ISC_PLATFORM_NEEDPORTT
 typedef isc_uint16_t in_port_t;
 #endif
 
-/*
+#ifndef MSG_TRUNC
+/*%
  * If this system does not have MSG_TRUNC (as returned from recvmsg())
  * ISC_PLATFORM_RECVOVERFLOW will be defined.  This will enable the MSG_TRUNC
  * faking code in socket.c.
  */
-#ifndef MSG_TRUNC
 #define ISC_PLATFORM_RECVOVERFLOW
 #endif
 
+/*% IP address. */
 #define ISC__IPADDR(x)	((isc_uint32_t)htonl((isc_uint32_t)(x)))
 
+/*% Is IP address multicast? */
 #define ISC_IPADDR_ISMULTICAST(i) \
 		(((isc_uint32_t)(i) & ISC__IPADDR(0xf0000000)) \
 		 == ISC__IPADDR(0xe0000000))
@@ -242,40 +257,40 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 isc_net_probeipv4(void);
-/*
+/*%<
  * Check if the system's kernel supports IPv4.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		IPv4 is supported.
- *	ISC_R_NOTFOUND		IPv4 is not supported.
- *	ISC_R_DISABLED		IPv4 is disabled.
- *	ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS		IPv4 is supported.
+ *\li	#ISC_R_NOTFOUND		IPv4 is not supported.
+ *\li	#ISC_R_DISABLED		IPv4 is disabled.
+ *\li	#ISC_R_UNEXPECTED
  */
 
 isc_result_t
 isc_net_probeipv6(void);
-/*
+/*%<
  * Check if the system's kernel supports IPv6.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		IPv6 is supported.
- *	ISC_R_NOTFOUND		IPv6 is not supported.
- *	ISC_R_DISABLED		IPv6 is disabled.
- *	ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS		IPv6 is supported.
+ *\li	#ISC_R_NOTFOUND		IPv6 is not supported.
+ *\li	#ISC_R_DISABLED		IPv6 is disabled.
+ *\li	#ISC_R_UNEXPECTED
  */
 
 isc_result_t
 isc_net_probe_ipv6only(void);
-/*
+/*%<
  * Check if the system's kernel supports the IPV6_V6ONLY socket option.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		the option is supported for both TCP and UDP.
- *	ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
- *	ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS		the option is supported for both TCP and UDP.
+ *\li	#ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
+ *\li	#ISC_R_UNEXPECTED
  */
 
 isc_result_t
@@ -286,9 +301,9 @@ isc_net_probe_ipv6pktinfo(void);
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		the option is supported.
- *	ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
- *	ISC_R_UNEXPECTED
+ * \li	#ISC_R_SUCCESS		the option is supported.
+ * \li	#ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
+ * \li	#ISC_R_UNEXPECTED
  */
 
 void
@@ -303,6 +318,12 @@ isc_net_enableipv4(void);
 void
 isc_net_enableipv6(void);
 
+isc_result_t
+isc_net_probeunix(void);
+/*
+ * Returns whether UNIX domain sockets are supported.
+ */
+
 #ifdef ISC_PLATFORM_NEEDNTOP
 const char *
 isc_net_ntop(int af, const void *src, char *dst, size_t size);
diff --git a/contrib/bind9/lib/isc/unix/include/isc/netdb.h b/contrib/bind9/lib/isc/unix/include/isc/netdb.h
index beb9137..428f087 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/netdb.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/netdb.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h,v 1.6.206.1 2004/03/06 08:15:04 marka Exp $ */
+/* $Id: netdb.h,v 1.7.18.2 2005/04/29 00:17:10 marka Exp $ */
 
 #ifndef ISC_NETDB_H
 #define ISC_NETDB_H 1
@@ -24,25 +24,26 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * Portable netdb.h support.
  *
  * This module is responsible for defining the get<x>by<y> APIs.
  *
  * MP:
- *	No impact.
+ *\li	No impact.
  *
  * Reliability:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Resources:
- *	N/A.
+ *\li	N/A.
  *
  * Security:
- *	No anticipated impact.
+ *\li	No anticipated impact.
  *
  * Standards:
- *	BSD API
+ *\li	BSD API
  */
 
 /***
diff --git a/contrib/bind9/lib/isc/unix/include/isc/offset.h b/contrib/bind9/lib/isc/unix/include/isc/offset.h
index 0ea1362..15fbad4 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/offset.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/offset.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: offset.h,v 1.10.206.1 2004/03/06 08:15:04 marka Exp $ */
+/* $Id: offset.h,v 1.11.18.2 2005/04/29 00:17:10 marka Exp $ */
 
 #ifndef ISC_OFFSET_H
 #define ISC_OFFSET_H 1
 
-/*
+/*! \file
+ * \brief
  * File offsets are operating-system dependent.
  */
 #include <limits.h>             /* Required for CHAR_BIT. */
@@ -28,7 +29,7 @@
 
 typedef off_t isc_offset_t;
 
-/*
+/*%
  * POSIX says "Additionally, blkcnt_t and off_t are extended signed integral
  * types", so the maximum value is all 1s except for the high bit.
  * This definition is more complex than it really needs to be because it was
diff --git a/contrib/bind9/lib/isc/unix/include/isc/stat.h b/contrib/bind9/lib/isc/unix/include/isc/stat.h
index 4304208..d1b2489 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/stat.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/stat.h
@@ -1,6 +1,5 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stat.h,v 1.1.2.1.4.1 2004/03/06 08:15:05 marka Exp $ */
+/* $Id: stat.h,v 1.2.18.1 2004/08/19 04:42:54 marka Exp $ */
 
 #ifndef ISC_STAT_H
 #define ISC_STAT_H 1
diff --git a/contrib/bind9/lib/isc/unix/include/isc/stdtime.h b/contrib/bind9/lib/isc/unix/include/isc/stdtime.h
index 9b855c7..24a91d2 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/stdtime.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/stdtime.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,31 +15,44 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdtime.h,v 1.8.206.1 2004/03/06 08:15:05 marka Exp $ */
+/* $Id: stdtime.h,v 1.9.18.3 2005/06/04 06:23:45 jinmei Exp $ */
 
 #ifndef ISC_STDTIME_H
 #define ISC_STDTIME_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/int.h>
 
-/*
+/*%
  * It's public information that 'isc_stdtime_t' is an unsigned integral type.
  * Applications that want maximum portability should not assume anything
  * about its size.
  */
 typedef isc_uint32_t isc_stdtime_t;
+/*
+ * isc_stdtime32_t is a 32-bit version of isc_stdtime_t.  A variable of this
+ * type should only be used as an opaque integer (e.g.,) to compare two
+ * time values.
+ */
+typedef isc_uint32_t isc_stdtime32_t;
 
 ISC_LANG_BEGINDECLS
-
+/* */
 void
 isc_stdtime_get(isc_stdtime_t *t);
-/*
+/*%<
  * Set 't' to the number of seconds since 00:00:00 UTC, January 1, 1970.
  *
  * Requires:
  *
- *	't' is a valid pointer.
+ *\li	't' is a valid pointer.
+ */
+
+#define isc_stdtime_convert32(t, t32p) (*(t32p) = t)
+/*
+ * Convert the standard time to its 32-bit version.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/isc/unix/include/isc/strerror.h b/contrib/bind9/lib/isc/unix/include/isc/strerror.h
index f51fbdc..fb2e8a4 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/strerror.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/strerror.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,20 +15,23 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: strerror.h,v 1.2.12.3 2004/03/08 09:04:57 marka Exp $ */
+/* $Id: strerror.h,v 1.4.18.2 2005/04/29 00:17:10 marka Exp $ */
 
 #ifndef ISC_STRERROR_H
 #define ISC_STRERROR_H
 
+/*! \file */
+
 #include <sys/types.h>
 
 #include <isc/lang.h>
 
 ISC_LANG_BEGINDECLS
 
+/*% String Error Size */
 #define ISC_STRERRORSIZE 128
 
-/*
+/*%
  * Provide a thread safe wrapper to strerrror().
  *
  * Requires:
diff --git a/contrib/bind9/lib/isc/unix/include/isc/syslog.h b/contrib/bind9/lib/isc/unix/include/isc/syslog.h
index 2c0625e..08adca1 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/syslog.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/syslog.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: syslog.h,v 1.2.206.1 2004/03/06 08:15:05 marka Exp $ */
+/* $Id: syslog.h,v 1.3.18.2 2005/04/29 00:17:10 marka Exp $ */
 
 #ifndef ISC_SYSLOG_H
 #define ISC_SYSLOG_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/types.h>
 
@@ -27,17 +29,17 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 isc_syslog_facilityfromstring(const char *str, int *facilityp);
-/*
+/*%<
  * Convert 'str' to the appropriate syslog facility constant.
  *
  * Requires:
  *
- *	'str' is not NULL
- *	'facilityp' is not NULL
+ *\li	'str' is not NULL
+ *\li	'facilityp' is not NULL
  *
  * Returns:
- * 	ISC_R_SUCCESS
- * 	ISC_R_NOTFOUND
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/isc/unix/include/isc/time.h b/contrib/bind9/lib/isc/unix/include/isc/time.h
index 6021c13..6579439 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/time.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/time.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.h,v 1.25.2.1.10.4 2004/03/08 09:04:58 marka Exp $ */
+/* $Id: time.h,v 1.30.18.2 2005/04/29 00:17:10 marka Exp $ */
 
 #ifndef ISC_TIME_H
 #define ISC_TIME_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/types.h>
 
@@ -27,7 +29,8 @@
  *** Intervals
  ***/
 
-/*
+/*! 
+ *  \brief
  * The contents of this structure are private, and MUST NOT be accessed
  * directly by callers.
  *
@@ -45,32 +48,32 @@ ISC_LANG_BEGINDECLS
 void
 isc_interval_set(isc_interval_t *i,
 		 unsigned int seconds, unsigned int nanoseconds);
-/*
+/*%<
  * Set 'i' to a value representing an interval of 'seconds' seconds and
  * 'nanoseconds' nanoseconds, suitable for use in isc_time_add() and
  * isc_time_subtract().
  *
  * Requires:
  *
- *	't' is a valid pointer.
- *	nanoseconds < 1000000000.
+ *\li	't' is a valid pointer.
+ *\li	nanoseconds < 1000000000.
  */
 
 isc_boolean_t
 isc_interval_iszero(const isc_interval_t *i);
-/*
+/*%<
  * Returns ISC_TRUE iff. 'i' is the zero interval.
  *
  * Requires:
  *
- *	'i' is a valid pointer.
+ *\li	'i' is a valid pointer.
  */
 
 /***
  *** Absolute Times
  ***/
 
-/*
+/*%
  * The contents of this structure are private, and MUST NOT be accessed
  * directly by callers.
  *
@@ -86,116 +89,118 @@ extern isc_time_t *isc_time_epoch;
 
 void
 isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds);
-/*
+/*%<
  * Set 't' to a particular number of seconds + nanoseconds since the epoch.
  *
  * Notes:
- *	This call is equivalent to:
- *
+ *\li	This call is equivalent to:
+ *\code
  *	isc_time_settoepoch(t);
  *	isc_interval_set(i, seconds, nanoseconds);
  *	isc_time_add(t, i, t);
- *
+ *\endcode
  * Requires:
- *	't' is a valid pointer.
- *	nanoseconds < 1000000000.
+ *\li	't' is a valid pointer.
+ *\li	nanoseconds < 1000000000.
  */
 
 void
 isc_time_settoepoch(isc_time_t *t);
-/*
+/*%<
  * Set 't' to the time of the epoch.
  *
  * Notes:
- * 	The date of the epoch is platform-dependent.
+ * \li	The date of the epoch is platform-dependent.
  *
  * Requires:
  *
- *	't' is a valid pointer.
+ *\li	't' is a valid pointer.
  */
 
 isc_boolean_t
 isc_time_isepoch(const isc_time_t *t);
-/*
+/*%<
  * Returns ISC_TRUE iff. 't' is the epoch ("time zero").
  *
  * Requires:
  *
- *	't' is a valid pointer.
+ *\li	't' is a valid pointer.
  */
 
 isc_result_t
 isc_time_now(isc_time_t *t);
-/*
+/*%<
  * Set 't' to the current absolute time.
  *
  * Requires:
  *
- *	't' is a valid pointer.
+ *\li	't' is a valid pointer.
  *
  * Returns:
  *
- *	Success
- *	Unexpected error
+ *\li	Success
+ *\li	Unexpected error
  *		Getting the time from the system failed.
- *	Out of range
+ *\li	Out of range
  *		The time from the system is too large to be represented
  *		in the current definition of isc_time_t.
  */
 
 isc_result_t
 isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i);
-/*
+/*%<
  * Set *t to the current absolute time + i.
  *
  * Note:
- *	This call is equivalent to:
+ *\li	This call is equivalent to:
  *
+ *\code
  *		isc_time_now(t);
  *		isc_time_add(t, i, t);
+ *\endcode
  *
  * Requires:
  *
- *	't' and 'i' are valid pointers.
+ *\li	't' and 'i' are valid pointers.
  *
  * Returns:
  *
- *	Success
- *	Unexpected error
+ *\li	Success
+ *\li	Unexpected error
  *		Getting the time from the system failed.
- *	Out of range
+ *\li	Out of range
  *		The interval added to the time from the system is too large to
  *		be represented in the current definition of isc_time_t.
  */
 
 int
 isc_time_compare(const isc_time_t *t1, const isc_time_t *t2);
-/*
+/*%<
  * Compare the times referenced by 't1' and 't2'
  *
  * Requires:
  *
- *	't1' and 't2' are valid pointers.
+ *\li	't1' and 't2' are valid pointers.
  *
  * Returns:
  *
- *	-1		t1 < t2		(comparing times, not pointers)
- *	0		t1 = t2
- *	1		t1 > t2
+ *\li	-1		t1 < t2		(comparing times, not pointers)
+ *\li	0		t1 = t2
+ *\li	1		t1 > t2
  */
 
 isc_result_t
 isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result);
-/*
+/*%<
  * Add 'i' to 't', storing the result in 'result'.
  *
  * Requires:
  *
- *	't', 'i', and 'result' are valid pointers.
+ *\li	't', 'i', and 'result' are valid pointers.
  *
  * Returns:
- * 	Success
- *	Out of range
+ * \li	Success
+ *\li	Out of range
  * 		The interval added to the time is too large to
  *		be represented in the current definition of isc_time_t.
  */
@@ -203,50 +208,50 @@ isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result);
 isc_result_t
 isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
 		  isc_time_t *result);
-/*
+/*%<
  * Subtract 'i' from 't', storing the result in 'result'.
  *
  * Requires:
  *
- *	't', 'i', and 'result' are valid pointers.
+ *\li	't', 'i', and 'result' are valid pointers.
  *
  * Returns:
- *	Success
- *	Out of range
+ *\li	Success
+ *\li	Out of range
  *		The interval is larger than the time since the epoch.
  */
 
 isc_uint64_t
 isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2);
-/*
+/*%<
  * Find the difference in microseconds between time t1 and time t2.
  * t2 is the subtrahend of t1; ie, difference = t1 - t2.
  *
  * Requires:
  *
- *	't1' and 't2' are valid pointers.
+ *\li	't1' and 't2' are valid pointers.
  *
  * Returns:
- *	The difference of t1 - t2, or 0 if t1 <= t2.
+ *\li	The difference of t1 - t2, or 0 if t1 <= t2.
  */
 
 isc_uint32_t
 isc_time_seconds(const isc_time_t *t);
-/*
+/*%<
  * Return the number of seconds since the epoch stored in a time structure.
  *
  * Requires:
  *
- *	't' is a valid pointer.
+ *\li	't' is a valid pointer.
  */
 
 isc_result_t
 isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp);
-/*
+/*%<
  * Ensure the number of seconds in an isc_time_t is representable by a time_t.
  *
  * Notes:
- *	The number of seconds stored in an isc_time_t might be larger
+ *\li	The number of seconds stored in an isc_time_t might be larger
  *	than the number of seconds a time_t is able to handle.  Since
  *	time_t is mostly opaque according to the ANSI/ISO standard
  *	(essentially, all you can be sure of is that it is an arithmetic type,
@@ -256,41 +261,41 @@ isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp);
  *	time_t from an isc_time_t.
  *
  * Requires:
- *	't' is a valid pointer.
+ *\li	't' is a valid pointer.
  *
  * Returns:
- *	Success
- *	Out of range
+ *\li	Success
+ *\li	Out of range
  */
 
 isc_uint32_t
 isc_time_nanoseconds(const isc_time_t *t);
-/*
+/*%<
  * Return the number of nanoseconds stored in a time structure.
  *
  * Notes:
- *	This is the number of nanoseconds in excess of the the number
+ *\li	This is the number of nanoseconds in excess of the the number
  *	of seconds since the epoch; it will always be less than one
  *	full second.
  *
  * Requires:
- *	't' is a valid pointer.
+ *\li	't' is a valid pointer.
  *
  * Ensures:
- *	The returned value is less than 1*10^9.
+ *\li	The returned value is less than 1*10^9.
  */
 
 void
 isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len);
-/*
+/*%<
  * Format the time 't' into the buffer 'buf' of length 'len',
  * using a format like "30-Aug-2000 04:06:47.997" and the local time zone.
  * If the text does not fit in the buffer, the result is indeterminate,
  * but is always guaranteed to be null terminated.
  *
  *  Requires:
- *      'len' > 0
- *      'buf' points to an array of at least len chars
+ *\li      'len' > 0
+ *  \li    'buf' points to an array of at least len chars
  *
  */
 
diff --git a/contrib/bind9/lib/isc/unix/interfaceiter.c b/contrib/bind9/lib/isc/unix/interfaceiter.c
index 9520bdeb..72ecdd2 100644
--- a/contrib/bind9/lib/isc/unix/interfaceiter.c
+++ b/contrib/bind9/lib/isc/unix/interfaceiter.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfaceiter.c,v 1.22.2.1.10.14 2004/08/28 06:25:22 marka Exp $ */
+/* $Id: interfaceiter.c,v 1.35.18.5 2005/04/29 00:17:08 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -51,9 +53,9 @@
 
 /* Common utility functions */
 
-/*
+/*%
  * Extract the network address part from a "struct sockaddr".
- *
+ * \brief
  * The address family is given explicitly
  * instead of using src->sa_family, because the latter does not work
  * for copying a network mask obtained by SIOCGIFNETMASK (it does
diff --git a/contrib/bind9/lib/isc/unix/ipv6.c b/contrib/bind9/lib/isc/unix/ipv6.c
index f11262f..3066e0c 100644
--- a/contrib/bind9/lib/isc/unix/ipv6.c
+++ b/contrib/bind9/lib/isc/unix/ipv6.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.c,v 1.7.206.3 2006/08/25 05:25:50 marka Exp $ */
+/* $Id: ipv6.c,v 1.8.18.4 2006/08/25 05:25:51 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/unix/keyboard.c b/contrib/bind9/lib/isc/unix/keyboard.c
index 146338a..db56b3c 100644
--- a/contrib/bind9/lib/isc/unix/keyboard.c
+++ b/contrib/bind9/lib/isc/unix/keyboard.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyboard.c,v 1.9.12.3 2004/03/08 09:04:56 marka Exp $ */
+/* $Id: keyboard.c,v 1.11 2004/03/05 05:11:46 marka Exp $ */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/unix/net.c b/contrib/bind9/lib/isc/unix/net.c
index e0aeccb..6169c2b 100644
--- a/contrib/bind9/lib/isc/unix/net.c
+++ b/contrib/bind9/lib/isc/unix/net.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.c,v 1.22.2.2.10.9 2005/03/17 03:58:33 marka Exp $ */
+/* $Id: net.c,v 1.29.18.4 2005/03/16 01:22:50 marka Exp $ */
 
 #include <config.h>
 
@@ -43,6 +43,7 @@ static isc_once_t 	once_ipv6only = ISC_ONCE_INIT;
 static isc_once_t 	once_ipv6pktinfo = ISC_ONCE_INIT;
 static isc_result_t	ipv4_result = ISC_R_NOTFOUND;
 static isc_result_t	ipv6_result = ISC_R_NOTFOUND;
+static isc_result_t	unix_result = ISC_R_NOTFOUND;
 static isc_result_t	ipv6only_result = ISC_R_NOTFOUND;
 static isc_result_t	ipv6pktinfo_result = ISC_R_NOTFOUND;
 
@@ -137,6 +138,9 @@ initialize_action(void) {
 #endif
 #endif
 #endif
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	unix_result = try_proto(PF_UNIX);
+#endif
 }
 
 static void
@@ -156,6 +160,12 @@ isc_net_probeipv6(void) {
 	return (ipv6_result);
 }
 
+isc_result_t
+isc_net_probeunix(void) {
+	initialize();
+	return (unix_result);
+}
+
 #ifdef ISC_PLATFORM_HAVEIPV6
 #ifdef WANT_IPV6
 static void
diff --git a/contrib/bind9/lib/isc/unix/os.c b/contrib/bind9/lib/isc/unix/os.c
index 4d34d8c..6bbf059 100644
--- a/contrib/bind9/lib/isc/unix/os.c
+++ b/contrib/bind9/lib/isc/unix/os.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.11.12.6 2005/10/14 02:13:07 marka Exp $ */
+/* $Id: os.c,v 1.13.18.3 2005/10/14 02:13:08 marka Exp $ */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/unix/resource.c b/contrib/bind9/lib/isc/unix/resource.c
index b6faf32..703ec27 100644
--- a/contrib/bind9/lib/isc/unix/resource.c
+++ b/contrib/bind9/lib/isc/unix/resource.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resource.c,v 1.11.206.1 2004/03/06 08:15:01 marka Exp $ */
+/* $Id: resource.c,v 1.12 2004/03/05 05:11:46 marka Exp $ */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/unix/socket.c b/contrib/bind9/lib/isc/unix/socket.c
index f95e3c8..6b4c34c 100644
--- a/contrib/bind9/lib/isc/unix/socket.c
+++ b/contrib/bind9/lib/isc/unix/socket.c
@@ -15,13 +15,19 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.207.2.19.2.26 2006/05/19 02:53:36 marka Exp $ */
+/* $Id: socket.c,v 1.237.18.24 2006/06/06 00:56:09 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <sys/stat.h>
+#ifdef ISC_PLATFORM_HAVESYSUNH
+#include <sys/un.h>
+#endif
 #include <sys/time.h>
 #include <sys/uio.h>
 
@@ -57,7 +63,7 @@
 #include "socket_p.h"
 #endif /* ISC_PLATFORM_USETHREADS */
 
-/*
+/*%
  * Some systems define the socket length argument as an int, some as size_t,
  * some as socklen_t.  This is here so it can be easily changed if needed.
  */
@@ -65,7 +71,7 @@
 #define ISC_SOCKADDR_LEN_T unsigned int
 #endif
 
-/*
+/*%
  * Define what the possible "soft" errors can be.  These are non-fatal returns
  * of various network related functions, like recv() and so on.
  *
@@ -80,7 +86,7 @@
 
 #define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
 
-/*
+/*!<
  * DLVL(90)  --  Function entry/exit and other tracing.
  * DLVL(70)  --  Socket "correctness" -- including returning of events, etc.
  * DLVL(60)  --  Socket data send/receive
@@ -104,7 +110,7 @@ typedef isc_event_t intev_t;
 #define SOCKET_MAGIC		ISC_MAGIC('I', 'O', 'i', 'o')
 #define VALID_SOCKET(t)		ISC_MAGIC_VALID(t, SOCKET_MAGIC)
 
-/*
+/*!
  * IPv6 control information.  If the socket is an IPv6 socket we want
  * to collect the destination address and interface so the client can
  * set them on outgoing packets.
@@ -115,7 +121,7 @@ typedef isc_event_t intev_t;
 #endif
 #endif
 
-/*
+/*%
  * NetBSD and FreeBSD can timestamp packets.  XXXMLG Should we have
  * a setsockopt() like interface to request timestamps, and if the OS
  * doesn't do it for us, call gettimeofday() on every UDP receive?
@@ -126,7 +132,12 @@ typedef isc_event_t intev_t;
 #endif
 #endif
 
-/*
+/*%
+ * The size to raise the recieve buffer to (from BIND 8).
+ */
+#define RCVBUFSIZE (32*1024)
+
+/*%
  * The number of times a send operation is repeated if the result is EINTR.
  */
 #define NRETRIES 10
@@ -238,9 +249,9 @@ static void build_msghdr_recv(isc_socket_t *, isc_socketevent_t *,
 #define SELECT_POKE_SHUTDOWN		(-1)
 #define SELECT_POKE_NOTHING		(-2)
 #define SELECT_POKE_READ		(-3)
-#define SELECT_POKE_ACCEPT		(-3) /* Same as _READ */
+#define SELECT_POKE_ACCEPT		(-3) /*%< Same as _READ */
 #define SELECT_POKE_WRITE		(-4)
-#define SELECT_POKE_CONNECT		(-4) /* Same as _WRITE */
+#define SELECT_POKE_CONNECT		(-4) /*%< Same as _WRITE */
 #define SELECT_POKE_CLOSE		(-5)
 
 #define SOCK_DEAD(s)			((s)->references == 0)
@@ -870,6 +881,15 @@ set_dev_address(isc_sockaddr_t *address, isc_socket_t *sock,
 	}
 }
 
+static void
+destroy_socketevent(isc_event_t *event) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)event;
+
+	INSIST(ISC_LIST_EMPTY(ev->bufferlist));
+
+	(ev->destroy)(event);
+}
+
 static isc_socketevent_t *
 allocate_socketevent(isc_socket_t *sock, isc_eventtype_t eventtype,
 		     isc_taskaction_t action, const void *arg)
@@ -891,6 +911,8 @@ allocate_socketevent(isc_socket_t *sock, isc_eventtype_t eventtype,
 	ev->n = 0;
 	ev->offset = 0;
 	ev->attributes = 0;
+	ev->destroy = ev->ev_destroy;
+	ev->ev_destroy = destroy_socketevent;
 
 	return (ev);
 }
@@ -1225,7 +1247,7 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
 		isc_socket_t **socketp)
 {
 	isc_socket_t *sock;
-	isc_result_t ret;
+	isc_result_t result;
 	ISC_SOCKADDR_LEN_T cmsgbuflen;
 
 	sock = isc_mem_get(manager->mctx, sizeof(*sock));
@@ -1233,7 +1255,7 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
 	if (sock == NULL)
 		return (ISC_R_NOMEMORY);
 
-	ret = ISC_R_UNEXPECTED;
+	result = ISC_R_UNEXPECTED;
 
 	sock->magic = 0;
 	sock->references = 0;
@@ -1293,13 +1315,9 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
 	/*
 	 * initialize the lock
 	 */
-	if (isc_mutex_init(&sock->lock) != ISC_R_SUCCESS) {
+	result = isc_mutex_init(&sock->lock);
+	if (result != ISC_R_SUCCESS) {
 		sock->magic = 0;
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		ret = ISC_R_UNEXPECTED;
 		goto error;
 	}
 
@@ -1327,7 +1345,7 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
 			    sock->sendcmsgbuflen);
 	isc_mem_put(manager->mctx, sock, sizeof(*sock));
 
-	return (ret);
+	return (result);
 }
 
 /*
@@ -1379,19 +1397,23 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 		  isc_socket_t **socketp)
 {
 	isc_socket_t *sock = NULL;
-	isc_result_t ret;
+	isc_result_t result;
 #if defined(USE_CMSG) || defined(SO_BSDCOMPAT)
 	int on = 1;
 #endif
+#if defined(SO_RCVBUF)
+	ISC_SOCKADDR_LEN_T optlen;
+	int size;
+#endif
 	char strbuf[ISC_STRERRORSIZE];
 	const char *err = "socket";
 
 	REQUIRE(VALID_MANAGER(manager));
 	REQUIRE(socketp != NULL && *socketp == NULL);
 
-	ret = allocate_socket(manager, type, &sock);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
+	result = allocate_socket(manager, type, &sock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
 
 	sock->pf = pf;
 	switch (type) {
@@ -1401,6 +1423,9 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 	case isc_sockettype_tcp:
 		sock->fd = socket(pf, SOCK_STREAM, IPPROTO_TCP);
 		break;
+	case isc_sockettype_unix:
+		sock->fd = socket(pf, SOCK_STREAM, 0);
+		break;
 	}
 
 #ifdef F_DUPFD
@@ -1468,7 +1493,8 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 	}
 
 #ifdef SO_BSDCOMPAT
-	if (setsockopt(sock->fd, SOL_SOCKET, SO_BSDCOMPAT,
+	if (type != isc_sockettype_unix &&
+	    setsockopt(sock->fd, SOL_SOCKET, SO_BSDCOMPAT,
 		       (void *)&on, sizeof(on)) < 0) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -1481,9 +1507,10 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 	}
 #endif
 
-#if defined(USE_CMSG)
+#if defined(USE_CMSG) || defined(SO_RCVBUF)
 	if (type == isc_sockettype_udp) {
 
+#if defined(USE_CMSG)
 #if defined(SO_TIMESTAMP)
 		if (setsockopt(sock->fd, SOL_SOCKET, SO_TIMESTAMP,
 			       (void *)&on, sizeof(on)) < 0
@@ -1553,9 +1580,30 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 		}
 #endif
 #endif /* ISC_PLATFORM_HAVEIPV6 */
-
+#endif /* defined(USE_CMSG) */
+
+#if defined(SO_RCVBUF)
+		optlen = sizeof(size);
+		if (getsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
+			       (void *)&size, &optlen) >= 0 &&
+		     size < RCVBUFSIZE) {
+			size = RCVBUFSIZE;
+			if (setsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
+				       (void *)&size, sizeof(size)) == -1) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+					"setsockopt(%d, SO_RCVBUF, %d) %s: %s",
+					sock->fd, size,
+					isc_msgcat_get(isc_msgcat,
+						       ISC_MSGSET_GENERAL,
+						       ISC_MSG_FAILED,
+						       "failed"),
+					strbuf);
+			}
+		}
+#endif
 	}
-#endif /* USE_CMSG */
+#endif /* defined(USE_CMSG) || defined(SO_RCVBUF) */
 
 	sock->references = 1;
 	*socketp = sock;
@@ -2316,6 +2364,7 @@ isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
 #ifdef ISC_PLATFORM_USETHREADS
 	char strbuf[ISC_STRERRORSIZE];
 #endif
+	isc_result_t result;
 
 	REQUIRE(managerp != NULL && *managerp == NULL);
 
@@ -2335,13 +2384,10 @@ isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
 	manager->mctx = NULL;
 	memset(manager->fds, 0, sizeof(manager->fds));
 	ISC_LIST_INIT(manager->socklist);
-	if (isc_mutex_init(&manager->lock) != ISC_R_SUCCESS) {
+	result = isc_mutex_init(&manager->lock);
+	if (result != ISC_R_SUCCESS) {
 		isc_mem_put(mctx, manager, sizeof(*manager));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		return (ISC_R_UNEXPECTED);
+		return (result);
 	}
 #ifdef ISC_PLATFORM_USETHREADS
 	if (isc_condition_init(&manager->shutdown_ok) != ISC_R_SUCCESS) {
@@ -2884,6 +2930,190 @@ isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
 	return (socket_send(sock, event, task, address, pktinfo, flags));
 }
 
+void
+isc_socket_cleanunix(isc_sockaddr_t *sockaddr, isc_boolean_t active) {
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	int s;
+	struct stat sb;
+	char strbuf[ISC_STRERRORSIZE];
+
+	if (sockaddr->type.sa.sa_family != AF_UNIX)
+		return;
+
+#ifndef S_ISSOCK
+#if defined(S_IFMT) && defined(S_IFSOCK)
+#define S_ISSOCK(mode) ((mode & S_IFMT)==S_IFSOCK)
+#elif defined(_S_IFMT) && defined(S_IFSOCK)
+#define S_ISSOCK(mode) ((mode & _S_IFMT)==S_IFSOCK)
+#endif
+#endif
+
+#ifndef S_ISFIFO
+#if defined(S_IFMT) && defined(S_IFIFO)
+#define S_ISFIFO(mode) ((mode & S_IFMT)==S_IFIFO)
+#elif defined(_S_IFMT) && defined(S_IFIFO)
+#define S_ISFIFO(mode) ((mode & _S_IFMT)==S_IFIFO)
+#endif
+#endif
+
+#if !defined(S_ISFIFO) && !defined(S_ISSOCK)
+#error You need to define S_ISFIFO and S_ISSOCK as appropriate for your platform.  See <sys/stat.h>.
+#endif
+
+#ifndef S_ISFIFO
+#define S_ISFIFO(mode) 0
+#endif
+
+#ifndef S_ISSOCK
+#define S_ISSOCK(mode) 0
+#endif
+
+	if (active) {
+		if (stat(sockaddr->type.sunix.sun_path, &sb) < 0) {
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      "isc_socket_cleanunix: stat(%s): %s",
+				      sockaddr->type.sunix.sun_path, strbuf);
+			return;
+		}
+		if (!(S_ISSOCK(sb.st_mode) || S_ISFIFO(sb.st_mode))) {
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      "isc_socket_cleanunix: %s: not a socket",
+				      sockaddr->type.sunix.sun_path);
+			return;
+		}
+		if (unlink(sockaddr->type.sunix.sun_path) < 0) {
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      "isc_socket_cleanunix: unlink(%s): %s",
+				      sockaddr->type.sunix.sun_path, strbuf);
+		}
+		return;
+	}
+
+	s = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (s < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
+			      "isc_socket_cleanunix: socket(%s): %s",
+			      sockaddr->type.sunix.sun_path, strbuf);
+		return;
+	}
+
+	if (stat(sockaddr->type.sunix.sun_path, &sb) < 0) {
+		switch (errno) {
+		case ENOENT:    /* We exited cleanly last time */
+			break;
+		default:
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
+				      "isc_socket_cleanunix: stat(%s): %s",
+				      sockaddr->type.sunix.sun_path, strbuf);
+			break;
+		}
+		goto cleanup;
+	}
+
+	if (!(S_ISSOCK(sb.st_mode) || S_ISFIFO(sb.st_mode))) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
+			      "isc_socket_cleanunix: %s: not a socket",
+			      sockaddr->type.sunix.sun_path);
+		goto cleanup;
+	}
+
+	if (connect(s, (struct sockaddr *)&sockaddr->type.sunix,
+		    sizeof(sockaddr->type.sunix)) < 0) {
+		switch (errno) {
+		case ECONNREFUSED:
+		case ECONNRESET:
+			if (unlink(sockaddr->type.sunix.sun_path) < 0) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+					      ISC_LOGMODULE_SOCKET,
+					      ISC_LOG_WARNING,
+					      "isc_socket_cleanunix: "
+					      "unlink(%s): %s",
+					      sockaddr->type.sunix.sun_path,
+					      strbuf);
+			}
+			break;
+		default:
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
+				      "isc_socket_cleanunix: connect(%s): %s",
+				      sockaddr->type.sunix.sun_path, strbuf);
+			break;
+		}
+	}
+ cleanup:
+	close(s);
+#else
+	UNUSED(sockaddr);
+	UNUSED(active);
+#endif
+}
+
+isc_result_t
+isc_socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
+		    isc_uint32_t owner, isc_uint32_t group)
+{
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	isc_result_t result = ISC_R_SUCCESS;
+	char strbuf[ISC_STRERRORSIZE];
+	char path[sizeof(sockaddr->type.sunix.sun_path)];
+#ifdef NEED_SECURE_DIRECTORY
+	char *slash;
+#endif
+
+	REQUIRE(sockaddr->type.sa.sa_family == AF_UNIX);
+	INSIST(strlen(sockaddr->type.sunix.sun_path) < sizeof(path));
+	strcpy(path, sockaddr->type.sunix.sun_path);
+
+#ifdef NEED_SECURE_DIRECTORY
+	slash = strrchr(path, '/');
+	if (slash != NULL) {
+		if (slash != path)
+			*slash = '\0';
+		else
+			strcpy(path, "/");
+	} else
+		strcpy(path, ".");
+#endif
+	
+	if (chmod(path, perm) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+			      "isc_socket_permunix: chmod(%s, %d): %s",
+			      path, perm, strbuf);
+		result = ISC_R_FAILURE;
+	}
+	if (chown(path, owner, group) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+			      "isc_socket_permunix: chown(%s, %d, %d): %s",
+			      path, owner, group,
+			      strbuf);
+		result = ISC_R_FAILURE;
+	}
+	return (result);
+#else
+	UNUSED(sockaddr);
+	UNUSED(perm);
+	UNUSED(owner);
+	UNUSED(group);
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
 isc_result_t
 isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr) {
 	char strbuf[ISC_STRERRORSIZE];
@@ -2900,6 +3130,10 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr) {
 	/*
 	 * Only set SO_REUSEADDR when we want a specific port.
 	 */
+#ifdef AF_UNIX
+	if (sock->pf == AF_UNIX)
+		goto bind_socket;
+#endif
 	if (isc_sockaddr_getport(sockaddr) != (in_port_t)0 &&
 	    setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
 		       sizeof(on)) < 0) {
@@ -2909,6 +3143,9 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr) {
 						ISC_MSG_FAILED, "failed"));
 		/* Press on... */
 	}
+#ifdef AF_UNIX
+ bind_socket:
+#endif
 	if (bind(sock->fd, &sockaddr->type.sa, sockaddr->length) < 0) {
 		UNLOCK(&sock->lock);
 		switch (errno) {
@@ -2985,7 +3222,8 @@ isc_socket_listen(isc_socket_t *sock, unsigned int backlog) {
 
 	REQUIRE(!sock->listener);
 	REQUIRE(sock->bound);
-	REQUIRE(sock->type == isc_sockettype_tcp);
+	REQUIRE(sock->type == isc_sockettype_tcp ||
+		sock->type == isc_sockettype_unix);
 
 	if (backlog == 0)
 		backlog = SOMAXCONN;
@@ -3016,7 +3254,7 @@ isc_socket_accept(isc_socket_t *sock,
 	isc_socketmgr_t *manager;
 	isc_task_t *ntask = NULL;
 	isc_socket_t *nsock;
-	isc_result_t ret;
+	isc_result_t result;
 	isc_boolean_t do_poke = ISC_FALSE;
 
 	REQUIRE(VALID_SOCKET(sock));
@@ -3041,11 +3279,11 @@ isc_socket_accept(isc_socket_t *sock,
 	}
 	ISC_LINK_INIT(dev, ev_link);
 
-	ret = allocate_socket(manager, sock->type, &nsock);
-	if (ret != ISC_R_SUCCESS) {
+	result = allocate_socket(manager, sock->type, &nsock);
+	if (result != ISC_R_SUCCESS) {
 		isc_event_free(ISC_EVENT_PTR(&dev));
 		UNLOCK(&sock->lock);
-		return (ret);
+		return (result);
 	}
 
 	/*
@@ -3309,7 +3547,7 @@ internal_connect(isc_task_t *me, isc_event_t *ev) {
 
 isc_result_t
 isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
-	isc_result_t ret;
+	isc_result_t result;
 
 	REQUIRE(VALID_SOCKET(sock));
 	REQUIRE(addressp != NULL);
@@ -3318,20 +3556,20 @@ isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
 
 	if (sock->connected) {
 		*addressp = sock->address;
-		ret = ISC_R_SUCCESS;
+		result = ISC_R_SUCCESS;
 	} else {
-		ret = ISC_R_NOTCONNECTED;
+		result = ISC_R_NOTCONNECTED;
 	}
 
 	UNLOCK(&sock->lock);
 
-	return (ret);
+	return (result);
 }
 
 isc_result_t
 isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
 	ISC_SOCKADDR_LEN_T len;
-	isc_result_t ret;
+	isc_result_t result;
 	char strbuf[ISC_STRERRORSIZE];
 
 	REQUIRE(VALID_SOCKET(sock));
@@ -3340,18 +3578,18 @@ isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
 	LOCK(&sock->lock);
 
 	if (!sock->bound) {
-		ret = ISC_R_NOTBOUND;
+		result = ISC_R_NOTBOUND;
 		goto out;
 	}
 
-	ret = ISC_R_SUCCESS;
+	result = ISC_R_SUCCESS;
 
 	len = sizeof(addressp->type);
 	if (getsockname(sock->fd, &addressp->type.sa, (void *)&len) < 0) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
 		UNEXPECTED_ERROR(__FILE__, __LINE__, "getsockname: %s",
 				 strbuf);
-		ret = ISC_R_UNEXPECTED;
+		result = ISC_R_UNEXPECTED;
 		goto out;
 	}
 	addressp->length = (unsigned int)len;
@@ -3359,7 +3597,7 @@ isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
  out:
 	UNLOCK(&sock->lock);
 
-	return (ret);
+	return (result);
 }
 
 /*
diff --git a/contrib/bind9/lib/isc/unix/socket_p.h b/contrib/bind9/lib/isc/unix/socket_p.h
index f430bf2..c260bbc 100644
--- a/contrib/bind9/lib/isc/unix/socket_p.h
+++ b/contrib/bind9/lib/isc/unix/socket_p.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket_p.h,v 1.6.206.1 2004/03/06 08:15:02 marka Exp $ */
+/* $Id: socket_p.h,v 1.7.18.2 2005/04/29 00:17:08 marka Exp $ */
 
 #ifndef ISC_SOCKET_P_H
 #define ISC_SOCKET_P_H
 
+/*! \file */
+
 #ifdef ISC_PLATFORM_NEEDSYSSELECTH
 #include <sys/select.h>
 #endif
diff --git a/contrib/bind9/lib/isc/unix/stdio.c b/contrib/bind9/lib/isc/unix/stdio.c
index 794164e..64db925 100644
--- a/contrib/bind9/lib/isc/unix/stdio.c
+++ b/contrib/bind9/lib/isc/unix/stdio.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdio.c,v 1.5.206.1 2004/03/06 08:15:02 marka Exp $ */
+/* $Id: stdio.c,v 1.6 2004/03/05 05:11:47 marka Exp $ */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/unix/stdtime.c b/contrib/bind9/lib/isc/unix/stdtime.c
index b8d818d..3f240b7 100644
--- a/contrib/bind9/lib/isc/unix/stdtime.c
+++ b/contrib/bind9/lib/isc/unix/stdtime.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdtime.c,v 1.11.2.1.10.5 2005/06/09 23:54:31 marka Exp $ */
+/* $Id: stdtime.c,v 1.14.18.3 2005/06/08 02:07:57 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/unix/strerror.c b/contrib/bind9/lib/isc/unix/strerror.c
index 863867e..18cc367 100644
--- a/contrib/bind9/lib/isc/unix/strerror.c
+++ b/contrib/bind9/lib/isc/unix/strerror.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: strerror.c,v 1.1.2.1.10.3 2004/03/08 09:04:57 marka Exp $ */
+/* $Id: strerror.c,v 1.4.18.2 2005/04/29 00:17:08 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -29,7 +31,7 @@
 #include <isc/util.h>
 
 #ifdef HAVE_STRERROR
-/*
+/*%
  * We need to do this this way for profiled locks.
  */
 static isc_mutex_t isc_strerror_lock;
diff --git a/contrib/bind9/lib/isc/unix/syslog.c b/contrib/bind9/lib/isc/unix/syslog.c
index e531544..cc99339 100644
--- a/contrib/bind9/lib/isc/unix/syslog.c
+++ b/contrib/bind9/lib/isc/unix/syslog.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: syslog.c,v 1.1.12.3 2004/03/08 09:04:57 marka Exp $ */
+/* $Id: syslog.c,v 1.3.18.2 2005/04/29 00:17:09 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isc/unix/time.c b/contrib/bind9/lib/isc/unix/time.c
index 39c851c..bac24d7 100644
--- a/contrib/bind9/lib/isc/unix/time.c
+++ b/contrib/bind9/lib/isc/unix/time.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.c,v 1.34.2.6.2.4 2004/03/06 08:15:03 marka Exp $ */
+/* $Id: time.c,v 1.47.18.2 2005/04/29 00:17:09 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -33,9 +35,9 @@
 #include <isc/time.h>
 #include <isc/util.h>
 
-#define NS_PER_S	1000000000	/* Nanoseconds per second. */
-#define NS_PER_US	1000		/* Nanoseconds per microsecond. */
-#define US_PER_S	1000000		/* Microseconds per second. */
+#define NS_PER_S	1000000000	/*%< Nanoseconds per second. */
+#define NS_PER_US	1000		/*%< Nanoseconds per microsecond. */
+#define US_PER_S	1000000		/*%< Microseconds per second. */
 
 /*
  * All of the INSIST()s checks of nanoseconds < NS_PER_S are for
@@ -48,7 +50,7 @@
 #define ISC_FIX_TV_USEC 1
 #endif
 
-/***
+/*%
  *** Intervals
  ***/
 
diff --git a/contrib/bind9/lib/isc/version.c b/contrib/bind9/lib/isc/version.c
index d0f270d..6d3b3d2 100644
--- a/contrib/bind9/lib/isc/version.c
+++ b/contrib/bind9/lib/isc/version.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.9.12.3 2004/03/08 09:04:51 marka Exp $ */
+/* $Id: version.c,v 1.11.18.2 2005/04/29 00:16:51 marka Exp $ */
+
+/*! \file */
 
 #include <isc/version.h>
 
diff --git a/contrib/bind9/lib/isc/x86_32/include/isc/atomic.h b/contrib/bind9/lib/isc/x86_32/include/isc/atomic.h
new file mode 100644
index 0000000..f3136d9
--- /dev/null
+++ b/contrib/bind9/lib/isc/x86_32/include/isc/atomic.h
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: atomic.h,v 1.2.2.3 2005/07/27 04:23:33 marka Exp $ */
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#ifdef ISC_PLATFORM_USEGCCASM
+/*
+ * This routine atomically increments the value stored in 'p' by 'val', and
+ * returns the previous value.
+ */
+static inline isc_int32_t
+isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
+	isc_int32_t prev = val;
+
+	__asm__ volatile(
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"xadd %0, %1"
+		:"=q"(prev)
+		:"m"(*p), "0"(prev)
+		:"memory", "cc");
+
+	return (prev);
+}
+
+/*
+ * This routine atomically stores the value 'val' in 'p'.
+ */
+static inline void
+isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
+	__asm__ volatile(
+#ifdef ISC_PLATFORM_USETHREADS
+		/*
+		 * xchg should automatically lock memory, but we add it
+		 * explicitly just in case (it at least doesn't harm)
+		 */
+		"lock;"		
+#endif
+
+		"xchgl %1, %0"
+		:
+		: "r"(val), "m"(*p)
+		: "memory");
+}
+
+/*
+ * This routine atomically replaces the value in 'p' with 'val', if the
+ * original value is equal to 'cmpval'.  The original value is returned in any
+ * case.
+ */
+static inline isc_int32_t
+isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
+	__asm__ volatile(
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"cmpxchgl %1, %2"
+		: "=a"(cmpval)
+		: "r"(val), "m"(*p), "a"(cmpval)
+		: "memory");
+
+	return (cmpval);
+}
+
+#elif defined(ISC_PLATFORM_USESTDASM)
+/*
+ * The followings are "generic" assembly code which implements the same
+ * functionality in case the gcc extension cannot be used.  It should be
+ * better to avoid inlining below, since we directly refer to specific
+ * positions of the stack frame, which would not actually point to the
+ * intended address in the embedded mnemonic.
+ */
+#include <isc/util.h>		/* for 'UNUSED' macro */
+
+static isc_int32_t
+isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
+	UNUSED(p);
+	UNUSED(val);
+
+	__asm (
+		"movl 8(%ebp), %ecx\n"
+		"movl 12(%ebp), %edx\n"
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"xadd %edx, (%ecx)\n"
+
+		/*
+		 * set the return value directly in the register so that we
+		 * can avoid guessing the correct position in the stack for a
+		 * local variable.
+		 */
+		"movl %edx, %eax"
+		);
+}
+
+static void
+isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
+	UNUSED(p);
+	UNUSED(val);
+
+	__asm (
+		"movl 8(%ebp), %ecx\n"
+		"movl 12(%ebp), %edx\n"
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"xchgl (%ecx), %edx\n"
+		);
+}
+
+static isc_int32_t
+isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
+	UNUSED(p);
+	UNUSED(cmpval);
+	UNUSED(val);
+
+	__asm (
+		"movl 8(%ebp), %ecx\n"
+		"movl 12(%ebp), %eax\n"	/* must be %eax for cmpxchgl */
+		"movl 16(%ebp), %edx\n"
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+
+		/*
+		 * If (%ecx) == %eax then (%ecx) := %edx.
+		 % %eax is set to old (%ecx), which will be the return value.
+		 */
+		"cmpxchgl %edx, (%ecx)"
+		);
+}
+#else /* !ISC_PLATFORM_USEGCCASM && !ISC_PLATFORM_USESTDASM */
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif
+#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/x86_64/include/isc/atomic.h b/contrib/bind9/lib/isc/x86_64/include/isc/atomic.h
new file mode 100644
index 0000000..0752d8f
--- /dev/null
+++ b/contrib/bind9/lib/isc/x86_64/include/isc/atomic.h
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: atomic.h,v 1.2.20.1 2005/09/02 13:27:12 marka Exp $ */
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#ifdef ISC_PLATFORM_USEGCCASM
+
+/* We share the gcc-version with x86_32 */
+#error "impossible case.  check build configuration"
+
+#elif defined(ISC_PLATFORM_USESTDASM)
+/*
+ * The followings are "generic" assembly code which implements the same
+ * functionality in case the gcc extension cannot be used.  It should be
+ * better to avoid inlining below, since we directly refer to specific
+ * registers for arguments, which would not actually correspond to the
+ * intended address or value in the embedded mnemonic.
+ */
+#include <isc/util.h>		/* for 'UNUSED' macro */
+
+static isc_int32_t
+isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
+	UNUSED(p);
+	UNUSED(val);
+
+	__asm (
+		"movq %rdi, %rdx\n"
+		"movl %esi, %eax\n"
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"xadd %eax, (%rdx)\n"
+
+		/*
+		 * set the return value directly in the register so that we
+		 * can avoid guessing the correct position in the stack for a
+		 * local variable.
+		 */
+		);
+}
+
+static void
+isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
+	UNUSED(p);
+	UNUSED(val);
+
+	__asm (
+		"movq %rdi, %rax\n"
+		"movl %esi, %edx\n"
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"xchgl (%rax), %edx\n"
+		);
+}
+
+static isc_int32_t
+isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
+	UNUSED(p);
+	UNUSED(cmpval);
+	UNUSED(val);
+
+	__asm (
+		"movl %edx, %ecx\n"
+		"movl %esi, %eax\n"
+		"movq %rdi, %rdx\n"
+
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		/*
+		 * If (%rdi) == %eax then (%rdi) := %edx.
+		 % %eax is set to old (%ecx), which will be the return value.
+		 */
+		"cmpxchgl %ecx, (%rdx)"
+		);
+}
+
+#else /* !ISC_PLATFORM_USEGCCASM && !ISC_PLATFORM_USESTDASM */
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif
+#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isccc/Makefile.in b/contrib/bind9/lib/isccc/Makefile.in
index f6ae951..cb41681 100644
--- a/contrib/bind9/lib/isccc/Makefile.in
+++ b/contrib/bind9/lib/isccc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.12.5 2004/07/20 07:01:58 marka Exp $
+# $Id: Makefile.in,v 1.6.18.1 2004/07/20 07:03:29 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isccc/alist.c b/contrib/bind9/lib/isccc/alist.c
index 21b14a2..a8335c8 100644
--- a/contrib/bind9/lib/isccc/alist.c
+++ b/contrib/bind9/lib/isccc/alist.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,7 +16,9 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: alist.c,v 1.2.206.1 2004/03/06 08:15:18 marka Exp $ */
+/* $Id: alist.c,v 1.3.18.2 2005/04/29 00:17:11 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isccc/api b/contrib/bind9/lib/isccc/api
index 8c77091..cd8c055 100644
--- a/contrib/bind9/lib/isccc/api
+++ b/contrib/bind9/lib/isccc/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 2
-LIBREVISION = 2
-LIBAGE = 2
+LIBINTERFACE = 30
+LIBREVISION = 1
+LIBAGE = 0
diff --git a/contrib/bind9/lib/isccc/base64.c b/contrib/bind9/lib/isccc/base64.c
index 81d356c..e723cf2 100644
--- a/contrib/bind9/lib/isccc/base64.c
+++ b/contrib/bind9/lib/isccc/base64.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,7 +16,9 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.c,v 1.2.206.1 2004/03/06 08:15:19 marka Exp $ */
+/* $Id: base64.c,v 1.3.18.2 2005/04/29 00:17:11 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isccc/cc.c b/contrib/bind9/lib/isccc/cc.c
index ccf8c68..e65349e 100644
--- a/contrib/bind9/lib/isccc/cc.c
+++ b/contrib/bind9/lib/isccc/cc.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001-2003  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,7 +16,9 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cc.c,v 1.4.2.3.2.5 2004/08/28 06:25:23 marka Exp $ */
+/* $Id: cc.c,v 1.10.18.5 2006/12/07 23:57:58 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -44,12 +46,12 @@
 typedef isccc_sexpr_t *sexpr_ptr;
 
 static unsigned char auth_hmd5[] = {
-	0x05, 0x5f, 0x61, 0x75, 0x74, 0x68,		/* len + _auth */
-	ISCCC_CCMSGTYPE_TABLE,				/* message type */
-	0x00, 0x00, 0x00, 0x20,				/* length == 32 */
-	0x04, 0x68, 0x6d, 0x64, 0x35,			/* len + hmd5 */
-	ISCCC_CCMSGTYPE_BINARYDATA,			/* message type */
-	0x00, 0x00, 0x00, 0x16,				/* length == 22 */
+	0x05, 0x5f, 0x61, 0x75, 0x74, 0x68,		/*%< len + _auth */
+	ISCCC_CCMSGTYPE_TABLE,				/*%< message type */
+	0x00, 0x00, 0x00, 0x20,				/*%< length == 32 */
+	0x04, 0x68, 0x6d, 0x64, 0x35,			/*%< len + hmd5 */
+	ISCCC_CCMSGTYPE_BINARYDATA,			/*%< message type */
+	0x00, 0x00, 0x00, 0x16,				/*%< length == 22 */
 	/*
 	 * The base64 encoding of one of our HMAC-MD5 signatures is
 	 * 22 bytes.
@@ -59,7 +61,7 @@ static unsigned char auth_hmd5[] = {
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 
-#define HMD5_OFFSET	21		/* 6 + 1 + 4 + 5 + 1 + 4 */
+#define HMD5_OFFSET	21		/*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 */
 #define HMD5_LENGTH	22
 
 static isc_result_t
@@ -466,12 +468,21 @@ createmessage(isc_uint32_t version, const char *from, const char *to,
 	result = ISC_R_NOMEMORY;
 
 	_ctrl = isccc_alist_create();
+	if (_ctrl == NULL)
+		goto bad;
+	if (isccc_alist_define(alist, "_ctrl", _ctrl) == NULL) {
+		isccc_sexpr_free(&_ctrl);
+		goto bad;
+	}
+
 	_data = isccc_alist_create();
-	if (_ctrl == NULL || _data == NULL)
+	if (_data == NULL)
 		goto bad;
-	if (isccc_alist_define(alist, "_ctrl", _ctrl) == NULL ||
-	    isccc_alist_define(alist, "_data", _data) == NULL)
+	if (isccc_alist_define(alist, "_data", _data) == NULL) {
+		isccc_sexpr_free(&_data);
 		goto bad;
+	}
+
 	if (isccc_cc_defineuint32(_ctrl, "_ser", serial) == NULL ||
 	    isccc_cc_defineuint32(_ctrl, "_tim", now) == NULL ||
 	    (want_expires &&
diff --git a/contrib/bind9/lib/isccc/ccmsg.c b/contrib/bind9/lib/isccc/ccmsg.c
index fc5fae8..d624c9b 100644
--- a/contrib/bind9/lib/isccc/ccmsg.c
+++ b/contrib/bind9/lib/isccc/ccmsg.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,7 +16,9 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ccmsg.c,v 1.4.206.1 2004/03/06 08:15:19 marka Exp $ */
+/* $Id: ccmsg.c,v 1.5.18.2 2005/04/29 00:17:11 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isccc/include/Makefile.in b/contrib/bind9/lib/isccc/include/Makefile.in
index 91a2bca..f3d46ab 100644
--- a/contrib/bind9/lib/isccc/include/Makefile.in
+++ b/contrib/bind9/lib/isccc/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.206.1 2004/03/06 08:15:20 marka Exp $
+# $Id: Makefile.in,v 1.3 2004/03/05 05:12:12 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isccc/include/isccc/Makefile.in b/contrib/bind9/lib/isccc/include/isccc/Makefile.in
index b86e50c..b7b1d55 100644
--- a/contrib/bind9/lib/isccc/include/isccc/Makefile.in
+++ b/contrib/bind9/lib/isccc/include/isccc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3.12.3 2004/03/08 09:05:05 marka Exp $
+# $Id: Makefile.in,v 1.5 2004/03/05 05:12:15 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isccc/include/isccc/alist.h b/contrib/bind9/lib/isccc/include/isccc/alist.h
index 409c48b..16b5ba2 100644
--- a/contrib/bind9/lib/isccc/include/isccc/alist.h
+++ b/contrib/bind9/lib/isccc/include/isccc/alist.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,11 +16,13 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: alist.h,v 1.2.206.1 2004/03/06 08:15:21 marka Exp $ */
+/* $Id: alist.h,v 1.3.18.2 2005/04/29 00:17:12 marka Exp $ */
 
 #ifndef ISCCC_ALIST_H
 #define ISCCC_ALIST_H 1
 
+/*! \file */
+
 #include <stdio.h>
 
 #include <isc/lang.h>
diff --git a/contrib/bind9/lib/isccc/include/isccc/base64.h b/contrib/bind9/lib/isccc/include/isccc/base64.h
index 14fbe57..dd70e8d 100644
--- a/contrib/bind9/lib/isccc/include/isccc/base64.h
+++ b/contrib/bind9/lib/isccc/include/isccc/base64.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,11 +16,13 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.h,v 1.2.206.1 2004/03/06 08:15:21 marka Exp $ */
+/* $Id: base64.h,v 1.3.18.2 2005/04/29 00:17:13 marka Exp $ */
 
 #ifndef ISCCC_BASE64_H
 #define ISCCC_BASE64_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isccc/types.h>
 
@@ -33,36 +35,36 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 isccc_base64_encode(isccc_region_t *source, int wordlength,
 		  const char *wordbreak, isccc_region_t *target);
-/*
+/*%<
  * Convert data into base64 encoded text.
  *
  * Notes:
- *	The base64 encoded text in 'target' will be divided into
+ *\li	The base64 encoded text in 'target' will be divided into
  *	words of at most 'wordlength' characters, separated by
  * 	the 'wordbreak' string.  No parentheses will surround
  *	the text.
  *
  * Requires:
- *	'source' is a region containing binary data.
- *	'target' is a text region containing available space.
- *	'wordbreak' points to a null-terminated string of
+ *\li	'source' is a region containing binary data.
+ *\li	'target' is a text region containing available space.
+ *\li	'wordbreak' points to a null-terminated string of
  *		zero or more whitespace characters.
  */
 
 isc_result_t
 isccc_base64_decode(const char *cstr, isccc_region_t *target);
-/*
+/*%<
  * Decode a null-terminated base64 string.
  *
  * Requires:
- *	'cstr' is non-null.
- *	'target' is a valid region.
+ *\li	'cstr' is non-null.
+ *\li	'target' is a valid region.
  *
  * Returns:
- *	ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
+ *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
  *			   fit in 'target'.
- *	ISC_R_BADBASE64 -- 'cstr' is not a valid base64 encoding.
- *	ISC_R_NOSPACE	-- 'target' is not big enough.
+ *\li	#ISC_R_BADBASE64 -- 'cstr' is not a valid base64 encoding.
+ *\li	#ISC_R_NOSPACE	-- 'target' is not big enough.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/isccc/include/isccc/cc.h b/contrib/bind9/lib/isccc/include/isccc/cc.h
index aedf1f7..2e291ea 100644
--- a/contrib/bind9/lib/isccc/include/isccc/cc.h
+++ b/contrib/bind9/lib/isccc/include/isccc/cc.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,69 +16,90 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cc.h,v 1.3.206.1 2004/03/06 08:15:21 marka Exp $ */
+/* $Id: cc.h,v 1.4.18.2 2005/04/29 00:17:13 marka Exp $ */
 
 #ifndef ISCCC_CC_H
 #define ISCCC_CC_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isccc/types.h>
 
 ISC_LANG_BEGINDECLS
 
+/*% Maximum Datagram Package */
 #define ISCCC_CC_MAXDGRAMPACKET		4096
 
+/*% Message Type String */
 #define ISCCC_CCMSGTYPE_STRING		0x00
+/*% Message Type Binary Data */
 #define ISCCC_CCMSGTYPE_BINARYDATA	0x01
+/*% Message Type Table */
 #define ISCCC_CCMSGTYPE_TABLE		0x02
+/*% Message Type List */
 #define ISCCC_CCMSGTYPE_LIST		0x03
 
+/*% Send to Wire */
 isc_result_t
 isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
 	      isccc_region_t *secret);
 
+/*% Get From Wire */
 isc_result_t
 isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
 		isccc_region_t *secret);
 
+/*% Create Message */
 isc_result_t
 isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
 		     isc_uint32_t serial, isccc_time_t now,
 		     isccc_time_t expires, isccc_sexpr_t **alistp);
 
+/*% Create Acknowledgment */
 isc_result_t
 isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
 		 isccc_sexpr_t **ackp);
 
+/*% Is Ack? */
 isc_boolean_t
 isccc_cc_isack(isccc_sexpr_t *message);
 
+/*% Is Reply? */
 isc_boolean_t
 isccc_cc_isreply(isccc_sexpr_t *message);
 
+/*% Create Response */
 isc_result_t
 isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
 		      isccc_time_t expires, isccc_sexpr_t **alistp);
 
+/*% Define String */
 isccc_sexpr_t *
 isccc_cc_definestring(isccc_sexpr_t *alist, const char *key, const char *str);
 
+/*% Define uint 32 */
 isccc_sexpr_t *
 isccc_cc_defineuint32(isccc_sexpr_t *alist, const char *key, isc_uint32_t i);
 
+/*% Lookup String */
 isc_result_t
 isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
 
+/*% Lookup uint 32 */
 isc_result_t
 isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
 		    isc_uint32_t *uintp);
 
+/*% Create Symbol Table */
 isc_result_t
 isccc_cc_createsymtab(isccc_symtab_t **symtabp);
 
+/*% Clean up Symbol Table */
 void
 isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now);
 
+/*% Check for Duplicates */
 isc_result_t
 isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
 		   isccc_time_t now);
diff --git a/contrib/bind9/lib/isccc/include/isccc/ccmsg.h b/contrib/bind9/lib/isccc/include/isccc/ccmsg.h
index 54734bb..372047d 100644
--- a/contrib/bind9/lib/isccc/include/isccc/ccmsg.h
+++ b/contrib/bind9/lib/isccc/include/isccc/ccmsg.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,15 +16,18 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ccmsg.h,v 1.3.206.1 2004/03/06 08:15:21 marka Exp $ */
+/* $Id: ccmsg.h,v 1.4.18.2 2005/04/29 00:17:13 marka Exp $ */
 
 #ifndef ISCCC_CCMSG_H
 #define ISCCC_CCMSG_H 1
 
+/*! \file */
+
 #include <isc/buffer.h>
 #include <isc/lang.h>
 #include <isc/socket.h>
 
+/*% ISCCC Message Structure */
 typedef struct isccc_ccmsg {
 	/* private (don't touch!) */
 	unsigned int		magic;
@@ -46,56 +49,56 @@ ISC_LANG_BEGINDECLS
 
 void
 isccc_ccmsg_init(isc_mem_t *mctx, isc_socket_t *sock, isccc_ccmsg_t *ccmsg);
-/*
+/*%
  * Associate a cc message state with a given memory context and
  * TCP socket.
  *
  * Requires:
  *
- *	"mctx" and "sock" be non-NULL and valid types.
+ *\li	"mctx" and "sock" be non-NULL and valid types.
  *
- *	"sock" be a read/write TCP socket.
+ *\li	"sock" be a read/write TCP socket.
  *
- *	"ccmsg" be non-NULL and an uninitialized or invalidated structure.
+ *\li	"ccmsg" be non-NULL and an uninitialized or invalidated structure.
  *
  * Ensures:
  *
- *	"ccmsg" is a valid structure.
+ *\li	"ccmsg" is a valid structure.
  */
 
 void
 isccc_ccmsg_setmaxsize(isccc_ccmsg_t *ccmsg, unsigned int maxsize);
-/*
+/*%
  * Set the maximum packet size to "maxsize"
  *
  * Requires:
  *
- *	"ccmsg" be valid.
+ *\li	"ccmsg" be valid.
  *
- *	512 <= "maxsize" <= 4294967296
+ *\li	512 <= "maxsize" <= 4294967296
  */
 
 isc_result_t
 isccc_ccmsg_readmessage(isccc_ccmsg_t *ccmsg,
 		       isc_task_t *task, isc_taskaction_t action, void *arg);
-/*
+/*%
  * Schedule an event to be delivered when a command channel message is
  * readable, or when an error occurs on the socket.
  *
  * Requires:
  *
- *	"ccmsg" be valid.
+ *\li	"ccmsg" be valid.
  *
- *	"task", "taskaction", and "arg" be valid.
+ *\li	"task", "taskaction", and "arg" be valid.
  *
  * Returns:
  *
- *	ISC_R_SUCCESS		-- no error
- *	Anything that the isc_socket_recv() call can return.  XXXMLG
+ *\li	#ISC_R_SUCCESS		-- no error
+ *\li	Anything that the isc_socket_recv() call can return.  XXXMLG
  *
  * Notes:
  *
- *	The event delivered is a fully generic event.  It will contain no
+ *\li	The event delivered is a fully generic event.  It will contain no
  *	actual data.  The sender will be a pointer to the isccc_ccmsg_t.
  *	The result code inside that structure should be checked to see
  *	what the final result was.
@@ -103,27 +106,27 @@ isccc_ccmsg_readmessage(isccc_ccmsg_t *ccmsg,
 
 void
 isccc_ccmsg_cancelread(isccc_ccmsg_t *ccmsg);
-/*
+/*%
  * Cancel a readmessage() call.  The event will still be posted with a
  * CANCELED result code.
  *
  * Requires:
  *
- *	"ccmsg" be valid.
+ *\li	"ccmsg" be valid.
  */
 
 void
 isccc_ccmsg_invalidate(isccc_ccmsg_t *ccmsg);
-/*
+/*%
  * Clean up all allocated state, and invalidate the structure.
  *
  * Requires:
  *
- *	"ccmsg" be valid.
+ *\li	"ccmsg" be valid.
  *
  * Ensures:
  *
- *	"ccmsg" is invalidated and disassociated with all memory contexts,
+ *\li	"ccmsg" is invalidated and disassociated with all memory contexts,
  *	sockets, etc.
  */
 
diff --git a/contrib/bind9/lib/isccc/include/isccc/events.h b/contrib/bind9/lib/isccc/include/isccc/events.h
index b78fc65..0ac365f 100644
--- a/contrib/bind9/lib/isccc/include/isccc/events.h
+++ b/contrib/bind9/lib/isccc/include/isccc/events.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,14 +16,16 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: events.h,v 1.2.206.1 2004/03/06 08:15:22 marka Exp $ */
+/* $Id: events.h,v 1.3.18.2 2005/04/29 00:17:13 marka Exp $ */
 
 #ifndef ISCCC_EVENTS_H
 #define ISCCC_EVENTS_H 1
 
+/*! \file */
+
 #include <isc/eventclass.h>
 
-/*
+/*%
  * Registry of ISCCC event numbers.
  */
 
diff --git a/contrib/bind9/lib/isccc/include/isccc/lib.h b/contrib/bind9/lib/isccc/include/isccc/lib.h
index a57357d..247267c 100644
--- a/contrib/bind9/lib/isccc/include/isccc/lib.h
+++ b/contrib/bind9/lib/isccc/include/isccc/lib.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,11 +16,13 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.2.12.3 2004/03/08 09:05:05 marka Exp $ */
+/* $Id: lib.h,v 1.4.18.2 2005/04/29 00:17:13 marka Exp $ */
 
 #ifndef ISCCC_LIB_H
 #define ISCCC_LIB_H 1
 
+/*! \file */
+
 #include <isc/types.h>
 #include <isc/lang.h>
 
@@ -30,7 +32,7 @@ LIBISCCC_EXTERNAL_DATA extern isc_msgcat_t *isccc_msgcat;
 
 void
 isccc_lib_initmsgcat(void);
-/*
+/*%
  * Initialize the ISCCC library's message catalog, isccc_msgcat, if it
  * has not already been initialized.
  */
diff --git a/contrib/bind9/lib/isccc/include/isccc/result.h b/contrib/bind9/lib/isccc/include/isccc/result.h
index 33bbb4f..6fbc298 100644
--- a/contrib/bind9/lib/isccc/include/isccc/result.h
+++ b/contrib/bind9/lib/isccc/include/isccc/result.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001, 2003  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,31 +16,39 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.3.2.2.2.1 2004/03/06 08:15:22 marka Exp $ */
+/* $Id: result.h,v 1.5.18.2 2005/04/29 00:17:14 marka Exp $ */
 
 #ifndef ISCCC_RESULT_H
 #define ISCCC_RESULT_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/resultclass.h>
 #include <isc/result.h>
 
 #include <isccc/types.h>
 
+/*% Unknown Version */
 #define ISCCC_R_UNKNOWNVERSION		(ISC_RESULTCLASS_ISCCC + 0)
+/*% Syntax Error */
 #define ISCCC_R_SYNTAX			(ISC_RESULTCLASS_ISCCC + 1)
+/*% Bad Authorization */
 #define ISCCC_R_BADAUTH			(ISC_RESULTCLASS_ISCCC + 2)
+/*% Expired */
 #define ISCCC_R_EXPIRED			(ISC_RESULTCLASS_ISCCC + 3)
+/*% Clock Skew */
 #define ISCCC_R_CLOCKSKEW		(ISC_RESULTCLASS_ISCCC + 4)
+/*% Duplicate */
 #define ISCCC_R_DUPLICATE		(ISC_RESULTCLASS_ISCCC + 5)
 
-#define ISCCC_R_NRESULTS 		6	/* Number of results */
+#define ISCCC_R_NRESULTS 		6	/*%< Number of results */
 
 ISC_LANG_BEGINDECLS
 
 const char *
 isccc_result_totext(isc_result_t result);
-/*
+/*%
  * Convert a isccc_result_t into a string message describing the result.
  */
 
diff --git a/contrib/bind9/lib/isccc/include/isccc/sexpr.h b/contrib/bind9/lib/isccc/include/isccc/sexpr.h
index 0195a94..cb1d297 100644
--- a/contrib/bind9/lib/isccc/include/isccc/sexpr.h
+++ b/contrib/bind9/lib/isccc/include/isccc/sexpr.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,11 +16,13 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sexpr.h,v 1.3.206.1 2004/03/06 08:15:22 marka Exp $ */
+/* $Id: sexpr.h,v 1.4.18.2 2005/04/29 00:17:14 marka Exp $ */
 
 #ifndef ISCCC_SEXPR_H
 #define ISCCC_SEXPR_H 1
 
+/*! \file */
+
 #include <stdio.h>
 
 #include <isc/lang.h>
@@ -28,11 +30,13 @@
 
 ISC_LANG_BEGINDECLS
 
+/*% dotted pair structure */
 struct isccc_dottedpair {
 	isccc_sexpr_t *car;
 	isccc_sexpr_t *cdr;
 };
 
+/*% iscc_sexpr structure */
 struct isccc_sexpr {
 	unsigned int			type;
 	union {
@@ -42,7 +46,7 @@ struct isccc_sexpr {
 	}				value;
 };
 
-#define ISCCC_SEXPRTYPE_NONE		0x00	/* Illegal. */
+#define ISCCC_SEXPRTYPE_NONE		0x00	/*%< Illegal. */
 #define ISCCC_SEXPRTYPE_T			0x01
 #define ISCCC_SEXPRTYPE_STRING		0x02
 #define ISCCC_SEXPRTYPE_DOTTEDPAIR	0x03
diff --git a/contrib/bind9/lib/isccc/include/isccc/symtab.h b/contrib/bind9/lib/isccc/include/isccc/symtab.h
index 53f30e7..5b11a01 100644
--- a/contrib/bind9/lib/isccc/include/isccc/symtab.h
+++ b/contrib/bind9/lib/isccc/include/isccc/symtab.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.h,v 1.2.206.1 2004/03/06 08:15:22 marka Exp $ */
+/* $Id: symtab.h,v 1.3.18.2 2005/04/29 00:17:14 marka Exp $ */
 
 #ifndef ISCCC_SYMTAB_H
 #define ISCCC_SYMTAB_H 1
@@ -25,9 +25,8 @@
  ***** Module Info
  *****/
 
-/*
- * Symbol Table
- *
+/*! \file 
+ * \brief
  * Provides a simple memory-based symbol table.
  *
  * Keys are C strings.  A type may be specified when looking up,
@@ -39,11 +38,11 @@
  * exists in the table.  What to do in this case is specified by the
  * client.  Possible policies are:
  *
- *	isccc_symexists_reject	Disallow the define, returning ISC_R_EXISTS
- *	isccc_symexists_replace	Replace the old value with the new.  The
+ *\li	isccc_symexists_reject	Disallow the define, returning #ISC_R_EXISTS
+ *\li	isccc_symexists_replace	Replace the old value with the new.  The
  *				undefine action (if provided) will be called
  *				with the old <key, type, value> tuple.
- *	isccc_symexists_add	Add the new tuple, leaving the old tuple in
+ *\li	isccc_symexists_add	Add the new tuple, leaving the old tuple in
  *				the table.  Subsequent lookups will retrieve
  *				the most-recently-defined tuple.
  *
diff --git a/contrib/bind9/lib/isccc/include/isccc/symtype.h b/contrib/bind9/lib/isccc/include/isccc/symtype.h
index 2c15603..e72ae92 100644
--- a/contrib/bind9/lib/isccc/include/isccc/symtype.h
+++ b/contrib/bind9/lib/isccc/include/isccc/symtype.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,11 +16,13 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtype.h,v 1.2.206.1 2004/03/06 08:15:22 marka Exp $ */
+/* $Id: symtype.h,v 1.3.18.2 2005/04/29 00:17:14 marka Exp $ */
 
 #ifndef ISCCC_SYMTYPE_H
 #define ISCCC_SYMTYPE_H 1
 
+/*! \file */
+
 #define ISCCC_SYMTYPE_ZONESTATS			0x0001
 #define ISCCC_SYMTYPE_CCDUP			0x0002
 #define ISCCC_SYMTYPE_TELLSERVICE			0x0003
diff --git a/contrib/bind9/lib/isccc/include/isccc/types.h b/contrib/bind9/lib/isccc/include/isccc/types.h
index 9b21ca1..f46d257 100644
--- a/contrib/bind9/lib/isccc/include/isccc/types.h
+++ b/contrib/bind9/lib/isccc/include/isccc/types.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,20 +16,28 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.2.206.1 2004/03/06 08:15:23 marka Exp $ */
+/* $Id: types.h,v 1.3.18.2 2005/04/29 00:17:14 marka Exp $ */
 
 #ifndef ISCCC_TYPES_H
 #define ISCCC_TYPES_H 1
 
+/*! \file */
+
 #include <isc/boolean.h>
 #include <isc/int.h>
 #include <isc/result.h>
 
+/*% isccc_time_t typedef */
 typedef isc_uint32_t isccc_time_t;
+
+/*% isccc_sexpr_t typedef */
 typedef struct isccc_sexpr isccc_sexpr_t;
+/*% isccc_dottedpair_t typedef */
 typedef struct isccc_dottedpair isccc_dottedpair_t;
+/*% isccc_symtab_t typedef */
 typedef struct isccc_symtab isccc_symtab_t;
 
+/*% iscc region structure */
 typedef struct isccc_region {
 	unsigned char *		rstart;
 	unsigned char *		rend;
diff --git a/contrib/bind9/lib/isccc/include/isccc/util.h b/contrib/bind9/lib/isccc/include/isccc/util.h
index 8442586..7662483 100644
--- a/contrib/bind9/lib/isccc/include/isccc/util.h
+++ b/contrib/bind9/lib/isccc/include/isccc/util.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,17 +16,18 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: util.h,v 1.3.206.1 2004/03/06 08:15:23 marka Exp $ */
+/* $Id: util.h,v 1.4.18.2 2005/04/29 00:17:14 marka Exp $ */
 
 #ifndef ISCCC_UTIL_H
 #define ISCCC_UTIL_H 1
 
 #include <isc/util.h>
 
-/*
+/*! \file
+ * \brief
  * Macros for dealing with unaligned numbers.
  *
- * Note: no side effects are allowed when invoking these macros!
+ * \note no side effects are allowed when invoking these macros!
  */
 
 #define GET8(v, w) \
@@ -193,7 +194,7 @@
 	(r).rend = (r).rstart + strlen(s); \
 } while (0)
 
-/*
+/*%
  * Use this to remove the const qualifier of a variable to assign it to
  * a non-const variable or pass it as a non-const function argument ...
  * but only when you are sure it won't then be changed!
diff --git a/contrib/bind9/lib/isccc/include/isccc/version.h b/contrib/bind9/lib/isccc/include/isccc/version.h
index 36a909c..b82ed8b 100644
--- a/contrib/bind9/lib/isccc/include/isccc/version.h
+++ b/contrib/bind9/lib/isccc/include/isccc/version.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.2.222.3 2004/03/08 09:05:05 marka Exp $ */
+/* $Id: version.h,v 1.3.18.2 2005/04/29 00:17:15 marka Exp $ */
+
+/*! \file */
 
 #include <isc/platform.h>
 
diff --git a/contrib/bind9/lib/isccc/lib.c b/contrib/bind9/lib/isccc/lib.c
index d37e28c..bef2d9a 100644
--- a/contrib/bind9/lib/isccc/lib.c
+++ b/contrib/bind9/lib/isccc/lib.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,7 +16,9 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.2.12.3 2004/03/08 09:05:04 marka Exp $ */
+/* $Id: lib.c,v 1.4.18.2 2005/04/29 00:17:12 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isccc/result.c b/contrib/bind9/lib/isccc/result.c
index e63e85f..974e51b 100644
--- a/contrib/bind9/lib/isccc/result.c
+++ b/contrib/bind9/lib/isccc/result.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001, 2003  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,7 +16,9 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.3.2.2.2.1 2004/03/06 08:15:19 marka Exp $ */
+/* $Id: result.c,v 1.5.18.2 2005/04/29 00:17:12 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isccc/sexpr.c b/contrib/bind9/lib/isccc/sexpr.c
index a372a7d..573a63c 100644
--- a/contrib/bind9/lib/isccc/sexpr.c
+++ b/contrib/bind9/lib/isccc/sexpr.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,7 +16,9 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sexpr.c,v 1.2.12.3 2004/03/08 09:05:04 marka Exp $ */
+/* $Id: sexpr.c,v 1.4.18.2 2005/04/29 00:17:12 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isccc/symtab.c b/contrib/bind9/lib/isccc/symtab.c
index 6aca485..2c259d7 100644
--- a/contrib/bind9/lib/isccc/symtab.c
+++ b/contrib/bind9/lib/isccc/symtab.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,7 +16,9 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.c,v 1.3.12.3 2004/03/08 09:05:04 marka Exp $ */
+/* $Id: symtab.c,v 1.5.18.2 2005/04/29 00:17:12 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/isccc/version.c b/contrib/bind9/lib/isccc/version.c
index 08cda2f..0d65dcb 100644
--- a/contrib/bind9/lib/isccc/version.c
+++ b/contrib/bind9/lib/isccc/version.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.1.12.3 2004/03/08 09:05:04 marka Exp $ */
+/* $Id: version.c,v 1.3.18.2 2005/04/29 00:17:12 marka Exp $ */
+
+/*! \file */
 
 #include <isccc/version.h>
 
diff --git a/contrib/bind9/lib/isccfg/Makefile.in b/contrib/bind9/lib/isccfg/Makefile.in
index ee80508..7d19123 100644
--- a/contrib/bind9/lib/isccfg/Makefile.in
+++ b/contrib/bind9/lib/isccfg/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6.12.8 2004/07/20 07:01:58 marka Exp $
+# $Id: Makefile.in,v 1.12.18.4 2005/09/05 00:18:30 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -27,7 +27,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	-I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
 
-CDEFINES =
+CDEFINES =      @USE_DLZ@
 CWARNINGS =
 
 ISCLIBS =	../../lib/isc/libisc.@A@
@@ -43,10 +43,10 @@ LIBS =		@LIBS@
 SUBDIRS =	include
 
 # Alphabetically
-OBJS =		log.@O@ namedconf.@O@ parser.@O@ version.@O@
+OBJS =		aclconf.@O@ log.@O@ namedconf.@O@ parser.@O@ version.@O@
 
 # Alphabetically
-SRCS =		log.c namedconf.c parser.c version.c
+SRCS =		aclconf.c log.c namedconf.c parser.c version.c
 
 TARGETS = 	timestamp
 
diff --git a/contrib/bind9/lib/isccfg/aclconf.c b/contrib/bind9/lib/isccfg/aclconf.c
new file mode 100644
index 0000000..d7b41ce
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/aclconf.c
@@ -0,0 +1,256 @@
+/*
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: aclconf.c,v 1.2.2.6 2006/03/02 00:37:22 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <isccfg/namedconf.h>
+#include <isccfg/aclconf.h>
+
+#include <dns/acl.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+
+#define LOOP_MAGIC ISC_MAGIC('L','O','O','P') 
+
+void
+cfg_aclconfctx_init(cfg_aclconfctx_t *ctx) {
+	ISC_LIST_INIT(ctx->named_acl_cache);
+}
+
+void
+cfg_aclconfctx_destroy(cfg_aclconfctx_t *ctx) {
+     	dns_acl_t *dacl, *next;
+	for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
+	     dacl != NULL;
+	     dacl = next)
+	{
+		next = ISC_LIST_NEXT(dacl, nextincache);
+		dns_acl_detach(&dacl);
+	}
+}
+
+/*
+ * Find the definition of the named acl whose name is "name".
+ */
+static isc_result_t
+get_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
+	isc_result_t result;
+	const cfg_obj_t *acls = NULL;
+	const cfg_listelt_t *elt;
+	
+	result = cfg_map_get(cctx, "acl", &acls);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	for (elt = cfg_list_first(acls);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		const cfg_obj_t *acl = cfg_listelt_value(elt);
+		const char *aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
+		if (strcasecmp(aclname, name) == 0) {
+			*ret = cfg_tuple_get(acl, "value");
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+convert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
+		  isc_log_t *lctx, cfg_aclconfctx_t *ctx,
+		  isc_mem_t *mctx, dns_acl_t **target)
+{
+	isc_result_t result;
+	const cfg_obj_t *cacl = NULL;
+	dns_acl_t *dacl;
+	dns_acl_t loop;
+	const char *aclname = cfg_obj_asstring(nameobj);
+
+	/* Look for an already-converted version. */
+	for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
+	     dacl != NULL;
+	     dacl = ISC_LIST_NEXT(dacl, nextincache))
+	{
+		if (strcasecmp(aclname, dacl->name) == 0) {
+			if (ISC_MAGIC_VALID(dacl, LOOP_MAGIC)) {
+				cfg_obj_log(nameobj, lctx, ISC_LOG_ERROR,
+					    "acl loop detected: %s", aclname);
+				return (ISC_R_FAILURE);
+			}
+			dns_acl_attach(dacl, target);
+			return (ISC_R_SUCCESS);
+		}
+	}
+	/* Not yet converted.  Convert now. */
+	result = get_acl_def(cctx, aclname, &cacl);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(nameobj, lctx, ISC_LOG_WARNING,
+			    "undefined ACL '%s'", aclname);
+		return (result);
+	}
+	/*
+	 * Add a loop detection element.
+	 */
+	memset(&loop, 0, sizeof(loop));
+	ISC_LINK_INIT(&loop, nextincache);
+	DE_CONST(aclname, loop.name);
+	loop.magic = LOOP_MAGIC;
+	ISC_LIST_APPEND(ctx->named_acl_cache, &loop, nextincache);
+	result = cfg_acl_fromconfig(cacl, cctx, lctx, ctx, mctx, &dacl);
+	ISC_LIST_UNLINK(ctx->named_acl_cache, &loop, nextincache);
+	loop.magic = 0;
+	loop.name = NULL;
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	dacl->name = isc_mem_strdup(dacl->mctx, aclname);
+	if (dacl->name == NULL)
+		return (ISC_R_NOMEMORY);
+	ISC_LIST_APPEND(ctx->named_acl_cache, dacl, nextincache);
+	dns_acl_attach(dacl, target);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+convert_keyname(const cfg_obj_t *keyobj, isc_log_t *lctx, isc_mem_t *mctx,
+		dns_name_t *dnsname)
+{
+	isc_result_t result;
+	isc_buffer_t buf;
+	dns_fixedname_t fixname;
+	unsigned int keylen;
+	const char *txtname = cfg_obj_asstring(keyobj);
+
+	keylen = strlen(txtname);
+	isc_buffer_init(&buf, txtname, keylen);
+	isc_buffer_add(&buf, keylen);
+	dns_fixedname_init(&fixname);
+	result = dns_name_fromtext(dns_fixedname_name(&fixname), &buf,
+				   dns_rootname, ISC_FALSE, NULL);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(keyobj, lctx, ISC_LOG_WARNING,
+			    "key name '%s' is not a valid domain name",
+			    txtname);
+		return (result);
+	}
+	return (dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname));
+}
+
+isc_result_t
+cfg_acl_fromconfig(const cfg_obj_t *caml,
+		   const cfg_obj_t *cctx,
+	 	   isc_log_t *lctx,
+		   cfg_aclconfctx_t *ctx,
+		   isc_mem_t *mctx,
+		   dns_acl_t **target)
+{
+	isc_result_t result;
+	unsigned int count;
+	dns_acl_t *dacl = NULL;
+	dns_aclelement_t *de;
+	const cfg_listelt_t *elt;
+
+	REQUIRE(target != NULL && *target == NULL);
+
+	count = 0;
+	for (elt = cfg_list_first(caml);
+	     elt != NULL;
+	     elt = cfg_list_next(elt))
+		count++;
+
+	result = dns_acl_create(mctx, count, &dacl);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	de = dacl->elements;
+	for (elt = cfg_list_first(caml);
+	     elt != NULL;
+	     elt = cfg_list_next(elt))
+	{
+		const cfg_obj_t *ce = cfg_listelt_value(elt);
+		if (cfg_obj_istuple(ce)) {
+			/* This must be a negated element. */
+			ce = cfg_tuple_get(ce, "value");
+			de->negative = ISC_TRUE;
+		} else {
+			de->negative = ISC_FALSE;
+		}
+
+		if (cfg_obj_isnetprefix(ce)) {
+			/* Network prefix */
+			de->type = dns_aclelementtype_ipprefix;
+
+			cfg_obj_asnetprefix(ce,
+					    &de->u.ip_prefix.address,
+					    &de->u.ip_prefix.prefixlen);
+		} else if (cfg_obj_istype(ce, &cfg_type_keyref)) {
+			/* Key name */
+			de->type = dns_aclelementtype_keyname;
+			dns_name_init(&de->u.keyname, NULL);
+			result = convert_keyname(ce, lctx, mctx,
+						 &de->u.keyname);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+		} else if (cfg_obj_islist(ce)) {
+			/* Nested ACL */
+			de->type = dns_aclelementtype_nestedacl;
+			result = cfg_acl_fromconfig(ce, cctx, lctx, ctx,
+						    mctx, &de->u.nestedacl);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+		} else if (cfg_obj_isstring(ce)) {
+			/* ACL name */
+			const char *name = cfg_obj_asstring(ce);
+			if (strcasecmp(name, "localhost") == 0) {
+				de->type = dns_aclelementtype_localhost;
+			} else if (strcasecmp(name, "localnets") == 0) {
+				de->type = dns_aclelementtype_localnets;
+			}  else if (strcasecmp(name, "any") == 0) {
+				de->type = dns_aclelementtype_any;
+			}  else if (strcasecmp(name, "none") == 0) {
+				de->type = dns_aclelementtype_any;
+				de->negative = ISC_TF(! de->negative);
+			} else {
+				de->type = dns_aclelementtype_nestedacl;
+				result = convert_named_acl(ce, cctx, lctx,
+							   ctx, mctx,
+							   &de->u.nestedacl);
+				if (result != ISC_R_SUCCESS)
+					goto cleanup;
+			}
+		} else {
+			cfg_obj_log(ce, lctx, ISC_LOG_WARNING,
+				    "address match list contains "
+				    "unsupported element type");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		de++;
+		dacl->length++;
+	}
+
+	*target = dacl;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	dns_acl_detach(&dacl);
+	return (result);
+}
diff --git a/contrib/bind9/lib/isccfg/api b/contrib/bind9/lib/isccfg/api
index 59ed93b..7560ffd 100644
--- a/contrib/bind9/lib/isccfg/api
+++ b/contrib/bind9/lib/isccfg/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 1
-LIBREVISION = 6
+LIBINTERFACE = 30
+LIBREVISION = 2
 LIBAGE = 0
diff --git a/contrib/bind9/lib/isccfg/include/Makefile.in b/contrib/bind9/lib/isccfg/include/Makefile.in
index 77d3219..4eddd92 100644
--- a/contrib/bind9/lib/isccfg/include/Makefile.in
+++ b/contrib/bind9/lib/isccfg/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:15:27 marka Exp $
+# $Id: Makefile.in,v 1.5 2004/03/05 05:12:24 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in b/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in
index dc8b1b1..d71d2c2 100644
--- a/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in
+++ b/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001, 2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.12.3 2004/03/08 09:05:07 marka Exp $
+# $Id: Makefile.in,v 1.8.18.2 2005/01/12 01:54:57 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -26,7 +26,7 @@ top_srcdir =	@top_srcdir@
 # machine generated.  The latter are handled specially in the
 # install target below.
 #
-HEADERS =	cfg.h grammar.h log.h namedconf.h version.h
+HEADERS =	aclconf.h cfg.h grammar.h log.h namedconf.h version.h
 
 SUBDIRS =
 TARGETS =
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/aclconf.h b/contrib/bind9/lib/isccfg/include/isccfg/aclconf.h
new file mode 100644
index 0000000..a13740c
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/include/isccfg/aclconf.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: aclconf.h,v 1.2.2.5 2006/03/02 00:37:22 marka Exp $ */
+
+#ifndef ISCCFG_ACLCONF_H
+#define ISCCFG_ACLCONF_H 1
+
+#include <isc/lang.h>
+
+#include <isccfg/cfg.h>
+
+#include <dns/types.h>
+
+typedef struct cfg_aclconfctx {
+	ISC_LIST(dns_acl_t) named_acl_cache;
+} cfg_aclconfctx_t;
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+void
+cfg_aclconfctx_init(cfg_aclconfctx_t *ctx);
+/*
+ * Initialize an ACL configuration context.
+ */
+
+void
+cfg_aclconfctx_destroy(cfg_aclconfctx_t *ctx);
+/*
+ * Destroy an ACL configuration context.
+ */
+
+isc_result_t
+cfg_acl_fromconfig(const cfg_obj_t *caml,
+		   const cfg_obj_t *cctx,
+		   isc_log_t *lctx,
+		   cfg_aclconfctx_t *ctx,
+		   isc_mem_t *mctx,
+		   dns_acl_t **target);
+/*
+ * Construct a new dns_acl_t from configuration data in 'caml' and
+ * 'cctx'.  Memory is allocated through 'mctx'.
+ *
+ * Any named ACLs referred to within 'caml' will be be converted
+ * into nested dns_acl_t objects.  Multiple references to the same
+ * named ACLs will be converted into shared references to a single
+ * nested dns_acl_t object when the referring objects were created
+ * passing the same ACL configuration context 'ctx'.
+ *
+ * On success, attach '*target' to the new dns_acl_t object.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCFG_ACLCONF_H */
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/cfg.h b/contrib/bind9/lib/isccfg/include/isccfg/cfg.h
index c486719..6a30a1c 100644
--- a/contrib/bind9/lib/isccfg/include/isccfg/cfg.h
+++ b/contrib/bind9/lib/isccfg/include/isccfg/cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cfg.h,v 1.30.12.6 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: cfg.h,v 1.34.18.5 2006/03/02 00:37:22 marka Exp $ */
 
 #ifndef ISCCFG_CFG_H
 #define ISCCFG_CFG_H 1
@@ -24,7 +24,8 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file
+ * \brief
  * This is the new, table-driven, YACC-free configuration file parser.
  */
 
@@ -42,19 +43,19 @@
  *** Types
  ***/
 
-typedef struct cfg_parser cfg_parser_t;
-/*
+/*%
  * A configuration parser.
  */
+typedef struct cfg_parser cfg_parser_t;
 
-/*
+/*%
  * A configuration type definition object.  There is a single
  * static cfg_type_t object for each data type supported by
  * the configuration parser.
  */
 typedef struct cfg_type cfg_type_t;
 
-/*
+/*%
  * A configuration object.  This is the basic building block of the
  * configuration parse tree.  It contains a value (which may be
  * of one of several types) and information identifying the file
@@ -63,12 +64,12 @@ typedef struct cfg_type cfg_type_t;
  */
 typedef struct cfg_obj cfg_obj_t;
 
-/*
+/*%
  * A configuration object list element.
  */
 typedef struct cfg_listelt cfg_listelt_t;
 
-/*
+/*%
  * A callback function to be called when parsing an option 
  * that needs to be interpreted at parsing time, like
  * "directory".
@@ -84,7 +85,7 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret);
-/*
+/*%<
  * Create a configuration file parser.  Any warning and error
  * messages will be logged to 'lctx'.
  *
@@ -97,7 +98,7 @@ void
 cfg_parser_setcallback(cfg_parser_t *pctx,
 		       cfg_parsecallback_t callback,
 		       void *arg);
-/*
+/*%<
  * Make the parser call 'callback' whenever it encounters
  * a configuration clause with the callback attribute,
  * passing it the clause name, the clause value,
@@ -113,7 +114,7 @@ cfg_parse_file(cfg_parser_t *pctx, const char *filename,
 isc_result_t
 cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
 		 const cfg_type_t *type, cfg_obj_t **ret);
-/*
+/*%<
  * Read a configuration containing data of type 'type'
  * and make '*ret' point to its parse tree.
  *
@@ -124,246 +125,246 @@ cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
  * Returns an error if the file does not parse correctly.
  * 
  * Requires:
- *      "filename" is valid.
- *      "mem" is valid.
- *	"type" is valid.
- *      "cfg" is non-NULL and "*cfg" is NULL.
+ *\li 	"filename" is valid.
+ *\li 	"mem" is valid.
+ *\li	"type" is valid.
+ *\li 	"cfg" is non-NULL and "*cfg" is NULL.
  *
  * Returns:
- *      ISC_R_SUCCESS                 - success
- *      ISC_R_NOMEMORY                - no memory available
- *      ISC_R_INVALIDFILE             - file doesn't exist or is unreadable
- *      others	                      - file contains errors
+ *     \li #ISC_R_SUCCESS                 - success
+ *\li      #ISC_R_NOMEMORY                - no memory available
+ *\li      #ISC_R_INVALIDFILE             - file doesn't exist or is unreadable
+ *\li      others	                      - file contains errors
  */
 
 void
 cfg_parser_destroy(cfg_parser_t **pctxp);
-/*
+/*%<
  * Destroy a configuration parser.
  */
 
 isc_boolean_t
 cfg_obj_isvoid(const cfg_obj_t *obj);
-/*
+/*%<
  * Return true iff 'obj' is of void type (e.g., an optional 
  * value not specified).
  */
 
 isc_boolean_t
 cfg_obj_ismap(const cfg_obj_t *obj);
-/*
+/*%<
  * Return true iff 'obj' is of a map type.
  */
 
 isc_result_t
 cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj);
-/*
+/*%<
  * Extract an element from a configuration object, which
  * must be of a map type.
  *
  * Requires:
- *      'mapobj' points to a valid configuration object of a map type.
- *      'name' points to a null-terminated string.
- * 	'obj' is non-NULL and '*obj' is NULL.
+ * \li     'mapobj' points to a valid configuration object of a map type.
+ * \li     'name' points to a null-terminated string.
+ * \li	'obj' is non-NULL and '*obj' is NULL.
  *
  * Returns:
- *      ISC_R_SUCCESS                  - success
- *      ISC_R_NOTFOUND                 - name not found in map
+ * \li     #ISC_R_SUCCESS                  - success
+ * \li     #ISC_R_NOTFOUND                 - name not found in map
  */
 
 const cfg_obj_t *
 cfg_map_getname(const cfg_obj_t *mapobj);
-/*
+/*%<
  * Get the name of a named map object, like a server "key" clause.
  *
  * Requires:
- *      'mapobj' points to a valid configuration object of a map type.
+ *    \li  'mapobj' points to a valid configuration object of a map type.
  *
  * Returns:
- *      A pointer to a configuration object naming the map object,
+ * \li     A pointer to a configuration object naming the map object,
  *	or NULL if the map object does not have a name.
  */
 
 isc_boolean_t
 cfg_obj_istuple(const cfg_obj_t *obj);
-/*
+/*%<
  * Return true iff 'obj' is of a map type.
  */
 
 const cfg_obj_t *
 cfg_tuple_get(const cfg_obj_t *tupleobj, const char *name);
-/*
+/*%<
  * Extract an element from a configuration object, which
  * must be of a tuple type.
  *
  * Requires:
- *      'tupleobj' points to a valid configuration object of a tuple type.
- *      'name' points to a null-terminated string naming one of the
- *	fields of said tuple type.
+ * \li     'tupleobj' points to a valid configuration object of a tuple type.
+ * \li     'name' points to a null-terminated string naming one of the
+ *\li	fields of said tuple type.
  */
 
 isc_boolean_t
 cfg_obj_isuint32(const cfg_obj_t *obj);
-/*
+/*%<
  * Return true iff 'obj' is of integer type.
  */
 
 isc_uint32_t
 cfg_obj_asuint32(const cfg_obj_t *obj);
-/*
+/*%<
  * Returns the value of a configuration object of 32-bit integer type.
  *
  * Requires:
- *      'obj' points to a valid configuration object of 32-bit integer type.
+ * \li     'obj' points to a valid configuration object of 32-bit integer type.
  *
  * Returns:
- *      A 32-bit unsigned integer.
+ * \li     A 32-bit unsigned integer.
  */
 
 isc_boolean_t
 cfg_obj_isuint64(const cfg_obj_t *obj);
-/*
+/*%<
  * Return true iff 'obj' is of integer type.
  */
 
 isc_uint64_t
 cfg_obj_asuint64(const cfg_obj_t *obj);
-/*
+/*%<
  * Returns the value of a configuration object of 64-bit integer type.
  *
  * Requires:
- *      'obj' points to a valid configuration object of 64-bit integer type.
+ * \li     'obj' points to a valid configuration object of 64-bit integer type.
  *
  * Returns:
- *      A 64-bit unsigned integer.
+ * \li     A 64-bit unsigned integer.
  */
 
 isc_boolean_t
 cfg_obj_isstring(const cfg_obj_t *obj);
-/*
+/*%<
  * Return true iff 'obj' is of string type.
  */
 
 const char *
 cfg_obj_asstring(const cfg_obj_t *obj);
-/*
+/*%<
  * Returns the value of a configuration object of a string type
  * as a null-terminated string.
  *
  * Requires:
- *      'obj' points to a valid configuration object of a string type.
+ * \li     'obj' points to a valid configuration object of a string type.
  *
  * Returns:
- *      A pointer to a null terminated string.
+ * \li     A pointer to a null terminated string.
  */
 
 isc_boolean_t
 cfg_obj_isboolean(const cfg_obj_t *obj);
-/*
+/*%<
  * Return true iff 'obj' is of a boolean type.
  */
 
 isc_boolean_t
 cfg_obj_asboolean(const cfg_obj_t *obj);
-/*
+/*%<
  * Returns the value of a configuration object of a boolean type.
  *
  * Requires:
- *      'obj' points to a valid configuration object of a boolean type.
+ * \li     'obj' points to a valid configuration object of a boolean type.
  *
  * Returns:
- *      A boolean value.
+ * \li     A boolean value.
  */
 
 isc_boolean_t
 cfg_obj_issockaddr(const cfg_obj_t *obj);
-/*
+/*%<
  * Return true iff 'obj' is a socket address.
  */
 
 const isc_sockaddr_t *
 cfg_obj_assockaddr(const cfg_obj_t *obj);
-/*
+/*%<
  * Returns the value of a configuration object representing a socket address.
  *
  * Requires:
- *      'obj' points to a valid configuration object of a socket address type.
+ * \li     'obj' points to a valid configuration object of a socket address type.
  *
  * Returns:
- *      A pointer to a sockaddr.  The sockaddr must be copied by the caller
+ * \li     A pointer to a sockaddr.  The sockaddr must be copied by the caller
  *      if necessary.
  */
 
 isc_boolean_t
 cfg_obj_isnetprefix(const cfg_obj_t *obj);
-/*
+/*%<
  * Return true iff 'obj' is a network prefix.
  */
 
 void
 cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
 		    unsigned int *prefixlen);
-/*
+/*%<
  * Gets the value of a configuration object representing a network
  * prefix.  The network address is returned through 'netaddr' and the
  * prefix length in bits through 'prefixlen'.
  *
  * Requires:
- *      'obj' points to a valid configuration object of network prefix type.
- *	'netaddr' and 'prefixlen' are non-NULL.
+ * \li     'obj' points to a valid configuration object of network prefix type.
+ *\li	'netaddr' and 'prefixlen' are non-NULL.
  */
 
 isc_boolean_t
 cfg_obj_islist(const cfg_obj_t *obj);
-/*
+/*%<
  * Return true iff 'obj' is of list type.
  */
 
 const cfg_listelt_t *
 cfg_list_first(const cfg_obj_t *obj);
-/*
+/*%<
  * Returns the first list element in a configuration object of a list type.
  *
  * Requires:
- *      'obj' points to a valid configuration object of a list type or NULL.
+ * \li     'obj' points to a valid configuration object of a list type or NULL.
  *
  * Returns:
- *      A pointer to a cfg_listelt_t representing the first list element,
+ *   \li   A pointer to a cfg_listelt_t representing the first list element,
  * 	or NULL if the list is empty or nonexistent.
  */
 
 const cfg_listelt_t *
 cfg_list_next(const cfg_listelt_t *elt);
-/*
+/*%<
  * Returns the next element of a list of configuration objects.
  *
  * Requires:
- *      'elt' points to cfg_listelt_t obtained from cfg_list_first() or
+ * \li     'elt' points to cfg_listelt_t obtained from cfg_list_first() or
  *	a previous call to cfg_list_next().
  *
  * Returns:
- *      A pointer to a cfg_listelt_t representing the next element,
+ * \li     A pointer to a cfg_listelt_t representing the next element,
  * 	or NULL if there are no more elements.
  */
 
 const cfg_obj_t *
 cfg_listelt_value(const cfg_listelt_t *elt);
-/*
+/*%<
  * Returns the configuration object associated with cfg_listelt_t.
  *
  * Requires:
- *      'elt' points to cfg_listelt_t obtained from cfg_list_first() or
+ * \li     'elt' points to cfg_listelt_t obtained from cfg_list_first() or
  *	cfg_list_next().
  *
  * Returns:
- *      A non-NULL pointer to a configuration object.
+ * \li     A non-NULL pointer to a configuration object.
  */
 
 void
 cfg_print(const cfg_obj_t *obj,
 	  void (*f)(void *closure, const char *text, int textlen),
 	  void *closure);
-/*
+/*%<
  * Print the configuration object 'obj' by repeatedly calling the
  * function 'f', passing 'closure' and a region of text starting
  * at 'text' and comprising 'textlen' characters.
@@ -373,18 +374,18 @@ void
 cfg_print_grammar(const cfg_type_t *type,
 	  void (*f)(void *closure, const char *text, int textlen),
 	  void *closure);
-/*
+/*%<
  * Print a summary of the grammar of the configuration type 'type'.
  */
 
 isc_boolean_t
 cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type);
-/*
+/*%<
  * Return true iff 'obj' is of type 'type'. 
  */
 
 void cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **obj);
-/*
+/*%<
  * Destroy a configuration object.
  */
 
@@ -392,7 +393,7 @@ void
 cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
             const char *fmt, ...)
 	ISC_FORMAT_PRINTF(4, 5);
-/*
+/*%<
  * Log a message concerning configuration object 'obj' to the logging
  * channel of 'pctx', at log level 'level'.  The message will be prefixed
  * with the file name(s) and line number where 'obj' was defined.
@@ -400,13 +401,13 @@ cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
 
 const char *
 cfg_obj_file(const cfg_obj_t *obj);
-/*
+/*%<
  * Return the file that defined this object.
  */
 
 unsigned int
 cfg_obj_line(const cfg_obj_t *obj);
-/*
+/*%<
  * Return the line in file where this object was defined.
  */
 
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/grammar.h b/contrib/bind9/lib/isccfg/include/isccfg/grammar.h
index 4aaeb4f..fa66146 100644
--- a/contrib/bind9/lib/isccfg/include/isccfg/grammar.h
+++ b/contrib/bind9/lib/isccfg/include/isccfg/grammar.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: grammar.h,v 1.3.50.6 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: grammar.h,v 1.4.18.8 2006/02/28 03:10:49 marka Exp $ */
 
 #ifndef ISCCFG_GRAMMAR_H
 #define ISCCFG_GRAMMAR_H 1
 
+/*! \file */
+
 #include <isc/lex.h>
 #include <isc/netaddr.h>
 #include <isc/sockaddr.h>
@@ -33,17 +35,17 @@
  * and the grammars; not visible to users of the parser.
  */
 
-/* Clause may occur multiple times (e.g., "zone") */
+/*% Clause may occur multiple times (e.g., "zone") */
 #define CFG_CLAUSEFLAG_MULTI 		0x00000001
-/* Clause is obsolete */
+/*% Clause is obsolete */
 #define CFG_CLAUSEFLAG_OBSOLETE 	0x00000002
-/* Clause is not implemented, and may never be */
+/*% Clause is not implemented, and may never be */
 #define CFG_CLAUSEFLAG_NOTIMP	 	0x00000004
-/* Clause is not implemented yet */
+/*% Clause is not implemented yet */
 #define CFG_CLAUSEFLAG_NYI 		0x00000008
-/* Default value has changed since earlier release */
+/*% Default value has changed since earlier release */
 #define CFG_CLAUSEFLAG_NEWDEFAULT	0x00000010
-/*
+/*%
  * Clause needs to be interpreted during parsing
  * by calling a callback function, like the
  * "directory" option.
@@ -71,7 +73,7 @@ typedef void	     (*cfg_freefunc_t)(cfg_parser_t *, cfg_obj_t *);
  * Structure definitions
  */
 
-/*
+/*%
  * A configuration printer object.  This is an abstract
  * interface to a destination to which text can be printed
  * by calling the function 'f'.
@@ -82,42 +84,39 @@ struct cfg_printer {
 	int indent;
 };
 
-/* A clause definition. */
-
+/*% A clause definition. */
 struct cfg_clausedef {
 	const char      *name;
 	cfg_type_t      *type;
 	unsigned int	flags;
 };
 
-/* A tuple field definition. */
-
+/*% A tuple field definition. */
 struct cfg_tuplefielddef {
 	const char      *name;
 	cfg_type_t      *type;
 	unsigned int	flags;
 };
 
-/* A configuration object type definition. */
+/*% A configuration object type definition. */
 struct cfg_type {
-	const char *name;	/* For debugging purposes only */
+	const char *name;	/*%< For debugging purposes only */
 	cfg_parsefunc_t	parse;
 	cfg_printfunc_t print;
-	cfg_docfunc_t	doc;	/* Print grammar description */
-	cfg_rep_t *	rep;	/* Data representation */
-	const void *	of;	/* Additional data for meta-types */
+	cfg_docfunc_t	doc;	/*%< Print grammar description */
+	cfg_rep_t *	rep;	/*%< Data representation */
+	const void *	of;	/*%< Additional data for meta-types */
 };
 
-/* A keyword-type definition, for things like "port <integer>". */
-
+/*% A keyword-type definition, for things like "port <integer>". */
 typedef struct {
 	const char *name;
 	const cfg_type_t *type;
 } keyword_type_t;
 
 struct cfg_map {
-	cfg_obj_t	 *id; /* Used for 'named maps' like keys, zones, &c */
-	const cfg_clausedef_t * const *clausesets; /* The clauses that
+	cfg_obj_t	 *id; /*%< Used for 'named maps' like keys, zones, &c */
+	const cfg_clausedef_t * const *clausesets; /*%< The clauses that
 						      can occur in this map;
 						      used for printing */
 	isc_symtab_t     *symtab;
@@ -130,15 +129,15 @@ struct cfg_netprefix {
 	unsigned int prefixlen;
 };
 
-/*
+/*%
  * A configuration data representation.
  */
 struct cfg_rep {
-	const char *	name;	/* For debugging only */
-	cfg_freefunc_t 	free;	/* How to free this kind of data. */
+	const char *	name;	/*%< For debugging only */
+	cfg_freefunc_t 	free;	/*%< How to free this kind of data. */
 };
 
-/*
+/*%
  * A configuration object.  This is the main building block
  * of the configuration parse tree.
  */
@@ -148,7 +147,7 @@ struct cfg_obj {
 	union {
 		isc_uint32_t  	uint32;
 		isc_uint64_t  	uint64;
-		isc_textregion_t string; /* null terminated, too */
+		isc_textregion_t string; /*%< null terminated, too */
 		isc_boolean_t 	boolean;
 		cfg_map_t	map;
 		cfg_list_t	list;
@@ -161,14 +160,13 @@ struct cfg_obj {
 };
 
 
-/* A list element. */
-
+/*% A list element. */
 struct cfg_listelt {
 	cfg_obj_t               *obj;
 	ISC_LINK(cfg_listelt_t)  link;
 };
 
-/* The parser object. */
+/*% The parser object. */
 struct cfg_parser {
 	isc_mem_t *	mctx;
 	isc_log_t *	lctx;
@@ -177,13 +175,13 @@ struct cfg_parser {
 	unsigned int    warnings;
 	isc_token_t     token;
 
-	/* We are at the end of all input. */
+	/*% We are at the end of all input. */
 	isc_boolean_t	seen_eof;
 
-	/* The current token has been pushed back. */
+	/*% The current token has been pushed back. */
 	isc_boolean_t	ungotten;
 
-	/*
+	/*%
 	 * The stack of currently active files, represented
 	 * as a configuration list of configuration strings.
 	 * The head is the top-level file, subsequent elements 
@@ -192,7 +190,7 @@ struct cfg_parser {
 	 */
 	cfg_obj_t *	open_files;
 
-	/*
+	/*%
 	 * Names of files that we have parsed and closed
 	 * and were previously on the open_file list.
 	 * We keep these objects around after closing
@@ -203,7 +201,7 @@ struct cfg_parser {
 	 */
 	cfg_obj_t *	closed_files;
 
-	/*
+	/*%
 	 * Current line number.  We maintain our own
 	 * copy of this so that it is available even
 	 * when a file has just been closed.
@@ -215,15 +213,19 @@ struct cfg_parser {
 };
 
 
-/*
+/*@{*/
+/*%
  * Flags defining whether to accept certain types of network addresses.
  */
 #define CFG_ADDR_V4OK 		0x00000001
 #define CFG_ADDR_V4PREFIXOK 	0x00000002
 #define CFG_ADDR_V6OK 		0x00000004
 #define CFG_ADDR_WILDOK		0x00000008
+#define CFG_ADDR_MASK		(CFG_ADDR_V6OK|CFG_ADDR_V4OK)
+/*@}*/
 
-/*
+/*@{*/
+/*%
  * Predefined data representation types.
  */
 LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_uint32;
@@ -236,8 +238,10 @@ LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_tuple;
 LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_sockaddr;
 LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_netprefix;
 LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_void;
+/*@}*/
 
-/*
+/*@{*/
+/*%
  * Predefined configuration object types.
  */
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_boolean;
@@ -248,10 +252,15 @@ LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_astring;
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ustring;
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sockaddr;
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr4;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr4wild;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr6;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr6wild;
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netprefix;
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_void;
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_token;
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_unsupported;
+/*@}*/
 
 isc_result_t
 cfg_gettoken(cfg_parser_t *pctx, int options);
@@ -314,7 +323,7 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 
 isc_result_t
 cfg_parse_special(cfg_parser_t *pctx, int special);
-/* Parse a required special character 'special'. */
+/*%< Parse a required special character 'special'. */
 
 isc_result_t
 cfg_create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
@@ -358,11 +367,11 @@ cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type);
 
 void
 cfg_print_chars(cfg_printer_t *pctx, const char *text, int len);
-/* Print 'len' characters at 'text' */
+/*%< Print 'len' characters at 'text' */
 
 void
 cfg_print_cstr(cfg_printer_t *pctx, const char *s);
-/* Print the null-terminated string 's' */
+/*%< Print the null-terminated string 's' */
 
 isc_result_t
 cfg_parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
@@ -373,6 +382,10 @@ cfg_parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 isc_result_t
 cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
+isc_result_t
+cfg_parse_netprefix_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **
+ret);
+
 void
 cfg_print_map(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
@@ -405,28 +418,28 @@ cfg_print_obj(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type);
-/*
+/*%<
  * Print a description of the grammar of an arbitrary configuration
  * type 'type'
  */
 
 void
 cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type);
-/*
+/*%<
  * Document the type 'type' as a terminal by printing its
- * name in angle brackets, e.g., <uint32>.
+ * name in angle brackets, e.g., &lt;uint32>.
  */
 
 void
 cfg_parser_error(cfg_parser_t *pctx, unsigned int flags,
 		 const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);
-/*
+/*! 
  * Pass one of these flags to cfg_parser_error() to include the
  * token text in log message.
  */
-#define CFG_LOG_NEAR    0x00000001	/* Say "near <token>" */
-#define CFG_LOG_BEFORE  0x00000002	/* Say "before <token>" */
-#define CFG_LOG_NOPREP  0x00000004	/* Say just "<token>" */
+#define CFG_LOG_NEAR    0x00000001	/*%< Say "near <token>" */
+#define CFG_LOG_BEFORE  0x00000002	/*%< Say "before <token>" */
+#define CFG_LOG_NOPREP  0x00000004	/*%< Say just "<token>" */
 
 void
 cfg_parser_warning(cfg_parser_t *pctx, unsigned int flags,
@@ -434,6 +447,6 @@ cfg_parser_warning(cfg_parser_t *pctx, unsigned int flags,
 
 isc_boolean_t
 cfg_is_enum(const char *s, const char *const *enums);
-/* Return true iff the string 's' is one of the strings in 'enums' */
+/*%< Return true iff the string 's' is one of the strings in 'enums' */
 
 #endif /* ISCCFG_GRAMMAR_H */
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/log.h b/contrib/bind9/lib/isccfg/include/isccfg/log.h
index b3d2da7d..f66c37f 100644
--- a/contrib/bind9/lib/isccfg/include/isccfg/log.h
+++ b/contrib/bind9/lib/isccfg/include/isccfg/log.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.3.2.1.10.3 2004/03/08 09:05:07 marka Exp $ */
+/* $Id: log.h,v 1.6.18.2 2005/04/29 00:17:16 marka Exp $ */
 
 #ifndef ISCCFG_LOG_H
 #define ISCCFG_LOG_H 1
 
+/*! \file */
+
 #include <isc/lang.h>
 #include <isc/log.h>
 
@@ -34,17 +36,17 @@ ISC_LANG_BEGINDECLS
 
 void
 cfg_log_init(isc_log_t *lctx);
-/*
+/*%<
  * Make the libisccfg categories and modules available for use with the
  * ISC logging library.
  *
  * Requires:
- *	lctx is a valid logging context.
+ *\li	lctx is a valid logging context.
  *
- *	cfg_log_init() is called only once.
+ *\li	cfg_log_init() is called only once.
  *
  * Ensures:
- * 	The catgories and modules defined above are available for
+ * \li	The catgories and modules defined above are available for
  * 	use by isc_log_usechannnel() and isc_log_write().
  */
 
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h b/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h
index 4d5bd0b..6125b26 100644
--- a/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h
+++ b/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.h,v 1.2.202.3 2004/03/08 09:05:07 marka Exp $ */
+/* $Id: namedconf.h,v 1.3.18.2 2005/04/29 00:17:16 marka Exp $ */
 
 #ifndef ISCCFG_NAMEDCONF_H
 #define ISCCFG_NAMEDCONF_H 1
 
-/*
+/*! \file
+ * \brief
  * This module defines the named.conf, rndc.conf, and rndc.key grammars.
  */
 
@@ -30,15 +31,15 @@
  * Configuration object types.
  */
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_namedconf;
-/* A complete named.conf file. */
+/*%< A complete named.conf file. */
 
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndcconf;
-/* A complete rndc.conf file. */
+/*%< A complete rndc.conf file. */
 
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndckey;
-/* A complete rndc.key file. */
+/*%< A complete rndc.key file. */
 
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
-/* A key reference, used as an ACL element */
+/*%< A key reference, used as an ACL element */
 
 #endif /* ISCCFG_CFG_H */
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/version.h b/contrib/bind9/lib/isccfg/include/isccfg/version.h
index d02a814..38bb14b 100644
--- a/contrib/bind9/lib/isccfg/include/isccfg/version.h
+++ b/contrib/bind9/lib/isccfg/include/isccfg/version.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.2.222.3 2004/03/08 09:05:08 marka Exp $ */
+/* $Id: version.h,v 1.3.18.2 2005/04/29 00:17:16 marka Exp $ */
+
+/*! \file */
 
 #include <isc/platform.h>
 
diff --git a/contrib/bind9/lib/isccfg/log.c b/contrib/bind9/lib/isccfg/log.c
index b16b4d3..5d5ccb5 100644
--- a/contrib/bind9/lib/isccfg/log.c
+++ b/contrib/bind9/lib/isccfg/log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.2.2.1.10.3 2004/03/08 09:05:06 marka Exp $ */
+/* $Id: log.c,v 1.5.18.2 2005/04/29 00:17:15 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -23,7 +25,7 @@
 
 #include <isccfg/log.h>
 
-/*
+/*%
  * When adding a new category, be sure to add the appropriate
  * #define to <isccfg/log.h>.
  */
@@ -32,7 +34,7 @@ LIBISCCFG_EXTERNAL_DATA isc_logcategory_t cfg_categories[] = {
 	{ NULL, 	0 }
 };
 
-/*
+/*%
  * When adding a new module, be sure to add the appropriate
  * #define to <isccfg/log.h>.
  */
diff --git a/contrib/bind9/lib/isccfg/namedconf.c b/contrib/bind9/lib/isccfg/namedconf.c
index d54bbe2..65e30a2 100644
--- a/contrib/bind9/lib/isccfg/namedconf.c
+++ b/contrib/bind9/lib/isccfg/namedconf.c
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.21.44.34 2006/03/02 00:37:20 marka Exp $ */
+/* $Id: namedconf.c,v 1.30.18.38 2006/05/03 01:46:40 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -32,18 +34,18 @@
 
 #define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
 
-/* Check a return value. */
+/*% Check a return value. */
 #define CHECK(op) 						\
      	do { result = (op); 					\
 		if (result != ISC_R_SUCCESS) goto cleanup; 	\
 	} while (0)
 
-/* Clean up a configuration object if non-NULL. */
+/*% Clean up a configuration object if non-NULL. */
 #define CLEANUP_OBJ(obj) \
 	do { if ((obj) != NULL) cfg_obj_destroy(pctx, &(obj)); } while (0)
 
 
-/*
+/*%
  * Forward declarations of static functions.
  */
 
@@ -71,10 +73,12 @@ static cfg_type_t cfg_type_addrmatchelt;
 static cfg_type_t cfg_type_bracketed_aml;
 static cfg_type_t cfg_type_bracketed_namesockaddrkeylist;
 static cfg_type_t cfg_type_bracketed_sockaddrlist;
+static cfg_type_t cfg_type_bracketed_sockaddrnameportlist;
 static cfg_type_t cfg_type_controls;
 static cfg_type_t cfg_type_controls_sockaddr;
 static cfg_type_t cfg_type_destinationlist;
 static cfg_type_t cfg_type_dialuptype;
+static cfg_type_t cfg_type_ixfrdifftype;
 static cfg_type_t cfg_type_key;
 static cfg_type_t cfg_type_logfile;
 static cfg_type_t cfg_type_logging;
@@ -104,8 +108,35 @@ static cfg_type_t cfg_type_view;
 static cfg_type_t cfg_type_viewopts;
 static cfg_type_t cfg_type_zone;
 static cfg_type_t cfg_type_zoneopts;
+static cfg_type_t cfg_type_dynamically_loadable_zones;
+static cfg_type_t cfg_type_dynamically_loadable_zones_opts;
+
+/*
+ * Clauses that can be found in a 'dynamically loadable zones' statement
+ */
+static cfg_clausedef_t
+dynamically_loadable_zones_clauses[] = {
+	{ "database", &cfg_type_astring, 0 },
+	{ NULL, NULL, 0 }
+};
+
+/*
+ * A dynamically loadable zones statement.
+ */
+static cfg_tuplefielddef_t dynamically_loadable_zones_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "options", &cfg_type_dynamically_loadable_zones_opts, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_dynamically_loadable_zones = {
+	"dlz", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple,
+	dynamically_loadable_zones_fields
+	};
 
-/* tkey-dhkey */
+
+/*% tkey-dhkey */
 
 static cfg_tuplefielddef_t tkey_dhkey_fields[] = {
 	{ "name", &cfg_type_qstring, 0 },
@@ -118,7 +149,7 @@ static cfg_type_t cfg_type_tkey_dhkey = {
 	tkey_dhkey_fields
 };
 
-/* listen-on */
+/*% listen-on */
 
 static cfg_tuplefielddef_t listenon_fields[] = {
 	{ "port", &cfg_type_optional_port, 0 },
@@ -128,7 +159,7 @@ static cfg_tuplefielddef_t listenon_fields[] = {
 static cfg_type_t cfg_type_listenon = {
 	"listenon", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, listenon_fields };
 
-/* acl */
+/*% acl */
 
 static cfg_tuplefielddef_t acl_fields[] = {
 	{ "name", &cfg_type_astring, 0 },
@@ -139,7 +170,7 @@ static cfg_tuplefielddef_t acl_fields[] = {
 static cfg_type_t cfg_type_acl = {
 	"acl", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, acl_fields };
 
-/* masters */
+/*% masters */
 static cfg_tuplefielddef_t masters_fields[] = {
 	{ "name", &cfg_type_astring, 0 },
 	{ "port", &cfg_type_optional_port, 0 },
@@ -150,7 +181,7 @@ static cfg_tuplefielddef_t masters_fields[] = {
 static cfg_type_t cfg_type_masters = {
 	"masters", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, masters_fields };
 
-/*
+/*%
  * "sockaddrkeylist", a list of socket addresses with optional keys
  * and an optional default port, as used in the masters option.
  * E.g.,
@@ -183,7 +214,7 @@ static cfg_type_t cfg_type_namesockaddrkeylist = {
 	namesockaddrkeylist_fields
 };
 
-/*
+/*%
  * A list of socket addresses with an optional default port,
  * as used in the also-notify option.  E.g.,
  * "port 1234 { 10.0.0.1; 1::2 port 69; }"
@@ -198,7 +229,7 @@ static cfg_type_t cfg_type_portiplist = {
 	portiplist_fields
 };
 
-/*
+/*%
  * A public key, as in the "pubkey" statement.
  */
 static cfg_tuplefielddef_t pubkey_fields[] = {
@@ -211,7 +242,7 @@ static cfg_tuplefielddef_t pubkey_fields[] = {
 static cfg_type_t cfg_type_pubkey = {
 	"pubkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, pubkey_fields };
 
-/*
+/*%
  * A list of RR types, used in grant statements.
  * Note that the old parser allows quotes around the RR type names.
  */
@@ -227,13 +258,13 @@ static cfg_type_t cfg_type_mode = {
 };
 
 static const char *matchtype_enums[] = {
-	"name", "subdomain", "wildcard", "self", NULL };
+	"name", "subdomain", "wildcard", "self", "selfsub", "selfwild", NULL };
 static cfg_type_t cfg_type_matchtype = {
 	"matchtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
 	&matchtype_enums
 };
 
-/*
+/*%
  * A grant statement, used in the update policy.
  */
 static cfg_tuplefielddef_t grant_fields[] = {
@@ -252,7 +283,7 @@ static cfg_type_t cfg_type_updatepolicy = {
 	&cfg_rep_list, &cfg_type_grant
 };
 
-/*
+/*%
  * A view statement.
  */
 static cfg_tuplefielddef_t view_fields[] = {
@@ -264,7 +295,7 @@ static cfg_tuplefielddef_t view_fields[] = {
 static cfg_type_t cfg_type_view = {
 	"view", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, view_fields };
 
-/*
+/*%
  * A zone statement.
  */
 static cfg_tuplefielddef_t zone_fields[] = {
@@ -276,7 +307,7 @@ static cfg_tuplefielddef_t zone_fields[] = {
 static cfg_type_t cfg_type_zone = {
 	"zone", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, zone_fields };
 
-/*
+/*%
  * A "category" clause in the "logging" statement.
  */
 static cfg_tuplefielddef_t category_fields[] = {
@@ -288,7 +319,7 @@ static cfg_type_t cfg_type_category = {
 	"category", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, category_fields };
 
 
-/*
+/*%
  * A trusted key, as used in the "trusted-keys" statement.
  */
 static cfg_tuplefielddef_t trustedkey_fields[] = {
@@ -325,7 +356,7 @@ static cfg_type_t cfg_type_optional_wild_name = {
 	print_keyvalue, doc_optional_keyvalue, &cfg_rep_string, &wild_name_kw
 };
 
-/*
+/*%
  * An rrset ordering element.
  */
 static cfg_tuplefielddef_t rrsetorderingelement_fields[] = {
@@ -341,7 +372,7 @@ static cfg_type_t cfg_type_rrsetorderingelement = {
 	rrsetorderingelement_fields
 };
 
-/*
+/*%
  * A global or view "check-names" option.  Note that the zone
  * "check-names" option has a different syntax.
  */
@@ -385,7 +416,7 @@ static cfg_type_t cfg_type_optional_port = {
 	doc_optional_keyvalue, &cfg_rep_uint32, &port_kw
 };
 
-/* A list of keys, as in the "key" clause of the controls statement. */
+/*% A list of keys, as in the "key" clause of the controls statement. */
 static cfg_type_t cfg_type_keylist = {
 	"keylist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list,
 	&cfg_type_astring
@@ -405,8 +436,8 @@ static cfg_type_t cfg_type_forwardtype = {
 static const char *zonetype_enums[] = {
 	"master", "slave", "stub", "hint", "forward", "delegation-only", NULL };
 static cfg_type_t cfg_type_zonetype = {
-	"zonetype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
-	&zonetype_enums
+	"zonetype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &zonetype_enums
 };
 
 static const char *loglevel_enums[] = {
@@ -423,7 +454,7 @@ static cfg_type_t cfg_type_transferformat = {
 	&transferformat_enums
 };
 
-/*
+/*%
  * The special keyword "none", as used in the pid-file option.
  */
 
@@ -437,7 +468,7 @@ static cfg_type_t cfg_type_none = {
 	"none", NULL, print_none, NULL, &cfg_rep_void, NULL
 };
 
-/*
+/*%
  * A quoted string or the special keyword "none".  Used in the pid-file option.
  */
 static isc_result_t
@@ -464,7 +495,7 @@ doc_qstringornone(cfg_printer_t *pctx, const cfg_type_t *type) {
 static cfg_type_t cfg_type_qstringornone = {
 	"qstringornone", parse_qstringornone, NULL, doc_qstringornone, NULL, NULL };
 
-/*
+/*%
  * keyword hostname
  */
 
@@ -478,7 +509,7 @@ static cfg_type_t cfg_type_hostname = {
 	"hostname", NULL, print_hostname, NULL, &cfg_rep_boolean, NULL
 };
 
-/*
+/*%
  * "server-id" argument.
  */
 
@@ -510,7 +541,7 @@ doc_serverid(cfg_printer_t *pctx, const cfg_type_t *type) {
 static cfg_type_t cfg_type_serverid = {
 	"serverid", parse_serverid, NULL, doc_serverid, NULL, NULL };
 
-/*
+/*%
  * Port list.
  */
 static isc_result_t
@@ -539,7 +570,7 @@ static cfg_type_t cfg_type_bracketed_portlist = {
 	&cfg_rep_list, &cfg_type_port
 };
 
-/*
+/*%
  * Clauses that can be found within the top level of the named.conf
  * file only.
  */
@@ -555,7 +586,7 @@ namedconf_clauses[] = {
 	{ NULL, NULL, 0 }
 };
 
-/*
+/*%
  * Clauses that can occur at the top level or in the view
  * statement, but not in the options block.
  */
@@ -563,12 +594,14 @@ static cfg_clausedef_t
 namedconf_or_view_clauses[] = {
 	{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
 	{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
+	/* only 1 DLZ per view allowed */
+ 	{ "dlz", &cfg_type_dynamically_loadable_zones, 0 },
 	{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
 	{ "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
 	{ NULL, NULL, 0 }
 };
 
-/*
+/*%
  * Clauses that can be found within the 'options' statement.
  */
 static cfg_clausedef_t
@@ -660,7 +693,13 @@ static cfg_type_t cfg_type_mustbesecure = {
 	&cfg_rep_tuple, mustbesecure_fields
 };
 
-/*
+static const char *masterformat_enums[] = { "text", "raw", NULL };
+static cfg_type_t cfg_type_masterformat = {
+	"masterformat", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &masterformat_enums
+};
+
+/*%
  * dnssec-lookaside
  */
 
@@ -682,13 +721,14 @@ static cfg_type_t cfg_type_lookaside = {
 	&cfg_rep_tuple, lookaside_fields
 };
 
-/*
+/*%
  * Clauses that can be found within the 'view' statement,
  * with defaults in the 'options' statement.
  */
 
 static cfg_clausedef_t
 view_clauses[] = {
+	{ "allow-query-cache", &cfg_type_bracketed_aml, 0 },
 	{ "allow-recursion", &cfg_type_bracketed_aml, 0 },
 	{ "allow-v6-synthesis", &cfg_type_bracketed_aml,
 	  CFG_CLAUSEFLAG_OBSOLETE },
@@ -723,17 +763,31 @@ view_clauses[] = {
 	{ "preferred-glue", &cfg_type_astring, 0 },
 	{ "dual-stack-servers", &cfg_type_nameportiplist, 0 },
 	{ "edns-udp-size", &cfg_type_uint32, 0 },
+	{ "max-udp-size", &cfg_type_uint32, 0 },
 	{ "root-delegation-only",  &cfg_type_optional_exclude, 0 },
 	{ "disable-algorithms", &cfg_type_disablealgorithm,
 	  CFG_CLAUSEFLAG_MULTI },
 	{ "dnssec-enable", &cfg_type_boolean, 0 },
+	{ "dnssec-validation", &cfg_type_boolean, 0 },
 	{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
 	{ "dnssec-must-be-secure",  &cfg_type_mustbesecure,
 	   CFG_CLAUSEFLAG_MULTI },
+	{ "dnssec-accept-expired", &cfg_type_boolean, 0 },
+	{ "ixfr-from-differences", &cfg_type_ixfrdifftype, 0 },
+	{ "acache-enable", &cfg_type_boolean, 0 },
+	{ "acache-cleaning-interval", &cfg_type_uint32, 0 },
+	{ "max-acache-size", &cfg_type_sizenodefault, 0 },
+	{ "clients-per-query", &cfg_type_uint32, 0 },
+	{ "max-clients-per-query", &cfg_type_uint32, 0 },
+	{ "empty-server", &cfg_type_astring, 0 },
+	{ "empty-contact", &cfg_type_astring, 0 },
+	{ "empty-zones-enable", &cfg_type_boolean, 0 },
+	{ "disable-empty-zone", &cfg_type_astring, CFG_CLAUSEFLAG_MULTI },
+	{ "zero-no-soa-ttl-cache", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }
 };
 
-/*
+/*%
  * Clauses that can be found within the 'view' statement only.
  */
 static cfg_clausedef_t
@@ -744,7 +798,7 @@ view_only_clauses[] = {
 	{ NULL, NULL, 0 }
 };
 
-/*
+/*%
  * Clauses that can be found in a 'zone' statement,
  * with defaults in the 'view' or 'options' statement.
  */
@@ -752,16 +806,18 @@ static cfg_clausedef_t
 zone_clauses[] = {
 	{ "allow-query", &cfg_type_bracketed_aml, 0 },
 	{ "allow-transfer", &cfg_type_bracketed_aml, 0 },
+	{ "allow-update", &cfg_type_bracketed_aml, 0 },
 	{ "allow-update-forwarding", &cfg_type_bracketed_aml, 0 },
 	{ "allow-notify", &cfg_type_bracketed_aml, 0 },
+	{ "masterfile-format", &cfg_type_masterformat, 0 },
 	{ "notify", &cfg_type_notifytype, 0 },
 	{ "notify-source", &cfg_type_sockaddr4wild, 0 },
 	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
 	{ "also-notify", &cfg_type_portiplist, 0 },
+	{ "notify-delay", &cfg_type_uint32, 0 },
 	{ "dialup", &cfg_type_dialuptype, 0 },
 	{ "forward", &cfg_type_forwardtype, 0 },
 	{ "forwarders", &cfg_type_portiplist, 0 },
-	{ "ixfr-from-differences", &cfg_type_boolean, 0 },
 	{ "maintain-ixfr-base", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "max-journal-size", &cfg_type_sizenodefault, 0 },
@@ -782,18 +838,26 @@ zone_clauses[] = {
 	{ "use-alt-transfer-source", &cfg_type_boolean, 0 },
 	{ "zone-statistics", &cfg_type_boolean, 0 },
 	{ "key-directory", &cfg_type_qstring, 0 },
+	{ "check-wildcard", &cfg_type_boolean, 0 },
+	{ "check-integrity", &cfg_type_boolean, 0 },
+	{ "check-mx", &cfg_type_checkmode, 0 },
+	{ "check-mx-cname", &cfg_type_checkmode, 0 },
+	{ "check-srv-cname", &cfg_type_checkmode, 0 },
+	{ "check-sibling", &cfg_type_boolean, 0 },
+	{ "zero-no-soa-ttl", &cfg_type_boolean, 0 },
+	{ "update-check-ksk", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }
 };
 
-/*
+/*%
  * Clauses that can be found in a 'zone' statement
  * only.
  */
 static cfg_clausedef_t
 zone_only_clauses[] = {
 	{ "type", &cfg_type_zonetype, 0 },
-	{ "allow-update", &cfg_type_bracketed_aml, 0 },
 	{ "file", &cfg_type_qstring, 0 },
+	{ "journal", &cfg_type_qstring, 0 },
 	{ "ixfr-base", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "ixfr-tmp-file", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "masters", &cfg_type_namesockaddrkeylist, 0 },
@@ -807,11 +871,12 @@ zone_only_clauses[] = {
 	 * the zone options and the global/view options.  Ugh.
 	 */
 	{ "check-names", &cfg_type_checkmode, 0 },
+	{ "ixfr-from-differences", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }
 };
 
 
-/* The top-level named.conf syntax. */
+/*% The top-level named.conf syntax. */
 
 static cfg_clausedef_t *
 namedconf_clausesets[] = {
@@ -825,7 +890,7 @@ LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = {
 	&cfg_rep_map, namedconf_clausesets
 };
 
-/* The "options" statement syntax. */
+/*% The "options" statement syntax. */
 
 static cfg_clausedef_t *
 options_clausesets[] = {
@@ -837,7 +902,7 @@ options_clausesets[] = {
 static cfg_type_t cfg_type_options = {
 	"options", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, options_clausesets };
 
-/* The "view" statement syntax. */
+/*% The "view" statement syntax. */
 
 static cfg_clausedef_t *
 view_clausesets[] = {
@@ -845,12 +910,13 @@ view_clausesets[] = {
 	namedconf_or_view_clauses,
 	view_clauses,
 	zone_clauses,
+ 	dynamically_loadable_zones_clauses,
 	NULL
 };
 static cfg_type_t cfg_type_viewopts = {
 	"view", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, view_clausesets };
 
-/* The "zone" statement syntax. */
+/*% The "zone" statement syntax. */
 
 static cfg_clausedef_t *
 zone_clausesets[] = {
@@ -859,9 +925,23 @@ zone_clausesets[] = {
 	NULL
 };
 static cfg_type_t cfg_type_zoneopts = {
-	"zoneopts", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, zone_clausesets };
-
-/*
+	"zoneopts", cfg_parse_map, cfg_print_map, 
+	cfg_doc_map, &cfg_rep_map, zone_clausesets };
+ 
+/*% The "dynamically loadable zones" statement syntax. */
+ 
+static cfg_clausedef_t *
+dynamically_loadable_zones_clausesets[] = {
+	dynamically_loadable_zones_clauses,
+ 	NULL
+};
+static cfg_type_t cfg_type_dynamically_loadable_zones_opts = {
+	"dynamically_loadable_zones_opts", cfg_parse_map, 
+	cfg_print_map, cfg_doc_map, &cfg_rep_map,
+	dynamically_loadable_zones_clausesets 
+};
+ 
+/*%
  * Clauses that can be found within the 'key' statement.
  */
 static cfg_clausedef_t
@@ -877,10 +957,12 @@ key_clausesets[] = {
 	NULL
 };
 static cfg_type_t cfg_type_key = {
-	"key", cfg_parse_named_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, key_clausesets };
+	"key", cfg_parse_named_map, cfg_print_map,
+	cfg_doc_map, &cfg_rep_map, key_clausesets 
+};
 
 
-/*
+/*%
  * Clauses that can be found in a 'server' statement.
  */
 static cfg_clausedef_t
@@ -893,6 +975,12 @@ server_clauses[] = {
 	{ "transfer-format", &cfg_type_transferformat, 0 },
 	{ "keys", &cfg_type_server_key_kludge, 0 },
 	{ "edns", &cfg_type_boolean, 0 },
+	{ "edns-udp-size", &cfg_type_uint32, 0 },
+	{ "max-udp-size", &cfg_type_uint32, 0 },
+	{ "notify-source", &cfg_type_sockaddr4wild, 0 },
+	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
+	{ "query-source", &cfg_type_querysource4, 0 },
+	{ "query-source-v6", &cfg_type_querysource6, 0 },
 	{ "transfer-source", &cfg_type_sockaddr4wild, 0 },
 	{ "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
 	{ NULL, NULL, 0 }
@@ -903,12 +991,12 @@ server_clausesets[] = {
 	NULL
 };
 static cfg_type_t cfg_type_server = {
-	"server", cfg_parse_addressed_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
+	"server", cfg_parse_netprefix_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
 	server_clausesets
 };
 
 
-/*
+/*%
  * Clauses that can be found in a 'channel' clause in the
  * 'logging' statement.
  *
@@ -941,12 +1029,12 @@ static cfg_type_t cfg_type_channel = {
 	&cfg_rep_map, channel_clausesets
 };
 
-/* A list of log destination, used in the "category" clause. */
+/*% A list of log destination, used in the "category" clause. */
 static cfg_type_t cfg_type_destinationlist = {
 	"destinationlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
 	&cfg_rep_list, &cfg_type_astring };
 
-/*
+/*%
  * Clauses that can be found in a 'logging' statement.
  */
 static cfg_clausedef_t
@@ -1028,14 +1116,14 @@ parse_sizeval(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	return (result);
 }
 
-/*
+/*%
  * A size value (number + optional unit).
  */
 static cfg_type_t cfg_type_sizeval = {
 	"sizeval", parse_sizeval, cfg_print_uint64, cfg_doc_terminal,
 	&cfg_rep_uint64, NULL };
 
-/*
+/*%
  * A size, "unlimited", or "default".
  */
 
@@ -1050,7 +1138,7 @@ static cfg_type_t cfg_type_size = {
 	&cfg_rep_string, size_enums
 };
 
-/*
+/*%
  * A size or "unlimited", but not "default".
  */
 static const char *sizenodefault_enums[] = { "unlimited", NULL };
@@ -1059,7 +1147,7 @@ static cfg_type_t cfg_type_sizenodefault = {
 	&cfg_rep_string, sizenodefault_enums
 };
 
-/*
+/*%
  * optional_keyvalue
  */
 static isc_result_t
@@ -1163,7 +1251,7 @@ static cfg_type_t cfg_type_dialuptype = {
 	&cfg_rep_string, dialup_enums
 };
 
-static const char *notify_enums[] = { "explicit", NULL };
+static const char *notify_enums[] = { "explicit", "master-only", NULL };
 static isc_result_t
 parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
@@ -1173,6 +1261,16 @@ static cfg_type_t cfg_type_notifytype = {
  	&cfg_rep_string, notify_enums,
 };
 
+static const char *ixfrdiff_enums[] = { "master", "slave", NULL };
+static isc_result_t
+parse_ixfrdiff_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+        return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static cfg_type_t cfg_type_ixfrdifftype = {
+        "ixfrdiff", parse_ixfrdiff_type, cfg_print_ustring, doc_enum_or_other,
+        &cfg_rep_string, ixfrdiff_enums,
+};
+
 static keyword_type_t key_kw = { "key", &cfg_type_astring };
 
 LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_keyref = {
@@ -1185,14 +1283,14 @@ static cfg_type_t cfg_type_optional_keyref = {
 	doc_optional_keyvalue, &cfg_rep_string, &key_kw
 };
 
-/*
+/*%
  * A "controls" statement is represented as a map with the multivalued
- * "inet" and "unix" clauses.  Inet controls are tuples; unix controls
- * are cfg_unsupported_t objects.
+ * "inet" and "unix" clauses. 
  */
 
 static keyword_type_t controls_allow_kw = {
 	"allow", &cfg_type_bracketed_aml };
+
 static cfg_type_t cfg_type_controls_allow = {
 	"controls_allow", parse_keyvalue,
 	print_keyvalue, doc_keyvalue,
@@ -1201,6 +1299,7 @@ static cfg_type_t cfg_type_controls_allow = {
 
 static keyword_type_t controls_keys_kw = {
 	"keys", &cfg_type_keylist };
+
 static cfg_type_t cfg_type_controls_keys = {
 	"controls_keys", parse_optional_keyvalue,
 	print_keyvalue, doc_optional_keyvalue,
@@ -1213,16 +1312,57 @@ static cfg_tuplefielddef_t inetcontrol_fields[] = {
 	{ "keys", &cfg_type_controls_keys, 0 },
 	{ NULL, NULL, 0 }
 };
+
 static cfg_type_t cfg_type_inetcontrol = {
 	"inetcontrol", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
 	inetcontrol_fields
 };
 
+static keyword_type_t controls_perm_kw = {
+	"perm", &cfg_type_uint32 };
+
+static cfg_type_t cfg_type_controls_perm = {
+	"controls_perm", parse_keyvalue,
+	print_keyvalue, doc_keyvalue,
+	&cfg_rep_uint32, &controls_perm_kw
+};
+
+static keyword_type_t controls_owner_kw = {
+	"owner", &cfg_type_uint32 };
+
+static cfg_type_t cfg_type_controls_owner = {
+	"controls_owner", parse_keyvalue,
+	print_keyvalue, doc_keyvalue,
+	&cfg_rep_uint32, &controls_owner_kw
+};
+
+static keyword_type_t controls_group_kw = {
+	"group", &cfg_type_uint32 };
+
+static cfg_type_t cfg_type_controls_group = {
+	"controls_allow", parse_keyvalue,
+	print_keyvalue, doc_keyvalue,
+	&cfg_rep_uint32, &controls_group_kw
+};
+
+static cfg_tuplefielddef_t unixcontrol_fields[] = {
+	{ "path", &cfg_type_qstring, 0 },
+	{ "perm", &cfg_type_controls_perm, 0 },
+	{ "owner", &cfg_type_controls_owner, 0 },
+	{ "group", &cfg_type_controls_group, 0 },
+	{ "keys", &cfg_type_controls_keys, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_unixcontrol = {
+	"unixcontrol", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+	unixcontrol_fields
+};
+
 static cfg_clausedef_t
 controls_clauses[] = {
 	{ "inet", &cfg_type_inetcontrol, CFG_CLAUSEFLAG_MULTI },
-	{ "unix", &cfg_type_unsupported,
-	  CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_NOTIMP },
+	{ "unix", &cfg_type_unixcontrol, CFG_CLAUSEFLAG_MULTI },
 	{ NULL, NULL, 0 }
 };
 
@@ -1235,7 +1375,7 @@ static cfg_type_t cfg_type_controls = {
 	"controls", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,	&controls_clausesets
 };
 
-/*
+/*%
  * An optional class, as used in view and zone statements.
  */
 static isc_result_t
@@ -1257,24 +1397,24 @@ static cfg_type_t cfg_type_optional_class = {
 };
 
 static isc_result_t
-parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) {
+parse_querysource(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	isc_result_t result;
 	cfg_obj_t *obj = NULL;
 	isc_netaddr_t netaddr;
 	in_port_t port;
 	unsigned int have_address = 0;
 	unsigned int have_port = 0;
+	const unsigned int *flagp = type->of;
 
-	if ((flags & CFG_ADDR_V4OK) != 0)
+	if ((*flagp & CFG_ADDR_V4OK) != 0)
 		isc_netaddr_any(&netaddr);
-	else if ((flags & CFG_ADDR_V6OK) != 0)
+	else if ((*flagp & CFG_ADDR_V6OK) != 0)
 		isc_netaddr_any6(&netaddr);
 	else
 		INSIST(0);
 
 	port = 0;
 
-	CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj));
 	for (;;) {
 		CHECK(cfg_peektoken(pctx, 0));
 		if (pctx->token.type == isc_tokentype_string) {
@@ -1283,8 +1423,7 @@ parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) {
 			{
 				/* read "address" */
 				CHECK(cfg_gettoken(pctx, 0)); 
-				CHECK(cfg_parse_rawaddr(pctx,
-						flags | CFG_ADDR_WILDOK,
+				CHECK(cfg_parse_rawaddr(pctx, *flagp,
 							&netaddr));
 				have_address++;
 			} else if (strcasecmp(TOKEN_STRING(pctx), "port") == 0)
@@ -1295,6 +1434,8 @@ parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) {
 							CFG_ADDR_WILDOK,
 							&port));
 				have_port++;
+			} else if (have_port == 0 && have_address == 0) {
+				return (cfg_parse_sockaddr(pctx, type, ret));
 			} else {
 				cfg_parser_error(pctx, CFG_LOG_NEAR,
 					     "expected 'address' or 'port'");
@@ -1309,6 +1450,7 @@ parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) {
 		return (ISC_R_UNEXPECTEDTOKEN);
 	}
 
+	CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj));
 	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
 	*ret = obj;
 	return (ISC_R_SUCCESS);
@@ -1319,18 +1461,6 @@ parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) {
 	return (result);
 }
 
-static isc_result_t
-parse_querysource4(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	UNUSED(type);
-	return (parse_querysource(pctx, CFG_ADDR_V4OK, ret));
-}
-
-static isc_result_t
-parse_querysource6(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	UNUSED(type);
-	return (parse_querysource(pctx, CFG_ADDR_V6OK, ret));
-}
-
 static void
 print_querysource(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	isc_netaddr_t na;
@@ -1341,18 +1471,23 @@ print_querysource(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	cfg_print_rawuint(pctx, isc_sockaddr_getport(&obj->value.sockaddr));
 }
 
+static unsigned int sockaddr4wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V4OK;
+static unsigned int sockaddr6wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V6OK;
 static cfg_type_t cfg_type_querysource4 = {
-	"querysource4", parse_querysource4, NULL, cfg_doc_terminal,
-	NULL, NULL
+	"querysource4", parse_querysource, NULL, cfg_doc_terminal,
+	NULL, &sockaddr4wild_flags
 };
+
 static cfg_type_t cfg_type_querysource6 = {
-	"querysource6", parse_querysource6, NULL, cfg_doc_terminal,
-	NULL, NULL
+	"querysource6", parse_querysource, NULL, cfg_doc_terminal,
+	NULL, &sockaddr6wild_flags
 };
+
 static cfg_type_t cfg_type_querysource = {
-	"querysource", NULL, print_querysource, NULL, &cfg_rep_sockaddr, NULL };
+	"querysource", NULL, print_querysource, NULL, &cfg_rep_sockaddr, NULL
+};
 
-/* addrmatchelt */
+/*% addrmatchelt */
 
 static isc_result_t
 parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
@@ -1396,7 +1531,7 @@ parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 	return (result);
 }
 
-/*
+/*%
  * A negated address match list element (like "! 10.0.0.1").
  * Somewhat sneakily, the caller is expected to parse the
  * "!", but not to print it.
@@ -1418,21 +1553,21 @@ static cfg_type_t cfg_type_negated = {
 	&negated_fields
 };
 
-/* An address match list element */
+/*% An address match list element */
 
 static cfg_type_t cfg_type_addrmatchelt = {
 	"address_match_element", parse_addrmatchelt, NULL, cfg_doc_terminal,
 	NULL, NULL
 };
 
-/* A bracketed address match list */
+/*% A bracketed address match list */
 
 static cfg_type_t cfg_type_bracketed_aml = {
 	"bracketed_aml", cfg_parse_bracketed_list, cfg_print_bracketed_list,
 	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_addrmatchelt
 };
 
-/*
+/*%
  * The socket address syntax in the "controls" statement is silly.
  * It allows both socket address families, but also allows "*",
  * whis is gratuitously interpreted as the IPv4 wildcard address.
@@ -1444,7 +1579,7 @@ static cfg_type_t cfg_type_controls_sockaddr = {
 	cfg_doc_sockaddr, &cfg_rep_sockaddr, &controls_sockaddr_flags
 };
 
-/*
+/*%
  * Handle the special kludge syntax of the "keys" clause in the "server"
  * statement, which takes a single key with or without braces and semicolon.
  */
@@ -1483,7 +1618,7 @@ static cfg_type_t cfg_type_server_key_kludge = {
 };
 
 
-/*
+/*%
  * An optional logging facility.
  */
 
@@ -1509,7 +1644,7 @@ static cfg_type_t cfg_type_optional_facility = {
 	NULL, NULL };
 
 
-/*
+/*%
  * A log severity.  Return as a string, except "debug N",
  * which is returned as a keyword object.
  */
@@ -1554,7 +1689,7 @@ static cfg_type_t cfg_type_logseverity = {
 	"log_severity", parse_logseverity, NULL, cfg_doc_terminal,
 	NULL, NULL };
 
-/*
+/*%
  * The "file" clause of the "channel" statement.
  * This is yet another special case.
  */
@@ -1642,20 +1777,19 @@ static cfg_type_t cfg_type_logfile = {
 	&cfg_rep_tuple, logfile_fields
 };
 
-/* An IPv4/IPv6 address with optional port, "*" accepted as wildcard. */
-static unsigned int sockaddr4wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V4OK;
+/*% An IPv4 address with optional port, "*" accepted as wildcard. */
 static cfg_type_t cfg_type_sockaddr4wild = {
 	"sockaddr4wild", cfg_parse_sockaddr, cfg_print_sockaddr,
 	cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr4wild_flags
 };
 
-static unsigned int sockaddr6wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V6OK;
+/*% An IPv6 address with optional port, "*" accepted as wildcard. */
 static cfg_type_t cfg_type_sockaddr6wild = {
 	"v6addrportwild", cfg_parse_sockaddr, cfg_print_sockaddr,
 	cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr6wild_flags
 };
 
-/*
+/*%
  * lwres
  */
 
@@ -1688,17 +1822,21 @@ lwres_clausesets[] = {
 	NULL
 };
 static cfg_type_t cfg_type_lwres = {
-	"lwres", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, lwres_clausesets };
+	"lwres", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
+	lwres_clausesets
+};
 
-/*
+/*%
  * rndc
  */
 
 static cfg_clausedef_t
 rndcconf_options_clauses[] = {
-	{ "default-server", &cfg_type_astring, 0 },
 	{ "default-key", &cfg_type_astring, 0 },
 	{ "default-port", &cfg_type_uint32, 0 },
+	{ "default-server", &cfg_type_astring, 0 },
+	{ "default-source-address", &cfg_type_netaddr4wild, 0 },
+	{ "default-source-address-v6", &cfg_type_netaddr6wild, 0 },
 	{ NULL, NULL, 0 }
 };
 
@@ -1709,14 +1847,17 @@ rndcconf_options_clausesets[] = {
 };
 
 static cfg_type_t cfg_type_rndcconf_options = {
-	"rndcconf_options", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
-	rndcconf_options_clausesets
+	"rndcconf_options", cfg_parse_map, cfg_print_map, cfg_doc_map,
+	&cfg_rep_map, rndcconf_options_clausesets
 };
 
 static cfg_clausedef_t
 rndcconf_server_clauses[] = {
 	{ "key", &cfg_type_astring, 0 },
 	{ "port", &cfg_type_uint32, 0 },
+	{ "source-address", &cfg_type_netaddr4wild, 0 },
+	{ "source-address-v6", &cfg_type_netaddr6wild, 0 },
+	{ "addresses", &cfg_type_bracketed_sockaddrnameportlist, 0 },
 	{ NULL, NULL, 0 }
 };
 
@@ -1727,8 +1868,8 @@ rndcconf_server_clausesets[] = {
 };
 
 static cfg_type_t cfg_type_rndcconf_server = {
-	"rndcconf_server", cfg_parse_named_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
-	rndcconf_server_clausesets
+	"rndcconf_server", cfg_parse_named_map, cfg_print_map, cfg_doc_map,
+	&cfg_rep_map, rndcconf_server_clausesets
 };
 
 static cfg_clausedef_t
@@ -1841,7 +1982,7 @@ static cfg_type_t cfg_type_bracketed_sockaddrnameportlist = {
 	&cfg_rep_list, &cfg_type_sockaddrnameport
 };
 
-/*
+/*%
  * A list of socket addresses or name with an optional default port,
  * as used in the dual-stack-servers option.  E.g.,
  * "port 1234 { dual-stack-servers.net; 10.0.0.1; 1::2 port 69; }"
@@ -1857,7 +1998,7 @@ static cfg_type_t cfg_type_nameportiplist = {
 	&cfg_rep_tuple, nameportiplist_fields
 };
 
-/*
+/*%
  * masters element.
  */
 
diff --git a/contrib/bind9/lib/isccfg/parser.c b/contrib/bind9/lib/isccfg/parser.c
index 42ce9f0..19a51a6 100644
--- a/contrib/bind9/lib/isccfg/parser.c
+++ b/contrib/bind9/lib/isccfg/parser.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parser.c,v 1.70.2.20.2.21 2006/02/28 06:32:54 marka Exp $ */
+/* $Id: parser.c,v 1.112.18.11 2006/02/28 03:10:49 marka Exp $ */
+
+/*! \file */
 
 #include <config.h>
 
@@ -125,7 +127,7 @@ cfg_rep_t cfg_rep_void = { "void", free_noop };
  * Configuration type definitions.
  */
 
-/*
+/*%
  * An implicit list.  These are formed by clauses that occur multiple times.
  */
 static cfg_type_t cfg_type_implicitlist = {
@@ -1087,7 +1089,6 @@ cfg_print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	}
 }
 
-
 isc_boolean_t
 cfg_obj_islist(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
@@ -1360,13 +1361,22 @@ cfg_parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 
 /*
  * Parse a map identified by a network address.
- * Used for the "server" statement.
+ * Used to be used for the "server" statement.
  */
 isc_result_t
 cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	return (parse_any_named_map(pctx, &cfg_type_netaddr, type, ret));
 }
 
+/*
+ * Parse a map identified by a network prefix.
+ * Used for the "server" statement.
+ */
+isc_result_t
+cfg_parse_netprefix_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_any_named_map(pctx, &cfg_type_netprefix, type, ret));
+}
+
 void
 cfg_print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	isc_result_t result = ISC_R_SUCCESS;
@@ -1485,6 +1495,9 @@ cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type) {
 	} else if (type->parse == cfg_parse_addressed_map) {
 		cfg_doc_obj(pctx, &cfg_type_netaddr);
 		cfg_print_chars(pctx, " ", 1);
+	} else if (type->parse == cfg_parse_netprefix_map) {
+		cfg_doc_obj(pctx, &cfg_type_netprefix);
+		cfg_print_chars(pctx, " ", 1);
 	}
 	
 	print_open(pctx);
@@ -1717,10 +1730,29 @@ token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
 isc_result_t
 cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
 	isc_result_t result;
+	const char *wild = "";
+	const char *prefix = "";
+
 	CHECK(cfg_gettoken(pctx, 0));
 	result = token_addr(pctx, flags, na);
-	if (result == ISC_R_UNEXPECTEDTOKEN)
-		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected IP address");
+	if (result == ISC_R_UNEXPECTEDTOKEN) {
+		if ((flags & CFG_ADDR_WILDOK) != 0)
+			wild = " or '*'";
+		if ((flags & CFG_ADDR_V4PREFIXOK) != 0)
+			wild = " or IPv4 prefix";
+		if ((flags & CFG_ADDR_MASK) == CFG_ADDR_V4OK)
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "expected IPv4 address%s%s",
+					 prefix, wild);
+		else if ((flags & CFG_ADDR_MASK) == CFG_ADDR_V6OK)
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "expected IPv6 address%s%s",
+					 prefix, wild);
+		else
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "expected IP address%s%s",
+					 prefix, wild);
+	}
  cleanup:
 	return (result);
 }
@@ -1775,14 +1807,21 @@ cfg_print_rawaddr(cfg_printer_t *pctx, const isc_netaddr_t *na) {
 
 /* netaddr */
 
+static unsigned int netaddr_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK;
+static unsigned int netaddr4_flags = CFG_ADDR_V4OK;
+static unsigned int netaddr4wild_flags = CFG_ADDR_V4OK | CFG_ADDR_WILDOK;
+static unsigned int netaddr6_flags = CFG_ADDR_V6OK;
+static unsigned int netaddr6wild_flags = CFG_ADDR_V6OK | CFG_ADDR_WILDOK;
+
 static isc_result_t
 parse_netaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	isc_result_t result;
 	cfg_obj_t *obj = NULL;
 	isc_netaddr_t netaddr;
-	UNUSED(type);
+	unsigned int flags = *(const unsigned int *)type->of;
+
 	CHECK(cfg_create_obj(pctx, type, &obj));
-	CHECK(cfg_parse_rawaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK, &netaddr));
+	CHECK(cfg_parse_rawaddr(pctx, flags, &netaddr));
 	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, 0);
 	*ret = obj;
 	return (ISC_R_SUCCESS);
@@ -1791,9 +1830,55 @@ parse_netaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	return (result);
 }
 
+static void
+cfg_doc_netaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const unsigned int *flagp = type->of;
+	int n = 0;
+	if (*flagp != CFG_ADDR_V4OK && *flagp != CFG_ADDR_V6OK)
+		cfg_print_chars(pctx, "( ", 2);
+	if (*flagp & CFG_ADDR_V4OK) {
+		cfg_print_cstr(pctx, "<ipv4_address>");
+		n++;
+	}
+	if (*flagp & CFG_ADDR_V6OK) {
+		if (n != 0)
+			cfg_print_chars(pctx, " | ", 3);
+		cfg_print_cstr(pctx, "<ipv6_address>");
+		n++;			
+	}
+	if (*flagp & CFG_ADDR_WILDOK) {
+		if (n != 0)
+			cfg_print_chars(pctx, " | ", 3);
+		cfg_print_chars(pctx, "*", 1);
+		n++;
+	}
+	if (*flagp != CFG_ADDR_V4OK && *flagp != CFG_ADDR_V6OK)
+		cfg_print_chars(pctx, " )", 2);
+}
+
 cfg_type_t cfg_type_netaddr = {
-	"netaddr", parse_netaddr, cfg_print_sockaddr, cfg_doc_terminal,
-	&cfg_rep_sockaddr, NULL
+	"netaddr", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
+	&cfg_rep_sockaddr, &netaddr_flags
+};
+
+cfg_type_t cfg_type_netaddr4 = {
+	"netaddr4", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
+	&cfg_rep_sockaddr, &netaddr4_flags
+};
+
+cfg_type_t cfg_type_netaddr4wild = {
+	"netaddr4wild", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
+	&cfg_rep_sockaddr, &netaddr4wild_flags
+};
+
+cfg_type_t cfg_type_netaddr6 = {
+	"netaddr6", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
+	&cfg_rep_sockaddr, &netaddr6_flags
+};
+
+cfg_type_t cfg_type_netaddr6wild = {
+	"netaddr6wild", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
+	&cfg_rep_sockaddr, &netaddr6wild_flags
 };
 
 /* netprefix */
diff --git a/contrib/bind9/lib/isccfg/version.c b/contrib/bind9/lib/isccfg/version.c
index fe001d7..0b7287b 100644
--- a/contrib/bind9/lib/isccfg/version.c
+++ b/contrib/bind9/lib/isccfg/version.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.1.12.3 2004/03/08 09:05:06 marka Exp $ */
+/* $Id: version.c,v 1.3.18.2 2005/04/29 00:17:15 marka Exp $ */
+
+/*! \file */
 
 #include <isccfg/version.h>
 
diff --git a/contrib/bind9/lib/lwres/Makefile.in b/contrib/bind9/lib/lwres/Makefile.in
index 024b988..a06bd8a 100644
--- a/contrib/bind9/lib/lwres/Makefile.in
+++ b/contrib/bind9/lib/lwres/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.25.12.8 2005/06/09 23:54:32 marka Exp $
+# $Id: Makefile.in,v 1.28.18.4 2005/06/09 23:55:10 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/lwres/api b/contrib/bind9/lib/lwres/api
index 63704dd..d94beab 100644
--- a/contrib/bind9/lib/lwres/api
+++ b/contrib/bind9/lib/lwres/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 10
-LIBREVISION = 5
-LIBAGE = 1
+LIBINTERFACE = 30
+LIBREVISION = 4
+LIBAGE = 0
diff --git a/contrib/bind9/lib/lwres/assert_p.h b/contrib/bind9/lib/lwres/assert_p.h
index 78b4b79..c47ecec 100644
--- a/contrib/bind9/lib/lwres/assert_p.h
+++ b/contrib/bind9/lib/lwres/assert_p.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: assert_p.h,v 1.9.206.1 2004/03/06 08:15:30 marka Exp $ */
+/* $Id: assert_p.h,v 1.10.18.2 2005/04/29 00:17:16 marka Exp $ */
 
 #ifndef LWRES_ASSERT_P_H
 #define LWRES_ASSERT_P_H 1
 
+/*! \file */
+
 #include <assert.h>		/* Required for assert() prototype. */
 
 #define REQUIRE(x)		assert(x)
diff --git a/contrib/bind9/lib/lwres/context.c b/contrib/bind9/lib/lwres/context.c
index b606b9d..0da426b 100644
--- a/contrib/bind9/lib/lwres/context.c
+++ b/contrib/bind9/lib/lwres/context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,8 +15,76 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.c,v 1.41.2.1.2.4 2004/09/17 05:50:31 marka Exp $ */
-
+/* $Id: context.c,v 1.45.18.3 2005/04/29 00:17:16 marka Exp $ */
+
+/*! \file context.c 
+   lwres_context_create() creates a #lwres_context_t structure for use in
+   lightweight resolver operations. It holds a socket and other data
+   needed for communicating with a resolver daemon. The new
+   lwres_context_t is returned through contextp, a pointer to a
+   lwres_context_t pointer. This lwres_context_t pointer must initially
+   be NULL, and is modified to point to the newly created
+   lwres_context_t.
+
+   When the lightweight resolver needs to perform dynamic memory
+   allocation, it will call malloc_function to allocate memory and
+   free_function to free it. If malloc_function and free_function are
+   NULL, memory is allocated using malloc and free. It is not
+   permitted to have a NULL malloc_function and a non-NULL free_function
+   or vice versa. arg is passed as the first parameter to the memory
+   allocation functions. If malloc_function and free_function are NULL,
+   arg is unused and should be passed as NULL.
+
+   Once memory for the structure has been allocated, it is initialized
+   using lwres_conf_init() and returned via *contextp.
+
+   lwres_context_destroy() destroys a #lwres_context_t, closing its
+   socket. contextp is a pointer to a pointer to the context that is to
+   be destroyed. The pointer will be set to NULL when the context has
+   been destroyed.
+
+   The context holds a serial number that is used to identify resolver
+   request packets and associate responses with the corresponding
+   requests. This serial number is controlled using
+   lwres_context_initserial() and lwres_context_nextserial().
+   lwres_context_initserial() sets the serial number for context *ctx to
+   serial. lwres_context_nextserial() increments the serial number and
+   returns the previous value.
+
+   Memory for a lightweight resolver context is allocated and freed using
+   lwres_context_allocmem() and lwres_context_freemem(). These use
+   whatever allocations were defined when the context was created with
+   lwres_context_create(). lwres_context_allocmem() allocates len bytes
+   of memory and if successful returns a pointer to the allocated
+   storage. lwres_context_freemem() frees len bytes of space starting at
+   location mem.
+
+   lwres_context_sendrecv() performs I/O for the context ctx. Data are
+   read and written from the context's socket. It writes data from
+   sendbase -- typically a lightweight resolver query packet -- and waits
+   for a reply which is copied to the receive buffer at recvbase. The
+   number of bytes that were written to this receive buffer is returned
+   in *recvd_len.
+
+\section context_return Return Values
+
+   lwres_context_create() returns #LWRES_R_NOMEMORY if memory for the
+   struct lwres_context could not be allocated, #LWRES_R_SUCCESS
+   otherwise.
+
+   Successful calls to the memory allocator lwres_context_allocmem()
+   return a pointer to the start of the allocated space. It returns NULL
+   if memory could not be allocated.
+
+   #LWRES_R_SUCCESS is returned when lwres_context_sendrecv() completes
+   successfully. #LWRES_R_IOERROR is returned if an I/O error occurs and
+   #LWRES_R_TIMEOUT is returned if lwres_context_sendrecv() times out
+   waiting for a response.
+
+\section context_see See Also
+
+   lwres_conf_init(), malloc, free.
+ */
 #include <config.h>
 
 #include <fcntl.h>
@@ -37,7 +105,7 @@
 #include "context_p.h"
 #include "assert_p.h"
 
-/*
+/*!
  * Some systems define the socket length argument as an int, some as size_t,
  * some as socklen_t.  The last is what the current POSIX standard mandates.
  * This definition is here so it can be portable but easily changed if needed.
@@ -46,7 +114,7 @@
 #define LWRES_SOCKADDR_LEN_T unsigned int
 #endif
 
-/*
+/*!
  * Make a socket nonblocking.
  */
 #ifndef MAKE_NONBLOCKING
@@ -69,9 +137,16 @@ lwres_malloc(void *, size_t);
 static void
 lwres_free(void *, void *, size_t);
 
+/*!
+ * lwres_result_t
+ */
 static lwres_result_t
 context_connect(lwres_context_t *);
 
+/*%
+ * Creates a #lwres_context_t structure for use in
+ *  lightweight resolver operations.
+ */
 lwres_result_t
 lwres_context_create(lwres_context_t **contextp, void *arg,
 		     lwres_malloc_t malloc_function,
@@ -118,6 +193,12 @@ lwres_context_create(lwres_context_t **contextp, void *arg,
 	return (LWRES_R_SUCCESS);
 }
 
+/*%
+Destroys a #lwres_context_t, closing its socket. 
+contextp is a pointer to a pointer to the context that is 
+to be destroyed. The pointer will be set to NULL 
+when the context has been destroyed.
+ */
 void
 lwres_context_destroy(lwres_context_t **contextp) {
 	lwres_context_t *ctx;
@@ -134,7 +215,7 @@ lwres_context_destroy(lwres_context_t **contextp) {
 
 	CTXFREE(ctx, sizeof(lwres_context_t));
 }
-
+/*% Increments the serial number and returns the previous value. */
 lwres_uint32_t
 lwres_context_nextserial(lwres_context_t *ctx) {
 	REQUIRE(ctx != NULL);
@@ -142,6 +223,7 @@ lwres_context_nextserial(lwres_context_t *ctx) {
 	return (ctx->serial++);
 }
 
+/*% Sets the serial number for context *ctx to serial. */
 void
 lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial) {
 	REQUIRE(ctx != NULL);
@@ -149,6 +231,7 @@ lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial) {
 	ctx->serial = serial;
 }
 
+/*% Frees len bytes of space starting at location mem. */
 void
 lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len) {
 	REQUIRE(mem != NULL);
@@ -157,6 +240,7 @@ lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len) {
 	CTXFREE(mem, len);
 }
 
+/*% Allocates len bytes of memory and if successful returns a pointer to the allocated storage. */
 void *
 lwres_context_allocmem(lwres_context_t *ctx, size_t len) {
 	REQUIRE(len != 0U);
@@ -334,6 +418,7 @@ lwres_context_recv(lwres_context_t *ctx,
 	return (LWRES_R_SUCCESS);
 }
 
+/*% performs I/O for the context ctx. */
 lwres_result_t
 lwres_context_sendrecv(lwres_context_t *ctx,
 		       void *sendbase, int sendlen,
diff --git a/contrib/bind9/lib/lwres/context_p.h b/contrib/bind9/lib/lwres/context_p.h
index 3e22bc0..d255ef6 100644
--- a/contrib/bind9/lib/lwres/context_p.h
+++ b/contrib/bind9/lib/lwres/context_p.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,42 +15,48 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context_p.h,v 1.12.206.1 2004/03/06 08:15:30 marka Exp $ */
+/* $Id: context_p.h,v 1.13.18.2 2005/04/29 00:17:17 marka Exp $ */
 
 #ifndef LWRES_CONTEXT_P_H
 #define LWRES_CONTEXT_P_H 1
 
-/*
+/*! \file */
+
+/*@{*/
+/**
  * Helper functions, assuming the context is always called "ctx" in
  * the scope these functions are called from.
  */
 #define CTXMALLOC(len)		ctx->malloc(ctx->arg, (len))
 #define CTXFREE(addr, len)	ctx->free(ctx->arg, (addr), (len))
+/*@}*/
 
 #define LWRES_DEFAULT_TIMEOUT	120	/* 120 seconds for a reply */
 
-/*
+/**
  * Not all the attributes here are actually settable by the application at
  * this time.
  */
 struct lwres_context {
-	unsigned int		timeout;	/* time to wait for reply */
-	lwres_uint32_t		serial;		/* serial number state */
+	unsigned int		timeout;	/*%< time to wait for reply */
+	lwres_uint32_t		serial;		/*%< serial number state */
 
 	/*
 	 * For network I/O.
 	 */
-	int			sock;		/* socket to send on */
-	lwres_addr_t		address;	/* address to send to */
+	int			sock;		/*%< socket to send on */
+	lwres_addr_t		address;	/*%< address to send to */
 
+	/*@{*/
 	/*
 	 * Function pointers for allocating memory.
 	 */
 	lwres_malloc_t		malloc;
 	lwres_free_t		free;
 	void		       *arg;
+	/*@}*/
 
-	/*
+	/*%
 	 * resolv.conf-like data
 	 */
 	lwres_conf_t		confdata;
diff --git a/contrib/bind9/lib/lwres/gai_strerror.c b/contrib/bind9/lib/lwres/gai_strerror.c
index 06b7fbe..0dcfe40 100644
--- a/contrib/bind9/lib/lwres/gai_strerror.c
+++ b/contrib/bind9/lib/lwres/gai_strerror.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,40 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gai_strerror.c,v 1.14.2.1.10.3 2006/08/25 05:25:50 marka Exp $ */
+/* $Id: gai_strerror.c,v 1.16.18.4 2006/08/25 05:25:51 marka Exp $ */
+
+/*! \file gai_strerror.c
+ * lwres_gai_strerror() returns an error message corresponding to an
+ * error code returned by getaddrinfo(). The following error codes and
+ * their meaning are defined in \link netdb.h include/lwres/netdb.h.\endlink
+ *
+ * \li #EAI_ADDRFAMILY address family for hostname not supported
+ * \li #EAI_AGAIN temporary failure in name resolution
+ * \li #EAI_BADFLAGS invalid value for #ai_flags
+ * \li #EAI_FAIL non-recoverable failure in name resolution
+ * \li #EAI_FAMILY ai_family not supported
+ * \li #EAI_MEMORY memory allocation failure
+ * \li #EAI_NODATA no address associated with hostname
+ * \li #EAI_NONAME hostname or servname not provided, or not known
+ * \li #EAI_SERVICE servname not supported for ai_socktype
+ * \li #EAI_SOCKTYPE ai_socktype not supported
+ * \li #EAI_SYSTEM system error returned in errno
+ *
+ * The message invalid error code is returned if ecode is out of range.
+ *
+ * ai_flags, ai_family and ai_socktype are elements of the struct
+ * addrinfo used by lwres_getaddrinfo().
+ *
+ * \section gai_strerror_see See Also
+ *
+ * strerror, lwres_getaddrinfo(), getaddrinfo(), RFC2133.
+ */
 
 #include <config.h>
 
 #include <lwres/netdb.h>
 
+/*% Text of error messages. */
 static const char *gai_messages[] = {
 	"no error",
 	"address family for hostname not supported",
@@ -38,6 +66,7 @@ static const char *gai_messages[] = {
 	"bad protocol"
 };
 
+/*% Returns an error message corresponding to an error code returned by getaddrinfo() */
 char *
 lwres_gai_strerror(int ecode) {
 	union {
diff --git a/contrib/bind9/lib/lwres/getaddrinfo.c b/contrib/bind9/lib/lwres/getaddrinfo.c
index 9ad10df..e06ca29 100644
--- a/contrib/bind9/lib/lwres/getaddrinfo.c
+++ b/contrib/bind9/lib/lwres/getaddrinfo.c
@@ -18,7 +18,118 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddrinfo.c,v 1.41.206.6 2006/11/13 11:57:41 marka Exp $ */
+/* $Id: getaddrinfo.c,v 1.43.18.6 2006/11/14 01:07:28 marka Exp $ */
+
+/*! \file */
+
+/**
+ *    lwres_getaddrinfo() is used to get a list of IP addresses and port
+ *    numbers for host hostname and service servname. The function is the
+ *    lightweight resolver's implementation of getaddrinfo() as defined in
+ *    RFC2133. hostname and servname are pointers to null-terminated strings
+ *    or NULL. hostname is either a host name or a numeric host address
+ *    string: a dotted decimal IPv4 address or an IPv6 address. servname is
+ *    either a decimal port number or a service name as listed in
+ *    /etc/services.
+ * 
+ *    If the operating system does not provide a struct addrinfo, the
+ *    following structure is used:
+ * 
+ * \code
+ * struct  addrinfo {
+ *         int             ai_flags;       // AI_PASSIVE, AI_CANONNAME
+ *         int             ai_family;      // PF_xxx
+ *         int             ai_socktype;    // SOCK_xxx
+ *         int             ai_protocol;    // 0 or IPPROTO_xxx for IPv4 and IPv6
+ *         size_t          ai_addrlen;     // length of ai_addr
+ *         char            *ai_canonname;  // canonical name for hostname
+ *         struct sockaddr *ai_addr;       // binary address
+ *         struct addrinfo *ai_next;       // next structure in linked list
+ * };
+ * \endcode
+ * 
+ * 
+ *    hints is an optional pointer to a struct addrinfo. This structure can
+ *    be used to provide hints concerning the type of socket that the caller
+ *    supports or wishes to use. The caller can supply the following
+ *    structure elements in *hints:
+ * 
+ * <ul>
+ *    <li>ai_family:
+ *           The protocol family that should be used. When ai_family is set
+ *           to PF_UNSPEC, it means the caller will accept any protocol
+ *           family supported by the operating system.</li>
+ * 
+ *    <li>ai_socktype:
+ *           denotes the type of socket -- SOCK_STREAM, SOCK_DGRAM or
+ *           SOCK_RAW -- that is wanted. When ai_socktype is zero the caller
+ *           will accept any socket type.</li>
+ * 
+ *    <li>ai_protocol:
+ *           indicates which transport protocol is wanted: IPPROTO_UDP or
+ *           IPPROTO_TCP. If ai_protocol is zero the caller will accept any
+ *           protocol.</li>
+ * 
+ *    <li>ai_flags:
+ *           Flag bits. If the AI_CANONNAME bit is set, a successful call to
+ *           lwres_getaddrinfo() will return a null-terminated string
+ *           containing the canonical name of the specified hostname in
+ *           ai_canonname of the first addrinfo structure returned. Setting
+ *           the AI_PASSIVE bit indicates that the returned socket address
+ *           structure is intended for used in a call to bind(2). In this
+ *           case, if the hostname argument is a NULL pointer, then the IP
+ *           address portion of the socket address structure will be set to
+ *           INADDR_ANY for an IPv4 address or IN6ADDR_ANY_INIT for an IPv6
+ *           address.<br /><br />
+ * 
+ *           When ai_flags does not set the AI_PASSIVE bit, the returned
+ *           socket address structure will be ready for use in a call to
+ *           connect(2) for a connection-oriented protocol or connect(2),
+ *           sendto(2), or sendmsg(2) if a connectionless protocol was
+ *           chosen. The IP address portion of the socket address structure
+ *           will be set to the loopback address if hostname is a NULL
+ *           pointer and AI_PASSIVE is not set in ai_flags.<br /><br />
+ * 
+ *           If ai_flags is set to AI_NUMERICHOST it indicates that hostname
+ *           should be treated as a numeric string defining an IPv4 or IPv6
+ *           address and no name resolution should be attempted.
+ * </li></ul>
+ * 
+ *    All other elements of the struct addrinfo passed via hints must be
+ *    zero.
+ * 
+ *    A hints of NULL is treated as if the caller provided a struct addrinfo
+ *    initialized to zero with ai_familyset to PF_UNSPEC.
+ * 
+ *    After a successful call to lwres_getaddrinfo(), *res is a pointer to a
+ *    linked list of one or more addrinfo structures. Each struct addrinfo
+ *    in this list cn be processed by following the ai_next pointer, until a
+ *    NULL pointer is encountered. The three members ai_family, ai_socktype,
+ *    and ai_protocol in each returned addrinfo structure contain the
+ *    corresponding arguments for a call to socket(2). For each addrinfo
+ *    structure in the list, the ai_addr member points to a filled-in socket
+ *    address structure of length ai_addrlen.
+ * 
+ *    All of the information returned by lwres_getaddrinfo() is dynamically
+ *    allocated: the addrinfo structures, and the socket address structures
+ *    and canonical host name strings pointed to by the addrinfostructures.
+ *    Memory allocated for the dynamically allocated structures created by a
+ *    successful call to lwres_getaddrinfo() is released by
+ *    lwres_freeaddrinfo(). ai is a pointer to a struct addrinfo created by
+ *    a call to lwres_getaddrinfo().
+ * 
+ * \section lwresreturn RETURN VALUES
+ * 
+ *    lwres_getaddrinfo() returns zero on success or one of the error codes
+ *    listed in gai_strerror() if an error occurs. If both hostname and
+ *    servname are NULL lwres_getaddrinfo() returns #EAI_NONAME.
+ * 
+ * \section lwressee SEE ALSO
+ * 
+ *    lwres(3), lwres_getaddrinfo(), lwres_freeaddrinfo(),
+ *    lwres_gai_strerror(), RFC2133, getservbyname(3), connect(2),
+ *    sendto(2), sendmsg(2), socket(2).
+ */
 
 #include <config.h>
 
@@ -35,6 +146,8 @@
 #define SIN6(addr)	((struct sockaddr_in6 *)(addr))
 #define SUN(addr)	((struct sockaddr_un *)(addr))
 
+/*! \struct addrinfo
+ */
 static struct addrinfo
 	*ai_reverse(struct addrinfo *oai),
 	*ai_clone(struct addrinfo *oai, int family),
@@ -55,7 +168,7 @@ static void set_order(int, int (**)(const char *, int, struct addrinfo **,
 #define FOUND_MAX	2
 
 #define ISC_AI_MASK (AI_PASSIVE|AI_CANONNAME|AI_NUMERICHOST)
-
+/*% Get a list of IP addresses and port numbers for host hostname and service servname. */
 int
 lwres_getaddrinfo(const char *hostname, const char *servname,
 	const struct addrinfo *hints, struct addrinfo **res)
@@ -137,7 +250,7 @@ lwres_getaddrinfo(const char *hostname, const char *servname,
 	}
 
 #ifdef	AF_LOCAL
-	/*
+	/*!
 	 * First, deal with AF_LOCAL.  If the family was not set,
 	 * then assume AF_LOCAL if the first character of the
 	 * hostname/servname is '/'.
@@ -575,6 +688,7 @@ add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
 	return (result);
 }
 
+/*% Free address info. */
 void
 lwres_freeaddrinfo(struct addrinfo *ai) {
 	struct addrinfo *ai_next;
@@ -617,7 +731,7 @@ get_local(const char *name, int socktype, struct addrinfo **res) {
 }
 #endif
 
-/*
+/*!
  * Allocate an addrinfo structure, and a sockaddr structure
  * of the specificed length.  We initialize:
  *	ai_addrlen
diff --git a/contrib/bind9/lib/lwres/gethost.c b/contrib/bind9/lib/lwres/gethost.c
index 9c362b9..3cd6e4a 100644
--- a/contrib/bind9/lib/lwres/gethost.c
+++ b/contrib/bind9/lib/lwres/gethost.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,139 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gethost.c,v 1.29.206.1 2004/03/06 08:15:30 marka Exp $ */
+/* $Id: gethost.c,v 1.30.18.2 2005/04/29 00:17:17 marka Exp $ */
+
+/*! \file */
+
+/**
+ *    These functions provide hostname-to-address and address-to-hostname
+ *    lookups by means of the lightweight resolver. They are similar to the
+ *    standard gethostent(3) functions provided by most operating systems.
+ *    They use a struct hostent which is usually defined in <namedb.h>.
+ * 
+ * \code
+ * struct  hostent {
+ *         char    *h_name;        // official name of host
+ * 	   char    **h_aliases;    // alias list
+ *         int     h_addrtype;     // host address type
+ *         int     h_length;       // length of address
+ *         char    **h_addr_list;  // list of addresses from name server
+ * };
+ * #define h_addr  h_addr_list[0]  // address, for backward compatibility
+ * \endcode
+ * 
+ *    The members of this structure are:
+ * 
+ * \li   h_name:
+ *           The official (canonical) name of the host.
+ * 
+ * \li   h_aliases:
+ *           A NULL-terminated array of alternate names (nicknames) for the
+ *           host.
+ * 
+ * \li   h_addrtype:
+ *           The type of address being returned -- PF_INET or PF_INET6.
+ * 
+ * \li   h_length:
+ *           The length of the address in bytes.
+ * 
+ * \li   h_addr_list:
+ *           A NULL terminated array of network addresses for the host. Host
+ *           addresses are returned in network byte order.
+ * 
+ *    For backward compatibility with very old software, h_addr is the first
+ *    address in h_addr_list.
+ * 
+ *    lwres_gethostent(), lwres_sethostent(), lwres_endhostent(),
+ *    lwres_gethostent_r(), lwres_sethostent_r() and lwres_endhostent_r()
+ *    provide iteration over the known host entries on systems that provide
+ *    such functionality through facilities like /etc/hosts or NIS. The
+ *    lightweight resolver does not currently implement these functions; it
+ *    only provides them as stub functions that always return failure.
+ * 
+ *    lwres_gethostbyname() and lwres_gethostbyname2() look up the hostname
+ *    name. lwres_gethostbyname() always looks for an IPv4 address while
+ *    lwres_gethostbyname2() looks for an address of protocol family af:
+ *    either PF_INET or PF_INET6 -- IPv4 or IPV6 addresses respectively.
+ *    Successful calls of the functions return a struct hostent for the name
+ *    that was looked up. NULL is returned if the lookups by
+ *    lwres_gethostbyname() or lwres_gethostbyname2() fail.
+ * 
+ *    Reverse lookups of addresses are performed by lwres_gethostbyaddr().
+ *    addr is an address of length len bytes and protocol family type --
+ *    PF_INET or PF_INET6. lwres_gethostbyname_r() is a thread-safe function
+ *    for forward lookups. If an error occurs, an error code is returned in
+ *    *error. resbuf is a pointer to a struct hostent which is initialised
+ *    by a successful call to lwres_gethostbyname_r() . buf is a buffer of
+ *    length len bytes which is used to store the h_name, h_aliases, and
+ *    h_addr_list elements of the struct hostent returned in resbuf.
+ *    Successful calls to lwres_gethostbyname_r() return resbuf, which is a
+ *    pointer to the struct hostent it created.
+ * 
+ *    lwres_gethostbyaddr_r() is a thread-safe function that performs a
+ *    reverse lookup of address addr which is len bytes long and is of
+ *    protocol family type -- PF_INET or PF_INET6. If an error occurs, the
+ *    error code is returned in *error. The other function parameters are
+ *    identical to those in lwres_gethostbyname_r(). resbuf is a pointer to
+ *    a struct hostent which is initialised by a successful call to
+ *    lwres_gethostbyaddr_r(). buf is a buffer of length len bytes which is
+ *    used to store the h_name, h_aliases, and h_addr_list elements of the
+ *    struct hostent returned in resbuf. Successful calls to
+ *    lwres_gethostbyaddr_r() return resbuf, which is a pointer to the
+ *    struct hostent it created.
+ * 
+ * \section gethost_return Return Values
+ * 
+ *    The functions lwres_gethostbyname(), lwres_gethostbyname2(),
+ *    lwres_gethostbyaddr(), and lwres_gethostent() return NULL to indicate
+ *    an error. In this case the global variable lwres_h_errno will contain
+ *    one of the following error codes defined in \link netdb.h <lwres/netdb.h>:\endlink
+ * 
+ * \li #HOST_NOT_FOUND:
+ *           The host or address was not found.
+ * 
+ * \li #TRY_AGAIN:
+ *           A recoverable error occurred, e.g., a timeout. Retrying the
+ *           lookup may succeed.
+ * 
+ * \li #NO_RECOVERY:
+ *           A non-recoverable error occurred.
+ * 
+ * \li #NO_DATA:
+ *           The name exists, but has no address information associated with
+ *           it (or vice versa in the case of a reverse lookup). The code
+ *           NO_ADDRESS is accepted as a synonym for NO_DATA for backwards
+ *           compatibility.
+ * 
+ *    lwres_hstrerror() translates these error codes to suitable error
+ *    messages.
+ * 
+ *    lwres_gethostent() and lwres_gethostent_r() always return NULL.
+ * 
+ *    Successful calls to lwres_gethostbyname_r() and
+ *    lwres_gethostbyaddr_r() return resbuf, a pointer to the struct hostent
+ *    that was initialised by these functions. They return NULL if the
+ *    lookups fail or if buf was too small to hold the list of addresses and
+ *    names referenced by the h_name, h_aliases, and h_addr_list elements of
+ *    the struct hostent. If buf was too small, both lwres_gethostbyname_r()
+ *    and lwres_gethostbyaddr_r() set the global variable errno to ERANGE.
+ * 
+ * \section gethost_see See Also
+ * 
+ *    gethostent(), \link getipnode.c getipnode\endlink, lwres_hstrerror()
+ * 
+ * \section gethost_bugs Bugs
+ * 
+ *    lwres_gethostbyname(), lwres_gethostbyname2(), lwres_gethostbyaddr()
+ *    and lwres_endhostent() are not thread safe; they return pointers to
+ *    static data and provide error codes through a global variable.
+ *    Thread-safe versions for name and address lookup are provided by
+ *    lwres_gethostbyname_r(), and lwres_gethostbyaddr_r() respectively.
+ * 
+ *    The resolver daemon does not currently support any non-DNS name
+ *    services such as /etc/hosts or NIS, consequently the above functions
+ *    don't, either.
+ */
 
 #include <config.h>
 
@@ -34,6 +166,7 @@
 static struct hostent *he = NULL;
 static int copytobuf(struct hostent *, struct hostent *, char *, int);
 
+/*% Always looks for an IPv4 address. */
 struct hostent *
 lwres_gethostbyname(const char *name) {
 
@@ -44,6 +177,7 @@ lwres_gethostbyname(const char *name) {
 	return (he);
 }
 
+/*% Looks for either an IPv4 or IPv6 address. */
 struct hostent *
 lwres_gethostbyname2(const char *name, int af) {
 	if (he != NULL)
@@ -53,6 +187,7 @@ lwres_gethostbyname2(const char *name, int af) {
 	return (he);
 }
 
+/*% Reverse lookup of addresses. */
 struct hostent *
 lwres_gethostbyaddr(const char *addr, int len, int type) {
 
@@ -63,6 +198,7 @@ lwres_gethostbyaddr(const char *addr, int len, int type) {
 	return (he);
 }
 
+/*% Stub function.  Always returns failure. */
 struct hostent *
 lwres_gethostent(void) {
 	if (he != NULL)
@@ -71,6 +207,7 @@ lwres_gethostent(void) {
 	return (NULL);
 }
 
+/*% Stub function.  Always returns failure. */
 void
 lwres_sethostent(int stayopen) {
 	/*
@@ -79,6 +216,7 @@ lwres_sethostent(int stayopen) {
 	UNUSED(stayopen);
 }
 
+/*% Stub function.  Always returns failure. */
 void
 lwres_endhostent(void) {
 	/*
@@ -86,6 +224,7 @@ lwres_endhostent(void) {
 	 */
 }
 
+/*% Thread-safe function for forward lookups. */
 struct hostent *
 lwres_gethostbyname_r(const char *name, struct hostent *resbuf,
 		char *buf, int buflen, int *error)
@@ -105,6 +244,7 @@ lwres_gethostbyname_r(const char *name, struct hostent *resbuf,
 	return (resbuf);
 }
 
+/*% Thread-safe reverse lookup. */
 struct hostent  *
 lwres_gethostbyaddr_r(const char *addr, int len, int type,
 		      struct hostent *resbuf, char *buf, int buflen,
@@ -125,6 +265,7 @@ lwres_gethostbyaddr_r(const char *addr, int len, int type,
 	return (resbuf);
 }
 
+/*% Stub function.  Always returns failure. */
 struct hostent  *
 lwres_gethostent_r(struct hostent *resbuf, char *buf, int buflen, int *error) {
 	UNUSED(resbuf);
@@ -134,6 +275,7 @@ lwres_gethostent_r(struct hostent *resbuf, char *buf, int buflen, int *error) {
 	return (NULL);
 }
 
+/*% Stub function.  Always returns failure. */
 void
 lwres_sethostent_r(int stayopen) {
 	/*
@@ -142,6 +284,7 @@ lwres_sethostent_r(int stayopen) {
 	UNUSED(stayopen);
 }
 
+/*% Stub function.  Always returns failure. */
 void
 lwres_endhostent_r(void) {
 	/*
diff --git a/contrib/bind9/lib/lwres/getipnode.c b/contrib/bind9/lib/lwres/getipnode.c
index 9b1a07b..46eed14 100644
--- a/contrib/bind9/lib/lwres/getipnode.c
+++ b/contrib/bind9/lib/lwres/getipnode.c
@@ -15,7 +15,110 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getipnode.c,v 1.30.2.4.2.6 2005/04/29 00:03:32 marka Exp $ */
+/* $Id: getipnode.c,v 1.37.18.3 2005/04/29 00:17:18 marka Exp $ */
+
+/*! \file */
+
+/**
+ *    These functions perform thread safe, protocol independent
+ *    nodename-to-address and address-to-nodename translation as defined in
+ *    RFC2553.  This use a struct hostent which is defined in namedb.h:
+ * 
+ * \code
+ * struct  hostent {
+ *         char    *h_name;        // official name of host
+ *         char    **h_aliases;    // alias list
+ *         int     h_addrtype;     // host address type
+ *         int     h_length;       // length of address
+ *         char    **h_addr_list;  // list of addresses from name server
+ * };
+ * #define h_addr  h_addr_list[0]  // address, for backward compatibility
+ * \endcode
+ * 
+ *    The members of this structure are:
+ * 
+ * \li   h_name:
+ *           The official (canonical) name of the host.
+ * 
+ * \li   h_aliases:
+ *           A NULL-terminated array of alternate names (nicknames) for the
+ *           host.
+ * 
+ * \li   h_addrtype:
+ *           The type of address being returned - usually PF_INET or
+ *           PF_INET6.
+ * 
+ * \li   h_length:
+ *           The length of the address in bytes.
+ * 
+ * \li   h_addr_list:
+ *           A NULL terminated array of network addresses for the host. Host
+ *           addresses are returned in network byte order.
+ * 
+ *    lwres_getipnodebyname() looks up addresses of protocol family af for
+ *    the hostname name. The flags parameter contains ORed flag bits to
+ *    specify the types of addresses that are searched for, and the types of
+ *    addresses that are returned. The flag bits are:
+ * 
+ * \li   #AI_V4MAPPED:
+ *           This is used with an af of #AF_INET6, and causes IPv4 addresses
+ *           to be returned as IPv4-mapped IPv6 addresses.
+ * 
+ * \li   #AI_ALL:
+ *           This is used with an af of #AF_INET6, and causes all known
+ *           addresses (IPv6 and IPv4) to be returned. If #AI_V4MAPPED is
+ *           also set, the IPv4 addresses are return as mapped IPv6
+ *           addresses.
+ * 
+ * \li   #AI_ADDRCONFIG:
+ *           Only return an IPv6 or IPv4 address if here is an active
+ *           network interface of that type. This is not currently
+ *           implemented in the BIND 9 lightweight resolver, and the flag is
+ *           ignored.
+ * 
+ * \li   #AI_DEFAULT:
+ *           This default sets the #AI_V4MAPPED and #AI_ADDRCONFIG flag bits.
+ * 
+ *    lwres_getipnodebyaddr() performs a reverse lookup of address src which
+ *    is len bytes long. af denotes the protocol family, typically PF_INET
+ *    or PF_INET6.
+ * 
+ *    lwres_freehostent() releases all the memory associated with the struct
+ *    hostent pointer. Any memory allocated for the h_name, h_addr_list
+ *    and h_aliases is freed, as is the memory for the hostent structure
+ *    itself.
+ * 
+ * \section getipnode_return Return Values
+ * 
+ *    If an error occurs, lwres_getipnodebyname() and
+ *    lwres_getipnodebyaddr() set *error_num to an appropriate error code
+ *    and the function returns a NULL pointer. The error codes and their
+ *    meanings are defined in \link netdb.h <lwres/netdb.h>\endlink:
+ * 
+ * \li   #HOST_NOT_FOUND:
+ *           No such host is known.
+ * 
+ * \li   #NO_ADDRESS:
+ *           The server recognised the request and the name but no address
+ *           is available. Another type of request to the name server for
+ *           the domain might return an answer.
+ * 
+ * \li   #TRY_AGAIN:
+ *           A temporary and possibly transient error occurred, such as a
+ *           failure of a server to respond. The request may succeed if
+ *           retried.
+ * 
+ * \li   #NO_RECOVERY:
+ *           An unexpected failure occurred, and retrying the request is
+ *           pointless.
+ * 
+ *    lwres_hstrerror() translates these error codes to suitable error
+ *    messages.
+ * 
+ * \section getipnode_see See Also
+ * 
+ * getaddrinfo.c, gethost.c, getnameinfo.c, herror.c, RFC2553  
+ */
 
 #include <config.h>
 
@@ -80,7 +183,7 @@ hostfromname(lwres_gabnresponse_t *name, int af);
  ***	Public functions.
  ***/
 
-/*
+/*!
  *	AI_V4MAPPED + AF_INET6
  *	If no IPv6 address then a query for IPv4 and map returned values.
  *
@@ -222,6 +325,7 @@ lwres_getipnodebyname(const char *name, int af, int flags, int *error_num) {
 	return (he3);
 }
 
+/*% performs a reverse lookup of address src which is len bytes long. af denotes the protocol family, typically #PF_INET or PF_INET6. */
 struct hostent *
 lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num) {
 	struct hostent *he1, *he2;
@@ -345,6 +449,7 @@ lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num) {
 	return (he1);
 }
 
+/*% releases all the memory associated with the struct hostent pointer */
 void
 lwres_freehostent(struct hostent *he) {
 	char **cpp;
diff --git a/contrib/bind9/lib/lwres/getnameinfo.c b/contrib/bind9/lib/lwres/getnameinfo.c
index 059c529..d1874a0 100644
--- a/contrib/bind9/lib/lwres/getnameinfo.c
+++ b/contrib/bind9/lib/lwres/getnameinfo.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getnameinfo.c,v 1.30.2.3.2.4 2004/08/28 06:25:24 marka Exp $ */
+/* $Id: getnameinfo.c,v 1.34.18.3 2005/04/29 00:17:18 marka Exp $ */
+
+/*! \file */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -53,6 +55,62 @@
  *   but INRIA implementation returns EAI_xxx defined for getaddrinfo().
  */
 
+
+/**
+ *    This function is equivalent to the getnameinfo(3) function defined in
+ *    RFC2133. lwres_getnameinfo() returns the hostname for the struct
+ *    sockaddr sa which is salen bytes long. The hostname is of length
+ *    hostlen and is returned via *host. The maximum length of the hostname
+ *    is 1025 bytes: #NI_MAXHOST.
+ * 
+ *    The name of the service associated with the port number in sa is
+ *    returned in *serv. It is servlen bytes long. The maximum length of the
+ *    service name is #NI_MAXSERV - 32 bytes.
+ * 
+ *    The flags argument sets the following bits:
+ * 
+ * \li   #NI_NOFQDN:
+ *           A fully qualified domain name is not required for local hosts.
+ *           The local part of the fully qualified domain name is returned
+ *           instead.
+ * 
+ * \li   #NI_NUMERICHOST
+ *           Return the address in numeric form, as if calling inet_ntop(),
+ *           instead of a host name.
+ * 
+ * \li   #NI_NAMEREQD
+ *           A name is required. If the hostname cannot be found in the DNS
+ *           and this flag is set, a non-zero error code is returned. If the
+ *           hostname is not found and the flag is not set, the address is
+ *           returned in numeric form.
+ * 
+ * \li   #NI_NUMERICSERV
+ *           The service name is returned as a digit string representing the
+ *           port number.
+ * 
+ * \li   #NI_DGRAM
+ *           Specifies that the service being looked up is a datagram
+ *           service, and causes getservbyport() to be called with a second
+ *           argument of "udp" instead of its default of "tcp". This is
+ *           required for the few ports (512-514) that have different
+ *           services for UDP and TCP.
+ * 
+ * \section getnameinfo_return Return Values
+ * 
+ *    lwres_getnameinfo() returns 0 on success or a non-zero error code if
+ *    an error occurs.
+ * 
+ * \section getname_see See Also
+ * 
+ *    RFC2133, getservbyport(), 
+ *    lwres_getnamebyaddr(). lwres_net_ntop().
+ * 
+ * \section getnameinfo_bugs Bugs
+ * 
+ *    RFC2133 fails to define what the nonzero return values of
+ *    getnameinfo() are.
+ */
+
 #include <config.h>
 
 #include <stdio.h>
@@ -67,12 +125,13 @@
 
 #define SUCCESS 0
 
+/*% afd structure definition */
 static struct afd {
 	int a_af;
 	size_t a_addrlen;
 	size_t a_socklen;
 } afdl [] = {
-	/*
+	/*!
 	 * First entry is linked last...
 	 */
 	{ AF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in) },
@@ -88,7 +147,7 @@ static struct afd {
 #define ENI_SALEN	6
 #define ENI_NOSOCKET 	7
 
-/*
+/*!
  * The test against 0 is there to keep the Solaris compiler
  * from complaining about "end-of-loop code not reached".
  */
@@ -97,6 +156,7 @@ static struct afd {
 		if (result != 0) goto cleanup;	\
 	} while (0)
 
+/*% lightweight resolver socket address structure to hostname and service name */
 int
 lwres_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
 		  size_t hostlen, char *serv, size_t servlen, int flags)
diff --git a/contrib/bind9/lib/lwres/getrrset.c b/contrib/bind9/lib/lwres/getrrset.c
index 6160039..6b7e5e5 100644
--- a/contrib/bind9/lib/lwres/getrrset.c
+++ b/contrib/bind9/lib/lwres/getrrset.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,77 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getrrset.c,v 1.11.2.3.2.2 2004/03/06 08:15:31 marka Exp $ */
+/* $Id: getrrset.c,v 1.14.18.2 2005/04/29 00:17:18 marka Exp $ */
+
+/*! \file */
+
+/**
+ * DESCRIPTION
+ * 
+ *    lwres_getrrsetbyname() gets a set of resource records associated with
+ *    a hostname, class, and type. hostname is a pointer a to
+ *    null-terminated string. The flags field is currently unused and must
+ *    be zero.
+ * 
+ *    After a successful call to lwres_getrrsetbyname(), *res is a pointer
+ *    to an #rrsetinfo structure, containing a list of one or more #rdatainfo
+ *    structures containing resource records and potentially another list of
+ *    rdatainfo structures containing SIG resource records associated with
+ *    those records. The members #rri_rdclass and #rri_rdtype are copied from
+ *    the parameters. #rri_ttl and #rri_name are properties of the obtained
+ *    rrset. The resource records contained in #rri_rdatas and #rri_sigs are
+ *    in uncompressed DNS wire format. Properties of the rdataset are
+ *    represented in the #rri_flags bitfield. If the #RRSET_VALIDATED bit is
+ *    set, the data has been DNSSEC validated and the signatures verified.
+ * 
+ *    All of the information returned by lwres_getrrsetbyname() is
+ *    dynamically allocated: the rrsetinfo and rdatainfo structures, and the
+ *    canonical host name strings pointed to by the rrsetinfostructure.
+ *    Memory allocated for the dynamically allocated structures created by a
+ *    successful call to lwres_getrrsetbyname() is released by
+ *    lwres_freerrset(). rrset is a pointer to a struct rrset created by a
+ *    call to lwres_getrrsetbyname().
+ * 
+ *    The following structures are used:
+ * 
+ * \code
+ * struct  rdatainfo {
+ *         unsigned int            rdi_length;     // length of data
+ *         unsigned char           *rdi_data;      // record data
+ * };
+ * 
+ * struct  rrsetinfo {
+ *         unsigned int            rri_flags;      // RRSET_VALIDATED...
+ *         unsigned int            rri_rdclass;    // class number
+ *         unsigned int            rri_rdtype;     // RR type number
+ *         unsigned int            rri_ttl;        // time to live
+ *         unsigned int            rri_nrdatas;    // size of rdatas array
+ *         unsigned int            rri_nsigs;      // size of sigs array
+ *         char                    *rri_name;      // canonical name
+ *         struct rdatainfo        *rri_rdatas;    // individual records
+ *         struct rdatainfo        *rri_sigs;      // individual signatures
+ * };
+ * \endcode
+ * 
+ * \section getrrset_return Return Values
+ * 
+ *    lwres_getrrsetbyname() returns zero on success, and one of the
+ *    following error codes if an error occurred:
+ * 
+ * \li   #ERRSET_NONAME: the name does not exist
+ * 
+ * \li   #ERRSET_NODATA:
+ *           the name exists, but does not have data of the desired type
+ * 
+ * \li   #ERRSET_NOMEMORY:
+ *           memory could not be allocated
+ * 
+ * \li   #ERRSET_INVAL:
+ *           a parameter is invalid
+ * 
+ * \li   #ERRSET_FAIL:
+ *           other failure
+ */
 
 #include <config.h>
 
@@ -29,6 +99,9 @@
 
 #include "assert_p.h"
 
+/*!
+ * Structure to map results
+ */
 static unsigned int
 lwresult_to_result(lwres_result_t lwresult) {
 	switch (lwresult) {
@@ -40,7 +113,8 @@ lwresult_to_result(lwres_result_t lwresult) {
 	}
 }
 
-/*
+/*@{*/
+/*!
  * malloc / calloc functions that guarantee to only
  * return NULL if there is an error, like they used
  * to before the ANSI C committee broke them.
@@ -61,7 +135,9 @@ sane_calloc(size_t number, size_t size) {
 		memset(mem, 0, len);
 	return (mem);
 }
+/*@}*/
 
+/*% Returns a set of resource records associated with a hostname, class, and type. hostname is a pointer a to null-terminated string. */
 int
 lwres_getrrsetbyname(const char *hostname, unsigned int rdclass,
 		     unsigned int rdtype, unsigned int flags,
@@ -191,6 +267,7 @@ lwres_getrrsetbyname(const char *hostname, unsigned int rdclass,
 	return (result);
 }
 
+/*% Releases memory allocated for the dynamically allocated structures created by a successful call to lwres_getrrsetbyname(). */
 void
 lwres_freerrset(struct rrsetinfo *rrset) {
 	unsigned int i;
diff --git a/contrib/bind9/lib/lwres/herror.c b/contrib/bind9/lib/lwres/herror.c
index 1d0756a..42b6c71 100644
--- a/contrib/bind9/lib/lwres/herror.c
+++ b/contrib/bind9/lib/lwres/herror.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -48,10 +48,31 @@
  * SUCH DAMAGE.
  */
 
+/*! \file herror.c
+   lwres_herror() prints the string s on stderr followed by the string
+   generated by lwres_hstrerror() for the error code stored in the global
+   variable lwres_h_errno.
+
+   lwres_hstrerror() returns an appropriate string for the error code
+   gievn by err. The values of the error codes and messages are as
+   follows:
+
+\li   #NETDB_SUCCESS: Resolver Error 0 (no error)
+
+\li   #HOST_NOT_FOUND: Unknown host
+
+\li #TRY_AGAIN: Host name lookup failure
+
+\li   #NO_RECOVERY: Unknown server error
+
+\li   #NO_DATA: No address associated with name
+
+ */
+
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)herror.c	8.1 (Berkeley) 6/4/93";
 static const char rcsid[] =
-	"$Id: herror.c,v 1.10.12.2 2004/03/06 08:15:31 marka Exp $";
+	"$Id: herror.c,v 1.13.18.2 2005/04/29 00:17:18 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -63,22 +84,22 @@ static const char rcsid[] =
 
 LIBLWRES_EXTERNAL_DATA int	lwres_h_errno;
 
-/*
+/*!
  * these have never been declared in any header file so make them static
  */
 
 static const char *h_errlist[] = {
-	"Resolver Error 0 (no error)",
-	"Unknown host",				/* 1 HOST_NOT_FOUND */
-	"Host name lookup failure",		/* 2 TRY_AGAIN */
-	"Unknown server error",			/* 3 NO_RECOVERY */
-	"No address associated with name",	/* 4 NO_ADDRESS */
+	"Resolver Error 0 (no error)",		/*%< 0 no error */
+	"Unknown host",				/*%< 1 HOST_NOT_FOUND */
+	"Host name lookup failure",		/*%< 2 TRY_AGAIN */
+	"Unknown server error",			/*%< 3 NO_RECOVERY */
+	"No address associated with name",	/*%< 4 NO_ADDRESS */
 };
 
 static int	h_nerr = { sizeof(h_errlist) / sizeof(h_errlist[0]) };
 
 
-/*
+/*!
  * herror --
  *	print the error indicated by the h_errno value.
  */
@@ -87,7 +108,7 @@ lwres_herror(const char *s) {
 	fprintf(stderr, "%s: %s\n", s, lwres_hstrerror(lwres_h_errno));
 }
 
-/*
+/*!
  * hstrerror --
  *	return the string associated with a given "host" errno value.
  */
diff --git a/contrib/bind9/lib/lwres/include/Makefile.in b/contrib/bind9/lib/lwres/include/Makefile.in
index dc075b9..7501060 100644
--- a/contrib/bind9/lib/lwres/include/Makefile.in
+++ b/contrib/bind9/lib/lwres/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5.206.1 2004/03/06 08:15:33 marka Exp $
+# $Id: Makefile.in,v 1.6 2004/03/05 05:12:49 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/lwres/include/lwres/Makefile.in b/contrib/bind9/lib/lwres/include/lwres/Makefile.in
index 48c28f6..98b8f48 100644
--- a/contrib/bind9/lib/lwres/include/lwres/Makefile.in
+++ b/contrib/bind9/lib/lwres/include/lwres/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.19.12.3 2004/03/08 09:05:11 marka Exp $
+# $Id: Makefile.in,v 1.21 2004/03/05 05:12:52 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/lwres/include/lwres/context.h b/contrib/bind9/lib/lwres/include/lwres/context.h
index 962b142..bd24446 100644
--- a/contrib/bind9/lib/lwres/include/lwres/context.h
+++ b/contrib/bind9/lib/lwres/include/lwres/context.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,18 +15,20 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.h,v 1.14.206.1 2004/03/06 08:15:34 marka Exp $ */
+/* $Id: context.h,v 1.15.18.2 2005/04/29 00:17:21 marka Exp $ */
 
 #ifndef LWRES_CONTEXT_H
 #define LWRES_CONTEXT_H 1
 
+/*! \file */
+
 #include <stddef.h>
 
 #include <lwres/lang.h>
 #include <lwres/int.h>
 #include <lwres/result.h>
 
-/*
+/*!
  * Used to set various options such as timeout, authentication, etc
  */
 typedef struct lwres_context lwres_context_t;
@@ -51,7 +53,7 @@ typedef void (*lwres_free_t)(void *arg, void *mem, size_t length);
  * Share /etc/resolv.conf data between contexts.
  */
 
-/*
+/*!
  * _SERVERMODE
  *	Don't allocate and connect a socket to the server, since the
  *	caller _is_ a server.
@@ -63,7 +65,7 @@ lwres_context_create(lwres_context_t **contextp, void *arg,
 		     lwres_malloc_t malloc_function,
 		     lwres_free_t free_function,
 		     unsigned int flags);
-/*
+/**<
  * Allocate a lwres context.  This is used in all lwres calls.
  *
  * Memory management can be replaced here by passing in two functions.
@@ -75,28 +77,22 @@ lwres_context_create(lwres_context_t **contextp, void *arg,
  *
  * If they are NULL, the standard malloc() and free() will be used.
  *
- * Requires:
- *
- *	contextp != NULL && contextp == NULL.
+ *\pre	contextp != NULL && contextp == NULL.
  *
- * Returns:
- *
- *	Returns 0 on success, non-zero on failure.
+ *\return	Returns 0 on success, non-zero on failure.
  */
 
 void
 lwres_context_destroy(lwres_context_t **contextp);
-/*
+/**<
  * Frees all memory associated with a lwres context.
  *
- * Requires:
- *
- *	contextp != NULL && contextp == NULL.
+ *\pre	contextp != NULL && contextp == NULL.
  */
 
 lwres_uint32_t
 lwres_context_nextserial(lwres_context_t *ctx);
-/*
+/**<
  * XXXMLG Document
  */
 
diff --git a/contrib/bind9/lib/lwres/include/lwres/int.h b/contrib/bind9/lib/lwres/include/lwres/int.h
index 2523924..337316e 100644
--- a/contrib/bind9/lib/lwres/include/lwres/int.h
+++ b/contrib/bind9/lib/lwres/include/lwres/int.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: int.h,v 1.7.206.1 2004/03/06 08:15:34 marka Exp $ */
+/* $Id: int.h,v 1.8.18.2 2005/04/29 00:17:21 marka Exp $ */
 
 #ifndef LWRES_INT_H
 #define LWRES_INT_H 1
 
+/*! \file */
+
 typedef char				lwres_int8_t;
 typedef unsigned char			lwres_uint8_t;
 typedef short				lwres_int16_t;
diff --git a/contrib/bind9/lib/lwres/include/lwres/ipv6.h b/contrib/bind9/lib/lwres/include/lwres/ipv6.h
index 5dc06d6..06dab59 100644
--- a/contrib/bind9/lib/lwres/include/lwres/ipv6.h
+++ b/contrib/bind9/lib/lwres/include/lwres/ipv6.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.h,v 1.9.206.1 2004/03/06 08:15:34 marka Exp $ */
+/* $Id: ipv6.h,v 1.10.18.2 2005/04/29 00:17:21 marka Exp $ */
 
 #ifndef LWRES_IPV6_H
 #define LWRES_IPV6_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*
+/*! \file ipv6.h
  * IPv6 definitions for systems which do not support IPv6.
  */
 
@@ -39,6 +39,7 @@
  *** Types.
  ***/
 
+/*% in6_addr structure */
 struct in6_addr {
         union {
 		lwres_uint8_t	_S6_u8[16];
@@ -46,10 +47,13 @@ struct in6_addr {
 		lwres_uint32_t	_S6_u32[4];
         } _S6_un;
 };
+/*@{*/
+/*% IP v6 types */
 #define s6_addr		_S6_un._S6_u8
 #define s6_addr8	_S6_un._S6_u8
 #define s6_addr16	_S6_un._S6_u16
 #define s6_addr32	_S6_un._S6_u32
+/*@}*/
 
 #define IN6ADDR_ANY_INIT 	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
 #define IN6ADDR_LOOPBACK_INIT 	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
@@ -57,6 +61,7 @@ struct in6_addr {
 LIBLWRES_EXTERNAL_DATA extern const struct in6_addr in6addr_any;
 LIBLWRES_EXTERNAL_DATA extern const struct in6_addr in6addr_loopback;
 
+/*% used in getaddrinfo.c and getnameinfo.c */
 struct sockaddr_in6 {
 #ifdef LWRES_PLATFORM_HAVESALEN
 	lwres_uint8_t		sin6_len;
@@ -74,13 +79,14 @@ struct sockaddr_in6 {
 #define SIN6_LEN 1
 #endif
 
+/*% in6_pktinfo structure */
 struct in6_pktinfo {
-	struct in6_addr ipi6_addr;    /* src/dst IPv6 address */
-	unsigned int    ipi6_ifindex; /* send/recv interface index */
+	struct in6_addr ipi6_addr;    /*%< src/dst IPv6 address */
+	unsigned int    ipi6_ifindex; /*%< send/recv interface index */
 };
 
-/*
- * Unspecified
+/*!
+ * Unspecified IPv6 address
  */
 #define IN6_IS_ADDR_UNSPECIFIED(a)      \
         (((a)->s6_addr32[0] == 0) &&    \
diff --git a/contrib/bind9/lib/lwres/include/lwres/lang.h b/contrib/bind9/lib/lwres/include/lwres/lang.h
index bd99ec0..a38f19d 100644
--- a/contrib/bind9/lib/lwres/include/lwres/lang.h
+++ b/contrib/bind9/lib/lwres/include/lwres/lang.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lang.h,v 1.6.206.1 2004/03/06 08:15:35 marka Exp $ */
+/* $Id: lang.h,v 1.7.18.2 2005/04/29 00:17:21 marka Exp $ */
 
 #ifndef LWRES_LANG_H
 #define LWRES_LANG_H 1
 
+/*! \file */
+
 #ifdef __cplusplus
 #define LWRES_LANG_BEGINDECLS	extern "C" {
 #define LWRES_LANG_ENDDECLS	}
diff --git a/contrib/bind9/lib/lwres/include/lwres/list.h b/contrib/bind9/lib/lwres/include/lwres/list.h
index 9b61787..c22c596 100644
--- a/contrib/bind9/lib/lwres/include/lwres/list.h
+++ b/contrib/bind9/lib/lwres/include/lwres/list.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: list.h,v 1.7.206.1 2004/03/06 08:15:35 marka Exp $ */
+/* $Id: list.h,v 1.8.18.2 2005/04/29 00:17:22 marka Exp $ */
 
 #ifndef LWRES_LIST_H
 #define LWRES_LIST_H 1
 
+/*! \file */
+
 #define LWRES_LIST(type) struct { type *head, *tail; }
 #define LWRES_LIST_INIT(list) \
 	do { (list).head = NULL; (list).tail = NULL; } while (0)
diff --git a/contrib/bind9/lib/lwres/include/lwres/lwbuffer.h b/contrib/bind9/lib/lwres/include/lwres/lwbuffer.h
index 97f7b9d..51b1aad 100644
--- a/contrib/bind9/lib/lwres/include/lwres/lwbuffer.h
+++ b/contrib/bind9/lib/lwres/include/lwres/lwbuffer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,17 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwbuffer.h,v 1.15.206.1 2004/03/06 08:15:35 marka Exp $ */
+/* $Id: lwbuffer.h,v 1.16.18.2 2005/04/29 00:17:22 marka Exp $ */
 
-#ifndef LWRES_LWBUFFER_H
-#define LWRES_LWBUFFER_H 1
 
-/*****
- ***** Module Info
- *****/
-
-/*
- * Buffers
+/*! \file lwbuffer.h
  *
  * A buffer is a region of memory, together with a set of related subregions.
  * Buffers are used for parsing and I/O operations.
@@ -51,6 +44,7 @@
  * region is empty.  If the current offset advances beyond the chosen offset,
  * the active region will also be empty.
  *
+ * \verbatim
  *  /----- used region -----\/-- available --\
  *  +----------------------------------------+
  *  | consumed  | remaining |                |
@@ -68,9 +62,11 @@
  * a-b == consumed region.
  * b-d == remaining region.
  * b-c == optional active region.
+ * \endverbatim
  *
  * The following invariants are maintained by all routines:
  *
+ *\verbatim
  *	length > 0
  *
  *	base is a valid pointer to length bytes of memory
@@ -81,24 +77,28 @@
  *
  *	0 <= active <= used
  *	(although active < current implies empty active region)
+ *\endverbatim
  *
- * MP:
+ * \li MP:
  *	Buffers have no synchronization.  Clients must ensure exclusive
  *	access.
  *
- * Reliability:
+ * \li Reliability:
  *	No anticipated impact.
  *
- * Resources:
+ * \li Resources:
  *	Memory: 1 pointer + 6 unsigned integers per buffer.
  *
- * Security:
+ * \li Security:
  *	No anticipated impact.
  *
- * Standards:
+ * \li Standards:
  *	None.
  */
 
+#ifndef LWRES_LWBUFFER_H
+#define LWRES_LWBUFFER_H 1
+
 /***
  *** Imports
  ***/
@@ -116,32 +116,35 @@ LWRES_LANG_BEGINDECLS
 #define LWRES_BUFFER_VALID(b)		((b) != NULL && \
 					 (b)->magic == LWRES_BUFFER_MAGIC)
 
-/*
+/*!
  * The following macros MUST be used only on valid buffers.  It is the
  * caller's responsibility to ensure this by using the LWRES_BUFFER_VALID
  * check above, or by calling another lwres_buffer_*() function (rather than
  * another macro.)
  */
 
-/*
+/*!
  * Get the length of the used region of buffer "b"
  */
 #define LWRES_BUFFER_USEDCOUNT(b)	((b)->used)
 
-/*
+/*!
  * Get the length of the available region of buffer "b"
  */
 #define LWRES_BUFFER_AVAILABLECOUNT(b)	((b)->length - (b)->used)
 
 #define LWRES_BUFFER_REMAINING(b)	((b)->used - (b)->current)
 
-/*
+/*!
  * Note that the buffer structure is public.  This is principally so buffer
  * operations can be implemented using macros.  Applications are strongly
  * discouraged from directly manipulating the structure.
  */
 
 typedef struct lwres_buffer lwres_buffer_t;
+/*!
+ * Buffer data structure
+ */
 struct lwres_buffer {
 	unsigned int		magic;
 	unsigned char 	       *base;
@@ -158,7 +161,7 @@ struct lwres_buffer {
 
 void
 lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length);
-/*
+/**<
  * Make 'b' refer to the 'length'-byte region starting at base.
  *
  * Requires:
@@ -171,7 +174,7 @@ lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length);
 
 void
 lwres_buffer_invalidate(lwres_buffer_t *b);
-/*
+/**<
  * Make 'b' an invalid buffer.
  *
  * Requires:
@@ -184,7 +187,7 @@ lwres_buffer_invalidate(lwres_buffer_t *b);
 
 void
 lwres_buffer_add(lwres_buffer_t *b, unsigned int n);
-/*
+/**<
  * Increase the 'used' region of 'b' by 'n' bytes.
  *
  * Requires:
@@ -197,7 +200,7 @@ lwres_buffer_add(lwres_buffer_t *b, unsigned int n);
 
 void
 lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n);
-/*
+/**<
  * Decrease the 'used' region of 'b' by 'n' bytes.
  *
  * Requires:
@@ -210,7 +213,7 @@ lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n);
 
 void
 lwres_buffer_clear(lwres_buffer_t *b);
-/*
+/**<
  * Make the used region empty.
  *
  * Requires:
@@ -223,9 +226,10 @@ lwres_buffer_clear(lwres_buffer_t *b);
  *
  */
 
+
 void
 lwres_buffer_first(lwres_buffer_t *b);
-/*
+/**<
  * Make the consumed region empty.
  *
  * Requires:
@@ -240,7 +244,7 @@ lwres_buffer_first(lwres_buffer_t *b);
 
 void
 lwres_buffer_forward(lwres_buffer_t *b, unsigned int n);
-/*
+/**<
  * Increase the 'consumed' region of 'b' by 'n' bytes.
  *
  * Requires:
@@ -253,7 +257,7 @@ lwres_buffer_forward(lwres_buffer_t *b, unsigned int n);
 
 void
 lwres_buffer_back(lwres_buffer_t *b, unsigned int n);
-/*
+/**<
  * Decrease the 'consumed' region of 'b' by 'n' bytes.
  *
  * Requires:
@@ -266,7 +270,7 @@ lwres_buffer_back(lwres_buffer_t *b, unsigned int n);
 
 lwres_uint8_t
 lwres_buffer_getuint8(lwres_buffer_t *b);
-/*
+/**<
  * Read an unsigned 8-bit integer from 'b' and return it.
  *
  * Requires:
@@ -286,7 +290,7 @@ lwres_buffer_getuint8(lwres_buffer_t *b);
 
 void
 lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val);
-/*
+/**<
  * Store an unsigned 8-bit integer from 'val' into 'b'.
  *
  * Requires:
@@ -300,7 +304,7 @@ lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val);
 
 lwres_uint16_t
 lwres_buffer_getuint16(lwres_buffer_t *b);
-/*
+/**<
  * Read an unsigned 16-bit integer in network byte order from 'b', convert
  * it to host byte order, and return it.
  *
@@ -321,7 +325,7 @@ lwres_buffer_getuint16(lwres_buffer_t *b);
 
 void
 lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val);
-/*
+/**<
  * Store an unsigned 16-bit integer in host byte order from 'val'
  * into 'b' in network byte order.
  *
@@ -336,7 +340,7 @@ lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val);
 
 lwres_uint32_t
 lwres_buffer_getuint32(lwres_buffer_t *b);
-/*
+/**<
  * Read an unsigned 32-bit integer in network byte order from 'b', convert
  * it to host byte order, and return it.
  *
@@ -357,7 +361,7 @@ lwres_buffer_getuint32(lwres_buffer_t *b);
 
 void
 lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val);
-/*
+/**<
  * Store an unsigned 32-bit integer in host byte order from 'val'
  * into 'b' in network byte order.
  *
@@ -373,7 +377,7 @@ lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val);
 void
 lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base,
 		    unsigned int length);
-/*
+/**<
  * Copy 'length' bytes of memory at 'base' into 'b'.
  *
  * Requires:
@@ -386,7 +390,7 @@ lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base,
 void
 lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base,
 		    unsigned int length);
-/*
+/**<
  * Copy 'length' bytes of memory from 'b' into 'base'.
  *
  * Requires:
diff --git a/contrib/bind9/lib/lwres/include/lwres/lwpacket.h b/contrib/bind9/lib/lwres/include/lwres/lwpacket.h
index 48f6a34..c37353d 100644
--- a/contrib/bind9/lib/lwres/include/lwres/lwpacket.h
+++ b/contrib/bind9/lib/lwres/include/lwres/lwpacket.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwpacket.h,v 1.17.206.1 2004/03/06 08:15:35 marka Exp $ */
+/* $Id: lwpacket.h,v 1.18.18.2 2005/04/29 00:17:22 marka Exp $ */
 
 #ifndef LWRES_LWPACKET_H
 #define LWRES_LWPACKET_H 1
@@ -24,89 +24,124 @@
 #include <lwres/lwbuffer.h>
 #include <lwres/result.h>
 
+/*% lwres_lwpacket_t */
 typedef struct lwres_lwpacket lwres_lwpacket_t;
 
+/*% lwres_lwpacket structure */
 struct lwres_lwpacket {
+	/*! The overall packet length, including the 
+	 *  entire packet header.
+	 *  This field is filled in by the
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
+	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
+	 */
 	lwres_uint32_t		length;
+	/*! Specifies the header format.  Currently, 
+	 *  there is only one format, #LWRES_LWPACKETVERSION_0.
+	 *  This field is filled in by the
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
+	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
+         */
 	lwres_uint16_t		version;
+ 	/*! Specifies library-defined flags for this packet, such as
+	 *  whether the packet is a request or a reply.  None of 
+	 *  these are definable by the caller, but library-defined values 
+	 *  can be set by the caller.  For example, one bit in this field 
+	 *  indicates if the packet is a request or a response.
+	 *  This field is filled in by
+	 *  the application wits the exception of the
+	 *  #LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library
+	 *  in the
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
+	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
+         */
 	lwres_uint16_t		pktflags;
+ 	/*! Set by the requestor and is returned in all replies.  
+	 *  If two packets from the same source have the same serial 
+	 *  number and are from the same source, they are assumed to 
+	 *  be duplicates and the latter ones may be dropped.  
+	 *  (The library does not do this by default on replies, but
+ 	 * does so on requests.)
+         */
 	lwres_uint32_t		serial;
+ 	/*! Opcodes between 0x04000000 and 0xffffffff
+ 	 *  are application defined.  Opcodes between 
+	 *  0x00000000 and 0x03ffffff are
+ 	 * reserved for library use.
+	 *  This field is filled in by the
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
+	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
+	 */
 	lwres_uint32_t		opcode;
+ 	/*! Only valid for results.  
+	 *  Results between 0x04000000 and 0xffffffff are application 
+	 *  defined.
+ 	 * Results between 0x00000000 and 0x03ffffff are reserved for 
+	 * library use.
+ 	 * (This is the same reserved range defined in <isc/resultclass.h>, 
+	 * so it
+ 	 * would be trivial to map ISC_R_* result codes into packet result 
+	 * codes when appropriate.)
+	 *  This field is filled in by the
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
+	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
+	 */
 	lwres_uint32_t		result;
+ 	/*! Set to the maximum buffer size that the receiver can
+ 	 *  handle on requests, and the size of the buffer needed to 
+	 *  satisfy a request
+ 	 *  when the buffer is too large for replies.
+	 *  This field is supplied by the application.
+	 */
 	lwres_uint32_t		recvlength;
+ 	/*! The packet level auth type used.
+ 	 *  Authtypes between 0x1000 and 0xffff are application defined.  
+	 *  Authtypes
+ 	 *  between 0x0000 and 0x0fff are reserved for library use.  
+	 *  This is currently
+ 	 *  unused and MUST be set to zero.
+	 */
 	lwres_uint16_t		authtype;
+ 	/*! The length of the authentication data.  
+	 *  See the specific
+ 	 * authtypes for more information on what is contained 
+	 * in this field.  This is currently unused, and 
+	 * MUST be set to zero.
+	 */
 	lwres_uint16_t		authlength;
 };
 
-#define LWRES_LWPACKET_LENGTH		(4 * 5 + 2 * 4)
+#define LWRES_LWPACKET_LENGTH		(4 * 5 + 2 * 4) /*%< Overall length. */
 
-#define LWRES_LWPACKETFLAG_RESPONSE	0x0001U	/* if set, pkt is a response */
+#define LWRES_LWPACKETFLAG_RESPONSE	0x0001U	/*%< If set, pkt is a response. */
 
 
-#define LWRES_LWPACKETVERSION_0		0
+#define LWRES_LWPACKETVERSION_0		0	/*%< Header format. */
 
-/*
- * "length" is the overall packet length, including the entire packet header.
- *
- * "version" specifies the header format.  Currently, there is only one
- * format, LWRES_LWPACKETVERSION_0.
- *
- * "flags" specifies library-defined flags for this packet.  None of these
- * are definable by the caller, but library-defined values can be set by
- * the caller.  For example, one bit in this field indicates if the packet
- * is a request or a response.
- *
- * "serial" is set by the requestor and is returned in all replies.  If two
- * packets from the same source have the same serial number and are from
- * the same source, they are assumed to be duplicates and the latter ones
- * may be dropped.  (The library does not do this by default on replies, but
- * does so on requests.)
- *
- * "opcode" is application defined.  Opcodes between 0x04000000 and 0xffffffff
- * are application defined.  Opcodes between 0x00000000 and 0x03ffffff are
- * reserved for library use.
- *
- * "result" is application defined, and valid only on replies.
- * Results between 0x04000000 and 0xffffffff are application defined.
- * Results between 0x00000000 and 0x03ffffff are reserved for library use.
- * (This is the same reserved range defined in <isc/resultclass.h>, so it
- * would be trivial to map ISC_R_* result codes into packet result codes
- * when appropriate.)
+/*! \file lwpacket.h
  *
- * "recvlength" is set to the maximum buffer size that the receiver can
- * handle on requests, and the size of the buffer needed to satisfy a request
- * when the buffer is too large for replies.
- *
- * "authtype" is the packet level auth type used.
- * Authtypes between 0x1000 and 0xffff are application defined.  Authtypes
- * between 0x0000 and 0x0fff are reserved for library use.  This is currently
- * unused and MUST be set to zero.
- *
- * "authlen" is the length of the authentication data.  See the specific
- * authtypes for more information on what is contained in this field.  This
- * is currently unused, and MUST be set to zero.
  *
  * The remainder of the packet consists of two regions, one described by
  * "authlen" and one of "length - authlen - sizeof(lwres_lwpacket_t)".
  *
  * That is:
  *
+ * \code
  *	pkt header
  *	authlen bytes of auth information
  *	data bytes
- */
-
-/*
+ * \endcode
+ *
  * Currently defined opcodes:
  *
- *	NOOP.  Success is always returned, with the packet contents echoed.
+ *\li	#LWRES_OPCODE_NOOP.  Success is always returned, with the packet contents echoed.
  *
- *	GETADDRSBYNAME.  Return all known addresses for a given name.
+ *\li	#LWRES_OPCODE_GETADDRSBYNAME.  Return all known addresses for a given name.
  *		This may return NIS or /etc/hosts info as well as DNS
  *		information.  Flags will be provided to indicate ip4/ip6
  *		addresses are desired.
  *
- *	GETNAMEBYADDR.	Return the hostname for the given address.  Once
+ *\li	#LWRES_OPCODE_GETNAMEBYADDR.	Return the hostname for the given address.  Once
  *		again, it will return data from multiple sources.
  */
 
diff --git a/contrib/bind9/lib/lwres/include/lwres/lwres.h b/contrib/bind9/lib/lwres/include/lwres/lwres.h
index 7260b00..b245363 100644
--- a/contrib/bind9/lib/lwres/include/lwres/lwres.h
+++ b/contrib/bind9/lib/lwres/include/lwres/lwres.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres.h,v 1.49.12.3 2004/03/08 09:05:11 marka Exp $ */
+/* $Id: lwres.h,v 1.51.18.2 2005/04/29 00:17:22 marka Exp $ */
 
 #ifndef LWRES_LWRES_H
 #define LWRES_LWRES_H 1
@@ -28,14 +28,16 @@
 #include <lwres/lwpacket.h>
 #include <lwres/platform.h>
 
-/*
+/*! \file */
+
+/*!
  * Design notes:
  *
  * Each opcode has two structures and three functions which operate on each
  * structure.  For example, using the "no operation/ping" opcode as an
  * example:
  *
- *	lwres_nooprequest_t:
+ *	<ul><li>lwres_nooprequest_t:
  *
  *		lwres_nooprequest_render() takes a lwres_nooprequest_t and
  *		and renders it into wire format, storing the allocated
@@ -43,20 +45,20 @@
  *		is no longer needed, it must be freed by
  *		lwres_context_freemem().  All other memory used by the
  *		caller must be freed manually, including the
- *		lwres_nooprequest_t passed in.
+ *		lwres_nooprequest_t passed in.<br /><br />
  *
  *		lwres_nooprequest_parse() takes a wire format message and
  *		breaks it out into a lwres_nooprequest_t.  The structure
  *		must be freed via lwres_nooprequest_free() when it is no longer
- *		needed.
+ *		needed.<br /><br />
  *
  *		lwres_nooprequest_free() releases into the lwres_context_t
- *		any space allocated during parsing.
+ *		any space allocated during parsing.</li>
  *
- *	lwres_noopresponse_t:
+ *	<li>lwres_noopresponse_t:
  *
  *		The functions used are similar to the three used for
- *		requests, just with different names.
+ *		requests, just with different names.</li></ul>
  *
  * Typically, the client will use request_render, response_parse, and
  * response_free, while the daemon will use request_parse, response_render,
@@ -64,62 +66,57 @@
  *
  * The basic flow of a typical client is:
  *
- *	fill in a request_t, and call the render function.
+ *	\li fill in a request_t, and call the render function.
  *
- *	Transmit the buffer returned to the daemon.
+ *	\li Transmit the buffer returned to the daemon.
  *
- *	Wait for a response.
+ *	\li Wait for a response.
  *
- *	When a response is received, parse it into a response_t.
+ *	\li When a response is received, parse it into a response_t.
  *
- *	free the request buffer using lwres_context_freemem().
+ *	\li free the request buffer using lwres_context_freemem().
  *
- *	free the response structure and its associated buffer using
+ *	\li free the response structure and its associated buffer using
  *	response_free().
  */
 
-#define LWRES_UDP_PORT		921
-#define LWRES_RECVLENGTH	16384
-#define LWRES_ADDR_MAXLEN	16	/* changing this breaks ABI */
-#define LWRES_RESOLV_CONF	"/etc/resolv.conf"
+#define LWRES_UDP_PORT		921	/*%< UDP Port Number */
+#define LWRES_RECVLENGTH	16384 /*%< Maximum Packet Length */
+#define LWRES_ADDR_MAXLEN	16	/*%< changing this breaks ABI */
+#define LWRES_RESOLV_CONF	"/etc/resolv.conf" /*%< Location of resolv.conf */
 
-/*
- * Flags.
- *
- * 	These flags are only relevant to rrset queries.
- *
- *	TRUSTNOTREQUIRED:  DNSSEC is not required (input)
- *	SECUREDATA: The data was crypto-verified with DNSSEC (output)
- *
- */
+/*% DNSSEC is not required (input).  Only relevant to rrset queries. */
 #define LWRES_FLAG_TRUSTNOTREQUIRED	0x00000001U
+/*% The data was crypto-verified with DNSSEC (output). */
 #define LWRES_FLAG_SECUREDATA		0x00000002U
 
-/*
- * no-op
- */
+/*% no-op */
 #define LWRES_OPCODE_NOOP		0x00000000U
 
+/*% lwres_nooprequest_t */
 typedef struct {
 	/* public */
 	lwres_uint16_t			datalength;
 	unsigned char		       *data;
 } lwres_nooprequest_t;
 
+/*% lwres_noopresponse_t */
 typedef struct {
 	/* public */
 	lwres_uint16_t			datalength;
 	unsigned char		       *data;
 } lwres_noopresponse_t;
 
-/*
- * get addresses by name
- */
+/*% get addresses by name */
 #define LWRES_OPCODE_GETADDRSBYNAME	0x00010001U
 
+/*% lwres_addr_t */
 typedef struct lwres_addr lwres_addr_t;
+
+/*% LWRES_LIST */
 typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
 
+/*% lwres_addr */
 struct lwres_addr {
 	lwres_uint32_t			family;
 	lwres_uint16_t			length;
@@ -127,6 +124,7 @@ struct lwres_addr {
 	LWRES_LINK(lwres_addr_t)	link;
 };
 
+/*% lwres_gabnrequest_t */
 typedef struct {
 	/* public */
 	lwres_uint32_t			flags;
@@ -135,6 +133,7 @@ typedef struct {
 	char			       *name;
 } lwres_gabnrequest_t;
 
+/*% lwres_gabnresponse_t */
 typedef struct {
 	/* public */
 	lwres_uint32_t			flags;
@@ -145,21 +144,22 @@ typedef struct {
 	lwres_uint16_t			realnamelen;
 	lwres_uint16_t		       *aliaslen;
 	lwres_addrlist_t		addrs;
-	/* if base != NULL, it will be freed when this structure is freed. */
+	/*! if base != NULL, it will be freed when this structure is freed. */
 	void			       *base;
 	size_t				baselen;
 } lwres_gabnresponse_t;
 
-/*
- * get name by address
- */
+/*% get name by address */
 #define LWRES_OPCODE_GETNAMEBYADDR	0x00010002U
+
+/*% lwres_gnbarequest_t */
 typedef struct {
 	/* public */
 	lwres_uint32_t			flags;
 	lwres_addr_t			addr;
 } lwres_gnbarequest_t;
 
+/*% lwres_gnbaresponse_t */
 typedef struct {
 	/* public */
 	lwres_uint32_t			flags;
@@ -168,16 +168,15 @@ typedef struct {
 	char			      **aliases;
 	lwres_uint16_t			realnamelen;
 	lwres_uint16_t		       *aliaslen;
-	/* if base != NULL, it will be freed when this structure is freed. */
+	/*! if base != NULL, it will be freed when this structure is freed. */
 	void			       *base;
 	size_t				baselen;
 } lwres_gnbaresponse_t;
 
-/*
- * get rdata by name
- */
+/*% get rdata by name */
 #define LWRES_OPCODE_GETRDATABYNAME	0x00010003U
 
+/*% lwres_grbnrequest_t */
 typedef struct {
 	/* public */
 	lwres_uint32_t			flags;
@@ -187,6 +186,7 @@ typedef struct {
 	char			       *name;
 } lwres_grbnrequest_t;
 
+/*% lwres_grbnresponse_t */
 typedef struct {
 	/* public */
 	lwres_uint32_t			flags;
@@ -201,58 +201,59 @@ typedef struct {
 	lwres_uint16_t		       *rdatalen;
 	unsigned char		      **sigs;
 	lwres_uint16_t		       *siglen;
-	/* if base != NULL, it will be freed when this structure is freed. */
+	/*% if base != NULL, it will be freed when this structure is freed. */
 	void			       *base;
 	size_t				baselen;
 } lwres_grbnresponse_t;
 
+/*% Used by lwres_getrrsetbyname() */
 #define LWRDATA_VALIDATED	0x00000001
 
-/*
+/*!
  * resolv.conf data
  */
 
-#define LWRES_CONFMAXNAMESERVERS 3	/* max 3 "nameserver" entries */
-#define LWRES_CONFMAXLWSERVERS 1	/* max 1 "lwserver" entry */
-#define LWRES_CONFMAXSEARCH 8		/* max 8 domains in "search" entry */
-#define LWRES_CONFMAXLINELEN 256	/* max size of a line */
-#define LWRES_CONFMAXSORTLIST 10
+#define LWRES_CONFMAXNAMESERVERS 3	/*%< max 3 "nameserver" entries */
+#define LWRES_CONFMAXLWSERVERS 1	/*%< max 1 "lwserver" entry */
+#define LWRES_CONFMAXSEARCH 8		/*%< max 8 domains in "search" entry */
+#define LWRES_CONFMAXLINELEN 256	/*%< max size of a line */
+#define LWRES_CONFMAXSORTLIST 10	/*%< max 10 */
+
+/*% lwres_conf_t */
 typedef struct {
 	lwres_context_t *lwctx;
 	lwres_addr_t    nameservers[LWRES_CONFMAXNAMESERVERS];
-	lwres_uint8_t	nsnext;		/* index for next free slot */
+	lwres_uint8_t	nsnext;		/*%< index for next free slot */
 
 	lwres_addr_t	lwservers[LWRES_CONFMAXLWSERVERS];
-	lwres_uint8_t	lwnext;		/* index for next free slot */
+	lwres_uint8_t	lwnext;		/*%< index for next free slot */
 
 	char	       *domainname;
 
 	char 	       *search[LWRES_CONFMAXSEARCH];
-	lwres_uint8_t	searchnxt;	/* index for next free slot */
+	lwres_uint8_t	searchnxt;	/*%< index for next free slot */
 
 	struct {
 		lwres_addr_t addr;
-		/* mask has a non-zero 'family' and 'length' if set */
+		/*% mask has a non-zero 'family' and 'length' if set */
 		lwres_addr_t mask;
 	} sortlist[LWRES_CONFMAXSORTLIST];
 	lwres_uint8_t	sortlistnxt;
 
-	lwres_uint8_t	resdebug;      /* non-zero if 'options debug' set */
-	lwres_uint8_t	ndots;	       /* set to n in 'options ndots:n' */
-	lwres_uint8_t	no_tld_query;  /* non-zero if 'options no_tld_query' */
+	lwres_uint8_t	resdebug;      /*%< non-zero if 'options debug' set */
+	lwres_uint8_t	ndots;	       /*%< set to n in 'options ndots:n' */
+	lwres_uint8_t	no_tld_query;  /*%< non-zero if 'options no_tld_query' */
 } lwres_conf_t;
 
-#define LWRES_ADDRTYPE_V4		0x00000001U	/* ipv4 */
-#define LWRES_ADDRTYPE_V6		0x00000002U	/* ipv6 */
+#define LWRES_ADDRTYPE_V4		0x00000001U	/*%< ipv4 */
+#define LWRES_ADDRTYPE_V6		0x00000002U	/*%< ipv6 */
 
-#define LWRES_MAX_ALIASES		16		/* max # of aliases */
-#define LWRES_MAX_ADDRS			64		/* max # of addrs */
+#define LWRES_MAX_ALIASES		16		/*%< max # of aliases */
+#define LWRES_MAX_ADDRS			64		/*%< max # of addrs */
 
 LWRES_LANG_BEGINDECLS
 
-/*
- * This is in host byte order.
- */
+/*% This is in host byte order. */
 LIBLWRES_EXTERNAL_DATA extern lwres_uint16_t lwres_udp_port;
 
 LIBLWRES_EXTERNAL_DATA extern const char *lwres_resolv_conf;
@@ -276,12 +277,12 @@ lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 
 void
 lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp);
-/*
+/**<
  * Frees any dynamically allocated memory for this structure.
  *
  * Requires:
  *
- *	ctx != NULL, and be a context returned via lwres_contextcreate().
+ *	ctx != NULL, and be a context returned via lwres_context_create().
  *
  *	structp != NULL && *structp != NULL.
  *
@@ -295,12 +296,12 @@ lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp);
 
 void
 lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp);
-/*
+/**<
  * Frees any dynamically allocated memory for this structure.
  *
  * Requires:
  *
- *	ctx != NULL, and be a context returned via lwres_contextcreate().
+ *	ctx != NULL, and be a context returned via lwres_context_create().
  *
  *	structp != NULL && *structp != NULL.
  *
@@ -332,12 +333,12 @@ lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 
 void
 lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp);
-/*
+/**<
  * Frees any dynamically allocated memory for this structure.
  *
  * Requires:
  *
- *	ctx != NULL, and be a context returned via lwres_contextcreate().
+ *	ctx != NULL, and be a context returned via lwres_context_create().
  *
  *	structp != NULL && *structp != NULL.
  *
@@ -351,12 +352,12 @@ lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp);
 
 void
 lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp);
-/*
+/**<
  * Frees any dynamically allocated memory for this structure.
  *
  * Requires:
  *
- *	ctx != NULL, and be a context returned via lwres_contextcreate().
+ *	ctx != NULL, and be a context returned via lwres_context_create().
  *
  *	structp != NULL && *structp != NULL.
  *
@@ -387,12 +388,12 @@ lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 
 void
 lwres_grbnrequest_free(lwres_context_t *ctx, lwres_grbnrequest_t **structp);
-/*
+/**<
  * Frees any dynamically allocated memory for this structure.
  *
  * Requires:
  *
- *	ctx != NULL, and be a context returned via lwres_contextcreate().
+ *	ctx != NULL, and be a context returned via lwres_context_create().
  *
  *	structp != NULL && *structp != NULL.
  *
@@ -406,12 +407,12 @@ lwres_grbnrequest_free(lwres_context_t *ctx, lwres_grbnrequest_t **structp);
 
 void
 lwres_grbnresponse_free(lwres_context_t *ctx, lwres_grbnresponse_t **structp);
-/*
+/**<
  * Frees any dynamically allocated memory for this structure.
  *
  * Requires:
  *
- *	ctx != NULL, and be a context returned via lwres_contextcreate().
+ *	ctx != NULL, and be a context returned via lwres_context_create().
  *
  *	structp != NULL && *structp != NULL.
  *
@@ -426,12 +427,12 @@ lwres_grbnresponse_free(lwres_context_t *ctx, lwres_grbnresponse_t **structp);
 lwres_result_t
 lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req,
 			 lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-/*
+/**<
  * Allocate space and render into wire format a noop request packet.
  *
  * Requires:
  *
- *	ctx != NULL, and be a context returned via lwres_contextcreate().
+ *	ctx != NULL, and be a context returned via lwres_context_create().
  *
  *	b != NULL, and points to a lwres_buffer_t.  The contents of the
  *	buffer structure will be initialized to contain the wire-format
@@ -455,7 +456,7 @@ lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req,
 lwres_result_t
 lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 			lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp);
-/*
+/**<
  * Parse a noop request.  Note that to get here, the lwpacket must have
  * already been parsed and removed by the caller, otherwise it would be
  * pretty hard for it to know this is the right function to call.
@@ -474,12 +475,12 @@ lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp);
 void
 lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp);
 
-/*
+/**<
  * Frees any dynamically allocated memory for this structure.
  *
  * Requires:
  *
- *	ctx != NULL, and be a context returned via lwres_contextcreate().
+ *	ctx != NULL, and be a context returned via lwres_context_create().
  *
  *	structp != NULL && *structp != NULL.
  *
@@ -493,7 +494,7 @@ lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp);
 
 lwres_result_t
 lwres_conf_parse(lwres_context_t *ctx, const char *filename);
-/*
+/**<
  * parses a resolv.conf-format file and stores the results in the structure
  * pointed to by *ctx.
  *
@@ -509,7 +510,7 @@ lwres_conf_parse(lwres_context_t *ctx, const char *filename);
 
 lwres_result_t
 lwres_conf_print(lwres_context_t *ctx, FILE *fp);
-/*
+/**<
  * Prints a resolv.conf-format of confdata output to fp.
  *
  * Requires:
@@ -518,7 +519,7 @@ lwres_conf_print(lwres_context_t *ctx, FILE *fp);
 
 void
 lwres_conf_init(lwres_context_t *ctx);
-/*
+/**<
  * sets all internal fields to a default state. Used to initialize a new
  * lwres_conf_t structure (not reset a used on).
  *
@@ -528,7 +529,7 @@ lwres_conf_init(lwres_context_t *ctx);
 
 void
 lwres_conf_clear(lwres_context_t *ctx);
-/*
+/**<
  * frees all internally allocated memory in confdata. Uses the memory
  * routines supplied by ctx.
  *
@@ -538,8 +539,7 @@ lwres_conf_clear(lwres_context_t *ctx);
 
 lwres_conf_t *
 lwres_conf_get(lwres_context_t *ctx);
-/*
- * returns a pointer to the current config structure.
+/**<
  * Be extremely cautions in modifying the contents of this structure; it
  * needs an API to return the various bits of data, walk lists, etc.
  *
diff --git a/contrib/bind9/lib/lwres/include/lwres/netdb.h.in b/contrib/bind9/lib/lwres/include/lwres/netdb.h.in
index 7bf545f..eaef63b 100644
--- a/contrib/bind9/lib/lwres/include/lwres/netdb.h.in
+++ b/contrib/bind9/lib/lwres/include/lwres/netdb.h.in
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h.in,v 1.34.206.1 2004/03/06 08:15:35 marka Exp $ */
+/* $Id: netdb.h.in,v 1.35.18.2 2005/04/29 00:17:22 marka Exp $ */
+
+/*! \file */
 
 #ifndef LWRES_NETDB_H
 #define LWRES_NETDB_H 1
diff --git a/contrib/bind9/lib/lwres/include/lwres/platform.h.in b/contrib/bind9/lib/lwres/include/lwres/platform.h.in
index e995aa4..f69e09f 100644
--- a/contrib/bind9/lib/lwres/include/lwres/platform.h.in
+++ b/contrib/bind9/lib/lwres/include/lwres/platform.h.in
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h.in,v 1.12.2.1.10.5 2005/06/08 02:08:32 marka Exp $ */
+/* $Id: platform.h.in,v 1.14.18.5 2005/06/08 02:07:59 marka Exp $ */
+
+/*! \file */
 
 #ifndef LWRES_PLATFORM_H
 #define LWRES_PLATFORM_H 1
@@ -108,4 +110,11 @@
 #endif
 #endif
 
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local Variables:
+ * mode: c
+ * End:
+ */
+
 #endif /* LWRES_PLATFORM_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/result.h b/contrib/bind9/lib/lwres/include/lwres/result.h
index 617ae322..6253fb2 100644
--- a/contrib/bind9/lib/lwres/include/lwres/result.h
+++ b/contrib/bind9/lib/lwres/include/lwres/result.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.14.206.1 2004/03/06 08:15:36 marka Exp $ */
+/* $Id: result.h,v 1.15.18.2 2005/04/29 00:17:23 marka Exp $ */
 
 #ifndef LWRES_RESULT_H
 #define LWRES_RESULT_H 1
 
+/*! \file */
+
 typedef unsigned int lwres_result_t;
 
 #define LWRES_R_SUCCESS			0
diff --git a/contrib/bind9/lib/lwres/include/lwres/stdlib.h b/contrib/bind9/lib/lwres/include/lwres/stdlib.h
index f5d4db2..6855fcf 100644
--- a/contrib/bind9/lib/lwres/include/lwres/stdlib.h
+++ b/contrib/bind9/lib/lwres/include/lwres/stdlib.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdlib.h,v 1.2.4.1 2005/06/08 02:08:32 marka Exp $ */
+/* $Id: stdlib.h,v 1.2.2.1 2005/06/08 02:08:01 marka Exp $ */
 
 #ifndef LWRES_STDLIB_H
 #define LWRES_STDLIB_H 1
diff --git a/contrib/bind9/lib/lwres/include/lwres/version.h b/contrib/bind9/lib/lwres/include/lwres/version.h
index 1b291ce..252b903 100644
--- a/contrib/bind9/lib/lwres/include/lwres/version.h
+++ b/contrib/bind9/lib/lwres/include/lwres/version.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.2.224.3 2004/03/08 09:05:11 marka Exp $ */
+/* $Id: version.h,v 1.3.18.2 2005/04/29 00:17:23 marka Exp $ */
+
+/*! \file */
 
 #include <lwres/platform.h>
 
diff --git a/contrib/bind9/lib/lwres/lwbuffer.c b/contrib/bind9/lib/lwres/lwbuffer.c
index 69009f0..5191592 100644
--- a/contrib/bind9/lib/lwres/lwbuffer.c
+++ b/contrib/bind9/lib/lwres/lwbuffer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,99 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwbuffer.c,v 1.10.206.1 2004/03/06 08:15:31 marka Exp $ */
+/* $Id: lwbuffer.c,v 1.11.18.2 2005/04/29 00:17:18 marka Exp $ */
+
+/*! \file */
+
+/**
+ *    These functions provide bounds checked access to a region of memory
+ *    where data is being read or written. They are based on, and similar
+ *    to, the isc_buffer_ functions in the ISC library.
+ * 
+ *    A buffer is a region of memory, together with a set of related
+ *    subregions. The used region and the available region are disjoint, and
+ *    their union is the buffer's region. The used region extends from the
+ *    beginning of the buffer region to the last used byte. The available
+ *    region extends from one byte greater than the last used byte to the
+ *    end of the buffer's region. The size of the used region can be changed
+ *    using various buffer commands. Initially, the used region is empty.
+ * 
+ *    The used region is further subdivided into two disjoint regions: the
+ *    consumed region and the remaining region. The union of these two
+ *    regions is the used region. The consumed region extends from the
+ *    beginning of the used region to the byte before the current offset (if
+ *    any). The remaining region the current pointer to the end of the used
+ *    region. The size of the consumed region can be changed using various
+ *    buffer commands. Initially, the consumed region is empty.
+ * 
+ *    The active region is an (optional) subregion of the remaining region.
+ *    It extends from the current offset to an offset in the remaining
+ *    region. Initially, the active region is empty. If the current offset
+ *    advances beyond the chosen offset, the active region will also be
+ *    empty.
+ * 
+ * 
+ * \verbatim
+ *    /------------entire length---------------\\
+ *    /----- used region -----\\/-- available --\\
+ *    +----------------------------------------+
+ *    | consumed  | remaining |                |
+ *    +----------------------------------------+
+ *    a           b     c     d                e
+ * 
+ *   a == base of buffer.
+ *   b == current pointer.  Can be anywhere between a and d.
+ *   c == active pointer.  Meaningful between b and d.
+ *   d == used pointer.
+ *   e == length of buffer.
+ * 
+ *   a-e == entire length of buffer.
+ *   a-d == used region.
+ *   a-b == consumed region.
+ *   b-d == remaining region.
+ *   b-c == optional active region.
+ * \endverbatim
+ * 
+ *    lwres_buffer_init() initializes the lwres_buffer_t *b and assocates it
+ *    with the memory region of size length bytes starting at location base.
+ * 
+ *    lwres_buffer_invalidate() marks the buffer *b as invalid. Invalidating
+ *    a buffer after use is not required, but makes it possible to catch its
+ *    possible accidental use.
+ * 
+ *    The functions lwres_buffer_add() and lwres_buffer_subtract()
+ *    respectively increase and decrease the used space in buffer *b by n
+ *    bytes. lwres_buffer_add() checks for buffer overflow and
+ *    lwres_buffer_subtract() checks for underflow. These functions do not
+ *    allocate or deallocate memory. They just change the value of used.
+ * 
+ *    A buffer is re-initialised by lwres_buffer_clear(). The function sets
+ *    used , current and active to zero.
+ * 
+ *    lwres_buffer_first() makes the consumed region of buffer *p empty by
+ *    setting current to zero (the start of the buffer).
+ * 
+ *    lwres_buffer_forward() increases the consumed region of buffer *b by n
+ *    bytes, checking for overflow. Similarly, lwres_buffer_back() decreases
+ *    buffer b's consumed region by n bytes and checks for underflow.
+ * 
+ *    lwres_buffer_getuint8() reads an unsigned 8-bit integer from *b and
+ *    returns it. lwres_buffer_putuint8() writes the unsigned 8-bit integer
+ *    val to buffer *b.
+ * 
+ *    lwres_buffer_getuint16() and lwres_buffer_getuint32() are identical to
+ *    lwres_buffer_putuint8() except that they respectively read an unsigned
+ *    16-bit or 32-bit integer in network byte order from b. Similarly,
+ *    lwres_buffer_putuint16() and lwres_buffer_putuint32() writes the
+ *    unsigned 16-bit or 32-bit integer val to buffer b, in network byte
+ *    order.
+ * 
+ *    Arbitrary amounts of data are read or written from a lightweight
+ *    resolver buffer with lwres_buffer_getmem() and lwres_buffer_putmem()
+ *    respectively. lwres_buffer_putmem() copies length bytes of memory at
+ *    base to b. Conversely, lwres_buffer_getmem() copies length bytes of
+ *    memory from b to base.
+ */
 
 #include <config.h>
 
@@ -42,12 +134,10 @@ lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length)
 	b->active = 0;
 }
 
+/*  Make 'b' an invalid buffer. */
 void
 lwres_buffer_invalidate(lwres_buffer_t *b)
 {
-	/*
-	 * Make 'b' an invalid buffer.
-	 */
 
 	REQUIRE(LWRES_BUFFER_VALID(b));
 
@@ -59,12 +149,10 @@ lwres_buffer_invalidate(lwres_buffer_t *b)
 	b->active = 0;
 }
 
+/* Increase the 'used' region of 'b' by 'n' bytes. */
 void
 lwres_buffer_add(lwres_buffer_t *b, unsigned int n)
 {
-	/*
-	 * Increase the 'used' region of 'b' by 'n' bytes.
-	 */
 
 	REQUIRE(LWRES_BUFFER_VALID(b));
 	REQUIRE(b->used + n <= b->length);
@@ -72,12 +160,10 @@ lwres_buffer_add(lwres_buffer_t *b, unsigned int n)
 	b->used += n;
 }
 
+/* Decrease the 'used' region of 'b' by 'n' bytes. */
 void
 lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n)
 {
-	/*
-	 * Decrease the 'used' region of 'b' by 'n' bytes.
-	 */
 
 	REQUIRE(LWRES_BUFFER_VALID(b));
 	REQUIRE(b->used >= n);
@@ -89,12 +175,10 @@ lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n)
 		b->active = b->used;
 }
 
+/* Make the used region empty. */
 void
 lwres_buffer_clear(lwres_buffer_t *b)
 {
-	/*
-	 * Make the used region empty.
-	 */
 
 	REQUIRE(LWRES_BUFFER_VALID(b));
 
@@ -103,24 +187,20 @@ lwres_buffer_clear(lwres_buffer_t *b)
 	b->active = 0;
 }
 
+/* Make the consumed region empty. */
 void
 lwres_buffer_first(lwres_buffer_t *b)
 {
-	/*
-	 * Make the consumed region empty.
-	 */
 
 	REQUIRE(LWRES_BUFFER_VALID(b));
 
 	b->current = 0;
 }
 
+/* Increase the 'consumed' region of 'b' by 'n' bytes. */
 void
 lwres_buffer_forward(lwres_buffer_t *b, unsigned int n)
 {
-	/*
-	 * Increase the 'consumed' region of 'b' by 'n' bytes.
-	 */
 
 	REQUIRE(LWRES_BUFFER_VALID(b));
 	REQUIRE(b->current + n <= b->used);
@@ -128,12 +208,10 @@ lwres_buffer_forward(lwres_buffer_t *b, unsigned int n)
 	b->current += n;
 }
 
+/* Decrease the 'consumed' region of 'b' by 'n' bytes. */
 void
 lwres_buffer_back(lwres_buffer_t *b, unsigned int n)
 {
-	/*
-	 * Decrease the 'consumed' region of 'b' by 'n' bytes.
-	 */
 
 	REQUIRE(LWRES_BUFFER_VALID(b));
 	REQUIRE(n <= b->current);
@@ -141,15 +219,13 @@ lwres_buffer_back(lwres_buffer_t *b, unsigned int n)
 	b->current -= n;
 }
 
+/* Read an unsigned 8-bit integer from 'b' and return it. */
 lwres_uint8_t
 lwres_buffer_getuint8(lwres_buffer_t *b)
 {
 	unsigned char *cp;
 	lwres_uint8_t result;
 
-	/*
-	 * Read an unsigned 8-bit integer from 'b' and return it.
-	 */
 
 	REQUIRE(LWRES_BUFFER_VALID(b));
 	REQUIRE(b->used - b->current >= 1);
@@ -162,6 +238,7 @@ lwres_buffer_getuint8(lwres_buffer_t *b)
 	return (result);
 }
 
+/* Put an unsigned 8-bit integer */
 void
 lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val)
 {
@@ -176,16 +253,13 @@ lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val)
 	cp[0] = (val & 0x00ff);
 }
 
+/*  Read an unsigned 16-bit integer in network byte order from 'b', convert it to host byte order, and return it. */
 lwres_uint16_t
 lwres_buffer_getuint16(lwres_buffer_t *b)
 {
 	unsigned char *cp;
 	lwres_uint16_t result;
 
-	/*
-	 * Read an unsigned 16-bit integer in network byte order from 'b',
-	 * convert it to host byte order, and return it.
-	 */
 
 	REQUIRE(LWRES_BUFFER_VALID(b));
 	REQUIRE(b->used - b->current >= 2);
@@ -199,6 +273,7 @@ lwres_buffer_getuint16(lwres_buffer_t *b)
 	return (result);
 }
 
+/* Put an unsigned 16-bit integer. */
 void
 lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val)
 {
@@ -214,17 +289,13 @@ lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val)
 	cp[1] = (val & 0x00ff);
 }
 
+/*  Read an unsigned 32-bit integer in network byte order from 'b', convert it to host byte order, and return it. */
 lwres_uint32_t
 lwres_buffer_getuint32(lwres_buffer_t *b)
 {
 	unsigned char *cp;
 	lwres_uint32_t result;
 
-	/*
-	 * Read an unsigned 32-bit integer in network byte order from 'b',
-	 * convert it to host byte order, and return it.
-	 */
-
 	REQUIRE(LWRES_BUFFER_VALID(b));
 	REQUIRE(b->used - b->current >= 4);
 
@@ -239,6 +310,7 @@ lwres_buffer_getuint32(lwres_buffer_t *b)
 	return (result);
 }
 
+/* Put an unsigned 32-bit integer. */
 void
 lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val)
 {
@@ -256,6 +328,7 @@ lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val)
 	cp[3] = (unsigned char)(val & 0x000000ff);
 }
 
+/* copies length bytes of memory at base to b */
 void
 lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base,
 		    unsigned int length)
@@ -270,6 +343,7 @@ lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base,
 	b->used += length;
 }
 
+/* copies length bytes of memory at b to base */
 void
 lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base,
 		    unsigned int length)
diff --git a/contrib/bind9/lib/lwres/lwconfig.c b/contrib/bind9/lib/lwres/lwconfig.c
index 4b4886b..cf4f6a7 100644
--- a/contrib/bind9/lib/lwres/lwconfig.c
+++ b/contrib/bind9/lib/lwres/lwconfig.c
@@ -15,26 +15,43 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwconfig.c,v 1.33.2.1.2.10 2006/10/03 23:50:50 marka Exp $ */
-
-/***
- *** Module for parsing resolv.conf files.
- ***
- *** entry points are:
- ***	lwres_conf_init(lwres_context_t *ctx)
- ***		intializes data structure for subsequent config parsing.
- ***
- ***	lwres_conf_parse(lwres_context_t *ctx, const char *filename)
- ***		parses a file and fills in the data structure.
- ***
- ***	lwres_conf_print(lwres_context_t *ctx, FILE *fp)
- ***		prints the config data structure to the FILE.
- ***
- ***	lwres_conf_clear(lwres_context_t *ctx)
- ***		frees up all the internal memory used by the config data
- ***		 structure, returning it to the lwres_context_t.
- ***
- ***/
+/* $Id: lwconfig.c,v 1.38.18.5 2006/10/03 23:50:51 marka Exp $ */
+
+/*! \file */
+
+/**
+ * Module for parsing resolv.conf files.
+ *
+ *    lwres_conf_init() creates an empty lwres_conf_t structure for
+ *    lightweight resolver context ctx.
+ * 
+ *    lwres_conf_clear() frees up all the internal memory used by that
+ *    lwres_conf_t structure in resolver context ctx.
+ * 
+ *    lwres_conf_parse() opens the file filename and parses it to initialise
+ *    the resolver context ctx's lwres_conf_t structure.
+ * 
+ *    lwres_conf_print() prints the lwres_conf_t structure for resolver
+ *    context ctx to the FILE fp.
+ * 
+ * \section lwconfig_return Return Values
+ * 
+ *    lwres_conf_parse() returns #LWRES_R_SUCCESS if it successfully read and
+ *    parsed filename. It returns #LWRES_R_FAILURE if filename could not be
+ *    opened or contained incorrect resolver statements.
+ * 
+ *    lwres_conf_print() returns #LWRES_R_SUCCESS unless an error occurred
+ *    when converting the network addresses to a numeric host address
+ *    string. If this happens, the function returns #LWRES_R_FAILURE.
+ * 
+ * \section lwconfig_see See Also
+ * 
+ *    stdio(3), \link resolver resolver \endlink
+ * 
+ * \section files Files
+ * 
+ *    /etc/resolv.conf
+ */
 
 #include <config.h>
 
@@ -109,7 +126,7 @@ lwresaddr2af(int lwresaddrtype)
 }
 
 
-/*
+/*!
  * Eat characters from FP until EOL or EOF. Returns EOF or '\n'
  */
 static int
@@ -124,7 +141,7 @@ eatline(FILE *fp) {
 }
 
 
-/*
+/*!
  * Eats white space up to next newline or non-whitespace character (of
  * EOF). Returns the last character read. Comments are considered white
  * space.
@@ -144,7 +161,7 @@ eatwhite(FILE *fp) {
 }
 
 
-/*
+/*!
  * Skip over any leading whitespace and then read in the next sequence of
  * non-whitespace characters. In this context newline is not considered
  * whitespace. Returns EOF on end-of-file, or the character
@@ -203,6 +220,7 @@ lwres_strdup(lwres_context_t *ctx, const char *str) {
 	return (p);
 }
 
+/*% intializes data structure for subsequent config parsing. */
 void
 lwres_conf_init(lwres_context_t *ctx) {
 	int i;
@@ -232,6 +250,7 @@ lwres_conf_init(lwres_context_t *ctx) {
 	}
 }
 
+/*% Frees up all the internal memory used by the config data structure, returning it to the lwres_context_t. */
 void
 lwres_conf_clear(lwres_context_t *ctx) {
 	int i;
@@ -542,6 +561,7 @@ lwres_conf_parseoption(lwres_context_t *ctx,  FILE *fp) {
 	return (LWRES_R_SUCCESS);
 }
 
+/*% parses a file and fills in the data structure. */
 lwres_result_t
 lwres_conf_parse(lwres_context_t *ctx, const char *filename) {
 	FILE *fp = NULL;
@@ -600,6 +620,7 @@ lwres_conf_parse(lwres_context_t *ctx, const char *filename) {
 	return (ret);
 }
 
+/*% Prints the config data structure to the FILE. */
 lwres_result_t
 lwres_conf_print(lwres_context_t *ctx, FILE *fp) {
 	int i;
@@ -695,6 +716,7 @@ lwres_conf_print(lwres_context_t *ctx, FILE *fp) {
 	return (LWRES_R_SUCCESS);
 }
 
+/*% Returns a pointer to the current config structure. */
 lwres_conf_t *
 lwres_conf_get(lwres_context_t *ctx) {
 	REQUIRE(ctx != NULL);
diff --git a/contrib/bind9/lib/lwres/lwinetaton.c b/contrib/bind9/lib/lwres/lwinetaton.c
index aa63027..cc4b9bd 100644
--- a/contrib/bind9/lib/lwres/lwinetaton.c
+++ b/contrib/bind9/lib/lwres/lwinetaton.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1996-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -68,9 +68,11 @@
  * SOFTWARE.
  */
 
+/*! \file lwinetaton.c
+ */
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: lwinetaton.c,v 1.10.2.1.2.1 2004/03/06 08:15:32 marka Exp $";
+static char rcsid[] = "$Id: lwinetaton.c,v 1.12.18.2 2005/04/29 00:17:19 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -84,7 +86,7 @@ static char rcsid[] = "$Id: lwinetaton.c,v 1.10.2.1.2.1 2004/03/06 08:15:32 mark
 
 #include "assert_p.h"
 
-/*
+/*!
  * Check whether "cp" is a valid ascii representation
  * of an Internet address and convert to a binary address.
  * Returns 1 if the address is valid, 0 if not.
diff --git a/contrib/bind9/lib/lwres/lwinetntop.c b/contrib/bind9/lib/lwres/lwinetntop.c
index 78cd0b0..e65656f 100644
--- a/contrib/bind9/lib/lwres/lwinetntop.c
+++ b/contrib/bind9/lib/lwres/lwinetntop.c
@@ -15,9 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/*! \file lwinetntop.c
+ */
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: lwinetntop.c,v 1.9.12.5 2005/11/04 00:16:34 marka Exp $";
+	"$Id: lwinetntop.c,v 1.12.18.4 2005/11/03 23:02:24 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -45,7 +47,7 @@ static const char *inet_ntop6(const unsigned char *src, char *dst,
 			      size_t size);
 #endif
 
-/* char *
+/*! char *
  * lwres_net_ntop(af, src, dst, size)
  *	convert a network format address to presentation format.
  * return:
@@ -69,7 +71,7 @@ lwres_net_ntop(int af, const void *src, char *dst, size_t size) {
 	/* NOTREACHED */
 }
 
-/* const char *
+/*! const char *
  * inet_ntop4(src, dst, size)
  *	format an IPv4 address
  * return:
@@ -96,7 +98,7 @@ inet_ntop4(const unsigned char *src, char *dst, size_t size) {
 	return (dst);
 }
 
-/* const char *
+/*! const char *
  * inet_ntop6(src, dst, size)
  *	convert IPv6 binary address into presentation (printable) format
  * author:
@@ -105,7 +107,7 @@ inet_ntop4(const unsigned char *src, char *dst, size_t size) {
 #ifdef AF_INET6
 static const char *
 inet_ntop6(const unsigned char *src, char *dst, size_t size) {
-	/*
+	/*!
 	 * Note that int32_t and int16_t need only be "at least" large enough
 	 * to contain a value of the specified size.  On some systems, like
 	 * Crays, there is no such thing as an integer variable with 16 bits.
diff --git a/contrib/bind9/lib/lwres/lwinetpton.c b/contrib/bind9/lib/lwres/lwinetpton.c
index e24334b..5155fd1 100644
--- a/contrib/bind9/lib/lwres/lwinetpton.c
+++ b/contrib/bind9/lib/lwres/lwinetpton.c
@@ -15,8 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/*! \file lwinetpton.c
+ */
+
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$Id: lwinetpton.c,v 1.6.206.3 2005/03/31 23:56:15 marka Exp $";
+static char rcsid[] = "$Id: lwinetpton.c,v 1.7.18.3 2005/04/27 05:02:48 sra Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -38,7 +41,8 @@ static char rcsid[] = "$Id: lwinetpton.c,v 1.6.206.3 2005/03/31 23:56:15 marka E
 static int inet_pton4(const char *src, unsigned char *dst);
 static int inet_pton6(const char *src, unsigned char *dst);
 
-/* int
+/*! 
+ * int
  * lwres_net_pton(af, src, dst)
  *	convert from presentation format (which usually means ASCII printable)
  *	to network format (which is usually some kind of binary format).
@@ -63,7 +67,7 @@ lwres_net_pton(int af, const char *src, void *dst) {
 	/* NOTREACHED */
 }
 
-/* int
+/*! int
  * inet_pton4(src, dst)
  *	like inet_aton() but without all the hexadecimal and shorthand.
  * return:
@@ -110,7 +114,7 @@ inet_pton4(const char *src, unsigned char *dst) {
 	return (1);
 }
 
-/* int
+/*! int
  * inet_pton6(src, dst)
  *	convert presentation level address to network order binary form.
  * return:
diff --git a/contrib/bind9/lib/lwres/lwpacket.c b/contrib/bind9/lib/lwres/lwpacket.c
index 6e28df0..964b465 100644
--- a/contrib/bind9/lib/lwres/lwpacket.c
+++ b/contrib/bind9/lib/lwres/lwpacket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,46 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwpacket.c,v 1.13.206.1 2004/03/06 08:15:32 marka Exp $ */
+/* $Id: lwpacket.c,v 1.14.18.2 2005/04/29 00:17:19 marka Exp $ */
+
+/*! \file */
+
+/**
+ *    These functions rely on a struct lwres_lwpacket which is defined in
+ *    \link lwpacket.h lwres/lwpacket.h.\endlink
+ * 
+ *    The following opcodes are currently defined:   
+ * 
+ * \li   #LWRES_OPCODE_NOOP
+ *           Success is always returned and the packet contents are
+ *           echoed. The \link lwres_noop.c lwres_noop_*()\endlink functions should be used for this
+ *           type.
+ * 
+ * \li   #LWRES_OPCODE_GETADDRSBYNAME
+ *           returns all known addresses for a given name. The
+ *           \link lwres_gabn.c lwres_gabn_*()\endlink functions should be used for this type.
+ * 
+ * \li   #LWRES_OPCODE_GETNAMEBYADDR
+ *           return the hostname for the given address. The
+ *           \link lwres_gnba.c lwres_gnba_*() \endlink functions should be used for this type.     
+ * 
+ *    lwres_lwpacket_renderheader() transfers the contents of lightweight
+ *    resolver packet structure #lwres_lwpacket_t *pkt in network byte
+ *    order to the lightweight resolver buffer, *b.
+ * 
+ *    lwres_lwpacket_parseheader() performs the converse operation. It
+ *    transfers data in network byte order from buffer *b to resolver
+ *    packet *pkt. The contents of the buffer b should correspond to a   
+ *    #lwres_lwpacket_t.
+ * 
+ * \section lwpacket_return Return Values
+ * 
+ *    Successful calls to lwres_lwpacket_renderheader() and
+ *    lwres_lwpacket_parseheader() return #LWRES_R_SUCCESS. If there is
+ *    insufficient space to copy data between the buffer *b and
+ *    lightweight resolver packet *pkt both functions return
+ *    #LWRES_R_UNEXPECTEDEND.
+ */
 
 #include <config.h>
 
@@ -29,9 +68,12 @@
 
 #include "assert_p.h"
 
+/*% Length of Packet */
 #define LWPACKET_LENGTH \
 	(sizeof(lwres_uint16_t) * 4 + sizeof(lwres_uint32_t) * 5)
 
+/*% transfers the contents of lightweight resolver packet structure lwres_lwpacket_t *pkt in network byte order to the lightweight resolver buffer, *b. */
+
 lwres_result_t
 lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt) {
 	REQUIRE(b != NULL);
@@ -53,6 +95,8 @@ lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt) {
 	return (LWRES_R_SUCCESS);
 }
 
+/*% transfers data in network byte order from buffer *b to resolver packet *pkt. The contents of the buffer b should correspond to a lwres_lwpacket_t. */
+
 lwres_result_t
 lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt) {
 	lwres_uint32_t space;
diff --git a/contrib/bind9/lib/lwres/lwres_gabn.c b/contrib/bind9/lib/lwres/lwres_gabn.c
index 9df87ce..c6f1139 100644
--- a/contrib/bind9/lib/lwres/lwres_gabn.c
+++ b/contrib/bind9/lib/lwres/lwres_gabn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,92 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_gabn.c,v 1.27.12.3 2004/03/08 09:05:10 marka Exp $ */
+/* $Id: lwres_gabn.c,v 1.29.18.2 2005/04/29 00:17:19 marka Exp $ */
+
+/*! \file lwres_gabn.c
+   These are low-level routines for creating and parsing lightweight
+   resolver name-to-address lookup request and response messages.
+
+   There are four main functions for the getaddrbyname opcode. One render
+   function converts a getaddrbyname request structure --
+   lwres_gabnrequest_t -- to the lighweight resolver's canonical format.
+   It is complemented by a parse function that converts a packet in this
+   canonical format to a getaddrbyname request structure. Another render
+   function converts the getaddrbyname response structure --
+   lwres_gabnresponse_t -- to the canonical format. This is complemented
+   by a parse function which converts a packet in canonical format to a
+   getaddrbyname response structure.
+
+   These structures are defined in \link lwres.h <lwres/lwres.h>.\endlink They are shown below.
+
+\code
+#define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
+
+typedef struct lwres_addr lwres_addr_t;
+typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
+
+typedef struct {
+        lwres_uint32_t  flags;
+        lwres_uint32_t  addrtypes;
+        lwres_uint16_t  namelen;
+        char           *name;
+} lwres_gabnrequest_t;
+
+typedef struct {
+        lwres_uint32_t          flags;
+        lwres_uint16_t          naliases;
+        lwres_uint16_t          naddrs;
+        char                   *realname;
+        char                  **aliases;
+        lwres_uint16_t          realnamelen;
+        lwres_uint16_t         *aliaslen;
+        lwres_addrlist_t        addrs;
+        void                   *base;
+        size_t                  baselen;
+} lwres_gabnresponse_t;
+\endcode
+
+   lwres_gabnrequest_render() uses resolver context ctx to convert
+   getaddrbyname request structure req to canonical format. The packet
+   header structure pkt is initialised and transferred to buffer b. The
+   contents of *req are then appended to the buffer in canonical format.
+   lwres_gabnresponse_render() performs the same task, except it converts
+   a getaddrbyname response structure lwres_gabnresponse_t to the
+   lightweight resolver's canonical format.
+
+   lwres_gabnrequest_parse() uses context ctx to convert the contents of
+   packet pkt to a lwres_gabnrequest_t structure. Buffer b provides space
+   to be used for storing this structure. When the function succeeds, the
+   resulting lwres_gabnrequest_t is made available through *structp.
+   lwres_gabnresponse_parse() offers the same semantics as
+   lwres_gabnrequest_parse() except it yields a lwres_gabnresponse_t
+   structure.
+
+   lwres_gabnresponse_free() and lwres_gabnrequest_free() release the
+   memory in resolver context ctx that was allocated to the
+   lwres_gabnresponse_t or lwres_gabnrequest_t structures referenced via
+   structp. Any memory associated with ancillary buffers and strings for
+   those structures is also discarded.
+
+\section lwres_gabn_return Return Values
+
+   The getaddrbyname opcode functions lwres_gabnrequest_render(),
+   lwres_gabnresponse_render() lwres_gabnrequest_parse() and
+   lwres_gabnresponse_parse() all return #LWRES_R_SUCCESS on success. They
+   return #LWRES_R_NOMEMORY if memory allocation fails.
+   #LWRES_R_UNEXPECTEDEND is returned if the available space in the buffer
+   b is too small to accommodate the packet header or the
+   lwres_gabnrequest_t and lwres_gabnresponse_t structures.
+   lwres_gabnrequest_parse() and lwres_gabnresponse_parse() will return
+   #LWRES_R_UNEXPECTEDEND if the buffer is not empty after decoding the
+   received packet. These functions will return #LWRES_R_FAILURE if
+   pktflags in the packet header structure #lwres_lwpacket_t indicate that
+   the packet is not a response to an earlier query.
+
+\section lwres_gabn_see See Also
+
+   \link lwpacket.c lwres_lwpacket \endlink
+ */
 
 #include <config.h>
 
@@ -31,6 +116,7 @@
 #include "context_p.h"
 #include "assert_p.h"
 
+/*% uses resolver context ctx to convert getaddrbyname request structure req to canonical format. */
 lwres_result_t
 lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
 			 lwres_lwpacket_t *pkt, lwres_buffer_t *b)
@@ -97,7 +183,7 @@ lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
 
 	return (LWRES_R_SUCCESS);
 }
-
+/*% converts a getaddrbyname response structure lwres_gabnresponse_t to the lightweight resolver's canonical format. */
 lwres_result_t
 lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
 			  lwres_lwpacket_t *pkt, lwres_buffer_t *b)
@@ -194,7 +280,7 @@ lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
 
 	return (LWRES_R_SUCCESS);
 }
-
+/*% Uses context ctx to convert the contents of packet pkt to a lwres_gabnrequest_t structure. */
 lwres_result_t
 lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 			lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp)
@@ -243,6 +329,8 @@ lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	return (LWRES_R_SUCCESS);
 }
 
+/*% Offers the same semantics as lwres_gabnrequest_parse() except it yields a lwres_gabnresponse_t structure. */
+
 lwres_result_t
 lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 			lwres_lwpacket_t *pkt, lwres_gabnresponse_t **structp)
@@ -372,6 +460,7 @@ lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	return (ret);
 }
 
+/*% Release the memory in resolver context ctx that was allocated to the lwres_gabnrequest_t. */
 void
 lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp)
 {
@@ -386,6 +475,7 @@ lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp)
 	CTXFREE(gabn, sizeof(lwres_gabnrequest_t));
 }
 
+/*% Release the memory in resolver context ctx that was allocated to the lwres_gabnresponse_t. */
 void
 lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp)
 {
diff --git a/contrib/bind9/lib/lwres/lwres_gnba.c b/contrib/bind9/lib/lwres/lwres_gnba.c
index a11c066..5f41648 100644
--- a/contrib/bind9/lib/lwres/lwres_gnba.c
+++ b/contrib/bind9/lib/lwres/lwres_gnba.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,88 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_gnba.c,v 1.20.2.2.8.4 2004/03/08 09:05:11 marka Exp $ */
+/* $Id: lwres_gnba.c,v 1.23.18.2 2005/04/29 00:17:20 marka Exp $ */
+
+/*! \file lwres_gnba.c
+   These are low-level routines for creating and parsing lightweight
+   resolver address-to-name lookup request and response messages.
+
+   There are four main functions for the getnamebyaddr opcode. One
+ render function converts a getnamebyaddr request structure --
+   lwres_gnbarequest_t -- to the lightweight resolver's canonical
+   format. It is complemented by a parse function that converts a
+   packet in this canonical format to a getnamebyaddr request
+   structure. Another render function converts the getnamebyaddr
+   response structure -- lwres_gnbaresponse_t to the canonical format.
+   This is complemented by a parse function which converts a packet in
+   canonical format to a getnamebyaddr response structure.       
+
+   These structures are defined in \link lwres.h <lwres/lwres.h.>\endlink They are shown
+   below.
+
+\code
+#define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
+
+typedef struct {
+        lwres_uint32_t  flags;
+        lwres_addr_t    addr;
+} lwres_gnbarequest_t;
+
+typedef struct {
+        lwres_uint32_t  flags;
+        lwres_uint16_t  naliases;
+        char           *realname;
+        char          **aliases;
+        lwres_uint16_t  realnamelen;
+        lwres_uint16_t *aliaslen;
+        void           *base;
+        size_t          baselen;
+} lwres_gnbaresponse_t;
+\endcode
+
+   lwres_gnbarequest_render() uses resolver context ctx to convert
+   getnamebyaddr request structure req to canonical format. The packet
+   header structure pkt is initialised and transferred to buffer b.
+   The contents of *req are then appended to the buffer in canonical
+   format. lwres_gnbaresponse_render() performs the same task, except
+   it converts a getnamebyaddr response structure lwres_gnbaresponse_t
+   to the lightweight resolver's canonical format.
+
+   lwres_gnbarequest_parse() uses context ctx to convert the contents
+   of packet pkt to a lwres_gnbarequest_t structure. Buffer b provides
+   space to be used for storing this structure. When the function
+   succeeds, the resulting lwres_gnbarequest_t is made available
+   through *structp. lwres_gnbaresponse_parse() offers the same   
+semantics as lwres_gnbarequest_parse() except it yields a    
+   lwres_gnbaresponse_t structure.
+
+   lwres_gnbaresponse_free() and lwres_gnbarequest_free() release the
+   memory in resolver context ctx that was allocated to the     
+   lwres_gnbaresponse_t or lwres_gnbarequest_t structures referenced  
+   via structp. Any memory associated with ancillary buffers and      
+   strings for those structures is also discarded.
+
+\section lwres_gbna_return Return Values
+
+   The getnamebyaddr opcode functions lwres_gnbarequest_render(),
+   lwres_gnbaresponse_render() lwres_gnbarequest_parse() and
+   lwres_gnbaresponse_parse() all return #LWRES_R_SUCCESS on success.
+   They return #LWRES_R_NOMEMORY if memory allocation fails.
+   #LWRES_R_UNEXPECTEDEND is returned if the available space in the
+   buffer b is too small to accommodate the packet header or the
+   lwres_gnbarequest_t and lwres_gnbaresponse_t structures.
+   lwres_gnbarequest_parse() and lwres_gnbaresponse_parse() will
+   return #LWRES_R_UNEXPECTEDEND if the buffer is not empty after
+   decoding the received packet. These functions will return
+   #LWRES_R_FAILURE if pktflags in the packet header structure
+   #lwres_lwpacket_t indicate that the packet is not a response to an
+   earlier query.
+
+\section lwres_gbna_see See Also
+
+   \link lwpacket.c lwres_packet\endlink
+
+ */
 
 #include <config.h>
 
@@ -31,6 +112,7 @@
 #include "context_p.h"
 #include "assert_p.h"
 
+/*% Uses resolver context ctx to convert getnamebyaddr request structure req to canonical format. */
 lwres_result_t
 lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
 			 lwres_lwpacket_t *pkt, lwres_buffer_t *b)
@@ -88,6 +170,7 @@ lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
 	return (LWRES_R_SUCCESS);
 }
 
+/*% Converts a getnamebyaddr response structure lwres_gnbaresponse_t to the lightweight resolver's canonical format. */
 lwres_result_t
 lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
 			  lwres_lwpacket_t *pkt, lwres_buffer_t *b)
@@ -159,6 +242,7 @@ lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
 	return (LWRES_R_SUCCESS);
 }
 
+/*% Uses context ctx to convert the contents of packet pkt to a lwres_gnbarequest_t structure. */
 lwres_result_t
 lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 			lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp)
@@ -202,6 +286,8 @@ lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	return (ret);
 }
 
+/*% Offers the same semantics as lwres_gnbarequest_parse() except it yields a lwres_gnbaresponse_t structure. */
+
 lwres_result_t
 lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 			 lwres_lwpacket_t *pkt, lwres_gnbaresponse_t **structp)
@@ -292,6 +378,7 @@ lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	return (ret);
 }
 
+/*% Release the memory in resolver context ctx that was allocated to the lwres_gnbarequest_t. */
 void
 lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp)
 {
@@ -306,6 +393,7 @@ lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp)
 	CTXFREE(gnba, sizeof(lwres_gnbarequest_t));
 }
 
+/*% Release the memory in resolver context ctx that was allocated to the lwres_gnbaresponse_t. */
 void
 lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp)
 {
diff --git a/contrib/bind9/lib/lwres/lwres_grbn.c b/contrib/bind9/lib/lwres/lwres_grbn.c
index f8147fc..976708e 100644
--- a/contrib/bind9/lib/lwres/lwres_grbn.c
+++ b/contrib/bind9/lib/lwres/lwres_grbn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_grbn.c,v 1.4.12.3 2004/03/08 09:05:11 marka Exp $ */
+/* $Id: lwres_grbn.c,v 1.6.18.2 2005/04/29 00:17:20 marka Exp $ */
+
+/*! \file lwres_grbn.c
+
+ */
 
 #include <config.h>
 
@@ -31,6 +35,7 @@
 #include "context_p.h"
 #include "assert_p.h"
 
+/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
 lwres_result_t
 lwres_grbnrequest_render(lwres_context_t *ctx, lwres_grbnrequest_t *req,
 			 lwres_lwpacket_t *pkt, lwres_buffer_t *b)
@@ -103,6 +108,7 @@ lwres_grbnrequest_render(lwres_context_t *ctx, lwres_grbnrequest_t *req,
 	return (LWRES_R_SUCCESS);
 }
 
+/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
 lwres_result_t
 lwres_grbnresponse_render(lwres_context_t *ctx, lwres_grbnresponse_t *req,
 			  lwres_lwpacket_t *pkt, lwres_buffer_t *b)
@@ -190,6 +196,7 @@ lwres_grbnresponse_render(lwres_context_t *ctx, lwres_grbnresponse_t *req,
 	return (LWRES_R_SUCCESS);
 }
 
+/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
 lwres_result_t
 lwres_grbnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 			lwres_lwpacket_t *pkt, lwres_grbnrequest_t **structp)
@@ -243,6 +250,7 @@ lwres_grbnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	return (LWRES_R_SUCCESS);
 }
 
+/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
 lwres_result_t
 lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 			lwres_lwpacket_t *pkt, lwres_grbnresponse_t **structp)
@@ -376,6 +384,7 @@ lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	return (ret);
 }
 
+/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
 void
 lwres_grbnrequest_free(lwres_context_t *ctx, lwres_grbnrequest_t **structp)
 {
@@ -390,6 +399,7 @@ lwres_grbnrequest_free(lwres_context_t *ctx, lwres_grbnrequest_t **structp)
 	CTXFREE(grbn, sizeof(lwres_grbnrequest_t));
 }
 
+/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
 void
 lwres_grbnresponse_free(lwres_context_t *ctx, lwres_grbnresponse_t **structp)
 {
diff --git a/contrib/bind9/lib/lwres/lwres_noop.c b/contrib/bind9/lib/lwres/lwres_noop.c
index f67c2b3..e76bc4d 100644
--- a/contrib/bind9/lib/lwres/lwres_noop.c
+++ b/contrib/bind9/lib/lwres/lwres_noop.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,87 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_noop.c,v 1.14.206.1 2004/03/06 08:15:33 marka Exp $ */
+/* $Id: lwres_noop.c,v 1.15.18.2 2005/04/29 00:17:20 marka Exp $ */
+
+/*! \file */
+
+/**
+ *    These are low-level routines for creating and parsing lightweight
+ *    resolver no-op request and response messages.
+ * 
+ *    The no-op message is analogous to a ping packet: a packet is sent to
+ *    the resolver daemon and is simply echoed back. The opcode is intended
+ *    to allow a client to determine if the server is operational or not.
+ * 
+ *    There are four main functions for the no-op opcode. One render
+ *    function converts a no-op request structure -- lwres_nooprequest_t --
+ *    to the lighweight resolver's canonical format. It is complemented by a
+ *    parse function that converts a packet in this canonical format to a
+ *    no-op request structure. Another render function converts the no-op
+ *    response structure -- lwres_noopresponse_t to the canonical format.
+ *    This is complemented by a parse function which converts a packet in
+ *    canonical format to a no-op response structure.
+ * 
+ *    These structures are defined in \link lwres.h <lwres/lwres.h.> \endlink They are shown below.
+ * 
+ * \code
+ * #define LWRES_OPCODE_NOOP       0x00000000U
+ * 
+ * typedef struct {
+ *         lwres_uint16_t  datalength;
+ *         unsigned char   *data;
+ * } lwres_nooprequest_t;
+ * 
+ * typedef struct {
+ *         lwres_uint16_t  datalength;
+ *         unsigned char   *data;
+ * } lwres_noopresponse_t;
+ * \endcode
+ * 
+ *    Although the structures have different types, they are identical. This
+ *    is because the no-op opcode simply echos whatever data was sent: the
+ *    response is therefore identical to the request.
+ * 
+ *    lwres_nooprequest_render() uses resolver context ctx to convert no-op
+ *    request structure req to canonical format. The packet header structure
+ *    pkt is initialised and transferred to buffer b. The contents of *req
+ *    are then appended to the buffer in canonical format.
+ *    lwres_noopresponse_render() performs the same task, except it converts
+ *    a no-op response structure lwres_noopresponse_t to the lightweight
+ *    resolver's canonical format.
+ * 
+ *    lwres_nooprequest_parse() uses context ctx to convert the contents of
+ *    packet pkt to a lwres_nooprequest_t structure. Buffer b provides space
+ *    to be used for storing this structure. When the function succeeds, the
+ *    resulting lwres_nooprequest_t is made available through *structp.
+ *    lwres_noopresponse_parse() offers the same semantics as
+ *    lwres_nooprequest_parse() except it yields a lwres_noopresponse_t
+ *    structure.
+ * 
+ *    lwres_noopresponse_free() and lwres_nooprequest_free() release the
+ *    memory in resolver context ctx that was allocated to the
+ *    lwres_noopresponse_t or lwres_nooprequest_t structures referenced via
+ *    structp.
+ * 
+ * \section lwres_noop_return Return Values
+ * 
+ *    The no-op opcode functions lwres_nooprequest_render(),
+ *    lwres_noopresponse_render() lwres_nooprequest_parse() and
+ *    lwres_noopresponse_parse() all return #LWRES_R_SUCCESS on success. They
+ *    return #LWRES_R_NOMEMORY if memory allocation fails.
+ *    #LWRES_R_UNEXPECTEDEND is returned if the available space in the buffer
+ *    b is too small to accommodate the packet header or the
+ *    lwres_nooprequest_t and lwres_noopresponse_t structures.
+ *    lwres_nooprequest_parse() and lwres_noopresponse_parse() will return
+ *    #LWRES_R_UNEXPECTEDEND if the buffer is not empty after decoding the
+ *    received packet. These functions will return #LWRES_R_FAILURE if
+ *    pktflags in the packet header structure #lwres_lwpacket_t indicate that
+ *    the packet is not a response to an earlier query.
+ * 
+ * \section lwres_noop_see See Also
+ * 
+ *    lwpacket.c
+ */
 
 #include <config.h>
 
@@ -31,6 +111,7 @@
 #include "context_p.h"
 #include "assert_p.h"
 
+/*% Uses resolver context ctx to convert no-op request structure req to canonical format. */
 lwres_result_t
 lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req,
 			 lwres_lwpacket_t *pkt, lwres_buffer_t *b)
@@ -82,6 +163,8 @@ lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req,
 	return (LWRES_R_SUCCESS);
 }
 
+/*% Converts a no-op response structure lwres_noopresponse_t to the lightweight resolver's canonical format. */
+
 lwres_result_t
 lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req,
 			  lwres_lwpacket_t *pkt, lwres_buffer_t *b)
@@ -132,6 +215,7 @@ lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req,
 	return (LWRES_R_SUCCESS);
 }
 
+/*% Uses context ctx to convert the contents of packet pkt to a lwres_nooprequest_t structure. */
 lwres_result_t
 lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 			lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp)
@@ -179,6 +263,7 @@ lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	return (ret);
 }
 
+/*% Offers the same semantics as lwres_nooprequest_parse() except it yields a lwres_noopresponse_t structure. */
 lwres_result_t
 lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 			 lwres_lwpacket_t *pkt, lwres_noopresponse_t **structp)
@@ -226,6 +311,7 @@ lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	return (ret);
 }
 
+/*% Release the memory in resolver context ctx. */
 void
 lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp)
 {
@@ -240,6 +326,7 @@ lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp)
 	CTXFREE(noop, sizeof(lwres_noopresponse_t));
 }
 
+/*% Release the memory in resolver context ctx. */
 void
 lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp)
 {
diff --git a/contrib/bind9/lib/lwres/lwresutil.c b/contrib/bind9/lib/lwres/lwresutil.c
index 1035f17..6d6764f 100644
--- a/contrib/bind9/lib/lwres/lwresutil.c
+++ b/contrib/bind9/lib/lwres/lwresutil.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,86 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresutil.c,v 1.29.206.1 2004/03/06 08:15:33 marka Exp $ */
+/* $Id: lwresutil.c,v 1.30.18.2 2005/04/29 00:17:20 marka Exp $ */
+
+/*! \file */
+
+/**
+ *    lwres_string_parse() retrieves a DNS-encoded string starting the
+ *    current pointer of lightweight resolver buffer b: i.e. b->current.
+ *    When the function returns, the address of the first byte of the
+ *    encoded string is returned via *c and the length of that string is
+ *    given by *len. The buffer's current pointer is advanced to point at
+ *    the character following the string length, the encoded string, and
+ *    the trailing NULL character.
+ * 
+ *    lwres_addr_parse() extracts an address from the buffer b. The
+ *    buffer's current pointer b->current is presumed to point at an
+ *    encoded address: the address preceded by a 32-bit protocol family
+ *    identifier and a 16-bit length field. The encoded address is copied
+ *    to addr->address and addr->length indicates the size in bytes of
+ *    the address that was copied. b->current is advanced to point at the
+ *  next byte of available data in the buffer following the encoded
+ *    address.
+ * 
+ *    lwres_getaddrsbyname() and lwres_getnamebyaddr() use the
+ *    lwres_gnbaresponse_t structure defined below:
+ * 
+ * \code
+ * typedef struct {
+ *         lwres_uint32_t          flags;
+ *         lwres_uint16_t          naliases;
+ *         lwres_uint16_t          naddrs;
+ *         char                   *realname;
+ *         char                  **aliases;
+ *         lwres_uint16_t          realnamelen;
+ *         lwres_uint16_t         *aliaslen;
+ *         lwres_addrlist_t        addrs;
+ *         void                   *base;
+ *         size_t                  baselen;
+ * } lwres_gabnresponse_t;
+ * \endcode
+ * 
+ *    The contents of this structure are not manipulated directly but
+ *    they are controlled through the \link lwres_gabn.c lwres_gabn*\endlink functions.  
+ * 
+ *    The lightweight resolver uses lwres_getaddrsbyname() to perform
+ *    foward lookups. Hostname name is looked up using the resolver
+ *    context ctx for memory allocation. addrtypes is a bitmask      
+ *    indicating which type of addresses are to be looked up. Current
+ *    values for this bitmask are #LWRES_ADDRTYPE_V4 for IPv4 addresses
+ *    and #LWRES_ADDRTYPE_V6 for IPv6 addresses. Results of the lookup are
+ *    returned in *structp.
+ * 
+ *    lwres_getnamebyaddr() performs reverse lookups. Resolver context  
+ *    ctx is used for memory allocation. The address type is indicated by
+ *    addrtype: #LWRES_ADDRTYPE_V4 or #LWRES_ADDRTYPE_V6. The address to be
+ *    looked up is given by addr and its length is addrlen bytes. The    
+ *    result of the function call is made available through *structp.   
+ * 
+ * \section lwresutil_return Return Values
+ * 
+ *    Successful calls to lwres_string_parse() and lwres_addr_parse()
+ *    return #LWRES_R_SUCCESS. Both functions return #LWRES_R_FAILURE if 
+ *    the buffer is corrupt or #LWRES_R_UNEXPECTEDEND if the buffer has   
+ *    less space than expected for the components of the encoded string
+ *    or address.
+ * 
+ * lwres_getaddrsbyname() returns #LWRES_R_SUCCESS on success and it
+ *    returns #LWRES_R_NOTFOUND if the hostname name could not be found.
+ * 
+ *    #LWRES_R_SUCCESS is returned by a successful call to
+ *    lwres_getnamebyaddr().
+ * 
+ *    Both lwres_getaddrsbyname() and lwres_getnamebyaddr() return
+ *    #LWRES_R_NOMEMORY when memory allocation requests fail and
+ *    #LWRES_R_UNEXPECTEDEND if the buffers used for sending queries and
+ *    receiving replies are too small.     
+ * 
+ * \section lwresutil_see See Also
+ * 
+ *    lwbuffer.c, lwres_gabn.c
+ */
 
 #include <config.h>
 
@@ -31,7 +110,8 @@
 #include "assert_p.h"
 #include "context_p.h"
 
-/*
+/*% Parse data. */
+/*!
  * Requires:
  *
  *	The "current" pointer in "b" points to encoded raw data.
@@ -78,7 +158,8 @@ lwres_data_parse(lwres_buffer_t *b, unsigned char **p, lwres_uint16_t *len)
 	return (LWRES_R_SUCCESS);
 }
 
-/*
+/*% Retrieves a DNS-encoded string. */
+/*!
  * Requires:
  *
  *	The "current" pointer in "b" point to an encoded string.
@@ -133,6 +214,7 @@ lwres_string_parse(lwres_buffer_t *b, char **c, lwres_uint16_t *len)
 	return (LWRES_R_SUCCESS);
 }
 
+/*% Extracts an address from the buffer b. */
 lwres_result_t
 lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr)
 {
@@ -154,6 +236,7 @@ lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr)
 	return (LWRES_R_SUCCESS);
 }
 
+/*% Used to perform forward lookups. */
 lwres_result_t
 lwres_getaddrsbyname(lwres_context_t *ctx, const char *name,
 		     lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp)
@@ -268,6 +351,7 @@ lwres_getaddrsbyname(lwres_context_t *ctx, const char *name,
 }
 
 
+/*% Used to perform reverse lookups. */
 lwres_result_t
 lwres_getnamebyaddr(lwres_context_t *ctx, lwres_uint32_t addrtype,
 		    lwres_uint16_t addrlen, const unsigned char *addr,
@@ -376,6 +460,7 @@ lwres_getnamebyaddr(lwres_context_t *ctx, lwres_uint32_t addrtype,
 	return (ret);
 }
 
+/*% Get rdata by name. */
 lwres_result_t
 lwres_getrdatabyname(lwres_context_t *ctx, const char *name,
 		     lwres_uint16_t rdclass, lwres_uint16_t rdtype,
diff --git a/contrib/bind9/lib/lwres/man/Makefile.in b/contrib/bind9/lib/lwres/man/Makefile.in
index a591a2a..e28123c 100644
--- a/contrib/bind9/lib/lwres/man/Makefile.in
+++ b/contrib/bind9/lib/lwres/man/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6.206.1 2004/03/06 08:15:36 marka Exp $
+# $Id: Makefile.in,v 1.7 2004/03/05 05:12:55 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/lwres/man/lwres.3 b/contrib/bind9/lib/lwres/man/lwres.3
index 886f1f1..968e8f8 100644
--- a/contrib/bind9/lib/lwres/man/lwres.3
+++ b/contrib/bind9/lib/lwres/man/lwres.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres.3,v 1.15.206.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres.3,v 1.17.18.11 2007/01/30 00:23:44 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -159,4 +159,7 @@ bit should be set.
 \fBresolver\fR(5),
 \fBlwresd\fR(8).
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres.docbook b/contrib/bind9/lib/lwres/man/lwres.docbook
index 83258a9..2a94ec8 100644
--- a/contrib/bind9/lib/lwres/man/lwres.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,23 +18,28 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres.docbook,v 1.3.206.3 2005/05/12 21:36:11 sra Exp $ -->
-
+<!-- $Id: lwres.docbook,v 1.4.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
-<refentryinfo>
 
-<date>Jun 30, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+  <refnamediv>
+    <refname>lwres</refname>
+    <refpurpose>introduction to the lightweight resolver library</refpurpose>
+  </refnamediv>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -44,217 +49,218 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres</refname>
-<refpurpose>introduction to the lightweight resolver library</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-<funcsynopsis>
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
 </funcsynopsis>
-</refsynopsisdiv>
+  </refsynopsisdiv>
 
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-The BIND 9 lightweight resolver library is a simple, name service
-independent stub resolver library.  It provides hostname-to-address
-and address-to-hostname lookup services to applications by
-transmitting lookup requests to a resolver daemon
-<command>lwresd</command>
-running on the local host. The resover daemon performs the
-lookup using the DNS or possibly other name service protocols,
-and returns the results to the application through the library.  
-The library and resolver daemon communicate using a simple
-UDP-based protocol.
-</para>
-</refsect1>
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para>
+      The BIND 9 lightweight resolver library is a simple, name service
+      independent stub resolver library.  It provides hostname-to-address
+      and address-to-hostname lookup services to applications by
+      transmitting lookup requests to a resolver daemon
+      <command>lwresd</command>
+      running on the local host. The resover daemon performs the
+      lookup using the DNS or possibly other name service protocols,
+      and returns the results to the application through the library.
+      The library and resolver daemon communicate using a simple
+      UDP-based protocol.
+    </para>
+  </refsect1>
 
-<refsect1>
-<title>OVERVIEW</title>
-<para>
-The lwresd library implements multiple name service APIs.
-The standard
-<function>gethostbyname()</function>,
-<function>gethostbyaddr()</function>,
-<function>gethostbyname_r()</function>,
-<function>gethostbyaddr_r()</function>,
-<function>getaddrinfo()</function>,
-<function>getipnodebyname()</function>,
-and
-<function>getipnodebyaddr()</function>
-functions are all supported.  To allow the lwres library to coexist
-with system libraries that define functions of the same name,
-the library defines these functions with names prefixed by
-<literal>lwres_</literal>.
-To define the standard names, applications must include the
-header file
-<filename>&lt;lwres/netdb.h&gt;</filename>
-which contains macro definitions mapping the standard function names
-into
-<literal>lwres_</literal>
-prefixed ones.  Operating system vendors who integrate the lwres
-library into their base distributions should rename the functions
-in the library proper so that the renaming macros are not needed.
-</para>
-<para>
-The library also provides a native API consisting of the functions
-<function>lwres_getaddrsbyname()</function>
-and
-<function>lwres_getnamebyaddr()</function>.
-These may be called by applications that require more detailed
-control over the lookup process than the standard functions
-provide.
-</para>
-<para>
-In addition to these name service independent address lookup
-functions, the library implements a new, experimental API
-for looking up arbitrary DNS resource records, using the
-<function>lwres_getaddrsbyname()</function>
-function.
-</para>
-<para>
-Finally, there is a low-level API for converting lookup
-requests and responses to and from raw lwres protocol packets.  
-This API can be used by clients requiring nonblocking operation, 
-and is also used when implementing the server side of the lwres
-protocol, for example in the
-<command>lwresd</command>
-resolver daemon.  The use of this low-level API in clients
-and servers is outlined in the following sections.
-</para>
-</refsect1>
-<refsect1>
-<title>CLIENT-SIDE LOW-LEVEL API CALL FLOW</title>
-<para>
-When a client program wishes to make an lwres request using the
-native low-level API, it typically performs the following 
-sequence of actions.
-</para>
-<para>
-(1) Allocate or use an existing <type>lwres_packet_t</type>,
-called <varname>pkt</varname> below.
-</para>
-<para>
-(2) Set <structfield>pkt.recvlength</structfield> to the maximum length we will accept.  
-This is done so the receiver of our packets knows how large our receive 
-buffer is.  The "default" is a constant in
-<filename>lwres.h</filename>: <constant>LWRES_RECVLENGTH = 4096</constant>.
-</para>
-<para>
-(3) Set <structfield>pkt.serial</structfield>
-to a unique serial number.  This value is echoed
-back to the application by the remote server.
-</para>
-<para>
-(4) Set <structfield>pkt.pktflags</structfield>.  Usually this is set to 0.
-</para>
-<para>
-(5) Set <structfield>pkt.result</structfield> to 0.
-</para>
-<para>
-(6) Call <function>lwres_*request_render()</function>, 
-or marshall in the data using the primitives
-such as <function>lwres_packet_render()</function>
-and storing the packet data.
-</para>
-<para>
-(7) Transmit the resulting buffer.
-</para>
-<para>
-(8) Call <function>lwres_*response_parse()</function>
-to parse any packets received.
-</para>
-<para>
-(9) Verify that the opcode and serial match a request, and process the
-packet specific information contained in the body.
-</para>
-</refsect1>
-<refsect1>
-<title>SERVER-SIDE LOW-LEVEL API CALL FLOW</title>
-<para>
-When implementing the server side of the lightweight resolver
-protocol using the lwres library, a sequence of actions like the
-following is typically involved in processing each request packet.
-</para>
-<para>
-Note that the same <type>lwres_packet_t</type> is used
-in both the <function>_parse()</function> and <function>_render()</function> calls,
-with only a few modifications made
-to the packet header's contents between uses.  This method is recommended
-as it keeps the serial, opcode, and other fields correct.
-</para>
-<para>
-(1) When a packet is received, call <function>lwres_*request_parse()</function> to
-unmarshall it.  This returns a <type>lwres_packet_t</type> (also called <varname>pkt</varname>, below)
-as well as a data specific type, such as <type>lwres_gabnrequest_t</type>.
-</para>
-<para>
-(2) Process the request in the data specific type.
-</para>
-<para>
-(3) Set the <structfield>pkt.result</structfield>,
-<structfield>pkt.recvlength</structfield> as above.  All other fields can
-be left untouched since they were filled in by the <function>*_parse()</function> call
-above.  If using <function>lwres_*response_render()</function>,
-<structfield>pkt.pktflags</structfield> will be set up
-properly.  Otherwise, the <constant>LWRES_LWPACKETFLAG_RESPONSE</constant> bit should be
-set.
-</para>
-<para>
-(4) Call the data specific rendering function, such as
-<function>lwres_gabnresponse_render()</function>.
-</para>
-<para>
-(5) Send the resulting packet to the client.
-</para>
-<para>
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+  <refsect1>
+    <title>OVERVIEW</title>
+    <para>
+      The lwresd library implements multiple name service APIs.
+      The standard
+      <function>gethostbyname()</function>,
+      <function>gethostbyaddr()</function>,
+      <function>gethostbyname_r()</function>,
+      <function>gethostbyaddr_r()</function>,
+      <function>getaddrinfo()</function>,
+      <function>getipnodebyname()</function>,
+      and
+      <function>getipnodebyaddr()</function>
+      functions are all supported.  To allow the lwres library to coexist
+      with system libraries that define functions of the same name,
+      the library defines these functions with names prefixed by
+      <literal>lwres_</literal>.
+      To define the standard names, applications must include the
+      header file
+      <filename>&lt;lwres/netdb.h&gt;</filename>
+      which contains macro definitions mapping the standard function names
+      into
+      <literal>lwres_</literal>
+      prefixed ones.  Operating system vendors who integrate the lwres
+      library into their base distributions should rename the functions
+      in the library proper so that the renaming macros are not needed.
+    </para>
+    <para>
+      The library also provides a native API consisting of the functions
+      <function>lwres_getaddrsbyname()</function>
+      and
+      <function>lwres_getnamebyaddr()</function>.
+      These may be called by applications that require more detailed
+      control over the lookup process than the standard functions
+      provide.
+    </para>
+    <para>
+      In addition to these name service independent address lookup
+      functions, the library implements a new, experimental API
+      for looking up arbitrary DNS resource records, using the
+      <function>lwres_getaddrsbyname()</function>
+      function.
+    </para>
+    <para>
+      Finally, there is a low-level API for converting lookup
+      requests and responses to and from raw lwres protocol packets.
+      This API can be used by clients requiring nonblocking operation,
+      and is also used when implementing the server side of the lwres
+      protocol, for example in the
+      <command>lwresd</command>
+      resolver daemon.  The use of this low-level API in clients
+      and servers is outlined in the following sections.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>CLIENT-SIDE LOW-LEVEL API CALL FLOW</title>
+    <para>
+      When a client program wishes to make an lwres request using the
+      native low-level API, it typically performs the following
+      sequence of actions.
+    </para>
+    <para>
+      (1) Allocate or use an existing <type>lwres_packet_t</type>,
+      called <varname>pkt</varname> below.
+    </para>
+    <para>
+      (2) Set <structfield>pkt.recvlength</structfield> to the maximum length
+      we will accept.
+      This is done so the receiver of our packets knows how large our receive
+      buffer is.  The "default" is a constant in
+      <filename>lwres.h</filename>: <constant>LWRES_RECVLENGTH = 4096</constant>.
+    </para>
+    <para>
+      (3) Set <structfield>pkt.serial</structfield>
+      to a unique serial number.  This value is echoed
+      back to the application by the remote server.
+    </para>
+    <para>
+      (4) Set <structfield>pkt.pktflags</structfield>.  Usually this is set to
+      0.
+    </para>
+    <para>
+      (5) Set <structfield>pkt.result</structfield> to 0.
+    </para>
+    <para>
+      (6) Call <function>lwres_*request_render()</function>,
+      or marshall in the data using the primitives
+      such as <function>lwres_packet_render()</function>
+      and storing the packet data.
+    </para>
+    <para>
+      (7) Transmit the resulting buffer.
+    </para>
+    <para>
+      (8) Call <function>lwres_*response_parse()</function>
+      to parse any packets received.
+    </para>
+    <para>
+      (9) Verify that the opcode and serial match a request, and process the
+      packet specific information contained in the body.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>SERVER-SIDE LOW-LEVEL API CALL FLOW</title>
+    <para>
+      When implementing the server side of the lightweight resolver
+      protocol using the lwres library, a sequence of actions like the
+      following is typically involved in processing each request packet.
+    </para>
+    <para>
+      Note that the same <type>lwres_packet_t</type> is used
+      in both the <function>_parse()</function> and <function>_render()</function> calls,
+      with only a few modifications made
+      to the packet header's contents between uses.  This method is
+      recommended
+      as it keeps the serial, opcode, and other fields correct.
+    </para>
+    <para>
+      (1) When a packet is received, call <function>lwres_*request_parse()</function> to
+      unmarshall it.  This returns a <type>lwres_packet_t</type> (also called <varname>pkt</varname>, below)
+      as well as a data specific type, such as <type>lwres_gabnrequest_t</type>.
+    </para>
+    <para>
+      (2) Process the request in the data specific type.
+    </para>
+    <para>
+      (3) Set the <structfield>pkt.result</structfield>,
+      <structfield>pkt.recvlength</structfield> as above.  All other fields
+      can
+      be left untouched since they were filled in by the <function>*_parse()</function> call
+      above.  If using <function>lwres_*response_render()</function>,
+      <structfield>pkt.pktflags</structfield> will be set up
+      properly.  Otherwise, the <constant>LWRES_LWPACKETFLAG_RESPONSE</constant> bit should be
+      set.
+    </para>
+    <para>
+      (4) Call the data specific rendering function, such as
+      <function>lwres_gabnresponse_render()</function>.
+    </para>
+    <para>
+      (5) Send the resulting packet to the client.
+    </para>
+    <para></para>
+  </refsect1>
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwres_getipnode</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_getipnode</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwres_noop</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_noop</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwres_gnba</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_gnba</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwres_context</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_context</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwres_config</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_config</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
-</citerefentry>,
+      <citerefentry>
+        <refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwresd</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
+      <citerefentry>
+        <refentrytitle>lwresd</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
 
-</para>
-</refsect1>
-</refentry>
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres.html b/contrib/bind9/lib/lwres/man/lwres.html
index 02af1f7..e4bbc09 100644
--- a/contrib/bind9/lib/lwres/man/lwres.html
+++ b/contrib/bind9/lib/lwres/man/lwres.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres.html,v 1.4.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres.html,v 1.5.18.18 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres &#8212; introduction to the lightweight resolver library</p>
@@ -32,185 +32,187 @@
 <div class="funcsynopsis"><pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549397"></a><h2>DESCRIPTION</h2>
-<p>
-The BIND 9 lightweight resolver library is a simple, name service
-independent stub resolver library.  It provides hostname-to-address
-and address-to-hostname lookup services to applications by
-transmitting lookup requests to a resolver daemon
-<span><strong class="command">lwresd</strong></span>
-running on the local host. The resover daemon performs the
-lookup using the DNS or possibly other name service protocols,
-and returns the results to the application through the library.  
-The library and resolver daemon communicate using a simple
-UDP-based protocol.
-</p>
+<a name="id2543348"></a><h2>DESCRIPTION</h2>
+<p>
+      The BIND 9 lightweight resolver library is a simple, name service
+      independent stub resolver library.  It provides hostname-to-address
+      and address-to-hostname lookup services to applications by
+      transmitting lookup requests to a resolver daemon
+      <span><strong class="command">lwresd</strong></span>
+      running on the local host. The resover daemon performs the
+      lookup using the DNS or possibly other name service protocols,
+      and returns the results to the application through the library.
+      The library and resolver daemon communicate using a simple
+      UDP-based protocol.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549410"></a><h2>OVERVIEW</h2>
-<p>
-The lwresd library implements multiple name service APIs.
-The standard
-<code class="function">gethostbyname()</code>,
-<code class="function">gethostbyaddr()</code>,
-<code class="function">gethostbyname_r()</code>,
-<code class="function">gethostbyaddr_r()</code>,
-<code class="function">getaddrinfo()</code>,
-<code class="function">getipnodebyname()</code>,
-and
-<code class="function">getipnodebyaddr()</code>
-functions are all supported.  To allow the lwres library to coexist
-with system libraries that define functions of the same name,
-the library defines these functions with names prefixed by
-<code class="literal">lwres_</code>.
-To define the standard names, applications must include the
-header file
-<code class="filename">&lt;lwres/netdb.h&gt;</code>
-which contains macro definitions mapping the standard function names
-into
-<code class="literal">lwres_</code>
-prefixed ones.  Operating system vendors who integrate the lwres
-library into their base distributions should rename the functions
-in the library proper so that the renaming macros are not needed.
-</p>
-<p>
-The library also provides a native API consisting of the functions
-<code class="function">lwres_getaddrsbyname()</code>
-and
-<code class="function">lwres_getnamebyaddr()</code>.
-These may be called by applications that require more detailed
-control over the lookup process than the standard functions
-provide.
-</p>
-<p>
-In addition to these name service independent address lookup
-functions, the library implements a new, experimental API
-for looking up arbitrary DNS resource records, using the
-<code class="function">lwres_getaddrsbyname()</code>
-function.
-</p>
-<p>
-Finally, there is a low-level API for converting lookup
-requests and responses to and from raw lwres protocol packets.  
-This API can be used by clients requiring nonblocking operation, 
-and is also used when implementing the server side of the lwres
-protocol, for example in the
-<span><strong class="command">lwresd</strong></span>
-resolver daemon.  The use of this low-level API in clients
-and servers is outlined in the following sections.
-</p>
+<a name="id2543361"></a><h2>OVERVIEW</h2>
+<p>
+      The lwresd library implements multiple name service APIs.
+      The standard
+      <code class="function">gethostbyname()</code>,
+      <code class="function">gethostbyaddr()</code>,
+      <code class="function">gethostbyname_r()</code>,
+      <code class="function">gethostbyaddr_r()</code>,
+      <code class="function">getaddrinfo()</code>,
+      <code class="function">getipnodebyname()</code>,
+      and
+      <code class="function">getipnodebyaddr()</code>
+      functions are all supported.  To allow the lwres library to coexist
+      with system libraries that define functions of the same name,
+      the library defines these functions with names prefixed by
+      <code class="literal">lwres_</code>.
+      To define the standard names, applications must include the
+      header file
+      <code class="filename">&lt;lwres/netdb.h&gt;</code>
+      which contains macro definitions mapping the standard function names
+      into
+      <code class="literal">lwres_</code>
+      prefixed ones.  Operating system vendors who integrate the lwres
+      library into their base distributions should rename the functions
+      in the library proper so that the renaming macros are not needed.
+    </p>
+<p>
+      The library also provides a native API consisting of the functions
+      <code class="function">lwres_getaddrsbyname()</code>
+      and
+      <code class="function">lwres_getnamebyaddr()</code>.
+      These may be called by applications that require more detailed
+      control over the lookup process than the standard functions
+      provide.
+    </p>
+<p>
+      In addition to these name service independent address lookup
+      functions, the library implements a new, experimental API
+      for looking up arbitrary DNS resource records, using the
+      <code class="function">lwres_getaddrsbyname()</code>
+      function.
+    </p>
+<p>
+      Finally, there is a low-level API for converting lookup
+      requests and responses to and from raw lwres protocol packets.
+      This API can be used by clients requiring nonblocking operation,
+      and is also used when implementing the server side of the lwres
+      protocol, for example in the
+      <span><strong class="command">lwresd</strong></span>
+      resolver daemon.  The use of this low-level API in clients
+      and servers is outlined in the following sections.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549474"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
-<p>
-When a client program wishes to make an lwres request using the
-native low-level API, it typically performs the following 
-sequence of actions.
-</p>
-<p>
-(1) Allocate or use an existing <span class="type">lwres_packet_t</span>,
-called <code class="varname">pkt</code> below.
-</p>
-<p>
-(2) Set <em class="structfield"><code>pkt.recvlength</code></em> to the maximum length we will accept.  
-This is done so the receiver of our packets knows how large our receive 
-buffer is.  The "default" is a constant in
-<code class="filename">lwres.h</code>: <code class="constant">LWRES_RECVLENGTH = 4096</code>.
-</p>
-<p>
-(3) Set <em class="structfield"><code>pkt.serial</code></em>
-to a unique serial number.  This value is echoed
-back to the application by the remote server.
-</p>
-<p>
-(4) Set <em class="structfield"><code>pkt.pktflags</code></em>.  Usually this is set to 0.
-</p>
-<p>
-(5) Set <em class="structfield"><code>pkt.result</code></em> to 0.
-</p>
-<p>
-(6) Call <code class="function">lwres_*request_render()</code>, 
-or marshall in the data using the primitives
-such as <code class="function">lwres_packet_render()</code>
-and storing the packet data.
-</p>
-<p>
-(7) Transmit the resulting buffer.
-</p>
-<p>
-(8) Call <code class="function">lwres_*response_parse()</code>
-to parse any packets received.
-</p>
-<p>
-(9) Verify that the opcode and serial match a request, and process the
-packet specific information contained in the body.
-</p>
+<a name="id2543425"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
+<p>
+      When a client program wishes to make an lwres request using the
+      native low-level API, it typically performs the following
+      sequence of actions.
+    </p>
+<p>
+      (1) Allocate or use an existing <span class="type">lwres_packet_t</span>,
+      called <code class="varname">pkt</code> below.
+    </p>
+<p>
+      (2) Set <em class="structfield"><code>pkt.recvlength</code></em> to the maximum length
+      we will accept.
+      This is done so the receiver of our packets knows how large our receive
+      buffer is.  The "default" is a constant in
+      <code class="filename">lwres.h</code>: <code class="constant">LWRES_RECVLENGTH = 4096</code>.
+    </p>
+<p>
+      (3) Set <em class="structfield"><code>pkt.serial</code></em>
+      to a unique serial number.  This value is echoed
+      back to the application by the remote server.
+    </p>
+<p>
+      (4) Set <em class="structfield"><code>pkt.pktflags</code></em>.  Usually this is set to
+      0.
+    </p>
+<p>
+      (5) Set <em class="structfield"><code>pkt.result</code></em> to 0.
+    </p>
+<p>
+      (6) Call <code class="function">lwres_*request_render()</code>,
+      or marshall in the data using the primitives
+      such as <code class="function">lwres_packet_render()</code>
+      and storing the packet data.
+    </p>
+<p>
+      (7) Transmit the resulting buffer.
+    </p>
+<p>
+      (8) Call <code class="function">lwres_*response_parse()</code>
+      to parse any packets received.
+    </p>
+<p>
+      (9) Verify that the opcode and serial match a request, and process the
+      packet specific information contained in the body.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549689"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
-<p>
-When implementing the server side of the lightweight resolver
-protocol using the lwres library, a sequence of actions like the
-following is typically involved in processing each request packet.
-</p>
-<p>
-Note that the same <span class="type">lwres_packet_t</span> is used
-in both the <code class="function">_parse()</code> and <code class="function">_render()</code> calls,
-with only a few modifications made
-to the packet header's contents between uses.  This method is recommended
-as it keeps the serial, opcode, and other fields correct.
-</p>
-<p>
-(1) When a packet is received, call <code class="function">lwres_*request_parse()</code> to
-unmarshall it.  This returns a <span class="type">lwres_packet_t</span> (also called <code class="varname">pkt</code>, below)
-as well as a data specific type, such as <span class="type">lwres_gabnrequest_t</span>.
-</p>
-<p>
-(2) Process the request in the data specific type.
-</p>
-<p>
-(3) Set the <em class="structfield"><code>pkt.result</code></em>,
-<em class="structfield"><code>pkt.recvlength</code></em> as above.  All other fields can
-be left untouched since they were filled in by the <code class="function">*_parse()</code> call
-above.  If using <code class="function">lwres_*response_render()</code>,
-<em class="structfield"><code>pkt.pktflags</code></em> will be set up
-properly.  Otherwise, the <code class="constant">LWRES_LWPACKETFLAG_RESPONSE</code> bit should be
-set.
-</p>
-<p>
-(4) Call the data specific rendering function, such as
-<code class="function">lwres_gabnresponse_render()</code>.
-</p>
-<p>
-(5) Send the resulting packet to the client.
-</p>
-<p>
-</p>
+<a name="id2543573"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
+<p>
+      When implementing the server side of the lightweight resolver
+      protocol using the lwres library, a sequence of actions like the
+      following is typically involved in processing each request packet.
+    </p>
+<p>
+      Note that the same <span class="type">lwres_packet_t</span> is used
+      in both the <code class="function">_parse()</code> and <code class="function">_render()</code> calls,
+      with only a few modifications made
+      to the packet header's contents between uses.  This method is
+      recommended
+      as it keeps the serial, opcode, and other fields correct.
+    </p>
+<p>
+      (1) When a packet is received, call <code class="function">lwres_*request_parse()</code> to
+      unmarshall it.  This returns a <span class="type">lwres_packet_t</span> (also called <code class="varname">pkt</code>, below)
+      as well as a data specific type, such as <span class="type">lwres_gabnrequest_t</span>.
+    </p>
+<p>
+      (2) Process the request in the data specific type.
+    </p>
+<p>
+      (3) Set the <em class="structfield"><code>pkt.result</code></em>,
+      <em class="structfield"><code>pkt.recvlength</code></em> as above.  All other fields
+      can
+      be left untouched since they were filled in by the <code class="function">*_parse()</code> call
+      above.  If using <code class="function">lwres_*response_render()</code>,
+      <em class="structfield"><code>pkt.pktflags</code></em> will be set up
+      properly.  Otherwise, the <code class="constant">LWRES_LWPACKETFLAG_RESPONSE</code> bit should be
+      set.
+    </p>
+<p>
+      (4) Call the data specific rendering function, such as
+      <code class="function">lwres_gabnresponse_render()</code>.
+    </p>
+<p>
+      (5) Send the resulting packet to the client.
+    </p>
+<p></p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549774"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
+<a name="id2543656"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_noop</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_noop</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_gnba</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_gnba</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_context</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_context</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_config</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_config</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>,
+      <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>.
+      <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>.
 
-</p>
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_buffer.3 b/contrib/bind9/lib/lwres/man/lwres_buffer.3
index 6231237..4bebafa 100644
--- a/contrib/bind9/lib/lwres/man/lwres_buffer.3
+++ b/contrib/bind9/lib/lwres/man/lwres_buffer.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_buffer.3,v 1.12.2.1.8.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_buffer.3,v 1.15.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_buffer
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -36,37 +36,37 @@ lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtr
 #include <lwres/lwbuffer.h>
 .fi
 .HP 23
-.BI "void lwres_buffer_init(lwres_buffer_t\ *b, void\ *base, unsigned\ int\ length);"
+.BI "void lwres_buffer_init(lwres_buffer_t\ *" "b" ", void\ *" "base" ", unsigned\ int\ " "length" ");"
 .HP 29
-.BI "void lwres_buffer_invalidate(lwres_buffer_t\ *b);"
+.BI "void lwres_buffer_invalidate(lwres_buffer_t\ *" "b" ");"
 .HP 22
-.BI "void lwres_buffer_add(lwres_buffer_t\ *b, unsigned\ int\ n);"
+.BI "void lwres_buffer_add(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");"
 .HP 27
-.BI "void lwres_buffer_subtract(lwres_buffer_t\ *b, unsigned\ int\ n);"
+.BI "void lwres_buffer_subtract(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");"
 .HP 24
-.BI "void lwres_buffer_clear(lwres_buffer_t\ *b);"
+.BI "void lwres_buffer_clear(lwres_buffer_t\ *" "b" ");"
 .HP 24
-.BI "void lwres_buffer_first(lwres_buffer_t\ *b);"
+.BI "void lwres_buffer_first(lwres_buffer_t\ *" "b" ");"
 .HP 26
-.BI "void lwres_buffer_forward(lwres_buffer_t\ *b, unsigned\ int\ n);"
+.BI "void lwres_buffer_forward(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");"
 .HP 23
-.BI "void lwres_buffer_back(lwres_buffer_t\ *b, unsigned\ int\ n);"
+.BI "void lwres_buffer_back(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");"
 .HP 36
-.BI "lwres_uint8_t lwres_buffer_getuint8(lwres_buffer_t\ *b);"
+.BI "lwres_uint8_t lwres_buffer_getuint8(lwres_buffer_t\ *" "b" ");"
 .HP 27
-.BI "void lwres_buffer_putuint8(lwres_buffer_t\ *b, lwres_uint8_t\ val);"
+.BI "void lwres_buffer_putuint8(lwres_buffer_t\ *" "b" ", lwres_uint8_t\ " "val" ");"
 .HP 38
-.BI "lwres_uint16_t lwres_buffer_getuint16(lwres_buffer_t\ *b);"
+.BI "lwres_uint16_t lwres_buffer_getuint16(lwres_buffer_t\ *" "b" ");"
 .HP 28
-.BI "void lwres_buffer_putuint16(lwres_buffer_t\ *b, lwres_uint16_t\ val);"
+.BI "void lwres_buffer_putuint16(lwres_buffer_t\ *" "b" ", lwres_uint16_t\ " "val" ");"
 .HP 38
-.BI "lwres_uint32_t lwres_buffer_getuint32(lwres_buffer_t\ *b);"
+.BI "lwres_uint32_t lwres_buffer_getuint32(lwres_buffer_t\ *" "b" ");"
 .HP 28
-.BI "void lwres_buffer_putuint32(lwres_buffer_t\ *b, lwres_uint32_t\ val);"
+.BI "void lwres_buffer_putuint32(lwres_buffer_t\ *" "b" ", lwres_uint32_t\ " "val" ");"
 .HP 25
-.BI "void lwres_buffer_putmem(lwres_buffer_t\ *b, const\ unsigned\ char\ *base, unsigned\ int\ length);"
+.BI "void lwres_buffer_putmem(lwres_buffer_t\ *" "b" ", const\ unsigned\ char\ *" "base" ", unsigned\ int\ " "length" ");"
 .HP 25
-.BI "void lwres_buffer_getmem(lwres_buffer_t\ *b, unsigned\ char\ *base, unsigned\ int\ length);"
+.BI "void lwres_buffer_getmem(lwres_buffer_t\ *" "b" ", unsigned\ char\ *" "base" ", unsigned\ int\ " "length" ");"
 .SH "DESCRIPTION"
 .PP
 These functions provide bounds checked access to a region of memory where data is being read or written. They are based on, and similar to, the
@@ -92,8 +92,7 @@ The
 \fIactive region\fR
 is an (optional) subregion of the remaining region. It extends from the current offset to an offset in the remaining region. Initially, the active region is empty. If the current offset advances beyond the chosen offset, the active region will also be empty.
 .PP
-.sp
-.RS 3n
+.RS 4
 .nf
    /\-\-\-\-\-\-\-\-\-\-\-\-entire length\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\\\\
    /\-\-\-\-\- used region \-\-\-\-\-\\\\/\-\- available \-\-\\\\
@@ -101,11 +100,23 @@ is an (optional) subregion of the remaining region. It extends from the current
    | consumed  | remaining |                |
    +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
    a           b     c     d                e
+.fi
+.RE
+.sp
+.PP
+.RS 4
+.nf
   a == base of buffer.
   b == current pointer.  Can be anywhere between a and d.
   c == active pointer.  Meaningful between b and d.
   d == used pointer.
   e == length of buffer.
+.fi
+.RE
+.sp
+.PP
+.RS 4
+.nf
   a\-e == entire length of buffer.
   a\-d == used region.
   a\-b == consumed region.
@@ -146,8 +157,7 @@ used.
 .PP
 A buffer is re\-initialised by
 \fBlwres_buffer_clear()\fR. The function sets
-used
-,
+used,
 current
 and
 active
@@ -217,4 +227,7 @@ bytes of memory from
 to
 \fIbase\fR.
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_buffer.docbook b/contrib/bind9/lib/lwres/man/lwres_buffer.docbook
index c70aee5..ab0c560 100644
--- a/contrib/bind9/lib/lwres/man/lwres_buffer.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_buffer.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,23 +18,23 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_buffer.docbook,v 1.3.206.3 2005/05/12 21:36:11 sra Exp $ -->
-
+<!-- $Id: lwres_buffer.docbook,v 1.4.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refmeta>
-<refentrytitle>lwres_buffer</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_buffer</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -44,350 +44,351 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_buffer_init</refname>
-<refname>lwres_buffer_invalidate</refname>
-<refname>lwres_buffer_add</refname>
-<refname>lwres_buffer_subtract</refname>
-<refname>lwres_buffer_clear</refname>
-<refname>lwres_buffer_first</refname>
-<refname>lwres_buffer_forward</refname>
-<refname>lwres_buffer_back</refname>
-<refname>lwres_buffer_getuint8</refname>
-<refname>lwres_buffer_putuint8</refname>
-<refname>lwres_buffer_getuint16</refname>
-<refname>lwres_buffer_putuint16</refname>
-<refname>lwres_buffer_getuint32</refname>
-<refname>lwres_buffer_putuint32</refname>
-<refname>lwres_buffer_putmem</refname>
-<refname>lwres_buffer_getmem</refname>
-<refpurpose>lightweight resolver buffer management</refpurpose>
-</refnamediv>
+  <refnamediv>
+    <refname>lwres_buffer_init</refname>
+    <refname>lwres_buffer_invalidate</refname>
+    <refname>lwres_buffer_add</refname>
+    <refname>lwres_buffer_subtract</refname>
+    <refname>lwres_buffer_clear</refname>
+    <refname>lwres_buffer_first</refname>
+    <refname>lwres_buffer_forward</refname>
+    <refname>lwres_buffer_back</refname>
+    <refname>lwres_buffer_getuint8</refname>
+    <refname>lwres_buffer_putuint8</refname>
+    <refname>lwres_buffer_getuint16</refname>
+    <refname>lwres_buffer_putuint16</refname>
+    <refname>lwres_buffer_getuint32</refname>
+    <refname>lwres_buffer_putuint32</refname>
+    <refname>lwres_buffer_putmem</refname>
+    <refname>lwres_buffer_getmem</refname>
+    <refpurpose>lightweight resolver buffer management</refpurpose>
+  </refnamediv>
 
-<refsynopsisdiv>
+  <refsynopsisdiv>
 
-<funcsynopsis>
+    <funcsynopsis>
 <funcsynopsisinfo>
 #include &lt;lwres/lwbuffer.h&gt;
 </funcsynopsisinfo>
 
 <funcprototype>
 
-<funcdef>
+        <funcdef>
 void
 <function>lwres_buffer_init</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>void *base</paramdef>
-<paramdef>unsigned int length</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>void *<parameter>base</parameter></paramdef>
+        <paramdef>unsigned int <parameter>length</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_buffer_invalidate</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_buffer_add</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned int n</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>unsigned int <parameter>n</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_buffer_subtract</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned int n</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>unsigned int <parameter>n</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_buffer_clear</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_buffer_first</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_buffer_forward</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned int n</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>unsigned int <parameter>n</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
 
-<funcdef>
+        <funcdef>
 void
 <function>lwres_buffer_back</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned int n</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>unsigned int <parameter>n</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_uint8_t
 <function>lwres_buffer_getuint8</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_buffer_putuint8</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_uint8_t val</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_uint8_t <parameter>val</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_uint16_t
 <function>lwres_buffer_getuint16</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_buffer_putuint16</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_uint16_t val</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_uint16_t <parameter>val</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_uint32_t
 <function>lwres_buffer_getuint32</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_buffer_putuint32</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_uint32_t val</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_uint32_t <parameter>val</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_buffer_putmem</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>const unsigned char *base</paramdef>
-<paramdef>unsigned int length</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>const unsigned char *<parameter>base</parameter></paramdef>
+        <paramdef>unsigned int <parameter>length</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_buffer_getmem</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned char *base</paramdef>
-<paramdef>unsigned int length</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>unsigned char *<parameter>base</parameter></paramdef>
+        <paramdef>unsigned int <parameter>length</parameter></paramdef>
+      </funcprototype>
 
 </funcsynopsis>
-</refsynopsisdiv>
+  </refsynopsisdiv>
 
-<refsect1>
+  <refsect1>
 
-<title>DESCRIPTION</title>
-<para>
-These functions provide bounds checked access to a region of memory
-where data is being read or written.
-They are based on, and similar to, the
-<literal>isc_buffer_</literal>
-functions in the ISC library.
-</para>
-<para>
-A buffer is a region of memory, together with a set of related
-subregions.
-The <emphasis>used region</emphasis> and the
-<emphasis>available</emphasis> region are disjoint, and
-their union is the buffer's region.
-The used region extends from the beginning of the buffer region to the
-last used byte.
-The available region extends from one byte greater than the last used
-byte to the end of the  buffer's region.
-The size of the used region can be changed using various
-buffer commands.
-Initially, the used region is empty.
-</para>
-<para>
-The used region is further subdivided into two disjoint regions: the
-<emphasis>consumed region</emphasis> and the <emphasis>remaining region</emphasis>.
-The union of these two regions is the used region.
-The consumed region extends from the beginning of the used region to
-the byte before the <emphasis>current</emphasis> offset (if any).
-The <emphasis>remaining</emphasis> region the current pointer to the end of the used
-region.
-The size of the consumed region can be changed using various
-buffer commands.
-Initially, the consumed region is empty.
-</para>
-<para>
-The <emphasis>active region</emphasis> is an (optional) subregion of the remaining
-region.
-It extends from the current offset to an offset in the
-remaining region.
-Initially, the active region is empty.
-If the current offset advances beyond the chosen offset,
-the active region will also be empty.
-</para>
-<para>
-<programlisting>
- 
+    <title>DESCRIPTION</title>
+    <para>
+      These functions provide bounds checked access to a region of memory
+      where data is being read or written.
+      They are based on, and similar to, the
+      <literal>isc_buffer_</literal>
+      functions in the ISC library.
+    </para>
+    <para>
+      A buffer is a region of memory, together with a set of related
+      subregions.
+      The <emphasis>used region</emphasis> and the
+      <emphasis>available</emphasis> region are disjoint, and
+      their union is the buffer's region.
+      The used region extends from the beginning of the buffer region to the
+      last used byte.
+      The available region extends from one byte greater than the last used
+      byte to the end of the  buffer's region.
+      The size of the used region can be changed using various
+      buffer commands.
+      Initially, the used region is empty.
+    </para>
+    <para>
+      The used region is further subdivided into two disjoint regions: the
+      <emphasis>consumed region</emphasis> and the <emphasis>remaining region</emphasis>.
+      The union of these two regions is the used region.
+      The consumed region extends from the beginning of the used region to
+      the byte before the <emphasis>current</emphasis> offset (if any).
+      The <emphasis>remaining</emphasis> region the current pointer to the end
+      of the used
+      region.
+      The size of the consumed region can be changed using various
+      buffer commands.
+      Initially, the consumed region is empty.
+    </para>
+    <para>
+      The <emphasis>active region</emphasis> is an (optional) subregion of the
+      remaining
+      region.
+      It extends from the current offset to an offset in the
+      remaining region.
+      Initially, the active region is empty.
+      If the current offset advances beyond the chosen offset,
+      the active region will also be empty.
+    </para>
+    <para><programlisting>
    /------------entire length---------------\\
    /----- used region -----\\/-- available --\\
    +----------------------------------------+
    | consumed  | remaining |                |
    +----------------------------------------+
    a           b     c     d                e
- 
+      </programlisting>
+    </para>
+    <para><programlisting>
   a == base of buffer.
   b == current pointer.  Can be anywhere between a and d.
   c == active pointer.  Meaningful between b and d.
   d == used pointer.
   e == length of buffer.
- 
+      </programlisting>
+    </para>
+    <para><programlisting>
   a-e == entire length of buffer.
   a-d == used region.
   a-b == consumed region.
   b-d == remaining region.
   b-c == optional active region.
 </programlisting>
-</para>
-<para>
-<function>lwres_buffer_init()</function>
-initializes the
-<type>lwres_buffer_t</type>
-<parameter>*b</parameter>
-and assocates it with the memory region of size
-<parameter>length</parameter>
-bytes starting at location
-<parameter>base.</parameter>
-</para>
-<para>
-<function>lwres_buffer_invalidate()</function>
-marks the buffer
-<parameter>*b</parameter>
-as invalid.  Invalidating a buffer after use is not required,
-but makes it possible to catch its possible accidental use.
-</para>
-<para>
-The functions
-<function>lwres_buffer_add()</function>
-and
-<function>lwres_buffer_subtract()</function>
-respectively increase and decrease the used space in
-buffer
-<parameter>*b</parameter>
-by
-<parameter>n</parameter>
-bytes.
-<function>lwres_buffer_add()</function>
-checks for buffer overflow and
-<function>lwres_buffer_subtract()</function>
-checks for underflow.
-These functions do not allocate or deallocate memory.
-They just change the value of
-<structfield>used</structfield>.
-</para>
-<para>
-A buffer is re-initialised by
-<function>lwres_buffer_clear()</function>.
-The function sets
-<structfield>used</structfield> ,
-<structfield>current</structfield>
-and
-<structfield>active</structfield>
-to zero.
-</para>
-<para>
-<function>lwres_buffer_first</function>
-makes the consumed region of buffer
-<parameter>*p</parameter>
-empty by setting
-<structfield>current</structfield>
-to zero (the start of the buffer).
-</para>
-<para>
-<function>lwres_buffer_forward()</function>
-increases the consumed region of buffer
-<parameter>*b</parameter>
-by
-<parameter>n</parameter>
-bytes, checking for overflow.
-Similarly,
-<function>lwres_buffer_back()</function>
-decreases buffer
-<parameter>b</parameter>'s
-consumed region by
-<parameter>n</parameter>
-bytes and checks for underflow.
-</para>
-<para>
-<function>lwres_buffer_getuint8()</function>
-reads an unsigned 8-bit integer from
-<parameter>*b</parameter>
-and returns it.
-<function>lwres_buffer_putuint8()</function>
-writes the unsigned 8-bit integer
-<parameter>val</parameter>
-to buffer
-<parameter>*b</parameter>.
-</para>
-<para>
-<function>lwres_buffer_getuint16()</function>
-and
-<function>lwres_buffer_getuint32()</function>
-are identical to
-<function>lwres_buffer_putuint8()</function>
-except that they respectively read an unsigned 16-bit or 32-bit integer 
-in network byte order from
-<parameter>b</parameter>.
-Similarly,
-<function>lwres_buffer_putuint16()</function>
-and
-<function>lwres_buffer_putuint32()</function>
-writes the unsigned 16-bit or 32-bit integer
-<parameter>val</parameter>
-to buffer
-<parameter>b</parameter>,
-in network byte order.
-</para>
-<para>
-Arbitrary amounts of data are read or written from a lightweight
-resolver buffer with
-<function>lwres_buffer_getmem()</function>
-and
-<function>lwres_buffer_putmem()</function>
-respectively.
-<function>lwres_buffer_putmem()</function>
-copies
-<parameter>length</parameter>
-bytes of memory at
-<parameter>base</parameter>
-to
-<parameter>b</parameter>.
-Conversely,
-<function>lwres_buffer_getmem()</function>
-copies
-<parameter>length</parameter>
-bytes of memory from
-<parameter>b</parameter>
-to
-<parameter>base</parameter>.
-</para>
-</refsect1>
-</refentry>
+    </para>
+    <para><function>lwres_buffer_init()</function>
+      initializes the
+      <type>lwres_buffer_t</type>
+      <parameter>*b</parameter>
+      and assocates it with the memory region of size
+      <parameter>length</parameter>
+      bytes starting at location
+      <parameter>base.</parameter>
+    </para>
+    <para><function>lwres_buffer_invalidate()</function>
+      marks the buffer <parameter>*b</parameter>
+      as invalid.  Invalidating a buffer after use is not required,
+      but makes it possible to catch its possible accidental use.
+    </para>
+    <para>
+      The functions
+      <function>lwres_buffer_add()</function>
+      and
+      <function>lwres_buffer_subtract()</function>
+      respectively increase and decrease the used space in
+      buffer
+      <parameter>*b</parameter>
+      by
+      <parameter>n</parameter>
+      bytes.
+      <function>lwres_buffer_add()</function>
+      checks for buffer overflow and
+      <function>lwres_buffer_subtract()</function>
+      checks for underflow.
+      These functions do not allocate or deallocate memory.
+      They just change the value of
+      <structfield>used</structfield>.
+    </para>
+    <para>
+      A buffer is re-initialised by
+      <function>lwres_buffer_clear()</function>.
+      The function sets
+      <structfield>used</structfield>,
+      <structfield>current</structfield>
+      and
+      <structfield>active</structfield>
+      to zero.
+    </para>
+    <para><function>lwres_buffer_first</function>
+      makes the consumed region of buffer
+      <parameter>*p</parameter>
+      empty by setting
+      <structfield>current</structfield>
+      to zero (the start of the buffer).
+    </para>
+    <para><function>lwres_buffer_forward()</function>
+      increases the consumed region of buffer
+      <parameter>*b</parameter>
+      by
+      <parameter>n</parameter>
+      bytes, checking for overflow.
+      Similarly,
+      <function>lwres_buffer_back()</function>
+      decreases buffer
+      <parameter>b</parameter>'s
+      consumed region by
+      <parameter>n</parameter>
+      bytes and checks for underflow.
+    </para>
+    <para><function>lwres_buffer_getuint8()</function>
+      reads an unsigned 8-bit integer from
+      <parameter>*b</parameter>
+      and returns it.
+      <function>lwres_buffer_putuint8()</function>
+      writes the unsigned 8-bit integer
+      <parameter>val</parameter>
+      to buffer
+      <parameter>*b</parameter>.
+    </para>
+    <para><function>lwres_buffer_getuint16()</function>
+      and
+      <function>lwres_buffer_getuint32()</function>
+      are identical to
+      <function>lwres_buffer_putuint8()</function>
+      except that they respectively read an unsigned 16-bit or 32-bit integer
+      in network byte order from
+      <parameter>b</parameter>.
+      Similarly,
+      <function>lwres_buffer_putuint16()</function>
+      and
+      <function>lwres_buffer_putuint32()</function>
+      writes the unsigned 16-bit or 32-bit integer
+      <parameter>val</parameter>
+      to buffer
+      <parameter>b</parameter>,
+      in network byte order.
+    </para>
+    <para>
+      Arbitrary amounts of data are read or written from a lightweight
+      resolver buffer with
+      <function>lwres_buffer_getmem()</function>
+      and
+      <function>lwres_buffer_putmem()</function>
+      respectively.
+      <function>lwres_buffer_putmem()</function>
+      copies
+      <parameter>length</parameter>
+      bytes of memory at
+      <parameter>base</parameter>
+      to
+      <parameter>b</parameter>.
+      Conversely,
+      <function>lwres_buffer_getmem()</function>
+      copies
+      <parameter>length</parameter>
+      bytes of memory from
+      <parameter>b</parameter>
+      to
+      <parameter>base</parameter>.
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_buffer.html b/contrib/bind9/lib/lwres/man/lwres_buffer.html
index 9443fbd..ed3e427 100644
--- a/contrib/bind9/lib/lwres/man/lwres_buffer.html
+++ b/contrib/bind9/lib/lwres/man/lwres_buffer.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_buffer.html,v 1.4.2.1.4.10 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_buffer.html,v 1.5.18.16 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_buffer</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem &#8212; lightweight resolver buffer management</p>
@@ -38,60 +38,45 @@
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_init</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>void * </td>
+<td>
+<var class="pdparam">base</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>unsigned int  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">length</var><code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_invalidate</b>(</code></td>
-<td> </td>
+<td>lwres_buffer_t * </td>
 <td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
+<var class="pdparam">b</var><code>)</code>;</td>
+</tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_add</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>unsigned int  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">n</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -99,71 +84,47 @@ void
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_subtract</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>unsigned int  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">n</var><code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_clear</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
+<td>lwres_buffer_t * </td>
 <td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
+<var class="pdparam">b</var><code>)</code>;</td>
+</tr></table>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_first</b>(</code></td>
-<td> </td>
+<td>lwres_buffer_t * </td>
 <td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
+<var class="pdparam">b</var><code>)</code>;</td>
+</tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_forward</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>unsigned int  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">n</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -171,127 +132,87 @@ void
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_back</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>unsigned int  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">n</var><code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 lwres_uint8_t
 <b class="fsfunc">lwres_buffer_getuint8</b>(</code></td>
-<td> </td>
+<td>lwres_buffer_t * </td>
 <td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
+<var class="pdparam">b</var><code>)</code>;</td>
+</tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_putuint8</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_uint8_t  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">val</var><code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 lwres_uint16_t
 <b class="fsfunc">lwres_buffer_getuint16</b>(</code></td>
-<td> </td>
+<td>lwres_buffer_t * </td>
 <td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
+<var class="pdparam">b</var><code>)</code>;</td>
+</tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_putuint16</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_uint16_t  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">val</var><code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 lwres_uint32_t
 <b class="fsfunc">lwres_buffer_getuint32</b>(</code></td>
-<td> </td>
+<td>lwres_buffer_t * </td>
 <td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
+<var class="pdparam">b</var><code>)</code>;</td>
+</tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_putuint32</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_uint32_t  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">val</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -299,24 +220,21 @@ void
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_putmem</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>const unsigned char * </td>
+<td>
+<var class="pdparam">base</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>unsigned int  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">length</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
@@ -324,89 +242,91 @@ void
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_getmem</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>unsigned char * </td>
+<td>
+<var class="pdparam">base</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>unsigned int  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">length</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549674"></a><h2>DESCRIPTION</h2>
+<a name="id2543892"></a><h2>DESCRIPTION</h2>
 <p>
-These functions provide bounds checked access to a region of memory
-where data is being read or written.
-They are based on, and similar to, the
-<code class="literal">isc_buffer_</code>
-functions in the ISC library.
-</p>
+      These functions provide bounds checked access to a region of memory
+      where data is being read or written.
+      They are based on, and similar to, the
+      <code class="literal">isc_buffer_</code>
+      functions in the ISC library.
+    </p>
 <p>
-A buffer is a region of memory, together with a set of related
-subregions.
-The <span class="emphasis"><em>used region</em></span> and the
-<span class="emphasis"><em>available</em></span> region are disjoint, and
-their union is the buffer's region.
-The used region extends from the beginning of the buffer region to the
-last used byte.
-The available region extends from one byte greater than the last used
-byte to the end of the  buffer's region.
-The size of the used region can be changed using various
-buffer commands.
-Initially, the used region is empty.
-</p>
+      A buffer is a region of memory, together with a set of related
+      subregions.
+      The <span class="emphasis"><em>used region</em></span> and the
+      <span class="emphasis"><em>available</em></span> region are disjoint, and
+      their union is the buffer's region.
+      The used region extends from the beginning of the buffer region to the
+      last used byte.
+      The available region extends from one byte greater than the last used
+      byte to the end of the  buffer's region.
+      The size of the used region can be changed using various
+      buffer commands.
+      Initially, the used region is empty.
+    </p>
 <p>
-The used region is further subdivided into two disjoint regions: the
-<span class="emphasis"><em>consumed region</em></span> and the <span class="emphasis"><em>remaining region</em></span>.
-The union of these two regions is the used region.
-The consumed region extends from the beginning of the used region to
-the byte before the <span class="emphasis"><em>current</em></span> offset (if any).
-The <span class="emphasis"><em>remaining</em></span> region the current pointer to the end of the used
-region.
-The size of the consumed region can be changed using various
-buffer commands.
-Initially, the consumed region is empty.
-</p>
+      The used region is further subdivided into two disjoint regions: the
+      <span class="emphasis"><em>consumed region</em></span> and the <span class="emphasis"><em>remaining region</em></span>.
+      The union of these two regions is the used region.
+      The consumed region extends from the beginning of the used region to
+      the byte before the <span class="emphasis"><em>current</em></span> offset (if any).
+      The <span class="emphasis"><em>remaining</em></span> region the current pointer to the end
+      of the used
+      region.
+      The size of the consumed region can be changed using various
+      buffer commands.
+      Initially, the consumed region is empty.
+    </p>
 <p>
-The <span class="emphasis"><em>active region</em></span> is an (optional) subregion of the remaining
-region.
-It extends from the current offset to an offset in the
-remaining region.
-Initially, the active region is empty.
-If the current offset advances beyond the chosen offset,
-the active region will also be empty.
-</p>
-<p>
-</p>
+      The <span class="emphasis"><em>active region</em></span> is an (optional) subregion of the
+      remaining
+      region.
+      It extends from the current offset to an offset in the
+      remaining region.
+      Initially, the active region is empty.
+      If the current offset advances beyond the chosen offset,
+      the active region will also be empty.
+    </p>
 <pre class="programlisting">
- 
    /------------entire length---------------\\
    /----- used region -----\\/-- available --\\
    +----------------------------------------+
    | consumed  | remaining |                |
    +----------------------------------------+
    a           b     c     d                e
- 
+      </pre>
+<p>
+    </p>
+<pre class="programlisting">
   a == base of buffer.
   b == current pointer.  Can be anywhere between a and d.
   c == active pointer.  Meaningful between b and d.
   d == used pointer.
   e == length of buffer.
- 
+      </pre>
+<p>
+    </p>
+<pre class="programlisting">
   a-e == entire length of buffer.
   a-d == used region.
   a-b == consumed region.
@@ -414,129 +334,122 @@ the active region will also be empty.
   b-c == optional active region.
 </pre>
 <p>
-</p>
-<p>
-<code class="function">lwres_buffer_init()</code>
-initializes the
-<span class="type">lwres_buffer_t</span>
-<em class="parameter"><code>*b</code></em>
-and assocates it with the memory region of size
-<em class="parameter"><code>length</code></em>
-bytes starting at location
-<em class="parameter"><code>base.</code></em>
-</p>
-<p>
-<code class="function">lwres_buffer_invalidate()</code>
-marks the buffer
-<em class="parameter"><code>*b</code></em>
-as invalid.  Invalidating a buffer after use is not required,
-but makes it possible to catch its possible accidental use.
-</p>
-<p>
-The functions
-<code class="function">lwres_buffer_add()</code>
-and
-<code class="function">lwres_buffer_subtract()</code>
-respectively increase and decrease the used space in
-buffer
-<em class="parameter"><code>*b</code></em>
-by
-<em class="parameter"><code>n</code></em>
-bytes.
-<code class="function">lwres_buffer_add()</code>
-checks for buffer overflow and
-<code class="function">lwres_buffer_subtract()</code>
-checks for underflow.
-These functions do not allocate or deallocate memory.
-They just change the value of
-<em class="structfield"><code>used</code></em>.
-</p>
-<p>
-A buffer is re-initialised by
-<code class="function">lwres_buffer_clear()</code>.
-The function sets
-<em class="structfield"><code>used</code></em> ,
-<em class="structfield"><code>current</code></em>
-and
-<em class="structfield"><code>active</code></em>
-to zero.
-</p>
-<p>
-<code class="function">lwres_buffer_first</code>
-makes the consumed region of buffer
-<em class="parameter"><code>*p</code></em>
-empty by setting
-<em class="structfield"><code>current</code></em>
-to zero (the start of the buffer).
-</p>
-<p>
-<code class="function">lwres_buffer_forward()</code>
-increases the consumed region of buffer
-<em class="parameter"><code>*b</code></em>
-by
-<em class="parameter"><code>n</code></em>
-bytes, checking for overflow.
-Similarly,
-<code class="function">lwres_buffer_back()</code>
-decreases buffer
-<em class="parameter"><code>b</code></em>'s
-consumed region by
-<em class="parameter"><code>n</code></em>
-bytes and checks for underflow.
-</p>
+    </p>
+<p><code class="function">lwres_buffer_init()</code>
+      initializes the
+      <span class="type">lwres_buffer_t</span>
+      <em class="parameter"><code>*b</code></em>
+      and assocates it with the memory region of size
+      <em class="parameter"><code>length</code></em>
+      bytes starting at location
+      <em class="parameter"><code>base.</code></em>
+    </p>
+<p><code class="function">lwres_buffer_invalidate()</code>
+      marks the buffer <em class="parameter"><code>*b</code></em>
+      as invalid.  Invalidating a buffer after use is not required,
+      but makes it possible to catch its possible accidental use.
+    </p>
 <p>
-<code class="function">lwres_buffer_getuint8()</code>
-reads an unsigned 8-bit integer from
-<em class="parameter"><code>*b</code></em>
-and returns it.
-<code class="function">lwres_buffer_putuint8()</code>
-writes the unsigned 8-bit integer
-<em class="parameter"><code>val</code></em>
-to buffer
-<em class="parameter"><code>*b</code></em>.
-</p>
+      The functions
+      <code class="function">lwres_buffer_add()</code>
+      and
+      <code class="function">lwres_buffer_subtract()</code>
+      respectively increase and decrease the used space in
+      buffer
+      <em class="parameter"><code>*b</code></em>
+      by
+      <em class="parameter"><code>n</code></em>
+      bytes.
+      <code class="function">lwres_buffer_add()</code>
+      checks for buffer overflow and
+      <code class="function">lwres_buffer_subtract()</code>
+      checks for underflow.
+      These functions do not allocate or deallocate memory.
+      They just change the value of
+      <em class="structfield"><code>used</code></em>.
+    </p>
 <p>
-<code class="function">lwres_buffer_getuint16()</code>
-and
-<code class="function">lwres_buffer_getuint32()</code>
-are identical to
-<code class="function">lwres_buffer_putuint8()</code>
-except that they respectively read an unsigned 16-bit or 32-bit integer 
-in network byte order from
-<em class="parameter"><code>b</code></em>.
-Similarly,
-<code class="function">lwres_buffer_putuint16()</code>
-and
-<code class="function">lwres_buffer_putuint32()</code>
-writes the unsigned 16-bit or 32-bit integer
-<em class="parameter"><code>val</code></em>
-to buffer
-<em class="parameter"><code>b</code></em>,
-in network byte order.
-</p>
+      A buffer is re-initialised by
+      <code class="function">lwres_buffer_clear()</code>.
+      The function sets
+      <em class="structfield"><code>used</code></em>,
+      <em class="structfield"><code>current</code></em>
+      and
+      <em class="structfield"><code>active</code></em>
+      to zero.
+    </p>
+<p><code class="function">lwres_buffer_first</code>
+      makes the consumed region of buffer
+      <em class="parameter"><code>*p</code></em>
+      empty by setting
+      <em class="structfield"><code>current</code></em>
+      to zero (the start of the buffer).
+    </p>
+<p><code class="function">lwres_buffer_forward()</code>
+      increases the consumed region of buffer
+      <em class="parameter"><code>*b</code></em>
+      by
+      <em class="parameter"><code>n</code></em>
+      bytes, checking for overflow.
+      Similarly,
+      <code class="function">lwres_buffer_back()</code>
+      decreases buffer
+      <em class="parameter"><code>b</code></em>'s
+      consumed region by
+      <em class="parameter"><code>n</code></em>
+      bytes and checks for underflow.
+    </p>
+<p><code class="function">lwres_buffer_getuint8()</code>
+      reads an unsigned 8-bit integer from
+      <em class="parameter"><code>*b</code></em>
+      and returns it.
+      <code class="function">lwres_buffer_putuint8()</code>
+      writes the unsigned 8-bit integer
+      <em class="parameter"><code>val</code></em>
+      to buffer
+      <em class="parameter"><code>*b</code></em>.
+    </p>
+<p><code class="function">lwres_buffer_getuint16()</code>
+      and
+      <code class="function">lwres_buffer_getuint32()</code>
+      are identical to
+      <code class="function">lwres_buffer_putuint8()</code>
+      except that they respectively read an unsigned 16-bit or 32-bit integer
+      in network byte order from
+      <em class="parameter"><code>b</code></em>.
+      Similarly,
+      <code class="function">lwres_buffer_putuint16()</code>
+      and
+      <code class="function">lwres_buffer_putuint32()</code>
+      writes the unsigned 16-bit or 32-bit integer
+      <em class="parameter"><code>val</code></em>
+      to buffer
+      <em class="parameter"><code>b</code></em>,
+      in network byte order.
+    </p>
 <p>
-Arbitrary amounts of data are read or written from a lightweight
-resolver buffer with
-<code class="function">lwres_buffer_getmem()</code>
-and
-<code class="function">lwres_buffer_putmem()</code>
-respectively.
-<code class="function">lwres_buffer_putmem()</code>
-copies
-<em class="parameter"><code>length</code></em>
-bytes of memory at
-<em class="parameter"><code>base</code></em>
-to
-<em class="parameter"><code>b</code></em>.
-Conversely,
-<code class="function">lwres_buffer_getmem()</code>
-copies
-<em class="parameter"><code>length</code></em>
-bytes of memory from
-<em class="parameter"><code>b</code></em>
-to
-<em class="parameter"><code>base</code></em>.
-</p>
+      Arbitrary amounts of data are read or written from a lightweight
+      resolver buffer with
+      <code class="function">lwres_buffer_getmem()</code>
+      and
+      <code class="function">lwres_buffer_putmem()</code>
+      respectively.
+      <code class="function">lwres_buffer_putmem()</code>
+      copies
+      <em class="parameter"><code>length</code></em>
+      bytes of memory at
+      <em class="parameter"><code>base</code></em>
+      to
+      <em class="parameter"><code>b</code></em>.
+      Conversely,
+      <code class="function">lwres_buffer_getmem()</code>
+      copies
+      <em class="parameter"><code>length</code></em>
+      bytes of memory from
+      <em class="parameter"><code>b</code></em>
+      to
+      <em class="parameter"><code>base</code></em>.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.3 b/contrib/bind9/lib/lwres/man/lwres_config.3
index 0a23923..5a4123d 100644
--- a/contrib/bind9/lib/lwres/man/lwres_config.3
+++ b/contrib/bind9/lib/lwres/man/lwres_config.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_config.3,v 1.12.2.1.8.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_config.3,v 1.15.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_config
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -36,15 +36,15 @@ lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_con
 #include <lwres/lwres.h>
 .fi
 .HP 21
-.BI "void lwres_conf_init(lwres_context_t\ *ctx);"
+.BI "void lwres_conf_init(lwres_context_t\ *" "ctx" ");"
 .HP 22
-.BI "void lwres_conf_clear(lwres_context_t\ *ctx);"
+.BI "void lwres_conf_clear(lwres_context_t\ *" "ctx" ");"
 .HP 32
-.BI "lwres_result_t lwres_conf_parse(lwres_context_t\ *ctx, const\ char\ *filename);"
+.BI "lwres_result_t lwres_conf_parse(lwres_context_t\ *" "ctx" ", const\ char\ *" "filename" ");"
 .HP 32
-.BI "lwres_result_t lwres_conf_print(lwres_context_t\ *ctx, FILE\ *fp);"
+.BI "lwres_result_t lwres_conf_print(lwres_context_t\ *" "ctx" ", FILE\ *" "fp" ");"
 .HP 30
-.BI "lwres_conf_t * lwres_conf_get(lwres_context_t\ *ctx);"
+.BI "lwres_conf_t * lwres_conf_get(lwres_context_t\ *" "ctx" ");"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_conf_init()\fR
@@ -100,4 +100,7 @@ unless an error occurred when converting the network addresses to a numeric host
 .PP
 \fI/etc/resolv.conf\fR
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.docbook b/contrib/bind9/lib/lwres/man/lwres_config.docbook
index 03426be..13113d3 100644
--- a/contrib/bind9/lib/lwres/man/lwres_config.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_config.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_config.docbook,v 1.2.206.3 2005/05/12 21:36:12 sra Exp $ -->
-
+<!-- $Id: lwres_config.docbook,v 1.3.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
-<refentryinfo>
+  <refentryinfo>
 
-<date>Jun 30, 2000</date>
-</refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refmeta>
-<refentrytitle>lwres_config</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_config</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -45,131 +45,129 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_conf_init</refname>
-<refname>lwres_conf_clear</refname>
-<refname>lwres_conf_parse</refname>
-<refname>lwres_conf_print</refname>
-<refname>lwres_conf_get</refname>
-<refpurpose>lightweight resolver configuration</refpurpose>
-</refnamediv>
+  <refnamediv>
+    <refname>lwres_conf_init</refname>
+    <refname>lwres_conf_clear</refname>
+    <refname>lwres_conf_parse</refname>
+    <refname>lwres_conf_print</refname>
+    <refname>lwres_conf_get</refname>
+    <refpurpose>lightweight resolver configuration</refpurpose>
+  </refnamediv>
 
-<refsynopsisdiv>
-<funcsynopsis>
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_conf_init</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_conf_clear</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_conf_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>const char *filename</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>const char *<parameter>filename</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_conf_print</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>FILE *fp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>FILE *<parameter>fp</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_conf_t *
 <function>lwres_conf_get</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+      </funcprototype>
 </funcsynopsis>
-</refsynopsisdiv>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+
+    <para><function>lwres_conf_init()</function>
+      creates an empty
+      <type>lwres_conf_t</type>
+      structure for lightweight resolver context
+      <parameter>ctx</parameter>.
+    </para>
+
+    <para><function>lwres_conf_clear()</function>
+      frees up all the internal memory used by
+      that
+      <type>lwres_conf_t</type>
+      structure in resolver context
+      <parameter>ctx</parameter>.
+    </para>
 
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_conf_init()</function>
-creates an empty
-<type>lwres_conf_t</type>
-structure for lightweight resolver context
-<parameter>ctx</parameter>.
-</para>
-<para>
-<function>lwres_conf_clear()</function>
-frees up all the internal memory used by
-that
-<type>lwres_conf_t</type>
-structure in resolver context
-<parameter>ctx</parameter>.
-</para>
-<para>
-<function>lwres_conf_parse()</function>
-opens the file
-<parameter>filename</parameter>
-and parses it to initialise the resolver context
-<parameter>ctx</parameter>'s
-<type>lwres_conf_t</type>
-structure.
-</para>
-<para>
-<function>lwres_conf_print()</function>
-prints the
-<type>lwres_conf_t</type>
-structure for resolver context
-<parameter>ctx</parameter>
-to the
-<type>FILE</type>
-<parameter>fp</parameter>.
-</para>
-</refsect1>
-<refsect1>
+    <para><function>lwres_conf_parse()</function>
+      opens the file
+      <parameter>filename</parameter>
+      and parses it to initialise the resolver context
+      <parameter>ctx</parameter>'s
+      <type>lwres_conf_t</type>
+      structure.
+    </para>
 
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_conf_parse()</function>
-returns
-<errorcode>LWRES_R_SUCCESS</errorcode>
-if it successfully read and parsed
-<parameter>filename</parameter>.
-It returns
-<errorcode>LWRES_R_FAILURE</errorcode>
-if
-<parameter>filename</parameter>
-could not be opened or contained incorrect
-resolver statements.
-</para>
-<para>
-<function>lwres_conf_print()</function>
-returns
-<errorcode>LWRES_R_SUCCESS</errorcode>
-unless an error occurred when converting the network addresses to a
-numeric host address string.
-If this happens, the function returns
-<errorcode>LWRES_R_FAILURE</errorcode>.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>stdio</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/resolv.conf</filename>
-</para>
-</refsect1>
-</refentry>
+    <para><function>lwres_conf_print()</function>
+      prints the
+      <type>lwres_conf_t</type>
+      structure for resolver context
+      <parameter>ctx</parameter>
+      to the
+      <type>FILE</type>
+      <parameter>fp</parameter>.
+    </para>
+  </refsect1>
+  <refsect1>
+
+    <title>RETURN VALUES</title>
+
+    <para><function>lwres_conf_parse()</function>
+      returns <errorcode>LWRES_R_SUCCESS</errorcode>
+      if it successfully read and parsed
+      <parameter>filename</parameter>.
+      It returns <errorcode>LWRES_R_FAILURE</errorcode>
+      if <parameter>filename</parameter>
+      could not be opened or contained incorrect
+      resolver statements.
+    </para>
+
+    <para><function>lwres_conf_print()</function>
+      returns <errorcode>LWRES_R_SUCCESS</errorcode>
+      unless an error occurred when converting the network addresses to a
+      numeric host address string.
+      If this happens, the function returns
+      <errorcode>LWRES_R_FAILURE</errorcode>.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>stdio</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>FILES</title>
+    <para><filename>/etc/resolv.conf</filename>
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.html b/contrib/bind9/lib/lwres/man/lwres_config.html
index 339a487..efa33d8 100644
--- a/contrib/bind9/lib/lwres/man/lwres_config.html
+++ b/contrib/bind9/lib/lwres/man/lwres_config.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_config.html,v 1.4.2.1.4.11 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_config.html,v 1.5.18.17 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_config</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get &#8212; lightweight resolver configuration</p>
@@ -31,56 +31,36 @@
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_conf_init</b>(</code></td>
-<td> </td>
+<td>lwres_context_t * </td>
 <td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
+<var class="pdparam">ctx</var><code>)</code>;</td>
+</tr></table>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_conf_clear</b>(</code></td>
-<td> </td>
+<td>lwres_context_t * </td>
 <td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
+<var class="pdparam">ctx</var><code>)</code>;</td>
+</tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_conf_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>const char * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">filename</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -88,113 +68,89 @@ lwres_result_t
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_conf_print</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>FILE * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">fp</var><code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
 <td><code class="funcdef">
 lwres_conf_t *
 <b class="fsfunc">lwres_conf_get</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
+<td>lwres_context_t * </td>
 <td>
-<code>)</code>;</td>
-</tr>
-</table>
+<var class="pdparam">ctx</var><code>)</code>;</td>
+</tr></table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549475"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_conf_init()</code>
-creates an empty
-<span class="type">lwres_conf_t</span>
-structure for lightweight resolver context
-<em class="parameter"><code>ctx</code></em>.
-</p>
-<p>
-<code class="function">lwres_conf_clear()</code>
-frees up all the internal memory used by
-that
-<span class="type">lwres_conf_t</span>
-structure in resolver context
-<em class="parameter"><code>ctx</code></em>.
-</p>
-<p>
-<code class="function">lwres_conf_parse()</code>
-opens the file
-<em class="parameter"><code>filename</code></em>
-and parses it to initialise the resolver context
-<em class="parameter"><code>ctx</code></em>'s
-<span class="type">lwres_conf_t</span>
-structure.
-</p>
-<p>
-<code class="function">lwres_conf_print()</code>
-prints the
-<span class="type">lwres_conf_t</span>
-structure for resolver context
-<em class="parameter"><code>ctx</code></em>
-to the
-<span class="type">FILE</span>
-<em class="parameter"><code>fp</code></em>.
-</p>
+<a name="id2543441"></a><h2>DESCRIPTION</h2>
+<p><code class="function">lwres_conf_init()</code>
+      creates an empty
+      <span class="type">lwres_conf_t</span>
+      structure for lightweight resolver context
+      <em class="parameter"><code>ctx</code></em>.
+    </p>
+<p><code class="function">lwres_conf_clear()</code>
+      frees up all the internal memory used by
+      that
+      <span class="type">lwres_conf_t</span>
+      structure in resolver context
+      <em class="parameter"><code>ctx</code></em>.
+    </p>
+<p><code class="function">lwres_conf_parse()</code>
+      opens the file
+      <em class="parameter"><code>filename</code></em>
+      and parses it to initialise the resolver context
+      <em class="parameter"><code>ctx</code></em>'s
+      <span class="type">lwres_conf_t</span>
+      structure.
+    </p>
+<p><code class="function">lwres_conf_print()</code>
+      prints the
+      <span class="type">lwres_conf_t</span>
+      structure for resolver context
+      <em class="parameter"><code>ctx</code></em>
+      to the
+      <span class="type">FILE</span>
+      <em class="parameter"><code>fp</code></em>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549546"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_conf_parse()</code>
-returns
-<span class="errorcode">LWRES_R_SUCCESS</span>
-if it successfully read and parsed
-<em class="parameter"><code>filename</code></em>.
-It returns
-<span class="errorcode">LWRES_R_FAILURE</span>
-if
-<em class="parameter"><code>filename</code></em>
-could not be opened or contained incorrect
-resolver statements.
-</p>
-<p>
-<code class="function">lwres_conf_print()</code>
-returns
-<span class="errorcode">LWRES_R_SUCCESS</span>
-unless an error occurred when converting the network addresses to a
-numeric host address string.
-If this happens, the function returns
-<span class="errorcode">LWRES_R_FAILURE</span>.
-</p>
+<a name="id2543508"></a><h2>RETURN VALUES</h2>
+<p><code class="function">lwres_conf_parse()</code>
+      returns <span class="errorcode">LWRES_R_SUCCESS</span>
+      if it successfully read and parsed
+      <em class="parameter"><code>filename</code></em>.
+      It returns <span class="errorcode">LWRES_R_FAILURE</span>
+      if <em class="parameter"><code>filename</code></em>
+      could not be opened or contained incorrect
+      resolver statements.
+    </p>
+<p><code class="function">lwres_conf_print()</code>
+      returns <span class="errorcode">LWRES_R_SUCCESS</span>
+      unless an error occurred when converting the network addresses to a
+      numeric host address string.
+      If this happens, the function returns
+      <span class="errorcode">LWRES_R_FAILURE</span>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549586"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">stdio</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
-</p>
+<a name="id2543545"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">stdio</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549612"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/resolv.conf</code>
-</p>
+<a name="id2543571"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.3 b/contrib/bind9/lib/lwres/man/lwres_context.3
index ba68e40..8883a01 100644
--- a/contrib/bind9/lib/lwres/man/lwres_context.3
+++ b/contrib/bind9/lib/lwres/man/lwres_context.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_context.3,v 1.13.2.2.2.7 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_context.3,v 1.17.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_context
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -36,19 +36,19 @@ lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_con
 #include <lwres/lwres.h>
 .fi
 .HP 36
-.BI "lwres_result_t lwres_context_create(lwres_context_t\ **contextp, void\ *arg, lwres_malloc_t\ malloc_function, lwres_free_t\ free_function);"
+.BI "lwres_result_t lwres_context_create(lwres_context_t\ **" "contextp" ", void\ *" "arg" ", lwres_malloc_t\ " "malloc_function" ", lwres_free_t\ " "free_function" ");"
 .HP 37
-.BI "lwres_result_t lwres_context_destroy(lwres_context_t\ **contextp);"
+.BI "lwres_result_t lwres_context_destroy(lwres_context_t\ **" "contextp" ");"
 .HP 30
-.BI "void lwres_context_initserial(lwres_context_t\ *ctx, lwres_uint32_t\ serial);"
+.BI "void lwres_context_initserial(lwres_context_t\ *" "ctx" ", lwres_uint32_t\ " "serial" ");"
 .HP 40
-.BI "lwres_uint32_t lwres_context_nextserial(lwres_context_t\ *ctx);"
+.BI "lwres_uint32_t lwres_context_nextserial(lwres_context_t\ *" "ctx" ");"
 .HP 27
-.BI "void lwres_context_freemem(lwres_context_t\ *ctx, void\ *mem, size_t\ len);"
+.BI "void lwres_context_freemem(lwres_context_t\ *" "ctx" ", void\ *" "mem" ", size_t\ " "len" ");"
 .HP 28
-.BI "void lwres_context_allocmem(lwres_context_t\ *ctx, size_t\ len);"
+.BI "void lwres_context_allocmem(lwres_context_t\ *" "ctx" ", size_t\ " "len" ");"
 .HP 30
-.BI "void * lwres_context_sendrecv(lwres_context_t\ *ctx, void\ *sendbase, int\ sendlen, void\ *recvbase, int\ recvlen, int\ *recvd_len);"
+.BI "void * lwres_context_sendrecv(lwres_context_t\ *" "ctx" ", void\ *" "sendbase" ", int\ " "sendlen" ", void\ *" "recvbase" ", int\ " "recvlen" ", int\ *" "recvd_len" ");"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_context_create()\fR
@@ -72,7 +72,8 @@ to free it. If
 \fImalloc_function\fR
 and
 \fIfree_function\fR
-are NULL, memory is allocated using .Xr malloc 3 and
+are NULL, memory is allocated using
+\fBmalloc\fR(3). and
 \fBfree\fR(3). It is not permitted to have a NULL
 \fImalloc_function\fR
 and a non\-NULL
@@ -161,6 +162,9 @@ times out waiting for a response.
 .PP
 \fBlwres_conf_init\fR(3),
 \fBmalloc\fR(3),
-\fBfree\fR(3 ).
+\fBfree\fR(3).
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.docbook b/contrib/bind9/lib/lwres/man/lwres_context.docbook
index 48d4336..65f157c 100644
--- a/contrib/bind9/lib/lwres/man/lwres_context.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_context.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_context.docbook,v 1.3.2.2.2.3 2005/05/12 21:36:12 sra Exp $ -->
-
+<!-- $Id: lwres_context.docbook,v 1.5.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
-<refentryinfo>
 
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<date>Jun 30, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres_context</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_context</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -46,255 +46,217 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_context_create</refname>
-<refname>lwres_context_destroy</refname>
-<refname>lwres_context_nextserial</refname>
-<refname>lwres_context_initserial</refname>
-<refname>lwres_context_freemem</refname>
-<refname>lwres_context_allocmem</refname>
-<refname>lwres_context_sendrecv</refname>
-<refpurpose>lightweight resolver context management</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
+  <refnamediv>
+    <refname>lwres_context_create</refname>
+    <refname>lwres_context_destroy</refname>
+    <refname>lwres_context_nextserial</refname>
+    <refname>lwres_context_initserial</refname>
+    <refname>lwres_context_freemem</refname>
+    <refname>lwres_context_allocmem</refname>
+    <refname>lwres_context_sendrecv</refname>
+    <refpurpose>lightweight resolver context management</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_context_create</function></funcdef>
-<paramdef>lwres_context_t **contextp</paramdef>
-<paramdef>void *arg</paramdef>
-<paramdef>lwres_malloc_t malloc_function</paramdef>
-<paramdef>lwres_free_t free_function</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t **<parameter>contextp</parameter></paramdef>
+        <paramdef>void *<parameter>arg</parameter></paramdef>
+        <paramdef>lwres_malloc_t <parameter>malloc_function</parameter></paramdef>
+        <paramdef>lwres_free_t <parameter>free_function</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_context_destroy</function></funcdef>
-<paramdef>lwres_context_t **contextp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t **<parameter>contextp</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_context_initserial</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_uint32_t serial</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_uint32_t <parameter>serial</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_uint32_t
 <function>lwres_context_nextserial</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_context_freemem</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>void *mem</paramdef>
-<paramdef>size_t len</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>void *<parameter>mem</parameter></paramdef>
+        <paramdef>size_t <parameter>len</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_context_allocmem</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>size_t len</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>size_t <parameter>len</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void *
 <function>lwres_context_sendrecv</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>void *sendbase</paramdef>
-<paramdef>int sendlen</paramdef>
-<paramdef>void *recvbase</paramdef>
-<paramdef>int recvlen</paramdef>
-<paramdef>int *recvd_len</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>void *<parameter>sendbase</parameter></paramdef>
+        <paramdef>int <parameter>sendlen</parameter></paramdef>
+        <paramdef>void *<parameter>recvbase</parameter></paramdef>
+        <paramdef>int <parameter>recvlen</parameter></paramdef>
+        <paramdef>int *<parameter>recvd_len</parameter></paramdef>
+      </funcprototype>
 </funcsynopsis>
-</refsynopsisdiv>
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_context_create()</function>
-creates a
-<type>lwres_context_t</type>
-structure for use in lightweight resolver operations.
-It holds a socket and other data needed for communicating
-with a resolver daemon.
-The new
-<type>lwres_context_t</type>
-is returned through
-<parameter>contextp</parameter>,
-
-a pointer to a
-<type>lwres_context_t</type>
-pointer.  This 
-<type>lwres_context_t</type>
-pointer must initially be NULL, and is modified 
-to point to the newly created
-<type>lwres_context_t</type>.
-
-</para>
-<para>
-When the lightweight resolver needs to perform dynamic memory
-allocation, it will call
-<parameter>malloc_function</parameter>
-to allocate memory and
-<parameter>free_function</parameter>
-
-to free it.  If 
-<parameter>malloc_function</parameter>
-and
-<parameter>free_function</parameter>
+  </refsynopsisdiv>
+  <refsect1>
+    <title>DESCRIPTION</title>
 
-are NULL, memory is allocated using
-.Xr malloc 3
-and
-<citerefentry>
-<refentrytitle>free</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
+    <para><function>lwres_context_create()</function>
+      creates a <type>lwres_context_t</type> structure for use in
+      lightweight resolver operations.  It holds a socket and other
+      data needed for communicating with a resolver daemon.  The new
+      <type>lwres_context_t</type> is returned through
+      <parameter>contextp</parameter>, a pointer to a
+      <type>lwres_context_t</type> pointer.  This
+      <type>lwres_context_t</type> pointer must initially be NULL, and
+      is modified to point to the newly created
+      <type>lwres_context_t</type>.
+    </para>
+    <para>
+      When the lightweight resolver needs to perform dynamic memory
+      allocation, it will call
+      <parameter>malloc_function</parameter>
+      to allocate memory and
+      <parameter>free_function</parameter>
+      to free it.  If
+      <parameter>malloc_function</parameter>
+      and
+      <parameter>free_function</parameter>
+      are NULL, memory is allocated using
+      <citerefentry>
+        <refentrytitle>malloc</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+      and
+      <citerefentry>
+        <refentrytitle>free</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
 
-It is not permitted to have a NULL
-<parameter>malloc_function</parameter>
-and a non-NULL
-<parameter>free_function</parameter>
-or vice versa.
-<parameter>arg</parameter>
-is passed as the first parameter to the memory
-allocation functions.  
-If
-<parameter>malloc_function</parameter>
-and
-<parameter>free_function</parameter>
-are NULL,
-<parameter>arg</parameter>
+      It is not permitted to have a NULL
+      <parameter>malloc_function</parameter> and a non-NULL
+      <parameter>free_function</parameter> or vice versa.
+      <parameter>arg</parameter> is passed as the first parameter to
+      the memory allocation functions.  If
+      <parameter>malloc_function</parameter> and
+      <parameter>free_function</parameter> are NULL,
+      <parameter>arg</parameter> is unused and should be passed as
+      NULL.
+    </para>
 
-is unused and should be passed as NULL.
-</para>
-<para>
-Once memory for the structure has been allocated,
-it is initialized using
-<citerefentry>
-<refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>
+    <para>
+      Once memory for the structure has been allocated,
+      it is initialized using
+      <citerefentry>
+        <refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      and returned via <parameter>*contextp</parameter>.
+    </para>
 
-and returned via
-<parameter>*contextp</parameter>.
+    <para><function>lwres_context_destroy()</function>
+      destroys a <type>lwres_context_t</type>, closing its socket.
+      <parameter>contextp</parameter> is a pointer to a pointer to the
+      context that is to be destroyed.  The pointer will be set to
+      NULL when the context has been destroyed.
+    </para>
 
-</para>
-<para>
-<function>lwres_context_destroy()</function>
-destroys a 
-<type>lwres_context_t</type>,
+    <para>
+      The context holds a serial number that is used to identify
+      resolver request packets and associate responses with the
+      corresponding requests.  This serial number is controlled using
+      <function>lwres_context_initserial()</function> and
+      <function>lwres_context_nextserial()</function>.
+      <function>lwres_context_initserial()</function> sets the serial
+      number for context <parameter>*ctx</parameter> to
+      <parameter>serial</parameter>.
+      <function>lwres_context_nextserial()</function> increments the
+      serial number and returns the previous value.
+    </para>
 
-closing its socket.
-<parameter>contextp</parameter>
-is a pointer to a pointer to the context that is to be destroyed.
-The pointer will be set to NULL when the context has been destroyed.
-</para>
-<para>
-The context holds a serial number that is used to identify resolver
-request packets and associate responses with the corresponding requests.
-This serial number is controlled using
-<function>lwres_context_initserial()</function>
-and
-<function>lwres_context_nextserial()</function>.
-<function>lwres_context_initserial()</function>
-sets the serial number for context
-<parameter>*ctx</parameter>
-to
-<parameter>serial</parameter>.
+    <para>
+      Memory for a lightweight resolver context is allocated and freed
+      using <function>lwres_context_allocmem()</function> and
+      <function>lwres_context_freemem()</function>.  These use
+      whatever allocations were defined when the context was created
+      with <function>lwres_context_create()</function>.
+      <function>lwres_context_allocmem()</function> allocates
+      <parameter>len</parameter> bytes of memory and if successful
+      returns a pointer to the allocated storage.
+      <function>lwres_context_freemem()</function> frees
+      <parameter>len</parameter> bytes of space starting at location
+      <parameter>mem</parameter>.
+    </para>
 
-<function>lwres_context_nextserial()</function>
-increments the serial number and returns the previous value.
-</para>
-<para>
-Memory for a lightweight resolver context is allocated and freed using
-<function>lwres_context_allocmem()</function>
-and
-<function>lwres_context_freemem()</function>.
-These use whatever allocations were defined when the context was
-created with
-<function>lwres_context_create()</function>.
-<function>lwres_context_allocmem()</function>
-allocates
-<parameter>len</parameter>
-bytes of memory and if successful returns a pointer to the allocated
-storage.
-<function>lwres_context_freemem()</function>
-frees
-<parameter>len</parameter>
-bytes of space starting at location
-<parameter>mem</parameter>.
+    <para><function>lwres_context_sendrecv()</function>
+      performs I/O for the context <parameter>ctx</parameter>.  Data
+      are read and written from the context's socket.  It writes data
+      from <parameter>sendbase</parameter> &mdash; typically a
+      lightweight resolver query packet &mdash; and waits for a reply
+      which is copied to the receive buffer at
+      <parameter>recvbase</parameter>.  The number of bytes that were
+      written to this receive buffer is returned in
+      <parameter>*recvd_len</parameter>.
+    </para>
+  </refsect1>
 
-</para>
-<para>
-<function>lwres_context_sendrecv()</function>
-performs I/O for the context
-<parameter>ctx</parameter>.
+  <refsect1>
+    <title>RETURN VALUES</title>
 
-Data are read and written from the context's socket.
-It writes data from
-<parameter>sendbase</parameter>
-&mdash; typically a lightweight resolver query packet &mdash;
-and waits for a reply which is copied to the receive buffer at
-<parameter>recvbase</parameter>.
+    <para><function>lwres_context_create()</function>
+      returns <errorcode>LWRES_R_NOMEMORY</errorcode> if memory for
+      the <type>struct lwres_context</type> could not be allocated,
+      <errorcode>LWRES_R_SUCCESS</errorcode> otherwise.
+    </para>
+    <para>
+      Successful calls to the memory allocator
+      <function>lwres_context_allocmem()</function>
+      return a pointer to the start of the allocated space.
+      It returns NULL if memory could not be allocated.
+    </para>
+    <para><errorcode>LWRES_R_SUCCESS</errorcode>
+      is returned when
+      <function>lwres_context_sendrecv()</function>
+      completes successfully.
+      <errorcode>LWRES_R_IOERROR</errorcode>
+      is returned if an I/O error occurs and
+      <errorcode>LWRES_R_TIMEOUT</errorcode>
+      is returned if
+      <function>lwres_context_sendrecv()</function>
+      times out waiting for a response.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-The number of bytes that were written to this receive buffer is
-returned in
-<parameter>*recvd_len</parameter>.
+      <citerefentry>
+        <refentrytitle>malloc</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_context_create()</function>
-returns
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-if memory for the
-<type>struct lwres_context</type>
-could not be allocated, 
-<errorcode>LWRES_R_SUCCESS</errorcode>
-otherwise.
-</para>
-<para>
-Successful calls to the memory allocator
-<function>lwres_context_allocmem()</function>
-return a pointer to the start of the allocated space.
-It returns NULL if memory could not be allocated.
-</para>
-<para>
-<errorcode>LWRES_R_SUCCESS</errorcode>
-is returned when
-<function>lwres_context_sendrecv()</function>
-completes successfully.
-<errorcode>LWRES_R_IOERROR</errorcode>
-is returned if an I/O error occurs and
-<errorcode>LWRES_R_TIMEOUT</errorcode>
-is returned if
-<function>lwres_context_sendrecv()</function>
-times out waiting for a response.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>malloc</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>free</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
+      <citerefentry>
+        <refentrytitle>free</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.html b/contrib/bind9/lib/lwres/man/lwres_context.html
index 6f7fbec..f2aa7e1 100644
--- a/contrib/bind9/lib/lwres/man/lwres_context.html
+++ b/contrib/bind9/lib/lwres/man/lwres_context.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_context.html,v 1.5.2.2.2.12 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_context.html,v 1.7.18.16 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_context</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv &#8212; lightweight resolver context management</p>
@@ -36,106 +36,81 @@
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_context_create</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t ** </td>
+<td>
+<var class="pdparam">contextp</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>void * </td>
+<td>
+<var class="pdparam">arg</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_malloc_t  </td>
+<td>
+<var class="pdparam">malloc_function</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_free_t  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">free_function</var><code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_context_destroy</b>(</code></td>
-<td> </td>
+<td>lwres_context_t ** </td>
 <td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
+<var class="pdparam">contextp</var><code>)</code>;</td>
+</tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_context_initserial</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_uint32_t  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">serial</var><code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 lwres_uint32_t
 <b class="fsfunc">lwres_context_nextserial</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
+<td>lwres_context_t * </td>
 <td>
-<code>)</code>;</td>
-</tr>
-</table>
+<var class="pdparam">ctx</var><code>)</code>;</td>
+</tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_context_freemem</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>void * </td>
+<td>
+<var class="pdparam">mem</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>size_t  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">len</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -143,19 +118,15 @@ void
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_context_allocmem</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>size_t  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">len</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
@@ -163,214 +134,162 @@ void
 <td><code class="funcdef">
 void *
 <b class="fsfunc">lwres_context_sendrecv</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>void * </td>
+<td>
+<var class="pdparam">sendbase</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>int  </td>
+<td>
+<var class="pdparam">sendlen</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>void * </td>
+<td>
+<var class="pdparam">recvbase</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>int  </td>
+<td>
+<var class="pdparam">recvlen</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>int * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">recvd_len</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549540"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_context_create()</code>
-creates a
-<span class="type">lwres_context_t</span>
-structure for use in lightweight resolver operations.
-It holds a socket and other data needed for communicating
-with a resolver daemon.
-The new
-<span class="type">lwres_context_t</span>
-is returned through
-<em class="parameter"><code>contextp</code></em>,
-
-a pointer to a
-<span class="type">lwres_context_t</span>
-pointer.  This 
-<span class="type">lwres_context_t</span>
-pointer must initially be NULL, and is modified 
-to point to the newly created
-<span class="type">lwres_context_t</span>.
-
-</p>
-<p>
-When the lightweight resolver needs to perform dynamic memory
-allocation, it will call
-<em class="parameter"><code>malloc_function</code></em>
-to allocate memory and
-<em class="parameter"><code>free_function</code></em>
-
-to free it.  If 
-<em class="parameter"><code>malloc_function</code></em>
-and
-<em class="parameter"><code>free_function</code></em>
-
-are NULL, memory is allocated using
-.Xr malloc 3
-and
-<span class="citerefentry"><span class="refentrytitle">free</span>(3)</span>.
-
-It is not permitted to have a NULL
-<em class="parameter"><code>malloc_function</code></em>
-and a non-NULL
-<em class="parameter"><code>free_function</code></em>
-or vice versa.
-<em class="parameter"><code>arg</code></em>
-is passed as the first parameter to the memory
-allocation functions.  
-If
-<em class="parameter"><code>malloc_function</code></em>
-and
-<em class="parameter"><code>free_function</code></em>
-are NULL,
-<em class="parameter"><code>arg</code></em>
-
-is unused and should be passed as NULL.
-</p>
+<a name="id2543531"></a><h2>DESCRIPTION</h2>
+<p><code class="function">lwres_context_create()</code>
+      creates a <span class="type">lwres_context_t</span> structure for use in
+      lightweight resolver operations.  It holds a socket and other
+      data needed for communicating with a resolver daemon.  The new
+      <span class="type">lwres_context_t</span> is returned through
+      <em class="parameter"><code>contextp</code></em>, a pointer to a
+      <span class="type">lwres_context_t</span> pointer.  This
+      <span class="type">lwres_context_t</span> pointer must initially be NULL, and
+      is modified to point to the newly created
+      <span class="type">lwres_context_t</span>.
+    </p>
 <p>
-Once memory for the structure has been allocated,
-it is initialized using
-<span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>
+      When the lightweight resolver needs to perform dynamic memory
+      allocation, it will call
+      <em class="parameter"><code>malloc_function</code></em>
+      to allocate memory and
+      <em class="parameter"><code>free_function</code></em>
+      to free it.  If
+      <em class="parameter"><code>malloc_function</code></em>
+      and
+      <em class="parameter"><code>free_function</code></em>
+      are NULL, memory is allocated using
+      <span class="citerefentry"><span class="refentrytitle">malloc</span>(3)</span>.
+      and
+      <span class="citerefentry"><span class="refentrytitle">free</span>(3)</span>.
 
-and returned via
-<em class="parameter"><code>*contextp</code></em>.
-
-</p>
-<p>
-<code class="function">lwres_context_destroy()</code>
-destroys a 
-<span class="type">lwres_context_t</span>,
-
-closing its socket.
-<em class="parameter"><code>contextp</code></em>
-is a pointer to a pointer to the context that is to be destroyed.
-The pointer will be set to NULL when the context has been destroyed.
-</p>
+      It is not permitted to have a NULL
+      <em class="parameter"><code>malloc_function</code></em> and a non-NULL
+      <em class="parameter"><code>free_function</code></em> or vice versa.
+      <em class="parameter"><code>arg</code></em> is passed as the first parameter to
+      the memory allocation functions.  If
+      <em class="parameter"><code>malloc_function</code></em> and
+      <em class="parameter"><code>free_function</code></em> are NULL,
+      <em class="parameter"><code>arg</code></em> is unused and should be passed as
+      NULL.
+    </p>
 <p>
-The context holds a serial number that is used to identify resolver
-request packets and associate responses with the corresponding requests.
-This serial number is controlled using
-<code class="function">lwres_context_initserial()</code>
-and
-<code class="function">lwres_context_nextserial()</code>.
-<code class="function">lwres_context_initserial()</code>
-sets the serial number for context
-<em class="parameter"><code>*ctx</code></em>
-to
-<em class="parameter"><code>serial</code></em>.
-
-<code class="function">lwres_context_nextserial()</code>
-increments the serial number and returns the previous value.
-</p>
+      Once memory for the structure has been allocated,
+      it is initialized using
+      <span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>
+      and returned via <em class="parameter"><code>*contextp</code></em>.
+    </p>
+<p><code class="function">lwres_context_destroy()</code>
+      destroys a <span class="type">lwres_context_t</span>, closing its socket.
+      <em class="parameter"><code>contextp</code></em> is a pointer to a pointer to the
+      context that is to be destroyed.  The pointer will be set to
+      NULL when the context has been destroyed.
+    </p>
 <p>
-Memory for a lightweight resolver context is allocated and freed using
-<code class="function">lwres_context_allocmem()</code>
-and
-<code class="function">lwres_context_freemem()</code>.
-These use whatever allocations were defined when the context was
-created with
-<code class="function">lwres_context_create()</code>.
-<code class="function">lwres_context_allocmem()</code>
-allocates
-<em class="parameter"><code>len</code></em>
-bytes of memory and if successful returns a pointer to the allocated
-storage.
-<code class="function">lwres_context_freemem()</code>
-frees
-<em class="parameter"><code>len</code></em>
-bytes of space starting at location
-<em class="parameter"><code>mem</code></em>.
-
-</p>
+      The context holds a serial number that is used to identify
+      resolver request packets and associate responses with the
+      corresponding requests.  This serial number is controlled using
+      <code class="function">lwres_context_initserial()</code> and
+      <code class="function">lwres_context_nextserial()</code>.
+      <code class="function">lwres_context_initserial()</code> sets the serial
+      number for context <em class="parameter"><code>*ctx</code></em> to
+      <em class="parameter"><code>serial</code></em>.
+      <code class="function">lwres_context_nextserial()</code> increments the
+      serial number and returns the previous value.
+    </p>
 <p>
-<code class="function">lwres_context_sendrecv()</code>
-performs I/O for the context
-<em class="parameter"><code>ctx</code></em>.
-
-Data are read and written from the context's socket.
-It writes data from
-<em class="parameter"><code>sendbase</code></em>
-&#8212; typically a lightweight resolver query packet &#8212;
-and waits for a reply which is copied to the receive buffer at
-<em class="parameter"><code>recvbase</code></em>.
-
-The number of bytes that were written to this receive buffer is
-returned in
-<em class="parameter"><code>*recvd_len</code></em>.
-
-</p>
+      Memory for a lightweight resolver context is allocated and freed
+      using <code class="function">lwres_context_allocmem()</code> and
+      <code class="function">lwres_context_freemem()</code>.  These use
+      whatever allocations were defined when the context was created
+      with <code class="function">lwres_context_create()</code>.
+      <code class="function">lwres_context_allocmem()</code> allocates
+      <em class="parameter"><code>len</code></em> bytes of memory and if successful
+      returns a pointer to the allocated storage.
+      <code class="function">lwres_context_freemem()</code> frees
+      <em class="parameter"><code>len</code></em> bytes of space starting at location
+      <em class="parameter"><code>mem</code></em>.
+    </p>
+<p><code class="function">lwres_context_sendrecv()</code>
+      performs I/O for the context <em class="parameter"><code>ctx</code></em>.  Data
+      are read and written from the context's socket.  It writes data
+      from <em class="parameter"><code>sendbase</code></em> &#8212; typically a
+      lightweight resolver query packet &#8212; and waits for a reply
+      which is copied to the receive buffer at
+      <em class="parameter"><code>recvbase</code></em>.  The number of bytes that were
+      written to this receive buffer is returned in
+      <em class="parameter"><code>*recvd_len</code></em>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549789"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_context_create()</code>
-returns
-<span class="errorcode">LWRES_R_NOMEMORY</span>
-if memory for the
-<span class="type">struct lwres_context</span>
-could not be allocated, 
-<span class="errorcode">LWRES_R_SUCCESS</span>
-otherwise.
-</p>
+<a name="id2543719"></a><h2>RETURN VALUES</h2>
+<p><code class="function">lwres_context_create()</code>
+      returns <span class="errorcode">LWRES_R_NOMEMORY</span> if memory for
+      the <span class="type">struct lwres_context</span> could not be allocated,
+      <span class="errorcode">LWRES_R_SUCCESS</span> otherwise.
+    </p>
 <p>
-Successful calls to the memory allocator
-<code class="function">lwres_context_allocmem()</code>
-return a pointer to the start of the allocated space.
-It returns NULL if memory could not be allocated.
-</p>
-<p>
-<span class="errorcode">LWRES_R_SUCCESS</span>
-is returned when
-<code class="function">lwres_context_sendrecv()</code>
-completes successfully.
-<span class="errorcode">LWRES_R_IOERROR</span>
-is returned if an I/O error occurs and
-<span class="errorcode">LWRES_R_TIMEOUT</span>
-is returned if
-<code class="function">lwres_context_sendrecv()</code>
-times out waiting for a response.
-</p>
+      Successful calls to the memory allocator
+      <code class="function">lwres_context_allocmem()</code>
+      return a pointer to the start of the allocated space.
+      It returns NULL if memory could not be allocated.
+    </p>
+<p><span class="errorcode">LWRES_R_SUCCESS</span>
+      is returned when
+      <code class="function">lwres_context_sendrecv()</code>
+      completes successfully.
+      <span class="errorcode">LWRES_R_IOERROR</span>
+      is returned if an I/O error occurs and
+      <span class="errorcode">LWRES_R_TIMEOUT</span>
+      is returned if
+      <code class="function">lwres_context_sendrecv()</code>
+      times out waiting for a response.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549841"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>,
+<a name="id2543769"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">malloc</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">malloc</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">free</span>(3
-)</span>.
-</p>
+      <span class="citerefentry"><span class="refentrytitle">free</span>(3)</span>.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.3 b/contrib/bind9/lib/lwres/man/lwres_gabn.3
index 593ebc5..69d311f 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gabn.3
+++ b/contrib/bind9/lib/lwres/man/lwres_gabn.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gabn.3,v 1.13.2.1.8.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_gabn.3,v 1.16.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_gabn
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -36,17 +36,17 @@ lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lw
 #include <lwres/lwres.h>
 .fi
 .HP 40
-.BI "lwres_result_t lwres_gabnrequest_render(lwres_context_t\ *ctx, lwres_gabnrequest_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
+.BI "lwres_result_t lwres_gabnrequest_render(lwres_context_t\ *" "ctx" ", lwres_gabnrequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
 .HP 41
-.BI "lwres_result_t lwres_gabnresponse_render(lwres_context_t\ *ctx, lwres_gabnresponse_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
+.BI "lwres_result_t lwres_gabnresponse_render(lwres_context_t\ *" "ctx" ", lwres_gabnresponse_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
 .HP 39
-.BI "lwres_result_t lwres_gabnrequest_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gabnrequest_t\ **structp);"
+.BI "lwres_result_t lwres_gabnrequest_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gabnrequest_t\ **" "structp" ");"
 .HP 40
-.BI "lwres_result_t lwres_gabnresponse_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gabnresponse_t\ **structp);"
+.BI "lwres_result_t lwres_gabnresponse_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gabnresponse_t\ **" "structp" ");"
 .HP 29
-.BI "void lwres_gabnresponse_free(lwres_context_t\ *ctx, lwres_gabnresponse_t\ **structp);"
+.BI "void lwres_gabnresponse_free(lwres_context_t\ *" "ctx" ", lwres_gabnresponse_t\ **" "structp" ");"
 .HP 28
-.BI "void lwres_gabnrequest_free(lwres_context_t\ *ctx, lwres_gabnrequest_t\ **structp);"
+.BI "void lwres_gabnrequest_free(lwres_context_t\ *" "ctx" ", lwres_gabnrequest_t\ **" "structp" ");"
 .SH "DESCRIPTION"
 .PP
 These are low\-level routines for creating and parsing lightweight resolver name\-to\-address lookup request and response messages.
@@ -59,18 +59,36 @@ There are four main functions for the getaddrbyname opcode. One render function
 .PP
 These structures are defined in
 \fI<lwres/lwres.h>\fR. They are shown below.
-.sp
-.RS 3n
+.PP
+.RS 4
 .nf
 #define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
+.fi
+.RE
+.sp
+.PP
+.RS 4
+.nf
 typedef struct lwres_addr lwres_addr_t;
 typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
+.fi
+.RE
+.sp
+.PP
+.RS 4
+.nf
 typedef struct {
         lwres_uint32_t  flags;
         lwres_uint32_t  addrtypes;
         lwres_uint16_t  namelen;
         char           *name;
 } lwres_gabnrequest_t;
+.fi
+.RE
+.sp
+.PP
+.RS 4
+.nf
 typedef struct {
         lwres_uint32_t          flags;
         lwres_uint16_t          naliases;
@@ -169,6 +187,9 @@ in the packet header structure
 indicate that the packet is not a response to an earlier query.
 .SH "SEE ALSO"
 .PP
-\fBlwres_packet\fR(3 )
+\fBlwres_packet\fR(3)
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.docbook b/contrib/bind9/lib/lwres/man/lwres_gabn.docbook
index 6e90ea3..3b81acf 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gabn.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_gabn.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_gabn.docbook,v 1.3.206.3 2005/05/12 21:36:12 sra Exp $ -->
-
+<!-- $Id: lwres_gabn.docbook,v 1.4.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
-<refentryinfo>
 
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<date>Jun 30, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres_gabn</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_gabn</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -45,106 +45,114 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_gabnrequest_render</refname>
-<refname>lwres_gabnresponse_render</refname>
-<refname>lwres_gabnrequest_parse</refname>
-<refname>lwres_gabnresponse_parse</refname>
-<refname>lwres_gabnresponse_free</refname>
-<refname>lwres_gabnrequest_free</refname>
-<refpurpose>lightweight resolver getaddrbyname message handling</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
+  <refnamediv>
+    <refname>lwres_gabnrequest_render</refname>
+    <refname>lwres_gabnresponse_render</refname>
+    <refname>lwres_gabnrequest_parse</refname>
+    <refname>lwres_gabnresponse_parse</refname>
+    <refname>lwres_gabnresponse_free</refname>
+    <refname>lwres_gabnrequest_free</refname>
+    <refpurpose>lightweight resolver getaddrbyname message handling</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_gabnrequest_render</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gabnrequest_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gabnrequest_t *<parameter>req</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_gabnresponse_render</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gabnresponse_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gabnresponse_t *<parameter>req</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_gabnrequest_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_gabnrequest_t **structp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_gabnrequest_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_gabnresponse_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_gabnresponse_t **structp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_gabnresponse_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_gabnresponse_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gabnresponse_t **structp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gabnresponse_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_gabnrequest_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gabnrequest_t **structp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gabnrequest_t **<parameter>structp</parameter></paramdef>
+      </funcprototype>
 </funcsynopsis>
-</refsynopsisdiv>
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These are low-level routines for creating and parsing
-lightweight resolver name-to-address lookup request and 
-response messages.
-</para><para>
-There are four main functions for the getaddrbyname opcode.
-One render function converts a getaddrbyname request structure &mdash;
-<type>lwres_gabnrequest_t</type> &mdash;
-to the lighweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a getaddrbyname request structure.
-Another render function converts the getaddrbyname response structure &mdash;
-<type>lwres_gabnresponse_t</type> &mdash;
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a getaddrbyname response structure.
-</para>
-<para>
-These structures are defined in
-<filename>&lt;lwres/lwres.h&gt;</filename>.
-They are shown below.
-<programlisting>
+  </refsynopsisdiv>
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para>
+      These are low-level routines for creating and parsing
+      lightweight resolver name-to-address lookup request and
+      response messages.
+    </para>
+    <para>
+      There are four main functions for the getaddrbyname opcode.
+      One render function converts a getaddrbyname request structure &mdash;
+      <type>lwres_gabnrequest_t</type> &mdash;
+      to the lighweight resolver's canonical format.
+      It is complemented by a parse function that converts a packet in this
+      canonical format to a getaddrbyname request structure.
+      Another render function converts the getaddrbyname response structure
+      &mdash; <type>lwres_gabnresponse_t</type> &mdash;
+      to the canonical format.
+      This is complemented by a parse function which converts a packet in
+      canonical format to a getaddrbyname response structure.
+    </para>
+    <para>
+      These structures are defined in
+      <filename>&lt;lwres/lwres.h&gt;</filename>.
+      They are shown below.
+    </para>
+    <para><programlisting>
 #define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
-
+</programlisting>
+    </para>
+    <para><programlisting>
 typedef struct lwres_addr lwres_addr_t;
 typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-
+</programlisting>
+    </para>
+    <para><programlisting>
 typedef struct {
         lwres_uint32_t  flags;
         lwres_uint32_t  addrtypes;
         lwres_uint16_t  namelen;
         char           *name;
 } lwres_gabnrequest_t;
-
+</programlisting>
+    </para>
+    <para><programlisting>
 typedef struct {
         lwres_uint32_t          flags;
         lwres_uint16_t          naliases;
@@ -158,114 +166,95 @@ typedef struct {
         size_t                  baselen;
 } lwres_gabnresponse_t;
 </programlisting>
-</para>
-<para>
-<function>lwres_gabnrequest_render()</function>
-uses resolver context
-<parameter>ctx</parameter>
-to convert getaddrbyname request structure
-<parameter>req</parameter>
-to canonical format.
-The packet header structure
-<parameter>pkt</parameter>
-is initialised and transferred to
-buffer
-<parameter>b</parameter>.
+    </para>
+
+    <para><function>lwres_gabnrequest_render()</function>
+      uses resolver context <parameter>ctx</parameter> to convert
+      getaddrbyname request structure <parameter>req</parameter> to
+      canonical format.  The packet header structure
+      <parameter>pkt</parameter> is initialised and transferred to
+      buffer <parameter>b</parameter>.
+
+      The contents of <parameter>*req</parameter> are then appended to
+      the buffer in canonical format.
+      <function>lwres_gabnresponse_render()</function> performs the
+      same task, except it converts a getaddrbyname response structure
+      <type>lwres_gabnresponse_t</type> to the lightweight resolver's
+      canonical format.
+    </para>
 
-The contents of
-<parameter>*req</parameter>
-are then appended to the buffer in canonical format.
-<function>lwres_gabnresponse_render()</function>
-performs the same task, except it converts a getaddrbyname response structure
-<type>lwres_gabnresponse_t</type>
-to the lightweight resolver's canonical format.
-</para>
-<para>
-<function>lwres_gabnrequest_parse()</function>
-uses context
-<parameter>ctx</parameter>
-to convert the contents of packet
-<parameter>pkt</parameter>
-to a
-<type>lwres_gabnrequest_t</type>
-structure.
-Buffer
-<parameter>b</parameter>
-provides space to be used for storing this structure.
-When the function succeeds, the resulting
-<type>lwres_gabnrequest_t</type>
-is made available through
-<parameter>*structp</parameter>.
+    <para><function>lwres_gabnrequest_parse()</function>
+      uses context <parameter>ctx</parameter> to convert the contents
+      of packet <parameter>pkt</parameter> to a
+      <type>lwres_gabnrequest_t</type> structure.  Buffer
+      <parameter>b</parameter> provides space to be used for storing
+      this structure.  When the function succeeds, the resulting
+      <type>lwres_gabnrequest_t</type> is made available through
+      <parameter>*structp</parameter>.
 
-<function>lwres_gabnresponse_parse()</function>
-offers the same semantics as
-<function>lwres_gabnrequest_parse()</function>
-except it yields a
-<type>lwres_gabnresponse_t</type>
-structure.
-</para>
-<para>
-<function>lwres_gabnresponse_free()</function>
-and
-<function>lwres_gabnrequest_free()</function>
-release the memory in resolver context
-<parameter>ctx</parameter>
-that was allocated to the
-<type>lwres_gabnresponse_t</type>
-or
-<type>lwres_gabnrequest_t</type>
-structures referenced via
-<parameter>structp</parameter>.
+      <function>lwres_gabnresponse_parse()</function> offers the same
+      semantics as <function>lwres_gabnrequest_parse()</function>
+      except it yields a <type>lwres_gabnresponse_t</type> structure.
+    </para>
 
-Any memory associated with ancillary buffers and strings for those
-structures is also discarded.
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The getaddrbyname opcode functions
-<function>lwres_gabnrequest_render()</function>, 
-<function>lwres_gabnresponse_render()</function>
-<function>lwres_gabnrequest_parse()</function>
-and
-<function>lwres_gabnresponse_parse()</function>
-all return
-<errorcode>LWRES_R_SUCCESS</errorcode>
-on success.
-They return
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-if memory allocation fails.
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-is returned if the available space in the buffer
-<parameter>b</parameter>
-is too small to accommodate the packet header or the
-<type>lwres_gabnrequest_t</type>
-and
-<type>lwres_gabnresponse_t</type>
-structures.
-<function>lwres_gabnrequest_parse()</function>
-and
-<function>lwres_gabnresponse_parse()</function>
-will return
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<errorcode>LWRES_R_FAILURE</errorcode>
-if
-<structfield>pktflags</structfield>
-in the packet header structure
-<type>lwres_lwpacket_t</type>
-indicate that the packet is not a response to an earlier query.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_packet</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-</para>
-</refsect1>
-</refentry>
+    <para><function>lwres_gabnresponse_free()</function>
+      and <function>lwres_gabnrequest_free()</function> release the
+      memory in resolver context <parameter>ctx</parameter> that was
+      allocated to the <type>lwres_gabnresponse_t</type> or
+      <type>lwres_gabnrequest_t</type> structures referenced via
+      <parameter>structp</parameter>.
+
+      Any memory associated with ancillary buffers and strings for
+      those structures is also discarded.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>RETURN VALUES</title>
+    <para>
+      The getaddrbyname opcode functions
+      <function>lwres_gabnrequest_render()</function>,
+      <function>lwres_gabnresponse_render()</function>
+      <function>lwres_gabnrequest_parse()</function>
+      and
+      <function>lwres_gabnresponse_parse()</function>
+      all return
+      <errorcode>LWRES_R_SUCCESS</errorcode>
+      on success.
+      They return
+      <errorcode>LWRES_R_NOMEMORY</errorcode>
+      if memory allocation fails.
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      is returned if the available space in the buffer
+      <parameter>b</parameter>
+      is too small to accommodate the packet header or the
+      <type>lwres_gabnrequest_t</type>
+      and
+      <type>lwres_gabnresponse_t</type>
+      structures.
+      <function>lwres_gabnrequest_parse()</function>
+      and
+      <function>lwres_gabnresponse_parse()</function>
+      will return
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      if the buffer is not empty after decoding the received packet.
+      These functions will return
+      <errorcode>LWRES_R_FAILURE</errorcode>
+      if
+      <structfield>pktflags</structfield>
+      in the packet header structure
+      <type>lwres_lwpacket_t</type>
+      indicate that the packet is not a response to an earlier query.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>lwres_packet</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.html b/contrib/bind9/lib/lwres/man/lwres_gabn.html
index fce25c5..e27954b 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gabn.html
+++ b/contrib/bind9/lib/lwres/man/lwres_gabn.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gabn.html,v 1.6.2.1.4.11 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_gabn.html,v 1.7.18.17 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gabn</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free &#8212; lightweight resolver getaddrbyname message handling</p>
@@ -36,29 +36,27 @@
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_gabnrequest_render</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_gabnrequest_t * </td>
+<td>
+<var class="pdparam">req</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_lwpacket_t * </td>
+<td>
+<var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_buffer_t * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">b</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -66,29 +64,27 @@ lwres_result_t
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_gabnresponse_render</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_gabnresponse_t * </td>
+<td>
+<var class="pdparam">req</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_lwpacket_t * </td>
+<td>
+<var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_buffer_t * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">b</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -96,29 +92,27 @@ lwres_result_t
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_gabnrequest_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_lwpacket_t * </td>
+<td>
+<var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_gabnrequest_t ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -126,29 +120,27 @@ lwres_result_t
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_gabnresponse_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_lwpacket_t * </td>
+<td>
+<var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_gabnresponse_t ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -156,19 +148,15 @@ lwres_result_t
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_gabnresponse_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_gabnresponse_t ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
@@ -176,61 +164,66 @@ void
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_gabnrequest_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_gabnrequest_t ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549528"></a><h2>DESCRIPTION</h2>
+<a name="id2543522"></a><h2>DESCRIPTION</h2>
 <p>
-These are low-level routines for creating and parsing
-lightweight resolver name-to-address lookup request and 
-response messages.
-</p>
+      These are low-level routines for creating and parsing
+      lightweight resolver name-to-address lookup request and
+      response messages.
+    </p>
 <p>
-There are four main functions for the getaddrbyname opcode.
-One render function converts a getaddrbyname request structure &#8212;
-<span class="type">lwres_gabnrequest_t</span> &#8212;
-to the lighweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a getaddrbyname request structure.
-Another render function converts the getaddrbyname response structure &#8212;
-<span class="type">lwres_gabnresponse_t</span> &#8212;
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a getaddrbyname response structure.
-</p>
+      There are four main functions for the getaddrbyname opcode.
+      One render function converts a getaddrbyname request structure &#8212;
+      <span class="type">lwres_gabnrequest_t</span> &#8212;
+      to the lighweight resolver's canonical format.
+      It is complemented by a parse function that converts a packet in this
+      canonical format to a getaddrbyname request structure.
+      Another render function converts the getaddrbyname response structure
+      &#8212; <span class="type">lwres_gabnresponse_t</span> &#8212;
+      to the canonical format.
+      This is complemented by a parse function which converts a packet in
+      canonical format to a getaddrbyname response structure.
+    </p>
 <p>
-These structures are defined in
-<code class="filename">&lt;lwres/lwres.h&gt;</code>.
-They are shown below.
-</p>
+      These structures are defined in
+      <code class="filename">&lt;lwres/lwres.h&gt;</code>.
+      They are shown below.
+    </p>
 <pre class="programlisting">
 #define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
-
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
 typedef struct lwres_addr lwres_addr_t;
 typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
 typedef struct {
         lwres_uint32_t  flags;
         lwres_uint32_t  addrtypes;
         lwres_uint16_t  namelen;
         char           *name;
 } lwres_gabnrequest_t;
-
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
 typedef struct {
         lwres_uint32_t          flags;
         lwres_uint16_t          naliases;
@@ -245,113 +238,87 @@ typedef struct {
 } lwres_gabnresponse_t;
 </pre>
 <p>
-</p>
-<p>
-<code class="function">lwres_gabnrequest_render()</code>
-uses resolver context
-<em class="parameter"><code>ctx</code></em>
-to convert getaddrbyname request structure
-<em class="parameter"><code>req</code></em>
-to canonical format.
-The packet header structure
-<em class="parameter"><code>pkt</code></em>
-is initialised and transferred to
-buffer
-<em class="parameter"><code>b</code></em>.
+    </p>
+<p><code class="function">lwres_gabnrequest_render()</code>
+      uses resolver context <em class="parameter"><code>ctx</code></em> to convert
+      getaddrbyname request structure <em class="parameter"><code>req</code></em> to
+      canonical format.  The packet header structure
+      <em class="parameter"><code>pkt</code></em> is initialised and transferred to
+      buffer <em class="parameter"><code>b</code></em>.
 
-The contents of
-<em class="parameter"><code>*req</code></em>
-are then appended to the buffer in canonical format.
-<code class="function">lwres_gabnresponse_render()</code>
-performs the same task, except it converts a getaddrbyname response structure
-<span class="type">lwres_gabnresponse_t</span>
-to the lightweight resolver's canonical format.
-</p>
-<p>
-<code class="function">lwres_gabnrequest_parse()</code>
-uses context
-<em class="parameter"><code>ctx</code></em>
-to convert the contents of packet
-<em class="parameter"><code>pkt</code></em>
-to a
-<span class="type">lwres_gabnrequest_t</span>
-structure.
-Buffer
-<em class="parameter"><code>b</code></em>
-provides space to be used for storing this structure.
-When the function succeeds, the resulting
-<span class="type">lwres_gabnrequest_t</span>
-is made available through
-<em class="parameter"><code>*structp</code></em>.
+      The contents of <em class="parameter"><code>*req</code></em> are then appended to
+      the buffer in canonical format.
+      <code class="function">lwres_gabnresponse_render()</code> performs the
+      same task, except it converts a getaddrbyname response structure
+      <span class="type">lwres_gabnresponse_t</span> to the lightweight resolver's
+      canonical format.
+    </p>
+<p><code class="function">lwres_gabnrequest_parse()</code>
+      uses context <em class="parameter"><code>ctx</code></em> to convert the contents
+      of packet <em class="parameter"><code>pkt</code></em> to a
+      <span class="type">lwres_gabnrequest_t</span> structure.  Buffer
+      <em class="parameter"><code>b</code></em> provides space to be used for storing
+      this structure.  When the function succeeds, the resulting
+      <span class="type">lwres_gabnrequest_t</span> is made available through
+      <em class="parameter"><code>*structp</code></em>.
 
-<code class="function">lwres_gabnresponse_parse()</code>
-offers the same semantics as
-<code class="function">lwres_gabnrequest_parse()</code>
-except it yields a
-<span class="type">lwres_gabnresponse_t</span>
-structure.
-</p>
-<p>
-<code class="function">lwres_gabnresponse_free()</code>
-and
-<code class="function">lwres_gabnrequest_free()</code>
-release the memory in resolver context
-<em class="parameter"><code>ctx</code></em>
-that was allocated to the
-<span class="type">lwres_gabnresponse_t</span>
-or
-<span class="type">lwres_gabnrequest_t</span>
-structures referenced via
-<em class="parameter"><code>structp</code></em>.
+      <code class="function">lwres_gabnresponse_parse()</code> offers the same
+      semantics as <code class="function">lwres_gabnrequest_parse()</code>
+      except it yields a <span class="type">lwres_gabnresponse_t</span> structure.
+    </p>
+<p><code class="function">lwres_gabnresponse_free()</code>
+      and <code class="function">lwres_gabnrequest_free()</code> release the
+      memory in resolver context <em class="parameter"><code>ctx</code></em> that was
+      allocated to the <span class="type">lwres_gabnresponse_t</span> or
+      <span class="type">lwres_gabnrequest_t</span> structures referenced via
+      <em class="parameter"><code>structp</code></em>.
 
-Any memory associated with ancillary buffers and strings for those
-structures is also discarded.
-</p>
+      Any memory associated with ancillary buffers and strings for
+      those structures is also discarded.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549720"></a><h2>RETURN VALUES</h2>
+<a name="id2543667"></a><h2>RETURN VALUES</h2>
 <p>
-The getaddrbyname opcode functions
-<code class="function">lwres_gabnrequest_render()</code>, 
-<code class="function">lwres_gabnresponse_render()</code>
-<code class="function">lwres_gabnrequest_parse()</code>
-and
-<code class="function">lwres_gabnresponse_parse()</code>
-all return
-<span class="errorcode">LWRES_R_SUCCESS</span>
-on success.
-They return
-<span class="errorcode">LWRES_R_NOMEMORY</span>
-if memory allocation fails.
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-is returned if the available space in the buffer
-<em class="parameter"><code>b</code></em>
-is too small to accommodate the packet header or the
-<span class="type">lwres_gabnrequest_t</span>
-and
-<span class="type">lwres_gabnresponse_t</span>
-structures.
-<code class="function">lwres_gabnrequest_parse()</code>
-and
-<code class="function">lwres_gabnresponse_parse()</code>
-will return
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<span class="errorcode">LWRES_R_FAILURE</span>
-if
-<em class="structfield"><code>pktflags</code></em>
-in the packet header structure
-<span class="type">lwres_lwpacket_t</span>
-indicate that the packet is not a response to an earlier query.
-</p>
+      The getaddrbyname opcode functions
+      <code class="function">lwres_gabnrequest_render()</code>,
+      <code class="function">lwres_gabnresponse_render()</code>
+      <code class="function">lwres_gabnrequest_parse()</code>
+      and
+      <code class="function">lwres_gabnresponse_parse()</code>
+      all return
+      <span class="errorcode">LWRES_R_SUCCESS</span>
+      on success.
+      They return
+      <span class="errorcode">LWRES_R_NOMEMORY</span>
+      if memory allocation fails.
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      is returned if the available space in the buffer
+      <em class="parameter"><code>b</code></em>
+      is too small to accommodate the packet header or the
+      <span class="type">lwres_gabnrequest_t</span>
+      and
+      <span class="type">lwres_gabnresponse_t</span>
+      structures.
+      <code class="function">lwres_gabnrequest_parse()</code>
+      and
+      <code class="function">lwres_gabnresponse_parse()</code>
+      will return
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      if the buffer is not empty after decoding the received packet.
+      These functions will return
+      <span class="errorcode">LWRES_R_FAILURE</span>
+      if
+      <em class="structfield"><code>pktflags</code></em>
+      in the packet header structure
+      <span class="type">lwres_lwpacket_t</span>
+      indicate that the packet is not a response to an earlier query.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549853"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3
-)</span>
-</p>
+<a name="id2543733"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3 b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3
index e6efcd0..4fd03e2 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3
+++ b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gai_strerror.3,v 1.13.2.1.8.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_gai_strerror.3,v 1.16.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_gai_strerror
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -30,56 +30,78 @@
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-gai_strerror \- print suitable error string
+lwres_gai_strerror \- print suitable error string
 .SH "SYNOPSIS"
 .nf
 #include <lwres/netdb.h>
 .fi
 .HP 20
-.BI "char * gai_strerror(int\ ecode);"
+.BI "char * gai_strerror(int\ " "ecode" ");"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_gai_strerror()\fR
 returns an error message corresponding to an error code returned by
 \fBgetaddrinfo()\fR. The following error codes and their meaning are defined in
 \fIinclude/lwres/netdb.h\fR.
-.TP 3n
+.PP
 \fBEAI_ADDRFAMILY\fR
+.RS 4
 address family for hostname not supported
-.TP 3n
+.RE
+.PP
 \fBEAI_AGAIN\fR
+.RS 4
 temporary failure in name resolution
-.TP 3n
+.RE
+.PP
 \fBEAI_BADFLAGS\fR
+.RS 4
 invalid value for
 \fBai_flags\fR
-.TP 3n
+.RE
+.PP
 \fBEAI_FAIL\fR
+.RS 4
 non\-recoverable failure in name resolution
-.TP 3n
+.RE
+.PP
 \fBEAI_FAMILY\fR
+.RS 4
 \fBai_family\fR
 not supported
-.TP 3n
+.RE
+.PP
 \fBEAI_MEMORY\fR
+.RS 4
 memory allocation failure
-.TP 3n
+.RE
+.PP
 \fBEAI_NODATA\fR
+.RS 4
 no address associated with hostname
-.TP 3n
+.RE
+.PP
 \fBEAI_NONAME\fR
+.RS 4
 hostname or servname not provided, or not known
-.TP 3n
+.RE
+.PP
 \fBEAI_SERVICE\fR
+.RS 4
 servname not supported for
 \fBai_socktype\fR
-.TP 3n
+.RE
+.PP
 \fBEAI_SOCKTYPE\fR
+.RS 4
 \fBai_socktype\fR
 not supported
-.TP 3n
+.RE
+.PP
 \fBEAI_SYSTEM\fR
+.RS 4
 system error returned in errno
+.RE
 The message
 invalid error code
 is returned if
@@ -101,4 +123,7 @@ used by
 \fBgetaddrinfo\fR(3),
 \fBRFC2133\fR().
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook
index f34836d..77a211b 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_gai_strerror.docbook,v 1.3.206.3 2005/05/12 21:36:13 sra Exp $ -->
-
+<!-- $Id: lwres_gai_strerror.docbook,v 1.4.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
-<refentryinfo>
 
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<date>Jun 30, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres_gai_strerror</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_gai_strerror</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -45,133 +45,156 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>gai_strerror</refname>
-<refpurpose>print suitable error string</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
+  <refnamediv>
+    <refname>lwres_gai_strerror</refname>
+    <refpurpose>print suitable error string</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
 <funcprototype>
-<funcdef>
+        <funcdef>
 char *
 <function>gai_strerror</function></funcdef>
-<paramdef>int ecode</paramdef>
-</funcprototype>
+        <paramdef>int <parameter>ecode</parameter></paramdef>
+      </funcprototype>
 </funcsynopsis>
-</refsynopsisdiv>
+  </refsynopsisdiv>
 
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_gai_strerror()</function>
-returns an error message corresponding to an error code returned by
-<function>getaddrinfo()</function>.
-The following error codes and their meaning are defined in
-<filename>include/lwres/netdb.h</filename>.
-<variablelist>
-<varlistentry><term><errorcode>EAI_ADDRFAMILY</errorcode></term>
-<listitem>
-<para>
-address family for hostname not supported
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_AGAIN</errorcode></term>
-<listitem>
-<para>
-temporary failure in name resolution
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_BADFLAGS</errorcode></term>
-<listitem>
-<para>
-invalid value for
-<constant>ai_flags</constant>
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_FAIL</errorcode></term>
-<listitem>
-<para>
-non-recoverable failure in name resolution
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_FAMILY</errorcode></term>
-<listitem>
-<para>
-<constant>ai_family</constant> not supported
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_MEMORY</errorcode></term>
-<listitem>
-<para>
-memory allocation failure
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_NODATA</errorcode></term>
-<listitem>
-<para>
-no address associated with hostname
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_NONAME</errorcode></term>
-<listitem>
-<para>
-hostname or servname not provided, or not known
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_SERVICE</errorcode></term>
-<listitem>
-<para>
-servname not supported for <constant>ai_socktype</constant>
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_SOCKTYPE</errorcode></term>
-<listitem>
-<para>
-<constant>ai_socktype</constant> not supported
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_SYSTEM</errorcode></term>
-<listitem>
-<para>
-system error returned in errno
-</para>
-</listitem></varlistentry>
-</variablelist>
-The message <errorname>invalid error code</errorname> is returned if
-<parameter>ecode</parameter>
-is out of range.
-</para>
-<para>
-<constant>ai_flags</constant>,
-<constant>ai_family</constant>
-and
-<constant>ai_socktype</constant>
-are elements of the
-<type>struct  addrinfo</type>
-used by
-<function>lwres_getaddrinfo()</function>.
-</para>
-</refsect1>
+  <refsect1>
+    <title>DESCRIPTION</title>
 
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>strerror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+    <para><function>lwres_gai_strerror()</function>
+      returns an error message corresponding to an error code returned by
+      <function>getaddrinfo()</function>.
+      The following error codes and their meaning are defined in
+      <filename>include/lwres/netdb.h</filename>.
+      <variablelist>
+        <varlistentry>
+          <term><errorcode>EAI_ADDRFAMILY</errorcode></term>
+          <listitem>
+            <para>
+              address family for hostname not supported
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_AGAIN</errorcode></term>
+          <listitem>
+            <para>
+              temporary failure in name resolution
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_BADFLAGS</errorcode></term>
+          <listitem>
+            <para>
+              invalid value for
+              <constant>ai_flags</constant>
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_FAIL</errorcode></term>
+          <listitem>
+            <para>
+              non-recoverable failure in name resolution
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_FAMILY</errorcode></term>
+          <listitem>
+            <para><constant>ai_family</constant> not supported
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_MEMORY</errorcode></term>
+          <listitem>
+            <para>
+              memory allocation failure
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_NODATA</errorcode></term>
+          <listitem>
+            <para>
+              no address associated with hostname
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_NONAME</errorcode></term>
+          <listitem>
+            <para>
+              hostname or servname not provided, or not known
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_SERVICE</errorcode></term>
+          <listitem>
+            <para>
+              servname not supported for <constant>ai_socktype</constant>
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_SOCKTYPE</errorcode></term>
+          <listitem>
+            <para><constant>ai_socktype</constant> not supported
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_SYSTEM</errorcode></term>
+          <listitem>
+            <para>
+              system error returned in errno
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+      The message <errorname>invalid error code</errorname> is returned if
+      <parameter>ecode</parameter>
+      is out of range.
+    </para>
+    <para><constant>ai_flags</constant>,
+      <constant>ai_family</constant>
+      and
+      <constant>ai_socktype</constant>
+      are elements of the
+      <type>struct  addrinfo</type>
+      used by
+      <function>lwres_getaddrinfo()</function>.
+    </para>
+  </refsect1>
 
-<citerefentry>
-<refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>RFC2133</refentrytitle>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
+      <citerefentry>
+        <refentrytitle>getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>RFC2133</refentrytitle>
+      </citerefentry>.
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
index 4b244e3..9673253 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
+++ b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,111 +14,111 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gai_strerror.html,v 1.5.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_gai_strerror.html,v 1.6.18.18 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gai_strerror</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
-<p>gai_strerror &#8212; print suitable error string</p>
+<p>lwres_gai_strerror &#8212; print suitable error string</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<p><code class="funcdef">
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
+<td><code class="funcdef">
 char *
-<b class="fsfunc">gai_strerror</b>(</code>int ecode<code>)</code>;</p>
+<b class="fsfunc">gai_strerror</b>(</code></td>
+<td>int  </td>
+<td>
+<var class="pdparam">ecode</var><code>)</code>;</td>
+</tr></table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549408"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_gai_strerror()</code>
-returns an error message corresponding to an error code returned by
-<code class="function">getaddrinfo()</code>.
-The following error codes and their meaning are defined in
-<code class="filename">include/lwres/netdb.h</code>.
-</p>
+<a name="id2543361"></a><h2>DESCRIPTION</h2>
+<p><code class="function">lwres_gai_strerror()</code>
+      returns an error message corresponding to an error code returned by
+      <code class="function">getaddrinfo()</code>.
+      The following error codes and their meaning are defined in
+      <code class="filename">include/lwres/netdb.h</code>.
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span class="errorcode">EAI_ADDRFAMILY</span></span></dt>
 <dd><p>
-address family for hostname not supported
-</p></dd>
+              address family for hostname not supported
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_AGAIN</span></span></dt>
 <dd><p>
-temporary failure in name resolution
-</p></dd>
+              temporary failure in name resolution
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_BADFLAGS</span></span></dt>
 <dd><p>
-invalid value for
-<code class="constant">ai_flags</code>
-</p></dd>
+              invalid value for
+              <code class="constant">ai_flags</code>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_FAIL</span></span></dt>
 <dd><p>
-non-recoverable failure in name resolution
-</p></dd>
+              non-recoverable failure in name resolution
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_FAMILY</span></span></dt>
-<dd><p>
-<code class="constant">ai_family</code> not supported
-</p></dd>
+<dd><p><code class="constant">ai_family</code> not supported
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_MEMORY</span></span></dt>
 <dd><p>
-memory allocation failure
-</p></dd>
+              memory allocation failure
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_NODATA</span></span></dt>
 <dd><p>
-no address associated with hostname
-</p></dd>
+              no address associated with hostname
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_NONAME</span></span></dt>
 <dd><p>
-hostname or servname not provided, or not known
-</p></dd>
+              hostname or servname not provided, or not known
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_SERVICE</span></span></dt>
 <dd><p>
-servname not supported for <code class="constant">ai_socktype</code>
-</p></dd>
+              servname not supported for <code class="constant">ai_socktype</code>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_SOCKTYPE</span></span></dt>
-<dd><p>
-<code class="constant">ai_socktype</code> not supported
-</p></dd>
+<dd><p><code class="constant">ai_socktype</code> not supported
+            </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_SYSTEM</span></span></dt>
 <dd><p>
-system error returned in errno
-</p></dd>
+              system error returned in errno
+            </p></dd>
 </dl></div>
 <p>
-The message <span class="errorname">invalid error code</span> is returned if
-<em class="parameter"><code>ecode</code></em>
-is out of range.
-</p>
-<p>
-<code class="constant">ai_flags</code>,
-<code class="constant">ai_family</code>
-and
-<code class="constant">ai_socktype</code>
-are elements of the
-<span class="type">struct  addrinfo</span>
-used by
-<code class="function">lwres_getaddrinfo()</code>.
-</p>
+      The message <span class="errorname">invalid error code</span> is returned if
+      <em class="parameter"><code>ecode</code></em>
+      is out of range.
+    </p>
+<p><code class="constant">ai_flags</code>,
+      <code class="constant">ai_family</code>
+      and
+      <code class="constant">ai_socktype</code>
+      are elements of the
+      <span class="type">struct  addrinfo</span>
+      used by
+      <code class="function">lwres_getaddrinfo()</code>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549605"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">strerror</span>(3)</span>,
+<a name="id2543576"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">strerror</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">getaddrinfo</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">getaddrinfo</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>.
-</p>
+      <span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3 b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3
index fe52cd5..9d198d6 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3
+++ b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getaddrinfo.3,v 1.16.2.1.8.7 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_getaddrinfo.3,v 1.20.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_getaddrinfo
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -36,14 +36,14 @@ lwres_getaddrinfo, lwres_freeaddrinfo \- socket address structure to host and se
 #include <lwres/netdb.h>
 .fi
 .HP 22
-.BI "int lwres_getaddrinfo(const\ char\ *hostname, const\ char\ *servname, const\ struct\ addrinfo\ *hints, struct\ addrinfo\ **res);"
+.BI "int lwres_getaddrinfo(const\ char\ *" "hostname" ", const\ char\ *" "servname" ", const\ struct\ addrinfo\ *" "hints" ", struct\ addrinfo\ **" "res" ");"
 .HP 24
-.BI "void lwres_freeaddrinfo(struct\ addrinfo\ *ai);"
+.BI "void lwres_freeaddrinfo(struct\ addrinfo\ *" "ai" ");"
 .PP
 If the operating system does not provide a
 \fBstruct addrinfo\fR, the following structure is used:
-.sp
-.RS 3n
+.PP
+.RS 4
 .nf
 struct  addrinfo {
         int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
@@ -82,14 +82,17 @@ is either a decimal port number or a service name as listed in
 is an optional pointer to a
 \fBstruct addrinfo\fR. This structure can be used to provide hints concerning the type of socket that the caller supports or wishes to use. The caller can supply the following structure elements in
 \fI*hints\fR:
-.TP 3n
+.PP
 \fBai_family\fR
+.RS 4
 The protocol family that should be used. When
 \fBai_family\fR
 is set to
 \fBPF_UNSPEC\fR, it means the caller will accept any protocol family supported by the operating system.
-.TP 3n
+.RE
+.PP
 \fBai_socktype\fR
+.RS 4
 denotes the type of socket \(em
 \fBSOCK_STREAM\fR,
 \fBSOCK_DGRAM\fR
@@ -98,13 +101,17 @@ or
 \(em that is wanted. When
 \fBai_socktype\fR
 is zero the caller will accept any socket type.
-.TP 3n
+.RE
+.PP
 \fBai_protocol\fR
+.RS 4
 indicates which transport protocol is wanted: IPPROTO_UDP or IPPROTO_TCP. If
 \fBai_protocol\fR
 is zero the caller will accept any protocol.
-.TP 3n
+.RE
+.PP
 \fBai_flags\fR
+.RS 4
 Flag bits. If the
 \fBAI_CANONNAME\fR
 bit is set, a successful call to
@@ -129,11 +136,11 @@ When
 does not set the
 \fBAI_PASSIVE\fR
 bit, the returned socket address structure will be ready for use in a call to
-\fBconnect\fR(2 )
+\fBconnect\fR(2)
 for a connection\-oriented protocol or
 \fBconnect\fR(2),
 \fBsendto\fR(2), or
-\fBsendmsg\fR(2 )
+\fBsendmsg\fR(2)
 if a connectionless protocol was chosen. The IP address portion of the socket address structure will be set to the loopback address if
 \fIhostname\fR
 is a
@@ -150,6 +157,7 @@ is set to
 it indicates that
 \fIhostname\fR
 should be treated as a numeric string defining an IPv4 or IPv6 address and no name resolution should be attempted.
+.RE
 .PP
 All other elements of the
 \fBstruct addrinfo\fR
@@ -208,7 +216,7 @@ created by a call to
 .PP
 \fBlwres_getaddrinfo()\fR
 returns zero on success or one of the error codes listed in
-\fBgai_strerror\fR(3 )
+\fBgai_strerror\fR(3)
 if an error occurs. If both
 \fIhostname\fR
 and
@@ -232,4 +240,7 @@ returns
 \fBsendmsg\fR(2),
 \fBsocket\fR(2).
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
index 1907219..fa7c086 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_getaddrinfo.docbook,v 1.5.206.4 2005/05/12 21:36:14 sra Exp $ -->
-
+<!-- $Id: lwres_getaddrinfo.docbook,v 1.7.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refmeta>
-<refentrytitle>lwres_getaddrinfo</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_getaddrinfo</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -46,37 +46,37 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_getaddrinfo</refname>
-<refname>lwres_freeaddrinfo</refname>
-<refpurpose>socket address structure to host and service name</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
+  <refnamediv>
+    <refname>lwres_getaddrinfo</refname>
+    <refname>lwres_freeaddrinfo</refname>
+    <refpurpose>socket address structure to host and service name</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
 <funcprototype>
-<funcdef>
+        <funcdef>
 int
 <function>lwres_getaddrinfo</function></funcdef>
-<paramdef>const char *hostname</paramdef>
-<paramdef>const char *servname</paramdef>
-<paramdef>const struct addrinfo *hints</paramdef>
-<paramdef>struct addrinfo **res</paramdef>
-</funcprototype>
+        <paramdef>const char *<parameter>hostname</parameter></paramdef>
+        <paramdef>const char *<parameter>servname</parameter></paramdef>
+        <paramdef>const struct addrinfo *<parameter>hints</parameter></paramdef>
+        <paramdef>struct addrinfo **<parameter>res</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_freeaddrinfo</function></funcdef>
-<paramdef>struct addrinfo *ai</paramdef>
-</funcprototype>
+        <paramdef>struct addrinfo *<parameter>ai</parameter></paramdef>
+      </funcprototype>
 </funcsynopsis>
 
-<para>
-If the operating system does not provide a
-<type>struct addrinfo</type>,
-the following structure is used:
-
-<programlisting>
+    <para>
+      If the operating system does not provide a
+      <type>struct addrinfo</type>,
+      the following structure is used:
+    </para>
+    <para><programlisting>
 struct  addrinfo {
         int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
         int             ai_family;      /* PF_xxx */
@@ -88,301 +88,300 @@ struct  addrinfo {
         struct addrinfo *ai_next;       /* next structure in linked list */
 };
 </programlisting>
-</para>
-
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_getaddrinfo()</function>
-is used to get a list of IP addresses and port numbers for host
-<parameter>hostname</parameter>
-and service
-<parameter>servname</parameter>.
-
-The function is the lightweight resolver's implementation of
-<function>getaddrinfo()</function>
-as defined in RFC2133.
-<parameter>hostname</parameter>
-and
-<parameter>servname</parameter>
-are pointers to null-terminated
-strings or
-<type>NULL</type>.
-
-<parameter>hostname</parameter>
-is either a host name or a numeric host address string: a dotted decimal
-IPv4 address or an IPv6 address.
-<parameter>servname</parameter>
-is either a decimal port number or a service name as listed in
-<filename>/etc/services</filename>.
-</para>
-
-<para>
-<parameter>hints</parameter>
-is an optional pointer to a
-<type>struct addrinfo</type>.
-This structure can be used to provide hints concerning the type of socket
-that the caller supports or wishes to use.
-The caller can supply the following structure elements in
-<parameter>*hints</parameter>:
-
-<variablelist>
-<varlistentry><term><constant>ai_family</constant></term>
-<listitem>
-<para>The protocol family that should be used.
-When
-<constant>ai_family</constant>
-is set to
-<type>PF_UNSPEC</type>,
-it means the caller will accept any protocol family supported by the
-operating system.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>ai_socktype</constant></term>
-<listitem>
-<para>
-denotes the type of socket &mdash;
-<type>SOCK_STREAM</type>,
-<type>SOCK_DGRAM</type>
-or
-<type>SOCK_RAW</type>
-&mdash; that is wanted.
-When
-<constant>ai_socktype</constant>
-is zero the caller will accept any socket type.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry><term><constant>ai_protocol</constant></term>
-<listitem>
-<para>
-indicates which transport protocol is wanted: IPPROTO_UDP or 
-IPPROTO_TCP.
-If
-<constant>ai_protocol</constant>
-is zero the caller will accept any protocol.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry><term><constant>ai_flags</constant></term>
-<listitem>
-<para>
-Flag bits.
-If the
-<type>AI_CANONNAME</type>
-bit is set, a successful call to
-<function>lwres_getaddrinfo()</function>
-will return a null-terminated string containing the canonical name
-of the specified hostname in
-<constant>ai_canonname</constant>
-of the first
-<type>addrinfo</type>
-structure returned.
-Setting the
-<type>AI_PASSIVE</type>
-bit indicates that the returned socket address structure is intended
-for used in a call to
-<citerefentry>
-<refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>.
-
-In this case, if the hostname argument is a
-<type>NULL</type>
-pointer, then the IP address portion of the socket
-address structure will be set to
-<type>INADDR_ANY</type>
-for an IPv4 address or
-<type>IN6ADDR_ANY_INIT</type>
-for an IPv6 address.
-</para>
-<para>
-When
-<constant>ai_flags</constant>
-does not set the
-<type>AI_PASSIVE</type>
-bit, the returned socket address structure will be ready
-for use in a call to
-<citerefentry>
-<refentrytitle>connect</refentrytitle><manvolnum>2
-</manvolnum>
-</citerefentry>
-for a connection-oriented protocol or
-<citerefentry>
-<refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>sendto</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-or
-<citerefentry>
-<refentrytitle>sendmsg</refentrytitle><manvolnum>2
-</manvolnum>
-</citerefentry>
-if a connectionless protocol was chosen.
-The IP address portion of the socket address structure will be
-set to the loopback address if
-<parameter>hostname</parameter>
-is a
-<type>NULL</type>
-pointer and
-<type>AI_PASSIVE</type>
-is not set in
-<constant>ai_flags</constant>.
-</para>
-<para>
-If
-<constant>ai_flags</constant>
-is set to
-<type>AI_NUMERICHOST</type>
-it indicates that
-<parameter>hostname</parameter>
-should be treated as a numeric string defining an IPv4 or IPv6 address
-and no name resolution should be attempted.
-</para>
-</listitem>
-</varlistentry>
-</variablelist>
-</para>
-
-<para>
-All other elements of the <type>struct addrinfo</type> passed
-via <parameter>hints</parameter> must be zero.
-</para>
-
-<para>
-A <parameter>hints</parameter> of <type>NULL</type> is treated as if
-the caller provided a <type>struct addrinfo</type> initialized to zero
-with <constant>ai_family</constant>set to
-<constant>PF_UNSPEC</constant>.
-</para>
-
-<para>
-After a successful call to
-<function>lwres_getaddrinfo()</function>,
-<parameter>*res</parameter>
-is a pointer to a linked list of one or more
-<type>addrinfo</type>
-structures.
-Each
-<type>struct addrinfo</type>
-in this list cn be processed by following
-the
-<constant>ai_next</constant>
-pointer, until a
-<type>NULL</type>
-pointer is encountered.
-The three members
-<constant>ai_family</constant>,
-<constant>ai_socktype</constant>,
-and
-<constant>ai_protocol</constant>
-in each
-returned
-<type>addrinfo</type>
-structure contain the corresponding arguments for a call to
-<citerefentry>
-<refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>.
-For each
-<type>addrinfo</type>
-structure in the list, the
-<constant>ai_addr</constant>
-member points to a filled-in socket address structure of length
-<constant>ai_addrlen</constant>.
-</para>
-
-<para>
-All of the information returned by
-<function>lwres_getaddrinfo()</function>
-is dynamically allocated: the addrinfo structures, and the socket
-address structures and canonical host name strings pointed to by the
-<constant>addrinfo</constant>structures.
-Memory allocated for the dynamically allocated structures created by
-a successful call to
-<function>lwres_getaddrinfo()</function>
-is released by
-<function>lwres_freeaddrinfo()</function>.
-<parameter>ai</parameter>
-is a pointer to a
-<type>struct addrinfo</type>
-created by a call to
-<function>lwres_getaddrinfo()</function>.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_getaddrinfo()</function>
-returns zero on success or one of the error codes listed in
-<citerefentry>
-<refentrytitle>gai_strerror</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-if an error occurs.
-If both
-<parameter>hostname</parameter>
-and
-<parameter>servname</parameter>
-are
-<type>NULL</type>
-<function>lwres_getaddrinfo()</function>
-returns
-<errorcode>EAI_NONAME</errorcode>.
-
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_freeaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_gai_strerror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>RFC2133</refentrytitle>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>getservbyname</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>sendto</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>sendmsg</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>.
-</para>
-
-</refsect1>
-</refentry>
+    </para>
+
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+
+    <para><function>lwres_getaddrinfo()</function>
+      is used to get a list of IP addresses and port numbers for host
+      <parameter>hostname</parameter> and service
+      <parameter>servname</parameter>.
+
+      The function is the lightweight resolver's implementation of
+      <function>getaddrinfo()</function> as defined in RFC2133.
+      <parameter>hostname</parameter> and
+      <parameter>servname</parameter> are pointers to null-terminated
+      strings or <type>NULL</type>.
+
+      <parameter>hostname</parameter> is either a host name or a
+      numeric host address string: a dotted decimal IPv4 address or an
+      IPv6 address.  <parameter>servname</parameter> is either a
+      decimal port number or a service name as listed in
+      <filename>/etc/services</filename>.
+    </para>
+
+    <para><parameter>hints</parameter>
+      is an optional pointer to a
+      <type>struct addrinfo</type>.
+      This structure can be used to provide hints concerning the type of
+      socket
+      that the caller supports or wishes to use.
+      The caller can supply the following structure elements in
+      <parameter>*hints</parameter>:
+
+      <variablelist>
+        <varlistentry>
+          <term><constant>ai_family</constant></term>
+          <listitem>
+            <para>
+              The protocol family that should be used.
+              When
+              <constant>ai_family</constant>
+              is set to
+              <type>PF_UNSPEC</type>,
+              it means the caller will accept any protocol family supported by
+              the
+              operating system.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>ai_socktype</constant></term>
+          <listitem>
+            <para>
+              denotes the type of socket &mdash;
+              <type>SOCK_STREAM</type>,
+              <type>SOCK_DGRAM</type>
+              or
+              <type>SOCK_RAW</type>
+              &mdash; that is wanted.
+              When
+              <constant>ai_socktype</constant>
+              is zero the caller will accept any socket type.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>ai_protocol</constant></term>
+          <listitem>
+            <para>
+              indicates which transport protocol is wanted: IPPROTO_UDP or
+              IPPROTO_TCP.
+              If
+              <constant>ai_protocol</constant>
+              is zero the caller will accept any protocol.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>ai_flags</constant></term>
+          <listitem>
+            <para>
+              Flag bits.
+              If the
+              <type>AI_CANONNAME</type>
+              bit is set, a successful call to
+              <function>lwres_getaddrinfo()</function>
+              will return a null-terminated string containing the canonical
+              name
+              of the specified hostname in
+              <constant>ai_canonname</constant>
+              of the first
+              <type>addrinfo</type>
+              structure returned.
+              Setting the
+              <type>AI_PASSIVE</type>
+              bit indicates that the returned socket address structure is
+              intended
+              for used in a call to
+              <citerefentry>
+                <refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum>
+              </citerefentry>.
+
+              In this case, if the hostname argument is a
+              <type>NULL</type>
+              pointer, then the IP address portion of the socket
+              address structure will be set to
+              <type>INADDR_ANY</type>
+              for an IPv4 address or
+              <type>IN6ADDR_ANY_INIT</type>
+              for an IPv6 address.
+            </para>
+            <para>
+              When
+              <constant>ai_flags</constant>
+              does not set the
+              <type>AI_PASSIVE</type>
+              bit, the returned socket address structure will be ready
+              for use in a call to
+              <citerefentry>
+                <refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
+              </citerefentry>
+              for a connection-oriented protocol or
+              <citerefentry>
+                <refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
+              </citerefentry>,
+
+              <citerefentry>
+                <refentrytitle>sendto</refentrytitle><manvolnum>2</manvolnum>
+              </citerefentry>,
+
+              or
+              <citerefentry>
+                <refentrytitle>sendmsg</refentrytitle><manvolnum>2</manvolnum>
+              </citerefentry>
+              if a connectionless protocol was chosen.
+              The IP address portion of the socket address structure will be
+              set to the loopback address if
+              <parameter>hostname</parameter>
+              is a
+              <type>NULL</type>
+              pointer and
+              <type>AI_PASSIVE</type>
+              is not set in
+              <constant>ai_flags</constant>.
+            </para>
+            <para>
+              If
+              <constant>ai_flags</constant>
+              is set to
+              <type>AI_NUMERICHOST</type>
+              it indicates that
+              <parameter>hostname</parameter>
+              should be treated as a numeric string defining an IPv4 or IPv6
+              address
+              and no name resolution should be attempted.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+
+    <para>
+      All other elements of the <type>struct addrinfo</type> passed
+      via <parameter>hints</parameter> must be zero.
+    </para>
+
+    <para>
+      A <parameter>hints</parameter> of <type>NULL</type> is
+      treated as if
+      the caller provided a <type>struct addrinfo</type> initialized to zero
+      with <constant>ai_family</constant>set to
+      <constant>PF_UNSPEC</constant>.
+    </para>
+
+    <para>
+      After a successful call to
+      <function>lwres_getaddrinfo()</function>,
+      <parameter>*res</parameter>
+      is a pointer to a linked list of one or more
+      <type>addrinfo</type>
+      structures.
+      Each
+      <type>struct addrinfo</type>
+      in this list cn be processed by following
+      the
+      <constant>ai_next</constant>
+      pointer, until a
+      <type>NULL</type>
+      pointer is encountered.
+      The three members
+      <constant>ai_family</constant>,
+      <constant>ai_socktype</constant>,
+      and
+      <constant>ai_protocol</constant>
+      in each
+      returned
+      <type>addrinfo</type>
+      structure contain the corresponding arguments for a call to
+      <citerefentry>
+        <refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>.
+      For each
+      <type>addrinfo</type>
+      structure in the list, the
+      <constant>ai_addr</constant>
+      member points to a filled-in socket address structure of length
+      <constant>ai_addrlen</constant>.
+    </para>
+
+    <para>
+      All of the information returned by
+      <function>lwres_getaddrinfo()</function>
+      is dynamically allocated: the addrinfo structures, and the socket
+      address structures and canonical host name strings pointed to by the
+      <constant>addrinfo</constant>structures.
+      Memory allocated for the dynamically allocated structures created by
+      a successful call to
+      <function>lwres_getaddrinfo()</function>
+      is released by
+      <function>lwres_freeaddrinfo()</function>.
+      <parameter>ai</parameter>
+      is a pointer to a
+      <type>struct addrinfo</type>
+      created by a call to
+      <function>lwres_getaddrinfo()</function>.
+    </para>
+
+  </refsect1>
+
+  <refsect1>
+    <title>RETURN VALUES</title>
+
+    <para><function>lwres_getaddrinfo()</function>
+      returns zero on success or one of the error codes listed in
+      <citerefentry>
+        <refentrytitle>gai_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      if an error occurs.  If both <parameter>hostname</parameter> and
+      <parameter>servname</parameter> are <type>NULL</type>
+      <function>lwres_getaddrinfo()</function> returns
+      <errorcode>EAI_NONAME</errorcode>.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_freeaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_gai_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>RFC2133</refentrytitle>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>getservbyname</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>sendto</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>sendmsg</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>.
+    </para>
+
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
index 375c319..d2dcdd9 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
+++ b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getaddrinfo.html,v 1.8.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_getaddrinfo.html,v 1.10.18.17 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getaddrinfo</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getaddrinfo, lwres_freeaddrinfo &#8212; socket address structure to host and service name</p>
@@ -36,54 +36,43 @@
 <td><code class="funcdef">
 int
 <b class="fsfunc">lwres_getaddrinfo</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>const char * </td>
+<td>
+<var class="pdparam">hostname</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>const char * </td>
+<td>
+<var class="pdparam">servname</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>const struct addrinfo * </td>
+<td>
+<var class="pdparam">hints</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>struct addrinfo ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">res</var><code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_freeaddrinfo</b>(</code></td>
-<td> </td>
+<td>struct addrinfo * </td>
 <td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
+<var class="pdparam">ai</var><code>)</code>;</td>
+</tr></table>
 </div>
 <p>
-If the operating system does not provide a
-<span class="type">struct addrinfo</span>,
-the following structure is used:
-
-</p>
+      If the operating system does not provide a
+      <span class="type">struct addrinfo</span>,
+      the following structure is used:
+    </p>
 <pre class="programlisting">
 struct  addrinfo {
         int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
@@ -97,250 +86,237 @@ struct  addrinfo {
 };
 </pre>
 <p>
-</p>
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549448"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_getaddrinfo()</code>
-is used to get a list of IP addresses and port numbers for host
-<em class="parameter"><code>hostname</code></em>
-and service
-<em class="parameter"><code>servname</code></em>.
+<a name="id2543412"></a><h2>DESCRIPTION</h2>
+<p><code class="function">lwres_getaddrinfo()</code>
+      is used to get a list of IP addresses and port numbers for host
+      <em class="parameter"><code>hostname</code></em> and service
+      <em class="parameter"><code>servname</code></em>.
 
-The function is the lightweight resolver's implementation of
-<code class="function">getaddrinfo()</code>
-as defined in RFC2133.
-<em class="parameter"><code>hostname</code></em>
-and
-<em class="parameter"><code>servname</code></em>
-are pointers to null-terminated
-strings or
-<span class="type">NULL</span>.
+      The function is the lightweight resolver's implementation of
+      <code class="function">getaddrinfo()</code> as defined in RFC2133.
+      <em class="parameter"><code>hostname</code></em> and
+      <em class="parameter"><code>servname</code></em> are pointers to null-terminated
+      strings or <span class="type">NULL</span>.
 
-<em class="parameter"><code>hostname</code></em>
-is either a host name or a numeric host address string: a dotted decimal
-IPv4 address or an IPv6 address.
-<em class="parameter"><code>servname</code></em>
-is either a decimal port number or a service name as listed in
-<code class="filename">/etc/services</code>.
-</p>
-<p>
-<em class="parameter"><code>hints</code></em>
-is an optional pointer to a
-<span class="type">struct addrinfo</span>.
-This structure can be used to provide hints concerning the type of socket
-that the caller supports or wishes to use.
-The caller can supply the following structure elements in
-<em class="parameter"><code>*hints</code></em>:
+      <em class="parameter"><code>hostname</code></em> is either a host name or a
+      numeric host address string: a dotted decimal IPv4 address or an
+      IPv6 address.  <em class="parameter"><code>servname</code></em> is either a
+      decimal port number or a service name as listed in
+      <code class="filename">/etc/services</code>.
+    </p>
+<p><em class="parameter"><code>hints</code></em>
+      is an optional pointer to a
+      <span class="type">struct addrinfo</span>.
+      This structure can be used to provide hints concerning the type of
+      socket
+      that the caller supports or wishes to use.
+      The caller can supply the following structure elements in
+      <em class="parameter"><code>*hints</code></em>:
 
-</p>
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">ai_family</code></span></dt>
-<dd><p>The protocol family that should be used.
-When
-<code class="constant">ai_family</code>
-is set to
-<span class="type">PF_UNSPEC</span>,
-it means the caller will accept any protocol family supported by the
-operating system.
-</p></dd>
+<dd><p>
+              The protocol family that should be used.
+              When
+              <code class="constant">ai_family</code>
+              is set to
+              <span class="type">PF_UNSPEC</span>,
+              it means the caller will accept any protocol family supported by
+              the
+              operating system.
+            </p></dd>
 <dt><span class="term"><code class="constant">ai_socktype</code></span></dt>
 <dd><p>
-denotes the type of socket &#8212;
-<span class="type">SOCK_STREAM</span>,
-<span class="type">SOCK_DGRAM</span>
-or
-<span class="type">SOCK_RAW</span>
-&#8212; that is wanted.
-When
-<code class="constant">ai_socktype</code>
-is zero the caller will accept any socket type.
-</p></dd>
+              denotes the type of socket &#8212;
+              <span class="type">SOCK_STREAM</span>,
+              <span class="type">SOCK_DGRAM</span>
+              or
+              <span class="type">SOCK_RAW</span>
+              &#8212; that is wanted.
+              When
+              <code class="constant">ai_socktype</code>
+              is zero the caller will accept any socket type.
+            </p></dd>
 <dt><span class="term"><code class="constant">ai_protocol</code></span></dt>
 <dd><p>
-indicates which transport protocol is wanted: IPPROTO_UDP or 
-IPPROTO_TCP.
-If
-<code class="constant">ai_protocol</code>
-is zero the caller will accept any protocol.
-</p></dd>
+              indicates which transport protocol is wanted: IPPROTO_UDP or
+              IPPROTO_TCP.
+              If
+              <code class="constant">ai_protocol</code>
+              is zero the caller will accept any protocol.
+            </p></dd>
 <dt><span class="term"><code class="constant">ai_flags</code></span></dt>
 <dd>
 <p>
-Flag bits.
-If the
-<span class="type">AI_CANONNAME</span>
-bit is set, a successful call to
-<code class="function">lwres_getaddrinfo()</code>
-will return a null-terminated string containing the canonical name
-of the specified hostname in
-<code class="constant">ai_canonname</code>
-of the first
-<span class="type">addrinfo</span>
-structure returned.
-Setting the
-<span class="type">AI_PASSIVE</span>
-bit indicates that the returned socket address structure is intended
-for used in a call to
-<span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>.
+              Flag bits.
+              If the
+              <span class="type">AI_CANONNAME</span>
+              bit is set, a successful call to
+              <code class="function">lwres_getaddrinfo()</code>
+              will return a null-terminated string containing the canonical
+              name
+              of the specified hostname in
+              <code class="constant">ai_canonname</code>
+              of the first
+              <span class="type">addrinfo</span>
+              structure returned.
+              Setting the
+              <span class="type">AI_PASSIVE</span>
+              bit indicates that the returned socket address structure is
+              intended
+              for used in a call to
+              <span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>.
 
-In this case, if the hostname argument is a
-<span class="type">NULL</span>
-pointer, then the IP address portion of the socket
-address structure will be set to
-<span class="type">INADDR_ANY</span>
-for an IPv4 address or
-<span class="type">IN6ADDR_ANY_INIT</span>
-for an IPv6 address.
-</p>
+              In this case, if the hostname argument is a
+              <span class="type">NULL</span>
+              pointer, then the IP address portion of the socket
+              address structure will be set to
+              <span class="type">INADDR_ANY</span>
+              for an IPv4 address or
+              <span class="type">IN6ADDR_ANY_INIT</span>
+              for an IPv6 address.
+            </p>
 <p>
-When
-<code class="constant">ai_flags</code>
-does not set the
-<span class="type">AI_PASSIVE</span>
-bit, the returned socket address structure will be ready
-for use in a call to
-<span class="citerefentry"><span class="refentrytitle">connect</span>(2
-)</span>
-for a connection-oriented protocol or
-<span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>,
+              When
+              <code class="constant">ai_flags</code>
+              does not set the
+              <span class="type">AI_PASSIVE</span>
+              bit, the returned socket address structure will be ready
+              for use in a call to
+              <span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>
+              for a connection-oriented protocol or
+              <span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>,
+              <span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>,
 
-or
-<span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2
-)</span>
-if a connectionless protocol was chosen.
-The IP address portion of the socket address structure will be
-set to the loopback address if
-<em class="parameter"><code>hostname</code></em>
-is a
-<span class="type">NULL</span>
-pointer and
-<span class="type">AI_PASSIVE</span>
-is not set in
-<code class="constant">ai_flags</code>.
-</p>
+              or
+              <span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2)</span>
+              if a connectionless protocol was chosen.
+              The IP address portion of the socket address structure will be
+              set to the loopback address if
+              <em class="parameter"><code>hostname</code></em>
+              is a
+              <span class="type">NULL</span>
+              pointer and
+              <span class="type">AI_PASSIVE</span>
+              is not set in
+              <code class="constant">ai_flags</code>.
+            </p>
 <p>
-If
-<code class="constant">ai_flags</code>
-is set to
-<span class="type">AI_NUMERICHOST</span>
-it indicates that
-<em class="parameter"><code>hostname</code></em>
-should be treated as a numeric string defining an IPv4 or IPv6 address
-and no name resolution should be attempted.
-</p>
+              If
+              <code class="constant">ai_flags</code>
+              is set to
+              <span class="type">AI_NUMERICHOST</span>
+              it indicates that
+              <em class="parameter"><code>hostname</code></em>
+              should be treated as a numeric string defining an IPv4 or IPv6
+              address
+              and no name resolution should be attempted.
+            </p>
 </dd>
 </dl></div>
 <p>
-</p>
+    </p>
 <p>
-All other elements of the <span class="type">struct addrinfo</span> passed
-via <em class="parameter"><code>hints</code></em> must be zero.
-</p>
+      All other elements of the <span class="type">struct addrinfo</span> passed
+      via <em class="parameter"><code>hints</code></em> must be zero.
+    </p>
 <p>
-A <em class="parameter"><code>hints</code></em> of <span class="type">NULL</span> is treated as if
-the caller provided a <span class="type">struct addrinfo</span> initialized to zero
-with <code class="constant">ai_family</code>set to
-<code class="constant">PF_UNSPEC</code>.
-</p>
+      A <em class="parameter"><code>hints</code></em> of <span class="type">NULL</span> is
+      treated as if
+      the caller provided a <span class="type">struct addrinfo</span> initialized to zero
+      with <code class="constant">ai_family</code>set to
+      <code class="constant">PF_UNSPEC</code>.
+    </p>
 <p>
-After a successful call to
-<code class="function">lwres_getaddrinfo()</code>,
-<em class="parameter"><code>*res</code></em>
-is a pointer to a linked list of one or more
-<span class="type">addrinfo</span>
-structures.
-Each
-<span class="type">struct addrinfo</span>
-in this list cn be processed by following
-the
-<code class="constant">ai_next</code>
-pointer, until a
-<span class="type">NULL</span>
-pointer is encountered.
-The three members
-<code class="constant">ai_family</code>,
-<code class="constant">ai_socktype</code>,
-and
-<code class="constant">ai_protocol</code>
-in each
-returned
-<span class="type">addrinfo</span>
-structure contain the corresponding arguments for a call to
-<span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>.
-For each
-<span class="type">addrinfo</span>
-structure in the list, the
-<code class="constant">ai_addr</code>
-member points to a filled-in socket address structure of length
-<code class="constant">ai_addrlen</code>.
-</p>
+      After a successful call to
+      <code class="function">lwres_getaddrinfo()</code>,
+      <em class="parameter"><code>*res</code></em>
+      is a pointer to a linked list of one or more
+      <span class="type">addrinfo</span>
+      structures.
+      Each
+      <span class="type">struct addrinfo</span>
+      in this list cn be processed by following
+      the
+      <code class="constant">ai_next</code>
+      pointer, until a
+      <span class="type">NULL</span>
+      pointer is encountered.
+      The three members
+      <code class="constant">ai_family</code>,
+      <code class="constant">ai_socktype</code>,
+      and
+      <code class="constant">ai_protocol</code>
+      in each
+      returned
+      <span class="type">addrinfo</span>
+      structure contain the corresponding arguments for a call to
+      <span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>.
+      For each
+      <span class="type">addrinfo</span>
+      structure in the list, the
+      <code class="constant">ai_addr</code>
+      member points to a filled-in socket address structure of length
+      <code class="constant">ai_addrlen</code>.
+    </p>
 <p>
-All of the information returned by
-<code class="function">lwres_getaddrinfo()</code>
-is dynamically allocated: the addrinfo structures, and the socket
-address structures and canonical host name strings pointed to by the
-<code class="constant">addrinfo</code>structures.
-Memory allocated for the dynamically allocated structures created by
-a successful call to
-<code class="function">lwres_getaddrinfo()</code>
-is released by
-<code class="function">lwres_freeaddrinfo()</code>.
-<em class="parameter"><code>ai</code></em>
-is a pointer to a
-<span class="type">struct addrinfo</span>
-created by a call to
-<code class="function">lwres_getaddrinfo()</code>.
-</p>
+      All of the information returned by
+      <code class="function">lwres_getaddrinfo()</code>
+      is dynamically allocated: the addrinfo structures, and the socket
+      address structures and canonical host name strings pointed to by the
+      <code class="constant">addrinfo</code>structures.
+      Memory allocated for the dynamically allocated structures created by
+      a successful call to
+      <code class="function">lwres_getaddrinfo()</code>
+      is released by
+      <code class="function">lwres_freeaddrinfo()</code>.
+      <em class="parameter"><code>ai</code></em>
+      is a pointer to a
+      <span class="type">struct addrinfo</span>
+      created by a call to
+      <code class="function">lwres_getaddrinfo()</code>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549874"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_getaddrinfo()</code>
-returns zero on success or one of the error codes listed in
-<span class="citerefentry"><span class="refentrytitle">gai_strerror</span>(3
-)</span>
-if an error occurs.
-If both
-<em class="parameter"><code>hostname</code></em>
-and
-<em class="parameter"><code>servname</code></em>
-are
-<span class="type">NULL</span>
-<code class="function">lwres_getaddrinfo()</code>
-returns
-<span class="errorcode">EAI_NONAME</span>.
-
-</p>
+<a name="id2543789"></a><h2>RETURN VALUES</h2>
+<p><code class="function">lwres_getaddrinfo()</code>
+      returns zero on success or one of the error codes listed in
+      <span class="citerefentry"><span class="refentrytitle">gai_strerror</span>(3)</span>
+      if an error occurs.  If both <em class="parameter"><code>hostname</code></em> and
+      <em class="parameter"><code>servname</code></em> are <span class="type">NULL</span>
+      <code class="function">lwres_getaddrinfo()</code> returns
+      <span class="errorcode">EAI_NONAME</span>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549912"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
+<a name="id2543827"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_freeaddrinfo</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_freeaddrinfo</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_gai_strerror</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_gai_strerror</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
 
-<span class="citerefentry"><span class="refentrytitle">getservbyname</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">getservbyname</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>,
+      <span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>,
+      <span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>,
+      <span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2)</span>,
+      <span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>.
-</p>
+      <span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.3 b/contrib/bind9/lib/lwres/man/lwres_gethostent.3
index 6fe933d7..e6fbcd7 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gethostent.3
+++ b/contrib/bind9/lib/lwres/man/lwres_gethostent.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gethostent.3,v 1.16.2.1.8.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_gethostent.3,v 1.19.18.10 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_gethostent
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -36,37 +36,37 @@ lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent
 #include <lwres/netdb.h>
 .fi
 .HP 37
-.BI "struct hostent * lwres_gethostbyname(const\ char\ *name);"
+.BI "struct hostent * lwres_gethostbyname(const\ char\ *" "name" ");"
 .HP 38
-.BI "struct hostent * lwres_gethostbyname2(const\ char\ *name, int\ af);"
+.BI "struct hostent * lwres_gethostbyname2(const\ char\ *" "name" ", int\ " "af" ");"
 .HP 37
-.BI "struct hostent * lwres_gethostbyaddr(const\ char\ *addr, int\ len, int\ type);"
+.BI "struct hostent * lwres_gethostbyaddr(const\ char\ *" "addr" ", int\ " "len" ", int\ " "type" ");"
 .HP 34
 .BI "struct hostent * lwres_gethostent(void);"
 .HP 22
-.BI "void lwres_sethostent(int\ stayopen);"
+.BI "void lwres_sethostent(int\ " "stayopen" ");"
 .HP 22
 .BI "void lwres_endhostent(void);"
 .HP 39
-.BI "struct hostent * lwres_gethostbyname_r(const\ char\ *name, struct\ hostent\ *resbuf, char\ *buf, int\ buflen, int\ *error);"
+.BI "struct hostent * lwres_gethostbyname_r(const\ char\ *" "name" ", struct\ hostent\ *" "resbuf" ", char\ *" "buf" ", int\ " "buflen" ", int\ *" "error" ");"
 .HP 39
-.BI "struct hostent * lwres_gethostbyaddr_r(const\ char\ *addr, int\ len, int\ type, struct\ hostent\ *resbuf, char\ *buf, int\ buflen, int\ *error);"
+.BI "struct hostent * lwres_gethostbyaddr_r(const\ char\ *" "addr" ", int\ " "len" ", int\ " "type" ", struct\ hostent\ *" "resbuf" ", char\ *" "buf" ", int\ " "buflen" ", int\ *" "error" ");"
 .HP 36
-.BI "struct hostent * lwres_gethostent_r(struct\ hostent\ *resbuf, char\ *buf, int\ buflen, int\ *error);"
+.BI "struct hostent * lwres_gethostent_r(struct\ hostent\ *" "resbuf" ", char\ *" "buf" ", int\ " "buflen" ", int\ *" "error" ");"
 .HP 24
-.BI "void lwres_sethostent_r(int\ stayopen);"
+.BI "void lwres_sethostent_r(int\ " "stayopen" ");"
 .HP 24
 .BI "void lwres_endhostent_r(void);"
 .SH "DESCRIPTION"
 .PP
 These functions provide hostname\-to\-address and address\-to\-hostname lookups by means of the lightweight resolver. They are similar to the standard
-\fBgethostent\fR(3 )
+\fBgethostent\fR(3)
 functions provided by most operating systems. They use a
 \fBstruct hostent\fR
 which is usually defined in
 \fI<namedb.h>\fR.
-.sp
-.RS 3n
+.PP
+.RS 4
 .nf
 struct  hostent {
         char    *h_name;        /* official name of host */
@@ -81,26 +81,36 @@ struct  hostent {
 .sp
 .PP
 The members of this structure are:
-.TP 3n
+.PP
 \fBh_name\fR
+.RS 4
 The official (canonical) name of the host.
-.TP 3n
+.RE
+.PP
 \fBh_aliases\fR
+.RS 4
 A NULL\-terminated array of alternate names (nicknames) for the host.
-.TP 3n
+.RE
+.PP
 \fBh_addrtype\fR
+.RS 4
 The type of address being returned \(em
 \fBPF_INET\fR
 or
 \fBPF_INET6\fR.
-.TP 3n
+.RE
+.PP
 \fBh_length\fR
+.RS 4
 The length of the address in bytes.
-.TP 3n
+.RE
+.PP
 \fBh_addr_list\fR
+.RS 4
 A
 \fBNULL\fR
 terminated array of network addresses for the host. Host addresses are returned in network byte order.
+.RE
 .PP
 For backward compatibility with very old software,
 \fBh_addr\fR
@@ -158,8 +168,7 @@ is a thread\-safe function for forward lookups. If an error occurs, an error cod
 is a pointer to a
 \fBstruct hostent\fR
 which is initialised by a successful call to
-\fBlwres_gethostbyname_r()\fR
-.
+\fBlwres_gethostbyname_r()\fR.
 \fIbuf\fR
 is a buffer of length
 \fIlen\fR
@@ -222,20 +231,28 @@ return NULL to indicate an error. In this case the global variable
 \fBlwres_h_errno\fR
 will contain one of the following error codes defined in
 \fI<lwres/netdb.h>\fR:
-.TP 3n
+.PP
 \fBHOST_NOT_FOUND\fR
+.RS 4
 The host or address was not found.
-.TP 3n
+.RE
+.PP
 \fBTRY_AGAIN\fR
+.RS 4
 A recoverable error occurred, e.g., a timeout. Retrying the lookup may succeed.
-.TP 3n
+.RE
+.PP
 \fBNO_RECOVERY\fR
+.RS 4
 A non\-recoverable error occurred.
-.TP 3n
+.RE
+.PP
 \fBNO_DATA\fR
+.RS 4
 The name exists, but has no address information associated with it (or vice versa in the case of a reverse lookup). The code NO_ADDRESS is accepted as a synonym for NO_DATA for backwards compatibility.
+.RE
 .PP
-\fBlwres_hstrerror\fR(3 )
+\fBlwres_hstrerror\fR(3)
 translates these error codes to suitable error messages.
 .PP
 \fBlwres_gethostent()\fR
@@ -274,7 +291,7 @@ to
 .PP
 \fBgethostent\fR(3),
 \fBlwres_getipnode\fR(3),
-\fBlwres_hstrerror\fR(3 )
+\fBlwres_hstrerror\fR(3)
 .SH "BUGS"
 .PP
 \fBlwres_gethostbyname()\fR,
@@ -292,4 +309,7 @@ The resolver daemon does not currently support any non\-DNS name services such a
 or
 \fBNIS\fR, consequently the above functions don't, either.
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook b/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook
index 9f92d3b..41a3bc3 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_gethostent.docbook,v 1.5.206.3 2005/05/13 01:22:36 marka Exp $ -->
-
+<!-- $Id: lwres_gethostent.docbook,v 1.6.18.4 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refmeta>
-<refentrytitle>lwres_gethostent</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_gethostent</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -44,125 +44,124 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_gethostbyname</refname>
-<refname>lwres_gethostbyname2</refname>
-<refname>lwres_gethostbyaddr</refname>
-<refname>lwres_gethostent</refname>
-<refname>lwres_sethostent</refname>
-<refname>lwres_endhostent</refname>
-<refname>lwres_gethostbyname_r</refname>
-<refname>lwres_gethostbyaddr_r</refname>
-<refname>lwres_gethostent_r</refname>
-<refname>lwres_sethostent_r</refname>
-<refname>lwres_endhostent_r</refname>
-<refpurpose>lightweight resolver get network host entry</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
+  <refnamediv>
+    <refname>lwres_gethostbyname</refname>
+    <refname>lwres_gethostbyname2</refname>
+    <refname>lwres_gethostbyaddr</refname>
+    <refname>lwres_gethostent</refname>
+    <refname>lwres_sethostent</refname>
+    <refname>lwres_endhostent</refname>
+    <refname>lwres_gethostbyname_r</refname>
+    <refname>lwres_gethostbyaddr_r</refname>
+    <refname>lwres_gethostent_r</refname>
+    <refname>lwres_sethostent_r</refname>
+    <refname>lwres_endhostent_r</refname>
+    <refpurpose>lightweight resolver get network host entry</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
 <funcprototype>
-<funcdef>
+        <funcdef>
 struct hostent *
 <function>lwres_gethostbyname</function></funcdef>
-<paramdef>const char *name</paramdef>
-</funcprototype>
+        <paramdef>const char *<parameter>name</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 struct hostent *
 <function>lwres_gethostbyname2</function></funcdef>
-<paramdef>const char *name</paramdef>
-<paramdef>int af</paramdef>
-</funcprototype>
+        <paramdef>const char *<parameter>name</parameter></paramdef>
+        <paramdef>int <parameter>af</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 struct hostent *
 <function>lwres_gethostbyaddr</function></funcdef>
-<paramdef>const char *addr</paramdef>
-<paramdef>int len</paramdef>
-<paramdef>int type</paramdef>
-</funcprototype>
+        <paramdef>const char *<parameter>addr</parameter></paramdef>
+        <paramdef>int <parameter>len</parameter></paramdef>
+        <paramdef>int <parameter>type</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 struct hostent *
 <function>lwres_gethostent</function></funcdef>
-<paramdef>void</paramdef>
-</funcprototype>
+        <paramdef>void</paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_sethostent</function></funcdef>
-<paramdef>int stayopen</paramdef>
-</funcprototype>
+        <paramdef>int <parameter>stayopen</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_endhostent</function></funcdef>
-<paramdef>void</paramdef>
-</funcprototype>
+        <paramdef>void</paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 struct hostent *
 <function>lwres_gethostbyname_r</function></funcdef>
-<paramdef>const char *name</paramdef>
-<paramdef>struct hostent *resbuf</paramdef>
-<paramdef>char *buf</paramdef>
-<paramdef>int buflen</paramdef>
-<paramdef>int *error</paramdef>
-</funcprototype>
+        <paramdef>const char *<parameter>name</parameter></paramdef>
+        <paramdef>struct hostent *<parameter>resbuf</parameter></paramdef>
+        <paramdef>char *<parameter>buf</parameter></paramdef>
+        <paramdef>int <parameter>buflen</parameter></paramdef>
+        <paramdef>int *<parameter>error</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 struct hostent  *
 <function>lwres_gethostbyaddr_r</function></funcdef>
-<paramdef>const char *addr</paramdef>
-<paramdef>int len</paramdef>
-<paramdef>int type</paramdef>
-<paramdef>struct hostent *resbuf</paramdef>
-<paramdef>char *buf</paramdef>
-<paramdef>int buflen</paramdef>
-<paramdef>int *error</paramdef>
-</funcprototype>
+        <paramdef>const char *<parameter>addr</parameter></paramdef>
+        <paramdef>int <parameter>len</parameter></paramdef>
+        <paramdef>int <parameter>type</parameter></paramdef>
+        <paramdef>struct hostent *<parameter>resbuf</parameter></paramdef>
+        <paramdef>char *<parameter>buf</parameter></paramdef>
+        <paramdef>int <parameter>buflen</parameter></paramdef>
+        <paramdef>int *<parameter>error</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 struct hostent  *
 <function>lwres_gethostent_r</function></funcdef>
-<paramdef>struct hostent *resbuf</paramdef>
-<paramdef>char *buf</paramdef>
-<paramdef>int buflen</paramdef>
-<paramdef>int *error</paramdef>
-</funcprototype>
+        <paramdef>struct hostent *<parameter>resbuf</parameter></paramdef>
+        <paramdef>char *<parameter>buf</parameter></paramdef>
+        <paramdef>int <parameter>buflen</parameter></paramdef>
+        <paramdef>int *<parameter>error</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_sethostent_r</function></funcdef>
-<paramdef>int stayopen</paramdef>
-</funcprototype>
+        <paramdef>int <parameter>stayopen</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_endhostent_r</function></funcdef>
-<paramdef>void</paramdef>
-</funcprototype>
+        <paramdef>void</paramdef>
+      </funcprototype>
 </funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These functions provide hostname-to-address and
-address-to-hostname lookups by means of the lightweight resolver.
-They are similar to the standard
-<citerefentry>
-<refentrytitle>gethostent</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-functions provided by most operating systems.
-They use a
-<type>struct hostent</type>
-which is usually defined in
-<filename>&lt;namedb.h&gt;</filename>.
+  </refsynopsisdiv>
 
-<programlisting>
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para>
+      These functions provide hostname-to-address and
+      address-to-hostname lookups by means of the lightweight resolver.
+      They are similar to the standard
+      <citerefentry>
+        <refentrytitle>gethostent</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      functions provided by most operating systems.
+      They use a
+      <type>struct hostent</type>
+      which is usually defined in
+      <filename>&lt;namedb.h&gt;</filename>.
+    </para>
+    <para><programlisting>
 struct  hostent {
         char    *h_name;        /* official name of host */
         char    **h_aliases;    /* alias list */
@@ -172,250 +171,269 @@ struct  hostent {
 };
 #define h_addr  h_addr_list[0]  /* address, for backward compatibility */
 </programlisting>
-</para>
-<para>
-The members of this structure are:
-<variablelist>
-<varlistentry><term><constant>h_name</constant></term>
-<listitem>
-<para>
-The official (canonical) name of the host.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_aliases</constant></term>
-<listitem>
-<para>
-A NULL-terminated array of alternate names (nicknames) for the host.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_addrtype</constant></term>
-<listitem>
-<para>
-The type of address being returned &mdash;
-<type>PF_INET</type>
-or
-<type>PF_INET6</type>.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_length</constant></term>
-<listitem>
-<para>
-The length of the address in bytes.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_addr_list</constant></term>
-<listitem>
-<para>
-A <type>NULL</type>
-terminated array of network addresses for the host.
-Host addresses are returned in network byte order.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-For backward compatibility with very old software,
-<constant>h_addr</constant>
-is the first address in
-<constant>h_addr_list.</constant>
-</para>
-<para>
-<function>lwres_gethostent()</function>,
-<function>lwres_sethostent()</function>,
-<function>lwres_endhostent()</function>,
-<function>lwres_gethostent_r()</function>,
-<function>lwres_sethostent_r()</function>
-and
-<function>lwres_endhostent_r()</function>
-provide iteration over the known host entries on systems that
-provide such functionality through facilities like
-<filename>/etc/hosts</filename>
-or NIS.  The lightweight resolver does not currently implement
-these functions; it only provides them as stub functions that always
-return failure.
-</para>
+    </para>
+    <para>
+      The members of this structure are:
+      <variablelist>
+        <varlistentry>
+          <term><constant>h_name</constant></term>
+          <listitem>
+            <para>
+              The official (canonical) name of the host.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_aliases</constant></term>
+          <listitem>
+            <para>
+              A NULL-terminated array of alternate names (nicknames) for the
+              host.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_addrtype</constant></term>
+          <listitem>
+            <para>
+              The type of address being returned &mdash;
+              <type>PF_INET</type>
+              or
+              <type>PF_INET6</type>.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_length</constant></term>
+          <listitem>
+            <para>
+              The length of the address in bytes.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_addr_list</constant></term>
+          <listitem>
+            <para>
+              A <type>NULL</type>
+              terminated array of network addresses for the host.
+              Host addresses are returned in network byte order.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+    <para>
+      For backward compatibility with very old software,
+      <constant>h_addr</constant>
+      is the first address in
+      <constant>h_addr_list.</constant>
+    </para>
+    <para><function>lwres_gethostent()</function>,
+      <function>lwres_sethostent()</function>,
+      <function>lwres_endhostent()</function>,
+      <function>lwres_gethostent_r()</function>,
+      <function>lwres_sethostent_r()</function>
+      and
+      <function>lwres_endhostent_r()</function>
+      provide iteration over the known host entries on systems that
+      provide such functionality through facilities like
+      <filename>/etc/hosts</filename>
+      or NIS.  The lightweight resolver does not currently implement
+      these functions; it only provides them as stub functions that always
+      return failure.
+    </para>
 
-<para>
-<function>lwres_gethostbyname()</function> and
-<function>lwres_gethostbyname2()</function> look up the hostname
-<parameter>name</parameter>.
-<function>lwres_gethostbyname()</function> always looks for an IPv4
-address while <function>lwres_gethostbyname2()</function> looks for an
-address of protocol family <parameter>af</parameter>: either
-<type>PF_INET</type> or <type>PF_INET6</type> &mdash; IPv4 or IPV6
-addresses respectively.  Successful calls of the functions return a
-<type>struct hostent</type>for the name that was looked up.
-<type>NULL</type> is returned if the lookups by
-<function>lwres_gethostbyname()</function> or
-<function>lwres_gethostbyname2()</function> fail.
-</para>
+    <para><function>lwres_gethostbyname()</function>
+      and <function>lwres_gethostbyname2()</function> look up the
+      hostname <parameter>name</parameter>.
+      <function>lwres_gethostbyname()</function> always looks for an
+      IPv4 address while <function>lwres_gethostbyname2()</function>
+      looks for an address of protocol family
+      <parameter>af</parameter>: either <type>PF_INET</type> or
+      <type>PF_INET6</type> &mdash; IPv4 or IPV6 addresses
+      respectively.  Successful calls of the functions return a
+      <type>struct hostent</type>for the name that was looked up.
+      <type>NULL</type> is returned if the lookups by
+      <function>lwres_gethostbyname()</function> or
+      <function>lwres_gethostbyname2()</function> fail.
+    </para>
 
-<para>
-Reverse lookups of addresses are performed by
-<function>lwres_gethostbyaddr()</function>.
-<parameter>addr</parameter> is an address of length
-<parameter>len</parameter> bytes and protocol family
-<parameter>type</parameter> &mdash; <type>PF_INET</type> or
-<type>PF_INET6</type>.
-<function>lwres_gethostbyname_r()</function> is a thread-safe function
-for forward lookups.  If an error occurs, an error code is returned in
-<parameter>*error</parameter>.
-<parameter>resbuf</parameter> is a pointer to a <type>struct
-hostent</type> which is initialised by a successful call to
-<function>lwres_gethostbyname_r()</function> .
-<parameter>buf</parameter> is a buffer of length
-<parameter>len</parameter> bytes which is used to store the
-<constant>h_name</constant>, <constant>h_aliases</constant>, and
-<constant>h_addr_list</constant> elements of the <type>struct
-hostent</type> returned in <parameter>resbuf</parameter>.
-Successful calls to <function>lwres_gethostbyname_r()</function>
-return <parameter>resbuf</parameter>,
-which is a pointer to the <type>struct hostent</type> it created.
-</para>
+    <para>
+      Reverse lookups of addresses are performed by
+      <function>lwres_gethostbyaddr()</function>.
+      <parameter>addr</parameter> is an address of length
+      <parameter>len</parameter> bytes and protocol family
+      <parameter>type</parameter> &mdash; <type>PF_INET</type> or
+      <type>PF_INET6</type>.
+      <function>lwres_gethostbyname_r()</function> is a
+      thread-safe function
+      for forward lookups.  If an error occurs, an error code is returned in
+      <parameter>*error</parameter>.
+      <parameter>resbuf</parameter> is a pointer to a
+      <type>struct hostent</type> which is initialised by a successful call to
+      <function>lwres_gethostbyname_r()</function>.
+      <parameter>buf</parameter> is a buffer of length
+      <parameter>len</parameter> bytes which is used to store the
+      <constant>h_name</constant>, <constant>h_aliases</constant>, and
+      <constant>h_addr_list</constant> elements of the
+      <type>struct hostent</type> returned in <parameter>resbuf</parameter>.
+      Successful calls to <function>lwres_gethostbyname_r()</function>
+      return <parameter>resbuf</parameter>,
+      which is a pointer to the <type>struct hostent</type> it created.
+    </para>
 
-<para>
-<function>lwres_gethostbyaddr_r()</function> is a thread-safe function
-that performs a reverse lookup of address <parameter>addr</parameter>
-which is <parameter>len</parameter> bytes long and is of protocol
-family <parameter>type</parameter> &mdash; <type>PF_INET</type> or
-<type>PF_INET6</type>.  If an error occurs, the error code is returned
-in <parameter>*error</parameter>.  The other function parameters are
-identical to those in <function>lwres_gethostbyname_r()</function>.
-<parameter>resbuf</parameter> is a pointer to a <type>struct
-hostent</type> which is initialised by a successful call to
-<function>lwres_gethostbyaddr_r()</function>.
-<parameter>buf</parameter> is a buffer of length
-<parameter>len</parameter> bytes which is used to store the
-<constant>h_name</constant>, <constant>h_aliases</constant>, and
-<constant>h_addr_list</constant> elements of the <type>struct
-hostent</type> returned in <parameter>resbuf</parameter>.  Successful
-calls to <function>lwres_gethostbyaddr_r()</function> return
-<parameter>resbuf</parameter>, which is a pointer to the
-<function>struct hostent()</function> it created.
-</para>
+    <para><function>lwres_gethostbyaddr_r()</function>
+      is a thread-safe function
+      that performs a reverse lookup of address <parameter>addr</parameter>
+      which is <parameter>len</parameter> bytes long and is of
+      protocol
+      family <parameter>type</parameter> &mdash; <type>PF_INET</type> or
+      <type>PF_INET6</type>.  If an error occurs, the error code is returned
+      in <parameter>*error</parameter>.  The other function
+      parameters are
+      identical to those in <function>lwres_gethostbyname_r()</function>.
+      <parameter>resbuf</parameter> is a pointer to a
+      <type>struct hostent</type> which is initialised by a successful call to
+      <function>lwres_gethostbyaddr_r()</function>.
+      <parameter>buf</parameter> is a buffer of length
+      <parameter>len</parameter> bytes which is used to store the
+      <constant>h_name</constant>, <constant>h_aliases</constant>, and
+      <constant>h_addr_list</constant> elements of the
+      <type>struct hostent</type> returned in <parameter>resbuf</parameter>.
+      Successful calls to <function>lwres_gethostbyaddr_r()</function> return
+      <parameter>resbuf</parameter>, which is a pointer to the
+      <function>struct hostent()</function> it created.
+    </para>
 
-</refsect1>
+  </refsect1>
 
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The functions
-<function>lwres_gethostbyname()</function>,
-<function>lwres_gethostbyname2()</function>,
-<function>lwres_gethostbyaddr()</function>,
-and
-<function>lwres_gethostent()</function>
-return NULL to indicate an error.  In this case the global variable
-<type>lwres_h_errno</type>
-will contain one of the following error codes defined in
-<filename>&lt;lwres/netdb.h&gt;</filename>:
+  <refsect1>
+    <title>RETURN VALUES</title>
+    <para>
+      The functions
+      <function>lwres_gethostbyname()</function>,
+      <function>lwres_gethostbyname2()</function>,
+      <function>lwres_gethostbyaddr()</function>,
+      and
+      <function>lwres_gethostent()</function>
+      return NULL to indicate an error.  In this case the global variable
+      <type>lwres_h_errno</type>
+      will contain one of the following error codes defined in
+      <filename>&lt;lwres/netdb.h&gt;</filename>:
 
-<variablelist>
-<varlistentry><term><constant>HOST_NOT_FOUND</constant></term>
-<listitem>
-<para>
-The host or address was not found.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>TRY_AGAIN</constant></term>
-<listitem>
-<para>
-A recoverable error occurred, e.g., a timeout.
-Retrying the lookup may succeed.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>NO_RECOVERY</constant></term>
-<listitem>
-<para>
-A non-recoverable error occurred.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>NO_DATA</constant></term>
-<listitem>
-<para>
-The name exists, but has no address information
-associated with it (or vice versa in the case
-of a reverse lookup).  The code NO_ADDRESS
-is accepted as a synonym for NO_DATA for backwards
-compatibility.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
+      <variablelist>
+        <varlistentry>
+          <term><constant>HOST_NOT_FOUND</constant></term>
+          <listitem>
+            <para>
+              The host or address was not found.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>TRY_AGAIN</constant></term>
+          <listitem>
+            <para>
+              A recoverable error occurred, e.g., a timeout.
+              Retrying the lookup may succeed.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NO_RECOVERY</constant></term>
+          <listitem>
+            <para>
+              A non-recoverable error occurred.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NO_DATA</constant></term>
+          <listitem>
+            <para>
+              The name exists, but has no address information
+              associated with it (or vice versa in the case
+              of a reverse lookup).  The code NO_ADDRESS
+              is accepted as a synonym for NO_DATA for backwards
+              compatibility.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
 
-<para>
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-translates these error codes to suitable error messages.
-</para>
+    <para><citerefentry>
+        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      translates these error codes to suitable error messages.
+    </para>
 
-<para>
-<function>lwres_gethostent()</function>
-and
-<function>lwres_gethostent_r()</function>
-always return
-<type>NULL</type>.
-</para>
+    <para><function>lwres_gethostent()</function>
+      and <function>lwres_gethostent_r()</function>
+      always return <type>NULL</type>.
+    </para>
 
-<para>
-Successful calls to <function>lwres_gethostbyname_r()</function> and
-<function>lwres_gethostbyaddr_r()</function> return
-<parameter>resbuf</parameter>, a pointer to the <type>struct
-hostent</type> that was initialised by these functions.  They return
-<type>NULL</type> if the lookups fail or if <parameter>buf</parameter>
-was too small to hold the list of addresses and names referenced by
-the <constant>h_name</constant>, <constant>h_aliases</constant>, and
-<constant>h_addr_list</constant> elements of the <type>struct
-hostent</type>.  If <parameter>buf</parameter> was too small, both
-<function>lwres_gethostbyname_r()</function> and
-<function>lwres_gethostbyaddr_r()</function> set the global variable
-<type>errno</type> to <errorcode>ERANGE</errorcode>.
-</para>
+    <para>
+      Successful calls to <function>lwres_gethostbyname_r()</function> and
+      <function>lwres_gethostbyaddr_r()</function> return
+      <parameter>resbuf</parameter>, a pointer to the
+      <type>struct hostent</type> that was initialised by these functions.  They return
+      <type>NULL</type> if the lookups fail or if <parameter>buf</parameter>
+      was too small to hold the list of addresses and names referenced by
+      the <constant>h_name</constant>, <constant>h_aliases</constant>, and
+      <constant>h_addr_list</constant> elements of the
+      <type>struct hostent</type>.
+      If <parameter>buf</parameter> was too small, both
+      <function>lwres_gethostbyname_r()</function> and
+      <function>lwres_gethostbyaddr_r()</function> set the global
+      variable
+      <type>errno</type> to <errorcode>ERANGE</errorcode>.
+    </para>
 
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>gethostent</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+  </refsect1>
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>gethostent</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwres_getipnode</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_getipnode</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-</para>
-</refsect1>
+      <citerefentry>
+        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
 
-<refsect1>
-<title>BUGS</title>
-<para>
-<function>lwres_gethostbyname()</function>,
-<function>lwres_gethostbyname2()</function>,
-<function>lwres_gethostbyaddr()</function>
-and
-<function>lwres_endhostent()</function>
-are not thread safe; they return pointers to static data and 
-provide error codes through a global variable.
-Thread-safe versions for name and address lookup are provided by
-<function>lwres_gethostbyname_r()</function>,
-and
-<function>lwres_gethostbyaddr_r()</function>
-respectively.
-</para>
-<para>
-The resolver daemon does not currently support any non-DNS
-name services such as 
-<filename>/etc/hosts</filename>
-or
-<type>NIS</type>,
-consequently the above functions don't, either.
-</para>
-</refsect1>
-</refentry>
+  <refsect1>
+    <title>BUGS</title>
+    <para><function>lwres_gethostbyname()</function>,
+      <function>lwres_gethostbyname2()</function>,
+      <function>lwres_gethostbyaddr()</function>
+      and
+      <function>lwres_endhostent()</function>
+      are not thread safe; they return pointers to static data and
+      provide error codes through a global variable.
+      Thread-safe versions for name and address lookup are provided by
+      <function>lwres_gethostbyname_r()</function>,
+      and
+      <function>lwres_gethostbyaddr_r()</function>
+      respectively.
+    </para>
+    <para>
+      The resolver daemon does not currently support any non-DNS
+      name services such as
+      <filename>/etc/hosts</filename>
+      or
+      <type>NIS</type>,
+      consequently the above functions don't, either.
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.html b/contrib/bind9/lib/lwres/man/lwres_gethostent.html
index fefc67b..0b7ba442 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gethostent.html
+++ b/contrib/bind9/lib/lwres/man/lwres_gethostent.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gethostent.html,v 1.8.2.1.4.10 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_gethostent.html,v 1.9.18.15 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gethostent</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r &#8212; lightweight resolver get network host entry</p>
@@ -31,40 +31,28 @@
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 struct hostent *
 <b class="fsfunc">lwres_gethostbyname</b>(</code></td>
-<td> </td>
+<td>const char * </td>
 <td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
+<var class="pdparam">name</var><code>)</code>;</td>
+</tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 struct hostent *
 <b class="fsfunc">lwres_gethostbyname2</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>const char * </td>
+<td>
+<var class="pdparam">name</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>int  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">af</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -72,68 +60,79 @@ struct hostent *
 <td><code class="funcdef">
 struct hostent *
 <b class="fsfunc">lwres_gethostbyaddr</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>const char * </td>
+<td>
+<var class="pdparam">addr</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>int  </td>
+<td>
+<var class="pdparam">len</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>int  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">type</var><code>)</code>;</td>
 </tr>
 </table>
-<p><code class="funcdef">
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+<td><code class="funcdef">
 struct hostent *
-<b class="fsfunc">lwres_gethostent</b>(</code>void<code>)</code>;</p>
-<p><code class="funcdef">
+<b class="fsfunc">lwres_gethostent</b>(</code></td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr></table>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+<td><code class="funcdef">
 void
-<b class="fsfunc">lwres_sethostent</b>(</code>int stayopen<code>)</code>;</p>
-<p><code class="funcdef">
+<b class="fsfunc">lwres_sethostent</b>(</code></td>
+<td>int  </td>
+<td>
+<var class="pdparam">stayopen</var><code>)</code>;</td>
+</tr></table>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+<td><code class="funcdef">
 void
-<b class="fsfunc">lwres_endhostent</b>(</code>void<code>)</code>;</p>
+<b class="fsfunc">lwres_endhostent</b>(</code></td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 struct hostent *
 <b class="fsfunc">lwres_gethostbyname_r</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>const char * </td>
+<td>
+<var class="pdparam">name</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>struct hostent * </td>
+<td>
+<var class="pdparam">resbuf</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>char * </td>
+<td>
+<var class="pdparam">buf</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>int  </td>
+<td>
+<var class="pdparam">buflen</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>int * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">error</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -141,44 +140,45 @@ struct hostent *
 <td><code class="funcdef">
 struct hostent  *
 <b class="fsfunc">lwres_gethostbyaddr_r</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>const char * </td>
+<td>
+<var class="pdparam">addr</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>int  </td>
+<td>
+<var class="pdparam">len</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>int  </td>
+<td>
+<var class="pdparam">type</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>struct hostent * </td>
+<td>
+<var class="pdparam">resbuf</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>char * </td>
+<td>
+<var class="pdparam">buf</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>int  </td>
+<td>
+<var class="pdparam">buflen</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>int * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">error</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -186,54 +186,60 @@ struct hostent  *
 <td><code class="funcdef">
 struct hostent  *
 <b class="fsfunc">lwres_gethostent_r</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>struct hostent * </td>
+<td>
+<var class="pdparam">resbuf</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>char * </td>
+<td>
+<var class="pdparam">buf</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>int  </td>
+<td>
+<var class="pdparam">buflen</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>int * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">error</var><code>)</code>;</td>
 </tr>
 </table>
-<p><code class="funcdef">
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+<td><code class="funcdef">
 void
-<b class="fsfunc">lwres_sethostent_r</b>(</code>int stayopen<code>)</code>;</p>
-<p><code class="funcdef">
+<b class="fsfunc">lwres_sethostent_r</b>(</code></td>
+<td>int  </td>
+<td>
+<var class="pdparam">stayopen</var><code>)</code>;</td>
+</tr></table>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
+<td><code class="funcdef">
 void
-<b class="fsfunc">lwres_endhostent_r</b>(</code>void<code>)</code>;</p>
+<b class="fsfunc">lwres_endhostent_r</b>(</code></td>
+<td> </td>
+<td>
+<code>)</code>;</td>
+</tr></table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549606"></a><h2>DESCRIPTION</h2>
+<a name="id2543608"></a><h2>DESCRIPTION</h2>
 <p>
-These functions provide hostname-to-address and
-address-to-hostname lookups by means of the lightweight resolver.
-They are similar to the standard
-<span class="citerefentry"><span class="refentrytitle">gethostent</span>(3
-)</span>
-functions provided by most operating systems.
-They use a
-<span class="type">struct hostent</span>
-which is usually defined in
-<code class="filename">&lt;namedb.h&gt;</code>.
-
-</p>
+      These functions provide hostname-to-address and
+      address-to-hostname lookups by means of the lightweight resolver.
+      They are similar to the standard
+      <span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>
+      functions provided by most operating systems.
+      They use a
+      <span class="type">struct hostent</span>
+      which is usually defined in
+      <code class="filename">&lt;namedb.h&gt;</code>.
+    </p>
 <pre class="programlisting">
 struct  hostent {
         char    *h_name;        /* official name of host */
@@ -245,219 +251,216 @@ struct  hostent {
 #define h_addr  h_addr_list[0]  /* address, for backward compatibility */
 </pre>
 <p>
-</p>
+    </p>
 <p>
-The members of this structure are:
-</p>
+      The members of this structure are:
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">h_name</code></span></dt>
 <dd><p>
-The official (canonical) name of the host.
-</p></dd>
+              The official (canonical) name of the host.
+            </p></dd>
 <dt><span class="term"><code class="constant">h_aliases</code></span></dt>
 <dd><p>
-A NULL-terminated array of alternate names (nicknames) for the host.
-</p></dd>
+              A NULL-terminated array of alternate names (nicknames) for the
+              host.
+            </p></dd>
 <dt><span class="term"><code class="constant">h_addrtype</code></span></dt>
 <dd><p>
-The type of address being returned &#8212;
-<span class="type">PF_INET</span>
-or
-<span class="type">PF_INET6</span>.
-</p></dd>
+              The type of address being returned &#8212;
+              <span class="type">PF_INET</span>
+              or
+              <span class="type">PF_INET6</span>.
+            </p></dd>
 <dt><span class="term"><code class="constant">h_length</code></span></dt>
 <dd><p>
-The length of the address in bytes.
-</p></dd>
+              The length of the address in bytes.
+            </p></dd>
 <dt><span class="term"><code class="constant">h_addr_list</code></span></dt>
 <dd><p>
-A <span class="type">NULL</span>
-terminated array of network addresses for the host.
-Host addresses are returned in network byte order.
-</p></dd>
+              A <span class="type">NULL</span>
+              terminated array of network addresses for the host.
+              Host addresses are returned in network byte order.
+            </p></dd>
 </dl></div>
 <p>
-</p>
-<p>
-For backward compatibility with very old software,
-<code class="constant">h_addr</code>
-is the first address in
-<code class="constant">h_addr_list.</code>
-</p>
+    </p>
 <p>
-<code class="function">lwres_gethostent()</code>,
-<code class="function">lwres_sethostent()</code>,
-<code class="function">lwres_endhostent()</code>,
-<code class="function">lwres_gethostent_r()</code>,
-<code class="function">lwres_sethostent_r()</code>
-and
-<code class="function">lwres_endhostent_r()</code>
-provide iteration over the known host entries on systems that
-provide such functionality through facilities like
-<code class="filename">/etc/hosts</code>
-or NIS.  The lightweight resolver does not currently implement
-these functions; it only provides them as stub functions that always
-return failure.
-</p>
+      For backward compatibility with very old software,
+      <code class="constant">h_addr</code>
+      is the first address in
+      <code class="constant">h_addr_list.</code>
+    </p>
+<p><code class="function">lwres_gethostent()</code>,
+      <code class="function">lwres_sethostent()</code>,
+      <code class="function">lwres_endhostent()</code>,
+      <code class="function">lwres_gethostent_r()</code>,
+      <code class="function">lwres_sethostent_r()</code>
+      and
+      <code class="function">lwres_endhostent_r()</code>
+      provide iteration over the known host entries on systems that
+      provide such functionality through facilities like
+      <code class="filename">/etc/hosts</code>
+      or NIS.  The lightweight resolver does not currently implement
+      these functions; it only provides them as stub functions that always
+      return failure.
+    </p>
+<p><code class="function">lwres_gethostbyname()</code>
+      and <code class="function">lwres_gethostbyname2()</code> look up the
+      hostname <em class="parameter"><code>name</code></em>.
+      <code class="function">lwres_gethostbyname()</code> always looks for an
+      IPv4 address while <code class="function">lwres_gethostbyname2()</code>
+      looks for an address of protocol family
+      <em class="parameter"><code>af</code></em>: either <span class="type">PF_INET</span> or
+      <span class="type">PF_INET6</span> &#8212; IPv4 or IPV6 addresses
+      respectively.  Successful calls of the functions return a
+      <span class="type">struct hostent</span>for the name that was looked up.
+      <span class="type">NULL</span> is returned if the lookups by
+      <code class="function">lwres_gethostbyname()</code> or
+      <code class="function">lwres_gethostbyname2()</code> fail.
+    </p>
 <p>
-<code class="function">lwres_gethostbyname()</code> and
-<code class="function">lwres_gethostbyname2()</code> look up the hostname
-<em class="parameter"><code>name</code></em>.
-<code class="function">lwres_gethostbyname()</code> always looks for an IPv4
-address while <code class="function">lwres_gethostbyname2()</code> looks for an
-address of protocol family <em class="parameter"><code>af</code></em>: either
-<span class="type">PF_INET</span> or <span class="type">PF_INET6</span> &#8212; IPv4 or IPV6
-addresses respectively.  Successful calls of the functions return a
-<span class="type">struct hostent</span>for the name that was looked up.
-<span class="type">NULL</span> is returned if the lookups by
-<code class="function">lwres_gethostbyname()</code> or
-<code class="function">lwres_gethostbyname2()</code> fail.
-</p>
-<p>
-Reverse lookups of addresses are performed by
-<code class="function">lwres_gethostbyaddr()</code>.
-<em class="parameter"><code>addr</code></em> is an address of length
-<em class="parameter"><code>len</code></em> bytes and protocol family
-<em class="parameter"><code>type</code></em> &#8212; <span class="type">PF_INET</span> or
-<span class="type">PF_INET6</span>.
-<code class="function">lwres_gethostbyname_r()</code> is a thread-safe function
-for forward lookups.  If an error occurs, an error code is returned in
-<em class="parameter"><code>*error</code></em>.
-<em class="parameter"><code>resbuf</code></em> is a pointer to a <span class="type">struct
-hostent</span> which is initialised by a successful call to
-<code class="function">lwres_gethostbyname_r()</code> .
-<em class="parameter"><code>buf</code></em> is a buffer of length
-<em class="parameter"><code>len</code></em> bytes which is used to store the
-<code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
-<code class="constant">h_addr_list</code> elements of the <span class="type">struct
-hostent</span> returned in <em class="parameter"><code>resbuf</code></em>.
-Successful calls to <code class="function">lwres_gethostbyname_r()</code>
-return <em class="parameter"><code>resbuf</code></em>,
-which is a pointer to the <span class="type">struct hostent</span> it created.
-</p>
-<p>
-<code class="function">lwres_gethostbyaddr_r()</code> is a thread-safe function
-that performs a reverse lookup of address <em class="parameter"><code>addr</code></em>
-which is <em class="parameter"><code>len</code></em> bytes long and is of protocol
-family <em class="parameter"><code>type</code></em> &#8212; <span class="type">PF_INET</span> or
-<span class="type">PF_INET6</span>.  If an error occurs, the error code is returned
-in <em class="parameter"><code>*error</code></em>.  The other function parameters are
-identical to those in <code class="function">lwres_gethostbyname_r()</code>.
-<em class="parameter"><code>resbuf</code></em> is a pointer to a <span class="type">struct
-hostent</span> which is initialised by a successful call to
-<code class="function">lwres_gethostbyaddr_r()</code>.
-<em class="parameter"><code>buf</code></em> is a buffer of length
-<em class="parameter"><code>len</code></em> bytes which is used to store the
-<code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
-<code class="constant">h_addr_list</code> elements of the <span class="type">struct
-hostent</span> returned in <em class="parameter"><code>resbuf</code></em>.  Successful
-calls to <code class="function">lwres_gethostbyaddr_r()</code> return
-<em class="parameter"><code>resbuf</code></em>, which is a pointer to the
-<code class="function">struct hostent()</code> it created.
-</p>
+      Reverse lookups of addresses are performed by
+      <code class="function">lwres_gethostbyaddr()</code>.
+      <em class="parameter"><code>addr</code></em> is an address of length
+      <em class="parameter"><code>len</code></em> bytes and protocol family
+      <em class="parameter"><code>type</code></em> &#8212; <span class="type">PF_INET</span> or
+      <span class="type">PF_INET6</span>.
+      <code class="function">lwres_gethostbyname_r()</code> is a
+      thread-safe function
+      for forward lookups.  If an error occurs, an error code is returned in
+      <em class="parameter"><code>*error</code></em>.
+      <em class="parameter"><code>resbuf</code></em> is a pointer to a
+      <span class="type">struct hostent</span> which is initialised by a successful call to
+      <code class="function">lwres_gethostbyname_r()</code>.
+      <em class="parameter"><code>buf</code></em> is a buffer of length
+      <em class="parameter"><code>len</code></em> bytes which is used to store the
+      <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
+      <code class="constant">h_addr_list</code> elements of the
+      <span class="type">struct hostent</span> returned in <em class="parameter"><code>resbuf</code></em>.
+      Successful calls to <code class="function">lwres_gethostbyname_r()</code>
+      return <em class="parameter"><code>resbuf</code></em>,
+      which is a pointer to the <span class="type">struct hostent</span> it created.
+    </p>
+<p><code class="function">lwres_gethostbyaddr_r()</code>
+      is a thread-safe function
+      that performs a reverse lookup of address <em class="parameter"><code>addr</code></em>
+      which is <em class="parameter"><code>len</code></em> bytes long and is of
+      protocol
+      family <em class="parameter"><code>type</code></em> &#8212; <span class="type">PF_INET</span> or
+      <span class="type">PF_INET6</span>.  If an error occurs, the error code is returned
+      in <em class="parameter"><code>*error</code></em>.  The other function
+      parameters are
+      identical to those in <code class="function">lwres_gethostbyname_r()</code>.
+      <em class="parameter"><code>resbuf</code></em> is a pointer to a
+      <span class="type">struct hostent</span> which is initialised by a successful call to
+      <code class="function">lwres_gethostbyaddr_r()</code>.
+      <em class="parameter"><code>buf</code></em> is a buffer of length
+      <em class="parameter"><code>len</code></em> bytes which is used to store the
+      <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
+      <code class="constant">h_addr_list</code> elements of the
+      <span class="type">struct hostent</span> returned in <em class="parameter"><code>resbuf</code></em>.
+      Successful calls to <code class="function">lwres_gethostbyaddr_r()</code> return
+      <em class="parameter"><code>resbuf</code></em>, which is a pointer to the
+      <code class="function">struct hostent()</code> it created.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550013"></a><h2>RETURN VALUES</h2>
+<a name="id2543959"></a><h2>RETURN VALUES</h2>
 <p>
-The functions
-<code class="function">lwres_gethostbyname()</code>,
-<code class="function">lwres_gethostbyname2()</code>,
-<code class="function">lwres_gethostbyaddr()</code>,
-and
-<code class="function">lwres_gethostent()</code>
-return NULL to indicate an error.  In this case the global variable
-<span class="type">lwres_h_errno</span>
-will contain one of the following error codes defined in
-<code class="filename">&lt;lwres/netdb.h&gt;</code>:
+      The functions
+      <code class="function">lwres_gethostbyname()</code>,
+      <code class="function">lwres_gethostbyname2()</code>,
+      <code class="function">lwres_gethostbyaddr()</code>,
+      and
+      <code class="function">lwres_gethostent()</code>
+      return NULL to indicate an error.  In this case the global variable
+      <span class="type">lwres_h_errno</span>
+      will contain one of the following error codes defined in
+      <code class="filename">&lt;lwres/netdb.h&gt;</code>:
 
-</p>
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt>
 <dd><p>
-The host or address was not found.
-</p></dd>
+              The host or address was not found.
+            </p></dd>
 <dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt>
 <dd><p>
-A recoverable error occurred, e.g., a timeout.
-Retrying the lookup may succeed.
-</p></dd>
+              A recoverable error occurred, e.g., a timeout.
+              Retrying the lookup may succeed.
+            </p></dd>
 <dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt>
 <dd><p>
-A non-recoverable error occurred.
-</p></dd>
+              A non-recoverable error occurred.
+            </p></dd>
 <dt><span class="term"><code class="constant">NO_DATA</code></span></dt>
 <dd><p>
-The name exists, but has no address information
-associated with it (or vice versa in the case
-of a reverse lookup).  The code NO_ADDRESS
-is accepted as a synonym for NO_DATA for backwards
-compatibility.
-</p></dd>
+              The name exists, but has no address information
+              associated with it (or vice versa in the case
+              of a reverse lookup).  The code NO_ADDRESS
+              is accepted as a synonym for NO_DATA for backwards
+              compatibility.
+            </p></dd>
 </dl></div>
 <p>
-</p>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3
-)</span>
-translates these error codes to suitable error messages.
-</p>
+    </p>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>
+      translates these error codes to suitable error messages.
+    </p>
+<p><code class="function">lwres_gethostent()</code>
+      and <code class="function">lwres_gethostent_r()</code>
+      always return <span class="type">NULL</span>.
+    </p>
 <p>
-<code class="function">lwres_gethostent()</code>
-and
-<code class="function">lwres_gethostent_r()</code>
-always return
-<span class="type">NULL</span>.
-</p>
-<p>
-Successful calls to <code class="function">lwres_gethostbyname_r()</code> and
-<code class="function">lwres_gethostbyaddr_r()</code> return
-<em class="parameter"><code>resbuf</code></em>, a pointer to the <span class="type">struct
-hostent</span> that was initialised by these functions.  They return
-<span class="type">NULL</span> if the lookups fail or if <em class="parameter"><code>buf</code></em>
-was too small to hold the list of addresses and names referenced by
-the <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
-<code class="constant">h_addr_list</code> elements of the <span class="type">struct
-hostent</span>.  If <em class="parameter"><code>buf</code></em> was too small, both
-<code class="function">lwres_gethostbyname_r()</code> and
-<code class="function">lwres_gethostbyaddr_r()</code> set the global variable
-<span class="type">errno</span> to <span class="errorcode">ERANGE</span>.
-</p>
+      Successful calls to <code class="function">lwres_gethostbyname_r()</code> and
+      <code class="function">lwres_gethostbyaddr_r()</code> return
+      <em class="parameter"><code>resbuf</code></em>, a pointer to the
+      <span class="type">struct hostent</span> that was initialised by these functions.  They return
+      <span class="type">NULL</span> if the lookups fail or if <em class="parameter"><code>buf</code></em>
+      was too small to hold the list of addresses and names referenced by
+      the <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
+      <code class="constant">h_addr_list</code> elements of the
+      <span class="type">struct hostent</span>.
+      If <em class="parameter"><code>buf</code></em> was too small, both
+      <code class="function">lwres_gethostbyname_r()</code> and
+      <code class="function">lwres_gethostbyaddr_r()</code> set the global
+      variable
+      <span class="type">errno</span> to <span class="errorcode">ERANGE</span>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550173"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>,
+<a name="id2544193"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3
-)</span>
-</p>
+      <span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2550209"></a><h2>BUGS</h2>
-<p>
-<code class="function">lwres_gethostbyname()</code>,
-<code class="function">lwres_gethostbyname2()</code>,
-<code class="function">lwres_gethostbyaddr()</code>
-and
-<code class="function">lwres_endhostent()</code>
-are not thread safe; they return pointers to static data and 
-provide error codes through a global variable.
-Thread-safe versions for name and address lookup are provided by
-<code class="function">lwres_gethostbyname_r()</code>,
-and
-<code class="function">lwres_gethostbyaddr_r()</code>
-respectively.
-</p>
+<a name="id2544227"></a><h2>BUGS</h2>
+<p><code class="function">lwres_gethostbyname()</code>,
+      <code class="function">lwres_gethostbyname2()</code>,
+      <code class="function">lwres_gethostbyaddr()</code>
+      and
+      <code class="function">lwres_endhostent()</code>
+      are not thread safe; they return pointers to static data and
+      provide error codes through a global variable.
+      Thread-safe versions for name and address lookup are provided by
+      <code class="function">lwres_gethostbyname_r()</code>,
+      and
+      <code class="function">lwres_gethostbyaddr_r()</code>
+      respectively.
+    </p>
 <p>
-The resolver daemon does not currently support any non-DNS
-name services such as 
-<code class="filename">/etc/hosts</code>
-or
-<span class="type">NIS</span>,
-consequently the above functions don't, either.
-</p>
+      The resolver daemon does not currently support any non-DNS
+      name services such as
+      <code class="filename">/etc/hosts</code>
+      or
+      <span class="type">NIS</span>,
+      consequently the above functions don't, either.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.3 b/contrib/bind9/lib/lwres/man/lwres_getipnode.3
index f7ab62b..9c9f374 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getipnode.3
+++ b/contrib/bind9/lib/lwres/man/lwres_getipnode.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getipnode.3,v 1.13.2.2.4.7 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_getipnode.3,v 1.17.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_getipnode
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -36,11 +36,11 @@ lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent \- lightweight r
 #include <lwres/netdb.h>
 .fi
 .HP 39
-.BI "struct hostent * lwres_getipnodebyname(const\ char\ *name, int\ af, int\ flags, int\ *error_num);"
+.BI "struct hostent * lwres_getipnodebyname(const\ char\ *" "name" ", int\ " "af" ", int\ " "flags" ", int\ *" "error_num" ");"
 .HP 39
-.BI "struct hostent * lwres_getipnodebyaddr(const\ void\ *src, size_t\ len, int\ af, int\ *error_num);"
+.BI "struct hostent * lwres_getipnodebyaddr(const\ void\ *" "src" ", size_t\ " "len" ", int\ " "af" ", int\ *" "error_num" ");"
 .HP 23
-.BI "void lwres_freehostent(struct\ hostent\ *he);"
+.BI "void lwres_freehostent(struct\ hostent\ *" "he" ");"
 .SH "DESCRIPTION"
 .PP
 These functions perform thread safe, protocol independent nodename\-to\-address and address\-to\-nodename translation as defined in RFC2553.
@@ -49,8 +49,8 @@ They use a
 \fBstruct hostent\fR
 which is defined in
 \fInamedb.h\fR:
-.sp
-.RS 3n
+.PP
+.RS 4
 .nf
 struct  hostent {
         char    *h_name;        /* official name of host */
@@ -65,26 +65,36 @@ struct  hostent {
 .sp
 .PP
 The members of this structure are:
-.TP 3n
+.PP
 \fBh_name\fR
+.RS 4
 The official (canonical) name of the host.
-.TP 3n
+.RE
+.PP
 \fBh_aliases\fR
+.RS 4
 A NULL\-terminated array of alternate names (nicknames) for the host.
-.TP 3n
+.RE
+.PP
 \fBh_addrtype\fR
+.RS 4
 The type of address being returned \- usually
 \fBPF_INET\fR
 or
 \fBPF_INET6\fR.
-.TP 3n
+.RE
+.PP
 \fBh_length\fR
+.RS 4
 The length of the address in bytes.
-.TP 3n
+.RE
+.PP
 \fBh_addr_list\fR
+.RS 4
 A
 \fBNULL\fR
 terminated array of network addresses for the host. Host addresses are returned in network byte order.
+.RE
 .PP
 \fBlwres_getipnodebyname()\fR
 looks up addresses of protocol family
@@ -93,26 +103,34 @@ for the hostname
 \fIname\fR. The
 \fIflags\fR
 parameter contains ORed flag bits to specify the types of addresses that are searched for, and the types of addresses that are returned. The flag bits are:
-.TP 3n
+.PP
 \fBAI_V4MAPPED\fR
+.RS 4
 This is used with an
 \fIaf\fR
 of AF_INET6, and causes IPv4 addresses to be returned as IPv4\-mapped IPv6 addresses.
-.TP 3n
+.RE
+.PP
 \fBAI_ALL\fR
+.RS 4
 This is used with an
 \fIaf\fR
 of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned. If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped IPv6 addresses.
-.TP 3n
+.RE
+.PP
 \fBAI_ADDRCONFIG\fR
+.RS 4
 Only return an IPv6 or IPv4 address if here is an active network interface of that type. This is not currently implemented in the BIND 9 lightweight resolver, and the flag is ignored.
-.TP 3n
+.RE
+.PP
 \fBAI_DEFAULT\fR
+.RS 4
 This default sets the
 \fBAI_V4MAPPED\fR
 and
 \fBAI_ADDRCONFIG\fR
 flag bits.
+.RE
 .PP
 \fBlwres_getipnodebyaddr()\fR
 performs a reverse lookup of address
@@ -150,20 +168,28 @@ to an appropriate error code and the function returns a
 \fBNULL\fR
 pointer. The error codes and their meanings are defined in
 \fI<lwres/netdb.h>\fR:
-.TP 3n
+.PP
 \fBHOST_NOT_FOUND\fR
+.RS 4
 No such host is known.
-.TP 3n
+.RE
+.PP
 \fBNO_ADDRESS\fR
+.RS 4
 The server recognised the request and the name but no address is available. Another type of request to the name server for the domain might return an answer.
-.TP 3n
+.RE
+.PP
 \fBTRY_AGAIN\fR
+.RS 4
 A temporary and possibly transient error occurred, such as a failure of a server to respond. The request may succeed if retried.
-.TP 3n
+.RE
+.PP
 \fBNO_RECOVERY\fR
+.RS 4
 An unexpected failure occurred, and retrying the request is pointless.
+.RE
 .PP
-\fBlwres_hstrerror\fR(3 )
+\fBlwres_hstrerror\fR(3)
 translates these error codes to suitable error messages.
 .SH "SEE ALSO"
 .PP
@@ -174,4 +200,7 @@ translates these error codes to suitable error messages.
 \fBlwres_getnameinfo\fR(3),
 \fBlwres_hstrerror\fR(3).
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook b/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook
index 94de72c..6bd4803 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_getipnode.docbook,v 1.4.2.2.4.3 2005/05/12 21:36:14 sra Exp $ -->
-
+<!-- $Id: lwres_getipnode.docbook,v 1.6.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refmeta>
-<refentrytitle>lwres_getipnode</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_getipnode</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -46,57 +46,58 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_getipnodebyname</refname>
-<refname>lwres_getipnodebyaddr</refname>
-<refname>lwres_freehostent</refname>
-<refpurpose>lightweight resolver nodename / address translation API</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
+  <refnamediv>
+    <refname>lwres_getipnodebyname</refname>
+    <refname>lwres_getipnodebyaddr</refname>
+    <refname>lwres_freehostent</refname>
+    <refpurpose>lightweight resolver nodename / address translation API</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
 <funcprototype>
-<funcdef>
+        <funcdef>
 struct hostent *
 <function>lwres_getipnodebyname</function></funcdef>
-<paramdef>const char *name</paramdef>
-<paramdef>int af</paramdef>
-<paramdef>int flags</paramdef>
-<paramdef>int *error_num</paramdef>
-</funcprototype>
+        <paramdef>const char *<parameter>name</parameter></paramdef>
+        <paramdef>int <parameter>af</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+        <paramdef>int *<parameter>error_num</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 struct hostent *
 <function>lwres_getipnodebyaddr</function></funcdef>
-<paramdef>const void *src</paramdef>
-<paramdef>size_t len</paramdef>
-<paramdef>int af</paramdef>
-<paramdef>int *error_num</paramdef>
-</funcprototype>
+        <paramdef>const void *<parameter>src</parameter></paramdef>
+        <paramdef>size_t <parameter>len</parameter></paramdef>
+        <paramdef>int <parameter>af</parameter></paramdef>
+        <paramdef>int *<parameter>error_num</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_freehostent</function></funcdef>
-<paramdef>struct hostent *he</paramdef>
-</funcprototype>
+        <paramdef>struct hostent *<parameter>he</parameter></paramdef>
+      </funcprototype>
 </funcsynopsis>
-</refsynopsisdiv>
+  </refsynopsisdiv>
 
-<refsect1>
-<title>DESCRIPTION</title>
+  <refsect1>
+    <title>DESCRIPTION</title>
 
-<para>
-These functions perform thread safe, protocol independent
-nodename-to-address and address-to-nodename 
-translation as defined in RFC2553.
-</para>
+    <para>
+      These functions perform thread safe, protocol independent
+      nodename-to-address and address-to-nodename
+      translation as defined in RFC2553.
+    </para>
 
-<para>
-They use a
-<type>struct hostent</type>
-which is defined in
-<filename>namedb.h</filename>:
-<programlisting>
+    <para>
+      They use a
+      <type>struct hostent</type>
+      which is defined in
+      <filename>namedb.h</filename>:
+    </para>
+    <para><programlisting>
 struct  hostent {
         char    *h_name;        /* official name of host */
         char    **h_aliases;    /* alias list */
@@ -106,218 +107,225 @@ struct  hostent {
 };
 #define h_addr  h_addr_list[0]  /* address, for backward compatibility */
 </programlisting>
-</para>
-
-<para>
-The members of this structure are:
-<variablelist>
-<varlistentry><term><constant>h_name</constant></term>
-<listitem>
-<para>
-The official (canonical) name of the host.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_aliases</constant></term>
-<listitem>
-<para>
-A NULL-terminated array of alternate names (nicknames) for the host.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_addrtype</constant></term>
-<listitem>
-<para>
-The type of address being returned - usually
-<type>PF_INET</type>
-or
-<type>PF_INET6</type>.
+    </para>
 
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_length</constant></term>
-<listitem>
-<para>
-The length of the address in bytes.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_addr_list</constant></term>
-<listitem>
-<para>
-A
-<type>NULL</type>
-terminated array of network addresses for the host.
-Host addresses are returned in network byte order.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-<function>lwres_getipnodebyname()</function>
-looks up addresses of protocol family
-<parameter>af</parameter>
+    <para>
+      The members of this structure are:
+      <variablelist>
+        <varlistentry>
+          <term><constant>h_name</constant></term>
+          <listitem>
+            <para>
+              The official (canonical) name of the host.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_aliases</constant></term>
+          <listitem>
+            <para>
+              A NULL-terminated array of alternate names (nicknames) for the
+              host.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_addrtype</constant></term>
+          <listitem>
+            <para>
+              The type of address being returned - usually
+              <type>PF_INET</type>
+              or
+              <type>PF_INET6</type>.
 
-for the hostname
-<parameter>name</parameter>.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_length</constant></term>
+          <listitem>
+            <para>
+              The length of the address in bytes.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_addr_list</constant></term>
+          <listitem>
+            <para>
+              A
+              <type>NULL</type>
+              terminated array of network addresses for the host.
+              Host addresses are returned in network byte order.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
 
-The
-<parameter>flags</parameter>
-parameter contains ORed flag bits to 
-specify the types of addresses that are searched
-for, and the types of addresses that are returned. 
-The flag bits are:
-<variablelist>
-<varlistentry><term><constant>AI_V4MAPPED</constant></term>
-<listitem>
-<para>
-This is used with an
-<parameter>af</parameter>
-of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped
-IPv6 addresses.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>AI_ALL</constant></term>
-<listitem>
-<para>
-This is used with an
-<parameter>af</parameter>
-of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned.
-If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped
-IPv6 addresses.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>AI_ADDRCONFIG</constant></term>
-<listitem>
-<para>
-Only return an IPv6 or IPv4 address if here is an active network
-interface of that type.  This is not currently implemented
-in the BIND 9 lightweight resolver, and the flag is ignored.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>AI_DEFAULT</constant></term>
-<listitem>
-<para>
-This default sets the
-<constant>AI_V4MAPPED</constant>
-and
-<constant>AI_ADDRCONFIG</constant>
-flag bits.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-<function>lwres_getipnodebyaddr()</function>
-performs a reverse lookup
-of address
-<parameter>src</parameter>
-which is
-<parameter>len</parameter>
-bytes long.
-<parameter>af</parameter>
-denotes the protocol family, typically
-<type>PF_INET</type>
-or
-<type>PF_INET6</type>.
+    <para><function>lwres_getipnodebyname()</function>
+      looks up addresses of protocol family <parameter>af</parameter>
+      for the hostname <parameter>name</parameter>.  The
+      <parameter>flags</parameter> parameter contains ORed flag bits
+      to specify the types of addresses that are searched for, and the
+      types of addresses that are returned.  The flag bits are:
 
-</para>
-<para>
-<function>lwres_freehostent()</function>
-releases all the memory associated with
-the
-<type>struct hostent</type>
-pointer
-<parameter>he</parameter>.
+      <variablelist>
+        <varlistentry>
+          <term><constant>AI_V4MAPPED</constant></term>
+          <listitem>
+            <para>
+              This is used with an
+              <parameter>af</parameter>
+              of AF_INET6, and causes IPv4 addresses to be returned as
+              IPv4-mapped
+              IPv6 addresses.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>AI_ALL</constant></term>
+          <listitem>
+            <para>
+              This is used with an
+              <parameter>af</parameter>
+              of AF_INET6, and causes all known addresses (IPv6 and IPv4) to
+              be returned.
+              If AI_V4MAPPED is also set, the IPv4 addresses are return as
+              mapped
+              IPv6 addresses.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>AI_ADDRCONFIG</constant></term>
+          <listitem>
+            <para>
+              Only return an IPv6 or IPv4 address if here is an active network
+              interface of that type.  This is not currently implemented
+              in the BIND 9 lightweight resolver, and the flag is ignored.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>AI_DEFAULT</constant></term>
+          <listitem>
+            <para>
+              This default sets the
+              <constant>AI_V4MAPPED</constant>
+              and
+              <constant>AI_ADDRCONFIG</constant>
+              flag bits.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
 
-Any memory allocated for the
-<constant>h_name</constant>,
+    <para><function>lwres_getipnodebyaddr()</function>
+      performs a reverse lookup of address <parameter>src</parameter>
+      which is <parameter>len</parameter> bytes long.
+      <parameter>af</parameter> denotes the protocol family, typically
+      <type>PF_INET</type> or <type>PF_INET6</type>.
+    </para>
+    <para><function>lwres_freehostent()</function>
+      releases all the memory associated with the <type>struct
+      hostent</type> pointer <parameter>he</parameter>.  Any memory
+      allocated for the <constant>h_name</constant>,
+      <constant>h_addr_list</constant> and
+      <constant>h_aliases</constant> is freed, as is the memory for
+      the <type>hostent</type> structure itself.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>RETURN VALUES</title>
+    <para>
+      If an error occurs,
+      <function>lwres_getipnodebyname()</function>
+      and
+      <function>lwres_getipnodebyaddr()</function>
+      set
+      <parameter>*error_num</parameter>
+      to an appropriate error code and the function returns a
+      <type>NULL</type>
+      pointer.
+      The error codes and their meanings are defined in
+      <filename>&lt;lwres/netdb.h&gt;</filename>:
+      <variablelist>
+        <varlistentry>
+          <term><constant>HOST_NOT_FOUND</constant></term>
+          <listitem>
+            <para>
+              No such host is known.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NO_ADDRESS</constant></term>
+          <listitem>
+            <para>
+              The server recognised the request and the name but no address is
+              available.  Another type of request to the name server for the
+              domain might return an answer.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>TRY_AGAIN</constant></term>
+          <listitem>
+            <para>
+              A temporary and possibly transient error occurred, such as a
+              failure of a server to respond.  The request may succeed if
+              retried.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NO_RECOVERY</constant></term>
+          <listitem>
+            <para>
+              An unexpected failure occurred, and retrying the request
+              is pointless.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+    <para><citerefentry>
+        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      translates these error codes to suitable error messages.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>RFC2553</refentrytitle>
+      </citerefentry>,
 
-<constant>h_addr_list</constant>
-and
-<constant>h_aliases</constant>
-is freed, as is the memory for the
-<type>hostent</type>
-structure itself.
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-If an error occurs,
-<function>lwres_getipnodebyname()</function>
-and
-<function>lwres_getipnodebyaddr()</function>
-set
-<parameter>*error_num</parameter>
-to an appropriate error code and the function returns a
-<type>NULL</type>
-pointer.
-The error codes and their meanings are defined in
-<filename>&lt;lwres/netdb.h&gt;</filename>:
-<variablelist>
-<varlistentry><term><constant>HOST_NOT_FOUND</constant></term>
-<listitem>
-<para>
-No such host is known.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>NO_ADDRESS</constant></term>
-<listitem>
-<para>
-The server recognised the request and the name but no address is
-available.  Another type of request to the name server for the
-domain might return an answer.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>TRY_AGAIN</constant></term>
-<listitem>
-<para>
-A temporary and possibly transient error occurred, such as a
-failure of a server to respond.  The request may succeed if
-retried.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>NO_RECOVERY</constant></term>
-<listitem>
-<para>
-An unexpected failure occurred, and retrying the request
-is pointless.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-translates these error codes to suitable error messages.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>RFC2553</refentrytitle>
-</citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
+      <citerefentry>
+        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.html b/contrib/bind9/lib/lwres/man/lwres_getipnode.html
index 779da90..a585f1d 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getipnode.html
+++ b/contrib/bind9/lib/lwres/man/lwres_getipnode.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getipnode.html,v 1.7.2.1.4.11 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_getipnode.html,v 1.9.18.16 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getipnode</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent &#8212; lightweight resolver nodename / address translation API</p>
@@ -36,29 +36,27 @@
 <td><code class="funcdef">
 struct hostent *
 <b class="fsfunc">lwres_getipnodebyname</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>const char * </td>
+<td>
+<var class="pdparam">name</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>int  </td>
+<td>
+<var class="pdparam">af</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>int  </td>
+<td>
+<var class="pdparam">flags</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>int * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">error_num</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -66,62 +64,52 @@ struct hostent *
 <td><code class="funcdef">
 struct hostent *
 <b class="fsfunc">lwres_getipnodebyaddr</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>const void * </td>
+<td>
+<var class="pdparam">src</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>size_t  </td>
+<td>
+<var class="pdparam">len</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>int  </td>
+<td>
+<var class="pdparam">af</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>int * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">error_num</var><code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_freehostent</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
+<td>struct hostent * </td>
 <td>
-<code>)</code>;</td>
-</tr>
-</table>
+<var class="pdparam">he</var><code>)</code>;</td>
+</tr></table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549461"></a><h2>DESCRIPTION</h2>
+<a name="id2543431"></a><h2>DESCRIPTION</h2>
 <p>
-These functions perform thread safe, protocol independent
-nodename-to-address and address-to-nodename 
-translation as defined in RFC2553.
-</p>
+      These functions perform thread safe, protocol independent
+      nodename-to-address and address-to-nodename
+      translation as defined in RFC2553.
+    </p>
 <p>
-They use a
-<span class="type">struct hostent</span>
-which is defined in
-<code class="filename">namedb.h</code>:
-</p>
+      They use a
+      <span class="type">struct hostent</span>
+      which is defined in
+      <code class="filename">namedb.h</code>:
+    </p>
 <pre class="programlisting">
 struct  hostent {
         char    *h_name;        /* official name of host */
@@ -133,184 +121,159 @@ struct  hostent {
 #define h_addr  h_addr_list[0]  /* address, for backward compatibility */
 </pre>
 <p>
-</p>
+    </p>
 <p>
-The members of this structure are:
-</p>
+      The members of this structure are:
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">h_name</code></span></dt>
 <dd><p>
-The official (canonical) name of the host.
-</p></dd>
+              The official (canonical) name of the host.
+            </p></dd>
 <dt><span class="term"><code class="constant">h_aliases</code></span></dt>
 <dd><p>
-A NULL-terminated array of alternate names (nicknames) for the host.
-</p></dd>
+              A NULL-terminated array of alternate names (nicknames) for the
+              host.
+            </p></dd>
 <dt><span class="term"><code class="constant">h_addrtype</code></span></dt>
 <dd><p>
-The type of address being returned - usually
-<span class="type">PF_INET</span>
-or
-<span class="type">PF_INET6</span>.
+              The type of address being returned - usually
+              <span class="type">PF_INET</span>
+              or
+              <span class="type">PF_INET6</span>.
 
-</p></dd>
+            </p></dd>
 <dt><span class="term"><code class="constant">h_length</code></span></dt>
 <dd><p>
-The length of the address in bytes.
-</p></dd>
+              The length of the address in bytes.
+            </p></dd>
 <dt><span class="term"><code class="constant">h_addr_list</code></span></dt>
 <dd><p>
-A
-<span class="type">NULL</span>
-terminated array of network addresses for the host.
-Host addresses are returned in network byte order.
-</p></dd>
+              A
+              <span class="type">NULL</span>
+              terminated array of network addresses for the host.
+              Host addresses are returned in network byte order.
+            </p></dd>
 </dl></div>
 <p>
-</p>
-<p>
-<code class="function">lwres_getipnodebyname()</code>
-looks up addresses of protocol family
-<em class="parameter"><code>af</code></em>
-
-for the hostname
-<em class="parameter"><code>name</code></em>.
+    </p>
+<p><code class="function">lwres_getipnodebyname()</code>
+      looks up addresses of protocol family <em class="parameter"><code>af</code></em>
+      for the hostname <em class="parameter"><code>name</code></em>.  The
+      <em class="parameter"><code>flags</code></em> parameter contains ORed flag bits
+      to specify the types of addresses that are searched for, and the
+      types of addresses that are returned.  The flag bits are:
 
-The
-<em class="parameter"><code>flags</code></em>
-parameter contains ORed flag bits to 
-specify the types of addresses that are searched
-for, and the types of addresses that are returned. 
-The flag bits are:
-</p>
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">AI_V4MAPPED</code></span></dt>
 <dd><p>
-This is used with an
-<em class="parameter"><code>af</code></em>
-of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped
-IPv6 addresses.
-</p></dd>
+              This is used with an
+              <em class="parameter"><code>af</code></em>
+              of AF_INET6, and causes IPv4 addresses to be returned as
+              IPv4-mapped
+              IPv6 addresses.
+            </p></dd>
 <dt><span class="term"><code class="constant">AI_ALL</code></span></dt>
 <dd><p>
-This is used with an
-<em class="parameter"><code>af</code></em>
-of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned.
-If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped
-IPv6 addresses.
-</p></dd>
+              This is used with an
+              <em class="parameter"><code>af</code></em>
+              of AF_INET6, and causes all known addresses (IPv6 and IPv4) to
+              be returned.
+              If AI_V4MAPPED is also set, the IPv4 addresses are return as
+              mapped
+              IPv6 addresses.
+            </p></dd>
 <dt><span class="term"><code class="constant">AI_ADDRCONFIG</code></span></dt>
 <dd><p>
-Only return an IPv6 or IPv4 address if here is an active network
-interface of that type.  This is not currently implemented
-in the BIND 9 lightweight resolver, and the flag is ignored.
-</p></dd>
+              Only return an IPv6 or IPv4 address if here is an active network
+              interface of that type.  This is not currently implemented
+              in the BIND 9 lightweight resolver, and the flag is ignored.
+            </p></dd>
 <dt><span class="term"><code class="constant">AI_DEFAULT</code></span></dt>
 <dd><p>
-This default sets the
-<code class="constant">AI_V4MAPPED</code>
-and
-<code class="constant">AI_ADDRCONFIG</code>
-flag bits.
-</p></dd>
+              This default sets the
+              <code class="constant">AI_V4MAPPED</code>
+              and
+              <code class="constant">AI_ADDRCONFIG</code>
+              flag bits.
+            </p></dd>
 </dl></div>
 <p>
-</p>
-<p>
-<code class="function">lwres_getipnodebyaddr()</code>
-performs a reverse lookup
-of address
-<em class="parameter"><code>src</code></em>
-which is
-<em class="parameter"><code>len</code></em>
-bytes long.
-<em class="parameter"><code>af</code></em>
-denotes the protocol family, typically
-<span class="type">PF_INET</span>
-or
-<span class="type">PF_INET6</span>.
-
-</p>
-<p>
-<code class="function">lwres_freehostent()</code>
-releases all the memory associated with
-the
-<span class="type">struct hostent</span>
-pointer
-<em class="parameter"><code>he</code></em>.
-
-Any memory allocated for the
-<code class="constant">h_name</code>,
-
-<code class="constant">h_addr_list</code>
-and
-<code class="constant">h_aliases</code>
-is freed, as is the memory for the
-<span class="type">hostent</span>
-structure itself.
-</p>
+    </p>
+<p><code class="function">lwres_getipnodebyaddr()</code>
+      performs a reverse lookup of address <em class="parameter"><code>src</code></em>
+      which is <em class="parameter"><code>len</code></em> bytes long.
+      <em class="parameter"><code>af</code></em> denotes the protocol family, typically
+      <span class="type">PF_INET</span> or <span class="type">PF_INET6</span>.
+    </p>
+<p><code class="function">lwres_freehostent()</code>
+      releases all the memory associated with the <span class="type">struct
+      hostent</span> pointer <em class="parameter"><code>he</code></em>.  Any memory
+      allocated for the <code class="constant">h_name</code>,
+      <code class="constant">h_addr_list</code> and
+      <code class="constant">h_aliases</code> is freed, as is the memory for
+      the <span class="type">hostent</span> structure itself.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549832"></a><h2>RETURN VALUES</h2>
+<a name="id2543689"></a><h2>RETURN VALUES</h2>
 <p>
-If an error occurs,
-<code class="function">lwres_getipnodebyname()</code>
-and
-<code class="function">lwres_getipnodebyaddr()</code>
-set
-<em class="parameter"><code>*error_num</code></em>
-to an appropriate error code and the function returns a
-<span class="type">NULL</span>
-pointer.
-The error codes and their meanings are defined in
-<code class="filename">&lt;lwres/netdb.h&gt;</code>:
-</p>
+      If an error occurs,
+      <code class="function">lwres_getipnodebyname()</code>
+      and
+      <code class="function">lwres_getipnodebyaddr()</code>
+      set
+      <em class="parameter"><code>*error_num</code></em>
+      to an appropriate error code and the function returns a
+      <span class="type">NULL</span>
+      pointer.
+      The error codes and their meanings are defined in
+      <code class="filename">&lt;lwres/netdb.h&gt;</code>:
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt>
 <dd><p>
-No such host is known.
-</p></dd>
+              No such host is known.
+            </p></dd>
 <dt><span class="term"><code class="constant">NO_ADDRESS</code></span></dt>
 <dd><p>
-The server recognised the request and the name but no address is
-available.  Another type of request to the name server for the
-domain might return an answer.
-</p></dd>
+              The server recognised the request and the name but no address is
+              available.  Another type of request to the name server for the
+              domain might return an answer.
+            </p></dd>
 <dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt>
 <dd><p>
-A temporary and possibly transient error occurred, such as a
-failure of a server to respond.  The request may succeed if
-retried.
-</p></dd>
+              A temporary and possibly transient error occurred, such as a
+              failure of a server to respond.  The request may succeed if
+              retried.
+            </p></dd>
 <dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt>
 <dd><p>
-An unexpected failure occurred, and retrying the request
-is pointless.
-</p></dd>
+              An unexpected failure occurred, and retrying the request
+              is pointless.
+            </p></dd>
 </dl></div>
 <p>
-</p>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3
-)</span>
-translates these error codes to suitable error messages.
-</p>
+    </p>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>
+      translates these error codes to suitable error messages.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549923"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">RFC2553</span></span>,
+<a name="id2543786"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">RFC2553</span></span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
-</p>
+      <span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3 b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3
index a9af04b..449f591 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3
+++ b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getnameinfo.3,v 1.15.2.1.8.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_getnameinfo.3,v 1.18.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_getnameinfo
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -36,7 +36,7 @@ lwres_getnameinfo \- lightweight resolver socket address structure to hostname a
 #include <lwres/netdb.h>
 .fi
 .HP 22
-.BI "int lwres_getnameinfo(const\ struct\ sockaddr\ *sa, size_t\ salen, char\ *host, size_t\ hostlen, char\ *serv, size_t\ servlen, int\ flags);"
+.BI "int lwres_getnameinfo(const\ struct\ sockaddr\ *" "sa" ", size_t\ " "salen" ", char\ *" "host" ", size_t\ " "hostlen" ", char\ *" "serv" ", size_t\ " "servlen" ", int\ " "flags" ");"
 .SH "DESCRIPTION"
 .PP
 This function is equivalent to the
@@ -68,21 +68,31 @@ bytes long. The maximum length of the service name is
 The
 \fIflags\fR
 argument sets the following bits:
-.TP 3n
+.PP
 \fBNI_NOFQDN\fR
+.RS 4
 A fully qualified domain name is not required for local hosts. The local part of the fully qualified domain name is returned instead.
-.TP 3n
+.RE
+.PP
 \fBNI_NUMERICHOST\fR
+.RS 4
 Return the address in numeric form, as if calling inet_ntop(), instead of a host name.
-.TP 3n
+.RE
+.PP
 \fBNI_NAMEREQD\fR
+.RS 4
 A name is required. If the hostname cannot be found in the DNS and this flag is set, a non\-zero error code is returned. If the hostname is not found and the flag is not set, the address is returned in numeric form.
-.TP 3n
+.RE
+.PP
 \fBNI_NUMERICSERV\fR
+.RS 4
 The service name is returned as a digit string representing the port number.
-.TP 3n
+.RE
+.PP
 \fBNI_DGRAM\fR
+.RS 4
 Specifies that the service being looked up is a datagram service, and causes getservbyport() to be called with a second argument of "udp" instead of its default of "tcp". This is required for the few ports (512\-514) that have different services for UDP and TCP.
+.RE
 .SH "RETURN VALUES"
 .PP
 \fBlwres_getnameinfo()\fR
@@ -101,4 +111,7 @@ RFC2133 fails to define what the nonzero return values of
 \fBgetnameinfo\fR(3)
 are.
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook
index b6e10ac..4886196 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_getnameinfo.docbook,v 1.3.206.3 2005/05/12 21:36:15 sra Exp $ -->
-
+<!-- $Id: lwres_getnameinfo.docbook,v 1.4.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refmeta>
-<refentrytitle>lwres_getnameinfo</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_getnameinfo</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -45,126 +45,161 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_getnameinfo</refname>
-<refpurpose>lightweight resolver socket address structure to hostname and service name</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
+  <refnamediv>
+    <refname>lwres_getnameinfo</refname>
+    <refpurpose>lightweight resolver socket address structure to hostname and
+      service name
+    </refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
 <funcprototype>
-<funcdef>
+        <funcdef>
 int
 <function>lwres_getnameinfo</function></funcdef>
-<paramdef>const struct sockaddr *sa</paramdef>
-<paramdef>size_t salen</paramdef>
-<paramdef>char *host</paramdef>
-<paramdef>size_t hostlen</paramdef>
-<paramdef>char *serv</paramdef>
-<paramdef>size_t servlen</paramdef>
-<paramdef>int flags</paramdef>
-</funcprototype>
+        <paramdef>const struct sockaddr *<parameter>sa</parameter></paramdef>
+        <paramdef>size_t <parameter>salen</parameter></paramdef>
+        <paramdef>char *<parameter>host</parameter></paramdef>
+        <paramdef>size_t <parameter>hostlen</parameter></paramdef>
+        <paramdef>char *<parameter>serv</parameter></paramdef>
+        <paramdef>size_t <parameter>servlen</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+      </funcprototype>
 </funcsynopsis>
-</refsynopsisdiv>
+  </refsynopsisdiv>
 
-<refsect1>
-<title>DESCRIPTION</title>
+  <refsect1>
+    <title>DESCRIPTION</title>
 
-<para> This function is equivalent to the <citerefentry>
-<refentrytitle>getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry> function defined in RFC2133.
-<function>lwres_getnameinfo()</function> returns the hostname for the
-<type>struct sockaddr</type> <parameter>sa</parameter> which is
-<parameter>salen</parameter> bytes long.  The hostname is of length
-<parameter>hostlen</parameter> and is returned via
-<parameter>*host.</parameter> The maximum length of the hostname is
-1025 bytes: <constant>NI_MAXHOST</constant>.</para>
+    <para>
+       This function is equivalent to the
+      <citerefentry>
+        <refentrytitle>getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> function defined in RFC2133.
+      <function>lwres_getnameinfo()</function> returns the
+      hostname for the
+      <type>struct sockaddr</type> <parameter>sa</parameter> which
+      is
+      <parameter>salen</parameter> bytes long.  The hostname is of
+      length
+      <parameter>hostlen</parameter> and is returned via
+      <parameter>*host.</parameter> The maximum length of the
+      hostname is
+      1025 bytes: <constant>NI_MAXHOST</constant>.
+    </para>
 
-<para> The name of the service associated with the port number in
-<parameter>sa</parameter> is returned in <parameter>*serv.</parameter>
-It is <parameter>servlen</parameter> bytes long.  The maximum length
-of the service name is <constant>NI_MAXSERV</constant> - 32 bytes.
-</para>
+    <para> The name of the service associated with the port number in
+      <parameter>sa</parameter> is returned in <parameter>*serv.</parameter>
+      It is <parameter>servlen</parameter> bytes long.  The
+      maximum length
+      of the service name is <constant>NI_MAXSERV</constant> - 32
+      bytes.
+    </para>
 
-<para> The <parameter>flags</parameter> argument sets the following
-bits:
-<variablelist>
-<varlistentry><term><constant>NI_NOFQDN</constant></term>
-<listitem>
-<para>
-A fully qualified domain name is not required for local hosts.
-The local part of the fully qualified domain name is returned instead.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>NI_NUMERICHOST</constant></term>
-<listitem>
-<para>
-Return the address in numeric form, as if calling inet_ntop(),
-instead of a host name.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>NI_NAMEREQD</constant></term>
-<listitem>
-<para>
-A name is required. If the hostname cannot be found in the DNS and
-this flag is set, a non-zero error code is returned.
-If the hostname is not found and the flag is not set, the 
-address is returned in numeric form.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>NI_NUMERICSERV</constant></term>
-<listitem>
-<para>
-The service name is returned as a digit string representing the port number.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>NI_DGRAM</constant></term>
-<listitem>
-<para>
-Specifies that the service being looked up is a datagram
-service,  and causes getservbyport() to be called with a second
-argument of "udp" instead of its default of "tcp".  This is required
-for the few ports (512-514) that have different services for UDP and
-TCP.
-</para></listitem></varlistentry>
-</variablelist>
-</para>
-</refsect1>
+    <para>
+       The <parameter>flags</parameter> argument sets the
+      following
+      bits:
+      <variablelist>
+        <varlistentry>
+          <term><constant>NI_NOFQDN</constant></term>
+          <listitem>
+            <para>
+              A fully qualified domain name is not required for local hosts.
+              The local part of the fully qualified domain name is returned
+              instead.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NI_NUMERICHOST</constant></term>
+          <listitem>
+            <para>
+              Return the address in numeric form, as if calling inet_ntop(),
+              instead of a host name.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NI_NAMEREQD</constant></term>
+          <listitem>
+            <para>
+              A name is required. If the hostname cannot be found in the DNS
+              and
+              this flag is set, a non-zero error code is returned.
+              If the hostname is not found and the flag is not set, the
+              address is returned in numeric form.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NI_NUMERICSERV</constant></term>
+          <listitem>
+            <para>
+              The service name is returned as a digit string representing the
+              port number.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NI_DGRAM</constant></term>
+          <listitem>
+            <para>
+              Specifies that the service being looked up is a datagram
+              service,  and causes getservbyport() to be called with a second
+              argument of "udp" instead of its default of "tcp".  This is
+              required
+              for the few ports (512-514) that have different services for UDP
+              and
+              TCP.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+  </refsect1>
 
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_getnameinfo()</function>
-returns 0 on success or a non-zero error code if an error occurs.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>RFC2133</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>getservbyport</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>lwres_getnamebyaddr</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-<citerefentry>
-<refentrytitle>lwres_net_ntop</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-<refsect1>
-<title>BUGS</title>
-<para>
-RFC2133 fails to define what the nonzero return values of
-<citerefentry>
-<refentrytitle>getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>
-are.
-</para>
-</refsect1>
-</refentry>
+  <refsect1>
+    <title>RETURN VALUES</title>
+    <para><function>lwres_getnameinfo()</function>
+      returns 0 on success or a non-zero error code if an error occurs.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>RFC2133</refentrytitle>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>getservbyport</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_getnamebyaddr</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+      <citerefentry>
+        <refentrytitle>lwres_net_ntop</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>BUGS</title>
+    <para>
+      RFC2133 fails to define what the nonzero return values of
+      <citerefentry>
+        <refentrytitle>getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      are.
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
index 3111730..312cfe5 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
+++ b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,18 +14,20 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getnameinfo.html,v 1.5.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_getnameinfo.html,v 1.6.18.17 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getnameinfo</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
-<p>lwres_getnameinfo &#8212; lightweight resolver socket address structure to hostname and service name</p>
+<p>lwres_getnameinfo &#8212; lightweight resolver socket address structure to hostname and
+      service name
+    </p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
@@ -36,124 +38,139 @@
 <td><code class="funcdef">
 int
 <b class="fsfunc">lwres_getnameinfo</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>const struct sockaddr * </td>
+<td>
+<var class="pdparam">sa</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>size_t  </td>
+<td>
+<var class="pdparam">salen</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>char * </td>
+<td>
+<var class="pdparam">host</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>size_t  </td>
+<td>
+<var class="pdparam">hostlen</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>char * </td>
+<td>
+<var class="pdparam">serv</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>size_t  </td>
+<td>
+<var class="pdparam">servlen</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>int  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">flags</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549427"></a><h2>DESCRIPTION</h2>
-<p> This function is equivalent to the <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span> function defined in RFC2133.
-<code class="function">lwres_getnameinfo()</code> returns the hostname for the
-<span class="type">struct sockaddr</span> <em class="parameter"><code>sa</code></em> which is
-<em class="parameter"><code>salen</code></em> bytes long.  The hostname is of length
-<em class="parameter"><code>hostlen</code></em> and is returned via
-<em class="parameter"><code>*host.</code></em> The maximum length of the hostname is
-1025 bytes: <code class="constant">NI_MAXHOST</code>.</p>
+<a name="id2543393"></a><h2>DESCRIPTION</h2>
+<p>
+       This function is equivalent to the
+      <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span> function defined in RFC2133.
+      <code class="function">lwres_getnameinfo()</code> returns the
+      hostname for the
+      <span class="type">struct sockaddr</span> <em class="parameter"><code>sa</code></em> which
+      is
+      <em class="parameter"><code>salen</code></em> bytes long.  The hostname is of
+      length
+      <em class="parameter"><code>hostlen</code></em> and is returned via
+      <em class="parameter"><code>*host.</code></em> The maximum length of the
+      hostname is
+      1025 bytes: <code class="constant">NI_MAXHOST</code>.
+    </p>
 <p> The name of the service associated with the port number in
-<em class="parameter"><code>sa</code></em> is returned in <em class="parameter"><code>*serv.</code></em>
-It is <em class="parameter"><code>servlen</code></em> bytes long.  The maximum length
-of the service name is <code class="constant">NI_MAXSERV</code> - 32 bytes.
-</p>
-<p> The <em class="parameter"><code>flags</code></em> argument sets the following
-bits:
-</p>
+      <em class="parameter"><code>sa</code></em> is returned in <em class="parameter"><code>*serv.</code></em>
+      It is <em class="parameter"><code>servlen</code></em> bytes long.  The
+      maximum length
+      of the service name is <code class="constant">NI_MAXSERV</code> - 32
+      bytes.
+    </p>
+<p>
+       The <em class="parameter"><code>flags</code></em> argument sets the
+      following
+      bits:
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">NI_NOFQDN</code></span></dt>
 <dd><p>
-A fully qualified domain name is not required for local hosts.
-The local part of the fully qualified domain name is returned instead.
-</p></dd>
+              A fully qualified domain name is not required for local hosts.
+              The local part of the fully qualified domain name is returned
+              instead.
+            </p></dd>
 <dt><span class="term"><code class="constant">NI_NUMERICHOST</code></span></dt>
 <dd><p>
-Return the address in numeric form, as if calling inet_ntop(),
-instead of a host name.
-</p></dd>
+              Return the address in numeric form, as if calling inet_ntop(),
+              instead of a host name.
+            </p></dd>
 <dt><span class="term"><code class="constant">NI_NAMEREQD</code></span></dt>
 <dd><p>
-A name is required. If the hostname cannot be found in the DNS and
-this flag is set, a non-zero error code is returned.
-If the hostname is not found and the flag is not set, the 
-address is returned in numeric form.
-</p></dd>
+              A name is required. If the hostname cannot be found in the DNS
+              and
+              this flag is set, a non-zero error code is returned.
+              If the hostname is not found and the flag is not set, the
+              address is returned in numeric form.
+            </p></dd>
 <dt><span class="term"><code class="constant">NI_NUMERICSERV</code></span></dt>
 <dd><p>
-The service name is returned as a digit string representing the port number.
-</p></dd>
+              The service name is returned as a digit string representing the
+              port number.
+            </p></dd>
 <dt><span class="term"><code class="constant">NI_DGRAM</code></span></dt>
 <dd><p>
-Specifies that the service being looked up is a datagram
-service,  and causes getservbyport() to be called with a second
-argument of "udp" instead of its default of "tcp".  This is required
-for the few ports (512-514) that have different services for UDP and
-TCP.
-</p></dd>
+              Specifies that the service being looked up is a datagram
+              service,  and causes getservbyport() to be called with a second
+              argument of "udp" instead of its default of "tcp".  This is
+              required
+              for the few ports (512-514) that have different services for UDP
+              and
+              TCP.
+            </p></dd>
 </dl></div>
 <p>
-</p>
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549553"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_getnameinfo()</code>
-returns 0 on success or a non-zero error code if an error occurs.
-</p>
+<a name="id2543534"></a><h2>RETURN VALUES</h2>
+<p><code class="function">lwres_getnameinfo()</code>
+      returns 0 on success or a non-zero error code if an error occurs.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549634"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
-<span class="citerefentry"><span class="refentrytitle">getservbyport</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">lwres_getnamebyaddr</span>(3)</span>.
-<span class="citerefentry"><span class="refentrytitle">lwres_net_ntop</span>(3)</span>.
-</p>
+<a name="id2543546"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">getservbyport</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">lwres_getnamebyaddr</span>(3)</span>.
+      <span class="citerefentry"><span class="refentrytitle">lwres_net_ntop</span>(3)</span>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549692"></a><h2>BUGS</h2>
+<a name="id2543604"></a><h2>BUGS</h2>
 <p>
-RFC2133 fails to define what the nonzero return values of
-<span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span>
-are.
-</p>
+      RFC2133 fails to define what the nonzero return values of
+      <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span>
+      are.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3 b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3
index 1aeca28..548b8e7 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3
+++ b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getrrsetbyname.3,v 1.11.2.1.8.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_getrrsetbyname.3,v 1.14.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_getrrsetbyname
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Oct 18, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -36,18 +36,24 @@ lwres_getrrsetbyname, lwres_freerrset \- retrieve DNS records
 #include <lwres/netdb.h>
 .fi
 .HP 25
-.BI "int lwres_getrrsetbyname(const\ char\ *hostname, unsigned\ int\ rdclass, unsigned\ int\ rdtype, unsigned\ int\ flags, struct\ rrsetinfo\ **res);"
+.BI "int lwres_getrrsetbyname(const\ char\ *" "hostname" ", unsigned\ int\ " "rdclass" ", unsigned\ int\ " "rdtype" ", unsigned\ int\ " "flags" ", struct\ rrsetinfo\ **" "res" ");"
 .HP 21
-.BI "void lwres_freerrset(struct\ rrsetinfo\ *rrset);"
+.BI "void lwres_freerrset(struct\ rrsetinfo\ *" "rrset" ");"
 .PP
 The following structures are used:
-.sp
-.RS 3n
+.PP
+.RS 4
 .nf
 struct  rdatainfo {
         unsigned int            rdi_length;     /* length of data */
         unsigned char           *rdi_data;      /* record data */
 };
+.fi
+.RE
+.sp
+.PP
+.RS 4
+.nf
 struct  rrsetinfo {
         unsigned int            rri_flags;      /* RRSET_VALIDATED... */
         unsigned int            rri_rdclass;    /* class number */
@@ -120,24 +126,39 @@ created by a call to
 .PP
 \fBlwres_getrrsetbyname()\fR
 returns zero on success, and one of the following error codes if an error occurred:
-.TP 3n
+.PP
 \fBERRSET_NONAME\fR
+.RS 4
 the name does not exist
-.TP 3n
+.RE
+.PP
 \fBERRSET_NODATA\fR
+.RS 4
 the name exists, but does not have data of the desired type
-.TP 3n
+.RE
+.PP
 \fBERRSET_NOMEMORY\fR
+.RS 4
 memory could not be allocated
-.TP 3n
+.RE
+.PP
 \fBERRSET_INVAL\fR
+.RS 4
 a parameter is invalid
-.TP 3n
+.RE
+.PP
 \fBERRSET_FAIL\fR
+.RS 4
 other failure
-.TP 3n
+.RE
+.PP
+.RS 4
+.RE
 .SH "SEE ALSO"
 .PP
 \fBlwres\fR(3).
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
index 53c33be..2fd996b 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_getrrsetbyname.docbook,v 1.3.206.3 2005/05/12 21:36:15 sra Exp $ -->
-
+<!-- $Id: lwres_getrrsetbyname.docbook,v 1.4.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
-<refentryinfo>
 
+  <refentryinfo>
+    <date>Oct 18, 2000</date>
+  </refentryinfo>
 
-<date>Oct 18, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres_getrrsetbyname</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_getrrsetbyname</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -45,40 +45,43 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_getrrsetbyname</refname>
-<refname>lwres_freerrset</refname>
-<refpurpose>retrieve DNS records</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
+  <refnamediv>
+    <refname>lwres_getrrsetbyname</refname>
+    <refname>lwres_freerrset</refname>
+    <refpurpose>retrieve DNS records</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
 <funcprototype>
-<funcdef>
+        <funcdef>
 int
 <function>lwres_getrrsetbyname</function></funcdef>
-<paramdef>const char *hostname</paramdef>
-<paramdef>unsigned int rdclass</paramdef>
-<paramdef>unsigned int rdtype</paramdef>
-<paramdef>unsigned int flags</paramdef>
-<paramdef>struct rrsetinfo **res</paramdef>
-</funcprototype>
+        <paramdef>const char *<parameter>hostname</parameter></paramdef>
+        <paramdef>unsigned int <parameter>rdclass</parameter></paramdef>
+        <paramdef>unsigned int <parameter>rdtype</parameter></paramdef>
+        <paramdef>unsigned int <parameter>flags</parameter></paramdef>
+        <paramdef>struct rrsetinfo **<parameter>res</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_freerrset</function></funcdef>
-<paramdef>struct rrsetinfo *rrset</paramdef>
-</funcprototype>
+        <paramdef>struct rrsetinfo *<parameter>rrset</parameter></paramdef>
+      </funcprototype>
 </funcsynopsis>
 
-<para>
-The following structures are used:
-<programlisting>
+    <para>
+      The following structures are used:
+    </para>
+    <para><programlisting>
 struct  rdatainfo {
         unsigned int            rdi_length;     /* length of data */
         unsigned char           *rdi_data;      /* record data */
 };
-
+</programlisting>
+    </para>
+    <para><programlisting>
 struct  rrsetinfo {
         unsigned int            rri_flags;      /* RRSET_VALIDATED... */
         unsigned int            rri_rdclass;    /* class number */
@@ -91,134 +94,130 @@ struct  rrsetinfo {
         struct rdatainfo        *rri_sigs;      /* individual signatures */
 };
 </programlisting>
-</para>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_getrrsetbyname()</function>
-gets a set of resource records associated with a
-<parameter>hostname</parameter>,
-
-<parameter>class</parameter>,
-
-and
-<parameter>type</parameter>.
-
-<parameter>hostname</parameter>
-is
-a pointer a to null-terminated string.  The
-<parameter>flags</parameter>
-field is currently unused and must be zero.
-</para>
-<para>
-After a successful call to
-<function>lwres_getrrsetbyname()</function>,
-
-<parameter>*res</parameter>
-is a pointer to an
-<type>rrsetinfo</type>
-structure, containing a list of one or more
-<type>rdatainfo</type>
-structures containing resource records and potentially another list of
-<type>rdatainfo</type>
-structures containing SIG resource records
-associated with those records.
-The members
-<constant>rri_rdclass</constant>
-and
-<constant>rri_rdtype</constant>
-are copied from the parameters.
-<constant>rri_ttl</constant>
-and
-<constant>rri_name</constant>
-are properties of the obtained rrset.
-The resource records contained in
-<constant>rri_rdatas</constant>
-and
-<constant>rri_sigs</constant>
-are in uncompressed DNS wire format.
-Properties of the rdataset are represented in the
-<constant>rri_flags</constant>
-bitfield.  If the RRSET_VALIDATED bit is set, the data has been DNSSEC
-validated and the signatures verified.  
-</para>
-<para>
-All of the information returned by
-<function>lwres_getrrsetbyname()</function>
-is dynamically allocated: the
-<constant>rrsetinfo</constant>
-and
-<constant>rdatainfo</constant>
-structures,
-and the canonical host name strings pointed to by the
-<constant>rrsetinfo</constant>structure.
-
-Memory allocated for the dynamically allocated structures created by
-a successful call to
-<function>lwres_getrrsetbyname()</function>
-is released by
-<function>lwres_freerrset()</function>.
-
-<parameter>rrset</parameter>
-is a pointer to a
-<type>struct rrset</type>
-created by a call to
-<function>lwres_getrrsetbyname()</function>.
-
-</para>
-<para>
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_getrrsetbyname()</function>
-returns zero on success, and one of the following error
-codes if an error occurred:
-<variablelist>
-
-<varlistentry><term><constant>ERRSET_NONAME</constant></term>
-<listitem><para>
-the name does not exist
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ERRSET_NODATA</constant></term>
-<listitem><para>
-the name exists, but does not have data of the desired type
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ERRSET_NOMEMORY</constant></term>
-<listitem><para>
-memory could not be allocated
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ERRSET_INVAL</constant></term>
-<listitem><para>
-a parameter is invalid
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ERRSET_FAIL</constant></term>
-<listitem><para>
-other failure
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant></constant></term>
-<listitem><para>
-</para></listitem></varlistentry>
-
-</variablelist>
-
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-
-</refsect1>
-</refentry>
+    </para>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para><function>lwres_getrrsetbyname()</function>
+      gets a set of resource records associated with a
+      <parameter>hostname</parameter>, <parameter>class</parameter>,
+      and <parameter>type</parameter>.
+      <parameter>hostname</parameter> is a pointer a to
+      null-terminated string.  The <parameter>flags</parameter> field
+      is currently unused and must be zero.
+    </para>
+    <para>
+      After a successful call to
+      <function>lwres_getrrsetbyname()</function>,
+      <parameter>*res</parameter> is a pointer to an
+      <type>rrsetinfo</type> structure, containing a list of one or
+      more <type>rdatainfo</type> structures containing resource
+      records and potentially another list of <type>rdatainfo</type>
+      structures containing SIG resource records associated with those
+      records.  The members <constant>rri_rdclass</constant> and
+      <constant>rri_rdtype</constant> are copied from the parameters.
+      <constant>rri_ttl</constant> and <constant>rri_name</constant>
+      are properties of the obtained rrset.  The resource records
+      contained in <constant>rri_rdatas</constant> and
+      <constant>rri_sigs</constant> are in uncompressed DNS wire
+      format.  Properties of the rdataset are represented in the
+      <constant>rri_flags</constant> bitfield.  If the RRSET_VALIDATED
+      bit is set, the data has been DNSSEC validated and the
+      signatures verified.
+    </para>
+    <para>
+      All of the information returned by
+      <function>lwres_getrrsetbyname()</function> is dynamically
+      allocated: the <constant>rrsetinfo</constant> and
+      <constant>rdatainfo</constant> structures, and the canonical
+      host name strings pointed to by the
+      <constant>rrsetinfo</constant>structure.
+
+      Memory allocated for the dynamically allocated structures
+      created by a successful call to
+      <function>lwres_getrrsetbyname()</function> is released by
+      <function>lwres_freerrset()</function>.
+
+      <parameter>rrset</parameter> is a pointer to a <type>struct
+      rrset</type> created by a call to
+      <function>lwres_getrrsetbyname()</function>.
+    </para>
+    <para></para>
+  </refsect1>
+  <refsect1>
+    <title>RETURN VALUES</title>
+    <para><function>lwres_getrrsetbyname()</function>
+      returns zero on success, and one of the following error codes if
+      an error occurred:
+      <variablelist>
+
+        <varlistentry>
+          <term><constant>ERRSET_NONAME</constant></term>
+          <listitem>
+            <para>
+              the name does not exist
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>ERRSET_NODATA</constant></term>
+          <listitem>
+            <para>
+              the name exists, but does not have data of the desired type
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>ERRSET_NOMEMORY</constant></term>
+          <listitem>
+            <para>
+              memory could not be allocated
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>ERRSET_INVAL</constant></term>
+          <listitem>
+            <para>
+              a parameter is invalid
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>ERRSET_FAIL</constant></term>
+          <listitem>
+            <para>
+              other failure
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant/></term>
+          <listitem>
+            <para></para>
+          </listitem>
+        </varlistentry>
+
+      </variablelist>
+
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
index 6cbed6f..0925367 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
+++ b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getrrsetbyname.html,v 1.5.2.1.4.11 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_getrrsetbyname.html,v 1.6.18.17 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getrrsetbyname</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getrrsetbyname, lwres_freerrset &#8212; retrieve DNS records</p>
@@ -36,62 +36,56 @@
 <td><code class="funcdef">
 int
 <b class="fsfunc">lwres_getrrsetbyname</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>const char * </td>
+<td>
+<var class="pdparam">hostname</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>unsigned int  </td>
+<td>
+<var class="pdparam">rdclass</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>unsigned int  </td>
+<td>
+<var class="pdparam">rdtype</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>unsigned int  </td>
+<td>
+<var class="pdparam">flags</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>struct rrsetinfo ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">res</var><code>)</code>;</td>
 </tr>
 </table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_freerrset</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
+<td>struct rrsetinfo * </td>
 <td>
-<code>)</code>;</td>
-</tr>
-</table>
+<var class="pdparam">rrset</var><code>)</code>;</td>
+</tr></table>
 </div>
 <p>
-The following structures are used:
-</p>
+      The following structures are used:
+    </p>
 <pre class="programlisting">
 struct  rdatainfo {
         unsigned int            rdi_length;     /* length of data */
         unsigned char           *rdi_data;      /* record data */
 };
-
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
 struct  rrsetinfo {
         unsigned int            rri_flags;      /* RRSET_VALIDATED... */
         unsigned int            rri_rdclass;    /* class number */
@@ -105,126 +99,94 @@ struct  rrsetinfo {
 };
 </pre>
 <p>
-</p>
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549443"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_getrrsetbyname()</code>
-gets a set of resource records associated with a
-<em class="parameter"><code>hostname</code></em>,
-
-<em class="parameter"><code>class</code></em>,
-
-and
-<em class="parameter"><code>type</code></em>.
-
-<em class="parameter"><code>hostname</code></em>
-is
-a pointer a to null-terminated string.  The
-<em class="parameter"><code>flags</code></em>
-field is currently unused and must be zero.
-</p>
+<a name="id2543414"></a><h2>DESCRIPTION</h2>
+<p><code class="function">lwres_getrrsetbyname()</code>
+      gets a set of resource records associated with a
+      <em class="parameter"><code>hostname</code></em>, <em class="parameter"><code>class</code></em>,
+      and <em class="parameter"><code>type</code></em>.
+      <em class="parameter"><code>hostname</code></em> is a pointer a to
+      null-terminated string.  The <em class="parameter"><code>flags</code></em> field
+      is currently unused and must be zero.
+    </p>
 <p>
-After a successful call to
-<code class="function">lwres_getrrsetbyname()</code>,
-
-<em class="parameter"><code>*res</code></em>
-is a pointer to an
-<span class="type">rrsetinfo</span>
-structure, containing a list of one or more
-<span class="type">rdatainfo</span>
-structures containing resource records and potentially another list of
-<span class="type">rdatainfo</span>
-structures containing SIG resource records
-associated with those records.
-The members
-<code class="constant">rri_rdclass</code>
-and
-<code class="constant">rri_rdtype</code>
-are copied from the parameters.
-<code class="constant">rri_ttl</code>
-and
-<code class="constant">rri_name</code>
-are properties of the obtained rrset.
-The resource records contained in
-<code class="constant">rri_rdatas</code>
-and
-<code class="constant">rri_sigs</code>
-are in uncompressed DNS wire format.
-Properties of the rdataset are represented in the
-<code class="constant">rri_flags</code>
-bitfield.  If the RRSET_VALIDATED bit is set, the data has been DNSSEC
-validated and the signatures verified.  
-</p>
+      After a successful call to
+      <code class="function">lwres_getrrsetbyname()</code>,
+      <em class="parameter"><code>*res</code></em> is a pointer to an
+      <span class="type">rrsetinfo</span> structure, containing a list of one or
+      more <span class="type">rdatainfo</span> structures containing resource
+      records and potentially another list of <span class="type">rdatainfo</span>
+      structures containing SIG resource records associated with those
+      records.  The members <code class="constant">rri_rdclass</code> and
+      <code class="constant">rri_rdtype</code> are copied from the parameters.
+      <code class="constant">rri_ttl</code> and <code class="constant">rri_name</code>
+      are properties of the obtained rrset.  The resource records
+      contained in <code class="constant">rri_rdatas</code> and
+      <code class="constant">rri_sigs</code> are in uncompressed DNS wire
+      format.  Properties of the rdataset are represented in the
+      <code class="constant">rri_flags</code> bitfield.  If the RRSET_VALIDATED
+      bit is set, the data has been DNSSEC validated and the
+      signatures verified.
+    </p>
 <p>
-All of the information returned by
-<code class="function">lwres_getrrsetbyname()</code>
-is dynamically allocated: the
-<code class="constant">rrsetinfo</code>
-and
-<code class="constant">rdatainfo</code>
-structures,
-and the canonical host name strings pointed to by the
-<code class="constant">rrsetinfo</code>structure.
-
-Memory allocated for the dynamically allocated structures created by
-a successful call to
-<code class="function">lwres_getrrsetbyname()</code>
-is released by
-<code class="function">lwres_freerrset()</code>.
+      All of the information returned by
+      <code class="function">lwres_getrrsetbyname()</code> is dynamically
+      allocated: the <code class="constant">rrsetinfo</code> and
+      <code class="constant">rdatainfo</code> structures, and the canonical
+      host name strings pointed to by the
+      <code class="constant">rrsetinfo</code>structure.
 
-<em class="parameter"><code>rrset</code></em>
-is a pointer to a
-<span class="type">struct rrset</span>
-created by a call to
-<code class="function">lwres_getrrsetbyname()</code>.
+      Memory allocated for the dynamically allocated structures
+      created by a successful call to
+      <code class="function">lwres_getrrsetbyname()</code> is released by
+      <code class="function">lwres_freerrset()</code>.
 
-</p>
-<p>
-</p>
+      <em class="parameter"><code>rrset</code></em> is a pointer to a <span class="type">struct
+      rrset</span> created by a call to
+      <code class="function">lwres_getrrsetbyname()</code>.
+    </p>
+<p></p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549623"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_getrrsetbyname()</code>
-returns zero on success, and one of the following error
-codes if an error occurred:
-</p>
+<a name="id2543526"></a><h2>RETURN VALUES</h2>
+<p><code class="function">lwres_getrrsetbyname()</code>
+      returns zero on success, and one of the following error codes if
+      an error occurred:
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">ERRSET_NONAME</code></span></dt>
 <dd><p>
-the name does not exist
-</p></dd>
+              the name does not exist
+            </p></dd>
 <dt><span class="term"><code class="constant">ERRSET_NODATA</code></span></dt>
 <dd><p>
-the name exists, but does not have data of the desired type
-</p></dd>
+              the name exists, but does not have data of the desired type
+            </p></dd>
 <dt><span class="term"><code class="constant">ERRSET_NOMEMORY</code></span></dt>
 <dd><p>
-memory could not be allocated
-</p></dd>
+              memory could not be allocated
+            </p></dd>
 <dt><span class="term"><code class="constant">ERRSET_INVAL</code></span></dt>
 <dd><p>
-a parameter is invalid
-</p></dd>
+              a parameter is invalid
+            </p></dd>
 <dt><span class="term"><code class="constant">ERRSET_FAIL</code></span></dt>
 <dd><p>
-other failure
-</p></dd>
+              other failure
+            </p></dd>
 <dt><span class="term"><code class="constant"></code></span></dt>
-<dd><p>
-</p></dd>
+<dd><p></p></dd>
 </dl></div>
 <p>
 
-</p>
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549697"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>.
-</p>
+<a name="id2543626"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.3 b/contrib/bind9/lib/lwres/man/lwres_gnba.3
index dc546d2..1c6574f 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gnba.3
+++ b/contrib/bind9/lib/lwres/man/lwres_gnba.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gnba.3,v 1.13.2.1.8.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_gnba.3,v 1.16.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_gnba
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -38,15 +38,15 @@ lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lw
 .HP 40
 .BI "lwres_result_t lwres_gnbarequest_render(lwres_context_t\ *" "ctx" ", lwres_gnbarequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
 .HP 41
-.BI "lwres_result_t lwres_gnbaresponse_render(lwres_context_t\ *ctx, lwres_gnbaresponse_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
+.BI "lwres_result_t lwres_gnbaresponse_render(lwres_context_t\ *" "ctx" ", lwres_gnbaresponse_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
 .HP 39
-.BI "lwres_result_t lwres_gnbarequest_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gnbarequest_t\ **structp);"
+.BI "lwres_result_t lwres_gnbarequest_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gnbarequest_t\ **" "structp" ");"
 .HP 40
-.BI "lwres_result_t lwres_gnbaresponse_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gnbaresponse_t\ **structp);"
+.BI "lwres_result_t lwres_gnbaresponse_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gnbaresponse_t\ **" "structp" ");"
 .HP 29
-.BI "void lwres_gnbaresponse_free(lwres_context_t\ *ctx, lwres_gnbaresponse_t\ **structp);"
+.BI "void lwres_gnbaresponse_free(lwres_context_t\ *" "ctx" ", lwres_gnbaresponse_t\ **" "structp" ");"
 .HP 28
-.BI "void lwres_gnbarequest_free(lwres_context_t\ *ctx, lwres_gnbarequest_t\ **structp);"
+.BI "void lwres_gnbarequest_free(lwres_context_t\ *" "ctx" ", lwres_gnbarequest_t\ **" "structp" ");"
 .SH "DESCRIPTION"
 .PP
 These are low\-level routines for creating and parsing lightweight resolver address\-to\-name lookup request and response messages.
@@ -59,14 +59,26 @@ to the canonical format. This is complemented by a parse function which converts
 .PP
 These structures are defined in
 \fIlwres/lwres.h\fR. They are shown below.
-.sp
-.RS 3n
+.PP
+.RS 4
 .nf
 #define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
+.fi
+.RE
+.sp
+.PP
+.RS 4
+.nf
 typedef struct {
         lwres_uint32_t  flags;
         lwres_addr_t    addr;
 } lwres_gnbarequest_t;
+.fi
+.RE
+.sp
+.PP
+.RS 4
+.nf
 typedef struct {
         lwres_uint32_t  flags;
         lwres_uint16_t  naliases;
@@ -165,4 +177,7 @@ indicate that the packet is not a response to an earlier query.
 .PP
 \fBlwres_packet\fR(3).
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.docbook b/contrib/bind9/lib/lwres/man/lwres_gnba.docbook
index 7531486..5a76889 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gnba.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_gnba.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_gnba.docbook,v 1.4.206.3 2005/05/12 21:36:15 sra Exp $ -->
-
+<!-- $Id: lwres_gnba.docbook,v 1.5.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refmeta>
-<refentrytitle>lwres_gnba</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_gnba</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -45,114 +45,120 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_gnbarequest_render</refname>
-<refname>lwres_gnbaresponse_render</refname>
-<refname>lwres_gnbarequest_parse</refname>
-<refname>lwres_gnbaresponse_parse</refname>
-<refname>lwres_gnbaresponse_free</refname>
-<refname>lwres_gnbarequest_free</refname>
-<refpurpose>lightweight resolver getnamebyaddress message handling</refpurpose>
-</refnamediv>
+  <refnamediv>
+    <refname>lwres_gnbarequest_render</refname>
+    <refname>lwres_gnbaresponse_render</refname>
+    <refname>lwres_gnbarequest_parse</refname>
+    <refname>lwres_gnbaresponse_parse</refname>
+    <refname>lwres_gnbaresponse_free</refname>
+    <refname>lwres_gnbarequest_free</refname>
+    <refpurpose>lightweight resolver getnamebyaddress message handling</refpurpose>
+  </refnamediv>
 
-<refsynopsisdiv>
+  <refsynopsisdiv>
 
-<funcsynopsis>
+    <funcsynopsis>
 <funcsynopsisinfo>
 #include &lt;lwres/lwres.h&gt;
 </funcsynopsisinfo>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_gnbarequest_render</function>
 </funcdef>
-<paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-<paramdef>lwres_gnbarequest_t *<parameter>req</parameter></paramdef>
-<paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-<paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gnbarequest_t *<parameter>req</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_gnbaresponse_render</function>
 </funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gnbaresponse_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gnbaresponse_t *<parameter>req</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_gnbarequest_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_gnbarequest_t **structp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_gnbarequest_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_gnbaresponse_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_gnbaresponse_t **structp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_gnbaresponse_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
 
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_gnbaresponse_free</function>
 </funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gnbaresponse_t **structp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gnbaresponse_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_gnbarequest_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gnbarequest_t **structp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gnbarequest_t **<parameter>structp</parameter></paramdef>
+      </funcprototype>
 </funcsynopsis>
 
-</refsynopsisdiv>
+  </refsynopsisdiv>
 
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These are low-level routines for creating and parsing
-lightweight resolver address-to-name lookup request and 
-response messages.
-</para>
-<para>
-There are four main functions for the getnamebyaddr opcode.
-One render function converts a getnamebyaddr request structure &mdash;
-<type>lwres_gnbarequest_t</type> &mdash;
-to the lightweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a getnamebyaddr request structure.
-Another render function converts the getnamebyaddr response structure &mdash;
-<type>lwres_gnbaresponse_t</type>
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a getnamebyaddr response structure.
-</para>
-<para>
-These structures are defined in
-<filename>lwres/lwres.h</filename>.
-They are shown below.
-<programlisting>
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para>
+      These are low-level routines for creating and parsing
+      lightweight resolver address-to-name lookup request and
+      response messages.
+    </para>
+    <para>
+      There are four main functions for the getnamebyaddr opcode.
+      One render function converts a getnamebyaddr request structure &mdash;
+      <type>lwres_gnbarequest_t</type> &mdash;
+      to the lightweight resolver's canonical format.
+      It is complemented by a parse function that converts a packet in this
+      canonical format to a getnamebyaddr request structure.
+      Another render function converts the getnamebyaddr response structure
+      &mdash;
+      <type>lwres_gnbaresponse_t</type>
+      to the canonical format.
+      This is complemented by a parse function which converts a packet in
+      canonical format to a getnamebyaddr response structure.
+    </para>
+    <para>
+      These structures are defined in
+      <filename>lwres/lwres.h</filename>.
+      They are shown below.
+    </para>
+    <para><programlisting>
 #define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
-
+</programlisting>
+    </para>
+    <para><programlisting>
 typedef struct {
         lwres_uint32_t  flags;
         lwres_addr_t    addr;
 } lwres_gnbarequest_t;
-
+</programlisting>
+    </para>
+    <para><programlisting>
 typedef struct {
         lwres_uint32_t  flags;
         lwres_uint16_t  naliases;
@@ -164,111 +170,92 @@ typedef struct {
         size_t          baselen;
 } lwres_gnbaresponse_t;
 </programlisting>
-</para>
-<para>
-<function>lwres_gnbarequest_render()</function>
-uses resolver context
-<varname>ctx</varname>
-to convert getnamebyaddr request structure
-<varname>req</varname>
-to canonical format.
-The packet header structure
-<varname>pkt</varname>
-is initialised and transferred to
-buffer
-<varname>b</varname>.
-The contents of
-<varname>*req</varname>
-are then appended to the buffer in canonical format.
-<function>lwres_gnbaresponse_render()</function>
-performs the same task, except it converts a getnamebyaddr response structure
-<type>lwres_gnbaresponse_t</type>
-to the lightweight resolver's canonical format.
-</para>
-<para>
-<function>lwres_gnbarequest_parse()</function>
-uses context
-<varname>ctx</varname>
-to convert the contents of packet
-<varname>pkt</varname>
-to a
-<type>lwres_gnbarequest_t</type>
-structure.
-Buffer
-<varname>b</varname>
-provides space to be used for storing this structure.
-When the function succeeds, the resulting
-<type>lwres_gnbarequest_t</type>
-is made available through
-<varname>*structp</varname>.
-<function>lwres_gnbaresponse_parse()</function>
-offers the same semantics as
-<function>lwres_gnbarequest_parse()</function>
-except it yields a
-<type>lwres_gnbaresponse_t</type>
-structure.
-</para>
-<para>
-<function>lwres_gnbaresponse_free()</function>
-and
-<function>lwres_gnbarequest_free()</function>
-release the memory in resolver context
-<varname>ctx</varname>
-that was allocated to the
-<type>lwres_gnbaresponse_t</type>
-or
-<type>lwres_gnbarequest_t</type>
-structures referenced via
-<varname>structp</varname>.
-Any memory associated with ancillary buffers and strings for those
-structures is also discarded.
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The getnamebyaddr opcode functions
-<function>lwres_gnbarequest_render()</function>,
-<function>lwres_gnbaresponse_render()</function>
-<function>lwres_gnbarequest_parse()</function>
-and
-<function>lwres_gnbaresponse_parse()</function>
-all return
-<errorcode>LWRES_R_SUCCESS</errorcode>
-on success.
-They return
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-if memory allocation fails.
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-is returned if the available space in the buffer
-<varname>b</varname>
-is too small to accommodate the packet header or the
-<type>lwres_gnbarequest_t</type>
-and
-<type>lwres_gnbaresponse_t</type>
-structures.
-<function>lwres_gnbarequest_parse()</function>
-and
-<function>lwres_gnbaresponse_parse()</function>
-will return
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<errorcode>LWRES_R_FAILURE</errorcode>
-if
-<structfield>pktflags</structfield>
-in the packet header structure
-<type>lwres_lwpacket_t</type>
-indicate that the packet is not a response to an earlier query.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_packet</refentrytitle>
-<manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
+    </para>
+
+    <para><function>lwres_gnbarequest_render()</function>
+      uses resolver context <varname>ctx</varname> to convert
+      getnamebyaddr request structure <varname>req</varname> to
+      canonical format.  The packet header structure
+      <varname>pkt</varname> is initialised and transferred to buffer
+      <varname>b</varname>.  The contents of <varname>*req</varname>
+      are then appended to the buffer in canonical format.
+      <function>lwres_gnbaresponse_render()</function> performs the
+      same task, except it converts a getnamebyaddr response structure
+      <type>lwres_gnbaresponse_t</type> to the lightweight resolver's
+      canonical format.
+    </para>
+
+    <para><function>lwres_gnbarequest_parse()</function>
+      uses context <varname>ctx</varname> to convert the contents of
+      packet <varname>pkt</varname> to a
+      <type>lwres_gnbarequest_t</type> structure.  Buffer
+      <varname>b</varname> provides space to be used for storing this
+      structure.  When the function succeeds, the resulting
+      <type>lwres_gnbarequest_t</type> is made available through
+      <varname>*structp</varname>.
+      <function>lwres_gnbaresponse_parse()</function> offers the same
+      semantics as <function>lwres_gnbarequest_parse()</function>
+      except it yields a <type>lwres_gnbaresponse_t</type> structure.
+    </para>
+
+    <para><function>lwres_gnbaresponse_free()</function>
+      and <function>lwres_gnbarequest_free()</function> release the
+      memory in resolver context <varname>ctx</varname> that was
+      allocated to the <type>lwres_gnbaresponse_t</type> or
+      <type>lwres_gnbarequest_t</type> structures referenced via
+      <varname>structp</varname>.  Any memory associated with
+      ancillary buffers and strings for those structures is also
+      discarded.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>RETURN VALUES</title>
+    <para>
+      The getnamebyaddr opcode functions
+      <function>lwres_gnbarequest_render()</function>,
+      <function>lwres_gnbaresponse_render()</function>
+      <function>lwres_gnbarequest_parse()</function>
+      and
+      <function>lwres_gnbaresponse_parse()</function>
+      all return
+      <errorcode>LWRES_R_SUCCESS</errorcode>
+      on success.
+      They return
+      <errorcode>LWRES_R_NOMEMORY</errorcode>
+      if memory allocation fails.
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      is returned if the available space in the buffer
+      <varname>b</varname>
+      is too small to accommodate the packet header or the
+      <type>lwres_gnbarequest_t</type>
+      and
+      <type>lwres_gnbaresponse_t</type>
+      structures.
+      <function>lwres_gnbarequest_parse()</function>
+      and
+      <function>lwres_gnbaresponse_parse()</function>
+      will return
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      if the buffer is not empty after decoding the received packet.
+      These functions will return
+      <errorcode>LWRES_R_FAILURE</errorcode>
+      if
+      <structfield>pktflags</structfield>
+      in the packet header structure
+      <type>lwres_lwpacket_t</type>
+      indicate that the packet is not a response to an earlier query.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>lwres_packet</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.html b/contrib/bind9/lib/lwres/man/lwres_gnba.html
index 4d07580..aac60c6 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gnba.html
+++ b/contrib/bind9/lib/lwres/man/lwres_gnba.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gnba.html,v 1.6.2.1.4.11 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_gnba.html,v 1.7.18.17 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gnba</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free &#8212; lightweight resolver getnamebyaddress message handling</p>
@@ -39,31 +39,25 @@
 lwres_result_t
 <b class="fsfunc">lwres_gnbarequest_render</b>
 (</code></td>
-<td> </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
+<td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_gnbarequest_t * </td>
 <td>
 <var class="pdparam">req</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var><code>)</code>;</td>
 </tr>
@@ -74,29 +68,27 @@ lwres_result_t
 lwres_result_t
 <b class="fsfunc">lwres_gnbaresponse_render</b>
 (</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_gnbaresponse_t * </td>
+<td>
+<var class="pdparam">req</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_lwpacket_t * </td>
+<td>
+<var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_buffer_t * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">b</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -104,29 +96,27 @@ lwres_result_t
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_gnbarequest_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_lwpacket_t * </td>
+<td>
+<var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_gnbarequest_t ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -134,29 +124,27 @@ lwres_result_t
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_gnbaresponse_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_lwpacket_t * </td>
+<td>
+<var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_gnbaresponse_t ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -165,19 +153,15 @@ lwres_result_t
 void
 <b class="fsfunc">lwres_gnbaresponse_free</b>
 (</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_gnbaresponse_t ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
@@ -185,56 +169,59 @@ void
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_gnbarequest_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_gnbarequest_t ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549540"></a><h2>DESCRIPTION</h2>
+<a name="id2543525"></a><h2>DESCRIPTION</h2>
 <p>
-These are low-level routines for creating and parsing
-lightweight resolver address-to-name lookup request and 
-response messages.
-</p>
+      These are low-level routines for creating and parsing
+      lightweight resolver address-to-name lookup request and
+      response messages.
+    </p>
 <p>
-There are four main functions for the getnamebyaddr opcode.
-One render function converts a getnamebyaddr request structure &#8212;
-<span class="type">lwres_gnbarequest_t</span> &#8212;
-to the lightweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a getnamebyaddr request structure.
-Another render function converts the getnamebyaddr response structure &#8212;
-<span class="type">lwres_gnbaresponse_t</span>
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a getnamebyaddr response structure.
-</p>
+      There are four main functions for the getnamebyaddr opcode.
+      One render function converts a getnamebyaddr request structure &#8212;
+      <span class="type">lwres_gnbarequest_t</span> &#8212;
+      to the lightweight resolver's canonical format.
+      It is complemented by a parse function that converts a packet in this
+      canonical format to a getnamebyaddr request structure.
+      Another render function converts the getnamebyaddr response structure
+      &#8212;
+      <span class="type">lwres_gnbaresponse_t</span>
+      to the canonical format.
+      This is complemented by a parse function which converts a packet in
+      canonical format to a getnamebyaddr response structure.
+    </p>
 <p>
-These structures are defined in
-<code class="filename">lwres/lwres.h</code>.
-They are shown below.
-</p>
+      These structures are defined in
+      <code class="filename">lwres/lwres.h</code>.
+      They are shown below.
+    </p>
 <pre class="programlisting">
 #define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
-
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
 typedef struct {
         lwres_uint32_t  flags;
         lwres_addr_t    addr;
 } lwres_gnbarequest_t;
-
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
 typedef struct {
         lwres_uint32_t  flags;
         lwres_uint16_t  naliases;
@@ -247,109 +234,83 @@ typedef struct {
 } lwres_gnbaresponse_t;
 </pre>
 <p>
-</p>
-<p>
-<code class="function">lwres_gnbarequest_render()</code>
-uses resolver context
-<code class="varname">ctx</code>
-to convert getnamebyaddr request structure
-<code class="varname">req</code>
-to canonical format.
-The packet header structure
-<code class="varname">pkt</code>
-is initialised and transferred to
-buffer
-<code class="varname">b</code>.
-The contents of
-<code class="varname">*req</code>
-are then appended to the buffer in canonical format.
-<code class="function">lwres_gnbaresponse_render()</code>
-performs the same task, except it converts a getnamebyaddr response structure
-<span class="type">lwres_gnbaresponse_t</span>
-to the lightweight resolver's canonical format.
-</p>
-<p>
-<code class="function">lwres_gnbarequest_parse()</code>
-uses context
-<code class="varname">ctx</code>
-to convert the contents of packet
-<code class="varname">pkt</code>
-to a
-<span class="type">lwres_gnbarequest_t</span>
-structure.
-Buffer
-<code class="varname">b</code>
-provides space to be used for storing this structure.
-When the function succeeds, the resulting
-<span class="type">lwres_gnbarequest_t</span>
-is made available through
-<code class="varname">*structp</code>.
-<code class="function">lwres_gnbaresponse_parse()</code>
-offers the same semantics as
-<code class="function">lwres_gnbarequest_parse()</code>
-except it yields a
-<span class="type">lwres_gnbaresponse_t</span>
-structure.
-</p>
-<p>
-<code class="function">lwres_gnbaresponse_free()</code>
-and
-<code class="function">lwres_gnbarequest_free()</code>
-release the memory in resolver context
-<code class="varname">ctx</code>
-that was allocated to the
-<span class="type">lwres_gnbaresponse_t</span>
-or
-<span class="type">lwres_gnbarequest_t</span>
-structures referenced via
-<code class="varname">structp</code>.
-Any memory associated with ancillary buffers and strings for those
-structures is also discarded.
-</p>
+    </p>
+<p><code class="function">lwres_gnbarequest_render()</code>
+      uses resolver context <code class="varname">ctx</code> to convert
+      getnamebyaddr request structure <code class="varname">req</code> to
+      canonical format.  The packet header structure
+      <code class="varname">pkt</code> is initialised and transferred to buffer
+      <code class="varname">b</code>.  The contents of <code class="varname">*req</code>
+      are then appended to the buffer in canonical format.
+      <code class="function">lwres_gnbaresponse_render()</code> performs the
+      same task, except it converts a getnamebyaddr response structure
+      <span class="type">lwres_gnbaresponse_t</span> to the lightweight resolver's
+      canonical format.
+    </p>
+<p><code class="function">lwres_gnbarequest_parse()</code>
+      uses context <code class="varname">ctx</code> to convert the contents of
+      packet <code class="varname">pkt</code> to a
+      <span class="type">lwres_gnbarequest_t</span> structure.  Buffer
+      <code class="varname">b</code> provides space to be used for storing this
+      structure.  When the function succeeds, the resulting
+      <span class="type">lwres_gnbarequest_t</span> is made available through
+      <code class="varname">*structp</code>.
+      <code class="function">lwres_gnbaresponse_parse()</code> offers the same
+      semantics as <code class="function">lwres_gnbarequest_parse()</code>
+      except it yields a <span class="type">lwres_gnbaresponse_t</span> structure.
+    </p>
+<p><code class="function">lwres_gnbaresponse_free()</code>
+      and <code class="function">lwres_gnbarequest_free()</code> release the
+      memory in resolver context <code class="varname">ctx</code> that was
+      allocated to the <span class="type">lwres_gnbaresponse_t</span> or
+      <span class="type">lwres_gnbarequest_t</span> structures referenced via
+      <code class="varname">structp</code>.  Any memory associated with
+      ancillary buffers and strings for those structures is also
+      discarded.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549733"></a><h2>RETURN VALUES</h2>
+<a name="id2543665"></a><h2>RETURN VALUES</h2>
 <p>
-The getnamebyaddr opcode functions
-<code class="function">lwres_gnbarequest_render()</code>,
-<code class="function">lwres_gnbaresponse_render()</code>
-<code class="function">lwres_gnbarequest_parse()</code>
-and
-<code class="function">lwres_gnbaresponse_parse()</code>
-all return
-<span class="errorcode">LWRES_R_SUCCESS</span>
-on success.
-They return
-<span class="errorcode">LWRES_R_NOMEMORY</span>
-if memory allocation fails.
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-is returned if the available space in the buffer
-<code class="varname">b</code>
-is too small to accommodate the packet header or the
-<span class="type">lwres_gnbarequest_t</span>
-and
-<span class="type">lwres_gnbaresponse_t</span>
-structures.
-<code class="function">lwres_gnbarequest_parse()</code>
-and
-<code class="function">lwres_gnbaresponse_parse()</code>
-will return
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<span class="errorcode">LWRES_R_FAILURE</span>
-if
-<em class="structfield"><code>pktflags</code></em>
-in the packet header structure
-<span class="type">lwres_lwpacket_t</span>
-indicate that the packet is not a response to an earlier query.
-</p>
+      The getnamebyaddr opcode functions
+      <code class="function">lwres_gnbarequest_render()</code>,
+      <code class="function">lwres_gnbaresponse_render()</code>
+      <code class="function">lwres_gnbarequest_parse()</code>
+      and
+      <code class="function">lwres_gnbaresponse_parse()</code>
+      all return
+      <span class="errorcode">LWRES_R_SUCCESS</span>
+      on success.
+      They return
+      <span class="errorcode">LWRES_R_NOMEMORY</span>
+      if memory allocation fails.
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      is returned if the available space in the buffer
+      <code class="varname">b</code>
+      is too small to accommodate the packet header or the
+      <span class="type">lwres_gnbarequest_t</span>
+      and
+      <span class="type">lwres_gnbaresponse_t</span>
+      structures.
+      <code class="function">lwres_gnbarequest_parse()</code>
+      and
+      <code class="function">lwres_gnbaresponse_parse()</code>
+      will return
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      if the buffer is not empty after decoding the received packet.
+      These functions will return
+      <span class="errorcode">LWRES_R_FAILURE</span>
+      if
+      <em class="structfield"><code>pktflags</code></em>
+      in the packet header structure
+      <span class="type">lwres_lwpacket_t</span>
+      indicate that the packet is not a response to an earlier query.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549866"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>.
-</p>
+<a name="id2543731"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.3 b/contrib/bind9/lib/lwres/man/lwres_hstrerror.3
index d6fc8f5..6fa744e 100644
--- a/contrib/bind9/lib/lwres/man/lwres_hstrerror.3
+++ b/contrib/bind9/lib/lwres/man/lwres_hstrerror.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_hstrerror.3,v 1.13.2.1.8.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_hstrerror.3,v 1.16.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_hstrerror
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -36,9 +36,9 @@ lwres_herror, lwres_hstrerror \- lightweight resolver error message generation
 #include <lwres/netdb.h>
 .fi
 .HP 18
-.BI "void lwres_herror(const\ char\ *s);"
+.BI "void lwres_herror(const\ char\ *" "s" ");"
 .HP 29
-.BI "const char * lwres_hstrerror(int\ err);"
+.BI "const char * lwres_hstrerror(int\ " "err" ");"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_herror()\fR
@@ -54,21 +54,31 @@ for the error code stored in the global variable
 \fBlwres_hstrerror()\fR
 returns an appropriate string for the error code gievn by
 \fIerr\fR. The values of the error codes and messages are as follows:
-.TP 3n
+.PP
 \fBNETDB_SUCCESS\fR
+.RS 4
 Resolver Error 0 (no error)
-.TP 3n
+.RE
+.PP
 \fBHOST_NOT_FOUND\fR
+.RS 4
 Unknown host
-.TP 3n
+.RE
+.PP
 \fBTRY_AGAIN\fR
+.RS 4
 Host name lookup failure
-.TP 3n
+.RE
+.PP
 \fBNO_RECOVERY\fR
+.RS 4
 Unknown server error
-.TP 3n
+.RE
+.PP
 \fBNO_DATA\fR
+.RS 4
 No address associated with name
+.RE
 .SH "RETURN VALUES"
 .PP
 The string
@@ -83,4 +93,7 @@ is not a valid error code.
 \fBherror\fR(3),
 \fBlwres_hstrerror\fR(3).
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook b/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook
index a36c072..8150e8c 100644
--- a/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_hstrerror.docbook,v 1.4.206.3 2005/05/12 21:36:15 sra Exp $ -->
-
+<!-- $Id: lwres_hstrerror.docbook,v 1.5.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refmeta>
-<refentrytitle>lwres_hstrerror</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_hstrerror</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -45,95 +45,108 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_herror</refname>
-<refname>lwres_hstrerror</refname>
-<refpurpose>lightweight resolver error message generation</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
+  <refnamediv>
+    <refname>lwres_herror</refname>
+    <refname>lwres_hstrerror</refname>
+    <refpurpose>lightweight resolver error message generation</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_herror</function></funcdef>
-<paramdef>const char *s</paramdef>
-</funcprototype>
+        <paramdef>const char *<parameter>s</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 const char *
 <function>lwres_hstrerror</function></funcdef>
-<paramdef>int err</paramdef>
-</funcprototype>
+        <paramdef>int <parameter>err</parameter></paramdef>
+      </funcprototype>
 </funcsynopsis>
-</refsynopsisdiv>
+  </refsynopsisdiv>
 
-<refsect1>
-<title>DESCRIPTION</title>
+  <refsect1>
+    <title>DESCRIPTION</title>
 
-<para>
-<function>lwres_herror()</function> prints the string
-<parameter>s</parameter> on <type>stderr</type> followed by the string
-generated by <function>lwres_hstrerror()</function> for the error code
-stored in the global variable <constant>lwres_h_errno</constant>.
-</para>
+    <para><function>lwres_herror()</function>
+      prints the string <parameter>s</parameter> on
+      <type>stderr</type> followed by the string generated by
+      <function>lwres_hstrerror()</function> for the error code stored
+      in the global variable <constant>lwres_h_errno</constant>.
+    </para>
 
-<para>
-<function>lwres_hstrerror()</function> returns an appropriate string
-for the error code gievn by <parameter>err</parameter>.  The values of
-the error codes and messages are as follows:
+    <para><function>lwres_hstrerror()</function>
+      returns an appropriate string for the error code gievn by
+      <parameter>err</parameter>.  The values of the error codes and
+      messages are as follows:
 
-<variablelist>
-<varlistentry><term><errorcode>NETDB_SUCCESS</errorcode></term>
-<listitem>
-<para>
-<errorname>Resolver Error 0 (no error)</errorname>
-</para></listitem></varlistentry>
-<varlistentry><term><errorcode>HOST_NOT_FOUND</errorcode></term>
-<listitem>
-<para>
-<errorname>Unknown host</errorname>
-</para></listitem></varlistentry>
-<varlistentry><term><errorcode>TRY_AGAIN</errorcode></term>
-<listitem>
-<para>
-<errorname>Host name lookup failure</errorname>
-</para></listitem></varlistentry>
-<varlistentry><term><errorcode>NO_RECOVERY</errorcode></term>
-<listitem>
-<para>
-<errorname>Unknown server error</errorname>
-</para></listitem></varlistentry>
-<varlistentry><term><errorcode>NO_DATA</errorcode></term>
-<listitem>
-<para>
-<errorname>No address associated with name</errorname>
-</para></listitem></varlistentry>
-</variablelist>
-</para>
-</refsect1>
+      <variablelist>
+        <varlistentry>
+          <term><errorcode>NETDB_SUCCESS</errorcode></term>
+          <listitem>
+            <para><errorname>Resolver Error 0 (no error)</errorname>
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>HOST_NOT_FOUND</errorcode></term>
+          <listitem>
+            <para><errorname>Unknown host</errorname>
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>TRY_AGAIN</errorcode></term>
+          <listitem>
+            <para><errorname>Host name lookup failure</errorname>
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>NO_RECOVERY</errorcode></term>
+          <listitem>
+            <para><errorname>Unknown server error</errorname>
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>NO_DATA</errorcode></term>
+          <listitem>
+            <para><errorname>No address associated with name</errorname>
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+  </refsect1>
 
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The string <errorname>Unknown resolver error</errorname> is returned by
-<function>lwres_hstrerror()</function>
-when the value of
-<constant>lwres_h_errno</constant>
-is not a valid error code.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>herror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
+  <refsect1>
+    <title>RETURN VALUES</title>
+    <para>
+      The string <errorname>Unknown resolver error</errorname> is returned by
+      <function>lwres_hstrerror()</function>
+      when the value of
+      <constant>lwres_h_errno</constant>
+      is not a valid error code.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>herror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
 
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
+      <citerefentry>
+        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
 
-</refsect1>
-</refentry>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.html b/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
index d2f1e4a..b52ff06 100644
--- a/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
+++ b/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_hstrerror.html,v 1.5.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_hstrerror.html,v 1.6.18.17 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_hstrerror</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_herror, lwres_hstrerror &#8212; lightweight resolver error message generation</p>
@@ -31,70 +31,74 @@
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<p><code class="funcdef">
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
+<td><code class="funcdef">
 void
-<b class="fsfunc">lwres_herror</b>(</code>const char *s<code>)</code>;</p>
-<p><code class="funcdef">
+<b class="fsfunc">lwres_herror</b>(</code></td>
+<td>const char * </td>
+<td>
+<var class="pdparam">s</var><code>)</code>;</td>
+</tr></table>
+<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
+<td><code class="funcdef">
 const char *
-<b class="fsfunc">lwres_hstrerror</b>(</code>int err<code>)</code>;</p>
+<b class="fsfunc">lwres_hstrerror</b>(</code></td>
+<td>int  </td>
+<td>
+<var class="pdparam">err</var><code>)</code>;</td>
+</tr></table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549424"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_herror()</code> prints the string
-<em class="parameter"><code>s</code></em> on <span class="type">stderr</span> followed by the string
-generated by <code class="function">lwres_hstrerror()</code> for the error code
-stored in the global variable <code class="constant">lwres_h_errno</code>.
-</p>
-<p>
-<code class="function">lwres_hstrerror()</code> returns an appropriate string
-for the error code gievn by <em class="parameter"><code>err</code></em>.  The values of
-the error codes and messages are as follows:
+<a name="id2543379"></a><h2>DESCRIPTION</h2>
+<p><code class="function">lwres_herror()</code>
+      prints the string <em class="parameter"><code>s</code></em> on
+      <span class="type">stderr</span> followed by the string generated by
+      <code class="function">lwres_hstrerror()</code> for the error code stored
+      in the global variable <code class="constant">lwres_h_errno</code>.
+    </p>
+<p><code class="function">lwres_hstrerror()</code>
+      returns an appropriate string for the error code gievn by
+      <em class="parameter"><code>err</code></em>.  The values of the error codes and
+      messages are as follows:
 
-</p>
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span class="errorcode">NETDB_SUCCESS</span></span></dt>
-<dd><p>
-<span class="errorname">Resolver Error 0 (no error)</span>
-</p></dd>
+<dd><p><span class="errorname">Resolver Error 0 (no error)</span>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">HOST_NOT_FOUND</span></span></dt>
-<dd><p>
-<span class="errorname">Unknown host</span>
-</p></dd>
+<dd><p><span class="errorname">Unknown host</span>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">TRY_AGAIN</span></span></dt>
-<dd><p>
-<span class="errorname">Host name lookup failure</span>
-</p></dd>
+<dd><p><span class="errorname">Host name lookup failure</span>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">NO_RECOVERY</span></span></dt>
-<dd><p>
-<span class="errorname">Unknown server error</span>
-</p></dd>
+<dd><p><span class="errorname">Unknown server error</span>
+            </p></dd>
 <dt><span class="term"><span class="errorcode">NO_DATA</span></span></dt>
-<dd><p>
-<span class="errorname">No address associated with name</span>
-</p></dd>
+<dd><p><span class="errorname">No address associated with name</span>
+            </p></dd>
 </dl></div>
 <p>
-</p>
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549536"></a><h2>RETURN VALUES</h2>
+<a name="id2543497"></a><h2>RETURN VALUES</h2>
 <p>
-The string <span class="errorname">Unknown resolver error</span> is returned by
-<code class="function">lwres_hstrerror()</code>
-when the value of
-<code class="constant">lwres_h_errno</code>
-is not a valid error code.
-</p>
+      The string <span class="errorname">Unknown resolver error</span> is returned by
+      <code class="function">lwres_hstrerror()</code>
+      when the value of
+      <code class="constant">lwres_h_errno</code>
+      is not a valid error code.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549555"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">herror</span>(3)</span>,
+<a name="id2543517"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">herror</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
-</p>
+      <span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.3 b/contrib/bind9/lib/lwres/man/lwres_inetntop.3
index 6395e60..4cb09f8 100644
--- a/contrib/bind9/lib/lwres/man/lwres_inetntop.3
+++ b/contrib/bind9/lib/lwres/man/lwres_inetntop.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_inetntop.3,v 1.12.2.1.8.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_inetntop.3,v 1.15.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_inetntop
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -36,7 +36,7 @@ lwres_net_ntop \- lightweight resolver IP address presentation
 #include <lwres/net.h>
 .fi
 .HP 28
-.BI "const char * lwres_net_ntop(int\ af, const\ void\ *src, char\ *dst, size_t\ size);"
+.BI "const char * lwres_net_ntop(int\ " "af" ", const\ void\ *" "src" ", char\ *" "dst" ", size_t\ " "size" ");"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_net_ntop()\fR
@@ -71,4 +71,7 @@ is not supported.
 \fBinet_ntop\fR(3),
 \fBerrno\fR(3).
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook b/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook
index 651ef04..7b80fe4 100644
--- a/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_inetntop.docbook,v 1.3.206.3 2005/05/12 21:36:15 sra Exp $ -->
-
+<!-- $Id: lwres_inetntop.docbook,v 1.4.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refmeta>
-<refentrytitle>lwres_inetntop</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_inetntop</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -45,70 +45,76 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_net_ntop</refname>
-<refpurpose>lightweight resolver IP address presentation</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
+  <refnamediv>
+    <refname>lwres_net_ntop</refname>
+    <refpurpose>lightweight resolver IP address presentation</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>#include &lt;lwres/net.h&gt;</funcsynopsisinfo>
 <funcprototype>
-<funcdef>
+        <funcdef>
 const char *
 <function>lwres_net_ntop</function></funcdef>
-<paramdef>int af</paramdef>
-<paramdef>const void *src</paramdef>
-<paramdef>char *dst</paramdef>
-<paramdef>size_t size</paramdef>
-</funcprototype>
+        <paramdef>int <parameter>af</parameter></paramdef>
+        <paramdef>const void *<parameter>src</parameter></paramdef>
+        <paramdef>char *<parameter>dst</parameter></paramdef>
+        <paramdef>size_t <parameter>size</parameter></paramdef>
+      </funcprototype>
 </funcsynopsis>
-</refsynopsisdiv>
+  </refsynopsisdiv>
 
-<refsect1>
-<title>DESCRIPTION</title>
+  <refsect1>
+    <title>DESCRIPTION</title>
 
-<para>
-<function>lwres_net_ntop()</function> converts an IP address of
-protocol family <parameter>af</parameter> &mdash; IPv4 or IPv6 &mdash;
-at location <parameter>src</parameter> from network format to its
-conventional representation as a string.  For IPv4 addresses, that
-string would be a dotted-decimal.  An IPv6 address would be
-represented in colon notation as described in RFC1884.
-</para>
+    <para><function>lwres_net_ntop()</function>
+      converts an IP address of protocol family
+      <parameter>af</parameter> &mdash; IPv4 or IPv6 &mdash; at
+      location <parameter>src</parameter> from network format to its
+      conventional representation as a string.  For IPv4 addresses,
+      that string would be a dotted-decimal.  An IPv6 address would be
+      represented in colon notation as described in RFC1884.
+    </para>
 
-<para>
-The generated string is copied to <parameter>dst</parameter> provided
-<parameter>size</parameter> indicates it is long enough to store the
-ASCII representation of the address.
-</para>
+    <para>
+      The generated string is copied to <parameter>dst</parameter>
+      provided
+      <parameter>size</parameter> indicates it is long enough to
+      store the
+      ASCII representation of the address.
+    </para>
 
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
+  </refsect1>
+  <refsect1>
+    <title>RETURN VALUES</title>
 
-<para>
-If successful, the function returns <parameter>dst</parameter>:
-a pointer to a string containing the presentation format of the
-address.  <function>lwres_net_ntop()</function> returns
-<type>NULL</type> and sets the global variable
-<constant>errno</constant> to <errorcode>EAFNOSUPPORT</errorcode> if
-the protocol family given in <parameter>af</parameter> is not
-supported.
-</para>
+    <para>
+      If successful, the function returns <parameter>dst</parameter>:
+      a pointer to a string containing the presentation format of the
+      address.  <function>lwres_net_ntop()</function> returns
+      <type>NULL</type> and sets the global variable
+      <constant>errno</constant> to <errorcode>EAFNOSUPPORT</errorcode> if
+      the protocol family given in <parameter>af</parameter> is
+      not
+      supported.
+    </para>
 
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>RFC1884</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>inet_ntop</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>errno</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
+  </refsect1>
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>RFC1884</refentrytitle>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>inet_ntop</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>errno</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.html b/contrib/bind9/lib/lwres/man/lwres_inetntop.html
index ca5c0bd..532d500 100644
--- a/contrib/bind9/lib/lwres/man/lwres_inetntop.html
+++ b/contrib/bind9/lib/lwres/man/lwres_inetntop.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_inetntop.html,v 1.5.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_inetntop.html,v 1.6.18.17 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_inetntop</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_net_ntop &#8212; lightweight resolver IP address presentation</p>
@@ -36,68 +36,68 @@
 <td><code class="funcdef">
 const char *
 <b class="fsfunc">lwres_net_ntop</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>int  </td>
+<td>
+<var class="pdparam">af</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>const void * </td>
+<td>
+<var class="pdparam">src</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>char * </td>
+<td>
+<var class="pdparam">dst</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>size_t  </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">size</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549419"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_net_ntop()</code> converts an IP address of
-protocol family <em class="parameter"><code>af</code></em> &#8212; IPv4 or IPv6 &#8212;
-at location <em class="parameter"><code>src</code></em> from network format to its
-conventional representation as a string.  For IPv4 addresses, that
-string would be a dotted-decimal.  An IPv6 address would be
-represented in colon notation as described in RFC1884.
-</p>
+<a name="id2543379"></a><h2>DESCRIPTION</h2>
+<p><code class="function">lwres_net_ntop()</code>
+      converts an IP address of protocol family
+      <em class="parameter"><code>af</code></em> &#8212; IPv4 or IPv6 &#8212; at
+      location <em class="parameter"><code>src</code></em> from network format to its
+      conventional representation as a string.  For IPv4 addresses,
+      that string would be a dotted-decimal.  An IPv6 address would be
+      represented in colon notation as described in RFC1884.
+    </p>
 <p>
-The generated string is copied to <em class="parameter"><code>dst</code></em> provided
-<em class="parameter"><code>size</code></em> indicates it is long enough to store the
-ASCII representation of the address.
-</p>
+      The generated string is copied to <em class="parameter"><code>dst</code></em>
+      provided
+      <em class="parameter"><code>size</code></em> indicates it is long enough to
+      store the
+      ASCII representation of the address.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549452"></a><h2>RETURN VALUES</h2>
+<a name="id2543411"></a><h2>RETURN VALUES</h2>
 <p>
-If successful, the function returns <em class="parameter"><code>dst</code></em>:
-a pointer to a string containing the presentation format of the
-address.  <code class="function">lwres_net_ntop()</code> returns
-<span class="type">NULL</span> and sets the global variable
-<code class="constant">errno</code> to <span class="errorcode">EAFNOSUPPORT</span> if
-the protocol family given in <em class="parameter"><code>af</code></em> is not
-supported.
-</p>
+      If successful, the function returns <em class="parameter"><code>dst</code></em>:
+      a pointer to a string containing the presentation format of the
+      address.  <code class="function">lwres_net_ntop()</code> returns
+      <span class="type">NULL</span> and sets the global variable
+      <code class="constant">errno</code> to <span class="errorcode">EAFNOSUPPORT</span> if
+      the protocol family given in <em class="parameter"><code>af</code></em> is
+      not
+      supported.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549483"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">RFC1884</span></span>,
-<span class="citerefentry"><span class="refentrytitle">inet_ntop</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">errno</span>(3)</span>.
-</p>
+<a name="id2543444"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">RFC1884</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">inet_ntop</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">errno</span>(3)</span>.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.3 b/contrib/bind9/lib/lwres/man/lwres_noop.3
index e32c2f8..7884109 100644
--- a/contrib/bind9/lib/lwres/man/lwres_noop.3
+++ b/contrib/bind9/lib/lwres/man/lwres_noop.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_noop.3,v 1.14.2.1.8.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_noop.3,v 1.17.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_noop
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -36,17 +36,17 @@ lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lw
 #include <lwres/lwres.h>
 .fi
 .HP 40
-.BI "lwres_result_t lwres_nooprequest_render(lwres_context_t\ *ctx, lwres_nooprequest_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
+.BI "lwres_result_t lwres_nooprequest_render(lwres_context_t\ *" "ctx" ", lwres_nooprequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
 .HP 41
-.BI "lwres_result_t lwres_noopresponse_render(lwres_context_t\ *ctx, lwres_noopresponse_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
+.BI "lwres_result_t lwres_noopresponse_render(lwres_context_t\ *" "ctx" ", lwres_noopresponse_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
 .HP 39
-.BI "lwres_result_t lwres_nooprequest_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_nooprequest_t\ **structp);"
+.BI "lwres_result_t lwres_nooprequest_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_nooprequest_t\ **" "structp" ");"
 .HP 40
-.BI "lwres_result_t lwres_noopresponse_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_noopresponse_t\ **structp);"
+.BI "lwres_result_t lwres_noopresponse_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_noopresponse_t\ **" "structp" ");"
 .HP 29
-.BI "void lwres_noopresponse_free(lwres_context_t\ *ctx, lwres_noopresponse_t\ **structp);"
+.BI "void lwres_noopresponse_free(lwres_context_t\ *" "ctx" ", lwres_noopresponse_t\ **" "structp" ");"
 .HP 28
-.BI "void lwres_nooprequest_free(lwres_context_t\ *ctx, lwres_nooprequest_t\ **structp);"
+.BI "void lwres_nooprequest_free(lwres_context_t\ *" "ctx" ", lwres_nooprequest_t\ **" "structp" ");"
 .SH "DESCRIPTION"
 .PP
 These are low\-level routines for creating and parsing lightweight resolver no\-op request and response messages.
@@ -63,14 +63,26 @@ to the canonical format. This is complemented by a parse function which converts
 .PP
 These structures are defined in
 \fIlwres/lwres.h\fR. They are shown below.
-.sp
-.RS 3n
+.PP
+.RS 4
 .nf
 #define LWRES_OPCODE_NOOP       0x00000000U
+.fi
+.RE
+.sp
+.PP
+.RS 4
+.nf
 typedef struct {
         lwres_uint16_t  datalength;
         unsigned char   *data;
 } lwres_nooprequest_t;
+.fi
+.RE
+.sp
+.PP
+.RS 4
+.nf
 typedef struct {
         lwres_uint16_t  datalength;
         unsigned char   *data;
@@ -78,6 +90,7 @@ typedef struct {
 .fi
 .RE
 .sp
+.PP
 Although the structures have different types, they are identical. This is because the no\-op opcode simply echos whatever data was sent: the response is therefore identical to the request.
 .PP
 \fBlwres_nooprequest_render()\fR
@@ -162,6 +175,9 @@ in the packet header structure
 indicate that the packet is not a response to an earlier query.
 .SH "SEE ALSO"
 .PP
-\fBlwres_packet\fR(3 )
+\fBlwres_packet\fR(3)
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.docbook b/contrib/bind9/lib/lwres/man/lwres_noop.docbook
index fcb3c59..cef6d87 100644
--- a/contrib/bind9/lib/lwres/man/lwres_noop.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_noop.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_noop.docbook,v 1.4.206.3 2005/05/12 21:36:16 sra Exp $ -->
-
+<!-- $Id: lwres_noop.docbook,v 1.5.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refmeta>
-<refentrytitle>lwres_noop</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_noop</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -45,200 +45,211 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_nooprequest_render</refname>
-<refname>lwres_noopresponse_render</refname>
-<refname>lwres_nooprequest_parse</refname>
-<refname>lwres_noopresponse_parse</refname>
-<refname>lwres_noopresponse_free</refname>
-<refname>lwres_nooprequest_free</refname>
-<refpurpose>lightweight resolver no-op message handling</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
+  <refnamediv>
+    <refname>lwres_nooprequest_render</refname>
+    <refname>lwres_noopresponse_render</refname>
+    <refname>lwres_nooprequest_parse</refname>
+    <refname>lwres_noopresponse_parse</refname>
+    <refname>lwres_noopresponse_free</refname>
+    <refname>lwres_nooprequest_free</refname>
+    <refpurpose>lightweight resolver no-op message handling</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>
 #include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_nooprequest_render</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_nooprequest_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_nooprequest_t *<parameter>req</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_noopresponse_render</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_noopresponse_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_noopresponse_t *<parameter>req</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_nooprequest_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_nooprequest_t **structp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_nooprequest_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_noopresponse_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_noopresponse_t **structp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_noopresponse_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_noopresponse_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_noopresponse_t **structp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_noopresponse_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 void
 <function>lwres_nooprequest_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_nooprequest_t **structp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_nooprequest_t **<parameter>structp</parameter></paramdef>
+      </funcprototype>
 </funcsynopsis>
-</refsynopsisdiv>
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These are low-level routines for creating and parsing
-lightweight resolver no-op request and response messages.
-</para>
-<para>
-The no-op message is analogous to a <command>ping</command> packet: 
-a packet is sent to the resolver daemon and is simply echoed back.
-The opcode is intended to allow a client to determine if the server is
-operational or not.
-</para>
-<para>
-There are four main functions for the no-op opcode.
-One render function converts a no-op request structure &mdash;
-<type>lwres_nooprequest_t</type> &mdash;
-to the lighweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a no-op request structure.
-Another render function converts the no-op response structure &mdash;
-<type>lwres_noopresponse_t</type>
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a no-op response structure.
-</para>
-<para>
-These structures are defined in
-<filename>lwres/lwres.h</filename>.
+  </refsynopsisdiv>
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para>
+      These are low-level routines for creating and parsing
+      lightweight resolver no-op request and response messages.
+    </para>
+    <para>
+      The no-op message is analogous to a <command>ping</command>
+      packet:
+      a packet is sent to the resolver daemon and is simply echoed back.
+      The opcode is intended to allow a client to determine if the server is
+      operational or not.
+    </para>
+    <para>
+      There are four main functions for the no-op opcode.
+      One render function converts a no-op request structure &mdash;
+      <type>lwres_nooprequest_t</type> &mdash;
+      to the lighweight resolver's canonical format.
+      It is complemented by a parse function that converts a packet in this
+      canonical format to a no-op request structure.
+      Another render function converts the no-op response structure &mdash;
+      <type>lwres_noopresponse_t</type>
+      to the canonical format.
+      This is complemented by a parse function which converts a packet in
+      canonical format to a no-op response structure.
+    </para>
+    <para>
+      These structures are defined in
+      <filename>lwres/lwres.h</filename>.
 
-They are shown below.
-<programlisting>
+      They are shown below.
+    </para>
+    <para><programlisting>
 #define LWRES_OPCODE_NOOP       0x00000000U
-
+</programlisting>
+    </para>
+    <para><programlisting>
 typedef struct {
         lwres_uint16_t  datalength;
         unsigned char   *data;
 } lwres_nooprequest_t;
-
+</programlisting>
+    </para>
+    <para><programlisting>
 typedef struct {
         lwres_uint16_t  datalength;
         unsigned char   *data;
 } lwres_noopresponse_t;
 </programlisting>
-Although the structures have different types, they are identical.
-This is because the no-op opcode simply echos whatever data was sent:
-the response is therefore identical to the request.
-</para>
+    </para>
+    <para>
+      Although the structures have different types, they are identical.
+      This is because the no-op opcode simply echos whatever data was sent:
+      the response is therefore identical to the request.
+    </para>
 
-<para>
-<function>lwres_nooprequest_render()</function> uses resolver
-context <parameter>ctx</parameter> to convert no-op request structure
-<parameter>req</parameter> to canonical format.  The packet header
-structure <parameter>pkt</parameter> is initialised and transferred to
-buffer <parameter>b</parameter>.  The contents of
-<parameter>*req</parameter> are then appended to the buffer in
-canonical format.  <function>lwres_noopresponse_render()</function>
-performs the same task, except it converts a no-op response structure
-<type>lwres_noopresponse_t</type> to the lightweight resolver's
-canonical format.
-</para>
+    <para><function>lwres_nooprequest_render()</function>
+      uses resolver context <parameter>ctx</parameter> to convert
+      no-op request structure <parameter>req</parameter> to canonical
+      format.  The packet header structure <parameter>pkt</parameter>
+      is initialised and transferred to buffer
+      <parameter>b</parameter>.  The contents of
+      <parameter>*req</parameter> are then appended to the buffer in
+      canonical format.
+      <function>lwres_noopresponse_render()</function> performs the
+      same task, except it converts a no-op response structure
+      <type>lwres_noopresponse_t</type> to the lightweight resolver's
+      canonical format.
+    </para>
 
-<para>
-<function>lwres_nooprequest_parse()</function> uses context
-<parameter>ctx</parameter> to convert the contents of packet
-<parameter>pkt</parameter> to a <type>lwres_nooprequest_t</type>
-structure.  Buffer <parameter>b</parameter> provides space to be used
-for storing this structure.  When the function succeeds, the resulting
-<type>lwres_nooprequest_t</type> is made available through
-<parameter>*structp</parameter>.
-<function>lwres_noopresponse_parse()</function> offers the same
-semantics as <function>lwres_nooprequest_parse()</function> except it
-yields a <type>lwres_noopresponse_t</type> structure.
-</para>
+    <para><function>lwres_nooprequest_parse()</function>
+      uses context <parameter>ctx</parameter> to convert the contents
+      of packet <parameter>pkt</parameter> to a
+      <type>lwres_nooprequest_t</type> structure.  Buffer
+      <parameter>b</parameter> provides space to be used for storing
+      this structure.  When the function succeeds, the resulting
+      <type>lwres_nooprequest_t</type> is made available through
+      <parameter>*structp</parameter>.
+      <function>lwres_noopresponse_parse()</function> offers the same
+      semantics as <function>lwres_nooprequest_parse()</function>
+      except it yields a <type>lwres_noopresponse_t</type> structure.
+    </para>
 
-<para>
-<function>lwres_noopresponse_free()</function> and
-<function>lwres_nooprequest_free()</function> release the memory in
-resolver context <parameter>ctx</parameter> that was allocated to the
-<type>lwres_noopresponse_t</type> or <type>lwres_nooprequest_t</type>
-structures referenced via <parameter>structp</parameter>.
-</para>
+    <para><function>lwres_noopresponse_free()</function>
+      and <function>lwres_nooprequest_free()</function> release the
+      memory in resolver context <parameter>ctx</parameter> that was
+      allocated to the <type>lwres_noopresponse_t</type> or
+      <type>lwres_nooprequest_t</type> structures referenced via
+      <parameter>structp</parameter>.
+    </para>
 
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The no-op opcode functions
-<function>lwres_nooprequest_render()</function>,
+  </refsect1>
+  <refsect1>
+    <title>RETURN VALUES</title>
+    <para>
+      The no-op opcode functions
+      <function>lwres_nooprequest_render()</function>,
 
-<function>lwres_noopresponse_render()</function>
-<function>lwres_nooprequest_parse()</function>
-and
-<function>lwres_noopresponse_parse()</function>
-all return
-<errorcode>LWRES_R_SUCCESS</errorcode>
-on success.
-They return
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-if memory allocation fails.
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-is returned if the available space in the buffer
-<parameter>b</parameter>
-is too small to accommodate the packet header or the
-<type>lwres_nooprequest_t</type>
-and
-<type>lwres_noopresponse_t</type>
-structures.
-<function>lwres_nooprequest_parse()</function>
-and
-<function>lwres_noopresponse_parse()</function>
-will return
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<errorcode>LWRES_R_FAILURE</errorcode>
-if
-<constant>pktflags</constant>
-in the packet header structure
-<type>lwres_lwpacket_t</type>
-indicate that the packet is not a response to an earlier query.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_packet</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-</para>
-</refsect1>
-</refentry>
+      <function>lwres_noopresponse_render()</function>
+      <function>lwres_nooprequest_parse()</function>
+      and
+      <function>lwres_noopresponse_parse()</function>
+      all return
+      <errorcode>LWRES_R_SUCCESS</errorcode>
+      on success.
+      They return
+      <errorcode>LWRES_R_NOMEMORY</errorcode>
+      if memory allocation fails.
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      is returned if the available space in the buffer
+      <parameter>b</parameter>
+      is too small to accommodate the packet header or the
+      <type>lwres_nooprequest_t</type>
+      and
+      <type>lwres_noopresponse_t</type>
+      structures.
+      <function>lwres_nooprequest_parse()</function>
+      and
+      <function>lwres_noopresponse_parse()</function>
+      will return
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      if the buffer is not empty after decoding the received packet.
+      These functions will return
+      <errorcode>LWRES_R_FAILURE</errorcode>
+      if
+      <constant>pktflags</constant>
+      in the packet header structure
+      <type>lwres_lwpacket_t</type>
+      indicate that the packet is not a response to an earlier query.
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>lwres_packet</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.html b/contrib/bind9/lib/lwres/man/lwres_noop.html
index 145bcac..4705ecb 100644
--- a/contrib/bind9/lib/lwres/man/lwres_noop.html
+++ b/contrib/bind9/lib/lwres/man/lwres_noop.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_noop.html,v 1.7.2.1.4.11 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_noop.html,v 1.8.18.17 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_noop</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free &#8212; lightweight resolver no-op message handling</p>
@@ -37,29 +37,27 @@
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_nooprequest_render</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_nooprequest_t * </td>
+<td>
+<var class="pdparam">req</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_lwpacket_t * </td>
+<td>
+<var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_buffer_t * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">b</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -67,29 +65,27 @@ lwres_result_t
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_noopresponse_render</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_noopresponse_t * </td>
+<td>
+<var class="pdparam">req</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_lwpacket_t * </td>
+<td>
+<var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_buffer_t * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">b</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -97,29 +93,27 @@ lwres_result_t
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_nooprequest_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_lwpacket_t * </td>
+<td>
+<var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_nooprequest_t ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -127,29 +121,27 @@ lwres_result_t
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_noopresponse_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_lwpacket_t * </td>
+<td>
+<var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_noopresponse_t ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -157,19 +149,15 @@ lwres_result_t
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_noopresponse_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_noopresponse_t ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
@@ -177,149 +165,153 @@ void
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_nooprequest_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_nooprequest_t ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549528"></a><h2>DESCRIPTION</h2>
+<a name="id2543522"></a><h2>DESCRIPTION</h2>
 <p>
-These are low-level routines for creating and parsing
-lightweight resolver no-op request and response messages.
-</p>
+      These are low-level routines for creating and parsing
+      lightweight resolver no-op request and response messages.
+    </p>
 <p>
-The no-op message is analogous to a <span><strong class="command">ping</strong></span> packet: 
-a packet is sent to the resolver daemon and is simply echoed back.
-The opcode is intended to allow a client to determine if the server is
-operational or not.
-</p>
+      The no-op message is analogous to a <span><strong class="command">ping</strong></span>
+      packet:
+      a packet is sent to the resolver daemon and is simply echoed back.
+      The opcode is intended to allow a client to determine if the server is
+      operational or not.
+    </p>
 <p>
-There are four main functions for the no-op opcode.
-One render function converts a no-op request structure &#8212;
-<span class="type">lwres_nooprequest_t</span> &#8212;
-to the lighweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a no-op request structure.
-Another render function converts the no-op response structure &#8212;
-<span class="type">lwres_noopresponse_t</span>
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a no-op response structure.
-</p>
+      There are four main functions for the no-op opcode.
+      One render function converts a no-op request structure &#8212;
+      <span class="type">lwres_nooprequest_t</span> &#8212;
+      to the lighweight resolver's canonical format.
+      It is complemented by a parse function that converts a packet in this
+      canonical format to a no-op request structure.
+      Another render function converts the no-op response structure &#8212;
+      <span class="type">lwres_noopresponse_t</span>
+      to the canonical format.
+      This is complemented by a parse function which converts a packet in
+      canonical format to a no-op response structure.
+    </p>
 <p>
-These structures are defined in
-<code class="filename">lwres/lwres.h</code>.
+      These structures are defined in
+      <code class="filename">lwres/lwres.h</code>.
 
-They are shown below.
-</p>
+      They are shown below.
+    </p>
 <pre class="programlisting">
 #define LWRES_OPCODE_NOOP       0x00000000U
-
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
 typedef struct {
         lwres_uint16_t  datalength;
         unsigned char   *data;
 } lwres_nooprequest_t;
-
+</pre>
+<p>
+    </p>
+<pre class="programlisting">
 typedef struct {
         lwres_uint16_t  datalength;
         unsigned char   *data;
 } lwres_noopresponse_t;
 </pre>
 <p>
-Although the structures have different types, they are identical.
-This is because the no-op opcode simply echos whatever data was sent:
-the response is therefore identical to the request.
-</p>
-<p>
-<code class="function">lwres_nooprequest_render()</code> uses resolver
-context <em class="parameter"><code>ctx</code></em> to convert no-op request structure
-<em class="parameter"><code>req</code></em> to canonical format.  The packet header
-structure <em class="parameter"><code>pkt</code></em> is initialised and transferred to
-buffer <em class="parameter"><code>b</code></em>.  The contents of
-<em class="parameter"><code>*req</code></em> are then appended to the buffer in
-canonical format.  <code class="function">lwres_noopresponse_render()</code>
-performs the same task, except it converts a no-op response structure
-<span class="type">lwres_noopresponse_t</span> to the lightweight resolver's
-canonical format.
-</p>
+    </p>
 <p>
-<code class="function">lwres_nooprequest_parse()</code> uses context
-<em class="parameter"><code>ctx</code></em> to convert the contents of packet
-<em class="parameter"><code>pkt</code></em> to a <span class="type">lwres_nooprequest_t</span>
-structure.  Buffer <em class="parameter"><code>b</code></em> provides space to be used
-for storing this structure.  When the function succeeds, the resulting
-<span class="type">lwres_nooprequest_t</span> is made available through
-<em class="parameter"><code>*structp</code></em>.
-<code class="function">lwres_noopresponse_parse()</code> offers the same
-semantics as <code class="function">lwres_nooprequest_parse()</code> except it
-yields a <span class="type">lwres_noopresponse_t</span> structure.
-</p>
-<p>
-<code class="function">lwres_noopresponse_free()</code> and
-<code class="function">lwres_nooprequest_free()</code> release the memory in
-resolver context <em class="parameter"><code>ctx</code></em> that was allocated to the
-<span class="type">lwres_noopresponse_t</span> or <span class="type">lwres_nooprequest_t</span>
-structures referenced via <em class="parameter"><code>structp</code></em>.
-</p>
+      Although the structures have different types, they are identical.
+      This is because the no-op opcode simply echos whatever data was sent:
+      the response is therefore identical to the request.
+    </p>
+<p><code class="function">lwres_nooprequest_render()</code>
+      uses resolver context <em class="parameter"><code>ctx</code></em> to convert
+      no-op request structure <em class="parameter"><code>req</code></em> to canonical
+      format.  The packet header structure <em class="parameter"><code>pkt</code></em>
+      is initialised and transferred to buffer
+      <em class="parameter"><code>b</code></em>.  The contents of
+      <em class="parameter"><code>*req</code></em> are then appended to the buffer in
+      canonical format.
+      <code class="function">lwres_noopresponse_render()</code> performs the
+      same task, except it converts a no-op response structure
+      <span class="type">lwres_noopresponse_t</span> to the lightweight resolver's
+      canonical format.
+    </p>
+<p><code class="function">lwres_nooprequest_parse()</code>
+      uses context <em class="parameter"><code>ctx</code></em> to convert the contents
+      of packet <em class="parameter"><code>pkt</code></em> to a
+      <span class="type">lwres_nooprequest_t</span> structure.  Buffer
+      <em class="parameter"><code>b</code></em> provides space to be used for storing
+      this structure.  When the function succeeds, the resulting
+      <span class="type">lwres_nooprequest_t</span> is made available through
+      <em class="parameter"><code>*structp</code></em>.
+      <code class="function">lwres_noopresponse_parse()</code> offers the same
+      semantics as <code class="function">lwres_nooprequest_parse()</code>
+      except it yields a <span class="type">lwres_noopresponse_t</span> structure.
+    </p>
+<p><code class="function">lwres_noopresponse_free()</code>
+      and <code class="function">lwres_nooprequest_free()</code> release the
+      memory in resolver context <em class="parameter"><code>ctx</code></em> that was
+      allocated to the <span class="type">lwres_noopresponse_t</span> or
+      <span class="type">lwres_nooprequest_t</span> structures referenced via
+      <em class="parameter"><code>structp</code></em>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549797"></a><h2>RETURN VALUES</h2>
+<a name="id2543672"></a><h2>RETURN VALUES</h2>
 <p>
-The no-op opcode functions
-<code class="function">lwres_nooprequest_render()</code>,
+      The no-op opcode functions
+      <code class="function">lwres_nooprequest_render()</code>,
 
-<code class="function">lwres_noopresponse_render()</code>
-<code class="function">lwres_nooprequest_parse()</code>
-and
-<code class="function">lwres_noopresponse_parse()</code>
-all return
-<span class="errorcode">LWRES_R_SUCCESS</span>
-on success.
-They return
-<span class="errorcode">LWRES_R_NOMEMORY</span>
-if memory allocation fails.
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-is returned if the available space in the buffer
-<em class="parameter"><code>b</code></em>
-is too small to accommodate the packet header or the
-<span class="type">lwres_nooprequest_t</span>
-and
-<span class="type">lwres_noopresponse_t</span>
-structures.
-<code class="function">lwres_nooprequest_parse()</code>
-and
-<code class="function">lwres_noopresponse_parse()</code>
-will return
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<span class="errorcode">LWRES_R_FAILURE</span>
-if
-<code class="constant">pktflags</code>
-in the packet header structure
-<span class="type">lwres_lwpacket_t</span>
-indicate that the packet is not a response to an earlier query.
-</p>
+      <code class="function">lwres_noopresponse_render()</code>
+      <code class="function">lwres_nooprequest_parse()</code>
+      and
+      <code class="function">lwres_noopresponse_parse()</code>
+      all return
+      <span class="errorcode">LWRES_R_SUCCESS</span>
+      on success.
+      They return
+      <span class="errorcode">LWRES_R_NOMEMORY</span>
+      if memory allocation fails.
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      is returned if the available space in the buffer
+      <em class="parameter"><code>b</code></em>
+      is too small to accommodate the packet header or the
+      <span class="type">lwres_nooprequest_t</span>
+      and
+      <span class="type">lwres_noopresponse_t</span>
+      structures.
+      <code class="function">lwres_nooprequest_parse()</code>
+      and
+      <code class="function">lwres_noopresponse_parse()</code>
+      will return
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      if the buffer is not empty after decoding the received packet.
+      These functions will return
+      <span class="errorcode">LWRES_R_FAILURE</span>
+      if
+      <code class="constant">pktflags</code>
+      in the packet header structure
+      <span class="type">lwres_lwpacket_t</span>
+      indicate that the packet is not a response to an earlier query.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549861"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3
-)</span>
-</p>
+<a name="id2543738"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.3 b/contrib/bind9/lib/lwres/man/lwres_packet.3
index 35a8f10..14109085 100644
--- a/contrib/bind9/lib/lwres/man/lwres_packet.3
+++ b/contrib/bind9/lib/lwres/man/lwres_packet.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_packet.3,v 1.15.2.1.8.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_packet.3,v 1.18.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_packet
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -36,19 +36,25 @@ lwres_lwpacket_renderheader, lwres_lwpacket_parseheader \- lightweight resolver
 #include <lwres/lwpacket.h>
 .fi
 .HP 43
-.BI "lwres_result_t lwres_lwpacket_renderheader(lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt);"
+.BI "lwres_result_t lwres_lwpacket_renderheader(lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ");"
 .HP 42
-.BI "lwres_result_t lwres_lwpacket_parseheader(lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt);"
+.BI "lwres_result_t lwres_lwpacket_parseheader(lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ");"
 .SH "DESCRIPTION"
 .PP
 These functions rely on a
 \fBstruct lwres_lwpacket\fR
 which is defined in
 \fIlwres/lwpacket.h\fR.
-.sp
-.RS 3n
+.PP
+.RS 4
 .nf
 typedef struct lwres_lwpacket lwres_lwpacket_t;
+.fi
+.RE
+.sp
+.PP
+.RS 4
+.nf
 struct lwres_lwpacket {
         lwres_uint32_t          length;
         lwres_uint16_t          version;
@@ -65,45 +71,69 @@ struct lwres_lwpacket {
 .sp
 .PP
 The elements of this structure are:
-.TP 3n
+.PP
 \fBlength\fR
+.RS 4
 the overall packet length, including the entire packet header. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP 3n
+.RE
+.PP
 \fBversion\fR
+.RS 4
 the header format. There is currently only one format,
 \fBLWRES_LWPACKETVERSION_0\fR. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP 3n
+.RE
+.PP
 \fBpktflags\fR
+.RS 4
 library\-defined flags for this packet: for instance whether the packet is a request or a reply. Flag values can be set, but not defined by the caller. This field is filled in by the application wit the exception of the LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP 3n
+.RE
+.PP
 \fBserial\fR
+.RS 4
 is set by the requestor and is returned in all replies. If two or more packets from the same source have the same serial number and are from the same source, they are assumed to be duplicates and the latter ones may be dropped. This field must be set by the application.
-.TP 3n
+.RE
+.PP
 \fBopcode\fR
+.RS 4
 indicates the operation. Opcodes between 0x00000000 and 0x03ffffff are reserved for use by the lightweight resolver library. Opcodes between 0x04000000 and 0xffffffff are application defined. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP 3n
+.RE
+.PP
 \fBresult\fR
+.RS 4
 is only valid for replies. Results between 0x04000000 and 0xffffffff are application defined. Results between 0x00000000 and 0x03ffffff are reserved for library use. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP 3n
+.RE
+.PP
 \fBrecvlength\fR
+.RS 4
 is the maximum buffer size that the receiver can handle on requests and the size of the buffer needed to satisfy a request when the buffer is too large for replies. This field is supplied by the application.
-.TP 3n
+.RE
+.PP
 \fBauthtype\fR
+.RS 4
 defines the packet level authentication that is used. Authorisation types between 0x1000 and 0xffff are application defined and types between 0x0000 and 0x0fff are reserved for library use. Currently these are not used and must be zero.
-.TP 3n
+.RE
+.PP
 \fBauthlen\fR
+.RS 4
 gives the length of the authentication data. Since packet authentication is currently not used, this must be zero.
+.RE
 .PP
 The following opcodes are currently defined:
-.TP 3n
+.PP
 \fBNOOP\fR
+.RS 4
 Success is always returned and the packet contents are echoed. The lwres_noop_*() functions should be used for this type.
-.TP 3n
+.RE
+.PP
 \fBGETADDRSBYNAME\fR
+.RS 4
 returns all known addresses for a given name. The lwres_gabn_*() functions should be used for this type.
-.TP 3n
+.RE
+.PP
 \fBGETNAMEBYADDR\fR
+.RS 4
 return the hostname for the given address. The lwres_gnba_*() functions should be used for this type.
+.RE
 .PP
 \fBlwres_lwpacket_renderheader()\fR
 transfers the contents of lightweight resolver packet structure
@@ -134,4 +164,7 @@ and lightweight resolver packet
 both functions return
 \fBLWRES_R_UNEXPECTEDEND\fR.
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.docbook b/contrib/bind9/lib/lwres/man/lwres_packet.docbook
index 226f994..71b3e1b 100644
--- a/contrib/bind9/lib/lwres/man/lwres_packet.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_packet.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_packet.docbook,v 1.6.206.3 2005/05/12 21:36:16 sra Exp $ -->
-
+<!-- $Id: lwres_packet.docbook,v 1.7.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refmeta>
-<refentrytitle>lwres_packet</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_packet</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -45,41 +45,44 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_lwpacket_renderheader</refname>
-<refname>lwres_lwpacket_parseheader</refname>
-<refpurpose>lightweight resolver packet handling functions</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
+  <refnamediv>
+    <refname>lwres_lwpacket_renderheader</refname>
+    <refname>lwres_lwpacket_parseheader</refname>
+    <refpurpose>lightweight resolver packet handling functions</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>#include &lt;lwres/lwpacket.h&gt;</funcsynopsisinfo>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_lwpacket_renderheader</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_lwpacket_parseheader</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+      </funcprototype>
 </funcsynopsis>
-</refsynopsisdiv>
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These functions rely on a
-<type>struct lwres_lwpacket</type>
-which is defined in
-<filename>lwres/lwpacket.h</filename>.
+  </refsynopsisdiv>
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para>
+      These functions rely on a
+      <type>struct lwres_lwpacket</type>
+      which is defined in
+      <filename>lwres/lwpacket.h</filename>.
+    </para>
 
-<programlisting>
+    <para><programlisting>
 typedef struct lwres_lwpacket lwres_lwpacket_t;
-
+      </programlisting>
+    </para>
+    <para><programlisting>
 struct lwres_lwpacket {
         lwres_uint32_t          length;
         lwres_uint16_t          version;
@@ -92,142 +95,197 @@ struct lwres_lwpacket {
         lwres_uint16_t          authlength;
 };
 </programlisting>
-</para>
+    </para>
 
-<para>
-The elements of this structure are:
-<variablelist>
-<varlistentry><term><constant>length</constant></term>
-<listitem>
-<para>
-the overall packet length, including the entire packet header.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>version</constant></term>
-<listitem>
-<para>
-the header format. There is currently only one format,
-<type>LWRES_LWPACKETVERSION_0</type>.
+    <para>
+      The elements of this structure are:
+      <variablelist>
+        <varlistentry>
+          <term><constant>length</constant></term>
+          <listitem>
+            <para>
+              the overall packet length, including the entire packet header.
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>version</constant></term>
+          <listitem>
+            <para>
+              the header format. There is currently only one format,
+              <type>LWRES_LWPACKETVERSION_0</type>.
 
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>pktflags</constant></term>
-<listitem>
-<para>
-library-defined flags for this packet: for instance whether the packet
-is a request or a reply. Flag values can be set, but not defined by
-the caller.
-This field is filled in by the application wit the exception of the
-LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the
-lwres_gabn_*() and lwres_gnba_*() calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>serial</constant></term>
-<listitem>
-<para>
-is set by the requestor and is returned in all replies. If two or more
-packets from the same source have the same serial number and are from
-the same source, they are assumed to be duplicates and the latter ones
-may be dropped.
-This field must be set by the application.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>opcode</constant></term>
-<listitem>
-<para>
-indicates the operation.
-Opcodes between 0x00000000 and 0x03ffffff are
-reserved for use by the lightweight resolver library. Opcodes between
-0x04000000 and 0xffffffff are application defined.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>result</constant></term>
-<listitem>
-<para>
-is only valid for replies.
-Results between 0x04000000 and 0xffffffff are application defined.
-Results between 0x00000000 and 0x03ffffff are reserved for library use.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>recvlength</constant></term>
-<listitem>
-<para>
-is the maximum buffer size that the receiver can handle on requests
-and the size of the buffer needed to satisfy a request when the buffer
-is too large for replies.
-This field is supplied by the application.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>authtype</constant></term>
-<listitem>
-<para>
-defines the packet level authentication that is used.
-Authorisation types between 0x1000 and 0xffff are application defined
-and types between 0x0000 and 0x0fff are reserved for library use.
-Currently these are not used and must be zero.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>authlen</constant></term>
-<listitem>
-<para>
-gives the length of the authentication data.
-Since packet authentication is currently not used, this must be zero.
-</para></listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-The following opcodes are currently defined:
-<variablelist>
-<varlistentry><term><constant>NOOP</constant></term>
-<listitem>
-<para>
-Success is always returned and the packet contents are echoed.
-The lwres_noop_*() functions should be used for this type.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>GETADDRSBYNAME</constant></term>
-<listitem>
-<para>
-returns all known addresses for a given name.
-The lwres_gabn_*() functions should be used for this type.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>GETNAMEBYADDR</constant></term>
-<listitem>
-<para>
-return the hostname for the given address.
-The lwres_gnba_*() functions should be used for this type.
-</para></listitem></varlistentry>
-</variablelist>
-</para>
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>pktflags</constant></term>
+          <listitem>
+            <para>
+              library-defined flags for this packet: for instance whether the
+              packet
+              is a request or a reply. Flag values can be set, but not defined
+              by
+              the caller.
+              This field is filled in by the application wit the exception of
+              the
+              LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in
+              the
+              lwres_gabn_*() and lwres_gnba_*() calls.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>serial</constant></term>
+          <listitem>
+            <para>
+              is set by the requestor and is returned in all replies. If two
+              or more
+              packets from the same source have the same serial number and are
+              from
+              the same source, they are assumed to be duplicates and the
+              latter ones
+              may be dropped.
+              This field must be set by the application.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>opcode</constant></term>
+          <listitem>
+            <para>
+              indicates the operation.
+              Opcodes between 0x00000000 and 0x03ffffff are
+              reserved for use by the lightweight resolver library. Opcodes
+              between
+              0x04000000 and 0xffffffff are application defined.
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>result</constant></term>
+          <listitem>
+            <para>
+              is only valid for replies.
+              Results between 0x04000000 and 0xffffffff are application
+              defined.
+              Results between 0x00000000 and 0x03ffffff are reserved for
+              library use.
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>recvlength</constant></term>
+          <listitem>
+            <para>
+              is the maximum buffer size that the receiver can handle on
+              requests
+              and the size of the buffer needed to satisfy a request when the
+              buffer
+              is too large for replies.
+              This field is supplied by the application.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>authtype</constant></term>
+          <listitem>
+            <para>
+              defines the packet level authentication that is used.
+              Authorisation types between 0x1000 and 0xffff are application
+              defined
+              and types between 0x0000 and 0x0fff are reserved for library
+              use.
+              Currently these are not used and must be zero.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>authlen</constant></term>
+          <listitem>
+            <para>
+              gives the length of the authentication data.
+              Since packet authentication is currently not used, this must be
+              zero.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+    <para>
+      The following opcodes are currently defined:
+      <variablelist>
+        <varlistentry>
+          <term><constant>NOOP</constant></term>
+          <listitem>
+            <para>
+              Success is always returned and the packet contents are echoed.
+              The lwres_noop_*() functions should be used for this type.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>GETADDRSBYNAME</constant></term>
+          <listitem>
+            <para>
+              returns all known addresses for a given name.
+              The lwres_gabn_*() functions should be used for this type.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>GETNAMEBYADDR</constant></term>
+          <listitem>
+            <para>
+              return the hostname for the given address.
+              The lwres_gnba_*() functions should be used for this type.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
 
-<para>
-<function>lwres_lwpacket_renderheader()</function> transfers the
-contents of lightweight resolver packet structure
-<type>lwres_lwpacket_t</type> <parameter>*pkt</parameter> in network
-byte order to the lightweight resolver buffer,
-<parameter>*b</parameter>.
-</para>
+    <para><function>lwres_lwpacket_renderheader()</function>
+      transfers the contents of lightweight resolver packet structure
+      <type>lwres_lwpacket_t</type> <parameter>*pkt</parameter> in
+      network byte order to the lightweight resolver buffer,
+      <parameter>*b</parameter>.
+    </para>
 
-<para>
-<function>lwres_lwpacket_parseheader()</function> performs the
-converse operation.  It transfers data in network byte order from
-buffer <parameter>*b</parameter> to resolver packet
-<parameter>*pkt</parameter>.  The contents of the buffer
-<parameter>b</parameter> should correspond to a
-<type>lwres_lwpacket_t</type>.
-</para>
+    <para><function>lwres_lwpacket_parseheader()</function>
+      performs the converse operation.  It transfers data in network
+      byte order from buffer <parameter>*b</parameter> to resolver
+      packet <parameter>*pkt</parameter>.  The contents of the buffer
+      <parameter>b</parameter> should correspond to a
+      <type>lwres_lwpacket_t</type>.
+    </para>
 
-</refsect1>
+  </refsect1>
 
-<refsect1>
-<title>RETURN VALUES</title>
-<para> Successful calls to
-<function>lwres_lwpacket_renderheader()</function> and
-<function>lwres_lwpacket_parseheader()</function> return
-<errorcode>LWRES_R_SUCCESS</errorcode>.  If there is insufficient
-space to copy data between the buffer <parameter>*b</parameter> and
-lightweight resolver packet <parameter>*pkt</parameter> both functions
-return <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>.
-</para>
+  <refsect1>
+    <title>RETURN VALUES</title>
+    <para>
+      Successful calls to
+      <function>lwres_lwpacket_renderheader()</function> and
+      <function>lwres_lwpacket_parseheader()</function> return
+      <errorcode>LWRES_R_SUCCESS</errorcode>.  If there is insufficient
+      space to copy data between the buffer <parameter>*b</parameter> and
+      lightweight resolver packet <parameter>*pkt</parameter> both
+      functions
+      return <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>.
+    </para>
 
-</refsect1>
-</refentry>
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.html b/contrib/bind9/lib/lwres/man/lwres_packet.html
index 32bb81e..eeb7ebd 100644
--- a/contrib/bind9/lib/lwres/man/lwres_packet.html
+++ b/contrib/bind9/lib/lwres/man/lwres_packet.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_packet.html,v 1.8.2.1.4.12 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_packet.html,v 1.9.18.17 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_packet</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_lwpacket_renderheader, lwres_lwpacket_parseheader &#8212; lightweight resolver packet handling functions</p>
@@ -36,19 +36,15 @@
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_lwpacket_renderheader</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_lwpacket_t * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">pkt</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
@@ -56,35 +52,33 @@ lwres_result_t
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_lwpacket_parseheader</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_lwpacket_t * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">pkt</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549430"></a><h2>DESCRIPTION</h2>
+<a name="id2543389"></a><h2>DESCRIPTION</h2>
 <p>
-These functions rely on a
-<span class="type">struct lwres_lwpacket</span>
-which is defined in
-<code class="filename">lwres/lwpacket.h</code>.
-
-</p>
+      These functions rely on a
+      <span class="type">struct lwres_lwpacket</span>
+      which is defined in
+      <code class="filename">lwres/lwpacket.h</code>.
+    </p>
 <pre class="programlisting">
 typedef struct lwres_lwpacket lwres_lwpacket_t;
-
+      </pre>
+<p>
+    </p>
+<pre class="programlisting">
 struct lwres_lwpacket {
         lwres_uint32_t          length;
         lwres_uint16_t          version;
@@ -98,129 +92,144 @@ struct lwres_lwpacket {
 };
 </pre>
 <p>
-</p>
+    </p>
 <p>
-The elements of this structure are:
-</p>
+      The elements of this structure are:
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">length</code></span></dt>
 <dd><p>
-the overall packet length, including the entire packet header.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</p></dd>
+              the overall packet length, including the entire packet header.
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </p></dd>
 <dt><span class="term"><code class="constant">version</code></span></dt>
 <dd><p>
-the header format. There is currently only one format,
-<span class="type">LWRES_LWPACKETVERSION_0</span>.
+              the header format. There is currently only one format,
+              <span class="type">LWRES_LWPACKETVERSION_0</span>.
 
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</p></dd>
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </p></dd>
 <dt><span class="term"><code class="constant">pktflags</code></span></dt>
 <dd><p>
-library-defined flags for this packet: for instance whether the packet
-is a request or a reply. Flag values can be set, but not defined by
-the caller.
-This field is filled in by the application wit the exception of the
-LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the
-lwres_gabn_*() and lwres_gnba_*() calls.
-</p></dd>
+              library-defined flags for this packet: for instance whether the
+              packet
+              is a request or a reply. Flag values can be set, but not defined
+              by
+              the caller.
+              This field is filled in by the application wit the exception of
+              the
+              LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in
+              the
+              lwres_gabn_*() and lwres_gnba_*() calls.
+            </p></dd>
 <dt><span class="term"><code class="constant">serial</code></span></dt>
 <dd><p>
-is set by the requestor and is returned in all replies. If two or more
-packets from the same source have the same serial number and are from
-the same source, they are assumed to be duplicates and the latter ones
-may be dropped.
-This field must be set by the application.
-</p></dd>
+              is set by the requestor and is returned in all replies. If two
+              or more
+              packets from the same source have the same serial number and are
+              from
+              the same source, they are assumed to be duplicates and the
+              latter ones
+              may be dropped.
+              This field must be set by the application.
+            </p></dd>
 <dt><span class="term"><code class="constant">opcode</code></span></dt>
 <dd><p>
-indicates the operation.
-Opcodes between 0x00000000 and 0x03ffffff are
-reserved for use by the lightweight resolver library. Opcodes between
-0x04000000 and 0xffffffff are application defined.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</p></dd>
+              indicates the operation.
+              Opcodes between 0x00000000 and 0x03ffffff are
+              reserved for use by the lightweight resolver library. Opcodes
+              between
+              0x04000000 and 0xffffffff are application defined.
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </p></dd>
 <dt><span class="term"><code class="constant">result</code></span></dt>
 <dd><p>
-is only valid for replies.
-Results between 0x04000000 and 0xffffffff are application defined.
-Results between 0x00000000 and 0x03ffffff are reserved for library use.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</p></dd>
+              is only valid for replies.
+              Results between 0x04000000 and 0xffffffff are application
+              defined.
+              Results between 0x00000000 and 0x03ffffff are reserved for
+              library use.
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </p></dd>
 <dt><span class="term"><code class="constant">recvlength</code></span></dt>
 <dd><p>
-is the maximum buffer size that the receiver can handle on requests
-and the size of the buffer needed to satisfy a request when the buffer
-is too large for replies.
-This field is supplied by the application.
-</p></dd>
+              is the maximum buffer size that the receiver can handle on
+              requests
+              and the size of the buffer needed to satisfy a request when the
+              buffer
+              is too large for replies.
+              This field is supplied by the application.
+            </p></dd>
 <dt><span class="term"><code class="constant">authtype</code></span></dt>
 <dd><p>
-defines the packet level authentication that is used.
-Authorisation types between 0x1000 and 0xffff are application defined
-and types between 0x0000 and 0x0fff are reserved for library use.
-Currently these are not used and must be zero.
-</p></dd>
+              defines the packet level authentication that is used.
+              Authorisation types between 0x1000 and 0xffff are application
+              defined
+              and types between 0x0000 and 0x0fff are reserved for library
+              use.
+              Currently these are not used and must be zero.
+            </p></dd>
 <dt><span class="term"><code class="constant">authlen</code></span></dt>
 <dd><p>
-gives the length of the authentication data.
-Since packet authentication is currently not used, this must be zero.
-</p></dd>
+              gives the length of the authentication data.
+              Since packet authentication is currently not used, this must be
+              zero.
+            </p></dd>
 </dl></div>
 <p>
-</p>
+    </p>
 <p>
-The following opcodes are currently defined:
-</p>
+      The following opcodes are currently defined:
+      </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">NOOP</code></span></dt>
 <dd><p>
-Success is always returned and the packet contents are echoed.
-The lwres_noop_*() functions should be used for this type.
-</p></dd>
+              Success is always returned and the packet contents are echoed.
+              The lwres_noop_*() functions should be used for this type.
+            </p></dd>
 <dt><span class="term"><code class="constant">GETADDRSBYNAME</code></span></dt>
 <dd><p>
-returns all known addresses for a given name.
-The lwres_gabn_*() functions should be used for this type.
-</p></dd>
+              returns all known addresses for a given name.
+              The lwres_gabn_*() functions should be used for this type.
+            </p></dd>
 <dt><span class="term"><code class="constant">GETNAMEBYADDR</code></span></dt>
 <dd><p>
-return the hostname for the given address.
-The lwres_gnba_*() functions should be used for this type.
-</p></dd>
+              return the hostname for the given address.
+              The lwres_gnba_*() functions should be used for this type.
+            </p></dd>
 </dl></div>
 <p>
-</p>
-<p>
-<code class="function">lwres_lwpacket_renderheader()</code> transfers the
-contents of lightweight resolver packet structure
-<span class="type">lwres_lwpacket_t</span> <em class="parameter"><code>*pkt</code></em> in network
-byte order to the lightweight resolver buffer,
-<em class="parameter"><code>*b</code></em>.
-</p>
-<p>
-<code class="function">lwres_lwpacket_parseheader()</code> performs the
-converse operation.  It transfers data in network byte order from
-buffer <em class="parameter"><code>*b</code></em> to resolver packet
-<em class="parameter"><code>*pkt</code></em>.  The contents of the buffer
-<em class="parameter"><code>b</code></em> should correspond to a
-<span class="type">lwres_lwpacket_t</span>.
-</p>
+    </p>
+<p><code class="function">lwres_lwpacket_renderheader()</code>
+      transfers the contents of lightweight resolver packet structure
+      <span class="type">lwres_lwpacket_t</span> <em class="parameter"><code>*pkt</code></em> in
+      network byte order to the lightweight resolver buffer,
+      <em class="parameter"><code>*b</code></em>.
+    </p>
+<p><code class="function">lwres_lwpacket_parseheader()</code>
+      performs the converse operation.  It transfers data in network
+      byte order from buffer <em class="parameter"><code>*b</code></em> to resolver
+      packet <em class="parameter"><code>*pkt</code></em>.  The contents of the buffer
+      <em class="parameter"><code>b</code></em> should correspond to a
+      <span class="type">lwres_lwpacket_t</span>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549769"></a><h2>RETURN VALUES</h2>
-<p> Successful calls to
-<code class="function">lwres_lwpacket_renderheader()</code> and
-<code class="function">lwres_lwpacket_parseheader()</code> return
-<span class="errorcode">LWRES_R_SUCCESS</span>.  If there is insufficient
-space to copy data between the buffer <em class="parameter"><code>*b</code></em> and
-lightweight resolver packet <em class="parameter"><code>*pkt</code></em> both functions
-return <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>.
-</p>
+<a name="id2543706"></a><h2>RETURN VALUES</h2>
+<p>
+      Successful calls to
+      <code class="function">lwres_lwpacket_renderheader()</code> and
+      <code class="function">lwres_lwpacket_parseheader()</code> return
+      <span class="errorcode">LWRES_R_SUCCESS</span>.  If there is insufficient
+      space to copy data between the buffer <em class="parameter"><code>*b</code></em> and
+      lightweight resolver packet <em class="parameter"><code>*pkt</code></em> both
+      functions
+      return <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.3 b/contrib/bind9/lib/lwres/man/lwres_resutil.3
index 907706c..9aebc9f 100644
--- a/contrib/bind9/lib/lwres/man/lwres_resutil.3
+++ b/contrib/bind9/lib/lwres/man/lwres_resutil.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_resutil.3,v 1.14.2.1.8.6 2006/06/29 13:02:31 marka Exp $
+.\" $Id: lwres_resutil.3,v 1.17.18.11 2007/01/30 00:23:45 marka Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: lwres_resutil
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Jun 30, 2000
 .\"    Manual: BIND9
 .\"    Source: BIND9
@@ -36,13 +36,13 @@ lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr
 #include <lwres/lwres.h>
 .fi
 .HP 34
-.BI "lwres_result_t lwres_string_parse(lwres_buffer_t\ *b, char\ **c, lwres_uint16_t\ *len);"
+.BI "lwres_result_t lwres_string_parse(lwres_buffer_t\ *" "b" ", char\ **" "c" ", lwres_uint16_t\ *" "len" ");"
 .HP 32
-.BI "lwres_result_t lwres_addr_parse(lwres_buffer_t\ *b, lwres_addr_t\ *addr);"
+.BI "lwres_result_t lwres_addr_parse(lwres_buffer_t\ *" "b" ", lwres_addr_t\ *" "addr" ");"
 .HP 36
-.BI "lwres_result_t lwres_getaddrsbyname(lwres_context_t\ *ctx, const\ char\ *name, lwres_uint32_t\ addrtypes, lwres_gabnresponse_t\ **structp);"
+.BI "lwres_result_t lwres_getaddrsbyname(lwres_context_t\ *" "ctx" ", const\ char\ *" "name" ", lwres_uint32_t\ " "addrtypes" ", lwres_gabnresponse_t\ **" "structp" ");"
 .HP 35
-.BI "lwres_result_t lwres_getnamebyaddr(lwres_context_t\ *ctx, lwres_uint32_t\ addrtype, lwres_uint16_t\ addrlen, const\ unsigned\ char\ *addr, lwres_gnbaresponse_t\ **structp);"
+.BI "lwres_result_t lwres_getnamebyaddr(lwres_context_t\ *" "ctx" ", lwres_uint32_t\ " "addrtype" ", lwres_uint16_t\ " "addrlen" ", const\ unsigned\ char\ *" "addr" ", lwres_gnbaresponse_t\ **" "structp" ");"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_string_parse()\fR
@@ -73,8 +73,8 @@ and
 use the
 \fBlwres_gnbaresponse_t\fR
 structure defined below:
-.sp
-.RS 3n
+.PP
+.RS 4
 .nf
 typedef struct {
         lwres_uint32_t          flags;
@@ -90,9 +90,9 @@ typedef struct {
 } lwres_gabnresponse_t;
 .fi
 .RE
-.sp
+.PP
 The contents of this structure are not manipulated directly but they are controlled through the
-\fBlwres_gabn\fR(3 )
+\fBlwres_gabn\fR(3)
 functions.
 .PP
 The lightweight resolver uses
@@ -164,4 +164,7 @@ if the buffers used for sending queries and receiving replies are too small.
 \fBlwres_buffer\fR(3),
 \fBlwres_gabn\fR(3).
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.docbook b/contrib/bind9/lib/lwres/man/lwres_resutil.docbook
index 7ab2146..3b60f06 100644
--- a/contrib/bind9/lib/lwres/man/lwres_resutil.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_resutil.docbook
@@ -1,8 +1,8 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,24 +18,24 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_resutil.docbook,v 1.5.206.3 2005/05/12 21:36:16 sra Exp $ -->
-
+<!-- $Id: lwres_resutil.docbook,v 1.6.18.5 2007/01/29 23:57:21 marka Exp $ -->
 <refentry>
 
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+  <refentryinfo>
+    <date>Jun 30, 2000</date>
+  </refentryinfo>
 
-<refmeta>
-  <refentrytitle>lwres_resutil</refentrytitle>
-  <manvolnum>3</manvolnum>
-  <refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+  <refmeta>
+    <refentrytitle>lwres_resutil</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
 
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
+      <year>2007</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -45,89 +45,88 @@
     </copyright>
   </docinfo>
 
-<refnamediv>
-<refname>lwres_string_parse</refname>
-<refname>lwres_addr_parse</refname>
-<refname>lwres_getaddrsbyname</refname>
-<refname>lwres_getnamebyaddr</refname>
-<refpurpose>lightweight resolver utility functions</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
+  <refnamediv>
+    <refname>lwres_string_parse</refname>
+    <refname>lwres_addr_parse</refname>
+    <refname>lwres_getaddrsbyname</refname>
+    <refname>lwres_getnamebyaddr</refname>
+    <refpurpose>lightweight resolver utility functions</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
 <funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_string_parse</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>char **c</paramdef>
-<paramdef>lwres_uint16_t *len</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>char **<parameter>c</parameter></paramdef>
+        <paramdef>lwres_uint16_t *<parameter>len</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_addr_parse</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_addr_t *addr</paramdef>
-</funcprototype>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_addr_t *<parameter>addr</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_getaddrsbyname</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>const char *name</paramdef>
-<paramdef>lwres_uint32_t addrtypes</paramdef>
-<paramdef>lwres_gabnresponse_t **structp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>const char *<parameter>name</parameter></paramdef>
+        <paramdef>lwres_uint32_t <parameter>addrtypes</parameter></paramdef>
+        <paramdef>lwres_gabnresponse_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
 <funcprototype>
-<funcdef>
+        <funcdef>
 lwres_result_t
 <function>lwres_getnamebyaddr</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_uint32_t addrtype</paramdef>
-<paramdef>lwres_uint16_t addrlen</paramdef>
-<paramdef>const unsigned char *addr</paramdef>
-<paramdef>lwres_gnbaresponse_t **structp</paramdef>
-</funcprototype>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_uint32_t <parameter>addrtype</parameter></paramdef>
+        <paramdef>lwres_uint16_t <parameter>addrlen</parameter></paramdef>
+        <paramdef>const unsigned char *<parameter>addr</parameter></paramdef>
+        <paramdef>lwres_gnbaresponse_t **<parameter>structp</parameter></paramdef>
+      </funcprototype>
 </funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-
-<para>
-<function>lwres_string_parse()</function> retrieves a DNS-encoded
-string starting the current pointer of lightweight resolver buffer
-<parameter>b</parameter>: i.e.  <constant>b-&gt;current</constant>.
-When the function returns, the address of the first byte of the
-encoded string is returned via <parameter>*c</parameter> and the
-length of that string is given by <parameter>*len</parameter>.  The
-buffer's current pointer is advanced to point at the character
-following the string length, the encoded string, and the trailing
-<type>NULL</type> character.
-</para>
-
-<para>
-<function>lwres_addr_parse()</function> extracts an address from the
-buffer <parameter>b</parameter>.  The buffer's current pointer
-<constant>b-&gt;current</constant> is presumed to point at an encoded
-address: the address preceded by a 32-bit protocol family identifier
-and a 16-bit length field.  The encoded address is copied to
-<constant>addr-&gt;address</constant> and
-<constant>addr-&gt;length</constant> indicates the size in bytes of
-the address that was copied.  <constant>b-&gt;current</constant> is
-advanced to point at the next byte of available data in the buffer
-following the encoded address.
-</para>
-
-<para>
-<function>lwres_getaddrsbyname()</function>
-and
-<function>lwres_getnamebyaddr()</function>
-use the
-<type>lwres_gnbaresponse_t</type>
-structure defined below:
-<programlisting>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+
+    <para><function>lwres_string_parse()</function>
+      retrieves a DNS-encoded string starting the current pointer of
+      lightweight resolver buffer <parameter>b</parameter>: i.e.
+      <constant>b-&gt;current</constant>.  When the function returns,
+      the address of the first byte of the encoded string is returned
+      via <parameter>*c</parameter> and the length of that string is
+      given by <parameter>*len</parameter>.  The buffer's current
+      pointer is advanced to point at the character following the
+      string length, the encoded string, and the trailing
+      <type>NULL</type> character.
+    </para>
+
+    <para><function>lwres_addr_parse()</function>
+      extracts an address from the buffer <parameter>b</parameter>.
+      The buffer's current pointer <constant>b-&gt;current</constant>
+      is presumed to point at an encoded address: the address preceded
+      by a 32-bit protocol family identifier and a 16-bit length
+      field.  The encoded address is copied to
+      <constant>addr-&gt;address</constant> and
+      <constant>addr-&gt;length</constant> indicates the size in bytes
+      of the address that was copied.
+      <constant>b-&gt;current</constant> is advanced to point at the
+      next byte of available data in the buffer following the encoded
+      address.
+    </para>
+
+    <para><function>lwres_getaddrsbyname()</function>
+      and <function>lwres_getnamebyaddr()</function> use the
+      <type>lwres_gnbaresponse_t</type> structure defined below:
+    </para>
+
+<para><programlisting>
 typedef struct {
         lwres_uint32_t          flags;
         lwres_uint16_t          naliases;
@@ -140,97 +139,100 @@ typedef struct {
         void                   *base;
         size_t                  baselen;
 } lwres_gabnresponse_t;
-</programlisting>
-The contents of this structure are not manipulated directly but
-they are controlled through the
-<citerefentry>
-<refentrytitle>lwres_gabn</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-functions.
-</para>
-
-<para>
-The lightweight resolver uses
-<function>lwres_getaddrsbyname()</function> to perform foward lookups.
-Hostname <parameter>name</parameter> is looked up using the resolver
-context <parameter>ctx</parameter> for memory allocation.
-<parameter>addrtypes</parameter> is a bitmask indicating which type of
-addresses are to be looked up.  Current values for this bitmask are
-<type>LWRES_ADDRTYPE_V4</type> for IPv4 addresses and
-<type>LWRES_ADDRTYPE_V6</type> for IPv6 addresses.  Results of the
-lookup are returned in <parameter>*structp</parameter>.
-</para>
-
-<para>
-<function>lwres_getnamebyaddr()</function> performs reverse lookups.
-Resolver context <parameter>ctx</parameter> is used for memory
-allocation.  The address type is indicated by
-<parameter>addrtype</parameter>: <type>LWRES_ADDRTYPE_V4</type> or
-<type>LWRES_ADDRTYPE_V6</type>.  The address to be looked up is given
-by <parameter>addr</parameter> and its length is
-<parameter>addrlen</parameter> bytes.  The result of the function call
-is made available through <parameter>*structp</parameter>.
-</para>
-</refsect1>
-
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-Successful calls to
-<function>lwres_string_parse()</function>
-and
-<function>lwres_addr_parse()</function>
-return
-<errorcode>LWRES_R_SUCCESS.</errorcode>
-Both functions return
-<errorcode>LWRES_R_FAILURE</errorcode>
-if the buffer is corrupt or
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffer has less space than expected for the components of the
-encoded string or address.
-</para>
-<para>
-<function>lwres_getaddrsbyname()</function>
-returns
-<errorcode>LWRES_R_SUCCESS</errorcode>
-on success and it returns
-<errorcode>LWRES_R_NOTFOUND</errorcode>
-if the hostname
-<parameter>name</parameter>
-could not be found.
-</para>
-<para>
-<errorcode>LWRES_R_SUCCESS</errorcode>
-is returned by a successful call to
-<function>lwres_getnamebyaddr()</function>.
-</para>
-
-<para>
-Both
-<function>lwres_getaddrsbyname()</function>
-and
-<function>lwres_getnamebyaddr()</function>
-return
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-when memory allocation requests fail and
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffers used for sending queries and receiving replies are too
-small.
-</para>
-
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_buffer</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-
-</refsect1>
-</refentry>
+</programlisting></para>
+
+    <para>
+      The contents of this structure are not manipulated directly but
+      they are controlled through the
+      <citerefentry>
+        <refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      functions.
+    </para>
+
+    <para>
+      The lightweight resolver uses
+      <function>lwres_getaddrsbyname()</function> to perform
+      foward lookups.
+      Hostname <parameter>name</parameter> is looked up using the
+      resolver
+      context <parameter>ctx</parameter> for memory allocation.
+      <parameter>addrtypes</parameter> is a bitmask indicating
+      which type of
+      addresses are to be looked up.  Current values for this bitmask are
+      <type>LWRES_ADDRTYPE_V4</type> for IPv4 addresses and
+      <type>LWRES_ADDRTYPE_V6</type> for IPv6 addresses.  Results of the
+      lookup are returned in <parameter>*structp</parameter>.
+    </para>
+
+    <para><function>lwres_getnamebyaddr()</function>
+      performs reverse lookups.  Resolver context
+      <parameter>ctx</parameter> is used for memory allocation.  The
+      address type is indicated by <parameter>addrtype</parameter>:
+      <type>LWRES_ADDRTYPE_V4</type> or
+      <type>LWRES_ADDRTYPE_V6</type>.  The address to be looked up is
+      given by <parameter>addr</parameter> and its length is
+      <parameter>addrlen</parameter> bytes.  The result of the
+      function call is made available through
+      <parameter>*structp</parameter>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>RETURN VALUES</title>
+    <para>
+      Successful calls to
+      <function>lwres_string_parse()</function>
+      and
+      <function>lwres_addr_parse()</function>
+      return
+      <errorcode>LWRES_R_SUCCESS.</errorcode>
+      Both functions return
+      <errorcode>LWRES_R_FAILURE</errorcode>
+      if the buffer is corrupt or
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      if the buffer has less space than expected for the components of the
+      encoded string or address.
+    </para>
+
+    <para><function>lwres_getaddrsbyname()</function>
+      returns <errorcode>LWRES_R_SUCCESS</errorcode> on success and it
+      returns <errorcode>LWRES_R_NOTFOUND</errorcode> if the hostname
+      <parameter>name</parameter> could not be found.
+    </para>
+    <para><errorcode>LWRES_R_SUCCESS</errorcode>
+      is returned by a successful call to
+      <function>lwres_getnamebyaddr()</function>.
+    </para>
+
+    <para>
+      Both
+      <function>lwres_getaddrsbyname()</function>
+      and
+      <function>lwres_getnamebyaddr()</function>
+      return
+      <errorcode>LWRES_R_NOMEMORY</errorcode>
+      when memory allocation requests fail and
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      if the buffers used for sending queries and receiving replies are too
+      small.
+    </para>
+
+  </refsect1>
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>lwres_buffer</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+
+  </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.html b/contrib/bind9/lib/lwres/man/lwres_resutil.html
index a9bc1ee..dfa2e1c 100644
--- a/contrib/bind9/lib/lwres/man/lwres_resutil.html
+++ b/contrib/bind9/lib/lwres/man/lwres_resutil.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_resutil.html,v 1.8.2.1.4.11 2006/06/29 13:02:31 marka Exp $ -->
+<!-- $Id: lwres_resutil.html,v 1.9.18.16 2007/01/30 00:23:45 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_resutil</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr &#8212; lightweight resolver utility functions</p>
@@ -36,24 +36,21 @@
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_string_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>char ** </td>
+<td>
+<var class="pdparam">c</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_uint16_t * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">len</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -61,19 +58,15 @@ lwres_result_t
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_addr_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_buffer_t * </td>
+<td>
+<var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_addr_t * </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">addr</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
@@ -81,29 +74,27 @@ lwres_result_t
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_getaddrsbyname</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>const char * </td>
+<td>
+<var class="pdparam">name</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_uint32_t  </td>
+<td>
+<var class="pdparam">addrtypes</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_gabnresponse_t ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
@@ -111,71 +102,67 @@ lwres_result_t
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_getnamebyaddr</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_context_t * </td>
+<td>
+<var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_uint32_t  </td>
+<td>
+<var class="pdparam">addrtype</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>lwres_uint16_t  </td>
+<td>
+<var class="pdparam">addrlen</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
-<td>, </td>
+<td>const unsigned char * </td>
+<td>
+<var class="pdparam">addr</var>, </td>
 </tr>
 <tr>
 <td> </td>
-<td> </td>
+<td>lwres_gnbaresponse_t ** </td>
 <td>
-<code>)</code>;</td>
+<var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549485"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_string_parse()</code> retrieves a DNS-encoded
-string starting the current pointer of lightweight resolver buffer
-<em class="parameter"><code>b</code></em>: i.e.  <code class="constant">b-&gt;current</code>.
-When the function returns, the address of the first byte of the
-encoded string is returned via <em class="parameter"><code>*c</code></em> and the
-length of that string is given by <em class="parameter"><code>*len</code></em>.  The
-buffer's current pointer is advanced to point at the character
-following the string length, the encoded string, and the trailing
-<span class="type">NULL</span> character.
-</p>
-<p>
-<code class="function">lwres_addr_parse()</code> extracts an address from the
-buffer <em class="parameter"><code>b</code></em>.  The buffer's current pointer
-<code class="constant">b-&gt;current</code> is presumed to point at an encoded
-address: the address preceded by a 32-bit protocol family identifier
-and a 16-bit length field.  The encoded address is copied to
-<code class="constant">addr-&gt;address</code> and
-<code class="constant">addr-&gt;length</code> indicates the size in bytes of
-the address that was copied.  <code class="constant">b-&gt;current</code> is
-advanced to point at the next byte of available data in the buffer
-following the encoded address.
-</p>
-<p>
-<code class="function">lwres_getaddrsbyname()</code>
-and
-<code class="function">lwres_getnamebyaddr()</code>
-use the
-<span class="type">lwres_gnbaresponse_t</span>
-structure defined below:
-</p>
+<a name="id2543466"></a><h2>DESCRIPTION</h2>
+<p><code class="function">lwres_string_parse()</code>
+      retrieves a DNS-encoded string starting the current pointer of
+      lightweight resolver buffer <em class="parameter"><code>b</code></em>: i.e.
+      <code class="constant">b-&gt;current</code>.  When the function returns,
+      the address of the first byte of the encoded string is returned
+      via <em class="parameter"><code>*c</code></em> and the length of that string is
+      given by <em class="parameter"><code>*len</code></em>.  The buffer's current
+      pointer is advanced to point at the character following the
+      string length, the encoded string, and the trailing
+      <span class="type">NULL</span> character.
+    </p>
+<p><code class="function">lwres_addr_parse()</code>
+      extracts an address from the buffer <em class="parameter"><code>b</code></em>.
+      The buffer's current pointer <code class="constant">b-&gt;current</code>
+      is presumed to point at an encoded address: the address preceded
+      by a 32-bit protocol family identifier and a 16-bit length
+      field.  The encoded address is copied to
+      <code class="constant">addr-&gt;address</code> and
+      <code class="constant">addr-&gt;length</code> indicates the size in bytes
+      of the address that was copied.
+      <code class="constant">b-&gt;current</code> is advanced to point at the
+      next byte of available data in the buffer following the encoded
+      address.
+    </p>
+<p><code class="function">lwres_getaddrsbyname()</code>
+      and <code class="function">lwres_getnamebyaddr()</code> use the
+      <span class="type">lwres_gnbaresponse_t</span> structure defined below:
+    </p>
 <pre class="programlisting">
 typedef struct {
         lwres_uint32_t          flags;
@@ -191,85 +178,81 @@ typedef struct {
 } lwres_gabnresponse_t;
 </pre>
 <p>
-The contents of this structure are not manipulated directly but
-they are controlled through the
-<span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3
-)</span>
-functions.
-</p>
-<p>
-The lightweight resolver uses
-<code class="function">lwres_getaddrsbyname()</code> to perform foward lookups.
-Hostname <em class="parameter"><code>name</code></em> is looked up using the resolver
-context <em class="parameter"><code>ctx</code></em> for memory allocation.
-<em class="parameter"><code>addrtypes</code></em> is a bitmask indicating which type of
-addresses are to be looked up.  Current values for this bitmask are
-<span class="type">LWRES_ADDRTYPE_V4</span> for IPv4 addresses and
-<span class="type">LWRES_ADDRTYPE_V6</span> for IPv6 addresses.  Results of the
-lookup are returned in <em class="parameter"><code>*structp</code></em>.
-</p>
+      The contents of this structure are not manipulated directly but
+      they are controlled through the
+      <span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>
+      functions.
+    </p>
 <p>
-<code class="function">lwres_getnamebyaddr()</code> performs reverse lookups.
-Resolver context <em class="parameter"><code>ctx</code></em> is used for memory
-allocation.  The address type is indicated by
-<em class="parameter"><code>addrtype</code></em>: <span class="type">LWRES_ADDRTYPE_V4</span> or
-<span class="type">LWRES_ADDRTYPE_V6</span>.  The address to be looked up is given
-by <em class="parameter"><code>addr</code></em> and its length is
-<em class="parameter"><code>addrlen</code></em> bytes.  The result of the function call
-is made available through <em class="parameter"><code>*structp</code></em>.
-</p>
+      The lightweight resolver uses
+      <code class="function">lwres_getaddrsbyname()</code> to perform
+      foward lookups.
+      Hostname <em class="parameter"><code>name</code></em> is looked up using the
+      resolver
+      context <em class="parameter"><code>ctx</code></em> for memory allocation.
+      <em class="parameter"><code>addrtypes</code></em> is a bitmask indicating
+      which type of
+      addresses are to be looked up.  Current values for this bitmask are
+      <span class="type">LWRES_ADDRTYPE_V4</span> for IPv4 addresses and
+      <span class="type">LWRES_ADDRTYPE_V6</span> for IPv6 addresses.  Results of the
+      lookup are returned in <em class="parameter"><code>*structp</code></em>.
+    </p>
+<p><code class="function">lwres_getnamebyaddr()</code>
+      performs reverse lookups.  Resolver context
+      <em class="parameter"><code>ctx</code></em> is used for memory allocation.  The
+      address type is indicated by <em class="parameter"><code>addrtype</code></em>:
+      <span class="type">LWRES_ADDRTYPE_V4</span> or
+      <span class="type">LWRES_ADDRTYPE_V6</span>.  The address to be looked up is
+      given by <em class="parameter"><code>addr</code></em> and its length is
+      <em class="parameter"><code>addrlen</code></em> bytes.  The result of the
+      function call is made available through
+      <em class="parameter"><code>*structp</code></em>.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549693"></a><h2>RETURN VALUES</h2>
-<p>
-Successful calls to
-<code class="function">lwres_string_parse()</code>
-and
-<code class="function">lwres_addr_parse()</code>
-return
-<span class="errorcode">LWRES_R_SUCCESS.</span>
-Both functions return
-<span class="errorcode">LWRES_R_FAILURE</span>
-if the buffer is corrupt or
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-if the buffer has less space than expected for the components of the
-encoded string or address.
-</p>
+<a name="id2543605"></a><h2>RETURN VALUES</h2>
 <p>
-<code class="function">lwres_getaddrsbyname()</code>
-returns
-<span class="errorcode">LWRES_R_SUCCESS</span>
-on success and it returns
-<span class="errorcode">LWRES_R_NOTFOUND</span>
-if the hostname
-<em class="parameter"><code>name</code></em>
-could not be found.
-</p>
+      Successful calls to
+      <code class="function">lwres_string_parse()</code>
+      and
+      <code class="function">lwres_addr_parse()</code>
+      return
+      <span class="errorcode">LWRES_R_SUCCESS.</span>
+      Both functions return
+      <span class="errorcode">LWRES_R_FAILURE</span>
+      if the buffer is corrupt or
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      if the buffer has less space than expected for the components of the
+      encoded string or address.
+    </p>
+<p><code class="function">lwres_getaddrsbyname()</code>
+      returns <span class="errorcode">LWRES_R_SUCCESS</span> on success and it
+      returns <span class="errorcode">LWRES_R_NOTFOUND</span> if the hostname
+      <em class="parameter"><code>name</code></em> could not be found.
+    </p>
+<p><span class="errorcode">LWRES_R_SUCCESS</span>
+      is returned by a successful call to
+      <code class="function">lwres_getnamebyaddr()</code>.
+    </p>
 <p>
-<span class="errorcode">LWRES_R_SUCCESS</span>
-is returned by a successful call to
-<code class="function">lwres_getnamebyaddr()</code>.
-</p>
-<p>
-Both
-<code class="function">lwres_getaddrsbyname()</code>
-and
-<code class="function">lwres_getnamebyaddr()</code>
-return
-<span class="errorcode">LWRES_R_NOMEMORY</span>
-when memory allocation requests fail and
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-if the buffers used for sending queries and receiving replies are too
-small.
-</p>
+      Both
+      <code class="function">lwres_getaddrsbyname()</code>
+      and
+      <code class="function">lwres_getnamebyaddr()</code>
+      return
+      <span class="errorcode">LWRES_R_NOMEMORY</span>
+      when memory allocation requests fail and
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      if the buffers used for sending queries and receiving replies are too
+      small.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2549763"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_buffer</span>(3)</span>,
+<a name="id2543676"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">lwres_buffer</span>(3)</span>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>.
-</p>
+      <span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>.
+    </p>
 </div>
 </div></body>
 </html>
diff --git a/contrib/bind9/lib/lwres/print.c b/contrib/bind9/lib/lwres/print.c
index 1552228..49da037 100644
--- a/contrib/bind9/lib/lwres/print.c
+++ b/contrib/bind9/lib/lwres/print.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print.c,v 1.2.4.7 2005/10/14 01:38:51 marka Exp $ */
+/* $Id: print.c,v 1.2.2.7 2005/10/14 01:28:30 marka Exp $ */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/lwres/print_p.h b/contrib/bind9/lib/lwres/print_p.h
index 4e27e55..4c2d2bf 100644
--- a/contrib/bind9/lib/lwres/print_p.h
+++ b/contrib/bind9/lib/lwres/print_p.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print_p.h,v 1.2.4.1 2004/08/28 06:25:25 marka Exp $ */
+/* $Id: print_p.h,v 1.2.2.1 2004/08/28 06:21:13 marka Exp $ */
 
 #ifndef LWRES_PRINT_P_H
 #define LWRES_PRINT_P_H 1
diff --git a/contrib/bind9/lib/lwres/strtoul.c b/contrib/bind9/lib/lwres/strtoul.c
index 9cda194..3fc8971 100644
--- a/contrib/bind9/lib/lwres/strtoul.c
+++ b/contrib/bind9/lib/lwres/strtoul.c
@@ -53,7 +53,7 @@
 static char sccsid[] = "@(#)strtoul.c	8.1 (Berkeley) 6/4/93";
 #endif /* LIBC_SCCS and not lint */
 
-/* $Id: strtoul.c,v 1.2.4.1 2005/06/08 02:08:31 marka Exp $ */
+/* $Id: strtoul.c,v 1.2.2.1 2005/06/08 02:07:59 marka Exp $ */
 
 #include <config.h>
 
diff --git a/contrib/bind9/lib/lwres/unix/Makefile.in b/contrib/bind9/lib/lwres/unix/Makefile.in
index b734bc1..577e3d3 100644
--- a/contrib/bind9/lib/lwres/unix/Makefile.in
+++ b/contrib/bind9/lib/lwres/unix/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:43 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/05 05:12:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/lwres/unix/include/Makefile.in b/contrib/bind9/lib/lwres/unix/include/Makefile.in
index 8f3798e..8ca7489 100644
--- a/contrib/bind9/lib/lwres/unix/include/Makefile.in
+++ b/contrib/bind9/lib/lwres/unix/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:43 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/05 05:13:03 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in b/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in
index e969f50..7e0b594 100644
--- a/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in
+++ b/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:43 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/05 05:13:06 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/lib/lwres/unix/include/lwres/net.h b/contrib/bind9/lib/lwres/unix/include/lwres/net.h
index b214de6..8fb14ee 100644
--- a/contrib/bind9/lib/lwres/unix/include/lwres/net.h
+++ b/contrib/bind9/lib/lwres/unix/include/lwres/net.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.h,v 1.3.12.3 2004/03/08 09:05:12 marka Exp $ */
+/* $Id: net.h,v 1.5.18.2 2005/04/29 00:17:23 marka Exp $ */
 
 #ifndef LWRES_NET_H
 #define LWRES_NET_H 1
@@ -24,17 +24,15 @@
  ***** Module Info
  *****/
 
-/*
- * Basic Networking Types
- *
+/*! \file net.h
  * This module is responsible for defining the following basic networking
  * types:
  *
- *		struct in_addr
- *		struct in6_addr
- *		struct sockaddr
- *		struct sockaddr_in
- *		struct sockaddr_in6
+ *\li		struct in_addr
+ *\li		struct in6_addr
+ *\li		struct sockaddr
+ *\li		struct sockaddr_in
+ *\li		struct sockaddr_in6
  *
  * It ensures that the AF_ and PF_ macros are defined.
  *
@@ -42,7 +40,7 @@
  *
  * It declares lwres_net_aton(), lwres_net_ntop(), and lwres_net_pton().
  *
- * It ensures that INADDR_LOOPBACK, INADDR_ANY and IN6ADDR_ANY_INIT
+ * It ensures that #INADDR_LOOPBACK, #INADDR_ANY and #IN6ADDR_ANY_INIT
  * are defined.
  */
 
@@ -79,7 +77,7 @@
 #define in6_addr in_addr6	/* Required for pre RFC2133 implementations. */
 #endif
 
-/*
+/*!
  * Required for some pre RFC2133 implementations.
  * IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT were added in
  * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.  
@@ -94,6 +92,9 @@
 #endif
 #endif
 
+/*!
+ * Initialize address loopback.  See IN6ADDR_ANY_INIT
+ */
 #ifndef IN6ADDR_LOOPBACK_INIT
 #ifdef s6_addr
 #define IN6ADDR_LOOPBACK_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } } }
@@ -102,14 +103,18 @@
 #endif
 #endif
 
+/*% Used by AI_ALL */
 #ifndef AF_INET6
 #define AF_INET6 99
 #endif
 
+
+/*% Used to return IPV6 address types. */
 #ifndef PF_INET6
 #define PF_INET6 AF_INET6
 #endif
 
+/*% inaddr Loopback */
 #ifndef INADDR_LOOPBACK
 #define INADDR_LOOPBACK 0x7f000001UL
 #endif
diff --git a/contrib/bind9/lib/lwres/version.c b/contrib/bind9/lib/lwres/version.c
index ac3e6c8..33561fd 100644
--- a/contrib/bind9/lib/lwres/version.c
+++ b/contrib/bind9/lib/lwres/version.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.6.12.3 2004/03/08 09:05:11 marka Exp $ */
+/* $Id: version.c,v 1.8.18.2 2005/04/29 00:17:21 marka Exp $ */
+
+/*! \file */
 
 #include <lwres/version.h>
 
diff --git a/contrib/bind9/make/Makefile.in b/contrib/bind9/make/Makefile.in
index 73efb1f..ae96e13 100644
--- a/contrib/bind9/make/Makefile.in
+++ b/contrib/bind9/make/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.13.206.1 2004/03/06 13:16:21 marka Exp $
+# $Id: Makefile.in,v 1.14 2004/03/05 05:14:06 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/contrib/bind9/make/includes.in b/contrib/bind9/make/includes.in
index 2e5b89b..304305d 100644
--- a/contrib/bind9/make/includes.in
+++ b/contrib/bind9/make/includes.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: includes.in,v 1.15.12.4 2004/12/09 04:07:30 marka Exp $
+# $Id: includes.in,v 1.17.18.2 2005/06/04 06:23:47 jinmei Exp $
 
 # Search for machine-generated header files in the build tree,
 # and for normal headers in the source tree (${top_srcdir}).
@@ -25,7 +25,8 @@ ISC_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
 	-I${top_srcdir}/lib/isc \
 	-I${top_srcdir}/lib/isc/include \
 	-I${top_srcdir}/lib/isc/unix/include \
-	-I${top_srcdir}/lib/isc/@ISC_THREAD_DIR@/include
+	-I${top_srcdir}/lib/isc/@ISC_THREAD_DIR@/include \
+	-I${top_srcdir}/lib/isc/@ISC_ARCH_DIR@/include
 
 ISCCC_INCLUDES = @BIND9_ISCCC_BUILDINCLUDE@ \
        -I${top_srcdir}/lib/isccc/include
diff --git a/contrib/bind9/make/rules.in b/contrib/bind9/make/rules.in
index 39e82ce..9a860a3 100644
--- a/contrib/bind9/make/rules.in
+++ b/contrib/bind9/make/rules.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: rules.in,v 1.40.2.5.4.10 2006/01/06 00:01:42 marka Exp $
+# $Id: rules.in,v 1.47.18.12 2007/01/29 23:57:21 marka Exp $
 
 ###
 ### Common Makefile rules for BIND 9.
@@ -182,6 +182,7 @@ RANLIB =	@RANLIB@
 
 INSTALL =		@INSTALL@
 INSTALL_PROGRAM =	@INSTALL_PROGRAM@
+LINK_PROGRAM =		@LN_S@
 INSTALL_SCRIPT =	@INSTALL_SCRIPT@
 INSTALL_DATA =		@INSTALL_DATA@
 
@@ -190,10 +191,11 @@ INSTALL_DATA =		@INSTALL_DATA@
 ### not to exist when not generating documentation.
 ###
 
-XSLTPROC =		@XSLTPROC@ --novalid
+XSLTPROC =		@XSLTPROC@ --novalid --xinclude --nonet
 PERL =			@PERL@
 LATEX =			@LATEX@
 PDFLATEX =		@PDFLATEX@
+W3M =			@W3M@
 
 ###
 ### DocBook -> HTML
diff --git a/contrib/bind9/version b/contrib/bind9/version
index 49710d4..868b69f 100644
--- a/contrib/bind9/version
+++ b/contrib/bind9/version
@@ -1,10 +1,10 @@
-# $Id: version,v 1.26.2.17.2.26.4.1 2007/01/11 05:06:25 marka Exp $
+# $Id: version,v 1.29.134.13.8.1 2007/04/30 01:11:30 marka Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
 #
 MAJORVER=9
-MINORVER=3
-PATCHVER=4
+MINORVER=4
+PATCHVER=1
 RELEASETYPE=
 RELEASEVER=